commit 4f447bf95fdc7c8ba933f9eb30b0074933b45cca Author: Greg Kroah-Hartman Date: Wed Sep 9 19:14:34 2020 +0200 Linux 5.8.8 Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 830b08e696f777bfc5cb7739b7f9b0fe4cb3374c Author: Himadri Pandya Date: Thu Aug 27 12:23:55 2020 +0530 net: usb: Fix uninit-was-stored issue in asix_read_phy_addr() commit a092b7233f0e000cc6f2c71a49e2ecc6f917a5fc upstream. The buffer size is 2 Bytes and we expect to receive the same amount of data. But sometimes we receive less data and run into uninit-was-stored issue upon read. Hence modify the error check on the return value to match with the buffer size as a prevention. Reported-and-tested by: syzbot+a7e220df5a81d1ab400e@syzkaller.appspotmail.com Signed-off-by: Himadri Pandya Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 548c1175051d986132046080e94b058c41e469f0 Author: Johannes Berg Date: Wed Aug 19 10:46:48 2020 +0200 cfg80211: regulatory: reject invalid hints commit 47caf685a6854593348f216e0b489b71c10cbe03 upstream. Reject invalid hints early in order to not cause a kernel WARN later if they're restored to or similar. Reported-by: syzbot+d451401ffd00a60677ee@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=d451401ffd00a60677ee Link: https://lore.kernel.org/r/20200819084648.13956-1-johannes@sipsolutions.net Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 9206b03e7fc9cd92062269a67d828b6132ae3549 Author: David Howells Date: Fri Sep 4 16:36:16 2020 -0700 mm/khugepaged.c: fix khugepaged's request size in collapse_file commit e5a59d308f52bb0052af5790c22173651b187465 upstream. collapse_file() in khugepaged passes PAGE_SIZE as the number of pages to be read to page_cache_sync_readahead(). The intent was probably to read a single page. Fix it to use the number of pages to the end of the window instead. Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS") Signed-off-by: David Howells Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Andrew Morton Reviewed-by: Matthew Wilcox (Oracle) Acked-by: Song Liu Acked-by: Yang Shi Acked-by: Pankaj Gupta Cc: Eric Biggers Link: https://lkml.kernel.org/r/20200903140844.14194-2-willy@infradead.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 951e290ad85b8dfa54f8908fb680068655748d61 Author: Muchun Song Date: Fri Sep 4 16:36:13 2020 -0700 mm/hugetlb: fix a race between hugetlb sysctl handlers commit 17743798d81238ab13050e8e2833699b54e15467 upstream. There is a race between the assignment of `table->data` and write value to the pointer of `table->data` in the __do_proc_doulongvec_minmax() on the other thread. CPU0: CPU1: proc_sys_write hugetlb_sysctl_handler proc_sys_call_handler hugetlb_sysctl_handler_common hugetlb_sysctl_handler table->data = &tmp; hugetlb_sysctl_handler_common table->data = &tmp; proc_doulongvec_minmax do_proc_doulongvec_minmax sysctl_head_finish __do_proc_doulongvec_minmax unuse_table i = table->data; *i = val; // corrupt CPU1's stack Fix this by duplicating the `table`, and only update the duplicate of it. And introduce a helper of proc_hugetlb_doulongvec_minmax() to simplify the code. The following oops was seen: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page Code: Bad RIP value. ... Call Trace: ? set_max_huge_pages+0x3da/0x4f0 ? alloc_pool_huge_page+0x150/0x150 ? proc_doulongvec_minmax+0x46/0x60 ? hugetlb_sysctl_handler_common+0x1c7/0x200 ? nr_hugepages_store+0x20/0x20 ? copy_fd_bitmaps+0x170/0x170 ? hugetlb_sysctl_handler+0x1e/0x20 ? proc_sys_call_handler+0x2f1/0x300 ? unregister_sysctl_table+0xb0/0xb0 ? __fd_install+0x78/0x100 ? proc_sys_write+0x14/0x20 ? __vfs_write+0x4d/0x90 ? vfs_write+0xef/0x240 ? ksys_write+0xc0/0x160 ? __ia32_sys_read+0x50/0x50 ? __close_fd+0x129/0x150 ? __x64_sys_write+0x43/0x50 ? do_syscall_64+0x6c/0x200 ? entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: e5ff215941d5 ("hugetlb: multiple hstates for multiple page sizes") Signed-off-by: Muchun Song Signed-off-by: Andrew Morton Reviewed-by: Mike Kravetz Cc: Andi Kleen Link: http://lkml.kernel.org/r/20200828031146.43035-1-songmuchun@bytedance.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e2d4e423205ed6d80794be050c3f0cad1386a932 Author: Li Xinhai Date: Fri Sep 4 16:36:10 2020 -0700 mm/hugetlb: try preferred node first when alloc gigantic page from cma commit 953f064aa6b29debcc211869b60bd59f26d19c34 upstream. Since commit cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma"), the gigantic page would be allocated from node which is not the preferred node, although there are pages available from that node. The reason is that the nid parameter has been ignored in alloc_gigantic_page(). Besides, the __GFP_THISNODE also need be checked if user required to alloc only from the preferred node. After this patch, the preferred node is tried first before other allowed nodes, and don't try to allocate from other nodes if __GFP_THISNODE is specified. If user don't specify the preferred node, the current node will be used as preferred node, which makes sure consistent behavior of allocating gigantic and non-gigantic hugetlb page. Fixes: cf11e85fc08c ("mm: hugetlb: optionally allocate gigantic hugepages using cma") Signed-off-by: Li Xinhai Signed-off-by: Andrew Morton Reviewed-by: Mike Kravetz Acked-by: Michal Hocko Cc: Roman Gushchin Link: https://lkml.kernel.org/r/20200902025016.697260-1-lixinhai.lxh@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3fd08f78f47acffb92cc6b12037236f526b84f28 Author: Alistair Popple Date: Fri Sep 4 16:35:58 2020 -0700 mm/migrate: fixup setting UFFD_WP flag commit ebdf8321eeeb623aed60f7ed16f7445363230118 upstream. Commit f45ec5ff16a75 ("userfaultfd: wp: support swap and page migration") introduced support for tracking the uffd wp bit during page migration. However the non-swap PTE variant was used to set the flag for zone device private pages which are a type of swap page. This leads to corruption of the swap offset if the original PTE has the uffd_wp flag set. Fixes: f45ec5ff16a75 ("userfaultfd: wp: support swap and page migration") Signed-off-by: Alistair Popple Signed-off-by: Andrew Morton Reviewed-by: Peter Xu Cc: Jérôme Glisse Cc: John Hubbard Cc: Ralph Campbell Link: https://lkml.kernel.org/r/20200825064232.10023-1-alistair@popple.id.au Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 658e93f1c3181d805870b27803525b371166ff3b Author: Mrinal Pandey Date: Fri Sep 4 16:35:52 2020 -0700 checkpatch: fix the usage of capture group ( ... ) commit 13e45417cedbfc44b1926124b1846f5ee8c6ba4a upstream. The usage of "capture group (...)" in the immediate condition after `&&` results in `$1` being uninitialized. This issues a warning "Use of uninitialized value $1 in regexp compilation at ./scripts/checkpatch.pl line 2638". I noticed this bug while running checkpatch on the set of commits from v5.7 to v5.8-rc1 of the kernel on the commits with a diff content in their commit message. This bug was introduced in the script by commit e518e9a59ec3 ("checkpatch: emit an error when there's a diff in a changelog"). It has been in the script since then. The author intended to store the match made by capture group in variable `$1`. This should have contained the name of the file as `[\w/]+` matched. However, this couldn't be accomplished due to usage of capture group and `$1` in the same regular expression. Fix this by placing the capture group in the condition before `&&`. Thus, `$1` can be initialized to the text that capture group matches thereby setting it to the desired and required value. Fixes: e518e9a59ec3 ("checkpatch: emit an error when there's a diff in a changelog") Signed-off-by: Mrinal Pandey Signed-off-by: Andrew Morton Tested-by: Lukas Bulwahn Reviewed-by: Lukas Bulwahn Cc: Joe Perches Link: https://lkml.kernel.org/r/20200714032352.f476hanaj2dlmiot@mrinalpandey Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d3498d5e8775fdefd7217259db3c2d243f35dc6e Author: Sowjanya Komatineni Date: Thu Aug 27 10:21:01 2020 -0700 sdhci: tegra: Add missing TMCLK for data timeout commit 8048822bac01936fda2c7b924a52131da81e6198 upstream. commit b5a84ecf025a ("mmc: tegra: Add Tegra210 support") Tegra210 and later has a separate sdmmc_legacy_tm (TMCLK) used by Tegra SDMMC hawdware for data timeout to achive better timeout than using SDCLK and using TMCLK is recommended. USE_TMCLK_FOR_DATA_TIMEOUT bit in Tegra SDMMC register SDHCI_TEGRA_VENDOR_SYS_SW_CTRL can be used to choose either TMCLK or SDCLK for data timeout. Default USE_TMCLK_FOR_DATA_TIMEOUT bit is set to 1 and TMCLK is used for data timeout by Tegra SDMMC hardware and having TMCLK not enabled is not recommended. So, this patch adds quirk NVQUIRK_HAS_TMCLK for SoC having separate timeout clock and keeps TMCLK enabled all the time. Fixes: b5a84ecf025a ("mmc: tegra: Add Tegra210 support") Cc: stable # 5.4 Tested-by: Jon Hunter Reviewed-by: Jon Hunter Acked-by: Adrian Hunter Signed-off-by: Sowjanya Komatineni Link: https://lore.kernel.org/r/1598548861-32373-8-git-send-email-skomatineni@nvidia.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 55eb0f42f465640fe687d15cdf7677cfb642909c Author: Randy Dunlap Date: Wed Aug 26 14:21:43 2020 -0700 kconfig: streamline_config.pl: check defined(ENV variable) before using it commit a73fbfce2cc28883f659414d598e6e60ca2214b4 upstream. A user reported: 'Use of uninitialized value $ENV{"LMC_KEEP"} in split at ./scripts/kconfig/streamline_config.pl line 596.' so first check that $ENV{LMC_KEEP} is defined before trying to use it. Fixes: c027b02d89fd ("streamline_config.pl: add LMC_KEEP to preserve some kconfigs") Signed-off-by: Randy Dunlap Acked-by: Steven Rostedt (VMware) Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 8c4c56846892f7dd3f3b3e31e5e0db051d5bcf0f Author: Wei Li Date: Wed Aug 19 11:19:47 2020 +0800 perf record: Correct the help info of option "--no-bpf-event" commit a060c1f12b525ba828f871eff3127dabf8daa1e6 upstream. The help info of option "--no-bpf-event" is wrongly described as "record bpf events", correct it. Committer testing: $ perf record -h bpf Usage: perf record [] [] or: perf record [] -- [] --clang-opt options passed to clang when compiling BPF scriptlets --clang-path clang binary to use for compiling BPF scriptlets --no-bpf-event do not record bpf events $ Fixes: 71184c6ab7e6 ("perf record: Replace option --bpf-event with --no-bpf-event") Signed-off-by: Wei Li Acked-by: Song Liu Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Hanjun Guo Cc: Jiri Olsa Cc: Li Bin Cc: Mark Rutland Cc: Namhyung Kim Link: http://lore.kernel.org/lkml/20200819031947.12115-1-liwei391@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit bf8fe7b755c2ccdf8fd739ad71dd0d035588511a Author: Jens Axboe Date: Wed Sep 2 09:30:31 2020 -0600 io_uring: no read/write-retry on -EAGAIN error and O_NONBLOCK marked file commit 355afaeb578abac907217c256a844cfafb0337b2 upstream. Actually two things that need fixing up here: - The io_rw_reissue() -EAGAIN retry is explicit to block devices and regular files, so don't ever attempt to do that on other types of files. - If we hit -EAGAIN on a nonblock marked file, don't arm poll handler for it. It should just complete with -EAGAIN. Cc: stable@vger.kernel.org Reported-by: Norman Maurer Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit a8bf40a7538fbc9652457506fc3e5ca5c3228732 Author: Alistair Popple Date: Fri Sep 4 16:36:01 2020 -0700 mm/rmap: fixup copying of soft dirty and uffd ptes commit ad7df764b7e1c7dc64e016da7ada2e3e1bb90700 upstream. During memory migration a pte is temporarily replaced with a migration swap pte. Some pte bits from the existing mapping such as the soft-dirty and uffd write-protect bits are preserved by copying these to the temporary migration swap pte. However these bits are not stored at the same location for swap and non-swap ptes. Therefore testing these bits requires using the appropriate helper function for the given pte type. Unfortunately several code locations were found where the wrong helper function is being used to test soft_dirty and uffd_wp bits which leads to them getting incorrectly set or cleared during page-migration. Fix these by using the correct tests based on pte type. Fixes: a5430dda8a3a ("mm/migrate: support un-addressable ZONE_DEVICE page in migration") Fixes: 8c3328f1f36a ("mm/migrate: migrate_vma() unmap page from vma while collecting pages") Fixes: f45ec5ff16a7 ("userfaultfd: wp: support swap and page migration") Signed-off-by: Alistair Popple Signed-off-by: Andrew Morton Reviewed-by: Peter Xu Cc: Jérôme Glisse Cc: John Hubbard Cc: Ralph Campbell Cc: Alistair Popple Cc: Link: https://lkml.kernel.org/r/20200825064232.10023-2-alistair@popple.id.au Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9b4a9e89f6e87516edd5e5a610abe15d1cad5ec9 Author: Yang Shi Date: Fri Sep 4 16:35:55 2020 -0700 mm: madvise: fix vma user-after-free commit 7867fd7cc44e63c6673cd0f8fea155456d34d0de upstream. The syzbot reported the below use-after-free: BUG: KASAN: use-after-free in madvise_willneed mm/madvise.c:293 [inline] BUG: KASAN: use-after-free in madvise_vma mm/madvise.c:942 [inline] BUG: KASAN: use-after-free in do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 Read of size 8 at addr ffff8880a6163eb0 by task syz-executor.0/9996 CPU: 0 PID: 9996 Comm: syz-executor.0 Not tainted 5.9.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 madvise_willneed mm/madvise.c:293 [inline] madvise_vma mm/madvise.c:942 [inline] do_madvise.part.0+0x1c8b/0x1cf0 mm/madvise.c:1145 do_madvise mm/madvise.c:1169 [inline] __do_sys_madvise mm/madvise.c:1171 [inline] __se_sys_madvise mm/madvise.c:1169 [inline] __x64_sys_madvise+0xd9/0x110 mm/madvise.c:1169 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Allocated by task 9992: kmem_cache_alloc+0x138/0x3a0 mm/slab.c:3482 vm_area_alloc+0x1c/0x110 kernel/fork.c:347 mmap_region+0x8e5/0x1780 mm/mmap.c:1743 do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 vm_mmap_pgoff+0x195/0x200 mm/util.c:506 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 9992: kmem_cache_free.part.0+0x67/0x1f0 mm/slab.c:3693 remove_vma+0x132/0x170 mm/mmap.c:184 remove_vma_list mm/mmap.c:2613 [inline] __do_munmap+0x743/0x1170 mm/mmap.c:2869 do_munmap mm/mmap.c:2877 [inline] mmap_region+0x257/0x1780 mm/mmap.c:1716 do_mmap+0xcf9/0x11d0 mm/mmap.c:1545 vm_mmap_pgoff+0x195/0x200 mm/util.c:506 ksys_mmap_pgoff+0x43a/0x560 mm/mmap.c:1596 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 It is because vma is accessed after releasing mmap_lock, but someone else acquired the mmap_lock and the vma is gone. Releasing mmap_lock after accessing vma should fix the problem. Fixes: 692fe62433d4c ("mm: Handle MADV_WILLNEED through vfs_fadvise()") Reported-by: syzbot+b90df26038d1d5d85c97@syzkaller.appspotmail.com Signed-off-by: Yang Shi Signed-off-by: Andrew Morton Reviewed-by: Andrew Morton Reviewed-by: Jan Kara Cc: [5.4+] Link: https://lkml.kernel.org/r/20200816141204.162624-1-shy828301@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 98650804fa530943b45315b27ac5b607f1eacf58 Author: Joerg Roedel Date: Fri Sep 4 16:35:43 2020 -0700 mm: track page table modifications in __apply_to_page_range() commit e80d3909be42f7e38cc350c1ba109cf0aa51956a upstream. __apply_to_page_range() is also used to change and/or allocate page-table pages in the vmalloc area of the address space. Make sure these changes get synchronized to other page-tables in the system by calling arch_sync_kernel_mappings() when necessary. The impact appears limited to x86-32, where apply_to_page_range may miss updating the PMD. That leads to explosions in drivers like BUG: unable to handle page fault for address: fe036000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 00000000 Oops: 0002 [#1] SMP CPU: 3 PID: 1300 Comm: gem_concurrent_ Not tainted 5.9.0-rc1+ #16 Hardware name: /NUC6i3SYB, BIOS SYSKLi35.86A.0024.2015.1027.2142 10/27/2015 EIP: __execlists_context_alloc+0x132/0x2d0 [i915] Code: 31 d2 89 f0 e8 2f 55 02 00 89 45 e8 3d 00 f0 ff ff 0f 87 11 01 00 00 8b 4d e8 03 4b 30 b8 5a 5a 5a 5a ba 01 00 00 00 8d 79 04 01 5a 5a 5a 5a c7 81 fc 0f 00 00 5a 5a 5a 5a 83 e7 fc 29 f9 81 EAX: 5a5a5a5a EBX: f60ca000 ECX: fe036000 EDX: 00000001 ESI: f43b7340 EDI: fe036004 EBP: f6389cb8 ESP: f6389c9c DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010286 CR0: 80050033 CR2: fe036000 CR3: 2d361000 CR4: 001506d0 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: fffe0ff0 DR7: 00000400 Call Trace: execlists_context_alloc+0x10/0x20 [i915] intel_context_alloc_state+0x3f/0x70 [i915] __intel_context_do_pin+0x117/0x170 [i915] i915_gem_do_execbuffer+0xcc7/0x2500 [i915] i915_gem_execbuffer2_ioctl+0xcd/0x1f0 [i915] drm_ioctl_kernel+0x8f/0xd0 drm_ioctl+0x223/0x3d0 __ia32_sys_ioctl+0x1ab/0x760 __do_fast_syscall_32+0x3f/0x70 do_fast_syscall_32+0x29/0x60 do_SYSENTER_32+0x15/0x20 entry_SYSENTER_32+0x9f/0xf2 EIP: 0xb7f28559 Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76 EAX: ffffffda EBX: 00000005 ECX: c0406469 EDX: bf95556c ESI: b7e68000 EDI: c0406469 EBP: 00000005 ESP: bf9554d8 DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296 Modules linked in: i915 x86_pkg_temp_thermal intel_powerclamp crc32_pclmul crc32c_intel intel_cstate intel_uncore intel_gtt drm_kms_helper intel_pch_thermal video button autofs4 i2c_i801 i2c_smbus fan CR2: 00000000fe036000 It looks like kasan, xen and i915 are vulnerable. Actual impact is "on thinkpad X60 in 5.9-rc1, screen starts blinking after 30-or-so minutes, and machine is unusable" [sfr@canb.auug.org.au: ARCH_PAGE_TABLE_SYNC_MASK needs vmalloc.h] Link: https://lkml.kernel.org/r/20200825172508.16800a4f@canb.auug.org.au [chris@chris-wilson.co.uk: changelog addition] [pavel@ucw.cz: changelog addition] Fixes: 2ba3e6947aed ("mm/vmalloc: track which page-table levels were modified") Fixes: 86cf69f1d893 ("x86/mm/32: implement arch_sync_kernel_mappings()") Signed-off-by: Joerg Roedel Signed-off-by: Stephen Rothwell Signed-off-by: Andrew Morton Tested-by: Chris Wilson [x86-32] Tested-by: Pavel Machek Acked-by: Linus Torvalds Cc: [5.8+] Link: https://lkml.kernel.org/r/20200821123746.16904-1-joro@8bytes.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3eba981cffc9f31d9455944915bd309b221d09f4 Author: Eugeniu Rosca Date: Fri Sep 4 16:35:30 2020 -0700 mm: slub: fix conversion of freelist_corrupted() commit dc07a728d49cf025f5da2c31add438d839d076c0 upstream. Commit 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()") suffered an update when picked up from LKML [1]. Specifically, relocating 'freelist = NULL' into 'freelist_corrupted()' created a no-op statement. Fix it by sticking to the behavior intended in the original patch [1]. In addition, make freelist_corrupted() immune to passing NULL instead of &freelist. The issue has been spotted via static analysis and code review. [1] https://lore.kernel.org/linux-mm/20200331031450.12182-1-dongli.zhang@oracle.com/ Fixes: 52f23478081ae0 ("mm/slub.c: fix corrupted freechain in deactivate_slab()") Signed-off-by: Eugeniu Rosca Signed-off-by: Andrew Morton Cc: Dongli Zhang Cc: Joe Jin Cc: Christoph Lameter Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Cc: Link: https://lkml.kernel.org/r/20200824130643.10291-1-erosca@de.adit-jv.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4469ea5972ab9c3064af6dcc0d76c1dfa6bb7913 Author: Ye Bin Date: Tue Sep 1 14:25:44 2020 +0800 dm thin metadata: Fix use-after-free in dm_bm_set_read_only commit 3a653b205f29b3f9827a01a0c88bfbcb0d169494 upstream. The following error ocurred when testing disk online/offline: [ 301.798344] device-mapper: thin: 253:5: aborting current metadata transaction [ 301.848441] device-mapper: thin: 253:5: failed to abort metadata transaction [ 301.849206] Aborting journal on device dm-26-8. [ 301.850489] EXT4-fs error (device dm-26) in __ext4_new_inode:943: Journal has aborted [ 301.851095] EXT4-fs (dm-26): Delayed block allocation failed for inode 398742 at logical offset 181 with max blocks 19 with error 30 [ 301.854476] BUG: KASAN: use-after-free in dm_bm_set_read_only+0x3a/0x40 [dm_persistent_data] Reason is: metadata_operation_failed abort_transaction dm_pool_abort_metadata __create_persistent_data_objects r = __open_or_format_metadata if (r) --> If failed will free pmd->bm but pmd->bm not set NULL dm_block_manager_destroy(pmd->bm); set_pool_mode dm_pool_metadata_read_only(pool->pmd); dm_bm_set_read_only(pmd->bm); --> use-after-free Add checks to see if pmd->bm is NULL in dm_bm_set_read_only and dm_bm_set_read_write functions. If bm is NULL it means creating the bm failed and so dm_bm_is_read_only must return true. Signed-off-by: Ye Bin Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit b3c76fdbb11988c5775b684980aabc02886e5d41 Author: Ye Bin Date: Tue Sep 1 14:25:43 2020 +0800 dm thin metadata: Avoid returning cmd->bm wild pointer on error commit 219403d7e56f9b716ad80ab87db85d29547ee73e upstream. Maybe __create_persistent_data_objects() caller will use PTR_ERR as a pointer, it will lead to some strange things. Signed-off-by: Ye Bin Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit d02a33a248258cc0c2803f7af318ddcd8d83ba16 Author: Ye Bin Date: Tue Sep 1 14:25:42 2020 +0800 dm cache metadata: Avoid returning cmd->bm wild pointer on error commit d16ff19e69ab57e08bf908faaacbceaf660249de upstream. Maybe __create_persistent_data_objects() caller will use PTR_ERR as a pointer, it will lead to some strange things. Signed-off-by: Ye Bin Cc: stable@vger.kernel.org Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 0a495d145f59939cba68849a721e6cf27babce34 Author: Damien Le Moal Date: Mon Aug 31 14:55:55 2020 +0900 dm crypt: Initialize crypto wait structures commit 7785a9e4c228db6d01086a52d5685cd7336a08b7 upstream. Use the DECLARE_CRYPTO_WAIT() macro to properly initialize the crypto wait structures declared on stack before their use with crypto_wait_req(). Fixes: 39d13a1ac41d ("dm crypt: reuse eboiv skcipher for IV generation") Fixes: bbb1658461ac ("dm crypt: Implement Elephant diffuser for Bitlocker compatibility") Cc: stable@vger.kernel.org Signed-off-by: Damien Le Moal Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 372236a01bc548c3a0fdb02eb362144a3b10a233 Author: Mikulas Patocka Date: Mon Aug 31 09:25:41 2020 -0400 dm integrity: fix error reporting in bitmap mode after creation commit e27fec66f0a94e35a35548bd0b29ae616e62ec62 upstream. The dm-integrity target did not report errors in bitmap mode just after creation. The reason is that the function integrity_recalc didn't clean up ic->recalc_bitmap as it proceeded with recalculation. Fix this by updating the bitmap accordingly -- the double shift serves to rounddown. Signed-off-by: Mikulas Patocka Fixes: 468dfca38b1a ("dm integrity: add a bitmap mode") Cc: stable@vger.kernel.org # v5.2+ Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 2c8ee4951f11e18dd328a0e045aa436646cadec0 Author: Mike Snitzer Date: Mon Aug 24 14:19:55 2020 -0400 dm mpath: fix racey management of PG initialization commit c322ee9320eaa4013ca3620b1130992916b19b31 upstream. Commit 935fcc56abc3 ("dm mpath: only flush workqueue when needed") changed flush_multipath_work() to avoid needless workqueue flushing (of a multipath global workqueue). But that change didn't realize the surrounding flush_multipath_work() code should also only run if 'pg_init_in_progress' is set. Fix this by only doing all of flush_multipath_work()'s PG init related work if 'pg_init_in_progress' is set. Otherwise multipath_wait_for_pg_init_completion() will run unconditionally but the preceeding flush_workqueue(kmpath_handlerd) may not. This could lead to deadlock (though only if kmpath_handlerd never runs a corresponding work to decrement 'pg_init_in_progress'). It could also be, though highly unlikely, that the kmpath_handlerd work that does PG init completes before 'pg_init_in_progress' is set, and then an intervening DM table reload's multipath_postsuspend() triggers flush_multipath_work(). Fixes: 935fcc56abc3 ("dm mpath: only flush workqueue when needed") Cc: stable@vger.kernel.org Reported-by: Ben Marzinski Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit cc06bdfc211bec77cd43eeed5f4eed790748667c Author: Mikulas Patocka Date: Mon Aug 24 11:09:47 2020 -0400 dm writecache: handle DAX to partitions on persistent memory correctly commit f9e040efcc28309e5c592f7e79085a9a52e31f58 upstream. The function dax_direct_access doesn't take partitions into account, it always maps pages from the beginning of the device. Therefore, persistent_memory_claim() must get the partition offset using get_start_sect() and add it to the page offsets passed to dax_direct_access(). Signed-off-by: Mikulas Patocka Fixes: 48debafe4f2f ("dm: add writecache target") Cc: stable@vger.kernel.org # 4.18+ Signed-off-by: Mike Snitzer Signed-off-by: Greg Kroah-Hartman commit 67ba86179fc6e67e9a3303918a6cdd1a2a49f6ef Author: Sandeep Raghuraman Date: Thu Aug 27 17:07:33 2020 +0530 drm/amdgpu: Specify get_argument function for ci_smu_funcs commit f7b2e34b4afb8d712913dc199d3292ea9e078637 upstream. Starting in Linux 5.8, the graphics and memory clock frequency were not being reported for CIK cards. This is a regression, since they were reported correctly in Linux 5.7. After investigation, I discovered that the smum_send_msg_to_smc() function, attempts to call the corresponding get_argument() function of ci_smu_funcs. However, the get_argument() function is not defined in ci_smu_funcs. This patch fixes the bug by specifying the correct get_argument() function. Fixes: a0ec225633d9f6 ("drm/amd/powerplay: unified interfaces for message issuing and response checking") Signed-off-by: Sandeep Raghuraman Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit dd8a223d0f5873fe92ebce41adf6a48da026b007 Author: Evan Quan Date: Tue Aug 25 13:51:29 2020 +0800 drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting commit 971df65cbf32da9bc9af52c1196ca504dd316086 upstream. Normally softwareshutdowntemp should be greater than Thotspotlimit. However, on some VEGA10 ASIC, the softwareshutdowntemp is 91C while Thotspotlimit is 105C. This seems not right and may trigger some false alarms. Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 696f8cfee02538d9e84587c6685e534a99cd14a9 Author: Sean Paul Date: Tue Aug 18 11:38:49 2020 -0400 drm/i915: Fix sha_text population code commit 9ab57658a608f879469ffa22b723c4539c05a58f upstream. This patch fixes a few bugs: 1- We weren't taking into account sha_leftovers when adding multiple ksvs to sha_text. As such, we were or'ing the end of ksv[j - 1] with the beginning of ksv[j] 2- In the sha_leftovers == 2 and sha_leftovers == 3 case, bstatus was being placed on the wrong half of sha_text, overlapping the leftover ksv value 3- In the sha_leftovers == 2 case, we need to manually terminate the byte stream with 0x80 since the hardware doesn't have enough room to add it after writing M0 The upside is that all of the HDCP supported HDMI repeaters I could find on Amazon just strip HDCP anyways, so it turns out to be _really_ hard to hit any of these cases without an MST hub, which is not (yet) supported. Oh, and the sha_leftovers == 1 case works perfectly! Fixes: ee5e5e7a5e0f ("drm/i915: Add HDCP framework + base implementation") Cc: Chris Wilson Cc: Ramalingam C Cc: Daniel Vetter Cc: Sean Paul Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Rodrigo Vivi Cc: intel-gfx@lists.freedesktop.org Cc: # v4.17+ Reviewed-by: Ramalingam C Signed-off-by: Sean Paul Signed-off-by: Ramalingam C Link: https://patchwork.freedesktop.org/patch/msgid/20200818153910.27894-2-sean@poorly.run (cherry picked from commit 1f0882214fd0037b74f245d9be75c31516fed040) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 1693c125c0a91e24b1aae5f832a3ad678c7a6e45 Author: Gustavo Pimentel Date: Thu Aug 13 16:14:04 2020 +0200 dmaengine: dw-edma: Fix scatter-gather address calculation commit 05655541c9503bfd01af4e6cbd7f5a29ac748e6c upstream. Fix the source and destination physical address calculation of a peripheral device on scatter-gather implementation. This issue manifested during tests using a 64 bits architecture system. The abnormal behavior wasn't visible before due to all previous tests were done using 32 bits architecture system, that masked his effect. Fixes: e63d79d1ffcd ("dmaengine: Add Synopsys eDMA IP core driver") Cc: stable@vger.kernel.org Signed-off-by: Gustavo Pimentel Link: https://lore.kernel.org/r/8d3ab7e2ba96563fe3495b32f60077fffb85307d.1597327623.git.gustavo.pimentel@synopsys.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 3c761332597d1dc3bc527ba5924f300dc43ae9a2 Author: Tejun Heo Date: Tue Sep 1 14:52:32 2020 -0400 blk-stat: make q->stats->lock irqsafe commit e11d80a849e010f78243bb6f6af7dccef3a71a90 upstream. blk-iocost calls blk_stat_enable_accounting() while holding an irqsafe lock which triggers a lockdep splat because q->stats->lock isn't irqsafe. Let's make it irqsafe. Signed-off-by: Tejun Heo Fixes: cd006509b0a9 ("blk-iocost: account for IO size when testing latencies") Cc: stable@vger.kernel.org # v5.8+ Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 70d22582c3eb6d50c30574019777d546fbd5cc81 Author: Tejun Heo Date: Tue Sep 1 14:52:31 2020 -0400 blk-iocost: ioc_pd_free() shouldn't assume irq disabled commit 5aeac7c4b16069aae49005f0a8d4526baa83341b upstream. ioc_pd_free() grabs irq-safe ioc->lock without ensuring that irq is disabled when it can be called with irq disabled or enabled. This has a small chance of causing A-A deadlocks and triggers lockdep splats. Use irqsave operations instead. Signed-off-by: Tejun Heo Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 57fd9f8eb60389e645256b17fce50b29b0f869ee Author: He Zhe Date: Thu Aug 20 20:54:40 2020 +0800 mips/oprofile: Fix fallthrough placement commit 91dbd73a1739039fa7e9fe5c0169f2817a7f7670 upstream. We want neither " include/linux/compiler_attributes.h:201:41: warning: statement will never be executed [-Wswitch-unreachable] 201 | # define fallthrough __attribute__((__fallthrough__)) | ^~~~~~~~~~~~~ " nor " include/linux/compiler_attributes.h:201:41: warning: attribute 'fallthrough' not preceding a case label or default label 201 | # define fallthrough __attribute__((__fallthrough__)) | ^~~~~~~~~~~~~ " It's not worth adding one more macro. Let's simply place the fallthrough in between the expansions. Fixes: c9b029903466 ("MIPS: Use fallthrough for arch/mips") Cc: stable@vger.kernel.org Signed-off-by: He Zhe Reviewed-by: Gustavo A. R. Silva Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit dea6f05d372a2117b581e17a3638a72d696ac6aa Author: Tejun Heo Date: Wed Sep 2 12:32:45 2020 -0400 libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks commit 3b5455636fe26ea21b4189d135a424a6da016418 upstream. All three generations of Sandisk SSDs lock up hard intermittently. Experiments showed that disabling NCQ lowered the failure rate significantly and the kernel has been disabling NCQ for some models of SD7's and 8's, which is obviously undesirable. Karthik worked with Sandisk to root cause the hard lockups to trim commands larger than 128M. This patch implements ATA_HORKAGE_MAX_TRIM_128M which limits max trim size to 128M and applies it to all three generations of Sandisk SSDs. Signed-off-by: Tejun Heo Cc: Karthik Shivaram Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3264d781e1ad1e0ffc370c1f14d7d68e288ecaa7 Author: Eric Farman Date: Tue Aug 25 03:59:39 2020 +0200 s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig commit 114b9df419bf5db097b322ebb03fcf2f502f9380 upstream. Commit fa686453053b ("sched/rt, s390: Use CONFIG_PREEMPTION") changed a bunch of uses of CONFIG_PREEMPT to _PREEMPTION. Except in the Kconfig it used two T's. That's the only place in the system where that spelling exists, so let's fix that. Fixes: fa686453053b ("sched/rt, s390: Use CONFIG_PREEMPTION") Cc: # 5.6 Signed-off-by: Eric Farman Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit e37bc36aaff38fdf8fafc52bc88ad98ed1ff7a88 Author: Jiufei Xue Date: Tue Sep 1 13:35:02 2020 +0800 io_uring: fix removing the wrong file in __io_sqe_files_update() commit 98dfd5024a2e9e170b85c07078e2d89f20a5dfbd upstream. Index here is already the position of the file in fixed_file_table, we should not use io_file_from_index() again to get it. Otherwise, the wrong file which still in use may be released unexpectedly. Cc: stable@vger.kernel.org # v5.6 Fixes: 05f3fb3c5397 ("io_uring: avoid ring quiesce for fixed file set unregister and update") Signed-off-by: Jiufei Xue Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 329c9ffc81cfb985c6d131e94e6d220d7c1b19ca Author: Jiufei Xue Date: Wed Sep 2 17:59:39 2020 +0800 io_uring: set table->files[i] to NULL when io_sqe_file_register failed commit 95d1c8e5f801e959a89181a2548a3efa60a1a6ce upstream. While io_sqe_file_register() failed in __io_sqe_files_update(), table->files[i] still point to the original file which may freed soon, and that will trigger use-after-free problems. Cc: stable@vger.kernel.org Fixes: f3bd9dae3708 ("io_uring: fix memleak in __io_sqe_files_update()") Signed-off-by: Jiufei Xue Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit a7a42c1e5023cdac2bbc1038689509595d279cd2 Author: Jens Axboe Date: Mon Aug 31 11:20:02 2020 -0600 block: ensure bdi->io_pages is always initialized commit de1b0ee490eafdf65fac9eef9925391a8369f2dc upstream. If a driver leaves the limit settings as the defaults, then we don't initialize bdi->io_pages. This means that file systems may need to work around bdi->io_pages == 0, which is somewhat messy. Initialize the default value just like we do for ->ra_pages. Cc: stable@vger.kernel.org Fixes: 9491ae4aade6 ("mm: don't cap request size based on read-ahead setting") Reported-by: OGAWA Hirofumi Reviewed-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b7df98a8b7b8abce596e9696d5c3183fc4c0019d Author: Ming Lei Date: Mon Aug 17 18:00:55 2020 +0800 block: allow for_each_bvec to support zero len bvec commit 7e24969022cbd61ddc586f14824fc205661bb124 upstream. Block layer usually doesn't support or allow zero-length bvec. Since commit 1bdc76aea115 ("iov_iter: use bvec iterator to implement iterate_bvec()"), iterate_bvec() switches to bvec iterator. However, Al mentioned that 'Zero-length segments are not disallowed' in iov_iter. Fixes for_each_bvec() so that it can move on after seeing one zero length bvec. Fixes: 1bdc76aea115 ("iov_iter: use bvec iterator to implement iterate_bvec()") Reported-by: syzbot Signed-off-by: Ming Lei Tested-by: Tetsuo Handa Cc: Al Viro Cc: Matthew Wilcox Cc: Link: https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg2262077.html Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 2221f41d3fb3ca35f6010a9cc7a4babcd6baa5a0 Author: Max Staudt Date: Thu Aug 27 17:49:00 2020 +0200 affs: fix basic permission bits to actually work commit d3a84a8d0dde4e26bc084b36ffcbdc5932ac85e2 upstream. The basic permission bits (protection bits in AmigaOS) have been broken in Linux' AFFS - it would only set bits, but never delete them. Also, contrary to the documentation, the Archived bit was not handled. Let's fix this for good, and set the bits such that Linux and classic AmigaOS can coexist in the most peaceful manner. Also, update the documentation to represent the current state of things. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: stable@vger.kernel.org Signed-off-by: Max Staudt Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 9af0c46a761293ef04c57f001cc2641d4ec1add3 Author: Sean Young Date: Sat Aug 8 13:19:12 2020 +0200 media: rc: uevent sysfs file races with rc_unregister_device() commit 4f0835d6677dc69263f90f976524cb92b257d9f4 upstream. Only report uevent file contents if device still registered, else we might read freed memory. Reported-by: syzbot+ceef16277388d6f24898@syzkaller.appspotmail.com Cc: Hillf Danton Cc: # 4.16+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit bff924ee40ae3857e7373536fdda203378795e3c Author: Sean Young Date: Sat Aug 8 13:38:02 2020 +0200 media: rc: do not access device via sysfs after rc_unregister_device() commit a2e2d73fa28136598e84db9d021091f1b98cbb1a upstream. Device drivers do not expect to have change_protocol or wakeup re-programming to be accesed after rc_unregister_device(). This can cause the device driver to access deallocated resources. Cc: # 4.16+ Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 91994b8489a38622bbe4267b6e50f74dc9ef5e8e Author: Adrian Hunter Date: Wed Aug 19 15:18:48 2020 +0300 mmc: sdhci-pci: Fix SDHCI_RESET_ALL for CQHCI for Intel GLK-based controllers commit df57d73276b863af1debc48546b0e59e44998a55 upstream. For Intel controllers, SDHCI_RESET_ALL resets also CQHCI registers. Normally, SDHCI_RESET_ALL is not used while CQHCI is enabled, but that can happen on the error path. e.g. if mmc_cqe_recovery() fails, mmc_blk_reset() is called which, for a eMMC that does not support HW Reset, will cycle the bus power and the driver will perform SDHCI_RESET_ALL. So whenever performing SDHCI_RESET_ALL ensure CQHCI is deactivated. That will force the driver to reinitialize CQHCI when it is next used. A similar change was done already for sdhci-msm, and other drivers using CQHCI might benefit from a similar change, if they also have CQHCI reset by SDHCI_RESET_ALL. Fixes: 8ee82bda230fc9 ("mmc: sdhci-pci: Add CQHCI support for Intel GLK") Cc: stable@vger.kernel.org # 5.4.x: 0ffa6cfbd949: mmc: cqhci: Add cqhci_deactivate() Cc: stable@vger.kernel.org # 5.4+ Signed-off-by: Adrian Hunter Link: https://lore.kernel.org/r/20200819121848.16967-1-adrian.hunter@intel.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 88df22892d14d829cfc814c3861360a862e1396a Author: Wenbin Mei Date: Fri Aug 14 09:43:44 2020 +0800 mmc: dt-bindings: Add resets/reset-names for Mediatek MMC bindings commit 65557383191de46611dd3d6b639cbcfbade43c4a upstream. Add description for resets/reset-names. Cc: # v5.4+ Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") Signed-off-by: Wenbin Mei Tested-by: Frank Wunderlich Link: https://lore.kernel.org/r/20200814014346.6496-2-wenbin.mei@mediatek.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit 01263d02f5da6ce7ce0500f5d11015c74598dedb Author: Wenbin Mei Date: Fri Aug 14 09:43:46 2020 +0800 mmc: mediatek: add optional module reset property commit 855d388df217989fbf1f18c781ae6490dbb48e86 upstream. This patch fixs eMMC-Access on mt7622/Bpi-64. Before we got these Errors on mounting eMMC ion R64: [ 48.664925] blk_update_request: I/O error, dev mmcblk0, sector 204800 op 0x1:(WRITE) flags 0x800 phys_seg 1 prio class 0 [ 48.676019] Buffer I/O error on dev mmcblk0p1, logical block 0, lost sync page write This patch adds a optional reset management for msdc. Sometimes the bootloader does not bring msdc register to default state, so need reset the msdc controller. Cc: # v5.4+ Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") Signed-off-by: Wenbin Mei Reviewed-by: Philipp Zabel Tested-by: Frank Wunderlich Link: https://lore.kernel.org/r/20200814014346.6496-4-wenbin.mei@mediatek.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit f8916b54514e06cadf0bddc2f5bbe6aead05f69f Author: Wenbin Mei Date: Fri Aug 14 09:43:45 2020 +0800 arm64: dts: mt7622: add reset node for mmc device commit d6f6cbeee4e5ee6976792851e0461c19f1ede864 upstream. This commit adds reset node for mmc device. Cc: # v5.4+ Fixes: 966580ad236e ("mmc: mediatek: add support for MT7622 SoC") Signed-off-by: Wenbin Mei Tested-by: Frank Wunderlich Acked-by: Matthias Brugger Link: https://lore.kernel.org/r/20200814014346.6496-3-wenbin.mei@mediatek.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit ab90e0d7a9858df3e640ea5e99a0dd2519646b81 Author: Takashi Iwai Date: Thu Sep 3 10:33:00 2020 +0200 ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen commit 6a6660d049f88b89fd9a4b9db3581b245f7782fa upstream. There've been quite a few regression reports about the lowered volume (reduced to ca 65% from the previous level) on Lenovo Thinkpad X1 after the commit d2cd795c4ece ("ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen"). Although the commit itself does the right thing from HD-audio POV in order to have a volume control for bass speakers, it seems that the machine has some secret recipe under the hood. Through experiments, Benjamin Poirier found out that the following routing gives the best result: * DAC1 (NID 0x02) -> Speaker pin (NID 0x14) * DAC2 (NID 0x03) -> Shared by both Bass Speaker pin (NID 0x17) & Headphone pin (0x21) * DAC3 (NID 0x06) -> Unused DAC1 seems to have some equalizer internally applied, and you'd get again the output in a bad quality if you connect this to the headphone pin. Hence the headphone is connected to DAC2, which is now shared with the bass speaker pin. DAC3 has no volume amp, hence it's not connected at all. For achieving the routing above, this patch introduced a couple of workarounds: * The connection list of bass speaker pin (NID 0x17) is reduced not to include DAC3 (NID 0x06) * Pass preferred_pairs array to specify the fixed connection Here, both workarounds are needed because the generic parser prefers the individual DAC assignment over others. When the routing above is applied, the generic parser creates the two volume controls "Front" and "Bass Speaker". Since we have only two DACs for three output pins, those are not fully controlling each output individually, and it would confuse PulseAudio. For avoiding the pitfall, in this patch, we rename those volume controls to some unique ones ("DAC1" and "DAC2"). Then PulseAudio ignore them and concentrate only on the still good-working "Master" volume control. If a user still wants to control each DAC volume, they can still change manually via "DAC1" and "DAC2" volume controls. Fixes: d2cd795c4ece ("ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen") Reported-by: Benjamin Poirier Reviewed-by: Jaroslav Kysela Tested-by: Benjamin Poirier Cc: BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207407#c10 BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3214171 BugLink: https://gist.github.com/hamidzr/dd81e429dc86f4327ded7a2030e7d7d9#gistcomment-3276276 Link: https://lore/kernel.org/r/20200829112746.3118-1-benjamin.poirier@gmail.com Link: https://lore.kernel.org/r/20200903083300.6333-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3695decb777193f82b1a259a69b167cd500159fe Author: Adrien Crivelli Date: Wed Aug 26 17:40:14 2020 +0900 ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A commit 8bcea6cb2cbc1f749e574954569323dec5e2920e upstream. The Galaxy Book Ion NT950XCJ-X716A (15 inches) uses the same ALC298 codec as other Samsung laptops which have the no headphone sound bug. I confirmed on my own hardware that this fixes the bug. This also correct the model name for the 13 inches version. It was incorrectly referenced as NT950XCJ-X716A in commit e17f02d05. But it should have been NP930XCJ-K01US. Fixes: e17f02d0559c ("ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207423 Signed-off-by: Adrien Crivelli Cc: Link: https://lore.kernel.org/r/20200826084014.211217-1-adrien.crivelli@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c1e0aff25b1bfe93126763db3749ae0e2405d5c1 Author: Takashi Sakamoto Date: Sun Aug 23 16:55:37 2020 +0900 ALSA; firewire-tascam: exclude Tascam FE-8 from detection commit 0bd8bce897b6697bbc286b8ba473aa0705fe394b upstream. Tascam FE-8 is known to support communication by asynchronous transaction only. The support can be implemented in userspace application and snd-firewire-ctl-services project has the support. However, ALSA firewire-tascam driver is bound to the model. This commit changes device entries so that the model is excluded. In a commit 53b3ffee7885 ("ALSA: firewire-tascam: change device probing processing"), I addressed to the concern that version field in configuration differs depending on installed firmware. However, as long as I checked, the version number is fixed. It's safe to return version number back to modalias. Fixes: 53b3ffee7885 ("ALSA: firewire-tascam: change device probing processing") Cc: # 4.4+ Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20200823075537.56255-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8e83bd51016a35492c58e28312420e60ba8873f1 Author: Dan Crawford Date: Sat Aug 29 12:49:46 2020 +1000 ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO commit 15cbff3fbbc631952c346744f862fb294504b5e2 upstream. Following Christian Lachner's patch for Gigabyte X570-based motherboards, also patch the MSI X570-A PRO motherboard; the ALC1220 codec requires the same workaround for Clevo laptops to enforce the DAC/mixer connection path. Set up a quirk entry for that. I suspect most if all X570 motherboards will require similar patches. [ The entries reordered in the SSID order -- tiwai ] Related buglink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 Signed-off-by: Dan Crawford Cc: Link: https://lore.kernel.org/r/20200829024946.5691-1-dnlcrwfrd@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 48510be50e879f4e08c970ddf0b9d9ef3f5cc620 Author: Takashi Sakamoto Date: Sun Aug 23 16:55:45 2020 +0900 ALSA: firewire-digi00x: exclude Avid Adrenaline from detection commit acd46a6b6de88569654567810acad2b0a0a25cea upstream. Avid Adrenaline is reported that ALSA firewire-digi00x driver is bound to. However, as long as he investigated, the design of this model is hardly similar to the one of Digi 00x family. It's better to exclude the model from modalias of ALSA firewire-digi00x driver. This commit changes device entries so that the model is excluded. $ python3 crpp < ~/git/am-config-rom/misc/avid-adrenaline.img ROM header and bus information block ----------------------------------------------------------------- 400 04203a9c bus_info_length 4, crc_length 32, crc 15004 404 31333934 bus_name "1394" 408 e064a002 irmc 1, cmc 1, isc 1, bmc 0, cyc_clk_acc 100, max_rec 10 (2048) 40c 00a07e01 company_id 00a07e | 410 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 root directory ----------------------------------------------------------------- 414 0005d08c directory_length 5, crc 53388 418 0300a07e vendor 41c 8100000c --> descriptor leaf at 44c 420 0c008380 node capabilities 424 8d000002 --> eui-64 leaf at 42c 428 d1000004 --> unit directory at 438 eui-64 leaf at 42c ----------------------------------------------------------------- 42c 0002410f leaf_length 2, crc 16655 430 00a07e01 company_id 00a07e | 434 00085257 device_id 0100085257 | EUI-64 00a07e0100085257 unit directory at 438 ----------------------------------------------------------------- 438 0004d6c9 directory_length 4, crc 54985 43c 1200a02d specifier id: 1394 TA 440 13014001 version: Vender Unique and AV/C 444 17000001 model 448 81000009 --> descriptor leaf at 46c descriptor leaf at 44c ----------------------------------------------------------------- 44c 00077205 leaf_length 7, crc 29189 450 00000000 textual descriptor 454 00000000 minimal ASCII 458 41766964 "Avid" 45c 20546563 " Tec" 460 686e6f6c "hnol" 464 6f677900 "ogy" 468 00000000 descriptor leaf at 46c ----------------------------------------------------------------- 46c 000599a5 leaf_length 5, crc 39333 470 00000000 textual descriptor 474 00000000 minimal ASCII 478 41647265 "Adre" 47c 6e616c69 "nali" 480 6e650000 "ne" Reported-by: Simon Wood Fixes: 9edf723fd858 ("ALSA: firewire-digi00x: add skeleton for Digi 002/003 family") Cc: # 4.4+ Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20200823075545.56305-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7554ad2ffdad73a096c8bc824aaa11bbfb379e75 Author: Kai Vehmanen Date: Wed Aug 26 20:03:06 2020 +0300 ALSA: hda/hdmi: always check pin power status in i915 pin fixup commit 858e0ad9301d1270c02b5aca97537d2d6ee9dd68 upstream. When system is suspended with active audio playback to HDMI/DP, two alternative sequences can happen at resume: a) monitor is detected first and ALSA prepare follows normal stream setup sequence, or b) ALSA prepare is called first, but monitor is not yet detected, so PCM is restarted without a pin, In case of (b), on i915 systems, haswell_verify_D0() is not called at resume and the pin power state may be incorrect. Result is lack of audio after resume with no error reported back to user-space. Fix the problem by always verifying converter and pin state in the i915_pin_cvt_fixup(). BugLink: https://github.com/thesofproject/linux/issues/2388 Signed-off-by: Kai Vehmanen Cc: Link: https://lore.kernel.org/r/20200826170306.701566-1-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit db5d1d51bef18119b6a2ccd261ed637abb15c242 Author: Takashi Iwai Date: Tue Sep 1 15:18:02 2020 +0200 ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check commit 949a1ebe8cea7b342085cb6a4946b498306b9493 upstream. The PCM OSS mulaw plugin has a check of the format of the counter part whether it's a linear format. The check is with snd_BUG_ON() that emits WARN_ON() when the debug config is set, and it confuses syzkaller as if it were a serious issue. Let's drop snd_BUG_ON() for avoiding that. While we're at it, correct the error code to a more suitable, EINVAL. Reported-by: syzbot+23b22dc2e0b81cbfcc95@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20200901131802.18157-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dfcfc358e366e1d08d915a8ba89c37ba2fb8d538 Author: Joshua Sivec Date: Tue Aug 25 18:55:18 2020 +0200 ALSA: usb-audio: Add implicit feedback quirk for UR22C commit 7c5b892e0871655fea3294ffac6fa3cc3400b60d upstream. This uses the same quirk as the Motu and SSL2 devices. Tested on the UR22C. Fixes bug 208851. Signed-off-by: Joshua Sivec BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208851 Cc: Link: https://lore.kernel.org/r/20200825165515.8239-1-sivec@posteo.net Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3284ababd0c41a2c2e6b14aa48e98b4a3f62eae7 Author: František Kučera Date: Tue Aug 25 17:31:13 2020 +0200 ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2 commit 14335d8b9e1a2bf006f9d969a103f9731cabb210 upstream. This patch extends support for DJM-250MK2 and allows recording. However, DVS is not possible yet (see the comment in code). Signed-off-by: František Kučera Cc: Link: https://lore.kernel.org/r/20200825153113.6352-1-konference@frantovo.cz Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2c9ba98fec4d4cc5e4963bf78882b08064ab19de Author: Tong Zhang Date: Mon Aug 24 18:45:41 2020 -0400 ALSA: ca0106: fix error code handling commit ee0761d1d8222bcc5c86bf10849dc86cf008557c upstream. snd_ca0106_spi_write() returns 1 on error, snd_ca0106_pcm_power_dac() is returning the error code directly, and the caller is expecting an negative error code Signed-off-by: Tong Zhang Cc: Link: https://lore.kernel.org/r/20200824224541.1260307-1-ztong0001@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 9aa4e2c3da1723b6a286d470c24374c993a25c44 Author: Tiezhu Yang Date: Tue Aug 25 17:39:48 2020 +0800 Revert "ALSA: hda: Add support for Loongson 7A1000 controller" commit eed8f88b109aa927fbf0d0c80ff9f8d00444ca7f upstream. This reverts commit 61eee4a7fc40 ("ALSA: hda: Add support for Loongson 7A1000 controller") to fix the following error on the Loongson LS7A platform: rcu: INFO: rcu_preempt self-detected stall on CPU NMI backtrace for cpu 0 CPU: 0 PID: 68 Comm: kworker/0:2 Not tainted 5.8.0+ #3 Hardware name: , BIOS Workqueue: events azx_probe_work [snd_hda_intel] Call Trace: [] show_stack+0x9c/0x130 [] dump_stack+0xb0/0xf0 [] nmi_cpu_backtrace+0x134/0x140 [] nmi_trigger_cpumask_backtrace+0x190/0x200 [] rcu_dump_cpu_stacks+0x12c/0x190 [] rcu_sched_clock_irq+0xa2c/0xfc8 [] update_process_times+0x2c/0xb8 [] tick_sched_timer+0x40/0xb8 [] __hrtimer_run_queues+0x118/0x1d0 [] hrtimer_interrupt+0x12c/0x2d8 [] c0_compare_interrupt+0x74/0xa0 [] __handle_irq_event_percpu+0xa8/0x198 [] handle_irq_event_percpu+0x30/0x90 [] handle_percpu_irq+0x88/0xb8 [] generic_handle_irq+0x44/0x60 [] do_IRQ+0x18/0x28 [] plat_irq_dispatch+0x64/0x100 [] handle_int+0x140/0x14c [] irq_exit+0xf8/0x100 Because AZX_DRIVER_GENERIC can not work well for Loongson LS7A HDA controller, it needs some workarounds which are not merged into the upstream kernel at this time, so it should revert this patch now. Fixes: 61eee4a7fc40 ("ALSA: hda: Add support for Loongson 7A1000 controller") Cc: # 5.9-rc1+ Signed-off-by: Tiezhu Yang Link: https://lore.kernel.org/r/1598348388-2518-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit df7a510200215117436e51ad59bb051b580207d2 Author: Sasha Levin Date: Mon Sep 7 18:22:33 2020 -0400 x86/mm/32: Bring back vmalloc faulting on x86_32 [ Upstream commit 4819e15f740ec884a50bdc431d7f1e7638b6f7d9 ] One can not simply remove vmalloc faulting on x86-32. Upstream commit: 7f0a002b5a21 ("x86/mm: remove vmalloc faulting") removed it on x86 alltogether because previously the arch_sync_kernel_mappings() interface was introduced. This interface added synchronization of vmalloc/ioremap page-table updates to all page-tables in the system at creation time and was thought to make vmalloc faulting obsolete. But that assumption was incredibly naive. It turned out that there is a race window between the time the vmalloc or ioremap code establishes a mapping and the time it synchronizes this change to other page-tables in the system. During this race window another CPU or thread can establish a vmalloc mapping which uses the same intermediate page-table entries (e.g. PMD or PUD) and does no synchronization in the end, because it found all necessary mappings already present in the kernel reference page-table. But when these intermediate page-table entries are not yet synchronized, the other CPU or thread will continue with a vmalloc address that is not yet mapped in the page-table it currently uses, causing an unhandled page fault and oops like below: BUG: unable to handle page fault for address: fe80c000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page *pde = 33183067 *pte = a8648163 Oops: 0002 [#1] SMP CPU: 1 PID: 13514 Comm: cve-2017-17053 Tainted: G ... Call Trace: ldt_dup_context+0x66/0x80 dup_mm+0x2b3/0x480 copy_process+0x133b/0x15c0 _do_fork+0x94/0x3e0 __ia32_sys_clone+0x67/0x80 __do_fast_syscall_32+0x3f/0x70 do_fast_syscall_32+0x29/0x60 do_SYSENTER_32+0x15/0x20 entry_SYSENTER_32+0x9f/0xf2 EIP: 0xb7eef549 So the arch_sync_kernel_mappings() interface is racy, but removing it would mean to re-introduce the vmalloc_sync_all() interface, which is even more awful. Keep arch_sync_kernel_mappings() in place and catch the race condition in the page-fault handler instead. Do a partial revert of above commit to get vmalloc faulting on x86-32 back in place. Fixes: 7f0a002b5a21 ("x86/mm: remove vmalloc faulting") Reported-by: Naresh Kamboju Signed-off-by: Joerg Roedel Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20200902155904.17544-1-joro@8bytes.org [sl: revert 7f0a002b5a21 instead to restore vmalloc faulting for x86-64] Signed-off-by: Sasha Levin commit 98f0b4072c943e3b9f538792893907ccd3c523d0 Author: Max Chou Date: Thu Jul 23 18:47:42 2020 +0800 Bluetooth: Return NOTIFY_DONE for hci_suspend_notifier [ Upstream commit 24b065727ceba53cc5bec0e725672417154df24f ] The original return is NOTIFY_STOP, but notifier_call_chain would stop the future call for register_pm_notifier even registered on other Kernel modules with the same priority which value is zero. Signed-off-by: Max Chou Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 434ed4233877ce6a74fc9269d168a6b780b4173d Author: Qu Wenruo Date: Tue Aug 25 21:42:51 2020 +0800 btrfs: tree-checker: fix the error message for transid error commit f96d6960abbc52e26ad124e69e6815283d3e1674 upstream. The error message for inode transid is the same as for inode generation, which makes us unable to detect the real problem. Reported-by: Tyler Richmond Fixes: 496245cac57e ("btrfs: tree-checker: Verify inode item") CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Marcos Paulo de Souza Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 6b09009a2eaeebb1b30cefc7aa42688b6b05b891 Author: Marcos Paulo de Souza Date: Fri Aug 21 11:54:44 2020 -0300 btrfs: block-group: fix free-space bitmap threshold commit e3e39c72b99f93bbd0420d38c858e7c4a061bb63 upstream. [BUG] After commit 9afc66498a0b ("btrfs: block-group: refactor how we read one block group item"), cache->length is being assigned after calling btrfs_create_block_group_cache. This causes a problem since set_free_space_tree_thresholds calculates the free-space threshold to decide if the free-space tree should convert from extents to bitmaps. The current code calls set_free_space_tree_thresholds with cache->length being 0, which then makes cache->bitmap_high_thresh zero. This implies the system will always use bitmap instead of extents, which is not desired if the block group is not fragmented. This behavior can be seen by a test that expects to repair systems with FREE_SPACE_EXTENT and FREE_SPACE_BITMAP, but the current code only created FREE_SPACE_BITMAP. [FIX] Call set_free_space_tree_thresholds after setting cache->length. There is now a WARN_ON in set_free_space_tree_thresholds to help preventing the same mistake to happen again in the future. Link: https://github.com/kdave/btrfs-progs/issues/251 Fixes: 9afc66498a0b ("btrfs: block-group: refactor how we read one block group item") CC: stable@vger.kernel.org # 5.8+ Reviewed-by: Qu Wenruo Reviewed-by: Filipe Manana Signed-off-by: Marcos Paulo de Souza Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 6d12fbd0c4b7bb481f581110cd171a908317d585 Author: Josef Bacik Date: Mon Aug 10 11:42:31 2020 -0400 btrfs: set the lockdep class for log tree extent buffers commit d3beaa253fd6fa40b8b18a216398e6e5376a9d21 upstream. These are special extent buffers that get rewound in order to lookup the state of the tree at a specific point in time. As such they do not go through the normal initialization paths that set their lockdep class, so handle them appropriately when they are created and before they are locked. CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 7ad3d8ad569c622746dc613243c1471eeb425e2c Author: Josef Bacik Date: Mon Aug 10 11:42:30 2020 -0400 btrfs: set the correct lockdep class for new nodes commit ad24466588ab7d7c879053c5afd919b0c555fec0 upstream. When flipping over to the rw_semaphore I noticed I'd get a lockdep splat in replace_path(), which is weird because we're swapping the reloc root with the actual target root. Turns out this is because we're using the root->root_key.objectid as the root id for the newly allocated tree block when setting the lockdep class, however we need to be using the actual owner of this new block, which is saved in owner. The affected path is through btrfs_copy_root as all other callers of btrfs_alloc_tree_block (which calls init_new_buffer) have root_objectid == root->root_key.objectid . CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Filipe Manana Reviewed-by: Nikolay Borisov Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 42a2fbd05773c04448b9da401ae42b049ee43cce Author: Josef Bacik Date: Mon Aug 10 11:42:29 2020 -0400 btrfs: allocate scrub workqueues outside of locks commit e89c4a9c8e6ce3a84cab4f342687d3fbbb1234eb upstream. I got the following lockdep splat while testing: ====================================================== WARNING: possible circular locking dependency detected 5.8.0-rc7-00172-g021118712e59 #932 Not tainted ------------------------------------------------------ btrfs/229626 is trying to acquire lock: ffffffff828513f0 (cpu_hotplug_lock){++++}-{0:0}, at: alloc_workqueue+0x378/0x450 but task is already holding lock: ffff889dd3889518 (&fs_info->scrub_lock){+.+.}-{3:3}, at: btrfs_scrub_dev+0x11c/0x630 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #7 (&fs_info->scrub_lock){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 btrfs_scrub_dev+0x11c/0x630 btrfs_dev_replace_by_ioctl.cold.21+0x10a/0x1d4 btrfs_ioctl+0x2799/0x30a0 ksys_ioctl+0x83/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #6 (&fs_devs->device_list_mutex){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 btrfs_run_dev_stats+0x49/0x480 commit_cowonly_roots+0xb5/0x2a0 btrfs_commit_transaction+0x516/0xa60 sync_filesystem+0x6b/0x90 generic_shutdown_super+0x22/0x100 kill_anon_super+0xe/0x30 btrfs_kill_super+0x12/0x20 deactivate_locked_super+0x29/0x60 cleanup_mnt+0xb8/0x140 task_work_run+0x6d/0xb0 __prepare_exit_to_usermode+0x1cc/0x1e0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #5 (&fs_info->tree_log_mutex){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 btrfs_commit_transaction+0x4bb/0xa60 sync_filesystem+0x6b/0x90 generic_shutdown_super+0x22/0x100 kill_anon_super+0xe/0x30 btrfs_kill_super+0x12/0x20 deactivate_locked_super+0x29/0x60 cleanup_mnt+0xb8/0x140 task_work_run+0x6d/0xb0 __prepare_exit_to_usermode+0x1cc/0x1e0 do_syscall_64+0x5c/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #4 (&fs_info->reloc_mutex){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 btrfs_record_root_in_trans+0x43/0x70 start_transaction+0xd1/0x5d0 btrfs_dirty_inode+0x42/0xd0 touch_atime+0xa1/0xd0 btrfs_file_mmap+0x3f/0x60 mmap_region+0x3a4/0x640 do_mmap+0x376/0x580 vm_mmap_pgoff+0xd5/0x120 ksys_mmap_pgoff+0x193/0x230 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #3 (&mm->mmap_lock#2){++++}-{3:3}: __might_fault+0x68/0x90 _copy_to_user+0x1e/0x80 perf_read+0x141/0x2c0 vfs_read+0xad/0x1b0 ksys_read+0x5f/0xe0 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #2 (&cpuctx_mutex){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 perf_event_init_cpu+0x88/0x150 perf_event_init+0x1db/0x20b start_kernel+0x3ae/0x53c secondary_startup_64+0xa4/0xb0 -> #1 (pmus_lock){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 perf_event_init_cpu+0x4f/0x150 cpuhp_invoke_callback+0xb1/0x900 _cpu_up.constprop.26+0x9f/0x130 cpu_up+0x7b/0xc0 bringup_nonboot_cpus+0x4f/0x60 smp_init+0x26/0x71 kernel_init_freeable+0x110/0x258 kernel_init+0xa/0x103 ret_from_fork+0x1f/0x30 -> #0 (cpu_hotplug_lock){++++}-{0:0}: __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 cpus_read_lock+0x39/0xb0 alloc_workqueue+0x378/0x450 __btrfs_alloc_workqueue+0x15d/0x200 btrfs_alloc_workqueue+0x51/0x160 scrub_workers_get+0x5a/0x170 btrfs_scrub_dev+0x18c/0x630 btrfs_dev_replace_by_ioctl.cold.21+0x10a/0x1d4 btrfs_ioctl+0x2799/0x30a0 ksys_ioctl+0x83/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 other info that might help us debug this: Chain exists of: cpu_hotplug_lock --> &fs_devs->device_list_mutex --> &fs_info->scrub_lock Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&fs_info->scrub_lock); lock(&fs_devs->device_list_mutex); lock(&fs_info->scrub_lock); lock(cpu_hotplug_lock); *** DEADLOCK *** 2 locks held by btrfs/229626: #0: ffff88bfe8bb86e0 (&fs_devs->device_list_mutex){+.+.}-{3:3}, at: btrfs_scrub_dev+0xbd/0x630 #1: ffff889dd3889518 (&fs_info->scrub_lock){+.+.}-{3:3}, at: btrfs_scrub_dev+0x11c/0x630 stack backtrace: CPU: 15 PID: 229626 Comm: btrfs Kdump: loaded Not tainted 5.8.0-rc7-00172-g021118712e59 #932 Hardware name: Quanta Tioga Pass Single Side 01-0030993006/Tioga Pass Single Side, BIOS F08_3A18 12/20/2018 Call Trace: dump_stack+0x78/0xa0 check_noncircular+0x165/0x180 __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 ? alloc_workqueue+0x378/0x450 cpus_read_lock+0x39/0xb0 ? alloc_workqueue+0x378/0x450 alloc_workqueue+0x378/0x450 ? rcu_read_lock_sched_held+0x52/0x80 __btrfs_alloc_workqueue+0x15d/0x200 btrfs_alloc_workqueue+0x51/0x160 scrub_workers_get+0x5a/0x170 btrfs_scrub_dev+0x18c/0x630 ? start_transaction+0xd1/0x5d0 btrfs_dev_replace_by_ioctl.cold.21+0x10a/0x1d4 btrfs_ioctl+0x2799/0x30a0 ? do_sigaction+0x102/0x250 ? lockdep_hardirqs_on_prepare+0xca/0x160 ? _raw_spin_unlock_irq+0x24/0x30 ? trace_hardirqs_on+0x1c/0xe0 ? _raw_spin_unlock_irq+0x24/0x30 ? do_sigaction+0x102/0x250 ? ksys_ioctl+0x83/0xc0 ksys_ioctl+0x83/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This happens because we're allocating the scrub workqueues under the scrub and device list mutex, which brings in a whole host of other dependencies. Because the work queue allocation is done with GFP_KERNEL, it can trigger reclaim, which can lead to a transaction commit, which in turns needs the device_list_mutex, it can lead to a deadlock. A different problem for which this fix is a solution. Fix this by moving the actual allocation outside of the scrub lock, and then only take the lock once we're ready to actually assign them to the fs_info. We'll now have to cleanup the workqueues in a few more places, so I've added a helper to do the refcount dance to safely free the workqueues. CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 26cf893236fd879d4452403cb96bd84e587254d5 Author: Josef Bacik Date: Mon Aug 10 11:42:27 2020 -0400 btrfs: fix potential deadlock in the search ioctl commit a48b73eca4ceb9b8a4b97f290a065335dbcd8a04 upstream. With the conversion of the tree locks to rwsem I got the following lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 5.8.0-rc7-00165-g04ec4da5f45f-dirty #922 Not tainted ------------------------------------------------------ compsize/11122 is trying to acquire lock: ffff889fabca8768 (&mm->mmap_lock#2){++++}-{3:3}, at: __might_fault+0x3e/0x90 but task is already holding lock: ffff889fe720fe40 (btrfs-fs-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x39/0x180 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (btrfs-fs-00){++++}-{3:3}: down_write_nested+0x3b/0x70 __btrfs_tree_lock+0x24/0x120 btrfs_search_slot+0x756/0x990 btrfs_lookup_inode+0x3a/0xb4 __btrfs_update_delayed_inode+0x93/0x270 btrfs_async_run_delayed_root+0x168/0x230 btrfs_work_helper+0xd4/0x570 process_one_work+0x2ad/0x5f0 worker_thread+0x3a/0x3d0 kthread+0x133/0x150 ret_from_fork+0x1f/0x30 -> #1 (&delayed_node->mutex){+.+.}-{3:3}: __mutex_lock+0x9f/0x930 btrfs_delayed_update_inode+0x50/0x440 btrfs_update_inode+0x8a/0xf0 btrfs_dirty_inode+0x5b/0xd0 touch_atime+0xa1/0xd0 btrfs_file_mmap+0x3f/0x60 mmap_region+0x3a4/0x640 do_mmap+0x376/0x580 vm_mmap_pgoff+0xd5/0x120 ksys_mmap_pgoff+0x193/0x230 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #0 (&mm->mmap_lock#2){++++}-{3:3}: __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 __might_fault+0x68/0x90 _copy_to_user+0x1e/0x80 copy_to_sk.isra.32+0x121/0x300 search_ioctl+0x106/0x200 btrfs_ioctl_tree_search_v2+0x7b/0xf0 btrfs_ioctl+0x106f/0x30a0 ksys_ioctl+0x83/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 other info that might help us debug this: Chain exists of: &mm->mmap_lock#2 --> &delayed_node->mutex --> btrfs-fs-00 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(btrfs-fs-00); lock(&delayed_node->mutex); lock(btrfs-fs-00); lock(&mm->mmap_lock#2); *** DEADLOCK *** 1 lock held by compsize/11122: #0: ffff889fe720fe40 (btrfs-fs-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x39/0x180 stack backtrace: CPU: 17 PID: 11122 Comm: compsize Kdump: loaded Not tainted 5.8.0-rc7-00165-g04ec4da5f45f-dirty #922 Hardware name: Quanta Tioga Pass Single Side 01-0030993006/Tioga Pass Single Side, BIOS F08_3A18 12/20/2018 Call Trace: dump_stack+0x78/0xa0 check_noncircular+0x165/0x180 __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 ? __might_fault+0x3e/0x90 ? find_held_lock+0x72/0x90 __might_fault+0x68/0x90 ? __might_fault+0x3e/0x90 _copy_to_user+0x1e/0x80 copy_to_sk.isra.32+0x121/0x300 ? btrfs_search_forward+0x2a6/0x360 search_ioctl+0x106/0x200 btrfs_ioctl_tree_search_v2+0x7b/0xf0 btrfs_ioctl+0x106f/0x30a0 ? __do_sys_newfstat+0x5a/0x70 ? ksys_ioctl+0x83/0xc0 ksys_ioctl+0x83/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x50/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The problem is we're doing a copy_to_user() while holding tree locks, which can deadlock if we have to do a page fault for the copy_to_user(). This exists even without my locking changes, so it needs to be fixed. Rework the search ioctl to do the pre-fault and then copy_to_user_nofault for the copying. CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 5e85cae6cd52ad2eac3ff6e0bcaeff0311208989 Author: Josef Bacik Date: Mon Aug 10 11:42:26 2020 -0400 btrfs: drop path before adding new uuid tree entry commit 9771a5cf937129307d9f58922d60484d58ababe7 upstream. With the conversion of the tree locks to rwsem I got the following lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 5.8.0-rc7-00167-g0d7ba0c5b375-dirty #925 Not tainted ------------------------------------------------------ btrfs-uuid/7955 is trying to acquire lock: ffff88bfbafec0f8 (btrfs-root-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x39/0x180 but task is already holding lock: ffff88bfbafef2a8 (btrfs-uuid-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x39/0x180 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #1 (btrfs-uuid-00){++++}-{3:3}: down_read_nested+0x3e/0x140 __btrfs_tree_read_lock+0x39/0x180 __btrfs_read_lock_root_node+0x3a/0x50 btrfs_search_slot+0x4bd/0x990 btrfs_uuid_tree_add+0x89/0x2d0 btrfs_uuid_scan_kthread+0x330/0x390 kthread+0x133/0x150 ret_from_fork+0x1f/0x30 -> #0 (btrfs-root-00){++++}-{3:3}: __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 down_read_nested+0x3e/0x140 __btrfs_tree_read_lock+0x39/0x180 __btrfs_read_lock_root_node+0x3a/0x50 btrfs_search_slot+0x4bd/0x990 btrfs_find_root+0x45/0x1b0 btrfs_read_tree_root+0x61/0x100 btrfs_get_root_ref.part.50+0x143/0x630 btrfs_uuid_tree_iterate+0x207/0x314 btrfs_uuid_rescan_kthread+0x12/0x50 kthread+0x133/0x150 ret_from_fork+0x1f/0x30 other info that might help us debug this: Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(btrfs-uuid-00); lock(btrfs-root-00); lock(btrfs-uuid-00); lock(btrfs-root-00); *** DEADLOCK *** 1 lock held by btrfs-uuid/7955: #0: ffff88bfbafef2a8 (btrfs-uuid-00){++++}-{3:3}, at: __btrfs_tree_read_lock+0x39/0x180 stack backtrace: CPU: 73 PID: 7955 Comm: btrfs-uuid Kdump: loaded Not tainted 5.8.0-rc7-00167-g0d7ba0c5b375-dirty #925 Hardware name: Quanta Tioga Pass Single Side 01-0030993006/Tioga Pass Single Side, BIOS F08_3A18 12/20/2018 Call Trace: dump_stack+0x78/0xa0 check_noncircular+0x165/0x180 __lock_acquire+0x1272/0x2310 lock_acquire+0x9e/0x360 ? __btrfs_tree_read_lock+0x39/0x180 ? btrfs_root_node+0x1c/0x1d0 down_read_nested+0x3e/0x140 ? __btrfs_tree_read_lock+0x39/0x180 __btrfs_tree_read_lock+0x39/0x180 __btrfs_read_lock_root_node+0x3a/0x50 btrfs_search_slot+0x4bd/0x990 btrfs_find_root+0x45/0x1b0 btrfs_read_tree_root+0x61/0x100 btrfs_get_root_ref.part.50+0x143/0x630 btrfs_uuid_tree_iterate+0x207/0x314 ? btree_readpage+0x20/0x20 btrfs_uuid_rescan_kthread+0x12/0x50 kthread+0x133/0x150 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x1f/0x30 This problem exists because we have two different rescan threads, btrfs_uuid_scan_kthread which creates the uuid tree, and btrfs_uuid_tree_iterate that goes through and updates or deletes any out of date roots. The problem is they both do things in different order. btrfs_uuid_scan_kthread() reads the tree_root, and then inserts entries into the uuid_root. btrfs_uuid_tree_iterate() scans the uuid_root, but then does a btrfs_get_fs_root() which can read from the tree_root. It's actually easy enough to not be holding the path in btrfs_uuid_scan_kthread() when we add a uuid entry, as we already drop it further down and re-start the search when we loop. So simply move the path release before we add our entry to the uuid tree. This also fixes a problem where we're holding a path open after we do btrfs_end_transaction(), which has it's own problems. CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit be69bb0282644ab4bde4ee4b672af17fce1c975a Author: Mike Rapoport Date: Fri Aug 28 19:39:02 2020 +0300 arc: fix memory initialization for systems with two memory banks commit 4af22ded0ecf23adea1b26ea264c53f9f1cfc310 upstream. Rework of memory map initialization broke initialization of ARC systems with two memory banks. Before these changes, memblock was not aware of nodes configuration and the memory map was always allocated from the "lowmem" bank. After the addition of node information to memblock, the core mm attempts to allocate the memory map for the "highmem" bank from its node. The access to this memory using __va() fails because it can be only accessed using kmap. Anther problem that was uncovered is that {min,max}_high_pfn are calculated from u64 high_mem_start variable which prevents truncation to 32-bit physical address and the PFN values are above the node and zone boundaries. Use phys_addr_t type for high_mem_start and high_mem_size to ensure correspondence between PFNs and highmem zone boundaries and reserve the entire highmem bank until mem_init() to avoid accesses to it before highmem is enabled. To test this: 1. Enable HIGHMEM in ARC config 2. Enable 2 memory banks in haps_hs.dts (uncomment the 2nd bank) Fixes: 51930df5801e ("mm: free_area_init: allow defining max_zone_pfn in descending order") Cc: stable@vger.kernel.org [5.8] Signed-off-by: Mike Rapoport Signed-off-by: Vineet Gupta [vgupta: added instructions to test highmem] Signed-off-by: Greg Kroah-Hartman commit ec96b4b7514c6687a3d095e342275126c4922e95 Author: Vineet Gupta Date: Sun Jul 26 21:51:59 2020 -0700 ARC: perf: don't bail setup if pct irq missing in device-tree commit feb92d7d3813456c11dce215b3421801a78a8986 upstream. Current code inadventely bails if hardware supports sampling/overflow interrupts, but the irq is missing from device tree. | | # perf stat -e cycles,instructions,major-faults,minor-faults ../hackbench | Running with 10 groups 400 process | Time: 0.921 | | Performance counter stats for '../hackbench': | | cycles | instructions | 0 major-faults | 8679 minor-faults This need not be as we can still do simple counting based perf stat. This unborks perf on HSDK-4xD Cc: Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 7d5026dcd36278888f268c1189ff57c6d6df104f Author: Mikulas Patocka Date: Sat Sep 5 08:13:02 2020 -0400 xfs: don't update mtime on COW faults commit b17164e258e3888d376a7434415013175d637377 upstream. When running in a dax mode, if the user maps a page with MAP_PRIVATE and PROT_WRITE, the xfs filesystem would incorrectly update ctime and mtime when the user hits a COW fault. This breaks building of the Linux kernel. How to reproduce: 1. extract the Linux kernel tree on dax-mounted xfs filesystem 2. run make clean 3. run make -j12 4. run make -j12 at step 4, make would incorrectly rebuild the whole kernel (although it was already built in step 3). The reason for the breakage is that almost all object files depend on objtool. When we run objtool, it takes COW page fault on its .data section, and these faults will incorrectly update the timestamp of the objtool binary. The updated timestamp causes make to rebuild the whole tree. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9c12f371a2ce2994fde0b515e880e139a65773e7 Author: Mikulas Patocka Date: Sat Sep 5 08:12:01 2020 -0400 ext2: don't update mtime on COW faults commit 1ef6ea0efe8e68d0299dad44c39dc6ad9e5d1f39 upstream. When running in a dax mode, if the user maps a page with MAP_PRIVATE and PROT_WRITE, the ext2 filesystem would incorrectly update ctime and mtime when the user hits a COW fault. This breaks building of the Linux kernel. How to reproduce: 1. extract the Linux kernel tree on dax-mounted ext2 filesystem 2. run make clean 3. run make -j12 4. run make -j12 at step 4, make would incorrectly rebuild the whole kernel (although it was already built in step 3). The reason for the breakage is that almost all object files depend on objtool. When we run objtool, it takes COW page fault on its .data section, and these faults will incorrectly update the timestamp of the objtool binary. The updated timestamp causes make to rebuild the whole tree. Signed-off-by: Mikulas Patocka Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4e99722219f4341fd4ff6f130d4391b2d2d8e0f4 Author: Andy Lutomirski Date: Wed Sep 2 15:25:51 2020 +0200 x86/debug: Allow a single level of #DB recursion commit d5c678aed5eddb944b8e7ce451b107b39245962d upstream. Trying to clear DR7 around a #DB from usermode malfunctions if the tasks schedules when delivering SIGTRAP. Rather than trying to define a special no-recursion region, just allow a single level of recursion. The same mechanism is used for NMI, and it hasn't caused any problems yet. Fixes: 9f58fdde95c9 ("x86/db: Split out dr6/7 handling") Reported-by: Kyle Huey Debugged-by: Josh Poimboeuf Signed-off-by: Andy Lutomirski Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Thomas Gleixner Tested-by: Daniel Thompson Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/8b9bd05f187231df008d48cf818a6a311cbd5c98.1597882384.git.luto@kernel.org Link: https://lore.kernel.org/r/20200902133200.726584153@infradead.org Signed-off-by: Greg Kroah-Hartman commit 231508fa9a6d038565c7bd6654200350ce2f7548 Author: Peter Zijlstra Date: Wed Sep 2 15:25:50 2020 +0200 x86/entry: Fix AC assertion commit 662a0221893a3d58aa72719671844264306f6e4b upstream. The WARN added in commit 3c73b81a9164 ("x86/entry, selftests: Further improve user entry sanity checks") unconditionally triggers on a IVB machine because it does not support SMAP. For !SMAP hardware the CLAC/STAC instructions are patched out and thus if userspace sets AC, it is still have set after entry. Fixes: 3c73b81a9164 ("x86/entry, selftests: Further improve user entry sanity checks") Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Thomas Gleixner Tested-by: Daniel Thompson Acked-by: Andy Lutomirski Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200902133200.666781610@infradead.org Signed-off-by: Greg Kroah-Hartman commit f76c4eab5ce9f082ca9629488f1083748a721a65 Author: Vamshi K Sthambamkadi Date: Fri Aug 28 17:02:46 2020 +0530 tracing/kprobes, x86/ptrace: Fix regs argument order for i386 commit 2356bb4b8221d7dc8c7beb810418122ed90254c9 upstream. On i386, the order of parameters passed on regs is eax,edx,and ecx (as per regparm(3) calling conventions). Change the mapping in regs_get_kernel_argument(), so that arg1=ax arg2=dx, and arg3=cx. Running the selftests testcase kprobes_args_use.tc shows the result as passed. Fixes: 3c88ee194c28 ("x86: ptrace: Add function argument access API") Signed-off-by: Vamshi K Sthambamkadi Signed-off-by: Borislav Petkov Acked-by: Masami Hiramatsu Acked-by: Peter Zijlstra (Intel) Cc: Link: https://lkml.kernel.org/r/20200828113242.GA1424@cosmos Signed-off-by: Greg Kroah-Hartman commit 98176c9f3a770c30ab2701fcdb952bbe684db6cf Author: Chris Wilson Date: Sat Aug 22 17:02:09 2020 +0100 iommu/vt-d: Handle 36bit addressing for x86-32 commit 29aaebbca4abc4cceb38738483051abefafb6950 upstream. Beware that the address size for x86-32 may exceed unsigned long. [ 0.368971] UBSAN: shift-out-of-bounds in drivers/iommu/intel/iommu.c:128:14 [ 0.369055] shift exponent 36 is too large for 32-bit type 'long unsigned int' If we don't handle the wide addresses, the pages are mismapped and the device read/writes go astray, detected as DMAR faults and leading to device failure. The behaviour changed (from working to broken) in commit fa954e683178 ("iommu/vt-d: Delegate the dma domain to upper layer"), but the error looks older. Fixes: fa954e683178 ("iommu/vt-d: Delegate the dma domain to upper layer") Signed-off-by: Chris Wilson Acked-by: Lu Baolu Cc: James Sewart Cc: Lu Baolu Cc: Joerg Roedel Cc: # v5.3+ Link: https://lore.kernel.org/r/20200822160209.28512-1-chris@chris-wilson.co.uk Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit c93d26ef17b44a95aa4f711fdb6ba16fcce58049 Author: Jason Gunthorpe Date: Fri Sep 4 16:36:19 2020 -0700 include/linux/log2.h: add missing () around n in roundup_pow_of_two() [ Upstream commit 428fc0aff4e59399ec719ffcc1f7a5d29a4ee476 ] Otherwise gcc generates warnings if the expression is complicated. Fixes: 312a0c170945 ("[PATCH] LOG2: Alter roundup_pow_of_two() so that it can use a ilog2() on a constant") Signed-off-by: Jason Gunthorpe Signed-off-by: Andrew Morton Link: https://lkml.kernel.org/r/0-v1-8a2697e3c003+41165-log_brackets_jgg@nvidia.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 03ca1f09ab1ff47a24777c13f9bd161394122f41 Author: Or Cohen Date: Thu Sep 3 21:05:28 2020 -0700 net/packet: fix overflow in tpacket_rcv [ Upstream commit acf69c946233259ab4d64f8869d4037a198c7f06 ] Using tp_reserve to calculate netoff can overflow as tp_reserve is unsigned int and netoff is unsigned short. This may lead to macoff receving a smaller value then sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr is set, an out-of-bounds write will occur when calling virtio_net_hdr_from_skb. The bug is fixed by converting netoff to unsigned int and checking if it exceeds USHRT_MAX. This addresses CVE-2020-14386 Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Signed-off-by: Or Cohen Signed-off-by: Eric Dumazet Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 4437dfb7777db4e25d98e141403493336d1801c0 Author: Suravee Suthikulpanit Date: Thu Sep 3 09:38:22 2020 +0000 iommu/amd: Use cmpxchg_double() when updating 128-bit IRTE [ Upstream commit e52d58d54a321d4fe9d0ecdabe4f8774449f0d6e ] When using 128-bit interrupt-remapping table entry (IRTE) (a.k.a GA mode), current driver disables interrupt remapping when it updates the IRTE so that the upper and lower 64-bit values can be updated safely. However, this creates a small window, where the interrupt could arrive and result in IO_PAGE_FAULT (for interrupt) as shown below. IOMMU Driver Device IRQ ============ =========== irte.RemapEn=0 ... change IRTE IRQ from device ==> IO_PAGE_FAULT !! ... irte.RemapEn=1 This scenario has been observed when changing irq affinity on a system running I/O-intensive workload, in which the destination APIC ID in the IRTE is updated. Instead, use cmpxchg_double() to update the 128-bit IRTE at once without disabling the interrupt remapping. However, this means several features, which require GA (128-bit IRTE) support will also be affected if cmpxchg16b is not supported (which is unprecedented for AMD processors w/ IOMMU). Fixes: 880ac60e2538 ("iommu/amd: Introduce interrupt remapping ops structure") Reported-by: Sean Osborne Signed-off-by: Suravee Suthikulpanit Tested-by: Erik Rockstrom Reviewed-by: Joao Martins Link: https://lore.kernel.org/r/20200903093822.52012-3-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6b0caba5205506450fa6f685eb176fb70abcbfc3 Author: Suravee Suthikulpanit Date: Thu Sep 3 09:38:21 2020 +0000 iommu/amd: Restore IRTE.RemapEn bit after programming IRTE [ Upstream commit 26e495f341075c09023ba16dee9a7f37a021e745 ] Currently, the RemapEn (valid) bit is accidentally cleared when programming IRTE w/ guestMode=0. It should be restored to the prior state. Fixes: b9fc6b56f478 ("iommu/amd: Implements irq_set_vcpu_affinity() hook to setup vapic mode for pass-through devices") Signed-off-by: Suravee Suthikulpanit Reviewed-by: Joao Martins Link: https://lore.kernel.org/r/20200903093822.52012-2-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 2551a138792a25f1820a995865814ae5435e6fd1 Author: Veera Vegivada Date: Wed Jul 29 09:52:51 2020 -0700 thermal: qcom-spmi-temp-alarm: Don't suppress negative temp [ Upstream commit 0ffdab6f2dea9e23ec33230de24e492ff0b186d9 ] Currently driver is suppressing the negative temperature readings from the vadc. Consumers of the thermal zones need to read the negative temperature too. Don't suppress the readings. Fixes: c610afaa21d3c6e ("thermal: Add QPNP PMIC temperature alarm driver") Signed-off-by: Veera Vegivada Signed-off-by: Guru Das Srinagesh Reviewed-by: Stephen Boyd Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/944856eb819081268fab783236a916257de120e4.1596040416.git.gurus@codeaurora.org Signed-off-by: Sasha Levin commit 7da369acd79f7361489c022b0a694501bbe48ec9 Author: Tony Lindgren Date: Mon Jul 6 11:33:38 2020 -0700 thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430 [ Upstream commit 30d24faba0532d6972df79a1bf060601994b5873 ] We can sometimes get bogus thermal shutdowns on omap4430 at least with droid4 running idle with a battery charger connected: thermal thermal_zone0: critical temperature reached (143 C), shutting down Dumping out the register values shows we can occasionally get a 0x7f value that is outside the TRM listed values in the ADC conversion table. And then we get a normal value when reading again after that. Reading the register multiple times does not seem help avoiding the bogus values as they stay until the next sample is ready. Looking at the TRM chapter "18.4.10.2.3 ADC Codes Versus Temperature", we should have values from 13 to 107 listed with a total of 95 values. But looking at the omap4430_adc_to_temp array, the values are off, and the end values are missing. And it seems that the 4430 ADC table is similar to omap3630 rather than omap4460. Let's fix the issue by using values based on the omap3630 table and just ignoring invalid values. Compared to the 4430 TRM, the omap3630 table has the missing values added while the TRM table only shows every second value. Note that sometimes the ADC register values within the valid table can also be way off for about 1 out of 10 values. But it seems that those just show about 25 C too low values rather than too high values. So those do not cause a bogus thermal shutdown. Fixes: 1a31270e54d7 ("staging: omap-thermal: add OMAP4 data structures") Cc: Merlijn Wajer Cc: Pavel Machek Cc: Sebastian Reichel Signed-off-by: Tony Lindgren Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200706183338.25622-1-tony@atomide.com Signed-off-by: Sasha Levin commit 7583c56d90928e752c5573bcb9ea2d30f9f25c63 Author: Lu Baolu Date: Fri Aug 28 08:06:15 2020 +0800 iommu/vt-d: Serialize IOMMU GCMD register modifications [ Upstream commit 6e4e9ec65078093165463c13d4eb92b3e8d7b2e8 ] The VT-d spec requires (10.4.4 Global Command Register, GCMD_REG General Description) that: If multiple control fields in this register need to be modified, software must serialize the modifications through multiple writes to this register. However, in irq_remapping.c, modifications of IRE and CFI are done in one write. We need to do two separate writes with STS checking after each. It also checks the status register before writing command register to avoid unnecessary register write. Fixes: af8d102f999a4 ("x86/intel/irq_remapping: Clean up x2apic opt-out security warning mess") Signed-off-by: Lu Baolu Reviewed-by: Kevin Tian Cc: Andy Lutomirski Cc: Jacob Pan Cc: Kevin Tian Cc: Ashok Raj Link: https://lore.kernel.org/r/20200828000615.8281-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit a9c41d6214a8d49bf79914db61c3f6484c2e3720 Author: Huang Ying Date: Fri Sep 4 14:10:47 2020 +0800 x86, fakenuma: Fix invalid starting node ID [ Upstream commit ccae0f36d500aef727f98acd8d0601e6b262a513 ] Commit: cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability") uses "-1" as the starting node ID, which causes the strange kernel log as follows, when "numa=fake=32G" is added to the kernel command line: Faking node -1 at [mem 0x0000000000000000-0x0000000893ffffff] (35136MB) Faking node 0 at [mem 0x0000001840000000-0x000000203fffffff] (32768MB) Faking node 1 at [mem 0x0000000894000000-0x000000183fffffff] (64192MB) Faking node 2 at [mem 0x0000002040000000-0x000000283fffffff] (32768MB) Faking node 3 at [mem 0x0000002840000000-0x000000303fffffff] (32768MB) And finally the kernel crashes: BUG: Bad page state in process swapper pfn:00011 page:(____ptrval____) refcount:0 mapcount:1 mapping:(____ptrval____) index:0x55cd7e44b270 pfn:0x11 failed to read mapping contents, not a valid kernel address? flags: 0x5(locked|uptodate) raw: 0000000000000005 000055cd7e44af30 000055cd7e44af50 0000000100000006 raw: 000055cd7e44b270 000055cd7e44b290 0000000000000000 000055cd7e44b510 page dumped because: page still charged to cgroup page->mem_cgroup:000055cd7e44b510 Modules linked in: CPU: 0 PID: 0 Comm: swapper Not tainted 5.9.0-rc2 #1 Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019 Call Trace: dump_stack+0x57/0x80 bad_page.cold+0x63/0x94 __free_pages_ok+0x33f/0x360 memblock_free_all+0x127/0x195 mem_init+0x23/0x1f5 start_kernel+0x219/0x4f5 secondary_startup_64+0xb6/0xc0 Fix this bug via using 0 as the starting node ID. This restores the original behavior before cc9aec03e58f. [ mingo: Massaged the changelog. ] Fixes: cc9aec03e58f ("x86/numa_emulation: Introduce uniform split capability") Signed-off-by: "Huang, Ying" Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20200904061047.612950-1-ying.huang@intel.com Signed-off-by: Sasha Levin commit abbb183229ac70f87ebd86b3407b7c5be44967f3 Author: Michael Chan Date: Thu Sep 3 14:28:54 2020 -0400 tg3: Fix soft lockup when tg3_reset_task() fails. [ Upstream commit 556699341efa98243e08e34401b3f601da91f5a3 ] If tg3_reset_task() fails, the device state is left in an inconsistent state with IFF_RUNNING still set but NAPI state not enabled. A subsequent operation, such as ifdown or AER error can cause it to soft lock up when it tries to disable NAPI state. Fix it by bringing down the device to !IFF_RUNNING state when tg3_reset_task() fails. tg3_reset_task() running from workqueue will now call tg3_close() when the reset fails. We need to modify tg3_reset_task_cancel() slightly to avoid tg3_close() calling cancel_work_sync() to cancel tg3_reset_task(). Otherwise cancel_work_sync() will wait forever for tg3_reset_task() to finish. Reported-by: David Christensen Reported-by: Baptiste Covolato Fixes: db2199737990 ("tg3: Schedule at most one tg3_reset_task run") Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 594adc1bda7ab94a739702f0382667045c80c2a8 Author: YueHaibing Date: Wed Sep 2 22:05:26 2020 +0800 perf bench: The do_run_multi_threaded() function must use IS_ERR(perf_session__new()) [ Upstream commit e4d71f79cf5c10fa8bc6f5d3bebea570c9c438f1 ] In case of error, the function perf_session__new() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR() Committer notes: This wasn't compiling due to an extraneous '{' not matched by a '}', fix it. Fixes: 13edc237200c ("perf bench: Add a multi-threaded synthesize benchmark") Signed-off-by: YueHaibing Cc: Alexander Shishkin Cc: Ian Rogers Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20200902140526.26916-1-yuehaibing@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit f42f9c0d115eb30b16e4efb7c0ba5bd42194c306 Author: Jin Yao Date: Thu Sep 3 09:01:13 2020 +0800 perf stat: Turn off summary for interval mode by default [ Upstream commit ee6a961432e75393bd69bf70ba70bad90396fa82 ] There's a risk that outputting interval mode summaries by default breaks CSV consumers. It already broke pmu-tools/toplev. So now we turn off the summary by default but we create a new option '--summary' to enable the summary. This is active even when not using CSV mode. Before: root@kbl-ppc:~# perf stat -I1000 --interval-count 2 # time counts unit events 1.000265904 8,005.73 msec cpu-clock # 8.006 CPUs utilized 1.000265904 601 context-switches # 0.075 K/sec 1.000265904 10 cpu-migrations # 0.001 K/sec 1.000265904 0 page-faults # 0.000 K/sec 1.000265904 66,746,521 cycles # 0.008 GHz 1.000265904 71,874,398 instructions # 1.08 insn per cycle 1.000265904 13,356,781 branches # 1.668 M/sec 1.000265904 298,756 branch-misses # 2.24% of all branches 2.001857667 8,012.52 msec cpu-clock # 8.013 CPUs utilized 2.001857667 164 context-switches # 0.020 K/sec 2.001857667 10 cpu-migrations # 0.001 K/sec 2.001857667 2 page-faults # 0.000 K/sec 2.001857667 5,822,188 cycles # 0.001 GHz 2.001857667 2,186,170 instructions # 0.38 insn per cycle 2.001857667 442,378 branches # 0.055 M/sec 2.001857667 44,750 branch-misses # 10.12% of all branches Performance counter stats for 'system wide': 16,018.25 msec cpu-clock # 7.993 CPUs utilized 765 context-switches # 0.048 K/sec 20 cpu-migrations # 0.001 K/sec 2 page-faults # 0.000 K/sec 72,568,709 cycles # 0.005 GHz 74,060,568 instructions # 1.02 insn per cycle 13,799,159 branches # 0.861 M/sec 343,506 branch-misses # 2.49% of all branches 2.004118489 seconds time elapsed After: root@kbl-ppc:~# perf stat -I1000 --interval-count 2 # time counts unit events 1.001336393 8,013.28 msec cpu-clock # 8.013 CPUs utilized 1.001336393 82 context-switches # 0.010 K/sec 1.001336393 8 cpu-migrations # 0.001 K/sec 1.001336393 0 page-faults # 0.000 K/sec 1.001336393 4,199,121 cycles # 0.001 GHz 1.001336393 1,373,991 instructions # 0.33 insn per cycle 1.001336393 270,681 branches # 0.034 M/sec 1.001336393 31,659 branch-misses # 11.70% of all branches 2.003905006 8,020.52 msec cpu-clock # 8.021 CPUs utilized 2.003905006 184 context-switches # 0.023 K/sec 2.003905006 8 cpu-migrations # 0.001 K/sec 2.003905006 2 page-faults # 0.000 K/sec 2.003905006 5,446,190 cycles # 0.001 GHz 2.003905006 2,312,547 instructions # 0.42 insn per cycle 2.003905006 451,691 branches # 0.056 M/sec 2.003905006 37,925 branch-misses # 8.40% of all branches root@kbl-ppc:~# perf stat -I1000 --interval-count 2 --summary # time counts unit events 1.001313128 8,013.20 msec cpu-clock # 8.013 CPUs utilized 1.001313128 83 context-switches # 0.010 K/sec 1.001313128 8 cpu-migrations # 0.001 K/sec 1.001313128 0 page-faults # 0.000 K/sec 1.001313128 4,470,950 cycles # 0.001 GHz 1.001313128 1,440,045 instructions # 0.32 insn per cycle 1.001313128 283,222 branches # 0.035 M/sec 1.001313128 33,576 branch-misses # 11.86% of all branches 2.003857385 8,020.34 msec cpu-clock # 8.020 CPUs utilized 2.003857385 154 context-switches # 0.019 K/sec 2.003857385 8 cpu-migrations # 0.001 K/sec 2.003857385 2 page-faults # 0.000 K/sec 2.003857385 4,515,676 cycles # 0.001 GHz 2.003857385 2,180,449 instructions # 0.48 insn per cycle 2.003857385 435,254 branches # 0.054 M/sec 2.003857385 31,179 branch-misses # 7.16% of all branches Performance counter stats for 'system wide': 16,033.53 msec cpu-clock # 7.992 CPUs utilized 237 context-switches # 0.015 K/sec 16 cpu-migrations # 0.001 K/sec 2 page-faults # 0.000 K/sec 8,986,626 cycles # 0.001 GHz 3,620,494 instructions # 0.40 insn per cycle 718,476 branches # 0.045 M/sec 64,755 branch-misses # 9.01% of all branches 2.006124542 seconds time elapsed Fixes: c7e5b328a8d4 ("perf stat: Report summary for interval mode") Signed-off-by: Jin Yao Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20200903010113.32232-1-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit c58ff4b470e8ed3b687cc9bed866b8b2aff6502e Author: Namhyung Kim Date: Fri Sep 4 00:25:10 2020 +0900 perf jevents: Fix suspicious code in fixregex() [ Upstream commit e62458e3940eb3dfb009481850e140fbee183b04 ] The new string should have enough space for the original string and the back slashes IMHO. Fixes: fbc2844e84038ce3 ("perf vendor events: Use more flexible pattern matching for CPU identification for mapfile.csv") Signed-off-by: Namhyung Kim Reviewed-by: Ian Rogers Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: John Garry Cc: Kajol Jain Cc: Mark Rutland Cc: Peter Zijlstra Cc: Stephane Eranian Cc: William Cohen Link: http://lore.kernel.org/lkml/20200903152510.489233-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 62a5784285bf6705b8d459cd60dc26e71f962f3c Author: Darrick J. Wong Date: Wed Sep 2 10:47:02 2020 -0700 xfs: fix xfs_bmap_validate_extent_raw when checking attr fork of rt files [ Upstream commit d0c20d38af135b2b4b90aa59df7878ef0c8fbef4 ] The realtime flag only applies to the data fork, so don't use the realtime block number checks on the attr fork of a realtime file. Fixes: 30b0984d9117 ("xfs: refactor bmap record validation") Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Sasha Levin commit c10fa9458aa6a937e80e3ca741e420b159364c88 Author: Thomas Bogendoerfer Date: Wed Sep 2 23:32:14 2020 +0200 MIPS: SNI: Fix SCSI interrupt [ Upstream commit baf5cb30fbd1c22f6aa03c081794c2ee0f5be4da ] On RM400(a20r) machines ISA and SCSI interrupts share the same interrupt line. Commit 49e6e07e3c80 ("MIPS: pass non-NULL dev_id on shared request_irq()") accidently dropped the IRQF_SHARED bit, which breaks registering SCSI interrupt. Put back IRQF_SHARED and add dev_id for ISA interrupt. Fixes: 49e6e07e3c80 ("MIPS: pass non-NULL dev_id on shared request_irq()") Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit b5c901d96a596a20fe97d85690acf23e85d6b857 Author: Huang Pei Date: Tue Sep 1 14:53:09 2020 +0800 MIPS: add missing MSACSR and upper MSA initialization [ Upstream commit bb06748207cfb1502d11b90325eba7f8c44c9f02 ] In cc97ab235f3f ("MIPS: Simplify FP context initialization), init_fp_ctx just initialize the fp/msa context, and own_fp_inatomic just restore FCSR and 64bit FP regs from it, but miss MSACSR and upper MSA regs for MSA, so MSACSR and MSA upper regs's value from previous task on current cpu can leak into current task and cause unpredictable behavior when MSA context not initialized. Fixes: cc97ab235f3f ("MIPS: Simplify FP context initialization") Signed-off-by: Huang Pei Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 6aef739073384ea855cf694f3c5d43a5a8872141 Author: Dan Murphy Date: Wed Sep 2 14:27:04 2020 -0500 net: dp83867: Fix WoL SecureOn password [ Upstream commit 8b4a11c67da538504d60ae917ffe5254f59b1248 ] Fix the registers being written to as the values were being over written when writing the same registers. Fixes: caabee5b53f5 ("net: phy: dp83867: support Wake on LAN") Signed-off-by: Dan Murphy Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d7983d7b64c46be8fdc24ea861227660855c61a5 Author: Louis Peens Date: Wed Sep 2 17:04:58 2020 +0200 nfp: flower: fix ABI mismatch between driver and firmware [ Upstream commit f614e536704d37326b0975da9cc33dd61d28c378 ] Fix an issue where the driver wrongly detected ipv6 neighbour updates from the NFP as corrupt. Add a reserved field on the kernel side so it is similar to the ipv4 version of the struct and has space for the extra bytes from the card. Fixes: 9ea9bfa12240 ("nfp: flower: support ipv6 tunnel keep-alive messages from fw") Signed-off-by: Louis Peens Signed-off-by: Simon Horman Acked-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5c9f765dcd4ef92b285cd4312cf07a09cfc8cb02 Author: Dan Carpenter Date: Wed Sep 2 14:56:31 2020 +0300 net: gemini: Fix another missing clk_disable_unprepare() in probe [ Upstream commit eb0f3bc463d59d86402f19c59aa44e82dc3fab6d ] We recently added some calls to clk_disable_unprepare() but we missed the last error path if register_netdev() fails. I made a couple cleanups so we avoid mistakes like this in the future. First I reversed the "if (!ret)" condition and pulled the code in one indent level. Also, the "port->netdev = NULL;" is not required because "port" isn't used again outside this function so I deleted that line. Fixes: 4d5ae32f5e1e ("net: ethernet: Add a driver for Gemini gigabit ethernet") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f555d57c8f1b9a6ebe959e690632ff7db173c576 Author: Denis Efremov Date: Wed Sep 2 14:18:45 2020 +0300 net: bcmgenet: fix mask check in bcmgenet_validate_flow() [ Upstream commit 1996cf46e4673a25ef2478eb266714f409a98221 ] VALIDATE_MASK(eth_mask->h_source) is checked twice in a row in bcmgenet_validate_flow(). Add VALIDATE_MASK(eth_mask->h_dest) instead. Fixes: 3e370952287c ("net: bcmgenet: add support for ethtool rxnfc flows") Signed-off-by: Denis Efremov Acked-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 41e233bd64127d95ba4c3fbca69dd790e02c0517 Author: Al Viro Date: Wed Sep 2 11:30:48 2020 -0400 fix regression in "epoll: Keep a reference on files added to the check list" [ Upstream commit 77f4689de17c0887775bb77896f4cc11a39bf848 ] epoll_loop_check_proc() can run into a file already committed to destruction; we can't grab a reference on those and don't need to add them to the set for reverse path check anyway. Tested-by: Marc Zyngier Fixes: a9ed4a6560b8 ("epoll: Keep a reference on files added to the check list") Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 3cdbbaca16813c45efdd15a53aff96f411baefcc Author: Shung-Hsi Yu Date: Mon Aug 31 22:37:09 2020 +0800 net: ethernet: mlx4: Fix memory allocation in mlx4_buddy_init() [ Upstream commit cbedcb044e9cc4e14bbe6658111224bb923094f4 ] On machines with much memory (> 2 TByte) and log_mtts_per_seg == 0, a max_order of 31 will be passed to mlx_buddy_init(), which results in s = BITS_TO_LONGS(1 << 31) becoming a negative value, leading to kvmalloc_array() failure when it is converted to size_t. mlx4_core 0000:b1:00.0: Failed to initialize memory region table, aborting mlx4_core: probe of 0000:b1:00.0 failed with error -12 Fix this issue by changing the left shifting operand from a signed literal to an unsigned one. Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Signed-off-by: Shung-Hsi Yu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5a48e463f50a0a393613c45b1a2e83a2fc172ba4 Author: Al Grant Date: Tue Sep 1 12:10:14 2020 -0300 perf tools: Correct SNOOPX field offset [ Upstream commit 39c0a53b114d0317e5c4e76b631f41d133af5cb0 ] perf_event.h has macros that define the field offsets in the data_src bitmask in perf records. The SNOOPX and REMOTE offsets were both 37. These are distinct fields, and the bitfield layout in perf_mem_data_src confirms that SNOOPX should be at offset 38. Committer notes: This was extracted from a larger patch that also contained kernel changes. Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings") Signed-off-by: Al Grant Reviewed-by: Andi Kleen Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/9974f2d0-bf7f-518e-d9f7-4520e5ff1bb0@foss.arm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit f4b9594e02d587d23908cf12322f2a7e322f080b Author: Al Grant Date: Wed Aug 19 16:47:51 2020 +0800 perf intel-pt: Fix corrupt data after perf inject from [ Upstream commit a347306fbec5dcaf7c276777b11d530eab6a4526 ] Commit 42bbabed09ce6208 ("perf tools: Add hw_idx in struct branch_stack") changed the format of branch stacks in perf samples. When samples use this new format, a flag must be set in the corresponding event. Synthesized branch stacks generated from Intel PT were using the new format, but not setting the event attribute, leading to consumers seeing corrupt data. This patch fixes the issue by setting the event attribute to indicate use of the new format. Fixes: 42bbabed09ce6208 ("perf tools: Add hw_idx in struct branch_stack") Signed-off-by: Al Grant Acked-by: Adrian Hunter Reviewed-by: Mathieu Poirier Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Kan Liang Cc: Leo Yan Cc: Mark Rutland Cc: Mike Leach Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Suzuki Poulouse Cc: linux-arm-kernel@lists.infradead.org Link: http://lore.kernel.org/lkml/20200819084751.17686-2-leo.yan@linaro.org Signed-off-by: Leo Yan Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 7ea241e7a0a2faba1534faf63e6b40f72e8dee47 Author: Al Grant Date: Wed Aug 19 16:47:50 2020 +0800 perf cs-etm: Fix corrupt data after perf inject from [ Upstream commit f5f8e7e55fbdb4fdddec73518e23c48083108fbb ] Commit 42bbabed09ce6208 ("perf tools: Add hw_idx in struct branch_stack") changed the format of branch stacks in perf samples. When samples use this new format, a flag must be set in the corresponding event. Synthesized branch stacks generated from CoreSight ETM trace were using the new format, but not setting the event attribute, leading to consumers seeing corrupt data. This patch fixes the issue by setting the event attribute to indicate use of the new format. Fixes: 42bbabed09ce6208 ("perf tools: Add hw_idx in struct branch_stack") Signed-off-by: Al Grant Reviewed-by: Andrea Brunato Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Kan Liang Cc: Mark Rutland Cc: Mathieu Poirier Cc: Mike Leach Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Suzuki Poulouse Cc: linux-arm-kernel@lists.infradead.org Signed-off-by: Leo Yan Link: http://lore.kernel.org/lkml/20200819084751.17686-1-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 8a435d33c26140ce5731241321b69ca40476ab41 Author: Arnaldo Carvalho de Melo Date: Mon Aug 31 16:17:00 2020 -0300 perf top/report: Fix infinite loop in the TUI for grouped events [ Upstream commit d4ccbacb9c217fefb4332a9af81b785690cf1053 ] For a while we need to have a dummy event for doing things like receiving PERF_RECORD_COMM, PERF_RECORD_EXEC, etc for threads being created and dying while we synthesize the pre-existing ones at tool start. This 'dummy' event is needed for keeping track of thread lifetime events early in the session but are uninteresting otherwise, i.e. no need to have it in a initial events menu for the non-grouped case, i.e. for: # perf top -e cycles,instructions or even for plain: # perf top When 'cycles' and that 'dummy' event are in place. The code to remove that 'dummy' event ended up creating an endless loop for the grouped case, i.e.: # perf top -e '{cycles,instructions}' Fix it. Fixes: bee9ca1c8a237ca1 ("perf report TUI: Remove needless 'dummy' event from menu") Cc: Adrian Hunter Cc: Ian Rogers Cc: Jiri Olsa Cc: Namhyung Kim Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 692d0626557451c4b557397f20b7394b612d0289 Author: Christoph Hellwig Date: Tue Sep 1 11:59:41 2020 +0200 block: fix locking in bdev_del_partition [ Upstream commit 08fc1ab6d748ab1a690fd483f41e2938984ce353 ] We need to hold the whole device bd_mutex to protect against other thread concurrently deleting out partition before we get to it, and thus causing a use after free. Fixes: cddae808aeb7 ("block: pass a hd_struct to delete_partition") Reported-by: syzbot+6448f3c229bc52b82f69@syzkaller.appspotmail.com Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bbb1dc4431b0c37eca621a2d618c8d3c1276e5a9 Author: Tiezhu Yang Date: Thu Aug 27 16:03:08 2020 +0800 MIPS: perf: Fix wrong check condition of Loongson event IDs [ Upstream commit a231995700c392c0807da95deea231b23fc51a3c ] According to the user's manual chapter 8.2.1 of Loongson 3A2000 CPU [1] and 3A3000 CPU [2], we should take some event IDs such as 274, 358, 359 and 360 as valid in the check condition, otherwise they are recognized as "not supported", fix it. [1] http://www.loongson.cn/uploadfile/cpu/3A2000/Loongson3A2000_user2.pdf [2] http://www.loongson.cn/uploadfile/cpu/3A3000/Loongson3A3000_3B3000user2.pdf Fixes: e9dfbaaeef1c ("MIPS: perf: Add hardware perf events support for new Loongson-3") Signed-off-by: Tiezhu Yang Acked-by: Huang Pei Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 89639c177d048fc2209e296f924b6cac80ff1922 Author: Grygorii Strashko Date: Sun Aug 30 20:34:32 2020 +0300 net: ethernet: ti: am65-cpsw: fix rmii 100Mbit link mode [ Upstream commit c2f89219f559502c9292d79f695bab9dcec532d1 ] In RMII link mode it's required to set bit 15 IFCTL_A in MAC_SL MAC_CONTROL register to enable support for 100Mbit link speed. Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Grygorii Strashko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit eec98f743e40872647ed2c2879b34f86158f34a3 Author: Potnuri Bharat Teja Date: Fri Aug 28 21:14:40 2020 +0530 cxgb4: fix thermal zone device registration [ Upstream commit 6b6382a857d824c0866056d5736bbcb597a922ed ] When multiple adapters are present in the system, pci hot-removing second adapter leads to the following warning as both the adapters registered thermal zone device with same thermal zone name/type. Therefore, use unique thermal zone name during thermal zone device initialization. Also mark thermal zone dev NULL once unregistered. [ 414.370143] ------------[ cut here ]------------ [ 414.370944] sysfs group 'power' not found for kobject 'hwmon0' [ 414.371747] WARNING: CPU: 9 PID: 2661 at fs/sysfs/group.c:281 sysfs_remove_group+0x76/0x80 [ 414.382550] CPU: 9 PID: 2661 Comm: bash Not tainted 5.8.0-rc6+ #33 [ 414.383593] Hardware name: Supermicro X10SRA-F/X10SRA-F, BIOS 2.0a 06/23/2016 [ 414.384669] RIP: 0010:sysfs_remove_group+0x76/0x80 [ 414.385738] Code: 48 89 df 5b 5d 41 5c e9 d8 b5 ff ff 48 89 df e8 60 b0 ff ff eb cb 49 8b 14 24 48 8b 75 00 48 c7 c7 90 ae 13 bb e8 6a 27 d0 ff <0f> 0b 5b 5d 41 5c c3 0f 1f 00 0f 1f 44 00 00 48 85 f6 74 31 41 54 [ 414.388404] RSP: 0018:ffffa22bc080fcb0 EFLAGS: 00010286 [ 414.389638] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 [ 414.390829] RDX: 0000000000000001 RSI: ffff8ee2de3e9510 RDI: ffff8ee2de3e9510 [ 414.392064] RBP: ffffffffbaef2ee0 R08: 0000000000000000 R09: 0000000000000000 [ 414.393224] R10: 0000000000000000 R11: 000000002b30006c R12: ffff8ee260720008 [ 414.394388] R13: ffff8ee25e0a40e8 R14: ffffa22bc080ff08 R15: ffff8ee2c3be5020 [ 414.395661] FS: 00007fd2a7171740(0000) GS:ffff8ee2de200000(0000) knlGS:0000000000000000 [ 414.396825] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 414.398011] CR2: 00007f178ffe5020 CR3: 000000084c5cc003 CR4: 00000000003606e0 [ 414.399172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 414.400352] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 414.401473] Call Trace: [ 414.402685] device_del+0x89/0x400 [ 414.403819] device_unregister+0x16/0x60 [ 414.405024] hwmon_device_unregister+0x44/0xa0 [ 414.406112] thermal_remove_hwmon_sysfs+0x196/0x200 [ 414.407256] thermal_zone_device_unregister+0x1b5/0x1f0 [ 414.408415] cxgb4_thermal_remove+0x3c/0x4f [cxgb4] [ 414.409668] remove_one+0x212/0x290 [cxgb4] [ 414.410875] pci_device_remove+0x36/0xb0 [ 414.412004] device_release_driver_internal+0xe2/0x1c0 [ 414.413276] pci_stop_bus_device+0x64/0x90 [ 414.414433] pci_stop_and_remove_bus_device_locked+0x16/0x30 [ 414.415609] remove_store+0x75/0x90 [ 414.416790] kernfs_fop_write+0x114/0x1b0 [ 414.417930] vfs_write+0xcf/0x210 [ 414.419059] ksys_write+0xa7/0xe0 [ 414.420120] do_syscall_64+0x4c/0xa0 [ 414.421278] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 414.422335] RIP: 0033:0x7fd2a686afd0 [ 414.423396] Code: Bad RIP value. [ 414.424549] RSP: 002b:00007fffc1446148 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 414.425638] RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd2a686afd0 [ 414.426830] RDX: 0000000000000002 RSI: 00007fd2a7196000 RDI: 0000000000000001 [ 414.427927] RBP: 00007fd2a7196000 R08: 000000000000000a R09: 00007fd2a7171740 [ 414.428923] R10: 00007fd2a7171740 R11: 0000000000000246 R12: 00007fd2a6b43400 [ 414.430082] R13: 0000000000000002 R14: 0000000000000001 R15: 0000000000000000 [ 414.431027] irq event stamp: 76300 [ 414.435678] ---[ end trace 13865acb4d5ab00f ]--- Fixes: b18719157762 ("cxgb4: Add thermal zone support") Signed-off-by: Potnuri Bharat Teja Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e5d5c3b4e4a27ba8b36401d019c37c61e4e45a8c Author: Viresh Kumar Date: Mon Aug 31 13:03:06 2020 +0530 opp: Don't drop reference for an OPP table that was never parsed [ Upstream commit 922ff0759a16299e24cacfc981ac07914d8f1826 ] dev_pm_opp_remove_table() should drop a reference to the OPP table only if the DT OPP table was parsed earlier with a call to dev_pm_opp_of_add_table() earlier. Else it may end up dropping the reference to the OPP table, which was added as a result of other calls like dev_pm_opp_set_clkname(). And would hence result in undesirable behavior later on when caller would try to free the resource again. Fixes: 03758d60265c ("opp: Replace list_kref with a local counter") Reported-by: Naresh Kamboju Reported-by: Anders Roxell Tested-by: Naresh Kamboju Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 3484b664521d5060a911b333d10059af578edde2 Author: Florian Westphal Date: Wed Aug 26 00:07:18 2020 +0200 netfilter: conntrack: do not auto-delete clash entries on reply [ Upstream commit c46172147ebbeb70094db48d76ab7945d96c638b ] Its possible that we have more than one packet with the same ct tuple simultaneously, e.g. when an application emits n packets on same UDP socket from multiple threads. NAT rules might be applied to those packets. With the right set of rules, n packets will be mapped to m destinations, where at least two packets end up with the same destination. When this happens, the existing clash resolution may merge the skb that is processed after the first has been received with the identical tuple already in hash table. However, its possible that this identical tuple is a NAT_CLASH tuple. In that case the second skb will be sent, but no reply can be received since the reply that is processed first removes the NAT_CLASH tuple. Do not auto-delete, this gives a 1 second window for replies to be passed back to originator. Packets that are coming later (udp stream case) will not be affected: they match the original ct entry, not a NAT_CLASH one. Also prevent NAT_CLASH entries from getting offloaded. Fixes: 6a757c07e51f ("netfilter: conntrack: allow insertion of clashing entries") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 4aa6128188fb3684db58490364af147db8b02020 Author: Keith Busch Date: Wed Aug 26 10:53:04 2020 -0700 nvme: fix controller instance leak [ Upstream commit 192f6c29bb28bfd0a17e6ad331d09f1ec84143d0 ] If the driver has to unbind from the controller for an early failure before the subsystem has been set up, there won't be a subsystem holding the controller's instance, so the controller needs to free its own instance in this case. Fixes: 733e4b69d508d ("nvme: Assign subsys instance from first ctrl") Signed-off-by: Keith Busch Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit db8c729bca37919fbe21536af5f484a9580f1136 Author: Christophe JAILLET Date: Fri Aug 21 09:58:19 2020 +0200 nvmet-fc: Fix a missed _irqsave version of spin_lock in 'nvmet_fc_fod_op_done()' [ Upstream commit 70e37988db94aba607d5491a94f80ba08e399b6b ] The way 'spin_lock()' and 'spin_lock_irqsave()' are used is not consistent in this function. Use 'spin_lock_irqsave()' also here, as there is no guarantee that interruptions are disabled at that point, according to surrounding code. Fixes: a97ec51b37ef ("nvmet_fc: Rework target side abort handling") Signed-off-by: Christophe JAILLET Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg Signed-off-by: Sasha Levin commit 4b5158a2f6b79fb8c1a8157712917ae81b41a68b Author: Pablo Neira Ayuso Date: Sun Aug 23 13:55:36 2020 +0200 netfilter: nfnetlink: nfnetlink_unicast() reports EAGAIN instead of ENOBUFS [ Upstream commit ee921183557af39c1a0475f982d43b0fcac25e2e ] Frontend callback reports EAGAIN to nfnetlink to retry a command, this is used to signal that module autoloading is required. Unfortunately, nlmsg_unicast() reports EAGAIN in case the receiver socket buffer gets full, so it enters a busy-loop. This patch updates nfnetlink_unicast() to turn EAGAIN into ENOBUFS and to use nlmsg_unicast(). Remove the flags field in nfnetlink_unicast() since this is always MSG_DONTWAIT in the existing code which is exactly what nlmsg_unicast() passes to netlink_unicast() as parameter. Fixes: 96518518cc41 ("netfilter: add nftables") Reported-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e8df547c81d0ce5ad2d7a6d34a6cf07490902948 Author: Landen Chao Date: Thu Aug 27 17:15:47 2020 +0800 net: dsa: mt7530: fix advertising unsupported 1000baseT_Half [ Upstream commit f272285f6abb9178d029375599626baf3d5f4e8a ] Remove 1000baseT_Half to advertise correct hardware capability in phylink_validate() callback function. Fixes: 38f790a80560 ("net: dsa: mt7530: Add support for port 5") Signed-off-by: Landen Chao Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cbd84d8ef3e95c1fdbf97e1b5736423694cbf471 Author: Jesper Dangaard Brouer Date: Wed Aug 26 10:17:36 2020 +0200 selftests/bpf: Fix massive output from test_maps [ Upstream commit fa4505675e093e895b7ec49a76d44f6b5ad9602e ] When stdout output from the selftests tool 'test_maps' gets redirected into e.g file or pipe, then the output lines increase a lot (from 21 to 33949 lines). This is caused by the printf that happens before the fork() call, and there are user-space buffered printf data that seems to be duplicated into the forked process. To fix this fflush() stdout before the fork loop in __run_parallel(). Fixes: 1a97cf1fe503 ("selftests/bpf: speedup test_maps") Signed-off-by: Jesper Dangaard Brouer Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/159842985651.1050885.2154399297503372406.stgit@firesoul Signed-off-by: Sasha Levin commit 991ca061590244551e8f18bdc339019a9b9547a8 Author: Jacopo Mondi Date: Mon Jun 22 18:43:52 2020 +0200 media: i2c: imx214: select V4L2_FWNODE [ Upstream commit bca82e3557ee1fbfbdacb09033a2d81ac76c86eb ] After the recent conversion of the media build infrastructure to select V4L2 components instead of depending on their presence, which took place in: 32a363d0b0b14 ("media: Kconfig files: use select for V4L2 subdevs and MC") imx214 stands out as being the (only?) media I2C driver that still depends on a V4L2 core symbol instead of selecting it. This confuses the build system which claims it has detected a circular dependency when other drivers select the same symbol as the imx214 driver does. drivers/media/i2c/Kconfig:728:error: recursive dependency detected! drivers/media/i2c/Kconfig:728: symbol VIDEO_IMX214 depends on V4L2_FWNODE drivers/media/v4l2-core/Kconfig:71: symbol V4L2_FWNODE is selected by VIDEO_BCM2835_UNICAM drivers/media/platform/bcm2835/Kconfig:3: symbol VIDEO_BCM2835_UNICAM depends on VIDEO_V4L2_SUBDEV_API drivers/media/v4l2-core/Kconfig:19: symbol VIDEO_V4L2_SUBDEV_API depends on MEDIA_CONTROLLER drivers/media/Kconfig:168: symbol MEDIA_CONTROLLER is selected by VIDEO_IMX214 Fix this by making the imx214 driver select V4L2_FWNODE instead of depending on it and align it with all the other drivers. Fixes: 32a363d0b0b14 ("media: Kconfig files: use select for V4L2 subdevs and MC") Reviewed-by: Laurent Pinchart Signed-off-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 404f3f27b087eecd052a9577c2815c812b6a684e Author: Murali Karicheri Date: Thu Aug 27 10:38:39 2020 -0400 net: ethernet: ti: cpsw_new: fix error handling in cpsw_ndo_vlan_rx_kill_vid() [ Upstream commit af8ea111134624855710a0ef5543b871d49b0162 ] This patch fixes a bunch of issues in cpsw_ndo_vlan_rx_kill_vid() - pm_runtime_get_sync() returns non zero value. This results in non zero value return to caller which will be interpreted as error. So overwrite ret with zero. - If VID matches with port VLAN VID, then set error code. - Currently when VLAN interface is deleted, all of the VLAN mc addresses are removed from ALE table, however the return values from ale function calls are not checked. These functions can return error code -ENOENT. But that shouldn't happen in a normal case. So add error print to catch the situations so that these can be investigated and addressed. return zero in these cases as these are not real error case, but only serve to catch ALE table update related issues and help address the same in the driver. Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac") Signed-off-by: Murali Karicheri Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b3b321d44175f8b9b942d3cbee827bcf84ce7bd6 Author: Ezequiel Garcia Date: Thu Aug 13 21:18:33 2020 +0200 media: cedrus: Add missing v4l2_ctrl_request_hdl_put() [ Upstream commit b30063976f29fc221a99d18d37d22ca035068aa9 ] The check for a required control in the request was missing a call to v4l2_ctrl_request_hdl_put() in the error path. Fix it. Fixes: 50e761516f2b8c ("media: platform: Add Cedrus VPU decoder driver") Signed-off-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 60e9f3f036f340e7bcc181526788f5945151ae0f Author: Hans Verkuil Date: Wed Aug 12 12:30:33 2020 +0200 media: vicodec: add missing v4l2_ctrl_request_hdl_put() [ Upstream commit 2e7c8fb8942773f412fe12f3b63e8bb92c18ab3f ] The check for a required control in the request was missing a call to v4l2_ctrl_request_hdl_put(), so the control request object was never released. Signed-off-by: Hans Verkuil Fixes: 997deb811bf5 ("media: vicodec: Add support for stateless decoder.") Reviewed-by: Ezequiel Garcia Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 72c7309533b464484375a1b15186c2e8c34dc40f Author: Jakub Kicinski Date: Wed Aug 26 12:40:07 2020 -0700 bnxt: don't enable NAPI until rings are ready [ Upstream commit 96ecdcc992eb7f468b2cf829b0f5408a1fad4668 ] Netpoll can try to poll napi as soon as napi_enable() is called. It crashes trying to access a doorbell which is still NULL: BUG: kernel NULL pointer dereference, address: 0000000000000000 CPU: 59 PID: 6039 Comm: ethtool Kdump: loaded Tainted: G S 5.9.0-rc1-00469-g5fd99b5d9950-dirty #26 RIP: 0010:bnxt_poll+0x121/0x1c0 Code: c4 20 44 89 e0 5b 5d 41 5c 41 5d 41 5e 41 5f c3 41 8b 86 a0 01 00 00 41 23 85 18 01 00 00 49 8b 96 a8 01 00 00 0d 00 00 00 24 <89> 02 41 f6 45 77 02 74 cb 49 8b ae d8 01 00 00 31 c0 c7 44 24 1a netpoll_poll_dev+0xbd/0x1a0 __netpoll_send_skb+0x1b2/0x210 netpoll_send_udp+0x2c9/0x406 write_ext_msg+0x1d7/0x1f0 console_unlock+0x23c/0x520 vprintk_emit+0xe0/0x1d0 printk+0x58/0x6f x86_vector_activate.cold+0xf/0x46 __irq_domain_activate_irq+0x50/0x80 __irq_domain_activate_irq+0x32/0x80 __irq_domain_activate_irq+0x32/0x80 irq_domain_activate_irq+0x25/0x40 __setup_irq+0x2d2/0x700 request_threaded_irq+0xfb/0x160 __bnxt_open_nic+0x3b1/0x750 bnxt_open_nic+0x19/0x30 ethtool_set_channels+0x1ac/0x220 dev_ethtool+0x11ba/0x2240 dev_ioctl+0x1cf/0x390 sock_do_ioctl+0x95/0x130 Reported-by: Rob Sherwood Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Jakub Kicinski Reviewed-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 531c6cb9ad1e7de98e09e9b7d23aaca0e3f5babd Author: Eric Sandeen Date: Wed Aug 26 14:11:58 2020 -0700 xfs: fix boundary test in xfs_attr_shortform_verify [ Upstream commit f4020438fab05364018c91f7e02ebdd192085933 ] The boundary test for the fixed-offset parts of xfs_attr_sf_entry in xfs_attr_shortform_verify is off by one, because the variable array at the end is defined as nameval[1] not nameval[]. Hence we need to subtract 1 from the calculation. This can be shown by: # touch file # setfattr -n root.a file and verifications will fail when it's written to disk. This only matters for a last attribute which has a single-byte name and no value, otherwise the combination of namelen & valuelen will push endp further out and this test won't fail. Fixes: 1e1bbd8e7ee06 ("xfs: create structure verifier function for shortform xattrs") Signed-off-by: Eric Sandeen Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 91565765b6de29982b4d44c092eca2ea2a123385 Author: Brian Foster Date: Tue Aug 18 08:05:58 2020 -0700 xfs: finish dfops on every insert range shift iteration [ Upstream commit 9c516e0e4554e8f26ab73d46cbc789d7d8db664d ] The recent change to make insert range an atomic operation used the incorrect transaction rolling mechanism. The explicit transaction roll does not finish deferred operations. This means that intents for rmapbt updates caused by extent shifts are not logged until the final transaction commits. Thus if a crash occurs during an insert range, log recovery might leave the rmapbt in an inconsistent state. This was discovered by repeated runs of generic/455. Update insert range to finish dfops on every shift iteration. This is similar to collapse range and ensures that intents are logged with the transactions that make associated changes. Fixes: dd87f87d87fa ("xfs: rework insert range into an atomic operation") Signed-off-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 81fbc28873ef481780a4a55cb01f006b24cba0d4 Author: Edwin Peer Date: Wed Aug 26 01:08:37 2020 -0400 bnxt_en: fix HWRM error when querying VF temperature [ Upstream commit 12cce90b934bf2b0ed9c339b4d5503e69954351a ] Firmware returns RESOURCE_ACCESS_DENIED for HWRM_TEMP_MONITORY_QUERY for VFs. This produces unpleasing error messages in the log when temp1_input is queried via the hwmon sysfs interface from a VF. The error is harmless and expected, so silence it and return unknown as the value. Since the device temperature is not particularly sensitive information, provide flexibility to change this policy in future by silencing the error rather than avoiding the HWRM call entirely for VFs. Fixes: cde49a42a9bb ("bnxt_en: Add hwmon sysfs support to read temperature") Cc: Marc Smith Reported-by: Marc Smith Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e4d07b93a26beb89158555da30c55d0571095f3c Author: Michael Chan Date: Wed Aug 26 01:08:36 2020 -0400 bnxt_en: Fix possible crash in bnxt_fw_reset_task(). [ Upstream commit b148bb238c02f0c7797efed026e9bba5892d2172 ] bnxt_fw_reset_task() is run from a delayed workqueue. The current code is not cancelling the workqueue in the driver's .remove() method and it can potentially crash if the device is removed with the workqueue still pending. The fix is to clear the BNXT_STATE_IN_FW_RESET flag and then cancel the delayed workqueue in bnxt_remove_one(). bnxt_queue_fw_reset_work() also needs to check that this flag is set before scheduling. This will guarantee that no rescheduling will be done after it is cancelled. Fixes: 230d1f0de754 ("bnxt_en: Handle firmware reset.") Reviewed-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e0543e56fa6234ca93689b0f8a3e4f74c364af4e Author: Vasundhara Volam Date: Wed Aug 26 01:08:35 2020 -0400 bnxt_en: Fix PCI AER error recovery flow [ Upstream commit df3875ec550396974b1d8a518bd120d034738236 ] When a PCI error is detected the PCI state could be corrupt, save the PCI state after initialization and restore it after the slot reset. Fixes: 6316ea6db93d ("bnxt_en: Enable AER support.") Signed-off-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 214c198323335c277e7bf998194c348c72652dd0 Author: Michael Chan Date: Wed Aug 26 01:08:34 2020 -0400 bnxt_en: Fix ethtool -S statitics with XDP or TCs enabled. [ Upstream commit 7de651490c27ebc5edb5c7224c368bd0cd5b3862 ] We are returning the wrong count for ETH_SS_STATS in get_sset_count() when XDP or TCs are enabled. In a recent commit, we got rid of irrelevant counters when the ring is RX only or TX only, but we did not make the proper adjustments for the count. As a result, when we have XDP or TCs enabled, we are returning an excess count because some of the rings are TX only. This causes ethtool -S to display extra counters with no counter names. Fix bnxt_get_num_ring_stats() by not assuming that all rings will always have RX and TX counters in combined mode. Fixes: 125592fbf467 ("bnxt_en: show only relevant ethtool stats for a TX or RX ring") Reviewed-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 376326004a42a194216ee3a210996e6f193fd2de Author: Vasundhara Volam Date: Wed Aug 26 01:08:33 2020 -0400 bnxt_en: Check for zero dir entries in NVRAM. [ Upstream commit dbbfa96ad920c50d58bcaefa57f5f33ceef9d00e ] If firmware goes into unstable state, HWRM_NVM_GET_DIR_INFO firmware command may return zero dir entries. Return error in such case to avoid zero length dma buffer request. Fixes: c0c050c58d84 ("bnxt_en: New Broadcom ethernet driver.") Signed-off-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8fd4262bc8e4ca94cd1d6782ff49e59b1e91e849 Author: Pavan Chebbi Date: Wed Aug 26 01:08:32 2020 -0400 bnxt_en: Don't query FW when netif_running() is false. [ Upstream commit c1c2d77408022a398a1a7c51cf20488c922629de ] In rare conditions like two stage OS installation, the ethtool's get_channels function may be called when the device is in D3 state, leading to uncorrectable PCI error. Check netif_running() first before making any query to FW which involves writing to BAR. Fixes: db4723b3cd2d ("bnxt_en: Check max_tx_scheduler_inputs value from firmware.") Signed-off-by: Pavan Chebbi Signed-off-by: Michael Chan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b12fefddb43f88be0c9764c9be4a2cf05e98115c Author: Murali Karicheri Date: Mon Aug 24 11:10:53 2020 -0400 net: ethernet: ti: cpsw_new: fix clean up of vlan mc entries for host port [ Upstream commit 2c6500e82e5190b038f0b79f85a20da55bdd4b86 ] To flush the vid + mc entries from ALE, which is required when a VLAN interface is removed, driver needs to call cpsw_ale_flush_multicast() with ALE_PORT_HOST for port mask as these entries are added only for host port. Without this, these entries remain in the ALE table even after removing the VLAN interface. cpsw_ale_flush_multicast() calls cpsw_ale_flush_mcast which expects a port mask to do the job. Fixes: ed3525eda4c4 ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac") Signed-off-by: Murali Karicheri Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 634b47d46f936d88de5ad0929467a5edfc8f7837 Author: Murali Karicheri Date: Mon Aug 24 11:10:52 2020 -0400 net: ethernet: ti: cpsw: fix clean up of vlan mc entries for host port [ Upstream commit 99d469fc64d06f0c81c0fe2a1c01645a67e0cbf0 ] To flush the vid + mc entries from ALE, which is required when a VLAN interface is removed, driver needs to call cpsw_ale_flush_multicast() with ALE_PORT_HOST for port mask as these entries are added only for host port. Without this, these entries remain in the ALE table even after removing the VLAN interface. cpsw_ale_flush_multicast() calls cpsw_ale_flush_mcast which expects a port mask to do the job. Fixes: 15180eca569b ("net: ethernet: ti: cpsw: fix vlan mcast") Signed-off-by: Murali Karicheri Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e4fe6bfddafe0535ef8d78deddb86866d865da3d Author: Nicolas Dichtel Date: Tue Aug 25 14:59:40 2020 +0200 gtp: add GTPA_LINK info to msg sent to userspace [ Upstream commit b274e47d9e3f4dcd4ad4028a316ec22dc4533ac7 ] During a dump, this attribute is essential, it enables the userspace to know on which interface the context is linked to. Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)") Signed-off-by: Nicolas Dichtel Tested-by: Gabriel Ganne Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f276f4e1b7431572d124a225bda00cea87fe4e5f Author: Peter Ujfalusi Date: Mon Aug 24 15:01:08 2020 +0300 dmaengine: ti: k3-udma: Fix the TR initialization for prep_slave_sg [ Upstream commit 33ebffa105990c43bf336cabe26c77384f59fe70 ] The TR which needs to be initialized for the next sg entry is indexed by tr_idx and not by the running i counter. In case any sub element in the SG needs more than one TR, the code would corrupt an already configured TR. Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200824120108.9178-1-peter.ujfalusi@ti.com Fixes: 6cf668a4ef829 ("dmaengine: ti: k3-udma: Use the TR counter helper for slave_sg and cyclic") Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 1185d129364a37e3e3a8fdc230eecece201a5ebb Author: Marek Szyprowski Date: Tue Aug 25 08:46:17 2020 +0200 dmaengine: pl330: Fix burst length if burst size is smaller than bus width [ Upstream commit 0661cef675d37e2c4b66a996389ebeae8568e49e ] Move the burst len fixup after setting the generic value for it. This finally enables the fixup introduced by commit 137bd11090d8 ("dmaengine: pl330: Align DMA memcpy operations to MFIFO width"), which otherwise was overwritten by the generic value. Reported-by: kernel test robot Fixes: 137bd11090d8 ("dmaengine: pl330: Align DMA memcpy operations to MFIFO width") Signed-off-by: Marek Szyprowski Link: https://lore.kernel.org/r/20200825064617.16193-1-m.szyprowski@samsung.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ad32766990e2a8de5be08e24cda3ef6180ea96d9 Author: Yonghong Song Date: Fri Aug 21 12:10:54 2020 -0700 bpf: Fix a buffer out-of-bound access when filling raw_tp link_info [ Upstream commit b474959d5afda6e341a02c85f9595d85d39189ae ] Commit f2e10bff16a0 ("bpf: Add support for BPF_OBJ_GET_INFO_BY_FD for bpf_link") added link query for raw_tp. One of fields in link_info is to fill a user buffer with tp_name. The Scurrent checking only declares "ulen && !ubuf" as invalid. So "!ulen && ubuf" will be valid. Later on, we do "copy_to_user(ubuf, tp_name, ulen - 1)" which may overwrite user memory incorrectly. This patch fixed the problem by disallowing "!ulen && ubuf" case as well. Fixes: f2e10bff16a0 ("bpf: Add support for BPF_OBJ_GET_INFO_BY_FD for bpf_link") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200821191054.714731-1-yhs@fb.com Signed-off-by: Sasha Levin commit bb3eebda4e22c0a1999aa0d23639ffdd01818934 Author: Dinghao Liu Date: Sun Aug 23 16:56:47 2020 +0800 net: arc_emac: Fix memleak in arc_mdio_probe [ Upstream commit e2d79cd8875fa8c3cc7defa98a8cc99a1ed0c62f ] When devm_gpiod_get_optional() fails, bus should be freed just like when of_mdiobus_register() fails. Fixes: 1bddd96cba03d ("net: arc_emac: support the phy reset for emac driver") Signed-off-by: Dinghao Liu Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9ea477348bd2ed3a3da34ed3701d2e96cf73775f Author: Yuusuke Ashizuka Date: Thu Aug 20 18:43:07 2020 +0900 ravb: Fixed to be able to unload modules [ Upstream commit 1838d6c62f57836639bd3d83e7855e0ee4f6defc ] When this driver is built as a module, I cannot rmmod it after insmoding it. This is because that this driver calls ravb_mdio_init() at the time of probe, and module->refcnt is incremented by alloc_mdio_bitbang() called after that. Therefore, even if ifup is not performed, the driver is in use and rmmod cannot be performed. $ lsmod Module Size Used by ravb 40960 1 $ rmmod ravb rmmod: ERROR: Module ravb is in use Call ravb_mdio_init() at open and free_mdio_bitbang() at close, thereby rmmod is possible in the ifdown state. Fixes: c156633f1353 ("Renesas Ethernet AVB driver proper") Signed-off-by: Yuusuke Ashizuka Reviewed-by: Sergei Shtylyov Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ab1423e5b4d10061700c551cfe6caccee552b20e Author: Dinghao Liu Date: Mon Aug 24 13:58:31 2020 +0800 net: systemport: Fix memleak in bcm_sysport_probe [ Upstream commit 7ef1fc57301f3cef7201497aa27e89ccb91737fe ] When devm_kcalloc() fails, dev should be freed just like what we've done in the subsequent error paths. Fixes: 7b78be48a8eb6 ("net: systemport: Dynamically allocate number of TX rings") Signed-off-by: Dinghao Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0c14725cb0631f3a31c74664a1dba98b3bd27bc1 Author: Dinghao Liu Date: Mon Aug 24 13:44:42 2020 +0800 net: hns: Fix memleak in hns_nic_dev_probe [ Upstream commit 100e3345c6e719d2291e1efd5de311cc24bb9c0b ] hns_nic_dev_probe allocates ndev, but not free it on two error handling paths, which may lead to memleak. Fixes: 63434888aaf1b ("net: hns: net: hns: enet adds support of acpi") Signed-off-by: Dinghao Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a949770022f48cd4de554d5fc68fdc06c22874fc Author: Florian Westphal Date: Thu Aug 20 21:05:50 2020 +0200 netfilter: nf_tables: fix destination register zeroing [ Upstream commit 1e105e6afa6c3d32bfb52c00ffa393894a525c27 ] Following bug was reported via irc: nft list ruleset set knock_candidates_ipv4 { type ipv4_addr . inet_service size 65535 elements = { 127.0.0.1 . 123, 127.0.0.1 . 123 } } .. udp dport 123 add @knock_candidates_ipv4 { ip saddr . 123 } udp dport 123 add @knock_candidates_ipv4 { ip saddr . udp dport } It should not have been possible to add a duplicate set entry. After some debugging it turned out that the problem is the immediate value (123) in the second-to-last rule. Concatenations use 32bit registers, i.e. the elements are 8 bytes each, not 6 and it turns out the kernel inserted inet firewall @knock_candidates_ipv4 element 0100007f ffff7b00 : 0 [end] element 0100007f 00007b00 : 0 [end] Note the non-zero upper bits of the first element. It turns out that nft_immediate doesn't zero the destination register, but this is needed when the length isn't a multiple of 4. Furthermore, the zeroing in nft_payload is broken. We can't use [len / 4] = 0 -- if len is a multiple of 4, index is off by one. Skip zeroing in this case and use a conditional instead of (len -1) / 4. Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit b7d77de2fe794f260f2af6d29a4dcff3b9479f0b Author: Pablo Neira Ayuso Date: Thu Aug 20 14:12:55 2020 +0200 netfilter: nf_tables: incorrect enum nft_list_attributes definition [ Upstream commit da9125df854ea48a6240c66e8a67be06e2c12c03 ] This should be NFTA_LIST_UNSPEC instead of NFTA_LIST_UNPEC, all other similar attribute definitions are postfixed with _UNSPEC. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit e8261af70717a359d1364a2fc23ba9299051f169 Author: Pablo Neira Ayuso Date: Thu Aug 20 14:12:54 2020 +0200 netfilter: nf_tables: add NFTA_SET_USERDATA if not null [ Upstream commit 6f03bf43ee05b31d3822def2a80f11b3591c55b3 ] Kernel sends an empty NFTA_SET_USERDATA attribute with no value if userspace adds a set with no NFTA_SET_USERDATA attribute. Fixes: e6d8ecac9e68 ("netfilter: nf_tables: Add new attributes into nft_set to store user data.") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 20a7ee03beba4e071b85ebeba2166f892a94d24d Author: Tiezhu Yang Date: Tue Aug 18 20:30:37 2020 +0800 perf top: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set [ Upstream commit 0c5f1acc2a14416bf30023f373558d369afdbfc8 ] When I execute 'perf top' without HAVE_LIBBPF_SUPPORT, there exists the following segmentation fault, skip the side-band event setup to fix it, this is similar with commit 1101c872c8c7 ("perf record: Skip side-band event setup if HAVE_LIBBPF_SUPPORT is not set"). [yangtiezhu@linux perf]$ ./perf top perf: Segmentation fault Obtained 6 stack frames. ./perf(sighandler_dump_stack+0x5c) [0x12011b604] [0xffffffc010] ./perf(perf_mmap__read_init+0x3e) [0x1201feeae] ./perf() [0x1200d715c] /lib64/libpthread.so.0(+0xab9c) [0xffee10ab9c] /lib64/libc.so.6(+0x128f4c) [0xffedc08f4c] Segmentation fault [yangtiezhu@linux perf]$ I use git bisect to find commit b38d85ef49cf ("perf bpf: Decouple creating the evlist from adding the SB event") is the first bad commit, so also add the Fixes tag. Committer testing: First build perf explicitely disabling libbpf: $ make NO_LIBBPF=1 O=/tmp/build/perf -C tools/perf install-bin && perf test python Now make sure it isn't linked: $ perf -vv | grep -w bpf bpf: [ OFF ] # HAVE_LIBBPF_SUPPORT $ $ nm ~/bin/perf | grep libbpf $ And now try to run 'perf top': # perf top perf: Segmentation fault -------- backtrace -------- perf[0x5bcd6d] /lib64/libc.so.6(+0x3ca6f)[0x7fd0f5a66a6f] perf(perf_mmap__read_init+0x1e)[0x5e1afe] perf[0x4cc468] /lib64/libpthread.so.0(+0x9431)[0x7fd0f645a431] /lib64/libc.so.6(clone+0x42)[0x7fd0f5b2b912] # Applying this patch fixes the issue. Fixes: b38d85ef49cf ("perf bpf: Decouple creating the evlist from adding the SB event") Signed-off-by: Tiezhu Yang Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Xuefeng Li Link: http://lore.kernel.org/lkml/1597753837-16222-1-git-send-email-yangtiezhu@loongson.cn Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 06a1d6e334b0a36edcc52d8841a71674af6640e6 Author: David Ahern Date: Mon Aug 17 11:09:42 2020 -0600 perf sched timehist: Fix use of CPU list with summary option [ Upstream commit a74eaf1605d42391c2357a70e94e5a2c7780fea9 ] Do not update thread stats or show idle summary unless CPU is in the list of interest. Fixes: c30d630d1bcfad8d ("perf sched timehist: Add support for filtering on CPU") Signed-off-by: David Ahern Acked-by: Namhyung Kim Cc: Jiri Olsa Link: http://lore.kernel.org/lkml/20200817170943.1486-1-dsahern@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit b1c9e29c933e06b54ff2ffce634ba7806cea8a62 Author: Raul E Rangel Date: Wed Aug 19 13:00:19 2020 -0600 mmc: sdhci-acpi: Fix HS400 tuning for AMDI0040 [ Upstream commit 61d7437ed13906984c44697970ee792ac6271a31 ] The AMD eMMC Controller can only use the tuned clock while in HS200 and HS400 mode. If we switch to a different mode, we need to disable the tuned clock. If we have previously performed tuning and switch back to HS200 or HS400, we can re-enable the tuned clock. Previously the tuned clock was not getting disabled when switching to DDR52 which is part of the HS400 tuning sequence. Fixes: 34597a3f60b1 ("mmc: sdhci-acpi: Add support for ACPI HID of AMD Controller with HS400") Signed-off-by: Raul E Rangel Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20200819125832.v2.1.Ie8f0689ec9f449203328b37409d1cf06b565f331@changeid Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 17c1b210b6eae92193bd0f442136a27ac93c9064 Author: Florian Fainelli Date: Wed Aug 19 11:26:45 2020 -0700 MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores [ Upstream commit e14f633b66902615cf7faa5d032b45ab8b6fb158 ] The initialization done by bmips_cpu_setup() typically affects both threads of a given core, on 7435 which supports 2 cores and 2 threads, logical CPU number 2 and 3 would not run this initialization. Fixes: 738a3f79027b ("MIPS: BMIPS: Add early CPU initialization code") Signed-off-by: Florian Fainelli Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit f39c875a8eeb88ac0fe37e58385a2f23176f10a4 Author: Florian Fainelli Date: Wed Aug 19 11:26:44 2020 -0700 MIPS: mm: BMIPS5000 has inclusive physical caches [ Upstream commit dbfc95f98f0158958d1f1e6bf06d74be38dbd821 ] When the BMIPS generic cpu-feature-overrides.h file was introduced, cpu_has_inclusive_caches/MIPS_CPU_INCLUSIVE_CACHES was not set for BMIPS5000 CPUs. Correct this when we have initialized the MIPS secondary cache successfully. Fixes: f337967d6d87 ("MIPS: BMIPS: Add cpu-feature-overrides.h") Signed-off-by: Florian Fainelli Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit feb72ac627bcf0891bc3783112b67ec7f6c7e9ac Author: David Howells Date: Thu Aug 20 15:13:00 2020 +0100 rxrpc: Make rxrpc_kernel_get_srtt() indicate validity [ Upstream commit 1d4adfaf65746203861c72d9d78de349eb97d528 ] Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned smoothed RTT. If we haven't had any valid samples yet, the SRTT isn't useful. Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout") Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 26457829b759c6a696c09988fe361f7cc15f824e Author: David Howells Date: Wed Aug 19 23:29:16 2020 +0100 rxrpc: Fix loss of RTT samples due to interposed ACK [ Upstream commit 4700c4d80b7bb171f6996016ef121e1508860b42 ] The Rx protocol has a mechanism to help generate RTT samples that works by a client transmitting a REQUESTED-type ACK when it receives a DATA packet that has the REQUEST_ACK flag set. The peer, however, may interpose other ACKs before transmitting the REQUESTED-ACK, as can be seen in the following trace excerpt: rxrpc_tx_data: c=00000044 DATA d0b5ece8:00000001 00000001 q=00000001 fl=07 rxrpc_rx_ack: c=00000044 00000001 PNG r=00000000 f=00000002 p=00000000 n=0 rxrpc_rx_ack: c=00000044 00000002 REQ r=00000001 f=00000002 p=00000001 n=0 ... DATA packet 1 (q=xx) has REQUEST_ACK set (bit 1 of fl=xx). The incoming ping (labelled PNG) hard-acks the request DATA packet (f=xx exceeds the sequence number of the DATA packet), causing it to be discarded from the Tx ring. The ACK that was requested (labelled REQ, r=xx references the serial of the DATA packet) comes after the ping, but the sk_buff holding the timestamp has gone and the RTT sample is lost. This is particularly noticeable on RPC calls used to probe the service offered by the peer. A lot of peers end up with an unknown RTT because we only ever sent a single RPC. This confuses the server rotation algorithm. Fix this by caching the information about the outgoing packet in RTT calculations in the rxrpc_call struct rather than looking in the Tx ring. A four-deep buffer is maintained and both REQUEST_ACK-flagged DATA and PING-ACK transmissions are recorded in there. When the appropriate response ACK is received, the buffer is checked for a match and, if found, an RTT sample is recorded. If a received ACK refers to a packet with a later serial number than an entry in the cache, that entry is presumed lost and the entry is made available to record a new transmission. ACKs types other than REQUESTED-type and PING-type cause any matching sample to be cancelled as they don't necessarily represent a useful measurement. If there's no space in the buffer on ping/data transmission, the sample base is discarded. Fixes: 50235c4b5a2f ("rxrpc: Obtain RTT data by requesting ACKs on DATA packets") Signed-off-by: David Howells Signed-off-by: Sasha Levin commit e2674459be67d4ee25ec12a01a0929b31be626dd Author: David Howells Date: Thu Aug 20 14:12:33 2020 +0100 rxrpc: Keep the ACK serial in a var in rxrpc_input_ack() [ Upstream commit 68528d937dcd675e79973061c1a314db598162d1 ] Keep the ACK serial number in a variable in rxrpc_input_ack() as it's used frequently. Signed-off-by: David Howells Signed-off-by: Sasha Levin commit eff6dcb0c388bb3cb7c55b84a605ec825d2bb14d Author: Yu Kuai Date: Mon Aug 17 19:57:28 2020 +0800 dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate() [ Upstream commit e097eb7473d9e70da9e03276f61cd392ccb9d79f ] If memory allocation for 'atslave' succeed, at_dma_xlate() doesn't have a corresponding kfree() in exception handling. Thus add kfree() for this function implementation. Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20200817115728.1706719-4-yukuai3@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 159db733b2acc0f78f9ae53d506a9e12ea278431 Author: Yu Kuai Date: Mon Aug 17 19:57:27 2020 +0800 dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate() [ Upstream commit 3832b78b3ec2cf51e07102f9b4480e343459b20f ] If of_find_device_by_node() succeed, at_dma_xlate() doesn't have a corresponding put_device(). Thus add put_device() to fix the exception handling for this function implementation. Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20200817115728.1706719-3-yukuai3@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit e3149ca07e92d20ea8ecf2a9bdfadf7adf4525c9 Author: Yu Kuai Date: Mon Aug 17 19:57:26 2020 +0800 dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate() [ Upstream commit 0cef8e2c5a07d482ec907249dbd6687e8697677f ] The reurn value of of_find_device_by_node() is not checked, thus null pointer dereference will be triggered if of_find_device_by_node() failed. Fixes: bbe89c8e3d59 ("at_hdmac: move to generic DMA binding") Signed-off-by: Yu Kuai Link: https://lore.kernel.org/r/20200817115728.1706719-2-yukuai3@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c6156f0064b14af0c8acb52860b8cc3eb175867b Author: Jussi Kivilinna Date: Tue Aug 18 17:46:10 2020 +0300 batman-adv: bla: use netif_rx_ni when not in interrupt context [ Upstream commit 279e89b2281af3b1a9f04906e157992c19c9f163 ] batadv_bla_send_claim() gets called from worker thread context through batadv_bla_periodic_work(), thus netif_rx_ni needs to be used in that case. This fixes "NOHZ: local_softirq_pending 08" log messages seen when batman-adv is enabled. Fixes: 23721387c409 ("batman-adv: add basic bridge loop avoidance code") Signed-off-by: Jussi Kivilinna Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin commit cb6560a41c455805e51741f26169e622c4af5654 Author: Linus Lüssing Date: Thu Jul 23 14:28:08 2020 +0200 batman-adv: Fix own OGM check in aggregated OGMs [ Upstream commit d8bf0c01642275c7dca1e5d02c34e4199c200b1f ] The own OGM check is currently misplaced and can lead to the following issues: For one thing we might receive an aggregated OGM from a neighbor node which has our own OGM in the first place. We would then not only skip our own OGM but erroneously also any other, following OGM in the aggregate. For another, we might receive an OGM aggregate which has our own OGM in a place other then the first one. Then we would wrongly not skip this OGM, leading to populating the orginator and gateway table with ourself. Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic") Signed-off-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin commit 27cc30cdc8f4941a40f1a7b21c07459e7f886ca9 Author: Sven Eckelmann Date: Wed Jul 22 20:36:43 2020 +0200 batman-adv: Avoid uninitialized chaddr when handling DHCP [ Upstream commit 303216e76dcab6049c9d42390b1032f0649a8206 ] The gateway client code can try to optimize the delivery of DHCP packets to avoid broadcasting them through the whole mesh. But also transmissions to the client can be optimized by looking up the destination via the chaddr of the DHCP packet. But the chaddr is currently only done when chaddr is fully inside the non-paged area of the skbuff. Otherwise it will not be initialized and the unoptimized path should have been taken. But the implementation didn't handle this correctly. It didn't retrieve the correct chaddr but still tried to perform the TT lookup with this uninitialized memory. Reported-by: syzbot+ab16e463b903f5a37036@syzkaller.appspotmail.com Fixes: 6c413b1c22a2 ("batman-adv: send every DHCP packet as bat-unicast") Signed-off-by: Sven Eckelmann Acked-by: Antonio Quartulli Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin commit 4b805451419cdfcb4ea4ee1dfaf2aded4ba4376f Author: Peter Ujfalusi Date: Thu Aug 6 13:49:28 2020 +0300 dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling [ Upstream commit 5b2aa9f918f6837ae943557f8cec02c34fcf80e7 ] of_dma_xlate callback can return ERR_PTR as well NULL in case of failure. If error code is returned (not NULL) then the route should be released and the router should not be registered for the channel. Fixes: 56f13c0d9524c ("dmaengine: of_dma: Support for DMA routers") Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200806104928.25975-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 6f88924528c849be601f93067313e57cfc389dd0 Author: Linus Torvalds Date: Sat Aug 29 13:50:56 2020 -0700 fsldma: fix very broken 32-bit ppc ioread64 functionality [ Upstream commit 0a4c56c80f90797e9b9f8426c6aae4c0cf1c9785 ] Commit ef91bb196b0d ("kernel.h: Silence sparse warning in lower_32_bits") caused new warnings to show in the fsldma driver, but that commit was not to blame: it only exposed some very incorrect code that tried to take the low 32 bits of an address. That made no sense for multiple reasons, the most notable one being that that code was intentionally limited to only 32-bit ppc builds, so "only low 32 bits of an address" was completely nonsensical. There were no high bits to mask off to begin with. But even more importantly fropm a correctness standpoint, turning the address into an integer then caused the subsequent address arithmetic to be completely wrong too, and the "+1" actually incremented the address by one, rather than by four. Which again was incorrect, since the code was reading two 32-bit values and trying to make a 64-bit end result of it all. Surprisingly, the iowrite64() did not suffer from the same odd and incorrect model. This code has never worked, but it's questionable whether anybody cared: of the two users that actually read the 64-bit value (by way of some C preprocessor hackery and eventually the 'get_cdar()' inline function), one of them explicitly ignored the value, and the other one might just happen to work despite the incorrect value being read. This patch at least makes it not fail the build any more, and makes the logic superficially sane. Whether it makes any difference to the code _working_ or not shall remain a mystery. Compile-tested-by: Guenter Roeck Reviewed-by: Guenter Roeck Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit adaa55616567ebbe24c7c3a4ad48f8a983c852dd Author: Simon Leiner Date: Tue Aug 25 11:31:52 2020 +0200 xen/xenbus: Fix granting of vmalloc'd memory [ Upstream commit d742db70033c745e410523e00522ee0cfe2aa416 ] On some architectures (like ARM), virt_to_gfn cannot be used for vmalloc'd memory because of its reliance on virt_to_phys. This patch introduces a check for vmalloc'd addresses and obtains the PFN using vmalloc_to_pfn in that case. Signed-off-by: Simon Leiner Reviewed-by: Stefano Stabellini Link: https://lore.kernel.org/r/20200825093153.35500-1-simon@leiner.me Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 2c97832bae0870363b7d97f967ef4d9ef7a042b2 Author: Dinghao Liu Date: Wed Aug 26 21:24:58 2020 +0800 drm/amd/display: Fix memleak in amdgpu_dm_mode_config_init [ Upstream commit b67a468a4ccef593cd8df6a02ba3d167b77f0c81 ] When amdgpu_display_modeset_create_props() fails, state and state->context should be freed to prevent memleak. It's the same when amdgpu_dm_audio_init() fails. Signed-off-by: Dinghao Liu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit fe4e0121247843c66e6ccdc52b951679b15263a8 Author: Wayne Lin Date: Tue Aug 18 11:19:42 2020 +0800 drm/amd/display: Retry AUX write when fail occurs [ Upstream commit ef67d792a2fc578319399f605fbec2f99ecc06ea ] [Why] In dm_dp_aux_transfer() now, we forget to handle AUX_WR fail cases. We suppose every write wil get done successfully and hence some AUX commands might not sent out indeed. [How] Check if AUX_WR success. If not, retry it. Signed-off-by: Wayne Lin Reviewed-by: Hersen Wu Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a3a943b6f211c7323250009f1c3c5102a9c77418 Author: Brandon Syu Date: Wed Jun 10 16:44:33 2020 +0800 drm/amd/display: Keep current gain when ABM disable immediately [ Upstream commit cba4b52e431e5de3d8012281cfe194f1c39a9052 ] [Why] When system enters s3/s0i3, backlight PWM would set user level. [How] ABM disable function add keep current gain to avoid it. Signed-off-by: Brandon Syu Reviewed-by: Josip Pavic Acked-by: Eryk Brol Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e7ea083125583716bf7861b8559ddbcd8691fd7e Author: Samson Tam Date: Thu Aug 13 10:50:21 2020 -0400 drm/amd/display: Fix passive dongle mistaken as active dongle in EDID emulation [ Upstream commit efbde23a3b0164cef27fd394e7d548f46af5b51d ] [Why] dongle_type is set during dongle connection but for passive dongles, dongle_type is not set. If user starts with an active dongle and then switches to a passive dongle, it will still report as an active dongle. Trying to emulate the wrong connecter type results in display not lighting up. [How] Set dpcd_caps.dongle_type for passive dongles in detect_dp(). Signed-off-by: Samson Tam Reviewed-by: Joshua Aberback Acked-by: Eryk Brol Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 151ed59e03a9fd747db40f051410517c2bdfb2a9 Author: Jaehyun Chung Date: Mon Aug 10 16:02:47 2020 -0400 drm/amd/display: Revert HDCP disable sequence change [ Upstream commit b61f05622ace5b9498ae279cdfd1c9f0c1ce3f75 ] [Why] Revert HDCP disable sequence change that blanks stream before disabling HDCP. PSP and HW teams are currently investigating the root cause of why HDCP cannot be disabled before stream blank, which is expected to work without issues. Signed-off-by: Jaehyun Chung Reviewed-by: Wenjing Liu Acked-by: Eryk Brol Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit af7dceeda1162eed4c165b7ea54819b09214601e Author: Furquan Shaikh Date: Thu Aug 20 00:52:41 2020 -0700 drivers: gpu: amd: Initialize amdgpu_dm_backlight_caps object to 0 in amdgpu_dm_update_backlight_caps [ Upstream commit 5896585512e5156482335e902f7c7393b940da51 ] In `amdgpu_dm_update_backlight_caps()`, there is a local `amdgpu_dm_backlight_caps` object that is filled in by `amdgpu_acpi_get_backlight_caps()`. However, this object is uninitialized before the call and hence the subsequent check for aux_support can fail since it is not initialized by `amdgpu_acpi_get_backlight_caps()` as well. This change initializes this local `amdgpu_dm_backlight_caps` object to 0. Reviewed-by: Christian König Signed-off-by: Furquan Shaikh Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 47fd4ba5cc95a6bcea5653c39ad51243cbba2336 Author: Nicholas Kazlauskas Date: Wed Aug 19 13:37:54 2020 -0400 drm/amd/display: Reject overlay plane configurations in multi-display scenarios [ Upstream commit 168f09cdadbd547c2b202246ef9a8183da725f13 ] [Why] These aren't stable on some platform configurations when driving multiple displays, especially on higher resolution. In particular the delay in asserting p-state and validating from x86 outweights any power or performance benefit from the hardware composition. Under some configurations this will manifest itself as extreme stutter or unresponsiveness especially when combined with cursor movement. [How] Disable these for now. Exposing overlays to userspace doesn't guarantee that they'll be able to use them in any and all configurations and it's part of the DRM contract to have userspace gracefully handle validation failures when they occur. Valdiation occurs as part of DC and this in particular affects RV, so disable this in dcn10_global_validation. Signed-off-by: Nicholas Kazlauskas Reviewed-by: Hersen Wu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 35950cec85472ea62bf6b91562e3bd52a4267a17 Author: Tong Zhang Date: Sun Aug 16 03:32:12 2020 -0400 drm/amd/display: should check error using DC_OK [ Upstream commit ed9ab229fea24cbcab17f484297dc8344afb7ea9 ] core_link_read_dpcd returns only DC_OK(1) and DC_ERROR_UNEXPECTED(-1), the caller should check error using DC_OK instead of checking against 0 Signed-off-by: Tong Zhang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit bd5f4d49094c919f91a7964614d3e5f9bfbedcea Author: Sven Schnelle Date: Thu Aug 20 09:48:23 2020 +0200 s390: don't trace preemption in percpu macros [ Upstream commit 1196f12a2c960951d02262af25af0bb1775ebcc2 ] Since commit a21ee6055c30 ("lockdep: Change hardirq{s_enabled,_context} to per-cpu variables") the lockdep code itself uses percpu variables. This leads to recursions because the percpu macros are calling preempt_enable() which might call trace_preempt_on(). Signed-off-by: Sven Schnelle Reviewed-by: Vasily Gorbik Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit c3bf0387a0a91de0d91c8db3cab5102f83d01de0 Author: Hou Pu Date: Mon Aug 10 08:00:44 2020 -0400 nbd: restore default timeout when setting it to zero [ Upstream commit acb19e17c5134dd78668c429ecba5b481f038e6a ] If we configured io timeout of nbd0 to 100s. Later after we finished using it, we configured nbd0 again and set the io timeout to 0. We expect it would timeout after 30 seconds and keep retry. But in fact we could not change the timeout when we set it to 0. the timeout is still the original 100s. So change the timeout to default 30s when we set it to zero. It also behaves same as commit 2da22da57348 ("nbd: fix zero cmd timeout handling v2"). It becomes more important if we were reconfigure a nbd device and the io timeout it set to zero. Because it could take 30s to detect the new socket and thus io could be completed more quickly compared to 100s. Signed-off-by: Hou Pu Reviewed-by: Josef Bacik Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0f6c545bddd31e8b9bac209614f815f2ec55ed2c Author: Peter Zijlstra Date: Thu Aug 20 16:47:24 2020 +0200 cpuidle: Fixup IRQ state [ Upstream commit 49d9c5936314e44d314c605c39cce0fd947f9c3a ] Match the pattern elsewhere in this file. Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steven Rostedt (VMware) Reviewed-by: Thomas Gleixner Acked-by: Rafael J. Wysocki Tested-by: Marco Elver Link: https://lkml.kernel.org/r/20200821085348.251340558@infradead.org Signed-off-by: Sasha Levin commit a3c2bcb3e9e3ca601691a903807ff2141b17063d Author: Paul Cercueil Date: Wed Aug 19 20:06:02 2020 +0200 irqchip/ingenic: Leave parent IRQ unmasked on suspend [ Upstream commit 821fc9e261f3af235752f46e59084467cfd440c4 ] All the wakeup sources we possibly want will go through the interrupt controller, so the parent IRQ must not be masked during suspend, or there won't be any way to wake up the system. Signed-off-by: Paul Cercueil Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200819180602.136969-1-paul@crapouillou.net Signed-off-by: Sasha Levin commit 2659c526f928c968a1af80e54c3a37e0270427b0 Author: Tomi Valkeinen Date: Wed Aug 19 13:30:21 2020 +0300 drm/omap: fix incorrect lock state [ Upstream commit 7fd5b25499bcec157dd4de9a713425efcf4571cd ] After commit 92cc68e35863c1c61c449efa2b2daef6e9926048 ("drm/vblank: Use spin_(un)lock_irq() in drm_crtc_vblank_on()") omapdrm locking is broken: WARNING: inconsistent lock state 5.8.0-rc2-00483-g92cc68e35863 #13 Tainted: G W -------------------------------- inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-W} usage. swapper/0/0 [HC1[1]:SC0[0]:HE0:SE1] takes: ea98222c (&dev->event_lock#2){?.+.}-{2:2}, at: drm_handle_vblank+0x4c/0x520 [drm] {HARDIRQ-ON-W} state was registered at: trace_hardirqs_on+0x9c/0x1ec _raw_spin_unlock_irq+0x20/0x58 omap_crtc_atomic_enable+0x54/0xa0 [omapdrm] drm_atomic_helper_commit_modeset_enables+0x218/0x270 [drm_kms_helper] omap_atomic_commit_tail+0x48/0xc4 [omapdrm] commit_tail+0x9c/0x190 [drm_kms_helper] drm_atomic_helper_commit+0x154/0x188 [drm_kms_helper] drm_client_modeset_commit_atomic+0x228/0x268 [drm] drm_client_modeset_commit_locked+0x60/0x1d0 [drm] drm_client_modeset_commit+0x24/0x40 [drm] drm_fb_helper_restore_fbdev_mode_unlocked+0x54/0xa8 [drm_kms_helper] drm_fb_helper_set_par+0x2c/0x5c [drm_kms_helper] drm_fb_helper_hotplug_event.part.0+0xa0/0xbc [drm_kms_helper] drm_kms_helper_hotplug_event+0x24/0x30 [drm_kms_helper] output_poll_execute+0x1a8/0x1c0 [drm_kms_helper] process_one_work+0x268/0x800 worker_thread+0x30/0x4e0 kthread+0x164/0x190 ret_from_fork+0x14/0x20 The reason for this is that omapdrm calls drm_crtc_vblank_on() while holding event_lock taken with spin_lock_irq(). It is not clear why drm_crtc_vblank_on() and drm_crtc_vblank_get() are called while holding event_lock. I don't see any problem with moving those calls outside the lock, which is what this patch does. Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20200819103021.440288-1-tomi.valkeinen@ti.com Reviewed-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 01a28ac6e917d023ca9777256e058f937698541a Author: Ray Jui Date: Fri Aug 14 15:40:08 2020 -0700 i2c: iproc: Fix shifting 31 bits [ Upstream commit 0204081128d582965e9e39ca83ee6e4f7d27142b ] Fix undefined behaviour in the iProc I2C driver by using 'BIT' marcro. Reported-by: Wolfram Sang Signed-off-by: Ray Jui Acked-by: Florian Fainelli [wsa: in commit msg, don't say 'checkpatch' but name the issue] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 46653857d015656ff970d763dcb1429a0871b143 Author: Jeff Layton Date: Thu Aug 20 11:00:26 2020 -0400 ceph: don't allow setlease on cephfs [ Upstream commit 496ceaf12432b3d136dcdec48424312e71359ea7 ] Leases don't currently work correctly on kcephfs, as they are not broken when caps are revoked. They could eventually be implemented similarly to how we did them in libcephfs, but for now don't allow them. [ idryomov: no need for simple_nosetlease() in ceph_dir_fops and ceph_snapdir_fops ] Signed-off-by: Jeff Layton Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 94fd015fe91f7f3980218ab363c045b2d80122ba Author: Vineeth Pillai Date: Fri Aug 21 15:28:49 2020 +0000 hv_utils: drain the timesync packets on onchannelcallback [ Upstream commit b46b4a8a57c377b72a98c7930a9f6969d2d4784e ] There could be instances where a system stall prevents the timesync packets to be consumed. And this might lead to more than one packet pending in the ring buffer. Current code empties one packet per callback and it might be a stale one. So drain all the packets from ring buffer on each callback. Signed-off-by: Vineeth Pillai Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20200821152849.99517-1-viremana@linux.microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 6a725c83a08d41f2bc1630835712a4edc2e6caad Author: Vineeth Pillai Date: Fri Aug 21 15:25:23 2020 +0000 hv_utils: return error if host timesysnc update is stale [ Upstream commit 90b125f4cd2697f949f5877df723a0b710693dd0 ] If for any reason, host timesync messages were not processed by the guest, hv_ptp_gettime() returns a stale value and the caller (clock_gettime, PTP ioctl etc) has no means to know this now. Return an error so that the caller knows about this. Signed-off-by: Vineeth Pillai Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20200821152523.99364-1-viremana@linux.microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 4f3ffd5fcbf77a0bb497a89c1b28c2a4532a9101 Author: Bob Peterson Date: Fri Aug 21 08:50:34 2020 -0500 gfs2: add some much needed cleanup for log flushes that fail [ Upstream commit 462582b99b6079a6fbcdfc65bac49f5c2a27cfff ] When a log flush fails due to io errors, it signals the failure but does not clean up after itself very well. This is because buffers are added to the transaction tr_buf and tr_databuf queue, but the io error causes gfs2_log_flush to bypass the "after_commit" functions responsible for dequeueing the bd elements. If the bd elements are added to the ail list before the error, function ail_drain takes care of dequeueing them. But if they haven't gotten that far, the elements are forgotten and make the transactions unable to be freed. This patch introduces new function trans_drain which drains the bd elements from the transaction so they can be freed properly. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit 2ed484c404e02ae83fc8a4108c35900c1236e8e6 Author: Dmitry Baryshkov Date: Thu Aug 20 12:36:22 2020 +0300 drm/msm/a6xx: fix gmu start on newer firmware [ Upstream commit f5749d6181fa7df5ae741788e5d96f593d3a60b6 ] New Qualcomm firmware has changed a way it reports back the 'started' event. Support new register values. Signed-off-by: Dmitry Baryshkov Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 2ad613d97f9675d03b2aba68588b5d950cbf1507 Author: Ofir Bitton Date: Tue Aug 11 08:57:45 2020 +0300 habanalabs: check correct vmalloc return code [ Upstream commit 0839152f8c1efc1cc2d515d1ff1e253ca9402ad3 ] vmalloc can return different return code than NULL and a valid pointer. We must validate it in order to dereference a non valid pointer. Signed-off-by: Ofir Bitton Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 72038388869bc808f219734d111a4121d2ff99d5 Author: Ofir Bitton Date: Tue Aug 11 09:19:53 2020 +0300 habanalabs: validate FW file size [ Upstream commit bce382a8bb080ed5f2f3a06754526dc58b91cca2 ] We must validate FW size in order not to corrupt memory in case a malicious FW file will be present in system. Signed-off-by: Ofir Bitton Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 9a3acad9ae0ea859d6408bacbb7ffaf8adc5dcf2 Author: Oded Gabbay Date: Sat Aug 8 23:34:47 2020 +0300 habanalabs: set max power according to card type [ Upstream commit 58361aae4b0eed388680a89ac153d27177f40510 ] In Gaudi, the default max power setting is different between PCI and PMC cards. Therefore, the driver need to set the default after knowing what is the card type. The current code has a bug where it limits the maximum power of the PMC card to 200W after a reset occurs. Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 3a24b9420ee0a0f146840c29883d671327e00f4c Author: Ofir Bitton Date: Thu Aug 6 11:33:27 2020 +0300 habanalabs: proper handling of alloc size in coresight [ Upstream commit 36545279f076afeb77104f5ffeab850da3b6d107 ] Allocation size can go up to 64bit but truncated to 32bit, we should make sure it is not truncated and validate no address overflow. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit a8d7e55996142aea8747d701d17d32560d86496a Author: Ofir Bitton Date: Tue Aug 4 13:38:43 2020 +0300 habanalabs: set clock gating according to mask [ Upstream commit f44d23b9095abd91dad9f5f3add2a3149833ec83 ] Once clock gating is set we enable clock gating according to mask, we should also disable clock gating according to relevant bits. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit fb8b4592f9585a9f50683ad3423c74a21c9f0991 Author: Ofir Bitton Date: Thu Jul 30 14:56:38 2020 +0300 habanalabs: validate packet id during CB parse [ Upstream commit bc75be24fa88ef10eecaff2b2a9ada8189e5ab5d ] During command buffer parsing, driver extracts packet id from user buffer. Driver must validate this packet id, since it is being used in order to extract information from internal structures. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit b18c6071868cef30e178bdae8f4479e162ec0747 Author: Ofir Bitton Date: Thu Jul 16 13:33:52 2020 +0300 habanalabs: unmap PCI bars upon iATU failure [ Upstream commit f1aae40e8dbd2655e3b10cae381a1e8292b19d57 ] In case the driver fails to configure the PCI controller iATU, it needs to unmap the PCI bars before exiting so if the driver is removed, the bars won't be left mapped. Signed-off-by: Ofir Bitton Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 4e2beff0b638f17ba9a8c6d15aff986f83213e06 Author: Rob Clark Date: Tue Aug 18 09:31:19 2020 -0700 drm/msm: enable vblank during atomic commits [ Upstream commit 43906812eaab06423f56af5cca9a9fcdbb4ac454 ] This has roughly the same effect as drm_atomic_helper_wait_for_vblanks(), basically just ensuring that vblank accounting is enabled so that we get valid timestamp/seqn on pageflip events. Signed-off-by: Rob Clark Tested-by: Stephen Boyd Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 3fe50ada2a5603d8e6502b2d6f51dc04446f665c Author: Amit Engel Date: Wed Aug 19 11:31:11 2020 +0300 nvmet: Disable keep-alive timer when kato is cleared to 0h [ Upstream commit 0d3b6a8d213a30387b5104b2fb25376d18636f23 ] Based on nvme spec, when keep alive timeout is set to zero the keep-alive timer should be disabled. Signed-off-by: Amit Engel Signed-off-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 64c064ba11c6292aa88d11482a1b5b3a48ee7ced Author: Tom Rix Date: Thu Aug 20 06:19:32 2020 -0700 hwmon: (applesmc) check status earlier. [ Upstream commit cecf7560f00a8419396a2ed0f6e5d245ccb4feac ] clang static analysis reports this representative problem applesmc.c:758:10: warning: 1st function call argument is an uninitialized value left = be16_to_cpu(*(__be16 *)(buffer + 6)) >> 2; ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ buffer is filled by the earlier call ret = applesmc_read_key(LIGHT_SENSOR_LEFT_KEY, ... This problem is reported because a goto skips the status check. Other similar problems use data from applesmc_read_key before checking the status. So move the checks to before the use. Signed-off-by: Tom Rix Reviewed-by: Henrik Rydberg Link: https://lore.kernel.org/r/20200820131932.10590-1-trix@redhat.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 56ed34ea6cd73c2fd5384d03a9034e6f229a390a Author: Krishna Manikandan Date: Mon Jun 1 16:33:22 2020 +0530 drm/msm: add shutdown support for display platform_driver [ Upstream commit 9d5cbf5fe46e350715389d89d0c350d83289a102 ] Define shutdown callback for display drm driver, so as to disable all the CRTCS when shutdown notification is received by the driver. This change will turn off the timing engine so that no display transactions are requested while mmu translations are getting disabled during reboot sequence. Signed-off-by: Krishna Manikandan Changes in v2: - Remove NULL check from msm_pdev_shutdown (Stephen Boyd) - Change commit text to reflect when this issue was uncovered (Sai Prakash Ranjan) Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 87371d8581013aa6cf8987565a54c0ac3694774d Author: John Stultz Date: Tue Aug 11 02:50:44 2020 +0000 tty: serial: qcom_geni_serial: Drop __init from qcom_geni_console_setup [ Upstream commit 975efc66d4e654207c17f939eb737ac591ac38fe ] When booting with heavily modularized config, the serial console may not be able to load until after init when modules that satisfy needed dependencies have time to load. Unfortunately, as qcom_geni_console_setup is marked as __init, the function may have been freed before we get to run it, causing boot time crashes such as: [ 6.469057] Unable to handle kernel paging request at virtual address ffffffe645d4e6cc [ 6.481623] Mem abort info: [ 6.484466] ESR = 0x86000007 [ 6.487557] EC = 0x21: IABT (current EL), IL = 32 bits [ 6.492929] SET = 0, FnV = 0g [ 6.496016] EA = 0, S1PTW = 0 [ 6.499202] swapper pgtable: 4k pages, 39-bit VAs, pgdp=000000008151e000 [ 6.501286] ufshcd-qcom 1d84000.ufshc: ufshcd_print_pwr_info:[RX, TX]: gear=[3, 3], lane[2, 2], pwr[FAST MODE, FAST MODE], rate = 2 [ 6.505977] [ffffffe645d4e6cc] pgd=000000017df9f003, p4d=000000017df9f003, pud=000000017df9f003, pmd=000000017df9c003, pte=0000000000000000 [ 6.505990] Internal error: Oops: 86000007 [#1] PREEMPT SMP [ 6.505995] Modules linked in: zl10353 zl10039 zl10036 zd1301_demod xc5000 xc4000 ves1x93 ves1820 tuner_xc2028 tuner_simple tuner_types tua9001 tua6100 1 [ 6.506152] isl6405 [ 6.518104] ufshcd-qcom 1d84000.ufshc: ufshcd_find_max_sup_active_icc_level: Regulator capability was not set, actvIccLevel=0 [ 6.530549] horus3a helene fc2580 fc0013 fc0012 fc0011 ec100 e4000 dvb_pll ds3000 drxk drxd drx39xyj dib9000 dib8000 dib7000p dib7000m dib3000mc dibx003 [ 6.624271] CPU: 7 PID: 148 Comm: kworker/7:2 Tainted: G W 5.8.0-mainline-12021-g6defd37ba1cd #3455 [ 6.624273] Hardware name: Thundercomm Dragonboard 845c (DT) [ 6.624290] Workqueue: events deferred_probe_work_func [ 6.624296] pstate: 40c00005 (nZcv daif +PAN +UAO BTYPE=--) [ 6.624307] pc : qcom_geni_console_setup+0x0/0x110 [ 6.624316] lr : try_enable_new_console+0xa0/0x140 [ 6.624318] sp : ffffffc010843a30 [ 6.624320] x29: ffffffc010843a30 x28: ffffffe645c3e7d0 [ 6.624325] x27: ffffff80f8022180 x26: ffffffc010843b28 [ 6.637937] x25: 0000000000000000 x24: ffffffe6462a2000 [ 6.637941] x23: ffffffe646398000 x22: 0000000000000000 [ 6.637945] x21: 0000000000000000 x20: ffffffe6462a5ce8 [ 6.637952] x19: ffffffe646398e38 x18: ffffffffffffffff [ 6.680296] x17: 0000000000000000 x16: ffffffe64492b900 [ 6.680300] x15: ffffffe6461e9d08 x14: 69202930203d2064 [ 6.680305] x13: 7561625f65736162 x12: 202c363331203d20 [ 6.696434] x11: 0000000000000030 x10: 0101010101010101 [ 6.696438] x9 : 4d4d20746120304d x8 : 7f7f7f7f7f7f7f7f [ 6.707249] x7 : feff4c524c787373 x6 : 0000000000008080 [ 6.707253] x5 : 0000000000000000 x4 : 8080000000000000 [ 6.707257] x3 : 0000000000000000 x2 : ffffffe645d4e6cc [ 6.744223] qcom_geni_serial 898000.serial: dev_pm_opp_set_rate: failed to find OPP for freq 102400000 (-34) [ 6.744966] x1 : fffffffefe74e174 x0 : ffffffe6462a5ce8 [ 6.753580] qcom_geni_serial 898000.serial: dev_pm_opp_set_rate: failed to find OPP for freq 102400000 (-34) [ 6.761634] Call trace: [ 6.761639] qcom_geni_console_setup+0x0/0x110 [ 6.761645] register_console+0x29c/0x2f8 [ 6.767981] Bluetooth: hci0: Frame reassembly failed (-84) [ 6.775252] uart_add_one_port+0x438/0x500 [ 6.775258] qcom_geni_serial_probe+0x2c4/0x4a8 [ 6.775266] platform_drv_probe+0x58/0xa8 [ 6.855359] really_probe+0xec/0x398 [ 6.855362] driver_probe_device+0x5c/0xb8 [ 6.855367] __device_attach_driver+0x98/0xb8 [ 7.184945] bus_for_each_drv+0x74/0xd8 [ 7.188825] __device_attach+0xec/0x148 [ 7.192705] device_initial_probe+0x24/0x30 [ 7.196937] bus_probe_device+0x9c/0xa8 [ 7.200816] deferred_probe_work_func+0x7c/0xb8 [ 7.205398] process_one_work+0x20c/0x4b0 [ 7.209456] worker_thread+0x48/0x460 [ 7.213157] kthread+0x14c/0x158 [ 7.216432] ret_from_fork+0x10/0x18 [ 7.220049] Code: bad PC value [ 7.223139] ---[ end trace 73f3b21e251d5a70 ]--- Thus this patch removes the __init avoiding crash in such configs. Cc: Andy Gross Cc: Jiri Slaby Cc: Saravana Kannan Cc: Todd Kjos Cc: Amit Pundir Cc: linux-arm-msm@vger.kernel.org Cc: linux-serial@vger.kernel.org Suggested-by: Saravana Kannan Signed-off-by: John Stultz Reviewed-by: Bjorn Andersson Link: https://lore.kernel.org/r/20200811025044.70626-1-john.stultz@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c92e690c5e23a48561c269c23d5c17ac6b5fec3d Author: Rob Clark Date: Tue Aug 11 14:09:35 2020 -0700 drm/msm/dpu: fix unitialized variable error [ Upstream commit 35c719da95c0d28560bff7bafeaf07ebb212665e ] drivers/gpu/drm/msm/disp/dpu1/dpu_crtc.c:817 dpu_crtc_enable() error: uninitialized symbol 'request_bandwidth'. Reported-by: kernel test robot Signed-off-by: Rob Clark Reviewed-by: Sean Paul Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit d33d9115be043e0eb3a5807e5504d25f61edbf47 Author: Kalyan Thota Date: Thu Jul 30 19:08:56 2020 +0530 drm/msm/dpu: Fix scale params in plane validation [ Upstream commit 4c978caf08aa155bdeadd9e2d4b026d4ce97ebd0 ] Plane validation uses an API drm_calc_scale which will return src/dst value as a scale ratio. when viewing the range on a scale the values should fall in as Upscale ratio < Unity scale < Downscale ratio for src/dst formula Fix the min and max scale ratios to suit the API accordingly. Signed-off-by: Kalyan Thota Tested-by: Kristian H. Kristensen Reviewed-by: Kristian H. Kristensen Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 6ea918a6197d8dc96fdb6d1cf499b0675bf4b645 Author: Kalyan Thota Date: Mon Aug 10 18:19:18 2020 +0530 drm/msm/dpu: Fix reservation failures in modeset [ Upstream commit ccc862b957c6413b008fbe458034372847992d7f ] In TEST_ONLY commit, rm global_state will duplicate the object and request for new reservations, once they pass then the new state will be swapped with the old and will be available for the Atomic Commit. This patch fixes some of missing links in the resource reservation sequence mentioned above. 1) Creation of duplicate state in test_only commit (Rob) 2) Allocate and release the resources on every modeset. 3) Avoid allocation only when active is false. In a modeset operation, swap state happens well before disable. Hence clearing reservations in disable will cause failures in modeset enable. Allow reservations to be cleared/allocated before swap, such that only newly committed resources are pushed to HW. Changes in v1: - Move the rm release to atomic_check. - Ensure resource allocation and free happens when active is not changed i.e only when mode is changed.(Rob) Changes in v2: - Handle dpu_kms_get_global_state API failure as it may return EDEADLK (swboyd). Signed-off-by: Kalyan Thota Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 8ca621939d7668a71ece480f417bcf3c8d7b93d0 Author: Sebastian Parschauer Date: Mon Aug 17 10:36:28 2020 +0200 HID: quirks: Always poll three more Lenovo PixArt mice [ Upstream commit 627a49975bdc3220f360a8237603a6344ee6a588 ] The PixArt OEM mice are known for disconnecting every minute in runlevel 1 or 3 if they are not always polled. One Lenovo PixArt mouse is already fixed. Got two references for 17ef:602e and three references for 17ef:6019 misbehaving like this. Got one direct bug report for 17ef:6093 from Wyatt Ward (wyatt8740). So add HID_QUIRK_ALWAYS_POLL for all of them. Link: https://github.com/sriemer/fix-linux-mouse issue 22 Signed-off-by: Sebastian Parschauer Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 7cd0d11c64089a0ea0caeb63f7e094ca435a9911 Author: Grant Peltier Date: Mon Aug 10 13:36:27 2020 -0500 hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_1 telemetry for RAA228228 [ Upstream commit 51fb91ed5a6fa855a74731610cd5435d83d6e17f ] Per the RAA228228 datasheet, READ_TEMPERATURE_1 is not a supported PMBus command. Signed-off-by: Grant Peltier Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin