commit 9f4b26f3ea18cb2066c9e58a84ff202c71739a41 Author: Greg Kroah-Hartman Date: Tue Nov 24 13:29:24 2020 +0100 Linux 5.4.80 Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20201123121819.943135899@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit a88f08e78249f5979101684a3afd4aff5dec59e7 Author: Quentin Perret Date: Thu Nov 12 11:12:01 2020 +0000 sched/fair: Fix overutilized update in enqueue_task_fair() commit 8e1ac4299a6e8726de42310d9c1379f188140c71 upstream. enqueue_task_fair() attempts to skip the overutilized update for new tasks as their util_avg is not accurate yet. However, the flag we check to do so is overwritten earlier on in the function, which makes the condition pretty much a nop. Fix this by saving the flag early on. Fixes: 2802bf3cd936 ("sched/fair: Add over-utilization/tipping point indicator") Reported-by: Rick Yiu Signed-off-by: Quentin Perret Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Vincent Guittot Reviewed-by: Valentin Schneider Link: https://lkml.kernel.org/r/20201112111201.2081902-1-qperret@google.com Signed-off-by: Greg Kroah-Hartman commit 10ca291c774924998dadbf001bebc4ef16c096d9 Author: Charan Teja Reddy Date: Thu Aug 6 23:25:24 2020 -0700 mm, page_alloc: skip ->waternark_boost for atomic order-0 allocations commit f80b08fc44536a311a9f3182e50f318b79076425 upstream. When boosting is enabled, it is observed that rate of atomic order-0 allocation failures are high due to the fact that free levels in the system are checked with ->watermark_boost offset. This is not a problem for sleepable allocations but for atomic allocations which looks like regression. This problem is seen frequently on system setup of Android kernel running on Snapdragon hardware with 4GB RAM size. When no extfrag event occurred in the system, ->watermark_boost factor is zero, thus the watermark configurations in the system are: _watermark = ( [WMARK_MIN] = 1272, --> ~5MB [WMARK_LOW] = 9067, --> ~36MB [WMARK_HIGH] = 9385), --> ~38MB watermark_boost = 0 After launching some memory hungry applications in Android which can cause extfrag events in the system to an extent that ->watermark_boost can be set to max i.e. default boost factor makes it to 150% of high watermark. _watermark = ( [WMARK_MIN] = 1272, --> ~5MB [WMARK_LOW] = 9067, --> ~36MB [WMARK_HIGH] = 9385), --> ~38MB watermark_boost = 14077, -->~57MB With default system configuration, for an atomic order-0 allocation to succeed, having free memory of ~2MB will suffice. But boosting makes the min_wmark to ~61MB thus for an atomic order-0 allocation to be successful system should have minimum of ~23MB of free memory(from calculations of zone_watermark_ok(), min = 3/4(min/2)). But failures are observed despite system is having ~20MB of free memory. In the testing, this is reproducible as early as first 300secs since boot and with furtherlowram configurations(<2GB) it is observed as early as first 150secs since boot. These failures can be avoided by excluding the ->watermark_boost in watermark caluculations for atomic order-0 allocations. [akpm@linux-foundation.org: fix comment grammar, reflow comment] [charante@codeaurora.org: fix suggested by Mel Gorman] Link: http://lkml.kernel.org/r/31556793-57b1-1c21-1a9d-22674d9bd938@codeaurora.org Signed-off-by: Charan Teja Reddy Signed-off-by: Andrew Morton Acked-by: Vlastimil Babka Cc: Vinayak Menon Cc: Mel Gorman Link: http://lkml.kernel.org/r/1589882284-21010-1-git-send-email-charante@codeaurora.org Signed-off-by: Linus Torvalds Signed-off-by: Ralph Siemsen Signed-off-by: Greg Kroah-Hartman commit a2761473d50ba678c17cb99fd6616d0c977ec354 Author: Gerald Schaefer Date: Sat Nov 21 22:17:15 2020 -0800 mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() commit bfe8cc1db02ab243c62780f17fc57f65bde0afe1 upstream. Alexander reported a syzkaller / KASAN finding on s390, see below for complete output. In do_huge_pmd_anonymous_page(), the pre-allocated pagetable will be freed in some cases. In the case of userfaultfd_missing(), this will happen after calling handle_userfault(), which might have released the mmap_lock. Therefore, the following pte_free(vma->vm_mm, pgtable) will access an unstable vma->vm_mm, which could have been freed or re-used already. For all architectures other than s390 this will go w/o any negative impact, because pte_free() simply frees the page and ignores the passed-in mm. The implementation for SPARC32 would also access mm->page_table_lock for pte_free(), but there is no THP support in SPARC32, so the buggy code path will not be used there. For s390, the mm->context.pgtable_list is being used to maintain the 2K pagetable fragments, and operating on an already freed or even re-used mm could result in various more or less subtle bugs due to list / pagetable corruption. Fix this by calling pte_free() before handle_userfault(), similar to how it is already done in __do_huge_pmd_anonymous_page() for the WRITE / non-huge_zero_page case. Commit 6b251fc96cf2c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults") actually introduced both, the do_huge_pmd_anonymous_page() and also __do_huge_pmd_anonymous_page() changes wrt to calling handle_userfault(), but only in the latter case it put the pte_free() before calling handle_userfault(). BUG: KASAN: use-after-free in do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744 Read of size 8 at addr 00000000962d6988 by task syz-executor.0/9334 CPU: 1 PID: 9334 Comm: syz-executor.0 Not tainted 5.10.0-rc1-syzkaller-07083-g4c9720875573 #0 Hardware name: IBM 3906 M04 701 (KVM/Linux) Call Trace: do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744 create_huge_pmd mm/memory.c:4256 [inline] __handle_mm_fault+0xe6e/0x1068 mm/memory.c:4480 handle_mm_fault+0x288/0x748 mm/memory.c:4607 do_exception+0x394/0xae0 arch/s390/mm/fault.c:479 do_dat_exception+0x34/0x80 arch/s390/mm/fault.c:567 pgm_check_handler+0x1da/0x22c arch/s390/kernel/entry.S:706 copy_from_user_mvcos arch/s390/lib/uaccess.c:111 [inline] raw_copy_from_user+0x3a/0x88 arch/s390/lib/uaccess.c:174 _copy_from_user+0x48/0xa8 lib/usercopy.c:16 copy_from_user include/linux/uaccess.h:192 [inline] __do_sys_sigaltstack kernel/signal.c:4064 [inline] __s390x_sys_sigaltstack+0xc8/0x240 kernel/signal.c:4060 system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 Allocated by task 9334: slab_alloc_node mm/slub.c:2891 [inline] slab_alloc mm/slub.c:2899 [inline] kmem_cache_alloc+0x118/0x348 mm/slub.c:2904 vm_area_dup+0x9c/0x2b8 kernel/fork.c:356 __split_vma+0xba/0x560 mm/mmap.c:2742 split_vma+0xca/0x108 mm/mmap.c:2800 mlock_fixup+0x4ae/0x600 mm/mlock.c:550 apply_vma_lock_flags+0x2c6/0x398 mm/mlock.c:619 do_mlock+0x1aa/0x718 mm/mlock.c:711 __do_sys_mlock2 mm/mlock.c:738 [inline] __s390x_sys_mlock2+0x86/0xa8 mm/mlock.c:728 system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 Freed by task 9333: slab_free mm/slub.c:3142 [inline] kmem_cache_free+0x7c/0x4b8 mm/slub.c:3158 __vma_adjust+0x7b2/0x2508 mm/mmap.c:960 vma_merge+0x87e/0xce0 mm/mmap.c:1209 userfaultfd_release+0x412/0x6b8 fs/userfaultfd.c:868 __fput+0x22c/0x7a8 fs/file_table.c:281 task_work_run+0x200/0x320 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] do_notify_resume+0x100/0x148 arch/s390/kernel/signal.c:538 system_call+0xe6/0x28c arch/s390/kernel/entry.S:416 The buggy address belongs to the object at 00000000962d6948 which belongs to the cache vm_area_struct of size 200 The buggy address is located 64 bytes inside of 200-byte region [00000000962d6948, 00000000962d6a10) The buggy address belongs to the page: page:00000000313a09fe refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x962d6 flags: 0x3ffff00000000200(slab) raw: 3ffff00000000200 000040000257e080 0000000c0000000c 000000008020ba00 raw: 0000000000000000 000f001e00000000 ffffffff00000001 0000000096959501 page dumped because: kasan: bad access detected page->mem_cgroup:0000000096959501 Memory state around the buggy address: 00000000962d6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000000962d6900: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb >00000000962d6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 00000000962d6a00: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00000000962d6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Fixes: 6b251fc96cf2c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults") Reported-by: Alexander Egorenkov Signed-off-by: Gerald Schaefer Signed-off-by: Andrew Morton Cc: Andrea Arcangeli Cc: Heiko Carstens Cc: [4.3+] Link: https://lkml.kernel.org/r/20201110190329.11920-1-gerald.schaefer@linux.ibm.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 173e3732230779437e07348ddc58bd7ca27ac0ba Author: Muchun Song Date: Sat Nov 21 22:17:12 2020 -0800 mm: memcg/slab: fix root memcg vmstats commit 8faeb1ffd79593c9cd8a2a80ecdda371e3b826cb upstream. If we reparent the slab objects to the root memcg, when we free the slab object, we need to update the per-memcg vmstats to keep it correct for the root memcg. Now this at least affects the vmstat of NR_KERNEL_STACK_KB for !CONFIG_VMAP_STACK when the thread stack size is smaller than the PAGE_SIZE. David said: "I assume that without this fix that the root memcg's vmstat would always be inflated if we reparented" Fixes: ec9f02384f60 ("mm: workingset: fix vmstat counters for shadow nodes") Signed-off-by: Muchun Song Signed-off-by: Andrew Morton Reviewed-by: Shakeel Butt Acked-by: Roman Gushchin Acked-by: Johannes Weiner Acked-by: David Rientjes Cc: Michal Hocko Cc: Vladimir Davydov Cc: Christopher Lameter Cc: Pekka Enberg Cc: Joonsoo Kim Cc: Roman Gushchin Cc: Vlastimil Babka Cc: Yafang Shao Cc: Chris Down Cc: [5.3+] Link: https://lkml.kernel.org/r/20201110031015.15715-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fc82fd7f7df97beb96c2ae342b3f9613f223d7cb Author: Chen Yu Date: Fri Nov 13 09:59:23 2020 +0800 x86/microcode/intel: Check patch signature before saving microcode for early loading commit 1a371e67dc77125736cc56d3a0893f06b75855b6 upstream. Currently, scan_microcode() leverages microcode_matches() to check if the microcode matches the CPU by comparing the family and model. However, the processor stepping and flags of the microcode signature should also be considered when saving a microcode patch for early update. Use find_matching_signature() in scan_microcode() and get rid of the now-unused microcode_matches() which is a good cleanup in itself. Complete the verification of the patch being saved for early loading in save_microcode_patch() directly. This needs to be done there too because save_mc_for_early() will call save_microcode_patch() too. The second reason why this needs to be done is because the loader still tries to support, at least hypothetically, mixed-steppings systems and thus adds all patches to the cache that belong to the same CPU model albeit with different steppings. For example: microcode: CPU: sig=0x906ec, pf=0x2, rev=0xd6 microcode: mc_saved[0]: sig=0x906e9, pf=0x2a, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[1]: sig=0x906ea, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[2]: sig=0x906eb, pf=0x2, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[3]: sig=0x906ec, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[4]: sig=0x906ed, pf=0x22, rev=0xd6, total size=0x19400, date = 2020-04-23 The patch which is being saved for early loading, however, can only be the one which fits the CPU this runs on so do the signature verification before saving. [ bp: Do signature verification in save_microcode_patch() and rewrite commit message. ] Fixes: ec400ddeff20 ("x86/microcode_intel_early.c: Early update ucode on Intel's CPU") Signed-off-by: Chen Yu Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=208535 Link: https://lkml.kernel.org/r/20201113015923.13960-1-yu.c.chen@intel.com Signed-off-by: Greg Kroah-Hartman commit 09652ebd0dc1a4fd0069410261eea55bd8f6df6c Author: Mickaël Salaün Date: Fri Oct 30 13:38:49 2020 +0100 seccomp: Set PF_SUPERPRIV when checking capability commit fb14528e443646dd3fd02df4437fcf5265b66baa upstream. Replace the use of security_capable(current_cred(), ...) with ns_capable_noaudit() which set PF_SUPERPRIV. Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a new ns_capable_noaudit() helper is available. Let's use it! Cc: Jann Horn Cc: Kees Cook Cc: Tyler Hicks Cc: Will Drewry Cc: stable@vger.kernel.org Fixes: e2cfabdfd075 ("seccomp: add system call filtering using BPF") Signed-off-by: Mickaël Salaün Reviewed-by: Jann Horn Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201030123849.770769-3-mic@digikod.net Signed-off-by: Greg Kroah-Hartman commit fa9ccc177754a608f93bc9ca972f96da8850233f Author: Mickaël Salaün Date: Fri Oct 30 13:38:48 2020 +0100 ptrace: Set PF_SUPERPRIV when checking capability commit cf23705244c947151179f929774fabf71e239eee upstream. Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") replaced the use of ns_capable() with has_ns_capability{,_noaudit}() which doesn't set PF_SUPERPRIV. Commit 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()") replaced has_ns_capability{,_noaudit}() with security_capable(), which doesn't set PF_SUPERPRIV neither. Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a new ns_capable_noaudit() helper is available. Let's use it! As a result, the signature of ptrace_has_cap() is restored to its original one. Cc: Christian Brauner Cc: Eric Paris Cc: Jann Horn Cc: Kees Cook Cc: Oleg Nesterov Cc: Serge E. Hallyn Cc: Tyler Hicks Cc: stable@vger.kernel.org Fixes: 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()") Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Mickaël Salaün Reviewed-by: Jann Horn Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201030123849.770769-2-mic@digikod.net Signed-off-by: Greg Kroah-Hartman commit d51481382c74c5825e285b8bfda97283e3c10704 Author: Adrian Hunter Date: Thu Nov 12 15:36:56 2020 +0200 mmc: sdhci-pci: Prefer SDR25 timing for High Speed mode for BYT-based Intel controllers commit 60d53566100abde4acc5504b524bc97f89015690 upstream. A UHS setting of SDR25 can give better results for High Speed mode. This is because there is no setting corresponding to high speed. Currently SDHCI sets no value, which means zero which is also the setting for SDR12. There was an attempt to change this in sdhci.c but it caused problems for some drivers, so it was reverted and the change was made to sdhci-brcmstb in commit 2fefc7c5f7d16e ("mmc: sdhci-brcmstb: Fix incorrect switch to HS mode"). Several other drivers also do this. Signed-off-by: Adrian Hunter Cc: stable@vger.kernel.org # v5.4+ Link: https://lore.kernel.org/r/20201112133656.20317-1-adrian.hunter@intel.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 5b738014dadcae44e8e5f803ebe1d23e6519cc08 Author: Ville Syrjälä Date: Tue Nov 10 23:04:47 2020 +0200 drm/i915: Handle max_bpc==16 commit d2e3fce9ddafe689c6f7cb355f23560637e30b9d upstream. EDID can declare the maximum supported bpc up to 16, and apparently there are displays that do so. Currently we assume 12 bpc is tha max. Fix the assumption and toss in a MISSING_CASE() for any other value we don't expect to see. This fixes modesets with a display with EDID max bpc > 12. Previously any modeset would just silently fail on platforms that didn't otherwise limit this via the max_bpc property. In particular we don't add the max_bpc property to HDMI ports on gmch platforms, and thus we would see the raw max_bpc coming from the EDID. I suppose we could already adjust this to also allow 16bpc, but seeing as no current platform supports that there is little point. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2632 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20201110210447.27454-1-ville.syrjala@linux.intel.com Reviewed-by: José Roberto de Souza (cherry picked from commit 2ca5a7b85b0c2b97ef08afbd7799b022e29f192e) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit 51cc709ed961887d1167beab92d5a932ec466a78 Author: Alex Deucher Date: Fri Nov 13 02:21:19 2020 -0500 drm/amd/display: Add missing pflip irq for dcn2.0 commit 728321e53045d2668bf2b8627a8d61bc2c480d3b upstream. If we have more than 4 displays we will run into dummy irq calls or flip timout issues. Reviewed-by: Nicholas Kazlauskas Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 1c1add911fd9dcddb33c2678a32ed1d9c077f022 Author: Chris Co Date: Tue Nov 10 19:01:18 2020 +0000 Drivers: hv: vmbus: Allow cleanup of VMBUS_CONNECT_CPU if disconnected commit 92e4dc8b05663d6539b1b8375f3b1cf7b204cfe9 upstream. When invoking kexec() on a Linux guest running on a Hyper-V host, the kernel panics. RIP: 0010:cpuhp_issue_call+0x137/0x140 Call Trace: __cpuhp_remove_state_cpuslocked+0x99/0x100 __cpuhp_remove_state+0x1c/0x30 hv_kexec_handler+0x23/0x30 [hv_vmbus] hv_machine_shutdown+0x1e/0x30 machine_shutdown+0x10/0x20 kernel_kexec+0x6d/0x96 __do_sys_reboot+0x1ef/0x230 __x64_sys_reboot+0x1d/0x20 do_syscall_64+0x6b/0x3d8 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This was due to hv_synic_cleanup() callback returning -EBUSY to cpuhp_issue_call() when tearing down the VMBUS_CONNECT_CPU, even if the vmbus_connection.conn_state = DISCONNECTED. hv_synic_cleanup() should succeed in the case where vmbus_connection.conn_state is DISCONNECTED. Fix is to add an extra condition to test for vmbus_connection.conn_state == CONNECTED on the VMBUS_CONNECT_CPU and only return early if true. This way the kexec() path can still shut everything down while preserving the initial behavior of preventing CPU offlining on the VMBUS_CONNECT_CPU while the VM is running. Fixes: 8a857c55420f29 ("Drivers: hv: vmbus: Always handle the VMBus messages on CPU0") Signed-off-by: Chris Co Reviewed-by: Andrea Parri (Microsoft) Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201110190118.15596-1-chrco@linux.microsoft.com Signed-off-by: Wei Liu Signed-off-by: Greg Kroah-Hartman commit 7411c05a6eea2799fb3c009846f19caedda5c14f Author: Stefan Haberland Date: Mon Nov 16 16:23:47 2020 +0100 s390/dasd: fix null pointer dereference for ERP requests commit 6f117cb854a44a79898d844e6ae3fd23bd94e786 upstream. When requeueing all requests on the device request queue to the blocklayer we might get to an ERP (error recovery) request that is a copy of an original CQR. Those requests do not have blocklayer request information or a pointer to the dasd_queue set. When trying to access those data it will lead to a null pointer dereference in dasd_requeue_all_requests(). Fix by checking if the request is an ERP request that can simply be ignored. The blocklayer request will be requeued by the original CQR that is on the device queue right behind the ERP request. Fixes: 9487cfd3430d ("s390/dasd: fix handling of internal requests") Cc: #4.16 Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e6e76a26fdc8d1c0da94327265da28a297b22c29 Author: Thomas Richter Date: Wed Nov 11 16:26:25 2020 +0100 s390/cpum_sf.c: fix file permission for cpum_sfb_size commit 78d732e1f326f74f240d416af9484928303d9951 upstream. This file is installed by the s390 CPU Measurement sampling facility device driver to export supported minimum and maximum sample buffer sizes. This file is read by lscpumf tool to display the details of the device driver capabilities. The lscpumf tool might be invoked by a non-root user. In this case it does not print anything because the file contents can not be read. Fix this by allowing read access for all users. Reading the file contents is ok, changing the file contents is left to the root user only. For further reference and details see: [1] https://github.com/ibm-s390-tools/s390-tools/issues/97 Fixes: 69f239ed335a ("s390/cpum_sf: Dynamically extend the sampling buffer if overflows occur") Cc: # 3.14 Signed-off-by: Thomas Richter Acked-by: Sumanth Korikkar Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 89d73a97af5cc4ad5c031ff3fd3c624c52f3eeb8 Author: Johannes Berg Date: Thu Nov 12 11:22:04 2020 +0100 mac80211: free sta in sta_info_insert_finish() on errors commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream. If sta_info_insert_finish() fails, we currently keep the station around and free it only in the caller, but there's only one such caller and it always frees it immediately. As syzbot found, another consequence of this split is that we can put things that sleep only into __cleanup_single_sta() and not in sta_info_free(), but this is the only place that requires such of sta_info_free() now. Change this to free the station in sta_info_insert_finish(), in which case we can still sleep. This will also let us unify the cleanup code later. Cc: stable@vger.kernel.org Fixes: dcd479e10a05 ("mac80211: always wind down STA state") Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 945c10ad59ca69af05523a64fc2274e611964a0f Author: Felix Fietkau Date: Wed Nov 11 19:33:59 2020 +0100 mac80211: minstrel: fix tx status processing corner case commit b2911a84396f72149dce310a3b64d8948212c1b3 upstream. Some drivers fill the status rate list without setting the rate index after the final rate to -1. minstrel_ht already deals with this, but minstrel doesn't, which causes it to get stuck at the lowest rate on these drivers. Fix this by checking the count as well. Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20201111183359.43528-3-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 336c331ef01e531cb4f50719b2c6b98f3a321cf2 Author: Felix Fietkau Date: Wed Nov 11 19:33:58 2020 +0100 mac80211: minstrel: remove deferred sampling code commit 4fe40b8e1566dad04c87fbf299049a1d0d4bd58d upstream. Deferring sampling attempts to the second stage has some bad interactions with drivers that process the rate table in hardware and use the probe flag to indicate probing packets (e.g. most mt76 drivers). On affected drivers it can lead to probing not working at all. If the link conditions turn worse, it might not be such a good idea to do a lot of sampling for lower rates in this case. Fix this by simply skipping the sample attempt instead of deferring it, but keep the checks that would allow it to be sampled if it was skipped too often, but only if it has less than 95% success probability. Also ensure that IEEE80211_TX_CTL_RATE_CTRL_PROBE is set for all probing packets. Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20201111183359.43528-2-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 713f903dc4b5a4ba6f7eea1d4165d3153db34f10 Author: Max Filippov Date: Mon Nov 16 01:38:59 2020 -0800 xtensa: disable preemption around cache alias management calls commit 3a860d165eb5f4d7cf0bf81ef6a5b5c5e1754422 upstream. Although cache alias management calls set up and tear down TLB entries and fast_second_level_miss is able to restore TLB entry should it be evicted they absolutely cannot preempt each other because they use the same TLBTEMP area for different purposes. Disable preemption around all cache alias management calls to enforce that. Cc: stable@vger.kernel.org Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman commit 747467f3625be51cbc08a06dae2112a25f290cd9 Author: Max Filippov Date: Mon Nov 16 01:25:56 2020 -0800 xtensa: fix TLBTEMP area placement commit 481535c5b41d191b22775a6873de5ec0e1cdced1 upstream. fast_second_level_miss handler for the TLBTEMP area has an assumption that page table directory entry for the TLBTEMP address range is 0. For it to be true the TLBTEMP area must be aligned to 4MB boundary and not share its 4MB region with anything that may use a page table. This is not true currently: TLBTEMP shares space with vmalloc space which results in the following kinds of runtime errors when fast_second_level_miss loads page table directory entry for the vmalloc space instead of fixing up the TLBTEMP area: Unable to handle kernel paging request at virtual address c7ff0e00 pc = d0009275, ra = 90009478 Oops: sig: 9 [#1] PREEMPT CPU: 1 PID: 61 Comm: kworker/u9:2 Not tainted 5.10.0-rc3-next-20201110-00007-g1fe4962fa983-dirty #58 Workqueue: xprtiod xs_stream_data_receive_workfn a00: 90009478 d11e1dc0 c7ff0e00 00000020 c7ff0000 00000001 7f8b8107 00000000 a08: 900c5992 d11e1d90 d0cc88b8 5506e97c 00000000 5506e97c d06c8074 d11e1d90 pc: d0009275, ps: 00060310, depc: 00000014, excvaddr: c7ff0e00 lbeg: d0009275, lend: d0009287 lcount: 00000003, sar: 00000010 Call Trace: xs_stream_data_receive_workfn+0x43c/0x770 process_one_work+0x1a1/0x324 worker_thread+0x1cc/0x3c0 kthread+0x10d/0x124 ret_from_kernel_thread+0xc/0x18 Cc: stable@vger.kernel.org Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman commit e7ea18de9bb3a10a2810763e8cb787e8d737f79c Author: Michał Mirosław Date: Fri Nov 13 01:20:28 2020 +0100 regulator: workaround self-referent regulators commit f5c042b23f7429e5c2ac987b01a31c69059a978b upstream. Workaround regulators whose supply name happens to be the same as its own name. This fixes boards that used to work before the early supply resolving was removed. The error message is left in place so that offending drivers can be detected. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Reported-by: Ahmad Fatoum Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/d703acde2a93100c3c7a81059d716c50ad1b1f52.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0d233d5766eb794e3c8e2fb5853d0685fd89eafa Author: Michał Mirosław Date: Fri Nov 13 01:20:28 2020 +0100 regulator: avoid resolve_supply() infinite recursion commit 4b639e254d3d4f15ee4ff2b890a447204cfbeea9 upstream. When a regulator's name equals its supply's name the regulator_resolve_supply() recurses indefinitely. Add a check so that debugging the problem is easier. The "fixed" commit just exposed the problem. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Reported-by: Ahmad Fatoum Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/c6171057cfc0896f950c4d8cb82df0f9f1b89ad9.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 65205dfe78ff12635ac40b2f9e0c360dd5576f9a Author: Michał Mirosław Date: Fri Nov 13 01:20:27 2020 +0100 regulator: fix memory leak with repeated set_machine_constraints() commit 57a6ad482af256b2a13de14194fb8f67c1a65f10 upstream. Fixed commit introduced a possible second call to set_machine_constraints() and that allocates memory for rdev->constraints. Move the allocation to the caller so it's easier to manage and done once. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/78c3d4016cebc08d441aad18cb924b4e4d9cf9df.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4cab55d659745ba5ae959e3bff7bae7e20927011 Author: Sean Nyekjaer Date: Tue Nov 10 18:41:13 2020 +0100 regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200} commit 365ec8b61689bd64d6a61e129e0319bf71336407 upstream. Limit the fsl,pfuze-support-disable-sw to the pfuze100 and pfuze200 variants. When enabling fsl,pfuze-support-disable-sw and using a pfuze3000 or pfuze3001, the driver would choose pfuze100_sw_disable_regulator_ops instead of the newly introduced and correct pfuze3000_sw_regulator_ops. Signed-off-by: Sean Nyekjaer Fixes: 6f1cf5257acc ("regualtor: pfuze100: correct sw1a/sw2 on pfuze3000") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201110174113.2066534-1-sean@geanix.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 53a9502d9a69f26a3e0899164514e70564052a03 Author: Lukas Wunner Date: Wed Nov 11 20:07:30 2020 +0100 spi: bcm2835aux: Fix use-after-free on unbind commit e13ee6cc4781edaf8c7321bee19217e3702ed481 upstream. bcm2835aux_spi_remove() accesses the driver's private data after calling spi_unregister_master() even though that function releases the last reference on the spi_master and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: b9dd3f6d4172 ("spi: bcm2835aux: Fix controller unregister order") Signed-off-by: Lukas Wunner Cc: # v4.4+: 123456789abc: spi: Introduce device-managed SPI controller allocation Cc: # v4.4+: b9dd3f6d4172: spi: bcm2835aux: Fix controller unregister order Cc: # v4.4+ Link: https://lore.kernel.org/r/b290b06357d0c0bdee9cecc539b840a90630f101.1605121038.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 2737549129ec16c90c5a4fd4191015adfc0781cf Author: Lukas Wunner Date: Mon Nov 16 09:23:10 2020 +0100 spi: npcm-fiu: Don't leak SPI master in probe error path commit 04a9cd51d3f3308a98cbc6adc07acb12fbade011 upstream. If the calls to of_match_device(), of_alias_get_id(), devm_ioremap_resource(), devm_regmap_init_mmio() or devm_clk_get() fail on probe of the NPCM FIU SPI driver, the spi_controller struct is erroneously not freed. Fix by switching over to the new devm_spi_alloc_master() helper. Fixes: ace55c411b11 ("spi: npcm-fiu: add NPCM FIU controller driver") Signed-off-by: Lukas Wunner Cc: # v5.4+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation Cc: # v5.4+ Cc: Tomer Maimon Link: https://lore.kernel.org/r/a420c23a363a3bc9aa684c6e790c32a8af106d17.1605512876.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 3e04a4976addbedcad326f47b0dd4efc570a1fac Author: Lukas Wunner Date: Wed Nov 11 20:07:10 2020 +0100 spi: Introduce device-managed SPI controller allocation commit 5e844cc37a5cbaa460e68f9a989d321d63088a89 upstream. SPI driver probing currently comprises two steps, whereas removal comprises only one step: spi_alloc_master() spi_register_controller() spi_unregister_controller() That's because spi_unregister_controller() calls device_unregister() instead of device_del(), thereby releasing the reference on the spi_controller which was obtained by spi_alloc_master(). An SPI driver's private data is contained in the same memory allocation as the spi_controller struct. Thus, once spi_unregister_controller() has been called, the private data is inaccessible. But some drivers need to access it after spi_unregister_controller() to perform further teardown steps. Introduce devm_spi_alloc_master() and devm_spi_alloc_slave(), which release a reference on the spi_controller struct only after the driver has unbound, thereby keeping the memory allocation accessible. Change spi_unregister_controller() to not release a reference if the spi_controller was allocated by one of these new devm functions. The present commit is small enough to be backportable to stable. It allows fixing drivers which use the private data in their ->remove() hook after it's been freed. It also allows fixing drivers which neglect to release a reference on the spi_controller in the probe error path. Long-term, most SPI drivers shall be moved over to the devm functions introduced herein. The few that can't shall be changed in a treewide commit to explicitly release the last reference on the controller. That commit shall amend spi_unregister_controller() to no longer release a reference, thereby completing the migration. As a result, the behaviour will be less surprising and more consistent with subsystems such as IIO, which also includes the private data in the allocation of the generic iio_dev struct, but calls device_del() in iio_device_unregister(). Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/272bae2ef08abd21388c98e23729886663d19192.1605121038.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 11bb6ae21c8117642d4c8615407b3181e0cb9241 Author: Lukas Wunner Date: Sun Nov 8 23:41:00 2020 +0100 spi: lpspi: Fix use-after-free on unbind commit 4def49da620c84a682d9361d6bef0a97eed46fe0 upstream. Normally the last reference on an spi_controller is released by spi_unregister_controller(). In the case of the i.MX lpspi driver, the spi_controller is registered with devm_spi_register_controller(), so spi_unregister_controller() is invoked automatically after the driver has unbound. However the driver already releases the last reference in fsl_lpspi_remove() through a gratuitous call to spi_master_put(), causing a use-after-free when spi_unregister_controller() is subsequently invoked by the devres framework. Fix by dropping the superfluous spi_master_put(). Fixes: 944c01a889d9 ("spi: lpspi: enable runtime pm for lpspi") Signed-off-by: Lukas Wunner Cc: # v5.2+ Cc: Han Xu Link: https://lore.kernel.org/r/ab3c0b18bd820501a12c85e440006e09ec0e275f.1604874488.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 760d4e3ee879f7a9bf0421ce2ffa6f7484ed18e2 Author: Fabien Parent Date: Sun Oct 18 21:46:44 2020 +0200 iio: adc: mediatek: fix unset field commit 15207a92e019803d62687455d8aa2ff9eb3dc82c upstream. dev_comp field is used in a couple of places but it is never set. This results in kernel oops when dereferencing a NULL pointer. Set the `dev_comp` field correctly in the probe function. Fixes: 6d97024dce23 ("iio: adc: mediatek: mt6577-auxadc, add mt6765 support") Signed-off-by: Fabien Parent Reviewed-by: Matthias Brugger Cc: Link: https://lore.kernel.org/r/20201018194644.3366846-1-fparent@baylibre.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit d3e27c62334ebce9d9efa6aea6252d6c432c9af0 Author: Hans de Goede Date: Tue Nov 10 14:38:35 2020 +0100 iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode commit e5b1032a656e9aa4c7a4df77cb9156a2a651a5f9 upstream. Some 360 degree hinges (yoga) style 2-in-1 devices use 2 KXCJ91008-s to allow the OS to determine the angle between the display and the base of the device, so that the OS can determine if the 2-in-1 is in laptop or in tablet-mode. On Windows both accelerometers are read by a special HingeAngleService process; and this process calls a DSM (Device Specific Method) on the ACPI KIOX010A device node for the sensor in the display, to let the embedded-controller (EC) know about the mode so that it can disable the kbd and touchpad to avoid spurious input while folded into tablet-mode. This notifying of the EC is problematic because sometimes the EC comes up thinking that device is in tablet-mode and the kbd and touchpad do not work. This happens for example on Irbis NB111 devices after a suspend / resume cycle (after a complete battery drain / hard reset without having booted Windows at least once). Other 2-in-1s which are likely affected too are e.g. the Teclast F5 and F6 series. The kxcjk-1013 driver may seem like a strange place to deal with this, but since it is *the* driver for the ACPI KIOX010A device, it is also the driver which has access to the ACPI handle needed by the DSM. Add support for calling the DSM and on probe unconditionally tell the EC that the device is laptop mode, fixing the kbd and touchpad sometimes not working. Fixes: 7f6232e69539 ("iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID") Reported-and-tested-by: russianneuromancer Signed-off-by: Hans de Goede Cc: Link: https://lore.kernel.org/r/20201110133835.129080-3-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 9f99cc38cf1a206b3f07e2087f4e11d081e2aa27 Author: Hans de Goede Date: Tue Nov 10 14:38:34 2020 +0100 iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum commit 11e94f28c3de35d5ad1ac6a242a5b30f4378991a upstream. Replace the boolean is_smo8500_device variable with an acpi_type enum. For now this can be either ACPI_GENERIC or ACPI_SMO8500, this is a preparation patch for adding special handling for the KIOX010A ACPI HID, which will add a ACPI_KIOX010A acpi_type to the introduced enum. For stable as needed as precursor for next patch. Signed-off-by: Hans de Goede Fixes: 7f6232e69539 ("iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID") Cc: Link: https://lore.kernel.org/r/20201110133835.129080-2-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 308a06ac9fb8f0010a350b42739afbcaf8399fef Author: Jan Kara Date: Wed Nov 18 16:30:32 2020 +0100 ext4: fix bogus warning in ext4_update_dx_flag() commit f902b216501094495ff75834035656e8119c537f upstream. The idea of the warning in ext4_update_dx_flag() is that we should warn when we are clearing EXT4_INODE_INDEX on a filesystem with metadata checksums enabled since after clearing the flag, checksums for internal htree nodes will become invalid. So there's no need to warn (or actually do anything) when EXT4_INODE_INDEX is not set. Link: https://lore.kernel.org/r/20201118153032.17281-1-jack@suse.cz Fixes: 48a34311953d ("ext4: fix checksum errors with indexed dirs") Reported-by: Eric Biggers Reviewed-by: Eric Biggers Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit 7f76c608135e5f288db460235faee11ff378bb9a Author: Necip Fazil Yildiran Date: Tue Nov 3 01:35:24 2020 +0300 iio: light: fix kconfig dependency bug for VCNL4035 commit 44a146a44f656fc03d368c1b9248d29a128cd053 upstream. When VCNL4035 is enabled and IIO_BUFFER is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for IIO_TRIGGERED_BUFFER Depends on [n]: IIO [=y] && IIO_BUFFER [=n] Selected by [y]: - VCNL4035 [=y] && IIO [=y] && I2C [=y] The reason is that VCNL4035 selects IIO_TRIGGERED_BUFFER without depending on or selecting IIO_BUFFER while IIO_TRIGGERED_BUFFER depends on IIO_BUFFER. This can also fail building the kernel. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Fixes: 55707294c4eb ("iio: light: Add support for vishay vcnl4035") Signed-off-by: Necip Fazil Yildiran Link: https://bugzilla.kernel.org/show_bug.cgi?id=209883 Link: https://lore.kernel.org/r/20201102223523.572461-1-fazilyildiran@gmail.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 2ba693eea3182090ef4e9217358f2c52bb6eb303 Author: Brian O'Keefe Date: Fri Nov 6 10:10:34 2020 -0500 staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids commit aee9dccc5b64e878cf1b18207436e73f66d74157 upstream. Add 024c:0627 to the list of SDIO device-ids, based on hardware found in the wild. This hardware exists on at least some Acer SW1-011 tablets. Signed-off-by: Brian O'Keefe Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/b9e1523f-2ba7-fb82-646a-37f095b4440e@alum.wpi.edu Cc: stable Signed-off-by: Greg Kroah-Hartman commit f59ef9ec20acde4830a6ed408f3f7f0203a5df5d Author: Vamshi K Sthambamkadi Date: Fri Oct 23 17:24:39 2020 +0530 efivarfs: fix memory leak in efivarfs_create() commit fe5186cf12e30facfe261e9be6c7904a170bd822 upstream. kmemleak report: unreferenced object 0xffff9b8915fcb000 (size 4096): comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s) hex dump (first 32 bytes): 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0 [<000000007d1dfa72>] efivarfs_create+0x6e/0x1a0 [<00000000e6ee18fc>] path_openat+0xe4b/0x1120 [<000000000ad0414f>] do_filp_open+0x91/0x100 [<00000000ce93a198>] do_sys_openat2+0x20c/0x2d0 [<000000002a91be6d>] do_sys_open+0x46/0x80 [<000000000a854999>] __x64_sys_openat+0x20/0x30 [<00000000c50d89c9>] do_syscall_64+0x38/0x90 [<00000000cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 In efivarfs_create(), inode->i_private is setup with efivar_entry object which is never freed. Cc: Signed-off-by: Vamshi K Sthambamkadi Link: https://lore.kernel.org/r/20201023115429.GA2479@cosmos Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman commit d73d0106e354a2612dcd0ef42fe7fe3b6eb0eee4 Author: Hans de Goede Date: Sat Nov 14 10:45:31 2020 +0100 HID: logitech-dj: Fix an error in mse_bluetooth_descriptor commit eec231e060fb79923c349f6e89f022b286f32c1e upstream. Fix an error in the mouse / INPUT(2) descriptor used for quad/bt2.0 combo receivers. Replace INPUT with INPUT (Data,Var,Abs) for the field for the 4 extra buttons which share their report-byte with the low-res hwheel. This is likely a copy and paste error. I've verified that the new 0x81, 0x02 value matches both the mouse descriptor for the currently supported MX5000 / MX5500 receivers, as well as the INPUT(2) mouse descriptors for the Dinovo receivers for which support is being worked on. Cc: stable@vger.kernel.org Fixes: f2113c3020ef ("HID: logitech-dj: add support for Logitech Bluetooth Mini-Receiver") Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 772ff2c77cce7a84f3dc69d5dcb848cb02227352 Author: Fugang Duan Date: Wed Nov 11 10:51:36 2020 +0800 tty: serial: imx: keep console clocks always on commit e67c139c488e84e7eae6c333231e791f0e89b3fb upstream. For below code, there has chance to cause deadlock in SMP system: Thread 1: clk_enable_lock(); pr_info("debug message"); clk_enable_unlock(); Thread 2: imx_uart_console_write() clk_enable() clk_enable_lock(); Thread 1: Acuired clk enable_lock -> printk -> console_trylock_spinning Thread 2: console_unlock() -> imx_uart_console_write -> clk_disable -> Acquite clk enable_lock So the patch is to keep console port clocks always on like other console drivers. Fixes: 1cf93e0d5488 ("serial: imx: remove the uart_console() check") Acked-by: Uwe Kleine-König Signed-off-by: Fugang Duan Link: https://lore.kernel.org/r/20201111025136.29818-1-fugang.duan@nxp.com Cc: stable [fix up build warning - gregkh] Signed-off-by: Greg Kroah-Hartman commit 663f70f1f5e733867a7f8cf7afef73abebd9576d Author: Sam Nobs Date: Tue Nov 10 09:50:06 2020 +1300 tty: serial: imx: fix potential deadlock commit 33f16855dcb973f745c51882d0e286601ff3be2b upstream. Enabling the lock dependency validator has revealed that the way spinlocks are used in the IMX serial port could result in a deadlock. Specifically, imx_uart_int() acquires a spinlock without disabling the interrupts, meaning that another interrupt could come along and try to acquire the same spinlock, potentially causing the two to wait for each other indefinitely. Use spin_lock_irqsave() instead to disable interrupts upon acquisition of the spinlock. Fixes: c974991d2620 ("tty:serial:imx: use spin_lock instead of spin_lock_irqsave in isr") Reviewed-by: Uwe Kleine-König Signed-off-by: Sam Nobs Link: https://lore.kernel.org/r/1604955006-9363-1-git-send-email-samuel.nobs@taitradio.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit a3ac3d213572a530cd35e1f1a70406abb5cdbbbd Author: PeiSen Hou Date: Wed Nov 11 08:58:59 2020 +0100 ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220) commit b5acfe152abaa2721c9ca8aa67f941d7de55d24e upstream. Fix "use as headset mic, without its own jack detect" problem. [ Minor coding style fixes by tiwai ] Signed-off-by: PeiSen Hou Cc: Link: https://lore.kernel.org/r/481963e4a5694ff19f27ae1e283d79ad@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 659f6731bcf487eb40e6a7e36453b7c669946d1e Author: Kailang Yang Date: Mon Nov 2 15:00:12 2020 +0800 ALSA: hda/realtek - Add supported for Lenovo ThinkPad Headset Button commit 446b8185f0c39ac3faadbcd8ac156c50f2fd4ffe upstream. Add supported for Lenovo ThinkPad Headset Button. Thinkpad P1 Gen 3 (0x22c1) Thinkpad X1 Extreme Gen 3 (0x22c2) Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/f39b11d00340408ca2ed2df9b4fc2a09@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c70c1b93f3d1d2659826f12b8dd6c1ea3b365492 Author: Takashi Iwai Date: Thu Nov 19 13:14:40 2020 +0100 ALSA: mixart: Fix mutex deadlock commit d21b96c8ed2aea7e6b7bf4735e1d2503cfbf4072 upstream. The code change for switching to non-atomic mode brought the unexpected mutex deadlock in get_msg(). It converted the spinlock with the existing mutex, but there were calls with the already holding the mutex. Since the only place that needs the extra lock is the code path from snd_mixart_send_msg(), remove the mutex lock in get_msg() and apply in the caller side for fixing the mutex deadlock. Fixes: 8d3a8b5cb57d ("ALSA: mixart: Use nonatomic PCM ops") Reported-by: Dan Carpenter Cc: Link: https://lore.kernel.org/r/20201119121440.18945-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b9a69e5d0b372c13d80f55c7373cc5d3e365f9ed Author: Takashi Sakamoto Date: Fri Nov 13 18:20:43 2020 +0900 ALSA: ctl: fix error path at adding user-defined element set commit 95a793c3bc75cf888e0e641d656e7d080f487d8b upstream. When processing request to add/replace user-defined element set, check of given element identifier and decision of numeric identifier is done in "__snd_ctl_add_replace()" helper function. When the result of check is wrong, the helper function returns error code. The error code shall be returned to userspace application. Current implementation includes bug to return zero to userspace application regardless of the result. This commit fixes the bug. Cc: Fixes: e1a7bfe38079 ("ALSA: control: Fix race between adding and removing a user element") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20201113092043.16148-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 16a5e3748d86376e0e2acb94021989ca9c7c897a Author: Joakim Tjernlund Date: Tue Nov 17 13:28:03 2020 +0100 ALSA: usb-audio: Add delay quirk for all Logitech USB devices commit 54a2a3898f469a915510038fe84ef4f083131d3e upstream. Found one more Logitech device, BCC950 ConferenceCam, which needs the same delay here. This makes 3 out of 3 devices I have tried. Therefore, add a delay for all Logitech devices as it does not hurt. Signed-off-by: Joakim Tjernlund Cc: # 4.19.y, 5.4.y Link: https://lore.kernel.org/r/20201117122803.24310-1-joakim.tjernlund@infinera.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 090ac65f8c7c5b10dac841a94eccad7c5963eecf Author: Dan Carpenter Date: Fri Nov 13 13:12:41 2020 +0300 ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() commit 02a9c6ee4183af2e438454c55098b828a96085fb upstream. The spin_lock/unlock_irq() functions cannot be nested. The problem is that presumably we would want the IRQs to be re-enabled on the second call the spin_unlock_irq() but instead it will be enabled at the first call so IRQs will be enabled earlier than expected. In this situation the copy_resp_to_buf() function is only called from one function and it is called with IRQs disabled. We can just use the regular spin_lock/unlock() functions. Fixes: 555e8a8f7f14 ("ALSA: fireworks: Add command/response functionality into hwdep interface") Signed-off-by: Dan Carpenter Acked-by: Takashi Sakamoto Cc: Link: https://lore.kernel.org/r/20201113101241.GB168908@mwanda Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3b78db264675e47ad3cf9c1e809e85d02fe1de90 Author: Samuel Thibault Date: Tue Nov 10 19:35:41 2020 +0100 speakup: Do not let the line discipline be used several times commit d4122754442799187d5d537a9c039a49a67e57f1 upstream. Speakup has only one speakup_tty variable to store the tty it is managing. This makes sense since its codebase currently assumes that there is only one user who controls the screen reading. That however means that we have to forbid using the line discipline several times, otherwise the second closure would try to free a NULL ldisc_data, leading to general protection fault: 0000 [#1] SMP KASAN PTI RIP: 0010:spk_ttyio_ldisc_close+0x2c/0x60 Call Trace: tty_ldisc_release+0xa2/0x340 tty_release_struct+0x17/0xd0 tty_release+0x9d9/0xcc0 __fput+0x231/0x740 task_work_run+0x12c/0x1a0 do_exit+0x9b5/0x2230 ? release_task+0x1240/0x1240 ? __do_page_fault+0x562/0xa30 do_group_exit+0xd5/0x2a0 __x64_sys_exit_group+0x35/0x40 do_syscall_64+0x89/0x2b0 ? page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Cc: stable@vger.kernel.org Reported-by: 秦世松 Signed-off-by: Samuel Thibault Tested-by: Shisong Qin Link: https://lore.kernel.org/r/20201110183541.fzgnlwhjpgqzjeth@function Signed-off-by: Greg Kroah-Hartman commit 0da75d37d199a7925954c887e5c5ba8d04b73979 Author: Hans de Goede Date: Sat Nov 14 22:20:56 2020 +0100 HID: logitech-dj: Fix Dinovo Mini when paired with a MX5x00 receiver [ Upstream commit b4c00e7976636f33a4f67eab436a11666c8afd60 ] Some users are pairing the Dinovo keyboards with the MX5000 or MX5500 receivers, instead of with the Dinovo receivers. The receivers are mostly the same (and the air protocol obviously is compatible) but currently the Dinovo receivers are handled by hid-lg.c while the MX5x00 receivers are handled by logitech-dj.c. When using a Dinovo keyboard, with its builtin touchpad, through logitech-dj.c then the touchpad stops working because when asking the receiver for paired devices, we get only 1 paired device with a device_type of REPORT_TYPE_KEYBOARD. And since we don't see a paired mouse, we have nowhere to send mouse-events to, so we drop them. Extend the existing fix for the Dinovo Edge for this to also cover the Dinovo Mini keyboard and also add a mapping to logitech-hidpp for the Media key on the Dinovo Mini, so that that keeps working too. BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1811424 Fixes: f2113c3020ef ("HID: logitech-dj: add support for Logitech Bluetooth Mini-Receiver") Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Sasha Levin commit 4e23e329ec17882629cd1ad72d3798da89b1b45c Author: Hans de Goede Date: Mon Nov 2 14:36:56 2020 +0100 HID: logitech-dj: Handle quad/bluetooth keyboards with a builtin trackpad [ Upstream commit ee5e58418a854755201eb4952b1230d873a457d5 ] Some quad/bluetooth keyboards, such as the Dinovo Edge (Y-RAY81) have a builtin touchpad. In this case when asking the receiver for paired devices, we get only 1 paired device with a device_type of REPORT_TYPE_KEYBOARD. This means that we do not instantiate a second dj_hiddev for the mouse (as we normally would) and thus there is no place for us to forward the mouse input reports to, causing the touchpad part of the keyboard to not work. There is no way for us to detect these keyboards, so this commit adds an array with device-ids for such keyboards and when a keyboard is on this list it adds STD_MOUSE to the reports_supported bitmap for the dj_hiddev created for the keyboard fixing the touchpad not working. Using a list of device-ids for this is not ideal, but there are only very few such keyboards so this should be fine. Besides the Dinovo Edge, other known wireless Logitech keyboards with a builtin touchpad are: * Dinovo Mini (TODO add its device-id to the list) * K400 (uses a unifying receiver so is not affected) * K600 (uses a unifying receiver so is not affected) Cc: stable@vger.kernel.org BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1811424 Fixes: f2113c3020ef ("HID: logitech-dj: add support for Logitech Bluetooth Mini-Receiver") Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Sasha Levin commit 770a55072f1293f0aff7d4219280503feed4179c Author: Harry Cutts Date: Wed Oct 21 06:56:12 2020 -0700 HID: logitech-hidpp: Add PID for MX Anywhere 2 [ Upstream commit b59f38dbfd5d19eb7e03d8b639f0c0d385ba8cc5 ] It seems that the PID 0x4072 was missing from the list Logitech gave me for this mouse, as I found one with it in the wild (with which I tested this patch). Fixes: 4435ff2f09a2 ("HID: logitech: Enable high-resolution scrolling on Logitech mice") Signed-off-by: Harry Cutts Acked-by: Peter Hutterer Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 8a411bb0d73f8916670fac78a8691c717bbda816 Author: Yicong Yang Date: Sat Nov 21 22:17:19 2020 -0800 libfs: fix error cast of negative value in simple_attr_write() [ Upstream commit 488dac0c9237647e9b8f788b6a342595bfa40bda ] The attr->set() receive a value of u64, but simple_strtoll() is used for doing the conversion. It will lead to the error cast if user inputs a negative value. Use kstrtoull() instead of simple_strtoll() to convert a string got from the user to an unsigned value. The former will return '-EINVAL' if it gets a negetive value, but the latter can't handle the situation correctly. Make 'val' unsigned long long as what kstrtoull() takes, this will eliminate the compile warning on no 64-bit architectures. Fixes: f7b88631a897 ("fs/libfs.c: fix simple_attr_write() on 32bit machines") Signed-off-by: Yicong Yang Signed-off-by: Andrew Morton Cc: Al Viro Link: https://lkml.kernel.org/r/1605341356-11872-1-git-send-email-yangyicong@hisilicon.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 9d1b5a8c720e6945834e7dc2c4c1e9916e2fb67c Author: Arvind Sankar Date: Tue Nov 10 11:39:19 2020 -0500 efi/x86: Free efi_pgd with free_pages() [ Upstream commit c2fe61d8be491ff8188edaf22e838f819999146b ] Commit d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD") changed the PGD allocation to allocate PGD_ALLOCATION_ORDER pages, so in the error path it should be freed using free_pages() rather than free_page(). Commit 06ace26f4e6f ("x86/efi: Free efi_pgd with free_pages()") fixed one instance of this, but missed another. Move the freeing out-of-line to avoid code duplication and fix this bug. Fixes: d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD") Link: https://lore.kernel.org/r/20201110163919.1134431-1-nivedita@alum.mit.edu Signed-off-by: Arvind Sankar Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 95fafa1cb7a5e65faaeb54f678a21b95e4ea0177 Author: John Fastabend Date: Mon Nov 16 14:28:46 2020 -0800 bpf, sockmap: Avoid returning unneeded EAGAIN when redirecting to self [ Upstream commit 6fa9201a898983da731fca068bb4b5c941537588 ] If a socket redirects to itself and it is under memory pressure it is possible to get a socket stuck so that recv() returns EAGAIN and the socket can not advance for some time. This happens because when redirecting a skb to the same socket we received the skb on we first check if it is OK to enqueue the skb on the receiving socket by checking memory limits. But, if the skb is itself the object holding the memory needed to enqueue the skb we will keep retrying from kernel side and always fail with EAGAIN. Then userspace will get a recv() EAGAIN error if there are no skbs in the psock ingress queue. This will continue until either some skbs get kfree'd causing the memory pressure to reduce far enough that we can enqueue the pending packet or the socket is destroyed. In some cases its possible to get a socket stuck for a noticeable amount of time if the socket is only receiving skbs from sk_skb verdict programs. To reproduce I make the socket memory limits ridiculously low so sockets are always under memory pressure. More often though if under memory pressure it looks like a spurious EAGAIN error on user space side causing userspace to retry and typically enough has moved on the memory side that it works. To fix skip memory checks and skb_orphan if receiving on the same sock as already assigned. For SK_PASS cases this is easy, its always the same socket so we can just omit the orphan/set_owner pair. For backlog cases we need to check skb->sk and decide if the orphan and set_owner pair are needed. Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/160556572660.73229.12566203819812939627.stgit@john-XPS-13-9370 Signed-off-by: Sasha Levin commit a9f3670728a059aa437e2477c7d3ca54af186fbd Author: John Fastabend Date: Mon Nov 16 14:28:26 2020 -0800 bpf, sockmap: Use truesize with sk_rmem_schedule() [ Upstream commit 70796fb751f1d34cc650e640572a174faf009cd4 ] We use skb->size with sk_rmem_scheduled() which is not correct. Instead use truesize to align with socket and tcp stack usage of sk_rmem_schedule. Suggested-by: Daniel Borkman Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/160556570616.73229.17003722112077507863.stgit@john-XPS-13-9370 Signed-off-by: Sasha Levin commit e8b1de6975db11289446ae28f918a7a4a0d5292a Author: John Fastabend Date: Fri Oct 9 11:36:37 2020 -0700 bpf, sockmap: On receive programs try to fast track SK_PASS ingress [ Upstream commit 9ecbfb06a078c4911fb444203e8e41d93d22f886 ] When we receive an skb and the ingress skb verdict program returns SK_PASS we currently set the ingress flag and put it on the workqueue so it can be turned into a sk_msg and put on the sk_msg ingress queue. Then finally telling userspace with data_ready hook. Here we observe that if the workqueue is empty then we can try to convert into a sk_msg type and call data_ready directly without bouncing through a workqueue. Its a common pattern to have a recv verdict program for visibility that always returns SK_PASS. In this case unless there is an ENOMEM error or we overrun the socket we can avoid the workqueue completely only using it when we fall back to error cases caused by memory pressure. By doing this we eliminate another case where data may be dropped if errors occur on memory limits in workqueue. Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/160226859704.5692.12929678876744977669.stgit@john-Precision-5820-Tower Signed-off-by: Sasha Levin commit 329c84430a64d8defb86225bbb2a276b1a1989fe Author: John Fastabend Date: Fri Oct 9 11:36:16 2020 -0700 bpf, sockmap: Skb verdict SK_PASS to self already checked rmem limits [ Upstream commit cfea28f890cf292d5fe90680db64b68086ef25ba ] For sk_skb case where skb_verdict program returns SK_PASS to continue to pass packet up the stack, the memory limits were already checked before enqueuing in skb_queue_tail from TCP side. So, lets remove the extra checks here. The theory is if the TCP stack believes we have memory to receive the packet then lets trust the stack and not double check the limits. In fact the accounting here can cause a drop if sk_rmem_alloc has increased after the stack accepted this packet, but before the duplicate check here. And worse if this happens because TCP stack already believes the data has been received there is no retransmit. Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/160226857664.5692.668205469388498375.stgit@john-Precision-5820-Tower Signed-off-by: Sasha Levin commit 4983ffd34ffc7ed7abcfe80a00b03ca0f054c4dd Author: Darrick J. Wong Date: Thu Nov 19 15:17:50 2020 -0800 xfs: revert "xfs: fix rmap key and record comparison functions" [ Upstream commit eb8409071a1d47e3593cfe077107ac46853182ab ] This reverts commit 6ff646b2ceb0eec916101877f38da0b73e3a5b7f. Your maintainer committed a major braino in the rmap code by adding the attr fork, bmbt, and unwritten extent usage bits into rmap record key comparisons. While XFS uses the usage bits *in the rmap records* for cross-referencing metadata in xfs_scrub and xfs_repair, it only needs the owner and offset information to distinguish between reverse mappings of the same physical extent into the data fork of a file at multiple offsets. The other bits are not important for key comparisons for index lookups, and never have been. Eric Sandeen reports that this causes regressions in generic/299, so undo this patch before it does more damage. Reported-by: Eric Sandeen Fixes: 6ff646b2ceb0 ("xfs: fix rmap key and record comparison functions") Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Sasha Levin commit 989d275ac5928ba00ac4d40bcbd4c281b8ab7c24 Author: Luo Meng Date: Wed Nov 18 22:49:31 2020 +0900 fail_function: Remove a redundant mutex unlock [ Upstream commit 2801a5da5b25b7af9dd2addd19b2315c02d17b64 ] Fix a mutex_unlock() issue where before copy_from_user() is not called mutex_locked. Fixes: 4b1a29a7f542 ("error-injection: Support fault injection framework") Reported-by: Hulk Robot Signed-off-by: Luo Meng Signed-off-by: Masami Hiramatsu Signed-off-by: Alexei Starovoitov Acked-by: Masami Hiramatsu Link: https://lore.kernel.org/bpf/160570737118.263807.8358435412898356284.stgit@devnote2 Signed-off-by: Sasha Levin commit b9589cb07932d34ca91bd3fb200e45bfef4db07d Author: Nishanth Menon Date: Wed Nov 18 08:50:09 2020 -0600 regulator: ti-abb: Fix array out of bound read access on the first transition [ Upstream commit 2ba546ebe0ce2af47833d8912ced9b4a579f13cb ] At the start of driver initialization, we do not know what bias setting the bootloader has configured the system for and we only know for certain the very first time we do a transition. However, since the initial value of the comparison index is -EINVAL, this negative value results in an array out of bound access on the very first transition. Since we don't know what the setting is, we just set the bias configuration as there is nothing to compare against. This prevents the array out of bound access. NOTE: Even though we could use a more relaxed check of "< 0" the only valid values(ignoring cosmic ray induced bitflips) are -EINVAL, 0+. Fixes: 40b1936efebd ("regulator: Introduce TI Adaptive Body Bias(ABB) on-chip LDO driver") Link: https://lore.kernel.org/linux-mm/CA+G9fYuk4imvhyCN7D7T6PMDH6oNp6HDCRiTUKMQ6QXXjBa4ag@mail.gmail.com/ Reported-by: Naresh Kamboju Reviewed-by: Arnd Bergmann Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20201118145009.10492-1-nm@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ad3c4c96bfb719dcfdb422d4cc775107e70fe312 Author: Yu Kuai Date: Wed Nov 18 09:21:26 2020 -0800 xfs: return corresponding errcode if xfs_initialize_perag() fail [ Upstream commit 595189c25c28a55523354336bf24453242c81c15 ] In xfs_initialize_perag(), if kmem_zalloc(), xfs_buf_hash_init(), or radix_tree_preload() failed, the returned value 'error' is not set accordingly. Reported-as-fixing: 8b26c5825e02 ("xfs: handle ENOMEM correctly during initialisation of perag structures") Fixes: 9b2471797942 ("xfs: cache unlinked pointers in an rhashtable") Reported-by: Hulk Robot Signed-off-by: Yu Kuai Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 738ec767062404fa21f96e7d92ea0eefd064e45b Author: Darrick J. Wong Date: Sun Nov 8 16:32:41 2020 -0800 xfs: strengthen rmap record flags checking [ Upstream commit 498fe261f0d6d5189f8e11d283705dd97b474b54 ] We always know the correct state of the rmap record flags (attr, bmbt, unwritten) so check them by direct comparison. Fixes: d852657ccfc0 ("xfs: cross-reference reverse-mapping btree") Signed-off-by: Darrick J. Wong Reviewed-by: Chandan Babu R Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 388ca4a37dcdd09022a8bc12666216c5132322eb Author: Darrick J. Wong Date: Sun Nov 8 16:32:41 2020 -0800 xfs: fix the minrecs logic when dealing with inode root child blocks [ Upstream commit e95b6c3ef1311dd7b20467d932a24b6d0fd88395 ] The comment and logic in xchk_btree_check_minrecs for dealing with inode-rooted btrees isn't quite correct. While the direct children of the inode root are allowed to have fewer records than what would normally be allowed for a regular ondisk btree block, this is only true if there is only one child block and the number of records don't fit in the inode root. Fixes: 08a3a692ef58 ("xfs: btree scrub should check minrecs") Signed-off-by: Darrick J. Wong Reviewed-by: Chandan Babu R Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 56588c1fdd19fbe6cd6c5cbd9ae3630279c574a2 Author: Jarkko Nikula Date: Tue Sep 15 16:47:15 2020 +0300 can: m_can: process interrupt only when not runtime suspended [ Upstream commit a1f634463aaf2c94dfa13001dbdea011303124cc ] Avoid processing bogus interrupt statuses when the HW is runtime suspended and the M_CAN_IR register read may get all bits 1's. Handler can be called if the interrupt request is shared with other peripherals or at the end of free_irq(). Therefore check the runtime suspended status before processing. Fixes: cdf8259d6573 ("can: m_can: Add PM Support") Signed-off-by: Jarkko Nikula Link: https://lore.kernel.org/r/20200915134715.696303-1-jarkko.nikula@linux.intel.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit a3c94201e0a752e7dd80de4c543a4a7d753292fa Author: Marc Kleine-Budde Date: Wed Nov 18 16:01:48 2020 +0100 can: flexcan: flexcan_chip_start(): fix erroneous flexcan_transceiver_enable() during bus-off recovery [ Upstream commit cd9f13c59461351d7a5fd07924264fb49b287359 ] If the CAN controller goes into bus off, the do_set_mode() callback with CAN_MODE_START can be used to recover the controller, which then calls flexcan_chip_start(). If configured, this is done automatically by the framework or manually by the user. In flexcan_chip_start() there is an explicit call to flexcan_transceiver_enable(), which does a regulator_enable() on the transceiver regulator. This results in a net usage counter increase, as there is no corresponding flexcan_transceiver_disable() in the bus off code path. This further leads to the transceiver stuck enabled, even if the CAN interface is shut down. To fix this problem the flexcan_transceiver_enable()/flexcan_transceiver_disable() are moved out of flexcan_chip_start()/flexcan_chip_stop() into flexcan_open()/flexcan_close(). Fixes: e955cead0311 ("CAN: Add Flexcan CAN controller driver") Link: https://lore.kernel.org/r/20201118150148.2664024-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 58f1657c3a5878dee824bda252a7a76dc78ee4e7 Author: Zhenzhong Duan Date: Tue Nov 10 15:19:08 2020 +0800 iommu/vt-d: Avoid panic if iommu init fails in tboot system [ Upstream commit 4d213e76a359e540ca786ee937da7f35faa8e5f8 ] "intel_iommu=off" command line is used to disable iommu but iommu is force enabled in a tboot system for security reason. However for better performance on high speed network device, a new option "intel_iommu=tboot_noforce" is introduced to disable the force on. By default kernel should panic if iommu init fail in tboot for security reason, but it's unnecessory if we use "intel_iommu=tboot_noforce,off". Fix the code setting force_on and move intel_iommu_tboot_noforce from tboot code to intel iommu code. Fixes: 7304e8f28bb2 ("iommu/vt-d: Correctly disable Intel IOMMU force on") Signed-off-by: Zhenzhong Duan Tested-by: Lukasz Hawrylko Acked-by: Lu Baolu Link: https://lore.kernel.org/r/20201110071908.3133-1-zhenzhong.duan@gmail.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 964b02d50bab830c446bf32dff039e9eb637599b Author: Andy Shevchenko Date: Fri Aug 28 19:12:11 2020 +0300 iommu/vt-d: Move intel_iommu_gfx_mapped to Intel IOMMU header [ Upstream commit c7eb900f5f45eeab1ea1bed997a2a12d8b5907bc ] Static analyzer is not happy about intel_iommu_gfx_mapped declaration: .../drivers/iommu/intel/iommu.c:364:5: warning: symbol 'intel_iommu_gfx_mapped' was not declared. Should it be static? Move its declaration to Intel IOMMU header file. Signed-off-by: Andy Shevchenko Reviewed-by: Lu Baolu Link: https://lore.kernel.org/r/20200828161212.71294-1-andriy.shevchenko@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6d184f851182701dd8299d6eaedb936744b3e65e Author: Jimmy Assarsson Date: Sun Nov 15 17:30:23 2020 +0100 can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits [ Upstream commit d003868d7f8579838ed58b6429af91844039b6f8 ] Use correct bittiming limits for the KCAN CAN controller. Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/r/20201115163027.16851-2-jimmyassarsson@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 987bd7901ae397b144ffdb0dbcbab141fe278da6 Author: Jimmy Assarsson Date: Sun Nov 15 17:30:22 2020 +0100 can: kvaser_pciefd: Fix KCAN bittiming limits [ Upstream commit 470e14c00c63752466ac44de392f584dfdddd82e ] Use correct bittiming limits for the KCAN CAN controller. Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices") Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/r/20201115163027.16851-1-jimmyassarsson@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 9df3884a4d6a1009a788a4205aae46f65f7da5c0 Author: John Fastabend Date: Mon Nov 16 14:28:06 2020 -0800 bpf, sockmap: Ensure SO_RCVBUF memory is observed on ingress redirect [ Upstream commit 36cd0e696a832a00247fca522034703566ac8885 ] Fix sockmap sk_skb programs so that they observe sk_rcvbuf limits. This allows users to tune SO_RCVBUF and sockmap will honor them. We can refactor the if(charge) case out in later patches. But, keep this fix to the point. Fixes: 51199405f9672 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Suggested-by: Jakub Sitnicki Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/160556568657.73229.8404601585878439060.stgit@john-XPS-13-9370 Signed-off-by: Sasha Levin commit 58f45daa2d0a30d26b6e7d466dad02b7d030dca1 Author: John Fastabend Date: Mon Nov 16 14:27:46 2020 -0800 bpf, sockmap: Fix partial copy_page_to_iter so progress can still be made [ Upstream commit c9c89dcd872ea33327673fcb97398993a1f22736 ] If copy_page_to_iter() fails or even partially completes, but with fewer bytes copied than expected we currently reset sg.start and return EFAULT. This proves problematic if we already copied data into the user buffer before we return an error. Because we leave the copied data in the user buffer and fail to unwind the scatterlist so kernel side believes data has been copied and user side believes data has _not_ been received. Expected behavior should be to return number of bytes copied and then on the next read we need to return the error assuming its still there. This can happen if we have a copy length spanning multiple scatterlist elements and one or more complete before the error is hit. The error is rare enough though that my normal testing with server side programs, such as nginx, httpd, envoy, etc., I have never seen this. The only reliable way to reproduce that I've found is to stream movies over my browser for a day or so and wait for it to hang. Not very scientific, but with a few extra WARN_ON()s in the code the bug was obvious. When we review the errors from copy_page_to_iter() it seems we are hitting a page fault from copy_page_to_iter_iovec() where the code checks fault_in_pages_writeable(buf, copy) where buf is the user buffer. It also seems typical server applications don't hit this case. The other way to try and reproduce this is run the sockmap selftest tool test_sockmap with data verification enabled, but it doesn't reproduce the fault. Perhaps we can trigger this case artificially somehow from the test tools. I haven't sorted out a way to do that yet though. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/160556566659.73229.15694973114605301063.stgit@john-XPS-13-9370 Signed-off-by: Sasha Levin commit 401afa5f5e5eff9e4b70d9dea739b805a7bfb0e2 Author: Eli Cohen Date: Mon Nov 9 11:35:52 2020 +0200 net/mlx5: E-Switch, Fail mlx5_esw_modify_vport_rate if qos disabled [ Upstream commit 5b8631c7b21ca8bc039f0bc030048973b039e0d2 ] Avoid calling mlx5_esw_modify_vport_rate() if qos is not enabled and avoid unnecessary syndrome messages from firmware. Fixes: fcb64c0f5640 ("net/mlx5: E-Switch, add ingress rate support") Signed-off-by: Eli Cohen Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit a5a1db757da164e3a0d72aff82918d11961fd045 Author: Xiongfeng Wang Date: Mon Nov 16 09:09:29 2020 +0800 drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() [ Upstream commit 6654b57866b98230a270953dd34f67de17ab1708 ] Fix to return a negative error code from the error handling case instead of 0 in function sun8i_dw_hdmi_bind(). Fixes: b7c7436a5ff0 ("drm/sun4i: Implement A83T HDMI driver") Reported-by: Hulk Robot Signed-off-by: Xiongfeng Wang Reviewed-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://patchwork.freedesktop.org/patch/msgid/1605488969-5211-1-git-send-email-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit 5e7f422c38109c0a3ba213db3164e7c23ccf50be Author: Zhang Qilong Date: Fri Nov 13 21:18:56 2020 +0800 MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu [ Upstream commit ac3b57adf87ad9bac7e33ca26bbbb13fae1ed62b ] If the clk_register fails, we should free h before function returns to prevent memleak. Fixes: 474402291a0ad ("MIPS: Alchemy: clock framework integration of onchip clocks") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit cb5ad04eeeb69e0af79aed0e0383913e986840c5 Author: Wang Hai Date: Mon Nov 16 18:16:33 2020 +0800 selftests/bpf: Fix error return code in run_getsockopt_test() [ Upstream commit 2acc3c1bc8e98bc66b1badec42e9ea205b4fcdaa ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 65b4414a05eb ("selftests/bpf: add sockopt test that exercises BPF_F_ALLOW_MULTI") Reported-by: Hulk Robot Signed-off-by: Wang Hai Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20201116101633.64627-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 32ebbc84697becf5ecd6b6e0bd3ae18371a416ef Author: Srinivasa Rao Mandadapu Date: Sun Nov 15 10:26:50 2020 +0530 ASoC: qcom: lpass-platform: Fix memory leak [ Upstream commit bd6327fda2f3ded85b69b3c3125c99aaa51c7881 ] lpass_pcm_data is not freed in error paths. Free it in error paths to avoid memory leak. Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") Signed-off-by: Pavel Machek Signed-off-by: V Sujith Kumar Reddy Signed-off-by: Srinivasa Rao Mandadapu Link: https://lore.kernel.org/r/1605416210-14530-1-git-send-email-srivasam@codeaurora.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 24ce39bf0aa28ca7e907ac8915ba735da5ae6205 Author: Faiz Abbas Date: Tue Aug 25 11:24:42 2020 +0530 can: m_can: m_can_stop(): set device to software init mode before closing [ Upstream commit a584e9bc1b7e88f24f8504886eafbe6c73d8a97c ] There might be some requests pending in the buffer when the interface close sequence occurs. In some devices, these pending requests might lead to the module not shutting down properly when m_can_clk_stop() is called. Therefore, move the device to init state before potentially powering it down. Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Signed-off-by: Faiz Abbas Acked-by: Dan Murphy Link: https://lore.kernel.org/r/20200825055442.16994-1-faiz_abbas@ti.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit db2f5579e725b15245b5052dad28e109d40cbf52 Author: Dan Murphy Date: Thu Feb 27 12:38:29 2020 -0600 can: m_can: m_can_class_free_dev(): introduce new function [ Upstream commit a8c22f5b0c689a29f45ef4a110d09fd391debcbc ] This patch creates a common function that peripherials can call to free the netdev device when failures occur. Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") Reported-by: Marc Kleine-Budde Signed-off-by: Dan Murphy Link: http://lore.kernel.org/r/20200227183829.21854-2-dmurphy@ti.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 9b0596c07da8cdfd4979c0e342bbcb19fbe74de0 Author: Wu Bo Date: Wed Jan 29 10:23:30 2020 +0800 can: m_can: m_can_handle_state_change(): fix state change [ Upstream commit cd0d83eab2e0c26fe87a10debfedbb23901853c1 ] m_can_handle_state_change() is called with the new_state as an argument. In the switch statements for CAN_STATE_ERROR_ACTIVE, the comment and the following code indicate that a CAN_STATE_ERROR_WARNING is handled. This patch fixes this problem by changing the case to CAN_STATE_ERROR_WARNING. Signed-off-by: Wu Bo Link: http://lore.kernel.org/r/20200129022330.21248-2-wubo.oduw@gmail.com Cc: Dan Murphy Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 69851481b342b274db1084299e29022d63431fc4 Author: Marc Kleine-Budde Date: Mon Aug 10 22:23:49 2020 +0200 can: tcan4x5x: tcan4x5x_can_remove(): fix order of deregistration [ Upstream commit c81d0b6ca665477c761f227807010762630b089f ] Change the order in tcan4x5x_can_remove() to be the exact inverse of tcan4x5x_can_probe(). First m_can_class_unregister(), then power down the device. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: Dan Murphy Link: http://lore.kernel.org/r/20201019154233.1262589-10-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit d527bb8bd577f511a6096036cd3f3840a607efff Author: Marc Kleine-Budde Date: Fri Jan 3 11:30:34 2020 +0100 can: tcan4x5x: tcan4x5x_can_probe(): add missing error checking for devm_regmap_init() [ Upstream commit 1ff203badbbf1738027c8395d5b40b0d462b6e4d ] This patch adds the missing error checking when initializing the regmap interface fails. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Cc: Dan Murphy Link: http://lore.kernel.org/r/20201019154233.1262589-7-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 84089205dbd2629ba17b669b00b84342ca66c0c4 Author: Enric Balletbo i Serra Date: Mon Apr 13 16:10:13 2020 +0200 can: tcan4x5x: replace depends on REGMAP_SPI with depends on SPI [ Upstream commit 3fcce133f0d9a50d3a23f8e2bc950197b4e03900 ] regmap is a library function that gets selected by drivers that need it. No driver modules should depend on it. Instead depends on SPI and select REGMAP_SPI. Depending on REGMAP_SPI makes this driver only build if another driver already selected REGMAP_SPI, as the symbol can't be selected through the menu kernel configuration. Signed-off-by: Enric Balletbo i Serra Link: http://lore.kernel.org/r/20200413141013.506613-1-enric.balletbo@collabora.com Reviewed-by: Dan Murphy Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f0c8508bf874ae45092136b63532e9bbef92c9a9 Author: Zhang Qilong Date: Sun Nov 8 16:30:00 2020 +0800 can: flexcan: fix failure handling of pm_runtime_get_sync() [ Upstream commit b7ee5bc3e1006433601a058a6a7c24c5272635f4 ] pm_runtime_get_sync() will increment pm usage at first and it will resume the device later. If runtime of the device has error or device is in inaccessible state(or other error state), resume operation will fail. If we do not call put operation to decrease the reference, it will result in reference leak in the two functions flexcan_get_berr_counter() and flexcan_open(). Moreover, this device cannot enter the idle state and always stay busy or other non-idle state later. So we should fix it through adding pm_runtime_put_noidle(). Fixes: ca10989632d88 ("can: flexcan: implement can Runtime PM") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201108083000.2599705-1-zhangqilong3@huawei.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 73788e8c3b0240c486c1f7c26ea06d46cf7ed949 Author: Colin Ian King Date: Thu Nov 5 11:24:27 2020 +0000 can: peak_usb: fix potential integer overflow on shift of a int [ Upstream commit 8a68cc0d690c9e5730d676b764c6f059343b842c ] The left shift of int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit variable. In the case where time_ref->adapter->ts_used_bits is 32 or more this can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro instead. Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20201105112427.40688-1-colin.king@canonical.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 4a6891e169df7be8c3a59273d2453fcf759e17ea Author: Marc Kleine-Budde Date: Wed Aug 28 21:16:55 2019 +0200 can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() [ Upstream commit 81c9c8e0adef3285336b942f93287c554c89e6c6 ] The driver has to first fill the skb with data and then handle it to can_put_echo_skb(). This patch moves the can_put_echo_skb() down, right before sending the skb out via USB. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Cc: Remigiusz Kołłątaj Link: https://lore.kernel.org/r/20201111221204.1639007-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 85c48dcd8735135077c846f68e7aba5304c6b3f3 Author: Zhang Qilong Date: Sat Nov 14 19:17:08 2020 +0800 can: ti_hecc: Fix memleak in ti_hecc_probe [ Upstream commit 7968c7c79d3be8987feb8021f0c46e6866831408 ] In the error handling, we should goto the probe_exit_candev to free ndev to prevent memory leak. Fixes: dabf54dd1c63 ("can: ti_hecc: Convert TI HECC driver to DT only driver") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201114111708.3465543-1-zhangqilong3@huawei.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 85854e4e552edab857770ca3f9ff7ea0fda2c238 Author: Alejandro Concepcion Rodriguez Date: Thu Nov 5 21:51:47 2020 +0000 can: dev: can_restart(): post buffer from the right context [ Upstream commit a1e654070a60d5d4f7cce59c38f4ca790bb79121 ] netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Co-developed-by: Loris Fauster Signed-off-by: Loris Fauster Signed-off-by: Alejandro Concepcion Rodriguez Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 247b03eca2fd61fffd30140c2e2c1d93e2e63a9f Author: Anant Thazhemadam Date: Wed Nov 4 03:09:06 2020 +0530 can: af_can: prevent potential access of uninitialized member in canfd_rcv() [ Upstream commit 9aa9379d8f868e91719333a7f063ccccc0579acc ] In canfd_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CANFD_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: d4689846881d ("can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by: Anant Thazhemadam Signed-off-by: Anant Thazhemadam Link: https://lore.kernel.org/r/20201103213906.24219-3-anant.thazhemadam@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 5970c08eed35ceb67f0d396ed22d8dd389042cba Author: Anant Thazhemadam Date: Wed Nov 4 03:09:05 2020 +0530 can: af_can: prevent potential access of uninitialized member in can_rcv() [ Upstream commit c8c958a58fc67f353289986850a0edf553435702 ] In can_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CAN_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: 8cb68751c115 ("can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by: Anant Thazhemadam Signed-off-by: Anant Thazhemadam Link: https://lore.kernel.org/r/20201103213906.24219-2-anant.thazhemadam@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit ef097e93aca2f1bec3d0a2e632edbefedf7efb4e Author: Yi-Hung Wei Date: Tue Nov 10 16:16:40 2020 -0800 ip_tunnels: Set tunnel option flag when tunnel metadata is present [ Upstream commit 9c2e14b48119b39446031d29d994044ae958d8fc ] Currently, we may set the tunnel option flag when the size of metadata is zero. For example, we set TUNNEL_GENEVE_OPT in the receive function no matter the geneve option is present or not. As this may result in issues on the tunnel flags consumers, this patch fixes the issue. Related discussion: * https://lore.kernel.org/netdev/1604448694-19351-1-git-send-email-yihung.wei@gmail.com/T/#u Fixes: 256c87c17c53 ("net: check tunnel option type in tunnel flags") Signed-off-by: Yi-Hung Wei Link: https://lore.kernel.org/r/1605053800-74072-1-git-send-email-yihung.wei@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f5d6b6c2e9931e8cedeae29909cd4da362acfc25 Author: Wang Hai Date: Fri Nov 13 19:51:52 2020 +0800 tools, bpftool: Add missing close before bpftool net attach exit [ Upstream commit 50431b45685b600fc2851a3f2b53e24643efe6d3 ] progfd is created by prog_parse_fd() in do_attach() and before the latter returns in case of success, the file descriptor should be closed. Fixes: 04949ccc273e ("tools: bpftool: add net attach command to attach XDP on interface") Signed-off-by: Wang Hai Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20201113115152.53178-1-wanghai38@huawei.com Signed-off-by: Sasha Levin commit 6eadbc3b7ab77f6d19cbaaba254a03799e21038c Author: Leo Yan Date: Wed Nov 4 17:42:29 2020 +0800 perf lock: Don't free "lock_seq_stat" if read_count isn't zero [ Upstream commit b0e5a05cc9e37763c7f19366d94b1a6160c755bc ] When execute command "perf lock report", it hits failure and outputs log as follows: perf: builtin-lock.c:623: report_lock_release_event: Assertion `!(seq->read_count < 0)' failed. Aborted This is an imbalance issue. The locking sequence structure "lock_seq_stat" contains the reader counter and it is used to check if the locking sequence is balance or not between acquiring and releasing. If the tool wrongly frees "lock_seq_stat" when "read_count" isn't zero, the "read_count" will be reset to zero when allocate a new structure at the next time; thus it causes the wrong counting for reader and finally results in imbalance issue. To fix this issue, if detects "read_count" is not zero (means still have read user in the locking sequence), goto the "end" tag to skip freeing structure "lock_seq_stat". Fixes: e4cef1f65061 ("perf lock: Fix state machine to recognize lock sequence") Signed-off-by: Leo Yan Acked-by: Jiri Olsa Link: https://lore.kernel.org/r/20201104094229.17509-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 4c954fe28af154a90c2fb34737aa190fd4d0cdb2 Author: Christoph Hellwig Date: Fri Nov 6 19:19:32 2020 +0100 RMDA/sw: Don't allow drivers using dma_virt_ops on highmem configs [ Upstream commit b1e678bf290db5a76f1b6a9f7c381310e03440d6 ] dma_virt_ops requires that all pages have a kernel virtual address. Introduce a INFINIBAND_VIRT_DMA Kconfig symbol that depends on !HIGHMEM and make all three drivers depend on the new symbol. Also remove the ARCH_DMA_ADDR_T_64BIT dependency, which has been obsolete since commit 4965a68780c5 ("arch: define the ARCH_DMA_ADDR_T_64BIT config symbol in lib/Kconfig") Fixes: 551199aca1c3 ("lib/dma-virt: Add dma_virt_ops") Link: https://lore.kernel.org/r/20201106181941.1878556-2-hch@lst.de Signed-off-by: Christoph Hellwig Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1a358c4e9bb2af62f195a5ae6c5cce3c5a379e18 Author: Qinglang Miao Date: Wed Nov 11 11:22:02 2020 +0800 RDMA/pvrdma: Fix missing kfree() in pvrdma_register_device() [ Upstream commit d035c3f6cdb8e5d5a17adcbb79d7453417a6077d ] Fix missing kfree in pvrdma_register_device() when failure from ib_device_set_netdev(). Fixes: 4b38da75e089 ("RDMA/drivers: Convert easy drivers to use ib_device_set_netdev()") Link: https://lore.kernel.org/r/20201111032202.17925-1-miaoqinglang@huawei.com Reported-by: Hulk Robot Signed-off-by: Qinglang Miao Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1b1ddde970de7d63566af67b35edaedd6200a432 Author: Claire Chang Date: Tue Nov 10 16:49:08 2020 +0800 rfkill: Fix use-after-free in rfkill_resume() [ Upstream commit 94e2bd0b259ed39a755fdded47e6734acf1ce464 ] If a device is getting removed or reprobed during resume, use-after-free might happen. For example, h5_btrtl_resume() schedules a work queue for device reprobing, which of course requires removal first. If the removal happens in parallel with the device_resume() and wins the race to acquire device_lock(), removal may remove the device from the PM lists and all, but device_resume() is already running and will continue when the lock can be acquired, thus calling rfkill_resume(). During this, if rfkill_set_block() is then called after the corresponding *_unregister() and kfree() are called, there will be an use-after-free in hci_rfkill_set_block(): BUG: KASAN: use-after-free in hci_rfkill_set_block+0x58/0xc0 [bluetooth] ... Call trace: dump_backtrace+0x0/0x154 show_stack+0x20/0x2c dump_stack+0xbc/0x12c print_address_description+0x88/0x4b0 __kasan_report+0x144/0x168 kasan_report+0x10/0x18 check_memory_region+0x19c/0x1ac __kasan_check_write+0x18/0x24 hci_rfkill_set_block+0x58/0xc0 [bluetooth] rfkill_set_block+0x9c/0x120 rfkill_resume+0x34/0x70 dpm_run_callback+0xf0/0x1f4 device_resume+0x210/0x22c Fix this by checking rfkill->registered in rfkill_resume(). device_del() in rfkill_unregister() requires device_lock() and the whole rfkill_resume() is also protected by the same lock via device_resume(), we can make sure either the rfkill->registered is false before rfkill_resume() starts or the rfkill device won't be unregistered before rfkill_resume() returns. As async_resume() holds a reference to the device, at this level there can be no use-after-free; only in the user that doesn't expect this scenario. Fixes: 8589086f4efd ("Bluetooth: hci_h5: Turn off RTL8723BS on suspend, reprobe on resume") Signed-off-by: Claire Chang Link: https://lore.kernel.org/r/20201110084908.219088-1-tientzu@chromium.org [edit commit message for clarity and add more info provided later] Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 6490ecdee5510aef71e5c80f120269fadeff80dd Author: Necip Fazil Yildiran Date: Wed Nov 11 17:48:52 2020 -0800 Input: resistive-adc-touch - fix kconfig dependency on IIO_BUFFER [ Upstream commit 676650d007e06fddcf3fe38238251d71bd179641 ] When TOUCHSCREEN_ADC is enabled and IIO_BUFFER is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for IIO_BUFFER_CB Depends on [n]: IIO [=y] && IIO_BUFFER [=n] Selected by [y]: - TOUCHSCREEN_ADC [=y] && !UML && INPUT [=y] && INPUT_TOUCHSCREEN [=y] && IIO [=y] The reason is that TOUCHSCREEN_ADC selects IIO_BUFFER_CB without depending on or selecting IIO_BUFFER while IIO_BUFFER_CB depends on IIO_BUFFER. This can also fail building the kernel. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Fixes: aa132ffb6b0a ("input: touchscreen: resistive-adc-touch: add generic resistive ADC touchscreen") Signed-off-by: Necip Fazil Yildiran Acked-by: Jonathan Cameron Link: https://lore.kernel.org/r/20201102221504.541279-1-fazilyildiran@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 9a4b4a06addf4a88b66efcedad900ce2a2a39845 Author: Fabio Estevam Date: Thu Nov 5 18:13:20 2020 -0300 ARM: dts: imx50-evk: Fix the chip select 1 IOMUX [ Upstream commit 33d0d843872c5ddbe28457a92fc6f2487315fb9f ] The SPI chip selects are represented as: cs-gpios = <&gpio4 11 GPIO_ACTIVE_LOW>, <&gpio4 13 GPIO_ACTIVE_LOW>; , which means that they are used in GPIO function instead of native SPI mode. Fix the IOMUX for the chip select 1 to use GPIO4_13 instead of the native CSPI_SSI function. Fixes: c605cbf5e135 ("ARM: dts: imx: add device tree support for Freescale imx50evk board") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 58e4f34f52a49b6173cccc5da794db7f47c66427 Author: Lucas Stach Date: Thu Nov 5 18:06:12 2020 +0100 arm64: dts: imx8mm: fix voltage for 1.6GHz CPU operating point [ Upstream commit d19d2152ca055baf20339cfacbf039c2cfb8d936 ] The datasheet for both the industrial and consumer variant of the SoC lists a typical voltage of 0.95V for the 1.6GHz CPU operating point. Fixes: e85c9d0faa75 (arm64: dts: imx8mm: Add cpufreq properties) Signed-off-by: Lucas Stach Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit fd278c6359ac7cb8bfe9458858f7760523c440bc Author: Stephen Rothwell Date: Mon Nov 2 12:43:27 2020 +1100 swiotlb: using SIZE_MAX needs limits.h included [ Upstream commit f51778db088b2407ec177f2f4da0f6290602aa3f ] After merging the drm-misc tree, linux-next build (arm multi_v7_defconfig) failed like this: In file included from drivers/gpu/drm/nouveau/nouveau_ttm.c:26: include/linux/swiotlb.h: In function 'swiotlb_max_mapping_size': include/linux/swiotlb.h:99:9: error: 'SIZE_MAX' undeclared (first use in this function) 99 | return SIZE_MAX; | ^~~~~~~~ include/linux/swiotlb.h:7:1: note: 'SIZE_MAX' is defined in header ''; did you forget to '#include '? 6 | #include +++ |+#include 7 | #include include/linux/swiotlb.h:99:9: note: each undeclared identifier is reported only once for each function it appears in 99 | return SIZE_MAX; | ^~~~~~~~ Caused by commit abe420bfae52 ("swiotlb: Introduce swiotlb_max_mapping_size()") but only exposed by commit "drm/nouveu: fix swiotlb include" Fix it by including linux/limits.h as appropriate. Fixes: abe420bfae52 ("swiotlb: Introduce swiotlb_max_mapping_size()") Signed-off-by: Stephen Rothwell Link: https://lore.kernel.org/r/20201102124327.2f82b2a7@canb.auug.org.au Signed-off-by: Michael S. Tsirkin Signed-off-by: Sasha Levin commit cfee2333791a9b80a0312a5d1b9eb5b7e417de35 Author: Sergey Matyukevich Date: Sat Oct 24 23:11:20 2020 +0300 arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy [ Upstream commit 7dd8f0ba88fce98e2953267a66af74c6f4792a56 ] Commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") fixed micrel phy driver adding proper support for phy modes. Adapt imx6q-udoo board phy settings : explicitly set required delay configuration using "rgmii-id". Fixes: cbd54fe0b2bc ("ARM: dts: imx6dl-udoo: Add board support based off imx6q-udoo") Signed-off-by: Sergey Matyukevich Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit a8d6ae10e9fce896749bd81b092e84ec273a0774 Author: Adam Ford Date: Thu Oct 8 13:33:00 2020 -0500 arm64: dts imx8mn: Remove non-existent USB OTG2 [ Upstream commit cf5abb0132193767c07c83e06f91b777d22ba495 ] According to the i.MX8MN TRM, there is only one OTG port. The address for OTG2 is reserved on Nano. This patch removes the non-existent OTG2, usbphynop2, and the usbmisc2 nodes. Fixes: 6c3debcbae47 ("arm64: dts: freescale: Add i.MX8MN dtsi support") Signed-off-by: Adam Ford Reviewed-by: Krzysztof Kozlowski Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b94479198240f68a47e916719efd02489b5f2b62 Author: Nenad Peric Date: Wed Oct 28 12:58:17 2020 +0100 arm64: dts: allwinner: h5: OrangePi Prime: Fix ethernet node [ Upstream commit 107954afc5df667da438644aa4982606663f9b17 ] RX and TX delay are provided by ethernet PHY. Reflect that in ethernet node. Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes") Signed-off-by: Nenad Peric Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201028115817.68113-1-nperic@gmail.com Signed-off-by: Sasha Levin commit cab227c19cd11b19f43f0b20a71f37f56c70cf4b Author: Randy Dunlap Date: Fri Oct 23 12:44:40 2020 -0700 MIPS: export has_transparent_hugepage() for modules [ Upstream commit 31b4d8e172f614adc53ddecb4b6b2f6411a49b84 ] MIPS should export its local version of "has_transparent_hugepage" so that loadable modules (dax) can use it. Fixes this build error: ERROR: modpost: "has_transparent_hugepage" [drivers/dax/dax.ko] undefined! Fixes: fd8cfd300019 ("arch: fix has_transparent_hugepage()") Reported-by: kernel test robot Signed-off-by: Randy Dunlap Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: Dan Williams Cc: Vishal Verma Cc: Dave Jiang Cc: linux-nvdimm@lists.01.org Cc: Hugh Dickins Cc: Andrew Morton Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 93f23689129f49f39a8952a5e31b6ab7776907ea Author: Dan Carpenter Date: Mon Oct 26 17:10:09 2020 -0700 Input: adxl34x - clean up a data type in adxl34x_probe() [ Upstream commit 33b6c39e747c552fa770eecebd1776f1f4a222b1 ] The "revid" is used to store negative error codes so it should be an int type. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Dan Carpenter Acked-by: Michael Hennerich Link: https://lore.kernel.org/r/20201026072824.GA1620546@mwanda Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 29dea2b91871077c134c083a62c1a9676ae1264b Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:15 2020 +0800 arm64: dts: allwinner: a64: bananapi-m64: Enable RGMII RX/TX delay on PHY [ Upstream commit 1a9a8910b2153cd3c4f3f2f8defcb853ead3b1fd ] The Ethernet PHY on the Bananapi M64 has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: e7295499903d ("arm64: allwinner: bananapi-m64: Enable dwmac-sun8i") Fixes: 94f442886711 ("arm64: dts: allwinner: A64: Restore EMAC changes") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Corentin Labbe Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-10-wens@kernel.org Signed-off-by: Sasha Levin commit 794a13015fb61494330f6583e6f08015aa395484 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:13 2020 +0800 ARM: dts: sunxi: bananapi-m2-plus: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit 3914160ffc0bf762d6d605d4b27036b7b89367ea ] The Ethernet PHY on the Bananapi M2+ has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 8c7ba536e709 ("ARM: sun8i: bananapi-m2-plus: Enable dwmac-sun8i") Fixes: 4904337fe34f ("ARM: dts: sunxi: Restore EMAC changes (boards)") Fixes: aa8fee415f46 ("ARM: dts: sun8i: h3: Split out non-SoC-specific parts of Bananapi M2 Plus") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Jernej Skrabec Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-8-wens@kernel.org Signed-off-by: Sasha Levin commit c6e7f6bdcbaa0ec4063247d930b4dcfeb9b84fca Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:12 2020 +0800 ARM: dts: sun9i: Enable both RGMII RX/TX delay on Ethernet PHY [ Upstream commit b1064037e8ecf09d587b7b4966eebe0c362908e5 ] The Ethernet PHY on the Cubieboard 4 and A80 Optimus have the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 98048143b7f8 ("ARM: dts: sun9i: cubieboard4: Enable GMAC") Fixes: bc9bd03a44f9 ("ARM: dts: sun9i: a80-optimus: Enable GMAC") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-7-wens@kernel.org Signed-off-by: Sasha Levin commit 6cb50545fe31e53c8a179bfaff397fb68000f934 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:11 2020 +0800 ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY [ Upstream commit 57dbe558457bf4042169bc1f334e3b53a8480a1c ] The Ethernet PHY on the Bananapi M3 and Cubietruck Plus have the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 039359948a4b ("ARM: dts: sun8i: a83t: Enable Ethernet on two boards") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-6-wens@kernel.org Signed-off-by: Sasha Levin commit cecaad1d3f48f3f4f027ca270ed86c4bf77156d6 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:10 2020 +0800 ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit e080ab31a0aa126b0a7e4f67f2b01b371b852c88 ] The Ethernet PHY on the Orange Pi Plus 2E has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 4904337fe34f ("ARM: dts: sunxi: Restore EMAC changes (boards)") Fixes: 7a78ef92cdc5 ("ARM: sun8i: h3: Enable EMAC with external PHY on Orange Pi Plus 2E") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Jernej Skrabec Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-5-wens@kernel.org Signed-off-by: Sasha Levin commit ec268dd970a58aa0bb223017e9cd1aadcd3c0350 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:09 2020 +0800 ARM: dts: sun7i: bananapi-m1-plus: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit f94f78bd93f567c022f594589dbeecdf59931365 ] The Ethernet PHY on the Bananapi M1+ has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 04c85ecad32a ("ARM: dts: sun7i: Add dts file for Bananapi M1 Plus board") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-4-wens@kernel.org Signed-off-by: Sasha Levin commit 303691562f8f16aed15d6142de8ecfd4382d7d08 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:08 2020 +0800 ARM: dts: sun7i: cubietruck: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit 353c3de1303fc93032164402c0eb8550ecd6f154 ] The Ethernet PHY on the Cubietruck has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 67073d97672d ("ARM: dts: sun7i: cubietruck: Enable the GMAC") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Emilio López Reviewed-by: Emilio López Link: https://lore.kernel.org/r/20201024162515.30032-3-wens@kernel.org Signed-off-by: Sasha Levin commit b55bc15117d6674044facc5c4a8018976597316f Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:07 2020 +0800 ARM: dts: sun6i: a31-hummingbird: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit e76724153f5b4539802cc21b2c6131058668a1c6 ] The Ethernet PHY on the A31 Hummingbird has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: c220aec2bb79 ("ARM: dts: sun6i: Add Merrii A31 Hummingbird support") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-2-wens@kernel.org Signed-off-by: Sasha Levin commit 260ceb0c4aa6f2106cccdb6a7e49201f3e93588b Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:06 2020 +0800 Revert "arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high" [ Upstream commit 8d80e2f00a42ef10b54e1b2d9e97314f8fd046c0 ] This reverts commit 75ee680cbd2e4d0156b94f9fec50076361ab12f2. Turns out the activity and link LEDs on the RJ45 port are active low, just like on the Orange Pi PC. Revert the commit that says otherwise. Fixes: 75ee680cbd2e ("arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high") Fixes: 4904337fe34f ("ARM: dts: sunxi: Restore EMAC changes (boards)") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Jernej Skrabec Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-1-wens@kernel.org Signed-off-by: Sasha Levin commit 1446255d8600d6e8d33dbc92708cc14f96c18023 Author: Jernej Skrabec Date: Sun Oct 25 09:19:49 2020 +0100 ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node [ Upstream commit b3eec3212e66ece33f69be0de98d54e67834e798 ] Ethernet PHY on BananaPi M2 Ultra provides RX and TX delays. Fix ethernet node to reflect that fact. Fixes: c36fd5a48bd2 ("ARM: dts: sun8i: r40: bananapi-m2-ultra: Enable GMAC ethernet controller") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201025081949.783443-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit 31c4a413971b00f0851291d833325aa131c55787 Author: Jernej Skrabec Date: Fri Oct 23 20:48:58 2020 +0200 arm64: dts: allwinner: h5: OrangePi PC2: Fix ethernet node [ Upstream commit b34bf9f6a623ddb82600a5ed5c644224122395e1 ] RX and TX delay are provided by ethernet PHY. Reflect that in ethernet node. Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201023184858.3272918-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit 345d06f5853f7d5b25ee4f16e950b23d583c0fdf Author: Jernej Skrabec Date: Thu Oct 22 23:13:01 2020 +0200 arm64: dts: allwinner: a64: Pine64 Plus: Fix ethernet node [ Upstream commit 927f42fcc1b4f7d04a2ac5cf02f25612aa8923a4 ] According to board schematic, PHY provides both, RX and TX delays. However, according to "fix" Realtek provided for this board, only TX delay should be provided by PHY. Tests show that both variants work but TX only PHY delay works slightly better. Update ethernet node to reflect the fact that PHY provides TX delay. Fixes: 94f442886711 ("arm64: dts: allwinner: A64: Restore EMAC changes") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201022211301.3548422-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit 96bde11bf2b225fe21527b6bbcefc9f679401515 Author: Jernej Skrabec Date: Thu Oct 22 20:58:39 2020 +0200 arm64: dts: allwinner: a64: OrangePi Win: Fix ethernet node [ Upstream commit d7cdff444579e6659459b2fe04340ebb27628d5e ] RX/TX delay on OrangePi Win board is set on PHY. Reflect that in ethernet node. Fixes: 93d6a27cfcc0 ("arm64: dts: allwinner: a64: Orange Pi Win: Add Ethernet node") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201022185839.2779245-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit ba6ebc22844dff91a7f3301695f8a8c7cc2584cb Author: Corentin Labbe Date: Mon Oct 19 06:34:49 2020 +0000 arm64: dts: allwinner: Pine H64: Enable both RGMII RX/TX delay [ Upstream commit 419c65f5000a6c25597ea52488528d75b287cbd0 ] Since commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"), the network is unusable on PineH64 model A. This is due to phy-mode incorrectly set to rgmii instead of rgmii-id. Fixes: 729e1ffcf47e ("arm64: allwinner: h6: add support for the Ethernet on Pine H64") Signed-off-by: Corentin Labbe Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201019063449.33316-1-clabbe@baylibre.com Signed-off-by: Sasha Levin commit 79de663dcb110bd9f6d813eb008f7cd81f87eea3 Author: Clément Péron Date: Sun Oct 18 19:24:09 2020 +0200 arm64: dts: allwinner: beelink-gs1: Enable both RGMII RX/TX delay [ Upstream commit 97a38c1c213b162aa577299de698f39c18ba696b ] Before the commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"), the software overwrite for RX/TX delays of the RTL8211e were not working properly and the Beelink GS1 had both RX/TX delay of RGMII interface set using pull-up on the TXDLY and RXDLY pins. Now that these delays are working properly they overwrite the HW config and set this to 'rgmii' meaning no delay on both RX/TX. This makes the ethernet of this board not working anymore. Set the phy-mode to 'rgmii-id' meaning RGMII with RX/TX delays in the device-tree to keep the correct configuration. Fixes: 089bee8dd119 ("arm64: dts: allwinner: h6: Introduce Beelink GS1 board") Signed-off-by: Clément Péron Signed-off-by: Maxime Ripard Acked-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20201018172409.1754775-1-peron.clem@gmail.com Signed-off-by: Sasha Levin commit 8afc6e00a1d1b569e5628a8171a277dec7e17928 Author: Paul Barker Date: Wed Nov 11 16:46:43 2020 +0000 hwmon: (pwm-fan) Fix RPM calculation [ Upstream commit fd8feec665fef840277515a5c2b9b7c3e3970fad ] To convert the number of pulses counted into an RPM estimation, we need to divide by the width of our measurement interval instead of multiplying by it. If the width of the measurement interval is zero we don't update the RPM value to avoid dividing by zero. We also don't need to do 64-bit division, with 32-bits we can handle a fan running at over 4 million RPM. Signed-off-by: Paul Barker Link: https://lore.kernel.org/r/20201111164643.7087-1-pbarker@konsulko.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit e240b43268870b981da9eabb361e04d121e4586b Author: Zhang Qilong Date: Sun Nov 8 17:27:41 2020 +0800 gfs2: fix possible reference leak in gfs2_check_blk_type [ Upstream commit bc923818b190c8b63c91a47702969c8053574f5b ] In the fail path of gfs2_check_blk_type, forgetting to call gfs2_glock_dq_uninit will result in rgd_gh reference leak. Signed-off-by: Zhang Qilong Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 195f9e1a5457e7d0a24fc59ec698c1f6b9770220 Author: Darrick J. Wong Date: Tue Nov 10 16:49:29 2020 -0800 vfs: remove lockdep bogosity in __sb_start_write [ Upstream commit 22843291efc986ce7722610073fcf85a39b4cb13 ] __sb_start_write has some weird looking lockdep code that claims to exist to handle nested freeze locking requests from xfs. The code as written seems broken -- if we think we hold a read lock on any of the higher freeze levels (e.g. we hold SB_FREEZE_WRITE and are trying to lock SB_FREEZE_PAGEFAULT), it converts a blocking lock attempt into a trylock. However, it's not correct to downgrade a blocking lock attempt to a trylock unless the downgrading code or the callers are prepared to deal with that situation. Neither __sb_start_write nor its callers handle this at all. For example: sb_start_pagefault ignores the return value completely, with the result that if xfs_filemap_fault loses a race with a different thread trying to fsfreeze, it will proceed without pagefault freeze protection (thereby breaking locking rules) and then unlocks the pagefault freeze lock that it doesn't own on its way out (thereby corrupting the lock state), which leads to a system hang shortly afterwards. Normally, this won't happen because our ownership of a read lock on a higher freeze protection level blocks fsfreeze from grabbing a write lock on that higher level. *However*, if lockdep is offline, lock_is_held_type unconditionally returns 1, which means that percpu_rwsem_is_held returns 1, which means that __sb_start_write unconditionally converts blocking freeze lock attempts into trylocks, even when we *don't* hold anything that would block a fsfreeze. Apparently this all held together until 5.10-rc1, when bugs in lockdep caused lockdep to shut itself off early in an fstests run, and once fstests gets to the "race writes with freezer" tests, kaboom. This might explain the long trail of vanishingly infrequent livelocks in fstests after lockdep goes offline that I've never been able to diagnose. We could fix it by spinning on the trylock if wait==true, but AFAICT the locking works fine if lockdep is not built at all (and I didn't see any complaints running fstests overnight), so remove this snippet entirely. NOTE: Commit f4b554af9931 in 2015 created the current weird logic (which used to exist in a different form in commit 5accdf82ba25c from 2012) in __sb_start_write. XFS solved this whole problem in the late 2.6 era by creating a variant of transactions (XFS_TRANS_NO_WRITECOUNT) that don't grab intwrite freeze protection, thus making lockdep's solution unnecessary. The commit claims that Dave Chinner explained that the trylock hack + comment could be removed, but nobody ever did. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Jan Kara Signed-off-by: Sasha Levin commit 54d11983c29cf78a354c01cbb6551c68dfc25e64 Author: Will Deacon Date: Fri Nov 6 10:25:49 2020 +0000 arm64: smp: Tell RCU about CPUs that fail to come online [ Upstream commit 04e613ded8c26489b3e0f9101b44462f780d1a35 ] Commit ce3d31ad3cac ("arm64/smp: Move rcu_cpu_starting() earlier") ensured that RCU is informed early about incoming CPUs that might end up calling into printk() before they are online. However, if such a CPU fails the early CPU feature compatibility checks in check_local_cpu_capabilities(), then it will be powered off or parked without informing RCU, leading to an endless stream of stalls: | rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: | rcu: 2-O...: (0 ticks this GP) idle=002/1/0x4000000000000000 softirq=0/0 fqs=2593 | (detected by 0, t=5252 jiffies, g=9317, q=136) | Task dump for CPU 2: | task:swapper/2 state:R running task stack: 0 pid: 0 ppid: 1 flags:0x00000028 | Call trace: | ret_from_fork+0x0/0x30 Ensure that the dying CPU invokes rcu_report_dead() prior to being powered off or parked. Cc: Qian Cai Cc: "Paul E. McKenney" Reviewed-by: Paul E. McKenney Suggested-by: Qian Cai Link: https://lore.kernel.org/r/20201105222242.GA8842@willie-the-truck Link: https://lore.kernel.org/r/20201106103602.9849-3-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit e8df8c25aa0507e82a1ecf949f215ca4a6916207 Author: Will Deacon Date: Fri Nov 6 09:57:55 2020 +0000 arm64: psci: Avoid printing in cpu_psci_cpu_die() [ Upstream commit 891deb87585017d526b67b59c15d38755b900fea ] cpu_psci_cpu_die() is called in the context of the dying CPU, which will no longer be online or tracked by RCU. It is therefore not generally safe to call printk() if the PSCI "cpu off" request fails, so remove the pr_crit() invocation. Cc: Qian Cai Cc: "Paul E. McKenney" Cc: Catalin Marinas Link: https://lore.kernel.org/r/20201106103602.9849-2-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 71eea3d3df94ccdcf3b616d27d68d6c028c1968f Author: Will Deacon Date: Fri Nov 6 11:14:26 2020 +0000 arm64: errata: Fix handling of 1418040 with late CPU onlining [ Upstream commit f969f03888b9438fdb227b6460d99ede5737326d ] In a surprising turn of events, it transpires that CPU capabilities configured as ARM64_CPUCAP_WEAK_LOCAL_CPU_FEATURE are never set as the result of late-onlining. Therefore our handling of erratum 1418040 does not get activated if it is not required by any of the boot CPUs, even though we allow late-onlining of an affected CPU. In order to get things working again, replace the cpus_have_const_cap() invocation with an explicit check for the current CPU using this_cpu_has_cap(). Cc: Sai Prakash Ranjan Cc: Stephen Boyd Cc: Catalin Marinas Cc: Mark Rutland Reviewed-by: Suzuki K Poulose Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20201106114952.10032-1-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit e6f6e52acb962c40f77c116c21a501de3e114e17 Author: Hans de Goede Date: Sat Nov 7 14:32:54 2020 +0100 ACPI: button: Add DMI quirk for Medion Akoya E2228T [ Upstream commit 7daaa06357bf7f1874b62bb1ea9d66a51d4e567e ] The Medion Akoya E2228T's ACPI _LID implementation is quite broken, it has the same issues as the one from the Medion Akoya E2215T: 1. For notifications it uses an ActiveLow Edge GpioInt, rather then an ActiveBoth one, meaning that the device is only notified when the lid is closed, not when it is opened. 2. Matching with this its _LID method simply always returns 0 (closed) In order for the Linux LID code to work properly with this implementation, the lid_init_state selection needs to be set to ACPI_BUTTON_LID_INIT_OPEN, add a DMI quirk for this. While working on this I also found out that the MD60### part of the model number differs per country/batch while all of the E2215T and E2228T models have this issue, so also remove the " MD60198" part from the E2215T quirk. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 58ced37417899a98947f8ca24798443a0a9db099 Author: Aaron Lewis Date: Mon Oct 12 12:47:13 2020 -0700 selftests: kvm: Fix the segment descriptor layout to match the actual layout [ Upstream commit df11f7dd5834146defa448acba097e8d7703cc42 ] Fix the layout of 'struct desc64' to match the layout described in the SDM Vol 3, Chapter 3 "Protected-Mode Memory Management", section 3.4.5 "Segment Descriptors", Figure 3-8 "Segment Descriptor". The test added later in this series relies on this and crashes if this layout is not correct. Signed-off-by: Aaron Lewis Reviewed-by: Alexander Graf Message-Id: <20201012194716.3950330-2-aaronlewis@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 8ebc41496f6e892627d40fe8273766e131bee8c9 Author: Can Guo Date: Mon Nov 2 22:24:39 2020 -0800 scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() [ Upstream commit da3fecb0040324c08f1587e5bff1f15f36be1872 ] The scsi_block_reqs_cnt increased in ufshcd_hold() is supposed to be decreased back in ufshcd_ungate_work() in a paired way. However, if specific ufshcd_hold/release sequences are met, it is possible that scsi_block_reqs_cnt is increased twice but only one ungate work is queued. To make sure scsi_block_reqs_cnt is handled by ufshcd_hold() and ufshcd_ungate_work() in a paired way, increase it only if queue_work() returns true. Link: https://lore.kernel.org/r/1604384682-15837-2-git-send-email-cang@codeaurora.org Reviewed-by: Hongwu Su Reviewed-by: Stanley Chu Reviewed-by: Bean Huo Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e06dfd53a42ab8e269f034be50cc526aa48bb147 Author: Jianqun Xu Date: Tue Oct 13 14:37:30 2020 +0800 pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq [ Upstream commit 63fbf8013b2f6430754526ef9594f229c7219b1f ] There need to enable pclk_gpio when do irq_create_mapping, since it will do access to gpio controller. Signed-off-by: Jianqun Xu Reviewed-by: Heiko Stuebner Reviewed-by: Kever Yang Link: https://lore.kernel.org/r/20201013063731.3618-3-jay.xu@rock-chips.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9865a26c96203a8f8253ea35de5e7547857d4395 Author: Joel Stanley Date: Tue Nov 17 13:14:48 2020 +1030 net: ftgmac100: Fix crash when removing driver [ Upstream commit 3d5179458d22dc0b4fdc724e4bed4231a655112a ] When removing the driver we would hit BUG_ON(!list_empty(&dev->ptype_specific)) in net/core/dev.c due to still having the NC-SI packet handler registered. # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/unbind ------------[ cut here ]------------ kernel BUG at net/core/dev.c:10254! Internal error: Oops - BUG: 0 [#1] SMP ARM CPU: 0 PID: 115 Comm: sh Not tainted 5.10.0-rc3-next-20201111-00007-g02e0365710c4 #46 Hardware name: Generic DT based system PC is at netdev_run_todo+0x314/0x394 LR is at cpumask_next+0x20/0x24 pc : [<806f5830>] lr : [<80863cb0>] psr: 80000153 sp : 855bbd58 ip : 00000001 fp : 855bbdac r10: 80c03d00 r9 : 80c06228 r8 : 81158c54 r7 : 00000000 r6 : 80c05dec r5 : 80c05d18 r4 : 813b9280 r3 : 813b9054 r2 : 8122c470 r1 : 00000002 r0 : 00000002 Flags: Nzcv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none Control: 00c5387d Table: 85514008 DAC: 00000051 Process sh (pid: 115, stack limit = 0x7cb5703d) ... Backtrace: [<806f551c>] (netdev_run_todo) from [<80707eec>] (rtnl_unlock+0x18/0x1c) r10:00000051 r9:854ed710 r8:81158c54 r7:80c76bb0 r6:81158c10 r5:8115b410 r4:813b9000 [<80707ed4>] (rtnl_unlock) from [<806f5db8>] (unregister_netdev+0x2c/0x30) [<806f5d8c>] (unregister_netdev) from [<805a8180>] (ftgmac100_remove+0x20/0xa8) r5:8115b410 r4:813b9000 [<805a8160>] (ftgmac100_remove) from [<805355e4>] (platform_drv_remove+0x34/0x4c) Fixes: bd466c3fb5a4 ("net/faraday: Support NCSI mode") Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20201117024448.1170761-1-joel@jms.id.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 3f0ccca2729b7a6dbc0de2d3257c2c7b5ef12994 Author: Joel Stanley Date: Thu Nov 12 16:42:10 2020 +1030 net/ncsi: Fix netlink registration [ Upstream commit 1922a46b8c18cb09d33e06a6cc2e43844ac1b9d0 ] If a user unbinds and re-binds a NC-SI aware driver the kernel will attempt to register the netlink interface at runtime. The structure is marked __ro_after_init so registration fails spectacularly at this point. # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/unbind # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/bind ftgmac100 1e660000.ethernet: Read MAC address 52:54:00:12:34:56 from chip ftgmac100 1e660000.ethernet: Using NCSI interface 8<--- cut here --- Unable to handle kernel paging request at virtual address 80a8f858 pgd = 8c768dd6 [80a8f858] *pgd=80a0841e(bad) Internal error: Oops: 80d [#1] SMP ARM CPU: 0 PID: 116 Comm: sh Not tainted 5.10.0-rc3-next-20201111-00003-gdd25b227ec1e #51 Hardware name: Generic DT based system PC is at genl_register_family+0x1f8/0x6d4 LR is at 0xff26ffff pc : [<8073f930>] lr : [] psr: 20000153 sp : 8553bc80 ip : 81406244 fp : 8553bd04 r10: 8085d12c r9 : 80a8f73c r8 : 85739000 r7 : 00000017 r6 : 80a8f860 r5 : 80c8ab98 r4 : 80a8f858 r3 : 00000000 r2 : 00000000 r1 : 81406130 r0 : 00000017 Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none Control: 00c5387d Table: 85524008 DAC: 00000051 Process sh (pid: 116, stack limit = 0x1f1988d6) ... Backtrace: [<8073f738>] (genl_register_family) from [<80860ac0>] (ncsi_init_netlink+0x20/0x48) r10:8085d12c r9:80c8fb0c r8:85739000 r7:00000000 r6:81218000 r5:85739000 r4:8121c000 [<80860aa0>] (ncsi_init_netlink) from [<8085d740>] (ncsi_register_dev+0x1b0/0x210) r5:8121c400 r4:8121c000 [<8085d590>] (ncsi_register_dev) from [<805a8060>] (ftgmac100_probe+0x6e0/0x778) r10:00000004 r9:80950228 r8:8115bc10 r7:8115ab00 r6:9eae2c24 r5:813b6f88 r4:85739000 [<805a7980>] (ftgmac100_probe) from [<805355ec>] (platform_drv_probe+0x58/0xa8) r9:80c76bb0 r8:00000000 r7:80cd4974 r6:80c76bb0 r5:8115bc10 r4:00000000 [<80535594>] (platform_drv_probe) from [<80532d58>] (really_probe+0x204/0x514) r7:80cd4974 r6:00000000 r5:80cd4868 r4:8115bc10 Jakub pointed out that ncsi_register_dev is obviously broken, because there is only one family so it would never work if there was more than one ncsi netdev. Fix the crash by registering the netlink family once on boot, and drop the code to unregister it. Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family") Signed-off-by: Joel Stanley Reviewed-by: Samuel Mendoza-Jonas Link: https://lore.kernel.org/r/20201112061210.914621-1-joel@jms.id.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 9a1ac76ab15e2b0bdb17abad4668f9fd528e6722 Author: Filip Moc Date: Tue Nov 17 18:36:31 2020 +0100 net: usb: qmi_wwan: Set DTR quirk for MR400 [ Upstream commit df8d85d8c69d6837817e54dcb73c84a8b5a13877 ] LTE module MR400 embedded in TL-MR6400 v4 requires DTR to be set. Signed-off-by: Filip Moc Acked-by: Bjørn Mork Link: https://lore.kernel.org/r/20201117173631.GA550981@moc6.cz Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7204f0be5b5e8f93dff3c3d5cd4b3d3e4a1e8cf2 Author: Vladyslav Tarasiuk Date: Wed Oct 21 11:05:41 2020 +0300 net/mlx5: Disable QoS when min_rates on all VFs are zero [ Upstream commit 470b74758260e4abc2508cf1614573c00a00465c ] Currently when QoS is enabled for VF and any min_rate is configured, the driver sets bw_share value to at least 1 and doesn’t allow to set it to 0 to make minimal rate unlimited. It means there is always a minimal rate configured for every VF, even if user tries to remove it. In order to make QoS disable possible, check whether all vports have configured min_rate = 0. If this is true, set their bw_share to 0 to disable min_rate limitations. Fixes: c9497c98901c ("net/mlx5: Add support for setting VF min rate") Signed-off-by: Vladyslav Tarasiuk Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 3f9f112a6329f9c8aa0a2bb510a2194e8a280610 Author: Michael Guralnik Date: Mon Nov 2 17:34:44 2020 +0200 net/mlx5: Add handling of port type in rule deletion [ Upstream commit 8cbcc5ef2a281f6bb10099f4572a08cb765ffbf4 ] Handle destruction of rules with port destination type to enable full destruction of flow. Without this handling of TX rules the deletion of these rules fails. Dmesg of flow destruction failure: [ 203.714146] mlx5_core 0000:00:0b.0: mlx5_cmd_check:753:(pid 342): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0x144b7a) [ 210.547387] ------------[ cut here ]------------ [ 210.548663] refcount_t: decrement hit 0; leaking memory. [ 210.550651] WARNING: CPU: 4 PID: 342 at lib/refcount.c:31 refcount_warn_saturate+0x5c/0x110 [ 210.550654] Modules linked in: mlx5_ib mlx5_core ib_ipoib rdma_ucm rdma_cm iw_cm ib_cm ib_umad ib_uverbs ib_core [ 210.550675] CPU: 4 PID: 342 Comm: test Not tainted 5.8.0-rc2+ #116 [ 210.550678] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 210.550680] RIP: 0010:refcount_warn_saturate+0x5c/0x110 [ 210.550685] Code: c6 d1 1b 01 00 0f 84 ad 00 00 00 5b 5d c3 80 3d b5 d1 1b 01 00 75 f4 48 c7 c7 20 d1 15 82 c6 05 a5 d1 1b 01 01 e8 a7 eb af ff <0f> 0b eb dd 80 3d 99 d1 1b 01 00 75 d4 48 c7 c7 c0 cf 15 82 c6 05 [ 210.550687] RSP: 0018:ffff8881642e77e8 EFLAGS: 00010282 [ 210.550691] RAX: 0000000000000000 RBX: 0000000000000004 RCX: 0000000000000000 [ 210.550694] RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed102c85ceef [ 210.550696] RBP: ffff888161720428 R08: ffffffff8124c10e R09: ffffed103243beae [ 210.550698] R10: ffff8881921df56b R11: ffffed103243bead R12: ffff8881841b4180 [ 210.550701] R13: ffff888161720428 R14: ffff8881616d0000 R15: ffff888161720380 [ 210.550704] FS: 00007fc27f025740(0000) GS:ffff888192000000(0000) knlGS:0000000000000000 [ 210.550706] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 210.550708] CR2: 0000557e4b41a6a0 CR3: 0000000002415004 CR4: 0000000000360ea0 [ 210.550711] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 210.550713] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 210.550715] Call Trace: [ 210.550717] mlx5_del_flow_rules+0x484/0x490 [mlx5_core] [ 210.550720] ? mlx5_cmd_set_fte+0xa80/0xa80 [mlx5_core] [ 210.550722] mlx5_ib_destroy_flow+0x17f/0x280 [mlx5_ib] [ 210.550724] uverbs_free_flow+0x4c/0x90 [ib_uverbs] [ 210.550726] destroy_hw_idr_uobject+0x41/0xb0 [ib_uverbs] [ 210.550728] uverbs_destroy_uobject+0xaa/0x390 [ib_uverbs] [ 210.550731] __uverbs_cleanup_ufile+0x129/0x1b0 [ib_uverbs] [ 210.550733] ? uverbs_destroy_uobject+0x390/0x390 [ib_uverbs] [ 210.550735] uverbs_destroy_ufile_hw+0x78/0x190 [ib_uverbs] [ 210.550737] ib_uverbs_close+0x36/0x140 [ib_uverbs] [ 210.550739] __fput+0x181/0x380 [ 210.550741] task_work_run+0x88/0xd0 [ 210.550743] do_exit+0x5f6/0x13b0 [ 210.550745] ? sched_clock_cpu+0x30/0x140 [ 210.550747] ? is_current_pgrp_orphaned+0x70/0x70 [ 210.550750] ? lock_downgrade+0x360/0x360 [ 210.550752] ? mark_held_locks+0x1d/0x90 [ 210.550754] do_group_exit+0x8a/0x140 [ 210.550756] get_signal+0x20a/0xf50 [ 210.550758] do_signal+0x8c/0xbe0 [ 210.550760] ? hrtimer_nanosleep+0x1d8/0x200 [ 210.550762] ? nanosleep_copyout+0x50/0x50 [ 210.550764] ? restore_sigcontext+0x320/0x320 [ 210.550766] ? __hrtimer_init+0xf0/0xf0 [ 210.550768] ? timespec64_add_safe+0x150/0x150 [ 210.550770] ? mark_held_locks+0x1d/0x90 [ 210.550772] ? lockdep_hardirqs_on_prepare+0x14c/0x240 [ 210.550774] __prepare_exit_to_usermode+0x119/0x170 [ 210.550776] do_syscall_64+0x65/0x300 [ 210.550778] ? trace_hardirqs_off+0x10/0x120 [ 210.550781] ? mark_held_locks+0x1d/0x90 [ 210.550783] ? asm_sysvec_apic_timer_interrupt+0xa/0x20 [ 210.550785] ? lockdep_hardirqs_on+0x112/0x190 [ 210.550787] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 210.550789] RIP: 0033:0x7fc27f1cd157 [ 210.550791] Code: Bad RIP value. [ 210.550793] RSP: 002b:00007ffd4db27ea8 EFLAGS: 00000246 ORIG_RAX: 0000000000000023 [ 210.550798] RAX: fffffffffffffdfc RBX: ffffffffffffff80 RCX: 00007fc27f1cd157 [ 210.550800] RDX: 00007fc27f025740 RSI: 00007ffd4db27eb0 RDI: 00007ffd4db27eb0 [ 210.550803] RBP: 0000000000000016 R08: 0000000000000000 R09: 000000000000000e [ 210.550805] R10: 00007ffd4db27dc7 R11: 0000000000000246 R12: 0000000000400c00 [ 210.550808] R13: 00007ffd4db285f0 R14: 0000000000000000 R15: 0000000000000000 [ 210.550809] irq event stamp: 49399 [ 210.550812] hardirqs last enabled at (49399): [] console_unlock+0x556/0x6f0 [ 210.550815] hardirqs last disabled at (49398): [] console_unlock+0xb7/0x6f0 [ 210.550818] softirqs last enabled at (48706): [] __do_softirq+0x37b/0x60c [ 210.550820] softirqs last disabled at (48697): [] asm_call_on_stack+0xf/0x20 [ 210.550822] ---[ end trace ad18c0e6fa846454 ]--- [ 210.581862] mlx5_core 0000:00:0c.0: mlx5_destroy_flow_table:2132:(pid 342): Flow table 262150 wasn't destroyed, refcount > 1 Fixes: a7ee18bdee83 ("RDMA/mlx5: Allow creating a matcher for a NIC TX flow table") Signed-off-by: Michael Guralnik Reviewed-by: Mark Bloch Reviewed-by: Maor Gottlieb Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 3d6c81f9c96c28c6bf81498898610519288ac9a6 Author: Ryan Sharpelletti Date: Mon Nov 16 17:44:13 2020 +0000 tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate [ Upstream commit 1b9e2a8c99a5c021041bfb2d512dc3ed92a94ffd ] During loss recovery, retransmitted packets are forced to use TCP timestamps to calculate the RTT samples, which have a millisecond granularity. BBR is designed using a microsecond granularity. As a result, multiple RTT samples could be truncated to the same RTT value during loss recovery. This is problematic, as BBR will not enter PROBE_RTT if the RTT sample is <= the current min_rtt sample, meaning that if there are persistent losses, PROBE_RTT will constantly be pushed off and potentially never re-entered. This patch makes sure that BBR enters PROBE_RTT by checking if RTT sample is < the current min_rtt sample, rather than <=. The Netflix transport/TCP team discovered this bug in the Linux TCP BBR code during lab tests. Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control") Signed-off-by: Ryan Sharpelletti Signed-off-by: Neal Cardwell Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: Yuchung Cheng Link: https://lore.kernel.org/r/20201116174412.1433277-1-sharpelletti.kdev@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 04b7fd7609b3c9dde027eef81e506bd20df7f506 Author: Xin Long Date: Sat Nov 14 13:22:53 2020 +0800 sctp: change to hold/put transport for proto_unreach_timer [ Upstream commit 057a10fa1f73d745c8e69aa54ab147715f5630ae ] A call trace was found in Hangbin's Codenomicon testing with debug kernel: [ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp] [ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0 [ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0 [ 2616.191533] Call Trace: [ 2616.194265] [ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0 [ 2616.207336] slab_free_freelist_hook+0xeb/0x140 [ 2616.220971] kfree+0xd6/0x2c0 [ 2616.224293] rcu_do_batch+0x3bd/0xc70 [ 2616.243096] rcu_core+0x8b9/0xd00 [ 2616.256065] __do_softirq+0x23d/0xacd [ 2616.260166] irq_exit+0x236/0x2a0 [ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620 [ 2616.269138] apic_timer_interrupt+0xf/0x20 [ 2616.273711] This is because it holds asoc when transport->proto_unreach_timer starts and puts asoc when the timer stops, and without holding transport the transport could be freed when the timer is still running. So fix it by holding/putting transport instead for proto_unreach_timer in transport, just like other timers in transport. v1->v2: - Also use sctp_transport_put() for the "out_unlock:" path in sctp_generate_proto_unreach_event(), as Marcelo noticed. Fixes: 50b5d6ad6382 ("sctp: Fix a race between ICMP protocol unreachable and connect()") Reported-by: Hangbin Liu Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/102788809b554958b13b95d33440f5448113b8d6.1605331373.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 31790683293b75c149c5ce09293900e78159aa5a Author: Zhang Changzhong Date: Fri Nov 13 14:16:26 2020 +0800 qlcnic: fix error return code in qlcnic_83xx_restart_hw() [ Upstream commit 3beb9be165083c2964eba1923601c3bfac0b02d4 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 3ced0a88cd4c ("qlcnic: Add support to run firmware POST") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1605248186-16013-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5241fa6e7acdfd594853e4fc0a9436bdd28d8ef7 Author: Zhang Changzhong Date: Mon Nov 16 21:07:13 2020 +0800 qed: fix error return code in qed_iwarp_ll2_start() [ Upstream commit cb47d16ea21045c66eebbf5ed792e74a8537e27a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 469981b17a4f ("qed: Add unaligned and packed packet processing") Fixes: fcb39f6c10b2 ("qed: Add mpa buffer descriptors for storing and processing mpa fpdus") Fixes: 1e28eaad07ea ("qed: Add iWARP support for fpdu spanned over more than two tcp packets") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Acked-by: Michal Kalderon  Link: https://lore.kernel.org/r/1605532033-27373-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f8e5578dcaa71f9fbb0fe066d0941e02879b8aa3 Author: Dongli Zhang Date: Sun Nov 15 12:10:29 2020 -0800 page_frag: Recover from memory pressure [ Upstream commit d8c19014bba8f565d8a2f1f46b4e38d1d97bf1a7 ] The ethernet driver may allocate skb (and skb->data) via napi_alloc_skb(). This ends up to page_frag_alloc() to allocate skb->data from page_frag_cache->va. During the memory pressure, page_frag_cache->va may be allocated as pfmemalloc page. As a result, the skb->pfmemalloc is always true as skb->data is from page_frag_cache->va. The skb will be dropped if the sock (receiver) does not have SOCK_MEMALLOC. This is expected behaviour under memory pressure. However, once kernel is not under memory pressure any longer (suppose large amount of memory pages are just reclaimed), the page_frag_alloc() may still re-use the prior pfmemalloc page_frag_cache->va to allocate skb->data. As a result, the skb->pfmemalloc is always true unless page_frag_cache->va is re-allocated, even if the kernel is not under memory pressure any longer. Here is how kernel runs into issue. 1. The kernel is under memory pressure and allocation of PAGE_FRAG_CACHE_MAX_ORDER in __page_frag_cache_refill() will fail. Instead, the pfmemalloc page is allocated for page_frag_cache->va. 2: All skb->data from page_frag_cache->va (pfmemalloc) will have skb->pfmemalloc=true. The skb will always be dropped by sock without SOCK_MEMALLOC. This is an expected behaviour. 3. Suppose a large amount of pages are reclaimed and kernel is not under memory pressure any longer. We expect skb->pfmemalloc drop will not happen. 4. Unfortunately, page_frag_alloc() does not proactively re-allocate page_frag_alloc->va and will always re-use the prior pfmemalloc page. The skb->pfmemalloc is always true even kernel is not under memory pressure any longer. Fix this by freeing and re-allocating the page instead of recycling it. References: https://lore.kernel.org/lkml/20201103193239.1807-1-dongli.zhang@oracle.com/ References: https://lore.kernel.org/linux-mm/20201105042140.5253-1-willy@infradead.org/ Suggested-by: Matthew Wilcox (Oracle) Cc: Aruna Ramakrishna Cc: Bert Barbe Cc: Rama Nichanamatlu Cc: Venkat Venkatsubra Cc: Manjunath Patil Cc: Joe Jin Cc: SRINIVAS Fixes: 79930f5892e1 ("net: do not deplete pfmemalloc reserve") Signed-off-by: Dongli Zhang Acked-by: Vlastimil Babka Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20201115201029.11903-1-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f6f751cb315cd515f55e485802a09acbee1e0151 Author: Xie He Date: Thu Nov 12 02:35:06 2020 -0800 net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request [ Upstream commit 4ee18c179e5e815fa5575e0d2db0c05795a804ee ] The x25_disconnect function in x25_subr.c would decrease the refcount of "x25->neighbour" (struct x25_neigh) and reset this pointer to NULL. However, the x25_rx_call_request function in af_x25.c, which is called when we receive a connection request, does not increase the refcount when it assigns the pointer. Fix this issue by increasing the refcount of "struct x25_neigh" in x25_rx_call_request. This patch fixes frequent kernel crashes when using AF_X25 sockets. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Cc: Martin Schiller Signed-off-by: Xie He Link: https://lore.kernel.org/r/20201112103506.5875-1-xie.he.0141@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 9ecfcf48d7359498b8a52fc6ea64e4c202e26dad Author: Vadim Fedorenko Date: Sun Nov 15 07:16:00 2020 +0300 net/tls: fix corrupted data in recvmsg [ Upstream commit 3fe16edf6767decd640fa2654308bc64f8d656dc ] If tcp socket has more data than Encrypted Handshake Message then tls_sw_recvmsg will try to decrypt next record instead of returning full control message to userspace as mentioned in comment. The next message - usually Application Data - gets corrupted because it uses zero copy for decryption that's why the data is not stored in skb for next iteration. Revert check to not decrypt next record if current is not Application Data. Fixes: 692d7b5d1f91 ("tls: Fix recvmsg() to be able to peek across multiple records") Signed-off-by: Vadim Fedorenko Link: https://lore.kernel.org/r/1605413760-21153-1-git-send-email-vfedorenko@novek.ru Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 9e909956d0c758c35c9a58fc00c4e1c3b323485f Author: Karsten Graul Date: Wed Nov 18 22:40:38 2020 +0100 net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid() [ Upstream commit 41a0be3f8f6be893860b991eb10c47fc3ee09d7f ] Sparse complaints 3 times about: net/smc/smc_ib.c:203:52: warning: incorrect type in argument 1 (different address spaces) net/smc/smc_ib.c:203:52: expected struct net_device const *dev net/smc/smc_ib.c:203:52: got struct net_device [noderef] __rcu *const ndev Fix that by using the existing and validated ndev variable instead of accessing attr->ndev directly. Fixes: 5102eca9039b ("net/smc: Use rdma_read_gid_l2_fields to L2 fields") Signed-off-by: Karsten Graul Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ab1e4b3c406b588d5fe5a3e56b3ba54359881ead Author: Subash Abhinov Kasiviswanathan Date: Fri Nov 13 13:12:05 2020 -0700 net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup [ Upstream commit fc70f5bf5e525dde81565f0a30d5e39168062eba ] During rmnet unregistration, the real device rx_handler is first cleared followed by the removal of rx_handler_data after the rcu synchronization. Any packets in the receive path may observe that the rx_handler is NULL. However, there is no check when dereferencing this value to use the rmnet_port information. This fixes following splat by adding the NULL check. Unable to handle kernel NULL pointer dereference at virtual address 000000000000000d pc : rmnet_rx_handler+0x124/0x284 lr : rmnet_rx_handler+0x124/0x284 rmnet_rx_handler+0x124/0x284 __netif_receive_skb_core+0x758/0xd74 __netif_receive_skb+0x50/0x17c process_backlog+0x15c/0x1b8 napi_poll+0x88/0x284 net_rx_action+0xbc/0x23c __do_softirq+0x20c/0x48c Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") Signed-off-by: Sean Tranchetti Signed-off-by: Subash Abhinov Kasiviswanathan Link: https://lore.kernel.org/r/1605298325-3705-1-git-send-email-subashab@codeaurora.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 782a503a369c92fd1a2c1efe02cdc63bb0c48c17 Author: Aya Levin Date: Wed Nov 18 10:19:22 2020 +0200 net/mlx4_core: Fix init_hca fields offset [ Upstream commit 6d9c8d15af0ef20a66a0b432cac0d08319920602 ] Slave function read the following capabilities from the wrong offset: 1. log_mc_entry_sz 2. fs_log_entry_sz 3. log_mc_hash_sz Fix that by adjusting these capabilities offset to match firmware layout. Due to the wrong offset read, the following issues might occur: 1+2. Negative value reported at max_mcast_qp_attach. 3. Driver to init FW with multicast hash size of zero. Fixes: a40ded604365 ("net/mlx4_core: Add masking for a few queries on HCA caps") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Reviewed-by: Eran Ben Elisha Signed-off-by: Tariq Toukan Link: https://lore.kernel.org/r/20201118081922.553-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 75b2b0d38068c3359eb4006acfbb77e3aef6e69e Author: Martin Blumenstingl Date: Sun Nov 15 17:57:57 2020 +0100 net: lantiq: Wait for the GPHY firmware to be ready [ Upstream commit 2a1828e378c1b5ba1ff283ed8f8c5cc37bb391dc ] A user reports (slightly shortened from the original message): libphy: lantiq,xrx200-mdio: probed mdio_bus 1e108000.switch-mii: MDIO device at address 17 is missing. gswip 1e108000.switch lan: no phy at 2 gswip 1e108000.switch lan: failed to connect to port 2: -19 lantiq,xrx200-net 1e10b308.eth eth0: error -19 setting up slave phy This is a single-port board using the internal Fast Ethernet PHY. The user reports that switching to PHY scanning instead of configuring the PHY within device-tree works around this issue. The documentation for the standalone variant of the PHY11G (which is probably very similar to what is used inside the xRX200 SoCs but having the firmware burnt onto that standalone chip in the factory) states that the PHY needs 300ms to be ready for MDIO communication after releasing the reset. Add a 300ms delay after initializing all GPHYs to ensure that the GPHY firmware had enough time to initialize and to appear on the MDIO bus. Unfortunately there is no (known) documentation on what the minimum time to wait after releasing the reset on an internal PHY so play safe and take the one for the external variant. Only wait after the last GPHY firmware is loaded to not slow down the initialization too much ( xRX200 has two GPHYs but newer SoCs have at least three GPHYs). Fixes: 14fceff4771e51 ("net: dsa: Add Lantiq / Intel DSA driver for vrx200") Reviewed-by: Andrew Lunn Signed-off-by: Martin Blumenstingl Acked-by: Hauke Mehrtens Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20201115165757.552641-1-martin.blumenstingl@googlemail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 65a596ec63aa5bb58e7f9f2f4404f52c9fe5c6b6 Author: Paul Moore Date: Fri Nov 13 16:30:40 2020 -0500 netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() [ Upstream commit 1ba86d4366e023d96df3dbe415eea7f1dc08c303 ] Static checking revealed that a previous fix to netlbl_unlabel_staticlist() leaves a stack variable uninitialized, this patches fixes that. Fixes: 866358ec331f ("netlabel: fix our progress tracking in netlbl_unlabel_staticlist()") Reported-by: Dan Carpenter Signed-off-by: Paul Moore Reviewed-by: James Morris Link: https://lore.kernel.org/r/160530304068.15651.18355773009751195447.stgit@sifl Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d9704891f531e6c54c1cc071533b2f87efbd4a72 Author: Paul Moore Date: Sun Nov 8 09:08:26 2020 -0500 netlabel: fix our progress tracking in netlbl_unlabel_staticlist() [ Upstream commit 866358ec331f8faa394995fb4b511af1db0247c8 ] The current NetLabel code doesn't correctly keep track of the netlink dump state in some cases, in particular when multiple interfaces with large configurations are loaded. The problem manifests itself by not reporting the full configuration to userspace, even though it is loaded and active in the kernel. This patch fixes this by ensuring that the dump state is properly reset when necessary inside the netlbl_unlabel_staticlist() function. Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections") Signed-off-by: Paul Moore Link: https://lore.kernel.org/r/160484450633.3752.16512718263560813473.stgit@sifl Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 99ddc32116534e24dc09a72955c0004ec27dcb11 Author: Florian Fainelli Date: Mon Nov 16 19:52:34 2020 -0800 net: Have netpoll bring-up DSA management interface [ Upstream commit 1532b9778478577152201adbafa7738b1e844868 ] DSA network devices rely on having their DSA management interface up and running otherwise their ndo_open() will return -ENETDOWN. Without doing this it would not be possible to use DSA devices as netconsole when configured on the command line. These devices also do not utilize the upper/lower linking so the check about the netpoll device having upper is not going to be a problem. The solution adopted here is identical to the one done for net/ipv4/ipconfig.c with 728c02089a0e ("net: ipv4: handle DSA enabled master network devices"), with the network namespace scope being restricted to that of the process configuring netpoll. Fixes: 04ff53f96a93 ("net: dsa: Add netconsole support") Tested-by: Vladimir Oltean Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20201117035236.22658-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit bd17af3cf3144a047374add757fa26a42395c28e Author: Zhang Changzhong Date: Fri Nov 13 14:49:33 2020 +0800 net: ethernet: ti: cpsw: fix error return code in cpsw_probe() [ Upstream commit 35f735c665114840dcd3142f41148d07870f51f7 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 83a8471ba255 ("net: ethernet: ti: cpsw: refactor probe to group common hw initialization") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1605250173-18438-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 27e9ca6c82a09221ce1a5286d12217d357340bd3 Author: Tobias Waldekranz Date: Thu Nov 12 12:43:35 2020 +0100 net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 [ Upstream commit 92307069a96c07d9b6e74b96b79390e7cd7d2111 ] As soon as you add the second port to a VLAN, all other port membership configuration is overwritten with zeroes. The HW interprets this as all ports being "unmodified members" of the VLAN. In the simple case when all ports belong to the same VLAN, switching will still work. But using multiple VLANs or trying to set multiple ports as tagged members will not work. On the 6352, doing a VTU GetNext op, followed by an STU GetNext op will leave you with both the member- and state- data in the VTU/STU data registers. But on the 6097 (which uses the same implementation), the STU GetNext will override the information gathered from the VTU GetNext. Separate the two stages, parsing the result of the VTU GetNext before doing the STU GetNext. We opt to update the existing implementation for all applicable chips, as opposed to creating a separate callback for 6097, because although the previous implementation did work for (at least) 6352, the datasheet does not mention the masking behavior. Fixes: ef6fcea37f01 ("net: dsa: mv88e6xxx: get STU entry on VTU GetNext") Signed-off-by: Tobias Waldekranz Link: https://lore.kernel.org/r/20201112114335.27371-1-tobias@waldekranz.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 805dfdb26e5462e6aec7d2f940fb6ffac4a35950 Author: Heiner Kallweit Date: Fri Nov 13 10:27:27 2020 +0100 net: bridge: add missing counters to ndo_get_stats64 callback [ Upstream commit 7a30ecc9237681bb125cbd30eee92bef7e86293d ] In br_forward.c and br_input.c fields dev->stats.tx_dropped and dev->stats.multicast are populated, but they are ignored in ndo_get_stats64. Fixes: 28172739f0a2 ("net: fix 64 bit counters on 32 bit arches") Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/58ea9963-77ad-a7cf-8dfd-fc95ab95f606@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit fa03d6177be77698eaba49b3e94804e7071b7ea1 Author: Zhang Changzhong Date: Tue Nov 17 11:02:11 2020 +0800 net: b44: fix error return code in b44_init_one() [ Upstream commit 7b027c249da54f492699c43e26cba486cfd48035 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 39a6f4bce6b4 ("b44: replace the ssb_dma API with the generic DMA API") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Reviewed-by: Michael Chan Link: https://lore.kernel.org/r/1605582131-36735-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 78b9c4a8e338768b9f1927c8612edb8f72504fd4 Author: Ido Schimmel Date: Tue Nov 17 19:33:52 2020 +0200 mlxsw: core: Use variable timeout for EMAD retries [ Upstream commit 1f492eab67bced119a0ac7db75ef2047e29a30c6 ] The driver sends Ethernet Management Datagram (EMAD) packets to the device for configuration purposes and waits for up to 200ms for a reply. A request is retried up to 5 times. When the system is under heavy load, replies are not always processed in time and EMAD transactions fail. Make the process more robust to such delays by using exponential backoff. First wait for up to 200ms, then retransmit and wait for up to 400ms and so on. Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access") Reported-by: Denis Yulevich Tested-by: Denis Yulevich Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c35a7de217cea1b3ab75802c7235a26ea8609c71 Author: Sven Van Asbroeck Date: Thu Nov 12 15:47:41 2020 -0500 lan743x: prevent entire kernel HANG on open, for some platforms [ Upstream commit 796a2665ca3e91ebaba7222f76fd9a035714e2d8 ] On arm imx6, when opening the chip's netdev, the whole Linux kernel intermittently hangs/freezes. This is caused by a bug in the driver code which tests if pcie interrupts are working correctly, using the software interrupt: 1. open: enable the software interrupt 2. open: tell the chip to assert the software interrupt 3. open: wait for flag 4. ISR: acknowledge s/w interrupt, set flag 5. open: notice flag, disable the s/w interrupt, continue Unfortunately the ISR only acknowledges the s/w interrupt, but does not disable it. This will re-trigger the ISR in a tight loop. On some (lucky) platforms, open proceeds to disable the s/w interrupt even while the ISR is 'spinning'. On arm imx6, the spinning ISR does not allow open to proceed, resulting in a hung Linux kernel. Fix minimally by disabling the s/w interrupt in the ISR, which will prevent it from spinning. This won't break anything because the s/w interrupt is used as a one-shot interrupt. Note that this is a minimal fix, overlooking many possible cleanups, e.g.: - lan743x_intr_software_isr() is completely redundant and reads INT_STS twice for no apparent reason - disabling the s/w interrupt in lan743x_intr_test_isr() is now redundant, but harmless - waiting on software_isr_flag can be converted from a sleeping poll loop to wait_event_timeout() Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") Tested-by: Sven Van Asbroeck # arm imx6 lan7430 Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201112204741.12375-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5c7a00aa05d6bacc128e63df89aa321020fcab45 Author: Sven Van Asbroeck Date: Thu Nov 12 13:59:49 2020 -0500 lan743x: fix issue causing intermittent kernel log warnings [ Upstream commit e35df62e04cc6fc4b9d90d054732f138349ff9b1 ] When running this chip on arm imx6, we intermittently observe the following kernel warning in the log, especially when the system is under high load: [ 50.119484] ------------[ cut here ]------------ [ 50.124377] WARNING: CPU: 0 PID: 303 at kernel/softirq.c:169 __local_bh_enable_ip+0x100/0x184 [ 50.132925] IRQs not enabled as expected [ 50.159250] CPU: 0 PID: 303 Comm: rngd Not tainted 5.7.8 #1 [ 50.164837] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 50.171395] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 50.179162] [] (show_stack) from [] (dump_stack+0xac/0xd8) [ 50.186408] [] (dump_stack) from [] (__warn+0xd0/0x10c) [ 50.193391] [] (__warn) from [] (warn_slowpath_fmt+0x98/0xc4) [ 50.200892] [] (warn_slowpath_fmt) from [] (__local_bh_enable_ip+0x100/0x184) [ 50.209860] [] (__local_bh_enable_ip) from [] (destroy_conntrack+0x48/0xd8 [nf_conntrack]) [ 50.220038] [] (destroy_conntrack [nf_conntrack]) from [] (nf_conntrack_destroy+0x94/0x168) [ 50.230160] [] (nf_conntrack_destroy) from [] (skb_release_head_state+0xa0/0xd0) [ 50.239314] [] (skb_release_head_state) from [] (skb_release_all+0xc/0x24) [ 50.247946] [] (skb_release_all) from [] (consume_skb+0x74/0x17c) [ 50.255796] [] (consume_skb) from [] (lan743x_tx_release_desc+0x120/0x124) [ 50.264428] [] (lan743x_tx_release_desc) from [] (lan743x_tx_napi_poll+0x5c/0x18c) [ 50.273755] [] (lan743x_tx_napi_poll) from [] (net_rx_action+0x118/0x4a4) [ 50.282306] [] (net_rx_action) from [] (__do_softirq+0x13c/0x53c) [ 50.290157] [] (__do_softirq) from [] (irq_exit+0x150/0x17c) [ 50.297575] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb0) [ 50.305423] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90) [ 50.313790] [] (gic_handle_irq) from [] (__irq_usr+0x54/0x80) [ 50.321287] Exception stack(0xecd99fb0 to 0xecd99ff8) [ 50.326355] 9fa0: 1cf1aa74 00000001 00000001 00000000 [ 50.334547] 9fc0: 00000001 00000000 00000000 00000000 00000000 00000000 00004097 b6d17d14 [ 50.342738] 9fe0: 00000001 b6d17c60 00000000 b6e71f94 800b0010 ffffffff [ 50.349364] irq event stamp: 2525027 [ 50.352955] hardirqs last enabled at (2525026): [] net_rx_action+0xb4/0x4a4 [ 50.360892] hardirqs last disabled at (2525027): [] _raw_spin_lock_irqsave+0x1c/0x50 [ 50.369517] softirqs last enabled at (2524660): [] __do_softirq+0x38c/0x53c [ 50.377446] softirqs last disabled at (2524693): [] irq_exit+0x150/0x17c [ 50.385027] ---[ end trace c0b571db4bc8087d ]--- The driver is calling dev_kfree_skb() from code inside a spinlock, where h/w interrupts are disabled. This is forbidden, as documented in include/linux/netdevice.h. The correct function to use dev_kfree_skb_irq(), or dev_kfree_skb_any(). Fix by using the correct dev_kfree_skb_xxx() functions: in lan743x_tx_release_desc(): called by lan743x_tx_release_completed_descriptors() called by in lan743x_tx_napi_poll() which holds a spinlock called by lan743x_tx_release_all_descriptors() called by lan743x_tx_close() which can-sleep conclusion: use dev_kfree_skb_any() in lan743x_tx_xmit_frame(): which holds a spinlock conclusion: use dev_kfree_skb_irq() in lan743x_tx_close(): which can-sleep conclusion: use dev_kfree_skb() in lan743x_rx_release_ring_element(): called by lan743x_rx_close() which can-sleep called by lan743x_rx_open() which can-sleep conclusion: use dev_kfree_skb() Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201112185949.11315-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 88a5a3e1530c51b4e46ab36b49f7cdbe6d381105 Author: Zhang Qilong Date: Thu Nov 12 16:09:50 2020 +0800 ipv6: Fix error path to cancel the meseage [ Upstream commit ceb736e1d45c253f5e86b185ca9b497cdd43063f ] genlmsg_cancel() needs to be called in the error path of inet6_fill_ifmcaddr and inet6_fill_ifacaddr to cancel the message. Fixes: 6ecf4c37eb3e ("ipv6: enable IFA_TARGET_NETNSID for RTM_GETADDR") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201112080950.1476302-1-zhangqilong3@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0e8b0213dc60371172da2ae61b37c1310dde4b8a Author: Wang Hai Date: Mon Nov 16 16:20:18 2020 +0800 inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() [ Upstream commit e33de7c5317e2827b2ba6fd120a505e9eb727b05 ] nlmsg_cancel() needs to be called in the error path of inet_req_diag_fill to cancel the message. Fixes: d545caca827b ("net: inet: diag: expose the socket mark to privileged processes.") Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201116082018.16496-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e5fe052c065d8074106bc8b68aed88deffe9c5cf Author: Jeff Dike Date: Thu Nov 12 20:58:15 2020 -0500 Exempt multicast addresses from five-second neighbor lifetime [ Upstream commit 8cf8821e15cd553339a5b48ee555a0439c2b2742 ] Commit 58956317c8de ("neighbor: Improve garbage collection") guarantees neighbour table entries a five-second lifetime. Processes which make heavy use of multicast can fill the neighour table with multicast addresses in five seconds. At that point, neighbour entries can't be GC-ed because they aren't five seconds old yet, the kernel log starts to fill up with "neighbor table overflow!" messages, and sends start to fail. This patch allows multicast addresses to be thrown out before they've lived out their five seconds. This makes room for non-multicast addresses and makes messages to all addresses more reliable in these circumstances. Fixes: 58956317c8de ("neighbor: Improve garbage collection") Signed-off-by: Jeff Dike Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20201113015815.31397-1-jdike@akamai.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 2894a07110c66022555226ecfb087c3d6504643e Author: Wang Hai Date: Fri Nov 13 19:16:22 2020 +0800 devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() [ Upstream commit 849920c703392957f94023f77ec89ca6cf119d43 ] If sb_occ_port_pool_get() failed in devlink_nl_sb_port_pool_fill(), msg should be canceled by genlmsg_cancel(). Fixes: df38dafd2559 ("devlink: implement shared buffer occupancy monitoring interface") Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201113111622.11040-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit bedb089dcbf76fdfc00188a0355dc14f689d71df Author: Edwin Peer Date: Sun Nov 15 19:27:49 2020 -0500 bnxt_en: read EEPROM A2h address using page 0 [ Upstream commit 4260330b32b14330cfe427d568ac5f5b29b5be3d ] The module eeprom address range returned by bnxt_get_module_eeprom() should be 256 bytes of A0h address space, the lower half of the A2h address space, and page 0 for the upper half of the A2h address space. Fix the firmware call by passing page_number 0 for the A2h slave address space. Fixes: 42ee18fe4ca2 ("bnxt_en: Add Support for ETHTOOL_GMODULEINFO and ETHTOOL_GMODULEEEPRO") Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 362bd03af5893f28e754d832df9d90bf89aee092 Author: Sebastian Andrzej Siewior Date: Mon Nov 16 17:21:14 2020 +0100 atm: nicstar: Unmap DMA on send error [ Upstream commit 6dceaa9f56e22d0f9b4c4ad2ed9e04e315ce7fe5 ] The `skb' is mapped for DMA in ns_send() but does not unmap DMA in case push_scqe() fails to submit the `skb'. The memory of the `skb' is released so only the DMA mapping is leaking. Unmap the DMA mapping in case push_scqe() failed. Fixes: 864a3ff635fa7 ("atm: [nicstar] remove virt_to_bus() and support 64-bit platforms") Cc: Chas Williams <3chas3@gmail.com> Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b2f95ff764c01fb0934d3f067de342f304db9377 Author: Zhang Changzhong Date: Tue Nov 17 10:45:05 2020 +0800 ah6: fix error return code in ah6_input() [ Upstream commit a5ebcbdf34b65fcc07f38eaf2d60563b42619a59 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1605581105-35295-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman