commit 5805e5eec901e830c7741d4916270d0b9cfd6743 Author: Greg Kroah-Hartman Date: Sun Aug 15 14:00:27 2021 +0200 Linux 5.10.59 Link: https://lore.kernel.org/r/20210813150522.623322501@linuxfoundation.org Tested-by: Shuah Khan Tested-by: Sudip Mukherjee Tested-by: Linux Kernel Functional Testing Tested-by: Fox Chen Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 25cff25ec60690247db8138cd1af8b867df2c489 Author: YueHaibing Date: Wed May 19 10:47:04 2021 +0800 net: xilinx_emaclite: Do not print real IOMEM pointer commit d0d62baa7f505bd4c59cd169692ff07ec49dde37 upstream. Printing kernel pointers is discouraged because they might leak kernel memory layout. This fixes smatch warning: drivers/net/ethernet/xilinx/xilinx_emaclite.c:1191 xemaclite_of_probe() warn: argument 4 to %08lX specifier is cast from pointer Signed-off-by: YueHaibing Signed-off-by: David S. Miller Signed-off-by: Pavel Machek (CIP) Signed-off-by: Greg Kroah-Hartman commit 6a002d48a66076524f67098132538bef17e8445e Author: Miklos Szeredi Date: Mon Aug 9 10:19:47 2021 +0200 ovl: prevent private clone if bind mount is not allowed commit 427215d85e8d1476da1a86b8d67aceb485eb3631 upstream. Add the following checks from __do_loopback() to clone_private_mount() as well: - verify that the mount is in the current namespace - verify that there are no locked children Reported-by: Alois Wohlschlager Fixes: c771d683a62e ("vfs: introduce clone_private_mount()") Cc: # v3.18 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit bffead8d36480e1e9ec574866f63cadbaa4ebb90 Author: Pali Rohár Date: Sat Aug 7 18:00:50 2021 +0200 ppp: Fix generating ppp unit id when ifname is not specified commit 3125f26c514826077f2a4490b75e9b1c7a644c42 upstream. When registering new ppp interface via PPPIOCNEWUNIT ioctl then kernel has to choose interface name as this ioctl API does not support specifying it. Kernel in this case register new interface with name "ppp" where is the ppp unit id, which can be obtained via PPPIOCGUNIT ioctl. This applies also in the case when registering new ppp interface via rtnl without supplying IFLA_IFNAME. PPPIOCNEWUNIT ioctl allows to specify own ppp unit id which will kernel assign to ppp interface, in case this ppp id is not already used by other ppp interface. In case user does not specify ppp unit id then kernel choose the first free ppp unit id. This applies also for case when creating ppp interface via rtnl method as it does not provide a way for specifying own ppp unit id. If some network interface (does not have to be ppp) has name "ppp" with this first free ppp id then PPPIOCNEWUNIT ioctl or rtnl call fails. And registering new ppp interface is not possible anymore, until interface which holds conflicting name is renamed. Or when using rtnl method with custom interface name in IFLA_IFNAME. As list of allocated / used ppp unit ids is not possible to retrieve from kernel to userspace, userspace has no idea what happens nor which interface is doing this conflict. So change the algorithm how ppp unit id is generated. And choose the first number which is not neither used as ppp unit id nor in some network interface with pattern "ppp". This issue can be simply reproduced by following pppd call when there is no ppp interface registered and also no interface with name pattern "ppp": pppd ifname ppp1 +ipv6 noip noauth nolock local nodetach pty "pppd +ipv6 noip noauth nolock local nodetach notty" Or by creating the one ppp interface (which gets assigned ppp unit id 0), renaming it to "ppp1" and then trying to create a new ppp interface (which will always fails as next free ppp unit id is 1, but network interface with name "ppp1" exists). This patch fixes above described issue by generating new and new ppp unit id until some non-conflicting id with network interfaces is generated. Signed-off-by: Pali Rohár Cc: stable@vger.kernel.org Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5df85901fe45ebb58688df6f1941318e18070c09 Author: Luke D Jones Date: Sat Aug 7 14:58:05 2021 +1200 ALSA: hda: Add quirk for ASUS Flow x13 commit 739d0959fbed23838a96c48fbce01dd2f6fb2c5f upstream. The ASUS GV301QH sound appears to work well with the quirk for ALC294_FIXUP_ASUS_DUAL_SPK. Signed-off-by: Luke D Jones Cc: Link: https://lore.kernel.org/r/20210807025805.27321-1-luke@ljones.dev Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8930f2c60a4596d1d69587192f90c1ab7d68e426 Author: Jeremy Szu Date: Tue Aug 10 18:08:45 2021 +0800 ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 650 G8 Notebook PC commit d07149aba2ef423eae94a9cc2a6365d0cdf6fd51 upstream. The HP ProBook 650 G8 Notebook PC is using ALC236 codec which is using 0x02 to control mute LED and 0x01 to control micmute LED. Therefore, add a quirk to make it works. Signed-off-by: Jeremy Szu Cc: Link: https://lore.kernel.org/r/20210810100846.65844-1-jeremy.szu@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 98c3fa3a9d7a2e405ad5a656793d0117bed00881 Author: Takashi Iwai Date: Sun Aug 8 09:01:16 2021 +0200 ALSA: pcm: Fix mmap breakage without explicit buffer setup commit dc0dc8a73e8e4dc33fba93dfe23356cc5a500c57 upstream. The recent fix c4824ae7db41 ("ALSA: pcm: Fix mmap capability check") restricts the mmap capability only to the drivers that properly set up the buffers, but it caused a regression for a few drivers that manage the buffer on its own way. For those with UNKNOWN buffer type (i.e. the uninitialized / unused substream->dma_buffer), just assume that the driver handles the mmap properly and blindly trust the hardware info bit. Fixes: c4824ae7db41 ("ALSA: pcm: Fix mmap capability check") Reported-and-tested-by: Jeff Woods Cc: Link: https://lore.kernel.org/r/s5him0gpghv.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cc1a4dff23a48a3759b2b024ec62b0f34f200b4d Author: Longfang Liu Date: Fri Apr 9 16:48:01 2021 +0800 USB:ehci:fix Kunpeng920 ehci hardware problem commit 26b75952ca0b8b4b3050adb9582c8e2f44d49687 upstream. Kunpeng920's EHCI controller does not have SBRN register. Reading the SBRN register when the controller driver is initialized will get 0. When rebooting the EHCI driver, ehci_shutdown() will be called. if the sbrn flag is 0, ehci_shutdown() will return directly. The sbrn flag being 0 will cause the EHCI interrupt signal to not be turned off after reboot. this interrupt that is not closed will cause an exception to the device sharing the interrupt. Therefore, the EHCI controller of Kunpeng920 needs to skip the read operation of the SBRN register. Acked-by: Alan Stern Signed-off-by: Longfang Liu Link: https://lore.kernel.org/r/1617958081-17999-1-git-send-email-liulongfang@huawei.com Signed-off-by: Greg Kroah-Hartman commit bd909fd3878d4cec9bba70d74dce3d8f3e7581fd Author: Hans de Goede Date: Thu Jan 21 10:22:27 2021 +0100 vboxsf: Make vboxsf_dir_create() return the handle for the created file commit ab0c29687bc7a890d1a86ac376b0b0fd78b2d9b6 upstream Make vboxsf_dir_create() optionally return the vboxsf-handle for the created file. This is a preparation patch for adding atomic_open support. Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") Signed-off-by: Hans de Goede Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 971703fc19cf578263df5cb772586ba171326985 Author: Hans de Goede Date: Thu Jan 21 10:08:59 2021 +0100 vboxsf: Honor excl flag to the dir-inode create op commit cc3ddee97cff034cea4d095de4a484c92a219bf5 upstream Honor the excl flag to the dir-inode create op, instead of behaving as if it is always set. Note the old behavior still worked most of the time since a non-exclusive open only calls the create op, if there is a race and the file is created between the dentry lookup and the calling of the create call. While at it change the type of the is_dir parameter to the vboxsf_dir_create() helper from an int to a bool, to be consistent with the use of bool for the excl parameter. Fixes: 0fd169576648 ("fs: Add VirtualBox guest shared folder (vboxsf) support") Signed-off-by: Hans de Goede Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 96b2232cb7e59a3d9268638554ca38decc1b46d1 Author: Adam Ford Date: Thu May 13 06:46:16 2021 -0500 arm64: dts: renesas: beacon: Fix USB ref clock references commit ebc666f39ff67a01e748c34d670ddf05a9e45220 upstream The RZ/G2 boards expect there to be an external clock reference for USB2 EHCI controllers. For the Beacon boards, this reference clock is controlled by a programmable versaclock. Because the RZ/G2 family has a special clock driver when using an external clock, the third clock reference in the EHCI node needs to point to this special clock, called usb2_clksel. Since the usb2_clksel does not keep the usb_extal clock enabled, the 4th clock entry for the EHCI nodes needs to reference it to keep the clock running and make USB functional. Signed-off-by: Adam Ford Link: https://lore.kernel.org/r/20210513114617.30191-2-aford173@gmail.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit e0dd4a0ab072faf1bb882f1396159db9247baf10 Author: Adam Ford Date: Thu May 13 06:46:15 2021 -0500 arm64: dts: renesas: beacon: Fix USB extal reference commit 56bc54496f5d6bc638127bfc9df3742cbf0039e7 upstream The USB extal clock reference isn't associated to a crystal, it's associated to a programmable clock, so remove the extal reference, add the usb2_clksel. Since usb_extal is referenced by the versaclock, reference it here so the usb2_clksel can get the proper clock speed of 50MHz. Signed-off-by: Adam Ford Link: https://lore.kernel.org/r/20210513114617.30191-1-aford173@gmail.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit 0f47027d1b9b157bbf5cf2a7b0eb57a82dac67af Author: Adam Ford Date: Mon Dec 28 14:22:21 2020 -0600 arm64: dts: renesas: rzg2: Add usb2_clksel to RZ/G2 M/N/H commit e1076ce07b7736aed269c5d8154f2442970d9137 upstream Per the reference manual for the RZ/G Series, 2nd Generation, the RZ/G2M, RZ/G2N, and RZ/G2H have a bit that can be set to choose between a crystal oscillator and an external oscillator. Because only boards that need this should enable it, it's marked as disabled by default for backwards compatibility with existing boards. Signed-off-by: Adam Ford Link: https://lore.kernel.org/r/20201228202221.2327468-2-aford173@gmail.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman commit eaa7feecd366577148fc17958fd708cea4874a97 Author: Mike Rapoport Date: Wed Aug 11 16:41:39 2021 +0300 mm: make zone_to_nid() and zone_set_nid() available for DISCONTIGMEM Since the commit ce6ee46e0f39 ("mm/page_alloc: fix memory map initialization for descending nodes") initialization of the memory map relies on availability of zone_to_nid() and zone_set_nid methods to link struct page to a node. But in 5.10 zone_to_nid() is only defined for NUMA, but not for DISCONTIGMEM which causes crashes on m68k systems with two memory banks. For instance on ARAnyM with both ST-RAM and FastRAM atari_defconfig build produces the following crash: Unable to handle kernel access at virtual address (ptrval) Oops: 00000000 Modules linked in: PC: [<0005fbbc>] bpf_prog_alloc_no_stats+0x5c/0xba SR: 2200 SP: (ptrval) a2: 016daa90 d0: 0000000c d1: 00000200 d2: 00000001 d3: 00000cc0 d4: 016d1f80 d5: 00034da6 a0: 305c2800 a1: 305c2a00 Process swapper (pid: 1, task=(ptrval)) Frame format=7 eff addr=31800000 ssw=0445 faddr=31800000 wb 1 stat/addr/data: 0000 00000000 00000000 wb 2 stat/addr/data: 0000 00000000 00000000 wb 3 stat/addr/data: 00c5 31800000 00000001 push data: 00000000 00000000 00000000 00000000 Stack from 3058fec8: 00000dc0 00000000 004addc2 3058ff16 0005fc34 00000238 00000000 00000210 004addc2 3058ff16 00281ae0 00000238 00000000 00000000 004addc2 004bc7ec 004aea9e 0048b0c0 3058ff16 00460042 004ba4d2 3058ff8c 004ade6a 0000007e 0000210e 0000007e 00000002 016d1f80 00034da6 000020b4 00000000 004b4764 004bc7ec 00000000 004b4760 004bc7c0 004b4744 001e4cb2 00010001 016d1fe5 016d1ff0 004994d2 003e1589 016d1f80 00412b8c 0000007e 00000001 00000001 Call Trace: [<004addc2>] sock_init+0x0/0xaa [<0005fc34>] bpf_prog_alloc+0x1a/0x66 [<004addc2>] sock_init+0x0/0xaa [<00281ae0>] bpf_prog_create+0x2e/0x7c [<004addc2>] sock_init+0x0/0xaa [<004aea9e>] ptp_classifier_init+0x22/0x44 [<004ade6a>] sock_init+0xa8/0xaa [<0000210e>] do_one_initcall+0x5a/0x150 [<00034da6>] parse_args+0x0/0x208 [<000020b4>] do_one_initcall+0x0/0x150 [<001e4cb2>] strcpy+0x0/0x1c [<00010001>] stwotoxd+0x5/0x1c [<004994d2>] kernel_init_freeable+0x154/0x1a6 [<001e4cb2>] strcpy+0x0/0x1c [<0049951a>] kernel_init_freeable+0x19c/0x1a6 [<004addc2>] sock_init+0x0/0xaa [<00321510>] kernel_init+0x0/0xd8 [<00321518>] kernel_init+0x8/0xd8 [<00321510>] kernel_init+0x0/0xd8 [<00002890>] ret_from_kernel_thread+0xc/0x14 Code: 204b 200b 4cdf 180c 4e75 700c e0aa 3682 <2748> 001c 214b 0140 022b ffbf 0002 206b 001c 2008 0680 0000 0108 2140 0108 2140 Disabling lock debugging due to kernel taint Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Using CONFIG_NEED_MULTIPLE_NODES rather than CONFIG_NUMA to guard definitions of zone_to_nid() and zone_set_nid() fixes the issue. Reported-by: Mikael Pettersson Fixes: ce6ee46e0f39 ("mm/page_alloc: fix memory map initialization for descending nodes") Signed-off-by: Mike Rapoport Tested-by: Mikael Pettersson Signed-off-by: Greg Kroah-Hartman commit 0e709390372fc2c29444ba6592b76e274a98a524 Author: Reinette Chatre Date: Wed Aug 11 16:54:21 2021 -0700 Revert "selftests/resctrl: Use resctrl/info for feature detection" This reverts commit 19eaad1400eab34e97ec4467cd2ab694d1caf20c which is ee0415681eb661efa1eb2db7acc263f2c7df1e23 upstream. This commit is not a stable candidate and was backported without needed dependencies that results in the resctrl tests unable to compile. Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit d8c38598701fab30c8bf205c1a249ef6aa7b2a8d Author: Daniel Borkmann Date: Mon Aug 9 12:43:17 2021 +0200 bpf: Add lockdown check for probe_write_user helper commit 51e1bb9eeaf7868db56e58f47848e364ab4c4129 upstream. Back then, commit 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") added the bpf_probe_write_user() helper in order to allow to override user space memory. Its original goal was to have a facility to "debug, divert, and manipulate execution of semi-cooperative processes" under CAP_SYS_ADMIN. Write to kernel was explicitly disallowed since it would otherwise tamper with its integrity. One use case was shown in cf9b1199de27 ("samples/bpf: Add test/example of using bpf_probe_write_user bpf helper") where the program DNATs traffic at the time of connect(2) syscall, meaning, it rewrites the arguments to a syscall while they're still in userspace, and before the syscall has a chance to copy the argument into kernel space. These days we have better mechanisms in BPF for achieving the same (e.g. for load-balancers), but without having to write to userspace memory. Of course the bpf_probe_write_user() helper can also be used to abuse many other things for both good or bad purpose. Outside of BPF, there is a similar mechanism for ptrace(2) such as PTRACE_PEEK{TEXT,DATA} and PTRACE_POKE{TEXT,DATA}, but would likely require some more effort. Commit 96ae52279594 explicitly dedicated the helper for experimentation purpose only. Thus, move the helper's availability behind a newly added LOCKDOWN_BPF_WRITE_USER lockdown knob so that the helper is disabled under the "integrity" mode. More fine-grained control can be implemented also from LSM side with this change. Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Signed-off-by: Greg Kroah-Hartman commit 5b5064ea9a9451972fc28ee8e326e8ea3ac101ed Author: Allen Pais Date: Mon Jun 14 17:33:17 2021 -0500 firmware: tee_bnxt: Release TEE shm, session, and context during kexec [ Upstream commit 914ab19e471d8fb535ed50dff108b0a615f3c2d8 ] Implement a .shutdown hook that will be called during a kexec operation so that the TEE shared memory, session, and context that were set up during .probe can be properly freed/closed. Additionally, don't use dma-buf backed shared memory for the fw_shm_pool. dma-buf backed shared memory cannot be reliably freed and unregistered during a kexec operation even when tee_shm_free() is called on the shm from a .shutdown hook. The problem occurs because dma_buf_put() calls fput() which then uses task_work_add(), with the TWA_RESUME parameter, to queue tee_shm_release() to be called before the current task returns to user mode. However, the current task never returns to user mode before the kexec completes so the memory is never freed nor unregistered. Use tee_shm_alloc_kernel_buf() to avoid dma-buf backed shared memory allocation so that tee_shm_free() can directly call tee_shm_release(). This will ensure that the shm can be freed and unregistered during a kexec operation. Fixes: 246880958ac9 ("firmware: broadcom: add OP-TEE based BNXT f/w manager") Cc: stable@vger.kernel.org Signed-off-by: Allen Pais Co-developed-by: Tyler Hicks Signed-off-by: Tyler Hicks Reviewed-by: Sumit Garg Acked-by: Florian Fainelli Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin commit c5a625c6a4aca90ef85947dd0ee813e31af8af5c Author: Sumit Garg Date: Mon Jun 14 17:33:15 2021 -0500 tee: Correct inappropriate usage of TEE_SHM_DMA_BUF flag [ Upstream commit 376e4199e327a5cf29b8ec8fb0f64f3d8b429819 ] Currently TEE_SHM_DMA_BUF flag has been inappropriately used to not register shared memory allocated for private usage by underlying TEE driver: OP-TEE in this case. So rather add a new flag as TEE_SHM_PRIV that can be utilized by underlying TEE drivers for private allocation and usage of shared memory. With this corrected, allow tee_shm_alloc_kernel_buf() to allocate a shared memory region without the backing of dma-buf. Cc: stable@vger.kernel.org Signed-off-by: Sumit Garg Co-developed-by: Tyler Hicks Signed-off-by: Tyler Hicks Reviewed-by: Jens Wiklander Reviewed-by: Sumit Garg Signed-off-by: Jens Wiklander Signed-off-by: Sasha Levin commit 9f105d2d4f6c60f92b0a0b5346a19b157d8d7e25 Author: Sean Christopherson Date: Tue Aug 3 09:27:46 2021 -0700 KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB [ Upstream commit 179c6c27bf487273652efc99acd3ba512a23c137 ] Use the raw ASID, not ASID-1, when nullifying the last used VMCB when freeing an SEV ASID. The consumer, pre_sev_run(), indexes the array by the raw ASID, thus KVM could get a false negative when checking for a different VMCB if KVM manages to reallocate the same ASID+VMCB combo for a new VM. Note, this cannot cause a functional issue _in the current code_, as pre_sev_run() also checks which pCPU last did VMRUN for the vCPU, and last_vmentry_cpu is initialized to -1 during vCPU creation, i.e. is guaranteed to mismatch on the first VMRUN. However, prior to commit 8a14fe4f0c54 ("kvm: x86: Move last_cpu into kvm_vcpu_arch as last_vmentry_cpu"), SVM tracked pCPU on its own and zero-initialized the last_cpu variable. Thus it's theoretically possible that older versions of KVM could miss a TLB flush if the first VMRUN is on pCPU0 and the ASID and VMCB exactly match those of a prior VM. Fixes: 70cd94e60c73 ("KVM: SVM: VMRUN should use associated ASID when SEV is enabled") Cc: Tom Lendacky Cc: Brijesh Singh Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin