commit 7f324ea75baa059ea126cddd4141198895880a69 Author: Greg Kroah-Hartman Date: Thu Mar 4 10:26:54 2021 +0100 Linux 5.4.102 Tested-by: Hulk Robot Tested-by: Jon Hunter Tested-by: Florian Fainelli Tested-by: Linux Kernel Functional Testing Tested-by: Guenter Roeck Tested-by: Jason Self Link: https://lore.kernel.org/r/20210301161048.294656001@linuxfoundation.org Link: https://lore.kernel.org/r/20210301194420.658523615@linuxfoundation.org Link: https://lore.kernel.org/r/20210302122324.851128359@linuxfoundation.org Link: https://lore.kernel.org/r/20210302123219.029306163@linuxfoundation.org Link: https://lore.kernel.org/r/20210302192606.592235492@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 07c4c2e2bcd38896762f29e74abb57bdd3a2a4d1 Author: John Wang Date: Wed Dec 2 13:16:34 2020 +0800 ARM: dts: aspeed: Add LCLK to lpc-snoop commit d050d049f8b8077025292c1ecf456c4ee7f96861 upstream. Signed-off-by: John Wang Reviewed-by: Joel Stanley Link: https://lore.kernel.org/r/20201202051634.490-2-wangzhiqiang.bj@bytedance.com Signed-off-by: Joel Stanley Signed-off-by: Greg Kroah-Hartman commit 39be7b978fdef567cb1a7c8c85f11dc6fe5371f7 Author: Takeshi Misawa Date: Mon Feb 22 08:44:27 2021 +0900 net: qrtr: Fix memory leak in qrtr_tun_open commit fc0494ead6398609c49afa37bc949b61c5c16b91 upstream. If qrtr_endpoint_register() failed, tun is leaked. Fix this, by freeing tun in error path. syzbot report: BUG: memory leak unreferenced object 0xffff88811848d680 (size 64): comm "syz-executor684", pid 10171, jiffies 4294951561 (age 26.070s) hex dump (first 32 bytes): 80 dd 0a 84 ff ff ff ff 00 00 00 00 00 00 00 00 ................ 90 d6 48 18 81 88 ff ff 90 d6 48 18 81 88 ff ff ..H.......H..... backtrace: [<0000000018992a50>] kmalloc include/linux/slab.h:552 [inline] [<0000000018992a50>] kzalloc include/linux/slab.h:682 [inline] [<0000000018992a50>] qrtr_tun_open+0x22/0x90 net/qrtr/tun.c:35 [<0000000003a453ef>] misc_open+0x19c/0x1e0 drivers/char/misc.c:141 [<00000000dec38ac8>] chrdev_open+0x10d/0x340 fs/char_dev.c:414 [<0000000079094996>] do_dentry_open+0x1e6/0x620 fs/open.c:817 [<000000004096d290>] do_open fs/namei.c:3252 [inline] [<000000004096d290>] path_openat+0x74a/0x1b00 fs/namei.c:3369 [<00000000b8e64241>] do_filp_open+0xa0/0x190 fs/namei.c:3396 [<00000000a3299422>] do_sys_openat2+0xed/0x230 fs/open.c:1172 [<000000002c1bdcef>] do_sys_open fs/open.c:1188 [inline] [<000000002c1bdcef>] __do_sys_openat fs/open.c:1204 [inline] [<000000002c1bdcef>] __se_sys_openat fs/open.c:1199 [inline] [<000000002c1bdcef>] __x64_sys_openat+0x7f/0xe0 fs/open.c:1199 [<00000000f3a5728f>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<000000004b38b7ec>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 28fb4e59a47d ("net: qrtr: Expose tunneling endpoint to user space") Reported-by: syzbot+5d6e4af21385f5cfc56a@syzkaller.appspotmail.com Signed-off-by: Takeshi Misawa Link: https://lore.kernel.org/r/20210221234427.GA2140@DESKTOP Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7b518508c685448650cace97588e26537b8a8100 Author: Nikos Tsironis Date: Fri Jan 22 17:19:31 2021 +0200 dm era: Update in-core bitset after committing the metadata commit 2099b145d77c1d53f5711f029c37cc537897cee6 upstream. In case of a system crash, dm-era might fail to mark blocks as written in its metadata, although the corresponding writes to these blocks were passed down to the origin device and completed successfully. Consider the following sequence of events: 1. We write to a block that has not been yet written in the current era 2. era_map() checks the in-core bitmap for the current era and sees that the block is not marked as written. 3. The write is deferred for submission after the metadata have been updated and committed. 4. The worker thread processes the deferred write (process_deferred_bios()) and marks the block as written in the in-core bitmap, **before** committing the metadata. 5. The worker thread starts committing the metadata. 6. We do more writes that map to the same block as the write of step (1) 7. era_map() checks the in-core bitmap and sees that the block is marked as written, **although the metadata have not been committed yet**. 8. These writes are passed down to the origin device immediately and the device reports them as completed. 9. The system crashes, e.g., power failure, before the commit from step (5) finishes. When the system recovers and we query the dm-era target for the list of written blocks it doesn't report the aforementioned block as written, although the writes of step (6) completed successfully. The issue is that era_map() decides whether to defer or not a write based on non committed information. The root cause of the bug is that we update the in-core bitmap, **before** committing the metadata. Fix this by updating the in-core bitmap **after** successfully committing the metadata. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 976ee31ea300c827ab713287bbc27e50cd0df053 Author: Vlad Buslov Date: Tue Feb 16 18:22:00 2021 +0200 net: sched: fix police ext initialization commit 396d7f23adf9e8c436dd81a69488b5b6a865acf8 upstream. When police action is created by cls API tcf_exts_validate() first conditional that calls tcf_action_init_1() directly, the action idr is not updated according to latest changes in action API that require caller to commit newly created action to idr with tcf_idr_insert_many(). This results such action not being accessible through act API and causes crash reported by syzbot: ================================================================== BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline] BUG: KASAN: null-ptr-deref in atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] BUG: KASAN: null-ptr-deref in __tcf_idr_release net/sched/act_api.c:178 [inline] BUG: KASAN: null-ptr-deref in tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598 Read of size 4 at addr 0000000000000010 by task kworker/u4:5/204 CPU: 0 PID: 204 Comm: kworker/u4:5 Not tainted 5.11.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 __kasan_report mm/kasan/report.c:400 [inline] kasan_report.cold+0x5f/0xd5 mm/kasan/report.c:413 check_memory_region_inline mm/kasan/generic.c:179 [inline] check_memory_region+0x13d/0x180 mm/kasan/generic.c:185 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] __tcf_idr_release net/sched/act_api.c:178 [inline] tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598 tc_action_net_exit include/net/act_api.h:151 [inline] police_exit_net+0x168/0x360 net/sched/act_police.c:390 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x3b1/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 ================================================================== Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 204 Comm: kworker/u4:5 Tainted: G B 5.11.0-rc7-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 panic+0x306/0x73d kernel/panic.c:231 end_report+0x58/0x5e mm/kasan/report.c:100 __kasan_report mm/kasan/report.c:403 [inline] kasan_report.cold+0x67/0xd5 mm/kasan/report.c:413 check_memory_region_inline mm/kasan/generic.c:179 [inline] check_memory_region+0x13d/0x180 mm/kasan/generic.c:185 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/asm-generic/atomic-instrumented.h:27 [inline] __tcf_idr_release net/sched/act_api.c:178 [inline] tcf_idrinfo_destroy+0x129/0x1d0 net/sched/act_api.c:598 tc_action_net_exit include/net/act_api.h:151 [inline] police_exit_net+0x168/0x360 net/sched/act_police.c:390 ops_exit_list+0x10d/0x160 net/core/net_namespace.c:190 cleanup_net+0x4ea/0xb10 net/core/net_namespace.c:604 process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275 worker_thread+0x64c/0x1120 kernel/workqueue.c:2421 kthread+0x3b1/0x4a0 kernel/kthread.c:292 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296 Kernel Offset: disabled Fix the issue by calling tcf_idr_insert_many() after successful action initialization. Fixes: 0fedc63fadf0 ("net_sched: commit action insertions together") Reported-by: syzbot+151e3e714d34ae4ce7e8@syzkaller.appspotmail.com Signed-off-by: Vlad Buslov Reviewed-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9875cb3c0968ad37f07d3990eaa10e51a8d1e0b0 Author: Jason A. Donenfeld Date: Tue Feb 23 14:18:58 2021 +0100 net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending commit ee576c47db60432c37e54b1e2b43a8ca6d3a8dca upstream. The icmp{,v6}_send functions make all sorts of use of skb->cb, casting it with IPCB or IP6CB, assuming the skb to have come directly from the inet layer. But when the packet comes from the ndo layer, especially when forwarded, there's no telling what might be in skb->cb at that point. As a result, the icmp sending code risks reading bogus memory contents, which can result in nasty stack overflows such as this one reported by a user: panic+0x108/0x2ea __stack_chk_fail+0x14/0x20 __icmp_send+0x5bd/0x5c0 icmp_ndo_send+0x148/0x160 In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read from it. The optlen parameter there is of particular note, as it can induce writes beyond bounds. There are quite a few ways that can happen in __ip_options_echo. For example: // sptr/skb are attacker-controlled skb bytes sptr = skb_network_header(skb); // dptr/dopt points to stack memory allocated by __icmp_send dptr = dopt->__data; // sopt is the corrupt skb->cb in question if (sopt->rr) { optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data // this now writes potentially attacker-controlled data, over // flowing the stack: memcpy(dptr, sptr+sopt->rr, optlen); } In the icmpv6_send case, the story is similar, but not as dire, as only IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is worse than the iif case, but it is passed to ipv6_find_tlv, which does a bit of bounds checking on the value. This is easy to simulate by doing a `memset(skb->cb, 0x41, sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by good fortune and the rarity of icmp sending from that context that we've avoided reports like this until now. For example, in KASAN: BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0 Write of size 38 at addr ffff888006f1f80e by task ping/89 CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5 Call Trace: dump_stack+0x9a/0xcc print_address_description.constprop.0+0x1a/0x160 __kasan_report.cold+0x20/0x38 kasan_report+0x32/0x40 check_memory_region+0x145/0x1a0 memcpy+0x39/0x60 __ip_options_echo+0xa0e/0x12b0 __icmp_send+0x744/0x1700 Actually, out of the 4 drivers that do this, only gtp zeroed the cb for the v4 case, while the rest did not. So this commit actually removes the gtp-specific zeroing, while putting the code where it belongs in the shared infrastructure of icmp{,v6}_ndo_send. This commit fixes the issue by passing an empty IPCB or IP6CB along to the functions that actually do the work. For the icmp_send, this was already trivial, thanks to __icmp_send providing the plumbing function. For icmpv6_send, this required a tiny bit of refactoring to make it behave like the v4 case, after which it was straight forward. Fixes: a2b78e9b2cac ("sunvnet: generate ICMP PTMUD messages for smaller port MTUs") Reported-by: SinYu Reviewed-by: Willem de Bruijn Link: https://lore.kernel.org/netdev/CAF=yD-LOF116aHub6RMe8vB8ZpnrrnoTdqhobEx+bvoA8AsP0w@mail.gmail.com/T/ Signed-off-by: Jason A. Donenfeld Link: https://lore.kernel.org/r/20210223131858.72082-1-Jason@zx2c4.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 354fb7244fd014742794c7e2f95a860f01ead53d Author: Leon Romanovsky Date: Wed Feb 3 15:51:09 2021 +0200 ipv6: silence compilation warning for non-IPV6 builds commit 1faba27f11c8da244e793546a1b35a9b1da8208e upstream. The W=1 compilation of allmodconfig generates the following warning: net/ipv6/icmp.c:448:6: warning: no previous prototype for 'icmp6_send' [-Wmissing-prototypes] 448 | void icmp6_send(struct sk_buff *skb, u8 type, u8 code, __u32 info, | ^~~~~~~~~~ Fix it by providing function declaration for builds with ipv6 as a module. Signed-off-by: Leon Romanovsky Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e528edf1e579939c2f5d4008471d95dd33911bd8 Author: Eric Dumazet Date: Fri Jun 19 12:02:59 2020 -0700 ipv6: icmp6: avoid indirect call for icmpv6_send() commit cc7a21b6fbd945f8d8f61422ccd27203c1fafeb7 upstream. If IPv6 is builtin, we do not need an expensive indirect call to reach icmp6_send(). v2: put inline keyword before the type to avoid sparse warnings. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c30e93eee3bf0cd4e82fe4b7b3d68f342fee1dec Author: Jason A. Donenfeld Date: Tue Feb 11 20:47:09 2020 +0100 xfrm: interface: use icmp_ndo_send helper commit 45942ba890e6f35232727a5fa33d732681f4eb9f upstream. Because xfrmi is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly. Signed-off-by: Jason A. Donenfeld Cc: Nicolas Dichtel Cc: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e1ec06b833aa2638f151f3c21a834942ab4b1d1f Author: Jason A. Donenfeld Date: Tue Feb 11 20:47:07 2020 +0100 sunvnet: use icmp_ndo_send helper commit 67c9a7e1e3ac491b5df018803639addc36f154ba upstream. Because sunvnet is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly. While we're at it, doing the additional route lookup before calling icmp_ndo_send is superfluous, since this is the job of the icmp code in the first place. Signed-off-by: Jason A. Donenfeld Cc: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d8d268ce1a5ebe73b74f83d7fd9a69d19ea98362 Author: Jason A. Donenfeld Date: Tue Feb 11 20:47:06 2020 +0100 gtp: use icmp_ndo_send helper commit e0fce6f945a26d4e953a147fe7ca11410322c9fe upstream. Because gtp is calling icmp from network device context, it should use the ndo helper so that the rate limiting applies correctly. Signed-off-by: Jason A. Donenfeld Cc: Harald Welte Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dd28e735df5ca03bc9d70a5b5d6ae38e6ab02835 Author: Jason A. Donenfeld Date: Tue Feb 25 18:05:35 2020 +0800 icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n commit a8e41f6033a0c5633d55d6e35993c9e2005d872f upstream. The icmpv6_send function has long had a static inline implementation with an empty body for CONFIG_IPV6=n, so that code calling it doesn't need to be ifdef'd. The new icmpv6_ndo_send function, which is intended for drivers as a drop-in replacement with an identical function signature, should follow the same pattern. Without this patch, drivers that used to work with CONFIG_IPV6=n now result in a linker error. Cc: Chen Zhou Reported-by: Hulk Robot Fixes: 0b41713b6066 ("icmp: introduce helper for nat'd source address in network device context") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2019554f965642f8d4452f957c95c51393d20d32 Author: Jason A. Donenfeld Date: Tue Feb 11 20:47:05 2020 +0100 icmp: introduce helper for nat'd source address in network device context commit 0b41713b606694257b90d61ba7e2712d8457648b upstream. This introduces a helper function to be called only by network drivers that wraps calls to icmp[v6]_send in a conntrack transformation, in case NAT has been used. We don't want to pollute the non-driver path, though, so we introduce this as a helper to be called by places that actually make use of this, as suggested by Florian. Signed-off-by: Jason A. Donenfeld Cc: Florian Westphal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0a35ff986617b158a5ea100498e957fc4382869a Author: Ville Syrjälä Date: Wed Feb 3 11:30:44 2021 +0200 drm/i915: Reject 446-480MHz HDMI clock on GLK commit 7a6c6243b44a439bda4bf099032be35ebcf53406 upstream. The BXT/GLK DPLL can't generate certain frequencies. We already reject the 233-240MHz range on both. But on GLK the DPLL max frequency was bumped from 300MHz to 594MHz, so now we get to also worry about the 446-480MHz range (double the original problem range). Reject any frequency within the higher problematic range as well. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/3000 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210203093044.30532-1-ville.syrjala@linux.intel.com Reviewed-by: Mika Kahola (cherry picked from commit 41751b3e5c1ac656a86f8d45a8891115281b729e) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 467214ddfa7e4dabd82e54abaa5e71603e4c4f42 Author: Nikos Tsironis Date: Thu Feb 11 16:22:43 2021 +0200 dm era: only resize metadata in preresume commit cca2c6aebe86f68103a8615074b3578e854b5016 upstream. Metadata resize shouldn't happen in the ctr. The ctr loads a temporary (inactive) table that will only become active upon resume. That is why resize should always be done in terms of resume. Otherwise a load (ctr) whose inactive table never becomes active will incorrectly resize the metadata. Also, perform the resize directly in preresume, instead of using the worker to do it. The worker might run other metadata operations, e.g., it could start digestion, before resizing the metadata. These operations will end up using the old size. This could lead to errors, like: device-mapper: era: metadata_digest_transcribe_writeset: dm_array_set_value failed device-mapper: era: process_old_eras: digest step failed, stopping digestion The reason of the above error is that the worker started the digestion of the archived writeset using the old, larger size. As a result, metadata_digest_transcribe_writeset tried to write beyond the end of the era array. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit fb8986363019491e6b2f7f973f9b50dacdddebad Author: Nikos Tsironis Date: Fri Jan 22 17:22:04 2021 +0200 dm era: Reinitialize bitset cache before digesting a new writeset commit 2524933307fd0036d5c32357c693c021ab09a0b0 upstream. In case of devices with at most 64 blocks, the digestion of consecutive eras uses the writeset of the first era as the writeset of all eras to digest, leading to lost writes. That is, we lose the information about what blocks were written during the affected eras. The digestion code uses a dm_disk_bitset object to access the archived writesets. This structure includes a one word (64-bit) cache to reduce the number of array lookups. This structure is initialized only once, in metadata_digest_start(), when we kick off digestion. But, when we insert a new writeset into the writeset tree, before the digestion of the previous writeset is done, or equivalently when there are multiple writesets in the writeset tree to digest, then all these writesets are digested using the same cache and the cache is not re-initialized when moving from one writeset to the next. For devices with more than 64 blocks, i.e., the size of the cache, the cache is indirectly invalidated when we move to a next set of blocks, so we avoid the bug. But for devices with at most 64 blocks we end up using the same cached data for digesting all archived writesets, i.e., the cache is loaded when digesting the first writeset and it never gets reloaded, until the digestion is done. As a result, the writeset of the first era to digest is used as the writeset of all the following archived eras, leading to lost writes. Fix this by reinitializing the dm_disk_bitset structure, and thus invalidating the cache, every time the digestion code starts digesting a new writeset. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit e59b9a8464beeb7313062485b7e7640e3d74a12c Author: Nikos Tsironis Date: Fri Jan 22 17:25:55 2021 +0200 dm era: Use correct value size in equality function of writeset tree commit 64f2d15afe7b336aafebdcd14cc835ecf856df4b upstream. Fix the writeset tree equality test function to use the right value size when comparing two btree values. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Reviewed-by: Ming-Hung Tsai Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit fead0c8e5c56ad409856a7e36c6260e8597afef5 Author: Nikos Tsironis Date: Fri Jan 22 17:25:54 2021 +0200 dm era: Fix bitset memory leaks commit 904e6b266619c2da5c58b5dce14ae30629e39645 upstream. Deallocate the memory allocated for the in-core bitsets when destroying the target and in error paths. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Reviewed-by: Ming-Hung Tsai Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 8ca89085fe72708840b514bfb10ce648c51b3434 Author: Nikos Tsironis Date: Fri Jan 22 17:25:53 2021 +0200 dm era: Verify the data block size hasn't changed commit c8e846ff93d5eaa5384f6f325a1687ac5921aade upstream. dm-era doesn't support changing the data block size of existing devices, so check explicitly that the requested block size for a new target matches the one stored in the metadata. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Reviewed-by: Ming-Hung Tsai Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit e8a146ef82a416fe712d8f0d4a5b87c19003679d Author: Nikos Tsironis Date: Fri Jan 22 17:19:30 2021 +0200 dm era: Recover committed writeset after crash commit de89afc1e40fdfa5f8b666e5d07c43d21a1d3be0 upstream. Following a system crash, dm-era fails to recover the committed writeset for the current era, leading to lost writes. That is, we lose the information about what blocks were written during the affected era. dm-era assumes that the writeset of the current era is archived when the device is suspended. So, when resuming the device, it just moves on to the next era, ignoring the committed writeset. This assumption holds when the device is properly shut down. But, when the system crashes, the code that suspends the target never runs, so the writeset for the current era is not archived. There are three issues that cause the committed writeset to get lost: 1. dm-era doesn't load the committed writeset when opening the metadata 2. The code that resizes the metadata wipes the information about the committed writeset (assuming it was loaded at step 1) 3. era_preresume() starts a new era, without taking into account that the current era might not have been archived, due to a system crash. To fix this: 1. Load the committed writeset when opening the metadata 2. Fix the code that resizes the metadata to make sure it doesn't wipe the loaded writeset 3. Fix era_preresume() to check for a loaded writeset and archive it, before starting a new era. Fixes: eec40579d84873 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit d873884783edb0d18666dad28841695a4e57459c Author: Mikulas Patocka Date: Tue Feb 9 10:56:20 2021 -0500 dm writecache: fix writing beyond end of underlying device when shrinking commit 4134455f2aafdfeab50cabb4cccb35e916034b93 upstream. Do not attempt to write any data beyond the end of the underlying data device while shrinking it. The DM writecache device must be suspended when the underlying data device is shrunk. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 5233c47c8d468be88ae594d2fd19e89f321bf419 Author: Mikulas Patocka Date: Wed Feb 10 15:26:23 2021 -0500 dm: fix deadlock when swapping to encrypted device commit a666e5c05e7c4aaabb2c5d58117b0946803d03d2 upstream. The system would deadlock when swapping to a dm-crypt device. The reason is that for each incoming write bio, dm-crypt allocates memory that holds encrypted data. These excessive allocations exhaust all the memory and the result is either deadlock or OOM trigger. This patch limits the number of in-flight swap bios, so that the memory consumed by dm-crypt is limited. The limit is enforced if the target set the "limit_swap_bios" variable and if the bio has REQ_SWAP set. Non-swap bios are not affected becuase taking the semaphore would cause performance degradation. This is similar to request-based drivers - they will also block when the number of requests is over the limit. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit fd3b7e07d3c148a910fddb94e83b6824f6aa8874 Author: Andreas Gruenbacher Date: Tue Feb 9 18:32:32 2021 +0100 gfs2: Recursive gfs2_quota_hold in gfs2_iomap_end commit 7009fa9cd9a5262944b30eb7efb1f0561d074b68 upstream. When starting an iomap write, gfs2_quota_lock_check -> gfs2_quota_lock -> gfs2_quota_hold is called from gfs2_iomap_begin. At the end of the write, before unlocking the quotas, punch_hole -> gfs2_quota_hold can be called again in gfs2_iomap_end, which is incorrect and leads to a failed assertion. Instead, move the call to gfs2_quota_unlock before the call to punch_hole to fix that. Fixes: 64bc06bb32ee ("gfs2: iomap buffered write support") Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit fa0201d3902ec9be524e8bc231cd6f0baef984e7 Author: Bob Peterson Date: Fri Feb 5 13:50:41 2021 -0500 gfs2: Don't skip dlm unlock if glock has an lvb commit 78178ca844f0eb88f21f31c7fde969384be4c901 upstream. Patch fb6791d100d1 was designed to allow gfs2 to unmount quicker by skipping the step where it tells dlm to unlock glocks in EX with lvbs. This was done because when gfs2 unmounts a file system, it destroys the dlm lockspace shortly after it destroys the glocks so it doesn't need to unlock them all: the unlock is implied when the lockspace is destroyed by dlm. However, that patch introduced a use-after-free in dlm: as part of its normal dlm_recoverd process, it can call ls_recovery to recover dead locks. In so doing, it can call recover_rsbs which calls recover_lvb for any mastered rsbs. Func recover_lvb runs through the list of lkbs queued to the given rsb (if the glock is cached but unlocked, it will still be queued to the lkb, but in NL--Unlocked--mode) and if it has an lvb, copies it to the rsb, thus trying to preserve the lkb. However, when gfs2 skips the dlm unlock step, it frees the glock and its lvb, which means dlm's function recover_lvb references the now freed lvb pointer, copying the freed lvb memory to the rsb. This patch changes the check in gdlm_put_lock so that it calls dlm_unlock for all glocks that contain an lvb pointer. Fixes: fb6791d100d1 ("GFS2: skip dlm_unlock calls in unmount") Cc: stable@vger.kernel.org # v3.8+ Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit c5abc17d27407444617d9863cee6308c51668261 Author: Masahisa Kojima Date: Mon Feb 1 01:31:09 2021 -0600 spi: spi-synquacer: fix set_cs handling commit 1c9f1750f0305bf605ff22686fc0ac89c06deb28 upstream. When the slave chip select is deasserted, DMSTOP bit must be set. Fixes: b0823ee35cf9 ("spi: Add spi driver for Socionext SynQuacer platform") Signed-off-by: Masahisa Kojima Signed-off-by: Jassi Brar Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210201073109.9036-1-jassisinghbrar@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3dbe8f1d24de5b553c4606ace78ae0a98e6aac55 Author: Al Viro Date: Mon Jul 20 02:21:51 2020 +0100 sparc32: fix a user-triggerable oops in clear_user() commit 7780918b36489f0b2f9a3749d7be00c2ceaec513 upstream. Back in 2.1.29 the clear_user() guts (__bzero()) had been merged with memset(). Unfortunately, while all exception handlers had been copied, one of the exception table entries got lost. As the result, clear_user() starting at 128*n bytes before the end of page and spanning between 8 and 127 bytes into the next page would oops when the second page is unmapped. It's trivial to reproduce - all it takes is main() { int fd = open("/dev/zero", O_RDONLY); char *p = mmap(NULL, 16384, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0); munmap(p + 8192, 8192); read(fd, p + 8192 - 128, 192); } which had been oopsing since March 1997. Says something about the quality of test coverage... ;-/ And while today sparc32 port is nearly dead, back in '97 it had been very much alive; in fact, sparc64 had only been in mainline for 3 months by that point... Cc: stable@kernel.org Fixes: v2.1.29 Signed-off-by: Al Viro Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7e17044631aa4e451f55cd3267c6f831fba37e76 Author: Chao Yu Date: Wed Dec 16 17:15:23 2020 +0800 f2fs: fix out-of-repair __setattr_copy() commit 2562515f0ad7342bde6456602c491b64c63fe950 upstream. __setattr_copy() was copied from setattr_copy() in fs/attr.c, there is two missing patches doesn't cover this inner function, fix it. Commit 7fa294c8991c ("userns: Allow chown and setgid preservation") Commit 23adbe12ef7d ("fs,userns: Change inode_capable to capable_wrt_inode_uidgid") Fixes: fbfa2cc58d53 ("f2fs: add file operations") Cc: stable@vger.kernel.org Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Greg Kroah-Hartman commit 5b5d76028056db3296a2c9b997dad13c5bec78b5 Author: Johannes Berg Date: Wed Jan 13 22:08:02 2021 +0100 um: mm: check more comprehensively for stub changes commit 47da29763ec9a153b9b685bff9db659e4e09e494 upstream. If userspace tries to change the stub, we need to kill it, because otherwise it can escape the virtual machine. In a few cases the stub checks weren't good, e.g. if userspace just tries to mmap(0x100000 - 0x1000, 0x3000, ...) it could succeed to get a new private/anonymous mapping replacing the stubs. Fix this by checking everywhere, and checking for _overlap_, not just direct changes. Cc: stable@vger.kernel.org Fixes: 3963333fe676 ("uml: cover stubs with a VMA") Signed-off-by: Johannes Berg Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit b95baf4efb6835d4a76d5db5b74bad84f234a872 Author: Cornelia Huck Date: Tue Feb 16 12:06:45 2021 +0100 virtio/s390: implement virtio-ccw revision 2 correctly commit 182f709c5cff683e6732d04c78e328de0532284f upstream. CCW_CMD_READ_STATUS was introduced with revision 2 of virtio-ccw, and drivers should only rely on it being implemented when they negotiated at least that revision with the device. However, virtio_ccw_get_status() issued READ_STATUS for any device operating at least at revision 1. If the device accepts READ_STATUS regardless of the negotiated revision (which some implementations like QEMU do, even though the spec currently does not allow it), everything works as intended. While a device rejecting the command should also be handled gracefully, we will not be able to see any changes the device makes to the status, such as setting NEEDS_RESET or setting the status to zero after a completed reset. We negotiated the revision to at most 1, as we never bumped the maximum revision; let's do that now and properly send READ_STATUS only if we are operating at least at revision 2. Cc: stable@vger.kernel.org Fixes: 7d3ce5ab9430 ("virtio/s390: support READ_STATUS command for virtio-ccw") Reviewed-by: Halil Pasic Signed-off-by: Cornelia Huck Signed-off-by: Vasily Gorbik Link: https://lore.kernel.org/r/20210216110645.1087321-1-cohuck@redhat.com Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 8e6c8cfa9aee65d4ca9b89634d14eed2215ddc07 Author: Heiko Carstens Date: Tue Feb 2 16:45:37 2021 +0100 s390/vtime: fix inline assembly clobber list commit b29c5093820d333eef22f58cd04ec0d089059c39 upstream. The stck/stckf instruction used within the inline assembly within do_account_vtime() changes the condition code. This is not reflected with the clobber list, and therefore might result in incorrect code generation. It seems unlikely that the compiler could generate incorrect code considering the surrounding C code, but it must still be fixed. Cc: Reviewed-by: Christian Borntraeger Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 07332771663b0a5eafef7097c11cf919c7d6f90b Author: Chen Yu Date: Tue Jan 12 13:21:27 2021 +0800 cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available commit 6f67e060083a84a4cc364eab6ae40c717165fb0c upstream. Currently, when turbo is disabled (either by BIOS or by the user), the intel_pstate driver reads the max non-turbo frequency from the package-wide MSR_PLATFORM_INFO(0xce) register. However, on asymmetric platforms it is possible in theory that small and big core with HWP enabled might have different max non-turbo CPU frequency, because MSR_HWP_CAPABILITIES is per-CPU scope according to Intel Software Developer Manual. The turbo max freq is already per-CPU in current code, so make similar change to the max non-turbo frequency as well. Reported-by: Wendy Wang Signed-off-by: Chen Yu [ rjw: Subject and changelog edits ] Cc: 4.18+ # 4.18+: a45ee4d4e13b: cpufreq: intel_pstate: Change intel_pstate_get_hwp_max() argument Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit dfbbed769f1b7197e79fbd7a61c6627753b0b674 Author: Muchun Song Date: Wed Feb 10 11:48:23 2021 +0800 printk: fix deadlock when kernel panic commit 8a8109f303e25a27f92c1d8edd67d7cbbc60a4eb upstream. printk_safe_flush_on_panic() caused the following deadlock on our server: CPU0: CPU1: panic rcu_dump_cpu_stacks kdump_nmi_shootdown_cpus nmi_trigger_cpumask_backtrace register_nmi_handler(crash_nmi_callback) printk_safe_flush __printk_safe_flush raw_spin_lock_irqsave(&read_lock) // send NMI to other processors apic_send_IPI_allbutself(NMI_VECTOR) // NMI interrupt, dead loop crash_nmi_callback printk_safe_flush_on_panic printk_safe_flush __printk_safe_flush // deadlock raw_spin_lock_irqsave(&read_lock) DEADLOCK: read_lock is taken on CPU1 and will never get released. It happens when panic() stops a CPU by NMI while it has been in the middle of printk_safe_flush(). Handle the lock the same way as logbuf_lock. The printk_safe buffers are flushed only when both locks can be safely taken. It can avoid the deadlock _in this particular case_ at expense of losing contents of printk_safe buffers. Note: It would actually be safe to re-init the locks when all CPUs were stopped by NMI. But it would require passing this information from arch-specific code. It is not worth the complexity. Especially because logbuf_lock and printk_safe buffers have been obsoleted by the lockless ring buffer. Fixes: cf9b1106c81c ("printk/nmi: flush NMI messages on the system panic") Signed-off-by: Muchun Song Reviewed-by: Petr Mladek Cc: Acked-by: Sergey Senozhatsky Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20210210034823.64867-1-songmuchun@bytedance.com Signed-off-by: Greg Kroah-Hartman commit 81c2472bcf33548beb47f9c38a142a99cc6a07b1 Author: Maxim Kiselev Date: Wed Feb 17 14:10:00 2021 +0100 gpio: pcf857x: Fix missing first interrupt commit a8002a35935aaefcd6a42ad3289f62bab947f2ca upstream. If no n_latch value will be provided at driver probe then all pins will be used as an input: gpio->out = ~n_latch; In that case initial state for all pins is "one": gpio->status = gpio->out; So if pcf857x IRQ happens with change pin value from "zero" to "one" then we miss it, because of "one" from IRQ and "one" from initial state leaves corresponding pin unchanged: change = (gpio->status ^ status) & gpio->irq_enabled; The right solution will be to read actual state at driver probe. Cc: stable@vger.kernel.org Fixes: 6e20a0a429bd ("gpio: pcf857x: enable gpio_to_irq() support") Signed-off-by: Maxim Kiselev Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 70dcfb66ef686ef723738101153d7c1cfaedc9f3 Author: Subbaraman Narayanamurthy Date: Thu Feb 11 19:14:17 2021 -0800 spmi: spmi-pmic-arb: Fix hw_irq overflow commit d19db80a366576d3ffadf2508ed876b4c1faf959 upstream. Currently, when handling the SPMI summary interrupt, the hw_irq number is calculated based on SID, Peripheral ID, IRQ index and APID. This is then passed to irq_find_mapping() to see if a mapping exists for this hw_irq and if available, invoke the interrupt handler. Since the IRQ index uses an "int" type, hw_irq which is of unsigned long data type can take a large value when SID has its MSB set to 1 and the type conversion happens. Because of this, irq_find_mapping() returns 0 as there is no mapping for this hw_irq. This ends up invoking cleanup_irq() as if the interrupt is spurious whereas it is actually a valid interrupt. Fix this by using the proper data type (u32) for id. Cc: stable@vger.kernel.org Signed-off-by: Subbaraman Narayanamurthy Link: https://lore.kernel.org/r/1612812784-26369-1-git-send-email-subbaram@codeaurora.org Signed-off-by: Stephen Boyd Link: https://lore.kernel.org/r/20210212031417.3148936-1-sboyd@kernel.org Signed-off-by: Greg Kroah-Hartman commit d5194f7264e2a6a563e49d2ca26888f6e67c057a Author: Christophe Leroy Date: Mon Feb 8 15:10:20 2021 +0000 powerpc/32s: Add missing call to kuep_lock on syscall entry commit 57fdfbce89137ae85cd5cef48be168040a47dd13 upstream. Userspace Execution protection and fast syscall entry were implemented independently from each other and were both merged in kernel 5.2, leading to syscall entry missing userspace execution protection. On syscall entry, execution of user space memory must be locked in the same way as on exception entry. Fixes: b86fb88855ea ("powerpc/32: implement fast entry for syscalls on non BOOKE") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/c65e105b63aaf74f91a14f845bc77192350b84a6.1612796617.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 6b22c402dff91e69317143e9b168e66adf44c58c Author: Frank Li Date: Wed Feb 10 12:19:33 2021 -0600 mmc: sdhci-esdhc-imx: fix kernel panic when remove module commit a56f44138a2c57047f1ea94ea121af31c595132b upstream. In sdhci_esdhc_imx_remove() the SDHCI_INT_STATUS in read. Under some circumstances, this may be done while the device is runtime suspended, triggering the below splat. Fix the problem by adding a pm_runtime_get_sync(), before reading the register, which will turn on clocks etc making the device accessible again. [ 1811.323148] mmc1: card aaaa removed [ 1811.347483] Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP [ 1811.354988] Modules linked in: sdhci_esdhc_imx(-) sdhci_pltfm sdhci cqhci mmc_block mmc_core [last unloaded: mmc_core] [ 1811.365726] CPU: 0 PID: 3464 Comm: rmmod Not tainted 5.10.1-sd-99871-g53835a2e8186 #5 [ 1811.373559] Hardware name: Freescale i.MX8DXL EVK (DT) [ 1811.378705] pstate: 60000005 (nZCv daif -PAN -UAO -TCO BTYPE=--) [ 1811.384723] pc : sdhci_esdhc_imx_remove+0x28/0x15c [sdhci_esdhc_imx] [ 1811.391090] lr : platform_drv_remove+0x2c/0x50 [ 1811.395536] sp : ffff800012c7bcb0 [ 1811.398855] x29: ffff800012c7bcb0 x28: ffff00002c72b900 [ 1811.404181] x27: 0000000000000000 x26: 0000000000000000 [ 1811.409497] x25: 0000000000000000 x24: 0000000000000000 [ 1811.414814] x23: ffff0000042b3890 x22: ffff800009127120 [ 1811.420131] x21: ffff00002c4c9580 x20: ffff0000042d0810 [ 1811.425456] x19: ffff0000042d0800 x18: 0000000000000020 [ 1811.430773] x17: 0000000000000000 x16: 0000000000000000 [ 1811.436089] x15: 0000000000000004 x14: ffff000004019c10 [ 1811.441406] x13: 0000000000000000 x12: 0000000000000020 [ 1811.446723] x11: 0101010101010101 x10: 7f7f7f7f7f7f7f7f [ 1811.452040] x9 : fefefeff6364626d x8 : 7f7f7f7f7f7f7f7f [ 1811.457356] x7 : 78725e6473607372 x6 : 0000000080808080 [ 1811.462673] x5 : 0000000000000000 x4 : 0000000000000000 [ 1811.467990] x3 : ffff800011ac1cb0 x2 : 0000000000000000 [ 1811.473307] x1 : ffff8000091214d4 x0 : ffff8000133a0030 [ 1811.478624] Call trace: [ 1811.481081] sdhci_esdhc_imx_remove+0x28/0x15c [sdhci_esdhc_imx] [ 1811.487098] platform_drv_remove+0x2c/0x50 [ 1811.491198] __device_release_driver+0x188/0x230 [ 1811.495818] driver_detach+0xc0/0x14c [ 1811.499487] bus_remove_driver+0x5c/0xb0 [ 1811.503413] driver_unregister+0x30/0x60 [ 1811.507341] platform_driver_unregister+0x14/0x20 [ 1811.512048] sdhci_esdhc_imx_driver_exit+0x1c/0x3a8 [sdhci_esdhc_imx] [ 1811.518495] __arm64_sys_delete_module+0x19c/0x230 [ 1811.523291] el0_svc_common.constprop.0+0x78/0x1a0 [ 1811.528086] do_el0_svc+0x24/0x90 [ 1811.531405] el0_svc+0x14/0x20 [ 1811.534461] el0_sync_handler+0x1a4/0x1b0 [ 1811.538474] el0_sync+0x174/0x180 [ 1811.541801] Code: a9025bf5 f9403e95 f9400ea0 9100c000 (b9400000) [ 1811.547902] ---[ end trace 3fb1a3bd48ff7be5 ]--- Signed-off-by: Frank Li Cc: stable@vger.kernel.org # v4.0+ Link: https://lore.kernel.org/r/20210210181933.29263-1-Frank.Li@nxp.com [Ulf: Clarified the commit message a bit] Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit b6bc5417385deda9f8f998c832e414cef62d2bab Author: Fangrui Song Date: Fri Jan 15 11:52:22 2021 -0800 module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols commit ebfac7b778fac8b0e8e92ec91d0b055f046b4604 upstream. clang-12 -fno-pic (since https://github.com/llvm/llvm-project/commit/a084c0388e2a59b9556f2de0083333232da3f1d6) can emit `call __stack_chk_fail@PLT` instead of `call __stack_chk_fail` on x86. The two forms should have identical behaviors on x86-64 but the former causes GNU as<2.37 to produce an unreferenced undefined symbol _GLOBAL_OFFSET_TABLE_. (On x86-32, there is an R_386_PC32 vs R_386_PLT32 difference but the linker behavior is identical as far as Linux kernel is concerned.) Simply ignore _GLOBAL_OFFSET_TABLE_ for now, like what scripts/mod/modpost.c:ignore_undef_symbol does. This also fixes the problem for gcc/clang -fpie and -fpic, which may emit `call foo@PLT` for external function calls on x86. Note: ld -z defs and dynamic loaders do not error for unreferenced undefined symbols so the module loader is reading too much. If we ever need to ignore more symbols, the code should be refactored to ignore unreferenced symbols. Cc: Link: https://github.com/ClangBuiltLinux/linux/issues/1250 Link: https://sourceware.org/bugzilla/show_bug.cgi?id=27178 Reported-by: Marco Elver Reviewed-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Tested-by: Marco Elver Signed-off-by: Fangrui Song Signed-off-by: Jessica Yu Signed-off-by: Greg Kroah-Hartman commit 8a3e6c6fe9c63e023d6fa01796520996ee65f08c Author: Sean Young Date: Fri Jan 29 11:54:53 2021 +0100 media: smipcie: fix interrupt handling and IR timeout commit 6532923237b427ed30cc7b4486f6f1ccdee3c647 upstream. After the first IR message, interrupts are no longer received. In addition, the code generates a timeout IR message of 10ms but sets the timeout value to 100ms, so no timeout was ever generated. Link: https://bugzilla.kernel.org/show_bug.cgi?id=204317 Fixes: a49a7a4635de ("media: smipcie: add universal ir capability") Tested-by: Laz Lev Cc: stable@vger.kernel.org # v5.1+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2e1df9bfe6fa193120f9fa1349a278df1a50d75a Author: Suzuki K Poulose Date: Wed Feb 3 23:00:57 2021 +0000 arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 commit c0b15c25d25171db4b70cc0b7dbc1130ee94017d upstream. The erratum 1024718 affects Cortex-A55 r0p0 to r2p0. However we apply the work around for r0p0 - r1p0. Unfortunately this won't be fixed for the future revisions for the CPU. Thus extend the work around for all versions of A55, to cover for r2p0 and any future revisions. Cc: stable@vger.kernel.org Cc: Catalin Marinas Cc: Will Deacon Cc: James Morse Cc: Kunihiko Hayashi Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20210203230057.3961239-1-suzuki.poulose@arm.com [will: Update Kconfig help text] Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 56620980617681cb50bb2346116679adc93f4303 Author: Mike Kravetz Date: Wed Feb 24 12:07:54 2021 -0800 hugetlb: fix copy_huge_page_from_user contig page struct assumption commit 3272cfc2525b3a2810a59312d7a1e6f04a0ca3ef upstream. page structs are not guaranteed to be contiguous for gigantic pages. The routine copy_huge_page_from_user can encounter gigantic pages, yet it assumes page structs are contiguous when copying pages from user space. Since page structs for the target gigantic page are not contiguous, the data copied from user space could overwrite other pages not associated with the gigantic page and cause data corruption. Non-contiguous page structs are generally not an issue. However, they can exist with a specific kernel configuration and hotplug operations. For example: Configure the kernel with CONFIG_SPARSEMEM and !CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where the gigantic page will be allocated. Link: https://lkml.kernel.org/r/20210217184926.33567-2-mike.kravetz@oracle.com Fixes: 8fb5debc5fcd ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support") Signed-off-by: Mike Kravetz Cc: Zi Yan Cc: Davidlohr Bueso Cc: "Kirill A . Shutemov" Cc: Andrea Arcangeli Cc: Matthew Wilcox Cc: Oscar Salvador Cc: Joao Martins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5dd34ee9abdc2bbf563bc25a9534737c75b38fde Author: Mike Kravetz Date: Wed Feb 24 12:07:50 2021 -0800 hugetlb: fix update_and_free_page contig page struct assumption commit dbfee5aee7e54f83d96ceb8e3e80717fac62ad63 upstream. page structs are not guaranteed to be contiguous for gigantic pages. The routine update_and_free_page can encounter a gigantic page, yet it assumes page structs are contiguous when setting page flags in subpages. If update_and_free_page encounters non-contiguous page structs, we can see “BUG: Bad page state in process …” errors. Non-contiguous page structs are generally not an issue. However, they can exist with a specific kernel configuration and hotplug operations. For example: Configure the kernel with CONFIG_SPARSEMEM and !CONFIG_SPARSEMEM_VMEMMAP. Then, hotplug add memory for the area where the gigantic page will be allocated. Zi Yan outlined steps to reproduce here [1]. [1] https://lore.kernel.org/linux-mm/16F7C58B-4D79-41C5-9B64-A1A1628F4AF2@nvidia.com/ Link: https://lkml.kernel.org/r/20210217184926.33567-1-mike.kravetz@oracle.com Fixes: 944d9fec8d7a ("hugetlb: add support for gigantic page allocation at runtime") Signed-off-by: Zi Yan Signed-off-by: Mike Kravetz Cc: Zi Yan Cc: Davidlohr Bueso Cc: "Kirill A . Shutemov" Cc: Andrea Arcangeli Cc: Matthew Wilcox Cc: Oscar Salvador Cc: Joao Martins Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b74e3493264f772d782612475ad028dac7ccaceb Author: NeilBrown Date: Thu Feb 25 17:22:29 2021 -0800 x86: fix seq_file iteration for pat/memtype.c commit 3d2fc4c082448e9c05792f9b2a11c1d5db408b85 upstream. The memtype seq_file iterator allocates a buffer in the ->start and ->next functions and frees it in the ->show function. The preferred handling for such resources is to free them in the subsequent ->next or ->stop function call. Since Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") there is no guarantee that ->show will be called after ->next, so this function can now leak memory. So move the freeing of the buffer to ->next and ->stop. Link: https://lkml.kernel.org/r/161248539022.21478.13874455485854739066.stgit@noble1 Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") Signed-off-by: NeilBrown Cc: Xin Long Cc: Alexander Viro Cc: Andy Lutomirski Cc: Dave Hansen Cc: "David S. Miller" Cc: Ingo Molnar Cc: Jonathan Corbet Cc: Marcelo Ricardo Leitner Cc: Neil Horman Cc: Peter Zijlstra Cc: Vlad Yasevich Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ebd5a480db0edd688519c1b997021d22e17a702c Author: NeilBrown Date: Thu Feb 25 17:22:25 2021 -0800 seq_file: document how per-entry resources are managed. commit b3656d8227f4c45812c6b40815d8f4e446ed372a upstream. Patch series "Fix some seq_file users that were recently broken". A recent change to seq_file broke some users which were using seq_file in a non-"standard" way ... though the "standard" isn't documented, so they can be excused. The result is a possible leak - of memory in one case, of references to a 'transport' in the other. These three patches: 1/ document and explain the problem 2/ fix the problem user in x86 3/ fix the problem user in net/sctp This patch (of 3): Users of seq_file will sometimes find it convenient to take a resource, such as a lock or memory allocation, in the ->start or ->next operations. These are per-entry resources, distinct from per-session resources which are taken in ->start and released in ->stop. The preferred management of these is release the resource on the subsequent call to ->next or ->stop. However prior to Commit 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") it happened that ->show would always be called after ->start or ->next, and a few users chose to release the resource in ->show. This is no longer reliable. Since the mentioned commit, ->next will always come after a successful ->show (to ensure m->index is updated correctly), so the original ordering cannot be maintained. This patch updates the documentation to clearly state the required behaviour. Other patches will fix the few problematic users. [akpm@linux-foundation.org: fix typo, per Willy] Link: https://lkml.kernel.org/r/161248518659.21478.2484341937387294998.stgit@noble1 Link: https://lkml.kernel.org/r/161248539020.21478.3147971477400875336.stgit@noble1 Fixes: 1f4aace60b0e ("fs/seq_file.c: simplify seq_file iteration code and interface") Signed-off-by: NeilBrown Cc: Xin Long Cc: Alexander Viro Cc: Jonathan Corbet Cc: Ingo Molnar Cc: Dave Hansen Cc: Andy Lutomirski Cc: Peter Zijlstra Cc: Vlad Yasevich Cc: Neil Horman Cc: Marcelo Ricardo Leitner Cc: "David S. Miller" Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3e9b85cabea04b22ab63fc00149c59d561e95542 Author: Pan Bian Date: Wed Jan 20 00:51:13 2021 -0800 fs/affs: release old buffer head on error path commit 70779b897395b330ba5a47bed84f94178da599f9 upstream. The reference count of the old buffer head should be decremented on path that fails to get the new buffer head. Fixes: 6b4657667ba0 ("fs/affs: add rename exchange") CC: stable@vger.kernel.org # 4.14+ Signed-off-by: Pan Bian Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit b2b5c3aec866a171cf888f34bde348be7be2211a Author: Pan Bian Date: Thu Jan 21 01:18:47 2021 -0800 mtd: spi-nor: hisi-sfc: Put child node np on error path commit fe6653460ee7a7dbe0cd5fd322992af862ce5ab0 upstream. Put the child node np when it fails to get or register device. Fixes: e523f11141bd ("mtd: spi-nor: add hisilicon spi-nor flash controller driver") Cc: stable@vger.kernel.org Signed-off-by: Pan Bian [ta: Add Fixes tag and Cc stable] Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/20210121091847.85362-1-bianpan2016@163.com Signed-off-by: Greg Kroah-Hartman commit 61dfd4fbbd1efa6c3ec5baced1f89f7de1d6ec91 Author: Takahiro Kuwano Date: Fri Oct 2 14:18:02 2020 +0900 mtd: spi-nor: core: Add erase size check for erase command initialization commit 58fa22f68fcaff20ce4d08a6adffa64f65ccd37d upstream. Even if erase type is same as previous region, erase size can be different if the previous region is overlaid region. Since 'region->size' is assigned to 'cmd->size' for overlaid region, comparing 'erase->size' and 'cmd->size' can detect previous overlaid region. Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") Cc: stable@vger.kernel.org Signed-off-by: Takahiro Kuwano [ta: Add Fixes tag and Cc to stable] Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/13d47e8d8991b8a7fd8cc7b9e2a5319c56df35cc.1601612872.git.Takahiro.Kuwano@infineon.com Signed-off-by: Greg Kroah-Hartman commit 3ab134965691a2aaa8984463ca18d541a52d8df2 Author: Takahiro Kuwano Date: Fri Oct 2 14:18:01 2020 +0900 mtd: spi-nor: core: Fix erase type discovery for overlaid region commit 969b276718de37dfe66fce3a5633f611e8cd58fd upstream. In case of overlaid regions in which their biggest erase size command overpasses in size the region's size, only the non-overlaid portion of the sector gets erased. For example, if a Sector Erase command is applied to a 256-kB range that is overlaid by 4-kB sectors, the overlaid 4-kB sectors are not affected by the erase. For overlaid regions, 'region->size' is assigned to 'cmd->size' later in spi_nor_init_erase_cmd(), so 'erase->size' can be greater than 'len'. Fixes: 5390a8df769e ("mtd: spi-nor: add support to non-uniform SFDP SPI NOR flash memories") Cc: stable@vger.kernel.org Signed-off-by: Takahiro Kuwano [ta: Update commit description, add Fixes tag and Cc to stable] Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/fa5d8b944a5cca488ac54ba37c95e775ac2deb34.1601612872.git.Takahiro.Kuwano@infineon.com Signed-off-by: Greg Kroah-Hartman commit cc27d5f4068002e5321d25b10cb206cd6198a0de Author: Takahiro Kuwano Date: Fri Oct 2 14:17:59 2020 +0900 mtd: spi-nor: sfdp: Fix wrong erase type bitmask for overlaid region commit abdf5a5ef9652bad4d58058bc22ddf23543ba3e1 upstream. At the time spi_nor_region_check_overlay() is called, the erase types are sorted in ascending order of erase size. The 'erase_type' should be masked with 'BIT(erase[i].idx)' instead of 'BIT(i)'. Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") Cc: stable@vger.kernel.org Signed-off-by: Takahiro Kuwano [ta: Add Fixes tag and Cc to stable] Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/fd90c40d5b626a1319a78fc2bcee79a8871d4d57.1601612872.git.Takahiro.Kuwano@infineon.com Signed-off-by: Greg Kroah-Hartman commit 7852feb3accbf1c7e9484ef593477c73d680f12d Author: Takahiro Kuwano Date: Fri Oct 2 14:18:00 2020 +0900 mtd: spi-nor: sfdp: Fix last erase region marking commit 9166f4af32db74e1544a2149aef231ff24515ea3 upstream. The place of spi_nor_region_mark_end() must be moved, because 'i' is re-used for the index of erase[]. Fixes: b038e8e3be72 ("mtd: spi-nor: parse SFDP Sector Map Parameter Table") Cc: stable@vger.kernel.org Signed-off-by: Takahiro Kuwano [ta: Add Fixes tag and Cc to stable] Signed-off-by: Tudor Ambarus Link: https://lore.kernel.org/r/02ce8d84b7989ebee33382f6494df53778dd508e.1601612872.git.Takahiro.Kuwano@infineon.com Signed-off-by: Greg Kroah-Hartman commit 97d079fd2ac126486eaa32e3bd08fa4ca4d47f89 Author: Alexander Usyskin Date: Sun Jan 24 13:49:38 2021 +0200 watchdog: mei_wdt: request stop on unregister commit 740c0a57b8f1e36301218bf549f3c9cc833a60be upstream. The MEI bus has a special behavior on suspend it destroys all the attached devices, this is due to the fact that also firmware context is not persistent across power flows. If watchdog on MEI bus is ticking before suspending the firmware times out and reports that the OS is missing watchdog tick. Send the stop command to the firmware on watchdog unregistered to eliminate the false event on suspend. This does not make the things worse from the user-space perspective as a user-space should re-open watchdog device after suspending before this patch. Cc: Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20210124114938.373885-1-tomas.winkler@intel.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 4262c46bfbcf95d924d0684950794e9887d122bf Author: Sai Prakash Ranjan Date: Tue Jan 26 20:32:41 2021 +0530 watchdog: qcom: Remove incorrect usage of QCOM_WDT_ENABLE_IRQ commit a4f3407c41605d14f09e490045d0609990cd5d94 upstream. As per register documentation, QCOM_WDT_ENABLE_IRQ which is BIT(1) of watchdog control register is wakeup interrupt enable bit and not related to bark interrupt at all, BIT(0) is used for that. So remove incorrect usage of this bit when supporting bark irq for pre-timeout notification. Currently with this bit set and bark interrupt specified, pre-timeout notification and/or watchdog reset/bite does not occur. Fixes: 36375491a439 ("watchdog: qcom: support pre-timeout when the bark irq is available") Cc: stable@vger.kernel.org Signed-off-by: Sai Prakash Ranjan Reviewed-by: Guenter Roeck Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/20210126150241.10009-1-saiprakash.ranjan@codeaurora.org Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit a82ebd5dde7dfdb81cec940fefb8daabe4e20b43 Author: He Zhe Date: Tue Feb 23 16:25:34 2021 +0800 arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing commit d47422d953e258ad587b5edf2274eb95d08bdc7d upstream. As stated in linux/errno.h, ENOTSUPP should never be seen by user programs. When we set up uprobe with 32-bit perf and arm64 kernel, we would see the following vague error without useful hint. The sys_perf_event_open() syscall returned with 524 (INTERNAL ERROR: strerror_r(524, [buf], 128)=22) Use EOPNOTSUPP instead to indicate such cases. Signed-off-by: He Zhe Link: https://lore.kernel.org/r/20210223082535.48730-1-zhe.he@windriver.com Cc: Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit efca4c991ecfb6ff85357eb517863d0bbc471068 Author: qiuguorui1 Date: Thu Feb 18 20:59:00 2021 +0800 arm64: kexec_file: fix memory leakage in create_dtb() when fdt_open_into() fails commit 656d1d58d8e0958d372db86c24f0b2ea36f50888 upstream. in function create_dtb(), if fdt_open_into() fails, we need to vfree buf before return. Fixes: 52b2a8af7436 ("arm64: kexec_file: load initrd and device-tree") Cc: stable@vger.kernel.org # v5.0 Signed-off-by: qiuguorui1 Link: https://lore.kernel.org/r/20210218125900.6810-1-qiuguorui1@huawei.com Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d4a7d6c022617330dd00b0336e74233214e8667d Author: Jiri Kosina Date: Fri Jan 22 12:13:20 2021 +0100 floppy: reintroduce O_NDELAY fix commit 8a0c014cd20516ade9654fc13b51345ec58e7be8 upstream. This issue was originally fixed in 09954bad4 ("floppy: refactor open() flags handling"). The fix as a side-effect, however, introduce issue for open(O_ACCMODE) that is being used for ioctl-only open. I wrote a fix for that, but instead of it being merged, full revert of 09954bad4 was performed, re-introducing the O_NDELAY / O_NONBLOCK issue, and it strikes again. This is a forward-port of the original fix to current codebase; the original submission had the changelog below: ==== Commit 09954bad4 ("floppy: refactor open() flags handling"), as a side-effect, causes open(/dev/fdX, O_ACCMODE) to fail. It turns out that this is being used setfdprm userspace for ioctl-only open(). Reintroduce back the original behavior wrt !(FMODE_READ|FMODE_WRITE) modes, while still keeping the original O_NDELAY bug fixed. Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2101221209060.5622@cbobk.fhfr.pm Cc: stable@vger.kernel.org Reported-by: Wim Osterholt Tested-by: Wim Osterholt Reported-and-tested-by: Kurt Garloff Fixes: 09954bad4 ("floppy: refactor open() flags handling") Fixes: f2791e7ead ("Revert "floppy: refactor open() flags handling"") Signed-off-by: Jiri Kosina Signed-off-by: Denis Efremov Signed-off-by: Greg Kroah-Hartman commit 337bba09d85020a94a7a1ac9e776381caaa54337 Author: Frederic Weisbecker Date: Mon Feb 1 00:05:45 2021 +0100 rcu/nocb: Perform deferred wake up before last idle's need_resched() check commit 43789ef3f7d61aa7bed0cb2764e588fc990c30ef upstream. Entering RCU idle mode may cause a deferred wake up of an RCU NOCB_GP kthread (rcuog) to be serviced. Usually a local wake up happening while running the idle task is handled in one of the need_resched() checks carefully placed within the idle loop that can break to the scheduler. Unfortunately the call to rcu_idle_enter() is already beyond the last generic need_resched() check and we may halt the CPU with a resched request unhandled, leaving the task hanging. Fix this with splitting the rcuog wakeup handling from rcu_idle_enter() and place it before the last generic need_resched() check in the idle loop. It is then assumed that no call to call_rcu() will be performed after that in the idle loop until the CPU is put in low power mode. Fixes: 96d3fd0d315a (rcu: Break call_rcu() deadlock involving scheduler and perf) Reported-by: Paul E. McKenney Signed-off-by: Frederic Weisbecker Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20210131230548.32970-3-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit 3cd9a74bead167bed0d783430e74b6eacff5f773 Author: Frederic Weisbecker Date: Mon Feb 1 00:05:44 2021 +0100 rcu: Pull deferred rcuog wake up to rcu_eqs_enter() callers commit 54b7429efffc99e845ba9381bee3244f012a06c2 upstream. Deferred wakeup of rcuog kthreads upon RCU idle mode entry is going to be handled differently whether initiated by idle, user or guest. Prepare with pulling that control up to rcu_eqs_enter() callers. Signed-off-by: Frederic Weisbecker Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20210131230548.32970-2-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit 14122331b1c35da5c35b6112ba47960834134ffb Author: Cédric Le Goater Date: Fri Jan 22 08:50:29 2021 +0100 powerpc/prom: Fix "ibm,arch-vec-5-platform-support" scan commit ed5b00a05c2ae95b59adc3442f45944ec632e794 upstream. The "ibm,arch-vec-5-platform-support" property is a list of pairs of bytes representing the options and values supported by the platform firmware. At boot time, Linux scans this list and activates the available features it recognizes : Radix and XIVE. A recent change modified the number of entries to loop on and 8 bytes, 4 pairs of { options, values } entries are always scanned. This is fine on KVM but not on PowerVM which can advertises less. As a consequence on this platform, Linux reads extra entries pointing to random data, interprets these as available features and tries to activate them, leading to a firmware crash in ibm,client-architecture-support. Fix that by using the property length of "ibm,arch-vec-5-platform-support". Fixes: ab91239942a9 ("powerpc/prom: Remove VLA in prom_check_platform_support()") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Cédric Le Goater Reviewed-by: Fabiano Rosas Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210122075029.797013-1-clg@kaod.org Signed-off-by: Greg Kroah-Hartman commit 84ec5883b4f96400c12e4bf193a2cc869030c819 Author: Sean Christopherson Date: Wed Dec 30 16:26:55 2020 -0800 x86/reboot: Force all cpus to exit VMX root if VMX is supported commit ed72736183c45a413a8d6974dd04be90f514cb6b upstream. Force all CPUs to do VMXOFF (via NMI shootdown) during an emergency reboot if VMX is _supported_, as VMX being off on the current CPU does not prevent other CPUs from being in VMX root (post-VMXON). This fixes a bug where a crash/panic reboot could leave other CPUs in VMX root and prevent them from being woken via INIT-SIPI-SIPI in the new kernel. Fixes: d176720d34c7 ("x86: disable VMX on all CPUs on reboot") Cc: stable@vger.kernel.org Suggested-by: Sean Christopherson Signed-off-by: David P. Reed [sean: reworked changelog and further tweaked comment] Signed-off-by: Sean Christopherson Message-Id: <20201231002702.2223707-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 4fa1541241644717a96bcbd7b35ef8a55f6bc1e3 Author: Sean Christopherson Date: Wed Dec 30 16:26:54 2020 -0800 x86/virt: Eat faults on VMXOFF in reboot flows commit aec511ad153556640fb1de38bfe00c69464f997f upstream. Silently ignore all faults on VMXOFF in the reboot flows as such faults are all but guaranteed to be due to the CPU not being in VMX root. Because (a) VMXOFF may be executed in NMI context, e.g. after VMXOFF but before CR4.VMXE is cleared, (b) there's no way to query the CPU's VMX state without faulting, and (c) the whole point is to get out of VMX root, eating faults is the simplest way to achieve the desired behaior. Technically, VMXOFF can fault (or fail) for other reasons, but all other fault and failure scenarios are mode related, i.e. the kernel would have to magically end up in RM, V86, compat mode, at CPL>0, or running with the SMI Transfer Monitor active. The kernel is beyond hosed if any of those scenarios are encountered; trying to do something fancy in the error path to handle them cleanly is pointless. Fixes: 1e9931146c74 ("x86: asm/virtext.h: add cpu_vmxoff() inline function") Reported-by: David P. Reed Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20201231002702.2223707-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3f5dc4a102a9dcb3f342be39dca044a3fcb0e63b Author: Pavel Machek Date: Wed Dec 30 13:55:50 2020 +0100 media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() commit 334de4b45892f7e67074e1b1b2ac36fd3e091118 upstream. Loop was useless as it would always exit on the first iteration. Fix it with right condition. Signed-off-by: Pavel Machek (CIP) Fixes: a86cf9b29e8b ("media: ipu3-cio2: Validate mbus format in setting subdev format") Tested-by: Laurent Pinchart Reviewed-by: Laurent Pinchart Cc: stable@vger.kernel.org # v4.16 and up Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit de9b5d51b627168adcdbc3e0ace08521d3960204 Author: Martin Kaiser Date: Thu Feb 4 09:52:17 2021 +0100 staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table commit 7a8d2f1908a59003e55ef8691d09efb7fbc51625 upstream. The Edimax EW-7811UN V2 uses an RTL8188EU chipset and works with this driver. Signed-off-by: Martin Kaiser Cc: stable Link: https://lore.kernel.org/r/20210204085217.9743-1-martin@kaiser.cx Signed-off-by: Greg Kroah-Hartman commit bb5bfd51f603fa9995ed5babccd1854d49b19e96 Author: Amey Narkhede Date: Thu Feb 11 11:08:19 2021 +0530 staging: gdm724x: Fix DMA from stack commit 7c3a0635cd008eaca9a734dc802709ee0b81cac5 upstream. Stack allocated buffers cannot be used for DMA on all architectures so allocate hci_packet buffer using kmalloc. Reviewed-by: Dan Carpenter Signed-off-by: Amey Narkhede Link: https://lore.kernel.org/r/20210211053819.34858-1-ameynarkhede03@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit d69583a2c1b38396c9bdcdffa3f3667cff12b0b8 Author: Ilya Lipnitskiy Date: Fri Jan 29 19:45:07 2021 -0800 staging/mt7621-dma: mtk-hsdma.c->hsdma-mt7621.c commit 1f92798cbe7fe923479cff754dd06dd23d352e36 upstream. Also use KBUILD_MODNAME for module name. This driver is only used by RALINK MIPS MT7621 SoCs. Tested by building against that target using OpenWrt with Linux 5.10.10. Fixes the following error: error: the following would cause module name conflict: drivers/dma/mediatek/mtk-hsdma.ko drivers/staging/mt7621-dma/mtk-hsdma.ko Cc: stable@vger.kernel.org Cc: Masahiro Yamada Signed-off-by: Ilya Lipnitskiy Link: https://lore.kernel.org/r/20210130034507.2115280-1-ilya.lipnitskiy@gmail.com Signed-off-by: Greg Kroah-Hartman commit eb6f42b101ec41da2a692c08c70f92cc01fc8085 Author: Frank Wunderlich Date: Wed Jan 13 19:09:19 2021 +0100 dts64: mt7622: fix slow sd card access commit dc2e76175417e69c41d927dba75a966399f18354 upstream. Fix extreme slow speed (200MB takes ~20 min) on writing sdcard on bananapi-r64 by adding reset-control for mmc1 like it's done for mmc0/emmc. Fixes: 2c002a3049f7 ("arm64: dts: mt7622: add mmc related device nodes") Signed-off-by: Frank Wunderlich Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210113180919.49523-1-linux@fw-web.de Signed-off-by: Matthias Brugger Signed-off-by: Greg Kroah-Hartman commit f73e98efaa10293577ae16e3e1a1fac3ab86e6d1 Author: Jiri Bohac Date: Thu Feb 18 12:15:47 2021 +0100 pstore: Fix typo in compression option name commit 19d8e9149c27b689c6224f5c84b96a159342195a upstream. Both pstore_compress() and decompress_record() use a mistyped config option name ("PSTORE_COMPRESSION" instead of "PSTORE_COMPRESS"). As a result compression and decompression of pstore records was always disabled. Use the correct config option name. Signed-off-by: Jiri Bohac Fixes: fd49e03280e5 ("pstore: Fix linking when crypto API disabled") Acked-by: Matteo Croce Signed-off-by: Kees Cook Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210218111547.johvp5klpv3xrpnn@dwarf.suse.cz Signed-off-by: Greg Kroah-Hartman commit c9e529e635b93351be19d7d1e3e080d538779ead Author: Sabyrzhan Tasbolatov Date: Tue Feb 9 16:26:12 2021 +0600 drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue commit 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e upstream. syzbot found WARNING in qp_broker_alloc[1] in qp_host_alloc_queue() when num_pages is 0x100001, giving queue_size + queue_page_size bigger than KMALLOC_MAX_SIZE for kzalloc(), resulting order >= MAX_ORDER condition. queue_size + queue_page_size=0x8000d8, where KMALLOC_MAX_SIZE=0x400000. [1] Call Trace: alloc_pages include/linux/gfp.h:547 [inline] kmalloc_order+0x40/0x130 mm/slab_common.c:837 kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853 kmalloc_large include/linux/slab.h:481 [inline] __kmalloc+0x257/0x330 mm/slub.c:3959 kmalloc include/linux/slab.h:557 [inline] kzalloc include/linux/slab.h:682 [inline] qp_host_alloc_queue drivers/misc/vmw_vmci/vmci_queue_pair.c:540 [inline] qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline] qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739 Reported-by: syzbot+15ec7391f3d6a1a7cc7d@syzkaller.appspotmail.com Signed-off-by: Sabyrzhan Tasbolatov Link: https://lore.kernel.org/r/20210209102612.2112247-1-snovitoll@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit d82d5a77f0a0e19452ce5229551b911312185079 Author: Ricky Wu Date: Thu Feb 4 16:31:15 2021 +0800 misc: rtsx: init of rts522a add OCP power off when no card is present commit 920fd8a70619074eac7687352c8f1c6f3c2a64a5 upstream. Power down OCP for power consumption when no SD/MMC card is present Cc: stable@vger.kernel.org Signed-off-by: Ricky Wu Link: https://lore.kernel.org/r/20210204083115.9471-1-ricky_wu@realtek.com Signed-off-by: Greg Kroah-Hartman commit aa00c2d60ae146779598ac8f929f853b7480b8cb Author: Paul Cercueil Date: Mon Jan 11 17:28:39 2021 +0000 seccomp: Add missing return in non-void function commit 04b38d012556199ba4c31195940160e0c44c64f0 upstream. We don't actually care about the value, since the kernel will panic before that; but a value should nonetheless be returned, otherwise the compiler will complain. Fixes: 8112c4f140fa ("seccomp: remove 2-phase API") Cc: stable@vger.kernel.org # 4.7+ Signed-off-by: Paul Cercueil Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210111172839.640914-1-paul@crapouillou.net Signed-off-by: Greg Kroah-Hartman commit 0d95bdee02ad96ca53435bdcfb06059e6f997fcb Author: Corentin Labbe Date: Mon Dec 14 20:02:29 2020 +0000 crypto: sun4i-ss - initialize need_fallback commit 4ec8977b921fd9d512701e009ce8082cb94b5c1c upstream. The need_fallback is never initialized and seem to be always true at runtime. So all hardware operations are always bypassed. Fixes: 0ae1f46c55f87 ("crypto: sun4i-ss - fallback when length is not multiple of blocksize") Cc: Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 903f576f4e66089600d69704e2a68f817c390ac6 Author: Corentin Labbe Date: Mon Dec 14 20:02:28 2020 +0000 crypto: sun4i-ss - handle BigEndian for cipher commit 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 upstream. Ciphers produce invalid results on BE. Key and IV need to be written in LE. Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Cc: Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 4fc52e091a2c8366f62b2a354aebc14b8c53bf6b Author: Corentin Labbe Date: Mon Dec 14 20:02:26 2020 +0000 crypto: sun4i-ss - checking sg length is not sufficient commit 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf upstream. The optimized cipher function need length multiple of 4 bytes. But it get sometimes odd length. This is due to SG data could be stored with an offset. So the fix is to check also if the offset is aligned with 4 bytes. Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Cc: Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 3b40af844c26777763311c321e695d10cf99434e Author: Ard Biesheuvel Date: Mon Jan 4 16:55:46 2021 +0100 crypto: aesni - prevent misaligned buffers on the stack commit a13ed1d15b07a04b1f74b2df61ff7a5e47f45dd8 upstream. The GCM mode driver uses 16 byte aligned buffers on the stack to pass the IV to the asm helpers, but unfortunately, the x86 port does not guarantee that the stack pointer is 16 byte aligned upon entry in the first place. Since the compiler is not aware of this, it will not emit the additional stack realignment sequence that is needed, and so the alignment is not guaranteed to be more than 8 bytes. So instead, allocate some padding on the stack, and realign the IV pointer by hand. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 46e6d781f87e34dce20947a970a7ba546855a87f Author: Ard Biesheuvel Date: Thu Jan 14 19:10:10 2021 +0100 crypto: arm64/sha - add missing module aliases commit 0df07d8117c3576f1603b05b84089742a118d10a upstream. The accelerated, instruction based implementations of SHA1, SHA2 and SHA3 are autoloaded based on CPU capabilities, given that the code is modest in size, and widely used, which means that resolving the algo name, loading all compatible modules and picking the one with the highest priority is taken to be suboptimal. However, if these algorithms are requested before this CPU feature based matching and autoloading occurs, these modules are not even considered, and we end up with suboptimal performance. So add the missing module aliases for the various SHA implementations. Cc: Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit dca4f29507e4c5f955e49a78ca5a77a4382d0d3c Author: Filipe Manana Date: Thu Feb 4 14:35:44 2021 +0000 btrfs: fix extent buffer leak on failure to copy root commit 72c9925f87c8b74f36f8e75a4cd93d964538d3ca upstream. At btrfs_copy_root(), if the call to btrfs_inc_ref() fails we end up returning without unlocking and releasing our reference on the extent buffer named "cow" we previously allocated with btrfs_alloc_tree_block(). So fix that by unlocking the extent buffer and dropping our reference on it before returning. Fixes: be20aa9dbadc8c ("Btrfs: Add mount option to turn off data cow") CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit df369c3afb0d138e43cae3ad82a54abfe80dbe18 Author: Josef Bacik Date: Thu Jan 14 14:02:43 2021 -0500 btrfs: splice remaining dirty_bg's onto the transaction dirty bg list commit 938fcbfb0cbcf532a1869efab58e6009446b1ced upstream. While doing error injection testing with my relocation patches I hit the following assert: assertion failed: list_empty(&block_group->dirty_list), in fs/btrfs/block-group.c:3356 ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.h:3357! invalid opcode: 0000 [#1] SMP NOPTI CPU: 0 PID: 24351 Comm: umount Tainted: G W 5.10.0-rc3+ #193 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 RIP: 0010:assertfail.constprop.0+0x18/0x1a RSP: 0018:ffffa09b019c7e00 EFLAGS: 00010282 RAX: 0000000000000056 RBX: ffff8f6492c18000 RCX: 0000000000000000 RDX: ffff8f64fbc27c60 RSI: ffff8f64fbc19050 RDI: ffff8f64fbc19050 RBP: ffff8f6483bbdc00 R08: 0000000000000000 R09: 0000000000000000 R10: ffffa09b019c7c38 R11: ffffffff85d70928 R12: ffff8f6492c18100 R13: ffff8f6492c18148 R14: ffff8f6483bbdd70 R15: dead000000000100 FS: 00007fbfda4cdc40(0000) GS:ffff8f64fbc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fbfda666fd0 CR3: 000000013cf66002 CR4: 0000000000370ef0 Call Trace: btrfs_free_block_groups.cold+0x55/0x55 close_ctree+0x2c5/0x306 ? fsnotify_destroy_marks+0x14/0x100 generic_shutdown_super+0x6c/0x100 kill_anon_super+0x14/0x30 btrfs_kill_super+0x12/0x20 deactivate_locked_super+0x36/0xa0 cleanup_mnt+0x12d/0x190 task_work_run+0x5c/0xa0 exit_to_user_mode_prepare+0x1b1/0x1d0 syscall_exit_to_user_mode+0x54/0x280 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This happened because I injected an error in btrfs_cow_block() while running the dirty block groups. When we run the dirty block groups, we splice the list onto a local list to process. However if an error occurs, we only cleanup the transactions dirty block group list, not any pending block groups we have on our locally spliced list. In fact if we fail to allocate a path in this function we'll also fail to clean up the splice list. Fix this by splicing the list back onto the transaction dirty block group list so that the block groups are cleaned up. Then add a 'out' label and have the error conditions jump to out so that the errors are handled properly. This also has the side-effect of fixing a problem where we would clear 'ret' on error because we unconditionally ran btrfs_run_delayed_refs(). CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit dc0780e456ac764dbeaa68afa6f0bdc2126f704b Author: Josef Bacik Date: Thu Jan 14 14:02:42 2021 -0500 btrfs: fix reloc root leak with 0 ref reloc roots on recovery commit c78a10aebb275c38d0cfccae129a803fe622e305 upstream. When recovering a relocation, if we run into a reloc root that has 0 refs we simply add it to the reloc_control->reloc_roots list, and then clean it up later. The problem with this is __del_reloc_root() doesn't do anything if the root isn't in the radix tree, which in this case it won't be because we never call __add_reloc_root() on the reloc_root. This exit condition simply isn't correct really. During normal operation we can remove ourselves from the rb tree and then we're meant to clean up later at merge_reloc_roots() time, and this happens correctly. During recovery we're depending on free_reloc_roots() to drop our references, but we're short-circuiting. Fix this by continuing to check if we're on the list and dropping ourselves from the reloc_control root list and dropping our reference appropriately. Change the corresponding BUG_ON() to an ASSERT() that does the correct thing if we aren't in the rb tree. CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit c0baf3aaf4b90e877c497a7771026a8f1bbd937a Author: Josef Bacik Date: Thu Jan 14 14:02:46 2021 -0500 btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root commit 867ed321f90d06aaba84e2c91de51cd3038825ef upstream. While testing my error handling patches, I added a error injection site at btrfs_inc_extent_ref, to validate the error handling I added was doing the correct thing. However I hit a pretty ugly corruption while doing this check, with the following error injection stack trace: btrfs_inc_extent_ref btrfs_copy_root create_reloc_root btrfs_init_reloc_root btrfs_record_root_in_trans btrfs_start_transaction btrfs_update_inode btrfs_update_time touch_atime file_accessed btrfs_file_mmap This is because we do not catch the error from btrfs_inc_extent_ref, which in practice would be ENOMEM, which means we lose the extent references for a root that has already been allocated and inserted, which is the problem. Fix this by aborting the transaction if we fail to do the reference modification. CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 2910038c09f4c8d839f663df1e09233c4e40a739 Author: Jarkko Sakkinen Date: Fri Jan 29 01:56:20 2021 +0200 KEYS: trusted: Fix migratable=1 failing commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream. Consider the following transcript: $ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u add_key: Invalid argument The documentation has the following description: migratable= 0|1 indicating permission to reseal to new PCR values, default 1 (resealing allowed) The consequence is that "migratable=1" should succeed. Fix this by allowing this condition to pass instead of return -EINVAL. [*] Documentation/security/keys/trusted-encrypted.rst Cc: stable@vger.kernel.org Cc: "James E.J. Bottomley" Cc: Mimi Zohar Cc: David Howells Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 2c21eac499f8674abb5e7b30e3d8e4f734792f9e Author: James Bottomley Date: Thu Oct 1 11:09:22 2020 -0700 tpm_tis: Clean up locality release commit e42acf104d6e0bd7ccd2f09103d5be5e6d3c637c upstream. The current release locality code seems to be based on the misunderstanding that the TPM interrupts when a locality is released: it doesn't, only when the locality is acquired. Furthermore, there seems to be no point in waiting for the locality to be released. All it does is penalize the last TPM user. However, if there's no next TPM user, this is a pointless wait and if there is a next TPM user, they'll pay the penalty waiting for the new locality (or possibly not if it's the same as the old locality). Fix the code by making release_locality as simple write to release with no waiting for completion. Cc: stable@ger.kernel.org Fixes: 33bafe90824b ("tpm_tis: verify locality released before returning from release_locality") Signed-off-by: James Bottomley Reviewed-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit f19b98394c0ac6d958aa17ee45b8d89bee81b841 Author: James Bottomley Date: Thu Oct 1 11:09:21 2020 -0700 tpm_tis: Fix check_locality for correct locality acquisition commit 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 upstream. The TPM TIS specification says the TPM signals the acquisition of locality when the TMP_ACCESS_REQUEST_USE bit goes to one *and* the TPM_ACCESS_REQUEST_USE bit goes to zero. Currently we only check the former not the latter, so check both. Adding the check on TPM_ACCESS_REQUEST_USE should fix the case where the locality is re-requested before the TPM has released it. In this case the locality may get released briefly before it is reacquired, which causes all sorts of problems. However, with the added check, TPM_ACCESS_REQUEST_USE should remain 1 until the second request for the locality is granted. Cc: stable@ger.kernel.org Fixes: 27084efee0c3 ("[PATCH] tpm: driver for next generation TPM chips") Signed-off-by: James Bottomley Reviewed-by: Jerry Snitselaar Signed-off-by: Jarkko Sakkinen Signed-off-by: Greg Kroah-Hartman commit 52f3bdb1078aaac069fd41b64f13e92d218faa6d Author: Gao Xiang Date: Tue Feb 9 21:06:18 2021 +0800 erofs: initialized fields can only be observed after bit is set commit ce063129181312f8781a047a50be439c5859747b upstream. Currently, although set_bit() & test_bit() pairs are used as a fast- path for initialized configurations. However, these atomic ops are actually relaxed forms. Instead, load-acquire & store-release form is needed to make sure uninitialized fields won't be observed in advance here (yet no such corresponding bitops so use full barriers instead.) Link: https://lore.kernel.org/r/20210209130618.15838-1-hsiangkao@aol.com Fixes: 62dc45979f3f ("staging: erofs: fix race of initializing xattrs of a inode at the same time") Fixes: 152a333a5895 ("staging: erofs: add compacted compression indexes support") Cc: # 5.3+ Reported-by: Huang Jianan Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Greg Kroah-Hartman commit 4d09487509ad85ea185dfef164ba1d38c111f9ea Author: Andrey Grodzovsky Date: Mon Jan 18 16:01:13 2021 -0500 drm/sched: Cancel and flush all outstanding jobs before finish. commit e582951baabba3e278c97169d0acc1e09b24a72e upstream. To avoid any possible use after free. Signed-off-by: Andrey Grodzovsky Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/414814/ CC: stable@vger.kernel.org Signed-off-by: Christian König Signed-off-by: Greg Kroah-Hartman commit c38fd6afe146d2199dc69357a17ba184b31fbd3f Author: Karol Herbst Date: Fri Nov 27 19:39:09 2020 +0100 drm/nouveau/kms: handle mDP connectors commit d1f5a3fc85566e9ddce9361ef180f070367e6eab upstream. In some cases we have the handle those explicitly as the fallback connector type detection fails and marks those as eDP connectors. Attempting to use such a connector with mutter leads to a crash of mutter as it ends up with two eDP displays. Information is taken from the official DCB documentation. Cc: stable@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: Ben Skeggs Reported-by: Mark Pearson Tested-by: Mark Pearson Signed-off-by: Karol Herbst Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 7c1a2f91908f5a0c789907a1221d802aa4c7beeb Author: Alex Deucher Date: Tue Feb 16 10:57:00 2021 -0500 drm/amdgpu: Set reference clock to 100Mhz on Renoir (v2) commit 6e80fb8ab04f6c4f377e2fd422bdd1855beb7371 upstream. Fixes the rlc reference clock used for GPU timestamps. Value is 100Mhz. Confirmed with hardware team. v2: reword commit message. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1480 Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit ca5a8ad84ba0d431daacd912da8b1d6594bc9e3c Author: Rodrigo Siqueira Date: Fri Feb 5 14:15:11 2021 -0500 drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1 commit 688f97ed3f5e339c0c2c09d9ee7ff23d5807b0a7 upstream. When run igt@kms_vrr in a device that uses DCN2.1 architecture, we noticed multiple failures. Furthermore, when we tested a VRR demo, we noticed a system hang where the mouse pointer still works, but the entire system freezes; in this case, we don't see any dmesg warning or failure messages kernel. This happens due to a lack of vupdate_no_lock interrupt, making the userspace wait eternally to get the event back. For fixing this issue, we need to add the vupdate_no_lock interrupt in the interrupt list. Signed-off-by: Rodrigo Siqueira Acked-by: Bindu Ramamurthy Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 5431cb67306d6d488bc33f5aa7cb91191691b353 Author: Kai Krakow Date: Wed Feb 10 13:07:27 2021 +0800 bcache: Move journal work to new flush wq commit afe78ab46f638ecdf80a35b122ffc92c20d9ae5d upstream. This is potentially long running and not latency sensitive, let's get it out of the way of other latency sensitive events. As observed in the previous commit, the `system_wq` comes easily congested by bcache, and this fixes a few more stalls I was observing every once in a while. Let's not make this `WQ_MEM_RECLAIM` as it showed to reduce performance of boot and file system operations in my tests. Also, without `WQ_MEM_RECLAIM`, I no longer see desktop stalls. This matches the previous behavior as `system_wq` also does no memory reclaim: > // workqueue.c: > system_wq = alloc_workqueue("events", 0, 0); Cc: Coly Li Cc: stable@vger.kernel.org # 5.4+ Signed-off-by: Kai Krakow Signed-off-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit a339f0998eb1b06606a794ff37957b1d1d13311d Author: Kai Krakow Date: Wed Feb 10 13:07:26 2021 +0800 bcache: Give btree_io_wq correct semantics again commit d797bd9897e3559eb48d68368550d637d32e468c upstream. Before killing `btree_io_wq`, the queue was allocated using `create_singlethread_workqueue()` which has `WQ_MEM_RECLAIM`. After killing it, it no longer had this property but `system_wq` is not single threaded. Let's combine both worlds and make it multi threaded but able to reclaim memory. Cc: Coly Li Cc: stable@vger.kernel.org # 5.4+ Signed-off-by: Kai Krakow Signed-off-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit de5510b9825cd74b07412591a15bba1bd422c6aa Author: Kai Krakow Date: Wed Feb 10 13:07:25 2021 +0800 Revert "bcache: Kill btree_io_wq" commit 9f233ffe02e5cef611100cd8c5bcf4de26ca7bef upstream. This reverts commit 56b30770b27d54d68ad51eccc6d888282b568cee. With the btree using the `system_wq`, I seem to see a lot more desktop latency than I should. After some more investigation, it looks like the original assumption of 56b3077 no longer is true, and bcache has a very high potential of congesting the `system_wq`. In turn, this introduces laggy desktop performance, IO stalls (at least with btrfs), and input events may be delayed. So let's revert this. It's important to note that the semantics of using `system_wq` previously mean that `btree_io_wq` should be created before and destroyed after other bcache wqs to keep the same assumptions. Cc: Coly Li Cc: stable@vger.kernel.org # 5.4+ Signed-off-by: Kai Krakow Signed-off-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f6992915031e601d446101d2bbb488703425dc6a Author: PeiSen Hou Date: Tue Feb 2 10:30:22 2021 +0100 ALSA: hda/realtek: modify EAPD in the ALC886 commit 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 upstream. Modify 0x20 index 7 bit 5 to 1, make the 0x15 EAPD the same as 0x14. Signed-off-by: PeiSen Hou Cc: Link: https://lore.kernel.org/r/e62c5058957f48d8b8953e97135ff108@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 48d1950dafe956728243ba3e1ae42e8940ca85b6 Author: Kai Vehmanen Date: Fri Feb 12 17:10:22 2021 +0200 ALSA: hda: Add another CometLake-H PCI ID commit 0d3070f5e6551d8a759619e85736e49a3bf40398 upstream. Add one more HD Audio PCI ID for CometLake-H PCH. Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Cc: Link: https://lore.kernel.org/r/20210212151022.2568567-1-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3ed9bd25fd8885da3c3143de6e84f084cd071de1 Author: Dan Carpenter Date: Thu Jan 28 12:35:23 2021 +0300 USB: serial: mos7720: fix error code in mos7720_write() commit fea7372cbc40869876df0f045e367f6f97a1666c upstream. This code should return -ENOMEM if the kmalloc() fails but instead it returns success. Signed-off-by: Dan Carpenter Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit e73874b4128661fcbb12db85e59d886dd1e7cdde Author: Dan Carpenter Date: Tue Jan 26 13:26:54 2021 +0300 USB: serial: mos7840: fix error code in mos7840_write() commit a70aa7dc60099bbdcbd6faca42a915d80f31161e upstream. This should return -ENOMEM instead of 0 if the kmalloc() fails. Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") Signed-off-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit a678d130424a8da74220341a6e6f0d28c16658b6 Author: Johan Hovold Date: Tue Jan 26 14:59:17 2021 +0100 USB: serial: ftdi_sio: fix FTX sub-integer prescaler commit 528222d0c8ce93e435a95cd1e476b60409dd5381 upstream. The most-significant bit of the sub-integer-prescaler index is set in the high byte of the baudrate request wIndex also for FTX devices. This fixes rates like 1152000 which got mapped to 1.2 MBd. Reported-by: Vladimir Link: https://bugzilla.kernel.org/show_bug.cgi?id=210351 Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit d1f773b70ae662584f3c1f3a4b4390fdda968d93 Author: Thinh Nguyen Date: Mon Feb 8 13:53:16 2021 -0800 usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt commit 4b049f55ed95cd889bcdb3034fd75e1f01852b38 upstream. The dep->interval captures the number of frames/microframes per interval from bInterval. Fullspeed interrupt endpoint bInterval is the number of frames per interval and not 2^(bInterval - 1). So fix it here. This change is only for debugging purpose and should not affect the interrupt endpoint operation. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/1263b563dedc4ab8b0fb854fba06ce4bc56bd495.1612820995.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 1c073b56e765d037d09ebe7018e1bbae05b29c95 Author: Thinh Nguyen Date: Mon Feb 8 13:53:10 2021 -0800 usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 commit a1679af85b2ae35a2b78ad04c18bb069c37330cc upstream. Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it must be set to 0 when the controller operates in full-speed. See the programming guide for DEPCFG command section 3.2.2.1 (v3.30a). Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Cc: Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/3f57026f993c0ce71498dbb06e49b3a47c4d0265.1612820995.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit a5ae281779a54cbe22d96bd384f731f7a3b80d68 Author: Paul Cercueil Date: Sat Jan 23 14:24:59 2021 +0000 usb: musb: Fix runtime PM race in musb_queue_resume_work commit 0eaa1a3714db34a59ce121de5733c3909c529463 upstream. musb_queue_resume_work() would call the provided callback if the runtime PM status was 'active'. Otherwise, it would enqueue the request if the hardware was still suspended (musb->is_runtime_suspended is true). This causes a race with the runtime PM handlers, as it is possible to be in the case where the runtime PM status is not yet 'active', but the hardware has been awaken (PM resume function has been called). When hitting the race, the resume work was not enqueued, which probably triggered other bugs further down the stack. For instance, a telnet connection on Ingenic SoCs would result in a 50/50 chance of a segmentation fault somewhere in the musb code. Rework the code so that either we call the callback directly if (musb->is_runtime_suspended == 0), or enqueue the query otherwise. Fixes: ea2f35c01d5e ("usb: musb: Fix sleeping function called from invalid context for hdrc glue") Cc: stable@vger.kernel.org # v4.9+ Tested-by: Tony Lindgren Reviewed-by: Tony Lindgren Signed-off-by: Paul Cercueil Link: https://lore.kernel.org/r/20210123142502.16980-1-paul@crapouillou.net Signed-off-by: Greg Kroah-Hartman commit e3ddfaf3e6173e9fad7d08ff3df485b2fbce8bd7 Author: Lech Perczak Date: Sun Feb 7 01:54:43 2021 +0100 USB: serial: option: update interface mapping for ZTE P685M commit 6420a569504e212d618d4a4736e2c59ed80a8478 upstream. This patch prepares for qmi_wwan driver support for the device. Previously "option" driver mapped itself to interfaces 0 and 3 (matching ff/ff/ff), while interface 3 is in fact a QMI port. Interfaces 1 and 2 (matching ff/00/00) expose AT commands, and weren't supported previously at all. Without this patch, a possible conflict would exist if device ID was added to qmi_wwan driver for interface 3. Update and simplify device ID to match interfaces 0-2 directly, to expose QCDM (0), PCUI (1), and modem (2) ports and avoid conflict with QMI (3), and ADB (4). The modem is used inside ZTE MF283+ router and carriers identify it as such. Interface mapping is: 0: QCDM, 1: AT (PCUI), 2: AT (Modem), 3: QMI, 4: ADB T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=19d2 ProdID=1275 Rev=f0.00 S: Manufacturer=ZTE,Incorporated S: Product=ZTE Technologies MSM S: SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0 C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan E: Ad=87(I) Atr=03(Int.) MxPS= 8 Ivl=32ms E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms Cc: Johan Hovold Cc: Bjørn Mork Signed-off-by: Lech Perczak Link: https://lore.kernel.org/r/20210207005443.12936-1-lech.perczak@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 32a82e001ead372f9909af058b98e3da102bc50a Author: James Reynolds Date: Tue Dec 22 13:07:04 2020 +0100 media: mceusb: Fix potential out-of-bounds shift commit 1b43bad31fb0e00f45baf5b05bd21eb8d8ce7f58 upstream. When processing a MCE_RSP_GETPORTSTATUS command, the bit index to set in ir->txports_cabled comes from response data, and isn't validated. As ir->txports_cabled is a u8, nothing should be done if the bit index is greater than 7. Cc: stable@vger.kernel.org Reported-by: syzbot+ec3b3128c576e109171d@syzkaller.appspotmail.com Signed-off-by: James Reynolds Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 8812bed7ec749060623bd395c399834e23beb106 Author: Marcos Paulo de Souza Date: Fri Feb 19 10:37:13 2021 -0800 Input: i8042 - add ASUS Zenbook Flip to noselftest list commit b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 upstream. After commit 77b425399f6d ("Input: i8042 - use chassis info to skip selftest on Asus laptops"), all modern Asus laptops have the i8042 selftest disabled. It has done by using chassys type "10" (laptop). The Asus Zenbook Flip suffers from similar suspend/resume issues, but it _sometimes_ work and sometimes it doesn't. Setting noselftest makes it work reliably. In this case, we need to add chassis type "31" (convertible) in order to avoid selftest in this device. Reported-by: Ludvig Norgren Guldhag Signed-off-by: Marcos Paulo de Souza Link: https://lore.kernel.org/r/20210219164638.761-1-mpdesouza@suse.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 80168ba86034fc938970500b40c88b3914fede96 Author: Dan Carpenter Date: Wed Feb 17 12:21:10 2021 -0800 Input: joydev - prevent potential read overflow in ioctl commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream. The problem here is that "len" might be less than "joydev->nabs" so the loops which verfy abspam[i] and keypam[] might read beyond the buffer. Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda [dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP] Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 9fe66416b02e1fe7f431f91605c03aa91fc6edf4 Author: Olivier Crête Date: Fri Feb 5 11:59:08 2021 -0800 Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S commit 42ffcd1dba1796bcda386eb6f260df9fc23c90af upstream. Signed-off-by: Olivier Crête Link: https://lore.kernel.org/r/20210204005318.615647-1-olivier.crete@collabora.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit d84f9c28abbe391fcbeebf19288e22450bd9b832 Author: jeffrey.lin Date: Tue Dec 15 10:50:12 2020 -0800 Input: raydium_ts_i2c - do not send zero length commit fafd320ae51b9c72d371585b2501f86640ea7b7d upstream. Add default write command package to prevent i2c quirk error of zero data length as Raydium touch firmware update is executed. Signed-off-by: jeffrey.lin Link: https://lore.kernel.org/r/1608031217-7247-1-git-send-email-jeffrey.lin@raydium.corp-partner.google.com Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 2d954832ba48d02a77387d0c4b8d71a1e8b91282 Author: Jason Gerecke Date: Tue Feb 16 11:41:54 2021 -0800 HID: wacom: Ignore attempts to overwrite the touch_max value from HID commit 88f38846bfb1a452a3d47e38aeab20a4ceb74294 upstream. The `wacom_feature_mapping` function is careful to only set the the touch_max value a single time, but this care does not extend to the `wacom_wac_finger_event` function. In particular, if a device sends multiple HID_DG_CONTACTMAX items in a single feature report, the driver will end up retaining the value of last item. The HID descriptor for the Cintiq Companion 2 does exactly this. It incorrectly sets a "Report Count" of 2, which will cause the driver to process two HID_DG_CONTACTCOUNT items. The first item has the actual count, while the second item should have been declared as a constant zero. The constant zero is the value the driver ends up using, however, since it is the last HID_DG_CONTACTCOUNT in the report. Report ID (16), Usage (Contact Count Maximum), ; Contact count maximum (55h, static value) Report Count (2), Logical Maximum (10), Feature (Variable), To address this, we add a check that the touch_max is not already set within the `wacom_wac_finger_event` function that processes the HID_DG_TOUCHMAX item. We emit a warning if the value is set and ignore the updated value. This could potentially cause problems if there is a tablet which has a similar issue but requires the last item to be used. This is unlikely, however, since it would have to have a different non-zero value for HID_DG_CONTACTMAX earlier in the same report, which makes no sense except in the case of a firmware bug. Note that cases where the HID_DG_CONTACTMAX items are in different reports is already handled (and similarly ignored) by `wacom_feature_mapping` as mentioned above. Link: https://github.com/linuxwacom/input-wacom/issues/223 Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report") Signed-off-by: Jason Gerecke CC: stable@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 394f2b794310f48abde38dbed33aae7ae98db6a2 Author: Filipe Laíns Date: Fri Feb 5 14:34:44 2021 +0000 HID: logitech-dj: add support for keyboard events in eQUAD step 4 Gaming commit ef07c116d98772952807492bd32a61f5af172a94 upstream. In e400071a805d6229223a98899e9da8c6233704a1 I added support for the receiver that comes with the G602 device, but unfortunately I screwed up during testing and it seems the keyboard events were actually not being sent to userspace. This resulted in keyboard events being broken in userspace, please backport the fix. The receiver uses the normal 0x01 Logitech keyboard report descriptor, as expected, so it is just a matter of flagging it as supported. Reported in https://github.com/libratbag/libratbag/issues/1124 Fixes: e400071a805d6 ("HID: logitech-dj: add the G602 receiver") Cc: Signed-off-by: Filipe Laíns Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit e690b3f486358ae27eaf90385ba7e5ff099f19ec Author: Qinglang Miao Date: Fri Jan 15 10:22:50 2021 +0800 ACPI: configfs: add missing check after configfs_register_default_group() commit 67e40054de86aae520ddc2a072d7f6951812a14f upstream. A list_add corruption is reported by Hulk Robot like this: ============== list_add corruption. Call Trace: link_obj+0xc0/0x1c0 link_group+0x21/0x140 configfs_register_subsystem+0xdb/0x380 acpi_configfs_init+0x25/0x1000 [acpi_configfs] do_one_initcall+0x149/0x820 do_init_module+0x1ef/0x720 load_module+0x35c8/0x4380 __do_sys_finit_module+0x10d/0x1a0 do_syscall_64+0x34/0x80 It's because of the missing check after configfs_register_default_group, where configfs_unregister_subsystem should be called once failure. Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs") Reported-by: Hulk Robot Suggested-by: Hanjun Guo Signed-off-by: Qinglang Miao Cc: 4.10+ # 4.10+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 40b70c98be98b0aa0e8afcdcfd6889b3b08dd7eb Author: Rafael J. Wysocki Date: Thu Feb 11 19:30:01 2021 +0100 ACPI: property: Fix fwnode string properties matching commit e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 upstream. Property matching does not work for ACPI fwnodes if the value of the given property is not represented as a package in the _DSD package containing it. For example, the "compatible" property in the _DSD below Name (_DSD, Package () { ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"), Package () { Package () {"compatible", "ethernet-phy-ieee802.3-c45"} } }) will not be found by fwnode_property_match_string(), because the ACPI code handling device properties does not regard the single value as a "list" in that case. Namely, fwnode_property_match_string() invoked to match a given string property value first calls fwnode_property_read_string_array() with the last two arguments equal to NULL and 0, respectively, in order to count the items in the value of the given property, with the assumption that this value may be an array. For ACPI fwnodes, that operation is carried out by acpi_node_prop_read() which calls acpi_data_prop_read() for this purpose. However, when the return (val) pointer is NULL, that function only looks for a property whose value is a package without checking the single-value case at all. To fix that, make acpi_data_prop_read() check the single-value case if its return pointer argument is NULL and modify acpi_data_prop_read_single() handling that case to attempt to read the value of the property if the return pointer is NULL and return 1 if that succeeds. Fixes: 3708184afc77 ("device property: Move FW type specific functionality to FW specific files") Reported-by: Calvin Johnson Cc: 4.13+ # 4.13+ Signed-off-by: Rafael J. Wysocki Reviewed-by: Sakari Ailus Reviewed-by: Mika Westerberg Reviewed-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 371a2218ed33b5f7b9b42385223539c34ed7e0d4 Author: Mikulas Patocka Date: Tue Feb 23 19:25:30 2021 -0700 blk-settings: align max_sectors on "logical_block_size" boundary commit 97f433c3601a24d3513d06f575a389a2ca4e11e4 upstream. We get I/O errors when we run md-raid1 on the top of dm-integrity on the top of ramdisk. device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 device-mapper: integrity: Bio not aligned on 8 sectors: 0x8048, 0xff device-mapper: integrity: Bio not aligned on 8 sectors: 0x8147, 0xff device-mapper: integrity: Bio not aligned on 8 sectors: 0x8246, 0xff device-mapper: integrity: Bio not aligned on 8 sectors: 0x8345, 0xbb The ramdisk device has logical_block_size 512 and max_sectors 255. The dm-integrity device uses logical_block_size 4096 and it doesn't affect the "max_sectors" value - thus, it inherits 255 from the ramdisk. So, we have a device with max_sectors not aligned on logical_block_size. The md-raid device sees that the underlying leg has max_sectors 255 and it will split the bios on 255-sector boundary, making the bios unaligned on logical_block_size. In order to fix the bug, we round down max_sectors to logical_block_size. Cc: stable@vger.kernel.org Reviewed-by: Ming Lei Signed-off-by: Mikulas Patocka Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4ad2a372e1cdf9e3cc5b380074eb6b646ba581df Author: Randy Dunlap Date: Sat Feb 13 11:24:28 2021 -0800 scsi: bnx2fc: Fix Kconfig warning & CNIC build errors [ Upstream commit eefb816acb0162e94a85a857f3a55148f671d5a5 ] CNIC depends on MMU, but since 'select' does not follow any dependency chains, SCSI_BNX2X_FCOE also needs to depend on MMU, so that erroneous configs are not generated, which cause build errors in cnic. WARNING: unmet direct dependencies detected for CNIC Depends on [n]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_BROADCOM [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && MMU [=n] Selected by [y]: - SCSI_BNX2X_FCOE [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && (IPV6 [=n] || IPV6 [=n]=n) && LIBFC [=y] && LIBFCOE [=y] riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L154': cnic.c:(.text+0x1094): undefined reference to `uio_event_notify' riscv64-linux-ld: cnic.c:(.text+0x10bc): undefined reference to `uio_event_notify' riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L1442': cnic.c:(.text+0x96a8): undefined reference to `__uio_register_device' riscv64-linux-ld: drivers/net/ethernet/broadcom/cnic.o: in function `.L0 ': cnic.c:(.text.unlikely+0x68): undefined reference to `uio_unregister_device' Link: https://lore.kernel.org/r/20210213192428.22537-1-rdunlap@infradead.org Fixes: 853e2bd2103a ("[SCSI] bnx2fc: Broadcom FCoE offload driver") Cc: Saurav Kashyap Cc: Javed Hasan Cc: GR-QLogic-Storage-Upstream@marvell.com Cc: "James E.J. Bottomley" Cc: "Martin K. Petersen" Cc: linux-scsi@vger.kernel.org Reported-by: kernel test robot Signed-off-by: Randy Dunlap Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d2aa80c36727b9fccfcde791bd06f30cde8d1a7d Author: Miaohe Lin Date: Thu Feb 25 17:18:09 2021 -0800 mm/rmap: fix potential pte_unmap on an not mapped pte [ Upstream commit 5d5d19eda6b0ee790af89c45e3f678345be6f50f ] For PMD-mapped page (usually THP), pvmw->pte is NULL. For PTE-mapped THP, pvmw->pte is mapped. But for HugeTLB pages, pvmw->pte is not mapped and set to the relevant page table entry. So in page_vma_mapped_walk_done(), we may do pte_unmap() for HugeTLB pte which is not mapped. Fix this by checking pvmw->page against PageHuge before trying to do pte_unmap(). Link: https://lkml.kernel.org/r/20210127093349.39081-1-linmiaohe@huawei.com Fixes: ace71a19cec5 ("mm: introduce page_vma_mapped_walk()") Signed-off-by: Hongxiang Lou Signed-off-by: Miaohe Lin Tested-by: Sedat Dilek Cc: Kees Cook Cc: Nathan Chancellor Cc: Mike Kravetz Cc: Shakeel Butt Cc: Johannes Weiner Cc: Vlastimil Babka Cc: Michel Lespinasse Cc: Nick Desaulniers Cc: "Kirill A. Shutemov" Cc: Wei Yang Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: Brian Geffon Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 8450b1cd7cb3292ec2df24300269bcbc4855e794 Author: Maxime Ripard Date: Thu Feb 25 17:11:01 2021 +0100 i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition [ Upstream commit a1858ce0cfe31368b23ba55794e409fb57ced4a4 ] The brcmstb_send_i2c_cmd currently has a condition that is (CMD_RD || CMD_WR) which always evaluates to true, while the obvious fix is to test whether the cmd variable passed as parameter holds one of these two values. Fixes: dd1aa2524bc5 ("i2c: brcmstb: Add Broadcom settop SoC i2c controller driver") Reported-by: Dave Stevenson Signed-off-by: Maxime Ripard Acked-by: Florian Fainelli Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 1a47856548fb4801ee936e4f30ec1613f4b444cb Author: Marc Zyngier Date: Wed Feb 24 09:37:37 2021 +0000 arm64: Add missing ISB after invalidating TLB in __primary_switch [ Upstream commit 9d41053e8dc115c92b8002c3db5f545d7602498b ] Although there has been a bit of back and forth on the subject, it appears that invalidating TLBs requires an ISB instruction when FEAT_ETS is not implemented by the CPU. From the bible: | In an implementation that does not implement FEAT_ETS, a TLB | maintenance instruction executed by a PE, PEx, can complete at any | time after it is issued, but is only guaranteed to be finished for a | PE, PEx, after the execution of DSB by the PEx followed by a Context | synchronization event Add the missing ISB in __primary_switch, just in case. Fixes: 3c5e9f238bc4 ("arm64: head.S: move KASLR processing out of __enable_mmu()") Suggested-by: Will Deacon Signed-off-by: Marc Zyngier Acked-by: Mark Rutland Link: https://lore.kernel.org/r/20210224093738.3629662-3-maz@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 94a432151c35020d7bcb670fda59fef670ae4794 Author: Heiner Kallweit Date: Thu Feb 25 16:05:19 2021 +0100 r8169: fix jumbo packet handling on RTL8168e [ Upstream commit 6cf739131a15e4177e58a1b4f2bede9d5da78552 ] Josef reported [0] that using jumbo packets fails on RTL8168e. Aligning the values for register MaxTxPacketSize with the vendor driver fixes the problem. [0] https://bugzilla.kernel.org/show_bug.cgi?id=211827 Fixes: d58d46b5d851 ("r8169: jumbo fixes.") Reported-by: Josef Oškera Tested-by: Josef Oškera Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/b15ddef7-0d50-4320-18f4-6a3f86fbfd3e@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c70c3b6e62e4df0a63abef5e6e994f7b6dc7c091 Author: Wonhyuk Yang Date: Wed Feb 24 12:09:36 2021 -0800 mm/compaction: fix misbehaviors of fast_find_migrateblock() [ Upstream commit 15d28d0d11609c7a4f217b3d85e26456d9beb134 ] In the fast_find_migrateblock(), it iterates ocer the freelist to find the proper pageblock. But there are some misbehaviors. First, if the page we found is equal to cc->migrate_pfn, it is considered that we didn't find a suitable pageblock. Secondly, if the loop was terminated because order is less than PAGE_ALLOC_COSTLY_ORDER, it could be considered that we found a suitable one. Thirdly, if the skip bit is set on the page block and we goto continue, it doesn't check nr_scanned. Fourthly, if the page block's skip bit is set, it checks that page block is the last of list, which is unnecessary. Link: https://lkml.kernel.org/r/20210128130411.6125-1-vvghjk1234@gmail.com Fixes: 70b44595eafe9 ("mm, compaction: use free lists to quickly locate a migration source") Signed-off-by: Wonhyuk Yang Acked-by: Vlastimil Babka Cc: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c200f4959586117d9a30c8eb94449ed3ffdb1e4e Author: Miaohe Lin Date: Wed Feb 24 12:06:50 2021 -0800 mm/hugetlb: fix potential double free in hugetlb_register_node() error path [ Upstream commit cc2205a67dec5a700227a693fc113441e73e4641 ] In hugetlb_sysfs_add_hstate(), we would do kobject_put() on hstate_kobjs when failed to create sysfs group but forget to set hstate_kobjs to NULL. Then in hugetlb_register_node() error path, we may free it again via hugetlb_unregister_node(). Link: https://lkml.kernel.org/r/20210107123249.36964-1-linmiaohe@huawei.com Fixes: a3437870160c ("hugetlb: new sysfs interface") Signed-off-by: Miaohe Lin Reviewed-by: Mike Kravetz Reviewed-by: Muchun Song Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 67a982ee20d20e112f15eff98592a718de7c652e Author: Miaohe Lin Date: Wed Feb 24 12:04:33 2021 -0800 mm/memory.c: fix potential pte_unmap_unlock pte error [ Upstream commit 90a3e375d324b2255b83e3dd29e99e2b05d82aaf ] Since commit 42e4089c7890 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings"), when the first pfn modify is not allowed, we would break the loop with pte unchanged. Then the wrong pte - 1 would be passed to pte_unmap_unlock. Andi said: "While the fix is correct, I'm not sure if it actually is a real bug. Is there any architecture that would do something else than unlocking the underlying page? If it's just the underlying page then it should be always the same page, so no bug" Link: https://lkml.kernel.org/r/20210109080118.20885-1-linmiaohe@huawei.com Fixes: 42e4089c789 ("x86/speculation/l1tf: Disallow non privileged high MMIO PROT_NONE mappings") Signed-off-by: Hongxiang Lou Signed-off-by: Miaohe Lin Cc: Thomas Gleixner Cc: Dave Hansen Cc: Andi Kleen Cc: Josh Poimboeuf Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 5bf318965485274e1ca62ce401479f17a795924d Author: Dan Carpenter Date: Wed Feb 24 12:00:41 2021 -0800 ocfs2: fix a use after free on error [ Upstream commit c57d117f2b2f2a19b570c36f2819ef8d8210af20 ] The error handling in this function frees "reg" but it is still on the "o2hb_all_regions" list so it will lead to a use after freew. Joseph Qi points out that we need to clear the bit in the "o2hb_region_bitmap" as well Link: https://lkml.kernel.org/r/YBk4M6HUG8jB/jc7@mwanda Fixes: 1cf257f51191 ("ocfs2: fix memory leak") Signed-off-by: Dan Carpenter Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 55b6be947efa313b07dd68fbc226e4335e769a19 Author: Taehee Yoo Date: Sun Feb 21 15:45:52 2021 +0000 vxlan: move debug check after netdev unregister [ Upstream commit 92584ddf550ae72d492858c19d1f9025e07a9350 ] The debug check must be done after unregister_netdevice_many() call -- the hlist_del_rcu() for this is done inside .ndo_stop. This is the same with commit 0fda7600c2e1 ("geneve: move debug check after netdev unregister") Test commands: ip netns del A ip netns add A ip netns add B ip netns exec B ip link add vxlan0 type vxlan vni 100 local 10.0.0.1 \ remote 10.0.0.2 dstport 4789 srcport 4789 4789 ip netns exec B ip link set vxlan0 netns A ip netns exec A ip link set vxlan0 up ip netns del B Splat looks like: [ 73.176249][ T7] ------------[ cut here ]------------ [ 73.178662][ T7] WARNING: CPU: 4 PID: 7 at drivers/net/vxlan.c:4743 vxlan_exit_batch_net+0x52e/0x720 [vxlan] [ 73.182597][ T7] Modules linked in: vxlan openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 mlx5_core nfp mlxfw ixgbevf tls sch_fq_codel nf_tables nfnetlink ip_tables x_tables unix [ 73.190113][ T7] CPU: 4 PID: 7 Comm: kworker/u16:0 Not tainted 5.11.0-rc7+ #838 [ 73.193037][ T7] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 [ 73.196986][ T7] Workqueue: netns cleanup_net [ 73.198946][ T7] RIP: 0010:vxlan_exit_batch_net+0x52e/0x720 [vxlan] [ 73.201509][ T7] Code: 00 01 00 00 0f 84 39 fd ff ff 48 89 ca 48 c1 ea 03 80 3c 1a 00 0f 85 a6 00 00 00 89 c2 48 83 c2 02 49 8b 14 d4 48 85 d2 74 ce <0f> 0b eb ca e8 b9 51 db dd 84 c0 0f 85 4a fe ff ff 48 c7 c2 80 bc [ 73.208813][ T7] RSP: 0018:ffff888100907c10 EFLAGS: 00010286 [ 73.211027][ T7] RAX: 000000000000003c RBX: dffffc0000000000 RCX: ffff88800ec411f0 [ 73.213702][ T7] RDX: ffff88800a278000 RSI: ffff88800fc78c70 RDI: ffff88800fc78070 [ 73.216169][ T7] RBP: ffff88800b5cbdc0 R08: fffffbfff424de61 R09: fffffbfff424de61 [ 73.218463][ T7] R10: ffffffffa126f307 R11: fffffbfff424de60 R12: ffff88800ec41000 [ 73.220794][ T7] R13: ffff888100907d08 R14: ffff888100907c50 R15: ffff88800fc78c40 [ 73.223337][ T7] FS: 0000000000000000(0000) GS:ffff888114800000(0000) knlGS:0000000000000000 [ 73.225814][ T7] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 73.227616][ T7] CR2: 0000562b5cb4f4d0 CR3: 0000000105fbe001 CR4: 00000000003706e0 [ 73.229700][ T7] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 73.231820][ T7] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 73.233844][ T7] Call Trace: [ 73.234698][ T7] ? vxlan_err_lookup+0x3c0/0x3c0 [vxlan] [ 73.235962][ T7] ? ops_exit_list.isra.11+0x93/0x140 [ 73.237134][ T7] cleanup_net+0x45e/0x8a0 [ ... ] Fixes: 57b61127ab7d ("vxlan: speedup vxlan tunnels dismantle") Signed-off-by: Taehee Yoo Link: https://lore.kernel.org/r/20210221154552.11749-1-ap420073@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e9ae8928ddd61c123a3cef6360c209831b5c1827 Author: Chuhong Yuan Date: Sun Feb 21 22:35:59 2021 +0800 net/mlx4_core: Add missed mlx4_free_cmd_mailbox() [ Upstream commit 8eb65fda4a6dbd59cd5de24b106a10b6ee0d2176 ] mlx4_do_mirror_rule() forgets to call mlx4_free_cmd_mailbox() to free the memory region allocated by mlx4_alloc_cmd_mailbox() before an exit. Add the missed call to fix it. Fixes: 78efed275117 ("net/mlx4_core: Support mirroring VF DMFS rules on both ports") Signed-off-by: Chuhong Yuan Reviewed-by: Tariq Toukan Link: https://lore.kernel.org/r/20210221143559.390277-1-hslester96@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e41bb745fd0fcaa1d37a7bd4da46230822ffe18f Author: Alex Williamson Date: Tue Feb 16 15:49:34 2021 -0700 vfio/type1: Use follow_pte() [ Upstream commit 07956b6269d3ed05d854233d5bb776dca91751dd ] follow_pfn() doesn't make sure that we're using the correct page protections, get the pte with follow_pte() so that we can test protections and get the pfn from the pte. Fixes: 5cbf3264bc71 ("vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn()") Reviewed-by: Jason Gunthorpe Reviewed-by: Cornelia Huck Reviewed-by: Peter Xu Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 005ed88685aac9264744d5788ee0c19ad5083009 Author: Mateusz Palczewski Date: Mon Dec 28 11:38:00 2020 +0100 i40e: Fix add TC filter for IPv6 [ Upstream commit 61c1e0eb8375def7c891bfe857bb795a57090526 ] Fix insufficient distinction between IPv4 and IPv6 addresses when creating a filter. IPv4 and IPv6 are kept in the same memory area. If IPv6 is added, then it's caught by IPv4 check, which leads to err -95. Fixes: 2f4b411a3d67 ("i40e: Enable cloud filters via tc-flower") Signed-off-by: Grzegorz Szczurek Signed-off-by: Mateusz Palczewski Reviewed-by: Jaroslaw Gawin Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 1b66e64ce349e0088d2f1e718dbfaaa0194305b2 Author: Sylwester Dziedziuch Date: Fri Nov 27 11:23:01 2020 +0000 i40e: Fix VFs not created [ Upstream commit dc8812626440fa6a27f1f3f654f6dc435e042e42 ] When creating VFs they were sometimes not getting resources. It was caused by not executing i40e_reset_all_vfs due to flag __I40E_VF_DISABLE being set on PF. Because of this IAVF was never able to finish setup sequence never getting reset indication from PF. Changed test_and_set_bit __I40E_VF_DISABLE in i40e_sync_filters_subtask to test_bit and removed clear_bit. This function should not set this bit it should only check if it hasn't been already set. Fixes: a7542b876075 ("i40e: check __I40E_VF_DISABLE bit in i40e_sync_filters_subtask") Signed-off-by: Sylwester Dziedziuch Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit a60ef5efff553a91645bae0a488814295d76300e Author: Mateusz Palczewski Date: Fri Nov 27 10:39:03 2020 +0000 i40e: Fix addition of RX filters after enabling FW LLDP agent [ Upstream commit 28b1208e7a7fa3ddc9345b022bb93e53d9dcc28a ] Fix addition of VLAN filter for PF after enabling FW LLDP agent. Changing LLDP Agent causes FW to re-initialize per NVM settings. Remove default PF filter and move "Enable/Disable" to currently used reset flag. Without this patch PF would try to add MAC VLAN filter with default switch filter present. This causes AQ error and sets promiscuous mode on. Fixes: c65e78f87f81 ("i40e: Further implementation of LLDP") Signed-off-by: Przemyslaw Patynowski Signed-off-by: Mateusz Palczewski Reviewed-by: Sylwester Dziedziuch Reviewed-by: Aleksandr Loktionov Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 57a7b145d8a1f5c314e68d484c7deb2c4e570736 Author: Mateusz Palczewski Date: Tue Nov 24 15:08:27 2020 +0000 i40e: Fix overwriting flow control settings during driver loading [ Upstream commit 4cdb9f80dcd46aab3c0020b4a6920c22735c5d6e ] During driver loading flow control settings were written to FW using a variable which was always zero, since it was being set only by ethtool. This behavior has been corrected and driver no longer overwrites the default FW/NVM settings. Fixes: 373149fc99a0 ("i40e: Decrease the scope of rtnl lock") Signed-off-by: Dawid Lukwinski Signed-off-by: Mateusz Palczewski Reviewed-by: Aleksandr Loktionov Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 55af95c8ce4d99b4972d443a10899e0b6f45abfd Author: Mateusz Palczewski Date: Fri Nov 20 10:35:37 2020 +0000 i40e: Add zero-initialization of AQ command structures [ Upstream commit d2c788f739b6f68090e968a2ee31b543701e795f ] Zero-initialize AQ command data structures to comply with API specifications. Fixes: 2f4b411a3d67 ("i40e: Enable cloud filters via tc-flower") Fixes: f4492db16df8 ("i40e: Add NPAR BW get and set functions") Signed-off-by: Andrzej Sawuła Signed-off-by: Mateusz Palczewski Reviewed-by: Arkadiusz Kubalewski Reviewed-by: Aleksandr Loktionov Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit d7c25783b8c89d911e42b5c6d4c79dfa10fbe2e5 Author: Slawomir Laba Date: Thu Sep 10 07:57:04 2020 +0000 i40e: Fix flow for IPv6 next header (extension header) [ Upstream commit 92c6058024e87087cf1b99b0389d67c0a886360e ] When a packet contains an IPv6 header with next header which is an extension header and not a protocol one, the kernel function skb_transport_header called with such sk_buff will return a pointer to the extension header and not to the TCP one. The above explained call caused a problem with packet processing for skb with encapsulation for tunnel with I40E_TX_CTX_EXT_IP_IPV6. The extension header was not skipped at all. The ipv6_skip_exthdr function does check if next header of the IPV6 header is an extension header and doesn't modify the l4_proto pointer if it points to a protocol header value so its safe to omit the comparison of exthdr and l4.hdr pointers. The ipv6_skip_exthdr can return value -1. This means that the skipping process failed and there is something wrong with the packet so it will be dropped. Fixes: a3fd9d8876a5 ("i40e/i40evf: Handle IPv6 extension headers in checksum offload") Signed-off-by: Slawomir Laba Signed-off-by: Przemyslaw Patynowski Reviewed-by: Aleksandr Loktionov Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 2efbd63b6e7400f362aecbad5682129b7ae0243d Author: Bard Liao Date: Fri Jan 22 15:06:30 2021 +0800 regmap: sdw: use _no_pm functions in regmap_read/write [ Upstream commit d288a5712ef961e16d588bbdb2d846e00b5ef154 ] sdw_update_slave_status will be invoked when a codec is attached, and the codec driver will initialize the codec with regmap functions while the codec device is pm_runtime suspended. regmap routines currently rely on regular SoundWire IO functions, which will call pm_runtime_get_sync()/put_autosuspend. This causes a deadlock where the resume routine waits for an initialization complete signal that while the initialization complete can only be reached when the resume completes. The only solution if we allow regmap functions to be used in resume operations as well as during codec initialization is to use _no_pm routines. The duty of making sure the bus is operational needs to be handled above the regmap level. Fixes: 7c22ce6e21840 ('regmap: Add SoundWire bus support') Signed-off-by: Bard Liao Acked-by: Mark Brown Link: https://lore.kernel.org/r/20210122070634.12825-6-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 62c4532ebb1db9fe68fe3707eeb0673c55bf409a Author: Ahmad Fatoum Date: Fri Jan 29 17:14:30 2021 +0000 nvmem: core: skip child nodes not matching binding [ Upstream commit 0445efacec75b85c2a3c176957ee050ba9be53f0 ] The nvmem cell binding applies to all eeprom child nodes matching "^.*@[0-9a-f]+$" without taking a compatible into account. Linux drivers, like at24, are even more extensive and assume _all_ at24 eeprom child nodes to be nvmem cells since e888d445ac33 ("nvmem: resolve cells from DT at registration time"). Since df5f3b6f5357 ("dt-bindings: nvmem: stm32: new property for data access"), the additionalProperties: True means it's Ok to have other properties as long as they don't match "^.*@[0-9a-f]+$". The barebox bootloader extends the MTD partitions binding to EEPROM and can fix up following device tree node: &eeprom { partitions { compatible = "fixed-partitions"; }; }; This is allowed binding-wise, but drivers using nvmem_register() like at24 will fail to parse because the function expects all child nodes to have a reg property present. This results in the whole EEPROM driver probe failing despite the device tree being correct. Fix this by skipping nodes lacking a reg property instead of returning an error. This effectively makes the drivers adhere to the binding because all nodes with a unit address must have a reg property and vice versa. Fixes: e888d445ac33 ("nvmem: resolve cells from DT at registration time"). Signed-off-by: Ahmad Fatoum Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210129171430.11328-6-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e40a8924eb3bf89fb21ffa124928423d8843f915 Author: Dan Carpenter Date: Fri Jan 29 17:14:26 2021 +0000 nvmem: core: Fix a resource leak on error in nvmem_add_cells_from_of() [ Upstream commit 72e008ce307fa2f35f6783997378b32e83122839 ] This doesn't call of_node_put() on the error path so it leads to a memory leak. Fixes: 0749aa25af82 ("nvmem: core: fix regression in of_nvmem_cell_get()") Signed-off-by: Dan Carpenter Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210129171430.11328-2-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d8b7689a6240533f4bb7924aa421cad383752d36 Author: Theodore Ts'o Date: Thu Feb 4 00:05:20 2021 -0500 ext4: fix potential htree index checksum corruption [ Upstream commit b5776e7524afbd4569978ff790864755c438bba7 ] In the case where we need to do an interior node split, and immediately afterwards, we are unable to allocate a new directory leaf block due to ENOSPC, the directory index checksum's will not be filled in correctly (and indeed, will not be correctly journalled). This looks like a bug that was introduced when we added largedir support. The original code doesn't make any sense (and should have been caught in code review), but it was hidden because most of the time, the index node checksum will be set by do_split(). But if do_split bails out due to ENOSPC, then ext4_handle_dirty_dx_node() won't get called, and so the directory index checksum field will not get set, leading to: EXT4-fs error (device sdb): dx_probe:858: inode #6635543: block 4022: comm nfsd: Directory index failed checksum Google-Bug-Id: 176345532 Fixes: e08ac99fa2a2 ("ext4: add largedir feature") Cc: Artem Blagodarenko Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 2df4434766aa2fa5a311ea2e3ea7aa8434b937a0 Author: Keqian Zhu Date: Fri Jan 22 17:26:35 2021 +0800 vfio/iommu_type1: Fix some sanity checks in detach group [ Upstream commit 4a19f37a3dd3f29997735e61b25ddad24b8abe73 ] vfio_sanity_check_pfn_list() is used to check whether pfn_list and notifier are empty when remove the external domain, so it makes a wrong assumption that only external domain will use the pinning interface. Now we apply the pfn_list check when a vfio_dma is removed and apply the notifier check when all domains are removed. Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") Signed-off-by: Keqian Zhu Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 179b83e72c89e93ffd83c116e359659538d1ee0a Author: Iskren Chernev Date: Wed Jan 27 17:24:40 2021 +0200 drm/msm/mdp5: Fix wait-for-commit for cmd panels [ Upstream commit 68e4f01fddb4ead80e8c7084db489307f22c9cbb ] Before the offending commit in msm_atomic_commit_tail wait_flush was called once per frame, after the commit was submitted. After it wait_flush is also called at the beginning to ensure previous potentially async commits are done. For cmd panels the source of wait_flush is a ping-pong irq notifying a completion. The completion needs to be notified with complete_all so multiple waiting parties (new async committers) can proceed. Signed-off-by: Iskren Chernev Suggested-by: Rob Clark Fixes: 2d99ced787e3d ("drm/msm: async commit support") Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 32cf1b5c153de015d86836182cfd069d41bf5eb7 Author: Konrad Dybcio Date: Mon Jan 18 17:15:58 2021 +0100 drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) [ Upstream commit 33a7808ce1aea6e2edc1af25db25928137940c02 ] The previous registers were *almost* correct, but instead of PHYs, they were pointing at DSI PLLs, resulting in the PHY id autodetection failing miserably. Fixes: dcefc117cc19 ("drm/msm/dsi: Add support for msm8x94") Signed-off-by: Konrad Dybcio Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit e2d44809c4f4e14be61ea0a504224faf0542f895 Author: Alexander Usyskin Date: Fri Jan 29 14:07:48 2021 +0200 mei: hbm: call mei_set_devstate() on hbm stop response [ Upstream commit 3a77df62deb2e62de0dc26c1cb763cc152329287 ] Use mei_set_devstate() wrapper upon hbm stop command response, to trigger sysfs event. Fixes: 43b8a7ed4739 ("mei: expose device state in sysfs") Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20210129120752.850325-3-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c7cac840c2b303bfee595b3b4c91016bf37c69b6 Author: Heiner Kallweit Date: Sun Jan 24 16:39:32 2021 +0100 PCI: Align checking of syscall user config accessors [ Upstream commit ef9e4005cbaf022c6251263aa27836acccaef65d ] After 34e3207205ef ("PCI: handle positive error codes"), pci_user_read_config_*() and pci_user_write_config_*() return 0 or negative errno values, not PCIBIOS_* values like PCIBIOS_SUCCESSFUL or PCIBIOS_BAD_REGISTER_NUMBER. Remove comparisons with PCIBIOS_SUCCESSFUL and check only for non-zero. It happens that PCIBIOS_SUCCESSFUL is zero, so this is not a functional change, but it aligns this code with the user accessors. [bhelgaas: commit log] Fixes: 34e3207205ef ("PCI: handle positive error codes") Link: https://lore.kernel.org/r/f1220314-e518-1e18-bf94-8e6f8c703758@gmail.com Signed-off-by: Heiner Kallweit Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 8c23e9f4c7b0d25cd88984e0838387f7e7496d80 Author: Jorgen Hansen Date: Wed Jan 20 08:32:40 2021 -0800 VMCI: Use set_page_dirty_lock() when unregistering guest memory [ Upstream commit 5a16c535409f8dcb7568e20737309e3027ae3e49 ] When the VMCI host support releases guest memory in the case where the VM was killed, the pinned guest pages aren't locked. Use set_page_dirty_lock() instead of set_page_dirty(). Testing done: Killed VM while having an active VMCI based vSocket connection and observed warning from ext4. With this fix, no warning was observed. Ran various vSocket tests without issues. Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") Reviewed-by: Vishnu Dasa Signed-off-by: Jorgen Hansen Link: https://lore.kernel.org/r/1611160360-30299-1-git-send-email-jhansen@vmware.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e8ba75011695ca7c317b043bf7bbd73100c3b7ee Author: Simon South Date: Tue Jan 19 11:12:06 2021 -0500 pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() [ Upstream commit d5d8d675865ccddfe4da26c85f22c55cec663bf2 ] If rockchip_pwm_probe() fails to register a PWM device it calls clk_unprepare() for the device's PWM clock, without having first disabled the clock and before jumping to an error handler that also unprepares it. This is likely to produce warnings from the kernel about the clock being unprepared when it is still enabled, and then being unprepared when it has already been unprepared. Prevent these warnings by removing this unnecessary call to clk_unprepare(). Fixes: 48cf973cae33 ("pwm: rockchip: Avoid glitches on already running PWMs") Signed-off-by: Simon South Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3a9044ea78ead56f52c1542f7019b4fbc67a4301 Author: Pierre-Louis Bossart Date: Fri Jan 15 13:37:37 2021 +0800 soundwire: cadence: fix ACK/NAK handling [ Upstream commit db9d9f944f95e7f3aa60ac00cbd502415152c421 ] The existing code reports a NAK only when ACK=0 This is not aligned with the SoundWire 1.x specifications. Table 32 in the SoundWire 1.2 specification shows that a Device shall not set NAK=1 if ACK=1. But Table 33 shows the Combined Response may very well be NAK=1/ACK=1, e.g. if another Device than the one addressed reports a parity error. NAK=1 signals a 'Command_Aborted', regardless of the ACK bit value. Move the tests for NAK so that the NAK=1/ACK=1 combination is properly detected according to the specification. Fixes: 956baa1992f9a ('soundwire: cdns: Add sdw_master_ops and IO transfer support') Signed-off-by: Pierre-Louis Bossart Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20210115053738.22630-5-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit fcfec32c9a01b29e8febb053b3796617479d2000 Author: Aswath Govindraju Date: Wed Jan 13 10:42:52 2021 +0530 misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users [ Upstream commit 4540b9fbd8ebb21bb3735796d300a1589ee5fbf2 ] Module alias "spi:93xx46" is used by non device tree users like drivers/misc/eeprom/digsy_mtc_eeprom.c and removing it will break support for them. Fix this by adding back the module alias "spi:93xx46". Fixes: 13613a2246bf ("misc: eeprom_93xx46: Fix module alias to enable module autoprobe") Signed-off-by: Aswath Govindraju Link: https://lore.kernel.org/r/20210113051253.15061-1-a-govindraju@ti.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 52fe389c0a998a195487b308551eb95d2bb0d0cd Author: Chris Ruehl Date: Thu Dec 10 16:04:54 2020 +0800 phy: rockchip-emmc: emmc_phy_init() always return 0 [ Upstream commit 39961bd6b70e5a5d7c4b5483ad8e1db6b5765c60 ] rockchip_emmc_phy_init() return variable is not set with the error value if clk_get() failed. 'emmcclk' is optional, thus use clk_get_optional() and if the return value != NULL make error processing and set the return code accordingly. Fixes: 52c0624a10cce phy: rockchip-emmc: Set phyctrl_frqsel based on card clock Signed-off-by: Chris Ruehl Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20201210080454.17379-1-chris.ruehl@gtsys.com.hk Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 047e029392a5d4d2e096bbf4da45e983ab517107 Author: Aswath Govindraju Date: Thu Jan 7 22:09:53 2021 +0530 misc: eeprom_93xx46: Fix module alias to enable module autoprobe [ Upstream commit 13613a2246bf531f5fc04e8e62e8f21a3d39bf1c ] Fix module autoprobe by correcting module alias to match the string from /sys/class/.../spi1.0/modalias content. Fixes: 06b4501e88ad ("misc/eeprom: add driver for microwire 93xx46 EEPROMs") Signed-off-by: Aswath Govindraju Link: https://lore.kernel.org/r/20210107163957.28664-2-a-govindraju@ti.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f7fb313affee472133b817ec76790620e0dd6f00 Author: Randy Dunlap Date: Wed Nov 25 16:40:11 2020 -0800 sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set [ Upstream commit 80bddf5c93a99e11fc9faf7e4b575d01cecd45d3 ] Currently COMPAT on SPARC64 selects COMPAT_BINFMT_ELF unconditionally, even when BINFMT_ELF is not enabled. This causes a kconfig warning. Instead, just select COMPAT_BINFMT_ELF if BINFMT_ELF is enabled. This builds cleanly with no kconfig warnings. WARNING: unmet direct dependencies detected for COMPAT_BINFMT_ELF Depends on [n]: COMPAT [=y] && BINFMT_ELF [=n] Selected by [y]: - COMPAT [=y] && SPARC64 [=y] Fixes: 26b4c912185a ("sparc,sparc64: unify Kconfig files") Signed-off-by: Randy Dunlap Cc: "David S. Miller" Cc: sparclinux@vger.kernel.org Cc: Sam Ravnborg Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0a072f01e58521ebda3db03de733980f07c8f247 Author: Dan Carpenter Date: Tue Feb 16 20:29:05 2021 -0800 Input: elo - fix an error code in elo_connect() [ Upstream commit 0958351e93fa0ac142f6dd8bd844441594f30a57 ] If elo_setup_10() fails then this should return an error code instead of success. Fixes: fae3006e4b42 ("Input: elo - add support for non-pressure-sensitive touchscreens") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YBKFd5CvDu+jVmfW@mwanda Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2062856c441ccc958b141636d20e9702de5e0998 Author: Namhyung Kim Date: Sun Feb 14 18:16:38 2021 +0900 perf test: Fix unaligned access in sample parsing test [ Upstream commit c5c97cadd7ed13381cb6b4bef5c841a66938d350 ] The ubsan reported the following error. It was because sample's raw data missed u32 padding at the end. So it broke the alignment of the array after it. The raw data contains an u32 size prefix so the data size should have an u32 padding after 8-byte aligned data. 27: Sample parsing :util/synthetic-events.c:1539:4: runtime error: store to misaligned address 0x62100006b9bc for type '__u64' (aka 'unsigned long long'), which requires 8 byte alignment 0x62100006b9bc: note: pointer points here 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ #0 0x561532a9fc96 in perf_event__synthesize_sample util/synthetic-events.c:1539:13 #1 0x5615327f4a4f in do_test tests/sample-parsing.c:284:8 #2 0x5615327f3f50 in test__sample_parsing tests/sample-parsing.c:381:9 #3 0x56153279d3a1 in run_test tests/builtin-test.c:424:9 #4 0x56153279c836 in test_and_print tests/builtin-test.c:454:9 #5 0x56153279b7eb in __cmd_test tests/builtin-test.c:675:4 #6 0x56153279abf0 in cmd_test tests/builtin-test.c:821:9 #7 0x56153264e796 in run_builtin perf.c:312:11 #8 0x56153264cf03 in handle_internal_command perf.c:364:8 #9 0x56153264e47d in run_argv perf.c:408:2 #10 0x56153264c9a9 in main perf.c:538:3 #11 0x7f137ab6fbbc in __libc_start_main (/lib64/libc.so.6+0x38bbc) #12 0x561532596828 in _start ... SUMMARY: UndefinedBehaviorSanitizer: misaligned-pointer-use util/synthetic-events.c:1539:4 in Fixes: 045f8cd8542d ("perf tests: Add a sample parsing test") Signed-off-by: Namhyung Kim Acked-by: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Cc: Stephane Eranian Link: https://lore.kernel.org/r/20210214091638.519643-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit eb191a88be52373f54bd174b084947871da7a206 Author: Adrian Hunter Date: Fri Feb 5 19:53:48 2021 +0200 perf intel-pt: Fix premature IPC [ Upstream commit 20aa39708a5999b7921b27482a756766272286ac ] The code assumed a change in cycle count means accurate IPC. That is not correct, for example when sampling both branches and instructions, or at a FUP packet (which is not CYC-eligible) address. Fix by using an explicit flag to indicate when IPC can be sampled. Fixes: 5b1dc0fd1da06 ("perf intel-pt: Add support for samples to contain IPC ratio") Signed-off-by: Adrian Hunter Reviewed-by: Andi Kleen Cc: Jiri Olsa Cc: linux-kernel@vger.kernel.org Link: https://lore.kernel.org/r/20210205175350.23817-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 119f96bb14bcdba1f6e364d5855939dc79d5732c Author: Adrian Hunter Date: Fri Feb 5 19:53:47 2021 +0200 perf intel-pt: Fix missing CYC processing in PSB [ Upstream commit 03fb0f859b45d1eb05c984ab4bd3bef67e45ede2 ] Add missing CYC packet processing when walking through PSB+. This improves the accuracy of timestamps that follow PSB+, until the next MTC. Fixes: 3d49807870f08 ("perf tools: Add new Intel PT packet definitions") Signed-off-by: Adrian Hunter Reviewed-by: Andi Kleen Cc: Jiri Olsa Link: https://lore.kernel.org/r/20210205175350.23817-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit ce40b82cfa096072a5b61b202e33b5de390ecaf9 Author: Dan Carpenter Date: Tue Feb 16 20:30:45 2021 -0800 Input: sur40 - fix an error code in sur40_probe() [ Upstream commit b0b7d2815839024e5181bd2572f5d8d4f65363b3 ] If v4l2_ctrl_handler_setup() fails then probe() should return an error code instead of returning success. Fixes: cee1e3e2ef39 ("media: add video control handlers using V4L2 control framework") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YBKFkbATXa5fA3xj@mwanda Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit d5ca5d1190a4c1c5c1ff82134ab5f40d176346fe Author: Lang Cheng Date: Sun Feb 7 16:55:40 2021 +0800 RDMA/hns: Fixes missing error code of CMDQ [ Upstream commit 8f86e2eadac968200a6ab1d7074fc0f5cbc1e075 ] When posting a multi-descriptors command, the error code of previous failed descriptors may be rewrote to 0 by a later successful descriptor. Fixes: a04ff739f2a9 ("RDMA/hns: Add command queue support for hip08 RoCE driver") Link: https://lore.kernel.org/r/1612688143-28226-3-git-send-email-liweihang@huawei.com Signed-off-by: Lang Cheng Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8677e99150b0830d29cc1318b4cc559e176940bb Author: J. Bruce Fields Date: Wed Feb 3 11:42:13 2021 -0500 nfsd: register pernet ops last, unregister first [ Upstream commit bd5ae9288d6451bd346a1b4a59d4fe7e62ba29b7 ] These pernet operations may depend on stuff set up or torn down in the module init/exit functions. And they may be called at any time in between. So it makes more sense for them to be the last to be registered in the init function, and the first to be unregistered in the exit function. In particular, without this, the drc slab is being destroyed before all the per-net drcs are shut down, resulting in an "Objects remaining in nfsd_drc on __kmem_cache_shutdown()" warning in exit_nfsd. Reported-by: Zhi Li Fixes: 3ba75830ce17 "nfsd4: drc containerization" Signed-off-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 046615ffd431d84f106a0d0b19df5901175d91b3 Author: Ryan Chen Date: Tue Jan 19 14:17:15 2021 +0800 clk: aspeed: Fix APLL calculate formula from ast2600-A2 [ Upstream commit 6286ce1e3ece54799f12775f8ce2a1cba9cbcfc5 ] Starting from A2, the A-PLL calculation has changed. Use the existing formula for A0/A1 and the new formula for A2 onwards. Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") Signed-off-by: Ryan Chen Link: https://lore.kernel.org/r/20210119061715.6043-1-ryan_chen@aspeedtech.com Reviewed-by: Joel Stanley Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 9230273026667a97e23e5dd28a8dadd955f259d1 Author: Jonathan Marek Date: Wed Feb 10 22:49:35 2021 -0500 regulator: qcom-rpmh: fix pm8009 ldo7 [ Upstream commit 20ccc362c3d20da734af896e075b74222589f2c0 ] Use the correct name to avoid ldo7 commands being sent to ldo6's address. Fixes: 06369bcc15a1 ("regulator: qcom-rpmh: Add support for SM8150") Signed-off-by: Jonathan Marek Reviewed-by: Vinod Koul Link: https://lore.kernel.org/r/20210211034935.5622-1-jonathan@marek.ca Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2ebadcea0ef3485856584b27dbaa67668610b850 Author: Andy Shevchenko Date: Mon Feb 8 18:38:15 2021 +0200 spi: pxa2xx: Fix the controller numbering for Wildcat Point [ Upstream commit 54c5d3bfb0cfb7b31259765524567871dee11615 ] Wildcat Point has two SPI controllers and added one is actually second one. Fix the numbering by adding the description of the first one. Fixes: caba248db286 ("spi: spi-pxa2xx-pci: Add ID and driver type for WildcatPoint PCH") Cc: Leif Liddy Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210208163816.22147-1-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e0c516e72fd576ba3c60fc4b5ade4b2a16561893 Author: Weihang Li Date: Fri Feb 5 17:39:24 2021 +0800 RDMA/hns: Fix type of sq_signal_bits [ Upstream commit ea4092f3b56b236d08890ea589506ebd76248c53 ] This bit should be in type of enum ib_sig_type, or there will be a sparse warning. Fixes: bfe860351e31 ("RDMA/hns: Fix cast from or to restricted __le32 for driver") Link: https://lore.kernel.org/r/1612517974-31867-3-git-send-email-liweihang@huawei.com Reported-by: kernel test robot Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d21f6d9a3e49ff64b6b86e2685079b0b05278137 Author: Kamal Heib Date: Mon Feb 1 13:29:22 2021 +0200 RDMA/siw: Fix calculation of tx_valid_cpus size [ Upstream commit 429fa9698957d1a910535ce5e33aedf5adfdabc1 ] The size of tx_valid_cpus was calculated under the assumption that the numa nodes identifiers are continuous, which is not the case in all archs as this could lead to the following panic when trying to access an invalid tx_valid_cpus index, avoid the following panic by using nr_node_ids instead of num_online_nodes() to allocate the tx_valid_cpus size. Kernel attempted to read user page (8) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000008 Faulting instruction address: 0xc0080000081b4a90 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV Modules linked in: siw(+) rfkill rpcrdma ib_isert iscsi_target_mod ib_iser libiscsi scsi_transport_iscsi ib_srpt target_core_mod ib_srp scsi_transport_srp ib_ipoib rdma_ucm sunrpc ib_umad rdma_cm ib_cm iw_cm i40iw ib_uverbs ib_core i40e ses enclosure scsi_transport_sas ipmi_powernv ibmpowernv at24 ofpart ipmi_devintf regmap_i2c ipmi_msghandler powernv_flash uio_pdrv_genirq uio mtd opal_prd zram ip_tables xfs libcrc32c sd_mod t10_pi ast i2c_algo_bit drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm_ttm_helper ttm drm vmx_crypto aacraid drm_panel_orientation_quirks dm_mod CPU: 40 PID: 3279 Comm: modprobe Tainted: G W X --------- --- 5.11.0-0.rc4.129.eln108.ppc64le #2 NIP: c0080000081b4a90 LR: c0080000081b4a2c CTR: c0000000007ce1c0 REGS: c000000027fa77b0 TRAP: 0300 Tainted: G W X --------- --- (5.11.0-0.rc4.129.eln108.ppc64le) MSR: 9000000002009033 CR: 44224882 XER: 00000000 CFAR: c0000000007ce200 DAR: 0000000000000008 DSISR: 40000000 IRQMASK: 0 GPR00: c0080000081b4a2c c000000027fa7a50 c0080000081c3900 0000000000000040 GPR04: c000000002023080 c000000012e1c300 000020072ad70000 0000000000000001 GPR08: c000000001726068 0000000000000008 0000000000000008 c0080000081b5758 GPR12: c0000000007ce1c0 c0000007fffc3000 00000001590b1e40 0000000000000000 GPR16: 0000000000000000 0000000000000001 000000011ad68fc8 00007fffcc09c5c8 GPR20: 0000000000000008 0000000000000000 00000001590b2850 00000001590b1d30 GPR24: 0000000000043d68 000000011ad67a80 000000011ad67a80 0000000000100000 GPR28: c000000012e1c300 c0000000020271c8 0000000000000001 c0080000081bf608 NIP [c0080000081b4a90] siw_init_cpulist+0x194/0x214 [siw] LR [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] Call Trace: [c000000027fa7a50] [c0080000081b4a2c] siw_init_cpulist+0x130/0x214 [siw] (unreliable) [c000000027fa7a90] [c0080000081b4e68] siw_init_module+0x40/0x2a0 [siw] [c000000027fa7b30] [c0000000000124f4] do_one_initcall+0x84/0x2e0 [c000000027fa7c00] [c000000000267ffc] do_init_module+0x7c/0x350 [c000000027fa7c90] [c00000000026a180] __do_sys_init_module+0x210/0x250 [c000000027fa7db0] [c0000000000387e4] system_call_exception+0x134/0x230 [c000000027fa7e10] [c00000000000d660] system_call_common+0xf0/0x27c Instruction dump: 40810044 3d420000 e8bf0000 e88a82d0 3d420000 e90a82c8 792a1f24 7cc4302a 7d2642aa 79291f24 7d25482a 7d295214 <7d4048a8> 7d4a3b78 7d4049ad 40c2fff4 Fixes: bdcf26bf9b3a ("rdma/siw: network and RDMA core interface") Link: https://lore.kernel.org/r/20210201112922.141085-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Reviewed-by: Bernard Metzler Tested-by: Yi Zhang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d0005c4ab5e1854159a55c8e66ecd38fb9285c03 Author: Wenpeng Liang Date: Sat Jan 30 16:58:02 2021 +0800 RDMA/hns: Fixed wrong judgments in the goto branch [ Upstream commit bb74fe7e81c8b2b65c6a351a247fdb9a969cbaec ] When an error occurs, the qp_table must be cleared, regardless of whether the SRQ feature is enabled. Fixes: 5c1f167af112 ("RDMA/hns: Init SRQ table for hip08") Link: https://lore.kernel.org/r/1611997090-48820-5-git-send-email-liweihang@huawei.com Signed-off-by: Wenpeng Liang Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c42d1e8caad50a9204fbe31e9e906d0a67bab57c Author: AngeloGioacchino Del Regno Date: Thu Jan 14 23:10:54 2021 +0100 clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs [ Upstream commit 292f75ecff07e8a07fe2e3e19b4b567d0b698842 ] All of the GPLLs in the MSM8998 Global Clock Controller are Fabia PLLs and not generic alphas: this was producing bad effects over the entire clock tree of MSM8998, where any GPLL child clock was declaring a false clock rate, due to their parent also showing the same. The issue resides in the calculation of the clock rate for the specific Alpha PLL type, where Fabia has a different register layout; switching the MSM8998 GPLLs to the correct Alpha Fabia PLL type fixes the rate (calculation) reading. While at it, also make these PLLs fixed since their rate is supposed to *never* be changed while the system runs, as this would surely crash the entire SoC. Now all the children of all the PLLs are also complying with their specified clock table and system stability is improved. Fixes: b5f5f525c547 ("clk: qcom: Add MSM8998 Global Clock Control (GCC) driver") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20210114221059.483390-7-angelogioacchino.delregno@somainline.org Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit ecfae933df3aac7df4af7e5105e26cac57ffd2ec Author: Christophe Leroy Date: Fri Feb 5 08:56:13 2021 +0000 powerpc/8xx: Fix software emulation interrupt [ Upstream commit 903178d0ce6bb30ef80a3604ab9ee2b57869fbc9 ] For unimplemented instructions or unimplemented SPRs, the 8xx triggers a "Software Emulation Exception" (0x1000). That interrupt doesn't set reason bits in SRR1 as the "Program Check Exception" does. Go through emulation_assist_interrupt() to set REASON_ILLEGAL. Fixes: fbbcc3bb139e ("powerpc/8xx: Remove SoftwareEmulation()") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/ad782af87a222efc79cfb06079b0fd23d4224eaf.1612515180.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit ba5c8a0ee6247363ce4577d144463f5de0e394b7 Author: Nathan Lynch Date: Wed Jan 6 20:59:00 2021 -0600 powerpc/pseries/dlpar: handle ibm, configure-connector delay status [ Upstream commit 768d70e19ba525debd571b36e6d0ab19956c63d7 ] dlpar_configure_connector() has two problems in its handling of ibm,configure-connector's return status: 1. When the status is -2 (busy, call again), we call ibm,configure-connector again immediately without checking whether to schedule, which can result in monopolizing the CPU. 2. Extended delay status (9900..9905) goes completely unhandled, causing the configuration to unnecessarily terminate. Fix both of these issues by using rtas_busy_delay(). Fixes: ab519a011caa ("powerpc/pseries: Kernel DLPAR Infrastructure") Signed-off-by: Nathan Lynch Reviewed-by: Tyrel Datwyler Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210107025900.410369-1-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit 0c79abee609da83f68461835d0100c7129d8dc52 Author: Dan Carpenter Date: Fri Jan 29 17:37:24 2021 +0300 mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() [ Upstream commit 26783d74cc6a440ee3ef9836a008a697981013d0 ] The "req" struct is always added to the "wm831x->auxadc_pending" list, but it's only removed from the list on the success path. If a failure occurs then the "req" struct is freed but it's still on the list, leading to a use after free. Fixes: 78bb3688ea18 ("mfd: Support multiple active WM831x AUXADC conversions") Signed-off-by: Dan Carpenter Acked-by: Charles Keepax Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 046a8158982bc67a56ce2b6c1e8ef020d2d49c05 Author: Alain Volmat Date: Fri Feb 5 19:59:25 2021 +0100 spi: stm32: properly handle 0 byte transfer [ Upstream commit 2269f5a8b1a7b38651d62676b98182828f29d11a ] On 0 byte transfer request, return straight from the xfer function after finalizing the transfer. Fixes: dcbe0d84dfa5 ("spi: add driver for STM32 SPI controller") Signed-off-by: Alain Volmat Link: https://lore.kernel.org/r/1612551572-495-2-git-send-email-alain.volmat@foss.st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3cb8510625d5441e60ac42de031e56628cec1237 Author: Bob Pearson Date: Thu Jan 28 12:23:02 2021 -0600 RDMA/rxe: Correct skb on loopback path [ Upstream commit 5120bf0a5fc15dec210a0fe0f39e4a256bb6e349 ] rxe_net.c sends packets at the IP layer with skb->data pointing at the IP header but receives packets from a UDP tunnel with skb->data pointing at the UDP header. On the loopback path this was not correctly accounted for. This patch corrects for this by using sbk_pull() to strip the IP header from the skb on received packets. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20210128182301.16859-1-rpearson@hpe.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c88fc726d9c0e7a83b71df971adcc6a3cf657ad1 Author: Bob Pearson Date: Thu Jan 28 11:47:53 2021 -0600 RDMA/rxe: Fix coding error in rxe_rcv_mcast_pkt [ Upstream commit 8fc1b7027fc162738d5a85c82410e501a371a404 ] rxe_rcv_mcast_pkt() in rxe_recv.c can leak SKBs in error path code. The loop over the QPs attached to a multicast group creates new cloned SKBs for all but the last QP in the list and passes the SKB and its clones to rxe_rcv_pkt() for further processing. Any QPs that do not pass some checks are skipped. If the last QP in the list fails the tests the SKB is leaked. This patch checks if the SKB for the last QP was used and if not frees it. Also removes a redundant loop invariant assignment. Fixes: 8700e3e7c485 ("Soft RoCE driver") Fixes: 71abf20b28ff ("RDMA/rxe: Handle skb_clone() failure in rxe_recv.c") Link: https://lore.kernel.org/r/20210128174752.16128-1-rpearson@hpe.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2e556ba37f1328d6a35a81fccb36470287a3d890 Author: Bob Pearson Date: Wed Jan 27 15:45:01 2021 -0600 RDMA/rxe: Fix coding error in rxe_recv.c [ Upstream commit 7d9ae80e31df57dd3253e1ec514f0000aa588a81 ] check_type_state() in rxe_recv.c is written as if the type bits in the packet opcode were a bit mask which is not correct. This patch corrects this code to compare all 3 type bits to the required type. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20210127214500.3707-1-rpearson@hpe.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d2ee0b2070cd3e3e449ab607b47cb84cee290db6 Author: John Garry Date: Thu Jan 28 20:00:33 2021 +0800 perf vendor events arm64: Fix Ampere eMag event typo [ Upstream commit 2bf797be81fa808f05f1a7a65916619132256a27 ] The "briefdescription" for event 0x35 has a typo - fix it. Fixes: d35c595bf005 ("perf vendor events arm64: Revise core JSON events for eMAG") Signed-off-by: John Garry Acked-by: Will Deacon Cc: James Clark Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Mathieu Poirier Cc: Nakamura, Shunsuke/中村 俊介 Cc: linux-arm-kernel@lists.infradead.org Cc: linuxarm@openeuler.org Link: https://lore.kernel.org/r/1611835236-34696-2-git-send-email-john.garry@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit a0ea1f58aeea8f96decb20223f43db7e84ece27a Author: Arnaldo Carvalho de Melo Date: Thu Jan 28 09:52:47 2021 -0300 perf tools: Fix DSO filtering when not finding a map for a sampled address [ Upstream commit c69bf11ad3d30b6bf01cfa538ddff1a59467c734 ] When we lookup an address and don't find a map we should filter that sample if the user specified a list of --dso entries to filter on, fix it. Before: $ perf script sleep 274800 2843.556162: 1 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) sleep 274800 2843.556168: 1 cycles:u: ffffffffbb2b047d [unknown] ([unknown]) sleep 274800 2843.556171: 1 cycles:u: ffffffffbb2706b2 [unknown] ([unknown]) sleep 274800 2843.556174: 6 cycles:u: ffffffffbb2b0267 [unknown] ([unknown]) sleep 274800 2843.556176: 59 cycles:u: ffffffffbb2b03b1 [unknown] ([unknown]) sleep 274800 2843.556180: 691 cycles:u: ffffffffbb26bff4 [unknown] ([unknown]) sleep 274800 2843.556189: 9160 cycles:u: 7fa9550eeaa3 __GI___tunables_init+0xf3 (/usr/lib64/ld-2.32.so) sleep 274800 2843.556312: 86937 cycles:u: 7fa9550e157b _dl_lookup_symbol_x+0x4b (/usr/lib64/ld-2.32.so) $ So we have some samples we somehow didn't find in a map for, if we now do: $ perf report --stdio --dso /usr/lib64/ld-2.32.so # dso: /usr/lib64/ld-2.32.so # # Total Lost Samples: 0 # # Samples: 8 of event 'cycles:u' # Event count (approx.): 96856 # # Overhead Command Symbol # ........ ....... ........................ # 89.76% sleep [.] _dl_lookup_symbol_x 9.46% sleep [.] __GI___tunables_init 0.71% sleep [k] 0xffffffffbb26bff4 0.06% sleep [k] 0xffffffffbb2b03b1 0.01% sleep [k] 0xffffffffbb2b0267 0.00% sleep [k] 0xffffffffbb2706b2 0.00% sleep [k] 0xffffffffbb2b047d $ After this patch we get the right output with just entries for the DSOs specified in --dso: $ perf report --stdio --dso /usr/lib64/ld-2.32.so # dso: /usr/lib64/ld-2.32.so # # Total Lost Samples: 0 # # Samples: 8 of event 'cycles:u' # Event count (approx.): 96856 # # Overhead Command Symbol # ........ ....... ........................ # 89.76% sleep [.] _dl_lookup_symbol_x 9.46% sleep [.] __GI___tunables_init $ # Fixes: 96415e4d3f5fdf9c ("perf symbols: Avoid unnecessary symbol loading when dso list is specified") Cc: Alexander Shishkin Cc: Andi Kleen Cc: Ingo Molnar Cc: Jin Yao Cc: Jiri Olsa Cc: Kan Liang Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210128131209.GD775562@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit e59e0ced076313e3c5357650921bfa03d1cdd7af Author: Steven Rostedt (VMware) Date: Wed Nov 18 09:34:05 2020 -0500 tracepoint: Do not fail unregistering a probe due to memory failure [ Upstream commit befe6d946551d65cddbd32b9cb0170b0249fd5ed ] The list of tracepoint callbacks is managed by an array that is protected by RCU. To update this array, a new array is allocated, the updates are copied over to the new array, and then the list of functions for the tracepoint is switched over to the new array. After a completion of an RCU grace period, the old array is freed. This process happens for both adding a callback as well as removing one. But on removing a callback, if the new array fails to be allocated, the callback is not removed, and may be used after it is freed by the clients of the tracepoint. There's really no reason to fail if the allocation for a new array fails when removing a function. Instead, the function can simply be replaced by a stub function that could be cleaned up on the next modification of the array. That is, instead of calling the function registered to the tracepoint, it would call a stub function in its place. Link: https://lore.kernel.org/r/20201115055256.65625-1-mmullins@mmlx.us Link: https://lore.kernel.org/r/20201116175107.02db396d@gandalf.local.home Link: https://lore.kernel.org/r/20201117211836.54acaef2@oasis.local.home Link: https://lkml.kernel.org/r/20201118093405.7a6d2290@gandalf.local.home [ Note, this version does use undefined compiler behavior (assuming that a stub function with no parameters or return, can be called by a location that thinks it has parameters but still no return value. Static calls do the same thing, so this trick is not without precedent. There's another solution that uses RCU tricks and is more complex, but can be an alternative if this solution becomes an issue. Link: https://lore.kernel.org/lkml/20210127170721.58bce7cc@gandalf.local.home/ ] Cc: Peter Zijlstra Cc: Josh Poimboeuf Cc: Mathieu Desnoyers Cc: Ingo Molnar Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Dmitry Vyukov Cc: Martin KaFai Lau Cc: Song Liu Cc: Yonghong Song Cc: Andrii Nakryiko Cc: John Fastabend Cc: KP Singh Cc: netdev Cc: bpf Cc: Kees Cook Cc: Florian Weimer Fixes: 97e1c18e8d17b ("tracing: Kernel Tracepoints") Reported-by: syzbot+83aa762ef23b6f0d1991@syzkaller.appspotmail.com Reported-by: syzbot+d29e58bb557324e55e5e@syzkaller.appspotmail.com Reported-by: Matt Mullins Signed-off-by: Steven Rostedt (VMware) Tested-by: Matt Mullins Signed-off-by: Sasha Levin commit 4cb8bdaebbd88520776dcc75531c50fb029ce362 Author: Parav Pandit Date: Wed Jan 27 17:00:08 2021 +0200 IB/cm: Avoid a loop when device has 255 ports [ Upstream commit 131be26750379592f0dd6244b2a90bbb504a10bb ] When RDMA device has 255 ports, loop iterator i overflows. Due to which cm_add_one() port iterator loops infinitely. Use core provided port iterator to avoid the infinite loop. Fixes: a977049dacde ("[PATCH] IB: Add the kernel CM implementation") Link: https://lore.kernel.org/r/20210127150010.1876121-9-leon@kernel.org Signed-off-by: Mark Bloch Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 180cd50dd9a806b0de4e7467717e400b6b2529d2 Author: Parav Pandit Date: Wed Jan 27 17:00:07 2021 +0200 IB/mlx5: Return appropriate error code instead of ENOMEM [ Upstream commit d286ac1d05210695c312b9018b3aa7c2048e9aca ] When mlx5_ib_stage_init_init() fails, return the error code related to failure instead of -ENOMEM. Fixes: 16c1975f1032 ("IB/mlx5: Create profile infrastructure to add and remove stages") Link: https://lore.kernel.org/r/20210127150010.1876121-8-leon@kernel.org Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 379b5ee283dd2c7a8abcf3de33ba15a8a0702d58 Author: Uwe Kleine-König Date: Tue Jan 26 17:58:31 2021 +0100 amba: Fix resource leak for drivers without .remove [ Upstream commit de5d7adb89367bbc87b4e5ce7afe7ae9bd86dc12 ] Consider an amba driver with a .probe but without a .remove callback (e.g. pl061_gpio_driver). The function amba_probe() is called to bind a device and so dev_pm_domain_attach() and others are called. As there is no remove callback amba_remove() isn't called at unbind time however and so calling dev_pm_domain_detach() is missed and the pm domain keeps active. To fix this always use the core driver callbacks and handle missing amba callbacks there. For probe refuse registration as a driver without probe doesn't make sense. Fixes: 7cfe249475fd ("ARM: AMBA: Add pclk support to AMBA bus infrastructure") Reviewed-by: Ulf Hansson Reviewed-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210126165835.687514-2-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Sasha Levin commit 65159b4401fd0b768f155c39e3d6be3185605769 Author: Roja Rani Yarubandi Date: Mon Dec 21 18:08:00 2020 +0530 i2c: qcom-geni: Store DMA mapping data in geni_i2c_dev struct [ Upstream commit 357ee8841d0b7bd822f25fc768afbc0c2ab7e47b ] Store DMA mapping data in geni_i2c_dev struct to enhance DMA mapping data scope. For example during shutdown callback to unmap DMA mapping, this stored DMA mapping data can be used to call geni_se_tx_dma_unprep and geni_se_rx_dma_unprep functions. Add two helper functions geni_i2c_rx_msg_cleanup and geni_i2c_tx_msg_cleanup to unwrap the things after rx/tx FIFO/DMA transfers, so that the same can be used in geni_i2c_stop_xfer() function during shutdown callback. Signed-off-by: Roja Rani Yarubandi Reviewed-by: Akash Asthana Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 870ab7ef9799bdc1d58d4ac17c6aba38641d54ca Author: Vladimir Murzin Date: Thu Jan 7 10:47:24 2021 +0100 ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores [ Upstream commit 2acb909750431030b65a0a2a17fd8afcbd813a84 ] It was observed that decompressor running on hardware implementing ARM v8.2 Load/Store Multiple Atomicity and Ordering Control (LSMAOC), say, as guest, would stuck just after: Uncompressing Linux... done, booting the kernel. The reason is that it clears nTLSMD bit when disabling caches: nTLSMD, bit [3] When ARMv8.2-LSMAOC is implemented: No Trap Load Multiple and Store Multiple to Device-nGRE/Device-nGnRE/Device-nGnRnE memory. 0b0 All memory accesses by A32 and T32 Load Multiple and Store Multiple at EL1 or EL0 that are marked at stage 1 as Device-nGRE/Device-nGnRE/Device-nGnRnE memory are trapped and generate a stage 1 Alignment fault. 0b1 All memory accesses by A32 and T32 Load Multiple and Store Multiple at EL1 or EL0 that are marked at stage 1 as Device-nGRE/Device-nGnRE/Device-nGnRnE memory are not trapped. This bit is permitted to be cached in a TLB. This field resets to 1. Otherwise: Reserved, RES1 So as effect we start getting traps we are not quite ready for. Looking into history it seems that mask used for SCTLR clear came from the similar code for ARMv4, where bit[3] is the enable/disable bit for the write buffer. That not applicable to ARMv7 and onwards, so retire that bit from the masks. Fixes: 7d09e85448dfa78e3e58186c934449aaf6d49b50 ("[ARM] 4393/2: ARMv7: Add uncompressing code for the new CPU Id format") Signed-off-by: Vladimir Murzin Signed-off-by: Russell King Signed-off-by: Sasha Levin commit f201f050a52ae1eb1da5c9c9f7a9863173742550 Author: Takeshi Saito Date: Wed Dec 16 19:29:31 2020 +0900 mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes [ Upstream commit d7aefb2887601cf1fc3f86f55d43b2c9aece5e8f ] According to the latest datasheet, the internal DMAC buffer alignment R-Car Gen3 SDHI HW should be 128-bytes. So, fix it. Signed-off-by: Takeshi Saito [shimoda: revise commit description, rebase] Fixes: 2a68ea7896e3 ("mmc: renesas-sdhi: add support for R-Car Gen3 SDHI DMAC") Signed-off-by: Yoshihiro Shimoda Reviewed-by: Wolfram Sang Tested-by: Wolfram Sang Link: https://lore.kernel.org/r/1608114572-1892-2-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 2096ca11967ca0a650b595dd1d52fa7d886f0fa4 Author: Christophe JAILLET Date: Thu Dec 17 22:09:22 2020 +0100 mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe [ Upstream commit 6052b3c370fb82dec28bcfff6d7ec0da84ac087a ] A call to 'ausdhi6_dma_release()' to undo a previous call to 'usdhi6_dma_request()' is missing in the error handling path of the probe function. It is already present in the remove function. Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201217210922.165340-1-christophe.jaillet@wanadoo.fr Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit de1e8961db05a1b9211e905a60112f782ab0cb98 Author: Christophe JAILLET Date: Thu Dec 17 21:42:36 2020 +0100 mmc: sdhci-sprd: Fix some resource leaks in the remove function [ Upstream commit c9c256a8b0dc09c305c409d6264cc016af2ba38d ] 'sdhci_remove_host()' and 'sdhci_pltfm_free()' should be used in place of 'mmc_remove_host()' and 'mmc_free_host()'. This avoids some resource leaks, is more in line with the error handling path of the probe function, and is more consistent with other drivers. Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller") Signed-off-by: Christophe JAILLET Acked-by: Orson Zhai Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20201217204236.163446-1-christophe.jaillet@wanadoo.fr Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit c4c70ac4659e3a0cf06755a2d41cfa848c5cec8b Author: Christophe Leroy Date: Wed Jan 20 07:49:13 2021 +0000 powerpc/47x: Disable 256k page size [ Upstream commit 910a0cb6d259736a0c86e795d4c2f42af8d0d775 ] PPC47x_TLBE_SIZE isn't defined for 256k pages, leading to a build break if 256k pages is selected. So change the kconfig so that 256k pages can't be selected for 47x. Fixes: e7f75ad01d59 ("powerpc/47x: Base ppc476 support") Reported-by: kernel test robot Signed-off-by: Christophe Leroy [mpe: Expand change log to mention build break] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/2fed79b1154c872194f98bac4422c23918325e61.1611128938.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 8121f35cc657ab569fdebdfe94ecb9d345bfb89d Author: Cédric Le Goater Date: Mon Jan 4 15:32:01 2021 +0100 KVM: PPC: Make the VMX instruction emulation routines static [ Upstream commit 9236f57a9e51c72ce426ccd2e53e123de7196a0f ] These are only used locally. It fixes these W=1 compile errors : ../arch/powerpc/kvm/powerpc.c:1521:5: error: no previous prototype for ‘kvmppc_get_vmx_dword’ [-Werror=missing-prototypes] 1521 | int kvmppc_get_vmx_dword(struct kvm_vcpu *vcpu, int index, u64 *val) | ^~~~~~~~~~~~~~~~~~~~ ../arch/powerpc/kvm/powerpc.c:1539:5: error: no previous prototype for ‘kvmppc_get_vmx_word’ [-Werror=missing-prototypes] 1539 | int kvmppc_get_vmx_word(struct kvm_vcpu *vcpu, int index, u64 *val) | ^~~~~~~~~~~~~~~~~~~ ../arch/powerpc/kvm/powerpc.c:1557:5: error: no previous prototype for ‘kvmppc_get_vmx_hword’ [-Werror=missing-prototypes] 1557 | int kvmppc_get_vmx_hword(struct kvm_vcpu *vcpu, int index, u64 *val) | ^~~~~~~~~~~~~~~~~~~~ ../arch/powerpc/kvm/powerpc.c:1575:5: error: no previous prototype for ‘kvmppc_get_vmx_byte’ [-Werror=missing-prototypes] 1575 | int kvmppc_get_vmx_byte(struct kvm_vcpu *vcpu, int index, u64 *val) | ^~~~~~~~~~~~~~~~~~~ Fixes: acc9eb9305fe ("KVM: PPC: Reimplement LOAD_VMX/STORE_VMX instruction mmio emulation with analyse_instr() input") Signed-off-by: Cédric Le Goater Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210104143206.695198-19-clg@kaod.org Signed-off-by: Sasha Levin commit 144422afaa1061e82b7dab66cb01f46c713460af Author: Shay Drory Date: Mon Jan 25 14:13:39 2021 +0200 IB/umad: Return EPOLLERR in case of when device disassociated [ Upstream commit def4cd43f522253645b72c97181399c241b54536 ] Currently, polling a umad device will always works, even if the device was disassociated. A disassociated device should immediately return EPOLLERR from poll(). Otherwise userspace is endlessly hung on poll() with no idea that the device has been removed from the system. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20210125121339.837518-3-leon@kernel.org Signed-off-by: Shay Drory Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 40d9bcab50d0f75f984d52781e1ec6b28ccc3b49 Author: Shay Drory Date: Mon Jan 25 14:13:38 2021 +0200 IB/umad: Return EIO in case of when device disassociated [ Upstream commit 4fc5461823c9cad547a9bdfbf17d13f0da0d6bb5 ] MAD message received by the user has EINVAL error in all flows including when the device is disassociated. That makes it impossible for the applications to treat such flow differently. Change it to return EIO, so the applications will be able to perform disassociation recovery. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20210125121339.837518-2-leon@kernel.org Signed-off-by: Shay Drory Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f337e5947a19e67d3ec3fa8bbc225191c6b432b4 Author: Josh Poimboeuf Date: Thu Jan 21 15:29:19 2021 -0600 objtool: Fix ".cold" section suffix check for newer versions of GCC [ Upstream commit 34ca59e109bdf69704c33b8eeffaa4c9f71076e5 ] With my version of GCC 9.3.1 the ".cold" subfunctions no longer have a numbered suffix, so the trailing period is no longer there. Presumably this doesn't yet trigger a user-visible bug since most of the subfunction detection logic is duplicated. I only found it when testing vmlinux.o validation. Fixes: 54262aa28301 ("objtool: Fix sibling call detection") Signed-off-by: Josh Poimboeuf Link: https://lore.kernel.org/r/ca0b5a57f08a2fbb48538dd915cc253b5edabb40.1611263461.git.jpoimboe@redhat.com Signed-off-by: Sasha Levin commit 9d20f53167e6708e8d3f51000e0c88b38f4f7d26 Author: Josh Poimboeuf Date: Thu Jan 21 15:29:17 2021 -0600 objtool: Fix error handling for STD/CLD warnings [ Upstream commit 6f567c9300a5ebd7b18c26dda1c8d6ffbdd0debd ] Actually return an error (and display a backtrace, if requested) for directional bit warnings. Fixes: 2f0f9e9ad7b3 ("objtool: Add Direction Flag validation") Signed-off-by: Josh Poimboeuf Link: https://lore.kernel.org/r/dc70f2adbc72f09526f7cab5b6feb8bf7f6c5ad4.1611263461.git.jpoimboe@redhat.com Signed-off-by: Sasha Levin commit 68b6d02b3774854e60e51ea41fae86906747c1f6 Author: Geert Uytterhoeven Date: Fri Jan 22 16:39:40 2021 +0100 auxdisplay: ht16k33: Fix refresh rate handling [ Upstream commit e89b0a426721a8ca5971bc8d70aa5ea35c020f90 ] Drop the call to msecs_to_jiffies(), as "HZ / fbdev->refresh_rate" is already the number of jiffies to wait. Fixes: 8992da44c6805d53 ("auxdisplay: ht16k33: Driver for LED controller") Signed-off-by: Geert Uytterhoeven Signed-off-by: Miguel Ojeda Signed-off-by: Sasha Levin commit 88b6e7267f9e97d29e5f987ecaddd414360f6a48 Author: Pan Bian Date: Mon Jan 18 04:04:55 2021 -0800 isofs: release buffer head before return [ Upstream commit 0a6dc67a6aa45f19bd4ff89b4f468fc50c4b8daa ] Release the buffer_head before returning error code in do_isofs_readdir() and isofs_find_entry(). Fixes: 2deb1acc653c ("isofs: fix access to unallocated memory when reading corrupted filesystem") Link: https://lore.kernel.org/r/20210118120455.118955-1-bianpan2016@163.com Signed-off-by: Pan Bian Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 8eaf7e3480ecd4d560e1b79d7f4ccc61ffb97198 Author: Hans de Goede Date: Fri Jan 22 19:32:50 2021 +0100 regulator: core: Avoid debugfs: Directory ... already present! error [ Upstream commit dbe954d8f1635f949a1d9a5d6e6fb749ae022b47 ] Sometimes regulator_get() gets called twice for the same supply on the same device. This may happen e.g. when a framework / library is used which uses the regulator; and the driver itself also needs to enable the regulator in some cases where the framework will not enable it. Commit ff268b56ce8c ("regulator: core: Don't spew backtraces on duplicate sysfs") already takes care of the backtrace which would trigger when creating a duplicate consumer symlink under /sys/class/regulator/regulator.%d in this scenario. Commit c33d442328f5 ("debugfs: make error message a bit more verbose") causes a new error to get logged in this scenario: [ 26.938425] debugfs: Directory 'wm5102-codec-MICVDD' with parent 'spi-WM510204:00-MICVDD' already present! There is no _nowarn variant of debugfs_create_dir(), but we can detect and avoid this problem by checking the return value of the earlier sysfs_create_link_nowarn() call. Add a check for the earlier sysfs_create_link_nowarn() failing with -EEXIST and skip the debugfs_create_dir() call in that case, avoiding this error getting logged. Fixes: c33d442328f5 ("debugfs: make error message a bit more verbose") Cc: Charles Keepax Signed-off-by: Hans de Goede Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/20210122183250.370571-1-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 486a018932fedbd389c350652f71761aec0bebc6 Author: Krzysztof Kozlowski Date: Thu Jan 21 16:59:14 2021 +0100 regulator: s5m8767: Drop regulators OF node reference [ Upstream commit a5872bd3398d0ff2ce4c77794bc7837899c69024 ] The device node reference obtained with of_get_child_by_name() should be dropped on error paths. Fixes: 26aec009f6b6 ("regulator: add device tree support for s5m8767") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210121155914.48034-1-krzk@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ab669048f97deda1e98cc0ccd16e46960dee9184 Author: Pan Bian Date: Tue Jan 19 21:00:25 2021 -0800 spi: atmel: Put allocated master before return [ Upstream commit 21ea2743f015dbacec1831bdc8afc848db9c2b8c ] The allocated master is not released. Goto error handling label rather than directly return. Fixes: 5e9af37e46bc ("spi: atmel: introduce probe deferring") Signed-off-by: Pan Bian Fixes: 5e9af37e46bc ("spi: atmel: introduce probe deferring") Reviewed-by: Tudor Ambarus Link: https://lore.kernel.org/r/20210120050025.25426-1-bianpan2016@163.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bdad2e9c992e6041af850e97d45ad18b9caaf053 Author: Pan Bian Date: Wed Jan 20 19:27:56 2021 -0800 regulator: s5m8767: Fix reference count leak [ Upstream commit dea6dd2ba63f8c8532addb8f32daf7b89a368a42 ] Call of_node_put() to drop references of regulators_np and reg_np before returning error code. Fixes: 9ae5cc75ceaa ("regulator: s5m8767: Pass descriptor instead of GPIO number") Signed-off-by: Pan Bian Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20210121032756.49501-1-bianpan2016@163.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0fec3272abf17bf337dc9d8934d7a0d3ff4e83d8 Author: David Howells Date: Fri Nov 20 19:04:23 2020 +0100 certs: Fix blacklist flag type confusion [ Upstream commit 4993e1f9479a4161fd7d93e2b8b30b438f00cb0f ] KEY_FLAG_KEEP is not meant to be passed to keyring_alloc() or key_alloc(), as these only take KEY_ALLOC_* flags. KEY_FLAG_KEEP has the same value as KEY_ALLOC_BYPASS_RESTRICTION, but fortunately only key_create_or_update() uses it. LSMs using the key_alloc hook don't check that flag. KEY_FLAG_KEEP is then ignored but fortunately (again) the root user cannot write to the blacklist keyring, so it is not possible to remove a key/hash from it. Fix this by adding a KEY_ALLOC_SET_KEEP flag that tells key_alloc() to set KEY_FLAG_KEEP on the new key. blacklist_init() can then, correctly, pass this to keyring_alloc(). We can also use this in ima_mok_init() rather than setting the flag manually. Note that this doesn't fix an observable bug with the current implementation but it is required to allow addition of new hashes to the blacklist in the future without making it possible for them to be removed. Fixes: 734114f8782f ("KEYS: Add a system blacklist keyring") Reported-by: Mickaël Salaün Signed-off-by: David Howells cc: Mickaël Salaün cc: Mimi Zohar Cc: David Woodhouse Signed-off-by: Sasha Levin commit 8d0c3acd0370dfdf81549e6c6fd7a72b74959daa Author: Pan Bian Date: Wed Jan 20 04:33:13 2021 -0800 regulator: axp20x: Fix reference cout leak [ Upstream commit e78bf6be7edaacb39778f3a89416caddfc6c6d70 ] Decrements the reference count of device node and its child node. Fixes: dfe7a1b058bb ("regulator: AXP20x: Add support for regulators subsystem") Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/20210120123313.107640-1-bianpan2016@163.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit edf1d902519574c1c7a6a560a1fbd0d5fd647b3b Author: Andre Przywara Date: Mon Jan 18 00:09:12 2021 +0000 clk: sunxi-ng: h6: Fix clock divider range on some clocks [ Upstream commit 04ef679591c76571a9e7d5ca48316cc86fa0ef12 ] While comparing clocks between the H6 and H616, some of the M factor ranges were found to be wrong: the manual says they are only covering two bits [1:0], but our code had "5" in the number-of-bits field. By writing 0xff into that register in U-Boot and via FEL, it could be confirmed that bits [4:2] are indeed masked off, so the manual is right. Change to number of bits in the affected clock's description. Fixes: 524353ea480b ("clk: sunxi-ng: add support for the Allwinner H6 CCU") Signed-off-by: Andre Przywara Reviewed-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210118000912.28116-1-andre.przywara@arm.com Signed-off-by: Sasha Levin commit e68366695807278ca32556110bfa2f2aa3c739d1 Author: Yishai Hadas Date: Wed Dec 30 15:01:19 2020 +0200 RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation [ Upstream commit 8798e4ad0abe0ba1221928a46561981c510be0c6 ] Use the correct obj_id upon DEVX TIR creation by strictly taking the tirn 24 bits and not the general obj_id which is 32 bits. Fixes: 7efce3691d33 ("IB/mlx5: Add obj create and destroy functionality") Link: https://lore.kernel.org/r/20201230130121.180350-2-leon@kernel.org Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6a52a17fd0a3b3da5414ca3f81d21f5b7dd6053c Author: Tom Rix Date: Mon Jan 18 13:19:55 2021 -0800 clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined [ Upstream commit 7da390694afbaed8e0f05717a541dfaf1077ba51 ] When DEBUG is defined this error occurs drivers/clocksource/mxs_timer.c:138:1: error: expected ‘;’ before ‘}’ token The preceding statement needs a semicolon. Replace pr_info() with pr_debug() and remove the unneeded ifdef. Fixes: eb8703e2ef7c ("clockevents/drivers/mxs: Migrate to new 'set-state' interface") Signed-off-by: Tom Rix Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210118211955.763609-1-trix@redhat.com Signed-off-by: Sasha Levin commit 898c96f756163f757fc9b89a7c23ffd28917d57f Author: Arnd Bergmann Date: Sun Jan 3 14:59:24 2021 +0100 clocksource/drivers/ixp4xx: Select TIMER_OF when needed [ Upstream commit 7a3b8758bd6e45f7b671723b5c9fa2b69d0787ae ] Compile-testing the ixp4xx timer with CONFIG_OF enabled but CONFIG_TIMER_OF disabled leads to a harmless warning: arm-linux-gnueabi-ld: warning: orphan section `__timer_of_table' from `drivers/clocksource/timer-ixp4xx.o' being placed in section `__timer_of_table' Move the select statement from the platform code into the driver so it always gets enabled in configurations that rely on it. Fixes: 40df14cc5cc0 ("clocksource/drivers/ixp4xx: Add OF initialization support") Signed-off-by: Arnd Bergmann Reviewed-by: Linus Walleij Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210103135955.3808976-1-arnd@kernel.org Signed-off-by: Sasha Levin commit d8a9db6dfa23d8523a70cac09c673a40f09437b1 Author: Bartosz Golaszewski Date: Thu Jan 14 11:22:17 2021 +0100 rtc: s5m: select REGMAP_I2C [ Upstream commit 1f0cbda3b452b520c5f3794f8f0e410e8bc7386a ] The rtc-s5m uses the I2C regmap but doesn't select it in Kconfig so depending on the configuration the build may fail. Fix it. Fixes: 959df7778bbd ("rtc: Enable compile testing for Maxim and Samsung drivers") Signed-off-by: Bartosz Golaszewski Reviewed-by: Krzysztof Kozlowski Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20210114102219.23682-2-brgl@bgdev.pl Signed-off-by: Sasha Levin commit 239670e85cbb8ab1e42d1cd3ba81c8dc9ef02b1c Author: Claudiu Beznea Date: Wed Dec 16 14:57:31 2020 +0200 power: reset: at91-sama5d2_shdwc: fix wkupdbc mask [ Upstream commit 95aa21a3f1183260db1b0395e03df5bebc5ed641 ] According to datasheet WKUPDBC mask is b/w bits 26..24. Fixes: f80cb48843987 ("power: reset: at91-shdwc: add new shutdown controller driver") Signed-off-by: Claudiu Beznea Reviewed-by: Alexandre Belloni Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 3cbd3038c9155038020560729cde50588311105d Author: Nicolas Boichat Date: Fri Jan 15 11:45:44 2021 +0000 of/fdt: Make sure no-map does not remove already reserved regions [ Upstream commit 8a5a75e5e9e55de1cef5d83ca3589cb4899193ef ] If the device tree is incorrectly configured, and attempts to define a "no-map" reserved memory that overlaps with the kernel data/code, the kernel would crash quickly after boot, with no obvious clue about the nature of the issue. For example, this would happen if we have the kernel mapped at these addresses (from /proc/iomem): 40000000-41ffffff : System RAM 40080000-40dfffff : Kernel code 40e00000-411fffff : reserved 41200000-413e0fff : Kernel data And we declare a no-map shared-dma-pool region at a fixed address within that range: mem_reserved: mem_region { compatible = "shared-dma-pool"; reg = <0 0x40000000 0 0x01A00000>; no-map; }; To fix this, when removing memory regions at early boot (which is what "no-map" regions do), we need to make sure that the memory is not already reserved. If we do, __reserved_mem_reserve_reg will throw an error: [ 0.000000] OF: fdt: Reserved memory: failed to reserve memory for node 'mem_region': base 0x0000000040000000, size 26 MiB and the code that will try to use the region should also fail, later on. We do not do anything for non-"no-map" regions, as memblock explicitly allows reserved regions to overlap, and the commit that this fixes removed the check for that precise reason. [ qperret: fixed conflicts caused by the usage of memblock_mark_nomap ] Fixes: 094cb98179f19b7 ("of/fdt: memblock_reserve /memreserve/ regions in the case of partial overlap") Signed-off-by: Nicolas Boichat Reviewed-by: Stephen Boyd Signed-off-by: Quentin Perret Link: https://lore.kernel.org/r/20210115114544.1830068-3-qperret@google.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit fb326c6ce0dcbb6273202c6e012759754ec8538d Author: KarimAllah Ahmed Date: Fri Jan 15 11:45:43 2021 +0000 fdt: Properly handle "no-map" field in the memory region [ Upstream commit 86588296acbfb1591e92ba60221e95677ecadb43 ] Mark the memory region with NOMAP flag instead of completely removing it from the memory blocks. That makes the FDT handling consistent with the EFI memory map handling. Cc: Rob Herring Cc: Frank Rowand Cc: devicetree@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: KarimAllah Ahmed Signed-off-by: Quentin Perret Link: https://lore.kernel.org/r/20210115114544.1830068-2-qperret@google.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 5fba43deff93272f6db6e1b0b2cf39ceb7d555a8 Author: Yoshihiro Shimoda Date: Tue Jan 12 18:00:56 2021 +0900 mfd: bd9571mwv: Use devm_mfd_add_devices() [ Upstream commit c58ad0f2b052b5675d6394e03713ee41e721b44c ] To remove mfd devices when unload this driver, should use devm_mfd_add_devices() instead. Fixes: d3ea21272094 ("mfd: Add ROHM BD9571MWV-M MFD PMIC driver") Signed-off-by: Yoshihiro Shimoda Acked-for-MFD-by: Lee Jones Reviewed-by: Geert Uytterhoeven Reviewed-by: Matti Vaittinen Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit 3b0053360e84ea6725954d889ba3a61aefc5ef0c Author: Ferry Toth Date: Tue Jan 12 23:37:49 2021 +0100 dmaengine: hsu: disable spurious interrupt [ Upstream commit 035b73b2b3b2e074a56489a7bf84b6a8012c0e0d ] On Intel Tangier B0 and Anniedale the interrupt line, disregarding to have different numbers, is shared between HSU DMA and UART IPs. Thus on such SoCs we are expecting that IRQ handler is called in UART driver only. hsu_pci_irq was handling the spurious interrupt from HSU DMA by returning immediately. This wastes CPU time and since HSU DMA and HSU UART interrupt occur simultaneously they race to be handled causing delay to the HSU UART interrupt handling. Fix this by disabling the interrupt entirely. Fixes: 4831e0d9054c ("serial: 8250_mid: handle interrupt correctly in DMA case") Signed-off-by: Ferry Toth Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210112223749.97036-1-ftoth@exalondelft.nl Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit fe0a870739bade89bff048f4015f2387673375c3 Author: Christophe JAILLET Date: Sat Dec 12 17:25:35 2020 +0100 dmaengine: owl-dma: Fix a resource leak in the remove function [ Upstream commit 1f0a16f04113f9f0ab0c8e6d3abe661edab549e6 ] A 'dma_pool_destroy()' call is missing in the remove function. Add it. This call is already made in the error handling path of the probe function. Fixes: 47e20577c24d ("dmaengine: Add Actions Semi Owl family S900 DMA driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201212162535.95727-1-christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6f4fdb448b4c9078fc2b6e03ad3c1009e2e8fa7f Author: Christophe JAILLET Date: Sat Dec 12 17:06:14 2020 +0100 dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function [ Upstream commit b202d4e82531a62a33a6b14d321dd2aad491578e ] In case of error, the previous 'fsl_dma_chan_probe()' calls must be undone by some 'fsl_dma_chan_remove()', as already done in the remove function. It was added in the remove function in commit 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module") Fixes: d3f620b2c4fe ("fsldma: simplify IRQ probing and handling") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201212160614.92576-1-christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 67be754e077150339c248c9c3c2751dcd8799833 Author: Christophe JAILLET Date: Sat Dec 12 17:05:16 2020 +0100 dmaengine: fsldma: Fix a resource leak in the remove function [ Upstream commit cbc0ad004c03ad7971726a5db3ec84dba3dcb857 ] A 'irq_dispose_mapping()' call is missing in the remove function. Add it. This is needed to undo the 'irq_of_parse_and_map() call from the probe function and already part of the error handling path of the probe function. It was added in the probe function only in commit d3f620b2c4fe ("fsldma: simplify IRQ probing and handling") Fixes: 77cd62e8082b ("fsldma: allow Freescale Elo DMA driver to be compiled as a module") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20201212160516.92515-1-christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit da0f70eadabffaa7ceac65cbfa84d54eca8dedb9 Author: Bernard Metzler Date: Fri Jan 8 13:58:45 2021 +0100 RDMA/siw: Fix handling of zero-sized Read and Receive Queues. [ Upstream commit 661f385961f06f36da24cf408d461f988d0c39ad ] During connection setup, the application may choose to zero-size inbound and outbound READ queues, as well as the Receive queue. This patch fixes handling of zero-sized queues, but not prevents it. Kamal Heib says in an initial error report: When running the blktests over siw the following shift-out-of-bounds is reported, this is happening because the passed IRD or ORD from the ulp could be zero which will lead to unexpected behavior when calling roundup_pow_of_two(), fix that by blocking zero values of ORD or IRD. UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 shift exponent 64 is too large for 64-bit type 'long unsigned int' CPU: 20 PID: 3957 Comm: kworker/u64:13 Tainted: G S 5.10.0-rc6 #2 Hardware name: Dell Inc. PowerEdge R630/02C2CP, BIOS 2.1.5 04/11/2016 Workqueue: iw_cm_wq cm_work_handler [iw_cm] Call Trace: dump_stack+0x99/0xcb ubsan_epilogue+0x5/0x40 __ubsan_handle_shift_out_of_bounds.cold.11+0xb4/0xf3 ? down_write+0x183/0x3d0 siw_qp_modify.cold.8+0x2d/0x32 [siw] ? __local_bh_enable_ip+0xa5/0xf0 siw_accept+0x906/0x1b60 [siw] ? xa_load+0x147/0x1f0 ? siw_connect+0x17a0/0x17a0 [siw] ? lock_downgrade+0x700/0x700 ? siw_get_base_qp+0x1c2/0x340 [siw] ? _raw_spin_unlock_irqrestore+0x39/0x40 iw_cm_accept+0x1f4/0x430 [iw_cm] rdma_accept+0x3fa/0xb10 [rdma_cm] ? check_flush_dependency+0x410/0x410 ? cma_rep_recv+0x570/0x570 [rdma_cm] nvmet_rdma_queue_connect+0x1a62/0x2680 [nvmet_rdma] ? nvmet_rdma_alloc_cmds+0xce0/0xce0 [nvmet_rdma] ? lock_release+0x56e/0xcc0 ? lock_downgrade+0x700/0x700 ? lock_downgrade+0x700/0x700 ? __xa_alloc_cyclic+0xef/0x350 ? __xa_alloc+0x2d0/0x2d0 ? rdma_restrack_add+0xbe/0x2c0 [ib_core] ? __ww_mutex_die+0x190/0x190 cma_cm_event_handler+0xf2/0x500 [rdma_cm] iw_conn_req_handler+0x910/0xcb0 [rdma_cm] ? _raw_spin_unlock_irqrestore+0x39/0x40 ? trace_hardirqs_on+0x1c/0x150 ? cma_ib_handler+0x8a0/0x8a0 [rdma_cm] ? __kasan_kmalloc.constprop.7+0xc1/0xd0 cm_work_handler+0x121c/0x17a0 [iw_cm] ? iw_cm_reject+0x190/0x190 [iw_cm] ? trace_hardirqs_on+0x1c/0x150 process_one_work+0x8fb/0x16c0 ? pwq_dec_nr_in_flight+0x320/0x320 worker_thread+0x87/0xb40 ? __kthread_parkme+0xd1/0x1a0 ? process_one_work+0x16c0/0x16c0 kthread+0x35f/0x430 ? kthread_mod_delayed_work+0x180/0x180 ret_from_fork+0x22/0x30 Fixes: a531975279f3 ("rdma/siw: main include file") Fixes: f29dd55b0236 ("rdma/siw: queue pair methods") Fixes: 8b6a361b8c48 ("rdma/siw: receive path") Fixes: b9be6f18cf9e ("rdma/siw: transmit path") Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") Link: https://lore.kernel.org/r/20210108125845.1803-1-bmt@zurich.ibm.com Reported-by: Kamal Heib Reported-by: Yi Zhang Reported-by: kernel test robot Signed-off-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1f5fea7616e8126a5be2514b090fee4f7c5ea9a7 Author: Randy Dunlap Date: Wed Dec 16 17:12:21 2020 -0800 HID: core: detect and skip invalid inputs to snto32() [ Upstream commit a0312af1f94d13800e63a7d0a66e563582e39aec ] Prevent invalid (0, 0) inputs to hid-core's snto32() function. Maybe it is just the dummy device here that is causing this, but there are hundreds of calls to snto32(0, 0). Having n (bits count) of 0 is causing the current UBSAN trap with a shift value of 0xffffffff (-1, or n - 1 in this function). Either of the value to shift being 0 or the bits count being 0 can be handled by just returning 0 to the caller, avoiding the following complex shift + OR operations: return value & (1 << (n - 1)) ? value | (~0U << n) : value; Fixes: dde5845a529f ("[PATCH] Generic HID layer - code split") Signed-off-by: Randy Dunlap Reported-by: syzbot+1e911ad71dd4ea72e04a@syzkaller.appspotmail.com Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: linux-input@vger.kernel.org Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 34d0d61a864d3b69644182fdf78b2633b8b925f6 Author: Andre Przywara Date: Wed Jan 6 14:32:46 2021 +0000 clk: sunxi-ng: h6: Fix CEC clock [ Upstream commit 756650820abd4770c4200763505b634a3c04e05e ] The CEC clock on the H6 SoC is a bit special, since it uses a fixed pre-dividier for one source clock (the PLL), but conveys the other clock (32K OSC) directly. We are using a fixed predivider array for that, but fail to use the right flag to actually activate that. Fixes: 524353ea480b ("clk: sunxi-ng: add support for the Allwinner H6 CCU") Reported-by: Jernej Skrabec Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210106143246.11255-1-andre.przywara@arm.com Signed-off-by: Sasha Levin commit 2dd73db1b508810288131ff63d4f2f5f63c216fc Author: Pratyush Yadav Date: Wed Dec 23 00:14:20 2020 +0530 spi: cadence-quadspi: Abort read if dummy cycles required are too many [ Upstream commit ceeda328edeeeeac7579e9dbf0610785a3b83d39 ] The controller can only support up to 31 dummy cycles. If the command requires more it falls back to using 31. This command is likely to fail because the correct number of cycles are not waited upon. Rather than silently issuing an incorrect command, fail loudly so the caller can get a chance to find out the command can't be supported by the controller. Fixes: 140623410536 ("mtd: spi-nor: Add driver for Cadence Quad SPI Flash Controller") Signed-off-by: Pratyush Yadav Link: https://lore.kernel.org/r/20201222184425.7028-3-p.yadav@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0473358e075ceef89daa85499ac392ca34628fc3 Author: Rayagonda Kokatanur Date: Mon Nov 2 09:24:32 2020 +0530 i2c: iproc: handle master read request [ Upstream commit e21d79778768e4e187b2892d662c6aaa01e1d399 ] Handle single or multi byte master read request with or without repeated start. Fixes: c245d94ed106 ("i2c: iproc: Add multi byte read-write support for slave mode") Signed-off-by: Rayagonda Kokatanur Acked-by: Ray Jui Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 128c8431e8b9e44ff7fec312c1a519e38e37da00 Author: Rayagonda Kokatanur Date: Mon Nov 2 09:24:30 2020 +0530 i2c: iproc: update slave isr mask (ISR_MASK_SLAVE) [ Upstream commit 603e77af7b0704bdb057de0368f1f2b04fc9552c ] Update slave isr mask (ISR_MASK_SLAVE) to include remaining two slave interrupts. Fixes: c245d94ed106 ("i2c: iproc: Add multi byte read-write support for slave mode") Signed-off-by: Rayagonda Kokatanur Acked-by: Ray Jui Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit d8a5e1780a2b23d30c2f638125fdbf84b8955846 Author: Rayagonda Kokatanur Date: Mon Nov 2 09:24:29 2020 +0530 i2c: iproc: handle only slave interrupts which are enabled [ Upstream commit 545f4011e156554d704d6278245d54543f6680d1 ] Handle only slave interrupts which are enabled. The IS_OFFSET register contains the interrupt status bits which will be set regardless of the enabling of the corresponding interrupt condition. One must therefore look at both IS_OFFSET and IE_OFFSET to determine whether an interrupt condition is set and enabled. Fixes: c245d94ed106 ("i2c: iproc: Add multi byte read-write support for slave mode") Signed-off-by: Rayagonda Kokatanur Acked-by: Ray Jui Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 8b63c0cbc7243cf6b0a3531dd132629a5def1ad2 Author: Jan Kara Date: Tue Dec 22 12:09:53 2020 +0100 quota: Fix memory leak when handling corrupted quota file [ Upstream commit a4db1072e1a3bd7a8d9c356e1902b13ac5deb8ef ] When checking corrupted quota file we can bail out and leak allocated info structure. Properly free info structure on error return. Reported-by: syzbot+77779c9b52ab78154b08@syzkaller.appspotmail.com Fixes: 11c514a99bb9 ("quota: Sanity-check quota file headers on load") Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 623c86840e8ab72371bc0071bddb93f0e7d3a820 Author: Po-Hsu Lin Date: Mon Dec 28 12:34:59 2020 +0800 selftests/powerpc: Make the test check in eeh-basic.sh posix compliant [ Upstream commit 3db380570af7052620ace20c29e244938610ca71 ] The == operand is a bash extension, thus this will fail on Ubuntu with: ./eeh-basic.sh: 89: test: 2: unexpected operator As the /bin/sh on Ubuntu is pointed to DASH. Use -eq to fix this posix compatibility issue. Fixes: 996f9e0f93f162 ("selftests/powerpc: Fix eeh-basic.sh exit codes") Signed-off-by: Po-Hsu Lin Reviewed-by: Frederic Barrat Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201228043459.14281-1-po-hsu.lin@canonical.com Signed-off-by: Sasha Levin commit b070f3b6ee5a944f3d68f9c6d2e043c45c803eb6 Author: Martin Blumenstingl Date: Sat Dec 26 13:15:56 2020 +0100 clk: meson: clk-pll: propagate the error from meson_clk_pll_set_rate() [ Upstream commit ccdc1f0836f8e37b558a424f1e491f929b2e7ede ] Popagate the error code from meson_clk_pll_set_rate() when the PLL does not lock with the new settings. Fixes: 722825dcd54b2e ("clk: meson: migrate plls clocks to clk_regmap") Signed-off-by: Martin Blumenstingl Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20201226121556.975418-4-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit f8c601cb3ab4952cd8df339acd3b9a71125f6e0f Author: Martin Blumenstingl Date: Sat Dec 26 13:15:55 2020 +0100 clk: meson: clk-pll: make "ret" a signed integer [ Upstream commit 9e717285f0bd591d716fa0e7418f2cdaf756dd25 ] The error codes returned by meson_clk_get_pll_settings() are all negative. Make "ret" a signed integer in meson_clk_pll_set_rate() to make it match with the clk_ops.set_rate API as well as the data type returned by meson_clk_get_pll_settings(). Fixes: 8eed1db1adec6a ("clk: meson: pll: update driver for the g12a") Signed-off-by: Martin Blumenstingl Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20201226121556.975418-3-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit fcba0f6ab1e2c71bf051557384db48839737407b Author: Martin Blumenstingl Date: Sat Dec 26 13:15:54 2020 +0100 clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL [ Upstream commit 2f290b7c67adf6459a17a4c978102af35cd62e4a ] The "rate" parameter in meson_clk_pll_set_rate() contains the new rate. Retrieve the old rate with clk_hw_get_rate() so we don't inifinitely try to switch from the new rate to the same rate again. Fixes: 7a29a869434e8b ("clk: meson: Add support for Meson clock controller") Signed-off-by: Martin Blumenstingl Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20201226121556.975418-2-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 6413d0318ca41542cf960e9ac60bf0c847e704f3 Author: Zhang Qilong Date: Mon Nov 23 18:18:27 2020 +0800 HSI: Fix PM usage counter unbalance in ssi_hw_init [ Upstream commit aa57e77b3d28f0df07149d88c47bc0f3aa77330b ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: b209e047bc743 ("HSI: Introduce OMAP SSI driver") Signed-off-by: Zhang Qilong Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 33a2e62473e8fe5766e2b28a4db805896458b524 Author: Eric W. Biederman Date: Thu Dec 17 09:42:00 2020 -0600 capabilities: Don't allow writing ambiguous v3 file capabilities [ Upstream commit 95ebabde382c371572297915b104e55403674e73 ] The v3 file capabilities have a uid field that records the filesystem uid of the root user of the user namespace the file capabilities are valid in. When someone is silly enough to have the same underlying uid as the root uid of multiple nested containers a v3 filesystem capability can be ambiguous. In the spirit of don't do that then, forbid writing a v3 filesystem capability if it is ambiguous. Fixes: 8db6c34f1dbc ("Introduce v3 namespaced file capabilities") Reviewed-by: Andrew G. Morgan Reviewed-by: Serge Hallyn Signed-off-by: Eric W. Biederman Signed-off-by: Sasha Levin commit b42b04e517cb046803c198e1d099555bb8819d51 Author: Wang ShaoBo Date: Sun Nov 15 16:23:43 2020 +0800 ubifs: Fix error return code in alloc_wbufs() [ Upstream commit 42119dbe571eb419dae99b81dd20fa42f47464e1 ] Fix to return PTR_ERR() error code from the error handling case instead fo 0 in function alloc_wbufs(), as done elsewhere in this function. Fixes: 6a98bc4614de ("ubifs: Add authentication nodes to journal") Signed-off-by: Wang ShaoBo Reviewed-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 5501892826bb8373c1cf38d3b80c65c1b29514bd Author: Dinghao Liu Date: Tue Jan 5 14:03:40 2021 +0800 ubifs: Fix memleak in ubifs_init_authentication [ Upstream commit 11b8ab3836454a2600e396f34731e491b661f9d5 ] When crypto_shash_digestsize() fails, c->hmac_tfm has not been freed before returning, which leads to memleak. Fixes: 49525e5eecca5 ("ubifs: Add helper functions for authentication support") Signed-off-by: Dinghao Liu Reviewed-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit c4ede7571b4fc05dc1d9d799d466cc5275173082 Author: Tom Rix Date: Wed Dec 30 06:56:04 2020 -0800 jffs2: fix use after free in jffs2_sum_write_data() [ Upstream commit 19646447ad3a680d2ab08c097585b7d96a66126b ] clang static analysis reports this problem fs/jffs2/summary.c:794:31: warning: Use of memory after it is freed c->summary->sum_list_head = temp->u.next; ^~~~~~~~~~~~ In jffs2_sum_write_data(), in a loop summary data is handles a node at a time. When it has written out the node it is removed the summary list, and the node is deleted. In the corner case when a JFFS2_FEATURE_RWCOMPAT_COPY is seen, a call is made to jffs2_sum_disable_collecting(). jffs2_sum_disable_collecting() deletes the whole list which conflicts with the loop's deleting the list by parts. To preserve the old behavior of stopping the write midway, bail out of the loop after disabling summary collection. Fixes: 6171586a7ae5 ("[JFFS2] Correct handling of JFFS2_FEATURE_RWCOMPAT_COPY nodes.") Signed-off-by: Tom Rix Reviewed-by: Nathan Chancellor Signed-off-by: Richard Weinberger Signed-off-by: Sasha Levin commit 746ef39b0bd6b6cd0614e9f021ac766da9e5e49d Author: Colin Ian King Date: Thu Feb 11 13:01:08 2021 +0000 fs/jfs: fix potential integer overflow on shift of a int [ Upstream commit 4208c398aae4c2290864ba15c3dab7111f32bec1 ] The left shift of int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit integer. In the case where l2nb is 32 or more this can lead to an overflow. Avoid this by shifting the value 1LL instead. Addresses-Coverity: ("Uninitentional integer overflow") Fixes: b40c2e665cd5 ("fs/jfs: TRIM support for JFS Filesystem") Signed-off-by: Colin Ian King Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit ff138fd20f17ec5e84cace33d71f3f18f39395ec Author: Sameer Pujar Date: Wed Feb 10 12:13:39 2021 +0530 ASoC: simple-card-utils: Fix device module clock [ Upstream commit 1e30f642cf2939bbdac82ea0dd3071232670b5ab ] If "clocks = <&xxx>" is specified from the CPU or Codec component device node, the clock is not getting enabled. Thus audio playback or capture fails. Fix this by populating "simple_dai->clk" field when clocks property is specified from device node as well. Also tidy up by re-organising conditional statements of parsing logic. Fixes: bb6fc620c2ed ("ASoC: simple-card-utils: add asoc_simple_card_parse_clk()") Cc: Kuninori Morimoto Signed-off-by: Sameer Pujar Link: https://lore.kernel.org/r/1612939421-19900-2-git-send-email-spujar@nvidia.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 091b409383ad7e71fc51752c4b37364ca6831584 Author: Lakshmi Ramasubramanian Date: Thu Feb 4 09:49:51 2021 -0800 ima: Free IMA measurement buffer after kexec syscall [ Upstream commit f31e3386a4e92ba6eda7328cb508462956c94c64 ] IMA allocates kernel virtual memory to carry forward the measurement list, from the current kernel to the next kernel on kexec system call, in ima_add_kexec_buffer() function. This buffer is not freed before completing the kexec system call resulting in memory leak. Add ima_buffer field in "struct kimage" to store the virtual address of the buffer allocated for the IMA measurement list. Free the memory allocated for the IMA measurement list in kimage_file_post_load_cleanup() function. Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Tyler Hicks Reviewed-by: Thiago Jung Bauermann Reviewed-by: Tyler Hicks Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list") Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit e436d3f7bdac29abfb14324bd4dd8eb0a670721d Author: Lakshmi Ramasubramanian Date: Thu Feb 4 09:49:50 2021 -0800 ima: Free IMA measurement buffer on error [ Upstream commit 6d14c6517885fa68524238787420511b87d671df ] IMA allocates kernel virtual memory to carry forward the measurement list, from the current kernel to the next kernel on kexec system call, in ima_add_kexec_buffer() function. In error code paths this memory is not freed resulting in memory leak. Free the memory allocated for the IMA measurement list in the error code paths in ima_add_kexec_buffer() function. Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Tyler Hicks Fixes: 7b8589cc29e7 ("ima: on soft reboot, save the measurement list") Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit f04787555f4c9b1d5913e6c0f1413d6eecc47527 Author: Daniele Alessandrelli Date: Wed Feb 3 11:28:37 2021 +0000 crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() [ Upstream commit a53ab94eb6850c3657392e2d2ce9b38c387a2633 ] The length ('len' parameter) passed to crypto_ecdh_decode_key() is never checked against the length encoded in the passed buffer ('buf' parameter). This could lead to an out-of-bounds access when the passed length is less than the encoded length. Add a check to prevent that. Fixes: 3c4b23901a0c7 ("crypto: ecdh - Add ECDH software support") Signed-off-by: Daniele Alessandrelli Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit cba03a29611cbdcc2daa9612110738fdf60d8148 Author: Jan Henrik Weinstock Date: Mon Feb 1 16:14:59 2021 +0100 hwrng: timeriomem - Fix cooldown period calculation [ Upstream commit e145f5565dc48ccaf4cb50b7cfc48777bed8c100 ] Ensure cooldown period tolerance of 1% is actually accounted for. Fixes: ca3bff70ab32 ("hwrng: timeriomem - Improve performance...") Signed-off-by: Jan Henrik Weinstock Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6f651ec266ba18338f8bccecaecc0eb41974a5fc Author: Zhihao Cheng Date: Fri Nov 20 09:08:04 2020 +0800 btrfs: clarify error returns values in __load_free_space_cache [ Upstream commit 3cc64e7ebfb0d7faaba2438334c43466955a96e8 ] Return value in __load_free_space_cache is not properly set after (unlikely) memory allocation failures and 0 is returned instead. This is not a problem for the caller load_free_space_cache because only value 1 is considered as 'cache loaded' but for clarity it's better to set the errors accordingly. Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache") Reported-by: Hulk Robot Signed-off-by: Zhihao Cheng Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 790c0dcbb519f2f1336a797072f5cffd43beb168 Author: Hui Wang Date: Mon Feb 8 18:38:57 2021 +0800 ASoC: SOF: debug: Fix a potential issue on string buffer termination [ Upstream commit 9037c3bde65d339017ef41d81cb58069ffc321d4 ] The function simple_write_to_buffer() doesn't add string termination at the end of buf, we need to handle it on our own. This change refers to the function tokenize_input() in debug.c and the function sof_dfsentry_trace_filter_write() in trace.c. Fixes: 091c12e1f50c ("ASoC: SOF: debug: add new debugfs entries for IPC flood test") Reviewed-by: Kai Vehmanen Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210208103857.75705-1-hui.wang@canonical.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 624d18332e13700b845394b07bbac630adbbdb96 Author: Andrea Parri (Microsoft) Date: Wed Dec 9 08:08:25 2020 +0100 Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() [ Upstream commit e3fa4b747f085d2cda09bba0533b86fa76038635 ] When channel->device_obj is non-NULL, vmbus_onoffer_rescind() could invoke put_device(), that will eventually release the device and free the channel object (cf. vmbus_device_release()). However, a pointer to the object is dereferenced again later to load the primary_channel. The use-after-free can be avoided by noticing that this load/check is redundant if device_obj is non-NULL: primary_channel must be NULL if device_obj is non-NULL, cf. vmbus_add_channel_work(). Fixes: 54a66265d6754b ("Drivers: hv: vmbus: Fix rescind handling") Reported-by: Juan Vazquez Signed-off-by: Andrea Parri (Microsoft) Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20201209070827.29335-5-parri.andrea@gmail.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 76faeef2f45e82e9f477898f7f43cc94d9255116 Author: Dehe Gu Date: Tue Feb 2 17:39:22 2021 +0800 f2fs: fix a wrong condition in __submit_bio [ Upstream commit 39f71b7e40e21805d6b15fc7750bdd9cab6a5010 ] We should use !F2FS_IO_ALIGNED() to check and submit_io directly. Fixes: 8223ecc456d0 ("f2fs: fix to add missing F2FS_IO_ALIGNED() condition") Reviewed-by: Chao Yu Signed-off-by: Dehe Gu Signed-off-by: Ge Qiu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 721c986986d246075bc75425d0030bba8699dbd3 Author: Dan Carpenter Date: Tue Feb 2 08:56:36 2021 +0300 drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() [ Upstream commit c915ef890d5dc79f483e1ca3b3a5b5f1a170690c ] If the user passes a "level" value which is higher than 31 then that leads to shift wrapping. The undefined behavior will lead to a syzkaller stack dump. Fixes: 5632708f4452 ("drm/amd/powerplay: add dpm force multiple levels on cz/tonga/fiji/polaris (v2)") Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c1a421b198bc93ac2f6d97b9117016e9bba391f1 Author: Yi Chen Date: Thu Jan 28 17:02:56 2021 +0800 f2fs: fix to avoid inconsistent quota data [ Upstream commit 25fb04dbce6a0e165d28fd1fa8a1d7018c637fe8 ] Occasionally, quota data may be corrupted detected by fsck: Info: checkpoint state = 45 : crc compacted_summary unmount [QUOTA WARNING] Usage inconsistent for ID 0:actual (1543036928, 762) != expected (1543032832, 762) [ASSERT] (fsck_chk_quota_files:1986) --> Quota file is missing or invalid quota file content found. [QUOTA WARNING] Usage inconsistent for ID 0:actual (1352478720, 344) != expected (1352474624, 344) [ASSERT] (fsck_chk_quota_files:1986) --> Quota file is missing or invalid quota file content found. [FSCK] Unreachable nat entries [Ok..] [0x0] [FSCK] SIT valid block bitmap checking [Ok..] [FSCK] Hard link checking for regular file [Ok..] [0x0] [FSCK] valid_block_count matching with CP [Ok..] [0xdf299] [FSCK] valid_node_count matcing with CP (de lookup) [Ok..] [0x2b01] [FSCK] valid_node_count matcing with CP (nat lookup) [Ok..] [0x2b01] [FSCK] valid_inode_count matched with CP [Ok..] [0x2665] [FSCK] free segment_count matched with CP [Ok..] [0xcb04] [FSCK] next block offset is free [Ok..] [FSCK] fixing SIT types [FSCK] other corrupted bugs [Fail] The root cause is: If we open file w/ readonly flag, disk quota info won't be initialized for this file, however, following mmap() will force to convert inline inode via f2fs_convert_inline_inode(), which may increase block usage for this inode w/o updating quota data, it causes inconsistent disk quota info. The issue will happen in following stack: open(file, O_RDONLY) mmap(file) - f2fs_convert_inline_inode - f2fs_convert_inline_page - f2fs_reserve_block - f2fs_reserve_new_block - f2fs_reserve_new_blocks - f2fs_i_blocks_write - dquot_claim_block inode->i_blocks increase, but the dqb_curspace keep the size for the dquots is NULL. To fix this issue, let's call dquot_initialize() anyway in both f2fs_truncate() and f2fs_convert_inline_inode() functions to avoid potential inconsistent quota data issue. Fixes: 0abd675e97e6 ("f2fs: support plain user/group quota") Signed-off-by: Daiyue Zhang Signed-off-by: Dehe Gu Signed-off-by: Junchao Jiang Signed-off-by: Ge Qiu Signed-off-by: Yi Chen Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7cb52169ada4e404bd6a06e1e76439bd54ce6667 Author: Manivannan Sadhasivam Date: Mon Jan 4 09:41:37 2021 +0530 mtd: parsers: afs: Fix freeing the part name memory in failure [ Upstream commit 7b844cf445f0a7daa68be0ce71eb2c88d68b0c5d ] In the case of failure while parsing the partitions, the iterator should be pre decremented by one before starting to free the memory allocated by kstrdup(). Because in the failure case, kstrdup() will not succeed and thus no memory will be allocated for the current iteration. Fixes: 1fca1f6abb38 ("mtd: afs: simplify partition parsing") Signed-off-by: Manivannan Sadhasivam Reviewed-by: Linus Walleij Cc: Linus Walleij Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210104041137.113075-5-manivannan.sadhasivam@linaro.org Signed-off-by: Sasha Levin commit 35a5d96a4c22a109962e369bf6c1a0f1522f60fd Author: Sebastian Reichel Date: Sat Jan 23 18:29:45 2021 +0100 ASoC: cpcap: fix microphone timeslot mask [ Upstream commit de5bfae2fd962a9da99f56382305ec7966a604b9 ] The correct mask is 0x1f8 (Bit 3-8), but due to missing BIT() 0xf (Bit 0-3) was set instead. This means setting of CPCAP_BIT_MIC1_RX_TIMESLOT0 (Bit 3) still worked (part of both masks). On the other hand the code does not properly clear the other MIC timeslot bits. I think this is not a problem, since they are probably initialized to 0 and not touched by the driver anywhere else. But the mask also contains some wrong bits, that will be cleared. Bit 0 (CPCAP_BIT_SMB_CDC) should be safe, since the driver enforces it to be 0 anyways. Bit 1-2 are CPCAP_BIT_FS_INV and CPCAP_BIT_CLK_INV. This means enabling audio recording forces the codec into SND_SOC_DAIFMT_NB_NF mode, which is obviously bad. The bug probably remained undetected, because there are not many use cases for routing microphone to the CPU on platforms using cpcap and user base is small. I do remember having some issues with bad sound quality when testing voice recording back when I wrote the driver. It probably was this bug. Fixes: f6cdf2d3445d ("ASoC: cpcap: new codec") Reported-by: Dan Carpenter Signed-off-by: Sebastian Reichel Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20210123172945.3958622-1-sre@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4168bf93ccc4e6e5ace55b22e6b31c39dd971333 Author: Florian Fainelli Date: Fri Jan 29 10:28:45 2021 -0800 ata: ahci_brcm: Add back regulators management [ Upstream commit 10340f8d7b6dd54e616339c8ccb2f397133ebea0 ] While reworking the resources management and departing from using ahci_platform_enable_resources() which did not allow a proper step separation like we need, we unfortunately lost the ability to control AHCI regulators. This broke some Broadcom STB systems that do expect regulators to be turned on to link up with attached hard drives. Fixes: c0cdf2ac4b5b ("ata: ahci_brcm: Fix AHCI resources management") Signed-off-by: Florian Fainelli Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0faef25462f886a77e0b397cca31d51163215332 Author: Frantisek Hrbata Date: Fri Aug 28 11:28:46 2020 +0200 drm/nouveau: bail out of nouveau_channel_new if channel init fails [ Upstream commit eaba3b28401f50e22d64351caa8afe8d29509f27 ] Unprivileged user can crash kernel by using DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC ioctl. This was reported by trinity[1] fuzzer. [ 71.073906] nouveau 0000:01:00.0: crashme[1329]: channel failed to initialise, -17 [ 71.081730] BUG: kernel NULL pointer dereference, address: 00000000000000a0 [ 71.088928] #PF: supervisor read access in kernel mode [ 71.094059] #PF: error_code(0x0000) - not-present page [ 71.099189] PGD 119590067 P4D 119590067 PUD 1054f5067 PMD 0 [ 71.104842] Oops: 0000 [#1] SMP NOPTI [ 71.108498] CPU: 2 PID: 1329 Comm: crashme Not tainted 5.8.0-rc6+ #2 [ 71.114993] Hardware name: AMD Pike/Pike, BIOS RPK1506A 09/03/2014 [ 71.121213] RIP: 0010:nouveau_abi16_ioctl_channel_alloc+0x108/0x380 [nouveau] [ 71.128339] Code: 48 89 9d f0 00 00 00 41 8b 4c 24 04 41 8b 14 24 45 31 c0 4c 8d 4b 10 48 89 ee 4c 89 f7 e8 10 11 00 00 85 c0 75 78 48 8b 43 10 <8b> 90 a0 00 00 00 41 89 54 24 08 80 7d 3d 05 0f 86 bb 01 00 00 41 [ 71.147074] RSP: 0018:ffffb4a1809cfd38 EFLAGS: 00010246 [ 71.152526] RAX: 0000000000000000 RBX: ffff98cedbaa1d20 RCX: 00000000000003bf [ 71.159651] RDX: 00000000000003be RSI: 0000000000000000 RDI: 0000000000030160 [ 71.166774] RBP: ffff98cee776de00 R08: ffffdc0144198a08 R09: ffff98ceeefd4000 [ 71.173901] R10: ffff98cee7e81780 R11: 0000000000000001 R12: ffffb4a1809cfe08 [ 71.181214] R13: ffff98cee776d000 R14: ffff98cec519e000 R15: ffff98cee776def0 [ 71.188339] FS: 00007fd926250500(0000) GS:ffff98ceeac80000(0000) knlGS:0000000000000000 [ 71.196418] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 71.202155] CR2: 00000000000000a0 CR3: 0000000106622000 CR4: 00000000000406e0 [ 71.209297] Call Trace: [ 71.211777] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau] [ 71.218053] drm_ioctl_kernel+0xac/0xf0 [drm] [ 71.222421] drm_ioctl+0x211/0x3c0 [drm] [ 71.226379] ? nouveau_abi16_ioctl_getparam+0x1f0/0x1f0 [nouveau] [ 71.232500] nouveau_drm_ioctl+0x57/0xb0 [nouveau] [ 71.237285] ksys_ioctl+0x86/0xc0 [ 71.240595] __x64_sys_ioctl+0x16/0x20 [ 71.244340] do_syscall_64+0x4c/0x90 [ 71.248110] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 71.253162] RIP: 0033:0x7fd925d4b88b [ 71.256731] Code: Bad RIP value. [ 71.259955] RSP: 002b:00007ffc743592d8 EFLAGS: 00000206 ORIG_RAX: 0000000000000010 [ 71.267514] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fd925d4b88b [ 71.274637] RDX: 0000000000601080 RSI: 00000000c0586442 RDI: 0000000000000003 [ 71.281986] RBP: 00007ffc74359340 R08: 00007fd926016ce0 R09: 00007fd926016ce0 [ 71.289111] R10: 0000000000000003 R11: 0000000000000206 R12: 0000000000400620 [ 71.296235] R13: 00007ffc74359420 R14: 0000000000000000 R15: 0000000000000000 [ 71.303361] Modules linked in: rfkill sunrpc snd_hda_codec_realtek snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core edac_mce_amd snd_hwdep kvm_amd snd_seq ccp snd_seq_device snd_pcm kvm snd_timer snd irqbypass soundcore sp5100_tco pcspkr crct10dif_pclmul crc32_pclmul ghash_clmulni_intel wmi_bmof joydev i2c_piix4 fam15h_power k10temp acpi_cpufreq ip_tables xfs libcrc32c sd_mod t10_pi sg nouveau video mxm_wmi i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm broadcom bcm_phy_lib ata_generic ahci drm e1000 crc32c_intel libahci serio_raw tg3 libata firewire_ohci firewire_core wmi crc_itu_t dm_mirror dm_region_hash dm_log dm_mod [ 71.365269] CR2: 00000000000000a0 simplified reproducer ---------------------------------8<---------------------------------------- /* * gcc -o crashme crashme.c * ./crashme /dev/dri/renderD128 */ struct drm_nouveau_channel_alloc { uint32_t fb_ctxdma_handle; uint32_t tt_ctxdma_handle; int channel; uint32_t pushbuf_domains; /* Notifier memory */ uint32_t notifier_handle; /* DRM-enforced subchannel assignments */ struct { uint32_t handle; uint32_t grclass; } subchan[8]; uint32_t nr_subchan; }; static struct drm_nouveau_channel_alloc channel; int main(int argc, char *argv[]) { int fd; int rv; if (argc != 2) die("usage: %s ", 0, argv[0]); if ((fd = open(argv[1], O_RDONLY)) == -1) die("open %s", errno, argv[1]); if (ioctl(fd, DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC, &channel) == -1 && errno == EACCES) die("ioctl %s", errno, argv[1]); close(fd); printf("PASS\n"); return 0; } ---------------------------------8<---------------------------------------- [1] https://github.com/kernelslacker/trinity Fixes: eeaf06ac1a55 ("drm/nouveau/svm: initial support for shared virtual memory") Signed-off-by: Frantisek Hrbata Reviewed-by: Karol Herbst Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit adc2e1dba9773dd687e7cfa7ab968c5b115e3dd5 Author: Christophe Leroy Date: Wed Jan 20 18:57:24 2021 +0000 crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) [ Upstream commit 416b846757bcea20006a9197e67ba3a8b5b2a680 ] Talitos Security Engine AESU considers any input data size that is not a multiple of 16 bytes to be an error. This is not a problem in general, except for Counter mode that is a stream cipher and can have an input of any size. Test Manager for ctr(aes) fails on 4th test vector which has a length of 499 while all previous vectors which have a 16 bytes multiple length succeed. As suggested by Freescale, round up the input data length to the nearest 16 bytes. Fixes: 5e75ae1b3cef ("crypto: talitos - add new crypto modes") Signed-off-by: Christophe Leroy Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 7284c2692aff2459bbc97bd79a402f491dd64cef Author: Dan Carpenter Date: Thu Jan 28 12:36:52 2021 +0300 mtd: parser: imagetag: fix error codes in bcm963xx_parse_imagetag_partitions() [ Upstream commit 12ba8f8ce29fdd277f3100052eddc1afd2f5ea3f ] If the kstrtouint() calls fail, then this should return a negative error code but it currently returns success. Fixes: dd84cb022b31 ("mtd: bcm63xxpart: move imagetag parsing to its own parser") Signed-off-by: Dan Carpenter Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/YBKFtNaFHGYBj+u4@mwanda Signed-off-by: Sasha Levin commit aae14aed37d5ee106f0a7cba54ba10a9e9b43f34 Author: Qais Yousef Date: Tue Jan 19 12:07:55 2021 +0000 sched/eas: Don't update misfit status if the task is pinned [ Upstream commit 0ae78eec8aa64e645866e75005162603a77a0f49 ] If the task is pinned to a cpu, setting the misfit status means that we'll unnecessarily continuously attempt to migrate the task but fail. This continuous failure will cause the balance_interval to increase to a high value, and eventually cause unnecessary significant delays in balancing the system when real imbalance happens. Caught while testing uclamp where rt-app calibration loop was pinned to cpu 0, shortly after which we spawn another task with high util_clamp value. The task was failing to migrate after over 40ms of runtime due to balance_interval unnecessary expanded to a very high value from the calibration loop. Not done here, but it could be useful to extend the check for pinning to verify that the affinity of the task has a cpu that fits. We could end up in a similar situation otherwise. Fixes: 3b1baa6496e6 ("sched/fair: Add 'group_misfit_task' load-balance type") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Quentin Perret Acked-by: Valentin Schneider Link: https://lkml.kernel.org/r/20210119120755.2425264-1-qais.yousef@arm.com Signed-off-by: Sasha Levin commit ba95955ee1e2863c9b487394f043c5d706463134 Author: Laurent Pinchart Date: Sun Dec 20 15:11:13 2020 +0100 media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values [ Upstream commit dc9455ffae02d7b7fb51ba1e007fffcb9dc5d890 ] The Renkforce RF AC4K 300 Action Cam 4K reports invalid bFormatIndex and bFrameIndex values when negotiating the video probe and commit controls. The UVC descriptors report a single supported format and frame size, with bFormatIndex and bFrameIndex both equal to 2, but the video probe and commit controls report bFormatIndex and bFrameIndex set to 1. The device otherwise operates correctly, but the driver rejects the values and fails the format try operation. Fix it by ignoring the invalid indices, and assuming that the format and frame requested by the driver are accepted by the device. Link: https://bugzilla.kernel.org/show_bug.cgi?id=210767 Fixes: 8a652a17e3c0 ("media: uvcvideo: Ensure all probed info is returned to v4l2") Reported-by: Till Dörges Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 27019b87386398befab8e3b9b53a71df81e9fe95 Author: Tom Rix Date: Mon Jan 18 14:45:13 2021 +0100 media: pxa_camera: declare variable when DEBUG is defined [ Upstream commit 031b9212eeee365443aaef013360ea6cded7b2c4 ] When DEBUG is defined this error occurs drivers/media/platform/pxa_camera.c:1410:7: error: ‘i’ undeclared (first use in this function) for (i = 0; i < vb->num_planes; i++) ^ The variable 'i' is missing, so declare it. Fixes: 6f28435d1c15 ("[media] media: platform: pxa_camera: trivial move of functions") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0f16925a9e7082e896312613830fbdc585e370ad Author: Christophe JAILLET Date: Sat Jan 16 22:21:46 2021 +0100 media: cx25821: Fix a bug when reallocating some dma memory [ Upstream commit b2de3643c5024fc4fd128ba7767c7fb8b714bea7 ] This function looks like a realloc. However, if 'risc->cpu != NULL', the memory will be freed, but never reallocated with the bigger 'size'. Explicitly set 'risc->cpu' to NULL, so that the reallocation is correctly performed a few lines below. [hverkuil: NULL != risc->cpu -> risc->cpu] Fixes: 5ede94c70553 ("[media] cx25821: remove bogus btcx_risc dependency) Signed-off-by: Christophe JAILLET Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c3a2f73a7925f7a7661e939f8ea0ffbd32f32e7a Author: Luo Meng Date: Wed Nov 25 02:34:37 2020 +0100 media: qm1d1c0042: fix error return code in qm1d1c0042_init() [ Upstream commit fcf8d018bdca0453b8d6359062e6bc1512d04c38 ] Fix to return a negative error code from the error handling case instead of 0 in function qm1d1c0042_init(), as done elsewhere in this function. Fixes: ab4d14528fdf ("[media] em28xx: add support for PLEX PX-BCUD (ISDB-S)") Reported-by: Hulk Robot Signed-off-by: Luo Meng Acked-by: Akihiro Tsukada Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 96a3bc313aa3e9a6547f728f57abfb08677ac2c8 Author: Joe Perches Date: Sun Aug 23 20:13:31 2020 +0200 media: lmedm04: Fix misuse of comma [ Upstream commit 59a3e78f8cc33901fe39035c1ab681374bba95ad ] There's a comma used instead of a semicolon that causes multiple statements to be executed after an if instead of just the intended single statement. Replace the comma with a semicolon. Fixes: 15e1ce33182d ("[media] lmedm04: Fix usb_submit_urb BOGUS urb xfer, pipe 1 != type 3 in interrupt urb") Signed-off-by: Joe Perches Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 69e859a9d0a46d49f5ba1a7828c8040f3813014e Author: Daniel Scally Date: Thu Jan 7 14:28:24 2021 +0100 media: software_node: Fix refcounts in software_node_get_next_child() [ Upstream commit fb5ec981adf08b94e6ce27ca16b7765c94f4513c ] The software_node_get_next_child() function currently does not hold references to the child software_node that it finds or put the ref that is held against the old child - fix that. Fixes: 59abd83672f7 ("drivers: base: Introducing software nodes to the firmware node framework") Reviewed-by: Andy Shevchenko Reviewed-by: Laurent Pinchart Signed-off-by: Daniel Scally Reviewed-by: Heikki Krogerus Acked-by: Greg Kroah-Hartman Acked-by: Rafael J. Wysocki Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1e0f565138dba1149fb6a57fd817904ae269c73f Author: Mario Kleiner Date: Thu Jan 21 07:17:03 2021 +0100 drm/amd/display: Fix HDMI deep color output for DCE 6-11. [ Upstream commit efa18405baa55a864c61d2f3cc6fe4d363818eb3 ] This fixes corrupted display output in HDMI deep color 10/12 bpc mode at least as observed on AMD Mullins, DCE-8.3. It will hopefully also provide fixes for other DCE's up to DCE-11, assuming those will need similar fixes, but i could not test that for HDMI due to lack of suitable hw, so viewer discretion is advised. dce110_stream_encoder_hdmi_set_stream_attribute() is used for HDMI setup on all DCE's and is missing color_depth assignment. dce110_program_pix_clk() is used for pixel clock setup on HDMI for DCE 6-11, and is missing color_depth assignment. Additionally some of the underlying Atombios specific encoder and pixelclock setup functions are missing code which is in the classic amdgpu kms modesetting path and the in the radeon kms driver for DCE6/DCE8. encoder_control_digx_v3() - Was missing setup code wrt. amdgpu and radeon kms classic drivers. Added here, but untested due to lack of suitable test hw. encoder_control_digx_v4() - Added missing setup code. Successfully tested on AMD mullins / DCE-8.3 with HDMI deep color output at 10 bpc and 12 bpc. Note that encoder_control_digx_v5() has proper setup code in place and is used, e.g., by DCE-11.2, but this code wasn't used for deep color setup due to the missing cntl.color_depth setup in the calling function for HDMI. set_pixel_clock_v5() - Missing setup code wrt. classic amdgpu/radeon kms. Added here, but untested due to lack of hw. set_pixel_clock_v6() - Missing setup code added. Successfully tested on AMD mullins DCE-8.3. This fixes corrupted display output at HDMI deep color output with 10 bpc or 12 bpc. Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)") Reviewed-by: Nicholas Kazlauskas Signed-off-by: Mario Kleiner Cc: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 7d1fc1e88b36d04334c3a455e651eab59a693c17 Author: Mario Kleiner Date: Thu Jan 21 07:17:02 2021 +0100 drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction. [ Upstream commit 1916866dfa4aaceba1a70db83fde569387649d93 ] In set_clamp(), the comments and definitions for the COLOR_DEPTH_101010 and COLOR_DEPTH_121212 cases directly contradict the code comment which explains how this should work, whereas the COLOR_DEPTH_888 case is consistent with the code comments. Comment says the bitmask should be chosen to align to the top-most 10 or 12 MSB's on a 14 bit bus, but the implementation contradicts that: 10 bit case sets a mask for 12 bpc clamping, whereas 12 bit case sets a mask for 14 bpc clamping. Note that during my limited testing on DCE-8.3 (HDMI deep color) and DCE-11.2 (DP deep color), this didn't have any obvious ill effects, neither did fixing it change anything obvious for the better, so this fix may be inconsequential on DCE, and just reduce the confusion of innocent bystanders when reading the code and trying to investigate problems with 10 bpc+ output. Fixes: 4562236b3bc0 ("drm/amd/dc: Add dc display driver (v2)") Signed-off-by: Mario Kleiner Cc: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ed0b50cd4407c001f1498952a714c386d360754e Author: Pan Bian Date: Tue Jan 19 04:33:11 2021 -0800 bsg: free the request before return error code [ Upstream commit 0f7b4bc6bb1e57c48ef14f1818df947c1612b206 ] Free the request rq before returning error code. Fixes: 972248e9111e ("scsi: bsg-lib: handle bidi requests without block layer help") Signed-off-by: Pan Bian Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit de9b26b5133fdfd34b15296a0b75516cbb2314bf Author: Alexander Lobakin Date: Sun Jan 10 11:56:28 2021 +0000 MIPS: properly stop .eh_frame generation [ Upstream commit 894ef530012fb5078466efdfb2c15d8b2f1565cd ] Commit 866b6a89c6d1 ("MIPS: Add DWARF unwinding to assembly") added -fno-asynchronous-unwind-tables to KBUILD_CFLAGS to prevent compiler from emitting .eh_frame symbols. However, as MIPS heavily uses CFI, that's not enough. Use the approach taken for x86 (as it also uses CFI) and explicitly put CFI symbols into the .debug_frame section (except for VDSO). This allows us to drop .eh_frame from DISCARDS as it's no longer being generated. Fixes: 866b6a89c6d1 ("MIPS: Add DWARF unwinding to assembly") Suggested-by: Kees Cook Signed-off-by: Alexander Lobakin Reviewed-by: Kees Cook Reviewed-by: Nathan Chancellor Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 1169602150d52d8eed4558917679a241af3a56a5 Author: Giulio Benetti Date: Thu Jan 14 09:17:32 2021 +0100 drm/sun4i: tcon: fix inverted DCLK polarity [ Upstream commit 67f4aeb2b41a0629abde3794d463547f60b0cbdd ] During commit 88bc4178568b ("drm: Use new DRM_BUS_FLAG_*_(DRIVE|SAMPLE)_(POS|NEG)EDGE flags") DRM_BUS_FLAG_* macros have been changed to avoid ambiguity but just because of this ambiguity previous DRM_BUS_FLAG_PIXDATA_(POS/NEG)EDGE were used meaning _SAMPLE_ not _DRIVE_. This leads to DLCK inversion and need to fix but instead of swapping phase values, let's adopt an easier approach Maxime suggested: It turned out that bit 26 of SUN4I_TCON0_IO_POL_REG is dedicated to invert DCLK polarity and this makes things really easier than before. So let's handle DCLK polarity by adding SUN4I_TCON0_IO_POL_DCLK_DRIVE_NEGEDGE as bit 26 and activating according to bus_flags the same way it is done for all the other signals polarity. Fixes: 88bc4178568b ("drm: Use new DRM_BUS_FLAG_*_(DRIVE|SAMPLE)_(POS|NEG)EDGE flags") Suggested-by: Maxime Ripard Signed-off-by: Giulio Benetti Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210114081732.9386-1-giulio.benetti@benettiengineering.com Signed-off-by: Sasha Levin commit 48f2fcd7b928390f5b63a797bfe96d4e1c6ce1c7 Author: Jiri Olsa Date: Tue Jan 5 00:02:37 2021 +0100 crypto: bcm - Rename struct device_private to bcm_device_private [ Upstream commit f7f2b43eaf6b4cfe54c75100709be31d5c4b52c8 ] Renaming 'struct device_private' to 'struct bcm_device_private', because it clashes with 'struct device_private' from 'drivers/base/base.h'. While it's not a functional problem, it's causing two distinct type hierarchies in BTF data. It also breaks build with options: CONFIG_DEBUG_INFO_BTF=y CONFIG_CRYPTO_DEV_BCM_SPU=y as reported by Qais Yousef [1]. [1] https://lore.kernel.org/lkml/20201229151352.6hzmjvu3qh6p2qgg@e107158-lin/ Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Jiri Olsa Tested-by: Qais Yousef Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 3d5afcae9af281aae3299744b132f8572debf72e Author: Dinghao Liu Date: Sun Jan 10 16:02:53 2021 +0800 evm: Fix memleak in init_desc [ Upstream commit ccf11dbaa07b328fa469415c362d33459c140a37 ] tmp_tfm is allocated, but not freed on subsequent kmalloc failure, which leads to a memory leak. Free tmp_tfm. Fixes: d46eb3699502b ("evm: crypto hash replaced by shash") Signed-off-by: Dinghao Liu [zohar@linux.ibm.com: formatted/reworded patch description] Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 76b7e3a636b4e9609be8ad796a19508e4d0fae89 Author: Dan Carpenter Date: Fri Dec 11 13:07:59 2020 +0300 ASoC: cs42l56: fix up error handling in probe [ Upstream commit 856fe64da84c95a1d415564b981ae3908eea2a76 ] There are two issues with this code. The first error path forgot to set the error code and instead returns success. The second error path doesn't clean up. Fixes: 272b5edd3b8f ("ASoC: Add support for CS42L56 CODEC") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/X9NE/9nK9/TuxuL+@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c7ebd8b358b0eadfef07e4ed1f076541f1a3585d Author: Zhang Changzhong Date: Fri Dec 4 09:27:58 2020 +0100 media: aspeed: fix error return code in aspeed_video_setup_video() [ Upstream commit d497fcdab02996a4510d5dd0d743447c737c317a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 438d2cc7b8cc4b54bf8d1610a91de6258e10b375 Author: Dinghao Liu Date: Sat Jan 2 09:26:37 2021 +0100 media: tm6000: Fix memleak in tm6000_start_stream [ Upstream commit 76aaf8a96771c16365b8510f1fb97738dc88026e ] When usb_clear_halt() fails, dvb->bulk_urb->transfer_buffer and dvb->bulk_urb should be freed just like when usb_submit_urb() fails. Fixes: 3169c9b26fffa ("V4L/DVB (12788): tm6000: Add initial DVB-T support") Signed-off-by: Dinghao Liu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 31730cb2461bd088b55b5d559ef3f6a4d8e5fde6 Author: Dinghao Liu Date: Sat Jan 2 07:27:22 2021 +0100 media: media/pci: Fix memleak in empress_init [ Upstream commit 15d0c52241ecb1c9d802506bff6f5c3f7872c0df ] When vb2_queue_init() fails, dev->empress_dev should be released just like other error handling paths. Fixes: 2ada815fc48bb ("[media] saa7134: convert to vb2") Signed-off-by: Dinghao Liu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 57cc424326df4b18b42df76f6c8cc4e7891675cb Author: Dinghao Liu Date: Mon Dec 28 14:02:05 2020 +0100 media: em28xx: Fix use-after-free in em28xx_alloc_urbs [ Upstream commit a26efd1961a18b91ae4cd2e433adbcf865b40fa3 ] When kzalloc() fails, em28xx_uninit_usb_xfer() will free usb_bufs->buf and set it to NULL. Thus the later access to usb_bufs->buf[i] will lead to null pointer dereference. Also the kfree(usb_bufs->buf) after that is redundant. Fixes: d571b592c6206 ("media: em28xx: don't use coherent buffer for DMA transfers") Signed-off-by: Dinghao Liu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3e0c29a407da8230f6db1ae0fd1656e18954fbc7 Author: Christophe JAILLET Date: Sat Dec 12 18:41:19 2020 +0100 media: vsp1: Fix an error handling path in the probe function [ Upstream commit 7113469dafc2d545fa4fa9bc649c31dc27db492e ] A previous 'rcar_fcp_get()' call must be undone in the error handling path, as already done in the remove function. Fixes: 94fcdf829793 ("[media] v4l: vsp1: Add FCP support") Signed-off-by: Christophe JAILLET Reviewed-by: Geert Uytterhoeven Reviewed-by: Kieran Bingham Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e01fcc71a9940ee1a1810b154a1f73d14518feb8 Author: Dan Carpenter Date: Wed Dec 9 07:51:30 2020 +0100 media: camss: missing error code in msm_video_register() [ Upstream commit 9c67ed2ab299123872be14a3dc2ea44ce7e4538b ] This error path returns success but it should return -EINVAL. Fixes: cba3819d1e93 ("media: camss: Format configuration per hardware version") Signed-off-by: Dan Carpenter Reviewed-by: Robert Foss Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1b26ba73b18f881582523588eab210f6eee272ae Author: Ezequiel Garcia Date: Mon Jan 4 21:34:40 2021 +0100 media: imx: Fix csc/scaler unregister [ Upstream commit 89b14485caa4b7b2eaf70be0064f0978e68ebeee ] The csc/scaler device private struct is released by ipu_csc_scaler_video_device_release(), which can be called by video_unregister_device() if there are no users of the underlying struct video device. Therefore, the mutex can't be held when calling video_unregister_device() as its memory may be freed by it, leading to a kernel oops. Fortunately, the fix is quite simple as no locking is needed when calling video_unregister_device(): v4l2-core already has its own internal locking, and the structures are also properly refcounted. Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") Signed-off-by: Ezequiel Garcia Reviewed-by: Philipp Zabel Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0634c66e666001f53ad2c1383d67a0b7f53efa19 Author: Ezequiel Garcia Date: Mon Jan 4 21:34:39 2021 +0100 media: imx: Unregister csc/scaler only if registered [ Upstream commit bb2216548a2b13cf2942a058b475438a7a6bb028 ] The csc/scaler device pointer (imxmd->m2m_vdev) is assigned after the imx media device v4l2-async probe completes, therefore we need to check if the device is non-NULL before trying to unregister it. This can be the case if the non-completed imx media device is unbinded (or the driver is removed), leading to a kernel oops. Fixes: a8ef0488cc59 ("media: imx: add csc/scaler mem2mem device") Signed-off-by: Ezequiel Garcia Reviewed-by: Philipp Zabel Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 61f638b3afe9298f48b6766e0f7a46a568119eed Author: Jacopo Mondi Date: Mon Dec 21 18:52:20 2020 +0100 media: i2c: ov5670: Fix PIXEL_RATE minimum value [ Upstream commit dc1eb7c9c290cba52937c9a224b22a400bb0ffd7 ] The driver currently reports a single supported value for V4L2_CID_PIXEL_RATE and initializes the control's minimum value to 0, which is very risky, as userspace might accidentally use it as divider when calculating the time duration of a line. Fix this by using as minimum the only supported value when registering the control. Fixes: 5de35c9b8dcd1 ("media: i2c: Add Omnivision OV5670 5M sensor support") Signed-off-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7dfe4fed118def03d95c5e0b927d3afe06f84be9 Author: Nathan Chancellor Date: Tue Jan 5 13:15:48 2021 -0700 MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 [ Upstream commit c6f2a9e17b9bef7677caddb1626c2402f3e9d2bd ] When building xway_defconfig with clang: arch/mips/lantiq/irq.c:305:48: error: use of logical '&&' with constant operand [-Werror,-Wconstant-logical-operand] if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ^ ~~~~~~~~~~~~~~~~~ arch/mips/lantiq/irq.c:305:48: note: use '&' for a bitwise operation if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ^~ & arch/mips/lantiq/irq.c:305:48: note: remove constant to silence this warning if ((irq == LTQ_ICU_EBU_IRQ) && (module == 0) && LTQ_EBU_PCC_ISTAT) ~^~~~~~~~~~~~~~~~~~~~ 1 error generated. Explicitly compare the constant LTQ_EBU_PCC_ISTAT against 0 to fix the warning. Additionally, remove the unnecessary parentheses as this is a simple conditional statement and shorthand '== 0' to '!'. Fixes: 3645da0276ae ("OF: MIPS: lantiq: implement irq_domain support") Link: https://github.com/ClangBuiltLinux/linux/issues/807 Reported-by: Dmitry Golovin Signed-off-by: Nathan Chancellor Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit ea27c3f0bc1abd9e15c5593a02f86784c2fb6141 Author: Nathan Chancellor Date: Tue Jan 5 13:34:56 2021 -0700 MIPS: c-r4k: Fix section mismatch for loongson2_sc_init [ Upstream commit c58734eee6a2151ba033c0dcb31902c89e310374 ] When building with clang, the following section mismatch warning occurs: WARNING: modpost: vmlinux.o(.text+0x24490): Section mismatch in reference from the function r4k_cache_init() to the function .init.text:loongson2_sc_init() This should have been fixed with commit ad4fddef5f23 ("mips: fix Section mismatch in reference") but it was missed. Remove the improper __init annotation like that commit did. Fixes: 078a55fc824c ("MIPS: Delete __cpuinit/__CPUINIT usage from MIPS code") Link: https://github.com/ClangBuiltLinux/linux/issues/787 Signed-off-by: Nathan Chancellor Reviewed-by: Huacai Chen Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit d9f6d2a54487c945c499ca1c15d6e8bb818b0afe Author: Chenyang Li Date: Sat Dec 26 16:56:07 2020 +0800 drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition [ Upstream commit 956e20eb0fbb206e5e795539db5469db099715c8 ] Add an underscore in amdgpu_trace.h line 24 "_AMDGPU_TRACE_H". Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Reviewed-by: Guchun Chen Reviewed-by: Paul Menzel Signed-off-by: Chenyang Li Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0d528f6151c7a8023e5712f5df135a9a11b8ab2d Author: Ard Biesheuvel Date: Thu Dec 17 19:55:15 2020 +0100 crypto: arm64/aes-ce - really hide slower algos when faster ones are enabled [ Upstream commit 15deb4333cd6d4e1e3216582e4c531ec40a6b060 ] Commit 69b6f2e817e5b ("crypto: arm64/aes-neon - limit exposed routines if faster driver is enabled") intended to hide modes from the plain NEON driver that are also implemented by the faster bit sliced NEON one if both are enabled. However, the defined() CPP function does not detect if the bit sliced NEON driver is enabled as a module. So instead, let's use IS_ENABLED() here. Fixes: 69b6f2e817e5b ("crypto: arm64/aes-neon - limit exposed routines if ...") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e056f69dea5ae905b20a9cfa8755318de086731a Author: Corentin Labbe Date: Mon Dec 14 20:02:30 2020 +0000 crypto: sun4i-ss - fix kmap usage [ Upstream commit 9bc3dd24e7dccd50757db743a3635ad5b0497e6e ] With the recent kmap change, some tests which were conditional on CONFIG_DEBUG_HIGHMEM now are enabled by default. This permit to detect a problem in sun4i-ss usage of kmap. sun4i-ss uses two kmap via sg_miter (one for input, one for output), but using two kmap at the same time is hard: "the ordering has to be correct and with sg_miter that's probably hard to get right." (quoting Tlgx) So the easiest solution is to never have two sg_miter/kmap open at the same time. After each use of sg_miter, I store the current index, for being able to resume sg_miter to the right place. Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a3eeb7fd063f832ff95f6c3efe4caae1a0f5cadf Author: Corentin Labbe Date: Mon Dec 14 20:02:25 2020 +0000 crypto: sun4i-ss - linearize buffers content must be kept [ Upstream commit 583513510a7acd2306787865bcd19ebb2f629d42 ] When running the non-optimized cipher function, SS produce partial random output. This is due to linearize buffers being reseted after each loop. For preserving stack, instead of moving them back to start of function, I move them in sun4i_ss_ctx. Fixes: 8d3bcb9900ca ("crypto: sun4i-ss - reduce stack usage") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 914d61930b8993611c6bb1f3e12071283eb70ec1 Author: Chuhong Yuan Date: Thu Dec 3 22:42:48 2020 +0800 drm/fb-helper: Add missed unlocks in setcmap_legacy() [ Upstream commit 0a260e731d6c4c17547ac275a2cde888a9eb4a3d ] setcmap_legacy() does not call drm_modeset_unlock_all() in some exits, add the missed unlocks with goto to fix it. Fixes: 964c60063bff ("drm/fb-helper: separate the fb_setcmap helper into atomic and legacy paths") Signed-off-by: Chuhong Yuan Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201203144248.418281-1-hslester96@gmail.com Signed-off-by: Sasha Levin commit 200e603d5517a0cc9fe9b9fbfb965365d0709e0d Author: Dan Carpenter Date: Thu Dec 3 11:40:48 2020 +0300 gma500: clean up error handling in init [ Upstream commit 15ccc39b3aab667c6fa131206f01f31bfbccdf6a ] The main problem with this error handling was that it didn't clean up if i2c_add_numbered_adapter() failed. This code is pretty old, and doesn't match with today's checkpatch.pl standards so I took the opportunity to tidy it up a bit. I changed the NULL comparison, and removed the WARNING message if kzalloc() fails and updated the label names. Fixes: 1b082ccf5901 ("gma500: Add Oaktrail support") Signed-off-by: Dan Carpenter Signed-off-by: Patrik Jakobsson Link: https://patchwork.freedesktop.org/patch/msgid/X8ikkAqZfnDO2lu6@mwanda Signed-off-by: Sasha Levin commit 2e5c94708d3e3d1b42a77af13e363af5f3e829ca Author: Jialin Zhang Date: Mon Nov 30 10:02:16 2020 +0800 drm/gma500: Fix error return code in psb_driver_load() [ Upstream commit 6926872ae24452d4f2176a3ba2dee659497de2c4 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 5c49fd3aa0ab ("gma500: Add the core DRM files and headers") Reported-by: Hulk Robot Signed-off-by: Jialin Zhang Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201130020216.1906141-1-zhangjialin11@huawei.com Signed-off-by: Sasha Levin commit 0da21f552344a5bbef550beeff730b691974bbaf Author: Randy Dunlap Date: Thu Nov 26 19:17:52 2020 -0800 fbdev: aty: SPARC64 requires FB_ATY_CT [ Upstream commit c6c90c70db4d9a0989111d6b994d545659410f7a ] It looks like SPARC64 requires FB_ATY_CT to build without errors, so have FB_ATY select FB_ATY_CT if both SPARC64 and PCI are enabled instead of using "default y if SPARC64 && PCI", which is not strong enough to prevent build errors. As it currently is, FB_ATY_CT can be disabled, resulting in build errors: ERROR: modpost: "aty_postdividers" [drivers/video/fbdev/aty/atyfb.ko] undefined! ERROR: modpost: "aty_ld_pll_ct" [drivers/video/fbdev/aty/atyfb.ko] undefined! Reviewed-by: Geert Uytterhoeven Fixes: f7018c213502 ("video: move fbdev to drivers/video/fbdev") Signed-off-by: Randy Dunlap Cc: "David S. Miller" Cc: sparclinux@vger.kernel.org Cc: Tomi Valkeinen Cc: dri-devel@lists.freedesktop.org Cc: linux-fbdev@vger.kernel.org Cc: Daniel Vetter Cc: David Airlie Cc: Bartlomiej Zolnierkiewicz Cc: Geert Uytterhoeven Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201127031752.10371-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit e7b6ac5c46fe78a94858732a7c47601d1ba95dc9 Author: Maxime Chevallier Date: Tue Feb 16 10:25:35 2021 +0100 net: mvneta: Remove per-cpu queue mapping for Armada 3700 [ Upstream commit cf9bf871280d9e0a8869d98c2602d29caf69dfa3 ] According to Errata #23 "The per-CPU GbE interrupt is limited to Core 0", we can't use the per-cpu interrupt mechanism on the Armada 3700 familly. This is correctly checked for RSS configuration, but the initial queue mapping is still done by having the queues spread across all the CPUs in the system, both in the init path and in the cpu_hotplug path. Fixes: 2636ac3cc2b4 ("net: mvneta: Add network support for Armada 3700 SoC") Signed-off-by: Maxime Chevallier Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 825c82d5519747faa532fc8acfebafbe056f4161 Author: Shyam Sundar S K Date: Wed Feb 17 00:37:10 2021 +0530 net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP [ Upstream commit 9eab3fdb419916f66a72d1572f68d82cd9b3f963 ] Frequent link up/down events can happen when a Bel Fuse SFP part is connected to the amd-xgbe device. Try to avoid the frequent link issues by resetting the PHY as documented in Bel Fuse SFP datasheets. Fixes: e722ec82374b ("amd-xgbe: Update the BelFuse quirk to support SGMII") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 46121a6f3be557d4c972c9d3417061dcadfc028c Author: Shyam Sundar S K Date: Wed Feb 17 00:37:09 2021 +0530 net: amd-xgbe: Reset link when the link never comes back [ Upstream commit 84fe68eb67f9499309cffd97c1ba269de125ff14 ] Normally, auto negotiation and reconnect should be automatically done by the hardware. But there seems to be an issue where auto negotiation has to be restarted manually. This happens because of link training and so even though still connected to the partner the link never "comes back". This needs an auto-negotiation restart. Also, a change in xgbe-mdio is needed to get ethtool to recognize the link down and get the link change message. This change is only required in a backplane connection mode. Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 70bf58171f19514dc82abf98a6d2eaab2e72bba5 Author: Shyam Sundar S K Date: Wed Feb 17 00:37:08 2021 +0530 net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning [ Upstream commit 186edbb510bd60e748f93975989ccba25ee99c50 ] The current driver calls netif_carrier_off() late in the link tear down which can result in a netdev watchdog timeout. Calling netif_carrier_off() immediately after netif_tx_stop_all_queues() avoids the warning. ------------[ cut here ]------------ NETDEV WATCHDOG: enp3s0f2 (amd-xgbe): transmit queue 0 timed out WARNING: CPU: 3 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x20d/0x220 Modules linked in: amd_xgbe(E) amd-xgbe 0000:03:00.2 enp3s0f2: Link is Down CPU: 3 PID: 0 Comm: swapper/3 Tainted: G E Hardware name: AMD Bilby-RV2/Bilby-RV2, BIOS RBB1202A 10/18/2019 RIP: 0010:dev_watchdog+0x20d/0x220 Code: 00 49 63 4e e0 eb 92 4c 89 e7 c6 05 c6 e2 c1 00 01 e8 e7 ce fc ff 89 d9 48 RSP: 0018:ffff90cfc28c3e88 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 RDX: 0000000000000007 RSI: 0000000000000086 RDI: ffff90cfc28d63c0 RBP: ffff90cfb977845c R08: 0000000000000050 R09: 0000000000196018 R10: ffff90cfc28c3ef8 R11: 0000000000000000 R12: ffff90cfb9778000 R13: 0000000000000003 R14: ffff90cfb9778480 R15: 0000000000000010 FS: 0000000000000000(0000) GS:ffff90cfc28c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f240ff2d9d0 CR3: 00000001e3e0a000 CR4: 00000000003406e0 Call Trace: ? pfifo_fast_reset+0x100/0x100 call_timer_fn+0x2b/0x130 run_timer_softirq+0x3e8/0x440 ? enqueue_hrtimer+0x39/0x90 Fixes: e722ec82374b ("amd-xgbe: Update the BelFuse quirk to support SGMII") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0496eb6f48cc79964ff8b8d7df653934da0cf904 Author: Shyam Sundar S K Date: Wed Feb 17 00:37:07 2021 +0530 net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout [ Upstream commit 30b7edc82ec82578f4f5e6706766f0a9535617d3 ] Sometimes mailbox commands timeout when the RX data path becomes unresponsive. This prevents the submission of new mailbox commands to DXIO. This patch identifies the timeout and resets the RX data path so that the next message can be submitted properly. Fixes: 549b32af9f7c ("amd-xgbe: Simplify mailbox interface rate change code") Co-developed-by: Sudheesh Mavila Signed-off-by: Sudheesh Mavila Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 95672dd575472fd73971255190a425c8c0e4a120 Author: Lijun Pan Date: Fri Feb 12 20:49:00 2021 -0600 ibmvnic: skip send_request_unmap for timeout reset [ Upstream commit 7d3a7b9ea59ddb223aec59b45fa1713c633aaed4 ] Timeout reset will trigger the VIOS to unmap it automatically, similarly as FAILVOER and MOBILITY events. If we unmap it in the linux side, we will see errors like "30000003: Error 4 in REQUEST_UNMAP_RSP". So, don't call send_request_unmap for timeout reset. Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Signed-off-by: Lijun Pan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 64a87b0b650c157a2d2bca18f6cd65acca22e7ac Author: Lijun Pan Date: Fri Feb 12 20:48:40 2021 -0600 ibmvnic: add memory barrier to protect long term buffer [ Upstream commit 42557dab78edc8235aba5b441f2eb35f725a0ede ] dma_rmb() barrier is added to load the long term buffer before copying it to socket buffer; and dma_wmb() barrier is added to update the long term buffer before it being accessed by VIOS (virtual i/o server). Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") Signed-off-by: Lijun Pan Acked-by: Thomas Falcon Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8022d52a102bb145b70a42003690bd6031245a2a Author: Colin Ian King Date: Mon Feb 15 12:05:32 2021 +0000 b43: N-PHY: Fix the update of coef for the PHY revision >= 3case [ Upstream commit 4773acf3d4b50768bf08e9e97a204819e9ea0895 ] The documentation for the PHY update [1] states: Loop 4 times with index i If PHY Revision >= 3 Copy table[i] to coef[i] Otherwise Set coef[i] to 0 the copy of the table to coef is currently implemented the wrong way around, table is being updated from uninitialized values in coeff. Fix this by swapping the assignment around. [1] https://bcm-v4.sipsolutions.net/802.11/PHY/N/RestoreCal/ Fixes: 2f258b74d13c ("b43: N-PHY: implement restoring general configuration") Addresses-Coverity: ("Uninitialized scalar variable") Signed-off-by: Colin Ian King Acked-by: Larry Finger Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9db1f14e7043a3d55b53dfb692559d0b815f18b3 Author: Ayush Sawal Date: Mon Feb 15 17:12:26 2021 +0530 cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds [ Upstream commit 2355a6773a2cb0d2dce13432dde78497f1d6617b ] The Max imm data size in cxgb4 is not similar to the max imm data size in the chtls. This caused an mismatch in output of is_ofld_imm() of cxgb4 and chtls. So fixed this by keeping the max wreq size of imm data same in both chtls and cxgb4 as MAX_IMM_OFLD_TX_DATA_WR_LEN. As cxgb4's max imm. data value for ofld packets is changed to MAX_IMM_OFLD_TX_DATA_WR_LEN. Using the same in cxgbit also. Fixes: 36bedb3f2e5b8 ("crypto: chtls - Inline TLS record Tx") Signed-off-by: Ayush Sawal Acked-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 399fb9d51ba9a281511e263bb3e9cacdab837170 Author: Robert Hancock Date: Fri Feb 12 18:17:48 2021 -0600 net: axienet: Handle deferred probe on clock properly [ Upstream commit 57baf8cc70ea4cf5503c9d42f31f6a86d7f5ff1a ] This driver is set up to use a clock mapping in the device tree if it is present, but still work without one for backward compatibility. However, if getting the clock returns -EPROBE_DEFER, then we need to abort and return that error from our driver initialization so that the probe can be retried later after the clock is set up. Move clock initialization to earlier in the process so we do not waste as much effort if the clock is not yet available. Switch to use devm_clk_get_optional and abort initialization on any error reported. Also enable the clock regardless of whether the controller is using an MDIO bus, as the clock is required in any case. Fixes: 09a0354cadec267be7f ("net: axienet: Use clock framework to get device clock rate") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 774bacf121c3810b4fba0331438e527fe1b2d3f9 Author: Eric Dumazet Date: Fri Feb 12 15:22:13 2021 -0800 tcp: fix SO_RCVLOWAT related hangs under mem pressure [ Upstream commit f969dc5a885736842c3511ecdea240fbb02d25d9 ] While commit 24adbc1676af ("tcp: fix SO_RCVLOWAT hangs with fat skbs") fixed an issue vs too small sk_rcvbuf for given sk_rcvlowat constraint, it missed to address issue caused by memory pressure. 1) If we are under memory pressure and socket receive queue is empty. First incoming packet is allowed to be queued, after commit 76dfa6082032 ("tcp: allow one skb to be received per socket under memory pressure") But we do not send EPOLLIN yet, in case tcp_data_ready() sees sk_rcvlowat is bigger than skb length. 2) Then, when next packet comes, it is dropped, and we directly call sk->sk_data_ready(). 3) If application is using poll(), tcp_poll() will then use tcp_stream_is_readable() and decide the socket receive queue is not yet filled, so nothing will happen. Even when sender retransmits packets, phases 2) & 3) repeat and flow is effectively frozen, until memory pressure is off. Fix is to consider tcp_under_memory_pressure() to take care of global memory pressure or memcg pressure. Fixes: 24adbc1676af ("tcp: fix SO_RCVLOWAT hangs with fat skbs") Signed-off-by: Eric Dumazet Reported-by: Arjun Roy Suggested-by: Wei Wang Reviewed-by: Wei Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 88f8f40c901c3c8b7739be3636a7368d1f74b441 Author: Jesper Dangaard Brouer Date: Tue Feb 9 14:38:14 2021 +0100 bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx [ Upstream commit 2c0a10af688c02adcf127aad29e923e0056c6b69 ] BPF end-user on Cilium slack-channel (Carlo Carraro) wants to use bpf_fib_lookup for doing MTU-check, but *prior* to extending packet size, by adjusting fib_params 'tot_len' with the packet length plus the expected encap size. (Just like the bpf_check_mtu helper supports). He discovered that for SKB ctx the param->tot_len was not used, instead skb->len was used (via MTU check in is_skb_forwardable() that checks against netdev MTU). Fix this by using fib_params 'tot_len' for MTU check. If not provided (e.g. zero) then keep existing TC behaviour intact. Notice that 'tot_len' for MTU check is done like XDP code-path, which checks against FIB-dst MTU. V16: - Revert V13 optimization, 2nd lookup is against egress/resulting netdev V13: - Only do ifindex lookup one time, calling dev_get_by_index_rcu(). V10: - Use same method as XDP for 'tot_len' MTU check Fixes: 4c79579b44b1 ("bpf: Change bpf_fib_lookup to return lookup status") Reported-by: Carlo Carraro Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/161287789444.790810.15247494756551413508.stgit@firesoul Signed-off-by: Sasha Levin commit 5af224ab94863378920d3cbbb88a39cc0739fb2d Author: Colin Ian King Date: Fri Feb 5 17:53:52 2021 +0000 mac80211: fix potential overflow when multiplying to u32 integers [ Upstream commit 6194f7e6473be78acdc5d03edd116944bdbb2c4e ] The multiplication of the u32 variables tx_time and estimated_retx is performed using a 32 bit multiplication and the result is stored in a u64 result. This has a potential u32 overflow issue, so avoid this by casting tx_time to a u64 to force a 64 bit multiply. Addresses-Coverity: ("Unintentional integer overflow") Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210205175352.208841-1-colin.king@canonical.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit fef6f594ea434231d45b5df0dd1d9a8b38f7a9eb Author: Juergen Gross Date: Thu Feb 11 11:16:12 2021 +0100 xen/netback: fix spurious event detection for common event case [ Upstream commit a3daf3d39132b405781be8d9ede0c449b244b64e ] In case of a common event for rx and tx queue the event should be regarded to be spurious if no rx and no tx requests are pending. Unfortunately the condition for testing that is wrong causing to decide a event being spurious if no rx OR no tx requests are pending. Fix that plus using local variables for rx/tx pending indicators in order to split function calls and if condition. Fixes: 23025393dbeb3b ("xen/netback: use lateeoi irq binding") Signed-off-by: Juergen Gross Reviewed-by: Jan Beulich Reviewed-by: Paul Durrant Reviewed-by: Wei Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5c54aaed078d283f33417ad67f8fd37b61b363b5 Author: Edwin Peer Date: Thu Feb 11 02:24:23 2021 -0500 bnxt_en: reverse order of TX disable and carrier off [ Upstream commit 132e0b65dc2b8bfa9721bfce834191f24fd1d7ed ] A TX queue can potentially immediately timeout after it is stopped and the last TX timestamp on that queue was more than 5 seconds ago with carrier still up. Prevent these intermittent false TX timeouts by bringing down carrier first before calling netif_tx_disable(). Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a1b692506569f32e21990fbf68c7f6a8fc1c14ab Author: Sukadev Bhattiprolu Date: Wed Feb 10 17:41:43 2021 -0800 ibmvnic: Set to CLOSED state even on error [ Upstream commit d4083d3c00f60a09ad82e3bf17ff57fec69c8aa6 ] If set_link_state() fails for any reason, we still cleanup the adapter state and cannot recover from a partial close anyway. So set the adapter to CLOSED state. That way if a new soft/hard reset is processed, the adapter will remain in the CLOSED state until the next ibmvnic_open(). Fixes: 01d9bd792d16 ("ibmvnic: Reorganize device close") Signed-off-by: Sukadev Bhattiprolu Reported-by: Abdul Haleem Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9de820ae6cc1611d4d4a588968c0aa14dc305042 Author: Linus Lüssing Date: Wed Feb 10 09:53:44 2021 +0200 ath9k: fix data bus crash when setting nf_override via debugfs [ Upstream commit 12c8f3d1cdd84f01ee777b756db9dddc1f1c9d17 ] When trying to set the noise floor via debugfs, a "data bus error" crash like the following can happen: [ 88.433133] Data bus error, epc == 80221c28, ra == 83314e60 [ 88.438895] Oops[#1]: [ 88.441246] CPU: 0 PID: 7263 Comm: sh Not tainted 4.14.195 #0 [ 88.447174] task: 838a1c20 task.stack: 82d5e000 [ 88.451847] $ 0 : 00000000 00000030 deadc0de 83141de4 [ 88.457248] $ 4 : b810a2c4 0000a2c4 83230fd4 00000000 [ 88.462652] $ 8 : 0000000a 00000000 00000001 00000000 [ 88.468055] $12 : 7f8ef318 00000000 00000000 77f802a0 [ 88.473457] $16 : 83230080 00000002 0000001b 83230080 [ 88.478861] $20 : 83a1c3f8 00841000 77f7adb0 ffffff92 [ 88.484263] $24 : 00000fa4 77edd860 [ 88.489665] $28 : 82d5e000 82d5fda8 00000000 83314e60 [ 88.495070] Hi : 00000000 [ 88.498044] Lo : 00000000 [ 88.501040] epc : 80221c28 ioread32+0x8/0x10 [ 88.505671] ra : 83314e60 ath9k_hw_loadnf+0x88/0x520 [ath9k_hw] [ 88.512049] Status: 1000fc03 KERNEL EXL IE [ 88.516369] Cause : 5080801c (ExcCode 07) [ 88.520508] PrId : 00019374 (MIPS 24Kc) [ 88.524556] Modules linked in: ath9k ath9k_common pppoe ppp_async l2tp_ppp cdc_mbim batman_adv ath9k_hw ath sr9700 smsc95xx sierra_net rndis_host qmi_wwan pppox ppp_generic pl2303 nf_conntrack_ipv6 mcs7830 mac80211 kalmia iptable_nat ipt_REJECT ipt_MASQUERADE huawei_cdc_ncm ftdi_sio dm9601 cfg80211 cdc_subset cdc_ncm cdc_ether cdc_eem ax88179_178a asix xt_time xt_tcpudp xt_tcpmss xt_statistic xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_length xt_hl xt_ecn xt_dscp xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_NETMAP xt_LOG xt_HL xt_FLOWOFFLOAD xt_DSCP xt_CLASSIFY usbserial usbnet usbhid slhc rtl8150 r8152 pegasus nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack [ 88.597894] libcrc32c kaweth iptable_mangle iptable_filter ipt_ECN ipheth ip_tables hso hid_generic crc_ccitt compat cdc_wdm cdc_acm br_netfilter hid evdev input_core nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 l2tp_netlink l2tp_core udp_tunnel ip6_udp_tunnel xfrm6_mode_tunnel xfrm6_mode_transport xfrm6_mode_beet ipcomp6 xfrm6_tunnel esp6 ah6 xfrm4_tunnel xfrm4_mode_tunnel xfrm4_mode_transport xfrm4_mode_beet ipcomp esp4 ah4 tunnel6 tunnel4 tun xfrm_user xfrm_ipcomp af_key xfrm_algo sha256_generic sha1_generic jitterentropy_rng drbg md5 hmac echainiv des_generic deflate zlib_inflate zlib_deflate cbc authenc crypto_acompress ehci_platform ehci_hcd gpio_button_hotplug usbcore nls_base usb_common crc16 mii aead crypto_null cryptomgr crc32c_generic [ 88.671671] crypto_hash [ 88.674292] Process sh (pid: 7263, threadinfo=82d5e000, task=838a1c20, tls=77f81efc) [ 88.682279] Stack : 00008060 00000008 00000200 00000000 00000000 00000000 00000000 00000002 [ 88.690916] 80500000 83230080 82d5fe22 00841000 77f7adb0 00000000 00000000 83156858 [ 88.699553] 00000000 8352fa00 83ad62b0 835302a8 00000000 300a00f8 00000003 82d5fe38 [ 88.708190] 82d5fef4 00000001 77f54dc4 77f80000 77f7adb0 c79fe901 00000000 00000000 [ 88.716828] 80510000 00000002 00841000 77f54dc4 77f80000 801ce4cc 0000000b 41824292 [ 88.725465] ... [ 88.727994] Call Trace: [ 88.730532] [<80221c28>] ioread32+0x8/0x10 [ 88.734765] Code: 00000000 8c820000 0000000f <03e00008> 00000000 08088708 00000000 aca40000 03e00008 [ 88.744846] [ 88.746464] ---[ end trace db226b2de1b69b9e ]--- [ 88.753477] Kernel panic - not syncing: Fatal exception [ 88.759981] Rebooting in 3 seconds.. The "REG_READ(ah, AR_PHY_AGC_CONTROL)" in ath9k_hw_loadnf() does not like being called when the hardware is asleep, leading to this crash. The easiest way to reproduce this is trying to set nf_override while the hardware is down: $ ip link set down dev wlan0 $ echo "-85" > /sys/kernel/debug/ieee80211/phy0/ath9k/nf_override Fixing this crash by waking the hardware up before trying to set the noise floor. Similar to what other ath9k debugfs files do. Tested on a Lima board from 8devices, which has a QCA 4531 chipset. Fixes: b90189759a7f ("ath9k: add noise floor override option") Cc: Simon Wunderlich Signed-off-by: Linus Lüssing Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210209184352.4272-1-linus.luessing@c0d3.blue Signed-off-by: Sasha Levin commit 4dcfd936030b1f2477fbdf136e02688b7fc1910e Author: Marco Elver Date: Tue Feb 9 12:27:01 2021 +0100 bpf_lru_list: Read double-checked variable once without lock [ Upstream commit 6df8fb83301d68ea0a0c0e1cbcc790fcc333ed12 ] For double-checked locking in bpf_common_lru_push_free(), node->type is read outside the critical section and then re-checked under the lock. However, concurrent writes to node->type result in data races. For example, the following concurrent access was observed by KCSAN: write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1: __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91 __local_list_flush kernel/bpf/bpf_lru_list.c:298 ... read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0: bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507 bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555 ... Fix the data races where node->type is read outside the critical section (for double-checked locking) by marking the access with READ_ONCE() as well as ensuring the variable is only accessed once. Fixes: 3a08c2fd7634 ("bpf: LRU List") Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com Signed-off-by: Marco Elver Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20210209112701.3341724-1-elver@google.com Signed-off-by: Sasha Levin commit bcda70ed686feb78f640c94d079c651244a16643 Author: Jae Hyun Yoo Date: Tue Dec 8 17:17:47 2020 +0800 soc: aspeed: snoop: Add clock control logic [ Upstream commit 3f94cf15583be554df7aaa651b8ff8e1b68fbe51 ] If LPC SNOOP driver is registered ahead of lpc-ctrl module, LPC SNOOP block will be enabled without heart beating of LCLK until lpc-ctrl enables the LCLK. This issue causes improper handling on host interrupts when the host sends interrupt in that time frame. Then kernel eventually forcibly disables the interrupt with dumping stack and printing a 'nobody cared this irq' message out. To prevent this issue, all LPC sub-nodes should enable LCLK individually so this patch adds clock control logic into the LPC SNOOP driver. Fixes: 3772e5da4454 ("drivers/misc: Aspeed LPC snoop output using misc chardev") Signed-off-by: Jae Hyun Yoo Signed-off-by: Vernon Mauery Signed-off-by: John Wang Reviewed-by: Joel Stanley Link: https://lore.kernel.org/r/20201208091748.1920-1-wangzhiqiang.bj@bytedance.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 5350b91a73d7f18fa6c9f8051bd00f6fa170c3a0 Author: Arnd Bergmann Date: Thu Feb 4 17:23:42 2021 +0100 ARM: s3c: fix fiq for clang IAS [ Upstream commit 7f9942c61fa60eda7cc8e42f04bd25b7d175876e ] Building with the clang integrated assembler produces a couple of errors for the s3c24xx fiq support: arch/arm/mach-s3c/irq-s3c24xx-fiq.S:52:2: error: instruction 'subne' can not set flags, but 's' suffix specified subnes pc, lr, #4 @@ return, still have work to do arch/arm/mach-s3c/irq-s3c24xx-fiq.S:64:1: error: invalid symbol redefinition s3c24xx_spi_fiq_txrx: There are apparently two problems: one with extraneous or duplicate labels, and one with old-style opcode mnemonics. Stefan Agner has previously fixed other problems like this, but missed this particular file. Fixes: bec0806cfec6 ("spi_s3c24xx: add FIQ pseudo-DMA support") Cc: Stefan Agner Signed-off-by: Arnd Bergmann Reviewed-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20210204162416.3030114-1-arnd@kernel.org Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit b9634e38ac61067b84ff42f333e26bdb3ef025d5 Author: Vincent Knecht Date: Sat Jan 23 11:44:16 2021 +0100 arm64: dts: msm8916: Fix reserved and rfsa nodes unit address [ Upstream commit d5ae2528b0b56cf054b27d48b0cb85330900082f ] Fix `reserved` and `rfsa` unit address according to their reg address Fixes: 7258e10e6a0b ("ARM: dts: msm8916: Update reserved-memory") Signed-off-by: Vincent Knecht Link: https://lore.kernel.org/r/20210123104417.518105-1-vincent.knecht@mailoo.org Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 65f9fdb425bc47b5608b8039cb1ccb4f5d276c67 Author: Jupeng Zhong Date: Tue Feb 2 09:39:13 2021 +0800 Bluetooth: btusb: Fix memory leak in btusb_mtk_wmt_recv [ Upstream commit de71a6cb4bf24d8993b9ca90d1ddb131b60251a1 ] In btusb_mtk_wmt_recv if skb_clone fails, the alocated skb should be released. Omit the labels “err_out” and “err_free_skb” in this function implementation so that the desired exception handling code would be directly specified in the affected if branches. Fixes: a1c49c434e15 ("btusb: Add protocol support for MediaTek MT7668U USB devices") Signed-off-by: Jupeng Zhong Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 80ace34028854d05c4e30947a2f0abd7b4410367 Author: Marek Behún Date: Mon Jan 11 03:12:43 2021 +0100 arm64: dts: armada-3720-turris-mox: rename u-boot mtd partition to a53-firmware [ Upstream commit a9d9bfcadfb43b856dbcf9419de75f7420d5a225 ] The partition called "u-boot" in reality contains TF-A and U-Boot, and TF-A is before U-Boot. Rename this parition to "a53-firmware" to avoid confusion for users, since they cannot simply build U-Boot from U-Boot repository and flash the resulting image there. Instead they have to build the firmware with the sources from the mox-boot-builder repository [1] and flash the a53-firmware.bin binary there. [1] https://gitlab.nic.cz/turris/mox-boot-builder Signed-off-by: Marek Behún Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") Cc: Gregory CLEMENT Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 18ab54cfda051bbb47e5d69caab0adc6c5675c6b Author: Rosen Penev Date: Wed Dec 2 18:23:21 2020 -0800 ARM: dts: armada388-helios4: assign pinctrl to each fan [ Upstream commit 46ecdfc1830eaa40a11d7f832089c82b0e67ea96 ] Split up the pins for each fan. This is needed in order to control them Fixes: ced8025b569e ("ARM: dts: armada388-helios4") Signed-off-by: Rosen Penev Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 3d3098c2ddada2015edc1458fa49c10b39ba9020 Author: Rosen Penev Date: Wed Dec 2 18:23:20 2020 -0800 ARM: dts: armada388-helios4: assign pinctrl to LEDs [ Upstream commit e011c9025a4691b5c734029577a920bd6c320994 ] Split up the pins to match earlier definitions. Allows LEDs to flash properly. Fixes: ced8025b569e ("ARM: dts: armada388-helios4") Signed-off-by: Rosen Penev Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 6b86cbc97589e9d94e5af8030e1e30dc515d714a Author: Chen-Yu Tsai Date: Fri Jan 8 22:14:01 2021 +0800 staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules [ Upstream commit 61834c967a929f6b4b7fcb91f43fa225cc29aa19 ] The custom regulatory ruleset in the rtl8723bs driver lists an incorrect number of rules: one too many. This results in an out-of-bounds access, as detected by KASAN. This was possible thanks to the newly added support for KASAN on ARMv7. Fix this by filling in the correct number of rules given. KASAN report: ================================================================== BUG: KASAN: global-out-of-bounds in cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211] Read of size 4 at addr bf20c254 by task ip/971 CPU: 2 PID: 971 Comm: ip Tainted: G C 5.11.0-rc2-00020-gf7fe528a7ebe #1 Hardware name: Allwinner sun8i Family [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (dump_stack+0x9c/0xb4) [] (dump_stack) from [] (print_address_description.constprop.2+0x1dc/0x2dc) [] (print_address_description.constprop.2) from [] (kasan_report+0x1a8/0x1c4) [] (kasan_report) from [] (cfg80211_does_bw_fit_range+0x14/0x4c [cfg80211]) [] (cfg80211_does_bw_fit_range [cfg80211]) from [] (freq_reg_info_regd.part.6+0x108/0x124 [> [] (freq_reg_info_regd.part.6 [cfg80211]) from [] (handle_channel_custom.constprop.12+0x48/> [] (handle_channel_custom.constprop.12 [cfg80211]) from [] (wiphy_apply_custom_regulatory+0> [] (wiphy_apply_custom_regulatory [cfg80211]) from [] (rtw_regd_init+0x60/0x70 [r8723bs]) [] (rtw_regd_init [r8723bs]) from [] (rtw_cfg80211_init_wiphy+0x164/0x1e8 [r8723bs]) [] (rtw_cfg80211_init_wiphy [r8723bs]) from [] (_netdev_open+0xe4/0x28c [r8723bs]) [] (_netdev_open [r8723bs]) from [] (netdev_open+0x60/0x88 [r8723bs]) [] (netdev_open [r8723bs]) from [] (__dev_open+0x178/0x220) [] (__dev_open) from [] (__dev_change_flags+0x258/0x2c4) [] (__dev_change_flags) from [] (dev_change_flags+0x40/0x80) [] (dev_change_flags) from [] (do_setlink+0x538/0x1160) [] (do_setlink) from [] (__rtnl_newlink+0x65c/0xad8) [] (__rtnl_newlink) from [] (rtnl_newlink+0x4c/0x6c) [] (rtnl_newlink) from [] (rtnetlink_rcv_msg+0x1f8/0x454) [] (rtnetlink_rcv_msg) from [] (netlink_rcv_skb+0xc4/0x1e0) [] (netlink_rcv_skb) from [] (netlink_unicast+0x2c8/0x3c4) [] (netlink_unicast) from [] (netlink_sendmsg+0x320/0x5f0) [] (netlink_sendmsg) from [] (____sys_sendmsg+0x320/0x3e0) [] (____sys_sendmsg) from [] (___sys_sendmsg+0xe8/0x12c) [] (___sys_sendmsg) from [] (__sys_sendmsg+0xc0/0x120) [] (__sys_sendmsg) from [] (ret_fast_syscall+0x0/0x58) Exception stack(0xc5693fa8 to 0xc5693ff0) 3fa0: 00000074 c7a39800 00000003 b6cee648 00000000 00000000 3fc0: 00000074 c7a39800 00000001 00000128 78d18349 00000000 b6ceeda0 004f7cb0 3fe0: 00000128 b6cee5e8 aeca151f aec1d746 The buggy address belongs to the variable: rtw_drv_halt+0xf908/0x6b4 [r8723bs] Memory state around the buggy address: bf20c100: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 bf20c180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >bf20c200: 00 00 00 00 00 00 00 00 00 00 04 f9 f9 f9 f9 f9 ^ bf20c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bf20c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Fixes: 554c0a3abf21 ("staging: Add rtl8723bs sdio wifi driver") Signed-off-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20210108141401.31741-1-wens@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c75f541e12f8ab4cb9a420e7b24660a2dc95fa30 Author: Guenter Roeck Date: Wed Jan 13 12:20:51 2021 +0100 usb: dwc2: Make "trimming xfer length" a debug message [ Upstream commit 1a9e38cabd80356ffb98c2c88fec528ea9644fd5 ] With some USB network adapters, such as DM96xx, the following message is seen for each maximum size receive packet. dwc2 ff540000.usb: dwc2_update_urb_state(): trimming xfer length This happens because the packet size requested by the driver is 1522 bytes, wMaxPacketSize is 64, the dwc2 driver configures the chip to receive 24*64 = 1536 bytes, and the chip does indeed send more than 1522 bytes of data. Since the event does not indicate an error condition, the message is just noise. Demote it to debug level. Fixes: 7359d482eb4d3 ("staging: HCD files for the DWC2 driver") Tested-by: Nicolas Saenz Julienne Reviewed-by: Douglas Anderson Signed-off-by: Guenter Roeck Signed-off-by: Nicolas Saenz Julienne Link: https://lore.kernel.org/r/20210113112052.17063-4-nsaenzjulienne@suse.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6e89da2174f70240f0814e9eab714bf8d99d4e8c Author: Guenter Roeck Date: Wed Jan 13 12:20:50 2021 +0100 usb: dwc2: Abort transaction after errors with unknown reason [ Upstream commit f74b68c61cbc4b2245022fcce038509333d63f6f ] In some situations, the following error messages are reported. dwc2 ff540000.usb: dwc2_hc_chhltd_intr_dma: Channel 1 - ChHltd set, but reason is unknown dwc2 ff540000.usb: hcint 0x00000002, intsts 0x04000021 This is sometimes followed by: dwc2 ff540000.usb: dwc2_update_urb_state_abn(): trimming xfer length and then: WARNING: CPU: 0 PID: 0 at kernel/v4.19/drivers/usb/dwc2/hcd.c:2913 dwc2_assign_and_init_hc+0x98c/0x990 The warning suggests that an odd buffer address is to be used for DMA. After an error is observed, the receive buffer may be full (urb->actual_length >= urb->length). However, the urb is still left in the queue unless three errors were observed in a row. When it is queued again, the dwc2 hcd code translates this into a 1-block transfer. If urb->actual_length (ie the total expected receive length) is not DMA-aligned, the buffer pointer programmed into the chip will be unaligned. This results in the observed warning. To solve the problem, abort input transactions after an error with unknown cause if the entire packet was already received. This may be a bit drastic, but we don't really know why the transfer was aborted even though the entire packet was received. Aborting the transfer in this situation is less risky than accepting a potentially corrupted packet. With this patch in place, the 'ChHltd set' and 'trimming xfer length' messages are still observed, but there are no more transfer attempts with odd buffer addresses. Fixes: 151d0cbdbe860 ("usb: dwc2: make the scheduler handle excessive NAKs better") Cc: Boris ARZUR Cc: Douglas Anderson Tested-by: Nicolas Saenz Julienne Reviewed-by: Douglas Anderson Signed-off-by: Guenter Roeck Signed-off-by: Nicolas Saenz Julienne Link: https://lore.kernel.org/r/20210113112052.17063-3-nsaenzjulienne@suse.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c192b2cc4d394df4105461f96a6bdf87811a145e Author: Guenter Roeck Date: Wed Jan 13 12:20:49 2021 +0100 usb: dwc2: Do not update data length if it is 0 on inbound transfers [ Upstream commit 415fa1c7305dedbb345e2cc8ac91769bc1c83f1a ] The DWC2 documentation states that transfers with zero data length should set the number of packets to 1 and the transfer length to 0. This is not currently the case for inbound transfers: the transfer length is set to the maximum packet length. This can have adverse effects if the chip actually does transfer data as it is programmed to do. Follow chip documentation and keep the transfer length set to 0 in that situation. Fixes: 56f5b1cff22a1 ("staging: Core files for the DWC2 driver") Tested-by: Nicolas Saenz Julienne Reviewed-by: Douglas Anderson Signed-off-by: Guenter Roeck Signed-off-by: Nicolas Saenz Julienne Link: https://lore.kernel.org/r/20210113112052.17063-2-nsaenzjulienne@suse.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c7722f66478826e97762566a416322541b5ddaf1 Author: Tony Lindgren Date: Wed Dec 30 10:42:30 2020 +0200 ARM: dts: Configure missing thermal interrupt for 4430 [ Upstream commit 44f416879a442600b006ef7dec3a6dc98bcf59c6 ] We have gpio_86 wired internally to the bandgap thermal shutdown interrupt on 4430 like we have it on 4460 according to the TRM. This can be found easily by searching for TSHUT. For some reason the thermal shutdown interrupt was never added for 4430, let's add it. I believe this is needed for the thermal shutdown interrupt handler ti_bandgap_tshut_irq_handler() to call orderly_poweroff(). Fixes: aa9bb4bb8878 ("arm: dts: add omap4430 thermal data") Cc: Carl Philipp Klemm Cc: Daniel Lezcano Cc: Eduardo Valentin Cc: Merlijn Wajer Cc: Pavel Machek Cc: Peter Ujfalusi Cc: Sebastian Reichel Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 75921ff8bdc492bc19be3f8a32f790aea07b7f05 Author: Pan Bian Date: Thu Jan 21 01:03:59 2021 -0800 memory: ti-aemif: Drop child node when jumping out loop [ Upstream commit 94e9dd43cf327366388c8f146bccdc6322c0d999 ] Call of_node_put() to decrement the reference count of the child node child_np when jumping out of the loop body of for_each_available_child_of_node(), which is a macro that increments and decrements the reference count of child node. If the loop is broken, the reference of the child node should be dropped manually. Fixes: 5a7c81547c1d ("memory: ti-aemif: introduce AEMIF driver") Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/20210121090359.61763-1-bianpan2016@163.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 725cb22009f7fe317be13df194b5badaab07b645 Author: Pan Bian Date: Thu Jan 21 00:10:45 2021 -0800 Bluetooth: Put HCI device if inquiry procedure interrupts [ Upstream commit 28a758c861ff290e39d4f1ee0aa5df0f0b9a45ee ] Jump to the label done to decrement the reference count of HCI device hdev on path that the Inquiry procedure is interrupted. Fixes: 3e13fa1e1fab ("Bluetooth: Fix hci_inquiry ioctl usage") Signed-off-by: Pan Bian Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 9f2816a99ace41d5a69767e778ee84b47ea6c4a5 Author: Pan Bian Date: Wed Jan 20 23:34:19 2021 -0800 Bluetooth: drop HCI device reference before return [ Upstream commit 5a3ef03afe7e12982dc3b978f4c5077c907f7501 ] Call hci_dev_put() to decrement reference count of HCI device hdev if fails to duplicate memory. Fixes: 0b26ab9dce74 ("Bluetooth: AMP: Handle Accept phylink command status evt") Signed-off-by: Pan Bian Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit a5542b45c729a58b94b4ae875a2379443639616c Author: Jack Pham Date: Mon Jan 18 09:46:39 2021 +0100 usb: gadget: u_audio: Free requests only after callback [ Upstream commit 7de8681be2cde9f6953d3be1fa6ce05f9fe6e637 ] As per the kernel doc for usb_ep_dequeue(), it states that "this routine is asynchronous, that is, it may return before the completion routine runs". And indeed since v5.0 the dwc3 gadget driver updated its behavior to place dequeued requests on to a cancelled list to be given back later after the endpoint is stopped. The free_ep() was incorrectly assuming that a request was ready to be freed after calling dequeue which results in a use-after-free in dwc3 when it traverses its cancelled list. Fix this by moving the usb_ep_free_request() call to the callback itself in case the ep is disabled. Fixes: eb9fecb9e69b0 ("usb: gadget: f_uac2: split out audio core") Reported-and-tested-by: Ferry Toth Reviewed-and-tested-by: Peter Chen Acked-by: Felipe Balbi Signed-off-by: Jack Pham Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20210118084642.322510-2-jbrunet@baylibre.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a17fa903921804d4e8f0ff83c9cd342b49880ef1 Author: Maximilian Luz Date: Fri Jan 15 10:48:18 2021 -0800 ACPICA: Fix exception code class checks [ Upstream commit 3dfaea3811f8b6a89a347e8da9ab862cdf3e30fe ] ACPICA commit 1a3a549286ea9db07d7ec700e7a70dd8bcc4354e The macros to classify different AML exception codes are broken. For instance, ACPI_ENV_EXCEPTION(Status) will always evaluate to zero due to #define AE_CODE_ENVIRONMENTAL 0x0000 #define ACPI_ENV_EXCEPTION(Status) (Status & AE_CODE_ENVIRONMENTAL) Similarly, ACPI_AML_EXCEPTION(Status) will evaluate to a non-zero value for error codes of type AE_CODE_PROGRAMMER, AE_CODE_ACPI_TABLES, as well as AE_CODE_AML, and not just AE_CODE_AML as the name suggests. This commit fixes those checks. Fixes: d46b6537f0ce ("ACPICA: AML Parser: ignore all exceptions resulting from incorrect AML during table load") Link: https://github.com/acpica/acpica/commit/1a3a5492 Signed-off-by: Maximilian Luz Signed-off-by: Bob Moore Signed-off-by: Erik Kaneda Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fb6aa67ab1da201a46061843284be4466ab9141a Author: Christophe JAILLET Date: Sun Jan 17 15:26:44 2021 +0100 cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() [ Upstream commit 3657f729b6fb5f2c0bf693742de2dcd49c572aa1 ] If 'cpufreq_unregister_driver()' fails, just WARN and continue, so that other resources are freed. Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs") Signed-off-by: Christophe JAILLET [ Viresh: Updated Subject ] Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 279bc604e2e913653396cebbd4fb4a3ff632257d Author: Christophe JAILLET Date: Sun Jan 17 15:26:35 2021 +0100 cpufreq: brcmstb-avs-cpufreq: Free resources in error path [ Upstream commit 05f456286fd489558c72a4711d22a5612c965685 ] If 'cpufreq_register_driver()' fails, we must release the resources allocated in 'brcm_avs_prepare_init()' as already done in the remove function. To do that, introduce a new function 'brcm_avs_prepare_uninit()' in order to avoid code duplication. This also makes the code more readable (IMHO). Fixes: de322e085995 ("cpufreq: brcmstb-avs-cpufreq: AVS CPUfreq driver for Broadcom STB SoCs") Signed-off-by: Christophe JAILLET [ Viresh: Updated Subject ] Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 24932862d9ee7b1b73780cd249b8428dafc2daed Author: Andre Przywara Date: Wed Jan 13 15:26:28 2021 +0000 arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz [ Upstream commit 948c657cc45e8ce48cb533d4e2106145fa765759 ] In contrast to the H6 (and later) manuals, the A64 datasheet does not specify any limitations in the maximum possible frequency for eMMC controllers. However experimentation has found that a 150 MHz limit similar to other SoCs and also the MMC0 and MMC1 controllers on the A64 seems to exist for the MMC2 controller. Limit the frequency for the MMC2 controller to 150 MHz in the SoC .dtsi. The Pinebook seems to be the an odd exception, since it apparently seems to work with 200 MHz as well, so overwrite this in its board .dts file. Tested on a Pine64-LTS: 200 MHz HS-200 fails, 150 MHz HS-200 works. Fixes: 22be992faea7 ("arm64: allwinner: a64: Increase the MMC max frequency") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210113152630.28810-7-andre.przywara@arm.com Signed-off-by: Sasha Levin commit f85f6c5572ff9526f26e6da4926f11b31ee7b4bd Author: Andre Przywara Date: Wed Jan 13 15:26:27 2021 +0000 arm64: dts: allwinner: H6: Allow up to 150 MHz MMC bus frequency [ Upstream commit cfe6c487b9a1abc6197714ec5605716a5428cf03 ] The H6 manual explicitly lists a frequency limit of 150 MHz for the bus frequency of the MMC controllers. So far we had no explicit limits in the DT, which limited eMMC to the spec defined frequencies, or whatever the driver defines (both Linux and FreeBSD use 52 MHz here). Put those maximum frequencies in the SoC .dtsi, to allow higher speed modes (which still would need to be explicitly enabled, per board). Tested with an eMMC using HS-200 on a Pine H64. Running at the spec'ed 200 MHz indeed fails with I/O errors, but 150 MHz seems to work stably. Fixes: 8f54bd1595b3 ("arm64: allwinner: h6: add device tree nodes for MMC controllers") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210113152630.28810-6-andre.przywara@arm.com Signed-off-by: Sasha Levin commit 06010cf028cec0b43a6649058a86fd97237b86e0 Author: Andre Przywara Date: Wed Jan 13 15:26:26 2021 +0000 arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card [ Upstream commit 941432d007689f3774646e41a1439228b6c6ee0e ] The SD card on the SoPine SoM module is somewhat concealed, so was originally defined as "non-removable". However there is a working card-detect pin (tested on two different SoM versions), and in certain SoM base boards it might be actually accessible at runtime. Also the Pine64-LTS shares the SoPine base .dtsi, so inherited the non-removable flag, even though the SD card slot is perfectly accessible and usable there. (It turns out that just *my* board has a broken card detect switch, so I originally thought CD wouldn't work on the LTS.) Drop the "non-removable" flag to describe the SD card slot properly. Fixes: c3904a269891 ("arm64: allwinner: a64: add DTSI file for SoPine SoM") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210113152630.28810-5-andre.przywara@arm.com Signed-off-by: Sasha Levin commit 288764e9ac2feffe8aa82832eba5b33227c3baf2 Author: Andre Przywara Date: Wed Jan 13 15:26:24 2021 +0000 arm64: dts: allwinner: H6: properly connect USB PHY to port 0 [ Upstream commit da2fb8457f71138d455cba82edec0d34f858e506 ] In recent Allwinner SoCs the first USB host controller (HCI0) shares the first PHY with the MUSB controller. Probably to make this sharing work, we were avoiding to declare this in the DT. This has two shortcomings: - U-Boot (which uses the same .dts) cannot use this port in host mode without a PHY linked, so we were loosing one USB port there. - It requires the MUSB driver to be enabled and loaded, although we don't actually use it. To avoid those issues, let's add this PHY link to the H6 .dtsi file. After all PHY port 0 *is* connected to HCI0, so we should describe it as this. This makes it work in U-Boot, also improves compatiblity when no MUSB driver is loaded (for instance in distribution installers). Fixes: eabb3d424b6d ("arm64: dts: allwinner: h6: add USB2-related device nodes") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210113152630.28810-3-andre.przywara@arm.com Signed-off-by: Sasha Levin commit c4be5762aab90d4425d80f5813f10b97825f69c6 Author: Andre Przywara Date: Wed Jan 13 15:26:23 2021 +0000 arm64: dts: allwinner: A64: properly connect USB PHY to port 0 [ Upstream commit cc72570747e43335f4933a24dd74d5653639176a ] In recent Allwinner SoCs the first USB host controller (HCI0) shares the first PHY with the MUSB controller. Probably to make this sharing work, we were avoiding to declare this in the DT. This has two shortcomings: - U-Boot (which uses the same .dts) cannot use this port in host mode without a PHY linked, so we were loosing one USB port there. - It requires the MUSB driver to be enabled and loaded, although we don't actually use it. To avoid those issues, let's add this PHY link to the A64 .dtsi file. After all PHY port 0 *is* connected to HCI0, so we should describe it as this. Remove the part from the Pinebook DTS which already had this property. This makes it work in U-Boot, also improves compatiblity when no MUSB driver is loaded (for instance in distribution installers). Fixes: dc03a047df1d ("arm64: allwinner: a64: add EHCI0/OHCI0 nodes to A64 DTSI") Signed-off-by: Andre Przywara Acked-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210113152630.28810-2-andre.przywara@arm.com Signed-off-by: Sasha Levin commit c616257c9db49ebda9d31365f6e98848d6bf17a9 Author: Andrii Nakryiko Date: Mon Jan 11 23:55:15 2021 -0800 bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args [ Upstream commit 6943c2b05bf09fd5c5729f7d7d803bf3f126cb9a ] BPF interpreter uses extra input argument, so re-casts __bpf_call_base into __bpf_call_base_args. Avoid compiler warning about incompatible function prototypes by casting to void * first. Fixes: 1ea47e01ad6e ("bpf: add support for bpf_call to interpreter") Reported-by: kernel test robot Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20210112075520.4103414-3-andrii@kernel.org Signed-off-by: Sasha Levin commit fa3fc79c78341a40ccf79355d43e2df57336f99a Author: Andrii Nakryiko Date: Mon Jan 11 23:55:14 2021 -0800 bpf: Add bpf_patch_call_args prototype to include/linux/bpf.h [ Upstream commit a643bff752dcf72a07e1b2ab2f8587e4f51118be ] Add bpf_patch_call_args() prototype. This function is called from BPF verifier and only if CONFIG_BPF_JIT_ALWAYS_ON is not defined. This fixes compiler warning about missing prototype in some kernel configurations. Fixes: 1ea47e01ad6e ("bpf: add support for bpf_call to interpreter") Reported-by: kernel test robot Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20210112075520.4103414-2-andrii@kernel.org Signed-off-by: Sasha Levin commit ab9de93d12c98044ba5d8a6f7c0be6b0017e08f7 Author: Zhang Qilong Date: Mon Nov 23 18:21:18 2020 +0800 memory: mtk-smi: Fix PM usage counter unbalance in mtk_smi ops [ Upstream commit a2d522ff0f5cc26915c4ccee9457fd4b4e1edc48 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 4f0a1a1ae3519 ("memory: mtk-smi: Invoke pm runtime_callback to enable clocks") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201123102118.3866195-1-zhangqilong3@huawei.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 9ab4364ecd9908eda133e0df6a74c4083db59351 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:29:02 2020 +0100 arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso [ Upstream commit 1fea2eb2f5bbd3fbbe2513d2386b5f6e6db17fd7 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: 9589f7721e16 ("arm64: dts: Add S2MPS15 PMIC node on exynos7-espresso") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201210212903.216728-8-krzk@kernel.org Signed-off-by: Sasha Levin commit 0fb966b5d10bbead16c617701889fa80c268a611 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:29:01 2020 +0100 arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 [ Upstream commit e98e2367dfb4b6d7a80c8ce795c644124eff5f36 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: 01e5d2352152 ("arm64: dts: exynos: Add dts file for Exynos5433-based TM2 board") Signed-off-by: Krzysztof Kozlowski Tested-by: Marek Szyprowski Link: https://lore.kernel.org/r/20201210212903.216728-7-krzk@kernel.org Signed-off-by: Sasha Levin commit f0f9e9152375409aaa1a61485b23d43b4b7bd5f2 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:29:00 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family [ Upstream commit 3e7d9a583a24f7582c6bc29a0d4d624feedbc2f9 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. The falling edge interrupt will mostly work but it's not correct. Fixes: aac4e0615341 ("ARM: dts: odroidxu3: Enable wake alarm of S2MPS11 RTC") Signed-off-by: Krzysztof Kozlowski Tested-by: Marek Szyprowski Link: https://lore.kernel.org/r/20201210212903.216728-6-krzk@kernel.org Signed-off-by: Sasha Levin commit d32a94371fc1a387a6e9e019d68435d705d32348 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:28:59 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa [ Upstream commit 1ac8893c4fa3d4a34915dc5cdab568a39db5086c ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. The falling edge interrupt will mostly work but it's not correct. Fixes: 1fed2252713e ("ARM: dts: fix pinctrl for s2mps11-irq on exynos5420-arndale-octa") Signed-off-by: Krzysztof Kozlowski Tested-by: Marek Szyprowski Link: https://lore.kernel.org/r/20201210212903.216728-5-krzk@kernel.org Signed-off-by: Sasha Levin commit da40c06e41b59defc933caf6959d631af49eef8f Author: Krzysztof Kozlowski Date: Thu Dec 10 22:28:58 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Spring [ Upstream commit 77e6a5467cb8657cf8b5e610a30a4c502085e4f9 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: 53dd4138bb0a ("ARM: dts: Add exynos5250-spring device tree") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201210212903.216728-4-krzk@kernel.org Signed-off-by: Sasha Levin commit e23124590415280f656d5a88d9c42515e2a5bb93 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:28:57 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato [ Upstream commit 437ae60947716bb479e2f32466f49445c0509b1e ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: faaf348ef468 ("ARM: dts: Add board dts file for exynos3250-rinato") Signed-off-by: Krzysztof Kozlowski Tested-by: Marek Szyprowski Link: https://lore.kernel.org/r/20201210212903.216728-3-krzk@kernel.org Signed-off-by: Sasha Levin commit 4a0e0208bbb533499558bd0e1e41dc84d3885555 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:28:56 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Monk [ Upstream commit 8528cda2b7c667e9cd173aef1a677c71b7d5a096 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: e0cefb3f79d3 ("ARM: dts: add board dts file for Exynos3250-based Monk board") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201210212903.216728-2-krzk@kernel.org Signed-off-by: Sasha Levin commit 6d4c9e525833d58d730caad5679b6432f83519e8 Author: Krzysztof Kozlowski Date: Thu Dec 10 22:28:55 2020 +0100 ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 [ Upstream commit cb31334687db31c691901269d65074a7ffaecb18 ] The Samsung PMIC datasheets describe the interrupt line as active low with a requirement of acknowledge from the CPU. Without specifying the interrupt type in Devicetree, kernel might apply some fixed configuration, not necessarily working for this hardware. Fixes: b004a34bd0ff ("ARM: dts: exynos: Add exynos3250-artik5 dtsi file for ARTIK5 module") Signed-off-by: Krzysztof Kozlowski Tested-by: Marek Szyprowski Link: https://lore.kernel.org/r/20201210212903.216728-1-krzk@kernel.org Signed-off-by: Sasha Levin commit 36c39c445265c42632e6a4797dd371dcefcf0d08 Author: Christopher William Snowhill Date: Sat Dec 26 19:12:32 2020 -0800 Bluetooth: Fix initializing response id after clearing struct [ Upstream commit a5687c644015a097304a2e47476c0ecab2065734 ] Looks like this was missed when patching the source to clear the structures throughout, causing this one instance to clear the struct after the response id is assigned. Fixes: eddb7732119d ("Bluetooth: A2MP: Fix not initializing all members") Signed-off-by: Christopher William Snowhill Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 04792d477215852a59f8f1c5515cf6ef9ca03076 Author: Claire Chang Date: Mon Dec 14 15:29:21 2020 +0800 Bluetooth: hci_uart: Fix a race for write_work scheduling [ Upstream commit afe0b1c86458f121b085271e4f3034017a90d4a3 ] In hci_uart_write_work, there is a loop/goto checking the value of HCI_UART_TX_WAKEUP. If HCI_UART_TX_WAKEUP is set again, it keeps trying hci_uart_dequeue; otherwise, it clears HCI_UART_SENDING and returns. In hci_uart_tx_wakeup, if HCI_UART_SENDING is already set, it sets HCI_UART_TX_WAKEUP, skips schedule_work and assumes the running/pending hci_uart_write_work worker will do hci_uart_dequeue properly. However, if the HCI_UART_SENDING check in hci_uart_tx_wakeup is done after the loop breaks, but before HCI_UART_SENDING is cleared in hci_uart_write_work, the schedule_work is skipped incorrectly. Fix this race by changing the order of HCI_UART_SENDING and HCI_UART_TX_WAKEUP modification. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Fixes: 82f5169bf3d3 ("Bluetooth: hci_uart: add serdev driver support library") Signed-off-by: Claire Chang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit b624bc27cf82d8b717c7f5e8cea7d8c5a94a8ab3 Author: Christophe JAILLET Date: Sat Dec 12 10:46:58 2020 +0100 Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function [ Upstream commit 9a39a927be01d89e53f04304ab99a8761e08910d ] Some resource should be released in the error handling path of the probe function, as already done in the remove function. The remove function was fixed in commit 5052de8deff5 ("soc: qcom: smd: Transition client drivers from smd to rpmsg") Fixes: 1511cc750c3d ("Bluetooth: Introduce Qualcomm WCNSS SMD based HCI driver") Signed-off-by: Christophe JAILLET Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit a48bb93f6fbe872325686d4f16045557a501744e Author: Rakesh Pillai Date: Sat Dec 12 00:30:10 2020 +0530 ath10k: Fix error handling in case of CE pipe init failure [ Upstream commit 31561e8557cd1eeba5806ac9ce820f8323b2201b ] Currently if the copy engine pipe init fails for snoc based chipsets, the rri is not freed. Fix this error handling for copy engine pipe init failure. Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1 Fixes: 4945af5b264f ("ath10k: enable SRRI/DRRI support on ddr for WCN3990") Signed-off-by: Rakesh Pillai Reviewed-by: Brian Norris Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1607713210-18320-1-git-send-email-pillair@codeaurora.org Signed-off-by: Sasha Levin commit 3a954b0d909ca5a7a3c02db1e1125277a4dfbc84 Author: Eric Biggers Date: Tue Jan 12 11:28:18 2021 -0800 random: fix the RNDRESEEDCRNG ioctl commit 11a0b5e0ec8c13bef06f7414f9e914506140d5cb upstream. The RNDRESEEDCRNG ioctl reseeds the primary_crng from itself, which doesn't make sense. Reseed it from the input_pool instead. Fixes: d848e5f8e1eb ("random: add new ioctl RNDRESEEDCRNG") Cc: stable@vger.kernel.org Cc: linux-crypto@vger.kernel.org Cc: Andy Lutomirski Cc: Jann Horn Cc: Theodore Ts'o Reviewed-by: Jann Horn Acked-by: Ard Biesheuvel Signed-off-by: Eric Biggers Link: https://lore.kernel.org/r/20210112192818.69921-1-ebiggers@kernel.org Signed-off-by: Greg Kroah-Hartman commit 1be2b1d23529631427fa3e66d77c9719b60c9faa Author: Alexander Lobakin Date: Sun Jan 10 11:56:08 2021 +0000 MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section commit 8ac7c87acdcac156670f9920c8acbd84308ff4b1 upstream. MIPS uses its own declaration of rwdata, and thus it should be kept in sync with the asm-generic one. Currently PAGE_ALIGNED_DATA() is missing from the linker script, which emits the following ld warnings: mips-alpine-linux-musl-ld: warning: orphan section `.data..page_aligned' from `arch/mips/kernel/vdso.o' being placed in section `.data..page_aligned' mips-alpine-linux-musl-ld: warning: orphan section `.data..page_aligned' from `arch/mips/vdso/vdso-image.o' being placed in section `.data..page_aligned' Add the necessary declaration, so the mentioned structures will be placed in vmlinux as intended: ffffffff80630580 D __end_once ffffffff80630580 D __start___dyndbg ffffffff80630580 D __start_once ffffffff80630580 D __stop___dyndbg ffffffff80634000 d mips_vdso_data ffffffff80638000 d vdso_data ffffffff80638580 D _gp ffffffff8063c000 T __init_begin ffffffff8063c000 D _edata ffffffff8063c000 T _sinittext -> ffffffff805a4000 D __end_init_task ffffffff805a4000 D __nosave_begin ffffffff805a4000 D __nosave_end ffffffff805a4000 d mips_vdso_data ffffffff805a8000 d vdso_data ffffffff805ac000 D mmlist_lock ffffffff805ac080 D tasklist_lock Fixes: ebb5e78cc634 ("MIPS: Initial implementation of a VDSO") Signed-off-by: Alexander Lobakin Reviewed-by: Kees Cook Reviewed-by: Nathan Chancellor Cc: stable@vger.kernel.org # 4.4+ Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit d3b8fa2e1d036c662daf8cb70f9ff198ed313038 Author: Takashi Iwai Date: Fri Feb 5 15:45:59 2021 +0100 ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode commit fb3c293b82c31a9a68fbcf4e7a45fadd8a47ea2b upstream. The commit f274baa49be6 ("ALSA: usb-audio: Allow non-vmalloc buffer for PCM buffers") introduced the mode to allocate coherent pages for PCM buffers, and it used bus->controller device as its DMA device. It turned out, however, that bus->sysdev is a more appropriate device to be used for DMA mapping in HCD code. This patch corrects the device reference accordingly. Note that, on most platforms, both point to the very same device, hence this patch doesn't change anything practically. But on platforms like xhcd-plat hcd, the change becomes effective. Fixes: f274baa49be6 ("ALSA: usb-audio: Allow non-vmalloc buffer for PCM buffers") Cc: Link: https://lore.kernel.org/r/20210205144559.29555-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 166f9bc8ca0db46dddcb71fb6a403c2e55a093ad Author: Jan Kara Date: Fri Jun 5 16:16:16 2020 +0200 bfq: Avoid false bfq queue merging commit 41e76c85660c022c6bf5713bfb6c21e64a487cec upstream. bfq_setup_cooperator() uses bfqd->in_serv_last_pos so detect whether it makes sense to merge current bfq queue with the in-service queue. However if the in-service queue is freshly scheduled and didn't dispatch any requests yet, bfqd->in_serv_last_pos is stale and contains value from the previously scheduled bfq queue which can thus result in a bogus decision that the two queues should be merged. This bug can be observed for example with the following fio jobfile: [global] direct=0 ioengine=sync invalidate=1 size=1g rw=read [reader] numjobs=4 directory=/mnt where the 4 processes will end up in the one shared bfq queue although they do IO to physically very distant files (for some reason I was able to observe this only with slice_idle=1ms setting). Fix the problem by invalidating bfqd->in_serv_last_pos when switching in-service queue. Fixes: 058fdecc6de7 ("block, bfq: fix in-service-queue check for queue merging") CC: stable@vger.kernel.org Signed-off-by: Jan Kara Acked-by: Paolo Valente Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 608ba1f447bc95613e7e4fce41ae635a46a1a2e2 Author: Hans de Goede Date: Thu Jan 21 16:07:54 2021 +0100 virt: vbox: Do not use wait_event_interruptible when called from kernel context commit c35901b39ddc20077f4ae7b9f7bf344487f62212 upstream. Do not use wait_event_interruptible when vbg_hgcm_call() gets called from kernel-context, such as it being called by the vboxsf filesystem code. This fixes some filesystem related system calls on shared folders unexpectedly failing with -EINTR. Fixes: 0532a1b0d045 ("virt: vbox: Implement passing requestor info to the host for VirtualBox 6.0.x") Reported-by: Ludovic Pouzenc Signed-off-by: Hans de Goede Cc: stable Link: https://lore.kernel.org/r/20210121150754.147598-1-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 468bf1861a9c2f62eda7b05eb90de3e2eb1b41c9 Author: Ard Biesheuvel Date: Sat Jan 9 10:53:53 2021 +0100 PCI: Decline to resize resources if boot config must be preserved commit 729e3a669d1b62e9876a671ac03ccba399a23b68 upstream. The _DSM #5 method in the ACPI host bridge object tells us whether the OS must preserve the resource assignments done by firmware. If this is the case, we should not permit drivers to resize BARs on the fly. Make pci_resize_resource() take this into account. Link: https://lore.kernel.org/r/20210109095353.13417-1-ardb@kernel.org Signed-off-by: Ard Biesheuvel Signed-off-by: Bjorn Helgaas Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Greg Kroah-Hartman commit 213c6f635babc000c1eb0b9bb19b7288313978f2 Author: Ansuel Smith Date: Mon Oct 19 18:55:55 2020 +0200 PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 commit 2cfef1971aea6119ee27429181d6cb3383031ac2 upstream. The use of PHY_REFCLK_USE_PAD introduced a regression for apq8064 devices. It was tested that while apq doesn't require the padding, ipq SoC must use it or the kernel hangs on boot. Link: https://lore.kernel.org/r/20201019165555.8269-1-ansuelsmth@gmail.com Fixes: de3c4bf64897 ("PCI: qcom: Add support for tx term offset for rev 2.1.0") Reported-by: Ilia Mirkin Signed-off-by: Ilia Mirkin Signed-off-by: Ansuel Smith Signed-off-by: Lorenzo Pieralisi Signed-off-by: Bjorn Helgaas Acked-by: Stanimir Varbanov Cc: stable@vger.kernel.org # v4.19+ Signed-off-by: Greg Kroah-Hartman commit c37821e061f0d057b551dfcf16f1cb2c38d22768 Author: Sumit Garg Date: Fri Jan 22 16:35:56 2021 +0530 kdb: Make memory allocations more robust commit 93f7a6d818deef69d0ba652d46bae6fbabbf365c upstream. Currently kdb uses in_interrupt() to determine whether its library code has been called from the kgdb trap handler or from a saner calling context such as driver init. This approach is broken because in_interrupt() alone isn't able to determine kgdb trap handler entry from normal task context. This can happen during normal use of basic features such as breakpoints and can also be trivially reproduced using: echo g > /proc/sysrq-trigger We can improve this by adding check for in_dbg_master() instead which explicitly determines if we are running in debugger context. Cc: stable@vger.kernel.org Signed-off-by: Sumit Garg Link: https://lore.kernel.org/r/1611313556-4004-1-git-send-email-sumit.garg@linaro.org Signed-off-by: Daniel Thompson Signed-off-by: Greg Kroah-Hartman commit 6f15d498bfe835b9e2fc2c6f72dde056022a4158 Author: Greg Kroah-Hartman Date: Thu Feb 18 11:08:18 2021 +0100 debugfs: do not attempt to create a new file before the filesystem is initalized commit 56348560d495d2501e87db559a61de717cd3ab02 upstream. Some subsystems want to add debugfs files at early boot, way before debugfs is initialized. This seems to work somehow as the vfs layer will not allow it to happen, but let's be explicit and test to ensure we are properly up and running before allowing files to be created. Cc: "Rafael J. Wysocki" Cc: stable Reported-by: Michael Walle Reported-by: Marc Zyngier Link: https://lore.kernel.org/r/20210218100818.3622317-2-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit de5ae40870350dc8f4d9dd70cd73410f167a23eb Author: Greg Kroah-Hartman Date: Thu Feb 18 11:08:17 2021 +0100 debugfs: be more robust at handling improper input in debugfs_lookup() commit bc6de804d36b3709d54fa22bd128cbac91c11526 upstream. debugfs_lookup() doesn't like it if it is passed an illegal name pointer, or if the filesystem isn't even initialized yet. If either of these happen, it will crash the system, so fix it up by properly testing for valid input and that we are up and running before trying to find a file in the filesystem. Cc: "Rafael J. Wysocki" Cc: stable Reported-by: Michael Walle Tested-by: Michael Walle Tested-by: Marc Zyngier Link: https://lore.kernel.org/r/20210218100818.3622317-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit d239c08f091ad75c38006e71dcba706346523d18 Author: Maxim Levitsky Date: Wed Jul 8 14:57:31 2020 +0300 kvm: x86: replace kvm_spec_ctrl_test_value with runtime test on the host commit 841c2be09fe4f495fe5224952a419bd8c7e5b455 upstream. To avoid complex and in some cases incorrect logic in kvm_spec_ctrl_test_value, just try the guest's given value on the host processor instead, and if it doesn't #GP, allow the guest to set it. One such case is when host CPU supports STIBP mitigation but doesn't support IBRS (as is the case with some Zen2 AMD cpus), and in this case we were giving guest #GP when it tried to use STIBP The reason why can can do the host test is that IA32_SPEC_CTRL msr is passed to the guest, after the guest sets it to a non zero value for the first time (due to performance reasons), and as as result of this, it is pointless to emulate #GP condition on this first access, in a different way than what the host CPU does. This is based on a patch from Sean Christopherson, who suggested this idea. Fixes: 6441fa6178f5 ("KVM: x86: avoid incorrect writes to host MSR_IA32_SPEC_CTRL") Cc: stable@vger.kernel.org Suggested-by: Sean Christopherson Signed-off-by: Maxim Levitsky Message-Id: <20200708115731.180097-1-mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Thomas Lamprecht Signed-off-by: Greg Kroah-Hartman commit 0a6565762f2783604ccc9c3d7d237d153724b307 Author: Nick Desaulniers Date: Fri Feb 5 12:22:18 2021 -0800 vmlinux.lds.h: add DWARF v5 sections commit 3c4fa46b30c551b1df2fb1574a684f68bc22067c upstream. We expect toolchains to produce these new debug info sections as part of DWARF v5. Add explicit placements to prevent the linker warnings from --orphan-section=warn. Compilers may produce such sections with explicit -gdwarf-5, or based on the implicit default version of DWARF when -g is used via DEBUG_INFO. This implicit default changes over time, and has changed to DWARF v5 with GCC 11. .debug_sup was mentioned in review, but without compilers producing it today, let's wait to add it until it becomes necessary. Cc: stable@vger.kernel.org Link: https://bugzilla.redhat.com/show_bug.cgi?id=1922707 Reported-by: Chris Murphy Suggested-by: Fangrui Song Reviewed-by: Nathan Chancellor Reviewed-by: Mark Wielaard Tested-by: Sedat Dilek Signed-off-by: Nick Desaulniers Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman