commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 Author: Linus Torvalds Date: Sun Apr 25 13:49:08 2021 -0700 Linux 5.12 commit d2d09fbe33f80ec17536b6a687ac5274feb927c7 Merge: 24dfc390079c5 c6f87141254d1 Author: Linus Torvalds Date: Sun Apr 25 09:48:46 2021 -0700 Merge tag 'perf-tools-fixes-for-v5.12-2021-04-25' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tools fixes from Arnaldo Carvalho de Melo: - Fix potential NULL pointer dereference in the auxtrace option parser - Fix access to PID in an array when setting a PID filter in 'perf ftrace' - Fix error return code in the 'perf data' tool and in maps__clone(), found using a static analysis tool from Huawei * tag 'perf-tools-fixes-for-v5.12-2021-04-25' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf map: Fix error return code in maps__clone() perf ftrace: Fix access to pid in array when setting a pid filter perf auxtrace: Fix potential NULL pointer dereference perf data: Fix error return code in perf_data__create_dir() commit 24dfc390079c5bda43a689d8b83812ce308e1e07 Merge: 0146da0d4ceca 4b2f1e59229b9 Author: Linus Torvalds Date: Sun Apr 25 09:42:06 2021 -0700 Merge tag 'perf_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 perf fixes from Borislav Petkov: - Fix Broadwell Xeon's stepping in the PEBS isolation table of CPUs - Fix a panic when initializing perf uncore machinery on Haswell and Broadwell servers * tag 'perf_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 commit 0146da0d4cecad571f69f02fe35d75d6dba9723c Merge: 682b26bd80f96 84a24bf8c52e6 Author: Linus Torvalds Date: Sun Apr 25 09:10:10 2021 -0700 Merge tag 'locking_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Borislav Petkov: "Fix ordering in the queued writer lock's slowpath" * tag 'locking_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() commit 682b26bd80f96c2e4da3eb6dcec8bf684b79151c Merge: 11fac7a004113 0c89d87d1d43d Author: Linus Torvalds Date: Sun Apr 25 09:08:19 2021 -0700 Merge tag 'sched_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Borislav Petkov: "Fix a typo in a macro ifdeffery" * tag 'sched_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: preempt/dynamic: Fix typo in macro conditional statement commit 11fac7a004113466b7155e9b0d836156cf8a7e8d Merge: 2a1d7946fa53c 5849cdf8c120e Author: Linus Torvalds Date: Sun Apr 25 09:02:13 2021 -0700 Merge tag 'x86_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Borislav Petkov: "Fix an out-of-bounds memory access when setting up a crash kernel with kexec" * tag 'x86_urgent_for_v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access commit 2a1d7946fa53cea2083e5981ff55a8176ab2be6b Merge: 799bac5512188 9c1a07442c95f Author: Linus Torvalds Date: Sat Apr 24 09:40:18 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fix from Paolo Bonzini: "Fix SRCU bug introduced in the merge window" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86/xen: Take srcu lock when accessing kvm_memslots() commit 799bac5512188522213e2d7eb78ca7094dfdf30c Author: Linus Torvalds Date: Sat Apr 24 09:32:35 2021 -0700 Revert "net/rds: Avoid potential use after free in rds_send_remove_from_sock" This reverts commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05. The games with 'rm' are on (two separate instances) of a local variable, and make no difference. Quoting Aditya Pakki: "I was the author of the patch and it was the cause of the giant UMN revert. The patch is garbage and I was unaware of the steps involved in retracting it. I *believed* the maintainers would pull it, given it was already under Greg's list. The patch does not introduce any bugs but is pointless and is stupid. I accept my incompetence and for not requesting a revert earlier." Link: https://lwn.net/Articles/854319/ Requested-by: Aditya Pakki Cc: Santosh Shilimkar Cc: David S. Miller Cc: Al Viro Signed-off-by: Linus Torvalds commit 8db5efb83fa99e81c3f8dee92a6589b251f117f3 Merge: e77a830c8297c 482715ff0601c Author: Linus Torvalds Date: Fri Apr 23 17:11:10 2021 -0700 Merge tag 'pinctrl-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Late pin control fixes, would have been in the main pull request normally but hey I got lucky and we got another week to polish up v5.12 so here we go. One driver fix and one making the core debugfs work: - Fix the number of pins in the community of the Intel Lewisburg SoC - Show pin numbers for controllers with base = 0 in the new debugfs feature" * tag 'pinctrl-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: core: Show pin numbers for the controllers with base = 0 pinctrl: lewisburg: Update number of pins in community commit e77a830c8297c088f80e337cf888af7d014a16d7 Merge: 95838bd9fcfaa 1974c45dd7745 Author: Linus Torvalds Date: Fri Apr 23 14:56:23 2021 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "5 patches. Subsystems affected by this patch series: coda, overlayfs, and mm (pagecache and memcg)" * emailed patches from Andrew Morton : tools/cgroup/slabinfo.py: updated to work on current kernel mm/filemap: fix mapping_seek_hole_data on THP & 32-bit mm/filemap: fix find_lock_entries hang on 32-bit THP ovl: fix reference counting in ovl_mmap error path coda: fix reference counting in coda_file_mmap error path commit 95838bd9fcfaa12452dc9fd6d6920faef6bb5a46 Merge: 6d1d45cb98347 68e6582e8f2dc Author: Linus Torvalds Date: Fri Apr 23 14:46:20 2021 -0700 Merge tag 'block-5.12-2021-04-23' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "A single fix for a behavioral regression in this series, when re-reading the partition table with partitions open" * tag 'block-5.12-2021-04-23' of git://git.kernel.dk/linux-block: block: return -EBUSY when there are open partitions in blkdev_reread_part commit 1974c45dd7745e999b9387be3d8fdcb27a5b1721 Author: Vasily Averin Date: Fri Apr 23 14:29:03 2021 -0700 tools/cgroup/slabinfo.py: updated to work on current kernel slabinfo.py script does not work with actual kernel version. First, it was unable to recognise SLUB susbsytem, and when I specified it manually it failed again with AttributeError: 'struct page' has no member 'obj_cgroups' .. and then again with File "tools/cgroup/memcg_slabinfo.py", line 221, in main memcg.kmem_caches.address_of_(), AttributeError: 'struct mem_cgroup' has no member 'kmem_caches' Link: https://lkml.kernel.org/r/cec1a75e-43b4-3d64-2084-d9f98fda037f@virtuozzo.com Signed-off-by: Vasily Averin Tested-by: Roman Gushchin Acked-by: Roman Gushchin Cc: Michal Hocko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit ed98b0159fa92a22a2838bd92522b8c8d964556b Author: Hugh Dickins Date: Fri Apr 23 14:29:00 2021 -0700 mm/filemap: fix mapping_seek_hole_data on THP & 32-bit No problem on 64-bit, or without huge pages, but xfstests generic/285 and other SEEK_HOLE/SEEK_DATA tests have regressed on huge tmpfs, and on 32-bit architectures, with the new mapping_seek_hole_data(). Several different bugs turned out to need fixing. u64 cast to stop losing bits when converting unsigned long to loff_t (and let's use shifts throughout, rather than mixed with * and /). Use round_up() when advancing pos, to stop assuming that pos was already THP-aligned when advancing it by THP-size. (This use of round_up() assumes that any THP has THP-aligned index: true at present and true going forward, but could be recoded to avoid the assumption.) Use xas_set() when iterating away from a THP, so that xa_index stays in synch with start, instead of drifting away to return bogus offset. Check start against end to avoid wrapping 32-bit xa_index to 0 (and to handle these additional cases, seek_data or not, it's easier to break the loop than goto: so rearrange exit from the function). [hughd@google.com: remove unneeded u64 casts, per Matthew] Link: https://lkml.kernel.org/r/alpine.LSU.2.11.2104221347240.1170@eggly.anvils Link: https://lkml.kernel.org/r/alpine.LSU.2.11.2104211737410.3299@eggly.anvils Fixes: 41139aa4c3a3 ("mm/filemap: add mapping_seek_hole_data") Signed-off-by: Hugh Dickins Cc: Christoph Hellwig Cc: Dave Chinner Cc: Jan Kara Cc: Johannes Weiner Cc: "Kirill A. Shutemov" Cc: Matthew Wilcox Cc: William Kucharski Cc: Yang Shi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2d11e738151d6cd321dd944cefe9c941ea00086c Author: Hugh Dickins Date: Fri Apr 23 14:28:57 2021 -0700 mm/filemap: fix find_lock_entries hang on 32-bit THP No problem on 64-bit, or without huge pages, but xfstests generic/308 hung uninterruptibly on 32-bit huge tmpfs. Since commit 0cc3b0ec23ce ("Clarify (and fix) in 4.13 MAX_LFS_FILESIZE macros"), MAX_LFS_FILESIZE is only a PAGE_SIZE away from wrapping 32-bit xa_index to 0, so the new find_lock_entries() has to be extra careful when handling a THP. Link: https://lkml.kernel.org/r/alpine.LSU.2.11.2104211735430.3299@eggly.anvils Fixes: 5c211ba29deb ("mm: add and use find_lock_entries") Signed-off-by: Hugh Dickins Cc: Matthew Wilcox Cc: William Kucharski Cc: Christoph Hellwig Cc: Jan Kara Cc: Dave Chinner Cc: Johannes Weiner Cc: "Kirill A. Shutemov" Cc: Yang Shi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 2896900e22f8212606a1837d89a6bbce314ceeda Author: Christian König Date: Fri Apr 23 14:28:54 2021 -0700 ovl: fix reference counting in ovl_mmap error path mmap_region() now calls fput() on the vma->vm_file. Fix this by using vma_set_file() so it doesn't need to be handled manually here any more. Link: https://lkml.kernel.org/r/20210421132012.82354-2-christian.koenig@amd.com Fixes: 1527f926fd04 ("mm: mmap: fix fput in error path v2") Signed-off-by: Christian König Reviewed-by: Daniel Vetter Cc: Jan Harkes Cc: Miklos Szeredi Cc: Jason Gunthorpe Cc: [5.11+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 9da29c7f77cd04e5c9150e30f047521b6f20a918 Author: Christian König Date: Fri Apr 23 14:28:51 2021 -0700 coda: fix reference counting in coda_file_mmap error path mmap_region() now calls fput() on the vma->vm_file. So we need to drop the extra reference on the coda file instead of the host file. Link: https://lkml.kernel.org/r/20210421132012.82354-1-christian.koenig@amd.com Fixes: 1527f926fd04 ("mm: mmap: fix fput in error path v2") Signed-off-by: Christian König Reviewed-by: Daniel Vetter Acked-by: Jan Harkes Cc: Miklos Szeredi Cc: Jason Gunthorpe Cc: [5.11+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 9c1a07442c95f6e64dc8de099e9f35ea73db7852 Author: Wanpeng Li Date: Fri Apr 23 16:23:20 2021 +0800 KVM: x86/xen: Take srcu lock when accessing kvm_memslots() kvm_memslots() will be called by kvm_write_guest_offset_cached() so we should take the srcu lock. Let's pull the srcu lock operation from kvm_steal_time_set_preempted() again to fix xen part. Fixes: 30b5c851af7 ("KVM: x86/xen: Add support for vCPU runstate information") Signed-off-by: Wanpeng Li Message-Id: <1619166200-9215-1-git-send-email-wanpengli@tencent.com> Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini commit 6d1d45cb98347dbd101b378d11b5f0deb87b345d Merge: 5bfc75d92efd4 a1768dad775b5 Author: Linus Torvalds Date: Fri Apr 23 13:01:05 2021 -0700 Merge tag 'arm-fixes-5.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "These should be the final fixes for v5.12. There is one fix for SD card detection on one Allwinner board, and a few fixes for the Tegra platform that I had already queued up for v5.13 due to a communication problem. This addresses MMC device ordering on multiple machines, audio support on Jetson AGX Xavier and suspend/resume on Jetson TX2" * tag 'arm-fixes-5.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS arm64: tegra: Move clocks from RT5658 endpoint to device node arm64: tegra: Fix mmc0 alias for Jetson Xavier NX arm64: tegra: Set fw_devlink=on for Jetson TX2 arm64: tegra: Add unit-address for ACONNECT on Tegra186 commit c6f87141254d16e281e4b4431af7316895207b8f Author: Zhen Lei Date: Thu Apr 15 17:27:44 2021 +0800 perf map: Fix error return code in maps__clone() Although 'err' has been initialized to -ENOMEM, but it will be reassigned by the "err = unwind__prepare_access(...)" statement in the for loop. So that, the value of 'err' is unknown when map__clone() failed. Fixes: 6c502584438bda63 ("perf unwind: Call unwind__prepare_access for forked thread") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: zhen lei Link: http://lore.kernel.org/lkml/20210415092744.3793-1-thunder.leizhen@huawei.com Signed-off-by: Arnaldo Carvalho de Melo commit 671b60cb6a897a5b3832fe57657152f2c3995e25 Author: Thomas Richter Date: Wed Apr 21 14:04:00 2021 +0200 perf ftrace: Fix access to pid in array when setting a pid filter Command 'perf ftrace -v -- ls' fails in s390 (at least 5.12.0rc6). The root cause is a missing pointer dereference which causes an array element address to be used as PID. Fix this by extracting the PID. Output before: # ./perf ftrace -v -- ls function_graph tracer is used write '-263732416' to tracing/set_ftrace_pid failed: Invalid argument failed to set ftrace pid # Output after: ./perf ftrace -v -- ls function_graph tracer is used # tracer: function_graph # # CPU DURATION FUNCTION CALLS # | | | | | | | 4) | rcu_read_lock_sched_held() { 4) 0.552 us | rcu_lockdep_current_cpu_online(); 4) 6.124 us | } Reported-by: Alexander Schmidt Signed-off-by: Thomas Richter Acked-by: Namhyung Kim Cc: Heiko Carstens Cc: Sumanth Korikkar Cc: Sven Schnelle Cc: Vasily Gorbik Link: http://lore.kernel.org/lkml/20210421120400.2126433-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo commit b14585d9f18dc617e975815570fe836be656b1da Author: Leo Yan Date: Tue Apr 20 23:15:53 2021 +0800 perf auxtrace: Fix potential NULL pointer dereference In the function auxtrace_parse_snapshot_options(), the callback pointer "itr->parse_snapshot_options" can be NULL if it has not been set during the AUX record initialization. This can cause tool crashing if the callback pointer "itr->parse_snapshot_options" is dereferenced without performing NULL check. Add a NULL check for the pointer "itr->parse_snapshot_options" before invoke the callback. Fixes: d20031bb63dd6dde ("perf tools: Add AUX area tracing Snapshot Mode") Signed-off-by: Leo Yan Acked-by: Adrian Hunter Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Tiezhu Yang Link: http://lore.kernel.org/lkml/20210420151554.2031768-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit 5bfc75d92efd494db37f5c4c173d3639d4772966 Merge: 22c4e5bcd3cd7 aca38735ae624 Author: Linus Torvalds Date: Fri Apr 23 10:23:57 2021 -0700 Merge tag 'drm-fixes-2021-04-23' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Just some small i915 and amdgpu fixes this week, should be all until you open the merge window. amdgpu: - Fix gpuvm page table update issue - Modifier fixes - Register fix for dimgrey cavefish i915: - GVT's BDW regression fix for cmd parser - Fix modesetting in case of unexpected AUX timeouts" * tag 'drm-fixes-2021-04-23' of git://anongit.freedesktop.org/drm/drm: drm/amdgpu: fix GCR_GENERAL_CNTL offset for dimgrey_cavefish amd/display: allow non-linear multi-planar formats drm/amd/display: Update modifier list for gfx10_3 drm/amdgpu: reserve fence slot to update page table drm/i915: Fix modesetting in case of unexpected AUX timeouts drm/i915/gvt: Fix BDW command parser regression commit 22c4e5bcd3cd7a798f1c6b4df646f75587813e72 Merge: 18a3c5f7abfdf ddd8d94ca31e7 Author: Linus Torvalds Date: Fri Apr 23 10:19:19 2021 -0700 Merge tag 'gpio-fixes-for-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fix from Bartosz Golaszewski: "Save and restore the sysconfig register in gpio-omap to fix a power-management issue" * tag 'gpio-fixes-for-v5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: omap: Save and restore sysconfig commit a1768dad775b5ceb25d17bc7a13318f43adf3069 Merge: 450225a402e5b 405fa9e9d8664 Author: Arnd Bergmann Date: Fri Apr 23 15:37:53 2021 +0200 Merge branch 'tegra/dt64' into arm/fixes arm64: tegra: Device tree fixes for v5.12-rc6 This contains a couple of device tree fixes for the v5.12 release cycle. These are needed for proper audio support on Jetson AGX Xavier, to boot the Jetson Xavier NX from an SD card and to be able to suspend/resume the Jetson TX2. * tegra/dt64: arm64: tegra: Move clocks from RT5658 endpoint to device node arm64: tegra: Fix mmc0 alias for Jetson Xavier NX arm64: tegra: Set fw_devlink=on for Jetson TX2 arm64: tegra: Add unit-address for ACONNECT on Tegra186 Link: https://lore.kernel.org/linux-arm-kernel/YILD4yyPXuiYbHW1@orome.fritz.box/ Signed-off-by: Arnd Bergmann commit aca38735ae624b93c71c055b68d5802b8f356ea5 Merge: b4d1913df2b78 2d292995bb8f4 Author: Dave Airlie Date: Fri Apr 23 12:16:12 2021 +1000 Merge tag 'drm-intel-fixes-2021-04-22' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - GVT's BDW regression fix for cmd parser (Zhenyu) - Fix modesetting in case of unexpected AUX timeouts (Imre) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YIGZ3pQPgPQtZtyI@intel.com commit b4d1913df2b78b872cab62456321f436ab232c3c Merge: bf05bf16c76bb 24d034528ef06 Author: Dave Airlie Date: Fri Apr 23 11:34:02 2021 +1000 Merge tag 'amd-drm-fixes-5.12-2021-04-21' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.12-2021-04-21: amdgpu: - Fix gpuvm page table update issue - Modifier fixes - Register fix for dimgrey cavefish Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20210421220456.3839-1-alexander.deucher@amd.com commit 18a3c5f7abfdf97f88536d35338ebbee119c355c Merge: 90c911ad7445c be286f84e33da Author: Linus Torvalds Date: Thu Apr 22 16:28:18 2021 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "Very late in the cycle but both risky if left unfixed and more or less obvious.." * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails vhost-vdpa: protect concurrent access to vhost device iotlb commit be286f84e33da1a7f83142b64dbd86f600e73363 Author: Eli Cohen Date: Sun Apr 11 11:36:46 2021 +0300 vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails Set err = -ENOMEM if dma_map_sg_attrs() fails so the function reutrns error. Fixes: 94abbccdf291 ("vdpa/mlx5: Add shared memory registration code") Signed-off-by: Eli Cohen Reported-by: kernel test robot Reported-by: Dan Carpenter Link: https://lore.kernel.org/r/20210411083646.910546-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Reviewed-by: Stefano Garzarella commit a9d064524fc3cf463b3bb14fa63de78aafb40dab Author: Xie Yongji Date: Mon Apr 12 17:55:12 2021 +0800 vhost-vdpa: protect concurrent access to vhost device iotlb Protect vhost device iotlb by vhost_dev->mutex. Otherwise, it might cause corruption of the list and interval tree in struct vhost_iotlb if userspace sends the VHOST_IOTLB_MSG_V2 message concurrently. Fixes: 4c8cf318("vhost: introduce vDPA-based backend") Cc: stable@vger.kernel.org Signed-off-by: Xie Yongji Acked-by: Jason Wang Reviewed-by: Stefano Garzarella Link: https://lore.kernel.org/r/20210412095512.178-1-xieyongji@bytedance.com Signed-off-by: Michael S. Tsirkin commit 450225a402e5b2b4c7ddef7ec54f797868d0f583 Merge: b9a9786a13ea1 4d09ccc4a81e7 Author: Arnd Bergmann Date: Thu Apr 22 23:18:30 2021 +0200 Merge tag 'sunxi-fixes-for-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes One fix for the MMC card detect on the Pine H64 board * tag 'sunxi-fixes-for-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS Link: https://lore.kernel.org/r/45fc5e4d-ef48-4729-a869-79a8f288bb83.lettre@localhost Signed-off-by: Arnd Bergmann commit 90c911ad7445ccec9936763f05fa5db6a3da53be Merge: 16fc44d6387e2 9d5171eab462a Author: Linus Torvalds Date: Thu Apr 22 13:51:46 2021 -0700 Merge tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/tpmdd Pull tpm fix from James Bottomley: "This is an urgent regression fix for a tpm patch set that went in this merge window. It looks like a rebase before the original pull request lost a tpm_try_get_ops() so we have a lock imbalance in our code which is causing oopses. The original patch was correct on the mailing list. I'm sending this in agreement with Mimi (as joint maintainers of trusted keys) because Jarkko is off communing with the Reindeer or whatever it is Finns do when on holiday" * tag 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/tpmdd: KEYS: trusted: Fix TPM reservation for seal/unseal commit 4b2f1e59229b9da319d358828cdfa4ddbc140769 Author: Jim Mattson Date: Wed Apr 21 17:18:34 2021 -0700 perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] The only stepping of Broadwell Xeon parts is stepping 1. Fix the relevant isolation_ucodes[] entry, which previously enumerated stepping 2. Although the original commit was characterized as an optimization, it is also a workaround for a correctness issue. If a PMI arrives between kvm's call to perf_guest_get_msrs() and the subsequent VM-entry, a stale value for the IA32_PEBS_ENABLE MSR may be restored at the next VM-exit. This is because, unbeknownst to kvm, PMI throttling may clear bits in the IA32_PEBS_ENABLE MSR. CPUs with "PEBS isolation" don't suffer from this issue, because perf_guest_get_msrs() doesn't report the IA32_PEBS_ENABLE value. Fixes: 9b545c04abd4f ("perf/x86/kvm: Avoid unnecessary work in guest filtering") Signed-off-by: Jim Mattson Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Peter Shier Acked-by: Andi Kleen Link: https://lkml.kernel.org/r/20210422001834.1748319-1-jmattson@google.com commit 4d09ccc4a81e7de6b002482af554d8b5626f5041 Author: Andre Przywara Date: Wed Apr 14 11:47:40 2021 +0100 arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS Commit 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") enabled the card detect GPIO for the SOPine module, along the way with the Pine64-LTS, which share the same base .dtsi. This was based on the observation that the Pine64-LTS has as "push-push" SD card socket, and that the schematic mentions the card detect GPIO. After having received two reports about failing SD card access with that patch, some more research and polls on that subject revealed that there are at least two different versions of the Pine64-LTS out there: - On some boards (including mine) the card detect pin is "stuck" at high, regardless of an microSD card being inserted or not. - On other boards the card-detect is working, but is active-high, by virtue of an explicit inverter circuit, as shown in the schematic. To cover all versions of the board out there, and don't take any chances, let's revert the introduction of the active-low CD GPIO, but let's use the broken-cd property for the Pine64-LTS this time. That should avoid regressions and should work for everyone, even allowing SD card changes now. The SOPine card detect has proven to be working, so let's keep that GPIO in place. Fixes: 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") Reported-by: Michael Weiser Reported-by: Daniel Kulesz Suggested-by: Chen-Yu Tsai Signed-off-by: Andre Przywara Tested-by: Michael Weiser Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210414104740.31497-1-andre.przywara@arm.com commit 482715ff0601c836152b792f06c353464d826b9b Author: Andy Shevchenko Date: Thu Apr 15 16:03:56 2021 +0300 pinctrl: core: Show pin numbers for the controllers with base = 0 The commit f1b206cf7c57 ("pinctrl: core: print gpio in pins debugfs file") enabled GPIO pin number and label in debugfs for pin controller. However, it limited that feature to the chips where base is positive number. This, in particular, excluded chips where base is 0 for the historical or backward compatibility reasons. Refactor the code to include the latter as well. Fixes: f1b206cf7c57 ("pinctrl: core: print gpio in pins debugfs file") Cc: Drew Fustini Signed-off-by: Andy Shevchenko Tested-by: Drew Fustini Reviewed-by: Drew Fustini Link: https://lore.kernel.org/r/20210415130356.15885-1-andriy.shevchenko@linux.intel.com Signed-off-by: Linus Walleij commit 9d5171eab462a63e2fbebfccf6026e92be018f20 Author: James Bottomley Date: Wed Apr 21 15:42:47 2021 -0700 KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621.127925-4-jarkko@kernel.org/ But somehow got rebased so that the tpm_try_get_ops() in tpm2_seal_trusted() got lost. This causes an imbalanced put of the TPM ops and causes oopses on TIS based hardware. This fix puts back the lost tpm_try_get_ops() Fixes: 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") Reported-by: Mimi Zohar Acked-by: Mimi Zohar Signed-off-by: James Bottomley commit 16fc44d6387e260f4932e9248b985837324705d8 Merge: 1fe5501ba1abf 7412dee9f1fd3 Author: Linus Torvalds Date: Wed Apr 21 10:22:54 2021 -0700 Merge tag 'mmc-v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fix from Ulf Hansson: "Replace WARN_ONCE with dev_warn_once for non-optimal sg-alignment in the meson-gx host driver" * tag 'mmc-v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: meson-gx: replace WARN_ONCE with dev_warn_once about scatterlist size alignment in block mode commit 68e6582e8f2dc32fd2458b9926564faa1fb4560e Author: Christoph Hellwig Date: Wed Apr 21 18:05:02 2021 +0200 block: return -EBUSY when there are open partitions in blkdev_reread_part The switch to go through blkdev_get_by_dev means we now ignore the return value from bdev_disk_changed in __blkdev_get. Add a manual check to restore the old semantics. Fixes: 4601b4b130de ("block: reopen the device in blkdev_reread_part") Reported-by: Karel Zak Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20210421160502.447418-1-hch@lst.de Signed-off-by: Jens Axboe commit 24d034528ef06ad94cfcf4394beac0443ab1b16d Author: Jiansong Chen Date: Mon Apr 19 16:33:22 2021 +0800 drm/amdgpu: fix GCR_GENERAL_CNTL offset for dimgrey_cavefish dimgrey_cavefish has similar gc_10_3 ip with sienna_cichlid, so follow its registers offset setting. Signed-off-by: Jiansong Chen Reviewed-by: Tao Zhou Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 9ebb6bc0125dfb1e65a53eea4aeecc63d4d6ec2d Author: Simon Ser Date: Fri Mar 26 17:59:44 2021 +0100 amd/display: allow non-linear multi-planar formats Accept non-linear buffers which use a multi-planar format, as long as they don't use DCC. Tested on GFX9 with NV12. Signed-off-by: Simon Ser Cc: Alex Deucher Cc: Harry Wentland Cc: Nicholas Kazlauskas Cc: Bas Nieuwenhuizen Reviewed-by: Bas Nieuwenhuizen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 6d638b3ffd27036c062d32cb4efd4be172c2a65e Author: Qingqing Zhuo Date: Wed Apr 14 19:00:01 2021 -0400 drm/amd/display: Update modifier list for gfx10_3 [Why] Current list supports modifiers that have DCC_MAX_COMPRESSED_BLOCK set to AMD_FMT_MOD_DCC_BLOCK_128B, while AMD_FMT_MOD_DCC_BLOCK_64B is used instead by userspace. [How] Replace AMD_FMT_MOD_DCC_BLOCK_128B with AMD_FMT_MOD_DCC_BLOCK_64B for modifiers with DCC supported. Fixes: faa37f54ce0462 ("drm/amd/display: Expose modifiers") Signed-off-by: Qingqing Zhuo Reviewed-by: Bas Nieuwenhuizen Tested-by: Bas Nieuwenhuizen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit d42a5b639d15622ece5b9dd12dafd9776efa2593 Author: Philip Yang Date: Thu Apr 1 00:22:23 2021 -0400 drm/amdgpu: reserve fence slot to update page table Forgot to reserve a fence slot to use sdma to update page table, cause below kernel BUG backtrace to handle vm retry fault while application is exiting. [ 133.048143] kernel BUG at /home/yangp/git/compute_staging/kernel/drivers/dma-buf/dma-resv.c:281! [ 133.048487] Workqueue: events amdgpu_irq_handle_ih1 [amdgpu] [ 133.048506] RIP: 0010:dma_resv_add_shared_fence+0x204/0x280 [ 133.048672] amdgpu_vm_sdma_commit+0x134/0x220 [amdgpu] [ 133.048788] amdgpu_vm_bo_update_range+0x220/0x250 [amdgpu] [ 133.048905] amdgpu_vm_handle_fault+0x202/0x370 [amdgpu] [ 133.049031] gmc_v9_0_process_interrupt+0x1ab/0x310 [amdgpu] [ 133.049165] ? kgd2kfd_interrupt+0x9a/0x180 [amdgpu] [ 133.049289] ? amdgpu_irq_dispatch+0xb6/0x240 [amdgpu] [ 133.049408] amdgpu_irq_dispatch+0xb6/0x240 [amdgpu] [ 133.049534] amdgpu_ih_process+0x9b/0x1c0 [amdgpu] [ 133.049657] amdgpu_irq_handle_ih1+0x21/0x60 [amdgpu] [ 133.049669] process_one_work+0x29f/0x640 [ 133.049678] worker_thread+0x39/0x3f0 [ 133.049685] ? process_one_work+0x640/0x640 Signed-off-by: Philip Yang Signed-off-by: Felix Kuehling Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.11.x commit ddd8d94ca31e768c76cf8bfe34ba7b10136b3694 Author: Tony Lindgren Date: Sat Apr 17 11:38:39 2021 +0300 gpio: omap: Save and restore sysconfig As we are using cpu_pm to save and restore context, we must also save and restore the GPIO sysconfig register. This is needed because we are not calling PM runtime functions at all with cpu_pm. We need to save the sysconfig on idle as it's value can get reconfigured by PM runtime and can be different from the init time value. Device specific flags like "ti,no-idle-on-init" can affect the init value. Fixes: b764a5863fd8 ("gpio: omap: Remove custom PM calls and use cpu_pm instead") Cc: Aaro Koskinen Cc: Adam Ford Cc: Andreas Kemnade Cc: Grygorii Strashko Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren Acked-by: Grygorii Strashko Signed-off-by: Bartosz Golaszewski commit 9d480158ee86ad606d3a8baaf81e6b71acbfd7d5 Author: Kan Liang Date: Thu Apr 15 14:22:43 2021 -0700 perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 There may be a kernel panic on the Haswell server and the Broadwell server, if the snbep_pci2phy_map_init() return error. The uncore_extra_pci_dev[HSWEP_PCI_PCU_3] is used in the cpu_init() to detect the existence of the SBOX, which is a MSR type of PMON unit. The uncore_extra_pci_dev is allocated in the uncore_pci_init(). If the snbep_pci2phy_map_init() returns error, perf doesn't initialize the PCI type of the PMON units, so the uncore_extra_pci_dev will not be allocated. But perf may continue initializing the MSR type of PMON units. A null dereference kernel panic will be triggered. The sockets in a Haswell server or a Broadwell server are identical. Only need to detect the existence of the SBOX once. Current perf probes all available PCU devices and stores them into the uncore_extra_pci_dev. It's unnecessary. Use the pci_get_device() to replace the uncore_extra_pci_dev. Only detect the existence of the SBOX on the first available PCU device once. Factor out hswep_has_limit_sbox(), since the Haswell server and the Broadwell server uses the same way to detect the existence of the SBOX. Add some macros to replace the magic number. Fixes: 5306c31c5733 ("perf/x86/uncore/hsw-ep: Handle systems with only two SBOXes") Reported-by: Steve Wahl Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Tested-by: Steve Wahl Link: https://lkml.kernel.org/r/1618521764-100923-1-git-send-email-kan.liang@linux.intel.com commit 1fe5501ba1abf2b7e78295df73675423bd6899a0 Merge: db2e718a47984 0e1e71d34901a Author: Linus Torvalds Date: Tue Apr 20 14:38:35 2021 -0700 Merge tag 'trace-v5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fix from Steven Rostedt: "Fix tp_printk command line and trace events Masami added a wrapper to be able to unhash trace event pointers as they are only read by root anyway, and they can also be extracted by the raw trace data buffers. But this wrapper utilized the iterator to have a temporary buffer to manipulate the text with. tp_printk is a kernel command line option that will send the trace output of a trace event to the console on boot up (useful when the system crashes before finishing the boot). But the code used the same wrapper that Masami added, and its iterator did not have a buffer, and this caused the system to crash. Have the wrapper just print the trace event normally if the iterator has no temporary buffer" * tag 'trace-v5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Fix checking event hash pointer logic when tp_printk is enabled commit db2e718a47984b9d71ed890eb2ea36ecf150de18 Author: Serge E. Hallyn Date: Tue Apr 20 08:43:34 2021 -0500 capabilities: require CAP_SETFCAP to map uid 0 cap_setfcap is required to create file capabilities. Since commit 8db6c34f1dbc ("Introduce v3 namespaced file capabilities"), a process running as uid 0 but without cap_setfcap is able to work around this as follows: unshare a new user namespace which maps parent uid 0 into the child namespace. While this task will not have new capabilities against the parent namespace, there is a loophole due to the way namespaced file capabilities are represented as xattrs. File capabilities valid in userns 1 are distinguished from file capabilities valid in userns 2 by the kuid which underlies uid 0. Therefore the restricted root process can unshare a new self-mapping namespace, add a namespaced file capability onto a file, then use that file capability in the parent namespace. To prevent that, do not allow mapping parent uid 0 if the process which opened the uid_map file does not have CAP_SETFCAP, which is the capability for setting file capabilities. As a further wrinkle: a task can unshare its user namespace, then open its uid_map file itself, and map (only) its own uid. In this case we do not have the credential from before unshare, which was potentially more restricted. So, when creating a user namespace, we record whether the creator had CAP_SETFCAP. Then we can use that during map_write(). With this patch: 1. Unprivileged user can still unshare -Ur ubuntu@caps:~$ unshare -Ur root@caps:~# logout 2. Root user can still unshare -Ur ubuntu@caps:~$ sudo bash root@caps:/home/ubuntu# unshare -Ur root@caps:/home/ubuntu# logout 3. Root user without CAP_SETFCAP cannot unshare -Ur: root@caps:/home/ubuntu# /sbin/capsh --drop=cap_setfcap -- root@caps:/home/ubuntu# /sbin/setcap cap_setfcap=p /sbin/setcap unable to set CAP_SETFCAP effective capability: Operation not permitted root@caps:/home/ubuntu# unshare -Ur unshare: write failed /proc/self/uid_map: Operation not permitted Note: an alternative solution would be to allow uid 0 mappings by processes without CAP_SETFCAP, but to prevent such a namespace from writing any file capabilities. This approach can be seen at [1]. Background history: commit 95ebabde382 ("capabilities: Don't allow writing ambiguous v3 file capabilities") tried to fix the issue by preventing v3 fscaps to be written to disk when the root uid would map to the same uid in nested user namespaces. This led to regressions for various workloads. For example, see [2]. Ultimately this is a valid use-case we have to support meaning we had to revert this change in 3b0c2d3eaa83 ("Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities")"). Link: https://git.kernel.org/pub/scm/linux/kernel/git/sergeh/linux.git/log/?h=2021-04-15/setfcap-nsfscaps-v4 [1] Link: https://github.com/containers/buildah/issues/3071 [2] Signed-off-by: Serge Hallyn Reviewed-by: Andrew G. Morgan Tested-by: Christian Brauner Reviewed-by: Christian Brauner Tested-by: Giuseppe Scrivano Cc: Eric Biederman Signed-off-by: Linus Torvalds commit f2211881e737cade55e0ee07cf6a26d91a35a6fe Author: Zhen Lei Date: Thu Apr 15 16:34:16 2021 +0800 perf data: Fix error return code in perf_data__create_dir() Although 'ret' has been initialized to -1, but it will be reassigned by the "ret = open(...)" statement in the for loop. So that, the value of 'ret' is unknown when asprintf() failed. Reported-by: Hulk Robot Signed-off-by: Zhen Lei Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210415083417.3740-1-thunder.leizhen@huawei.com Signed-off-by: Arnaldo Carvalho de Melo commit 5849cdf8c120e3979c57d34be55b92d90a77a47e Author: Mike Galbraith Date: Fri Apr 16 14:02:07 2021 +0200 x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access Commit in Fixes: added support for kexec-ing a kernel on panic using a new system call. As part of it, it does prepare a memory map for the new kernel. However, while doing so, it wrongly accesses memory it has not allocated: it accesses the first element of the cmem->ranges[] array in memmap_exclude_ranges() but it has not allocated the memory for it in crash_setup_memmap_entries(). As KASAN reports: BUG: KASAN: vmalloc-out-of-bounds in crash_setup_memmap_entries+0x17e/0x3a0 Write of size 8 at addr ffffc90000426008 by task kexec/1187 (gdb) list *crash_setup_memmap_entries+0x17e 0xffffffff8107cafe is in crash_setup_memmap_entries (arch/x86/kernel/crash.c:322). 317 unsigned long long mend) 318 { 319 unsigned long start, end; 320 321 cmem->ranges[0].start = mstart; 322 cmem->ranges[0].end = mend; 323 cmem->nr_ranges = 1; 324 325 /* Exclude elf header region */ 326 start = image->arch.elf_load_addr; (gdb) Make sure the ranges array becomes a single element allocated. [ bp: Write a proper commit message. ] Fixes: dd5f726076cc ("kexec: support for kexec on panic using new system call") Signed-off-by: Mike Galbraith Signed-off-by: Borislav Petkov Reviewed-by: Dave Young Cc: Link: https://lkml.kernel.org/r/725fa3dc1da2737f0f6188a1a9701bead257ea9d.camel@gmx.de commit 0e1e71d34901a633825cd5ae78efaf8abd9215c6 Author: Steven Rostedt (VMware) Date: Mon Apr 19 14:23:12 2021 -0400 tracing: Fix checking event hash pointer logic when tp_printk is enabled Pointers in events that are printed are unhashed if the flags allow it, and the logic to do so is called before processing the event output from the raw ring buffer. In most cases, this is done when a user reads one of the trace files. But if tp_printk is added on the kernel command line, this logic is done for trace events when they are triggered, and their output goes out via printk. The unhash logic (and even the validation of the output) did not support the tp_printk output, and would crash. Link: https://lore.kernel.org/linux-tegra/9835d9f1-8d3a-3440-c53f-516c2606ad07@nvidia.com/ Fixes: efbbdaa22bb7 ("tracing: Show real address for trace event arguments") Reported-by: Jon Hunter Tested-by: Jon Hunter Signed-off-by: Steven Rostedt (VMware) commit 2d292995bb8f49a2596bef522679c1e1454f3230 Merge: d2b9935d65dab 6b5b2a5bcfe9a Author: Rodrigo Vivi Date: Tue Apr 20 09:41:32 2021 -0400 Merge tag 'gvt-fixes-2021-04-20' of https://github.com/intel/gvt-linux into drm-intel-fixes gvt-fixes-2021-04-20 - Fix cmd parser regression on BDW (Zhenyu) Signed-off-by: Rodrigo Vivi From: Zhenyu Wang Link: https://patchwork.freedesktop.org/patch/msgid/20210420023312.GL1551@zhen-hp.sh.intel.com commit 7af08140979a6e7e12b78c93b8625c8d25b084e2 Author: Linus Torvalds Date: Mon Apr 19 15:08:49 2021 -0700 Revert "gcov: clang: fix clang-11+ build" This reverts commit 04c53de57cb6435738961dace8b1b71d3ecd3c39. Nathan Chancellor points out that it should not have been merged into mainline by itself. It was a fix for "gcov: use kvmalloc()", which is still in -mm/-next. Merging it alone has broken the build. Link: https://github.com/ClangBuiltLinux/continuous-integration2/runs/2384465683?check_suite_focus=true Reported-by: Nathan Chancellor Cc: Johannes Berg Cc: Nick Desaulniers Cc: Andrew Morton Signed-off-by: Linus Torvalds commit d2b9935d65dab6e92beb33c150c1a6ded14ab670 Author: Imre Deak Date: Tue Apr 13 02:24:12 2021 +0300 drm/i915: Fix modesetting in case of unexpected AUX timeouts In case AUX failures happen unexpectedly during a modeset, the driver should still complete the modeset. In particular the driver should perform the link training sequence steps even in case of an AUX failure, as this sequence also includes port initialization steps. Not doing that can leave the port/pipe in a broken state and lead for instance to a flip done timeout. Fix this by continuing with link training (in a no-LTTPR mode) if the DPRX DPCD readout failed for some reason at the beginning of link training. After a successful connector detection we already have the DPCD read out and cached, so the failed repeated read for it should not cause a problem. Note that a partial AUX read could in theory partly overwrite the cached DPCD (and return error) but this overwrite should not happen if the returned values are corrupted (due to a timeout or some other IO error). Kudos to Ville to root cause the problem. Fixes: 7dffbdedb96a ("drm/i915: Disable LTTPR support when the DPCD rev < 1.4") References: https://gitlab.freedesktop.org/drm/intel/-/issues/3308 Cc: stable@vger.kernel.org # 5.11 Cc: Ville Syrjälä Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210412232413.2755054-1-imre.deak@intel.com (cherry picked from commit e42e7e585984b85b0fb9dd1fefc85ee4800ca629) Signed-off-by: Rodrigo Vivi [adjusted Fixes: tag] commit 0c89d87d1d43d9fa268d1dc489518564d58bf497 Author: Zhouyi Zhou Date: Sat Apr 10 15:35:23 2021 +0800 preempt/dynamic: Fix typo in macro conditional statement Commit 40607ee97e4e ("preempt/dynamic: Provide irqentry_exit_cond_resched() static call") tried to provide irqentry_exit_cond_resched() static call in irqentry_exit, but has a typo in macro conditional statement. Fixes: 40607ee97e4e ("preempt/dynamic: Provide irqentry_exit_cond_resched() static call") Signed-off-by: Zhouyi Zhou Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20210410073523.5493-1-zhouzhouyi@gmail.com commit 7412dee9f1fd3e224202b633fdfa6eeaebe0307e Author: Neil Armstrong Date: Fri Apr 16 11:43:47 2021 +0200 mmc: meson-gx: replace WARN_ONCE with dev_warn_once about scatterlist size alignment in block mode Since commit e085b51c74cc ("mmc: meson-gx: check for scatterlist size alignment in block mode"), support for SDIO SD_IO_RW_EXTENDED transferts are properly filtered but some driver like brcmfmac still gives a block sg buffer size not aligned with SDIO block, triggerring a WARN_ONCE() with scary stacktrace even if the transfer works fine but with possible degraded performances. Simply replace with dev_warn_once() to inform user this should be fixed to avoid degraded performance. This should be ultimately fixed in brcmfmac, but since it's only a performance issue the warning should be removed. Fixes: e085b51c74cc ("mmc: meson-gx: check for scatterlist size alignment in block mode") Reported-by: Marek Szyprowski Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/20210416094347.2015896-1-narmstrong@baylibre.com Signed-off-by: Ulf Hansson commit bf05bf16c76bb44ab5156223e1e58e26dfe30a88 Author: Linus Torvalds Date: Sun Apr 18 14:45:32 2021 -0700 Linux 5.12-rc8 commit 5ffe04ccd69ae56af304ff7f98fbdaa4478ed47e Merge: f5ce0466dc963 b9a9786a13ea1 Author: Linus Torvalds Date: Sun Apr 18 13:23:26 2021 -0700 Merge tag 'arm-fixes-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "Another smaller set of fixes for three of the Arm platforms: TI OMAP: Fix swapped mmc device order also for omap3 that got changed with the recent PROBE_PREFER_ASYNCHRONOUS changes. While eventually the aliases should be board specific, all the mmc device instances are all there in the SoC, and we do probe them by default so that PM runtime can idle the devices if left enabled from the bootloader. Qualcomm Snapdragon: This bypasses the recently introduced interconnect handling in the GENI (serial engine) driver when running off ACPI, as this causes the GENI probe to fail and the Lenovo Yoga C630 to boot without keyboard and touchpad. Allwinner: One 32kHz clock fix for the beelink gs1, a CD polarity fix for the SoPine, some MAINTAINERS maintainance, and a clk / reset switch to our headers" * tag 'arm-fixes-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference MAINTAINERS: Match on allwinner keyword MAINTAINERS: Add our new mailing-list arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems arm64: dts: allwinner: h6: Switch to macros for RSB clock/reset indices ARM: OMAP2+: Fix uninitialized sr_inst ARM: dts: Fix swapped mmc order for omap3 ARM: OMAP2+: Fix warning for omap_init_time_of() soc: qcom: geni: shield geni_icc_get() for ACPI boot commit f5ce0466dc96326e07b52b8fc170c91bc234beb3 Merge: c98ff1d013d2d d2f7eca60b290 Author: Linus Torvalds Date: Sun Apr 18 11:55:31 2021 -0700 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: - Halve maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled - Fix conversion for_each_membock() to for_each_mem_range() - Fix footbridge PCI mapping - Avoid uprobes hooking on thumb instructions * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 9071/1: uprobes: Don't hook on thumb instructions ARM: footbridge: fix PCI interrupt mapping ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to for_each_mem_range() ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled commit d2f7eca60b29006285d57c7035539e33300e89e5 Author: Fredrik Strupe Date: Mon Apr 5 21:52:05 2021 +0100 ARM: 9071/1: uprobes: Don't hook on thumb instructions Since uprobes is not supported for thumb, check that the thumb bit is not set when matching the uprobes instruction hooks. The Arm UDF instructions used for uprobes triggering (UPROBE_SWBP_ARM_INSN and UPROBE_SS_ARM_INSN) coincidentally share the same encoding as a pair of unallocated 32-bit thumb instructions (not UDF) when the condition code is 0b1111 (0xf). This in effect makes it possible to trigger the uprobes functionality from thumb, and at that using two unallocated instructions which are not permanently undefined. Signed-off-by: Fredrik Strupe Cc: stable@vger.kernel.org Fixes: c7edc9e326d5 ("ARM: add uprobes support") Signed-off-by: Russell King commit c98ff1d013d2d53911c4b3e8ba14c7cd141cf1ed Merge: aba5970c4da00 176ddd89171dd Author: Linus Torvalds Date: Sat Apr 17 20:25:33 2021 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Two fixes: the libsas fix is for a problem that occurs when trying to change the cache type of an ATA device and the libiscsi one is a regression fix from this merge window" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: libsas: Reset num_scatter if libata marks qc as NODATA scsi: iscsi: Fix iSCSI cls conn state commit aba5970c4da0059ed8052188a341a85ac8845d6f Merge: 194cf48256382 796b556cbfdbe Author: Linus Torvalds Date: Sat Apr 17 20:00:36 2021 -0700 Merge tag 'drm-fixes-2021-04-18' of git://anongit.freedesktop.org/drm/drm Pull vmwgfx fixes from Dave Airlie: "This contains two regression fixes for vmwgfx, one due to a refactor which meant locks were being used before initialisation, and the other in fixing up some warnings from the core when destroying pinned buffers. vmwgfx: - fixed unpinning before destruction - lockdep init reordering" * tag 'drm-fixes-2021-04-18' of git://anongit.freedesktop.org/drm/drm: drm/vmwgfx: Make sure bo's are unpinned before putting them back drm/vmwgfx: Fix the lockdep breakage drm/vmwgfx: Make sure we unpin no longer needed buffers commit 796b556cbfdbe0d65b9793e63653ad24f9fa033c Merge: 4d2e1288372cc 2ef4fb92363c4 Author: Dave Airlie Date: Sun Apr 18 09:26:54 2021 +1000 Merge tag 'vmwgfx-fixes-2021-04-14' of gitlab.freedesktop.org:zack/vmwgfx into drm-fixes vmwgfx fixes for regressions in 5.12 Here's a set of 3 patches fixing ugly regressions in the vmwgfx driver. We broke lock initialization code and ended up using spinlocks before initialization breaking lockdep. Also there was a bit of a fallout from drm changes which made the core validate that unreferenced buffers have been unpinned. vmwgfx pinning code predates a lot of the core drm and wasn't written to account for those semantics. Fortunately changes required to fix it are not too intrusive. The changes have been validated by our internal ci. Signed-off-by: Zack Rusin Signed-off-by: Dave Airlie From: Zack Rusin Link: https://patchwork.freedesktop.org/patch/msgid/f7add0a2-162e-3bd2-b1be-344a94f2acbf@vmware.com commit 194cf4825638256e9afe1d360831aa5379b3517a Merge: 0c93ac69407d6 39930213e7779 Author: Linus Torvalds Date: Sat Apr 17 12:01:51 2021 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fix from Wolfram Sang: "One more driver bugfix for I2C" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: mv64xxx: Fix random system lock caused by runtime PM commit 0c93ac69407d63a85be0129aa55ffaec27ffebd3 Author: Linus Torvalds Date: Sat Apr 17 09:27:04 2021 -0700 readdir: make sure to verify directory entry for legacy interfaces too This does the directory entry name verification for the legacy "fillonedir" (and compat) interface that goes all the way back to the dark ages before we had a proper dirent, and the readdir() system call returned just a single entry at a time. Nobody should use this interface unless you still have binaries from 1991, but let's do it right. This came up during discussions about unsafe_copy_to_user() and proper checking of all the inputs to it, as the networking layer is looking to use it in a few new places. So let's make sure the _old_ users do it all right and proper, before we add new ones. See also commit 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid") which did the proper modern interfaces that people actually use. It had a note: Note that I didn't bother adding the checks to any legacy interfaces that nobody uses. which this now corrects. Note that we really don't care about POSIX and the presense of '/' in a directory entry, but verify_dirent_name() also ends up doing the proper name length verification which is what the input checking discussion was about. [ Another option would be to remove the support for this particular very old interface: any binaries that use it are likely a.out binaries, and they will no longer run anyway since we removed a.out binftm support in commit eac616557050 ("x86: Deprecate a.out support"). But I'm not sure which came first: getdents() or ELF support, so let's pretend somebody might still have a working binary that uses the legacy readdir() case.. ] Link: https://lore.kernel.org/lkml/CAHk-=wjbvzCAhAtvG0d81W5o0-KT5PPTHhfJ5ieDFq+bGtgOYg@mail.gmail.com/ Acked-by: Al Viro Signed-off-by: Linus Torvalds commit 88a5af943985fb43b4c9472b5abd9c0b9705533d Merge: bdfd99e6d6bd6 f2764bd4f6a8d Author: Linus Torvalds Date: Sat Apr 17 09:57:15 2021 -0700 Merge tag 'net-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Networking fixes for 5.12-rc8, including fixes from netfilter, and bpf. BPF verifier changes stand out, otherwise things have slowed down. Current release - regressions: - gro: ensure frag0 meets IP header alignment - Revert "net: stmmac: re-init rx buffers when mac resume back" - ethernet: macb: fix the restore of cmp registers Previous releases - regressions: - ixgbe: Fix NULL pointer dereference in ethtool loopback test - ixgbe: fix unbalanced device enable/disable in suspend/resume - phy: marvell: fix detection of PHY on Topaz switches - make tcp_allowed_congestion_control readonly in non-init netns - xen-netback: Check for hotplug-status existence before watching Previous releases - always broken: - bpf: mitigate a speculative oob read of up to map value size by tightening the masking window - sctp: fix race condition in sctp_destroy_sock - sit, ip6_tunnel: Unregister catch-all devices - netfilter: nftables: clone set element expression template - netfilter: flowtable: fix NAT IPv6 offload mangling - net: geneve: check skb is large enough for IPv4/IPv6 header - netlink: don't call ->netlink_bind with table lock held" * tag 'net-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (52 commits) netlink: don't call ->netlink_bind with table lock held MAINTAINERS: update my email bpf: Update selftests to reflect new error states bpf: Tighten speculative pointer arithmetic mask bpf: Move sanitize_val_alu out of op switch bpf: Refactor and streamline bounds check into helper bpf: Improve verifier error messages for users bpf: Rework ptr_limit into alu_limit and add common error path bpf: Ensure off_reg has no mixed signed bounds for all types bpf: Move off_reg into sanitize_ptr_alu bpf: Use correct permission flag for mixed signed bounds arithmetic ch_ktls: do not send snd_una update to TCB in middle ch_ktls: tcb close causes tls connection failure ch_ktls: fix device connection close ch_ktls: Fix kernel panic i40e: fix the panic when running bpf in xdpdrv mode net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta net/mlx5e: Fix setting of RS FEC mode net/mlx5: Fix setting of devlink traps in switchdev mode Revert "net: stmmac: re-init rx buffers when mac resume back" ... commit bdfd99e6d6bd690b47bd1d45dad218bf08be1dde Merge: 7c22677407243 11d2498f1568a Author: Linus Torvalds Date: Sat Apr 17 09:40:44 2021 -0700 Merge tag 'libnvdimm-fixes-for-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm Pull libnvdimm fixes from Dan Williams: "The largest change is for a regression that landed during -rc1 for block-device read-only handling. Vaibhav found a new use for the ability (originally introduced by virtio_pmem) to call back to the platform to flush data, but also found an original bug in that implementation. Lastly, Arnd cleans up some compile warnings in dax. This has all appeared in -next with no reported issues. Summary: - Fix a regression of read-only handling in the pmem driver - Fix a compile warning - Fix support for platform cache flush commands on powerpc/papr" * tag 'libnvdimm-fixes-for-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm: libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC libnvdimm: Notify disk drivers to revalidate region read-only dax: avoid -Wempty-body warnings commit 7c22677407243d63df3aee1bb2f6d9aa12c01a24 Merge: fdb5d6cab638a fae8817ae804a Author: Linus Torvalds Date: Sat Apr 17 09:30:58 2021 -0700 Merge tag 'cxl-fixes-for-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl Pull CXL memory class fixes from Dan Williams: "A collection of fixes for the CXL memory class driver introduced in this release cycle. The driver was primarily developed on a work-in-progress QEMU emulation of the interface and we have since found a couple places where it hid spec compliance bugs in the driver, or had a spec implementation bug itself. The biggest change here is replacing a percpu_ref with an rwsem to cleanup a couple bugs in the error unwind path during ioctl device init. Lastly there were some minor cleanups to not export the power-management sysfs-ABI for the ioctl device, use the proper sysfs helper for emitting values, and prevent subtle bugs as new administration commands are added to the supported list. The bulk of it has appeared in -next save for the top commit which was found today and validated on a fixed-up QEMU model. Summary: - Fix support for CXL memory devices with registers offset from the BAR base. - Fix the reporting of device capacity. - Fix the driver commands list definition to be disconnected from the UAPI command list. - Replace percpu_ref with rwsem to fix initialization error path. - Fix leaks in the driver initialization error path. - Drop the power/ directory from CXL device sysfs. - Use the recommended sysfs helper for attribute 'show' implementations" * tag 'cxl-fixes-for-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/cxl/cxl: cxl/mem: Fix memory device capacity probing cxl/mem: Fix register block offset calculation cxl/mem: Force array size of mem_commands[] to CXL_MEM_COMMAND_ID_MAX cxl/mem: Disable cxl device power management cxl/mem: Do not rely on device_add() side effects for dev_set_name() failures cxl/mem: Fix synchronization mechanism for device removal vs ioctl operations cxl/mem: Use sysfs_emit() for attribute show routines commit fdb5d6cab638a2881687b59b27817c74d8efac76 Merge: 9cdbf64674240 c95c2d328cd05 Author: Linus Torvalds Date: Sat Apr 17 08:38:23 2021 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "12 patches. Subsystems affected by this patch series: mm (documentation, kasan, and pagemap), csky, ia64, gcov, and lib" * emailed patches from Andrew Morton : lib: remove "expecting prototype" kernel-doc warnings gcov: clang: fix clang-11+ build mm: ptdump: fix build failure mm/mapping_dirty_helpers: guard hugepage pud's usage ia64: tools: remove duplicate definition of ia64_mf() on ia64 ia64: tools: remove inclusion of ia64-specific version of errno.h header ia64: fix discontig.c section mismatches ia64: remove duplicate entries in generic_defconfig csky: change a Kconfig symbol name to fix e1000 build error kasan: remove redundant config option kasan: fix hwasan build for gcc mm: eliminate "expecting prototype" kernel-doc warnings commit 84a24bf8c52e66b7ac89ada5e3cfbe72d65c1896 Author: Ali Saidi Date: Thu Apr 15 17:27:11 2021 +0000 locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond_read_acquire(), but only truly acquires the lock when the compare-and-exchange is completed successfully which isn’t ordered. This exposes the window between the acquire and the cmpxchg to an A-B-A problem which allows reads following the lock acquisition to observe values speculatively before the write lock is truly acquired. We've seen a problem in epoll where the reader does a xchg while holding the read lock, but the writer can see a value change out from under it. Writer | Reader -------------------------------------------------------------------------------- ep_scan_ready_list() | |- write_lock_irq() | |- queued_write_lock_slowpath() | |- atomic_cond_read_acquire() | | read_lock_irqsave(&ep->lock, flags); --> (observes value before unlock) | chain_epi_lockless() | | epi->next = xchg(&ep->ovflist, epi); | | read_unlock_irqrestore(&ep->lock, flags); | | | atomic_cmpxchg_relaxed() | |-- READ_ONCE(ep->ovflist); | A core can order the read of the ovflist ahead of the atomic_cmpxchg_relaxed(). Switching the cmpxchg to use acquire semantics addresses this issue at which point the atomic_cond_read can be switched to use relaxed semantics. Fixes: b519b56e378ee ("locking/qrwlock: Use atomic_cond_read_acquire() when spinning in qrwlock") Signed-off-by: Ali Saidi [peterz: use try_cmpxchg()] Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steve Capper Acked-by: Will Deacon Acked-by: Waiman Long Tested-by: Steve Capper commit fae8817ae804a682c6823ad1672438f39fc46c28 Author: Dan Williams Date: Fri Apr 16 17:43:30 2021 -0700 cxl/mem: Fix memory device capacity probing The CXL Identify Memory Device output payload emits capacity in 256MB units. The driver is treating the capacity field as bytes. This was missed because QEMU reports bytes when it should report bytes / 256MB. Fixes: 8adaf747c9f0 ("cxl/mem: Find device capabilities") Reviewed-by: Vishal Verma Cc: Ben Widawsky Link: https://lore.kernel.org/r/161862021044.3259705.7008520073059739760.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit f2764bd4f6a8dffaec3e220728385d9756b3c2cb Author: Florian Westphal Date: Fri Apr 16 21:29:13 2021 +0200 netlink: don't call ->netlink_bind with table lock held When I added support to allow generic netlink multicast groups to be restricted to subscribers with CAP_NET_ADMIN I was unaware that a genl_bind implementation already existed in the past. It was reverted due to ABBA deadlock: 1. ->netlink_bind gets called with the table lock held. 2. genetlink bind callback is invoked, it grabs the genl lock. But when a new genl subsystem is (un)registered, these two locks are taken in reverse order. One solution would be to revert again and add a comment in genl referring 1e82a62fec613, "genetlink: remove genl_bind"). This would need a second change in mptcp to not expose the raw token value anymore, e.g. by hashing the token with a secret key so userspace can still associate subflow events with the correct mptcp connection. However, Paolo Abeni reminded me to double-check why the netlink table is locked in the first place. I can't find one. netlink_bind() is already called without this lock when userspace joins a group via NETLINK_ADD_MEMBERSHIP setsockopt. Same holds for the netlink_unbind operation. Digging through the history, commit f773608026ee1 ("netlink: access nlk groups safely in netlink bind and getname") expanded the lock scope. commit 3a20773beeeeade ("net: netlink: cap max groups which will be considered in netlink_bind()") ... removed the nlk->ngroups access that the lock scope extension was all about. Reduce the lock scope again and always call ->netlink_bind without the table lock. The Fixes tag should be vs. the patch mentioned in the link below, but that one got squash-merged into the patch that came earlier in the series. Fixes: 4d54cc32112d8d ("mptcp: avoid lock_fast usage in accept path") Link: https://lore.kernel.org/mptcp/20210213000001.379332-8-mathew.j.martineau@linux.intel.com/T/#u Cc: Cong Wang Cc: Xin Long Cc: Johannes Berg Cc: Sean Tranchetti Cc: Paolo Abeni Cc: Pablo Neira Ayuso Signed-off-by: Florian Westphal Signed-off-by: David S. Miller commit 9cdbf6467424045617cd6e79dcaad06bb8efa31c Merge: 151501160401e c7d95613c7d6e Author: Linus Torvalds Date: Fri Apr 16 16:18:53 2021 -0700 Merge tag 'io_uring-5.12-2021-04-16' of git://git.kernel.dk/linux-block Pull io_uring fix from Jens Axboe: "Fix for a potential hang at exit with SQPOLL from Pavel" * tag 'io_uring-5.12-2021-04-16' of git://git.kernel.dk/linux-block: io_uring: fix early sqd_list removal sqpoll hangs commit c95c2d328cd051484bea161e66dfa715c02a7d7e Author: Randy Dunlap Date: Fri Apr 16 15:46:26 2021 -0700 lib: remove "expecting prototype" kernel-doc warnings Fix various kernel-doc warnings in lib/ due to missing or erroneous function names. Add kernel-doc for some function parameters that was missing. Use kernel-doc "Return:" notation in earlycpio.c. Quietens the following warnings: lib/earlycpio.c:61: warning: expecting prototype for cpio_data find_cpio_data(). Prototype was for find_cpio_data() instead lib/lru_cache.c:640: warning: expecting prototype for lc_dump(). Prototype was for lc_seq_dump_details() instead lru_cache.c:90: warning: Function parameter or member 'cache' not described in 'lc_create' lib/parman.c:368: warning: expecting prototype for parman_item_del(). Prototype was for parman_item_remove() instead parman.c:309: warning: Excess function parameter 'prority' description in 'parman_prio_init' lib/radix-tree.c:703: warning: expecting prototype for __radix_tree_insert(). Prototype was for radix_tree_insert() instead radix-tree.c:180: warning: Excess function parameter 'addr' description in 'radix_tree_find_next_bit' radix-tree.c:180: warning: Excess function parameter 'size' description in 'radix_tree_find_next_bit' radix-tree.c:931: warning: Function parameter or member 'iter' not described in 'radix_tree_iter_replace' Link: https://lkml.kernel.org/r/20210411221756.15461-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Cc: Philipp Reisner Cc: Lars Ellenberg Cc: Jiri Pirko Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 04c53de57cb6435738961dace8b1b71d3ecd3c39 Author: Johannes Berg Date: Fri Apr 16 15:46:23 2021 -0700 gcov: clang: fix clang-11+ build With clang-11+, the code is broken due to my kvmalloc() conversion (which predated the clang-11 support code) leaving one vmalloc() in place. Fix that. Link: https://lkml.kernel.org/r/20210412214210.6e1ecca9cdc5.I24459763acf0591d5e6b31c7e3a59890d802f79c@changeid Signed-off-by: Johannes Berg Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 458376913d86bed2fb781b4952eb6861675ef3be Author: Christophe Leroy Date: Fri Apr 16 15:46:20 2021 -0700 mm: ptdump: fix build failure READ_ONCE() cannot be used for reading PTEs. Use ptep_get() instead, to avoid the following errors: CC mm/ptdump.o In file included from : mm/ptdump.c: In function 'ptdump_pte_entry': include/linux/compiler_types.h:320:38: error: call to '__compiletime_assert_207' declared with attribute error: Unsupported access size for {READ,WRITE}_ONCE(). 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^ include/linux/compiler_types.h:301:4: note: in definition of macro '__compiletime_assert' 301 | prefix ## suffix(); \ | ^~~~~~ include/linux/compiler_types.h:320:2: note: in expansion of macro '_compiletime_assert' 320 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | ^~~~~~~~~~~~~~~~~~~ include/asm-generic/rwonce.h:36:2: note: in expansion of macro 'compiletime_assert' 36 | compiletime_assert(__native_word(t) || sizeof(t) == sizeof(long long), \ | ^~~~~~~~~~~~~~~~~~ include/asm-generic/rwonce.h:49:2: note: in expansion of macro 'compiletime_assert_rwonce_type' 49 | compiletime_assert_rwonce_type(x); \ | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ mm/ptdump.c:114:14: note: in expansion of macro 'READ_ONCE' 114 | pte_t val = READ_ONCE(*pte); | ^~~~~~~~~ make[2]: *** [mm/ptdump.o] Error 1 See commit 481e980a7c19 ("mm: Allow arches to provide ptep_get()") and commit c0e1c8c22beb ("powerpc/8xx: Provide ptep_get() with 16k pages") for details. Link: https://lkml.kernel.org/r/912b349e2bcaa88939904815ca0af945740c6bd4.1618478922.git.christophe.leroy@csgroup.eu Fixes: 30d621f6723b ("mm: add generic ptdump") Signed-off-by: Christophe Leroy Cc: Steven Price Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 94036f4c884377bdf2da1ba7666c9599d6df0191 Author: Zack Rusin Date: Fri Apr 16 15:46:18 2021 -0700 mm/mapping_dirty_helpers: guard hugepage pud's usage Mapping dirty helpers have, so far, been only used on X86, but a port of vmwgfx to ARM64 exposed a problem which results in a compilation error on ARM64 systems: mm/mapping_dirty_helpers.c: In function `wp_clean_pud_entry': mm/mapping_dirty_helpers.c:172:32: error: implicit declaration of function `pud_dirty'; did you mean `pmd_dirty'? [-Werror=implicit-function-declaration] This is due to the fact that mapping_dirty_helpers code assumes that pud_dirty is always defined, which is not the case for architectures that don't define CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD. ARM64 arch is a little inconsistent when it comes to PUD hugepage helpers, e.g. it defines pud_young but not pud_dirty but regardless of that the core kernel code shouldn't assume that any of the PUD hugepage helpers are available unless CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE_PUD is defined. This prevents compilation errors whenever one of the drivers is ported to new architectures. Link: https://lkml.kernel.org/r/20210409165151.694574-1-zackr@vmware.com Signed-off-by: Zack Rusin Reviewed-by: Thomas Hellstrm (Intel) Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f4bf09dc3aaa4b07cd15630f2023f68cb2668809 Author: John Paul Adrian Glaubitz Date: Fri Apr 16 15:46:15 2021 -0700 ia64: tools: remove duplicate definition of ia64_mf() on ia64 The ia64_mf() macro defined in tools/arch/ia64/include/asm/barrier.h is already defined in on ia64 which causes libbpf failing to build: CC /usr/src/linux/tools/bpf/bpftool//libbpf/staticobjs/libbpf.o In file included from /usr/src/linux/tools/include/asm/barrier.h:24, from /usr/src/linux/tools/include/linux/ring_buffer.h:4, from libbpf.c:37: /usr/src/linux/tools/include/asm/../../arch/ia64/include/asm/barrier.h:43: error: "ia64_mf" redefined [-Werror] 43 | #define ia64_mf() asm volatile ("mf" ::: "memory") | In file included from /usr/include/ia64-linux-gnu/asm/intrinsics.h:20, from /usr/include/ia64-linux-gnu/asm/swab.h:11, from /usr/include/linux/swab.h:8, from /usr/include/linux/byteorder/little_endian.h:13, from /usr/include/ia64-linux-gnu/asm/byteorder.h:5, from /usr/src/linux/tools/include/uapi/linux/perf_event.h:20, from libbpf.c:36: /usr/include/ia64-linux-gnu/asm/gcc_intrin.h:382: note: this is the location of the previous definition 382 | #define ia64_mf() __asm__ volatile ("mf" ::: "memory") | cc1: all warnings being treated as errors Thus, remove the definition from tools/arch/ia64/include/asm/barrier.h. Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 17786fea414393813b56e33a1a01b2dfa03c0915 Author: John Paul Adrian Glaubitz Date: Fri Apr 16 15:46:12 2021 -0700 ia64: tools: remove inclusion of ia64-specific version of errno.h header There is no longer an ia64-specific version of the errno.h header below arch/ia64/include/uapi/asm/, so trying to build tools/bpf fails with: CC /usr/src/linux/tools/bpf/bpftool/btf_dumper.o In file included from /usr/src/linux/tools/include/linux/err.h:8, from btf_dumper.c:11: /usr/src/linux/tools/include/uapi/asm/errno.h:13:10: fatal error: ../../../arch/ia64/include/uapi/asm/errno.h: No such file or directory 13 | #include "../../../arch/ia64/include/uapi/asm/errno.h" | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ compilation terminated. Thus, just remove the inclusion of the ia64-specific errno.h so that the build will use the generic errno.h header on this target which was used there anyway as the ia64-specific errno.h was just a wrapper for the generic header. Fixes: c25f867ddd00 ("ia64: remove unneeded uapi asm-generic wrappers") Signed-off-by: John Paul Adrian Glaubitz Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e2af9da4f867a1a54f1252bf3abc1a5c63951778 Author: Randy Dunlap Date: Fri Apr 16 15:46:09 2021 -0700 ia64: fix discontig.c section mismatches Fix IA64 discontig.c Section mismatch warnings. When CONFIG_SPARSEMEM=y and CONFIG_MEMORY_HOTPLUG=y, the functions computer_pernodesize() and scatter_node_data() should not be marked as __meminit because they are needed after init, on any memory hotplug event. Also, early_nr_cpus_node() is called by compute_pernodesize(), so early_nr_cpus_node() cannot be __meminit either. WARNING: modpost: vmlinux.o(.text.unlikely+0x1612): Section mismatch in reference from the function arch_alloc_nodedata() to the function .meminit.text:compute_pernodesize() The function arch_alloc_nodedata() references the function __meminit compute_pernodesize(). This is often because arch_alloc_nodedata lacks a __meminit annotation or the annotation of compute_pernodesize is wrong. WARNING: modpost: vmlinux.o(.text.unlikely+0x1692): Section mismatch in reference from the function arch_refresh_nodedata() to the function .meminit.text:scatter_node_data() The function arch_refresh_nodedata() references the function __meminit scatter_node_data(). This is often because arch_refresh_nodedata lacks a __meminit annotation or the annotation of scatter_node_data is wrong. WARNING: modpost: vmlinux.o(.text.unlikely+0x1502): Section mismatch in reference from the function compute_pernodesize() to the function .meminit.text:early_nr_cpus_node() The function compute_pernodesize() references the function __meminit early_nr_cpus_node(). This is often because compute_pernodesize lacks a __meminit annotation or the annotation of early_nr_cpus_node is wrong. Link: https://lkml.kernel.org/r/20210411001201.3069-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Cc: Mike Rapoport Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 19d000d93303e05bd7b1326e3de9df05a41b25b5 Author: Randy Dunlap Date: Fri Apr 16 15:46:06 2021 -0700 ia64: remove duplicate entries in generic_defconfig Fix ia64 generic_defconfig duplicate entries, as warned by: arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA: => 58 arch/ia64/configs/generic_defconfig: warning: override: reassigning to symbol ATA_PIIX: => 59 These 2 symbols still have the same value as in the removed lines. Link: https://lkml.kernel.org/r/20210411020255.18052-1-rdunlap@infradead.org Fixes: c331649e6371 ("ia64: Use libata instead of the legacy ide driver in defconfigs") Signed-off-by: Randy Dunlap Reported-by: Geert Uytterhoeven Reviewed-by: Christoph Hellwig Cc: Tony Luck Cc: Fenghua Yu Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d199161653d612b8fb96ac51bfd5b2d2782ecef3 Author: Randy Dunlap Date: Fri Apr 16 15:46:03 2021 -0700 csky: change a Kconfig symbol name to fix e1000 build error e1000's #define of CONFIG_RAM_BASE conflicts with a Kconfig symbol in arch/csky/Kconfig. The symbol in e1000 has been around longer, so change arch/csky/ to use DRAM_BASE instead of RAM_BASE to remove the conflict. (although e1000 is also a 2-line change) Link: https://lkml.kernel.org/r/20210411055335.7111-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Reported-by: kernel test robot Acked-by: Guo Ren Cc: Jesse Brandeburg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 02c587733c8161355a43e6e110c2e29bd0acff72 Author: Walter Wu Date: Fri Apr 16 15:46:00 2021 -0700 kasan: remove redundant config option CONFIG_KASAN_STACK and CONFIG_KASAN_STACK_ENABLE both enable KASAN stack instrumentation, but we should only need one config, so that we remove CONFIG_KASAN_STACK_ENABLE and make CONFIG_KASAN_STACK workable. see [1]. When enable KASAN stack instrumentation, then for gcc we could do no prompt and default value y, and for clang prompt and default value n. This patch fixes the following compilation warning: include/linux/kasan.h:333:30: warning: 'CONFIG_KASAN_STACK' is not defined, evaluates to 0 [-Wundef] [akpm@linux-foundation.org: fix merge snafu] Link: https://bugzilla.kernel.org/show_bug.cgi?id=210221 [1] Link: https://lkml.kernel.org/r/20210226012531.29231-1-walter-zh.wu@mediatek.com Fixes: d9b571c885a8 ("kasan: fix KASAN_STACK dependency for HW_TAGS") Signed-off-by: Walter Wu Suggested-by: Dmitry Vyukov Reviewed-by: Nathan Chancellor Acked-by: Arnd Bergmann Reviewed-by: Andrey Konovalov Cc: Andrey Ryabinin Cc: Dmitry Vyukov Cc: Alexander Potapenko Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 5c595ac4c776c44b5c59de22ab43b3fe256d9fbb Author: Arnd Bergmann Date: Fri Apr 16 15:45:57 2021 -0700 kasan: fix hwasan build for gcc gcc-11 adds support for -fsanitize=kernel-hwaddress, so it becomes possible to enable CONFIG_KASAN_SW_TAGS. Unfortunately this fails to build at the moment, because the corresponding command line arguments use llvm specific syntax. Change it to use the cc-param macro instead, which works on both clang and gcc. [elver@google.com: fixup for "kasan: fix hwasan build for gcc"] Link: https://lkml.kernel.org/r/YHQZVfVVLE/LDK2v@elver.google.com Link: https://lkml.kernel.org/r/20210323124112.1229772-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Signed-off-by: Marco Elver Reviewed-by: Marco Elver Acked-by: Andrey Konovalov Cc: Masahiro Yamada Cc: Michal Marek Cc: Andrey Ryabinin Cc: Nathan Chancellor Cc: Nick Desaulniers Cc: Alexander Potapenko Cc: Dmitry Vyukov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 845be1cd34464620861b457b808e5fb2115d06b0 Author: Randy Dunlap Date: Fri Apr 16 15:45:54 2021 -0700 mm: eliminate "expecting prototype" kernel-doc warnings Fix stray kernel-doc warnings in mm/ due to mis-typed or missing function names. Quietens these kernel-doc warnings: mm/mmu_gather.c:264: warning: expecting prototype for tlb_gather_mmu(). Prototype was for __tlb_gather_mmu() instead mm/oom_kill.c:180: warning: expecting prototype for Check whether unreclaimable slab amount is greater than(). Prototype was for should_dump_unreclaim_slab() instead mm/shuffle.c:155: warning: expecting prototype for shuffle_free_memory(). Prototype was for __shuffle_free_memory() instead Link: https://lkml.kernel.org/r/20210411210642.11362-1-rdunlap@infradead.org Signed-off-by: Randy Dunlap Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit b02265429681c9c827c45978a61a9f00be5ea9aa Merge: 6b389c16378a0 d7a5091351756 Author: David S. Miller Date: Fri Apr 16 15:48:08 2021 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2021-04-17 The following pull-request contains BPF updates for your *net* tree. We've added 10 non-merge commits during the last 9 day(s) which contain a total of 8 files changed, 175 insertions(+), 111 deletions(-). The main changes are: 1) Fix a potential NULL pointer dereference in libbpf's xsk umem handling, from Ciara Loftus. 2) Mitigate a speculative oob read of up to map value size by tightening the masking window, from Daniel Borkmann. ==================== Signed-off-by: David S. Miller commit 6b389c16378a03fe71f3b1365b593ba41d2dd8ec Author: Lijun Pan Date: Thu Apr 15 23:18:13 2021 -0500 MAINTAINERS: update my email Update my email and change myself to Reviewer. Signed-off-by: Lijun Pan Signed-off-by: David S. Miller commit d7a5091351756d0ae8e63134313c455624e36a13 Author: Daniel Borkmann Date: Wed Mar 24 14:52:31 2021 +0100 bpf: Update selftests to reflect new error states Update various selftest error messages: * The 'Rx tried to sub from different maps, paths, or prohibited types' is reworked into more specific/differentiated error messages for better guidance. * The change into 'value -4294967168 makes map_value pointer be out of bounds' is due to moving the mixed bounds check into the speculation handling and thus occuring slightly later than above mentioned sanity check. * The change into 'math between map_value pointer and register with unbounded min value' is similarly due to register sanity check coming before the mixed bounds check. * The case of 'map access: known scalar += value_ptr from different maps' now loads fine given masks are the same from the different paths (despite max map value size being different). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 Author: Daniel Borkmann Date: Wed Mar 24 10:38:26 2021 +0100 bpf: Tighten speculative pointer arithmetic mask This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space. Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit. For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states. Reported-by: Piotr Krysiuk Reported-by: Benedict Schlueter Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Tested-by: Benedict Schlueter commit f528819334881fd622fdadeddb3f7edaed8b7c9b Author: Daniel Borkmann Date: Wed Mar 24 11:25:39 2021 +0100 bpf: Move sanitize_val_alu out of op switch Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 Author: Daniel Borkmann Date: Tue Mar 23 15:05:48 2021 +0100 bpf: Refactor and streamline bounds check into helper Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit a6aaece00a57fa6f22575364b3903dfbccf5345d Author: Daniel Borkmann Date: Tue Mar 23 09:30:01 2021 +0100 bpf: Improve verifier error messages for users Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 Author: Daniel Borkmann Date: Tue Mar 23 09:04:10 2021 +0100 bpf: Rework ptr_limit into alu_limit and add common error path Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e Author: Daniel Borkmann Date: Tue Mar 23 08:51:02 2021 +0100 bpf: Ensure off_reg has no mixed signed bounds for all types The mixed signed bounds check really belongs into retrieve_ptr_limit() instead of outside of it in adjust_ptr_min_max_vals(). The reason is that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer types that we handle in retrieve_ptr_limit() and given errors from the latter propagate back to adjust_ptr_min_max_vals() and lead to rejection of the program, it's a better place to reside to avoid anything slipping through for future types. The reason why we must reject such off_reg is that we otherwise would not be able to derive a mask, see details in 9d7eceede769 ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged"). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 6f55b2f2a1178856c19bbce2f71449926e731914 Author: Daniel Borkmann Date: Mon Mar 22 15:45:52 2021 +0100 bpf: Move off_reg into sanitize_ptr_alu Small refactor to drag off_reg into sanitize_ptr_alu(), so we later on can use off_reg for generalizing some of the checks for all pointer types. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 9601148392520e2e134936e76788fc2a6371e7be Author: Daniel Borkmann Date: Tue Mar 23 08:32:59 2021 +0100 bpf: Use correct permission flag for mixed signed bounds arithmetic We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of allow_ptr_leaks. Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF") Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov commit 151501160401e2dc669ea7dac2c599b53f220c33 Merge: 06c2aac4014c3 7ae11635ec900 Author: Linus Torvalds Date: Fri Apr 16 10:05:42 2021 -0700 Merge tag 'riscv-for-linus-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "A handful of fixes: - a fix to properly select SPARSEMEM_STATIC on rv32 - a few fixes to kprobes I don't generally like sending stuff this late, but these all seem pretty safe" * tag 'riscv-for-linus-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: keep interrupts disabled for BREAKPOINT exception riscv: kprobes/ftrace: Add recursion protection to the ftrace callback riscv: add do_page_fault and do_trap_break into the kprobes blacklist riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM" commit 06c2aac4014c38247256fe49c61b7f55890271e7 Merge: 2f7b98d1e55cc 22315a2296f4c Author: Linus Torvalds Date: Fri Apr 16 09:45:30 2021 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Fix kernel compilation when using the LLVM integrated assembly. A recent commit (2decad92f473, "arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically") broke the kernel build when using the LLVM integrated assembly (only noticeable with clang-12 as MTE is not supported by earlier versions and the code in question not compiled). The Fixes: tag in the commit refers to the original patch introducing subsections for the alternative code sequences" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: alternatives: Move length validation in alternative_{insn, endif} commit 2f7b98d1e55ccd34e4998bf5f321ec7b9d6b451b Merge: 7e25f40eab52c 4d2e1288372cc Author: Linus Torvalds Date: Fri Apr 16 07:49:04 2021 -0700 Merge tag 'drm-fixes-2021-04-16' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Daniel Vetter: "I pinged the usual suspects, only intel fixes pending" * tag 'drm-fixes-2021-04-16' of git://anongit.freedesktop.org/drm/drm: drm/i915/display/vlv_dsi: Do not skip panel_pwr_cycle_delay when disabling the panel drm/i915: Don't zero out the Y plane's watermarks drm/i915/dpcd_bl: Don't try vesa interface unless specified by VBT commit 6b5b2a5bcfe9a250da19bac4ef7cabdc81d154ec Author: Zhenyu Wang Date: Wed Apr 14 16:48:12 2021 +0800 drm/i915/gvt: Fix BDW command parser regression On BDW new Windows driver has brought extra registers to handle for LRM/LRR command in WA ctx. Add allowed registers in cmd parser for BDW. Cc: Alex Williamson Cc: Yan Zhao Cc: stable@vger.kernel.org Tested-by: Alex Williamson Reviewed-by: Colin Xu Fixes: 73a37a43d1b0 ("drm/i915/gvt: filter cmds "lrr-src" and "lrr-dst" in cmd_handler") Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20210414084813.3763353-1-zhenyuw@linux.intel.com commit 7ae11635ec90072083503c6b6485cdffe46203b3 Author: Jisheng Zhang Date: Tue Mar 30 02:16:24 2021 +0800 riscv: keep interrupts disabled for BREAKPOINT exception Current riscv's kprobe handlers are run with both preemption and interrupt enabled, this violates kprobe requirements. Fix this issue by keeping interrupts disabled for BREAKPOINT exception. Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Cc: stable@vger.kernel.org Signed-off-by: Jisheng Zhang Reviewed-by: Masami Hiramatsu [Palmer: add a comment] Signed-off-by: Palmer Dabbelt commit e31be8d343e64e7ab17aef55c1d1b36dc504da67 Author: Jisheng Zhang Date: Tue Mar 30 02:14:40 2021 +0800 riscv: kprobes/ftrace: Add recursion protection to the ftrace callback Currently, the riscv's kprobes(powerred by ftrace) handler is preemptible. Futher check indicates we miss something similar as the commit c536aa1c5b17 ("kprobes/ftrace: Add recursion protection to the ftrace callback"), so do similar modifications as the commit does. Fixes: 829adda597fe ("riscv: Add KPROBES_ON_FTRACE supported") Cc: stable@vger.kernel.org Signed-off-by: Jisheng Zhang Reviewed-by: Steven Rostedt (VMware) Signed-off-by: Palmer Dabbelt commit 2349a3b26e29b8d860466bafda2e02b4b87a9e40 Author: Jisheng Zhang Date: Tue Mar 30 02:12:26 2021 +0800 riscv: add do_page_fault and do_trap_break into the kprobes blacklist These two functions are used to implement the kprobes feature so they can't be kprobed. Fixes: c22b0bcb1dd0 ("riscv: Add kprobes supported") Cc: stable@vger.kernel.org Signed-off-by: Jisheng Zhang Reviewed-by: Masami Hiramatsu Signed-off-by: Palmer Dabbelt commit 199fc6b8dee7d6d50467a57e0dc7e3e1b7d59966 Author: Kefeng Wang Date: Mon Mar 29 11:13:07 2021 +0800 riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM" There is a spelling mistake when SPARSEMEM Kconfig copy. Fixes: a5406a7ff56e ("riscv: Correct SPARSEMEM configuration") Cc: stable@vger.kernel.org Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit b21bb4cd1102dd9e24a169d09cf4e6f3c8a46bcf Author: Ben Widawsky Date: Thu Apr 15 16:26:08 2021 -0700 cxl/mem: Fix register block offset calculation The "Register Offset Low" register of a "DVSEC Register Locator" contains the 64K aligned offset for the registers along with the BAR indicator and an id. The implementation was treating the "Register Block Offset Low" field a value rather than as a pre-aligned component of the 64-bit offset. So, just mask, don't mask and shift (FIELD_GET). The user visible result of this bug is that the driver fails to bind to the device after none of the required blocks are found. This was missed earlier because the primary development done in the QEMU environment only uses 0 offsets, i.e. 0 shifted is still 0. Fixes: 8adaf747c9f0 ("cxl/mem: Find device capabilities") Reported-by: Vishal Verma Signed-off-by: Ben Widawsky Link: https://lore.kernel.org/r/20210415232610.603273-1-ben.widawsky@intel.com Signed-off-by: Dan Williams commit 0e0704bb9ea00813dd3d5405516089fee286079b Merge: 61d773586eba5 e8a4155567b3c Author: David S. Miller Date: Thu Apr 15 16:55:49 2021 -0700 Merge branch 'ch_tlss-fixes' Vinay Kumar Yadav says: ==================== chelsio/ch_ktls: chelsio inline tls driver bug fixes This series of patches fix following bugs in Chelsio inline tls driver. Patch1: kernel panic. Patch2: connection close issue. Patch3: tcb close call issue. Patch4: unnecessary snd_una update. ==================== Signed-off-by: David S. Miller commit e8a4155567b3c903f49cbf89b8017e9cc22c4fe4 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:48 2021 +0530 ch_ktls: do not send snd_una update to TCB in middle snd_una update should not be done when the same skb is being sent out.chcr_short_record_handler() sends it again even though SND_UNA update is already sent for the skb in chcr_ktls_xmit(), which causes mismatch in un-acked TCP seq number, later causes problem in sending out complete record. Fixes: 429765a149f1 ("chcr: handle partial end part of a record") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller commit 21d8c25e3f4b9052a471ced8f47b531956eb9963 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:47 2021 +0530 ch_ktls: tcb close causes tls connection failure HW doesn't need marking TCB closed. This TCB state change sometimes causes problem to the new connection which gets the same tid. Fixes: 34aba2c45024 ("cxgb4/chcr : Register to tls add and del callback") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller commit bc16efd2430652f894ae34b1de5eccc3bf0d2810 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:46 2021 +0530 ch_ktls: fix device connection close When sge queue is full and chcr_ktls_xmit_wr_complete() returns failure, skb is not freed if it is not the last tls record in this skb, causes refcount never gets freed and tls_dev_del() never gets called on this connection. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller commit 1a73e427b824133940c2dd95ebe26b6dce1cbf10 Author: Vinay Kumar Yadav Date: Thu Apr 15 13:17:45 2021 +0530 ch_ktls: Fix kernel panic Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Vinay Kumar Yadav Signed-off-by: Rohit Maheshwari Signed-off-by: David S. Miller commit 61d773586eba5c102bcb2cccdd88239227ce8b26 Merge: 4e39a072a6a0f e3e0f9b279705 Author: David S. Miller Date: Thu Apr 15 16:43:29 2021 -0700 Merge tag 'mlx5-fixes-2021-04-14' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2021-04-14 This series provides 3 small fixes to mlx5 driver. Please pull and let me know if there is any problem. ==================== Signed-off-by: David S. Miller commit 4e39a072a6a0fc422ba7da5e4336bdc295d70211 Author: Jason Xing Date: Wed Apr 14 10:34:28 2021 +0800 i40e: fix the panic when running bpf in xdpdrv mode Fix this panic by adding more rules to calculate the value of @rss_size_max which could be used in allocating the queues when bpf is loaded, which, however, could cause the failure and then trigger the NULL pointer of vsi->rx_rings. Prio to this fix, the machine doesn't care about how many cpus are online and then allocates 256 queues on the machine with 32 cpus online actually. Once the load of bpf begins, the log will go like this "failed to get tracking for 256 queues for VSI 0 err -12" and this "setup of MAIN VSI failed". Thus, I attach the key information of the crash-log here. BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 RIP: 0010:i40e_xdp+0xdd/0x1b0 [i40e] Call Trace: [2160294.717292] ? i40e_reconfig_rss_queues+0x170/0x170 [i40e] [2160294.717666] dev_xdp_install+0x4f/0x70 [2160294.718036] dev_change_xdp_fd+0x11f/0x230 [2160294.718380] ? dev_disable_lro+0xe0/0xe0 [2160294.718705] do_setlink+0xac7/0xe70 [2160294.719035] ? __nla_parse+0xed/0x120 [2160294.719365] rtnl_newlink+0x73b/0x860 Fixes: 41c445ff0f48 ("i40e: main driver core") Co-developed-by: Shujin Li Signed-off-by: Shujin Li Signed-off-by: Jason Xing Reviewed-by: Jesse Brandeburg Acked-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller commit 39930213e7779b9c4257499972b8afb8858f1a2d Author: Marek Behún Date: Thu Apr 8 04:00:00 2021 +0200 i2c: mv64xxx: Fix random system lock caused by runtime PM I noticed a weird bug with this driver on Marvell CN9130 Customer Reference Board. Sometime after boot, the system locks with the following message: [104.071363] i2c i2c-0: mv64xxx: I2C bus locked, block: 1, time_left: 0 The system does not respond afterwards, only warns about RCU stalls. This first appeared with commit e5c02cf54154 ("i2c: mv64xxx: Add runtime PM support"). With further experimentation I discovered that adding a delay into mv64xxx_i2c_hw_init() fixes this issue. This function is called before every xfer, due to how runtime PM works in this driver. It seems that in order to work correctly, a delay is needed after the bus is reset in this function. Since there already is a known erratum with this controller needing a delay, I assume that this is just another place this needs to be applied. Therefore I apply the delay only if errata_delay is true. Signed-off-by: Marek Behún Acked-by: Gregory CLEMENT Reviewed-by: Samuel Holland Signed-off-by: Wolfram Sang commit 7e25f40eab52c57ff6772d27d2aef3640a3237d7 Merge: 33f0d9d94a0ef 6998a8800d731 Author: Linus Torvalds Date: Thu Apr 15 10:53:39 2021 -0700 Merge tag 'acpi-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Restore the initrd-based ACPI table override functionality broken by one of the recent fixes" * tag 'acpi-5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() commit 33f0d9d94a0ef0814d23320c2536c4135d230114 Merge: e7e3a53b30d6e 23cf00ddd2e1a Author: Linus Torvalds Date: Thu Apr 15 10:48:51 2021 -0700 Merge tag 'gpio-fixes-for-v5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux Pull gpio fix from Bartosz Golaszewski: "A single fix for an older problem with the sysfs interface: do not allow exporting GPIO lines which were marked invalid by the driver" * tag 'gpio-fixes-for-v5.12-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux: gpio: sysfs: Obey valid_mask commit e7e3a53b30d6e6f54eef81400ddfe8b32224b77f Merge: 1df01322f00a0 276559d8d02c2 Author: Linus Torvalds Date: Thu Apr 15 10:43:18 2021 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: "The changes are all device/driver specific fixes: - EV_KEY and EV_ABS regression fix for Wacom from Ping Cheng - BIOS-specific quirk to fix some of the AMD_SFH-based systems, from Hans de Goede - other small error handling fixes and device ID additions" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices AMD_SFH: Add DMI quirk table for BIOS-es which don't set the activestatus bits AMD_SFH: Add sensor_mask module parameter AMD_SFH: Removed unused activecontrolstatus member from the amd_mp2_dev struct HID: wacom: Assign boolean values to a bool variable HID cp2112: fix support for multiple gpiochips HID: alps: fix error return code in alps_input_configured() HID: asus: Add support for 2021 ASUS N-Key keyboard HID: google: add don USB id commit 22315a2296f4c251fa92aec45fbbae37e9301b6c Author: Nathan Chancellor Date: Tue Apr 13 17:08:04 2021 -0700 arm64: alternatives: Move length validation in alternative_{insn, endif} After commit 2decad92f473 ("arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically"), LLVM's integrated assembler fails to build entry.S: :5:7: error: expected assembly-time absolute expression .org . - (664b-663b) + (662b-661b) ^ :6:7: error: expected assembly-time absolute expression .org . - (662b-661b) + (664b-663b) ^ The root cause is LLVM's assembler has a one-pass design, meaning it cannot figure out these instruction lengths when the .org directive is outside of the subsection that they are in, which was changed by the .arch_extension directive added in the above commit. Apply the same fix from commit 966a0acce2fc ("arm64/alternatives: move length validation inside the subsection") to the alternative_endif macro, shuffling the .org directives so that the length validation happen will always happen in the same subsections. alternative_insn has not shown any issue yet but it appears that it could have the same issue in the future so just preemptively change it. Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") Cc: # 5.8.x Link: https://github.com/ClangBuiltLinux/linux/issues/1347 Signed-off-by: Nathan Chancellor Reviewed-by: Sami Tolvanen Tested-by: Sami Tolvanen Reviewed-by: Nick Desaulniers Tested-by: Nick Desaulniers Link: https://lore.kernel.org/r/20210414000803.662534-1-nathan@kernel.org Signed-off-by: Catalin Marinas commit 1df01322f00a0aedd4a589597ce9c0b680ae6068 Merge: 7f75285ca572e 56cfe6f820a63 Author: Linus Torvalds Date: Thu Apr 15 10:23:44 2021 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: "Just a few driver fixes here" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: elants_i2c - drop zero-checking of ABS_MT_TOUCH_MAJOR resolution Input: elants_i2c - fix division by zero if firmware reports zero phys size Input: nspire-keypad - enable interrupts only when opened Input: i8042 - fix Pegatron C15B ID entry Input: n64joy - fix return value check in n64joy_probe() Input: s6sy761 - fix coordinate read bit shift commit 4d2e1288372ccc5ac60290bc10cace49c9bfa6d0 Merge: d434405aaab7d aee6f25e9c911 Author: Daniel Vetter Date: Thu Apr 15 15:24:17 2021 +0200 Merge tag 'drm-intel-fixes-2021-04-15' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes Display panel & power related fixes: - Backlight fix (Lyude) - Display watermark fix (Ville) - VLV panel power fix (Hans) Signed-off-by: Daniel Vetter From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YHg4nz/ndzDRmPjd@intel.com commit e3e0f9b279705154b951d579dc3d8b7041710e24 Author: wenxu Date: Fri Apr 9 13:33:48 2021 +0800 net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta In the nft_offload there is the mate flow_dissector with no ingress_ifindex but with ingress_iftype that only be used in the software. So if the mask of ingress_ifindex in meta is 0, this meta check should be bypass. Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support") Signed-off-by: wenxu Acked-by: Pablo Neira Ayuso Signed-off-by: Saeed Mahameed commit 7a320c9db3e73fb6c4f9a331087df9df18767221 Author: Aya Levin Date: Sun Apr 11 09:33:12 2021 +0300 net/mlx5e: Fix setting of RS FEC mode Change register setting from bit number to bit mask. Fixes: b5ede32d3329 ("net/mlx5e: Add support for FEC modes based on 50G per lane links") Signed-off-by: Aya Levin Reviewed-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed commit 41bafb31dcd58d834bdffa5db703f94fd2cec727 Author: Aya Levin Date: Mon Apr 12 17:50:08 2021 +0300 net/mlx5: Fix setting of devlink traps in switchdev mode Prevent setting of devlink traps on the uplink while in switchdev mode. In this mode, it is the SW switch responsibility to handle both packets with a mismatch in destination MAC or VLAN ID. Therefore, there are no flow steering tables to trap undesirable packets and driver crashes upon setting a trap. Fixes: 241dc159391f ("net/mlx5: Notify on trap action by blocking event") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Reviewed-by: Roi Dayan Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 9e196e4398869e4dfe3f49f7f3e0935e07b1d1b9 Merge: 00423969d806d ef963ae427aa4 Author: David S. Miller Date: Wed Apr 14 14:12:12 2021 -0700 Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2021-04-14 This series contains updates to ixgbe and ice drivers. Alex Duyck fixes a NULL pointer dereference for ixgbe. Yongxin Liu fixes an unbalanced enable/disable which was causing a call trace with suspend for ixgbe. Colin King fixes a potential infinite loop for ice. ==================== Signed-off-by: David S. Miller commit 00423969d806d7169d16fa6314c570a472ca26c9 Author: Thierry Reding Date: Wed Apr 14 17:10:07 2021 +0200 Revert "net: stmmac: re-init rx buffers when mac resume back" This reverts commit 9c63faaa931e443e7abbbee9de0169f1d4710546, which introduces a suspend/resume regression on Jetson TX2 boards that can be reproduced every time. Given that the issue that this was supposed to fix only occurs very sporadically the safest course of action is to revert before v5.12 and then we can have another go at fixing the more rare issue in the next release (and perhaps backport it if necessary). The root cause of the observed problem seems to be that when the system is suspended, some packets are still in transit. When the descriptors for these buffers are cleared on resume, the descriptors become invalid and cause a fatal bus error. Link: https://lore.kernel.org/r/708edb92-a5df-ecc4-3126-5ab36707e275@nvidia.com/ Reported-by: Jonathan Hunter Signed-off-by: Thierry Reding Signed-off-by: David S. Miller commit 416dcc5ce9d2a810477171c62ffa061a98f87367 Author: Wan Jiabing Date: Wed Apr 14 19:31:48 2021 +0800 cavium/liquidio: Fix duplicate argument Fix the following coccicheck warning: ./drivers/net/ethernet/cavium/liquidio/cn66xx_regs.h:413:6-28: duplicated argument to & or | The CN6XXX_INTR_M1UPB0_ERR here is duplicate. Here should be CN6XXX_INTR_M1UNB0_ERR. Signed-off-by: Wan Jiabing Signed-off-by: David S. Miller commit a714e27ea8bdee2b238748029d31472d0a65b611 Author: Claudiu Beznea Date: Wed Apr 14 14:20:29 2021 +0300 net: macb: fix the restore of cmp registers Commit a14d273ba159 ("net: macb: restore cmp registers on resume path") introduces the restore of CMP registers on resume path. In case the IP doesn't support type 2 screeners (zero on DCFG8 register) the struct macb::rx_fs_list::list is not initialized and thus the list_for_each_entry(item, &bp->rx_fs_list.list, list) loop introduced in commit a14d273ba159 ("net: macb: restore cmp registers on resume path") will access an uninitialized list leading to crash. Thus, initialize the struct macb::rx_fs_list::list without taking into account if the IP supports type 2 screeners or not. Fixes: a14d273ba159 ("net: macb: restore cmp registers on resume path") Signed-off-by: Claudiu Beznea Signed-off-by: David S. Miller commit 2ef4fb92363c44e8a6f93fd0877b6a7dee6f874d Author: Zack Rusin Date: Mon Mar 22 13:04:11 2021 -0400 drm/vmwgfx: Make sure bo's are unpinned before putting them back During cotable resize we pin the backup buffer to make sure the trylock doesn't fail. We were never unpinning the backup buffer resulting in every subsequent cotable resize trying to release a pinned bo. After we copy the old backup to the new we can release the pin. Mob's are always pinned so we just have to make sure we unpin them before releasing them. Reviewed-by: Thomas Hellström (Intel) Fixes: d1a73c641afd ("drm/vmwgfx: Make sure we unpin no longer needed buffers") Link: https://patchwork.freedesktop.org/patch/msgid/20210413205938.788366-1-zackr@vmware.com Signed-off-by: Zack Rusin commit 68ce556bd1643498080af310d4544f46f3c4f3df Author: Zack Rusin Date: Mon Mar 22 12:54:57 2021 -0400 drm/vmwgfx: Fix the lockdep breakage Thomas has noticed that the lockdep was broken in vmwgfx. It was broken during the pci initialization rework. This fixes the breakage by making sure we initialize the locking code before doing anything else. This was independently spotted and fixed by Tetsuo Handa as well. Reviewed-by: Martin Krastev Reviewed-by: Roland Scheidegger Cc: Tetsuo Handa Cc: dri-devel@lists.freedesktop.org Signed-off-by: Zack Rusin Fixes: 8772c0bb58bbf98a ("drm/vmwgfx: Cleanup pci resource allocation") Link: https://patchwork.freedesktop.org/patch/msgid/20210408172245.673785-1-zackr@vmware.com commit ab4d9913632b1e5ffcf3365783e98718b3c83c7f Author: Zack Rusin Date: Thu Jan 14 18:38:16 2021 -0500 drm/vmwgfx: Make sure we unpin no longer needed buffers We were not correctly unpinning no longer needed buffers. In particular vmw_buffer_object, which is internally often pinned on creation wasn't unpinned on destruction and none of the internal MOB buffers were unpinned before being put back. Technically this existed for a long time but commit 57fcd550eb15 ("drm/ttm: Warn on pinning without holding a reference") introduced a WARN_ON which was filling up the kernel logs rather quickly. Quite frankly internal usage of vmw_buffer_object and in general pinning needs to be refactored in vmwgfx but for now this makes it work. Signed-off-by: Zack Rusin Reviewed-by: Martin Krastev Reviewed-by: Roland Scheidegger Fixes: 57fcd550eb15 ("drm/ttm: Warn on pinning without holding a reference") Link: https://patchwork.freedesktop.org/patch/414984/?series=86052&rev=1 Cc: Huang Rui Cc: Christian König Cc: Daniel Vetter Cc: Christian Koenig Cc: dri-devel@lists.freedesktop.org commit 7f75285ca572eaabc028cf78c6ab5473d0d160be Merge: 8e2e0104ef78d 8ca7cab82bda4 Author: Linus Torvalds Date: Wed Apr 14 13:23:54 2021 -0700 Merge tag 'for-5.12/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fix from Mike Snitzer: "Fix DM verity target FEC support's RS roots IO to always be aligned. This fixes a previous stable@ fix that overcorrected for a different configuration that also resulted in misaligned roots IO" * tag 'for-5.12/dm-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm verity fec: fix misaligned RS roots IO commit 2e1534f395e73152e2051332034bff61a56a8368 Author: Nicolas Dichtel Date: Wed Apr 14 12:03:25 2021 +0200 vrf: fix a comment about loopback device This is a leftover of the below commit. Fixes: 4f04256c983a ("net: vrf: Drop local rtable and rt6_info") Signed-off-by: Nicolas Dichtel Acked-by: David Ahern Signed-off-by: David S. Miller commit 292ecd9f5a94dd29d09fe03b5b669cb20b44f19e Author: Nicolas Dichtel Date: Wed Apr 14 12:00:27 2021 +0200 doc: move seg6_flowlabel to seg6-sysctl.rst Let's have all seg6 sysctl at the same place. Fixes: a6dc6670cd7e ("ipv6: sr: Add documentation for seg_flowlabel sysctl") Signed-off-by: Nicolas Dichtel Signed-off-by: David S. Miller commit 49963eed2c239365c12418d07ca9ba621dc69313 Merge: 453a77894efa4 7c451f3ef676c Author: David S. Miller Date: Wed Apr 14 13:10:58 2021 -0700 Merge branch 'ibmvnic-napi-fixes' Lijun Pan says: ==================== ibmvnic: correctly call NAPI APIs This series correct some misuse of NAPI APIs in the driver. ==================== Signed-off-by: David S. Miller commit 7c451f3ef676c805a4b77a743a01a5c21a250a73 Author: Lijun Pan Date: Wed Apr 14 02:46:16 2021 -0500 ibmvnic: remove duplicate napi_schedule call in open function Remove the unnecessary napi_schedule() call in __ibmvnic_open() since interrupt_rx() calls napi_schedule_prep/__napi_schedule during every receive interrupt. Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Signed-off-by: Lijun Pan Signed-off-by: David S. Miller commit d3a6abccbd272aea7dc2c6f984bb5a2c11278e44 Author: Lijun Pan Date: Wed Apr 14 02:46:15 2021 -0500 ibmvnic: remove duplicate napi_schedule call in do_reset function During adapter reset, do_reset/do_hard_reset calls ibmvnic_open(), which will calls napi_schedule if previous state is VNIC_CLOSED (i.e, the reset case, and "ifconfig down" case). So there is no need for do_reset to call napi_schedule again at the end of the function though napi_schedule will neglect the request if napi is already scheduled. Fixes: ed651a10875f ("ibmvnic: Updated reset handling") Signed-off-by: Lijun Pan Signed-off-by: David S. Miller commit 0775ebc4cf8554bdcd2c212669a0868ab68df5c0 Author: Lijun Pan Date: Wed Apr 14 02:46:14 2021 -0500 ibmvnic: avoid calling napi_disable() twice __ibmvnic_open calls napi_disable without checking whether NAPI polling has already been disabled or not. This could cause napi_disable being called twice, which could generate deadlock. For example, the first napi_disable will spin until NAPI_STATE_SCHED is cleared by napi_complete_done, then set it again. When napi_disable is called the second time, it will loop infinitely because no dev->poll will be running to clear NAPI_STATE_SCHED. To prevent above scenario from happening, call ibmvnic_napi_disable() which checks if napi is disabled or not before calling napi_disable. Fixes: bfc32f297337 ("ibmvnic: Move resource initialization to its own routine") Suggested-by: Thomas Falcon Signed-off-by: Lijun Pan Signed-off-by: David S. Miller commit 453a77894efa4d9b6ef9644d74b9419c47ac427c Author: Heiner Kallweit Date: Wed Apr 14 10:47:10 2021 +0200 r8169: don't advertise pause in jumbo mode It has been reported [0] that using pause frames in jumbo mode impacts performance. There's no available chip documentation, but vendor drivers r8168 and r8125 don't advertise pause in jumbo mode. So let's do the same, according to Roman it fixes the issue. [0] https://bugzilla.kernel.org/show_bug.cgi?id=212617 Fixes: 9cf9b84cc701 ("r8169: make use of phy_set_asym_pause") Reported-by: Roman Mamedov Tested-by: Roman Mamedov Signed-off-by: Heiner Kallweit Cc: stable@vger.kernel.org Signed-off-by: David S. Miller commit 16756d3e77ad58cd07e36cbed724aa13ae5a0278 Author: Jakub Kicinski Date: Tue Apr 13 20:46:14 2021 -0700 ethtool: pause: make sure we init driver stats The intention was for pause statistics to not be reported when driver does not have the relevant callback (only report an empty netlink nest). What happens currently we report all 0s instead. Make sure statistics are initialized to "not set" (which is -1) so the dumping code skips them. Fixes: 9a27a33027f2 ("ethtool: add standard pause stats") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit c7d95613c7d6e003969722a290397b8271bdad17 Author: Pavel Begunkov Date: Tue Apr 13 11:43:00 2021 +0100 io_uring: fix early sqd_list removal sqpoll hangs [ 245.463317] INFO: task iou-sqp-1374:1377 blocked for more than 122 seconds. [ 245.463334] task:iou-sqp-1374 state:D flags:0x00004000 [ 245.463345] Call Trace: [ 245.463352] __schedule+0x36b/0x950 [ 245.463376] schedule+0x68/0xe0 [ 245.463385] __io_uring_cancel+0xfb/0x1a0 [ 245.463407] do_exit+0xc0/0xb40 [ 245.463423] io_sq_thread+0x49b/0x710 [ 245.463445] ret_from_fork+0x22/0x30 It happens when sqpoll forgot to run park_task_work and goes to exit, then exiting user may remove ctx from sqd_list, and so corresponding io_sq_thread() -> io_uring_cancel_sqpoll() won't be executed. Hopefully it just stucks in do_exit() in this case. Fixes: dbe1bdbb39db ("io_uring: handle signals for IO threads like a normal thread") Reported-by: Joakim Hassila Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 8ca7cab82bda4eb0b8064befeeeaa38106cac637 Author: Jaegeuk Kim Date: Wed Apr 14 08:28:28 2021 -0700 dm verity fec: fix misaligned RS roots IO commit df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") introduced the possibility for misaligned roots IO relative to the underlying device's logical block size. E.g. Android's default RS roots=2 results in dm_bufio->block_size=1024, which causes the following EIO if the logical block size of the device is 4096, given v->data_dev_block_bits=12: E sd 0 : 0:0:0: [sda] tag#30 request not aligned to the logical block size E blk_update_request: I/O error, dev sda, sector 10368424 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 0 E device-mapper: verity-fec: 254:8: FEC 9244672: parity read failed (block 18056): -5 Fix this by onlu using f->roots for dm_bufio blocksize IFF it is aligned to v->data_dev_block_bits. Fixes: df7b59ba9245 ("dm verity: fix FEC for RS roots unaligned to block size") Cc: stable@vger.kernel.org Signed-off-by: Jaegeuk Kim Signed-off-by: Mike Snitzer commit 8e2e0104ef78d49a51db9acfd24eaf6d52dc779e Merge: ec97a7296ad1c a994eddb947ea Author: Linus Torvalds Date: Wed Apr 14 10:55:56 2021 -0700 Merge tag 's390-5.12-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - setup stack backchain properly in external and i/o interrupt handler to fix stack unwinding. This broke when converting to generic entry - save caller address of psw_idle to get a sane stacktrace * tag 's390-5.12-7' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/entry: save the caller of psw_idle s390/entry: avoid setting up backchain in ext|io handlers commit ec97a7296ad1ca3ccb8bca1e72739cb8262686f1 Merge: c17a3066b4c1a 738fa58ee1328 Author: Linus Torvalds Date: Wed Apr 14 10:36:03 2021 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: - Fix incorrect asm constraint for load_unaligned_zeropad() fixup - Fix thread flag update when setting TIF_MTE_ASYNC_FAULT - Fix restored irq state when handling fault on kprobe * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kprobes: Restore local irqflag if kprobes is cancelled arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically arm64: fix inline asm in load_unaligned_zeropad() commit c17a3066b4c1acdf36fa307faaa391f558ac0420 Merge: e70b911acc168 ea9aadc06a9f1 Author: Linus Torvalds Date: Wed Apr 14 09:36:54 2021 -0700 Merge tag 'dmaengine-fix-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine Pull dmaengine fixes from Vinod Koul: "A couple of dmaengine driver fixes for: - race and descriptor issue for xilinx driver - fix interrupt handling, wq state & cleanup, field sizes for completion, msix permissions for idxd driver - runtime pm fix for tegra driver - double free fix in dma_async_device_register" * tag 'dmaengine-fix-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine: dmaengine: idxd: fix wq cleanup of WQCFG registers dmaengine: idxd: clear MSIX permission entry on shutdown dmaengine: plx_dma: add a missing put_device() on error path dmaengine: tegra20: Fix runtime PM imbalance on error dmaengine: Fix a double free in dma_async_device_register dmaengine: dw: Make it dependent to HAS_IOMEM dmaengine: idxd: fix wq size store permission state dmaengine: idxd: fix opcap sysfs attribute output dmaengine: idxd: fix delta_rec and crc size field for completion record dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback dmaengine: xilinx: dpdma: Fix race condition in done IRQ dmaengine: xilinx: dpdma: Fix descriptor issuing on video group commit e70b911acc1687100c31e550251715dbdac96a12 Merge: 2558258d78873 909290786ea33 Author: Linus Torvalds Date: Wed Apr 14 09:10:54 2021 -0700 Merge tag 'vfio-v5.12-rc8' of git://github.com/awilliam/linux-vfio Pull VFIO fix from Alex Williamson: "Verify mmap region within range (Christian A. Ehrhardt)" * tag 'vfio-v5.12-rc8' of git://github.com/awilliam/linux-vfio: vfio/pci: Add missing range check in vfio_pci_mmap commit 2558258d78873998b8cd81ce7661dc68541b8b51 Merge: 50987beca096a 04c4f2ee3f68c Author: Linus Torvalds Date: Wed Apr 14 08:50:46 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fix from Paolo Bonzini: "Fix for a possible out-of-bounds access" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: VMX: Don't use vcpu->run->internal.ndata as an array index commit 33cc5270d8f23066c2c3291ebd2aa8edda5f5fea Merge: e49d033bddf5b 196d941753297 Author: Linus Walleij Date: Wed Apr 14 09:09:10 2021 +0200 Merge tag 'intel-pinctrl-v5.12-4' of gitolite.kernel.org:pub/scm/linux/kernel/git/pinctrl/intel into fixes intel-pinctrl for v5.12-4 * Fix pin numbering per community in Intel Lewisburg driver The following is an automated git shortlog grouped by driver: lewisburg: - Update number of pins in community commit 50987beca096a7ed4f453a6da245fd6a2fadedeb Merge: eebe426d32e1a 8db403b963133 Author: Linus Torvalds Date: Tue Apr 13 18:40:00 2021 -0700 Merge tag 'trace-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fix from Steven Rostedt: "Fix a memory link in dyn_event_release(). An error path exited the function before freeing the allocated 'argv' variable" * tag 'trace-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing/dynevent: Fix a memory leak in an error handling path commit 2afeec08ab5c86ae21952151f726bfe184f6b23d Author: Michael Brown Date: Tue Apr 13 16:25:12 2021 +0100 xen-netback: Check for hotplug-status existence before watching The logic in connect() is currently written with the assumption that xenbus_watch_pathfmt() will return an error for a node that does not exist. This assumption is incorrect: xenstore does allow a watch to be registered for a nonexistent node (and will send notifications should the node be subsequently created). As of commit 1f2565780 ("xen-netback: remove 'hotplug-status' once it has served its purpose"), this leads to a failure when a domU transitions into XenbusStateConnected more than once. On the first domU transition into Connected state, the "hotplug-status" node will be deleted by the hotplug_status_changed() callback in dom0. On the second or subsequent domU transition into Connected state, the hotplug_status_changed() callback will therefore never be invoked, and so the backend will remain stuck in InitWait. This failure prevents scenarios such as reloading the xen-netfront module within a domU, or booting a domU via iPXE. There is unfortunately no way for the domU to work around this dom0 bug. Fix by explicitly checking for existence of the "hotplug-status" node, thereby creating the behaviour that was previously assumed to exist. Signed-off-by: Michael Brown Reviewed-by: Paul Durrant Signed-off-by: David S. Miller commit 04c4f2ee3f68c9a4bf1653d15f1a9a435ae33f7a Author: Reiji Watanabe Date: Tue Apr 13 15:47:40 2021 +0000 KVM: VMX: Don't use vcpu->run->internal.ndata as an array index __vmx_handle_exit() uses vcpu->run->internal.ndata as an index for an array access. Since vcpu->run is (can be) mapped to a user address space with a writer permission, the 'ndata' could be updated by the user process at anytime (the user process can set it to outside the bounds of the array). So, it is not safe that __vmx_handle_exit() uses the 'ndata' that way. Fixes: 1aa561b1a4c0 ("kvm: x86: Add "last CPU" to some KVM_EXIT information") Signed-off-by: Reiji Watanabe Reviewed-by: Jim Mattson Message-Id: <20210413154739.490299-1-reijiw@google.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 Author: Eric Dumazet Date: Tue Apr 13 05:41:35 2021 -0700 gro: ensure frag0 meets IP header alignment After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head") Guenter Roeck reported one failure in his tests using sh architecture. After much debugging, we have been able to spot silent unaligned accesses in inet_gro_receive() The issue at hand is that upper networking stacks assume their header is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN bytes before the Ethernet header to make that happen. This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path if the fragment is not properly aligned. Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN as 0, this extra check will be a NOP for them. Note that if frag0 is not used, GRO will call pskb_may_pull() as many times as needed to pull network and transport headers. Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head") Fixes: 78a478d0efd9 ("gro: Inline skb_gro_header and cache frag0 virtual address") Signed-off-by: Eric Dumazet Reported-by: Guenter Roeck Cc: Xuan Zhuo Cc: "Michael S. Tsirkin" Cc: Jason Wang Acked-by: Michael S. Tsirkin Tested-by: Guenter Roeck Signed-off-by: David S. Miller commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b Author: Or Cohen Date: Tue Apr 13 21:10:31 2021 +0300 net/sctp: fix race condition in sctp_destroy_sock If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock held and sp->do_auto_asconf is true, then an element is removed from the auto_asconf_splist without any proper locking. This can happen in the following functions: 1. In sctp_accept, if sctp_sock_migrate fails. 2. In inet_create or inet6_create, if there is a bpf program attached to BPF_CGROUP_INET_SOCK_CREATE which denies creation of the sctp socket. The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock instead of sctp_close. This addresses CVE-2021-23133. Reported-by: Or Cohen Reviewed-by: Xin Long Fixes: 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications") Signed-off-by: Or Cohen Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit ca09bf7bb109a37a7ff05f230bb3fa3627e6625f Author: Lijun Pan Date: Tue Apr 13 03:33:25 2021 -0500 ibmvnic: correctly use dev_consume/free_skb_irq It is more correct to use dev_kfree_skb_irq when packets are dropped, and to use dev_consume_skb_irq when packets are consumed. Fixes: 0d973388185d ("ibmvnic: Introduce xmit_more support using batched subCRQ hcalls") Suggested-by: Thomas Falcon Signed-off-by: Lijun Pan Signed-off-by: David S. Miller commit 97684f0970f6e112926de631fdd98d9693c7e5c1 Author: Jonathon Reinhart Date: Tue Apr 13 03:08:48 2021 -0400 net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestion_control and tcp_allowed_congestion_control are the only sysctls in ipv4_net_table (the per-netns sysctl table) with a NULL data pointer; their handlers (proc_tcp_available_congestion_control and proc_allowed_congestion_control) have no other way of referencing a struct net. Thus, they operate globally. Because ipv4_net_table does not use designated initializers, there is no easy way to fix up this one "bad" table entry. However, the data pointer updating logic shouldn't be applied to NULL pointers anyway, so we instead force these entries to be read-only. These sysctls used to exist in ipv4_table (init-net only), but they were moved to the per-net ipv4_net_table, presumably without realizing that tcp_allowed_congestion_control was writable and thus introduced a leak. Because the intent of that commit was only to know (i.e. read) "which congestion algorithms are available or allowed", this read-only solution should be sufficient. The logic added in recent commit 31c4d2f160eb: ("net: Ensure net namespace isolation of sysctls") does not and cannot check for NULL data pointers, because other table entries (e.g. /proc/sys/net/netfilter/nf_log/) have .data=NULL but use other methods (.extra2) to access the struct net. Fixes: 9cb8e048e5d9 ("net/ipv4/sysctl: show tcp_{allowed, available}_congestion_control in non-initial netns") Signed-off-by: Jonathon Reinhart Signed-off-by: David S. Miller commit 61aaa1aa9a8f83dbdc763c6939568952a2a30c90 Merge: ccb39c6285581 941ea91e87a6e Author: David S. Miller Date: Tue Apr 13 14:31:52 2021 -0700 Merge branch 'catch-all-devices' Hristo Venev says: ==================== net: Fix two use-after-free bugs The two patches fix two use-after-free bugs related to cleaning up network namespaces, one in sit and one in ip6_tunnel. They are easy to trigger if the user has the ability to create network namespaces. The bugs can be used to trigger null pointer dereferences. I am not sure if they can be exploited further, but I would guess that they can. I am not sending them to the mailing list without confirmation that doing so would be OK. ==================== Signed-off-by: David S. Miller commit 941ea91e87a6e879ed82dad4949f6234f2702bec Author: Hristo Venev Date: Mon Apr 12 20:41:17 2021 +0300 net: ip6_tunnel: Unregister catch-all devices Similarly to the sit case, we need to remove the tunnels with no addresses that have been moved to another network namespace. Fixes: 0bd8762824e73 ("ip6tnl: add x-netns support") Signed-off-by: Hristo Venev Signed-off-by: David S. Miller commit 610f8c0fc8d46e0933955ce13af3d64484a4630a Author: Hristo Venev Date: Mon Apr 12 20:41:16 2021 +0300 net: sit: Unregister catch-all devices A sit interface created without a local or a remote address is linked into the `sit_net::tunnels_wc` list of its original namespace. When deleting a network namespace, delete the devices that have been moved. The following script triggers a null pointer dereference if devices linked in a deleted `sit_net` remain: for i in `seq 1 30`; do ip netns add ns-test ip netns exec ns-test ip link add dev veth0 type veth peer veth1 ip netns exec ns-test ip link add dev sit$i type sit dev veth0 ip netns exec ns-test ip link set dev sit$i netns $$ ip netns del ns-test done for i in `seq 1 30`; do ip link del dev sit$i done Fixes: 5e6700b3bf98f ("sit: add support of x-netns") Signed-off-by: Hristo Venev Signed-off-by: David S. Miller commit eebe426d32e1a10ac7c35f8ffab5f818c32a2454 Merge: 89698becf06d3 2fb164f0ce95e Author: Linus Torvalds Date: Tue Apr 13 14:01:34 2021 -0700 Merge tag 'fixes-for-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull MTD fix from Richard Weinberger: "Fix WAITRDY break condition and timeout in mtk nand driver" * tag 'fixes-for-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: mtk: Fix WAITRDY break condition and timeout commit ef963ae427aa4669905e0a96b3bd9d44dc85db32 Author: Colin Ian King Date: Wed Mar 31 15:46:28 2021 +0100 ice: Fix potential infinite loop when using u8 loop counter A for-loop is using a u8 loop counter that is being compared to a u32 cmp_dcbcfg->numapp to check for the end of the loop. If cmp_dcbcfg->numapp is larger than 255 then the counter j will wrap around to zero and hence an infinite loop occurs. Fix this by making counter j the same type as cmp_dcbcfg->numapp. Addresses-Coverity: ("Infinite loop") Fixes: aeac8ce864d9 ("ice: Recognize 860 as iSCSI port in CEE mode") Signed-off-by: Colin Ian King Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit debb9df311582c83fe369baa35fa4b92e8a9c58a Author: Yongxin Liu Date: Mon Mar 22 15:14:48 2021 +0800 ixgbe: fix unbalanced device enable/disable in suspend/resume pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgbe_resume() in commit 6f82b2558735 ("ixgbe: use generic power management"). This caused unbalanced increase/decrease. So add pci_enable_device_mem() back. Fix the following call trace. ixgbe 0000:17:00.1: disabling already-disabled device Call Trace: __ixgbe_shutdown+0x10a/0x1e0 [ixgbe] ixgbe_suspend+0x32/0x70 [ixgbe] pci_pm_suspend+0x87/0x160 ? pci_pm_freeze+0xd0/0xd0 dpm_run_callback+0x42/0x170 __device_suspend+0x114/0x460 async_suspend+0x1f/0xa0 async_run_entry_fn+0x3c/0xf0 process_one_work+0x1dd/0x410 worker_thread+0x34/0x3f0 ? cancel_delayed_work+0x90/0x90 kthread+0x14c/0x170 ? kthread_park+0x90/0x90 ret_from_fork+0x1f/0x30 Fixes: 6f82b2558735 ("ixgbe: use generic power management") Signed-off-by: Yongxin Liu Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 31166efb1cee348eb6314e9c0095d84cbeb66b9d Author: Alexander Duyck Date: Mon Mar 8 12:41:56 2021 -0800 ixgbe: Fix NULL pointer dereference in ethtool loopback test The ixgbe driver currently generates a NULL pointer dereference when performing the ethtool loopback test. This is due to the fact that there isn't a q_vector associated with the test ring when it is setup as interrupts are not normally added to the test rings. To address this I have added code that will check for a q_vector before returning a napi_id value. If a q_vector is not present it will return a value of 0. Fixes: b02e5a0ebb17 ("xsk: Propagate napi_id to XDP socket Rx path") Signed-off-by: Alexander Duyck Acked-by: Björn Töpel Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 8db403b9631331ef1d5e302cdf353c48849ca9d5 Author: Christophe JAILLET Date: Sun Apr 11 12:21:54 2021 +0200 tracing/dynevent: Fix a memory leak in an error handling path We must free 'argv' before returning, as already done in all the other paths of this function. Link: https://lkml.kernel.org/r/21e3594ccd7fc88c5c162c98450409190f304327.1618136448.git.christophe.jaillet@wanadoo.fr Fixes: d262271d0483 ("tracing/dynevent: Delegate parsing to create function") Acked-by: Masami Hiramatsu Signed-off-by: Christophe JAILLET Signed-off-by: Steven Rostedt (VMware) commit 909290786ea335366e21d7f1ed5812b90f2f0a92 Author: Christian A. Ehrhardt Date: Mon Apr 12 23:41:24 2021 +0200 vfio/pci: Add missing range check in vfio_pci_mmap When mmaping an extra device region verify that the region index derived from the mmap offset is valid. Fixes: a15b1883fee1 ("vfio_pci: Allow mapping extra regions") Cc: stable@vger.kernel.org Signed-off-by: Christian A. Ehrhardt Message-Id: <20210412214124.GA241759@lisa.in-ulm.de> Reviewed-by: David Gibson Reviewed-by: Cornelia Huck Signed-off-by: Alex Williamson commit 6998a8800d73116187aad542391ce3b2dd0f9e30 Author: Rafael J. Wysocki Date: Tue Apr 13 16:01:00 2021 +0200 ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables") attempted to address an issue with reserving the memory occupied by ACPI tables, but it broke the initrd-based table override mechanism relied on by multiple users. To restore the initrd-based ACPI table override functionality, move the acpi_boot_table_init() invocation in setup_arch() on x86 after the acpi_table_upgrade() one. Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables") Reported-by: Hans de Goede Tested-by: Hans de Goede Signed-off-by: Rafael J. Wysocki commit 196d941753297d0ca73c563ccd7d00be049ec226 Author: Yuanyuan Zhong Date: Mon Apr 12 17:17:59 2021 -0600 pinctrl: lewisburg: Update number of pins in community When updating pin names for Intel Lewisburg, the numbers of pins were left behind. Update them accordingly. Fixes: e66ff71fd0db ("pinctrl: lewisburg: Update pin list according to v1.1v6") Signed-off-by: Yuanyuan Zhong Signed-off-by: Andy Shevchenko commit 738fa58ee1328481d1d7889e7c430b3401c571b9 Author: Jisheng Zhang Date: Mon Apr 12 17:41:01 2021 +0800 arm64: kprobes: Restore local irqflag if kprobes is cancelled If instruction being single stepped caused a page fault, the kprobes is cancelled to let the page fault handler continue as a normal page fault. But the local irqflags are disabled so cpu will restore pstate with DAIF masked. After pagefault is serviced, the kprobes is triggerred again, we overwrite the saved_irqflag by calling kprobes_save_local_irqflag(). NOTE, DAIF is masked in this new saved irqflag. After kprobes is serviced, the cpu pstate is retored with DAIF masked. This patch is inspired by one patch for riscv from Liao Chang. Signed-off-by: Jisheng Zhang Acked-by: Masami Hiramatsu Link: https://lore.kernel.org/r/20210412174101.6bfb0594@xhacker.debian Signed-off-by: Will Deacon commit ccb39c6285581992f0225c45e4de704028a8ec17 Merge: f33b0e196ed7a 4d8f9065830e5 Author: David S. Miller Date: Mon Apr 12 16:17:50 2021 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix NAT IPv6 offload in the flowtable. 2) icmpv6 is printed as unknown in /proc/net/nf_conntrack. 3) Use div64_u64() in nft_limit, from Eric Dumazet. 4) Use pre_exit to unregister ebtables and arptables hooks, from Florian Westphal. 5) Fix out-of-bound memset in x_tables compat match/target, also from Florian. 6) Clone set elements expression to ensure proper initialization. ==================== Signed-off-by: David S. Miller commit 4d8f9065830e526c83199186c5f56a6514f457d2 Author: Pablo Neira Ayuso Date: Sat Apr 10 21:29:38 2021 +0200 netfilter: nftables: clone set element expression template memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when walking on the list head copy. [ 493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables] [ 493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount] [ 493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83 [ 493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297 [ 493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000 [ 493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0 [ 493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c [ 493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001 [ 493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000 [ 493.064721] FS: 0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000 [ 493.064725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0 [ 493.064733] Call Trace: [ 493.064737] nf_conncount_gc_list+0x8f/0x150 [nf_conncount] [ 493.064746] nft_rhash_gc+0x106/0x390 [nf_tables] Reported-by: Laura Garcia Liebana Fixes: 409444522976 ("netfilter: nf_tables: add elements with stateful expressions") Signed-off-by: Pablo Neira Ayuso commit b29c457a6511435960115c0f548c4360d5f4801d Author: Florian Westphal Date: Wed Apr 7 21:38:57 2021 +0200 netfilter: x_tables: fix compat match/target pad out-of-bound write xt_compat_match/target_from_user doesn't check that zeroing the area to start of next rule won't write past end of allocated ruleset blob. Remove this code and zero the entire blob beforehand. Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com Reported-by: Andy Nguyen Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit f33b0e196ed7aa3dc285b26db7768c1db1eb3a41 Author: Jakub Kicinski Date: Mon Apr 12 11:47:07 2021 -0700 ethtool: fix kdoc attr name Add missing 't' in attrtype. Signed-off-by: Jakub Kicinski Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit 1fe976d308acb6374c899a4ee8025a0a016e453e Author: Pali Rohár Date: Mon Apr 12 18:57:39 2021 +0200 net: phy: marvell: fix detection of PHY on Topaz switches Since commit fee2d546414d ("net: phy: marvell: mv88e6390 temperature sensor reading"), Linux reports the temperature of Topaz hwmon as constant -75°C. This is because switches from the Topaz family (88E6141 / 88E6341) have the address of the temperature sensor register different from Peridot. This address is instead compatible with 88E1510 PHYs, as was used for Topaz before the above mentioned commit. Create a new mapping table between switch family and PHY ID for families which don't have a model number. And define PHY IDs for Topaz and Peridot families. Create a new PHY ID and a new PHY driver for Topaz's internal PHY. The only difference from Peridot's PHY driver is the HWMON probing method. Prior this change Topaz's internal PHY is detected by kernel as: PHY [...] driver [Marvell 88E6390] (irq=63) And afterwards as: PHY [...] driver [Marvell 88E6341 Family] (irq=63) Signed-off-by: Pali Rohár BugLink: https://github.com/globalscaletechnologies/linux/issues/1 Fixes: fee2d546414d ("net: phy: marvell: mv88e6390 temperature sensor reading") Reviewed-by: Marek Behún Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit ea9aadc06a9f10ad20a90edc0a484f1147d88a7a Author: Dave Jiang Date: Mon Apr 12 09:02:36 2021 -0700 dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This also address an issue where we clobber registers in future devices. Fixes: da32b28c95a7 ("dmaengine: idxd: cleanup workqueue config after disabling") Reported-by: Shreenivaas Devarajan Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161824330020.881560.16375921906426627033.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit 6df0e6c57dfc064af330071f372f11aa8c584997 Author: Dave Jiang Date: Mon Apr 12 09:23:27 2021 -0700 dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid entries still programmed at device shutdown. Fixes: 8e50d392652f ("dmaengine: idxd: Add shared workqueue support") Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161824457969.882533.6020239898682672311.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit 89698becf06d341a700913c3d89ce2a914af69a2 Merge: d434405aaab7d d2bd44c4c05d0 Author: Linus Torvalds Date: Mon Apr 12 09:03:49 2021 -0700 Merge tag 'm68knommu-for-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu Pull m68knommu fix from Greg Ungerer: "Some m68k platforms with a non-zero memory base fail to boot with the recent flatmem changes. This is a single regression fix to the pfn offset for that case" * tag 'm68knommu-for-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu: m68k: fix flatmem memory model setup commit 2decad92f4731fac9755a083fcfefa66edb7d67d Author: Catalin Marinas Date: Fri Apr 9 18:37:10 2021 +0100 arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically The entry from EL0 code checks the TFSRE0_EL1 register for any asynchronous tag check faults in user space and sets the TIF_MTE_ASYNC_FAULT flag. This is not done atomically, potentially racing with another CPU calling set_tsk_thread_flag(). Replace the non-atomic ORR+STR with an STSET instruction. While STSET requires ARMv8.1 and an assembler that understands LSE atomics, the MTE feature is part of ARMv8.5 and already requires an updated assembler. Signed-off-by: Catalin Marinas Fixes: 637ec831ea4f ("arm64: mte: Handle synchronous and asynchronous tag check faults") Cc: # 5.10.x Reported-by: Will Deacon Cc: Will Deacon Cc: Vincenzo Frascino Cc: Mark Rutland Link: https://lore.kernel.org/r/20210409173710.18582-1-catalin.marinas@arm.com Signed-off-by: Will Deacon commit aee6f25e9c911323aa89a200e1bb160c1613ed3d Author: Hans de Goede Date: Thu Mar 25 12:48:22 2021 +0100 drm/i915/display/vlv_dsi: Do not skip panel_pwr_cycle_delay when disabling the panel After the recently added commit fe0f1e3bfdfe ("drm/i915: Shut down displays gracefully on reboot"), the DSI panel on a Cherry Trail based Predia Basic tablet would no longer properly light up after reboot. I've managed to reproduce this without rebooting by doing: chvt 3; echo 1 > /sys/class/graphics/fb0/blank;\ echo 0 > /sys/class/graphics/fb0/blank Which rapidly turns the panel off and back on again. The vlv_dsi.c code uses an intel_dsi_msleep() helper for the various delays used for panel on/off, since starting with MIPI-sequences version >= 3 the delays are already included inside the MIPI-sequences. The problems exposed by the "Shut down displays gracefully on reboot" change, show that using this helper for the panel_pwr_cycle_delay is not the right thing to do. This has not been noticed until now because normally the panel never is cycled off and directly on again in quick succession. Change the msleep for the panel_pwr_cycle_delay to a normal msleep() call to avoid the panel staying black after a quick off + on cycle. Cc: Ville Syrjälä Fixes: fe0f1e3bfdfe ("drm/i915: Shut down displays gracefully on reboot") Signed-off-by: Hans de Goede Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210325114823.44922-1-hdegoede@redhat.com (cherry picked from commit 2878b29fc25a0dac0e1c6c94177f07c7f94240f0) Signed-off-by: Rodrigo Vivi commit bf52dc49ba0101f648b4c3ea26b812061406b0d4 Author: Ville Syrjälä Date: Sat Mar 27 02:59:45 2021 +0200 drm/i915: Don't zero out the Y plane's watermarks Don't zero out the watermarks for the Y plane since we've already computed them when computing the UV plane's watermarks (since the UV plane always appears before ethe Y plane when iterating through the planes). This leads to allocating no DDB for the Y plane since .min_ddb_alloc also gets zeroed. And that of course leads to underruns when scanning out planar formats. Cc: stable@vger.kernel.org Cc: Stanislav Lisovskiy Fixes: dbf71381d733 ("drm/i915: Nuke intel_atomic_crtc_state_for_each_plane_state() from skl+ wm code") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210327005945.4929-1-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit f99b805fb9413ff007ca0b6add871737664117dd) Signed-off-by: Rodrigo Vivi commit 11664169981a025b7f6072d136ac724294b7b65c Author: Lyude Paul Date: Thu Mar 18 13:02:02 2021 -0400 drm/i915/dpcd_bl: Don't try vesa interface unless specified by VBT Looks like that there actually are another subset of laptops on the market that don't support the Intel HDR backlight interface, but do advertise support for the VESA DPCD backlight interface despite the fact it doesn't seem to work. Note though I'm not entirely clear on this - on one of the machines where this issue was observed, I also noticed that we appeared to be rejecting the VBT defined backlight frequency in intel_dp_aux_vesa_calc_max_backlight(). It's noted in this function that: /* Use highest possible value of Pn for more granularity of brightness * adjustment while satifying the conditions below. * ... * - FxP is within 25% of desired value. * Note: 25% is arbitrary value and may need some tweak. */ So it's possible that this value might just need to be tweaked, but for now let's just disable the VESA backlight interface unless it's specified in the VBT just to be safe. We might be able to try enabling this again by default in the future. Fixes: 2227816e647a ("drm/i915/dp: Allow forcing specific interfaces through enable_dpcd_backlight") Cc: Jani Nikula Cc: Rodrigo Vivi Bugzilla: https://gitlab.freedesktop.org/drm/intel/-/issues/3169 Signed-off-by: Lyude Paul Reviewed-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20210318170204.513000-1-lyude@redhat.com (cherry picked from commit 9e2eb6d5380e9dadcd2baecb51f238e5eba94bee) Signed-off-by: Rodrigo Vivi commit a994eddb947ea9ebb7b14d9a1267001699f0a136 Author: Vasily Gorbik Date: Fri Apr 9 00:15:21 2021 +0200 s390/entry: save the caller of psw_idle Currently psw_idle does not allocate a stack frame and does not save its r14 and r15 into the save area. Even though this is valid from call ABI point of view, because psw_idle does not make any calls explicitly, in reality psw_idle is an entry point for controlled transition into serving interrupts. So, in practice, psw_idle stack frame is analyzed during stack unwinding. Depending on build options that r14 slot in the save area of psw_idle might either contain a value saved by previous sibling call or complete garbage. [task 0000038000003c28] do_ext_irq+0xd6/0x160 [task 0000038000003c78] ext_int_handler+0xba/0xe8 [task *0000038000003dd8] psw_idle_exit+0x0/0x8 <-- pt_regs ([task 0000038000003dd8] 0x0) [task 0000038000003e10] default_idle_call+0x42/0x148 [task 0000038000003e30] do_idle+0xce/0x160 [task 0000038000003e70] cpu_startup_entry+0x36/0x40 [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 So, to make a stacktrace nicer and actually point for the real caller of psw_idle in this frequently occurring case, make psw_idle save its r14. [task 0000038000003c28] do_ext_irq+0xd6/0x160 [task 0000038000003c78] ext_int_handler+0xba/0xe8 [task *0000038000003dd8] psw_idle_exit+0x0/0x6 <-- pt_regs ([task 0000038000003dd8] arch_cpu_idle+0x3c/0xd0) [task 0000038000003e10] default_idle_call+0x42/0x148 [task 0000038000003e30] do_idle+0xce/0x160 [task 0000038000003e70] cpu_startup_entry+0x36/0x40 [task 0000038000003ea0] arch_call_rest_init+0x76/0x80 Reviewed-by: Sven Schnelle Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit b74e409ea1b18128b877a50883d92a12eba83c33 Author: Vasily Gorbik Date: Fri Apr 9 00:13:18 2021 +0200 s390/entry: avoid setting up backchain in ext|io handlers Currently when interrupt arrives to cpu while in kernel context INT_HANDLER macro (used for ext_int_handler and io_int_handler) allocates new stack frame and pt_regs on the kernel stack and sets up the backchain to jump over the pt_regs to the frame which has been interrupted. This is not ideal to two reasons: 1. This hides the fact that kernel stack contains interrupt frame in it and hence breaks arch_stack_walk_reliable(), which needs to know that to guarantee "reliability" and checks that there are no pt_regs on the way. 2. It breaks the backchain unwinder logic, which assumes that the next stack frame after an interrupt frame is reliable, while it is not. In some cases (when r14 contains garbage) this leads to early unwinding termination with an error, instead of marking frame as unreliable and continuing. To address that, only set backchain to 0. Fixes: 56e62a737028 ("s390: convert to generic entry") Reviewed-by: Sven Schnelle Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 07503e6aefe4a6efd777062191944a14f03b3a18 Author: Dan Carpenter Date: Tue Mar 23 16:19:59 2021 +0300 dmaengine: plx_dma: add a missing put_device() on error path Add a missing put_device(&pdev->dev) if the call to dma_async_device_register(dma); fails. Fixes: 905ca51e63be ("dmaengine: plx-dma: Introduce PLX DMA engine PCI driver skeleton") Signed-off-by: Dan Carpenter Reviewed-by: Logan Gunthorpe Link: https://lore.kernel.org/r/YFnq/0IQzixtAbC1@mwanda Signed-off-by: Vinod Koul commit 917a3200b9f467a154999c7572af345f2470aaf4 Author: Dinghao Liu Date: Fri Apr 9 16:28:05 2021 +0800 dmaengine: tegra20: Fix runtime PM imbalance on error pm_runtime_get_sync() will increase the runtime PM counter even it returns an error. Thus a pairing decrement is needed to prevent refcount leak. Fix this by replacing this API with pm_runtime_resume_and_get(), which will not change the runtime PM counter on error. Signed-off-by: Dinghao Liu Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20210409082805.23643-1-dinghao.liu@zju.edu.cn Signed-off-by: Vinod Koul commit ea45b6008f8095db0cc09ad6e03c7785c2986197 Author: Lv Yunlong Date: Tue Mar 30 18:44:58 2021 -0700 dmaengine: Fix a double free in dma_async_device_register In the first list_for_each_entry() macro of dma_async_device_register, it gets the chan from list and calls __dma_async_device_channel_register (..,chan). We can see that chan->local is allocated by alloc_percpu() and it is freed chan->local by free_percpu(chan->local) when __dma_async_device_channel_register() failed. But after __dma_async_device_channel_register() failed, the caller will goto err_out and freed the chan->local in the second time by free_percpu(). The cause of this problem is forget to set chan->local to NULL when chan->local was freed in __dma_async_device_channel_register(). My patch sets chan->local to NULL when the callee failed to avoid double free. Fixes: d2fb0a0438384 ("dmaengine: break out channel registration") Signed-off-by: Lv Yunlong Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20210331014458.3944-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Vinod Koul commit 88cd1d6191b13689094310c2405394e4ce36d061 Author: Andy Shevchenko Date: Wed Mar 24 16:17:57 2021 +0200 dmaengine: dw: Make it dependent to HAS_IOMEM Some architectures do not provide devm_*() APIs. Hence make the driver dependent on HAVE_IOMEM. Fixes: dbde5c2934d1 ("dw_dmac: use devm_* functions to simplify code") Reported-by: kernel test robot Signed-off-by: Andy Shevchenko Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20210324141757.24710-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul commit 0fff71c5a311e1264988179f7dcc217fda15fadd Author: Dave Jiang Date: Wed Apr 7 12:59:47 2021 -0700 dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state. Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161782558755.107710.18138252584838406025.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit ea6a5735d2a61b938a302eb3629272342a9e7c46 Author: Dave Jiang Date: Mon Mar 22 16:37:29 2021 -0700 dmaengine: idxd: fix opcap sysfs attribute output The operation capability register is 256bits. The current output only prints out the first 64bits. Fix to output the entire 256bits. The current code omits operation caps from IAX devices. Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Reported-by: Lucas Van Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161645624963.2003736.829798666998490151.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit 4ac823e9cd85f66da274c951d21bf9f6b714b729 Author: Dave Jiang Date: Mon Mar 22 16:36:25 2021 -0700 dmaengine: idxd: fix delta_rec and crc size field for completion record The delta_rec_size and crc_val in the completion record should be 32bits and not 16bits. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Reported-by: Nikhil Rao Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161645618572.2003490.14466173451736323035.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit ea941ac294d75d0ace50797aebf0056f6f8f7a7f Author: Dave Jiang Date: Tue Feb 16 17:13:42 2021 -0700 dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that comes after the register is read. Fixes: bfe1d56091c1 ("dmaengine: idxd: Init and probe for Intel data accelerators") Reported-by: Sanjay Kumar Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/161352082229.3511254.1002151220537623503.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul commit 6628ddfec7580882f11fdc5c194a8ea781fdadfa Author: Phillip Potter Date: Sun Apr 11 12:28:24 2021 +0100 net: geneve: check skb is large enough for IPv4/IPv6 header Check within geneve_xmit_skb/geneve6_xmit_skb that sk_buff structure is large enough to include IPv4 or IPv6 header, and reject if not. The geneve_xmit_skb portion and overall idea was contributed by Eric Dumazet. Fixes a KMSAN-found uninit-value bug reported by syzbot at: https://syzkaller.appspot.com/bug?id=abe95dc3e3e9667fc23b8d81f29ecad95c6f106f Suggested-by: Eric Dumazet Reported-by: syzbot+2e406a9ac75bb71d4b7a@syzkaller.appspotmail.com Signed-off-by: Phillip Potter Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 31457db3750c0b0ed229d836f2609fdb8a5b790e Author: Christophe JAILLET Date: Sun Apr 11 11:02:08 2021 +0200 net: davicom: Fix regulator not turned off on failed probe When the probe fails, we must disable the regulator that was previously enabled. This patch is a follow-up to commit ac88c531a5b3 ("net: davicom: Fix regulator not turned off on failed probe") which missed one case. Fixes: 7994fe55a4a2 ("dm9000: Add regulator and reset support to dm9000") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller commit 4af2178ac605faf32ebe638f7ac17d841d40ea9b Author: Joakim Zhang Date: Fri Apr 9 17:11:45 2021 +0800 MAINTAINERS: update maintainer entry for freescale fec driver Update maintainer entry for freescale fec driver. Suggested-by: Heiner Kallweit Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller commit d2bd44c4c05d043fb65cfdf26c54e6d8b94a4b41 Author: Angelo Dureghello Date: Sun Feb 28 20:08:28 2021 +0100 m68k: fix flatmem memory model setup Detected a broken boot on mcf54415, likely introduced from commit 4bfc848e0981 ("m68k/mm: enable use of generic memory_model.h for !DISCONTIGMEM") Fix ARCH_PFN_OFFSET to be a pfn. Signed-off-by: Angelo Dureghello Acked-by: Mike Rapoport Signed-off-by: Greg Ungerer commit d434405aaab7d0ebc516b68a8fc4100922d7f5ef Author: Linus Torvalds Date: Sun Apr 11 15:16:13 2021 -0700 Linux 5.12-rc7 commit 7d900724913cb293620a05c5a3134710db95d0d9 Merge: add6b92660b3d 53b74fa990bf7 Author: Linus Torvalds Date: Sun Apr 11 11:53:36 2021 -0700 Merge tag 'for-5.12-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fix from David Sterba: "One more patch that we'd like to get to 5.12 before release. It's changing where and how the superblock is stored in the zoned mode. It is an on-disk format change but so far there are no implications for users as the proper mkfs support hasn't been merged and is waiting for the kernel side to settle. Until now, the superblocks were derived from the zone index, but zone size can differ per device. This is changed to be based on fixed offset values, to make it independent of the device zone size. The work on that got a bit delayed, we discussed the exact locations to support potential device sizes and usecases. (Partially delayed also due to my vacation.) Having that in the same release where the zoned mode is declared usable is highly desired, there are userspace projects that need to be updated to recognize the feature. Pushing that to the next release would make things harder to test" * tag 'for-5.12-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: zoned: move superblock logging zone location commit add6b92660b3dca65465d3bd7710b4b1338f34f0 Merge: 06f838e02d3b6 6d48b7912cc72 Author: Linus Torvalds Date: Sun Apr 11 11:47:03 2021 -0700 Merge tag 'locking-urgent-2021-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixlets from Ingo Molnar: "Two minor fixes: one for a Clang warning, the other improves an ambiguous/confusing kernel log message" * tag 'locking-urgent-2021-04-11' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: lockdep: Address clang -Wformat warning printing for %hd lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message commit 06f838e02d3b6e161df08c910e12e8366f1cb465 Merge: 52e44129fba5c 632a1c209b877 Author: Linus Torvalds Date: Sun Apr 11 11:42:18 2021 -0700 Merge tag 'x86_urgent_for_v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: - Fix the vDSO exception handling return path to disable interrupts again. - A fix for the CE collector to return the proper return values to its callers which are used to convey what the collector has done with the error address. * tag 'x86_urgent_for_v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/traps: Correct exc_general_protection() and math_error() return paths RAS/CEC: Correct ce_add_elem()'s returned values commit 52e44129fba5cfc4e351fdb5e45849afc74d9a53 Merge: efc2da9241e64 0760fa3d8f7fc Author: Linus Torvalds Date: Sat Apr 10 12:51:12 2021 -0700 Merge branch 'for-5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dennis/percpu Pull percpu fix from Dennis Zhou: "This contains a fix for sporadically failing atomic percpu allocations. I only caught it recently while I was reviewing a new series [1] and simultaneously saw reports by btrfs in xfstests [2] and [3]. In v5.9, memcg accounting was extended to percpu done by adding a second type of chunk. I missed an interaction with the free page float count used to ensure we can support atomic allocations. If one type of chunk has no free pages, but the other has enough to satisfy the free page float requirement, we will not repopulate the free pages for the former type of chunk. This led to the sporadically failing atomic allocations" Link: https://lore.kernel.org/linux-mm/20210324190626.564297-1-guro@fb.com/ [1] Link: https://lore.kernel.org/linux-mm/20210401185158.3275.409509F4@e16-tech.com/ [2] Link: https://lore.kernel.org/linux-mm/CAL3q7H5RNBjCi708GH7jnczAOe0BLnacT9C+OBgA-Dx9jhB6SQ@mail.gmail.com/ [3] * 'for-5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/dennis/percpu: percpu: make pcpu_nr_empty_pop_pages per chunk type commit efc2da9241e643cb90897ac4ed3542daa3edf3bc Merge: 95c7b07551879 5cd0f6f57639c Author: Linus Torvalds Date: Sat Apr 10 12:29:19 2021 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Seven fixes, all in drivers. The hpsa three are the most extensive and the most problematic: it's a packed structure misalignment that oopses on ia64 but looks like it would also oops on quite a few non-x86 architectures. The pm80xx is a regression and the rest are bug fixes for patches in the misc tree" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state scsi: target: iscsi: Fix zero tag inside a trace event scsi: pm80xx: Fix chip initialization failure scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs scsi: ufs: core: Fix task management request completion timeout scsi: hpsa: Add an assert to prevent __packed reintroduction scsi: hpsa: Fix boot on ia64 (atomic_t alignment) scsi: hpsa: Use __packed on individual structs, not header-wide commit d163a925ebbc6eb5b562b0f1d72c7e817aa75c40 Author: Florian Westphal Date: Wed Apr 7 21:43:40 2021 +0200 netfilter: arp_tables: add pre_exit hook for table unregister Same problem that also existed in iptables/ip(6)tables, when arptable_filter is removed there is no longer a wait period before the table/ruleset is free'd. Unregister the hook in pre_exit, then remove the table in the exit function. This used to work correctly because the old nf_hook_unregister API did unconditional synchronize_net. The per-net hook unregister function uses call_rcu instead. Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 7ee3c61dcd28bf6e290e06ad382f13511dc790e9 Author: Florian Westphal Date: Wed Apr 7 21:43:39 2021 +0200 netfilter: bridge: add pre_exit hooks for ebtable unregistration Just like ip/ip6/arptables, the hooks have to be removed, then synchronize_rcu() has to be called to make sure no more packets are being processed before the ruleset data is released. Place the hook unregistration in the pre_exit hook, then call the new ebtables pre_exit function from there. Years ago, when first netns support got added for netfilter+ebtables, this used an older (now removed) netfilter hook unregister API, that did a unconditional synchronize_rcu(). Now that all is done with call_rcu, ebtable_{filter,nat,broute} pernet exit handlers may free the ebtable ruleset while packets are still in flight. This can only happens on module removal, not during netns exit. The new function expects the table name, not the table struct. This is because upcoming patch set (targeting -next) will remove all net->xt.{nat,filter,broute}_table instances, this makes it necessary to avoid external references to those member variables. The existing APIs will be converted, so follow the upcoming scheme of passing name + hook type instead. Fixes: aee12a0a3727e ("ebtables: remove nf_hook_register usage") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit b895bdf5d643b6feb7c60856326dd4feb6981560 Author: Eric Dumazet Date: Fri Apr 9 08:49:39 2021 -0700 netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8390 Comm: syz-executor188 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:div_u64_rem include/linux/math64.h:28 [inline] RIP: 0010:div_u64 include/linux/math64.h:127 [inline] RIP: 0010:nft_limit_init+0x2a2/0x5e0 net/netfilter/nft_limit.c:85 Code: ef 4c 01 eb 41 0f 92 c7 48 89 de e8 38 a5 22 fa 4d 85 ff 0f 85 97 02 00 00 e8 ea 9e 22 fa 4c 0f af f3 45 89 ed 31 d2 4c 89 f0 <49> f7 f5 49 89 c6 e8 d3 9e 22 fa 48 8d 7d 48 48 b8 00 00 00 00 00 RSP: 0018:ffffc90009447198 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000200000000000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff875152e6 RDI: 0000000000000003 RBP: ffff888020f80908 R08: 0000200000000000 R09: 0000000000000000 R10: ffffffff875152d8 R11: 0000000000000000 R12: ffffc90009447270 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 FS: 000000000097a300(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000200001c4 CR3: 0000000026a52000 CR4: 00000000001506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: nf_tables_newexpr net/netfilter/nf_tables_api.c:2675 [inline] nft_expr_init+0x145/0x2d0 net/netfilter/nf_tables_api.c:2713 nft_set_elem_expr_alloc+0x27/0x280 net/netfilter/nf_tables_api.c:5160 nf_tables_newset+0x1997/0x3150 net/netfilter/nf_tables_api.c:4321 nfnetlink_rcv_batch+0x85a/0x21b0 net/netfilter/nfnetlink.c:456 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:580 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:598 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling") Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting") Signed-off-by: Eric Dumazet Diagnosed-by: Luigi Rizzo Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso commit 95c7b07551879c8ad4d6dca10c02de46ddbf55a8 Merge: d5fa1dad75bef 791f9e36599d9 Author: Linus Torvalds Date: Sat Apr 10 09:31:52 2021 -0700 Merge tag 'powerpc-5.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Some some more powerpc fixes for 5.12: - Fix an oops triggered by ptrace when CONFIG_PPC_FPU_REGS=n - Fix an oops on sigreturn when the VDSO is unmapped on 32-bit - Fix vdso_wrapper.o not being rebuilt everytime vdso.so is rebuilt Thanks to Christophe Leroy" * tag 'powerpc-5.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/vdso: Make sure vdso_wrapper.o is rebuilt everytime vdso.so is rebuilt powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO powerpc/ptrace: Don't return error when getting/setting FP regs without CONFIG_PPC_FPU_REGS commit d5fa1dad75bef69fbff5a193b7a99ada624a0154 Merge: 445e09e79743c eed6e41813deb Author: Linus Torvalds Date: Sat Apr 10 09:24:35 2021 -0700 Merge tag 'driver-core-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fix from Greg KH: "Here is a single driver core fix for 5.12-rc7 to resolve a reported problem that caused some devices to lockup when booting. It has been in linux-next with no reported issues" * tag 'driver-core-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: driver core: Fix locking bug in deferred_probe_timeout_work_func() commit 445e09e79743c8ba01f1e9eb6b10faab5a92a5c7 Merge: 12a0cf7241f9e bc2f3e4c66284 Author: Linus Torvalds Date: Sat Apr 10 09:19:33 2021 -0700 Merge tag 'usb-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB/Thunderbolt fixes from Greg KH: "Here are a few small USB and Thunderbolt driver fixes for 5.12-rc7 for reported issues: - thunderbolt leaks and off-by-one fix - cdnsp deque fix - usbip fixes for syzbot-reported issues All have been in linux-next with no reported problems" * tag 'usb-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usbip: synchronize event handler with sysfs code paths usbip: vudc synchronize sysfs code paths usbip: stub-dev synchronize sysfs code paths usbip: add sysfs_lock to synchronize sysfs code paths thunderbolt: Fix off by one in tb_port_find_retimer() thunderbolt: Fix a leak in tb_retimer_add() usb: cdnsp: Fixes issue with dequeuing requests after disabling endpoint commit 12a0cf7241f9ee6b9b62e4c5aad53c43f46817a4 Merge: d4961772226de df8a39f2911a4 Author: Linus Torvalds Date: Sat Apr 10 09:10:55 2021 -0700 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "A mixture of driver and documentation bugfixes for I2C" * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: i2c: imx: mention Oleksij as maintainer of the binding docs i2c: exynos5: correct top kerneldoc i2c: designware: Adjust bus_freq_hz when refuse high speed mode set i2c: hix5hd2: use the correct HiSilicon copyright i2c: gpio: update email address in binding docs i2c: imx: drop me as maintainer of binding docs i2c: stm32f4: Mundane typo fix I2C: JZ4780: Fix bug for Ingenic X1000. i2c: turn recovery error on init to debug commit 53b74fa990bf76f290aa5930abfcf37424a1a865 Author: Naohiro Aota Date: Thu Apr 8 17:25:28 2021 +0900 btrfs: zoned: move superblock logging zone location Moves the location of the superblock logging zones. The new locations of the logging zones are now determined based on fixed block addresses instead of on fixed zone numbers. The old placement method based on fixed zone numbers causes problems when one needs to inspect a file system image without access to the drive zone information. In such case, the super block locations cannot be reliably determined as the zone size is unknown. By locating the superblock logging zones using fixed addresses, we can scan a dumped file system image without the zone information since a super block copy will always be present at or after the fixed known locations. Introduce the following three pairs of zones containing fixed offset locations, regardless of the device zone size. - primary superblock: offset 0B (and the following zone) - first copy: offset 512G (and the following zone) - Second copy: offset 4T (4096G, and the following zone) If a logging zone is outside of the disk capacity, we do not record the superblock copy. The first copy position is much larger than for a non-zoned filesystem, which is at 64M. This is to avoid overlapping with the log zones for the primary superblock. This higher location is arbitrary but allows supporting devices with very large zone sizes, plus some space around in between. Such large zone size is unrealistic and very unlikely to ever be seen in real devices. Currently, SMR disks have a zone size of 256MB, and we are expecting ZNS drives to be in the 1-4GB range, so this limit gives us room to breathe. For now, we only allow zone sizes up to 8GB. The maximum zone size that would still fit in the space is 256G. The fixed location addresses are somewhat arbitrary, with the intent of maintaining superblock reliability for smaller and larger devices, with the preference for the latter. For this reason, there are two superblocks under the first 1T. This should cover use cases for physical devices and for emulated/device-mapper devices. The superblock logging zones are reserved for superblock logging and never used for data or metadata blocks. Note that we only reserve the two zones per primary/copy actually used for superblock logging. We do not reserve the ranges of zones possibly containing superblocks with the largest supported zone size (0-16GB, 512G-528GB, 4096G-4112G). The zones containing the fixed location offsets used to store superblocks on a non-zoned volume are also reserved to avoid confusion. Signed-off-by: Naohiro Aota Signed-off-by: David Sterba commit 11d2498f1568a0f923dc8ef7621de15a9e89267f Merge: a2948b17f6b93 9de82caad0282 Author: Dan Williams Date: Fri Apr 9 22:00:09 2021 -0700 Merge branch 'for-5.12/dax' into libnvdimm-fixes Pick up dax compile fix. commit a2948b17f6b936fc52f86c0f92c46d2f91928b79 Author: Vaibhav Jain Date: Fri Apr 2 14:55:55 2021 +0530 libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC In case a platform doesn't provide explicit flush-hints but provides an explicit flush callback via ND_REGION_ASYNC region flag, then nvdimm_has_flush() still returns '0' indicating that writes do not require flushing. This happens on PPC64 with patch at [1] applied, where 'deep_flush' of a region was denied even though an explicit flush function was provided. Fix this by adding a condition to nvdimm_has_flush() to test for the ND_REGION_ASYNC flag on the region and see if a 'region->flush' callback is assigned. Link: http://lore.kernel.org/r/161703936121.36.7260632399582101498.stgit@e1fbed493c87 [1] Fixes: c5d4355d10d4 ("libnvdimm: nd_region flush callback support") Reported-by: Shivaprasad G Bhat Signed-off-by: Vaibhav Jain Link: https://lore.kernel.org/r/20210402092555.208590-1-vaibhav@linux.ibm.com Signed-off-by: Dan Williams commit d4961772226de3b48a395a26c076d450d7044c76 Merge: 9288e1f7d396b 50ce6826a48f1 Author: Linus Torvalds Date: Fri Apr 9 20:00:10 2021 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Here's the latest pile of clk driver and clk framework fixes for this release: - Two clk framework fixes for a long standing issue in clk_notifier_{register,unregister}() where we used a pointer that was for a struct containing a list head when there was no container struct - A compile warning fix for socfpga that's good to have - A double free problem with devm registered fixed factor clks - One last fix to the Qualcomm camera clk driver to use the right clk ops so clks don't get stuck and stop working because the firmware takes them for a ride" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: fixed: fix double free in resource managed fixed-factor clock clk: fix invalid usage of list cursor in unregister clk: fix invalid usage of list cursor in register clk: qcom: camcc: Update the clock ops for the SC7180 clk: socfpga: fix iomem pointer cast on 64-bit commit 9288e1f7d396b7702649d78f2c711c3e0020c71d Merge: adb2c4174fb22 92f1e8adf7db2 Author: Linus Torvalds Date: Fri Apr 9 17:12:31 2021 -0700 Merge tag 'perf-tools-fixes-for-v5.12-2020-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tool fixes from Arnaldo Carvalho de Melo: - Fix wrong LBR block sorting in 'perf report' - Fix 'perf inject' repipe usage when consuming perf.data files - Avoid potential buffer overrun when decoding ARM SPE hardware tracing packets, bug found using a fuzzer * tag 'perf-tools-fixes-for-v5.12-2020-04-09' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf arm-spe: Avoid potential buffer overrun perf report: Fix wrong LBR block sorting perf inject: Fix repipe usage commit adb2c4174fb2294bfed3b161174e8d79743f0167 Merge: 4e04e7513b0fa 7d37cb2c912dc Author: Linus Torvalds Date: Fri Apr 9 17:06:32 2021 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "14 patches. Subsystems affected by this patch series: mm (kasan, gup, pagecache, and kfence), MAINTAINERS, mailmap, nds32, gcov, ocfs2, ia64, and lib" * emailed patches from Andrew Morton : lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS kfence, x86: fix preemptible warning on KPTI-enabled systems lib/test_kasan_module.c: suppress unused var warning kasan: fix conflict with page poisoning fs: direct-io: fix missing sdio->boundary ia64: fix user_stack_pointer() for ptrace() ocfs2: fix deadlock between setattr and dio_end_io_write gcov: re-fix clang-11+ support nds32: flush_dcache_page: use page_mapping_file to avoid races with swapoff mm/gup: check page posion status for coredump. .mailmap: fix old email addresses mailmap: update email address for Jordan Crouse treewide: change my e-mail address, fix my name MAINTAINERS: update CZ.NIC's Turris information commit 4e04e7513b0fa2fe8966a1c83fb473f1667e2810 Merge: 3b9784350f990 27f0ad71699de Author: Linus Torvalds Date: Fri Apr 9 15:26:51 2021 -0700 Merge tag 'net-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from Jakub Kicinski: "Networking fixes for 5.12-rc7, including fixes from can, ipsec, mac80211, wireless, and bpf trees. No scary regressions here or in the works, but small fixes for 5.12 changes keep coming. Current release - regressions: - virtio: do not pull payload in skb->head - virtio: ensure mac header is set in virtio_net_hdr_to_skb() - Revert "net: correct sk_acceptq_is_full()" - mptcp: revert "mptcp: provide subflow aware release function" - ethernet: lan743x: fix ethernet frame cutoff issue - dsa: fix type was not set for devlink port - ethtool: remove link_mode param and derive link params from driver - sched: htb: fix null pointer dereference on a null new_q - wireless: iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() - wireless: iwlwifi: fw: fix notification wait locking - wireless: brcmfmac: p2p: Fix deadlock introduced by avoiding the rtnl dependency Current release - new code bugs: - napi: fix hangup on napi_disable for threaded napi - bpf: take module reference for trampoline in module - wireless: mt76: mt7921: fix airtime reporting and related tx hangs - wireless: iwlwifi: mvm: rfi: don't lock mvm->mutex when sending config command Previous releases - regressions: - rfkill: revert back to old userspace API by default - nfc: fix infinite loop, refcount & memory leaks in LLCP sockets - let skb_orphan_partial wake-up waiters - xfrm/compat: Cleanup WARN()s that can be user-triggered - vxlan, geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply - can: fix msg_namelen values depending on CAN_REQUIRED_SIZE - can: uapi: mark union inside struct can_frame packed - sched: cls: fix action overwrite reference counting - sched: cls: fix err handler in tcf_action_init() - ethernet: mlxsw: fix ECN marking in tunnel decapsulation - ethernet: nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx - ethernet: i40e: fix receiving of single packets in xsk zero-copy mode - ethernet: cxgb4: avoid collecting SGE_QBASE regs during traffic Previous releases - always broken: - bpf: Refuse non-O_RDWR flags in BPF_OBJ_GET - bpf: Refcount task stack in bpf_get_task_stack - bpf, x86: Validate computation of branch displacements - ieee802154: fix many similar syzbot-found bugs - fix NULL dereferences in netlink attribute handling - reject unsupported operations on monitor interfaces - fix error handling in llsec_key_alloc() - xfrm: make ipv4 pmtu check honor ip header df - xfrm: make hash generation lock per network namespace - xfrm: esp: delete NETIF_F_SCTP_CRC bit from features for esp offload - ethtool: fix incorrect datatype in set_eee ops - xdp: fix xdp_return_frame() kernel BUG throw for page_pool memory model - openvswitch: fix send of uninitialized stack memory in ct limit reply Misc: - udp: add get handling for UDP_GRO sockopt" * tag 'net-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (182 commits) net: fix hangup on napi_disable for threaded napi net: hns3: Trivial spell fix in hns3 driver lan743x: fix ethernet frame cutoff issue net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits net: dsa: lantiq_gswip: Don't use PHY auto polling net: sched: sch_teql: fix null-pointer dereference ipv6: report errors for iftoken via netlink extack net: sched: fix err handler in tcf_action_init() net: sched: fix action overwrite reference counting Revert "net: sched: bump refcount for new action in ACT replace mode" ice: fix memory leak of aRFS after resuming from suspend i40e: Fix sparse warning: missing error code 'err' i40e: Fix sparse error: 'vsi->netdev' could be null i40e: Fix sparse error: uninitialized symbol 'ring' i40e: Fix sparse errors in i40e_txrx.c i40e: Fix parameters in aq_get_phy_register() nl80211: fix beacon head validation bpf, x86: Validate computation of branch displacements for x86-32 bpf, x86: Validate computation of branch displacements for x86-64 ... commit 3b9784350f990d8fe2ca08978dc25cd5180d5c21 Merge: a2521822bdfd7 c60eb049f4a19 Author: Linus Torvalds Date: Fri Apr 9 15:06:52 2021 -0700 Merge tag 'io_uring-5.12-2021-04-09' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "Two minor fixups for the reissue logic, and one for making sure that unbounded work is canceled on io-wq exit" * tag 'io_uring-5.12-2021-04-09' of git://git.kernel.dk/linux-block: io-wq: cancel unbounded works on io-wq destroy io_uring: fix rw req completion io_uring: clear F_REISSUE right after getting it commit 7d37cb2c912dc5c25ffac784a4f9b98c06c6bd08 Author: Julian Braha Date: Fri Apr 9 13:27:47 2021 -0700 lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS When LATENCYTOP, LOCKDEP, or FAULT_INJECTION_STACKTRACE_FILTER is enabled and ARCH_WANT_FRAME_POINTERS is disabled, Kbuild gives a warning such as: WARNING: unmet direct dependencies detected for FRAME_POINTER Depends on [n]: DEBUG_KERNEL [=y] && (M68K || UML || SUPERH) || ARCH_WANT_FRAME_POINTERS [=n] || MCOUNT [=n] Selected by [y]: - LATENCYTOP [=y] && DEBUG_KERNEL [=y] && STACKTRACE_SUPPORT [=y] && PROC_FS [=y] && !MIPS && !PPC && !S390 && !MICROBLAZE && !ARM && !ARC && !X86 Depending on ARCH_WANT_FRAME_POINTERS causes a recursive dependency error. ARCH_WANT_FRAME_POINTERS is to be selected by the architecture, and is not supposed to be overridden by other config options. Link: https://lkml.kernel.org/r/20210329165329.27994-1-julianbraha@gmail.com Signed-off-by: Julian Braha Cc: Andreas Schwab Cc: Geert Uytterhoeven Cc: Necip Fazil Yildiran Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 6a77d38efcda40f555a920909eab22ee0917fd0d Author: Marco Elver Date: Fri Apr 9 13:27:44 2021 -0700 kfence, x86: fix preemptible warning on KPTI-enabled systems On systems with KPTI enabled, we can currently observe the following warning: BUG: using smp_processor_id() in preemptible caller is invalidate_user_asid+0x13/0x50 CPU: 6 PID: 1075 Comm: dmesg Not tainted 5.12.0-rc4-gda4a2b1a5479-kfence_1+ #1 Hardware name: Hewlett-Packard HP Pro 3500 Series/2ABF, BIOS 8.11 10/24/2012 Call Trace: dump_stack+0x7f/0xad check_preemption_disabled+0xc8/0xd0 invalidate_user_asid+0x13/0x50 flush_tlb_one_kernel+0x5/0x20 kfence_protect+0x56/0x80 ... While it normally makes sense to require preemption to be off, so that the expected CPU's TLB is flushed and not another, in our case it really is best-effort (see comments in kfence_protect_page()). Avoid the warning by disabling preemption around flush_tlb_one_kernel(). Link: https://lore.kernel.org/lkml/YGIDBAboELGgMgXy@elver.google.com/ Link: https://lkml.kernel.org/r/20210330065737.652669-1-elver@google.com Signed-off-by: Marco Elver Reported-by: Tomi Sarvela Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrey Konovalov Cc: Jann Horn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit e156656717b810202914b77557de8112df4dad0d Author: Andrew Morton Date: Fri Apr 9 13:27:41 2021 -0700 lib/test_kasan_module.c: suppress unused var warning Local `unused' is intentionally unused - it is there to suppress __must_check warnings. Reported-by: kernel test robot Link: https://lkml.kernel.org/r/202104050216.HflRxfJm-lkp@intel.com Cc: Marco Elver Cc: Alexander Potapenko Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 06b1f85588948bd4c772845e5d6891b8f6082248 Author: Andrey Konovalov Date: Fri Apr 9 13:27:38 2021 -0700 kasan: fix conflict with page poisoning When page poisoning is enabled, it accesses memory that is marked as poisoned by KASAN, which leas to false-positive KASAN reports. Suppress the reports by adding KASAN annotations to unpoison_page() (poison_page() already has them). Link: https://lkml.kernel.org/r/2dc799014d31ac13fd97bd906bad33e16376fc67.1617118501.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov Cc: Alexander Potapenko Cc: Marco Elver Cc: Dmitry Vyukov Cc: Andrey Ryabinin Cc: Andrey Konovalov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit df41872b68601059dd4a84858952dcae58acd331 Author: Jack Qiu Date: Fri Apr 9 13:27:35 2021 -0700 fs: direct-io: fix missing sdio->boundary I encountered a hung task issue, but not a performance one. I run DIO on a device (need lba continuous, for example open channel ssd), maybe hungtask in below case: DIO: Checkpoint: get addr A(at boundary), merge into BIO, no submit because boundary missing flush dirty data(get addr A+1), wait IO(A+1) writeback timeout, because DIO(A) didn't submit get addr A+2 fail, because checkpoint is doing dio_send_cur_page() may clear sdio->boundary, so prevent it from missing a boundary. Link: https://lkml.kernel.org/r/20210322042253.38312-1-jack.qiu@huawei.com Fixes: b1058b981272 ("direct-io: submit bio after boundary buffer is added to it") Signed-off-by: Jack Qiu Reviewed-by: Jan Kara Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 7ad1e366167837daeb93d0bacb57dee820b0b898 Author: Sergei Trofimovich Date: Fri Apr 9 13:27:32 2021 -0700 ia64: fix user_stack_pointer() for ptrace() ia64 has two stacks: - memory stack (or stack), pointed at by by r12 - register backing store (register stack), pointed at by ar.bsp/ar.bspstore with complications around dirty register frame on CPU. In [1] Dmitry noticed that PTRACE_GET_SYSCALL_INFO returns the register stack instead memory stack. The bug comes from the fact that user_stack_pointer() and current_user_stack_pointer() don't return the same register: ulong user_stack_pointer(struct pt_regs *regs) { return regs->ar_bspstore; } #define current_user_stack_pointer() (current_pt_regs()->r12) The change gets both back in sync. I think ptrace(PTRACE_GET_SYSCALL_INFO) is the only affected user by this bug on ia64. The change fixes 'rt_sigreturn.gen.test' strace test where it was observed initially. Link: https://bugs.gentoo.org/769614 [1] Link: https://lkml.kernel.org/r/20210331084447.2561532-1-slyfox@gentoo.org Signed-off-by: Sergei Trofimovich Reported-by: Dmitry V. Levin Cc: Oleg Nesterov Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 90bd070aae6c4fb5d302f9c4b9c88be60c8197ec Author: Wengang Wang Date: Fri Apr 9 13:27:29 2021 -0700 ocfs2: fix deadlock between setattr and dio_end_io_write The following deadlock is detected: truncate -> setattr path is waiting for pending direct IO to be done (inode->i_dio_count become zero) with inode->i_rwsem held (down_write). PID: 14827 TASK: ffff881686a9af80 CPU: 20 COMMAND: "ora_p005_hrltd9" #0 __schedule at ffffffff818667cc #1 schedule at ffffffff81866de6 #2 inode_dio_wait at ffffffff812a2d04 #3 ocfs2_setattr at ffffffffc05f322e [ocfs2] #4 notify_change at ffffffff812a5a09 #5 do_truncate at ffffffff812808f5 #6 do_sys_ftruncate.constprop.18 at ffffffff81280cf2 #7 sys_ftruncate at ffffffff81280d8e #8 do_syscall_64 at ffffffff81003949 #9 entry_SYSCALL_64_after_hwframe at ffffffff81a001ad dio completion path is going to complete one direct IO (decrement inode->i_dio_count), but before that it hung at locking inode->i_rwsem: #0 __schedule+700 at ffffffff818667cc #1 schedule+54 at ffffffff81866de6 #2 rwsem_down_write_failed+536 at ffffffff8186aa28 #3 call_rwsem_down_write_failed+23 at ffffffff8185a1b7 #4 down_write+45 at ffffffff81869c9d #5 ocfs2_dio_end_io_write+180 at ffffffffc05d5444 [ocfs2] #6 ocfs2_dio_end_io+85 at ffffffffc05d5a85 [ocfs2] #7 dio_complete+140 at ffffffff812c873c #8 dio_aio_complete_work+25 at ffffffff812c89f9 #9 process_one_work+361 at ffffffff810b1889 #10 worker_thread+77 at ffffffff810b233d #11 kthread+261 at ffffffff810b7fd5 #12 ret_from_fork+62 at ffffffff81a0035e Thus above forms ABBA deadlock. The same deadlock was mentioned in upstream commit 28f5a8a7c033 ("ocfs2: should wait dio before inode lock in ocfs2_setattr()"). It seems that that commit only removed the cluster lock (the victim of above dead lock) from the ABBA deadlock party. End-user visible effects: Process hang in truncate -> ocfs2_setattr path and other processes hang at ocfs2_dio_end_io_write path. This is to fix the deadlock itself. It removes inode_lock() call from dio completion path to remove the deadlock and add ip_alloc_sem lock in setattr path to synchronize the inode modifications. [wen.gang.wang@oracle.com: remove the "had_alloc_lock" as suggested] Link: https://lkml.kernel.org/r/20210402171344.1605-1-wen.gang.wang@oracle.com Link: https://lkml.kernel.org/r/20210331203654.3911-1-wen.gang.wang@oracle.com Signed-off-by: Wengang Wang Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 9562fd132985ea9185388a112e50f2a51557827d Author: Nick Desaulniers Date: Fri Apr 9 13:27:26 2021 -0700 gcov: re-fix clang-11+ support LLVM changed the expected function signature for llvm_gcda_emit_function() in the clang-11 release. Users of clang-11 or newer may have noticed their kernels producing invalid coverage information: $ llvm-cov gcov -a -c -u -f -b .gcda -- gcno=.gcno 1 : checksum mismatch, \ (, ) != (, ) 2 Invalid .gcda File! ... Fix up the function signatures so calling this function interprets its parameters correctly and computes the correct cfg checksum. In particular, in clang-11, the additional checksum is no longer optional. Link: https://reviews.llvm.org/rG25544ce2df0daa4304c07e64b9c8b0f7df60c11d Link: https://lkml.kernel.org/r/20210408184631.1156669-1-ndesaulniers@google.com Reported-by: Prasad Sodagudi Tested-by: Prasad Sodagudi Signed-off-by: Nick Desaulniers Reviewed-by: Nathan Chancellor Cc: [5.4+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a3a8833dffb7e7329c2586b8bfc531adb503f123 Author: Mike Rapoport Date: Fri Apr 9 13:27:23 2021 -0700 nds32: flush_dcache_page: use page_mapping_file to avoid races with swapoff Commit cb9f753a3731 ("mm: fix races between swapoff and flush dcache") updated flush_dcache_page implementations on several architectures to use page_mapping_file() in order to avoid races between page_mapping() and swapoff(). This update missed arch/nds32 and there is a possibility of a race there. Replace page_mapping() with page_mapping_file() in nds32 implementation of flush_dcache_page(). Link: https://lkml.kernel.org/r/20210330175126.26500-1-rppt@kernel.org Fixes: cb9f753a3731 ("mm: fix races between swapoff and flush dcache") Signed-off-by: Mike Rapoport Reviewed-by: Matthew Wilcox (Oracle) Acked-by: Greentime Hu Cc: Huang Ying Cc: Nick Hu Cc: Vincent Chen Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d3378e86d1822b6d0bebfbc18a8348691c05dfa0 Author: Aili Yao Date: Fri Apr 9 13:27:19 2021 -0700 mm/gup: check page posion status for coredump. When we do coredump for user process signal, this may be an SIGBUS signal with BUS_MCEERR_AR or BUS_MCEERR_AO code, which means this signal is resulted from ECC memory fail like SRAR or SRAO, we expect the memory recovery work is finished correctly, then the get_dump_page() will not return the error page as its process pte is set invalid by memory_failure(). But memory_failure() may fail, and the process's related pte may not be correctly set invalid, for current code, we will return the poison page, get it dumped, and then lead to system panic as its in kernel code. So check the poison status in get_dump_page(), and if TRUE, return NULL. There maybe other scenario that is also better to check the posion status and not to panic, so make a wrapper for this check, Thanks to David's suggestion(). [akpm@linux-foundation.org: s/0/false/] [yaoaili@kingsoft.com: is_page_poisoned() arg cannot be null, per Matthew] Link: https://lkml.kernel.org/r/20210322115233.05e4e82a@alex-virtual-machine Link: https://lkml.kernel.org/r/20210319104437.6f30e80d@alex-virtual-machine Signed-off-by: Aili Yao Cc: David Hildenbrand Cc: Matthew Wilcox Cc: Naoya Horiguchi Cc: Oscar Salvador Cc: Mike Kravetz Cc: Aili Yao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a5c5e441518f1f39da7ed3ef8e61361a9ea90c8b Author: Matthew Wilcox Date: Fri Apr 9 13:27:10 2021 -0700 .mailmap: fix old email addresses Update Nick & Nadia's old addresses. Link: https://lkml.kernel.org/r/20210406134036.GQ2531743@casper.infradead.org Signed-off-by: Matthew Wilcox Cc: Nicholas Piggin Cc: Nadia Yvette Chambers Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 620ff418ef440f2d585d8c8b2e9396ccfacaacd7 Author: Jordan Crouse Date: Fri Apr 9 13:27:07 2021 -0700 mailmap: update email address for Jordan Crouse jcrouse at codeaurora.org has started bouncing. Redirect to a more permanent address. Link: https://lkml.kernel.org/r/20210325143700.1490518-1-jordan@cosmicpenguin.net Signed-off-by: Jordan Crouse Cc: Alexander Lobakin Cc: Jonathan Corbet Cc: Kees Cook Cc: Miguel Ojeda Cc: Thomas Bogendoerfer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit b37c38484375f5a204500e0b10b40da268090995 Author: Marek Behún Date: Fri Apr 9 13:27:04 2021 -0700 treewide: change my e-mail address, fix my name Change my e-mail address to kabel@kernel.org, and fix my name in non-code parts (add diacritical mark). Link: https://lkml.kernel.org/r/20210325171123.28093-2-kabel@kernel.org Signed-off-by: Marek Behún Cc: Bartosz Golaszewski Cc: Greg Kroah-Hartman Cc: Jassi Brar Cc: Linus Walleij Cc: Pavel Machek Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 4873d8cc141e76aa5f3e7ef6e98dfb3823fcbe6d Author: Marek Behún Date: Fri Apr 9 13:27:01 2021 -0700 MAINTAINERS: update CZ.NIC's Turris information Add all the files maintained by Turris team, not only for MOX, but also for Omnia. Change website. Link: https://lkml.kernel.org/r/20210325171123.28093-1-kabel@kernel.org Signed-off-by: Marek Behún Cc: Pavel Machek Cc: Jassi Brar Cc: Linus Walleij Cc: Bartosz Golaszewski Cc: Greg Kroah-Hartman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a2521822bdfd73bd40d7cd81dfa89cc922b1cff4 Merge: a85f165e1f38c d473d32c2fbac Author: Linus Torvalds Date: Fri Apr 9 13:01:48 2021 -0700 Merge tag 'devicetree-fixes-for-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux Pull devicetree fixes from Rob Herring: - Fix fw_devlink failure with ".*,nr-gpios" properties - Doc link reference fixes from Mauro - Fixes for unaligned FDT handling found on OpenRisc. First, avoid crash with better error handling when unflattening an unaligned FDT. Second, fix memory allocations for FDTs to ensure alignment. * tag 'devicetree-fixes-for-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux: of: property: fw_devlink: do not link ".*,nr-gpios" dt-bindings:iio:adc: update motorola,cpcap-adc.yaml reference dt-bindings: fix references for iio-bindings.txt dt-bindings: don't use ../dir for doc references of: unittest: overlay: ensure proper alignment of copied FDT of: properly check for error returned by fdt_get_name() commit a85f165e1f38c0a5a6e671ce8126a8cafe35af09 Merge: 60144b23c9421 bd119f471299c Author: Linus Torvalds Date: Fri Apr 9 12:56:10 2021 -0700 Merge tag 'drm-fixes-2021-04-10' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Was relatively quiet this week, but still a few pulls came in, pretty much small fixes across the board, a couple of regression fixes in the amdgpu/radeon code, msm has a few minor fixes across the board, a panel regression fix also. amdgpu: - DCN3 fix - Fix CAC setting regression for TOPAZ - Fix ttm regression radeon: - Fix ttm regression msm: - a5xx/a6xx timestamp fix - microcode version check - fail path fix - block programming fix - error removal fix i915: - Fix invalid access to ACPI _DSM objects xen: - Fix use-after-free in xen - minor duplicate defintion cleanup vc4: - Reduce fifo threshold on hvs4 to fix a fifo full error - minor redunantant assignment cleanup panel: - Disable TE support for Droid4 and N950" * tag 'drm-fixes-2021-04-10' of git://anongit.freedesktop.org/drm/drm: drm/vc4: crtc: Reduce PV fifo threshold on hvs4 drm/vc4: plane: Remove redundant assignment drm/amdgpu/smu7: fix CAC setting on TOPAZ drm/radeon: Fix size overflow drm/amdgpu: Fix size overflow drm/i915: Fix invalid access to ACPI _DSM objects drm/amd/display: Add missing mask for DCN3 drm/panel: panel-dsi-cm: disable TE for now drm/msm/disp/dpu1: program 3d_merge only if block is attached drm/msm: a6xx: fix version check for the A650 SQE microcode drm/msm: Fix a5xx/a6xx timestamps drm/msm: Fix removal of valid error case when checking speed_bin drm/msm: Set drvdata to NULL when msm_drm_init() fails drivers: gpu: drm: xen_drm_front_drm_info is declared twice gpu/xen: Fix a use after free in xen_drm_drv_init commit 27f0ad71699de41bae013c367b95a6b319cc46a9 Author: Paolo Abeni Date: Fri Apr 9 17:24:17 2021 +0200 net: fix hangup on napi_disable for threaded napi napi_disable() is subject to an hangup, when the threaded mode is enabled and the napi is under heavy traffic. If the relevant napi has been scheduled and the napi_disable() kicks in before the next napi_threaded_wait() completes - so that the latter quits due to the napi_disable_pending() condition, the existing code leaves the NAPI_STATE_SCHED bit set and the napi_disable() loop waiting for such bit will hang. This patch addresses the issue by dropping the NAPI_STATE_DISABLE bit test in napi_thread_wait(). The later napi_threaded_poll() iteration will take care of clearing the NAPI_STATE_SCHED. This also addresses a related problem reported by Jakub: before this patch a napi_disable()/napi_enable() pair killed the napi thread, effectively disabling the threaded mode. On the patched kernel napi_disable() simply stops scheduling the relevant thread. v1 -> v2: - let the main napi_thread_poll() loop clear the SCHED bit Reported-by: Jakub Kicinski Fixes: 29863d41bb6e ("net: implement threaded-able napi poll loop support") Signed-off-by: Paolo Abeni Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/883923fa22745a9589e8610962b7dc59df09fb1f.1617981844.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski commit cd7e963d2f0875789ddb5c3746b628716bd0a8c9 Author: Salil Mehta Date: Fri Apr 9 08:42:23 2021 +0100 net: hns3: Trivial spell fix in hns3 driver Some trivial spelling mistakes which caught my eye during the review of the code. Signed-off-by: Salil Mehta Link: https://lore.kernel.org/r/20210409074223.32480-1-salil.mehta@huawei.com Signed-off-by: Jakub Kicinski commit 3bc41d6d2721d5168a8f7fea34028a5332068f5e Author: Sven Van Asbroeck Date: Thu Apr 8 20:39:04 2021 -0400 lan743x: fix ethernet frame cutoff issue The ethernet frame length is calculated incorrectly. Depending on the value of RX_HEAD_PADDING, this may result in ethernet frames that are too short (cut off at the end), or too long (garbage added to the end). Fix by calculating the ethernet frame length correctly. For added clarity, use the ETH_FCS_LEN constant in the calculation. Many thanks to Heiner Kallweit for suggesting this solution. Suggested-by: Heiner Kallweit Fixes: 3e21a10fdea3 ("lan743x: trim all 4 bytes of the FCS; not just 2") Link: https://lore.kernel.org/lkml/20210408172353.21143-1-TheSven73@gmail.com/ Signed-off-by: Sven Van Asbroeck Reviewed-by: George McCollister Tested-by: George McCollister Link: https://lore.kernel.org/r/20210409003904.8957-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski commit d473d32c2fbac2d1d7082c61899cfebd34eb267a Author: Ilya Lipnitskiy Date: Mon Apr 5 15:25:40 2021 -0700 of: property: fw_devlink: do not link ".*,nr-gpios" [,]nr-gpios property is used by some GPIO drivers[0] to indicate the number of GPIOs present on a system, not define a GPIO. nr-gpios is not configured by #gpio-cells and can't be parsed along with other "*-gpios" properties. nr-gpios without the "," prefix is not allowed by the DT spec[1], so only add exception for the ",nr-gpios" suffix and let the error message continue being printed for non-compliant implementations. [0] nr-gpios is referenced in Documentation/devicetree/bindings/gpio: - gpio-adnp.txt - gpio-xgene-sb.txt - gpio-xlp.txt - snps,dw-apb-gpio.yaml [1] Link: https://github.com/devicetree-org/dt-schema/blob/cb53a16a1eb3e2169ce170c071e47940845ec26e/schemas/gpio/gpio-consumer.yaml#L20 Fixes errors such as: OF: /palmbus@300000/gpio@600: could not find phandle Fixes: 7f00be96f125 ("of: property: Add device link support for interrupt-parent, dmas and -gpio(s)") Signed-off-by: Ilya Lipnitskiy Cc: Saravana Kannan Cc: stable@vger.kernel.org # v5.5+ Link: https://lore.kernel.org/r/20210405222540.18145-1-ilya.lipnitskiy@gmail.com Signed-off-by: Rob Herring commit 21d6ff39e1692b1f8c0d17331b15f76b40a3c726 Author: Mauro Carvalho Chehab Date: Fri Apr 9 14:47:47 2021 +0200 dt-bindings:iio:adc: update motorola,cpcap-adc.yaml reference Changeset 1ca9d1b1342d ("dt-bindings:iio:adc:motorola,cpcap-adc yaml conversion") renamed: Documentation/devicetree/bindings/iio/adc/cpcap-adc.txt to: Documentation/devicetree/bindings/iio/adc/motorola,cpcap-adc.yaml. Update its cross-reference accordingly. Fixes: 1ca9d1b1342d ("dt-bindings:iio:adc:motorola,cpcap-adc yaml conversion") Acked-by: Jonathan Cameron Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/3e205e5fa701e4bc15d39d6ac1f57717df2bb4c6.1617972339.git.mchehab+huawei@kernel.org Signed-off-by: Rob Herring commit 8235ef155d00d903ff46df099175517ff08f34c9 Author: Mauro Carvalho Chehab Date: Fri Apr 9 14:47:46 2021 +0200 dt-bindings: fix references for iio-bindings.txt The iio-bindings.txt was converted into two files and merged at the dt-schema git tree at: https://github.com/devicetree-org/dt-schema Yet, some documents still refer to the old file. Fix their references, in order to point to the right URL. Fixes: dba91f82d580 ("dt-bindings:iio:iio-binding.txt Drop file as content now in dt-schema") Acked-by: Jonathan Cameron Acked-by: Guenter Roeck Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/4efd81eca266ca0875d3bf9d1672097444146c69.1617972339.git.mchehab+huawei@kernel.org Signed-off-by: Rob Herring commit f6d6c6993a30af46c3a2c323589611890c10ecda Author: Mauro Carvalho Chehab Date: Fri Apr 9 14:47:45 2021 +0200 dt-bindings: don't use ../dir for doc references As documents have been renamed and moved around, their references will break, but this will be unnoticed, as the script which checks for it won't handle "../" references. So, replace them by the full patch. Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/68d3a1244119d1f2829c375b0ef554cf348bc89f.1617972339.git.mchehab+huawei@kernel.org Signed-off-by: Rob Herring commit bd119f471299c8692a00b2f5e9bba8e3b81c3466 Merge: d416bd0bf7efc b6a37a93c9ac3 Author: Dave Airlie Date: Sat Apr 10 05:18:31 2021 +1000 Merge tag 'drm-intel-fixes-2021-04-09' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fix invalid access to ACPI _DSM objects (Takashi) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YHAW6NInrybUoat6@intel.com commit d416bd0bf7efc733f80cbd9b1e387368965ef121 Merge: 2e99cd7a313a0 eb9dfdd1ed403 Author: Dave Airlie Date: Sat Apr 10 05:15:35 2021 +1000 Merge tag 'drm-misc-fixes-2021-04-09' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes drm-misc-fixes for v5.12-rc7: - Fix use-after-free in xen. - Reduce fifo threshold on hvs4 to fix a fifo full error. - Disable TE support for Droid4 and N950. - Small compiler fixes. Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/e7647dd9-60c3-9dfd-a377-89d717212e13@linux.intel.com commit 60144b23c94216b4aca6fba90dca9349183f39e1 Merge: 189fefc7a4f04 9ad6e9cb39c66 Author: Linus Torvalds Date: Fri Apr 9 11:51:06 2021 -0700 Merge tag 'selinux-pr-20210409' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fixes from Paul Moore: "Three SELinux fixes. These fix known problems relating to (re)loading SELinux policy or changing the policy booleans, and pass our test suite without problem" * tag 'selinux-pr-20210409' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinux: fix race between old and new sidtab selinux: fix cond_list corruption when changing booleans selinux: make nslot handling in avtab more robust commit 189fefc7a4f0401d0f799de96b772319a6541fc1 Merge: 3766fcf5d3180 bc04d93ea30a0 Author: Linus Torvalds Date: Fri Apr 9 10:09:51 2021 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull vdpa/mlx5 fixes from Michael Tsirkin: "Last minute fixes. These all look like something we are better off having than not ..." * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vdpa/mlx5: Fix suspend/resume index restoration vdpa/mlx5: Fix wrong use of bit numbers vdpa/mlx5: Retrieve BAR address suitable any function vdpa/mlx5: Use the correct dma device when registering memory vdpa/mlx5: should exclude header length and fcs from mtu commit 3766fcf5d318046e0ae58659e03ead35d40cb9dd Merge: 0b76088799cc8 9afeefcf06fc7 Author: Linus Torvalds Date: Fri Apr 9 10:05:25 2021 -0700 Merge tag 'rproc-v5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc Pull remoteproc fixes from Bjorn Andersson: "This fixes an issue with firmware loading on the TI K3 PRU, fixes compatibility with GNU binutils for the same and resolves link error due to a 64-bit division in the Qualcomm PIL info. It also recognizes Mathieu Poirier as co-maintainer of the remoteproc and rpmsg subsystems" * tag 'rproc-v5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/andersson/remoteproc: remoteproc: pru: Fix firmware loading crashes on K3 SoCs remoteproc: pru: Fix loading of GNU Binutils ELF MAINTAINERS: Add co-maintainer for remoteproc/RPMSG subsystems remoteproc: qcom: pil_info: avoid 64-bit division commit 0b76088799cc8db1ea9c626e54e7bc65f605e65f Merge: ccd6c35c72c77 d120198bd5ff1 Author: Linus Torvalds Date: Fri Apr 9 09:58:42 2021 -0700 Merge tag 'for-linus-5.12b-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "A single fix of a 5.12 patch for the rather uncommon problem of running as a Xen guest with a real time kernel config" * tag 'for-linus-5.12b-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen/evtchn: Change irq_info lock to raw_spinlock_t commit ccd6c35c72c771616c37d1978e02a982da0678ef Merge: 895915226a598 fa26d0c778b43 Author: Linus Torvalds Date: Fri Apr 9 09:25:31 2021 -0700 Merge tag 'acpi-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fix from Rafael Wysocki: "Fix a build issue introduced by a previous fix in the ACPI processor driver (Vitaly Kuznetsov)" * tag 'acpi-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m commit bc04d93ea30a0a8eb2a2648b848cef35d1f6f798 Author: Eli Cohen Date: Thu Apr 8 12:10:47 2021 +0300 vdpa/mlx5: Fix suspend/resume index restoration When we suspend the VM, the VDPA interface will be reset. When the VM is resumed again, clear_virtqueues() will clear the available and used indices resulting in hardware virqtqueue objects becoming out of sync. We can avoid this function alltogether since qemu will clear them if required, e.g. when the VM went through a reboot. Moreover, since the hw available and used indices should always be identical on query and should be restored to the same value same value for virtqueues that complete in order, we set the single value provided by set_vq_state(). In get_vq_state() we return the value of hardware used index. Fixes: b35ccebe3ef7 ("vdpa/mlx5: Restore the hardware used index after change map") Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20210408091047.4269-6-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit 4b454a82418dd76d8c0590bb3f7a99a63ea57dc5 Author: Eli Cohen Date: Thu Apr 8 12:10:46 2021 +0300 vdpa/mlx5: Fix wrong use of bit numbers VIRTIO_F_VERSION_1 is a bit number. Use BIT_ULL() with mask conditionals. Also, in mlx5_vdpa_is_little_endian() use BIT_ULL for consistency with the rest of the code. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20210408091047.4269-5-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit b2ae0a2db8a2d42a643590c4935faf61fedf553b Author: Eli Cohen Date: Thu Apr 8 12:10:45 2021 +0300 vdpa/mlx5: Retrieve BAR address suitable any function struct mlx5_core_dev has a bar_addr field that contains the correct bar address for the function regardless of whether it is pci function or sub function. Use it. Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") Signed-off-by: Eli Cohen Reviewed-by: Parav Pandit Link: https://lore.kernel.org/r/20210408091047.4269-4-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit d13a15d544ce51c0d83744ccb638c954e645feea Author: Eli Cohen Date: Thu Apr 8 12:10:44 2021 +0300 vdpa/mlx5: Use the correct dma device when registering memory In cases where the vdpa instance uses a SF (sub function), the DMA device is the parent device. Use a function to retrieve the correct DMA device. Fixes: 1958fc2f0712 ("net/mlx5: SF, Add auxiliary device driver") Signed-off-by: Eli Cohen Reviewed-by: Parav Pandit Link: https://lore.kernel.org/r/20210408091047.4269-3-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit d084d996aaf53c0cc583dc75a4fc2a67fe485846 Author: Si-Wei Liu Date: Thu Apr 8 12:10:43 2021 +0300 vdpa/mlx5: should exclude header length and fcs from mtu When feature VIRTIO_NET_F_MTU is negotiated on mlx5_vdpa, 22 extra bytes worth of MTU length is shown in guest. This is because the mlx5_query_port_max_mtu API returns the "hardware" MTU value, which does not just contain the Ethernet payload, but includes extra lengths starting from the Ethernet header up to the FCS altogether. Fix the MTU so packets won't get dropped silently. Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Si-Wei Liu Acked-by: Jason Wang Acked-by: Eli Cohen Link: https://lore.kernel.org/r/20210408091047.4269-2-elic@nvidia.com Signed-off-by: Michael S. Tsirkin commit 895915226a598394fe9bf57fe97612bdfcb2fb86 Author: Hans de Goede Date: Fri Apr 9 15:58:50 2021 +0200 Bluetooth: btusb: Revert Fix the autosuspend enable and disable drivers/usb/core/hub.c: usb_new_device() contains the following: /* By default, forbid autosuspend for all devices. It will be * allowed for hubs during binding. */ usb_disable_autosuspend(udev); So for anything which is not a hub, such as btusb devices, autosuspend is disabled by default and we must call usb_enable_autosuspend(udev) to enable it. This means that the "Fix the autosuspend enable and disable" commit, which drops the usb_enable_autosuspend() call when the enable_autosuspend module option is true, is completely wrong, revert it. This reverts commit 7bd9fb058d77213130e4b3e594115c028b708e7e. Cc: Hui Wang Fixes: 7bd9fb058d77 ("Bluetooth: btusb: Fix the autosuspend enable and disable") Acked-by: Hui Wang Acked-by: Marcel Holtmann Signed-off-by: Hans de Goede Signed-off-by: Linus Torvalds commit 0760fa3d8f7fceeea508b98899f1c826e10ffe78 Author: Roman Gushchin Date: Wed Apr 7 20:57:33 2021 -0700 percpu: make pcpu_nr_empty_pop_pages per chunk type nr_empty_pop_pages is used to guarantee that there are some free populated pages to satisfy atomic allocations. Accounted and non-accounted allocations are using separate sets of chunks, so both need to have a surplus of empty pages. This commit makes pcpu_nr_empty_pop_pages and the corresponding logic per chunk type. [Dennis] This issue came up as I was reviewing [1] and realized I missed this. Simultaneously, it was reported btrfs was seeing failed atomic allocations in fsstress tests [2] and [3]. [1] https://lore.kernel.org/linux-mm/20210324190626.564297-1-guro@fb.com/ [2] https://lore.kernel.org/linux-mm/20210401185158.3275.409509F4@e16-tech.com/ [3] https://lore.kernel.org/linux-mm/CAL3q7H5RNBjCi708GH7jnczAOe0BLnacT9C+OBgA-Dx9jhB6SQ@mail.gmail.com/ Fixes: 3c7be18ac9a0 ("mm: memcg/percpu: account percpu memory to memory cgroups") Cc: stable@vger.kernel.org # 5.9+ Signed-off-by: Roman Gushchin Tested-by: Filipe Manana Signed-off-by: Dennis Zhou commit 632a1c209b8773cb0119fe3aada9f1db14fa357c Author: Thomas Tai Date: Thu Apr 8 13:28:33 2021 -0400 x86/traps: Correct exc_general_protection() and math_error() return paths Commit 334872a09198 ("x86/traps: Attempt to fixup exceptions in vDSO before signaling") added return statements which bypass calling cond_local_irq_disable(). According to ca4c6a9858c2 ("x86/traps: Make interrupt enable/disable symmetric in C code"), cond_local_irq_disable() is needed because the asm return code no longer disables interrupts. Follow the existing code as an example to use "goto exit" instead of "return" statement. [ bp: Massage commit message. ] Fixes: 334872a09198 ("x86/traps: Attempt to fixup exceptions in vDSO before signaling") Signed-off-by: Thomas Tai Signed-off-by: Borislav Petkov Reviewed-by: Alexandre Chartre Link: https://lkml.kernel.org/r/1617902914-83245-1-git-send-email-thomas.tai@oracle.com commit 2361db89aaadfb671db6911b0063e01ec8922c28 Author: Dan Williams Date: Tue Mar 9 17:43:38 2021 -0800 libnvdimm: Notify disk drivers to revalidate region read-only Previous kernels allowed the BLKROSET to override the disk's read-only status. With that situation fixed the pmem driver needs to rely on notification events to reevaluate the disk read-only status after the host region has been marked read-write. Recall that when libnvdimm determines that the persistent memory has lost persistence (for example lack of energy to flush from DRAM to FLASH on an NVDIMM-N device) it marks the region read-only, but that state can be overridden by the user via: echo 0 > /sys/bus/nd/devices/regionX/read_only ...to date there is no notification that the region has restored persistence, so the user override is the only recovery. Fixes: 52f019d43c22 ("block: add a hard-readonly flag to struct gendisk") Reported-by: kernel test robot Reported-by: Vishal Verma Tested-by: Vishal Verma Reviewed-by: Christoph Hellwig Cc: Christoph Hellwig Cc: Ming Lei Cc: Martin K. Petersen Cc: Hannes Reinecke Cc: Jens Axboe Link: https://lore.kernel.org/r/161534060720.528671.2341213328968989192.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit 17e7124aad766b3f158943acb51467f86220afe9 Merge: 4fa56ad0d12e2 0fc9322ab5e1f Author: Linus Torvalds Date: Thu Apr 8 18:57:47 2021 -0700 Merge tag '5.12-rc6-smb3' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Three cifs/smb3 fixes, two for stable: a reconnect fix and a fix for display of devnames with special characters" * tag '5.12-rc6-smb3' of git://git.samba.org/sfrench/cifs-2.6: cifs: escape spaces in share names fs: cifs: Remove unnecessary struct declaration cifs: On cifs_reconnect, resolve the hostname again. commit 2e99cd7a313a0d97b62ccf320c72ef70179dc3f3 Merge: 2bbbb07da802a 12aca1ce9ee33 Author: Dave Airlie Date: Fri Apr 9 10:33:11 2021 +1000 Merge tag 'drm-msm-fixes-2021-04-02' of https://gitlab.freedesktop.org/drm/msm into drm-fixes some more minor fixes: - a5xx/a6xx timestamp fix - microcode version check - fail path fix - block programming fix - error removal fix. Signed-off-by: Dave Airlie From: Rob Clark Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGsMj7Nv3vVaVWMxPy8Y=Z_SnZmVKhKgKDxDYTr9rGN_+w@mail.gmail.com commit 864db232dc7036aa2de19749c3d5be0143b24f8f Author: Muhammad Usama Anjum Date: Fri Apr 9 03:01:29 2021 +0500 net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh nlh is being checked for validtity two times when it is dereferenced in this function. Check for validity again when updating the flags through nlh pointer to make the dereferencing safe. CC: Addresses-Coverity: ("NULL pointer dereference") Signed-off-by: Muhammad Usama Anjum Signed-off-by: David S. Miller commit 2d1b50abf8d4964b14705bfec253be6e80c22099 Merge: 6494d15fd643e 4b5923249b8fa Author: David S. Miller Date: Thu Apr 8 16:38:23 2021 -0700 Merge branch 'lantiq-GSWIP-fixes' Martin Blumenstingl says: ==================== lantiq: GSWIP: two more fixes after my last patch got accepted and is now in net as commit 3e6fdeb28f4c33 ("net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock") [0] some more people from the OpenWrt community (many thanks to everyone involved) helped test the GSWIP driver: [1] It turns out that the previous fix does not work for all boards. There's no regression, but it doesn't fix as many problems as I thought. This is why two more fixes are needed: - the first one solves many (four known but probably there are a few extra hidden ones) reported bugs with the GSWIP where no traffic would flow. Not all circumstances are fully understood but testing shows that switching away from PHY auto polling solves all of them - while investigating the different problems which are addressed by the first patch some small issues with the existing code were found. These are addressed by the second patch Changes since v1 at [0]: - Don't configure the link parameters in gswip_phylink_mac_config (as we're using the "modern" way in gswip_phylink_mac_link_up). Thanks to Andrew for the hint with the phylink documentation. - Clarify that GSWIP_MII_CFG_RMII_CLK is ignored by the hardware in the description of the second patch as suggested by Hauke - Don't set GSWIP_MII_CFG_RGMII_IBS in the second patch as we don't have any hardware available for testing this. The patch description now also reflects this. - Added Andrew's Reviewed-by to the first patch (thank you!) ==================== Signed-off-by: David S. Miller commit 4b5923249b8fa427943b50b8f35265176472be38 Author: Martin Blumenstingl Date: Thu Apr 8 20:38:28 2021 +0200 net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits There are a few more bits in the GSWIP_MII_CFG register for which we did rely on the boot-loader (or the hardware defaults) to set them up properly. For some external RMII PHYs we need to select the GSWIP_MII_CFG_RMII_CLK bit and also we should un-set it for non-RMII PHYs. The GSWIP_MII_CFG_RMII_CLK bit is ignored for other PHY connection modes. The GSWIP IP also supports in-band auto-negotiation for RGMII PHYs when the GSWIP_MII_CFG_RGMII_IBS bit is set. Clear this bit always as there's no known hardware which uses this (so it is not tested yet). Clear the xMII isolation bit when set at initialization time if it was previously set by the bootloader. Not doing so could lead to no traffic (neither RX nor TX) on a port with this bit set. While here, also add the GSWIP_MII_CFG_RESET bit. We don't need to manage it because this bit is self-clearning when set. We still add it here to get a better overview of the GSWIP_MII_CFG register. Fixes: 14fceff4771e51 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Cc: stable@vger.kernel.org Suggested-by: Hauke Mehrtens Acked-by: Hauke Mehrtens Signed-off-by: Martin Blumenstingl Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 3e9005be87777afc902b9f5497495898202d335d Author: Martin Blumenstingl Date: Thu Apr 8 20:38:27 2021 +0200 net: dsa: lantiq_gswip: Don't use PHY auto polling PHY auto polling on the GSWIP hardware can be used so link changes (speed, link up/down, etc.) can be detected automatically. Internally GSWIP reads the PHY's registers for this functionality. Based on this automatic detection GSWIP can also automatically re-configure it's port settings. Unfortunately this auto polling (and configuration) mechanism seems to cause various issues observed by different people on different devices: - FritzBox 7360v2: the two Gbit/s ports (connected to the two internal PHY11G instances) are working fine but the two Fast Ethernet ports (using an AR8030 RMII PHY) are completely dead (neither RX nor TX are received). It turns out that the AR8030 PHY sets the BMSR_ESTATEN bit as well as the ESTATUS_1000_TFULL and ESTATUS_1000_XFULL bits. This makes the PHY auto polling state machine (rightfully?) think that the established link speed (when the other side is Gbit/s capable) is 1Gbit/s. - None of the Ethernet ports on the Zyxel P-2812HNU-F1 (two are connected to the internal PHY11G GPHYs while the other three are external RGMII PHYs) are working. Neither RX nor TX traffic was observed. It is not clear which part of the PHY auto polling state- machine caused this. - FritzBox 7412 (only one LAN port which is connected to one of the internal GPHYs running in PHY22F / Fast Ethernet mode) was seeing random disconnects (link down events could be seen). Sometimes all traffic would stop after such disconnect. It is not clear which part of the PHY auto polling state-machine cauased this. - TP-Link TD-W9980 (two ports are connected to the internal GPHYs running in PHY11G / Gbit/s mode, the other two are external RGMII PHYs) was affected by similar issues as the FritzBox 7412 just without the "link down" events Switch to software based configuration instead of PHY auto polling (and letting the GSWIP hardware configure the ports automatically) for the following link parameters: - link up/down - link speed - full/half duplex - flow control (RX / TX pause) After a big round of manual testing by various people (who helped test this on OpenWrt) it turns out that this fixes all reported issues. Additionally it can be considered more future proof because any "quirk" which is implemented for a PHY on the driver side can now be used with the GSWIP hardware as well because Linux is in control of the link parameters. As a nice side-effect this also solves a problem where fixed-links were not supported previously because we were relying on the PHY auto polling mechanism, which cannot work for fixed-links as there's no PHY from where it can read the registers. Configuring the link settings on the GSWIP ports means that we now use the settings from device-tree also for ports with fixed-links. Fixes: 14fceff4771e51 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Fixes: 3e6fdeb28f4c33 ("net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock") Cc: stable@vger.kernel.org Acked-by: Hauke Mehrtens Reviewed-by: Andrew Lunn Signed-off-by: Martin Blumenstingl Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 4fa56ad0d12e24df768c98bffe9039f915d1bc02 Merge: 3fb4f979b4fa1 d1c803a9ccd7b Author: Linus Torvalds Date: Thu Apr 8 15:51:11 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Nothing very exciting here, just a few small bug fixes. No red flags for this release have shown up. - Regression from the last pull request in cxgb4 related to the ipv6 fixes - KASAN crasher in rtrs - oops in hfi1 related to a buggy BIOS - Userspace could oops qedr's XRC support - Uninitialized memory when parsing a LS_NLA_TYPE_DGID netlink message" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/addr: Be strict with gid size RDMA/qedr: Fix kernel panic when trying to access recv_cq IB/hfi1: Fix probe time panic when AIP is enabled with a buggy BIOS RDMA/cxgb4: check for ipv6 address properly while destroying listener RDMA/rtrs-clt: Close rtrs client conn before destroying rtrs clt session files commit 48d499bd89191b359a6dbe44d32107e3021571c2 Author: Frank Rowand Date: Thu Apr 8 15:45:08 2021 -0500 of: unittest: overlay: ensure proper alignment of copied FDT The Devicetree standard specifies an 8 byte alignment of the FDT. Code in libfdt expects this alignment for an FDT image in memory. kmemdup() returns 4 byte alignment on openrisc. Replace kmemdup() with kmalloc(), align pointer, memcpy() to get proper alignment. The 4 byte alignment exposed a related bug which triggered a crash on openrisc with: commit 79edff12060f ("scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9") as reported in: https://lore.kernel.org/lkml/20210327224116.69309-1-linux@roeck-us.net/ Reported-by: Guenter Roeck Signed-off-by: Frank Rowand Link: https://lore.kernel.org/r/20210408204508.2276230-1-frowand.list@gmail.com Signed-off-by: Rob Herring commit afd0be7299533bb2e2b09104399d8a467ecbd2c5 Author: Ciara Loftus Date: Thu Apr 8 05:20:09 2021 +0000 libbpf: Fix potential NULL pointer dereference Wait until after the UMEM is checked for null to dereference it. Fixes: 43f1bc1efff1 ("libbpf: Restore umem state after socket create failure") Signed-off-by: Ciara Loftus Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210408052009.7844-1-ciara.loftus@intel.com commit 6494d15fd643ed24e0603e52923ee64ed1cfa00e Merge: 1ffbc7ea91606 1831da7ea5bdf Author: David S. Miller Date: Thu Apr 8 14:21:40 2021 -0700 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2021-04-08 This series contains updates to i40e and ice drivers. Grzegorz fixes the ordering of parameters to i40e_aq_get_phy_register() which is causing incorrect information to be reported. Arkadiusz fixes various sparse issues reported on the i40e driver. Yongxin Liu fixes a memory leak with aRFS following resume from suspend for ice driver. ==================== Signed-off-by: David S. Miller commit 1ffbc7ea91606e4abd10eb60de5367f1c86daf5e Author: Pavel Tikhomirov Date: Thu Apr 8 18:14:31 2021 +0300 net: sched: sch_teql: fix null-pointer dereference Reproduce: modprobe sch_teql tc qdisc add dev teql0 root teql0 This leads to (for instance in Centos 7 VM) OOPS: [ 532.366633] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8 [ 532.366733] IP: [] teql_destroy+0x18/0x100 [sch_teql] [ 532.366825] PGD 80000001376d5067 PUD 137e37067 PMD 0 [ 532.366906] Oops: 0000 [#1] SMP [ 532.366987] Modules linked in: sch_teql ... [ 532.367945] CPU: 1 PID: 3026 Comm: tc Kdump: loaded Tainted: G ------------ T 3.10.0-1062.7.1.el7.x86_64 #1 [ 532.368041] Hardware name: Virtuozzo KVM, BIOS 1.11.0-2.vz7.2 04/01/2014 [ 532.368125] task: ffff8b7d37d31070 ti: ffff8b7c9fdbc000 task.ti: ffff8b7c9fdbc000 [ 532.368224] RIP: 0010:[] [] teql_destroy+0x18/0x100 [sch_teql] [ 532.368320] RSP: 0018:ffff8b7c9fdbf8e0 EFLAGS: 00010286 [ 532.368394] RAX: ffffffffc0612490 RBX: ffff8b7cb1565e00 RCX: ffff8b7d35ba2000 [ 532.368476] RDX: ffff8b7d35ba2000 RSI: 0000000000000000 RDI: ffff8b7cb1565e00 [ 532.368557] RBP: ffff8b7c9fdbf8f8 R08: ffff8b7d3fd1f140 R09: ffff8b7d3b001600 [ 532.368638] R10: ffff8b7d3b001600 R11: ffffffff84c7d65b R12: 00000000ffffffd8 [ 532.368719] R13: 0000000000008000 R14: ffff8b7d35ba2000 R15: ffff8b7c9fdbf9a8 [ 532.368800] FS: 00007f6a4e872740(0000) GS:ffff8b7d3fd00000(0000) knlGS:0000000000000000 [ 532.368885] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 532.368961] CR2: 00000000000000a8 CR3: 00000001396ee000 CR4: 00000000000206e0 [ 532.369046] Call Trace: [ 532.369159] [] qdisc_create+0x36e/0x450 [ 532.369268] [] ? ns_capable+0x29/0x50 [ 532.369366] [] ? nla_parse+0x32/0x120 [ 532.369442] [] tc_modify_qdisc+0x13c/0x610 [ 532.371508] [] rtnetlink_rcv_msg+0xa7/0x260 [ 532.372668] [] ? sock_has_perm+0x75/0x90 [ 532.373790] [] ? rtnl_newlink+0x890/0x890 [ 532.374914] [] netlink_rcv_skb+0xab/0xc0 [ 532.376055] [] rtnetlink_rcv+0x28/0x30 [ 532.377204] [] netlink_unicast+0x170/0x210 [ 532.378333] [] netlink_sendmsg+0x308/0x420 [ 532.379465] [] sock_sendmsg+0xb6/0xf0 [ 532.380710] [] ? __xfs_filemap_fault+0x8e/0x1d0 [xfs] [ 532.381868] [] ? xfs_filemap_fault+0x2c/0x30 [xfs] [ 532.383037] [] ? __do_fault.isra.61+0x8a/0x100 [ 532.384144] [] ___sys_sendmsg+0x3e9/0x400 [ 532.385268] [] ? handle_mm_fault+0x39d/0x9b0 [ 532.386387] [] ? __do_page_fault+0x238/0x500 [ 532.387472] [] __sys_sendmsg+0x51/0x90 [ 532.388560] [] SyS_sendmsg+0x12/0x20 [ 532.389636] [] system_call_fastpath+0x25/0x2a [ 532.390704] [] ? system_call_after_swapgs+0xae/0x146 [ 532.391753] Code: 00 00 00 00 00 00 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 41 55 41 54 53 48 8b b7 48 01 00 00 48 89 fb <48> 8b 8e a8 00 00 00 48 85 c9 74 43 48 89 ca eb 0f 0f 1f 80 00 [ 532.394036] RIP [] teql_destroy+0x18/0x100 [sch_teql] [ 532.395127] RSP [ 532.396179] CR2: 00000000000000a8 Null pointer dereference happens on master->slaves dereference in teql_destroy() as master is null-pointer. When qdisc_create() calls teql_qdisc_init() it imediately fails after check "if (m->dev == dev)" because both devices are teql0, and it does not set qdisc_priv(sch)->m leaving it zero on error path, then qdisc_create() imediately calls teql_destroy() which does not expect zero master pointer and we get OOPS. Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation") Signed-off-by: Pavel Tikhomirov Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit 971e3057113d5eb25597af1ae61450c0b87c5287 Merge: ac075bdd6899b 26f55a59dc65f Author: David S. Miller Date: Thu Apr 8 14:10:53 2021 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2021-04-08 The following pull-request contains BPF updates for your *net* tree. We've added 4 non-merge commits during the last 2 day(s) which contain a total of 4 files changed, 31 insertions(+), 10 deletions(-). The main changes are: 1) Validate and reject invalid JIT branch displacements, from Piotr Krysiuk. 2) Fix incorrect unhash restore as well as fwd_alloc memory accounting in sock map, from John Fastabend. ==================== Signed-off-by: David S. Miller commit ac075bdd6899b03785d7fbe3abed1cdf13162726 Merge: 3583a4e8d77d4 9a6847ba17478 Author: David S. Miller Date: Thu Apr 8 14:08:37 2021 -0700 Merge tag 'mac80211-for-net-2021-04-08.2' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes berg says: ==================== Various small fixes: * S1G beacon validation * potential leak in nl80211 * fast-RX confusion with 4-addr mode * erroneous WARN_ON that userspace can trigger * wrong time units in virt_wifi * rfkill userspace API breakage * TXQ AC confusing that led to traffic stopped forever * connection monitoring time after/before confusion * netlink beacon head validation buffer overrun ==================== Signed-off-by: David S. Miller commit 3583a4e8d77d44697a21437227dd53fc6e7b2cb5 Author: Stephen Hemminger Date: Wed Apr 7 08:59:12 2021 -0700 ipv6: report errors for iftoken via netlink extack Setting iftoken can fail for several different reasons but there and there was no report to user as to the cause. Add netlink extended errors to the processing of the request. This requires adding additional argument through rtnl_af_ops set_link_af callback. Reported-by: Hongren Zheng Signed-off-by: Stephen Hemminger Reviewed-by: David Ahern Signed-off-by: David S. Miller commit f2fbd0aacdaf10cef961750af55d895b8a455b12 Merge: 8a12f8836145f b3650bf76a323 Author: David S. Miller Date: Thu Apr 8 13:47:34 2021 -0700 Merge branch 'net-sched-action-init-fixes' Vlad Buslov says: ==================== Action initalization fixes This series fixes reference counting of action instances and modules in several parts of action init code. The first patch reverts previous fix that didn't properly account for rollback from a failure in the middle of the loop in tcf_action_init() which is properly fixed by the following patch. ==================== Signed-off-by: David S. Miller commit b3650bf76a32380d4d80a3e21b5583e7303f216c Author: Vlad Buslov Date: Wed Apr 7 18:36:04 2021 +0300 net: sched: fix err handler in tcf_action_init() With recent changes that separated action module load from action initialization tcf_action_init() function error handling code was modified to manually release the loaded modules if loading/initialization of any further action in same batch failed. For the case when all modules successfully loaded and some of the actions were initialized before one of them failed in init handler. In this case for all previous actions the module will be released twice by the error handler: First time by the loop that manually calls module_put() for all ops, and second time by the action destroy code that puts the module after destroying the action. Reproduction: $ sudo tc actions add action simple sdata \"2\" index 2 $ sudo tc actions add action simple sdata \"1\" index 1 \ action simple sdata \"2\" index 2 RTNETLINK answers: File exists We have an error talking to the kernel $ sudo tc actions ls action simple total acts 1 action order 0: Simple <"2"> index 2 ref 1 bind 0 $ sudo tc actions flush action simple $ sudo tc actions ls action simple $ sudo tc actions add action simple sdata \"2\" index 2 Error: Failed to load TC action module. We have an error talking to the kernel $ lsmod | grep simple act_simple 20480 -1 Fix the issue by modifying module reference counting handling in action initialization code: - Get module reference in tcf_idr_create() and put it in tcf_idr_release() instead of taking over the reference held by the caller. - Modify users of tcf_action_init_1() to always release the module reference which they obtain before calling init function instead of assuming that created action takes over the reference. - Finally, modify tcf_action_init_1() to not release the module reference when overwriting existing action as this is no longer necessary since both upper and lower layers obtain and manage their own module references independently. Fixes: d349f9976868 ("net_sched: fix RTNL deadlock again caused by request_module()") Suggested-by: Cong Wang Signed-off-by: Vlad Buslov Signed-off-by: David S. Miller commit 87c750e8c38bce706eb32e4d8f1e3402f2cebbd4 Author: Vlad Buslov Date: Wed Apr 7 18:36:03 2021 +0300 net: sched: fix action overwrite reference counting Action init code increments reference counter when it changes an action. This is the desired behavior for cls API which needs to obtain action reference for every classifier that points to action. However, act API just needs to change the action and releases the reference before returning. This sequence breaks when the requested action doesn't exist, which causes act API init code to create new action with specified index, but action is still released before returning and is deleted (unless it was referenced concurrently by cls API). Reproduction: $ sudo tc actions ls action gact $ sudo tc actions change action gact drop index 1 $ sudo tc actions ls action gact Extend tcf_action_init() to accept 'init_res' array and initialize it with action->ops->init() result. In tcf_action_add() remove pointers to created actions from actions array before passing it to tcf_action_put_many(). Fixes: cae422f379f3 ("net: sched: use reference counting action init") Reported-by: Kumar Kartikeya Dwivedi Signed-off-by: Vlad Buslov Signed-off-by: David S. Miller commit 4ba86128ba077fbb7d86516ae24ed642e6c3adef Author: Vlad Buslov Date: Wed Apr 7 18:36:02 2021 +0300 Revert "net: sched: bump refcount for new action in ACT replace mode" This reverts commit 6855e8213e06efcaf7c02a15e12b1ae64b9a7149. Following commit in series fixes the issue without introducing regression in error rollback of tcf_action_destroy(). Signed-off-by: Vlad Buslov Signed-off-by: David S. Miller commit df8a39f2911a4c7769e0f760509f556a9e9d37af Author: Wolfram Sang Date: Wed Apr 7 20:35:32 2021 +0200 i2c: imx: mention Oleksij as maintainer of the binding docs When I removed myself as a maintainer of the yaml file, I missed that some maintainer is required. Oleksij is already listed in MAINTAINERS for this file, so add him here as well. Fixes: 1ae6b3780848 ("i2c: imx: drop me as maintainer of binding docs") Reviewed-by: Oleksij Rempel Reviewed-by: Rob Herring Signed-off-by: Wolfram Sang commit c60eb049f4a19ddddcd3ee97a9c79ab8066a6a03 Author: Pavel Begunkov Date: Thu Apr 8 01:54:42 2021 +0100 io-wq: cancel unbounded works on io-wq destroy WARNING: CPU: 5 PID: 227 at fs/io_uring.c:8578 io_ring_exit_work+0xe6/0x470 RIP: 0010:io_ring_exit_work+0xe6/0x470 Call Trace: process_one_work+0x206/0x400 worker_thread+0x4a/0x3d0 kthread+0x129/0x170 ret_from_fork+0x22/0x30 INFO: task lfs-openat:2359 blocked for more than 245 seconds. task:lfs-openat state:D stack: 0 pid: 2359 ppid: 1 flags:0x00000004 Call Trace: ... wait_for_completion+0x8b/0xf0 io_wq_destroy_manager+0x24/0x60 io_wq_put_and_exit+0x18/0x30 io_uring_clean_tctx+0x76/0xa0 __io_uring_files_cancel+0x1b9/0x2e0 do_exit+0xc0/0xb40 ... Even after io-wq destroy has been issued io-wq worker threads will continue executing all left work items as usual, and may hang waiting for I/O that won't ever complete (aka unbounded). [<0>] pipe_read+0x306/0x450 [<0>] io_iter_do_read+0x1e/0x40 [<0>] io_read+0xd5/0x330 [<0>] io_issue_sqe+0xd21/0x18a0 [<0>] io_wq_submit_work+0x6c/0x140 [<0>] io_worker_handle_work+0x17d/0x400 [<0>] io_wqe_worker+0x2c0/0x330 [<0>] ret_from_fork+0x22/0x30 Cancel all unbounded I/O instead of executing them. This changes the user visible behaviour, but that's inevitable as io-wq is not per task. Suggested-by: Jens Axboe Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/cd4b543154154cba055cf86f351441c2174d7f71.1617842918.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 9728463737db027557e8ba315cbbca6b81122c04 Author: Pavel Begunkov Date: Thu Apr 8 19:28:03 2021 +0100 io_uring: fix rw req completion WARNING: at fs/io_uring.c:8578 io_ring_exit_work.cold+0x0/0x18 As reissuing is now passed back by REQ_F_REISSUE and kiocb_done() internally uses __io_complete_rw(), it may stop after setting the flag so leaving a dangling request. There are tricky edge cases, e.g. reading beyound file, boundary, so the easiest way is to hand code reissue in kiocb_done() as __io_complete_rw() was doing for us before. Fixes: 230d50d448ac ("io_uring: move reissue into regular IO path") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/f602250d292f8a84cca9a01d747744d1e797be26.1617842918.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit d1c803a9ccd7bd3aff5e989ccfb39ed3b799b975 Author: Leon Romanovsky Date: Mon Apr 5 10:44:34 2021 +0300 RDMA/addr: Be strict with gid size The nla_len() is less than or equal to 16. If it's less than 16 then end of the "gid" buffer is uninitialized. Fixes: ae43f8286730 ("IB/core: Add IP to GID netlink offload") Link: https://lore.kernel.org/r/20210405074434.264221-1-leon@kernel.org Reported-by: Dan Carpenter Signed-off-by: Mark Bloch Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 3fb4f979b4fa1f92a02b538ae86e725b73e703d0 Merge: e0a472fffe435 ad31a8c05196a Author: Linus Torvalds Date: Thu Apr 8 11:09:25 2021 -0700 Merge tag 's390-5.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Heiko Carstens: - fix incorrect dereference of the ext_params2 external interrupt parameter, which leads to an instant kernel crash if a pfault interrupt occurs. - add forgotten stack unwinder support, and fix memory leak for the new machine check handler stack. - fix inline assembly register clobbering due to KASAN code instrumentation. * tag 's390-5.12-6' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/setup: use memblock_free_late() to free old stack s390/irq: fix reading of ext_params2 field from lowcore s390/unwind: add machine check handler stack s390/cpcmd: fix inline assembly register clobbering commit 1831da7ea5bdf5531d78bcf81f526faa4c4375fa Author: Yongxin Liu Date: Thu Apr 1 11:59:15 2021 -0700 ice: fix memory leak of aRFS after resuming from suspend In ice_suspend(), ice_clear_interrupt_scheme() is called, and then irq_free_descs() will be eventually called to free irq and its descriptor. In ice_resume(), ice_init_interrupt_scheme() is called to allocate new irqs. However, in ice_rebuild_arfs(), struct irq_glue and struct cpu_rmap maybe cannot be freed, if the irqs that released in ice_suspend() were reassigned to other devices, which makes irq descriptor's affinity_notify lost. So call ice_free_cpu_rx_rmap() before ice_clear_interrupt_scheme(), which can make sure all irq_glue and cpu_rmap can be correctly released before corresponding irq and descriptor are released. Fix the following memory leak. unreferenced object 0xffff95bd951afc00 (size 512): comm "kworker/0:1", pid 134, jiffies 4294684283 (age 13051.958s) hex dump (first 32 bytes): 18 00 00 00 18 00 18 00 70 fc 1a 95 bd 95 ff ff ........p....... 00 00 ff ff 01 00 ff ff 02 00 ff ff 03 00 ff ff ................ backtrace: [<0000000072e4b914>] __kmalloc+0x336/0x540 [<0000000054642a87>] alloc_cpu_rmap+0x3b/0xb0 [<00000000f220deec>] ice_set_cpu_rx_rmap+0x6a/0x110 [ice] [<000000002370a632>] ice_probe+0x941/0x1180 [ice] [<00000000d692edba>] local_pci_probe+0x47/0xa0 [<00000000503934f0>] work_for_cpu_fn+0x1a/0x30 [<00000000555a9e4a>] process_one_work+0x1dd/0x410 [<000000002c4b414a>] worker_thread+0x221/0x3f0 [<00000000bb2b556b>] kthread+0x14c/0x170 [<00000000ad2cf1cd>] ret_from_fork+0x1f/0x30 unreferenced object 0xffff95bd81b0a2a0 (size 96): comm "kworker/0:1", pid 134, jiffies 4294684283 (age 13051.958s) hex dump (first 32 bytes): 38 00 00 00 01 00 00 00 e0 ff ff ff 0f 00 00 00 8............... b0 a2 b0 81 bd 95 ff ff b0 a2 b0 81 bd 95 ff ff ................ backtrace: [<00000000582dd5c5>] kmem_cache_alloc_trace+0x31f/0x4c0 [<000000002659850d>] irq_cpu_rmap_add+0x25/0xe0 [<00000000495a3055>] ice_set_cpu_rx_rmap+0xb4/0x110 [ice] [<000000002370a632>] ice_probe+0x941/0x1180 [ice] [<00000000d692edba>] local_pci_probe+0x47/0xa0 [<00000000503934f0>] work_for_cpu_fn+0x1a/0x30 [<00000000555a9e4a>] process_one_work+0x1dd/0x410 [<000000002c4b414a>] worker_thread+0x221/0x3f0 [<00000000bb2b556b>] kthread+0x14c/0x170 [<00000000ad2cf1cd>] ret_from_fork+0x1f/0x30 Fixes: 769c500dcc1e ("ice: Add advanced power mgmt for WoL") Signed-off-by: Yongxin Liu Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 8a1e918d833ca5c391c4ded5dc006e2d1ce6d37c Author: Arkadiusz Kubalewski Date: Fri Mar 26 19:43:43 2021 +0100 i40e: Fix sparse warning: missing error code 'err' Set proper return values inside error checking if-statements. Previously following warning was produced when compiling against sparse. i40e_main.c:15162 i40e_init_recovery_mode() warn: missing error code 'err' Fixes: 4ff0ee1af0169 ("i40e: Introduce recovery mode support") Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 6b5674fe6b9bf05394886ebcec62b2d7dae88c42 Author: Arkadiusz Kubalewski Date: Fri Mar 26 19:43:42 2021 +0100 i40e: Fix sparse error: 'vsi->netdev' could be null Remove vsi->netdev->name from the trace. This is redundant information. With the devinfo trace, the adapter is already identifiable. Previously following error was produced when compiling against sparse. i40e_main.c:2571 i40e_sync_vsi_filters() error: we previously assumed 'vsi->netdev' could be null (see line 2323) Fixes: b603f9dc20af ("i40e: Log info when PF is entering and leaving Allmulti mode.") Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit d6d04ee6d2c9bb5084c8f6074195d6aa0024e825 Author: Arkadiusz Kubalewski Date: Fri Mar 26 19:43:41 2021 +0100 i40e: Fix sparse error: uninitialized symbol 'ring' Init pointer with NULL in default switch case statement. Previously the error was produced when compiling against sparse. i40e_debugfs.c:582 i40e_dbg_dump_desc() error: uninitialized symbol 'ring'. Fixes: 44ea803e2fa7 ("i40e: introduce new dump desc XDP command") Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 12738ac4754ec92a6a45bf3677d8da780a1412b3 Author: Arkadiusz Kubalewski Date: Fri Mar 26 19:43:40 2021 +0100 i40e: Fix sparse errors in i40e_txrx.c Remove error handling through pointers. Instead use plain int to return value from i40e_run_xdp(...). Previously: - sparse errors were produced during compilation: i40e_txrx.c:2338 i40e_run_xdp() error: (-2147483647) too low for ERR_PTR i40e_txrx.c:2558 i40e_clean_rx_irq() error: 'skb' dereferencing possible ERR_PTR() - sk_buff* was used to return value, but it has never had valid pointer to sk_buff. Returned value was always int handled as a pointer. Fixes: 0c8493d90b6b ("i40e: add XDP support for pass and drop actions") Fixes: 2e6893123830 ("i40e: split XDP_TX tail and XDP_REDIRECT map flushing") Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit b2d0efc4be7ed320e33eaa9b6dd6f3f6011ffb8e Author: Grzegorz Siwik Date: Wed Mar 24 09:58:27 2021 +0100 i40e: Fix parameters in aq_get_phy_register() Change parameters order in aq_get_phy_register() due to wrong statistics in PHY reported by ethtool. Previously all PHY statistics were exactly the same for all interfaces Now statistics are reported correctly - different for different interfaces Fixes: 0514db37dd78 ("i40e: Extend PHY access with page change flag") Signed-off-by: Grzegorz Siwik Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit e0a472fffe435af52ea4e21e1e0001c5c8ffc6c7 Merge: d381b05e8605f c8426b2700b57 Author: Linus Torvalds Date: Thu Apr 8 09:01:30 2021 -0700 Merge tag 'sound-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "This batch became unexpectedly bigger due to the pending ASoC patches, but all look small and fine device-specific fixes. Many of the commits are for ASoC Intel drivers, while the rest are for ASoC small codec/platform fixes and HD-audio quirks" * tag 'sound-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (21 commits) ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 ALSA: aloop: Fix initialization of controls ALSA: hda/conexant: Apply quirk for another HP ZBook G5 model ASoC: fsl_esai: Fix TDM slot setup for I2S mode ASoC: codecs: lpass-rx-macro: set npl clock rate correctly ASoC: codecs: lpass-tx-macro: set npl clock rate correctly ASoC: sunxi: sun4i-codec: fill ASoC card owner ASoC: cygnus: fix for_each_child.cocci warnings ASoC: max98373: Added 30ms turn on/off time delay ASoC: max98373: Changed amp shutdown register as volatile ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions ASoC: intel: atom: Stop advertising non working S24LE support ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips ASoC: SOF: Intel: move ELH chip info ASoC: SOF: Intel: APL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: CNL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: ICL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: TGL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: TGL: fix EHL ops ASoC: SOF: core: harden shutdown helper ... commit b9a9786a13ea158ee3b23614217f2e3158178421 Merge: aa68a77863b3f fc85dc42a3840 Author: Arnd Bergmann Date: Thu Apr 8 17:56:08 2021 +0200 Merge tag 'omap-for-v5.12/fixes-rc6-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes Fixes for omaps for v5.12-rc cycle Fix swapped mmc device order also for omap3 that got changed with the recent PROBE_PREFER_ASYNCHRONOUS changes. While eventually the aliases should be board specific, all the mmc device instances are all there in the SoC, and we do probe them by default so that PM runtime can idle the devices if left enabled from the bootloader. Also included are two compiler warning fixes. * tag 'omap-for-v5.12/fixes-rc6-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: OMAP2+: Fix uninitialized sr_inst ARM: dts: Fix swapped mmc order for omap3 ARM: OMAP2+: Fix warning for omap_init_time_of() ARM: OMAP4: PM: update ROM return address for OSWR and OFF ARM: OMAP4: Fix PMIC voltage domains for bionic ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race Link: https://lore.kernel.org/r/pull-1617702755-711306@atomide.com Signed-off-by: Arnd Bergmann commit d381b05e8605f8b11913831e7f3c00e700e97bbc Merge: 4ea51e0e37c89 315f02c60d942 Author: Linus Torvalds Date: Thu Apr 8 08:54:26 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fix from Paolo Bonzini: "A lone x86 patch, for a bug found while developing a backport to stable versions" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86/mmu: preserve pending TLB flush across calls to kvm_tdp_mmu_zap_sp commit 4ea51e0e37c890847eb2b402b01389ae099efec1 Merge: 035d80695fae5 9b5b872215fe6 Author: Linus Torvalds Date: Thu Apr 8 08:46:53 2021 -0700 Merge tag 'for-linus-2021-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux Pull close_range() fix from Christian Brauner: "Syzbot reported a bug in close_range. Debugging this showed we didn't recalculate the current maximum fd number for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC after we unshared the file descriptors table. As a result, max_fd could exceed the current fdtable maximum causing us to set excessive bits. As a concrete example, let's say the user requested everything from fd 4 to ~0UL to be closed and their current fdtable size is 256 with their highest open fd being 4. With CLOSE_RANGE_UNSHARE the caller will end up with a new fdtable which has room for 64 file descriptors since that is the lowest fdtable size we accept. But now max_fd will still point to 255 and needs to be adjusted. Fix this by retrieving the correct maximum fd value in __range_cloexec(). I've carried this fix for a little while but since there was no linux-next release over easter I waited until now. With this change close_range() can be further simplified but imho we are in no hurry to do that and so I'll defer this for the 5.13 merge window" * tag 'for-linus-2021-04-08' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: file: fix close_range() for unshare+cloexec commit aa68a77863b3fa74aa6659c7cb46ce708a09429f Merge: 974be36e1ca98 0c9fdcdba6820 Author: Arnd Bergmann Date: Thu Apr 8 17:36:40 2021 +0200 Merge tag 'qcom-drivers-fixes-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes Qualcomm fix for 5.12 This bypasses the, recently introduced, interconnect handling in the GENI (serial engine) driver when running off ACPI, as this causes the GENI probe to fail and the Lenovo Yoga C630 to boot without keyboard and touchpad. * tag 'qcom-drivers-fixes-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: soc: qcom: geni: shield geni_icc_get() for ACPI boot Link: https://lore.kernel.org/r/20210404155604.712236-1-bjorn.andersson@linaro.org Signed-off-by: Arnd Bergmann commit 974be36e1ca987a1940eb6894a2b5bb631049791 Merge: e49d033bddf5b 7a2f6e69e9c10 Author: Arnd Bergmann Date: Thu Apr 8 17:35:52 2021 +0200 Merge tag 'sunxi-fixes-for-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes One 32kHz clock fix for the beelink gs1, a CD polarity fix for the SoPine, some MAINTAINERS maintainance, and a clk / reset switch to our headers. * tag 'sunxi-fixes-for-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference MAINTAINERS: Match on allwinner keyword MAINTAINERS: Add our new mailing-list arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems arm64: dts: allwinner: h6: Switch to macros for RSB clock/reset indices Link: https://lore.kernel.org/r/9972a85e-60b7-49f4-a246-db3396dd4764.lettre@localhost Signed-off-by: Arnd Bergmann commit 035d80695fae55ed3e788cd8a62525657a43b924 Merge: 454859c552da7 4f0ed93fb92d3 Author: Linus Torvalds Date: Thu Apr 8 08:26:06 2021 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull umount fix from Al Viro: "Brown paperbag time: dumb braino in the series that went into 5.7 broke the 'don't step into ->d_weak_revalidate() when umount(2) looks the victim up' behaviour. Spotted only now - saw if (!err && unlikely(nd->flags & LOOKUP_MOUNTPOINT)) { err = handle_lookup_down(nd); nd->flags &= ~LOOKUP_JUMPED; // no d_weak_revalidate(), please... } and went "why do we clear that flag here - nothing below that point is going to check it anyway" / "wait a minute, what is it doing *after* complete_walk() (which is where we check that flag and call ->d_weak_revalidate())" / "how could that possibly _not_ break?", followed by reproducing the breakage and verifying that the obvious fix of that braino does, indeed, fix it. The reproducer is (assuming that $DIR exists and is exported r/w to localhost) mkdir $DIR/a mkdir /tmp/foo mount --bind /tmp/foo /tmp/foo mkdir /tmp/foo/a mkdir /tmp/foo/b mount -t nfs4 localhost:$DIR/a /tmp/foo/a mount -t nfs4 localhost:$DIR /tmp/foo/b rmdir /tmp/foo/b/a umount /tmp/foo/b umount /tmp/foo/a umount -l /tmp/foo # will get everything under /tmp/foo, no matter what Correct behaviour is successful umount; broken kernels (5.7-rc1 and later) get umount.nfs4: /tmp/foo/a: Stale file handle Note that bind mount is there to be able to recover - on broken kernels we'd get stuck with impossible-to-umount filesystem if not for that. FWIW, that braino had been posted for review back then, at least twice. Unfortunately, the call of complete_walk() was outside of diff context, so the bogosity hadn't been immediately obvious from the patch alone ;-/" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: LOOKUP_MOUNTPOINT: we are cleaning "jumped" flag too late commit 9a6847ba1747858ccac53c5aba3e25c54fbdf846 Author: Johannes Berg Date: Thu Apr 8 15:45:20 2021 +0200 nl80211: fix beacon head validation If the beacon head attribute (NL80211_ATTR_BEACON_HEAD) is too short to even contain the frame control field, we access uninitialized data beyond the buffer. Fix this by checking the minimal required size first. We used to do this until S1G support was added, where the fixed data portion has a different size. Reported-and-tested-by: syzbot+72b99dcf4607e8c770f3@syzkaller.appspotmail.com Suggested-by: Eric Dumazet Fixes: 1d47f1198d58 ("nl80211: correctly validate S1G beacon head") Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20210408154518.d9b06d39b4ee.Iff908997b2a4067e8d456b3cb96cab9771d252b8@changeid Signed-off-by: Johannes Berg commit 26f55a59dc65ff77cd1c4b37991e26497fc68049 Author: Piotr Krysiuk Date: Tue Apr 6 21:59:39 2021 +0100 bpf, x86: Validate computation of branch displacements for x86-32 The branch displacement logic in the BPF JIT compilers for x86 assumes that, for any generated branch instruction, the distance cannot increase between optimization passes. But this assumption can be violated due to how the distances are computed. Specifically, whenever a backward branch is processed in do_jit(), the distance is computed by subtracting the positions in the machine code from different optimization passes. This is because part of addrs[] is already updated for the current optimization pass, before the branch instruction is visited. And so the optimizer can expand blocks of machine code in some cases. This can confuse the optimizer logic, where it assumes that a fixed point has been reached for all machine code blocks once the total program size stops changing. And then the JIT compiler can output abnormal machine code containing incorrect branch displacements. To mitigate this issue, we assert that a fixed point is reached while populating the output image. This rejects any problematic programs. The issue affects both x86-32 and x86-64. We mitigate separately to ease backporting. Signed-off-by: Piotr Krysiuk Reviewed-by: Daniel Borkmann Signed-off-by: Daniel Borkmann commit e4d4d456436bfb2fe412ee2cd489f7658449b098 Author: Piotr Krysiuk Date: Mon Apr 5 22:52:15 2021 +0100 bpf, x86: Validate computation of branch displacements for x86-64 The branch displacement logic in the BPF JIT compilers for x86 assumes that, for any generated branch instruction, the distance cannot increase between optimization passes. But this assumption can be violated due to how the distances are computed. Specifically, whenever a backward branch is processed in do_jit(), the distance is computed by subtracting the positions in the machine code from different optimization passes. This is because part of addrs[] is already updated for the current optimization pass, before the branch instruction is visited. And so the optimizer can expand blocks of machine code in some cases. This can confuse the optimizer logic, where it assumes that a fixed point has been reached for all machine code blocks once the total program size stops changing. And then the JIT compiler can output abnormal machine code containing incorrect branch displacements. To mitigate this issue, we assert that a fixed point is reached while populating the output image. This rejects any problematic programs. The issue affects both x86-32 and x86-64. We mitigate separately to ease backporting. Signed-off-by: Piotr Krysiuk Reviewed-by: Daniel Borkmann Signed-off-by: Daniel Borkmann commit eb9dfdd1ed40357b99a4201c8534c58c562e48c9 Author: Dom Cobley Date: Thu Mar 18 17:13:28 2021 +0100 drm/vc4: crtc: Reduce PV fifo threshold on hvs4 Experimentally have found PV on hvs4 reports fifo full error with expected settings and does not with one less This appears as: [drm:drm_atomic_helper_wait_for_flip_done] *ERROR* [CRTC:82:crtc-3] flip_done timed out with bit 10 of PV_STAT set "HVS driving pixels when the PV FIFO is full" Fixes: c8b75bca92cb ("drm/vc4: Add KMS support for Raspberry Pi.") Signed-off-by: Dom Cobley Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210318161328.1471556-3-maxime@cerno.tech commit 35d65ab3fdba1bdecde9ac3424d6d634ea038729 Author: Maxime Ripard Date: Thu Mar 18 17:13:27 2021 +0100 drm/vc4: plane: Remove redundant assignment The vc4_plane_atomic_async_update function assigns twice in a row the src_h field in the drm_plane_state structure to the same value. Remove the second one. Reviewed-by: Dave Stevenson Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20210318161328.1471556-2-maxime@cerno.tech commit abaf94ecc9c356d0b885a84edef4905cdd89cfdd Author: Johannes Berg Date: Thu Apr 8 14:28:34 2021 +0200 nl80211: fix potential leak of ACL params In case nl80211_parse_unsol_bcast_probe_resp() results in an error, need to "goto out" instead of just returning to free possibly allocated data. Fixes: 7443dcd1f171 ("nl80211: Unsolicited broadcast probe response support") Link: https://lore.kernel.org/r/20210408142833.d8bc2e2e454a.If290b1ba85789726a671ff0b237726d4851b5b0f@changeid Signed-off-by: Johannes Berg commit b5ac0146492fc5c199de767e492be8a66471011a Author: Johannes Berg Date: Thu Apr 8 14:28:27 2021 +0200 cfg80211: check S1G beacon compat element length We need to check the length of this element so that we don't access data beyond its end. Fix that. Fixes: 9eaffe5078ca ("cfg80211: convert S1G beacon to scan results") Link: https://lore.kernel.org/r/20210408142826.f6f4525012de.I9fdeff0afdc683a6024e5ea49d2daa3cd2459d11@changeid Signed-off-by: Johannes Berg commit 315f02c60d9425b38eb8ad7f21b8a35e40db23f9 Author: Paolo Bonzini Date: Tue Apr 6 11:08:51 2021 -0400 KVM: x86/mmu: preserve pending TLB flush across calls to kvm_tdp_mmu_zap_sp Right now, if a call to kvm_tdp_mmu_zap_sp returns false, the caller will skip the TLB flush, which is wrong. There are two ways to fix it: - since kvm_tdp_mmu_zap_sp will not yield and therefore will not flush the TLB itself, we could change the call to kvm_tdp_mmu_zap_sp to use "flush |= ..." - or we can chain the flush argument through kvm_tdp_mmu_zap_sp down to __kvm_tdp_mmu_zap_gfn_range. Note that kvm_tdp_mmu_zap_sp will neither yield nor flush, so flush would never go from true to false. This patch does the former to simplify application to stable kernels, and to make it further clearer that kvm_tdp_mmu_zap_sp will not flush. Cc: seanjc@google.com Fixes: 048f49809c526 ("KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping") Cc: # 5.10.x: 048f49809c: KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping Cc: # 5.10.x: 33a3164161: KVM: x86/mmu: Don't allow TDP MMU to yield when recovering NX pages Cc: Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini commit bc2f3e4c662841dc19f7e7efae87782b9f3c0831 Merge: 363eaa3a450ab 08fe7ae185708 Author: Greg Kroah-Hartman Date: Thu Apr 8 11:48:48 2021 +0200 Merge tag 'thunderbolt-for-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt into usb-linus Mika writes: thunderbolt: Fixes for v5.12-rc7 This includes two fixes: - Fix memory leak in tb_retimer_add() - Off by one in tb_port_find_retimer() Both have been in linux-next without reported issues. * tag 'thunderbolt-for-v5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/westeri/thunderbolt: thunderbolt: Fix off by one in tb_port_find_retimer() thunderbolt: Fix a leak in tb_retimer_add() commit b57aa17f07c9270e576ef7df09f142978b5a75f0 Author: A. Cody Schuffelen Date: Thu Mar 18 13:04:19 2021 -0700 virt_wifi: Return micros for BSS TSF values cfg80211_inform_bss expects to receive a TSF value, but is given the time since boot in nanoseconds. TSF values are expected to be at microsecond scale rather than nanosecond scale. Signed-off-by: A. Cody Schuffelen Link: https://lore.kernel.org/r/20210318200419.1421034-1-schuffelen@google.com Signed-off-by: Johannes Berg commit 1b5ab825d9acc0f27d2f25c6252f3526832a9626 Author: Du Cheng Date: Thu Apr 8 00:27:56 2021 +0800 cfg80211: remove WARN_ON() in cfg80211_sme_connect A WARN_ON(wdev->conn) would trigger in cfg80211_sme_connect(), if multiple send_msg(NL80211_CMD_CONNECT) system calls are made from the userland, which should be anticipated and handled by the wireless driver. Remove this WARN_ON() to prevent kernel panic if kernel is configured to "panic_on_warn". Bug reported by syzbot. Reported-by: syzbot+5f9392825de654244975@syzkaller.appspotmail.com Signed-off-by: Du Cheng Link: https://lore.kernel.org/r/20210407162756.6101-1-ducheng2@gmail.com Signed-off-by: Johannes Berg commit 7d73cd946d4bc7d44cdc5121b1c61d5d71425dea Author: Ben Greear Date: Tue Mar 30 16:07:49 2021 -0700 mac80211: fix time-is-after bug in mlme The incorrect timeout check caused probing to happen when it did not need to happen. This in turn caused tx performance drop for around 5 seconds in ath10k-ct driver. Possibly that tx drop is due to a secondary issue, but fixing the probe to not happen when traffic is running fixes the symptom. Signed-off-by: Ben Greear Fixes: 9abf4e49830d ("mac80211: optimize station connection monitor") Acked-by: Felix Fietkau Link: https://lore.kernel.org/r/20210330230749.14097-1-greearb@candelatech.com Signed-off-by: Johannes Berg commit 1153a74768a9212daadbb50767aa400bc6a0c9b0 Author: Johannes Berg Date: Tue Mar 23 21:05:01 2021 +0100 mac80211: fix TXQ AC confusion Normally, TXQs have txq->tid = tid; txq->ac = ieee80211_ac_from_tid(tid); However, the special management TXQ actually has txq->tid = IEEE80211_NUM_TIDS; // 16 txq->ac = IEEE80211_AC_VO; This makes sense, but ieee80211_ac_from_tid(16) is the same as ieee80211_ac_from_tid(0) which is just IEEE80211_AC_BE. Now, normally this is fine. However, if the netdev queues were stopped, then the code in ieee80211_tx_dequeue() will propagate the stop from the interface (vif->txqs_stopped[]) if the AC 2 (ieee80211_ac_from_tid(txq->tid)) is marked as stopped. On wake, however, __ieee80211_wake_txqs() will wake the TXQ if AC 0 (txq->ac) is woken up. If a driver stops all queues with ieee80211_stop_tx_queues() and then wakes them again with ieee80211_wake_tx_queues(), the ieee80211_wake_txqs() tasklet will run to resync queue and TXQ state. If all queues were woken, then what'll happen is that _ieee80211_wake_txqs() will run in order of HW queues 0-3, typically (and certainly for iwlwifi) corresponding to ACs 0-3, so it'll call __ieee80211_wake_txqs() for each AC in order 0-3. When __ieee80211_wake_txqs() is called for AC 0 (VO) that'll wake up the management TXQ (remember its tid is 16), and the driver's wake_tx_queue() will be called. That tries to get a frame, which will immediately *stop* the TXQ again, because now we check against AC 2, and AC 2 hasn't yet been marked as woken up again in sdata->vif.txqs_stopped[] since we're only in the __ieee80211_wake_txqs() call for AC 0. Thus, the management TXQ will never be started again. Fix this by checking txq->ac directly instead of calculating the AC as ieee80211_ac_from_tid(txq->tid). Fixes: adf8ed01e4fd ("mac80211: add an optional TXQ for other PS-buffered frames") Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20210323210500.bf4d50afea4a.I136ffde910486301f8818f5442e3c9bf8670a9c4@changeid Signed-off-by: Johannes Berg commit 71826654ce40112f0651b6f4e94c422354f4adb6 Author: Johannes Berg Date: Fri Mar 19 23:25:11 2021 +0100 rfkill: revert back to old userspace API by default Recompiling with the new extended version of struct rfkill_event broke systemd in *two* ways: - It used "sizeof(struct rfkill_event)" to read the event, but then complained if it actually got something != 8, this broke it on new kernels (that include the updated API); - It used sizeof(struct rfkill_event) to write a command, but didn't implement the intended expansion protocol where the kernel returns only how many bytes it accepted, and errored out due to the unexpected smaller size on kernels that didn't include the updated API. Even though systemd has now been fixed, that fix may not be always deployed, and other applications could potentially have similar issues. As such, in the interest of avoiding regressions, revert the default API "struct rfkill_event" back to the original size. Instead, add a new "struct rfkill_event_ext" that extends it by the new field, and even more clearly document that applications should be prepared for extensions in two ways: * write might only accept fewer bytes on older kernels, and will return how many to let userspace know which data may have been ignored; * read might return anything between 8 (the original size) and whatever size the application sized its buffer at, indicating how much event data was supported by the kernel. Perhaps that will help avoid such issues in the future and we won't have to come up with another version of the struct if we ever need to extend it again. Applications that want to take advantage of the new field will have to be modified to use struct rfkill_event_ext instead now, which comes with the danger of them having already been updated to use it from 'struct rfkill_event', but I found no evidence of that, and it's still relatively new. Cc: stable@vger.kernel.org # 5.11 Reported-by: Takashi Iwai Tested-by: Sedat Dilek # LLVM/Clang v12.0.0-r4 (x86-64) Link: https://lore.kernel.org/r/20210319232510.f1a139cfdd9c.Ic5c7c9d1d28972059e132ea653a21a427c326678@changeid Signed-off-by: Johannes Berg commit dd0b45538146cb6a54d6da7663b8c3afd16ebcfd Author: Seevalamuthu Mariappan Date: Fri Mar 19 19:48:52 2021 +0530 mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN In some race conditions, with more clients and traffic configuration, below crash is seen when making the interface down. sta->fast_rx wasn't cleared when STA gets removed from 4-addr AP_VLAN interface. The crash is due to try accessing 4-addr AP_VLAN interface's net_device (fast_rx->dev) which has been deleted already. Resolve this by clearing sta->fast_rx pointer when STA removes from a 4-addr VLAN. [ 239.449529] Unable to handle kernel NULL pointer dereference at virtual address 00000004 [ 239.449531] pgd = 80204000 ... [ 239.481496] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.60 #227 [ 239.481591] Hardware name: Generic DT based system [ 239.487665] task: be05b700 ti: be08e000 task.ti: be08e000 [ 239.492360] PC is at get_rps_cpu+0x2d4/0x31c [ 239.497823] LR is at 0xbe08fc54 ... [ 239.778574] [<80739740>] (get_rps_cpu) from [<8073cb10>] (netif_receive_skb_internal+0x8c/0xac) [ 239.786722] [<8073cb10>] (netif_receive_skb_internal) from [<8073d578>] (napi_gro_receive+0x48/0xc4) [ 239.795267] [<8073d578>] (napi_gro_receive) from [] (ieee80211_mark_rx_ba_filtered_frames+0xbcc/0x12d4 [mac80211]) [ 239.804776] [] (ieee80211_mark_rx_ba_filtered_frames [mac80211]) from [] (ieee80211_rx_napi+0x7b8/0x8c8 [mac8 0211]) [ 239.815857] [] (ieee80211_rx_napi [mac80211]) from [] (ath11k_dp_process_rx+0x7bc/0x8c8 [ath11k]) [ 239.827757] [] (ath11k_dp_process_rx [ath11k]) from [] (ath11k_dp_service_srng+0x2c0/0x2e0 [ath11k]) [ 239.838484] [] (ath11k_dp_service_srng [ath11k]) from [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll+0x20/0x84 [ath11k_ahb] ) [ 239.849419] [<7f55b7dc>] (ath11k_ahb_ext_grp_napi_poll [ath11k_ahb]) from [<8073ce1c>] (net_rx_action+0xe0/0x28c) [ 239.860945] [<8073ce1c>] (net_rx_action) from [<80324868>] (__do_softirq+0xe4/0x228) [ 239.871269] [<80324868>] (__do_softirq) from [<80324c48>] (irq_exit+0x98/0x108) [ 239.879080] [<80324c48>] (irq_exit) from [<8035c59c>] (__handle_domain_irq+0x90/0xb4) [ 239.886114] [<8035c59c>] (__handle_domain_irq) from [<8030137c>] (gic_handle_irq+0x50/0x94) [ 239.894100] [<8030137c>] (gic_handle_irq) from [<803024c0>] (__irq_svc+0x40/0x74) Signed-off-by: Seevalamuthu Mariappan Link: https://lore.kernel.org/r/1616163532-3881-1-git-send-email-seevalam@codeaurora.org Signed-off-by: Johannes Berg commit c8426b2700b57d2760ff335840a02f66a64b6044 Author: Takashi Iwai Date: Wed Apr 7 11:57:30 2021 +0200 ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1 We've got a report about Acer Aspire E1 (PCI SSID 1025:0840) that loses the speaker output after resume. With the comparison of COEF dumps, it was identified that the COEF 0x0d bits 0x6000 corresponds to the speaker amp. This patch adds the specific quirk for the device to restore the COEF bits at the codec (re-)initialization. BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1183869 Cc: Link: https://lore.kernel.org/r/20210407095730.12560-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 2bbbb07da802a5b5e2252841b754292cc834e8c9 Merge: e49d033bddf5b cdcc108a2aced Author: Dave Airlie Date: Thu Apr 8 17:11:09 2021 +1000 Merge tag 'amd-drm-fixes-5.12-2021-04-08' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.12-2021-04-08: amdgpu: - DCN3 fix - Fix CAC setting regression for TOPAZ - Fix ttm regression radeon: - Fix ttm regression Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20210408045512.3879-1-alexander.deucher@amd.com commit cdcc108a2aced5f9cbc45920e29bf49819e5477f Author: Alex Deucher Date: Wed Apr 7 09:28:23 2021 -0400 drm/amdgpu/smu7: fix CAC setting on TOPAZ We need to enable MC CAC for mclk switching to work. Fixes: d765129a719f ("drm/amd/pm: correct sclk/mclk dpm enablement") Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1561 Tested-by: Konstantin Kharlamov Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 2efc021060c2aa55e1e8f7b98249d3ea63232fc7 Author: xinhui pan Date: Wed Apr 7 20:57:50 2021 +0800 drm/radeon: Fix size overflow ttm->num_pages is uint32. Hit overflow when << PAGE_SHIFT directly Fixes: 230c079fdcf4 ("drm/ttm: make num_pages uint32_t") Signed-off-by: xinhui pan Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 1b0b6e939f112949089e32ec89fd27796677263a Author: xinhui pan Date: Wed Apr 7 19:29:39 2021 +0800 drm/amdgpu: Fix size overflow ttm->num_pages is uint32. Hit overflow when << PAGE_SHIFT directly Fixes: 230c079fdcf4 ("drm/ttm: make num_pages uint32_t") Signed-off-by: xinhui pan Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 6ad7f2332e84c46f0c94e73e05b5b7c2bc1a6b74 Author: Pavel Begunkov Date: Thu Apr 8 01:54:39 2021 +0100 io_uring: clear F_REISSUE right after getting it There are lots of ways r/w request may continue its path after getting REQ_F_REISSUE, it's not necessarily io-wq and can be, e.g. apoll, and submitted via io_async_task_func() -> __io_req_task_submit() Clear the flag right after getting it, so the next attempt is well prepared regardless how the request will be executed. Fixes: 230d50d448ac ("io_uring: move reissue into regular IO path") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/11dcead939343f4e27cab0074d34afcab771bfa4.1617842918.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 0fc9322ab5e1fe6910c9673e1a7ff29f7dd72611 Author: Maciek Borzecki Date: Tue Apr 6 17:02:29 2021 +0200 cifs: escape spaces in share names Commit 653a5efb849a ("cifs: update super_operations to show_devname") introduced the display of devname for cifs mounts. However, when mounting a share which has a whitespace in the name, that exact share name is also displayed in mountinfo. Make sure that all whitespace is escaped. Signed-off-by: Maciek Borzecki CC: # 5.11+ Reviewed-by: Shyam Prasad N Signed-off-by: Steve French commit d135be0a7fb83f4dd68721b3355fec6de686834c Author: Wan Jiabing Date: Thu Apr 1 15:51:17 2021 +0800 fs: cifs: Remove unnecessary struct declaration struct cifs_readdata is declared twice. One is declared at 208th line. And struct cifs_readdata is defined blew. The declaration here is not needed. Remove the duplicate. Signed-off-by: Wan Jiabing Reviewed-by: Shyam Prasad N Signed-off-by: Steve French commit 4e456b30f78c429b183db420e23b26cde7e03a78 Author: Shyam Prasad N Date: Wed Mar 31 14:35:24 2021 +0000 cifs: On cifs_reconnect, resolve the hostname again. On cifs_reconnect, make sure that DNS resolution happens again. It could be the cause of connection to go dead in the first place. This also contains the fix for a build issue identified by Intel bot. Reported-by: kernel test robot Signed-off-by: Shyam Prasad N Reviewed-by: Paulo Alcantara (SUSE) Reviewed-by: Pavel Shilovsky CC: # 5.11+ Signed-off-by: Steve French commit 176ddd89171ddcf661862d90c5d257877f7326d6 Author: Jolly Shah Date: Thu Mar 18 15:56:32 2021 -0700 scsi: libsas: Reset num_scatter if libata marks qc as NODATA When the cache_type for the SCSI device is changed, the SCSI layer issues a MODE_SELECT command. The caching mode details are communicated via a request buffer associated with the SCSI command with data direction set as DMA_TO_DEVICE (scsi_mode_select()). When this command reaches the libata layer, as a part of generic initial setup, libata layer sets up the scatterlist for the command using the SCSI command (ata_scsi_qc_new()). This command is then translated by the libata layer into ATA_CMD_SET_FEATURES (ata_scsi_mode_select_xlat()). The libata layer treats this as a non-data command (ata_mselect_caching()), since it only needs an ATA taskfile to pass the caching on/off information to the device. It does not need the scatterlist that has been setup, so it does not perform dma_map_sg() on the scatterlist (ata_qc_issue()). Unfortunately, when this command reaches the libsas layer (sas_ata_qc_issue()), libsas layer sees it as a non-data command with a scatterlist. It cannot extract the correct DMA length since the scatterlist has not been mapped with dma_map_sg() for a DMA operation. When this partially constructed SAS task reaches pm80xx LLDD, it results in the following warning: "pm80xx_chip_sata_req 6058: The sg list address start_addr=0x0000000000000000 data_len=0x0end_addr_high=0xffffffff end_addr_low=0xffffffff has crossed 4G boundary" Update libsas to handle ATA non-data commands separately so num_scatter and total_xfer_len remain 0. Link: https://lore.kernel.org/r/20210318225632.2481291-1-jollys@google.com Fixes: 53de092f47ff ("scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA") Tested-by: Luo Jiaxing Reviewed-by: John Garry Signed-off-by: Jolly Shah Signed-off-by: Martin K. Petersen commit 0dcf8febcb7b9d42bec98bc068e01d1a6ea578b8 Author: Mike Christie Date: Tue Apr 6 12:17:46 2021 -0500 scsi: iscsi: Fix iSCSI cls conn state In commit 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and sync thread") I missed that libiscsi was now setting the iSCSI class state, and that patch ended up resetting the state during conn stoppage and using the wrong state value during ep_disconnect. This patch moves the setting of the class state to the class module and then fixes the two issues above. Link: https://lore.kernel.org/r/20210406171746.5016-1-michael.christie@oracle.com Fixes: 9e67600ed6b8 ("scsi: iscsi: Fix race condition between login and sync thread") Cc: Gulam Mohamed Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen commit 9ad6e9cb39c66366bf7b9aece114aca277981a1f Author: Ondrej Mosnacek Date: Wed Apr 7 09:24:43 2021 +0200 selinux: fix race between old and new sidtab Since commit 1b8b31a2e612 ("selinux: convert policy read-write lock to RCU"), there is a small window during policy load where the new policy pointer has already been installed, but some threads may still be holding the old policy pointer in their read-side RCU critical sections. This means that there may be conflicting attempts to add a new SID entry to both tables via sidtab_context_to_sid(). See also (and the rest of the thread): https://lore.kernel.org/selinux/CAFqZXNvfux46_f8gnvVvRYMKoes24nwm2n3sPbMjrB8vKTW00g@mail.gmail.com/ Fix this by installing the new policy pointer under the old sidtab's spinlock along with marking the old sidtab as "frozen". Then, if an attempt to add new entry to a "frozen" sidtab is detected, make sidtab_context_to_sid() return -ESTALE to indicate that a new policy has been installed and that the caller will have to abort the policy transaction and try again after re-taking the policy pointer (which is guaranteed to be a newer policy). This requires adding a retry-on-ESTALE logic to all callers of sidtab_context_to_sid(), but fortunately these are easy to determine and aren't that many. This seems to be the simplest solution for this problem, even if it looks somewhat ugly. Note that other places in the kernel (e.g. do_mknodat() in fs/namei.c) use similar stale-retry patterns, so I think it's reasonable. Cc: stable@vger.kernel.org Fixes: 1b8b31a2e612 ("selinux: convert policy read-write lock to RCU") Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore commit e1ad897b9c738d5550be6762bf3a6ef1672259a4 Author: Kamal Heib Date: Sun Apr 4 15:55:01 2021 +0300 RDMA/qedr: Fix kernel panic when trying to access recv_cq As INI QP does not require a recv_cq, avoid the following null pointer dereference by checking if the qp_type is not INI before trying to extract the recv_cq. BUG: kernel NULL pointer dereference, address: 00000000000000e0 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 54250 Comm: mpitests-IMB-MP Not tainted 5.12.0-rc5 #1 Hardware name: Dell Inc. PowerEdge R320/0KM5PX, BIOS 2.7.0 08/19/2019 RIP: 0010:qedr_create_qp+0x378/0x820 [qedr] Code: 02 00 00 50 e8 29 d4 a9 d1 48 83 c4 18 e9 65 fe ff ff 48 8b 53 10 48 8b 43 18 44 8b 82 e0 00 00 00 45 85 c0 0f 84 10 74 00 00 <8b> b8 e0 00 00 00 85 ff 0f 85 50 fd ff ff e9 fd 73 00 00 48 8d bd RSP: 0018:ffff9c8f056f7a70 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff9c8f056f7b58 RCX: 0000000000000009 RDX: ffff8c41a9744c00 RSI: ffff9c8f056f7b58 RDI: ffff8c41c0dfa280 RBP: ffff8c41c0dfa280 R08: 0000000000000002 R09: 0000000000000001 R10: 0000000000000000 R11: ffff8c41e06fc608 R12: ffff8c4194052000 R13: 0000000000000000 R14: ffff8c4191546070 R15: ffff8c41c0dfa280 FS: 00007f78b2787b80(0000) GS:ffff8c43a3200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000e0 CR3: 00000001011d6002 CR4: 00000000001706f0 Call Trace: ib_uverbs_handler_UVERBS_METHOD_QP_CREATE+0x4e4/0xb90 [ib_uverbs] ? ib_uverbs_cq_event_handler+0x30/0x30 [ib_uverbs] ib_uverbs_run_method+0x6f6/0x7a0 [ib_uverbs] ? ib_uverbs_handler_UVERBS_METHOD_QP_DESTROY+0x70/0x70 [ib_uverbs] ? __cond_resched+0x15/0x30 ? __kmalloc+0x5a/0x440 ib_uverbs_cmd_verbs+0x195/0x360 [ib_uverbs] ? xa_load+0x6e/0x90 ? cred_has_capability+0x7c/0x130 ? avc_has_extended_perms+0x17f/0x440 ? vma_link+0xae/0xb0 ? vma_set_page_prot+0x2a/0x60 ? mmap_region+0x298/0x6c0 ? do_mmap+0x373/0x520 ? selinux_file_ioctl+0x17f/0x220 ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs] __x64_sys_ioctl+0x84/0xc0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f78b120262b Fixes: 06e8d1df46ed ("RDMA/qedr: Add support for user mode XRC-SRQ's") Link: https://lore.kernel.org/r/20210404125501.154789-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Signed-off-by: Jason Gunthorpe commit b6a37a93c9ac3900987c79b726d0bb3699d8db4e Author: Takashi Iwai Date: Fri Apr 2 10:23:17 2021 +0200 drm/i915: Fix invalid access to ACPI _DSM objects intel_dsm_platform_mux_info() tries to parse the ACPI package data from _DSM for the debug information, but it assumes the fixed format without checking what values are stored in the elements actually. When an unexpected value is returned from BIOS, it may lead to GPF or NULL dereference, as reported recently. Add the checks of the contents in the returned values and skip the values for invalid cases. v1->v2: Check the info contents before dereferencing, too BugLink: http://bugzilla.opensuse.org/show_bug.cgi?id=1184074 Cc: Signed-off-by: Takashi Iwai Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210402082317.871-1-tiwai@suse.de (cherry picked from commit 337d7a1621c7f02af867229990ac67c97da1b53a) Signed-off-by: Rodrigo Vivi commit 50ce6826a48f119baf2794fa384a64efe9bd84a5 Author: Dmitry Baryshkov Date: Wed Apr 7 02:06:06 2021 +0300 clk: fixed: fix double free in resource managed fixed-factor clock devm_clk_hw_register_fixed_factor_release(), the release function for the devm_clk_hw_register_fixed_factor(), calls clk_hw_unregister_fixed_factor(), which will kfree() the clock. However after that the devres functions will also kfree the allocated data, resulting in double free/memory corruption. Just call clk_hw_unregister() instead, leaving kfree() to devres code. Reported-by: Rob Clark Cc: Daniel Palmer Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20210406230606.3007138-1-dmitry.baryshkov@linaro.org Fixes: 0b9266d295ce ("clk: fixed: add devm helper for clk_hw_register_fixed_factor()") [sboyd@kernel.org: Remove ugly cast] Signed-off-by: Stephen Boyd commit 8a12f8836145ffe37e9c8733dce18c22fb668b66 Author: Anirudh Rayabharam Date: Wed Apr 7 22:57:22 2021 +0530 net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same the minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a null-ptr-deref. The get_free_serial_index() function returns an available minor number but doesn't assign it immediately. The assignment is done by the caller later. But before this assignment, calls to get_free_serial_index() would return the same minor number. Fix this by modifying get_free_serial_index to assign the minor number immediately after one is found to be and rename it to obtain_minor() to better reflect what it does. Similary, rename set_serial_by_index() to release_minor() and modify it to free up the minor number of the given hso_serial. Every obtain_minor() should have corresponding release_minor() call. Fixes: 72dc1c096c705 ("HSO: add option hso driver") Reported-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com Tested-by: syzbot+c49fe6089f295a05e6f8@syzkaller.appspotmail.com Reviewed-by: Greg Kroah-Hartman Signed-off-by: Anirudh Rayabharam Signed-off-by: David S. Miller commit 5d1dbacde1a2770fda1d80d6423e08365c8d6e9a Merge: 107adc694558d 1165affd48488 Author: David S. Miller Date: Wed Apr 7 15:04:55 2021 -0700 Merge tag 'ieee802154-for-davem-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan Stefan Schmidt says: ==================== pull-request: ieee802154 for net 2021-04-07 An update from ieee802154 for your *net* tree. Most of these are coming from the flood of syzkaller reports lately got for the ieee802154 subsystem. There are likely to come more for this, but this is a good batch to get out for now. Alexander Aring created a patchset to avoid llsec handling on a monitor interface, which we do not support. Alex Shi removed a unused macro. Pavel Skripkin fixed another protection fault found by syzkaller. ==================== Signed-off-by: David S. Miller commit 107adc694558dd51c35fca07b025c2fe2168afb5 Merge: 3cf1482852825 65db391dd874d Author: David S. Miller Date: Wed Apr 7 14:57:35 2021 -0700 Merge tag 'wireless-drivers-2021-04-07' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for v5.12 Third, and last, set of fixes for v5.12. Small fixes, iwlwifi having most of them. brcmfmac regression caused by cfg80211 changes is the most important here. iwlwifi * fix a lockdep warning * fix regulatory feature detection in certain firmware versions * new hardware support * fix lockdep warning * mvm: fix beacon protection checks mt76 * mt7921: fix airtime reporting brcmfmac * fix a deadlock regression ==================== Signed-off-by: David S. Miller commit 3cf1482852825bdf8cc4e4f09346262c80ad5cbe Merge: bb58023bee8b0 fde32dbe712bc Author: David S. Miller Date: Wed Apr 7 14:53:04 2021 -0700 Merge branch 'ethtool-link_mode' Danielle Ratson says: ==================== Fix link_mode derived params functionality Currently, link_mode parameter derives 3 other link parameters, speed, lanes and duplex, and the derived information is sent to user space. Few bugs were found in that functionality. First, some drivers clear the 'ethtool_link_ksettings' struct in their get_link_ksettings() callback and cause receiving wrong link mode information in user space. And also, some drivers can report random values in the 'link_mode' field and cause general protection fault. Second, the link parameters are only derived in netlink path so in ioctl path, we don't any reasonable values. Third, setting 'speed 10000 lanes 1' fails since the lanes parameter wasn't set for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT. Patch #1 solves the first two problems by removing link_mode parameter and deriving the link parameters in driver instead of ethtool. Patch #2 solves the third one, by setting the lanes parameter for the link_mode. v3: * Remove the link_mode parameter in the first patch to solve both two issues from patch#1 and patch#2. * Add the second patch to solve the third issue. v2: * Add patch #2. * Introduce 'cap_link_mode_supported' instead of adding a validity field to 'ethtool_link_ksettings' struct in patch #1. ==================== Signed-off-by: David S. Miller commit fde32dbe712bc7cea61d8c5ed14e10e17eec8257 Author: Danielle Ratson Date: Wed Apr 7 13:06:52 2021 +0300 ethtool: Add lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT Lanes field is missing for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT link mode and it causes a failure when trying to set 'speed 10000 lanes 1' on Spectrum-2 machines when autoneg is set to on. Add the lanes parameter for ETHTOOL_LINK_MODE_10000baseR_FEC_BIT link mode. Fixes: c8907043c6ac9 ("ethtool: Get link mode in use instead of speed and duplex parameters") Signed-off-by: Danielle Ratson Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller commit a975d7d8a356ce92872af0b007b101183f0224e2 Author: Danielle Ratson Date: Wed Apr 7 13:06:51 2021 +0300 ethtool: Remove link_mode param and derive link params from driver Some drivers clear the 'ethtool_link_ksettings' struct in their get_link_ksettings() callback, before populating it with actual values. Such drivers will set the new 'link_mode' field to zero, resulting in user space receiving wrong link mode information given that zero is a valid value for the field. Another problem is that some drivers (notably tun) can report random values in the 'link_mode' field. This can result in a general protection fault when the field is used as an index to the 'link_mode_params' array [1]. This happens because such drivers implement their set_link_ksettings() callback by simply overwriting their private copy of 'ethtool_link_ksettings' struct with the one they get from the stack, which is not always properly initialized. Fix these problems by removing 'link_mode' from 'ethtool_link_ksettings' and instead have drivers call ethtool_params_from_link_mode() with the current link mode. The function will derive the link parameters (e.g., speed) from the link mode and fill them in the 'ethtool_link_ksettings' struct. v3: * Remove link_mode parameter and derive the link parameters in the driver instead of passing link_mode parameter to ethtool and derive it there. v2: * Introduce 'cap_link_mode_supported' instead of adding a validity field to 'ethtool_link_ksettings' struct. [1] general protection fault, probably for non-canonical address 0xdffffc00f14cc32c: 0000 [#1] PREEMPT SMP KASAN KASAN: probably user-memory-access in range [0x000000078a661960-0x000000078a661967] CPU: 0 PID: 8452 Comm: syz-executor360 Not tainted 5.11.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:__ethtool_get_link_ksettings+0x1a3/0x3a0 net/ethtool/ioctl.c:446 Code: b7 3e fa 83 fd ff 0f 84 30 01 00 00 e8 16 b0 3e fa 48 8d 3c ed 60 d5 69 8a 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 +38 d0 7c 08 84 d2 0f 85 b9 RSP: 0018:ffffc900019df7a0 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff888026136008 RCX: 0000000000000000 RDX: 00000000f14cc32c RSI: ffffffff873439ca RDI: 000000078a661960 RBP: 00000000ffff8880 R08: 00000000ffffffff R09: ffff88802613606f R10: ffffffff873439bc R11: 0000000000000000 R12: 0000000000000000 R13: ffff88802613606c R14: ffff888011d0c210 R15: ffff888011d0c210 FS: 0000000000749300(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004b60f0 CR3: 00000000185c2000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: linkinfo_prepare_data+0xfd/0x280 net/ethtool/linkinfo.c:37 ethnl_default_notify+0x1dc/0x630 net/ethtool/netlink.c:586 ethtool_notify+0xbd/0x1f0 net/ethtool/netlink.c:656 ethtool_set_link_ksettings+0x277/0x330 net/ethtool/ioctl.c:620 dev_ethtool+0x2b35/0x45d0 net/ethtool/ioctl.c:2842 dev_ioctl+0x463/0xb70 net/core/dev_ioctl.c:440 sock_do_ioctl+0x148/0x2d0 net/socket.c:1060 sock_ioctl+0x477/0x6a0 net/socket.c:1177 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: c8907043c6ac9 ("ethtool: Get link mode in use instead of speed and duplex parameters") Signed-off-by: Danielle Ratson Reported-by: Eric Dumazet Reviewed-by: Ido Schimmel Signed-off-by: David S. Miller commit bb58023bee8b08c329c161c2f20b157db8a5ba96 Merge: a79ace4b31295 d5f9b005c3062 Author: David S. Miller Date: Wed Apr 7 14:34:03 2021 -0700 Merge tag 'mlx5-fixes-2021-04-06' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2021-04-06 This series provides some fixes to mlx5 driver. Please pull and let me know if there is any problem. ==================== Signed-off-by: David S. Miller commit df7232c4c676be29f1cf45058ec156c1183539ff Author: Qingqing Zhuo Date: Thu Mar 25 03:44:11 2021 -0400 drm/amd/display: Add missing mask for DCN3 [Why] DCN3 is not reusing DCN1 mask_sh_list, causing SURFACE_FLIP_INT_MASK missing in the mapping. [How] Add the corresponding entry to DCN3 list. Signed-off-by: Qingqing Zhuo Reviewed-by: Nicholas Kazlauskas Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher commit a79ace4b312953c5835fafb12adc3cb6878b26bd Author: Zheng Yongjun Date: Wed Apr 7 09:59:45 2021 +0800 net: tipc: Fix spelling errors in net/tipc module These patches fix a series of spelling errors in net/tipc module. Reported-by: Hulk Robot Signed-off-by: Zheng Yongjun Signed-off-by: David S. Miller commit 9d6803921a16f4d768dc41a75375629828f4d91e Author: Kurt Kanzenbach Date: Tue Apr 6 09:35:09 2021 +0200 net: hsr: Reset MAC header for Tx path Reset MAC header in HSR Tx path. This is needed, because direct packet transmission, e.g. by specifying PACKET_QDISC_BYPASS does not reset the MAC header. This has been observed using the following setup: |$ ip link add name hsr0 type hsr slave1 lan0 slave2 lan1 supervision 45 version 1 |$ ifconfig hsr0 up |$ ./test hsr0 The test binary is using mmap'ed sockets and is specifying the PACKET_QDISC_BYPASS socket option. This patch resolves the following warning on a non-patched kernel: |[ 112.725394] ------------[ cut here ]------------ |[ 112.731418] WARNING: CPU: 1 PID: 257 at net/hsr/hsr_forward.c:560 hsr_forward_skb+0x484/0x568 |[ 112.739962] net/hsr/hsr_forward.c:560: Malformed frame (port_src hsr0) The warning can be safely removed, because the other call sites of hsr_forward_skb() make sure that the skb is prepared correctly. Fixes: d346a3fae3ff ("packet: introduce PACKET_QDISC_BYPASS socket option") Signed-off-by: Kurt Kanzenbach Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit cd90437399a24ae783b9a3a1a50fe8ee2b717355 Merge: 0c85a7e87465f d9c65de0c1e15 Author: David S. Miller Date: Wed Apr 7 14:22:49 2021 -0700 Merge branch 'ethtool-doc' Jakub Kicinski says: ==================== ethtool: kdoc fixes Number of kdoc fixes to ethtool headers. All comment changes. With all the patches posted kdoc script seems happy: $ ./scripts/kernel-doc -none include/uapi/linux/ethtool.h include/linux/ethtool.h $ Note that some of the changes are in -next, e.g. the FEC documentation update so full effect will be seen after trees converge. ==================== Signed-off-by: David S. Miller commit d9c65de0c1e1574d2cc8007dbe02291fe47db1d9 Author: Jakub Kicinski Date: Tue Apr 6 17:28:27 2021 -0700 ethtool: fix kdoc in headers Fix remaining issues with kdoc in the ethtool headers. Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit 83e5feeb385e6d69ae95dd30e0c424afaa17cc6b Author: Jakub Kicinski Date: Tue Apr 6 17:28:26 2021 -0700 ethtool: document reserved fields in the uAPI Add a note on expected handling of reserved fields, and references to all kdocs. This fixes a bunch of kdoc warnings. Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit f0ebc2b6b7df7716749445cda26734b3826a48cf Author: Jakub Kicinski Date: Tue Apr 6 17:28:25 2021 -0700 ethtool: un-kdocify extended link state Extended link state structures and enums use kdoc headers but then do not describe any of the members. Convert to normal comments. Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit 0c85a7e87465f2d4cbc768e245f4f45b2f299b05 Author: Aditya Pakki Date: Tue Apr 6 19:09:12 2021 -0500 net/rds: Avoid potential use after free in rds_send_remove_from_sock In case of rs failure in rds_send_remove_from_sock(), the 'rm' resource is freed and later under spinlock, causing potential use-after-free. Set the free pointer to NULL to avoid undefined behavior. Signed-off-by: Aditya Pakki Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller commit 454859c552da78b0f587205d308401922b56863e Merge: 3a22981230f99 83520d62cc5a9 Author: Linus Torvalds Date: Wed Apr 7 13:21:21 2021 -0700 Merge tag 'arc-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc Pull ARC fixlets from Vineet Gupta: "A few straggler fixes for ARC" * tag 'arc-5.12-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: treewide: avoid the pointer addition with NULL pointer arc: kernel: Return -EFAULT if copy_to_user() fails ARC: haps: bump memory to 1 GB commit 92f1e8adf7db2ef9b90e5662182810c0cf8ac22e Author: Ian Rogers Date: Wed Apr 7 08:39:55 2021 -0700 perf arm-spe: Avoid potential buffer overrun SPE extended headers are > 1 byte so ensure the buffer contains at least this before reading. This issue was detected by fuzzing. Signed-off-by: Ian Rogers Cc: Alexander Shishkin Cc: Andre Przywara Cc: Dave Martin Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Will Deacon Link: http://lore.kernel.org/lkml/20210407153955.317215-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo commit f2013278ae40b89cc27916366c407ce5261815ef Author: Jin Yao Date: Wed Apr 7 10:44:52 2021 +0800 perf report: Fix wrong LBR block sorting When '--total-cycles' is specified, it supports sorting for all blocks by 'Sampled Cycles%'. This is useful to concentrate on the globally hottest blocks. 'Sampled Cycles%' - block sampled cycles aggregation / total sampled cycles But in current code, it doesn't use the cycles aggregation. Part of 'cycles' counting is possibly dropped for some overlap jumps. But for identifying the hot block, we always need the full cycles. # perf record -b ./triad_loop # perf report --total-cycles --stdio Before: # # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] Shared Object # ............... .............. ........... .......... ............................................................. ................. # 0.81% 793 4.32% 793 [setup-vdso.h:34 -> setup-vdso.h:40] ld-2.27.so 0.49% 480 0.87% 160 [native_write_msr+0 -> native_write_msr+16] [kernel.kallsyms] 0.48% 476 0.52% 95 [native_read_msr+0 -> native_read_msr+29] [kernel.kallsyms] 0.31% 303 1.65% 303 [nmi_restore+0 -> nmi_restore+37] [kernel.kallsyms] 0.26% 255 1.39% 255 [nohz_balance_exit_idle+75 -> nohz_balance_exit_idle+162] [kernel.kallsyms] 0.24% 234 1.28% 234 [end_repeat_nmi+67 -> end_repeat_nmi+83] [kernel.kallsyms] 0.23% 227 1.24% 227 [__irqentry_text_end+96 -> __irqentry_text_end+126] [kernel.kallsyms] 0.20% 194 1.06% 194 [native_set_debugreg+52 -> native_set_debugreg+56] [kernel.kallsyms] 0.11% 106 0.14% 26 [native_sched_clock+0 -> native_sched_clock+98] [kernel.kallsyms] 0.10% 97 0.53% 97 [trigger_load_balance+0 -> trigger_load_balance+67] [kernel.kallsyms] 0.09% 85 0.46% 85 [get-dynamic-info.h:102 -> get-dynamic-info.h:111] ld-2.27.so ... 0.00% 92.7K 0.02% 4 [triad_loop.c:64 -> triad_loop.c:65] triad_loop The hottest block '[triad_loop.c:64 -> triad_loop.c:65]' is not at the top of output. After: # Sampled Cycles% Sampled Cycles Avg Cycles% Avg Cycles [Program Block Range] Shared Object # ............... .............. ........... .......... .............................................................. ................. # 94.35% 92.7K 0.02% 4 [triad_loop.c:64 -> triad_loop.c:65] triad_loop 0.81% 793 4.32% 793 [setup-vdso.h:34 -> setup-vdso.h:40] ld-2.27.so 0.49% 480 0.87% 160 [native_write_msr+0 -> native_write_msr+16] [kernel.kallsyms] 0.48% 476 0.52% 95 [native_read_msr+0 -> native_read_msr+29] [kernel.kallsyms] 0.31% 303 1.65% 303 [nmi_restore+0 -> nmi_restore+37] [kernel.kallsyms] 0.26% 255 1.39% 255 [nohz_balance_exit_idle+75 -> nohz_balance_exit_idle+162] [kernel.kallsyms] 0.24% 234 1.28% 234 [end_repeat_nmi+67 -> end_repeat_nmi+83] [kernel.kallsyms] 0.23% 227 1.24% 227 [__irqentry_text_end+96 -> __irqentry_text_end+126] [kernel.kallsyms] 0.20% 194 1.06% 194 [native_set_debugreg+52 -> native_set_debugreg+56] [kernel.kallsyms] 0.11% 106 0.14% 26 [native_sched_clock+0 -> native_sched_clock+98] [kernel.kallsyms] 0.10% 97 0.53% 97 [trigger_load_balance+0 -> trigger_load_balance+67] [kernel.kallsyms] 0.09% 85 0.46% 85 [get-dynamic-info.h:102 -> get-dynamic-info.h:111] ld-2.27.so 0.08% 82 0.06% 11 [intel_pmu_drain_pebs_nhm+580 -> intel_pmu_drain_pebs_nhm+627] [kernel.kallsyms] 0.08% 77 0.42% 77 [lru_add_drain_cpu+0 -> lru_add_drain_cpu+133] [kernel.kallsyms] 0.08% 74 0.10% 18 [handle_pmi_common+271 -> handle_pmi_common+310] [kernel.kallsyms] 0.08% 74 0.40% 74 [get-dynamic-info.h:131 -> get-dynamic-info.h:157] ld-2.27.so 0.07% 69 0.09% 17 [intel_pmu_drain_pebs_nhm+432 -> intel_pmu_drain_pebs_nhm+468] [kernel.kallsyms] Now the hottest block is reported at the top of output. Fixes: b65a7d372b1a55db ("perf hist: Support block formats with compare/sort/display") Signed-off-by: Jin Yao Reviewed-by: Andi Kleen Cc: Alexander Shishkin Cc: Jin Yao Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210407024452.29988-1-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo commit 5de61a47eb9064cbbc5f3360d639e8e34a690a54 Author: Mike Marciniszyn Date: Mon Mar 29 09:48:19 2021 -0400 IB/hfi1: Fix probe time panic when AIP is enabled with a buggy BIOS A panic can result when AIP is enabled: BUG: unable to handle kernel NULL pointer dereference at 000000000000000 PGD 0 P4D 0 Oops: 0000 1 SMP PTI CPU: 70 PID: 981 Comm: systemd-udevd Tainted: G OE --------- - - 4.18.0-240.el8.x86_64 #1 Hardware name: Intel Corporation S2600KP/S2600KP, BIOS SE5C610.86B.01.01.0005.101720141054 10/17/2014 RIP: 0010:__bitmap_and+0x1b/0x70 RSP: 0018:ffff99aa0845f9f0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8d5a6fc18000 RCX: 0000000000000048 RDX: 0000000000000000 RSI: ffffffffc06336f0 RDI: ffff8d5a8fa67750 RBP: 0000000000000079 R08: 0000000fffffffff R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: ffffffffc06336f0 R13: 00000000000000a0 R14: ffff8d5a6fc18000 R15: 0000000000000003 FS: 00007fec137a5980(0000) GS:ffff8d5a9fa80000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 0000000a04b48002 CR4: 00000000001606e0 Call Trace: hfi1_num_netdev_contexts+0x7c/0x110 [hfi1] hfi1_init_dd+0xd7f/0x1a90 [hfi1] ? pci_bus_read_config_dword+0x49/0x70 ? pci_mmcfg_read+0x3e/0xe0 do_init_one.isra.18+0x336/0x640 [hfi1] local_pci_probe+0x41/0x90 pci_device_probe+0x105/0x1c0 really_probe+0x212/0x440 driver_probe_device+0x49/0xc0 device_driver_attach+0x50/0x60 __driver_attach+0x61/0x130 ? device_driver_attach+0x60/0x60 bus_for_each_dev+0x77/0xc0 ? klist_add_tail+0x3b/0x70 bus_add_driver+0x14d/0x1e0 ? dev_init+0x10b/0x10b [hfi1] driver_register+0x6b/0xb0 ? dev_init+0x10b/0x10b [hfi1] hfi1_mod_init+0x1e6/0x20a [hfi1] do_one_initcall+0x46/0x1c3 ? free_unref_page_commit+0x91/0x100 ? _cond_resched+0x15/0x30 ? kmem_cache_alloc_trace+0x140/0x1c0 do_init_module+0x5a/0x220 load_module+0x14b4/0x17e0 ? __do_sys_finit_module+0xa8/0x110 __do_sys_finit_module+0xa8/0x110 do_syscall_64+0x5b/0x1a0 The issue happens when pcibus_to_node() returns NO_NUMA_NODE. Fix this issue by moving the initialization of dd->node to hfi1_devdata allocation and remove the other pcibus_to_node() calls in the probe path and use dd->node instead. Affinity logic is adjusted to use a new field dd->affinity_entry as a guard instead of dd->node. Fixes: 4730f4a6c6b2 ("IB/hfi1: Activate the dummy netdev") Link: https://lore.kernel.org/r/1617025700-31865-4-git-send-email-dennis.dalessandro@cornelisnetworks.com Cc: stable@vger.kernel.org Signed-off-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe commit 603c4690b01aaffe3a6c3605a429f6dac39852ae Author: Potnuri Bharat Teja Date: Wed Mar 31 19:27:15 2021 +0530 RDMA/cxgb4: check for ipv6 address properly while destroying listener ipv6 bit is wrongly set by the below which causes fatal adapter lookup engine errors for ipv4 connections while destroying a listener. Fix it to properly check the local address for ipv6. Fixes: 3408be145a5d ("RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server") Link: https://lore.kernel.org/r/20210331135715.30072-1-bharat@chelsio.com Signed-off-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe commit 649cab56de8eb2952498de9b752761ca980cb88a Author: Frank Rowand Date: Sun Apr 4 22:28:45 2021 -0500 of: properly check for error returned by fdt_get_name() fdt_get_name() returns error values via a parameter pointer instead of in function return. Fix check for this error value in populate_node() and callers of populate_node(). Chasing up the caller tree showed callers of various functions failing to initialize the value of pointer parameters that can return error values. Initialize those values to NULL. The bug was introduced by commit e6a6928c3ea1 ("of/fdt: Convert FDT functions to use libfdt") but this patch can not be backported directly to that commit because the relevant code has further been restructured by commit dfbd4c6eff35 ("drivers/of: Split unflatten_dt_node()") The bug became visible by triggering a crash on openrisc with: commit 79edff12060f ("scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9") as reported in: https://lore.kernel.org/lkml/20210327224116.69309-1-linux@roeck-us.net/ Fixes: 79edff12060f ("scripts/dtc: Update to upstream version v1.6.0-51-g183df9e9c2b9") Reported-by: Guenter Roeck Signed-off-by: Frank Rowand Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20210405032845.1942533-1-frowand.list@gmail.com Signed-off-by: Rob Herring commit fa26d0c778b432d3d9814ea82552e813b33eeb5c Author: Vitaly Kuznetsov Date: Tue Apr 6 17:56:40 2021 +0200 ACPI: processor: Fix build when CONFIG_ACPI_PROCESSOR=m Commit 8cdddd182bd7 ("ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead()") tried to fix CPU0 hotplug breakage by copying wakeup_cpu0() + start_cpu0() logic from hlt_play_dead()//mwait_play_dead() into acpi_idle_play_dead(). The problem is that these functions are not exported to modules so when CONFIG_ACPI_PROCESSOR=m build fails. The issue could've been fixed by exporting both wakeup_cpu0()/start_cpu0() (the later from assembly) but it seems putting the whole pattern into a new function and exporting it instead is better. Reported-by: kernel test robot Fixes: 8cdddd182bd7 ("CPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead()") Cc: # 5.10+ Signed-off-by: Vitaly Kuznetsov Signed-off-by: Rafael J. Wysocki commit 3a22981230f997846d1cfeb8eadcda8bcc0f7ea8 Merge: dbaa5d1c254e1 1180042dc6030 Author: Linus Torvalds Date: Wed Apr 7 09:26:50 2021 -0700 Merge tag 'arm-fixes-5.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "Most of the changes again are devicetree fixes, but there are also five trivial build fixes for issues I found when test building with gcc-11 or when running 'make W=1', and some OMAP platform specific code fixups. Broadcom: - One revert for a Raspberry pi interrupt controller change that caused a regression. TI OMAP: - Remove unused duplicate sha2md5_fck clock node that can race with the OMAP4_SHA2MD5_CLKCTRL clock node for disable for unused clocks - Add aliases for omap4/5 mmc to put the slots back into the right order again - Fix typo for bionic voltage controllers that accidentally use mpu for all instances instead of mpu, core and iva - Fix random hangs for droid4 caused by missing fix from TI Android kernel tree to do a dummy smc call on cpuidle wakeup path NXP i.MX: - Fix a system failure on imx6qdl-phytec-pfla02 board when booting from SD, by adding missing vmmc supply for SD interfaces. - Fix address typo in i.MX8MM/Q IOMUXC_SD1_DATA0_GPIO2_IO2 definition. Marvell mvebu: - Fix storm interrupt on Turris Omnia - Enable hardware buffer management as it should be ... and build fixes for PXA, Freescale, Marvell, OMAP1 and Keystone" * tag 'arm-fixes-5.11-2' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin ARM: dts: turris-omnia: fix hardware buffer management Revert "arm64: dts: marvell: armada-cp110: Switch to per-port SATA interrupts" ARM: mvebu: avoid clang -Wtautological-constant warning ARM: pxa: mainstone: avoid -Woverride-init warning ARM: omap1: fix building with clang IAS soc/fsl: qbman: fix conflicting alignment attributes ARM: keystone: fix integer overflow warning ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0 ARM: OMAP4: PM: update ROM return address for OSWR and OFF ARM: OMAP4: Fix PMIC voltage domains for bionic ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race Revert "ARM: dts: bcm2711: Add the BSC interrupt controller" commit dbaa5d1c254e1b565caee9ac7b526a9b7267d4c4 Merge: 5ba091db9386e 0aa2ddc9af44b Author: Linus Torvalds Date: Wed Apr 7 09:20:07 2021 -0700 Merge branch 'parisc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc fixes from Helge Deller: "One link error fix found by the kernel test robot, one sparse warning fix, remove a duplicate declaration and some spelling fixes" * 'parisc-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: math-emu: Few spelling fixes in the file fpu.h parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers parisc: parisc-agp requires SBA IOMMU driver parisc: Remove duplicate struct task_struct declaration commit 5ba091db9386e6f50f32e660253bcc250cdbbca8 Merge: e3bb2f4f96a65 a3790a8a94fc0 Author: Linus Torvalds Date: Wed Apr 7 09:14:04 2021 -0700 Merge tag 'platform-drivers-x86-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform driver fix from Hans de Goede: "A single bugfix to fix spurious wakeups from suspend caused by recent intel-hid driver changes" * tag 'platform-drivers-x86-v5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: intel-hid: Fix spurious wakeups caused by tablet-mode events during suspend commit e3bb2f4f96a653f85b3bf19bc482064d47cdb98c Merge: 2d743660786ec 1deceabbdc0dd Author: Linus Torvalds Date: Wed Apr 7 09:08:36 2021 -0700 Merge tag 'regulator-fix-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator Pull regulator fixes from Mark Brown: "bd9571mwv regulator fixes for v5.12. A set of driver specific fixes here, the main one is a fix to not try to set unsupported voltages on this device. The other two patches clean up the error handling and eliminate the possibility that we could overflow the page when writing sysfs output (which AFAICT wasn't an issue but better to be sure)" * tag 'regulator-fix-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator: regulator: bd9571mwv: Convert device attribute to sysfs_emit() regulator: bd9571mwv: Fix regulator name printed on registration failure regulator: bd9571mwv: Fix AVS and DVFS voltage range commit d120198bd5ff1d41808b6914e1eb89aff937415c Author: Luca Fancellu Date: Tue Apr 6 11:51:04 2021 +0100 xen/evtchn: Change irq_info lock to raw_spinlock_t Unmask operation must be called with interrupt disabled, on preempt_rt spin_lock_irqsave/spin_unlock_irqrestore don't disable/enable interrupts, so use raw_* implementation and change lock variable in struct irq_info from spinlock_t to raw_spinlock_t Cc: stable@vger.kernel.org Fixes: 25da4618af24 ("xen/events: don't unmask an event channel when an eoi is pending") Signed-off-by: Luca Fancellu Reviewed-by: Julien Grall Reviewed-by: Wei Liu Link: https://lore.kernel.org/r/20210406105105.10141-1-luca.fancellu@arm.com Signed-off-by: Boris Ostrovsky commit 9c3195778c71d7f0795d48e2f04a12c9d80d8b98 Merge: 168632a495f49 e7a48c710defa Author: Takashi Iwai Date: Wed Apr 7 15:00:33 2021 +0200 Merge tag 'asoc-fix-v5.12-rc6' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus ASoC: Fixes for v5.12 A fairly small batch of driver specific fixes, mainly for various x86 systems with the biggest set being fixes to power down DSPs properly on x86 SOF systems. commit ad31a8c05196a3dc5283b193e9c74a72022d3c65 Author: Heiko Carstens Date: Mon Apr 5 22:32:27 2021 +0200 s390/setup: use memblock_free_late() to free old stack Use memblock_free_late() to free the old machine check stack to the buddy allocator instead of leaking it. Fixes: b61b1595124a ("s390: add stack for machine check handler") Cc: Vasily Gorbik Acked-by: Sven Schnelle Signed-off-by: Heiko Carstens commit 7a2f6e69e9c1060a7a09c1f8322ccb8d942b3078 Author: Jernej Skrabec Date: Tue Mar 30 20:42:18 2021 +0200 arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference Although every Beelink GS1 seems to have external 32768 Hz oscillator, it works only on one from four tested. There are more reports of RTC issues elsewhere, like Armbian forum. One Beelink GS1 owner read RTC osc status register on Android which shipped with the box. Reported value indicated problems with external oscillator. In order to fix RTC and related issues (HDMI-CEC and suspend/resume with Crust) on all boards, switch to internal oscillator. Fixes: 32507b868119 ("arm64: dts: allwinner: h6: Move ext. oscillator to board DTs") Signed-off-by: Jernej Skrabec Tested-by: Clément Péron Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210330184218.279738-1-jernej.skrabec@siol.net commit 2a996ecd142df9ff2369241fd62ab7778ef07874 Author: Maxime Ripard Date: Wed Mar 31 15:08:30 2021 +0200 MAINTAINERS: Match on allwinner keyword Some drivers (phy, crypto, net) folders don't have sunxi in it but allwinner. Add that keyword to match on it too. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20210331130830.64182-2-maxime@cerno.tech commit c89f3af3b5ba4d8b232c7b397e54dd228c49f6b1 Author: Maxime Ripard Date: Wed Mar 31 15:08:29 2021 +0200 MAINTAINERS: Add our new mailing-list We've been struggling to get an LF-hosted mailing list for a while, but now that lists.linux.dev is there we opted in. Let's add it to MAINTAINERS. Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20210331130830.64182-1-maxime@cerno.tech commit 3dd4ce4185df6798dcdcc3669bddb35899d7d5e1 Author: Andre Przywara Date: Tue Mar 16 14:42:19 2021 +0000 arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems Commit 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") enabled the card detect GPIO for the SOPine module, along the way with the Pine64-LTS, which share the same base .dtsi. However while both boards indeed have a working CD GPIO on PF6, the polarity is different: the SOPine modules uses a "push-pull" socket, which has an active-high switch, while the Pine64-LTS use the more traditional push-push socket and the common active-low switch. Fix the polarity in the sopine.dtsi, and overwrite it in the LTS board .dts, to make the SD card work again on systems using SOPine modules. Fixes: 941432d00768 ("arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card") Reported-by: Ashley Signed-off-by: Andre Przywara Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20210316144219.5973-1-andre.przywara@arm.com commit fbb9e86636ba8aa4d890091ab06cc7b2f4751322 Author: Chen-Yu Tsai Date: Mon Jan 4 16:19:17 2021 +0800 arm64: dts: allwinner: h6: Switch to macros for RSB clock/reset indices The macros for the clock and reset indices for the RSB hardware block were replaced with raw numbers when the RSB controller node was added. This was done to avoid cross-tree dependencies. Now that both the clk and DT changes have been merged, we can switch back to using the macros. Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard commit 3a62583c2853b0ab37a57dde79decea210b5fb89 Author: William Roche Date: Tue Apr 6 11:28:59 2021 -0400 RAS/CEC: Correct ce_add_elem()'s returned values ce_add_elem() uses different return values to signal a result from adding an element to the collector. Commit in Fixes: broke the case where the element being added is not found in the array. Correct that. [ bp: Rewrite commit message, add kernel-doc comments. ] Fixes: de0e0624d86f ("RAS/CEC: Check count_threshold unconditionally") Signed-off-by: William Roche Signed-off-by: Borislav Petkov Cc: Link: https://lkml.kernel.org/r/1617722939-29670-1-git-send-email-william.roche@oracle.com commit 168632a495f49f33a18c2d502fc249d7610375e9 Author: Jonas Holmberg Date: Wed Apr 7 09:54:28 2021 +0200 ALSA: aloop: Fix initialization of controls Add a control to the card before copying the id so that the numid field is initialized in the copy. Otherwise the numid field of active_id, format_id, rate_id and channels_id will be the same (0) and snd_ctl_notify() will not queue the events properly. Signed-off-by: Jonas Holmberg Reviewed-by: Jaroslav Kysela Cc: Link: https://lore.kernel.org/r/20210407075428.2666787-1-jonashg@axis.com Signed-off-by: Takashi Iwai commit d5f9b005c3062d6d96872896b695e5116b921f52 Author: Xiaoming Ni Date: Mon Apr 5 10:53:39 2021 +0800 net/mlx5: fix kfree mismatch in indir_table.c Memory allocated by kvzalloc() should be freed by kvfree(). Fixes: 34ca65352ddf2 ("net/mlx5: E-Switch, Indirect table infrastructur") Signed-off-by: Xiaoming Ni Reviewed-by: Leon Romanovsky Signed-off-by: Saeed Mahameed commit 534b1204ca4694db1093b15cf3e79a99fcb6a6da Author: Aya Levin Date: Sun Apr 4 12:55:00 2021 +0300 net/mlx5: Fix PBMC register mapping Add reserved mapping to cover all the register in order to avoid setting arbitrary values to newer FW which implements the reserved fields. Fixes: 50b4a3c23646 ("net/mlx5: PPTB and PBMC register firmware command support") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit ce28f0fd670ddffcd564ce7119bdefbaf08f02d3 Author: Aya Levin Date: Sun Apr 4 10:50:50 2021 +0300 net/mlx5: Fix PPLM register mapping Add reserved mapping to cover all the register in order to avoid setting arbitrary values to newer FW which implements the reserved fields. Fixes: a58837f52d43 ("net/mlx5e: Expose FEC feilds and related capability bit") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit a14587dfc5ad2312dabdd42a610d80ecd0dc8bea Author: Raed Salem Date: Thu Jan 21 16:01:37 2021 +0200 net/mlx5: Fix placement of log_max_flow_counter The cited commit wrongly placed log_max_flow_counter field of mlx5_ifc_flow_table_prop_layout_bits, align it to the HW spec intended placement. Fixes: 16f1c5bb3ed7 ("net/mlx5: Check device capability for maximum flow counters") Signed-off-by: Raed Salem Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 1a73704c82ed4ee95532ac04645d02075bd1ce3d Author: Eli Cohen Date: Wed Mar 24 09:46:09 2021 +0200 net/mlx5: Fix HW spec violation configuring uplink Make sure to modify uplink port to follow only if the uplink_follow capability is set as required by the HW spec. Failure to do so causes traffic to the uplink representor net device to cease after switching to switchdev mode. Fixes: 7d0314b11cdd ("net/mlx5e: Modify uplink state on interface up/down") Signed-off-by: Eli Cohen Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 4f0ed93fb92d3528c73c80317509df3f800a222b Author: Al Viro Date: Tue Apr 6 19:46:51 2021 -0400 LOOKUP_MOUNTPOINT: we are cleaning "jumped" flag too late That (and traversals in case of umount .) should be done before complete_walk(). Either a braino or mismerge damage on queue reorders - either way, I should've spotted that much earlier. Fucked-up-by: Al Viro X-Paperbag: Brown Fixes: 161aff1d93ab "LOOKUP_MOUNTPOINT: fold path_mountpointat() into path_lookupat()" Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Al Viro commit 5219d6012d46ec1fa3397e50bfeb7b8c16df72cf Author: Jakub Kicinski Date: Tue Apr 6 15:58:15 2021 -0700 docs: ethtool: fix some copy-paste errors Fix incorrect documentation. Mostly referring to other objects, likely because the text was copied and not adjusted. Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller commit cca8ea3b05c972ffb5295367e6c544369b45fbdd Author: Phillip Potter Date: Tue Apr 6 18:45:54 2021 +0100 net: tun: set tun->dev->addr_len during TUNSETLINK processing When changing type with TUNSETLINK ioctl command, set tun->dev->addr_len to match the appropriate type, using new tun_get_addr_len utility function which returns appropriate address length for given type. Fixes a KMSAN-found uninit-value bug reported by syzbot at: https://syzkaller.appspot.com/bug?id=0766d38c656abeace60621896d705743aeefed51 Reported-by: syzbot+001516d86dbe88862cec@syzkaller.appspotmail.com Diagnosed-by: Eric Dumazet Signed-off-by: Phillip Potter Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit 63cf32389925e234d166fb1a336b46de7f846003 Author: Wong Vee Khee Date: Tue Apr 6 21:17:30 2021 +0800 ethtool: fix incorrect datatype in set_eee ops The member 'tx_lpi_timer' is defined with __u32 datatype in the ethtool header file. Hence, we should use ethnl_update_u32() in set_eee ops. Fixes: fd77be7bd43c ("ethtool: set EEE settings with EEE_SET request") Cc: # 5.10.x Cc: Michal Kubecek Signed-off-by: Wong Vee Khee Reviewed-by: Jakub Kicinski Reviewed-by: Michal Kubecek Signed-off-by: David S. Miller commit ed7bedd2c3ca040f1e8ea02c6590a93116b1ec78 Author: Guangbin Huang Date: Tue Apr 6 21:10:43 2021 +0800 net: hns3: clear VF down state bit before request link status Currently, the VF down state bit is cleared after VF sending link status request command. There is problem that when VF gets link status replied from PF, the down state bit may still set as 1. In this case, the link status replied from PF will be ignored and always set VF link status to down. To fix this problem, clear VF down state bit before VF requests link status. Fixes: e2cb1dec9779 ("net: hns3: Add HNS3 VF HCL(Hardware Compatibility Layer) Support") Signed-off-by: Guangbin Huang Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller commit f57796a4b80be8450a5e8cca1a5f55379cbee328 Merge: 66c3f05ddc538 617085fca6375 Author: David S. Miller Date: Tue Apr 6 16:34:11 2021 -0700 Merge tag 'linux-can-fixes-for-5.12-20210406' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2021-04-06 this is a pull request of 1 patch for net/master. The patch is by me and fixes the SPI half duplex support in the mcp251x CAN driver. ==================== Signed-off-by: David S. Miller commit 66c3f05ddc538ee796321210c906b6ae6fc0792a Author: Guenter Roeck Date: Mon Apr 5 21:29:22 2021 -0700 pcnet32: Use pci_resource_len to validate PCI resource pci_resource_start() is not a good indicator to determine if a PCI resource exists or not, since the resource may start at address 0. This is seen when trying to instantiate the driver in qemu for riscv32 or riscv64. pci 0000:00:01.0: reg 0x10: [io 0x0000-0x001f] pci 0000:00:01.0: reg 0x14: [mem 0x00000000-0x0000001f] ... pcnet32: card has no PCI IO resources, aborting Use pci_resouce_len() instead. Signed-off-by: Guenter Roeck Signed-off-by: David S. Miller commit 144748eb0c445091466c9b741ebd0bfcc5914f3d Author: John Fastabend Date: Thu Apr 1 15:00:40 2021 -0700 bpf, sockmap: Fix incorrect fwd_alloc accounting Incorrect accounting fwd_alloc can result in a warning when the socket is torn down, [18455.319240] WARNING: CPU: 0 PID: 24075 at net/core/stream.c:208 sk_stream_kill_queues+0x21f/0x230 [...] [18455.319543] Call Trace: [18455.319556] inet_csk_destroy_sock+0xba/0x1f0 [18455.319577] tcp_rcv_state_process+0x1b4e/0x2380 [18455.319593] ? lock_downgrade+0x3a0/0x3a0 [18455.319617] ? tcp_finish_connect+0x1e0/0x1e0 [18455.319631] ? sk_reset_timer+0x15/0x70 [18455.319646] ? tcp_schedule_loss_probe+0x1b2/0x240 [18455.319663] ? lock_release+0xb2/0x3f0 [18455.319676] ? __release_sock+0x8a/0x1b0 [18455.319690] ? lock_downgrade+0x3a0/0x3a0 [18455.319704] ? lock_release+0x3f0/0x3f0 [18455.319717] ? __tcp_close+0x2c6/0x790 [18455.319736] ? tcp_v4_do_rcv+0x168/0x370 [18455.319750] tcp_v4_do_rcv+0x168/0x370 [18455.319767] __release_sock+0xbc/0x1b0 [18455.319785] __tcp_close+0x2ee/0x790 [18455.319805] tcp_close+0x20/0x80 This currently happens because on redirect case we do skb_set_owner_r() with the original sock. This increments the fwd_alloc memory accounting on the original sock. Then on redirect we may push this into the queue of the psock we are redirecting to. When the skb is flushed from the queue we give the memory back to the original sock. The problem is if the original sock is destroyed/closed with skbs on another psocks queue then the original sock will not have a way to reclaim the memory before being destroyed. Then above warning will be thrown sockA sockB sk_psock_strp_read() sk_psock_verdict_apply() -- SK_REDIRECT -- sk_psock_skb_redirect() skb_queue_tail(psock_other->ingress_skb..) sk_close() sock_map_unref() sk_psock_put() sk_psock_drop() sk_psock_zap_ingress() At this point we have torn down our own psock, but have the outstanding skb in psock_other. Note that SK_PASS doesn't have this problem because the sk_psock_drop() logic releases the skb, its still associated with our psock. To resolve lets only account for sockets on the ingress queue that are still associated with the current socket. On the redirect case we will check memory limits per 6fa9201a89898, but will omit fwd_alloc accounting until skb is actually enqueued. When the skb is sent via skb_send_sock_locked or received with sk_psock_skb_ingress memory will be claimed on psock_other. Fixes: 6fa9201a89898 ("bpf, sockmap: Avoid returning unneeded EAGAIN when redirecting to self") Reported-by: Andrii Nakryiko Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/161731444013.68884.4021114312848535993.stgit@john-XPS-13-9370 commit 1c84b33101c82683dee8b06761ca1f69e78c8ee7 Author: John Fastabend Date: Thu Apr 1 15:00:19 2021 -0700 bpf, sockmap: Fix sk->prot unhash op reset In '4da6a196f93b1' we fixed a potential unhash loop caused when a TLS socket in a sockmap was removed from the sockmap. This happened because the unhash operation on the TLS ctx continued to point at the sockmap implementation of unhash even though the psock has already been removed. The sockmap unhash handler when a psock is removed does the following, void sock_map_unhash(struct sock *sk) { void (*saved_unhash)(struct sock *sk); struct sk_psock *psock; rcu_read_lock(); psock = sk_psock(sk); if (unlikely(!psock)) { rcu_read_unlock(); if (sk->sk_prot->unhash) sk->sk_prot->unhash(sk); return; } [...] } The unlikely() case is there to handle the case where psock is detached but the proto ops have not been updated yet. But, in the above case with TLS and removed psock we never fixed sk_prot->unhash() and unhash() points back to sock_map_unhash resulting in a loop. To fix this we added this bit of code, static inline void sk_psock_restore_proto(struct sock *sk, struct sk_psock *psock) { sk->sk_prot->unhash = psock->saved_unhash; This will set the sk_prot->unhash back to its saved value. This is the correct callback for a TLS socket that has been removed from the sock_map. Unfortunately, this also overwrites the unhash pointer for all psocks. We effectively break sockmap unhash handling for any future socks. Omitting the unhash operation will leave stale entries in the map if a socket transition through unhash, but does not do close() op. To fix set unhash correctly before calling into tls_update. This way the TLS enabled socket will point to the saved unhash() handler. Fixes: 4da6a196f93b1 ("bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop") Reported-by: Cong Wang Reported-by: Lorenz Bauer Suggested-by: Cong Wang Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/161731441904.68884.15593917809745631972.stgit@john-XPS-13-9370 commit 2a2403ca3add03f542f6b34bef9f74649969b06d Author: Xin Long Date: Tue Apr 6 10:45:23 2021 +0800 tipc: increment the tmp aead refcnt before attaching it Li Shuang found a NULL pointer dereference crash in her testing: [] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020 [] RIP: 0010:tipc_crypto_rcv_complete+0xc8/0x7e0 [tipc] [] Call Trace: [] [] tipc_crypto_rcv+0x2d9/0x8f0 [tipc] [] tipc_rcv+0x2fc/0x1120 [tipc] [] tipc_udp_recv+0xc6/0x1e0 [tipc] [] udpv6_queue_rcv_one_skb+0x16a/0x460 [] udp6_unicast_rcv_skb.isra.35+0x41/0xa0 [] ip6_protocol_deliver_rcu+0x23b/0x4c0 [] ip6_input+0x3d/0xb0 [] ipv6_rcv+0x395/0x510 [] __netif_receive_skb_core+0x5fc/0xc40 This is caused by NULL returned by tipc_aead_get(), and then crashed when dereferencing it later in tipc_crypto_rcv_complete(). This might happen when tipc_crypto_rcv_complete() is called by two threads at the same time: the tmp attached by tipc_crypto_key_attach() in one thread may be released by the one attached by that in the other thread. This patch is to fix it by incrementing the tmp's refcnt before attaching it instead of calling tipc_aead_get() after attaching it. Fixes: fc1b6d6de220 ("tipc: introduce TIPC encryption & authentication") Reported-by: Li Shuang Signed-off-by: Xin Long Signed-off-by: David S. Miller commit 0f6925b3e8da0dbbb52447ca8a8b42b371aac7db Author: Eric Dumazet Date: Fri Apr 2 06:26:02 2021 -0700 virtio_net: Do not pull payload in skb->head Xuan Zhuo reported that commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") brought a ~10% performance drop. The reason for the performance drop was that GRO was forced to chain sk_buff (using skb_shinfo(skb)->frag_list), which uses more memory but also cause packet consumers to go over a lot of overhead handling all the tiny skbs. It turns out that virtio_net page_to_skb() has a wrong strategy : It allocates skbs with GOOD_COPY_LEN (128) bytes in skb->head, then copies 128 bytes from the page, before feeding the packet to GRO stack. This was suboptimal before commit 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") because GRO was using 2 frags per MSS, meaning we were not packing MSS with 100% efficiency. Fix is to pull only the ethernet header in page_to_skb() Then, we change virtio_net_hdr_to_skb() to pull the missing headers, instead of assuming they were already pulled by callers. This fixes the performance regression, but could also allow virtio_net to accept packets with more than 128bytes of headers. Many thanks to Xuan Zhuo for his report, and his tests/help. Fixes: 3226b158e67c ("net: avoid 32 x truesize under-estimation for tiny skbs") Reported-by: Xuan Zhuo Link: https://www.spinics.net/lists/netdev/msg731397.html Co-Developed-by: Xuan Zhuo Signed-off-by: Xuan Zhuo Signed-off-by: Eric Dumazet Cc: "Michael S. Tsirkin" Cc: Jason Wang Cc: virtualization@lists.linux-foundation.org Acked-by: Jason Wang Signed-off-by: David S. Miller commit b25b343db0526669947a427e9a31bac91d29bb06 Author: Lv Yunlong Date: Fri Apr 2 10:40:19 2021 -0700 net: broadcom: bcm4908enet: Fix a double free in bcm4908_enet_dma_alloc In bcm4908_enet_dma_alloc, if callee bcm4908_dma_alloc_buf_descs() failed, it will free the ring->cpu_addr by dma_free_coherent() and return error. Then bcm4908_enet_dma_free() will be called, and free the same cpu_addr by dma_free_coherent() again. My patch set ring->cpu_addr to NULL after it is freed in bcm4908_dma_alloc_buf_descs() to avoid the double free. Fixes: 4feffeadbcb2e ("net: broadcom: bcm4908enet: add BCM4908 controller driver") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller commit 1180042dc6030c6e26530d4cfe0338fe8e447ca4 Merge: a2fa9e57a68cd a26c56ae67fa9 Author: Arnd Bergmann Date: Sat Apr 3 21:57:53 2021 +0200 Merge tag 'mvebu-fixes-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu into arm/fixes mvebu fixes for 5.12 (part 1) 2 fixes on on turris-omnia (Armada 38x based:) - Fix storm interrupt - Enable hardware buffer management as it should be Unbreak AHCI on all Marvell Armada 7k8k / CN913x platforms * tag 'mvebu-fixes-5.12-1' of git://git.kernel.org/pub/scm/linux/kernel/git/gclement/mvebu: ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin ARM: dts: turris-omnia: fix hardware buffer management Revert "arm64: dts: marvell: armada-cp110: Switch to per-port SATA interrupts" Link: https://lore.kernel.org/r/87a6qgctit.fsf@BL-laptop Signed-off-by: Arnd Bergmann commit 1165affd484889d4986cf3b724318935a0b120d8 Author: Pavel Skripkin Date: Thu Mar 4 18:21:25 2021 +0300 net: mac802154: Fix general protection fault syzbot found general protection fault in crypto_destroy_tfm()[1]. It was caused by wrong clean up loop in llsec_key_alloc(). If one of the tfm array members is in IS_ERR() range it will cause general protection fault in clean up function [1]. Call Trace: crypto_free_aead include/crypto/aead.h:191 [inline] [1] llsec_key_alloc net/mac802154/llsec.c:156 [inline] mac802154_llsec_key_add+0x9e0/0xcc0 net/mac802154/llsec.c:249 ieee802154_add_llsec_key+0x56/0x80 net/mac802154/cfg.c:338 rdev_add_llsec_key net/ieee802154/rdev-ops.h:260 [inline] nl802154_add_llsec_key+0x3d3/0x560 net/ieee802154/nl802154.c:1584 genl_family_rcv_msg_doit+0x228/0x320 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x328/0x580 net/netlink/genetlink.c:800 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: Pavel Skripkin Reported-by: syzbot+9ec037722d2603a9f52e@syzkaller.appspotmail.com Acked-by: Alexander Aring Link: https://lore.kernel.org/r/20210304152125.1052825-1-paskripkin@gmail.com Signed-off-by: Stefan Schmidt commit 1534efc7bbc1121e92c86c2dabebaf2c9dcece19 Author: Alexander Aring Date: Sun Apr 4 20:30:54 2021 -0400 net: ieee802154: stop dump llsec params for monitors This patch stops dumping llsec params for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Reported-by: syzbot+cde43a581a8e5f317bc2@syzkaller.appspotmail.com Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-16-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 9dde130937e95b72adfae64ab21d6e7e707e2dac Author: Alexander Aring Date: Sun Apr 4 20:30:53 2021 -0400 net: ieee802154: forbid monitor for del llsec seclevel This patch forbids to del llsec seclevel for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Reported-by: syzbot+fbf4fc11a819824e027b@syzkaller.appspotmail.com Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-15-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 56b4c6515a367718ced8595debf1567c052ea0b2 Author: Krzysztof Kozlowski Date: Mon Apr 5 20:14:05 2021 +0200 i2c: exynos5: correct top kerneldoc The top comment is not a kerneldoc, as W=1 build reports: drivers/i2c/busses/i2c-exynos5.c:39: warning: expecting prototype for i2c(). Prototype was for HSI2C_CTL() instead Signed-off-by: Krzysztof Kozlowski Signed-off-by: Wolfram Sang commit 9ec87e322428d4734ac647d1a8e507434086993d Author: Alexander Aring Date: Sun Apr 4 20:30:52 2021 -0400 net: ieee802154: forbid monitor for add llsec seclevel This patch forbids to add llsec seclevel for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-14-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 4c9b4f55ad1f5a4b6206ac4ea58f273126d21925 Author: Alexander Aring Date: Sun Apr 4 20:30:51 2021 -0400 net: ieee802154: stop dump llsec seclevels for monitors This patch stops dumping llsec seclevels for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-13-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 6fb8045319ef172dc88a8142e7f8b58c7608137e Author: Alexander Aring Date: Sun Apr 4 20:30:50 2021 -0400 net: ieee802154: forbid monitor for del llsec devkey This patch forbids to del llsec devkey for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-12-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit a347b3b394868fef15b16f143719df56184be81d Author: Alexander Aring Date: Sun Apr 4 20:30:49 2021 -0400 net: ieee802154: forbid monitor for add llsec devkey This patch forbids to add llsec devkey for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-11-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 080d1a57a94d93e70f84b7a360baa351388c574f Author: Alexander Aring Date: Sun Apr 4 20:30:48 2021 -0400 net: ieee802154: stop dump llsec devkeys for monitors This patch stops dumping llsec devkeys for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-10-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit ad8f9de1f3566686af35b1c6b43240726541da61 Author: Alexander Aring Date: Sun Apr 4 20:30:47 2021 -0400 net: ieee802154: forbid monitor for del llsec dev This patch forbids to del llsec dev for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-9-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 5303f956b05a2886ff42890908156afaec0f95ac Author: Alexander Aring Date: Sun Apr 4 20:30:46 2021 -0400 net: ieee802154: forbid monitor for add llsec dev This patch forbids to add llsec dev for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-8-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit a3790a8a94fc0234c5d38013b48e74ef221ec84c Author: Hans de Goede Date: Sun Apr 4 16:38:31 2021 +0200 platform/x86: intel-hid: Fix spurious wakeups caused by tablet-mode events during suspend Some devices send (duplicate) tablet-mode events when moved around even though the mode has not changed; and they do this even when suspended. Change the tablet-mode event handling when priv->wakeup_mode is set to update the switch state in case it changed and then return immediately (without calling pm_wakeup_hard_event()) to avoid spurious wakeups. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212537 Fixes: 537b0dd4729e ("platform/x86: intel-hid: Add support for SW_TABLET_MODE") Signed-off-by: Hans de Goede Reviewed-by: Elia Devito Link: https://lore.kernel.org/r/20210404143831.25173-1-hdegoede@redhat.com commit 5582d641e6740839c9b83efd1fbf9bcd00b6f5fc Author: Alexander Aring Date: Sun Apr 4 20:30:45 2021 -0400 net: ieee802154: stop dump llsec devs for monitors This patch stops dumping llsec devs for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-7-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit b6e2949544a183f590ae6f3ef2d1aaaa2c44e38a Author: Alexander Aring Date: Sun Apr 4 20:30:44 2021 -0400 net: ieee802154: forbid monitor for del llsec key This patch forbids to del llsec key for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-6-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 08470c5453339369bd3d590c4cbb0b5961cdcbb6 Author: Alexander Aring Date: Sun Apr 4 20:30:43 2021 -0400 net: ieee802154: forbid monitor for add llsec key This patch forbids to add llsec key for monitor interfaces which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-5-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit fb3c5cdf88cd504ef11d59e8d656f4bc896c6922 Author: Alexander Aring Date: Sun Apr 4 20:30:42 2021 -0400 net: ieee802154: stop dump llsec keys for monitors This patch stops dumping llsec keys for monitors which we don't support yet. Otherwise we will access llsec mib which isn't initialized for monitors. Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-4-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 88c17855ac4291fb462e13a86b7516773b6c932e Author: Alexander Aring Date: Sun Apr 4 20:30:41 2021 -0400 net: ieee802154: forbid monitor for set llsec params This patch forbids to set llsec params for monitor interfaces which we don't support yet. Reported-by: syzbot+8b6719da8a04beeafcc3@syzkaller.appspotmail.com Signed-off-by: Alexander Aring Link: https://lore.kernel.org/r/20210405003054.256017-3-aahringo@redhat.com Signed-off-by: Stefan Schmidt commit 2d743660786ec51f5c1fefd5782bbdee7b227db0 Merge: 0a50438c84363 7d01ef7585c07 Author: Linus Torvalds Date: Tue Apr 6 12:52:49 2021 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull fs fixes from Al Viro: "Fairly old hostfs bug (in setups that are not used by anyone, apparently) + fix for this cycle regression: extra dput/mntput in LOOKUP_CACHED failure handling" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: Make sure nd->path.mnt and nd->path.dentry are always valid pointers hostfs: fix memory handling in follow_link() commit 392be0bda730df3c71241b2a16bbecac78ee627d Author: Robert Richter Date: Wed Mar 24 15:16:35 2021 +0100 cxl/mem: Force array size of mem_commands[] to CXL_MEM_COMMAND_ID_MAX Typically the mem_commands[] array is in sync with 'enum { CXL_CMDS }'. Current code works well. However, the array size of mem_commands[] may not strictly be the same as CXL_MEM_COMMAND_ID_MAX. E.g. if a new CXL_CMD() is added that is guarded by #ifdefs, the array could be shorter. This could lead then further to an out-of-bounds array access in cxl_validate_cmd_from_user(). Fix this by forcing the array size to CXL_MEM_COMMAND_ID_MAX. This also adds range checks for array items in mem_commands[] at compile time. Signed-off-by: Robert Richter Link: https://lore.kernel.org/r/20210324141635.22335-1-rrichter@amd.com Signed-off-by: Dan Williams commit 7eda6457a9ca4dc9754e1158c3794e4487ea4392 Author: Dan Williams Date: Thu Apr 1 07:33:30 2021 -0700 cxl/mem: Disable cxl device power management There is no power management of cxl virtual devices, disable device-power-management and runtime-power-management to prevent userspace from growing expectations of those attributes appearing. They can be added back in the future if needed. Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/161728761025.2474381.808344500111924819.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit 1c3333a28d4532cfc37d4d25bfc76654a0c76643 Author: Dan Williams Date: Thu Apr 1 07:33:25 2021 -0700 cxl/mem: Do not rely on device_add() side effects for dev_set_name() failures While device_add() will happen to catch dev_set_name() failures it is a broken pattern to follow given that the core may try to fall back to a different name. Add explicit checking for dev_set_name() failures to be cleaned up by put_device(). Skip cdev_device_add() and proceed directly to put_device() if the name set fails. This type of bug is easier to see if 'alloc' is split from 'add' operations that require put_device() on failure. So cxl_memdev_alloc() is split out as a result. Fixes: b39cb1052a5c ("cxl/mem: Register CXL memX devices") Reported-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/161728760514.2474381.1163928273337158134.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit 5877515912cc4f0d67071b7cee15076ebef24708 Author: Dan Williams Date: Thu Apr 1 07:33:19 2021 -0700 cxl/mem: Fix synchronization mechanism for device removal vs ioctl operations The percpu_ref to gate whether cxl_memdev_ioctl() is free to use the driver context (@cxlm) to issue I/O is overkill, implemented incorrectly (missing a device reference before accessing the percpu_ref), and the complexities of shutting down a percpu_ref contributed to a bug in the error unwind in cxl_mem_add_memdev() (missing put_device() to be fixed separately). Use an rwsem to explicitly synchronize the usage of cxlmd->cxlm, and add the missing reference counting for cxlmd in cxl_memdev_open() and cxl_memdev_release_file(). Fixes: b39cb1052a5c ("cxl/mem: Register CXL memX devices") Reported-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/161728759948.2474381.17481500816783671817.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit 6eff5721933c08c3b76d6126aee24d8f134518ef Author: Dan Williams Date: Thu Apr 1 07:33:14 2021 -0700 cxl/mem: Use sysfs_emit() for attribute show routines While none the CXL sysfs attributes are threatening to overrun a PAGE_SIZE of output, it is good form to use the recommended helpers. Fixes: b39cb1052a5c ("cxl/mem: Register CXL memX devices") Reported-by: Jason Gunthorpe Reviewed-by: Ben Widawsky Reviewed-by: Jason Gunthorpe Link: https://lore.kernel.org/r/161728759424.2474381.11231441014951343463.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams commit 7d01ef7585c07afaf487759a48486228cd065726 Author: Al Viro Date: Tue Apr 6 12:33:07 2021 -0400 Make sure nd->path.mnt and nd->path.dentry are always valid pointers Initialize them in set_nameidata() and make sure that terminate_walk() clears them once the pointers become potentially invalid (i.e. we leave RCU mode or drop them in non-RCU one). Currently we have "path_init() always initializes them and nobody accesses them outside of path_init()/terminate_walk() segments", which is asking for trouble. With that change we would have nd->path.{mnt,dentry} 1) always valid - NULL or pointing to currently allocated objects. 2) non-NULL while we are successfully walking 3) NULL when we are not walking at all 4) contributing to refcounts whenever non-NULL outside of RCU mode. Fixes: 6c6ec2b0a3e0 ("fs: add support for LOOKUP_CACHED") Reported-by: syzbot+c88a7030da47945a3cc3@syzkaller.appspotmail.com Tested-by: Christian Brauner Signed-off-by: Al Viro commit 3b943360a20f3e4b2e0133c7cd7138b51fd93de6 Author: Sebastian Reichel Date: Sat Feb 27 22:45:42 2021 +0100 drm/panel: panel-dsi-cm: disable TE for now Disable TE for Droid 4 panel, since implementation is currently broken. Also disable it for N950 panel, which is untested. Reported-by: Tony Lindgren Reported-by: Tomi Valkeinen Fixes: 4c1b935fea54 ("drm/omap: dsi: move TE GPIO handling into core") Signed-off-by: Sebastian Reichel Tested-by: Tony Lindgren Acked-by: Thierry Reding Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20210227214542.99961-1-sebastian.reichel@collabora.com commit 0aa2ddc9af44bf9032098a587aeabada4da181a7 Author: Bhaskar Chowdhury Date: Thu Mar 18 00:54:27 2021 +0530 parisc: math-emu: Few spelling fixes in the file fpu.h with some additional cleanups by Helge. Signed-off-by: Bhaskar Chowdhury Acked-by: Randy Dunlap Signed-off-by: Helge Deller commit 4d752e5af63753ab5140fc282929b98eaa4bd12e Author: Gao Xiang Date: Tue Apr 6 12:59:29 2021 +0800 parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers commit b344d6a83d01 ("parisc: add support for cmpxchg on u8 pointers") can generate a sparse warning ("cast truncates bits from constant value"), which has been reported several times [1] [2] [3]. The original code worked as expected, but anyway, let silence such sparse warning as what others did [4]. [1] https://lore.kernel.org/r/202104061220.nRMBwCXw-lkp@intel.com [2] https://lore.kernel.org/r/202012291914.T5Agcn99-lkp@intel.com [3] https://lore.kernel.org/r/202008210829.KVwn7Xeh%25lkp@intel.com [4] https://lore.kernel.org/r/20210315131512.133720-2-jacopo+renesas@jmondi.org Cc: Liam Beguin Cc: Helge Deller Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Gao Xiang Signed-off-by: Helge Deller commit c6423ed2da6214a68527446b5f8e09cf7162b2ce Author: Takashi Iwai Date: Thu Apr 1 19:13:14 2021 +0200 ALSA: hda/conexant: Apply quirk for another HP ZBook G5 model There is another HP ZBook G5 model with the PCI SSID 103c:844f that requires the same quirk for controlling the mute LED. Add the corresponding entry to the quirk table. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212407 Cc: Link: https://lore.kernel.org/r/20210401171314.667-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 617085fca6375e2c1667d1fbfc6adc4034c85f04 Author: Marc Kleine-Budde Date: Tue Mar 30 11:46:07 2021 +0200 can: mcp251x: fix support for half duplex SPI host controllers Some SPI host controllers do not support full-duplex SPI transfers. The function mcp251x_spi_trans() does a full duplex transfer. It is used in several places in the driver, where a TX half duplex transfer is sufficient. To fix support for half duplex SPI host controllers, this patch introduces a new function mcp251x_spi_write() and changes all callers that do a TX half duplex transfer to use mcp251x_spi_write(). Fixes: e0e25001d088 ("can: mcp251x: add support for half duplex controllers") Link: https://lore.kernel.org/r/20210330100246.1074375-1-mkl@pengutronix.de Cc: Tim Harvey Tested-By: Tim Harvey Reported-by: Gerhard Bertelsmann Signed-off-by: Marc Kleine-Budde commit 65db391dd874db42279713405f29f4ac93682d13 Author: Johannes Berg Date: Fri Mar 26 12:57:23 2021 +0200 iwlwifi: mvm: fix beacon protection checks Unfortunately, since beacon protection isn't fully available yet, we didn't notice that there are problems with it and that the replay detection isn't working correctly. We were relying only on mac80211, since iwl_mvm_rx_crypto() exits when !ieee80211_has_protected(), which is of course true for protected (but not encrypted) management frames. Fix this to properly detect protected (but not encrypted) management frames and handle them - we continue to only care about beacons since for others everything can and will be checked in mac80211. Signed-off-by: Johannes Berg Fixes: b1fdc2505abc ("iwlwifi: mvm: advertise BIGTK client support if available") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.23c990843369.I09c262a8f6f9852cc8f513cdcb31a7f8f87dd8af@changeid commit 39fb06f791429eaee8374ef12634c0fbf68a5a9f Author: Gregory Greenman Date: Fri Mar 26 12:57:22 2021 +0200 iwlwifi: mvm: rfi: don't lock mvm->mutex when sending config command The mutex is already locked in iwl_mvm_mac_start. Signed-off-by: Gregory Greenman Fixes: 21254908cbe9 ("iwlwifi: mvm: add RFI-M support") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.703288ea058d.I82a0312389032d07c3b478bef3e938e06bfa7df6@changeid commit 08f4b0b1c07bcb70247931d81233fb9c59f50c35 Author: Luca Coelho Date: Fri Mar 26 12:57:21 2021 +0200 iwlwifi: pcie: add support for So-F devices We have a new type of device that has a different MAC ID, but is otherwise identical to So devices. Add rules to match this new ID accordingly. Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.4feea3560def.I2b6ef794c2073a18779dd40fb53f8c942d1ab42d@changeid commit 9c04fd95fa830d60e5bdb08bcd7ff68d7e120e5b Author: Johannes Berg Date: Fri Mar 26 12:57:20 2021 +0200 iwlwifi: fw: fix notification wait locking Since we now call iwl_notification_wait_notify() from the NAPI poll in soft-IRQ, we get a (valid) lockdep complaint that we could get a deadlock by taking the spinlock from sleeping context and then getting the soft-IRQ that also tries to take it (in NAPI polling). Fix this by disabling soft-IRQs for this lock. Signed-off-by: Johannes Berg Fixes: 25edc8f259c7 ("iwlwifi: pcie: properly implement NAPI") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.c3b2e3d6b58b.Ic56f351d04674df70567bab0269cba91bdbc853c@changeid commit 97195d3cad852063208a1cd4f4d073459547a415 Author: Matt Chen Date: Fri Mar 26 12:57:19 2021 +0200 iwlwifi: add support for Qu with AX201 device Add this specific Samsung AX201 sku to driver so it can be detected and initialized successfully. Signed-off-by: Matt Chen Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.30b622037714.Id9fd709cf1c8261c097bbfd7453f6476077dcafc@changeid commit 25628bc08d4526d3673ca7d039eb636aa9006076 Author: Johannes Berg Date: Fri Mar 26 12:57:18 2021 +0200 iwlwifi: pcie: properly set LTR workarounds on 22000 devices As the context info gen3 code is only called for >=AX210 devices (from iwl_trans_pcie_gen2_start_fw()) the code there to set LTR on 22000 devices cannot actually do anything (22000 < AX210). Fix this by moving the LTR code to iwl_trans_pcie_gen2_start_fw() where it can handle both devices. This then requires that we kick the firmware only after that rather than doing it from the context info code. Note that this again had a dead branch in gen3 code, which I've removed here. Signed-off-by: Johannes Berg Fixes: ed0022da8bd9 ("iwlwifi: pcie: set LTR on more devices") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.675486178ed1.Ib61463aba6920645059e366dcdca4c4c77f0ff58@changeid commit 07cc40fec9a85e669ea12e161a438d2cbd76f1ed Author: Luca Coelho Date: Fri Mar 26 12:57:17 2021 +0200 iwlwifi: fix 11ax disabled bit in the regulatory capability flags When version 2 of the regulatory capability flags API was implemented, the flag to disable 11ax was defined as bit 13, but this was later changed and the bit remained as bit 10, like in version 1. This was never changed in the driver, so we were checking for the wrong bit in newer devices. Fix it. Signed-off-by: Luca Coelho Fixes: e27c506a985c ("iwlwifi: regulatory: regulatory capabilities api change") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210326125611.6d28516b59cd.Id0248d5e4662695254f49ce37b0268834ed52918@changeid commit 9054284e8846b0105aad43a4e7174ca29fffbc44 Author: Helge Deller Date: Tue Apr 6 11:32:52 2021 +0200 parisc: parisc-agp requires SBA IOMMU driver Add a dependency to the SBA IOMMU driver to avoid: ERROR: modpost: "sba_list" [drivers/char/agp/parisc-agp.ko] undefined! Reported-by: kernel test robot Cc: stable@vger.kernel.org Signed-off-by: Helge Deller commit 4033e76a7abd102eaa84d7adc232f53b9da8709a Author: Wan Jiabing Date: Wed Mar 31 09:28:50 2021 +0800 parisc: Remove duplicate struct task_struct declaration struct task_struct is declared twice. One has been declared at 154th line. Remove the duplicate. Signed-off-by: Wan Jiabing Signed-off-by: Helge Deller commit 5cd0f6f57639c5afbb36100c69281fee82c95ee7 Author: Martin Wilck Date: Thu Apr 1 11:11:05 2021 +0200 scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state rport_dev_loss_timedout() sets the rport state to SRP_PORT_LOST and the SCSI target state to SDEV_TRANSPORT_OFFLINE. If this races with srp_reconnect_work(), a warning is printed: Mar 27 18:48:07 ictm1604s01h4 kernel: dev_loss_tmo expired for SRP port-18:1 / host18. Mar 27 18:48:07 ictm1604s01h4 kernel: ------------[ cut here ]------------ Mar 27 18:48:07 ictm1604s01h4 kernel: scsi_internal_device_block(18:0:0:100) failed: ret = -22 Mar 27 18:48:07 ictm1604s01h4 kernel: Call Trace: Mar 27 18:48:07 ictm1604s01h4 kernel: ? scsi_target_unblock+0x50/0x50 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: starget_for_each_device+0x80/0xb0 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: target_block+0x24/0x30 [scsi_mod] Mar 27 18:48:07 ictm1604s01h4 kernel: device_for_each_child+0x57/0x90 Mar 27 18:48:07 ictm1604s01h4 kernel: srp_reconnect_rport+0xe4/0x230 [scsi_transport_srp] Mar 27 18:48:07 ictm1604s01h4 kernel: srp_reconnect_work+0x40/0xc0 [scsi_transport_srp] Avoid this by not trying to block targets for rports in SRP_PORT_LOST state. Link: https://lore.kernel.org/r/20210401091105.8046-1-mwilck@suse.com Reviewed-by: Bart Van Assche Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen commit 0352c3d3959a6cf543075b88c7e662fd3546f12e Author: Roman Bolshakov Date: Sun Apr 4 00:54:15 2021 +0300 scsi: target: iscsi: Fix zero tag inside a trace event target_sequencer_start event is triggered inside target_cmd_init_cdb(). se_cmd.tag is not initialized with ITT at the moment so the event always prints zero tag. Link: https://lore.kernel.org/r/20210403215415.95077-1-r.bolshakov@yadro.com Cc: stable@vger.kernel.org # 5.10+ Reviewed-by: Mike Christie Signed-off-by: Roman Bolshakov Signed-off-by: Martin K. Petersen commit 65df7d1986a1909a0869419919e7d9c78d70407e Author: Viswas G Date: Fri Apr 2 11:12:12 2021 +0530 scsi: pm80xx: Fix chip initialization failure Inbound and outbound queues were not properly configured and that lead to MPI configuration failure. Fixes: 05c6c029a44d ("scsi: pm80xx: Increase number of supported queues") Cc: stable@vger.kernel.org # 5.10+ Link: https://lore.kernel.org/r/20210402054212.17834-1-Viswas.G@microchip.com.com Reported-and-tested-by: Ash Izat Signed-off-by: Viswas G Signed-off-by: Martin K. Petersen commit 08c27f3322fec11950b8f1384aa0f3b11d028528 Author: Tetsuo Handa Date: Mon Apr 5 19:16:50 2021 +0900 batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field KMSAN found uninitialized value at batadv_tt_prepare_tvlv_local_data() [1], for commit ced72933a5e8ab52 ("batman-adv: use CRC32C instead of CRC16 in TT code") inserted 'reserved' field into "struct batadv_tvlv_tt_data" and commit 7ea7b4a142758dea ("batman-adv: make the TT CRC logic VLAN specific") moved that field to "struct batadv_tvlv_tt_vlan_data" but left that field uninitialized. [1] https://syzkaller.appspot.com/bug?id=07f3e6dba96f0eb3cabab986adcd8a58b9bdbe9d Reported-by: syzbot Tested-by: syzbot Signed-off-by: Tetsuo Handa Fixes: ced72933a5e8ab52 ("batman-adv: use CRC32C instead of CRC16 in TT code") Fixes: 7ea7b4a142758dea ("batman-adv: make the TT CRC logic VLAN specific") Acked-by: Sven Eckelmann Signed-off-by: David S. Miller commit 22f69de18ee86e81dc41253869e5dd963ccea429 Merge: 630e4576f83ac 0600771fa6b23 Author: David S. Miller Date: Mon Apr 5 15:02:41 2021 -0700 Merge branch 'hns3-fixes' Salil Mehta says: ==================== Misc. fixes for hns3 driver Fixes for the miscellaneous problems found during the review of the code. ==================== Signed-off-by: David S. Miller commit 0600771fa6b231e801ba1ff5d7adfcf7659dbbf3 Author: Salil Mehta Date: Mon Apr 5 18:06:45 2021 +0100 net: hns3: Remove un-necessary 'else-if' in the hclge_reset_event() Code to defer the reset(which caps the frequency of the reset) schedules the timer and returns. Hence, following 'else-if' looks un-necessary. Fixes: 9de0b86f6444 ("net: hns3: Prevent to request reset frequently") Signed-off-by: Salil Mehta Signed-off-by: David S. Miller commit 9a6aaf61487e6d96ce0bf9b84a784c528dbf6e5e Author: Salil Mehta Date: Mon Apr 5 18:06:44 2021 +0100 net: hns3: Remove the left over redundant check & assignment This removes the left over check and assignment which is no longer used anywhere in the function and should have been removed as part of the below mentioned patch. Fixes: 012fcb52f67c ("net: hns3: activate reset timer when calling reset_event") Signed-off-by: Salil Mehta Signed-off-by: David S. Miller commit 5e729bc54bda705f64941008b018b4e41a4322bf Author: Andy Shevchenko Date: Wed Mar 31 14:05:10 2021 +0300 i2c: designware: Adjust bus_freq_hz when refuse high speed mode set When hardware doesn't support High Speed Mode, we forget bus_freq_hz timing adjustment. This makes the timings and real registers being unsynchronized. Adjust bus_freq_hz when refuse high speed mode set. Fixes: b6e67145f149 ("i2c: designware: Enable high speed mode") Reported-by: "Song Bao Hua (Barry Song)" Signed-off-by: Andy Shevchenko Reviewed-by: Barry Song Signed-off-by: Wolfram Sang commit 630e4576f83accf90366686f39808d665d8dbecc Author: Maciej Żenczykowski Date: Mon Apr 5 00:06:52 2021 -0700 net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind() Found by virtue of ipv6 raw sockets not honouring the per-socket IP{,V6}_FREEBIND setting. Based on hits found via: git grep '[.]ip_nonlocal_bind' We fix both raw ipv6 sockets to honour IP{,V6}_FREEBIND and IP{,V6}_TRANSPARENT, and we fix sctp sockets to honour IP{,V6}_TRANSPARENT (they already honoured FREEBIND), and not just the ipv6 'ip_nonlocal_bind' sysctl. The helper is defined as: static inline bool ipv6_can_nonlocal_bind(struct net *net, struct inet_sock *inet) { return net->ipv6.sysctl.ip_nonlocal_bind || inet->freebind || inet->transparent; } so this change only widens the accepted opt-outs and is thus a clean bugfix. I'm not entirely sure what 'fixes' tag to add, since this is AFAICT an ancient bug, but IMHO this should be applied to stable kernels as far back as possible. As such I'm adding a 'fixes' tag with the commit that originally added the helper, which happened in 4.19. Backporting to older LTS kernels (at least 4.9 and 4.14) would presumably require open-coding it or backporting the helper as well. Other possibly relevant commits: v4.18-rc6-1502-g83ba4645152d net: add helpers checking if socket can be bound to nonlocal address v4.18-rc6-1431-gd0c1f01138c4 net/ipv6: allow any source address for sendmsg pktinfo with ip_nonlocal_bind v4.14-rc5-271-gb71d21c274ef sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND v4.7-rc7-1883-g9b9742022888 sctp: support ipv6 nonlocal bind v4.1-12247-g35a256fee52c ipv6: Nonlocal bind Cc: Lorenzo Colitti Fixes: 83ba4645152d ("net: add helpers checking if socket can be bound to nonlocal address") Signed-off-by: Maciej Żenczykowski Reviewed-By: Lorenzo Colitti Signed-off-by: David S. Miller commit 4d51419d49930be2701c2633ae271b350397c3ca Author: Ilya Maximets Date: Sun Apr 4 19:50:31 2021 +0200 openvswitch: fix send of uninitialized stack memory in ct limit reply 'struct ovs_zone_limit' has more members than initialized in ovs_ct_limit_get_default_limit(). The rest of the memory is a random kernel stack content that ends up being sent to userspace. Fix that by using designated initializer that will clear all non-specified fields. Fixes: 11efd5cb04a1 ("openvswitch: Support conntrack zone limit") Signed-off-by: Ilya Maximets Acked-by: Tonghao Zhang Signed-off-by: David S. Miller commit 0a50438c84363bd37fe18fe432888ae9a074dcab Merge: e49d033bddf5b 89e28ce60cb65 Author: Linus Torvalds Date: Mon Apr 5 09:35:58 2021 -0700 Merge branch 'for-5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq Pull workqueue fixes from Tejun Heo: "Two workqueue fixes. One is around debugobj and poses no risk. The other is to prevent the stall watchdog from firing spuriously in certain conditions. Not as trivial as debugobj change but is still fairly low risk" * 'for-5.12-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/wq: workqueue/watchdog: Make unbound workqueues aware of touch_softlockup_watchdog() 84;0;0c84;0;0c There are two workqueue-specific watchdog timestamps: workqueue: Move the position of debug_work_activate() in __queue_work() commit 026334a3bb6a3919b42aba9fc11843db2b77fd41 Author: Adrian Hunter Date: Thu Apr 1 13:36:05 2021 +0300 perf inject: Fix repipe usage Since commit 14d3d54052539a1e ("perf session: Try to read pipe data from file") 'perf inject' has started printing "PERFILE2h" when not processing pipes. The commit exposed perf to the possiblity that the input is not a pipe but the 'repipe' parameter gets used. That causes the printing because perf inject sets 'repipe' to true always. The 'repipe' parameter of perf_session__new() is used by 2 functions: - perf_file_header__read_pipe() - trace_report() In both cases, the functions copy data to STDOUT_FILENO when 'repipe' is true. Fix by setting 'repipe' to true only if the output is a pipe. Fixes: e558a5bd8b74aff4 ("perf inject: Work with files") Signed-off-by: Adrian Hunter Acked-by: Jiri Olsa Cc: Andrew Vagin Link: http://lore.kernel.org/lkml/20210401103605.9000-1-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo commit 85012e764d3a1be02297b23c1aa3467f0df212aa Author: Heiko Carstens Date: Sat Apr 3 12:15:13 2021 +0200 s390/irq: fix reading of ext_params2 field from lowcore The contents of the ext_params2 field of the lowcore should just be copied to the pt_regs structure, not dereferenced. Fixes crashes / program check loops like this: Krnl PSW : 0404c00180000000 00000000d6d02b3c (do_ext_irq+0x74/0x170) R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 RI:0 EA:3 Krnl GPRS: 0000000000000000 80000000000b974e 00000000d71abee0 00000000d71abee0 0000000080030000 000000000000000f 0000000000000000 0000000000000000 0000000000000001 00000380000bf918 00000000d73ef780 00000380000bf518 0000000080348000 00000000d6d13350 00000000d6d02b1e 00000380000bf428 Krnl Code: 00000000d6d02b2e: 58100080 l %r1,128 00000000d6d02b32: 5010b0a4 st %r1,164(%r11) #00000000d6d02b36: e31001b80104 lg %r1,4536 >00000000d6d02b3c: e31010000004 lg %r1,0(%r1) 00000000d6d02b42: e310b0a80024 stg %r1,168(%r11) 00000000d6d02b48: c01000242270 larl %r1,00000000d7187028 00000000d6d02b4e: d5071000b010 clc 0(8,%r1),16(%r11) 00000000d6d02b54: a784001b brc 8,00000000d6d02b8a Call Trace: [<00000000d6d02b3c>] do_ext_irq+0x74/0x170 [<00000000d6d0ea5c>] ext_int_handler+0xc4/0xf4 [<00000000d621d266>] die+0x106/0x188 [<00000000d62305b8>] do_no_context+0xc8/0x100 [<00000000d6d02790>] __do_pgm_check+0xe0/0x1f0 [<00000000d6d0e950>] pgm_check_handler+0x118/0x160 [<00000000d6d02b3c>] do_ext_irq+0x74/0x170 [<00000000d6d0ea5c>] ext_int_handler+0xc4/0xf4 [<00000000d621d266>] die+0x106/0x188 [<00000000d62305b8>] do_no_context+0xc8/0x100 [<00000000d6d02790>] __do_pgm_check+0xe0/0x1f0 [<00000000d6d0e950>] pgm_check_handler+0x118/0x160 [<00000000d6d02b3c>] do_ext_irq+0x74/0x170 [<00000000d6d0ea5c>] ext_int_handler+0xc4/0xf4 [<0000000000000000>] 0x0 [<00000000d6d0e57a>] default_idle_call+0x42/0x110 [<00000000d629856e>] do_idle+0xce/0x160 [<00000000d62987be>] cpu_startup_entry+0x36/0x40 [<00000000d621f2f2>] smp_start_secondary+0x82/0x88 Cc: Sven Schnelle Cc: Vasily Gorbik Fixes: 56e62a737028 ("s390: convert to generic entry") Signed-off-by: Heiko Carstens commit 08edb9683e47f5183aed9aa3f926292b54c278c1 Author: Vasily Gorbik Date: Wed Mar 31 11:44:50 2021 +0200 s390/unwind: add machine check handler stack Fixes: b61b1595124a ("s390: add stack for machine check handler") Signed-off-by: Vasily Gorbik Signed-off-by: Heiko Carstens commit 7a2f91441b2c1d81b77c1cd816a4659f4abc9cbe Author: Alexander Gordeev Date: Mon Mar 29 18:35:07 2021 +0200 s390/cpcmd: fix inline assembly register clobbering Register variables initialized using arithmetic. That leads to kasan instrumentaton code corrupting the registers contents. Follow GCC guidlines and use temporary variables for assigning init values to register variables. Fixes: 94c12cc7d196 ("[S390] Inline assembly cleanup.") Signed-off-by: Alexander Gordeev Acked-by: Ilya Leoshkevich Link: https://gcc.gnu.org/onlinedocs/gcc-10.2.0/gcc/Local-Register-Variables.html Signed-off-by: Heiko Carstens commit eed6e41813deb9ee622cd9242341f21430d7789f Author: Saravana Kannan Date: Thu Apr 1 21:03:40 2021 -0700 driver core: Fix locking bug in deferred_probe_timeout_work_func() list_for_each_entry_safe() is only useful if we are deleting nodes in a linked list within the loop. It doesn't protect against other threads adding/deleting nodes to the list in parallel. We need to grab deferred_probe_mutex when traversing the deferred_probe_pending_list. Cc: stable@vger.kernel.org Fixes: 25b4e70dcce9 ("driver core: allow stopping deferred probe after init") Signed-off-by: Saravana Kannan Link: https://lore.kernel.org/r/20210402040342.2944858-2-saravanak@google.com Signed-off-by: Greg Kroah-Hartman commit 363eaa3a450abb4e63bd6e3ad79d1f7a0f717814 Author: Shuah Khan Date: Mon Mar 29 19:36:51 2021 -0600 usbip: synchronize event handler with sysfs code paths Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to synchronize event handler with sysfs paths in usbip drivers. Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/c5c8723d3f29dfe3d759cfaafa7dd16b0dfe2918.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit bd8b82042269a95db48074b8bb400678dbac1815 Author: Shuah Khan Date: Mon Mar 29 19:36:50 2021 -0600 usbip: vudc synchronize sysfs code paths Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in vudc. Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/caabcf3fc87bdae970509b5ff32d05bb7ce2fb15.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 9dbf34a834563dada91366c2ac266f32ff34641a Author: Shuah Khan Date: Mon Mar 29 19:36:49 2021 -0600 usbip: stub-dev synchronize sysfs code paths Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. Use sysfs_lock to protect sysfs paths in stub-dev. Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/2b182f3561b4a065bf3bf6dce3b0e9944ba17b3f.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 4e9c93af7279b059faf5bb1897ee90512b258a12 Author: Shuah Khan Date: Mon Mar 29 19:36:48 2021 -0600 usbip: add sysfs_lock to synchronize sysfs code paths Fuzzing uncovered race condition between sysfs code paths in usbip drivers. Device connect/disconnect code paths initiated through sysfs interface are prone to races if disconnect happens during connect and vice versa. This problem is common to all drivers while it can be reproduced easily in vhci_hcd. Add a sysfs_lock to usbip_device struct to protect the paths. Use this in vhci_hcd to protect sysfs paths. For a complete fix, usip_host and usip-vudc drivers and the event handler will have to use this lock to protect the paths. These changes will be done in subsequent patches. Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+a93fba6d384346a761e3@syzkaller.appspotmail.com Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/b6568f7beae702bbc236a545d3c020106ca75eac.1616807117.git.skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 3004fcba01b4adb3d2ff48c7eead8763fb837556 Merge: e49d033bddf5b cf97d7af24683 Author: Greg Kroah-Hartman Date: Mon Apr 5 09:04:41 2021 +0200 Merge tag 'v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb into usb-linus Peter writes: Fixes one issue with dequeuing requests after disabling endpoint for cdnsp udc driver * tag 'v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/peter.chen/usb: usb: cdnsp: Fixes issue with dequeuing requests after disabling endpoint commit e49d033bddf5b565044e2abe4241353959bc9120 Author: Linus Torvalds Date: Sun Apr 4 14:15:36 2021 -0700 Linux 5.12-rc6 commit 829933ef05a951c8ff140e814656d73e74915faf Author: Zheyu Ma Date: Sat Apr 3 06:58:36 2021 +0000 firewire: nosy: Fix a use-after-free bug in nosy_ioctl() For each device, the nosy driver allocates a pcilynx structure. A use-after-free might happen in the following scenario: 1. Open nosy device for the first time and call ioctl with command NOSY_IOC_START, then a new client A will be malloced and added to doubly linked list. 2. Open nosy device for the second time and call ioctl with command NOSY_IOC_START, then a new client B will be malloced and added to doubly linked list. 3. Call ioctl with command NOSY_IOC_START for client A, then client A will be readded to the doubly linked list. Now the doubly linked list is messed up. 4. Close the first nosy device and nosy_release will be called. In nosy_release, client A will be unlinked and freed. 5. Close the second nosy device, and client A will be referenced, resulting in UAF. The root cause of this bug is that the element in the doubly linked list is reentered into the list. Fix this bug by adding a check before inserting a client. If a client is already in the linked list, don't insert it. The following KASAN report reveals it: BUG: KASAN: use-after-free in nosy_release+0x1ea/0x210 Write of size 8 at addr ffff888102ad7360 by task poc CPU: 3 PID: 337 Comm: poc Not tainted 5.12.0-rc5+ #6 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: nosy_release+0x1ea/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Allocated by task 337: nosy_open+0x154/0x4d0 misc_open+0x2ec/0x410 chrdev_open+0x20d/0x5a0 do_dentry_open+0x40f/0xe80 path_openat+0x1cf9/0x37b0 do_filp_open+0x16d/0x390 do_sys_openat2+0x11d/0x360 __x64_sys_open+0xfd/0x1a0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 337: kfree+0x8f/0x210 nosy_release+0x158/0x210 __fput+0x1e2/0x840 task_work_run+0xe8/0x180 exit_to_user_mode_prepare+0x114/0x120 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888102ad7300 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 96 bytes inside of 128-byte region [ffff888102ad7300, ffff888102ad7380) [ Modified to use 'list_empty()' inside proper lock - Linus ] Link: https://lore.kernel.org/lkml/1617433116-5930-1-git-send-email-zheyuma97@gmail.com/ Reported-and-tested-by: 马哲宇 (Zheyu Ma) Signed-off-by: Zheyu Ma Cc: Greg Kroah-Hartman Cc: Stefan Richter Signed-off-by: Linus Torvalds commit 89e28ce60cb65971c73359c66d076aa20a395cd5 Author: Wang Qing Date: Wed Mar 24 19:40:29 2021 +0800 workqueue/watchdog: Make unbound workqueues aware of touch_softlockup_watchdog() 84;0;0c84;0;0c There are two workqueue-specific watchdog timestamps: + @wq_watchdog_touched_cpu (per-CPU) updated by touch_softlockup_watchdog() + @wq_watchdog_touched (global) updated by touch_all_softlockup_watchdogs() watchdog_timer_fn() checks only the global @wq_watchdog_touched for unbound workqueues. As a result, unbound workqueues are not aware of touch_softlockup_watchdog(). The watchdog might report a stall even when the unbound workqueues are blocked by a known slow code. Solution: touch_softlockup_watchdog() must touch also the global @wq_watchdog_touched timestamp. The global timestamp can no longer be used for bound workqueues because it is now updated from all CPUs. Instead, bound workqueues have to check only @wq_watchdog_touched_cpu and these timestamps have to be updated for all CPUs in touch_all_softlockup_watchdogs(). Beware: The change might cause the opposite problem. An unbound workqueue might get blocked on CPU A because of a real softlockup. The workqueue watchdog would miss it when the timestamp got touched on CPU B. It is acceptable because softlockups are detected by softlockup watchdog. The workqueue watchdog is there to detect stalls where a work never finishes, for example, because of dependencies of works queued into the same workqueue. V3: - Modify the commit message clearly according to Petr's suggestion. Signed-off-by: Wang Qing Signed-off-by: Tejun Heo commit 0687c66b5f666b5ad433f4e94251590d9bc9d10e Author: Zqiang Date: Thu Feb 18 11:16:49 2021 +0800 workqueue: Move the position of debug_work_activate() in __queue_work() The debug_work_activate() is called on the premise that the work can be inserted, because if wq be in WQ_DRAINING status, insert work may be failed. Fixes: e41e704bc4f4 ("workqueue: improve destroy_workqueue() debuggability") Signed-off-by: Zqiang Reviewed-by: Lai Jiangshan Signed-off-by: Tejun Heo commit 2023a53bdf41b7646b1d384b6816af06309f73a5 Merge: d83e98f9d8c88 1683f7de65dbf Author: Linus Torvalds Date: Sat Apr 3 15:42:45 2021 -0700 Merge tag 'for-linus' of git://github.com/openrisc/linux Pull OpenRISC fix from Stafford Horne: "Fix duplicate header include in Litex SOC driver" * tag 'for-linus' of git://github.com/openrisc/linux: soc: litex: Remove duplicated header file inclusion commit d83e98f9d8c88cbae1b05fa5751bddfcf0e222b2 Merge: 8e29be3468d45 e82ad48539483 Author: Linus Torvalds Date: Sat Apr 3 14:26:47 2021 -0700 Merge tag 'io_uring-5.12-2021-04-03' of git://git.kernel.dk/linux-block POull io_uring fix from Jens Axboe: "Just fixing a silly braino in a previous patch, where we'd end up failing to compile if CONFIG_BLOCK isn't enabled. Not that a lot of people do that, but kernel bot spotted it and it's probably prudent to just flush this out now before -rc6. Sorry about that, none of my test compile configs have !CONFIG_BLOCK" * tag 'io_uring-5.12-2021-04-03' of git://git.kernel.dk/linux-block: io_uring: fix !CONFIG_BLOCK compilation failure commit 1683f7de65dbf0a2c6a7d639173fe92430a28930 Author: Zhen Lei Date: Wed Mar 31 15:06:43 2021 +0200 soc: litex: Remove duplicated header file inclusion The header file is already included above and can be removed here. Signed-off-by: Zhen Lei Signed-off-by: Mateusz Holenko Signed-off-by: Stafford Horne commit 8e29be3468d4565dd95fbb098df0d7a79ee60d71 Merge: 7fd7d5c20129d ff132c5f93c06 Author: Linus Torvalds Date: Sat Apr 3 12:15:01 2021 -0700 Merge tag 'gfs2-v5.12-rc2-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fixes from Andreas Gruenbacher: "Two more gfs2 fixes" * tag 'gfs2-v5.12-rc2-fixes2' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: report "already frozen/thawed" errors gfs2: Flag a withdraw if init_threads() fails commit 7fd7d5c20129d2227b95cbe567b24559f144b77c Merge: 9c2ef23e4dae1 1adbc2941eee8 Author: Linus Torvalds Date: Sat Apr 3 11:52:18 2021 -0700 Merge tag 'riscv-for-linus-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "A handful of fixes for 5.12: - fix a stack tracing regression related to "const register asm" variables, which have unexpected behavior. - ensure the value to be written by put_user() is evaluated before enabling access to userspace memory.. - align the exception vector table correctly, so we don't rely on the firmware's handling of unaligned accesses. - build fix to make NUMA depend on MMU, which triggered on some randconfigs" * tag 'riscv-for-linus-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: Make NUMA depend on MMU riscv: remove unneeded semicolon riscv,entry: fix misaligned base for excp_vect_table riscv: evaluate put_user() arg before enabling user access riscv: Drop const annotation for sp commit 9c2ef23e4dae122d2b18e834d90f8bd4dda48fe6 Merge: fa16199500c88 53f1d31708f62 Author: Linus Torvalds Date: Sat Apr 3 10:49:38 2021 -0700 Merge tag 'powerpc-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: "Fix a bug on pseries where spurious wakeups from H_PROD would prevent partition migration from succeeding. Fix oopses seen in pcpu_alloc(), caused by parallel faults of the percpu mapping causing us to corrupt the protection key used for the mapping, and cause a fatal key fault. Thanks to Aneesh Kumar K.V, Murilo Opsfelder Araujo, and Nathan Lynch" * tag 'powerpc-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/mm/book3s64: Use the correct storage key value when calling H_PROTECT powerpc/pseries/mobility: handle premature return from H_JOIN powerpc/pseries/mobility: use struct for shared state commit fa16199500c8863da145870f01d61617d967b6c3 Merge: f5664825fc205 37df9f3fedb6a Author: Linus Torvalds Date: Sat Apr 3 10:42:20 2021 -0700 Merge tag 'hyperv-fixes-signed-20210402' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux Pull Hyper-V fixes from Wei Liu: "One fix from Lu Yunlong for a double free in hvfb_probe" * tag 'hyperv-fixes-signed-20210402' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux: video: hyperv_fb: Fix a double free in hvfb_probe commit f5664825fc2055ed9a0e4988cfc3aeb199dce520 Merge: a443930a3e8ea f0acf637d60ff Author: Linus Torvalds Date: Sat Apr 3 10:14:47 2021 -0700 Merge tag 'driver-core-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fix from Greg KH: "Here is a single driver core fix for a reported problem with differed probing. It has been in linux-next for a while with no reported problems" * tag 'driver-core-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: driver core: clear deferred probe reason on probe retry commit a443930a3e8eaf70c8768cc2c923d1d85b71262f Merge: 3e707eb6b8aa7 3756b6578709c Author: Linus Torvalds Date: Sat Apr 3 10:05:16 2021 -0700 Merge tag 'char-misc-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are a few small driver char/misc changes for 5.12-rc6. Nothing major here, a few fixes for reported issues: - interconnect fixes for problems found - fbcon syzbot-found fix - extcon fixes - firmware stratix10 bugfix - MAINTAINERS file update. All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: drivers: video: fbcon: fix NULL dereference in fbcon_cursor() mei: allow map and unmap of client dma buffer only for disconnected client MAINTAINERS: Add linux-phy list and patchwork interconnect: Fix kerneldoc warning firmware: stratix10-svc: reset COMMAND_RECONFIG_FLAG_PARTIAL to 0 extcon: Fix error handling in extcon_dev_register extcon: Add stubs for extcon_register_notifier_all() functions interconnect: core: fix error return code of icc_link_destroy() interconnect: qcom: msm8939: remove rpm-ids from non-RPM nodes commit 3e707eb6b8aa715847c17279f9c17c8dca2d639b Merge: 0d2c5a9e15179 e78836ae76d20 Author: Linus Torvalds Date: Sat Apr 3 10:03:51 2021 -0700 Merge tag 'staging-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are two rtl8192e staging driver fixes for reported problems. Both of these have been in linux-next for a while with no reported issues" * tag 'staging-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: rtl8192e: Change state information from u16 to u8 staging: rtl8192e: Fix incorrect source in memcpy() commit 0d2c5a9e15179806fd9ff24409d2c0d689fc422f Merge: de879a8d37ff8 29d96eb261345 Author: Linus Torvalds Date: Sat Apr 3 10:00:53 2021 -0700 Merge tag 'tty-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull serial driver fix from Greg KH: "Here is a single serial driver fix for 5.12-rc6. Is is a revert of a change that showed up in 5.9 that has been reported to cause problems. It has been in linux-next for a while with no reported issues" * tag 'tty-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: soc: qcom-geni-se: Cleanup the code to remove proxy votes commit de879a8d37ff86b8111f94a64fc82c81c1dddd89 Merge: 57fbdb15ec427 93f672804bf2d Author: Linus Torvalds Date: Sat Apr 3 09:56:22 2021 -0700 Merge tag 'usb-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are a few small USB driver fixes for 5.12-rc6 to resolve reported problems. They include: - a number of cdc-acm fixes for reported problems. It seems more people are using this driver lately... - dwc3 driver fixes for reported problems, and fixes for the fixes :) - dwc2 driver fixes for reported issues. - musb driver fix. - new USB quirk additions. All of these have been in linux-next for a while with no reported issues" * tag 'usb-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (23 commits) usb: dwc2: Prevent core suspend when port connection flag is 0 usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. usb: musb: Fix suspend with devices connected for a64 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem USB: cdc-acm: do not log successful probe on later errors USB: cdc-acm: always claim data interface USB: cdc-acm: use negation for NULL checks USB: cdc-acm: clean up probe error labels USB: cdc-acm: drop redundant driver-data reset USB: cdc-acm: drop redundant driver-data assignment USB: cdc-acm: fix use-after-free after probe failure USB: cdc-acm: fix double free on probe failure USB: cdc-acm: downgrade message to debug USB: cdc-acm: untangle a circular dependency between callback and softint cdc-acm: fix BREAK rx code path adding necessary calls usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference usb: dwc3: pci: Enable dis_uX_susphy_quirk for Intel Merrifield ... commit 57fbdb15ec427ca3a6f35d4b71fc90ca9af301ea Merge: d93a0d43e3d0b 9e67600ed6b85 Author: Linus Torvalds Date: Sat Apr 3 09:07:35 2021 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fix from James Bottomley: "A single fix to iscsi for a rare race condition which can cause a kernel panic" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: iscsi: Fix race condition between login and sync thread commit 7045465500e465b09f09d6e5bdc260a9f1aab97b Author: Lukasz Bartosik Date: Fri Apr 2 00:51:49 2021 +0200 clk: fix invalid usage of list cursor in unregister Fix invalid usage of a list_for_each_entry cursor in clk_notifier_unregister(). When list is empty or if the list is completely traversed (without breaking from the loop on one of the entries) then the list cursor does not point to a valid entry and therefore should not be used. The patch fixes a logical bug that hasn't been seen in pratice however it is analogus to the bug fixed in clk_notifier_register(). The issue was dicovered when running 5.12-rc1 kernel on x86_64 with KASAN enabled: BUG: KASAN: global-out-of-bounds in clk_notifier_register+0xab/0x230 Read of size 8 at addr ffffffffa0d10588 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1 #1 Hardware name: Google Caroline/Caroline, BIOS Google_Caroline.7820.430.0 07/20/2018 Call Trace: dump_stack+0xee/0x15c print_address_description+0x1e/0x2dc kasan_report+0x188/0x1ce ? clk_notifier_register+0xab/0x230 ? clk_prepare_lock+0x15/0x7b ? clk_notifier_register+0xab/0x230 clk_notifier_register+0xab/0x230 dw8250_probe+0xc01/0x10d4 ... Memory state around the buggy address: ffffffffa0d10480: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 ffffffffa0d10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 >ffffffffa0d10580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffffffffa0d10600: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 ffffffffa0d10680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 ================================================================== Fixes: b2476490ef11 ("clk: introduce the common clock framework") Reported-by: Lukasz Majczak Signed-off-by: Lukasz Bartosik Link: https://lore.kernel.org/r/20210401225149.18826-2-lb@semihalf.com Signed-off-by: Stephen Boyd commit 8d3c0c01cb2e36b2bf3c06a82b18b228d0c8f5d0 Author: Lukasz Bartosik Date: Fri Apr 2 00:51:48 2021 +0200 clk: fix invalid usage of list cursor in register Fix invalid usage of a list_for_each_entry cursor in clk_notifier_register(). When list is empty or if the list is completely traversed (without breaking from the loop on one of the entries) then the list cursor does not point to a valid entry and therefore should not be used. The issue was dicovered when running 5.12-rc1 kernel on x86_64 with KASAN enabled: BUG: KASAN: global-out-of-bounds in clk_notifier_register+0xab/0x230 Read of size 8 at addr ffffffffa0d10588 by task swapper/0/1 CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1 #1 Hardware name: Google Caroline/Caroline, BIOS Google_Caroline.7820.430.0 07/20/2018 Call Trace: dump_stack+0xee/0x15c print_address_description+0x1e/0x2dc kasan_report+0x188/0x1ce ? clk_notifier_register+0xab/0x230 ? clk_prepare_lock+0x15/0x7b ? clk_notifier_register+0xab/0x230 clk_notifier_register+0xab/0x230 dw8250_probe+0xc01/0x10d4 ... Memory state around the buggy address: ffffffffa0d10480: 00 00 00 00 00 03 f9 f9 f9 f9 f9 f9 00 00 00 00 ffffffffa0d10500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 >ffffffffa0d10580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00 ^ ffffffffa0d10600: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 ffffffffa0d10680: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00 ================================================================== Fixes: b2476490ef11 ("clk: introduce the common clock framework") Reported-by: Lukasz Majczak Signed-off-by: Lukasz Bartosik Link: https://lore.kernel.org/r/20210401225149.18826-1-lb@semihalf.com Signed-off-by: Stephen Boyd commit e82ad4853948382d37ac512b27a3e70b6f01c103 Author: Jens Axboe Date: Fri Apr 2 19:45:34 2021 -0600 io_uring: fix !CONFIG_BLOCK compilation failure kernel test robot correctly pinpoints a compilation failure if CONFIG_BLOCK isn't set: fs/io_uring.c: In function '__io_complete_rw': >> fs/io_uring.c:2509:48: error: implicit declaration of function 'io_rw_should_reissue'; did you mean 'io_rw_reissue'? [-Werror=implicit-function-declaration] 2509 | if ((res == -EAGAIN || res == -EOPNOTSUPP) && io_rw_should_reissue(req)) { | ^~~~~~~~~~~~~~~~~~~~ | io_rw_reissue cc1: some warnings being treated as errors Ensure that we have a stub declaration of io_rw_should_reissue() for !CONFIG_BLOCK. Fixes: 230d50d448ac ("io_uring: move reissue into regular IO path") Reported-by: kernel test robot Signed-off-by: Jens Axboe commit d93a0d43e3d0ba9e19387be4dae4a8d5b175a8d7 Merge: 1faccb6394998 f06c609645ecd Author: Linus Torvalds Date: Fri Apr 2 16:13:13 2021 -0700 Merge tag 'block-5.12-2021-04-02' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - Remove comment that never came to fruition in 22 years of development (Christoph) - Remove unused request flag (Christoph) - Fix for null_blk fake timeout handling (Damien) - Fix for IOCB_NOWAIT being ignored for O_DIRECT on raw bdevs (Pavel) - Error propagation fix for multiple split bios (Yufen) * tag 'block-5.12-2021-04-02' of git://git.kernel.dk/linux-block: block: remove the unused RQF_ALLOCED flag block: update a few comments in uapi/linux/blkpg.h block: don't ignore REQ_NOWAIT for direct IO null_blk: fix command timeout completion handling block: only update parent bi_status when bio fail commit 1faccb63949988e4cfdfba2e9d2c3476c6d690e5 Merge: 0a84c2e440f74 230d50d448acb Author: Linus Torvalds Date: Fri Apr 2 16:08:19 2021 -0700 Merge tag 'io_uring-5.12-2021-04-02' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "Nothing really major in here, and finally nothing really related to signals. A few minor fixups related to the threading changes, and some general fixes, that's it. There's the pending gdb-get-confused-about-arch, but that's more of a cosmetic issue, nothing that hinder use of it. And given that other archs will likely be affected by that oddity too, better to postpone any changes there until 5.13 imho" * tag 'io_uring-5.12-2021-04-02' of git://git.kernel.dk/linux-block: io_uring: move reissue into regular IO path io_uring: fix EIOCBQUEUED iter revert io_uring/io-wq: protect against sprintf overflow io_uring: don't mark S_ISBLK async work as unbounded io_uring: drop sqd lock before handling signals for SQPOLL io_uring: handle setup-failed ctx in kill_timeouts io_uring: always go for cancellation spin on exec commit 0a84c2e440f74cbb2064084cc7ff4f74f5565ba7 Merge: 9314a0e9c711b 91463ebff32d3 Author: Linus Torvalds Date: Fri Apr 2 15:34:17 2021 -0700 Merge tag 'acpi-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These fix an ACPI tables management issue, an issue related to the ACPI enumeration of devices and CPU wakeup in the ACPI processor driver. Specifics: - Ensure that the memory occupied by ACPI tables on x86 will always be reserved to prevent it from being allocated for other purposes which was possible in some cases (Rafael Wysocki). - Fix the ACPI device enumeration code to prevent it from attempting to evaluate the _STA control method for devices with unmet dependencies which is likely to fail (Hans de Goede). - Fix the handling of CPU0 wakeup in the ACPI processor driver to prevent CPU0 online failures from occurring (Vitaly Kuznetsov)" * tag 'acpi-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead() ACPI: scan: Fix _STA getting called on devices with unmet dependencies ACPI: tables: x86: Reserve memory occupied by ACPI tables commit 9314a0e9c711b0c092158ee9e0ed24d5ea25c90a Merge: 05de45383bd13 ac1790ad78f8f Author: Linus Torvalds Date: Fri Apr 2 15:17:08 2021 -0700 Merge tag 'pm-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix a race condition and an ordering issue related to using device links in the runtime PM framework and two kerneldoc comments in cpufreq. Specifics: - Fix race condition related to the handling of supplier devices during consumer device probe and fix the order of decrementation of two related reference counters in the runtime PM core code handling supplier devices (Adrian Hunter). - Fix kerneldoc comments in cpufreq that have not been updated along with the functions documented by them (Geert Uytterhoeven)" * tag 'pm-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM: runtime: Fix race getting/putting suppliers at probe PM: runtime: Fix ordering in pm_runtime_get_suppliers() cpufreq: Fix scaling_{available,boost}_frequencies_show() comments commit a14d273ba15968495896a38b7b3399dba66d0270 Author: Claudiu Beznea Date: Fri Apr 2 15:42:53 2021 +0300 net: macb: restore cmp registers on resume path Restore CMP screener registers on resume path. Fixes: c1e85c6ce57ef ("net: macb: save/restore the remaining registers and features") Signed-off-by: Claudiu Beznea Acked-by: Nicolas Ferre Signed-off-by: David S. Miller commit 990b03b05b2fba79de2a1ee9dc359fc552d95ba6 Author: Yunjian Wang Date: Thu Apr 1 12:52:48 2021 +0800 net: cls_api: Fix uninitialised struct field bo->unlocked_driver_cb The 'unlocked_driver_cb' struct field in 'bo' is not being initialized in tcf_block_offload_init(). The uninitialized 'unlocked_driver_cb' will be used when calling unlocked_driver_cb(). So initialize 'bo' to zero to avoid the issue. Addresses-Coverity: ("Uninitialized scalar variable") Fixes: 0fdcf78d5973 ("net: use flow_indr_dev_setup_offload()") Signed-off-by: Yunjian Wang Signed-off-by: David S. Miller commit a26c56ae67fa9fbb45a8a232dcd7ebaa7af16086 Author: Marek Behún Date: Sun Feb 21 00:11:44 2021 +0100 ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin Use the `marvell,reg-init` DT property to configure the LED[2]/INTn pin of the Marvell 88E1514 ethernet PHY on Turris Omnia into interrupt mode. Without this the pin is by default in LED[2] mode, and the Marvell PHY driver configures LED[2] into "On - Link, Blink - Activity" mode. This fixes the issue where the pca9538 GPIO/interrupt controller (which can't mask interrupts in HW) received too many interrupts and after a time started ignoring the interrupt with error message: IRQ 71: nobody cared There is a work in progress to have the Marvell PHY driver support parsing PHY LED nodes from OF and registering the LEDs as Linux LED class devices. Once this is done the PHY driver can also automatically set the pin into INTn mode if it does not find LED[2] in OF. Until then, though, we fix this via `marvell,reg-init` DT property. Signed-off-by: Marek Behún Reported-by: Rui Salvaterra Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") Cc: Uwe Kleine-König Cc: linux-arm-kernel@lists.infradead.org Cc: Andrew Lunn Cc: Gregory CLEMENT Cc: Tested-by: Rui Salvaterra Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT commit 5b2c7e0ae762fff2b172caf16b2766cc3e1ad859 Author: Rui Salvaterra Date: Wed Feb 17 15:30:38 2021 +0000 ARM: dts: turris-omnia: fix hardware buffer management Hardware buffer management has never worked on the Turris Omnia, as the required MBus window hadn't been reserved. Fix thusly. Fixes: 018b88eee1a2 ("ARM: dts: turris-omnia: enable HW buffer management") Signed-off-by: Rui Salvaterra Reviewed-by: Marek Behún Tested-by: Klaus Kudielka Signed-off-by: Gregory CLEMENT commit 967ff33eb0efcd48e4df11ab9aee51c41e0f44d0 Author: Gregory CLEMENT Date: Fri Apr 2 21:58:26 2021 +0200 Revert "arm64: dts: marvell: armada-cp110: Switch to per-port SATA interrupts" The driver part of this support was not merged which leads to break AHCI on all Marvell Armada 7k8k / CN913x platforms as it was reported by Marcin Wojtas. So for now let's remove it in order to fix the issue waiting for the driver part really be merged. This reverts commit 53e950d597e3578da84238b86424bfcc9e101d87. Fixes: 53e950d597e3 ("arm64: dts: marvell: armada-cp110: Switch to per-port SATA interrupts") Signed-off-by: Gregory CLEMENT commit 29684d802e4ab484c679859217c1588c199f1d4f Merge: 9256ce3311017 6dcc4e3838695 Author: David S. Miller Date: Fri Apr 2 11:00:46 2021 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Alexei Starovoitov says: ==================== pull-request: bpf 2021-04-01 The following pull-request contains BPF updates for your *net* tree. We've added 11 non-merge commits during the last 8 day(s) which contain a total of 10 files changed, 151 insertions(+), 26 deletions(-). The main changes are: 1) xsk creation fixes, from Ciara. 2) bpf_get_task_stack fix, from Dave. 3) trampoline in modules fix, from Jiri. 4) bpf_obj_get fix for links and progs, from Lorenz. 5) struct_ops progs must be gpl compatible fix, from Toke. ==================== Signed-off-by: David S. Miller commit f06c609645ecd043c79380fac94145926603fb33 Author: Christoph Hellwig Date: Fri Apr 2 19:17:46 2021 +0200 block: remove the unused RQF_ALLOCED flag Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe commit b9c6cdc37ee1fe5866d3b1c10efb9d03191a76af Author: Christoph Hellwig Date: Fri Apr 2 19:17:31 2021 +0200 block: update a few comments in uapi/linux/blkpg.h The big top of the file comment talk about grand plans that never happened, so remove them to not confuse the readers. Also mark the devname and volname fields as ignored as they were never used by the kernel. Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe commit d8f5f0ea5b86300390b026b6c6e7836b7150814a Author: Ondrej Mosnacek Date: Fri Apr 2 10:56:19 2021 +0200 selinux: fix cond_list corruption when changing booleans Currently, duplicate_policydb_cond_list() first copies the whole conditional avtab and then tries to link to the correct entries in cond_dup_av_list() using avtab_search(). However, since the conditional avtab may contain multiple entries with the same key, this approach often fails to find the right entry, potentially leading to wrong rules being activated/deactivated when booleans are changed. To fix this, instead start with an empty conditional avtab and add the individual entries one-by-one while building the new av_lists. This approach leads to the correct result, since each entry is present in the av_lists exactly once. The issue can be reproduced with Fedora policy as follows: # sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True # setsebool ftpd_anon_write=off ftpd_connect_all_unreserved=off ftpd_connect_db=off ftpd_full_access=off On fixed kernels, the sesearch output is the same after the setsebool command: # sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True allow ftpd_t public_content_rw_t:dir { add_name create link remove_name rename reparent rmdir setattr unlink watch watch_reads write }; [ ftpd_anon_write ]:True While on the broken kernels, it will be different: # sesearch -s ftpd_t -t public_content_rw_t -c dir -p create -A allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True allow ftpd_t non_security_file_type:dir { add_name create getattr ioctl link lock open read remove_name rename reparent rmdir search setattr unlink watch watch_reads write }; [ ftpd_full_access ]:True While there, also simplify the computation of nslots. This changes the nslots values for nrules 2 or 3 to just two slots instead of 4, which makes the sequence more consistent. Cc: stable@vger.kernel.org Fixes: c7c556f1e81b ("selinux: refactor changing booleans") Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore commit 442dc00f82a9727dc0c48c44f792c168f593c6df Author: Ondrej Mosnacek Date: Fri Apr 2 10:56:18 2021 +0200 selinux: make nslot handling in avtab more robust 1. Make sure all fileds are initialized in avtab_init(). 2. Slightly refactor avtab_alloc() to use the above fact. 3. Use h->nslot == 0 as a sentinel in the access functions to prevent dereferencing h->htable when it's not allocated. Cc: stable@vger.kernel.org Signed-off-by: Ondrej Mosnacek Signed-off-by: Paul Moore commit 05de45383bd134fcb2b7d70d35ebb0bb50b5e4aa Merge: 1678e493d530e 9deb193af69d3 Author: Linus Torvalds Date: Fri Apr 2 08:39:00 2021 -0700 Merge tag 'trace-v5.12-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fix from Steven Rostedt: "Fix stack trace entry size to stop showing garbage The macro that creates both the structure and the format displayed to user space for the stack trace event was changed a while ago to fix the parsing by user space tooling. But this change also modified the structure used to store the stack trace event. It changed the caller array field from [0] to [8]. Even though the size in the ring buffer is dynamic and can be something other than 8 (user space knows how to handle this), the 8 extra words was not accounted for when reserving the event on the ring buffer, and added 8 more entries, due to the calculation of "sizeof(*entry) + nr_entries * sizeof(long)", as the sizeof(*entry) now contains 8 entries. The size of the caller field needs to be subtracted from the size of the entry to create the correct allocation size" * tag 'trace-v5.12-rc5-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tracing: Fix stack trace event size commit 230d50d448acb6639991440913299e50cacf1daf Author: Jens Axboe Date: Thu Apr 1 20:41:15 2021 -0600 io_uring: move reissue into regular IO path It's non-obvious how retry is done for block backed files, when it happens off the kiocb done path. It also makes it tricky to deal with the iov_iter handling. Just mark the req as needing a reissue, and handling it from the submission path instead. This makes it directly obvious that we're not re-importing the iovec from userspace past the submit point, and it means that we can just reuse our usual -EAGAIN retry path from the read/write handling. At some point in the future, we'll gain the ability to always reliably return -EAGAIN through the stack. A previous attempt on the block side didn't pan out and got reverted, hence the need to check for this information out-of-band right now. Signed-off-by: Jens Axboe commit e7a48c710defa0e0fef54d42b7d9e4ab596e2761 Author: Alexander Shiyan Date: Fri Apr 2 11:14:05 2021 +0300 ASoC: fsl_esai: Fix TDM slot setup for I2S mode When using the driver in I2S TDM mode, the fsl_esai_startup() function rewrites the number of slots previously set by the fsl_esai_set_dai_tdm_slot() function to 2. To fix this, let's use the saved slot count value or, if TDM is not used and the number of slots is not set, the driver will use the default value (2), which is set by fsl_esai_probe(). Signed-off-by: Alexander Shiyan Acked-by: Nicolin Chen Link: https://lore.kernel.org/r/20210402081405.9892-1-shc_work@mail.ru Signed-off-by: Mark Brown commit 12aca1ce9ee33af3751aec5e55a5900747cbdd4b Author: Kalyan Thota Date: Fri Apr 2 04:54:53 2021 -0700 drm/msm/disp/dpu1: program 3d_merge only if block is attached Update the 3d merge as active in the data path only if the hw block is selected in the configuration. Reported-by: Stephen Boyd Fixes: 73bfb790ac78 ("msm:disp:dpu1: setup display datapath for SC7180 target") Signed-off-by: Kalyan Thota Message-Id: <1617364493-13518-1-git-send-email-kalyan_t@codeaurora.org> Signed-off-by: Rob Clark commit 6ddbfa1f5adbd5dea14ff66778ca58257f09f17d Author: Dmitry Baryshkov Date: Wed Mar 31 17:02:23 2021 +0300 drm/msm: a6xx: fix version check for the A650 SQE microcode I suppose the microcode version check for a650 is incorrect. It checks for the version 1.95, while the firmware released have major version of 0: 0.91 (vulnerable), 0.99 (fixing the issue). Lower version requirements to accept firmware 0.99. Fixes: 8490f02a3ca4 ("drm/msm: a6xx: Make sure the SQE microcode is safe") Cc: Akhil P Oommen Cc: Jordan Crouse Signed-off-by: Dmitry Baryshkov Acked-by: Jordan Crouse Message-Id: <20210331140223.3771449-1-dmitry.baryshkov@linaro.org> Signed-off-by: Rob Clark commit 9fbd3088351b92e8c2cef6e37a39decb12a8d5bb Author: Rob Clark Date: Wed Mar 24 18:23:52 2021 -0700 drm/msm: Fix a5xx/a6xx timestamps They were reading a counter that was configured to ALWAYS_COUNT (ie. cycles that the GPU is doing something) rather than ALWAYS_ON. This isn't the thing that userspace is looking for. Signed-off-by: Rob Clark Acked-by: Jordan Crouse Message-Id: <20210325012358.1759770-2-robdclark@gmail.com> Signed-off-by: Rob Clark commit 91463ebff32d3e6fc71134784ae6aa91402bfe3d Merge: 8cdddd182bd7b 1a1c130ab7575 3e759425cc3cf Author: Rafael J. Wysocki Date: Fri Apr 2 16:57:56 2021 +0200 Merge branches 'acpi-tables' and 'acpi-scan' * acpi-tables: ACPI: tables: x86: Reserve memory occupied by ACPI tables * acpi-scan: ACPI: scan: Fix _STA getting called on devices with unmet dependencies commit ac1790ad78f8f0cf9a588ffb530c700ad758e8b6 Merge: 9dfacc54a8661 a95d8f581901c Author: Rafael J. Wysocki Date: Fri Apr 2 16:45:58 2021 +0200 Merge branch 'pm-cpufreq' * pm-cpufreq: cpufreq: Fix scaling_{available,boost}_frequencies_show() comments commit f8b78caf21d5bc3fcfc40c18898f9d52ed1451a5 Author: Pavel Begunkov Date: Fri Nov 20 17:10:28 2020 +0000 block: don't ignore REQ_NOWAIT for direct IO If IOCB_NOWAIT is set on submission, then that needs to get propagated to REQ_NOWAIT on the block side. Otherwise we completely lose this information, and any issuer of IOCB_NOWAIT IO will potentially end up blocking on eg request allocation on the storage side. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 9b5b872215fe6d1ca6a1ef411f130bd58e269012 Author: Christian Brauner Date: Fri Apr 2 10:29:36 2021 +0200 file: fix close_range() for unshare+cloexec syzbot reported a bug when putting the last reference to a tasks file descriptor table. Debugging this showed we didn't recalculate the current maximum fd number for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC after we unshared the file descriptors table. So max_fd could exceed the current fdtable maximum causing us to set excessive bits. As a concrete example, let's say the user requested everything from fd 4 to ~0UL to be closed and their current fdtable size is 256 with their highest open fd being 4. With CLOSE_RANGE_UNSHARE the caller will end up with a new fdtable which has room for 64 file descriptors since that is the lowest fdtable size we accept. But now max_fd will still point to 255 and needs to be adjusted. Fix this by retrieving the correct maximum fd value in __range_cloexec(). Reported-by: syzbot+283ce5a46486d6acdbaf@syzkaller.appspotmail.com Fixes: 582f1fb6b721 ("fs, close_range: add flag CLOSE_RANGE_CLOEXEC") Fixes: fec8a6a69103 ("close_range: unshare all fds for CLOSE_RANGE_UNSHARE | CLOSE_RANGE_CLOEXEC") Cc: Christoph Hellwig Cc: Giuseppe Scrivano Cc: Al Viro Cc: linux-fsdevel@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Christian Brauner commit 1adbc2941eee8acbe3c7dc6b51cdbc5a9bf19565 Author: Kefeng Wang Date: Tue Mar 30 21:25:31 2021 +0800 riscv: Make NUMA depend on MMU NUMA is useless when NOMMU, and it leads some build error, make it depend on MMU. Reported-by: kernel test robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 9d8c7d92015ece9a2139a259cef781a41845d2c0 Author: Yang Li Date: Mon Mar 22 16:38:36 2021 +0800 riscv: remove unneeded semicolon Eliminate the following coccicheck warning: ./arch/riscv/mm/kasan_init.c:219:2-3: Unneeded semicolon Reported-by: Abaci Robot Signed-off-by: Yang Li Signed-off-by: Palmer Dabbelt commit ac8d0b901f0033b783156ab2dc1a0e73ec42409b Author: Zihao Yu Date: Wed Mar 17 16:17:25 2021 +0800 riscv,entry: fix misaligned base for excp_vect_table In RV64, the size of each entry in excp_vect_table is 8 bytes. If the base of the table is not 8-byte aligned, loading an entry in the table will raise a misaligned exception. Although such exception will be handled by opensbi/bbl, this still causes performance degradation. Signed-off-by: Zihao Yu Reviewed-by: Anup Patel Signed-off-by: Palmer Dabbelt commit 285a76bb2cf51b0c74c634f2aaccdb93e1f2a359 Author: Ben Dooks Date: Mon Mar 29 10:57:49 2021 +0100 riscv: evaluate put_user() arg before enabling user access The header has a problem with put_user(a, ptr) if the 'a' is not a simple variable, such as a function. This can lead to the compiler producing code as so: 1: enable_user_access() 2: evaluate 'a' into register 'r' 3: put 'r' to 'ptr' 4: disable_user_acess() The issue is that 'a' is now being evaluated with the user memory protections disabled. So we try and force the evaulation by assigning 'x' to __val at the start, and hoping the compiler barriers in enable_user_access() do the job of ordering step 2 before step 1. This has shown up in a bug where 'a' sleeps and thus schedules out and loses the SR_SUM flag. This isn't sufficient to fully fix, but should reduce the window of opportunity. The first instance of this we found is in scheudle_tail() where the code does: $ less -N kernel/sched/core.c 4263 if (current->set_child_tid) 4264 put_user(task_pid_vnr(current), current->set_child_tid); Here, the task_pid_vnr(current) is called within the block that has enabled the user memory access. This can be made worse with KASAN which makes task_pid_vnr() a rather large call with plenty of opportunity to sleep. Signed-off-by: Ben Dooks Reported-by: syzbot+e74b94fe601ab9552d69@syzkaller.appspotmail.com Suggested-by: Arnd Bergman -- Changes since v1: - fixed formatting and updated the patch description with more info Changes since v2: - fixed commenting on __put_user() (schwab@linux-m68k.org) Change since v3: - fixed RFC in patch title. Should be ready to merge. Signed-off-by: Palmer Dabbelt commit 23c1075ae83adaf14ea3f727c40368799f80bccc Author: Kefeng Wang Date: Wed Mar 17 23:08:38 2021 +0800 riscv: Drop const annotation for sp The const annotation should not be used for 'sp', or it will become read only and lead to bad stack output. Fixes: dec822771b01 ("riscv: stacktrace: Move register keyword to beginning of declaration") Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 4b42d557a8add52b9a9924fb31e40a218aab7801 Author: Can Guo Date: Thu Apr 1 00:39:09 2021 -0700 scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs In __ufshcd_issue_tm_cmd(), it is not correct to use hba->nutrs + req->tag as the Task Tag in a TMR UPIU. Directly use req->tag as the Task Tag. Fixes: e293313262d3 ("scsi: ufs: Fix broken task management command implementation") Link: https://lore.kernel.org/r/1617262750-4864-3-git-send-email-cang@codeaurora.org Reviewed-by: Bart Van Assche Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen commit 1235fc569e0bf541ddda0a1224d4c6fa6d914890 Author: Can Guo Date: Thu Apr 1 00:39:08 2021 -0700 scsi: ufs: core: Fix task management request completion timeout ufshcd_tmc_handler() calls blk_mq_tagset_busy_iter(fn = ufshcd_compl_tm()), but since blk_mq_tagset_busy_iter() only iterates over all reserved tags and requests which are not in IDLE state, ufshcd_compl_tm() never gets a chance to run. Thus, TMR always ends up with completion timeout. Fix it by calling blk_mq_start_request() in __ufshcd_issue_tm_cmd(). Link: https://lore.kernel.org/r/1617262750-4864-2-git-send-email-cang@codeaurora.org Fixes: 69a6c269c097 ("scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs") Reviewed-by: Bart Van Assche Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen commit e01a00ff62adca8ec464f3c8d82cfa0e8d8728dd Author: Sergei Trofimovich Date: Tue Mar 30 08:19:58 2021 +0100 scsi: hpsa: Add an assert to prevent __packed reintroduction Link: https://lore.kernel.org/r/20210330071958.3788214-3-slyfox@gentoo.org Fixes: f749d8b7a989 ("scsi: hpsa: Correct dev cmds outstanding for retried cmds") CC: linux-ia64@vger.kernel.org CC: storagedev@microchip.com CC: linux-scsi@vger.kernel.org CC: Joe Szczypek CC: Scott Benesh CC: Scott Teel CC: Tomas Henzl CC: "Martin K. Petersen" CC: Don Brace Reported-by: John Paul Adrian Glaubitz Suggested-by: Don Brace Reviewed-by: Arnd Bergmann Signed-off-by: Sergei Trofimovich Signed-off-by: Martin K. Petersen commit 02ec144292bc424a5800d45d4cb472c66e97c520 Author: Sergei Trofimovich Date: Tue Mar 30 08:19:57 2021 +0100 scsi: hpsa: Fix boot on ia64 (atomic_t alignment) Boot failure was observed on an HP rx3600 ia64 machine with RAID bus controller: Hewlett-Packard Company Smart Array P600: kernel unaligned access to 0xe000000105dd8b95, ip=0xa000000100b87551 kernel unaligned access to 0xe000000105dd8e95, ip=0xa000000100b87551 hpsa 0000:14:01.0: Controller reports max supported commands of 0 Using 16 instead. Ensure that firmware is up to date. swapper/0[1]: error during unaligned kernel access The unaligned access comes from 'struct CommandList' that happens to be packed. Commit f749d8b7a989 ("scsi: hpsa: Correct dev cmds outstanding for retried cmds") introduced unexpected padding and unaligned atomic_t from natural alignment to something else. This change removes packing annotation from a struct not intended to be sent to controller as is. This restores natural `atomic_t` alignment. The change was tested on the same rx3600 machine. Link: https://lore.kernel.org/r/20210330071958.3788214-2-slyfox@gentoo.org Fixes: f749d8b7a989 ("scsi: hpsa: Correct dev cmds outstanding for retried cmds") CC: linux-ia64@vger.kernel.org CC: linux-kernel@vger.kernel.org CC: storagedev@microchip.com CC: linux-scsi@vger.kernel.org CC: Joe Szczypek CC: Scott Benesh CC: Scott Teel CC: Tomas Henzl CC: "Martin K. Petersen" CC: Don Brace Reported-by: John Paul Adrian Glaubitz Suggested-by: Don Brace Reviewed-by: Arnd Bergmann Signed-off-by: Sergei Trofimovich Signed-off-by: Martin K. Petersen commit 5482a9a1a8fd23fbb57afc6d409e12713aa93fa5 Author: Sergei Trofimovich Date: Tue Mar 30 08:19:56 2021 +0100 scsi: hpsa: Use __packed on individual structs, not header-wide The hpsa driver uses data structures which contain a combination of driver internals and commands sent directly to the hardware. To manage alignment for the hardware portions the driver used #pragma pack(1). Commit f749d8b7a989 ("scsi: hpsa: Correct dev cmds outstanding for retried cmds") switched an existing variable from int to bool. Due to the pragma an atomic_t in the same data structure ended up being misaligned and broke boot on ia64. Add __packed to every struct and union in the header file. Subsequent commits will address the actual atomic_t misalignment regression. The commit is a no-op at least on ia64: $ diff -u <(objdump -d -r old.o) <(objdump -d -r new.o) Link: https://lore.kernel.org/r/20210330071958.3788214-1-slyfox@gentoo.org Fixes: f749d8b7a989 ("scsi: hpsa: Correct dev cmds outstanding for retried cmds") CC: linux-ia64@vger.kernel.org CC: storagedev@microchip.com CC: linux-scsi@vger.kernel.org CC: Joe Szczypek CC: Scott Benesh CC: Scott Teel CC: Tomas Henzl CC: "Martin K. Petersen" CC: Don Brace Reported-by: John Paul Adrian Glaubitz Suggested-by: Don Brace Reviewed-by: Arnd Bergmann Signed-off-by: Sergei Trofimovich Signed-off-by: Martin K. Petersen commit 1678e493d530e7977cce34e59a86bb86f3c5631e Merge: 6905b1dc3c32a 6a3193cdd5e5b Author: Linus Torvalds Date: Thu Apr 1 17:57:43 2021 -0700 Merge tag 'lto-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull LTO fix from Kees Cook: "It seems that there is a bug in ld.bfd when doing module section merging. As explicit merging is only needed for LTO, the work-around is to only do it under LTO, leaving the original section layout choices alone under normal builds: - Only perform explicit module section merges under LTO (Sean Christopherson)" * tag 'lto-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG is enabled commit 9256ce33110174decc04caf6ef733409012e5b1c Merge: efd2e92dd2fba c3214de929dbf Author: David S. Miller Date: Thu Apr 1 16:04:50 2021 -0700 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2021-04-01 This series contains updates to i40e driver only. Arkadiusz fixes warnings for inconsistent indentation. Magnus fixes an issue on xsk receive where single packets over time are batched rather than received immediately. Eryk corrects warnings and reporting of veb-stats. ==================== Signed-off-by: David S. Miller commit efd2e92dd2fba35802fefffa776cf9151270d41d Merge: a0b96b4a62745 0a3cc57978d1d Author: David S. Miller Date: Thu Apr 1 16:02:51 2021 -0700 Merge branch 'mptcp-deadlock' Paolo Abeni says: ==================== mptcp: mptcp: fix deadlock in mptcp{,6}_release syzkaller has reported a few deadlock triggered by mptcp{,6}_release. These patches address the issue in the easy way - blocking the relevant, multicast related, sockopt options on MPTCP sockets. Note that later on net-next we are going to revert patch 1/2, as a part of a larger MPTCP sockopt implementation refactor ==================== Signed-off-by: David S. Miller commit 0a3cc57978d1d1448312f8973bd84dca4a71433a Author: Paolo Abeni Date: Thu Apr 1 18:57:45 2021 +0200 mptcp: revert "mptcp: provide subflow aware release function" This change reverts commit ad98dd37051e ("mptcp: provide subflow aware release function"). The latter introduced a deadlock spotted by syzkaller and is not needed anymore after the previous commit. Fixes: ad98dd37051e ("mptcp: provide subflow aware release function") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit 86581852d7710990d8af9dadfe9a661f0abf2114 Author: Paolo Abeni Date: Thu Apr 1 18:57:44 2021 +0200 mptcp: forbit mcast-related sockopt on MPTCP sockets Unrolling mcast state at msk dismantel time is bug prone, as syzkaller reported: ====================================================== WARNING: possible circular locking dependency detected 5.11.0-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor905/8822 is trying to acquire lock: ffffffff8d678fe8 (rtnl_mutex){+.+.}-{3:3}, at: ipv6_sock_mc_close+0xd7/0x110 net/ipv6/mcast.c:323 but task is already holding lock: ffff888024390120 (sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1600 [inline] ffff888024390120 (sk_lock-AF_INET6){+.+.}-{0:0}, at: mptcp6_release+0x57/0x130 net/mptcp/protocol.c:3507 which lock already depends on the new lock. Instead we can simply forbit any mcast-related setsockopt Fixes: 717e79c867ca5 ("mptcp: Add setsockopt()/getsockopt() socket operations") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit a0b96b4a62745397aee662670cfc2157bac03f55 Author: Pavel Skripkin Date: Thu Apr 1 16:27:52 2021 +0300 drivers: net: fix memory leak in peak_usb_create_dev syzbot reported memory leak in peak_usb. The problem was in case of failure after calling ->dev_init()[2] in peak_usb_create_dev()[1]. The data allocated int dev_init() wasn't freed, so simple ->dev_free() call fix this problem. backtrace: [<0000000079d6542a>] kmalloc include/linux/slab.h:552 [inline] [<0000000079d6542a>] kzalloc include/linux/slab.h:682 [inline] [<0000000079d6542a>] pcan_usb_fd_init+0x156/0x210 drivers/net/can/usb/peak_usb/pcan_usb_fd.c:868 [2] [<00000000c09f9057>] peak_usb_create_dev drivers/net/can/usb/peak_usb/pcan_usb_core.c:851 [inline] [1] [<00000000c09f9057>] peak_usb_probe+0x389/0x490 drivers/net/can/usb/peak_usb/pcan_usb_core.c:949 Reported-by: syzbot+91adee8d9ebb9193d22d@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller commit 98184612aca0a9ee42b8eb0262a49900ee9eef0d Author: Norman Maurer Date: Thu Apr 1 08:59:17 2021 +0200 net: udp: Add support for getsockopt(..., ..., UDP_GRO, ..., ...); Support for UDP_GRO was added in the past but the implementation for getsockopt was missed which did lead to an error when we tried to retrieve the setting for UDP_GRO. This patch adds the missing switch case for UDP_GRO Fixes: e20cf8d3f1f7 ("udp: implement GRO for plain UDP sockets.") Signed-off-by: Norman Maurer Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 6b9fbe16955152626557ec6f439f3407b7769941 Author: Pavel Skripkin Date: Thu Apr 1 07:46:24 2021 +0300 drivers: net: fix memory leak in atusb_probe syzbot reported memory leak in atusb_probe()[1]. The problem was in atusb_alloc_urbs(). Since urb is anchored, we need to release the reference to correctly free the urb backtrace: [] kmalloc include/linux/slab.h:559 [inline] [] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74 [] atusb_alloc_urbs drivers/net/ieee802154/atusb.c:362 [inline][2] [] atusb_probe+0x158/0x820 drivers/net/ieee802154/atusb.c:1038 [1] Reported-by: syzbot+28a246747e0a465127f3@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller commit 6dcc4e38386950abf9060784631622dfc4df9577 Merge: d37300ed18213 ca7a83e2487ad Author: Alexei Starovoitov Date: Thu Apr 1 14:45:44 2021 -0700 Merge branch 'AF_XDP Socket Creation Fixes' Ciara Loftus says: ==================== This series fixes some issues around socket creation for AF_XDP. Patch 1 fixes a potential NULL pointer dereference in xsk_socket__create_shared. Patch 2 ensures that the umem passed to xsk_socket__create(_shared) remains unchanged in event of failure. Patch 3 makes it possible for xsk_socket__create(_shared) to succeed even if the rx and tx XDP rings have already been set up by introducing a new fields to struct xsk_umem which represent the ring setup status for the xsk which shares the fd with the umem. v3->v4: * Reduced nesting in xsk_put_ctx as suggested by Alexei. * Use bools instead of a u8 and flags to represent the ring setup status as suggested by Björn. v2->v3: * Instead of ignoring the return values of the setsockopt calls, introduce a new flag to determine whether or not to call them based on the ring setup status as suggested by Alexei. v1->v2: * Simplified restoring the _save pointers as suggested by Magnus. * Fixed the condition which determines whether to unmap umem rings when socket create fails. ==================== Acked-by: Björn Töpel Signed-off-by: Alexei Starovoitov commit ca7a83e2487ad0bc9a3e0e7a8645354aa1782f13 Author: Ciara Loftus Date: Wed Mar 31 06:12:18 2021 +0000 libbpf: Only create rx and tx XDP rings when necessary Prior to this commit xsk_socket__create(_shared) always attempted to create the rx and tx rings for the socket. However this causes an issue when the socket being setup is that which shares the fd with the UMEM. If a previous call to this function failed with this socket after the rings were set up, a subsequent call would always fail because the rings are not torn down after the first call and when we try to set them up again we encounter an error because they already exist. Solve this by remembering whether the rings were set up by introducing new bools to struct xsk_umem which represent the ring setup status and using them to determine whether or not to set up the rings. Fixes: 1cad07884239 ("libbpf: add support for using AF_XDP sockets") Signed-off-by: Ciara Loftus Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210331061218.1647-4-ciara.loftus@intel.com commit 43f1bc1efff16f553dd573d02eb7a15750925568 Author: Ciara Loftus Date: Wed Mar 31 06:12:17 2021 +0000 libbpf: Restore umem state after socket create failure If the call to xsk_socket__create fails, the user may want to retry the socket creation using the same umem. Ensure that the umem is in the same state on exit if the call fails by: 1. ensuring the umem _save pointers are unmodified. 2. not unmapping the set of umem rings that were set up with the umem during xsk_umem__create, since those maps existed before the call to xsk_socket__create and should remain in tact even in the event of failure. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Ciara Loftus Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210331061218.1647-3-ciara.loftus@intel.com commit df662016310aa4475d7986fd726af45c8fe4f362 Author: Ciara Loftus Date: Wed Mar 31 06:12:16 2021 +0000 libbpf: Ensure umem pointer is non-NULL before dereferencing Calls to xsk_socket__create dereference the umem to access the fill_save and comp_save pointers. Make sure the umem is non-NULL before doing this. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Ciara Loftus Signed-off-by: Alexei Starovoitov Acked-by: Magnus Karlsson Link: https://lore.kernel.org/bpf/20210331061218.1647-2-ciara.loftus@intel.com commit d37300ed182131f1757895a62e556332857417e5 Author: Lorenz Bauer Date: Fri Mar 26 16:05:01 2021 +0000 bpf: program: Refuse non-O_RDWR flags in BPF_OBJ_GET As for bpf_link, refuse creating a non-O_RDWR fd. Since program fds currently don't allow modifications this is a precaution, not a straight up bug fix. Signed-off-by: Lorenz Bauer Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Acked-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210326160501.46234-2-lmb@cloudflare.com commit 25fc94b2f02d832fa8e29419699dcc20b0b05c6a Author: Lorenz Bauer Date: Fri Mar 26 16:05:00 2021 +0000 bpf: link: Refuse non-O_RDWR flags in BPF_OBJ_GET Invoking BPF_OBJ_GET on a pinned bpf_link checks the path access permissions based on file_flags, but the returned fd ignores flags. This means that any user can acquire a "read-write" fd for a pinned link with mode 0664 by invoking BPF_OBJ_GET with BPF_F_RDONLY in file_flags. The fd can be used to invoke BPF_LINK_DETACH, etc. Fix this by refusing non-O_RDWR flags in BPF_OBJ_GET. This works because OBJ_GET by default returns a read write mapping and libbpf doesn't expose a way to override this behaviour for programs and links. Fixes: 70ed506c3bbc ("bpf: Introduce pinnable bpf_link abstraction") Signed-off-by: Lorenz Bauer Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Acked-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210326160501.46234-1-lmb@cloudflare.com commit 2b0b219e5ff8bcc673d3a2cb6f327b3c62c5637d Author: John Stultz Date: Tue Mar 30 01:34:08 2021 +0000 drm/msm: Fix removal of valid error case when checking speed_bin Commit 7bf168c8fe8c ("drm/msm: Fix speed-bin support not to access outside valid memory"), reworked the nvmem reading of "speed_bin", but in doing so dropped handling of the -ENOENT case which was previously documented as "fine". That change resulted in the db845c board display to fail to start, with the following error: adreno 5000000.gpu: [drm:a6xx_gpu_init] *ERROR* failed to read speed-bin (-2). Some OPPs may not be supported by hardware Thus, this patch simply re-adds the ENOENT handling so the lack of the speed_bin entry isn't fatal for display, and gets things working on db845c. Cc: Rob Clark Cc: Sean Paul Cc: Jordan Crouse Cc: Eric Anholt Cc: Douglas Anderson Cc: linux-arm-msm@vger.kernel.org Cc: freedreno@lists.freedesktop.org Cc: Bjorn Andersson Cc: YongQin Liu Reported-by: YongQin Liu Fixes: 7bf168c8fe8c ("drm/msm: Fix speed-bin support not to access outside valid memory") Signed-off-by: John Stultz Reviewed-by: Akhil P Oommen Reviewed-by: Douglas Anderson Message-Id: <20210330013408.2532048-1-john.stultz@linaro.org> Signed-off-by: Rob Clark commit 5620b135aea49a8f41c86aaecfcb1598a7774121 Author: Stephen Boyd Date: Thu Mar 25 14:28:22 2021 -0700 drm/msm: Set drvdata to NULL when msm_drm_init() fails We should set the platform device's driver data to NULL here so that code doesn't assume the struct drm_device pointer is valid when it could have been destroyed. The lifetime of this pointer is managed by a kref but when msm_drm_init() fails we call drm_dev_put() on the pointer which will free the pointer's memory. This driver uses the component model, so there's sort of two "probes" in this file, one for the platform device i.e. msm_pdev_probe() and one for the component i.e. msm_drm_bind(). The msm_drm_bind() code is using the platform device's driver data to store struct drm_device so the two functions are intertwined. This relationship becomes a problem for msm_pdev_shutdown() when it tests the NULL-ness of the pointer to see if it should call drm_atomic_helper_shutdown(). The NULL test is a proxy check for if the pointer has been freed by kref_put(). If the drm_device has been destroyed, then we shouldn't call the shutdown helper, and we know that is the case if msm_drm_init() failed, therefore set the driver data to NULL so that this pointer liveness is tracked properly. Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver") Cc: Dmitry Baryshkov Cc: Fabio Estevam Cc: Krishna Manikandan Signed-off-by: Stephen Boyd Message-Id: <20210325212822.3663144-1-swboyd@chromium.org> Signed-off-by: Rob Clark commit 6a3193cdd5e5b96ac65f04ee42555c216da332af Author: Sean Christopherson Date: Mon Mar 22 16:44:38 2021 -0700 kbuild: lto: Merge module sections if and only if CONFIG_LTO_CLANG is enabled Merge module sections only when using Clang LTO. With ld.bfd, merging sections does not appear to update the symbol tables for the module, e.g. 'readelf -s' shows the value that a symbol would have had, if sections were not merged. ld.lld does not show this problem. The stale symbol table breaks gdb's function disassembler, and presumably other things, e.g. gdb -batch -ex "file arch/x86/kvm/kvm.ko" -ex "disassemble kvm_init" reads the wrong bytes and dumps garbage. Fixes: dd2776222abb ("kbuild: lto: merge module sections") Cc: Nick Desaulniers Signed-off-by: Sean Christopherson Reviewed-by: Sami Tolvanen Tested-by: Sami Tolvanen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20210322234438.502582-1-seanjc@google.com commit 06ab134ce8ecfa5a69e850f88f81c8a4c3fa91df Author: Dave Marchevsky Date: Wed Mar 31 17:07:47 2021 -0700 bpf: Refcount task stack in bpf_get_task_stack On x86 the struct pt_regs * grabbed by task_pt_regs() points to an offset of task->stack. The pt_regs are later dereferenced in __bpf_get_stack (e.g. by user_mode() check). This can cause a fault if the task in question exits while bpf_get_task_stack is executing, as warned by task_stack_page's comment: * When accessing the stack of a non-current task that might exit, use * try_get_task_stack() instead. task_stack_page will return a pointer * that could get freed out from under you. Taking the comment's advice and using try_get_task_stack() and put_task_stack() to hold task->stack refcount, or bail early if it's already 0. Incrementing stack_refcount will ensure the task's stack sticks around while we're using its data. I noticed this bug while testing a bpf task iter similar to bpf_iter_task_stack in selftests, except mine grabbed user stack, and getting intermittent crashes, which resulted in dumps like: BUG: unable to handle page fault for address: 0000000000003fe0 \#PF: supervisor read access in kernel mode \#PF: error_code(0x0000) - not-present page RIP: 0010:__bpf_get_stack+0xd0/0x230 Call Trace: bpf_prog_0a2be35c092cb190_get_task_stacks+0x5d/0x3ec bpf_iter_run_prog+0x24/0x81 __task_seq_show+0x58/0x80 bpf_seq_read+0xf7/0x3d0 vfs_read+0x91/0x140 ksys_read+0x59/0xd0 do_syscall_64+0x48/0x120 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: fa28dcb82a38 ("bpf: Introduce helper bpf_get_task_stack()") Signed-off-by: Dave Marchevsky Signed-off-by: Alexei Starovoitov Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20210401000747.3648767-1-davemarchevsky@fb.com commit 6905b1dc3c32a094f0da61bd656a740f0a97d592 Merge: a80314c327a93 55626ca9c6909 Author: Linus Torvalds Date: Thu Apr 1 12:42:55 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "It's a bit larger than I (and probably you) would like by the time we get to -rc6, but perhaps not entirely unexpected since the changes in the last merge window were larger than usual. x86: - Fixes for missing TLB flushes with TDP MMU - Fixes for race conditions in nested SVM - Fixes for lockdep splat with Xen emulation - Fix for kvmclock underflow - Fix srcdir != builddir builds - Other small cleanups ARM: - Fix GICv3 MMIO compatibility probing - Prevent guests from using the ARMv8.4 self-hosted tracing extension" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: selftests: kvm: Check that TSC page value is small after KVM_SET_CLOCK(0) KVM: x86: Prevent 'hv_clock->system_time' from going negative in kvm_guest_time_update() KVM: x86: disable interrupts while pvclock_gtod_sync_lock is taken KVM: x86: reduce pvclock_gtod_sync_lock critical sections KVM: SVM: ensure that EFER.SVME is set when running nested guest or on nested vmexit KVM: SVM: load control fields from VMCB12 before checking them KVM: x86/mmu: Don't allow TDP MMU to yield when recovering NX pages KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping KVM: x86/mmu: Ensure TLBs are flushed when yielding during GFN range zap KVM: make: Fix out-of-source module builds selftests: kvm: make hardware_disable_test less verbose KVM: x86/vPMU: Forbid writing to MSR_F15H_PERF MSRs when guest doesn't have X86_FEATURE_PERFCTR_CORE KVM: x86: remove unused declaration of kvm_write_tsc() KVM: clean up the unused argument tools/kvm_stat: Add restart delay KVM: arm64: Fix CPU interface MMIO compatibility detection KVM: arm64: Disable guest access to trace filter controls KVM: arm64: Hide system instruction access to Trace registers commit a80314c327a937ff1213288adf0d11414c40a898 Merge: ffd9fb546d498 6fdb8e5aba6a3 Author: Linus Torvalds Date: Thu Apr 1 12:19:03 2021 -0700 Merge tag 'drm-fixes-2021-04-02' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Things have settled down in time for Easter, a random smattering of small fixes across a few drivers. I'm guessing though there might be some i915 and misc fixes out there I haven't gotten yet, but since today is a public holiday here, I'm sending this early so I can have the day off, I'll see if more requests come in and decide what to do with them later. amdgpu: - Polaris idle power fix - VM fix - Vangogh S3 fix - Fixes for non-4K page sizes amdkfd: - dqm fence memory corruption fix tegra: - lockdep warning fix - runtine PM reference fix - display controller fix - PLL Fix imx: - memory leak in error path fix - LDB driver channel registration fix - oob array warning in LDB driver exynos - unused header file removal" * tag 'drm-fixes-2021-04-02' of git://anongit.freedesktop.org/drm/drm: drm/amdgpu: check alignment on CPU page for bo map drm/amdgpu: Set a suitable dev_info.gart_page_size drm/amdgpu/vangogh: don't check for dpm in is_dpm_running when in suspend drm/amdkfd: dqm fence memory corruption drm/tegra: sor: Grab runtime PM reference across reset drm/tegra: dc: Restore coupling of display controllers gpu: host1x: Use different lock classes for each client drm/tegra: dc: Don't set PLL clock to 0Hz drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() drm/amd/pm: no need to force MCLK to highest when no display connected drm/exynos/decon5433: Remove the unused include statements drm/imx: imx-ldb: fix out of bounds array access warning drm/imx: imx-ldb: Register LDB channel1 when it is the only channel to be used drm/imx: fix memory leak when fails to init commit 6fdb8e5aba6a33fe5f1a0bd1bcf0cf2884437ead Merge: a0497251f2b05 33ce7f2f95cab Author: Dave Airlie Date: Fri Apr 2 04:52:45 2021 +1000 Merge tag 'imx-drm-fixes-2021-04-01' of git://git.pengutronix.de/git/pza/linux into drm-fixes drm/imx: imx-drm-core and imx-ldb fixes Fix a memory leak in an error path during DRM device initialization, fix the LDB driver to register channel 1 even if channel 0 is unused, and fix an out of bounds array access warning in the LDB driver. Signed-off-by: Dave Airlie From: Philipp Zabel Link: https://patchwork.freedesktop.org/patch/msgid/20210401092235.GA13586@pengutronix.de commit a0497251f2b055a137d62ed065286ba999647b3c Merge: dcdb7aa452ef9 ac097aecfef0b Author: Dave Airlie Date: Fri Apr 2 04:44:28 2021 +1000 Merge tag 'drm/tegra/for-5.12-rc6' of ssh://git.freedesktop.org/git/tegra/linux into drm-fixes drm/tegra: Fixes for v5.12-rc6 This contains a couple of fixes for various issues such as lockdep warnings, runtime PM references, coupled display controllers and misconfigured PLLs. Signed-off-by: Dave Airlie From: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20210401163352.3348296-1-thierry.reding@gmail.com commit 7582207b1059129e59eb92026fca2cfc088a74fc Author: Md Haris Iqbal Date: Thu Mar 25 16:32:57 2021 +0100 RDMA/rtrs-clt: Close rtrs client conn before destroying rtrs clt session files KASAN detected the following BUG: BUG: KASAN: use-after-free in rtrs_clt_update_wc_stats+0x41/0x100 [rtrs_client] Read of size 8 at addr ffff88bf2fb4adc0 by task swapper/0/0 CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 5.4.84-pserver #5.4.84-1+feature+linux+5.4.y+dbg+20201216.1319+b6b887b~deb10 Hardware name: Supermicro H8QG6/H8QG6, BIOS 3.00 09/04/2012 Call Trace: dump_stack+0x96/0xe0 print_address_description.constprop.4+0x1f/0x300 ? irq_work_claim+0x2e/0x50 __kasan_report.cold.8+0x78/0x92 ? rtrs_clt_update_wc_stats+0x41/0x100 [rtrs_client] kasan_report+0x10/0x20 rtrs_clt_update_wc_stats+0x41/0x100 [rtrs_client] rtrs_clt_rdma_done+0xb1/0x760 [rtrs_client] ? lockdep_hardirqs_on+0x1a8/0x290 ? process_io_rsp+0xb0/0xb0 [rtrs_client] ? mlx4_ib_destroy_cq+0x100/0x100 [mlx4_ib] ? add_interrupt_randomness+0x1a2/0x340 __ib_process_cq+0x97/0x100 [ib_core] ib_poll_handler+0x41/0xb0 [ib_core] irq_poll_softirq+0xe0/0x260 __do_softirq+0x127/0x672 irq_exit+0xd1/0xe0 do_IRQ+0xa3/0x1d0 common_interrupt+0xf/0xf RIP: 0010:cpuidle_enter_state+0xea/0x780 Code: 31 ff e8 99 48 47 ff 80 7c 24 08 00 74 12 9c 58 f6 c4 02 0f 85 53 05 00 00 31 ff e8 b0 6f 53 ff e8 ab 4f 5e ff fb 8b 44 24 04 <85> c0 0f 89 f3 01 00 00 48 8d 7b 14 e8 65 1e 77 ff c7 43 14 00 00 RSP: 0018:ffffffffab007d58 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffca RAX: 0000000000000002 RBX: ffff88b803d69800 RCX: ffffffffa91a8298 RDX: 0000000000000007 RSI: dffffc0000000000 RDI: ffffffffab021414 RBP: ffffffffab6329e0 R08: 0000000000000002 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000002 R13: 000000bf39d82466 R14: ffffffffab632aa0 R15: ffffffffab632ae0 ? lockdep_hardirqs_on+0x1a8/0x290 ? cpuidle_enter_state+0xe5/0x780 cpuidle_enter+0x3c/0x60 do_idle+0x2fb/0x390 ? arch_cpu_idle_exit+0x40/0x40 ? schedule+0x94/0x120 cpu_startup_entry+0x19/0x1b start_kernel+0x5da/0x61b ? thread_stack_cache_init+0x6/0x6 ? load_ucode_amd_bsp+0x6f/0xc4 ? init_amd_microcode+0xa6/0xa6 ? x86_family+0x5/0x20 ? load_ucode_bsp+0x182/0x1fd secondary_startup_64+0xa4/0xb0 Allocated by task 5730: save_stack+0x19/0x80 __kasan_kmalloc.constprop.9+0xc1/0xd0 kmem_cache_alloc_trace+0x15b/0x350 alloc_sess+0xf4/0x570 [rtrs_client] rtrs_clt_open+0x3b4/0x780 [rtrs_client] find_and_get_or_create_sess+0x649/0x9d0 [rnbd_client] rnbd_clt_map_device+0xd7/0xf50 [rnbd_client] rnbd_clt_map_device_store+0x4ee/0x970 [rnbd_client] kernfs_fop_write+0x141/0x240 vfs_write+0xf3/0x280 ksys_write+0xba/0x150 do_syscall_64+0x68/0x270 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 5822: save_stack+0x19/0x80 __kasan_slab_free+0x125/0x170 kfree+0xe7/0x3f0 kobject_put+0xd3/0x240 rtrs_clt_destroy_sess_files+0x3f/0x60 [rtrs_client] rtrs_clt_close+0x3c/0x80 [rtrs_client] close_rtrs+0x45/0x80 [rnbd_client] rnbd_client_exit+0x10f/0x2bd [rnbd_client] __x64_sys_delete_module+0x27b/0x340 do_syscall_64+0x68/0x270 entry_SYSCALL_64_after_hwframe+0x49/0xbe When rtrs_clt_close is triggered, it iterates over all the present rtrs_clt_sess and triggers close on them. However, the call to rtrs_clt_destroy_sess_files is done before the rtrs_clt_close_conns. This is incorrect since during the initialization phase we allocate rtrs_clt_sess first, and then we go ahead and create rtrs_clt_con for it. If we free the rtrs_clt_sess structure before closing the rtrs_clt_con, it may so happen that an inflight IO completion would trigger the function rtrs_clt_rdma_done, which would lead to the above UAF case. Hence close the rtrs_clt_con connections first, and then trigger the destruction of session files. Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") Link: https://lore.kernel.org/r/20210325153308.1214057-12-gi-oh.kim@ionos.com Signed-off-by: Md Haris Iqbal Signed-off-by: Jack Wang Signed-off-by: Gioh Kim Signed-off-by: Jason Gunthorpe commit 9deb193af69d3fd6dd8e47f292b67c805a787010 Author: Steven Rostedt (VMware) Date: Thu Apr 1 13:54:40 2021 -0400 tracing: Fix stack trace event size Commit cbc3b92ce037 fixed an issue to modify the macros of the stack trace event so that user space could parse it properly. Originally the stack trace format to user space showed that the called stack was a dynamic array. But it is not actually a dynamic array, in the way that other dynamic event arrays worked, and this broke user space parsing for it. The update was to make the array look to have 8 entries in it. Helper functions were added to make it parse it correctly, as the stack was dynamic, but was determined by the size of the event stored. Although this fixed user space on how it read the event, it changed the internal structure used for the stack trace event. It changed the array size from [0] to [8] (added 8 entries). This increased the size of the stack trace event by 8 words. The size reserved on the ring buffer was the size of the stack trace event plus the number of stack entries found in the stack trace. That commit caused the amount to be 8 more than what was needed because it did not expect the caller field to have any size. This produced 8 entries of garbage (and reading random data) from the stack trace event: -0 [002] d... 1976396.837549: => trace_event_raw_event_sched_switch => __traceiter_sched_switch => __schedule => schedule_idle => do_idle => cpu_startup_entry => secondary_startup_64_no_verify => 0xc8c5e150ffff93de => 0xffff93de => 0 => 0 => 0xc8c5e17800000000 => 0x1f30affff93de => 0x00000004 => 0x200000000 Instead, subtract the size of the caller field from the size of the event to make sure that only the amount needed to store the stack trace is reserved. Link: https://lore.kernel.org/lkml/your-ad-here.call-01617191565-ext-9692@work.hours/ Cc: stable@vger.kernel.org Fixes: cbc3b92ce037 ("tracing: Set kernel_stack's caller size properly") Reported-by: Vasily Gorbik Tested-by: Vasily Gorbik Acked-by: Vasily Gorbik Signed-off-by: Steven Rostedt (VMware) commit 185f2e5f51c2029efd9dd26cceb968a44fe053c6 Author: Peter Collingbourne Date: Thu Apr 1 09:51:10 2021 -0700 arm64: fix inline asm in load_unaligned_zeropad() The inline asm's addr operand is marked as input-only, however in the case where an exception is taken it may be modified by the BIC instruction on the exception path. Fix the problem by using a temporary register as the destination register for the BIC instruction. Signed-off-by: Peter Collingbourne Cc: stable@vger.kernel.org Link: https://linux-review.googlesource.com/id/I84538c8a2307d567b4f45bb20b715451005f9617 Link: https://lore.kernel.org/r/20210401165110.3952103-1-pcc@google.com Signed-off-by: Will Deacon commit ffd9fb546d498b2105dca6efc58a5cd0c17f0807 Merge: 5d17c1ba3ee72 417eadfdd9e25 Author: Linus Torvalds Date: Thu Apr 1 10:09:31 2021 -0700 Merge tag 'sound-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Things seem calming down, only usual device-specific fixes for HD-audio and USB-audio at this time" * tag 'sound-5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek: fix mute/micmute LEDs for HP 640 G8 ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks ALSA: hda: Re-add dropped snd_poewr_change_state() calls ALSA: usb-audio: Apply sample rate quirk to Logitech Connect ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO commit 5d17c1ba3ee7271346f459d9015c13e7a5fb2b39 Merge: e8d1895883da8 4e53d1701b574 Author: Linus Torvalds Date: Thu Apr 1 09:39:51 2021 -0700 Merge tag 'tomoyo-pr-20210401' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1 Pull tomory fix from Tetsuo Handa: "An update on 'tomoyo: recognize kernel threads correctly' from Jens Axboe to not special case PF_IO_WORKER for PF_KTHREAD" * tag 'tomoyo-pr-20210401' of git://git.osdn.net/gitroot/tomoyo/tomoyo-test1: tomoyo: don't special case PF_IO_WORKER for PF_KTHREAD commit e8d1895883da8048266a7da43b0a381588dca87d Merge: d19cc4bfbff1a 2c7e57a02708a Author: Linus Torvalds Date: Thu Apr 1 09:32:18 2021 -0700 Merge tag 'xarray-5.12' of git://git.infradead.org/users/willy/xarray Pull XArray fixes from Matthew Wilcox: "My apologies for the lateness of this. I had a bug reported in the test suite, and when I started working on it, I realised I had two fixes sitting in the xarray tree since last November. Anyway, everything here is fixes, apart from adding xa_limit_16b. The test suite passes. Summary: - Fix a bug when splitting to a non-zero order - Documentation fix - Add a predefined 16-bit allocation limit - Various test suite fixes" * tag 'xarray-5.12' of git://git.infradead.org/users/willy/xarray: idr test suite: Improve reporting from idr_find_test_1 idr test suite: Create anchor before launching throbber idr test suite: Take RCU read lock in idr_find_test_1 radix tree test suite: Register the main thread with the RCU library radix tree test suite: Fix compilation XArray: Add xa_limit_16b XArray: Fix splitting to non-zero orders XArray: Fix split documentation commit c3214de929dbf1b7374add8bbed30ce82b197bbb Author: Eryk Rybak Date: Tue Mar 2 08:46:27 2021 +0100 i40e: Fix display statistics for veb_tc If veb-stats was enabled, the ethtool stats triggered a warning due to invalid size: 'unexpected stat size for veb.tc_%u_tx_packets'. This was due to an incorrect structure definition for the statistics. Structures and functions have been improved in line with requirements for the presentation of statistics, in particular for the functions: 'i40e_add_ethtool_stats' and 'i40e_add_stat_strings'. Fixes: 1510ae0be2a4 ("i40e: convert VEB TC stats to use an i40e_stats array") Signed-off-by: Eryk Rybak Signed-off-by: Grzegorz Szczurek Reviewed-by: Aleksandr Loktionov Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 528060ef3e1105c5c3eba66ffbfc80e0825e2cce Author: Magnus Karlsson Date: Fri Mar 19 10:44:10 2021 +0100 i40e: fix receiving of single packets in xsk zero-copy mode Fix so that single packets are received immediately instead of in batches of 8. If you sent 1 pps to a system, you received 8 packets every 8 seconds instead of 1 packet every second. The problem behind this was that the work_done reporting from the Tx part of the driver was broken. The work_done reporting in i40e controls not only the reporting back to the napi logic but also the setting of the interrupt throttling logic. When Tx or Rx reports that it has more to do, interrupts are throttled or coalesced and when they both report that they are done, interrupts are armed right away. If the wrong work_done value is returned, the logic will start to throttle interrupts in a situation where it should have just enabled them. This leads to the undesired batching behavior seen in user-space. Fix this by returning the correct boolean value from the Tx xsk zero-copy path. Return true if there is nothing to do or if we got fewer packets to process than we asked for. Return false if we got as many packets as the budget since there might be more packets we can process. Fixes: 3106c580fb7c ("i40e: Use batched xsk Tx interfaces to increase performance") Reported-by: Sreedevi Joshi Signed-off-by: Magnus Karlsson Acked-by: Maciej Fijalkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen commit 7a75a8412fdd52a64ee860bd9708d16b1b2aa77a Author: Arkadiusz Kubalewski Date: Wed Feb 17 20:21:19 2021 +0000 i40e: Fix inconsistent indenting Fixed new static analysis findings: "warn: inconsistent indenting" - introduced lately, reported with lkp and smatch build. Fixes: 4b208eaa8078 ("i40e: Add init and default config of software based DCB") Reported-by: kernel test robot Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Dave Switzer Signed-off-by: Tony Nguyen commit 07204f21577a1d882f0259590c3553fe6a476381 Author: Pavel Begunkov Date: Thu Apr 1 12:18:48 2021 +0100 io_uring: fix EIOCBQUEUED iter revert iov_iter_revert() is done in completion handlers that happensf before read/write returns -EIOCBQUEUED, no need to repeat reverting afterwards. Moreover, even though it may appear being just a no-op, it's actually races with 1) user forging a new iovec of a different size 2) reissue, that is done via io-wq continues completely asynchronously. Fixes: 3e6a0d3c7571c ("io_uring: fix -EAGAIN retry with IOPOLL") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 696ee88a7c50f96573f98aa76cc74286033140c1 Author: Pavel Begunkov Date: Thu Apr 1 09:55:04 2021 +0100 io_uring/io-wq: protect against sprintf overflow task_pid may be large enough to not fit into the left space of TASK_COMM_LEN-sized buffers and overflow in sprintf. We not so care about uniqueness, so replace it with safer snprintf(). Reported-by: Alexey Dobriyan Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/1702c6145d7e1c46fbc382f28334c02e1a3d3994.1617267273.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 4b982bd0f383db9132e892c0c5144117359a6289 Author: Jens Axboe Date: Thu Apr 1 08:38:34 2021 -0600 io_uring: don't mark S_ISBLK async work as unbounded S_ISBLK is marked as unbounded work for async preparation, because it doesn't match S_ISREG. That is incorrect, as any read/write to a block device is also a bounded operation. Fix it up and ensure that S_ISBLK isn't marked unbounded. Signed-off-by: Jens Axboe commit a2fa9e57a68cd108777ded8f0443483a5fa179ed Author: Arnd Bergmann Date: Tue Mar 23 14:19:42 2021 +0100 ARM: mvebu: avoid clang -Wtautological-constant warning Clang warns about the comparison when using a 32-bit phys_addr_t: drivers/bus/mvebu-mbus.c:621:17: error: result of comparison of constant 4294967296 with expression of type 'phys_addr_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] if (reg_start >= 0x100000000ULL) Add a cast to shut up the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20210323131952.2835509-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann commit 230ea4c761fc1a8da36044ec358e20b71441efee Author: Arnd Bergmann Date: Tue Mar 23 14:08:27 2021 +0100 ARM: pxa: mainstone: avoid -Woverride-init warning The default initializer at the start of the array causes a warning when building with W=1: In file included from arch/arm/mach-pxa/mainstone.c:47: arch/arm/mach-pxa/mainstone.h:124:33: error: initialized field overwritten [-Werror=override-init] 124 | #define MAINSTONE_IRQ(x) (MAINSTONE_NR_IRQS + (x)) | ^ arch/arm/mach-pxa/mainstone.h:133:33: note: in expansion of macro 'MAINSTONE_IRQ' 133 | #define MAINSTONE_S0_CD_IRQ MAINSTONE_IRQ(9) | ^~~~~~~~~~~~~ arch/arm/mach-pxa/mainstone.c:506:15: note: in expansion of macro 'MAINSTONE_S0_CD_IRQ' 506 | [5] = MAINSTONE_S0_CD_IRQ, | ^~~~~~~~~~~~~~~~~~~ Rework the initializer to list each element explicitly and only once. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210323130849.2362001-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann commit 28399a5a6d569c9bdb612345e4933046ca37cde5 Author: Arnd Bergmann Date: Mon Mar 8 16:34:21 2021 +0100 ARM: omap1: fix building with clang IAS The clang integrated assembler fails to build one file with a complex asm instruction: arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: error: invalid instruction, any one of the following would fix this: mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: note: instruction requires: armv6t2 mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ arch/arm/mach-omap1/ams-delta-fiq-handler.S:249:2: note: instruction requires: thumb2 mov r10, #(1 << (((NR_IRQS_LEGACY + 12) - NR_IRQS_LEGACY) % 32)) @ set deferred_fiq bit ^ The problem is that 'NR_IRQS_LEGACY' is not defined here. Apparently gas does not care because we first add and then subtract this number, leading to the immediate value to be the same regardless of the specific definition of NR_IRQS_LEGACY. Neither the way that 'gas' just silently builds this file, nor the way that clang IAS makes nonsensical suggestions for how to fix it is great. Fortunately there is an easy fix, which is to #include the header that contains the definition. Signed-off-by: Arnd Bergmann Acked-by: Tony Lindgren Link: https://lore.kernel.org/r/20210308153430.2530616-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann commit 040f31196e8b2609613f399793b9225271b79471 Author: Arnd Bergmann Date: Tue Mar 23 14:15:23 2021 +0100 soc/fsl: qbman: fix conflicting alignment attributes When building with W=1, gcc points out that the __packed attribute on struct qm_eqcr_entry conflicts with the 8-byte alignment attribute on struct qm_fd inside it: drivers/soc/fsl/qbman/qman.c:189:1: error: alignment 1 of 'struct qm_eqcr_entry' is less than 8 [-Werror=packed-not-aligned] I assume that the alignment attribute is the correct one, and that qm_eqcr_entry cannot actually be unaligned in memory, so add the same alignment on the outer struct. Fixes: c535e923bb97 ("soc/fsl: Introduce DPAA 1.x QMan device driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210323131530.2619900-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann commit 844b85dda2f569943e1e018fdd63b6f7d1d6f08e Author: Arnd Bergmann Date: Tue Mar 23 14:18:05 2021 +0100 ARM: keystone: fix integer overflow warning clang warns about an impossible condition when building with 32-bit phys_addr_t: arch/arm/mach-keystone/keystone.c:79:16: error: result of comparison of constant 51539607551 with expression of type 'phys_addr_t' (aka 'unsigned int') is always false [-Werror,-Wtautological-constant-out-of-range-compare] mem_end > KEYSTONE_HIGH_PHYS_END) { ~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~ arch/arm/mach-keystone/keystone.c:78:16: error: result of comparison of constant 34359738368 with expression of type 'phys_addr_t' (aka 'unsigned int') is always true [-Werror,-Wtautological-constant-out-of-range-compare] if (mem_start < KEYSTONE_HIGH_PHYS_START || ~~~~~~~~~ ^ ~~~~~~~~~~~~~~~~~~~~~~~~ Change the temporary variable to a fixed-size u64 to avoid the warning. Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Santosh Shilimkar Link: https://lore.kernel.org/r/20210323131814.2751750-1-arnd@kernel.org' Signed-off-by: Arnd Bergmann commit 791f9e36599d94af5a76d3f74d04e16326761aae Author: Christophe Leroy Date: Wed Mar 31 09:12:19 2021 +0000 powerpc/vdso: Make sure vdso_wrapper.o is rebuilt everytime vdso.so is rebuilt Commit bce74491c300 ("powerpc/vdso: fix unnecessary rebuilds of vgettimeofday.o") moved vdso32_wrapper.o and vdso64_wrapper.o out of arch/powerpc/kernel/vdso[32/64]/ and removed the dependencies in the Makefile. This leads to the wrappers not being re-build hence the kernel embedding the old vdso library. Add back missing dependencies to ensure vdso32_wrapper.o and vdso64_wrapper.o are rebuilt when vdso32.so.dbg and vdso64.so.dbg are changed. Fixes: bce74491c300 ("powerpc/vdso: fix unnecessary rebuilds of vgettimeofday.o") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/8bb015bc98c51d8ced581415b7e3d157e18da7c9.1617181918.git.christophe.leroy@csgroup.eu commit acca57217c688c5bbbd5140974533d81e8757cc9 Author: Christophe Leroy Date: Wed Mar 31 14:07:04 2021 +0000 powerpc/signal32: Fix Oops on sigreturn with unmapped VDSO PPC32 encounters a KUAP fault when trying to handle a signal with VDSO unmapped. Kernel attempted to read user page (7fc07ec0) - exploit attempt? (uid: 0) BUG: Unable to handle kernel data access on read at 0x7fc07ec0 Faulting instruction address: 0xc00111d4 Oops: Kernel access of bad area, sig: 11 [#1] BE PAGE_SIZE=16K PREEMPT CMPC885 CPU: 0 PID: 353 Comm: sigreturn_vdso Not tainted 5.12.0-rc4-s3k-dev-01553-gb30c310ea220 #4814 NIP: c00111d4 LR: c0005a28 CTR: 00000000 REGS: cadb3dd0 TRAP: 0300 Not tainted (5.12.0-rc4-s3k-dev-01553-gb30c310ea220) MSR: 00009032 CR: 48000884 XER: 20000000 DAR: 7fc07ec0 DSISR: 88000000 GPR00: c0007788 cadb3e90 c28d4a40 7fc07ec0 7fc07ed0 000004e0 7fc07ce0 00000000 GPR08: 00000001 00000001 7fc07ec0 00000000 28000282 1001b828 100a0920 00000000 GPR16: 100cac0c 100b0000 105c43a4 105c5685 100d0000 100d0000 100d0000 100b2e9e GPR24: ffffffff 105c43c8 00000000 7fc07ec8 cadb3f40 cadb3ec8 c28d4a40 00000000 NIP [c00111d4] flush_icache_range+0x90/0xb4 LR [c0005a28] handle_signal32+0x1bc/0x1c4 Call Trace: [cadb3e90] [100d0000] 0x100d0000 (unreliable) [cadb3ec0] [c0007788] do_notify_resume+0x260/0x314 [cadb3f20] [c000c764] syscall_exit_prepare+0x120/0x184 [cadb3f30] [c00100b4] ret_from_syscall+0xc/0x28 --- interrupt: c00 at 0xfe807f8 NIP: 0fe807f8 LR: 10001060 CTR: c0139378 REGS: cadb3f40 TRAP: 0c00 Not tainted (5.12.0-rc4-s3k-dev-01553-gb30c310ea220) MSR: 0000d032 CR: 28000482 XER: 20000000 GPR00: 00000025 7fc081c0 77bb1690 00000000 0000000a 28000482 00000001 0ff03a38 GPR08: 0000d032 00006de5 c28d4a40 00000009 88000482 1001b828 100a0920 00000000 GPR16: 100cac0c 100b0000 105c43a4 105c5685 100d0000 100d0000 100d0000 100b2e9e GPR24: ffffffff 105c43c8 00000000 77ba7628 10002398 10010000 10002124 00024000 NIP [0fe807f8] 0xfe807f8 LR [10001060] 0x10001060 --- interrupt: c00 Instruction dump: 38630010 7c001fac 38630010 4200fff0 7c0004ac 4c00012c 4e800020 7c001fac 2c0a0000 38630010 4082ffcc 4bffffe4 <7c00186c> 2c070000 39430010 4082ff8c ---[ end trace 3973fb72b049cb06 ]--- This is because flush_icache_range() is called on user addresses. The same problem was detected some time ago on PPC64. It was fixed by enabling KUAP in commit 59bee45b9712 ("powerpc/mm: Fix missing KUAP disable in flush_coherent_icache()"). PPC32 doesn't use flush_coherent_icache() and fallbacks on clean_dcache_range() and invalidate_icache_range(). We could fix it similarly by enabling user access in those functions, but this is overkill for just flushing two instructions. The two instructions are 8 bytes aligned, so a single dcbst/icbi is enough to flush them. Do like __patch_instruction() and inline a dcbst followed by an icbi just after the write of the instructions, while user access is still allowed. The isync is not required because rfi will be used to return to user. icbi() is handled as a read so read-write user access is needed. Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/bde9154e5351a5ac7bca3d59cdb5a5e8edacbb79.1617199569.git.christophe.leroy@csgroup.eu commit 3618250c8399cb36f4a0fbc48610a178307e1c64 Author: Christophe Leroy Date: Wed Mar 31 14:14:58 2021 +0000 powerpc/ptrace: Don't return error when getting/setting FP regs without CONFIG_PPC_FPU_REGS An #ifdef CONFIG_PPC_FPU_REGS is missing in arch_ptrace() leading to the following Oops because [REGSET_FPR] entry is not initialised in native_regsets[]. [ 41.917608] BUG: Unable to handle kernel instruction fetch [ 41.922849] Faulting instruction address: 0xff8fd228 [ 41.927760] Oops: Kernel access of bad area, sig: 11 [#1] [ 41.933089] BE PAGE_SIZE=4K PREEMPT CMPC885 [ 41.940753] Modules linked in: [ 41.943768] CPU: 0 PID: 366 Comm: gdb Not tainted 5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty #4835 [ 41.952800] NIP: ff8fd228 LR: c004d9e0 CTR: ff8fd228 [ 41.957790] REGS: caae9df0 TRAP: 0400 Not tainted (5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty) [ 41.966741] MSR: 40009032 CR: 82004248 XER: 20000000 [ 41.973540] [ 41.973540] GPR00: c004d9b4 caae9eb0 c1b64f60 c1b64520 c0713cd4 caae9eb8 c1bacdfc 00000004 [ 41.973540] GPR08: 00000200 ff8fd228 c1bac700 00001032 28004242 1061aaf4 00000001 106d64a0 [ 41.973540] GPR16: 00000000 00000000 7fa0a774 10610000 7fa0aef9 00000000 10610000 7fa0a538 [ 41.973540] GPR24: 7fa0a580 7fa0a570 c1bacc00 c1b64520 c1bacc00 caae9ee8 00000108 c0713cd4 [ 42.009685] NIP [ff8fd228] 0xff8fd228 [ 42.013300] LR [c004d9e0] __regset_get+0x100/0x124 [ 42.018036] Call Trace: [ 42.020443] [caae9eb0] [c004d9b4] __regset_get+0xd4/0x124 (unreliable) [ 42.026899] [caae9ee0] [c004da94] copy_regset_to_user+0x5c/0xb0 [ 42.032751] [caae9f10] [c002f640] sys_ptrace+0xe4/0x588 [ 42.037915] [caae9f30] [c0011010] ret_from_syscall+0x0/0x28 [ 42.043422] --- interrupt: c00 at 0xfd1f8e4 [ 42.047553] NIP: 0fd1f8e4 LR: 1004a688 CTR: 00000000 [ 42.052544] REGS: caae9f40 TRAP: 0c00 Not tainted (5.12.0-rc5-s3k-dev-01666-g7aac86a0f057-dirty) [ 42.061494] MSR: 0000d032 CR: 48004442 XER: 00000000 [ 42.068551] [ 42.068551] GPR00: 0000001a 7fa0a040 77dad7e0 0000000e 00000170 00000000 7fa0a078 00000004 [ 42.068551] GPR08: 00000000 108deb88 108dda40 106d6010 44004442 1061aaf4 00000001 106d64a0 [ 42.068551] GPR16: 00000000 00000000 7fa0a774 10610000 7fa0aef9 00000000 10610000 7fa0a538 [ 42.068551] GPR24: 7fa0a580 7fa0a570 1078fe00 1078fd70 1078fd70 00000170 0fdd3244 0000000d [ 42.104696] NIP [0fd1f8e4] 0xfd1f8e4 [ 42.108225] LR [1004a688] 0x1004a688 [ 42.111753] --- interrupt: c00 [ 42.114768] Instruction dump: [ 42.117698] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX [ 42.125443] XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX [ 42.133195] ---[ end trace d35616f22ab2100c ]--- Adding the missing #ifdef is not good because gdb doesn't like getting an error when getting registers. Instead, make ptrace return 0s when CONFIG_PPC_FPU_REGS is not set. Fixes: b6254ced4da6 ("powerpc/signal: Don't manage floating point regs when no FPU") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/9121a44a2d50ba1af18d8aa5ada06c9a3bea8afd.1617200085.git.christophe.leroy@csgroup.eu commit de3510e52b0a398261271455562458003b8eea62 Author: Damien Le Moal Date: Thu Apr 1 07:52:44 2021 +0900 null_blk: fix command timeout completion handling Memory backed or zoned null block devices may generate actual request timeout errors due to the submission path being blocked on memory allocation or zone locking. Unlike fake timeouts or injected timeouts, the request submission path will call blk_mq_complete_request() or blk_mq_end_request() for these real timeout errors, causing a double completion and use after free situation as the block layer timeout handler executes blk_mq_rq_timed_out() and __blk_mq_free_request() in blk_mq_check_expired(). This problem often triggers a NULL pointer dereference such as: BUG: kernel NULL pointer dereference, address: 0000000000000050 RIP: 0010:blk_mq_sched_mark_restart_hctx+0x5/0x20 ... Call Trace: dd_finish_request+0x56/0x80 blk_mq_free_request+0x37/0x130 null_handle_cmd+0xbf/0x250 [null_blk] ? null_queue_rq+0x67/0xd0 [null_blk] blk_mq_dispatch_rq_list+0x122/0x850 __blk_mq_do_dispatch_sched+0xbb/0x2c0 __blk_mq_sched_dispatch_requests+0x13d/0x190 blk_mq_sched_dispatch_requests+0x30/0x60 __blk_mq_run_hw_queue+0x49/0x90 process_one_work+0x26c/0x580 worker_thread+0x55/0x3c0 ? process_one_work+0x580/0x580 kthread+0x134/0x150 ? kthread_create_worker_on_cpu+0x70/0x70 ret_from_fork+0x1f/0x30 This problem very often triggers when running the full btrfs xfstests on a memory-backed zoned null block device in a VM with limited amount of memory. Avoid this by executing blk_mq_complete_request() in null_timeout_rq() only for commands that are marked for a fake timeout completion using the fake_timeout boolean in struct null_cmd. For timeout errors injected through debugfs, the timeout handler will execute blk_mq_complete_request()i as before. This is safe as the submission path does not execute complete requests in this case. In null_timeout_rq(), also make sure to set the command error field to BLK_STS_TIMEOUT and to propagate this error through to the request completion. Reported-by: Johannes Thumshirn Signed-off-by: Damien Le Moal Tested-by: Johannes Thumshirn Reviewed-by: Johannes Thumshirn Link: https://lore.kernel.org/r/20210331225244.126426-1-damien.lemoal@wdc.com Signed-off-by: Jens Axboe commit 2c7e57a02708a69d0194f9ef2a7b7e54f5a0484a Author: Matthew Wilcox (Oracle) Date: Thu Apr 1 07:50:42 2021 -0400 idr test suite: Improve reporting from idr_find_test_1 Instead of just reporting an assertion failure, report enough information that we can start diagnosing exactly went wrong. Signed-off-by: Matthew Wilcox (Oracle) commit 094ffbd1d8eaa27ed426feb8530cb1456348b018 Author: Matthew Wilcox (Oracle) Date: Thu Apr 1 07:46:49 2021 -0400 idr test suite: Create anchor before launching throbber The throbber could race with creation of the anchor entry and cause the IDR to have zero entries in it, which would cause the test to fail. Signed-off-by: Matthew Wilcox (Oracle) commit 703586410da69eb40062e64d413ca33bd735917a Author: Matthew Wilcox (Oracle) Date: Thu Apr 1 07:44:48 2021 -0400 idr test suite: Take RCU read lock in idr_find_test_1 When run on a single CPU, this test would frequently access already-freed memory. Due to timing, this bug never showed up on multi-CPU tests. Reported-by: Chris von Recklinghausen Signed-off-by: Matthew Wilcox (Oracle) commit 1bb4bd266cf39fd2fa711f2d265c558b92df1119 Author: Matthew Wilcox (Oracle) Date: Wed Mar 31 14:59:19 2021 -0400 radix tree test suite: Register the main thread with the RCU library Several test runners register individual worker threads with the RCU library, but neglect to register the main thread, which can lead to objects being freed while the main thread is in what appears to be an RCU critical section. Reported-by: Chris von Recklinghausen Signed-off-by: Matthew Wilcox (Oracle) commit 8cdddd182bd7befae6af49c5fd612893f55d6ccb Author: Vitaly Kuznetsov Date: Wed Mar 24 16:22:19 2021 +0100 ACPI: processor: Fix CPU0 wakeup in acpi_idle_play_dead() Commit 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state") broke CPU0 hotplug on certain systems, e.g. I'm observing the following on AWS Nitro (e.g r5b.xlarge but other instance types are affected as well): # echo 0 > /sys/devices/system/cpu/cpu0/online # echo 1 > /sys/devices/system/cpu/cpu0/online <10 seconds delay> -bash: echo: write error: Input/output error In fact, the above mentioned commit only revealed the problem and did not introduce it. On x86, to wakeup CPU an NMI is being used and hlt_play_dead()/mwait_play_dead() loops are prepared to handle it: /* * If NMI wants to wake up CPU0, start CPU0. */ if (wakeup_cpu0()) start_cpu0(); cpuidle_play_dead() -> acpi_idle_play_dead() (which is now being called on systems where it wasn't called before the above mentioned commit) serves the same purpose but it doesn't have a path for CPU0. What happens now on wakeup is: - NMI is sent to CPU0 - wakeup_cpu0_nmi() works as expected - we get back to while (1) loop in acpi_idle_play_dead() - safe_halt() puts CPU0 to sleep again. The straightforward/minimal fix is add the special handling for CPU0 on x86 and that's what the patch is doing. Fixes: 496121c02127 ("ACPI: processor: idle: Allow probing on platforms with one ACPI C-state") Signed-off-by: Vitaly Kuznetsov Cc: 5.10+ # 5.10+ Signed-off-by: Rafael J. Wysocki commit adfc3ed7dcb98f7411d3632e3bdf81690294fe7d Author: Srinivas Kandagatla Date: Wed Mar 31 18:12:35 2021 +0100 ASoC: codecs: lpass-rx-macro: set npl clock rate correctly NPL clock rate is twice the MCLK rate, so set this correctly to avoid soundwire timeouts. Fixes: af3d54b99764 ("ASoC: codecs: lpass-rx-macro: add support for lpass rx macro") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210331171235.24824-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown commit b861106f3cd693f944ba46d9ea8744a3fbfd14db Author: Srinivas Kandagatla Date: Wed Mar 31 18:12:34 2021 +0100 ASoC: codecs: lpass-tx-macro: set npl clock rate correctly NPL clock rate is twice the MCLK rate, so set this correctly to avoid soundwire timeouts. Fixes: c39667ddcfc5 ("ASoC: codecs: lpass-tx-macro: add support for lpass tx macro") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210331171235.24824-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown commit 89e21e1ad92373b7306b9b8494d45781598ce72f Merge: 111a5a421fb77 f57011e72f5fe Author: Arnd Bergmann Date: Thu Apr 1 11:34:06 2021 +0200 Merge tag 'imx-fixes-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.12, round 2: - Fix a system failure on imx6qdl-phytec-pfla02 board when booting from SD, by adding missing vmmc supply for SD interfaces. - Fix address typo in i.MX8MM/Q IOMUXC_SD1_DATA0_GPIO2_IO2 definition. * tag 'imx-fixes-5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0 Link: https://lore.kernel.org/r/20210330090236.GQ22955@dragon Signed-off-by: Arnd Bergmann commit 111a5a421fb770d0fc2e09f7d57eb2cbe51e3ade Merge: 70a6062cc2ca7 b3d09a06d89f4 Author: Arnd Bergmann Date: Thu Apr 1 11:33:34 2021 +0200 Merge tag 'omap-for-v5.12/fixes-rc4-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes More fixes for omaps for v5.12-rc cycle Two fixes for hangs, mmc slot order fix, and a voltage typo fix: - Remove unused duplicate sha2md5_fck clock node that can race with the OMAP4_SHA2MD5_CLKCTRL clock node for disable for unused clocks - Add aliases for omap4/5 mmc to put the slots back into the right order again - Fix typo for bionic voltage controllers that accidentally use mpu for all instances instead of mpu, core and iva - Fix random hangs for droid4 caused by missing fix from TI Android kernel tree to do a dummy smc call on cpuidle wakeup path * tag 'omap-for-v5.12/fixes-rc4-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: OMAP4: PM: update ROM return address for OSWR and OFF ARM: OMAP4: Fix PMIC voltage domains for bionic ARM: dts: Fix moving mmc devices with aliases for omap4 & 5 ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race Link: https://lore.kernel.org/r/pull-1616584662-702939@atomide.com Signed-off-by: Arnd Bergmann commit 70a6062cc2ca74ce0dd9fdff6d0e582b3490dd23 Merge: a5e13c6df0e41 443f0bb8e29fa Author: Arnd Bergmann Date: Thu Apr 1 11:33:00 2021 +0200 Merge tag 'arm-soc/for-5.12/devicetree-part2' of https://github.com/Broadcom/stblinux into arm/fixes This pull request contains Broadcom ARM-based SoC changes for 5.12, please pull the following: - Florian reverts the adding of the second level interrupt controller for HDMI BSC interrupts since they collide with the main I2C controller (i2c-bcm2835). * tag 'arm-soc/for-5.12/devicetree-part2' of https://github.com/Broadcom/stblinux: Revert "ARM: dts: bcm2711: Add the BSC interrupt controller" Signed-off-by: Arnd Bergmann commit 55626ca9c6909d077eca71bccbe15fef6e5ad917 Author: Vitaly Kuznetsov Date: Fri Mar 26 16:55:51 2021 +0100 selftests: kvm: Check that TSC page value is small after KVM_SET_CLOCK(0) Add a test for the issue when KVM_SET_CLOCK(0) call could cause TSC page value to go very big because of a signedness issue around hv_clock->system_time. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210326155551.17446-3-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit 77fcbe823f002ad18426545351fa2fb94f8d5e61 Author: Vitaly Kuznetsov Date: Wed Mar 31 14:41:29 2021 +0200 KVM: x86: Prevent 'hv_clock->system_time' from going negative in kvm_guest_time_update() When guest time is reset with KVM_SET_CLOCK(0), it is possible for 'hv_clock->system_time' to become a small negative number. This happens because in KVM_SET_CLOCK handling we set 'kvm->arch.kvmclock_offset' based on get_kvmclock_ns(kvm) but when KVM_REQ_CLOCK_UPDATE is handled, kvm_guest_time_update() does (masterclock in use case): hv_clock.system_time = ka->master_kernel_ns + v->kvm->arch.kvmclock_offset; And 'master_kernel_ns' represents the last time when masterclock got updated, it can precede KVM_SET_CLOCK() call. Normally, this is not a problem, the difference is very small, e.g. I'm observing hv_clock.system_time = -70 ns. The issue comes from the fact that 'hv_clock.system_time' is stored as unsigned and 'system_time / 100' in compute_tsc_page_parameters() becomes a very big number. Use 'master_kernel_ns' instead of get_kvmclock_ns() when masterclock is in use and get_kvmclock_base_ns() when it's not to prevent 'system_time' from going negative. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210331124130.337992-2-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit a83829f56c7ce17d5d05370820e185d9a23d3090 Author: Paolo Bonzini Date: Thu Mar 25 14:11:14 2021 -0400 KVM: x86: disable interrupts while pvclock_gtod_sync_lock is taken pvclock_gtod_sync_lock can be taken with interrupts disabled if the preempt notifier calls get_kvmclock_ns to update the Xen runstate information: spin_lock include/linux/spinlock.h:354 [inline] get_kvmclock_ns+0x25/0x390 arch/x86/kvm/x86.c:2587 kvm_xen_update_runstate+0x3d/0x2c0 arch/x86/kvm/xen.c:69 kvm_xen_update_runstate_guest+0x74/0x320 arch/x86/kvm/xen.c:100 kvm_xen_runstate_set_preempted arch/x86/kvm/xen.h:96 [inline] kvm_arch_vcpu_put+0x2d8/0x5a0 arch/x86/kvm/x86.c:4062 So change the users of the spinlock to spin_lock_irqsave and spin_unlock_irqrestore. Reported-by: syzbot+b282b65c2c68492df769@syzkaller.appspotmail.com Fixes: 30b5c851af79 ("KVM: x86/xen: Add support for vCPU runstate information") Cc: David Woodhouse Cc: Marcelo Tosatti Signed-off-by: Paolo Bonzini commit c2c647f91aec192f45f0849c225f134183cf4e90 Author: Paolo Bonzini Date: Thu Mar 25 14:05:11 2021 -0400 KVM: x86: reduce pvclock_gtod_sync_lock critical sections There is no need to include changes to vcpu->requests into the pvclock_gtod_sync_lock critical section. The changes to the shared data structures (in pvclock_update_vm_gtod_copy) already occur under the lock. Cc: David Woodhouse Cc: Marcelo Tosatti Signed-off-by: Paolo Bonzini commit 6ebae23c072bb865048d2b2500ee1fae71944263 Merge: 825e34d3c9e21 3c346c0c60ab0 Author: Paolo Bonzini Date: Wed Mar 31 07:50:54 2021 -0400 Merge branch 'kvm-fix-svm-races' into kvm-master commit 3c346c0c60ab06a021d1c0884a0ef494bc4ee3a7 Author: Paolo Bonzini Date: Wed Mar 31 06:28:01 2021 -0400 KVM: SVM: ensure that EFER.SVME is set when running nested guest or on nested vmexit Fixing nested_vmcb_check_save to avoid all TOC/TOU races is a bit harder in released kernels, so do the bare minimum by avoiding that EFER.SVME is cleared. This is problematic because svm_set_efer frees the data structures for nested virtualization if EFER.SVME is cleared. Also check that EFER.SVME remains set after a nested vmexit; clearing it could happen if the bit is zero in the save area that is passed to KVM_SET_NESTED_STATE (the save area of the nested state corresponds to the nested hypervisor's state and is restored on the next nested vmexit). Cc: stable@vger.kernel.org Fixes: 2fcf4876ada ("KVM: nSVM: implement on demand allocation of the nested state") Signed-off-by: Paolo Bonzini commit a58d9166a756a0f4a6618e4f593232593d6df134 Author: Paolo Bonzini Date: Wed Mar 31 06:24:43 2021 -0400 KVM: SVM: load control fields from VMCB12 before checking them Avoid races between check and use of the nested VMCB controls. This for example ensures that the VMRUN intercept is always reflected to the nested hypervisor, instead of being processed by the host. Without this patch, it is possible to end up with svm->nested.hsave pointing to the MSR permission bitmap for nested guests. This bug is CVE-2021-29657. Reported-by: Felix Wilhelm Cc: stable@vger.kernel.org Fixes: 2fcf4876ada ("KVM: nSVM: implement on demand allocation of the nested state") Signed-off-by: Paolo Bonzini commit dcdb7aa452ef9503a9a90dc807475e2d5b78ba21 Merge: 7344c82777a75 e3512fb67093f Author: Dave Airlie Date: Thu Apr 1 15:04:58 2021 +1000 Merge tag 'amd-drm-fixes-5.12-2021-03-31' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.12-2021-03-31: amdgpu: - Polaris idle power fix - VM fix - Vangogh S3 fix - Fixes for non-4K page sizes amdkfd: - dqm fence memory corruption fix Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20210401020057.17831-1-alexander.deucher@amd.com commit 7344c82777a753c87973b1554899592390a95781 Merge: a5e13c6df0e41 6161a435c1910 Author: Dave Airlie Date: Thu Apr 1 13:30:49 2021 +1000 Merge tag 'exynos-drm-fixes-for-v5.12-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos into drm-fixes Just one cleanup which drops of_gpio.h inclusion. - This header file isn't used anymore so drop it. Signed-off-by: Dave Airlie From: Inki Dae Link: https://patchwork.freedesktop.org/patch/msgid/1617016858-14081-1-git-send-email-inki.dae@samsung.com commit e3512fb67093fabdf27af303066627b921ee9bd8 Author: Xℹ Ruoyao Date: Tue Mar 30 23:33:34 2021 +0800 drm/amdgpu: check alignment on CPU page for bo map The page table of AMDGPU requires an alignment to CPU page so we should check ioctl parameters for it. Return -EINVAL if some parameter is unaligned to CPU page, instead of corrupt the page table sliently. Reviewed-by: Christian König Signed-off-by: Xi Ruoyao Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 566c6e25f957ebdb0b6e8073ee291049118f47fb Author: Huacai Chen Date: Tue Mar 30 23:33:33 2021 +0800 drm/amdgpu: Set a suitable dev_info.gart_page_size In Mesa, dev_info.gart_page_size is used for alignment and it was set to AMDGPU_GPU_PAGE_SIZE(4KB). However, the page table of AMDGPU driver requires an alignment on CPU pages. So, for non-4KB page system, gart_page_size should be max_t(u32, PAGE_SIZE, AMDGPU_GPU_PAGE_SIZE). Signed-off-by: Rui Wang Signed-off-by: Huacai Chen Link: https://github.com/loongson-community/linux-stable/commit/caa9c0a1 [Xi: rebased for drm-next, use max_t for checkpatch, and reworded commit message.] Signed-off-by: Xi Ruoyao BugLink: https://gitlab.freedesktop.org/drm/amd/-/issues/1549 Tested-by: Dan Horák Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 6951c3e4a260f65a16433833d2511e8796dc8625 Author: Alex Deucher Date: Fri Mar 26 16:56:07 2021 -0400 drm/amdgpu/vangogh: don't check for dpm in is_dpm_running when in suspend Do the same thing we do for Renoir. We can check, but since the sbios has started DPM, it will always return true which causes the driver to skip some of the SMU init when it shouldn't. Reviewed-by: Zhan Liu Acked-by: Evan Quan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit e92049ae4548ba09e53eaa9c8f6964b07ea274c9 Author: Qu Huang Date: Thu Jan 28 20:14:25 2021 +0800 drm/amdkfd: dqm fence memory corruption Amdgpu driver uses 4-byte data type as DQM fence memory, and transmits GPU address of fence memory to microcode through query status PM4 message. However, query status PM4 message definition and microcode processing are all processed according to 8 bytes. Fence memory only allocates 4 bytes of memory, but microcode does write 8 bytes of memory, so there is a memory corruption. Changes since v1: * Change dqm->fence_addr as a u64 pointer to fix this issue, also fix up query_status and amdkfd_fence_wait_timeout function uses 64 bit fence value to make them consistent. Signed-off-by: Qu Huang Reviewed-by: Felix Kuehling Signed-off-by: Felix Kuehling Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 3edf5346e4f2ce2fa0c94651a90a8dda169565ee Author: Yufen Yu Date: Wed Mar 31 07:53:59 2021 -0400 block: only update parent bi_status when bio fail For multiple split bios, if one of the bio is fail, the whole should return error to application. But we found there is a race between bio_integrity_verify_fn and bio complete, which return io success to application after one of the bio fail. The race as following: split bio(READ) kworker nvme_complete_rq blk_update_request //split error=0 bio_endio bio_integrity_endio queue_work(kintegrityd_wq, &bip->bip_work); bio_integrity_verify_fn bio_endio //split bio __bio_chain_endio if (!parent->bi_status) nvme_irq blk_update_request //parent error=7 req_bio_endio bio->bi_status = 7 //parent bio parent->bi_status = 0 parent->bi_end_io() // return bi_status=0 The bio has been split as two: split and parent. When split bio completed, it depends on kworker to do endio, while bio_integrity_verify_fn have been interrupted by parent bio complete irq handler. Then, parent bio->bi_status which have been set in irq handler will overwrite by kworker. In fact, even without the above race, we also need to conside the concurrency beteen mulitple split bio complete and update the same parent bi_status. Normally, multiple split bios will be issued to the same hctx and complete from the same irq vector. But if we have updated queue map between multiple split bios, these bios may complete on different hw queue and different irq vector. Then the concurrency update parent bi_status may cause the final status error. Suggested-by: Keith Busch Signed-off-by: Yufen Yu Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20210331115359.1125679-1-yuyufen@huawei.com Signed-off-by: Jens Axboe commit 622d13694b5f048c01caa7ba548498d9880d4cb0 Author: Ong Boon Leong Date: Wed Mar 31 21:25:03 2021 +0800 xdp: fix xdp_return_frame() kernel BUG throw for page_pool memory model xdp_return_frame() may be called outside of NAPI context to return xdpf back to page_pool. xdp_return_frame() calls __xdp_return() with napi_direct = false. For page_pool memory model, __xdp_return() calls xdp_return_frame_no_direct() unconditionally and below false negative kernel BUG throw happened under preempt-rt build: [ 430.450355] BUG: using smp_processor_id() in preemptible [00000000] code: modprobe/3884 [ 430.451678] caller is __xdp_return+0x1ff/0x2e0 [ 430.452111] CPU: 0 PID: 3884 Comm: modprobe Tainted: G U E 5.12.0-rc2+ #45 Changes in v2: - This patch fixes the issue by making xdp_return_frame_no_direct() is only called if napi_direct = true, as recommended for better by Jesper Dangaard Brouer. Thanks! Fixes: 2539650fadbf ("xdp: Helpers for disabling napi_direct of xdp_return_frame") Signed-off-by: Ong Boon Leong Acked-by: Jesper Dangaard Brouer Signed-off-by: David S. Miller commit c609e6aae4efcf383fe86b195d1b060befcb3666 Author: Eric Dumazet Date: Wed Mar 31 09:35:12 2021 -0700 Revert "net: correct sk_acceptq_is_full()" This reverts commit f211ac154577ec9ccf07c15f18a6abf0d9bdb4ab. We had similar attempt in the past, and we reverted it. History: 64a146513f8f12ba204b7bf5cb7e9505594ead42 [NET]: Revert incorrect accept queue backlog changes. 8488df894d05d6fa41c2bd298c335f944bb0e401 [NET]: Fix bugs in "Whether sock accept queue is full" checking I am adding a fat comment so that future attempts will be much harder. Fixes: f211ac154577 ("net: correct sk_acceptq_is_full()") Cc: iuyacan Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 9dc22c0d04a2f9734146e6f1e757160d78800e3c Merge: c9170f132178c 3ff3874fa0b26 Author: David S. Miller Date: Wed Mar 31 14:54:32 2021 -0700 Merge tag 'mlx5-fixes-2021-03-31' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2021-03-31 This series introduces some fixes to mlx5 driver. Please pull and let me know if there is any problem. ==================== Signed-off-by: David S. Miller commit c9170f132178cdafefcff7d16434ff3c1b13a988 Merge: bdc2ab5c61a5c ef19e111337f6 Author: David S. Miller Date: Wed Mar 31 14:37:51 2021 -0700 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2021-03-31 1) Fix ipv4 pmtu checks for xfrm anf vti interfaces. From Eyal Birger. 2) There are situations where the socket passed to xfrm_output_resume() is not the same as the one attached to the skb. Use the socket passed to xfrm_output_resume() to avoid lookup failures when xfrm is used with VRFs. From Evan Nimmo. 3) Make the xfrm_state_hash_generation sequence counter per network namespace because but its write serialization lock is also per network namespace. Write protection is insufficient otherwise. From Ahmed S. Darwish. 4) Fixup sctp featue flags when used with esp offload. From Xin Long. 5) xfrm BEET mode doesn't support fragments for inner packets. This is a limitation of the protocol, so no fix possible. Warn at least to notify the user about that situation. From Xin Long. 6) Fix NULL pointer dereference on policy lookup when namespaces are uses in combination with esp offload. 7) Fix incorrect transformation on esp offload when packets get segmented at layer 3. 8) Fix some user triggered usages of WARN_ONCE in the xfrm compat layer. From Dmitry Safonov. Please pull or let me know if there are problems. ==================== Signed-off-by: David S. Miller commit bdc2ab5c61a5c07388f4820ff21e787b4dfd1ced Author: Lv Yunlong Date: Tue Mar 30 18:59:59 2021 -0700 net/rds: Fix a use after free in rds_message_map_pages In rds_message_map_pages, the rm is freed by rds_message_put(rm). But rm is still used by rm->data.op_sg in return value. My patch assigns ERR_CAST(rm->data.op_sg) to err before the rm is freed to avoid the uaf. Fixes: 7dba92037baf3 ("net/rds: Use ERR_PTR for rds_message_alloc_sgs()") Signed-off-by: Lv Yunlong Reviewed-by: Håkon Bugge Signed-off-by: David S. Miller commit d47ec7a0a7271dda08932d6208e4ab65ab0c987c Author: Tong Zhu Date: Fri Mar 19 14:33:37 2021 -0400 neighbour: Disregard DEAD dst in neigh_update After a short network outage, the dst_entry is timed out and put in DST_OBSOLETE_DEAD. We are in this code because arp reply comes from this neighbour after network recovers. There is a potential race condition that dst_entry is still in DST_OBSOLETE_DEAD. With that, another neighbour lookup causes more harm than good. In best case all packets in arp_queue are lost. This is counterproductive to the original goal of finding a better path for those packets. I observed a worst case with 4.x kernel where a dst_entry in DST_OBSOLETE_DEAD state is associated with loopback net_device. It leads to an ethernet header with all zero addresses. A packet with all zero source MAC address is quite deadly with mac80211, ath9k and 802.11 block ack. It fails ieee80211_find_sta_by_ifaddr in ath9k (xmit.c). Ath9k flushes tx queue (ath_tx_complete_aggr). BAW (block ack window) is not updated. BAW logic is damaged and ath9k transmission is disabled. Signed-off-by: Tong Zhu Signed-off-by: David S. Miller commit 3ff3874fa0b261ef74f2bfb008a82ab1601c11eb Author: Tariq Toukan Date: Wed Feb 10 14:58:01 2021 +0200 net/mlx5e: Guarantee room for XSK wakeup NOP on async ICOSQ XSK wakeup flow triggers an IRQ by posting a NOP WQE and hitting the doorbell on the async ICOSQ. It maintains its state so that it doesn't issue another NOP WQE if it has an outstanding one already. For this flow to work properly, the NOP post must not fail. Make sure to reserve room for the NOP WQE in all WQE posts to the async ICOSQ. Fixes: 8d94b590f1e4 ("net/mlx5e: Turn XSK ICOSQ into a general asynchronous one") Fixes: 1182f3659357 ("net/mlx5e: kTLS, Add kTLS RX HW offload support") Fixes: 0419d8c9d8f8 ("net/mlx5e: kTLS, Add kTLS RX resync support") Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed commit 929a2faddd55290fbb0b73f453b200ed1b2b2947 Author: Dima Chumak Date: Thu Feb 11 09:36:33 2021 +0200 net/mlx5e: Consider geneve_opts for encap contexts Current algorithm for encap keys is legacy from initial vxlan implementation and doesn't take into account all possible fields of a tunnel. For example, for a Geneve tunnel, which may have additional TLV options, they are ignored when comparing encap keys and a rule can be attached to an incorrect encap entry. Fix that by introducing encap_info_equal() operation in struct mlx5e_tc_tunnel. Geneve tunnel type uses custom implementation, which extends generic algorithm and considers options if they are set. Fixes: 7f1a546e3222 ("net/mlx5e: Consider tunnel type for encap contexts") Signed-off-by: Dima Chumak Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed commit a7b76002ae78cd230ee652ccdfedf21aa94fcecc Author: Daniel Jurgens Date: Thu Dec 5 16:58:10 2019 -0600 net/mlx5: Don't request more than supported EQs Calculating the number of compeltion EQs based on the number of available IRQ vectors doesn't work now that all async EQs share one IRQ. Thus the max number of EQs can be exceeded on systems with more than approximately 256 CPUs. Take this into account when calculating the number of available completion EQs. Fixes: 81bfa206032a ("net/mlx5: Use a single IRQ for all async EQs") Signed-off-by: Daniel Jurgens Reviewed-by: Parav Pandit Signed-off-by: Saeed Mahameed commit 6f4fdd530a09c8e2c7368ba5a5b1711e6e5ced10 Author: Tariq Toukan Date: Sun Feb 28 15:00:45 2021 +0200 net/mlx5e: kTLS, Fix RX counters atomicity Some TLS RX counters increment per socket/connection, and are not protected against parallel modifications from several cores. Switch them to atomic counters by taking them out of the RQ stats into the global atomic TLS stats. In this patch, we touch 'rx_tls_ctx/del' that count the number of device-offloaded RX TLS connections added/deleted. These counters are updated in the add/del callbacks, out of the fast data-path. This change is not needed for counters that increment only in NAPI context, as they are protected by the NAPI mechanism. Keep them as tls_* counters under 'struct mlx5e_rq_stats'. Fixes: 76c1e1ac2aae ("net/mlx5e: kTLS, Add kTLS RX stats") Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed commit a51bce9698e951fec3fc0624060f124794ec3558 Author: Tariq Toukan Date: Sun Feb 28 13:50:17 2021 +0200 net/mlx5e: kTLS, Fix TX counters atomicity Some TLS TX counters increment per socket/connection, and are not protected against parallel modifications from several cores. Switch them to atomic counters by taking them out of the SQ stats into the global atomic TLS stats. In this patch, we touch a single counter 'tx_tls_ctx' that counts the number of device-offloaded TX TLS connections added. Now that this counter can be increased without the for having the SQ context in hand, move it to the mlx5e_ktls_add_tx() callback where it really belongs, out of the fast data-path. This change is not needed for counters that increment only in NAPI context or under the TX lock, as they are already protected. Keep them as tls_* counters under 'struct mlx5e_sq_stats'. Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support") Signed-off-by: Tariq Toukan Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed commit e929e3da537e3c2d97aabbd00530040997dde9ce Author: Maor Dickman Date: Mon Mar 15 15:20:29 2021 +0200 net/mlx5: E-switch, Create vport miss group only if src rewrite is supported Create send to vport miss group was added in order to support traffic recirculation to root table with metadata source rewrite. This group is created also in case source rewrite isn't supported. Fixed by creating send to vport miss group only if source rewrite is supported by FW. Fixes: 8e404fefa58b ("net/mlx5e: Match recirculated packet miss in slow table using reg_c1") Signed-off-by: Maor Dickman Reviewed-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 3211434dfe7a66fcf55e43961ea524b78336c04c Author: Aya Levin Date: Wed Mar 24 12:25:06 2021 +0200 net/mlx5e: Fix ethtool indication of connector type Use connector_type read from PTYS register when it's valid, based on corresponding capability bit. Fixes: 5b4793f81745 ("net/mlx5e: Add support for reading connector type from PTYS") Signed-off-by: Aya Levin Reviewed-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed commit 1f90aedfb496ccccf862c7b7c0889af20c2fc61a Author: Maor Dickman Date: Mon Mar 22 17:22:03 2021 +0200 net/mlx5: Delete auxiliary bus driver eth-rep first Delete auxiliary bus drivers flow deletes the eth driver first and then the eth-reps driver but eth-reps devices resources are depend on eth device. Fixed by changing the delete order of auxiliary bus drivers to delete the eth-rep driver first and after it the eth driver. Fixes: 601c10c89cbb ("net/mlx5: Delete custom device management logic") Signed-off-by: Maor Dickman Reviewed-by: Leon Romanovsky Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit d24f847e54214049814b9515771622eaab3f42ab Author: Ariel Levkovich Date: Tue Mar 9 01:29:01 2021 +0200 net/mlx5e: Fix mapping of ct_label zero ct_label 0 is a default label each flow has and therefore there can be rules that match on ct_label=0 without a prior rule that set the ct_label to this value. The ct_label value is not used directly in the HW rules and instead it is mapped to some id within a defined range and this id is used to set and match the metadata register which carries the ct_label. If we have a rule that matches on ct_label=0, the hw rule will perform matching on a value that is != 0 because of the mapping from label to id. Since the metadata register default value is 0 and it was never set before to anything else by an action that sets the ct_label, there will always be a mismatch between that register and the value in the rule. To support such rule, a forced mapping of ct_label 0 to id=0 is done so that it will match the metadata register default value of 0. Fixes: 54b154ecfb8c ("net/mlx5e: CT: Map 128 bits labels to 32 bit map ID") Signed-off-by: Ariel Levkovich Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 23cf00ddd2e1aacf1873e43f5e0c519c120daf7a Author: Matti Vaittinen Date: Mon Mar 29 14:41:12 2021 +0300 gpio: sysfs: Obey valid_mask Do not allow exporting GPIOs which are set invalid by the driver's valid mask. Fixes: 726cb3ba4969 ("gpiolib: Support 'gpio-reserved-ranges' property") Signed-off-by: Matti Vaittinen Reviewed-by: Andy Shevchenko Signed-off-by: Bartosz Golaszewski commit d19cc4bfbff1ae72c3505a00fb8ce0d3fa519e6c Merge: 39192106d4efd 59300b36f85f2 Author: Linus Torvalds Date: Wed Mar 31 10:14:55 2021 -0700 Merge tag 'trace-v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull ftrace fix from Steven Rostedt: "Add check of order < 0 before calling free_pages() The function addresses that are traced by ftrace are stored in pages, and the size is held in a variable. If there's some error in creating them, the allocate ones will be freed. In this case, it is possible that the order of pages to be freed may end up being negative due to a size of zero passed to get_count_order(), and then that negative number will cause free_pages() to free a very large section. Make sure that does not happen" * tag 'trace-v5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: ftrace: Check if pages were allocated before calling free_pages() commit 39192106d4efd482f96a0be8b7aaae7ec150d9ee Merge: 5e46d1b78a03d ba845907b23a6 Author: Linus Torvalds Date: Wed Mar 31 10:09:44 2021 -0700 Merge tag 'pinctrl-v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "Some overly ripe fixes for the v5.12 kernel. I should have sent earlier but had my head stuck in GDB. All are driver fixes: - Fix up some Intel GPIO base calculations. - Fix a register offset in the Microchip driver. - Fix suspend/resume bug in the Rockchip driver. - Default pull up strength in the Qualcomm LPASS driver. - Fix two pingroup offsets in the Qualcomm SC7280 driver. - Fix SDC1 register offset in the Qualcomm SC7280 driver. - Fix a nasty string concatenation in the Qualcomm SDX55 driver. - Check the REVID register to see if the device is real or virtualized during virtualization in the Intel driver" * tag 'pinctrl-v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: intel: check REVID register value for device presence pinctrl: qcom: fix unintentional string concatenation pinctrl: qcom: sc7280: Fix SDC1_RCLK configurations pinctrl: qcom: sc7280: Fix SDC_QDSD_PINGROUP and UFS_RESET offsets pinctrl: qcom: lpass lpi: use default pullup/strength values pinctrl: rockchip: fix restore error in resume pinctrl: microchip-sgpio: Fix wrong register offset for IRQ trigger pinctrl: intel: Show the GPIO base calculation explicitly commit 7c0d6e482062eb5c06ecccfab340abc523bdca00 Author: Bastian Germann Date: Wed Mar 31 17:18:43 2021 +0200 ASoC: sunxi: sun4i-codec: fill ASoC card owner card->owner is a required property and since commit 81033c6b584b ("ALSA: core: Warn on empty module") a warning is issued if it is empty. Add it. This fixes following warning observed on Lamobo R1: WARNING: CPU: 1 PID: 190 at sound/core/init.c:207 snd_card_new+0x430/0x480 [snd] Modules linked in: sun4i_codec(E+) sun4i_backend(E+) snd_soc_core(E) ... CPU: 1 PID: 190 Comm: systemd-udevd Tainted: G C E 5.10.0-1-armmp #1 Debian 5.10.4-1 Hardware name: Allwinner sun7i (A20) Family Call trace: (snd_card_new [snd]) (snd_soc_bind_card [snd_soc_core]) (snd_soc_register_card [snd_soc_core]) (sun4i_codec_probe [sun4i_codec]) Fixes: 45fb6b6f2aa3 ("ASoC: sunxi: add support for the on-chip codec on early Allwinner SoCs") Related: commit 3c27ea23ffb4 ("ASoC: qcom: Set card->owner to avoid warnings") Related: commit ec653df2a0cb ("drm/vc4/vc4_hdmi: fill ASoC card owner") Cc: linux-arm-kernel@lists.infradead.org Cc: alsa-devel@alsa-project.org Signed-off-by: Bastian Germann Link: https://lore.kernel.org/r/20210331151843.30583-1-bage@linutronix.de Signed-off-by: Mark Brown commit 825e34d3c9e21ad1243b4464d23739de3c63a48b Merge: 6fb3084ab5d93 33a3164161fc8 Author: Paolo Bonzini Date: Wed Mar 31 07:45:19 2021 -0400 Merge commit 'kvm-tdp-fix-flushes' into kvm-master commit 629a411f7e71afeee34edd4c1418c4e7f7d5575a Author: Hao Fang Date: Tue Mar 30 14:37:14 2021 +0800 i2c: hix5hd2: use the correct HiSilicon copyright s/Hisilicon/HiSilicon/g. It should use capital S, according to https://www.hisilicon.com/en/terms-of-use. Signed-off-by: Hao Fang Signed-off-by: Wolfram Sang commit 98a479991dc5b986d9d48a1b73f568e58e3d82b6 Author: Wolfram Sang Date: Mon Mar 29 21:25:41 2021 +0200 i2c: gpio: update email address in binding docs Signed-off-by: Wolfram Sang commit 1ae6b3780848c6b1efc6b994963082cfd04ac114 Author: Wolfram Sang Date: Mon Mar 29 21:24:09 2021 +0200 i2c: imx: drop me as maintainer of binding docs I dunno why I got added here, but I haven't been using this driver for years. Remove me to make space for interested parties. Signed-off-by: Wolfram Sang commit 67ff1d98652ac141f46b3871ebc34350ddffa2ef Author: Bhaskar Chowdhury Date: Wed Mar 24 19:36:10 2021 +0530 i2c: stm32f4: Mundane typo fix s/postion/position/ Signed-off-by: Bhaskar Chowdhury Acked-by: Randy Dunlap Reviewed-by: Alain Volmat Reviewed-by: Pierre-Yves MORDRET Signed-off-by: Wolfram Sang commit 942bfbecc0281c75db84f744b9b77b0f2396f484 Author: 周琰杰 (Zhou Yanjie) Date: Fri Mar 19 18:12:13 2021 +0800 I2C: JZ4780: Fix bug for Ingenic X1000. Only send "X1000_I2C_DC_STOP" when last byte, or it will cause error when I2C write operation which should look like this: device_addr + w, reg_addr, data; But without this patch, it looks like this: device_addr + w, reg_addr, device_addr + w, data; Fixes: 21575a7a8d4c ("I2C: JZ4780: Add support for the X1000.") Reported-by: 杨文龙 (Yang Wenlong) Tested-by: 杨文龙 (Yang Wenlong) Signed-off-by: 周琰杰 (Zhou Yanjie) Signed-off-by: Wolfram Sang commit fc85dc42a38405099f97aa2af709fe9504a82508 Author: Tony Lindgren Date: Wed Mar 31 09:27:41 2021 +0300 ARM: OMAP2+: Fix uninitialized sr_inst Fix uninitialized sr_inst. Fixes: fbfa463be8dc ("ARM: OMAP2+: Fix smartreflex init regression after dropping legacy data") Reported-by: kernel test robot Signed-off-by: Tony Lindgren commit 61431a5907fc36d0738e9a547c7e1556349a03e9 Author: Eric Dumazet Date: Tue Mar 30 16:43:43 2021 -0700 net: ensure mac header is set in virtio_net_hdr_to_skb() Commit 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct") added a call to dev_parse_header_protocol() but mac_header is not yet set. This means that eth_hdr() reads complete garbage, and syzbot complained about it [1] This patch resets mac_header earlier, to get more coverage about this change. Audit of virtio_net_hdr_to_skb() callers shows that this change should be safe. [1] BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 Read of size 2 at addr ffff888017a6200b by task syz-executor313/8409 CPU: 1 PID: 8409 Comm: syz-executor313 Not tainted 5.12.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232 __kasan_report mm/kasan/report.c:399 [inline] kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282 dev_parse_header_protocol include/linux/netdevice.h:3177 [inline] virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83 packet_snd net/packet/af_packet.c:2994 [inline] packet_sendmsg+0x2325/0x52b0 net/packet/af_packet.c:3031 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 sock_no_sendpage+0xf3/0x130 net/core/sock.c:2860 kernel_sendpage.part.0+0x1ab/0x350 net/socket.c:3631 kernel_sendpage net/socket.c:3628 [inline] sock_sendpage+0xe5/0x140 net/socket.c:947 pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364 splice_from_pipe_feed fs/splice.c:418 [inline] __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562 splice_from_pipe fs/splice.c:597 [inline] generic_splice_sendpage+0xd4/0x140 fs/splice.c:746 do_splice_from fs/splice.c:767 [inline] do_splice+0xb7e/0x1940 fs/splice.c:1079 __do_splice+0x134/0x250 fs/splice.c:1144 __do_sys_splice fs/splice.c:1350 [inline] __se_sys_splice fs/splice.c:1332 [inline] __x64_sys_splice+0x198/0x250 fs/splice.c:1332 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct") Signed-off-by: Eric Dumazet Cc: Balazs Nemeth Cc: Willem de Bruijn Reported-by: syzbot Signed-off-by: David S. Miller commit c056d480b40a68f2520ccc156c7fae672d69d57d Author: Florian Fainelli Date: Tue Mar 30 15:00:24 2021 -0700 net: phy: broadcom: Only advertise EEE for supported modes We should not be advertising EEE for modes that we do not support, correct that oversight by looking at the PHY device supported linkmodes. Fixes: 99cec8a4dda2 ("net: phy: broadcom: Allow enabling or disabling of EEE") Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller commit 2ea538dbee1c79f6f6c24a6f2f82986e4b7ccb78 Author: Yinjun Zhang Date: Tue Mar 30 10:30:23 2021 +0200 nfp: flower: ignore duplicate merge hints from FW A merge hint message needs some time to process before the merged flow actually reaches the firmware, during which we may get duplicate merge hints if there're more than one packet that hit the pre-merged flow. And processing duplicate merge hints will cost extra host_ctx's which are a limited resource. Avoid the duplicate merge by using hash table to store the sub_flows to be merged. Fixes: 8af56f40e53b ("nfp: flower: offload merge flows") Signed-off-by: Yinjun Zhang Signed-off-by: Louis Peens Signed-off-by: Simon Horman Signed-off-by: David S. Miller commit fbea31808ca124dd73ff6bb1e67c9af4607c3e32 Author: Pablo Neira Ayuso Date: Wed Mar 31 01:04:45 2021 +0200 netfilter: conntrack: do not print icmpv6 as unknown via /proc /proc/net/nf_conntrack shows icmpv6 as unknown. Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct") Signed-off-by: Pablo Neira Ayuso commit 0e07e25b481aa021e4b48085ecb8a049e9614510 Author: Pablo Neira Ayuso Date: Tue Mar 30 16:24:11 2021 +0200 netfilter: flowtable: fix NAT IPv6 offload mangling Fix out-of-bound access in the address array. Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support") Signed-off-by: Pablo Neira Ayuso commit 5e46d1b78a03d52306f21f77a4e4a144b6d31486 Author: Tetsuo Handa Date: Sun Mar 21 23:37:49 2021 +0900 reiserfs: update reiserfs_xattrs_initialized() condition syzbot is reporting NULL pointer dereference at reiserfs_security_init() [1], for commit ab17c4f02156c4f7 ("reiserfs: fixup xattr_root caching") is assuming that REISERFS_SB(s)->xattr_root != NULL in reiserfs_xattr_jcreate_nblocks() despite that commit made REISERFS_SB(sb)->priv_root != NULL && REISERFS_SB(s)->xattr_root == NULL case possible. I guess that commit 6cb4aff0a77cc0e6 ("reiserfs: fix oops while creating privroot with selinux enabled") wanted to check xattr_root != NULL before reiserfs_xattr_jcreate_nblocks(), for the changelog is talking about the xattr root. The issue is that while creating the privroot during mount reiserfs_security_init calls reiserfs_xattr_jcreate_nblocks which dereferences the xattr root. The xattr root doesn't exist, so we get an oops. Therefore, update reiserfs_xattrs_initialized() to check both the privroot and the xattr root. Link: https://syzkaller.appspot.com/bug?id=8abaedbdeb32c861dc5340544284167dd0e46cde # [1] Reported-and-tested-by: syzbot Signed-off-by: Tetsuo Handa Fixes: 6cb4aff0a77c ("reiserfs: fix oops while creating privroot with selinux enabled") Acked-by: Jeff Mahoney Acked-by: Jan Kara Signed-off-by: Linus Torvalds commit 9adc89af724f12a03b47099cd943ed54e877cd59 Author: Paolo Abeni Date: Tue Mar 30 18:43:54 2021 +0200 net: let skb_orphan_partial wake-up waiters. Currently the mentioned helper can end-up freeing the socket wmem without waking-up any processes waiting for more write memory. If the partially orphaned skb is attached to an UDP (or raw) socket, the lack of wake-up can hang the user-space. Even for TCP sockets not calling the sk destructor could have bad effects on TSQ. Address the issue using skb_orphan to release the sk wmem before setting the new sock_efree destructor. Additionally bundle the whole ownership update in a new helper, so that later other potential users could avoid duplicate code. v1 -> v2: - use skb_orphan() instead of sort of open coding it (Eric) - provide an helper for the ownership change (Eric) Fixes: f6ba8d33cfbb ("netem: fix skb_orphan_partial()") Suggested-by: Eric Dumazet Signed-off-by: Paolo Abeni Reviewed-by: Eric Dumazet Signed-off-by: David S. Miller commit ae81feb7338c89cee4e6aa0424bdab2ce2b52da2 Author: Yunjian Wang Date: Tue Mar 30 22:27:48 2021 +0800 sch_htb: fix null pointer dereference on a null new_q sch_htb: fix null pointer dereference on a null new_q Currently if new_q is null, the null new_q pointer will be dereference when 'q->offload' is true. Fix this by adding a braces around htb_parent_to_leaf_offload() to avoid it. Addresses-Coverity: ("Dereference after null check") Fixes: d03b195b5aa0 ("sch_htb: Hierarchical QoS hardware offload") Signed-off-by: Yunjian Wang Signed-off-by: David S. Miller commit 8a03dd925786bdc3834d56ccc980bb70668efa35 Author: Loic Poulain Date: Tue Mar 30 16:11:08 2021 +0200 net: qrtr: Fix memory leak on qrtr_tx_wait failure qrtr_tx_wait does not check for radix_tree_insert failure, causing the 'flow' object to be unreferenced after qrtr_tx_wait return. Fix that by releasing flow on radix_tree_insert failure. Fixes: 5fdeb0d372ab ("net: qrtr: Implement outgoing flow control") Reported-by: syzbot+739016799a89c530b32a@syzkaller.appspotmail.com Signed-off-by: Loic Poulain Reviewed-by: Bjorn Andersson Reviewed-by: Manivannan Sadhasivam Signed-off-by: David S. Miller commit 82734c5b1b24c020d701cf90ccb075e43a5ccb07 Author: Jens Axboe Date: Mon Mar 29 06:52:44 2021 -0600 io_uring: drop sqd lock before handling signals for SQPOLL Don't call into get_signal() with the sqd mutex held, it'll fail if we're freezing the task and we'll get complaints on locks still being held: ==================================== WARNING: iou-sqp-8386/8387 still has locks held! 5.12.0-rc4-syzkaller #0 Not tainted ------------------------------------ 1 lock held by iou-sqp-8386/8387: #0: ffff88801e1d2470 (&sqd->lock){+.+.}-{3:3}, at: io_sq_thread+0x24c/0x13a0 fs/io_uring.c:6731 stack backtrace: CPU: 1 PID: 8387 Comm: iou-sqp-8386 Not tainted 5.12.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 try_to_freeze include/linux/freezer.h:66 [inline] get_signal+0x171a/0x2150 kernel/signal.c:2576 io_sq_thread+0x8d2/0x13a0 fs/io_uring.c:6748 Fold the get_signal() case in with the parking checks, as we need to drop the lock in both cases, and since we need to be checking for parking when juggling the lock anyway. Reported-by: syzbot+796d767eb376810256f5@syzkaller.appspotmail.com Fixes: dbe1bdbb39db ("io_uring: handle signals for IO threads like a normal thread") Signed-off-by: Jens Axboe commit 6855e8213e06efcaf7c02a15e12b1ae64b9a7149 Author: Kumar Kartikeya Dwivedi Date: Tue Mar 30 04:23:23 2021 +0530 net: sched: bump refcount for new action in ACT replace mode Currently, action creation using ACT API in replace mode is buggy. When invoking for non-existent action index 42, tc action replace action bpf obj foo.o sec index 42 kernel creates the action, fills up the netlink response, and then just deletes the action after notifying userspace. tc action show action bpf doesn't list the action. This happens due to the following sequence when ovr = 1 (replace mode) is enabled: tcf_idr_check_alloc is used to atomically check and either obtain reference for existing action at index, or reserve the index slot using a dummy entry (ERR_PTR(-EBUSY)). This is necessary as pointers to these actions will be held after dropping the idrinfo lock, so bumping the reference count is necessary as we need to insert the actions, and notify userspace by dumping their attributes. Finally, we drop the reference we took using the tcf_action_put_many call in tcf_action_add. However, for the case where a new action is created due to free index, its refcount remains one. This when paired with the put_many call leads to the kernel setting up the action, notifying userspace of its creation, and then tearing it down. For existing actions, the refcount is still held so they remain unaffected. Fortunately due to rtnl_lock serialization requirement, such an action with refcount == 1 will not be concurrently deleted by anything else, at best CLS API can move its refcount up and down by binding to it after it has been published from tcf_idr_insert_many. Since refcount is atleast one until put_many call, CLS API cannot delete it. Also __tcf_action_put release path already ensures deterministic outcome (either new action will be created or existing action will be reused in case CLS API tries to bind to action concurrently) due to idr lock serialization. We fix this by making refcount of newly created actions as 2 in ACT API replace mode. A relaxed store will suffice as visibility is ensured only after the tcf_idr_insert_many call. Note that in case of creation or overwriting using CLS API only (i.e. bind = 1), overwriting existing action object is not allowed, and any such request is silently ignored (without error). The refcount bump that occurs in tcf_idr_check_alloc call there for existing action will pair with tcf_exts_destroy call made from the owner module for the same action. In case of action creation, there is no existing action, so no tcf_exts_destroy callback happens. This means no code changes for CLS API. Fixes: cae422f379f3 ("net: sched: use reference counting action init") Signed-off-by: Kumar Kartikeya Dwivedi Signed-off-by: David S. Miller commit 03cb4d05b4ea9a3491674ca40952adb708d549fa Author: Milton Miller Date: Mon Mar 29 10:20:39 2021 -0500 net/ncsi: Avoid channel_monitor hrtimer deadlock Calling ncsi_stop_channel_monitor from channel_monitor is a guaranteed deadlock on SMP because stop calls del_timer_sync on the timer that invoked channel_monitor as its timer function. Recognise the inherent race of marking the monitor disabled before deleting the timer by just returning if enable was cleared. After a timeout (the default case -- reset to START when response received) just mark the monitor.enabled false. If the channel has an entry on the channel_queue list, or if the state is not ACTIVE or INACTIVE, then warn and mark the timer stopped and don't restart, as the locking is broken somehow. Fixes: 0795fb2021f0 ("net/ncsi: Stop monitor if channel times out or is inactive") Signed-off-by: Milton Miller Signed-off-by: Eddie James Signed-off-by: David S. Miller commit 3e759425cc3cf9a43392309819d34c65a3644c59 Author: Hans de Goede Date: Tue Mar 30 20:49:32 2021 +0200 ACPI: scan: Fix _STA getting called on devices with unmet dependencies Commit 71da201f38df ("ACPI: scan: Defer enumeration of devices with _DEP lists") dropped the following 2 lines from acpi_init_device_object(): /* Assume there are unmet deps until acpi_device_dep_initialize() runs */ device->dep_unmet = 1; Leaving the initial value of dep_unmet at the 0 from the kzalloc(). This causes the acpi_bus_get_status() call in acpi_add_single_object() to actually call _STA, even though there maybe unmet deps, leading to errors like these: [ 0.123579] ACPI Error: No handler for Region [ECRM] (00000000ba9edc4c) [GenericSerialBus] (20170831/evregion-166) [ 0.123601] ACPI Error: Region GenericSerialBus (ID=9) has no handler (20170831/exfldio-299) [ 0.123618] ACPI Error: Method parse/execution failed \_SB.I2C1.BAT1._STA, AE_NOT_EXIST (20170831/psparse-550) Fix this by re-adding the dep_unmet = 1 initialization to acpi_init_device_object() and modifying acpi_bus_check_add() to make sure that dep_unmet always gets setup there, overriding the initial 1 value. This re-fixes the issue initially fixed by commit 63347db0affa ("ACPI / scan: Use acpi_bus_get_status() to initialize ACPI_TYPE_DEVICE devs"), which introduced the removed "device->dep_unmet = 1;" statement. This issue was noticed; and the fix tested on a Dell Venue 10 Pro 5055. Fixes: 71da201f38df ("ACPI: scan: Defer enumeration of devices with _DEP lists") Suggested-by: Rafael J. Wysocki Signed-off-by: Hans de Goede Cc: 5.11+ # 5.11+ Signed-off-by: Rafael J. Wysocki commit 6ac86aae89289121db784161fe318819778f7f2a Merge: 17860ccabff53 84d572e634e28 Author: Linus Torvalds Date: Tue Mar 30 10:54:22 2021 -0700 Merge tag 's390-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 updates from Heiko Carstens: - fix incorrect initialization and update of vdso data pages, which results in incorrect tod clock steering, and that clock_gettime(CLOCK_MONOTONIC_RAW, ...) returns incorrect values. - update MAINTAINERS for s390 vfio drivers * tag 's390-5.12-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: MAINTAINERS: add backups for s390 vfio drivers s390/vdso: fix initializing and updating of vdso_data s390/vdso: fix tod_steering_delta type s390/vdso: copy tod_steering_delta value to vdso_data page commit ac097aecfef0bb289ca53d2fe0b73fc7e1612a05 Author: Thierry Reding Date: Fri Mar 19 14:17:22 2021 +0100 drm/tegra: sor: Grab runtime PM reference across reset The SOR resets are exclusively shared with the SOR power domain. This means that exclusive access can only be granted temporarily and in order for that to work, a rigorous sequence must be observed. To ensure that a single consumer gets exclusive access to a reset, each consumer must implement a rigorous protocol using the reset_control_acquire() and reset_control_release() functions. However, these functions alone don't provide any guarantees at the system level. Drivers need to ensure that the only a single consumer has access to the reset at the same time. In order for the SOR to be able to exclusively access its reset, it must therefore ensure that the SOR power domain is not powered off by holding on to a runtime PM reference to that power domain across the reset assert/deassert operation. This used to work fine by accident, but was revealed when recently more devices started to rely on the SOR power domain. Fixes: 11c632e1cfd3 ("drm/tegra: sor: Implement acquire/release for reset") Reported-by: Jonathan Hunter Signed-off-by: Thierry Reding commit 7487de534dcbe143e6f41da751dd3ffcf93b00ee Author: Matthew Wilcox (Oracle) Date: Tue Mar 30 13:44:35 2021 -0400 radix tree test suite: Fix compilation Commit 4bba4c4bb09a added tools/include/linux/compiler_types.h which includes linux/compiler-gcc.h. Unfortunately, we had our own (empty) compiler_types.h which overrode the one added by that commit, and so we lost the definition of __must_be_array(). Removing our empty compiler_types.h fixes the problem and reduces our divergence from the rest of the tools. Signed-off-by: Matthew Wilcox (Oracle) commit df59d0a461bc5935232bf56a279e4d7a71c566a5 Author: Matthew Wilcox (Oracle) Date: Tue Mar 30 13:40:27 2021 -0400 XArray: Add xa_limit_16b A 16-bit limit is a more common limit than I had realised. Make it generally available. Signed-off-by: Matthew Wilcox (Oracle) commit 3012110d71f41410932924e1d188f9eb57f1f824 Author: Matthew Wilcox (Oracle) Date: Thu Nov 19 08:32:31 2020 -0500 XArray: Fix splitting to non-zero orders Splitting an order-4 entry into order-2 entries would leave the array containing pointers to 000040008000c000 instead of 000044448888cccc. This is a one-character fix, but enhance the test suite to check this case. Reported-by: Zi Yan Signed-off-by: Matthew Wilcox (Oracle) commit 12efebab09e383bf366bec323bd296b7d90e1c43 Author: Matthew Wilcox (Oracle) Date: Sat Oct 10 11:17:44 2020 -0400 XArray: Fix split documentation I wrote the documentation backwards; the new order of the entry is stored in the xas and the caller passes the old entry. Reported-by: Zi Yan Signed-off-by: Matthew Wilcox (Oracle) commit a31500fe7055451ed9043c8fff938dfa6f70ee37 Author: Thierry Reding Date: Fri Mar 19 08:06:37 2021 +0100 drm/tegra: dc: Restore coupling of display controllers Coupling of display controllers used to rely on runtime PM to take the companion controller out of reset. Commit fd67e9c6ed5a ("drm/tegra: Do not implement runtime PM") accidentally broke this when runtime PM was removed. Restore this functionality by reusing the hierarchical host1x client suspend/resume infrastructure that's similar to runtime PM and which perfectly fits this use-case. Fixes: fd67e9c6ed5a ("drm/tegra: Do not implement runtime PM") Reported-by: Dmitry Osipenko Reported-by: Paul Fertser Tested-by: Dmitry Osipenko Signed-off-by: Thierry Reding commit a24f98176d1efae2c37d3438c57a624d530d9c33 Author: Mikko Perttunen Date: Mon Mar 29 16:38:27 2021 +0300 gpu: host1x: Use different lock classes for each client To avoid false lockdep warnings, give each client lock a different lock class, passed from the initialization site by macro. Signed-off-by: Mikko Perttunen Signed-off-by: Thierry Reding commit f8fb97c915954fc6de6513cdf277103b5c6df7b3 Author: Dmitry Osipenko Date: Tue Mar 2 16:15:06 2021 +0300 drm/tegra: dc: Don't set PLL clock to 0Hz RGB output doesn't allow to change parent clock rate of the display and PCLK rate is set to 0Hz in this case. The tegra_dc_commit_state() shall not set the display clock to 0Hz since this change propagates to the parent clock. The DISP clock is defined as a NODIV clock by the tegra-clk driver and all NODIV clocks use the CLK_SET_RATE_PARENT flag. This bug stayed unnoticed because by default PLLP is used as the parent clock for the display controller and PLLP silently skips the erroneous 0Hz rate changes because it always has active child clocks that don't permit rate changes. The PLLP isn't acceptable for some devices that we want to upstream (like Samsung Galaxy Tab and ASUS TF700T) due to a display panel clock rate requirements that can't be fulfilled by using PLLP and then the bug pops up in this case since parent clock is set to 0Hz, killing the display output. Don't touch DC clock if pclk=0 in order to fix the problem. Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding commit 33a3164161fc86b9cc238f7f2aa2ccb1d5559b1c Author: Sean Christopherson Date: Thu Mar 25 13:01:19 2021 -0700 KVM: x86/mmu: Don't allow TDP MMU to yield when recovering NX pages Prevent the TDP MMU from yielding when zapping a gfn range during NX page recovery. If a flush is pending from a previous invocation of the zapping helper, either in the TDP MMU or the legacy MMU, but the TDP MMU has not accumulated a flush for the current invocation, then yielding will release mmu_lock with stale TLB entries. That being said, this isn't technically a bug fix in the current code, as the TDP MMU will never yield in this case. tdp_mmu_iter_cond_resched() will yield if and only if it has made forward progress, as defined by the current gfn vs. the last yielded (or starting) gfn. Because zapping a single shadow page is guaranteed to (a) find that page and (b) step sideways at the level of the shadow page, the TDP iter will break its loop before getting a chance to yield. But that is all very, very subtle, and will break at the slightest sneeze, e.g. zapping while holding mmu_lock for read would break as the TDP MMU wouldn't be guaranteed to see the present shadow page, and thus could step sideways at a lower level. Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20210325200119.1359384-4-seanjc@google.com> [Add lockdep assertion. - Paolo] Signed-off-by: Paolo Bonzini commit 048f49809c526348775425420fb5b8e84fd9a133 Author: Sean Christopherson Date: Thu Mar 25 13:01:18 2021 -0700 KVM: x86/mmu: Ensure TLBs are flushed for TDP MMU during NX zapping Honor the "flush needed" return from kvm_tdp_mmu_zap_gfn_range(), which does the flush itself if and only if it yields (which it will never do in this particular scenario), and otherwise expects the caller to do the flush. If pages are zapped from the TDP MMU but not the legacy MMU, then no flush will occur. Fixes: 29cf0f5007a2 ("kvm: x86/mmu: NX largepage recovery for TDP MMU") Cc: stable@vger.kernel.org Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20210325200119.1359384-3-seanjc@google.com> Reviewed-by: Ben Gardon Signed-off-by: Paolo Bonzini commit a835429cda91621fca915d80672a157b47738afb Author: Sean Christopherson Date: Thu Mar 25 13:01:17 2021 -0700 KVM: x86/mmu: Ensure TLBs are flushed when yielding during GFN range zap When flushing a range of GFNs across multiple roots, ensure any pending flush from a previous root is honored before yielding while walking the tables of the current root. Note, kvm_tdp_mmu_zap_gfn_range() now intentionally overwrites its local "flush" with the result to avoid redundant flushes. zap_gfn_range() preserves and return the incoming "flush", unless of course the flush was performed prior to yielding and no new flush was triggered. Fixes: 1af4a96025b3 ("KVM: x86/mmu: Yield in TDU MMU iter even if no SPTES changed") Cc: stable@vger.kernel.org Reviewed-by: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20210325200119.1359384-2-seanjc@google.com> Signed-off-by: Paolo Bonzini commit 6fb3084ab5d9331cfadf07c59cf4a0bd4059bf4a Author: Siddharth Chandrasekaran Date: Wed Mar 24 13:43:47 2021 +0100 KVM: make: Fix out-of-source module builds Building kvm module out-of-source with, make -C $SRC O=$BIN M=arch/x86/kvm fails to find "irq.h" as the include dir passed to cflags-y does not prefix the source dir. Fix this by prefixing $(srctree) to the include dir path. Signed-off-by: Siddharth Chandrasekaran Message-Id: <20210324124347.18336-1-sidcha@amazon.de> Signed-off-by: Paolo Bonzini commit f982fb62a304235397ec092936432199ca50ac4d Author: Vitaly Kuznetsov Date: Tue Mar 23 11:43:31 2021 +0100 selftests: kvm: make hardware_disable_test less verbose hardware_disable_test produces 512 snippets like ... main: [511] waiting semaphore run_test: [511] start vcpus run_test: [511] all threads launched main: [511] waiting 368us main: [511] killing child and this doesn't have much value, let's print this info with pr_debug(). Signed-off-by: Vitaly Kuznetsov Message-Id: <20210323104331.1354800-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit 1973cadd4cca08eaeca944f60598f04ab0d80682 Author: Vitaly Kuznetsov Date: Tue Mar 23 09:45:15 2021 +0100 KVM: x86/vPMU: Forbid writing to MSR_F15H_PERF MSRs when guest doesn't have X86_FEATURE_PERFCTR_CORE MSR_F15H_PERF_CTL0-5, MSR_F15H_PERF_CTR0-5 MSRs are only available when X86_FEATURE_PERFCTR_CORE CPUID bit was exposed to the guest. KVM, however, allows these MSRs unconditionally because kvm_pmu_is_valid_msr() -> amd_msr_idx_to_pmc() check always passes and because kvm_pmu_set_msr() -> amd_pmu_set_msr() doesn't fail. In case of a counter (CTRn), no big harm is done as we only increase internal PMC's value but in case of an eventsel (CTLn), we go deep into perf internals with a non-existing counter. Note, kvm_get_msr_common() just returns '0' when these MSRs don't exist and this also seems to contradict architectural behavior which is #GP (I did check one old Opteron host) but changing this status quo is a bit scarier. Signed-off-by: Vitaly Kuznetsov Message-Id: <20210323084515.1346540-1-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini commit ecaf088f53fcc893cd00c846f53042a536b9630d Author: Dongli Zhang Date: Fri Mar 26 00:03:34 2021 -0700 KVM: x86: remove unused declaration of kvm_write_tsc() kvm_write_tsc() was renamed and made static since commit 0c899c25d754 ("KVM: x86: do not attempt TSC synchronization on guest writes"). Remove its unused declaration. Signed-off-by: Dongli Zhang Message-Id: <20210326070334.12310-1-dongli.zhang@oracle.com> Signed-off-by: Paolo Bonzini commit d632826f26f2361e6ef18881611928036fac30e6 Author: Haiwei Li Date: Sat Mar 13 13:10:32 2021 +0800 KVM: clean up the unused argument kvm_msr_ignored_check function never uses vcpu argument. Clean up the function and invokers. Signed-off-by: Haiwei Li Message-Id: <20210313051032.4171-1-lihaiwei.kernel@gmail.com> Reviewed-by: Keqian Zhu Signed-off-by: Paolo Bonzini commit 75f94ecbd0dfd2ac4e671f165f5ae864b7301422 Author: Stefan Raspl Date: Thu Mar 25 13:29:49 2021 +0100 tools/kvm_stat: Add restart delay If this service is enabled and the system rebooted, Systemd's initial attempt to start this unit file may fail in case the kvm module is not loaded. Since we did not specify a delay for the retries, Systemd restarts with a minimum delay a number of times before giving up and disabling the service. Which means a subsequent kvm module load will have kvm running without monitoring. Adding a delay to fix this. Signed-off-by: Stefan Raspl Message-Id: <20210325122949.1433271-1-raspl@linux.ibm.com> Signed-off-by: Paolo Bonzini commit 41793e7f274e48c9c4a727e522eb22c875b77a0b Merge: a5e13c6df0e41 af22df997d71c Author: Paolo Bonzini Date: Tue Mar 30 13:06:42 2021 -0400 Merge tag 'kvmarm-fixes-5.12-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into HEAD KVM/arm64 fixes for 5.12, take #3 - Fix GICv3 MMIO compatibility probing - Prevent guests from using the ARMv8.4 self-hosted tracing extension commit 17860ccabff533748c85ea32904abd6bae990099 Merge: e720e7d0e983b e0146a108ce4d Author: Linus Torvalds Date: Tue Mar 30 09:49:36 2021 -0700 Merge tag 'vfio-v5.12-rc6' of git://github.com/awilliam/linux-vfio Pull VFIO fixes from Alex Williamson: - Fix pfnmap batch carryover (Daniel Jordan) - Fix nvlink Kconfig dependency (Jason Gunthorpe) * tag 'vfio-v5.12-rc6' of git://github.com/awilliam/linux-vfio: vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends vfio/type1: Empty batch for pfnmap pages commit e720e7d0e983bf05de80b231bccc39f1487f0f16 Author: Ilya Lipnitskiy Date: Mon Mar 29 21:42:08 2021 -0700 mm: fix race by making init_zero_pfn() early_initcall There are code paths that rely on zero_pfn to be fully initialized before core_initcall. For example, wq_sysfs_init() is a core_initcall function that eventually results in a call to kernel_execve, which causes a page fault with a subsequent mmput. If zero_pfn is not initialized by then it may not get cleaned up properly and result in an error: BUG: Bad rss-counter state mm:(ptrval) type:MM_ANONPAGES val:1 Here is an analysis of the race as seen on a MIPS device. On this particular MT7621 device (Ubiquiti ER-X), zero_pfn is PFN 0 until initialized, at which point it becomes PFN 5120: 1. wq_sysfs_init calls into kobject_uevent_env at core_initcall: kobject_uevent_env+0x7e4/0x7ec kset_register+0x68/0x88 bus_register+0xdc/0x34c subsys_virtual_register+0x34/0x78 wq_sysfs_init+0x1c/0x4c do_one_initcall+0x50/0x1a8 kernel_init_freeable+0x230/0x2c8 kernel_init+0x10/0x100 ret_from_kernel_thread+0x14/0x1c 2. kobject_uevent_env() calls call_usermodehelper_exec() which executes kernel_execve asynchronously. 3. Memory allocations in kernel_execve cause a page fault, bumping the MM reference counter: add_mm_counter_fast+0xb4/0xc0 handle_mm_fault+0x6e4/0xea0 __get_user_pages.part.78+0x190/0x37c __get_user_pages_remote+0x128/0x360 get_arg_page+0x34/0xa0 copy_string_kernel+0x194/0x2a4 kernel_execve+0x11c/0x298 call_usermodehelper_exec_async+0x114/0x194 4. In case zero_pfn has not been initialized yet, zap_pte_range does not decrement the MM_ANONPAGES RSS counter and the BUG message is triggered shortly afterwards when __mmdrop checks the ref counters: __mmdrop+0x98/0x1d0 free_bprm+0x44/0x118 kernel_execve+0x160/0x1d8 call_usermodehelper_exec_async+0x114/0x194 ret_from_kernel_thread+0x14/0x1c To avoid races such as described above, initialize init_zero_pfn at early_initcall level. Depending on the architecture, ZERO_PAGE is either constant or gets initialized even earlier, at paging_init, so there is no issue with initializing zero_pfn earlier. Link: https://lkml.kernel.org/r/CALCv0x2YqOXEAy2Q=hafjhHCtTHVodChv1qpM=niAXOpqEbt7w@mail.gmail.com Signed-off-by: Ilya Lipnitskiy Cc: Hugh Dickins Cc: "Eric W. Biederman" Cc: stable@vger.kernel.org Tested-by: 周琰杰 (Zhou Yanjie) Signed-off-by: Linus Torvalds commit 2bb25b3a748af6f11df42298e80b9863ed23f2b3 Merge: a080642d2f831 9ae31e2ab293b Author: Linus Torvalds Date: Tue Mar 30 08:57:50 2021 -0700 Merge tag 'mips-fixes_5.12_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux Pull MIPS fix from Thomas Bogendoerfer: - Fix compile error with option MIPS_ELF_APPENDED_DTB * tag 'mips-fixes_5.12_3' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux: MIPS: kernel: setup.c: fix compilation error commit a080642d2f831cc34b68663c0db1c447d3807421 Merge: 1e43c377a79f9 a846738f8c378 Author: Linus Torvalds Date: Tue Mar 30 08:55:47 2021 -0700 Merge tag 'for-linus-5.12b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fix from Juergen Gross: "One Xen related security fix (XSA-371)" * tag 'for-linus-5.12b-rc6-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: xen-blkback: don't leak persistent grants from xen_blkbk_map() commit 59300b36f85f254260c81d9dd09195fa49eb0f98 Author: Steven Rostedt (VMware) Date: Tue Mar 30 09:58:38 2021 -0400 ftrace: Check if pages were allocated before calling free_pages() It is possible that on error pg->size can be zero when getting its order, which would return a -1 value. It is dangerous to pass in an order of -1 to free_pages(). Check if order is greater than or equal to zero before calling free_pages(). Link: https://lore.kernel.org/lkml/20210330093916.432697c7@gandalf.local.home/ Reported-by: Abaci Robot Signed-off-by: Steven Rostedt (VMware) commit 9ae31e2ab293bf4d9c42e7079b156072f8a7f8ca Author: Mauri Sandberg Date: Mon Mar 29 15:31:36 2021 +0300 MIPS: kernel: setup.c: fix compilation error With ath79_defconfig enabling CONFIG_MIPS_ELF_APPENDED_DTB gives a compilation error. This patch fixes it. Build log: ... CC kernel/locking/percpu-rwsem.o ../arch/mips/kernel/setup.c:46:39: error: conflicting types for '__appended_dtb' const char __section(".appended_dtb") __appended_dtb[0x100000]; ^~~~~~~~~~~~~~ In file included from ../arch/mips/kernel/setup.c:34: ../arch/mips/include/asm/bootinfo.h:118:13: note: previous declaration of '__appended_dtb' was here extern char __appended_dtb[]; ^~~~~~~~~~~~~~ CC fs/attr.o make[4]: *** [../scripts/Makefile.build:271: arch/mips/kernel/setup.o] Error 1 ... Root cause seems to be: Fixes: b83ba0b9df56 ("MIPS: of: Introduce helper function to get DTB") Signed-off-by: Mauri Sandberg Reviewed-by: Thomas Bogendoerfer Cc: trivial@kernel.org Signed-off-by: Thomas Bogendoerfer commit 417eadfdd9e25188465280edf3668ed163fda2d0 Author: Jeremy Szu Date: Tue Mar 30 19:44:27 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs for HP 640 G8 The HP EliteBook 640 G8 Notebook PC is using ALC236 codec which is using 0x02 to control mute LED and 0x01 to control micmute LED. Therefore, add a quirk to make it works. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210330114428.40490-1-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai commit 66affb7bb0dc0905155a1b2475261aa704d1ddb5 Author: Takashi Iwai Date: Mon Mar 29 13:30:59 2021 +0200 ALSA: hda: Add missing sanity checks in PM prepare/complete callbacks The recently added PM prepare and complete callbacks don't have the sanity check whether the card instance has been properly initialized, which may potentially lead to Oops. This patch adds the azx_is_pm_ready() call in each place appropriately like other PM callbacks. Fixes: f5dac54d9d93 ("ALSA: hda: Separate runtime and system suspend") Cc: Link: https://lore.kernel.org/r/20210329113059.25035-2-tiwai@suse.de Signed-off-by: Takashi Iwai commit c8f79808cd8eb5bc8d14de129bd6d586d3fce0aa Author: Takashi Iwai Date: Mon Mar 29 13:30:58 2021 +0200 ALSA: hda: Re-add dropped snd_poewr_change_state() calls The card power state change via snd_power_change_state() at the system suspend/resume seems dropped mistakenly during the PM code rewrite. The card power state doesn't play much role nowadays but it's still referred in a few places such as the HDMI codec driver. This patch restores them, but in a more appropriate place now in the prepare and complete callbacks. Fixes: f5dac54d9d93 ("ALSA: hda: Separate runtime and system suspend") Cc: Link: https://lore.kernel.org/r/20210329113059.25035-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 08fe7ae1857080f5075df5ac7fef2ecd4e289117 Author: Dan Carpenter Date: Mon Mar 29 09:08:01 2021 +0300 thunderbolt: Fix off by one in tb_port_find_retimer() This array uses 1-based indexing so it corrupts memory one element beyond of the array. Fix it by making the array one element larger. Fixes: dacb12877d92 ("thunderbolt: Add support for on-board retimers") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Mika Westerberg commit bec4d7c93afc07dd0454ae41c559513f858cfb83 Author: Dan Carpenter Date: Mon Mar 29 09:07:18 2021 +0300 thunderbolt: Fix a leak in tb_retimer_add() After the device_register() succeeds, then the correct way to clean up is to call device_unregister(). The unregister calls both device_del() and device_put(). Since this code was only device_del() it results in a memory leak. Fixes: dacb12877d92 ("thunderbolt: Add support for on-board retimers") Cc: stable@vger.kernel.org Signed-off-by: Dan Carpenter Reviewed-by: Jason Gunthorpe Signed-off-by: Mika Westerberg commit f57011e72f5fe0421ec7a812beb1b57bdf4bb47f Author: Stefan Riedmueller Date: Mon Mar 29 15:01:03 2021 +0200 ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces Setting the vmmc supplies is crucial since otherwise the supplying regulators get disabled and the SD interfaces are no longer powered which leads to system failures if the system is booted from that SD interface. Fixes: 1e44d3f880d5 ("ARM i.MX6Q: dts: Enable I2C1 with EEPROM and PMIC on Phytec phyFLEX-i.MX6 Ouad module") Signed-off-by: Stefan Riedmueller Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo commit ef19e111337f6c3dca7019a8bad5fbc6fb18d635 Author: Dmitry Safonov <0x7f454c46@gmail.com> Date: Tue Mar 30 00:25:06 2021 +0100 xfrm/compat: Cleanup WARN()s that can be user-triggered Replace WARN_ONCE() that can be triggered from userspace with pr_warn_once(). Those still give user a hint what's the issue. I've left WARN()s that are not possible to trigger with current code-base and that would mean that the code has issues: - relying on current compat_msg_min[type] <= xfrm_msg_min[type] - expected 4-byte padding size difference between compat_msg_min[type] and xfrm_msg_min[type] - compat_policy[type].len <= xfrma_policy[type].len (for every type) Reported-by: syzbot+834ffd1afc7212eb8147@syzkaller.appspotmail.com Fixes: 5f3eea6b7e8f ("xfrm/compat: Attach xfrm dumps to 64=>32 bit translator") Cc: "David S. Miller" Cc: Eric Dumazet Cc: Herbert Xu Cc: Jakub Kicinski Cc: Steffen Klassert Cc: netdev@vger.kernel.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Safonov Signed-off-by: Steffen Klassert commit 9e67600ed6b8565da4b85698ec659b5879a6c1c6 Author: Gulam Mohamed Date: Thu Mar 25 09:32:48 2021 +0000 scsi: iscsi: Fix race condition between login and sync thread A kernel panic was observed due to a timing issue between the sync thread and the initiator processing a login response from the target. The session reopen can be invoked both from the session sync thread when iscsid restarts and from iscsid through the error handler. Before the initiator receives the response to a login, another reopen request can be sent from the error handler/sync session. When the initial login response is subsequently processed, the connection has been closed and the socket has been released. To fix this a new connection state, ISCSI_CONN_BOUND, is added: - Set the connection state value to ISCSI_CONN_DOWN upon iscsi_if_ep_disconnect() and iscsi_if_stop_conn() - Set the connection state to the newly created value ISCSI_CONN_BOUND after bind connection (transport->bind_conn()) - In iscsi_set_param(), return -ENOTCONN if the connection state is not either ISCSI_CONN_BOUND or ISCSI_CONN_UP Link: https://lore.kernel.org/r/20210325093248.284678-1-gulam.mohamed@oracle.com Reviewed-by: Mike Christie Signed-off-by: Gulam Mohamed Signed-off-by: Martin K. Petersen index 91074fd97f64..f4bf62b007a0 100644 commit 6e5a03bcba44e080a6bf300194a68ce9bb1e5184 Author: Lv Yunlong Date: Mon Mar 29 04:50:02 2021 -0700 ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx In nfp_bpf_ctrl_msg_rx, if nfp_ccm_get_type(skb) == NFP_CCM_TYPE_BPF_BPF_EVENT is true, the skb will be freed. But the skb is still used by nfp_ccm_rx(&bpf->ccm, skb). My patch adds a return when the skb was freed. Fixes: bcf0cafab44fd ("nfp: split out common control message handling code") Signed-off-by: Lv Yunlong Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller commit ca441a7129904a62fbc5692bb202e4694097bd45 Merge: 4cd7bd599e273 b7eeb52721fe4 Author: David S. Miller Date: Mon Mar 29 16:30:45 2021 -0700 Merge branch '100GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2021-03-29 This series contains updates to ice driver only. Ani does not fail on link/PHY errors during probe as this is not a fatal error to prevent the user from remedying the problem. He also corrects checking Wake on LAN support to be port number, not PF ID. Fabio increases the AdminQ timeout as some commands can take longer than the current value. Chinh fixes iSCSI to use be able to use port 860 by using information from DCBx and other QoS configuration info. Krzysztof fixes a possible race between ice_open() and ice_stop(). Bruce corrects the ordering of arguments in a memory allocation call. Dave removes DCBNL device reset bit which is blocking changes coming from DCBNL interface. Jacek adds error handling for filter allocation failure. Robert ensures memory is freed if VSI filter list issues are encountered. ==================== Signed-off-by: David S. Miller commit 4cd7bd599e273bb75804a406b50cd2c58c40e2e0 Author: Rafał Miłecki Date: Mon Mar 29 17:33:28 2021 +0200 dt-bindings: net: bcm4908-enet: fix Ethernet generic properties This binding file uses $ref: ethernet-controller.yaml# so it's required to use "unevaluatedProperties" (instead of "additionalProperties") to make Ethernet properties validate. Fixes: f08b5cf1eb1f ("dt-bindings: net: bcm4908-enet: include ethernet-controller.yaml") Signed-off-by: Rafał Miłecki Signed-off-by: David S. Miller commit af9d316f3dd6d1385fbd1631b5103e620fc4298a Author: Rafał Miłecki Date: Mon Mar 29 16:03:17 2021 +0200 dt-bindings: net: ethernet-controller: fix typo in NVMEM The correct property name is "nvmem-cell-names". This is what: 1. Was originally documented in the ethernet.txt 2. Is used in DTS files 3. Matches standard syntax for phandles 4. Linux net subsystem checks for Fixes: 9d3de3c58347 ("dt-bindings: net: Add YAML schemas for the generic Ethernet options") Signed-off-by: Rafał Miłecki Signed-off-by: David S. Miller commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046 Author: Lv Yunlong Date: Sun Mar 28 00:30:29 2021 -0700 net:tipc: Fix a double free in tipc_sk_mcast_rcv In the if(skb_peek(arrvq) == skb) branch, it calls __skb_dequeue(arrvq) to get the skb by skb = skb_peek(arrvq). Then __skb_dequeue() unlinks the skb from arrvq and returns the skb which equals to skb_peek(arrvq). After __skb_dequeue(arrvq) finished, the skb is freed by kfree_skb(__skb_dequeue(arrvq)) in the first time. Unfortunately, the same skb is freed in the second time by kfree_skb(skb) after the branch completed. My patch removes kfree_skb() in the if(skb_peek(arrvq) == skb) branch, because this skb will be freed by kfree_skb(skb) finally. Fixes: cb1b728096f54 ("tipc: eliminate race condition at multicast reception") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller commit 1bfb3dea965ff9f6226fd1709338f227363b6061 Author: Rahul Lakkireddy Date: Sat Mar 27 23:49:08 2021 +0530 cxgb4: avoid collecting SGE_QBASE regs during traffic Accessing SGE_QBASE_MAP[0-3] and SGE_QBASE_INDEX registers can lead to SGE missing doorbells under heavy traffic. So, only collect them when adapter is idle. Also update the regdump range to skip collecting these registers. Fixes: 80a95a80d358 ("cxgb4: collect SGE PF/VF queue map") Signed-off-by: Rahul Lakkireddy Signed-off-by: David S. Miller commit ba845907b23a6584e5944f6fbffda3efb010c28b Merge: 58b5ada8c465b 39c1f1bd8adf2 Author: Linus Walleij Date: Tue Mar 30 00:46:49 2021 +0200 Merge tag 'intel-pinctrl-v5.12-3' of gitolite.kernel.org:pub/scm/linux/kernel/git/pinctrl/intel into fixes intel-pinctrl for v5.12-3 * Check if device is present, which is not the case in Xen The following is an automated git shortlog grouped by driver: intel: - check REVID register value for device presence commit e5c359f70e4b5e7b6c2bf4b0ca2d2686d543a37b Author: Taniya Das Date: Sat Mar 27 07:11:05 2021 +0530 clk: qcom: camcc: Update the clock ops for the SC7180 Some of the RCGs could be always ON from the XO source and could be used as the clock on signal for the GDSC to be operational. In the cases where the GDSCs are parked at different source with the source clock disabled, it could lead to the GDSC to be stuck at ON/OFF during gdsc disable/enable. Thus park the RCGs at XO during clock disable and update the rcg_ops to use the shared_ops. Fixes: 15d09e830bbc ("clk: qcom: camcc: Add camera clock controller driver for SC7180") Signed-off-by: Taniya Das Link: https://lore.kernel.org/r/1616809265-11912-1-git-send-email-tdas@codeaurora.org Signed-off-by: Stephen Boyd commit fb6ec87f7229b92baa81b35cbc76f2626d5bfadb Author: Maxim Kochetkov Date: Mon Mar 29 18:30:16 2021 +0300 net: dsa: Fix type was not set for devlink port If PHY is not available on DSA port (described at devicetree but absent or failed to detect) then kernel prints warning after 3700 secs: [ 3707.948771] ------------[ cut here ]------------ [ 3707.948784] Type was not set for devlink port. [ 3707.948894] WARNING: CPU: 1 PID: 17 at net/core/devlink.c:8097 0xc083f9d8 We should unregister the devlink port as a user port and re-register it as an unused port before executing "continue" in case of dsa_port_setup error. Fixes: 86f8b1c01a0a ("net: dsa: Do not make user port errors fatal") Signed-off-by: Maxim Kochetkov Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller commit e0146a108ce4d2c22b9510fd12268e3ee72a0161 Author: Jason Gunthorpe Date: Mon Mar 29 16:00:16 2021 -0300 vfio/nvlink: Add missing SPAPR_TCE_IOMMU depends Compiling the nvlink stuff relies on the SPAPR_TCE_IOMMU otherwise there are compile errors: drivers/vfio/pci/vfio_pci_nvlink2.c:101:10: error: implicit declaration of function 'mm_iommu_put' [-Werror,-Wimplicit-function-declaration] ret = mm_iommu_put(data->mm, data->mem); As PPC only defines these functions when the config is set. Previously this wasn't a problem by chance as SPAPR_TCE_IOMMU was the only IOMMU that could have satisfied IOMMU_API on POWERNV. Fixes: 179209fa1270 ("vfio: IOMMU_API should be selected") Reported-by: kernel test robot Signed-off-by: Jason Gunthorpe Message-Id: <0-v1-83dba9768fc3+419-vfio_nvlink2_kconfig_jgg@nvidia.com> Signed-off-by: Alex Williamson commit bff5b62585123823842833ab20b1c0a7fa437f8c Author: Claudiu Manoil Date: Mon Mar 29 17:08:47 2021 +0300 gianfar: Handle error code at MAC address change Handle return error code of eth_mac_addr(); Fixes: 3d23a05c75c7 ("gianfar: Enable changing mac addr when if up") Signed-off-by: Claudiu Manoil Signed-off-by: David S. Miller commit 63415767a2446136372e777cde5bb351f21ec21d Author: Lv Yunlong Date: Mon Mar 29 05:36:48 2021 -0700 ethernet: myri10ge: Fix a use after free in myri10ge_sw_tso In myri10ge_sw_tso, the skb_list_walk_safe macro will set (curr) = (segs) and (next) = (curr)->next. If status!=0 is true, the memory pointed by curr and segs will be free by dev_kfree_skb_any(curr). But later, the segs is used by segs = segs->next and causes a uaf. As (next) = (curr)->next, my patch replaces seg->next to next. Fixes: 536577f36ff7a ("net: myri10ge: use skb_list_walk_safe helper for gso segments") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller commit 5954846d09e4a210b6c761ab09388cfd41f58342 Author: Manivannan Sadhasivam Date: Mon Mar 29 16:55:37 2021 +0530 MAINTAINERS: Add entry for Qualcomm IPC Router (QRTR) driver Add MAINTAINERS entry for Qualcomm IPC Router (QRTR) driver. Signed-off-by: Manivannan Sadhasivam Signed-off-by: David S. Miller commit f4c848db16bed96734d8074d60047226978276ee Merge: 2dce6987a66d2 f5076c6ba02e8 Author: David S. Miller Date: Mon Mar 29 13:31:18 2021 -0700 Merge tag 'linux-can-fixes-for-5.12-20210329' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can Marc Kleine-Budde says: ==================== pull-request: can 2021-03-29 this is a pull request of 3 patches for net/master. The two patch are by Oliver Hartkopp. He fixes length check in the proto_ops::getname callback for the CAN RAW, BCM and ISOTP protocols, which were broken by the introduction of the J1939 protocol. The last patch is by me and fixes the a BUILD_BUG_ON() check which triggers on ARCH=arm with CONFIG_AEABI unset. ==================== Signed-off-by: David S. Miller commit 2dce6987a66d292ab08fcde9e65ae34d5d2f1a94 Merge: 1b479fb801602 4bfd0de590300 Author: David S. Miller Date: Mon Mar 29 13:29:49 2021 -0700 Merge branch 'mlxsw-ecn-marking' Ido Schimmel says: ==================== mlxsw: spectrum: Fix ECN marking in tunnel decapsulation Patch #1 fixes a discrepancy between the software and hardware data paths with regards to ECN marking after decapsulation. See the changelog for a detailed description. Patch #2 extends the ECN decap test to cover all possible combinations of inner and outer ECN markings. The test passes over both data paths. v2: * Only set ECT(1) if inner is ECT(0) * Introduce a new helper to determine inner ECN. Share it between NVE and IP-in-IP tunnels * Extend the selftest ==================== Signed-off-by: David S. Miller commit 4bfd0de590300d3e3889ee9833bec8cc4059fae6 Author: Ido Schimmel Date: Mon Mar 29 11:29:27 2021 +0300 selftests: forwarding: vxlan_bridge_1d: Add more ECN decap test cases Test that all possible combinations of inner and outer ECN bits result in the correct inner ECN marking according to RFC 6040 4.2. Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit 66167c310deb4ac1725f81004fb4b504676ad0bf Author: Ido Schimmel Date: Mon Mar 29 11:29:23 2021 +0300 mlxsw: spectrum: Fix ECN marking in tunnel decapsulation Cited commit changed the behavior of the software data path with regards to the ECN marking of decapsulated packets. However, the commit did not change other callers of __INET_ECN_decapsulate(), namely mlxsw. The driver is using the function in order to ensure that the hardware and software data paths act the same with regards to the ECN marking of decapsulated packets. The discrepancy was uncovered by commit 5aa3c334a449 ("selftests: forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate value") that aligned the selftest to the new behavior. Without this patch the selftest passes when used with veth pairs, but fails when used with mlxsw netdevs. Fix this by instructing the device to propagate the ECT(1) mark from the outer header to the inner header when the inner header is ECT(0), for both NVE and IP-in-IP tunnels. A helper is added in order not to duplicate the code between both tunnel types. Fixes: b723748750ec ("tunnel: Propagate ECT(1) when decapsulating as recommended by RFC6040") Signed-off-by: Ido Schimmel Reviewed-by: Petr Machata Acked-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller commit 2867b9746cef78745c594894aece6f8ef826e0b4 Author: Krzysztof Kozlowski Date: Sun Mar 14 12:07:09 2021 +0100 clk: socfpga: fix iomem pointer cast on 64-bit Pointers should be cast with uintptr_t instead of integer. This fixes warning when compile testing on ARM64: drivers/clk/socfpga/clk-gate.c: In function ‘socfpga_clk_recalc_rate’: drivers/clk/socfpga/clk-gate.c:102:7: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] Fixes: b7cec13f082f ("clk: socfpga: Look for the GPIO_DB_CLK by its offset") Signed-off-by: Krzysztof Kozlowski Acked-by: Dinh Nguyen Link: https://lore.kernel.org/r/20210314110709.32599-1-krzysztof.kozlowski@canonical.com Signed-off-by: Stephen Boyd commit 1e43c377a79f9189fea8f2711b399d4e8b4e609b Merge: a5e13c6df0e41 7b9acbb6aad4f Author: Linus Torvalds Date: Mon Mar 29 11:37:43 2021 -0700 Merge tag 'xtensa-20210329' of git://github.com/jcmvbkbc/linux-xtensa Pull xtensa fixes from Max Filippov: - fix build with separate exception vectors when they are placed too far from the rest of the kernel - fix uaccess-related livelock in do_page_fault. * tag 'xtensa-20210329' of git://github.com/jcmvbkbc/linux-xtensa: xtensa: fix uaccess-related livelock in do_page_fault xtensa: move coprocessor_flush to the .text section commit 7b9acbb6aad4f54623dcd4bd4b1a60fe0c727b09 Author: Max Filippov Date: Sun Feb 7 04:57:58 2021 -0800 xtensa: fix uaccess-related livelock in do_page_fault If a uaccess (e.g. get_user()) triggers a fault and there's a fault signal pending, the handler will return to the uaccess without having performed a uaccess fault fixup, and so the CPU will immediately execute the uaccess instruction again, whereupon it will livelock bouncing between that instruction and the fault handler. https://lore.kernel.org/lkml/20210121123140.GD48431@C02TD0UTHF1T.local/ Cc: stable@vger.kernel.org Reported-by: Mark Rutland Signed-off-by: Max Filippov commit 5e61b84f9d3ddfba73091f9fbc940caae1c9eb22 Author: Nirmoy Das Date: Fri Mar 26 16:08:10 2021 +0100 drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() Offset calculation wasn't correct as start addresses are in pfn not in bytes. CC: stable@vger.kernel.org Signed-off-by: Nirmoy Das Reviewed-by: Christian König Signed-off-by: Alex Deucher commit acc7baafeb0b52a5b91be64c4776f827a163dda1 Author: Evan Quan Date: Tue Mar 23 16:30:38 2021 +0800 drm/amd/pm: no need to force MCLK to highest when no display connected Correct the check for vblank short. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Tested-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit b7eeb52721fe417730fc5adc5cbeeb5fe349ab26 Author: Robert Malz Date: Fri Feb 26 13:19:32 2021 -0800 ice: Cleanup fltr list in case of allocation issues When ice_remove_vsi_lkup_fltr is called, by calling ice_add_to_vsi_fltr_list local copy of vsi filter list is created. If any issues during creation of vsi filter list occurs it up for the caller to free already allocated memory. This patch ensures proper memory deallocation in these cases. Fixes: 80d144c9ac82 ("ice: Refactor switch rule management structures and functions") Signed-off-by: Robert Malz Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 3176551979b92b02756979c0f1e2d03d1fc82b1e Author: Anirudh Venkataramanan Date: Fri Feb 26 13:19:30 2021 -0800 ice: Use port number instead of PF ID for WoL As per the spec, the WoL control word read from the NVM should be interpreted as port numbers, and not PF numbers. So when checking if WoL supported, use the port number instead of the PF ID. Also, ice_is_wol_supported doesn't really need a pointer to the pf struct, but just needs a pointer to the hw instance. Fixes: 769c500dcc1e ("ice: Add advanced power mgmt for WoL") Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 7a91d3f02b04b2fb18c2dfa8b6c4e5a40a2753f5 Author: Jacek Bułatek Date: Fri Feb 26 13:19:29 2021 -0800 ice: Fix for dereference of NULL pointer Add handling of allocation fault for ice_vsi_list_map_info. Also *fi should not be NULL pointer, it is a reference to raw data field, so remove this variable and use the reference directly. Fixes: 9daf8208dd4d ("ice: Add support for switch filter programming") Signed-off-by: Jacek Bułatek Co-developed-by: Haiyue Wang Signed-off-by: Haiyue Wang Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 741b7b743bbcb5a3848e4e55982064214f900d2f Author: Dave Ertman Date: Fri Feb 26 13:19:28 2021 -0800 ice: remove DCBNL_DEVRESET bit from PF state The original purpose of the ICE_DCBNL_DEVRESET was to protect the driver during DCBNL device resets. But, the flow for DCBNL device resets now consists of only calls up the stack such as dev_close() and dev_open() that will result in NDO calls to the driver. These will be handled with state changes from the stack. Also, there is a problem of the dev_close and dev_open being blocked by checks for reset in progress also using the ICE_DCBNL_DEVRESET bit. Since the ICE_DCBNL_DEVRESET bit is not necessary for protecting the driver from DCBNL device resets and it is actually blocking changes coming from the DCBNL interface, remove the bit from the PF state and don't block driver function based on DCBNL reset in progress. Fixes: b94b013eb626 ("ice: Implement DCBNL support") Signed-off-by: Dave Ertman Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 9dfacc54a8661bc8be6e08cffee59596ec59f263 Author: Adrian Hunter Date: Fri Mar 26 12:56:19 2021 +0200 PM: runtime: Fix race getting/putting suppliers at probe pm_runtime_put_suppliers() must not decrement rpm_active unless the consumer is suspended. That is because, otherwise, it could suspend suppliers for an active consumer. That can happen as follows: static int driver_probe_device(struct device_driver *drv, struct device *dev) { int ret = 0; if (!device_is_registered(dev)) return -ENODEV; dev->can_match = true; pr_debug("bus: '%s': %s: matched device %s with driver %s\n", drv->bus->name, __func__, dev_name(dev), drv->name); pm_runtime_get_suppliers(dev); if (dev->parent) pm_runtime_get_sync(dev->parent); At this point, dev can runtime suspend so rpm_put_suppliers() can run, rpm_active becomes 1 (the lowest value). pm_runtime_barrier(dev); if (initcall_debug) ret = really_probe_debug(dev, drv); else ret = really_probe(dev, drv); Probe callback can have runtime resumed dev, and then runtime put so dev is awaiting autosuspend, but rpm_active is 2. pm_request_idle(dev); if (dev->parent) pm_runtime_put(dev->parent); pm_runtime_put_suppliers(dev); Now pm_runtime_put_suppliers() will put the supplier i.e. rpm_active 2 -> 1, but consumer can still be active. return ret; } Fix by checking the runtime status. For any status other than RPM_SUSPENDED, rpm_active can be considered to be "owned" by rpm_[get/put]_suppliers() and pm_runtime_put_suppliers() need do nothing. Reported-by: Asutosh Das Fixes: 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance") Signed-off-by: Adrian Hunter Cc: 5.1+ # 5.1+ Signed-off-by: Rafael J. Wysocki commit c0c33442f7203704aef345647e14c2fb86071001 Author: Adrian Hunter Date: Fri Mar 26 12:56:18 2021 +0200 PM: runtime: Fix ordering in pm_runtime_get_suppliers() rpm_active indicates how many times the supplier usage_count has been incremented. Consequently it must be updated after pm_runtime_get_sync() of the supplier, not before. Fixes: 4c06c4e6cf63 ("driver core: Fix possible supplier PM-usage counter imbalance") Signed-off-by: Adrian Hunter Cc: 5.1+ # 5.1+ Signed-off-by: Rafael J. Wysocki commit 1a1c130ab7575498eed5bcf7220037ae09cd1f8a Author: Rafael J. Wysocki Date: Tue Mar 23 20:26:52 2021 +0100 ACPI: tables: x86: Reserve memory occupied by ACPI tables The following problem has been reported by George Kennedy: Since commit 7fef431be9c9 ("mm/page_alloc: place pages to tail in __free_pages_core()") the following use after free occurs intermittently when ACPI tables are accessed. BUG: KASAN: use-after-free in ibft_init+0x134/0xc49 Read of size 4 at addr ffff8880be453004 by task swapper/0/1 CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-7a7fd0d #1 Call Trace: dump_stack+0xf6/0x158 print_address_description.constprop.9+0x41/0x60 kasan_report.cold.14+0x7b/0xd4 __asan_report_load_n_noabort+0xf/0x20 ibft_init+0x134/0xc49 do_one_initcall+0xc4/0x3e0 kernel_init_freeable+0x5af/0x66b kernel_init+0x16/0x1d0 ret_from_fork+0x22/0x30 ACPI tables mapped via kmap() do not have their mapped pages reserved and the pages can be "stolen" by the buddy allocator. Apparently, on the affected system, the ACPI table in question is not located in "reserved" memory, like ACPI NVS or ACPI Data, that will not be used by the buddy allocator, so the memory occupied by that table has to be explicitly reserved to prevent the buddy allocator from using it. In order to address this problem, rearrange the initialization of the ACPI tables on x86 to locate the initial tables earlier and reserve the memory occupied by them. The other architectures using ACPI should not be affected by this change. Link: https://lore.kernel.org/linux-acpi/1614802160-29362-1-git-send-email-george.kennedy@oracle.com/ Reported-by: George Kennedy Tested-by: George Kennedy Signed-off-by: Rafael J. Wysocki Reviewed-by: Mike Rapoport Cc: 5.10+ # 5.10+ commit 59df14f9cc2326bd6432d60eca0df8201d9d3d4b Author: Bruce Allan Date: Fri Feb 26 13:19:27 2021 -0800 ice: fix memory allocation call Fix the order of number of array members and member size parameters in a *calloc() call. Fixes: b3c3890489f6 ("ice: avoid unnecessary single-member variable-length structs") Signed-off-by: Bruce Allan Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit e95fc8573e07c5e4825df4650fd8b8c93fad27a7 Author: Krzysztof Goreczny Date: Fri Feb 26 13:19:26 2021 -0800 ice: prevent ice_open and ice_stop during reset There is a possibility of race between ice_open or ice_stop calls performed by OS and reset handling routine both trying to modify VSI resources. Observed scenarios: - reset handler deallocates memory in ice_vsi_free_arrays and ice_open tries to access it in ice_vsi_cfg_txq leading to driver crash - reset handler deallocates memory in ice_vsi_free_arrays and ice_close tries to access it in ice_down leading to driver crash - reset handler clears port scheduler topology and sets port state to ICE_SCHED_PORT_STATE_INIT leading to ice_ena_vsi_txq fail in ice_open To prevent this additional checks in ice_open and ice_stop are introduced to make sure that OS is not allowed to alter VSI config while reset is in progress. Fixes: cdedef59deb0 ("ice: Configure VSIs for Tx/Rx") Signed-off-by: Krzysztof Goreczny Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit aeac8ce864d9c0836e12ed5b5cc80f62f3cccb7c Author: Chinh T Cao Date: Fri Feb 26 13:19:25 2021 -0800 ice: Recognize 860 as iSCSI port in CEE mode iSCSI can use both TCP ports 860 and 3260. However, in our current implementation, the ice_aqc_opc_get_cee_dcb_cfg (0x0A07) AQ command doesn't provide a way to communicate the protocol port number to the AQ's caller. Thus, we assume that 3260 is the iSCSI port number at the AQ's caller layer. Rely on the dcbx-willing mode, desired QoS and remote QoS configuration to determine which port number that iSCSI will use. Fixes: 0ebd3ff13cca ("ice: Add code for DCB initialization part 2/4") Signed-off-by: Chinh T Cao Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit f88c529ac77b3c21819d2cf1dfcfae1937849743 Author: Fabio Pricoco Date: Fri Feb 26 13:19:24 2021 -0800 ice: Increase control queue timeout 250 msec timeout is insufficient for some AQ commands. Advice from FW team was to increase the timeout. Increase to 1 second. Fixes: 7ec59eeac804 ("ice: Add support for control queues") Signed-off-by: Fabio Pricoco Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 08771bce330036d473be6ce851cd00bcd351ebf6 Author: Anirudh Venkataramanan Date: Fri Feb 26 13:19:22 2021 -0800 ice: Continue probe on link/PHY errors An incorrect NVM update procedure can result in the driver failing probe. In this case, the recommended resolution method is to update the NVM using the right procedure. However, if the driver fails probe, the user will not be able to update the NVM. So do not fail probe on link/PHY errors. Fixes: 1a3571b5938c ("ice: restore PHY settings on media insertion") Signed-off-by: Anirudh Venkataramanan Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit aa320c7cd45647b75af2233430d36a8d154703d4 Author: kernel test robot Date: Sun Mar 28 16:54:45 2021 +0200 ASoC: cygnus: fix for_each_child.cocci warnings Function "for_each_available_child_of_node" should have of_node_put() before return around line 1352. Generated by: scripts/coccinelle/iterators/for_each_child.cocci CC: Sumera Priyadarsini Reported-by: kernel test robot Signed-off-by: kernel test robot Signed-off-by: Julia Lawall Link: https://lore.kernel.org/r/alpine.DEB.2.22.394.2103281651320.2854@hadrien Signed-off-by: Mark Brown commit 51520426f4bc3e61cbbf7a39ccf4e411b665002d Author: Pavel Begunkov Date: Mon Mar 29 11:39:29 2021 +0100 io_uring: handle setup-failed ctx in kill_timeouts general protection fault, probably for non-canonical address 0xdffffc0000000018: 0000 [#1] KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7] RIP: 0010:io_commit_cqring+0x37f/0xc10 fs/io_uring.c:1318 Call Trace: io_kill_timeouts+0x2b5/0x320 fs/io_uring.c:8606 io_ring_ctx_wait_and_kill+0x1da/0x400 fs/io_uring.c:8629 io_uring_create fs/io_uring.c:9572 [inline] io_uring_setup+0x10da/0x2ae0 fs/io_uring.c:9599 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae It can get into wait_and_kill() before setting up ctx->rings, and hence io_commit_cqring() fails. Mimic poll cancel and do it only when we completed events, there can't be any requests if it failed before initialising rings. Fixes: 80c4cbdb5ee60 ("io_uring: do post-completion chore on t-out cancel") Reported-by: syzbot+0e905eb8228070c457a0@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/660261a48f0e7abf260c8e43c87edab3c16736fa.1617014345.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 625bd5a616ceda4840cd28f82e957c8ced394b6a Author: Ikjoon Jang Date: Wed Mar 24 18:51:52 2021 +0800 ALSA: usb-audio: Apply sample rate quirk to Logitech Connect Logitech ConferenceCam Connect is a compound USB device with UVC and UAC. Not 100% reproducible but sometimes it keeps responding STALL to every control transfer once it receives get_freq request. This patch adds 046d:0x084c to a snd_usb_get_sample_rate_quirk list. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203419 Signed-off-by: Ikjoon Jang Cc: Link: https://lore.kernel.org/r/20210324105153.2322881-1-ikjn@chromium.org Signed-off-by: Takashi Iwai commit 6161a435c1910d07ee00cc25af010889010e1f08 Author: Tian Tao Date: Mon Mar 15 14:41:26 2021 +0800 drm/exynos/decon5433: Remove the unused include statements This driver doesn't reference of_gpio.h, so drop it. Signed-off-by: Tian Tao Signed-off-by: Inki Dae commit f5076c6ba02e8e24c61c40bbf48078929bc0fc79 Author: Marc Kleine-Budde Date: Mon Mar 22 10:44:54 2021 +0100 can: uapi: can.h: mark union inside struct can_frame packed In commit ea7800565a12 ("can: add optional DLC element to Classical CAN frame structure") the struct can_frame::can_dlc was put into an anonymous union with another u8 variable. For various reasons some members in struct can_frame and canfd_frame including the first 8 byes of data are expected to have the same memory layout. This is enforced by a BUILD_BUG_ON check in af_can.c. Since the above mentioned commit this check fails on ARM kernels compiled with the ARM OABI (which means CONFIG_AEABI not set). In this case -mabi=apcs-gnu is passed to the compiler, which leads to a structure size boundary of 32, instead of 8 compared to CONFIG_AEABI enabled. This means the the union in struct can_frame takes 4 bytes instead of the expected 1. Rong Chen illustrates the problem with pahole in the ARM OABI case: | struct can_frame { | canid_t can_id; /* 0 4 */ | union { | __u8 len; /* 4 1 */ | __u8 can_dlc; /* 4 1 */ | }; /* 4 4 */ | __u8 __pad; /* 8 1 */ | __u8 __res0; /* 9 1 */ | __u8 len8_dlc; /* 10 1 */ | | /* XXX 5 bytes hole, try to pack */ | | __u8 data[8] | __attribute__((__aligned__(8))); /* 16 8 */ | | /* size: 24, cachelines: 1, members: 6 */ | /* sum members: 19, holes: 1, sum holes: 5 */ | /* forced alignments: 1, forced holes: 1, sum forced holes: 5 */ | /* last cacheline: 24 bytes */ | } __attribute__((__aligned__(8))); Marking the anonymous union as __attribute__((packed)) fixes the BUILD_BUG_ON problem on these compilers. Fixes: ea7800565a12 ("can: add optional DLC element to Classical CAN frame structure") Reported-by: kernel test robot Suggested-by: Rong Chen Link: https://lore.kernel.org/linux-can/2c82ec23-3551-61b5-1bd8-178c3407ee83@hartkopp.net/ Link: https://lore.kernel.org/r/20210325125850.1620-3-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde commit f522d9559b07854c231cf8f0b8cb5a3578f8b44e Author: Oliver Hartkopp Date: Thu Mar 25 13:58:49 2021 +0100 can: isotp: fix msg_namelen values depending on CAN_REQUIRED_SIZE Since commit f5223e9eee65 ("can: extend sockaddr_can to include j1939 members") the sockaddr_can has been extended in size and a new CAN_REQUIRED_SIZE macro has been introduced to calculate the protocol specific needed size. The ABI for the msg_name and msg_namelen has not been adapted to the new CAN_REQUIRED_SIZE macro for the other CAN protocols which leads to a problem when an existing binary reads the (increased) struct sockaddr_can in msg_name. Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Reported-by: Richard Weinberger Acked-by: Kurt Van Dijck Link: https://lore.kernel.org/linux-can/1135648123.112255.1616613706554.JavaMail.zimbra@nod.at/T/#t Link: https://lore.kernel.org/r/20210325125850.1620-2-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde commit 9e9714742fb70467464359693a73b911a630226f Author: Oliver Hartkopp Date: Thu Mar 25 13:58:48 2021 +0100 can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE Since commit f5223e9eee65 ("can: extend sockaddr_can to include j1939 members") the sockaddr_can has been extended in size and a new CAN_REQUIRED_SIZE macro has been introduced to calculate the protocol specific needed size. The ABI for the msg_name and msg_namelen has not been adapted to the new CAN_REQUIRED_SIZE macro for the other CAN protocols which leads to a problem when an existing binary reads the (increased) struct sockaddr_can in msg_name. Fixes: f5223e9eee65 ("can: extend sockaddr_can to include j1939 members") Reported-by: Richard Weinberger Tested-by: Richard Weinberger Acked-by: Kurt Van Dijck Link: https://lore.kernel.org/linux-can/1135648123.112255.1616613706554.JavaMail.zimbra@nod.at/T/#t Link: https://lore.kernel.org/r/20210325125850.1620-1-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde commit c7dbf4c08868d9db89b8bfe8f8245ca61b01ed2f Author: Steffen Klassert Date: Fri Mar 26 09:44:48 2021 +0100 xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer insertion on HW offload. This flag is set on the secpath that is shared amongst segments. This lead to a situation where some segments are not transformed correctly when segmentation happens at layer 3. Fix this by using private skb extensions for segmented and hw offloaded ESP packets. Fixes: 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec crypto offload.") Signed-off-by: Steffen Klassert commit 56cfe6f820a6315291eb5a1b82bb49633b993d3b Author: Dmitry Osipenko Date: Sun Mar 28 22:57:48 2021 -0700 Input: elants_i2c - drop zero-checking of ABS_MT_TOUCH_MAJOR resolution Drop unnecessary zero-checking of ABS_MT_TOUCH_MAJOR resolution since there is no difference between setting resolution to 0 vs not setting it at all. This change makes code cleaner a tad. Suggested-by: Dmitry Torokhov Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20210328235507.19240-1-digetx@gmail.com Signed-off-by: Dmitry Torokhov commit 5cfad4f45806f6f898b63b8c77cea7452c704cb3 Author: Oliver Stäbler Date: Wed Mar 24 14:28:41 2021 +0100 arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0 Fix address of the pad control register (IOMUXC_SW_PAD_CTL_PAD_SD1_DATA0) for SD1_DATA0_GPIO2_IO2. This seems to be a typo but it leads to an exception when pinctrl is applied due to wrong memory address access. Signed-off-by: Oliver Stäbler Reviewed-by: Fabio Estevam Acked-by: Rob Herring Fixes: c1c9d41319c3 ("dt-bindings: imx: Add pinctrl binding doc for imx8mm") Fixes: 748f908cc882 ("arm64: add basic DTS for i.MX8MQ") Signed-off-by: Shawn Guo commit 1b479fb801602b22512f53c19b1f93a4fc5d5d9d Author: Lv Yunlong Date: Sun Mar 28 00:50:08 2021 -0700 drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit In pvc_xmit, if __skb_pad(skb, pad, false) failed, it will free the skb in the first time and goto drop. But the same skb is freed by kfree_skb(skb) in the second time in drop. Maintaining the original function unchanged, my patch adds a new label out to avoid the double free if __skb_pad() failed. Fixes: f5083d0cee08a ("drivers/net/wan/hdlc_fr: Improvements to the code of pvc_xmit") Signed-off-by: Lv Yunlong Signed-off-by: David S. Miller commit 5a978dcfc0f054e4f6983a0a26355a65e34708cb Author: Pavel Begunkov Date: Sat Mar 27 09:59:30 2021 +0000 io_uring: always go for cancellation spin on exec Always try to do cancellation in __io_uring_task_cancel() at least once, so it actually goes and cleans its sqpoll tasks (i.e. via io_sqpoll_cancel_sync()), otherwise sqpoll task may submit new requests after cancellation and it's racy for many reasons. Fixes: 521d6a737a31c ("io_uring: cancel sqpoll via task_work") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0a21bd6d794bb1629bc906dd57a57b2c2985a8ac.1616839147.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit a5e13c6df0e41702d2b2c77c8ad41677ebb065b3 Author: Linus Torvalds Date: Sun Mar 28 15:48:16 2021 -0700 Linux 5.12-rc5 commit f9e2bb42cf0db3a624d295122db3475aa3e7ad18 Merge: 3fef15f872eec 1dc481c0b0cf1 Author: Linus Torvalds Date: Sun Mar 28 13:22:54 2021 -0700 Merge tag 'perf-tools-fixes-for-v5.12-2020-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux Pull perf tooling fixes from Arnaldo Carvalho de Melo: - Avoid write of uninitialized memory when generating PERF_RECORD_MMAP* records. - Fix 'perf top' BPF support related crash with perf_event_paranoid=3 + kptr_restrict. - Validate raw event with sysfs exported format bits. - Fix waipid on SIGCHLD delivery bugs in 'perf daemon'. - Change to use bash for daemon test on Debian, where the default is dash and thus fails for use of bashisms in this test. - Fix memory leak in vDSO found using ASAN. - Remove now useless (due to the fact that BPF now supports static vars) failing sub test "BPF relocation checker". - Fix auxtrace queue conflict. - Sync linux/kvm.h with the kernel sources. * tag 'perf-tools-fixes-for-v5.12-2020-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux: perf test: Change to use bash for daemon test perf record: Fix memory leak in vDSO found using ASAN perf test: Remove now useless failing sub test "BPF relocation checker" perf daemon: Return from kill functions perf daemon: Force waipid for all session on SIGCHLD delivery perf top: Fix BPF support related crash with perf_event_paranoid=3 + kptr_restrict perf pmu: Validate raw event with sysfs exported format bits perf synthetic events: Avoid write of uninitialized memory when generating PERF_RECORD_MMAP* records tools headers UAPI: Sync linux/kvm.h with the kernel sources perf synthetic-events: Fix uninitialized 'kernel_thread' variable perf auxtrace: Fix auxtrace queue conflict commit 3fef15f872eec8292d4e53e307c1d17530fb16ba Merge: 36a14638f7c06 701454bce9062 Author: Linus Torvalds Date: Sun Mar 28 13:20:38 2021 -0700 Merge tag 'auxdisplay-for-linus-v5.12-rc6' of git://github.com/ojeda/linux Pull auxdisplay fix from Miguel Ojeda: "Remove in_interrupt() usage (Sebastian Andrzej Siewior)" * tag 'auxdisplay-for-linus-v5.12-rc6' of git://github.com/ojeda/linux: auxdisplay: Remove in_interrupt() usage. commit 36a14638f7c06546717cc1316fcfee6da42b98cc Merge: 47fbbc94dab61 9fcb51c14da29 Author: Linus Torvalds Date: Sun Mar 28 12:19:16 2021 -0700 Merge tag 'x86-urgent-2021-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Ingo Molnar: "Two fixes: - Fix build failure on Ubuntu with new GCC packages that turn on -fcf-protection - Fix SME memory encryption PTE encoding bug - AFAICT the code worked on 4K page sizes (level 1) but had the wrong shift at higher page level orders (level 2 and higher)" * tag 'x86-urgent-2021-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/build: Turn off -fcf-protection for realmode targets x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() commit 47fbbc94dab61a1385f21a0a209c61b5d6b0a215 Merge: 81b1d39fd39a0 291da9d4a9eb3 Author: Linus Torvalds Date: Sun Mar 28 12:12:22 2021 -0700 Merge tag 'locking-urgent-2021-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Ingo Molnar: "Fix the non-debug mutex_lock_io_nested() method to map to mutex_lock_io() instead of mutex_lock(). Right now nothing uses this API explicitly, but this is an accident waiting to happen" * tag 'locking-urgent-2021-03-28' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: locking/mutex: Fix non debug version of mutex_lock_io_nested() commit 81b1d39fd39a0ecfd30606714bcc05da586044f9 Merge: b44d1ddcf835b cfc63fc8126a9 Author: Linus Torvalds Date: Sun Mar 28 12:06:21 2021 -0700 Merge tag '5.12-rc4-smb3' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Five cifs/smb3 fixes, two for stable. Includes an important fix for encryption and an ACL fix, as well as a fix for possible reflink data corruption" * tag '5.12-rc4-smb3' of git://git.samba.org/sfrench/cifs-2.6: smb3: fix cached file size problems in duplicate extents (reflink) cifs: Silently ignore unknown oplock break handle cifs: revalidate mapping when we open files for SMB1 POSIX cifs: Fix chmod with modefromsid when an older ACE already exists. cifs: Adjust key sizes and key generation routines for AES256 encryption commit b44d1ddcf835b39a8dc14276d770074deaed297c Merge: abed516ecd02c 2b8ed1c94182d Author: Linus Torvalds Date: Sun Mar 28 11:42:05 2021 -0700 Merge tag 'io_uring-5.12-2021-03-27' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: - Use thread info versions of flag testing, as discussed last week. - The series enabling PF_IO_WORKER to just take signals, instead of needing to special case that they do not in a bunch of places. Ends up being pretty trivial to do, and then we can revert all the special casing we're currently doing. - Kill dead pointer assignment - Fix hashed part of async work queue trace - Fix sign extension issue for IORING_OP_PROVIDE_BUFFERS - Fix a link completion ordering regression in this merge window - Cancellation fixes * tag 'io_uring-5.12-2021-03-27' of git://git.kernel.dk/linux-block: io_uring: remove unsued assignment to pointer io io_uring: don't cancel extra on files match io_uring: don't cancel-track common timeouts io_uring: do post-completion chore on t-out cancel io_uring: fix timeout cancel return code Revert "signal: don't allow STOP on PF_IO_WORKER threads" Revert "kernel: freezer should treat PF_IO_WORKER like PF_KTHREAD for freezing" Revert "kernel: treat PF_IO_WORKER like PF_KTHREAD for ptrace/signals" Revert "signal: don't allow sending any signals to PF_IO_WORKER threads" kernel: stop masking signals in create_io_thread() io_uring: handle signals for IO threads like a normal thread kernel: don't call do_exit() for PF_IO_WORKER threads io_uring: maintain CQE order of a failed link io-wq: fix race around pending work on teardown io_uring: do ctx sqd ejection in a clear context io_uring: fix provide_buffers sign extension io_uring: don't skip file_end_write() on reissue io_uring: correct io_queue_async_work() traces io_uring: don't use {test,clear}_tsk_thread_flag() for current commit abed516ecd02ceb30fbd091e9b26205ea3192c65 Merge: e8cfe8fa22b6c e82fc7855749a Author: Linus Torvalds Date: Sun Mar 28 11:37:42 2021 -0700 Merge tag 'block-5.12-2021-03-27' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - Fix regression from this merge window with the xarray partition change, which allowed partition counts that overflow the u8 that holds the partition number (Ming) - Fix zone append warning (Johannes) - Segmentation count fix for multipage bvecs (David) - Partition scan fix (Chris) * tag 'block-5.12-2021-03-27' of git://git.kernel.dk/linux-block: block: don't create too many partitions block: support zone append bvecs block: recalculate segment count for multi-segment discards correctly block: clear GD_NEED_PART_SCAN later in bdev_disk_changed commit e8cfe8fa22b6c3d12595f68fde6ef10121795267 Merge: 0f4498cef9f5c 36fa766faa0c8 Author: Linus Torvalds Date: Sun Mar 28 11:34:47 2021 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Seven fixes, all in drivers (qla2xxx, mkt3sas, qedi, target, ibmvscsi). The most serious are the target pscsi oom and the qla2xxx revert which can otherwise cause a use after free" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: target: pscsi: Clean up after failure in pscsi_map_sg() scsi: target: pscsi: Avoid OOM in pscsi_map_sg() scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() scsi: qedi: Fix error return code of qedi_alloc_global_queues() scsi: Revert "qla2xxx: Make sure that aborted commands are freed" scsi: ibmvfc: Make ibmvfc_wait_for_ops() MQ aware scsi: ibmvfc: Fix potential race in ibmvfc_wait_for_ops() commit 84d572e634e28827d105746c922d8ada425e2d8b Author: Matthew Rosato Date: Thu Mar 25 09:41:52 2021 -0400 MAINTAINERS: add backups for s390 vfio drivers Add a backup for s390 vfio-pci, an additional backup for vfio-ccw and replace the backup for vfio-ap as Pierre is focusing on other areas. Signed-off-by: Matthew Rosato Acked-by: Eric Farman Acked-by: Halil Pasic Acked-by: Pierre Morel Acked-by: Jason J. Herne Link: https://lore.kernel.org/r/1616679712-7139-1-git-send-email-mjrosato@linux.ibm.com Signed-off-by: Christian Borntraeger Signed-off-by: Heiko Carstens commit 781bab3238c21c8cc6d1999a6ee43de76252fdfd Author: Dmitry Osipenko Date: Fri Mar 26 15:19:27 2021 -0700 Input: elants_i2c - fix division by zero if firmware reports zero phys size Touchscreen firmware of ASUS Transformer TF700T reports zeros for the phys size. Hence check whether the size is zero and don't set the resolution in this case. Reported-by: Jasper Korten Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20210302100824.3423-1-digetx@gmail.com Signed-off-by: Dmitry Torokhov commit 4e53d1701b574b1ee9d500b4913a1ece2fac8911 Author: Jens Axboe Date: Fri Mar 26 10:05:25 2021 -0600 tomoyo: don't special case PF_IO_WORKER for PF_KTHREAD Since commit 3bfe6106693b6b4b ("io-wq: fork worker threads from original task") stopped using PF_KTHREAD flag for the io_uring PF_IO_WORKER threads, tomoyo_kernel_service() no longer needs to check PF_IO_WORKER flag. (This is a 5.12+ patch. Please don't send to stable kernels.) Signed-off-by: Jens Axboe Signed-off-by: Tetsuo Handa commit 2b8ed1c94182dbbd0163d0eb443a934cbf6b0d85 Author: Colin Ian King Date: Fri Mar 26 19:52:51 2021 +0000 io_uring: remove unsued assignment to pointer io There is an assignment to io that is never read after the assignment, the assignment is redundant and can be removed. Signed-off-by: Colin Ian King Signed-off-by: Jens Axboe commit 78d9d7c2a331fb7a68a86e53ef7e12966459e0c5 Author: Pavel Begunkov Date: Thu Mar 25 18:32:45 2021 +0000 io_uring: don't cancel extra on files match As tasks always wait and kill their io-wq on exec/exit, files are of no more concern to us, so we don't need to specifically cancel them by hand in those cases. Moreover we should not, because io_match_task() looks at req->task->files now, which is always true and so leads to extra cancellations, that wasn't a case before per-task io-wq. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/0566c1de9b9dd417f5de345c817ca953580e0e2e.1616696997.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 2482b58ffbdc80cfaae969ad19cb32803056505b Author: Pavel Begunkov Date: Thu Mar 25 18:32:44 2021 +0000 io_uring: don't cancel-track common timeouts Don't account usual timeouts (i.e. not linked) as REQ_F_INFLIGHT but keep behaviour prior to dd59a3d595cc1 ("io_uring: reliably cancel linked timeouts"). Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/104441ef5d97e3932113d44501fda0df88656b83.1616696997.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 80c4cbdb5ee604712e59fe304d7bf084b562f705 Author: Pavel Begunkov Date: Thu Mar 25 18:32:43 2021 +0000 io_uring: do post-completion chore on t-out cancel Don't forget about io_commit_cqring() + io_cqring_ev_posted() after exit/exec cancelling timeouts. Both functions declared only after io_kill_timeouts(), so to avoid tons of forward declarations move it down. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/72ace588772c0f14834a6a4185d56c445a366fb4.1616696997.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 1ee4160c73b2102a52bc97a4128a89c34821414f Author: Pavel Begunkov Date: Thu Mar 25 18:32:42 2021 +0000 io_uring: fix timeout cancel return code When we cancel a timeout we should emit a sensible return code, like -ECANCELED but not 0, otherwise it may trick users. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/7b0ad1065e3bd1994722702bd0ba9e7bc9b0683b.1616696997.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 1e4cf0d3d072173ee70757ee4aec11b2839705f9 Author: Jens Axboe Date: Thu Mar 25 18:23:44 2021 -0600 Revert "signal: don't allow STOP on PF_IO_WORKER threads" This reverts commit 4db4b1a0d1779dc159f7b87feb97030ec0b12597. The IO threads allow and handle SIGSTOP now, so don't special case them anymore in task_set_jobctl_pending(). Signed-off-by: Jens Axboe commit d3dc04cd81e0eaf50b2d09ab051a13300e587439 Author: Jens Axboe Date: Thu Mar 25 18:22:11 2021 -0600 Revert "kernel: freezer should treat PF_IO_WORKER like PF_KTHREAD for freezing" This reverts commit 15b2219facadec583c24523eed40fa45865f859f. Before IO threads accepted signals, the freezer using take signals to wake up an IO thread would cause them to loop without any way to clear the pending signal. That is no longer the case, so stop special casing PF_IO_WORKER in the freezer. Signed-off-by: Jens Axboe commit e8b33b8cfafcfcef287ae4c0f23a173bfcf617f3 Author: Jens Axboe Date: Thu Mar 25 18:18:59 2021 -0600 Revert "kernel: treat PF_IO_WORKER like PF_KTHREAD for ptrace/signals" This reverts commit 6fb8f43cede0e4bd3ead847de78d531424a96be9. The IO threads do allow signals now, including SIGSTOP, and we can allow ptrace attach. Attaching won't reveal anything interesting for the IO threads, but it will allow eg gdb to attach to a task with io_urings and IO threads without complaining. And once attached, it will allow the usual introspection into regular threads. Signed-off-by: Jens Axboe commit 5a842a7448bbfa9bda0a74ca4f239c1b02bb98d8 Author: Jens Axboe Date: Thu Mar 25 18:18:15 2021 -0600 Revert "signal: don't allow sending any signals to PF_IO_WORKER threads" This reverts commit 5be28c8f85ce99ed2d329d2ad8bdd18ea19473a5. IO threads now take signals just fine, so there's no reason to limit them specifically. Revert the change that prevented that from happening. Signed-off-by: Jens Axboe commit b16b3855d89fba640996fefdd3a113c0aa0e380d Author: Jens Axboe Date: Fri Mar 26 09:05:22 2021 -0600 kernel: stop masking signals in create_io_thread() This is racy - move the blocking into when the task is created and we're marking it as PF_IO_WORKER anyway. The IO threads are now prepared to handle signals like SIGSTOP as well, so clear that from the mask to allow proper stopping of IO threads. Acked-by: "Eric W. Biederman" Reported-by: Oleg Nesterov Signed-off-by: Jens Axboe commit dbe1bdbb39db7dfe80a903f0d267f62cf3f093d2 Author: Jens Axboe Date: Thu Mar 25 18:16:06 2021 -0600 io_uring: handle signals for IO threads like a normal thread We go through various hoops to disallow signals for the IO threads, but there's really no reason why we cannot just allow them. The IO threads never return to userspace like a normal thread, and hence don't go through normal signal processing. Instead, just check for a pending signal as part of the work loop, and call get_signal() to handle it for us if anything is pending. With that, we can support receiving signals, including special ones like SIGSTOP. Acked-by: "Eric W. Biederman" Signed-off-by: Jens Axboe commit e82fc7855749aa197740a60ef22c492c41ea5d5f Author: Ming Lei Date: Sat Mar 27 15:13:09 2021 +0800 block: don't create too many partitions Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") drops the check on max supported number of partitionsr, and allows partition with bigger partition numbers to be added. However, ->bd_partno is defined as u8, so partition index of xarray table may not match with ->bd_partno. Then delete_partition() may delete one unmatched partition, and caused use-after-free. Reviewed-by: Bart Van Assche Reported-by: syzbot+8fede7e30c7cee0de139@syzkaller.appspotmail.com Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl") Signed-off-by: Ming Lei Signed-off-by: Jens Axboe commit 3756b6578709c55819742f6ba0c18f93e8901397 Merge: 53e7bf507ac58 491aef7caeb34 Author: Greg Kroah-Hartman Date: Sat Mar 27 12:39:18 2021 +0100 Merge tag 'icc-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc into char-misc-linus Georgi writes: interconnect fixes for v5.12 This contains a few tiny drivers and core fixes that have been reported during this cycle. - msm8939: Remove rpm-ids from non-RPM nodes - core: Fix error return code of icc_link_destroy() - core: Fix kerneldoc warning Signed-off-by: Georgi Djakov * tag 'icc-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/djakov/icc: interconnect: Fix kerneldoc warning interconnect: core: fix error return code of icc_link_destroy() interconnect: qcom: msm8939: remove rpm-ids from non-RPM nodes commit 53e7bf507ac583bc41cec0a8429158d6fe546798 Merge: 01faae5193d61 2e8496f31d0be Author: Greg Kroah-Hartman Date: Sat Mar 27 12:38:19 2021 +0100 Merge tag 'fpga-fixes-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mdf/linux-fpga into char-misc-linus Moritz writes: FPGA Manager fixes for 5.12 Richard's fix addresses an errornously flipped flag. All patches have been reviewed on the mailing list, and have been in the last few linux-next releases (as part of my fixes branch) without issues. Signed-off-by: Moritz Fischer * tag 'fpga-fixes-for-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mdf/linux-fpga: firmware: stratix10-svc: reset COMMAND_RECONFIG_FLAG_PARTIAL to 0 commit 861de02e5f3f2a104eecc5af1d248cb7bf8c5f75 Author: Jiri Olsa Date: Fri Mar 26 11:59:00 2021 +0100 bpf: Take module reference for trampoline in module Currently module can be unloaded even if there's a trampoline register in it. It's easily reproduced by running in parallel: # while :; do ./test_progs -t module_attach; done # while :; do rmmod bpf_testmod; sleep 0.5; done Taking the module reference in case the trampoline's ip is within the module code. Releasing it when the trampoline's ip is unregistered. Signed-off-by: Jiri Olsa Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20210326105900.151466-1-jolsa@kernel.org commit cf97d7af246831ea23c216f17205f91319afc85f Author: Pawel Laszczak Date: Mon Mar 22 06:47:14 2021 +0100 usb: cdnsp: Fixes issue with dequeuing requests after disabling endpoint Patch fixes the bug: BUG: kernel NULL pointer dereference, address: 0000000000000050 PGD 0 P4D 0 Oops: 0002 [#1] SMP PTI CPU: 0 PID: 4137 Comm: uvc-gadget Tainted: G OE 5.10.0-next-20201214+ #3 Hardware name: ASUS All Series/Q87T, BIOS 0908 07/22/2014 RIP: 0010:cdnsp_remove_request+0xe9/0x530 [cdnsp_udc_pci] Code: 01 00 00 31 f6 48 89 df e8 64 d4 ff ff 48 8b 43 08 48 8b 13 45 31 f6 48 89 42 08 48 89 10 b8 98 ff ff ff 48 89 1b 48 89 5b 08 <41> 83 6d 50 01 41 83 af d0 00 00 00 01 41 f6 84 24 78 20 00 00 08 RSP: 0018:ffffb68d00d07b60 EFLAGS: 00010046 RAX: 00000000ffffff98 RBX: ffff9d29c57fbf00 RCX: 0000000000001400 RDX: ffff9d29c57fbf00 RSI: 0000000000000000 RDI: ffff9d29c57fbf00 RBP: ffffb68d00d07bb0 R08: ffff9d2ad9510a00 R09: ffff9d2ac011c000 R10: ffff9d2a12b6e760 R11: 0000000000000000 R12: ffff9d29d3fb8000 R13: 0000000000000000 R14: 0000000000000000 R15: ffff9d29d3fb88c0 FS: 0000000000000000(0000) GS:ffff9d2adba00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000050 CR3: 0000000102164005 CR4: 00000000001706f0 Call Trace: cdnsp_ep_dequeue+0x3c/0x90 [cdnsp_udc_pci] cdnsp_gadget_ep_dequeue+0x3f/0x80 [cdnsp_udc_pci] usb_ep_dequeue+0x21/0x70 [udc_core] uvcg_video_enable+0x19d/0x220 [usb_f_uvc] uvc_v4l2_release+0x49/0x90 [usb_f_uvc] v4l2_release+0xa5/0x100 [videodev] __fput+0x99/0x250 ____fput+0xe/0x10 task_work_run+0x75/0xb0 do_exit+0x370/0xb80 do_group_exit+0x43/0xa0 get_signal+0x12d/0x820 arch_do_signal_or_restart+0xb2/0x870 ? __switch_to_asm+0x36/0x70 ? kern_select+0xc6/0x100 exit_to_user_mode_prepare+0xfc/0x170 syscall_exit_to_user_mode+0x2a/0x40 do_syscall_64+0x43/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fe969cf5dd7 Code: Unable to access opcode bytes at RIP 0x7fe969cf5dad. Problem occurs for UVC class. During disconnecting the UVC class disable endpoints and then start dequeuing all requests. This leads to situation where requests are removed twice. The first one in cdnsp_gadget_ep_disable and the second in cdnsp_gadget_ep_dequeue function. Patch adds condition in cdnsp_gadget_ep_dequeue function which allows dequeue requests only from enabled endpoint. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Signed-off-by: Pawel Laszczak Signed-off-by: Peter Chen commit cfc63fc8126a93cbf95379bc4cad79a7b15b6ece Author: Steve French Date: Fri Mar 26 18:41:55 2021 -0500 smb3: fix cached file size problems in duplicate extents (reflink) There were two problems (one of which could cause data corruption) that were noticed with duplicate extents (ie reflink) when debugging why various xfstests were being incorrectly skipped (e.g. generic/138, generic/140, generic/142). First, we were not updating the file size locally in the cache when extending a file due to reflink (it would refresh after actimeo expires) but xfstest was checking the size immediately which was still 0 so caused the test to be skipped. Second, we were setting the target file size (which could shrink the file) in all cases to the end of the reflinked range rather than only setting the target file size when reflink would extend the file. CC: Signed-off-by: Steve French commit 219481a8f90ec3a5eed9638fb35609e4b1aeece7 Author: Vincent Whitchurch Date: Fri Mar 19 14:57:11 2021 +0100 cifs: Silently ignore unknown oplock break handle Make SMB2 not print out an error when an oplock break is received for an unknown handle, similar to SMB1. The debug message which is printed for these unknown handles may also be misleading, so fix that too. The SMB2 lease break path is not affected by this patch. Without this, a program which writes to a file from one thread, and opens, reads, and writes the same file from another thread triggers the below errors several times a minute when run against a Samba server configured with "smb2 leases = no". CIFS: VFS: \\192.168.0.1 No task to wake, unknown frame received! NumMids 2 00000000: 424d53fe 00000040 00000000 00000012 .SMB@........... 00000010: 00000001 00000000 ffffffff ffffffff ................ 00000020: 00000000 00000000 00000000 00000000 ................ 00000030: 00000000 00000000 00000000 00000000 ................ Signed-off-by: Vincent Whitchurch Reviewed-by: Tom Talpey Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French commit cee8f4f6fcabfdf229542926128e9874d19016d5 Author: Ronnie Sahlberg Date: Thu Mar 25 16:26:35 2021 +1000 cifs: revalidate mapping when we open files for SMB1 POSIX RHBZ: 1933527 Under SMB1 + POSIX, if an inode is reused on a server after we have read and cached a part of a file, when we then open the new file with the re-cycled inode there is a chance that we may serve the old data out of cache to the application. This only happens for SMB1 (deprecated) and when posix are used. The simplest solution to avoid this race is to force a revalidate on smb1-posix open. Signed-off-by: Ronnie Sahlberg Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French commit 3bffbe9e0b2721bb62d226a4d4211bddae52b00a Author: Shyam Prasad N Date: Fri Mar 26 10:28:16 2021 +0000 cifs: Fix chmod with modefromsid when an older ACE already exists. My recent fixes to cifsacl to maintain inherited ACEs had regressed modefromsid when an older ACL already exists. Found testing xfstest 495 with modefromsid mount option Fixes: f5065508897a ("cifs: Retain old ACEs when converting between mode bits and ACL") Signed-off-by: Shyam Prasad N Reviewed-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French commit 10442994ba195efef6fdcc0c3699e4633cb5161b Author: Jens Axboe Date: Fri Mar 26 08:57:10 2021 -0600 kernel: don't call do_exit() for PF_IO_WORKER threads Right now we're never calling get_signal() from PF_IO_WORKER threads, but in preparation for doing so, don't handle a fatal signal for them. The workers have state they need to cleanup when exiting, so just return instead of calling do_exit() on their behalf. The threads themselves will detect a fatal signal and do proper shutdown. Signed-off-by: Jens Axboe commit 0f4498cef9f5cd18d7c6639a2a902ec1edc5be4e Merge: 7931c531fc527 4edbe1d7bcffc Author: Linus Torvalds Date: Fri Mar 26 12:21:05 2021 -0700 Merge tag 'for-5.12/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm Pull device mapper fixes from Mike Snitzer: - Fix DM verity target's optional argument processing. - Fix DM core's zoned model and zone sectors checks. - Fix spurious "detected capacity change" pr_info() when creating new DM device. - Fix DM ioctl out of bounds array access in handling of DM_LIST_DEVICES_CMD when no devices exist. * tag 'for-5.12/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm: dm ioctl: fix out of bounds array access when no devices dm: don't report "detected capacity change" on device creation dm table: Fix zoned model check and zone sectors check dm verity: fix DM_VERITY_OPTS_MAX value commit 4edbe1d7bcffcd6269f3b5eb63f710393ff2ec7a Author: Mikulas Patocka Date: Fri Mar 26 14:32:32 2021 -0400 dm ioctl: fix out of bounds array access when no devices If there are not any dm devices, we need to zero the "dev" argument in the first structure dm_name_list. However, this can cause out of bounds write, because the "needed" variable is zero and len may be less than eight. Fix this bug by reporting DM_BUFFER_FULL_FLAG if the result buffer is too small to hold the "nl->dev" value. Signed-off-by: Mikulas Patocka Reported-by: Dan Carpenter Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer commit 7931c531fc527da650e1761d35216ff8edf28a94 Merge: 8a3cbdda18102 e1db18b59729e Author: Linus Torvalds Date: Fri Mar 26 11:33:39 2021 -0700 Merge tag 'acpi-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull ACPI fixes from Rafael Wysocki: "These fix a memory management regression in ACPICA, repair an ACPI blacklist entry damaged inadvertently during the 5.11 cycle and fix the bookkeeping of devices with the same primary device ID in the ACPI core. Specifics: - Make ACPICA use the same object cache consistently when allocating and freeing objects (Vegard Nossum) - Add a callback pointer removed inadvertently during the 5.11 cycle to the ACPI backlight blacklist entry for Sony VPCEH3U1E (Chris Chiu) - Make the ACPI device enumeration core use IDA for creating names of ACPI device objects with the same primary device ID to avoid using duplicate device object names in some cases (Andy Shevchenko)" * tag 'acpi-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPICA: Always create namespace nodes using acpi_ns_create_node() ACPI: scan: Use unique number for instance_no ACPI: video: Add missing callback back for Sony VPCEH3U1E commit 8a3cbdda181024f9ee7200504e748d2e91adad1a Merge: eb3991ef2c0eb 6f3a283c2f6bb Author: Linus Torvalds Date: Fri Mar 26 11:29:36 2021 -0700 Merge tag 'pm-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fixes from Rafael Wysocki: "These fix an issue related to device links in the runtime PM framework and debugfs usage in the Energy Model code. Specifics: - Modify the runtime PM device suspend to avoid suspending supplier devices before the consumer device's status changes to RPM_SUSPENDED (Rafael Wysocki) - Change the Energy Model code to prevent it from attempting to create its main debugfs directory too early (Lukasz Luba)" * tag 'pm-5.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: PM: EM: postpone creating the debugfs dir till fs_initcall PM: runtime: Defer suspending suppliers commit eb3991ef2c0ebb7dc49c260e12ae1575d1e153b2 Merge: 6c20f6df61ee7 67335b8d28cd2 Author: Linus Torvalds Date: Fri Mar 26 11:19:38 2021 -0700 Merge tag 'soc-fixes-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "Too many fixes have accumulated in the soc tree, so this is a fairly large set. As usual, most of the fixes are for devicetree files, but there are also notable code changes for imx and omap regressions as well as some maintainer file updates. imx: - Fix an Ethernet issue on imx6ul-14x14-evk board that is caused by independent PHY reset. - Add missing `dma-coherent` property for LayerScape device trees to fix a kernel BUG report. - Use IRQCHIP_DECLARE for AVIC driver to fix a boot issue on i.MX25 with fw_devlink=on. - Add missing I2C pinctrl entry for imx8mp-phyboard-pollux-rdk board to fix the broken I2C GPIO recovery support. - Add `fsl,use-minimum-ecc` property for imx6ull-myir-mys-6ulx-eval device tree to fix UBI filesystem mount failure. at91: - wrong phy address that blocks Ethernet use on boards with sama5d27 SoM1 - restrictive pin possibilities for sam9x60 omap: - Fix ocp interconnect bus access error reporting for omap_l3_noc by setting IRQF_NO_THREAD - Fix changed mmc slot order regression by adding mmc aliases for am335x - Fix dra7 reboot regression caused by invalid pcie reset map - Fix smartreflex init regression caused by dropped legacy data - Fix ti-sysc driver warning on unbind if reset is not deasserted - Fix flakey reset deassert for dra7 iva stm32: - MAINTAINER file updates broadcom: - brcmstb SoC ID build fix - MAINTAINER file updates" * tag 'soc-fixes-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: MAINTAINERS: Add Alain Volmat as STM32 I2C/SMBUS maintainer MAINTAINERS: Remove Vincent Abriou for STM/STI DRM drivers. MAINTAINERS: Update some st.com email addresses to foss.st.com ARM: dts: imx6ull: fix ubi filesystem mount failed ARM: imx6ul-14x14-evk: Do not reset the Ethernet PHYs independently arm64: dts: imx8mp-phyboard-pollux-rdk: Add missing pinctrl entry arm64: dts: ls1012a: mark crypto engine dma coherent arm64: dts: ls1043a: mark crypto engine dma coherent arm64: dts: ls1046a: mark crypto engine dma coherent ARM: imx: avic: Convert to using IRQCHIP_DECLARE ARM: dts: at91: sam9x60: fix mux-mask to match product's datasheet ARM: dts: at91: sam9x60: fix mux-mask for PA7 so it can be set to A, B and C ARM: dts: at91-sama5d27_som1: fix phy address to 7 soc: ti: omap-prm: Fix occasional abort on reset deassert for dra7 iva bus: ti-sysc: Fix warning on unbind if reset is not deasserted ARM: OMAP2+: Fix smartreflex init regression after dropping legacy data soc: ti: omap-prm: Fix reboot issue with invalid pcie reset map for dra7 MAINTAINERS: rectify BROADCOM PMB (POWER MANAGEMENT BUS) DRIVER ARM: dts: am33xx: add aliases for mmc interfaces bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD commit 6c20f6df61ee7b8b562143504cf3e89ae802de87 Merge: f944d061f847b af44a387e743a Author: Linus Torvalds Date: Fri Mar 26 11:15:25 2021 -0700 Merge tag 'for-linus-5.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip Pull xen fixes from Juergen Gross: "This contains a small series with a more elegant fix of a problem which was originally fixed in rc2" * tag 'for-linus-5.12b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip: Revert "xen: fix p2m size in dom0 for disabled memory hotplug case" xen/x86: make XEN_BALLOON_MEMORY_HOTPLUG_LIMIT depend on MEMORY_HOTPLUG commit f944d061f847b0ccf0ebc095b5a6ba9ea9caec4e Merge: 57a9006240b22 09d78dde88ef9 Author: Linus Torvalds Date: Fri Mar 26 11:05:18 2021 -0700 Merge tag 'drm-fixes-2021-03-26' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "As expected last week things were overly quiet so this week things seem to have caught up. It still isn't too major. msm and amdgpu lead the size here, the msm fixes are pretty varied across the driver, the amdgpu one is mostly the S0ix fixes with some other minor ones. Otherwise there are a few i915 fixes and one each for nouveau, etnaviv and rcar-du. msm: - pll fixes - shutdown hook fix - runtime resume fix - clear_oob fix - kms locking fix - display aux retry fix rcar-du: - warn_on in encoder init fix etnaviv: - Use FOLL_FORCE and FOLL_LONGTERM i915: - DisplayPort LTTPR fixes around link training and limiting it according to supported spec version. - Fix enabled_planes bitmask to really represent only logically enabled planes. - Fix DSS CTL registers for ICL DSI transcoders - Fix the GT fence revocation runtime PM logic. nouveau: - cursor size regression fix amdgpu: - S0ix fixes - Add PCI ID - Polaris PCIe DPM fix - Display fix for high refresh rate monitors" * tag 'drm-fixes-2021-03-26' of git://anongit.freedesktop.org/drm/drm: (37 commits) drm/nouveau/kms/nve4-nv108: Limit cursors to 128x128 drm/i915: Fix the GT fence revocation runtime PM logic drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x drm/amdgpu: Add additional Sienna Cichlid PCI ID drm/amd/pm: workaround for audio noise issue drm/i915/dsc: fix DSS CTL register usage for ICL DSI transcoders drm/i915: Fix enabled_planes bitmask drm/i915: Disable LTTPR support when the LTTPR rev < 1.4 drm/i915: Disable LTTPR support when the DPCD rev < 1.4 drm/i915/ilk-glk: Fix link training on links with LTTPRs drm/msm/disp/dpu1: icc path needs to be set before dpu runtime resume drm/amdgpu: skip kfd suspend/resume for S0ix drm/amdgpu: drop S0ix checks around CG/PG in suspend drm/amdgpu: skip CG/PG for gfx during S0ix drm/amdgpu: update comments about s0ix suspend/resume drm/amdgpu/swsmu: skip gfx cgpg on s0ix suspend drm/amdgpu: re-enable suspend phase 2 for S0ix drm/amdgpu: move s0ix check into amdgpu_device_ip_suspend_phase2 (v3) drm/amdgpu: clean up non-DC suspend/resume handling drm/amdgpu: don't evict vram on APUs for suspend to ram (v4) ... commit 57a9006240b229b9d77ef60fadb30d2067438437 Author: Pavel Machek Date: Fri Mar 26 10:01:52 2021 +0100 remove Dan Murphy from TI from MAINTAINERS Dan's address bounces, and has been bouncing for some time as he moved to other projects. I believe TI should be more careful with this, and should assign alternate contacts for their drivers. Anyway what we can do now is to remove the obsolete address. Signed-off-by: Pavel Machek Signed-off-by: Linus Torvalds commit d6fe1cf89026d3111112ee29ef8d93cd7a8aaa24 Author: Xu Kuohai Date: Thu Mar 25 13:41:41 2021 +0000 bpf: Fix a spelling typo in bpf_atomic_alu_string disasm The name string for BPF_XOR is "xor", not "or". Fix it. Fixes: 981f94c3e921 ("bpf: Add bitwise atomic instructions") Signed-off-by: Xu Kuohai Signed-off-by: Daniel Borkmann Acked-by: Brendan Jackman Link: https://lore.kernel.org/bpf/20210325134141.8533-1-xukuohai@huawei.com commit d8e8052e42d0f8ff59898b9b4142b16958627ac9 Author: Toke Høiland-Jørgensen Date: Fri Mar 26 11:03:14 2021 +0100 bpf/selftests: Test that kernel rejects a TCP CC with an invalid license This adds a selftest to check that the verifier rejects a TCP CC struct_ops with a non-GPL license. Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20210326100314.121853-2-toke@redhat.com commit 12aa8a9467b354ef893ce0fc5719a4de4949a9fb Author: Toke Høiland-Jørgensen Date: Fri Mar 26 11:03:13 2021 +0100 bpf: Enforce that struct_ops programs be GPL-only With the introduction of the struct_ops program type, it became possible to implement kernel functionality in BPF, making it viable to use BPF in place of a regular kernel module for these particular operations. Thus far, the only user of this mechanism is for implementing TCP congestion control algorithms. These are clearly marked as GPL-only when implemented as modules (as seen by the use of EXPORT_SYMBOL_GPL for tcp_register_congestion_control()), so it seems like an oversight that this was not carried over to BPF implementations. Since this is the only user of the struct_ops mechanism, just enforcing GPL-only for the struct_ops program type seems like the simplest way to fix this. Fixes: 0baf26b0fcd7 ("bpf: tcp: Support tcp_congestion_ops in bpf") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20210326100314.121853-1-toke@redhat.com commit a95d8f581901c560ff1b63bc02107eb34a6efb1b Author: Geert Uytterhoeven Date: Fri Mar 26 13:07:21 2021 +0100 cpufreq: Fix scaling_{available,boost}_frequencies_show() comments The function names in the comment blocks for the functions scaling_available_frequencies_show() and scaling_boost_frequencies_show() do not match the actual names. Fixes: 6f19efc0a1ca08bc ("cpufreq: Add boost frequency support in core") Signed-off-by: Geert Uytterhoeven Signed-off-by: Rafael J. Wysocki commit e1db18b59729e24f001459b98955019344d5b12b Merge: 25928deeb1e4e c1d1e25a8c542 eb50aaf960e3b Author: Rafael J. Wysocki Date: Fri Mar 26 16:55:56 2021 +0100 Merge branches 'acpi-video' and 'acpi-scan' * acpi-video: ACPI: video: Add missing callback back for Sony VPCEH3U1E * acpi-scan: ACPI: scan: Use unique number for instance_no commit 6f3a283c2f6bbbb5a9a6801a0befa61cb60195f1 Merge: 5244f5e2d8012 fb9d62b27ab1e Author: Rafael J. Wysocki Date: Fri Mar 26 16:44:26 2021 +0100 Merge branch 'pm-em' * pm-em: PM: EM: postpone creating the debugfs dir till fs_initcall commit a846738f8c3788d846ed1f587270d2f2e3d32432 Author: Jan Beulich Date: Fri Mar 26 16:33:53 2021 +0100 xen-blkback: don't leak persistent grants from xen_blkbk_map() The fix for XSA-365 zapped too many of the ->persistent_gnt[] entries. Ones successfully obtained should not be overwritten, but instead left for xen_blkbk_unmap_prepare() to pick up and put. This is XSA-371. Signed-off-by: Jan Beulich Cc: stable@vger.kernel.org Reviewed-by: Juergen Gross Reviewed-by: Wei Liu Signed-off-by: Juergen Gross commit 29d96eb261345c8d888e248ae79484e681be2faa Author: Roja Rani Yarubandi Date: Wed Mar 24 15:48:35 2021 +0530 soc: qcom-geni-se: Cleanup the code to remove proxy votes This reverts commit 048eb908a1f2 ("soc: qcom-geni-se: Add interconnect support to fix earlycon crash") ICC core and platforms drivers supports sync_state feature, which ensures that the default ICC BW votes from the bootloader is not removed until all it's consumers are probes. The proxy votes were needed in case other QUP child drivers I2C, SPI probes before UART, they can turn off the QUP-CORE clock which is shared resources for all QUP driver, this causes unclocked access to HW from earlycon. Given above support from ICC there is no longer need to maintain proxy votes on QUP-CORE ICC node from QUP wrapper driver for early console usecase, the default votes won't be removed until real console is probed. Cc: stable@vger.kernel.org Fixes: 266cd33b5913 ("interconnect: qcom: Ensure that the floor bandwidth value is enforced") Fixes: 7d3b0b0d8184 ("interconnect: qcom: Use icc_sync_state") Signed-off-by: Roja Rani Yarubandi Signed-off-by: Akash Asthana Reviewed-by: Matthias Kaehlcke Link: https://lore.kernel.org/r/20210324101836.25272-2-rojay@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 93f672804bf2d7a49ef3fd96827ea6290ca1841e Author: Artur Petrosyan Date: Fri Mar 26 14:25:09 2021 +0400 usb: dwc2: Prevent core suspend when port connection flag is 0 In host mode port connection status flag is "0" when loading the driver. After loading the driver system asserts suspend which is handled by "_dwc2_hcd_suspend()" function. Before the system suspend the port connection status is "0". As result need to check the "port_connect_status" if it is "0", then skipping entering to suspend. Cc: # 5.2 Fixes: 6f6d70597c15 ("usb: dwc2: bus suspend/resume for hosts with DWC2_POWER_DOWN_PARAM_NONE") Signed-off-by: Artur Petrosyan Link: https://lore.kernel.org/r/20210326102510.BDEDEA005D@mailhost.synopsys.com Signed-off-by: Greg Kroah-Hartman commit 5e3bbae8ee3d677a0aa2919dc62b5c60ea01ba61 Author: Artur Petrosyan Date: Fri Mar 26 14:24:46 2021 +0400 usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. Increased the waiting timeout for HPRT0.PrtSusp register field to be set, because on HiKey 960 board HPRT0.PrtSusp wasn't generated with the existing timeout. Cc: # 4.18 Fixes: 22bb5cfdf13a ("usb: dwc2: Fix host exit from hibernation flow.") Signed-off-by: Artur Petrosyan Acked-by: Minas Harutyunyan Link: https://lore.kernel.org/r/20210326102447.8F7FEA005D@mailhost.synopsys.com Signed-off-by: Greg Kroah-Hartman commit 92af4fc6ec331228aca322ca37c8aea7b150a151 Author: Tony Lindgren Date: Wed Mar 24 09:11:41 2021 +0200 usb: musb: Fix suspend with devices connected for a64 Pinephone running on Allwinner A64 fails to suspend with USB devices connected as reported by Bhushan Shah . Reverting commit 5fbf7a253470 ("usb: musb: fix idling for suspend after disconnect interrupt") fixes the issue. Let's add suspend checks also for suspend after disconnect interrupt quirk handling like we already do elsewhere. Fixes: 5fbf7a253470 ("usb: musb: fix idling for suspend after disconnect interrupt") Reported-by: Bhushan Shah Tested-by: Bhushan Shah Signed-off-by: Tony Lindgren Link: https://lore.kernel.org/r/20210324071142.42264-1-tony@atomide.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 6f978a30c9bb12dab1302d0f06951ee290f5e600 Author: Chunfeng Yun Date: Tue Mar 23 15:02:46 2021 +0800 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI The MediaTek 0.96 xHCI controller on some platforms does not support bulk stream even HCCPARAMS says supporting, due to MaxPSASize is set a default value 1 by mistake, here use XHCI_BROKEN_STREAMS quirk to fix it. Fixes: 94a631d91ad3 ("usb: xhci-mtk: check hcc_params after adding primary hcd") Cc: stable Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/1616482975-17841-4-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman commit 5aef629704ad4d983ecf5c8a25840f16e45b6d59 Author: Wesley Cheng Date: Wed Mar 24 11:31:04 2021 -0700 usb: dwc3: gadget: Clear DEP flags after stop transfers in ep disable Ensure that dep->flags are cleared until after stop active transfers is completed. Otherwise, the ENDXFER command will not be executed during ep disable. Fixes: f09ddcfcb8c5 ("usb: dwc3: gadget: Prevent EP queuing while stopping transfers") Cc: stable Reported-and-tested-by: Andy Shevchenko Tested-by: Marek Szyprowski Signed-off-by: Wesley Cheng Link: https://lore.kernel.org/r/1616610664-16495-1-git-send-email-wcheng@codeaurora.org Signed-off-by: Greg Kroah-Hartman commit 1cc5ed25bdade86de2650a82b2730108a76de20c Author: Shuah Khan Date: Wed Mar 24 17:06:54 2021 -0600 usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() Fix shift out-of-bounds in vhci_hub_control() SetPortFeature handling. UBSAN: shift-out-of-bounds in drivers/usb/usbip/vhci_hcd.c:605:42 shift exponent 768 is too large for 32-bit type 'int' Reported-by: syzbot+3dea30b047f41084de66@syzkaller.appspotmail.com Cc: stable@vger.kernel.org Signed-off-by: Shuah Khan Link: https://lore.kernel.org/r/20210324230654.34798-1-skhan@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 45a4546c6167a2da348a31ca439d8a8ff773b6ea Author: Shyam Prasad N Date: Thu Mar 25 12:34:54 2021 +0000 cifs: Adjust key sizes and key generation routines for AES256 encryption For AES256 encryption (GCM and CCM), we need to adjust the size of a few fields to 32 bytes instead of 16 to accommodate the larger keys. Also, the L value supplied to the key generator needs to be changed from to 256 when these algorithms are used. Keeping the ioctl struct for dumping keys of the same size for now. Will send out a different patch for that one. Signed-off-by: Shyam Prasad N Reviewed-by: Ronnie Sahlberg CC: # v5.10+ Signed-off-by: Steve French commit 1dc481c0b0cf18d3952d93a73c4ece90dec277f0 Author: Leo Yan Date: Sat Mar 20 18:45:54 2021 +0800 perf test: Change to use bash for daemon test When executing the daemon test on Arm64 and x86 with Debian (Buster) distro, both skip the test case with the log: # ./perf test -v 76 76: daemon operations : --- start --- test child forked, pid 11687 test daemon list trap: SIGINT: bad trap ./tests/shell/daemon.sh: 173: local: cpu-clock: bad variable name test child finished with -2 ---- end ---- daemon operations: Skip So the error happens for the variable expansion when use local variable in the shell script. Since Debian Buster uses dash but not bash as non-interactive shell, when execute the daemon testing, it hits a known issue for dash which was reported [1]. To resolve this issue, one option is to add double quotes for all local variables assignment, so need to change the code from: local line=`perf daemon --config ${config} -x: | head -2 | tail -1` ... to: local line="`perf daemon --config ${config} -x: | head -2 | tail -1`" But the testing script has bunch of local variables, this leads to big changes for whole script. On the other hand, the testing script asks to use the "local" feature which is bash-specific, so this patch explicitly uses "#!/bin/bash" to ensure running the script with bash. After: # ./perf test -v 76 76: daemon operations : --- start --- test child forked, pid 11329 test daemon list test daemon reconfig test daemon stop test daemon signal signal 12 sent to session 'test [11596]' signal 12 sent to session 'test [11596]' test daemon ping test daemon lock test child finished with 0 ---- end ---- daemon operations: Ok [1] https://bugs.launchpad.net/ubuntu/+source/dash/+bug/139097 Fixes: 2291bb915b55 ("perf tests: Add daemon 'list' command test") Signed-off-by: Leo Yan Acked-by: Namhyung Kim Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Ian Rogers Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210320104554.529213-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo commit 53f1d31708f6240e4615b0927df31f182e389e2f Author: Aneesh Kumar K.V Date: Fri Mar 26 12:37:55 2021 +0530 powerpc/mm/book3s64: Use the correct storage key value when calling H_PROTECT H_PROTECT expects the flag value to include flags: AVPN, pp0, pp1, pp2, key0-key4, Noexec, CMO Option flags This patch updates hpte_updatepp() to fetch the storage key value from the linux page table and use the same in H_PROTECT hcall. native_hpte_updatepp() is not updated because the kernel doesn't clear the existing storage key value there. The kernel also doesn't use hpte_updatepp() callback for updating storage keys. This fixes the below kernel crash observed with KUAP enabled. BUG: Unable to handle kernel data access on write at 0xc009fffffc440000 Faulting instruction address: 0xc0000000000b7030 Key fault AMR: 0xfcffffffffffffff IAMR: 0xc0000077bc498100 Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries ... CFAR: c000000000010100 DAR: c009fffffc440000 DSISR: 02200000 IRQMASK: 0 ... NIP memset+0x68/0x104 LR pcpu_alloc+0x54c/0xb50 Call Trace: pcpu_alloc+0x55c/0xb50 (unreliable) blk_stat_alloc_callback+0x94/0x150 blk_mq_init_allocated_queue+0x64/0x560 blk_mq_init_queue+0x54/0xb0 scsi_mq_alloc_queue+0x30/0xa0 scsi_alloc_sdev+0x1cc/0x300 scsi_probe_and_add_lun+0xb50/0x1020 __scsi_scan_target+0x17c/0x790 scsi_scan_channel+0x90/0xe0 scsi_scan_host_selected+0x148/0x1f0 do_scan_async+0x2c/0x2a0 async_run_entry_fn+0x78/0x220 process_one_work+0x264/0x540 worker_thread+0xa8/0x600 kthread+0x190/0x1a0 ret_from_kernel_thread+0x5c/0x6c With KUAP enabled the kernel uses storage key 3 for all its translations. But as shown by the debug print, in this specific case we have the hash page table entry created with key value 0. Found HPTE: v = 0x40070adbb6fffc05 r = 0x1ffffffffff1194 and DSISR indicates a key fault. This can happen due to parallel fault on the same EA by different CPUs: CPU 0 CPU 1 fault on X H_PAGE_BUSY set fault on X finish fault handling and clear H_PAGE_BUSY check for H_PAGE_BUSY continue with fault handling. This implies CPU1 will end up calling hpte_updatepp for address X and the kernel updated the hash pte entry with key 0 Fixes: d94b827e89dc ("powerpc/book3s64/kuap: Use Key 3 for kernel mapping with hash translation") Reported-by: Murilo Opsfelder Araujo Signed-off-by: Aneesh Kumar K.V Debugged-by: Michael Ellerman Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210326070755.304625-1-aneesh.kumar@linux.ibm.com commit 014305d001987a0eeada6bac610a8665f92aae24 Author: Wan Jiabing Date: Thu Mar 25 14:19:01 2021 +0800 drivers: gpu: drm: xen_drm_front_drm_info is declared twice struct xen_drm_front_drm_info has been declared. Remove the duplicate. Signed-off-by: Wan Jiabing Reviewed-by: Oleksandr Andrushchenko Signed-off-by: Oleksandr Andrushchenko Link: https://patchwork.freedesktop.org/patch/msgid/20210325061901.851273-1-wanjiabing@vivo.com commit 52762efa2b256ed1c5274e5177cbd52ee11a2f6a Author: Lv Yunlong Date: Mon Mar 22 18:46:56 2021 -0700 gpu/xen: Fix a use after free in xen_drm_drv_init In function displback_changed, has the call chain displback_connect(front_info)->xen_drm_drv_init(front_info). We can see that drm_info is assigned to front_info->drm_info and drm_info is freed in fail branch in xen_drm_drv_init(). Later displback_disconnect(front_info) is called and it calls xen_drm_drv_fini(front_info) cause a use after free by drm_info = front_info->drm_info statement. My patch has done two things. First fixes the fail label which drm_info = kzalloc() failed and still free the drm_info. Second sets front_info->drm_info to NULL to avoid uaf. Signed-off-by: Lv Yunlong Reviewed-by: Oleksandr Andrushchenko Signed-off-by: Oleksandr Andrushchenko Link: https://patchwork.freedesktop.org/patch/msgid/20210323014656.10068-1-lyl2019@mail.ustc.edu.cn commit 6032ebb54c60cae24329f6aba3ce0c1ca8ad6abe Author: Pedro Tammela Date: Thu Mar 25 12:01:15 2021 -0300 libbpf: Fix bail out from 'ringbuf_process_ring()' on error The current code bails out with negative and positive returns. If the callback returns a positive return code, 'ring_buffer__consume()' and 'ring_buffer__poll()' will return a spurious number of records consumed, but mostly important will continue the processing loop. This patch makes positive returns from the callback a no-op. Fixes: bf99c936f947 ("libbpf: Add BPF ring buffer support") Signed-off-by: Pedro Tammela Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210325150115.138750-1-pctammela@mojatatu.com commit 09d78dde88ef95a27b54a6e450ee700ccabdf39d Merge: 4e8d123fca536 627dc55c273da Author: Dave Airlie Date: Fri Mar 26 12:59:21 2021 +1000 Merge tag 'drm-msm-fixes-2021-02-25' of https://gitlab.freedesktop.org/drm/msm into drm-fixes - pll fixes - shutdown hook fix - runtime resume fix - clear_oob fix - kms locking fix - display aux retry fix Signed-off-by: Dave Airlie From: Rob Clark Link: https://patchwork.freedesktop.org/patch/msgid/CAF6AEGvmiMKRms_NVavD=NA_jbuexZUcqqL35ke7umqpp-TxMw@mail.gmail.com commit 75887e881b19c903d34b7cc33e7e6188679d9752 Merge: 3a87571f0ffc5 f2916ae9a1bc8 Author: David S. Miller Date: Thu Mar 25 17:43:40 2021 -0700 Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/tnguy/net-queue Tony Nguyen says: ==================== Intel Wired LAN Driver Updates 2021-03-25 This series contains updates to virtchnl header file and i40e driver. Norbert removes added padding from virtchnl RSS structures as this causes issues when iterating over the arrays. Mateusz adds Asym_Pause as supported to allow these settings to be set as the hardware supports it. Eryk fixes an issue where encountering a VF reset alongside releasing VFs could cause a call trace. Arkadiusz moves TC setup before resource setup as previously it was possible to enter with a null q_vector causing a kernel oops. ==================== Signed-off-by: David S. Miller commit 3a87571f0ffc51ba3bf3ecdb6032861d0154b164 Author: Eric Dumazet Date: Thu Mar 25 11:14:53 2021 -0700 sch_red: fix off-by-one checks in red_check_params() This fixes following syzbot report: UBSAN: shift-out-of-bounds in ./include/net/red.h:237:23 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 1 PID: 8418 Comm: syz-executor170 Not tainted 5.12.0-rc4-next-20210324-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 red_set_parms include/net/red.h:237 [inline] choke_change.cold+0x3c/0xc8 net/sched/sch_choke.c:414 qdisc_create+0x475/0x12f0 net/sched/sch_api.c:1247 tc_modify_qdisc+0x4c8/0x1a50 net/sched/sch_api.c:1663 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:674 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x43f039 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffdfa725168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f039 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004 RBP: 0000000000403020 R08: 0000000000400488 R09: 0000000000400488 R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004030b0 R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488 Fixes: 8afa10cbe281 ("net_sched: red: Avoid illegal values") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller commit 3cec1921a199ba52fa8c7239755c58107842dd65 Merge: aa5a5b7ae5b25 68c1a943ef37b Author: David S. Miller Date: Thu Mar 25 17:27:30 2021 -0700 Merge branch 'tunnel-shinfo' Antoine Tenart says: ==================== net: do not modify the shared tunnel info when PMTU triggers an ICMP reply The series fixes an issue were a shared ip_tunnel_info is modified when PMTU triggers an ICMP reply in vxlan and geneve, making following packets in that flow to have a wrong destination address if the flow isn't updated. A detailled information is given in each of the two commits. This was tested manually with OVS and I ran the PTMU selftests with kmemleak enabled (all OK, none was skipped). ==================== Signed-off-by: David S. Miller commit 68c1a943ef37bafde5ea2383e8ca224c7169ee31 Author: Antoine Tenart Date: Thu Mar 25 16:35:33 2021 +0100 geneve: do not modify the shared tunnel info when PMTU triggers an ICMP reply When the interface is part of a bridge or an Open vSwitch port and a packet exceed a PMTU estimate, an ICMP reply is sent to the sender. When using the external mode (collect metadata) the source and destination addresses are reversed, so that Open vSwitch can match the packet against an existing (reverse) flow. But inverting the source and destination addresses in the shared ip_tunnel_info will make following packets of the flow to use a wrong destination address (packets will be tunnelled to itself), if the flow isn't updated. Which happens with Open vSwitch, until the flow times out. Fixes this by uncloning the skb's ip_tunnel_info before inverting its source and destination addresses, so that the modification will only be made for the PTMU packet, not the following ones. Fixes: c1a800e88dbf ("geneve: Support for PMTU discovery on directly bridged links") Tested-by: Eelco Chaudron Reviewed-by: Eelco Chaudron Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller commit 30a93d2b7d5a7cbb53ac19c9364a256d1aa6c08a Author: Antoine Tenart Date: Thu Mar 25 16:35:32 2021 +0100 vxlan: do not modify the shared tunnel info when PMTU triggers an ICMP reply When the interface is part of a bridge or an Open vSwitch port and a packet exceed a PMTU estimate, an ICMP reply is sent to the sender. When using the external mode (collect metadata) the source and destination addresses are reversed, so that Open vSwitch can match the packet against an existing (reverse) flow. But inverting the source and destination addresses in the shared ip_tunnel_info will make following packets of the flow to use a wrong destination address (packets will be tunnelled to itself), if the flow isn't updated. Which happens with Open vSwitch, until the flow times out. Fixes this by uncloning the skb's ip_tunnel_info before inverting its source and destination addresses, so that the modification will only be made for the PTMU packet, not the following ones. Fixes: fc68c99577cc ("vxlan: Support for PMTU discovery on directly bridged links") Tested-by: Eelco Chaudron Reviewed-by: Eelco Chaudron Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller commit aa5a5b7ae5b2598538dd91a55ae1db7779675a16 Merge: d751350826981 4b5db93e7f2af Author: David S. Miller Date: Thu Mar 25 17:02:01 2021 -0700 Merge branch 'nfc-fixes' Xiaoming Ni says: ==================== nfc: fix Resource leakage and endless loop fix Resource leakage and endless loop in net/nfc/llcp_sock.c, reported by "kiyin(尹亮)". Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 ==================== math: Export mul_u64_u64_div_u64 Fixes: f51d7bf1dbe5 ("ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation") Signed-off-by: David S. Miller commit 4b5db93e7f2afbdfe3b78e37879a85290187e6f1 Author: Xiaoming Ni Date: Thu Mar 25 11:51:13 2021 +0800 nfc: Avoid endless loops caused by repeated llcp_sock_connect() When sock_wait_state() returns -EINPROGRESS, "sk->sk_state" is LLCP_CONNECTING. In this case, llcp_sock_connect() is repeatedly invoked, nfc_llcp_sock_link() will add sk to local->connecting_sockets twice. sk->sk_node->next will point to itself, that will make an endless loop and hang-up the system. To fix it, check whether sk->sk_state is LLCP_CONNECTING in llcp_sock_connect() to avoid repeated invoking. Fixes: b4011239a08e ("NFC: llcp: Fix non blocking sockets connections") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.11 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller commit 7574fcdbdcb335763b6b322f6928dc0fd5730451 Author: Xiaoming Ni Date: Thu Mar 25 11:51:12 2021 +0800 nfc: fix memory leak in llcp_sock_connect() In llcp_sock_connect(), use kmemdup to allocate memory for "llcp_sock->service_name". The memory is not released in the sock_unlink label of the subsequent failure branch. As a result, memory leakage occurs. fix CVE-2020-25672 Fixes: d646960f7986 ("NFC: Initial LLCP support") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.3 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller commit 8a4cd82d62b5ec7e5482333a72b58a4eea4979f0 Author: Xiaoming Ni Date: Thu Mar 25 11:51:11 2021 +0800 nfc: fix refcount leak in llcp_sock_connect() nfc_llcp_local_get() is invoked in llcp_sock_connect(), but nfc_llcp_local_put() is not invoked in subsequent failure branches. As a result, refcount leakage occurs. To fix it, add calling nfc_llcp_local_put(). fix CVE-2020-25671 Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.6 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller commit c33b1cc62ac05c1dbb1cdafe2eb66da01c76ca8d Author: Xiaoming Ni Date: Thu Mar 25 11:51:10 2021 +0800 nfc: fix refcount leak in llcp_sock_bind() nfc_llcp_local_get() is invoked in llcp_sock_bind(), but nfc_llcp_local_put() is not invoked in subsequent failure branches. As a result, refcount leakage occurs. To fix it, add calling nfc_llcp_local_put(). fix CVE-2020-25670 Fixes: c7aa12252f51 ("NFC: Take a reference on the LLCP local pointer when creating a socket") Reported-by: "kiyin(尹亮)" Link: https://www.openwall.com/lists/oss-security/2020/11/01/1 Cc: #v3.6 Signed-off-by: Xiaoming Ni Signed-off-by: David S. Miller commit d75135082698140a26a56defe1bbc1b06f26a41f Author: Shyam Sundar S K Date: Thu Mar 25 08:39:12 2021 +0530 amd-xgbe: Update DMA coherency values Based on the IOMMU configuration, the current cache control settings can result in possible coherency issues. The hardware team has recommended new settings for the PCI device path to eliminate the issue. Fixes: 6f595959c095 ("amd-xgbe: Adjust register settings to improve performance") Signed-off-by: Shyam Sundar S K Acked-by: Tom Lendacky Signed-off-by: David S. Miller commit 3e6fdeb28f4c331acbd27bdb0effc4befd4ef8e8 Author: Martin Blumenstingl Date: Wed Mar 24 20:36:04 2021 +0100 net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock The xMII interface clock depends on the PHY interface (MII, RMII, RGMII) as well as the current link speed. Explicitly configure the GSWIP to automatically select the appropriate xMII interface clock. This fixes an issue seen by some users where ports using an external RMII or RGMII PHY were deaf (no RX or TX traffic could be seen). Most likely this is due to an "invalid" xMII clock being selected either by the bootloader or hardware-defaults. Fixes: 14fceff4771e51 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Signed-off-by: Martin Blumenstingl Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 3ed14d8d47bff8cd70c357da9b72b1f698bf553b Author: Dinh Nguyen Date: Wed Mar 24 08:52:19 2021 -0500 dt-bindings: net: micrel-ksz90x1.txt: correct documentation Correct the Micrel phy documentation for the ksz9021 and ksz9031 phys for how the phy skews are set. Signed-off-by: Dinh Nguyen Signed-off-by: David S. Miller commit de9c7854e6e1589f639c6352112956d08243b659 Author: Daniel Mack Date: Wed Mar 24 14:05:36 2021 +0100 net: axienet: allow setups without MDIO In setups with fixed-link settings there is no mdio node in DTS. axienet_probe() already handles that gracefully but lp->mii_bus is then NULL. Fix code that tries to blindly grab the MDIO lock by introducing two helper functions that make the locking conditional. Signed-off-by: Daniel Mack Reviewed-by: Radhey Shyam Pandey Signed-off-by: David S. Miller commit 479dc497db8322ae486f8ee49020f5600a77a680 Author: Vladimir Oltean Date: Wed Mar 24 11:56:39 2021 +0200 net: dsa: only unset VLAN filtering when last port leaves last VLAN-aware bridge DSA is aware of switches with global VLAN filtering since the blamed commit, but it makes a bad decision when multiple bridges are spanning the same switch: ip link add br0 type bridge vlan_filtering 1 ip link add br1 type bridge vlan_filtering 1 ip link set swp2 master br0 ip link set swp3 master br0 ip link set swp4 master br1 ip link set swp5 master br1 ip link set swp5 nomaster ip link set swp4 nomaster [138665.939930] sja1105 spi0.1: port 3: dsa_core: VLAN filtering is a global setting [138665.947514] DSA: failed to notify DSA_NOTIFIER_BRIDGE_LEAVE When all ports leave br1, DSA blindly attempts to disable VLAN filtering on the switch, ignoring the fact that br0 still exists and is VLAN-aware too. It fails while doing that. This patch checks whether any port exists at all and is under a VLAN-aware bridge. Fixes: d371b7c92d19 ("net: dsa: Unset vlan_filtering when ports leave the bridge") Signed-off-by: Vladimir Oltean Tested-by: Florian Fainelli Reviewed-by: Florian Fainelli Reviewed-by: Kurt Kanzenbach Signed-off-by: David S. Miller commit db24726bfefa68c606947a86132591568a06bfb4 Merge: 701c09c988bd6 92063f3ca73aa Author: Linus Torvalds Date: Thu Mar 25 16:46:43 2021 -0700 Merge tag 'integrity-v5.12-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity fix from Mimi Zohar: "Just one patch to address a NULL ptr dereferencing when there is a mismatch between the user enabled LSMs and IMA/EVM" * tag 'integrity-v5.12-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: integrity: double check iint_cache was initialized commit 7f6c411c9b50cfab41cc798e003eff27608c7016 Author: Al Viro Date: Thu Mar 25 14:12:34 2021 -0400 hostfs: fix memory handling in follow_link() 1) argument should not be freed in any case - the caller already has it as ->s_fs_info (and uses it a lot afterwards) 2) allocate readlink buffer with kmalloc() - the caller has no way to tell if it's got that (on absolute symlink) or a result of kasprintf(). Sure, for SLAB and SLUB kfree() works on results of kmem_cache_alloc(), but that's not documented anywhere, might change in the future *and* is already not true for SLOB. Fixes: 52b209f7b848 ("get rid of hostfs_read_inode()") Signed-off-by: Al Viro commit 701c09c988bd60d950d49c48993b6c06efbfba7f Merge: 002322402dafd c1d6abdac46ca Author: Linus Torvalds Date: Thu Mar 25 15:38:22 2021 -0700 Merge tag 'for-5.12-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux Pull btrfs fixes from David Sterba: "Fixes for issues that have some user visibility and are simple enough for this time of development cycle: - a few fixes for rescue= mount option, adding more checks for missing trees - fix sleeping in atomic context on qgroup deletion - fix subvolume deletion on mount - fix build with M= syntax - fix checksum mismatch error message for direct io" * tag 'for-5.12-rc4-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux: btrfs: fix check_data_csum() error message for direct I/O btrfs: fix sleep while in non-sleep context during qgroup removal btrfs: fix subvolume/snapshot deletion not triggered on mount btrfs: fix build when using M=fs/btrfs btrfs: do not initialize dev replace for bad dev root btrfs: initialize device::fs_info always btrfs: do not initialize dev stats if we have no dev_root btrfs: zoned: remove outdated WARN_ON in direct IO commit 5b43bd184530af6b868d8273b0a743a138d37ee8 Author: Heiko Carstens Date: Wed Mar 24 20:23:55 2021 +0100 s390/vdso: fix initializing and updating of vdso_data Li Wang reported that clock_gettime(CLOCK_MONOTONIC_RAW, ...) returns incorrect values when time is provided via vdso instead of system call: vdso_ts_nsec = 4484351380985507, vdso_ts.tv_sec = 4484351, vdso_ts.tv_nsec = 380985507 sys_ts_nsec = 1446923235377, sys_ts.tv_sec = 1446, sys_ts.tv_nsec = 923235377 Within the s390 specific vdso function __arch_get_hw_counter() reads tod clock steering values from the arch_data member of the passed in vdso_data structure. Problem is that only for the CS_HRES_COARSE vdso_data arch_data is initialized and gets updated. The CS_RAW specific vdso_data does not contain any valid tod_clock_steering information, which explains the different values. Fix this by initializing and updating all vdso_datas. Reported-by: Li Wang Tested-by: Li Wang Fixes: 1ba2d6c0fd4e ("s390/vdso: simplify __arch_get_hw_counter()") Link: https://lore.kernel.org/linux-s390/YFnxr1ZlMIOIqjfq@osiris Signed-off-by: Heiko Carstens commit b24bacd67ffddd9192c4745500fd6f73dbfe565e Author: Heiko Carstens Date: Wed Mar 24 20:22:42 2021 +0100 s390/vdso: fix tod_steering_delta type The s390 specific vdso function __arch_get_hw_counter() is supposed to consider tod clock steering. If a tod clock steering event happens and the tod clock is set to a new value __arch_get_hw_counter() will not return the real tod clock value but slowly drift it from the old delta until the returned value finally matches the real tod clock value again. Unfortunately the type of tod_steering_delta unsigned while it is supposed to be signed. It depends on if tod_steering_delta is negative or positive in which direction the vdso code drifts the clock value. Worst case is now that instead of drifting the clock slowly it will jump into the opposite direction by a factor of two. Fix this by simply making tod_steering_delta signed. Fixes: 4bff8cb54502 ("s390: convert to GENERIC_VDSO") Cc: # 5.10 Signed-off-by: Heiko Carstens commit 72bbc226ed2ef0a46c165a482861fff00dd6d4e1 Author: Heiko Carstens Date: Tue Mar 23 21:40:11 2021 +0100 s390/vdso: copy tod_steering_delta value to vdso_data page When converting the vdso assembler code to C it was forgotten to actually copy the tod_steering_delta value to vdso_data page. Which in turn means that tod clock steering will not work correctly. Fix this by simply copying the value whenever it is updated. Fixes: 4bff8cb54502 ("s390: convert to GENERIC_VDSO") Cc: # 5.10 Signed-off-by: Heiko Carstens commit 4e8d123fca536d1b55f5f9927ad9ee5a444ac41b Merge: 815404281e5df 5c458585c0141 Author: Dave Airlie Date: Fri Mar 26 06:28:17 2021 +1000 Merge tag 'amd-drm-fixes-5.12-2021-03-24' of https://gitlab.freedesktop.org/agd5f/linux into drm-fixes amd-drm-fixes-5.12-2021-03-24: amdgpu: - S0ix fixes - Add PCI ID - Polaris PCIe DPM fix - Display fix for high refresh rate monitors Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20210324210630.3949-1-alexander.deucher@amd.com commit 815404281e5df8c684a93eeaede88de262a37023 Merge: 5165fe0bd1fcc d3999c1f7bbbc Author: Dave Airlie Date: Fri Mar 26 06:25:08 2021 +1000 Merge branch 'linux-5.12' of git://github.com/skeggsb/linux into drm-fixes - cursor size fix Signed-off-by: Dave Airlie From: Ben Skeggs Link: https://patchwork.freedesktop.org/patch/msgid/CACAvsv7js90N_PYc8JncQA9Hu0yjbg+vPw109FKxJ538nZ=fag@mail.gmail.com commit 5165fe0bd1fcca7038ecc3d32012e7d01228938c Merge: 0f43ad782cd41 8840e3bd981f1 Author: Dave Airlie Date: Fri Mar 26 06:21:18 2021 +1000 Merge tag 'drm-intel-fixes-2021-03-25-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - DisplayPort LTTPR fixes around link training and limiting it according to supported spec version. (Imre) - Fix enabled_planes bitmask to really represent only logically enabled planes (Ville). - Fix DSS CTL registers for ICL DSI transcoders (Jani) - Fix the GT fence revocation runtime PM logic. (Imre) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/YFxYdrjqeUtSu+3p@intel.com commit 0f43ad782cd41a9b5513c645af7ed033544a6f84 Merge: d27ce83fa4baa 50891bead80bc Author: Dave Airlie Date: Fri Mar 26 06:18:14 2021 +1000 Merge tag 'drm-misc-fixes-2021-03-25' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes drm-misc-fixes for v5.12: - Use FOLL_FORCE and FOLL_LONGTERM in etnaviv Signed-off-by: Dave Airlie From: Maarten Lankhorst Link: https://patchwork.freedesktop.org/patch/msgid/72d4c9ce-6709-4e0f-a715-79fdcebb48e7@linux.intel.com commit f2916ae9a1bc80aa8e9e8a00b75682f5df6fd59c Author: Arkadiusz Kubalewski Date: Thu Feb 18 21:55:35 2021 +0000 i40e: Fix oops at i40e_rebuild() Setup TC before the i40e_setup_pf_switch() call. Memory must be initialized for all the queues before using its resources. Previously it could be possible that a call: xdp_rxq_info_reg(&rx_ring->xdp_rxq, rx_ring->netdev, rx_ring->queue_index, rx_ring->q_vector->napi.napi_id); was made with q_vector being null. Oops could show up with the following sequence: - no driver loaded - FW LLDP agent is on (flag disable-fw-lldp:off) - link is up - DCB configured with number of Traffic Classes that will not divide completely the default number of queues (usually cpu cores) - driver load - set private flag: disable-fw-lldp:on Fixes: 4b208eaa8078 ("i40e: Add init and default config of software based DCB") Fixes: b02e5a0ebb17 ("xsk: Propagate napi_id to XDP socket Rx path") Signed-off-by: Aleksandr Loktionov Signed-off-by: Arkadiusz Kubalewski Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 347b5650cd158d1d953487cc2bec567af5c5bf96 Author: Eryk Rybak Date: Thu Feb 18 11:15:26 2021 +0000 i40e: Fix kernel oops when i40e driver removes VF's Fix the reason of kernel oops when i40e driver removed VFs. Added new __I40E_VFS_RELEASING state to signalize releasing process by PF, that it makes possible to exit of reset VF procedure. Without this patch, it is possible to suspend the VFs reset by releasing VFs resources procedure. Retrying the reset after the timeout works on the freed VF memory causing a kernel oops. Fixes: d43d60e5eb95 ("i40e: ensure reset occurs when disabling VF") Signed-off-by: Eryk Rybak Signed-off-by: Grzegorz Szczurek Reviewed-by: Aleksandr Loktionov Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit 90b8749022bbdd0c94a13182a78f4903b98fd0d7 Author: Pavel Begunkov Date: Thu Mar 25 19:05:14 2021 +0000 io_uring: maintain CQE order of a failed link Arguably we want CQEs of linked requests be in a strict order of submission as it always was. Now if init of a request fails its CQE may be posted before all prior linked requests including the head of the link. Fix it by failing it last. Fixes: de59bc104c24f ("io_uring: fail links more in io_submit_sqe()") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/b7a96b05832e7ab23ad55f84092a2548c4a888b0.1616699075.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 60c988bc154108bd522a21289e389143006a1ff0 Author: Daniel Jordan Date: Wed Mar 24 21:05:52 2021 -0400 vfio/type1: Empty batch for pfnmap pages When vfio_pin_pages_remote() returns with a partial batch consisting of a single VM_PFNMAP pfn, a subsequent call will unfortunately try restoring it from batch->pages, resulting in vfio mapping the wrong page and unbalancing the page refcount. Prevent the function from returning with this kind of partial batch to avoid the issue. There's no explicit check for a VM_PFNMAP pfn because it's awkward to do so, so infer it from characteristics of the batch instead. This may result in occasional false positives but keeps the code simpler. Fixes: 4d83de6da265 ("vfio/type1: Batch page pinning") Link: https://lkml.kernel.org/r/20210323133254.33ed9161@omen.home.shazbot.org/ Reported-by: Alex Williamson Suggested-by: Alex Williamson Signed-off-by: Daniel Jordan Message-Id: <20210325010552.185481-1-daniel.m.jordan@oracle.com> Signed-off-by: Alex Williamson commit 002322402dafd846c424ffa9240a937f49b48c42 Merge: 2ba9bea2d3682 d3e2ff28ca273 Author: Linus Torvalds Date: Thu Mar 25 11:43:43 2021 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "14 patches. Subsystems affected by this patch series: mm (hugetlb, kasan, gup, selftests, z3fold, kfence, memblock, and highmem), squashfs, ia64, gcov, and mailmap" * emailed patches from Andrew Morton : mailmap: update Andrey Konovalov's email address mm/highmem: fix CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP mm: memblock: fix section mismatch warning again kfence: make compatible with kmemleak gcov: fix clang-11+ support ia64: fix format strings for err_inject ia64: mca: allocate early mca with GFP_ATOMIC squashfs: fix xattr id and id lookup sanity checks squashfs: fix inode lookup sanity checks z3fold: prevent reclaim/free race for headless pages selftests/vm: fix out-of-tree build mm/mmu_notifiers: ensure range_end() is paired with range_start() kasan: fix per-page tags for non-page_alloc pages hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings commit 2ba9bea2d3682361f0f22f68a400bcee4248c205 Merge: 58e4b9de9d985 3408be145a5d6 Author: Linus Torvalds Date: Thu Mar 25 11:23:35 2021 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Not much going on, just some small bug fixes: - Typo causing a regression in mlx5 devx - Regression in the recent hns rework causing the HW to get out of sync - Long-standing cxgb4 adaptor crash when destroying cm ids" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server RDMA/hns: Fix bug during CMDQ initialization RDMA/mlx5: Fix typo in destroy_mkey inbox commit 58e4b9de9d98599d539ad71c7c31f53c0d1f5aba Merge: 43f0b562590e7 a61f4661fba40 Author: Linus Torvalds Date: Thu Mar 25 11:11:45 2021 -0700 Merge tag 'mfd-fixes-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd Pull mfs fix from Lee Jones: "Unconstify editable placeholder structures" * tag 'mfd-fixes-5.12' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd: mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" commit 43f0b562590e7ac16b74b298ab80b5fb290d02af Merge: 7aae5432ac61f 20109a859a9b5 Author: Linus Torvalds Date: Thu Mar 25 11:07:40 2021 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Will Deacon: "Minor fixes all over, ranging from typos to tests to errata workarounds: - Fix possible memory hotplug failure with KASLR - Fix FFR value in SVE kselftest - Fix backtraces reported in /proc/$pid/stack - Disable broken CnP implementation on NVIDIA Carmel - Typo fixes and ACPI documentation clarification - Fix some W=1 warnings" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kernel: disable CNP on Carmel arm64/process.c: fix Wmissing-prototypes build warnings kselftest/arm64: sve: Do not use non-canonical FFR register value arm64: mm: correct the inside linear map range during hotplug check arm64: kdump: update ppos when reading elfcorehdr arm64: cpuinfo: Fix a typo Documentation: arm64/acpi : clarify arm64 support of IBFT arm64: stacktrace: don't trace arch_stack_walk() arm64: csum: cast to the proper type commit 7aae5432ac61ffae3e5afadbd2713bb73177f11d Author: Chris Chiu Date: Thu Mar 25 22:04:19 2021 +0800 mailmap: update the email address for Chris Chiu Redirect my older email addresses in the git logs. Signed-off-by: Chris Chiu Signed-off-by: Linus Torvalds commit ff132c5f93c06bd4432bbab5c369e468653bdec4 Author: Bob Peterson Date: Thu Mar 25 08:51:13 2021 -0400 gfs2: report "already frozen/thawed" errors Before this patch, gfs2's freeze function failed to report an error when the target file system was already frozen as it should (and as generic vfs function freeze_super does. Similarly, gfs2's thaw function failed to report an error when trying to thaw a file system that is not frozen, as vfs function thaw_super does. The errors were checked, but it always returned a 0 return code. This patch adds the missing error return codes to gfs2 freeze and thaw. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 90449e98c265296329446c7abcd2aae3b20c0bc9 Author: Mateusz Palczewski Date: Mon Jan 4 15:00:02 2021 +0000 i40e: Added Asym_Pause to supported link modes Add Asym_Pause to supported link modes (it is supported by HW). Lack of Asym_Pause in supported modes can cause several problems, i.e. it won't be possible to turn the autonegotiation on with asymmetric pause settings (i.e. Tx on, Rx off). Fixes: 4e91bcd5d47a ("i40e: Finish implementation of ethtool get settings") Signed-off-by: Dawid Lukwinski Signed-off-by: Mateusz Palczewski Reviewed-by: Aleksandr Loktionov Reviewed-by: Przemyslaw Patynowski Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen commit 22f8b5df881e9f1302514bbbbbb8649c2051de55 Author: Norbert Ciosek Date: Thu Jan 28 10:17:02 2021 -0800 virtchnl: Fix layout of RSS structures Remove padding from RSS structures. Previous layout could lead to unwanted compiler optimizations in loops when iterating over key and lut arrays. Fixes: 65ece6de0114 ("virtchnl: Add missing explicit padding to structures") Signed-off-by: Norbert Ciosek Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen commit d3e2ff28ca27352d43a41053263d620202324c1f Author: Andrey Konovalov Date: Wed Mar 24 21:37:56 2021 -0700 mailmap: update Andrey Konovalov's email address Use my personal email, the @google.com one will stop functioning soon. Link: https://lkml.kernel.org/r/ead0e9c32a2f70e0bde6f63b3b9470e0ef13d2ee.1616107969.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 487cfade12fae0eb707bdce71c4d585128238a7d Author: Ira Weiny Date: Wed Mar 24 21:37:53 2021 -0700 mm/highmem: fix CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP The kernel test robot found that __kmap_local_sched_out() was not correctly skipping the guard pages when DEBUG_KMAP_LOCAL_FORCE_MAP was set.[1] This was due to DEBUG_HIGHMEM check being used. Change the configuration check to be correct. [1] https://lore.kernel.org/lkml/20210304083825.GB17830@xsang-OptiPlex-9020/ Link: https://lkml.kernel.org/r/20210318230657.1497881-1-ira.weiny@intel.com Fixes: 0e91a0c6984c ("mm/highmem: Provide CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP") Signed-off-by: Ira Weiny Reported-by: kernel test robot Reviewed-by: Thomas Gleixner Cc: Thomas Gleixner Cc: Oliver Sang Cc: Chaitanya Kulkarni Cc: David Sterba Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit a024b7c2850dddd01e65b8270f0971deaf272f27 Author: Mike Rapoport Date: Wed Mar 24 21:37:50 2021 -0700 mm: memblock: fix section mismatch warning again Commit 34dc2efb39a2 ("memblock: fix section mismatch warning") marked memblock_bottom_up() and memblock_set_bottom_up() as __init, but they could be referenced from non-init functions like memblock_find_in_range_node() on architectures that enable CONFIG_ARCH_KEEP_MEMBLOCK. For such builds kernel test robot reports: WARNING: modpost: vmlinux.o(.text+0x74fea4): Section mismatch in reference from the function memblock_find_in_range_node() to the function .init.text:memblock_bottom_up() The function memblock_find_in_range_node() references the function __init memblock_bottom_up(). This is often because memblock_find_in_range_node lacks a __init annotation or the annotation of memblock_bottom_up is wrong. Replace __init annotations with __init_memblock annotations so that the appropriate section will be selected depending on CONFIG_ARCH_KEEP_MEMBLOCK. Link: https://lore.kernel.org/lkml/202103160133.UzhgY0wt-lkp@intel.com Link: https://lkml.kernel.org/r/20210316171347.14084-1-rppt@kernel.org Fixes: 34dc2efb39a2 ("memblock: fix section mismatch warning") Signed-off-by: Mike Rapoport Reviewed-by: Arnd Bergmann Reported-by: kernel test robot Reviewed-by: David Hildenbrand Acked-by: Nick Desaulniers Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 9551158069ba8fcc893798d42dc4f978b62ef60f Author: Marco Elver Date: Wed Mar 24 21:37:47 2021 -0700 kfence: make compatible with kmemleak Because memblock allocations are registered with kmemleak, the KFENCE pool was seen by kmemleak as one large object. Later allocations through kfence_alloc() that were registered with kmemleak via slab_post_alloc_hook() would then overlap and trigger a warning. Therefore, once the pool is initialized, we can remove (free) it from kmemleak again, since it should be treated as allocator-internal and be seen as "free memory". The second problem is that kmemleak is passed the rounded size, and not the originally requested size, which is also the size of KFENCE objects. To avoid kmemleak scanning past the end of an object and trigger a KFENCE out-of-bounds error, fix the size if it is a KFENCE object. For simplicity, to avoid a call to kfence_ksize() in slab_post_alloc_hook() (and avoid new IS_ENABLED(CONFIG_DEBUG_KMEMLEAK) guard), just call kfence_ksize() in mm/kmemleak.c:create_object(). Link: https://lkml.kernel.org/r/20210317084740.3099921-1-elver@google.com Signed-off-by: Marco Elver Reported-by: Luis Henriques Reviewed-by: Catalin Marinas Tested-by: Luis Henriques Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Andrey Konovalov Cc: Jann Horn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 60bcf728ee7c60ac2a1f9a0eaceb3a7b3954cd2b Author: Nick Desaulniers Date: Wed Mar 24 21:37:44 2021 -0700 gcov: fix clang-11+ support LLVM changed the expected function signatures for llvm_gcda_start_file() and llvm_gcda_emit_function() in the clang-11 release. Users of clang-11 or newer may have noticed their kernels failing to boot due to a panic when enabling CONFIG_GCOV_KERNEL=y +CONFIG_GCOV_PROFILE_ALL=y. Fix up the function signatures so calling these functions doesn't panic the kernel. Link: https://reviews.llvm.org/rGcdd683b516d147925212724b09ec6fb792a40041 Link: https://reviews.llvm.org/rG13a633b438b6500ecad9e4f936ebadf3411d0f44 Link: https://lkml.kernel.org/r/20210312224132.3413602-2-ndesaulniers@google.com Signed-off-by: Nick Desaulniers Reported-by: Prasad Sodagudi Suggested-by: Nathan Chancellor Reviewed-by: Fangrui Song Tested-by: Nathan Chancellor Acked-by: Peter Oberparleiter Reviewed-by: Nathan Chancellor Cc: [5.4+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 95d44a470a6814207d52dd6312203b0f4ef12710 Author: Sergei Trofimovich Date: Wed Mar 24 21:37:41 2021 -0700 ia64: fix format strings for err_inject Fix warning with %lx / u64 mismatch: arch/ia64/kernel/err_inject.c: In function 'show_resources': arch/ia64/kernel/err_inject.c:62:22: warning: format '%lx' expects argument of type 'long unsigned int', but argument 3 has type 'u64' {aka 'long long unsigned int'} 62 | return sprintf(buf, "%lx", name[cpu]); \ | ^~~~~~~ Link: https://lkml.kernel.org/r/20210313104312.1548232-1-slyfox@gentoo.org Signed-off-by: Sergei Trofimovich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f2a419cf495f95cac49ea289318b833477e1a0e2 Author: Sergei Trofimovich Date: Wed Mar 24 21:37:38 2021 -0700 ia64: mca: allocate early mca with GFP_ATOMIC The sleep warning happens at early boot right at secondary CPU activation bootup: smp: Bringing up secondary CPUs ... BUG: sleeping function called from invalid context at mm/page_alloc.c:4942 in_atomic(): 0, irqs_disabled(): 1, non_block: 0, pid: 0, name: swapper/1 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.12.0-rc2-00007-g79e228d0b611-dirty #99 .. Call Trace: show_stack+0x90/0xc0 dump_stack+0x150/0x1c0 ___might_sleep+0x1c0/0x2a0 __might_sleep+0xa0/0x160 __alloc_pages_nodemask+0x1a0/0x600 alloc_page_interleave+0x30/0x1c0 alloc_pages_current+0x2c0/0x340 __get_free_pages+0x30/0xa0 ia64_mca_cpu_init+0x2d0/0x3a0 cpu_init+0x8b0/0x1440 start_secondary+0x60/0x700 start_ap+0x750/0x780 Fixed BSP b0 value from CPU 1 As I understand interrupts are not enabled yet and system has a lot of memory. There is little chance to sleep and switch to GFP_ATOMIC should be a no-op. Link: https://lkml.kernel.org/r/20210315085045.204414-1-slyfox@gentoo.org Signed-off-by: Sergei Trofimovich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 8b44ca2b634527151af07447a8090a5f3a043321 Author: Phillip Lougher Date: Wed Mar 24 21:37:35 2021 -0700 squashfs: fix xattr id and id lookup sanity checks The checks for maximum metadata block size is missing SQUASHFS_BLOCK_OFFSET (the two byte length count). Link: https://lkml.kernel.org/r/2069685113.2081245.1614583677427@webmail.123-reg.co.uk Fixes: f37aa4c7366e23f ("squashfs: add more sanity checks in id lookup") Signed-off-by: Phillip Lougher Cc: Sean Nyekjaer Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c1b2028315c6b15e8d6725e0d5884b15887d3daa Author: Sean Nyekjaer Date: Wed Mar 24 21:37:32 2021 -0700 squashfs: fix inode lookup sanity checks When mouting a squashfs image created without inode compression it fails with: "unable to read inode lookup table" It turns out that the BLOCK_OFFSET is missing when checking the SQUASHFS_METADATA_SIZE agaist the actual size. Link: https://lkml.kernel.org/r/20210226092903.1473545-1-sean@geanix.com Fixes: eabac19e40c0 ("squashfs: add more sanity checks in inode lookup") Signed-off-by: Sean Nyekjaer Acked-by: Phillip Lougher Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 6d679578fe9c762c8fbc3d796a067cbba84a7884 Author: Thomas Hebb Date: Wed Mar 24 21:37:29 2021 -0700 z3fold: prevent reclaim/free race for headless pages Commit ca0246bb97c2 ("z3fold: fix possible reclaim races") introduced the PAGE_CLAIMED flag "to avoid racing on a z3fold 'headless' page release." By atomically testing and setting the bit in each of z3fold_free() and z3fold_reclaim_page(), a double-free was avoided. However, commit dcf5aedb24f8 ("z3fold: stricter locking and more careful reclaim") appears to have unintentionally broken this behavior by moving the PAGE_CLAIMED check in z3fold_reclaim_page() to after the page lock gets taken, which only happens for non-headless pages. For headless pages, the check is now skipped entirely and races can occur again. I have observed such a race on my system: page:00000000ffbd76b7 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x165316 flags: 0x2ffff0000000000() raw: 02ffff0000000000 ffffea0004535f48 ffff8881d553a170 0000000000000000 raw: 0000000000000000 0000000000000011 00000000ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) ------------[ cut here ]------------ kernel BUG at include/linux/mm.h:707! invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 2 PID: 291928 Comm: kworker/2:0 Tainted: G B 5.10.7-arch1-1-kasan #1 Hardware name: Gigabyte Technology Co., Ltd. H97N-WIFI/H97N-WIFI, BIOS F9b 03/03/2016 Workqueue: zswap-shrink shrink_worker RIP: 0010:__free_pages+0x10a/0x130 Code: c1 e7 06 48 01 ef 45 85 e4 74 d1 44 89 e6 31 d2 41 83 ec 01 e8 e7 b0 ff ff eb da 48 c7 c6 e0 32 91 88 48 89 ef e8 a6 89 f8 ff <0f> 0b 4c 89 e7 e8 fc 79 07 00 e9 33 ff ff ff 48 89 ef e8 ff 79 07 RSP: 0000:ffff88819a2ffb98 EFLAGS: 00010296 RAX: 0000000000000000 RBX: ffffea000594c5a8 RCX: 0000000000000000 RDX: 1ffffd4000b298b7 RSI: 0000000000000000 RDI: ffffea000594c5b8 RBP: ffffea000594c580 R08: 000000000000003e R09: ffff8881d5520bbb R10: ffffed103aaa4177 R11: 0000000000000001 R12: ffffea000594c5b4 R13: 0000000000000000 R14: ffff888165316000 R15: ffffea000594c588 FS: 0000000000000000(0000) GS:ffff8881d5500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7c8c3654d8 CR3: 0000000103f42004 CR4: 00000000001706e0 Call Trace: z3fold_zpool_shrink+0x9b6/0x1240 shrink_worker+0x35/0x90 process_one_work+0x70c/0x1210 worker_thread+0x539/0x1200 kthread+0x330/0x400 ret_from_fork+0x22/0x30 Modules linked in: rfcomm ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ccm algif_aead des_generic libdes ecb algif_skcipher cmac bnep md4 algif_hash af_alg vfat fat intel_rapl_msr intel_rapl_common x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iwlmvm hid_logitech_hidpp kvm at24 mac80211 snd_hda_codec_realtek iTCO_wdt snd_hda_codec_generic intel_pmc_bxt snd_hda_codec_hdmi ledtrig_audio iTCO_vendor_support mei_wdt mei_hdcp snd_hda_intel snd_intel_dspcfg libarc4 soundwire_intel irqbypass iwlwifi soundwire_generic_allocation rapl soundwire_cadence intel_cstate snd_hda_codec intel_uncore btusb joydev mousedev snd_usb_audio pcspkr btrtl uvcvideo nouveau btbcm i2c_i801 btintel snd_hda_core videobuf2_vmalloc i2c_smbus snd_usbmidi_lib videobuf2_memops bluetooth snd_hwdep soundwire_bus snd_soc_rt5640 videobuf2_v4l2 cfg80211 snd_soc_rl6231 videobuf2_common snd_rawmidi lpc_ich alx videodev mdio snd_seq_device snd_soc_core mc ecdh_generic mxm_wmi mei_me hid_logitech_dj wmi snd_compress e1000e ac97_bus mei ttm rfkill snd_pcm_dmaengine ecc snd_pcm snd_timer snd soundcore mac_hid acpi_pad pkcs8_key_parser it87 hwmon_vid crypto_user fuse ip_tables x_tables ext4 crc32c_generic crc16 mbcache jbd2 dm_crypt cbc encrypted_keys trusted tpm rng_core usbhid dm_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel crypto_simd cryptd glue_helper xhci_pci xhci_pci_renesas i915 video intel_gtt i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops cec drm agpgart ---[ end trace 126d646fc3dc0ad8 ]--- To fix the issue, re-add the earlier test and set in the case where we have a headless page. Link: https://lkml.kernel.org/r/c8106dbe6d8390b290cd1d7f873a2942e805349e.1615452048.git.tommyhebb@gmail.com Fixes: dcf5aedb24f8 ("z3fold: stricter locking and more careful reclaim") Signed-off-by: Thomas Hebb Reviewed-by: Vitaly Wool Cc: Jongseok Kim Cc: Snild Dolkow Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 19ec368cbc7ee1915e78c120b7a49c7f14734192 Author: Rong Chen Date: Wed Mar 24 21:37:26 2021 -0700 selftests/vm: fix out-of-tree build When building out-of-tree, attempting to make target from $(OUTPUT) directory: make[1]: *** No rule to make target '$(OUTPUT)/protection_keys.c', needed by '$(OUTPUT)/protection_keys_32'. Link: https://lkml.kernel.org/r/20210315094700.522753-1-rong.a.chen@intel.com Signed-off-by: Rong Chen Reported-by: kernel test robot Cc: Shuah Khan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit c2655835fd8cabdfe7dab737253de3ffb88da126 Author: Sean Christopherson Date: Wed Mar 24 21:37:23 2021 -0700 mm/mmu_notifiers: ensure range_end() is paired with range_start() If one or more notifiers fails .invalidate_range_start(), invoke .invalidate_range_end() for "all" notifiers. If there are multiple notifiers, those that did not fail are expecting _start() and _end() to be paired, e.g. KVM's mmu_notifier_count would become imbalanced. Disallow notifiers that can fail _start() from implementing _end() so that it's unnecessary to either track which notifiers rejected _start(), or had already succeeded prior to a failed _start(). Note, the existing behavior of calling _start() on all notifiers even after a previous notifier failed _start() was an unintented "feature". Make it canon now that the behavior is depended on for correctness. As of today, the bug is likely benign: 1. The only caller of the non-blocking notifier is OOM kill. 2. The only notifiers that can fail _start() are the i915 and Nouveau drivers. 3. The only notifiers that utilize _end() are the SGI UV GRU driver and KVM. 4. The GRU driver will never coincide with the i195/Nouveau drivers. 5. An imbalanced kvm->mmu_notifier_count only causes soft lockup in the _guest_, and the guest is already doomed due to being an OOM victim. Fix the bug now to play nice with future usage, e.g. KVM has a potential use case for blocking memslot updates in KVM while an invalidation is in-progress, and failure to unblock would result in said updates being blocked indefinitely and hanging. Found by inspection. Verified by adding a second notifier in KVM that periodically returns -EAGAIN on non-blockable ranges, triggering OOM, and observing that KVM exits with an elevated notifier count. Link: https://lkml.kernel.org/r/20210311180057.1582638-1-seanjc@google.com Fixes: 93065ac753e4 ("mm, oom: distinguish blockable mode for mmu notifiers") Signed-off-by: Sean Christopherson Suggested-by: Jason Gunthorpe Reviewed-by: Jason Gunthorpe Cc: David Rientjes Cc: Ben Gardon Cc: Michal Hocko Cc: "Jérôme Glisse" Cc: Andrea Arcangeli Cc: Johannes Weiner Cc: Dimitri Sivanich Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit cf10bd4c4aff8dd64d1aa7f2a529d0c672bc16af Author: Andrey Konovalov Date: Wed Mar 24 21:37:20 2021 -0700 kasan: fix per-page tags for non-page_alloc pages To allow performing tag checks on page_alloc addresses obtained via page_address(), tag-based KASAN modes store tags for page_alloc allocations in page->flags. Currently, the default tag value stored in page->flags is 0x00. Therefore, page_address() returns a 0x00ffff... address for pages that were not allocated via page_alloc. This might cause problems. A particular case we encountered is a conflict with KFENCE. If a KFENCE-allocated slab object is being freed via kfree(page_address(page) + offset), the address passed to kfree() will get tagged with 0x00 (as slab pages keep the default per-page tags). This leads to is_kfence_address() check failing, and a KFENCE object ending up in normal slab freelist, which causes memory corruptions. This patch changes the way KASAN stores tag in page-flags: they are now stored xor'ed with 0xff. This way, KASAN doesn't need to initialize per-page flags for every created page, which might be slow. With this change, page_address() returns natively-tagged (with 0xff) pointers for pages that didn't have tags set explicitly. This patch fixes the encountered conflict with KFENCE and prevents more similar issues that can occur in the future. Link: https://lkml.kernel.org/r/1a41abb11c51b264511d9e71c303bb16d5cb367b.1615475452.git.andreyknvl@google.com Fixes: 2813b9c02962 ("kasan, mm, arm64: tag non slab memory allocated via pagealloc") Signed-off-by: Andrey Konovalov Reviewed-by: Marco Elver Cc: Catalin Marinas Cc: Will Deacon Cc: Vincenzo Frascino Cc: Dmitry Vyukov Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Peter Collingbourne Cc: Evgenii Stepanov Cc: Branislav Rankov Cc: Kevin Brodsky Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit d85aecf2844ff02a0e5f077252b2461d4f10c9f0 Author: Miaohe Lin Date: Wed Mar 24 21:37:17 2021 -0700 hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings The current implementation of hugetlb_cgroup for shared mappings could have different behavior. Consider the following two scenarios: 1.Assume initial css reference count of hugetlb_cgroup is 1: 1.1 Call hugetlb_reserve_pages with from = 1, to = 2. So css reference count is 2 associated with 1 file_region. 1.2 Call hugetlb_reserve_pages with from = 2, to = 3. So css reference count is 3 associated with 2 file_region. 1.3 coalesce_file_region will coalesce these two file_regions into one. So css reference count is 3 associated with 1 file_region now. 2.Assume initial css reference count of hugetlb_cgroup is 1 again: 2.1 Call hugetlb_reserve_pages with from = 1, to = 3. So css reference count is 2 associated with 1 file_region. Therefore, we might have one file_region while holding one or more css reference counts. This inconsistency could lead to imbalanced css_get() and css_put() pair. If we do css_put one by one (i.g. hole punch case), scenario 2 would put one more css reference. If we do css_put all together (i.g. truncate case), scenario 1 will leak one css reference. The imbalanced css_get() and css_put() pair would result in a non-zero reference when we try to destroy the hugetlb cgroup. The hugetlb cgroup directory is removed __but__ associated resource is not freed. This might result in OOM or can not create a new hugetlb cgroup in a busy workload ultimately. In order to fix this, we have to make sure that one file_region must hold exactly one css reference. So in coalesce_file_region case, we should release one css reference before coalescence. Also only put css reference when the entire file_region is removed. The last thing to note is that the caller of region_add() will only hold one reference to h_cg->css for the whole contiguous reservation region. But this area might be scattered when there are already some file_regions reside in it. As a result, many file_regions may share only one h_cg->css reference. In order to ensure that one file_region must hold exactly one css reference, we should do css_get() for each file_region and release the reference held by caller when they are done. [linmiaohe@huawei.com: fix imbalanced css_get and css_put pair for shared mappings] Link: https://lkml.kernel.org/r/20210316023002.53921-1-linmiaohe@huawei.com Link: https://lkml.kernel.org/r/20210301120540.37076-1-linmiaohe@huawei.com Fixes: 075a61d07a8e ("hugetlb_cgroup: add accounting for shared mappings") Reported-by: kernel test robot (auto build test ERROR) Signed-off-by: Miaohe Lin Reviewed-by: Mike Kravetz Cc: Aneesh Kumar K.V Cc: Wanpeng Li Cc: Mina Almasry Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit f5d2d23bf0d948ce0b9307b7bacae7ff0bc03c71 Author: Jens Axboe Date: Thu Mar 25 10:16:12 2021 -0600 io-wq: fix race around pending work on teardown syzbot reports that it's triggering the warning condition on having pending work on shutdown: WARNING: CPU: 1 PID: 12346 at fs/io-wq.c:1061 io_wq_destroy fs/io-wq.c:1061 [inline] WARNING: CPU: 1 PID: 12346 at fs/io-wq.c:1061 io_wq_put+0x153/0x260 fs/io-wq.c:1072 Modules linked in: CPU: 1 PID: 12346 Comm: syz-executor.5 Not tainted 5.12.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:io_wq_destroy fs/io-wq.c:1061 [inline] RIP: 0010:io_wq_put+0x153/0x260 fs/io-wq.c:1072 Code: 8d e8 71 90 ea 01 49 89 c4 41 83 fc 40 7d 4f e8 33 4d 97 ff 42 80 7c 2d 00 00 0f 85 77 ff ff ff e9 7a ff ff ff e8 1d 4d 97 ff <0f> 0b eb b9 8d 6b ff 89 ee 09 de bf ff ff ff ff e8 18 51 97 ff 09 RSP: 0018:ffffc90001ebfb08 EFLAGS: 00010293 RAX: ffffffff81e16083 RBX: ffff888019038040 RCX: ffff88801e86b780 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000040 RBP: 1ffff1100b2f8a80 R08: ffffffff81e15fce R09: ffffed100b2f8a82 R10: ffffed100b2f8a82 R11: 0000000000000000 R12: 0000000000000000 R13: dffffc0000000000 R14: ffff8880597c5400 R15: ffff888019038000 FS: 00007f8dcd89c700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e9a054e160 CR3: 000000001dfb8000 CR4: 00000000001506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: io_uring_clean_tctx+0x1b7/0x210 fs/io_uring.c:8802 __io_uring_files_cancel+0x13c/0x170 fs/io_uring.c:8820 io_uring_files_cancel include/linux/io_uring.h:47 [inline] do_exit+0x258/0x2340 kernel/exit.c:780 do_group_exit+0x168/0x2d0 kernel/exit.c:922 get_signal+0x1734/0x1ef0 kernel/signal.c:2773 arch_do_signal_or_restart+0x3c/0x610 arch/x86/kernel/signal.c:811 handle_signal_work kernel/entry/common.c:147 [inline] exit_to_user_mode_loop kernel/entry/common.c:171 [inline] exit_to_user_mode_prepare+0xac/0x1e0 kernel/entry/common.c:208 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline] syscall_exit_to_user_mode+0x48/0x180 kernel/entry/common.c:301 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x465f69 which shouldn't happen, but seems to be possible due to a race on whether or not the io-wq manager sees a fatal signal first, or whether the io-wq workers do. If we race with queueing work and then send a fatal signal to the owning task, and the io-wq worker sees that before the manager sets IO_WQ_BIT_EXIT, then it's possible to have the worker exit and leave work behind. Just turn the WARN_ON_ONCE() into a cancelation condition instead. Reported-by: syzbot+77a738a6bc947bf639ca@syzkaller.appspotmail.com Signed-off-by: Jens Axboe commit 3a27875e91fb9c29de436199d20b33f9413aea77 Author: Ryan Lee Date: Wed Mar 24 20:35:54 2021 -0700 ASoC: max98373: Added 30ms turn on/off time delay Amp requires 10 ~ 30ms for the power ON and OFF. Added 30ms delay for stability. Signed-off-by: Ryan Lee Link: https://lore.kernel.org/r/20210325033555.29377-2-ryans.lee@maximintegrated.com Signed-off-by: Mark Brown commit a23f9099ff1541f15704e96b784d3846d2a4483d Author: Ryan Lee Date: Wed Mar 24 20:35:53 2021 -0700 ASoC: max98373: Changed amp shutdown register as volatile 0x20FF(amp global enable) register was defined as non-volatile, but it is not. Overheating, overcurrent can cause amp shutdown in hardware. 'regmap_write' compare register readback value before writing to avoid same value writing. 'regmap_read' just read cache not actual hardware value for the non-volatile register. When amp is internally shutdown by some reason, next 'AMP ON' command can be ignored because regmap think amp is already ON. Signed-off-by: Ryan Lee Link: https://lore.kernel.org/r/20210325033555.29377-1-ryans.lee@maximintegrated.com Signed-off-by: Mark Brown commit 37df9f3fedb6aeaff5564145e8162aab912c9284 Author: Lv Yunlong Date: Wed Mar 24 03:37:24 2021 -0700 video: hyperv_fb: Fix a double free in hvfb_probe Function hvfb_probe() calls hvfb_getmem(), expecting upon return that info->apertures is either NULL or points to memory that should be freed by framebuffer_release(). But hvfb_getmem() is freeing the memory and leaving the pointer non-NULL, resulting in a double free if an error occurs or later if hvfb_remove() is called. Fix this by removing all kfree(info->apertures) calls in hvfb_getmem(). This will allow framebuffer_release() to free the memory, which follows the pattern of other fbdev drivers. Fixes: 3a6fb6c4255c ("video: hyperv: hyperv_fb: Use physical memory for fb on HyperV Gen 1 VMs.") Signed-off-by: Lv Yunlong Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20210324103724.4189-1-lyl2019@mail.ustc.edu.cn Signed-off-by: Wei Liu commit 3408be145a5d6418ff955fe5badde652be90e700 Author: Potnuri Bharat Teja Date: Thu Mar 25 00:34:53 2021 +0530 RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server Not setting the ipv6 bit while destroying ipv6 listening servers may result in potential fatal adapter errors due to lookup engine memory hash errors. Therefore always set ipv6 field while destroying ipv6 listening servers. Fixes: 830662f6f032 ("RDMA/cxgb4: Add support for active and passive open connection with IPv6 address") Link: https://lore.kernel.org/r/20210324190453.8171-1-bharat@chelsio.com Signed-off-by: Potnuri Bharat Teja Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 39c1f1bd8adf29840ef52225ce95f390e3d7b2cf Author: Roger Pau Monne Date: Thu Mar 25 10:09:47 2021 +0100 pinctrl: intel: check REVID register value for device presence Use the value read from the REVID register in order to check for the presence of the device. A read of all ones is treated as if the device is not present, and hence probing is ended. This fixes an issue when running as a Xen PVH dom0, where the ACPI DSDT table is provided unmodified to dom0 and hence contains the pinctrl devices, but the MMIO region(s) containing the device registers might not be mapped in the guest physical memory map if such region(s) are not exposed on a PCI device BAR or marked as reserved in the host memory map. Fixes: 91d898e51e60 ("pinctrl: intel: Convert capability list to features") Suggested-by: Andy Shevchenko Signed-off-by: Roger Pau Monné Signed-off-by: Andy Shevchenko commit 405fa9e9d8664e830982c5fbcb70f9ba8656bafc Author: Sameer Pujar Date: Mon Mar 15 23:10:15 2021 +0530 arm64: tegra: Move clocks from RT5658 endpoint to device node An endpoint is not a device and it is recommended to use clocks property in device node. RT5658 Codec binding already specifies the usage of clocks property. Thus move the clocks from endpoint to device node. Fixes: 5b4f6323096a ("arm64: tegra: Audio graph sound card for Jetson AGX Xavier") Suggested-by: Rob Herring Signed-off-by: Sameer Pujar Signed-off-by: Thierry Reding commit 30e3b4f256b4e366a61658c294f6a21b8626dda7 Author: Russell King Date: Thu Mar 25 10:26:21 2021 +0000 ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked as __init, this causes an oops if a PCI driver is loaded or bound after the kernel has initialised. Fixes: 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()") Signed-off-by: Russell King commit 45c2f70cba3a7eff34574103b2e2b901a5f771aa Author: Vladimir Murzin Date: Thu Mar 11 13:32:16 2021 +0100 ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to for_each_mem_range() for_each_mem_range() uses a loop variable, yet looking into code it is not just iteration counter but more complex entity which encodes information about memblock. Thus condition i == 0 looks fragile. Indeed, it broke boot of R-class platforms since it never took i == 0 path (due to i was set to 1). Fix that with restoring original flag check. Fixes: b10d6bca8720 ("arch, drivers: replace for_each_membock() with for_each_mem_range()") Signed-off-by: Vladimir Murzin Acked-by: Mike Rapoport Signed-off-by: Russell King commit d624833f5984d484c5e3196f34b926f9e71dafee Author: Ard Biesheuvel Date: Wed Feb 17 20:26:23 2021 +0100 ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled The debugging code for kmap_local() doubles the number of per-CPU fixmap slots allocated for kmap_local(), in order to use half of them as guard regions. This causes the fixmap region to grow downwards beyond the start of its reserved window if the supported number of CPUs is large, and collide with the newly added virtual DT mapping right below it, which is obviously not good. One manifestation of this is EFI boot on a kernel built with NR_CPUS=32 and CONFIG_DEBUG_KMAP_LOCAL=y, which may pass the FDT in highmem, resulting in block entries below the fixmap region that the fixmap code misidentifies as fixmap table entries, and subsequently tries to dereference using a phys-to-virt translation that is only valid for lowmem. This results in a cryptic splat such as the one below. ftrace: allocating 45548 entries in 89 pages 8<--- cut here --- Unable to handle kernel paging request at virtual address fc6006f0 pgd = (ptrval) [fc6006f0] *pgd=80000040207003, *pmd=00000000 Internal error: Oops: a06 [#1] SMP ARM Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 5.11.0+ #382 Hardware name: Generic DT based system PC is at cpu_ca15_set_pte_ext+0x24/0x30 LR is at __set_fixmap+0xe4/0x118 pc : [] lr : [] psr: 400000d3 sp : c1601ed8 ip : 00400000 fp : 00800000 r10: 0000071f r9 : 00421000 r8 : 00c00000 r7 : 00c00000 r6 : 0000071f r5 : ffade000 r4 : 4040171f r3 : 00c00000 r2 : 4040171f r1 : c041ac78 r0 : fc6006f0 Flags: nZcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none Control: 30c5387d Table: 40203000 DAC: 00000001 Process swapper (pid: 0, stack limit = 0x(ptrval)) So let's limit CONFIG_NR_CPUS to 16 when CONFIG_DEBUG_KMAP_LOCAL=y. Also, fix the BUILD_BUG_ON() check that was supposed to catch this, by checking whether the region grows below the start address rather than above the end address. Fixes: 2a15ba82fa6ca3f3 ("ARM: highmem: Switch to generic kmap atomic") Reported-by: Peter Robinson Tested-by: Peter Robinson Signed-off-by: Ard Biesheuvel Acked-by: Thomas Gleixner Reviewed-by: Linus Walleij Signed-off-by: Russell King commit 20109a859a9b514eb10c22b8a14b5704ffe93897 Author: Rich Wiley Date: Tue Mar 23 17:28:09 2021 -0700 arm64: kernel: disable CNP on Carmel On NVIDIA Carmel cores, CNP behaves differently than it does on standard ARM cores. On Carmel, if two cores have CNP enabled and share an L2 TLB entry created by core0 for a specific ASID, a non-shareable TLBI from core1 may still see the shared entry. On standard ARM cores, that TLBI will invalidate the shared entry as well. This causes issues with patchsets that attempt to do local TLBIs based on cpumasks instead of broadcast TLBIs. Avoid these issues by disabling CNP support for NVIDIA Carmel cores. Signed-off-by: Rich Wiley Link: https://lore.kernel.org/r/20210324002809.30271-1-rwiley@nvidia.com [will: Fix pre-existing whitespace issue] Signed-off-by: Will Deacon commit baa96377bc7b5aa7b8cf038db09cb99642321490 Author: Maninder Singh Date: Wed Mar 24 12:24:58 2021 +0530 arm64/process.c: fix Wmissing-prototypes build warnings Fix GCC warnings reported when building with "-Wmissing-prototypes": arch/arm64/kernel/process.c:261:6: warning: no previous prototype for '__show_regs' [-Wmissing-prototypes] 261 | void __show_regs(struct pt_regs *regs) | ^~~~~~~~~~~ arch/arm64/kernel/process.c:307:6: warning: no previous prototype for '__show_regs_alloc_free' [-Wmissing-prototypes] 307 | void __show_regs_alloc_free(struct pt_regs *regs) | ^~~~~~~~~~~~~~~~~~~~~~ arch/arm64/kernel/process.c:365:5: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes] 365 | int arch_dup_task_struct(struct task_struct *dst, struct task_struct *src) | ^~~~~~~~~~~~~~~~~~~~ arch/arm64/kernel/process.c:546:41: warning: no previous prototype for '__switch_to' [-Wmissing-prototypes] 546 | __notrace_funcgraph struct task_struct *__switch_to(struct task_struct *prev, | ^~~~~~~~~~~ arch/arm64/kernel/process.c:710:25: warning: no previous prototype for 'arm64_preempt_schedule_irq' [-Wmissing-prototypes] 710 | asmlinkage void __sched arm64_preempt_schedule_irq(void) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ Link: https://lore.kernel.org/lkml/202103192250.AennsfXM-lkp@intel.com Reported-by: kernel test robot Signed-off-by: Maninder Singh Link: https://lore.kernel.org/r/1616568899-986-1-git-send-email-maninder1.s@samsung.com Signed-off-by: Will Deacon commit 58b5ada8c465b5f1300bc021ebd3d3b8149124b4 Author: Arnd Bergmann Date: Tue Mar 23 14:17:13 2021 +0100 pinctrl: qcom: fix unintentional string concatenation clang is clearly correct to point out a typo in a silly array of strings: drivers/pinctrl/qcom/pinctrl-sdx55.c:426:61: error: suspicious concatenation of string literals in an array initialization; did you mean to separate the elements with a comma? [-Werror,-Wstring-concatenation] "gpio14", "gpio15", "gpio16", "gpio17", "gpio18", "gpio19" "gpio20", "gpio21", "gpio22", ^ Add the missing comma that must have accidentally been removed. Fixes: ac43c44a7a37 ("pinctrl: qcom: Add SDX55 pincontrol driver") Signed-off-by: Arnd Bergmann Reviewed-by: Bjorn Andersson Reviewed-by: Nathan Chancellor Link: https://lore.kernel.org/r/20210323131728.2702789-1-arnd@kernel.org Signed-off-by: Linus Walleij commit 33ce7f2f95cabb5834cf0906308a5cb6103976da Author: Arnd Bergmann Date: Wed Mar 24 17:47:41 2021 +0100 drm/imx: imx-ldb: fix out of bounds array access warning When CONFIG_OF is disabled, building with 'make W=1' produces warnings about out of bounds array access: drivers/gpu/drm/imx/imx-ldb.c: In function 'imx_ldb_set_clock.constprop': drivers/gpu/drm/imx/imx-ldb.c:186:8: error: array subscript -22 is below array bounds of 'struct clk *[4]' [-Werror=array-bounds] Add an error check before the index is used, which helps with the warning, as well as any possible other error condition that may be triggered at runtime. The warning could be fixed by adding a Kconfig depedency on CONFIG_OF, but Liu Ying points out that the driver may hit the out-of-bounds problem at runtime anyway. Signed-off-by: Arnd Bergmann Reviewed-by: Liu Ying Signed-off-by: Philipp Zabel commit 12d0ca80bffdad9e9b2a7a68784bfca54c8cf1a1 Author: Liu Ying Date: Mon Mar 22 10:56:40 2021 +0800 drm/imx: imx-ldb: Register LDB channel1 when it is the only channel to be used LDB channel1 should be registered if it is the only channel to be used. Without this patch, imx_ldb_bind() would skip registering LDB channel1 if LDB channel0 is not used, no matter LDB channel1 needs to be used or not. Fixes: 8767f4711b2b (drm/imx: imx-ldb: move initialization into probe) Signed-off-by: Liu Ying Signed-off-by: Philipp Zabel commit 69c3ed7282a143439bbc2d03dc00d49c68fcb629 Author: Pan Bian Date: Wed Jan 20 01:16:08 2021 -0800 drm/imx: fix memory leak when fails to init Put DRM device on initialization failure path rather than directly return error code. Fixes: a67d5088ceb8 ("drm/imx: drop explicit drm_mode_config_cleanup") Signed-off-by: Pan Bian Signed-off-by: Philipp Zabel commit 36fa766faa0c822c860e636fe82b1affcd022974 Author: Martin Wilck Date: Tue Mar 23 22:24:31 2021 +0100 scsi: target: pscsi: Clean up after failure in pscsi_map_sg() If pscsi_map_sg() fails, make sure to drop references to already allocated bios. Link: https://lore.kernel.org/r/20210323212431.15306-2-mwilck@suse.com Reviewed-by: Christoph Hellwig Reviewed-by: Lee Duncan Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen commit 077ce028b8e0684d5ee7da573bd835b14b591546 Author: Martin Wilck Date: Tue Mar 23 22:24:30 2021 +0100 scsi: target: pscsi: Avoid OOM in pscsi_map_sg() pscsi_map_sg() uses the variable nr_pages as a hint for bio_kmalloc() how many vector elements to allocate. If nr_pages is < BIO_MAX_PAGES, it will be reset to 0 after successful allocation of the bio. If bio_add_pc_page() fails later for whatever reason, pscsi_map_sg() tries to allocate another bio, passing nr_vecs = 0. This causes bio_add_pc_page() to fail immediately in the next call. pci_map_sg() continues to allocate zero-length bios until memory is exhausted and the kernel crashes with OOM. This can be easily observed by exporting a SATA DVD drive via pscsi. The target crashes as soon as the client tries to access the DVD LUN. In the case I analyzed, bio_add_pc_page() would fail because the DVD device's max_sectors_kb (128) was exceeded. Avoid this by simply not resetting nr_pages to 0 after allocating the bio. This way, the client receives an I/O error when it tries to send requests exceeding the devices max_sectors_kb, and eventually gets it right. The client must still limit max_sectors_kb e.g. by an udev rule if (like in my case) the driver doesn't report valid block limits, otherwise it encounters I/O errors. Link: https://lore.kernel.org/r/20210323212431.15306-1-mwilck@suse.com Reviewed-by: Christoph Hellwig Reviewed-by: Lee Duncan Signed-off-by: Martin Wilck Signed-off-by: Martin K. Petersen commit 3401ecf7fc1b9458a19d42c0e26a228f18ac7dda Author: Jia-Ju Bai Date: Sun Mar 7 19:52:41 2021 -0800 scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() When kzalloc() returns NULL, no error return code of mpt3sas_base_attach() is assigned. To fix this bug, r is assigned with -ENOMEM in this case. Link: https://lore.kernel.org/r/20210308035241.3288-1-baijiaju1990@gmail.com Fixes: c696f7b83ede ("scsi: mpt3sas: Implement device_remove_in_progress check in IOCTL path") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Signed-off-by: Martin K. Petersen commit f69953837ca5d98aa983a138dc0b90a411e9c763 Author: Jia-Ju Bai Date: Sun Mar 7 19:30:24 2021 -0800 scsi: qedi: Fix error return code of qedi_alloc_global_queues() When kzalloc() returns NULL to qedi->global_queues[i], no error return code of qedi_alloc_global_queues() is assigned. To fix this bug, status is assigned with -ENOMEM in this case. Link: https://lore.kernel.org/r/20210308033024.27147-1-baijiaju1990@gmail.com Fixes: ace7f46ba5fd ("scsi: qedi: Add QLogic FastLinQ offload iSCSI driver framework.") Reported-by: TOTE Robot Acked-by: Manish Rangankar Signed-off-by: Jia-Ju Bai Signed-off-by: Martin K. Petersen commit 39c0c8553bfb5a3d108aa47f1256076d507605e3 Author: Bart Van Assche Date: Sat Mar 20 16:23:53 2021 -0700 scsi: Revert "qla2xxx: Make sure that aborted commands are freed" Calling vha->hw->tgt.tgt_ops->free_cmd() from qlt_xmit_response() is wrong since the command for which a response is sent must remain valid until the SCSI target core calls .release_cmd(). It has been observed that the following scenario triggers a kernel crash: - qlt_xmit_response() calls qlt_check_reserve_free_req() - qlt_check_reserve_free_req() returns -EAGAIN - qlt_xmit_response() calls vha->hw->tgt.tgt_ops->free_cmd(cmd) - transport_handle_queue_full() tries to retransmit the response Fix this crash by reverting the patch that introduced it. Link: https://lore.kernel.org/r/20210320232359.941-2-bvanassche@acm.org Fixes: 0dcec41acb85 ("scsi: qla2xxx: Make sure that aborted commands are freed") Cc: Quinn Tran Cc: Mike Christie Reviewed-by: Daniel Wagner Reviewed-by: Himanshu Madhani Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen commit 62fc2661482b6beccfab8a5987419e96a9499fb4 Author: Tyrel Datwyler Date: Fri Mar 19 14:50:29 2021 -0600 scsi: ibmvfc: Make ibmvfc_wait_for_ops() MQ aware During MQ enablement of the ibmvfc driver ibmvfc_wait_for_ops() was missed. This function is responsible for waiting on commands to complete that match a certain criteria such as LUN or cancel key. The implementation as is only scans the CRQ for events ignoring any sub-queues and as a result will exit successfully without doing anything when operating in MQ channelized mode. Check the MQ and channel use flags to determine which queues are applicable, and scan each queue accordingly. Note in MQ mode SCSI commands are only issued down sub-queues and the CRQ is only used for driver specific management commands. As such the CRQ events are ignored when operating in MQ mode with channels. Link: https://lore.kernel.org/r/20210319205029.312969-3-tyreld@linux.ibm.com Fixes: 9000cb998bcf ("scsi: ibmvfc: Enable MQ and set reasonable defaults") Reviewed-by: Brian King Signed-off-by: Tyrel Datwyler Signed-off-by: Martin K. Petersen commit 8b1c9b2025491d7c86255fb773b00ecf94b53acc Author: Tyrel Datwyler Date: Fri Mar 19 14:50:28 2021 -0600 scsi: ibmvfc: Fix potential race in ibmvfc_wait_for_ops() For various EH activities the ibmvfc driver uses ibmvfc_wait_for_ops() to wait for the completion of commands that match a given criteria be it cancel key, or specific LUN. With recent changes commands are completed outside the lock in bulk by removing them from the sent list and adding them to a private completion list. This introduces a potential race in ibmvfc_wait_for_ops() since the criteria for a command to be outstanding is no longer simply being on the sent list, but instead not being on the free list. Avoid this race by scanning the entire command event pool and checking that any matching command that ibmvfc needs to wait on is not already on the free list. Link: https://lore.kernel.org/r/20210319205029.312969-2-tyreld@linux.ibm.com Fixes: 1f4a4a19508d ("scsi: ibmvfc: Complete commands outside the host/queue lock") Reviewed-by: Brian King Signed-off-by: Tyrel Datwyler Signed-off-by: Martin K. Petersen commit e138138003eb3b3d06cc91cf2e8c5dec77e2a31e Merge: 4ee998b0ef8b6 e43accba9b071 Author: Linus Torvalds Date: Wed Mar 24 18:16:04 2021 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: "Various fixes, all over: 1) Fix overflow in ptp_qoriq_adjfine(), from Yangbo Lu. 2) Always store the rx queue mapping in veth, from Maciej Fijalkowski. 3) Don't allow vmlinux btf in map_create, from Alexei Starovoitov. 4) Fix memory leak in octeontx2-af from Colin Ian King. 5) Use kvalloc in bpf x86 JIT for storing jit'd addresses, from Yonghong Song. 6) Fix tx ptp stats in mlx5, from Aya Levin. 7) Check correct ip version in tun decap, fropm Roi Dayan. 8) Fix rate calculation in mlx5 E-Switch code, from arav Pandit. 9) Work item memork leak in mlx5, from Shay Drory. 10) Fix ip6ip6 tunnel crash with bpf, from Daniel Borkmann. 11) Lack of preemptrion awareness in macvlan, from Eric Dumazet. 12) Fix data race in pxa168_eth, from Pavel Andrianov. 13) Range validate stab in red_check_params(), from Eric Dumazet. 14) Inherit vlan filtering setting properly in b53 driver, from Florian Fainelli. 15) Fix rtnl locking in igc driver, from Sasha Neftin. 16) Pause handling fixes in igc driver, from Muhammad Husaini Zulkifli. 17) Missing rtnl locking in e1000_reset_task, from Vitaly Lifshits. 18) Use after free in qlcnic, from Lv Yunlong. 19) fix crash in fritzpci mISDN, from Tong Zhang. 20) Premature rx buffer reuse in igb, from Li RongQing. 21) Missing termination of ip[a driver message handler arrays, from Alex Elder. 22) Fix race between "x25_close" and "x25_xmit"/"x25_rx" in hdlc_x25 driver, from Xie He. 23) Use after free in c_can_pci_remove(), from Tong Zhang. 24) Uninitialized variable use in nl80211, from Jarod Wilson. 25) Off by one size calc in bpf verifier, from Piotr Krysiuk. 26) Use delayed work instead of deferrable for flowtable GC, from Yinjun Zhang. 27) Fix infinite loop in NPC unmap of octeontx2 driver, from Hariprasad Kelam. 28) Fix being unable to change MTU of dwmac-sun8i devices due to lack of fifo sizes, from Corentin Labbe. 29) DMA use after free in r8169 with WoL, fom Heiner Kallweit. 30) Mismatched prototypes in isdn-capi, from Arnd Bergmann. 31) Fix psample UAPI breakage, from Ido Schimmel" * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (171 commits) psample: Fix user API breakage math: Export mul_u64_u64_div_u64 ch_ktls: fix enum-conversion warning octeontx2-af: Fix memory leak of object buf ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation net: bridge: don't notify switchdev for local FDB addresses net/sched: act_ct: clear post_ct if doing ct_clear net: dsa: don't assign an error value to tag_ops isdn: capi: fix mismatched prototypes net/mlx5: SF, do not use ecpu bit for vhca state processing net/mlx5e: Fix division by 0 in mlx5e_select_queue net/mlx5e: Fix error path for ethtool set-priv-flag net/mlx5e: Offload tuple rewrite for non-CT flows net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP net/mlx5: Add back multicast stats for uplink representor net: ipconfig: ic_dev can be NULL in ic_close_devs MAINTAINERS: Combine "QLOGIC QLGE 10Gb ETHERNET DRIVER" sections into one docs: networking: Fix a typo r8169: fix DMA being used after buffer free if WoL is enabled net: ipa: fix init header command validation ... commit d3999c1f7bbbc100c167d7ad3cd79c1d10446ba2 Author: Lyude Paul Date: Thu Mar 4 20:52:41 2021 -0500 drm/nouveau/kms/nve4-nv108: Limit cursors to 128x128 While Kepler does technically support 256x256 cursors, it turns out that Kepler actually has some additional requirements for scanout surfaces that we're not enforcing correctly, which aren't present on Maxwell and later. Cursor surfaces must always use small pages (4K), and overlay surfaces must always use large pages (128K). Fixing this correctly though will take a bit more work: as we'll need to add some code in prepare_fb() to move cursor FBs in large pages to small pages, and vice-versa for overlay FBs. So until we have the time to do that, just limit cursor surfaces to 128x128 - a size small enough to always default to small pages. This means small ovlys are still broken on Kepler, but it is extremely unlikely anyone cares about those anyway :). Signed-off-by: Lyude Paul Fixes: d3b2f0f7921c ("drm/nouveau/kms/nv50-: Report max cursor size to userspace") Cc: # v5.11+ Signed-off-by: Ben Skeggs commit e43accba9b071dcd106b5e7643b1b106a158cbb1 Author: Ido Schimmel Date: Wed Mar 24 21:43:32 2021 +0200 psample: Fix user API breakage Cited commit added a new attribute before the existing group reference count attribute, thereby changing its value and breaking existing applications on new kernels. Before: # psample -l libpsample ERROR psample_group_foreach: failed to recv message: Operation not supported After: # psample -l Group Num Refcount Group Seq 1 1 0 Fix by restoring the value of the old attribute and remove the misleading comments from the enumerator to avoid future bugs. Cc: stable@vger.kernel.org Fixes: d8bed686ab96 ("net: psample: Add tunnel support") Signed-off-by: Ido Schimmel Reported-by: Adiel Bidani Reviewed-by: Jiri Pirko Reviewed-by: Petr Machata Signed-off-by: David S. Miller commit bf45947864764548697e7515fe693e10f173f312 Author: David S. Miller Date: Wed Mar 24 16:42:54 2021 -0700 math: Export mul_u64_u64_div_u64 Fixes: f51d7bf1dbe5 ("ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation") Signed-off-by: David S. Miller commit af44a387e743ab7aa39d3fb5e29c0a973cf91bdc Author: Roger Pau Monne Date: Wed Mar 24 13:24:24 2021 +0100 Revert "xen: fix p2m size in dom0 for disabled memory hotplug case" This partially reverts commit 882213990d32 ("xen: fix p2m size in dom0 for disabled memory hotplug case") There's no need to special case XEN_UNPOPULATED_ALLOC anymore in order to correctly size the p2m. The generic memory hotplug option has already been tied together with the Xen hotplug limit, so enabling memory hotplug should already trigger a properly sized p2m on Xen PV. Note that XEN_UNPOPULATED_ALLOC depends on ZONE_DEVICE which pulls in MEMORY_HOTPLUG. Leave the check added to __set_phys_to_machine and the adjusted comment about EXTRA_MEM_RATIO. Signed-off-by: Roger Pau Monné Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20210324122424.58685-3-roger.pau@citrix.com [boris: fixed formatting issues] Signed-off-by: Boris Ostrovsky commit 2b514ec72706a31bea0c3b97e622b81535b5323a Author: Roger Pau Monne Date: Wed Mar 24 13:24:23 2021 +0100 xen/x86: make XEN_BALLOON_MEMORY_HOTPLUG_LIMIT depend on MEMORY_HOTPLUG The Xen memory hotplug limit should depend on the memory hotplug generic option, rather than the Xen balloon configuration. It's possible to have a kernel with generic memory hotplug enabled, but without Xen balloon enabled, at which point memory hotplug won't work correctly due to the size limitation of the p2m. Rename the option to XEN_MEMORY_HOTPLUG_LIMIT since it's no longer tied to ballooning. Fixes: 9e2369c06c8a18 ("xen: add helpers to allocate unpopulated memory") Signed-off-by: Roger Pau Monné Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20210324122424.58685-2-roger.pau@citrix.com Signed-off-by: Boris Ostrovsky commit 632aeebe1b7a3a8b193d71942a10e66919bebfb8 Author: Hans de Goede Date: Wed Mar 24 14:27:11 2021 +0100 ASoC: intel: atom: Remove 44100 sample-rate from the media and deep-buffer DAI descriptions The media and deep-buffer DAIs only support 48000 Hz samplerate, remove the 44100 sample-rate from their descriptions. Acked-by: Pierre-Louis Bossart Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210324132711.216152-3-hdegoede@redhat.com Signed-off-by: Mark Brown commit aa65bacdb70e549a81de03ec72338e1047842883 Author: Hans de Goede Date: Wed Mar 24 14:27:10 2021 +0100 ASoC: intel: atom: Stop advertising non working S24LE support The SST firmware's media and deep-buffer inputs are hardcoded to S16LE, the corresponding DAIs don't have a hw_params callback and their prepare callback also does not take the format into account. So far the advertising of non working S24LE support has not caused issues because pulseaudio defaults to S16LE, but changing pulse-audio's config to use S24LE will result in broken sound. Pipewire is replacing pulse now and pipewire prefers S24LE over S16LE when available, causing the problem of the broken S24LE support to come to the surface now. Cc: stable@vger.kernel.org BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/866 Fixes: 098c2cd281409 ("ASoC: Intel: Atom: add 24-bit support for media playback and capture") Acked-by: Pierre-Louis Bossart Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210324132711.216152-2-hdegoede@redhat.com Signed-off-by: Mark Brown commit 6f235a69e59484e382dc31952025b0308efedc17 Author: Arnd Bergmann Date: Tue Mar 23 22:52:50 2021 +0100 ch_ktls: fix enum-conversion warning gcc points out an incorrect enum assignment: drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c: In function 'chcr_ktls_cpl_set_tcb_rpl': drivers/net/ethernet/chelsio/inline_crypto/ch_ktls/chcr_ktls.c:684:22: warning: implicit conversion from 'enum ' to 'enum ch_ktls_open_state' [-Wenum-conversion] This appears harmless, and should apparently use 'CH_KTLS_OPEN_SUCCESS' instead of 'false', with the same value '0'. Fixes: efca3878a5fb ("ch_ktls: Issue if connection offload fails") Reviewed-by: Andrew Lunn Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller commit 9e0a537d06fc36861e4f78d0a7df1fe2b3592714 Author: Colin Ian King Date: Tue Mar 23 12:32:45 2021 +0000 octeontx2-af: Fix memory leak of object buf Currently the error return path when lfs fails to allocate is not free'ing the memory allocated to buf. Fix this by adding the missing kfree. Addresses-Coverity: ("Resource leak") Fixes: f7884097141b ("octeontx2-af: Formatting debugfs entry rsrc_alloc.") Signed-off-by: Colin Ian King Acked-by: Sunil Goutham Signed-off-by: David S. Miller commit f51d7bf1dbe5522c51c93fe8faa5f4abbdf339cd Author: Yangbo Lu Date: Tue Mar 23 16:02:29 2021 +0800 ptp_qoriq: fix overflow in ptp_qoriq_adjfine() u64 calcalation Current calculation for diff of TMR_ADD register value may have 64-bit overflow in this code line, when long type scaled_ppm is large. adj *= scaled_ppm; This patch is to resolve it by using mul_u64_u64_div_u64(). Signed-off-by: Yangbo Lu Signed-off-by: David S. Miller commit 4ee998b0ef8b6d7b1267cd4d953182224929abba Merge: a0a4df6a9e406 148ddaa89d4a0 Author: Linus Torvalds Date: Wed Mar 24 11:26:50 2021 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Three fixes for the Qualcomm clk driver: two for regressions this merge window and one for a long-standing problem that only popped up now that eMMC is being used" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: qcom: gcc-sc7180: Use floor ops for the correct sdcc1 clk clk: qcom: rcg2: Rectify clk_gfx3d rate rounding without mux division clk: qcom: rpmh: Update the XO clock source for SC7280 commit a0a4df6a9e406939b3d3218ebd30c8862343d199 Merge: 8a9d2e133e2fb d1635448f1105 Author: Linus Torvalds Date: Wed Mar 24 11:21:01 2021 -0700 Merge tag 'platform-drivers-x86-v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86 Pull x86 platform drivers fixes from Hans de Goede: "A set of bug-fixes and some model specific quirks. Summary: - dell-wmi-sysman: A set of probe-error-exit-handling fixes to fix some systems which advertise the WMI GUIDs, but are not compatible, not booting - intel-vbtn/intel-hid: Misc. bugfixes - intel_pmc: Bug-fixes + a quirk to lower suspend power-consumption on Tiger Lake - thinkpad_acpi: misc bugfixes" * tag 'platform-drivers-x86-v5.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/pdx86/platform-drivers-x86: platform/x86: intel_pmc_core: Ignore GBE LTR on Tiger Lake platforms platform/x86: intel_pmc_core: Update Kconfig platform/x86: intel_pmt_crashlog: Fix incorrect macros platform/x86: intel_pmt_class: Initial resource to 0 platform/x86: intel-vbtn: Stop reporting SW_DOCK events platform/x86: dell-wmi-sysman: Cleanup create_attributes_level_sysfs_files() platform/x86: dell-wmi-sysman: Make sysman_init() return -ENODEV of the interfaces are not found platform/x86: dell-wmi-sysman: Cleanup sysman_init() error-exit handling platform/x86: dell-wmi-sysman: Fix release_attributes_data() getting called twice on init_bios_attributes() failure platform/x86: dell-wmi-sysman: Make it safe to call exit_foo_attributes() multiple times platform/x86: dell-wmi-sysman: Fix possible NULL pointer deref on exit platform/x86: dell-wmi-sysman: Fix crash caused by calling kset_unregister twice platform/x86: thinkpad_acpi: Disable DYTC CQL mode around switching to balanced mode platform/x86: thinkpad_acpi: Allow the FnLock LED to change state platform/x86: thinkpad_acpi: check dytc version for lapmode sysfs platform/x86: intel-hid: Support Lenovo ThinkPad X1 Tablet Gen 2 commit 7de55b7d6f09a2865279d3c41c0fbdbfdb87486a Author: Johannes Thumshirn Date: Thu Mar 25 00:47:26 2021 +0900 block: support zone append bvecs Christoph reported that we'll likely trigger the WARN_ON_ONCE() checking that we're not submitting a bvec with REQ_OP_ZONE_APPEND in bio_iov_iter_get_pages() some time ago using zoned btrfs, but I couldn't reproduce it back then. Now Naohiro was able to trigger the bug as well with xfstests generic/095 on a zoned btrfs. There is nothing that prevents bvec submissions via REQ_OP_ZONE_APPEND if the hardware's zone append limit is met. Reported-by: Naohiro Aota Reported-by: Christoph Hellwig Signed-off-by: Johannes Thumshirn Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/10bd414d9326c90cd69029077db63b363854eee5.1616600835.git.johannes.thumshirn@wdc.com Signed-off-by: Jens Axboe commit af22df997d71c32304d6835a8b690281063b8010 Author: Marc Zyngier Date: Tue Mar 23 16:08:18 2021 +0000 KVM: arm64: Fix CPU interface MMIO compatibility detection In order to detect whether a GICv3 CPU interface is MMIO capable, we switch ICC_SRE_EL1.SRE to 0 and check whether it sticks. However, this is only possible if *ALL* of the HCR_EL2 interrupt overrides are set, and the CPU is perfectly allowed to ignore the write to ICC_SRE_EL1 otherwise. This leads KVM to pretend that a whole bunch of ARMv8.0 CPUs aren't MMIO-capable, and breaks VMs that should work correctly otherwise. Fix this by setting IMO/FMO/IMO before touching ICC_SRE_EL1, and clear them afterwards. This allows us to reliably detect the CPU interface capabilities. Tested-by: Shameerali Kolothum Thodi Fixes: 9739f6ef053f ("KVM: arm64: Workaround firmware wrongly advertising GICv2-on-v3 compatibility") Signed-off-by: Marc Zyngier commit a354a64d91eec3e0f8ef0eed575b480fd75b999c Author: Suzuki K Poulose Date: Tue Mar 23 12:06:30 2021 +0000 KVM: arm64: Disable guest access to trace filter controls Disable guest access to the Trace Filter control registers. We do not advertise the Trace filter feature to the guest (ID_AA64DFR0_EL1: TRACE_FILT is cleared) already, but the guest can still access the TRFCR_EL1 unless we trap it. This will also make sure that the guest cannot fiddle with the filtering controls set by a nvhe host. Cc: Marc Zyngier Cc: Will Deacon Cc: Mark Rutland Cc: Catalin Marinas Signed-off-by: Suzuki K Poulose Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210323120647.454211-3-suzuki.poulose@arm.com commit 1d676673d665fd2162e7e466dcfbe5373bfdb73e Author: Suzuki K Poulose Date: Tue Mar 23 12:06:29 2021 +0000 KVM: arm64: Hide system instruction access to Trace registers Currently we advertise the ID_AA6DFR0_EL1.TRACEVER for the guest, when the trace register accesses are trapped (CPTR_EL2.TTA == 1). So, the guest will get an undefined instruction, if trusts the ID registers and access one of the trace registers. Lets be nice to the guest and hide the feature to avoid unexpected behavior. Even though this can be done at KVM sysreg emulation layer, we do this by removing the TRACEVER from the sanitised feature register field. This is fine as long as the ETM drivers can handle the individual trace units separately, even when there are differences among the CPUs. Cc: Will Deacon Cc: Catalin Marinas Cc: Mark Rutland Signed-off-by: Suzuki K Poulose Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210323120647.454211-2-suzuki.poulose@arm.com commit 8a9d2e133e2fb6429d7503eb1d382ca4049219d7 Merge: bf1c82a538906 75b69799610c2 Author: Linus Torvalds Date: Wed Mar 24 10:22:00 2021 -0700 Merge tag 'afs-cachefiles-fixes-20210323' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs Pull cachefiles and afs fixes from David Howells: "Fixes from Matthew Wilcox for page waiting-related issues in cachefiles and afs as extracted from his folio series[1]: - In cachefiles, remove the use of the wait_bit_key struct to access something that's actually in wait_page_key format. The proper struct is now available in the header, so that should be used instead. - Add a proper wait function for waiting killably on the page writeback flag. This includes a recent bugfix[2] that's not in the afs code. - In afs, use the function added in (2) rather than using wait_on_page_bit_killable() which doesn't provide the aforementioned bugfix" Link: https://lore.kernel.org/r/20210320054104.1300774-1-willy@infradead.org[1] Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c2407cf7d22d0c0d94cf20342b3b8f06f1d904e7 [2] Link: https://lore.kernel.org/r/20210323120829.GC1719932@casper.infradead.org/ # v1 * tag 'afs-cachefiles-fixes-20210323' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs: afs: Use wait_on_page_writeback_killable mm/writeback: Add wait_on_page_writeback_killable fs/cachefiles: Remove wait_bit_key layout dependency commit bf1c82a5389061d989f5e07f1c958db4efaf2141 Author: Christian Brauner Date: Wed Mar 24 08:51:10 2021 +0000 cachefiles: do not yet allow on idmapped mounts Based on discussions (e.g. in [1]) my understanding of cachefiles and the cachefiles userspace daemon is that it creates a cache on a local filesystem (e.g. ext4, xfs etc.) for a network filesystem. The way this is done is by writing "bind" to /dev/cachefiles and pointing it to the directory to use as the cache. Currently this directory can technically also be an idmapped mount but cachefiles aren't yet fully aware of such mounts and thus don't take the idmapping into account when creating cache entries. This could leave users confused as the ownership of the files wouldn't match to what they expressed in the idmapping. Block cache files on idmapped mounts until the fscache rework is done and we have ported it to support idmapped mounts. Signed-off-by: Christian Brauner Signed-off-by: David Howells Cc: linux-cachefs@redhat.com Link: https://lore.kernel.org/lkml/20210303161528.n3jzg66ou2wa43qb@wittgenstein [1] Link: https://lore.kernel.org/r/20210316112257.2974212-1-christian.brauner@ubuntu.com/ # v1 Link: https://listman.redhat.com/archives/linux-cachefs/2021-March/msg00044.html # v2 Link: https://lore.kernel.org/r/20210319114146.410329-1-christian.brauner@ubuntu.com/ # v3 Signed-off-by: Linus Torvalds commit 25928deeb1e4e2cdae1dccff349320c6841eb5f8 Author: Vegard Nossum Date: Tue Mar 23 14:20:33 2021 -0700 ACPICA: Always create namespace nodes using acpi_ns_create_node() ACPICA commit 29da9a2a3f5b2c60420893e5c6309a0586d7a329 ACPI is allocating an object using kmalloc(), but then frees it using kmem_cache_free(<"Acpi-Namespace" kmem_cache>). This is wrong and can lead to boot failures manifesting like this: hpet0: 3 comparators, 64-bit 100.000000 MHz counter clocksource: Switched to clocksource tsc-early BUG: unable to handle page fault for address: 000000003ffe0018 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.6.0+ #211 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 RIP: 0010:kmem_cache_alloc+0x70/0x1d0 Code: 00 00 4c 8b 45 00 65 49 8b 50 08 65 4c 03 05 6f cc e7 7e 4d 8b 20 4d 85 e4 0f 84 3d 01 00 00 8b 45 20 48 8b 7d 00 48 8d 4a 01 <49> 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 74 c5 8b 45 20 RSP: 0000:ffffc90000013df8 EFLAGS: 00010206 RAX: 0000000000000018 RBX: ffffffff81c49200 RCX: 0000000000000002 RDX: 0000000000000001 RSI: 0000000000000dc0 RDI: 000000000002b300 RBP: ffff88803e403d00 R08: ffff88803ec2b300 R09: 0000000000000001 R10: 0000000000000dc0 R11: 0000000000000006 R12: 000000003ffe0000 R13: ffffffff8110a583 R14: 0000000000000dc0 R15: ffffffff81c49a80 FS: 0000000000000000(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000003ffe0018 CR3: 0000000001c0a001 CR4: 00000000003606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __trace_define_field+0x33/0xa0 event_trace_init+0xeb/0x2b4 tracer_init_tracefs+0x60/0x195 ? register_tracer+0x1e7/0x1e7 do_one_initcall+0x74/0x160 kernel_init_freeable+0x190/0x1f0 ? rest_init+0x9a/0x9a kernel_init+0x5/0xf6 ret_from_fork+0x35/0x40 CR2: 000000003ffe0018 ---[ end trace 707efa023f2ee960 ]--- RIP: 0010:kmem_cache_alloc+0x70/0x1d0 Bisection leads to unrelated changes in slab; Vlastimil Babka suggests an unrelated layout or slab merge change merely exposed the underlying bug. Link: https://lore.kernel.org/lkml/4dc93ff8-f86e-f4c9-ebeb-6d3153a78d03@oracle.com/ Link: https://lore.kernel.org/r/a1461e21-c744-767d-6dfc-6641fd3e3ce2@siemens.com Link: https://github.com/acpica/acpica/commit/29da9a2a Fixes: f79c8e4136ea ("ACPICA: Namespace: simplify creation of the initial/default namespace") Reported-by: Jan Kiszka Diagnosed-by: Vlastimil Babka Diagnosed-by: Kees Cook Signed-off-by: Vegard Nossum Signed-off-by: Bob Moore Signed-off-by: Erik Kaneda Cc: 5.10+ # 5.10+ Signed-off-by: Rafael J. Wysocki commit 41d585411311abf187e5f09042978fe7073a9375 Author: Namhyung Kim Date: Mon Mar 15 13:56:41 2021 +0900 perf record: Fix memory leak in vDSO found using ASAN I got several memory leak reports from Asan with a simple command. It was because VDSO is not released due to the refcount. Like in __dsos_addnew_id(), it should put the refcount after adding to the list. $ perf record true [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 0.030 MB perf.data (10 samples) ] ================================================================= ==692599==ERROR: LeakSanitizer: detected memory leaks Direct leak of 439 byte(s) in 1 object(s) allocated from: #0 0x7fea52341037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x559bce4aa8ee in dso__new_id util/dso.c:1256 #2 0x559bce59245a in __machine__addnew_vdso util/vdso.c:132 #3 0x559bce59245a in machine__findnew_vdso util/vdso.c:347 #4 0x559bce50826c in map__new util/map.c:175 #5 0x559bce503c92 in machine__process_mmap2_event util/machine.c:1787 #6 0x559bce512f6b in machines__deliver_event util/session.c:1481 #7 0x559bce515107 in perf_session__deliver_event util/session.c:1551 #8 0x559bce51d4d2 in do_flush util/ordered-events.c:244 #9 0x559bce51d4d2 in __ordered_events__flush util/ordered-events.c:323 #10 0x559bce519bea in __perf_session__process_events util/session.c:2268 #11 0x559bce519bea in perf_session__process_events util/session.c:2297 #12 0x559bce2e7a52 in process_buildids /home/namhyung/project/linux/tools/perf/builtin-record.c:1017 #13 0x559bce2e7a52 in record__finish_output /home/namhyung/project/linux/tools/perf/builtin-record.c:1234 #14 0x559bce2ed4f6 in __cmd_record /home/namhyung/project/linux/tools/perf/builtin-record.c:2026 #15 0x559bce2ed4f6 in cmd_record /home/namhyung/project/linux/tools/perf/builtin-record.c:2858 #16 0x559bce422db4 in run_builtin /home/namhyung/project/linux/tools/perf/perf.c:313 #17 0x559bce2acac8 in handle_internal_command /home/namhyung/project/linux/tools/perf/perf.c:365 #18 0x559bce2acac8 in run_argv /home/namhyung/project/linux/tools/perf/perf.c:409 #19 0x559bce2acac8 in main /home/namhyung/project/linux/tools/perf/perf.c:539 #20 0x7fea51e76d09 in __libc_start_main ../csu/libc-start.c:308 Indirect leak of 32 byte(s) in 1 object(s) allocated from: #0 0x7fea52341037 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154 #1 0x559bce520907 in nsinfo__copy util/namespaces.c:169 #2 0x559bce50821b in map__new util/map.c:168 #3 0x559bce503c92 in machine__process_mmap2_event util/machine.c:1787 #4 0x559bce512f6b in machines__deliver_event util/session.c:1481 #5 0x559bce515107 in perf_session__deliver_event util/session.c:1551 #6 0x559bce51d4d2 in do_flush util/ordered-events.c:244 #7 0x559bce51d4d2 in __ordered_events__flush util/ordered-events.c:323 #8 0x559bce519bea in __perf_session__process_events util/session.c:2268 #9 0x559bce519bea in perf_session__process_events util/session.c:2297 #10 0x559bce2e7a52 in process_buildids /home/namhyung/project/linux/tools/perf/builtin-record.c:1017 #11 0x559bce2e7a52 in record__finish_output /home/namhyung/project/linux/tools/perf/builtin-record.c:1234 #12 0x559bce2ed4f6 in __cmd_record /home/namhyung/project/linux/tools/perf/builtin-record.c:2026 #13 0x559bce2ed4f6 in cmd_record /home/namhyung/project/linux/tools/perf/builtin-record.c:2858 #14 0x559bce422db4 in run_builtin /home/namhyung/project/linux/tools/perf/perf.c:313 #15 0x559bce2acac8 in handle_internal_command /home/namhyung/project/linux/tools/perf/perf.c:365 #16 0x559bce2acac8 in run_argv /home/namhyung/project/linux/tools/perf/perf.c:409 #17 0x559bce2acac8 in main /home/namhyung/project/linux/tools/perf/perf.c:539 #18 0x7fea51e76d09 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: 471 byte(s) leaked in 2 allocation(s). Signed-off-by: Namhyung Kim Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Andi Kleen Cc: Ian Rogers Cc: Mark Rutland Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210315045641.700430-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit eb8f998bbc3d51042ff290b9f6480c1886f6cfb9 Author: Thomas Richter Date: Wed Mar 24 09:37:34 2021 +0100 perf test: Remove now useless failing sub test "BPF relocation checker" For some time now the 'perf test 42: BPF filter' returns an error on bpf relocation subtest, at least on x86 and s390. This is caused by d859900c4c56dc4f ("bpf, libbpf: support global data/bss/rodata sections") which introduces support for global variables in eBPF programs. Perf test 42.4 checks that the eBPF relocation fails when the eBPF program contains a global variable. It returns OK when the eBPF program could not be loaded and FAILED otherwise. With above commit the test logic for the eBPF relocation is obsolete. The loading of the eBPF now succeeds and the test always shows FAILED. This patch removes the sub test completely. Also a lot of eBPF program testing is done in the eBPF test suite, it also contains tests for global variables. Output before: 42: BPF filter : 42.1: Basic BPF filtering : Ok 42.2: BPF pinning : Ok 42.3: BPF prologue generation : Ok 42.4: BPF relocation checker : Failed # Output after: # ./perf test -F 42 42: BPF filter : 42.1: Basic BPF filtering : Ok 42.2: BPF pinning : Ok 42.3: BPF prologue generation : Ok # Signed-off-by: Thomas Richter Suggested-by: Arnaldo Carvalho de Melo Tested-by: Arnaldo Carvalho de Melo Cc: Heiko Carstens Cc: Sumanth Korikkar Cc: Sven Schnelle Cc: Vasily Gorbik Link: http://lore.kernel.org/lkml/20210324083734.1953123-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo commit 9f177fd8f20b46bbd76dbcc90184caf3b8548a9f Author: Jiri Olsa Date: Sat Mar 20 23:10:13 2021 +0100 perf daemon: Return from kill functions We should return correctly and warn in both daemon_session__kill() and daemon__kill() after we tried everything to kill sessions. The current code will keep on looping and waiting. Signed-off-by: Jiri Olsa Cc: Alexander Shishkin Cc: Ian Rogers Cc: Mark Rutland Cc: Michael Petlan Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210320221013.1619613-2-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 1833b64fee1032d1f48afaa3956bc0ea6b10d5e0 Author: Jiri Olsa Date: Sat Mar 20 23:10:12 2021 +0100 perf daemon: Force waipid for all session on SIGCHLD delivery If we don't process SIGCHLD before another comes, we will see just one SIGCHLD as a result. In this case current code will miss exit notification for a session and wait forever. Adding extra waitpid check for all sessions when SIGCHLD is received, to make sure we don't miss any session exit. Also fix close condition for signal_fd. Reported-by: Ian Rogers Signed-off-by: Jiri Olsa Cc: Alexander Shishkin Cc: Mark Rutland Cc: Michael Petlan Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20210320221013.1619613-1-jolsa@kernel.org Signed-off-by: Arnaldo Carvalho de Melo commit 8840e3bd981f128846b01c12d3966d115e8617c9 Author: Imre Deak Date: Mon Mar 22 22:28:17 2021 +0200 drm/i915: Fix the GT fence revocation runtime PM logic To optimize some task deferring it until runtime resume unless someone holds a runtime PM reference (because in this case the task can be done w/o the overhead of runtime resume), we have to use the runtime PM get-if-active logic: If the runtime PM usage count is 0 (and so get-if-in-use would return false) the runtime suspend handler is not necessarily called yet (it could be just pending), so the device is not necessarily powered down, and so the runtime resume handler is not guaranteed to be called. The fence revocation depends on the above deferral, so add a get-if-active helper and use it during fence revocation. v2: - Add code comment explaining the fence reg programming deferral logic to i915_vma_revoke_fence(). (Chris) - Add Cc: stable and Fixes: tags. (Chris) - Fix the function docbook comment. Cc: Chris Wilson Cc: # v4.12+ Fixes: 181df2d458f3 ("drm/i915: Take rpm wakelock for releasing the fence on unbind") Reviewed-by: Chris Wilson Signed-off-by: Imre Deak Link: https://patchwork.freedesktop.org/patch/msgid/20210322204223.919936-1-imre.deak@intel.com (cherry picked from commit 9d58aa46291d4d696bb1eac3436d3118f7bf2573) Signed-off-by: Rodrigo Vivi commit a1ebdb3741993f853865d1bd8f77881916ad53a7 Author: Tony Lindgren Date: Wed Mar 24 15:10:32 2021 +0200 ARM: dts: Fix swapped mmc order for omap3 Also some omap3 devices like n900 seem to have eMMC and micro-sd swapped around with commit 21b2cec61c04 ("mmc: Set PROBE_PREFER_ASYNCHRONOUS for drivers that existed in v4.4"). Let's fix the issue with aliases as discussed on the mailing lists. While the mmc aliases should be board specific, let's first fix the issue with minimal changes. Cc: Aaro Koskinen Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren commit a185f1db59f13de73aa470559030e90e50b34d93 Author: Pavel Begunkov Date: Tue Mar 23 10:52:38 2021 +0000 io_uring: do ctx sqd ejection in a clear context WARNING: CPU: 1 PID: 27907 at fs/io_uring.c:7147 io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147 CPU: 1 PID: 27907 Comm: iou-sqp-27905 Not tainted 5.12.0-rc4-syzkaller #0 RIP: 0010:io_sq_thread_park+0xb5/0xd0 fs/io_uring.c:7147 Call Trace: io_ring_ctx_wait_and_kill+0x214/0x700 fs/io_uring.c:8619 io_uring_release+0x3e/0x50 fs/io_uring.c:8646 __fput+0x288/0x920 fs/file_table.c:280 task_work_run+0xdd/0x1a0 kernel/task_work.c:140 io_run_task_work fs/io_uring.c:2238 [inline] io_run_task_work fs/io_uring.c:2228 [inline] io_uring_try_cancel_requests+0x8ec/0xc60 fs/io_uring.c:8770 io_uring_cancel_sqpoll+0x1cf/0x290 fs/io_uring.c:8974 io_sqpoll_cancel_cb+0x87/0xb0 fs/io_uring.c:8907 io_run_task_work_head+0x58/0xb0 fs/io_uring.c:1961 io_sq_thread+0x3e2/0x18d0 fs/io_uring.c:6763 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 May happen that last ctx ref is killed in io_uring_cancel_sqpoll(), so fput callback (i.e. io_uring_release()) is enqueued through task_work, and run by same cancellation. As it's deeply nested we can't do parking or taking sqd->lock there, because its state is unclear. So avoid ctx ejection from sqd list from io_ring_ctx_wait_and_kill() and do it in a clear context in io_ring_exit_work(). Fixes: f6d54255f423 ("io_uring: halt SQO submission on ctx exit") Reported-by: syzbot+e3a3f84f5cecf61f0583@syzkaller.appspotmail.com Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/e90df88b8ff2cabb14a7534601d35d62ab4cb8c7.1616496707.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit a3efe3f6d0eb64363f74af4b0e8ba6d19415cef2 Author: Tony Lindgren Date: Wed Mar 24 12:23:58 2021 +0200 ARM: OMAP2+: Fix warning for omap_init_time_of() Fix warning: no previous prototype for 'omap_init_time_of'. Fixes: e69b4e1a7577 ("ARM: OMAP2+: Add omap_init_time_of()") Reported-by: kernel test robot Signed-off-by: Tony Lindgren commit b1e3a5607034aa0a481c6f69a6893049406665fb Author: Steffen Klassert Date: Tue Mar 23 09:26:44 2021 +0100 xfrm: Fix NULL pointer dereference on policy lookup When xfrm interfaces are used in combination with namespaces and ESP offload, we get a dst_entry NULL pointer dereference. This is because we don't have a dst_entry attached in the ESP offloading case and we need to do a policy lookup before the namespace transition. Fix this by expicit checking of skb_dst(skb) before accessing it. Fixes: f203b76d78092 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Steffen Klassert commit 68dc022d04eb0fd60a540e242dcb11ec1bee07e2 Author: Xin Long Date: Fri Mar 19 18:27:58 2021 +0800 xfrm: BEET mode doesn't support fragments for inner packets BEET mode replaces the IP(6) Headers with new IP(6) Headers when sending packets. However, when it's a fragment before the replacement, currently kernel keeps the fragment flag and replace the address field then encaps it with ESP. It would cause in RX side the fragments to get reassembled before decapping with ESP, which is incorrect. In Xiumei's testing, these fragments went over an xfrm interface and got encapped with ESP in the device driver, and the traffic was broken. I don't have a good way to fix it, but only to warn this out in dmesg. Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit 5c458585c0141754cdcbf25feebb547dd671b559 Author: Alex Deucher Date: Tue Feb 16 12:22:40 2021 -0500 drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x Commit 098214999c8f added fetching of the AUX_DPHY register values from the vbios, but it also changed the default values in the case when there are no values in the vbios. This causes problems with displays with high refresh rates. To fix this, switch back to the original default value for AUX_DPHY_TX_CONTROL. Fixes: 098214999c8f ("drm/amd/display: Read VBIOS Golden Settings Tbl") Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1426 Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Cc: Igor Kravchenko Cc: Aric Cyr Cc: Aurabindo Pillai Cc: stable@vger.kernel.org commit c933b111094f2818571fc51b81b98ee0d370c035 Author: Alex Deucher Date: Thu Mar 18 16:44:10 2021 -0400 drm/amdgpu: Add additional Sienna Cichlid PCI ID Add new DID. Reviewed-by: Guchun Chen Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 2c0d7f9186d06f1f3f6c52387195c8f89070af93 Merge: 16b82e75c15a7 8bb84ca873d22 Author: Mark Brown Date: Tue Mar 23 22:09:37 2021 +0000 Merge series "ASoC: SOF: Intel: shutdown and core handling corrections" from Pierre-Louis Bossart : This patchset fixes a logical flow in the core status, improves shutdown support on Intel SOF platforms with an HDaudio controller and cleans-up ElkhartLake support. Guennadi Liakhovetski (1): ASoC: SOF: Intel: HDA: fix core status verification Libin Yang (5): ASoC: SOF: Intel: TGL: fix EHL ops ASoC: SOF: Intel: TGL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: ICL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: CNL: set shutdown callback to hda_dsp_shutdown ASoC: SOF: Intel: APL: set shutdown callback to hda_dsp_shutdown Pierre-Louis Bossart (2): ASoC: SOF: core: harden shutdown helper ASoC: SOF: Intel: move ELH chip info sound/soc/sof/core.c | 8 +++++++- sound/soc/sof/intel/apl.c | 3 ++- sound/soc/sof/intel/cnl.c | 19 ++----------------- sound/soc/sof/intel/hda-dsp.c | 21 +++++++++++++++++---- sound/soc/sof/intel/hda.h | 1 + sound/soc/sof/intel/icl.c | 3 ++- sound/soc/sof/intel/pci-tgl.c | 2 +- sound/soc/sof/intel/tgl.c | 18 +++++++++++++++++- 8 files changed, 49 insertions(+), 26 deletions(-) -- 2.25.1 commit 6ab4c3117aec4e08007d9e971fa4133e1de1082d Author: Vladimir Oltean Date: Mon Mar 22 20:21:08 2021 +0200 net: bridge: don't notify switchdev for local FDB addresses As explained in this discussion: https://lore.kernel.org/netdev/20210117193009.io3nungdwuzmo5f7@skbuf/ the switchdev notifiers for FDB entries managed to have a zero-day bug. The bridge would not say that this entry is local: ip link add br0 type bridge ip link set swp0 master br0 bridge fdb add dev swp0 00:01:02:03:04:05 master local and the switchdev driver would be more than happy to offload it as a normal static FDB entry. This is despite the fact that 'local' and non-'local' entries have completely opposite directions: a local entry is locally terminated and not forwarded, whereas a static entry is forwarded and not locally terminated. So, for example, DSA would install this entry on swp0 instead of installing it on the CPU port as it should. There is an even sadder part, which is that the 'local' flag is implicit if 'static' is not specified, meaning that this command produces the same result of adding a 'local' entry: bridge fdb add dev swp0 00:01:02:03:04:05 master I've updated the man pages for 'bridge', and after reading it now, it should be pretty clear to any user that the commands above were broken and should have never resulted in the 00:01:02:03:04:05 address being forwarded (this behavior is coherent with non-switchdev interfaces): https://patchwork.kernel.org/project/netdevbpf/cover/20210211104502.2081443-1-olteanv@gmail.com/ If you're a user reading this and this is what you want, just use: bridge fdb add dev swp0 00:01:02:03:04:05 master static Because switchdev should have given drivers the means from day one to classify FDB entries as local/non-local, but didn't, it means that all drivers are currently broken. So we can just as well omit the switchdev notifications for local FDB entries, which is exactly what this patch does to close the bug in stable trees. For further development work where drivers might want to trap the local FDB entries to the host, we can add a 'bool is_local' to br_switchdev_fdb_call_notifiers(), and selectively make drivers act upon that bit, while all the others ignore those entries if the 'is_local' bit is set. Fixes: 6b26b51b1d13 ("net: bridge: Add support for notifying devices about FDB add/del") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller commit 8ca1b090e5c9a71abeea1dda8757f4ec3811f06e Author: Marcelo Ricardo Leitner Date: Mon Mar 22 15:13:22 2021 -0300 net/sched: act_ct: clear post_ct if doing ct_clear Invalid detection works with two distinct moments: act_ct tries to find a conntrack entry and set post_ct true, indicating that that was attempted. Then, when flow dissector tries to dissect CT info and no entry is there, it knows that it was tried and no entry was found, and synthesizes/sets key->ct_state = TCA_FLOWER_KEY_CT_FLAGS_TRACKED | TCA_FLOWER_KEY_CT_FLAGS_INVALID; mimicing what OVS does. OVS has this a bit more streamlined, as it recomputes the key after trying to find a conntrack entry for it. Issue here is, when we have 'tc action ct clear', it didn't clear post_ct, causing a subsequent match on 'ct_state -trk' to fail, due to the above. The fix, thus, is to clear it. Reproducer rules: tc filter add dev enp130s0f0np0_0 ingress prio 1 chain 0 \ protocol ip flower ip_proto tcp ct_state -trk \ action ct zone 1 pipe \ action goto chain 2 tc filter add dev enp130s0f0np0_0 ingress prio 1 chain 2 \ protocol ip flower \ action ct clear pipe \ action goto chain 4 tc filter add dev enp130s0f0np0_0 ingress prio 1 chain 4 \ protocol ip flower ct_state -trk \ action mirred egress redirect dev enp130s0f1np1_0 With the fix, the 3rd rule matches, like it does with OVS kernel datapath. Fixes: 7baf2429a1a9 ("net/sched: cls_flower add CT_FLAGS_INVALID flag support") Signed-off-by: Marcelo Ricardo Leitner Reviewed-by: wenxu Signed-off-by: David S. Miller commit 75b69799610c2b909a18e709c402923ea61aedc0 Author: Matthew Wilcox (Oracle) Date: Sat Mar 20 05:40:40 2021 +0000 afs: Use wait_on_page_writeback_killable Open-coding this function meant it missed out on the recent bugfix for waiters being woken by a delayed wake event from a previous instantiation of the page[1]. [DH: Changed the patch to use vmf->page rather than variable page which doesn't exist yet upstream] Fixes: 1cf7a1518aef ("afs: Implement shared-writeable mmap") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Christoph Hellwig Signed-off-by: David Howells Tested-by: kafs-testing@auristor.com cc: linux-afs@lists.infradead.org cc: linux-mm@kvack.org Link: https://lore.kernel.org/r/20210320054104.1300774-4-willy@infradead.org Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c2407cf7d22d0c0d94cf20342b3b8f06f1d904e7 [1] commit e5dbd33218bd8d87ab69f730ab90aed5fab7eb26 Author: Matthew Wilcox (Oracle) Date: Sat Mar 20 05:40:39 2021 +0000 mm/writeback: Add wait_on_page_writeback_killable This is the killable version of wait_on_page_writeback. Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Christoph Hellwig Signed-off-by: David Howells Tested-by: kafs-testing@auristor.com cc: linux-afs@lists.infradead.org cc: linux-mm@kvack.org Link: https://lore.kernel.org/r/20210320054104.1300774-3-willy@infradead.org commit 39f985c8f667c80a3d1eb19d31138032fa36b09e Author: Matthew Wilcox (Oracle) Date: Sat Mar 20 05:40:38 2021 +0000 fs/cachefiles: Remove wait_bit_key layout dependency Cachefiles was relying on wait_page_key and wait_bit_key being the same layout, which is fragile. Now that wait_page_key is exposed in the pagemap.h header, we can remove that fragility A comment on the need to maintain structure layout equivalence was added by Linus[1] and that is no longer applicable. Fixes: 62906027091f ("mm: add PageWaiters indicating tasks are waiting for a page bit") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Christoph Hellwig Signed-off-by: David Howells Tested-by: kafs-testing@auristor.com cc: linux-cachefs@redhat.com cc: linux-mm@kvack.org Link: https://lore.kernel.org/r/20210320054104.1300774-2-willy@infradead.org/ Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3510ca20ece0150af6b10c77a74ff1b5c198e3e2 [1] commit d1635448f1105e549b4041aab930dbc6945fc635 Author: David E. Box Date: Fri Mar 19 13:18:44 2021 -0700 platform/x86: intel_pmc_core: Ignore GBE LTR on Tiger Lake platforms Due to a HW limitation, the Latency Tolerance Reporting (LTR) value programmed in the Tiger Lake GBE controller is not large enough to allow the platform to enter Package C10, which in turn prevents the platform from achieving its low power target during suspend-to-idle. Ignore the GBE LTR value on Tiger Lake. LTR ignore functionality is currently performed solely by a debugfs write call. Split out the LTR code into its own function that can be called by both the debugfs writer and by this work around. Signed-off-by: David E. Box Reviewed-by: Sasha Neftin Cc: intel-wired-lan@lists.osuosl.org Reviewed-by: Rajneesh Bhardwaj Link: https://lore.kernel.org/r/20210319201844.3305399-2-david.e.box@linux.intel.com Signed-off-by: Hans de Goede commit 269b04a50992d8defab869079049ecfc60b6b3e5 Author: David E. Box Date: Fri Mar 19 13:18:43 2021 -0700 platform/x86: intel_pmc_core: Update Kconfig The intel_pmc_core driver is mostly used as a debugging driver for Intel platforms that support SLPS0 (S0ix). But the driver may also be used to communicate actions to the PMC in order to ensure transition to SLPS0 on some systems and architectures. As such the driver should be built on all platforms it supports. Indicate this in the Kconfig. Also update the list of supported features. Signed-off-by: David E. Box Suggested-by: Mario Limonciello Link: https://lore.kernel.org/r/20210319201844.3305399-1-david.e.box@linux.intel.com Signed-off-by: Hans de Goede commit 10c931cdfe64ebc38a15a485dd794915044f2111 Author: David E. Box Date: Tue Mar 16 19:44:55 2021 -0700 platform/x86: intel_pmt_crashlog: Fix incorrect macros Fixes off-by-one bugs in the macro assignments for the crashlog control bits. Was initially tested on emulation but bug revealed after testing on silicon. Fixes: 5ef9998c96b0 ("platform/x86: Intel PMT Crashlog capability driver") Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20210317024455.3071477-2-david.e.box@linux.intel.com Signed-off-by: Hans de Goede commit 7547deff8a221e6bf1e563cf1b636844a8e5378a Author: David E. Box Date: Tue Mar 16 19:44:54 2021 -0700 platform/x86: intel_pmt_class: Initial resource to 0 Initialize the struct resource in intel_pmt_dev_register to zero to avoid a fault should the char *name field be non-zero. Signed-off-by: David E. Box Link: https://lore.kernel.org/r/20210317024455.3071477-1-david.e.box@linux.intel.com Signed-off-by: Hans de Goede commit fb9d62b27ab1e07d625591549c314b7d406d21df Author: Lukasz Luba Date: Tue Mar 23 14:56:08 2021 +0000 PM: EM: postpone creating the debugfs dir till fs_initcall The debugfs directory '/sys/kernel/debug/energy_model' is needed before the Energy Model registration can happen. With the recent change in debugfs subsystem it's not allowed to create this directory at early stage (core_initcall). Thus creating this directory would fail. Postpone the creation of the EM debug dir to later stage: fs_initcall. It should be safe since all clients: CPUFreq drivers, Devfreq drivers will be initialized in later stages. The custom debug log below prints the time of creation the EM debug dir at fs_initcall and successful registration of EMs at later stages. [ 1.505717] energy_model: creating rootdir [ 3.698307] cpu cpu0: EM: created perf domain [ 3.709022] cpu cpu1: EM: created perf domain Fixes: 56348560d495 ("debugfs: do not attempt to create a new file before the filesystem is initalized") Reported-by: Ionela Voinescu Signed-off-by: Lukasz Luba Reviewed-by: Greg Kroah-Hartman Signed-off-by: Rafael J. Wysocki commit bb05e11fff09d341047ce1984aa0d975ed8613e7 Author: Jon Hunter Date: Fri Mar 12 09:42:35 2021 +0000 arm64: tegra: Fix mmc0 alias for Jetson Xavier NX There are two variants of the Jetson Xavier NX platform; one has an eMMC and one as a micro SD-card slot. The SDHCI controller used by each variant is different, however, the current device-tree for both Xavier NX boards have the same SDHCI controller defined as 'mmc0' in the device-tree alias node. Fix this by correcting the 'mmc0' alias for the SD-card variant. Fixes: 3f9efbbe57bc ("arm64: tegra: Add support for Jetson Xavier NX") Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding commit 75c82a25b59576c4b5a3fd0073744af865b1571f Author: Jon Hunter Date: Fri Mar 12 10:15:51 2021 +0000 arm64: tegra: Set fw_devlink=on for Jetson TX2 Commit 5d25c476f252 ("Revert "arm64: tegra: Disable the ACONNECT for Jetson TX2"") re-enabled the Tegra ADMA and ACONNECT drivers to support audio on Jetson TX2. However, this revert was dependent upon commit e590474768f1 ("driver core: Set fw_devlink=on by default") and without this commit, enabling the ACONNECT is causing resume from system suspend to fail on Jetson TX2. Resume fails because the ACONNECT driver is being resumed before the BPMP driver, and the ACONNECT driver is attempting to power on a power-domain that is provided by the BPMP. Commit e590474768f1 ("driver core: Set fw_devlink=on by default") has since been temporarily reverted while some issues are being investigated. This is causing resume from system suspend on Jetson TX2 to fail again. Rather than disable the ACONNECT driver again, fix this by setting fw_devlink is set to 'on' for Jetson TX2 in the bootargs specified in device-tree. Fixes: 5d25c476f252 ("Revert arm64: tegra: Disable the ACONNECT for Jetson TX2") Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding commit 4b154b941f0ed49f901ac2f96e92ee07ff81d8d8 Author: Thierry Reding Date: Fri Mar 12 13:58:08 2021 +0100 arm64: tegra: Add unit-address for ACONNECT on Tegra186 The ACONNECT device tree node has a unit-address on all other SoC generations and there's really no reason not to have it on Tegra186. Reviewed-by: Jon Hunter Signed-off-by: Thierry Reding commit 69d5ff3e9e51e23d5d81bf48480aa5671be67a71 Author: Fabian Vogt Date: Tue Mar 23 10:45:55 2021 -0700 Input: nspire-keypad - enable interrupts only when opened The driver registers an interrupt handler in _probe, but didn't configure them until later when the _open function is called. In between, the keypad can fire an IRQ due to touchpad activity, which the handler ignores. This causes the kernel to disable the interrupt, blocking the keypad from working. Fix this by disabling interrupts before registering the handler. Additionally, disable them in _close, so that they're only enabled while open. Fixes: fc4f31461892 ("Input: add TI-Nspire keypad support") Signed-off-by: Fabian Vogt Link: https://lore.kernel.org/r/3383725.iizBOSrK1V@linux-e202.suse.de Signed-off-by: Dmitry Torokhov commit daa58c8eec0a65ac8e2e77ff3ea8a233d8eec954 Author: Arnd Bergmann Date: Tue Mar 23 09:56:34 2021 -0700 Input: i8042 - fix Pegatron C15B ID entry The Zenbook Flip entry that was added overwrites a previous one because of a typo: In file included from drivers/input/serio/i8042.h:23, from drivers/input/serio/i8042.c:131: drivers/input/serio/i8042-x86ia64io.h:591:28: error: initialized field overwritten [-Werror=override-init] 591 | .matches = { | ^ drivers/input/serio/i8042-x86ia64io.h:591:28: note: (near initialization for 'i8042_dmi_noselftest_table[0].matches') Add the missing separator between the two. Fixes: b5d6e7ab7fe7 ("Input: i8042 - add ASUS Zenbook Flip to noselftest list") Signed-off-by: Arnd Bergmann Reviewed-by: Hans de Goede Reviewed-by: Marcos Paulo de Souza Link: https://lore.kernel.org/r/20210323130623.2302402-1-arnd@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov commit 7acac4b3196caee5e21fb5ea53f8bc124e6a16fc Merge: 84196390620ac 7fd53f41f771d Author: Linus Torvalds Date: Tue Mar 23 10:18:08 2021 -0700 Merge tag 'linux-kselftest-kunit-fixes-5.12-rc5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull KUnit fixes from Shuah Khan: "Two fixes to the kunit tool from David Gow" * tag 'linux-kselftest-kunit-fixes-5.12-rc5.1' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: kunit: tool: Disable PAGE_POISONING under --alltests kunit: tool: Fix a python tuple typing error commit 16b82e75c15a7dbd564ea3654f3feb61df9e1e6f Author: Shengjiu Wang Date: Fri Mar 19 18:48:46 2021 +0800 ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips The input MCLK is 12.288MHz, the desired output sysclk is 11.2896MHz and sample rate is 44100Hz, with the configuration pllprescale=2, postscale=sysclkdiv=1, some chip may have wrong bclk and lrclk output with pll enabled in master mode, but with the configuration pllprescale=1, postscale=2, the output clock is correct. >From Datasheet, the PLL performs best when f2 is between 90MHz and 100MHz when the desired sysclk output is 11.2896MHz or 12.288MHz, so sysclkdiv = 2 (f2/8) is the best choice. So search available sysclk_divs from 2 to 1 other than from 1 to 2. Fixes: 84fdc00d519f ("ASoC: codec: wm9860: Refactor PLL out freq search") Signed-off-by: Shengjiu Wang Acked-by: Charles Keepax Link: https://lore.kernel.org/r/1616150926-22892-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown commit 8bb84ca873d2222ca220e58a097090775b1fd8df Author: Pierre-Louis Bossart Date: Mon Mar 22 11:37:28 2021 -0500 ASoC: SOF: Intel: move ELH chip info ELH is a derivative of TGL, so it should be exposed in tgl.c for consistency. No functional change. Reviewed-by: Rander Wang Reviewed-by: Kai Vehmanen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-9-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit d3aa96bf349882763b9903e5800d2e83fc086886 Author: Libin Yang Date: Mon Mar 22 11:37:27 2021 -0500 ASoC: SOF: Intel: APL: set shutdown callback to hda_dsp_shutdown According to hardware spec and PMC FW requirement, the DSP must be in D3 state before entering S5. Set shutdown call to hda_dsp_shutdown. Reviewed-by: Ranjani Sridharan Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-8-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit b0503e8410e5ee43da116772576dbdeb2a414e0b Author: Libin Yang Date: Mon Mar 22 11:37:26 2021 -0500 ASoC: SOF: Intel: CNL: set shutdown callback to hda_dsp_shutdown According to hardware spec and PMC FW requirement, the DSP must be in D3 state before entering S5. Set shutdown call to hda_dsp_shutdown. Reviewed-by: Ranjani Sridharan Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-7-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit 4939e49ea5804f89941df86d35f1a1e1cd8b435b Author: Libin Yang Date: Mon Mar 22 11:37:25 2021 -0500 ASoC: SOF: Intel: ICL: set shutdown callback to hda_dsp_shutdown According to hardware spec and PMC FW requirement, the DSP must be in D3 state before entering S5. Set shutdown call to hda_dsp_shutdown. Reviewed-by: Ranjani Sridharan Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-6-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit 22aa9e021ad1ee7ce640270e75f4bdccff65d287 Author: Libin Yang Date: Mon Mar 22 11:37:24 2021 -0500 ASoC: SOF: Intel: TGL: set shutdown callback to hda_dsp_shutdown According to hardware spec and PMC FW requirement, the DSP must be in D3 state before entering S5. Define the shutdown function to use snd_sof_suspend as shutdown callback to make sure DSP is in D3 state. Fixes: 44a4cfad8d78 ("ASoC: SOF: Intel: tgl: do thorough remove at .shutdown() callback") Reviewed-by: Ranjani Sridharan Signed-off-by: Pan Xiuli Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-5-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit 3c429f861ed483517a0a352281a16503bcc60b55 Author: Libin Yang Date: Mon Mar 22 11:37:23 2021 -0500 ASoC: SOF: Intel: TGL: fix EHL ops EHL is derived from TGL, not CNL, so we shall use the TGL ops. Fixes: 8d4ba1be3d22 ("ASoC: SOF: pci: split PCI into different drivers") Reviewed-by: Ranjani Sridharan Signed-off-by: Libin Yang Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit 91ec48f540f83022377723a774a0a37a630801af Author: Pierre-Louis Bossart Date: Mon Mar 22 11:37:22 2021 -0500 ASoC: SOF: core: harden shutdown helper When the probe is handled in a workqueue, we must use cancel_work_sync() in the shutdown helper to avoid possible race conditions. We must also take care of possible errors happening in a probe workqueue or during pm_runtime resume (called e.g. before shutdown for PCI devices). We should really only try to access hardware registers and initiate IPCs if the DSP is fully booted. Fixes: daff7f1478e12 ("ASoC: SOF: add snd_sof_device_shutdown() helper for shutdown") Signed-off-by: Pierre-Louis Bossart Reviewed-by: Ranjani Sridharan Reviewed-by: Kai Vehmanen Reviewed-by: Libin Yang Link: https://lore.kernel.org/r/20210322163728.16616-3-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit 927280909fa7d8e61596800d82f18047c6cfbbe4 Author: Guennadi Liakhovetski Date: Mon Mar 22 11:37:21 2021 -0500 ASoC: SOF: Intel: HDA: fix core status verification When checking for enabled cores it isn't enough to check that some of the requested cores are running, we have to check that all of them are. Fixes: 747503b1813a ("ASoC: SOF: Intel: Add Intel specific HDA DSP HW operations") Reviewed-by: Kai Vehmanen Reviewed-by: Ranjani Sridharan Signed-off-by: Guennadi Liakhovetski Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210322163728.16616-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown commit a958937ff166fc60d1c3a721036f6ff41bfa2821 Author: David Jeffery Date: Thu Feb 11 09:38:07 2021 -0500 block: recalculate segment count for multi-segment discards correctly When a stacked block device inserts a request into another block device using blk_insert_cloned_request, the request's nr_phys_segments field gets recalculated by a call to blk_recalc_rq_segments in blk_cloned_rq_check_limits. But blk_recalc_rq_segments does not know how to handle multi-segment discards. For disk types which can handle multi-segment discards like nvme, this results in discard requests which claim a single segment when it should report several, triggering a warning in nvme and causing nvme to fail the discard from the invalid state. WARNING: CPU: 5 PID: 191 at drivers/nvme/host/core.c:700 nvme_setup_discard+0x170/0x1e0 [nvme_core] ... nvme_setup_cmd+0x217/0x270 [nvme_core] nvme_loop_queue_rq+0x51/0x1b0 [nvme_loop] __blk_mq_try_issue_directly+0xe7/0x1b0 blk_mq_request_issue_directly+0x41/0x70 ? blk_account_io_start+0x40/0x50 dm_mq_queue_rq+0x200/0x3e0 blk_mq_dispatch_rq_list+0x10a/0x7d0 ? __sbitmap_queue_get+0x25/0x90 ? elv_rb_del+0x1f/0x30 ? deadline_remove_request+0x55/0xb0 ? dd_dispatch_request+0x181/0x210 __blk_mq_do_dispatch_sched+0x144/0x290 ? bio_attempt_discard_merge+0x134/0x1f0 __blk_mq_sched_dispatch_requests+0x129/0x180 blk_mq_sched_dispatch_requests+0x30/0x60 __blk_mq_run_hw_queue+0x47/0xe0 __blk_mq_delay_run_hw_queue+0x15b/0x170 blk_mq_sched_insert_requests+0x68/0xe0 blk_mq_flush_plug_list+0xf0/0x170 blk_finish_plug+0x36/0x50 xlog_cil_committed+0x19f/0x290 [xfs] xlog_cil_process_committed+0x57/0x80 [xfs] xlog_state_do_callback+0x1e0/0x2a0 [xfs] xlog_ioend_work+0x2f/0x80 [xfs] process_one_work+0x1b6/0x350 worker_thread+0x53/0x3e0 ? process_one_work+0x350/0x350 kthread+0x11b/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x22/0x30 This patch fixes blk_recalc_rq_segments to be aware of devices which can have multi-segment discards. It calculates the correct discard segment count by counting the number of bio as each discard bio is considered its own segment. Fixes: 1e739730c5b9 ("block: optionally merge discontiguous discard bios into a single request") Signed-off-by: David Jeffery Reviewed-by: Ming Lei Reviewed-by: Laurence Oberman Link: https://lore.kernel.org/r/20210211143807.GA115624@redhat Signed-off-by: Jens Axboe commit 5116784039f0421e9a619023cfba3e302c3d9adc Author: Chris Chiu Date: Tue Mar 23 16:52:19 2021 +0800 block: clear GD_NEED_PART_SCAN later in bdev_disk_changed The GD_NEED_PART_SCAN is set by bdev_check_media_change to initiate a partition scan while removing a block device. It should be cleared after blk_drop_paritions because blk_drop_paritions could return -EBUSY and then the consequence __blkdev_get has no chance to do delete_partition if GD_NEED_PART_SCAN already cleared. It causes some problems on some card readers. Ex. Realtek card reader 0bda:0328 and 0bda:0158. The device node of the partition will not disappear after the memory card removed. Thus the user applications can not update the device mapping correctly. BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1920874 Signed-off-by: Chris Chiu Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20210323085219.24428-1-chris.chiu@canonical.com Signed-off-by: Jens Axboe commit 9fcb51c14da2953de585c5c6e50697b8a6e91a7b Author: Arnd Bergmann Date: Tue Mar 23 13:48:36 2021 +0100 x86/build: Turn off -fcf-protection for realmode targets The new Ubuntu GCC packages turn on -fcf-protection globally, which causes a build failure in the x86 realmode code: cc1: error: ‘-fcf-protection’ is not compatible with this target Turn it off explicitly on compilers that understand this option. Signed-off-by: Arnd Bergmann Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20210323124846.1584944-1-arnd@kernel.org commit 01faae5193d6190b7b3aa93dae43f514e866d652 Author: Du Cheng Date: Fri Mar 12 16:14:21 2021 +0800 drivers: video: fbcon: fix NULL dereference in fbcon_cursor() add null-check on function pointer before dereference on ops->cursor Reported-by: syzbot+b67aaae8d3a927f68d20@syzkaller.appspotmail.com Cc: stable Signed-off-by: Du Cheng Link: https://lore.kernel.org/r/20210312081421.452405-1-ducheng2@gmail.com Signed-off-by: Greg Kroah-Hartman commit ce068bc7da473e39b64d130101e178406023df0c Author: Tomas Winkler Date: Thu Mar 18 07:59:59 2021 +0200 mei: allow map and unmap of client dma buffer only for disconnected client Allow map and unmap of the client dma buffer only when the client is not connected. The functions return -EPROTO if the client is already connected. This is to fix the race when traffic may start or stop when buffer is not available. Cc: #v5.11+ Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20210318055959.305627-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 903079a54cac47ab115fa5abbde6860cf94e258f Author: Vinod Koul Date: Fri Feb 26 16:42:33 2021 +0530 MAINTAINERS: Add linux-phy list and patchwork Linux-phy subsystem gained mailing list and a patchwork instance. Add the details to MAINTAINERS file Signed-off-by: Vinod Koul Link: https://lore.kernel.org/r/20210226111233.2601369-1-vkoul@kernel.org Signed-off-by: Greg Kroah-Hartman commit f0acf637d60ffcef3ccb6e279f743e587b3c7359 Author: Ahmad Fatoum Date: Fri Mar 19 12:04:57 2021 +0100 driver core: clear deferred probe reason on probe retry When retrying a deferred probe, any old defer reason string should be discarded. Otherwise, if the probe is deferred again at a different spot, but without setting a message, the now incorrect probe reason will remain. This was observed with the i.MX I2C driver, which ultimately failed to probe due to lack of the GPIO driver. The probe defer for GPIO doesn't record a message, but a previous probe defer to clock_get did. This had the effect that /sys/kernel/debug/devices_deferred listed a misleading probe deferral reason. Cc: stable Fixes: d090b70ede02 ("driver core: add deferring probe reason to devices_deferred property") Reviewed-by: Andy Shevchenko Reviewed-by: Andrzej Hajda Signed-off-by: Ahmad Fatoum Link: https://lore.kernel.org/r/20210319110459.19966-1-a.fatoum@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit 9d03730ecbc5afabfda26d4dbb014310bc4ea4d9 Author: Kenneth Feng Date: Thu Mar 11 12:19:57 2021 +0800 drm/amd/pm: workaround for audio noise issue On some Intel platforms, audio noise can be detected due to high pcie speed switch latency. This patch leaverages ppfeaturemask to fix to the highest pcie speed then disable pcie switching. v2: coding style fix Signed-off-by: Kenneth Feng Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit e78836ae76d20f38eed8c8c67f21db97529949da Author: Atul Gopinathan Date: Tue Mar 23 17:04:14 2021 +0530 staging: rtl8192e: Change state information from u16 to u8 The "u16 CcxRmState[2];" array field in struct "rtllib_network" has 4 bytes in total while the operations performed on this array through-out the code base are only 2 bytes. The "CcxRmState" field is fed only 2 bytes of data using memcpy(): (In rtllib_rx.c:1972) memcpy(network->CcxRmState, &info_element->data[4], 2) With "info_element->data[]" being a u8 array, if 2 bytes are written into "CcxRmState" (whose one element is u16 size), then the 2 u8 elements from "data[]" gets squashed and written into the first element ("CcxRmState[0]") while the second element ("CcxRmState[1]") is never fed with any data. Same in file rtllib_rx.c:2522: memcpy(dst->CcxRmState, src->CcxRmState, 2); The above line duplicates "src" data to "dst" but only writes 2 bytes (and not 4, which is the actual size). Again, only 1st element gets the value while the 2nd element remains uninitialized. This later makes operations done with CcxRmState unpredictable in the following lines as the 1st element is having a squashed number while the 2nd element is having an uninitialized random number. rtllib_rx.c:1973: if (network->CcxRmState[0] != 0) rtllib_rx.c:1977: network->MBssidMask = network->CcxRmState[1] & 0x07; network->MBssidMask is also of type u8 and not u16. Fix this by changing the type of "CcxRmState" from u16 to u8 so that the data written into this array and read from it make sense and are not random values. NOTE: The wrong initialization of "CcxRmState" can be seen in the following commit: commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") The above commit created a file `rtl8192e/ieee80211.h` which used to have the faulty line. The file has been deleted (or possibly renamed) with the contents copied in to a new file `rtl8192e/rtllib.h` along with additional code in the commit 94a799425eee (tagged in Fixes). Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Cc: stable@vger.kernel.org Signed-off-by: Atul Gopinathan Link: https://lore.kernel.org/r/20210323113413.29179-2-atulgopinathan@gmail.com Signed-off-by: Greg Kroah-Hartman commit 72ad25fbbb78930f892b191637359ab5b94b3190 Author: Atul Gopinathan Date: Tue Mar 23 17:04:12 2021 +0530 staging: rtl8192e: Fix incorrect source in memcpy() The variable "info_element" is of the following type: struct rtllib_info_element *info_element defined in drivers/staging/rtl8192e/rtllib.h: struct rtllib_info_element { u8 id; u8 len; u8 data[]; } __packed; The "len" field defines the size of the "data[]" array. The code is supposed to check if "info_element->len" is greater than 4 and later equal to 6. If this is satisfied then, the last two bytes (the 4th and 5th element of u8 "data[]" array) are copied into "network->CcxRmState". Right now the code uses "memcpy()" with the source as "&info_element[4]" which would copy in wrong and unintended information. The struct "rtllib_info_element" has a size of 2 bytes for "id" and "len", therefore indexing will be done in interval of 2 bytes. So, "info_element[4]" would point to data which is beyond the memory allocated for this pointer (that is, at x+8, while "info_element" has been allocated only from x to x+7 (2 + 6 => 8 bytes)). This patch rectifies this error by using "&info_element->data[4]" which correctly copies the last two bytes of "data[]". NOTE: The faulty line of code came from the following commit: commit ecdfa44610fa ("Staging: add Realtek 8192 PCI wireless driver") The above commit created the file `rtl8192e/ieee80211/ieee80211_rx.c` which had the faulty line of code. This file has been deleted (or possibly renamed) with the contents copied in to a new file `rtl8192e/rtllib_rx.c` along with additional code in the commit 94a799425eee (tagged in Fixes). Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Cc: stable@vger.kernel.org Signed-off-by: Atul Gopinathan Link: https://lore.kernel.org/r/20210323113413.29179-1-atulgopinathan@gmail.com Signed-off-by: Greg Kroah-Hartman commit 0bd860493f81eb2a46173f6f5e44cc38331c8dbd Author: Vincent Palatin Date: Fri Mar 19 13:48:02 2021 +0100 USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem This LTE modem (M.2 card) has a bug in its power management: there is some kind of race condition for U3 wake-up between the host and the device. The modem firmware sometimes crashes/locks when both events happen at the same time and the modem fully drops off the USB bus (and sometimes re-enumerates, sometimes just gets stuck until the next reboot). Tested with the modem wired to the XHCI controller on an AMD 3015Ce platform. Without the patch, the modem dropped of the USB bus 5 times in 3 days. With the quirk, it stayed connected for a week while the 'runtime_suspended_time' counter incremented as excepted. Signed-off-by: Vincent Palatin Link: https://lore.kernel.org/r/20210319124802.2315195-1-vpalatin@chromium.org Cc: stable Signed-off-by: Greg Kroah-Hartman commit 79579411826647fd573dbe301c4d933bc90e4be7 Author: Johan Hovold Date: Mon Mar 22 16:53:18 2021 +0100 USB: cdc-acm: do not log successful probe on later errors Do not log the successful-probe message until the tty device has been registered. Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-9-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 0b2b23ca20ac9329d91bdba713028cf279423383 Author: Johan Hovold Date: Mon Mar 22 16:53:17 2021 +0100 USB: cdc-acm: always claim data interface Make sure to always claim the data interface and bail out if binding fails. Note that the driver had a check to verify that the data interface was not already bound to a driver but would not detect other failures (e.g. if the interface was not authorised). Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-8-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit f8255ee192e92fdb885a9ff6bc90d74f5bfb7cd6 Author: Johan Hovold Date: Mon Mar 22 16:53:16 2021 +0100 USB: cdc-acm: use negation for NULL checks Use negation consistently throughout the driver for NULL checks. Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-7-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4cde059acd11e79b205525e5fd66175d8576ec88 Author: Johan Hovold Date: Mon Mar 22 16:53:15 2021 +0100 USB: cdc-acm: clean up probe error labels Name the probe error labels after what they do rather than using sequence numbers which is harder to review and maintain (e.g. may require renaming unrelated labels when a label is added or removed). Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-6-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit dda6faaa2bdadc56b9ad034602307a51d11e26a7 Author: Johan Hovold Date: Mon Mar 22 16:53:14 2021 +0100 USB: cdc-acm: drop redundant driver-data reset There's no need to clear the interface driver data on failed probe (and driver core will clear it anyway). Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-5-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 8111a8cbd5dde0b6ea8c388ff4840d4e465b5edd Author: Johan Hovold Date: Mon Mar 22 16:53:13 2021 +0100 USB: cdc-acm: drop redundant driver-data assignment The interface driver data has already been set by usb_driver_claim_interface() so drop the redundant subsequent assignment. Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 4e49bf376c0451ad2eae2592e093659cde12be9a Author: Johan Hovold Date: Mon Mar 22 16:53:12 2021 +0100 USB: cdc-acm: fix use-after-free after probe failure If tty-device registration fails the driver would fail to release the data interface. When the device is later disconnected, the disconnect callback would still be called for the data interface and would go about releasing already freed resources. Fixes: c93d81955005 ("usb: cdc-acm: fix error handling in acm_probe()") Cc: stable@vger.kernel.org # 3.9 Cc: Alexey Khoroshilov Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 7180495cb3d0e2a2860d282a468b4146c21da78f Author: Johan Hovold Date: Mon Mar 22 16:53:11 2021 +0100 USB: cdc-acm: fix double free on probe failure If tty-device registration fails the driver copy of any Country Selection functional descriptor would end up being freed twice; first explicitly in the error path and then again in the tty-port destructor. Drop the first erroneous free that was left when fixing a tty-port resource leak. Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail") Cc: stable@vger.kernel.org # 4.19 Cc: Jaejoong Kim Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210322155318.9837-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit b61fde1beb6b1847f1743e75f4d9839acebad76a Author: Jani Nikula Date: Fri Mar 19 13:53:33 2021 +0200 drm/i915/dsc: fix DSS CTL register usage for ICL DSI transcoders Use the correct DSS CTL registers for ICL DSI transcoders. As a side effect, this also brings back the sanity check for trying to use pipe DSC registers on pipe A on ICL. Fixes: 8a029c113b17 ("drm/i915/dp: Modify VDSC helpers to configure DSC for Bigjoiner slave") References: http://lore.kernel.org/r/87eegxq2lq.fsf@intel.com Cc: Manasi Navare Cc: Animesh Manna Cc: Vandita Kulkarni Cc: # v5.11+ Reviewed-by: Manasi Navare Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20210319115333.8330-1-jani.nikula@intel.com (cherry picked from commit 5706d02871240fdba7ddd6ab1cc31672fc95a90f) Signed-off-by: Rodrigo Vivi commit ff2628ed95e42d5245119eed3c1f669db9222285 Author: Ville Syrjälä Date: Fri Mar 5 17:36:05 2021 +0200 drm/i915: Fix enabled_planes bitmask The enabled_planes bitmask was supposed to track logically enabled planes (ie. fb!=NULL and crtc!=NULL), but instead we end up putting even disabled planes into the bitmask since intel_plane_atomic_check_with_state() only takes the early exit if the plane was disabled and stays disabled. I think I misread the early said codepath to exit whenever the plane is logically disabled, which is not true. So let's fix this up properly and set the bit only when the plane actually is logically enabled. Cc: Manasi Navare Fixes: ee42ec19ca2e ("drm/i915: Track logically enabled planes for hw state") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210305153610.12177-2-ville.syrjala@linux.intel.com Reviewed-by: Manasi Navare (cherry picked from commit 97bc7ffa1b1e9a8672e0a8e9a96680b0c3717427) Signed-off-by: Rodrigo Vivi commit ab03631087f5c296030dd86265ea02dcdacc6802 Author: Imre Deak Date: Wed Mar 17 20:49:01 2021 +0200 drm/i915: Disable LTTPR support when the LTTPR rev < 1.4 By the specification the 0xF0000 - 0xF02FF range is only valid if the LTTPR revision at 0xF0000 is at least 1.4. Disable the LTTPR support otherwise. Fixes: 7b2a4ab8b0ef ("drm/i915: Switch to LTTPR transparent mode link training") Cc: # v5.11 Cc: Ville Syrjälä Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210317184901.4029798-4-imre.deak@intel.com (cherry picked from commit 1663ad4936e0679443a315fe342f99636a2420dd) Signed-off-by: Rodrigo Vivi commit 7dffbdedb96a076843719d4ea5b2cd666481c416 Author: Imre Deak Date: Wed Mar 17 21:01:49 2021 +0200 drm/i915: Disable LTTPR support when the DPCD rev < 1.4 By the specification the 0xF0000-0xF02FF range is only valid when the DPCD revision is 1.4 or higher. Disable LTTPR support if this isn't so. Trying to detect LTTPRs returned corrupted values for the above DPCD range at least on a Skylake host with an LG 43UD79-B monitor with a DPCD revision 1.2 connected. v2: Add the actual version check. v3: Fix s/DRPX/DPRX/ typo. Fixes: 7b2a4ab8b0ef ("drm/i915: Switch to LTTPR transparent mode link training") Cc: # v5.11 Cc: Ville Syrjälä Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210317190149.4032966-1-imre.deak@intel.com (cherry picked from commit 264613b406eb0d74cd9ca582c717c5e2c5a975ea) Signed-off-by: Rodrigo Vivi commit 3f3a9bc1f6df5a1a9ec39e3a5bee420328811be4 Author: Imre Deak Date: Wed Mar 17 20:48:59 2021 +0200 drm/i915/ilk-glk: Fix link training on links with LTTPRs The spec requires to use at least 3.2ms for the AUX timeout period if there are LT-tunable PHY Repeaters on the link (2.11.2). An upcoming spec update makes this more specific, by requiring a 3.2ms minimum timeout period for the LTTPR detection reading the 0xF0000-0xF0007 range (3.6.5.1). Accordingly disable LTTPR detection until GLK, where the maximum timeout we can set is only 1.6ms. Link training in the non-transparent mode is known to fail at least on some SKL systems with a WD19 dock on the link, which exposes an LTTPR (see the References below). While this could have different reasons besides the too short AUX timeout used, not detecting LTTPRs (and so not using the non-transparent LT mode) fixes link training on these systems. While at it add a code comment about the platform specific maximum timeout values. v2: Add a comment about the g4x maximum timeout as well. (Ville) Reported-by: Takashi Iwai Reported-and-tested-by: Santiago Zarate Reported-and-tested-by: Bodo Graumann References: https://gitlab.freedesktop.org/drm/intel/-/issues/3166 Fixes: b30edfd8d0b4 ("drm/i915: Switch to LTTPR non-transparent mode link training") Cc: # v5.11 Cc: Takashi Iwai Cc: Ville Syrjälä Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20210317184901.4029798-2-imre.deak@intel.com (cherry picked from commit 984982f3ef7b240cd24c2feb2762d81d9d8da3c2) Signed-off-by: Rodrigo Vivi commit e4c77070ad45fc940af1d7fb1e637c349e848951 Author: Oliver Neukum Date: Thu Mar 11 14:01:26 2021 +0100 USB: cdc-acm: downgrade message to debug This failure is so common that logging an error here amounts to spamming log files. Reviewed-by: Bruno Thomsen Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20210311130126.15972-2-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 6069e3e927c8fb3a1947b07d1a561644ea960248 Author: Oliver Neukum Date: Thu Mar 11 14:01:25 2021 +0100 USB: cdc-acm: untangle a circular dependency between callback and softint We have a cycle of callbacks scheduling works which submit URBs with thos callbacks. This needs to be blocked, stopped and unblocked to untangle the circle. The issue leads to faults like: [ 55.068392] Unable to handle kernel paging request at virtual address 6b6b6c03 [ 55.075624] pgd = be866494 [ 55.078335] [6b6b6c03] *pgd=00000000 [ 55.081924] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [ 55.087238] Modules linked in: ppp_async crc_ccitt ppp_generic slhc xt_TCPMSS xt_tcpmss xt_hl nf_log_ipv6 nf_log_ipv4 nf_log_common xt_policy xt_limit xt_conntrack xt_tcpudp xt_pkttype ip6table_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle ip6table_filter ip6_tables iptable_filter ip_tables des_generic md5 sch_fq_codel cdc_mbim cdc_wdm cdc_ncm usbnet mii cdc_acm usb_storage ip_tunnel xfrm_user xfrm6_tunnel tunnel6 xfrm4_tunnel tunnel4 esp6 esp4 ah6 ah4 xfrm_algo xt_LOG xt_LED xt_comment x_tables ipv6 [ 55.134954] CPU: 0 PID: 82 Comm: kworker/0:2 Tainted: G T 5.8.17 #1 [ 55.142526] Hardware name: Freescale i.MX7 Dual (Device Tree) [ 55.148304] Workqueue: events acm_softint [cdc_acm] [ 55.153196] PC is at kobject_get+0x10/0xa4 [ 55.157302] LR is at usb_get_dev+0x14/0x1c [ 55.161402] pc : [<8047c06c>] lr : [<80560448>] psr: 20000193 [ 55.167671] sp : bca39ea8 ip : 00007374 fp : bf6cbd80 [ 55.172899] r10: 00000000 r9 : bdd92284 r8 : bdd92008 [ 55.178128] r7 : 6b6b6b6b r6 : fffffffe r5 : 60000113 r4 : 6b6b6be3 [ 55.184658] r3 : 6b6b6b6b r2 : 00000111 r1 : 00000000 r0 : 6b6b6be3 [ 55.191191] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment none [ 55.198417] Control: 10c5387d Table: bcf0c06a DAC: 00000051 [ 55.204168] Process kworker/0:2 (pid: 82, stack limit = 0x9bdd2a89) [ 55.210439] Stack: (0xbca39ea8 to 0xbca3a000) [ 55.214805] 9ea0: bf6cbd80 80769a50 6b6b6b6b 80560448 bdeb0500 8056bfe8 [ 55.222991] 9ec0: 00000002 b76da000 00000000 bdeb0500 bdd92448 bca38000 bdeb0510 8056d69c [ 55.231177] 9ee0: bca38000 00000000 80c050fc 00000000 bca39f44 09d42015 00000000 00000001 [ 55.239363] 9f00: bdd92448 bdd92438 bdd92000 7f1158c4 bdd92448 bca2ee00 bf6cbd80 bf6cef00 [ 55.247549] 9f20: 00000000 00000000 00000000 801412d8 bf6cbd98 80c03d00 bca2ee00 bf6cbd80 [ 55.255735] 9f40: bca2ee14 bf6cbd98 80c03d00 00000008 bca38000 80141568 00000000 80c446ae [ 55.263921] 9f60: 00000000 bc9ed880 bc9f0700 bca38000 bc117eb4 80141524 bca2ee00 bc9ed8a4 [ 55.272107] 9f80: 00000000 80147cc8 00000000 bc9f0700 80147b84 00000000 00000000 00000000 [ 55.280292] 9fa0: 00000000 00000000 00000000 80100148 00000000 00000000 00000000 00000000 [ 55.288477] 9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 [ 55.296662] 9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 00000000 00000000 [ 55.304860] [<8047c06c>] (kobject_get) from [<80560448>] (usb_get_dev+0x14/0x1c) [ 55.312271] [<80560448>] (usb_get_dev) from [<8056bfe8>] (usb_hcd_unlink_urb+0x50/0xd8) [ 55.320286] [<8056bfe8>] (usb_hcd_unlink_urb) from [<8056d69c>] (usb_kill_urb.part.0+0x44/0xd0) [ 55.329004] [<8056d69c>] (usb_kill_urb.part.0) from [<7f1158c4>] (acm_softint+0x4c/0x10c [cdc_acm]) [ 55.338082] [<7f1158c4>] (acm_softint [cdc_acm]) from [<801412d8>] (process_one_work+0x19c/0x3e8) [ 55.346969] [<801412d8>] (process_one_work) from [<80141568>] (worker_thread+0x44/0x4dc) [ 55.355072] [<80141568>] (worker_thread) from [<80147cc8>] (kthread+0x144/0x180) [ 55.362481] [<80147cc8>] (kthread) from [<80100148>] (ret_from_fork+0x14/0x2c) [ 55.369706] Exception stack(0xbca39fb0 to 0xbca39ff8) Tested-by: Bruno Thomsen Signed-off-by: Oliver Neukum Cc: stable Link: https://lore.kernel.org/r/20210311130126.15972-1-oneukum@suse.com Signed-off-by: Greg Kroah-Hartman commit 08dff274edda54310d6f1cf27b62fddf0f8d146e Author: Oliver Neukum Date: Thu Mar 11 14:37:14 2021 +0100 cdc-acm: fix BREAK rx code path adding necessary calls Counting break events is nice but we should actually report them to the tty layer. Fixes: 5a6a62bdb9257 ("cdc-acm: add TIOCMIWAIT") Signed-off-by: Oliver Neukum Link: https://lore.kernel.org/r/20210311133714.31881-1-oneukum@suse.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 72035f4954f0bca2d8c47cf31b3629c42116f5b7 Author: Tong Zhang Date: Wed Mar 17 19:04:00 2021 -0400 usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference init_dma_pools() calls dma_pool_create(...dev->dev) to create dma pool. however, dev->dev is actually set after calling init_dma_pools(), which effectively makes dma_pool_create(..NULL) and cause crash. To fix this issue, init dma only after dev->dev is set. [ 1.317993] RIP: 0010:dma_pool_create+0x83/0x290 [ 1.323257] Call Trace: [ 1.323390] ? pci_write_config_word+0x27/0x30 [ 1.323626] init_dma_pools+0x41/0x1a0 [snps_udc_core] [ 1.323899] udc_pci_probe+0x202/0x2b1 [amd5536udc_pci] Fixes: 7c51247a1f62 (usb: gadget: udc: Provide correct arguments for 'dma_pool_create') Cc: stable Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20210317230400.357756-1-ztong0001@gmail.com Signed-off-by: Greg Kroah-Hartman commit b522f830d35189e0283fa4d5b4b3ef8d7a78cfcb Author: Andy Shevchenko Date: Mon Mar 22 14:52:44 2021 +0200 usb: dwc3: pci: Enable dis_uX_susphy_quirk for Intel Merrifield It seems that on Intel Merrifield platform the USB PHY shouldn't be suspended. Otherwise it can't be enabled by simply change the cable in the connector. Enable corresponding quirk for the platform in question. Fixes: e5f4ca3fce90 ("usb: dwc3: ulpi: Fix USB2.0 HS/FS/LS PHY suspend regression") Suggested-by: Serge Semin Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210322125244.79407-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 93f1d43c5767d70a1af89f54ef16a7d3e99af048 Author: Thinh Nguyen Date: Mon Mar 8 18:16:50 2021 -0800 usb: dwc3: gadget: Use max speed if unspecified If the gadget driver doesn't specify a max_speed, then use the controller's maximum supported speed as default. For DWC_usb32 IP, the gadget's speed maybe limited to gen2x1 rate only if the driver's max_speed is unknown. This scenario should not occur with the current implementation since the default gadget driver's max_speed should always be specified. However, to make the driver more robust and help with readability, let's cover all the scenarios in __dwc3_gadget_set_speed(). Fixes: 450b9e9fabd8 ("usb: dwc3: gadget: Set speed only up to the max supported") Cc: Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/55ac7001af73bfe9bc750c6446ef4ac8cf6f9313.1615254129.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit cdb651b6021ee091abc24e9fbd9774d318ab96a6 Author: Thinh Nguyen Date: Mon Mar 8 18:16:44 2021 -0800 usb: dwc3: gadget: Set gadget_max_speed when set ssp_rate Set the dwc->gadget_max_speed to SuperSpeed Plus if the user sets the ssp_rate. The udc_set_ssp_rate() is intended for setting the gadget's speed to SuperSpeed Plus at the specified rate. Fixes: 072cab8a0fe2 ("usb: dwc3: gadget: Implement setting of SSP rate") Cc: Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/0b2732e2f380d9912ee87f39dc82c2139223bad9.1615254129.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 5e4010e36a58978e42b2ee13739ff9b50209c830 Author: Shawn Guo Date: Thu Mar 11 14:03:18 2021 +0800 usb: dwc3: qcom: skip interconnect init for ACPI probe The ACPI probe starts failing since commit bea46b981515 ("usb: dwc3: qcom: Add interconnect support in dwc3 driver"), because there is no interconnect support for ACPI, and of_icc_get() call in dwc3_qcom_interconnect_init() will just return -EINVAL. Fix the problem by skipping interconnect init for ACPI probe, and then the NULL icc_path_ddr will simply just scheild all ICC calls. Fixes: bea46b981515 ("usb: dwc3: qcom: Add interconnect support in dwc3 driver") Signed-off-by: Shawn Guo Cc: stable Link: https://lore.kernel.org/r/20210311060318.25418-1-shawn.guo@linaro.org Signed-off-by: Greg Kroah-Hartman commit 291da9d4a9eb3a1cb0610b7f4480f5b52b1825e7 Author: Thomas Gleixner Date: Mon Mar 22 09:46:13 2021 +0100 locking/mutex: Fix non debug version of mutex_lock_io_nested() If CONFIG_DEBUG_LOCK_ALLOC=n then mutex_lock_io_nested() maps to mutex_lock() which is clearly wrong because mutex_lock() lacks the io_schedule_prepare()/finish() invocations. Map it to mutex_lock_io(). Fixes: f21860bac05b ("locking/mutex, sched/wait: Fix the mutex_lock_io_nested() define") Signed-off-by: Thomas Gleixner Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Ingo Molnar Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/878s6fshii.fsf@nanos.tec.linutronix.de commit 8249d17d3194eac064a8ca5bc5ca0abc86feecde Author: Isaku Yamahata Date: Thu Mar 18 13:26:57 2021 -0700 x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() The pfn variable contains the page frame number as returned by the pXX_pfn() functions, shifted to the right by PAGE_SHIFT to remove the page bits. After page protection computations are done to it, it gets shifted back to the physical address using page_level_shift(). That is wrong, of course, because that function determines the shift length based on the level of the page in the page table but in all the cases, it was shifted by PAGE_SHIFT before. Therefore, shift it back using PAGE_SHIFT to get the correct physical address. [ bp: Rewrite commit message. ] Fixes: dfaaec9033b8 ("x86: Add support for changing memory encryption attribute in early boot") Signed-off-by: Isaku Yamahata Signed-off-by: Borislav Petkov Reviewed-by: Kirill A. Shutemov Reviewed-by: Tom Lendacky Cc: Link: https://lkml.kernel.org/r/81abbae1657053eccc535c16151f63cd049dcb97.1616098294.git.isaku.yamahata@intel.com commit bd83a2fc05ed323d7ae38443a6d2e253ef1c4237 Author: Hans de Goede Date: Sat Mar 13 15:36:35 2021 +0100 brcmfmac: p2p: Fix recently introduced deadlock issue Commit a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") replaced the rtnl_lock parameter passed to various brcmf functions with just lock, because since that commit it is not just about the rtnl_lock but also about the wiphy_lock . During this search/replace the "if (!rtnl_locked)" check in brcmfmac/p2p.c was accidentally replaced with "if (locked)", dropping the inversion of the check. This causes the code to now call rtnl_lock() while already holding the lock, causing a deadlock. Add back the "!" to the if-condition to fix this. Cc: Johannes Berg Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") Signed-off-by: Hans de Goede Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20210313143635.109154-1-hdegoede@redhat.com commit 8f6a70fd71a3d7a6b120f83681263fc370eb52ba Author: Lorenzo Bianconi Date: Tue Mar 9 11:09:03 2021 +0100 mt76: mt7921: fix airtime reporting Fix {tx,rx}_airtime reporting for mt7921 driver. Wrong register definitions trigger a tx hangs before resetting airtime stats. Fixes: 163f4d22c118d ("mt76: mt7921: add MAC support") Tested-by: Leon Yen Signed-off-by: Lorenzo Bianconi Acked-by: Felix Fietkau Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/c05333be0e3e85a50a71bb2de81034fe425e3701.1615284335.git.lorenzo@kernel.org commit 2800aadc18a64c96b051bcb7da8a7df7d505db3f Author: Jiri Kosina Date: Tue Mar 2 11:26:55 2021 +0100 iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() It's possible for iwl_pcie_enqueue_hcmd() to be called with hard IRQs disabled (e.g. from LED core). We can't enable BHs in such a situation. Turn the unconditional BH-enable/BH-disable code into hardirq-disable/conditional-enable. This fixes the warning below. WARNING: CPU: 1 PID: 1139 at kernel/softirq.c:178 __local_bh_enable_ip+0xa5/0xf0 CPU: 1 PID: 1139 Comm: NetworkManager Not tainted 5.12.0-rc1-00004-gb4ded168af79 #7 Hardware name: LENOVO 20K5S22R00/20K5S22R00, BIOS R0IET38W (1.16 ) 05/31/2017 RIP: 0010:__local_bh_enable_ip+0xa5/0xf0 Code: f7 69 e8 ee 23 14 00 fb 66 0f 1f 44 00 00 65 8b 05 f0 f4 f7 69 85 c0 74 3f 48 83 c4 08 5b c3 65 8b 05 9b fe f7 69 85 c0 75 8e <0f> 0b eb 8a 48 89 3c 24 e8 4e 20 14 00 48 8b 3c 24 eb 91 e8 13 4e RSP: 0018:ffffafd580b13298 EFLAGS: 00010046 RAX: 0000000000000000 RBX: 0000000000000201 RCX: 0000000000000000 RDX: 0000000000000003 RSI: 0000000000000201 RDI: ffffffffc1272389 RBP: ffff96517ae4c018 R08: 0000000000000001 R09: 0000000000000000 R10: ffffafd580b13178 R11: 0000000000000001 R12: ffff96517b060000 R13: 0000000000000000 R14: ffffffff80000000 R15: 0000000000000001 FS: 00007fc604ebefc0(0000) GS:ffff965267480000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055fb3fef13b2 CR3: 0000000109112004 CR4: 00000000003706e0 Call Trace: ? _raw_spin_unlock_bh+0x1f/0x30 iwl_pcie_enqueue_hcmd+0x5d9/0xa00 [iwlwifi] iwl_trans_txq_send_hcmd+0x6c/0x430 [iwlwifi] iwl_trans_send_cmd+0x88/0x170 [iwlwifi] ? lock_acquire+0x277/0x3d0 iwl_mvm_send_cmd+0x32/0x80 [iwlmvm] iwl_mvm_led_set+0xc2/0xe0 [iwlmvm] ? led_trigger_event+0x46/0x70 led_trigger_event+0x46/0x70 ieee80211_do_open+0x5c5/0xa20 [mac80211] ieee80211_open+0x67/0x90 [mac80211] __dev_open+0xd4/0x150 __dev_change_flags+0x19e/0x1f0 dev_change_flags+0x23/0x60 do_setlink+0x30d/0x1230 ? lock_is_held_type+0xb4/0x120 ? __nla_validate_parse.part.7+0x57/0xcb0 ? __lock_acquire+0x2e1/0x1a50 __rtnl_newlink+0x560/0x910 ? __lock_acquire+0x2e1/0x1a50 ? __lock_acquire+0x2e1/0x1a50 ? lock_acquire+0x277/0x3d0 ? sock_def_readable+0x5/0x290 ? lock_is_held_type+0xb4/0x120 ? find_held_lock+0x2d/0x90 ? sock_def_readable+0xb3/0x290 ? lock_release+0x166/0x2a0 ? lock_is_held_type+0x90/0x120 rtnl_newlink+0x47/0x70 rtnetlink_rcv_msg+0x25c/0x470 ? netlink_deliver_tap+0x97/0x3e0 ? validate_linkmsg+0x350/0x350 netlink_rcv_skb+0x50/0x100 netlink_unicast+0x1b2/0x280 netlink_sendmsg+0x336/0x450 sock_sendmsg+0x5b/0x60 ____sys_sendmsg+0x1ed/0x250 ? copy_msghdr_from_user+0x5c/0x90 ___sys_sendmsg+0x88/0xd0 ? lock_is_held_type+0xb4/0x120 ? find_held_lock+0x2d/0x90 ? lock_release+0x166/0x2a0 ? __fget_files+0xfe/0x1d0 ? __sys_sendmsg+0x5e/0xa0 __sys_sendmsg+0x5e/0xa0 ? lockdep_hardirqs_on_prepare+0xd9/0x170 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fc605c9572d Code: 28 89 54 24 1c 48 89 74 24 10 89 7c 24 08 e8 da ee ff ff 8b 54 24 1c 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 33 44 89 c7 48 89 44 24 08 e8 2e ef ff ff 48 RSP: 002b:00007fffc83789f0 EFLAGS: 00000293 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000055ef468570c0 RCX: 00007fc605c9572d RDX: 0000000000000000 RSI: 00007fffc8378a30 RDI: 000000000000000c RBP: 0000000000000010 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 R13: 00007fffc8378b80 R14: 00007fffc8378b7c R15: 0000000000000000 irq event stamp: 170785 hardirqs last enabled at (170783): [] __local_bh_enable_ip+0x82/0xf0 hardirqs last disabled at (170784): [] _raw_read_lock_irqsave+0x8d/0x90 softirqs last enabled at (170782): [] iwl_pcie_enqueue_hcmd+0x5d9/0xa00 [iwlwifi] softirqs last disabled at (170785): [] iwl_pcie_enqueue_hcmd+0x116/0xa00 [iwlwifi] Signed-off-by: Jiri Kosina Tested-by: Sedat Dilek # LLVM/Clang v12.0.0-rc3 Acked-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/nycvar.YFH.7.76.2103021125430.12405@cbobk.fhfr.pm commit a61f4661fba404418a7c77e86586dc52a58a93c6 Author: Andy Shevchenko Date: Tue Mar 2 15:56:16 2021 +0200 mfd: intel_quark_i2c_gpio: Revert "Constify static struct resources" The structures are used as place holders, so they are modified at run-time. Obviously they may not be constants. BUG: unable to handle page fault for address: d0643220 ... CPU: 0 PID: 110 Comm: modprobe Not tainted 5.11.0+ #1 Hardware name: Intel Corp. QUARK/GalileoGen2, BIOS 0x01000200 01/01/2014 EIP: intel_quark_mfd_probe+0x93/0x1c0 [intel_quark_i2c_gpio] This partially reverts the commit c4a164f41554d2899bed94bdcc499263f41787b4. While at it, add a comment to avoid similar changes in the future. Fixes: c4a164f41554 ("mfd: Constify static struct resources") Signed-off-by: Andy Shevchenko Reviewed-by: Rikard Falkeborn Tested-by: Tong Zhang Signed-off-by: Lee Jones commit 627dc55c273dab308303a5217bd3e767d7083ddb Author: Kalyan Thota Date: Mon Mar 22 02:17:12 2021 -0700 drm/msm/disp/dpu1: icc path needs to be set before dpu runtime resume DPU runtime resume will request for a min vote on the AXI bus as it is a necessary step before turning ON the AXI clock. The change does below 1) Move the icc path set before requesting runtime get_sync. 2) remove the dependency of hw catalog for min ib vote as it is initialized at a later point. Signed-off-by: Kalyan Thota Tested-by: Matthias Kaehlcke Signed-off-by: Rob Clark commit e0c755a45f6fb6e81e3a62a94db0400ef0cdc046 Author: George McCollister Date: Mon Mar 22 15:26:50 2021 -0500 net: dsa: don't assign an error value to tag_ops Use a temporary variable to hold the return value from dsa_tag_driver_get() instead of assigning it to dst->tag_ops. Leaving an error value in dst->tag_ops can result in deferencing an invalid pointer when a deferred switch configuration happens later. Fixes: 357f203bb3b5 ("net: dsa: keep a copy of the tagging protocol in the DSA switch tree") Signed-off-by: George McCollister Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 8fb16e80cb467a6edfec8c83117ea9703279d8db Merge: 5ee7d4c7fbc9d 7c1ef1959b6fe Author: David S. Miller Date: Mon Mar 22 17:00:48 2021 -0700 Merge tag 'mlx5-fixes-2021-03-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2021-03-22 This series introduces some fixes to mlx5 driver. Please pull and let me know if there is any problem. ==================== Signed-off-by: David S. Miller commit 5ee7d4c7fbc9d3119a20b1c77d34003d1f82ac26 Author: Arnd Bergmann Date: Mon Mar 22 17:44:29 2021 +0100 isdn: capi: fix mismatched prototypes gcc-11 complains about a prototype declaration that is different from the function definition: drivers/isdn/capi/kcapi.c:724:44: error: argument 2 of type ‘u8 *’ {aka ‘unsigned char *’} declared as a pointer [-Werror=array-parameter=] 724 | u16 capi20_get_manufacturer(u32 contr, u8 *buf) | ~~~~^~~ In file included from drivers/isdn/capi/kcapi.c:13: drivers/isdn/capi/kcapi.h:62:43: note: previously declared as an array ‘u8[64]’ {aka ‘unsigned char[64]’} 62 | u16 capi20_get_manufacturer(u32 contr, u8 buf[CAPI_MANUFACTURER_LEN]); | ~~~^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/isdn/capi/kcapi.c:790:38: error: argument 2 of type ‘u8 *’ {aka ‘unsigned char *’} declared as a pointer [-Werror=array-parameter=] 790 | u16 capi20_get_serial(u32 contr, u8 *serial) | ~~~~^~~~~~ In file included from drivers/isdn/capi/kcapi.c:13: drivers/isdn/capi/kcapi.h:64:37: note: previously declared as an array ‘u8[8]’ {aka ‘unsigned char[8]’} 64 | u16 capi20_get_serial(u32 contr, u8 serial[CAPI_SERIAL_LEN]); | ~~~^~~~~~~~~~~~~~~~~~~~~~~ Change the definition to make them match. Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller commit 274cb1ca2e7ce02cab56f5f4c61a74aeb566f931 Author: Nathan Lynch Date: Mon Mar 15 03:00:45 2021 -0500 powerpc/pseries/mobility: handle premature return from H_JOIN The pseries join/suspend sequence in its current form was written with the assumption that it was the only user of H_PROD and that it needn't handle spurious successful returns from H_JOIN. That's wrong; powerpc's paravirt spinlock code uses H_PROD, and CPUs entering do_join() can be woken prematurely from H_JOIN with a status of H_SUCCESS as a result. This causes all CPUs to exit the sequence early, preventing suspend from occurring at all. Add a 'done' boolean flag to the pseries_suspend_info struct, and have the waking thread set it before waking the other threads. Threads which receive H_SUCCESS from H_JOIN retry if the 'done' flag is still unset. Fixes: 9327dc0aeef3 ("powerpc/pseries/mobility: use stop_machine for join/suspend") Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210315080045.460331-3-nathanl@linux.ibm.com commit e834df6cfc71d8e5ce2c27a0184145ea125c3f0f Author: Nathan Lynch Date: Mon Mar 15 03:00:44 2021 -0500 powerpc/pseries/mobility: use struct for shared state The atomic_t counter is the only shared state for the join/suspend sequence so far, but that will change. Contain it in a struct (pseries_suspend_info), and document its intended use. No functional change. Signed-off-by: Nathan Lynch Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210315080045.460331-2-nathanl@linux.ibm.com commit 6d48b7912cc72275dc7c59ff961c8bac7ef66a92 Author: Arnd Bergmann Date: Mon Mar 22 12:55:25 2021 +0100 lockdep: Address clang -Wformat warning printing for %hd Clang doesn't like format strings that truncate a 32-bit value to something shorter: kernel/locking/lockdep.c:709:4: error: format specifies type 'short' but the argument has type 'int' [-Werror,-Wformat] In this case, the warning is a slightly questionable, as it could realize that both class->wait_type_outer and class->wait_type_inner are in fact 8-bit struct members, even though the result of the ?: operator becomes an 'int'. However, there is really no point in printing the number as a 16-bit 'short' rather than either an 8-bit or 32-bit number, so just change it to a normal %d. Fixes: de8f5e4f2dc1 ("lockdep: Introduce wait-type checks") Signed-off-by: Arnd Bergmann Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20210322115531.3987555-1-arnd@kernel.org commit 7c1ef1959b6fefe616ef3e7df832bf63dfbab9cf Author: Parav Pandit Date: Thu Mar 11 20:19:25 2021 +0200 net/mlx5: SF, do not use ecpu bit for vhca state processing Device firmware doesn't handle ecpu bit for vhca state processing events and commands. Instead device firmware refers to the unique function id to distinguish SF of different PCI functions. When ecpu bit is used, firmware returns a syndrome. mlx5_cmd_check:780:(pid 872): MODIFY_VHCA_STATE(0xb0e) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x263211) mlx5_sf_dev_table_create:248:(pid 872): SF DEV table create err = -22 Hence, avoid using ecpu bit. Fixes: 8f0105418668 ("net/mlx5: SF, Add port add delete functionality") Fixes: 90d010b8634b ("net/mlx5: SF, Add auxiliary device support") Signed-off-by: Parav Pandit Reviewed-by: Vu Pham Signed-off-by: Saeed Mahameed commit 846d6da1fcdb14105f86b46b4345233550a79d55 Author: Maxim Mikityanskiy Date: Mon Mar 1 20:59:59 2021 +0200 net/mlx5e: Fix division by 0 in mlx5e_select_queue mlx5e_select_queue compares num_tc_x_num_ch to real_num_tx_queues to determine if HTB and/or PTP offloads are active. If they are, it calculates netdev_pick_tx() % num_tc_x_num_ch to prevent it from selecting HTB and PTP queues for regular traffic. However, before the channels are first activated, num_tc_x_num_ch is zero. If ndo_select_queue gets called at this point, the HTB/PTP check will pass, and mlx5e_select_queue will attempt to take a modulo by num_tc_x_num_ch, which equals to zero. This commit fixes the bug by assigning num_tc_x_num_ch to a non-zero value before registering the netdev. Fixes: 214baf22870c ("net/mlx5e: Support HTB offload") Reported-by: Jesper Dangaard Brouer Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 4eacfe72e3e037e3fc019113df32c39a705148c2 Author: Aya Levin Date: Thu Mar 11 17:46:35 2021 +0200 net/mlx5e: Fix error path for ethtool set-priv-flag Expose error value when failing to comply to command: $ ethtool --set-priv-flags eth2 rx_cqe_compress [on/off] Fixes: be7e87f92b58 ("net/mlx5e: Fail safe cqe compressing/moderation mode setting") Signed-off-by: Aya Levin Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 96b5b4585843e3c83fb1930e5dfbefd0fb889c55 Author: Dima Chumak Date: Thu Mar 4 21:28:11 2021 +0200 net/mlx5e: Offload tuple rewrite for non-CT flows Setting connection tracking OVS flows and then setting non-CT flows that use tuple rewrite action (e.g. mod_tp_dst), causes the latter flows not being offloaded. Fix by using a stricter condition in modify_header_match_supported() to check tuple rewrite support only for flows with CT action. The check is factored out into standalone modify_tuple_supported() function to aid readability. Fixes: 7e36feeb0467 ("net/mlx5e: CT: Don't offload tuple rewrites for established tuples") Signed-off-by: Dima Chumak Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed commit 7d6c86e3ccb5ceea767df5c7a9a17cdfccd3df9a Author: Alaa Hleihel Date: Wed Mar 10 17:01:46 2021 +0200 net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP Currently, we support hardware offload only for MPLS over UDP. However, rules matching on MPLS parameters are now wrongly offloaded for regular MPLS, without actually taking the parameters into consideration when doing the offload. Fix it by rejecting such unsupported rules. Fixes: 72046a91d134 ("net/mlx5e: Allow to match on mpls parameters") Signed-off-by: Alaa Hleihel Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit a07231084da2207629b42244380ae2f1e10bd9b4 Author: Huy Nguyen Date: Thu Mar 18 20:33:19 2021 -0500 net/mlx5: Add back multicast stats for uplink representor The multicast counter got removed from uplink representor due to the cited patch. Fixes: 47c97e6b10a1 ("net/mlx5e: Fix multicast counter not up-to-date in "ip -s"") Signed-off-by: Huy Nguyen Reviewed-by: Daniel Jurgens Signed-off-by: Saeed Mahameed commit a50a151e311bd3a793ebe4e5f233db8bfad0b78f Author: Vladimir Oltean Date: Mon Mar 22 02:26:37 2021 +0200 net: ipconfig: ic_dev can be NULL in ic_close_devs ic_close_dev contains a generalization of the logic to not close a network interface if it's the host port for a DSA switch. This logic is disguised behind an iteration through the lowers of ic_dev in ic_close_dev. When no interface for ipconfig can be found, ic_dev is NULL, and ic_close_dev: - dereferences a NULL pointer when assigning selected_dev - would attempt to search through the lower interfaces of a NULL net_device pointer So we should protect against that case. The "lower_dev" iterator variable was shortened to "lower" in order to keep the 80 character limit. Fixes: f68cbaed67cb ("net: ipconfig: avoid use-after-free in ic_close_devs") Fixes: 46acf7bdbc72 ("Revert "net: ipv4: handle DSA enabled master network devices"") Signed-off-by: Vladimir Oltean Tested-by: Heiko Thiery Signed-off-by: David S. Miller commit 6debc0fd71b947b03c1a39cc100f52b8238259d4 Author: Jonathan Neuschäfer Date: Sun Mar 21 14:00:01 2021 +0100 MAINTAINERS: Combine "QLOGIC QLGE 10Gb ETHERNET DRIVER" sections into one There ended up being two sections with the same title. Combine the two into one section. Signed-off-by: Jonathan Neuschäfer Cc: Manish Chopra Cc: Coiby Xu Signed-off-by: David S. Miller commit ac5789ef927006a8449ea235a866922b2d8f8290 Author: Alex Deucher Date: Tue Mar 16 22:02:14 2021 -0400 drm/amdgpu: skip kfd suspend/resume for S0ix GFX is in gfxoff mode during s0ix so we shouldn't need to actually tear anything down and restore it. Acked-by: Evan Quan Signed-off-by: Alex Deucher commit 264705005e6bc7f484652c1d7aee798034c82e12 Author: Alex Deucher Date: Tue Mar 16 14:18:30 2021 -0400 drm/amdgpu: drop S0ix checks around CG/PG in suspend We handle it properly within the CG/PG functions directly now. Acked-by: Evan Quan Signed-off-by: Alex Deucher commit 10cb67eb8a1b21419a7cd8e12f002a36bfef12fd Author: Pratik Vishwakarma Date: Tue Mar 16 14:15:44 2021 -0400 drm/amdgpu: skip CG/PG for gfx during S0ix Not needed as the device is in gfxoff state so the CG/PG state is handled just like it would be for gfxoff during runtime gfxoff. This should also prevent delays on resume. Reworked from Pratik's original patch (Alex) Acked-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Pratik Vishwakarma commit 9bb735abcbd83ec0b75cb2edf8885cff841fc096 Author: Alex Deucher Date: Tue Mar 16 14:00:36 2021 -0400 drm/amdgpu: update comments about s0ix suspend/resume Provide and explanation as to why we skip GFX and PSP for S0ix. GFX goes into gfxoff, same as runtime, so no need to tear down and re-init. PSP is part of the always on state, so no need to touch it. Acked-by: Evan Quan Signed-off-by: Alex Deucher commit 4021229e32bd9e35f2813715e056f59bb3739e7d Author: Alex Deucher Date: Fri Mar 12 16:00:21 2021 -0500 drm/amdgpu/swsmu: skip gfx cgpg on s0ix suspend The SMU expects CGPG to be enabled when entering S0ix. with this we can re-enable SMU suspend. Acked-by: Evan Quan Signed-off-by: Alex Deucher commit 9adb125dde699ffcf5d3e64d2c1476efce00a6f3 Author: Alex Deucher Date: Fri Mar 12 15:36:04 2021 -0500 drm/amdgpu: re-enable suspend phase 2 for S0ix This really needs to be done to properly tear down the device. SMC, PSP, and GFX are still problematic, need to dig deeper into what aspect of them that is problematic. Acked-by: Evan Quan Signed-off-by: Alex Deucher commit 3aa2cacf79b37f703d6b8f7bd0252c8fe8c3f420 Author: Alex Deucher Date: Fri Mar 12 15:33:46 2021 -0500 drm/amdgpu: move s0ix check into amdgpu_device_ip_suspend_phase2 (v3) No functional change. v2: use correct dev v3: rework Reviewed-by: Evan Quan Signed-off-by: Alex Deucher commit ca8ee26d616b5e1818a0c69285d8f01feec35af9 Author: Alex Deucher Date: Fri Mar 19 16:34:45 2021 -0400 drm/amdgpu: clean up non-DC suspend/resume handling Move the non-DC specific code into the DCE IP blocks similar to how we handle DC. This cleans up the common suspend and resume pathes. Reviewed-by: Evan Quan Signed-off-by: Alex Deucher commit e13d002bbf1d211cfe831ad2b2ae229a351eb196 Author: Alex Deucher Date: Tue Mar 9 23:20:46 2021 -0500 drm/amdgpu: don't evict vram on APUs for suspend to ram (v4) Vram is system memory, so no need to evict. v2: use PM_EVENT messages v3: use correct dev v4: use driver flags Reviewed-by: Evan Quan Signed-off-by: Alex Deucher commit 8914089a205be1042f99d49d2087663efc6fafa3 Author: Alex Deucher Date: Fri Mar 12 15:22:36 2021 -0500 drm/amdgpu: rework S3/S4/S0ix state handling Set flags at the top level pmops callbacks to track state. This cleans up the current set of flags and properly handles S4 on S0ix capable systems. Reviewed-by: Evan Quan Signed-off-by: Alex Deucher commit 9aa26019c1a60013ea866d460de6392acb1712ee Author: Prike Liang Date: Tue Mar 9 09:34:00 2021 +0800 drm/amdgpu: fix the hibernation suspend with s0ix During system hibernation suspend still need un-gate gfx CG/PG firstly to handle HW status check before HW resource destory. Signed-off-by: Prike Liang Acked-by: Alex Deucher Acked-by: Huang Rui Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 92063f3ca73aab794bd5408d3361fd5b5ea33079 Author: Mimi Zohar Date: Fri Mar 19 11:17:23 2021 -0400 integrity: double check iint_cache was initialized The kernel may be built with multiple LSMs, but only a subset may be enabled on the boot command line by specifying "lsm=". Not including "integrity" on the ordered LSM list may result in a NULL deref. As reported by Dmitry Vyukov: in qemu: qemu-system-x86_64 -enable-kvm -machine q35,nvdimm -cpu max,migratable=off -smp 4 -m 4G,slots=4,maxmem=16G -hda wheezy.img -kernel arch/x86/boot/bzImage -nographic -vga std -soundhw all -usb -usbdevice tablet -bt hci -bt device:keyboard -net user,host=10.0.2.10,hostfwd=tcp::10022-:22 -net nic,model=virtio-net-pci -object memory-backend-file,id=pmem1,share=off,mem-path=/dev/zero,size=64M -device nvdimm,id=nvdimm1,memdev=pmem1 -append "console=ttyS0 root=/dev/sda earlyprintk=serial rodata=n oops=panic panic_on_warn=1 panic=86400 lsm=smack numa=fake=2 nopcid dummy_hcd.num=8" -pidfile vm_pid -m 2G -cpu host But it crashes on NULL deref in integrity_inode_get during boot: Run /sbin/init as init process BUG: kernel NULL pointer dereference, address: 000000000000001c PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP KASAN CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc2+ #97 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-44-g88ab0c15525c-prebuilt.qemu.org 04/01/2014 RIP: 0010:kmem_cache_alloc+0x2b/0x370 mm/slub.c:2920 Code: 57 41 56 41 55 41 54 41 89 f4 55 48 89 fd 53 48 83 ec 10 44 8b 3d d9 1f 90 0b 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 <8b> 5f 1c 4cf RSP: 0000:ffffc9000032f9d8 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff888017fc4f00 RCX: 0000000000000000 RDX: ffff888040220000 RSI: 0000000000000c40 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888019263627 R10: ffffffff83937cd1 R11: 0000000000000000 R12: 0000000000000c40 R13: ffff888019263538 R14: 0000000000000000 R15: 0000000000ffffff FS: 0000000000000000(0000) GS:ffff88802d180000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000001c CR3: 000000000b48e000 CR4: 0000000000750ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: integrity_inode_get+0x47/0x260 security/integrity/iint.c:105 process_measurement+0x33d/0x17e0 security/integrity/ima/ima_main.c:237 ima_bprm_check+0xde/0x210 security/integrity/ima/ima_main.c:474 security_bprm_check+0x7d/0xa0 security/security.c:845 search_binary_handler fs/exec.c:1708 [inline] exec_binprm fs/exec.c:1761 [inline] bprm_execve fs/exec.c:1830 [inline] bprm_execve+0x764/0x19a0 fs/exec.c:1792 kernel_execve+0x370/0x460 fs/exec.c:1973 try_to_run_init_process+0x14/0x4e init/main.c:1366 kernel_init+0x11d/0x1b8 init/main.c:1477 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Modules linked in: CR2: 000000000000001c ---[ end trace 22d601a500de7d79 ]--- Since LSMs and IMA may be configured at build time, but not enabled at run time, panic the system if "integrity" was not initialized before use. Reported-by: Dmitry Vyukov Fixes: 79f7865d844c ("LSM: Introduce "lsm=" for boottime LSM selection") Cc: stable@vger.kernel.org Signed-off-by: Mimi Zohar commit 84196390620ac0e5070ae36af84c137c6216a7dc Merge: 0d02ec6b3136c ee5de60a08b7d Author: Linus Torvalds Date: Mon Mar 22 11:34:31 2021 -0700 Merge tag 'selinux-pr-20210322' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux Pull selinux fixes from Paul Moore: "Three SELinux patches: - Fix a problem where a local variable is used outside its associated function. Thankfully this can only be triggered by reloading the SELinux policy, which is a restricted operation for other obvious reasons. - Fix some incorrect, and inconsistent, audit and printk messages when loading the SELinux policy. All three patches are relatively minor and have been through our testing with no failures" * tag 'selinux-pr-20210322' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux: selinuxfs: unify policy load error reporting selinux: fix variable scope issue in live sidtab conversion selinux: don't log MAC_POLICY_LOAD record on failed policy load commit 83520d62cc5a94d2ff0e2d37c8204fca13dd2637 Author: dean.yang_cp Date: Tue Feb 23 10:00:31 2021 +0800 ARC: treewide: avoid the pointer addition with NULL pointer Signed-off-by: dean.yang_cp Acked-by: Vineet Gupta Signed-off-by: Vineet Gupta commit 46e152186cd89d940b26726fff11eb3f4935b45a Author: Wang Qing Date: Mon Mar 1 20:05:48 2021 +0800 arc: kernel: Return -EFAULT if copy_to_user() fails The copy_to_user() function returns the number of bytes remaining to be copied, but we want to return -EFAULT if the copy doesn't complete. Signed-off-by: Wang Qing Signed-off-by: Vineet Gupta commit eb50aaf960e3bedfef79063411ffd670da94b84b Author: Andy Shevchenko Date: Mon Mar 22 18:31:00 2021 +0200 ACPI: scan: Use unique number for instance_no The decrementation of acpi_device_bus_id->instance_no in acpi_device_del() is incorrect, because it may cause a duplicate instance number to be allocated next time a device with the same acpi_device_bus_id is added. Replace above mentioned approach by using IDA framework. While at it, define the instance range to be [0, 4096). Fixes: e49bd2dd5a50 ("ACPI: use PNPID:instance_no as bus_id of ACPI device") Fixes: ca9dc8d42b30 ("ACPI / scan: Fix acpi_bus_id_list bookkeeping") Signed-off-by: Andy Shevchenko Cc: 4.10+ # 4.10+ Signed-off-by: Rafael J. Wysocki commit 5424a0b867e65f1ecf34ffe88d091a4fcbb35bc1 Author: Mikulas Patocka Date: Mon Mar 22 10:13:54 2021 -0400 dm: don't report "detected capacity change" on device creation When a DM device is first created it doesn't yet have an established capacity, therefore the use of set_capacity_and_notify() should be conditional given the potential for needless pr_info "detected capacity change" noise even if capacity is 0. One could argue that the pr_info() in set_capacity_and_notify() is misplaced, but that position is not held uniformly. Signed-off-by: Mikulas Patocka Fixes: f64d9b2eacb9 ("dm: use set_capacity_and_notify") Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer commit 2d669ceb69c276f7637cf760287ca4187add082e Author: Shin'ichiro Kawasaki Date: Tue Mar 16 13:36:02 2021 +0900 dm table: Fix zoned model check and zone sectors check Commit 24f6b6036c9e ("dm table: fix zoned iterate_devices based device capability checks") triggered dm table load failure when dm-zoned device is set up for zoned block devices and a regular device for cache. The commit inverted logic of two callback functions for iterate_devices: device_is_zoned_model() and device_matches_zone_sectors(). The logic of device_is_zoned_model() was inverted then all destination devices of all targets in dm table are required to have the expected zoned model. This is fine for dm-linear, dm-flakey and dm-crypt on zoned block devices since each target has only one destination device. However, this results in failure for dm-zoned with regular cache device since that target has both regular block device and zoned block devices. As for device_matches_zone_sectors(), the commit inverted the logic to require all zoned block devices in each target have the specified zone_sectors. This check also fails for regular block device which does not have zones. To avoid the check failures, fix the zone model check and the zone sectors check. For zone model check, introduce the new feature flag DM_TARGET_MIXED_ZONED_MODEL, and set it to dm-zoned target. When the target has this flag, allow it to have destination devices with any zoned model. For zone sectors check, skip the check if the destination device is not a zoned block device. Also add comments and improve an error message to clarify expectations to the two checks. Fixes: 24f6b6036c9e ("dm table: fix zoned iterate_devices based device capability checks") Signed-off-by: Shin'ichiro Kawasaki Signed-off-by: Damien Le Moal Signed-off-by: Mike Snitzer commit 160f99db943224e55906dd83880da1a704c6e6b9 Author: JeongHyeon Lee Date: Thu Mar 11 21:10:50 2021 +0900 dm verity: fix DM_VERITY_OPTS_MAX value Three optional parameters must be accepted at once in a DM verity table, e.g.: (verity_error_handling_mode) (ignore_zero_block) (check_at_most_once) Fix this to be possible by incrementing DM_VERITY_OPTS_MAX. Signed-off-by: JeongHyeon Lee Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to only validate hashes once") Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer commit 9de82caad0282205d4c38a39456bce58e3219540 Author: Arnd Bergmann Date: Mon Mar 22 12:44:58 2021 +0100 dax: avoid -Wempty-body warnings gcc warns about an empty body in an else statement: drivers/dax/bus.c: In function 'do_id_store': drivers/dax/bus.c:94:48: error: suggest braces around empty body in an 'else' statement [-Werror=empty-body] 94 | /* nothing to remove */; | ^ drivers/dax/bus.c:99:43: error: suggest braces around empty body in an 'else' statement [-Werror=empty-body] 99 | /* dax_id already added */; | ^ In both of these cases, the 'else' exists only to have a place to add a comment, but that comment doesn't really explain that much either, so the easiest way to shut up that warning is to just remove the else. Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210322114514.3490752-1-arnd@kernel.org Signed-off-by: Dan Williams commit 5244f5e2d801259af877ee759e8c22364c607072 Author: Rafael J. Wysocki Date: Fri Mar 19 15:47:31 2021 +0100 PM: runtime: Defer suspending suppliers Because the PM-runtime status of the device is not updated in __rpm_callback(), attempts to suspend the suppliers of the given device triggered by the rpm_put_suppliers() call in there may cause a supplier to be suspended completely before the status of the consumer is updated to RPM_SUSPENDED, which is confusing. To avoid that (1) modify __rpm_callback() to only decrease the PM-runtime usage counter of each supplier and (2) make rpm_suspend() try to suspend the suppliers after changing the consumer's status to RPM_SUSPENDED, in analogy with the device's parent. Link: https://lore.kernel.org/linux-pm/CAPDyKFqm06KDw_p8WXsM4dijDbho4bb6T4k50UqqvR1_COsp8g@mail.gmail.com/ Fixes: 21d5c57b3726 ("PM / runtime: Use device links") Reported-by: elaine.zhang Diagnosed-by: Ulf Hansson Reviewed-by: Ulf Hansson Signed-off-by: Rafael J. Wysocki commit d81269fecb8ce16eb07efafc9ff5520b2a31c486 Author: Pavel Begunkov Date: Fri Mar 19 10:21:19 2021 +0000 io_uring: fix provide_buffers sign extension io_provide_buffers_prep()'s "p->len * p->nbufs" to sign extension problems. Not a huge problem as it's only used for access_ok() and increases the checked length, but better to keep typing right. Reported-by: Colin Ian King Fixes: efe68c1ca8f49 ("io_uring: validate the full range of provided buffers for access") Signed-off-by: Pavel Begunkov Reviewed-by: Colin Ian King Link: https://lore.kernel.org/r/562376a39509e260d8532186a06226e56eb1f594.1616149233.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit b65c128f963df367a8adcfb08f5ecf8721052723 Author: Pavel Begunkov Date: Mon Mar 22 01:45:59 2021 +0000 io_uring: don't skip file_end_write() on reissue Don't miss to call kiocb_end_write() from __io_complete_rw() on reissue. Shouldn't be much of a problem as the function actually does some work only for ISREG, and NONBLOCK won't be reissued. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/32af9b77c5b874e1bee1a3c46396094bd969e577.1616366969.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit d07f1e8a42614cc938c9c88866d4474a5a7fee31 Author: Pavel Begunkov Date: Mon Mar 22 01:45:58 2021 +0000 io_uring: correct io_queue_async_work() traces Request's io-wq work is hashed in io_prep_async_link(), so as trace_io_uring_queue_async_work() looks at it should follow after prep has been done. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/709c9f872f4d2e198c7aed9c49019ca7095dd24d.1616366969.git.asml.silence@gmail.com Signed-off-by: Jens Axboe commit 7011d72588d16a9e5f5d85acbc8b10019809599c Author: Andre Przywara Date: Fri Mar 19 12:01:28 2021 +0000 kselftest/arm64: sve: Do not use non-canonical FFR register value The "First Fault Register" (FFR) is an SVE register that mimics a predicate register, but clears bits when a load or store fails to handle an element of a vector. The supposed usage scenario is to initialise this register (using SETFFR), then *read* it later on to learn about elements that failed to load or store. Explicit writes to this register using the WRFFR instruction are only supposed to *restore* values previously read from the register (for context-switching only). As the manual describes, this register holds only certain values, it: "... contains a monotonic predicate value, in which starting from bit 0 there are zero or more 1 bits, followed only by 0 bits in any remaining bit positions." Any other value is UNPREDICTABLE and is not supposed to be "restored" into the register. The SVE test currently tries to write a signature pattern into the register, which is *not* a canonical FFR value. Apparently the existing setups treat UNPREDICTABLE as "read-as-written", but a new implementation actually only stores canonical values. As a consequence, the sve-test fails immediately when comparing the FFR value: ----------- # ./sve-test Vector length: 128 bits PID: 207 Mismatch: PID=207, iteration=0, reg=48 Expected [cf00] Got [0f00] Aborted ----------- Fix this by only populating the FFR with proper canonical values. Effectively the requirement described above limits us to 17 unique values over 16 bits worth of FFR, so we condense our signature down to 4 bits (2 bits from the PID, 2 bits from the generation) and generate the canonical pattern from it. Any bits describing elements above the minimum 128 bit are set to 0. This aligns the FFR usage to the architecture and fixes the test on microarchitectures implementing FFR in a more restricted way. Signed-off-by: Andre Przywara Reviwed-by: Mark Brown Link: https://lore.kernel.org/r/20210319120128.29452-1-andre.przywara@arm.com Signed-off-by: Will Deacon commit ee7febce051945be28ad86d16a15886f878204de Author: Pavel Tatashin Date: Tue Feb 16 10:03:51 2021 -0500 arm64: mm: correct the inside linear map range during hotplug check Memory hotplug may fail on systems with CONFIG_RANDOMIZE_BASE because the linear map range is not checked correctly. The start physical address that linear map covers can be actually at the end of the range because of randomization. Check that and if so reduce it to 0. This can be verified on QEMU with setting kaslr-seed to ~0ul: memstart_offset_seed = 0xffff START: __pa(_PAGE_OFFSET(vabits_actual)) = ffff9000c0000000 END: __pa(PAGE_END - 1) = 1000bfffffff Signed-off-by: Pavel Tatashin Fixes: 58284a901b42 ("arm64/mm: Validate hotplug range before creating linear mapping") Tested-by: Tyler Hicks Reviewed-by: Anshuman Khandual Link: https://lore.kernel.org/r/20210216150351.129018-2-pasha.tatashin@soleen.com Signed-off-by: Will Deacon commit 141f8202cfa4192c3af79b6cbd68e7760bb01b5a Author: Pavel Tatashin Date: Fri Mar 19 16:50:54 2021 -0400 arm64: kdump: update ppos when reading elfcorehdr The ppos points to a position in the old kernel memory (and in case of arm64 in the crash kernel since elfcorehdr is passed as a segment). The function should update the ppos by the amount that was read. This bug is not exposed by accident, but other platforms update this value properly. So, fix it in ARM64 version of elfcorehdr_read() as well. Signed-off-by: Pavel Tatashin Fixes: e62aaeac426a ("arm64: kdump: provide /proc/vmcore file") Reviewed-by: Tyler Hicks Link: https://lore.kernel.org/r/20210319205054.743368-1-pasha.tatashin@soleen.com Signed-off-by: Will Deacon commit d1296f1265f7ebb66c2bfab387bc1a0f969a5968 Author: Bhaskar Chowdhury Date: Sat Mar 20 03:58:48 2021 +0530 arm64: cpuinfo: Fix a typo s/acurate/accurate/ Signed-off-by: Bhaskar Chowdhury Acked-by: Randy Dunlap Link: https://lore.kernel.org/r/20210319222848.29928-1-unixbhaskar@gmail.com Signed-off-by: Will Deacon commit e14a371f732b969d4dc881bdd874c93f1b4fdd30 Author: Tom Saeger Date: Tue Mar 16 12:50:41 2021 -0600 Documentation: arm64/acpi : clarify arm64 support of IBFT In commit 94bccc340710 ("iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND") Kconfig was disentangled to make ISCSI_IBFT selection not depend on x86. Update arm64 acpi documentation, changing IBFT support status from "Not Supported" to "Optional". Opportunistically re-flow paragraph for changed lines. Link: https://lore.kernel.org/lkml/1563475054-10680-1-git-send-email-thomas.tai@oracle.com/ Signed-off-by: Tom Saeger Reviewed-by: Konrad Rzeszutek Wilk Acked-by: Ard Biesheuvel Acked-by: Lorenzo Pieralisi Link: https://lore.kernel.org/r/9efc652df2b8d6b53d9acb170eb7c9ca3938dfef.1615920441.git.tom.saeger@oracle.com Signed-off-by: Will Deacon commit c607ab4f916d4d5259072eca34055d3f5a795c21 Author: Mark Rutland Date: Fri Mar 19 18:41:06 2021 +0000 arm64: stacktrace: don't trace arch_stack_walk() We recently converted arm64 to use arch_stack_walk() in commit: 5fc57df2f6fd ("arm64: stacktrace: Convert to ARCH_STACKWALK") The core stacktrace code expects that (when tracing the current task) arch_stack_walk() starts a trace at its caller, and does not include itself in the trace. However, arm64's arch_stack_walk() includes itself, and so traces include one more entry than callers expect. The core stacktrace code which calls arch_stack_walk() tries to skip a number of entries to prevent itself appearing in a trace, and the additional entry prevents skipping one of the core stacktrace functions, leaving this in the trace unexpectedly. We can fix this by having arm64's arch_stack_walk() begin the trace with its caller. The first value returned by the trace will be __builtin_return_address(0), i.e. the caller of arch_stack_walk(). The first frame record to be unwound will be __builtin_frame_address(1), i.e. the caller's frame record. To prevent surprises, arch_stack_walk() is also marked noinline. While __builtin_frame_address(1) is not safe in portable code, local GCC developers have confirmed that it is safe on arm64. To find the caller's frame record, the builtin can safely dereference the current function's frame record or (in theory) could stash the original FP into another GPR at function entry time, neither of which are problematic. Prior to this patch, the tracing code would unexpectedly show up in traces of the current task, e.g. | # cat /proc/self/stack | [<0>] stack_trace_save_tsk+0x98/0x100 | [<0>] proc_pid_stack+0xb4/0x130 | [<0>] proc_single_show+0x60/0x110 | [<0>] seq_read_iter+0x230/0x4d0 | [<0>] seq_read+0xdc/0x130 | [<0>] vfs_read+0xac/0x1e0 | [<0>] ksys_read+0x6c/0xfc | [<0>] __arm64_sys_read+0x20/0x30 | [<0>] el0_svc_common.constprop.0+0x60/0x120 | [<0>] do_el0_svc+0x24/0x90 | [<0>] el0_svc+0x2c/0x54 | [<0>] el0_sync_handler+0x1a4/0x1b0 | [<0>] el0_sync+0x170/0x180 After this patch, the tracing code will not show up in such traces: | # cat /proc/self/stack | [<0>] proc_pid_stack+0xb4/0x130 | [<0>] proc_single_show+0x60/0x110 | [<0>] seq_read_iter+0x230/0x4d0 | [<0>] seq_read+0xdc/0x130 | [<0>] vfs_read+0xac/0x1e0 | [<0>] ksys_read+0x6c/0xfc | [<0>] __arm64_sys_read+0x20/0x30 | [<0>] el0_svc_common.constprop.0+0x60/0x120 | [<0>] do_el0_svc+0x24/0x90 | [<0>] el0_svc+0x2c/0x54 | [<0>] el0_sync_handler+0x1a4/0x1b0 | [<0>] el0_sync+0x170/0x180 Erring on the side of caution, I've given this a spin with a bunch of toolchains, verifying the output of /proc/self/stack and checking that the assembly looked sound. For GCC (where we require version 5.1.0 or later) I tested with the kernel.org crosstool binares for versions 5.5.0, 6.4.0, 6.5.0, 7.3.0, 7.5.0, 8.1.0, 8.3.0, 8.4.0, 9.2.0, and 10.1.0. For clang (where we require version 10.0.1 or later) I tested with the llvm.org binary releases of 11.0.0, and 11.0.1. Fixes: 5fc57df2f6fd ("arm64: stacktrace: Convert to ARCH_STACKWALK") Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Chen Jun Cc: Marco Elver Cc: Mark Brown Cc: Will Deacon Cc: # 5.10.x Reviewed-by: Catalin Marinas Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20210319184106.5688-1-mark.rutland@arm.com Signed-off-by: Will Deacon commit af06b628a6bde8506bbad32dbf7cc641c0176ad7 Author: Lang Cheng Date: Sat Mar 13 10:30:11 2021 +0800 RDMA/hns: Fix bug during CMDQ initialization When reloading driver, the head/tail pointer of CMDQ may be not at position 0. Then during initialization of CMDQ, if head is reset first, the firmware will start to handle CMDQ because the head is not equal to the tail. The driver can reset tail first since the firmware will be triggerred only by head. This bug is introduced by changing macros of head/tail register without changing the order of initialization. Fixes: 292b3352bd5b ("RDMA/hns: Adjust fields and variables about CMDQ tail/head") Link: https://lore.kernel.org/r/1615602611-7963-1-git-send-email-liweihang@huawei.com Signed-off-by: Lang Cheng Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe commit e54f30befa7990b897189b44a56c1138c6bfdbb5 Author: Hui Wang Date: Sat Mar 20 17:15:42 2021 +0800 ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook We found the alc_update_headset_mode() is not called on some machines when unplugging the headset, as a result, the mode of the ALC_HEADSET_MODE_UNPLUGGED can't be set, then the current_headset_type is not cleared, if users plug a differnt type of headset next time, the determine_headset_type() will not be called and the audio jack is set to the headset type of previous time. On the Dell machines which connect the dmic to the PCH, if we open the gnome-sound-setting and unplug the headset, this issue will happen. Those machines disable the auto-mute by ucm and has no internal mic in the input source, so the update_headset_mode() will not be called by cap_sync_hook or automute_hook when unplugging, and because the gnome-sound-setting is opened, the codec will not enter the runtime_suspend state, so the update_headset_mode() will not be called by alc_resume when unplugging. In this case the hp_automute_hook is called when unplugging, so add update_headset_mode() calling to this function. Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210320091542.6748-2-hui.wang@canonical.com Signed-off-by: Takashi Iwai commit febf22565549ea7111e7d45e8f2d64373cc66b11 Author: Hui Wang Date: Sat Mar 20 17:15:41 2021 +0800 ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO We found a recording issue on a Dell AIO, users plug a headset-mic and select headset-mic from UI, but can't record any sound from headset-mic. The root cause is the determine_headset_type() returns a wrong type, e.g. users plug a ctia type headset, but that function returns omtp type. On this machine, the internal mic is not connected to the codec, the "Input Source" is headset mic by default. And when users plug a headset, the determine_headset_type() will be called immediately, the codec on this AIO is alc274, the delay time for this codec in the determine_headset_type() is only 80ms, the delay is too short to correctly determine the headset type, the fail rate is nearly 99% when users plug the headset with the normal speed. Other codecs set several hundred ms delay time, so here I change the delay time to 850ms for alc2x4 series, after this change, the fail rate is zero unless users plug the headset slowly on purpose. Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210320091542.6748-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai commit 154deab6a3ba47792936edf77f2f13a1cbc4351d Author: Xin Long Date: Fri Mar 19 15:35:07 2021 +0800 esp: delete NETIF_F_SCTP_CRC bit from features for esp offload Now in esp4/6_gso_segment(), before calling inner proto .gso_segment, NETIF_F_CSUM_MASK bits are deleted, as HW won't be able to do the csum for inner proto due to the packet encrypted already. So the UDP/TCP packet has to do the checksum on its own .gso_segment. But SCTP is using CRC checksum, and for that NETIF_F_SCTP_CRC should be deleted to make SCTP do the csum in own .gso_segment as well. In Xiumei's testing with SCTP over IPsec/veth, the packets are kept dropping due to the wrong CRC checksum. Reported-by: Xiumei Mu Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6") Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit bc8e0adff343d992ca76d871e8b5e6cb86e1fad9 Author: Ahmed S. Darwish Date: Tue Mar 16 11:56:30 2021 +0100 net: xfrm: Use sequence counter with associated spinlock A sequence counter write section must be serialized or its internal state can get corrupted. A plain seqcount_t does not contain the information of which lock must be held to guaranteee write side serialization. For xfrm_state_hash_generation, use seqcount_spinlock_t instead of plain seqcount_t. This allows to associate the spinlock used for write serialization with the sequence counter. It thus enables lockdep to verify that the write serialization lock is indeed held before entering the sequence counter write section. If lockdep is disabled, this lock association is compiled out and has neither storage size nor runtime overhead. Signed-off-by: Ahmed S. Darwish Signed-off-by: Steffen Klassert commit e88add19f68191448427a6e4eb059664650a837f Author: Ahmed S. Darwish Date: Tue Mar 16 11:56:29 2021 +0100 net: xfrm: Localize sequence counter per network namespace A sequence counter write section must be serialized or its internal state can get corrupted. The "xfrm_state_hash_generation" seqcount is global, but its write serialization lock (net->xfrm.xfrm_state_lock) is instantiated per network namespace. The write protection is thus insufficient. To provide full protection, localize the sequence counter per network namespace instead. This should be safe as both the seqcount read and write sections access data exclusively within the network namespace. It also lays the foundation for transforming "xfrm_state_hash_generation" data type from seqcount_t to seqcount_LOCKNAME_t in further commits. Fixes: b65e3d7be06f ("xfrm: state: add sequence count to detect hash resizes") Signed-off-by: Ahmed S. Darwish Signed-off-by: Steffen Klassert commit d27ce83fa4baa5cb908a42e9878564cad6ea0eb3 Merge: 0d02ec6b3136c 7a1adbd239902 Author: Dave Airlie Date: Mon Mar 22 13:45:36 2021 +1000 Merge tag 'du-fixes-20210316' of git://linuxtv.org/pinchartl/media into drm-fixes R-Car DU v5.12 fix Signed-off-by: Dave Airlie From: Laurent Pinchart Link: https://patchwork.freedesktop.org/patch/msgid/YFAG3ZMcWd1qW/Oo@pendragon.ideasonboard.com commit 0d02ec6b3136c73c09e7859f0d0e4e2c4c07b49b Author: Linus Torvalds Date: Sun Mar 21 14:56:43 2021 -0700 Linux 5.12-rc4 commit d7f5f1bd3c240c4d527c0871a38dc3d61255ea9e Merge: 2c41fab1c60b0 64395d950bc47 Author: Linus Torvalds Date: Sun Mar 21 14:06:10 2021 -0700 Merge tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Miscellaneous ext4 bug fixes for v5.12" * tag 'ext4_for_linus_stable' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: initialize ret to suppress smatch warning ext4: stop inode update before return ext4: fix rename whiteout with fast commit ext4: fix timer use-after-free on failed mount ext4: fix potential error in ext4_do_update_inode ext4: do not try to set xattr into ea_inode if value is empty ext4: do not iput inode under running transaction in ext4_rename() ext4: find old entry again if failed to rename whiteout ext4: fix error handling in ext4_end_enable_verity() ext4: fix bh ref count on error paths fs/ext4: fix integer overflow in s_log_groups_per_flex ext4: add reclaim checks to xattr code ext4: shrink race window in ext4_should_retry_alloc() commit a9748134ea4aad989e52a6a91479e0acfd306e5b Author: Fabio Estevam Date: Sat Mar 20 08:56:03 2021 -0300 drm/msm: Fix suspend/resume on i.MX5 When putting iMX5 into suspend, the following flow is observed: [ 70.023427] [] (msm_atomic_commit_tail) from [] (commit_tail+0x9c/0x18c) [ 70.031890] [] (commit_tail) from [] (drm_atomic_helper_commit+0x1a0/0x1d4) [ 70.040627] [] (drm_atomic_helper_commit) from [] (drm_atomic_helper_disable_all+0x1c4/0x1d4) [ 70.050913] [] (drm_atomic_helper_disable_all) from [] (drm_atomic_helper_suspend+0xb8/0x170) [ 70.061198] [] (drm_atomic_helper_suspend) from [] (drm_mode_config_helper_suspend+0x24/0x58) In the i.MX5 case, priv->kms is not populated (as i.MX5 does not use any of the Qualcomm display controllers), causing a NULL pointer dereference in msm_atomic_commit_tail(): [ 24.268964] 8<--- cut here --- [ 24.274602] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 24.283434] pgd = (ptrval) [ 24.286387] [00000000] *pgd=ca212831 [ 24.290788] Internal error: Oops: 17 [#1] SMP ARM [ 24.295609] Modules linked in: [ 24.298777] CPU: 0 PID: 197 Comm: init Not tainted 5.11.0-rc2-next-20210111 #333 [ 24.306276] Hardware name: Freescale i.MX53 (Device Tree Support) [ 24.312442] PC is at msm_atomic_commit_tail+0x54/0xb9c [ 24.317743] LR is at commit_tail+0xa4/0x1b0 Fix the problem by calling drm_mode_config_helper_suspend/resume() only when priv->kms is available. Fixes: ca8199f13498 ("drm/msm/dpu: ensure device suspend happens during PM sleep") Signed-off-by: Fabio Estevam Signed-off-by: Rob Clark commit 623f279c77811475ac8fd5635cc4e4451aa71291 Author: Dmitry Baryshkov Date: Sat Mar 20 08:56:02 2021 -0300 drm/msm: fix shutdown hook in case GPU components failed to bind If GPU components have failed to bind, shutdown callback would fail with the following backtrace. Add safeguard check to stop that oops from happening and allow the board to reboot. [ 66.617046] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 66.626066] Mem abort info: [ 66.628939] ESR = 0x96000006 [ 66.632088] EC = 0x25: DABT (current EL), IL = 32 bits [ 66.637542] SET = 0, FnV = 0 [ 66.640688] EA = 0, S1PTW = 0 [ 66.643924] Data abort info: [ 66.646889] ISV = 0, ISS = 0x00000006 [ 66.650832] CM = 0, WnR = 0 [ 66.653890] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107f81000 [ 66.660505] [0000000000000000] pgd=0000000100bb2003, p4d=0000000100bb2003, pud=0000000100897003, pmd=0000000000000000 [ 66.671398] Internal error: Oops: 96000006 [#1] PREEMPT SMP [ 66.677115] Modules linked in: [ 66.680261] CPU: 6 PID: 352 Comm: reboot Not tainted 5.11.0-rc2-00309-g79e3faa756b2 #38 [ 66.688473] Hardware name: Qualcomm Technologies, Inc. Robotics RB5 (DT) [ 66.695347] pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--) [ 66.701507] pc : msm_atomic_commit_tail+0x78/0x4e0 [ 66.706437] lr : commit_tail+0xa4/0x184 [ 66.710381] sp : ffff8000108f3af0 [ 66.713791] x29: ffff8000108f3af0 x28: ffff418c44337000 [ 66.719242] x27: 0000000000000000 x26: ffff418c40a24490 [ 66.724693] x25: ffffd3a842a4f1a0 x24: 0000000000000008 [ 66.730146] x23: ffffd3a84313f030 x22: ffff418c444ce000 [ 66.735598] x21: ffff418c408a4980 x20: 0000000000000000 [ 66.741049] x19: 0000000000000000 x18: ffff800010710fbc [ 66.746500] x17: 000000000000000c x16: 0000000000000001 [ 66.751954] x15: 0000000000010008 x14: 0000000000000068 [ 66.757405] x13: 0000000000000001 x12: 0000000000000000 [ 66.762855] x11: 0000000000000001 x10: 00000000000009b0 [ 66.768306] x9 : ffffd3a843192000 x8 : ffff418c44337000 [ 66.773757] x7 : 0000000000000000 x6 : 00000000a401b34e [ 66.779210] x5 : 00ffffffffffffff x4 : 0000000000000000 [ 66.784660] x3 : 0000000000000000 x2 : ffff418c444ce000 [ 66.790111] x1 : ffffd3a841dce530 x0 : ffff418c444cf000 [ 66.795563] Call trace: [ 66.798075] msm_atomic_commit_tail+0x78/0x4e0 [ 66.802633] commit_tail+0xa4/0x184 [ 66.806217] drm_atomic_helper_commit+0x160/0x390 [ 66.811051] drm_atomic_commit+0x4c/0x60 [ 66.815082] drm_atomic_helper_disable_all+0x1f4/0x210 [ 66.820355] drm_atomic_helper_shutdown+0x80/0x130 [ 66.825276] msm_pdev_shutdown+0x14/0x20 [ 66.829303] platform_shutdown+0x28/0x40 [ 66.833330] device_shutdown+0x158/0x330 [ 66.837357] kernel_restart+0x40/0xa0 [ 66.841122] __do_sys_reboot+0x228/0x250 [ 66.845148] __arm64_sys_reboot+0x28/0x34 [ 66.849264] el0_svc_common.constprop.0+0x74/0x190 [ 66.854187] do_el0_svc+0x24/0x90 [ 66.857595] el0_svc+0x14/0x20 [ 66.860739] el0_sync_handler+0x1a4/0x1b0 [ 66.864858] el0_sync+0x174/0x180 [ 66.868269] Code: 1ac020a0 2a000273 eb02007f 54ffff01 (f9400285) [ 66.874525] ---[ end trace 20dedb2a3229fec8 ]--- Fixes: 9d5cbf5fe46e ("drm/msm: add shutdown support for display platform_driver") Signed-off-by: Dmitry Baryshkov Signed-off-by: Fabio Estevam Signed-off-by: Rob Clark commit 0b8cfa974dfc964e6382c9e25fa6c1bdac6ef499 Author: Jens Axboe Date: Sun Mar 21 14:16:08 2021 -0600 io_uring: don't use {test,clear}_tsk_thread_flag() for current Linus correctly points out that this is both unnecessary and generates much worse code on some archs as going from current to thread_info is actually backwards - and obviously just wasteful, since the thread_info is what we care about. Since io_uring only operates on current for these operations, just use test_thread_flag() instead. For io-wq, we can further simplify and use tracehook_notify_signal() to handle the TIF_NOTIFY_SIGNAL work and clear the flag. The latter isn't an actual bug right now, but it may very well be in the future if we place other work items under TIF_NOTIFY_SIGNAL. Reported-by: Linus Torvalds Link: https://lore.kernel.org/io-uring/CAHk-=wgYhNck33YHKZ14mFB5MzTTk8gqXHcfj=RWTAXKwgQJgg@mail.gmail.com/ Signed-off-by: Jens Axboe commit 2c41fab1c60b02626c8153a1806a7a1e5d62aaf1 Merge: 1d4345eb51a18 0031275d119ef Author: Linus Torvalds Date: Sun Mar 21 12:25:54 2021 -0700 Merge tag 'io_uring-5.12-2021-03-21' of git://git.kernel.dk/linux-block Pull io_uring followup fixes from Jens Axboe: - The SIGSTOP change from Eric, so we properly ignore that for PF_IO_WORKER threads. - Disallow sending signals to PF_IO_WORKER threads in general, we're not interested in having them funnel back to the io_uring owning task. - Stable fix from Stefan, ensuring we properly break links for short send/sendmsg recv/recvmsg if MSG_WAITALL is set. - Catch and loop when needing to run task_work before a PF_IO_WORKER threads goes to sleep. * tag 'io_uring-5.12-2021-03-21' of git://git.kernel.dk/linux-block: io_uring: call req_set_fail_links() on short send[msg]()/recv[msg]() with MSG_WAITALL io-wq: ensure task is running before processing task_work signal: don't allow STOP on PF_IO_WORKER threads signal: don't allow sending any signals to PF_IO_WORKER threads commit 1d4345eb51a185b2ecd11834dbddca79cb922eb5 Merge: 3001c3554f1df 2cafd46a714af Author: Linus Torvalds Date: Sun Mar 21 11:54:04 2021 -0700 Merge tag 'staging-5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging and IIO driver fixes from Greg KH: "Some small staging and IIO driver fixes: - MAINTAINERS changes for the move of the staging mailing list - comedi driver fixes to get request_irq() to work correctly - counter driver fixes for reported issues with iio devices - tiny iio driver fixes for reported issues. All of these have been in linux-next with no reported problems" * tag 'staging-5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: vt665x: fix alignment constraints staging: comedi: cb_pcidas64: fix request_irq() warn staging: comedi: cb_pcidas: fix request_irq() warn MAINTAINERS: move the staging subsystem to lists.linux.dev MAINTAINERS: move some real subsystems off of the staging mailing list iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler iio: hid-sensor-temperature: Fix issues of timestamp channel iio: hid-sensor-humidity: Fix alignment issue of timestamp channel counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register counter: stm32-timer-cnt: fix ceiling write max value counter: stm32-timer-cnt: Report count function when SLAVE_MODE_DISABLED iio: adc: ab8500-gpadc: Fix off by 10 to 3 iio:adc:stm32-adc: Add HAS_IOMEM dependency iio: adis16400: Fix an error code in adis16400_initial_setup() iio: adc: adi-axi-adc: add proper Kconfig dependencies iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask iio: hid-sensor-prox: Fix scale not correct issue iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel commit 3001c3554f1dfac3f2561a6b34c5d209e3592dc0 Merge: 5ee96fa9dd78b 2b8c956ea6ba8 Author: Linus Torvalds Date: Sun Mar 21 11:49:16 2021 -0700 Merge tag 'usb-5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB and Thunderbolt driver fixes from Greg KH: "Here are some small Thunderbolt and USB driver fixes for some reported issues: - thunderbolt fixes for minor problems - typec fixes for power issues - usb-storage quirk addition - usbip bugfix - dwc3 bugfix when stopping transfers - cdnsp bugfix for isoc transfers - gadget use-after-free fix All have been in linux-next this week with no reported issues" * tag 'usb-5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: typec: tcpm: Skip sink_cap query only when VDM sm is busy usb: dwc3: gadget: Prevent EP queuing while stopping transfers usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct usb-storage: Add quirk to defeat Kindle's automatic unload usb: gadget: configfs: Fix KASAN use-after-free usbip: Fix incorrect double assignment to udc->ud.tcp_rx usb: cdnsp: Fixes incorrect value in ISOC TRB thunderbolt: Increase runtime PM reference count on DP tunnel discovery thunderbolt: Initialize HopID IDAs in tb_switch_alloc() commit 5ee96fa9dd78b2dc81b587e33074d877002d7605 Merge: 1c74516c2da40 81e2073c175b8 Author: Linus Torvalds Date: Sun Mar 21 11:34:24 2021 -0700 Merge tag 'irq-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull irq fix from Ingo Molnar: "A change to robustify force-threaded IRQ handlers to always disable interrupts, plus a DocBook fix. The force-threaded IRQ handler change has been accelerated from the normal schedule of such a change to keep the bad pattern/workaround of spin_lock_irqsave() in handlers or IRQF_NOTHREAD as a kludge from spreading" * tag 'irq-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: genirq: Disable interrupts for force threaded handlers genirq/irq_sim: Fix typos in kernel doc (fnode -> fwnode) commit 1c74516c2da40ead2c22c4ac07c117c20f9c31ec Merge: 5ba33b488a04a 2dc0572f2cef8 Author: Linus Torvalds Date: Sun Mar 21 11:26:21 2021 -0700 Merge tag 'perf-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull perf fixes from Ingo Molnar: "Boundary condition fixes for bugs unearthed by the perf fuzzer" * tag 'perf-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: perf/x86/intel: Fix unchecked MSR access error caused by VLBR_EVENT perf/x86/intel: Fix a crash caused by zero PEBS status commit 5ba33b488a04a13268131b0b4748a7c6f3598693 Merge: 92ed88cb4d7cd 38c9358737505 Author: Linus Torvalds Date: Sun Mar 21 11:19:29 2021 -0700 Merge tag 'locking-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fixes from Ingo Molnar: - Get static calls & modules right. Hopefully. - WW mutex fixes * tag 'locking-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: static_call: Fix static_call_update() sanity check static_call: Align static_call_is_init() patching condition static_call: Fix static_call_set_init() locking/ww_mutex: Fix acquire/release imbalance in ww_acquire_init()/ww_acquire_fini() locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling commit 92ed88cb4d7cd01eadb0f71063ceb5202548ce35 Merge: 5e3ddf96e7598 429257a430a0e Author: Linus Torvalds Date: Sun Mar 21 11:11:22 2021 -0700 Merge tag 'efi-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Ingo Molnar: - another missing RT_PROP table related fix, to ensure that the efivarfs pseudo filesystem fails gracefully if variable services are unsupported - use the correct alignment for literal EFI GUIDs - fix a use after unmap issue in the memreserve code * tag 'efi-urgent-2021-03-21' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: efi: use 32-bit alignment for efi_guid_t literals firmware/efi: Fix a use after bug in efi_mem_reserve_persistent efivars: respect EFI_UNSUPPORTED return from firmware commit 5e3ddf96e75983e4c404467fbb61b92d09333a1f Merge: b35660a7cebdf dd926880da8db Author: Linus Torvalds Date: Sun Mar 21 11:04:20 2021 -0700 Merge tag 'x86_urgent_for_v5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Borislav Petkov: "The freshest pile of shiny x86 fixes for 5.12: - Add the arch-specific mapping between physical and logical CPUs to fix devicetree-node lookups - Restore the IRQ2 ignore logic - Fix get_nr_restart_syscall() to return the correct restart syscall number. Split in a 4-patches set to avoid kABI breakage when backporting to dead kernels" * tag 'x86_urgent_for_v5.12-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/apic/of: Fix CPU devicetree-node lookups x86/ioapic: Ignore IRQ2 again x86: Introduce restart_block->arch_data to remove TS_COMPAT_RESTART x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() x86: Move TS_COMPAT back to asm/thread_info.h kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() commit b35660a7cebdf438e01bba05075ae2bcc0125650 Merge: 812da4d39463a cc7a0bb058b85 Author: Linus Torvalds Date: Sun Mar 21 10:57:35 2021 -0700 Merge tag 'powerpc-5.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - Fix a possible stack corruption and subsequent DLPAR failure in the rpadlpar_io PCI hotplug driver - Two build fixes for uncommon configurations Thanks to Christophe Leroy and Tyrel Datwyler. * tag 'powerpc-5.12-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: PCI: rpadlpar: Fix potential drc_name corruption in store functions powerpc: Force inlining of cpu_has_feature() to avoid build failure powerpc/vdso32: Add missing _restgpr_31_x to fix build failure commit 538d2dd0b9920334e6596977a664e9e7bac73703 Author: Hans de Goede Date: Sun Mar 21 17:35:13 2021 +0100 platform/x86: intel-vbtn: Stop reporting SW_DOCK events Stop reporting SW_DOCK events because this breaks suspend-on-lid-close. SW_DOCK should only be reported for docking stations, but all the DSDTs in my DSDT collection which use the intel-vbtn code, always seem to use this for 2-in-1s / convertibles and set SW_DOCK=1 when in laptop-mode (in tandem with setting SW_TABLET_MODE=0). This causes userspace to think the laptop is docked to a port-replicator and to disable suspend-on-lid-close, which is undesirable. Map the dock events to KEY_IGNORE to avoid this broken SW_DOCK reporting. Note this may theoretically cause us to stop reporting SW_DOCK on some device where the 0xCA and 0xCB intel-vbtn events are actually used for reporting docking to a classic docking-station / port-replicator but I'm not aware of any such devices. Also the most important thing is that we only report SW_DOCK when it reliably reports being docked to a classic docking-station without any false positives, which clearly is not the case here. If there is a chance of reporting false positives then it is better to not report SW_DOCK at all. Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321163513.72328-1-hdegoede@redhat.com commit 35471138a9f7193482a2019e39643f575f8098dc Author: Hans de Goede Date: Sun Mar 21 12:59:01 2021 +0100 platform/x86: dell-wmi-sysman: Cleanup create_attributes_level_sysfs_files() Cleanup create_attributes_level_sysfs_files(): 1. There is no need to call sysfs_remove_file() on error, sysman_init() will already call release_attributes_data() on failure which already does this. 2. There is no need for the pr_debug() calls sysfs_create_file() should never fail and if it does it will already complain about the problem itself. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-8-hdegoede@redhat.com commit 32418dd58c957f8fef25b97450d00275967604f1 Author: Hans de Goede Date: Sun Mar 21 12:59:00 2021 +0100 platform/x86: dell-wmi-sysman: Make sysman_init() return -ENODEV of the interfaces are not found When either the attributes or the password interface is not found, then unregister the 2 wmi drivers again and return -ENODEV from sysman_init(). Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Reported-by: Alexander Naumann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-7-hdegoede@redhat.com commit 9c90cd869747e3492a9306dcd8123c17502ff1fc Author: Hans de Goede Date: Sun Mar 21 12:58:59 2021 +0100 platform/x86: dell-wmi-sysman: Cleanup sysman_init() error-exit handling Cleanup sysman_init() error-exit handling: 1. There is no need for the fail_reset_bios and fail_authentication_kset eror-exit cases, these can be handled by release_attributes_data() 2. Rename all the labels from fail_what_failed, to err_what_to_cleanup this is the usual way to name these and avoids the need to rename them when extra steps are added. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-6-hdegoede@redhat.com commit 59bbbeb9c22cc7c55965cd5ea8c16af7f16e61eb Author: Hans de Goede Date: Sun Mar 21 12:58:58 2021 +0100 platform/x86: dell-wmi-sysman: Fix release_attributes_data() getting called twice on init_bios_attributes() failure All calls of init_bios_attributes() will result in a goto fail_create_group if they fail, which calls release_attributes_data(). So there is no need to call release_attributes_data() from init_bios_attributes() on failure itself. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-5-hdegoede@redhat.com commit 2d0c418c91d8c86a1b9fb254dda842ada9919513 Author: Hans de Goede Date: Sun Mar 21 12:58:57 2021 +0100 platform/x86: dell-wmi-sysman: Make it safe to call exit_foo_attributes() multiple times During some of the error-exit paths it is possible that release_attributes_data() will get called multiple times, which results in exit_foo_attributes() getting called multiple times. Make it safe to call exit_foo_attributes() multiple times, avoiding double-free()s in this case. Note that release_attributes_data() really should only be called once during error-exit paths. This will be fixed in a separate patch and it is good to have the exit_foo_attributes() functions modified this way regardless. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-4-hdegoede@redhat.com commit c59ab4cedab70a1a117a2dba3c48bb78e66c55ca Author: Hans de Goede Date: Sun Mar 21 12:58:56 2021 +0100 platform/x86: dell-wmi-sysman: Fix possible NULL pointer deref on exit It is possible for release_attributes_data() to get called when the main_dir_kset has not been created yet, move the removal of the bios-reset sysfs attr to under a if (main_dir_kset) check to avoid a NULL pointer deref. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Reported-by: Alexander Naumann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-3-hdegoede@redhat.com commit d939cd96b9df6dcde1605fab23bbd6307e11f930 Author: Hans de Goede Date: Sun Mar 21 12:58:55 2021 +0100 platform/x86: dell-wmi-sysman: Fix crash caused by calling kset_unregister twice On some system the WMI GUIDs used by dell-wmi-sysman are present but there are no enum type attributes, this causes init_bios_attributes() to return -ENODEV, after which sysman_init() does a "goto fail_create_group" and then calls release_attributes_data(). release_attributes_data() calls kset_unregister(wmi_priv.main_dir_kset); but before this commit it was missing a "wmi_priv.main_dir_kset = NULL;" statement; and after calling release_attributes_data() the sysman_init() error handling does this: if (wmi_priv.main_dir_kset) { kset_unregister(wmi_priv.main_dir_kset); wmi_priv.main_dir_kset = NULL; } Which causes a second kset_unregister(wmi_priv.main_dir_kset), leading to a double-free, which causes a crash. Add the missing "wmi_priv.main_dir_kset = NULL;" statement to release_attributes_data() to fix this double-free crash. Fixes: e8a60aa7404b ("platform/x86: Introduce support for Systems Management Driver over WMI for Dell Systems") Cc: Divya Bharathi Cc: Mario Limonciello Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321115901.35072-2-hdegoede@redhat.com commit ec0e8fc416f70645608c146dcf90d264b2ad6e3c Author: Hans de Goede Date: Sun Mar 21 12:31:08 2021 +0100 platform/x86: thinkpad_acpi: Disable DYTC CQL mode around switching to balanced mode Testing has shown that setting /sys/firmware/acpi/platform_profile to "balanced" when /sys/bus/platform/devices/thinkpad_acpi/dytc_lapmode reports 1, causes dytc_lapmode to get reset to 0 and then it becomes stuck at 0 for aprox. 30 minutes even if the laptop is used on a lap. Disabling CQL (when enabled) before issuing the DYTC_CMD_RESET to get back to balanced mode and re-enabling it afterwards again, like the code already does when switching to low-power / performance mode fixes this. Fixes: c3bfcd4c6762 ("platform/x86: thinkpad_acpi: Add platform profile support") Tested-by: Mark Pearson Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210321113108.7069-1-hdegoede@redhat.com commit 3d677f12ea3a2097a16ded570623567403dea959 Author: Esteve Varela Colominas Date: Mon Mar 15 20:58:24 2021 +0100 platform/x86: thinkpad_acpi: Allow the FnLock LED to change state On many recent ThinkPad laptops, there's a new LED next to the ESC key, that indicates the FnLock status. When the Fn+ESC combo is pressed, FnLock is toggled, which causes the Media Key functionality to change, making it so that the media keys either perform their media key function, or function as an F-key by default. The Fn key can be used the access the alternate function at any time. With the current linux kernel, the LED doens't change state if you press the Fn+ESC key combo. However, the media key functionality *does* change. This is annoying, since the LED will stay on if it was on during bootup, and it makes it hard to keep track what the current state of the FnLock is. This patch calls an ACPI function, that gets the current media key state, when the Fn+ESC key combo is pressed. Through testing it was discovered that this function causes the LED to update correctly to reflect the current state when this function is called. The relevant ACPI calls are the following: \_SB_.PCI0.LPC0.EC0_.HKEY.GMKS: Get media key state, returns 0x603 if the FnLock mode is enabled, and 0x602 if it's disabled. \_SB_.PCI0.LPC0.EC0_.HKEY.SMKS: Set media key state, sending a 1 will enable FnLock mode, and a 0 will disable it. Relevant discussion: https://bugzilla.kernel.org/show_bug.cgi?id=207841 https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1881015 Signed-off-by: Esteve Varela Colominas Link: https://lore.kernel.org/r/20210315195823.23212-1-esteve.varela@gmail.com Signed-off-by: Hans de Goede commit 0031275d119efe16711cd93519b595e6f9b4b330 Author: Stefan Metzmacher Date: Sat Mar 20 20:33:36 2021 +0100 io_uring: call req_set_fail_links() on short send[msg]()/recv[msg]() with MSG_WAITALL Without that it's not safe to use them in a linked combination with others. Now combinations like IORING_OP_SENDMSG followed by IORING_OP_SPLICE should be possible. We already handle short reads and writes for the following opcodes: - IORING_OP_READV - IORING_OP_READ_FIXED - IORING_OP_READ - IORING_OP_WRITEV - IORING_OP_WRITE_FIXED - IORING_OP_WRITE - IORING_OP_SPLICE - IORING_OP_TEE Now we have it for these as well: - IORING_OP_SENDMSG - IORING_OP_SEND - IORING_OP_RECVMSG - IORING_OP_RECV For IORING_OP_RECVMSG we also check for the MSG_TRUNC and MSG_CTRUNC flags in order to call req_set_fail_links(). There might be applications arround depending on the behavior that even short send[msg]()/recv[msg]() retuns continue an IOSQE_IO_LINK chain. It's very unlikely that such applications pass in MSG_WAITALL, which is only defined in 'man 2 recvmsg', but not in 'man 2 sendmsg'. It's expected that the low level sock_sendmsg() call just ignores MSG_WAITALL, as MSG_ZEROCOPY is also ignored without explicitly set SO_ZEROCOPY. We also expect the caller to know about the implicit truncation to MAX_RW_COUNT, which we don't detect. cc: netdev@vger.kernel.org Link: https://lore.kernel.org/r/c4e1a4cc0d905314f4d5dc567e65a7b09621aab3.1615908477.git.metze@samba.org Signed-off-by: Stefan Metzmacher Signed-off-by: Jens Axboe commit 00ddff431a458bbf143ea7c4c42d022676da1b17 Author: Jens Axboe Date: Sun Mar 21 07:06:56 2021 -0600 io-wq: ensure task is running before processing task_work Mark the current task as running if we need to run task_work from the io-wq threads as part of work handling. If that is the case, then return as such so that the caller can appropriately loop back and reset if it was part of a going-to-sleep flush. Fixes: 3bfe6106693b ("io-wq: fork worker threads from original task") Signed-off-by: Jens Axboe commit 4db4b1a0d1779dc159f7b87feb97030ec0b12597 Author: Eric W. Biederman Date: Sun Mar 21 09:37:48 2021 -0600 signal: don't allow STOP on PF_IO_WORKER threads Just like we don't allow normal signals to IO threads, don't deliver a STOP to a task that has PF_IO_WORKER set. The IO threads don't take signals in general, and have no means of flushing out a stop either. Longer term, we may want to look into allowing stop of these threads, as it relates to eg process freezing. For now, this prevents a spin issue if a SIGSTOP is delivered to the parent task. Reported-by: Stefan Metzmacher Signed-off-by: Jens Axboe Signed-off-by: "Eric W. Biederman" commit 5be28c8f85ce99ed2d329d2ad8bdd18ea19473a5 Author: Jens Axboe Date: Fri Mar 19 19:25:13 2021 -0600 signal: don't allow sending any signals to PF_IO_WORKER threads They don't take signals individually, and even if they share signals with the parent task, don't allow them to be delivered through the worker thread. Linux does allow this kind of behavior for regular threads, but it's really a compatability thing that we need not care about for the IO threads. Reported-by: Stefan Metzmacher Signed-off-by: Jens Axboe commit 3a85969e9d912d5dd85362ee37b5f81266e00e77 Author: Tetsuo Handa Date: Sun Mar 21 15:49:13 2021 +0900 lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message Since this message is printed when dynamically allocated spinlocks (e.g. kzalloc()) are used without initialization (e.g. spin_lock_init()), suggest