commit 5a973f1903850a6257856e72959354eb856085ae Author: Greg Kroah-Hartman Date: Thu Jun 3 09:09:52 2021 +0200 Linux 5.12.9 Link: https://lore.kernel.org/r/20210531130703.762129381@linuxfoundation.org Tested-by: Fox Chen Tested-by: Justin M. Forbes Tested-by: Florian Fainelli Tested-by: Linux Kernel Functional Testing Tested-by: Jason Self Tested-by: Rudi Heitbaum Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 91845668deb8f8bda064e07d6eb66f07c5750e80 Author: Chunfeng Yun Date: Sat Apr 10 09:20:45 2021 +0800 usb: core: reduce power-on-good delay time of root hub commit 90d28fb53d4a51299ff324dede015d5cb11b88a2 upstream. Return the exactly delay time given by root hub descriptor, this helps to reduce resume time etc. Due to the root hub descriptor is usually provided by the host controller driver, if there is compatibility for a root hub, we can fix it easily without affect other root hub Acked-by: Alan Stern Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/1618017645-12259-1-git-send-email-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman commit ef8a81a752f96647dba3f1e5887c98c42bdc603a Author: Chinmay Agarwal Date: Thu Apr 22 01:12:22 2021 +0530 neighbour: Prevent Race condition in neighbour subsytem commit eefb45eef5c4c425e87667af8f5e904fbdd47abf upstream. Following Race Condition was detected: : Executing: __netif_receive_skb() ->__netif_receive_skb_core() -> arp_rcv() -> arp_process().arp_process() calls __neigh_lookup() which takes a reference on neighbour entry 'n'. Moves further along, arp_process() and calls neigh_update()-> __neigh_update(). Neighbour entry is unlocked just before a call to neigh_update_gc_list. This unlocking paves way for another thread that may take a reference on the same and mark it dead and remove it from gc_list. - neigh_flush_dev() is under execution and calls neigh_mark_dead(n) marking the neighbour entry 'n' as dead. Also n will be removed from gc_list. Moves further along neigh_flush_dev() and calls neigh_cleanup_and_release(n), but since reference count increased in t1, 'n' couldn't be destroyed. - Code hits neigh_update_gc_list, with neighbour entry set as dead. - arp_process() finally calls neigh_release(n), destroying the neighbour entry and we have a destroyed ntry still part of gc_list. Fixes: eb4e8fac00d1("neighbour: Prevent a dead entry from updating gc_list") Signed-off-by: Chinmay Agarwal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b4a92b1df59eeb0badee2e242964549dbca0d7ca Author: Jisheng Zhang Date: Tue May 25 10:45:51 2021 +0800 arm64: mm: don't use CON and BLK mapping if KFENCE is enabled commit e69012400b0cb42b2070748322cb72f9effec00f upstream. When we added KFENCE support for arm64, we intended that it would force the entire linear map to be mapped at page granularity, but we only enforced this in arch_add_memory() and not in map_mem(), so memory mapped at boot time can be mapped at a larger granularity. When booting a kernel with KFENCE=y and RODATA_FULL=n, this results in the following WARNING at boot: [ 0.000000] ------------[ cut here ]------------ [ 0.000000] WARNING: CPU: 0 PID: 0 at mm/memory.c:2462 apply_to_pmd_range+0xec/0x190 [ 0.000000] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.13.0-rc1+ #10 [ 0.000000] Hardware name: linux,dummy-virt (DT) [ 0.000000] pstate: 600000c5 (nZCv daIF -PAN -UAO -TCO BTYPE=--) [ 0.000000] pc : apply_to_pmd_range+0xec/0x190 [ 0.000000] lr : __apply_to_page_range+0x94/0x170 [ 0.000000] sp : ffffffc010573e20 [ 0.000000] x29: ffffffc010573e20 x28: ffffff801f400000 x27: ffffff801f401000 [ 0.000000] x26: 0000000000000001 x25: ffffff801f400fff x24: ffffffc010573f28 [ 0.000000] x23: ffffffc01002b710 x22: ffffffc0105fa450 x21: ffffffc010573ee4 [ 0.000000] x20: ffffff801fffb7d0 x19: ffffff801f401000 x18: 00000000fffffffe [ 0.000000] x17: 000000000000003f x16: 000000000000000a x15: ffffffc01060b940 [ 0.000000] x14: 0000000000000000 x13: 0098968000000000 x12: 0000000098968000 [ 0.000000] x11: 0000000000000000 x10: 0000000098968000 x9 : 0000000000000001 [ 0.000000] x8 : 0000000000000000 x7 : ffffffc010573ee4 x6 : 0000000000000001 [ 0.000000] x5 : ffffffc010573f28 x4 : ffffffc01002b710 x3 : 0000000040000000 [ 0.000000] x2 : ffffff801f5fffff x1 : 0000000000000001 x0 : 007800005f400705 [ 0.000000] Call trace: [ 0.000000] apply_to_pmd_range+0xec/0x190 [ 0.000000] __apply_to_page_range+0x94/0x170 [ 0.000000] apply_to_page_range+0x10/0x20 [ 0.000000] __change_memory_common+0x50/0xdc [ 0.000000] set_memory_valid+0x30/0x40 [ 0.000000] kfence_init_pool+0x9c/0x16c [ 0.000000] kfence_init+0x20/0x98 [ 0.000000] start_kernel+0x284/0x3f8 Fixes: 840b23986344 ("arm64, kfence: enable KFENCE for ARM64") Cc: # 5.12.x Signed-off-by: Jisheng Zhang Acked-by: Mark Rutland Acked-by: Marco Elver Tested-by: Marco Elver Link: https://lore.kernel.org/r/20210525104551.2ec37f77@xhacker.debian Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 386178ba519c9a38596bc57d579ebcf612e6bd02 Author: Johan Hovold Date: Wed May 19 14:47:17 2021 +0200 net: hso: bail out on interrupt URB allocation failure commit 4d52ebc7ace491d58f96d1f4a1cb9070c506b2e7 upstream. Commit 31db0dbd7244 ("net: hso: check for allocation failure in hso_create_bulk_serial_device()") recently started returning an error when the driver fails to allocate resources for the interrupt endpoint and tiocmget functionality. For consistency let's bail out from probe also if the URB allocation fails. Signed-off-by: Johan Hovold Reviewed-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5d51d34b1080e8fc142e609add7a82c4c615f029 Author: Greg Kroah-Hartman Date: Thu May 13 21:40:38 2021 +0200 Revert "Revert "ALSA: usx2y: Fix potential NULL pointer dereference"" commit 27b57bb76a897be80494ee11ee4e85326d19383d upstream. This reverts commit 4667a6fc1777ce071504bab570d3599107f4790f. Takashi writes: I have already started working on the bigger cleanup of this driver code based on 5.13-rc1, so could you drop this revert? I missed our previous discussion about this, my fault for applying it. Reported-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f3c4fcab4eec26a4177bf759702aa8df2553d9dd Author: Liu Jian Date: Tue May 25 09:41:39 2021 +0800 bpftool: Add sock_release help info for cgroup attach/prog load command commit a8deba8547e39f26440101164a3bbc2899c5b305 upstream. The help information was not added at the time when the function got added. Fix this and add the missing information to its cli, documentation and bash completion. Fixes: db94cc0b4805 ("bpftool: Add support for BPF_CGROUP_INET_SOCK_RELEASE") Signed-off-by: Liu Jian Signed-off-by: Daniel Borkmann Reviewed-by: Quentin Monnet Link: https://lore.kernel.org/bpf/20210525014139.323859-1-liujian56@huawei.com Signed-off-by: Greg Kroah-Hartman commit 3256697e223e9ac7d80ff3729d3711deb515d7a2 Author: Yunsheng Lin Date: Tue May 18 19:36:03 2021 +0800 net: hns3: check the return of skb_checksum_help() commit 9bb5a495424fd4bfa672eb1f31481248562fa156 upstream. Currently skb_checksum_help()'s return is ignored, but it may return error when it fails to allocate memory when linearizing. So adds checking for the return of skb_checksum_help(). Fixes: 76ad4f0ee747("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC") Fixes: 3db084d28dc0("net: hns3: Fix for vxlan tx checksum bug") Signed-off-by: Yunsheng Lin Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 93534d16f6d32923367251c13ed48f14c4bbf10b Author: Magnus Karlsson Date: Thu May 6 14:43:49 2021 +0200 samples/bpf: Consider frame size in tx_only of xdpsock sample commit 3b80d106e110d39d3f678954d3b55078669cf07e upstream. Fix the tx_only micro-benchmark in xdpsock to take frame size into consideration. It was hardcoded to the default value of frame_size which is 4K. Changing this on the command line to 2K made half of the packets illegal as they were outside the umem and were therefore discarded by the kernel. Fixes: 46738f73ea4f ("samples/bpf: add use of need_wakeup flag in xdpsock") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Acked-by: Maciej Fijalkowski Link: https://lore.kernel.org/bpf/20210506124349.6666-1-magnus.karlsson@gmail.com Signed-off-by: Greg Kroah-Hartman commit 31f675c70e3a805028b2b9e9e326595749fef55e Author: Chuck Lever Date: Wed May 26 15:35:20 2021 -0400 xprtrdma: Revert 586a0787ce35 [ Upstream commit ae605ee9830840f14566a3b1cde27fa8096dbdd4 ] Commit 9ed5af268e88 ("SUNRPC: Clean up the handling of page padding in rpc_prepare_reply_pages()") [Dec 2020] affects RPC Replies that have a data payload (i.e., Write chunks). rpcrdma_prepare_readch(), as its name suggests, sets up Read chunks which are data payloads within RPC Calls. Those payloads are constructed by xdr_write_pages(), which continues to stuff the call buffer's tail kvec with the payload's XDR roundup. Thus removing the tail buffer logic in rpcrdma_prepare_readch() was the wrong thing to do. Fixes: 586a0787ce35 ("xprtrdma: Clean up rpcrdma_prepare_readch()") Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit bb31b40bdffa58ccf9210670e3822c6f93c789e6 Author: Wanpeng Li Date: Tue May 18 05:00:34 2021 -0700 KVM: X86: hyper-v: Task srcu lock when accessing kvm_memslots() [ Upstream commit da6d63a0062a3ee721b84123b83ec093f25759b0 ] WARNING: suspicious RCU usage 5.13.0-rc1 #4 Not tainted ----------------------------- ./include/linux/kvm_host.h:710 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 1 lock held by hyperv_clock/8318: #0: ffffb6b8cb05a7d8 (&hv->hv_lock){+.+.}-{3:3}, at: kvm_hv_invalidate_tsc_page+0x3e/0xa0 [kvm] stack backtrace: CPU: 3 PID: 8318 Comm: hyperv_clock Not tainted 5.13.0-rc1 #4 Call Trace: dump_stack+0x87/0xb7 lockdep_rcu_suspicious+0xce/0xf0 kvm_write_guest_page+0x1c1/0x1d0 [kvm] kvm_write_guest+0x50/0x90 [kvm] kvm_hv_invalidate_tsc_page+0x79/0xa0 [kvm] kvm_gen_update_masterclock+0x1d/0x110 [kvm] kvm_arch_vm_ioctl+0x2a7/0xc50 [kvm] kvm_vm_ioctl+0x123/0x11d0 [kvm] __x64_sys_ioctl+0x3ed/0x9d0 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae kvm_memslots() will be called by kvm_write_guest(), so we should take the srcu lock. Fixes: e880c6ea5 (KVM: x86: hyper-v: Prevent using not-yet-updated TSC page by secondary CPUs) Reviewed-by: Vitaly Kuznetsov Signed-off-by: Wanpeng Li Message-Id: <1621339235-11131-4-git-send-email-wanpengli@tencent.com> Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit a1d17c1aaa4a0743e86b80d5eda6f55749c42496 Author: Yang Yingliang Date: Thu May 27 17:26:40 2021 +0800 thermal/drivers/qcom: Fix error code in adc_tm5_get_dt_channel_data() [ Upstream commit 5d8db38ad7660e4d78f4e2a63f14336f31f07a63 ] Return -EINVAL when args is invalid instead of 'ret' which is set to zero by a previous successful call to a function. Fixes: ca66dca5eda6 ("thermal: qcom: add support for adc-tm5 PMIC thermal monitor") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210527092640.2070555-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 3b028c03d813a37a0aefe783eba777f3fa77be5b Author: Trond Myklebust Date: Tue May 25 18:43:38 2021 -0400 SUNRPC: More fixes for backlog congestion [ Upstream commit e86be3a04bc4aeaf12f93af35f08f8d4385bcd98 ] Ensure that we fix the XPRT_CONGESTED starvation issue for RDMA as well as socket based transports. Ensure we always initialise the request after waking up from the backlog list. Fixes: e877a88d1f06 ("SUNRPC in case of backlog, hand free slots directly to waiting task") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 06397b644b2d699d3672242335f6a0e262b46ba3 Author: Stefan Chulski Date: Tue May 25 19:04:41 2021 +0300 net: mvpp2: add buffer header handling in RX [ Upstream commit 17f9c1b63cdd4439523cfcdf5683e5070b911f24 ] If Link Partner sends frames larger than RX buffer size, MAC mark it as oversize but still would pass it to the Packet Processor. In this scenario, Packet Processor scatter frame between multiple buffers, but only a single buffer would be returned to the Buffer Manager pool and it would not refill the poll. Patch add handling of oversize error with buffer header handling, so all buffers would be returned to the Buffer Manager pool. Fixes: 3f518509dedc ("ethernet: Add new driver for Marvell Armada 375 network unit") Reported-by: Russell King Signed-off-by: Stefan Chulski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 86ab133b695ed7ba1f8786b12f4ca43137ad8c18 Author: Vlad Buslov Date: Tue May 25 16:21:52 2021 +0300 net: zero-initialize tc skb extension on allocation [ Upstream commit 9453d45ecb6c2199d72e73c993e9d98677a2801b ] Function skb_ext_add() doesn't initialize created skb extension with any value and leaves it up to the user. However, since extension of type TC_SKB_EXT originally contained only single value tc_skb_ext->chain its users used to just assign the chain value without setting whole extension memory to zero first. This assumption changed when TC_SKB_EXT extension was extended with additional fields but not all users were updated to initialize the new fields which leads to use of uninitialized memory afterwards. UBSAN log: [ 778.299821] UBSAN: invalid-load in net/openvswitch/flow.c:899:28 [ 778.301495] load of value 107 is not a valid value for type '_Bool' [ 778.303215] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7+ #2 [ 778.304933] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 [ 778.307901] Call Trace: [ 778.308680] [ 778.309358] dump_stack+0xbb/0x107 [ 778.310307] ubsan_epilogue+0x5/0x40 [ 778.311167] __ubsan_handle_load_invalid_value.cold+0x43/0x48 [ 778.312454] ? memset+0x20/0x40 [ 778.313230] ovs_flow_key_extract.cold+0xf/0x14 [openvswitch] [ 778.314532] ovs_vport_receive+0x19e/0x2e0 [openvswitch] [ 778.315749] ? ovs_vport_find_upcall_portid+0x330/0x330 [openvswitch] [ 778.317188] ? create_prof_cpu_mask+0x20/0x20 [ 778.318220] ? arch_stack_walk+0x82/0xf0 [ 778.319153] ? secondary_startup_64_no_verify+0xb0/0xbb [ 778.320399] ? stack_trace_save+0x91/0xc0 [ 778.321362] ? stack_trace_consume_entry+0x160/0x160 [ 778.322517] ? lock_release+0x52e/0x760 [ 778.323444] netdev_frame_hook+0x323/0x610 [openvswitch] [ 778.324668] ? ovs_netdev_get_vport+0xe0/0xe0 [openvswitch] [ 778.325950] __netif_receive_skb_core+0x771/0x2db0 [ 778.327067] ? lock_downgrade+0x6e0/0x6f0 [ 778.328021] ? lock_acquire+0x565/0x720 [ 778.328940] ? generic_xdp_tx+0x4f0/0x4f0 [ 778.329902] ? inet_gro_receive+0x2a7/0x10a0 [ 778.330914] ? lock_downgrade+0x6f0/0x6f0 [ 778.331867] ? udp4_gro_receive+0x4c4/0x13e0 [ 778.332876] ? lock_release+0x52e/0x760 [ 778.333808] ? dev_gro_receive+0xcc8/0x2380 [ 778.334810] ? lock_downgrade+0x6f0/0x6f0 [ 778.335769] __netif_receive_skb_list_core+0x295/0x820 [ 778.336955] ? process_backlog+0x780/0x780 [ 778.337941] ? mlx5e_rep_tc_netdevice_event_unregister+0x20/0x20 [mlx5_core] [ 778.339613] ? seqcount_lockdep_reader_access.constprop.0+0xa7/0xc0 [ 778.341033] ? kvm_clock_get_cycles+0x14/0x20 [ 778.342072] netif_receive_skb_list_internal+0x5f5/0xcb0 [ 778.343288] ? __kasan_kmalloc+0x7a/0x90 [ 778.344234] ? mlx5e_handle_rx_cqe_mpwrq+0x9e0/0x9e0 [mlx5_core] [ 778.345676] ? mlx5e_xmit_xdp_frame_mpwqe+0x14d0/0x14d0 [mlx5_core] [ 778.347140] ? __netif_receive_skb_list_core+0x820/0x820 [ 778.348351] ? mlx5e_post_rx_mpwqes+0xa6/0x25d0 [mlx5_core] [ 778.349688] ? napi_gro_flush+0x26c/0x3c0 [ 778.350641] napi_complete_done+0x188/0x6b0 [ 778.351627] mlx5e_napi_poll+0x373/0x1b80 [mlx5_core] [ 778.352853] __napi_poll+0x9f/0x510 [ 778.353704] ? mlx5_flow_namespace_set_mode+0x260/0x260 [mlx5_core] [ 778.355158] net_rx_action+0x34c/0xa40 [ 778.356060] ? napi_threaded_poll+0x3d0/0x3d0 [ 778.357083] ? sched_clock_cpu+0x18/0x190 [ 778.358041] ? __common_interrupt+0x8e/0x1a0 [ 778.359045] __do_softirq+0x1ce/0x984 [ 778.359938] __irq_exit_rcu+0x137/0x1d0 [ 778.360865] irq_exit_rcu+0xa/0x20 [ 778.361708] common_interrupt+0x80/0xa0 [ 778.362640] [ 778.363212] asm_common_interrupt+0x1e/0x40 [ 778.364204] RIP: 0010:native_safe_halt+0xe/0x10 [ 778.365273] Code: 4f ff ff ff 4c 89 e7 e8 50 3f 40 fe e9 dc fe ff ff 48 89 df e8 43 3f 40 fe eb 90 cc e9 07 00 00 00 0f 00 2d 74 05 62 00 fb f4 90 e9 07 00 00 00 0f 00 2d 64 05 62 00 f4 c3 cc cc 0f 1f 44 00 [ 778.369355] RSP: 0018:ffffffff84407e48 EFLAGS: 00000246 [ 778.370570] RAX: ffff88842de46a80 RBX: ffffffff84425840 RCX: ffffffff83418468 [ 778.372143] RDX: 000000000026f1da RSI: 0000000000000004 RDI: ffffffff8343af5e [ 778.373722] RBP: fffffbfff0884b08 R08: 0000000000000000 R09: ffff88842de46bcb [ 778.375292] R10: ffffed1085bc8d79 R11: 0000000000000001 R12: 0000000000000000 [ 778.376860] R13: ffffffff851124a0 R14: 0000000000000000 R15: dffffc0000000000 [ 778.378491] ? rcu_eqs_enter.constprop.0+0xb8/0xe0 [ 778.379606] ? default_idle_call+0x5e/0xe0 [ 778.380578] default_idle+0xa/0x10 [ 778.381406] default_idle_call+0x96/0xe0 [ 778.382350] do_idle+0x3d4/0x550 [ 778.383153] ? arch_cpu_idle_exit+0x40/0x40 [ 778.384143] cpu_startup_entry+0x19/0x20 [ 778.385078] start_kernel+0x3c7/0x3e5 [ 778.385978] secondary_startup_64_no_verify+0xb0/0xbb Fix the issue by providing new function tc_skb_ext_alloc() that allocates tc skb extension and initializes its memory to 0 before returning it to the caller. Change all existing users to use new API instead of calling skb_ext_add() directly. Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag in act_ct") Fixes: d29334c15d33 ("net/sched: act_api: fix miss set post_ct for ovs after do conntrack in act_ct") Signed-off-by: Vlad Buslov Acked-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0f53116dcd16ab9a750f2ed88cb88c1363ab1d63 Author: Randy Dunlap Date: Sun May 16 17:54:17 2021 -0700 MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c [ Upstream commit fef532ea0cd871afab7d9a7b6e9da99ac2c24371 ] rt2880_wdt.c uses (well, attempts to use) rt_sysc_membase. However, when this watchdog driver is built as a loadable module, there is a build error since the rt_sysc_membase symbol is not exported. Export it to quell the build error. ERROR: modpost: "rt_sysc_membase" [drivers/watchdog/rt2880_wdt.ko] undefined! Fixes: 473cf939ff34 ("watchdog: add ralink watchdog driver") Signed-off-by: Randy Dunlap Cc: Guenter Roeck Cc: Wim Van Sebroeck Cc: John Crispin Cc: linux-mips@vger.kernel.org Cc: linux-watchdog@vger.kernel.org Acked-by: Guenter Roeck Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 3f710418d2da0fdefc0bacf6680ae1a1a363d5fb Author: Randy Dunlap Date: Sun May 16 17:01:08 2021 -0700 MIPS: alchemy: xxs1500: add gpio-au1000.h header file [ Upstream commit ff4cff962a7eedc73e54b5096693da7f86c61346 ] board-xxs1500.c references 2 functions without declaring them, so add the header file to placate the build. ../arch/mips/alchemy/board-xxs1500.c: In function 'board_setup': ../arch/mips/alchemy/board-xxs1500.c:56:2: error: implicit declaration of function 'alchemy_gpio1_input_enable' [-Werror=implicit-function-declaration] 56 | alchemy_gpio1_input_enable(); ../arch/mips/alchemy/board-xxs1500.c:57:2: error: implicit declaration of function 'alchemy_gpio2_enable'; did you mean 'alchemy_uart_enable'? [-Werror=implicit-function-declaration] 57 | alchemy_gpio2_enable(); Fixes: 8e026910fcd4 ("MIPS: Alchemy: merge GPR/MTX-1/XXS1500 board code into single files") Signed-off-by: Randy Dunlap Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: Manuel Lauss Cc: Ralf Baechle Acked-by: Manuel Lauss Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 4ffd1d4a6b306ff69cbe412d2c54d2dd349ff436 Author: George McCollister Date: Mon May 24 13:50:54 2021 -0500 net: hsr: fix mac_len checks [ Upstream commit 48b491a5cc74333c4a6a82fe21cea42c055a3b0b ] Commit 2e9f60932a2c ("net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info") added the following which resulted in -EINVAL always being returned: if (skb->mac_len < sizeof(struct hsr_ethhdr)) return -EINVAL; mac_len was not being set correctly so this check completely broke HSR/PRP since it was always 14, not 20. Set mac_len correctly and modify the mac_len checks to test in the correct places since sometimes it is legitimately 14. Fixes: 2e9f60932a2c ("net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info") Signed-off-by: George McCollister Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit be82e48d65dfae2ba5eaadf6b4e8342d78afe15e Author: Taehee Yoo Date: Sun May 23 14:38:53 2021 +0000 sch_dsmark: fix a NULL deref in qdisc_reset() [ Upstream commit 9b76eade16423ef06829cccfe3e100cfce31afcd ] If Qdisc_ops->init() is failed, Qdisc_ops->reset() would be called. When dsmark_init(Qdisc_ops->init()) is failed, it possibly doesn't initialize dsmark_qdisc_data->q. But dsmark_reset(Qdisc_ops->reset()) uses dsmark_qdisc_data->q pointer wihtout any null checking. So, panic would occur. Test commands: sysctl net.core.default_qdisc=dsmark -w ip link add dummy0 type dummy ip link add vw0 link dummy0 type virt_wifi ip link set vw0 up Splat looks like: KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 3 PID: 684 Comm: ip Not tainted 5.12.0+ #910 RIP: 0010:qdisc_reset+0x2b/0x680 Code: 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54 55 48 89 fd 48 83 c7 18 53 48 89 fa 48 c1 ea 03 48 83 ec 20 <80> 3c 02 00 0f 85 09 06 00 00 4c 8b 65 18 0f 1f 44 00 00 65 8b 1d RSP: 0018:ffff88800fda6bf8 EFLAGS: 00010282 RAX: dffffc0000000000 RBX: ffff8880050ed800 RCX: 0000000000000000 RDX: 0000000000000003 RSI: ffffffff99e34100 RDI: 0000000000000018 RBP: 0000000000000000 R08: fffffbfff346b553 R09: fffffbfff346b553 R10: 0000000000000001 R11: fffffbfff346b552 R12: ffffffffc0824940 R13: ffff888109e83800 R14: 00000000ffffffff R15: ffffffffc08249e0 FS: 00007f5042287680(0000) GS:ffff888119800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055ae1f4dbd90 CR3: 0000000006760002 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? rcu_read_lock_bh_held+0xa0/0xa0 dsmark_reset+0x3d/0xf0 [sch_dsmark] qdisc_reset+0xa9/0x680 qdisc_destroy+0x84/0x370 qdisc_create_dflt+0x1fe/0x380 attach_one_default_qdisc.constprop.41+0xa4/0x180 dev_activate+0x4d5/0x8c0 ? __dev_open+0x268/0x390 __dev_open+0x270/0x390 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 486737ba60210a5e6b0a9e0ac8003cd72e518a7d Author: Stefan Roese Date: Sat May 22 09:56:30 2021 +0200 net: ethernet: mtk_eth_soc: Fix packet statistics support for MT7628/88 [ Upstream commit ad79fd2c42f7626bdf6935cd72134c2a5a59ff2d ] The MT7628/88 SoC(s) have other (limited) packet counter registers than currently supported in the mtk_eth_soc driver. This patch adds support for reading these registers, so that the packet statistics are correctly updated. Additionally the defines for the non-MT7628 variant packet counter registers are added and used in this patch instead of using hard coded values. Signed-off-by: Stefan Roese Fixes: 296c9120752b ("net: ethernet: mediatek: Add MT7628/88 SoC support") Cc: Felix Fietkau Cc: John Crispin Cc: Ilya Lipnitskiy Cc: Reto Schneider Cc: Reto Schneider Cc: David S. Miller Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6fe5587c36690e8a273a09ebf0997930003c598a Author: kernel test robot Date: Sun May 23 02:09:00 2021 +0800 ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static [ Upstream commit 2b899f31f1a6db2db4608bac2ac04fe2c4ad89eb ] sound/usb/mixer_scarlett_gen2.c:2000:5: warning: symbol 'snd_scarlett_gen2_controls_create' was not declared. Should it be static? Fixes: 265d1a90e4fb ("ALSA: usb-audio: scarlett2: Improve driver startup messages") Reported-by: kernel test robot Signed-off-by: kernel test robot Link: https://lore.kernel.org/r/20210522180900.GA83915@f59a3af2f1d9 Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 04ea1e1d2acf5817c36dde4ec74fa5e324fb1e70 Author: Tom Rix Date: Mon May 17 06:24:51 2021 -0700 scsi: aic7xxx: Restore several defines for aic7xxx firmware build [ Upstream commit 7e7606330b167a0ff483fb02caed9267bfab69ee ] With CONFIG_AIC7XXX_BUILD_FIRMWARE, there is this representative error: aicasm: Stopped at file ./drivers/scsi/aic7xxx/aic7xxx.seq, line 271 - Undefined symbol MSG_SIMPLE_Q_TAG referenced MSG_SIMPLE_Q_TAG used to be defined in drivers/scsi/aic7xxx/scsi_message.h as: #define MSG_SIMPLE_Q_TAG 0x20 /* O/O */ The new definition in include/scsi/scsi.h is: #define SIMPLE_QUEUE_TAG 0x20 But aicasm can not handle the all the preprocessor directives in scsi.h, so add MSG_SIMPLE_Q_TAB and other required defines back to scsi_message.h. Link: https://lore.kernel.org/r/20210517132451.1832233-1-trix@redhat.com Fixes: d8cd784ff7b3 ("scsi: aic7xxx: aic79xx: Drop internal SCSI message definition" Signed-off-by: Tom Rix Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2547527b3674e4a542161cc450b484d2837e080f Author: Francesco Ruggeri Date: Fri May 21 13:21:14 2021 -0700 ipv6: record frag_max_size in atomic fragments in input path [ Upstream commit e29f011e8fc04b2cdc742a2b9bbfa1b62518381a ] Commit dbd1759e6a9c ("ipv6: on reassembly, record frag_max_size") filled the frag_max_size field in IP6CB in the input path. The field should also be filled in case of atomic fragments. Fixes: dbd1759e6a9c ('ipv6: on reassembly, record frag_max_size') Signed-off-by: Francesco Ruggeri Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 46dd4abced3cb2c912916f4a5353e0927db0c4a2 Author: Aleksander Jan Bajkowski Date: Fri May 21 16:45:58 2021 +0200 net: lantiq: fix memory corruption in RX ring [ Upstream commit c7718ee96dbc2f9c5fc3b578abdf296dd44b9c20 ] In a situation where memory allocation or dma mapping fails, an invalid address is programmed into the descriptor. This can lead to memory corruption. If the memory allocation fails, DMA should reuse the previous skb and mapping and drop the packet. This patch also increments rx drop counter. Fixes: fe1a56420cf2 ("net: lantiq: Add Lantiq / Intel VRX200 Ethernet driver ") Signed-off-by: Aleksander Jan Bajkowski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 83201d6dec59b58db360194e6bff1913f4ee0151 Author: Dan Carpenter Date: Wed May 19 17:20:27 2021 +0300 scsi: libsas: Use _safe() loop in sas_resume_port() [ Upstream commit 8c7e7b8486cda21269d393245883c5e4737d5ee7 ] If sas_notify_lldd_dev_found() fails then this code calls: sas_unregister_dev(port, dev); which removes "dev", our list iterator, from the list. This could lead to an endless loop. We need to use list_for_each_entry_safe(). Link: https://lore.kernel.org/r/YKUeq6gwfGcvvhty@mwanda Fixes: 303694eeee5e ("[SCSI] libsas: suspend / resume support") Reviewed-by: John Garry Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit af9405227912b81fce2a4185de0bf3a4e07e5d35 Author: Stephen Boyd Date: Wed May 19 18:48:07 2021 -0700 ASoC: qcom: lpass-cpu: Use optional clk APIs [ Upstream commit af2702549d68519ac78228e915d9b2c199056787 ] This driver spits out a warning for me at boot: sc7180-lpass-cpu 62f00000.lpass: asoc_qcom_lpass_cpu_platform_probe() error getting optional null: -2 but it looks like it is all an optional clk. Use the optional clk APIs here so that we don't see this message and everything else is the same. Cc: Srinivas Kandagatla Cc: Banajit Goswami Fixes: 3e53ac8230c1 ("ASoC: qcom: make osr clock optional") Signed-off-by: Stephen Boyd Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210520014807.3749797-1-swboyd@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 027c76ea1f107881babb79ddc04b5dfb27a8d4c3 Author: Jesse Brandeburg Date: Thu May 20 11:18:35 2021 -0700 ixgbe: fix large MTU request from VF [ Upstream commit 63e39d29b3da02e901349f6cd71159818a4737a6 ] Check that the MTU value requested by the VF is in the supported range of MTUs before attempting to set the VF large packet enable, otherwise reject the request. This also avoids unnecessary register updates in the case of the 82599 controller. Fixes: 872844ddb9e4 ("ixgbe: Enable jumbo frames support w/ SR-IOV") Co-developed-by: Piotr Skajewski Signed-off-by: Piotr Skajewski Signed-off-by: Jesse Brandeburg Co-developed-by: Mateusz Palczewski Signed-off-by: Mateusz Palczewski Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ac7ef9fb9d72dd627ce850fd7bbecdfff4e64c8b Author: Jussi Maki Date: Wed May 19 15:47:42 2021 +0000 bpf: Set mac_len in bpf_skb_change_head [ Upstream commit 84316ca4e100d8cbfccd9f774e23817cb2059868 ] The skb_change_head() helper did not set "skb->mac_len", which is problematic when it's used in combination with skb_redirect_peer(). Without it, redirecting a packet from a L3 device such as wireguard to the veth peer device will cause skb->data to point to the middle of the IP header on entry to tcp_v4_rcv() since the L2 header is not pulled correctly due to mac_len=0. Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure") Signed-off-by: Jussi Maki Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20210519154743.2554771-2-joamaki@gmail.com Signed-off-by: Sasha Levin commit 0e55e05374de62195444344ee6fc0e2ca53ff175 Author: Yinjun Zhang Date: Thu May 20 10:58:34 2021 +0200 bpf, offload: Reorder offload callback 'prepare' in verifier [ Upstream commit ceb11679d9fcf3fdb358a310a38760fcbe9b63ed ] Commit 4976b718c355 ("bpf: Introduce pseudo_btf_id") switched the order of resolve_pseudo_ldimm(), in which some pseudo instructions are rewritten. Thus those rewritten instructions cannot be passed to driver via 'prepare' offload callback. Reorder the 'prepare' offload callback to fix it. Fixes: 4976b718c355 ("bpf: Introduce pseudo_btf_id") Signed-off-by: Yinjun Zhang Signed-off-by: Simon Horman Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20210520085834.15023-1-simon.horman@netronome.com Signed-off-by: Sasha Levin commit 8d422046a2bc1a60b4e851589535d4c61c169ce6 Author: Dan Carpenter Date: Thu May 20 08:08:24 2021 +0300 ASoC: cs35l33: fix an error code in probe() [ Upstream commit 833bc4cf9754643acc69b3c6b65988ca78df4460 ] This error path returns zero (success) but it should return -EINVAL. Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.") Signed-off-by: Dan Carpenter Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/YKXuyGEzhPT35R3G@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cbb1cf68e4c6e2422762dc1ccc8f52b0ded8497a Author: Dan Carpenter Date: Wed May 19 17:16:50 2021 +0300 staging: emxx_udc: fix loop in _nbu2ss_nuke() [ Upstream commit e0112a7c9e847ada15a631b88e279d547e8f26a7 ] The _nbu2ss_ep_done() function calls: list_del_init(&req->queue); which means that the loop will never exit. Fixes: ca3d253eb967 ("Staging: emxx_udc: Iterate list using list_for_each_entry") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YKUd0sDyjm/lkJfJ@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 285207a558ab456aa7d8aa877ecc7e91fcc51710 Author: Raju Rangoju Date: Wed May 19 16:48:31 2021 +0530 cxgb4: avoid accessing registers when clearing filters [ Upstream commit 88c380df84fbd03f9b137c2b9d0a44b9f2f553b0 ] Hardware register having the server TID base can contain invalid values when adapter is in bad state (for example, due to AER fatal error). Reading these invalid values in the register can lead to out-of-bound memory access. So, fix by using the saved server TID base when clearing filters. Fixes: b1a79360ee86 ("cxgb4: Delete all hash and TCAM filters before resource cleanup") Signed-off-by: Raju Rangoju Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d7aa782be30b0f707434667678394002299bdbda Author: Lu Baolu Date: Wed May 19 09:50:27 2021 +0800 iommu/vt-d: Use user privilege for RID2PASID translation [ Upstream commit 54c80d907400189b09548039be8f3b6e297e8ae3 ] When first-level page tables are used for IOVA translation, we use user privilege by setting U/S bit in the page table entry. This is to make it consistent with the second level translation, where the U/S enforcement is not available. Clear the SRE (Supervisor Request Enable) field in the pasid table entry of RID2PASID so that requests requesting the supervisor privilege are blocked and treated as DMA remapping faults. Fixes: b802d070a52a1 ("iommu/vt-d: Use iova over first level") Suggested-by: Jacob Pan Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20210512064426.3440915-1-baolu.lu@linux.intel.com Link: https://lore.kernel.org/r/20210519015027.108468-3-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 73b31d8420d8802b2dd2d5d99ad3b5d2c32f1239 Author: Dan Carpenter Date: Wed May 19 09:50:26 2021 +0800 iommu/vt-d: Check for allocation failure in aux_detach_device() [ Upstream commit 1a590a1c8bf46bf80ea12b657ca44c345531ac80 ] In current kernels small allocations never fail, but checking for allocation failure is the correct thing to do. Fixes: 18abda7a2d55 ("iommu/vt-d: Fix general protection fault in aux_detach_device()") Signed-off-by: Dan Carpenter Acked-by: Lu Baolu Link: https://lore.kernel.org/r/YJuobKuSn81dOPLd@mwanda Link: https://lore.kernel.org/r/20210519015027.108468-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 9f6c8176302d43aeed085853306f276a2a851e18 Author: Vlad Buslov Date: Tue Apr 20 15:16:16 2021 +0300 net/mlx5e: Reject mirroring on source port change encap rules [ Upstream commit 7d1a3d08c8a6398e7497a98cf3f7b73ea13d9939 ] Rules with MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE dest flag are translated to destination FT in eswitch. Currently it is not possible to mirror such rules because firmware doesn't support mixing FT and Vport destinations in single rule when one of them adds encapsulation. Since the only use case for MLX5_ESW_DEST_CHAIN_WITH_SRC_PORT_CHANGE destination is support for tunnel endpoints on VF and trying to offload such rule with mirror action causes either crash in fs_core or firmware error with syndrome 0xff6a1d, reject all such rules in mlx5 TC layer. Fixes: 10742efc20a4 ("net/mlx5e: VF tunnel TX traffic offloading") Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit a663fe958a4bdc270b131cb38aaf3328e3d01f6b Author: Roi Dayan Date: Sun May 2 10:25:50 2021 +0300 net/mlx5e: Make sure fib dev exists in fib event [ Upstream commit eb96cc15926f4ddde3a28c42feeffdf002451c24 ] For unreachable route entry the fib dev does not exists. Fixes: 8914add2c9e5 ("net/mlx5e: Handle FIB events to update tunnel endpoint device") Reported-by: Dennis Afanasev Signed-off-by: Roi Dayan Reviewed-by: Maor Dickman Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 9d0c46ad5132574fac0c9384ed1fc86afab49c1a Author: Parav Pandit Date: Fri May 7 10:08:47 2021 +0300 net/mlx5: SF, Fix show state inactive when its inactivated [ Upstream commit 82041634d96e87b41c600a673f10150d9f21f742 ] When a SF is inactivated and when it is in a TEARDOWN_REQUEST state, driver still returns its state as active. This is incorrect. Fix it by treating TEARDOWN_REQEUST as inactive state. When a SF is still attached to the driver, on user request to reactivate EINVAL error is returned. Inform user about it with better code EBUSY and informative error message. Fixes: 6a3273217469 ("net/mlx5: SF, Port function state change support") Signed-off-by: Parav Pandit Reviewed-by: Vu Pham Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit b6267c5fb1c3d6acef4ce7a858dc9dae3ff32cde Author: Huazhong Tan Date: Tue May 18 19:36:02 2021 +0800 net: hns3: fix user's coalesce configuration lost issue [ Upstream commit 73a13d8dbe33e53a12400f2be0f5af169816c67f ] Currently, when adaptive is on, the user's coalesce configuration may be overwritten by the dynamic one. The reason is that user's configurations are saved in struct hns3_enet_tqp_vector whose value maybe changed by the dynamic algorithm. To fix it, use struct hns3_nic_priv instead of struct hns3_enet_tqp_vector to save and get the user's configuration. BTW, operations of storing and restoring coalesce info in the reset process are unnecessary now, so remove them as well. Fixes: 434776a5fae2 ("net: hns3: add ethtool_ops.set_coalesce support to PF") Fixes: 7e96adc46633 ("net: hns3: add ethtool_ops.get_coalesce support to PF") Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0921a0620b5077796fddffb22a8e6bc635a4bb50 Author: Jian Shen Date: Tue May 18 19:36:01 2021 +0800 net: hns3: put off calling register_netdev() until client initialize complete [ Upstream commit a289a7e5c1d49b7d47df9913c1cc81fb48fab613 ] Currently, the netdevice is registered before client initializing complete. So there is a timewindow between netdevice available and usable. In this case, if user try to change the channel number or ring param, it may cause the hns3_set_rx_cpu_rmap() being called twice, and report bug. [47199.416502] hns3 0000:35:00.0 eth1: set channels: tqp_num=1, rxfh=0 [47199.430340] hns3 0000:35:00.0 eth1: already uninitialized [47199.438554] hns3 0000:35:00.0: rss changes from 4 to 1 [47199.511854] hns3 0000:35:00.0: Channels changed, rss_size from 4 to 1, tqps from 4 to 1 [47200.163524] ------------[ cut here ]------------ [47200.171674] kernel BUG at lib/cpu_rmap.c:142! [47200.177847] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [47200.185259] Modules linked in: hclge(+) hns3(-) hns3_cae(O) hns_roce_hw_v2 hnae3 vfio_iommu_type1 vfio_pci vfio_virqfd vfio pv680_mii(O) [last unloaded: hclge] [47200.205912] CPU: 1 PID: 8260 Comm: ethtool Tainted: G O 5.11.0-rc3+ #1 [47200.215601] Hardware name: , xxxxxx 02/04/2021 [47200.223052] pstate: 60400009 (nZCv daif +PAN -UAO -TCO BTYPE=--) [47200.230188] pc : cpu_rmap_add+0x38/0x40 [47200.237472] lr : irq_cpu_rmap_add+0x84/0x140 [47200.243291] sp : ffff800010e93a30 [47200.247295] x29: ffff800010e93a30 x28: ffff082100584880 [47200.254155] x27: 0000000000000000 x26: 0000000000000000 [47200.260712] x25: 0000000000000000 x24: 0000000000000004 [47200.267241] x23: ffff08209ba03000 x22: ffff08209ba038c0 [47200.273789] x21: 000000000000003f x20: ffff0820e2bc1680 [47200.280400] x19: ffff0820c970ec80 x18: 00000000000000c0 [47200.286944] x17: 0000000000000000 x16: ffffb43debe4a0d0 [47200.293456] x15: fffffc2082990600 x14: dead000000000122 [47200.300059] x13: ffffffffffffffff x12: 000000000000003e [47200.306606] x11: ffff0820815b8080 x10: ffff53e411988000 [47200.313171] x9 : 0000000000000000 x8 : ffff0820e2bc1700 [47200.319682] x7 : 0000000000000000 x6 : 000000000000003f [47200.326170] x5 : 0000000000000040 x4 : ffff800010e93a20 [47200.332656] x3 : 0000000000000004 x2 : ffff0820c970ec80 [47200.339168] x1 : ffff0820e2bc1680 x0 : 0000000000000004 [47200.346058] Call trace: [47200.349324] cpu_rmap_add+0x38/0x40 [47200.354300] hns3_set_rx_cpu_rmap+0x6c/0xe0 [hns3] [47200.362294] hns3_reset_notify_init_enet+0x1cc/0x340 [hns3] [47200.370049] hns3_change_channels+0x40/0xb0 [hns3] [47200.376770] hns3_set_channels+0x12c/0x2a0 [hns3] [47200.383353] ethtool_set_channels+0x140/0x250 [47200.389772] dev_ethtool+0x714/0x23d0 [47200.394440] dev_ioctl+0x4cc/0x640 [47200.399277] sock_do_ioctl+0x100/0x2a0 [47200.404574] sock_ioctl+0x28c/0x470 [47200.409079] __arm64_sys_ioctl+0xb4/0x100 [47200.415217] el0_svc_common.constprop.0+0x84/0x210 [47200.422088] do_el0_svc+0x28/0x34 [47200.426387] el0_svc+0x28/0x70 [47200.431308] el0_sync_handler+0x1a4/0x1b0 [47200.436477] el0_sync+0x174/0x180 [47200.441562] Code: 11000405 79000c45 f8247861 d65f03c0 (d4210000) [47200.448869] ---[ end trace a01efe4ce42e5f34 ]--- The process is like below: excuting hns3_client_init | register_netdev() | hns3_set_channels() | | hns3_set_rx_cpu_rmap() hns3_reset_notify_uninit_enet() | | | quit without calling function | hns3_free_rx_cpu_rmap for flag | HNS3_NIC_STATE_INITED is unset. | | | hns3_reset_notify_init_enet() | | set HNS3_NIC_STATE_INITED call hns3_set_rx_cpu_rmap()-- crash Fix it by calling register_netdev() at the end of function hns3_client_init(). Fixes: 08a100689d4b ("net: hns3: re-organize vector handle") Signed-off-by: Jian Shen Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d207c1e8e3fb82aca5ffd14c33d0848b6b820efc Author: Jiaran Zhang Date: Tue May 18 19:36:00 2021 +0800 net: hns3: fix incorrect resp_msg issue [ Upstream commit a710b9ffbebaf713f7dbd4dbd9524907e5d66f33 ] In hclge_mbx_handler(), if there are two consecutive mailbox messages that requires resp_msg, the resp_msg is not cleared after processing the first message, which will cause the resp_msg data of second message incorrect. Fix it by clearing the resp_msg before processing every mailbox message. Fixes: bb5790b71bad ("net: hns3: refactor mailbox response scheme between PF and VF") Signed-off-by: Jiaran Zhang Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2b63009e0b887ca20f79d5b11e1f66b386a3b85e Author: Bixuan Cui Date: Sat May 8 11:14:51 2021 +0800 iommu/virtio: Add missing MODULE_DEVICE_TABLE [ Upstream commit 382d91fc0f4f1b13f8a0dcbf7145f4f175b71a18 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Bixuan Cui Fixes: fa4afd78ea12 ("iommu/virtio: Build virtio-iommu as module") Reviewed-by: Jean-Philippe Brucker Link: https://lore.kernel.org/r/20210508031451.53493-1-cuibixuan@huawei.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit f3f2cf46291a693eab21adb94171b0128c2a9ec1 Author: Jean-Philippe Brucker Date: Thu Apr 22 11:42:19 2021 +0200 iommu/amd: Clear DMA ops when switching domain [ Upstream commit d6177a6556f853785867e2ec6d5b7f4906f0d809 ] Since commit 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group") a user can switch a device between IOMMU and direct DMA through sysfs. This doesn't work for AMD IOMMU at the moment because dev->dma_ops is not cleared when switching from a DMA to an identity IOMMU domain. The DMA layer thus attempts to use the dma-iommu ops on an identity domain, causing an oops: # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/unbind # echo identity > /sys/bus/pci/devices/0000:00:05.0/iommu_group/type # echo 0000:00:05.0 > /sys/sys/bus/pci/drivers/e1000e/bind ... BUG: kernel NULL pointer dereference, address: 0000000000000028 ... Call Trace: iommu_dma_alloc e1000e_setup_tx_resources e1000e_open Since iommu_change_dev_def_domain() calls probe_finalize() again, clear the dma_ops there like Vt-d does. Fixes: 08a27c1c3ecf ("iommu: Add support to change default domain of an iommu group") Signed-off-by: Jean-Philippe Brucker Link: https://lore.kernel.org/r/20210422094216.2282097-1-jean-philippe@linaro.org Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 88eda9598f2d39e4980e69a26b5112e8adafcd83 Author: David Awogbemila Date: Mon May 17 14:08:15 2021 -0700 gve: Correct SKB queue index validation. [ Upstream commit fbd4a28b4fa66faaa7f510c0adc531d37e0a7848 ] SKBs with skb_get_queue_mapping(skb) == tx_cfg.num_queues should also be considered invalid. Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: David Awogbemila Acked-by: Willem de Brujin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a2f429c0bae00f36066abbefd34f2cf81807be28 Author: Catherine Sullivan Date: Mon May 17 14:08:14 2021 -0700 gve: Upgrade memory barrier in poll routine [ Upstream commit f81781835f0adfae8d701545386030d223efcd6f ] As currently written, if the driver checks for more work (via gve_tx_poll or gve_rx_poll) before the device posts work and the irq doorbell is not unmasked (via iowrite32be(GVE_IRQ_ACK | GVE_IRQ_EVENT, ...)) before the device attempts to raise an interrupt, an interrupt is lost and this could potentially lead to the traffic being completely halted. For example, if a tx queue has already been stopped, the driver won't get the chance to complete work and egress will be halted. We need a full memory barrier in the poll routine to ensure that the irq doorbell is unmasked before the driver checks for more work. Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: Catherine Sullivan Signed-off-by: David Awogbemila Acked-by: Willem de Brujin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5278c75266c5094d3c0958793bf12fc90300e580 Author: David Awogbemila Date: Mon May 17 14:08:13 2021 -0700 gve: Add NULL pointer checks when freeing irqs. [ Upstream commit 5218e919c8d06279884aa0baf76778a6817d5b93 ] When freeing notification blocks, we index priv->msix_vectors. If we failed to allocate priv->msix_vectors (see abort_with_msix_vectors) this could lead to a NULL pointer dereference if the driver is unloaded. Fixes: 893ce44df565 ("gve: Add basic driver framework for Compute Engine Virtual NIC") Signed-off-by: David Awogbemila Acked-by: Willem de Brujin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9361862c3bd34a1f87021b6732eed80602222282 Author: David Awogbemila Date: Mon May 17 14:08:12 2021 -0700 gve: Update mgmt_msix_idx if num_ntfy changes [ Upstream commit e96b491a0ffa35a8a9607c193fa4d894ca9fb32f ] If we do not get the expected number of vectors from pci_enable_msix_range, we update priv->num_ntfy_blks but not priv->mgmt_msix_idx. This patch fixes this so that priv->mgmt_msix_idx is updated accordingly. Fixes: f5cedc84a30d ("gve: Add transmit and receive support") Signed-off-by: David Awogbemila Acked-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 59da77df9f3474e3d5a6e1aee730324e5cbe88bc Author: Catherine Sullivan Date: Mon May 17 14:08:11 2021 -0700 gve: Check TX QPL was actually assigned [ Upstream commit 5aec55b46c6238506cdf0c60cd0e42ab77a1e5e0 ] Correctly check the TX QPL was assigned and unassigned if other steps in the allocation fail. Fixes: f5cedc84a30d (gve: Add transmit and receive support) Signed-off-by: Catherine Sullivan Signed-off-by: David Awogbemila Acked-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 40588782f1016c655ae1d302892f61d35af96842 Author: Julian Wiedmann Date: Mon May 17 10:47:06 2021 +0200 net/smc: remove device from smcd_dev_list after failed device_add() [ Upstream commit 444d7be9532dcfda8e0385226c862fd7e986f607 ] If the device_add() for a smcd_dev fails, there's no cleanup step that rolls back the earlier list_add(). The device subsequently gets freed, and we end up with a corrupted list. Add some error handling that removes the device from the list. Fixes: c6ba7c9ba43d ("net/smc: add base infrastructure for SMC-D and ISM") Signed-off-by: Julian Wiedmann Signed-off-by: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a76fb9ba545289379acf409653ad5f74417be59c Author: Taehee Yoo Date: Sun May 16 14:44:42 2021 +0000 mld: fix panic in mld_newpack() [ Upstream commit 020ef930b826d21c5446fdc9db80fd72a791bc21 ] mld_newpack() doesn't allow to allocate high order page, only order-0 allocation is allowed. If headroom size is too large, a kernel panic could occur in skb_put(). Test commands: ip netns del A ip netns del B ip netns add A ip netns add B ip link add veth0 type veth peer name veth1 ip link set veth0 netns A ip link set veth1 netns B ip netns exec A ip link set lo up ip netns exec A ip link set veth0 up ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0 ip netns exec B ip link set lo up ip netns exec B ip link set veth1 up ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1 for i in {1..99} do let A=$i-1 ip netns exec A ip link add ip6gre$i type ip6gre \ local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100 ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i ip netns exec A ip link set ip6gre$i up ip netns exec B ip link add ip6gre$i type ip6gre \ local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100 ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i ip netns exec B ip link set ip6gre$i up done Splat looks like: kernel BUG at net/core/skbuff.c:110! invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:skb_panic+0x15d/0x15f Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20 RSP: 0018:ffff88810091f820 EFLAGS: 00010282 RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000 RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031 R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028 R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0 FS: 0000000000000000(0000) GS:ffff888117c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 skb_put.cold.104+0x22/0x22 ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 ? rcu_read_lock_sched_held+0x91/0xc0 mld_newpack+0x398/0x8f0 ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600 ? lock_contended+0xc40/0xc40 add_grhead.isra.33+0x280/0x380 add_grec+0x5ca/0xff0 ? mld_sendpack+0xf40/0xf40 ? lock_downgrade+0x690/0x690 mld_send_initial_cr.part.34+0xb9/0x180 ipv6_mc_dad_complete+0x15d/0x1b0 addrconf_dad_completed+0x8d2/0xbb0 ? lock_downgrade+0x690/0x690 ? addrconf_rs_timer+0x660/0x660 ? addrconf_dad_work+0x73c/0x10e0 addrconf_dad_work+0x73c/0x10e0 Allowing high order page allocation could fix this problem. Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ae35950a2ffea160b1063745bc2a485fe2e7b334 Author: Michael Chan Date: Sat May 15 03:25:19 2021 -0400 bnxt_en: Fix context memory setup for 64K page size. [ Upstream commit 702279d2ce4650000bb6302013630304e359dc13 ] There was a typo in the code that checks for 64K BNXT_PAGE_SHIFT in bnxt_hwrm_set_pg_attr(). Fix it and make the code more understandable with a new macro BNXT_SET_CTX_PAGE_ATTR(). Fixes: 1b9394e5a2ad ("bnxt_en: Configure context memory on new devices.") Reviewed-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a5696a3ea4e9c206950e02981ed1bef5aaa522dc Author: Andy Gospodarek Date: Sat May 15 03:25:18 2021 -0400 bnxt_en: Include new P5 HV definition in VF check. [ Upstream commit ab21494be9dc7d62736c5fcd06be65d49df713ee ] Otherwise, some of the recently added HyperV VF IDs would not be recognized as VF devices and they would not initialize properly. Fixes: 7fbf359bb2c1 ("bnxt_en: Add PCI IDs for Hyper-V VF devices.") Reviewed-by: Edwin Peer Signed-off-by: Andy Gospodarek Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 88a9b6126bea3942b7d434d0d247985eb4eef42e Author: Zhen Lei Date: Sat May 15 15:16:05 2021 +0800 net: bnx2: Fix error return code in bnx2_init_board() [ Upstream commit 28c66b6da4087b8cfe81c2ec0a46eb6116dafda9 ] Fix to return -EPERM from the error handling case instead of 0, as done elsewhere in this function. Fixes: b6016b767397 ("[BNX2]: New Broadcom gigabit network driver.") Reported-by: Hulk Robot Signed-off-by: Zhen Lei Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 33c82b6080fbb67f8d1b653bf81ebb477dd91087 Author: Dan Carpenter Date: Fri May 14 17:24:48 2021 +0300 net: hso: check for allocation failure in hso_create_bulk_serial_device() [ Upstream commit 31db0dbd72444abe645d90c20ecb84d668f5af5e ] In current kernels, small allocations never actually fail so this patch shouldn't affect runtime. Originally this error handling code written with the idea that if the "serial->tiocmget" allocation failed, then we would continue operating instead of bailing out early. But in later years we added an unchecked dereference on the next line. serial->tiocmget->serial_state_notification = kzalloc(); ^^^^^^^^^^^^^^^^^^ Since these allocations are never going fail in real life, this is mostly a philosophical debate, but I think bailing out early is the correct behavior that the user would want. And generally it's safer to bail as soon an error happens. Fixes: af0de1303c4e ("usb: hso: obey DMA rules in tiocmget") Signed-off-by: Dan Carpenter Reviewed-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 147189701d2832473b9a867f7f61ad038d70580a Author: Yunsheng Lin Date: Fri May 14 11:17:01 2021 +0800 net: sched: fix tx action reschedule issue with stopped queue [ Upstream commit dcad9ee9e0663d74a89b25b987f9c7be86432812 ] The netdev qeueue might be stopped when byte queue limit has reached or tx hw ring is full, net_tx_action() may still be rescheduled if STATE_MISSED is set, which consumes unnecessary cpu without dequeuing and transmiting any skb because the netdev queue is stopped, see qdisc_run_end(). This patch fixes it by checking the netdev queue state before calling qdisc_run() and clearing STATE_MISSED if netdev queue is stopped during qdisc_run(), the net_tx_action() is rescheduled again when netdev qeueue is restarted, see netif_tx_wake_queue(). As there is time window between netif_xmit_frozen_or_stopped() checking and STATE_MISSED clearing, between which STATE_MISSED may set by net_tx_action() scheduled by netif_tx_wake_queue(), so set the STATE_MISSED again if netdev queue is restarted. Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") Reported-by: Michal Kubecek Acked-by: Jakub Kicinski Signed-off-by: Yunsheng Lin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a1b236c8418c19c0c55dbc370f15505f49ebeff6 Author: Yunsheng Lin Date: Fri May 14 11:17:00 2021 +0800 net: sched: fix tx action rescheduling issue during deactivation [ Upstream commit 102b55ee92f9fda4dde7a45d2b20538e6e3e3d1e ] Currently qdisc_run() checks the STATE_DEACTIVATED of lockless qdisc before calling __qdisc_run(), which ultimately clear the STATE_MISSED when all the skb is dequeued. If STATE_DEACTIVATED is set before clearing STATE_MISSED, there may be rescheduling of net_tx_action() at the end of qdisc_run_end(), see below: CPU0(net_tx_atcion) CPU1(__dev_xmit_skb) CPU2(dev_deactivate) . . . . set STATE_MISSED . . __netif_schedule() . . . set STATE_DEACTIVATED . . qdisc_reset() . . . .<--------------- . synchronize_net() clear __QDISC_STATE_SCHED | . . . | . . . | . some_qdisc_is_busy() . | . return *false* . | . . test STATE_DEACTIVATED | . . __qdisc_run() *not* called | . . . | . . test STATE_MISS | . . __netif_schedule()--------| . . . . . . . . __qdisc_run() is not called by net_tx_atcion() in CPU0 because CPU2 has set STATE_DEACTIVATED flag during dev_deactivate(), and STATE_MISSED is only cleared in __qdisc_run(), __netif_schedule is called at the end of qdisc_run_end(), causing tx action rescheduling problem. qdisc_run() called by net_tx_action() runs in the softirq context, which should has the same semantic as the qdisc_run() called by __dev_xmit_skb() protected by rcu_read_lock_bh(). And there is a synchronize_net() between STATE_DEACTIVATED flag being set and qdisc_reset()/some_qdisc_is_busy in dev_deactivate(), we can safely bail out for the deactived lockless qdisc in net_tx_action(), and qdisc_reset() will reset all skb not dequeued yet. So add the rcu_read_lock() explicitly to protect the qdisc_run() and do the STATE_DEACTIVATED checking in net_tx_action() before calling qdisc_run_begin(). Another option is to do the checking in the qdisc_run_end(), but it will add unnecessary overhead for non-tx_action case, because __dev_queue_xmit() will not see qdisc with STATE_DEACTIVATED after synchronize_net(), the qdisc with STATE_DEACTIVATED can only be seen by net_tx_action() because of __netif_schedule(). The STATE_DEACTIVATED checking in qdisc_run() is to avoid race between net_tx_action() and qdisc_reset(), see: commit d518d2ed8640 ("net/sched: fix race between deactivation and dequeue for NOLOCK qdisc"). As the bailout added above for deactived lockless qdisc in net_tx_action() provides better protection for the race without calling qdisc_run() at all, so remove the STATE_DEACTIVATED checking in qdisc_run(). After qdisc_reset(), there is no skb in qdisc to be dequeued, so clear the STATE_MISSED in dev_reset_queue() too. Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") Acked-by: Jakub Kicinski Signed-off-by: Yunsheng Lin V8: Clearing STATE_MISSED before calling __netif_schedule() has avoid the endless rescheduling problem, but there may still be a unnecessary rescheduling, so adjust the commit log. Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dbc50efd5625bfb2daaa946a61cc778d66d57d36 Author: Yunsheng Lin Date: Fri May 14 11:16:59 2021 +0800 net: sched: fix packet stuck problem for lockless qdisc [ Upstream commit a90c57f2cedd52a511f739fb55e6244e22e1a2fb ] Lockless qdisc has below concurrent problem: cpu0 cpu1 . . q->enqueue . . . qdisc_run_begin() . . . dequeue_skb() . . . sch_direct_xmit() . . . . q->enqueue . qdisc_run_begin() . return and do nothing . . qdisc_run_end() . cpu1 enqueue a skb without calling __qdisc_run() because cpu0 has not released the lock yet and spin_trylock() return false for cpu1 in qdisc_run_begin(), and cpu0 do not see the skb enqueued by cpu1 when calling dequeue_skb() because cpu1 may enqueue the skb after cpu0 calling dequeue_skb() and before cpu0 calling qdisc_run_end(). Lockless qdisc has below another concurrent problem when tx_action is involved: cpu0(serving tx_action) cpu1 cpu2 . . . . q->enqueue . . qdisc_run_begin() . . dequeue_skb() . . . q->enqueue . . . . sch_direct_xmit() . . . qdisc_run_begin() . . return and do nothing . . . clear __QDISC_STATE_SCHED . . qdisc_run_begin() . . return and do nothing . . . . . . qdisc_run_end() . This patch fixes the above data race by: 1. If the first spin_trylock() return false and STATE_MISSED is not set, set STATE_MISSED and retry another spin_trylock() in case other CPU may not see STATE_MISSED after it releases the lock. 2. reschedule if STATE_MISSED is set after the lock is released at the end of qdisc_run_end(). For tx_action case, STATE_MISSED is also set when cpu1 is at the end if qdisc_run_end(), so tx_action will be rescheduled again to dequeue the skb enqueued by cpu2. Clear STATE_MISSED before retrying a dequeuing when dequeuing returns NULL in order to reduce the overhead of the second spin_trylock() and __netif_schedule() calling. Also clear the STATE_MISSED before calling __netif_schedule() at the end of qdisc_run_end() to avoid doing another round of dequeuing in the pfifo_fast_dequeue(). The performance impact of this patch, tested using pktgen and dummy netdev with pfifo_fast qdisc attached: threads without+this_patch with+this_patch delta 1 2.61Mpps 2.60Mpps -0.3% 2 3.97Mpps 3.82Mpps -3.7% 4 5.62Mpps 5.59Mpps -0.5% 8 2.78Mpps 2.77Mpps -0.3% 16 2.22Mpps 2.22Mpps -0.0% Fixes: 6b3ba9146fe6 ("net: sched: allow qdiscs to handle locking") Acked-by: Jakub Kicinski Tested-by: Juergen Gross Signed-off-by: Yunsheng Lin Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 46dc34ab985ad6cff8a34ac368f764e4ceb37796 Author: Jim Ma Date: Fri May 14 11:11:02 2021 +0800 tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT [ Upstream commit 974271e5ed45cfe4daddbeb16224a2156918530e ] In tls_sw_splice_read, checkout MSG_* is inappropriate, should use SPLICE_*, update tls_wait_data to accept nonblock arguments instead of flags for recvmsg and splice. Fixes: c46234ebb4d1 ("tls: RX path for ktls") Signed-off-by: Jim Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 524576c917e12e6b0eef442366b7dff1b1c3f4e7 Author: Tao Liu Date: Thu May 13 21:08:00 2021 +0800 openvswitch: meter: fix race when getting now_ms. [ Upstream commit e4df1b0c24350a0f00229ff895a91f1072bd850d ] We have observed meters working unexpected if traffic is 3+Gbit/s with multiple connections. now_ms is not pretected by meter->lock, we may get a negative long_delta_ms when another cpu updated meter->used, then: delta_ms = (u32)long_delta_ms; which will be a large value. band->bucket += delta_ms * band->rate; then we get a wrong band->bucket. OpenVswitch userspace datapath has fixed the same issue[1] some time ago, and we port the implementation to kernel datapath. [1] https://patchwork.ozlabs.org/project/openvswitch/patch/20191025114436.9746-1-i.maximets@ovn.org/ Fixes: 96fbc13d7e77 ("openvswitch: Add meter infrastructure") Signed-off-by: Tao Liu Suggested-by: Ilya Maximets Reviewed-by: Ilya Maximets Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 70c4ead897211b184f36cbeda213f2a3e8153218 Author: Ayush Sawal Date: Thu May 13 15:11:51 2021 +0530 cxgb4/ch_ktls: Clear resources when pf4 device is removed [ Upstream commit 65e302a9bd57b62872040d57eea1201562a7cbb2 ] This patch maintain the list of active tids and clear all the active connection resources when DETACH notification comes. Fixes: a8c16e8ed624f ("crypto/chcr: move nic TLS functionality to drivers/net") Signed-off-by: Ayush Sawal Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5cc25f886661ef136fbada9ddd22c1b7594e3054 Author: Christophe JAILLET Date: Thu May 13 09:24:55 2021 +0200 net: mdio: octeon: Fix some double free issues [ Upstream commit e1d027dd97e1e750669cdc0d3b016a4f54e473eb ] 'bus->mii_bus' has been allocated with 'devm_mdiobus_alloc_size()' in the probe function. So it must not be freed explicitly or there will be a double free. Remove the incorrect 'mdiobus_free' in the error handling path of the probe function and in remove function. Suggested-By: Andrew Lunn Fixes: 35d2aeac9810 ("phy: mdio-octeon: Use devm_mdiobus_alloc_size()") Signed-off-by: Christophe JAILLET Reviewed-by: Russell King Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bc5b0fb2bb6ba77e2c9cf9034227977d9ce6631f Author: Christophe JAILLET Date: Thu May 13 09:44:49 2021 +0200 net: mdio: thunder: Fix a double free issue in the .remove function [ Upstream commit a93a0a15876d2a077a3bc260b387d2457a051f24 ] 'bus->mii_bus' have been allocated with 'devm_mdiobus_alloc_size()' in the probe function. So it must not be freed explicitly or there will be a double free. Remove the incorrect 'mdiobus_free' in the remove function. Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") Signed-off-by: Christophe JAILLET Reviewed-by: Russell King Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f214044c0beb3318b1ffdcb1933a6d3e126ed3b7 Author: Dan Carpenter Date: Wed May 12 13:02:48 2021 +0300 chelsio/chtls: unlock on error in chtls_pt_recvmsg() [ Upstream commit 832ce924b1a14e139e184a6da9f5a69a5e47b256 ] This error path needs to release some memory and call release_sock(sk); before returning. Fixes: 6919a8264a32 ("Crypto/chtls: add/delete TLS header in driver") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0e38e702f1152479e6afac34f151dbfd99417f99 Author: Christophe JAILLET Date: Wed May 12 13:15:29 2021 +0200 ptp: ocp: Fix a resource leak in an error handling path [ Upstream commit 9c1bb37f8cad5e2ee1933fa1da9a6baa7876a8e4 ] If an error occurs after a successful 'pci_ioremap_bar()' call, it must be undone by a corresponding 'pci_iounmap()' call, as already done in the remove function. Fixes: a7e1abad13f3 ("ptp: Add clock driver for the OpenCompute TimeCard.") Signed-off-by: Christophe JAILLET Acked-by: Richard Cochran Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 389146bc6d2bbb20714d06624b74856320ce40f7 Author: Dan Carpenter Date: Wed May 12 13:11:43 2021 +0300 octeontx2-pf: fix a buffer overflow in otx2_set_rxfh_context() [ Upstream commit e5cc361e21648b75f935f9571d4003aaee480214 ] This function is called from ethtool_set_rxfh() and "*rss_context" comes from the user. Add some bounds checking to prevent memory corruption. Fixes: 81a4362016e7 ("octeontx2-pf: Add RSS multi group support") Signed-off-by: Dan Carpenter Acked-by: Sunil Goutham Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 32a1777fd113335c3f70dc445dffee0ad1c6870f Author: Fugang Duan Date: Wed May 12 10:43:59 2021 +0800 net: fec: fix the potential memory leak in fec_enet_init() [ Upstream commit 619fee9eb13b5d29e4267cb394645608088c28a8 ] If the memory allocated for cbd_base is failed, it should free the memory allocated for the queues, otherwise it causes memory leak. And if the memory allocated for the queues is failed, it can return error directly. Fixes: 59d0f7465644 ("net: fec: init multi queue date structure") Signed-off-by: Fugang Duan Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3fc2072b9ab6f37baee5a416e254820a2ea0fab2 Author: Richard Sanger Date: Wed May 12 13:31:22 2021 +1200 net: packetmmap: fix only tx timestamp on request [ Upstream commit 171c3b151118a2fe0fc1e2a9d1b5a1570cfe82d2 ] The packetmmap tx ring should only return timestamps if requested via setsockopt PACKET_TIMESTAMP, as documented. This allows compatibility with non-timestamp aware user-space code which checks tp_status == TP_STATUS_AVAILABLE; not expecting additional timestamp flags to be set in tp_status. Fixes: b9c32fb27170 ("packet: if hw/sw ts enabled in rx/tx ring, report which ts we got") Cc: Daniel Borkmann Cc: Willem de Bruijn Signed-off-by: Richard Sanger Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 718f5f7cdef1c81406061b5cadbfe487ed7b8389 Author: Paolo Abeni Date: Tue May 11 10:35:21 2021 +0200 net: really orphan skbs tied to closing sk [ Upstream commit 098116e7e640ba677d9e345cbee83d253c13d556 ] If the owing socket is shutting down - e.g. the sock reference count already dropped to 0 and only sk_wmem_alloc is keeping the sock alive, skb_orphan_partial() becomes a no-op. When forwarding packets over veth with GRO enabled, the above causes refcount errors. This change addresses the issue with a plain skb_orphan() call in the critical scenario. Fixes: 9adc89af724f ("net: let skb_orphan_partial wake-up waiters.") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 90ee484984b6c6bdbbba32ce21ed2f09ffff98b8 Author: Andy Shevchenko Date: Tue May 11 17:09:12 2021 +0300 spi: Assume GPIO CS active high in ACPI case [ Upstream commit 6b69546912a57ff8c31061f98e56383cc0beffd3 ] Currently GPIO CS handling, when descriptors are in use, doesn't take into consideration that in ACPI case the default polarity is Active High and can't be altered. Instead we have to use the per-chip definition provided by SPISerialBus() resource. Fixes: 766c6b63aa04 ("spi: fix client driver breakages when using GPIO descriptors") Cc: Liguang Zhang Cc: Jay Fang Cc: Sven Van Asbroeck Signed-off-by: Andy Shevchenko Tested-by: Xin Hao Link: https://lore.kernel.org/r/20210511140912.30757-1-andriy.shevchenko@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 94f668a43c2f4f35c57479223a28beac38e2413c Author: Eric Farman Date: Tue May 11 21:56:29 2021 +0200 vfio-ccw: Check initialized flag in cp_init() [ Upstream commit c6c82e0cd8125d30f2f1b29205c7e1a2f1a6785b ] We have a really nice flag in the channel_program struct that indicates if it had been initialized by cp_init(), and use it as a guard in the other cp accessor routines, but not for a duplicate call into cp_init(). The possibility of this occurring is low, because that flow is protected by the private->io_mutex and FSM CP_PROCESSING state. But then why bother checking it in (for example) cp_prefetch() then? Let's just be consistent and check for that in cp_init() too. Fixes: 71189f263f8a3 ("vfio-ccw: make it safe to access channel programs") Signed-off-by: Eric Farman Reviewed-by: Cornelia Huck Acked-by: Matthew Rosato Message-Id: <20210511195631.3995081-2-farman@linux.ibm.com> Signed-off-by: Cornelia Huck Signed-off-by: Sasha Levin commit a7accb618f40e50d0664e0438da15c8f26978f4c Author: Alex Elder Date: Tue May 11 14:42:04 2021 -0500 net: ipa: memory region array is variable size [ Upstream commit 440c3247cba3d9433ac435d371dd7927d68772a7 ] IPA configuration data includes an array of memory region descriptors. That was a fixed-size array at one time, but at some point we started defining it such that it was only as big as required for a given platform. The actual number of entries in the array is recorded in the configuration data along with the array. A loop in ipa_mem_config() still assumes the array has entries for all defined memory region IDs. As a result, this loop can go past the end of the actual array and attempt to write "canary" values based on nonsensical data. Fix this, by stashing the number of entries in the array, and using that rather than IPA_MEM_COUNT in the initialization loop found in ipa_mem_config(). The only remaining use of IPA_MEM_COUNT is in a validation check to ensure configuration data doesn't have too many entries. That's fine for now. Fixes: 3128aae8c439a ("net: ipa: redefine struct ipa_mem_data") Signed-off-by: Alex Elder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b2693e8fa0d6404fac1a8748b40c041a60b2f434 Author: Joakim Zhang Date: Mon May 10 14:55:09 2021 +0800 net: stmmac: Fix MAC WoL not working if PHY does not support WoL [ Upstream commit 576f9eacc680d2b1f37e8010cff62f7b227ea769 ] Both get and set WoL will check device_can_wakeup(), if MAC supports PMT, it will set device wakeup capability. After commit 1d8e5b0f3f2c ("net: stmmac: Support WOL with phy"), device wakeup capability will be overwrite in stmmac_init_phy() according to phy's Wol feature. If phy doesn't support WoL, then MAC will lose wakeup capability. To fix this issue, only overwrite device wakeup capability when MAC doesn't support PMT. For STMMAC now driver checks MAC's WoL capability if MAC supports PMT, if not support, driver will check PHY's WoL capability. Fixes: 1d8e5b0f3f2c ("net: stmmac: Support WOL with phy") Reviewed-by: Jisheng Zhang Signed-off-by: Joakim Zhang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cbb4de5d764cf6322855e4393fc080a38d9144ab Author: Richard Fitzgerald Date: Tue May 11 14:28:55 2021 +0100 ASoC: cs42l42: Regmap must use_single_read/write [ Upstream commit 0fad605fb0bdc00d8ad78696300ff2fbdee6e048 ] cs42l42 does not support standard burst transfers so the use_single_read and use_single_write flags must be set in the regmap config. Because of this bug, the patch: commit 0a0eb567e1d4 ("ASoC: cs42l42: Minor error paths fixups") broke cs42l42 probe() because without the use_single_* flags it causes regmap to issue a burst read. However, the missing use_single_* could cause problems anyway because the regmap cache can attempt burst transfers if these flags are not set. Fixes: 2c394ca79604 ("ASoC: Add support for CS42L42 codec") Signed-off-by: Richard Fitzgerald Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20210511132855.27159-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b5e4d3de8057c321d0445c40f172109581e9af2d Author: Pawel Laszczak Date: Tue Apr 20 06:28:13 2021 +0200 usb: cdnsp: Fix lack of removing request from pending list. [ Upstream commit 3b414d1b0107fa51ad6063de9752d4b2a8063980 ] Patch fixes lack of removing request from ep->pending_list on failure of the stop endpoint command. Driver even after failing this command must remove request from ep->pending_list. Without this fix driver can stuck in cdnsp_gadget_ep_disable function in loop: while (!list_empty(&pep->pending_list)) { preq = next_request(&pep->pending_list); cdnsp_ep_dequeue(pep, preq); } Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") Signed-off-by: Pawel Laszczak Link: https://lore.kernel.org/r/20210420042813.34917-1-pawell@gli-login.cadence.com Signed-off-by: Peter Chen Signed-off-by: Sasha Levin commit 2e3e26f9a4463b4fbf7dff25b91e00a670786aa8 Author: Zou Wei Date: Tue May 11 11:44:33 2021 +0800 interconnect: qcom: Add missing MODULE_DEVICE_TABLE [ Upstream commit 1fd86e280d8b21762901e43d42d66dbfe8b8e0d3 ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Link: https://lore.kernel.org/r/1620704673-104205-1-git-send-email-zou_wei@huawei.com Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support") Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit 93d1dbe7043b3c9492bdf396b2e98a008435b55b Author: Subbaraman Narayanamurthy Date: Thu Apr 22 11:36:10 2021 -0700 interconnect: qcom: bcm-voter: add a missing of_node_put() [ Upstream commit a00593737f8bac2c9e97b696e7ff84a4446653e8 ] Add a missing of_node_put() in of_bcm_voter_get() to avoid the reference leak. Signed-off-by: Subbaraman Narayanamurthy Reviewed-by: Matthias Kaehlcke Link: https://lore.kernel.org/r/1619116570-13308-1-git-send-email-subbaram@codeaurora.org Fixes: 976daac4a1c5 ("interconnect: qcom: Consolidate interconnect RPMh support") Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit e6b634ddaf9106d33d5d735a335d0a7001483c08 Author: Vladimir Oltean Date: Sun May 9 22:33:38 2021 +0300 net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count [ Upstream commit b94cbc909f1d80378a1f541968309e5c1178c98b ] DSA implements a bunch of 'standardized' ethtool statistics counters, namely tx_packets, tx_bytes, rx_packets, rx_bytes. So whatever the hardware driver returns in .get_sset_count(), we need to add 4 to that. That is ok, except that .get_sset_count() can return a negative error code, for example: b53_get_sset_count -> phy_ethtool_get_sset_count -> return -EIO -EIO is -5, and with 4 added to it, it becomes -1, aka -EPERM. One can imagine that certain error codes may even become positive, although based on code inspection I did not see instances of that. Check the error code first, if it is negative return it as-is. Based on a similar patch for dsa_master_get_strings from Dan Carpenter: https://patchwork.kernel.org/project/netdevbpf/patch/YJaSe3RPgn7gKxZv@mwanda/ Fixes: 91da11f870f0 ("net: Distributed Switch Architecture protocol support") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1c48b0040846e0fce8693dbc0f0c86e1a88d877a Author: Christophe JAILLET Date: Sat May 8 07:38:22 2021 +0200 net: netcp: Fix an error message [ Upstream commit ddb6e00f8413e885ff826e32521cff7924661de0 ] 'ret' is known to be 0 here. The expected error code is stored in 'tx_pipe->dma_queue', so use it instead. While at it, switch from %d to %pe which is more user friendly. Fixes: 84640e27f230 ("net: netcp: Add Keystone NetCP core ethernet driver") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ecd6d94fdcc42f86f49c76545491392201ed347a Author: Leilk Liu Date: Sat May 8 14:02:14 2021 +0800 spi: take the SPI IO-mutex in the spi_set_cs_timing method [ Upstream commit dc5fa590273890a8541ce6e999d606bfb2d73797 ] this patch takes the io_mutex to prevent an unprotected HW register modification in the set_cs_timing callback. Fixes: 4cea6b8cc34e ("spi: add power control when set_cs_timing") Signed-off-by: Leilk Liu Link: https://lore.kernel.org/r/20210508060214.1485-1-leilk.liu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 29258f23d392818bc347f829ea2fd89e61c19c9d Author: Rikard Falkeborn Date: Sat May 22 17:42:02 2021 -0700 linux/bits.h: fix compilation error with GENMASK [ Upstream commit f747e6667ebb2ffb8133486c9cd19800d72b0d98 ] GENMASK() has an input check which uses __builtin_choose_expr() to enable a compile time sanity check of its inputs if they are known at compile time. However, it turns out that __builtin_constant_p() does not always return a compile time constant [0]. It was thought this problem was fixed with gcc 4.9 [1], but apparently this is not the case [2]. Switch to use __is_constexpr() instead which always returns a compile time constant, regardless of its inputs. Link: https://lore.kernel.org/lkml/42b4342b-aefc-a16a-0d43-9f9c0d63ba7a@rasmusvillemoes.dk [0] Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=19449 [1] Link: https://lore.kernel.org/lkml/1ac7bbc2-45d9-26ed-0b33-bf382b8d858b@I-love.SAKURA.ne.jp [2] Link: https://lkml.kernel.org/r/20210511203716.117010-1-rikard.falkeborn@gmail.com Signed-off-by: Rikard Falkeborn Reported-by: Tetsuo Handa Acked-by: Arnd Bergmann Reviewed-by: Andy Shevchenko Cc: Ard Biesheuvel Cc: Yury Norov Cc: Peter Zijlstra Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 1196f05ed95824e6c288fac48bca7988d4d52f1c Author: Gulam Mohamed Date: Fri May 14 15:18:42 2021 +0200 block: fix a race between del_gendisk and BLKRRPART [ Upstream commit bc6a385132601c29a6da1dbf8148c0d3c9ad36dc ] When BLKRRPART is called concurrently with del_gendisk, the partitions rescan can create a stale partition that will never be be cleaned up. Fix this by checking the the disk is up before rescanning partitions while under bd_mutex. Signed-off-by: Gulam Mohamed [hch: split from a larger patch] Signed-off-by: Christoph Hellwig Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20210514131842.1600568-3-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 61b0308ab25d74904fdf570367ea6c5622599640 Author: Hans de Goede Date: Thu May 20 11:32:28 2021 +0200 platform/x86: touchscreen_dmi: Add info for the Chuwi Hi10 Pro (CWI529) tablet [ Upstream commit e68671e9e1275dfdda333c3e83b6d28963af16b6 ] Add touchscreen info for the Chuwi Hi10 Pro (CWI529) tablet. This includes info for getting the firmware directly from the UEFI, so that the user does not need to manually install the firmware in /lib/firmware/silead. This change will make the touchscreen on these devices work OOTB, without requiring any manual setup. Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210520093228.7439-1-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 5700de8917b6be1ce31b86d21772160fa1f83f63 Author: Christian König Date: Tue May 18 17:48:02 2021 +0200 drm/amdgpu: stop touching sched.ready in the backend [ Upstream commit a2b4785f01280a4291edb9fda69032fc2e4bfd3f ] This unfortunately comes up in regular intervals and breaks GPU reset for the engine in question. The sched.ready flag controls if an engine can't get working during hw_init, but should never be set to false during hw_fini. v2: squash in unused variable fix (Alex) Signed-off-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 42cdbad4f1e6845afabffce7aa631f6136b58fb6 Author: Lang Yu Date: Mon May 17 12:47:20 2021 +0800 drm/amd/amdgpu: fix a potential deadlock in gpu reset [ Upstream commit 9c2876d56f1ce9b6b2072f1446fb1e8d1532cb3d ] When amdgpu_ib_ring_tests failed, the reset logic called amdgpu_device_ip_suspend twice, then deadlock occurred. Deadlock log: [ 805.655192] amdgpu 0000:04:00.0: amdgpu: ib ring test failed (-110). [ 806.290952] [drm] free PSP TMR buffer [ 806.319406] ============================================ [ 806.320315] WARNING: possible recursive locking detected [ 806.321225] 5.11.0-custom #1 Tainted: G W OEL [ 806.322135] -------------------------------------------- [ 806.323043] cat/2593 is trying to acquire lock: [ 806.323825] ffff888136b1cdc8 (&adev->dm.dc_lock){+.+.}-{3:3}, at: dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.325668] but task is already holding lock: [ 806.326664] ffff888136b1cdc8 (&adev->dm.dc_lock){+.+.}-{3:3}, at: dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.328430] other info that might help us debug this: [ 806.329539] Possible unsafe locking scenario: [ 806.330549] CPU0 [ 806.330983] ---- [ 806.331416] lock(&adev->dm.dc_lock); [ 806.332086] lock(&adev->dm.dc_lock); [ 806.332738] *** DEADLOCK *** [ 806.333747] May be due to missing lock nesting notation [ 806.334899] 3 locks held by cat/2593: [ 806.335537] #0: ffff888100d3f1b8 (&attr->mutex){+.+.}-{3:3}, at: simple_attr_read+0x4e/0x110 [ 806.337009] #1: ffff888136b1fd78 (&adev->reset_sem){++++}-{3:3}, at: amdgpu_device_lock_adev+0x42/0x94 [amdgpu] [ 806.339018] #2: ffff888136b1cdc8 (&adev->dm.dc_lock){+.+.}-{3:3}, at: dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.340869] stack backtrace: [ 806.341621] CPU: 6 PID: 2593 Comm: cat Tainted: G W OEL 5.11.0-custom #1 [ 806.342921] Hardware name: AMD Celadon-CZN/Celadon-CZN, BIOS WLD0C23N_Weekly_20_12_2 12/23/2020 [ 806.344413] Call Trace: [ 806.344849] dump_stack+0x93/0xbd [ 806.345435] __lock_acquire.cold+0x18a/0x2cf [ 806.346179] lock_acquire+0xca/0x390 [ 806.346807] ? dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.347813] __mutex_lock+0x9b/0x930 [ 806.348454] ? dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.349434] ? amdgpu_device_indirect_rreg+0x58/0x70 [amdgpu] [ 806.350581] ? _raw_spin_unlock_irqrestore+0x47/0x50 [ 806.351437] ? dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.352437] ? rcu_read_lock_sched_held+0x4f/0x80 [ 806.353252] ? rcu_read_lock_sched_held+0x4f/0x80 [ 806.354064] mutex_lock_nested+0x1b/0x20 [ 806.354747] ? mutex_lock_nested+0x1b/0x20 [ 806.355457] dm_suspend+0xb8/0x1d0 [amdgpu] [ 806.356427] ? soc15_common_set_clockgating_state+0x17d/0x19 [amdgpu] [ 806.357736] amdgpu_device_ip_suspend_phase1+0x78/0xd0 [amdgpu] [ 806.360394] amdgpu_device_ip_suspend+0x21/0x70 [amdgpu] [ 806.362926] amdgpu_device_pre_asic_reset+0xb3/0x270 [amdgpu] [ 806.365560] amdgpu_device_gpu_recover.cold+0x679/0x8eb [amdgpu] Signed-off-by: Lang Yu Acked-by: Christian KÃnig Reviewed-by: Andrey Grodzovsky Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d4ea141fd4b40636a8326df5a377d9c5cf9b3faa Author: xinhui pan Date: Tue May 18 10:56:07 2021 +0800 drm/amdgpu: Fix a use-after-free [ Upstream commit 1e5c37385097c35911b0f8a0c67ffd10ee1af9a2 ] looks like we forget to set ttm->sg to NULL. Hit panic below [ 1235.844104] general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b7b4b: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI [ 1235.989074] Call Trace: [ 1235.991751] sg_free_table+0x17/0x20 [ 1235.995667] amdgpu_ttm_backend_unbind.cold+0x4d/0xf7 [amdgpu] [ 1236.002288] amdgpu_ttm_backend_destroy+0x29/0x130 [amdgpu] [ 1236.008464] ttm_tt_destroy+0x1e/0x30 [ttm] [ 1236.013066] ttm_bo_cleanup_memtype_use+0x51/0xa0 [ttm] [ 1236.018783] ttm_bo_release+0x262/0xa50 [ttm] [ 1236.023547] ttm_bo_put+0x82/0xd0 [ttm] [ 1236.027766] amdgpu_bo_unref+0x26/0x50 [amdgpu] [ 1236.032809] amdgpu_amdkfd_gpuvm_alloc_memory_of_gpu+0x7aa/0xd90 [amdgpu] [ 1236.040400] kfd_ioctl_alloc_memory_of_gpu+0xe2/0x330 [amdgpu] [ 1236.046912] kfd_ioctl+0x463/0x690 [amdgpu] Signed-off-by: xinhui pan Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 95a4ec905e51a30c64cf2d78b04a7acbeae5ca94 Author: Jingwen Chen Date: Mon May 17 16:16:10 2021 +0800 drm/amd/amdgpu: fix refcount leak [ Upstream commit fa7e6abc75f3d491bc561734312d065dc9dc2a77 ] [Why] the gem object rfb->base.obj[0] is get according to num_planes in amdgpufb_create, but is not put according to num_planes [How] put rfb->base.obj[0] in amdgpu_fbdev_destroy according to num_planes Signed-off-by: Jingwen Chen Acked-by: Christian König Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4dc5bc4176eb6a9b64b6c124e44c9261a930cf6d Author: Chris Park Date: Tue May 4 16:20:55 2021 -0400 drm/amd/display: Disconnect non-DP with no EDID [ Upstream commit 080039273b126eeb0185a61c045893a25dbc046e ] [Why] Active DP dongles return no EDID when dongle is connected, but VGA display is taken out. Current driver behavior does not remove the active display when this happens, and this is a gap between dongle DTP and dongle behavior. [How] For active DP dongles and non-DP scenario, disconnect sink on detection when no EDID is read due to timeout. Signed-off-by: Chris Park Reviewed-by: Nicholas Kazlauskas Acked-by: Stylon Wang Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 77fbce39d0bdcc5ed03ed7bcb58b60e1fa5a66d8 Author: Steve French Date: Sat May 15 09:52:22 2021 -0500 SMB3: incorrect file id in requests compounded with open [ Upstream commit c0d46717b95735b0eacfddbcca9df37a49de9c7a ] See MS-SMB2 3.2.4.1.4, file ids in compounded requests should be set to 0xFFFFFFFFFFFFFFFF (we were treating it as u32 not u64 and setting it incorrectly). Signed-off-by: Steve French Reported-by: Stefan Metzmacher Reviewed-by: Shyam Prasad N Signed-off-by: Sasha Levin commit 3e57880d38635b115a2cdd08cd2ee06dde61b748 Author: Teava Radu Date: Tue May 4 20:57:46 2021 +0200 platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet [ Upstream commit 39a6172ea88b3117353ae16cbb0a53cd80a9340a ] Add touchscreen info for the Mediacom Winpad 7.0 W700 tablet. Tested on 5.11 hirsute. Note: it's hw clone to Wintron surftab 7. Signed-off-by: Teava Radu Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20210504185746.175461-6-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 5d2dc1f4241857ececf518ab0f89275593073cdb Author: Andy Shevchenko Date: Wed May 19 13:15:21 2021 +0300 platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI [ Upstream commit bc1eca606d8084465e6f89fd646cc71defbad490 ] The intel_punit_ipc driver might be compiled as a module. When udev handles the event of the devices appearing the intel_punit_ipc module is missing. Append MODULE_DEVICE_TABLE for ACPI case to fix the loading issue. Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210519101521.79338-1-andriy.shevchenko@linux.intel.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 550f0513a54349711afc80f789402b2968c07913 Author: Shyam Sundar S K Date: Fri May 14 23:30:47 2021 +0530 platform/x86: hp-wireless: add AMD's hardware id to the supported list [ Upstream commit f048630bdd55eb5379ef35f971639fe52fabe499 ] Newer AMD based laptops uses AMDI0051 as the hardware id to support the airplane mode button. Adding this to the supported list. Signed-off-by: Shyam Sundar S K Link: https://lore.kernel.org/r/20210514180047.1697543-1-Shyam-sundar.S-k@amd.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit dc720b1e658f966702dad0beffcfe8681c87ad2b Author: Takashi Sakamoto Date: Tue May 18 10:25:10 2021 +0900 ALSA: dice: disable double_pcm_frames mode for M-Audio Profire 610, 2626 and Avid M-Box 3 Pro [ Upstream commit 9f079c1bdc9087842dc5ac9d81b1d7f2578e81ce ] ALSA dice driver detects jumbo payload at high sampling transfer frequency for below models: * Avid M-Box 3 Pro * M-Audio Profire 610 * M-Audio Profire 2626 Although many DICE-based devices have a quirk at high sampling transfer frequency to multiplex double number of PCM frames into data block than the number in IEC 61883-1/6, the above devices are just compliant to IEC 61883-1/6. This commit disables the mode of double_pcm_frames for the models. Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20210518012510.37126-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b545442133580dcb2f2496133bf850824d41255c Author: Josef Bacik Date: Fri May 14 10:56:16 2021 -0400 btrfs: do not BUG_ON in link_to_fixup_dir [ Upstream commit 91df99a6eb50d5a1bc70fff4a09a0b7ae6aab96d ] While doing error injection testing I got the following panic kernel BUG at fs/btrfs/tree-log.c:1862! invalid opcode: 0000 [#1] SMP NOPTI CPU: 1 PID: 7836 Comm: mount Not tainted 5.13.0-rc1+ #305 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014 RIP: 0010:link_to_fixup_dir+0xd5/0xe0 RSP: 0018:ffffb5800180fa30 EFLAGS: 00010216 RAX: fffffffffffffffb RBX: 00000000fffffffb RCX: ffff8f595287faf0 RDX: ffffb5800180fa37 RSI: ffff8f5954978800 RDI: 0000000000000000 RBP: ffff8f5953af9450 R08: 0000000000000019 R09: 0000000000000001 R10: 000151f408682970 R11: 0000000120021001 R12: ffff8f5954978800 R13: ffff8f595287faf0 R14: ffff8f5953c77dd0 R15: 0000000000000065 FS: 00007fc5284c8c40(0000) GS:ffff8f59bbd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fc5287f47c0 CR3: 000000011275e002 CR4: 0000000000370ee0 Call Trace: replay_one_buffer+0x409/0x470 ? btree_read_extent_buffer_pages+0xd0/0x110 walk_up_log_tree+0x157/0x1e0 walk_log_tree+0xa6/0x1d0 btrfs_recover_log_trees+0x1da/0x360 ? replay_one_extent+0x7b0/0x7b0 open_ctree+0x1486/0x1720 btrfs_mount_root.cold+0x12/0xea ? __kmalloc_track_caller+0x12f/0x240 legacy_get_tree+0x24/0x40 vfs_get_tree+0x22/0xb0 vfs_kern_mount.part.0+0x71/0xb0 btrfs_mount+0x10d/0x380 ? vfs_parse_fs_string+0x4d/0x90 legacy_get_tree+0x24/0x40 vfs_get_tree+0x22/0xb0 path_mount+0x433/0xa10 __x64_sys_mount+0xe3/0x120 do_syscall_64+0x3d/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae We can get -EIO or any number of legitimate errors from btrfs_search_slot(), panicing here is not the appropriate response. The error path for this code handles errors properly, simply return the error. Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 8bf7fa718152fcccac0376b443c0a6a2613a997e Author: Filipe Manana Date: Fri May 14 10:03:40 2021 +0100 btrfs: release path before starting transaction when cloning inline extent [ Upstream commit 6416954ca75baed71640bf3828625bf165fb9b5e ] When cloning an inline extent there are a few cases, such as when we have an implicit hole at file offset 0, where we start a transaction while holding a read lock on a leaf. Starting the transaction results in a call to sb_start_intwrite(), which results in doing a read lock on a percpu semaphore. Lockdep doesn't like this and complains about it: [46.580704] ====================================================== [46.580752] WARNING: possible circular locking dependency detected [46.580799] 5.13.0-rc1 #28 Not tainted [46.580832] ------------------------------------------------------ [46.580877] cloner/3835 is trying to acquire lock: [46.580918] c00000001301d638 (sb_internal#2){.+.+}-{0:0}, at: clone_copy_inline_extent+0xe4/0x5a0 [46.581167] [46.581167] but task is already holding lock: [46.581217] c000000007fa2550 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x70/0x1d0 [46.581293] [46.581293] which lock already depends on the new lock. [46.581293] [46.581351] [46.581351] the existing dependency chain (in reverse order) is: [46.581410] [46.581410] -> #1 (btrfs-tree-00){++++}-{3:3}: [46.581464] down_read_nested+0x68/0x200 [46.581536] __btrfs_tree_read_lock+0x70/0x1d0 [46.581577] btrfs_read_lock_root_node+0x88/0x200 [46.581623] btrfs_search_slot+0x298/0xb70 [46.581665] btrfs_set_inode_index+0xfc/0x260 [46.581708] btrfs_new_inode+0x26c/0x950 [46.581749] btrfs_create+0xf4/0x2b0 [46.581782] lookup_open.isra.57+0x55c/0x6a0 [46.581855] path_openat+0x418/0xd20 [46.581888] do_filp_open+0x9c/0x130 [46.581920] do_sys_openat2+0x2ec/0x430 [46.581961] do_sys_open+0x90/0xc0 [46.581993] system_call_exception+0x3d4/0x410 [46.582037] system_call_common+0xec/0x278 [46.582078] [46.582078] -> #0 (sb_internal#2){.+.+}-{0:0}: [46.582135] __lock_acquire+0x1e90/0x2c50 [46.582176] lock_acquire+0x2b4/0x5b0 [46.582263] start_transaction+0x3cc/0x950 [46.582308] clone_copy_inline_extent+0xe4/0x5a0 [46.582353] btrfs_clone+0x5fc/0x880 [46.582388] btrfs_clone_files+0xd8/0x1c0 [46.582434] btrfs_remap_file_range+0x3d8/0x590 [46.582481] do_clone_file_range+0x10c/0x270 [46.582558] vfs_clone_file_range+0x1b0/0x310 [46.582605] ioctl_file_clone+0x90/0x130 [46.582651] do_vfs_ioctl+0x874/0x1ac0 [46.582697] sys_ioctl+0x6c/0x120 [46.582733] system_call_exception+0x3d4/0x410 [46.582777] system_call_common+0xec/0x278 [46.582822] [46.582822] other info that might help us debug this: [46.582822] [46.582888] Possible unsafe locking scenario: [46.582888] [46.582942] CPU0 CPU1 [46.582984] ---- ---- [46.583028] lock(btrfs-tree-00); [46.583062] lock(sb_internal#2); [46.583119] lock(btrfs-tree-00); [46.583174] lock(sb_internal#2); [46.583212] [46.583212] *** DEADLOCK *** [46.583212] [46.583266] 6 locks held by cloner/3835: [46.583299] #0: c00000001301d448 (sb_writers#12){.+.+}-{0:0}, at: ioctl_file_clone+0x90/0x130 [46.583382] #1: c00000000f6d3768 (&sb->s_type->i_mutex_key#15){+.+.}-{3:3}, at: lock_two_nondirectories+0x58/0xc0 [46.583477] #2: c00000000f6d72a8 (&sb->s_type->i_mutex_key#15/4){+.+.}-{3:3}, at: lock_two_nondirectories+0x9c/0xc0 [46.583574] #3: c00000000f6d7138 (&ei->i_mmap_lock){+.+.}-{3:3}, at: btrfs_remap_file_range+0xd0/0x590 [46.583657] #4: c00000000f6d35f8 (&ei->i_mmap_lock/1){+.+.}-{3:3}, at: btrfs_remap_file_range+0xe0/0x590 [46.583743] #5: c000000007fa2550 (btrfs-tree-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x70/0x1d0 [46.583828] [46.583828] stack backtrace: [46.583872] CPU: 1 PID: 3835 Comm: cloner Not tainted 5.13.0-rc1 #28 [46.583931] Call Trace: [46.583955] [c0000000167c7200] [c000000000c1ee78] dump_stack+0xec/0x144 (unreliable) [46.584052] [c0000000167c7240] [c000000000274058] print_circular_bug.isra.32+0x3a8/0x400 [46.584123] [c0000000167c72e0] [c0000000002741f4] check_noncircular+0x144/0x190 [46.584191] [c0000000167c73b0] [c000000000278fc0] __lock_acquire+0x1e90/0x2c50 [46.584259] [c0000000167c74f0] [c00000000027aa94] lock_acquire+0x2b4/0x5b0 [46.584317] [c0000000167c75e0] [c000000000a0d6cc] start_transaction+0x3cc/0x950 [46.584388] [c0000000167c7690] [c000000000af47a4] clone_copy_inline_extent+0xe4/0x5a0 [46.584457] [c0000000167c77c0] [c000000000af525c] btrfs_clone+0x5fc/0x880 [46.584514] [c0000000167c7990] [c000000000af5698] btrfs_clone_files+0xd8/0x1c0 [46.584583] [c0000000167c7a00] [c000000000af5b58] btrfs_remap_file_range+0x3d8/0x590 [46.584652] [c0000000167c7ae0] [c0000000005d81dc] do_clone_file_range+0x10c/0x270 [46.584722] [c0000000167c7b40] [c0000000005d84f0] vfs_clone_file_range+0x1b0/0x310 [46.584793] [c0000000167c7bb0] [c00000000058bf80] ioctl_file_clone+0x90/0x130 [46.584861] [c0000000167c7c10] [c00000000058c894] do_vfs_ioctl+0x874/0x1ac0 [46.584922] [c0000000167c7d10] [c00000000058db4c] sys_ioctl+0x6c/0x120 [46.584978] [c0000000167c7d60] [c0000000000364a4] system_call_exception+0x3d4/0x410 [46.585046] [c0000000167c7e10] [c00000000000d45c] system_call_common+0xec/0x278 [46.585114] --- interrupt: c00 at 0x7ffff7e22990 [46.585160] NIP: 00007ffff7e22990 LR: 00000001000010ec CTR: 0000000000000000 [46.585224] REGS: c0000000167c7e80 TRAP: 0c00 Not tainted (5.13.0-rc1) [46.585280] MSR: 800000000280f033 CR: 28000244 XER: 00000000 [46.585374] IRQMASK: 0 [46.585374] GPR00: 0000000000000036 00007fffffffdec0 00007ffff7f17100 0000000000000004 [46.585374] GPR04: 000000008020940d 00007fffffffdf40 0000000000000000 0000000000000000 [46.585374] GPR08: 0000000000000004 0000000000000000 0000000000000000 0000000000000000 [46.585374] GPR12: 0000000000000000 00007ffff7ffa940 0000000000000000 0000000000000000 [46.585374] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 [46.585374] GPR20: 0000000000000000 000000009123683e 00007fffffffdf40 0000000000000000 [46.585374] GPR24: 0000000000000000 0000000000000000 0000000000000000 0000000000000004 [46.585374] GPR28: 0000000100030260 0000000100030280 0000000000000003 000000000000005f [46.585919] NIP [00007ffff7e22990] 0x7ffff7e22990 [46.585964] LR [00000001000010ec] 0x1000010ec [46.586010] --- interrupt: c00 This should be a false positive, as both locks are acquired in read mode. Nevertheless, we don't need to hold a leaf locked when we start the transaction, so just release the leaf (path) before starting it. Reported-by: Ritesh Harjani Link: https://lore.kernel.org/linux-btrfs/20210513214404.xks77p566fglzgum@riteshh-domain/ Reviewed-by: Anand Jain Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 063c784cb8e19b993b9895807c1b83806da9b5cf Author: Ajish Koshy Date: Wed May 5 17:31:03 2021 +0530 scsi: pm80xx: Fix drives missing during rmmod/insmod loop [ Upstream commit d1acd81bd6eb685aa9fef25624fb36d297f6404e ] When driver is loaded after rmmod some drives are not showing up during discovery. SATA drives are directly attached to the controller connected phys. During device discovery, the IDENTIFY command (qc timeout (cmd 0xec)) is timing out during revalidation. This will trigger abort from host side and controller successfully aborts the command and returns success. Post this successful abort response ATA library decides to mark the disk as NODEV. To overcome this, inside pm8001_scan_start() after phy_start() call, add get start response and wait for few milliseconds to trigger next phy start. This millisecond delay will give sufficient time for the controller state machine to accept next phy start. Link: https://lore.kernel.org/r/20210505120103.24497-1-ajish.koshy@microchip.com Signed-off-by: Ajish Koshy Signed-off-by: Viswas G Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4414c8145485579a8f160b3af006f6f0f10bbbdf Author: Peter Zijlstra Date: Wed Apr 14 14:45:43 2021 +0200 openrisc: Define memory barrier mb [ Upstream commit 8b549c18ae81dbc36fb11e4aa08b8378c599ca95 ] This came up in the discussion of the requirements of qspinlock on an architecture. OpenRISC uses qspinlock, but it was noticed that the memmory barrier was not defined. Peter defined it in the mail thread writing: As near as I can tell this should do. The arch spec only lists this one instruction and the text makes it sound like a completion barrier. This is correct so applying this patch. Signed-off-by: Peter Zijlstra [shorne@gmail.com:Turned the mail into a patch] Signed-off-by: Stafford Horne Signed-off-by: Sasha Levin commit af847dae6085a0cabd3977e3f308656cfa7b64ab Author: Matt Wang Date: Tue May 11 03:04:37 2021 +0000 scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic [ Upstream commit 56f396146af278135c0ff958c79b5ee1bd22453d ] Commit 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit") introduced a serious issue for 64-bit systems. With this commit, 64-bit kernel will enumerate 8*15 non-existing disks. This is caused by the broken CCB structure. The change from u32 data to void *data increased CCB length on 64-bit system, which introduced an extra 4 byte offset of the CDB. This leads to incorrect response to INQUIRY commands during enumeration. Fix disk enumeration failure by reverting the portion of the commit above which switched the data pointer from u32 to void. Link: https://lore.kernel.org/r/C325637F-1166-4340-8F0F-3BCCD59D4D54@vmware.com Acked-by: Khalid Aziz Signed-off-by: Matt Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 19202ebf8ac35b293b86a951eb6c211f971c0409 Author: Peter Wang Date: Wed May 12 18:01:45 2021 +0800 scsi: ufs: ufs-mediatek: Fix power down spec violation [ Upstream commit c625b80b9d00f3546722cd77527f9697c8c4c911 ] As per spec, e.g. JESD220E chapter 7.2, while powering off the UFS device, RST_N signal should be between VSS(Ground) and VCCQ/VCCQ2. The power down sequence after fixing: Power down: 1. Assert RST_N low 2. Turn-off VCC 3. Turn-off VCCQ/VCCQ2 Link: https://lore.kernel.org/r/1620813706-25331-1-git-send-email-peter.wang@mediatek.com Reviewed-by: Stanley Chu Signed-off-by: Peter Wang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit afd1fca36d26f3896c99a363fc3dbe9c05411e3a Author: Boris Burkov Date: Tue Apr 6 15:31:18 2021 -0700 btrfs: return whole extents in fiemap [ Upstream commit 15c7745c9a0078edad1f7df5a6bb7b80bc8cca23 ] `xfs_io -c 'fiemap ' ` can give surprising results on btrfs that differ from xfs. btrfs prints out extents trimmed to fit the user input. If the user's fiemap request has an offset, then rather than returning each whole extent which intersects that range, we also trim the start extent to not have start < off. Documentation in filesystems/fiemap.txt and the xfs_io man page suggests that returning the whole extent is expected. Some cases which all yield the same fiemap in xfs, but not btrfs: dd if=/dev/zero of=$f bs=4k count=1 sudo xfs_io -c 'fiemap 0 1024' $f 0: [0..7]: 26624..26631 sudo xfs_io -c 'fiemap 2048 1024' $f 0: [4..7]: 26628..26631 sudo xfs_io -c 'fiemap 2048 4096' $f 0: [4..7]: 26628..26631 sudo xfs_io -c 'fiemap 3584 512' $f 0: [7..7]: 26631..26631 sudo xfs_io -c 'fiemap 4091 5' $f 0: [7..6]: 26631..26630 I believe this is a consequence of the logic for merging contiguous extents represented by separate extent items. That logic needs to track the last offset as it loops through the extent items, which happens to pick up the start offset on the first iteration, and trim off the beginning of the full extent. To fix it, start `off` at 0 rather than `start` so that we keep the iteration/merging intact without cutting off the start of the extent. after the fix, all the above commands give: 0: [0..7]: 26624..26631 The merging logic is exercised by fstest generic/483, and I have written a new fstest for checking we don't have backwards or zero-length fiemaps for cases like those above. Reviewed-by: Josef Bacik Signed-off-by: Boris Burkov Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit a0585a33ff57c317068f6aaf2a749084984c09eb Author: Greg Kroah-Hartman Date: Mon May 3 13:57:36 2021 +0200 brcmfmac: properly check for bus register errors [ Upstream commit 419b4a142a7ece36cebcd434f8ce2af59ef94b85 ] The brcmfmac driver ignores any errors on initialization with the different busses by deferring the initialization to a workqueue and ignoring all possible errors that might happen. Fix up all of this by only allowing the module to load if all bus registering worked properly. Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-70-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fbe98b0defed916210f855ec737852ed49c797f9 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:35 2021 +0200 Revert "brcmfmac: add a check for the status of usb_register" [ Upstream commit 30a350947692f794796f563029d29764497f2887 ] This reverts commit 42daad3343be4a4e1ee03e30a5f5cc731dadfef5. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit here did nothing to actually help if usb_register() failed, so it gives a "false sense of security" when there is none. The correct solution is to correctly unwind from this error. Cc: Kangjie Lu Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-69-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b1f9f135e4ec023f472ee3a5340bffaacf621d49 Author: Tom Seewald Date: Mon May 3 13:57:32 2021 +0200 net: liquidio: Add missing null pointer checks [ Upstream commit dbc97bfd3918ed9268bfc174cae8a7d6b3d51aad ] The functions send_rx_ctrl_cmd() in both liquidio/lio_main.c and liquidio/lio_vf_main.c do not check if the call to octeon_alloc_soft_command() fails and returns a null pointer. Both functions also return void so errors are not propagated back to the caller. Fix these issues by updating both instances of send_rx_ctrl_cmd() to return an integer rather than void, and have them return -ENOMEM if an allocation failure occurs. Also update all callers of send_rx_ctrl_cmd() so that they now check the return value. Cc: David S. Miller Signed-off-by: Tom Seewald Link: https://lore.kernel.org/r/20210503115736.2104747-66-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 727041e1b79a80e5ee7bc672c76bf5a05187f73c Author: Greg Kroah-Hartman Date: Mon May 3 13:57:31 2021 +0200 Revert "net: liquidio: fix a NULL pointer dereference" [ Upstream commit 4fd798a5a89114c1892574c50f2aebd49bc5b4f5 ] This reverts commit fe543b2f174f34a7a751aa08b334fe6b105c4569. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. While the original commit does keep the immediate "NULL dereference" from happening, it does not properly propagate the error back to the callers, AND it does not fix this same identical issue in the drivers/net/ethernet/cavium/liquidio/lio_vf_main.c for some reason. Cc: Kangjie Lu Cc: David S. Miller Link: https://lore.kernel.org/r/20210503115736.2104747-65-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit de1fe324cc34a5f2344a2b15c3e11d08e373d856 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:30 2021 +0200 media: gspca: properly check for errors in po1030_probe() [ Upstream commit dacb408ca6f0e34df22b40d8dd5fae7f8e777d84 ] If m5602_write_sensor() or m5602_write_bridge() fail, do not continue to initialize the device but return the error to the calling funtion. Cc: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210503115736.2104747-64-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b10396b3cc1cece4839eafb46f2bbeaf2bfdbb18 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:29 2021 +0200 Revert "media: gspca: Check the return value of write_bridge for timeout" [ Upstream commit 8e23e83c752b54e98102627a1cc09281ad71a299 ] This reverts commit a21a0eb56b4e8fe4a330243af8030f890cde2283. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. Different error values should never be "OR" together and expect anything sane to come out of the result. Cc: Aditya Pakki Cc: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210503115736.2104747-63-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5e74e63423c466a71e4e1c893dcd7bd55c6698e0 Author: Alaa Emad Date: Mon May 3 13:57:28 2021 +0200 media: gspca: mt9m111: Check write_bridge for timeout [ Upstream commit e932f5b458eee63d013578ea128b9ff8ef5f5496 ] If m5602_write_bridge times out, it will return a negative error value. So properly check for this and handle the error correctly instead of just ignoring it. Cc: Mauro Carvalho Chehab Signed-off-by: Alaa Emad Link: https://lore.kernel.org/r/20210503115736.2104747-62-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7117bf771431bb215843e1b98487ef676d72ef72 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:27 2021 +0200 Revert "media: gspca: mt9m111: Check write_bridge for timeout" [ Upstream commit d8c3be2fb2079d0cb4cd29d6aba58dbe54771e42 ] This reverts commit 656025850074f5c1ba2e05be37bda57ba2b8d491. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. Different error values should never be "OR" together and expect anything sane to come out of the result. Cc: Aditya Pakki Cc: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210503115736.2104747-61-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4b747b3d80adc8108d7cca2413b6cd04787bfbaa Author: Alaa Emad Date: Mon May 3 13:57:26 2021 +0200 media: dvb: Add check on sp8870_readreg return [ Upstream commit c6d822c56e7fd29e6fa1b1bb91b98f6a1e942b3c ] The function sp8870_readreg returns a negative value when i2c_transfer fails so properly check for this and return the error if it happens. Cc: Sean Young Cc: Mauro Carvalho Chehab Signed-off-by: Alaa Emad Link: https://lore.kernel.org/r/20210503115736.2104747-60-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b63390ac7dfe572765c8f7a0914ee955b772860c Author: Greg Kroah-Hartman Date: Mon May 3 13:57:25 2021 +0200 Revert "media: dvb: Add check on sp8870_readreg" [ Upstream commit 47e4ff06fa7f5ba4860543a2913bbd0c164640aa ] This reverts commit 467a37fba93f2b4fe3ab597ff6a517b22b566882. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. This commit is not properly checking for an error at all, so if a read succeeds from this device, it will error out. Cc: Aditya Pakki Cc: Sean Young Cc: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210503115736.2104747-59-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 48f71fa588fd9ecd18bb7e075210729bc5d8abaa Author: Greg Kroah-Hartman Date: Mon May 3 13:57:24 2021 +0200 ASoC: cs43130: handle errors in cs43130_probe() properly [ Upstream commit 2da441a6491d93eff8ffff523837fd621dc80389 ] cs43130_probe() does not do any valid error checking of things it initializes, OR what it does, it does not unwind properly if there are errors. Fix this up by moving the sysfs files to an attribute group so the driver core will correctly add/remove them all at once and handle errors with them, and correctly check for creating a new workqueue and unwinding if that fails. Cc: Mark Brown Link: https://lore.kernel.org/r/20210503115736.2104747-58-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e8e8f7379bd835aef0f7ddf394bdfb946c8e76ce Author: Greg Kroah-Hartman Date: Mon May 3 13:57:23 2021 +0200 Revert "ASoC: cs43130: fix a NULL pointer dereference" [ Upstream commit fdda0dd2686ecd1f2e616c9e0366ea71b40c485d ] This reverts commit a2be42f18d409213bb7e7a736e3ef6ba005115bb. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original patch here is not correct, sysfs files that were created are not unwound. Cc: Kangjie Lu Cc: Mark Brown Link: https://lore.kernel.org/r/20210503115736.2104747-57-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a7c7c9ae218e96345c4b7f4b8085574aa78e06eb Author: Greg Kroah-Hartman Date: Mon May 3 13:57:20 2021 +0200 libertas: register sysfs groups properly [ Upstream commit 7e79b38fe9a403b065ac5915465f620a8fb3de84 ] The libertas driver was trying to register sysfs groups "by hand" which causes them to be created _after_ the device is initialized and announced to userspace, which causes races and can prevent userspace tools from seeing the sysfs files correctly. Fix this up by using the built-in sysfs_groups pointers in struct net_device which were created for this very reason, fixing the race condition, and properly allowing for any error that might have occured to be handled properly. Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-54-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 42c4a0cb11bdfe723b38fc4350513d5a2254462f Author: Greg Kroah-Hartman Date: Mon May 3 13:57:19 2021 +0200 Revert "libertas: add checks for the return value of sysfs_create_group" [ Upstream commit 46651077765c80a0d6f87f3469129a72e49ce91b ] This reverts commit 434256833d8eb988cb7f3b8a41699e2fe48d9332. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit was incorrect, the error needs to be propagated back to the caller AND if the second group call fails, the first needs to be removed. There are much better ways to solve this, the driver should NOT be calling sysfs_create_group() on its own as it is racing userspace and loosing. Cc: Kangjie Lu Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-53-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a41d9b51b4640dede2bd60253c95271909d75315 Author: Phillip Potter Date: Mon May 3 13:57:18 2021 +0200 dmaengine: qcom_hidma: comment platform_driver_register call [ Upstream commit 4df2a8b0ad634d98a67e540a4e18a60f943e7d9f ] Place a comment in hidma_mgmt_init explaining why success must currently be assumed, due to the cleanup issue that would need to be considered were this module ever to be unloadable or were this platform_driver_register call ever to fail. Acked-By: Vinod Koul Acked-By: Sinan Kaya Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20210503115736.2104747-52-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5f63e0553408f28ad85dc930e10b18f4b368de65 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:17 2021 +0200 Revert "dmaengine: qcom_hidma: Check for driver register failure" [ Upstream commit 43ed0fcf613a87dd0221ec72d1ade4d6544f2ffc ] This reverts commit a474b3f0428d6b02a538aa10b3c3b722751cb382. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original change is NOT correct, as it does not correctly unwind from the resources that was allocated before the call to platform_driver_register(). Cc: Aditya Pakki Acked-By: Vinod Koul Acked-By: Sinan Kaya Link: https://lore.kernel.org/r/20210503115736.2104747-51-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fb1fbcc4a0b1c6ef329f99b5e7d05bf31ab0aa79 Author: Phillip Potter Date: Mon May 3 13:57:14 2021 +0200 isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info [ Upstream commit 5265db2ccc735e2783b790d6c19fb5cee8c025ed ] Modify return type of hfcusb_ph_info to int, so that we can pass error value up the call stack when allocation of ph_info fails. Also change three of four call sites to actually account for the memory failure. The fourth, in ph_state_nt, is infeasible to change as it is in turn called by ph_state which is used as a function pointer argument to mISDN_initdchannel, which would necessitate changing its signature and updating all the places where it is used (too many). Fixes original flawed commit (38d22659803a) from the University of Minnesota. Cc: David S. Miller Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20210503115736.2104747-48-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7b917ddebdce4bffdb7bdde4a6ef6a1022132181 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:13 2021 +0200 Revert "isdn: mISDN: Fix potential NULL pointer dereference of kzalloc" [ Upstream commit 36a2c87f7ed9e305d05b9a5c044cc6c494771504 ] This reverts commit 38d22659803a033b1b66cd2624c33570c0dde77d. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. While it looks like the original change is correct, it is not, as none of the setup actually happens, and the error value is not propagated upwards. Cc: Aditya Pakki Cc: David S. Miller Link: https://lore.kernel.org/r/20210503115736.2104747-47-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f06a1a92fb523a8c44b9386d2f3a5890b589d3eb Author: Anirudh Rayabharam Date: Mon May 3 13:57:10 2021 +0200 ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd() [ Upstream commit 54433367840b46a1555c8ed36c4c0cfc5dbf1358 ] Propagate error code from failure of ath6kl_wmi_cmd_send() to the caller. Signed-off-by: Anirudh Rayabharam Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-44-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7930082ced4ce683e4ea9029a2bdde3f9a649a4e Author: Greg Kroah-Hartman Date: Mon May 3 13:57:09 2021 +0200 Revert "ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd()" [ Upstream commit efba106f89fc6848726716c101f4c84e88720a9c ] This reverts commit fc6a6521556c8250e356ddc6a3f2391aa62dc976. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The change being reverted does NOTHING as the caller to this function does not even look at the return value of the call. So the "claim" that this fixed an an issue is not true. It will be fixed up properly in a future patch by propagating the error up the stack correctly. Cc: Kangjie Lu Cc: Kalle Valo Link: https://lore.kernel.org/r/20210503115736.2104747-43-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d974cc5decef211faf094545a7afad6e2d234858 Author: Phillip Potter Date: Mon May 3 13:57:08 2021 +0200 isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io [ Upstream commit c446f0d4702d316e1c6bf621f70e79678d28830a ] Move hw->cfg.mode and hw->addr.mode assignments from hw->ci->cfg_mode and hw->ci->addr_mode respectively, to be before the subsequent checks for memory IO mode (and possible ioremap calls in this case). Also introduce ioremap error checks at both locations. This allows resources to be properly freed on ioremap failure, as when the caller of setup_io then subsequently calls release_io via its error path, release_io can now correctly determine the mode as it has been set before the ioremap call. Finally, refactor release_io function so that it will call release_mem_region in the memory IO case, regardless of whether or not hw->cfg.p/hw->addr.p are NULL. This means resources are then properly released on failure. This properly implements the original reverted commit (d721fe99f6ad) from the University of Minnesota, whilst also implementing the ioremap check for the hw->ci->cfg_mode if block as well. Cc: David S. Miller Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20210503115736.2104747-42-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 00b5327a96b348bdf4a2417b166412e8aaa8f982 Author: Greg Kroah-Hartman Date: Mon May 3 13:57:07 2021 +0200 Revert "isdn: mISDNinfineon: fix potential NULL pointer dereference" [ Upstream commit abd7bca23bd4247124265152d00ffd4b2b0d6877 ] This reverts commit d721fe99f6ada070ae8fc0ec3e01ce5a42def0d9. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit was incorrect, it should have never have used "unlikely()" and if it ever does trigger, resources are left grabbed. Given there are no users for this code around, I'll just revert this and leave it "as is" as the odds that ioremap() will ever fail here is horrendiously low. Cc: Kangjie Lu Cc: David S. Miller Link: https://lore.kernel.org/r/20210503115736.2104747-41-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ac19876bd190699fecf2c4a77749bf2a894b2f7d Author: Greg Kroah-Hartman Date: Mon May 3 13:57:03 2021 +0200 Revert "ALSA: usx2y: Fix potential NULL pointer dereference" [ Upstream commit 4667a6fc1777ce071504bab570d3599107f4790f ] This reverts commit a2c6433ee5a35a8de6d563f6512a26f87835ea0f. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original patch was incorrect, and would leak memory if the error path the patch added was hit. Cc: Aditya Pakki Reviewed-by: Takashi Iwai Link: https://lore.kernel.org/r/20210503115736.2104747-37-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 64638f97b5f5d41b76220f89a017c5264958a8f0 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:59 2021 +0200 Revert "ALSA: gus: add a check of the status of snd_ctl_add" [ Upstream commit 1dacca7fa1ebea47d38d20cd2df37094805d2649 ] This reverts commit 0f25e000cb4398081748e54f62a902098aa79ec1. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit did nothing if there was an error, except to print out a message, which is pointless. So remove the commit as it gives a "false sense of doing something". Cc: Kangjie Lu Reviewed-by: Takashi Iwai Link: https://lore.kernel.org/r/20210503115736.2104747-33-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 1d6d3cfe9ee6d1104b9bdd67eb193ba77cbcbd72 Author: Tom Seewald Date: Mon May 3 13:56:56 2021 +0200 char: hpet: add checks after calling ioremap [ Upstream commit b11701c933112d49b808dee01cb7ff854ba6a77a ] The function hpet_resources() calls ioremap() two times, but in both cases it does not check if ioremap() returned a null pointer. Fix this by adding null pointer checks and returning an appropriate error. Signed-off-by: Tom Seewald Link: https://lore.kernel.org/r/20210503115736.2104747-30-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 740b5323b653ed7acfc40d27c828cc330bbc60b6 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:55 2021 +0200 Revert "char: hpet: fix a missing check of ioremap" [ Upstream commit 566f53238da74801b48e985788e5f7c9159e5940 ] This reverts commit 13bd14a41ce3105d5b1f3cd8b4d1e249d17b6d9b. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. While this is technically correct, it is only fixing ONE of these errors in this function, so the patch is not fully correct. I'll leave this revert and provide a fix for this later that resolves this same "problem" everywhere in this function. Cc: Kangjie Lu Link: https://lore.kernel.org/r/20210503115736.2104747-29-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8046e609cdb507a8d864f0721fc44ec2eae6dc83 Author: Du Cheng Date: Mon May 3 13:56:46 2021 +0200 net: caif: remove BUG_ON(dev == NULL) in caif_xmit [ Upstream commit 65a67792e3416f7c5d7daa47d99334cbb19a7449 ] The condition of dev == NULL is impossible in caif_xmit(), hence it is for the removal. Explanation: The static caif_xmit() is only called upon via a function pointer `ndo_start_xmit` defined in include/linux/netdevice.h: ``` struct net_device_ops { ... netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev); ... } ``` The exhausive list of call points are: ``` drivers/net/ethernet/qualcomm/rmnet/rmnet_map_command.c dev->netdev_ops->ndo_start_xmit(skb, dev); ^ ^ drivers/infiniband/ulp/opa_vnic/opa_vnic_netdev.c struct opa_vnic_adapter *adapter = opa_vnic_priv(netdev); ^ ^ return adapter->rn_ops->ndo_start_xmit(skb, netdev); // adapter would crash first ^ ^ drivers/usb/gadget/function/f_ncm.c ncm->netdev->netdev_ops->ndo_start_xmit(NULL, ncm->netdev); ^ ^ include/linux/netdevice.h static inline netdev_tx_t __netdev_start_xmit(... { return ops->ndo_start_xmit(skb, dev); ^ } const struct net_device_ops *ops = dev->netdev_ops; ^ rc = __netdev_start_xmit(ops, skb, dev, more); ^ ``` In each of the enumerated scenarios, it is impossible for the NULL-valued dev to reach the caif_xmit() without crashing the kernel earlier, therefore `BUG_ON(dev == NULL)` is rather useless, hence the removal. Cc: David S. Miller Signed-off-by: Du Cheng Link: https://lore.kernel.org/r/20210503115736.2104747-20-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0b950a05a71a9a64658dc3bba0bb6cae21c912f4 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:45 2021 +0200 Revert "net: caif: replace BUG_ON with recovery code" [ Upstream commit 4df07045fcfd684379a394d0f2aa0cc4067bda2a ] This reverts commit c5dea815834c7d2e9fc633785455bc428b7a1956. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original change here was pointless as dev can never be NULL in this function so the claim in the changelog that this "fixes" anything is incorrect (also the developer forgot about panic_on_warn). A follow-up change will resolve this issue properly. Cc: Aditya Pakki Cc: David S. Miller Link: https://lore.kernel.org/r/20210503115736.2104747-19-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0609385768016447d319f2937c09251ea5793fe7 Author: Anirudh Rayabharam Date: Mon May 3 13:56:44 2021 +0200 net/smc: properly handle workqueue allocation failure [ Upstream commit bbeb18f27a44ce6adb00d2316968bc59dc640b9b ] In smcd_alloc_dev(), if alloc_ordered_workqueue() fails, properly catch it, clean up and return NULL to let the caller know there was a failure. Move the call to alloc_ordered_workqueue higher in the function in order to abort earlier without needing to unwind the call to device_initialize(). Cc: Ursula Braun Cc: David S. Miller Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20210503115736.2104747-18-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c0fc080bd134744d3766b3b0fa2de29d12922288 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:43 2021 +0200 Revert "net/smc: fix a NULL pointer dereference" [ Upstream commit 5369ead83f5aff223b6418c99cb1fe9a8f007363 ] This reverts commit e183d4e414b64711baf7a04e214b61969ca08dfa. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original commit causes a memory leak and does not properly fix the issue it claims to fix. I will send a follow-on patch to resolve this properly. Cc: Kangjie Lu Cc: Ursula Braun Cc: David S. Miller Link: https://lore.kernel.org/r/20210503115736.2104747-17-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f14bf57a08779a5dee9936f63ada0149ea89c5e6 Author: Anirudh Rayabharam Date: Mon May 3 13:56:42 2021 +0200 net: fujitsu: fix potential null-ptr-deref [ Upstream commit 52202be1cd996cde6e8969a128dc27ee45a7cb5e ] In fmvj18x_get_hwinfo(), if ioremap fails there will be NULL pointer deref. To fix this, check the return value of ioremap and return -1 to the caller in case of failure. Cc: "David S. Miller" Acked-by: Dominik Brodowski Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20210503115736.2104747-16-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 88ecd31c6eceac70b2eeafd8e6b12b673368bf02 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:41 2021 +0200 Revert "net: fujitsu: fix a potential NULL pointer dereference" [ Upstream commit 5f94eaa4ee23e80841fa359a372f84cfe25daee1 ] This reverts commit 9f4d6358e11bbc7b839f9419636188e4151fb6e4. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. The original change does not change any behavior as the caller of this function onlyu checks for "== -1" as an error condition so this error is not handled properly. Remove this change and it will be fixed up properly in a later commit. Cc: Kangjie Lu Cc: David S. Miller Reviewed-by: Dominik Brodowski Link: https://lore.kernel.org/r/20210503115736.2104747-15-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e1fa6f4c83e92414f35afe22d8f93b5eabcf550e Author: Atul Gopinathan Date: Mon May 3 13:56:38 2021 +0200 serial: max310x: unregister uart driver in case of failure and abort [ Upstream commit 3890e3dea315f1a257d1b940a2a4e2fa16a7b095 ] The macro "spi_register_driver" invokes the function "__spi_register_driver()" which has a return type of int and can fail, returning a negative value in such a case. This is currently ignored and the init() function yields success even if the spi driver failed to register. Fix this by collecting the return value of "__spi_register_driver()" and also unregister the uart driver in case of failure. Cc: Jiri Slaby Signed-off-by: Atul Gopinathan Link: https://lore.kernel.org/r/20210503115736.2104747-12-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 436fbcbb5657fba3ba1f11fb4e7c7e7a01b92e79 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:37 2021 +0200 Revert "serial: max310x: pass return value of spi_register_driver" [ Upstream commit b0a85abbe92e1a6f3e8580a4590fa7245de7090b ] This reverts commit 51f689cc11333944c7a457f25ec75fcb41e99410. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It will be fixed up "correctly" in a later kernel change. This change did not properly unwind from the error condition, so it was not correct. Cc: Kangjie Lu Acked-by: Jiri Slaby Link: https://lore.kernel.org/r/20210503115736.2104747-11-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 66e7057fd0e80f360d7c9ec99931b088cd936f11 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:34 2021 +0200 Revert "ALSA: sb: fix a missing check of snd_ctl_add" [ Upstream commit 4b059ce1f4b368208c2310925f49be77f15e527b ] This reverts commit beae77170c60aa786f3e4599c18ead2854d8694d. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to be incorrect for the reasons below, so it must be reverted. It is safe to ignore this error as the mixer element is optional, and the driver is very legacy. Cc: Aditya Pakki Reviewed-by: Takashi Iwai Link: https://lore.kernel.org/r/20210503115736.2104747-8-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3b5fab1acfb506a600a915091972b17c284fdf13 Author: Greg Kroah-Hartman Date: Mon May 3 13:56:33 2021 +0200 Revert "media: usb: gspca: add a missed check for goto_low_power" [ Upstream commit fd013265e5b5576a74a033920d6c571e08d7c423 ] This reverts commit 5b711870bec4dc9a6d705d41e127e73944fa3650. Because of recent interactions with developers from @umn.edu, all commits from them have been recently re-reviewed to ensure if they were correct or not. Upon review, this commit was found to do does nothing useful as a user can do nothing with this information and if an error did happen, the code would continue on as before. Because of this, just revert it. Cc: Kangjie Lu Cc: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/20210503115736.2104747-7-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 08ebe06ef6573d4e33a61a374dca4098b15b1622 Author: Greg Kroah-Hartman Date: Wed Apr 28 09:49:31 2021 +0200 Revert "crypto: cavium/nitrox - add an error message to explain the failure of pci_request_mem_regions" [ Upstream commit 6a3239a738d86c5e9b5aad17fefe2c2bfd6ced83 ] This reverts commit 9fcddaf2e28d779cb946d23838ba6d50f299aa80 as it was submitted under a fake name and we can not knowingly accept anonymous contributions to the repository. This commit was part of a submission "test" to the Linux kernel community by some "researchers" at umn.edu. As outlined at: https://www-users.cs.umn.edu/%7Ekjlu/papers/full-disclosure.pdf it was done so as an attempt to submit a known-buggy patch to see if it could get by our review. However, the submission turned out to actually be correct, and not have a bug in it as the author did not understand how the PCI driver model works at all, and so the submission was accepted. As this change is of useless consequence, there is no loss of functionality in reverting it. Cc: "David S. Miller" Cc: Christophe JAILLET Cc: linux-crypto@vger.kernel.org Acked-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman Email: Herbert Xu Link: https://lore.kernel.org/r/YIkTi9a3nnL50wMq@kroah.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e4c4047991d14362fab7a537827eac9c0c081209 Author: Zou Wei Date: Wed May 12 11:17:47 2021 +0800 gpio: cadence: Add missing MODULE_DEVICE_TABLE [ Upstream commit 1e948b1752b58c9c570989ab29ceef5b38fdccda ] This patch adds missing MODULE_DEVICE_TABLE definition which generates correct modalias for automatic loading of this driver when it is built as an external module. Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Bartosz Golaszewski Signed-off-by: Sasha Levin commit f5795f9cccb6eb40169eaea3499a1086b762fed8 Author: Kai-Heng Feng Date: Fri Apr 30 14:07:35 2021 +0800 platform/x86: hp_accel: Avoid invoking _INI to speed up resume [ Upstream commit 79d341e26ebcdbc622348aaaab6f8f89b6fdb25f ] hp_accel can take almost two seconds to resume on some HP laptops. The bottleneck is on evaluating _INI, which is only needed to run once. Resolve the issue by only invoking _INI when it's necessary. Namely, on probe and on hibernation restore. Signed-off-by: Kai-Heng Feng Acked-by: Éric Piel Link: https://lore.kernel.org/r/20210430060736.590321-1-kai.heng.feng@canonical.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit dbcde1a10cf3023d6b14b3442c4deccbedffc063 Author: Paolo Abeni Date: Tue May 25 14:23:11 2021 -0700 mptcp: drop unconditional pr_warn on bad opt commit 3812ce895047afdb78dc750a236515416e0ccded upstream. This is a left-over of early day. A malicious peer can flood the kernel logs with useless messages, just drop it. Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 18e7f0580da15cac1e79d73683ada5a9e70980f8 Author: Paolo Abeni Date: Tue May 11 19:13:51 2021 +0200 mptcp: fix data stream corruption commit 29249eac5225429b898f278230a6ca2baa1ae154 upstream. Maxim reported several issues when forcing a TCP transparent proxy to use the MPTCP protocol for the inbound connections. He also provided a clean reproducer. The problem boils down to 'mptcp_frag_can_collapse_to()' assuming that only MPTCP will use the given page_frag. If others - e.g. the plain TCP protocol - allocate page fragments, we can end-up re-using already allocated memory for mptcp_data_frag. Fix the issue ensuring that the to-be-expanded data fragment is located at the current page frag end. v1 -> v2: - added missing fixes tag (Mat) Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/178 Reported-and-tested-by: Maxim Galaganov Fixes: 18b683bff89d ("mptcp: queue data for mptcp level retransmission") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 36a07736d301dcb05a205ee5a26ae309ae9bfbcf Author: Paolo Abeni Date: Tue May 25 14:23:12 2021 -0700 mptcp: avoid error message on infinite mapping commit 3ed0a585bfadb6bd7080f11184adbc9edcce7dbc upstream. Another left-over. Avoid flooding dmesg with useless text, we already have a MIB for that event. Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path") Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 981e08ad823e0ca28d6f979d7359d6eaaee1c2c8 Author: Hou Pu Date: Thu May 20 19:30:45 2021 +0800 nvmet-tcp: fix inline data size comparison in nvmet_tcp_queue_response commit 25df1acd2d36eb72b14c3d00f6b861b1e00b3aab upstream. Using "<=" instead "<" to compare inline data size. Fixes: bdaf13279192 ("nvmet-tcp: fix a segmentation fault during io parsing error") Signed-off-by: Hou Pu Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 2a4115d43df4b2f740e93ce5e77e5544416e2065 Author: Felix Fietkau Date: Tue May 25 18:07:58 2021 +0200 perf jevents: Fix getting maximum number of fds commit 75ea44e356b5de8c817f821c9dd68ae329e82add upstream. On some hosts, rlim.rlim_max can be returned as RLIM_INFINITY. By casting it to int, it is interpreted as -1, which will cause get_maxfds to return 0, causing "Invalid argument" errors in nftw() calls. Fix this by casting the second argument of min() to rlim_t instead. Fixes: 80eeb67fe577 ("perf jevents: Program to convert JSON file") Signed-off-by: Felix Fietkau Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Sukadev Bhattiprolu Link: http://lore.kernel.org/lkml/20210525160758.97829-1-nbd@nbd.name Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 42bf32931a485207aa8ef38498d160bb0dbff0db Author: Ian Rogers Date: Wed May 19 09:44:47 2021 -0700 perf debug: Move debug initialization earlier commit c59870e2110e1229a6e4b2457aece6ffe8d68d99 upstream. This avoids segfaults during option handlers that use pr_err. For example, "perf --debug nopager list" segfaults before this change. Fixes: 8abceacff87d (perf debug: Add debug_set_file function) Signed-off-by: Ian Rogers Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/20210519164447.2672030-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 3c0da3fad3954c303cfa880e0d5d9bcbfd3a3cc0 Author: David Howells Date: Thu May 27 11:24:33 2021 +0100 afs: Fix the nlink handling of dir-over-dir rename commit f610a5a29c3cfb7d37bdfa4ef52f72ea51f24a76 upstream. Fix rename of one directory over another such that the nlink on the deleted directory is cleared to 0 rather than being decremented to 1. This was causing the generic/035 xfstest to fail. Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept") Signed-off-by: David Howells Reviewed-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/162194384460.3999479.7605572278074191079.stgit@warthog.procyon.org.uk/ # v1 Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5f6f6b2eedc455c336ccb005427b0984368f4944 Author: Geert Uytterhoeven Date: Thu May 6 13:15:40 2021 +0200 i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E commit c4740e293c93c747e65d53d9aacc2ba8521d1489 upstream. When switching the Gen3 SoCs to the new clock calculation formulas, the match entry for RZ/G2E added in commit 51243b73455f2d12 ("i2c: sh_mobile: Add support for r8a774c0 (RZ/G2E)") was forgotten. Fixes: e8a27567509b2439 ("i2c: sh_mobile: use new clock calculation formulas for Gen3") Signed-off-by: Geert Uytterhoeven Reviewed-by: Fabrizio Castro Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 1f583d3813f204449037cd2acbfc09168171362a Author: Jean Delvare Date: Tue May 25 17:03:36 2021 +0200 i2c: i801: Don't generate an interrupt on bus reset commit e4d8716c3dcec47f1557024add24e1f3c09eb24b upstream. Now that the i2c-i801 driver supports interrupts, setting the KILL bit in a attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handler (i801_isr) is not prepared for this situation and will try to process the interrupt as if it was signaling the end of a successful transaction. In the case of a block transaction, this can result in an out-of-range memory access. This condition was reproduced several times by syzbot: https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79 So disable interrupts while trying to reset the bus. Interrupts will be enabled again for the following transaction. Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions") Reported-by: syzbot+b4d3fd1dfd53e90afd79@syzkaller.appspotmail.com Signed-off-by: Jean Delvare Acked-by: Andy Shevchenko Cc: Jarkko Nikula Tested-by: Jarkko Nikula Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit b1d777c3704cf2e3a8b7727ade49bffa70452588 Author: Qii Wang Date: Thu May 27 20:04:04 2021 +0800 i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset commit fed1bd51a504eb96caa38b4f13ab138fc169ea75 upstream. The i2c controller driver do dma reset after transfer timeout, but sometimes dma reset will trigger an unexpected DMA_ERR irq. It will cause the i2c controller to continuously send interrupts to the system and cause soft lock-up. So we need to disable i2c start_en and clear intr_stat to stop i2c controller before dma reset when transfer timeout. Fixes: aafced673c06("i2c: mediatek: move dma reset before i2c reset") Signed-off-by: Qii Wang Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit edcf4d5ca958c011fd7e9df57c7846401bb315b1 Author: Krzysztof Kozlowski Date: Wed May 26 08:39:37 2021 -0400 i2c: s3c2410: fix possible NULL pointer deref on read message after write commit 24990423267ec283b9d86f07f362b753eb9b0ed5 upstream. Interrupt handler processes multiple message write requests one after another, till the driver message queue is drained. However if driver encounters a read message without preceding START, it stops the I2C transfer as it is an invalid condition for the controller. At least the comment describes a requirement "the controller forces us to send a new START when we change direction". This stop results in clearing the message queue (i2c->msg = NULL). The code however immediately jumped back to label "retry_write" which dereferenced the "i2c->msg" making it a possible NULL pointer dereference. The Coverity analysis: 1. Condition !is_msgend(i2c), taking false branch. if (!is_msgend(i2c)) { 2. Condition !is_lastmsg(i2c), taking true branch. } else if (!is_lastmsg(i2c)) { 3. Condition i2c->msg->flags & 1, taking true branch. if (i2c->msg->flags & I2C_M_RD) { 4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL. s3c24xx_i2c_stop(i2c, -EINVAL); 5. Jumping to label retry_write. goto retry_write; 6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg. if (!is_msgend(i2c)) {" All previous calls to s3c24xx_i2c_stop() in this interrupt service routine are followed by jumping to end of function (acknowledging the interrupt and returning). This seems a reasonable choice also here since message buffer was entirely emptied. Addresses-Coverity: Explicit null dereferenced Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit bd72115939fe98bc8c80ad518ef024403eaff53d Author: Vladimir Oltean Date: Mon May 24 12:25:22 2021 +0300 net: dsa: sja1105: fix VL lookup command packing for P/Q/R/S commit ba61cf167cb77e54c1ec5adb7aa49a22ab3c9b28 upstream. At the beginning of the sja1105_dynamic_config.c file there is a diagram of the dynamic config interface layout: packed_buf | V +-----------------------------------------+------------------+ | ENTRY BUFFER | COMMAND BUFFER | +-----------------------------------------+------------------+ <----------------------- packed_size ------------------------> So in order to pack/unpack the command bits into the buffer, sja1105_vl_lookup_cmd_packing must first advance the buffer pointer by the length of the entry. This is similar to what the other *cmd_packing functions do. This bug exists because the command packing function for P/Q/R/S was copied from the E/T generation, and on E/T, the command was actually embedded within the entry buffer itself. Fixes: 94f94d4acfb2 ("net: dsa: sja1105: add static tables for virtual links") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 883c1a81e97136ccff8e8bd2defa117fe568656e Author: Vladimir Oltean Date: Mon May 24 12:25:23 2021 +0300 net: dsa: sja1105: call dsa_unregister_switch when allocating memory fails commit dc596e3fe63f88e3d1e509f64e7f761cd4135538 upstream. Unlike other drivers which pretty much end their .probe() execution with dsa_register_switch(), the sja1105 does some extra stuff. When that fails with -ENOMEM, the driver is quick to return that, forgetting to call dsa_unregister_switch(). Not critical, but a bug nonetheless. Fixes: 4d7525085a9b ("net: dsa: sja1105: offload the Credit-Based Shaper qdisc") Fixes: a68578c20a96 ("net: dsa: Make deferred_xmit private to sja1105") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 987e4ab8b8a4fcbf783069e03e7524cd39ffd563 Author: Vladimir Oltean Date: Mon May 24 12:25:24 2021 +0300 net: dsa: sja1105: add error handling in sja1105_setup() commit cec279a898a3b004411682f212215ccaea1cd0fb upstream. If any of sja1105_static_config_load(), sja1105_clocking_setup() or sja1105_devlink_setup() fails, we can't just return in the middle of sja1105_setup() or memory will leak. Add a cleanup path. Fixes: 0a7bdbc23d8a ("net: dsa: sja1105: move devlink param code to sja1105_devlink.c") Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6e3e0c3ad1b09526b027b2ebb3f79086d3d1f8b7 Author: Vladimir Oltean Date: Mon May 24 12:25:25 2021 +0300 net: dsa: sja1105: error out on unsupported PHY mode commit 6729188d2646709941903052e4b78e1d82c239b9 upstream. The driver continues probing when a port is configured for an unsupported PHY interface type, instead it should stop. Fixes: 8aa9ebccae87 ("net: dsa: Introduce driver for NXP SJA1105 5-port L2 switch") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fa43808d8cd1948d37b72f092c832aff68145a47 Author: Vladimir Oltean Date: Mon May 24 12:25:26 2021 +0300 net: dsa: sja1105: use 4095 as the private VLAN for untagged traffic commit ed040abca4c1db72dfd3b8483b6ed6bfb7c2571e upstream. One thing became visible when writing the blamed commit, and that was that STP and PTP frames injected by net/dsa/tag_sja1105.c using the deferred xmit mechanism are always classified to the pvid of the CPU port, regardless of whatever VLAN there might be in these packets. So a decision needed to be taken regarding the mechanism through which we should ensure that delivery of STP and PTP traffic is possible when we are in a VLAN awareness mode that involves tag_8021q. This is because tag_8021q is not concerned with managing the pvid of the CPU port, since as far as tag_8021q is concerned, no traffic should be sent as untagged from the CPU port. So we end up not actually having a pvid on the CPU port if we only listen to tag_8021q, and unless we do something about it. The decision taken at the time was to keep VLAN 1 in the list of priv->dsa_8021q_vlans, and make it a pvid of the CPU port. This ensures that STP and PTP frames can always be sent to the outside world. However there is a problem. If we do the following while we are in the best_effort_vlan_filtering=true mode: ip link add br0 type bridge vlan_filtering 1 ip link set swp2 master br0 bridge vlan del dev swp2 vid 1 Then untagged and pvid-tagged frames should be dropped. But we observe that they aren't, and this is because of the precaution we took that VID 1 is always installed on all ports. So clearly VLAN 1 is not good for this purpose. What about VLAN 0? Well, VLAN 0 is managed by the 8021q module, and that module wants to ensure that 802.1p tagged frames are always received by a port, and are always transmitted as VLAN-tagged (with VLAN ID 0). Whereas we want our STP and PTP frames to be untagged if the stack sent them as untagged - we don't want the driver to just decide out of the blue that it adds VID 0 to some packets. So what to do? Well, there is one other VLAN that is reserved, and that is 4095: $ ip link add link swp2 name swp2.4095 type vlan id 4095 Error: 8021q: Invalid VLAN id. $ bridge vlan add dev swp2 vid 4095 Error: bridge: Vlan id is invalid. After we made this change, VLAN 1 is indeed forwarded and/or dropped according to the bridge VLAN table, there are no further alterations done by the sja1105 driver. Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a9157077bb1b8a1b9f081af71c4f21a41ad7f9f5 Author: Vladimir Oltean Date: Mon May 24 12:25:27 2021 +0300 net: dsa: sja1105: update existing VLANs from the bridge VLAN list commit b38e659de966a122fe2cb178c1e39c9bea06bc62 upstream. When running this sequence of operations: ip link add br0 type bridge vlan_filtering 1 ip link set swp4 master br0 bridge vlan add dev swp4 vid 1 We observe the traffic sent on swp4 is still untagged, even though the bridge has overwritten the existing VLAN entry: port vlan ids swp4 1 PVID br0 1 PVID Egress Untagged This happens because we didn't consider that the 'bridge vlan add' command just overwrites VLANs like it's nothing. We treat the 'vid 1 pvid untagged' and the 'vid 1' as two separate VLANs, and the first still has precedence when calling sja1105_build_vlan_table. Obviously there is a disagreement regarding semantics, and we end up doing something unexpected from the PoV of the bridge. Let's actually consider an "existing VLAN" to be one which is on the same port, and has the same VLAN ID, as one we already have, and update it if it has different flags than we do. The first blamed commit is the one introducing the bug, the second one is the latest on top of which the bugfix still applies. Fixes: ec5ae61076d0 ("net: dsa: sja1105: save/restore VLANs using a delta commit method") Fixes: 5899ee367ab3 ("net: dsa: tag_8021q: add a context structure") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7b22466648a4f8e3e94f57ca428d1531866d1373 Author: Dan Carpenter Date: Sat May 8 16:30:35 2021 +0300 net: dsa: fix a crash if ->get_sset_count() fails commit a269333fa5c0c8e53c92b5a28a6076a28cde3e83 upstream. If ds->ops->get_sset_count() fails then it "count" is a negative error code such as -EOPNOTSUPP. Because "i" is an unsigned int, the negative error code is type promoted to a very high value and the loop will corrupt memory until the system crashes. Fix this by checking for error codes and changing the type of "i" to just int. Fixes: badf3ada60ab ("net: dsa: Provide CPU port statistics to master netdev") Signed-off-by: Dan Carpenter Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit efd130611fba1850401872a149db2a486a9adcda Author: Florian Fainelli Date: Fri May 21 10:46:14 2021 -0700 net: dsa: bcm_sf2: Fix bcm_sf2_reg_rgmii_cntrl() call for non-RGMII port commit fc516d3a6aa2c6ffe27d0da8818d13839e023e7e upstream. We cannot call bcm_sf2_reg_rgmii_cntrl() for a port that is not RGMII, yet we do that in bcm_sf2_sw_mac_link_up() irrespective of the port's interface. Move that read until we have properly qualified the PHY interface mode. This avoids triggering a warning on 7278 platforms that have GMII ports. Fixes: 55cfeb396965 ("net: dsa: bcm_sf2: add function finding RGMII register") Signed-off-by: Florian Fainelli Acked-by: Rafał Miłecki Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 82ae35b6c14feae5f216913d5b433e143c756d4e Author: DENG Qingfang Date: Sun May 23 22:51:54 2021 +0800 net: dsa: mt7530: fix VLAN traffic leaks commit 474a2ddaa192777522a7499784f1d60691cd831a upstream. PCR_MATRIX field was set to all 1's when VLAN filtering is enabled, but was not reset when it is disabled, which may cause traffic leaks: ip link add br0 type bridge vlan_filtering 1 ip link add br1 type bridge vlan_filtering 1 ip link set swp0 master br0 ip link set swp1 master br1 ip link set br0 type bridge vlan_filtering 0 ip link set br1 type bridge vlan_filtering 0 # traffic in br0 and br1 will start leaking to each other As port_bridge_{add,del} have set up PCR_MATRIX properly, remove the PCR_MATRIX write from mt7530_port_set_vlan_aware. Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530") Signed-off-by: DENG Qingfang Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8b1e82eb88c4d4d60b1de4632455b31873bda001 Author: Roi Dayan Date: Mon May 10 14:50:24 2021 +0300 netfilter: flowtable: Remove redundant hw refresh bit commit c07531c01d8284aedaf95708ea90e76d11af0e21 upstream. Offloading conns could fail for multiple reasons and a hw refresh bit is set to try to reoffload it in next sw packet. But it could be in some cases and future points that the hw refresh bit is not set but a refresh could succeed. Remove the hw refresh bit and do offload refresh if requested. There won't be a new work entry if a work is already pending anyway as there is the hw pending bit. Fixes: 8b3646d6e0c4 ("net/sched: act_ct: Support refreshing the flow table entries") Signed-off-by: Roi Dayan Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit eb9bc1defe4bd151dbeeaaa631b7b49d1da0d75d Author: Xin Long Date: Mon May 24 22:49:24 2021 -0400 sctp: add the missing setting for asoc encap_port commit 297739bd73f6e49d80bac4bfd27f3598b798c0d4 upstream. This patch is to add the missing setting back for asoc encap_port. Fixes: 8dba29603b5c ("sctp: add SCTP_REMOTE_UDP_ENCAPS_PORT sockopt") Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eb21f9f91b9f9ee00df4caaa88b1aef154d213b9 Author: Xin Long Date: Mon May 24 22:49:42 2021 -0400 sctp: fix the proc_handler for sysctl encap_port commit b2540cdce6e22ecf3de54daf5129cc37951348cc upstream. proc_dointvec() cannot do min and max check for setting a value when extra1/extra2 is set, so change it to proc_dointvec_minmax() for sysctl encap_port. Fixes: e8a3001c2120 ("sctp: add encap_port for netns sock asoc and transport") Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 12391be4724acc9269e1845ccbd881df37de4b56 Author: Christophe JAILLET Date: Sun May 9 21:12:27 2021 +0200 spi: spi-fsl-dspi: Fix a resource leak in an error handling path commit 680ec0549a055eb464dce6ffb4bfb736ef87236e upstream. 'dspi_request_dma()' should be undone by a 'dspi_release_dma()' call in the error handling path of the probe function, as already done in the remove function Fixes: 90ba37033cb9 ("spi: spi-fsl-dspi: Add DMA support for Vybrid") Signed-off-by: Christophe JAILLET Reviewed-by: Vladimir Oltean Link: https://lore.kernel.org/r/d51caaac747277a1099ba8dea07acd85435b857e.1620587472.git.christophe.jaillet@wanadoo.fr Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ace300eecbccaa698e2b472843c74a5f33f7dce8 Author: Xin Long Date: Sat May 8 03:57:03 2021 +0800 tipc: skb_linearize the head skb when reassembling msgs commit b7df21cf1b79ab7026f545e7bf837bd5750ac026 upstream. It's not a good idea to append the frag skb to a skb's frag_list if the frag_list already has skbs from elsewhere, such as this skb was created by pskb_copy() where the frag_list was cloned (all the skbs in it were skb_get'ed) and shared by multiple skbs. However, the new appended frag skb should have been only seen by the current skb. Otherwise, it will cause use after free crashes as this appended frag skb are seen by multiple skbs but it only got skb_get called once. The same thing happens with a skb updated by pskb_may_pull() with a skb_cloned skb. Li Shuang has reported quite a few crashes caused by this when doing testing over macvlan devices: [] kernel BUG at net/core/skbuff.c:1970! [] Call Trace: [] skb_clone+0x4d/0xb0 [] macvlan_broadcast+0xd8/0x160 [macvlan] [] macvlan_process_broadcast+0x148/0x150 [macvlan] [] process_one_work+0x1a7/0x360 [] worker_thread+0x30/0x390 [] kernel BUG at mm/usercopy.c:102! [] Call Trace: [] __check_heap_object+0xd3/0x100 [] __check_object_size+0xff/0x16b [] simple_copy_to_iter+0x1c/0x30 [] __skb_datagram_iter+0x7d/0x310 [] __skb_datagram_iter+0x2a5/0x310 [] skb_copy_datagram_iter+0x3b/0x90 [] tipc_recvmsg+0x14a/0x3a0 [tipc] [] ____sys_recvmsg+0x91/0x150 [] ___sys_recvmsg+0x7b/0xc0 [] kernel BUG at mm/slub.c:305! [] Call Trace: [] [] kmem_cache_free+0x3ff/0x400 [] __netif_receive_skb_core+0x12c/0xc40 [] ? kmem_cache_alloc+0x12e/0x270 [] netif_receive_skb_internal+0x3d/0xb0 [] ? get_rx_page_info+0x8e/0xa0 [be2net] [] be_poll+0x6ef/0xd00 [be2net] [] ? irq_exit+0x4f/0x100 [] net_rx_action+0x149/0x3b0 ... This patch is to fix it by linearizing the head skb if it has frag_list set in tipc_buf_append(). Note that we choose to do this before calling skb_unshare(), as __skb_linearize() will avoid skb_copy(). Also, we can not just drop the frag_list either as the early time. Fixes: 45c8b7b175ce ("tipc: allow non-linear first fragment buffer") Reported-by: Li Shuang Signed-off-by: Xin Long Acked-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9f5b7ad4ac3af006443f535b1ce7bff1d130d7d Author: Xin Long Date: Mon May 17 02:28:58 2021 +0800 tipc: wait and exit until all work queues are done commit 04c26faa51d1e2fe71cf13c45791f5174c37f986 upstream. On some host, a crash could be triggered simply by repeating these commands several times: # modprobe tipc # tipc bearer enable media udp name UDP1 localip 127.0.0.1 # rmmod tipc [] BUG: unable to handle kernel paging request at ffffffffc096bb00 [] Workqueue: events 0xffffffffc096bb00 [] Call Trace: [] ? process_one_work+0x1a7/0x360 [] ? worker_thread+0x30/0x390 [] ? create_worker+0x1a0/0x1a0 [] ? kthread+0x116/0x130 [] ? kthread_flush_work_fn+0x10/0x10 [] ? ret_from_fork+0x35/0x40 When removing the TIPC module, the UDP tunnel sock will be delayed to release in a work queue as sock_release() can't be done in rtnl_lock(). If the work queue is schedule to run after the TIPC module is removed, kernel will crash as the work queue function cleanup_beareri() code no longer exists when trying to invoke it. To fix it, this patch introduce a member wq_count in tipc_net to track the numbers of work queues in schedule, and wait and exit until all work queues are done in tipc_exit_net(). Fixes: d0f91938bede ("tipc: add ip/udp media type") Reported-by: Shuang Li Signed-off-by: Xin Long Acked-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5875860d7a751bfb295915a2a51e6f104ab6159f Author: Hoang Le Date: Fri May 14 08:23:03 2021 +0700 Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv" commit 75016891357a628d2b8acc09e2b9b2576c18d318 upstream. This reverts commit 6bf24dc0cc0cc43b29ba344b66d78590e687e046. Above fix is not correct and caused memory leak issue. Fixes: 6bf24dc0cc0c ("net:tipc: Fix a double free in tipc_sk_mcast_rcv") Acked-by: Jon Maloy Acked-by: Tung Nguyen Signed-off-by: Hoang Le Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2f2ab04a5c1a6125b2254edc77587937a833413e Author: NeilBrown Date: Mon May 17 09:59:10 2021 +1000 SUNRPC in case of backlog, hand free slots directly to waiting task commit e877a88d1f069edced4160792f42c2a8e2dba942 upstream. If sunrpc.tcp_max_slot_table_entries is small and there are tasks on the backlog queue, then when a request completes it is freed and the first task on the queue is woken. The expectation is that it will wake and claim that request. However if it was a sync task and the waiting process was killed at just that moment, it will wake and NOT claim the request. As long as TASK_CONGESTED remains set, requests can only be claimed by tasks woken from the backlog, and they are woken only as requests are freed, so when a task doesn't claim a request, no other task can ever get that request until TASK_CONGESTED is cleared. Each time this happens the number of available requests is decreased by one. With a sufficiently high workload and sufficiently low setting of max_slot (16 in the case where this was seen), TASK_CONGESTED can remain set for an extended period, and the above scenario (of a process being killed just as its task was woken) can repeat until no requests can be allocated. Then traffic stops. This patch addresses the problem by introducing a positive handover of a request from a completing task to a backlog task - the request is never freed when there is a backlog. When a task is woken it might not already have a request attached in which case it is *not* freed (as with current code) but is initialised (if needed) and used. If it isn't used it will eventually be freed by rpc_exit_task(). xprt_release() is enhanced to be able to correctly release an uninitialised request. Fixes: ba60eb25ff6b ("SUNRPC: Fix a livelock problem in the xprt->backlog queue") Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 068ecf1c3f1816758906c58365d0c2718a453d36 Author: David Matlack Date: Fri May 21 17:38:28 2021 +0000 KVM: selftests: Fix 32-bit truncation of vm_get_max_gfn() commit ef4c9f4f654622fa15b7a94a9bd1f19e76bb7feb upstream. vm_get_max_gfn() casts vm->max_gfn from a uint64_t to an unsigned int, which causes the upper 32-bits of the max_gfn to get truncated. Nobody noticed until now likely because vm_get_max_gfn() is only used as a mechanism to create a memslot in an unused region of the guest physical address space (the top), and the top of the 32-bit physical address space was always good enough. This fix reveals a bug in memslot_modification_stress_test which was trying to create a dummy memslot past the end of guest physical memory. Fix that by moving the dummy memslot lower. Fixes: 52200d0d944e ("KVM: selftests: Remove duplicate guest mode handling") Reviewed-by: Venkatesh Srinivas Signed-off-by: David Matlack Message-Id: <20210521173828.1180619-1-dmatlack@google.com> Reviewed-by: Andrew Jones Reviewed-by: Peter Xu Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 06c97a5bbeb3cef11a1473bdd139f7dcc0b896a6 Author: Joe Richey Date: Fri May 21 01:58:43 2021 -0700 KVM: X86: Use _BITUL() macro in UAPI headers commit fb1070d18edb37daf3979662975bc54625a19953 upstream. Replace BIT() in KVM's UPAI header with _BITUL(). BIT() is not defined in the UAPI headers and its usage may cause userspace build errors. Fixes: fb04a1eddb1a ("KVM: X86: Implement ring-based dirty memory tracking") Signed-off-by: Joe Richey Message-Id: <20210521085849.37676-3-joerichey94@gmail.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3ce7c5a7bbb65d135cf26409fa35d462bdfe913f Author: Wanpeng Li Date: Thu May 27 17:01:36 2021 -0700 KVM: X86: Fix warning caused by stale emulation context commit da6393cdd8aaa354b3a2437cd73ebb34cac958e3 upstream. Reported by syzkaller: WARNING: CPU: 7 PID: 10526 at linux/arch/x86/kvm//x86.c:7621 x86_emulate_instruction+0x41b/0x510 [kvm] RIP: 0010:x86_emulate_instruction+0x41b/0x510 [kvm] Call Trace: kvm_mmu_page_fault+0x126/0x8f0 [kvm] vmx_handle_exit+0x11e/0x680 [kvm_intel] vcpu_enter_guest+0xd95/0x1b40 [kvm] kvm_arch_vcpu_ioctl_run+0x377/0x6a0 [kvm] kvm_vcpu_ioctl+0x389/0x630 [kvm] __x64_sys_ioctl+0x8e/0xd0 do_syscall_64+0x3c/0xb0 entry_SYSCALL_64_after_hwframe+0x44/0xae Commit 4a1e10d5b5d8 ("KVM: x86: handle hardware breakpoints during emulation()) adds hardware breakpoints check before emulation the instruction and parts of emulation context initialization, actually we don't have the EMULTYPE_NO_DECODE flag here and the emulation context will not be reused. Commit c8848cee74ff ("KVM: x86: set ctxt->have_exception in x86_decode_insn()) triggers the warning because it catches the stale emulation context has #UD, however, it is not during instruction decoding which should result in EMULATION_FAILED. This patch fixes it by moving the second part emulation context initialization into init_emulate_ctxt() and before hardware breakpoints check. The ctxt->ud will be dropped by a follow-up patch. syzkaller source: https://syzkaller.appspot.com/x/repro.c?x=134683fdd00000 Reported-by: syzbot+71271244f206d17f6441@syzkaller.appspotmail.com Fixes: 4a1e10d5b5d8 (KVM: x86: handle hardware breakpoints during emulation) Signed-off-by: Wanpeng Li Reviewed-by: Sean Christopherson Message-Id: <1622160097-37633-1-git-send-email-wanpengli@tencent.com> Signed-off-by: Greg Kroah-Hartman commit 844d154523cdd230231f34b44fb6e815edda34c1 Author: Ariel Levkovich Date: Wed Mar 31 10:09:02 2021 +0300 net/mlx5: Set term table as an unmanaged flow table commit 6ff51ab8aa8fcbcddeeefce8ca705b575805d12b upstream. Termination tables are restricted to have the default miss action and cannot be set to forward to another table in case of a miss. If the fs prio of the termination table is not the last one in the list, fs_core will attempt to attach it to another table. Set the unmanaged ft flag when creating the termination table ft and select the tc offload prio for it to prevent fs_core from selecting the forwarding to next ft miss action and use the default one. In addition, set the flow that forwards to the termination table to ignore ft level restrictions since the ft level is not set by fs_core for unamanged fts. Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink") Signed-off-by: Ariel Levkovich Signed-off-by: Greg Kroah-Hartman commit c1780dc23a0d82e9332cb323251b96ae67e7e6e2 Author: Maor Gottlieb Date: Wed May 12 13:52:27 2021 +0300 {net, RDMA}/mlx5: Fix override of log_max_qp by other device commit 3410fbcd47dc6479af4309febf760ccaa5efb472 upstream. mlx5_core_dev holds pointer to static profile, hence when the log_max_qp of the profile is override by some device, then it effect all other mlx5 devices that share the same profile. Fix it by having a profile instance for every mlx5 device. Fixes: 883371c453b9 ("net/mlx5: Check FW limitations on log_max_qp before setting it") Signed-off-by: Maor Gottlieb Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 96941617da28aeb7d061e9d8ee35dccb3e03524a Author: Vladyslav Tarasiuk Date: Sun May 9 09:43:18 2021 +0300 net/mlx4: Fix EEPROM dump support commit db825feefc6868896fed5e361787ba3bee2fd906 upstream. Fix SFP and QSFP* EEPROM queries by setting i2c_address, offset and page number correctly. For SFP set the following params: - I2C address for offsets 0-255 is 0x50. For 256-511 - 0x51. - Page number is zero. - Offset is 0-255. At the same time, QSFP* parameters are different: - I2C address is always 0x50. - Page number is not limited to zero. - Offset is 0-255 for page zero and 128-255 for others. To set parameters accordingly to cable used, implement function to query module ID and implement respective helper functions to set parameters correctly. Fixes: 135dd9594f12 ("net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query") Signed-off-by: Vladyslav Tarasiuk Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit bdfd3593a8248eea6ecfcbf7b47b56b86515672d Author: Roi Dayan Date: Mon May 3 18:01:02 2021 +0300 net/mlx5e: Fix null deref accessing lag dev commit 83026d83186bc48bb41ee4872f339b83f31dfc55 upstream. It could be the lag dev is null so stop processing the event. In bond_enslave() the active/backup slave being set before setting the upper dev so first event is without an upper dev. After setting the upper dev with bond_master_upper_dev_link() there is a second event and in that event we have an upper dev. Fixes: 7e51891a237f ("net/mlx5e: Use netdev events to set/del egress acl forward-to-vport rule") Signed-off-by: Roi Dayan Reviewed-by: Maor Dickman Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit bb7b3de0c02d899a60f242a89fac6eb3e887174c Author: Jianbo Liu Date: Fri Apr 30 06:58:29 2021 +0000 net/mlx5: Set reformat action when needed for termination rules commit 442b3d7b671bcb779ebdad46edd08051eb8b28d9 upstream. For remote mirroring, after the tunnel packets are received, they are decapsulated and sent to representor, then re-encapsulated and sent out over another tunnel. So reformat action is set only when the destination is required to do encapsulation. Fixes: 249ccc3c95bd ("net/mlx5e: Add support for offloading traffic from uplink to uplink") Signed-off-by: Jianbo Liu Reviewed-by: Ariel Levkovich Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit efe56592221e1bf58e07c57bf76da46d8f1873ac Author: Dima Chumak Date: Mon Apr 26 15:16:26 2021 +0300 net/mlx5e: Fix nullptr in add_vlan_push_action() commit dca59f4a791960ec73fa15803faa0abe0f92ece2 upstream. The result of dev_get_by_index_rcu() is not checked for NULL and then gets dereferenced immediately. Also, the RCU lock must be held by the caller of dev_get_by_index_rcu(), which isn't satisfied by the call stack. Fix by handling nullptr return value when iflink device is not found. Add RCU locking around dev_get_by_index_rcu() to avoid possible adverse effects while iterating over the net_device's hlist. It is safe not to increment reference count of the net_device pointer in case of a successful lookup, because it's already handled by VLAN code during VLAN device registration (see register_vlan_dev and netdev_upper_dev_link). Fixes: 278748a95aa3 ("net/mlx5e: Offload TC e-switch rules with egress VLAN device") Addresses-Coverity: ("Dereference null return value") Signed-off-by: Dima Chumak Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 5b577d261b476a3b6c71ea8ef72e61f4fbe7282f Author: Dima Chumak Date: Mon Apr 26 15:16:26 2021 +0300 net/mlx5e: Fix nullptr in mlx5e_tc_add_fdb_flow() commit fe7738eb3ca3631a75844e790f6cb576c0fe7b00 upstream. The result of __dev_get_by_index() is not checked for NULL, which then passed to mlx5e_attach_encap() and gets dereferenced. Also, in case of a successful lookup, the net_device reference count is not incremented, which may result in net_device pointer becoming invalid at any time during mlx5e_attach_encap() execution. Fix by using dev_get_by_index(), which does proper reference counting on the net_device pointer. Also, handle nullptr return value when mirred device is not found. It's safe to call dev_put() on the mirred net_device pointer, right after mlx5e_attach_encap() call, because it's not being saved/copied down the call chain. Fixes: 3c37745ec614 ("net/mlx5e: Properly deal with encap flows add/del under neigh update") Addresses-Coverity: ("Dereference null return value") Signed-off-by: Dima Chumak Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 8d9c41741be188c73e33017a2c2673d3206ace85 Author: Eli Cohen Date: Thu Apr 22 15:48:10 2021 +0300 {net,vdpa}/mlx5: Configure interface MAC into mpfs L2 table commit 7c9f131f366ab414691907fa0407124ea2b2f3bc upstream. net/mlx5: Expose MPFS configuration API MPFS is the multi physical function switch that bridges traffic between the physical port and any physical functions associated with it. The driver is required to add or remove MAC entries to properly forward incoming traffic to the correct physical function. We export the API to control MPFS so that other drivers, such as mlx5_vdpa are able to add MAC addresses of their network interfaces. The MAC address of the vdpa interface must be configured into the MPFS L2 address. Failing to do so could cause, in some NIC configurations, failure to forward packets to the vdpa network device instance. Fix this by adding calls to update the MPFS table. CC: CC: CC: Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported mlx5 devices") Signed-off-by: Eli Cohen Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 18db59b29a37fd961edd0d5136582e17b123c075 Author: Aya Levin Date: Wed Apr 21 14:26:31 2021 +0300 net/mlx5e: Fix error path of updating netdev queues commit 5e7923acbd86d0ff29269688d8a9c47ad091dd46 upstream. Avoid division by zero in the error flow. In the driver TC number can be either 1 or 8. When TC count is set to 1, driver zero netdev->num_tc. Hence, need to convert it back from 0 to 1 in the error flow. Fixes: fa3748775b92 ("net/mlx5e: Handle errors from netif_set_real_num_{tx,rx}_queues") Signed-off-by: Aya Levin Reviewed-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit df1bb7132047c41015e69d14a8d1e4a2db833029 Author: Dima Chumak Date: Tue Apr 13 22:43:08 2021 +0300 net/mlx5e: Fix multipath lag activation commit 97817fcc684ed01497bd19d0cd4dea699665b9cf upstream. When handling FIB_EVENT_ENTRY_REPLACE event for a new multipath route, lag activation can be missed if a stale (struct lag_mp)->mfi pointer exists, which was associated with an older multipath route that had been removed. Normally, when a route is removed, it triggers mlx5_lag_fib_event(), which handles FIB_EVENT_ENTRY_DEL and clears mfi pointer. But, if mlx5_lag_check_prereq() condition isn't met, for example when eswitch is in legacy mode, the fib event is skipped and mfi pointer becomes stale. Fix by resetting mfi pointer to NULL every time mlx5_lag_mp_init() is called. Fixes: 544fe7c2e654 ("net/mlx5e: Activate HW multipath and handle port affinity based on FIB events") Signed-off-by: Dima Chumak Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 16c012682565f640403e2a3f6bf0d8d09dc365a0 Author: Saeed Mahameed Date: Thu Feb 25 11:20:00 2021 -0800 net/mlx5e: reset XPS on error flow if netdev isn't registered yet commit 77ecd10d0a8aaa6e4871d8c63626e4c9fc5e47db upstream. mlx5e_attach_netdev can be called prior to registering the netdevice: Example stack: ipoib_new_child_link -> ipoib_intf_init-> rdma_init_netdev-> mlx5_rdma_setup_rn-> mlx5e_attach_netdev-> mlx5e_num_channels_changed -> mlx5e_set_default_xps_cpumasks -> netif_set_xps_queue -> __netif_set_xps_queue -> kmalloc If any later stage fails at any point after mlx5e_num_channels_changed() returns, XPS allocated maps will never be freed as they are only freed during netdev unregistration, which will never happen for yet to be registered netdevs. Fixes: 3909a12e7913 ("net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases") Signed-off-by: Saeed Mahameed Signed-off-by: Aya Levin Reviewed-by: Tariq Toukan Signed-off-by: Greg Kroah-Hartman commit b4b91033a0b11fe9ade58156cd9168f89f4a8c1a Author: Neil Armstrong Date: Fri Apr 30 10:27:44 2021 +0200 drm/meson: fix shutdown crash when component not probed commit 7cfc4ea78fc103ea51ecbacd9236abb5b1c490d2 upstream. When main component is not probed, by example when the dw-hdmi module is not loaded yet or in probe defer, the following crash appears on shutdown: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000038 ... pc : meson_drv_shutdown+0x24/0x50 lr : platform_drv_shutdown+0x20/0x30 ... Call trace: meson_drv_shutdown+0x24/0x50 platform_drv_shutdown+0x20/0x30 device_shutdown+0x158/0x360 kernel_restart_prepare+0x38/0x48 kernel_restart+0x18/0x68 __do_sys_reboot+0x224/0x250 __arm64_sys_reboot+0x24/0x30 ... Simply check if the priv struct has been allocated before using it. Fixes: fa0c16caf3d7 ("drm: meson_drv add shutdown function") Reported-by: Stefan Agner Signed-off-by: Neil Armstrong Tested-by: Martin Blumenstingl Reviewed-by: Martin Blumenstingl Link: https://patchwork.freedesktop.org/patch/msgid/20210430082744.3638743-1-narmstrong@baylibre.com Signed-off-by: Greg Kroah-Hartman commit dd7f6cf84148d7604b5dee26ddd390b6dd4df90b Author: Zhang Xiaoxu Date: Tue May 25 23:32:35 2021 -0400 NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config commit e67afa7ee4a59584d7253e45d7f63b9528819a13 upstream. Since commit bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors"), nfs42_proc_llseek would return -EOPNOTSUPP rather than -ENOTSUPP when SEEK_DATA on NFSv4.0/v4.1. This will lead xfstests generic/285 not run on NFSv4.0/v4.1 when set the CONFIG_NFS_V4_2, rather than run failed. Fixes: bdcc2cd14e4e ("NFSv4.2: handle NFS-specific llseek errors") Cc: # 4.2 Signed-off-by: Zhang Xiaoxu Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 2fe1cac336b55a1f79e603e9ce3552c3623e90eb Author: Trond Myklebust Date: Tue May 25 10:40:12 2021 -0400 NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() commit 0d0ea309357dea0d85a82815f02157eb7fcda39f upstream. The value of mirror->pg_bytes_written should only be updated after a successful attempt to flush out the requests on the list. Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer") Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 15ac6f14787649e8ebd75c142e2c5d2a243c8490 Author: Trond Myklebust Date: Tue May 25 10:23:05 2021 -0400 NFS: Fix an Oopsable condition in __nfs_pageio_add_request() commit 56517ab958b7c11030e626250c00b9b1a24b41eb upstream. Ensure that nfs_pageio_error_cleanup() resets the mirror array contents, so that the structure reflects the fact that it is now empty. Also change the test in nfs_pageio_do_add_request() to be more robust by checking whether or not the list is empty rather than relying on the value of pg_count. Fixes: a7d42ddb3099 ("nfs: add mirroring support to pgio layer") Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit d34fb628f6ef522f996205a9e578216bbee09e84 Author: Dan Carpenter Date: Tue May 11 11:49:42 2021 +0300 NFS: fix an incorrect limit in filelayout_decode_layout() commit 769b01ea68b6c49dc3cde6adf7e53927dacbd3a8 upstream. The "sizeof(struct nfs_fh)" is two bytes too large and could lead to memory corruption. It should be NFS_MAXFHSIZE because that's the size of the ->data[] buffer. I reversed the size of the arguments to put the variable on the left. Fixes: 16b374ca439f ("NFSv4.1: pnfs: filelayout: add driver's LAYOUTGET and GETDEVICEINFO infrastructure") Signed-off-by: Dan Carpenter Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 23c2530fc75da1a9e98aa8e14c8bf6f949433aff Author: zhouchuangao Date: Sun May 9 19:34:37 2021 -0700 fs/nfs: Use fatal_signal_pending instead of signal_pending commit bb002388901151fe35b6697ab116f6ed0721a9ed upstream. We set the state of the current process to TASK_KILLABLE via prepare_to_wait(). Should we use fatal_signal_pending() to detect the signal here? Fixes: b4868b44c562 ("NFSv4: Wait for stateid updates after CLOSE/OPEN_DOWNGRADE") Signed-off-by: zhouchuangao Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit 3178e0a38f204a61ed4fe5739d6a4732879b34d1 Author: Thadeu Lima de Souza Cascardo Date: Tue Apr 13 13:21:03 2021 -0300 Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails commit 8da3a0b87f4f1c3a3bbc4bfb78cf68476e97d183 upstream. When cmtp_attach_device fails, cmtp_add_connection returns the error value which leads to the caller to doing fput through sockfd_put. But cmtp_session kthread, which is stopped in this path will also call fput, leading to a potential refcount underflow or a use-after-free. Add a refcount before we signal the kthread to stop. The kthread will try to grab the cmtp_session_sem mutex before doing the fput, which is held when get_file is called, so there should be no races there. Reported-by: Ryota Shiga Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 70c886ac93f87ae7214a0c69151a28a8075dd95b Author: Pavel Skripkin Date: Mon May 24 23:02:08 2021 +0300 net: usb: fix memory leak in smsc75xx_bind commit 46a8b29c6306d8bbfd92b614ef65a47c900d8e70 upstream. Syzbot reported memory leak in smsc75xx_bind(). The problem was is non-freed memory in case of errors after memory allocation. backtrace: [] kmalloc include/linux/slab.h:556 [inline] [] kzalloc include/linux/slab.h:686 [inline] [] smsc75xx_bind+0x7a/0x334 drivers/net/usb/smsc75xx.c:1460 [] usbnet_probe+0x3b6/0xc30 drivers/net/usb/usbnet.c:1728 Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver") Cc: stable@kernel.vger.org Reported-and-tested-by: syzbot+b558506ba8165425fee2@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1e0578764d99c6c39564feb7385f536bf7ac36d2 Author: Kyle Tso Date: Sun May 23 09:58:55 2021 +0800 usb: typec: tcpm: Respond Not_Supported if no snk_vdo commit a20dcf53ea9836387b229c4878f9559cf1b55b71 upstream. If snk_vdo is not populated from fwnode, it implies the port does not support responding to SVDM commands. Not_Supported Message shall be sent if the contract is in PD3. And for PD2, the port shall ignore the commands. Fixes: 193a68011fdc ("staging: typec: tcpm: Respond to Discover Identity commands") Cc: stable Reviewed-by: Guenter Roeck Acked-by: Heikki Krogerus Signed-off-by: Kyle Tso Link: https://lore.kernel.org/r/20210523015855.1785484-3-kyletso@google.com Signed-off-by: Greg Kroah-Hartman commit 5d6663b753192296620a3a5161293c6be3165861 Author: Kyle Tso Date: Sun May 23 09:58:54 2021 +0800 usb: typec: tcpm: Properly interrupt VDM AMS commit 0bc3ee92880d910a1d100b73a781904f359e1f1c upstream. When a VDM AMS is interrupted by Messages other than VDM, the AMS needs to be finished properly. Also start a VDM AMS if receiving SVDM Commands from the port partner to complement the functionality of tcpm_vdm_ams(). Fixes: 0908c5aca31e ("usb: typec: tcpm: AMS and Collision Avoidance") Cc: stable Reviewed-by: Guenter Roeck Acked-by: Heikki Krogerus Signed-off-by: Kyle Tso Link: https://lore.kernel.org/r/20210523015855.1785484-2-kyletso@google.com Signed-off-by: Greg Kroah-Hartman commit 4a718eb4f27e0f4e86fb21f0abf6d7a99f450a0b Author: Andy Shevchenko Date: Wed May 19 13:03:58 2021 +0300 usb: typec: tcpm: Use LE to CPU conversion when accessing msg->header commit c58bbe3477f75deb7883983e6cf428404a107555 upstream. Sparse is not happy about strict type handling: .../typec/tcpm/tcpm.c:2720:27: warning: restricted __le16 degrades to integer .../typec/tcpm/tcpm.c:2814:32: warning: restricted __le16 degrades to integer Fix this by converting LE to CPU before use. Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together") Fixes: 64f7c494a3c0 ("typec: tcpm: Add support for sink PPS related messages") Cc: stable Cc: Adam Thomson Reviewed-by: Guenter Roeck Reviewed-by: Adam Thomson Reviewed-by: Heikki Krogerus Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210519100358.64018-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ad4505a13725e0af88ad868c37b4ab34d6d3dde3 Author: Bjorn Andersson Date: Sat May 15 21:09:53 2021 -0700 usb: typec: ucsi: Clear pending after acking connector change commit 8c9b3caab3ac26db1da00b8117901640c55a69dd upstream. It's possible that the interrupt handler for the UCSI driver signals a connector changes after the handler clears the PENDING bit, but before it has sent the acknowledge request. The result is that the handler is invoked yet again, to ack the same connector change. At least some versions of the Qualcomm UCSI firmware will not handle the second - "spurious" - acknowledgment gracefully. So make sure to not clear the pending flag until the change is acknowledged. Any connector changes coming in after the acknowledgment, that would have the pending flag incorrectly cleared, would afaict be covered by the subsequent connector status check. Fixes: 217504a05532 ("usb: typec: ucsi: Work around PPM losing change information") Cc: stable Reviewed-by: Heikki Krogerus Acked-By: Benjamin Berg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20210516040953.622409-1-bjorn.andersson@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit d922fb83ad32c68c956630d8ac34ae083a7ea60c Author: Bjorn Andersson Date: Sat May 15 20:47:30 2021 -0700 usb: typec: mux: Fix matching with typec_altmode_desc commit acf5631c239dfc53489f739c4ad47f490c5181ff upstream. In typec_mux_match() "nval" is assigned the number of elements in the "svid" fwnode property, then the variable is used to store the success of the read and finally attempts to loop between 0 and "success" - i.e. not at all - and the code returns indicating that no match was found. Fix this by using a separate variable to track the success of the read, to allow the loop to get a change to find a match. Fixes: 96a6d031ca99 ("usb: typec: mux: Find the muxes by also matching against the device node") Reviewed-by: Heikki Krogerus Cc: stable Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20210516034730.621461-1-bjorn.andersson@linaro.org Signed-off-by: Greg Kroah-Hartman commit ef05cdbd1429ea67f63d59c6f58c679fedc2f3d8 Author: Yoshihiro Shimoda Date: Mon May 24 15:01:55 2021 +0900 usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() commit e752dbc59e1241b13b8c4f7b6eb582862e7668fe upstream. The usb3_start_pipen() is called by renesas_usb3_ep_queue() and usb3_request_done_pipen() so that usb3_start_pipen() is possible to cause a race when getting usb3_first_req like below: renesas_usb3_ep_queue() spin_lock_irqsave() list_add_tail() spin_unlock_irqrestore() usb3_start_pipen() usb3_first_req = usb3_get_request() --- [1] --- interrupt --- usb3_irq_dma_int() usb3_request_done_pipen() usb3_get_request() usb3_start_pipen() usb3_first_req = usb3_get_request() ... (the req is possible to be finished in the interrupt) The usb3_first_req [1] above may have been finished after the interrupt ended so that this driver caused to start a transfer wrongly. To fix this issue, getting/checking the usb3_first_req are under spin_lock_irqsave() in the same section. Fixes: 746bfe63bba3 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller") Cc: stable Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20210524060155.1178724-1-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Greg Kroah-Hartman commit d26749d23e4e0d7d8c1bf2d13758cc5f8f66ca48 Author: Thinh Nguyen Date: Wed May 12 20:17:09 2021 -0700 usb: dwc3: gadget: Properly track pending and queued SG commit 25dda9fc56bd90d45f9a4516bcfa5211e61b4290 upstream. The driver incorrectly uses req->num_pending_sgs to track both the number of pending and queued SG entries. It only prepares the next request if the previous is done, and it doesn't update num_pending_sgs until there is TRB completion interrupt. This may starve the controller of more TRBs until the num_pending_sgs is decremented. Fix this by decrementing the num_pending_sgs after they are queued and properly track both num_mapped_sgs and num_queued_sgs. Fixes: c96e6725db9d ("usb: dwc3: gadget: Correct the logic for queuing sgs") Cc: Reported-by: Michael Grzeschik Tested-by: Michael Grzeschik Acked-by: Felipe Balbi Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/ba24591dbcaad8f244a3e88bd449bb7205a5aec3.1620874069.git.Thinh.Nguyen@synopsys.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 7add012b45bf71d000da734b1960e6faef09fbe7 Author: Srinivas Pandruvada Date: Fri Apr 30 05:23:43 2021 -0700 thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID commit eb8500b874cf295971a6a2a04e14eb0854197a3c upstream. After commit 81ad4276b505 ("Thermal: Ignore invalid trip points") all user_space governor notifications via RW trip point is broken in intel thermal drivers. This commits marks trip_points with value of 0 during call to thermal_zone_device_register() as invalid. RW trip points can be 0 as user space will set the correct trip temperature later. During driver init, x86_package_temp and all int340x drivers sets RW trip temperature as 0. This results in all these trips marked as invalid by the thermal core. To fix this initialize RW trips to THERMAL_TEMP_INVALID instead of 0. Cc: Signed-off-by: Srinivas Pandruvada Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20210430122343.1789899-1-srinivas.pandruvada@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 21793eca9e1ceee06ccb8aced02b71a9254052ea Author: Zolton Jheng Date: Mon May 10 10:32:00 2021 +0800 USB: serial: pl2303: add device id for ADLINK ND-6530 GC commit f8e8c1b2f782e7391e8a1c25648ce756e2a7d481 upstream. This adds the device id for the ADLINK ND-6530 which is a PL2303GC based device. Signed-off-by: Zolton Jheng Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 6184000d8c3b9aed194015858ccd4bd0f4d18b99 Author: Dominik Andreas Schorpp Date: Thu Apr 22 09:58:52 2021 +0200 USB: serial: ftdi_sio: add IDs for IDS GmbH Products commit c5a80540e425a5f9a82b0f3163e3b6a4331f33bc upstream. Add the IDS GmbH Vendor ID and the Product IDs for SI31A (2xRS232) and CM31A (LoRaWAN Modem). Signed-off-by: Dominik Andreas Schorpp Signed-off-by: Juergen Borleis Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 29dde1a461c946fcf2878f9e8f99950578cccdbd Author: Daniele Palmas Date: Wed Apr 28 09:26:34 2021 +0200 USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 commit e467714f822b5d167a7fb03d34af91b5b6af1827 upstream. Add support for the following Telit LE910-S1 compositions: 0x7010: rndis, tty, tty, tty 0x7011: ecm, tty, tty, tty Signed-off-by: Daniele Palmas Link: https://lore.kernel.org/r/20210428072634.5091-1-dnlplm@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7d4d3d9ea9b01bcd620a2daa2331c6a0825ef655 Author: Sean MacLennan Date: Sat May 1 20:40:45 2021 -0400 USB: serial: ti_usb_3410_5052: add startech.com device id commit 89b1a3d811e6f8065d6ae8a25e7682329b4a31e2 upstream. This adds support for the Startech.com generic serial to USB converter. It seems to be a bone stock TI_3410. I have been using this patch for years. Signed-off-by: Sean MacLennan Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 9b07b6973f7359e2dd6a9fe6db0c142634c823b7 Author: Zheyu Ma Date: Fri May 21 06:08:43 2021 +0000 serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' commit 016002848c82eeb5d460489ce392d91fe18c475c upstream. In 'rp2_probe', the driver registers 'rp2_uart_interrupt' then calls 'rp2_fw_cb' through 'request_firmware_nowait'. In 'rp2_fw_cb', if the firmware don't exists, function just return without initializing ports of 'rp2_card'. But now the interrupt handler function has been registered, and when an interrupt comes, 'rp2_uart_interrupt' may access those ports then causing NULL pointer dereference or other bugs. Because the driver does some initialization work in 'rp2_fw_cb', in order to make the driver ready to handle interrupts, 'request_firmware' should be used instead of asynchronous 'request_firmware_nowait'. This report reveals it: INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xec/0x156 lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:727 [inline] register_lock_class+0x14e5/0x1ba0 kernel/locking/lockdep.c:753 __lock_acquire+0x187/0x3750 kernel/locking/lockdep.c:3303 lock_acquire+0x124/0x340 kernel/locking/lockdep.c:3907 __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] _raw_spin_lock+0x32/0x50 kernel/locking/spinlock.c:144 spin_lock include/linux/spinlock.h:329 [inline] rp2_ch_interrupt drivers/tty/serial/rp2.c:466 [inline] rp2_asic_interrupt.isra.9+0x15d/0x990 drivers/tty/serial/rp2.c:493 rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200 RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840 R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002 R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 8000000056d27067 P4D 8000000056d27067 PUD 56d28067 PMD 0 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef-dirty #45 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59- gc9ba5276e321-prebuilt.qemu.org 04/01/2014 RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline] RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline] RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c: 493 Code: df e8 43 5d c2 05 48 8d 83 e8 01 00 00 48 89 85 60 ff ff ff 48 c1 e8 03 42 80 3c 30 00 0f 85 aa 07 00 00 48 8b 83 e8 01 00 00 <8b> 40 10 89 c1 89 85 68 ff ff ff 48 8b 83 e8 01 00 00 89 48 10 83 RSP: 0018:ffff88806c287cd0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffff88806ade6820 RCX: ffffffff814300b1 RDX: 1ffff1100d5bcd06 RSI: 0000000000000004 RDI: ffff88806ade6820 RBP: ffff88806c287db8 R08: ffffed100d5bcd05 R09: ffffed100d5bcd05 R10: 0000000000000001 R11: ffffed100d5bcd04 R12: ffffc90001e00000 R13: ffff888069654e10 R14: dffffc0000000000 R15: ffff888069654df0 FS: 0000000000000000(0000) GS:ffff88806c280000(0000) knlGS: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000006892c000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rp2_uart_interrupt+0x49/0xe0 drivers/tty/serial/rp2.c:504 __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 c2 2f 8c 48 89 e5 e8 fb 31 e7 f8 8b 05 75 af 8d 03 85 c0 7e 07 0f 00 2d 8a 61 65 00 fb f4 <5d> c3 90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde RAX: 0000000000000000 RBX: ffffffff8bde7e48 RCX: ffffffff88a21285 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2fc200 RBP: ffff88806b71fcc8 R08: fffffbfff185f840 R09: fffffbfff185f840 R10: 0000000000000001 R11: fffffbfff185f840 R12: 0000000000000002 R13: ffffffff8bea18a0 R14: 0000000000000000 R15: 0000000000000000 arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 cpuidle_idle_call kernel/sched/idle.c:153 [inline] do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 Modules linked in: Dumping ftrace buffer: (ftrace buffer empty) CR2: 0000000000000010 ---[ end trace 11804dbb55cb1a64 ]--- RIP: 0010:readl arch/x86/include/asm/io.h:59 [inline] RIP: 0010:rp2_ch_interrupt drivers/tty/serial/rp2.c:472 [inline] RIP: 0010:rp2_asic_interrupt.isra.9+0x181/0x990 drivers/tty/serial/rp2.c: 493 Code: df e8 43 5d c2 05 48 8d 83 e8 01 00 00 48 89 85 60 ff ff ff 48 c1 e8 03 42 80 3c 30 00 0f 85 aa 07 00 00 48 8b 83 e8 01 00 00 <8b> 40 10 89 c1 89 85 68 ff ff ff 48 8b 83 e8 01 00 00 89 48 10 83 RSP: 0018:ffff88806c287cd0 EFLAGS: 00010046 RAX: 0000000000000000 RBX: ffff88806ade6820 RCX: ffffffff814300b1 RDX: 1ffff1100d5bcd06 RSI: 0000000000000004 RDI: ffff88806ade6820 RBP: ffff88806c287db8 R08: ffffed100d5bcd05 R09: ffffed100d5bcd05 R10: 0000000000000001 R11: ffffed100d5bcd04 R12: ffffc90001e00000 R13: ffff888069654e10 R14: dffffc0000000000 R15: ffff888069654df0 FS: 0000000000000000(0000) GS:ffff88806c280000(0000) knlGS: 0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000006892c000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Reported-by: Zheyu Ma Signed-off-by: Zheyu Ma Link: https://lore.kernel.org/r/1621577323-1541-1-git-send-email-zheyuma97@gmail.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 6236ec3f21bb0530de2ff2c84c50f3189696d486 Author: Geert Uytterhoeven Date: Mon May 10 14:07:55 2021 +0200 serial: sh-sci: Fix off-by-one error in FIFO threshold register setting commit 2ea2e019c190ee3973ef7bcaf829d8762e56e635 upstream. The Receive FIFO Data Count Trigger field (RTRG[6:0]) in the Receive FIFO Data Count Trigger Register (HSRTRGR) of HSCIF can only hold values ranging from 0-127. As the FIFO size is equal to 128 on HSCIF, the user can write an out-of-range value, touching reserved bits. Fix this by limiting the trigger value to the FIFO size minus one. Reverse the order of the checks, to avoid rx_trig becoming zero if the FIFO size is one. Note that this change has no impact on other SCIF variants, as their maximum supported trigger value is lower than the FIFO size anyway, and the code below takes care of enforcing these limits. Fixes: a380ed461f66d1b8 ("serial: sh-sci: implement FIFO threshold register setting") Reported-by: Linh Phung Reviewed-by: Wolfram Sang Reviewed-by: Ulrich Hecht Signed-off-by: Geert Uytterhoeven Cc: stable Link: https://lore.kernel.org/r/5eff320aef92ffb33d00e57979fd3603bbb4a70f.1620648218.git.geert+renesas@glider.be Signed-off-by: Greg Kroah-Hartman commit de80eef5508ad13bacee8fee713a6f4f831383f2 Author: Colin Ian King Date: Mon Apr 26 11:55:14 2021 +0100 serial: tegra: Fix a mask operation that is always true commit 3ddb4ce1e6e3bd112778ab93bbd9092f23a878ec upstream. Currently the expression lsr | UART_LSR_TEMT is always true and this seems suspect. I believe the intent was to mask lsr with UART_LSR_TEMT to check that bit, so the expression should be using the & operator instead. Fix this. Fixes: b9c2470fb150 ("serial: tegra: flush the RX fifo on frame error") Signed-off-by: Colin Ian King Cc: stable Link: https://lore.kernel.org/r/20210426105514.23268-1-colin.king@canonical.com Signed-off-by: Greg Kroah-Hartman commit 252c23915546863685ecc68cb3a39e7e80c6c9d4 Author: Rafael J. Wysocki Date: Fri May 14 14:10:15 2021 +0200 drivers: base: Fix device link removal commit 80dd33cf72d1ab4f0af303f1fa242c6d6c8d328f upstream. When device_link_free() drops references to the supplier and consumer devices of the device link going away and the reference being dropped turns out to be the last one for any of those device objects, its ->release callback will be invoked and it may sleep which goes against the SRCU callback execution requirements. To address this issue, make the device link removal code carry out the device_link_free() actions preceded by SRCU synchronization from a separate work item (the "long" workqueue is used for that, because it does not matter when the device link memory is released and it may take time to get to that point) instead of using SRCU callbacks. While at it, make the code work analogously when SRCU is not enabled to reduce the differences between the SRCU and non-SRCU cases. Fixes: 843e600b8a2b ("driver core: Fix sleeping in invalid context during device link deletion") Cc: stable Reported-by: chenxiang (M) Tested-by: chenxiang (M) Reviewed-by: Saravana Kannan Signed-off-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/5722787.lOV4Wx5bFT@kreacher Signed-off-by: Greg Kroah-Hartman commit 4f4bff172f2f075ba0744b982e5c3b0eb79ef22d Author: Mathias Nyman Date: Tue May 25 10:41:00 2021 +0300 xhci: Fix 5.12 regression of missing xHC cache clearing command after a Stall commit a7f2e9272aff1ccfe0fc801dab1d5a7a1c6b7ed2 upstream. If endpoints halts due to a stall then the dequeue pointer read from hardware may already be set ahead of the stalled TRB. After commit 674f8438c121 ("xhci: split handling halted endpoints into two steps") in 5.12 xhci driver won't issue a Set TR Dequeue if hardware dequeue pointer is already in the right place. Turns out the "Set TR Dequeue pointer" command is anyway needed as it in addition to moving the dequeue pointer also clears endpoint state and cache. Fixes: 674f8438c121 ("xhci: split handling halted endpoints into two steps") Cc: # 5.12 Reported-by: Peter Ganzhorn Tested-by: Peter Ganzhorn Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210525074100.1154090-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 1f3b2177d46f9ea598a4a47bb458840837841886 Author: Mathias Nyman Date: Tue May 25 10:40:59 2021 +0300 xhci: fix giving back URB with incorrect status regression in 5.12 commit a80c203c3f1c06d2201c19ae071d0ae770a2b1ca upstream. 5.12 kernel changes how xhci handles cancelled URBs and halted endpoints. Among these changes cancelled and stalled URBs are no longer given back before they are cleared from xHC hardware cache. These changes unfortunately cleared the -EPIPE status of a stalled transfer in one case before giving bak the URB, causing a USB card reader to fail from working. Fixes: 674f8438c121 ("xhci: split handling halted endpoints into two steps") Cc: # 5.12 Reported-by: Peter Ganzhorn Tested-by: Peter Ganzhorn Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20210525074100.1154090-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 9f7cb3f01a10d9064cf13b3d26fb7e7a5827d098 Author: Alan Stern Date: Tue May 18 16:18:35 2021 -0400 USB: usbfs: Don't WARN about excessively large memory allocations commit 4f2629ea67e7225c3fd292c7fe4f5b3c9d6392de upstream. Syzbot found that the kernel generates a WARNing if the user tries to submit a bulk transfer through usbfs with a buffer that is way too large. This isn't a bug in the kernel; it's merely an invalid request from the user and the usbfs code does handle it correctly. In theory the same thing can happen with async transfers, or with the packet descriptor table for isochronous transfers. To prevent the MM subsystem from complaining about these bad allocation requests, add the __GFP_NOWARN flag to the kmalloc calls for these buffers. CC: Andrew Morton CC: Reported-and-tested-by: syzbot+882a85c0c8ec4a3e2281@syzkaller.appspotmail.com Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/20210518201835.GA1140918@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit 51484429c6108154aba25b97b2e83097a6487e35 Author: Zhu Lingshan Date: Sat May 8 15:11:52 2021 +0800 Revert "irqbypass: do not start cons/prod when failed connect" commit e44b49f623c77bee7451f1a82ccfb969c1028ae2 upstream. This reverts commit a979a6aa009f3c99689432e0cdb5402a4463fb88. The reverted commit may cause VM freeze on arm64 with GICv4, where stopping a consumer is implemented by suspending the VM. Should the connect fail, the VM will not be resumed, which is a bit of a problem. It also erroneously calls the producer destructor unconditionally, which is unexpected. Reported-by: Shaokun Zhang Suggested-by: Marc Zyngier Acked-by: Jason Wang Acked-by: Michael S. Tsirkin Reviewed-by: Eric Auger Tested-by: Shaokun Zhang Signed-off-by: Zhu Lingshan [maz: tags and cc-stable, commit message update] Signed-off-by: Marc Zyngier Fixes: a979a6aa009f ("irqbypass: do not start cons/prod when failed connect") Link: https://lore.kernel.org/r/3a2c66d6-6ca0-8478-d24b-61e8e3241b20@hisilicon.com Link: https://lore.kernel.org/r/20210508071152.722425-1-lingshan.zhu@intel.com Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 9bc02a003a70dbbc94709f0829dc32ff82439ede Author: Johan Hovold Date: Fri May 21 15:31:09 2021 +0200 USB: trancevibrator: fix control-request direction commit 746e4acf87bcacf1406e05ef24a0b7139147c63e upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the set-speed request which erroneously used USB_DIR_IN and update the default timeout argument to match (same value). Fixes: 5638e4d92e77 ("USB: add PlayStation 2 Trance Vibrator driver") Cc: stable@vger.kernel.org # 2.6.19 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210521133109.17396-1-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit e3355f6bd0b9dbf7d47e513fdbde351b7a05483a Author: Christian Gmeiner Date: Thu May 27 11:54:40 2021 +0200 serial: 8250_pci: handle FL_NOIRQ board flag commit 9808f9be31c68af43f6e531f2c851ebb066513fe upstream. In commit 8428413b1d14 ("serial: 8250_pci: Implement MSI(-X) support") the way the irq gets allocated was changed. With that change the handling FL_NOIRQ got lost. Restore the old behaviour. Fixes: 8428413b1d14 ("serial: 8250_pci: Implement MSI(-X) support") Cc: Signed-off-by: Christian Gmeiner Link: https://lore.kernel.org/r/20210527095529.26281-1-christian.gmeiner@gmail.com Signed-off-by: Greg Kroah-Hartman commit 220d8ee78150080493736cac8f569934f85e6b25 Author: Randy Wright Date: Fri May 14 10:26:54 2021 -0600 serial: 8250_pci: Add support for new HPE serial device commit e0e24208792080135248f23fdf6d51aa2e04df05 upstream. Add support for new HPE serial device. It is MSI enabled, but otherwise similar to legacy HP server serial devices. Tested-by: Jerry Hoemann Signed-off-by: Randy Wright Cc: stable Link: https://lore.kernel.org/r/1621009614-28836-1-git-send-email-rwright@hpe.com Signed-off-by: Greg Kroah-Hartman commit e97a4d8f8b863daa7f1149fdc46029d1f439c698 Author: Maximilian Luz Date: Wed May 12 23:04:13 2021 +0200 serial: 8250_dw: Add device HID for new AMD UART controller commit 3c35d2a960c0077a4cb09bf4989f45d289332ea0 upstream. Add device HID AMDI0022 to the AMD UART controller driver match table and create a platform device for it. This controller can be found on Microsoft Surface Laptop 4 devices and seems similar enough that we can just copy the existing AMDI0020 entries. Cc: # 5.10+ Tested-by: Sachi King Acked-by: Andy Shevchenko # for 8250_dw part Signed-off-by: Maximilian Luz Link: https://lore.kernel.org/r/20210512210413.1982933-1-luzmaximilian@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7c94007495b281d657e7ca6d61acc9db3f02e765 Author: Andrew Jeffery Date: Thu May 20 11:43:33 2021 +0930 serial: 8250: Add UART_BUG_TXRACE workaround for Aspeed VUART commit df8f2be2fd0b44b2cb6077068f52e05f0ac40897 upstream. Aspeed Virtual UARTs directly bridge e.g. the system console UART on the LPC bus to the UART interface on the BMC's internal APB. As such there's no RS-232 signalling involved - the UART interfaces on each bus are directly connected as the producers and consumers of the one set of FIFOs. The APB in the AST2600 generally runs at 100MHz while the LPC bus peaks at 33MHz. The difference in clock speeds exposes a race in the VUART design where a Tx data burst on the APB interface can result in a byte lost on the LPC interface. The symptom is LSR[DR] remains clear on the LPC interface despite data being present in its Rx FIFO, while LSR[THRE] remains clear on the APB interface as the host has not consumed the data the BMC has transmitted. In this state, the UART has stalled and no further data can be transmitted without manual intervention (e.g. resetting the FIFOs, resulting in loss of data). The recommended work-around is to insert a read cycle on the APB interface between writes to THR. Cc: ChiaWei Wang Tested-by: ChiaWei Wang Reviewed-by: Jiri Slaby Signed-off-by: Andrew Jeffery Cc: stable Link: https://lore.kernel.org/r/20210520021334.497341-2-andrew@aj.id.au Signed-off-by: Greg Kroah-Hartman commit 0f9df705e0dd267570ce2b82aaab7ea342d2447b Author: Alexandru Ardelean Date: Thu May 13 15:07:44 2021 +0300 iio: adc: ad7192: handle regulator voltage error first commit b0f27fca5a6c7652e265aae6a4452ce2f2ed64da upstream. This change fixes a corner-case, where for a zero regulator value, the driver would exit early, initializing the driver only partially. The driver would be in an unknown state. This change reworks the code to check regulator_voltage() return value for negative (error) first, and return early. This is the more common idiom. Also, this change is removing the 'voltage_uv' variable and using the 'ret' value directly. The only place where 'voltage_uv' is being used is to compute the internal reference voltage, and the type of this variable is 'int' (same are for 'ret'). Using only 'ret' avoids having to assign it on the error path. Fixes: ab0afa65bbc7 ("staging: iio: adc: ad7192: fail probe on get_voltage") Cc: Alexandru Tachici Signed-off-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit d6e18ad1e127cf171e5bf4e17d7674d645dd02d1 Author: Jonathan Cameron Date: Thu May 13 15:07:43 2021 +0300 iio: adc: ad7192: Avoid disabling a clock that was never enabled. commit e32fe6d90f44922ccbb94016cfc3c238359e3e39 upstream. Found by inspection. If the internal clock source is being used, the driver doesn't call clk_prepare_enable() and as such we should not call clk_disable_unprepare() Use the same condition to protect the disable path as is used on the enable one. Note this will all get simplified when the driver moves over to a full devm_ flow, but that would make backporting the fix harder. Fix obviously predates move out of staging, but backporting will become more complex (and is unlikely to happen), hence that patch is given in the fixes tag. Alexandru's sign off is here because he added this patch into a larger series that Jonathan then applied. Fixes: b581f748cce0 ("staging: iio: adc: ad7192: move out of staging") Cc: Alexandru Tachici Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Greg Kroah-Hartman commit f4ab222b7d235ac0e134d844ee8d0fd051d7db15 Author: YueHaibing Date: Fri May 14 16:02:54 2021 +0800 iio: adc: ad7793: Add missing error code in ad7793_setup() commit 4ed243b1da169bcbc1ec5507867e56250c5f1ff9 upstream. Set error code while device ID query failed. Fixes: 88bc30548aae ("IIO: ADC: New driver for AD7792/AD7793 3 Channel SPI ADC") Signed-off-by: YueHaibing Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a4cfd59f1543b1555d71c3c699e68ae1b2c3eeba Author: Jonathan Cameron Date: Sat May 1 17:53:14 2021 +0100 iio: adc: ad7923: Fix undersized rx buffer. commit 01fcf129f61b26d5b3d2d8afb03e770dee271bc8 upstream. Fixes tag is where the max channels became 8, but timestamp space was missing before that. Fixes: 851644a60d20 ("iio: adc: ad7923: Add support for the ad7908/ad7918/ad7928") Signed-off-by: Jonathan Cameron Cc: Daniel Junho Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501165314.511954-3-jic23@kernel.org Cc: Signed-off-by: Greg Kroah-Hartman commit 26da8040eccc6c6b0e415e9a3baf72fd39eb2fdc Author: Jonathan Cameron Date: Thu May 13 15:07:42 2021 +0300 iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers commit f2a772c51206b0c3f262e4f6a3812c89a650191b upstream. Channel numbering must start at 0 and then not have any holes, or it is possible to overflow the available storage. Note this bug was introduced as part of a fix to ensure we didn't rely on the ordering of child nodes. So we need to support arbitrary ordering but they all need to be there somewhere. Note I hit this when using qemu to test the rest of this series. Arguably this isn't the best fix, but it is probably the most minimal option for backporting etc. Alexandru's sign-off is here because he carried this patch in a larger set that Jonathan then applied. Fixes: d7857e4ee1ba6 ("iio: adc: ad7124: Fix DT channel configuration") Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Greg Kroah-Hartman commit af7d9165fbb8ed80fcda8b744c1b7258fc7ef38b Author: Jonathan Cameron Date: Thu May 13 15:07:41 2021 +0300 iio: adc: ad7124: Fix missbalanced regulator enable / disable on error. commit 4573472315f0fa461330545ff2aa2f6da0b1ae76 upstream. If the devm_regulator_get() call succeeded but not the regulator_enable() then regulator_disable() would be called on a regulator that was not enabled. Fix this by moving regulator enabling / disabling over to devm_ management via devm_add_action_or_reset. Alexandru's sign-off here because he pulled Jonathan's patch into a larger set which Jonathan then applied. Fixes: b3af341bbd96 ("iio: adc: Add ad7124 support") Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Alexandru Ardelean Cc: Signed-off-by: Greg Kroah-Hartman commit a4bc913a0ef5eaba382a46a26d218e29d58c2495 Author: Jonathan Cameron Date: Sat May 1 17:53:13 2021 +0100 iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp() commit a1caeebab07e9d72eec534489f47964782b93ba9 upstream. Add space for the timestamp to be inserted. Also ensure correct alignment for passing to iio_push_to_buffers_with_timestamp() Fixes: a5f8c7da3dbe ("iio: adc: Add AD7768-1 ADC basic support") Signed-off-by: Jonathan Cameron Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210501165314.511954-2-jic23@kernel.org Cc: Signed-off-by: Greg Kroah-Hartman commit cd9c0a1a216d1fe36a47ed8da16f06dd07f6dcb9 Author: Andy Shevchenko Date: Mon May 10 12:56:49 2021 +0300 iio: dac: ad5770r: Put fwnode in error case during ->probe() commit 98b7b0ca0828907dbb706387c11356a45463e2ea upstream. device_for_each_child_node() bumps a reference counting of a returned variable. We have to balance it whenever we return to the caller. Fixes: cbbb819837f6 ("iio: dac: ad5770r: Add AD5770R support") Cc: Alexandru Tachici Signed-off-by: Andy Shevchenko Reviewed-by: Alexandru Ardelean Link: https://lore.kernel.org/r/20210510095649.3302835-1-andy.shevchenko@gmail.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 84ae19a9068f88a7cc4673c2b27b8d2321284693 Author: Rui Miguel Silva Date: Wed May 12 23:39:29 2021 +0100 iio: gyro: fxas21002c: balance runtime power in error path commit 2a54c8c9ebc2006bf72554afc84ffc67768979a0 upstream. If we fail to read temperature or axis we need to decrement the runtime pm reference count to trigger autosuspend. Add the call to pm_put to do that in case of error. Fixes: a0701b6263ae ("iio: gyro: add core driver for fxas21002c") Suggested-by: Mauro Carvalho Chehab Signed-off-by: Rui Miguel Silva Link: https://lore.kernel.org/linux-iio/CBBZA9T1OY9C.2611WSV49DV2G@arch-thunder/ Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 9db5a7b6be9eb9c3b636ed0cecfcb9cfa27d9af2 Author: Lucas Stankus Date: Tue May 11 17:54:18 2021 -0300 staging: iio: cdc: ad7746: avoid overwrite of num_channels commit 04f5b9f539ce314f758d919a14dc7a669f3b7838 upstream. AD7745 devices don't have the CIN2 pins and therefore can't handle related channels. Forcing the number of AD7746 channels may lead to enabling more channels than what the hardware actually supports. Avoid num_channels being overwritten after first assignment. Signed-off-by: Lucas Stankus Fixes: 83e416f458d53 ("staging: iio: adc: Replace, rewrite ad7745 from scratch.") Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 1650540ad65358e54eccfeba9830827d40f2bb6d Author: Alexander Usyskin Date: Wed May 26 22:33:34 2021 +0300 mei: request autosuspend after sending rx flow control commit bbf0a94744edfeee298e4a9ab6fd694d639a5cdf upstream. A rx flow control waiting in the control queue may block autosuspend. Re-request autosuspend after flow control been sent to unblock the transition to the low power state. Cc: Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20210526193334.445759-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit a09e273ae7789960c11ccc0fd46f78b001d01b2d Author: Marc Zyngier Date: Mon May 24 18:07:52 2021 +0100 KVM: arm64: Prevent mixed-width VM creation commit 66e94d5cafd4decd4f92d16a022ea587d7f4094f upstream. It looks like we have tolerated creating mixed-width VMs since... forever. However, that was never the intention, and we'd rather not have to support that pointless complexity. Forbid such a setup by making sure all the vcpus have the same register width. Reported-by: Steven Price Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org Acked-by: Mark Rutland Link: https://lore.kernel.org/r/20210524170752.1549797-1-maz@kernel.org Signed-off-by: Greg Kroah-Hartman commit 7289a0497d664e0659874fdf17739270901eba7d Author: Marc Zyngier Date: Fri May 14 09:05:41 2021 +0100 KVM: arm64: Fix debug register indexing commit cb853ded1d25e5b026ce115dbcde69e3d7e2e831 upstream. Commit 03fdfb2690099 ("KVM: arm64: Don't write junk to sysregs on reset") flipped the register number to 0 for all the debug registers in the sysreg table, hereby indicating that these registers live in a separate shadow structure. However, the author of this patch failed to realise that all the accessors are using that particular index instead of the register encoding, resulting in all the registers hitting index 0. Not quite a valid implementation of the architecture... Address the issue by fixing all the accessors to use the CRm field of the encoding, which contains the debug register index. Fixes: 03fdfb2690099 ("KVM: arm64: Don't write junk to sysregs on reset") Reported-by: Ricardo Koller Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 911c554e2c2895a3defd07697fce1b3a9a46af3f Author: Marc Zyngier Date: Thu May 6 14:31:42 2021 +0100 KVM: arm64: Move __adjust_pc out of line commit f5e30680616ab09e690b153b7a68ff7dd13e6579 upstream. In order to make it easy to call __adjust_pc() from the EL1 code (in the case of nVHE), rename it to __kvm_adjust_pc() and move it out of line. No expected functional change. Reviewed-by: Alexandru Elisei Reviewed-by: Zenghui Yu Tested-by: Zenghui Yu Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org # 5.11 Signed-off-by: Greg Kroah-Hartman commit 2ce7107febf15d8954762c8e7036912eeb184209 Author: Wanpeng Li Date: Tue May 18 05:00:33 2021 -0700 KVM: X86: Fix vCPU preempted state from guest's point of view commit 1eff0ada88b48e4ac1e3fe26483b3684fedecd27 upstream. Commit 66570e966dd9 (kvm: x86: only provide PV features if enabled in guest's CPUID) avoids to access pv tlb shootdown host side logic when this pv feature is not exposed to guest, however, kvm_steal_time.preempted not only leveraged by pv tlb shootdown logic but also mitigate the lock holder preemption issue. From guest's point of view, vCPU is always preempted since we lose the reset of kvm_steal_time.preempted before vmentry if pv tlb shootdown feature is not exposed. This patch fixes it by clearing kvm_steal_time.preempted before vmentry. Fixes: 66570e966dd9 (kvm: x86: only provide PV features if enabled in guest's CPUID) Reviewed-by: Sean Christopherson Cc: stable@vger.kernel.org Signed-off-by: Wanpeng Li Message-Id: <1621339235-11131-3-git-send-email-wanpengli@tencent.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 92f305778d3a25294dfc75cd2b3081bb91fd3336 Author: Mathias Nyman Date: Tue Apr 27 15:48:29 2021 +0300 thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue commit b106776080a1cf953a1b2fd50cb2a995db4732be upstream. Up to 64 bytes of data can be read from NVM in one go. Read address must be dword aligned. Data is read into a local buffer. If caller asks to read data starting at an unaligned address then full dword is anyway read from NVM into a local buffer. Data is then copied from the local buffer starting at the unaligned offset to the caller buffer. In cases where asked data length + unaligned offset is over 64 bytes we need to make sure we don't read past the 64 bytes in the local buffer when copying to caller buffer, and make sure that we don't skip copying unaligned offset bytes from local buffer anymore after the first round of 64 byte NVM data read. Fixes: 3e13676862f9 ("thunderbolt: Add support for DMA configuration based mailbox") Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit d08a4b6c13a6dd9f050b694c04f39b19ae2ec154 Author: Mathias Nyman Date: Thu Mar 25 10:32:50 2021 +0200 thunderbolt: usb4: Fix NVM read buffer bounds and offset issue commit 22c7a18ed5f007faccb7527bc890463763214081 upstream. Up to 64 bytes of data can be read from NVM in one go. Read address must be dword aligned. Data is read into a local buffer. If caller asks to read data starting at an unaligned address then full dword is anyway read from NVM into a local buffer. Data is then copied from the local buffer starting at the unaligned offset to the caller buffer. In cases where asked data length + unaligned offset is over 64 bytes we need to make sure we don't read past the 64 bytes in the local buffer when copying to caller buffer, and make sure that we don't skip copying unaligned offset bytes from local buffer anymore after the first round of 64 byte NVM data read. Fixes: b04079837b20 ("thunderbolt: Add initial support for USB4") Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit a3c3face38cb49932c62adcc1289914f1c742096 Author: Dongliang Mu Date: Fri May 14 20:43:48 2021 +0800 misc/uss720: fix memory leak in uss720_probe commit dcb4b8ad6a448532d8b681b5d1a7036210b622de upstream. uss720_probe forgets to decrease the refcount of usbdev in uss720_probe. Fix this by decreasing the refcount of usbdev by usb_put_dev. BUG: memory leak unreferenced object 0xffff888101113800 (size 2048): comm "kworker/0:1", pid 7, jiffies 4294956777 (age 28.870s) hex dump (first 32 bytes): ff ff ff ff 31 00 00 00 00 00 00 00 00 00 00 00 ....1........... 00 00 00 00 00 00 00 00 00 00 00 00 03 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:554 [inline] [] kzalloc include/linux/slab.h:684 [inline] [] usb_alloc_dev+0x32/0x450 drivers/usb/core/usb.c:582 [] hub_port_connect drivers/usb/core/hub.c:5129 [inline] [] hub_port_connect_change drivers/usb/core/hub.c:5363 [inline] [] port_event drivers/usb/core/hub.c:5509 [inline] [] hub_event+0x1171/0x20c0 drivers/usb/core/hub.c:5591 [] process_one_work+0x2c9/0x600 kernel/workqueue.c:2275 [] worker_thread+0x59/0x5d0 kernel/workqueue.c:2421 [] kthread+0x178/0x1b0 kernel/kthread.c:292 [] ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 Fixes: 0f36163d3abe ("[PATCH] usb: fix uss720 schedule with interrupts off") Cc: stable Reported-by: syzbot+636c58f40a86b4a879e7@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Link: https://lore.kernel.org/r/20210514124348.6587-1-mudongliangabcd@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 8a7a3083c14d5294e7e74e2a156d3d686bed4076 Author: Ondrej Mosnacek Date: Fri May 7 13:57:19 2021 +0200 serial: core: fix suspicious security_locked_down() call commit 5e722b217ad3cf41f5504db80a68062df82b5242 upstream. The commit that added this check did so in a very strange way - first security_locked_down() is called, its value stored into retval, and if it's nonzero, then an additional check is made for (change_irq || change_port), and if this is true, the function returns. However, if the goto exit branch is not taken, the code keeps the retval value and continues executing the function. Then, depending on whether uport->ops->verify_port is set, the retval value may or may not be reset to zero and eventually the error value from security_locked_down() may abort the function a few lines below. I will go out on a limb and assume that this isn't the intended behavior and that an error value from security_locked_down() was supposed to abort the function only in case (change_irq || change_port) is true. Note that security_locked_down() should be called last in any series of checks, since the SELinux implementation of this hook will do a check against the policy and generate an audit record in case of denial. If the operation was to carry on after calling security_locked_down(), then the SELinux denial record would be bogus. See commit 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") for how SELinux implements this hook. Fixes: 794edf30ee6c ("lockdown: Lock down TIOCSSERIAL") Acked-by: Kees Cook Signed-off-by: Ondrej Mosnacek Cc: stable Link: https://lore.kernel.org/r/20210507115719.140799-1-omosnace@redhat.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 571e51e192d819091a242397558a5abe20a39586 Author: Ondrej Mosnacek Date: Fri May 7 14:53:04 2021 +0200 debugfs: fix security_locked_down() call for SELinux commit 5881fa8dc2de9697a89451f6518e8b3a796c09c6 upstream. When (ia->ia_valid & (ATTR_MODE | ATTR_UID | ATTR_GID)) is zero, then the SELinux implementation of the locked_down hook might report a denial even though the operation would actually be allowed. To fix this, make sure that security_locked_down() is called only when the return value will be taken into account (i.e. when changing one of the problematic attributes). Note: this was introduced by commit 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down"), but it didn't matter at that time, as the SELinux support came in later. Fixes: 59438b46471a ("security,lockdown,selinux: implement SELinux lockdown") Cc: stable Signed-off-by: Ondrej Mosnacek Link: https://lore.kernel.org/r/20210507125304.144394-1-omosnace@redhat.com Signed-off-by: Greg Kroah-Hartman commit f65588e7ee56211677b67fc57b6096a91d9bb6ea Author: Sargun Dhillon Date: Mon May 17 12:39:06 2021 -0700 seccomp: Refactor notification handler to prepare for new semantics commit ddc473916955f7710d1eb17c1273d91c8622a9fe upstream. This refactors the user notification code to have a do / while loop around the completion condition. This has a small change in semantic, in that previously we ignored addfd calls upon wakeup if the notification had been responded to, but instead with the new change we check for an outstanding addfd calls prior to returning to userspace. Rodrigo Campos also identified a bug that can result in addfd causing an early return, when the supervisor didn't actually handle the syscall [1]. [1]: https://lore.kernel.org/lkml/20210413160151.3301-1-rodrigo@kinvolk.io/ Fixes: 7cf97b125455 ("seccomp: Introduce addfd ioctl to seccomp user notifier") Signed-off-by: Sargun Dhillon Acked-by: Tycho Andersen Acked-by: Christian Brauner Signed-off-by: Kees Cook Tested-by: Rodrigo Campos Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210517193908.3113-3-sargun@sargun.me Signed-off-by: Greg Kroah-Hartman commit 1b3c5876bb72a143190e435af8e7b0d53b72ee54 Author: Chen Huang Date: Thu Apr 29 07:03:48 2021 +0000 riscv: stacktrace: fix the riscv stacktrace when CONFIG_FRAME_POINTER enabled commit eac2f3059e02382d91f8c887462083841d6ea2a3 upstream. As [1] and [2] said, the arch_stack_walk should not to trace itself, or it will leave the trace unexpectedly when called. The example is when we do "cat /sys/kernel/debug/page_owner", all pages' stack is the same. arch_stack_walk+0x18/0x20 stack_trace_save+0x40/0x60 register_dummy_stack+0x24/0x5e init_page_owner+0x2e So we use __builtin_frame_address(1) as the first frame to be walked. And mark the arch_stack_walk() noinline. We found that pr_cont will affact pages' stack whose task state is RUNNING when testing "echo t > /proc/sysrq-trigger". So move the place of pr_cont and mark the function dump_backtrace() noinline. Also we move the case when task == NULL into else branch, and test for it in "echo c > /proc/sysrq-trigger". [1] https://lore.kernel.org/lkml/20210319184106.5688-1-mark.rutland@arm.com/ [2] https://lore.kernel.org/lkml/20210317142050.57712-1-chenjun102@huawei.com/ Signed-off-by: Chen Huang Fixes: 5d8544e2d007 ("RISC-V: Generic library routines and assembly") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 25c0cef74fe3ce3b62544a226ff3baac94bb484d Author: Sargun Dhillon Date: Mon May 17 12:39:05 2021 -0700 Documentation: seccomp: Fix user notification documentation commit aac902925ea646e461c95edc98a8a57eb0def917 upstream. The documentation had some previously incorrect information about how userspace notifications (and responses) were handled due to a change from a previously proposed patchset. Signed-off-by: Sargun Dhillon Acked-by: Tycho Andersen Acked-by: Christian Brauner Signed-off-by: Kees Cook Fixes: 6a21cc50f0c7 ("seccomp: add a return code to trap to userspace") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210517193908.3113-2-sargun@sargun.me Signed-off-by: Greg Kroah-Hartman commit 3f423c07aaeedc1aa5ff134562942be0ebd0b394 Author: Greg Kroah-Hartman Date: Thu May 20 15:08:39 2021 +0200 kgdb: fix gcc-11 warnings harder commit bda7d3ab06f19c02dcef61fefcb9dd954dfd5e4f upstream. 40cc3a80bb42 ("kgdb: fix gcc-11 warning on indentation") tried to fix up the gcc-11 complaints in this file by just reformatting the #defines. That worked for gcc 11.1.0, but in gcc 11.1.1 as shipped by Fedora 34, the warning came back for one of the #defines. Fix this up again by putting { } around the if statement, now it is quiet again. Fixes: 40cc3a80bb42 ("kgdb: fix gcc-11 warning on indentation") Cc: Arnd Bergmann Cc: Daniel Thompson Cc: Jason Wessel Link: https://lore.kernel.org/r/20210520130839.51987-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit d88d418a246656f347734836a9b48843e69b47f4 Author: James Zhu Date: Wed May 19 11:42:48 2021 -0400 drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate commit ff48f6dbf0ff896c98d167a67a5b975fb034356b upstream. Add cancel_delayed_work_sync before set power gating state to avoid race condition issue when power gating. Signed-off-by: James Zhu Reviewed-by: Leo Liu Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 56db5e8286549edb14d4d449ddc72c6ece84bdb2 Author: James Zhu Date: Wed May 19 11:40:39 2021 -0400 drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate commit 2fb536ea42d557f39f70c755f68e1aa1ad466c55 upstream. Add cancel_delayed_work_sync before set power gating state to avoid race condition issue when power gating. Signed-off-by: James Zhu Reviewed-by: Leo Liu Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 13431a0f3405c616b2c7c0c13a3222e32dfc75c3 Author: James Zhu Date: Wed May 19 11:26:32 2021 -0400 drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate commit 0c6013377b4027e69d8f3e63b6bf556b6cb87802 upstream. Add cancel_delayed_work_sync before set power gating state to avoid race condition issue when power gating. Signed-off-by: James Zhu Reviewed-by: Leo Liu Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 396c76d4b004fd2bac7daf8af842eece71721213 Author: Kevin Wang Date: Wed May 19 11:03:11 2021 +0800 drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error commit ba515a5821dc0d101ded0379b14b1d1471ebfaba upstream. 1.correct KFD SDMA RLC queue register offset error. (all sdma rlc register offset is base on SDMA0.RLC0_RLC0_RB_CNTL) 2.HQD_N_REGS (19+6+7+12) 12: the 2 more resgisters than navi1x (SDMAx_RLCy_MIDCMD_DATA{9,10}) the patch also can be fixed NULL pointer issue when read /sys/kernel/debug/kfd/hqds on sienna_cichlid chip. Signed-off-by: Kevin Wang Reviewed-by: Likun Gao Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit e1b82f668db132295f16990b7d73cdb23012704c Author: James Zhu Date: Tue May 18 10:58:22 2021 -0400 drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate commit b95f045ea35673572ef46d6483ad8bd6d353d63c upstream. Add cancel_delayed_work_sync before set power gating state to avoid race condition issue when power gating. Signed-off-by: James Zhu Reviewed-by: Leo Liu Acked-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 25721a38c9711603758e469ec8f33e8ae0136262 Author: Evan Quan Date: Tue May 18 09:01:47 2021 +0800 drm/amd/pm: correct MGpuFanBoost setting commit 1a0b713c73688c6bafbe6faf8c90390b11b26fc6 upstream. No MGpuFanBoost setting for those ASICs which do not support it. Otherwise, it may breaks their fan control feature. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1580 Signed-off-by: Evan Quan Reviewed-by: Kenneth Feng Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit f2125ebf883a6deab0fc5ea42cb770812f6177a0 Author: Imre Deak Date: Thu May 13 00:28:09 2021 +0300 drm/i915: Reenable LTTPR non-transparent LT mode for DPCD_REV<1.4 commit e11851429fdc23524aa244f76508c3c7aeaefdf6 upstream. The driver currently disables the LTTPR non-transparent link training mode for sinks with a DPCD_REV<1.4, based on the following description of the LTTPR DPCD register range in DP standard 2.0 (at the 0xF0000 register description): "" LTTPR-related registers at DPCD Addresses F0000h through F02FFh are valid only for DPCD r1.4 (or higher). """ The transparent link training mode should still work fine, however the implementation for this in some retimer FWs seems to be broken, see the References: link below. After discussions with DP standard authors the above "DPCD r1.4" does not refer to the DPCD revision (stored in the DPCD_REV reg at 0x00000), rather to the "LTTPR field data structure revision" stored in the 0xF0000 reg. An update request has been filed at vesa.org (see wg/Link/documentComment/3746) for the upcoming v2.1 specification to clarify the above description along the following lines: """ LTTPR-related registers at DPCD Addresses F0000h through F02FFh are valid only for LT_TUNABLE_PHY_REPEATER_FIELD_DATA_STRUCTURE_REV 1.4 (or higher) """ Based on my tests Windows uses the non-transparent link training mode for DPCD_REV==1.2 sinks as well (so presumably for all DPCD_REVs), and forcing it to use transparent mode on ICL/TGL platforms leads to the same LT failure as reported at the References: link. Based on the above let's assume that the transparent link training mode is not well tested/supported and align the code to the correct interpretation of what the r1.4 version refers to. Reported-and-tested-by: Casey Harkins Tested-by: Khaled Almahallawy References: https://gitlab.freedesktop.org/drm/intel/-/issues/3415 Fixes: 264613b406eb ("drm/i915: Disable LTTPR support when the DPCD rev < 1.4") Cc: # v5.11+ Signed-off-by: Imre Deak Reviewed-by: Khaled Almahallawy Link: https://patchwork.freedesktop.org/patch/msgid/20210512212809.1234701-1-imre.deak@intel.com (cherry picked from commit cb4920cc40f630b5a247f4ed7d3dea66749df588) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 67644c14e4de6d0a40e1804c98ac9a16af5415da Author: Christoph Hellwig Date: Wed May 19 08:22:15 2021 +0200 md/raid5: remove an incorrect assert in in_chunk_boundary commit cc146267914950b12c2bdee68c1e9e5453c81cde upstream. Now that the original bdev is stored in the bio this assert is incorrect and will trigger for any partitioned raid5 device. Reported-by: Florian Dazinger Tested-by: Florian Dazinger Cc: stable@vger.kernel.org # 5.12 Fixes: 309dca309fc3 ("block: store a block_device pointer in struct bio"), Reviewed-by: Guoqing Jiang Signed-off-by: Christoph Hellwig Signed-off-by: Song Liu Signed-off-by: Greg Kroah-Hartman commit 42911fb2397878cb3d952ed82482eab85f845c7d Author: Mikulas Patocka Date: Tue May 25 13:17:19 2021 -0400 dm snapshot: properly fix a crash when an origin has no snapshots commit 7e768532b2396bcb7fbf6f82384b85c0f1d2f197 upstream. If an origin target has no snapshots, o->split_boundary is set to 0. This causes BUG_ON(sectors <= 0) in block/bio.c:bio_split(). Fix this by initializing chunk_size, and in turn split_boundary, to rounddown_pow_of_two(UINT_MAX) -- the largest power of two that fits into "unsigned" type. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 063aa9df5ae99e0c9a7a5a76b9b836897de4a048 Author: Sriram R Date: Tue May 11 20:02:58 2021 +0200 ath11k: Clear the fragment cache during key install commit c3944a5621026c176001493d48ee66ff94e1a39a upstream. Currently the fragment cache setup during peer assoc is cleared only during peer delete. In case a key reinstallation happens with the same peer, the same fragment cache with old fragments added before key installation could be clubbed with fragments received after. This might be exploited to mix fragments of different data resulting in a proper unintended reassembled packet to be passed up the stack. Hence flush the fragment cache on every key installation to prevent potential attacks (CVE-2020-24587). Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01734-QCAHKSWPL_SILICONZ-1 v2 Cc: stable@vger.kernel.org Signed-off-by: Sriram R Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.218dc777836f.I9af6fc76215a35936c4152552018afb5079c5d8c@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 839916f1ee0d60891fa228f55fadae8a4d78792a Author: Sriram R Date: Tue May 11 20:02:57 2021 +0200 ath10k: Validate first subframe of A-MSDU before processing the list commit 62a8ff67eba52dae9b107e1fb8827054ed00a265 upstream. In certain scenarios a normal MSDU can be received as an A-MSDU when the A-MSDU present bit of a QoS header gets flipped during reception. Since this bit is unauthenticated, the hardware crypto engine can pass the frame to the driver without any error indication. This could result in processing unintended subframes collected in the A-MSDU list. Hence, validate A-MSDU list by checking if the first frame has a valid subframe header. Comparing the non-aggregated MSDU and an A-MSDU, the fields of the first subframe DA matches the LLC/SNAP header fields of a normal MSDU. In order to avoid processing such frames, add a validation to filter such A-MSDU frames where the first subframe header DA matches with the LLC/SNAP header pattern. Tested-on: QCA9984 hw1.0 PCI 10.4-3.10-00047 Cc: stable@vger.kernel.org Signed-off-by: Sriram R Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.e6f5eb7b9847.I38a77ae26096862527a5eab73caebd7346af8b66@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a15a0151da2134545d5016ea068a39f96d1272f5 Author: Wen Gong Date: Tue May 11 20:02:56 2021 +0200 ath10k: Fix TKIP Michael MIC verification for PCIe commit 0dc267b13f3a7e8424a898815dd357211b737330 upstream. TKIP Michael MIC was not verified properly for PCIe cases since the validation steps in ieee80211_rx_h_michael_mic_verify() in mac80211 did not get fully executed due to unexpected flag values in ieee80211_rx_status. Fix this by setting the flags property to meet mac80211 expectations for performing Michael MIC validation there. This fixes CVE-2020-26141. It does the same as ath10k_htt_rx_proc_rx_ind_hl() for SDIO which passed MIC verification case. This applies only to QCA6174/QCA9377 PCIe. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.c3f1d42c6746.I795593fcaae941c471425b8c7d5f7bb185d29142@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 6433f0051b2950acbb4ec2faae6fc98b33eb642e Author: Wen Gong Date: Tue May 11 20:02:55 2021 +0200 ath10k: drop MPDU which has discard flag set by firmware for SDIO commit 079a108feba474b4b32bd3471db03e11f2f83b81 upstream. When the discard flag is set by the firmware for an MPDU, it should be dropped. This allows a mitigation for CVE-2020-24588 to be implemented in the firmware. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.11968c725b5c.Idd166365ebea2771c0c0a38c78b5060750f90e17@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 24a5e05f631d160cd29288454e1e2831ee6caa6a Author: Wen Gong Date: Tue May 11 20:02:54 2021 +0200 ath10k: drop fragments with multicast DA for SDIO commit 40e7462dad6f3d06efdb17d26539e61ab6e34db1 upstream. Fragmentation is not used with multicast frames. Discard unexpected fragments with multicast DA. This fixes CVE-2020-26145. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.9ca6ca7945a9.I1e18b514590af17c155bda86699bc3a971a8dcf4@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 75ba7513a5ad9cd1a89c3d8f520e86a4c0f8457e Author: Wen Gong Date: Tue May 11 20:02:53 2021 +0200 ath10k: drop fragments with multicast DA for PCIe commit 65c415a144ad8132b6a6d97d4a1919ffc728e2d1 upstream. Fragmentation is not used with multicast frames. Discard unexpected fragments with multicast DA. This fixes CVE-2020-26145. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.5a0bd289bda8.Idd6ebea20038fb1cfee6de924aa595e5647c9eae@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 82f65e7d013804a9718bf1682ffd641222a5b694 Author: Wen Gong Date: Tue May 11 20:02:52 2021 +0200 ath10k: add CCMP PN replay protection for fragmented frames for PCIe commit a1166b2653db2f3de7338b9fb8a0f6e924b904ee upstream. PN replay check for not fragmented frames is finished in the firmware, but this was not done for fragmented frames when ath10k is used with QCA6174/QCA6377 PCIe. mac80211 has the function ieee80211_rx_h_defragment() for PN replay check for fragmented frames, but this does not get checked with QCA6174 due to the ieee80211_has_protected() condition not matching the cleared Protected bit case. Validate the PN of received fragmented frames within ath10k when CCMP is used and drop the fragment if the PN is not correct (incremented by exactly one from the previous fragment). This applies only for QCA6174/QCA6377 PCIe. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.9ba2664866a4.I756e47b67e210dba69966d989c4711ffc02dc6bc@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 3c47cee66b3887c259acb7b502596703c8459397 Author: Wen Gong Date: Tue May 11 20:02:51 2021 +0200 mac80211: extend protection against mixed key and fragment cache attacks commit 3edc6b0d6c061a70d8ca3c3c72eb1f58ce29bfb1 upstream. For some chips/drivers, e.g., QCA6174 with ath10k, the decryption is done by the hardware, and the Protected bit in the Frame Control field is cleared in the lower level driver before the frame is passed to mac80211. In such cases, the condition for ieee80211_has_protected() is not met in ieee80211_rx_h_defragment() of mac80211 and the new security validation steps are not executed. Extend mac80211 to cover the case where the Protected bit has been cleared, but the frame is indicated as having been decrypted by the hardware. This extends protection against mixed key and fragment cache attack for additional drivers/chips. This fixes CVE-2020-24586 and CVE-2020-24587 for such cases. Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00110-QCARMSWP-1 Cc: stable@vger.kernel.org Signed-off-by: Wen Gong Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.037aa5ca0390.I7bb888e2965a0db02a67075fcb5deb50eb7408aa@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a98c4c030cfb69c6ec3d1b951a904b80fea90d8a Author: Johannes Berg Date: Tue May 11 20:02:50 2021 +0200 mac80211: do not accept/forward invalid EAPOL frames commit a8c4d76a8dd4fb9666fc8919a703d85fb8f44ed8 upstream. EAPOL frames are used for authentication and key management between the AP and each individual STA associated in the BSS. Those frames are not supposed to be sent by one associated STA to another associated STA (either unicast for broadcast/multicast). Similarly, in 802.11 they're supposed to be sent to the authenticator (AP) address. Since it is possible for unexpected EAPOL frames to result in misbehavior in supplicant implementations, it is better for the AP to not allow such cases to be forwarded to other clients either directly, or indirectly if the AP interface is part of a bridge. Accept EAPOL (control port) frames only if they're transmitted to the own address, or, due to interoperability concerns, to the PAE group address. Disable forwarding of EAPOL (or well, the configured control port protocol) frames back to wireless medium in all cases. Previously, these frames were accepted from fully authenticated and authorized stations and also from unauthenticated stations for one of the cases. Additionally, to avoid forwarding by the bridge, rewrite the PAE group address case to the local MAC address. Cc: stable@vger.kernel.org Co-developed-by: Jouni Malinen Signed-off-by: Jouni Malinen Link: https://lore.kernel.org/r/20210511200110.cb327ed0cabe.Ib7dcffa2a31f0913d660de65ba3c8aca75b1d10f@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit a241274c8a9a653e2d4b44797516b3c4a050fada Author: Johannes Berg Date: Tue May 11 20:02:49 2021 +0200 mac80211: prevent attacks on TKIP/WEP as well commit 7e44a0b597f04e67eee8cdcbe7ee706c6f5de38b upstream. Similar to the issues fixed in previous patches, TKIP and WEP should be protected even if for TKIP we have the Michael MIC protecting it, and WEP is broken anyway. However, this also somewhat protects potential other algorithms that drivers might implement. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210511200110.430e8c202313.Ia37e4e5b6b3eaab1a5ae050e015f6c92859dbe27@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 1f0bf30c01d3f4de7d6c5e27b102a808c5646676 Author: Johannes Berg Date: Tue May 11 20:02:48 2021 +0200 mac80211: check defrag PN against current frame commit bf30ca922a0c0176007e074b0acc77ed345e9990 upstream. As pointed out by Mathy Vanhoef, we implement the RX PN check on fragmented frames incorrectly - we check against the last received PN prior to the new frame, rather than to the one in this frame itself. Prior patches addressed the security issue here, but in order to be able to reason better about the code, fix it to really compare against the current frame's PN, not the last stored one. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210511200110.bfbc340ff071.Id0b690e581da7d03d76df90bb0e3fd55930bc8a0@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 935ab28b02fb1598748e19e7cfba062ded143a22 Author: Johannes Berg Date: Tue May 11 20:02:47 2021 +0200 mac80211: add fragment cache to sta_info commit 3a11ce08c45b50d69c891d71760b7c5b92074709 upstream. Prior patches protected against fragmentation cache attacks by coloring keys, but this shows that it can lead to issues when multiple stations use the same sequence number. Add a fragment cache to struct sta_info (in addition to the one in the interface) to separate fragments for different stations properly. This then automatically clear most of the fragment cache when a station disconnects (or reassociates) from an AP, or when client interfaces disconnect from the network, etc. On the way, also fix the comment there since this brings us in line with the recommendation in 802.11-2016 ("An AP should support ..."). Additionally, remove a useless condition (since there's no problem purging an already empty list). Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210511200110.fc35046b0d52.I1ef101e3784d13e8f6600d83de7ec9a3a45bcd52@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 26ed5ca7b58f4fd466c825a48c564e940a75cfd7 Author: Johannes Berg Date: Tue May 11 20:02:46 2021 +0200 mac80211: drop A-MSDUs on old ciphers commit 270032a2a9c4535799736142e1e7c413ca7b836e upstream. With old ciphers (WEP and TKIP) we shouldn't be using A-MSDUs since A-MSDUs are only supported if we know that they are, and the only practical way for that is HT support which doesn't support old ciphers. However, we would normally accept them anyway. Since we check the MMIC before deaggregating A-MSDUs, and the A-MSDU bit in the QoS header is not protected in TKIP (or WEP), this enables attacks similar to CVE-2020-24588. To prevent that, drop A-MSDUs completely with old ciphers. Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210511200110.076543300172.I548e6e71f1ee9cad4b9a37bf212ae7db723587aa@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 6eec99250f3a0763de58a7ef9ffca53e137356db Author: Mathy Vanhoef Date: Tue May 11 20:02:45 2021 +0200 cfg80211: mitigate A-MSDU aggregation attacks commit 2b8a1fee3488c602aca8bea004a087e60806a5cf upstream. Mitigate A-MSDU injection attacks (CVE-2020-24588) by detecting if the destination address of a subframe equals an RFC1042 (i.e., LLC/SNAP) header, and if so dropping the complete A-MSDU frame. This mitigates known attacks, although new (unknown) aggregation-based attacks may remain possible. This defense works because in A-MSDU aggregation injection attacks, a normal encrypted Wi-Fi frame is turned into an A-MSDU frame. This means the first 6 bytes of the first A-MSDU subframe correspond to an RFC1042 header. In other words, the destination MAC address of the first A-MSDU subframe contains the start of an RFC1042 header during an aggregation attack. We can detect this and thereby prevent this specific attack. For details, see Section 7.2 of "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". Note that for kernel 4.9 and above this patch depends on "mac80211: properly handle A-MSDUs that start with a rfc1042 header". Otherwise this patch has no impact and attacks will remain possible. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.25d93176ddaf.I9e265b597f2cd23eb44573f35b625947b386a9de@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 22e7b1aecdeaabd8b3c0c6520d50a81e3dc4950b Author: Mathy Vanhoef Date: Tue May 11 20:02:44 2021 +0200 mac80211: properly handle A-MSDUs that start with an RFC 1042 header commit a1d5ff5651ea592c67054233b14b30bf4452999c upstream. Properly parse A-MSDUs whose first 6 bytes happen to equal a rfc1042 header. This can occur in practice when the destination MAC address equals AA:AA:03:00:00:00. More importantly, this simplifies the next patch to mitigate A-MSDU injection attacks. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.0b2b886492f0.I23dd5d685fe16d3b0ec8106e8f01b59f499dffed@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 94eebceb18e552c72b845055ca9d12c3debc0c99 Author: Mathy Vanhoef Date: Tue May 11 20:02:43 2021 +0200 mac80211: prevent mixed key and fragment cache attacks commit 94034c40ab4a3fcf581fbc7f8fdf4e29943c4a24 upstream. Simultaneously prevent mixed key attacks (CVE-2020-24587) and fragment cache attacks (CVE-2020-24586). This is accomplished by assigning a unique color to every key (per interface) and using this to track which key was used to decrypt a fragment. When reassembling frames, it is now checked whether all fragments were decrypted using the same key. To assure that fragment cache attacks are also prevented, the ID that is assigned to keys is unique even over (re)associations and (re)connects. This means fragments separated by a (re)association or (re)connect will not be reassembled. Because mac80211 now also prevents the reassembly of mixed encrypted and plaintext fragments, all cache attacks are prevented. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.3f8290e59823.I622a67769ed39257327a362cfc09c812320eb979@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 083ecdde0e861bed1189be90d83b0297f4135e78 Author: Mathy Vanhoef Date: Tue May 11 20:02:42 2021 +0200 mac80211: assure all fragments are encrypted commit 965a7d72e798eb7af0aa67210e37cf7ecd1c9cad upstream. Do not mix plaintext and encrypted fragments in protected Wi-Fi networks. This fixes CVE-2020-26147. Previously, an attacker was able to first forward a legitimate encrypted fragment towards a victim, followed by a plaintext fragment. The encrypted and plaintext fragment would then be reassembled. For further details see Section 6.3 and Appendix D in the paper "Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and Fragmentation". Because of this change there are now two equivalent conditions in the code to determine if a received fragment requires sequential PNs, so we also move this test to a separate function to make the code easier to maintain. Cc: stable@vger.kernel.org Signed-off-by: Mathy Vanhoef Link: https://lore.kernel.org/r/20210511200110.30c4394bb835.I5acfdb552cc1d20c339c262315950b3eac491397@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 727a2b4fc951ee69847d4904d98961856ea9fbe6 Author: Stefano Brivio Date: Mon May 10 07:58:22 2021 +0200 netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version commit f0b3d338064e1fe7531f0d2977e35f3b334abfb4 upstream. Arturo reported this backtrace: [709732.358791] WARNING: CPU: 3 PID: 456 at arch/x86/kernel/fpu/core.c:128 kernel_fpu_begin_mask+0xae/0xe0 [709732.358793] Modules linked in: binfmt_misc nft_nat nft_chain_nat nf_nat nft_counter nft_ct nf_tables nf_conntrack_netlink nfnetlink 8021q garp stp mrp llc vrf intel_rapl_msr intel_rapl_common skx_edac nfit libnvdimm ipmi_ssif x86_pkg_temp_thermal intel_powerclamp coretemp crc32_pclmul mgag200 ghash_clmulni_intel drm_kms_helper cec aesni_intel drm libaes crypto_simd cryptd glue_helper mei_me dell_smbios iTCO_wdt evdev intel_pmc_bxt iTCO_vendor_support dcdbas pcspkr rapl dell_wmi_descriptor wmi_bmof sg i2c_algo_bit watchdog mei acpi_ipmi ipmi_si button nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ipmi_devintf ipmi_msghandler ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 dm_mod raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor sd_mod t10_pi crc_t10dif crct10dif_generic raid6_pq libcrc32c crc32c_generic raid1 raid0 multipath linear md_mod ahci libahci tg3 libata xhci_pci libphy xhci_hcd ptp usbcore crct10dif_pclmul crct10dif_common bnxt_en crc32c_intel scsi_mod [709732.358941] pps_core i2c_i801 lpc_ich i2c_smbus wmi usb_common [709732.358957] CPU: 3 PID: 456 Comm: jbd2/dm-0-8 Not tainted 5.10.0-0.bpo.5-amd64 #1 Debian 5.10.24-1~bpo10+1 [709732.358959] Hardware name: Dell Inc. PowerEdge R440/04JN2K, BIOS 2.9.3 09/23/2020 [709732.358964] RIP: 0010:kernel_fpu_begin_mask+0xae/0xe0 [709732.358969] Code: ae 54 24 04 83 e3 01 75 38 48 8b 44 24 08 65 48 33 04 25 28 00 00 00 75 33 48 83 c4 10 5b c3 65 8a 05 5e 21 5e 76 84 c0 74 92 <0f> 0b eb 8e f0 80 4f 01 40 48 81 c7 00 14 00 00 e8 dd fb ff ff eb [709732.358972] RSP: 0018:ffffbb9700304740 EFLAGS: 00010202 [709732.358976] RAX: 0000000000000001 RBX: 0000000000000003 RCX: 0000000000000001 [709732.358979] RDX: ffffbb9700304970 RSI: ffff922fe1952e00 RDI: 0000000000000003 [709732.358981] RBP: ffffbb9700304970 R08: ffff922fc868a600 R09: ffff922fc711e462 [709732.358984] R10: 000000000000005f R11: ffff922ff0b27180 R12: ffffbb9700304960 [709732.358987] R13: ffffbb9700304b08 R14: ffff922fc664b6c8 R15: ffff922fc664b660 [709732.358990] FS: 0000000000000000(0000) GS:ffff92371fec0000(0000) knlGS:0000000000000000 [709732.358993] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [709732.358996] CR2: 0000557a6655bdd0 CR3: 000000026020a001 CR4: 00000000007706e0 [709732.358999] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [709732.359001] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [709732.359003] PKRU: 55555554 [709732.359005] Call Trace: [709732.359009] [709732.359035] nft_pipapo_avx2_lookup+0x4c/0x1cba [nf_tables] [709732.359046] ? sched_clock+0x5/0x10 [709732.359054] ? sched_clock_cpu+0xc/0xb0 [709732.359061] ? record_times+0x16/0x80 [709732.359068] ? plist_add+0xc1/0x100 [709732.359073] ? psi_group_change+0x47/0x230 [709732.359079] ? skb_clone+0x4d/0xb0 [709732.359085] ? enqueue_task_rt+0x22b/0x310 [709732.359098] ? bnxt_start_xmit+0x1e8/0xaf0 [bnxt_en] [709732.359102] ? packet_rcv+0x40/0x4a0 [709732.359121] nft_lookup_eval+0x59/0x160 [nf_tables] [709732.359133] nft_do_chain+0x350/0x500 [nf_tables] [709732.359152] ? nft_lookup_eval+0x59/0x160 [nf_tables] [709732.359163] ? nft_do_chain+0x364/0x500 [nf_tables] [709732.359172] ? fib4_rule_action+0x6d/0x80 [709732.359178] ? fib_rules_lookup+0x107/0x250 [709732.359184] nft_nat_do_chain+0x8a/0xf2 [nft_chain_nat] [709732.359193] nf_nat_inet_fn+0xea/0x210 [nf_nat] [709732.359202] nf_nat_ipv4_out+0x14/0xa0 [nf_nat] [709732.359207] nf_hook_slow+0x44/0xc0 [709732.359214] ip_output+0xd2/0x100 [709732.359221] ? __ip_finish_output+0x210/0x210 [709732.359226] ip_forward+0x37d/0x4a0 [709732.359232] ? ip4_key_hashfn+0xb0/0xb0 [709732.359238] ip_sublist_rcv_finish+0x4f/0x60 [709732.359243] ip_sublist_rcv+0x196/0x220 [709732.359250] ? ip_rcv_finish_core.isra.22+0x400/0x400 [709732.359255] ip_list_rcv+0x137/0x160 [709732.359264] __netif_receive_skb_list_core+0x29b/0x2c0 [709732.359272] netif_receive_skb_list_internal+0x1a6/0x2d0 [709732.359280] gro_normal_list.part.156+0x19/0x40 [709732.359286] napi_complete_done+0x67/0x170 [709732.359298] bnxt_poll+0x105/0x190 [bnxt_en] [709732.359304] ? irqentry_exit+0x29/0x30 [709732.359309] ? asm_common_interrupt+0x1e/0x40 [709732.359315] net_rx_action+0x144/0x3c0 [709732.359322] __do_softirq+0xd5/0x29c [709732.359329] asm_call_irq_on_stack+0xf/0x20 [709732.359332] [709732.359339] do_softirq_own_stack+0x37/0x40 [709732.359346] irq_exit_rcu+0x9d/0xa0 [709732.359353] common_interrupt+0x78/0x130 [709732.359358] asm_common_interrupt+0x1e/0x40 [709732.359366] RIP: 0010:crc_41+0x0/0x1e [crc32c_intel] [709732.359370] Code: ff ff f2 4d 0f 38 f1 93 a8 fe ff ff f2 4c 0f 38 f1 81 b0 fe ff ff f2 4c 0f 38 f1 8a b0 fe ff ff f2 4d 0f 38 f1 93 b0 fe ff ff 4c 0f 38 f1 81 b8 fe ff ff f2 4c 0f 38 f1 8a b8 fe ff ff f2 4d [709732.359373] RSP: 0018:ffffbb97008dfcd0 EFLAGS: 00000246 [709732.359377] RAX: 000000000000002a RBX: 0000000000000400 RCX: ffff922fc591dd50 [709732.359379] RDX: ffff922fc591dea0 RSI: 0000000000000a14 RDI: ffffffffc00dddc0 [709732.359382] RBP: 0000000000001000 R08: 000000000342d8c3 R09: 0000000000000000 [709732.359384] R10: 0000000000000000 R11: ffff922fc591dff0 R12: ffffbb97008dfe58 [709732.359386] R13: 000000000000000a R14: ffff922fd2b91e80 R15: ffff922fef83fe38 [709732.359395] ? crc_43+0x1e/0x1e [crc32c_intel] [709732.359403] ? crc32c_pcl_intel_update+0x97/0xb0 [crc32c_intel] [709732.359419] ? jbd2_journal_commit_transaction+0xaec/0x1a30 [jbd2] [709732.359425] ? irq_exit_rcu+0x3e/0xa0 [709732.359447] ? kjournald2+0xbd/0x270 [jbd2] [709732.359454] ? finish_wait+0x80/0x80 [709732.359470] ? commit_timeout+0x10/0x10 [jbd2] [709732.359476] ? kthread+0x116/0x130 [709732.359481] ? kthread_park+0x80/0x80 [709732.359488] ? ret_from_fork+0x1f/0x30 [709732.359494] ---[ end trace 081a19978e5f09f5 ]--- that is, nft_pipapo_avx2_lookup() uses the FPU running from a softirq that interrupted a kthread, also using the FPU. That's exactly the reason why irq_fpu_usable() is there: use it, and if we can't use the FPU, fall back to the non-AVX2 version of the lookup operation, i.e. nft_pipapo_lookup(). Reported-by: Arturo Borrero Gonzalez Cc: # 5.6.x Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation") Signed-off-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 7a1bdec12e43e29cc34a4394590337069d8812ce Author: Davide Caratti Date: Sat May 22 15:15:13 2021 +0200 net/sched: fq_pie: fix OOB access in the traffic path commit e70f7a11876a1a788ceadf75e9e5f7af2c868680 upstream. the following script: # tc qdisc add dev eth0 handle 0x1 root fq_pie flows 2 # tc qdisc add dev eth0 clsact # tc filter add dev eth0 egress matchall action skbedit priority 0x10002 # ping 192.0.2.2 -I eth0 -c2 -w1 -q produces the following splat: BUG: KASAN: slab-out-of-bounds in fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie] Read of size 4 at addr ffff888171306924 by task ping/942 CPU: 3 PID: 942 Comm: ping Not tainted 5.12.0+ #441 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 Call Trace: dump_stack+0x92/0xc1 print_address_description.constprop.7+0x1a/0x150 kasan_report.cold.13+0x7f/0x111 fq_pie_qdisc_enqueue+0x1314/0x19d0 [sch_fq_pie] __dev_queue_xmit+0x1034/0x2b10 ip_finish_output2+0xc62/0x2120 __ip_finish_output+0x553/0xea0 ip_output+0x1ca/0x4d0 ip_send_skb+0x37/0xa0 raw_sendmsg+0x1c4b/0x2d00 sock_sendmsg+0xdb/0x110 __sys_sendto+0x1d7/0x2b0 __x64_sys_sendto+0xdd/0x1b0 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7fe69735c3eb Code: 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 75 42 2c 00 41 89 ca 8b 00 85 c0 75 14 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 75 c3 0f 1f 40 00 41 57 4d 89 c7 41 56 41 89 RSP: 002b:00007fff06d7fb38 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 000055e961413700 RCX: 00007fe69735c3eb RDX: 0000000000000040 RSI: 000055e961413700 RDI: 0000000000000003 RBP: 0000000000000040 R08: 000055e961410500 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff06d81260 R13: 00007fff06d7fb40 R14: 00007fff06d7fc30 R15: 000055e96140f0a0 Allocated by task 917: kasan_save_stack+0x19/0x40 __kasan_kmalloc+0x7f/0xa0 __kmalloc_node+0x139/0x280 fq_pie_init+0x555/0x8e8 [sch_fq_pie] qdisc_create+0x407/0x11b0 tc_modify_qdisc+0x3c2/0x17e0 rtnetlink_rcv_msg+0x346/0x8e0 netlink_rcv_skb+0x120/0x380 netlink_unicast+0x439/0x630 netlink_sendmsg+0x719/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5ba/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x3c/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888171306800 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 36 bytes to the right of 256-byte region [ffff888171306800, ffff888171306900) The buggy address belongs to the page: page:00000000bcfb624e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x171306 head:00000000bcfb624e order:1 compound_mapcount:0 flags: 0x17ffffc0010200(slab|head|node=0|zone=2|lastcpupid=0x1fffff) raw: 0017ffffc0010200 dead000000000100 dead000000000122 ffff888100042b40 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888171306800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888171306880: 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc >ffff888171306900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff888171306980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888171306a00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fix fq_pie traffic path to avoid selecting 'q->flows + q->flows_cnt' as a valid flow: it's an address beyond the allocated memory. Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") CC: stable@vger.kernel.org Signed-off-by: Davide Caratti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 853c759d9dde1e13cddcb6928054afb1e1d67254 Author: Davide Caratti Date: Sat May 22 15:14:45 2021 +0200 net/sched: fq_pie: re-factor fix for fq_pie endless loop commit 3a62fed2fd7b6fea96d720e779cafc30dfb3a22e upstream. the patch that fixed an endless loop in_fq_pie_init() was not considering that 65535 is a valid class id. The correct bugfix for this infinite loop is to change 'idx' to become an u32, like Colin proposed in the past [1]. Fix this as follows: - restore 65536 as maximum possible values of 'flows_cnt' - use u32 'idx' when iterating on 'q->flows' - fix the TDC selftest This reverts commit bb2f930d6dd708469a587dc9ed1efe1ef969c0bf. [1] https://lore.kernel.org/netdev/20210407163808.499027-1-colin.king@canonical.com/ CC: Colin Ian King CC: stable@vger.kernel.org Fixes: bb2f930d6dd7 ("net/sched: fix infinite loop in sch_fq_pie") Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") Signed-off-by: Davide Caratti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 64a7186373a3787288e080e265e54a08d1a88afc Author: Johan Hovold Date: Mon May 24 11:25:11 2021 +0200 net: hso: fix control-request directions commit 1a6e9a9c68c1f183872e4bcc947382111c2e04eb upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the tiocmset and rfkill requests which erroneously used usb_rcvctrlpipe(). Fixes: 72dc1c096c70 ("HSO: add option hso driver") Cc: stable@vger.kernel.org # 2.6.27 Signed-off-by: Johan Hovold Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit df2562b5103124b4208443cb2660c30e73ad1532 Author: Kees Cook Date: Tue May 25 12:37:35 2021 -0700 proc: Check /proc/$pid/attr/ writes against file opener commit bfb819ea20ce8bbeeba17e1a6418bf8bda91fc28 upstream. Fix another "confused deputy" weakness[1]. Writes to /proc/$pid/attr/ files need to check the opener credentials, since these fds do not transition state across execve(). Without this, it is possible to trick another process (which may have different credentials) to write to its own /proc/$pid/attr/ files, leading to unexpected and possibly exploitable behaviors. [1] https://www.kernel.org/doc/html/latest/security/credentials.html?highlight=confused#open-file-credentials Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit fcb2ba1469b146c1c9bcaaa94faf7f7b7ac0eb41 Author: Adrian Hunter Date: Fri May 21 12:20:53 2021 +0300 perf scripts python: exported-sql-viewer.py: Fix warning display commit f56299a9c998e0bfbd4ab07cafe9eb8444512448 upstream. Deprecation warnings are useful only for the developer, not an end user. Display warnings only when requested using the python -W option. This stops the display of warnings like: tools/perf/scripts/python/exported-sql-viewer.py:5102: DeprecationWarning: an integer is required (got type PySide2.QtCore.Qt.AlignmentFlag). Implicit conversion to integers using __int__ is deprecated, and may be removed in a future version of Python. err = app.exec_() Since the warning can be fixed only in PySide2, we must wait for it to be finally fixed there. Signed-off-by: Adrian Hunter Cc: Jiri Olsa Cc: stable@vger.kernel.org # v5.3+ Link: http://lore.kernel.org/lkml/20210521092053.25683-4-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit dbe2694fe508d7bfffd6c498a9a059aa3fb65451 Author: Adrian Hunter Date: Fri May 21 12:20:52 2021 +0300 perf scripts python: exported-sql-viewer.py: Fix Array TypeError commit fd931b2e234a7cc451a7bbb1965d6ce623189158 upstream. The 'Array' class is present in more than one python standard library. In some versions of Python 3, the following error occurs: Traceback (most recent call last): File "tools/perf/scripts/python/exported-sql-viewer.py", line 4702, in reports_menu.addAction(CreateAction(label, "Create a new window displaying branch events", lambda a=None,x=dbid: self.NewBranchView(x), self)) File "tools/perf/scripts/python/exported-sql-viewer.py", line 4727, in NewBranchView BranchWindow(self.glb, event_id, ReportVars(), self) File "tools/perf/scripts/python/exported-sql-viewer.py", line 3208, in __init__ self.model = LookupCreateModel(model_name, lambda: BranchModel(glb, event_id, report_vars.where_clause)) File "tools/perf/scripts/python/exported-sql-viewer.py", line 343, in LookupCreateModel model = create_fn() File "tools/perf/scripts/python/exported-sql-viewer.py", line 3208, in self.model = LookupCreateModel(model_name, lambda: BranchModel(glb, event_id, report_vars.where_clause)) File "tools/perf/scripts/python/exported-sql-viewer.py", line 3124, in __init__ self.fetcher = SQLFetcher(glb, sql, prep, self.AddSample) File "tools/perf/scripts/python/exported-sql-viewer.py", line 2658, in __init__ self.buffer = Array(c_char, self.buffer_size, lock=False) TypeError: abstract class This apparently happens because Python can be inconsistent about which class of the name 'Array' gets imported. Fix by importing explicitly by name so that only the desired 'Array' gets imported. Fixes: 8392b74b575c3 ("perf scripts python: exported-sql-viewer.py: Add ability to display all the database tables") Signed-off-by: Adrian Hunter Cc: Jiri Olsa Cc: stable@vger.kernel.org Link: http://lore.kernel.org/lkml/20210521092053.25683-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 577294edbd54a45e61d4472b57315e749e4ac9ab Author: Adrian Hunter Date: Fri May 21 12:20:51 2021 +0300 perf scripts python: exported-sql-viewer.py: Fix copy to clipboard from Top Calls by elapsed Time report commit a6172059758ba1b496ae024cece7d5bdc8d017db upstream. Provide missing argument to prevent following error when copying a selection to the clipboard: Traceback (most recent call last): File "tools/perf/scripts/python/exported-sql-viewer.py", line 4041, in menu.addAction(CreateAction("&Copy selection", "Copy to clipboard", lambda: CopyCellsToClipboardHdr(self.view), self.view)) File "tools/perf/scripts/python/exported-sql-viewer.py", line 4021, in CopyCellsToClipboardHdr CopyCellsToClipboard(view, False, True) File "tools/perf/scripts/python/exported-sql-viewer.py", line 4018, in CopyCellsToClipboard view.CopyCellsToClipboard(view, as_csv, with_hdr) File "tools/perf/scripts/python/exported-sql-viewer.py", line 3871, in CopyTableCellsToClipboard val = model.headerData(col, Qt.Horizontal) TypeError: headerData() missing 1 required positional argument: 'role' Fixes: 96c43b9a7ab3b ("perf scripts python: exported-sql-viewer.py: Add copy to clipboard") Signed-off-by: Adrian Hunter Cc: Jiri Olsa Cc: stable@vger.kernel.org Link: http://lore.kernel.org/lkml/20210521092053.25683-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 9f8cb9eff3aee69351ca621d65571876b7db9c11 Author: Adrian Hunter Date: Wed May 19 10:45:13 2021 +0300 perf intel-pt: Fix transaction abort handling commit cb7987837c31b217b28089bbc78922d5c9187869 upstream. When adding support for power events, some handling of FUP packets was unified. That resulted in breaking reporting of TSX aborts, by not considering the associated TIP packet. Fix that. Example: A machine that supports TSX is required. It will have flag "rtm". Kernel parameter tsx=on may be required. # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done rtm Test program: #include #include int main() { int x = 0; if (_xbegin() == _XBEGIN_STARTED) { x = 1; _xabort(1); } else { printf("x = %d\n", x); } return 0; } Compile with -mrtm i.e. gcc -Wall -Wextra -mrtm xabort.c -o xabort Record: perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort Before: # perf script --itrace=be -F+flags,+addr,-period,-event --ns xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort) xabort 1478 [007] 92161.431348624: jmp 400b96 main+0x29 (/root/xabort) => 400bae main+0x41 (/root/xabort) xabort 1478 [007] 92161.431348624: return 400bb4 main+0x47 (/root/xabort) => 400b87 main+0x1a (/root/xabort) xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort) xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort) xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort) xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort) After: # perf script --itrace=be -F+flags,+addr,-period,-event --ns xabort 1478 [007] 92161.431348552: tr strt 0 [unknown] ([unknown]) => 400b6d main+0x0 (/root/xabort) xabort 1478 [007] 92161.431348624: tx abrt 400b93 main+0x26 (/root/xabort) => 400b87 main+0x1a (/root/xabort) xabort 1478 [007] 92161.431348637: jcc 400b8a main+0x1d (/root/xabort) => 400b98 main+0x2b (/root/xabort) xabort 1478 [007] 92161.431348644: tr end call 400ba9 main+0x3c (/root/xabort) => 40f690 printf+0x0 (/root/xabort) xabort 1478 [007] 92161.431360859: tr strt 0 [unknown] ([unknown]) => 400bae main+0x41 (/root/xabort) xabort 1478 [007] 92161.431360882: tr end return 400bb4 main+0x47 (/root/xabort) => 401139 __libc_start_main+0x309 (/root/xabort) Fixes: a472e65fc490a ("perf intel-pt: Add decoder support for ptwrite and power event packets") Signed-off-by: Adrian Hunter Cc: Andi Kleen Cc: Jiri Olsa Cc: stable@vger.kernel.org Link: http://lore.kernel.org/lkml/20210519074515.9262-2-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 10923c8cf8aff552582bf6b2c53aaf7003423a94 Author: Adrian Hunter Date: Wed May 19 10:45:14 2021 +0300 perf intel-pt: Fix sample instruction bytes commit c954eb72b31a9dc56c99b450253ec5b121add320 upstream. The decoder reports the current instruction if it was decoded. In some cases the current instruction is not decoded, in which case the instruction bytes length must be set to zero. Ensure that is always done. Note perf script can anyway get the instruction bytes for any samples where they are not present. Also note, that there is a redundant "ptq->insn_len = 0" statement which is not removed until a subsequent patch in order to make this patch apply cleanly to stable branches. Example: A machne that supports TSX is required. It will have flag "rtm". Kernel parameter tsx=on may be required. # for w in `cat /proc/cpuinfo | grep -m1 flags `;do echo $w | grep rtm ; done rtm Test program: #include #include int main() { int x = 0; if (_xbegin() == _XBEGIN_STARTED) { x = 1; _xabort(1); } else { printf("x = %d\n", x); } return 0; } Compile with -mrtm i.e. gcc -Wall -Wextra -mrtm xabort.c -o xabort Record: perf record -e intel_pt/cyc/u --filter 'filter main @ ./xabort' ./xabort Before: # perf script --itrace=xe -F+flags,+insn,-period --xed --ns xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) mov $0xffffffff, %eax xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) mov $0xffffffff, %eax After: # perf script --itrace=xe -F+flags,+insn,-period --xed --ns xabort 1478 [007] 92161.431348581: transactions: x 400b81 main+0x14 (/root/xabort) xbegin 0x6 xabort 1478 [007] 92161.431348624: transactions: tx abrt 400b93 main+0x26 (/root/xabort) xabort $0x1 Fixes: faaa87680b25d ("perf intel-pt/bts: Report instruction bytes and length in sample") Signed-off-by: Adrian Hunter Cc: Andi Kleen Cc: Jiri Olsa Cc: stable@vger.kernel.org Link: http://lore.kernel.org/lkml/20210519074515.9262-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit a16be88a3d7e5efcb59a15edea87a8bd369630c6 Author: Stefan Haberland Date: Tue May 25 14:50:06 2021 +0200 s390/dasd: add missing discipline function commit c0c8a8397fa8a74d04915f4d3d28cb4a5d401427 upstream. Fix crash with illegal operation exception in dasd_device_tasklet. Commit b72949328869 ("s390/dasd: Prepare for additional path event handling") renamed the verify_path function for ECKD but not for FBA and DIAG. This leads to a panic when the path verification function is called for a FBA or DIAG device. Fix by defining a wrapper function for dasd_generic_verify_path(). Fixes: b72949328869 ("s390/dasd: Prepare for additional path event handling") Cc: #5.11 Reviewed-by: Jan Hoeppner Signed-off-by: Stefan Haberland Reviewed-by: Cornelia Huck Link: https://lore.kernel.org/r/20210525125006.157531-2-sth@linux.ibm.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ca466561eef36d1ec657673e3944eb6340bddb5b Author: Rolf Eike Beer Date: Tue May 25 15:08:02 2021 +0800 iommu/vt-d: Fix sysfs leak in alloc_iommu() commit 0ee74d5a48635c848c20f152d0d488bf84641304 upstream. iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequent errors. Fixes: 39ab9555c2411 ("iommu: Add sysfs bindings for struct iommu_device") Cc: stable@vger.kernel.org # 4.11.x Signed-off-by: Rolf Eike Beer Acked-by: Lu Baolu Link: https://lore.kernel.org/r/17411490.HIIP88n32C@mobilepool36.emlix.com Link: https://lore.kernel.org/r/20210525070802.361755-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit a20b6eaf4f35046a429cde57bee7eb5f13d6857f Author: Shin'ichiro Kawasaki Date: Sat May 15 16:03:15 2021 +0900 scsi: target: core: Avoid smp_processor_id() in preemptible code commit 70ca3c57ff914113f681e657634f7fbfa68e1ad1 upstream. The BUG message "BUG: using smp_processor_id() in preemptible [00000000] code" was observed for TCMU devices with kernel config DEBUG_PREEMPT. The message was observed when blktests block/005 was run on TCMU devices with fileio backend or user:zbc backend [1]. The commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper") triggered the symptom. The commit modified work queue to handle commands and changed 'current->nr_cpu_allowed' at smp_processor_id() call. The message was also observed at system shutdown when TCMU devices were not cleaned up [2]. The function smp_processor_id() was called in SCSI host work queue for abort handling, and triggered the BUG message. This symptom was observed regardless of the commit 1130b499b4a7 ("scsi: target: tcm_loop: Use LIO wq cmd submission helper"). To avoid the preemptible code check at smp_processor_id(), get CPU ID with raw_smp_processor_id() instead. The CPU ID is used for performance improvement then thread move to other CPU will not affect the code. [1] [ 56.468103] run blktests block/005 at 2021-05-12 14:16:38 [ 57.369473] check_preemption_disabled: 85 callbacks suppressed [ 57.369480] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1511 [ 57.369506] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1510 [ 57.369512] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1506 [ 57.369552] caller is __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369606] CPU: 4 PID: 1506 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.369613] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.369617] Call Trace: [ 57.369621] BUG: using smp_processor_id() in preemptible [00000000] code: fio/1507 [ 57.369628] dump_stack+0x6d/0x89 [ 57.369642] check_preemption_disabled+0xc8/0xd0 [ 57.369628] caller is __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369655] __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.369695] target_init_cmd+0x76/0x90 [target_core_mod] [ 57.369732] tcm_loop_queuecommand+0x109/0x210 [tcm_loop] [ 57.369744] scsi_queue_rq+0x38e/0xc40 [ 57.369761] __blk_mq_try_issue_directly+0x109/0x1c0 [ 57.369779] blk_mq_try_issue_directly+0x43/0x90 [ 57.369790] blk_mq_submit_bio+0x4e5/0x5d0 [ 57.369812] submit_bio_noacct+0x46e/0x4e0 [ 57.369830] __blkdev_direct_IO_simple+0x1a3/0x2d0 [ 57.369859] ? set_init_blocksize.isra.0+0x60/0x60 [ 57.369880] generic_file_read_iter+0x89/0x160 [ 57.369898] blkdev_read_iter+0x44/0x60 [ 57.369906] new_sync_read+0x102/0x170 [ 57.369929] vfs_read+0xd4/0x160 [ 57.369941] __x64_sys_pread64+0x6e/0xa0 [ 57.369946] ? lockdep_hardirqs_on+0x79/0x100 [ 57.369958] do_syscall_64+0x3a/0x70 [ 57.369965] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 57.369973] RIP: 0033:0x7f7ed4c1399f [ 57.369979] Code: 08 89 3c 24 48 89 4c 24 18 e8 7d f3 ff ff 4c 8b 54 24 18 48 8b 54 24 10 41 89 c0 48 8b 74 24 08 8b 3c 24 b8 11 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 04 24 e8 cd f3 ff ff 48 8b [ 57.369983] RSP: 002b:00007ffd7918c580 EFLAGS: 00000293 ORIG_RAX: 0000000000000011 [ 57.369990] RAX: ffffffffffffffda RBX: 00000000015b4540 RCX: 00007f7ed4c1399f [ 57.369993] RDX: 0000000000001000 RSI: 00000000015de000 RDI: 0000000000000009 [ 57.369996] RBP: 00000000015b4540 R08: 0000000000000000 R09: 0000000000000001 [ 57.369999] R10: 0000000000e5c000 R11: 0000000000000293 R12: 00007f7eb5269a70 [ 57.370002] R13: 0000000000000000 R14: 0000000000001000 R15: 00000000015b4568 [ 57.370031] CPU: 7 PID: 1507 Comm: fio Not tainted 5.13.0-rc1+ #34 [ 57.370036] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 1302 03/15/2018 [ 57.370039] Call Trace: [ 57.370045] dump_stack+0x6d/0x89 [ 57.370056] check_preemption_disabled+0xc8/0xd0 [ 57.370068] __target_init_cmd+0x157/0x170 [target_core_mod] [ 57.370121] target_init_cmd+0x76/0x90 [target_core_mod] [ 57.370178] tcm_loop_queuecommand+0x109/0x210 [tcm_loop] [ 57.370197] scsi_queue_rq+0x38e/0xc40 [ 57.370224] __blk_mq_try_issue_directly+0x109/0x1c0 ... [2] [ 117.458597] BUG: using smp_processor_id() in preemptible [00000000] code: kworker/u16:8 [ 117.467279] caller is __target_init_cmd+0x157/0x170 [target_core_mod] [ 117.473893] CPU: 1 PID: 418 Comm: kworker/u16:6 Not tainted 5.13.0-rc1+ #34 [ 117.481150] Hardware name: System manufacturer System Product Name/PRIME Z270-A, BIOS 8 [ 117.481153] Workqueue: scsi_tmf_7 scmd_eh_abort_handler [ 117.481156] Call Trace: [ 117.481158] dump_stack+0x6d/0x89 [ 117.481162] check_preemption_disabled+0xc8/0xd0 [ 117.512575] target_submit_tmr+0x41/0x150 [target_core_mod] [ 117.519705] tcm_loop_issue_tmr+0xa7/0x100 [tcm_loop] [ 117.524913] tcm_loop_abort_task+0x43/0x60 [tcm_loop] [ 117.530137] scmd_eh_abort_handler+0x7b/0x230 [ 117.534681] process_one_work+0x268/0x580 [ 117.538862] worker_thread+0x55/0x3b0 [ 117.542652] ? process_one_work+0x580/0x580 [ 117.548351] kthread+0x143/0x160 [ 117.551675] ? kthread_create_worker_on_cpu+0x40/0x40 [ 117.556873] ret_from_fork+0x1f/0x30 Link: https://lore.kernel.org/r/20210515070315.215801-1-shinichiro.kawasaki@wdc.com Fixes: 1526d9f10c61 ("scsi: target: Make state_list per CPU") Cc: stable@vger.kernel.org # v5.11+ Reviewed-by: Mike Christie Signed-off-by: Shin'ichiro Kawasaki Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b090d110e66636bca473fd8b98d5c97b555a965a Author: Anna Schumaker Date: Wed May 19 12:54:51 2021 -0400 NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() commit a421d218603ffa822a0b8045055c03eae394a7eb upstream. Commit de144ff4234f changes _pnfs_return_layout() to call pnfs_mark_matching_lsegs_return() passing NULL as the struct pnfs_layout_range argument. Unfortunately, pnfs_mark_matching_lsegs_return() doesn't check if we have a value here before dereferencing it, causing an oops. I'm able to hit this crash consistently when running connectathon basic tests on NFS v4.1/v4.2 against Ontap. Fixes: de144ff4234f ("NFSv4: Don't discard segments marked for return in _pnfs_return_layout()") Cc: stable@vger.kernel.org Signed-off-by: Anna Schumaker Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit b190618d8337b9466d985854e417dc0e8b012e3c Author: Norbert Slusarek Date: Wed May 12 00:43:54 2021 +0200 can: isotp: prevent race between isotp_bind() and isotp_setsockopt() commit 2b17c400aeb44daf041627722581ade527bb3c1d upstream. A race condition was found in isotp_setsockopt() which allows to change socket options after the socket was bound. For the specific case of SF_BROADCAST support, this might lead to possible use-after-free because can_rx_unregister() is not called. Checking for the flag under the socket lock in isotp_bind() and taking the lock in isotp_setsockopt() fixes the issue. Fixes: 921ca574cd38 ("can: isotp: add SF_BROADCAST support for functional addressing") Link: https://lore.kernel.org/r/trinity-e6ae9efa-9afb-4326-84c0-f3609b9b8168-1620773528307@3c-app-gmx-bs06 Reported-by: Norbert Slusarek Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Norbert Slusarek Acked-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 81884e807a72e6999eb55d40e3d29fe3f474454d Author: Miquel Raynal Date: Tue Apr 13 18:18:35 2021 +0200 mtd: rawnand: fsmc: Fix external use of SW Hamming ECC helper commit ad9ffdce453934cdc22fac0a0268119bd630260f upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit d0f8db6c462f62af661e22c0b14fd7ac620416e9 Author: Miquel Raynal Date: Tue Apr 13 18:18:39 2021 +0200 mtd: rawnand: tmio: Fix external use of SW Hamming ECC helper commit 6a4c5ada577467a5f79e06f2c5e69c09983c22fb upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-7-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit da685f24e80ba3605a53da751a5b2535cccec90d Author: Miquel Raynal Date: Tue Apr 13 18:18:37 2021 +0200 mtd: rawnand: ndfc: Fix external use of SW Hamming ECC helper commit 3e09c0252501829b14b10f14e1982aaab77d0b80 upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-5-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit c545bd2d74ff4c5a391d9e6b40b09bc07629e24f Author: Miquel Raynal Date: Tue Apr 13 18:18:36 2021 +0200 mtd: rawnand: lpc32xx_slc: Fix external use of SW Hamming ECC helper commit c4b7d7c480d607e4f52d310d9d16b194868d0917 upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Cc: Vladimir Zapolskiy Reported-by: Trevor Woerner Signed-off-by: Miquel Raynal Tested-by: Trevor Woerner Acked-by: Vladimir Zapolskiy Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-4-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 15b56ed7ee2060b74df2e9f42d28dfa5c57e3a8e Author: Miquel Raynal Date: Tue Apr 13 18:18:38 2021 +0200 mtd: rawnand: sharpsl: Fix external use of SW Hamming ECC helper commit 46fcb57e6b7283533ebf8ba17a6bd30fa88bdc9f upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-6-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 2ee53371eeffce2fa1e3d53bab828a457bc4d27c Author: Miquel Raynal Date: Tue Apr 13 18:18:40 2021 +0200 mtd: rawnand: txx9ndfmc: Fix external use of SW Hamming ECC helper commit 3d227a0b0ce319edbff6fd0d8af4d66689e477cc upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-8-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 9a5d87a6b9c31262fce9277281f0db63c8c70bd2 Author: Miquel Raynal Date: Tue Apr 13 18:18:34 2021 +0200 mtd: rawnand: cs553x: Fix external use of SW Hamming ECC helper commit 56a8d3fd1f342d10ee7b27e9ac0f4d00b5fbb91c upstream. Since the Hamming software ECC engine has been updated to become a proper and independent ECC engine, it is now mandatory to either initialize the engine before using any one of his functions or use one of the bare helpers which only perform the calculations. As there is no actual need for a proper ECC initialization, let's just use the bare helper instead of the rawnand one. Fixes: 90ccf0a0192f ("mtd: nand: ecc-hamming: Rename the exported functions") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20210413161840.345208-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 66f3c30420dc32e55326b3e70071d3e14832ba65 Author: Aurelien Aptel Date: Fri May 21 17:19:27 2021 +0200 cifs: set server->cipher_type to AES-128-CCM for SMB3.0 commit 6d2fcfe6b517fe7cbf2687adfb0a16cdcd5d9243 upstream. SMB3.0 doesn't have encryption negotiate context but simply uses the SMB2_GLOBAL_CAP_ENCRYPTION flag. When that flag is present in the neg response cifs.ko uses AES-128-CCM which is the only cipher available in this context. cipher_type was set to the server cipher only when parsing encryption negotiate context (SMB3.1.1). For SMB3.0 it was set to 0. This means cipher_type value can be 0 or 1 for AES-128-CCM. Fix this by checking for SMB3.0 and encryption capability and setting cipher_type appropriately. Signed-off-by: Aurelien Aptel Cc: Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0c4bfc1b98d75e438e2d4b8fa8f4bc869e984b98 Author: Shyam Prasad N Date: Fri May 21 06:35:52 2021 +0000 cifs: fix string declarations and assignments in tracepoints commit eb0688180549e3b72464e9f78df58cb7a5592c7f upstream. We missed using the variable length string macros in several tracepoints. Fixed them in this change. There's probably more useful macros that we can use to print others like flags etc. But I'll submit sepawrate patches for those at a future date. Signed-off-by: Shyam Prasad N Cc: # v5.12 Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 59ef5291f2994ffaca8f07d7b16de583f41dfd43 Author: Geoffrey D. Bennett Date: Fri May 21 17:50:13 2021 +0930 ALSA: usb-audio: scarlett2: Improve driver startup messages commit 265d1a90e4fb6d3264d8122fbd10760e5e733be6 upstream. Add separate init function to call the existing controls_create function so a custom error can be displayed if initialisation fails. Use info level instead of error for notifications. Display the VID/PID so device_setup is targeted to the right device. Display "enabled" message to easily confirm that the driver is loaded. Signed-off-by: Geoffrey D. Bennett Cc: Link: https://lore.kernel.org/r/b5d140c65f640faf2427e085fbbc0297b32e5fce.1621584566.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ba159455195ee544aba04077e545f3ae7455d83e Author: Geoffrey D. Bennett Date: Fri May 21 17:50:12 2021 +0930 ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci commit 764fa6e686e0107c0357a988d193de04cf047583 upstream. Use usb_rcvctrlpipe() not usb_sndctrlpipe() for USB control input in the Scarlett Gen 2 mixer driver. This fixes the device hang during initialisation when used with the ehci-pci host driver. Fixes: 9e4d5c1be21f ("ALSA: usb-audio: Scarlett Gen 2 mixer interface") Signed-off-by: Geoffrey D. Bennett Cc: Link: https://lore.kernel.org/r/66a3d05dac325d5b53e4930578e143cef1f50dbe.1621584566.git.g@b4.vu Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 601dacd47a34650d96e32df08b375955d4bfa241 Author: Johan Hovold Date: Fri May 21 15:37:42 2021 +0200 ALSA: usb-audio: fix control-request direction commit 51cb8e206afd463e66f16869e5ddc95bef107142 upstream. The direction of the pipe argument must match the request-type direction bit or control requests may fail depending on the host-controller-driver implementation. Fix the UAC2_CS_CUR request which erroneously used usb_sndctrlpipe(). Fixes: 93db51d06b32 ("ALSA: usb-audio: Check valid altsetting at parsing rates for UAC2/3") Cc: stable@vger.kernel.org # 5.10 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20210521133742.18098-1-johan@kernel.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3771c89a16b4465900eab9121a12eed6f1179ba3 Author: Jeremy Szu Date: Thu May 20 01:03:56 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 17 G8 commit 50dbfae972cbe0e3c631e73c7c58cbc48bfc6a49 upstream. The HP ZBook Studio 17.3 Inch G8 is using ALC285 codec which is using 0x04 to control mute LED and 0x01 to control micmute LED. In the other hand, there is no output from right channel of speaker. Therefore, add a quirk to make it works. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210519170357.58410-4-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 54ec6cecf5fcd6ec29647f9238d39bfddb7d5d6c Author: Jeremy Szu Date: Thu May 20 01:03:55 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 15 G8 commit e650c1a959da49f2b873cb56564b825882c22e7a upstream. The HP ZBook Fury 15.6 Inch G8 is using ALC285 codec which is using 0x04 to control mute LED and 0x01 to control micmute LED. In the other hand, there is no output from right channel of speaker. Therefore, add a quirk to make it works. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210519170357.58410-3-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6a79505a4d6663f16da49a07de04fc941aea6416 Author: Jeremy Szu Date: Thu May 20 01:03:54 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook G8 commit bbe183e07817a46cf8d3d7fc88093df81d23a957 upstream. The HP ZBook Studio 15.6 Inch G8 is using ALC285 codec which is using 0x04 to control mute LED and 0x01 to control micmute LED. In the other hand, there is no output from right channel of speaker. Therefore, add a quirk to make it works. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210519170357.58410-2-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2a012daf1ff9358cdfc2e34dfaaaf0f6579603b8 Author: Jeremy Szu Date: Thu May 20 01:03:53 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs for HP 855 G8 commit 0e68c4b11f1e66d211ad242007e9f1076a6b7709 upstream. The HP EliteBook 855 G8 Notebook PC is using ALC285 codec which needs ALC285_FIXUP_HP_MUTE_LED fixup to make it works. After applying the fixup, the mute/micmute LEDs work good. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210519170357.58410-1-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f3c23683d053c54f814986b52d6f88a778cce4d3 Author: Peter Ujfalusi Date: Mon May 24 23:37:26 2021 +0300 ALSA: hda/realtek: Chain in pop reduction fixup for ThinkStation P340 commit 29c8f40b54a45dd23971e2bc395697731bcffbe1 upstream. Lenovo ThinkStation P340 uses ALC623 codec (SSID 17aa:1048) and it produces bug plock/pop noise over line out (green jack on the back) which can be fixed by applying ALC269_FIXUP_NO_SHUTUP tot he machine. Convert the existing entry for the same SSID to chain to apply this fixup as well. Suggested-by: Takashi Iwai Signed-off-by: Peter Ujfalusi Cc: Link: https://lore.kernel.org/r/20210524203726.2278-1-peter.ujfalusi@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3c35570ffb8c44aace6970043d21d0fdb550ffca Author: Hui Wang Date: Sat May 22 11:47:41 2021 +0800 ALSA: hda/realtek: Headphone volume is controlled by Front mixer commit 119b75c150773425a89033215eab4d15d4198f8b upstream. On some ASUS and MSI machines, the audio codec is alc1220 and the Headphone is connected to audio mixer 0xf and DAC 0x5, in theory the Headphone volume is controlled by DAC 0x5 (Heapdhone Playback Volume), but somehow it is controlled by DAC 0x2 (Front Playback Volume), maybe this is a defect on the codec alc1220. Because of this issue, the PA couldn't switch the headphone and Lineout correctly, If we apply the quirk CLEVO_P950 to those machines, the Lineout and Headphone will share the audio mixer 0xc and DAC 0x2, and generate Headphone+LO mixer, then PA could handle them when switching between them. BugLink: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/1206 Cc: Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20210522034741.13415-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 73d862c558605c69d41fadaac608c7b9176a7783 Author: Hui Wang Date: Sat May 22 12:26:45 2021 +0800 ALSA: hda/realtek: the bass speaker can't output sound on Yoga 9i commit 9ebaef0540a981093bce5df15af32354d32391d9 upstream. The Lenovo Yoga 9i has bass speaker, but the bass speaker can't work, that is because there is an i2s amplifier on that speaker, need to run ideapad_s740_coef() to initialize the amplifier. And also needs to apply ALC285_FIXUP_THINKPAD_HEADSET_JACK to rename the speaker's mixer control name, otherwise the PA can't handle them. BugLink: http://bugs.launchpad.net/bugs/1926165 Signed-off-by: Hui Wang Cc: Link: https://lore.kernel.org/r/20210522042645.14221-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman