commit 89bb11da843beec4a6004ef7ecfa44b83a68b56c Author: Greg Kroah-Hartman Date: Wed Dec 2 08:52:03 2020 +0100 Linux 5.9.12 Tested-by: Jon Hunter Tested-by: Jeffrin Jose T Tested-by: Guenter Roeck Tested-by: Linux Kernel Functional Testing https://lore.kernel.org/lkml/20201201084711.707195422@linuxfoundation.org/ Signed-off-by: Greg Kroah-Hartman commit e411ba93ba641189ef6f4a71504478221154046e Author: Likun Gao Date: Wed Sep 30 14:34:08 2020 +0800 drm/amdgpu: add rlc iram and dram firmware support commit 843c7eb2f7571aa092a8ea010c80e8d94c197f67 upstream. Support to load RLC iram and dram ucode when RLC firmware struct use v2.2 Signed-off-by: Likun Gao Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit c39c19b367cbac540247dc4bd4da573e31b45746 Author: Xiaochen Shen Date: Sat Oct 31 03:11:28 2020 +0800 x86/resctrl: Add necessary kernfs_put() calls to prevent refcount leak commit 758999246965eeb8b253d47e72f7bfe508804b16 upstream. On resource group creation via a mkdir an extra kernfs_node reference is obtained by kernfs_get() to ensure that the rdtgroup structure remains accessible for the rdtgroup_kn_unlock() calls where it is removed on deletion. Currently the extra kernfs_node reference count is only dropped by kernfs_put() in rdtgroup_kn_unlock() while the rdtgroup structure is removed in a few other locations that lack the matching reference drop. In call paths of rmdir and umount, when a control group is removed, kernfs_remove() is called to remove the whole kernfs nodes tree of the control group (including the kernfs nodes trees of all child monitoring groups), and then rdtgroup structure is freed by kfree(). The rdtgroup structures of all child monitoring groups under the control group are freed by kfree() in free_all_child_rdtgrp(). Before calling kfree() to free the rdtgroup structures, the kernfs node of the control group itself as well as the kernfs nodes of all child monitoring groups still take the extra references which will never be dropped to 0 and the kernfs nodes will never be freed. It leads to reference count leak and kernfs_node_cache memory leak. For example, reference count leak is observed in these two cases: (1) mount -t resctrl resctrl /sys/fs/resctrl mkdir /sys/fs/resctrl/c1 mkdir /sys/fs/resctrl/c1/mon_groups/m1 umount /sys/fs/resctrl (2) mkdir /sys/fs/resctrl/c1 mkdir /sys/fs/resctrl/c1/mon_groups/m1 rmdir /sys/fs/resctrl/c1 The same reference count leak issue also exists in the error exit paths of mkdir in mkdir_rdt_prepare() and rdtgroup_mkdir_ctrl_mon(). Fix this issue by following changes to make sure the extra kernfs_node reference on rdtgroup is dropped before freeing the rdtgroup structure. (1) Introduce rdtgroup removal helper rdtgroup_remove() to wrap up kernfs_put() and kfree(). (2) Call rdtgroup_remove() in rdtgroup removal path where the rdtgroup structure is about to be freed by kfree(). (3) Call rdtgroup_remove() or kernfs_put() as appropriate in the error exit paths of mkdir where an extra reference is taken by kernfs_get(). Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") Fixes: e02737d5b826 ("x86/intel_rdt: Add tasks files") Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system") Reported-by: Willem de Bruijn Signed-off-by: Xiaochen Shen Signed-off-by: Borislav Petkov Reviewed-by: Reinette Chatre Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1604085088-31707-1-git-send-email-xiaochen.shen@intel.com Signed-off-by: Greg Kroah-Hartman commit 2510f2ffaccd932a2717f774375fc374c05effbe Author: Xiaochen Shen Date: Sat Oct 31 03:10:53 2020 +0800 x86/resctrl: Remove superfluous kernfs_get() calls to prevent refcount leak commit fd8d9db3559a29fd737bcdb7c4fcbe1940caae34 upstream. Willem reported growing of kernfs_node_cache entries in slabtop when repeatedly creating and removing resctrl subdirectories as well as when repeatedly mounting and unmounting the resctrl filesystem. On resource group (control as well as monitoring) creation via a mkdir an extra kernfs_node reference is obtained to ensure that the rdtgroup structure remains accessible for the rdtgroup_kn_unlock() calls where it is removed on deletion. The kernfs_node reference count is dropped by kernfs_put() in rdtgroup_kn_unlock(). With the above explaining the need for one kernfs_get()/kernfs_put() pair in resctrl there are more places where a kernfs_node reference is obtained without a corresponding release. The excessive amount of reference count on kernfs nodes will never be dropped to 0 and the kernfs nodes will never be freed in the call paths of rmdir and umount. It leads to reference count leak and kernfs_node_cache memory leak. Remove the superfluous kernfs_get() calls and expand the existing comments surrounding the remaining kernfs_get()/kernfs_put() pair that remains in use. Superfluous kernfs_get() calls are removed from two areas: (1) In call paths of mount and mkdir, when kernfs nodes for "info", "mon_groups" and "mon_data" directories and sub-directories are created, the reference count of newly created kernfs node is set to 1. But after kernfs_create_dir() returns, superfluous kernfs_get() are called to take an additional reference. (2) kernfs_get() calls in rmdir call paths. Fixes: 17eafd076291 ("x86/intel_rdt: Split resource group removal in two") Fixes: 4af4a88e0c92 ("x86/intel_rdt/cqm: Add mount,umount support") Fixes: f3cbeacaa06e ("x86/intel_rdt/cqm: Add rmdir support") Fixes: d89b7379015f ("x86/intel_rdt/cqm: Add mon_data") Fixes: c7d9aac61311 ("x86/intel_rdt/cqm: Add mkdir support for RDT monitoring") Fixes: 5dc1d5c6bac2 ("x86/intel_rdt: Simplify info and base file lists") Fixes: 60cf5e101fd4 ("x86/intel_rdt: Add mkdir to resctrl file system") Fixes: 4e978d06dedb ("x86/intel_rdt: Add "info" files to resctrl file system") Reported-by: Willem de Bruijn Signed-off-by: Xiaochen Shen Signed-off-by: Borislav Petkov Reviewed-by: Reinette Chatre Tested-by: Willem de Bruijn Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/1604085053-31639-1-git-send-email-xiaochen.shen@intel.com Signed-off-by: Greg Kroah-Hartman commit 63ad714f15d1a6bc44fd58677250459fc3472d02 Author: Anand K Mistry Date: Tue Nov 10 12:33:53 2020 +1100 x86/speculation: Fix prctl() when spectre_v2_user={seccomp,prctl},ibpb commit 33fc379df76b4991e5ae312f07bcd6820811971e upstream. When spectre_v2_user={seccomp,prctl},ibpb is specified on the command line, IBPB is force-enabled and STIPB is conditionally-enabled (or not available). However, since 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") the spectre_v2_user_ibpb variable is set to SPECTRE_V2_USER_{PRCTL,SECCOMP} instead of SPECTRE_V2_USER_STRICT, which is the actual behaviour. Because the issuing of IBPB relies on the switch_mm_*_ibpb static branches, the mitigations behave as expected. Since 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP") this discrepency caused the misreporting of IB speculation via prctl(). On CPUs with STIBP always-on and spectre_v2_user=seccomp,ibpb, prctl(PR_GET_SPECULATION_CTRL) would return PR_SPEC_PRCTL | PR_SPEC_ENABLE instead of PR_SPEC_DISABLE since both IBPB and STIPB are always on. It also allowed prctl(PR_SET_SPECULATION_CTRL) to set the IB speculation mode, even though the flag is ignored. Similarly, for CPUs without SMT, prctl(PR_GET_SPECULATION_CTRL) should also return PR_SPEC_DISABLE since IBPB is always on and STIBP is not available. [ bp: Massage commit message. ] Fixes: 21998a351512 ("x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.") Fixes: 1978b3a53a74 ("x86/speculation: Allow IBPB to be conditionally enabled on CPUs with always-on STIBP") Signed-off-by: Anand K Mistry Signed-off-by: Borislav Petkov Cc: Link: https://lkml.kernel.org/r/20201110123349.1.Id0cbf996d2151f4c143c90f9028651a5b49a5908@changeid Signed-off-by: Greg Kroah-Hartman commit c30b19ac6caecbdb7d57e769cc0fc18dd468ea97 Author: Gabriele Paoloni Date: Fri Nov 27 16:18:15 2020 +0000 x86/mce: Do not overwrite no_way_out if mce_end() fails commit 25bc65d8ddfc17cc1d7a45bd48e9bdc0e729ced3 upstream. Currently, if mce_end() fails, no_way_out - the variable denoting whether the machine can recover from this MCE - is determined by whether the worst severity that was found across the MCA banks associated with the current CPU, is of panic severity. However, at this point no_way_out could have been already set by mca_start() after looking at all severities of all CPUs that entered the MCE handler. If mce_end() fails, check first if no_way_out is already set and, if so, stick to it, otherwise use the local worst value. [ bp: Massage. ] Signed-off-by: Gabriele Paoloni Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Cc: Link: https://lkml.kernel.org/r/20201127161819.3106432-2-gabriele.paoloni@intel.com Signed-off-by: Greg Kroah-Hartman commit 4e184c914a74753a4a8ebd235af45da2e433f0b3 Author: Chen Baozi Date: Tue Nov 17 11:20:15 2020 +0800 irqchip/exiu: Fix the index of fwspec for IRQ type commit d001e41e1b15716e9b759df5ef00510699f85282 upstream. Since fwspec->param_count of ACPI node is two, the index of IRQ type in fwspec->param[] should be 1 rather than 2. Fixes: 3d090a36c8c8 ("irqchip/exiu: Implement ACPI support") Signed-off-by: Chen Baozi Signed-off-by: Marc Zyngier Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20201117032015.11805-1-cbz@baozis.org Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 1617bb15cedd1c1a2ea04a7dc1d9b2b6241fb882 Author: Zhang Qilong Date: Tue Nov 17 10:16:29 2020 +0800 usb: gadget: Fix memleak in gadgetfs_fill_super commit 87bed3d7d26c974948a3d6e7176f304b2d41272b upstream. usb_get_gadget_udc_name will alloc memory for CHIP in "Enomem" branch. we should free it before error returns to prevent memleak. Fixes: 175f712119c57 ("usb: gadget: provide interface for legacy gadgets to get UDC name") Reported-by: Hulk Robot Acked-by: Alan Stern Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201117021629.1470544-3-zhangqilong3@huawei.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 444dd51b88917eec7c46a892520656c84c2b0ef8 Author: penghao Date: Wed Nov 18 20:30:39 2020 +0800 USB: quirks: Add USB_QUIRK_DISCONNECT_SUSPEND quirk for Lenovo A630Z TIO built-in usb-audio card commit 9ca57518361418ad5ae7dc38a2128fbf4855e1a2 upstream. Add a USB_QUIRK_DISCONNECT_SUSPEND quirk for the Lenovo TIO built-in usb-audio. when A630Z going into S3,the system immediately wakeup 7-8 seconds later by usb-audio disconnect interrupt to avoids the issue. eg dmesg: .... [ 626.974091 ] usb 7-1.1: USB disconnect, device number 3 .... .... [ 1774.486691] usb 7-1.1: new full-speed USB device number 5 using xhci_hcd [ 1774.947742] usb 7-1.1: New USB device found, idVendor=17ef, idProduct=a012, bcdDevice= 0.55 [ 1774.956588] usb 7-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [ 1774.964339] usb 7-1.1: Product: Thinkcentre TIO24Gen3 for USB-audio [ 1774.970999] usb 7-1.1: Manufacturer: Lenovo [ 1774.975447] usb 7-1.1: SerialNumber: 000000000000 [ 1775.048590] usb 7-1.1: 2:1: cannot get freq at ep 0x1 ....... Seeking a better fix, we've tried a lot of things, including: - Check that the device's power/wakeup is disabled - Check that remote wakeup is off at the USB level - All the quirks in drivers/usb/core/quirks.c e.g. USB_QUIRK_RESET_RESUME, USB_QUIRK_RESET, USB_QUIRK_IGNORE_REMOTE_WAKEUP, USB_QUIRK_NO_LPM. but none of that makes any difference. There are no errors in the logs showing any suspend/resume-related issues. When the system wakes up due to the modem, log-wise it appears to be a normal resume. Introduce a quirk to disable the port during suspend when the modem is detected. Signed-off-by: penghao Link: https://lore.kernel.org/r/20201118123039.11696-1-penghao@uniontech.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit df373b6f01448f0d9cfc6637e12d03f987fe1c85 Author: Alan Stern Date: Thu Nov 19 12:00:40 2020 -0500 USB: core: Fix regression in Hercules audio card commit 184eead057cc7e803558269babc1f2cfb9113ad1 upstream. Commit 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") aimed to make the USB stack more reliable by detecting and skipping over endpoints that are duplicated between interfaces. This caused a regression for a Hercules audio card (reported as Bugzilla #208357), which contains such non-compliant duplications. Although the duplications are harmless, skipping the valid endpoints prevented the device from working. This patch fixes the regression by adding ENDPOINT_IGNORE quirks for the Hercules card, telling the kernel to ignore the invalid duplicate endpoints and thereby allowing the valid endpoints to be used as intended. Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") CC: Reported-by: Alexander Chalikiopoulos Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20201119170040.GA576844@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit bb92cf0bc99aa1f60a7e4241701f7c396e918fbc Author: Zhang Qilong Date: Tue Nov 17 10:16:28 2020 +0800 usb: gadget: f_midi: Fix memleak in f_midi_alloc commit e7694cb6998379341fd9bf3bd62b48c4e6a79385 upstream. In the error path, if midi is not null, we should free the midi->id if necessary to prevent memleak. Fixes: b85e9de9e818d ("usb: gadget: f_midi: convert to new function interface with backward compatibility") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201117021629.1470544-2-zhangqilong3@huawei.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit b09dd77c6f15413d976616d1197f0a6f231127e8 Author: Alan Stern Date: Thu Nov 19 12:02:28 2020 -0500 USB: core: Change %pK for __user pointers to %px commit f3bc432aa8a7a2bfe9ebb432502be5c5d979d7fe upstream. Commit 2f964780c03b ("USB: core: replace %p with %pK") used the %pK format specifier for a bunch of __user pointers. But as the 'K' in the specifier indicates, it is meant for kernel pointers. The reason for the %pK specifier is to avoid leaks of kernel addresses, but when the pointer is to an address in userspace the security implications are minimal. In particular, no kernel information is leaked. This patch changes the __user %pK specifiers (used in a bunch of debugging output lines) to %px, which will always print the actual address with no mangling. (Notably, there is no printk format specifier particularly intended for __user pointers.) Fixes: 2f964780c03b ("USB: core: replace %p with %pK") CC: Vamsi Krishna Samavedam CC: Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20201119170228.GB576844@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit 794451c393ff407fcebcadb7e0711fe27e916d1d Author: Nathan Chancellor Date: Fri Nov 13 11:07:02 2020 -0700 spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe commit d853b3406903a7dc5b14eb5bada3e8cd677f66a2 upstream. Clang warns: drivers/spi/spi-bcm2835aux.c:532:50: warning: variable 'err' is uninitialized when used here [-Wuninitialized] dev_err(&pdev->dev, "could not get clk: %d\n", err); ^~~ ./include/linux/dev_printk.h:112:32: note: expanded from macro 'dev_err' _dev_err(dev, dev_fmt(fmt), ##__VA_ARGS__) ^~~~~~~~~~~ drivers/spi/spi-bcm2835aux.c:495:9: note: initialize the variable 'err' to silence this warning int err; ^ = 0 1 warning generated. Restore the assignment so that the error value can be used in the dev_err statement and there is no uninitialized memory being leaked. Fixes: e13ee6cc4781 ("spi: bcm2835aux: Fix use-after-free on unbind") Link: https://github.com/ClangBuiltLinux/linux/issues/1199 Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20201113180701.455541-1-natechancellor@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9d0515370447253836160b25337a48f36388c359 Author: Masami Hiramatsu Date: Fri Nov 27 14:48:46 2020 +0900 perf probe: Fix to die_entrypc() returns error correctly [ Upstream commit ab4200c17ba6fe71d2da64317aae8a8aa684624c ] Fix die_entrypc() to return error correctly if the DIE has no DW_AT_ranges attribute. Since dwarf_ranges() will treat the case as an empty ranges and return 0, we have to check it by ourselves. Fixes: 91e2f539eeda ("perf probe: Fix to show function entry line as probe-able") Signed-off-by: Masami Hiramatsu Cc: Sumanth Korikkar Cc: Thomas Richter Link: http://lore.kernel.org/lkml/160645612634.2824037.5284932731175079426.stgit@devnote2 Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit cf15299f99c18103e966c33ebb99d8a88761694a Author: Namhyung Kim Date: Fri Nov 27 13:14:03 2020 +0900 perf stat: Use proper cpu for shadow stats [ Upstream commit c0ee1d5ae8c8650031badcfca6483a28c0f94f38 ] Currently perf stat shows some metrics (like IPC) for defined events. But when no aggregation mode is used (-A option), it shows incorrect values since it used a value from a different cpu. Before: $ perf stat -aA -e cycles,instructions sleep 1 Performance counter stats for 'system wide': CPU0 116,057,380 cycles CPU1 86,084,722 cycles CPU2 99,423,125 cycles CPU3 98,272,994 cycles CPU0 53,369,217 instructions # 0.46 insn per cycle CPU1 33,378,058 instructions # 0.29 insn per cycle CPU2 58,150,086 instructions # 0.50 insn per cycle CPU3 40,029,703 instructions # 0.34 insn per cycle 1.001816971 seconds time elapsed So the IPC for CPU1 should be 0.38 (= 33,378,058 / 86,084,722) but it was 0.29 (= 33,378,058 / 116,057,380) and so on. After: $ perf stat -aA -e cycles,instructions sleep 1 Performance counter stats for 'system wide': CPU0 109,621,384 cycles CPU1 159,026,454 cycles CPU2 99,460,366 cycles CPU3 124,144,142 cycles CPU0 44,396,706 instructions # 0.41 insn per cycle CPU1 120,195,425 instructions # 0.76 insn per cycle CPU2 44,763,978 instructions # 0.45 insn per cycle CPU3 69,049,079 instructions # 0.56 insn per cycle 1.001910444 seconds time elapsed Fixes: 44d49a600259 ("perf stat: Support metrics in --per-core/socket mode") Reported-by: Sam Xi Signed-off-by: Namhyung Kim Reviewed-by: Andi Kleen Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Ian Rogers Cc: Mark Rutland Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/20201127041404.390276-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fe49e7cbdfd5b630126228cd97ea329ec016f704 Author: Namhyung Kim Date: Fri Nov 27 14:43:56 2020 +0900 perf record: Synthesize cgroup events only if needed [ Upstream commit aa50d953c169e876413bf237319e728dd41d9fdd ] It didn't check the tool->cgroup_events bit which is set when the --all-cgroups option is given. Without it, samples will not have cgroup info so no reason to synthesize. We can check the PERF_RECORD_CGROUP records after running perf record *WITHOUT* the --all-cgroups option: Before: $ perf report -D | grep CGROUP 0 0 0x8430 [0x38]: PERF_RECORD_CGROUP cgroup: 1 / CGROUP events: 1 CGROUP events: 0 CGROUP events: 0 After: $ perf report -D | grep CGROUP CGROUP events: 0 CGROUP events: 0 CGROUP events: 0 Committer testing: Before: # perf record -a sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 2.208 MB perf.data (10003 samples) ] # perf report -D | grep "CGROUP events" CGROUP events: 146 CGROUP events: 0 CGROUP events: 0 # After: # perf record -a sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 2.208 MB perf.data (10448 samples) ] # perf report -D | grep "CGROUP events" CGROUP events: 0 CGROUP events: 0 CGROUP events: 0 # With all-cgroups: # perf record --all-cgroups -a sleep 1 [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 2.374 MB perf.data (11526 samples) ] # perf report -D | grep "CGROUP events" CGROUP events: 146 CGROUP events: 0 CGROUP events: 0 # Fixes: 8fb4b67939e16 ("perf record: Add --all-cgroups option") Signed-off-by: Namhyung Kim Tested-by: Arnaldo Carvalho de Melo Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Ian Rogers Cc: Mark Rutland Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/20201127054356.405481-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit a6ac2cacf50b5bd97bd3f3ab34915be77d6dc5ee Author: Marc Kleine-Budde Date: Tue Nov 24 19:47:38 2020 +0100 can: m_can: fix nominal bitiming tseg2 min for version >= 3.1 [ Upstream commit e3409e4192535fbcc86a84b7a65d9351f46039ec ] At lest the revision 3.3.0 of the bosch m_can IP core specifies that valid register values for "Nominal Time segment after sample point (NTSEG2)" are from 1 to 127. As the hardware uses a value of one more than the programmed value, mean tseg2_min is 2. This patch fixes the tseg2_min value accordingly. Cc: Dan Murphy Cc: Mario Huettel Acked-by: Sriram Dash Link: https://lore.kernel.org/r/20201124190751.3972238-1-mkl@pengutronix.de Fixes: b03cfc5bb0e1 ("can: m_can: Enable M_CAN version dependent initialization") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit b34b36a5359729ba8d74844480f39b720fd2ba26 Author: Marc Kleine-Budde Date: Fri Nov 27 08:35:12 2020 +0100 can: m_can: m_can_open(): remove IRQF_TRIGGER_FALLING from request_threaded_irq()'s flags [ Upstream commit 865f5b671b48d0088ce981cff1e822d9f7da441f ] The threaded IRQ handler is used for the tcan4x5x driver only. The IRQ pin of the tcan4x5x controller is active low, so better not use IRQF_TRIGGER_FALLING when requesting the IRQ. As this can result in missing interrupts. Further, if the device tree specified the interrupt as "IRQ_TYPE_LEVEL_LOW", unloading and reloading of the driver results in the following error during ifup: | irq: type mismatch, failed to map hwirq-31 for gpio@20a8000! | tcan4x5x spi1.1: m_can device registered (irq=0, version=32) | tcan4x5x spi1.1 can2: TCAN4X5X successfully initialized. | tcan4x5x spi1.1 can2: failed to request interrupt This patch fixes the problem by removing the IRQF_TRIGGER_FALLING from the request_threaded_irq(). Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework") Cc: Dan Murphy Cc: Sriram Dash Cc: Pankaj Sharma Link: https://lore.kernel.org/r/20201127093548.509253-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit a84974f0e712dcf07051ca017bf2fd77ffc1b623 Author: Yixian Liu Date: Thu Nov 26 18:26:12 2020 +0800 RDMA/hns: Bugfix for memory window mtpt configuration [ Upstream commit 17475e104dcb74217c282781817f8f52b46130d3 ] When a memory window is bound to a memory region, the local write access should be set for its mtpt table. Fixes: c7c28191408b ("RDMA/hns: Add MW support for hip08") Link: https://lore.kernel.org/r/1606386372-21094-1-git-send-email-liweihang@huawei.com Signed-off-by: Yixian Liu Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c16cfa44478bb8738ac3174fb6b893428935881f Author: Wenpeng Liang Date: Thu Nov 26 17:29:37 2020 +0800 RDMA/hns: Fix retry_cnt and rnr_cnt when querying QP [ Upstream commit ab6f7248cc446b85fe9e31091670ad7c4293d7fd ] The maximum number of retransmission should be returned when querying QP, not the value of retransmission counter. Fixes: 99fcf82521d9 ("RDMA/hns: Fix the wrong value of rnr_retry when querying qp") Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") Link: https://lore.kernel.org/r/1606382977-21431-1-git-send-email-liweihang@huawei.com Signed-off-by: Wenpeng Liang Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit df46336c4ab5e3f0563419e6b0e5cb9c3720f846 Author: Wenpeng Liang Date: Thu Nov 26 17:26:52 2020 +0800 RDMA/hns: Fix wrong field of SRQ number the device supports [ Upstream commit ebed7b7ca47f3aa95ebf2185a526227744616ac1 ] The SRQ capacity is got from the firmware, whose field should be ended at bit 19. Fixes: ba6bb7e97421 ("RDMA/hns: Add interfaces to get pf capabilities from firmware") Link: https://lore.kernel.org/r/1606382812-23636-1-git-send-email-liweihang@huawei.com Signed-off-by: Wenpeng Liang Signed-off-by: Weihang Li Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit bd12eb870372b9e4365e63d3b3fba45d0ca1a54d Author: Kaixu Xia Date: Sun Nov 22 13:49:37 2020 +0800 platform/x86: toshiba_acpi: Fix the wrong variable assignment [ Upstream commit 2a72c46ac4d665614faa25e267c3fb27fb729ed7 ] The commit 78429e55e4057 ("platform/x86: toshiba_acpi: Clean up variable declaration") cleans up variable declaration in video_proc_write(). Seems it does the variable assignment in the wrong place, this results in dead code and changes the source code logic. Fix it by doing the assignment at the beginning of the funciton. Fixes: 78429e55e4057 ("platform/x86: toshiba_acpi: Clean up variable declaration") Reported-by: Tosk Robot Signed-off-by: Kaixu Xia Link: https://lore.kernel.org/r/1606024177-16481-1-git-send-email-kaixuxia@tencent.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 83bec121880cc0cf36c9029b0d996cffd7b02fed Author: Benjamin Berg Date: Mon Nov 23 14:21:57 2020 +0100 platform/x86: thinkpad_acpi: Send tablet mode switch at wakeup time [ Upstream commit e40cc1b476d60f22628741e53cf3446a29e6e6b9 ] The lid state may change while the machine is suspended. As such, we may need to re-check the state at wake-up time (at least when waking up from hibernation). Add the appropriate call to the resume handler in order to sync the SW_TABLET_MODE switch state with the hardware state. Fixes: dda3ec0aa631 ("platform/x86: thinkpad_acpi: Implement tablet mode using GMMS method") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=210269 Signed-off-by: Benjamin Berg Acked-by: Henrique de Moraes Holschuh Link: https://lore.kernel.org/r/20201123132157.866303-1-benjamin@sipsolutions.net Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 90198983bd2851dd2831a65f9d07040d55d4bf43 Author: Marc Kleine-Budde Date: Thu Nov 19 14:03:17 2020 +0100 can: gs_usb: fix endianess problem with candleLight firmware [ Upstream commit 4ba1cb39fce4464151517a37ce0ac0a1a3f580d6 ] The firmware on the original USB2CAN by Geschwister Schneider Technologie Entwicklungs- und Vertriebs UG exchanges all data between the host and the device in host byte order. This is done with the struct gs_host_config::byte_order member, which is sent first to indicate the desired byte order. The widely used open source firmware candleLight doesn't support this feature and exchanges the data in little endian byte order. This breaks if a device with candleLight firmware is used on big endianess systems. To fix this problem, all u32 (but not the struct gs_host_frame::echo_id, which is a transparent cookie) are converted to __le32. Cc: Maximilian Schneider Cc: Hubert Denkmair Reported-by: Michael Rausch Link: https://lore.kernel.org/r/b58aace7-61f3-6df7-c6df-69fee2c66906@netadair.de Tested-by: Oleksij Rempel Fixes: d08e973a77d1 ("can: gs_usb: Added support for the GS_USB CAN devices") Link: https://lore.kernel.org/r/20201120103818.3386964-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 32083f0da6869aa6ef11dbda93394aa5f398d594 Author: Matti Hamalainen Date: Fri Nov 20 17:23:38 2020 +0200 drm/nouveau: fix relocations applying logic and a double-free [ Upstream commit 2be65641642ef423f82162c3a5f28c754d1637d2 ] Commit 03e0d26fcf79 ("drm/nouveau: slowpath for pushbuf ioctl") included a logic-bug which results in the relocations not actually getting applied at all as the call to nouveau_gem_pushbuf_reloc_apply() is never reached. This causes a regression with graphical corruption, triggered when relocations need to be done (for example after a suspend/resume cycle.) Fix by setting *apply_relocs value only if there were more than 0 relocations. Additionally, the never reached code had a leftover u_free() call, which, after fixing the logic, now got called and resulted in a double-free. Fix by removing one u_free(), moving the other and adding check for errors. Cc: Daniel Vetter Cc: Ben Skeggs Cc: nouveau@lists.freedesktop.org Cc: dri-devel@lists.freedesktop.org Signed-off-by: Matti Hamalainen Fixes: 03e0d26fcf79 ("drm/nouveau: slowpath for pushbuf ioctl") References: https://gitlab.freedesktop.org/drm/nouveau/-/issues/11 Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20201120152338.1203257-1-ccr@tnsp.org Signed-off-by: Sasha Levin commit 9fd7ba6edc68b3adc1d0bd68f09796cfdf32a982 Author: Min Li Date: Tue Nov 24 21:58:35 2020 -0500 ptp: clockmatrix: bug fix for idtcm_strverscmp [ Upstream commit 3cb2e6d92be637b79d6ba0746d610a8dfcc0400b ] Feed kstrtou8 with NULL terminated string. Changes since v1: -Use sscanf to get rid of adhoc string parse. Changes since v2: -Check if sscanf returns 3. Fixes: 7ea5fda2b132 ("ptp: ptp_clockmatrix: update to support 4.8.7 firmware") Signed-off-by: Min Li Link: https://lore.kernel.org/r/1606273115-25792-1-git-send-email-min.li.xe@renesas.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 237f1cf8914b1f76d7f34b3e3f7cb54e3a667cb4 Author: Vladimir Oltean Date: Wed Nov 25 00:02:59 2020 +0200 enetc: Let the hardware auto-advance the taprio base-time of 0 [ Upstream commit 90cf87d16bd566cff40c2bc8e32e6d4cd3af23f0 ] The tc-taprio base time indicates the beginning of the tc-taprio schedule, which is cyclic by definition (where the length of the cycle in nanoseconds is called the cycle time). The base time is a 64-bit PTP time in the TAI domain. Logically, the base-time should be a future time. But that imposes some restrictions to user space, which has to retrieve the current PTP time from the NIC first, then calculate a base time that will still be larger than the base time by the time the kernel driver programs this value into the hardware. Actually ensuring that the programmed base time is in the future is still a problem even if the kernel alone deals with this. Luckily, the enetc hardware already advances a base-time that is in the past into a congruent time in the immediate future, according to the same formula that can be found in the software implementation of taprio (in taprio_get_start_time): /* Schedule the start time for the beginning of the next * cycle. */ n = div64_s64(ktime_sub_ns(now, base), cycle); *start = ktime_add_ns(base, (n + 1) * cycle); There's only one problem: the driver doesn't let the hardware do that. It interferes with the base-time passed from user space, by special-casing the situation when the base-time is zero, and replaces that with the current PTP time. This changes the intended effective base-time of the schedule, which will in the end have a different phase offset than if the base-time of 0.000000000 was to be advanced by an integer multiple of the cycle-time. Fixes: 34c6adf1977b ("enetc: Configure the Time-Aware Scheduler via tc-taprio offload") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20201124220259.3027991-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 29828838296f7b5dcd16b979f91c88f642eda02c Author: Antonio Borneo Date: Tue Nov 24 23:37:29 2020 +0100 net: stmmac: fix incorrect merge of patch upstream [ Upstream commit 12a8fe56c0f06eaab1f9d89d246c3591bcc7a966 ] Commit 757926247836 ("net: stmmac: add flexible PPS to dwmac 4.10a") was intended to modify the struct dwmac410_ops, but it got somehow badly merged and modified the struct dwmac4_ops. Revert the modification in struct dwmac4_ops and re-apply it properly in struct dwmac410_ops. Fixes: 757926247836 ("net: stmmac: add flexible PPS to dwmac 4.10a") Signed-off-by: Antonio Borneo Reported-by: Ahmad Fatoum Link: https://lore.kernel.org/r/20201124223729.886992-1-antonio.borneo@st.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 038c5ea51f026b1b7b4ff9e4d511d28ae3577c9f Author: Randy Dunlap Date: Mon Nov 16 17:39:51 2020 -0800 RISC-V: fix barrier() use in [ Upstream commit 30aca1bacb398dec6c1ed5eeca33f355bd7b6203 ] riscv's uses barrier() so it should include Fixes this build error: CC [M] drivers/net/ethernet/emulex/benet/be_main.o In file included from ./include/vdso/processor.h:10, from ./arch/riscv/include/asm/processor.h:11, from ./include/linux/prefetch.h:15, from drivers/net/ethernet/emulex/benet/be_main.c:14: ./arch/riscv/include/asm/vdso/processor.h: In function 'cpu_relax': ./arch/riscv/include/asm/vdso/processor.h:14:2: error: implicit declaration of function 'barrier' [-Werror=implicit-function-declaration] 14 | barrier(); This happens with a total of 5 networking drivers -- they all use . rv64 allmodconfig now builds cleanly after this patch. Fixes fallout from: 815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h mutually exclusive") Fixes: ad5d1122b82f ("riscv: use vDSO common flow to reduce the latency of the time-related functions") Reported-by: Andreas Schwab Signed-off-by: Randy Dunlap Acked-by: Arvind Sankar Signed-off-by: Palmer Dabbelt Reviewed-by: Nick Desaulniers Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit b7a80f5900c9a633ee0825708df5050722eb4da8 Author: Anup Patel Date: Fri Nov 6 13:23:59 2020 +0530 RISC-V: Add missing jump label initialization [ Upstream commit 6134b110f97178d6919441a82dc91a7f3664b4e0 ] The jump_label_init() should be called from setup_arch() very early for proper functioning of jump label support. Fixes: ebc00dde8a97 ("riscv: Add jump-label implementation") Signed-off-by: Anup Patel Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit e13b6055d8a94b1a8d95a662783e0392b70ba5af Author: Nathan Chancellor Date: Sun Nov 8 13:37:37 2020 -0700 riscv: Explicitly specify the build id style in vDSO Makefile again [ Upstream commit e553fdc8105ac2ef3f321739da3908bb6673f7de ] Commit a96843372331 ("kbuild: explicitly specify the build id style") explicitly set the build ID style to SHA1. Commit c2c81bb2f691 ("RISC-V: Fix the VDSO symbol generaton for binutils-2.35+") undid this change, likely unintentionally. Restore it so that the build ID style stays consistent across the tree regardless of linker. Fixes: c2c81bb2f691 ("RISC-V: Fix the VDSO symbol generaton for binutils-2.35+") Signed-off-by: Nathan Chancellor Reviewed-by: Nick Desaulniers Reviewed-by: Bill Wendling Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 4e6cdbe9e9b6760e788e7f7ee2fd5913e3849d62 Author: Geert Uytterhoeven Date: Tue Nov 24 20:16:46 2020 +0100 efi: EFI_EARLYCON should depend on EFI [ Upstream commit 36a237526cd81ff4b6829e6ebd60921c6f976e3b ] CONFIG_EFI_EARLYCON defaults to yes, and thus is enabled on systems that do not support EFI, or do not have EFI support enabled, but do satisfy the symbol's other dependencies. While drivers/firmware/efi/ won't be entered during the build phase if CONFIG_EFI=n, and drivers/firmware/efi/earlycon.c itself thus won't be built, enabling EFI_EARLYCON does force-enable CONFIG_FONT_SUPPORT and CONFIG_ARCH_USE_MEMREMAP_PROT, and CONFIG_FONT_8x16, which is undesirable. Fix this by making CONFIG_EFI_EARLYCON depend on CONFIG_EFI. This reduces kernel size on headless systems by more than 4 KiB. Fixes: 69c1f396f25b805a ("efi/x86: Convert x86 EFI earlyprintk into generic earlycon implementation") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20201124191646.3559757-1-geert@linux-m68k.org Reviewed-by: Damien Le Moal Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 749f3d3aa05d789ced4265a20ae105655ac8e4ff Author: Ard Biesheuvel Date: Wed Nov 25 08:45:55 2020 +0100 efivarfs: revert "fix memory leak in efivarfs_create()" [ Upstream commit ff04f3b6f2e27f8ae28a498416af2a8dd5072b43 ] The memory leak addressed by commit fe5186cf12e3 is a false positive: all allocations are recorded in a linked list, and freed when the filesystem is unmounted. This leads to double frees, and as reported by David, leads to crashes if SLUB is configured to self destruct when double frees occur. So drop the redundant kfree() again, and instead, mark the offending pointer variable so the allocation is ignored by kmemleak. Cc: Vamshi K Sthambamkadi Fixes: fe5186cf12e3 ("efivarfs: fix memory leak in efivarfs_create()") Reported-by: David Laight Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit a7783b07c8ef2bf5c9cfec62a7e66a3be33d1a14 Author: Amadeusz Sławiński Date: Mon Nov 23 12:28:17 2020 -0500 efi/efivars: Set generic ops before loading SSDT [ Upstream commit 50bdcf047503e30126327d0be4f0ad7337106d68 ] Efivars allows for overriding of SSDT tables, however starting with commit bf67fad19e493b ("efi: Use more granular check for availability for variable services") this use case is broken. When loading SSDT generic ops should be set first, however mentioned commit reversed order of operations. Fix this by restoring original order of operations. Fixes: bf67fad19e493b ("efi: Use more granular check for availability for variable services") Signed-off-by: Amadeusz Sławiński Link: https://lore.kernel.org/r/20201123172817.124146-1-amadeuszx.slawinski@linux.intel.com Tested-by: Cezary Rojewski Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 5d791068e2abf2096c374ece69e04c494cc2aab9 Author: Dipen Patel Date: Fri Sep 11 19:26:45 2020 -0700 arm64: tegra: Wrong AON HSP reg property size [ Upstream commit 1741e18737948c140ccc4cc643e8126d95ee6e79 ] The AON HSP node's "reg" property size 0xa0000 will overlap with other resources. This patch fixes that wrong value with correct size 0x90000. Reviewed-by: Mikko Perttunen Signed-off-by: Dipen Patel Fixes: a38570c22e9d ("arm64: tegra: Add nodes for TCU on Tegra194") Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3d0f2fa7bbc6caeadd6ec10510ed44411102bbc8 Author: Lu Baolu Date: Wed Nov 25 09:41:24 2020 +0800 x86/tboot: Don't disable swiotlb when iommu is forced on [ Upstream commit e2be2a833ab5338fa5b8b99ba622b911d96f1795 ] After commit 327d5b2fee91c ("iommu/vt-d: Allow 32bit devices to uses DMA domain"), swiotlb could also be used for direct memory access if IOMMU is enabled but a device is configured to pass through the DMA translation. Keep swiotlb when IOMMU is forced on, otherwise, some devices won't work if "iommu=pt" kernel parameter is used. Fixes: 327d5b2fee91 ("iommu/vt-d: Allow 32bit devices to uses DMA domain") Reported-and-tested-by: Adrian Huang Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20201125014124.4070776-1-baolu.lu@linux.intel.com Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=210237 Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 68a9159c832b34f55c9612d492028a589d8e5985 Author: Rui Miguel Silva Date: Fri Nov 13 15:06:04 2020 +0000 optee: add writeback to valid memory type [ Upstream commit 853735e404244f5496cdb6188c5ed9a0f9627ee6 ] Only in smp systems the cache policy is setup as write alloc, in single cpu systems the cache policy is set as writeback and it is normal memory, so, it should pass the is_normal_memory check in the share memory registration. Add the right condition to make it work in no smp systems. Fixes: cdbcf83d29c1 ("tee: optee: check type of registered shared memory") Signed-off-by: Rui Miguel Silva Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin commit 0faa4f7d817bf24bc7804194a1d56e952430a5dd Author: Lijun Pan Date: Mon Nov 23 13:35:47 2020 -0600 ibmvnic: enhance resetting status check during module exit [ Upstream commit 3ada288150fb17ab3fcce2cf5fce20461f86b2ee ] Based on the discussion with Sukadev Bhattiprolu and Dany Madden, we believe that checking adapter->resetting bit is preferred since RESETTING state flag is not as strict as resetting bit. RESETTING state flag is removed since it is verbose now. Fixes: 7d7195a026ba ("ibmvnic: Do not process device remove during device reset") Signed-off-by: Lijun Pan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 97864a21e718dbfb8c040cd4613f0b741d514925 Author: Lijun Pan Date: Mon Nov 23 13:35:46 2020 -0600 ibmvnic: fix NULL pointer dereference in ibmvic_reset_crq [ Upstream commit 0e435befaea45f7ea58682eecab5e37e05b2ce65 ] crq->msgs could be NULL if the previous reset did not complete after freeing crq->msgs. Check for NULL before dereferencing them. Snippet of call trace: ... ibmvnic 30000003 env3 (unregistering): Releasing sub-CRQ ibmvnic 30000003 env3 (unregistering): Releasing CRQ BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0000000000c1a30 Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: ibmvnic(E-) rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag tun raw_diag inet_diag unix_diag bridge af_packet_diag netlink_diag stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ibmvnic] CPU: 20 PID: 8426 Comm: kworker/20:0 Tainted: G E 5.10.0-rc1+ #12 Workqueue: events __ibmvnic_reset [ibmvnic] NIP: c0000000000c1a30 LR: c008000001b00c18 CTR: 0000000000000400 REGS: c00000000d05b7a0 TRAP: 0380 Tainted: G E (5.10.0-rc1+) MSR: 800000000280b033 CR: 44002480 XER: 20040000 CFAR: c0000000000c19ec IRQMASK: 0 GPR00: 0000000000000400 c00000000d05ba30 c008000001b17c00 0000000000000000 GPR04: 0000000000000000 0000000000000000 0000000000000000 00000000000001e2 GPR08: 000000000001f400 ffffffffffffd950 0000000000000000 c008000001b0b280 GPR12: c0000000000c19c8 c00000001ec72e00 c00000000019a778 c00000002647b440 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000006 0000000000000001 0000000000000003 0000000000000002 GPR24: 0000000000001000 c008000001b0d570 0000000000000005 c00000007ab5d550 GPR28: c00000007ab5c000 c000000032fcf848 c00000007ab5cc00 c000000032fcf800 NIP [c0000000000c1a30] memset+0x68/0x104 LR [c008000001b00c18] ibmvnic_reset_crq+0x70/0x110 [ibmvnic] Call Trace: [c00000000d05ba30] [0000000000000800] 0x800 (unreliable) [c00000000d05bab0] [c008000001b0a930] do_reset.isra.40+0x224/0x634 [ibmvnic] [c00000000d05bb80] [c008000001b08574] __ibmvnic_reset+0x17c/0x3c0 [ibmvnic] [c00000000d05bc50] [c00000000018d9ac] process_one_work+0x2cc/0x800 [c00000000d05bd20] [c00000000018df58] worker_thread+0x78/0x520 [c00000000d05bdb0] [c00000000019a934] kthread+0x1c4/0x1d0 [c00000000d05be20] [c00000000000d5d0] ret_from_kernel_thread+0x5c/0x6c Fixes: 032c5e82847a ("Driver for IBM System i/p VNIC protocol") Signed-off-by: Lijun Pan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ef9688c67e1424386761f5068ed22da80d601f0b Author: Lijun Pan Date: Mon Nov 23 13:35:45 2020 -0600 ibmvnic: fix NULL pointer dereference in reset_sub_crq_queues [ Upstream commit a0faaa27c71608799e0dd765c5af38a089091802 ] adapter->tx_scrq and adapter->rx_scrq could be NULL if the previous reset did not complete after freeing sub crqs. Check for NULL before dereferencing them. Snippet of call trace: ibmvnic 30000006 env6: Releasing sub-CRQ ibmvnic 30000006 env6: Releasing CRQ ... ibmvnic 30000006 env6: Got Control IP offload Response ibmvnic 30000006 env6: Re-setting tx_scrq[0] BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc008000003dea7cc Oops: Kernel access of bad area, sig: 11 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: rpadlpar_io rpaphp xt_CHECKSUM xt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables xsk_diag tcp_diag udp_diag raw_diag inet_diag unix_diag af_packet_diag netlink_diag tun bridge stp llc rfkill sunrpc pseries_rng xts vmx_crypto uio_pdrv_genirq uio binfmt_misc ip_tables xfs libcrc32c sd_mod t10_pi sg ibmvscsi ibmvnic ibmveth scsi_transport_srp dm_mirror dm_region_hash dm_log dm_mod CPU: 80 PID: 1856 Comm: kworker/80:2 Tainted: G W 5.8.0+ #4 Workqueue: events __ibmvnic_reset [ibmvnic] NIP: c008000003dea7cc LR: c008000003dea7bc CTR: 0000000000000000 REGS: c0000007ef7db860 TRAP: 0380 Tainted: G W (5.8.0+) MSR: 800000000280b033 CR: 28002422 XER: 0000000d CFAR: c000000000bd9520 IRQMASK: 0 GPR00: c008000003dea7bc c0000007ef7dbaf0 c008000003df7400 c0000007fa26ec00 GPR04: c0000007fcd0d008 c0000007fcd96350 0000000000000027 c0000007fcd0d010 GPR08: 0000000000000023 0000000000000000 0000000000000000 0000000000000000 GPR12: 0000000000002000 c00000001ec18e00 c0000000001982f8 c0000007bad6e840 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 0000000000000000 fffffffffffffef7 GPR24: 0000000000000402 c0000007fa26f3a8 0000000000000003 c00000016f8ec048 GPR28: 0000000000000000 0000000000000000 0000000000000000 c0000007fa26ec00 NIP [c008000003dea7cc] ibmvnic_reset_init+0x15c/0x258 [ibmvnic] LR [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] Call Trace: [c0000007ef7dbaf0] [c008000003dea7bc] ibmvnic_reset_init+0x14c/0x258 [ibmvnic] (unreliable) [c0000007ef7dbb80] [c008000003de8860] __ibmvnic_reset+0x408/0x970 [ibmvnic] [c0000007ef7dbc50] [c00000000018b7cc] process_one_work+0x2cc/0x800 [c0000007ef7dbd20] [c00000000018bd78] worker_thread+0x78/0x520 [c0000007ef7dbdb0] [c0000000001984c4] kthread+0x1d4/0x1e0 [c0000007ef7dbe20] [c00000000000cea8] ret_from_kernel_thread+0x5c/0x74 Fixes: 57a49436f4e8 ("ibmvnic: Reset sub-crqs during driver reset") Signed-off-by: Lijun Pan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit aafcf7aa949aec61ee5e32e310656da0da8ff0fc Author: Shay Agroskin Date: Mon Nov 23 21:08:59 2020 +0200 net: ena: fix packet's addresses for rx_offset feature [ Upstream commit 1396d3148bd250db880573f9ed0abe5d6fba1fce ] This patch fixes two lines in which the rx_offset received by the device wasn't taken into account: - prefetch function: In our driver the copied data would reside in rx_info->page + rx_headroom + rx_offset so the prefetch function is changed accordingly. - setting page_offset to zero for descriptors > 1: for every descriptor but the first, the rx_offset is zero. Hence the page_offset value should be set to rx_headroom. The previous implementation changed the value of rx_info after the descriptor was added to the SKB (essentially providing wrong page offset). Fixes: 68f236df93a9 ("net: ena: add support for the rx offset feature") Signed-off-by: Shay Agroskin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9b58e355ccf6c495b131d0e20677d0b620b5f983 Author: Shay Agroskin Date: Mon Nov 23 21:08:58 2020 +0200 net: ena: set initial DMA width to avoid intel iommu issue [ Upstream commit 09323b3bca95181c0da79daebc8b0603e500f573 ] The ENA driver uses the readless mechanism, which uses DMA, to find out what the DMA mask is supposed to be. If DMA is used without setting the dma_mask first, it causes the Intel IOMMU driver to think that ENA is a 32-bit device and therefore disables IOMMU passthrough permanently. This patch sets the dma_mask to be ENA_MAX_PHYS_ADDR_SIZE_BITS=48 before readless initialization in ena_device_init()->ena_com_mmio_reg_read_request_init(), which is large enough to workaround the intel_iommu issue. DMA mask is set again to the correct value after it's received from the device after readless is initialized. The patch also changes the driver to use dma_set_mask_and_coherent() function instead of the two pci_set_dma_mask() and pci_set_consistent_dma_mask() ones. Both methods achieve the same effect. Fixes: 1738cd3ed342 ("net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)") Signed-off-by: Mike Cui Signed-off-by: Arthur Kiyanovski Signed-off-by: Shay Agroskin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2f7b0f3a744f7c3e956898dd9b4b6fbb79b50f3e Author: Shay Agroskin Date: Mon Nov 23 21:08:57 2020 +0200 net: ena: handle bad request id in ena_netdev [ Upstream commit 5b7022cf1dc0d721bd4b5f3bada05bd8ced82fe0 ] After request id is checked in validate_rx_req_id() its value is still used in the line rx_ring->free_ids[next_to_clean] = rx_ring->ena_bufs[i].req_id; even if it was found to be out-of-bound for the array free_ids. The patch moves the request id to an earlier stage in the napi routine and makes sure its value isn't used if it's found out-of-bounds. Fixes: 30623e1ed116 ("net: ena: avoid memory access violation by validating req_id properly") Signed-off-by: Ido Segev Signed-off-by: Shay Agroskin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b7fc59ca8a2bdc342cfdb6f30882151b13c22f33 Author: Krzysztof Kozlowski Date: Mon Nov 23 17:23:51 2020 +0100 nfc: s3fwrn5: use signed integer for parsing GPIO numbers [ Upstream commit d8f0a86795c69f5b697f7d9e5274c124da93c92d ] GPIOs - as returned by of_get_named_gpio() and used by the gpiolib - are signed integers, where negative number indicates error. The return value of of_get_named_gpio() should not be assigned to an unsigned int because in case of !CONFIG_GPIOLIB such number would be a valid GPIO. Fixes: c04c674fadeb ("nfc: s3fwrn5: Add driver for Samsung S3FWRN5 NFC Chip") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20201123162351.209100-1-krzk@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 11446224ef2189460bf283747e20e35e5e56683b Author: Lincoln Ramsay Date: Mon Nov 23 21:40:43 2020 +0000 aquantia: Remove the build_skb path [ Upstream commit 9bd2702d292cb7b565b09e949d30288ab7a26d51 ] When performing IPv6 forwarding, there is an expectation that SKBs will have some headroom. When forwarding a packet from the aquantia driver, this does not always happen, triggering a kernel warning. aq_ring.c has this code (edited slightly for brevity): if (buff->is_eop && buff->len <= AQ_CFG_RX_FRAME_MAX - AQ_SKB_ALIGN) { skb = build_skb(aq_buf_vaddr(&buff->rxdata), AQ_CFG_RX_FRAME_MAX); } else { skb = napi_alloc_skb(napi, AQ_CFG_RX_HDR_SIZE); There is a significant difference between the SKB produced by these 2 code paths. When napi_alloc_skb creates an SKB, there is a certain amount of headroom reserved. However, this is not done in the build_skb codepath. As the hardware buffer that build_skb is built around does not handle the presence of the SKB header, this code path is being removed and the napi_alloc_skb path will always be used. This code path does have to copy the packet header into the SKB, but it adds the packet data as a frag. Fixes: 018423e90bee ("net: ethernet: aquantia: Add ring support code") Signed-off-by: Lincoln Ramsay Link: https://lore.kernel.org/r/MWHPR1001MB23184F3EAFA413E0D1910EC9E8FC0@MWHPR1001MB2318.namprd10.prod.outlook.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3407e486036aec2c6744fcafdffc800ea41e36c9 Author: Joseph Qi Date: Tue Nov 24 15:03:03 2020 +0800 io_uring: fix shift-out-of-bounds when round up cq size [ Upstream commit eb2667b343361863da7b79be26de641e22844ba0 ] Abaci Fuzz reported a shift-out-of-bounds BUG in io_uring_create(): [ 59.598207] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 [ 59.599665] shift exponent 64 is too large for 64-bit type 'long unsigned int' [ 59.601230] CPU: 0 PID: 963 Comm: a.out Not tainted 5.10.0-rc4+ #3 [ 59.602502] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 59.603673] Call Trace: [ 59.604286] dump_stack+0x107/0x163 [ 59.605237] ubsan_epilogue+0xb/0x5a [ 59.606094] __ubsan_handle_shift_out_of_bounds.cold+0xb2/0x20e [ 59.607335] ? lock_downgrade+0x6c0/0x6c0 [ 59.608182] ? rcu_read_lock_sched_held+0xaf/0xe0 [ 59.609166] io_uring_create.cold+0x99/0x149 [ 59.610114] io_uring_setup+0xd6/0x140 [ 59.610975] ? io_uring_create+0x2510/0x2510 [ 59.611945] ? lockdep_hardirqs_on_prepare+0x286/0x400 [ 59.613007] ? syscall_enter_from_user_mode+0x27/0x80 [ 59.614038] ? trace_hardirqs_on+0x5b/0x180 [ 59.615056] do_syscall_64+0x2d/0x40 [ 59.615940] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 59.617007] RIP: 0033:0x7f2bb8a0b239 This is caused by roundup_pow_of_two() if the input entries larger enough, e.g. 2^32-1. For sq_entries, it will check first and we allow at most IORING_MAX_ENTRIES, so it is okay. But for cq_entries, we do round up first, that may overflow and truncate it to 0, which is not the expected behavior. So check the cq size first and then do round up. Fixes: 88ec3211e463 ("io_uring: round-up cq size before comparing with rounded sq size") Reported-by: Abaci Fuzz Signed-off-by: Joseph Qi Reviewed-by: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0fbd464eeecf3fbfdad4eb19a6eb44593f61afdd Author: Clark Wang Date: Tue Nov 24 16:52:47 2020 +0800 spi: imx: fix the unbalanced spi runtime pm management [ Upstream commit 7cd71202961090d8f2d2b863ec66b25ae43e1d39 ] If set active without increase the usage count of pm, the dont use autosuspend function will call the suspend callback to close the two clocks of spi because the usage count is reduced to -1. This will cause the warning dump below when the defer-probe occurs. [ 129.379701] ecspi2_root_clk already disabled [ 129.384005] WARNING: CPU: 1 PID: 33 at drivers/clk/clk.c:952 clk_core_disable+0xa4/0xb0 So add the get noresume function before set active. Fixes: 43b6bf406cd0 spi: imx: fix runtime pm support for !CONFIG_PM Signed-off-by: Clark Wang Link: https://lore.kernel.org/r/20201124085247.18025-1-xiaoning.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 26c42be7d35eff82ea18ef1f60f53b9d4f6b1ff5 Author: Manish Narani Date: Mon Nov 16 19:22:24 2020 +0530 firmware: xilinx: Fix SD DLL node reset issue [ Upstream commit f4426311f927b01776edf8a45f6fad90feae4e72 ] Fix the SD DLL node reset issue where incorrect node is being referenced instead of SD DLL node. Fixes: 426c8d85df7a ("firmware: xilinx: Use APIs instead of IOCTLs") Signed-off-by: Manish Narani Link: https://lore.kernel.org/r/1605534744-15649-1-git-send-email-manish.narani@xilinx.com Signed-off-by: Michal Simek Signed-off-by: Sasha Levin commit b210f24b6de7f3af0d8640ef9783b246a7623c1c Author: Sylwester Dziedziuch Date: Fri Nov 20 10:06:40 2020 -0800 i40e: Fix removing driver while bare-metal VFs pass traffic [ Upstream commit 2980cbd4dce7b1e9bf57df3ced43a7b184986f50 ] Prevent VFs from resetting when PF driver is being unloaded: - introduce new pf state: __I40E_VF_RESETS_DISABLED; - check if pf state has __I40E_VF_RESETS_DISABLED state set, if so, disable any further VFLR event notifications; - when i40e_remove (rmmod i40e) is called, disable any resets on the VFs; Previously if there were bare-metal VFs passing traffic and PF driver was removed, there was a possibility of VFs triggering a Tx timeout right before iavf_remove. This was causing iavf_close to not be called because there is a check in the beginning of iavf_remove that bails out early if adapter->state < IAVF_DOWN_PENDING. This makes it so some resources do not get cleaned up. Fixes: 6a9ddb36eeb8 ("i40e: disable IOV before freeing resources") Signed-off-by: Slawomir Laba Signed-off-by: Brett Creeley Signed-off-by: Sylwester Dziedziuch Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Link: https://lore.kernel.org/r/20201120180640.3654474-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit bf8da8dc44edcb3e4e1c82f84343be2c1d40a5c0 Author: Xiongfeng Wang Date: Fri Nov 20 09:57:02 2020 +0800 IB/mthca: fix return value of error branch in mthca_init_cq() [ Upstream commit 6830ff853a5764c75e56750d59d0bbb6b26f1835 ] We return 'err' in the error branch, but this variable may be set as zero by the above code. Fix it by setting 'err' as a negative value before we goto the error label. Fixes: 74c2174e7be5 ("IB uverbs: add mthca user CQ support") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/1605837422-42724-1-git-send-email-wangxiongfeng2@huawei.com Reported-by: Hulk Robot Signed-off-by: Xiongfeng Wang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit a63d225aca5d51e419d6443f9b25b36ab710e006 Author: Shameer Kolothum Date: Thu Nov 19 16:58:46 2020 +0000 iommu: Check return of __iommu_attach_device() [ Upstream commit 77c38c8cf52ef715bfc5cab3d14222d4f3e776e2 ] Currently iommu_create_device_direct_mappings() is called without checking the return of __iommu_attach_device(). This may result in failures in iommu driver if dev attach returns error. Fixes: ce574c27ae27 ("iommu: Move iommu_group_create_direct_mappings() out of iommu_group_add_device()") Signed-off-by: Shameer Kolothum Link: https://lore.kernel.org/r/20201119165846.34180-1-shameerali.kolothum.thodi@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit a14257e43b909a95f814abeef3a22233aae7a297 Author: Stephen Rothwell Date: Mon Nov 23 18:40:16 2020 +1100 powerpc/64s: Fix allnoconfig build since uaccess flush [ Upstream commit b6b79dd53082db11070b4368d85dd6699ff0b063 ] Using DECLARE_STATIC_KEY_FALSE needs linux/jump_table.h. Otherwise the build fails with eg: arch/powerpc/include/asm/book3s/64/kup-radix.h:66:1: warning: data definition has no type or storage class 66 | DECLARE_STATIC_KEY_FALSE(uaccess_flush_key); Fixes: 9a32a7e78bd0 ("powerpc/64s: flush L1D after user accesses") Signed-off-by: Stephen Rothwell [mpe: Massage change log] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201123184016.693fe464@canb.auug.org.au Signed-off-by: Sasha Levin commit 3274b5b2736f6da5fcacbbc446982aa26132f63c Author: Lijun Pan Date: Fri Nov 20 16:40:12 2020 -0600 ibmvnic: notify peers when failover and migration happen [ Upstream commit 98025bce3a6200a0c4637272a33b5913928ba5b8 ] Commit 61d3e1d9bc2a ("ibmvnic: Remove netdev notify for failover resets") excluded the failover case for notify call because it said netdev_notify_peers() can cause network traffic to stall or halt. Current testing does not show network traffic stall or halt because of the notify call for failover event. netdev_notify_peers may be used when a device wants to inform the rest of the network about some sort of a reconfiguration such as failover or migration. It is unnecessary to call that in other events like FATAL, NON_FATAL, CHANGE_PARAM, and TIMEOUT resets since in those scenarios the hardware does not change. If the driver must do a hard reset, it is necessary to notify peers. Fixes: 61d3e1d9bc2a ("ibmvnic: Remove netdev notify for failover resets") Suggested-by: Brian King Suggested-by: Pradeep Satyanarayana Signed-off-by: Dany Madden Signed-off-by: Lijun Pan Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f937305b5d16ca55e51bb65d7183c60b0710a3b6 Author: Lijun Pan Date: Fri Nov 20 16:40:11 2020 -0600 ibmvnic: fix call_netdevice_notifiers in do_reset [ Upstream commit 8393597579f5250636f1cff157ea73f402b6501e ] When netdev_notify_peers was substituted in commit 986103e7920c ("net/ibmvnic: Fix RTNL deadlock during device reset"), call_netdevice_notifiers(NETDEV_RESEND_IGMP, dev) was missed. Fix it now. Fixes: 986103e7920c ("net/ibmvnic: Fix RTNL deadlock during device reset") Signed-off-by: Lijun Pan Reviewed-by: Dany Madden Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 58a1a33b365e0f0b46f33b978e68375662980ecf Author: Jamie Iles Date: Fri Nov 20 14:28:27 2020 +0000 bonding: wait for sysfs kobject destruction before freeing struct slave [ Upstream commit b9ad3e9f5a7a760ab068e33e1f18d240ba32ce92 ] syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, releasing a struct slave device could result in the following splat: kobject: 'bonding_slave' (00000000cecdd4fe): kobject_release, parent 0000000074ceb2b2 (delayed 1000) bond0 (unregistering): (slave bond_slave_1): Releasing backup interface ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: timer_list hint: workqueue_select_cpu_near kernel/workqueue.c:1549 [inline] ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 kernel/workqueue.c:1600 WARNING: CPU: 1 PID: 842 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 lib/debugobjects.c:485 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 842 Comm: kworker/u4:4 Tainted: G S 5.9.0-rc8+ #96 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net Call trace: dump_backtrace+0x0/0x4d8 include/linux/bitmap.h:239 show_stack+0x34/0x48 arch/arm64/kernel/traps.c:142 __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x174/0x1f8 lib/dump_stack.c:118 panic+0x360/0x7a0 kernel/panic.c:231 __warn+0x244/0x2ec kernel/panic.c:600 report_bug+0x240/0x398 lib/bug.c:198 bug_handler+0x50/0xc0 arch/arm64/kernel/traps.c:974 call_break_hook+0x160/0x1d8 arch/arm64/kernel/debug-monitors.c:322 brk_handler+0x30/0xc0 arch/arm64/kernel/debug-monitors.c:329 do_debug_exception+0x184/0x340 arch/arm64/mm/fault.c:864 el1_dbg+0x48/0xb0 arch/arm64/kernel/entry-common.c:65 el1_sync_handler+0x170/0x1c8 arch/arm64/kernel/entry-common.c:93 el1_sync+0x80/0x100 arch/arm64/kernel/entry.S:594 debug_print_object+0x180/0x240 lib/debugobjects.c:485 __debug_check_no_obj_freed lib/debugobjects.c:967 [inline] debug_check_no_obj_freed+0x200/0x430 lib/debugobjects.c:998 slab_free_hook mm/slub.c:1536 [inline] slab_free_freelist_hook+0x190/0x210 mm/slub.c:1577 slab_free mm/slub.c:3138 [inline] kfree+0x13c/0x460 mm/slub.c:4119 bond_free_slave+0x8c/0xf8 drivers/net/bonding/bond_main.c:1492 __bond_release_one+0xe0c/0xec8 drivers/net/bonding/bond_main.c:2190 bond_slave_netdev_event drivers/net/bonding/bond_main.c:3309 [inline] bond_netdev_event+0x8f0/0xa70 drivers/net/bonding/bond_main.c:3420 notifier_call_chain+0xf0/0x200 kernel/notifier.c:83 __raw_notifier_call_chain kernel/notifier.c:361 [inline] raw_notifier_call_chain+0x44/0x58 kernel/notifier.c:368 call_netdevice_notifiers_info+0xbc/0x150 net/core/dev.c:2033 call_netdevice_notifiers_extack net/core/dev.c:2045 [inline] call_netdevice_notifiers net/core/dev.c:2059 [inline] rollback_registered_many+0x6a4/0xec0 net/core/dev.c:9347 unregister_netdevice_many.part.0+0x2c/0x1c0 net/core/dev.c:10509 unregister_netdevice_many net/core/dev.c:10508 [inline] default_device_exit_batch+0x294/0x338 net/core/dev.c:10992 ops_exit_list.isra.0+0xec/0x150 net/core/net_namespace.c:189 cleanup_net+0x44c/0x888 net/core/net_namespace.c:603 process_one_work+0x96c/0x18c0 kernel/workqueue.c:2269 worker_thread+0x3f0/0xc30 kernel/workqueue.c:2415 kthread+0x390/0x498 kernel/kthread.c:292 ret_from_fork+0x10/0x18 arch/arm64/kernel/entry.S:925 This is a potential use-after-free if the sysfs nodes are being accessed whilst removing the struct slave, so wait for the object destruction to complete before freeing the struct slave itself. Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.") Fixes: a068aab42258 ("bonding: Fix reference count leak in bond_sysfs_slave_add.") Cc: Qiushi Wu Cc: Jay Vosburgh Cc: Veaceslav Falico Cc: Andy Gospodarek Signed-off-by: Jamie Iles Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20201120142827.879226-1-jamie@nuviainc.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3380224c2f510b6fc03f6e319f7b85d0fed2f039 Author: CK Hu Date: Fri Nov 13 11:49:07 2020 +0800 drm/mediatek: dsi: Modify horizontal front/back porch byte formula [ Upstream commit 487778f8d22fcdebb6436f0a5f96484ffa237b0b ] In the patch to be fixed, horizontal_backporch_byte become too large for some panel, so roll back that patch. For small hfp or hbp panel, using vm->hfront_porch + vm->hback_porch to calculate horizontal_backporch_byte would make it negtive, so use horizontal_backporch_byte itself to make it positive. Fixes: 35bf948f1edb ("drm/mediatek: dsi: Fix scrolling of panel with small hfp or hbp") Signed-off-by: CK Hu Signed-off-by: Chun-Kuang Hu Tested-by: Bilal Wasim Signed-off-by: Sasha Levin commit 9f7adaaa65071fa260210cef0561703f6cae962c Author: Julian Wiedmann Date: Fri Nov 20 10:09:39 2020 +0100 s390/qeth: fix tear down of async TX buffers [ Upstream commit 7ed10e16e50daf74460f54bc922e27c6863c8d61 ] When qeth_iqd_tx_complete() detects that a TX buffer requires additional async completion via QAOB, it might fail to replace the queue entry's metadata (and ends up triggering recovery). Assume now that the device gets torn down, overruling the recovery. If the QAOB notification then arrives before the tear down has sufficiently progressed, the buffer state is changed to QETH_QDIO_BUF_HANDLED_DELAYED by qeth_qdio_handle_aob(). The tear down code calls qeth_drain_output_queue(), where qeth_cleanup_handled_pending() will then attempt to replace such a buffer _again_. If it succeeds this time, the buffer ends up dangling in its replacement's ->next_pending list ... where it will never be freed, since there's no further call to qeth_cleanup_handled_pending(). But the second attempt isn't actually needed, we can simply leave the buffer on the queue and re-use it after a potential recovery has completed. The qeth_clear_output_buffer() in qeth_drain_output_queue() will ensure that it's in a clean state again. Fixes: 72861ae792c2 ("qeth: recovery through asynchronous delivery") Signed-off-by: Julian Wiedmann Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 822529ef47911c71846ff18a9a6b3b17f9713453 Author: Julian Wiedmann Date: Fri Nov 20 10:09:38 2020 +0100 s390/qeth: fix af_iucv notification race [ Upstream commit 8908f36d20d8ba610d3a7d110b3049b5853b9bb1 ] The two expected notification sequences are 1. TX_NOTIFY_PENDING with a subsequent TX_NOTIFY_DELAYED_*, when our TX completion code first observed the pending TX and the QAOB then completes at a later time; or 2. TX_NOTIFY_OK, when qeth_qdio_handle_aob() picked up the QAOB completion before our TX completion code even noticed that the TX was pending. But as qeth_iqd_tx_complete() and qeth_qdio_handle_aob() can run concurrently, we may end up with a race that results in a sequence of TX_NOTIFY_DELAYED_* followed by TX_NOTIFY_PENDING. Which would confuse the af_iucv code in its tracking of pending transmits. Rework the notification code, so that qeth_qdio_handle_aob() defers its notification if the TX completion code is still active. Fixes: b333293058aa ("qeth: add support for af_iucv HiperSockets transport") Signed-off-by: Julian Wiedmann Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 35eafcf4f84e1aa26d0b54bc2ff4580a928ef99b Author: Julian Wiedmann Date: Fri Nov 20 10:09:37 2020 +0100 s390/qeth: make af_iucv TX notification call more robust [ Upstream commit 34c7f50f7d0d36fa663c74aee39e25e912505320 ] Calling into socket code is ugly already, at least check whether we are dealing with the expected sk_family. Only looking at skb->protocol is bound to cause troubles (consider eg. af_packet). Fixes: b333293058aa ("qeth: add support for af_iucv HiperSockets transport") Signed-off-by: Julian Wiedmann Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9ad73b2c797a71b51ade9d19e1ca212b684fe6d3 Author: Ioana Ciornei Date: Thu Nov 19 16:51:06 2020 +0200 dpaa2-eth: select XGMAC_MDIO for MDIO bus support [ Upstream commit d2624e70a2f53b6f402fdaeabe7db798148618c5 ] Explicitly enable the FSL_XGMAC_MDIO Kconfig option in order to have MDIO access to internal and external PHYs. Fixes: 719479230893 ("dpaa2-eth: add MAC/PHY support through phylink") Signed-off-by: Ioana Ciornei Link: https://lore.kernel.org/r/20201119145106.712761-1-ciorneiioana@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit db7fdde050461a3f49b9f7569ff0bf3d70292e27 Author: Raju Rangoju Date: Wed Nov 18 20:02:13 2020 +0530 cxgb4: fix the panic caused by non smac rewrite [ Upstream commit bff453921ae105a8dbbad0ed7dd5f5ce424536e7 ] SMT entry is allocated only when loopback Source MAC rewriting is requested. Accessing SMT entry for non smac rewrite cases results in kernel panic. Fix the panic caused by non smac rewrite Fixes: 937d84205884 ("cxgb4: set up filter action after rewrites") Signed-off-by: Raju Rangoju Link: https://lore.kernel.org/r/20201118143213.13319-1-rajur@chelsio.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 788d34df99ad68539f9985e7bb7a4961963416e4 Author: Eric Biggers Date: Wed Nov 11 13:48:55 2020 -0800 block/keyslot-manager: prevent crash when num_slots=1 [ Upstream commit 47a846536e1bf62626f1c0d8488f3718ce5f8296 ] If there is only one keyslot, then blk_ksm_init() computes slot_hashtable_size=1 and log_slot_ht_size=0. This causes blk_ksm_find_keyslot() to crash later because it uses hash_ptr(key, log_slot_ht_size) to find the hash bucket containing the key, and hash_ptr() doesn't support the bits == 0 case. Fix this by making the hash table always have at least 2 buckets. Tested by running: kvm-xfstests -c ext4 -g encrypt -m inlinecrypt \ -o blk-crypto-fallback.num_keyslots=1 Fixes: 1b2628397058 ("block: Keyslot Manager for Inline Encryption") Signed-off-by: Eric Biggers Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4555f3dadc4de58f19795b8c55f9a2f8873523f0 Author: Michael Chan Date: Fri Nov 20 02:44:31 2020 -0500 bnxt_en: Release PCI regions when DMA mask setup fails during probe. [ Upstream commit c54bc3ced5106663c2f2b44071800621f505b00e ] Jump to init_err_release to cleanup. bnxt_unmap_bars() will also be called but it will do nothing if the BARs are not mapped yet. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Reported-by: Jakub Kicinski Signed-off-by: Michael Chan Link: https://lore.kernel.org/r/1605858271-8209-1-git-send-email-michael.chan@broadcom.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8dcd609ae63b24705b27e51326ced754f59611a5 Author: Dexuan Cui Date: Tue Nov 17 16:03:05 2020 -0800 video: hyperv_fb: Fix the cache type when mapping the VRAM [ Upstream commit 5f1251a48c17b54939d7477305e39679a565382c ] x86 Hyper-V used to essentially always overwrite the effective cache type of guest memory accesses to WB. This was problematic in cases where there is a physical device assigned to the VM, since that often requires that the VM should have control over cache types. Thus, on newer Hyper-V since 2018, Hyper-V always honors the VM's cache type, but unexpectedly Linux VM users start to complain that Linux VM's VRAM becomes very slow, and it turns out that Linux VM should not map the VRAM uncacheable by ioremap(). Fix this slowness issue by using ioremap_cache(). On ARM64, ioremap_cache() is also required as the host also maps the VRAM cacheable, otherwise VM Connect can't display properly with ioremap() or ioremap_wc(). With this change, the VRAM on new Hyper-V is as fast as regular RAM, so it's no longer necessary to use the hacks we added to mitigate the slowness, i.e. we no longer need to allocate physical memory and use it to back up the VRAM in Generation-1 VM, and we also no longer need to allocate physical memory to back up the framebuffer in a Generation-2 VM and copy the framebuffer to the real VRAM. A further big change will address these for v5.11. Fixes: 68a2d20b79b1 ("drivers/video: add Hyper-V Synthetic Video Frame Buffer Driver") Tested-by: Boqun Feng Signed-off-by: Dexuan Cui Reviewed-by: Michael Kelley Reviewed-by: Haiyang Zhang Link: https://lore.kernel.org/r/20201118000305.24797-1-decui@microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 5405ac6210c654ce67e9adca3c548e7fbff0901f Author: Zhang Changzhong Date: Thu Nov 19 21:30:21 2020 +0800 bnxt_en: fix error return code in bnxt_init_board() [ Upstream commit 3383176efc0fb0c0900a191026468a58668b4214 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Reviewed-by: Edwin Peer Link: https://lore.kernel.org/r/1605792621-6268-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2f896029ee7d726f420a04f07ddc07db1f02711b Author: Zhang Changzhong Date: Wed Nov 18 20:17:31 2020 +0800 bnxt_en: fix error return code in bnxt_init_one() [ Upstream commit b5f796b62c98cd8c219c4b788ecb6e1218e648cb ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: c213eae8d3cd ("bnxt_en: Improve VF/PF link change logic.") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Reviewed-by: Edwin Peer Link: https://lore.kernel.org/r/1605701851-20270-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 5136d244029d9a45cb22a955827b96f62be03080 Author: Stanley Chu Date: Thu Nov 19 14:29:16 2020 +0800 scsi: ufs: Fix race between shutdown and runtime resume flow [ Upstream commit e92643db514803c2c87d72caf5950b4c0a8faf4a ] If UFS host device is in runtime-suspended state while UFS shutdown callback is invoked, UFS device shall be resumed for register accesses. Currently only UFS local runtime resume function will be invoked to wake up the host. This is not enough because if someone triggers runtime resume from block layer, then race may happen between shutdown and runtime resume flow, and finally lead to unlocked register access. To fix this, in ufshcd_shutdown(), use pm_runtime_get_sync() instead of resuming UFS device by ufshcd_runtime_resume() "internally" to let runtime PM framework manage the whole resume flow. Link: https://lore.kernel.org/r/20201119062916.12931-1-stanley.chu@mediatek.com Fixes: 57d104c153d3 ("ufs: add UFS power management support") Reviewed-by: Can Guo Signed-off-by: Stanley Chu Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit dfff832e3b88499f3fb810264d8e24b0c387fc85 Author: Marc Kleine-Budde Date: Wed Nov 11 15:12:11 2020 +0100 ARM: dts: dra76x: m_can: fix order of clocks [ Upstream commit 05d5de6ba7dbe490dd413b5ca11d0875bd2bc006 ] According to the bosch,m_can.yaml bindings the first clock shall be the "hclk", while the second clock "cclk". This patch fixes the order accordingly. Fixes: 0adbe832f21a ("ARM: dts: dra76x: Add MCAN node") Cc: Faiz Abbas Cc: Tony Lindgren Cc: linux-omap@vger.kernel.org Signed-off-by: Marc Kleine-Budde Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 5da5a1a1256c33570a51ad47b9616106d9083074 Author: Grygorii Strashko Date: Wed Nov 18 16:19:00 2020 +0200 bus: ti-sysc: suppress err msg for timers used as clockevent/source [ Upstream commit 65fb73676112f6fd107c5e542b2cbcfb206fe881 ] GP Timers used as clockevent/source are not available for ti-sysc bus and handled by Kernel timekeeping core. Now ti-sysc produces error message every time such timer is detected: "ti-sysc: probe of 48040000.target-module failed with error -16" Such messages are not necessary, so suppress them by returning -ENXIO instead of -EBUSY. Fixes: 6cfcd5563b4f ("clocksource/drivers/timer-ti-dm: Fix suspend and resume for am3 and am4") Signed-off-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 89aada63529fb0b175d7cb5175163f9f5ee66383 Author: Arnd Bergmann Date: Wed Nov 11 17:52:58 2020 +0100 arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed [ Upstream commit cef397038167ac15d085914493d6c86385773709 ] Stefan Agner reported a bug when using zsram on 32-bit Arm machines with RAM above the 4GB address boundary: Unable to handle kernel NULL pointer dereference at virtual address 00000000 pgd = a27bd01c [00000000] *pgd=236a0003, *pmd=1ffa64003 Internal error: Oops: 207 [#1] SMP ARM Modules linked in: mdio_bcm_unimac(+) brcmfmac cfg80211 brcmutil raspberrypi_hwmon hci_uart crc32_arm_ce bcm2711_thermal phy_generic genet CPU: 0 PID: 123 Comm: mkfs.ext4 Not tainted 5.9.6 #1 Hardware name: BCM2711 PC is at zs_map_object+0x94/0x338 LR is at zram_bvec_rw.constprop.0+0x330/0xa64 pc : [] lr : [] psr: 60000013 sp : e376bbe0 ip : 00000000 fp : c1e2921c r10: 00000002 r9 : c1dda730 r8 : 00000000 r7 : e8ff7a00 r6 : 00000000 r5 : 02f9ffa0 r4 : e3710000 r3 : 000fdffe r2 : c1e0ce80 r1 : ebf979a0 r0 : 00000000 Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user Control: 30c5383d Table: 235c2a80 DAC: fffffffd Process mkfs.ext4 (pid: 123, stack limit = 0x495a22e6) Stack: (0xe376bbe0 to 0xe376c000) As it turns out, zsram needs to know the maximum memory size, which is defined in MAX_PHYSMEM_BITS when CONFIG_SPARSEMEM is set, or in MAX_POSSIBLE_PHYSMEM_BITS on the x86 architecture. The same problem will be hit on all 32-bit architectures that have a physical address space larger than 4GB and happen to not enable sparsemem and include asm/sparsemem.h from asm/pgtable.h. After the initial discussion, I suggested just always defining MAX_POSSIBLE_PHYSMEM_BITS whenever CONFIG_PHYS_ADDR_T_64BIT is set, or provoking a build error otherwise. This addresses all configurations that can currently have this runtime bug, but leaves all other configurations unchanged. I looked up the possible number of bits in source code and datasheets, here is what I found: - on ARC, CONFIG_ARC_HAS_PAE40 controls whether 32 or 40 bits are used - on ARM, CONFIG_LPAE enables 40 bit addressing, without it we never support more than 32 bits, even though supersections in theory allow up to 40 bits as well. - on MIPS, some MIPS32r1 or later chips support 36 bits, and MIPS32r5 XPA supports up to 60 bits in theory, but 40 bits are more than anyone will ever ship - On PowerPC, there are three different implementations of 36 bit addressing, but 32-bit is used without CONFIG_PTE_64BIT - On RISC-V, the normal page table format can support 34 bit addressing. There is no highmem support on RISC-V, so anything above 2GB is unused, but it might be useful to eventually support CONFIG_ZRAM for high pages. Fixes: 61989a80fb3a ("staging: zsmalloc: zsmalloc memory allocation library") Fixes: 02390b87a945 ("mm/zsmalloc: Prepare to variable MAX_PHYSMEM_BITS") Acked-by: Thomas Bogendoerfer Reviewed-by: Stefan Agner Tested-by: Stefan Agner Acked-by: Mike Rapoport Link: https://lore.kernel.org/linux-mm/bdfa44bf1c570b05d6c70898e2bbb0acf234ecdf.1604762181.git.stefan@agner.ch/ Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 2f2311032ec19a01f67a026464b3486ba4efa10b Author: Bryan O'Donoghue Date: Fri Nov 13 15:12:25 2020 +0000 phy: qualcomm: Fix 28 nm Hi-Speed USB PHY OF dependency [ Upstream commit 14839107b51cc0db19579039b1f72cba7a0c8049 ] This Kconfig entry should declare a dependency on OF Fixes: 67b27dbeac4d ("phy: qualcomm: Add Synopsys 28nm Hi-Speed USB PHY driver") Signed-off-by: Bryan O'Donoghue Link: https://lore.kernel.org/r/20201113151225.1657600-3-bryan.odonoghue@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit abd86deef6185d808b2c0e257fd8a36557c7d7ac Author: Bryan O'Donoghue Date: Fri Nov 13 15:12:24 2020 +0000 phy: qualcomm: usb: Fix SuperSpeed PHY OF dependency [ Upstream commit 44786a26a7485e12a1d2aaad2adfb3c82f6ad171 ] This Kconfig entry should declare a dependency on OF Fixes: 6076967a500c ("phy: qualcomm: usb: Add SuperSpeed PHY driver") Reported-by: kernel test robot Link: https://lkml.org/lkml/2020/11/13/414 Signed-off-by: Bryan O'Donoghue Link: https://lore.kernel.org/r/20201113151225.1657600-2-bryan.odonoghue@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 9d9bc23196f00b43767980ef5691c40aafbc386e Author: Peter Chen Date: Tue Nov 3 22:16:00 2020 +0800 usb: cdns3: gadget: calculate TD_SIZE based on TD [ Upstream commit 40252dd7cf7cad81c784c695c36bc475b518f0ea ] The TRB entry TD_SIZE is the packet number for the TD (request) but not the each TRB, so it only needs to be assigned for the first TRB during the TD, and the value of it is for TD too. Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver") Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit f43e7b4513c15e247cd19fcd6c5c112736c3de8c Author: Peter Chen Date: Fri Aug 21 11:14:37 2020 +0800 usb: cdns3: gadget: fix some endian issues [ Upstream commit 8dafb3c04df3b3b5a3ee2c7f5d8285a8b2f0aa78 ] It is found by sparse. Reported-by: kbuild test robot Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 3b065057e10fc4523e32896e434aa3a5f8566724 Author: Taehee Yoo Date: Sun Nov 15 10:30:04 2020 +0000 batman-adv: set .owner to THIS_MODULE [ Upstream commit 14a2e551faea53d45bc11629a9dac88f88950ca7 ] If THIS_MODULE is not set, the module would be removed while debugfs is being used. It eventually makes kernel panic. Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol") Signed-off-by: Taehee Yoo Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin commit b61c6dea3c6e6b0bea312f1f4efd8c9820ac3ae9 Author: Qu Wenruo Date: Wed Nov 11 19:38:18 2020 +0800 btrfs: qgroup: don't commit transaction when we already hold the handle [ Upstream commit 6f23277a49e68f8a9355385c846939ad0b1261e7 ] [BUG] When running the following script, btrfs will trigger an ASSERT(): #/bin/bash mkfs.btrfs -f $dev mount $dev $mnt xfs_io -f -c "pwrite 0 1G" $mnt/file sync btrfs quota enable $mnt btrfs quota rescan -w $mnt # Manually set the limit below current usage btrfs qgroup limit 512M $mnt $mnt # Crash happens touch $mnt/file The dmesg looks like this: assertion failed: refcount_read(&trans->use_count) == 1, in fs/btrfs/transaction.c:2022 ------------[ cut here ]------------ kernel BUG at fs/btrfs/ctree.h:3230! invalid opcode: 0000 [#1] SMP PTI RIP: 0010:assertfail.constprop.0+0x18/0x1a [btrfs] btrfs_commit_transaction.cold+0x11/0x5d [btrfs] try_flush_qgroup+0x67/0x100 [btrfs] __btrfs_qgroup_reserve_meta+0x3a/0x60 [btrfs] btrfs_delayed_update_inode+0xaa/0x350 [btrfs] btrfs_update_inode+0x9d/0x110 [btrfs] btrfs_dirty_inode+0x5d/0xd0 [btrfs] touch_atime+0xb5/0x100 iterate_dir+0xf1/0x1b0 __x64_sys_getdents64+0x78/0x110 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7fb5afe588db [CAUSE] In try_flush_qgroup(), we assume we don't hold a transaction handle at all. This is true for data reservation and mostly true for metadata. Since data space reservation always happens before we start a transaction, and for most metadata operation we reserve space in start_transaction(). But there is an exception, btrfs_delayed_inode_reserve_metadata(). It holds a transaction handle, while still trying to reserve extra metadata space. When we hit EDQUOT inside btrfs_delayed_inode_reserve_metadata(), we will join current transaction and commit, while we still have transaction handle from qgroup code. [FIX] Let's check current->journal before we join the transaction. If current->journal is unset or BTRFS_SEND_TRANS_STUB, it means we are not holding a transaction, thus are able to join and then commit transaction. If current->journal is a valid transaction handle, we avoid committing transaction and just end it This is less effective than committing current transaction, as it won't free metadata reserved space, but we may still free some data space before new data writes. Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1178634 Fixes: c53e9653605d ("btrfs: qgroup: try to flush qgroup space when we get -EDQUOT") Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit f37031a824d404743ab000d147b37d2f6b12db22 Author: Collin Walling Date: Wed Nov 4 13:10:32 2020 -0500 KVM: s390: remove diag318 reset code [ Upstream commit 6cbf1e960fa52e4c63a6dfa4cda8736375b34ccc ] The diag318 data must be set to 0 by VM-wide reset events triggered by diag308. As such, KVM should not handle resetting this data via the VCPU ioctls. Fixes: 23a60f834406 ("s390/kvm: diagnose 0x318 sync and reset") Signed-off-by: Collin Walling Reviewed-by: Christian Borntraeger Reviewed-by: Janosch Frank Acked-by: Cornelia Huck Signed-off-by: Christian Borntraeger Link: https://lore.kernel.org/r/20201104181032.109800-1-walling@linux.ibm.com Signed-off-by: Sasha Levin commit 6169b355ad77df156d01237f9bd19b6003a6cf5c Author: Janosch Frank Date: Tue Oct 20 06:12:07 2020 -0400 KVM: s390: pv: Mark mm as protected after the set secure parameters and improve cleanup [ Upstream commit 1ed576a20cd5c93295f57d6b7400357bd8d01b21 ] We can only have protected guest pages after a successful set secure parameters call as only then the UV allows imports and unpacks. By moving the test we can now also check for it in s390_reset_acc() and do an early return if it is 0. Signed-off-by: Janosch Frank Fixes: 29b40f105ec8 ("KVM: s390: protvirt: Add initial vm and cpu lifecycle handling") Reviewed-by: Cornelia Huck Signed-off-by: Christian Borntraeger Signed-off-by: Sasha Levin commit 4ea1ac270f462f989897a099c4993301009ba22c Author: Avraham Stern Date: Sat Nov 7 10:50:09 2020 +0200 iwlwifi: mvm: write queue_sync_state only for sync [ Upstream commit 97cc16943f23078535fdbce4f6391b948b4ccc08 ] We use mvm->queue_sync_state to wait for synchronous queue sync messages, but if an async one happens inbetween we shouldn't clear mvm->queue_sync_state after sending the async one, that can run concurrently (at least from the CPU POV) with another synchronous queue sync. Signed-off-by: Johannes Berg Fixes: 3c514bf831ac ("iwlwifi: mvm: add a loose synchronization of the NSSN across Rx queues") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201107104557.51a3148f2c14.I0772171dbaec87433a11513e9586d98b5d920b5f@changeid Signed-off-by: Sasha Levin commit 1c82d368928e9c2fb639d20b50a040c341b5600f Author: Emmanuel Grumbach Date: Sat Nov 7 10:50:08 2020 +0200 iwlwifi: mvm: properly cancel a session protection for P2P [ Upstream commit 1cf260e3a75b87726ec609ad1b6b88f515749786 ] We need to feed the configuration id to remove session protection properly. Remember the conf_id when we add the session protection so that we can give it back when we want to remove the session protection. While at it, slightly improve the kernel doc for the conf_id of the notification. Signed-off-by: Emmanuel Grumbach Fixes: fe959c7b2049 ("iwlwifi: mvm: use the new session protection command") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201107104557.3642f730333d.I01a98ecde62096d00d171cf34ad775bf80cb0277@changeid Signed-off-by: Sasha Levin commit c04cb3a60d11a520680156c0ea31a1e8cbe874d0 Author: Emmanuel Grumbach Date: Sat Nov 7 10:50:07 2020 +0200 iwlwifi: mvm: use the HOT_SPOT_CMD to cancel an AUX ROC [ Upstream commit fb8d1b6e97980057b7ebed444b8950e57f268a67 ] The ROC that runs on the AUX ROC (meaning an ROC on the STA vif), was added with the HOT_SPOT_CMD firmware command and must be cancelled with that same command. Signed-off-by: Emmanuel Grumbach Fixes: fe959c7b2049 ("iwlwifi: mvm: use the new session protection command") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20201107104557.a317376154da.I44fa3637373ba4bd421cdff2cabc761bffc0735f@changeid Signed-off-by: Sasha Levin commit c8c20c0067291a341438a82fd2644cf7cdcc19f4 Author: Marc Zyngier Date: Tue Oct 13 10:58:20 2020 +0100 phy: tegra: xusb: Fix dangling pointer on probe failure [ Upstream commit eb9c4dd9bdfdebaa13846c16a8c79b5b336066b6 ] If, for some reason, the xusb PHY fails to probe, it leaves a dangling pointer attached to the platform device structure. This would normally be harmless, but the Tegra XHCI driver then goes and extract that pointer from the PHY device. Things go downhill from there: 8.752082] [004d554e5145533c] address between user and kernel address ranges [ 8.752085] Internal error: Oops: 96000004 [#1] PREEMPT SMP [ 8.752088] Modules linked in: max77620_regulator(E+) xhci_tegra(E+) sdhci_tegra(E+) xhci_hcd(E) sdhci_pltfm(E) cqhci(E) fixed(E) usbcore(E) scsi_mod(E) sdhci(E) host1x(E+) [ 8.752103] CPU: 4 PID: 158 Comm: systemd-udevd Tainted: G S W E 5.9.0-rc7-00298-gf6337624c4fe #1980 [ 8.752105] Hardware name: NVIDIA Jetson TX2 Developer Kit (DT) [ 8.752108] pstate: 20000005 (nzCv daif -PAN -UAO BTYPE=--) [ 8.752115] pc : kobject_put+0x1c/0x21c [ 8.752120] lr : put_device+0x20/0x30 [ 8.752121] sp : ffffffc012eb3840 [ 8.752122] x29: ffffffc012eb3840 x28: ffffffc010e82638 [ 8.752125] x27: ffffffc008d56440 x26: 0000000000000000 [ 8.752128] x25: ffffff81eb508200 x24: 0000000000000000 [ 8.752130] x23: ffffff81eb538800 x22: 0000000000000000 [ 8.752132] x21: 00000000fffffdfb x20: ffffff81eb538810 [ 8.752134] x19: 3d4d554e51455300 x18: 0000000000000020 [ 8.752136] x17: ffffffc008d00270 x16: ffffffc008d00c94 [ 8.752138] x15: 0000000000000004 x14: ffffff81ebd4ae90 [ 8.752140] x13: 0000000000000000 x12: ffffff81eb86a4e8 [ 8.752142] x11: ffffff81eb86a480 x10: ffffff81eb862fea [ 8.752144] x9 : ffffffc01055fb28 x8 : ffffff81eb86a4a8 [ 8.752146] x7 : 0000000000000001 x6 : 0000000000000001 [ 8.752148] x5 : ffffff81dff8bc38 x4 : 0000000000000000 [ 8.752150] x3 : 0000000000000001 x2 : 0000000000000001 [ 8.752152] x1 : 0000000000000002 x0 : 3d4d554e51455300 [ 8.752155] Call trace: [ 8.752157] kobject_put+0x1c/0x21c [ 8.752160] put_device+0x20/0x30 [ 8.752164] tegra_xusb_padctl_put+0x24/0x3c [ 8.752170] tegra_xusb_probe+0x8b0/0xd10 [xhci_tegra] [ 8.752174] platform_drv_probe+0x60/0xb4 [ 8.752176] really_probe+0xf0/0x504 [ 8.752179] driver_probe_device+0x100/0x170 [ 8.752181] device_driver_attach+0xcc/0xd4 [ 8.752183] __driver_attach+0xb0/0x17c [ 8.752185] bus_for_each_dev+0x7c/0xd4 [ 8.752187] driver_attach+0x30/0x3c [ 8.752189] bus_add_driver+0x154/0x250 [ 8.752191] driver_register+0x84/0x140 [ 8.752193] __platform_driver_register+0x54/0x60 [ 8.752197] tegra_xusb_init+0x40/0x1000 [xhci_tegra] [ 8.752201] do_one_initcall+0x54/0x2d0 [ 8.752205] do_init_module+0x68/0x29c [ 8.752207] load_module+0x2178/0x26c0 [ 8.752209] __do_sys_finit_module+0xb0/0x120 [ 8.752211] __arm64_sys_finit_module+0x2c/0x40 [ 8.752215] el0_svc_common.constprop.0+0x80/0x240 [ 8.752218] do_el0_svc+0x30/0xa0 [ 8.752220] el0_svc+0x18/0x50 [ 8.752223] el0_sync_handler+0x90/0x318 [ 8.752225] el0_sync+0x158/0x180 [ 8.752230] Code: a9bd7bfd 910003fd a90153f3 aa0003f3 (3940f000) [ 8.752232] ---[ end trace 90f6c89d62d85ff5 ]--- Reset the pointer on probe failure fixes the issue. Fixes: 53d2a715c2403 ("phy: Add Tegra XUSB pad controller support") Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20201013095820.311376-1-maz@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0e19fe5267c12c007479ca3ce7087128f04f1d73 Author: Tony Lindgren Date: Wed Oct 28 08:03:17 2020 +0200 ARM: OMAP2+: Manage MPU state properly for omap_enter_idle_coupled() [ Upstream commit 294a3317bef52b189139c813b50dd14d344fa9ec ] Based on more testing, commit 8ca5ee624b4c ("ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails") is a poor fix for handling cpu_cluster_pm_enter() returned errors. We should not override the cpuidle states with a hardcoded PWRDM_POWER_ON value. Instead, we should use a configured idle state that does not cause the context to be lost. Otherwise we end up configuring a potentially improper state for the MPUSS. We also want to update the returned state index for the selected state. Let's just select the highest power idle state C1 to ensure no context loss is allowed on cpu_cluster_pm_enter() errors. With these changes we can now unconditionally call omap4_enter_lowpower() for WFI like we did earlier before commit 55be2f50336f ("ARM: OMAP2+: Handle errors for cpu_pm"). And we can return the selected state index. Fixes: 8f04aea048d5 ("ARM: OMAP2+: Restore MPU power domain if cpu_cluster_pm_enter() fails") Fixes: 55be2f50336f ("ARM: OMAP2+: Handle errors for cpu_pm") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit a22c73ed9eabba990fca4b99700ea688dd821448 Author: Tony Lindgren Date: Mon Oct 26 10:08:47 2020 +0200 bus: ti-sysc: Fix bogus resetdone warning on enable for cpsw [ Upstream commit e7ae08d398e094e1305dee823435b1f996d39106 ] Bail out early from sysc_wait_softreset() just like we do in sysc_reset() if there's no sysstatus srst_shift to fix a bogus resetdone warning on enable as suggested by Grygorii Strashko . We do not currently handle resets for modules that need writing to the sysstatus register. If we at some point add that, we also need to add SYSS_QUIRK_RESETDONE_INVERTED flag for cpsw as the sysstatus bit is low when reset is done as described in the am335x TRM "Table 14-202 SOFT_RESET Register Field Descriptions" Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") Suggested-by: Grygorii Strashko Acked-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit e79c3d983c3e81474c0a718908224e60749d5c42 Author: Tony Lindgren Date: Mon Oct 26 10:08:47 2020 +0200 bus: ti-sysc: Fix reset status check for modules with quirks [ Upstream commit e275d2109cdaea8b4554b9eb8a828bdb8f8ba068 ] Commit d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") started showing a "OCP softreset timed out" warning on enable if the interconnect target module is not out of reset. This caused the warning to be often triggered for i2c and hdq while the devices are working properly. Turns out that some interconnect target modules seem to have an unusable reset status bits unless the module specific reset quirks are activated. Let's just skip the reset status check for those modules as we only want to activate the reset quirks when doing a reset, and not on enable. This way we don't see the bogus "OCP softreset timed out" warnings during boot. Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 9b1f3abe41cff596959702e9648cd6f3372d6a22 Author: Andrew Lunn Date: Mon Nov 16 08:43:01 2020 -0800 net: dsa: mv88e6xxx: Wait for EEPROM done after HW reset [ Upstream commit a3dcb3e7e70c72a68a79b30fc3a3adad5612731c ] When the switch is hardware reset, it reads the contents of the EEPROM. This can contain instructions for programming values into registers and to perform waits between such programming. Reading the EEPROM can take longer than the 100ms mv88e6xxx_hardware_reset() waits after deasserting the reset GPIO. So poll the EEPROM done bit to ensure it is complete. Signed-off-by: Andrew Lunn Signed-off-by: Ruslan Sushko Link: https://lore.kernel.org/r/20201116164301.977661-1-rus@sushko.dev Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f6cbd74d5e68113d31ffeebd446597568fbebd7b Author: Thomas Gleixner Date: Tue Nov 17 21:23:34 2020 +0100 x86/dumpstack: Do not try to access user space code of other tasks [ Upstream commit 860aaabac8235cfde10fe556aa82abbbe3117888 ] sysrq-t ends up invoking show_opcodes() for each task which tries to access the user space code of other processes, which is obviously bogus. It either manages to dump where the foreign task's regs->ip points to in a valid mapping of the current task or triggers a pagefault and prints "Code: Bad RIP value.". Both is just wrong. Add a safeguard in copy_code() and check whether the @regs pointer matches currents pt_regs. If not, do not even try to access it. While at it, add commentary why using copy_from_user_nmi() is safe in copy_code() even if the function name suggests otherwise. Reported-by: Oleg Nesterov Signed-off-by: Thomas Gleixner Signed-off-by: Borislav Petkov Reviewed-by: Borislav Petkov Acked-by: Oleg Nesterov Tested-by: Borislav Petkov Link: https://lkml.kernel.org/r/20201117202753.667274723@linutronix.de Signed-off-by: Sasha Levin commit 4381c76f6ca4d7c621f0b1dc8579199067ff0953 Author: Laurent Pinchart Date: Tue Sep 1 00:09:37 2020 +0300 xtensa: uaccess: Add missing __user to strncpy_from_user() prototype [ Upstream commit dc293f2106903ab9c24e9cea18c276e32c394c33 ] When adding __user annotations in commit 2adf5352a34a, the strncpy_from_user() function declaration for the CONFIG_GENERIC_STRNCPY_FROM_USER case was missed. Fix it. Reported-by: kernel test robot Signed-off-by: Laurent Pinchart Message-Id: <20200831210937.17938-1-laurent.pinchart@ideasonboard.com> Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit 30ffb6a74f65af09c5948c10fe5464a7a8e7650a Author: Sami Tolvanen Date: Fri Nov 13 10:31:26 2020 -0800 perf/x86: fix sysfs type mismatches [ Upstream commit ebd19fc372e3e78bf165f230e7c084e304441c08 ] This change switches rapl to use PMU_FORMAT_ATTR, and fixes two other macros to use device_attribute instead of kobj_attribute to avoid callback type mismatches that trip indirect call checking with Clang's Control-Flow Integrity (CFI). Reported-by: Sedat Dilek Signed-off-by: Sami Tolvanen Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kees Cook Link: https://lkml.kernel.org/r/20201113183126.1239404-1-samitolvanen@google.com Signed-off-by: Sasha Levin commit 6e82639f979e71ebfe0778616ed3367ce6f4adab Author: Boqun Feng Date: Fri Nov 13 19:05:03 2020 +0800 lockdep: Put graph lock/unlock under lock_recursion protection [ Upstream commit 43be4388e94b915799a24f0eaf664bf95b85231f ] A warning was hit when running xfstests/generic/068 in a Hyper-V guest: [...] ------------[ cut here ]------------ [...] DEBUG_LOCKS_WARN_ON(lockdep_hardirqs_enabled()) [...] WARNING: CPU: 2 PID: 1350 at kernel/locking/lockdep.c:5280 check_flags.part.0+0x165/0x170 [...] ... [...] Workqueue: events pwq_unbound_release_workfn [...] RIP: 0010:check_flags.part.0+0x165/0x170 [...] ... [...] Call Trace: [...] lock_is_held_type+0x72/0x150 [...] ? lock_acquire+0x16e/0x4a0 [...] rcu_read_lock_sched_held+0x3f/0x80 [...] __send_ipi_one+0x14d/0x1b0 [...] hv_send_ipi+0x12/0x30 [...] __pv_queued_spin_unlock_slowpath+0xd1/0x110 [...] __raw_callee_save___pv_queued_spin_unlock_slowpath+0x11/0x20 [...] .slowpath+0x9/0xe [...] lockdep_unregister_key+0x128/0x180 [...] pwq_unbound_release_workfn+0xbb/0xf0 [...] process_one_work+0x227/0x5c0 [...] worker_thread+0x55/0x3c0 [...] ? process_one_work+0x5c0/0x5c0 [...] kthread+0x153/0x170 [...] ? __kthread_bind_mask+0x60/0x60 [...] ret_from_fork+0x1f/0x30 The cause of the problem is we have call chain lockdep_unregister_key() -> lockdep_unlock() -> arch_spin_unlock() -> __pv_queued_spin_unlock_slowpath() -> pv_kick() -> __send_ipi_one() -> trace_hyperv_send_ipi_one(). Although this particular warning is triggered because Hyper-V has a trace point in ipi sending, but in general arch_spin_unlock() may call another function having a trace point in it, so put the arch_spin_lock() and arch_spin_unlock() after lock_recursion protection to fix this problem and avoid similiar problems. Signed-off-by: Boqun Feng Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20201113110512.1056501-1-boqun.feng@gmail.com Signed-off-by: Sasha Levin commit 2c0cd3cafff19d7fb024348a504fde1cdbf2e031 Author: Mike Christie Date: Fri Nov 13 19:46:18 2020 -0600 scsi: target: iscsi: Fix cmd abort fabric stop race [ Upstream commit f36199355c64a39fe82cfddc7623d827c7e050da ] Maurizio found a race where the abort and cmd stop paths can race as follows: 1. thread1 runs iscsit_release_commands_from_conn and sets CMD_T_FABRIC_STOP. 2. thread2 runs iscsit_aborted_task and then does __iscsit_free_cmd. It then returns from the aborted_task callout and we finish target_handle_abort and do: target_handle_abort -> transport_cmd_check_stop_to_fabric -> lio_check_stop_free -> target_put_sess_cmd The cmd is now freed. 3. thread1 now finishes iscsit_release_commands_from_conn and runs iscsit_free_cmd while accessing a command we just released. In __target_check_io_state we check for CMD_T_FABRIC_STOP and set the CMD_T_ABORTED if the driver is not cleaning up the cmd because of a session shutdown. However, iscsit_release_commands_from_conn only sets the CMD_T_FABRIC_STOP and does not check to see if the abort path has claimed completion ownership of the command. This adds a check in iscsit_release_commands_from_conn so only the abort or fabric stop path cleanup the command. Link: https://lore.kernel.org/r/1605318378-9269-1-git-send-email-michael.christie@oracle.com Reported-by: Maurizio Lombardi Reviewed-by: Maurizio Lombardi Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 464eade52a6fde5febbd57e0f180e5aa05abb45a Author: Lee Duncan Date: Fri Nov 6 11:33:17 2020 -0800 scsi: libiscsi: Fix NOP race condition [ Upstream commit fe0a8a95e7134d0b44cd407bc0085b9ba8d8fe31 ] iSCSI NOPs are sometimes "lost", mistakenly sent to the user-land iscsid daemon instead of handled in the kernel, as they should be, resulting in a message from the daemon like: iscsid: Got nop in, but kernel supports nop handling. This can occur because of the new forward- and back-locks, and the fact that an iSCSI NOP response can occur before processing of the NOP send is complete. This can result in "conn->ping_task" being NULL in iscsi_nop_out_rsp(), when the pointer is actually in the process of being set. To work around this, we add a new state to the "ping_task" pointer. In addition to NULL (not assigned) and a pointer (assigned), we add the state "being set", which is signaled with an INVALID pointer (using "-1"). Link: https://lore.kernel.org/r/20201106193317.16993-1-leeman.duncan@gmail.com Reviewed-by: Mike Christie Signed-off-by: Lee Duncan Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d3bda78e12c5546fdb99649789a1058fe0bde5fc Author: Sugar Zhang Date: Sat Nov 14 11:55:06 2020 +0800 dmaengine: pl330: _prep_dma_memcpy: Fix wrong burst size [ Upstream commit e773ca7da8beeca7f17fe4c9d1284a2b66839cc1 ] Actually, burst size is equal to '1 << desc->rqcfg.brst_size'. we should use burst size, not desc->rqcfg.brst_size. dma memcpy performance on Rockchip RV1126 @ 1512MHz A7, 1056MHz LPDDR3, 200MHz DMA: dmatest: /# echo dma0chan0 > /sys/module/dmatest/parameters/channel /# echo 4194304 > /sys/module/dmatest/parameters/test_buf_size /# echo 8 > /sys/module/dmatest/parameters/iterations /# echo y > /sys/module/dmatest/parameters/norandom /# echo y > /sys/module/dmatest/parameters/verbose /# echo 1 > /sys/module/dmatest/parameters/run dmatest: dma0chan0-copy0: result #1: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #2: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #3: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #4: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #5: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #6: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #7: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 dmatest: dma0chan0-copy0: result #8: 'test passed' with src_off=0x0 dst_off=0x0 len=0x400000 Before: dmatest: dma0chan0-copy0: summary 8 tests, 0 failures 48 iops 200338 KB/s (0) After this patch: dmatest: dma0chan0-copy0: summary 8 tests, 0 failures 179 iops 734873 KB/s (0) After this patch and increase dma clk to 400MHz: dmatest: dma0chan0-copy0: summary 8 tests, 0 failures 259 iops 1062929 KB/s (0) Signed-off-by: Sugar Zhang Link: https://lore.kernel.org/r/1605326106-55681-1-git-send-email-sugar.zhang@rock-chips.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 977865d085b2352d5b2449e6f7b6b333fa279568 Author: Dmitry Osipenko Date: Wed Nov 4 16:21:26 2020 +0300 cpuidle: tegra: Annotate tegra_pm_set_cpu_in_lp2() with RCU_NONIDLE [ Upstream commit c39de538a06e76d89b7e598a71e16688009cd56c ] Annotate tegra_pm_set[clear]_cpu_in_lp2() with RCU_NONIDLE in order to fix lockdep warning about suspicious RCU usage of a spinlock during late idling phase. WARNING: suspicious RCU usage ... include/trace/events/lock.h:13 suspicious rcu_dereference_check() usage! ... (dump_stack) from (lock_acquire) (lock_acquire) from (_raw_spin_lock) (_raw_spin_lock) from (tegra_pm_set_cpu_in_lp2) (tegra_pm_set_cpu_in_lp2) from (tegra_cpuidle_enter) (tegra_cpuidle_enter) from (cpuidle_enter_state) (cpuidle_enter_state) from (cpuidle_enter_state_coupled) (cpuidle_enter_state_coupled) from (cpuidle_enter) (cpuidle_enter) from (do_idle) ... Tested-by: Peter Geis Reported-by: Peter Geis Signed-off-by: Dmitry Osipenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8180cdbb0a35471f97e47fa4aa6e9318ee1c2690 Author: Mike Christie Date: Mon Nov 9 23:33:21 2020 -0600 vhost scsi: fix cmd completion race [ Upstream commit 47a3565e8bb14ec48a75b48daf57aa830e2691f8 ] We might not do the final se_cmd put from vhost_scsi_complete_cmd_work. When the last put happens a little later then we could race where vhost_scsi_complete_cmd_work does vhost_signal, the guest runs and sends more IO, and vhost_scsi_handle_vq runs but does not find any free cmds. This patch has us delay completing the cmd until the last lio core ref is dropped. We then know that once we signal to the guest that the cmd is completed that if it queues a new command it will find a free cmd. Signed-off-by: Mike Christie Reviewed-by: Maurizio Lombardi Link: https://lore.kernel.org/r/1604986403-4931-4-git-send-email-michael.christie@oracle.com Signed-off-by: Michael S. Tsirkin Acked-by: Stefan Hajnoczi Signed-off-by: Sasha Levin commit 517ce96a6a1682b0d357ff57ac8831a50c036997 Author: Mike Christie Date: Mon Nov 9 23:33:20 2020 -0600 vhost scsi: alloc cmds per vq instead of session [ Upstream commit 25b98b64e28423b0769313dcaf96423836b1f93d ] We currently are limited to 256 cmds per session. This leads to problems where if the user has increased virtqueue_size to more than 2 or cmd_per_lun to more than 256 vhost_scsi_get_tag can fail and the guest will get IO errors. This patch moves the cmd allocation to per vq so we can easily match whatever the user has specified for num_queues and virtqueue_size/cmd_per_lun. It also makes it easier to control how much memory we preallocate. For cases, where perf is not as important and we can use the current defaults (1 vq and 128 cmds per vq) memory use from preallocate cmds is cut in half. For cases, where we are willing to use more memory for higher perf, cmd mem use will now increase as the num queues and queue depth increases. Signed-off-by: Mike Christie Link: https://lore.kernel.org/r/1604986403-4931-3-git-send-email-michael.christie@oracle.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Maurizio Lombardi Acked-by: Stefan Hajnoczi Signed-off-by: Sasha Levin commit 9876dea5d8a4d2543e956b3375b6f81a47decf8b Author: Mike Christie Date: Mon Nov 9 23:33:19 2020 -0600 vhost: add helper to check if a vq has been setup [ Upstream commit 6bcf34224ac1e94103797fd68b9836061762f2b2 ] This adds a helper check if a vq has been setup. The next patches will use this when we move the vhost scsi cmd preallocation from per session to per vq. In the per vq case, we only want to allocate cmds for vqs that have actually been setup and not for all the possible vqs. Signed-off-by: Mike Christie Link: https://lore.kernel.org/r/1604986403-4931-2-git-send-email-michael.christie@oracle.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang Acked-by: Stefan Hajnoczi Signed-off-by: Sasha Levin commit f3061e4d0d8b66568b6ef12fa7f0abeec1c9c287 Author: Laurent Vivier Date: Fri Nov 13 16:57:06 2020 +0100 vdpasim: fix "mac_pton" undefined error [ Upstream commit a312db697cb05dfa781848afe8585a1e1f2a5a99 ] ERROR: modpost: "mac_pton" [drivers/vdpa/vdpa_sim/vdpa_sim.ko] undefined! mac_pton() is defined in lib/net_utils.c and is not built if NET is not set. Select GENERIC_NET_UTILS as vdpasim doesn't depend on NET. Reported-by: kernel test robot Signed-off-by: Laurent Vivier Link: https://lore.kernel.org/r/20201113155706.599434-1-lvivier@redhat.com Signed-off-by: Michael S. Tsirkin Acked-by: Randy Dunlap # build-tested Signed-off-by: Sasha Levin commit 32944d89b48b0d7fcb110443f42be743a3bb7099 Author: Jisheng Zhang Date: Fri Nov 13 09:09:02 2020 +0800 net: stmmac: dwmac_lib: enlarge dma reset timeout [ Upstream commit 56311a315da7ebc668dbcc2f1c99689cc10796c4 ] If the phy enables power saving technology, the dwmac's software reset needs more time to complete, enlarge dma reset timeout to 200000us. Signed-off-by: Jisheng Zhang Link: https://lore.kernel.org/r/20201113090902.5c7aab1a@xhacker.debian Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2da8df06f49146eaae94f5bea611115924969053 Author: Jens Axboe Date: Fri Nov 13 16:48:44 2020 -0700 io_uring: handle -EOPNOTSUPP on path resolution [ Upstream commit 944d1444d53f5a213457e5096db370cfd06923d4 ] Any attempt to do path resolution on /proc/self from an async worker will yield -EOPNOTSUPP. We can safely do that resolution from the task itself, and without blocking, so retry it from there. Ideally io_uring would know this upfront and not have to go through the worker thread to find out, but that doesn't currently seem feasible. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 55a3b1ad694631cc2698b5500ac5865d7d0f064e Author: Minwoo Im Date: Thu Nov 5 23:28:47 2020 +0900 nvme: free sq/cq dbbuf pointers when dbbuf set fails [ Upstream commit 0f0d2c876c96d4908a9ef40959a44bec21bdd6cf ] If Doorbell Buffer Config command fails even 'dev->dbbuf_dbs != NULL' which means OACS indicates that NVME_CTRL_OACS_DBBUF_SUPP is set, nvme_dbbuf_update_and_check_event() will check event even it's not been successfully set. This patch fixes mismatch among dbbuf for sq/cqs in case that dbbuf command fails. Signed-off-by: Minwoo Im Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit ba8522fc9648a0cf2be76dccbde6bcdd43de58b1 Author: Jens Axboe Date: Fri Nov 13 16:47:52 2020 -0700 proc: don't allow async path resolution of /proc/self components [ Upstream commit 8d4c3e76e3be11a64df95ddee52e99092d42fc19 ] If this is attempted by a kthread, then return -EOPNOTSUPP as we don't currently support that. Once we can get task_pid_ptr() doing the right thing, then this can go away again. Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bded018ee002bec6e322a13be40eac4277faff54 Author: Hans de Goede Date: Mon Nov 2 14:36:58 2020 +0100 HID: Add Logitech Dinovo Edge battery quirk [ Upstream commit 7940fb035abd88040d56be209962feffa33b03d0 ] The battery status is also being reported by the logitech-hidpp driver, so ignore the standard HID battery status to avoid reporting the same info twice. Note the logitech-hidpp battery driver provides more info, such as properly differentiating between charging and discharging. Also the standard HID battery info seems to be wrong, reporting a capacity of just 26% after fully charging the device. Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Sasha Levin commit b1977be9745add9610697577aa1ff60c6ffe13db Author: Hans de Goede Date: Mon Nov 2 14:36:57 2020 +0100 HID: logitech-hidpp: Add HIDPP_CONSUMER_VENDOR_KEYS quirk for the Dinovo Edge [ Upstream commit c27168a04a438a457c100253b1aaf0c779218aae ] Like the MX5000 and MX5500 quad/bluetooth keyboards the Dinovo Edge also needs the HIDPP_CONSUMER_VENDOR_KEYS quirk for some special keys to work. Specifically without this the "Phone" and the 'A' - 'D' Smart Keys do not send any events. In addition to fixing these keys not sending any events, adding the Bluetooth match, so that hid-logitech-hidpp is used instead of the generic HID driver, also adds battery monitoring support when the keyboard is connected over Bluetooth. Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Sasha Levin commit 06b0f7e8c944eff7fcc9c52ffde97f12c4d15e7c Author: Daniel Latypov Date: Mon Nov 2 15:23:04 2020 -0800 kunit: fix display of failed expectations for strings [ Upstream commit 3084db0e0d5076cd48408274ab0911cd3ccdae88 ] Currently the following expectation KUNIT_EXPECT_STREQ(test, "hi", "bye"); will produce: Expected "hi" == "bye", but "hi" == 1625079497 "bye" == 1625079500 After this patch: Expected "hi" == "bye", but "hi" == hi "bye" == bye KUNIT_INIT_BINARY_STR_ASSERT_STRUCT() was written but just mistakenly not actually used by KUNIT_EXPECT_STREQ() and friends. Signed-off-by: Daniel Latypov Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 3d1a337ba994b646def6ea46dcdf924bd98f38b5 Author: Brian Masney Date: Fri Nov 6 20:11:19 2020 -0500 x86/xen: don't unbind uninitialized lock_kicker_irq [ Upstream commit 65cae18882f943215d0505ddc7e70495877308e6 ] When booting a hyperthreaded system with the kernel parameter 'mitigations=auto,nosmt', the following warning occurs: WARNING: CPU: 0 PID: 1 at drivers/xen/events/events_base.c:1112 unbind_from_irqhandler+0x4e/0x60 ... Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006 ... Call Trace: xen_uninit_lock_cpu+0x28/0x62 xen_hvm_cpu_die+0x21/0x30 takedown_cpu+0x9c/0xe0 ? trace_suspend_resume+0x60/0x60 cpuhp_invoke_callback+0x9a/0x530 _cpu_up+0x11a/0x130 cpu_up+0x7e/0xc0 bringup_nonboot_cpus+0x48/0x50 smp_init+0x26/0x79 kernel_init_freeable+0xea/0x229 ? rest_init+0xaa/0xaa kernel_init+0xa/0x106 ret_from_fork+0x35/0x40 The secondary CPUs are not activated with the nosmt mitigations and only the primary thread on each CPU core is used. In this situation, xen_hvm_smp_prepare_cpus(), and more importantly xen_init_lock_cpu(), is not called, so the lock_kicker_irq is not initialized for the secondary CPUs. Let's fix this by exiting early in xen_uninit_lock_cpu() if the irq is not set to avoid the warning from above for each secondary CPU. Signed-off-by: Brian Masney Link: https://lore.kernel.org/r/20201107011119.631442-1-bmasney@redhat.com Reviewed-by: Juergen Gross Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit 8ed4372eaf200fddcdaea8ea8309b4b346edd0d6 Author: Marc Ferland Date: Wed Nov 4 12:30:04 2020 +0530 dmaengine: xilinx_dma: use readl_poll_timeout_atomic variant [ Upstream commit 0ba2df09f1500d3f27398a3382b86d39c3e6abe2 ] The xilinx_dma_poll_timeout macro is sometimes called while holding a spinlock (see xilinx_dma_issue_pending() for an example) this means we shouldn't sleep when polling the dma channel registers. To address it in xilinx poll timeout macro use readl_poll_timeout_atomic instead of readl_poll_timeout variant. Signed-off-by: Marc Ferland Signed-off-by: Radhey Shyam Pandey Link: https://lore.kernel.org/r/1604473206-32573-2-git-send-email-radhey.shyam.pandey@xilinx.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 81bf3194110837fd61f29c5fbfe8a0b93037d3ad Author: Chris Ye Date: Sun Nov 1 11:34:52 2020 -0800 HID: add HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE for Gamevice devices [ Upstream commit f59ee399de4a8ca4d7d19cdcabb4b63e94867f09 ] Kernel 5.4 introduces HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE, devices need to be set explicitly with this flag. Signed-off-by: Chris Ye Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit d817fbefa48f06a5aa1e5ec6a3f629f9b5430f71 Author: Necip Fazil Yildiran Date: Wed Nov 4 21:15:23 2020 +0300 staging: ralink-gdma: fix kconfig dependency bug for DMA_RALINK [ Upstream commit 06ea594051707c6b8834ef5b24e9b0730edd391b ] When DMA_RALINK is enabled and DMADEVICES is disabled, it results in the following Kbuild warnings: WARNING: unmet direct dependencies detected for DMA_ENGINE Depends on [n]: DMADEVICES [=n] Selected by [y]: - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n] WARNING: unmet direct dependencies detected for DMA_VIRTUAL_CHANNELS Depends on [n]: DMADEVICES [=n] Selected by [y]: - DMA_RALINK [=y] && STAGING [=y] && RALINK [=y] && !SOC_RT288X [=n] The reason is that DMA_RALINK selects DMA_ENGINE and DMA_VIRTUAL_CHANNELS without depending on or selecting DMADEVICES while DMA_ENGINE and DMA_VIRTUAL_CHANNELS are subordinate to DMADEVICES. This can also fail building the kernel as demonstrated in a bug report. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Link: https://bugzilla.kernel.org/show_bug.cgi?id=210055 Signed-off-by: Necip Fazil Yildiran Link: https://lore.kernel.org/r/20201104181522.43567-1-fazilyildiran@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0af78d1b066fd557204347adc1f92c077d9ce63b Author: Pablo Ceballos Date: Mon Nov 2 19:29:39 2020 -0500 HID: hid-sensor-hub: Fix issue with devices with no report ID [ Upstream commit 34a9fa2025d9d3177c99351c7aaf256c5f50691f ] Some HID devices don't use a report ID because they only have a single report. In those cases, the report ID in struct hid_report will be zero and the data for the report will start at the first byte, so don't skip over the first byte. Signed-off-by: Pablo Ceballos Acked-by: Srinivas Pandruvada Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit ed06c39b8592a49ab64749d0124a960f80055f5b Author: Hans de Goede Date: Mon Oct 26 20:53:57 2020 -0700 Input: i8042 - allow insmod to succeed on devices without an i8042 controller [ Upstream commit b1884583fcd17d6a1b1bba94bbb5826e6b5c6e17 ] The i8042 module exports several symbols which may be used by other modules. Before this commit it would refuse to load (when built as a module itself) on systems without an i8042 controller. This is a problem specifically for the asus-nb-wmi module. Many Asus laptops support the Asus WMI interface. Some of them have an i8042 controller and need to use i8042_install_filter() to filter some kbd events. Other models do not have an i8042 controller (e.g. they use an USB attached kbd). Before this commit the asus-nb-wmi driver could not be loaded on Asus models without an i8042 controller, when the i8042 code was built as a module (as Arch Linux does) because the module_init function of the i8042 module would fail with -ENODEV and thus the i8042_install_filter symbol could not be loaded. This commit fixes this by exiting from module_init with a return code of 0 if no controller is found. It also adds a i8042_present bool to make the module_exit function a no-op in this case and also adds a check for i8042_present to the exported i8042_command function. The latter i8042_present check should not really be necessary because when builtin that function can already be used on systems without an i8042 controller, but better safe then sorry. Reported-and-tested-by: Marius Iacob Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20201008112628.3979-2-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 97a6be781d38a67b77c59b340da6c157db074daa Author: Jiri Kosina Date: Wed Sep 30 22:52:31 2020 +0200 HID: add support for Sega Saturn [ Upstream commit 1811977cb11354aef8cbd13e35ff50db716728a4 ] This device needs HID_QUIRK_MULTI_INPUT in order to be presented to userspace in a consistent way. Reported-and-tested-by: David Gámiz Jiménez Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 8db8588ff374de9d7f8a0859bffd9d5a32acd495 Author: Frank Yang Date: Fri Aug 21 03:16:50 2020 +0900 HID: cypress: Support Varmilo Keyboards' media hotkeys [ Upstream commit 652f3d00de523a17b0cebe7b90debccf13aa8c31 ] The Varmilo VA104M Keyboard (04b4:07b1, reported as Varmilo Z104M) exposes media control hotkeys as a USB HID consumer control device, but these keys do not work in the current (5.8-rc1) kernel due to the incorrect HID report descriptor. Fix the problem by modifying the internal HID report descriptor. More specifically, the keyboard report descriptor specifies the logical boundary as 572~10754 (0x023c ~ 0x2a02) while the usage boundary is specified as 0~10754 (0x00 ~ 0x2a02). This results in an incorrect interpretation of input reports, causing inputs to be ignored. By setting the Logical Minimum to zero, we align the logical boundary with the Usage ID boundary. Some notes: * There seem to be multiple variants of the VA104M keyboard. This patch specifically targets 04b4:07b1 variant. * The device works out-of-the-box on Windows platform with the generic consumer control device driver (hidserv.inf). This suggests that Windows either ignores the Logical Minimum/Logical Maximum or interprets the Usage ID assignment differently from the linux implementation; Maybe there are other devices out there that only works on Windows due to this problem? Signed-off-by: Frank Yang Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit bf64741b4049d80d57555879106aa2e2189463b1 Author: Hans de Goede Date: Mon Oct 19 09:48:14 2020 +0200 HID: ite: Replace ABS_MISC 120/121 events with touchpad on/off keypresses [ Upstream commit 3c785a06dee99501a17f8e8cf29b2b7e3f1e94ea ] The usb-hid keyboard-dock for the Acer Switch 10 SW5-012 model declares an application and hid-usage page of 0x0088 for the INPUT(4) report which it sends. This reports contains 2 8-bit fields which are declared as HID_MAIN_ITEM_VARIABLE. The keyboard-touchpad combo never actually generates this report, except when the touchpad is toggled on/off with the Fn + F7 hotkey combo. The toggle on/off is handled inside the keyboard-dock, when the touchpad is toggled off it simply stops sending events. When the touchpad is toggled on/off an INPUT(4) report is generated with the first content byte set to 120/121, before this commit the kernel would report this as ABS_MISC 120/121 events. Patch the descriptor to replace the HID_MAIN_ITEM_VARIABLE with HID_MAIN_ITEM_RELATIVE (because no key-presss release events are send) and add mappings for the 0x00880078 and 0x00880079 usages to generate touchpad on/off key events when the touchpad is toggled on/off. Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit e38bc67bca65ecc4b1f797a14ccd684081259707 Author: Martijn van de Streek Date: Fri Oct 16 08:38:05 2020 +0200 HID: uclogic: Add ID for Trust Flex Design Tablet [ Upstream commit 022fc5315b7aff69d3df2c953b892a6232642d50 ] The Trust Flex Design Tablet has an UGTizer USB ID and requires the same initialization as the UGTizer GP0610 to be detected as a graphics tablet instead of a mouse. Signed-off-by: Martijn van de Streek Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit b7779ee629e45950a0766a7f234f7b1c55c616c8 Author: Rodrigo Siqueira Date: Tue Nov 17 15:25:48 2020 -0500 drm/amd/display: Avoid HDCP initialization in devices without output commit d661155bfca329851a27bb5120fab027db43bd23 upstream. The HDCP feature requires at least one connector attached to the device; however, some GPUs do not have a physical output, making the HDCP initialization irrelevant. This patch disables HDCP initialization when the graphic card does not have output. Acked-by: Alex Deucher Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit a68122a12934fa0e6dbf38481db705d9e307bd9c Author: Kenneth Feng Date: Tue Nov 17 21:10:59 2020 +0800 drm/amd/amdgpu: fix null pointer in runtime pm commit 7acc79eb5f78d3d1aa5dd21fc0a0329f1b7f2be5 upstream. fix the null pointer issue when runtime pm is triggered. Signed-off-by: Kenneth Feng Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 01144c0fda8040539afc67caa2a0a0db9606769a Author: Likun Gao Date: Mon Nov 23 10:28:46 2020 +0800 drm/amdgpu: update golden setting for sienna_cichlid commit 60734bd54679d7998a24a257b0403f7644005572 upstream. Update golden setting for sienna_cichlid. Signed-off-by: Likun Gao Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.9.x Signed-off-by: Greg Kroah-Hartman commit bf31bffa3869df4f859de215b85c0410643a376b Author: Sonny Jiang Date: Fri Nov 20 02:38:09 2020 -0500 drm/amdgpu: fix a page fault commit dbbf2728d50343b7947001a81f4c8cc98e4b44e5 upstream. The UVD firmware is copied to cpu addr in uvd_resume, so it should be used after that. This is to fix a bug introduced by patch drm/amdgpu: fix SI UVD firmware validate resume fail. Signed-off-by: Sonny Jiang Reviewed-by: Leo Liu Signed-off-by: Alex Deucher CC: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 04c870ffa4341860323b47caa252c8e50e3a57f9 Author: Will Deacon Date: Fri Nov 20 13:57:48 2020 +0000 arm64: pgtable: Ensure dirty bit is preserved across pte_wrprotect() commit ff1712f953e27f0b0718762ec17d0adb15c9fd0b upstream. With hardware dirty bit management, calling pte_wrprotect() on a writable, dirty PTE will lose the dirty state and return a read-only, clean entry. Move the logic from ptep_set_wrprotect() into pte_wrprotect() to ensure that the dirty bit is preserved for writable entries, as this is required for soft-dirty bit management if we enable it in the future. Cc: Fixes: 2f4b829c625e ("arm64: Add support for hardware updates of the access and dirty pte bits") Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/20201120143557.6715-3-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 12648226350fd98cf39016316f1bba499d1f05d7 Author: Will Deacon Date: Fri Nov 20 13:28:01 2020 +0000 arm64: pgtable: Fix pte_accessible() commit 07509e10dcc77627f8b6a57381e878fe269958d3 upstream. pte_accessible() is used by ptep_clear_flush() to figure out whether TLB invalidation is necessary when unmapping pages for reclaim. Although our implementation is correct according to the architecture, returning true only for valid, young ptes in the absence of racing page-table modifications, this is in fact flawed due to lazy invalidation of old ptes in ptep_clear_flush_young() where we elide the expensive DSB instruction for completing the TLB invalidation. Rather than penalise the aging path, adjust pte_accessible() to return true for any valid pte, even if the access flag is cleared. Cc: Fixes: 76c714be0e5e ("arm64: pgtable: implement pte_accessible()") Reported-by: Yu Zhao Acked-by: Yu Zhao Reviewed-by: Minchan Kim Reviewed-by: Catalin Marinas Link: https://lore.kernel.org/r/20201120143557.6715-2-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 81fda45887bdffb482f2ee029d63d3e98cef52fc Author: JC Kuo Date: Thu Nov 19 15:23:45 2020 +0800 arm64: tegra: Fix USB_VBUS_EN0 regulator on Jetson TX1 commit f24a2acc15bcc7bbd295f9759efc873b88fbe429 upstream. USB host mode is broken on the OTG port of Jetson TX1 platform because the USB_VBUS_EN0 regulator (regulator@11) is being overwritten by the vdd-cam-1v2 regulator. This commit rearranges USB_VBUS_EN0 to be regulator@14. Fixes: 257c8047be44 ("arm64: tegra: jetson-tx1: Add camera supplies") Cc: stable@vger.kernel.org Signed-off-by: JC Kuo Reviewed-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit eb576c499084fa244b4b0b9c841e5e5d26a556a6 Author: Jon Hunter Date: Wed Nov 11 10:41:17 2020 +0000 arm64: tegra: Correct the UART for Jetson Xavier NX commit 476e23f4c540949ac5ea4fad4f6f6fa0e2d41f42 upstream. The Jetson Xavier NX board routes UARTA to the 40-pin header and UARTC to a 12-pin debug header. The UARTs can be used by either the Tegra Combined UART (TCU) driver or the Tegra 8250 driver. By default, the TCU will use UARTC on Jetson Xavier NX. Currently, device-tree for Xavier NX enables the TCU and the Tegra 8250 node for UARTC. Fix this by disabling the Tegra 8250 node for UARTC and enabling the Tegra 8250 node for UARTA. Fixes: 3f9efbbe57bc ("arm64: tegra: Add support for Jetson Xavier NX") Cc: stable@vger.kernel.org Signed-off-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Greg Kroah-Hartman commit 19d2c29ddead3869e94015ee283aad042a10d2f1 Author: Hui Su Date: Wed Nov 25 00:52:05 2020 +0800 trace: fix potenial dangerous pointer commit fdeb17c70c9ecae655378761accf5a26a55a33cf upstream. The bdi_dev_name() returns a char [64], and the __entry->name is a char [32]. It maybe dangerous to TP_printk("%s", __entry->name) after the strncpy(). CC: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201124165205.GA23937@rlk Acked-by: Steven Rostedt (VMware) Acked-by: Tejun Heo Signed-off-by: Hui Su Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 28072a5219710f7c84a95e4eb28aea086f53cdd6 Author: Pavel Begunkov Date: Mon Nov 23 23:20:27 2020 +0000 io_uring: fix ITER_BVEC check commit 9c3a205c5ffa36e96903c2e37eb5f41c0f03c43e upstream. iov_iter::type is a bitmask that also keeps direction etc., so it shouldn't be directly compared against ITER_*. Use proper helper. Fixes: ff6165b2d7f6 ("io_uring: retain iov_iter state over io_read/io_write calls") Reported-by: David Howells Signed-off-by: Pavel Begunkov Cc: # 5.9 Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 51dbeda5a4f1ddce8931f3d7f8b27e8c6f69ad39 Author: Sonny Jiang Date: Fri Nov 6 16:42:47 2020 -0500 drm/amdgpu: fix SI UVD firmware validate resume fail commit 4d6a95366117b241bb3298e1c318a36ebb7544d0 upstream. The SI UVD firmware validate key is stored at the end of firmware, which is changed during resume while playing video. So get the key at sw_init and store it for fw validate using. Signed-off-by: Sonny Jiang Reviewed-by: Leo Liu Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit a38a99930883fb1e24f2a34b78a05a6598e86150 Author: Amit Sunil Dhamne Date: Mon Nov 23 21:52:41 2020 -0800 firmware: xilinx: Use hash-table for api feature check commit acfdd18591eaac25446e976a0c0d190f8b3dbfb1 upstream. Currently array of fix length PM_API_MAX is used to cache the pm_api version (valid or invalid). However ATF based PM APIs values are much higher then PM_API_MAX. So to include ATF based PM APIs also, use hash-table to store the pm_api version status. Signed-off-by: Amit Sunil Dhamne Reported-by: Arnd Bergmann  Signed-off-by: Ravi Patel Signed-off-by: Rajan Vaja Reviewed-by: Arnd Bergmann Tested-by: Michal Simek Fixes: f3217d6f2f7a ("firmware: xilinx: fix out-of-bounds access") Cc: stable Link: https://lore.kernel.org/r/1606197161-25976-1-git-send-email-rajan.vaja@xilinx.com Signed-off-by: Michal Simek Signed-off-by: Greg Kroah-Hartman commit 5f01565c4942ab1cb19a4993fb076ceac4c8e172 Author: David Woodhouse Date: Thu Nov 26 11:13:51 2020 +0000 iommu/vt-d: Don't read VCCAP register unless it exists commit d76b42e92780c3587c1a998a3a943b501c137553 upstream. My virtual IOMMU implementation is whining that the guest is reading a register that doesn't exist. Only read the VCCAP_REG if the corresponding capability is set in ECAP_REG to indicate that it actually exists. Fixes: 3375303e8287 ("iommu/vt-d: Add custom allocator for IOASID") Signed-off-by: David Woodhouse Reviewed-by: Liu Yi L Cc: stable@vger.kernel.org # v5.7+ Acked-by: Lu Baolu Link: https://lore.kernel.org/r/de32b150ffaa752e0cff8571b17dfb1213fbe71c.camel@infradead.org Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 94e5742868ec0584f0e84a0029a59170f14d1af5 Author: Paolo Bonzini Date: Fri Nov 27 09:18:20 2020 +0100 KVM: x86: Fix split-irqchip vs interrupt injection window request commit 71cc849b7093bb83af966c0e60cb11b7f35cd746 upstream. kvm_cpu_accept_dm_intr and kvm_vcpu_ready_for_interrupt_injection are a hodge-podge of conditions, hacked together to get something that more or less works. But what is actually needed is much simpler; in both cases the fundamental question is, do we have a place to stash an interrupt if userspace does KVM_INTERRUPT? In userspace irqchip mode, that is !vcpu->arch.interrupt.injected. Currently kvm_event_needs_reinjection(vcpu) covers it, but it is unnecessarily restrictive. In split irqchip mode it's a bit more complicated, we need to check kvm_apic_accept_pic_intr(vcpu) (the IRQ window exit is basically an INTACK cycle and thus requires ExtINTs not to be masked) as well as !pending_userspace_extint(vcpu). However, there is no need to check kvm_event_needs_reinjection(vcpu), since split irqchip keeps pending ExtINT state separate from event injection state, and checking kvm_cpu_has_interrupt(vcpu) is wrong too since ExtINT has higher priority than APIC interrupts. In fact the latter fixes a bug: when userspace requests an IRQ window vmexit, an interrupt in the local APIC can cause kvm_cpu_has_interrupt() to be true and thus kvm_vcpu_ready_for_interrupt_injection() to return false. When this happens, vcpu_run does not exit to userspace but the interrupt window vmexits keep occurring. The VM loops without any hope of making progress. Once we try to fix these with something like return kvm_arch_interrupt_allowed(vcpu) && - !kvm_cpu_has_interrupt(vcpu) && - !kvm_event_needs_reinjection(vcpu) && - kvm_cpu_accept_dm_intr(vcpu); + (!lapic_in_kernel(vcpu) + ? !vcpu->arch.interrupt.injected + : (kvm_apic_accept_pic_intr(vcpu) + && !pending_userspace_extint(v))); we realize two things. First, thanks to the previous patch the complex conditional can reuse !kvm_cpu_has_extint(vcpu). Second, the interrupt window request in vcpu_enter_guest() bool req_int_win = dm_request_for_irq_injection(vcpu) && kvm_cpu_accept_dm_intr(vcpu); should be kept in sync with kvm_vcpu_ready_for_interrupt_injection(): it is unnecessary to ask the processor for an interrupt window if we would not be able to return to userspace. Therefore, kvm_cpu_accept_dm_intr(vcpu) is basically !kvm_cpu_has_extint(vcpu) ANDed with the existing check for masked ExtINT. It all makes sense: - we can accept an interrupt from userspace if there is a place to stash it (and, for irqchip split, ExtINTs are not masked). Interrupts from userspace _can_ be accepted even if right now EFLAGS.IF=0. - in order to tell userspace we will inject its interrupt ("IRQ window open" i.e. kvm_vcpu_ready_for_interrupt_injection), both KVM and the vCPU need to be ready to accept the interrupt. ... and this is what the patch implements. Reported-by: David Woodhouse Analyzed-by: David Woodhouse Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Reviewed-by: Nikos Tsironis Reviewed-by: David Woodhouse Tested-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 852bdfb9ab42b2733aa9894c1ebc52fc54863fc3 Author: Paolo Bonzini Date: Fri Nov 27 08:53:52 2020 +0100 KVM: x86: handle !lapic_in_kernel case in kvm_cpu_*_extint commit 72c3bcdcda494cbd600712a32e67702cdee60c07 upstream. Centralize handling of interrupts from the userspace APIC in kvm_cpu_has_extint and kvm_cpu_get_extint, since userspace APIC interrupts are handled more or less the same as ExtINTs are with split irqchip. This removes duplicated code from kvm_cpu_has_injectable_intr and kvm_cpu_has_interrupt, and makes the code more similar between kvm_cpu_has_{extint,interrupt} on one side and kvm_cpu_get_{extint,interrupt} on the other. Cc: stable@vger.kernel.org Reviewed-by: Filippo Sironi Reviewed-by: David Woodhouse Tested-by: David Woodhouse Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c8a286a793973b0a3dbfce5fd906b88756e98a47 Author: Zenghui Yu Date: Tue Nov 17 23:16:29 2020 +0800 KVM: arm64: vgic-v3: Drop the reporting of GICR_TYPER.Last for userspace commit 23bde34771f1ea92fb5e6682c0d8c04304d34b3b upstream. It was recently reported that if GICR_TYPER is accessed before the RD base address is set, we'll suffer from the unset @rdreg dereferencing. Oops... gpa_t last_rdist_typer = rdreg->base + GICR_TYPER + (rdreg->free_index - 1) * KVM_VGIC_V3_REDIST_SIZE; It's "expected" that users will access registers in the redistributor if the RD has been properly configured (e.g., the RD base address is set). But it hasn't yet been covered by the existing documentation. Per discussion on the list [1], the reporting of the GICR_TYPER.Last bit for userspace never actually worked. And it's difficult for us to emulate it correctly given that userspace has the flexibility to access it any time. Let's just drop the reporting of the Last bit for userspace for now (userspace should have full knowledge about it anyway) and it at least prevents kernel from panic ;-) [1] https://lore.kernel.org/kvmarm/c20865a267e44d1e2c0d52ce4e012263@kernel.org/ Fixes: ba7b3f1275fd ("KVM: arm/arm64: Revisit Redistributor TYPER last bit computation") Reported-by: Keqian Zhu Signed-off-by: Zenghui Yu Signed-off-by: Marc Zyngier Reviewed-by: Eric Auger Link: https://lore.kernel.org/r/20201117151629.1738-1-yuzenghui@huawei.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 5acf7d6f5866646db35c24696e33b99662abd8fb Author: Cédric Le Goater Date: Thu Nov 5 14:47:13 2020 +0100 KVM: PPC: Book3S HV: XIVE: Fix possible oops when accessing ESB page commit 75b49620267c700f0a07fec7f27f69852db70e46 upstream. When accessing the ESB page of a source interrupt, the fault handler will retrieve the page address from the XIVE interrupt 'xive_irq_data' structure. If the associated KVM XIVE interrupt is not valid, that is not allocated at the HW level for some reason, the fault handler will dereference a NULL pointer leading to the oops below : WARNING: CPU: 40 PID: 59101 at arch/powerpc/kvm/book3s_xive_native.c:259 xive_native_esb_fault+0xe4/0x240 [kvm] CPU: 40 PID: 59101 Comm: qemu-system-ppc Kdump: loaded Tainted: G W --------- - - 4.18.0-240.el8.ppc64le #1 NIP: c00800000e949fac LR: c00000000044b164 CTR: c00800000e949ec8 REGS: c000001f69617840 TRAP: 0700 Tainted: G W --------- - - (4.18.0-240.el8.ppc64le) MSR: 9000000000029033 CR: 44044282 XER: 00000000 CFAR: c00000000044b160 IRQMASK: 0 GPR00: c00000000044b164 c000001f69617ac0 c00800000e96e000 c000001f69617c10 GPR04: 05faa2b21e000080 0000000000000000 0000000000000005 ffffffffffffffff GPR08: 0000000000000000 0000000000000001 0000000000000000 0000000000000001 GPR12: c00800000e949ec8 c000001ffffd3400 0000000000000000 0000000000000000 GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 GPR20: 0000000000000000 0000000000000000 c000001f5c065160 c000000001c76f90 GPR24: c000001f06f20000 c000001f5c065100 0000000000000008 c000001f0eb98c78 GPR28: c000001dcab40000 c000001dcab403d8 c000001f69617c10 0000000000000011 NIP [c00800000e949fac] xive_native_esb_fault+0xe4/0x240 [kvm] LR [c00000000044b164] __do_fault+0x64/0x220 Call Trace: [c000001f69617ac0] [0000000137a5dc20] 0x137a5dc20 (unreliable) [c000001f69617b50] [c00000000044b164] __do_fault+0x64/0x220 [c000001f69617b90] [c000000000453838] do_fault+0x218/0x930 [c000001f69617bf0] [c000000000456f50] __handle_mm_fault+0x350/0xdf0 [c000001f69617cd0] [c000000000457b1c] handle_mm_fault+0x12c/0x310 [c000001f69617d10] [c00000000007ef44] __do_page_fault+0x264/0xbb0 [c000001f69617df0] [c00000000007f8c8] do_page_fault+0x38/0xd0 [c000001f69617e30] [c00000000000a714] handle_page_fault+0x18/0x38 Instruction dump: 40c2fff0 7c2004ac 2fa90000 409e0118 73e90001 41820080 e8bd0008 7c2004ac 7ca90074 39400000 915c0000 7929d182 <0b090000> 2fa50000 419e0080 e89e0018 ---[ end trace 66c6ff034c53f64f ]--- xive-kvm: xive_native_esb_fault: accessing invalid ESB page for source 8 ! Fix that by checking the validity of the KVM XIVE interrupt structure. Fixes: 6520ca64cde7 ("KVM: PPC: Book3S HV: XIVE: Add a mapping for the source ESB pages") Cc: stable@vger.kernel.org # v5.2+ Reported-by: Greg Kurz Signed-off-by: Cédric Le Goater Tested-by: Greg Kurz Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201105134713.656160-1-clg@kaod.org Signed-off-by: Greg Kroah-Hartman commit 48974162077955ce8d6c55d8ea90100c49a8083c Author: Nicholas Piggin Date: Tue Nov 17 23:56:17 2020 +1000 powerpc/64s/exception: KVM Fix for host DSI being taken in HPT guest MMU context commit cd81acc600a9684ea4b4d25a47900d38a3890eab upstream. Commit 2284ffea8f0c ("powerpc/64s/exception: Only test KVM in SRR interrupts when PR KVM is supported") removed KVM guest tests from interrupts that do not set HV=1, when PR-KVM is not configured. This is wrong for HV-KVM HPT guest MMIO emulation case which attempts to load the faulting instruction word with MSR[DR]=1 and MSR[HV]=1 with the guest MMU context loaded. This can cause host DSI, DSLB interrupts which must test for KVM guest. Restore this and add a comment. Fixes: 2284ffea8f0c ("powerpc/64s/exception: Only test KVM in SRR interrupts when PR KVM is supported") Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201117135617.3521127-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7ef4afa137ba64bc6d1cac044753aa382fb0ebbb Author: Nicholas Piggin Date: Sat Nov 14 21:47:43 2020 +1000 powerpc/64s: Fix KVM system reset handling when CONFIG_PPC_PSERIES=y commit 575cba20c421ecb6b563ae352e4e0468e4ca8b3c upstream. pseries guest kernels have a FWNMI handler for SRESET and MCE NMIs, which is basically the same as the regular handlers for those interrupts. The system reset FWNMI handler did not have a KVM guest test in it, although it probably should have because the guest can itself run guests. Commit 4f50541f6703b ("powerpc/64s/exception: Move all interrupt handlers to new style code gen macros") convert the handler faithfully to avoid a KVM test with a "clever" trick to modify the IKVM_REAL setting to 0 when the fwnmi handler is to be generated (PPC_PSERIES=y). This worked when the KVM test was generated in the interrupt entry handlers, but a later patch moved the KVM test to the common handler, and the common handler macro is expanded below the fwnmi entry. This prevents the KVM test from being generated even for the 0x100 entry point as well. The result is NMI IPIs in the host kernel when a guest is running will use gest registers. This goes particularly badly when an HPT guest is running and the MMU is set to guest mode. Remove this trickery and just generate the test always. Fixes: 9600f261acaa ("powerpc/64s/exception: Move KVM test to common code") Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201114114743.3306283-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit 08ed7f88d660be5307d03330b89cd63aebbb5516 Author: Namjae Jeon Date: Mon Nov 9 17:35:33 2020 +0900 cifs: fix a memleak with modefromsid commit 98128572084c3dd8067f48bb588aa3733d1355b5 upstream. kmemleak reported a memory leak allocated in query_info() when cifs is working with modefromsid. backtrace: [<00000000aeef6a1e>] slab_post_alloc_hook+0x58/0x510 [<00000000b2f7a440>] __kmalloc+0x1a0/0x390 [<000000006d470ebc>] query_info+0x5b5/0x700 [cifs] [<00000000bad76ce0>] SMB2_query_acl+0x2b/0x30 [cifs] [<000000001fa09606>] get_smb2_acl_by_path+0x2f3/0x720 [cifs] [<000000001b6ebab7>] get_smb2_acl+0x75/0x90 [cifs] [<00000000abf43904>] cifs_acl_to_fattr+0x13b/0x1d0 [cifs] [<00000000a5372ec3>] cifs_get_inode_info+0x4cd/0x9a0 [cifs] [<00000000388e0a04>] cifs_revalidate_dentry_attr+0x1cd/0x510 [cifs] [<0000000046b6b352>] cifs_getattr+0x8a/0x260 [cifs] [<000000007692c95e>] vfs_getattr_nosec+0xa1/0xc0 [<00000000cbc7d742>] vfs_getattr+0x36/0x40 [<00000000de8acf67>] vfs_statx_fd+0x4a/0x80 [<00000000a58c6adb>] __do_sys_newfstat+0x31/0x70 [<00000000300b3b4e>] __x64_sys_newfstat+0x16/0x20 [<000000006d8e9c48>] do_syscall_64+0x37/0x80 This patch add missing kfree for pntsd when mounting modefromsid option. Cc: Stable # v5.4+ Signed-off-by: Namjae Jeon Reviewed-by: Aurelien Aptel Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0760e665d4d9d8fb8bbe7d72dc610ee5fed4a0a8 Author: Rohith Surabattula Date: Thu Oct 29 06:07:56 2020 +0000 smb3: Handle error case during offload read path commit 1254100030b3377e8302f9c75090ab191d73ee7c upstream. Mid callback needs to be called only when valid data is read into pages. These patches address a problem found during decryption offload: CIFS: VFS: trying to dequeue a deleted mid that could cause a refcount use after free: Workqueue: smb3decryptd smb2_decrypt_offload [cifs] Signed-off-by: Rohith Surabattula Reviewed-by: Pavel Shilovsky CC: Stable #5.4+ Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit fc0caf43667795e39a669acf516fc517ec90349c Author: Rohith Surabattula Date: Thu Oct 29 05:03:10 2020 +0000 smb3: Avoid Mid pending list corruption commit ac873aa3dc21707c47db5db6608b38981c731afe upstream. When reconnect happens Mid queue can be corrupted when both demultiplex and offload thread try to dequeue the MID from the pending list. These patches address a problem found during decryption offload: CIFS: VFS: trying to dequeue a deleted mid that could cause a refcount use after free: Workqueue: smb3decryptd smb2_decrypt_offload [cifs] Signed-off-by: Rohith Surabattula Reviewed-by: Pavel Shilovsky CC: Stable #5.4+ Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 403149b28e8058cdf4cd4aeda099d13e1a8664a3 Author: Rohith Surabattula Date: Wed Oct 28 13:42:21 2020 +0000 smb3: Call cifs reconnect from demultiplex thread commit de9ac0a6e9efdffc8cde18781f48fb56ca4157b7 upstream. cifs_reconnect needs to be called only from demultiplex thread. skip cifs_reconnect in offload thread. So, cifs_reconnect will be called by demultiplex thread in subsequent request. These patches address a problem found during decryption offload: CIFS: VFS: trying to dequeue a deleted mid that can cause a refcount use after free: [ 1271.389453] Workqueue: smb3decryptd smb2_decrypt_offload [cifs] [ 1271.389456] RIP: 0010:refcount_warn_saturate+0xae/0xf0 [ 1271.389457] Code: fa 1d 6a 01 01 e8 c7 44 b1 ff 0f 0b 5d c3 80 3d e7 1d 6a 01 00 75 91 48 c7 c7 d8 be 1d a2 c6 05 d7 1d 6a 01 01 e8 a7 44 b1 ff <0f> 0b 5d c3 80 3d c5 1d 6a 01 00 0f 85 6d ff ff ff 48 c7 c7 30 bf [ 1271.389458] RSP: 0018:ffffa4cdc1f87e30 EFLAGS: 00010286 [ 1271.389458] RAX: 0000000000000000 RBX: ffff9974d2809f00 RCX: ffff9974df898cc8 [ 1271.389459] RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff9974df898cc0 [ 1271.389460] RBP: ffffa4cdc1f87e30 R08: 0000000000000004 R09: 00000000000002c0 [ 1271.389460] R10: 0000000000000000 R11: 0000000000000001 R12: ffff9974b7fdb5c0 [ 1271.389461] R13: ffff9974d2809f00 R14: ffff9974ccea0a80 R15: ffff99748e60db80 [ 1271.389462] FS: 0000000000000000(0000) GS:ffff9974df880000(0000) knlGS:0000000000000000 [ 1271.389462] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1271.389463] CR2: 000055c60f344fe4 CR3: 0000001031a3c002 CR4: 00000000003706e0 [ 1271.389465] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1271.389465] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1271.389466] Call Trace: [ 1271.389483] cifs_mid_q_entry_release+0xce/0x110 [cifs] [ 1271.389499] smb2_decrypt_offload+0xa9/0x1c0 [cifs] [ 1271.389501] process_one_work+0x1e8/0x3b0 [ 1271.389503] worker_thread+0x50/0x370 [ 1271.389504] kthread+0x12f/0x150 [ 1271.389506] ? process_one_work+0x3b0/0x3b0 [ 1271.389507] ? __kthread_bind_mask+0x70/0x70 [ 1271.389509] ret_from_fork+0x22/0x30 Signed-off-by: Rohith Surabattula Reviewed-by: Pavel Shilovsky CC: Stable #5.4+ Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 37555318436b307311ff90b6aec691e21336d4f3 Author: Hugh Dickins Date: Tue Nov 24 08:46:43 2020 -0800 mm: fix VM_BUG_ON(PageTail) and BUG_ON(PageWriteback) commit 073861ed77b6b957c3c8d54a11dc503f7d986ceb upstream. Twice now, when exercising ext4 looped on shmem huge pages, I have crashed on the PF_ONLY_HEAD check inside PageWaiters(): ext4_finish_bio() calling end_page_writeback() calling wake_up_page() on tail of a shmem huge page, no longer an ext4 page at all. The problem is that PageWriteback is not accompanied by a page reference (as the NOTE at the end of test_clear_page_writeback() acknowledges): as soon as TestClearPageWriteback has been done, that page could be removed from page cache, freed, and reused for something else by the time that wake_up_page() is reached. https://lore.kernel.org/linux-mm/20200827122019.GC14765@casper.infradead.org/ Matthew Wilcox suggested avoiding or weakening the PageWaiters() tail check; but I'm paranoid about even looking at an unreferenced struct page, lest its memory might itself have already been reused or hotremoved (and wake_up_page_bit() may modify that memory with its ClearPageWaiters()). Then on crashing a second time, realized there's a stronger reason against that approach. If my testing just occasionally crashes on that check, when the page is reused for part of a compound page, wouldn't it be much more common for the page to get reused as an order-0 page before reaching wake_up_page()? And on rare occasions, might that reused page already be marked PageWriteback by its new user, and already be waited upon? What would that look like? It would look like BUG_ON(PageWriteback) after wait_on_page_writeback() in write_cache_pages() (though I have never seen that crash myself). Matthew Wilcox explaining this to himself: "page is allocated, added to page cache, dirtied, writeback starts, --- thread A --- filesystem calls end_page_writeback() test_clear_page_writeback() --- context switch to thread B --- truncate_inode_pages_range() finds the page, it doesn't have writeback set, we delete it from the page cache. Page gets reallocated, dirtied, writeback starts again. Then we call write_cache_pages(), see PageWriteback() set, call wait_on_page_writeback() --- context switch back to thread A --- wake_up_page(page, PG_writeback); ... thread B is woken, but because the wakeup was for the old use of the page, PageWriteback is still set. Devious" And prior to 2a9127fcf229 ("mm: rewrite wait_on_page_bit_common() logic") this would have been much less likely: before that, wake_page_function()'s non-exclusive case would stop walking and not wake if it found Writeback already set again; whereas now the non-exclusive case proceeds to wake. I have not thought of a fix that does not add a little overhead: the simplest fix is for end_page_writeback() to get_page() before calling test_clear_page_writeback(), then put_page() after wake_up_page(). Was there a chance of missed wakeups before, since a page freed before reaching wake_up_page() would have PageWaiters cleared? I think not, because each waiter does hold a reference on the page. This bug comes when the old use of the page, the one we do TestClearPageWriteback on, had *no* waiters, so no additional page reference beyond the page cache (and whoever racily freed it). The reuse of the page has a waiter holding a reference, and its own PageWriteback set; but the belated wake_up_page() has woken the reuse to hit that BUG_ON(PageWriteback). Reported-by: syzbot+3622cea378100f45d59f@syzkaller.appspotmail.com Reported-by: Qian Cai Fixes: 2a9127fcf229 ("mm: rewrite wait_on_page_bit_common() logic") Signed-off-by: Hugh Dickins Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ec5c0fc8b0ad27d5b8f1b44b301b2ec9589748a8 Author: Sven Schnelle Date: Fri Nov 20 14:17:52 2020 +0100 s390: fix fpu restore in entry.S commit 1179f170b6f0af7bb0b3b7628136eaac450ddf31 upstream. We need to disable interrupts in load_fpu_regs(). Otherwise an interrupt might come in after the registers are loaded, but before CIF_FPU is cleared in load_fpu_regs(). When the interrupt returns, CIF_FPU will be cleared and the registers will never be restored. The entry.S code usually saves the interrupt state in __SF_EMPTY on the stack when disabling/restoring interrupts. sie64a however saves the pointer to the sie control block in __SF_SIE_CONTROL, which references the same location. This is non-obvious to the reader. To avoid thrashing the sie control block pointer in load_fpu_regs(), move the __SIE_* offsets eight bytes after __SF_EMPTY on the stack. Cc: # 5.8 Fixes: 0b0ed657fe00 ("s390: remove critical section cleanup from entry.S") Reported-by: Pierre Morel Signed-off-by: Sven Schnelle Acked-by: Christian Borntraeger Reviewed-by: Heiko Carstens Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 20939c1906ff9edadfd0ff40c72525659cce87b5 Author: Biwen Li Date: Tue Sep 15 15:32:09 2020 +0800 rtc: pcf2127: fix a bug when not specify interrupts property commit 35425bafc772ee189e3c3790d7c672b80ba65909 upstream. Fix a bug when not specify interrupts property in dts as follows, rtc-pcf2127-i2c 1-0051: failed to request alarm irq rtc-pcf2127-i2c: probe of 1-0051 failed with error -22 Signed-off-by: Biwen Li Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20200915073213.12779-1-biwen.li@oss.nxp.com Cc: Rasmus Villemoes Signed-off-by: Greg Kroah-Hartman commit 9608feee5733703c1cb201d7a689f90934232f1e Author: Filipe Manana Date: Mon Nov 23 14:28:44 2020 +0000 btrfs: fix lockdep splat when reading qgroup config on mount commit 3d05cad3c357a2b749912914356072b38435edfa upstream. Lockdep reported the following splat when running test btrfs/190 from fstests: [ 9482.126098] ====================================================== [ 9482.126184] WARNING: possible circular locking dependency detected [ 9482.126281] 5.10.0-rc4-btrfs-next-73 #1 Not tainted [ 9482.126365] ------------------------------------------------------ [ 9482.126456] mount/24187 is trying to acquire lock: [ 9482.126534] ffffa0c869a7dac0 (&fs_info->qgroup_rescan_lock){+.+.}-{3:3}, at: qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.126647] but task is already holding lock: [ 9482.126777] ffffa0c892ebd3a0 (btrfs-quota-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x27/0x120 [btrfs] [ 9482.126886] which lock already depends on the new lock. [ 9482.127078] the existing dependency chain (in reverse order) is: [ 9482.127213] -> #1 (btrfs-quota-00){++++}-{3:3}: [ 9482.127366] lock_acquire+0xd8/0x490 [ 9482.127436] down_read_nested+0x45/0x220 [ 9482.127528] __btrfs_tree_read_lock+0x27/0x120 [btrfs] [ 9482.127613] btrfs_read_lock_root_node+0x41/0x130 [btrfs] [ 9482.127702] btrfs_search_slot+0x514/0xc30 [btrfs] [ 9482.127788] update_qgroup_status_item+0x72/0x140 [btrfs] [ 9482.127877] btrfs_qgroup_rescan_worker+0xde/0x680 [btrfs] [ 9482.127964] btrfs_work_helper+0xf1/0x600 [btrfs] [ 9482.128039] process_one_work+0x24e/0x5e0 [ 9482.128110] worker_thread+0x50/0x3b0 [ 9482.128181] kthread+0x153/0x170 [ 9482.128256] ret_from_fork+0x22/0x30 [ 9482.128327] -> #0 (&fs_info->qgroup_rescan_lock){+.+.}-{3:3}: [ 9482.128464] check_prev_add+0x91/0xc60 [ 9482.128551] __lock_acquire+0x1740/0x3110 [ 9482.128623] lock_acquire+0xd8/0x490 [ 9482.130029] __mutex_lock+0xa3/0xb30 [ 9482.130590] qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.131577] btrfs_read_qgroup_config+0x43a/0x550 [btrfs] [ 9482.132175] open_ctree+0x1228/0x18a0 [btrfs] [ 9482.132756] btrfs_mount_root.cold+0x13/0xed [btrfs] [ 9482.133325] legacy_get_tree+0x30/0x60 [ 9482.133866] vfs_get_tree+0x28/0xe0 [ 9482.134392] fc_mount+0xe/0x40 [ 9482.134908] vfs_kern_mount.part.0+0x71/0x90 [ 9482.135428] btrfs_mount+0x13b/0x3e0 [btrfs] [ 9482.135942] legacy_get_tree+0x30/0x60 [ 9482.136444] vfs_get_tree+0x28/0xe0 [ 9482.136949] path_mount+0x2d7/0xa70 [ 9482.137438] do_mount+0x75/0x90 [ 9482.137923] __x64_sys_mount+0x8e/0xd0 [ 9482.138400] do_syscall_64+0x33/0x80 [ 9482.138873] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 9482.139346] other info that might help us debug this: [ 9482.140735] Possible unsafe locking scenario: [ 9482.141594] CPU0 CPU1 [ 9482.142011] ---- ---- [ 9482.142411] lock(btrfs-quota-00); [ 9482.142806] lock(&fs_info->qgroup_rescan_lock); [ 9482.143216] lock(btrfs-quota-00); [ 9482.143629] lock(&fs_info->qgroup_rescan_lock); [ 9482.144056] *** DEADLOCK *** [ 9482.145242] 2 locks held by mount/24187: [ 9482.145637] #0: ffffa0c8411c40e8 (&type->s_umount_key#44/1){+.+.}-{3:3}, at: alloc_super+0xb9/0x400 [ 9482.146061] #1: ffffa0c892ebd3a0 (btrfs-quota-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x27/0x120 [btrfs] [ 9482.146509] stack backtrace: [ 9482.147350] CPU: 1 PID: 24187 Comm: mount Not tainted 5.10.0-rc4-btrfs-next-73 #1 [ 9482.147788] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 9482.148709] Call Trace: [ 9482.149169] dump_stack+0x8d/0xb5 [ 9482.149628] check_noncircular+0xff/0x110 [ 9482.150090] check_prev_add+0x91/0xc60 [ 9482.150561] ? kvm_clock_read+0x14/0x30 [ 9482.151017] ? kvm_sched_clock_read+0x5/0x10 [ 9482.151470] __lock_acquire+0x1740/0x3110 [ 9482.151941] ? __btrfs_tree_read_lock+0x27/0x120 [btrfs] [ 9482.152402] lock_acquire+0xd8/0x490 [ 9482.152887] ? qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.153354] __mutex_lock+0xa3/0xb30 [ 9482.153826] ? qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.154301] ? qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.154768] ? qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.155226] qgroup_rescan_init+0x43/0xf0 [btrfs] [ 9482.155690] btrfs_read_qgroup_config+0x43a/0x550 [btrfs] [ 9482.156160] open_ctree+0x1228/0x18a0 [btrfs] [ 9482.156643] btrfs_mount_root.cold+0x13/0xed [btrfs] [ 9482.157108] ? rcu_read_lock_sched_held+0x5d/0x90 [ 9482.157567] ? kfree+0x31f/0x3e0 [ 9482.158030] legacy_get_tree+0x30/0x60 [ 9482.158489] vfs_get_tree+0x28/0xe0 [ 9482.158947] fc_mount+0xe/0x40 [ 9482.159403] vfs_kern_mount.part.0+0x71/0x90 [ 9482.159875] btrfs_mount+0x13b/0x3e0 [btrfs] [ 9482.160335] ? rcu_read_lock_sched_held+0x5d/0x90 [ 9482.160805] ? kfree+0x31f/0x3e0 [ 9482.161260] ? legacy_get_tree+0x30/0x60 [ 9482.161714] legacy_get_tree+0x30/0x60 [ 9482.162166] vfs_get_tree+0x28/0xe0 [ 9482.162616] path_mount+0x2d7/0xa70 [ 9482.163070] do_mount+0x75/0x90 [ 9482.163525] __x64_sys_mount+0x8e/0xd0 [ 9482.163986] do_syscall_64+0x33/0x80 [ 9482.164437] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 9482.164902] RIP: 0033:0x7f51e907caaa This happens because at btrfs_read_qgroup_config() we can call qgroup_rescan_init() while holding a read lock on a quota btree leaf, acquired by the previous call to btrfs_search_slot_for_read(), and qgroup_rescan_init() acquires the mutex qgroup_rescan_lock. A qgroup rescan worker does the opposite: it acquires the mutex qgroup_rescan_lock, at btrfs_qgroup_rescan_worker(), and then tries to update the qgroup status item in the quota btree through the call to update_qgroup_status_item(). This inversion of locking order between the qgroup_rescan_lock mutex and quota btree locks causes the splat. Fix this simply by releasing and freeing the path before calling qgroup_rescan_init() at btrfs_read_qgroup_config(). CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 4f23f751dd61095d5a30b2db6c435ad165bdd750 Author: Johannes Thumshirn Date: Wed Nov 18 18:03:26 2020 +0900 btrfs: don't access possibly stale fs_info data for printing duplicate device commit 0697d9a610998b8bdee6b2390836cb2391d8fd1a upstream. Syzbot reported a possible use-after-free when printing a duplicate device warning device_list_add(). At this point it can happen that a btrfs_device::fs_info is not correctly setup yet, so we're accessing stale data, when printing the warning message using the btrfs_printk() wrappers. ================================================================== BUG: KASAN: use-after-free in btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245 Read of size 8 at addr ffff8880878e06a8 by task syz-executor225/7068 CPU: 1 PID: 7068 Comm: syz-executor225 Not tainted 5.9.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1d6/0x29e lib/dump_stack.c:118 print_address_description+0x66/0x620 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report+0x132/0x1d0 mm/kasan/report.c:530 btrfs_printk+0x3eb/0x435 fs/btrfs/super.c:245 device_list_add+0x1a88/0x1d60 fs/btrfs/volumes.c:943 btrfs_scan_one_device+0x196/0x490 fs/btrfs/volumes.c:1359 btrfs_mount_root+0x48f/0xb60 fs/btrfs/super.c:1634 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 fc_mount fs/namespace.c:978 [inline] vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008 btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x179d/0x29e0 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount+0x126/0x180 fs/namespace.c:3390 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x44840a RSP: 002b:00007ffedfffd608 EFLAGS: 00000293 ORIG_RAX: 00000000000000a5 RAX: ffffffffffffffda RBX: 00007ffedfffd670 RCX: 000000000044840a RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffedfffd630 RBP: 00007ffedfffd630 R08: 00007ffedfffd670 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000293 R12: 000000000000001a R13: 0000000000000004 R14: 0000000000000003 R15: 0000000000000003 Allocated by task 6945: kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461 kmalloc_node include/linux/slab.h:577 [inline] kvmalloc_node+0x81/0x110 mm/util.c:574 kvmalloc include/linux/mm.h:757 [inline] kvzalloc include/linux/mm.h:765 [inline] btrfs_mount_root+0xd0/0xb60 fs/btrfs/super.c:1613 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 fc_mount fs/namespace.c:978 [inline] vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008 btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x179d/0x29e0 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount+0x126/0x180 fs/namespace.c:3390 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 6945: kasan_save_stack mm/kasan/common.c:48 [inline] kasan_set_track+0x3d/0x70 mm/kasan/common.c:56 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355 __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422 __cache_free mm/slab.c:3418 [inline] kfree+0x113/0x200 mm/slab.c:3756 deactivate_locked_super+0xa7/0xf0 fs/super.c:335 btrfs_mount_root+0x72b/0xb60 fs/btrfs/super.c:1678 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 fc_mount fs/namespace.c:978 [inline] vfs_kern_mount+0xc9/0x160 fs/namespace.c:1008 btrfs_mount+0x33c/0xae0 fs/btrfs/super.c:1732 legacy_get_tree+0xea/0x180 fs/fs_context.c:592 vfs_get_tree+0x88/0x270 fs/super.c:1547 do_new_mount fs/namespace.c:2875 [inline] path_mount+0x179d/0x29e0 fs/namespace.c:3192 do_mount fs/namespace.c:3205 [inline] __do_sys_mount fs/namespace.c:3413 [inline] __se_sys_mount+0x126/0x180 fs/namespace.c:3390 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8880878e0000 which belongs to the cache kmalloc-16k of size 16384 The buggy address is located 1704 bytes inside of 16384-byte region [ffff8880878e0000, ffff8880878e4000) The buggy address belongs to the page: page:0000000060704f30 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x878e0 head:0000000060704f30 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfffe0000010200(slab|head) raw: 00fffe0000010200 ffffea00028e9a08 ffffea00021e3608 ffff8880aa440b00 raw: 0000000000000000 ffff8880878e0000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880878e0580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880878e0600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880878e0680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880878e0700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880878e0780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== The syzkaller reproducer for this use-after-free crafts a filesystem image and loop mounts it twice in a loop. The mount will fail as the crafted image has an invalid chunk tree. When this happens btrfs_mount_root() will call deactivate_locked_super(), which then cleans up fs_info and fs_info::sb. If a second thread now adds the same block-device to the filesystem, it will get detected as a duplicate device and device_list_add() will reject the duplicate and print a warning. But as the fs_info pointer passed in is non-NULL this will result in a use-after-free. Instead of printing possibly uninitialized or already freed memory in btrfs_printk(), explicitly pass in a NULL fs_info so the printing of the device name will be skipped altogether. There was a slightly different approach discussed in https://lore.kernel.org/linux-btrfs/20200114060920.4527-1-anand.jain@oracle.com/t/#u Link: https://lore.kernel.org/linux-btrfs/000000000000c9e14b05afcc41ba@google.com Reported-by: syzbot+582e66e5edf36a22c7b0@syzkaller.appspotmail.com CC: stable@vger.kernel.org # 4.19+ Reviewed-by: Nikolay Borisov Reviewed-by: Anand Jain Signed-off-by: Johannes Thumshirn Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 923ca7ffc3e8f0c850b572476cefc0694e9f6351 Author: David Sterba Date: Mon Nov 16 19:53:52 2020 +0100 btrfs: tree-checker: add missing returns after data_ref alignment checks commit 6d06b0ad94d3dd7e3503d8ad39c39c4634884611 upstream. There are sectorsize alignment checks that are reported but then check_extent_data_ref continues. This was not intended, wrong alignment is not a minor problem and we should return with error. CC: stable@vger.kernel.org # 5.4+ Fixes: 0785a9aacf9d ("btrfs: tree-checker: Add EXTENT_DATA_REF check") Reviewed-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit ce4ae4174bec5bdbf18badaa42dde28ef68e4b5a Author: Daniel Xu Date: Thu Nov 12 17:55:06 2020 -0800 btrfs: tree-checker: add missing return after error in root_item commit 1a49a97df657c63a4e8ffcd1ea9b6ed95581789b upstream. There's a missing return statement after an error is found in the root_item, this can cause further problems when a crafted image triggers the error. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=210181 Fixes: 259ee7754b67 ("btrfs: tree-checker: Add ROOT_ITEM check") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Qu Wenruo Signed-off-by: Daniel Xu Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 2d2cb77c72a680889e6cae7b090b4ac8b4e44032 Author: Filipe Manana Date: Wed Nov 4 11:07:31 2020 +0000 btrfs: fix missing delalloc new bit for new delalloc ranges commit c334730988ee07908ba4eb816ce78d3fe06fecaa upstream. When doing a buffered write, through one of the write family syscalls, we look for ranges which currently don't have allocated extents and set the 'delalloc new' bit on them, so that we can report a correct number of used blocks to the stat(2) syscall until delalloc is flushed and ordered extents complete. However there are a few other places where we can do a buffered write against a range that is mapped to a hole (no extent allocated) and where we do not set the 'new delalloc' bit. Those places are: - Doing a memory mapped write against a hole; - Cloning an inline extent into a hole starting at file offset 0; - Calling btrfs_cont_expand() when the i_size of the file is not aligned to the sector size and is located in a hole. For example when cloning to a destination offset beyond EOF. So after such cases, until the corresponding delalloc range is flushed and the respective ordered extents complete, we can report an incorrect number of blocks used through the stat(2) syscall. In some cases we can end up reporting 0 used blocks to stat(2), which is a particular bad value to report as it may mislead tools to think a file is completely sparse when its i_size is not zero, making them skip reading any data, an undesired consequence for tools such as archivers and other backup tools, as reported a long time ago in the following thread (and other past threads): https://lists.gnu.org/archive/html/bug-tar/2016-07/msg00001.html Example reproducer: $ cat reproducer.sh #!/bin/bash MNT=/mnt/sdi DEV=/dev/sdi mkfs.btrfs -f $DEV > /dev/null # mkfs.xfs -f $DEV > /dev/null # mkfs.ext4 -F $DEV > /dev/null # mkfs.f2fs -f $DEV > /dev/null mount $DEV $MNT xfs_io -f -c "truncate 64K" \ -c "mmap -w 0 64K" \ -c "mwrite -S 0xab 0 64K" \ -c "munmap" \ $MNT/foo blocks_used=$(stat -c %b $MNT/foo) echo "blocks used: $blocks_used" if [ $blocks_used -eq 0 ]; then echo "ERROR: blocks used is 0" fi umount $DEV $ ./reproducer.sh blocks used: 0 ERROR: blocks used is 0 So move the logic that decides to set the 'delalloc bit' bit into the function btrfs_set_extent_delalloc(), since that is what we use for all those missing cases as well as for the cases that currently work well. This change is also preparatory work for an upcoming patch that fixes other problems related to tracking and reporting the number of bytes used by an inode. CC: stable@vger.kernel.org # 4.19+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit d1f17032763e233c13a013780bead98a7243ba22 Author: Shiraz Saleem Date: Tue Nov 24 18:56:16 2020 -0600 RDMA/i40iw: Address an mmap handler exploit in i40iw commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream. i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range without any validation. This is vulnerable to an mmap exploit as described in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com The push feature is disabled in the driver currently and therefore no push mmaps are issued from user-space. The feature does not work as expected in the x722 product. Remove the push module parameter and all VMA attribute manipulations for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound to a single page. Cc: Fixes: d37498417947 ("i40iw: add files for iwarp interface") Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com Reported-by: Di Zhu Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 5732f83596f8a573f2cde814cc76a54e1a8995c7 Author: Dennis Dalessandro Date: Wed Nov 25 16:01:12 2020 -0500 IB/hfi1: Ensure correct mm is used at all times commit 3d2a9d642512c21a12d19b9250e7a835dcb41a79 upstream. Two earlier bug fixes have created a security problem in the hfi1 driver. One fix aimed to solve an issue where current->mm was not valid when closing the hfi1 cdev. It attempted to do this by saving a cached value of the current->mm pointer at file open time. This is a problem if another process with access to the FD calls in via write() or ioctl() to pin pages via the hfi driver. The other fix tried to solve a use after free by taking a reference on the mm. To fix this correctly we use the existing cached value of the mm in the mmu notifier. Now we can check in the insert, evict, etc. routines that current->mm matched what the notifier was registered for. If not, then don't allow access. The register of the mmu notifier will save the mm pointer. Since in do_exit() the exit_mm() is called before exit_files(), which would call our close routine a reference is needed on the mm. We rely on the mmgrab done by the registration of the notifier, whereas before it was explicit. The mmu notifier deregistration happens when the user context is torn down, the creation of which triggered the registration. Also of note is we do not do any explicit work to protect the interval tree notifier. It doesn't seem that this is going to be needed since we aren't actually doing anything with current->mm. The interval tree notifier stuff still has a FIXME noted from a previous commit that will be addressed in a follow on patch. Cc: Fixes: e0cf75deab81 ("IB/hfi1: Fix mm_struct use after free") Fixes: 3faa3d9a308e ("IB/hfi1: Make use of mm consistent") Link: https://lore.kernel.org/r/20201125210112.104301.51331.stgit@awfm-01.aw.intel.com Suggested-by: Jann Horn Reported-by: Jason Gunthorpe Reviewed-by: Ira Weiny Reviewed-by: Mike Marciniszyn Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit f36abf80e9a78f37480bdc4880307f2b76f64ebc Author: Florian Klink Date: Sun Nov 15 23:45:09 2020 +0100 ipv4: use IS_ENABLED instead of ifdef commit c09c8a27b9baa417864b9adc3228b10ae5eeec93 upstream. Checking for ifdef CONFIG_x fails if CONFIG_x=m. Use IS_ENABLED instead, which is true for both built-ins and modules. Otherwise, a > ip -4 route add 1.2.3.4/32 via inet6 fe80::2 dev eth1 fails with the message "Error: IPv6 support not enabled in kernel." if CONFIG_IPV6 is `m`. In the spirit of b8127113d01e53adba15b41aefd37b90ed83d631. Fixes: d15662682db2 ("ipv4: Allow ipv6 gateway with ipv4 routes") Cc: Kim Phillips Signed-off-by: Florian Klink Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20201115224509.2020651-1-flokli@flokli.de Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1213b04905c4784e8d77025b8d01ac60633ec526 Author: Lukas Wunner Date: Wed Nov 11 20:07:20 2020 +0100 spi: bcm2835: Fix use-after-free on unbind commit e1483ac030fb4c57734289742f1c1d38dca61e22 upstream bcm2835_spi_remove() accesses the driver's private data after calling spi_unregister_controller() even though that function releases the last reference on the spi_controller and thereby frees the private data. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound. Fixes: f8043872e796 ("spi: add driver for BCM2835") Reported-by: Sascha Hauer Reported-by: Florian Fainelli Signed-off-by: Lukas Wunner Cc: # v3.10+: 123456789abc: spi: Introduce device-managed SPI controller allocation Cc: # v3.10+ Cc: Vladimir Oltean Tested-by: Florian Fainelli Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/ad66e0a0ad96feb848814842ecf5b6a4539ef35c.1605121038.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 06b146674ca612abfaac2ea3a0ae5ee5b1adb755 Author: Lukas Wunner Date: Wed Nov 11 20:07:40 2020 +0100 spi: bcm-qspi: Fix use-after-free on unbind commit 63c5395bb7a9777a33f0e7b5906f2c0170a23692 upstream bcm_qspi_remove() calls spi_unregister_master() even though bcm_qspi_probe() calls devm_spi_register_master(). The spi_master is therefore unregistered and freed twice on unbind. Moreover, since commit 0392727c261b ("spi: bcm-qspi: Handle clock probe deferral"), bcm_qspi_probe() leaks the spi_master allocation if the call to devm_clk_get_optional() fails. Fix by switching over to the new devm_spi_alloc_master() helper which keeps the private data accessible until the driver has unbound and also avoids the spi_master leak on probe. While at it, fix an ordering issue in bcm_qspi_remove() wherein spi_unregister_master() is called after uninitializing the hardware, disabling the clock and freeing an IRQ data structure. The correct order is to call spi_unregister_master() *before* those teardown steps because bus accesses may still be ongoing until that function returns. Fixes: fa236a7ef240 ("spi: bcm-qspi: Add Broadcom MSPI driver") Signed-off-by: Lukas Wunner Cc: # v4.9+: 123456789abc: spi: Introduce device-managed SPI controller allocation Cc: # v4.9+ Cc: Kamal Dasu Acked-by: Florian Fainelli Tested-by: Florian Fainelli Link: https://lore.kernel.org/r/5e31a9a59fd1c0d0b795b2fe219f25e5ee855f9d.1605121038.git.lukas@wunner.de Signed-off-by: Mark Brown Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 62b4ac11757dd3f7633bb1846d87ea14e145fbf6 Author: Pavel Begunkov Date: Wed Nov 18 14:56:26 2020 +0000 io_uring: order refnode recycling commit e297822b20e7fe683e107aea46e6402adcf99c70 upstream. Don't recycle a refnode until we're done with all requests of nodes ejected before. Signed-off-by: Pavel Begunkov Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Jens Axboe Signed-off-by: Pavel Begunkov Signed-off-by: Greg Kroah-Hartman commit c5772964b583f6a04112884b1e7f0c4c1ddadec4 Author: Pavel Begunkov Date: Wed Nov 18 14:56:25 2020 +0000 io_uring: get an active ref_node from files_data commit 1e5d770bb8a23dd01e28e92f4fb0b1093c8bdbe6 upstream. An active ref_node always can be found in ctx->files_data, it's much safer to get it this way instead of poking into files_data->ref_list. Signed-off-by: Pavel Begunkov Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman