commit 3d77e6a8804abcc0504c904bd6e5cdf3a5cf8162 Author: Linus Torvalds Date: Sun May 31 16:49:15 2020 -0700 Linux 5.7 commit bdc48fa11e46f867ea4d75fa59ee87a7f48be144 Author: Joe Perches Date: Fri May 29 16:12:21 2020 -0700 checkpatch/coding-style: deprecate 80-column warning Yes, staying withing 80 columns is certainly still _preferred_. But it's not the hard limit that the checkpatch warnings imply, and other concerns can most certainly dominate. Increase the default limit to 100 characters. Not because 100 characters is some hard limit either, but that's certainly a "what are you doing" kind of value and less likely to be about the occasional slightly longer lines. Miscellanea: - to avoid unnecessary whitespace changes in files, checkpatch will no longer emit a warning about line length when scanning files unless --strict is also used - Add a bit to coding-style about alignment to open parenthesis Signed-off-by: Joe Perches Signed-off-by: Linus Torvalds commit 8fc984aedcedbbabae91d8496bd0b608c0749a98 Merge: 3d0428232909 aa61b7bb00f7 Author: Linus Torvalds Date: Sun May 31 10:45:11 2020 -0700 Merge tag 'x86-urgent-2020-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "A pile of x86 fixes: - Prevent a memory leak in ioperm which was caused by the stupid assumption that the exit cleanup is always called for current, which is not the case when fork fails after taking a reference on the ioperm bitmap. - Fix an arithmething overflow in the DMA code on 32bit systems - Fill gaps in the xstate copy with defaults instead of leaving them uninitialized - Revert: "Make __X32_SYSCALL_BIT be unsigned long" as it turned out that existing user space fails to build" * tag 'x86-urgent-2020-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/ioperm: Prevent a memory leak when fork fails x86/dma: Fix max PFN arithmetic overflow on 32 bit systems copy_xstate_to_kernel(): don't leave parts of destination uninitialized x86/syscalls: Revert "x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long" commit 3d0428232909d9aa9248c3724f04a333f6f53bb3 Merge: 19835b1ba6b1 18f855e574d9 Author: Linus Torvalds Date: Sun May 31 10:43:17 2020 -0700 Merge tag 'sched-urgent-2020-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fix from Thomas Gleixner: "A single scheduler fix preventing a crash in NUMA balancing. The current->mm check is not reliable as the mm might be temporary due to use_mm() in a kthread. Check for PF_KTHREAD explictly" * tag 'sched-urgent-2020-05-31' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Don't NUMA balance for kthreads commit 19835b1ba6b1f2d3fb5aefffa01ebd626513ff4a Merge: ffeb595d8481 d9a81a225277 Author: Linus Torvalds Date: Sun May 31 10:16:53 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: "Another week, another set of bug fixes: 1) Fix pskb_pull length in __xfrm_transport_prep(), from Xin Long. 2) Fix double xfrm_state put in esp{4,6}_gro_receive(), also from Xin Long. 3) Re-arm discovery timer properly in mac80211 mesh code, from Linus Lüssing. 4) Prevent buffer overflows in nf_conntrack_pptp debug code, from Pablo Neira Ayuso. 5) Fix race in ktls code between tls_sw_recvmsg() and tls_decrypt_done(), from Vinay Kumar Yadav. 6) Fix crashes on TCP fallback in MPTCP code, from Paolo Abeni. 7) More validation is necessary of untrusted GSO packets coming from virtualization devices, from Willem de Bruijn. 8) Fix endianness of bnxt_en firmware message length accesses, from Edwin Peer. 9) Fix infinite loop in sch_fq_pie, from Davide Caratti. 10) Fix lockdep splat in DSA by setting lockless TX in netdev features for slave ports, from Vladimir Oltean. 11) Fix suspend/resume crashes in mlx5, from Mark Bloch. 12) Fix use after free in bpf fmod_ret, from Alexei Starovoitov. 13) ARP retransmit timer guard uses wrong offset, from Hongbin Liu. 14) Fix leak in inetdev_init(), from Yang Yingliang. 15) Don't try to use inet hash and unhash in l2tp code, results in crashes. From Eric Dumazet" * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (77 commits) l2tp: add sk_family checks to l2tp_validate_socket l2tp: do not use inet_hash()/inet_unhash() net: qrtr: Allocate workqueue before kernel_bind mptcp: remove msk from the token container at destruction time. mptcp: fix race between MP_JOIN and close mptcp: fix unblocking connect() net/sched: act_ct: add nat mangle action only for NAT-conntrack devinet: fix memleak in inetdev_init() virtio_vsock: Fix race condition in virtio_transport_recv_pkt drivers/net/ibmvnic: Update VNIC protocol version reporting NFC: st21nfca: add missed kfree_skb() in an error path neigh: fix ARP retransmit timer guard bpf, selftests: Add a verifier test for assigning 32bit reg states to 64bit ones bpf, selftests: Verifier bounds tests need to be updated bpf: Fix a verifier issue when assigning 32bit reg states to 64bit ones bpf: Fix use-after-free in fmod_ret check net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta() net/mlx5e: Fix MLX5_TC_CT dependencies net/mlx5e: Properly set default values when disabling adaptive moderation net/mlx5e: Fix arch depending casting issue in FEC ... commit d9a81a225277686eb629938986d97629ea102633 Author: Eric Dumazet Date: Fri May 29 11:32:25 2020 -0700 l2tp: add sk_family checks to l2tp_validate_socket syzbot was able to trigger a crash after using an ISDN socket and fool l2tp. Fix this by making sure the UDP socket is of the proper family. BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78 Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018 CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382 __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511 kasan_report+0x33/0x50 mm/kasan/common.c:625 setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78 l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523 l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249 genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline] genl_family_rcv_msg net/netlink/genetlink.c:718 [inline] genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 genl_rcv+0x24/0x40 net/netlink/genetlink.c:746 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352 ___sys_sendmsg+0x100/0x170 net/socket.c:2406 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4 Allocated by task 3018: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x161/0x7a0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612 sk_alloc+0x36/0x1100 net/core/sock.c:1666 data_sock_create drivers/isdn/mISDN/socket.c:600 [inline] mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796 __sock_create+0x3cb/0x730 net/socket.c:1428 sock_create net/socket.c:1479 [inline] __sys_socket+0xef/0x200 net/socket.c:1521 __do_sys_socket net/socket.c:1530 [inline] __se_sys_socket net/socket.c:1528 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1528 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 2484: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kfree+0x109/0x2b0 mm/slab.c:3757 kvfree+0x42/0x50 mm/util.c:603 __free_fdtable+0x2d/0x70 fs/file.c:31 put_files_struct fs/file.c:420 [inline] put_files_struct+0x248/0x2e0 fs/file.c:413 exit_files+0x7e/0xa0 fs/file.c:445 do_exit+0xb04/0x2dd0 kernel/exit.c:791 do_group_exit+0x125/0x340 kernel/exit.c:894 get_signal+0x47b/0x24e0 kernel/signal.c:2739 do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784 exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff88808ed0c000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1424 bytes inside of 2048-byte region [ffff88808ed0c000, ffff88808ed0c800) The buggy address belongs to the page: page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00 raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation") Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Eric Dumazet Cc: James Chapman Cc: Guillaume Nault Reported-by: syzbot Acked-by: Guillaume Nault Signed-off-by: David S. Miller commit 02c71b144c811bcdd865e0a1226d0407d11357e8 Author: Eric Dumazet Date: Fri May 29 11:20:53 2020 -0700 l2tp: do not use inet_hash()/inet_unhash() syzbot recently found a way to crash the kernel [1] Issue here is that inet_hash() & inet_unhash() are currently only meant to be used by TCP & DCCP, since only these protocols provide the needed hashinfo pointer. L2TP uses a single list (instead of a hash table) This old bug became an issue after commit 610236587600 ("bpf: Add new cgroup attach type to enable sock modifications") since after this commit, sk_common_release() can be called while the L2TP socket is still considered 'hashed'. general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600 Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00 RSP: 0018:ffffc90001777d30 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242 RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008 RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1 R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0 R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00 FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: sk_common_release+0xba/0x370 net/core/sock.c:3210 inet_create net/ipv4/af_inet.c:390 [inline] inet_create+0x966/0xe00 net/ipv4/af_inet.c:248 __sock_create+0x3cb/0x730 net/socket.c:1428 sock_create net/socket.c:1479 [inline] __sys_socket+0xef/0x200 net/socket.c:1521 __do_sys_socket net/socket.c:1530 [inline] __se_sys_socket net/socket.c:1528 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1528 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x441e29 Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29 RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000 Modules linked in: ---[ end trace 23b6578228ce553e ]--- RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600 Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00 RSP: 0018:ffffc90001777d30 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242 RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008 RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1 R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0 R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00 FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support") Signed-off-by: Eric Dumazet Cc: James Chapman Cc: Andrii Nakryiko Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com commit c6e08d6251f342090a9b9abccbf26b19bcb54d17 Author: Chris Lew Date: Thu May 28 16:05:26 2020 -0700 net: qrtr: Allocate workqueue before kernel_bind A null pointer dereference in qrtr_ns_data_ready() is seen if a client opens a qrtr socket before qrtr_ns_init() can bind to the control port. When the control port is bound, the ENETRESET error will be broadcasted and clients will close their sockets. This results in DEL_CLIENT packets being sent to the ns and qrtr_ns_data_ready() being called without the workqueue being allocated. Allocate the workqueue before setting sk_data_ready and binding to the control port. This ensures that the work and workqueue structs are allocated and initialized before qrtr_ns_data_ready can be called. Fixes: 0c2204a4ad71 ("net: qrtr: Migrate nameservice to kernel from userspace") Signed-off-by: Chris Lew Reviewed-by: Bjorn Andersson Reviewed-by: Manivannan Sadhasivam Signed-off-by: David S. Miller commit e237659cfef05383b48bc265769f3fa109d6a7c9 Merge: 05aa69e5cba6 c5c79763fac1 Author: David S. Miller Date: Sat May 30 21:39:13 2020 -0700 Merge branch 'mptcp-a-bunch-of-fixes' Paolo Abeni says: ==================== mptcp: a bunch of fixes This patch series pulls together a few bugfixes for MPTCP bug observed while doing stress-test with apache bench - forced to use MPTCP and multiple subflows. ==================== Signed-off-by: David S. Miller commit c5c79763fac115fe827ed6a18ed94fff2432f678 Author: Paolo Abeni Date: Fri May 29 17:43:31 2020 +0200 mptcp: remove msk from the token container at destruction time. Currently we remote the msk from the token container only via mptcp_close(). The MPTCP master socket can be destroyed also via other paths (e.g. if not yet accepted, when shutting down the listener socket). When we hit the latter scenario, dangling msk references are left into the token container, leading to memory corruption and/or UaF. This change addresses the issue by moving the token removal into the msk destructor. Fixes: 79c0949e9a09 ("mptcp: Add key generation and token tree") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit 10f6d46c943d1ccd1d730d2e915226cbdeaad2d5 Author: Paolo Abeni Date: Fri May 29 17:43:30 2020 +0200 mptcp: fix race between MP_JOIN and close If a MP_JOIN subflow completes the 3whs while another CPU is closing the master msk, we can hit the following race: CPU1 CPU2 close() mptcp_close subflow_syn_recv_sock mptcp_token_get_sock mptcp_finish_join inet_sk_state_load mptcp_token_destroy inet_sk_state_store(TCP_CLOSE) __mptcp_flush_join_list() mptcp_sock_graft list_add_tail sk_common_release sock_orphan() The MP_JOIN socket will be leaked. Additionally we can hit UaF for the msk 'struct socket' referenced via the 'conn' field. This change try to address the issue introducing some synchronization between the MP_JOIN 3whs and mptcp_close via the join_list spinlock. If we detect the msk is closing the MP_JOIN socket is closed, too. Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit 41be81a8d3d09acb9033799938306349328861f9 Author: Paolo Abeni Date: Fri May 29 17:43:29 2020 +0200 mptcp: fix unblocking connect() Currently unblocking connect() on MPTCP sockets fails frequently. If mptcp_stream_connect() is invoked to complete a previously attempted unblocking connection, it will still try to create the first subflow via __mptcp_socket_create(). If the 3whs is completed and the 'can_ack' flag is already set, the latter will fail with -EINVAL. This change addresses the issue checking for pending connect and delegating the completion to the first subflow. Additionally do msk addresses and sk_state changes only when needed. Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit 05aa69e5cba61d8900970a364825f854401694ec Author: wenxu Date: Sat May 30 13:54:51 2020 +0800 net/sched: act_ct: add nat mangle action only for NAT-conntrack Currently add nat mangle action with comparing invert and orig tuple. It is better to check IPS_NAT_MASK flags first to avoid non necessary memcmp for non-NAT conntrack. Signed-off-by: wenxu Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit 1b49cd71b52403822731dc9f283185d1da355f97 Author: Yang Yingliang Date: Sat May 30 11:34:33 2020 +0800 devinet: fix memleak in inetdev_init() When devinet_sysctl_register() failed, the memory allocated in neigh_parms_alloc() should be freed. Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default") Signed-off-by: Yang Yingliang Acked-by: Cong Wang Signed-off-by: David S. Miller commit 8692cefc433f282228fd44938dd4d26ed38254a2 Author: Jia He Date: Sat May 30 09:38:28 2020 +0800 virtio_vsock: Fix race condition in virtio_transport_recv_pkt When client on the host tries to connect(SOCK_STREAM, O_NONBLOCK) to the server on the guest, there will be a panic on a ThunderX2 (armv8a server): [ 463.718844] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 463.718848] Mem abort info: [ 463.718849] ESR = 0x96000044 [ 463.718852] EC = 0x25: DABT (current EL), IL = 32 bits [ 463.718853] SET = 0, FnV = 0 [ 463.718854] EA = 0, S1PTW = 0 [ 463.718855] Data abort info: [ 463.718856] ISV = 0, ISS = 0x00000044 [ 463.718857] CM = 0, WnR = 1 [ 463.718859] user pgtable: 4k pages, 48-bit VAs, pgdp=0000008f6f6e9000 [ 463.718861] [0000000000000000] pgd=0000000000000000 [ 463.718866] Internal error: Oops: 96000044 [#1] SMP [...] [ 463.718977] CPU: 213 PID: 5040 Comm: vhost-5032 Tainted: G O 5.7.0-rc7+ #139 [ 463.718980] Hardware name: GIGABYTE R281-T91-00/MT91-FS1-00, BIOS F06 09/25/2018 [ 463.718982] pstate: 60400009 (nZCv daif +PAN -UAO) [ 463.718995] pc : virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common] [ 463.718999] lr : virtio_transport_recv_pkt+0x1fc/0xd40 [vmw_vsock_virtio_transport_common] [ 463.719000] sp : ffff80002dbe3c40 [...] [ 463.719025] Call trace: [ 463.719030] virtio_transport_recv_pkt+0x4c8/0xd40 [vmw_vsock_virtio_transport_common] [ 463.719034] vhost_vsock_handle_tx_kick+0x360/0x408 [vhost_vsock] [ 463.719041] vhost_worker+0x100/0x1a0 [vhost] [ 463.719048] kthread+0x128/0x130 [ 463.719052] ret_from_fork+0x10/0x18 The race condition is as follows: Task1 Task2 ===== ===== __sock_release virtio_transport_recv_pkt __vsock_release vsock_find_bound_socket (found sk) lock_sock_nested vsock_remove_sock sock_orphan sk_set_socket(sk, NULL) sk->sk_shutdown = SHUTDOWN_MASK ... release_sock lock_sock virtio_transport_recv_connecting sk->sk_socket->state (panic!) The root cause is that vsock_find_bound_socket can't hold the lock_sock, so there is a small race window between vsock_find_bound_socket() and lock_sock(). If __vsock_release() is running in another task, sk->sk_socket will be set to NULL inadvertently. This fixes it by checking sk->sk_shutdown(suggested by Stefano) after lock_sock since sk->sk_shutdown is set to SHUTDOWN_MASK under the protection of lock_sock_nested. Signed-off-by: Jia He Reviewed-by: Stefano Garzarella Signed-off-by: David S. Miller commit ffeb595d84811dde16a28b33d8a7cf26d51d51b3 Merge: 900db1504704 2f26ed1764b4 Author: Linus Torvalds Date: Sat May 30 12:28:44 2020 -0700 Merge tag 'powerpc-5.7-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - a fix for the recent change to how we restore non-volatile GPRs, which broke our emulation of reading from the DSCR (Data Stream Control Register). - a fix for the recent rewrite of interrupt/syscall exit in C, we need to exclude KCOV from that code, otherwise it can lead to unrecoverable faults. Thanks to Daniel Axtens. * tag 'powerpc-5.7-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s: Disable sanitisers for C syscall/interrupt entry/exit code powerpc/64s: Fix restore of NV GPRs after facility unavailable exception commit 900db15047044ef50b32e23630880f4780ec5b9e Merge: 86852175b016 e9bdf7e655b9 Author: Linus Torvalds Date: Sat May 30 12:26:21 2020 -0700 Merge tag 'gpio-v5.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Here are some (very) late fixes for GPIO, none of them very serious except the one tagged for stable for enabling IRQ on open drain lines: - Fix probing of mvebu chips without PWM - Fix error path on ida_get_simple() on the exar driver - Notify userspace properly about line status changes when flags are changed on lines. - Fix a sleeping while holding spinlock in the mellanox driver. - Fix return value of the PXA and Kona probe calls. - Fix IRQ locking of open drain lines, it is fine to have IRQs on open drain lines flagged for output" * tag 'gpio-v5.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: fix locking open drain IRQ lines gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe() gpio: pxa: Fix return value of pxa_gpio_probe() gpio: mlxbf2: Fix sleeping while holding spinlock gpiolib: notify user-space about line status changes after flags are set gpio: exar: Fix bad handling for ida_simple_get error path gpio: mvebu: Fix probing for chips without PWM commit 784688993ebac34dffe44a9f2fabbe126ebfd4db Author: Thomas Falcon Date: Thu May 28 11:19:17 2020 -0500 drivers/net/ibmvnic: Update VNIC protocol version reporting VNIC protocol version is reported in big-endian format, but it is not byteswapped before logging. Fix that, and remove version comparison as only one protocol version exists at this time. Signed-off-by: Thomas Falcon Signed-off-by: David S. Miller commit 3decabdc714ca56c944f4669b4cdec5c2c1cea23 Author: Chuhong Yuan Date: Thu May 28 18:20:37 2020 +0800 NFC: st21nfca: add missed kfree_skb() in an error path st21nfca_tm_send_atr_res() misses to call kfree_skb() in an error path. Add the missed function call to fix it. Fixes: 1892bf844ea0 ("NFC: st21nfca: Adding P2P support to st21nfca in Initiator & Target mode") Signed-off-by: Chuhong Yuan Signed-off-by: David S. Miller commit 96d10d5b192e7f064457fd957e6a3ce8c2dce4b4 Author: Hangbin Liu Date: Thu May 28 15:15:13 2020 +0800 neigh: fix ARP retransmit timer guard In commit 19e16d220f0a ("neigh: support smaller retrans_time settting") we add more accurate control for ARP and NS. But for ARP I forgot to update the latest guard in neigh_timer_handler(), then the next retransmit would be reset to jiffies + HZ/2 if we set the retrans_time less than 500ms. Fix it by setting the time_before() check to HZ/100. IPv6 does not have this issue. Reported-by: Jianwen Ji Fixes: 19e16d220f0a ("neigh: support smaller retrans_time settting") Signed-off-by: Hangbin Liu Signed-off-by: David S. Miller commit f2b122d3d6ff2f2bef0f23e6cb2b56384da7f92a Merge: f9e0ce3ddc48 a683012a8e77 Author: David S. Miller Date: Fri May 29 16:31:22 2020 -0700 Merge tag 'mlx5-fixes-2020-05-28' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2020-05-28 This series introduces some fixes to mlx5 driver. v1->v2: - Fix bad sha1, Jakub. - Added one more patch by Pablo. net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta() Nothing major, the only patch worth mentioning is the suspend/resume crash fix by adding the missing pci device handlers, the fix is very straight forward and as Dexuan already expressed, the patch is important for Azure users to avoid crash on VM hibernation, patch is marked for -stable v4.6 below. Conflict note: ('net/mlx5e: Fix MLX5_TC_CT dependencies') has a trivial one line conflict with current net-next, which can be resolved by simply using the line from net-next. Please pull and let me know if there is any problem. For -stable v4.6 ('net/mlx5: Fix crash upon suspend/resume') For -stable v5.6 ('net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta()') ==================== Signed-off-by: David S. Miller commit 86852175b016f0c6873dcbc24b93d12b7b246612 Merge: e2fce151d2b4 99706d62fb50 Author: Linus Torvalds Date: Fri May 29 16:10:07 2020 -0700 Merge tag 'armsoc-fixes-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC fixes from Arnd Bergmann: "This time there is one fix for the error path in the mediatek cmdq driver (used by their video driver) and a couple of devicetree fixes, mostly for 32-bit ARM, and fairly harmless: - On OMAP2 there were a few regressions in the ethernet drivers, one of them leading to an external abort trap - One Raspberry Pi version had a misconfigured LED - Interrupts on Broadcom NSP were slightly misconfigured - One i.MX6q board had issues with graphics mode setting - On mmp3 there are some minor fixes that were submitted for v5.8 with a cc:stable tag, so I ended up picking them up here as well - The Mediatek Video Codec needs to run at a higher frequency than configured originally" * tag 'armsoc-fixes-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: ARM: dts: mmp3: Drop usb-nop-xceiv from HSIC phy ARM: dts: mmp3-dell-ariel: Fix the SPI devices ARM: dts: mmp3: Use the MMP3 compatible string for /clocks ARM: dts: bcm: HR2: Fix PPI interrupt types ARM: dts: bcm2835-rpi-zero-w: Fix led polarity ARM: dts/imx6q-bx50v3: Set display interface clock parents soc: mediatek: cmdq: return send msg error code arm64: dts: mt8173: fix vcodec-enc clock ARM: dts: Fix wrong mdio clock for dm814x ARM: dts: am437x: fix networking on boards with ksz9031 phy ARM: dts: am57xx: fix networking on boards with ksz9031 phy commit f9e0ce3ddc48d51d5d16a4722b6406e5094375f6 Merge: 942110fdf2f1 cf66c29bd753 Author: David S. Miller Date: Fri May 29 15:59:08 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Alexei Starovoitov says: ==================== pull-request: bpf 2020-05-29 The following pull-request contains BPF updates for your *net* tree. We've added 6 non-merge commits during the last 7 day(s) which contain a total of 4 files changed, 55 insertions(+), 34 deletions(-). The main changes are: 1) minor verifier fix for fmod_ret progs, from Alexei. 2) af_xdp overflow check, from Bjorn. 3) minor verifier fix for 32bit assignment, from John. 4) powerpc has non-overlapping addr space, from Petr. ==================== Signed-off-by: David S. Miller commit e2fce151d2b4bd9722b3344ae381c768d249761f Merge: 835e36b1197a fb33c114d3ed Author: Linus Torvalds Date: Fri May 29 13:59:54 2020 -0700 Merge tag 'ceph-for-5.7-rc8' of git://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "Cache tiering and cap handling fixups, both marked for stable" * tag 'ceph-for-5.7-rc8' of git://github.com/ceph/ceph-client: ceph: flush release queue when handling caps for unknown inode libceph: ignore pool overlay and cache logic on redirects commit 835e36b1197a4f066d0254c897f2c8b455cbb581 Merge: 4f23460cfa86 20be493b787c Author: Linus Torvalds Date: Fri May 29 13:58:13 2020 -0700 Merge tag 'gfs2-v5.7-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fix from Andreas Gruenbacher: "Fix the previous, flawed gfs2_find_jhead commit" * tag 'gfs2-v5.7-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: gfs2: Even more gfs2_find_jhead fixes commit 4f23460cfa867aa560119e18a73616e784d3cd66 Merge: ef4531be685f ba051f097fc3 Author: Linus Torvalds Date: Fri May 29 13:51:52 2020 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Ensure __cpu_up() returns an error if cpu_online() is false after waiting for completion on cpu_running" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64/kernel: Fix return value when cpu_online() fails in __cpu_up() commit ef4531be685f238594877a8e28e65544d5a022d7 Merge: b58f2140ea86 bf71bc16e021 Author: Linus Torvalds Date: Fri May 29 13:50:31 2020 -0700 Merge branch 'parisc-5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux Pull parisc fix from Helge Deller: "Fix a kernel panic at boot time for some HP-PARISC machines" * 'parisc-5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux: parisc: Fix kernel panic in mem_init() commit b58f2140ea8605ee6ea0530d9c0cb5d049f9c7ca Merge: 75574f1212a7 7cc31613734c Author: Linus Torvalds Date: Fri May 29 13:41:33 2020 -0700 Merge tag 'iommu-fixes-v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: - Two build fixes for issues introduced during the merge window - A fix for a reference count leak in an error path of iommu_group_alloc() * tag 'iommu-fixes-v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu: Fix reference count leak in iommu_group_alloc. x86: Hide the archdata.iommu field behind generic IOMMU_API ia64: Hide the archdata.iommu field behind generic IOMMU_API commit 75574f1212a7b4833367ad56626c30e64a94aa18 Merge: 6ff64d2537f5 b0beb28097fa Author: Linus Torvalds Date: Fri May 29 13:39:26 2020 -0700 Merge tag 'block-5.7-2020-05-29' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Two small fixes: - Revert a block change that mixed up the return values for non-mq devices - NVMe poll race fix" * tag 'block-5.7-2020-05-29' of git://git.kernel.dk/linux-block: Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and REQ_NOWAIT" nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() commit 6ff64d2537f5b445177c30a2fc7779a6f2107ed5 Merge: 411ea6790e73 1acba6a81785 Author: Linus Torvalds Date: Fri May 29 13:35:45 2020 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "Nothing profound here, just a last set of long standing bug fixes: - Incorrect error unwind in qib and pvrdma - User triggerable NULL pointer crash in mlx5 with ODP prefetch - syzkaller RCU race in uverbs - Rare double free crash in ipoib" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode RDMA/core: Fix double destruction of uobject RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() RDMA/mlx5: Fix NULL pointer dereference in destroy_prefetch_work IB/qib: Call kobject_put() when kobject_init_and_add() fails commit cf66c29bd7534813d2e1971fab71e25fe87c7e0a Author: John Fastabend Date: Fri May 29 10:29:18 2020 -0700 bpf, selftests: Add a verifier test for assigning 32bit reg states to 64bit ones Added a verifier test for assigning 32bit reg states to 64bit where 32bit reg holds a constant value of 0. Without previous kernel verifier.c fix, the test in this patch will fail. Signed-off-by: Yonghong Song Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/159077335867.6014.2075350327073125374.stgit@john-Precision-5820-Tower commit e3effcdfe02eb20f23d4f1833c75658ddc49e65a Author: John Fastabend Date: Fri May 29 10:28:59 2020 -0700 bpf, selftests: Verifier bounds tests need to be updated After previous fix for zero extension test_verifier tests #65 and #66 now fail. Before the fix we can see the alu32 mov op at insn 10 10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=4294967168,smax_value=4294967423, umin_value=4294967168,umax_value=4294967423, var_off=(0x0; 0x1ffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 10: (bc) w1 = w1 11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=0,smax_value=2147483647, umin_value=0,umax_value=4294967295, var_off=(0x0; 0xffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm After the fix at insn 10 because we have 's32_min_value < 0' the following step 11 now has 'smax_value=U32_MAX' where before we pulled the s32_max_value bound into the smax_value as seen above in 11 with smax_value=2147483647. 10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=4294967168,smax_value=4294967423, umin_value=4294967168,umax_value=4294967423, var_off=(0x0; 0x1ffffffff), s32_min_value=-2147483648, s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 10: (bc) w1 = w1 11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=0,smax_value=4294967295, umin_value=0,umax_value=4294967295, var_off=(0x0; 0xffffffff), s32_min_value=-2147483648, s32_max_value=2147483647, u32_min_value=0, u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm The fall out of this is by the time we get to the failing instruction at step 14 where previously we had the following: 14: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=72057594021150720,smax_value=72057594029539328, umin_value=72057594021150720,umax_value=72057594029539328, var_off=(0xffffffff000000; 0xffffff), s32_min_value=-16777216,s32_max_value=-1, u32_min_value=-16777216,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 14: (0f) r0 += r1 We now have, 14: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv(id=0, smin_value=0,smax_value=72057594037927935, umin_value=0,umax_value=72057594037927935, var_off=(0x0; 0xffffffffffffff), s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm 14: (0f) r0 += r1 In the original step 14 'smin_value=72057594021150720' this trips the logic in the verifier function check_reg_sane_offset(), if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { verbose(env, "value %lld makes %s pointer be out of bounds\n", smin, reg_type_str[type]); return false; } Specifically, the 'smin <= -BPF_MAX_VAR_OFF' check. But with the fix at step 14 we have bounds 'smin_value=0' so the above check is not tripped because BPF_MAX_VAR_OFF=1<<29. We have a smin_value=0 here because at step 10 the smaller smin_value=0 means the subtractions at steps 11 and 12 bring the smin_value negative. 11: (17) r1 -= 2147483584 12: (17) r1 -= 2147483584 13: (77) r1 >>= 8 Then the shift clears the top bit and smin_value is set to 0. Note we still have the smax_value in the fixed code so any reads will fail. An alternative would be to have reg_sane_check() do both smin and smax value tests. To fix the test we can omit the 'r1 >>=8' at line 13. This will change the err string, but keeps the intention of the test as suggseted by the title, "check after truncation of boundary-crossing range". If the verifier logic changes a different value is likely to be thrown in the error or the error will no longer be thrown forcing this test to be examined. With this change we see the new state at step 13. 13: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP(id=0, smin_value=-4294967168,smax_value=127, umin_value=0,umax_value=18446744073709551615, s32_min_value=-2147483648,s32_max_value=2147483647, u32_min_value=0,u32_max_value=-1) R10=fp0 fp-8_w=mmmmmmmm Giving the expected out of bounds error, "value -4294967168 makes map_value pointer be out of bounds" However, for unpriv case we see a different error now because of the mixed signed bounds pointer arithmatic. This seems OK so I've only added the unpriv_errstr for this. Another optino may have been to do addition on r1 instead of subtraction but I favor the approach above slightly. Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/159077333942.6014.14004320043595756079.stgit@john-Precision-5820-Tower commit 3a71dc366d4aa51a22f385445f2862231d3fda3b Author: John Fastabend Date: Fri May 29 10:28:40 2020 -0700 bpf: Fix a verifier issue when assigning 32bit reg states to 64bit ones With the latest trunk llvm (llvm 11), I hit a verifier issue for test_prog subtest test_verif_scale1. The following simplified example illustrate the issue: w9 = 0 /* R9_w=inv0 */ r8 = *(u32 *)(r1 + 80) /* __sk_buff->data_end */ r7 = *(u32 *)(r1 + 76) /* __sk_buff->data */ ...... w2 = w9 /* R2_w=inv0 */ r6 = r7 /* R6_w=pkt(id=0,off=0,r=0,imm=0) */ r6 += r2 /* R6_w=inv(id=0) */ r3 = r6 /* R3_w=inv(id=0) */ r3 += 14 /* R3_w=inv(id=0) */ if r3 > r8 goto end r5 = *(u32 *)(r6 + 0) /* R6_w=inv(id=0) */ <== error here: R6 invalid mem access 'inv' ... end: In real test_verif_scale1 code, "w9 = 0" and "w2 = w9" are in different basic blocks. In the above, after "r6 += r2", r6 becomes a scalar, which eventually caused the memory access error. The correct register state should be a pkt pointer. The inprecise register state starts at "w2 = w9". The 32bit register w9 is 0, in __reg_assign_32_into_64(), the 64bit reg->smax_value is assigned to be U32_MAX. The 64bit reg->smin_value is 0 and the 64bit register itself remains constant based on reg->var_off. In adjust_ptr_min_max_vals(), the verifier checks for a known constant, smin_val must be equal to smax_val. Since they are not equal, the verifier decides r6 is a unknown scalar, which caused later failure. The llvm10 does not have this issue as it generates different code: w9 = 0 /* R9_w=inv0 */ r8 = *(u32 *)(r1 + 80) /* __sk_buff->data_end */ r7 = *(u32 *)(r1 + 76) /* __sk_buff->data */ ...... r6 = r7 /* R6_w=pkt(id=0,off=0,r=0,imm=0) */ r6 += r9 /* R6_w=pkt(id=0,off=0,r=0,imm=0) */ r3 = r6 /* R3_w=pkt(id=0,off=0,r=0,imm=0) */ r3 += 14 /* R3_w=pkt(id=0,off=14,r=0,imm=0) */ if r3 > r8 goto end ... To fix the above issue, we can include zero in the test condition for assigning the s32_max_value and s32_min_value to their 64-bit equivalents smax_value and smin_value. Further, fix the condition to avoid doing zero extension bounds checks when s32_min_value <= 0. This could allow for the case where bounds 32-bit bounds (-1,1) get incorrectly translated to (0,1) 64-bit bounds. When in-fact the -1 min value needs to force U32_MAX bound. Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") Signed-off-by: John Fastabend Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/159077331983.6014.5758956193749002737.stgit@john-Precision-5820-Tower commit 411ea6790e736da763d02da7e704107ce9365451 Merge: d54b64ef0df9 202500d21654 Author: Linus Torvalds Date: Fri May 29 13:34:01 2020 -0700 Merge tag 'mmc-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "MMC core: - Fix use-after-free issue for rpmb partition MMC host: - Fix quirk for broken CQE support" * tag 'mmc-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: block: Fix use-after-free issue for rpmb mmc: sdhci: Fix SDHCI_QUIRK_BROKEN_CQE commit d54b64ef0df92101286cff739f95dd89e52ec09d Merge: 170ee4d74781 630e36126e42 Author: Linus Torvalds Date: Fri May 29 13:31:01 2020 -0700 Merge tag 'sound-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Only a few last-minute small fixes: the change in ALSA core hwdep is about the undefined behavior of bit shift, which is almost harmless but still worth to pick up quickly. The rest are all device-specific fixes for HD-audio and USB-audio, and safe to apply at the late stage" * tag 'sound-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek - Add new codec supported for ALC287 ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround ALSA: hwdep: fix a left shifting 1 by 31 UB bug commit 170ee4d74781ed3d7b0f489c0b1c4debc33a2c1d Merge: 86e43b8bf0e6 a76f274182f0 Author: Linus Torvalds Date: Fri May 29 13:29:20 2020 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Two fixes for the new SM8150 and SM8250 Qualcomm clk drivers to fix a randconfig build error and an incorrect parent mapping" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: qcom: gcc: Fix parent for gpll0_out_even clk: qcom: sm8250 gcc depends on QCOM_GDSC commit 18644cec714aabbab173729192c7594ee57a406b Author: Alexei Starovoitov Date: Thu May 28 21:38:36 2020 -0700 bpf: Fix use-after-free in fmod_ret check Fix the following issue: [ 436.749342] BUG: KASAN: use-after-free in bpf_trampoline_put+0x39/0x2a0 [ 436.749995] Write of size 4 at addr ffff8881ef38b8a0 by task kworker/3:5/2243 [ 436.750712] [ 436.752677] Workqueue: events bpf_prog_free_deferred [ 436.753183] Call Trace: [ 436.756483] bpf_trampoline_put+0x39/0x2a0 [ 436.756904] bpf_prog_free_deferred+0x16d/0x3d0 [ 436.757377] process_one_work+0x94a/0x15b0 [ 436.761969] [ 436.762130] Allocated by task 2529: [ 436.763323] bpf_trampoline_lookup+0x136/0x540 [ 436.763776] bpf_check+0x2872/0xa0a8 [ 436.764144] bpf_prog_load+0xb6f/0x1350 [ 436.764539] __do_sys_bpf+0x16d7/0x3720 [ 436.765825] [ 436.765988] Freed by task 2529: [ 436.767084] kfree+0xc6/0x280 [ 436.767397] bpf_trampoline_put+0x1fd/0x2a0 [ 436.767826] bpf_check+0x6832/0xa0a8 [ 436.768197] bpf_prog_load+0xb6f/0x1350 [ 436.768594] __do_sys_bpf+0x16d7/0x3720 prog->aux->trampoline = tr should be set only when prog is valid. Otherwise prog freeing will try to put trampoline via prog->aux->trampoline, but it may not point to a valid trampoline. Fixes: 6ba43b761c41 ("bpf: Attachment verification for BPF_MODIFY_RETURN") Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Acked-by: KP Singh Link: https://lore.kernel.org/bpf/20200529043839.15824-2-alexei.starovoitov@gmail.com commit a683012a8e77675a1947cc8f11f97cdc1d5bb769 Author: Pablo Neira Ayuso Date: Sun Apr 19 14:12:35 2020 +0200 net/mlx5e: replace EINVAL in mlx5e_flower_parse_meta() The drivers reports EINVAL to userspace through netlink on invalid meta match. This is confusing since EINVAL is usually reserved for malformed netlink messages. Replace it by more meaningful codes. Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Saeed Mahameed commit cb9a0641b531ac11cd7e3076de23ceada19b892e Author: Vlad Buslov Date: Mon May 25 16:57:51 2020 +0300 net/mlx5e: Fix MLX5_TC_CT dependencies Change MLX5_TC_CT config dependencies to include MLX5_ESWITCH instead of MLX5_CORE_EN && NET_SWITCHDEV, which are already required by MLX5_ESWITCH. Without this change mlx5 fails to compile if user disables MLX5_ESWITCH without also manually disabling MLX5_TC_CT. Fixes: 4c3844d9e97e ("net/mlx5e: CT: Introduce connection tracking") Signed-off-by: Vlad Buslov Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit ebeaf084ad5c0eeaf8ea3314f62cc28cb79d529f Author: Tal Gilboa Date: Thu Apr 23 13:23:06 2020 +0300 net/mlx5e: Properly set default values when disabling adaptive moderation Add a call to mlx5e_reset_rx/tx_moderation() when enabling/disabling adaptive moderation, in order to select the proper default values. In order to do so, we separate the logic of selecting the moderation values and setting moderion mode (CQE/EQE based). Fixes: 0088cbbc4b66 ("net/mlx5e: Enable CQE based moderation on TX CQ") Fixes: 9908aa292971 ("net/mlx5e: CQE based moderation") Signed-off-by: Tal Gilboa Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit b623603bbb473e7e19af358b98335e63bebb2eb5 Author: Aya Levin Date: Mon Apr 13 11:31:00 2020 +0300 net/mlx5e: Fix arch depending casting issue in FEC Change type of active_fec to u32 to match the type expected by mlx5e_get_fec_mode. Copy active_fec and configured_fec values to unsigned long before preforming bitwise manipulations. Take the same approach when configuring FEC over 50G link modes: copy the policy into an unsigned long and only than preform bitwise operations. Fixes: 2132b71f78d2 ("net/mlx5e: Advertise globaly supported FEC modes") Signed-off-by: Aya Levin Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 20300aafa7a2719f71d50f97a8846459d9869b75 Author: Maor Dickman Date: Sun May 24 09:45:44 2020 +0300 net/mlx5e: Remove warning "devices are not on same switch HW" On tunnel decap rule insertion, the indirect mechanism will attempt to offload the rule on all uplink representors which will trigger the "devices are not on same switch HW, can't offload forwarding" message for the uplink which isn't on the same switch HW as the VF representor. The above flow is valid and shouldn't cause warning message, fix by removing the warning and only report this flow using extack. Fixes: 321348475d54 ("net/mlx5e: Fix allowed tc redirect merged eswitch offload cases") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 0a2a6f498fa060cc0d592d56148da856e9d77bd8 Author: Roi Dayan Date: Wed May 27 21:46:09 2020 +0300 net/mlx5e: Fix stats update for matchall classifier It's bytes, packets, lastused. Fixes: fcb64c0f5640 ("net/mlx5: E-Switch, add ingress rate support") Signed-off-by: Roi Dayan Signed-off-by: Saeed Mahameed commit 8fc3e29be9248048f449793502c15af329f35c6e Author: Mark Bloch Date: Wed May 20 17:32:08 2020 +0000 net/mlx5: Fix crash upon suspend/resume Currently a Linux system with the mlx5 NIC always crashes upon hibernation - suspend/resume. Add basic callbacks so the NIC could be suspended and resumed. Fixes: 9603b61de1ee ("mlx5: Move pci device handling from mlx5_ib to mlx5_core") Tested-by: Dexuan Cui Signed-off-by: Mark Bloch Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit 942110fdf2f1a298e66cdb3b776c854b157cd820 Merge: 7c6d2ecbda83 f6a23d85d078 Author: David S. Miller Date: Fri May 29 13:05:56 2020 -0700 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec Steffen Klassert says: ==================== pull request (net): ipsec 2020-05-29 1) Several fixes for ESP gro/gso in transport and beet mode when IPv6 extension headers are present. From Xin Long. 2) Fix a wrong comment on XFRMA_OFFLOAD_DEV. From Antony Antony. 3) Fix sk_destruct callback handling on ESP in TCP encapsulation. From Sabrina Dubroca. 4) Fix a use after free in xfrm_output_gso when used with vxlan. From Xin Long. 5) Fix secpath handling of VTI when used wiuth IPCOMP. From Xin Long. 6) Fix an oops when deleting a x-netns xfrm interface. From Nicolas Dichtel. 7) Fix a possible warning on policy updates. We had a case where it was possible to add two policies with the same lookup keys. From Xin Long. ==================== Signed-off-by: David S. Miller commit 86e43b8bf0e6b3897e504cdb9230fd063ecd4452 Merge: 75caf310d16c ed9244bd0b26 Author: Linus Torvalds Date: Fri May 29 12:32:46 2020 -0700 Merge tag 'drm-fixes-2020-05-29-1' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "A couple of amdgpu fixes and minor ingenic fixes: amdgpu: - display atomic test fix - Fix soft hang in display vupdate code ingenic: - fix pointer cast - fix crtc atomic check callback" * tag 'drm-fixes-2020-05-29-1' of git://anongit.freedesktop.org/drm/drm: drm/amd/display: Fix potential integer wraparound resulting in a hang drm/amd/display: drop cursor position check in atomic test gpu/drm: Ingenic: Fix opaque pointer casted to wrong type gpu/drm: ingenic: Fix bogus crtc_atomic_check callback commit 20be493b787cd581c9fffad7fcd6bfbe6af1050c Author: Andreas Gruenbacher Date: Tue May 26 20:11:51 2020 +0200 gfs2: Even more gfs2_find_jhead fixes Fix several issues in the previous gfs2_find_jhead fix: * When updating @blocks_submitted, @block refers to the first block block not submitted yet, not the last block submitted, so fix an off-by-one error. * We want to ensure that @blocks_submitted is far enough ahead of @blocks_read to guarantee that there is in-flight I/O. Otherwise, we'll eventually end up waiting for pages that haven't been submitted, yet. * It's much easier to compare the number of blocks added with the number of blocks submitted to limit the maximum bio size. * Even with bio chaining, we can keep adding blocks until we reach the maximum bio size, as long as we stop at a page boundary. This simplifies the logic. Signed-off-by: Andreas Gruenbacher Reviewed-by: Bob Peterson commit bf71bc16e02162388808949b179d59d0b571b965 Author: Helge Deller Date: Thu May 28 22:29:25 2020 +0200 parisc: Fix kernel panic in mem_init() The Debian kernel v5.6 triggers this kernel panic: Kernel panic - not syncing: Bad Address (null pointer deref?) Bad Address (null pointer deref?): Code=26 (Data memory access rights trap) at addr 0000000000000000 CPU: 0 PID: 0 Comm: swapper Not tainted 5.6.0-2-parisc64 #1 Debian 5.6.14-1 IAOQ[0]: mem_init+0xb0/0x150 IAOQ[1]: mem_init+0xb4/0x150 RP(r2): start_kernel+0x6c8/0x1190 Backtrace: [<0000000040101ab4>] start_kernel+0x6c8/0x1190 [<0000000040108574>] start_parisc+0x158/0x1b8 on a HP-PARISC rp3440 machine with this memory layout: Memory Ranges: 0) Start 0x0000000000000000 End 0x000000003fffffff Size 1024 MB 1) Start 0x0000004040000000 End 0x00000040ffdfffff Size 3070 MB Fix the crash by avoiding virt_to_page() and similar functions in mem_init() until the memory zones have been fully set up. Signed-off-by: Helge Deller Cc: stable@vger.kernel.org # v5.0+ commit 7cc31613734c4870ae32f5265d576ef296621343 Author: Qiushi Wu Date: Wed May 27 16:00:19 2020 -0500 iommu: Fix reference count leak in iommu_group_alloc. kobject_init_and_add() takes reference even when it fails. Thus, when kobject_init_and_add() returns an error, kobject_put() must be called to properly clean up the kobject. Fixes: d72e31c93746 ("iommu: IOMMU Groups") Signed-off-by: Qiushi Wu Link: https://lore.kernel.org/r/20200527210020.6522-1-wu000273@umn.edu Signed-off-by: Joerg Roedel commit e9bdf7e655b9ee81ee912fae1d59df48ce7311b6 Author: Linus Walleij Date: Wed May 27 16:07:58 2020 +0200 gpio: fix locking open drain IRQ lines We provided the right semantics on open drain lines being by definition output but incidentally the irq set up function would only allow IRQs on lines that were "not output". Fix the semantics to allow output open drain lines to be used for IRQs. Reported-by: Hans Verkuil Signed-off-by: Linus Walleij Signed-off-by: Hans Verkuil Tested-by: Hans Verkuil Cc: Russell King Cc: stable@vger.kernel.org # v5.3+ Link: https://lore.kernel.org/r/20200527140758.162280-1-linus.walleij@linaro.org Signed-off-by: Linus Walleij commit 2f26ed1764b42a8c40d9c48441c73a70d805decf Author: Daniel Axtens Date: Fri May 29 16:14:46 2020 +1000 powerpc/64s: Disable sanitisers for C syscall/interrupt entry/exit code syzkaller is picking up a bunch of crashes that look like this: Unrecoverable exception 380 at c00000000037ed60 (msr=8000000000001031) Oops: Unrecoverable exception, sig: 6 [#1] LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: CPU: 0 PID: 874 Comm: syz-executor.0 Not tainted 5.7.0-rc7-syzkaller-00016-gb0c3ba31be3e #0 NIP: c00000000037ed60 LR: c00000000004bac8 CTR: c000000000030990 REGS: c0000000555a7230 TRAP: 0380 Not tainted (5.7.0-rc7-syzkaller-00016-gb0c3ba31be3e) MSR: 8000000000001031 CR: 48222882 XER: 20000000 CFAR: c00000000004bac4 IRQMASK: 0 GPR00: c00000000004bb68 c0000000555a74c0 c0000000024b3500 0000000000000005 GPR04: 0000000000000000 0000000000000000 c00000000004bb88 c008000000910000 GPR08: 00000000000b0000 c00000000004bac8 0000000000016000 c000000002503500 GPR12: c000000000030990 c000000003190000 00000000106a5898 00000000106a0000 GPR16: 00000000106a5890 c000000007a92000 c000000008180e00 c000000007a8f700 GPR20: c000000007a904b0 0000000010110000 c00000000259d318 5deadbeef0000100 GPR24: 5deadbeef0000122 c000000078422700 c000000009ee88b8 c000000078422778 GPR28: 0000000000000001 800000000280b033 0000000000000000 c0000000555a75a0 NIP [c00000000037ed60] __sanitizer_cov_trace_pc+0x40/0x50 LR [c00000000004bac8] interrupt_exit_kernel_prepare+0x118/0x310 Call Trace: [c0000000555a74c0] [c00000000004bb68] interrupt_exit_kernel_prepare+0x1b8/0x310 (unreliable) [c0000000555a7530] [c00000000000f9a8] interrupt_return+0x118/0x1c0 --- interrupt: 900 at __sanitizer_cov_trace_pc+0x0/0x50 ...... This is caused by __sanitizer_cov_trace_pc() causing an SLB fault after MSR[RI] has been cleared by __hard_EE_RI_disable(), which we can not recover from. Do not instrument the new syscall/interrupt entry/exit code with KCOV, GCOV or UBSAN. Reported-by: syzbot-ppc64 Fixes: 68b34588e202 ("powerpc/64/sycall: Implement syscall entry/exit logic in C") Signed-off-by: Daniel Axtens Acked-by: Andrew Donnellan Signed-off-by: Michael Ellerman commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 Author: Xin Long Date: Tue May 26 17:41:46 2020 +0800 xfrm: fix a NULL-ptr deref in xfrm_local_error This patch is to fix a crash: [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access [ ] general protection fault: 0000 [#1] SMP KASAN PTI [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0 [ ] Call Trace: [ ] xfrm6_local_error+0x1eb/0x300 [ ] xfrm_local_error+0x95/0x130 [ ] __xfrm6_output+0x65f/0xb50 [ ] xfrm6_output+0x106/0x46f [ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel] [ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan] [ ] vxlan_xmit+0x6a0/0x4276 [vxlan] [ ] dev_hard_start_xmit+0x165/0x820 [ ] __dev_queue_xmit+0x1ff0/0x2b90 [ ] ip_finish_output2+0xd3e/0x1480 [ ] ip_do_fragment+0x182d/0x2210 [ ] ip_output+0x1d0/0x510 [ ] ip_send_skb+0x37/0xa0 [ ] raw_sendmsg+0x1b4c/0x2b80 [ ] sock_sendmsg+0xc0/0x110 This occurred when sending a v4 skb over vxlan6 over ipsec, in which case skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries to get ipv6 info from a ipv4 sk. This issue was actually fixed by Commit 628e341f319f ("xfrm: make local error reporting more robust"), but brought back by Commit 844d48746e4b ("xfrm: choose protocol family by skb protocol"). So to fix it, we should call xfrm6_local_error() only when skb->protocol is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6. Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol") Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit aa61b7bb00f7c0738823237a06161d568442b93c Merge: 4bfe6cce133c 9e4636545933 Author: Ingo Molnar Date: Fri May 29 11:36:49 2020 +0200 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into x86/urgent Pick up FPU register dump fixes from Al Viro. Signed-off-by: Ingo Molnar commit ed9244bd0b265c4c0866a9246c6e7cca1cca3acf Merge: ed52a9b556f3 abf56fadf0e2 Author: Dave Airlie Date: Fri May 29 12:11:07 2020 +1000 Merge tag 'drm-misc-fixes-2020-05-28' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Two ingenic fixes, one for a wrong cast, the other for a typo in a comparison Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200528110944.hanv4qgc6w7whnj3@gilmour.lan commit 7c6d2ecbda83150b2036a2b36b21381ad4667762 Author: Eric Dumazet Date: Thu May 28 14:57:47 2020 -0700 net: be more gentle about silly gso requests coming from user Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests. When --mss=XXX option is set, packetdrill always provide gso_type & gso_size for its inbound packets, regardless of packet size. if (packet->tcp && packet->mss) { if (packet->ipv4) gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4; else gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6; gso.gso_size = packet->mss; } Since many other programs could do the same, relax virtio_net_hdr_to_skb() to no longer return an error, but instead ignore gso settings. This keeps Willem intent to make sure no malicious packet could reach gso stack. Note that TCP stack has a special logic in tcp_set_skb_tso_segs() to clear gso_size for small packets. Fixes: 6dd912f82680 ("net: check untrusted gso_size at kernel entry") Signed-off-by: Eric Dumazet Cc: Willem de Bruijn Acked-by: Willem de Bruijn Signed-off-by: David S. Miller commit 75caf310d16cc5e2f851c048cd597f5437013368 Merge: d16eea2fa5a1 4377748c7b51 Author: Linus Torvalds Date: Thu May 28 13:04:25 2020 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "5 fixes" * emailed patches from Andrew Morton : include/asm-generic/topology.h: guard cpumask_of_node() macro argument fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() mm,thp: stop leaking unreleased file pages mm/z3fold: silence kmemleak false positives of slots commit 45ebf73ebcec88a34a778f5feaa0b82b1c76069e Author: Jonas Falkevik Date: Wed May 27 11:56:40 2020 +0200 sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event Make sure SCTP_ADDR_{MADE_PRIM,ADDED} are sent only for associations that have been established. These events are described in rfc6458#section-6.1 SCTP_PEER_ADDR_CHANGE: This tag indicates that an address that is part of an existing association has experienced a change of state (e.g., a failure or return to service of the reachability of an endpoint via a specific transport address). Signed-off-by: Jonas Falkevik Acked-by: Marcelo Ricardo Leitner Reviewed-by: Xin Long Signed-off-by: David S. Miller commit d16eea2fa5a1ed9bc1788db39a76017916dc7f25 Merge: 6b5f25909bb8 642aa86eaf8f Author: Linus Torvalds Date: Thu May 28 12:41:11 2020 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input Pull input fixes from Dmitry Torokhov: "Just a few random driver fixups" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: Input: synaptics - add a second working PNP_ID for Lenovo T470s Input: applespi - replace zero-length array with flexible-array Input: axp20x-pek - always register interrupt handlers Input: lm8333 - update contact email Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() Input: synaptics-rmi4 - really fix attn_data use-after-free Input: i8042 - add ThinkPad S230u to i8042 reset list Revert "Input: i8042 - add ThinkPad S230u to i8042 nomux list" Input: dlink-dir685-touchkeys - fix a typo in driver name Input: xpad - add custom init packet for Xbox One S controllers Input: evdev - call input_flush_device() on release(), not flush() Input: i8042 - add ThinkPad S230u to i8042 nomux list Input: usbtouchscreen - add support for BonXeon TP Input: cros_ec_keyb - use cros_ec_cmd_xfer_status helper Input: mms114 - fix handling of mms345l Input: elants_i2c - support palm detection commit 4bfe6cce133cad82cea04490c308795275857782 Author: Jay Lang Date: Sun May 24 12:27:39 2020 -0400 x86/ioperm: Prevent a memory leak when fork fails In the copy_process() routine called by _do_fork(), failure to allocate a PID (or further along in the function) will trigger an invocation to exit_thread(). This is done to clean up from an earlier call to copy_thread_tls(). Naturally, the child task is passed into exit_thread(), however during the process, io_bitmap_exit() nullifies the parent's io_bitmap rather than the child's. As copy_thread_tls() has been called ahead of the failure, the reference count on the calling thread's io_bitmap is incremented as we would expect. However, io_bitmap_exit() doesn't accept any arguments, and thus assumes it should trash the current thread's io_bitmap reference rather than the child's. This is pretty sneaky in practice, because in all instances but this one, exit_thread() is called with respect to the current task and everything works out. A determined attacker can issue an appropriate ioctl (i.e. KDENABIO) to get a bitmap allocated, and force a clone3() syscall to fail by passing in a zeroed clone_args structure. The kernel handles the erroneous struct and the buggy code path is followed, and even though the parent's reference to the io_bitmap is trashed, the child still holds a reference and thus the structure will never be freed. Fix this by tweaking io_bitmap_exit() and its subroutines to accept a task_struct argument which to operate on. Fixes: ea5f1cd7ab49 ("x86/ioperm: Remove bitmap if all permissions dropped") Signed-off-by: Jay Lang Signed-off-by: Thomas Gleixner Cc: stable#@vger.kernel.org Link: https://lkml.kernel.org/r/20200524162742.253727-1-jaytlang@mit.edu commit 6b5f25909bb8a94a0c1d1c6e9530f8fc261d1b5d Merge: b0c3ba31be3e f36e0aab6f1f Author: Linus Torvalds Date: Thu May 28 12:32:56 2020 -0700 Merge tag 'csky-for-linus-5.7-rc8' of git://github.com/c-sky/csky-linux Pull csky fixes from Guo Ren: "Another four fixes for csky: - fix req_syscall debug - fix abiv2 syscall_trace - fix preempt enable - clean up regs usage in entry.S" * tag 'csky-for-linus-5.7-rc8' of git://github.com/c-sky/csky-linux: csky: Fixup CONFIG_DEBUG_RSEQ csky: Coding convention in entry.S csky: Fixup abiv2 syscall_trace break a4 & a5 csky: Fixup CONFIG_PREEMPT panic commit b0beb28097fa04177b3769f4bb7a0d0d9c4ae76e Author: Jens Axboe Date: Thu May 28 13:19:29 2020 -0600 Revert "block: end bio with BLK_STS_AGAIN in case of non-mq devs and REQ_NOWAIT" This reverts commit c58c1f83436b501d45d4050fd1296d71a9760bcb. io_uring does do the right thing for this case, and we're still returning -EAGAIN to userspace for the cases we don't support. Revert this change to avoid doing endless spins of resubmits. Cc: stable@vger.kernel.org # v5.6 Reported-by: Bijan Mottahedeh Signed-off-by: Jens Axboe commit 4377748c7b5187c3342a60fa2ceb60c8a57a8488 Author: Arnd Bergmann Date: Wed May 27 22:20:55 2020 -0700 include/asm-generic/topology.h: guard cpumask_of_node() macro argument drivers/hwmon/amd_energy.c:195:15: error: invalid operands to binary expression ('void' and 'int') (channel - data->nr_cpus)); ~~~~~~~~~^~~~~~~~~~~~~~~~~ include/asm-generic/topology.h:51:42: note: expanded from macro 'cpumask_of_node' #define cpumask_of_node(node) ((void)node, cpu_online_mask) ^~~~ include/linux/cpumask.h:618:72: note: expanded from macro 'cpumask_first_and' #define cpumask_first_and(src1p, src2p) cpumask_next_and(-1, (src1p), (src2p)) ^~~~~ Fixes: f0b848ce6fe9 ("cpumask: Introduce cpumask_of_{node,pcibus} to replace {node,pcibus}_to_cpumask") Fixes: 8abee9566b7e ("hwmon: Add amd_energy driver to report energy counters") Signed-off-by: Arnd Bergmann Signed-off-by: Andrew Morton Acked-by: Guenter Roeck Link: http://lkml.kernel.org/r/20200527134623.930247-1-arnd@arndb.de Signed-off-by: Linus Torvalds commit 1d605416fb7175e1adf094251466caa52093b413 Author: Alexander Potapenko Date: Wed May 27 22:20:52 2020 -0700 fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() KMSAN reported uninitialized data being written to disk when dumping core. As a result, several kilobytes of kmalloc memory may be written to the core file and then read by a non-privileged user. Reported-by: sam Signed-off-by: Alexander Potapenko Signed-off-by: Andrew Morton Acked-by: Kees Cook Cc: Al Viro Cc: Alexey Dobriyan Cc: Link: http://lkml.kernel.org/r/20200419100848.63472-1-glider@google.com Link: https://github.com/google/kmsan/issues/76 Signed-off-by: Linus Torvalds commit 6988f31d558aa8c744464a7f6d91d34ada48ad12 Author: Konstantin Khlebnikov Date: Wed May 27 22:20:47 2020 -0700 mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() Replace superfluous VM_BUG_ON() with comment about correct usage. Technically reverts commit 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()"), but context lines have changed. Function isolate_migratepages_block() runs some checks out of lru_lock when choose pages for migration. After checking PageLRU() it checks extra page references by comparing page_count() and page_mapcount(). Between these two checks page could be removed from lru, freed and taken by slab. As a result this race triggers VM_BUG_ON(PageSlab()) in page_mapcount(). Race window is tiny. For certain workload this happens around once a year. page:ffffea0105ca9380 count:1 mapcount:0 mapping:ffff88ff7712c180 index:0x0 compound_mapcount: 0 flags: 0x500000000008100(slab|head) raw: 0500000000008100 dead000000000100 dead000000000200 ffff88ff7712c180 raw: 0000000000000000 0000000080200020 00000001ffffffff 0000000000000000 page dumped because: VM_BUG_ON_PAGE(PageSlab(page)) ------------[ cut here ]------------ kernel BUG at ./include/linux/mm.h:628! invalid opcode: 0000 [#1] SMP NOPTI CPU: 77 PID: 504 Comm: kcompactd1 Tainted: G W 4.19.109-27 #1 Hardware name: Yandex T175-N41-Y3N/MY81-EX0-Y3N, BIOS R05 06/20/2019 RIP: 0010:isolate_migratepages_block+0x986/0x9b0 The code in isolate_migratepages_block() was added in commit 119d6d59dcc0 ("mm, compaction: avoid isolating pinned pages") before adding VM_BUG_ON into page_mapcount(). This race has been predicted in 2015 by Vlastimil Babka (see link below). [akpm@linux-foundation.org: comment tweaks, per Hugh] Fixes: 1d148e218a0d ("mm: add VM_BUG_ON_PAGE() to page_mapcount()") Signed-off-by: Konstantin Khlebnikov Signed-off-by: Andrew Morton Acked-by: Hugh Dickins Acked-by: Kirill A. Shutemov Acked-by: Vlastimil Babka Cc: David Rientjes Cc: Link: http://lkml.kernel.org/r/159032779896.957378.7852761411265662220.stgit@buzz Link: https://lore.kernel.org/lkml/557710E1.6060103@suse.cz/ Link: https://lore.kernel.org/linux-mm/158937872515.474360.5066096871639561424.stgit@buzz/T/ (v1) Signed-off-by: Linus Torvalds commit 2f33a706027c94cd4f70fcd3e3f4a17c1ce4ea4b Author: Hugh Dickins Date: Wed May 27 22:20:43 2020 -0700 mm,thp: stop leaking unreleased file pages When collapse_file() calls try_to_release_page(), it has already isolated the page: so if releasing buffers happens to fail (as it sometimes does), remember to putback_lru_page(): otherwise that page is left unreclaimable and unfreeable, and the file extent uncollapsible. Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS") Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Acked-by: Song Liu Acked-by: Kirill A. Shutemov Acked-by: Johannes Weiner Cc: Rik van Riel Cc: [5.4+] Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2005231837500.1766@eggly.anvils Signed-off-by: Linus Torvalds commit af4798a5bba60af881626780cbc6457cb162bfd1 Author: Qian Cai Date: Wed May 27 22:20:40 2020 -0700 mm/z3fold: silence kmemleak false positives of slots Kmemleak reported many leaks while under memory pressue in, slots = alloc_slots(pool, gfp); which is referenced by "zhdr" in init_z3fold_page(), zhdr->slots = slots; However, "zhdr" could be gone without freeing slots as the later will be freed separately when the last "handle" off of "handles" array is freed. It will be within "slots" which is always aligned. unreferenced object 0xc000000fdadc1040 (size 104): comm "oom04", pid 140476, jiffies 4295359280 (age 3454.970s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: z3fold_zpool_malloc+0x7b0/0xe10 alloc_slots at mm/z3fold.c:214 (inlined by) init_z3fold_page at mm/z3fold.c:412 (inlined by) z3fold_alloc at mm/z3fold.c:1161 (inlined by) z3fold_zpool_malloc at mm/z3fold.c:1735 zpool_malloc+0x34/0x50 zswap_frontswap_store+0x60c/0xda0 zswap_frontswap_store at mm/zswap.c:1093 __frontswap_store+0x128/0x330 swap_writepage+0x58/0x110 pageout+0x16c/0xa40 shrink_page_list+0x1ac8/0x25c0 shrink_inactive_list+0x270/0x730 shrink_lruvec+0x444/0xf30 shrink_node+0x2a4/0x9c0 do_try_to_free_pages+0x158/0x640 try_to_free_pages+0x1bc/0x5f0 __alloc_pages_slowpath.constprop.60+0x4dc/0x15a0 __alloc_pages_nodemask+0x520/0x650 alloc_pages_vma+0xc0/0x420 handle_mm_fault+0x1174/0x1bf0 Signed-off-by: Qian Cai Signed-off-by: Andrew Morton Acked-by: Vitaly Wool Acked-by: Catalin Marinas Link: http://lkml.kernel.org/r/20200522220052.2225-1-cai@lca.pw Signed-off-by: Linus Torvalds commit 88743470668ef5eb6b7ba9e0f99888e5999bf172 Author: Alexander Dahl Date: Tue May 26 19:57:49 2020 +0200 x86/dma: Fix max PFN arithmetic overflow on 32 bit systems The intermediate result of the old term (4UL * 1024 * 1024 * 1024) is 4 294 967 296 or 0x100000000 which is no problem on 64 bit systems. The patch does not change the later overall result of 0x100000 for MAX_DMA32_PFN (after it has been shifted by PAGE_SHIFT). The new calculation yields the same result, but does not require 64 bit arithmetic. On 32 bit systems the old calculation suffers from an arithmetic overflow in that intermediate term in braces: 4UL aka unsigned long int is 4 byte wide and an arithmetic overflow happens (the 0x100000000 does not fit in 4 bytes), the in braces result is truncated to zero, the following right shift does not alter that, so MAX_DMA32_PFN evaluates to 0 on 32 bit systems. That wrong value is a problem in a comparision against MAX_DMA32_PFN in the init code for swiotlb in pci_swiotlb_detect_4gb() to decide if swiotlb should be active. That comparison yields the opposite result, when compiling on 32 bit systems. This was not possible before 1b7e03ef7570 ("x86, NUMA: Enable emulation on 32bit too") when that MAX_DMA32_PFN was first made visible to x86_32 (and which landed in v3.0). In practice this wasn't a problem, unless CONFIG_SWIOTLB is active on x86-32. However if one has set CONFIG_IOMMU_INTEL, since c5a5dc4cbbf4 ("iommu/vt-d: Don't switch off swiotlb if bounce page is used") there's a dependency on CONFIG_SWIOTLB, which was not necessarily active before. That landed in v5.4, where we noticed it in the fli4l Linux distribution. We have CONFIG_IOMMU_INTEL active on both 32 and 64 bit kernel configs there (I could not find out why, so let's just say historical reasons). The effect is at boot time 64 MiB (default size) were allocated for bounce buffers now, which is a noticeable amount of memory on small systems like pcengines ALIX 2D3 with 256 MiB memory, which are still frequently used as home routers. We noticed this effect when migrating from kernel v4.19 (LTS) to v5.4 (LTS) in fli4l and got that kernel messages for example: Linux version 5.4.22 (buildroot@buildroot) (gcc version 7.3.0 (Buildroot 2018.02.8)) #1 SMP Mon Nov 26 23:40:00 CET 2018 … Memory: 183484K/261756K available (4594K kernel code, 393K rwdata, 1660K rodata, 536K init, 456K bss , 78272K reserved, 0K cma-reserved, 0K highmem) … PCI-DMA: Using software bounce buffering for IO (SWIOTLB) software IO TLB: mapped [mem 0x0bb78000-0x0fb78000] (64MB) The initial analysis and the suggested fix was done by user 'sourcejedi' at stackoverflow and explicitly marked as GPLv2 for inclusion in the Linux kernel: https://unix.stackexchange.com/a/520525/50007 The new calculation, which does not suffer from that overflow, is the same as for arch/mips now as suggested by Robin Murphy. The fix was tested by fli4l users on round about two dozen different systems, including both 32 and 64 bit archs, bare metal and virtualized machines. [ bp: Massage commit message. ] Fixes: 1b7e03ef7570 ("x86, NUMA: Enable emulation on 32bit too") Reported-by: Alan Jenkins Suggested-by: Robin Murphy Signed-off-by: Alexander Dahl Signed-off-by: Borislav Petkov Reviewed-by: Greg Kroah-Hartman Cc: stable@vger.kernel.org Link: https://unix.stackexchange.com/q/520065/50007 Link: https://web.nettworks.org/bugs/browse/FFL-2560 Link: https://lkml.kernel.org/r/20200526175749.20742-1-post@lespocky.de commit a068aab42258e25094bc2c159948d263ed7d7a77 Author: Qiushi Wu Date: Wed May 27 22:10:29 2020 -0500 bonding: Fix reference count leak in bond_sysfs_slave_add. kobject_init_and_add() takes reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Previous commit "b8eb718348b8" fixed a similar problem. Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.") Signed-off-by: Qiushi Wu Acked-by: Jay Vosburgh Signed-off-by: David S. Miller commit 2200313aa054bb698f1a611193f4032339b390f3 Merge: 2b86cb829976 4946ea5c1237 Author: David S. Miller Date: Thu May 28 10:54:18 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Uninitialized when used in __nf_conntrack_update(), from Nathan Chancellor. 2) Comparison of unsigned expression in nf_confirm_cthelper(). 3) Remove 'const' type qualifier with no effect. ==================== Signed-off-by: David S. Miller commit d195b1d1d1196681ac4775e0361e9cca70f740c2 Author: Petr Mladek Date: Wed May 27 14:28:44 2020 +0200 powerpc/bpf: Enable bpf_probe_read{, str}() on powerpc again The commit 0ebeea8ca8a4d1d453a ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work") caused that bpf_probe_read{, str}() functions were not longer available on architectures where the same logical address might have different content in kernel and user memory mapping. These architectures should use probe_read_{user,kernel}_str helpers. For backward compatibility, the problematic functions are still available on architectures where the user and kernel address spaces are not overlapping. This is defined CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE. At the moment, these backward compatible functions are enabled only on x86_64, arm, and arm64. Let's do it also on powerpc that has the non overlapping address space as well. Fixes: 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work") Signed-off-by: Petr Mladek Signed-off-by: Daniel Borkmann Acked-by: Michael Ellerman Link: https://lore.kernel.org/lkml/20200527122844.19524-1-pmladek@suse.com commit 15fede122b23e126baeba69558a14c68e5d9359f Merge: 1592cd15eec6 9210c075cef2 Author: Jens Axboe Date: Thu May 28 08:48:12 2020 -0600 Merge branch 'nvme-5.7' of git://git.infradead.org/nvme into block-5.7 Pull NVMe poll fix from Christoph. * 'nvme-5.7' of git://git.infradead.org/nvme: nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() commit ba051f097fc30b00f6b66044386901141351a557 Author: Nobuhiro Iwamatsu Date: Thu May 28 08:34:57 2020 +0900 arm64/kernel: Fix return value when cpu_online() fails in __cpu_up() If boot_secondary() was successful, and cpu_online() was an error in __cpu_up(), -EIO was returned, but 0 is returned by commit d22b115cbfbb7 ("arm64/kernel: Simplify __cpu_up() by bailing out early"). Therefore, bringup_wait_for_ap() causes the primary core to wait for a long time, which may cause boot failure. This commit sets -EIO to return code under the same conditions. Fixes: d22b115cbfbb ("arm64/kernel: Simplify __cpu_up() by bailing out early") Signed-off-by: Nobuhiro Iwamatsu Tested-by: Yuji Ishikawa Acked-by: Will Deacon Cc: Gavin Shan Cc: Mark Rutland Link: https://lore.kernel.org/r/20200527233457.2531118-1-nobuhiro1.iwamatsu@toshiba.co.jp [catalin.marinas@arm.com: return -EIO at the end of the function] Signed-off-by: Catalin Marinas commit ed52a9b556f31c07d1697acb16bd6fdb6ad9f504 Merge: 9cb1fd0efd19 4e5183200d9b Author: Dave Airlie Date: Thu May 28 15:38:42 2020 +1000 Merge tag 'amd-drm-fixes-5.7-2020-05-27' of git://people.freedesktop.org/~agd5f/linux into drm-fixes amd-drm-fixes-5.7-2020-05-27: amdgpu: - Display atomic test fix - Fix soft hang in display vupdate code Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20200527222700.4378-1-alexander.deucher@amd.com commit f36e0aab6f1f78d770ce859df3f07a9c5763ce5f Author: Guo Ren Date: Tue May 26 06:34:50 2020 +0000 csky: Fixup CONFIG_DEBUG_RSEQ Put the rseq_syscall check point at the prologue of the syscall will break the a0 ... a7. This will casue system call bug when DEBUG_RSEQ is enabled. So move it to the epilogue of syscall, but before syscall_trace. Signed-off-by: Guo Ren commit 20f69538b9ab7175e1474a73e2793b8278846e1e Author: Guo Ren Date: Sun May 24 12:14:11 2020 +0000 csky: Coding convention in entry.S There is no fixup or feature in the patch, we only cleanup with: - Remove unnecessary reg used (r11, r12), just use r9 & r10 & syscallid regs as temp useage. - Add _TIF_SYSCALL_WORK and _TIF_WORK_MASK to gather macros. Signed-off-by: Guo Ren commit e0bbb53843b5fdfe464b099217e3b9d97e8a75d7 Author: Guo Ren Date: Sun May 24 10:44:38 2020 +0000 csky: Fixup abiv2 syscall_trace break a4 & a5 Current implementation could destory a4 & a5 when strace, so we need to get them from pt_regs by SAVE_ALL. Signed-off-by: Guo Ren commit 900897591b2bf01154db8f59f6ecf8d60e60f15e Author: Guo Ren Date: Sun May 24 08:03:07 2020 +0000 csky: Fixup CONFIG_PREEMPT panic log: [    0.13373200] Calibrating delay loop... [    0.14077600] ------------[ cut here ]------------ [    0.14116700] WARNING: CPU: 0 PID: 0 at kernel/sched/core.c:3790 preempt_count_add+0xc8/0x11c [    0.14348000] DEBUG_LOCKS_WARN_ON((preempt_count() < 0))Modules linked in: [    0.14395100] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.6.0 #7 [    0.14410800] [    0.14427400] Call Trace: [    0.14450700] [<807cd226>] dump_stack+0x8a/0xe4 [    0.14473500] [<80072792>] __warn+0x10e/0x15c [    0.14495900] [<80072852>] warn_slowpath_fmt+0x72/0xc0 [    0.14518600] [<800a5240>] preempt_count_add+0xc8/0x11c [    0.14544900] [<807ef918>] _raw_spin_lock+0x28/0x68 [    0.14572600] [<800e0eb8>] vprintk_emit+0x84/0x2d8 [    0.14599000] [<800e113a>] vprintk_default+0x2e/0x44 [    0.14625100] [<800e2042>] vprintk_func+0x12a/0x1d0 [    0.14651300] [<800e1804>] printk+0x30/0x48 [    0.14677600] [<80008052>] lockdep_init+0x12/0xb0 [    0.14703800] [<80002080>] start_kernel+0x558/0x7f8 [    0.14730000] [<800052bc>] csky_start+0x58/0x94 [    0.14756600] irq event stamp: 34 [    0.14775100] hardirqs last  enabled at (33): [<80067370>] ret_from_exception+0x2c/0x72 [    0.14793700] hardirqs last disabled at (34): [<800e0eae>] vprintk_emit+0x7a/0x2d8 [    0.14812300] softirqs last  enabled at (32): [<800655b0>] __do_softirq+0x578/0x6d8 [    0.14830800] softirqs last disabled at (25): [<8007b3b8>] irq_exit+0xec/0x128 The preempt_count of reg could be destroyed after csky_do_IRQ without reload from memory. After reference to other architectures (arm64, riscv), we move preempt entry into ret_from_exception and disable irq at the beginning of ret_from_exception instead of RESTORE_ALL. Signed-off-by: Guo Ren Reported-by: Lu Baoquan commit 1acba6a817852d4aa7916d5c4f2c82f702ee9224 Author: Valentine Fatiev Date: Wed May 27 16:47:05 2020 +0300 IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode When connected mode is set, and we have connected and datagram traffic in parallel, ipoib might crash with double free of datagram skb. The current mechanism assumes that the order in the completion queue is the same as the order of sent packets for all QPs. Order is kept only for specific QP, in case of mixed UD and CM traffic we have few QPs (one UD and few CM's) in parallel. The problem: ---------------------------------------------------------- Transmit queue: ----------------- UD skb pointer kept in queue itself, CM skb kept in spearate queue and uses transmit queue as a placeholder to count the number of total transmitted packets. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 .........127 ------------------------------------------------------------ NL ud1 UD2 CM1 ud3 cm2 cm3 ud4 cm4 ud5 NL NL NL ........... ------------------------------------------------------------ ^ ^ tail head Completion queue (problematic scenario) - the order not the same as in the transmit queue: 1 2 3 4 5 6 7 8 9 ------------------------------------ ud1 CM1 UD2 ud3 cm2 cm3 ud4 cm4 ud5 ------------------------------------ 1. CM1 'wc' processing - skb freed in cm separate ring. - tx_tail of transmit queue increased although UD2 is not freed. Now driver assumes UD2 index is already freed and it could be used for new transmitted skb. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 .........127 ------------------------------------------------------------ NL NL UD2 CM1 ud3 cm2 cm3 ud4 cm4 ud5 NL NL NL ........... ------------------------------------------------------------ ^ ^ ^ (Bad)tail head (Bad - Could be used for new SKB) In this case (due to heavy load) UD2 skb pointer could be replaced by new transmitted packet UD_NEW, as the driver assumes its free. At this point we will have to process two 'wc' with same index but we have only one pointer to free. During second attempt to free the same skb we will have NULL pointer exception. 2. UD2 'wc' processing - skb freed according the index we got from 'wc', but it was already overwritten by mistake. So actually the skb that was released is the skb of the new transmitted packet and not the original one. 3. UD_NEW 'wc' processing - attempt to free already freed skb. NUll pointer exception. The fix: ----------------------------------------------------------------------- The fix is to stop using the UD ring as a placeholder for CM packets, the cyclic ring variables tx_head and tx_tail will manage the UD tx_ring, a new cyclic variables global_tx_head and global_tx_tail are introduced for managing and counting the overall outstanding sent packets, then the send queue will be stopped and waken based on these variables only. Note that no locking is needed since global_tx_head is updated in the xmit flow and global_tx_tail is updated in the NAPI flow only. A previous attempt tried to use one variable to count the outstanding sent packets, but it did not work since xmit and NAPI flows can run at the same time and the counter will be updated wrongly. Thus, we use the same simple cyclic head and tail scheme that we have today for the UD tx_ring. Fixes: 2c104ea68350 ("IB/ipoib: Get rid of the tx_outstanding variable in all modes") Link: https://lore.kernel.org/r/20200527134705.480068-1-leon@kernel.org Signed-off-by: Valentine Fatiev Signed-off-by: Alaa Hleihel Signed-off-by: Leon Romanovsky Acked-by: Doug Ledford Signed-off-by: Jason Gunthorpe commit 4e5183200d9b66695c754ef214933402056e7b95 Author: Aric Cyr Date: Tue May 12 11:48:48 2020 -0400 drm/amd/display: Fix potential integer wraparound resulting in a hang [Why] If VUPDATE_END is before VUPDATE_START the delay calculated can become very large, causing a soft hang. [How] Take the absolute value of the difference between START and END. Signed-off-by: Aric Cyr Reviewed-by: Nicholas Kazlauskas Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit f7d5991b92ff824798693ddf231cf814c9d5a88b Author: Simon Ser Date: Sat May 23 11:53:41 2020 +0000 drm/amd/display: drop cursor position check in atomic test get_cursor_position already handles the case where the cursor has negative off-screen coordinates by not setting dc_cursor_position.enabled. Signed-off-by: Simon Ser Fixes: 626bf90fe03f ("drm/amd/display: add basic atomic check for cursor plane") Cc: Alex Deucher Cc: Nicholas Kazlauskas Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 2b86cb8299765688c5119fd18d5f436716c81010 Author: Vladimir Oltean Date: Wed May 27 21:08:05 2020 +0300 net: dsa: declare lockless TX feature for slave ports Be there a platform with the following layout: Regular NIC | +----> DSA master for switch port | +----> DSA master for another switch port After changing DSA back to static lockdep class keys in commit 1a33e10e4a95 ("net: partially revert dynamic lockdep key changes"), this kernel splat can be seen: [ 13.361198] ============================================ [ 13.366524] WARNING: possible recursive locking detected [ 13.371851] 5.7.0-rc4-02121-gc32a05ecd7af-dirty #988 Not tainted [ 13.377874] -------------------------------------------- [ 13.383201] swapper/0/0 is trying to acquire lock: [ 13.388004] ffff0000668ff298 (&dsa_slave_netdev_xmit_lock_key){+.-.}-{2:2}, at: __dev_queue_xmit+0x84c/0xbe0 [ 13.397879] [ 13.397879] but task is already holding lock: [ 13.403727] ffff0000661a1698 (&dsa_slave_netdev_xmit_lock_key){+.-.}-{2:2}, at: __dev_queue_xmit+0x84c/0xbe0 [ 13.413593] [ 13.413593] other info that might help us debug this: [ 13.420140] Possible unsafe locking scenario: [ 13.420140] [ 13.426075] CPU0 [ 13.428523] ---- [ 13.430969] lock(&dsa_slave_netdev_xmit_lock_key); [ 13.435946] lock(&dsa_slave_netdev_xmit_lock_key); [ 13.440924] [ 13.440924] *** DEADLOCK *** [ 13.440924] [ 13.446860] May be due to missing lock nesting notation [ 13.446860] [ 13.453668] 6 locks held by swapper/0/0: [ 13.457598] #0: ffff800010003de0 ((&idev->mc_ifc_timer)){+.-.}-{0:0}, at: call_timer_fn+0x0/0x400 [ 13.466593] #1: ffffd4d3fb478700 (rcu_read_lock){....}-{1:2}, at: mld_sendpack+0x0/0x560 [ 13.474803] #2: ffffd4d3fb478728 (rcu_read_lock_bh){....}-{1:2}, at: ip6_finish_output2+0x64/0xb10 [ 13.483886] #3: ffffd4d3fb478728 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x6c/0xbe0 [ 13.492793] #4: ffff0000661a1698 (&dsa_slave_netdev_xmit_lock_key){+.-.}-{2:2}, at: __dev_queue_xmit+0x84c/0xbe0 [ 13.503094] #5: ffffd4d3fb478728 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x6c/0xbe0 [ 13.512000] [ 13.512000] stack backtrace: [ 13.516369] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-rc4-02121-gc32a05ecd7af-dirty #988 [ 13.530421] Call trace: [ 13.532871] dump_backtrace+0x0/0x1d8 [ 13.536539] show_stack+0x24/0x30 [ 13.539862] dump_stack+0xe8/0x150 [ 13.543271] __lock_acquire+0x1030/0x1678 [ 13.547290] lock_acquire+0xf8/0x458 [ 13.550873] _raw_spin_lock+0x44/0x58 [ 13.554543] __dev_queue_xmit+0x84c/0xbe0 [ 13.558562] dev_queue_xmit+0x24/0x30 [ 13.562232] dsa_slave_xmit+0xe0/0x128 [ 13.565988] dev_hard_start_xmit+0xf4/0x448 [ 13.570182] __dev_queue_xmit+0x808/0xbe0 [ 13.574200] dev_queue_xmit+0x24/0x30 [ 13.577869] neigh_resolve_output+0x15c/0x220 [ 13.582237] ip6_finish_output2+0x244/0xb10 [ 13.586430] __ip6_finish_output+0x1dc/0x298 [ 13.590709] ip6_output+0x84/0x358 [ 13.594116] mld_sendpack+0x2bc/0x560 [ 13.597786] mld_ifc_timer_expire+0x210/0x390 [ 13.602153] call_timer_fn+0xcc/0x400 [ 13.605822] run_timer_softirq+0x588/0x6e0 [ 13.609927] __do_softirq+0x118/0x590 [ 13.613597] irq_exit+0x13c/0x148 [ 13.616918] __handle_domain_irq+0x6c/0xc0 [ 13.621023] gic_handle_irq+0x6c/0x160 [ 13.624779] el1_irq+0xbc/0x180 [ 13.627927] cpuidle_enter_state+0xb4/0x4d0 [ 13.632120] cpuidle_enter+0x3c/0x50 [ 13.635703] call_cpuidle+0x44/0x78 [ 13.639199] do_idle+0x228/0x2c8 [ 13.642433] cpu_startup_entry+0x2c/0x48 [ 13.646363] rest_init+0x1ac/0x280 [ 13.649773] arch_call_rest_init+0x14/0x1c [ 13.653878] start_kernel+0x490/0x4bc Lockdep keys themselves were added in commit ab92d68fc22f ("net: core: add generic lockdep keys"), and it's very likely that this splat existed since then, but I have no real way to check, since this stacked platform wasn't supported by mainline back then. >From Taehee's own words: This patch was considered that all stackable devices have LLTX flag. But the dsa doesn't have LLTX, so this splat happened. After this patch, dsa shares the same lockdep class key. On the nested dsa interface architecture, which you illustrated, the same lockdep class key will be used in __dev_queue_xmit() because dsa doesn't have LLTX. So that lockdep detects deadlock because the same lockdep class key is used recursively although actually the different locks are used. There are some ways to fix this problem. 1. using NETIF_F_LLTX flag. If possible, using the LLTX flag is a very clear way for it. But I'm so sorry I don't know whether the dsa could have LLTX or not. 2. using dynamic lockdep again. It means that each interface uses a separate lockdep class key. So, lockdep will not detect recursive locking. But this way has a problem that it could consume lockdep class key too many. Currently, lockdep can have 8192 lockdep class keys. - you can see this number with the following command. cat /proc/lockdep_stats lock-classes: 1251 [max: 8192] ... The [max: 8192] means that the maximum number of lockdep class keys. If too many lockdep class keys are registered, lockdep stops to work. So, using a dynamic(separated) lockdep class key should be considered carefully. In addition, updating lockdep class key routine might have to be existing. (lockdep_register_key(), lockdep_set_class(), lockdep_unregister_key()) 3. Using lockdep subclass. A lockdep class key could have 8 subclasses. The different subclass is considered different locks by lockdep infrastructure. But "lock-classes" is not counted by subclasses. So, it could avoid stopping lockdep infrastructure by an overflow of lockdep class keys. This approach should also have an updating lockdep class key routine. (lockdep_set_subclass()) 4. Using nonvalidate lockdep class key. The lockdep infrastructure supports nonvalidate lockdep class key type. It means this lockdep is not validated by lockdep infrastructure. So, the splat will not happen but lockdep couldn't detect real deadlock case because lockdep really doesn't validate it. I think this should be used for really special cases. (lockdep_set_novalidate_class()) Further discussion here: https://patchwork.ozlabs.org/project/netdev/patch/20200503052220.4536-2-xiyou.wangcong@gmail.com/ There appears to be no negative side-effect to declaring lockless TX for the DSA virtual interfaces, which means they handle their own locking. So that's what we do to make the splat go away. Patch tested in a wide variety of cases: unicast, multicast, PTP, etc. Fixes: ab92d68fc22f ("net: core: add generic lockdep keys") Suggested-by: Taehee Yoo Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 9e4636545933131de15e1ecd06733538ae939b2f Author: Al Viro Date: Tue May 26 18:39:49 2020 -0400 copy_xstate_to_kernel(): don't leave parts of destination uninitialized copy the corresponding pieces of init_fpstate into the gaps instead. Cc: stable@kernel.org Tested-by: Alexander Potapenko Acked-by: Borislav Petkov Signed-off-by: Al Viro commit 183be6f967fe37c3154bfac39e913c3bafe89d1b Author: Vladimir Oltean Date: Wed May 27 19:48:03 2020 +0300 net: dsa: felix: send VLANs on CPU port as egress-tagged As explained in other commits before (b9cd75e66895 and 87b0f983f66f), ocelot switches have a single egress-untagged VLAN per port, and the driver would deny adding a second one while an egress-untagged VLAN already exists. But on the CPU port (where the VLAN configuration is implicit, because there is no net device for the bridge to control), the DSA core attempts to add a VLAN using the same flags as were used for the front-panel port. This would make adding any untagged VLAN fail due to the CPU port rejecting the configuration: bridge vlan add dev swp0 vid 100 pvid untagged [ 1865.854253] mscc_felix 0000:00:00.5: Port already has a native VLAN: 1 [ 1865.860824] mscc_felix 0000:00:00.5: Failed to add VLAN 100 to port 5: -16 (note that port 5 is the CPU port and not the front-panel swp0). So this hardware will send all VLANs as tagged towards the CPU. Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit b3b6a84c6a920c60fd1393c43818b3955441424b Author: Arnd Bergmann Date: Wed May 27 15:51:13 2020 +0200 bridge: multicast: work around clang bug Clang-10 and clang-11 run into a corner case of the register allocator on 32-bit ARM, leading to excessive stack usage from register spilling: net/bridge/br_multicast.c:2422:6: error: stack frame size of 1472 bytes in function 'br_multicast_get_stats' [-Werror,-Wframe-larger-than=] Work around this by marking one of the internal functions as noinline_for_stack. Link: https://bugs.llvm.org/show_bug.cgi?id=45802#c9 Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller commit 9210c075cef29c1f764b4252f93105103bdfb292 Author: Dongli Zhang Date: Wed May 27 09:13:52 2020 -0700 nvme-pci: avoid race between nvme_reap_pending_cqes() and nvme_poll() There may be a race between nvme_reap_pending_cqes() and nvme_poll(), e.g., when doing live reset while polling the nvme device. CPU X CPU Y nvme_poll() nvme_dev_disable() -> nvme_stop_queues() -> nvme_suspend_io_queues() -> nvme_suspend_queue() -> spin_lock(&nvmeq->cq_poll_lock); -> nvme_reap_pending_cqes() -> nvme_process_cq() -> nvme_process_cq() In the above scenario, the nvme_process_cq() for the same queue may be running on both CPU X and CPU Y concurrently. It is much more easier to reproduce the issue when CONFIG_PREEMPT is enabled in kernel. When CONFIG_PREEMPT is disabled, it would take longer time for nvme_stop_queues()-->blk_mq_quiesce_queue() to wait for grace period. This patch protects nvme_process_cq() with nvmeq->cq_poll_lock in nvme_reap_pending_cqes(). Fixes: fa46c6fb5d61 ("nvme/pci: move cqe check after device shutdown") Signed-off-by: Dongli Zhang Reviewed-by: Ming Lei Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 Author: Stefano Garzarella Date: Wed May 27 09:56:55 2020 +0200 vsock: fix timeout in vsock_accept() The accept(2) is an "input" socket interface, so we should use SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout. So this patch replace sock_sndtimeo() with sock_rcvtimeo() to use the right timeout in the vsock_accept(). Fixes: d021c344051a ("VSOCK: Introduce VM Sockets") Signed-off-by: Stefano Garzarella Reviewed-by: Jorgen Hansen Signed-off-by: David S. Miller commit 5b186cd60f033110960a3db424ffbd6de4cee528 Author: Heinrich Kuhn Date: Wed May 27 09:44:20 2020 +0200 nfp: flower: fix used time of merge flow statistics Prior to this change the correct value for the used counter is calculated but not stored nor, therefore, propagated to user-space. In use-cases such as OVS use-case at least this results in active flows being removed from the hardware datapath. Which results in both unnecessary flow tear-down and setup, and packet processing on the host. This patch addresses the problem by saving the calculated used value which allows the value to propagate to user-space. Found by inspection. Fixes: aa6ce2ea0c93 ("nfp: flower: support stats update for merge flows") Signed-off-by: Heinrich Kuhn Signed-off-by: Simon Horman Signed-off-by: David S. Miller commit bb2f930d6dd708469a587dc9ed1efe1ef969c0bf Author: Davide Caratti Date: Wed May 27 02:04:26 2020 +0200 net/sched: fix infinite loop in sch_fq_pie this command hangs forever: # tc qdisc add dev eth0 root fq_pie flows 65536 watchdog: BUG: soft lockup - CPU#1 stuck for 23s! [tc:1028] [...] CPU: 1 PID: 1028 Comm: tc Not tainted 5.7.0-rc6+ #167 RIP: 0010:fq_pie_init+0x60e/0x8b7 [sch_fq_pie] Code: 4c 89 65 50 48 89 f8 48 c1 e8 03 42 80 3c 30 00 0f 85 2a 02 00 00 48 8d 7d 10 4c 89 65 58 48 89 f8 48 c1 e8 03 42 80 3c 30 00 <0f> 85 a7 01 00 00 48 8d 7d 18 48 c7 45 10 46 c3 23 00 48 89 f8 48 RSP: 0018:ffff888138d67468 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: 1ffff9200018d2b2 RBX: ffff888139c1c400 RCX: ffffffffffffffff RDX: 000000000000c5e8 RSI: ffffc900000e5000 RDI: ffffc90000c69590 RBP: ffffc90000c69580 R08: fffffbfff79a9699 R09: fffffbfff79a9699 R10: 0000000000000700 R11: fffffbfff79a9698 R12: ffffc90000c695d0 R13: 0000000000000000 R14: dffffc0000000000 R15: 000000002347c5e8 FS: 00007f01e1850e40(0000) GS:ffff88814c880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000067c340 CR3: 000000013864c000 CR4: 0000000000340ee0 Call Trace: qdisc_create+0x3fd/0xeb0 tc_modify_qdisc+0x3be/0x14a0 rtnetlink_rcv_msg+0x5f3/0x920 netlink_rcv_skb+0x121/0x350 netlink_unicast+0x439/0x630 netlink_sendmsg+0x714/0xbf0 sock_sendmsg+0xe2/0x110 ____sys_sendmsg+0x5b4/0x890 ___sys_sendmsg+0xe9/0x160 __sys_sendmsg+0xd3/0x170 do_syscall_64+0x9a/0x370 entry_SYSCALL_64_after_hwframe+0x44/0xa9 we can't accept 65536 as a valid number for 'nflows', because the loop on 'idx' in fq_pie_init() will never end. The extack message is correct, but it doesn't say that 0 is not a valid number for 'flows': while at it, fix this also. Add a tdc selftest to check correct validation of 'flows'. CC: Ivan Vecera Fixes: ec97ecf1ebe4 ("net: sched: add Flow Queue PIE packet scheduler") Signed-off-by: Davide Caratti Reviewed-by: Ivan Vecera Signed-off-by: David S. Miller commit b0c3ba31be3e45a130e13b278cf3b90f69bda6f6 Merge: 3301f6ae2d4c f17936993af0 Author: Linus Torvalds Date: Wed May 27 11:03:24 2020 -0700 Merge tag 'fsnotify_for_v5.7-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs Pull fanotify FAN_DIR_MODIFY disabling from Jan Kara: "A single patch that disables FAN_DIR_MODIFY support that was merged in this merge window. When discussing further functionality we realized it may be more logical to guard it with a feature flag or to call things slightly differently (or maybe not) so let's not set the API in stone for now." * tag 'fsnotify_for_v5.7-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs: fanotify: turn off support for FAN_DIR_MODIFY commit 3301f6ae2d4cb396ae0c103329a5680d14f7a5c6 Merge: 006f38a1c3dc eec8fd0277e3 Author: Linus Torvalds Date: Wed May 27 10:58:19 2020 -0700 Merge branch 'for-5.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup Pull cgroup fixes from Tejun Heo: - Reverted stricter synchronization for cgroup recursive stats which was prepping it for event counter usage which never got merged. The change was causing performation regressions in some cases. - Restore bpf-based device-cgroup operation even when cgroup1 device cgroup is disabled. - An out-param init fix. * 'for-5.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup: device_cgroup: Cleanup cgroup eBPF device filter code xattr: fix uninitialized out-param Revert "cgroup: Add memory barriers to plug cgroup_rstat_updated() race window" commit c85f4abe66bea0b5db8d28d55da760c4fe0a0301 Author: Jason Gunthorpe Date: Wed May 27 16:55:34 2020 +0300 RDMA/core: Fix double destruction of uobject Fix use after free when user user space request uobject concurrently for the same object, within the RCU grace period. In that case, remove_handle_idr_uobject() is called twice and we will have an extra put on the uobject which cause use after free. Fix it by leaving the uobject write locked after it was removed from the idr. Call to rdma_lookup_put_uobject with UVERBS_LOOKUP_DESTROY instead of UVERBS_LOOKUP_WRITE will do the work. refcount_t: underflow; use-after-free. WARNING: CPU: 0 PID: 1381 at lib/refcount.c:28 refcount_warn_saturate+0xfe/0x1a0 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 1381 Comm: syz-executor.0 Not tainted 5.5.0-rc3 #8 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0x94/0xce panic+0x234/0x56f __warn+0x1cc/0x1e1 report_bug+0x200/0x310 fixup_bug.part.11+0x32/0x80 do_error_trap+0xd3/0x100 do_invalid_op+0x31/0x40 invalid_op+0x1e/0x30 RIP: 0010:refcount_warn_saturate+0xfe/0x1a0 Code: 0f 0b eb 9b e8 23 f6 6d ff 80 3d 6c d4 19 03 00 75 8d e8 15 f6 6d ff 48 c7 c7 c0 02 55 bd c6 05 57 d4 19 03 01 e8 a2 58 49 ff <0f> 0b e9 6e ff ff ff e8 f6 f5 6d ff 80 3d 42 d4 19 03 00 0f 85 5c RSP: 0018:ffffc90002df7b98 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff88810f6a193c RCX: ffffffffba649009 RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88811b0283cc RBP: 0000000000000003 R08: ffffed10236060e3 R09: ffffed10236060e3 R10: 0000000000000001 R11: ffffed10236060e2 R12: ffff88810f6a193c R13: ffffc90002df7d60 R14: 0000000000000000 R15: ffff888116ae6a08 uverbs_uobject_put+0xfd/0x140 __uobj_perform_destroy+0x3d/0x60 ib_uverbs_close_xrcd+0x148/0x170 ib_uverbs_write+0xaa5/0xdf0 __vfs_write+0x7c/0x100 vfs_write+0x168/0x4a0 ksys_write+0xc8/0x200 do_syscall_64+0x9c/0x390 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x465b49 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f759d122c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 0000000000465b49 RDX: 000000000000000c RSI: 0000000020000080 RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f759d1236bc R13: 00000000004ca27c R14: 000000000070de40 R15: 00000000ffffffff Dumping ftrace buffer: (ftrace buffer empty) Kernel Offset: 0x39400000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) Fixes: 7452a3c745a2 ("IB/uverbs: Allow RDMA_REMOVE_DESTROY to work concurrently with disassociate") Link: https://lore.kernel.org/r/20200527135534.482279-1-leon@kernel.org Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit f17936993af054b16725d0c54baa58115f9e052a Author: Amir Goldstein Date: Wed May 27 15:54:55 2020 +0300 fanotify: turn off support for FAN_DIR_MODIFY FAN_DIR_MODIFY has been enabled by commit 44d705b0370b ("fanotify: report name info for FAN_DIR_MODIFY event") in 5.7-rc1. Now we are planning further extensions to the fanotify API and during that we realized that FAN_DIR_MODIFY may behave slightly differently to be more consistent with extensions we plan. So until we finalize these extensions, let's not bind our hands with exposing FAN_DIR_MODIFY to userland. Signed-off-by: Amir Goldstein Signed-off-by: Jan Kara commit 006f38a1c3dcbe237a75e725fe457bd59cb489c4 Merge: 444fc5cde643 a4ae32c71fe9 Author: Linus Torvalds Date: Wed May 27 09:53:25 2020 -0700 Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull execve fix from Eric Biederman: "While working on my exec cleanups I found a bug in exec that winds up miscomputing the ambient credentials during exec. Andy appears to have to been confused as to why credentials are computed for both the script and the interpreter From the original patch description: [3] Linux very confusingly processes both the script and the interpreter if applicable, for reasons that elude me. The results from thinking about a script's file capabilities and/or setuid bits are mostly discarded. The only value in struct cred that gets changed in cap_bprm_set_creds that I could find that might persist between the script and the interpreter was cap_ambient. Which is fixed with this trivial change" * 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: exec: Always set cap_ambient in cap_bprm_set_creds commit ed3119e45519880a246b085ba6a96aa1074da532 Author: Krzysztof Kozlowski Date: Mon May 18 14:08:55 2020 +0200 x86: Hide the archdata.iommu field behind generic IOMMU_API There is a generic, kernel wide configuration symbol for enabling the IOMMU specific bits: CONFIG_IOMMU_API. Implementations (including INTEL_IOMMU and AMD_IOMMU driver) select it so use it here as well. This makes the conditional archdata.iommu field consistent with other platforms and also fixes any compile test builds of other IOMMU drivers, when INTEL_IOMMU or AMD_IOMMU are not selected). For the case when INTEL_IOMMU/AMD_IOMMU and COMPILE_TEST are not selected, this should create functionally equivalent code/choice. With COMPILE_TEST this field could appear if other IOMMU drivers are chosen but neither INTEL_IOMMU nor AMD_IOMMU are not. Reported-by: kbuild test robot Fixes: e93a1695d7fb ("iommu: Enable compile testing for some of drivers") Signed-off-by: Krzysztof Kozlowski Acked-by: Borislav Petkov Link: https://lore.kernel.org/r/20200518120855.27822-2-krzk@kernel.org Signed-off-by: Joerg Roedel commit e18a8c104d777af46aa5c8573c8a19ba2b5de597 Author: Krzysztof Kozlowski Date: Mon May 18 14:08:54 2020 +0200 ia64: Hide the archdata.iommu field behind generic IOMMU_API There is a generic, kernel wide configuration symbol for enabling the IOMMU specific bits: CONFIG_IOMMU_API. Implementations (including INTEL_IOMMU driver) select it so use it here as well. This makes the conditional archdata.iommu field consistent with other platforms and also fixes any compile test builds of other IOMMU drivers, when INTEL_IOMMU is not selected). For the case when INTEL_IOMMU and COMPILE_TEST are not selected, this should create functionally equivalent code/choice. With COMPILE_TEST this field could appear if other IOMMU drivers are chosen but INTEL_IOMMU not. Reported-by: kbuild test robot Fixes: e93a1695d7fb ("iommu: Enable compile testing for some of drivers") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200518120855.27822-1-krzk@kernel.org Signed-off-by: Joerg Roedel commit ad3073bcb903674b11ba3395361f3b94806bb2b6 Merge: e75dfba311f4 98f7d1b15e87 Author: Linus Walleij Date: Wed May 27 15:38:26 2020 +0200 Merge tag 'gpio-fixes-for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into fixes gpio fixes for v5.7 - fix mutex and spinlock ordering in gpio-mlxbf2 - fix the return value checks on devm_platform_ioremap_resource in gpio-pxa and gpio-bcm-kona commit 4946ea5c1237036155c3b3a24f049fd5f849f8f6 Author: Pablo Neira Ayuso Date: Wed May 27 12:24:10 2020 +0200 netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build >> include/linux/netfilter/nf_conntrack_pptp.h:13:20: warning: 'const' type qualifier on return type has no effect [-Wignored-qualifiers] extern const char *const pptp_msg_name(u_int16_t msg); ^~~~~~ Reported-by: kbuild test robot Fixes: 4c559f15efcc ("netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code") Signed-off-by: Pablo Neira Ayuso commit 94945ad2b330207cded0fd8d4abebde43a776dfb Author: Pablo Neira Ayuso Date: Wed May 27 12:17:34 2020 +0200 netfilter: conntrack: comparison of unsigned in cthelper confirmation net/netfilter/nf_conntrack_core.c: In function nf_confirm_cthelper: net/netfilter/nf_conntrack_core.c:2117:15: warning: comparison of unsigned expression in < 0 is always false [-Wtype-limits] 2117 | if (protoff < 0 || (frag_off & htons(~0x7)) != 0) | ^ ipv6_skip_exthdr() returns a signed integer. Reported-by: Colin Ian King Fixes: 703acd70f249 ("netfilter: nfnetlink_cthelper: unbreak userspace helper support") Signed-off-by: Pablo Neira Ayuso commit 46c1e0621a72e0469ec4edfdb6ed4d387ec34f8a Author: Nathan Chancellor Date: Wed May 27 01:10:39 2020 -0700 netfilter: conntrack: Pass value of ctinfo to __nf_conntrack_update Clang warns: net/netfilter/nf_conntrack_core.c:2068:21: warning: variable 'ctinfo' is uninitialized when used here [-Wuninitialized] nf_ct_set(skb, ct, ctinfo); ^~~~~~ net/netfilter/nf_conntrack_core.c:2024:2: note: variable 'ctinfo' is declared here enum ip_conntrack_info ctinfo; ^ 1 warning generated. nf_conntrack_update was split up into nf_conntrack_update and __nf_conntrack_update, where the assignment of ctinfo is in nf_conntrack_update but it is used in __nf_conntrack_update. Pass the value of ctinfo from nf_conntrack_update to __nf_conntrack_update so that uninitialized memory is not used and everything works properly. Fixes: ee04805ff54a ("netfilter: conntrack: make conntrack userspace helpers work again") Link: https://github.com/ClangBuiltLinux/linux/issues/1039 Signed-off-by: Nathan Chancellor Signed-off-by: Pablo Neira Ayuso commit fb33c114d3ed5bdac230716f5b0a93b56b92a90d Author: Jeff Layton Date: Wed May 20 10:36:07 2020 -0400 ceph: flush release queue when handling caps for unknown inode It's possible for the VFS to completely forget about an inode, but for it to still be sitting on the cap release queue. If the MDS sends the client a cap message for such an inode, it just ignores it today, which can lead to a stall of up to 5s until the cap release queue is flushed. If we get a cap message for an inode that can't be located, then go ahead and flush the cap release queue. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/45532 Fixes: 1e9c2eb6811e ("ceph: delete stale dentry when last reference is dropped") Reported-and-Tested-by: Andrej Filipčič Suggested-by: Yan, Zheng Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov commit 890bd0f8997ae6ac0a367dd5146154a3963306dd Author: Jerry Lee Date: Mon May 18 16:03:09 2020 +0800 libceph: ignore pool overlay and cache logic on redirects OSD client should ignore cache/overlay flag if got redirect reply. Otherwise, the client hangs when the cache tier is in forward mode. [ idryomov: Redirects are effectively deprecated and no longer used or tested. The original tiering modes based on redirects are inherently flawed because redirects can race and reorder, potentially resulting in data corruption. The new proxy and readproxy tiering modes should be used instead of forward and readforward. Still marking for stable as obviously correct, though. ] Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/23296 URL: https://tracker.ceph.com/issues/36406 Signed-off-by: Jerry Lee Reviewed-by: Ilya Dryomov Signed-off-by: Ilya Dryomov commit 630e36126e420e1756378b3427b42711ce0b9ddd Author: Kailang Yang Date: Wed May 27 14:10:26 2020 +0800 ALSA: hda/realtek - Add new codec supported for ALC287 Enable new codec supported for ALC287. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/dcf5ce5507104d0589a917cbb71dc3c6@realtek.com Signed-off-by: Takashi Iwai commit a4976a3ef844c510ae9120290b23e9f3f47d6bce Author: Eric Dumazet Date: Tue May 26 17:28:56 2020 -0700 crypto: chelsio/chtls: properly set tp->lsndtime TCP tp->lsndtime unit/base is tcp_jiffies32, not tcp_time_stamp() Fixes: 36bedb3f2e5b ("crypto: chtls - Inline TLS record Tx") Signed-off-by: Eric Dumazet Cc: Ayush Sawal Cc: Vinay Kumar Yadav Signed-off-by: David S. Miller commit 642aa86eaf8f1e6fe894f20fd7f12f0db52ee03c Author: Dennis Kadioglu Date: Tue May 26 23:03:13 2020 -0700 Input: synaptics - add a second working PNP_ID for Lenovo T470s The Lenovo Thinkpad T470s I own has a different touchpad with "LEN007a" instead of the already included PNP ID "LEN006c". However, my touchpad seems to work well without any problems using RMI. So this patch adds the other PNP ID. Signed-off-by: Dennis Kadioglu Link: https://lore.kernel.org/r/ff770543cd53ae818363c0fe86477965@mail.eclipso.de Signed-off-by: Dmitry Torokhov commit 7f5ad9c9003425175f46c94df380e8c9e558cfb5 Author: Takashi Iwai Date: Tue May 26 10:28:10 2020 +0200 ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio Gigabyte TRX40 Aorus Master is equipped with two USB-audio devices, a Realtek ALC1220-VB codec (USB ID 0414:a001) and an ESS SABRE9218 DAC (USB ID 0414:a000). The latter serves solely for the headphone output on the front panel while the former serves for the rest I/Os (mostly for the I/Os in the rear panel but also including the front mic). Both chips do work more or less with the unmodified USB-audio driver, but there are a few glitches. The ALC1220-VB returns an error for an inquiry to some jacks, as already seen on other TRX40-based mobos. However this machine has a slightly incompatible configuration, hence the existing mapping cannot be used as is. Meanwhile the ESS chip seems working without any quirk. But since both audio devices don't provide any specific names, both cards appear as "USB-Audio", and it's quite confusing for users. This patch is an attempt to overcome those issues: - The specific mapping table for ALC1220-VB is provided, reducing the non-working nodes and renaming the badly chosen controls. The connector map isn't needed here unlike other TRX40 quirks. - For both USB IDs (0414:a000 and 0414:a001), provide specific card name strings, so that user-space can identify more easily; and more importantly, UCM profile can be applied to each. Reported-by: Linus Torvalds Cc: Link: https://lore.kernel.org/r/20200526082810.29506-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 9a233d329ec5cd2dd64737d24018c1463ad88f26 Author: Chris Packham Date: Tue May 26 10:55:59 2020 +1200 net: sctp: Fix spelling in Kconfig help Change 'handeled' to 'handled' in the Kconfig help for SCTP. Signed-off-by: Chris Packham Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit 09cb9f269bac3ed667105cbbd8600b7f37ba9193 Merge: 591612aa578c 2a5a8800fa91 Author: David S. Miller Date: Tue May 26 20:30:48 2020 -0700 Merge branch 'bnxt_en-Bug-fixes' Michael Chan says: ==================== bnxt_en: Bug fixes. 3 bnxt_en driver fixes, covering a bug in preserving the counters during some resets, proper error code when flashing NVRAM fails, and an endian bug when extracting the firmware response message length. ==================== Signed-off-by: David S. Miller commit 2a5a8800fa915bd9bc272c91ca64728e6aa84c0a Author: Edwin Peer Date: Mon May 25 17:41:19 2020 -0400 bnxt_en: fix firmware message length endianness The explicit mask and shift is not the appropriate way to parse fields out of a little endian struct. The length field is internally __le16 and the strategy employed only happens to work on little endian machines because the offset used is actually incorrect (length is at offset 6). Also remove the related and no longer used definitions from bnxt.h. Fixes: 845adfe40c2a ("bnxt_en: Improve valid bit checking in firmware response message.") Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: David S. Miller commit 95ec1f470b976858264d7635a6ef76bc33c3875b Author: Vasundhara Volam Date: Mon May 25 17:41:18 2020 -0400 bnxt_en: Fix return code to "flash_device". When NVRAM directory is not found, return the error code properly as per firmware command failure instead of the hardcode -ENOBUFS. Fixes: 3a707bed13b7 ("bnxt_en: Return -EAGAIN if fw command returns BUSY") Signed-off-by: Vasundhara Volam Signed-off-by: Michael Chan Signed-off-by: David S. Miller commit b8056e8434b037fdab08158fea99ed7bc8ef3a74 Author: Michael Chan Date: Mon May 25 17:41:17 2020 -0400 bnxt_en: Fix accumulation of bp->net_stats_prev. We have logic to maintain network counters across resets by storing the counters in bp->net_stats_prev before reset. But not all resets will clear the counters. Certain resets that don't need to change the number of rings do not clear the counters. The current logic accumulates the counters before all resets, causing big jumps in the counters after some resets, such as ethtool -G. Fix it by only accumulating the counters during reset if the irq_re_init parameter is set. The parameter signifies that all rings and interrupts will be reset and that means that the counters will also be reset. Reported-by: Vijayendra Suman Fixes: b8875ca356f1 ("bnxt_en: Save ring statistics before reset.") Signed-off-by: Michael Chan Signed-off-by: David S. Miller commit 591612aa578cd7148b7b9d74869ef40118978389 Author: Daniele Palmas Date: Mon May 25 23:25:37 2020 +0200 net: usb: qmi_wwan: add Telit LE910C1-EUX composition Add support for Telit LE910C1-EUX composition 0x1031: tty, tty, tty, rmnet Signed-off-by: Daniele Palmas Acked-by: Bjørn Mork Signed-off-by: David S. Miller commit 6dd912f82680761d8fb6b1bb274a69d4c7010988 Author: Willem de Bruijn Date: Mon May 25 15:07:40 2020 -0400 net: check untrusted gso_size at kernel entry Syzkaller again found a path to a kernel crash through bad gso input: a packet with gso size exceeding len. These packets are dropped in tcp_gso_segment and udp[46]_ufo_fragment. But they may affect gso size calculations earlier in the path. Now that we have thlen as of commit 9274124f023b ("net: stricter validation of untrusted gso packets"), check gso_size at entry too. Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") Reported-by: syzbot Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller commit 0a82e230c68860b7286dad8644d9d9f7cfd755d2 Author: Paolo Abeni Date: Mon May 25 16:38:47 2020 +0200 mptcp: avoid NULL-ptr derefence on fallback In the MPTCP receive path we must cope with TCP fallback on blocking recvmsg(). Currently in such code path we detect the fallback condition, but we don't fetch the struct socket required for fallback. The above allowed syzkaller to trigger a NULL pointer dereference: general protection fault, probably for non-canonical address 0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027] CPU: 1 PID: 7226 Comm: syz-executor523 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:sock_recvmsg_nosec net/socket.c:886 [inline] RIP: 0010:sock_recvmsg+0x92/0x110 net/socket.c:904 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 44 89 6c 24 04 e8 53 18 1d fb 4d 8d 6f 20 4c 89 e8 48 c1 e8 03 48 b9 00 00 00 00 00 fc ff df <80> 3c 08 00 74 08 4c 89 ef e8 20 12 5b fb bd a0 00 00 00 49 03 6d RSP: 0018:ffffc90001077b98 EFLAGS: 00010202 RAX: 0000000000000004 RBX: ffffc90001077dc0 RCX: dffffc0000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: ffffffff86565e59 R09: ffffed10115afeaa R10: ffffed10115afeaa R11: 0000000000000000 R12: 1ffff9200020efbc R13: 0000000000000020 R14: ffffc90001077de0 R15: 0000000000000000 FS: 00007fc6a3abe700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004d0050 CR3: 00000000969f0000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: mptcp_recvmsg+0x18d5/0x19b0 net/mptcp/protocol.c:891 inet_recvmsg+0xf6/0x1d0 net/ipv4/af_inet.c:838 sock_recvmsg_nosec net/socket.c:886 [inline] sock_recvmsg net/socket.c:904 [inline] __sys_recvfrom+0x2f3/0x470 net/socket.c:2057 __do_sys_recvfrom net/socket.c:2075 [inline] __se_sys_recvfrom net/socket.c:2071 [inline] __x64_sys_recvfrom+0xda/0xf0 net/socket.c:2071 do_syscall_64+0xf3/0x1b0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Address the issue initializing the struct socket reference before entering the fallback code. Reported-and-tested-by: syzbot+c6bfc3db991edc918432@syzkaller.appspotmail.com Suggested-by: Ondrej Mosnacek Fixes: 8ab183deb26a ("mptcp: cope with later TCP fallback") Signed-off-by: Paolo Abeni Reviewed-by: Mat Martineau Signed-off-by: David S. Miller commit a76f274182f054481182c81cd62bb8794a5450a6 Author: Vinod Koul Date: Thu May 21 10:57:28 2020 +0530 clk: qcom: gcc: Fix parent for gpll0_out_even Documentation says that gpll0 is parent of gpll0_out_even, somehow driver coded that as bi_tcxo, so fix it Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150") Reported-by: Jonathan Marek Signed-off-by: Vinod Koul Link: https://lkml.kernel.org/r/20200521052728.2141377-1-vkoul@kernel.org Reviewed-by: Bjorn Andersson Signed-off-by: Stephen Boyd commit 3a4ef4ca1166d4bad5649c27028906ea92324cc3 Author: Jonathan Marek Date: Sat May 23 00:09:47 2020 -0400 clk: qcom: sm8250 gcc depends on QCOM_GDSC The driver will always fail to probe without QCOM_GDSC, so select it. Signed-off-by: Jonathan Marek Link: https://lkml.kernel.org/r/20200523040947.31946-1-jonathan@marek.ca Reviewed-by: Bjorn Andersson Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") Signed-off-by: Stephen Boyd commit f2fb6b6275eba9d312957ca44c487bd780da6169 Author: Fugang Duan Date: Mon May 25 16:18:14 2020 +0800 net: stmmac: enable timestamp snapshot for required PTP packets in dwmac v5.10a For rx filter 'HWTSTAMP_FILTER_PTP_V2_EVENT', it should be PTP v2/802.AS1, any layer, any kind of event packet, but HW only take timestamp snapshot for below PTP message: sync, Pdelay_req, Pdelay_resp. Then it causes below issue when test E2E case: ptp4l[2479.534]: port 1: received DELAY_REQ without timestamp ptp4l[2481.423]: port 1: received DELAY_REQ without timestamp ptp4l[2481.758]: port 1: received DELAY_REQ without timestamp ptp4l[2483.524]: port 1: received DELAY_REQ without timestamp ptp4l[2484.233]: port 1: received DELAY_REQ without timestamp ptp4l[2485.750]: port 1: received DELAY_REQ without timestamp ptp4l[2486.888]: port 1: received DELAY_REQ without timestamp ptp4l[2487.265]: port 1: received DELAY_REQ without timestamp ptp4l[2487.316]: port 1: received DELAY_REQ without timestamp Timestamp snapshot dependency on register bits in received path: SNAPTYPSEL TSMSTRENA TSEVNTENA PTP_Messages 01 x 0 SYNC, Follow_Up, Delay_Req, Delay_Resp, Pdelay_Req, Pdelay_Resp, Pdelay_Resp_Follow_Up 01 0 1 SYNC, Pdelay_Req, Pdelay_Resp For dwmac v5.10a, enabling all events by setting register DWC_EQOS_TIME_STAMPING[SNAPTYPSEL] to 2’b01, clearing bit [TSEVNTENA] to 0’b0, which can support all required events. Signed-off-by: Fugang Duan Signed-off-by: David S. Miller commit 4d5c32ec7512ac17986288ccbb158a14b21fc937 Merge: 963bdfc75cfa 1fd1c768f362 Author: David S. Miller Date: Tue May 26 16:06:07 2020 -0700 Merge branch 'nexthop-group-fixes' David Ahern says: ==================== nexthops: Fix 2 fundamental flaws with nexthop groups Nik's torture tests have exposed 2 fundamental mistakes with the initial nexthop code for groups. First, the nexthops entries and num_nh in the nh_grp struct should not be modified once the struct is set under rcu. Doing so has major affects on the datapath seeing valid nexthop entries. Second, the helpers in the header file were convenient for not repeating code, but they cause datapath walks to potentially see 2 different group structs after an rcu replace, disrupting a walk of the path objects. This second problem applies solely to IPv4 as I re-used too much of the existing code in walking legs of a multipath route. Patches 1 is refactoring change to simplify the overhead of reviewing and understanding the change in patch 2 which fixes the update of nexthop groups when a compnent leg is removed. Patches 3-5 address the second problem. Patch 3 inlines the multipath check such that the mpath lookup and subsequent calls all use the same nh_grp struct. Patches 4 and 5 fix datapath uses of fib_info_num_path with iterative calls to fib_info_nhc. fib_info_num_path can be used in control plane path in a 'for loop' with subsequent fib_info_nhc calls to get each leg since the nh_grp struct is only changed while holding the rtnl; the combination can not be used in the data plane with external nexthops as it involves repeated dereferences of nh_grp struct which can change between calls. Similarly, nexthop_is_multipath can be used for branching decisions in the datapath since the nexthop type can not be changed (a group can not be converted to standalone and vice versa). Patch set developed in coordination with Nikolay Aleksandrov. He did a lot of work creating a good reproducer, discussing options to fix it and testing iterations. I have adapted Nik's commands into additional tests in the nexthops selftest script which I will send against -next. v2 - fixed whitespace errors ==================== Signed-off-by: David S. Miller commit 1fd1c768f3624a5e66766e7b4ddb9b607cd834a5 Author: David Ahern Date: Tue May 26 12:56:18 2020 -0600 ipv4: nexthop version of fib_info_nh_uses_dev Similar to the last path, need to fix fib_info_nh_uses_dev for external nexthops to avoid referencing multiple nh_grp structs. Move the device check in fib_info_nh_uses_dev to a helper and create a nexthop version that is called if the fib_info uses an external nexthop. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: David Ahern Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller commit af7888ad9edbd8ba7f6449d1c27ce281ad4b26fd Author: David Ahern Date: Tue May 26 12:56:17 2020 -0600 ipv4: Refactor nhc evaluation in fib_table_lookup FIB lookups can return an entry that references an external nexthop. While walking the nexthop struct we do not want to make multiple calls into the nexthop code which can result in 2 different structs getting accessed - one returning the number of paths the rest of the loop seeing a different nh_grp struct. If the nexthop group shrunk, the result is an attempt to access a fib_nh_common that does not exist for the new nh_grp struct but did for the old one. To fix that move the device evaluation code to a helper that can be used for inline fib_nh path as well as external nexthops. Update the existing check for fi->nh in fib_table_lookup to call a new helper, nexthop_get_nhc_lookup, which walks the external nexthop with a single rcu dereference. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: David Ahern Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller commit 0b5e2e39739e861fa5fc84ab27a35dbe62a15330 Author: David Ahern Date: Tue May 26 12:56:16 2020 -0600 nexthop: Expand nexthop_is_multipath in a few places I got too fancy consolidating checks on multipath type. The result is that path lookups can access 2 different nh_grp structs as exposed by Nik's torture tests. Expand nexthop_is_multipath within nexthop.h to avoid multiple, nh_grp dereferences and make decisions based on the consistent struct. Only 2 places left using nexthop_is_multipath are within IPv6, both only check that the nexthop is a multipath for a branching decision which are acceptable. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: David Ahern Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller commit 90f33bffa382598a32cc82abfeb20adc92d041b6 Author: Nikolay Aleksandrov Date: Tue May 26 12:56:15 2020 -0600 nexthops: don't modify published nexthop groups We must avoid modifying published nexthop groups while they might be in use, otherwise we might see NULL ptr dereferences. In order to do that we allocate 2 nexthoup group structures upon nexthop creation and swap between them when we have to delete an entry. The reason is that we can't fail nexthop group removal, so we can't handle allocation failure thus we move the extra allocation on creation where we can safely fail and return ENOMEM. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: Nikolay Aleksandrov Signed-off-by: David Ahern Signed-off-by: David S. Miller commit ac21753a5c2c9a6a2019997481a2ac12bbde48c8 Author: David Ahern Date: Tue May 26 12:56:14 2020 -0600 nexthops: Move code from remove_nexthop_from_groups to remove_nh_grp_entry Move nh_grp dereference and check for removing nexthop group due to all members gone into remove_nh_grp_entry. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: David Ahern Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller commit a4ae32c71fe90794127b32d26d7ad795813b502e Author: Eric W. Biederman Date: Mon May 25 12:56:15 2020 -0500 exec: Always set cap_ambient in cap_bprm_set_creds An invariant of cap_bprm_set_creds is that every field in the new cred structure that cap_bprm_set_creds might set, needs to be set every time to ensure the fields does not get a stale value. The field cap_ambient is not set every time cap_bprm_set_creds is called, which means that if there is a suid or sgid script with an interpreter that has neither the suid nor the sgid bits set the interpreter should be able to accept ambient credentials. Unfortuantely because cap_ambient is not reset to it's original value the interpreter can not accept ambient credentials. Given that the ambient capability set is expected to be controlled by the caller, I don't think this is particularly serious. But it is definitely worth fixing so the code works correctly. I have tested to verify my reading of the code is correct and the interpreter of a sgid can receive ambient capabilities with this change and cannot receive ambient capabilities without this change. Cc: stable@vger.kernel.org Cc: Andy Lutomirski Fixes: 58319057b784 ("capabilities: ambient capabilities") Signed-off-by: "Eric W. Biederman" commit 18f855e574d9799a0e7489f8ae6fd8447d0dd74a Author: Jens Axboe Date: Tue May 26 09:38:31 2020 -0600 sched/fair: Don't NUMA balance for kthreads Stefano reported a crash with using SQPOLL with io_uring: BUG: kernel NULL pointer dereference, address: 00000000000003b0 CPU: 2 PID: 1307 Comm: io_uring-sq Not tainted 5.7.0-rc7 #11 RIP: 0010:task_numa_work+0x4f/0x2c0 Call Trace: task_work_run+0x68/0xa0 io_sq_thread+0x252/0x3d0 kthread+0xf9/0x130 ret_from_fork+0x35/0x40 which is task_numa_work() oopsing on current->mm being NULL. The task work is queued by task_tick_numa(), which checks if current->mm is NULL at the time of the call. But this state isn't necessarily persistent, if the kthread is using use_mm() to temporarily adopt the mm of a task. Change the task_tick_numa() check to exclude kernel threads in general, as it doesn't make sense to attempt ot balance for kthreads anyway. Reported-by: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Ingo Molnar Acked-by: Peter Zijlstra Link: https://lore.kernel.org/r/865de121-8190-5d30-ece5-3b097dc74431@kernel.dk commit 700d3a5a664df267f01ec8887fd2d8ff98f67e7f Author: Andy Lutomirski Date: Fri May 8 17:25:32 2020 -0700 x86/syscalls: Revert "x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long" Revert 45e29d119e99 ("x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long") and add a comment to discourage someone else from making the same mistake again. It turns out that some user code fails to compile if __X32_SYSCALL_BIT is unsigned long. See, for example [1] below. [ bp: Massage and do the same thing in the respective tools/ header. ] Fixes: 45e29d119e99 ("x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long") Reported-by: Thorsten Glaser Signed-off-by: Andy Lutomirski Signed-off-by: Borislav Petkov Cc: stable@kernel.org Link: [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954294 Link: https://lkml.kernel.org/r/92e55442b744a5951fdc9cfee10badd0a5f7f828.1588983892.git.luto@kernel.org commit 595d153dd1022392083ac93a1550382cbee127e0 Author: Michael Ellerman Date: Tue May 26 16:18:08 2020 +1000 powerpc/64s: Fix restore of NV GPRs after facility unavailable exception Commit 702f09805222 ("powerpc/64s/exception: Remove lite interrupt return") changed the interrupt return path to not restore non-volatile registers by default, and explicitly restore them in paths where it is required. But it missed that the facility unavailable exception can sometimes modify user registers, ie. when it does emulation of move from DSCR. This is seen as a failure of the dscr_sysfs_thread_test: test: dscr_sysfs_thread_test [cpu 0] User DSCR should be 1 but is 0 failure: dscr_sysfs_thread_test So restore non-volatile GPRs after facility unavailable exceptions. Currently the hypervisor facility unavailable exception is also wired up to call facility_unavailable_exception(). In practice we should never take a hypervisor facility unavailable exception for the DSCR. On older bare metal systems we set HFSCR_DSCR unconditionally in __init_HFSCR, or on newer systems it should be enabled via the "data-stream-control-register" device tree CPU feature. Even if it's not, since commit f3c99f97a3cd ("KVM: PPC: Book3S HV: Don't access HFSCR, LPIDR or LPCR when running nested"), the KVM code has unconditionally set HFSCR_DSCR when running guests. So we should only get a hypervisor facility unavailable for the DSCR if skiboot has disabled the "data-stream-control-register" feature, and we are somehow in guest context but not via KVM. Given all that, it should be unnecessary to add a restore of non-volatile GPRs after the hypervisor facility exception, because we never expect to hit that path. But equally we may as well add the restore, because we never expect to hit that path, and if we ever did, at least we would correctly restore the registers to their post emulation state. In future we can split the non-HV and HV facility unavailable handling so that there is no emulation in the HV handler, and then remove the restore for the HV case. Fixes: 702f09805222 ("powerpc/64s/exception: Remove lite interrupt return") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200526061808.2472279-1-mpe@ellerman.id.au commit 4020d1ccbe55bdf67b31d718d2400506eaf4b43f Author: Chris Chiu Date: Tue May 26 14:26:13 2020 +0800 ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC The Asus USB DAC is a USB type-C audio dongle for connecting to the headset and headphone. The volume minimum value -23040 which is 0xa600 in hexadecimal with the resolution value 1 indicates this should be endianness issue caused by the firmware bug. Add a volume quirk to fix the volume control problem. Also fixes this warning: Warning! Unlikely big volume range (=23040), cval->res is probably wrong. [5] FU [Headset Capture Volume] ch = 1, val = -23040/0/1 Warning! Unlikely big volume range (=23040), cval->res is probably wrong. [7] FU [Headset Playback Volume] ch = 1, val = -23040/0/1 Signed-off-by: Chris Chiu Cc: Link: https://lore.kernel.org/r/20200526062613.55401-1-chiu@endlessm.com Signed-off-by: Takashi Iwai commit 399c01aa49e548c82d40f8161915a5941dd3c60e Author: Takashi Iwai Date: Tue May 26 08:24:06 2020 +0200 ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround We fixed the regression of the speaker volume for some Thinkpad models (e.g. T570) by the commit 54947cd64c1b ("ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570"). Essentially it fixes the DAC / pin pairing by a static table. It was confirmed and merged to stable kernel later. Now, interestingly, we got another regression report for the very same model (T570) about the similar problem, and the commit above was the culprit. That is, by some reason, there are devices that prefer the DAC1, and another device DAC2! Unfortunately those have the same ID and we have no idea what can differentiate, in this patch, a new fixup model "tpt470-dock-fix" is provided, so that users with such a machine can apply it manually. When model=tpt470-dock-fix option is passed to snd-hda-intel module, it avoids the fixed DAC pairing and the DAC1 is assigned to the speaker like the earlier versions. Fixes: 54947cd64c1b ("ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570") BugLink: https://apibugzilla.suse.com/show_bug.cgi?id=1172017 Cc: Link: https://lore.kernel.org/r/20200526062406.9799-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit fb8cd6481ffd126f35e9e146a0dcf0c4e8899f2e Author: Changming Liu Date: Tue May 26 00:39:21 2020 +0000 ALSA: hwdep: fix a left shifting 1 by 31 UB bug The "info.index" variable can be 31 in "1 << info.index". This might trigger an undefined behavior since 1 is signed. Fix this by casting 1 to 1u just to be sure "1u << 31" is defined. Signed-off-by: Changming Liu Cc: Link: https://lore.kernel.org/r/BL0PR06MB4548170B842CB055C9AF695DE5B00@BL0PR06MB4548.namprd06.prod.outlook.com Signed-off-by: Takashi Iwai commit 963bdfc75cfa20c53bde64928af57a6ca175fc01 Merge: 1a6da4fcdd02 703acd70f249 Author: David S. Miller Date: Mon May 25 18:28:42 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Set VLAN tag in tcp reset/icmp unreachable packets to reject connections in the bridge family, from Michael Braun. 2) Incorrect subcounter flag update in ipset, from Phil Sutter. 3) Possible buffer overflow in the pptp conntrack helper, based on patch from Dan Carpenter. 4) Restore userspace conntrack helper hook logic that broke after hook consolidation rework. 5) Unbreak userspace conntrack helper registration via nfnetlink_cthelper. ==================== Signed-off-by: David S. Miller commit 1a6da4fcdd02d5cb2c1deaec1a5cc2b06efd2a4d Merge: 15c973858903 0bbab5f03015 Author: David S. Miller Date: Mon May 25 18:18:26 2020 -0700 Merge tag 'mac80211-for-net-2020-05-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 Johannes Berg says: ==================== A few changes: * fix a debugfs vs. wiphy rename crash * fix an invalid HE spec definition * fix a mesh timer crash ==================== Signed-off-by: David S. Miller commit 15c973858903009e995b2037683de29dfe968621 Author: Qiushi Wu Date: Mon May 25 03:24:39 2020 -0500 qlcnic: fix missing release in qlcnic_83xx_interrupt_test. In function qlcnic_83xx_interrupt_test(), function qlcnic_83xx_diag_alloc_res() is not handled by function qlcnic_83xx_diag_free_res() after a call of the function qlcnic_alloc_mbx_args() failed. Fix this issue by adding a jump target "fail_mbx_args", and jump to this new target when qlcnic_alloc_mbx_args() failed. Fixes: b6b4316c8b2f ("qlcnic: Handle qlcnic_alloc_mbx_args() failure") Signed-off-by: Qiushi Wu Signed-off-by: David S. Miller commit 5d14c304bfc14b4fd052dc83d5224376b48f52f0 Author: Vladimir Oltean Date: Mon May 25 00:22:51 2020 +0300 dpaa_eth: fix usage as DSA master, try 3 The dpaa-eth driver probes on compatible string for the MAC node, and the fman/mac.c driver allocates a dpaa-ethernet platform device that triggers the probing of the dpaa-eth net device driver. All of this is fine, but the problem is that the struct device of the dpaa_eth net_device is 2 parents away from the MAC which can be referenced via of_node. So of_find_net_device_by_node can't find it, and DSA switches won't be able to probe on top of FMan ports. It would be a bit silly to modify a core function (of_find_net_device_by_node) to look for dev->parent->parent->of_node just for one driver. We're just 1 step away from implementing full recursion. Actually there have already been at least 2 previous attempts to make this work: - Commit a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node") - One or more of the patches in "[v3,0/6] adapt DPAA drivers for DSA": https://patchwork.ozlabs.org/project/netdev/cover/1508178970-28945-1-git-send-email-madalin.bucur@nxp.com/ (I couldn't really figure out which one was supposed to solve the problem and how). Point being, it looks like this is still pretty much a problem today. On T1040, the /sys/class/net/eth0 symlink currently points to ../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/dpaa-ethernet.0/net/eth0 which pretty much illustrates the problem. The closest of_node we've got is the "fsl,fman-memac" at /soc@ffe000000/fman@400000/ethernet@e6000, which is what we'd like to be able to reference from DSA as host port. For of_find_net_device_by_node to find the eth0 port, we would need the parent of the eth0 net_device to not be the "dpaa-ethernet" platform device, but to point 1 level higher, aka the "fsl,fman-memac" node directly. The new sysfs path would look like this: ../../devices/platform/ffe000000.soc/ffe400000.fman/ffe4e6000.ethernet/net/eth0 And this is exactly what SET_NETDEV_DEV does. It sets the parent of the net_device. The new parent has an of_node associated with it, and of_dev_node_match already checks for the of_node of the device or of its parent. Fixes: a1a50c8e4c24 ("fsl/man: Inherit parent device and of_node") Fixes: c6e26ea8c893 ("dpaa_eth: change device used") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit 0cada33241d9de205522e3858b18e506ca5cce2c Author: Vinay Kumar Yadav Date: Sat May 23 01:40:31 2020 +0530 net/tls: fix race condition causing kernel panic tls_sw_recvmsg() and tls_decrypt_done() can be run concurrently. // tls_sw_recvmsg() if (atomic_read(&ctx->decrypt_pending)) crypto_wait_req(-EINPROGRESS, &ctx->async_wait); else reinit_completion(&ctx->async_wait.completion); //tls_decrypt_done() pending = atomic_dec_return(&ctx->decrypt_pending); if (!pending && READ_ONCE(ctx->async_notify)) complete(&ctx->async_wait.completion); Consider the scenario tls_decrypt_done() is about to run complete() if (!pending && READ_ONCE(ctx->async_notify)) and tls_sw_recvmsg() reads decrypt_pending == 0, does reinit_completion(), then tls_decrypt_done() runs complete(). This sequence of execution results in wrong completion. Consequently, for next decrypt request, it will not wait for completion, eventually on connection close, crypto resources freed, there is no way to handle pending decrypt response. This race condition can be avoided by having atomic_read() mutually exclusive with atomic_dec_return(),complete().Intoduced spin lock to ensure the mutual exclution. Addressed similar problem in tx direction. v1->v2: - More readable commit message. - Corrected the lock to fix new race scenario. - Removed barrier which is not needed now. Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance") Signed-off-by: Vinay Kumar Yadav Reviewed-by: Jakub Kicinski Signed-off-by: David S. Miller commit 444fc5cde64330661bf59944c43844e7d4c2ccd8 Merge: 9cb1fd0efd19 3866f217aaa8 Author: Linus Torvalds Date: Mon May 25 17:11:39 2020 -0700 Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm Pull ARM fixes from Russell King: - correct value of decompressor tag size in header - fix DACR value when we have nested exceptions - fix a missing newline on a kernel message - fix mask for ptrace thumb breakpoint hook * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm: ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook ARM: 8973/1: Add missing newline terminator to kernel message ARM: uaccess: fix DACR mismatch with nested exceptions ARM: uaccess: integrate uaccess_save and uaccess_restore ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h ARM: 8970/1: decompressor: increase tag size commit 99706d62fb50486eadb4441eaed311491fd7addf Merge: 364d1ac22971 fb6823a6f980 Author: Arnd Bergmann Date: Tue May 26 00:18:47 2020 +0200 Merge tag 'omap-for-v5.7/cpsw-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes Few cpsw related dts fixes for omaps Recent cpsw driver changes exposed few regressions in the cpsw related dts configuration that would be good to fix: - Few more boards still need to be updated to use rgmii-rxid phy caused by the fallout from commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY" as the rx delay is now disabled unless we use rgmii-rxid. - On dm814x we have been using a wrong clock for mdio that now can produce external abort on some boards * tag 'omap-for-v5.7/cpsw-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: Fix wrong mdio clock for dm814x ARM: dts: am437x: fix networking on boards with ksz9031 phy ARM: dts: am57xx: fix networking on boards with ksz9031 phy Link: https://lore.kernel.org/r/pull-1589472123-367692@atomide.com Signed-off-by: Arnd Bergmann commit b16a87d0aef7a6be766f6618976dc5ff2c689291 Author: Björn Töpel Date: Mon May 25 10:03:59 2020 +0200 xsk: Add overflow check for u64 division, stored into u32 The npgs member of struct xdp_umem is an u32 entity, and stores the number of pages the UMEM consumes. The calculation of npgs npgs = size / PAGE_SIZE can overflow. To avoid overflow scenarios, the division is now first stored in a u64, and the result is verified to fit into 32b. An alternative would be storing the npgs as a u64, however, this wastes memory and is an unrealisticly large packet area. Fixes: c0c77d8fb787 ("xsk: add user memory registration support sockopt") Reported-by: "Minh Bùi Quang" Signed-off-by: Björn Töpel Signed-off-by: Daniel Borkmann Acked-by: Jonathan Lemon Link: https://lore.kernel.org/bpf/CACtPs=GGvV-_Yj6rbpzTVnopgi5nhMoCcTkSkYrJHGQHJWFZMQ@mail.gmail.com/ Link: https://lore.kernel.org/bpf/20200525080400.13195-1-bjorn.topel@gmail.com commit 703acd70f2496537457186211c2f03e792409e68 Author: Pablo Neira Ayuso Date: Sun May 24 21:04:42 2020 +0200 netfilter: nfnetlink_cthelper: unbreak userspace helper support Restore helper data size initialization and fix memcopy of the helper data size. Fixes: 157ffffeb5dc ("netfilter: nfnetlink_cthelper: reject too large userspace allocation requests") Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit ee04805ff54a63ffd90bc6749ebfe73473734ddb Author: Pablo Neira Ayuso Date: Sun May 24 19:52:10 2020 +0200 netfilter: conntrack: make conntrack userspace helpers work again Florian Westphal says: "Problem is that after the helper hook was merged back into the confirm one, the queueing itself occurs from the confirm hook, i.e. we queue from the last netfilter callback in the hook-list. Therefore, on return, the packet bypasses the confirm action and the connection is never committed to the main conntrack table. To fix this there are several ways: 1. revert the 'Fixes' commit and have a extra helper hook again. Works, but has the drawback of adding another indirect call for everyone. 2. Special case this: split the hooks only when userspace helper gets added, so queueing occurs at a lower priority again, and normal enqueue reinject would eventually call the last hook. 3. Extend the existing nf_queue ct update hook to allow a forced confirmation (plus run the seqadj code). This goes for 3)." Fixes: 827318feb69cb ("netfilter: conntrack: remove helper hook again") Reviewed-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 4c559f15efcc43b996f4da528cd7f9483aaca36d Author: Pablo Neira Ayuso Date: Thu May 14 14:14:23 2020 +0200 netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code Dan Carpenter says: "Smatch complains that the value for "cmd" comes from the network and can't be trusted." Add pptp_msg_name() helper function that checks for the array boundary. Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port") Reported-by: Dan Carpenter Signed-off-by: Pablo Neira Ayuso commit a164b95ad6055c50612795882f35e0efda1f1390 Author: Phil Sutter Date: Thu May 14 13:31:21 2020 +0200 netfilter: ipset: Fix subcounter update skip If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE must be set, not unset. Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit e9c284ec4b41c827f4369973d2792992849e4fa5 Author: Michael Braun Date: Wed May 6 11:46:25 2020 +0200 netfilter: nft_reject_bridge: enable reject with bridge vlan Currently, using the bridge reject target with tagged packets results in untagged packets being sent back. Fix this by mirroring the vlan id as well. Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support") Signed-off-by: Michael Braun Signed-off-by: Pablo Neira Ayuso commit db857e6ae548f0f4f4a0f63fffeeedf3cca21f9d Author: Qiushi Wu Date: Fri May 22 22:04:57 2020 -0500 RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() In function pvrdma_pci_probe(), pdev was not disabled in one error path. Thus replace the jump target “err_free_device” by "err_disable_pdev". Fixes: 29c8d9eba550 ("IB: Add vmw_pvrdma driver") Link: https://lore.kernel.org/r/20200523030457.16160-1-wu000273@umn.edu Signed-off-by: Qiushi Wu Signed-off-by: Jason Gunthorpe commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd Author: Xin Long Date: Mon May 25 13:53:37 2020 +0800 xfrm: fix a warning in xfrm_policy_insert_list This waring can be triggered simply by: # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ priority 1 mark 0 mask 0x10 #[1] # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ priority 2 mark 0 mask 0x1 #[2] # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ priority 2 mark 0 mask 0x10 #[3] Then dmesg shows: [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548 [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030 [ ] Call Trace: [ ] xfrm_policy_inexact_insert+0x85/0xe50 [ ] xfrm_policy_insert+0x4ba/0x680 [ ] xfrm_add_policy+0x246/0x4d0 [ ] xfrm_user_rcv_msg+0x331/0x5c0 [ ] netlink_rcv_skb+0x121/0x350 [ ] xfrm_netlink_rcv+0x66/0x80 [ ] netlink_unicast+0x439/0x630 [ ] netlink_sendmsg+0x714/0xbf0 [ ] sock_sendmsg+0xe2/0x110 The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities"). After that, the policies [1] and [2] would be able to be added with different priorities. However, policy [3] will actually match both [1] and [2]. Policy [1] was matched due to the 1st 'return true' in xfrm_policy_mark_match(), and policy [2] was matched due to the 2nd 'return true' in there. It caused WARN_ON() in xfrm_policy_insert_list(). This patch is to fix it by only (the same value and priority) as the same policy in xfrm_policy_mark_match(). Thanks to Yuehaibing, we could make this fix better. v1->v2: - check policy->mark.v == pol->mark.v only without mask. Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities") Reported-by: Xiumei Mu Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit 0bbab5f0301587cad4e923ccc49bb910db86162c Author: Johannes Berg Date: Mon May 25 11:38:17 2020 +0200 cfg80211: fix debugfs rename crash Removing the "if (IS_ERR(dir)) dir = NULL;" check only works if we adjust the remaining code to not rely on it being NULL. Check IS_ERR_OR_NULL() before attempting to dereference it. I'm not actually entirely sure this fixes the syzbot crash as the kernel config indicates that they do have DEBUG_FS in the kernel, but this is what I found when looking there. Cc: stable@vger.kernel.org Fixes: d82574a8e5a4 ("cfg80211: no need to check return value of debugfs_create functions") Reported-by: syzbot+fd5332e429401bf42d18@syzkaller.appspotmail.com Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20200525113816.fc4da3ec3d4b.Ica63a110679819eaa9fb3bc1b7437d96b1fd187d@changeid Signed-off-by: Johannes Berg commit 364d1ac22971a5ea20e435bfd4e933490005302f Merge: ccffeae7afa4 be0ec060b54f Author: Arnd Bergmann Date: Mon May 25 11:25:03 2020 +0200 Merge tag 'arm-soc/for-5.7/devicetree-fixes-part2-v2' of https://github.com/Broadcom/stblinux into arm/fixes This pull request contains Broadcom ARM-based SoCs Device Tree fixes for 5.7, please pull the following: - Vincent fixes the polarity of the ACT LED on the Raspberry Pi Zero W board - Hamish fixes the ARM PPI interrupts sensitivy for the Hurricane 2 SoCs * tag 'arm-soc/for-5.7/devicetree-fixes-part2-v2' of https://github.com/Broadcom/stblinux: ARM: dts: bcm: HR2: Fix PPI interrupt types ARM: dts: bcm2835-rpi-zero-w: Fix led polarity Link: https://lore.kernel.org/r/20200524203714.17035-1-f.fainelli@gmail.com Signed-off-by: Arnd Bergmann commit 98f7d1b15e87c84488b30ecc4ec753b0690b9dbf Author: Tiezhu Yang Date: Fri May 22 12:12:18 2020 +0800 gpio: bcm-kona: Fix return value of bcm_kona_gpio_probe() Propagate the error code returned by devm_platform_ioremap_resource() out of probe() instead of overwriting it. Fixes: 72d8cb715477 ("drivers: gpio: bcm-kona: use devm_platform_ioremap_resource()") Signed-off-by: Tiezhu Yang [Bartosz: tweaked the commit message] Signed-off-by: Bartosz Golaszewski commit 558ab2e8155e5f42ca0a6407957cd4173dc166cc Author: Tiezhu Yang Date: Fri May 22 12:12:19 2020 +0800 gpio: pxa: Fix return value of pxa_gpio_probe() When call function devm_platform_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Fixes: 542c25b7a209 ("drivers: gpio: pxa: use devm_platform_ioremap_resource()") Signed-off-by: Tiezhu Yang Signed-off-by: Bartosz Golaszewski commit e6862430fa5ef557d40c221c7f9bb3beb5feaca4 Author: Axel Lin Date: Thu May 21 09:57:13 2020 +0800 gpio: mlxbf2: Fix sleeping while holding spinlock mutex_lock() can sleep, don't call mutex_lock() while holding spin_lock. Fixes: bc0ae0e737f5 ("gpio: add driver for Mellanox BlueField 2 GPIO controller") Signed-off-by: Axel Lin Acked-by: asmaa@mellanox.com Signed-off-by: Bartosz Golaszewski commit 202500d21654874aa03243e91f96de153ec61860 Author: Peng Hao Date: Fri May 22 09:29:25 2020 +0000 mmc: block: Fix use-after-free issue for rpmb The data structure member “rpmb->md” was passed to a call of the function “mmc_blk_put” after a call of the function “put_device”. Reorder these function calls to keep the data accesses consistent. Fixes: 1c87f7357849 ("mmc: block: Fix bug when removing RPMB chardev ") Signed-off-by: Peng Hao Cc: stable@vger.kernel.org [Uffe: Fixed up mangled patch and updated commit message] Signed-off-by: Ulf Hansson commit d031781bdabe1027858a3220f868866586bf6e7c Author: Pradeep Kumar Chitrapu Date: Wed May 6 03:24:30 2020 -0700 ieee80211: Fix incorrect mask for default PE duration Fixes bitmask for HE opration's default PE duration. Fixes: daa5b83513a7 ("mac80211: update HE operation fields to D3.0") Signed-off-by: Pradeep Kumar Chitrapu Link: https://lore.kernel.org/r/20200506102430.5153-1-pradeepc@codeaurora.org Signed-off-by: Johannes Berg commit e2d4a80f93fcfaf72e2e20daf6a28e39c3b90677 Author: Linus Lüssing Date: Fri May 22 19:04:13 2020 +0200 mac80211: mesh: fix discovery timer re-arming issue / crash On a non-forwarding 802.11s link between two fairly busy neighboring nodes (iperf with -P 16 at ~850MBit/s TCP; 1733.3 MBit/s VHT-MCS 9 80MHz short GI VHT-NSS 4), so with frequent PREQ retries, usually after around 30-40 seconds the following crash would occur: [ 1110.822428] Unable to handle kernel read from unreadable memory at virtual address 00000000 [ 1110.830786] Mem abort info: [ 1110.833573] Exception class = IABT (current EL), IL = 32 bits [ 1110.839494] SET = 0, FnV = 0 [ 1110.842546] EA = 0, S1PTW = 0 [ 1110.845678] user pgtable: 4k pages, 48-bit VAs, pgd = ffff800076386000 [ 1110.852204] [0000000000000000] *pgd=00000000f6322003, *pud=00000000f62de003, *pmd=0000000000000000 [ 1110.861167] Internal error: Oops: 86000004 [#1] PREEMPT SMP [ 1110.866730] Modules linked in: pppoe ppp_async batman_adv ath10k_pci ath10k_core ath pppox ppp_generic nf_conntrack_ipv6 mac80211 iptable_nat ipt_REJECT ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_nat xt_multiport xt_mark xt_mac xt_limit xt_conntrack xt_comment xt_TCPMSS xt_REDIRECT xt_LOG xt_FLOWOFFLOAD slhc nf_reject_ipv4 nf_nat_redirect nf_nat_masquerade_ipv4 nf_conntrack_ipv4 nf_nat_ipv4 nf_nat nf_log_ipv4 nf_flow_table_hw nf_flow_table nf_defrag_ipv6 nf_defrag_ipv4 nf_conntrack_rtcache nf_conntrack iptable_mangle iptable_filter ip_tables crc_ccitt compat nf_log_ipv6 nf_log_common ip6table_mangle ip6table_filter ip6_tables ip6t_REJECT x_tables nf_reject_ipv6 usb_storage xhci_plat_hcd xhci_pci xhci_hcd dwc3 usbcore usb_common [ 1110.932190] Process swapper/3 (pid: 0, stack limit = 0xffff0000090c8000) [ 1110.938884] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 4.14.162 #0 [ 1110.944965] Hardware name: LS1043A RGW Board (DT) [ 1110.949658] task: ffff8000787a81c0 task.stack: ffff0000090c8000 [ 1110.955568] PC is at 0x0 [ 1110.958097] LR is at call_timer_fn.isra.27+0x24/0x78 [ 1110.963055] pc : [<0000000000000000>] lr : [] pstate: 00400145 [ 1110.970440] sp : ffff00000801be10 [ 1110.973744] x29: ffff00000801be10 x28: ffff000008bf7018 [ 1110.979047] x27: ffff000008bf87c8 x26: ffff000008c160c0 [ 1110.984352] x25: 0000000000000000 x24: 0000000000000000 [ 1110.989657] x23: dead000000000200 x22: 0000000000000000 [ 1110.994959] x21: 0000000000000000 x20: 0000000000000101 [ 1111.000262] x19: ffff8000787a81c0 x18: 0000000000000000 [ 1111.005565] x17: ffff0000089167b0 x16: 0000000000000058 [ 1111.010868] x15: ffff0000089167b0 x14: 0000000000000000 [ 1111.016172] x13: ffff000008916788 x12: 0000000000000040 [ 1111.021475] x11: ffff80007fda9af0 x10: 0000000000000001 [ 1111.026777] x9 : ffff00000801bea0 x8 : 0000000000000004 [ 1111.032080] x7 : 0000000000000000 x6 : ffff80007fda9aa8 [ 1111.037383] x5 : ffff00000801bea0 x4 : 0000000000000010 [ 1111.042685] x3 : ffff00000801be98 x2 : 0000000000000614 [ 1111.047988] x1 : 0000000000000000 x0 : 0000000000000000 [ 1111.053290] Call trace: [ 1111.055728] Exception stack(0xffff00000801bcd0 to 0xffff00000801be10) [ 1111.062158] bcc0: 0000000000000000 0000000000000000 [ 1111.069978] bce0: 0000000000000614 ffff00000801be98 0000000000000010 ffff00000801bea0 [ 1111.077798] bd00: ffff80007fda9aa8 0000000000000000 0000000000000004 ffff00000801bea0 [ 1111.085618] bd20: 0000000000000001 ffff80007fda9af0 0000000000000040 ffff000008916788 [ 1111.093437] bd40: 0000000000000000 ffff0000089167b0 0000000000000058 ffff0000089167b0 [ 1111.101256] bd60: 0000000000000000 ffff8000787a81c0 0000000000000101 0000000000000000 [ 1111.109075] bd80: 0000000000000000 dead000000000200 0000000000000000 0000000000000000 [ 1111.116895] bda0: ffff000008c160c0 ffff000008bf87c8 ffff000008bf7018 ffff00000801be10 [ 1111.124715] bdc0: ffff0000080ff29c ffff00000801be10 0000000000000000 0000000000400145 [ 1111.132534] bde0: ffff8000787a81c0 ffff00000801bde8 0000ffffffffffff 000001029eb19be8 [ 1111.140353] be00: ffff00000801be10 0000000000000000 [ 1111.145220] [< (null)>] (null) [ 1111.149917] [] run_timer_softirq+0x184/0x398 [ 1111.155741] [] __do_softirq+0x100/0x1fc [ 1111.161130] [] irq_exit+0x80/0xd8 [ 1111.166002] [] __handle_domain_irq+0x88/0xb0 [ 1111.171825] [] gic_handle_irq+0x68/0xb0 [ 1111.177213] Exception stack(0xffff0000090cbe30 to 0xffff0000090cbf70) [ 1111.183642] be20: 0000000000000020 0000000000000000 [ 1111.191461] be40: 0000000000000001 0000000000000000 00008000771af000 0000000000000000 [ 1111.199281] be60: ffff000008c95180 0000000000000000 ffff000008c19360 ffff0000090cbef0 [ 1111.207101] be80: 0000000000000810 0000000000000400 0000000000000098 ffff000000000000 [ 1111.214920] bea0: 0000000000000001 ffff0000089167b0 0000000000000000 ffff0000089167b0 [ 1111.222740] bec0: 0000000000000000 ffff000008c198e8 ffff000008bf7018 ffff000008c19000 [ 1111.230559] bee0: 0000000000000000 0000000000000000 ffff8000787a81c0 ffff000008018000 [ 1111.238380] bf00: ffff00000801c000 ffff00000913ba34 ffff8000787a81c0 ffff0000090cbf70 [ 1111.246199] bf20: ffff0000080857cc ffff0000090cbf70 ffff0000080857d0 0000000000400145 [ 1111.254020] bf40: ffff000008018000 ffff00000801c000 ffffffffffffffff ffff0000080fa574 [ 1111.261838] bf60: ffff0000090cbf70 ffff0000080857d0 [ 1111.266706] [] el1_irq+0xe8/0x18c [ 1111.271576] [] arch_cpu_idle+0x10/0x18 [ 1111.276880] [] do_idle+0xec/0x1b8 [ 1111.281748] [] cpu_startup_entry+0x20/0x28 [ 1111.287399] [] secondary_start_kernel+0x104/0x110 [ 1111.293662] Code: bad PC value [ 1111.296710] ---[ end trace 555b6ca4363c3edd ]--- [ 1111.301318] Kernel panic - not syncing: Fatal exception in interrupt [ 1111.307661] SMP: stopping secondary CPUs [ 1111.311574] Kernel Offset: disabled [ 1111.315053] CPU features: 0x0002000 [ 1111.318530] Memory Limit: none [ 1111.321575] Rebooting in 3 seconds.. With some added debug output / delays we were able to push the crash from the timer callback runner into the callback function and by that shedding some light on which object holding the timer gets corrupted: [ 401.720899] Unable to handle kernel read from unreadable memory at virtual address 00000868 [...] [ 402.335836] [] _raw_spin_lock_bh+0x14/0x48 [ 402.341548] [] mesh_path_timer+0x10c/0x248 [mac80211] [ 402.348154] [] call_timer_fn.isra.27+0x24/0x78 [ 402.354150] [] run_timer_softirq+0x184/0x398 [ 402.359974] [] __do_softirq+0x100/0x1fc [ 402.365362] [] irq_exit+0x80/0xd8 [ 402.370231] [] __handle_domain_irq+0x88/0xb0 [ 402.376053] [] gic_handle_irq+0x68/0xb0 The issue happens due to the following sequence of events: 1) mesh_path_start_discovery(): -> spin_unlock_bh(&mpath->state_lock) before mesh_path_sel_frame_tx() 2) mesh_path_free_rcu() -> del_timer_sync(&mpath->timer) [...] -> kfree_rcu(mpath) 3) mesh_path_start_discovery(): -> mod_timer(&mpath->timer, ...) [...] -> rcu_read_unlock() 4) mesh_path_free_rcu()'s kfree_rcu(): -> kfree(mpath) 5) mesh_path_timer() starts after timeout, using freed mpath object So a use-after-free issue due to a timer re-arming bug caused by an early spin-unlocking. This patch fixes this issue by re-checking if mpath is about to be free'd and if so bails out of re-arming the timer. Cc: stable@vger.kernel.org Fixes: 050ac52cbe1f ("mac80211: code for on-demand Hybrid Wireless Mesh Protocol") Cc: Simon Wunderlich Signed-off-by: Linus Lüssing Link: https://lore.kernel.org/r/20200522170413.14973-1-linus.luessing@c0d3.blue Signed-off-by: Johannes Berg commit 9cb1fd0efd195590b828b9b865421ad345a4a145 Author: Linus Torvalds Date: Sun May 24 15:32:54 2020 -0700 Linux 5.7-rc7 commit 98790bbac4db1697212ce9462ec35ca09c4a2810 Merge: 667b6249b71c 9bb4cbf4862d Author: Linus Torvalds Date: Sun May 24 10:24:10 2020 -0700 Merge tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull EFI fixes from Thomas Gleixner: "A set of EFI fixes: - Don't return a garbage screen info when EFI framebuffer is not available - Make the early EFI console work properly with wider fonts instead of drawing garbage - Prevent a memory buffer leak in allocate_e820() - Print the firmware error record properly so it can be decoded by users - Fix a symbol clash in the host tool build which only happens with newer compilers. - Add a missing check for the event log version of TPM which caused boot failures on several Dell systems due to an attempt to decode SHA-1 format with the crypto agile algorithm" * tag 'efi-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: tpm: check event log version before reading final events efi: Pull up arch-specific prototype efi_systab_show_arch() x86/boot: Mark global variables as static efi: cper: Add support for printing Firmware Error Record Reference efi/libstub/x86: Avoid EFI map buffer alloc in allocate_e820() efi/earlycon: Fix early printk for wider fonts efi/libstub: Avoid returning uninitialized data from setup_graphics() commit 667b6249b71c30c20fcd2f312f1665d90348635a Merge: 9e61d12bac20 187b96db5ca7 Author: Linus Torvalds Date: Sun May 24 10:21:02 2020 -0700 Merge tag 'x86-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "Two fixes for x86: - Unbreak stack dumps for inactive tasks by interpreting the special first frame left by __switch_to_asm() correctly. The recent change not to skip the first frame so ORC and frame unwinder behave in the same way caused all entries to be unreliable, i.e. prepended with '?'. - Use cpumask_available() instead of an implicit NULL check of a cpumask_var_t in mmio trace to prevent a Clang build warning" * tag 'x86-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables commit 9e61d12bac206e5e70176734604371ac3a6e50fd Merge: caffb99b6929 39f23ce07b93 Author: Linus Torvalds Date: Sun May 24 10:14:58 2020 -0700 Merge tag 'sched-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull scheduler fixes from Thomas Gleixner: "A set of fixes for the scheduler: - Fix handling of throttled parents in enqueue_task_fair() completely. The recent fix overlooked a corner case where the first iteration terminates due to an entity already being on the runqueue which makes the list management incomplete and later triggers the assertion which checks for completeness. - Fix a similar problem in unthrottle_cfs_rq(). - Show the correct uclamp values in procfs which prints the effective value twice instead of requested and effective" * tag 'sched-urgent-2020-05-24' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list sched/debug: Fix requested task uclamp values shown in procfs sched/fair: Fix enqueue_task_fair() warning some more commit caffb99b6929f41a69edbb5aef3a359bf45f3315 Merge: 0cfc8a8d70dc 539d39ad0c61 Author: Linus Torvalds Date: Sat May 23 17:16:18 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: 1) Fix RCU warnings in ipv6 multicast router code, from Madhuparna Bhowmik. 2) Nexthop attributes aren't being checked properly because of mis-initialized iterator, from David Ahern. 3) Revert iop_idents_reserve() change as it caused performance regressions and was just working around what is really a UBSAN bug in the compiler. From Yuqi Jin. 4) Read MAC address properly from ROM in bmac driver (double iteration proceeds past end of address array), from Jeremy Kerr. 5) Add Microsoft Surface device IDs to r8152, from Marc Payne. 6) Prevent reference to freed SKB in __netif_receive_skb_core(), from Boris Sukholitko. 7) Fix ACK discard behavior in rxrpc, from David Howells. 8) Preserve flow hash across packet scrubbing in wireguard, from Jason A. Donenfeld. 9) Cap option length properly for SO_BINDTODEVICE in AX25, from Eric Dumazet. 10) Fix encryption error checking in kTLS code, from Vadim Fedorenko. 11) Missing BPF prog ref release in flow dissector, from Jakub Sitnicki. 12) dst_cache must be used with BH disabled in tipc, from Eric Dumazet. 13) Fix use after free in mlxsw driver, from Jiri Pirko. 14) Order kTLS key destruction properly in mlx5 driver, from Tariq Toukan. 15) Check devm_platform_ioremap_resource() return value properly in several drivers, from Tiezhu Yang. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (71 commits) net: smsc911x: Fix runtime PM imbalance on error net/mlx4_core: fix a memory leak bug. net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend net: phy: mscc: fix initialization of the MACsec protocol mode net: stmmac: don't attach interface until resume finishes net: Fix return value about devm_platform_ioremap_resource() net/mlx5: Fix error flow in case of function_setup failure net/mlx5e: CT: Correctly get flow rule net/mlx5e: Update netdev txq on completions during closure net/mlx5: Annotate mutex destroy for root ns net/mlx5: Don't maintain a case of del_sw_func being null net/mlx5: Fix cleaning unmanaged flow tables net/mlx5: Fix memory leak in mlx5_events_init net/mlx5e: Fix inner tirs handling net/mlx5e: kTLS, Destroy key object after destroying the TIS net/mlx5e: Fix allowed tc redirect merged eswitch offload cases net/mlx5: Avoid processing commands before cmdif is ready net/mlx5: Fix a race when moving command interface to events mode net/mlx5: Add command entry handling completion rxrpc: Fix a memory leak in rxkad_verify_response() ... commit 539d39ad0c61b35f69565a037d7586deaf6d6166 Author: Dinghao Liu Date: Sat May 23 16:08:20 2020 +0800 net: smsc911x: Fix runtime PM imbalance on error Remove runtime PM usage counter decrement when the increment function has not been called to keep the counter balanced. Signed-off-by: Dinghao Liu Signed-off-by: David S. Miller commit e3181e9a72e19bc556e5fba6c1217901e2bc20f4 Merge: febfd9d3c7f7 4f7400d5cbae Author: David S. Miller Date: Sat May 23 16:39:45 2020 -0700 Merge tag 'mlx5-fixes-2020-05-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux Saeed Mahameed says: ==================== mlx5 fixes 2020-05-22 This series introduces some fixes to mlx5 driver. Please pull and let me know if there is any problem. For -stable v4.13 ('net/mlx5: Add command entry handling completion') For -stable v5.2 ('net/mlx5: Fix error flow in case of function_setup failure') ('net/mlx5: Fix memory leak in mlx5_events_init') For -stable v5.3 ('net/mlx5e: Update netdev txq on completions during closure') ('net/mlx5e: kTLS, Destroy key object after destroying the TIS') ('net/mlx5e: Fix inner tirs handling') For -stable v5.6 ('net/mlx5: Fix cleaning unmanaged flow tables') ('net/mlx5: Fix a race when moving command interface to events mode') ==================== Signed-off-by: David S. Miller commit febfd9d3c7f74063e8e630b15413ca91b567f963 Author: Qiushi Wu Date: Fri May 22 14:07:15 2020 -0500 net/mlx4_core: fix a memory leak bug. In function mlx4_opreq_action(), pointer "mailbox" is not released, when mlx4_cmd_box() return and error, causing a memory leak bug. Fix this issue by going to "out" label, mlx4_free_cmd_mailbox() can free this pointer. Fixes: fe6f700d6cbb ("net/mlx4_core: Respond to operation request by firmware") Signed-off-by: Qiushi Wu Signed-off-by: David S. Miller commit 4c64b83d03f4aafcdf710caad994cbc855802e74 Author: Grygorii Strashko Date: Fri May 22 20:09:28 2020 +0300 net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during suspend vlan_for_each() are required to be called with rtnl_lock taken, otherwise ASSERT_RTNL() warning will be triggered - which happens now during System resume from suspend: cpsw_suspend() |- cpsw_ndo_stop() |- __hw_addr_ref_unsync_dev() |- cpsw_purge_all_mc() |- vlan_for_each() |- ASSERT_RTNL(); Hence, fix it by surrounding cpsw_ndo_stop() by rtnl_lock/unlock() calls. Fixes: 15180eca569b ("net: ethernet: ti: cpsw: fix vlan mcast") Signed-off-by: Grygorii Strashko Signed-off-by: David S. Miller commit 0ddfee1feece1c85592d49b759286032ef2dd803 Author: Antoine Tenart Date: Fri May 22 17:55:45 2020 +0200 net: phy: mscc: fix initialization of the MACsec protocol mode At the very end of the MACsec block initialization in the MSCC PHY driver, the MACsec "protocol mode" is set. This setting should be set based on the PHY id within the package, as the bank used to access the register used depends on this. This was not done correctly, and only the first bank was used leading to the two upper PHYs being unstable when using the VSC8584. This patch fixes it. Fixes: 1bbe0ecc2a1a ("net: phy: mscc: macsec initialization") Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller commit 31096c3e8b1163c6e966bf4d1f36d8b699008f84 Author: Leon Yu Date: Fri May 22 23:29:43 2020 +0800 net: stmmac: don't attach interface until resume finishes Commit 14b41a2959fb ("net: stmmac: Delete txtimer in suspend") was the first attempt to fix a race between mod_timer() and setup_timer() during stmmac_resume(). However the issue still exists as the commit only addressed half of the issue. Same race can still happen as stmmac_resume() re-attaches interface way too early - even before hardware is fully initialized. Worse, doing so allows network traffic to restart and stmmac_tx_timer_arm() being called in the middle of stmmac_resume(), which re-init tx timers in stmmac_init_coalesce(). timer_list will be corrupted and system crashes as a result of race between mod_timer() and setup_timer(). systemd--1995 2.... 552950018us : stmmac_suspend: 4994 ksoftirq-9 0..s2 553123133us : stmmac_tx_timer_arm: 2276 systemd--1995 0.... 553127896us : stmmac_resume: 5101 systemd--320 7...2 553132752us : stmmac_tx_timer_arm: 2276 (sd-exec-1999 5...2 553135204us : stmmac_tx_timer_arm: 2276 --------------------------------- pc : run_timer_softirq+0x468/0x5e0 lr : run_timer_softirq+0x570/0x5e0 Call trace: run_timer_softirq+0x468/0x5e0 __do_softirq+0x124/0x398 irq_exit+0xd8/0xe0 __handle_domain_irq+0x6c/0xc0 gic_handle_irq+0x60/0xb0 el1_irq+0xb8/0x180 arch_cpu_idle+0x38/0x230 default_idle_call+0x24/0x3c do_idle+0x1e0/0x2b8 cpu_startup_entry+0x28/0x48 secondary_start_kernel+0x1b4/0x208 Fix this by deferring netif_device_attach() to the end of stmmac_resume(). Signed-off-by: Leon Yu Signed-off-by: David S. Miller commit ef24d6c3d6965158dfe23ae961d87e9a343e18a2 Author: Tiezhu Yang Date: Fri May 22 19:03:21 2020 +0800 net: Fix return value about devm_platform_ioremap_resource() When call function devm_platform_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Signed-off-by: Tiezhu Yang Signed-off-by: David S. Miller commit 0cfc8a8d70dcd51db783e8e87917e02149c71458 Author: Mike Rapoport Date: Sat May 23 22:57:18 2020 +0300 sparc32: fix page table traversal in srmmu_nocache_init() The srmmu_nocache_init() uses __nocache_fix() macro to add an offset to page table entry to access srmmu_nocache_pool. But since sparc32 has only three actual page table levels, pgd, p4d and pud are essentially the same thing and pgd_offset() and p4d_offset() are no-ops, the __nocache_fix() should be done only at PUD level. Remove __nocache_fix() for p4d_offset() and pud_offset() and keep it only for PUD and lower levels. Fixes: c2bc26f7ca1f ("sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init()") Signed-off-by: Mike Rapoport Cc: David S. Miller Cc: Anatoly Pugachev Cc: Signed-off-by: Linus Torvalds commit 423b8baf18a8c03f2d6fa99aa447ed0da189bb95 Merge: 23f0dac84841 ca6edee6c6e3 Author: Linus Torvalds Date: Sat May 23 11:21:47 2020 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "11 fixes" * emailed patches from Andrew Morton : MAINTAINERS: add files related to kdump z3fold: fix use-after-free when freeing handles sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() MAINTAINERS: update email address for Naoya Horiguchi sh: include linux/time_types.h for sockios kasan: disable branch tracing for core runtime selftests/vm/write_to_hugetlbfs.c: fix unused variable warning selftests/vm/.gitignore: add mremap_dontunmap rapidio: fix an error in get_user_pages_fast() error handling x86: bitops: fix build regression device-dax: don't leak kernel memory to user space after unloading kmem commit 23f0dac848412dafd197566b62d831d5a68b5b6b Merge: 0e36fd45e37e e6764aa0e553 Author: Linus Torvalds Date: Sat May 23 11:06:13 2020 -0700 Merge tag 'driver-core-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "So, turns out the kobject fix didn't quite work, so here are four patches that in the end, result in just two driver core fixes for reported issues that no one has had problems with. The kobject patch that was originally in here has now been reverted, as Guenter reported boot problems with it on some of his systems" * tag 'driver-core-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: Revert "kobject: Make sure the parent does not get released before its children" kobject: Make sure the parent does not get released before its children driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links driver core: Fix SYNC_STATE_ONLY device link implementation commit 0e36fd45e37e0b4151d70cfae4d7e3e9a75c5c99 Merge: 8f261041b18e 7a839dbab1be Author: Linus Torvalds Date: Sat May 23 11:02:42 2020 -0700 Merge tag 'char-misc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc fixes from Greg KH: "Here are some small char/misc driver fixes for 5.7-rc7 that resolve some reported issues. Included in here are tiny fixes for the mei, coresight, rtsx, ipack, and mhi drivers. All of these have been in linux-next with no reported issues" * tag 'char-misc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: misc: rtsx: Add short delay after exit from ASPM bus: mhi: core: Fix some error return code ipack: tpci200: fix error return code in tpci200_register() coresight: cti: remove incorrect NULL return check mei: release me_cl object reference commit 8f261041b18ee80ad8afdd1621c909c4df9f6cc3 Merge: d3044d7d2205 bcb392871813 Author: Linus Torvalds Date: Sat May 23 10:57:55 2020 -0700 Merge tag 'staging-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging/iio fixes from Greg KH: "Here are some small staging and IIO driver fixes for 5.7-rc7 Nothing major, just a collection of IIO driver fixes for reported issues, and a few small staging driver fixes that people have found. Full details are in the shortlog. All of these have been in linux-next for a while with no reported issues" * tag 'staging-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: wfx: unlock on error path staging: greybus: Fix uninitialized scalar variable staging: kpc2000: fix error return code in kp2000_pcie_probe() iio: sca3000: Remove an erroneous 'get_device()' iio: adc: stm32-dfsdm: fix device used to request dma iio: adc: stm32-adc: fix device used to request dma iio: adc: ti-ads8344: Fix channel selection staging: iio: ad2s1210: Fix SPI reading iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw() iio: chemical: atlas-sensor: correct DO-SM channels commit d3044d7d220529a4ce0cbfe00de63996935908d1 Merge: 9bca7c40850e 17b4efdf4e48 Author: Linus Torvalds Date: Sat May 23 10:50:38 2020 -0700 Merge tag 'tty-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fix from Greg KH: "Here is a single serial driver fix for 5.7-rc7. It resolves an issue with the SiFive serial console init sequence that was reported a number of times. It has been in linux-next for a while now with no reported issues" * tag 'tty-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: serial: add missing spin_lock_init for SiFive serial console commit 9bca7c40850eca2613d79878e6d730faeaa602cf Merge: e644645abf47 4c1cbcbd6c56 Author: Linus Torvalds Date: Sat May 23 10:42:12 2020 -0700 Merge tag 's390-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux Pull s390 fixes from Vasily Gorbik: - Add missing R_390_JMP_SLOT relocation type in KASLR code. - Fix set_huge_pte_at for empty ptes issue which has been uncovered with arch page table helper tests. - Correct initrd location for kdump kernel. - Fix s390_mmio_read/write with MIO in PCI code. * tag 's390-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/kaslr: add support for R_390_JMP_SLOT relocation type s390/mm: fix set_huge_pte_at() for empty ptes s390/kexec_file: fix initrd location for kdump kernel s390/pci: Fix s390_mmio_read/write with MIO commit ca6edee6c6e3fe4ec143ee1964593d755ddbee62 Author: Baoquan He Date: Fri May 22 22:23:15 2020 -0700 MAINTAINERS: add files related to kdump Kdump is implemented based on kexec, however some files are only related to crash dumping and missing, add them to KDUMP entry. Signed-off-by: Baoquan He Signed-off-by: Andrew Morton Acked-by: Dave Young Link: http://lkml.kernel.org/r/20200520103633.GW5029@MiWiFi-R3L-srv Signed-off-by: Linus Torvalds commit d8f117abb380ba968b5e3ef2042d901c02872a4c Author: Uladzislau Rezki Date: Fri May 22 22:23:12 2020 -0700 z3fold: fix use-after-free when freeing handles free_handle() for a foreign handle may race with inter-page compaction, what can lead to memory corruption. To avoid that, take write lock not read lock in free_handle to be synchronized with __release_z3fold_page(). For example KASAN can detect it: ================================================================== BUG: KASAN: use-after-free in LZ4_decompress_safe+0x2c4/0x3b8 Read of size 1 at addr ffffffc976695ca3 by task GoogleApiHandle/4121 CPU: 0 PID: 4121 Comm: GoogleApiHandle Tainted: P S OE 4.19.81-perf+ #162 Hardware name: Sony Mobile Communications. PDX-203(KONA) (DT) Call trace: LZ4_decompress_safe+0x2c4/0x3b8 lz4_decompress_crypto+0x3c/0x70 crypto_decompress+0x58/0x70 zcomp_decompress+0xd4/0x120 ... Apart from that, initialize zhdr->mapped_count in init_z3fold_page() and remove "newpage" variable because it is not used anywhere. Signed-off-by: Uladzislau Rezki Signed-off-by: Vitaly Wool Signed-off-by: Andrew Morton Cc: Qian Cai Cc: Raymond Jennings Cc: Link: http://lkml.kernel.org/r/20200520082100.28876-1-vitaly.wool@konsulko.com Signed-off-by: Linus Torvalds commit c2bc26f7ca1ff1165bb6669a7a4cccc20ffd2ced Author: Mike Rapoport Date: Fri May 22 22:23:09 2020 -0700 sparc32: use PUD rather than PGD to get PMD in srmmu_nocache_init() The kbuild test robot reported the following warning: arch/sparc/mm/srmmu.c: In function 'srmmu_nocache_init': arch/sparc/mm/srmmu.c:300:9: error: variable 'pud' set but not used [-Werror=unused-but-set-variable] 300 | pud_t *pud; This warning is caused by misprint in the page table traversal in srmmu_nocache_init() function which accessed a PMD entry using PGD rather than PUD. Since sparc32 has only 3 page table levels, the PGD and PUD are essentially the same and usage of __nocache_fix() removed the type checking. Use PUD for the consistency and to silence the compiler warning. Fixes: 7235db268a2777bc38 ("sparc32: use pgtable-nopud instead of 4level-fixup") Reported-by: kbuild test robot Signed-off-by: Mike Rapoport Signed-off-by: Andrew Morton Cc: David S. Miller Cc: Anatoly Pugachev Cc: Link: http://lkml.kernel.org/r/20200520132005.GM1059226@linux.ibm.com Signed-off-by: Linus Torvalds commit f7fa1876af81512444631d324adb77383f56c37a Author: Naoya Horiguchi Date: Fri May 22 22:23:06 2020 -0700 MAINTAINERS: update email address for Naoya Horiguchi My email address has changed due to system upgrade, so please update it in MAINTAINERS list. My old address (n-horiguchi@ah.jp.nec.com) will be still active for a few months. Note that my email system has some encoding issue and can't send patches in raw format via git-send-email. So patches from me will be delivered via my free address (nao.horiguchi@gmail.com) or GitHub. Signed-off-by: Naoya Horiguchi Signed-off-by: Andrew Morton Link: http://lkml.kernel.org/r/1589874488-9247-1-git-send-email-naoya.horiguchi@nec.com Signed-off-by: Linus Torvalds commit fc94cf2092c7c1267fa2deb8388d624f50eba808 Author: Arnd Bergmann Date: Fri May 22 22:23:02 2020 -0700 sh: include linux/time_types.h for sockios Using the socket ioctls on arch/sh (and only there) causes build time problems when __kernel_old_timeval/__kernel_old_timespec are not already visible to the compiler. Add an explict include line for the header that defines these structures. Fixes: 8c709f9a0693 ("y2038: sh: remove timeval/timespec usage from headers") Fixes: 0768e17073dc ("net: socket: implement 64-bit timestamps") Reported-by: John Paul Adrian Glaubitz Signed-off-by: Arnd Bergmann Signed-off-by: Andrew Morton Tested-by: John Paul Adrian Glaubitz Cc: Yoshinori Sato Cc: Rich Felker Cc: "David S. Miller" Cc: John Paul Adrian Glaubitz Cc: Link: http://lkml.kernel.org/r/20200519131327.1836482-1-arnd@arndb.de Signed-off-by: Linus Torvalds commit 33cd65e73abd693c00c4156cf23677c453b41b3b Author: Marco Elver Date: Fri May 22 22:22:59 2020 -0700 kasan: disable branch tracing for core runtime During early boot, while KASAN is not yet initialized, it is possible to enter reporting code-path and end up in kasan_report(). While uninitialized, the branch there prevents generating any reports, however, under certain circumstances when branches are being traced (TRACE_BRANCH_PROFILING), we may recurse deep enough to cause kernel reboots without warning. To prevent similar issues in future, we should disable branch tracing for the core runtime. [elver@google.com: remove duplicate DISABLE_BRANCH_PROFILING, per Qian Cai] Link: https://lore.kernel.org/lkml/20200517011732.GE24705@shao2-debian/ Link: http://lkml.kernel.org/r/20200522075207.157349-1-elver@google.com Reported-by: kernel test robot Signed-off-by: Marco Elver Signed-off-by: Andrew Morton Reviewed-by: Andrey Konovalov Cc: Dmitry Vyukov Cc: Alexander Potapenko Cc: Andrey Ryabinin Cc: Qian Cai Cc: Link: http://lkml.kernel.org/r//20200517011732.GE24705@shao2-debian/ Link: http://lkml.kernel.org/r/20200519182459.87166-1-elver@google.com Signed-off-by: Linus Torvalds commit 380e5c1d9b5e9768315eb4d405c127cb655406b3 Author: John Hubbard Date: Fri May 22 22:22:56 2020 -0700 selftests/vm/write_to_hugetlbfs.c: fix unused variable warning Remove unused variable "i", which was triggering a compiler warning. Fixes: 29750f71a9b4 ("hugetlb_cgroup: add hugetlb_cgroup reservation tests") Signed-off-by: John Hubbard Signed-off-by: Andrew Morton Reviewed-By: Mina Almasry Cc: Brian Geffon Cc: "Kirill A . Shutemov" Cc: Shuah Khan Cc: Ralph Campbell Link: http://lkml.kernel.org/r/20200517001245.361762-2-jhubbard@nvidia.com Signed-off-by: Linus Torvalds commit 98097701cc0bec06e4bc183cceaf6dfa06a69e10 Author: John Hubbard Date: Fri May 22 22:22:53 2020 -0700 selftests/vm/.gitignore: add mremap_dontunmap Add mremap_dontunmap to .gitignore. Fixes: 0c28759ee3c9 ("selftests: add MREMAP_DONTUNMAP selftest") Signed-off-by: John Hubbard Signed-off-by: Andrew Morton Cc: Kirill A. Shutemov Cc: Brian Geffon Link: http://lkml.kernel.org/r/20200517002509.362401-2-jhubbard@nvidia.com Signed-off-by: Linus Torvalds commit ffca476a0a8d26de767cc41d62b8ca7f540ecfdd Author: John Hubbard Date: Fri May 22 22:22:48 2020 -0700 rapidio: fix an error in get_user_pages_fast() error handling In the case of get_user_pages_fast() returning fewer pages than requested, rio_dma_transfer() does not quite do the right thing. It attempts to release all the pages that were requested, rather than just the pages that were pinned. Fix the error handling so that only the pages that were successfully pinned are released. Fixes: e8de370188d0 ("rapidio: add mport char device driver") Signed-off-by: John Hubbard Signed-off-by: Andrew Morton Reviewed-by: Andrew Morton Cc: Matt Porter Cc: Alexandre Bounine Cc: Sumit Semwal Cc: Dan Carpenter Cc: Link: http://lkml.kernel.org/r/20200517235620.205225-2-jhubbard@nvidia.com Signed-off-by: Linus Torvalds commit c071b0f11e7fb944525b12c80e728af69648d967 Author: Nick Desaulniers Date: Fri May 22 22:22:45 2020 -0700 x86: bitops: fix build regression This is easily reproducible via CC=clang + CONFIG_STAGING=y + CONFIG_VT6656=m. It turns out that if your config tickles __builtin_constant_p via differences in choices to inline or not, these statements produce invalid assembly: $ cat foo.c long a(long b, long c) { asm("orb %1, %0" : "+q"(c): "r"(b)); return c; } $ gcc foo.c foo.c: Assembler messages: foo.c:2: Error: `%rax' not allowed with `orb' Use the `%b` "x86 Operand Modifier" to instead force register allocation to select a lower-8-bit GPR operand. The "q" constraint only has meaning on -m32 otherwise is treated as "r". Not all GPRs have low-8-bit aliases for -m32. Fixes: 1651e700664b4 ("x86: Fix bitops.h warning with a moved cast") Reported-by: kernelci.org bot Suggested-by: Andy Shevchenko Suggested-by: Brian Gerst Suggested-by: H. Peter Anvin Suggested-by: Ilie Halip Signed-off-by: Nick Desaulniers Signed-off-by: Andrew Morton Tested-by: Sedat Dilek Tested-by: Nathan Chancellor [build, clang-11] Reviewed-by: Nathan Chancellor Reviewed-By: Brian Gerst Reviewed-by: Jesse Brandeburg Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: Marco Elver Cc: "Paul E. McKenney" Cc: Andrey Ryabinin Cc: Luc Van Oostenryck Cc: Masahiro Yamada Cc: Daniel Axtens Cc: "Peter Zijlstra (Intel)" Link: http://lkml.kernel.org/r/20200508183230.229464-1-ndesaulniers@google.com Link: https://github.com/ClangBuiltLinux/linux/issues/961 Link: https://lore.kernel.org/lkml/20200504193524.GA221287@google.com/ Link: https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#x86Operandmodifiers Signed-off-by: Linus Torvalds commit 60858c00e5f018eda711a3aa84cf62214ef62d61 Author: David Hildenbrand Date: Fri May 22 22:22:42 2020 -0700 device-dax: don't leak kernel memory to user space after unloading kmem Assume we have kmem configured and loaded: [root@localhost ~]# cat /proc/iomem ... 140000000-33fffffff : Persistent Memory$ 140000000-1481fffff : namespace0.0 150000000-33fffffff : dax0.0 150000000-33fffffff : System RAM Assume we try to unload kmem. This force-unloading will work, even if memory cannot get removed from the system. [root@localhost ~]# rmmod kmem [ 86.380228] removing memory fails, because memory [0x0000000150000000-0x0000000157ffffff] is onlined ... [ 86.431225] kmem dax0.0: DAX region [mem 0x150000000-0x33fffffff] cannot be hotremoved until the next reboot Now, we can reconfigure the namespace: [root@localhost ~]# ndctl create-namespace --force --reconfig=namespace0.0 --mode=devdax [ 131.409351] nd_pmem namespace0.0: could not reserve region [mem 0x140000000-0x33fffffff]dax [ 131.410147] nd_pmem: probe of namespace0.0 failed with error -16namespace0.0 --mode=devdax ... This fails as expected due to the busy memory resource, and the memory cannot be used. However, the dax0.0 device is removed, and along its name. The name of the memory resource now points at freed memory (name of the device): [root@localhost ~]# cat /proc/iomem ... 140000000-33fffffff : Persistent Memory 140000000-1481fffff : namespace0.0 150000000-33fffffff : �_�^7_��/_��wR��WQ���^��� ... 150000000-33fffffff : System RAM We have to make sure to duplicate the string. While at it, remove the superfluous setting of the name and fixup a stale comment. Fixes: 9f960da72b25 ("device-dax: "Hotremove" persistent memory that is used like normal RAM") Signed-off-by: David Hildenbrand Signed-off-by: Andrew Morton Cc: Dan Williams Cc: Vishal Verma Cc: Dave Jiang Cc: Pavel Tatashin Cc: Andrew Morton Cc: [5.3] Link: http://lkml.kernel.org/r/20200508084217.9160-2-david@redhat.com Signed-off-by: Linus Torvalds commit e6764aa0e5530066dd969eccea2a1a7d177859a8 Author: Greg Kroah-Hartman Date: Sat May 23 17:11:11 2020 +0200 Revert "kobject: Make sure the parent does not get released before its children" This reverts commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa. Guenter reports: All my arm64be (arm64 big endian) boot tests crash with this patch applied. Reverting it fixes the problem. Crash log and bisect results (from pending-fixes branch) below. And also: arm64 images don't crash but report lots of "poison overwritten" backtraces like the one below. On arm, I see "refcount_t: underflow", also attached. I didn't bisect those, but given the context I would suspect the same culprit. Reported-by: Guenter Roeck Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@linux.intel.com Cc: Naresh Kamboju Cc: kernel test robot Cc: "Rafael J. Wysocki" Cc: Heikki Krogerus Cc: Brendan Higgins Cc: Randy Dunlap Cc: stable Signed-off-by: Greg Kroah-Hartman commit e644645abf4788e919beeb97925fb6bf43e890a2 Merge: a24deb9d68b4 f2e6b75f6ee8 Author: Linus Torvalds Date: Fri May 22 21:43:02 2020 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Three minor fixes, two in drivers, one to fix a hang after reset with iSCSI, and one to avoid a spurious log message; and the final core one to correct a suspend/resume miscount with quiesced devices" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: target: Put lun_ref at end of tmr processing scsi: pm: Balance pm_only counter of request queue during system resume scsi: qla2xxx: Do not log message when reading port speed via sysfs commit a24deb9d68b423f3e5e190b9836d192ee3e0ff9d Merge: 444565650a5f 7d9ff5eed414 Author: Linus Torvalds Date: Fri May 22 21:37:09 2020 -0700 Merge tag 'drm-fixes-2020-05-23' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Things seemed to have quieten down, though no i915 pull (I even gave them an extra 12 hours in case they were late). The amdgpu floating point fix is probably the largest, but it just moves some code around to it doesn't do fpu stuff outside the fpu boundaries. Otherwise it's just a couple of vmwgfx fixes (maintainer change) and two etnaviv fixes. vmwgfx: - change maintainers - fix redundant assignment - fix parameter name - fix return value etnaviv: - memory leak fix when userspace passes a invalid softpin address - off-by-one crashing the kernel in the perfmon domain iteration when the GPU core has both 2D and 3D capabilities amdgpu: - DP fix - Floating point fix - Fix cursor stutter issue" * tag 'drm-fixes-2020-05-23' of git://anongit.freedesktop.org/drm/drm: drm/amd/display: Defer cursor lock until after VUPDATE drm/amd/display: Remove dml_common_def file drm/amd/display: DP training to set properly SCRAMBLING_DISABLE drm/edid: Add Oculus Rift S to non-desktop list drm/etnaviv: Fix a leak in submit_pin_objects() drm/etnaviv: fix perfmon domain interation drm/vmwgfx: Return true in function vmw_fence_obj_signaled() drm/vmwgfx: remove redundant assignment to variable ret drm/vmwgfx: Fix parameter name in vmw_bo_init drm/vmwgfx: update MAINTAINERS entry commit 4f7400d5cbaef676e00cdffb0565bf731c6bb09e Author: Shay Drory Date: Wed May 6 14:52:04 2020 +0300 net/mlx5: Fix error flow in case of function_setup failure Currently, if an error occurred during mlx5_function_setup(), we keep dev->state as DEVICE_STATE_UP. Fixing it by adding a goto label. Fixes: e161105e58da ("net/mlx5: Function setup/teardown procedures") Signed-off-by: Shay Drory Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit d37bd5e81ed0d58f0ebe2e01658c26722e0c033e Author: Roi Dayan Date: Mon May 18 20:21:11 2020 +0300 net/mlx5e: CT: Correctly get flow rule The correct way is to us the flow_cls_offload_flow_rule() wrapper instead of f->rule directly. Fixes: 4c3844d9e97e ("net/mlx5e: CT: Introduce connection tracking") Signed-off-by: Roi Dayan Reviewed-by: Oz Shlomo Signed-off-by: Saeed Mahameed commit 5e911e2c06bd8c17df29147a5e2d4b17fafda024 Author: Moshe Shemesh Date: Tue Apr 7 17:38:28 2020 +0300 net/mlx5e: Update netdev txq on completions during closure On sq closure when we free its descriptors, we should also update netdev txq on completions which would not arrive. Otherwise if we reopen sqs and attach them back, for example on fw fatal recovery flow, we may get tx timeout. Fixes: 29429f3300a3 ("net/mlx5e: Timeout if SQ doesn't flush during close") Signed-off-by: Moshe Shemesh Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit 9ca415399dae133b00273a4283ef31d003a6818d Author: Roi Dayan Date: Thu May 14 23:44:38 2020 +0300 net/mlx5: Annotate mutex destroy for root ns Invoke mutex_destroy() to catch any errors. Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table") Signed-off-by: Roi Dayan Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed commit 6eb7a268a99bad8346d4baa148a14456d061c1c3 Author: Roi Dayan Date: Mon May 11 16:37:11 2020 +0300 net/mlx5: Don't maintain a case of del_sw_func being null Add del_sw_func cb for root ns. Now there is no need to maintain a case of del_sw_func being null when freeing the node. Fixes: 2cc43b494a6c ("net/mlx5_core: Managing root flow table") Signed-off-by: Roi Dayan Reviewed-by: Mark Bloch Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed commit aee37f3d940ca732df71c3df49347bccaafc0b24 Author: Roi Dayan Date: Mon May 11 16:32:09 2020 +0300 net/mlx5: Fix cleaning unmanaged flow tables Unmanaged flow tables doesn't have a parent and tree_put_node() assume there is always a parent if cleaning is needed. fix that. Fixes: 5281a0c90919 ("net/mlx5: fs_core: Introduce unmanaged flow tables") Signed-off-by: Roi Dayan Reviewed-by: Mark Bloch Reviewed-by: Paul Blakey Signed-off-by: Saeed Mahameed commit df14ad1eccb04a4a28c90389214dbacab085b244 Author: Moshe Shemesh Date: Wed Apr 29 23:56:58 2020 +0300 net/mlx5: Fix memory leak in mlx5_events_init Fix memory leak in mlx5_events_init(), in case create_single_thread_workqueue() fails, events struct should be freed. Fixes: 5d3c537f9070 ("net/mlx5: Handle event of power detection in the PCIE slot") Signed-off-by: Moshe Shemesh Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed commit a16b8e0dcf7043bee46174bed0553cc9e36b63a5 Author: Roi Dayan Date: Thu Apr 30 09:16:01 2020 +0300 net/mlx5e: Fix inner tirs handling In the cited commit inner_tirs argument was added to create and destroy inner tirs, and no indication was added to mlx5e_modify_tirs_hash() function. In order to have a consistent handling, use inner_indir_tir[0].tirn in tirs destroy/modify function as an indication to whether inner tirs are created. Inner tirs are not created for representors and before this commit, a call to mlx5e_modify_tirs_hash() was sending HW commands to modify non-existent inner tirs. Fixes: 46dc933cee82 ("net/mlx5e: Provide explicit directive if to create inner indirect tirs") Signed-off-by: Roi Dayan Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed commit 16736e11f43b80a38f98f6add54fab3b8c297df3 Author: Tariq Toukan Date: Mon Apr 27 16:56:59 2020 +0300 net/mlx5e: kTLS, Destroy key object after destroying the TIS The TLS TIS object contains the dek/key ID. By destroying the key first, the TIS would contain an invalid non-existing key ID. Reverse the destroy order, this also acheives the desired assymetry between the destroy and the create flows. Fixes: d2ead1f360e8 ("net/mlx5e: Add kTLS TX HW offload support") Signed-off-by: Tariq Toukan Reviewed-by: Boris Pismenny Signed-off-by: Saeed Mahameed commit 321348475d544aa6705dcfac2135deeccb8dc0bb Author: Maor Dickman Date: Thu Apr 23 15:16:17 2020 +0300 net/mlx5e: Fix allowed tc redirect merged eswitch offload cases After changing the parent_id to be the same for both NICs of same The cited commit wrongly allow offload of tc redirect flows from VF to uplink and vice versa when devcies are on different eswitch, these cases aren't supported by HW. Disallow the above offloads when devcies are on different eswitch and VF LAG is not configured. Fixes: f6dc1264f1c0 ("net/mlx5e: Disallow tc redirect offload cases we don't support") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed commit f7936ddd35d8b849daf0372770c7c9dbe7910fca Author: Eran Ben Elisha Date: Thu Mar 19 21:43:13 2020 +0200 net/mlx5: Avoid processing commands before cmdif is ready When driver is reloading during recovery flow, it can't get new commands till command interface is up again. Otherwise we may get to null pointer trying to access non initialized command structures. Add cmdif state to avoid processing commands while cmdif is not ready. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Eran Ben Elisha Signed-off-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit d43b7007dbd1195a5b6b83213e49b1516aaf6f5e Author: Eran Ben Elisha Date: Wed Mar 18 21:44:32 2020 +0200 net/mlx5: Fix a race when moving command interface to events mode After driver creates (via FW command) an EQ for commands, the driver will be informed on new commands completion by EQE. However, due to a race in driver's internal command mode metadata update, some new commands will still be miss-handled by driver as if we are in polling mode. Such commands can get two non forced completion, leading to already freed command entry access. CREATE_EQ command, that maps EQ to the command queue must be posted to the command queue while it is empty and no other command should be posted. Add SW mechanism that once the CREATE_EQ command is about to be executed, all other commands will return error without being sent to the FW. Allow sending other commands only after successfully changing the driver's internal command mode metadata. We can safely return error to all other commands while creating the command EQ, as all other commands might be sent from the user/application during driver load. Application can rerun them later after driver's load was finished. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Eran Ben Elisha Signed-off-by: Moshe Shemesh Signed-off-by: Saeed Mahameed commit 17d00e839d3b592da9659c1977d45f85b77f986a Author: Moshe Shemesh Date: Fri Dec 27 07:01:53 2019 +0200 net/mlx5: Add command entry handling completion When FW response to commands is very slow and all command entries in use are waiting for completion we can have a race where commands can get timeout before they get out of the queue and handled. Timeout completion on uninitialized command will cause releasing command's buffers before accessing it for initialization and then we will get NULL pointer exception while trying access it. It may also cause releasing buffers of another command since we may have timeout completion before even allocating entry index for this command. Add entry handling completion to avoid this race. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Signed-off-by: Moshe Shemesh Signed-off-by: Eran Ben Elisha Signed-off-by: Saeed Mahameed commit d04322a0da1e86aedaa322ce933cfb8c0191d1eb Merge: 5a730153984d f45d01f4f30b Author: David S. Miller Date: Fri May 22 16:43:58 2020 -0700 Merge tag 'rxrpc-fixes-20200523-v2' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs David Howells says: ==================== rxrpc: Fix a warning and a leak [ver #2] Here are a couple of fixes for AF_RXRPC: (1) Fix an uninitialised variable warning. (2) Fix a leak of the ticket on error in rxkad. ==================== Signed-off-by: David S. Miller commit f45d01f4f30b53c3a0a1c6c1c154acb7ff74ab9f Author: Qiushi Wu Date: Fri May 22 13:45:18 2020 -0500 rxrpc: Fix a memory leak in rxkad_verify_response() A ticket was not released after a call of the function "rxkad_decrypt_ticket" failed. Thus replace the jump target "temporary_error_free_resp" by "temporary_error_free_ticket". Fixes: 8c2f826dc3631 ("rxrpc: Don't put crypto buffers on the stack") Signed-off-by: Qiushi Wu Signed-off-by: David Howells cc: Markus Elfring commit 8a1d24e1cc6d96a17f2dcb1400d370cadbfb7cb6 Author: David Howells Date: Fri May 22 23:58:28 2020 +0100 rxrpc: Fix a warning Fix a warning due to an uninitialised variable. le included from ../fs/afs/fs_probe.c:11: ../fs/afs/fs_probe.c: In function 'afs_fileserver_probe_result': ../fs/afs/internal.h:1453:2: warning: 'rtt_us' may be used uninitialized in this function [-Wmaybe-uninitialized] 1453 | printk("[%-6.6s] "FMT"\n", current->comm ,##__VA_ARGS__) | ^~~~~~ ../fs/afs/fs_probe.c:35:15: note: 'rtt_us' was declared here Signed-off-by: David Howells commit 5a730153984dd13f82ffae93d7170d76eba204e9 Author: Qiushi Wu Date: Fri May 22 16:50:27 2020 -0500 net: sun: fix missing release regions in cas_init_one(). In cas_init_one(), "pdev" is requested by "pci_request_regions", but it was not released after a call of the function “pci_write_config_byte” failed. Thus replace the jump target “err_write_cacheline” by "err_out_free_res". Fixes: 1f26dac32057 ("[NET]: Add Sun Cassini driver.") Signed-off-by: Qiushi Wu Signed-off-by: David S. Miller commit bf655ba212dfd10d1c86afeee3f3372dbd731d46 Author: Vladimir Oltean Date: Fri May 22 00:31:23 2020 +0300 net: mscc: ocelot: fix address ageing time (again) ocelot_set_ageing_time has 2 callers: - felix_set_ageing_time: from drivers/net/dsa/ocelot/felix.c - ocelot_port_attr_ageing_set: from drivers/net/ethernet/mscc/ocelot.c The issue described in the fixed commit below actually happened for the felix_set_ageing_time code path only, since ocelot_port_attr_ageing_set was already dividing by 1000. So to make both paths symmetrical (and to fix addresses getting aged way too fast on Ocelot), stop dividing by 1000 at caller side altogether. Fixes: c0d7eccbc761 ("net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller commit 561535b0f23961ced071b82575d5e83e6351a814 Author: Heiner Kallweit Date: Thu May 21 22:03:08 2020 +0200 r8169: fix OCP access on RTL8117 According to r8168 vendor driver DASHv3 chips like RTL8168fp/RTL8117 need a special addressing for OCP access. Fix is compile-tested only due to missing test hardware. Fixes: 1287723aa139 ("r8169: add support for RTL8117") Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller commit 156ee62bbd8d3234aef26c68f4ba022217591149 Merge: a96ac8a0045e 46ca11177ed5 Author: David S. Miller Date: Fri May 22 16:08:14 2020 -0700 Merge branch 'mlxsw-Various-fixes' Ido Schimmel says: ==================== mlxsw: Various fixes Patch #1 from Jiri fixes a use-after-free discovered while fuzzing mlxsw / devlink with syzkaller. Patch #2 from Amit works around a limitation in new versions of arping, which is used in several selftests. ==================== Signed-off-by: David S. Miller commit 46ca11177ed593f39d534f8d2c74ec5344e90c11 Author: Amit Cohen Date: Thu May 21 15:11:45 2020 +0300 selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer Starting from iputils s20190709 (used in Fedora 31), arping does not support timeout being specified as a decimal: $ arping -c 1 -I swp1 -b 192.0.2.66 -q -w 0.1 arping: invalid argument: '0.1' Previously, such timeouts were rounded to an integer. Fix this by specifying the timeout as an integer. Fixes: a5ee171d087e ("selftests: mlxsw: qos_mc_aware: Add a test for UC awareness") Signed-off-by: Amit Cohen Reviewed-by: Petr Machata Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit 4340f42f207eacb81e7a6b6bb1e3b6afad9a2e26 Author: Jiri Pirko Date: Thu May 21 15:11:44 2020 +0300 mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails In case of reload fail, the mlxsw_sp->ports contains a pointer to a freed memory (either by reload_down() or reload_up() error path). Fix this by initializing the pointer to NULL and checking it before dereferencing in split/unsplit/type_set callpaths. Fixes: 24cc68ad6c46 ("mlxsw: core: Add support for reload") Reported-by: Danielle Ratson Signed-off-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller commit a96ac8a0045e3cbe3e5af6d1b3c78c6c2065dec5 Author: Jonathan McDowell Date: Thu May 21 12:49:34 2020 +0100 net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x The ipq806x_gmac_probe() function enables the PTP clock but not the appropriate interface clocks. This means that if the bootloader hasn't done so attempting to bring up the interface will fail with an error like: [ 59.028131] ipq806x-gmac-dwmac 37600000.ethernet: Failed to reset the dma [ 59.028196] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_hw_setup: DMA engine initialization failed [ 59.034056] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_open: Hw setup failed This patch, a slightly cleaned up version of one posted by Sergey Sergeev in: https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-rm/4064/257 correctly enables the clock; we have already configured the source just before this. Tested on a MikroTik RB3011. Signed-off-by: Jonathan McDowell Signed-off-by: David S. Miller commit 7a40a2d22b79131a4826777864f39b19eaf7c857 Merge: 4629ed2e481b 4d59e59cf450 Author: David S. Miller Date: Fri May 22 16:05:42 2020 -0700 Merge branch 'netdevsim-Two-small-fixes' Ido Schimmel says: ==================== netdevsim: Two small fixes Fix two bugs observed while analyzing regression failures. Patch #1 fixes a bug where sometimes the drop counter of a packet trap policer would not increase. Patch #2 adds a missing initialization of a variable in a related selftest. ==================== Signed-off-by: David S. Miller commit 4d59e59cf45046fe1263a935f8abc418bb61215c Author: Ido Schimmel Date: Thu May 21 14:46:17 2020 +0300 selftests: netdevsim: Always initialize 'RET' variable The variable is used by log_test() to check if the test case completely successfully or not. In case it is not initialized at the start of a test case, it is possible for the test case to fail despite not encountering any errors. Example: ``` ... TEST: Trap group statistics [ OK ] TEST: Trap policer [FAIL] Policer drop counter was not incremented TEST: Trap policer binding [FAIL] Policer drop counter was not incremented ``` Failure of trap_policer_test() caused trap_policer_bind_test() to fail as well. Fix by adding missing initialization of the variable. Fixes: 5fbff58e27a1 ("selftests: netdevsim: Add test cases for devlink-trap policers") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller commit be43224fc0e4697ad0d03107cbaf1ecf26e7ee72 Author: Ido Schimmel Date: Thu May 21 14:46:16 2020 +0300 netdevsim: Ensure policer drop counter always increases In case the policer drop counter is retrieved when the jiffies value is a multiple of 64, the counter will not be incremented. This randomly breaks a selftest [1] the reads the counter twice and checks that it was incremented: ``` TEST: Trap policer [FAIL] Policer drop counter was not incremented ``` Fix by always incrementing the counter by 1. [1] tools/testing/selftests/drivers/net/netdevsim/devlink_trap.sh Fixes: ad188458d012 ("netdevsim: Add devlink-trap policer support") Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller commit 4629ed2e481b2af421ccb2ca3ba6e6b541789f5a Merge: 79dde73cf9bc 441fdee1eaf0 Author: David S. Miller Date: Fri May 22 15:53:30 2020 -0700 Merge tag 'rxrpc-fixes-20200520' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs David Howells says: ==================== rxrpc: Fix retransmission timeout and ACK discard Here are a couple of fixes and an extra tracepoint for AF_RXRPC: (1) Calculate the RTO pretty much as TCP does, rather than making something up, including an initial 4s timeout (which causes return probes from the fileserver to fail if a packet goes missing), and add backoff. (2) Fix the discarding of out-of-order received ACKs. We mustn't let the hard-ACK point regress, nor do we want to do unnecessary retransmission because the soft-ACK list regresses. This is not trivial, however, due to some loose wording in various old protocol specs, the ACK field that should be used for this sometimes has the wrong information in it. (3) Add a tracepoint to log a discarded ACK. ==================== Signed-off-by: David S. Miller commit 79dde73cf9bcf1dd317a2667f78b758e9fe139ed Author: Valentin Longchamp Date: Wed May 20 17:53:50 2020 +0200 net/ethernet/freescale: rework quiesce/activate for ucc_geth ugeth_quiesce/activate are used to halt the controller when there is a link change that requires to reconfigure the mac. The previous implementation called netif_device_detach(). This however causes the initial activation of the netdevice to fail precisely because it's detached. For details, see [1]. A possible workaround was the revert of commit net: linkwatch: add check for netdevice being present to linkwatch_do_dev However, the check introduced in the above commit is correct and shall be kept. The netif_device_detach() is thus replaced with netif_tx_stop_all_queues() that prevents any tranmission. This allows to perform mac config change required by the link change, without detaching the corresponding netdevice and thus not preventing its initial activation. [1] https://lists.openwall.net/netdev/2020/01/08/201 Signed-off-by: Valentin Longchamp Acked-by: Matteo Ghidoni Signed-off-by: David S. Miller commit d3e8e4c11870413789f029a71e72ae6e971fe678 Author: Jere Leppänen Date: Wed May 20 18:15:31 2020 +0300 sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed Commit bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.") starts shutdown when an association is restarted, if in SHUTDOWN-PENDING state and the socket is closed. However, the rationale stated in that commit applies also when in SHUTDOWN-SENT state - we don't want to move an association to ESTABLISHED state when the socket has been closed, because that results in an association that is unreachable from user space. The problem scenario: 1. Client crashes and/or restarts. 2. Server (using one-to-one socket) calls close(). SHUTDOWN is lost. 3. Client reconnects using the same addresses and ports. 4. Server's association is restarted. The association and the socket move to ESTABLISHED state, even though the server process has closed its descriptor. Also, after step 4 when the server process exits, some resources are leaked in an attempt to release the underlying inet sock structure in ESTABLISHED state: IPv4: Attempt to release TCP socket in state 1 00000000377288c7 Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if an association is restarted in SHUTDOWN-SENT state and the socket is closed, then start shutdown and don't move the association or the socket to ESTABLISHED state. Fixes: bdf6fa52f01b ("sctp: handle association restarts when the socket is closed.") Signed-off-by: Jere Leppänen Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit 1378817486d6860f6a927f573491afe65287abf1 Author: Eric Dumazet Date: Thu May 21 11:29:58 2020 -0700 tipc: block BH before using dst_cache dst_cache_get() documents it must be used with BH disabled. sysbot reported : BUG: using smp_processor_id() in preemptible [00000000] code: /21697 caller is dst_cache_get+0x3a/0xb0 net/core/dst_cache.c:68 CPU: 0 PID: 21697 Comm: Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 check_preemption_disabled lib/smp_processor_id.c:47 [inline] debug_smp_processor_id.cold+0x88/0x9b lib/smp_processor_id.c:57 dst_cache_get+0x3a/0xb0 net/core/dst_cache.c:68 tipc_udp_xmit.isra.0+0xb9/0xad0 net/tipc/udp_media.c:164 tipc_udp_send_msg+0x3e6/0x490 net/tipc/udp_media.c:244 tipc_bearer_xmit_skb+0x1de/0x3f0 net/tipc/bearer.c:526 tipc_enable_bearer+0xb2f/0xd60 net/tipc/bearer.c:331 __tipc_nl_bearer_enable+0x2bf/0x390 net/tipc/bearer.c:995 tipc_nl_bearer_enable+0x1e/0x30 net/tipc/bearer.c:1003 genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline] genl_family_rcv_msg net/netlink/genetlink.c:718 [inline] genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 genl_rcv+0x24/0x40 net/netlink/genetlink.c:746 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 ___sys_sendmsg+0x100/0x170 net/socket.c:2416 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca29 Fixes: e9c1a793210f ("tipc: add dst_cache support for udp media") Cc: Xin Long Cc: Jon Maloy Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller commit 3138a07ce219acde4c0d7ea0b6d54ba64153328b Author: Russell King Date: Wed May 20 12:26:35 2020 +0100 net: mvpp2: fix RX hashing for non-10G ports When rxhash is enabled on any ethernet port except the first in each CP block, traffic flow is prevented. The analysis is below: I've been investigating this afternoon, and what I've found, comparing a kernel without 895586d5dc32 and with 895586d5dc32 applied is: - The table programmed into the hardware via mvpp22_rss_fill_table() appears to be identical with or without the commit. - When rxhash is enabled on eth2, mvpp2_rss_port_c2_enable() reports that c2.attr[0] and c2.attr[2] are written back containing: - with 895586d5dc32, failing: 00200000 40000000 - without 895586d5dc32, working: 04000000 40000000 - When disabling rxhash, c2.attr[0] and c2.attr[2] are written back as: 04000000 00000000 The second value represents the MVPP22_CLS_C2_ATTR2_RSS_EN bit, the first value is the queue number, which comprises two fields. The high 5 bits are 24:29 and the low three are 21:23 inclusive. This comes from: c2.attr[0] = MVPP22_CLS_C2_ATTR0_QHIGH(qh) | MVPP22_CLS_C2_ATTR0_QLOW(ql); So, the working case gives eth2 a queue id of 4.0, or 32 as per port->first_rxq, and the non-working case a queue id of 0.1, or 1. The allocation of queue IDs seems to be in mvpp2_port_probe(): if (priv->hw_version == MVPP21) port->first_rxq = port->id * port->nrxqs; else port->first_rxq = port->id * priv->max_port_rxqs; Where: if (priv->hw_version == MVPP21) priv->max_port_rxqs = 8; else priv->max_port_rxqs = 32; Making the port 0 (eth0 / eth1) have port->first_rxq = 0, and port 1 (eth2) be 32. It seems the idea is that the first 32 queues belong to port 0, the second 32 queues belong to port 1, etc. mvpp2_rss_port_c2_enable() gets the queue number from it's parameter, 'ctx', which comes from mvpp22_rss_ctx(port, 0). This returns port->rss_ctx[0]. mvpp22_rss_context_create() is responsible for allocating that, which it does by looking for an unallocated priv->rss_tables[] pointer. This table is shared amongst all ports on the CP silicon. When we write the tables in mvpp22_rss_fill_table(), the RSS table entry is defined by: u32 sel = MVPP22_RSS_INDEX_TABLE(rss_ctx) | MVPP22_RSS_INDEX_TABLE_ENTRY(i); where rss_ctx is the context ID (queue number) and i is the index in the table. If we look at what is written: - The first table to be written has "sel" values of 00000000..0000001f, containing values 0..3. This appears to be for eth1. This is table 0, RX queue number 0. - The second table has "sel" values of 00000100..0000011f, and appears to be for eth2. These contain values 0x20..0x23. This is table 1, RX queue number 0. - The third table has "sel" values of 00000200..0000021f, and appears to be for eth3. These contain values 0x40..0x43. This is table 2, RX queue number 0. How do queue numbers translate to the RSS table? There is another table - the RXQ2RSS table, indexed by the MVPP22_RSS_INDEX_QUEUE field of MVPP22_RSS_INDEX and accessed through the MVPP22_RXQ2RSS_TABLE register. Before 895586d5dc32, it was: mvpp2_write(priv, MVPP22_RSS_INDEX, MVPP22_RSS_INDEX_QUEUE(port->first_rxq)); mvpp2_write(priv, MVPP22_RXQ2RSS_TABLE, MVPP22_RSS_TABLE_POINTER(port->id)); and after: mvpp2_write(priv, MVPP22_RSS_INDEX, MVPP22_RSS_INDEX_QUEUE(ctx)); mvpp2_write(priv, MVPP22_RXQ2RSS_TABLE, MVPP22_RSS_TABLE_POINTER(ctx)); Before the commit, for eth2, that would've contained '32' for the index and '1' for the table pointer - mapping queue 32 to table 1. Remember that this is queue-high.queue-low of 4.0. After the commit, we appear to map queue 1 to table 1. That again looks fine on the face of it. Section 9.3.1 of the A8040 manual seems indicate the reason that the queue number is separated. queue-low seems to always come from the classifier, whereas queue-high can be from the ingress physical port number or the classifier depending on the MVPP2_CLS_SWFWD_PCTRL_REG. We set the port bit in MVPP2_CLS_SWFWD_PCTRL_REG, meaning that queue-high comes from the MVPP2_CLS_SWFWD_P2HQ_REG() register... and this seems to be where our bug comes from. mvpp2_cls_oversize_rxq_set() sets this up as: mvpp2_write(port->priv, MVPP2_CLS_SWFWD_P2HQ_REG(port->id), (port->first_rxq >> MVPP2_CLS_OVERSIZE_RXQ_LOW_BITS)); val = mvpp2_read(port->priv, MVPP2_CLS_SWFWD_PCTRL_REG); val |= MVPP2_CLS_SWFWD_PCTRL_MASK(port->id); mvpp2_write(port->priv, MVPP2_CLS_SWFWD_PCTRL_REG, val); Setting the MVPP2_CLS_SWFWD_PCTRL_MASK bit means that the queue-high for eth2 is _always_ 4, so only queues 32 through 39 inclusive are available to eth2. Yet, we're trying to tell the classifier to set queue-high, which will be ignored, to zero. Hence, the queue-high field (MVPP22_CLS_C2_ATTR0_QHIGH()) from the classifier will be ignored. This means we end up directing traffic from eth2 not to queue 1, but to queue 33, and then we tell it to look up queue 33 in the RSS table. However, RSS table has not been programmed for queue 33, and so it ends up (presumably) dropping the packets. It seems that mvpp22_rss_context_create() doesn't take account of the fact that the upper 5 bits of the queue ID can't actually be changed due to the settings in mvpp2_cls_oversize_rxq_set(), _or_ it seems that mvpp2_cls_oversize_rxq_set() has been missed in this commit. Either way, these two functions mutually disagree with what queue number should be used. Looking deeper into what mvpp2_cls_oversize_rxq_set() and the MTU validation is doing, it seems that MVPP2_CLS_SWFWD_P2HQ_REG() is used for over-sized packets attempting to egress through this port. With the classifier having had RSS enabled and directing eth2 traffic to queue 1, we may still have packets appearing on queue 32 for this port. However, the only way we may end up with over-sized packets attempting to egress through eth2 - is if the A8040 forwards frames between its ports. From what I can see, we don't support that feature, and the kernel restricts the egress packet size to the MTU. In any case, if we were to attempt to transmit an oversized packet, we have no support in the kernel to deal with that appearing in the port's receive queue. So, this patch attempts to solve the issue by clearing the MVPP2_CLS_SWFWD_PCTRL_MASK() bit, allowing MVPP22_CLS_C2_ATTR0_QHIGH() from the classifier to define the queue-high field of the queue number. My testing seems to confirm my findings above - clearing this bit means that if I enable rxhash on eth2, the interface can then pass traffic, as we are now directing traffic to RX queue 1 rather than queue 33. Traffic still seems to work with rxhash off as well. Reported-by: Matteo Croce Tested-by: Matteo Croce Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables") Signed-off-by: Russell King Signed-off-by: David S. Miller commit d3b968bc2dee06a88682d035a0fde8bf77af39b9 Merge: b4024c9e5c57 5cf65922bb15 Author: David S. Miller Date: Fri May 22 14:35:35 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2020-05-22 The following pull-request contains BPF updates for your *net* tree. We've added 3 non-merge commits during the last 3 day(s) which contain a total of 5 files changed, 69 insertions(+), 11 deletions(-). The main changes are: 1) Fix to reject mmap()'ing read-only array maps as writable since BPF verifier relies on such map content to be frozen, from Andrii Nakryiko. 2) Fix breaking audit from secid_to_secctx() LSM hook by avoiding to use call_int_hook() since this hook is not stackable, from KP Singh. 3) Fix BPF flow dissector program ref leak on netns cleanup, from Jakub Sitnicki. ==================== Signed-off-by: David S. Miller commit b4024c9e5c57902155d3b5e7de482e245f492bff Author: Claudiu Manoil Date: Fri May 22 11:54:34 2020 +0300 felix: Fix initialization of ioremap resources The caller of devm_ioremap_resource(), either accidentally or by wrong assumption, is writing back derived resource data to global static resource initialization tables that should have been constant. Meaning that after it computes the final physical start address it saves the address for no reason in the static tables. This doesn't affect the first driver probing after reboot, but it breaks consecutive driver reloads (i.e. driver unbind & bind) because the initialization tables no longer have the correct initial values. So the next probe() will map the device registers to wrong physical addresses, causing ARM SError async exceptions. This patch fixes all of the above. Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family") Signed-off-by: Claudiu Manoil Reviewed-by: Vladimir Oltean Tested-by: Vladimir Oltean Signed-off-by: David S. Miller commit bd6972226f50910a5b97e6b9d443c5d0433bf054 Author: Todd Malsbary Date: Thu May 21 19:10:49 2020 -0700 mptcp: use untruncated hash in ADD_ADDR HMAC There is some ambiguity in the RFC as to whether the ADD_ADDR HMAC is the rightmost 64 bits of the entire hash or of the leftmost 160 bits of the hash. The intention, as clarified with the author of the RFC, is the entire hash. This change returns the entire hash from mptcp_crypto_hmac_sha (instead of only the first 160 bits), and moves any truncation/selection operation on the hash to the caller. Fixes: 12555a2d97e5 ("mptcp: use rightmost 64 bits in ADD_ADDR HMAC") Reviewed-by: Christoph Paasch Reviewed-by: Mat Martineau Signed-off-by: Todd Malsbary Signed-off-by: David S. Miller commit 444565650a5fe9c63ddf153e6198e31705dedeb2 Merge: db9f384785b1 d4ae271dfaae Author: Linus Torvalds Date: Fri May 22 11:12:30 2020 -0700 Merge tag 'io_uring-5.7-2020-05-22' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "A small collection of small fixes that should go into this release: - Two fixes for async request preparation (Pavel) - Busy clear fix for SQPOLL (Xiaoguang) - Don't use kiocb->private for O_DIRECT buf index, some file systems use it (Bijan) - Kill dead check in io_splice() - Ensure sqo_wait is initialized early - Cancel task_work if we fail adding to original process - Only add (IO)pollable requests to iopoll list, fixing a regression in this merge window" * tag 'io_uring-5.7-2020-05-22' of git://git.kernel.dk/linux-block: io_uring: reset -EBUSY error when io sq thread is waken up io_uring: don't add non-IO requests to iopoll pending list io_uring: don't use kiocb.private to store buf_index io_uring: cancel work if task_work_add() fails io_uring: remove dead check in io_splice() io_uring: fix FORCE_ASYNC req preparation io_uring: don't prepare DRAIN reqs twice io_uring: initialize ctx->sqo_wait earlier commit db9f384785b15e8569910c8e2ea1ffc83aedbff6 Merge: b09ca17a2a08 1592cd15eec6 Author: Linus Torvalds Date: Fri May 22 11:10:42 2020 -0700 Merge tag 'block-5.7-2020-05-22' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: "Two fixes for null_blk zone mode" * tag 'block-5.7-2020-05-22' of git://git.kernel.dk/linux-block: null_blk: don't allow discard for zoned mode null_blk: return error for invalid zone size commit b09ca17a2a082299c787025b6c3e614a24a24ca8 Merge: 4286d192c803 8356c379cfba Author: Linus Torvalds Date: Fri May 22 11:08:26 2020 -0700 Merge tag 'riscv-for-linus-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "Two fixes: - Another !MMU build fix that was a straggler from last week - A fix to use the "register" keyword for the GP global register variable" * tag 'riscv-for-linus-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: RISC-V: gp_in_global needs register keyword riscv: Fix print_vm_layout build error if NOMMU commit 9bb4cbf4862dfa139f73e12912129e5b76baea1a Merge: b9bbe6ed63b2 b4f1874c6216 Author: Borislav Petkov Date: Fri May 22 20:06:25 2020 +0200 Merge tag 'efi-fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi into efi/urgent Pull EFI fixes from Ard Biesheuvel: "- fix EFI framebuffer earlycon for wide fonts - avoid filling screen_info with garbage if the EFI framebuffer is not available - fix a potential host tool build error due to a symbol clash on x86 - work around a EFI firmware bug regarding the binary format of the TPM final events table - fix a missing memory free by reworking the E820 table sizing routine to not do the allocation in the first place - add CPER parsing for firmware errors" commit 187b96db5ca79423618dfa29a05c438c34f9e1f0 Author: Josh Poimboeuf Date: Fri May 22 08:54:35 2020 -0500 x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks Normally, show_trace_log_lvl() scans the stack, looking for text addresses to print. In parallel, it unwinds the stack with unwind_next_frame(). If the stack address matches the pointer returned by unwind_get_return_address_ptr() for the current frame, the text address is printed normally without a question mark. Otherwise it's considered a breadcrumb (potentially from a previous call path) and it's printed with a question mark to indicate that the address is unreliable and typically can be ignored. Since the following commit: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks") ... for inactive tasks, show_trace_log_lvl() prints *only* unreliable addresses (prepended with '?'). That happens because, for the first frame of an inactive task, unwind_get_return_address_ptr() returns the wrong return address pointer: one word *below* the task stack pointer. show_trace_log_lvl() starts scanning at the stack pointer itself, so it never finds the first 'reliable' address, causing only guesses to being printed. The first frame of an inactive task isn't a normal stack frame. It's actually just an instance of 'struct inactive_task_frame' which is left behind by __switch_to_asm(). Now that this inactive frame is actually exposed to callers, fix unwind_get_return_address_ptr() to interpret it properly. Fixes: f1d9a2abff66 ("x86/unwind/orc: Don't skip the first frame for inactive tasks") Reported-by: Tetsuo Handa Signed-off-by: Josh Poimboeuf Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20200522135435.vbxs7umku5pyrdbk@treble commit 4286d192c803571e8ca43b0f1f8ea04d663a278a Merge: f5ca7a716102 8cfb347ad0cf Author: Linus Torvalds Date: Fri May 22 09:34:19 2020 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fixes from Catalin Marinas: - Bring the PTRACE_SYSEMU semantics in line with the man page. - Annotate variable assignment in get_user() with the type to avoid sparse warnings. * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: Add get_user() type annotation on the !access_ok() path arm64: Fix PTRACE_SYSEMU semantics commit f5ca7a7161028db5ac5bcd06db03d7f2e340a20d Merge: c8347bbf19f2 259eb8247531 Author: Linus Torvalds Date: Fri May 22 09:22:22 2020 -0700 Merge tag 'sound-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Just a few small fixes: the only significant one is a slight improvement for PCM running position update with no-period-elapsed case while the rest are HD-audio fixups and ice1712 model quirk" * tag 'sound-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek - Add more fixup entries for Clevo machines ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme ALSA: pcm: fix incorrect hw_base increase commit 8cfb347ad0cffdbfc69c82506fb3be9429563211 Author: Al Viro Date: Fri May 22 15:23:21 2020 +0100 arm64: Add get_user() type annotation on the !access_ok() path Sparse reports "Using plain integer as NULL pointer" when the arm64 __get_user_error() assigns 0 to a pointer type. Use proper type annotation. Signed-of-by: Al Viro Reported-by: kbuild test robot Link: http://lkml.kernel.org/r/20200522142321.GP23230@ZenIV.linux.org.uk Signed-off-by: Catalin Marinas commit c8347bbf19f265c1bd254ca148f27caa71e77d61 Merge: 051143e1602d 8659a0e0efdd Author: Linus Torvalds Date: Fri May 22 08:51:39 2020 -0700 Merge tag 'powerpc-5.7-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - a revert of a recent change to the PTE bits for 32-bit BookS, which broke swap. - a "fix" to disable STRICT_KERNEL_RWX for 64-bit in Kconfig, as it's causing crashes for some people. Thanks to Christophe Leroy and Rui Salvaterra. * tag 'powerpc-5.7-5' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/64s: Disable STRICT_KERNEL_RWX Revert "powerpc/32s: reorder Linux PTE bits to better match Hash PTE bits." commit 7a839dbab1be59f5ed3b3b046de29e166784c9b4 Author: Klaus Doth Date: Fri May 22 12:56:04 2020 +0200 misc: rtsx: Add short delay after exit from ASPM DMA transfers to and from the SD card stall for 10 seconds and run into timeout on RTS5260 card readers after ASPM was enabled. Adding a short msleep after disabling ASPM fixes the issue on several Dell Precision 7530/7540 systems I tested. This function is only called when waking up after the chip went into power-save after not transferring data for a few seconds. The added msleep does therefore not change anything in data transfer speed or induce any excessive waiting while data transfers are running, or the chip is sleeping. Only the transition from sleep to active is affected. Signed-off-by: Klaus Doth Cc: stable Link: https://lore.kernel.org/r/4434eaa7-2ee3-a560-faee-6cee63ebd6d4@doth.eu Signed-off-by: Greg Kroah-Hartman commit 5cf65922bb15279402e1e19b5ee8c51d618fa51f Author: Jakub Sitnicki Date: Thu May 21 10:34:35 2020 +0200 flow_dissector: Drop BPF flow dissector prog ref on netns cleanup When attaching a flow dissector program to a network namespace with bpf(BPF_PROG_ATTACH, ...) we grab a reference to bpf_prog. If netns gets destroyed while a flow dissector is still attached, and there are no other references to the prog, we leak the reference and the program remains loaded. Leak can be reproduced by running flow dissector tests from selftests/bpf: # bpftool prog list # ./test_flow_dissector.sh ... selftests: test_flow_dissector [PASS] # bpftool prog list 4: flow_dissector name _dissect tag e314084d332a5338 gpl loaded_at 2020-05-20T18:50:53+0200 uid 0 xlated 552B jited 355B memlock 4096B map_ids 3,4 btf_id 4 # Fix it by detaching the flow dissector program when netns is going away. Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") Signed-off-by: Jakub Sitnicki Signed-off-by: Alexei Starovoitov Reviewed-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20200521083435.560256-1-jakub@cloudflare.com commit 7d9ff5eed4146bf026c69e766ff630bc0bd555bb Merge: 9bf430396900 31ecebee9c36 Author: Dave Airlie Date: Fri May 22 10:30:50 2020 +1000 Merge tag 'amd-drm-fixes-5.7-2020-05-21' of git://people.freedesktop.org/~agd5f/linux into drm-fixes amd-drm-fixes-5.7-2020-05-21: amdgpu: - DP fix - Floating point fix - Fix cursor stutter issue Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20200521222415.4122-1-alexander.deucher@amd.com commit a7654211d0ffeaa8eb0545ea00f8445242cbce05 Author: Tang Bin Date: Wed May 20 17:55:32 2020 +0800 net: sgi: ioc3-eth: Fix return value check in ioc3eth_probe() In the function devm_platform_ioremap_resource(), if get resource failed, the return value is ERR_PTR() not NULL. Thus it must be replaced by IS_ERR(), or else it may result in crashes if a critical error path is encountered. Fixes: 0ce5ebd24d25 ("mfd: ioc3: Add driver for SGI IOC3 chip") Signed-off-by: Zhang Shengju Signed-off-by: Tang Bin Signed-off-by: David S. Miller commit 41b4bd986f86331efc599b9a3f5fb86ad92e9af9 Author: Sabrina Dubroca Date: Wed May 20 11:15:46 2020 +0200 net: don't return invalid table id error when we fall back to PF_UNSPEC In case we can't find a ->dumpit callback for the requested (family,type) pair, we fall back to (PF_UNSPEC,type). In effect, we're in the same situation as if userspace had requested a PF_UNSPEC dump. For RTM_GETROUTE, that handler is rtnl_dump_all, which calls all the registered RTM_GETROUTE handlers. The requested table id may or may not exist for all of those families. commit ae677bbb4441 ("net: Don't return invalid table id error when dumping all families") fixed the problem when userspace explicitly requests a PF_UNSPEC dump, but missed the fallback case. For example, when we pass ipv6.disable=1 to a kernel with CONFIG_IP_MROUTE=y and CONFIG_IP_MROUTE_MULTIPLE_TABLES=y, the (PF_INET6, RTM_GETROUTE) handler isn't registered, so we end up in rtnl_dump_all, and listing IPv6 routes will unexpectedly print: # ip -6 r Error: ipv4: MR table does not exist. Dump terminated commit ae677bbb4441 introduced the dump_all_families variable, which gets set when userspace requests a PF_UNSPEC dump. However, we can't simply set the family to PF_UNSPEC in rtnetlink_rcv_msg in the fallback case to get dump_all_families == true, because some messages types (for example RTM_GETRULE and RTM_GETNEIGH) only register the PF_UNSPEC handler and use the family to filter in the kernel what is dumped to userspace. We would then export more entries, that userspace would have to filter. iproute does that, but other programs may not. Instead, this patch removes dump_all_families and updates the RTM_GETROUTE handlers to check if the family that is being dumped is their own. When it's not, which covers both the intentional PF_UNSPEC dumps (as dump_all_families did) and the fallback case, ignore the missing table id error. Fixes: cb167893f41e ("net: Plumb support for filtering ipv4 and ipv6 multicast route dumps") Signed-off-by: Sabrina Dubroca Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 9bf430396900bfb3642eb753c6d38954e9e92716 Merge: 5a3f610877e9 ad99cb5e783b Author: Dave Airlie Date: Fri May 22 10:24:19 2020 +1000 Merge branch 'etnaviv/fixes' of https://git.pengutronix.de/git/lst/linux into drm-fixes two fixes: - memory leak fix when userspace passes a invalid softpin address - off-by-one crashing the kernel in the perfmon domain iteration when the GPU core has both 2D and 3D capabilities Signed-off-by: Dave Airlie From: Lucas Stach Link: https://patchwork.freedesktop.org/patch/msgid/ca7bce5c8aff0fcbbdc3bf2b9723df5f687c8924.camel@pengutronix.de commit 57ebc8f08504f176eb0f25b3e0fde517dec61a4f Author: Vadim Fedorenko Date: Wed May 20 11:50:48 2020 +0300 net: ipip: fix wrong address family in init error path In case of error with MPLS support the code is misusing AF_INET instead of AF_MPLS. Fixes: 1b69e7e6c4da ("ipip: support MPLS over IPv4") Signed-off-by: Vadim Fedorenko Signed-off-by: David S. Miller commit a5534617007a1c33095db35c36b6455ee7add00b Merge: 04ba6b7dd8ca 635d93981786 Author: David S. Miller Date: Thu May 21 17:20:06 2020 -0700 Merge branch 'net-tls-fix-encryption-error-path' Vadim Fedorenko says: ==================== net/tls: fix encryption error path The problem with data stream corruption was found in KTLS transmit path with small socket send buffers and large amount of data. bpf_exec_tx_verdict() frees open record on any type of error including EAGAIN, ENOMEM and ENOSPC while callers are able to recover this transient errors. Also wrong error code was returned to user space in that case. This patchset fixes the problems. ==================== Acked-by: Jakub Kicinski Signed-off-by: David S. Miller commit 635d9398178659d8ddba79dd061f9451cec0b4d1 Author: Vadim Fedorenko Date: Wed May 20 11:41:44 2020 +0300 net/tls: free record only on encryption error We cannot free record on any transient error because it leads to losing previos data. Check socket error to know whether record must be freed or not. Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error") Signed-off-by: Vadim Fedorenko Signed-off-by: David S. Miller commit a7bff11f6f9afa87c25711db8050c9b5324db0e2 Author: Vadim Fedorenko Date: Wed May 20 11:41:43 2020 +0300 net/tls: fix encryption error checking bpf_exec_tx_verdict() can return negative value for copied variable. In that case this value will be pushed back to caller and the real error code will be lost. Fix it using signed type and checking for positive value. Fixes: d10523d0b3d7 ("net/tls: free the record on encryption error") Fixes: d3b18ad31f93 ("tls: add bpf support to sk_msg handling") Signed-off-by: Vadim Fedorenko Signed-off-by: David S. Miller commit 04ba6b7dd8cadeb8ffdc4cba144024c3dad6a6ac Merge: d28ea1fbbf43 1401cf600d54 Author: David S. Miller Date: Thu May 21 17:14:18 2020 -0700 Merge branch 'net-ethernet-ti-fix-some-return-value-check' Wei Yongjun says: ==================== net: ethernet: ti: fix some return value check This patchset convert cpsw_ale_create() to return PTR_ERR() only, and changed all the caller to check IS_ERR() instead of NULL. Since v2: 1) rebased on net.git, as Jakub's suggest 2) split am65-cpsw-nuss.c changes, as Grygorii's suggest ==================== Signed-off-by: David S. Miller commit 1401cf600d548c72f51e20b5841c330d5c11c9e2 Author: Wei Yongjun Date: Wed May 20 11:41:16 2020 +0800 net: ethernet: ti: am65-cpsw-nuss: fix error handling of am65_cpsw_nuss_probe Convert to using IS_ERR() instead of NULL test for cpsw_ale_create() error handling. Also fix to return negative error code from this error handling case instead of 0 in. Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit 3469660d1b15ccfdf7b33295c306b6298ca730aa Author: Wei Yongjun Date: Wed May 20 11:41:15 2020 +0800 net: ethernet: ti: fix some return value check of cpsw_ale_create() cpsw_ale_create() can return both NULL and PTR_ERR(), but all of the caller only check NULL for error handling. This patch convert it to only return PTR_ERR() in all error cases, and the caller using IS_ERR() instead of NULL test. Fixes: 4b41d3436796 ("net: ethernet: ti: cpsw: allow untagged traffic on host port") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller commit d28ea1fbbf437054ef339afec241019f2c4e2bb6 Author: Manivannan Sadhasivam Date: Tue May 19 23:44:16 2020 +0530 net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() Once the traversal of the list is completed with list_for_each_entry(), the iterator (node) will point to an invalid object. So passing this to qrtr_local_enqueue() which is outside of the iterator block is erroneous eventhough the object is not used. So fix this by passing NULL to qrtr_local_enqueue(). Fixes: bdabad3e363d ("net: Add Qualcomm IPC router") Reported-by: kbuild test robot Reported-by: Julia Lawall Signed-off-by: Manivannan Sadhasivam Reviewed-by: Bjorn Andersson Signed-off-by: David S. Miller commit 7c87e32d2e380228ada79d20ac5b7674718ef097 Author: Michal Kubecek Date: Sun May 10 21:04:09 2020 +0200 ethtool: count header size in reply size estimate As ethnl_request_ops::reply_size handlers do not include common header size into calculated/estimated reply size, it needs to be added in ethnl_default_doit() and ethnl_default_notify() before allocating the message. On the other hand, strset_reply_size() should not add common header size. Fixes: 728480f12442 ("ethtool: default handlers for GET requests") Reported-by: Oleksij Rempel Signed-off-by: Michal Kubecek Signed-off-by: David S. Miller commit 189277f3814c36133f4ff0352f4b5194a38486b6 Author: Maor Gottlieb Date: Thu May 21 10:25:04 2020 +0300 RDMA/mlx5: Fix NULL pointer dereference in destroy_prefetch_work q_deferred_work isn't initialized when creating an explicit ODP memory region. This can lead to a NULL pointer dereference when user performs asynchronous prefetch MR. Fix it by initializing q_deferred_work for explicit ODP. BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 4 PID: 6074 Comm: kworker/u16:6 Not tainted 5.7.0-rc1-for-upstream-perf-2020-04-17_07-03-39-64 #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: events_unbound mlx5_ib_prefetch_mr_work [mlx5_ib] RIP: 0010:__wake_up_common+0x49/0x120 Code: 04 89 54 24 0c 89 4c 24 08 74 0a 41 f6 01 04 0f 85 8e 00 00 00 48 8b 47 08 48 83 e8 18 4c 8d 67 08 48 8d 50 18 49 39 d4 74 66 <48> 8b 70 18 31 db 4c 8d 7e e8 eb 17 49 8b 47 18 48 8d 50 e8 49 8d RSP: 0000:ffffc9000097bd88 EFLAGS: 00010082 RAX: ffffffffffffffe8 RBX: ffff888454cd9f90 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff888454cd9f90 RBP: ffffc9000097bdd0 R08: 0000000000000000 R09: ffffc9000097bdd0 R10: 0000000000000000 R11: 0000000000000001 R12: ffff888454cd9f98 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000003 FS: 0000000000000000(0000) GS:ffff88846fd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000000 CR3: 000000044c19e002 CR4: 0000000000760ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: __wake_up_common_lock+0x7a/0xc0 destroy_prefetch_work+0x5a/0x60 [mlx5_ib] mlx5_ib_prefetch_mr_work+0x64/0x80 [mlx5_ib] process_one_work+0x15b/0x360 worker_thread+0x49/0x3d0 kthread+0xf5/0x130 ? rescuer_thread+0x310/0x310 ? kthread_bind+0x10/0x10 ret_from_fork+0x1f/0x30 Fixes: de5ed007a03d ("IB/mlx5: Fix implicit ODP race") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200521072504.567406-1-leon@kernel.org Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 051143e1602d90ea71887d92363edd539d411de5 Merge: 907fa893258b c54d481d71c6 Author: Linus Torvalds Date: Thu May 21 16:43:35 2020 -0700 Merge tag 'apparmor-pr-2020-05-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor bug fixes from John Johansen: - Fix use-after-free in aa_audit_rule_init - Fix refcnt leak in policy_update - Fix potential label refcnt leak in aa_change_profile * tag 'apparmor-pr-2020-05-21' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: Fix use-after-free in aa_audit_rule_init apparmor: Fix aa_label refcnt leak in policy_update apparmor: fix potential label refcnt leak in aa_change_profile commit 907fa893258ba6076f5fff32900a461decb9e8c5 Author: Namjae Jeon Date: Fri May 22 08:10:10 2020 +0900 exfat: add the dummy mount options to be backward compatible with staging/exfat As Ubuntu and Fedora release new version used kernel version equal to or higher than v5.4, They started to support kernel exfat filesystem. Linus reported a mount error with new version of exfat on Fedora: exfat: Unknown parameter 'namecase' This is because there is a difference in mount option between old staging/exfat and new exfat. And utf8, debug, and codepage options as well as namecase have been removed from new exfat. This patch add the dummy mount options as deprecated option to be backward compatible with old one. Reported-by: Linus Torvalds Signed-off-by: Namjae Jeon Cc: Matthew Wilcox Cc: Al Viro Cc: Eric Sandeen Signed-off-by: Linus Torvalds commit c54d481d71c6849e044690d3960aaebc730224cc Author: Navid Emamdoost Date: Mon Oct 21 10:23:47 2019 -0500 apparmor: Fix use-after-free in aa_audit_rule_init In the implementation of aa_audit_rule_init(), when aa_label_parse() fails the allocated memory for rule is released using aa_audit_rule_free(). But after this release, the return statement tries to access the label field of the rule which results in use-after-free. Before releasing the rule, copy errNo and return it after release. Fixes: 52e8c38001d8 ("apparmor: Fix memory leak of rule on error exit path") Signed-off-by: Navid Emamdoost Signed-off-by: John Johansen commit c6b39f070722ea9963ffe756bfe94e89218c5e63 Author: Xiyu Yang Date: Mon Apr 20 13:35:28 2020 +0800 apparmor: Fix aa_label refcnt leak in policy_update policy_update() invokes begin_current_label_crit_section(), which returns a reference of the updated aa_label object to "label" with increased refcount. When policy_update() returns, "label" becomes invalid, so the refcount should be decreased to keep refcount balanced. The reference counting issue happens in one exception handling path of policy_update(). When aa_may_manage_policy() returns not NULL, the refcnt increased by begin_current_label_crit_section() is not decreased, causing a refcnt leak. Fix this issue by jumping to "end_section" label when aa_may_manage_policy() returns not NULL. Fixes: 5ac8c355ae00 ("apparmor: allow introspecting the loaded policy pre internal transform") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: John Johansen commit a0b845ffa0d91855532b50fc040aeb2d8338dca4 Author: Xiyu Yang Date: Sun Apr 5 13:11:55 2020 +0800 apparmor: fix potential label refcnt leak in aa_change_profile aa_change_profile() invokes aa_get_current_label(), which returns a reference of the current task's label. According to the comment of aa_get_current_label(), the returned reference must be put with aa_put_label(). However, when the original object pointed by "label" becomes unreachable because aa_change_profile() returns or a new object is assigned to "label", reference count increased by aa_get_current_label() is not decreased, causing a refcnt leak. Fix this by calling aa_put_label() before aa_change_profile() return and dropping unnecessary aa_get_current_label(). Fixes: 9fcf78cca198 ("apparmor: update domain transitions that are subsets of confinement at nnp") Signed-off-by: Xiyu Yang Signed-off-by: Xin Tan Signed-off-by: John Johansen commit ccffeae7afa41c8ec6d9070d1b4ca1fb210f9f28 Merge: ed9dc1df9f62 34c4e4072603 Author: Arnd Bergmann Date: Fri May 22 00:09:08 2020 +0200 Merge branch 'v5.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/matthias.bgg/linux into arm/fixes * 'v5.7-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/matthias.bgg/linux: soc: mediatek: cmdq: return send msg error code arm64: dts: mt8173: fix vcodec-enc clock Link: https://lore.kernel.org/r/33a0556a-e2a3-7f0b-b09b-4516642a4bfe@gmail.com Signed-off-by: Arnd Bergmann commit ed9dc1df9f62abbd206e03d96be621d7225531e5 Merge: 1a55b4232d1e 665e7c73a772 Author: Arnd Bergmann Date: Fri May 22 00:08:39 2020 +0200 Merge tag 'imx-fixes-5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.7, round 2: One imx6q-bx50v3 device tree change to fix an issue, attempting atomic modeset while using HDMI and display port at the same time causes LDB clock programming to destroy the programming of HDMI. * tag 'imx-fixes-5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: ARM: dts/imx6q-bx50v3: Set display interface clock parents Link: https://lore.kernel.org/r/20200521150719.GB24084@dragon Signed-off-by: Arnd Bergmann commit 1a55b4232d1e5c5b1ff712cc5a73b6f6aee82a52 Merge: b9bbe6ed63b2 24cf6eef79a7 Author: Arnd Bergmann Date: Thu May 21 23:35:26 2020 +0200 Merge branch 'mmp/fixes' into arm/fixes These three fixes should make it into linux-5.7 and also into the branch for other mmp dt changes for v5.8, so I created a branch for them. * mmp/fixes: ARM: dts: mmp3: Drop usb-nop-xceiv from HSIC phy ARM: dts: mmp3-dell-ariel: Fix the SPI devices ARM: dts: mmp3: Use the MMP3 compatible string for /clocks Signed-off-by: Arnd Bergmann commit 24cf6eef79a7e85cfd2ef9dea52f769c9192fc6e Author: Lubomir Rintel Date: Sun Apr 19 19:11:55 2020 +0200 ARM: dts: mmp3: Drop usb-nop-xceiv from HSIC phy "usb-nop-xceiv" is good enough if we don't lose the configuration done by the firmware, but we'd really prefer a real driver. Unfortunately, the PHY core is odd in that when the node is compatible with "usb-nop-xceiv", it ignores the other compatible strings. Let's just remove it. Signed-off-by: Lubomir Rintel Cc: Signed-off-by: Arnd Bergmann commit 233cbffaa0b9ca874731efee67a11f005da1f87c Author: Lubomir Rintel Date: Sun Apr 19 19:11:57 2020 +0200 ARM: dts: mmp3-dell-ariel: Fix the SPI devices I've managed to get about everything wrong while digging these out of OEM's board file. Correct the bus numbers, the exact model of the NOR flash, polarity of the chip selects and align the SPI frequency with the data sheet. Tested that it works now, with a slight fix to the PXA SSP driver. Link: https://lore.kernel.org/r/20200419171157.672999-16-lkundrak@v3.sk Signed-off-by: Lubomir Rintel Cc: Signed-off-by: Arnd Bergmann commit ec7d12faf81de983efce8ff23f41c5d1bff14c41 Author: Lubomir Rintel Date: Sun Apr 19 19:11:56 2020 +0200 ARM: dts: mmp3: Use the MMP3 compatible string for /clocks Clocks are in fact slightly different on MMP3. In particular, PLL2 is fixed to a different frequency, there's an extra PLL3, and the GPU clocks are configured differently. Link: https://lore.kernel.org/r/20200419171157.672999-15-lkundrak@v3.sk Signed-off-by: Lubomir Rintel Cc: Signed-off-by: Arnd Bergmann commit 8356c379cfba8b1b90b0a2423f6afbbe2cdc5d91 Author: Palmer Dabbelt Date: Thu May 21 13:28:26 2020 -0700 RISC-V: gp_in_global needs register keyword The Intel kernel build robot recently pointed out that I missed the register keyword on this one when I refactored the code to remove local register variables (which aren't supported by LLVM). GCC's manual indicates that global register variables must have the register keyword, As far as I can tell lacking the register keyword causes GCC to ignore the __asm__ and treat this as a regular variable, but I'm not sure how that didn't show up as some sort of failure. Fixes: 52e7c52d2ded ("RISC-V: Stop relying on GCC's register allocator's hueristics") Signed-off-by: Palmer Dabbelt commit d2f8825ab78e4c18686f3e1a756a30255bb00bf3 Merge: cedd54f71336 1b0be99f1a42 Author: Linus Torvalds Date: Thu May 21 12:59:29 2020 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "Fix a couple of build warnings" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vhost: missing __user tags vdpasim: remove unused variable 'ret' commit cedd54f713368d32c902befc3714b91afdec1084 Merge: 57f1b0cf2de8 3a5fd0dbd878 Author: Linus Torvalds Date: Thu May 21 12:07:25 2020 -0700 Merge tag 'dmaengine-fix-5.7-rc7' of git://git.infradead.org/users/vkoul/slave-dma Pull dmaengine fixes from Vinod Koul: "Some driver fixes: - dmatest restoration of defaults - tegra210-adma probe handling fix - k3-udma flags fixed for slave_sg and memcpy - list fix for zynqmp_dma - idxd interrupt completion fix - lock fix for owl" * tag 'dmaengine-fix-5.7-rc7' of git://git.infradead.org/users/vkoul/slave-dma: dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' dmaengine: ti: k3-udma: Fix TR mode flags for slave_sg and memcpy dmaengine: zynqmp_dma: Move list_del inside zynqmp_dma_free_descriptor. dmaengine: dmatest: Restore default for channel dmaengine: idxd: fix interrupt completion after unmasking dmaengine: owl: Use correct lock in owl_dma_get_pchan() commit 57f1b0cf2de82644efcc5e30f5054eae12329bbc Merge: b85051e755b0 959f75845129 Author: Linus Torvalds Date: Thu May 21 11:37:20 2020 -0700 Merge tag 'fiemap-regression-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 Pull ext4 fixes from Ted Ts'o: "Fix regression in ext4's FIEMAP handling introduced in v5.7-rc1" * tag 'fiemap-regression-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4: ext4: fix fiemap size checks for bitmap files ext4: fix EXT4_MAX_LOGICAL_BLOCK macro commit 1592cd15eec6e2952453f9a82da6e8a53e2b8db5 Author: Chaitanya Kulkarni Date: Wed May 20 16:01:52 2020 -0700 null_blk: don't allow discard for zoned mode Zoned block device specification do not define the behavior of discard/trim command as this command is generally replaced by the reset write pointer (zone reset) command. Emulate this in null_blk by making zoned and discard options mutually exclusive. Suggested-by: Damien Le Moal Signed-off-by: Chaitanya Kulkarni Signed-off-by: Jens Axboe commit e274832590211c4b1b1e807ca66fad8b5bb8b328 Author: Chaitanya Kulkarni Date: Wed May 20 16:01:51 2020 -0700 null_blk: return error for invalid zone size In null_init_zone_dev() check if the zone size is larger than device capacity, return error if needed. This also fixes the following oops :- null_blk: changed the number of conventional zones to 4294967295 BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 7d76c5067 P4D 7d76c5067 PUD 7d240c067 PMD 0 Oops: 0002 [#1] SMP NOPTI CPU: 4 PID: 5508 Comm: nullbtests.sh Tainted: G OE 5.7.0-rc4lblk-fnext0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e4 RIP: 0010:null_init_zoned_dev+0x17a/0x27f [null_blk] RSP: 0018:ffffc90007007e00 EFLAGS: 00010246 RAX: 0000000000000020 RBX: ffff8887fb3f3c00 RCX: 0000000000000007 RDX: 0000000000000000 RSI: ffff8887ca09d688 RDI: ffff888810fea510 RBP: 0000000000000010 R08: ffff8887ca09d688 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8887c26e8000 R13: ffffffffa05e9390 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fcb5256f740(0000) GS:ffff888810e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000081e8fe000 CR4: 00000000003406e0 Call Trace: null_add_dev+0x534/0x71b [null_blk] nullb_device_power_store.cold.41+0x8/0x2e [null_blk] configfs_write_file+0xe6/0x150 vfs_write+0xba/0x1e0 ksys_write+0x5f/0xe0 do_syscall_64+0x60/0x250 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x7fcb51c71840 Signed-off-by: Chaitanya Kulkarni Signed-off-by: Jens Axboe commit 8659a0e0efdd975c73355dbc033f79ba3b31e82c Author: Michael Ellerman Date: Wed May 20 23:36:05 2020 +1000 powerpc/64s: Disable STRICT_KERNEL_RWX Several strange crashes have been eventually traced back to STRICT_KERNEL_RWX and its interaction with code patching. Various paths in our ftrace, kprobes and other patching code need to be hardened against patching failures, otherwise we can end up running with partially/incorrectly patched ftrace paths, kprobes or jump labels, which can then cause strange crashes. Although fixes for those are in development, they're not -rc material. There also seem to be problems with the underlying strict RWX logic, which needs further debugging. So for now disable STRICT_KERNEL_RWX on 64-bit to prevent people from enabling the option and tripping over the bugs. Fixes: 1e0fc9d1eb2b ("powerpc/Kconfig: Enable STRICT_KERNEL_RWX for some configs") Cc: stable@vger.kernel.org # v4.13+ Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200520133605.972649-1-mpe@ellerman.id.au commit 4ef12f7198023c09ad6d25b652bd8748c965c7fa Author: Heikki Krogerus Date: Wed May 13 18:18:40 2020 +0300 kobject: Make sure the parent does not get released before its children In the function kobject_cleanup(), kobject_del(kobj) is called before the kobj->release(). That makes it possible to release the parent of the kobject before the kobject itself. To fix that, adding function __kboject_del() that does everything that kobject_del() does except release the parent reference. kobject_cleanup() then calls __kobject_del() instead of kobject_del(), and separately decrements the reference count of the parent kobject after kobj->release() has been called. Reported-by: Naresh Kamboju Reported-by: kernel test robot Fixes: 7589238a8cf3 ("Revert "software node: Simplify software_node_release() function"") Suggested-by: "Rafael J. Wysocki" Signed-off-by: Heikki Krogerus Reviewed-by: Rafael J. Wysocki Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Acked-by: Randy Dunlap Link: https://lore.kernel.org/r/20200513151840.36400-1-heikki.krogerus@linux.intel.com Cc: stable Signed-off-by: Greg Kroah-Hartman commit 44e960490ddf868fc9135151c4a658936e771dc2 Author: Saravana Kannan Date: Tue May 19 21:36:26 2020 -0700 driver core: Fix handling of SYNC_STATE_ONLY + STATELESS device links Commit 21c27f06587d ("driver core: Fix SYNC_STATE_ONLY device link implementation") didn't completely fix STATELESS + SYNC_STATE_ONLY handling. What looks like an optimization in that commit is actually a bug that causes an if condition to always take the else path. This prevents reordering of devices in the dpm_list when a DL_FLAG_STATELESS device link is create on top of an existing DL_FLAG_SYNC_STATE_ONLY device link. Fixes: 21c27f06587d ("driver core: Fix SYNC_STATE_ONLY device link implementation") Signed-off-by: Saravana Kannan Cc: stable Reviewed-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/20200520043626.181820-1-saravanak@google.com Signed-off-by: Greg Kroah-Hartman commit d69100b8eee27c2d60ee52df76e0b80a8d492d34 Author: Stephen Worley Date: Tue May 19 21:57:12 2020 -0400 net: nlmsg_cancel() if put fails for nhmsg Fixes data remnant seen when we fail to reserve space for a nexthop group during a larger dump. If we fail the reservation, we goto nla_put_failure and cancel the message. Reproduce with the following iproute2 commands: ===================== ip link add dummy1 type dummy ip link add dummy2 type dummy ip link add dummy3 type dummy ip link add dummy4 type dummy ip link add dummy5 type dummy ip link add dummy6 type dummy ip link add dummy7 type dummy ip link add dummy8 type dummy ip link add dummy9 type dummy ip link add dummy10 type dummy ip link add dummy11 type dummy ip link add dummy12 type dummy ip link add dummy13 type dummy ip link add dummy14 type dummy ip link add dummy15 type dummy ip link add dummy16 type dummy ip link add dummy17 type dummy ip link add dummy18 type dummy ip link add dummy19 type dummy ip link add dummy20 type dummy ip link add dummy21 type dummy ip link add dummy22 type dummy ip link add dummy23 type dummy ip link add dummy24 type dummy ip link add dummy25 type dummy ip link add dummy26 type dummy ip link add dummy27 type dummy ip link add dummy28 type dummy ip link add dummy29 type dummy ip link add dummy30 type dummy ip link add dummy31 type dummy ip link add dummy32 type dummy ip link set dummy1 up ip link set dummy2 up ip link set dummy3 up ip link set dummy4 up ip link set dummy5 up ip link set dummy6 up ip link set dummy7 up ip link set dummy8 up ip link set dummy9 up ip link set dummy10 up ip link set dummy11 up ip link set dummy12 up ip link set dummy13 up ip link set dummy14 up ip link set dummy15 up ip link set dummy16 up ip link set dummy17 up ip link set dummy18 up ip link set dummy19 up ip link set dummy20 up ip link set dummy21 up ip link set dummy22 up ip link set dummy23 up ip link set dummy24 up ip link set dummy25 up ip link set dummy26 up ip link set dummy27 up ip link set dummy28 up ip link set dummy29 up ip link set dummy30 up ip link set dummy31 up ip link set dummy32 up ip link set dummy33 up ip link set dummy34 up ip link set vrf-red up ip link set vrf-blue up ip link set dummyVRFred up ip link set dummyVRFblue up ip ro add 1.1.1.1/32 dev dummy1 ip ro add 1.1.1.2/32 dev dummy2 ip ro add 1.1.1.3/32 dev dummy3 ip ro add 1.1.1.4/32 dev dummy4 ip ro add 1.1.1.5/32 dev dummy5 ip ro add 1.1.1.6/32 dev dummy6 ip ro add 1.1.1.7/32 dev dummy7 ip ro add 1.1.1.8/32 dev dummy8 ip ro add 1.1.1.9/32 dev dummy9 ip ro add 1.1.1.10/32 dev dummy10 ip ro add 1.1.1.11/32 dev dummy11 ip ro add 1.1.1.12/32 dev dummy12 ip ro add 1.1.1.13/32 dev dummy13 ip ro add 1.1.1.14/32 dev dummy14 ip ro add 1.1.1.15/32 dev dummy15 ip ro add 1.1.1.16/32 dev dummy16 ip ro add 1.1.1.17/32 dev dummy17 ip ro add 1.1.1.18/32 dev dummy18 ip ro add 1.1.1.19/32 dev dummy19 ip ro add 1.1.1.20/32 dev dummy20 ip ro add 1.1.1.21/32 dev dummy21 ip ro add 1.1.1.22/32 dev dummy22 ip ro add 1.1.1.23/32 dev dummy23 ip ro add 1.1.1.24/32 dev dummy24 ip ro add 1.1.1.25/32 dev dummy25 ip ro add 1.1.1.26/32 dev dummy26 ip ro add 1.1.1.27/32 dev dummy27 ip ro add 1.1.1.28/32 dev dummy28 ip ro add 1.1.1.29/32 dev dummy29 ip ro add 1.1.1.30/32 dev dummy30 ip ro add 1.1.1.31/32 dev dummy31 ip ro add 1.1.1.32/32 dev dummy32 ip next add id 1 via 1.1.1.1 dev dummy1 ip next add id 2 via 1.1.1.2 dev dummy2 ip next add id 3 via 1.1.1.3 dev dummy3 ip next add id 4 via 1.1.1.4 dev dummy4 ip next add id 5 via 1.1.1.5 dev dummy5 ip next add id 6 via 1.1.1.6 dev dummy6 ip next add id 7 via 1.1.1.7 dev dummy7 ip next add id 8 via 1.1.1.8 dev dummy8 ip next add id 9 via 1.1.1.9 dev dummy9 ip next add id 10 via 1.1.1.10 dev dummy10 ip next add id 11 via 1.1.1.11 dev dummy11 ip next add id 12 via 1.1.1.12 dev dummy12 ip next add id 13 via 1.1.1.13 dev dummy13 ip next add id 14 via 1.1.1.14 dev dummy14 ip next add id 15 via 1.1.1.15 dev dummy15 ip next add id 16 via 1.1.1.16 dev dummy16 ip next add id 17 via 1.1.1.17 dev dummy17 ip next add id 18 via 1.1.1.18 dev dummy18 ip next add id 19 via 1.1.1.19 dev dummy19 ip next add id 20 via 1.1.1.20 dev dummy20 ip next add id 21 via 1.1.1.21 dev dummy21 ip next add id 22 via 1.1.1.22 dev dummy22 ip next add id 23 via 1.1.1.23 dev dummy23 ip next add id 24 via 1.1.1.24 dev dummy24 ip next add id 25 via 1.1.1.25 dev dummy25 ip next add id 26 via 1.1.1.26 dev dummy26 ip next add id 27 via 1.1.1.27 dev dummy27 ip next add id 28 via 1.1.1.28 dev dummy28 ip next add id 29 via 1.1.1.29 dev dummy29 ip next add id 30 via 1.1.1.30 dev dummy30 ip next add id 31 via 1.1.1.31 dev dummy31 ip next add id 32 via 1.1.1.32 dev dummy32 i=100 while [ $i -le 200 ] do ip next add id $i group 1/2/3/4/5/6/7/8/9/10/11/12/13/14/15/16/17/18/19 echo $i ((i++)) done ip next add id 999 group 1/2/3/4/5/6 ip next ls ======================== Fixes: ab84be7e54fc ("net: Initial nexthop code") Signed-off-by: Stephen Worley Reviewed-by: David Ahern Signed-off-by: David S. Miller commit 687775cec056b38a4c8f3291e0dd7a9145f7b667 Author: Eric Dumazet Date: Tue May 19 18:24:43 2020 -0700 ax25: fix setsockopt(SO_BINDTODEVICE) syzbot was able to trigger this trace [1], probably by using a zero optlen. While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ. [1] BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569 CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 strnlen+0xf9/0x170 lib/string.c:569 dev_name_hash net/core/dev.c:207 [inline] netdev_name_node_lookup net/core/dev.c:277 [inline] __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778 ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654 __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403 __do_compat_sys_setsockopt net/compat.c:413 [inline] __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410 __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410 do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline] do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398 entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139 RIP: 0023:0xf7f57dd9 Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101 RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004 RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Local variable ----devname@ax25_setsockopt created at: ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller commit 53cb09953c6ab2ab03c9e667ff8e35e87d605812 Merge: 20a785aa52c8 a9e90d9931f3 Author: David S. Miller Date: Wed May 20 20:55:09 2020 -0700 Merge branch 'wireguard-fixes' Jason A. Donenfeld says: ==================== wireguard fixes for 5.7-rc7 Hopefully these are the last fixes for 5.7: 1) A trivial bump in the selftest harness to support gcc-10. build.wireguard.com is still on gcc-9 but I'll probably switch to gcc-10 in the coming weeks. 2) A concurrency fix regarding userspace modifying the pre-shared key at the same time as packets are being processed, reported by Matt Dunwoodie. 3) We were previously clearing skb->hash on egress, which broke fq_codel, cake, and other things that actually make use of the flow hash for queueing, reported by Dave Taht and Toke Høiland-Jørgensen. 4) A fix for the increased memory usage caused by (3). This can be thought of as part of patch (3), but because of the separate reasoning and breadth of it I thought made it a bit cleaner to put in a standalone commit. Fixes (2), (3), and (4) are -stable material. ==================== Signed-off-by: David S. Miller commit a9e90d9931f3a474f04bab782ccd9d77904941e9 Author: Jason A. Donenfeld Date: Tue May 19 22:49:30 2020 -0600 wireguard: noise: separate receive counter from send counter In "wireguard: queueing: preserve flow hash across packet scrubbing", we were required to slightly increase the size of the receive replay counter to something still fairly small, but an increase nonetheless. It turns out that we can recoup some of the additional memory overhead by splitting up the prior union type into two distinct types. Before, we used the same "noise_counter" union for both sending and receiving, with sending just using a simple atomic64_t, while receiving used the full replay counter checker. This meant that most of the memory being allocated for the sending counter was being wasted. Since the old "noise_counter" type increased in size in the prior commit, now is a good time to split up that union type into a distinct "noise_replay_ counter" for receiving and a boring atomic64_t for sending, each using neither more nor less memory than required. Also, since sometimes the replay counter is accessed without necessitating additional accesses to the bitmap, we can reduce cache misses by hoisting the always-necessary lock above the bitmap in the struct layout. We also change a "noise_replay_counter" stack allocation to kmalloc in a -DDEBUG selftest so that KASAN doesn't trigger a stack frame warning. All and all, removing a bit of abstraction in this commit makes the code simpler and smaller, in addition to the motivating memory usage recuperation. For example, passing around raw "noise_symmetric_key" structs is something that really only makes sense within noise.c, in the one place where the sending and receiving keys can safely be thought of as the same type of object; subsequent to that, it's important that we uniformly access these through keypair->{sending,receiving}, where their distinct roles are always made explicit. So this patch allows us to draw that distinction clearly as well. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit c78a0b4a78839d572d8a80f6a62221c0d7843135 Author: Jason A. Donenfeld Date: Tue May 19 22:49:29 2020 -0600 wireguard: queueing: preserve flow hash across packet scrubbing It's important that we clear most header fields during encapsulation and decapsulation, because the packet is substantially changed, and we don't want any info leak or logic bug due to an accidental correlation. But, for encapsulation, it's wrong to clear skb->hash, since it's used by fq_codel and flow dissection in general. Without it, classification does not proceed as usual. This change might make it easier to estimate the number of innerflows by examining clustering of out of order packets, but this shouldn't open up anything that can't already be inferred otherwise (e.g. syn packet size inference), and fq_codel can be disabled anyway. Furthermore, it might be the case that the hash isn't used or queried at all until after wireguard transmits the encrypted UDP packet, which means skb->hash might still be zero at this point, and thus no hash taken over the inner packet data. In order to address this situation, we force a calculation of skb->hash before encrypting packet data. Of course this means that fq_codel might transmit packets slightly more out of order than usual. Toke did some testing on beefy machines with high quantities of parallel flows and found that increasing the reply-attack counter to 8192 takes care of the most pathological cases pretty well. Reported-by: Dave Taht Reviewed-and-tested-by: Toke Høiland-Jørgensen Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit bc67d371256f5c47d824e2eec51e46c8d62d022e Author: Jason A. Donenfeld Date: Tue May 19 22:49:28 2020 -0600 wireguard: noise: read preshared key while taking lock Prior we read the preshared key after dropping the handshake lock, which isn't an actual crypto issue if it races, but it's still not quite correct. So copy that part of the state into a temporary like we do with the rest of the handshake state variables. Then we can release the lock, operate on the temporary, and zero it out at the end of the function. In performance tests, the impact of this was entirely unnoticable, probably because those bytes are coming from the same cacheline as other things that are being copied out in the same manner. Reported-by: Matt Dunwoodie Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit ee3c1aa3f34b7842c1557cfe5d8c3f7b8c692de8 Author: Jason A. Donenfeld Date: Tue May 19 22:49:27 2020 -0600 wireguard: selftests: use newer iproute2 for gcc-10 gcc-10 switched to defaulting to -fno-common, which broke iproute2-5.4. This was fixed in iproute-5.6, so switch to that. Because we're after a stable testing surface, we generally don't like to bump these unnecessarily, but in this case, being able to actually build is a basic necessity. Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit dfeb376dd4cb2c5004aeb625e2475f58a5ff2ea7 Author: Andrii Nakryiko Date: Mon May 18 22:38:24 2020 -0700 bpf: Prevent mmap()'ing read-only maps as writable As discussed in [0], it's dangerous to allow mapping BPF map, that's meant to be frozen and is read-only on BPF program side, because that allows user-space to actually store a writable view to the page even after it is frozen. This is exacerbated by BPF verifier making a strong assumption that contents of such frozen map will remain unchanged. To prevent this, disallow mapping BPF_F_RDONLY_PROG mmap()'able BPF maps as writable, ever. [0] https://lore.kernel.org/bpf/CAEf4BzYGWYhXdp6BJ7_=9OQPJxQpgug080MMjdSB72i9R+5c6g@mail.gmail.com/ Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Suggested-by: Jann Horn Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Reviewed-by: Jann Horn Link: https://lore.kernel.org/bpf/20200519053824.1089415-1-andriin@fb.com commit 0550cfe8c2c6f8e7a4c348b6603a794576db12dd Author: KP Singh Date: Wed May 20 14:56:16 2020 +0200 security: Fix hook iteration for secid_to_secctx secid_to_secctx is not stackable, and since the BPF LSM registers this hook by default, the call_int_hook logic is not suitable which "bails-on-fail" and casues issues when other LSMs register this hook and eventually breaks Audit. In order to fix this, directly iterate over the security hooks instead of using call_int_hook as suggested in: https: //lore.kernel.org/bpf/9d0eb6c6-803a-ff3a-5603-9ad6d9edfc00@schaufler-ca.com/#t Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") Fixes: 625236ba3832 ("security: Fix the default value of secid_to_secctx hook") Reported-by: Alexei Starovoitov Signed-off-by: KP Singh Signed-off-by: Alexei Starovoitov Acked-by: James Morris Link: https://lore.kernel.org/bpf/20200520125616.193765-1-kpsingh@chromium.org commit be0ec060b54f0481fb95d59086c1484a949c903c Author: Hamish Martin Date: Wed May 20 16:30:42 2020 +1200 ARM: dts: bcm: HR2: Fix PPI interrupt types These error messages are output when booting on a BCM HR2 system: GIC: PPI11 is secure or misconfigured GIC: PPI13 is secure or misconfigured Per ARM documentation these interrupts are triggered on a rising edge. See ARM Cortex A-9 MPCore Technical Reference Manual, Revision r4p1, Section 3.3.8 Interrupt Configuration Registers. The same issue was resolved for NSP systems in commit 5f1aa51c7a1e ("ARM: dts: NSP: Fix PPI interrupt types"). Fixes: b9099ec754b5 ("ARM: dts: Add Broadcom Hurricane 2 DTS include file") Signed-off-by: Hamish Martin Signed-off-by: Florian Fainelli commit 58bb90ab415562eededb932455046924e65df342 Author: Vincent Stehlé Date: Sat Apr 18 14:35:22 2020 +0200 ARM: dts: bcm2835-rpi-zero-w: Fix led polarity The status "ACT" led on the Raspberry Pi Zero W is on when GPIO 47 is low. This has been verified on a board and somewhat confirmed by both the GPIO name ("STATUS_LED_N") and the reduced schematics [1]. [1]: https://www.raspberrypi.org/documentation/hardware/raspberrypi/schematics/rpi_SCH_ZeroW_1p1_reduced.pdf Fixes: 2c7c040c73e9 ("ARM: dts: bcm2835: Add Raspberry Pi Zero W") Signed-off-by: Vincent Stehlé Cc: Stefan Wahren Cc: Florian Fainelli Tested-by: Stefan Wahren Signed-off-by: Florian Fainelli commit 8fa3cdff05f009855a6a99a7d77a41004009bbab Author: Kefeng Wang Date: Thu May 14 19:53:35 2020 +0800 riscv: Fix print_vm_layout build error if NOMMU arch/riscv/mm/init.c: In function ‘print_vm_layout’: arch/riscv/mm/init.c:68:37: error: ‘FIXADDR_START’ undeclared (first use in this function); arch/riscv/mm/init.c:69:20: error: ‘FIXADDR_TOP’ undeclared arch/riscv/mm/init.c:70:37: error: ‘PCI_IO_START’ undeclared arch/riscv/mm/init.c:71:20: error: ‘PCI_IO_END’ undeclared arch/riscv/mm/init.c:72:38: error: ‘VMEMMAP_START’ undeclared arch/riscv/mm/init.c:73:20: error: ‘VMEMMAP_END’ undeclared (first use in this function); Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 31ecebee9c36d5e5e113a357a655d993fa916174 Author: Nicholas Kazlauskas Date: Mon May 4 16:49:28 2020 -0400 drm/amd/display: Defer cursor lock until after VUPDATE [Why] We dropped the delay after changed the cursor functions locking the entire pipe to locking just the CURSOR registers to fix page flip stuttering - this introduced cursor stuttering instead, and an underflow issue. The cursor update can be delayed indefinitely if the cursor update repeatedly happens right around VUPDATE. The underflow issue can happen if we do a viewport update on a pipe on the same frame where a cursor update happens around VUPDATE - the old cursor registers are retained which can be in an invalid position. This can cause a pipe hang and indefinite underflow. [How] The complex, ideal solution to the problem would be a software triple buffering mechanism from the DM layer to program only one cursor update per frame just before VUPDATE. The simple workaround until we have that infrastructure in place is this change - bring back the delay until VUPDATE before locking, but with some corrections to the calculations. This didn't work for all timings before because the calculation for VUPDATE was wrong - it was using the offset from VSTARTUP instead and didn't correctly handle the case where VUPDATE could be in the back porch. Add a new hardware sequencer function to use the existing helper to calculate the real VUPDATE start and VUPDATE end - VUPDATE can last multiple lines after all. Change the udelay to incorporate the width of VUPDATE as well. Signed-off-by: Nicholas Kazlauskas Reviewed-by: Aric Cyr Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher commit 5aa82e35cacfdff7278b7eeffd9575e9c386289e Author: Rodrigo Siqueira Date: Fri Apr 24 09:53:07 2020 -0400 drm/amd/display: Remove dml_common_def file During the rework for removing the FPU issues, I found the following warning: [..] dml_common_defs.o: warning: objtool: dml_round()+0x9: FPU instruction outside of kernel_fpu_{begin,end}() This file has a single function that does not need to be in a specific file. This commit drop dml_common_defs file, and move dml_round function to dml_inline_defs. CC: Christian König CC: Alexander Deucher CC: Peter Zijlstra CC: Tony Cheng CC: Harry Wentland Signed-off-by: Rodrigo Siqueira Reviewed-by: Dmytro Laktyushkin Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher commit b6ef55ccba7ed00fc10e3e6f619c8f886162427f Author: Vladimir Stempen Date: Tue Apr 28 13:04:35 2020 -0400 drm/amd/display: DP training to set properly SCRAMBLING_DISABLE [Why] DP training sequence to set SCRAMBLING_DISABLE bit properly based on training pattern - per DP Spec. [How] Update dpcd_pattern.v1_4.SCRAMBLING_DISABLE with 1 for TPS1, TPS2, TPS3, but not for TPS4. Signed-off-by: Vladimir Stempen Reviewed-by: Wenjing Liu Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher commit b85051e755b0e9d6dd8f17ef1da083851b83287d Merge: fea371e259eb f3a6a6c5e0f5 Author: Linus Torvalds Date: Wed May 20 13:23:55 2020 -0700 Merge tag 'fixes-for-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux Pull MTD fixes from Richard Weinberger: - Fix a PM regression in brcmnand driver - Propagate ECC information correctly on SPI-NAND - Make sure no MTD name is used multiple time in nvmem * tag 'fixes-for-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd:rawnand: brcmnand: Fix PM resume crash mtd: Fix mtd not registered due to nvmem name collision mtd: spinand: Propagate ECC information to the MTD structure commit fea371e259ebcc85d2d51a036743189bee487289 Merge: d303402c2883 0e7572cffe44 Author: Linus Torvalds Date: Wed May 20 13:07:01 2020 -0700 Merge tag 'for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs Pull UBI and UBIFS fixes from Richard Weinberger: - Correctly set next cursor for detailed_erase_block_info debugfs file - Don't use crypto_shash_descsize() for digest size in UBIFS - Remove broken lazytime support from UBIFS * tag 'for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs: ubi: Fix seq_file usage in detailed_erase_block_info debugfs file ubifs: fix wrong use of crypto_shash_descsize() ubifs: remove broken lazytime support commit d303402c288340f9094fa0ba697600335a41bc3e Merge: 2ea1940b84e5 2e27d33d22af Author: Linus Torvalds Date: Wed May 20 12:56:21 2020 -0700 Merge tag 'for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml Pull UML fixes from Richard Weinberger: - Two missing includes which caused build issues on recent systems - Correctly set TRANS_GRE_LEN in our vector network driver * tag 'for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: um: Fix typo in vector driver transport option definition um: syscall.c: include um: Fix xor.h include commit 2ea1940b84e55420a9e8feddcafd173edfe4df11 Merge: 8e2b7f634a85 607b9df63057 Author: Linus Torvalds Date: Wed May 20 11:33:30 2020 -0700 Merge tag 'pm-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "This makes a recently introduced suspend-to-idle wakeup issue on Dell XPS13 9360 go away" * tag 'pm-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive commit 8e2b7f634a851fb711a7e693e00905fc6c05b74b Merge: 566d136289dc 9aafc1b01873 Author: Linus Torvalds Date: Wed May 20 11:28:35 2020 -0700 Merge tag 'ovl-fixes-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs Pull overlayfs fixes from Miklos Szeredi: "Fix two bugs introduced in this cycle and one introduced in v5.5" * tag 'ovl-fixes-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: ovl: potential crash in ovl_fid_to_fh() ovl: clear ATTR_OPEN from attr->ia_valid ovl: clear ATTR_FILE from attr->ia_valid commit 566d136289dc57816ac290de87a9a0f7d9bd3cbb Author: Tetsuo Handa Date: Wed May 20 08:51:59 2020 +0900 pipe: Fix pipe_full() test in opipe_prep(). syzbot is reporting that splice()ing from non-empty read side to already-full write side causes unkillable task, for opipe_prep() is by error not inverting pipe_full() test. CPU: 0 PID: 9460 Comm: syz-executor.5 Not tainted 5.6.0-rc3-next-20200228-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:rol32 include/linux/bitops.h:105 [inline] RIP: 0010:iterate_chain_key kernel/locking/lockdep.c:369 [inline] RIP: 0010:__lock_acquire+0x6a3/0x5270 kernel/locking/lockdep.c:4178 Call Trace: lock_acquire+0x197/0x420 kernel/locking/lockdep.c:4720 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x156/0x13c0 kernel/locking/mutex.c:1103 pipe_lock_nested fs/pipe.c:66 [inline] pipe_double_lock+0x1a0/0x1e0 fs/pipe.c:104 splice_pipe_to_pipe fs/splice.c:1562 [inline] do_splice+0x35f/0x1520 fs/splice.c:1141 __do_sys_splice fs/splice.c:1447 [inline] __se_sys_splice fs/splice.c:1427 [inline] __x64_sys_splice+0x2b5/0x320 fs/splice.c:1427 do_syscall_64+0xf6/0x790 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xbe Reported-by: syzbot+b48daca8639150bc5e73@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=9386d051e11e09973d5a4cf79af5e8cedf79386d Fixes: 8cefc107ca54c8b0 ("pipe: Use head and tail pointers for the ring, not cursor and length") Cc: stable@vger.kernel.org # 5.5+ Signed-off-by: Tetsuo Handa Signed-off-by: Linus Torvalds commit 441fdee1eaf050ef0040bde0d7af075c1c6a6d8b Author: David Howells Date: Wed Apr 29 23:48:43 2020 +0100 rxrpc: Fix ack discard The Rx protocol has a "previousPacket" field in it that is not handled in the same way by all protocol implementations. Sometimes it contains the serial number of the last DATA packet received, sometimes the sequence number of the last DATA packet received and sometimes the highest sequence number so far received. AF_RXRPC is using this to weed out ACKs that are out of date (it's possible for ACK packets to get reordered on the wire), but this does not work with OpenAFS which will just stick the sequence number of the last packet seen into previousPacket. The issue being seen is that big AFS FS.StoreData RPC (eg. of ~256MiB) are timing out when partly sent. A trace was captured, with an additional tracepoint to show ACKs being discarded in rxrpc_input_ack(). Here's an excerpt showing the problem. 52873.203230: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 0002449c q=00024499 fl=09 A DATA packet with sequence number 00024499 has been transmitted (the "q=" field). ... 52873.243296: rxrpc_rx_ack: c=000004ae 00012a2b DLY r=00024499 f=00024497 p=00024496 n=0 52873.243376: rxrpc_rx_ack: c=000004ae 00012a2c IDL r=0002449b f=00024499 p=00024498 n=0 52873.243383: rxrpc_rx_ack: c=000004ae 00012a2d OOS r=0002449d f=00024499 p=0002449a n=2 The Out-Of-Sequence ACK indicates that the server didn't see DATA sequence number 00024499, but did see seq 0002449a (previousPacket, shown as "p=", skipped the number, but firstPacket, "f=", which shows the bottom of the window is set at that point). 52873.252663: rxrpc_retransmit: c=000004ae q=24499 a=02 xp=14581537 52873.252664: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244bc q=00024499 fl=0b *RETRANS* The packet has been retransmitted. Retransmission recurs until the peer says it got the packet. 52873.271013: rxrpc_rx_ack: c=000004ae 00012a31 OOS r=000244a1 f=00024499 p=0002449e n=6 More OOS ACKs indicate that the other packets that are already in the transmission pipeline are being received. The specific-ACK list is up to 6 ACKs and NAKs. ... 52873.284792: rxrpc_rx_ack: c=000004ae 00012a49 OOS r=000244b9 f=00024499 p=000244b6 n=30 52873.284802: rxrpc_retransmit: c=000004ae q=24499 a=0a xp=63505500 52873.284804: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244c2 q=00024499 fl=0b *RETRANS* 52873.287468: rxrpc_rx_ack: c=000004ae 00012a4a OOS r=000244ba f=00024499 p=000244b7 n=31 52873.287478: rxrpc_rx_ack: c=000004ae 00012a4b OOS r=000244bb f=00024499 p=000244b8 n=32 At this point, the server's receive window is full (n=32) with presumably 1 NAK'd packet and 31 ACK'd packets. We can't transmit any more packets. 52873.287488: rxrpc_retransmit: c=000004ae q=24499 a=0a xp=61327980 52873.287489: rxrpc_tx_data: c=000004ae DATA ed1a3584:00000002 000244c3 q=00024499 fl=0b *RETRANS* 52873.293850: rxrpc_rx_ack: c=000004ae 00012a4c DLY r=000244bc f=000244a0 p=00024499 n=25 And now we've received an ACK indicating that a DATA retransmission was received. 7 packets have been processed (the occupied part of the window moved, as indicated by f= and n=). 52873.293853: rxrpc_rx_discard_ack: c=000004ae r=00012a4c 000244a0<00024499 00024499<000244b8 However, the DLY ACK gets discarded because its previousPacket has gone backwards (from p=000244b8, in the ACK at 52873.287478 to p=00024499 in the ACK at 52873.293850). We then end up in a continuous cycle of retransmit/discard. kafs fails to update its window because it's discarding the ACKs and can't transmit an extra packet that would clear the issue because the window is full. OpenAFS doesn't change the previousPacket value in the ACKs because no new DATA packets are received with a different previousPacket number. Fix this by altering the discard check to only discard an ACK based on previousPacket if there was no advance in the firstPacket. This allows us to transmit a new packet which will cause previousPacket to advance in the next ACK. The check, however, needs to allow for the possibility that previousPacket may actually have had the serial number placed in it instead - in which case it will go outside the window and we should ignore it. Fixes: 1a2391c30c0b ("rxrpc: Fix detection of out of order acks") Reported-by: Dave Botsch Signed-off-by: David Howells commit d1f129470e6cb79b8b97fecd12689f6eb49e27fe Author: David Howells Date: Tue Apr 28 22:06:54 2020 +0100 rxrpc: Trace discarded ACKs Add a tracepoint to track received ACKs that are discarded due to being outside of the Tx window. Signed-off-by: David Howells commit d4ae271dfaae2a5f41c015f2f20d62a1deeec734 Author: Xiaoguang Wang Date: Wed May 20 21:24:35 2020 +0800 io_uring: reset -EBUSY error when io sq thread is waken up In io_sq_thread(), currently if we get an -EBUSY error and go to sleep, we will won't clear it again, which will result in io_sq_thread() will never have a chance to submit sqes again. Below test program test.c can reveal this bug: int main(int argc, char *argv[]) { struct io_uring ring; int i, fd, ret; struct io_uring_sqe *sqe; struct io_uring_cqe *cqe; struct iovec *iovecs; void *buf; struct io_uring_params p; if (argc < 2) { printf("%s: file\n", argv[0]); return 1; } memset(&p, 0, sizeof(p)); p.flags = IORING_SETUP_SQPOLL; ret = io_uring_queue_init_params(4, &ring, &p); if (ret < 0) { fprintf(stderr, "queue_init: %s\n", strerror(-ret)); return 1; } fd = open(argv[1], O_RDONLY | O_DIRECT); if (fd < 0) { perror("open"); return 1; } iovecs = calloc(10, sizeof(struct iovec)); for (i = 0; i < 10; i++) { if (posix_memalign(&buf, 4096, 4096)) return 1; iovecs[i].iov_base = buf; iovecs[i].iov_len = 4096; } ret = io_uring_register_files(&ring, &fd, 1); if (ret < 0) { fprintf(stderr, "%s: register %d\n", __FUNCTION__, ret); return ret; } for (i = 0; i < 10; i++) { sqe = io_uring_get_sqe(&ring); if (!sqe) break; io_uring_prep_readv(sqe, 0, &iovecs[i], 1, 0); sqe->flags |= IOSQE_FIXED_FILE; ret = io_uring_submit(&ring); sleep(1); printf("submit %d\n", i); } for (i = 0; i < 10; i++) { io_uring_wait_cqe(&ring, &cqe); printf("receive: %d\n", i); if (cqe->res != 4096) { fprintf(stderr, "ret=%d, wanted 4096\n", cqe->res); ret = 1; } io_uring_cqe_seen(&ring, cqe); } close(fd); io_uring_queue_exit(&ring); return 0; } sudo ./test testfile above command will hang on the tenth request, to fix this bug, when io sq_thread is waken up, we reset the variable 'ret' to be zero. Suggested-by: Jens Axboe Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe commit 40bb0e904212cf7d6f041a98c58c8341b2016670 Author: Christophe Leroy Date: Wed May 20 10:23:45 2020 +0000 Revert "powerpc/32s: reorder Linux PTE bits to better match Hash PTE bits." This reverts commit 697ece78f8f749aeea40f2711389901f0974017a. The implementation of SWAP on powerpc requires page protection bits to not be one of the least significant PTE bits. Until the SWAP implementation is changed and this requirement voids, we have to keep at least _PAGE_RW outside of the 3 last bits. For now, revert to previous PTE bits order. A further rework may come later. Fixes: 697ece78f8f7 ("powerpc/32s: reorder Linux PTE bits to better match Hash PTE bits.") Reported-by: Rui Salvaterra Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/b34706f8de87f84d135abb5f3ede6b6f16fb1f41.1589969799.git.christophe.leroy@csgroup.eu commit 1cf6022bd9161081215028203919c33fcfa6debb Author: Keno Fischer Date: Fri May 15 18:22:53 2020 -0400 arm64: Fix PTRACE_SYSEMU semantics Quoth the man page: ``` If the tracee was restarted by PTRACE_SYSCALL or PTRACE_SYSEMU, the tracee enters syscall-enter-stop just prior to entering any system call (which will not be executed if the restart was using PTRACE_SYSEMU, regardless of any change made to registers at this point or how the tracee is restarted after this stop). ``` The parenthetical comment is currently true on x86 and powerpc, but not currently true on arm64. arm64 re-checks the _TIF_SYSCALL_EMU flag after the syscall entry ptrace stop. However, at this point, it reflects which method was used to re-start the syscall at the entry stop, rather than the method that was used to reach it. Fix that by recording the original flag before performing the ptrace stop, bringing the behavior in line with documentation and x86/powerpc. Fixes: f086f67485c5 ("arm64: ptrace: add support for syscall emulation") Cc: # 5.3.x- Signed-off-by: Keno Fischer Acked-by: Will Deacon Tested-by: Sudeep Holla Tested-by: Bin Lu [catalin.marinas@arm.com: moved 'flags' bit masking] [catalin.marinas@arm.com: changed 'flags' type to unsigned long] Signed-off-by: Catalin Marinas commit 4c1cbcbd6c56c79de2c07159be4f55386bb0bef2 Author: Gerald Schaefer Date: Wed May 6 13:45:52 2020 +0200 s390/kaslr: add support for R_390_JMP_SLOT relocation type With certain kernel configurations, the R_390_JMP_SLOT relocation type might be generated, which is not expected by the KASLR relocation code, and the kernel stops with the message "Unknown relocation type". This was found with a zfcpdump kernel config, where CONFIG_MODULES=n and CONFIG_VFIO=n. In that case, symbol_get() is used on undefined __weak symbols in virt/kvm/vfio.c, which results in the generation of R_390_JMP_SLOT relocation types. Fix this by handling R_390_JMP_SLOT similar to R_390_GLOB_DAT. Fixes: 805bc0bc238f ("s390/kernel: build a relocatable kernel") Cc: # v5.2+ Signed-off-by: Gerald Schaefer Reviewed-by: Philipp Rudo Signed-off-by: Vasily Gorbik commit ac8372f3b4e41015549b331a4f350224661e7fc6 Author: Gerald Schaefer Date: Wed May 6 13:04:07 2020 +0200 s390/mm: fix set_huge_pte_at() for empty ptes On s390, the layout of normal and large ptes (i.e. pmds/puds) differs. Therefore, set_huge_pte_at() does a conversion from a normal pte to the corresponding large pmd/pud. So, when converting an empty pte, this should result in an empty pmd/pud, which would return true for pmd/pud_none(). However, after conversion we also mark the pmd/pud as large, and therefore present. For empty ptes, this will result in an empty pmd/pud that is also marked as large, and pmd/pud_none() would not return true. There is currently no issue with this behaviour, as set_huge_pte_at() does not seem to be called for empty ptes. It would be valid though, so let's fix this by not marking empty ptes as large in set_huge_pte_at(). This was found by testing a patch from from Anshuman Khandual, which is currently discussed on LKML ("mm/debug: Add more arch page table helper tests"). Signed-off-by: Gerald Schaefer Signed-off-by: Vasily Gorbik commit b532576ed39efe3b351ae8320b2ab67a4c4c3719 Author: Jens Axboe Date: Tue May 19 21:20:27 2020 -0600 io_uring: don't add non-IO requests to iopoll pending list We normally disable any commands that aren't specifically poll commands for a ring that is setup for polling, but we do allow buffer provide and remove commands to support buffer selection for polled IO. Once a request is issued, we add it to the poll list to poll for completion. But we should not do that for non-IO commands, as those request complete inline immediately and aren't pollable. If we do, we can leave requests on the iopoll list after they are freed. Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") Signed-off-by: Jens Axboe commit 5a3f610877e9d08968ea7237551049581f02b163 Author: Jan Schmidt Date: Fri May 8 04:06:28 2020 +1000 drm/edid: Add Oculus Rift S to non-desktop list Add a quirk for the Oculus Rift S OVR0012 display so it shows up as a non-desktop display. Signed-off-by: Jan Schmidt Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20200507180628.740936-1-jan@centricular.com commit 665e7c73a7724a393b4ec92d1ae1e029925ef2b7 Author: Robert Beckett Date: Thu May 14 19:02:37 2020 +0200 ARM: dts/imx6q-bx50v3: Set display interface clock parents Avoid LDB and IPU DI clocks both using the same parent. LDB requires pasthrough clock to avoid breaking timing while IPU DI does not. Force IPU DI clocks to use IMX6QDL_CLK_PLL2_PFD0_352M as parent and LDB to use IMX6QDL_CLK_PLL5_VIDEO_DIV. This fixes an issue where attempting atomic modeset while using HDMI and display port at the same time causes LDB clock programming to destroy the programming of HDMI that was done during the same modeset. Cc: stable@vger.kernel.org Signed-off-by: Robert Beckett [Use IMX6QDL_CLK_PLL2_PFD0_352M instead of IMX6QDL_CLK_PLL2_PFD2_396M originally chosen by Robert Beckett to avoid affecting eMMC clock by DRM atomic updates] Signed-off-by: Ian Ray [Squash Robert's and Ian's commits for bisectability, update patch description and add stable tag] Signed-off-by: Sebastian Reichel Signed-off-by: Shawn Guo commit 7b5b38010f4e2cd6387fcd97f704c3ad0ea6aeae Merge: b9bbe6ed63b2 80542002ccd4 Author: Dave Airlie Date: Wed May 20 12:47:03 2020 +1000 Merge branch 'vmwgfx-fixes-5.7' of git://people.freedesktop.org/~sroland/linux into drm-fixes vmwgfx: - change maintainers - fix redundant assignment - fix parameter name - fix return value Signed-off-by: Dave Airlie From: "Roland Scheidegger (VMware)" Link: https://patchwork.freedesktop.org/patch/msgid/20200516050433.7298-1-rscheidegger.oss@gmail.com commit a35cd6447effd5c239b564c80fa109d05ff3d114 Author: Kaike Wan Date: Mon May 11 23:13:28 2020 -0400 IB/qib: Call kobject_put() when kobject_init_and_add() fails When kobject_init_and_add() returns an error in the function qib_create_port_files(), the function kobject_put() is not called for the corresponding kobject, which potentially leads to memory leak. This patch fixes the issue by calling kobject_put() even if kobject_init_and_add() fails. In addition, the ppd->diagc_kobj is released along with other kobjects when the sysfs is unregistered. Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters") Link: https://lore.kernel.org/r/20200512031328.189865.48627.stgit@awfm-01.aw.intel.com Cc: Suggested-by: Lin Yi Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 115a54162a6c0d0ef2aef25ebd0b61fc5e179ebe Merge: 3c9e66568ad4 4e89b7210403 Author: Linus Torvalds Date: Tue May 19 16:33:26 2020 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs fix from Al Viro: "Stable fodder fix: copy_fdtable() would get screwed on 64bit boxen with sysctl_nr_open raised to 512M or higher, which became possible since 2.6.25. Nobody sane would set the things up that way, but..." * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: fix multiplication overflow in copy_fdtable() commit 20a785aa52c82246055a089e55df9dac47d67da1 Author: Neil Horman Date: Tue May 19 16:04:05 2020 -0400 sctp: Don't add the shutdown timer if its already been added This BUG halt was reported a while back, but the patch somehow got missed: PID: 2879 TASK: c16adaa0 CPU: 1 COMMAND: "sctpn" #0 [f418dd28] crash_kexec at c04a7d8c #1 [f418dd7c] oops_end at c0863e02 #2 [f418dd90] do_invalid_op at c040aaca #3 [f418de28] error_code (via invalid_op) at c08631a5 EAX: f34baac0 EBX: 00000090 ECX: f418deb0 EDX: f5542950 EBP: 00000000 DS: 007b ESI: f34ba800 ES: 007b EDI: f418dea0 GS: 00e0 CS: 0060 EIP: c046fa5e ERR: ffffffff EFLAGS: 00010286 #4 [f418de5c] add_timer at c046fa5e #5 [f418de68] sctp_do_sm at f8db8c77 [sctp] #6 [f418df30] sctp_primitive_SHUTDOWN at f8dcc1b5 [sctp] #7 [f418df48] inet_shutdown at c080baf9 #8 [f418df5c] sys_shutdown at c079eedf #9 [f418df70] sys_socketcall at c079fe88 EAX: ffffffda EBX: 0000000d ECX: bfceea90 EDX: 0937af98 DS: 007b ESI: 0000000c ES: 007b EDI: b7150ae4 SS: 007b ESP: bfceea7c EBP: bfceeaa8 GS: 0033 CS: 0073 EIP: b775c424 ERR: 00000066 EFLAGS: 00000282 It appears that the side effect that starts the shutdown timer was processed multiple times, which can happen as multiple paths can trigger it. This of course leads to the BUG halt in add_timer getting called. Fix seems pretty straightforward, just check before the timer is added if its already been started. If it has mod the timer instead to min(current expiration, new expiration) Its been tested but not confirmed to fix the problem, as the issue has only occured in production environments where test kernels are enjoined from being installed. It appears to be a sane fix to me though. Also, recentely, Jere found a reproducer posted on list to confirm that this resolves the issues Signed-off-by: Neil Horman CC: Vlad Yasevich CC: "David S. Miller" CC: jere.leppanen@nokia.com CC: marcelo.leitner@gmail.com CC: netdev@vger.kernel.org Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller commit 3c9e66568ad40dc17518fa00e2b28c3b450040d4 Merge: 03fb3acae4be 7915502377c5 Author: Linus Torvalds Date: Tue May 19 15:40:51 2020 -0700 Merge tag 'arc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc Pull ARC fixes from Vineet Gupta: - fix recent DSP code regression on ARC700 platforms - fix thinkos in ICCM/DCCM size checks - USB regression fix - other small fixes here and there * tag 'arc-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: show_regs: avoid extra line of output ARC: guard dsp early init against non ARCv2 ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT ARC: entry: comment arc: remove #ifndef CONFIG_AS_CFI_SIGNAL_FRAME arc: ptrace: hard-code "arc" instead of UTS_MACHINE ARC: [plat-hsdk]: fix USB regression ARC: Fix ICCM & DCCM runtime size checks commit c0bbbdc32febd4f034ecbf3ea17865785b2c0652 Author: Boris Sukholitko Date: Tue May 19 10:32:37 2020 +0300 __netif_receive_skb_core: pass skb by reference __netif_receive_skb_core may change the skb pointer passed into it (e.g. in rx_handler). The original skb may be freed as a result of this operation. The callers of __netif_receive_skb_core may further process original skb by using pt_prev pointer returned by __netif_receive_skb_core thus leading to unpleasant effects. The solution is to pass skb by reference into __netif_receive_skb_core. v2: Added Fixes tag and comment regarding ppt_prev and skb invariant. Fixes: 88eb1944e18c ("net: core: propagate SKB lists through packet_type lookup") Signed-off-by: Boris Sukholitko Acked-by: Edward Cree Signed-off-by: David S. Miller commit 88d7fcfa3b1fe670f0412b95be785aafca63352b Author: Martin KaFai Lau Date: Mon May 18 17:13:34 2020 -0700 net: inet_csk: Fix so_reuseport bind-address cache in tb->fast* The commit 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk") added a bind-address cache in tb->fast*. The tb->fast* caches the address of a sk which has successfully been binded with SO_REUSEPORT ON. The idea is to avoid the expensive conflict search in inet_csk_bind_conflict(). There is an issue with wildcard matching where sk_reuseport_match() should have returned false but it is currently returning true. It ends up hiding bind conflict. For example, bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */ bind("[::2]:443"); /* with SO_REUSEPORT. Succeed. */ bind("[::]:443"); /* with SO_REUSEPORT. Still Succeed where it shouldn't */ The last bind("[::]:443") with SO_REUSEPORT on should have failed because it should have a conflict with the very first bind("[::1]:443") which has SO_REUSEPORT off. However, the address "[::2]" is cached in tb->fast* in the second bind. In the last bind, the sk_reuseport_match() returns true because the binding sk's wildcard addr "[::]" matches with the "[::2]" cached in tb->fast*. The correct bind conflict is reported by removing the second bind such that tb->fast* cache is not involved and forces the bind("[::]:443") to go through the inet_csk_bind_conflict(): bind("[::1]:443"); /* without SO_REUSEPORT. Succeed. */ bind("[::]:443"); /* with SO_REUSEPORT. -EADDRINUSE */ The expected behavior for sk_reuseport_match() is, it should only allow the "cached" tb->fast* address to be used as a wildcard match but not the address of the binding sk. To do that, the current "bool match_wildcard" arg is split into "bool match_sk1_wildcard" and "bool match_sk2_wildcard". This change only affects the sk_reuseport_match() which is only used by inet_csk (e.g. TCP). The other use cases are calling inet_rcv_saddr_equal() and this patch makes it pass the same "match_wildcard" arg twice to the "ipv[46]_rcv_saddr_equal(..., match_wildcard, match_wildcard)". Cc: Josef Bacik Fixes: 637bc8bbe6c0 ("inet: reset tb->fastreuseport when adding a reuseport sk") Signed-off-by: Martin KaFai Lau Signed-off-by: David S. Miller commit 4e89b7210403fa4a8acafe7c602b6212b7af6c3b Author: Al Viro Date: Tue May 19 17:48:52 2020 -0400 fix multiplication overflow in copy_fdtable() cpy and set really should be size_t; we won't get an overflow on that, since sysctl_nr_open can't be set above ~(size_t)0 / sizeof(void *), so nr that would've managed to overflow size_t on that multiplication won't get anywhere near copy_fdtable() - we'll fail with EMFILE before that. Cc: stable@kernel.org # v2.6.25+ Fixes: 9cfe015aa424 (get rid of NR_OPEN and introduce a sysctl_nr_open) Reported-by: Thiago Macieira Signed-off-by: Al Viro commit 4f4eeba87cc731b200bff9372d14a80f5996b277 Author: Bijan Mottahedeh Date: Tue May 19 14:52:49 2020 -0700 io_uring: don't use kiocb.private to store buf_index kiocb.private is used in iomap_dio_rw() so store buf_index separately. Signed-off-by: Bijan Mottahedeh Move 'buf_index' to a hole in io_kiocb. Signed-off-by: Jens Axboe commit c27a204383616efba5a4194075e90819961ff66a Author: Marc Payne Date: Tue May 19 19:01:46 2020 +0100 r8152: support additional Microsoft Surface Ethernet Adapter variant Device id 0927 is the RTL8153B-based component of the 'Surface USB-C to Ethernet and USB Adapter' and may be used as a component of other devices in future. Tested and working with the r8152 driver. Update the cdc_ether blacklist due to the RTL8153 'network jam on suspend' issue which this device will cause (personally confirmed). Signed-off-by: Marc Payne Signed-off-by: David S. Miller commit 12555a2d97e5784eeb105ca9b1b533d4c95f1115 Author: Todd Malsbary Date: Tue May 19 09:45:34 2020 -0700 mptcp: use rightmost 64 bits in ADD_ADDR HMAC This changes the HMAC used in the ADD_ADDR option from the leftmost 64 bits to the rightmost 64 bits as described in RFC 8684, section 3.4.1. This issue was discovered while adding support to packetdrill for the ADD_ADDR v1 option. Fixes: 3df523ab582c ("mptcp: Add ADD_ADDR handling") Signed-off-by: Todd Malsbary Acked-by: Christoph Paasch Reviewed-by: Matthieu Baerts Signed-off-by: David S. Miller commit f25641c08cbe81f83dc1aca6247244345a9a8f26 Merge: ef01cee2ee1b f92f26f2ed2c Author: David S. Miller Date: Tue May 19 12:09:45 2020 -0700 Merge tag 'wireless-drivers-2020-05-19' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers Kalle Valo says: ==================== wireless-drivers fixes for v5.7 Third and most likely the last set of fixes for v5.7. Only one iwlwifi fix this time. iwlwifi * another fix for QuZ device configuration ==================== Signed-off-by: David S. Miller commit 959f7584512941a614113bfddb41b6812214169d Author: Christoph Hellwig Date: Tue May 5 17:43:15 2020 +0200 ext4: fix fiemap size checks for bitmap files Add an extra validation of the len parameter, as for ext4 some files might have smaller file size limits than others. This also means the redundant size check in ext4_ioctl_get_es_cache can go away, as all size checking is done in the shared fiemap handler. Signed-off-by: Christoph Hellwig Reviewed-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20200505154324.3226743-3-hch@lst.de Signed-off-by: Theodore Ts'o commit ef01cee2ee1b369c57a936166483d40942bcc3e3 Author: Jeremy Kerr Date: Tue May 19 09:05:58 2020 +0800 net: bmac: Fix read of MAC address from ROM In bmac_get_station_address, We're reading two bytes at a time from ROM, but we do that six times, resulting in 12 bytes of read & writes. This means we will write off the end of the six-byte destination buffer. This change fixes the for-loop to only read/write six bytes. Based on a proposed fix from Finn Thain . Signed-off-by: Jeremy Kerr Reported-by: Stan Johnson Tested-by: Stan Johnson Reported-by: Finn Thain Signed-off-by: David S. Miller commit 9f44eda19529b1c3eef50676dc54b8cd0aa86aa3 Author: Ritesh Harjani Date: Tue May 5 17:43:14 2020 +0200 ext4: fix EXT4_MAX_LOGICAL_BLOCK macro ext4 supports max number of logical blocks in a file to be 0xffffffff. (This is since ext4_extent's ee_block is __le32). This means that EXT4_MAX_LOGICAL_BLOCK should be 0xfffffffe (starting from 0 logical offset). This patch fixes this. The issue was seen when ext4 moved to iomap_fiemap API and when overlayfs was mounted on top of ext4. Since overlayfs was missing filemap_check_ranges(), so it could pass a arbitrary huge length which lead to overflow of map.m_len logic. This patch fixes that. Fixes: d3b6f23f7167 ("ext4: move ext4_fiemap to use iomap framework") Reported-by: syzbot+77fa5bdb65cc39711820@syzkaller.appspotmail.com Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20200505154324.3226743-2-hch@lst.de Signed-off-by: Theodore Ts'o commit 03fb3acae4be8a6b680ffedb220a8b6c07260b40 Merge: 97076ea41a09 efa7fb4c6c8e Author: Linus Torvalds Date: Tue May 19 11:52:24 2020 -0700 Merge branch 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux Pull i2c fixes from Wolfram Sang: "A set of driver and core fixes as well as MAINTAINER update" * 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: MAINTAINERS: add maintainer for mediatek i2c controller driver i2c: mux: Replace zero-length array with flexible-array i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' i2c: altera: Fix race between xfer_msg and isr thread i2c: algo-pca: update contact email i2c: at91: Fix pinmux after devm_gpiod_get() for bus recovery i2c: use my kernel.org address from now on i2c: fix missing pm_runtime_put_sync in i2c_device_probe commit 97076ea41a093e67db20d0e40f728a054b799630 Merge: c2b00cbda9f9 38dce4195f0d Author: Linus Torvalds Date: Tue May 19 11:48:21 2020 -0700 Merge tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux Pull hyperv fix from Wei Liu: "One patch from Vitaly to fix reenlightenment notifications" * tag 'hyperv-fixes-signed' of git://git.kernel.org/pub/scm/linux/kernel/git/hyperv/linux: x86/hyperv: Properly suspend/resume reenlightenment notifications commit c2b00cbda9f92820ddbe2ae8f97628dae84ccc37 Merge: 7bd57fbc4a4d bd421264ed30 Author: Linus Torvalds Date: Tue May 19 11:37:11 2020 -0700 Merge tag 'iommu-fixes-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: "All related to the AMD IOMMU driver: - ACPI table parser fix to correctly read the UID of ACPI devices - ACPI UID device matching fix - Fix deferred device attachment to a domain in kdump kernels when the IOMMU driver uses the dma-iommu DMA-API implementation" * tag 'iommu-fixes-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu: Fix deferred domain attachment iommu/amd: Fix get_acpihid_device_id() iommu/amd: Fix over-read of ACPI UID from IVRS table commit 7bd57fbc4a4ddedc664cad0bbced1b469e24e921 Author: Ilya Dryomov Date: Tue May 19 13:26:57 2020 +0200 vsprintf: don't obfuscate NULL and error pointers I don't see what security concern is addressed by obfuscating NULL and IS_ERR() error pointers, printed with %p/%pK. Given the number of sites where %p is used (over 10000) and the fact that NULL pointers aren't uncommon, it probably wouldn't take long for an attacker to find the hash that corresponds to 0. Although harder, the same goes for most common error values, such as -1, -2, -11, -14, etc. The NULL part actually fixes a regression: NULL pointers weren't obfuscated until commit 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers") which went into 5.2. I'm tacking the IS_ERR() part on here because error pointers won't leak kernel addresses and printing them as pointers shouldn't be any different from e.g. %d with PTR_ERR_OR_ZERO(). Obfuscating them just makes debugging based on existing pr_debug and friends excruciating. Note that the "always print 0's for %pK when kptr_restrict == 2" behaviour which goes way back is left as is. Example output with the patch applied: ptr error-ptr NULL %p: 0000000001f8cc5b fffffffffffffff2 0000000000000000 %pK, kptr = 0: 0000000001f8cc5b fffffffffffffff2 0000000000000000 %px: ffff888048c04020 fffffffffffffff2 0000000000000000 %pK, kptr = 1: ffff888048c04020 fffffffffffffff2 0000000000000000 %pK, kptr = 2: 0000000000000000 0000000000000000 0000000000000000 Fixes: 3e5903eb9cff ("vsprintf: Prevent crash when dereferencing invalid pointers") Signed-off-by: Ilya Dryomov Reviewed-by: Petr Mladek Reviewed-by: Sergey Senozhatsky Reviewed-by: Andy Shevchenko Acked-by: Steven Rostedt (VMware) Signed-off-by: Linus Torvalds commit 39f23ce07b9355d05a64ae303ce20d1c4b92b957 Author: Vincent Guittot Date: Wed May 13 15:55:28 2020 +0200 sched/fair: Fix unthrottle_cfs_rq() for leaf_cfs_rq list Although not exactly identical, unthrottle_cfs_rq() and enqueue_task_fair() are quite close and follow the same sequence for enqueuing an entity in the cfs hierarchy. Modify unthrottle_cfs_rq() to use the same pattern as enqueue_task_fair(). This fixes a problem already faced with the latter and add an optimization in the last for_each_sched_entity loop. Fixes: fe61468b2cb (sched/fair: Fix enqueue_task_fair warning) Reported-by Tao Zhou Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Phil Auld Reviewed-by: Ben Segall Link: https://lkml.kernel.org/r/20200513135528.4742-1-vincent.guittot@linaro.org commit ad32bb41fca67936c0c1d6d0bdd6d3e2e9c5432f Author: Pavankumar Kondeti Date: Sun May 10 18:26:41 2020 +0530 sched/debug: Fix requested task uclamp values shown in procfs The intention of commit 96e74ebf8d59 ("sched/debug: Add task uclamp values to SCHED_DEBUG procfs") was to print requested and effective task uclamp values. The requested values printed are read from p->uclamp, which holds the last effective values. Fix this by printing the values from p->uclamp_req. Fixes: 96e74ebf8d59 ("sched/debug: Add task uclamp values to SCHED_DEBUG procfs") Signed-off-by: Pavankumar Kondeti Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Tested-by: Valentin Schneider Link: https://lkml.kernel.org/r/1589115401-26391-1-git-send-email-pkondeti@codeaurora.org commit b34cb07dde7c2346dec73d053ce926aeaa087303 Author: Phil Auld Date: Tue May 12 09:52:22 2020 -0400 sched/fair: Fix enqueue_task_fair() warning some more sched/fair: Fix enqueue_task_fair warning some more The recent patch, fe61468b2cb (sched/fair: Fix enqueue_task_fair warning) did not fully resolve the issues with the rq->tmp_alone_branch != &rq->leaf_cfs_rq_list warning in enqueue_task_fair. There is a case where the first for_each_sched_entity loop exits due to on_rq, having incompletely updated the list. In this case the second for_each_sched_entity loop can further modify se. The later code to fix up the list management fails to do what is needed because se does not point to the sched_entity which broke out of the first loop. The list is not fixed up because the throttled parent was already added back to the list by a task enqueue in a parallel child hierarchy. Address this by calling list_add_leaf_cfs_rq if there are throttled parents while doing the second for_each_sched_entity loop. Fixes: fe61468b2cb ("sched/fair: Fix enqueue_task_fair warning") Suggested-by: Vincent Guittot Signed-off-by: Phil Auld Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Reviewed-by: Vincent Guittot Link: https://lkml.kernel.org/r/20200512135222.GC2201@lorien.usersys.redhat.com commit d7110a26e5905ec2fe3fc88bc6a538901accb72b Author: Nathan Chancellor Date: Wed Apr 8 13:53:23 2020 -0700 x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables When building with Clang + -Wtautological-compare and CONFIG_CPUMASK_OFFSTACK unset: arch/x86/mm/mmio-mod.c:375:6: warning: comparison of array 'downed_cpus' equal to a null pointer is always false [-Wtautological-pointer-compare] if (downed_cpus == NULL && ^~~~~~~~~~~ ~~~~ arch/x86/mm/mmio-mod.c:405:6: warning: comparison of array 'downed_cpus' equal to a null pointer is always false [-Wtautological-pointer-compare] if (downed_cpus == NULL || cpumask_weight(downed_cpus) == 0) ^~~~~~~~~~~ ~~~~ 2 warnings generated. Commit f7e30f01a9e2 ("cpumask: Add helper cpumask_available()") added cpumask_available() to fix warnings of this nature. Use that here so that clang does not warn regardless of CONFIG_CPUMASK_OFFSTACK's value. Reported-by: Sedat Dilek Signed-off-by: Nathan Chancellor Signed-off-by: Borislav Petkov Reviewed-by: Nick Desaulniers Acked-by: Steven Rostedt (VMware) Link: https://github.com/ClangBuiltLinux/linux/issues/982 Link: https://lkml.kernel.org/r/20200408205323.44490-1-natechancellor@gmail.com commit 3a5fd0dbd87853f8bd2ea275a5b3b41d6686e761 Author: Christophe JAILLET Date: Sat May 16 23:42:05 2020 +0200 dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' Commit b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe") has moved some code in the probe function and reordered the error handling path accordingly. However, a goto has been missed. Fix it and goto the right label if 'dma_async_device_register()' fails, so that all resources are released. Fixes: b53611fb1ce9 ("dmaengine: tegra210-adma: Fix crash during probe") Signed-off-by: Christophe JAILLET Reviewed-by: Jon Hunter Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20200516214205.276266-1-christophe.jaillet@wanadoo.fr Signed-off-by: Vinod Koul commit 21c27f06587d2c18150d27ca2382a509ec55c482 Author: Saravana Kannan Date: Mon May 18 23:30:00 2020 -0700 driver core: Fix SYNC_STATE_ONLY device link implementation When SYNC_STATE_ONLY support was added in commit 05ef983e0d65 ("driver core: Add device link support for SYNC_STATE_ONLY flag"), device_link_add() incorrectly skipped adding the new SYNC_STATE_ONLY device link to the supplier's and consumer's "device link" list. This causes multiple issues: - The device link is lost forever from driver core if the caller didn't keep track of it (caller typically isn't expected to). This is a memory leak. - The device link is also never visible to any other code path after device_link_add() returns. If we fix the "device link" list handling, that exposes a bunch of issues. 1. The device link "status" state management code rightfully doesn't handle the case where a DL_FLAG_MANAGED device link exists between a supplier and consumer, but the consumer manages to probe successfully before the supplier. The addition of DL_FLAG_SYNC_STATE_ONLY links break this assumption. This causes device_links_driver_bound() to throw a warning when this happens. Since DL_FLAG_SYNC_STATE_ONLY device links are mainly used for creating proxy device links for child device dependencies and aren't useful once the consumer device probes successfully, this patch just deletes DL_FLAG_SYNC_STATE_ONLY device links once its consumer device probes. This way, we avoid the warning, free up some memory and avoid complicating the device links "status" state management code. 2. Creating a DL_FLAG_STATELESS device link between two devices that already have a DL_FLAG_SYNC_STATE_ONLY device link will result in the DL_FLAG_STATELESS flag not getting set correctly. This patch also fixes this. Lastly, this patch also fixes minor whitespace issues. Cc: stable@vger.kernel.org Fixes: 05ef983e0d65 ("driver core: Add device link support for SYNC_STATE_ONLY flag") Signed-off-by: Saravana Kannan Reviewed-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/20200519063000.128819-1-saravanak@google.com Signed-off-by: Greg Kroah-Hartman commit bd421264ed307dd296eab036851221b225071a32 Author: Joerg Roedel Date: Tue May 19 15:03:40 2020 +0200 iommu: Fix deferred domain attachment The IOMMU core code has support for deferring the attachment of a domain to a device. This is needed in kdump kernels where the new domain must not be attached to a device before the device driver takes it over. When the AMD IOMMU driver got converted to use the dma-iommu implementation, the deferred attaching got lost. The code in dma-iommu.c has support for deferred attaching, but it calls into iommu_attach_device() to actually do it. But iommu_attach_device() will check if the device should be deferred in it code-path and do nothing, breaking deferred attachment. Move the is_deferred_attach() check out of the attach_device path and into iommu_group_add_device() to make deferred attaching work from the dma-iommu code. Fixes: 795bbbb9b6f8 ("iommu/dma-iommu: Handle deferred devices") Reported-by: Jerry Snitselaar Suggested-by: Robin Murphy Signed-off-by: Joerg Roedel Tested-by: Jerry Snitselaar Cc: Jerry Snitselaar Cc: Tom Murphy Cc: Robin Murphy Link: https://lore.kernel.org/r/20200519130340.14564-1-joro@8bytes.org commit 3866f217aaa81bf7165c7f27362eee5d7919c496 Author: Fredrik Strupe Date: Mon May 18 19:41:11 2020 +0100 ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook call_undef_hook() in traps.c applies the same instr_mask for both 16-bit and 32-bit thumb instructions. If instr_mask then is only 16 bits wide (0xffff as opposed to 0xffffffff), the first half-word of 32-bit thumb instructions will be masked out. This makes the function match 32-bit thumb instructions where the second half-word is equal to instr_val, regardless of the first half-word. The result in this case is that all undefined 32-bit thumb instructions with the second half-word equal to 0xde01 (udf #1) work as breakpoints and will raise a SIGTRAP instead of a SIGILL, instead of just the one intended 16-bit instruction. An example of such an instruction is 0xeaa0de01, which is unallocated according to Arm ARM and should raise a SIGILL, but instead raises a SIGTRAP. This patch fixes the issue by setting all the bits in instr_mask, which will still match the intended 16-bit thumb instruction (where the upper half is always 0), but not any 32-bit thumb instructions. Cc: Oleg Nesterov Signed-off-by: Fredrik Strupe Signed-off-by: Russell King commit ad99cb5e783bb03d512092db3387ead9504aad3d Author: Dan Carpenter Date: Mon May 18 14:29:55 2020 +0300 drm/etnaviv: Fix a leak in submit_pin_objects() If the mapping address is wrong then we have to release the reference to it before returning -EINVAL. Fixes: 088880ddc0b2 ("drm/etnaviv: implement softpin") Signed-off-by: Dan Carpenter Signed-off-by: Lucas Stach commit 40b697e256ccdb88aaff424b44b4d300eb8460e8 Author: Christian Gmeiner Date: Tue May 19 07:30:15 2020 +0200 drm/etnaviv: fix perfmon domain interation The GC860 has one GPU device which has a 2d and 3d core. In this case we want to expose perfmon information for both cores. The driver has one array which contains all possible perfmon domains with some meta data - doms_meta. Here we can see that for the GC860 two elements of that array are relevant: doms_3d: is at index 0 in the doms_meta array with 8 perfmon domains doms_2d: is at index 1 in the doms_meta array with 1 perfmon domain The userspace driver wants to get a list of all perfmon domains and their perfmon signals. This is done by iterating over all domains and their signals. If the userspace driver wants to access the domain with id 8 the kernel driver fails and returns invalid data from doms_3d with and invalid offset. This results in: Unable to handle kernel paging request at virtual address 00000000 On such a device it is not possible to use the userspace driver at all. The fix for this off-by-one error is quite simple. Reported-by: Paul Cercueil Tested-by: Paul Cercueil Fixes: ed1dd899baa3 ("drm/etnaviv: rework perfmon query infrastructure") Cc: stable@vger.kernel.org Signed-off-by: Christian Gmeiner Signed-off-by: Lucas Stach commit f3a6a6c5e0f5a303fd8ec84ea33c0da5869d715f Author: Kamal Dasu Date: Sat May 2 16:41:36 2020 -0400 mtd:rawnand: brcmnand: Fix PM resume crash This change fixes crash observed on PM resume. This bug was introduced in the change made for flash-edu support. Fixes: a5d53ad26a8b ("mtd: rawnand: brcmnand: Add support for flash-edu for dma transfers") Signed-off-by: Kamal Dasu Acked-by: Florian Fainelli Signed-off-by: Richard Weinberger commit 259eb82475316672a5d682a94dc8bdd53cf8d8c3 Author: PeiSen Hou Date: Tue May 19 08:50:12 2020 +0200 ALSA: hda/realtek - Add more fixup entries for Clevo machines A few known Clevo machines (PC50, PC70, X170) with ALC1220 codec need the existing quirk for pins for PB51 and co. Signed-off-by: PeiSen Hou Cc: Link: https://lore.kernel.org/r/20200519065012.13119-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit b15e62631c5f19fea9895f7632dae9c1b27fe0cd Author: Roman Mashak Date: Sun May 17 08:46:31 2020 -0400 net sched: fix reporting the first-time use timestamp When a new action is installed, firstuse field of 'tcf_t' is explicitly set to 0. Value of zero means "new action, not yet used"; as a packet hits the action, 'firstuse' is stamped with the current jiffies value. tcf_tm_dump() should return 0 for firstuse if action has not yet been hit. Fixes: 48d8ee1694dd ("net sched actions: aggregate dumping of actions timeinfo") Cc: Jamal Hadi Salim Signed-off-by: Roman Mashak Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller commit 7b01b7239d0dc9832e0d0d23605c1ff047422a2c Author: Ricardo Ribalda Delgado Date: Thu Apr 30 15:17:21 2020 +0200 mtd: Fix mtd not registered due to nvmem name collision When the nvmem framework is enabled, a nvmem device is created per mtd device/partition. It is not uncommon that a device can have multiple mtd devices with partitions that have the same name. Eg, when there DT overlay is allowed and the same device with mtd is attached twice. Under that circumstances, the mtd fails to register due to a name duplication on the nvmem framework. With this patch we use the mtdX name instead of the partition name, which is unique. [ 8.948991] sysfs: cannot create duplicate filename '/bus/nvmem/devices/Production Data' [ 8.948992] CPU: 7 PID: 246 Comm: systemd-udevd Not tainted 5.5.0-qtec-standard #13 [ 8.948993] Hardware name: AMD Dibbler/Dibbler, BIOS 05.22.04.0019 10/26/2019 [ 8.948994] Call Trace: [ 8.948996] dump_stack+0x50/0x70 [ 8.948998] sysfs_warn_dup.cold+0x17/0x2d [ 8.949000] sysfs_do_create_link_sd.isra.0+0xc2/0xd0 [ 8.949002] bus_add_device+0x74/0x140 [ 8.949004] device_add+0x34b/0x850 [ 8.949006] nvmem_register.part.0+0x1bf/0x640 ... [ 8.948926] mtd mtd8: Failed to register NVMEM device Fixes: c4dfa25ab307 ("mtd: add support for reading MTD devices via the nvmem API") Signed-off-by: Ricardo Ribalda Delgado Acked-by: Miquel Raynal Signed-off-by: Richard Weinberger commit 3507273d5a4d3c2e46f9d3f9ed9449805f5dff07 Author: Miquel Raynal Date: Wed May 13 15:10:29 2020 +0200 mtd: spinand: Propagate ECC information to the MTD structure This is done by default in the raw NAND core (nand_base.c) but was missing in the SPI-NAND core. Without these two lines the ecc_strength and ecc_step_size values are not exported to the user through sysfs. Fixes: 7529df465248 ("mtd: nand: Add core infrastructure to support SPI NANDs") Cc: stable@vger.kernel.org Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Signed-off-by: Richard Weinberger commit 642b151f45dd54809ea00ecd3976a56c1ec9b53d Merge: 45088963ca9c 843385694721 Author: Linus Torvalds Date: Mon May 18 11:29:21 2020 -0700 Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity Pull integrity fixes from Mimi Zohar: "A couple of miscellaneous bug fixes for the integrity subsystem: IMA: - Properly modify the open flags in order to calculate the file hash. - On systems requiring the IMA policy to be signed, the policy is loaded differently. Don't differentiate between "enforce" and either "log" or "fix" modes how the policy is loaded. EVM: - Two patches to fix an EVM race condition, normally the result of attempting to load an unsupported hash algorithm. - Use the lockless RCU version for walking an append only list" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity: evm: Fix a small race in init_desc() evm: Fix RCU list related warnings ima: Fix return value of ima_write_policy() evm: Check also if *tfm is an error pointer in init_desc() ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() commit b0cb099062b0c18246c3a20caaab4c0afc303255 Author: Scott Bahling Date: Mon May 18 19:57:28 2020 +0200 ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option The ST Audio ADCIII is an STDSP24 card plus extension box. With commit e8a91ae18bdc ("ALSA: ice1712: Add support for STAudio ADCIII") we enabled the ADCIII ports using the model=staudio option but forgot this part to ensure the STDSP24 card is initialized properly. Fixes: e8a91ae18bdc ("ALSA: ice1712: Add support for STAudio ADCIII") Signed-off-by: Scott Bahling Cc: BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1048934 Link: https://lore.kernel.org/r/20200518175728.28766-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 45088963ca9cdc3df50dd7b1b63e1dc9dcc6375e Merge: 9d1be4f4dc5f 94182167ec73 Author: Linus Torvalds Date: Mon May 18 10:33:13 2020 -0700 Merge tag 'for-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat Pull exfat fixes from Namjae Jeon: - Fix potential memory leak in exfat_find - Set exfat's splice_write to iter_file_splice_write to fix a splice failure on direct-opened files * tag 'for-5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/linkinjeon/exfat: exfat: fix possible memory leak in exfat_find() exfat: use iter_file_splice_write commit 9d1be4f4dc5ff1c66c86acfd2c35765d9e3776b3 Author: David Howells Date: Sun May 17 21:21:05 2020 +0100 afs: Don't unlock fetched data pages until the op completes successfully Don't call req->page_done() on each page as we finish filling it with the data coming from the network. Whilst this might speed up the application a bit, it's a problem if there's a network failure and the operation has to be reissued. If this happens, an oops occurs because afs_readpages_page_done() clears the pointer to each page it unlocks and when a retry happens, the pointers to the pages it wants to fill are now NULL (and the pages have been unlocked anyway). Instead, wait till the operation completes successfully and only then release all the pages after clearing any terminal gap (the server can give us less data than we requested as we're allowed to ask for more than is available). KASAN produces a bug like the following, and even without KASAN, it can oops and panic. BUG: KASAN: wild-memory-access in _copy_to_iter+0x323/0x5f4 Write of size 1404 at addr 0005088000000000 by task md5sum/5235 CPU: 0 PID: 5235 Comm: md5sum Not tainted 5.7.0-rc3-fscache+ #250 Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014 Call Trace: memcpy+0x39/0x58 _copy_to_iter+0x323/0x5f4 __skb_datagram_iter+0x89/0x2a6 skb_copy_datagram_iter+0x129/0x135 rxrpc_recvmsg_data.isra.0+0x615/0xd42 rxrpc_kernel_recv_data+0x1e9/0x3ae afs_extract_data+0x139/0x33a yfs_deliver_fs_fetch_data64+0x47a/0x91b afs_deliver_to_call+0x304/0x709 afs_wait_for_call_to_complete+0x1cc/0x4ad yfs_fs_fetch_data+0x279/0x288 afs_fetch_data+0x1e1/0x38d afs_readpages+0x593/0x72e read_pages+0xf5/0x21e __do_page_cache_readahead+0x128/0x23f ondemand_readahead+0x36e/0x37f generic_file_buffered_read+0x234/0x680 new_sync_read+0x109/0x17e vfs_read+0xe6/0x138 ksys_read+0xd8/0x14d do_syscall_64+0x6e/0x8a entry_SYSCALL_64_after_hwframe+0x49/0xb3 Fixes: 196ee9cd2d04 ("afs: Make afs_fs_fetch_data() take a list of pages") Fixes: 30062bd13e36 ("afs: Implement YFS support in the fs client") Signed-off-by: David Howells Reviewed-by: Matthew Wilcox (Oracle) Signed-off-by: Linus Torvalds commit e3aabf9554fd04eb14cd44ae7583fc9d40edd250 Author: Jens Axboe Date: Mon May 18 11:04:17 2020 -0600 io_uring: cancel work if task_work_add() fails We currently move it to the io_wqe_manager for execution, but we cannot safely do so as we may lack some of the state to execute it out of context. As we cancel work anyway when the ring/task exits, just mark this request as canceled and io_async_task_func() will do the right thing. Fixes: aa96bf8a9ee3 ("io_uring: use io-wq manager as backup task if task is exiting") Signed-off-by: Jens Axboe commit 2b17b8d7cc65d333a48c6d32ee44fc489cecb7d9 Author: Adrian Hunter Date: Mon May 18 15:09:39 2020 +0300 mmc: sdhci: Fix SDHCI_QUIRK_BROKEN_CQE Previous to commit 511ce378e16f07 ("mmc: Add MMC host software queue support"), removing MMC_CAP2_CQE was enough to disable command queuing, but now the cqe_ops must also be NULL otherwise ->cqe_enable() will be called. Fix SDHCI_QUIRK_BROKEN_CQE to do that. Signed-off-by: Adrian Hunter Fixes: 511ce378e16f07 ("mmc: Add MMC host software queue support") Link: https://lore.kernel.org/r/20200518120939.1399-1-adrian.hunter@intel.com Signed-off-by: Ulf Hansson commit 607b9df63057a56f6172d560d5366cca6a030c76 Author: Rafael J. Wysocki Date: Fri May 15 12:58:19 2020 +0200 ACPI: EC: PM: Avoid flushing EC work when EC GPE is inactive Flushing the EC work while suspended to idle when the EC GPE status is not set causes some EC wakeup events (notably power button and lid ones) to be missed after a series of spurious wakeups on the Dell XPS13 9360 in my office. If that happens, the machine cannot be woken up from suspend-to-idle by the power button or lid status change and it needs to be woken up in some other way (eg. by a key press). Flushing the EC work only after successful dispatching the EC GPE, which means that its status has been set, avoids the issue, so change the code in question accordingly. Fixes: 7b301750f7f8 ("ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake()") Cc: 5.4+ # 5.4+ Signed-off-by: Rafael J. Wysocki Tested-by: Chris Chiu commit 3ffb93ba326f40b47b17a4e8b3399c0fa2e8cee6 Author: Xin Long Date: Mon May 18 13:35:19 2020 +0800 esp4: improve xfrm4_beet_gso_segment() to be more readable This patch is to improve the code to make xfrm4_beet_gso_segment() more readable, and keep consistent with xfrm6_beet_gso_segment(). Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit d9e8fe0cffbfdd18de96fa68ee2a8b667a0b046e Author: Christian Lachner Date: Mon May 18 07:38:44 2020 +0200 ALSA: hda/realtek - Fix silent output on Gigabyte X570 Aorus Xtreme The Gigabyte X570 Aorus Xtreme motherboard with ALC1220 codec requires a similar workaround for Clevo laptops to enforce the DAC/mixer connection path. Set up a quirk entry for that. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205275 Signed-off-by: Christian Lachner Cc: Link: https://lore.kernel.org/r/20200518053844.42743-2-gladiac@gmail.com Signed-off-by: Takashi Iwai commit e7513c5786f8b33f0c107b3759e433bc6cbb2efa Author: Brent Lu Date: Mon May 18 12:30:38 2020 +0800 ALSA: pcm: fix incorrect hw_base increase There is a corner case that ALSA keeps increasing the hw_ptr but DMA already stop working/updating the position for a long time. In following log we can see the position returned from DMA driver does not move at all but the hw_ptr got increased at some point of time so snd_pcm_avail() will return a large number which seems to be a buffer underrun event from user space program point of view. The program thinks there is space in the buffer and fill more data. [ 418.510086] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 4096 avail 12368 [ 418.510149] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 6910 avail 9554 ... [ 418.681052] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 15102 avail 1362 [ 418.681130] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0 [ 418.726515] sound pcmC0D5p: pos 96 hw_ptr 16464 appl_ptr 16464 avail 16368 This is because the hw_base will be increased by runtime->buffer_size frames unconditionally if the hw_ptr is not updated for over half of buffer time. As the hw_base increases, so does the hw_ptr increased by the same number. The avail value returned from snd_pcm_avail() could exceed the limit (buffer_size) easily becase the hw_ptr itself got increased by same buffer_size samples when the corner case happens. In following log, the buffer_size is 16368 samples but the avail is 21810 samples so CRAS server complains about it. [ 418.851755] sound pcmC0D5p: pos 96 hw_ptr 16464 appl_ptr 27390 avail 5442 [ 418.926491] sound pcmC0D5p: pos 96 hw_ptr 32832 appl_ptr 27390 avail 21810 cras_server[1907]: pcm_avail returned frames larger than buf_size: sof-glkda7219max: :0,5: 21810 > 16368 By updating runtime->hw_ptr_jiffies each time the HWSYNC is called, the hw_base will keep the same when buffer stall happens at long as the interval between each HWSYNC call is shorter than half of buffer time. Following is a log captured by a patched kernel. The hw_base/hw_ptr value is fixed in this corner case and user space program should be aware of the buffer stall and handle it. [ 293.525543] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 4096 avail 12368 [ 293.525606] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 6880 avail 9584 [ 293.525975] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 10976 avail 5488 [ 293.611178] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 15072 avail 1392 [ 293.696429] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0 ... [ 381.139517] sound pcmC0D5p: pos 96 hw_ptr 96 appl_ptr 16464 avail 0 Signed-off-by: Brent Lu Reviewed-by: Jaroslav Kysela Cc: Link: https://lore.kernel.org/r/1589776238-23877-1-git-send-email-brent.lu@intel.com Signed-off-by: Takashi Iwai commit e75dfba311f478f1c2bf928284e1949c20594336 Merge: b9bbe6ed63b2 9fefca775c8d Author: Linus Walleij Date: Mon May 18 09:40:50 2020 +0200 Merge tag 'gpio-fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/brgl/linux into fixes gpio fixes for v5.7-rc6 - fix probing for chips without PWM in gpio-mvebu - fix ida_simple_get() error path in gpio-exar - fix user-space notifications for line state changes commit 94182167ec730dadcaea5fbc6bb8f1136966ef66 Author: Wei Yongjun Date: Wed May 6 14:25:54 2020 +0000 exfat: fix possible memory leak in exfat_find() 'es' is malloced from exfat_get_dentry_set() in exfat_find() and should be freed before leaving from the error handling cases, otherwise it will cause memory leak. Fixes: 5f2aa075070c ("exfat: add inode operations") Signed-off-by: Wei Yongjun Signed-off-by: Namjae Jeon commit 035779483072ff7854943dc0cbae82c4e0070d15 Author: Eric Sandeen Date: Fri May 1 20:34:25 2020 -0500 exfat: use iter_file_splice_write Doing copy_file_range() on exfat with a file opened for direct IO leads to an -EFAULT: # xfs_io -f -d -c "truncate 32768" \ -c "copy_range -d 16384 -l 16384 -f 0" /mnt/test/junk copy_range: Bad address and the reason seems to be that we go through: default_file_splice_write splice_from_pipe __splice_from_pipe write_pipe_buf __kernel_write new_sync_write generic_file_write_iter generic_file_direct_write exfat_direct_IO do_blockdev_direct_IO iov_iter_get_pages and land in iterate_all_kinds(), which does "return -EFAULT" for our kvec iter. Setting exfat's splice_write to iter_file_splice_write fixes this and lets fsx (which originally detected the problem) run to success from the xfstests harness. Signed-off-by: Eric Sandeen Signed-off-by: Namjae Jeon commit b9bbe6ed63b2b9f2c9ee5cbd0f2c946a2723f4ce Author: Linus Torvalds Date: Sun May 17 16:48:37 2020 -0700 Linux 5.7-rc6 commit 8feea6233d2bf8e43ea99e78d8637ed0745d2732 Merge: 9b1f2cbdb6d3 653d37477160 Author: Linus Torvalds Date: Sun May 17 16:07:30 2020 -0700 Merge tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi Pull IPMI update from Corey Minyard: "Convert i2c_new_device() to i2c_new_client_device() Wolfram Sang has asked to have this included in 5.7 so the deprecated API can be removed next release. There should be no functional difference. I think that entire this section of code can be removed; it is leftover from other things that have since changed, but this is the safer thing to do for now. The full removal can happen next release" * tag 'for-linus-5.7-2' of git://github.com/cminyard/linux-ipmi: char: ipmi: convert to use i2c_new_client_device() commit 0e7572cffe442290c347e779bf8bd4306bb0aa7c Author: Richard Weinberger Date: Sat May 2 14:48:02 2020 +0200 ubi: Fix seq_file usage in detailed_erase_block_info debugfs file 3bfa7e141b0b ("fs/seq_file.c: seq_read(): add info message about buggy .next functions") showed that we don't use seq_file correctly. So make sure that our ->next function always updates the position. Fixes: 7bccd12d27b7 ("ubi: Add debugfs file for tracking PEB state") Signed-off-by: Richard Weinberger commit 3c3c32f85b6cc05e5db78693457deff03ac0f434 Author: Eric Biggers Date: Fri May 1 22:59:45 2020 -0700 ubifs: fix wrong use of crypto_shash_descsize() crypto_shash_descsize() returns the size of the shash_desc context needed to compute the hash, not the size of the hash itself. crypto_shash_digestsize() would be correct, or alternatively using c->hash_len and c->hmac_desc_len which already store the correct values. But actually it's simpler to just use stack arrays, so do that instead. Fixes: 49525e5eecca ("ubifs: Add helper functions for authentication support") Fixes: da8ef65f9573 ("ubifs: Authenticate replayed journal") Cc: # v4.20+ Cc: Sascha Hauer Signed-off-by: Eric Biggers Acked-by: Sascha Hauer Signed-off-by: Richard Weinberger commit 948a7749454b1712f1b2f2429f9493eb3e4a89b0 Author: Jens Axboe Date: Sun May 17 14:21:38 2020 -0600 io_uring: remove dead check in io_splice() We checked for 'force_nonblock' higher up, so it's definitely false at this point. Kill the check, it's a remnant of when we tried to do inline splice without always punting to async context. Fixes: 2fb3e82284fc ("io_uring: punt splice async because of inode mutex") Signed-off-by: Jens Axboe commit e3f2d5579c0b8ad9d1fb6a5813cee38a86386e05 Author: Leon Romanovsky Date: Sun May 17 14:53:40 2020 +0300 net: phy: propagate an error back to the callers of phy_sfp_probe The compilation warning below reveals that the errors returned from the sfp_bus_add_upstream() call are not propagated to the callers. Fix it by returning "ret". 14:37:51 drivers/net/phy/phy_device.c: In function 'phy_sfp_probe': 14:37:51 drivers/net/phy/phy_device.c:1236:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] 14:37:51 1236 | int ret; 14:37:51 | ^~~ Fixes: 298e54fa810e ("net: phy: add core phylib sfp support") Signed-off-by: Leon Romanovsky Signed-off-by: David S. Miller commit a6211caa634da39d861a47437ffcda8b38ef421b Author: Yuqi Jin Date: Sat May 16 11:46:49 2020 +0800 net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" Commit adb03115f459 ("net: get rid of an signed integer overflow in ip_idents_reserve()") used atomic_cmpxchg to replace "atomic_add_return" inside the function "ip_idents_reserve". The reason was to avoid UBSAN warning. However, this change has caused performance degrade and in GCC-8, fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer and signed integer overflow is now undefined by default at all optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv /-fno-strict-overflow, so Let's revert it safely. [1] https://gcc.gnu.org/gcc-8/changes.html Suggested-by: Peter Zijlstra Suggested-by: Eric Dumazet Cc: "David S. Miller" Cc: Alexey Kuznetsov Cc: Hideaki YOSHIFUJI Cc: Jakub Kicinski Cc: Jiri Pirko Cc: Arvind Sankar Cc: Peter Zijlstra Cc: Eric Dumazet Cc: Jiong Wang Signed-off-by: Yuqi Jin Signed-off-by: Shaokun Zhang Signed-off-by: David S. Miller commit 9b1f2cbdb6d3062c468d3f9b579501f0f7ce330b Merge: fb27bc034df1 852049594b9a Author: Linus Torvalds Date: Sun May 17 12:33:00 2020 -0700 Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux Pull clk fixes from Stephen Boyd: "Some more clk driver fixes and one core framework fix: - A handful of TI driver fixes for bad of_node_put() and incorrect parent names - Rockchip rk3228 aclk_gpu* creation was interfering with lima GPU work so we use a composite clk now - Resuming from suspend on Tegra Jetson TK1 was broken because an audio PLL calculated an incorrect rate - A fix for devicetree probing on IM-PD1 by actually specifying a clk name which is required to pass clk registration - Avoid list corruption if registration fails for a critical clk" * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux: clk: ti: clkctrl: convert subclocks to use proper names also clk: ti: am33xx: fix RTC clock parent clk: ti: clkctrl: Fix Bad of_node_put within clkctrl_get_name clk: tegra: Fix initial rate for pll_a on Tegra124 clk: impd1: Look up clock-output-names clk: Unlink clock if failed to prepare or enable clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks commit 61d0301e6c05db55446c7c9b3b3294244649e7bc Author: Kurt Kanzenbach Date: Wed May 13 16:02:49 2020 +0200 dt-bindings: net: dsa: b53: Add missing size and address cells to example Add the missing size and address cells to the b53 example. Otherwise, it may not compile or issue warnings if directly copied into a device tree. Signed-off-by: Kurt Kanzenbach Acked-by: Florian Fainelli Signed-off-by: David S. Miller commit fb27bc034df1e2c7930f606928b65aca652fed6a Merge: b48397cb75ac 15753588bcd4 Author: Linus Torvalds Date: Sun May 17 12:31:22 2020 -0700 Merge tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are a number of USB fixes for 5.7-rc6 The "largest" in here is a bunch of raw-gadget fixes and api changes as the driver just showed up in -rc1 and work has been done to fix up some uapi issues found with the original submission, before it shows up in a -final release. Other than that, a bunch of other small USB gadget fixes, xhci fixes, some quirks, andother tiny fixes for reported issues. All of these have been in linux-next with no reported issues" * tag 'usb-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: (26 commits) USB: gadget: fix illegal array access in binding with UDC usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B USB: usbfs: fix mmap dma mismatch usb: host: xhci-plat: keep runtime active when removing host usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list usb: cdns3: gadget: make a bunch of functions static usb: mtu3: constify struct debugfs_reg32 usb: gadget: udc: atmel: Make some symbols static usb: raw-gadget: fix null-ptr-deref when reenabling endpoints usb: raw-gadget: documentation updates usb: raw-gadget: support stalling/halting/wedging endpoints usb: raw-gadget: fix gadget endpoint selection usb: raw-gadget: improve uapi headers comments usb: typec: mux: intel: Fix DP_HPD_LVL bit field usb: raw-gadget: fix return value of ep read ioctls usb: dwc3: select USB_ROLE_SWITCH usb: gadget: legacy: fix error return code in gncm_bind() usb: gadget: legacy: fix error return code in cdc_bind() usb: gadget: legacy: fix redundant initialization warnings usb: gadget: tegra-xudc: Fix idle suspend/resume ... commit b48397cb75ac17a5c6f99b3b41fab0ab1f879826 Merge: ef0d5b9102c4 f87d1c955916 Author: Linus Torvalds Date: Sun May 17 12:23:37 2020 -0700 Merge branch 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull execve fix from Eric Biederman: "While working on my exec cleanups I found a bug in exec that I introduced by accident a couple of years ago. I apparently missed the fact that bprm->file can change. Now I have a very personal motive to clean up exec and make it more approachable. The change is just moving woud_dump to where it acts on the final bprm->file not the initial bprm->file. I have been careful and tested and verify this fix works" * 'exec-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: exec: Move would_dump into flush_old_exec commit ef0d5b9102c4614c45e04ede10d04e572a165ca8 Merge: 43567139f5f3 71c95825289f Author: Linus Torvalds Date: Sun May 17 12:20:14 2020 -0700 Merge tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 stack unwinding fix from Thomas Gleixner: "A single bugfix for the ORC unwinder to ensure that the error flag which tells the unwinding code whether a stack trace can be trusted or not is always set correctly. This was messed up by a couple of changes in the recent past" * tag 'objtool-urgent-2020-05-17' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/unwind/orc: Fix error handling in __unwind_start() commit 43567139f5f3808cda4f61c956576f8a4f2232cb Merge: 5a9ffb954a39 a9a3ed1eff36 Author: Linus Torvalds Date: Sun May 17 11:08:29 2020 -0700 Merge tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fix from Borislav Petkov: "A single fix for early boot crashes of kernels built with gcc10 and stack protector enabled" * tag 'x86_urgent_for_v5.7-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86: Fix early boot crash on gcc-10, third try commit 84be69b869a5a496a6cfde9b3c29509207a1f1fa Author: David Ahern Date: Sun May 17 11:26:32 2020 -0600 nexthop: Fix attribute checking for groups For nexthop groups, attributes after NHA_GROUP_TYPE are invalid, but nh_check_attr_group starts checking at NHA_GROUP. The group type defaults to multipath and the NHA_GROUP_TYPE is currently optional so this has slipped through so far. Fix the attribute checking to handle support of new group types. Fixes: 430a049190de ("nexthop: Add support for nexthop groups") Signed-off-by: ASSOGBA Emery Signed-off-by: David Ahern Signed-off-by: David S. Miller commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 Author: Eric W. Biederman Date: Sat May 16 16:29:20 2020 -0500 exec: Move would_dump into flush_old_exec I goofed when I added mm->user_ns support to would_dump. I missed the fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and binfmt_script bprm->file is reassigned. Which made the move of would_dump from setup_new_exec to __do_execve_file before exec_binprm incorrect as it can result in would_dump running on the script instead of the interpreter of the script. The net result is that the code stopped making unreadable interpreters undumpable. Which allows them to be ptraced and written to disk without special permissions. Oops. The move was necessary because the call in set_new_exec was after bprm->mm was no longer valid. To correct this mistake move the misplaced would_dump from __do_execve_file into flos_old_exec, before exec_mmap is called. I tested and confirmed that without this fix I can attach with gdb to a script with an unreadable interpreter, and with this fix I can not. Cc: stable@vger.kernel.org Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files") Signed-off-by: "Eric W. Biederman" commit bd2ab18a1d6267446eae1b47dd839050452bdf7f Author: Pavel Begunkov Date: Sun May 17 14:02:12 2020 +0300 io_uring: fix FORCE_ASYNC req preparation As for other not inlined requests, alloc req->io for FORCE_ASYNC reqs, so they can be prepared properly. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 650b548129b60b0d23508351800108196f4aa89f Author: Pavel Begunkov Date: Sun May 17 14:02:11 2020 +0300 io_uring: don't prepare DRAIN reqs twice If req->io is not NULL, it's already prepared. Don't do it again, it's dangerous. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 583863ed918136412ddf14de2e12534f17cfdc6f Author: Jens Axboe Date: Sun May 17 09:20:00 2020 -0600 io_uring: initialize ctx->sqo_wait earlier Ensure that ctx->sqo_wait is initialized as soon as the ctx is allocated, instead of deferring it to the offload setup. This fixes a syzbot reported lockdep complaint, which is really due to trying to wake_up on an uninitialized wait queue: RSP: 002b:00007fffb1fb9aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441319 RDX: 0000000000000001 RSI: 0000000020000140 RDI: 000000000000047b RBP: 0000000000010475 R08: 0000000000000001 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402260 R13: 00000000004022f0 R14: 0000000000000000 R15: 0000000000000000 INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 1 PID: 7090 Comm: syz-executor222 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:913 [inline] register_lock_class+0x1664/0x1760 kernel/locking/lockdep.c:1225 __lock_acquire+0x104/0x4c50 kernel/locking/lockdep.c:4234 lock_acquire+0x1f2/0x8f0 kernel/locking/lockdep.c:4934 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x8c/0xbf kernel/locking/spinlock.c:159 __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:122 io_cqring_ev_posted+0xa5/0x1e0 fs/io_uring.c:1160 io_poll_remove_all fs/io_uring.c:4357 [inline] io_ring_ctx_wait_and_kill+0x2bc/0x5a0 fs/io_uring.c:7305 io_uring_create fs/io_uring.c:7843 [inline] io_uring_setup+0x115e/0x22b0 fs/io_uring.c:7870 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x441319 Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffb1fb9aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 Reported-by: syzbot+8c91f5d054e998721c57@syzkaller.appspotmail.com Signed-off-by: Jens Axboe commit abf56fadf0e208abfb13ad1ac0094416058da0ad Author: Paul Cercueil Date: Sat May 16 23:50:50 2020 +0200 gpu/drm: Ingenic: Fix opaque pointer casted to wrong type The opaque pointer passed to the IRQ handler is a pointer to the drm_device, not a pointer to our ingenic_drm structure. It still worked, because our ingenic_drm structure contains the drm_device as its first field, so the pointer received had the same value, but this was not semantically correct. Cc: stable@vger.kernel.org # v5.3 Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") Signed-off-by: Paul Cercueil Link: https://patchwork.freedesktop.org/patch/msgid/20200516215057.392609-5-paul@crapouillou.net Acked-by: Sam Ravnborg commit a53bcc19876498bdd3b4ef796c787295dcc498b4 Author: Paul Cercueil Date: Sat May 16 23:50:49 2020 +0200 gpu/drm: ingenic: Fix bogus crtc_atomic_check callback The code was comparing the SoC's maximum height with the mode's width, and vice-versa. D'oh. Cc: stable@vger.kernel.org # v5.6 Fixes: a7c909b7c037 ("gpu/drm: ingenic: Check for display size in CRTC atomic check") Signed-off-by: Paul Cercueil Link: https://patchwork.freedesktop.org/patch/msgid/20200516215057.392609-4-paul@crapouillou.net Acked-by: Sam Ravnborg commit b4f1874c62168159fdb419ced4afc77c1b51c475 Author: Loïc Yhuel Date: Tue May 12 06:01:13 2020 +0200 tpm: check event log version before reading final events This fixes the boot issues since 5.3 on several Dell models when the TPM is enabled. Depending on the exact grub binary, booting the kernel would freeze early, or just report an error parsing the final events log. We get an event log in the SHA-1 format, which doesn't have a tcg_efi_specid_event_head in the first event, and there is a final events table which doesn't match the crypto agile format. __calc_tpm2_event_size reads bad "count" and "efispecid->num_algs", and either fails, or loops long enough for the machine to be appear frozen. So we now only parse the final events table, which is per the spec always supposed to be in the crypto agile format, when we got a event log in this format. Fixes: c46f3405692de ("tpm: Reserve the TPM final events table") Fixes: 166a2809d65b2 ("tpm: Don't duplicate events from the final event log in the TCG2 log") Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1779611 Signed-off-by: Loïc Yhuel Link: https://lore.kernel.org/r/20200512040113.277768-1-loic.yhuel@gmail.com Reviewed-by: Javier Martinez Canillas Reviewed-by: Jerry Snitselaar Reviewed-by: Matthew Garrett [ardb: warn when final events table is missing or in the wrong format] Signed-off-by: Ard Biesheuvel commit e8da08a088236aff4b51d4ec97c750051f9fe417 Author: Benjamin Thiel Date: Sat May 16 15:26:47 2020 +0200 efi: Pull up arch-specific prototype efi_systab_show_arch() Pull up arch-specific prototype efi_systab_show_arch() in order to fix a -Wmissing-prototypes warning: arch/x86/platform/efi/efi.c:957:7: warning: no previous prototype for ‘efi_systab_show_arch’ [-Wmissing-prototypes] char *efi_systab_show_arch(char *str) Signed-off-by: Benjamin Thiel Link: https://lore.kernel.org/r/20200516132647.14568-1-b.thiel@posteo.de Signed-off-by: Ard Biesheuvel commit 5a9ffb954a3933d7867f4341684a23e008d6839b Merge: 5d438e071f09 a48137996063 Author: Linus Torvalds Date: Sat May 16 21:43:11 2020 -0700 Merge tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 Pull cifs fixes from Steve French: "Three small cifs/smb3 fixes, one for stable" * tag '5.7-rc5-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6: cifs: fix leaked reference on requeued write cifs: Fix null pointer check in cifs_read CIFS: Spelling s/EACCESS/EACCES/ commit f45a7bccdc190e2cf6ca3a527edbc4c80d7114ef Author: Alex Elder Date: Fri May 15 14:52:03 2020 -0500 net: ipa: don't be a hog in gsi_channel_poll() The iteration count value used in gsi_channel_poll() is intended to limit poll iterations to the budget supplied as an argument. But it's never updated. Fix this bug by incrementing the count each time through the loop. Reported-by: Sharath Chandra Vurukala Signed-off-by: Alex Elder Signed-off-by: David S. Miller commit 5e5502e012b8129e11be616acb0f9c34bc8f8adb Author: DENG Qingfang Date: Wed May 13 23:10:16 2020 +0800 net: dsa: mt7530: fix roaming from DSA user ports When a client moves from a DSA user port to a software port in a bridge, it cannot reach any other clients that connected to the DSA user ports. That is because SA learning on the CPU port is disabled, so the switch ignores the client's frames from the CPU port and still thinks it is at the user port. Fix it by enabling SA learning on the CPU port. To prevent the switch from learning from flooding frames from the CPU port, set skb->offload_fwd_mark to 1 for unicast and broadcast frames, and let the switch flood them instead of trapping to the CPU port. Multicast frames still need to be trapped to the CPU port for snooping, so set the SA_DIS bit of the MTK tag to 1 when transmitting those frames to disable SA learning. Fixes: b8f126a8d543 ("net-next: dsa: add dsa support for Mediatek MT7530 switch") Signed-off-by: DENG Qingfang Signed-off-by: David S. Miller commit b6dd5acde3f165e364881c36de942c5b252e2a27 Author: Madhuparna Bhowmik Date: Sat May 16 13:15:15 2020 +0530 ipv6: Fix suspicious RCU usage warning in ip6mr This patch fixes the following warning: ============================= WARNING: suspicious RCU usage 5.7.0-rc4-next-20200507-syzkaller #0 Not tainted ----------------------------- net/ipv6/ip6mr.c:124 RCU-list traversed in non-reader section!! ipmr_new_table() returns an existing table, but there is no table at init. Therefore the condition: either holding rtnl or the list is empty is used. Fixes: d1db275dd3f6e ("ipv6: ip6mr: support multiple tables") Reported-by: kernel test robot Suggested-by: Jakub Kicinski Signed-off-by: Madhuparna Bhowmik Signed-off-by: David S. Miller commit 5d438e071f09845f0abd1464b52cddee880c2364 Merge: befc42e5dd49 c4e0e4ab4cf3 Author: Linus Torvalds Date: Sat May 16 13:39:22 2020 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "A new testcase for guest debugging (gdbstub) that exposed a bunch of bugs, mostly for AMD processors. And a few other x86 fixes" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c KVM: SVM: Disable AVIC before setting V_IRQ KVM: Introduce kvm_make_all_cpus_request_except() KVM: VMX: pass correct DR6 for GD userspace exit KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6 KVM: SVM: keep DR6 synchronized with vcpu->arch.dr6 KVM: nSVM: trap #DB and #BP to userspace if guest debugging is on KVM: selftests: Add KVM_SET_GUEST_DEBUG test KVM: X86: Fix single-step with KVM_SET_GUEST_DEBUG KVM: X86: Set RTM for DB_VECTOR too for KVM_EXIT_DEBUG KVM: x86: fix DR6 delivery for various cases of #DB injection KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly commit befc42e5dd4977b63dd3b0c0db05e21d56f13c2e Merge: 26b089a7fc33 249c9b0cd193 Author: Linus Torvalds Date: Sat May 16 13:34:45 2020 -0700 Merge tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux Pull powerpc fixes from Michael Ellerman: - A fix for unrecoverable SLB faults in the interrupt exit path, introduced by the recent rewrite of interrupt exit in C. - Four fixes for our KUAP (Kernel Userspace Access Prevention) support on 64-bit. These are all fairly minor with the exception of the change to evaluate the get/put_user() arguments before we enable user access, which reduces the amount of code we run with user access enabled. - A fix for our secure boot IMA rules, if enforcement of module signatures is enabled at runtime rather than build time. - A fix to our 32-bit VDSO clock_getres() which wasn't falling back to the syscall for unknown clocks. - A build fix for CONFIG_PPC_KUAP_DEBUG on 32-bit BookS, and another for 40x. Thanks to: Christophe Leroy, Hugh Dickins, Nicholas Piggin, Aurelien Jarno, Mimi Zohar, Nayna Jain. * tag 'powerpc-5.7-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux: powerpc/40x: Make more space for system call exception powerpc/vdso32: Fallback on getres syscall when clock is unknown powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG powerpc/ima: Fix secure boot rules in ima arch policy powerpc/64s/kuap: Restore AMR in fast_interrupt_return powerpc/64s/kuap: Restore AMR in system reset exception powerpc/64/kuap: Move kuap checks out of MSR[RI]=0 regions of exit code powerpc/64s: Fix unrecoverable SLB crashes due to preemption check powerpc/uaccess: Evaluate macro arguments once, before user access is allowed commit 26b089a7fc3301d8f53f99dd3607513d7700b505 Merge: 5c33696f2b09 51bb38cb7836 Author: Linus Torvalds Date: Sat May 16 13:31:40 2020 -0700 Merge tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux Pull csky updates from Guo Ren: - fix for copy_from/to_user (a hard-to-find bug, thx Viro) - fix for calltrace panic without FRAME_POINT - two fixes for perf - two build fixes - four fixes for non-fatal bugs (msa, rm dis_irq, cleanup psr, gdbmacros.txt) * tag 'csky-for-linus-5.7-rc6' of git://github.com/c-sky/csky-linux: csky: Fixup raw_copy_from_user() csky: Fixup gdbmacros.txt with name sp in thread_struct csky: Fixup remove unnecessary save/restore PSR code csky: Fixup remove duplicate irq_disable csky: Fixup calltrace panic csky: Fixup perf callchain unwind csky: Fixup msa highest 3 bits mask csky: Fixup perf probe -x hungup csky: Fixup compile error for abiv1 entry.S csky/ftrace: Fixup error when disable CONFIG_DYNAMIC_FTRACE commit 5c33696f2b0965f4354462f478dedc9b5e7b8e77 Merge: 3d1c1e5931ce d5fef88ccbd3 Author: Linus Torvalds Date: Sat May 16 13:27:58 2020 -0700 Merge tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc Pull ARM SoC/dt fixes from Arnd Bergmann: "This round of fixes is almost exclusively device tree changes, with trivial defconfig fixes and one compiler warning fix added in. A number of patches are to fix dtc warnings, in particular on Amlogic, i.MX and Rockchips. Other notable changes include: Renesas: - Fix a wrong clock configuration on R-Mobile A1 - Fix IOMMU support on R-Car V3H Allwinner - Multiple audio fixes Qualcomm - Use a safe CPU voltage on MSM8996 - Fixes to match a late audio driver change Rockchip: - Some fixes for the newly added Pinebook Pro NXP i.MX: - Fix I2C1 pinctrl configuration for i.MX27 phytec-phycard board - Fix imx6dl-yapp4-ursa board Ethernet connection OMAP: - A regression fix for non-existing can device on am534x-idk - Fix flakey wlan on droid4 where some devices would not connect at all because of internal pull being used with an external pull - Fix occasional missed wake-up events on droid4 modem uart" * tag 'arm-soc-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (51 commits) ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39 ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings arm64: defconfig: add MEDIA_PLATFORM_SUPPORT arm64: defconfig: ARCH_R8A7795: follow changed config symbol name arm64: defconfig: add DRM_DISPLAY_CONNECTOR arm64: defconfig: DRM_DUMB_VGA_DAC: follow changed config symbol name ARM: oxnas: make ox820_boot_secondary static ARM: dts: r8a7740: Add missing extal2 to CPG node ARM: dts: omap4-droid4: Fix occasional lost wakeirq for uart1 ARM: dts: omap4-droid4: Fix flakey wlan by disabling internal pull for gpio arm64: dts: allwinner: a64: Remove unused SPDIF sound card arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name arm64: dts: meson-g12: remove spurious blank line arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property arm64: dts: meson-g12-common: fix dwc2 clock names arm64: dts: meson-g12b-ugoos-am6: fix usb vbus-supply arm64: dts: freescale: imx8mp: update input_val for AUDIOMIX_BIT_STREAM ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi ... commit 3d1c1e5931ce45b3a3f309385bbc00c78e9951c6 Merge: cf0ca701a01c 394895539751 Author: Linus Torvalds Date: Sat May 16 13:24:41 2020 -0700 Merge tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block Pull block fix from Jens Axboe: "Just a single NVMe pull in here, with a single fix for a missing DMA read memory barrier for completions" * tag 'block-5.7-2020-05-16' of git://git.kernel.dk/linux-block: nvme-pci: dma read memory barrier for completions commit cf0ca701a01cf631333855831fe48b717ed1f20b Merge: 18e70f3a7651 dca4f40742e0 Author: Linus Torvalds Date: Sat May 16 13:20:50 2020 -0700 Merge tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl Pull pin control fixes from Linus Walleij: "A bunch of pin control fixes, some a bit overly ripe, sorry about that. We have important systems like Intel laptops and Qualcomm mobile chips covered. - Pad lock register on Intel Sunrisepoint had the wrong offset - Fix pin config setting for the Baytrail GPIO chip - Fix a compilation warning in the Mediatek driver - Fix a function group name in the Actions driver - Fix a behaviour bug in the edge polarity code in the Qualcomm driver - Add a missing spinlock in the Intel Cherryview driver - Add affinity callbacks to the Qualcomm MSMGPIO chip" * tag 'pinctrl-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl: pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler pinctrl: qcom: fix wrong write in update_dual_edge pinctrl: actions: fix function group name for i2c0_group pinctrl: mediatek: remove shadow variable declaration pinctrl: baytrail: Enable pin configuration setting for GPIO chip pinctrl: sunrisepoint: Fix PAD lock register offset for SPT-H commit 18e70f3a7651b420bf5d8ce0a3fd3d1cd9e5b689 Merge: 12bf0b632ed0 9d9e88a24c1f Author: Linus Torvalds Date: Sat May 16 13:17:41 2020 -0700 Merge tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: "Two small fixes that should go into this release: - Check and handle zero length splice (Pavel) - Fix a regression in this merge window for fixed files used with polled block IO" * tag 'io_uring-5.7-2020-05-15' of git://git.kernel.dk/linux-block: io_uring: polled fixed file must go through free iteration io_uring: fix zero len do_splice() commit 34c4e4072603ff5c174df73b973896abb76cbb51 Author: Dennis YC Hsieh Date: Sun Mar 8 18:52:47 2020 +0800 soc: mediatek: cmdq: return send msg error code Return error code to client if send message fail, so that client has chance to error handling. Fixes: 576f1b4bc802 ("soc: mediatek: Add Mediatek CMDQ helper") Signed-off-by: Dennis YC Hsieh Reviewed-by: CK Hu Link: https://lore.kernel.org/r/1583664775-19382-6-git-send-email-dennis-yc.hsieh@mediatek.com Signed-off-by: Matthias Brugger commit 3948955397511ad5b68dc65fa11fad941d71d307 Merge: 59c7c3caaaf8 b69e2ef24b7b Author: Jens Axboe Date: Sat May 16 09:25:34 2020 -0600 Merge branch 'nvme-5.7' of git://git.infradead.org/nvme into block-5.7 Pull NVMe fix from Christoph. * 'nvme-5.7' of git://git.infradead.org/nvme: nvme-pci: dma read memory barrier for completions commit 80542002ccd41f3703a9ae9e8e95cfbaad370db6 Author: Jason Yan Date: Thu May 7 19:07:14 2020 +0800 drm/vmwgfx: Return true in function vmw_fence_obj_signaled() Fix the following coccicheck warning: drivers/gpu/drm/vmwgfx/vmwgfx_fence.c:518:9-10: WARNING: return of 0/1 in function 'vmw_fence_obj_signaled' with return type bool Signed-off-by: Jason Yan Signed-off-by: Roland Scheidegger commit c594285f30fad8d5039d56ba2428c8a0816b5c7a Author: Colin Ian King Date: Sun Apr 5 13:13:47 2020 +0100 drm/vmwgfx: remove redundant assignment to variable ret The variable ret is being initialized with a value that is never read and it is being updated later with a new value. The initialization is redundant and can be removed. Addresses-Coverity: ("Unused value") Signed-off-by: Colin Ian King Signed-off-by: Roland Scheidegger commit bde26a79d14ca0851dcd80b5a7edbadb913997cd Author: Guixiong Wei Date: Sat Apr 25 00:14:39 2020 +1400 drm/vmwgfx: Fix parameter name in vmw_bo_init The parameter name should be interruptible instead of interuptable. Signed-off-by: Guixiong Wei Signed-off-by: Roland Scheidegger commit e913a9f5e5108b0524499dc175f184fd74d0fa64 Author: Roland Scheidegger Date: Tue May 12 02:27:43 2020 +0200 drm/vmwgfx: update MAINTAINERS entry Maintainer switch from Thomas Hellstrom to Roland Scheidegger Reviewed-by: Charmaine Lee Reviewed-by: Neha Bhende Acked-by: Thomas Hellstrom Signed-off-by: Roland Scheidegger commit d5fef88ccbd3a2d3674e6cc868804a519ef9e5b6 Merge: 495e135643b6 c8e233bfba3b Author: Arnd Bergmann Date: Fri May 15 23:14:36 2020 +0200 Merge tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into arm/fixes Renesas fixes for v5.7 (take two) - Fix a wrong clock configuration on R-Mobile A1, - Minor fixes that are fast-tracked to avoid introducing regressions during conversion of DT bindings to json-schema. * tag 'renesas-fixes-for-v5.7-tag2' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39 ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings ARM: dts: r8a7740: Add missing extal2 to CPG node Link: https://lore.kernel.org/r/20200515125043.22811-1-geert+renesas@glider.be Signed-off-by: Arnd Bergmann commit 495e135643b66111f28bd57823d3f986be710769 Merge: 39572dd33b78 29ee412bb709 Author: Arnd Bergmann Date: Fri May 15 23:13:45 2020 +0200 Merge tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux into arm/fixes Two fixes for the Allwinner SoCs, one to remove some inexistant sound card on the A64, and one to fix the audio codec regulator on the pinetab. * tag 'sunxi-fixes-for-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/sunxi/linux: arm64: dts: allwinner: a64: Remove unused SPDIF sound card arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name Link: https://lore.kernel.org/r/f7a98a47-316d-4b1a-b5a5-0e1e330d5f52.lettre@localhost Signed-off-by: Arnd Bergmann commit 12bf0b632ed090358cbf03e323e5342212d0b2e4 Merge: f85c1598ddfe 8eed292bc8cb Author: Linus Torvalds Date: Fri May 15 14:03:13 2020 -0700 Merge tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs Pull NFS client bugfixes from Trond Myklebust: "Highlights include: Stable fixes: - nfs: fix NULL deference in nfs4_get_valid_delegation Bugfixes: - Fix corruption of the return value in cachefiles_read_or_alloc_pages() - Fix several fscache cookie issues - Fix a fscache queuing race that can trigger a BUG_ON - NFS: Fix two use-after-free regressions due to the RPC_TASK_CRED_NOREF flag - SUNRPC: Fix a use-after-free regression in rpc_free_client_work() - SUNRPC: Fix a race when tearing down the rpc client debugfs directory - SUNRPC: Signalled ASYNC tasks need to exit - NFSv3: fix rpc receive buffer size for MOUNT call" * tag 'nfs-for-5.7-5' of git://git.linux-nfs.org/projects/trondmy/linux-nfs: NFSv3: fix rpc receive buffer size for MOUNT call SUNRPC: 'Directory with parent 'rpc_clnt' already present!' NFS/pnfs: Don't use RPC_TASK_CRED_NOREF with pnfs NFS: Don't use RPC_TASK_CRED_NOREF with delegreturn SUNRPC: Signalled ASYNC tasks need to exit nfs: fix NULL deference in nfs4_get_valid_delegation SUNRPC: fix use-after-free in rpc_free_client_work() cachefiles: Fix race between read_waiter and read_copier involving op->to_do NFSv4: Fix fscache cookie aux_data to ensure change_attr is included NFS: Fix fscache super_cookie allocation NFS: Fix fscache super_cookie index_key from changing after umount cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages() commit f85c1598ddfe83f61d0656bd1d2025fa3b148b99 Merge: d5dfe4f1b44e 8e1381049ed5 Author: Linus Torvalds Date: Fri May 15 13:10:06 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: 1) Fix sk_psock reference count leak on receive, from Xiyu Yang. 2) CONFIG_HNS should be invisible, from Geert Uytterhoeven. 3) Don't allow locking route MTUs in ipv6, RFCs actually forbid this, from Maciej Żenczykowski. 4) ipv4 route redirect backoff wasn't actually enforced, from Paolo Abeni. 5) Fix netprio cgroup v2 leak, from Zefan Li. 6) Fix infinite loop on rmmod in conntrack, from Florian Westphal. 7) Fix tcp SO_RCVLOWAT hangs, from Eric Dumazet. 8) Various bpf probe handling fixes, from Daniel Borkmann. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (68 commits) selftests: mptcp: pm: rm the right tmp file dpaa2-eth: properly handle buffer size restrictions bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range bpf: Restrict bpf_probe_read{, str}() only to archs where they work MAINTAINERS: Mark networking drivers as Maintained. ipmr: Add lockdep expression to ipmr_for_each_table macro ipmr: Fix RCU list debugging warning drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810 tcp: fix error recovery in tcp_zerocopy_receive() MAINTAINERS: Add Jakub to networking drivers. MAINTAINERS: another add of Karsten Graul for S390 networking drivers: ipa: fix typos for ipa_smp2p structure doc pppoe: only process PADT targeted at local interfaces selftests/bpf: Enforce returning 0 for fentry/fexit programs bpf: Enforce returning 0 for fentry/fexit progs net: stmmac: fix num_por initialization security: Fix the default value of secid_to_secctx hook libbpf: Fix register naming in PT_REGS s390 macros ... commit d5dfe4f1b44ed532653c2335267ad9599c8a698e Merge: ce24729667cf ccfdbaa5cf46 Author: Linus Torvalds Date: Fri May 15 13:06:56 2020 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma Pull rdma fixes from Jason Gunthorpe: "A few minor bug fixes for user visible defects, and one regression: - Various bugs from static checkers and syzkaller - Add missing error checking in mlx4 - Prevent RTNL lock recursion in i40iw - Fix segfault in cxgb4 in peer abort cases - Fix a regression added in 5.7 where the IB_EVENT_DEVICE_FATAL could be lost, and wasn't delivered to all the FDs" * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma: RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event RDMA/iw_cxgb4: Fix incorrect function parameters RDMA/core: Fix double put of resource IB/core: Fix potential NULL pointer dereference in pkey cache IB/hfi1: Fix another case where pq is left on waitlist IB/i40iw: Remove bogus call to netdev_master_upper_dev_get() IB/mlx4: Test return value of calls to ib_get_cached_pkey RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info() i40iw: Fix error handling in i40iw_manage_arp_cache() commit ce24729667cf8aaebf290613a6026a50a22c3eee Merge: 67e45621af06 851c4df54dc1 Author: Linus Torvalds Date: Fri May 15 12:57:50 2020 -0700 Merge tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kselftest fixes from Shuah Khan: - lkdtm runner fixes to prevent dmesg clearing and shellcheck errors - ftrace test handling when test module doesn't exist - nsfs test fix to replace zero-length array with flexible-array - dmabuf-heaps test fix to return clear error value * tag 'linux-kselftest-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests/lkdtm: Use grep -E instead of egrep selftests/lkdtm: Don't clear dmesg when running tests selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist tools/testing: Replace zero-length array with flexible-array kselftests: dmabuf-heaps: Fix confused return value on expected error testing commit 67e45621af060a2de53a1ba24d052bd33c3acaa3 Merge: 01d8a7480304 ed1ed4c0da54 Author: Linus Torvalds Date: Fri May 15 12:47:15 2020 -0700 Merge tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "A handful of build fixes, all found by Huawei's autobuilder. None of these patches should have any functional impact on kernels that build, and they're mostly related to various features intermingling with !MMU. While some of these might be better hoisted to generic code, it seems better to have the simple fixes in the meanwhile. As far as I know these are the only outstanding patches for 5.7" * tag 'riscv-for-linus-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id' riscv: pgtable: Fix __kernel_map_pages build error if NOMMU riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU riscv: stacktrace: Fix undefined reference to `walk_stackframe' riscv: Fix unmet direct dependencies built based on SOC_VIRT riscv: perf: RISCV_BASE_PMU should be independent riscv: perf_event: Make some funciton static commit 01d8a7480304a2f0e196459eb4061e171d9e9922 Merge: 051e6b7e34b9 d51c214541c5 Author: Linus Torvalds Date: Fri May 15 11:08:46 2020 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Fix flush_icache_range() second argument in machine_kexec() to be an address rather than size" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: fix the flush_icache_range arguments in machine_kexec commit 8e1381049ed5d213e7a1a7f95bbff83af8c59234 Merge: 9a2dbb59ebd1 59df9f1fb497 Author: David S. Miller Date: Fri May 15 10:57:21 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Alexei Starovoitov says: ==================== pull-request: bpf 2020-05-15 The following pull-request contains BPF updates for your *net* tree. We've added 9 non-merge commits during the last 2 day(s) which contain a total of 14 files changed, 137 insertions(+), 43 deletions(-). The main changes are: 1) Fix secid_to_secctx LSM hook default value, from Anders. 2) Fix bug in mmap of bpf array, from Andrii. 3) Restrict bpf_probe_read to archs where they work, from Daniel. 4) Enforce returning 0 for fentry/fexit progs, from Yonghong. ==================== Signed-off-by: David S. Miller commit c4e0e4ab4cf3ec2b3f0b628ead108d677644ebd9 Author: Jim Mattson Date: Mon May 11 15:56:16 2020 -0700 KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Bank_num is a one-based count of banks, not a zero-based index. It overflows the allocated space only when strictly greater than KVM_MAX_MCE_BANKS. Fixes: a9e38c3e01ad ("KVM: x86: Catch potential overrun in MCE setup") Signed-off-by: Jue Wang Signed-off-by: Jim Mattson Reviewed-by: Peter Shier Message-Id: <20200511225616.19557-1-jmattson@google.com> Reviewed-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini commit f6bfd9c8ffc2d2844042c1c78d8bdca668eea6d5 Merge: 2673cb684972 37486135d3a7 Author: Paolo Bonzini Date: Fri May 15 13:47:57 2020 -0400 Merge branch 'kvm-amd-fixes' into HEAD This topic branch will be included in both kvm/master and kvm/next (for 5.8) in order to simplify testing of kvm/next. commit 9a2dbb59ebd17a91f99a20b0286dfb6445981ecf Author: Matthieu Baerts Date: Fri May 15 17:54:41 2020 +0200 selftests: mptcp: pm: rm the right tmp file "$err" is a variable pointing to a temp file. "$out" is not: only used as a local variable in "check()" and representing the output of a command line. Fixes: eedbc685321b (selftests: add PM netlink functional tests) Signed-off-by: Matthieu Baerts Signed-off-by: David S. Miller commit efa6a7d07523ffbbf6503c1a7eeb52201c15c0e3 Author: Ioana Ciornei Date: Fri May 15 15:30:22 2020 +0300 dpaa2-eth: properly handle buffer size restrictions Depending on the WRIOP version, the buffer size on the RX path must by a multiple of 64 or 256. Handle this restriction properly by aligning down the buffer size to the necessary value. Also, use the new buffer size dynamically computed instead of the compile time one. Fixes: 27c874867c4e ("dpaa2-eth: Use a single page per Rx buffer") Signed-off-by: Ioana Ciornei Signed-off-by: David S. Miller commit 051e6b7e34b9bd24f46725f74994a4d3a653966e Merge: 1742bcd0cb30 333e22db228f Author: Linus Torvalds Date: Fri May 15 10:14:05 2020 -0700 Merge tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging Pull hwmon fixes from Guenter Roeck: - Fix ADC access synchronization problem with da9052 driver - Fix temperature limit and status reporting in nct7904 driver - Fix drivetemp temperature reporting if SCT is supported but SCT data tables are not. * tag 'hwmon-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging: hwmon: (da9052) Synchronize access with mfd hwmon: (nct7904) Fix incorrect range of temperature limit registers hwmon: (nct7904) Read all SMI status registers in probe function hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported commit 1742bcd0cb3047d86e9d17d07fd46710c7ffad1e Merge: e7cea7905815 b590b38ca305 Author: Linus Torvalds Date: Fri May 15 10:06:49 2020 -0700 Merge tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound Pull sound fixes from Takashi Iwai: "Things look good and calming down; the only change to ALSA core is the fix for racy rawmidi buffer accesses spotted by syzkaller, and the rest are all small device-specific quirks for HD-audio and USB-audio devices" * tag 'sound-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 ALSA: hda/realtek: Add quirk for Samsung Notebook ALSA: rawmidi: Fix racy buffer resize under concurrent accesses ALSA: usb-audio: add mapping for ASRock TRX40 Creator ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse Revert "ALSA: hda/realtek: Fix pop noise on ALC225" ALSA: firewire-lib: fix 'function sizeof not defined' error of tracepoints format ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset commit e7cea7905815ac938e6e90b0cb6b91bcd22f6a15 Merge: 1ae7efb38854 1d2a1eb13610 Author: Linus Torvalds Date: Fri May 15 09:59:49 2020 -0700 Merge tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "As mentioned last week an i915 PR came in late, but I left it, so the i915 bits of this cover 2 weeks, which is why it's likely a bit larger than usual. Otherwise it's mostly amdgpu fixes, one tegra fix, one meson fix. i915: - Handle idling during i915_gem_evict_something busy loops (Chris) - Mark current submissions with a weak-dependency (Chris) - Propagate error from completed fences (Chris) - Fixes on execlist to avoid GPU hang situation (Chris) - Fixes couple deadlocks (Chris) - Timeslice preemption fixes (Chris) - Fix Display Port interrupt handling on Tiger Lake (Imre) - Reduce debug noise around Frame Buffer Compression (Peter) - Fix logic around IPC W/a for Coffee Lake and Kaby Lake (Sultan) - Avoid dereferencing a dead context (Chris) tegra: - tegra120/4 smmu fixes amdgpu: - Clockgating fixes - Fix fbdev with scatter/gather display - S4 fix for navi - Soft recovery for gfx10 - Freesync fixes - Atomic check cursor fix - Add a gfxoff quirk - MST fix amdkfd: - Fix GEM reference counting meson: - error code propogation fix" * tag 'drm-fixes-2020-05-15' of git://anongit.freedesktop.org/drm/drm: (29 commits) drm/i915: Handle idling during i915_gem_evict_something busy loops drm/meson: pm resume add return errno branch drm/amd/amdgpu: Update update_config() logic drm/amd/amdgpu: add raven1 part to the gfxoff quirk list drm/i915: Mark concurrent submissions with a weak-dependency drm/i915: Propagate error from completed fences drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance. drm/amd/display: add basic atomic check for cursor plane drm/amd/display: Fix vblank and pageflip event handling for FreeSync drm/amdgpu: implement soft_recovery for gfx10 drm/amdgpu: enable hibernate support on Navi1X drm/amdgpu: Use GEM obj reference for KFD BOs drm/amdgpu: force fbdev into vram drm/amd/powerplay: perform PG ungate prior to CG ungate drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate drm/amdgpu: disable MGCG/MGLS also on gfx CG ungate drm/i915/execlists: Track inflight CCID drm/i915/execlists: Avoid reusing the same logical CCID drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane ... commit 1b0be99f1a426d9f17ced95c4118c6641a2ff13d Author: Michael S. Tsirkin Date: Fri May 15 11:29:53 2020 -0400 vhost: missing __user tags sparse warns about converting void * to void __user *. This is not new but only got noticed now that vhost is built on more systems. This is just a question of __user tags missing in a couple of places, so fix it up. Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache") Reported-by: kbuild test robot Signed-off-by: Michael S. Tsirkin commit 3b1f6c5e4dfaf767f6f2f120cd93b347b5a9f1aa Author: Hsin-Yi Wang Date: Mon May 4 20:44:43 2020 +0800 arm64: dts: mt8173: fix vcodec-enc clock Fix the assigned-clock-parents to higher frequency clock to avoid h264 encode timeout: [ 134.763465] mtk_vpu 10020000.vpu: vpu ipi 4 ack time out ! [ 134.769008] [MTK_VCODEC][ERROR][18]: vpu_enc_send_msg() vpu_ipi_send msg_id c002 len 32 fail -5 [ 134.777707] [MTK_VCODEC][ERROR][18]: vpu_enc_encode() AP_IPIMSG_ENC_ENCODE 0 fail venc_sel is the clock used by h264 encoder, and venclt_sel is the clock used by vp8 encoder. Assign venc_sel to vcodecpll_ck and venclt_sel to vcodecpll_370p5. vcodecpll 1482000000 vcodecpll_ck 494000000 venc_sel 494000000 ... vcodecpll_370p5 370500000 venclt_sel 370500000 Fixes: fbbad0287cec ("arm64: dts: Using standard CCF interface to set vcodec clk") Signed-off-by: Hsin-Yi Wang Link: https://lore.kernel.org/r/20200504124442.208004-1-hsinyi@chromium.org Signed-off-by: Matthias Brugger commit 59df9f1fb4977b40cfad8d07b0d5baeb3a07e22c Merge: 6d74f64b922b b2a5212fb634 Author: Alexei Starovoitov Date: Fri May 15 08:10:36 2020 -0700 Merge branch 'restrict-bpf_probe_read' Daniel Borkmann says: ==================== Small set of fixes in order to restrict BPF helpers for tracing which are broken on archs with overlapping address ranges as per discussion in [0]. I've targetted this for -bpf tree so they can be routed as fixes. Thanks! v1 -> v2: - switch to reusable %pks, %pus format specifiers (Yonghong) - fixate %s on kernel_ds probing for archs with overlapping addr space [0] https://lore.kernel.org/bpf/CAHk-=wjJKo0GVixYLmqPn-Q22WFu0xHaBSjKEo7e7Yw72y5SPQ@mail.gmail.com/T/ ==================== Signed-off-by: Alexei Starovoitov commit b2a5212fb634561bb734c6356904e37f6665b955 Author: Daniel Borkmann Date: Fri May 15 12:11:18 2020 +0200 bpf: Restrict bpf_trace_printk()'s %s usage and add %pks, %pus specifier Usage of plain %s conversion specifier in bpf_trace_printk() suffers from the very same issue as bpf_probe_read{,str}() helpers, that is, it is broken on archs with overlapping address ranges. While the helpers have been addressed through work in 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers"), we need an option for bpf_trace_printk() as well to fix it. Similarly as with the helpers, force users to make an explicit choice by adding %pks and %pus specifier to bpf_trace_printk() which will then pick the corresponding strncpy_from_unsafe*() variant to perform the access under KERNEL_DS or USER_DS. The %pk* (kernel specifier) and %pu* (user specifier) can later also be extended for other objects aside strings that are probed and printed under tracing, and reused out of other facilities like bpf_seq_printf() or BTF based type printing. Existing behavior of %s for current users is still kept working for archs where it is not broken and therefore gated through CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE. For archs not having this property we fall-back to pick probing under KERNEL_DS as a sensible default. Fixes: 8d3b7dce8622 ("bpf: add support for %s specifier to bpf_trace_printk()") Reported-by: Linus Torvalds Reported-by: Christoph Hellwig Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Cc: Masami Hiramatsu Cc: Brendan Gregg Link: https://lore.kernel.org/bpf/20200515101118.6508-4-daniel@iogearbox.net commit 47cc0ed574abcbbde0cf143ddb21a0baed1aa2df Author: Daniel Borkmann Date: Fri May 15 12:11:17 2020 +0200 bpf: Add bpf_probe_read_{user, kernel}_str() to do_refine_retval_range Given bpf_probe_read{,str}() BPF helpers are now only available under CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE, we need to add the drop-in replacements of bpf_probe_read_{kernel,user}_str() to do_refine_retval_range() as well to avoid hitting the same issue as in 849fa50662fbc ("bpf/verifier: refine retval R0 state for bpf_get_stack helper"). Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200515101118.6508-3-daniel@iogearbox.net commit 0ebeea8ca8a4d1d453ad299aef0507dab04f6e8d Author: Daniel Borkmann Date: Fri May 15 12:11:16 2020 +0200 bpf: Restrict bpf_probe_read{, str}() only to archs where they work Given the legacy bpf_probe_read{,str}() BPF helpers are broken on archs with overlapping address ranges, we should really take the next step to disable them from BPF use there. To generally fix the situation, we've recently added new helper variants bpf_probe_read_{user,kernel}() and bpf_probe_read_{user,kernel}_str(). For details on them, see 6ae08ae3dea2 ("bpf: Add probe_read_{user, kernel} and probe_read_{user,kernel}_str helpers"). Given bpf_probe_read{,str}() have been around for ~5 years by now, there are plenty of users at least on x86 still relying on them today, so we cannot remove them entirely w/o breaking the BPF tracing ecosystem. However, their use should be restricted to archs with non-overlapping address ranges where they are working in their current form. Therefore, move this behind a CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE and have x86, arm64, arm select it (other archs supporting it can follow-up on it as well). For the remaining archs, they can workaround easily by relying on the feature probe from bpftool which spills out defines that can be used out of BPF C code to implement the drop-in replacement for old/new kernels via: bpftool feature probe macro Suggested-by: Linus Torvalds Signed-off-by: Daniel Borkmann Signed-off-by: Alexei Starovoitov Reviewed-by: Masami Hiramatsu Acked-by: Linus Torvalds Cc: Brendan Gregg Cc: Christoph Hellwig Link: https://lore.kernel.org/bpf/20200515101118.6508-2-daniel@iogearbox.net commit 1ea34b2988554af8a83a44a0a8e5aaa9e5a60c64 Author: Wei Yongjun Date: Sat May 9 07:56:54 2020 +0000 bus: mhi: core: Fix some error return code Fix to return negative error code from the error handling case instead of 0 in mhi_init_dev_ctxt() and mhi_driver_probe(). Fixes: 3000f85b8f47 ("bus: mhi: core: Add support for basic PM operations") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200509075654.175002-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman commit 133317479f0324f6faaf797c4f5f3e9b1b36ce35 Author: Wei Yongjun Date: Thu May 7 09:42:37 2020 +0000 ipack: tpci200: fix error return code in tpci200_register() Fix to return negative error code -ENOMEM from the ioremap() error handling case instead of 0, as done elsewhere in this function. Fixes: 43986798fd50 ("ipack: add error handling for ioremap_nocache") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Cc: stable Acked-by: Samuel Iglesias Gonsalvez Link: https://lore.kernel.org/r/20200507094237.13599-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman commit 0bedaa2d6a05b8a736339368b7f33aeeef128cfa Author: Calvin Johnson Date: Thu May 7 11:05:47 2020 +0530 coresight: cti: remove incorrect NULL return check fwnode_find_reference() doesn't return NULL and hence that check should be avoided. Signed-off-by: Calvin Johnson Reviewed-by: Mathieu Poirier Link: https://lore.kernel.org/r/20200507053547.13707-1-calvin.johnson@oss.nxp.com Signed-off-by: Greg Kroah-Hartman commit fc9c03ce30f79b71807961bfcb42be191af79873 Author: Alexander Usyskin Date: Wed May 13 01:31:40 2020 +0300 mei: release me_cl object reference Allow me_cl object to be freed by releasing the reference that was acquired by one of the search functions: __mei_me_cl_by_uuid_id() or __mei_me_cl_by_uuid() Cc: Reported-by: 亿一 Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20200512223140.32186-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit bcb392871813ef9e233645557d6dd85bb1a6f41a Merge: f0b9d875faa4 928edefbc18c Author: Greg Kroah-Hartman Date: Fri May 15 16:04:24 2020 +0200 Merge tag 'iio-fixes-for-5.7b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio into staging-linus Jonathan writes: iio-fixes-for-5.7b Second set of fixes for IIO in the 5.7 cycle. Usual mixed bag of breakage in new code and ancient bugs. ad2s1210 - Fix missing CS change needed to actually read anything. atlas-sensor - Avoid clashing scan index with the timestamp channel. sca3000 - Fix a randomly placed get_device in an error message print. st_lsm6dsx - Fix missing unlock in error path. stm32-adc - Fix which device is used to request DMA to ensure it's one that has actually been registered at point of use. stm32-dfsdm - Fix which device is used to request DMA to ensure it's one that has actually been registered at poitn of use. ti-ads8344 - Fix channel selection. vf610 dac - Fix some missing error handling code. * tag 'iio-fixes-for-5.7b' of https://git.kernel.org/pub/scm/linux/kernel/git/jic23/iio: iio: sca3000: Remove an erroneous 'get_device()' iio: adc: stm32-dfsdm: fix device used to request dma iio: adc: stm32-adc: fix device used to request dma iio: adc: ti-ads8344: Fix channel selection staging: iio: ad2s1210: Fix SPI reading iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' iio: imu: st_lsm6dsx: unlock on error in st_lsm6dsx_shub_write_raw() iio: chemical: atlas-sensor: correct DO-SM channels commit 15753588bcd4bbffae1cca33c8ced5722477fe1f Author: Kyungtae Kim Date: Sun May 10 05:43:34 2020 +0000 USB: gadget: fix illegal array access in binding with UDC FuzzUSB (a variant of syzkaller) found an illegal array access using an incorrect index while binding a gadget with UDC. Reference: https://www.spinics.net/lists/linux-usb/msg194331.html This bug occurs when a size variable used for a buffer is misused to access its strcpy-ed buffer. Given a buffer along with its size variable (taken from user input), from which, a new buffer is created using kstrdup(). Due to the original buffer containing 0 value in the middle, the size of the kstrdup-ed buffer becomes smaller than that of the original. So accessing the kstrdup-ed buffer with the same size variable triggers memory access violation. The fix makes sure no zero value in the buffer, by comparing the strlen() of the orignal buffer with the size variable, so that the access to the kstrdup-ed buffer is safe. BUG: KASAN: slab-out-of-bounds in gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 Read of size 1 at addr ffff88806a55dd7e by task syz-executor.0/17208 CPU: 2 PID: 17208 Comm: syz-executor.0 Not tainted 5.6.8 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xce/0x128 lib/dump_stack.c:118 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_load1_noabort+0x14/0x20 mm/kasan/generic_report.c:132 gadget_dev_desc_UDC_store+0x1ba/0x200 drivers/usb/gadget/configfs.c:266 flush_write_buffer fs/configfs/file.c:251 [inline] configfs_write_file+0x2f1/0x4c0 fs/configfs/file.c:283 __vfs_write+0x85/0x110 fs/read_write.c:494 vfs_write+0x1cd/0x510 fs/read_write.c:558 ksys_write+0x18a/0x220 fs/read_write.c:611 __do_sys_write fs/read_write.c:623 [inline] __se_sys_write fs/read_write.c:620 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:620 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Signed-off-by: Kyungtae Kim Reported-and-tested-by: Kyungtae Kim Cc: Felipe Balbi Cc: stable Link: https://lore.kernel.org/r/20200510054326.GA19198@pizza01 Signed-off-by: Greg Kroah-Hartman commit 76e1ef1d81a4129d7e2fb8c48c83b166d1c8e040 Author: Eugeniu Rosca Date: Fri May 15 00:02:46 2020 +0200 usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B On Tue, May 12, 2020 at 09:36:07PM +0800, Kai-Heng Feng wrote [1]: > This patch prevents my Raven Ridge xHCI from getting runtime suspend. The problem described in v5.6 commit 1208f9e1d758c9 ("USB: hub: Fix the broken detection of USB3 device in SMSC hub") applies solely to the USB5534B hub [2] present on the Kingfisher Infotainment Carrier Board, manufactured by Shimafuji Electric Inc [3]. Despite that, the aforementioned commit applied the quirk to _all_ hubs carrying vendor ID 0x424 (i.e. SMSC), of which there are more [4] than initially expected. Consequently, the quirk is now enabled on platforms carrying SMSC/Microchip hub models which potentially don't exhibit the original issue. To avoid reports like [1], further limit the quirk's scope to USB5534B [2], by employing both Vendor and Product ID checks. Tested on H3ULCB + Kingfisher rev. M05. [1] https://lore.kernel.org/linux-renesas-soc/73933975-6F0E-40F5-9584-D2B8F615C0F3@canonical.com/ [2] https://www.microchip.com/wwwproducts/en/USB5534B [3] http://www.shimafuji.co.jp/wp/wp-content/uploads/2018/08/SBEV-RCAR-KF-M06Board_HWSpecificationEN_Rev130.pdf [4] https://devicehunt.com/search/type/usb/vendor/0424/device/any Fixes: 1208f9e1d758c9 ("USB: hub: Fix the broken detection of USB3 device in SMSC hub") Cc: stable@vger.kernel.org # v4.14+ Cc: Alan Stern Cc: Hardik Gajjar Cc: linux-renesas-soc@vger.kernel.org Cc: linux-usb@vger.kernel.org Reported-by: Kai-Heng Feng Signed-off-by: Eugeniu Rosca Tested-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200514220246.13290-1-erosca@de.adit-jv.com Signed-off-by: Greg Kroah-Hartman commit 86e1cf7d17cc8f87fc050bd9d7917b2bc47acd45 Merge: a0e710a7def4 172b14b48ca1 Author: Greg Kroah-Hartman Date: Fri May 15 15:37:20 2020 +0200 Merge tag 'fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: USB: fixes for v5.7-rc6 The main part here are the important fixes for the raw-gadget before it becomes an ABI. We're adding support for stall/halt/wedge which is actually pretty important in many situations. There's also a NULL pointer deref fix. Apart from raw-gadget, I've included some recent sparse fixes to a few drivers. Signed-off-by: Felipe Balbi * tag 'fixes-for-v5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb: usb: cdns3: gadget: make a bunch of functions static usb: mtu3: constify struct debugfs_reg32 usb: gadget: udc: atmel: Make some symbols static usb: raw-gadget: fix null-ptr-deref when reenabling endpoints usb: raw-gadget: documentation updates usb: raw-gadget: support stalling/halting/wedging endpoints usb: raw-gadget: fix gadget endpoint selection usb: raw-gadget: improve uapi headers comments commit 17b4efdf4e4867079012a48ca10d965fe9d68822 Author: Sagar Shrikant Kadam Date: Sat May 9 03:24:12 2020 -0700 tty: serial: add missing spin_lock_init for SiFive serial console An uninitialised spin lock for sifive serial console raises a bad magic spin_lock error as reported and discussed here [1]. Initialising the spin lock resolves the issue. The fix is tested on HiFive Unleashed A00 board with Linux 5.7-rc4 and OpenSBI v0.7 [1] https://lore.kernel.org/linux-riscv/b9fe49483a903f404e7acc15a6efbef756db28ae.camel@wdc.com Fixes: 45c054d0815b ("tty: serial: add driver for the SiFive UART") Reported-by: Atish Patra Signed-off-by: Sagar Shrikant Kadam Reviewed-by: Palmer Dabbelt Acked-by: Palmer Dabbelt Cc: stable Link: https://lore.kernel.org/r/1589019852-21505-2-git-send-email-sagar.kadam@sifive.com Signed-off-by: Greg Kroah-Hartman commit a9a3ed1eff3601b63aea4fb462d8b3b92c7c1e7e Author: Borislav Petkov Date: Wed Apr 22 18:11:30 2020 +0200 x86: Fix early boot crash on gcc-10, third try ... or the odyssey of trying to disable the stack protector for the function which generates the stack canary value. The whole story started with Sergei reporting a boot crash with a kernel built with gcc-10: Kernel panic — not syncing: stack-protector: Kernel stack is corrupted in: start_secondary CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.6.0-rc5—00235—gfffb08b37df9 #139 Hardware name: Gigabyte Technology Co., Ltd. To be filled by O.E.M./H77M—D3H, BIOS F12 11/14/2013 Call Trace: dump_stack panic ? start_secondary __stack_chk_fail start_secondary secondary_startup_64 -—-[ end Kernel panic — not syncing: stack—protector: Kernel stack is corrupted in: start_secondary This happens because gcc-10 tail-call optimizes the last function call in start_secondary() - cpu_startup_entry() - and thus emits a stack canary check which fails because the canary value changes after the boot_init_stack_canary() call. To fix that, the initial attempt was to mark the one function which generates the stack canary with: __attribute__((optimize("-fno-stack-protector"))) ... start_secondary(void *unused) however, using the optimize attribute doesn't work cumulatively as the attribute does not add to but rather replaces previously supplied optimization options - roughly all -fxxx options. The key one among them being -fno-omit-frame-pointer and thus leading to not present frame pointer - frame pointer which the kernel needs. The next attempt to prevent compilers from tail-call optimizing the last function call cpu_startup_entry(), shy of carving out start_secondary() into a separate compilation unit and building it with -fno-stack-protector, was to add an empty asm(""). This current solution was short and sweet, and reportedly, is supported by both compilers but we didn't get very far this time: future (LTO?) optimization passes could potentially eliminate this, which leads us to the third attempt: having an actual memory barrier there which the compiler cannot ignore or move around etc. That should hold for a long time, but hey we said that about the other two solutions too so... Reported-by: Sergei Trofimovich Signed-off-by: Borislav Petkov Tested-by: Kalle Valo Cc: Link: https://lkml.kernel.org/r/20200314164451.346497-1-slyfox@gentoo.org commit efa7fb4c6c8e4171fd29a5935a9dc7a28e363278 Author: Qii Wang Date: Thu May 14 21:09:04 2020 +0800 MAINTAINERS: add maintainer for mediatek i2c controller driver Add Qii Wang as maintainer for mediatek i2c controller driver. Signed-off-by: Qii Wang Signed-off-by: Wolfram Sang commit 8695e0b1b964f6d7caee667f14dceb7e8a4a3b3c Author: Gustavo A. R. Silva Date: Thu May 7 13:53:29 2020 -0500 i2c: mux: Replace zero-length array with flexible-array The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] sizeof(flexible-array-member) triggers a warning because flexible array members have incomplete type[1]. There are some instances of code in which the sizeof operator is being incorrectly/erroneously applied to zero-length arrays and the result is zero. Such instances may be hiding some bugs. So, this work (flexible-array member conversions) will also help to get completely rid of those sorts of issues. This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Reviewed-by: Peter Rosin Signed-off-by: Wolfram Sang commit e9d1a0a41d4486955e96552293c1fcf1fce61602 Author: Christophe JAILLET Date: Wed May 6 21:21:00 2020 +0200 i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' A call to 'i2c_demux_deactivate_master()' is missing in the error handling path, as already done in the remove function. Fixes: 50a5ba876908 ("i2c: mux: demux-pinctrl: add driver") Signed-off-by: Christophe JAILLET Signed-off-by: Wolfram Sang commit 5d4c7977499a736f3f80826bdc9744344ad55589 Author: Atsushi Nemoto Date: Fri May 8 22:12:48 2020 +0900 i2c: altera: Fix race between xfer_msg and isr thread Use a mutex to protect access to idev->msg_len, idev->buf, etc. which are modified by both altr_i2c_xfer_msg() and altr_i2c_isr(). This is the minimal fix for easy backporting. A cleanup to remove the spinlock will be added later. Signed-off-by: Atsushi Nemoto Acked-by: Thor Thayer [wsa: updated commit message] Signed-off-by: Wolfram Sang commit ab7cf7e53ccf1fecec6b72d1a3a13ff88193b490 Author: Wolfram Sang Date: Sat May 2 16:26:49 2020 +0200 i2c: algo-pca: update contact email The 'pengutronix' address is defunct for years. Use the proper contact address. Signed-off-by: Wolfram Sang commit 7d66976fe7476d7c9eefae9815b5ce0c66e6f429 Author: Codrin Ciubotariu Date: Wed Apr 15 10:06:43 2020 +0300 i2c: at91: Fix pinmux after devm_gpiod_get() for bus recovery devm_gpiod_get() usually calls gpio_request_enable() for non-strict pinmux drivers. These puts the pins in GPIO mode, whithout notifying the pinctrl driver. At this point, the I2C bus no longer owns the pins. To mux the pins back to the I2C bus, we use the pinctrl driver to change the state of the pins to GPIO, before using devm_gpiod_get(). After the pins are received as GPIOs, we switch theer pinctrl state back to the default one, Fixes: d3d3fdcc4c90 ("i2c: at91: implement i2c bus recovery") Signed-off-by: Codrin Ciubotariu Acked-by: Ludovic Desroches Signed-off-by: Wolfram Sang commit c8e233bfba3b21cb6b9814b4bfe2502478c7b895 Author: Ricardo Cañuelo Date: Mon May 11 13:06:10 2020 +0200 ARM: dts: iwg20d-q7-dbcm-ca: Remove unneeded properties in hdmi@39 Remove the adi,input-style and adi,input-justification properties of hdmi@39 to make it compliant with the "adi,adv7511w" DT binding. Signed-off-by: Ricardo Cañuelo Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/20200511110611.3142-6-ricardo.canuelo@collabora.com Signed-off-by: Geert Uytterhoeven commit 572f36d4502b8df5bbe5732be3d008f6b9c872b2 Author: Ricardo Cañuelo Date: Mon May 11 13:06:07 2020 +0200 ARM: dts: renesas: Make hdmi encoder nodes compliant with DT bindings Small fixes to make these DTs compliant with the adi,adv7511w and adi,adv7513 bindings: r8a7745-iwg22d-sodimm-dbhd-ca.dts r8a7790-lager.dts r8a7790-stout.dts r8a7791-koelsch.dts r8a7791-porter.dts r8a7792-blanche.dts r8a7793-gose.dts r8a7794-silk.dts: Remove the adi,input-style and adi,input-justification properties. r8a7792-wheat.dts: Reorder the I2C slave addresses of hdmi@3d and hdmi@39 and remove the adi,input-style and adi,input-justification properties. Signed-off-by: Ricardo Cañuelo Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/20200511110611.3142-3-ricardo.canuelo@collabora.com Signed-off-by: Geert Uytterhoeven commit 72676ecfe1662ad5d0e7b456b45fbb2c7339964e Author: Ricardo Cañuelo Date: Mon May 11 13:06:06 2020 +0200 arm64: dts: renesas: Make hdmi encoder nodes compliant with DT bindings Small fixes to make these DTs compliant with the adi,adv7511w binding. r8a77970-eagle.dts, r8a77970-v3msk.dts, r8a77980-condor.dts, r8a77980-v3hsk.dts, r8a77990-ebisu.dts: Remove the adi,input-style and adi,input-justification properties. r8a77995-draak.dts: Reorder the I2C slave addresses of the hdmi-encoder@39 node and remove the adi,input-style and adi,input-justification properties. Signed-off-by: Ricardo Cañuelo Reviewed-by: Laurent Pinchart Link: https://lore.kernel.org/r/20200511110611.3142-2-ricardo.canuelo@collabora.com Signed-off-by: Geert Uytterhoeven commit 71c95825289f585014fe9741b051d32a7a916680 Author: Josh Poimboeuf Date: Thu May 14 15:31:10 2020 -0500 x86/unwind/orc: Fix error handling in __unwind_start() The unwind_state 'error' field is used to inform the reliable unwinding code that the stack trace can't be trusted. Set this field for all errors in __unwind_start(). Also, move the zeroing out of the unwind_state struct to before the ORC table initialization check, to prevent the caller from reading uninitialized data if the ORC table is corrupted. Fixes: af085d9084b4 ("stacktrace/x86: add function for detecting reliable stack traces") Fixes: d3a09104018c ("x86/unwinder/orc: Dont bail on stack overflow") Fixes: 98d0c8ebf77e ("x86/unwind/orc: Prevent unwinding before ORC initialization") Reported-by: Pavel Machek Signed-off-by: Josh Poimboeuf Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/d6ac7215a84ca92b895fdd2e1aa546729417e6e6.1589487277.git.jpoimboe@redhat.com commit 1d2a1eb13610a9c8ec95f6f1e02cef55000f28e3 Merge: 27db6f7b0a79 c54a8f1f3291 Author: Dave Airlie Date: Fri May 15 16:00:53 2020 +1000 Merge tag 'drm-misc-fixes-2020-05-14' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes Just one meson patch this time to propagate an error code Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200514073538.wvdtv5s2mt4wdrdj@gilmour.lan commit be4054b8b6671ebc977eb7774b8e889d2d05d3e3 Author: Peter Ujfalusi Date: Tue May 12 16:45:31 2020 +0300 dmaengine: ti: k3-udma: Fix TR mode flags for slave_sg and memcpy cppi5_tr_csf_set() clears previously set Configuration Specific Flags. Setting the EOP flag clears the SUPR_EVT flag for the last TR which is not desirable as we do not want to have events from the TR. Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200512134531.5742-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul commit ee63fab3ccf9795a8fb014415fefdaa74bb0ba46 Author: Rafał Hibner Date: Wed May 6 12:28:45 2020 +0200 dmaengine: zynqmp_dma: Move list_del inside zynqmp_dma_free_descriptor. List elements are not formally removed from list during zynqmp_dma_reset. Signed-off-by: Rafal Hibner Link: https://lore.kernel.org/r/20200506102844.2259-1-rafal.hibner@secom.com.pl Signed-off-by: Vinod Koul commit 27db6f7b0a79d71eb138683f808328593d8febb1 Merge: f59bcda88357 955da9d77435 Author: Dave Airlie Date: Fri May 15 12:28:46 2020 +1000 Merge tag 'drm-intel-fixes-2020-05-13-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Handle idling during i915_gem_evict_something busy loops (Chris) - Mark current submissions with a weak-dependency (Chris) - Propagate errror from completed fences (Chris) - Fixes on execlist to avoid GPU hang situation (Chris) - Fixes couple deadlocks (Chris) - Timeslice preemption fixes (Chris) - Fix Display Port interrupt handling on Tiger Lake (Imre) - Reduce debug noise around Frame Buffer Compression +(Peter) - Fix logic around IPC W/a for Coffee Lake and Kaby Lake +(Sultan) - Avoid dereferencing a dead context (Chris) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20200514040235.GA2164266@intel.com commit 207b584d0ab87e492412fcd69030e34873c7ed5e Author: David S. Miller Date: Thu May 14 18:04:41 2020 -0700 MAINTAINERS: Mark networking drivers as Maintained. Suggested-by: Andrew Lunn Signed-off-by: David S. Miller commit 7013908c2db285cd6b48fcd427a56354beac2233 Author: Amol Grover Date: Thu May 14 23:31:03 2020 +0530 ipmr: Add lockdep expression to ipmr_for_each_table macro During the initialization process, ipmr_new_table() is called to create new tables which in turn calls ipmr_get_table() which traverses net->ipv4.mr_tables without holding the writer lock. However, this is safe to do so as no tables exist at this time. Hence add a suitable lockdep expression to silence the following false-positive warning: ============================= WARNING: suspicious RCU usage 5.7.0-rc3-next-20200428-syzkaller #0 Not tainted ----------------------------- net/ipv4/ipmr.c:136 RCU-list traversed in non-reader section!! ipmr_get_table+0x130/0x160 net/ipv4/ipmr.c:136 ipmr_new_table net/ipv4/ipmr.c:403 [inline] ipmr_rules_init net/ipv4/ipmr.c:248 [inline] ipmr_net_init+0x133/0x430 net/ipv4/ipmr.c:3089 Fixes: f0ad0860d01e ("ipv4: ipmr: support multiple tables") Reported-by: syzbot+1519f497f2f9f08183c6@syzkaller.appspotmail.com Suggested-by: Jakub Kicinski Signed-off-by: Amol Grover Signed-off-by: David S. Miller commit a14fbcd4f157a5a97b6013289205559d246c5021 Author: Amol Grover Date: Thu May 14 23:31:02 2020 +0530 ipmr: Fix RCU list debugging warning ipmr_for_each_table() macro uses list_for_each_entry_rcu() for traversing outside of an RCU read side critical section but under the protection of rtnl_mutex. Hence, add the corresponding lockdep expression to silence the following false-positive warning at boot: [ 4.319347] ============================= [ 4.319349] WARNING: suspicious RCU usage [ 4.319351] 5.5.4-stable #17 Tainted: G E [ 4.319352] ----------------------------- [ 4.319354] net/ipv4/ipmr.c:1757 RCU-list traversed in non-reader section!! Fixes: f0ad0860d01e ("ipv4: ipmr: support multiple tables") Signed-off-by: Amol Grover Signed-off-by: David S. Miller commit 95f59bf88bb75281cc626e283ecefdd5d5641427 Author: Madhuparna Bhowmik Date: Thu May 14 19:41:15 2020 +0530 drivers: net: hamradio: Fix suspicious RCU usage warning in bpqether.c This patch fixes the following warning: ============================= WARNING: suspicious RCU usage 5.7.0-rc5-next-20200514-syzkaller #0 Not tainted ----------------------------- drivers/net/hamradio/bpqether.c:149 RCU-list traversed in non-reader section!! Since rtnl lock is held, pass this cond in list_for_each_entry_rcu(). Reported-by: syzbot+bb82cafc737c002d11ca@syzkaller.appspotmail.com Signed-off-by: Madhuparna Bhowmik Signed-off-by: David S. Miller commit cc8a677a76f419016b5e231207d09b073f9b1d3f Author: Kevin Lo Date: Thu May 14 08:57:33 2020 +0800 net: phy: broadcom: fix BCM54XX_SHD_SCR3_TRDDAPD value for BCM54810 Set the correct bit when checking for PHY_BRCM_DIS_TXCRXC_NOENRGY on the BCM54810 PHY. Fixes: 0ececcfc9267 ("net: phy: broadcom: Allow BCM54810 to use bcm54xx_adjust_rxrefclk()") Signed-off-by: Kevin Lo Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit f2e6b75f6ee82308ef7b00f29e71e5f1c6b3d52a Author: Bodo Stroesser Date: Wed May 13 17:34:43 2020 +0200 scsi: target: Put lun_ref at end of tmr processing Testing with Loopback I found that, after a Loopback LUN has executed a TMR, I can no longer unlink the LUN. The rm command hangs in transport_clear_lun_ref() at wait_for_completion(&lun->lun_shutdown_comp) The reason is, that transport_lun_remove_cmd() is not called at the end of target_tmr_work(). It seems, that in other fabrics this call happens implicitly when the fabric drivers call transport_generic_free_cmd() during their ->queue_tm_rsp(). Unfortunately Loopback seems to not comply to the common way of calling transport_generic_free_cmd() from ->queue_*(). Instead it calls transport_generic_free_cmd() from its ->check_stop_free() only. But the ->check_stop_free() is called by transport_cmd_check_stop_to_fabric() after it has reset the se_cmd->se_lun pointer. Therefore the following transport_generic_free_cmd() skips the transport_lun_remove_cmd(). So this patch re-adds the transport_lun_remove_cmd() at the end of target_tmr_work(), which was removed during commit 2c9fa49e100f ("scsi: target/core: Make ABORT and LUN RESET handling synchronous"). For fabrics using transport_generic_free_cmd() in the usual way the double call to transport_lun_remove_cmd() doesn't harm, as transport_lun_remove_cmd() checks for this situation and does not release lun_ref twice. Link: https://lore.kernel.org/r/20200513153443.3554-1-bstroesser@ts.fujitsu.com Fixes: 2c9fa49e100f ("scsi: target/core: Make ABORT and LUN RESET handling synchronous") Cc: stable@vger.kernel.org Tested-by: Bryant G. Ly Reviewed-by: Bart van Assche Signed-off-by: Bodo Stroesser Signed-off-by: Martin K. Petersen commit 8433856947217ebb5697a8ff9c4c9cad4639a2cf Author: Dan Carpenter Date: Tue May 12 16:19:17 2020 +0300 evm: Fix a small race in init_desc() The IS_ERR_OR_NULL() function has two conditions and if we got really unlucky we could hit a race where "ptr" started as an error pointer and then was set to NULL. Both conditions would be false even though the pointer at the end was NULL. This patch fixes the problem by ensuring that "*tfm" can only be NULL or valid. I have introduced a "tmp_tfm" variable to make that work. I also reversed a condition and pulled the code in one tab. Reported-by: Roberto Sassu Fixes: 53de3b080d5e ("evm: Check also if *tfm is an error pointer in init_desc()") Signed-off-by: Dan Carpenter Acked-by: Roberto Sassu Acked-by: Krzysztof Struczynski Signed-off-by: Mimi Zohar commit a48137996063d22ffba77e077425f49873856ca5 Author: Adam McCoy Date: Wed May 13 11:53:30 2020 +0000 cifs: fix leaked reference on requeued write Failed async writes that are requeued may not clean up a refcount on the file, which can result in a leaked open. This scenario arises very reliably when using persistent handles and a reconnect occurs while writing. cifs_writev_requeue only releases the reference if the write fails (rc != 0). The server->ops->async_writev operation will take its own reference, so the initial reference can always be released. Signed-off-by: Adam McCoy Signed-off-by: Steve French CC: Stable Reviewed-by: Pavel Shilovsky commit 8eed292bc8cbf737e46fb1c119d4c8f6dcb00650 Author: Olga Kornievskaia Date: Thu May 14 16:09:40 2020 -0400 NFSv3: fix rpc receive buffer size for MOUNT call Prior to commit e3d3ab64dd66 ("SUNRPC: Use au_rslack when computing reply buffer size"), there was enough slack in the reply buffer to commodate filehandles of size 60bytes. However, the real problem was that the reply buffer size for the MOUNT operation was not correctly calculated. Received buffer size used the filehandle size for NFSv2 (32bytes) which is much smaller than the allowed filehandle size for the v3 mounts. Fix the reply buffer size (decode arguments size) for the MNT command. Fixes: 2c94b8eca1a2 ("SUNRPC: Use au_rslack when computing reply buffer size") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust commit e776af608f692a7a647455106295fa34469e7475 Author: Eric Dumazet Date: Thu May 14 13:58:13 2020 -0700 tcp: fix error recovery in tcp_zerocopy_receive() If user provides wrong virtual address in TCP_ZEROCOPY_RECEIVE operation we want to return -EINVAL error. But depending on zc->recv_skip_hint content, we might return -EIO error if the socket has SOCK_DONE set. Make sure to return -EINVAL in this case. BUG: KMSAN: uninit-value in tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] BUG: KMSAN: uninit-value in do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 CPU: 1 PID: 625 Comm: syz-executor.0 Not tainted 5.7.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x220 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215 tcp_zerocopy_receive net/ipv4/tcp.c:1833 [inline] do_tcp_getsockopt+0x4494/0x6320 net/ipv4/tcp.c:3685 tcp_getsockopt+0xf8/0x1f0 net/ipv4/tcp.c:3728 sock_common_getsockopt+0x13f/0x180 net/core/sock.c:3131 __sys_getsockopt+0x533/0x7b0 net/socket.c:2177 __do_sys_getsockopt net/socket.c:2192 [inline] __se_sys_getsockopt+0xe1/0x100 net/socket.c:2189 __x64_sys_getsockopt+0x62/0x80 net/socket.c:2189 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:297 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45c829 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f1deeb72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000037 RAX: ffffffffffffffda RBX: 00000000004e01e0 RCX: 000000000045c829 RDX: 0000000000000023 RSI: 0000000000000006 RDI: 0000000000000009 RBP: 000000000078bf00 R08: 0000000020000200 R09: 0000000000000000 R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000001d8 R14: 00000000004d3038 R15: 00007f1deeb736d4 Local variable ----zc@do_tcp_getsockopt created at: do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 do_tcp_getsockopt+0x1a74/0x6320 net/ipv4/tcp.c:3670 Fixes: 05255b823a61 ("tcp: add TCP_ZEROCOPY_RECEIVE support for zerocopy receive") Signed-off-by: Eric Dumazet Reported-by: syzbot Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller commit 7915502377c54c9f58f6ac537bde0c2c342a6742 Author: Vineet Gupta Date: Tue May 5 12:19:22 2020 -0700 ARC: show_regs: avoid extra line of output Signed-off-by: Vineet Gupta commit 70b690547d5ea1a3d135a4cc39cd1e08246d0c3a Author: Philipp Rudo Date: Tue May 12 19:39:56 2020 +0200 s390/kexec_file: fix initrd location for kdump kernel initrd_start must not point at the location the initrd is loaded into the crashkernel memory but at the location it will be after the crashkernel memory is swapped with the memory at 0. Fixes: ee337f5469fd ("s390/kexec_file: Add crash support to image loader") Reported-by: Lianbo Jiang Signed-off-by: Philipp Rudo Tested-by: Lianbo Jiang Link: https://lore.kernel.org/r/20200512193956.15ae3f23@laptop2-ibm.local Signed-off-by: Christian Borntraeger Signed-off-by: Vasily Gorbik commit f058599e22d59e594e5aae1dc10560568d8f4a8b Author: Niklas Schnelle Date: Thu Mar 26 12:22:50 2020 +0100 s390/pci: Fix s390_mmio_read/write with MIO The s390_mmio_read/write syscalls are currently broken when running with MIO. The new pcistb_mio/pcstg_mio/pcilg_mio instructions are executed similiarly to normal load/store instructions and do address translation in the current address space. That means inside the kernel they are aware of mappings into kernel address space while outside the kernel they use user space mappings (usually created through mmap'ing a PCI device file). Now when existing user space applications use the s390_pci_mmio_write and s390_pci_mmio_read syscalls, they pass I/O addresses that are mapped into user space so as to be usable with the new instructions without needing a syscall. Accessing these addresses with the old instructions as done currently leads to a kernel panic. Also, for such a user space mapping there may not exist an equivalent kernel space mapping which means we can't just use the new instructions in kernel space. Instead of replicating user mappings in the kernel which then might collide with other mappings, we can conceptually execute the new instructions as if executed by the user space application using the secondary address space. This even allows us to directly store to the user pointer without the need for copy_to/from_user(). Cc: stable@vger.kernel.org Fixes: 71ba41c9b1d9 ("s390/pci: provide support for MIO instructions") Signed-off-by: Niklas Schnelle Reviewed-by: Sven Schnelle Signed-off-by: Vasily Gorbik commit 653d374771601a345296dd2904a10e6e479ad866 Author: Wolfram Sang Date: Thu Mar 26 22:09:58 2020 +0100 char: ipmi: convert to use i2c_new_client_device() Move away from the deprecated API. Signed-off-by: Wolfram Sang Message-Id: <20200326210958.13051-2-wsa+renesas@sang-engineering.com> Signed-off-by: Corey Minyard commit 933496e9cc02cda16ca8f0c38e56204376d6b0b2 Author: J. Bruce Fields Date: Wed May 13 18:38:40 2020 -0400 SUNRPC: 'Directory with parent 'rpc_clnt' already present!' Each rpc_client has a cl_clid which is allocated from a global ida, and a debugfs directory which is named after cl_clid. We're releasing the cl_clid before we free the debugfs directory named after it. As soon as the cl_clid is released, that value is available for another newly created client. That leaves a window where another client may attempt to create a new debugfs directory with the same name as the not-yet-deleted debugfs directory from the dying client. Symptoms are log messages like Directory 4 with parent 'rpc_clnt' already present! Fixes: 7c4310ff5642 "SUNRPC: defer slow parts of rpc_free_client() to a workqueue." Signed-off-by: J. Bruce Fields Signed-off-by: Trond Myklebust commit 1ae7efb388540adc1653a51a3bc3b2c9cef5ec1a Merge: decd6167bf4f 45a3fe3bf93b Author: Linus Torvalds Date: Thu May 14 13:24:23 2020 -0700 Merge tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc Pull MMC fixes from Ulf Hansson: "MMC core: - Fix a couple of quite severe issues for the CQE request path MMC host: - alcor: Fix a resource leak in the error path for ->probe() - sdhci-acpi: Fix the DMA support for the AMD eMMC v5.0 variant - sdhci-pci-gli: Fix system resume support for GL975x - sdhci-pci-gli: Fix reboot error for GL9750" * tag 'mmc-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc: mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040 mmc: block: Fix request completion in the CQE timeout path mmc: core: Fix recursive locking issue in CQE recovery path mmc: core: Check request type before completing the request mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10 mmc: alcor: Fix a resource leak in the error path for ->probe() mmc: sdhci-pci-gli: Fix no irq handler from suspend commit 1b54f4fa4dec26a0d3b885176ecc8d6d3ca7fd95 Merge: c9e2053d4b1c 340eaff65116 Author: David S. Miller Date: Thu May 14 13:15:02 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix gcc-10 compilation warning in nf_conntrack, from Arnd Bergmann. 2) Add NF_FLOW_HW_PENDING to avoid races between stats and deletion commands, from Paul Blakey. 3) Remove WQ_MEM_RECLAIM from the offload workqueue, from Roi Dayan. 4) Infinite loop when removing nf_conntrack module, from Florian Westphal. 5) Set NF_FLOW_TEARDOWN bit on expiration to avoid races when refreshing the timeout from the software path. 6) Missing nft_set_elem_expired() check in the rbtree, from Phil Sutter. ==================== Signed-off-by: David S. Miller commit c9e2053d4b1c634064bd3160689fe4ed52978d31 Author: David S. Miller Date: Thu May 14 13:13:07 2020 -0700 MAINTAINERS: Add Jakub to networking drivers. Signed-off-by: David S. Miller commit 865e525db666767eb7bbcfc7d4ce7326b2b19271 Author: Ursula Braun Date: Thu May 14 13:45:12 2020 +0200 MAINTAINERS: another add of Karsten Graul for S390 networking Complete adding of Karsten as maintainer for all S390 networking parts in the kernel. Cc: Julian Wiedmann Acked-by: Julian Wiedmann Signed-off-by: Ursula Braun Signed-off-by: David S. Miller commit 16bb1b505c3c6ec6c0ec5943cef67b23f228979a Author: Wang Wenhu Date: Thu May 14 04:02:22 2020 -0700 drivers: ipa: fix typos for ipa_smp2p structure doc Remove the duplicate "mutex", and change "Motex" to "Mutex". Also I recommend it's easier for understanding to make the "ready-interrupt" a bundle for it is a parallel description as "shutdown" which is appended after the slash. Signed-off-by: Wang Wenhu Cc: Alex Elder Signed-off-by: David S. Miller commit b8c158395119be62294da73646a3953c29ac974b Author: Guillaume Nault Date: Thu May 14 12:15:39 2020 +0200 pppoe: only process PADT targeted at local interfaces We don't want to disconnect a session because of a stray PADT arriving while the interface is in promiscuous mode. Furthermore, multicast and broadcast packets make no sense here, so only PACKET_HOST is accepted. Reported-by: David Balažic Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Guillaume Nault Signed-off-by: David S. Miller commit 6d74f64b922b8394dccc52576659cb0dc0a1da7b Author: Yonghong Song Date: Wed May 13 22:32:07 2020 -0700 selftests/bpf: Enforce returning 0 for fentry/fexit programs There are a few fentry/fexit programs returning non-0. The tests with these programs will break with the previous patch which enfoced return-0 rules. Fix them properly. Fixes: ac065870d928 ("selftests/bpf: Add BPF_PROG, BPF_KPROBE, and BPF_KRETPROBE macros") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200514053207.1298479-1-yhs@fb.com commit e92888c72fbdc6f9d07b3b0604c012e81d7c0da7 Author: Yonghong Song Date: Wed May 13 22:32:05 2020 -0700 bpf: Enforce returning 0 for fentry/fexit progs Currently, tracing/fentry and tracing/fexit prog return values are not enforced. In trampoline codes, the fentry/fexit prog return values are ignored. Let us enforce it to be 0 to avoid confusion and allows potential future extension. This patch also explicitly added return value checking for tracing/raw_tp, tracing/fmod_ret, and freplace programs such that these program return values can be anything. The purpose are two folds: 1. to make it explicit about return value expectations for these programs in verifier. 2. for tracing prog_type, if a future attach type is added, the default is -ENOTSUPP which will enforce to specify return value ranges explicitly. Fixes: fec56f5890d9 ("bpf: Introduce BPF trampoline") Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200514053206.1298415-1-yhs@fb.com commit fd4a5177382230d39e0d95632d98103fb2938383 Author: Vinod Koul Date: Thu May 14 11:58:36 2020 +0530 net: stmmac: fix num_por initialization Driver missed initializing num_por which is one of the por values that driver configures to hardware. In order to get these values, add a new structure ethqos_emac_driver_data which holds por and num_por values and populate that in driver probe. Fixes: a7c30e62d4b8 ("net: stmmac: Add driver for Qualcomm ethqos") Reported-by: Rahul Ankushrao Kawadgave Signed-off-by: Vinod Koul Reviewed-by: Amit Kucheria Signed-off-by: David S. Miller commit 625236ba3832ae947cb3ebb7acc1f30788b274ef Author: Anders Roxell Date: Tue May 12 19:46:07 2020 +0200 security: Fix the default value of secid_to_secctx hook security_secid_to_secctx is called by the bpf_lsm hook and a successful return value (i.e 0) implies that the parameter will be consumed by the LSM framework. The current behaviour return success when the pointer isn't initialized when CONFIG_BPF_LSM is enabled, with the default return from kernel/bpf/bpf_lsm.c. This is the internal error: [ 1229.341488][ T2659] usercopy: Kernel memory exposure attempt detected from null address (offset 0, size 280)! [ 1229.374977][ T2659] ------------[ cut here ]------------ [ 1229.376813][ T2659] kernel BUG at mm/usercopy.c:99! [ 1229.378398][ T2659] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 1229.380348][ T2659] Modules linked in: [ 1229.381654][ T2659] CPU: 0 PID: 2659 Comm: systemd-journal Tainted: G B W 5.7.0-rc5-next-20200511-00019-g864e0c6319b8-dirty #13 [ 1229.385429][ T2659] Hardware name: linux,dummy-virt (DT) [ 1229.387143][ T2659] pstate: 80400005 (Nzcv daif +PAN -UAO BTYPE=--) [ 1229.389165][ T2659] pc : usercopy_abort+0xc8/0xcc [ 1229.390705][ T2659] lr : usercopy_abort+0xc8/0xcc [ 1229.392225][ T2659] sp : ffff000064247450 [ 1229.393533][ T2659] x29: ffff000064247460 x28: 0000000000000000 [ 1229.395449][ T2659] x27: 0000000000000118 x26: 0000000000000000 [ 1229.397384][ T2659] x25: ffffa000127049e0 x24: ffffa000127049e0 [ 1229.399306][ T2659] x23: ffffa000127048e0 x22: ffffa000127048a0 [ 1229.401241][ T2659] x21: ffffa00012704b80 x20: ffffa000127049e0 [ 1229.403163][ T2659] x19: ffffa00012704820 x18: 0000000000000000 [ 1229.405094][ T2659] x17: 0000000000000000 x16: 0000000000000000 [ 1229.407008][ T2659] x15: 0000000000000000 x14: 003d090000000000 [ 1229.408942][ T2659] x13: ffff80000d5b25b2 x12: 1fffe0000d5b25b1 [ 1229.410859][ T2659] x11: 1fffe0000d5b25b1 x10: ffff80000d5b25b1 [ 1229.412791][ T2659] x9 : ffffa0001034bee0 x8 : ffff00006ad92d8f [ 1229.414707][ T2659] x7 : 0000000000000000 x6 : ffffa00015eacb20 [ 1229.416642][ T2659] x5 : ffff0000693c8040 x4 : 0000000000000000 [ 1229.418558][ T2659] x3 : ffffa0001034befc x2 : d57a7483a01c6300 [ 1229.420610][ T2659] x1 : 0000000000000000 x0 : 0000000000000059 [ 1229.422526][ T2659] Call trace: [ 1229.423631][ T2659] usercopy_abort+0xc8/0xcc [ 1229.425091][ T2659] __check_object_size+0xdc/0x7d4 [ 1229.426729][ T2659] put_cmsg+0xa30/0xa90 [ 1229.428132][ T2659] unix_dgram_recvmsg+0x80c/0x930 [ 1229.429731][ T2659] sock_recvmsg+0x9c/0xc0 [ 1229.431123][ T2659] ____sys_recvmsg+0x1cc/0x5f8 [ 1229.432663][ T2659] ___sys_recvmsg+0x100/0x160 [ 1229.434151][ T2659] __sys_recvmsg+0x110/0x1a8 [ 1229.435623][ T2659] __arm64_sys_recvmsg+0x58/0x70 [ 1229.437218][ T2659] el0_svc_common.constprop.1+0x29c/0x340 [ 1229.438994][ T2659] do_el0_svc+0xe8/0x108 [ 1229.440587][ T2659] el0_svc+0x74/0x88 [ 1229.441917][ T2659] el0_sync_handler+0xe4/0x8b4 [ 1229.443464][ T2659] el0_sync+0x17c/0x180 [ 1229.444920][ T2659] Code: aa1703e2 aa1603e1 910a8260 97ecc860 (d4210000) [ 1229.447070][ T2659] ---[ end trace 400497d91baeaf51 ]--- [ 1229.448791][ T2659] Kernel panic - not syncing: Fatal exception [ 1229.450692][ T2659] Kernel Offset: disabled [ 1229.452061][ T2659] CPU features: 0x240002,20002004 [ 1229.453647][ T2659] Memory Limit: none [ 1229.455015][ T2659] ---[ end Kernel panic - not syncing: Fatal exception ]--- Rework the so the default return value is -EOPNOTSUPP. There are likely other callbacks such as security_inode_getsecctx() that may have the same problem, and that someone that understand the code better needs to audit them. Thank you Arnd for helping me figure out what went wrong. Fixes: 98e828a0650f ("security: Refactor declaration of LSM hooks") Signed-off-by: Anders Roxell Signed-off-by: Alexei Starovoitov Acked-by: James Morris Cc: Arnd Bergmann Link: https://lore.kernel.org/bpf/20200512174607.9630-1-anders.roxell@linaro.org commit 516d8d497c017a6820019c76acbb7912a24ec57b Author: Sumanth Korikkar Date: Wed May 13 17:44:14 2020 +0200 libbpf: Fix register naming in PT_REGS s390 macros Fix register naming in PT_REGS s390 macros Fixes: b8ebce86ffe6 ("libbpf: Provide CO-RE variants of PT_REGS macros") Signed-off-by: Sumanth Korikkar Signed-off-by: Alexei Starovoitov Reviewed-by: Julian Wiedmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200513154414.29972-1-sumanthk@linux.ibm.com commit 333291ce5055f2039afc907badaf5b66bc1adfdc Author: Andrii Nakryiko Date: Tue May 12 16:59:25 2020 -0700 bpf: Fix bug in mmap() implementation for BPF array map mmap() subsystem allows user-space application to memory-map region with initial page offset. This wasn't taken into account in initial implementation of BPF array memory-mapping. This would result in wrong pages, not taking into account requested page shift, being memory-mmaped into user-space. This patch fixes this gap and adds a test for such scenario. Fixes: fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200512235925.3817805-1-andriin@fb.com commit 23ad04669f81f958e9a4121b0266228d2eb3c357 Author: Matteo Croce Date: Mon May 11 13:32:34 2020 +0200 samples: bpf: Fix build error GCC 10 is very strict about symbol clash, and lwt_len_hist_user contains a symbol which clashes with libbpf: /usr/bin/ld: samples/bpf/lwt_len_hist_user.o:(.bss+0x0): multiple definition of `bpf_log_buf'; samples/bpf/bpf_load.o:(.bss+0x8c0): first defined here collect2: error: ld returned 1 exit status bpf_log_buf here seems to be a leftover, so removing it. Signed-off-by: Matteo Croce Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200511113234.80722-1-mcroce@redhat.com commit decd6167bf4f6bec1284006d0522381b44660df3 Merge: 8c1684bb81f1 13cf04880235 Author: Linus Torvalds Date: Thu May 14 12:26:55 2020 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "7 fixes" * emailed patches from Andrew Morton : kasan: add missing functions declarations to kasan.h kasan: consistently disable debugging features ipc/util.c: sysvipc_find_ipc() incorrectly updates position index userfaultfd: fix remap event with MREMAP_DONTUNMAP mm/gup: fix fixup_user_fault() on multiple retries epoll: call final ep_events_available() check under the lock mm, memcg: fix inconsistent oom event behavior commit 8c1684bb81f173543599f1848c29a2a3b1ee5907 Merge: f44d5c489051 3f2c788a1314 Author: Linus Torvalds Date: Thu May 14 11:52:28 2020 -0700 Merge tag 'for-linus-2020-05-13' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux Pull thread fix from Christian Brauner: "This contains a single fix for all exported legacy fork helpers to block accidental access to clone3() features in the upper 32 bits of their respective flags arguments. I got Cced on a glibc issue where someone reported consistent failures for the legacy clone() syscall on ppc64le when sign extension was performed (since the clone() syscall in glibc exposes the flags argument as an int whereas the kernel uses unsigned long). The legacy clone() syscall is odd in a bunch of ways and here two things interact: - First, legacy clone's flag argument is word-size dependent, i.e. it's an unsigned long whereas most system calls with flag arguments use int or unsigned int. - Second, legacy clone() ignores unknown and deprecated flags. The two of them taken together means that users on 64bit systems can pass garbage for the upper 32bit of the clone() syscall since forever and things would just work fine. The following program compiled on a 64bit kernel prior to v5.7-rc1 will succeed and will fail post v5.7-rc1 with EBADF: int main(int argc, char *argv[]) { pid_t pid; /* Note that legacy clone() has different argument ordering on * different architectures so this won't work everywhere. * * Only set the upper 32 bits. */ pid = syscall(__NR_clone, 0xffffffff00000000 | SIGCHLD, NULL, NULL, NULL, NULL); if (pid < 0) exit(EXIT_FAILURE); if (pid == 0) exit(EXIT_SUCCESS); if (wait(NULL) != pid) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); } Since legacy clone() couldn't be extended this was not a problem so far and nobody really noticed or cared since nothing in the kernel ever bothered to look at the upper 32 bits. But once we introduced clone3() and expanded the flag argument in struct clone_args to 64 bit we opened this can of worms. With the first flag-based extension to clone3() making use of the upper 32 bits of the flag argument we've effectively made it possible for the legacy clone() syscall to reach clone3() only flags on accident. The sign extension scenario is just the odd corner-case that we needed to figure this out. The reason we just realized this now and not already when we introduced CLONE_CLEAR_SIGHAND was that CLONE_INTO_CGROUP assumes that a valid cgroup file descriptor has been given - whereas CLONE_CLEAR_SIGHAND doesn't need to verify anything. It just silently resets the signal handlers to SIG_DFL. So the sign extension (or the user accidently passing garbage for the upper 32 bits) caused the CLONE_INTO_CGROUP bit to be raised and the kernel to error out when it didn't find a valid cgroup file descriptor. Note, I'm also capping kernel_thread()'s flag argument mainly because none of the new features make sense for kernel_thread() and we shouldn't risk them being accidently activated however unlikely. If we wanted to, we could even make kernel_thread() yell when an unknown flag has been set which it doesn't do right now. But it's not worth risking this in a bugfix imho" * tag 'for-linus-2020-05-13' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux: fork: prevent accidental access to clone3 features commit f44d5c489051c2127189abb25d3d1625d9564c2d Merge: f492de9dcf04 da4d401a6b8f Author: Linus Torvalds Date: Thu May 14 11:46:52 2020 -0700 Merge tag 'trace-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull more tracing fixes from Steven Rostedt: "Various tracing fixes: - Fix a crash when having function tracing and function stack tracing on the command line. The ftrace trampolines are created as executable and read only. But the stack tracer tries to modify them with text_poke() which expects all kernel text to still be writable at boot. Keep the trampolines writable at boot, and convert them to read-only with the rest of the kernel. - A selftest was triggering in the ring buffer iterator code, that is no longer valid with the update of keeping the ring buffer writable while a iterator is reading. Just bail after three failed attempts to get an event and remove the warning and disabling of the ring buffer. - While modifying the ring buffer code, decided to remove all the unnecessary BUG() calls" * tag 'trace-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: ring-buffer: Remove all BUG() calls ring-buffer: Don't deactivate the ring buffer on failed iterator reads x86/ftrace: Have ftrace trampolines turn read-only at the end of system boot up commit f492de9dcf04fde2b3671b9e188180fc684aa4e2 Merge: 24085f70a6e1 7b301750f7f8 Author: Linus Torvalds Date: Thu May 14 11:39:21 2020 -0700 Merge tag 'pm-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm Pull power management fix from Rafael Wysocki: "Prevent the suspend-to-idle internal loop from busy spinning after a spurious ACPI SCI wakeup in some cases" * tag 'pm-5.7-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake() commit 13cf04880235cd70d408d70426ada31408ded2ee Author: Andrey Konovalov Date: Wed May 13 17:50:54 2020 -0700 kasan: add missing functions declarations to kasan.h KASAN is currently missing declarations for __asan_report* and __hwasan* functions. This can lead to compiler warnings. Reported-by: Leon Romanovsky Reported-by: Randy Dunlap Signed-off-by: Andrey Konovalov Signed-off-by: Andrew Morton Tested-by: Leon Romanovsky Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Link: http://lkml.kernel.org/r/45b445a76a79208918f0cc44bfabebaea909b54d.1589297433.git.andreyknvl@google.com Signed-off-by: Linus Torvalds commit 8a16c09edc58982d56c49ab577fdcdf830fbc3a5 Author: Andrey Konovalov Date: Wed May 13 17:50:51 2020 -0700 kasan: consistently disable debugging features KASAN is incompatible with some kernel debugging/tracing features. There's been multiple patches that disable those feature for some of KASAN files one by one. Instead of prolonging that, disable these features for all KASAN files at once. Reported-by: Randy Dunlap Signed-off-by: Andrey Konovalov Signed-off-by: Andrew Morton Cc: Andrey Ryabinin Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Leon Romanovsky Link: http://lkml.kernel.org/r/29bd753d5ff5596425905b0b07f51153e2345cc1.1589297433.git.andreyknvl@google.com Signed-off-by: Linus Torvalds commit 5e698222c70257d13ae0816720dde57c56f81e15 Author: Vasily Averin Date: Wed May 13 17:50:48 2020 -0700 ipc/util.c: sysvipc_find_ipc() incorrectly updates position index Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") is causing this bug (seen on 5.6.8): # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages # ipcmk -Q Message queue id: 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 # ipcmk -Q Message queue id: 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcrm -q 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 2 # ipcrm -q 2 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 3 # ipcrm -q 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 Whenever an IPC item with a low id is deleted, the items with higher ids are duplicated, as if filling a hole. new_pos should jump through hole of unused ids, pos can be updated inside "for" cycle. Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") Reported-by: Andreas Schwab Reported-by: Randy Dunlap Signed-off-by: Vasily Averin Signed-off-by: Andrew Morton Acked-by: Waiman Long Cc: NeilBrown Cc: Steven Rostedt Cc: Ingo Molnar Cc: Peter Oberparleiter Cc: Davidlohr Bueso Cc: Manfred Spraul Cc: Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com Signed-off-by: Linus Torvalds commit d1564926066115fb47ca06b2b9d23ed506ca9608 Author: Brian Geffon Date: Wed May 13 17:50:44 2020 -0700 userfaultfd: fix remap event with MREMAP_DONTUNMAP A user is not required to set a new address when using MREMAP_DONTUNMAP as it can be used without MREMAP_FIXED. When doing so the remap event will use new_addr which may not have been set and we didn't propagate it back other then in the return value of remap_to. Because ret is always the new address it's probably more correct to use it rather than new_addr on the remap_event_complete call, and it resolves this bug. Fixes: e346b3813067d4b ("mm/mremap: add MREMAP_DONTUNMAP to mremap()") Reported-by: Randy Dunlap Signed-off-by: Brian Geffon Signed-off-by: Andrew Morton Cc: Lokesh Gidra Cc: Minchan Kim Cc: Kirill A. Shutemov Cc: Vlastimil Babka Cc: "Michael S . Tsirkin" Cc: Andrea Arcangeli Cc: Sonny Rao Cc: Joel Fernandes Link: http://lkml.kernel.org/r/20200506172158.218366-1-bgeffon@google.com Signed-off-by: Linus Torvalds commit 475f4dfc021c5fde69f3b7d3287bde0a50477b05 Author: Peter Xu Date: Wed May 13 17:50:41 2020 -0700 mm/gup: fix fixup_user_fault() on multiple retries This part was overlooked when reworking the gup code on multiple retries. When we get the 2nd+ retry, we'll be with TRIED flag set. Current code will bail out on the 2nd retry because the !TRIED check will fail so the retry logic will be skipped. What's worse is that, it will also return zero which errornously hints the caller that the page is faulted in while it's not. The !TRIED flag check seems to not be needed even before the mutliple retries change because if we get a VM_FAULT_RETRY, it must be the 1st retry, and we should not have TRIED set for that. Fix it by removing the !TRIED check, at the meantime check against fatal signals properly before the page fault so we can still properly respond to the user killing the process during retries. Fixes: 4426e945df58 ("mm/gup: allow VM_FAULT_RETRY for multiple times") Reported-by: Randy Dunlap Signed-off-by: Peter Xu Signed-off-by: Andrew Morton Cc: Alex Williamson Cc: Brian Geffon Link: http://lkml.kernel.org/r/20200502003523.8204-1-peterx@redhat.com Signed-off-by: Linus Torvalds commit 65759097d804d2a9ad2b687db436319704ba7019 Author: Roman Penyaev Date: Wed May 13 17:50:38 2020 -0700 epoll: call final ep_events_available() check under the lock There is a possible race when ep_scan_ready_list() leaves ->rdllist and ->obflist empty for a short period of time although some events are pending. It is quite likely that ep_events_available() observes empty lists and goes to sleep. Since commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") we are conservative in wakeups (there is only one place for wakeup and this is ep_poll_callback()), thus ep_events_available() must always observe correct state of two lists. The easiest and correct way is to do the final check under the lock. This does not impact the performance, since lock is taken anyway for adding a wait entry to the wait queue. The discussion of the problem can be found here: https://lore.kernel.org/linux-fsdevel/a2f22c3c-c25a-4bda-8339-a7bdaf17849e@akamai.com/ In this patch barrierless __set_current_state() is used. This is safe since waitqueue_active() is called under the same lock on wakeup side. Short-circuit for fatal signals (i.e. fatal_signal_pending() check) is moved to the line just before actual events harvesting routine. This is fully compliant to what is said in the comment of the patch where the actual fatal_signal_pending() check was added: c257a340ede0 ("fs, epoll: short circuit fetching events if thread has been killed"). Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") Reported-by: Jason Baron Reported-by: Randy Dunlap Signed-off-by: Roman Penyaev Signed-off-by: Andrew Morton Reviewed-by: Jason Baron Cc: Khazhismel Kumykov Cc: Alexander Viro Cc: Link: http://lkml.kernel.org/r/20200505145609.1865152-1-rpenyaev@suse.de Signed-off-by: Linus Torvalds commit 04fd61a4e01028210a91f0efc408c8bc61a3018c Author: Yafang Shao Date: Wed May 13 17:50:34 2020 -0700 mm, memcg: fix inconsistent oom event behavior A recent commit 9852ae3fe529 ("mm, memcg: consider subtrees in memory.events") changed the behavior of memcg events, which will now consider subtrees in memory.events. But oom_kill event is a special one as it is used in both cgroup1 and cgroup2. In cgroup1, it is displayed in memory.oom_control. The file memory.oom_control is in both root memcg and non root memcg, that is different with memory.event as it only in non-root memcg. That commit is okay for cgroup2, but it is not okay for cgroup1 as it will cause inconsistent behavior between root memcg and non-root memcg. Here's an example on why this behavior is inconsistent in cgroup1. root memcg / memcg foo / memcg bar Suppose there's an oom_kill in memcg bar, then the oon_kill will be root memcg : memory.oom_control(oom_kill) 0 / memcg foo : memory.oom_control(oom_kill) 1 / memcg bar : memory.oom_control(oom_kill) 1 For the non-root memcg, its memory.oom_control(oom_kill) includes its descendants' oom_kill, but for root memcg, it doesn't include its descendants' oom_kill. That means, memory.oom_control(oom_kill) has different meanings in different memcgs. That is inconsistent. Then the user has to know whether the memcg is root or not. If we can't fully support it in cgroup1, for example by adding memory.events.local into cgroup1 as well, then let's don't touch its original behavior. Fixes: 9852ae3fe529 ("mm, memcg: consider subtrees in memory.events") Reported-by: Randy Dunlap Signed-off-by: Yafang Shao Signed-off-by: Andrew Morton Reviewed-by: Shakeel Butt Acked-by: Johannes Weiner Acked-by: Chris Down Acked-by: Michal Hocko Cc: Link: http://lkml.kernel.org/r/20200502141055.7378-1-laoar.shao@gmail.com Signed-off-by: Linus Torvalds commit a0e710a7def471b8eb779ff551fc27701da49599 Author: Greg Kroah-Hartman Date: Thu May 14 13:27:11 2020 +0200 USB: usbfs: fix mmap dma mismatch In commit 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch") we switched from always calling remap_pfn_range() to call dma_mmap_coherent() to handle issues with systems with non-coherent USB host controller drivers. Unfortunatly, as syzbot quickly told us, not all the world is host controllers with DMA support, so we need to check what host controller we are attempting to talk to before doing this type of allocation. Thanks to Christoph for the quick idea of how to fix this. Fixes: 2bef9aed6f0e ("usb: usbfs: correct kernel->user page attribute mismatch") Cc: Christoph Hellwig Cc: Hillf Danton Cc: Thomas Gleixner Cc: Jeremy Linton Cc: stable Reported-by: syzbot+353be47c9ce21b68b7ed@syzkaller.appspotmail.com Reviewed-by: Jeremy Linton Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20200514112711.1858252-1-gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 51bb38cb78363fdad1f89e87357b7bc73e39ba88 Author: Al Viro Date: Tue Apr 7 02:40:11 2020 +0100 csky: Fixup raw_copy_from_user() If raw_copy_from_user(to, from, N) returns K, callers expect the first N - K bytes starting at to to have been replaced with the contents of corresponding area starting at from and the last K bytes of destination *left* *unmodified*. What arch/sky/lib/usercopy.c is doing is broken - it can lead to e.g. data corruption on write(2). raw_copy_to_user() is inaccurate about return value, which is a bug, but consequences are less drastic than for raw_copy_from_user(). And just what are those access_ok() doing in there? I mean, look into linux/uaccess.h; that's where we do that check (as well as zero tail on failure in the callers that need zeroing). AFAICS, all of that shouldn't be hard to fix; something like a patch below might make a useful starting point. I would suggest moving these macros into usercopy.c (they are never used anywhere else) and possibly expanding them there; if you leave them alive, please at least rename __copy_user_zeroing(). Again, it must not zero anything on failed read. Said that, I'm not sure we won't be better off simply turning usercopy.c into usercopy.S - all that is left there is a couple of functions, each consisting only of inline asm. Guo Ren reply: Yes, raw_copy_from_user is wrong, it's no need zeroing code. unsigned long _copy_from_user(void *to, const void __user *from, unsigned long n) { unsigned long res = n; might_fault(); if (likely(access_ok(from, n))) { kasan_check_write(to, n); res = raw_copy_from_user(to, from, n); } if (unlikely(res)) memset(to + (n - res), 0, res); return res; } EXPORT_SYMBOL(_copy_from_user); You are right and access_ok() should be removed. but, how about: do { ... "2: stw %3, (%1, 0) \n" \ + " subi %0, 4 \n" \ "9: stw %4, (%1, 4) \n" \ + " subi %0, 4 \n" \ "10: stw %5, (%1, 8) \n" \ + " subi %0, 4 \n" \ "11: stw %6, (%1, 12) \n" \ + " subi %0, 4 \n" \ " addi %2, 16 \n" \ " addi %1, 16 \n" \ Don't expand __ex_table AI Viro reply: Hey, I've no idea about the instruction scheduling on csky - if that doesn't slow the things down, all the better. It's just that copy_to_user() and friends are on fairly hot codepaths, and in quite a few situations they will dominate the speed of e.g. read(2). So I tried to keep the fast path unchanged. Up to the architecture maintainers, obviously. Which would be you... As for the fixups size increase (__ex_table size is unchanged)... You have each of those macros expanded exactly once. So the size is not a serious argument, IMO - useless complexity would be, if it is, in fact, useless; the size... not really, especially since those extra subi will at least offset it. Again, up to you - asm optimizations of (essentially) memcpy()-style loops are tricky and can depend upon the fairly subtle details of architecture. So even on something I know reasonably well I would resort to direct experiments if I can't pass the buck to architecture maintainers. It *is* worth optimizing - this is where read() from a file that is already in page cache spends most of the time, etc. Guo Ren reply: Thx, after fixup some typo “sub %0, 4”, apply the patch. TODO: - user copy/from codes are still need optimizing. Signed-off-by: Al Viro Signed-off-by: Guo Ren commit 67002814cf3b7265900003f6a49657847eeeb57d Author: Guo Ren Date: Thu May 14 16:04:31 2020 +0800 csky: Fixup gdbmacros.txt with name sp in thread_struct The gdbmacros.txt use sp in thread_struct, but csky use ksp. This cause bttnobp fail to excute. TODO: - Still couldn't display the contents of stack. Signed-off-by: Guo Ren commit b590b38ca305d6d7902ec7c4f7e273e0069f3bcc Author: Takashi Iwai Date: Thu May 14 18:05:33 2020 +0200 ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 Lenovo Thinkpad T530 seems to have a sensitive internal mic capture that needs to limit the mic boost like a few other Thinkpad models. Although we may change the quirk for ALC269_FIXUP_LENOVO_DOCK, this hits way too many other laptop models, so let's add a new fixup model that limits the internal mic boost on top of the existing quirk and apply to only T530. BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1171293 Cc: Link: https://lore.kernel.org/r/20200514160533.10337-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 9bd21d4b1a767c3abebec203342f3820dcb84662 Author: Steve French Date: Wed May 13 10:27:16 2020 -0500 cifs: Fix null pointer check in cifs_read Coverity scan noted a redundant null check Coverity-id: 728517 Reported-by: Coverity Signed-off-by: Steve French Reviewed-by: Shyam Prasad N commit da4d401a6b8fda7414033f81982f64ade02c0e27 Author: Steven Rostedt (VMware) Date: Wed May 13 15:36:22 2020 -0400 ring-buffer: Remove all BUG() calls There's a lot of checks to make sure the ring buffer is working, and if an anomaly is detected, it safely shuts itself down. But there's a few cases that it will call BUG(), which defeats the point of being safe (it crashes the kernel when an anomaly is found!). There's no reason for them. Switch them all to either WARN_ON_ONCE() (when no ring buffer descriptor is present), or to RB_WARN_ON() (when a ring buffer descriptor is present). Signed-off-by: Steven Rostedt (VMware) commit 3d2353de81061cab4b9d68b3e1dc69cbec1451ea Author: Steven Rostedt (VMware) Date: Wed May 13 15:18:01 2020 -0400 ring-buffer: Don't deactivate the ring buffer on failed iterator reads If the function tracer is running and the trace file is read (which uses the ring buffer iterator), the iterator can get in sync with the writes, and caues it to fail to find a page with content it can read three times. This causes a warning and deactivation of the ring buffer code. Looking at the other cases of failure to get an event, it appears that there's a chance that the writer could cause them too. Since the iterator is a "best effort" to read the ring buffer if there's an active writer (the consumer reader is made for this case "see trace_pipe"), if it fails to get an event after three tries, simply give up and return NULL. Don't warn, nor disable the ring buffer on this failure. Link: https://lore.kernel.org/r/20200429090508.GG5770@shao2-debian Reported-by: kernel test robot Fixes: ff84c50cfb4b ("ring-buffer: Do not die if rb_iter_peek() fails more than thrice") Tested-by: Sven Schnelle Signed-off-by: Steven Rostedt (VMware) commit 1449cb2c2253d37d998c3714aa9b95416d16d379 Author: Li Jun Date: Thu May 14 14:04:32 2020 +0300 usb: host: xhci-plat: keep runtime active when removing host While removing the host (e.g. for USB role switch from host to device), if runtime pm is enabled by user, below oops occurs on dwc3 and cdns3 platforms. Keeping the xhci-plat device active during host removal, and disabling runtime pm before calling pm_runtime_set_suspended() fixes them. oops1: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000240 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.4.3-00107-g64d454a-dirty Hardware name: FSL i.MX8MP EVK (DT) Workqueue: pm pm_runtime_work pstate: 60000005 (nZCv daif -PAN -UAO) pc : xhci_suspend+0x34/0x698 lr : xhci_plat_runtime_suspend+0x2c/0x38 sp : ffff800011ddbbc0 Call trace: xhci_suspend+0x34/0x698 xhci_plat_runtime_suspend+0x2c/0x38 pm_generic_runtime_suspend+0x28/0x40 __rpm_callback+0xd8/0x138 rpm_callback+0x24/0x98 rpm_suspend+0xe0/0x448 rpm_idle+0x124/0x140 pm_runtime_work+0xa0/0xf8 process_one_work+0x1dc/0x370 worker_thread+0x48/0x468 kthread+0xf0/0x120 ret_from_fork+0x10/0x1c oops2: usb 2-1: USB disconnect, device number 2 xhci-hcd xhci-hcd.1.auto: remove, state 4 usb usb2: USB disconnect, device number 1 xhci-hcd xhci-hcd.1.auto: USB bus 2 deregistered xhci-hcd xhci-hcd.1.auto: remove, state 4 usb usb1: USB disconnect, device number 1 Unable to handle kernel NULL pointer dereference at virtual address 0000000000000138 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 7 Comm: kworker/u8:0 Not tainted 5.6.0-rc4-next-20200304-03578 Hardware name: Freescale i.MX8QXP MEK (DT) Workqueue: 1-0050 tcpm_state_machine_work pstate: 20000005 (nzCv daif -PAN -UAO) pc : xhci_free_dev+0x214/0x270 lr : xhci_plat_runtime_resume+0x78/0x88 sp : ffff80001006b5b0 Call trace: xhci_free_dev+0x214/0x270 xhci_plat_runtime_resume+0x78/0x88 pm_generic_runtime_resume+0x30/0x48 __rpm_callback+0x90/0x148 rpm_callback+0x28/0x88 rpm_resume+0x568/0x758 rpm_resume+0x260/0x758 rpm_resume+0x260/0x758 __pm_runtime_resume+0x40/0x88 device_release_driver_internal+0xa0/0x1c8 device_release_driver+0x1c/0x28 bus_remove_device+0xd4/0x158 device_del+0x15c/0x3a0 usb_disable_device+0xb0/0x268 usb_disconnect+0xcc/0x300 usb_remove_hcd+0xf4/0x1dc xhci_plat_remove+0x78/0xe0 platform_drv_remove+0x30/0x50 device_release_driver_internal+0xfc/0x1c8 device_release_driver+0x1c/0x28 bus_remove_device+0xd4/0x158 device_del+0x15c/0x3a0 platform_device_del.part.0+0x20/0x90 platform_device_unregister+0x28/0x40 cdns3_host_exit+0x20/0x40 cdns3_role_stop+0x60/0x90 cdns3_role_set+0x64/0xd8 usb_role_switch_set_role.part.0+0x3c/0x68 usb_role_switch_set_role+0x20/0x30 tcpm_mux_set+0x60/0xf8 tcpm_reset_port+0xa4/0xf0 tcpm_detach.part.0+0x28/0x50 tcpm_state_machine_work+0x12ac/0x2360 process_one_work+0x1c8/0x470 worker_thread+0x50/0x428 kthread+0xfc/0x128 ret_from_fork+0x10/0x18 Code: c8037c02 35ffffa3 17ffe7c3 f9800011 (c85f7c01) ---[ end trace 45b1a173d2679e44 ]--- [minor commit message cleanup -Mathias] Cc: Baolin Wang Cc: Fixes: b0c69b4bace3 ("usb: host: plat: Enable xHCI plat runtime PM") Reviewed-by: Peter Chen Tested-by: Peter Chen Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 3c6f8cb92c9178fc0c66b580ea3df1fa3ac1155a Author: Sriharsha Allenki Date: Thu May 14 14:04:31 2020 +0300 usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list On platforms with IOMMU enabled, multiple SGs can be coalesced into one by the IOMMU driver. In that case the SG list processing as part of the completion of a urb on a bulk endpoint can result into a NULL pointer dereference with the below stack dump. <6> Unable to handle kernel NULL pointer dereference at virtual address 0000000c <6> pgd = c0004000 <6> [0000000c] *pgd=00000000 <6> Internal error: Oops: 5 [#1] PREEMPT SMP ARM <2> PC is at xhci_queue_bulk_tx+0x454/0x80c <2> LR is at xhci_queue_bulk_tx+0x44c/0x80c <2> pc : [] lr : [] psr: 000000d3 <2> sp : ca337c80 ip : 00000000 fp : ffffffff <2> r10: 00000000 r9 : 50037000 r8 : 00004000 <2> r7 : 00000000 r6 : 00004000 r5 : 00000000 r4 : 00000000 <2> r3 : 00000000 r2 : 00000082 r1 : c2c1a200 r0 : 00000000 <2> Flags: nzcv IRQs off FIQs off Mode SVC_32 ISA ARM Segment none <2> Control: 10c0383d Table: b412c06a DAC: 00000051 <6> Process usb-storage (pid: 5961, stack limit = 0xca336210) <2> [] (xhci_queue_bulk_tx) <2> [] (xhci_urb_enqueue) <2> [] (usb_hcd_submit_urb) <2> [] (usb_sg_wait) <2> [] (usb_stor_bulk_transfer_sglist) <2> [] (usb_stor_bulk_srb) <2> [] (usb_stor_Bulk_transport) <2> [] (usb_stor_invoke_transport) <2> [] (usb_stor_control_thread) <2> [] (kthread) The above NULL pointer dereference is the result of block_len and the sent_len set to zero after the first SG of the list when IOMMU driver is enabled. Because of this the loop of processing the SGs has run more than num_sgs which resulted in a sg_next on the last SG of the list which has SG_END set. Fix this by check for the sg before any attributes of the sg are accessed. [modified reason for null pointer dereference in commit message subject -Mathias] Fixes: f9c589e142d04 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer") Cc: stable@vger.kernel.org Signed-off-by: Sriharsha Allenki Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200514110432.25564-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 56b1b7c667fbb9ee395f7506dfef3c04571e024a Author: Xin Long Date: Wed May 13 18:38:54 2020 +0800 esp6: calculate transport_header correctly when sel.family != AF_INET6 In esp6_init_state() for beet mode when x->sel.family != AF_INET6: x->props.header_len = sizeof(struct ip_esp_hdr) + crypto_aead_ivsize(aead) + IPV4_BEET_PHMAXLEN + (sizeof(struct ipv6hdr) - sizeof(struct iphdr)) In xfrm6_beet_gso_segment() skb->transport_header is supposed to move to the end of the ph header for IPPROTO_BEETPH, so if x->sel.family != AF_INET6 and it's IPPROTO_BEETPH, it should do: skb->transport_header -= (sizeof(struct ipv6hdr) - sizeof(struct iphdr)); skb->transport_header += ph->hdrlen * 8; And IPV4_BEET_PHMAXLEN is only reserved for PH header, so if x->sel.family != AF_INET6 and it's not IPPROTO_BEETPH, it should do: skb->transport_header -= (sizeof(struct ipv6hdr) - sizeof(struct iphdr)); skb->transport_header -= IPV4_BEET_PHMAXLEN; Thanks Sabrina for looking deep into this issue. Fixes: 7f9e40eb18a9 ("esp6: add gso_segment for esp6 beet mode") Reported-by: Sabrina Dubroca Signed-off-by: Xin Long Signed-off-by: Steffen Klassert commit 172b14b48ca10b280482b164506892ea09edb946 Author: Jason Yan Date: Thu Apr 2 20:38:37 2020 +0800 usb: cdns3: gadget: make a bunch of functions static Fix the following sparse warning: drivers/usb/cdns3/gadget.c:85:6: warning: symbol 'cdns3_clear_register_bit' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:140:26: warning: symbol 'cdns3_next_align_buf' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:151:22: warning: symbol 'cdns3_next_priv_request' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:193:5: warning: symbol 'cdns3_ring_size' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:348:6: warning: symbol 'cdns3_move_deq_to_next_trb' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:514:20: warning: symbol 'cdns3_wa2_gadget_giveback' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:554:5: warning: symbol 'cdns3_wa2_gadget_ep_queue' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:839:6: warning: symbol 'cdns3_wa1_restore_cycle_bit' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:1907:6: warning: symbol 'cdns3_stream_ep_reconfig' was not declared. Should it be static? drivers/usb/cdns3/gadget.c:1928:6: warning: symbol 'cdns3_configure_dmult' was not declared. Should it be static? Reported-by: Hulk Robot Reviewed-by: Peter Chen Signed-off-by: Jason Yan Signed-off-by: Felipe Balbi commit 6045dd7e5955f0175c9075f8ba80015369d6b201 Author: Rikard Falkeborn Date: Fri May 8 23:44:21 2020 +0200 usb: mtu3: constify struct debugfs_reg32 mtu3_prb_regs is never changed and can therefore be made const. This allows the compiler to put it in the text section instead of the data section. Before: text data bss dec hex filename 19966 7120 0 27086 69ce drivers/usb/mtu3/mtu3_debugfs.o After: text data bss dec hex filename 20142 6992 0 27134 69fe drivers/usb/mtu3/mtu3_debugfs.o Signed-off-by: Rikard Falkeborn Signed-off-by: Felipe Balbi commit 4210f3a6e4a95e96c1e606f8157e0377b5f8beaa Author: Samuel Zou Date: Tue May 12 10:00:13 2020 +0800 usb: gadget: udc: atmel: Make some symbols static Fix the following sparse warnings: drivers/usb/gadget/udc/atmel_usba_udc.c:188:30: warning: symbol 'queue_dbg_fops' was not declared. drivers/usb/gadget/udc/atmel_usba_udc.c:196:30: warning: symbol 'regs_dbg_fops' was not declared. queue_dbg_fops and regs_dbg_fops have only call within atmel_usba_udc.c They should be static Fixes: 914a3f3b3754 ("USB: add atmel_usba_udc driver") Reported-by: Hulk Robot Signed-off-by: Samuel Zou Signed-off-by: Felipe Balbi commit da39b5ee40bc00ae3edb4ae4e205b10bc52f980e Author: Andrey Konovalov Date: Wed May 13 20:01:42 2020 +0200 usb: raw-gadget: fix null-ptr-deref when reenabling endpoints Currently we preassign gadget endpoints to raw-gadget endpoints during initialization. Fix resetting this assignment in raw_ioctl_ep_disable(), otherwise we will get null-ptr-derefs when an endpoint is reenabled. Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit 61d2658db48af0c563d126cccc5c1105137b1ec9 Author: Andrey Konovalov Date: Thu May 7 19:06:58 2020 +0200 usb: raw-gadget: documentation updates Mention the issue with fixed UDC addresses. Links external examples and test suite. Add more implmenetation details and potential improvements. Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit c61769bd4777a922952aed0d042a2572e5bd9b74 Author: Andrey Konovalov Date: Thu May 7 19:06:57 2020 +0200 usb: raw-gadget: support stalling/halting/wedging endpoints Raw Gadget is currently unable to stall/halt/wedge gadget endpoints, which is required for proper emulation of certain USB classes. This patch adds a few more ioctls: - USB_RAW_IOCTL_EP0_STALL allows to stall control endpoint #0 when there's a pending setup request for it. - USB_RAW_IOCTL_SET/CLEAR_HALT/WEDGE allow to set/clear halt/wedge status on non-control non-isochronous endpoints. Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface") Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit 97df5e5758f7d1dd0ca97e3210696818fc45bdb3 Author: Andrey Konovalov Date: Thu May 7 19:06:56 2020 +0200 usb: raw-gadget: fix gadget endpoint selection Currently automatic gadget endpoint selection based on required features doesn't work. Raw Gadget tries iterating over the list of available endpoints and finding one that has the right direction and transfer type. Unfortunately selecting arbitrary gadget endpoints (even if they satisfy feature requirements) doesn't work, as (depending on the UDC driver) they might have fixed addresses, and one also needs to provide matching endpoint addresses in the descriptors sent to the host. The composite framework deals with this by assigning endpoint addresses in usb_ep_autoconfig() before enumeration starts. This approach won't work with Raw Gadget as the endpoints are supposed to be enabled after a set_configuration/set_interface request from the host, so it's too late to patch the endpoint descriptors that had already been sent to the host. For Raw Gadget we take another approach. Similarly to GadgetFS, we allow the user to make the decision as to which gadget endpoints to use. This patch adds another Raw Gadget ioctl USB_RAW_IOCTL_EPS_INFO that exposes information about all non-control endpoints that a currently connected UDC has. This information includes endpoints addresses, as well as their capabilities and limits to allow the user to choose the most fitting gadget endpoint. The USB_RAW_IOCTL_EP_ENABLE ioctl is updated to use the proper endpoint validation routine usb_gadget_ep_match_desc(). These changes affect the portability of the gadgets that use Raw Gadget when running on different UDCs. Nevertheless, as long as the user relies on the information provided by USB_RAW_IOCTL_EPS_INFO to dynamically choose endpoint addresses, UDC-agnostic gadgets can still be written with Raw Gadget. Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface") Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit 17ff3b72e742192f11e3136174ac4eafb50e38d4 Author: Andrey Konovalov Date: Thu May 7 19:06:55 2020 +0200 usb: raw-gadget: improve uapi headers comments Fix typo "trasferred" => "transferred". Don't call USB requests URBs. Fix comment style. Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit e78d334a5470ead861590ec83158f3b17bd6c807 Author: Arvind Sankar Date: Mon May 11 18:58:49 2020 -0400 x86/boot: Mark global variables as static Mike Lothian reports that after commit 964124a97b97 ("efi/x86: Remove extra headroom for setup block") gcc 10.1.0 fails with HOSTCC arch/x86/boot/tools/build /usr/lib/gcc/x86_64-pc-linux-gnu/10.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: error: linker defined: multiple definition of '_end' /usr/lib/gcc/x86_64-pc-linux-gnu/10.1.0/../../../../x86_64-pc-linux-gnu/bin/ld: /tmp/ccEkW0jM.o: previous definition here collect2: error: ld returned 1 exit status make[1]: *** [scripts/Makefile.host:103: arch/x86/boot/tools/build] Error 1 make: *** [arch/x86/Makefile:303: bzImage] Error 2 The issue is with the _end variable that was added, to hold the end of the compressed kernel from zoffsets.h (ZO__end). The name clashes with the linker-defined _end symbol that indicates the end of the build program itself. Even when there is no compile-time error, this causes build to use memory past the end of its .bss section. To solve this, mark _end as static, and for symmetry, mark the rest of the variables that keep track of symbols from the compressed kernel as static as well. Fixes: 964124a97b97 ("efi/x86: Remove extra headroom for setup block") Reported-by: Mike Lothian Tested-by: Mike Lothian Signed-off-by: Arvind Sankar Link: https://lore.kernel.org/r/20200511225849.1311869-1-nivedita@alum.mit.edu Signed-off-by: Ard Biesheuvel commit 3d8c11efd528d56972d44ed0de51c4e11a9a4fa9 Author: Punit Agrawal Date: Tue May 12 13:55:02 2020 +0900 efi: cper: Add support for printing Firmware Error Record Reference While debugging a boot failure, the following unknown error record was seen in the boot logs. <...> BERT: Error records from previous boot: [Hardware Error]: event severity: fatal [Hardware Error]: Error 0, type: fatal [Hardware Error]: section type: unknown, 81212a96-09ed-4996-9471-8d729c8e69ed [Hardware Error]: section length: 0x290 [Hardware Error]: 00000000: 00000001 00000000 00000000 00020002 ................ [Hardware Error]: 00000010: 00020002 0000001f 00000320 00000000 ........ ....... [Hardware Error]: 00000020: 00000000 00000000 00000000 00000000 ................ [Hardware Error]: 00000030: 00000000 00000000 00000000 00000000 ................ <...> On further investigation, it was found that the error record with UUID (81212a96-09ed-4996-9471-8d729c8e69ed) has been defined in the UEFI Specification at least since v2.4 and has recently had additional fields defined in v2.7 Section N.2.10 Firmware Error Record Reference. Add support for parsing and printing the defined fields to give users a chance to figure out what went wrong. Signed-off-by: Punit Agrawal Cc: Ard Biesheuvel Cc: "Rafael J. Wysocki" Cc: Borislav Petkov Cc: James Morse Cc: linux-acpi@vger.kernel.org Cc: linux-efi@vger.kernel.org Link: https://lore.kernel.org/r/20200512045502.3810339-1-punit1.agrawal@toshiba.co.jp Signed-off-by: Ard Biesheuvel commit fd62619598069c974739476d1851a00d665041d7 Author: Lenny Szubowicz Date: Thu May 7 14:33:32 2020 -0400 efi/libstub/x86: Avoid EFI map buffer alloc in allocate_e820() In allocate_e820(), call the EFI get_memory_map() service directly instead of indirectly via efi_get_memory_map(). This avoids allocation of a buffer and return of the full EFI memory map, which is not needed here and would otherwise need to be freed. Routine allocate_e820() only needs to know how many EFI memory descriptors there are in the map to allocate an adequately sized e820ext buffer, if it's needed. Note that since efi_get_memory_map() returns a memory map buffer sized with extra headroom, allocate_e820() now needs to explicitly factor that into the e820ext size calculation. Signed-off-by: Lenny Szubowicz Suggested-by: Ard Biesheuvel Signed-off-by: Ard Biesheuvel commit f59bcda883578c40f664d05e07299b81f70b6f55 Merge: 6da9b046af6f 650e723cecf2 Author: Dave Airlie Date: Thu May 14 13:48:16 2020 +1000 Merge tag 'amd-drm-fixes-5.7-2020-05-13' of git://people.freedesktop.org/~agd5f/linux into drm-fixes amd-drm-fixes-5.7-2020-05-13: amdgpu: - Clockgating fixes - Fix fbdev with scatter/gather display - S4 fix for navi - Soft recovery for gfx10 - Freesync fixes - Atomic check cursor fix - Add a gfxoff quirk - MST fix amdkfd: - Fix GEM reference counting Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20200514034046.3988-1-alexander.deucher@amd.com commit 6da9b046af6f2e6b22f5f768e374ee1137dfb250 Merge: 0c77ca2f9d87 4010e729349f Author: Dave Airlie Date: Thu May 14 12:29:45 2020 +1000 Merge tag 'drm/tegra/for-5.7-fixes' of git://anongit.freedesktop.org/tegra/linux into drm-fixes drm/tegra: Fixes for v5.7 This contains a pair of patches which fix SMMU support on Tegra124 and Tegra210 for host1x and the Tegra DRM driver. Signed-off-by: Dave Airlie From: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20200508101355.3031268-1-thierry.reding@gmail.com commit 0c77ca2f9d87b5ba0f93324cd678aeb5de528399 Merge: 2ef96a5bb12b 1bc6a60143a4 Author: Dave Airlie Date: Thu May 14 12:23:54 2020 +1000 Merge tag 'drm-intel-fixes-2020-05-07' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes - Fixes on execlist to avoid GPU hang situation (Chris) - Fixes couple deadlocks (Chris) - Timeslice preemption fixes (Chris) - Fix Display Port interrupt handling on Tiger Lake (Imre) - Reduce debug noise around Frame Buffer Compression (Peter) - Fix logic around IPC W/a for Coffee Lake and Kaby Lake (Sultan) - Avoid dereferencing a dead context (Chris) Signed-off-by: Dave Airlie From: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20200508052437.GA3212215@intel.com commit ed1ed4c0da5447c5e322481ce2ef9f03336c6ffb Author: Kefeng Wang Date: Mon May 11 10:20:01 2020 +0800 riscv: mmiowb: Fix implicit declaration of function 'smp_processor_id' In file included from ./../include/linux/compiler_types.h:68, from : ../include/asm-generic/mmiowb.h: In function ‘mmiowb_set_pending’: ../include/asm-generic/percpu.h:34:38: error: implicit declaration of function ‘smp_processor_id’; did you mean ‘raw_smp_processor_id’? [-Werror=implicit-function-declaration] #define my_cpu_offset per_cpu_offset(smp_processor_id()) ^~~~~~~~~~~~~~~~ ../include/linux/compiler-gcc.h:58:26: note: in definition of macro ‘RELOC_HIDE’ (typeof(ptr)) (__ptr + (off)); \ ^~~ ../include/linux/percpu-defs.h:249:2: note: in expansion of macro ‘SHIFT_PERCPU_PTR’ SHIFT_PERCPU_PTR(ptr, my_cpu_offset); \ ^~~~~~~~~~~~~~~~ ../include/asm-generic/percpu.h:34:23: note: in expansion of macro ‘per_cpu_offset’ #define my_cpu_offset per_cpu_offset(smp_processor_id()) ^~~~~~~~~~~~~~ ../include/linux/percpu-defs.h:249:24: note: in expansion of macro ‘my_cpu_offset’ SHIFT_PERCPU_PTR(ptr, my_cpu_offset); \ ^~~~~~~~~~~~~ ../include/asm-generic/mmiowb.h:30:26: note: in expansion of macro ‘this_cpu_ptr’ #define __mmiowb_state() this_cpu_ptr(&__mmiowb_state) ^~~~~~~~~~~~ ../include/asm-generic/mmiowb.h:37:28: note: in expansion of macro ‘__mmiowb_state’ struct mmiowb_state *ms = __mmiowb_state(); ^~~~~~~~~~~~~~ Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 9a6630aef93394ac54494c7e273e9bc026509375 Author: Kefeng Wang Date: Mon May 11 10:19:59 2020 +0800 riscv: pgtable: Fix __kernel_map_pages build error if NOMMU riscv64-none-linux-gnu-ld: mm/page_alloc.o: in function `.L0 ': page_alloc.c:(.text+0xd34): undefined reference to `__kernel_map_pages' riscv64-none-linux-gnu-ld: page_alloc.c:(.text+0x104a): undefined reference to `__kernel_map_pages' riscv64-none-linux-gnu-ld: mm/page_alloc.o: in function `__pageblock_pfn_to_page': page_alloc.c:(.text+0x145e): undefined reference to `__kernel_map_pages' Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 9de5d235b60a7cdfcdd5461e70c5663e713fde87 Author: Heiner Kallweit Date: Tue May 12 21:45:53 2020 +0200 net: phy: fix aneg restart in phy_ethtool_set_eee phy_restart_aneg() enables aneg in the PHY. That's not what we want if phydev->autoneg is disabled. In this case still update EEE advertisement register, but don't enable aneg and don't trigger an aneg restart. Fixes: f75abeb8338e ("net: phy: restart phy autonegotiation after EEE advertisment change") Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller commit 39572dd33b780e49077a0db038e4e38604719094 Author: Max Krummenacher Date: Mon Apr 27 15:40:02 2020 +0200 arm64: defconfig: add MEDIA_PLATFORM_SUPPORT Commit 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") adds a new Kconfig symbol which now hides drivers currently enabled in the arm64 defconfig. Enable it to get those drivers back. Link: https://lore.kernel.org/r/20200427134003.45188-5-max.krummenacher@toradex.com Signed-off-by: Max Krummenacher Signed-off-by: Arnd Bergmann commit c226669674c2a1665ada2f4bf7c0ddf6cda0d02e Author: Max Krummenacher Date: Mon Apr 27 15:40:01 2020 +0200 arm64: defconfig: ARCH_R8A7795: follow changed config symbol name Completes commit b925adfceb52 ("soc: renesas: Add ARCH_R8A7795[01] for existing R-Car H3") and commit 361c5dbb446e ("arm64: dts: renesas: Remove use of ARCH_R8A7795"). CONFIG_ARCH_R8A7795 was split in CONFIG_ARCH_R8A77950 and CONFIG_ARCH_R8A77951. Link: https://lore.kernel.org/r/20200427134003.45188-4-max.krummenacher@toradex.com Signed-off-by: Max Krummenacher Reviewed-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann commit 50045c730dbed3e54ad31cb020c7923f15e4a9a2 Author: Max Krummenacher Date: Mon Apr 27 15:40:00 2020 +0200 arm64: defconfig: add DRM_DISPLAY_CONNECTOR Add DRM_DISPLAY_CONNECTOR. This got introduced with the bridge rework Which renamed among others DRM_DUMB_VGA_DAC. Link: https://lore.kernel.org/r/20200427134003.45188-3-max.krummenacher@toradex.com Signed-off-by: Max Krummenacher Reviewed-by: Laurent Pinchart Signed-off-by: Arnd Bergmann commit 5f450f6713d6ec81f2b76dcfb7536a77632dff18 Author: Max Krummenacher Date: Mon Apr 27 15:39:59 2020 +0200 arm64: defconfig: DRM_DUMB_VGA_DAC: follow changed config symbol name This occurrence wasn't changed in the original rename commit. Fixes commit 0411374bdf2b3 ("drm/bridge: dumb-vga-dac: Rename driver to simple-bridge"). Link: https://lore.kernel.org/r/20200427134003.45188-2-max.krummenacher@toradex.com Signed-off-by: Max Krummenacher Reviewed-by: Laurent Pinchart Reviewed-by: Geert Uytterhoeven Signed-off-by: Arnd Bergmann commit 6034cc5a37e9b9ffeb81b1fe7bac4fe42fd0ab27 Merge: 43f3b777a69e bd84dff02174 Author: Arnd Bergmann Date: Thu May 14 00:08:06 2020 +0200 Merge tag 'arm-soc-fixes-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/narmstrong/linux-oxnas into arm/fixes - mach-oxnas: make ox820_boot_secondary static to fix sparse warning * tag 'arm-soc-fixes-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/narmstrong/linux-oxnas: ARM: oxnas: make ox820_boot_secondary static Link: https://lore.kernel.org/r/95bf4813-93a1-735d-1d27-2cbe59986845@baylibre.com Signed-off-by: Arnd Bergmann commit 43f3b777a69e0da03cf985fbb05cfc11e63aeefa Merge: deca1d1c3cea adf27a87eb4e Author: Arnd Bergmann Date: Thu May 14 00:07:35 2020 +0200 Merge tag 'amlogic-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic into arm/fixes arm64: dts: fixes for v5.7-rc Misc arm64 DT-only fixes * tag 'amlogic-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/khilman/linux-amlogic: arm64: dts: meson-g12: remove spurious blank line arm64: dts: meson-g12b-khadas-vim3: add missing frddr_a status property arm64: dts: meson-g12-common: fix dwc2 clock names arm64: dts: meson-g12b-ugoos-am6: fix usb vbus-supply Link: https://lore.kernel.org/r/7hmu6iyoc5.fsf@baylibre.com Signed-off-by: Arnd Bergmann commit deca1d1c3cea651bac13bf2e592df2f2e99563d9 Merge: 3b3e88e06720 738b150ecefb Author: Arnd Bergmann Date: Thu May 14 00:06:43 2020 +0200 Merge tag 'omap-for-v5.6/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap into arm/fixes Fixes for omaps for v5.6-rc cycle Few device tree fixes for various devices: - A regression fix for non-existing can device on am534x-idk - Fix missing dma-ranges for dra7 pcie - Fix flakey wlan on droid4 where some devices would not connect at all because of internal pull being used with an external pull - Fix occasional missed wake-up events on droid4 modem uart * tag 'omap-for-v5.6/fixes-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tmlind/linux-omap: ARM: dts: omap4-droid4: Fix occasional lost wakeirq for uart1 ARM: dts: omap4-droid4: Fix flakey wlan by disabling internal pull for gpio ARM: dts: dra7: Fix bus_dma_limit for PCIe ARM: dts: am574x-idk: Disable m_can node Link: https://lore.kernel.org/r/pull-1588872844-804667@atomide.com Signed-off-by: Arnd Bergmann commit 3b3e88e067204e606a3ebf9dab122e39783c0f27 Merge: 6d9ac5160daa 855bdca1781c Author: Arnd Bergmann Date: Thu May 14 00:02:55 2020 +0200 Merge tag 'v5.7-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into arm/fixes Some fixes for the newly added Pinebook Pro and other fixes to make dtc and the new dtscheck against yaml bindings happy. * tag 'v5.7-rockchip-dtsfixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi arm64: dts: rockchip: Fix Pinebook Pro FUSB302 interrupt ARM: dts: rockchip: swap clock-names of gpu nodes arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts arm64: dts: rockchip: remove extra assigned-clocks property from &gmac2phy node in rk3328-evb.dts ARM: dts: rockchip: fix phy nodename for rk3229-xms6 ARM: dts: rockchip: fix phy nodename for rk3228-evb arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy arm64: dts: rockchip: drop #address-cells, #size-cells from rk3399 pmugrf node arm64: dts: rockchip: drop #address-cells, #size-cells from rk3328 grf node arm64: dts: rockchip: drop non-existent gmac2phy pinmux options from rk3328 arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards arm64: dts: rockchip: enable DC charger detection pullup on Pinebook Pro arm64: dts: rockchip: fix inverted headphone detection on Pinebook Pro arm64: dts: rockchip: Correct PMU compatibles for PX30 and RK3308 Link: https://lore.kernel.org/r/1738941.6LdaBJIBqS@phil Signed-off-by: Arnd Bergmann commit 6d9ac5160daac08c71ac1aa81b5d9869202da38f Merge: 5258bba832ec 90670f0ef690 Author: Arnd Bergmann Date: Thu May 14 00:01:43 2020 +0200 Merge tag 'tegra-for-5.7-arm64-defconfig-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux into arm/fixes arm64: tegra: Default configuration fixes This contains a single fix to reenable the Tegra194 PCIe host support by default that was inadvertently dropped as a result of the host/endpoint mode support that was added in v5.7-rc1. * tag 'tegra-for-5.7-arm64-defconfig-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tegra/linux: arm64: defconfig: Re-enable Tegra PCIe host driver Link: https://lore.kernel.org/r/20200430105700.167199-1-thierry.reding@gmail.com Signed-off-by: Arnd Bergmann commit 5258bba832ecff4f383b3c384691b518382e4d33 Merge: 896e18f4dc15 b704fc1da9b8 Author: Arnd Bergmann Date: Thu May 14 00:01:06 2020 +0200 Merge tag 'renesas-fixes-for-v5.7-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel into arm/fixes Renesas fixes for v5.7 - Fix IOMMU support on R-Car V3H, - Minor fixes that are fast-tracked to avoid introducing regressions during conversion of DT bindings to json-schema. * tag 'renesas-fixes-for-v5.7-tag1' of git://git.kernel.org/pub/scm/linux/kernel/git/geert/renesas-devel: ARM: dts: r7s9210: Remove bogus clock-names from OSTM nodes arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes ARM: dts: r8a73a4: Add missing CMT1 interrupts Link: https://lore.kernel.org/r/20200430084834.1384-1-geert+renesas@glider.be Signed-off-by: Arnd Bergmann commit 896e18f4dc15166ffebc041333e7e3ca8e08189a Merge: b130b0ad8a13 1248c86fd639 Author: Arnd Bergmann Date: Thu May 14 00:00:06 2020 +0200 Merge tag 'imx-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux into arm/fixes i.MX fixes for 5.7: - Set correct AHB clock for i.MX8MN SDMA1 device to fix a "Timeout waiting for CH0" error. - Fix a linker error for i.MX6 configurations that have ARM_CPU_SUSPEND=n, which can happen if neither CONFIG_PM, CONFIG_CPU_IDLE, nor ARM_PSCI_FW are selected. - Fix I2C1 pinctrl configuration for i.MX27 phytec-phycard board. - Fix i.MX8M AIPS 'reg' properties to remove DTC simple_bus_reg warnings. - Add missing compatible "fsl,vf610-edma" for LS1028A EDMA device, so that bootloader can fix up the IOMMU entries there. Otherwise, EDMA just doesn't work on LS1028A with shipped bootloader. - Fix imx6dl-yapp4-ursa board Ethernet connection. - Fix input_val for AUDIOMIX_BIT_STREAM pinctrl defines on i.MX8MP according to Reference Manual. * tag 'imx-fixes-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/shawnguo/linux: arm64: dts: freescale: imx8mp: update input_val for AUDIOMIX_BIT_STREAM arm64: dts: imx8m: Fix AIPS reg properties arm64: dts: imx8mn: Change SDMA1 ahb clock for imx8mn ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y ARM: dts: imx6dl-yapp4: Fix Ursa board Ethernet connection arm64: dts: ls1028a: add "fsl,vf610-edma" compatible dt-bindings: dma: fsl-edma: fix ls1028a-edma compatible Link: https://lore.kernel.org/r/20200429063226.GT32592@dragon Signed-off-by: Arnd Bergmann commit b130b0ad8a13990a8dc993a22f5c2d5d651636c8 Merge: 0e698dfa2822 7710f80ecd9c Author: Arnd Bergmann Date: Wed May 13 23:59:57 2020 +0200 Merge tag 'qcom-arm64-fixes-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux into arm/fixes Qualcomm ARM64 DT fixes for v5.7 This reduces the (hard coded) CPU voltage to a safe level on MSM8996 and updates the audio nodes on db820c, db845c and c630 to reflect audio changes that landed late in the cycle. * tag 'qcom-arm64-fixes-for-5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/qcom/linux: arm64: dts: qcom: db820c: fix audio configuration arm64: dts: qcom: db845c: fix asm dai setup arm64: qcom: c630: fix asm dai setup arm64: dts: qcom: msm8996: Reduce vdd_apc voltage Link: https://lore.kernel.org/r/20200429052932.GA2627045@builder.lan Signed-off-by: Arnd Bergmann commit 955da9d77435acac066139e9d7f7723ce7204a1d Author: Chris Wilson Date: Sat May 9 12:52:17 2020 +0100 drm/i915: Handle idling during i915_gem_evict_something busy loops i915_gem_evict_something() is charged with finding a slot within the GTT that we may reuse. Since our goal is not to stall, we first look for a slot that only overlaps idle vma. To this end, on the first pass we move any active vma to the end of the search list. However, we only stopped moving active vma after we see the first active vma twice. If during the search, that first active vma completed, we would not notice and keep on extending the search list. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1746 Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") Fixes: b1e3177bd1d8 ("drm/i915: Coordinate i915_active with its own mutex") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.5+ Reviewed-by: Mika Kuoppala Link: https://patchwork.freedesktop.org/patch/msgid/20200509115217.26853-1-chris@chris-wilson.co.uk (cherry picked from commit 73e28cc40bf00b5d168cb8f5cff1ae63e9097446) Signed-off-by: Rodrigo Vivi commit 99addbe31f5524494f4d7077bcb3f6fa64c5d160 Author: Florian Fainelli Date: Wed May 13 08:51:51 2020 -0700 net: broadcom: Select BROADCOM_PHY for BCMGENET The GENET controller on the Raspberry Pi 4 (2711) is typically interfaced with an external Broadcom PHY via a RGMII electrical interface. To make sure that delays are properly configured at the PHY side, ensure that we the dedicated Broadcom PHY driver (CONFIG_BROADCOM_PHY) is enabled for this to happen. Fixes: 402482a6a78e ("net: bcmgenet: Clear ID_MODE_DIS in EXT_RGMII_OOB_CTRL when not needed") Reported-by: Marek Szyprowski Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller commit 69cad59d8af660998829eed4b4b0344dc5673c57 Merge: f3fbc5a38021 88690b1079d4 Author: David S. Miller Date: Wed May 13 12:33:19 2020 -0700 Merge branch 'tipc-fixes' Tuong Lien says: ==================== tipc: add some patches This series adds patches to fix some issues in TIPC streaming & service subscription. ==================== Signed-off-by: David S. Miller commit 88690b1079d473a44bf4183dfee9b03d4afae866 Author: Tuong Lien Date: Wed May 13 19:33:18 2020 +0700 tipc: fix failed service subscription deletion When a service subscription is expired or canceled by user, it needs to be deleted from the subscription list, so that new subscriptions can be registered (max = 65535 per net). However, there are two issues in code that can cause such an unused subscription to persist: 1) The 'tipc_conn_delete_sub()' has a loop on the subscription list but it makes a break shortly when the 1st subscription differs from the one specified, so the subscription will not be deleted. 2) In case a subscription is canceled, the code to remove the 'TIPC_SUB_CANCEL' flag from the subscription filter does not work if it is a local subscription (i.e. the little endian isn't involved). So, it will be no matches when looking for the subscription to delete later. The subscription(s) will be removed eventually when the user terminates its topology connection but that could be a long time later. Meanwhile, the number of available subscriptions may be exhausted. This commit fixes the two issues above, so as needed a subscription can be deleted correctly. Acked-by: Ying Xue Acked-by: Jon Maloy Signed-off-by: Tuong Lien Signed-off-by: David S. Miller commit 0771d7df819284d46cf5cfb57698621b503ec17f Author: Tuong Lien Date: Wed May 13 19:33:17 2020 +0700 tipc: fix memory leak in service subscripting Upon receipt of a service subscription request from user via a topology connection, one 'sub' object will be allocated in kernel, so it will be able to send an event of the service if any to the user correspondingly then. Also, in case of any failure, the connection will be shutdown and all the pertaining 'sub' objects will be freed. However, there is a race condition as follows resulting in memory leak: receive-work connection send-work | | | sub-1 |<------//-------| | sub-2 |<------//-------| | | |<---------------| evt for sub-x sub-3 |<------//-------| | : : : : : : | /--------| | | | * peer closed | | | | | | | |<-------X-------| evt for sub-y | | |<===============| sub-n |<------/ X shutdown | -> orphan | | That is, the 'receive-work' may get the last subscription request while the 'send-work' is shutting down the connection due to peer close. We had a 'lock' on the connection, so the two actions cannot be carried out simultaneously. If the last subscription is allocated e.g. 'sub-n', before the 'send-work' closes the connection, there will be no issue at all, the 'sub' objects will be freed. In contrast the last subscription will become orphan since the connection was closed, and we released all references. This commit fixes the issue by simply adding one test if the connection remains in 'connected' state right after we obtain the connection lock, then a subscription object can be created as usual, otherwise we ignore it. Acked-by: Ying Xue Acked-by: Jon Maloy Reported-by: Thang Ngo Signed-off-by: Tuong Lien Signed-off-by: David S. Miller commit c72685894506a3fec5978b9b11b94069a7d1c995 Author: Tuong Lien Date: Wed May 13 19:33:16 2020 +0700 tipc: fix large latency in smart Nagle streaming Currently when a connection is in Nagle mode, we set the 'ack_required' bit in the last sending buffer and wait for the corresponding ACK prior to pushing more data. However, on the receiving side, the ACK is issued only when application really reads the whole data. Even if part of the last buffer is received, we will not do the ACK as required. This might cause an unnecessary delay since the receiver does not always fetch the message as fast as the sender, resulting in a large latency in the user message sending, which is: [one RTT + the receiver processing time]. The commit makes Nagle ACK as soon as possible i.e. when a message with the 'ack_required' arrives in the receiving side's stack even before it is processed or put in the socket receive queue... This way, we can limit the streaming latency to one RTT as committed in Nagle mode. Acked-by: Ying Xue Acked-by: Jon Maloy Signed-off-by: Tuong Lien Signed-off-by: David S. Miller commit f3fbc5a38021637aa959a04239d7ef921a7336bc Merge: eead1c2ea250 be7fa20f057e Author: David S. Miller Date: Wed May 13 12:14:51 2020 -0700 Merge branch 's390-fixes' Ursula Braun says: ==================== s390/net: updates 2020-05-13 please apply the fix from Wei Yongjun to netdev's net tree and add Karsten Graul as co-maintainer for drivers/s390/net. ==================== Signed-off-by: David S. Miller commit be7fa20f057e05b31fc08d1999394c43cf2c1a9a Author: Ursula Braun Date: Wed May 13 09:42:30 2020 +0200 MAINTAINERS: add Karsten Graul as S390 NETWORK DRIVERS maintainer Add Karsten as additional maintainer for drivers/s390/net . One of his focal points is the ism driver. Cc: Julian Wiedmann Acked-by: Julian Wiedmann Signed-off-by: Ursula Braun Signed-off-by: David S. Miller commit 29b74cb75e3572d83708745e81e24d37837415f9 Author: Wei Yongjun Date: Wed May 13 09:42:29 2020 +0200 s390/ism: fix error return code in ism_probe() Fix to return negative error code -ENOMEM from the smcd_alloc_dev() error handling case instead of 0, as done elsewhere in this function. Fixes: 684b89bc39ce ("s390/ism: add device driver for internal shared memory") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Ursula Braun Signed-off-by: David S. Miller commit 9d9e88a24c1f20ebfc2f28b1762ce78c0b9e1cb3 Author: Jens Axboe Date: Wed May 13 12:53:19 2020 -0600 io_uring: polled fixed file must go through free iteration When we changed the file registration handling, it became important to iterate the bulk request freeing list for fixed files as well, or we miss dropping the fixed file reference. If not, we're leaking references, and we'll get a kworker stuck waiting for file references to disappear. This also means we can remove the special casing of fixed vs non-fixed files, we need to iterate for both and we can just rely on __io_req_aux_free() doing io_put_file() instead of doing it manually. Fixes: 055895537302 ("io_uring: refactor file register/unregister/update handling") Signed-off-by: Jens Axboe commit 333e22db228f0bd0c839553015a6a8d3db4ba569 Author: Samu Nuutamo Date: Mon May 11 13:02:19 2020 +0200 hwmon: (da9052) Synchronize access with mfd When tsi-as-adc is configured it is possible for in7[0123]_input read to return an incorrect value if a concurrent read to in[456]_input is performed. This is caused by a concurrent manipulation of the mux channel without proper locking as hwmon and mfd use different locks for synchronization. Switch hwmon to use the same lock as mfd when accessing the TSI channel. Fixes: 4f16cab19a3d5 ("hwmon: da9052: Add support for TSI channel") Signed-off-by: Samu Nuutamo [rebase to current master, reword commit message slightly] Signed-off-by: Sebastian Reichel Signed-off-by: Guenter Roeck commit 37486135d3a7b03acc7755b63627a130437f066a Author: Babu Moger Date: Tue May 12 18:59:06 2020 -0500 KVM: x86: Fix pkru save/restore when guest CR4.PKE=0, move it to x86.c Though rdpkru and wrpkru are contingent upon CR4.PKE, the PKRU resource isn't. It can be read with XSAVE and written with XRSTOR. So, if we don't set the guest PKRU value here(kvm_load_guest_xsave_state), the guest can read the host value. In case of kvm_load_host_xsave_state, guest with CR4.PKE clear could potentially use XRSTOR to change the host PKRU value. While at it, move pkru state save/restore to common code and the host_pkru field to kvm_vcpu_arch. This will let SVM support protection keys. Cc: stable@vger.kernel.org Reported-by: Jim Mattson Signed-off-by: Babu Moger Message-Id: <158932794619.44260.14508381096663848853.stgit@naples-babu.amd.com> Signed-off-by: Paolo Bonzini commit 38dce4195f0daefb566279fd9fd51e1fbd62ae1b Author: Vitaly Kuznetsov Date: Tue May 12 18:01:53 2020 +0200 x86/hyperv: Properly suspend/resume reenlightenment notifications Errors during hibernation with reenlightenment notifications enabled were reported: [ 51.730435] PM: hibernation entry [ 51.737435] PM: Syncing filesystems ... ... [ 54.102216] Disabling non-boot CPUs ... [ 54.106633] smpboot: CPU 1 is now offline [ 54.110006] unchecked MSR access error: WRMSR to 0x40000106 (tried to write 0x47c72780000100ee) at rIP: 0xffffffff90062f24 native_write_msr+0x4/0x20) [ 54.110006] Call Trace: [ 54.110006] hv_cpu_die+0xd9/0xf0 ... Normally, hv_cpu_die() just reassigns reenlightenment notifications to some other CPU when the CPU receiving them goes offline. Upon hibernation, there is no other CPU which is still online so cpumask_any_but(cpu_online_mask) returns >= nr_cpu_ids and using it as hv_vp_index index is incorrect. Disable the feature when cpumask_any_but() fails. Also, as we now disable reenlightenment notifications upon hibernation we need to restore them on resume. Check if hv_reenlightenment_cb was previously set and restore from hv_resume(). Signed-off-by: Vitaly Kuznetsov Reviewed-by: Dexuan Cui Reviewed-by: Tianyu Lan Link: https://lore.kernel.org/r/20200512160153.134467-1-vkuznets@redhat.com Signed-off-by: Wei Liu commit 9fefca775c8ddbbbcd97f2860218188b8641819d Author: Bartosz Golaszewski Date: Sat May 9 16:08:13 2020 +0200 gpiolib: notify user-space about line status changes after flags are set Currently we emit the REQUESTED line state event after the line is requested but before the flags are configured. This is obviously wrong as we want to pass the updated lineinfo to user-space together with the event. Since the flags can be configured in different ways depending on how the line is being requested - we need to call the notifier chain in different places separately. Fixes: 51c1064e82e7 ("gpiolib: add new ioctl() for monitoring changes in line info") Signed-off-by: Bartosz Golaszewski commit 7b2fd270af27edaf02acb41a7babe805a9441914 Author: Amy Shih Date: Tue May 12 09:38:06 2020 +0000 hwmon: (nct7904) Fix incorrect range of temperature limit registers The format of temperature limitation registers are 8-bit 2's complement and the range is -128~127. Converts the reading value to signed char to fix the incorrect range of temperature limitation registers. Signed-off-by: Amy Shih Signed-off-by: Guenter Roeck commit 6d44e43f225f96eea2e610f87070718032ad8aaa Author: Amy Shih Date: Tue May 12 02:25:23 2020 +0000 hwmon: (nct7904) Read all SMI status registers in probe function When nct7904 power up, it compares current sensor readings against the default threshold immediately. This results in false alarms on startup. Read all SMI status registers in probe function to clear the alarms. Signed-off-by: Amy Shih [groeck: Reworded description] Signed-off-by: Guenter Roeck commit 4fa7ef69e2918eb89c95e57978d839c0a31f332c Author: Trond Myklebust Date: Wed May 13 09:55:36 2020 -0400 NFS/pnfs: Don't use RPC_TASK_CRED_NOREF with pnfs When we're doing pnfs then the credential being used for the RPC call is not necessarily the same as the one used in the open context, so don't use RPC_TASK_CRED_NOREF. Fixes: 612965072020 ("NFSv4: Avoid referencing the cred unnecessarily during NFSv4 I/O") Signed-off-by: Trond Myklebust commit 5c4edcdbcd97fb3fb657898d0463afb84e4fbbb3 Author: Prashant Malani Date: Mon May 11 02:18:34 2020 -0700 usb: typec: mux: intel: Fix DP_HPD_LVL bit field According to the PMC Type C Subsystem (TCSS) Mux programming guide rev 0.6, the PMC HPD request LVL bit field is bit 4. Fix the definition here to match the programming guide. Since this bit field is changing, explicitly define a field for the HPD_HIGH mode data bit. Signed-off-by: Prashant Malani Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control") Reviewed-by: Benson Leung Acked-by: Heikki Krogerus Link: https://lore.kernel.org/r/20200511091837.102508-1-pmalani@chromium.org Signed-off-by: Greg Kroah-Hartman commit c34a4f9ddf566f4fab9eaa49a1c7a5f7406a3c9f Merge: 2ef96a5bb12b 6e507644209b Author: Greg Kroah-Hartman Date: Wed May 13 14:31:56 2020 +0200 Merge tag 'fixes-for-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus Felipe writes: USB: fixes for v5.7-rc5 Fixing raw-gadget's IOCTL return value. Enabling EXTCON for Intel Merrifield. Couple leaks have been plugged in net2272 and twl6030-usb. Returning an error code when things fail in cdc and ncm legacy gadgets. An old bug on dwc3 regarding HWO bit handling has been fixed. Apart from these, some minor fixes. Signed-off-by: Felipe Balbi * tag 'fixes-for-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb: usb: raw-gadget: fix return value of ep read ioctls usb: dwc3: select USB_ROLE_SWITCH usb: gadget: legacy: fix error return code in gncm_bind() usb: gadget: legacy: fix error return code in cdc_bind() usb: gadget: legacy: fix redundant initialization warnings usb: gadget: tegra-xudc: Fix idle suspend/resume usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' usb: cdns3: gadget: prev_req->trb is NULL for ep0 usb: gadget: audio: Fix a missing error return value in audio_bind() usb: dwc3: pci: Enable extcon driver for Intel Merrifield dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() commit f0b9d875faa4499afe3381404c3795e9da84bc00 Author: Dan Carpenter Date: Tue May 12 11:36:56 2020 +0300 staging: wfx: unlock on error path We need to release the tx_lock on the error path before returning. Fixes: d1c015b4ef6f ("staging: wfx: rewrite wfx_hw_scan()") Signed-off-by: Dan Carpenter Cc: stable Reviewed-by: Jérôme Pouiller Link: https://lore.kernel.org/r/20200512083656.GA251760@mwanda Signed-off-by: Greg Kroah-Hartman commit 34625c1931f8204c234c532b446b9f53c69f4b68 Author: Oscar Carter Date: Sun May 10 12:14:26 2020 +0200 staging: greybus: Fix uninitialized scalar variable In the "gb_tty_set_termios" function the "newline" variable is declared but not initialized. So the "flow_control" member is not initialized and the OR / AND operations with itself results in an undefined value in this member. The purpose of the code is to set the flow control type, so remove the OR / AND self operator and set the value directly. Addresses-Coverity-ID: 1374016 ("Uninitialized scalar variable") Fixes: e55c25206d5c9 ("greybus: uart: Handle CRTSCTS flag in termios") Signed-off-by: Oscar Carter Cc: stable Link: https://lore.kernel.org/r/20200510101426.23631-1-oscar.carter@gmx.com Signed-off-by: Greg Kroah-Hartman commit b17884ccf29e127b16bba6aea1438c851c9f5af1 Author: Wei Yongjun Date: Wed May 6 13:47:35 2020 +0000 staging: kpc2000: fix error return code in kp2000_pcie_probe() Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Also removed var 'rv' since we can use 'err' instead. Fixes: 7dc7967fc39a ("staging: kpc2000: add initial set of Daktronics drivers") Signed-off-by: Wei Yongjun Cc: stable Reviewed-by: Dan Carpenter Link: https://lore.kernel.org/r/20200506134735.102041-1-weiyongjun1@huawei.com Signed-off-by: Greg Kroah-Hartman commit 6b41030fdc79086db5d673c5ed7169f3ee8c13b9 Author: Vladimir Murzin Date: Wed Apr 29 08:15:22 2020 +0100 dmaengine: dmatest: Restore default for channel In case of dmatest is built-in and no channel was configured test doesn't run with: dmatest: Could not start test, no channels configured Even though description to "channel" parameter claims that default is any. Add default channel back as it used to be rather than reject test with no channel configuration. Fixes: d53513d5dc285d9a95a534fc41c5c08af6b60eac ("dmaengine: dmatest: Add support for multi channel testing) Reported-by: Dijil Mohan Signed-off-by: Vladimir Murzin Link: https://lore.kernel.org/r/20200429071522.58148-1-vladimir.murzin@arm.com Signed-off-by: Vinod Koul commit c54a8f1f329197d83d941ad84c4aa38bf282cbbd Author: Bernard Zhao Date: Tue Apr 28 06:17:47 2020 -0700 drm/meson: pm resume add return errno branch pm_resump api did not handle drm_mode_config_helper_resume error. This change add handle to return drm_mode_config_helper_resume`s error number. This code logic is aligned with api pm_suspend. After this change, the code maybe a bit readable. Signed-off-by: Bernard Zhao Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20200428131747.2099-1-bernard@vivo.com commit 9e2ca15322acc5a0a697305e02af9ce5ac881f66 Author: Guo Ren Date: Wed May 13 17:16:26 2020 +0800 csky: Fixup remove unnecessary save/restore PSR code All processes' PSR could success from SETUP_MMU, so need set it in INIT_THREAD again. And use a3 instead of r7 in __switch_to for code convention. Signed-off-by: Guo Ren commit 6633a5aa8eb6bda70eb3a9837efd28a67ccc6e0a Author: Liu Yibin Date: Wed May 13 15:54:15 2020 +0800 csky: Fixup remove duplicate irq_disable Interrupt has been disabled in __schedule() with local_irq_disable() and enabled in finish_task_switch->finish_lock_switch() with local_irq_enabled(), So needn't to disable irq here. Signed-off-by: Liu Yibin Signed-off-by: Guo Ren commit 18c07d23da5a48525b2955aa269b8bb108c19300 Author: Guo Ren Date: Wed May 13 15:15:25 2020 +0800 csky: Fixup calltrace panic The implementation of show_stack will panic with wrong fp: addr = *fp++; because the fp isn't checked properly. The current implementations of show_stack, wchan and stack_trace haven't been designed properly, so just deprecate them. This patch is a reference to riscv's way, all codes are modified from arm's. The patch is passed with: - cat /proc//stack - cat /proc//wchan - echo c > /proc/sysrq-trigger Signed-off-by: Guo Ren commit 229a0ddee1108a3f82a873e6cbbe35c92c540444 Author: Mao Han Date: Mon Apr 20 12:55:23 2020 +0800 csky: Fixup perf callchain unwind [ 5221.974084] Unable to handle kernel paging request at virtual address 0xfffff000, pc: 0x8002c18e [ 5221.985929] Oops: 00000000 [ 5221.989488] [ 5221.989488] CURRENT PROCESS: [ 5221.989488] [ 5221.992877] COMM=callchain_test PID=11962 [ 5221.995213] TEXT=00008000-000087e0 DATA=00009f1c-0000a018 BSS=0000a018-0000b000 [ 5221.999037] USER-STACK=7fc18e20 KERNEL-STACK=be204680 [ 5221.999037] [ 5222.003292] PC: 0x8002c18e (perf_callchain_kernel+0x3e/0xd4) [ 5222.007957] LR: 0x8002c198 (perf_callchain_kernel+0x48/0xd4) [ 5222.074873] Call Trace: [ 5222.074873] [<800a248e>] get_perf_callchain+0x20a/0x29c [ 5222.074873] [<8009d964>] perf_callchain+0x64/0x80 [ 5222.074873] [<8009dc1c>] perf_prepare_sample+0x29c/0x4b8 [ 5222.074873] [<8009de6e>] perf_event_output_forward+0x36/0x98 [ 5222.074873] [<800497e0>] search_exception_tables+0x20/0x44 [ 5222.074873] [<8002cbb6>] do_page_fault+0x92/0x378 [ 5222.074873] [<80098608>] __perf_event_overflow+0x54/0xdc [ 5222.074873] [<80098778>] perf_swevent_hrtimer+0xe8/0x164 [ 5222.074873] [<8002ddd0>] update_mmu_cache+0x0/0xd8 [ 5222.074873] [<8002c014>] user_backtrace+0x58/0xc4 [ 5222.074873] [<8002c0b4>] perf_callchain_user+0x34/0xd0 [ 5222.074873] [<800a2442>] get_perf_callchain+0x1be/0x29c [ 5222.074873] [<8009d964>] perf_callchain+0x64/0x80 [ 5222.074873] [<8009d834>] perf_output_sample+0x78c/0x858 [ 5222.074873] [<8009dc1c>] perf_prepare_sample+0x29c/0x4b8 [ 5222.074873] [<8009de94>] perf_event_output_forward+0x5c/0x98 [ 5222.097846] [ 5222.097846] [<800a0300>] perf_event_exit_task+0x58/0x43c [ 5222.097846] [<8006c874>] hrtimer_interrupt+0x104/0x2ec [ 5222.097846] [<800a0300>] perf_event_exit_task+0x58/0x43c [ 5222.097846] [<80437bb6>] dw_apb_clockevent_irq+0x2a/0x4c [ 5222.097846] [<8006c770>] hrtimer_interrupt+0x0/0x2ec [ 5222.097846] [<8005f2e4>] __handle_irq_event_percpu+0xac/0x19c [ 5222.097846] [<80437bb6>] dw_apb_clockevent_irq+0x2a/0x4c [ 5222.097846] [<8005f408>] handle_irq_event_percpu+0x34/0x88 [ 5222.097846] [<8005f480>] handle_irq_event+0x24/0x64 [ 5222.097846] [<8006218c>] handle_level_irq+0x68/0xdc [ 5222.097846] [<8005ec76>] __handle_domain_irq+0x56/0xa8 [ 5222.097846] [<80450e90>] ck_irq_handler+0xac/0xe4 [ 5222.097846] [<80029012>] csky_do_IRQ+0x12/0x24 [ 5222.097846] [<8002a3a0>] csky_irq+0x70/0x80 [ 5222.097846] [<800ca612>] alloc_set_pte+0xd2/0x238 [ 5222.097846] [<8002ddd0>] update_mmu_cache+0x0/0xd8 [ 5222.097846] [<800a0340>] perf_event_exit_task+0x98/0x43c The original fp check doesn't base on the real kernal stack region. Invalid fp address may cause kernel panic. Signed-off-by: Mao Han Signed-off-by: Guo Ren commit 165f2d2858013253042809df082b8df7e34e86d7 Author: Liu Yibin Date: Tue Apr 21 15:56:28 2020 +0800 csky: Fixup msa highest 3 bits mask Just as comment mentioned, the msa format: cr<30/31, 15> MSA register format: 31 - 29 | 28 - 9 | 8 | 7 | 6 | 5 | 4 | 3 | 2 | 1 | 0 BA Reserved SH WA B SO SEC C D V So we should shift 29 bits not 28 bits for mask Signed-off-by: Liu Yibin Signed-off-by: Guo Ren commit c2e59d1f4df8783856a4e6a05a7d4a76d7cf7082 Author: Guo Ren Date: Tue Apr 14 20:14:12 2020 +0800 csky: Fixup perf probe -x hungup case: # perf probe -x /lib/libc-2.28.9000.so memcpy # perf record -e probe_libc:memcpy -aR sleep 1 System hangup and cpu get in trap_c loop, because our hardware singlestep state could still get interrupt signal. When we get in uprobe_xol singlestep slot, we should disable irq in pt_regs->psr. And is_swbp_insn() need a csky arch implementation with a low 16bit mask. Signed-off-by: Guo Ren Cc: Steven Rostedt (VMware) commit bd11aabd35287b6961d197539aa61da5ab8fc0d7 Author: Guo Ren Date: Wed Apr 8 20:11:03 2020 +0800 csky: Fixup compile error for abiv1 entry.S This bug is from uprobe signal definition in thread_info.h. The instruction (andi) of abiv1 immediate is smaller than abiv2, then it will cause: AS arch/csky/kernel/entry.o arch/csky/kernel/entry.S: Assembler messages: arch/csky/kernel/entry.S:224: Error: Operand 2 immediate is overflow. Signed-off-by: Guo Ren commit a13d5887ffaf128c955432cd6005cd12d50f9124 Author: Guo Ren Date: Wed Apr 8 17:47:33 2020 +0800 csky/ftrace: Fixup error when disable CONFIG_DYNAMIC_FTRACE When CONFIG_DYNAMIC_FTRACE is enabled, static ftrace will fail to boot up and compile. It's a carelessness when developing "dynamic ftrace" and "ftrace with regs". Signed-off-by: Guo Ren commit ea90228c7b2ae6646bb6381385229aabb6f14cd2 Author: Raul E Rangel Date: Mon May 11 10:33:36 2020 -0600 iommu/amd: Fix get_acpihid_device_id() acpi_dev_hid_uid_match() expects a null pointer for UID if it doesn't exist. The acpihid_map_entry contains a char buffer for holding the UID. If no UID was provided in the IVRS table, this buffer will be zeroed. If we pass in a null string, acpi_dev_hid_uid_match() will return false because it will try and match an empty string to the ACPI UID of the device. Fixes: ae5e6c6439c3 ("iommu/amd: Switch to use acpi_dev_hid_uid_match()") Suggested-by: Andy Shevchenko Signed-off-by: Raul E Rangel Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20200511103229.v2.1.I6f1b6f973ee6c8af1348611370c73a0ec0ea53f1@changeid Signed-off-by: Joerg Roedel commit e461b8c991b9202b007ea2059d953e264240b0c9 Author: Alexander Monakov Date: Mon May 11 10:23:52 2020 +0000 iommu/amd: Fix over-read of ACPI UID from IVRS table IVRS parsing code always tries to read 255 bytes from memory when retrieving ACPI device path, and makes an assumption that firmware provides a zero-terminated string. Both of those are bugs: the entry is likely to be shorter than 255 bytes, and zero-termination is not guaranteed. With Acer SF314-42 firmware these issues manifest visibly in dmesg: AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR0\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR1\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR2\xf0\xa5, rdevid:160 AMD-Vi: ivrs, add hid:AMDI0020, uid:\_SB.FUR3>\x83e\x8d\x9a\xd1... The first three lines show how the code over-reads adjacent table entries into the UID, and in the last line it even reads garbage data beyond the end of the IVRS table itself. Since each entry has the length of the UID (uidl member of ivhd_entry struct), use that for memcpy, and manually add a zero terminator. Avoid zero-filling hid and uid arrays up front, and instead ensure the uid array is always zero-terminated. No change needed for the hid array, as it was already properly zero-terminated. Fixes: 2a0cb4e2d423c ("iommu/amd: Add new map for storing IVHD dev entry type HID") Signed-off-by: Alexander Monakov Cc: Joerg Roedel Cc: iommu@lists.linux-foundation.org Link: https://lore.kernel.org/r/20200511102352.1831-1-amonakov@ispras.ru Signed-off-by: Joerg Roedel commit 9aafc1b0187322fa4fd4eb905d0903172237206c Author: Dan Carpenter Date: Tue May 5 21:33:31 2020 +0300 ovl: potential crash in ovl_fid_to_fh() The "buflen" value comes from the user and there is a potential that it could be zero. In do_handle_to_path() we know that "handle->handle_bytes" is non-zero and we do: handle_dwords = handle->handle_bytes >> 2; So values 1-3 become zero. Then in ovl_fh_to_dentry() we do: int len = fh_len << 2; So now len is in the "0,4-128" range and a multiple of 4. But if "buflen" is zero it will try to copy negative bytes when we do the memcpy in ovl_fid_to_fh(). memcpy(&fh->fb, fid, buflen - OVL_FH_WIRE_OFFSET); And that will lead to a crash. Thanks to Amir Goldstein for his help with this patch. Fixes: cbe7fba8edfc ("ovl: make sure that real fid is 32bit aligned in memory") Signed-off-by: Dan Carpenter Reviewed-by: Amir Goldstein Cc: # v5.5 Signed-off-by: Miklos Szeredi commit 852049594b9af58fa2972103699fd58a7ac165c6 Author: Tero Kristo Date: Thu Apr 30 11:34:51 2020 +0300 clk: ti: clkctrl: convert subclocks to use proper names also Addition of the new internal API to get the clkctrl names missed adding the same conversion in place for the subclocks. This leads into missed parent/child relationships (i.e. orphaned clocks) with mixed node name handling, for example with omap4/omap5 where the l4_per clocks are using new naming, but rest are using old. Fix by converting the subclock registration to pick correct names for the clocks also. Fixes: 6c3090520554 ("clk: ti: clkctrl: Fix hidden dependency to node name") Signed-off-by: Tero Kristo Link: https://lkml.kernel.org/r/20200430083451.8562-1-t-kristo@ti.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd commit dc6dbd51009fc412729c307161f442c0a08618f4 Author: Tero Kristo Date: Fri Apr 24 18:23:01 2020 +0300 clk: ti: am33xx: fix RTC clock parent Right now, trying to use RTC purely with the ti-sysc / clkctrl framework fails to enable the RTC module properly. Based on experimentation, this appears to be because RTC is sourced from the clkdiv32k optional clock. TRM is not very clear on this topic, but fix the RTC to use the proper source clock nevertheless. Reported-by: Tony Lindgren Signed-off-by: Tero Kristo Link: https://lkml.kernel.org/r/20200424152301.4018-1-t-kristo@ti.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd commit e1f9e0d28ff025564dfdb1001a7839b4af5db2e2 Author: Tero Kristo Date: Fri Apr 24 15:47:25 2020 +0300 clk: ti: clkctrl: Fix Bad of_node_put within clkctrl_get_name clkctrl_get_name incorrectly calls of_node_put when it is not really doing of_node_get. This causes a boot time warning later on: [ 0.000000] OF: ERROR: Bad of_node_put() on /ocp/interconnect@4a000000/segmen t@0/target-module@5000/cm_core_aon@0/ipu-cm@500/ipu1-clkctrl@20 Fix by dropping the of_node_put from the function. Reported-by: Naresh Kamboju Fixes: 6c3090520554 ("clk: ti: clkctrl: Fix hidden dependency to node name") Signed-off-by: Tero Kristo Link: https://lkml.kernel.org/r/20200424124725.9895-1-t-kristo@ti.com Acked-by: Tony Lindgren Signed-off-by: Stephen Boyd commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 Author: Paolo Abeni Date: Tue May 12 14:43:14 2020 +0200 netlabel: cope with NULL catmap The cipso and calipso code can set the MLS_CAT attribute on successful parsing, even if the corresponding catmap has not been allocated, as per current configuration and external input. Later, selinux code tries to access the catmap if the MLS_CAT flag is present via netlbl_catmap_getlong(). That may cause null ptr dereference while processing incoming network traffic. Address the issue setting the MLS_CAT flag only if the catmap is really allocated. Additionally let netlbl_catmap_getlong() cope with NULL catmap. Reported-by: Matthew Sheets Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions") Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.") Signed-off-by: Paolo Abeni Acked-by: Paul Moore Signed-off-by: David S. Miller commit 69868418e14873638f7fb54e79b3390624af4824 Author: Kefeng Wang Date: Mon May 11 10:19:58 2020 +0800 riscv: Make SYS_SUPPORTS_HUGETLBFS depends on MMU HUGETLBFS only used when MMU enabled, add the dependency. Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 21e2414083e2bad62956312f5c47fc8cbba76d7d Author: Kefeng Wang Date: Mon May 11 10:19:57 2020 +0800 riscv: Disable ARCH_HAS_DEBUG_VIRTUAL if NOMMU DEBUG_VIRTUAL should only used when MMU enabled, add the dependence. Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit fa8174aa225fe3d53b37552e5066e6f0301dbabd Author: Kefeng Wang Date: Mon May 11 10:19:54 2020 +0800 riscv: Add pgprot_writecombine/device and PAGE_SHARED defination if NOMMU Some drivers use PAGE_SHARED, pgprot_writecombine()/pgprot_device(), add the defination to fix build error if NOMMU. Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 0502bee37cdef755d63eee60236562e5605e2480 Author: Kefeng Wang Date: Mon May 11 10:19:53 2020 +0800 riscv: stacktrace: Fix undefined reference to `walk_stackframe' Drop static declaration to fix following build error if FRAME_POINTER disabled, riscv64-linux-ld: arch/riscv/kernel/perf_callchain.o: in function `.L0': perf_callchain.c:(.text+0x2b8): undefined reference to `walk_stackframe' Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit ce0a9d090560c490f29b62a4a01ef128634f0612 Merge: 4d3d641714d1 cec9d101d70a Author: Stephen Boyd Date: Tue May 12 16:36:13 2020 -0700 Merge tag 'v5.7-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip into clk-fixes Pull one Rockchip clk fix from Heiko Stuebner: - Fix for wrongly defines rk3228 aclk_gpu* * tag 'v5.7-rockchip-clk-fixes1' of git://git.kernel.org/pub/scm/linux/kernel/git/mmind/linux-rockchip: clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks commit ab7fbad0c7d7a4f9b320a059a171a92a34b6d409 Author: Kefeng Wang Date: Mon May 11 10:19:52 2020 +0800 riscv: Fix unmet direct dependencies built based on SOC_VIRT Fix unmet direct dependencies Warning and fix Kconfig indent. WARNING: unmet direct dependencies detected for POWER_RESET_SYSCON Depends on [n]: POWER_RESET [=n] && OF [=y] && HAS_IOMEM [=y] Selected by [y]: - SOC_VIRT [=y] WARNING: unmet direct dependencies detected for POWER_RESET_SYSCON_POWEROFF Depends on [n]: POWER_RESET [=n] && OF [=y] && HAS_IOMEM [=y] Selected by [y]: - SOC_VIRT [=y] WARNING: unmet direct dependencies detected for RTC_DRV_GOLDFISH Depends on [n]: RTC_CLASS [=n] && OF [=y] && HAS_IOMEM [=y] && (GOLDFISH [=y] || COMPILE_TEST [=n]) Selected by [y]: - SOC_VIRT [=y] Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 4d3d641714d1f86c19f8d7a1e0889b65d4815817 Author: Thierry Reding Date: Tue May 5 09:16:55 2020 +0200 clk: tegra: Fix initial rate for pll_a on Tegra124 pll_a_out0 and the I2S clocks are already configured to default to rates corresponding to a 44.1 kHz sampling rate, but the pll_a configuration was set to a default that is not listed in the frequency table, which caused the PLL code to compute an invalid configuration. As a result of this invalid configuration, Jetson TK1 fails to resume from suspend. This used to get papered over because the ASoC driver would force audio clocks to a 44.1 kHz configuration on boot. However, that's not really necessary and was hence removed in commit ff5d18cb04f4 ("ASoC: tegra: Enable audio mclk during tegra_asoc_utils_init()"). Fix the initial rate for pll_a so that it matches the 44.1 kHz entry in the pll_a frequency table. Fixes: ff5d18cb04f4 ("ASoC: tegra: Enable audio mclk during tegra_asoc_utils_init()") Signed-off-by: Thierry Reding Link: https://lkml.kernel.org/r/20200505071655.644773-1-thierry.reding@gmail.com Signed-off-by: Stephen Boyd commit 48084c3595cb7429f6ba734cfea1313573b9a7fa Author: Kefeng Wang Date: Thu May 7 23:04:45 2020 +0800 riscv: perf: RISCV_BASE_PMU should be independent Selecting PERF_EVENTS without selecting RISCV_BASE_PMU results in a build error. Signed-off-by: Kefeng Wang [Palmer: commit text] Fixes: 178e9fc47aae("perf: riscv: preliminary RISC-V support") Signed-off-by: Palmer Dabbelt commit 59566b0b622e3e6ea928c0b8cac8a5601b00b383 Author: Steven Rostedt (VMware) Date: Thu Apr 30 20:21:47 2020 -0400 x86/ftrace: Have ftrace trampolines turn read-only at the end of system boot up Booting one of my machines, it triggered the following crash: Kernel/User page tables isolation: enabled ftrace: allocating 36577 entries in 143 pages Starting tracer 'function' BUG: unable to handle page fault for address: ffffffffa000005c #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD 2014067 P4D 2014067 PUD 2015063 PMD 7b253067 PTE 7b252061 Oops: 0003 [#1] PREEMPT SMP PTI CPU: 0 PID: 0 Comm: swapper Not tainted 5.4.0-test+ #24 Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 RIP: 0010:text_poke_early+0x4a/0x58 Code: 34 24 48 89 54 24 08 e8 bf 72 0b 00 48 8b 34 24 48 8b 4c 24 08 84 c0 74 0b 48 89 df f3 a4 48 83 c4 10 5b c3 9c 58 fa 48 89 df a4 50 9d 48 83 c4 10 5b e9 d6 f9 ff ff 0 41 57 49 RSP: 0000:ffffffff82003d38 EFLAGS: 00010046 RAX: 0000000000000046 RBX: ffffffffa000005c RCX: 0000000000000005 RDX: 0000000000000005 RSI: ffffffff825b9a90 RDI: ffffffffa000005c RBP: ffffffffa000005c R08: 0000000000000000 R09: ffffffff8206e6e0 R10: ffff88807b01f4c0 R11: ffffffff8176c106 R12: ffffffff8206e6e0 R13: ffffffff824f2440 R14: 0000000000000000 R15: ffffffff8206eac0 FS: 0000000000000000(0000) GS:ffff88807d400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa000005c CR3: 0000000002012000 CR4: 00000000000006b0 Call Trace: text_poke_bp+0x27/0x64 ? mutex_lock+0x36/0x5d arch_ftrace_update_trampoline+0x287/0x2d5 ? ftrace_replace_code+0x14b/0x160 ? ftrace_update_ftrace_func+0x65/0x6c __register_ftrace_function+0x6d/0x81 ftrace_startup+0x23/0xc1 register_ftrace_function+0x20/0x37 func_set_flag+0x59/0x77 __set_tracer_option.isra.19+0x20/0x3e trace_set_options+0xd6/0x13e apply_trace_boot_options+0x44/0x6d register_tracer+0x19e/0x1ac early_trace_init+0x21b/0x2c9 start_kernel+0x241/0x518 ? load_ucode_intel_bsp+0x21/0x52 secondary_startup_64+0xa4/0xb0 I was able to trigger it on other machines, when I added to the kernel command line of both "ftrace=function" and "trace_options=func_stack_trace". The cause is the "ftrace=function" would register the function tracer and create a trampoline, and it will set it as executable and read-only. Then the "trace_options=func_stack_trace" would then update the same trampoline to include the stack tracer version of the function tracer. But since the trampoline already exists, it updates it with text_poke_bp(). The problem is that text_poke_bp() called while system_state == SYSTEM_BOOTING, it will simply do a memcpy() and not the page mapping, as it would think that the text is still read-write. But in this case it is not, and we take a fault and crash. Instead, lets keep the ftrace trampolines read-write during boot up, and then when the kernel executable text is set to read-only, the ftrace trampolines get set to read-only as well. Link: https://lkml.kernel.org/r/20200430202147.4dc6e2de@oasis.local.home Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Andy Lutomirski Cc: Borislav Petkov Cc: Josh Poimboeuf Cc: "H. Peter Anvin" Cc: stable@vger.kernel.org Fixes: 768ae4406a5c ("x86/ftrace: Use text_poke()") Acked-by: Peter Zijlstra Signed-off-by: Steven Rostedt (VMware) commit fb6823a6f9801dbe86b6551103f477dd3c5d115a Author: Tony Lindgren Date: Wed May 13 08:56:26 2020 -0700 ARM: dts: Fix wrong mdio clock for dm814x Recent PTP-specific cpsw driver changes started exposing an issue on at at least j5eco-evm: Unhandled fault: external abort on non-linefetch (0x1008) at 0xf0169004 ... (davinci_mdio_runtime_suspend) from [] (__rpm_callback+0x84/0x154) (__rpm_callback) from [] (rpm_callback+0x20/0x80) (rpm_callback) from [] (rpm_suspend+0xfc/0x6ac) (rpm_suspend) from [] (pm_runtime_work+0x88/0xa4) (pm_runtime_work) from [] (process_one_work+0x228/0x568) ... Let's fix the issue by using the correct mdio clock as suggested by Grygorii Strashko . The DM814_ETHERNET_CPGMAC0_CLKCTRL clock is the interconnect target module clock and managed by ti-sysc. Fixes: 6398f3478e45 ("ARM: dts: Configure interconnect target module for dm814x cpsw") Cc: Grygorii Strashko Signed-off-by: Tony Lindgren commit ccfdbaa5cf4601b9b71601893029dcc9245c002b Author: Jason Gunthorpe Date: Thu May 7 09:33:48 2020 +0300 RDMA/uverbs: Move IB_EVENT_DEVICE_FATAL to destroy_uobj When multiple async FDs were allowed to exist the idea was for all broadcast events to be delivered to all async FDs, however IB_EVENT_DEVICE_FATAL was missed. Instead of having ib_uverbs_free_hw_resources() special case the global async_fd, have it cause the event during the uobject destruction. Every async fd is now a uobject so simply generate the IB_EVENT_DEVICE_FATAL while destroying the async fd uobject. This ensures every async FD gets a copy of the event. Fixes: d680e88e2013 ("RDMA/core: Add UVERBS_METHOD_ASYNC_EVENT_ALLOC") Link: https://lore.kernel.org/r/20200507063348.98713-3-leon@kernel.org Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit c485b19d52c4ba269dfd027945dee81755fdd530 Author: Jason Gunthorpe Date: Thu May 7 09:33:47 2020 +0300 RDMA/uverbs: Do not discard the IB_EVENT_DEVICE_FATAL event The commit below moved all of the destruction to the disassociate step and cleaned up the event channel during destroy_uobj. However, when ib_uverbs_free_hw_resources() pushes IB_EVENT_DEVICE_FATAL and then immediately goes to destroy all uobjects this causes ib_uverbs_free_event_queue() to discard the queued event if userspace hasn't already read() it. Unlike all other event queues async FD needs to defer the ib_uverbs_free_event_queue() until FD release. This still unregisters the handler from the IB device during disassociation. Fixes: 3e032c0e92aa ("RDMA/core: Make ib_uverbs_async_event_file into a uobject") Link: https://lore.kernel.org/r/20200507063348.98713-2-leon@kernel.org Signed-off-by: Yishai Hadas Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 24adbc1676af4e134e709ddc7f34cf2adc2131e4 Author: Eric Dumazet Date: Tue May 12 06:54:30 2020 -0700 tcp: fix SO_RCVLOWAT hangs with fat skbs We autotune rcvbuf whenever SO_RCVLOWAT is set to account for 100% overhead in tcp_set_rcvlowat() This works well when skb->len/skb->truesize ratio is bigger than 0.5 But if we receive packets with small MSS, we can end up in a situation where not enough bytes are available in the receive queue to satisfy RCVLOWAT setting. As our sk_rcvbuf limit is hit, we send zero windows in ACK packets, preventing remote peer from sending more data. Even autotuning does not help, because it only triggers at the time user process drains the queue. If no EPOLLIN is generated, this can not happen. Note poll() has a similar issue, after commit c7004482e8dc ("tcp: Respect SO_RCVLOWAT in tcp_poll().") Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller commit 92db978f0d686468e527d49268e7c7e8d97d334b Author: Clay McClure Date: Tue May 12 13:02:30 2020 +0300 net: ethernet: ti: Remove TI_CPTS_MOD workaround My recent commit b6d49cab44b5 ("net: Make PTP-specific drivers depend on PTP_1588_CLOCK") exposes a missing dependency in defconfigs that select TI_CPTS without selecting PTP_1588_CLOCK, leading to linker errors of the form: drivers/net/ethernet/ti/cpsw.o: in function `cpsw_ndo_stop': cpsw.c:(.text+0x680): undefined reference to `cpts_unregister' ... That's because TI_CPTS_MOD (which is the symbol gating the _compilation_ of cpts.c) now depends on PTP_1588_CLOCK, and so is not enabled in these configurations, but TI_CPTS (which is the symbol gating _calls_ to the cpts functions) _is_ enabled. So we end up compiling calls to functions that don't exist, resulting in the linker errors. This patch fixes build errors and restores previous behavior by: - ensure PTP_1588_CLOCK=y in TI specific configs and CPTS will be built - remove TI_CPTS_MOD and, instead, add dependencies from CPTS in TI_CPSW/TI_KEYSTONE_NETCP/TI_CPSW_SWITCHDEV as below: config TI_CPSW_SWITCHDEV ... depends on TI_CPTS || !TI_CPTS which will ensure proper dependencies PTP_1588_CLOCK -> TI_CPTS -> TI_CPSW/TI_KEYSTONE_NETCP/TI_CPSW_SWITCHDEV and build type selection. Note. For NFS boot + CPTS all of above configs have to be built-in. Cc: Arnd Bergmann Cc: Dan Murphy Cc: Tony Lindgren Fixes: b6d49cab44b5 ("net: Make PTP-specific drivers depend on PTP_1588_CLOCK") Reported-by: kbuild test robot Signed-off-by: Clay McClure [grygorii.strashko@ti.com: rewording, add deps cpsw/netcp from cpts, drop IS_REACHABLE] Signed-off-by: Grygorii Strashko Reviewed-by: Arnd Bergmann Tested-by: Tony Lindgren Signed-off-by: David S. Miller commit d6718ccb2502fadeaf4abb2337587bb6eb0e3960 Merge: 2c864c78c238 ddc5911b9bd2 Author: David S. Miller Date: Tue May 12 12:12:34 2020 -0700 Merge branch 'ionic-fixes' Shannon Nelson says: ==================== ionic fixes These are a couple more fixes after more fw-upgrade testing. ==================== Signed-off-by: David S. Miller commit ddc5911b9bd228dd69de976a4545292420f45e73 Author: Shannon Nelson Date: Mon May 11 14:04:45 2020 -0700 ionic: call ionic_port_init after fw-upgrade Since the fw has been re-inited, we need to refresh the port information dma address so we can see fresh port information. Let's call ionic_port_init again, and tweak it to allow for a call to simply refresh the existing dma address. Fixes: c672412f6172 ("ionic: remove lifs on fw reset") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller commit f20a4d404122b183b7d66cadea917fcd1340c05b Author: Shannon Nelson Date: Mon May 11 14:04:44 2020 -0700 ionic: leave netdev mac alone after fw-upgrade When running in a bond setup, or some other potential configurations, the netdev mac may have been changed from the default device mac. Since the userland doesn't know about the changes going on under the covers in a fw-upgrade it doesn't know the re-push the mac filter. The driver needs to leave the netdev mac filter alone when rebuilding after the fw-upgrade. Fixes: c672412f6172 ("ionic: remove lifs on fw reset") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller commit 2c864c78c2386ada7433268cdfa8cb77cfe31bf3 Author: Jacob Keller Date: Mon May 11 14:02:15 2020 -0700 ptp: fix struct member comment for do_aux_work The do_aux_work callback had documentation in the structure comment which referred to it as "do_work". Signed-off-by: Jacob Keller Cc: Richard Cochran Acked-by: Richard Cochran Signed-off-by: David S. Miller commit 64d950ae0b01eae96eb668b789c6d145c38ac41c Author: Christoph Paasch Date: Mon May 11 09:24:42 2020 -0700 mptcp: Initialize map_seq upon subflow establishment When the other MPTCP-peer uses 32-bit data-sequence numbers, we rely on map_seq to indicate how to expand to a 64-bit data-sequence number in expand_seq() when receiving data. For new subflows, this field is not initialized, thus results in an "invalid" mapping being discarded. Fix this by initializing map_seq upon subflow establishment time. Fixes: f296234c98a8 ("mptcp: Add handling of incoming MP_JOIN requests") Signed-off-by: Christoph Paasch Reviewed-by: Paolo Abeni Signed-off-by: David S. Miller commit 24085f70a6e1b0cb647ec92623284641d8270637 Merge: 8ec91c0fce15 611d0a95d46b Author: Linus Torvalds Date: Tue May 12 11:06:26 2020 -0700 Merge tag 'trace-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: "Fixes to previous fixes. Unfortunately, the last set of fixes introduced some minor bugs: - The bootconfig apply_xbc() leak fix caused the application to return a positive number on success, when it should have returned zero. - The preempt_irq_delay_thread fix to make the creation code wait for the kthread to finish to prevent it from executing after module unload, can now cause the kthread to exit before it even executes (preventing it to run its tests). - The fix to the bootconfig that fixed the initrd to remove the bootconfig from causing the kernel to panic, now prints a warning that the bootconfig is not found, even when bootconfig is not on the command line" * tag 'trace-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: bootconfig: Fix to prevent warning message if no bootconfig option tracing: Wait for preempt irq delay thread to execute tools/bootconfig: Fix apply_xbc() to return zero on success commit 8ec91c0fce1500306a858d0c35d1383fd9eb6ba6 Merge: e719340f46bd 0cf253eed5d2 Author: Linus Torvalds Date: Tue May 12 10:39:34 2020 -0700 Merge tag 'gpio-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio Pull GPIO fixes from Linus Walleij: "Some GPIO fixes for v5.7, slightly overdue. Been learning MMUs and KASan that is why it's late. Bartosz helped me out, luckily! - Fix pin configuration in the PCA953x driver - Ruggedize the watch/unwatch ioctl() - Possible call to a sleeping function when holding a spinlock, avoid this - Fix UML builds with DT overlays - Mask Tegra GPIO IRQs during shutdown()" * tag 'gpio-v5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio: gpio: tegra: mask GPIO IRQs during IRQ shutdown gpio: of: Build fails if CONFIG_OF_DYNAMIC enabled without CONFIG_OF_GPIO gpiolib: don't call sleeping functions with a spinlock taken gpiolib: improve the robustness of watch/unwatch ioctl() gpio: pca953x: Fix pca953x_gpio_set_config commit e719340f46bd9413590121b140714728862ffe05 Merge: 152036d1379f b14c94908b1b Author: Linus Torvalds Date: Tue May 12 10:32:32 2020 -0700 Merge tag 'gfs2-v5.7-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2 Pull gfs2 fixes from Andreas Gruenbacher: "Various gfs2 fixes. Fixes for bugs prior to v5.7: - Fix random block reads when reading fragmented journals (v5.2) - Fix a possible random memory access in gfs2_walk_metadata (v5.3) Fixes for v5.7: - Fix several overlooked gfs2_qa_get / gfs2_qa_put imbalances - Fix several bugs in the new filesystem withdraw logic" * tag 'gfs2-v5.7-rc1.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2: Revert "gfs2: Don't demote a glock until its revokes are written" gfs2: If go_sync returns error, withdraw but skip invalidate gfs2: Grab glock reference sooner in gfs2_add_revoke gfs2: don't call quota_unhold if quotas are not locked gfs2: move privileged user check to gfs2_quota_lock_check gfs2: remove check for quotas on in gfs2_quota_check gfs2: Change BUG_ON to an assert_withdraw in gfs2_quota_change gfs2: Fix problems regarding gfs2_qa_get and _put gfs2: More gfs2_find_jhead fixes gfs2: Another gfs2_walk_metadata fix gfs2: Fix use-after-free in gfs2_logd after withdraw gfs2: Fix BUG during unmount after file system withdraw gfs2: Fix error exit in do_xmote gfs2: fix withdraw sequence deadlock commit b69e2ef24b7b4867f80f47e2781e95d0bacd15cb Author: Keith Busch Date: Fri May 8 13:04:06 2020 -0700 nvme-pci: dma read memory barrier for completions Control dependencies do not guarantee load order across the condition, allowing a CPU to predict and speculate memory reads. Commit 324b494c2862 inlined verifying a new completion with its handling. At least one architecture was observed to access the contents out of order, resulting in the driver using stale data for the completion. Add a dma read barrier before reading the completion queue entry and after the condition its contents depend on to ensure the read order is determinsitic. Reported-by: John Garry Suggested-by: Will Deacon Signed-off-by: Keith Busch Tested-by: John Garry Acked-by: Will Deacon Reviewed-by: Sagi Grimberg Signed-off-by: Christoph Hellwig commit c8b1f340e54158662acfa41d6dee274846370282 Author: Potnuri Bharat Teja Date: Tue May 12 00:26:08 2020 +0530 RDMA/iw_cxgb4: Fix incorrect function parameters While reading the TCB field in t4_tcb_get_field32() the wrong mask is passed as a parameter which leads the driver eventually to a kernel panic/app segfault from access to an illegal SRQ index while flushing the SRQ completions during connection teardown. Fixes: 11a27e2121a5 ("iw_cxgb4: complete the cached SRQ buffers") Link: https://lore.kernel.org/r/20200511185608.5202-1-bharat@chelsio.com Signed-off-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe commit 50bbe3d34fea74b7c0fabe553c40c2f4a48bb9c3 Author: Maor Gottlieb Date: Thu May 7 09:29:42 2020 +0300 RDMA/core: Fix double put of resource Do not decrease the reference count of resource tracker object twice in the error flow of res_get_common_doit. Fixes: c5dfe0ea6ffa ("RDMA/nldev: Add resource tracker doit callback") Link: https://lore.kernel.org/r/20200507062942.98305-1-leon@kernel.org Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit 1901b91f99821955eac2bd48fe25ee983385dc00 Author: Jack Morgenstein Date: Thu May 7 10:10:12 2020 +0300 IB/core: Fix potential NULL pointer dereference in pkey cache The IB core pkey cache is populated by procedure ib_cache_update(). Initially, the pkey cache pointer is NULL. ib_cache_update allocates a buffer and populates it with the device's pkeys, via repeated calls to procedure ib_query_pkey(). If there is a failure in populating the pkey buffer via ib_query_pkey(), ib_cache_update does not replace the old pkey buffer cache with the updated one -- it leaves the old cache as is. Since initially the pkey buffer cache is NULL, when calling ib_cache_update the first time, a failure in ib_query_pkey() will cause the pkey buffer cache pointer to remain NULL. In this situation, any calls subsequent to ib_get_cached_pkey(), ib_find_cached_pkey(), or ib_find_cached_pkey_exact() will try to dereference the NULL pkey cache pointer, causing a kernel panic. Fix this by checking the ib_cache_update() return value. Fixes: 8faea9fd4a39 ("RDMA/cache: Move the cache per-port data into the main ib_port_data") Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Link: https://lore.kernel.org/r/20200507071012.100594-1-leon@kernel.org Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit fa8dac3968635dec8518a13ac78d662f2aa88e4d Author: Mike Marciniszyn Date: Mon May 4 09:09:17 2020 -0400 IB/hfi1: Fix another case where pq is left on waitlist The commit noted below fixed a case where a pq is left on the sdma wait list. It however missed another case. user_sdma_send_pkts() has two calls from hfi1_user_sdma_process_request(). If the first one fails as indicated by -EBUSY, the pq will be placed on the waitlist as by design. If the second call then succeeds, the pq is still on the waitlist setting up a race with the interrupt handler if a subsequent request uses a different SDMA engine Fix by deleting the first call. The use of pcount and the intent to send a short burst of packets followed by the larger balance of packets was never correctly implemented, because the two calls always send pcount packets no matter what. A subsequent patch will correct that issue. Fixes: 9a293d1e21a6 ("IB/hfi1: Ensure pq is not left on waitlist") Link: https://lore.kernel.org/r/20200504130917.175613.43231.stgit@awfm-01.aw.intel.com Cc: Reviewed-by: Kaike Wan Signed-off-by: Mike Marciniszyn Signed-off-by: Jason Gunthorpe commit 856ec7f64688387b100b7083cdf480ce3ac41227 Author: Denis V. Lunev Date: Tue Apr 28 16:15:11 2020 +0300 IB/i40iw: Remove bogus call to netdev_master_upper_dev_get() Local variable netdev is not used in these calls. It should be noted, that this change is required to work in bonded mode. Otherwise we would get the following assert: "RTNL: assertion failed at net/core/dev.c (5665)" With the calltrace as follows: dump_stack+0x19/0x1b netdev_master_upper_dev_get+0x61/0x70 i40iw_addr_resolve_neigh+0x1e8/0x220 i40iw_make_cm_node+0x296/0x700 ? i40iw_find_listener.isra.10+0xcc/0x110 i40iw_receive_ilq+0x3d4/0x810 i40iw_puda_poll_completion+0x341/0x420 i40iw_process_ceq+0xa5/0x280 i40iw_ceq_dpc+0x1e/0x40 tasklet_action+0x83/0x140 __do_softirq+0x125/0x2bb call_softirq+0x1c/0x30 do_softirq+0x65/0xa0 irq_exit+0x105/0x110 do_IRQ+0x56/0xf0 common_interrupt+0x16a/0x16a ? cpuidle_enter_state+0x57/0xd0 cpuidle_idle_call+0xde/0x230 arch_cpu_idle+0xe/0xc0 cpu_startup_entry+0x14a/0x1e0 start_secondary+0x1f7/0x270 start_cpu+0x5/0x14 Link: https://lore.kernel.org/r/20200428131511.11049-1-den@openvz.org Signed-off-by: Denis V. Lunev Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe commit 6693ca95bd4330a0ad7326967e1f9bcedd6b0800 Author: Jack Morgenstein Date: Sun Apr 26 10:59:21 2020 +0300 IB/mlx4: Test return value of calls to ib_get_cached_pkey In the mlx4_ib_post_send() flow, some functions call ib_get_cached_pkey() without checking its return value. If ib_get_cached_pkey() returns an error code, these functions should return failure. Fixes: 1ffeb2eb8be9 ("IB/mlx4: SR-IOV IB context objects and proxy/tunnel SQP support") Fixes: 225c7b1feef1 ("IB/mlx4: Add a driver Mellanox ConnectX InfiniBand adapters") Fixes: e622f2f4ad21 ("IB: split struct ib_send_wr") Link: https://lore.kernel.org/r/20200426075921.130074-1-leon@kernel.org Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe commit bb43c8e382e5da0ee253e3105d4099820ff4d922 Author: Sudip Mukherjee Date: Sun Apr 26 00:35:45 2020 +0100 RDMA/rxe: Always return ERR_PTR from rxe_create_mmap_info() The commit below modified rxe_create_mmap_info() to return ERR_PTR's but didn't update the callers to handle them. Modify rxe_create_mmap_info() to only return ERR_PTR and fix all error checking after rxe_create_mmap_info() is called. Ensure that all other exit paths properly set the error return. Fixes: ff23dfa13457 ("IB: Pass only ib_udata in function prototypes") Link: https://lore.kernel.org/r/20200425233545.17210-1-sudipm.mukherjee@gmail.com Link: https://lore.kernel.org/r/20200511183742.GB225608@mwanda Cc: stable@vger.kernel.org [5.4+] Signed-off-by: Sudip Mukherjee Signed-off-by: Dan Carpenter Signed-off-by: Jason Gunthorpe commit 611d0a95d46b0977a530b4d538948c69d447b001 Author: Masami Hiramatsu Date: Mon May 11 10:39:24 2020 +0900 bootconfig: Fix to prevent warning message if no bootconfig option Commit de462e5f1071 ("bootconfig: Fix to remove bootconfig data from initrd while boot") causes a cosmetic regression on dmesg, which warns "no bootconfig data" message without bootconfig cmdline option. Fix setup_boot_config() by moving no bootconfig check after commandline option check. Link: http://lkml.kernel.org/r/9b1ba335-071d-c983-89a4-2677b522dcc8@molgen.mpg.de Link: http://lkml.kernel.org/r/158916116468.21787.14558782332170588206.stgit@devnote2 Fixes: de462e5f1071 ("bootconfig: Fix to remove bootconfig data from initrd while boot") Reported-by: Paul Menzel Reviewed-by: Paul Menzel Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit 650e723cecf2738dee828564396f3239829aba83 Author: Leo (Hanghong) Ma Date: Fri May 8 14:18:07 2020 -0400 drm/amd/amdgpu: Update update_config() logic [Why] For MST case: when update_config is called to disable a stream, this clears the settings for all the streams on that link. We should only clear the settings for the stream that was disabled. [How] Clear the settings after the call to remove display is called. Reviewed-by: Harry Wentland Reviewed-by: Bhawanpreet Lakha Signed-off-by: Leo (Hanghong) Ma Signed-off-by: Alex Deucher commit 975f543e7522e17b8a4bf34d7daeac44819aee5a Author: Tom St Denis Date: Thu May 7 08:35:40 2020 -0400 drm/amd/amdgpu: add raven1 part to the gfxoff quirk list On my raven1 system (rev c6) with VBIOS 113-RAVEN-114 GFXOFF is not stable (resulting in large block tiling noise in some applications). Disabling GFXOFF via the quirk list fixes the problems for me. Signed-off-by: Tom St Denis Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit dca4f40742e09ec5d908a7fc2862498e6cf9d911 Author: Venkata Narendra Kumar Gutta Date: Fri May 1 12:00:17 2020 +0530 pinctrl: qcom: Add affinity callbacks to msmgpio IRQ chip Wakeup capable GPIO IRQs routed via PDC are not being migrated when a CPU is hotplugged. Add affinity callbacks to msmgpio IRQ chip to update the affinity of wakeup capable IRQs. Fixes: e35a6ae0eb3a ("pinctrl/msm: Setup GPIO chip in hierarchy") Signed-off-by: Venkata Narendra Kumar Gutta [mkshah: updated commit text and minor code fixes] Signed-off-by: Maulik Shah Tested-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1588314617-4556-1-git-send-email-mkshah@codeaurora.org Signed-off-by: Linus Walleij commit 249c9b0cd193d983c3a0b00f3fd3b92333bfeebe Author: Christophe Leroy Date: Sat May 9 17:05:11 2020 +0000 powerpc/40x: Make more space for system call exception When CONFIG_VIRT_CPU_ACCOUNTING is selected, system call exception handler doesn't fit below 0xd00 and build fails. As exception 0xd00 doesn't exist and is never generated by 40x, comment it out in order to get more space for system call exception. Fixes: 9e27086292aa ("powerpc/32: Warn and return ENOSYS on syscalls from kernel") Reported-by: kbuild test robot Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/633165d72f75b4ef4c0901aebe99d3915c93e9a2.1589043863.git.christophe.leroy@csgroup.eu commit 340eaff651160234bdbce07ef34b92a8e45cd540 Author: Phil Sutter Date: Mon May 11 15:31:41 2020 +0200 netfilter: nft_set_rbtree: Add missing expired checks Expired intervals would still match and be dumped to user space until garbage collection wiped them out. Make sure they stop matching and disappear (from users' perspective) as soon as they expire. Fixes: 8d8540c4f5e03 ("netfilter: nft_set_rbtree: add timeout support") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso commit 9ed81c8e0deb7bd2aa0d69371e4a0f9a7b31205d Author: Pablo Neira Ayuso Date: Mon May 11 11:54:31 2020 +0200 netfilter: flowtable: set NF_FLOW_TEARDOWN flag on entry expiration If the flow timer expires, the gc sets on the NF_FLOW_TEARDOWN flag. Otherwise, the flowtable software path might race to refresh the timeout, leaving the state machine in inconsistent state. Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support") Reported-by: Paul Blakey Reviewed-by: Roi Dayan Signed-off-by: Pablo Neira Ayuso commit 8f592ada59b321d248391bae175cd78a12972223 Author: Dave Young Date: Sun Apr 12 10:49:27 2020 +0800 efi/earlycon: Fix early printk for wider fonts When I play with terminus fonts I noticed the efi early printk does not work because the earlycon code assumes font width is 8. Here add the code to adapt with larger fonts. Tested with all kinds of kernel built-in fonts on my laptop. Also tested with a local draft patch for 14x28 !bold terminus font. Signed-off-by: Dave Young Link: https://lore.kernel.org/r/20200412024927.GA6884@dhcp-128-65.nay.redhat.com Signed-off-by: Ard Biesheuvel commit bd84dff0217414d9f9b829a3b75b2487aff857b7 Author: Ma Feng Date: Tue May 12 09:46:13 2020 +0800 ARM: oxnas: make ox820_boot_secondary static Fix sparse warning: arch/arm/mach-oxnas/platsmp.c:30:12: warning: symbol 'ox820_boot_secondary' was not declared. Should it be static? Reported-by: Hulk Robot Signed-off-by: Ma Feng Acked-by: Neil Armstrong Fixes: af76e806b5b7 ("ARM: oxnas: Add OX820 SMP support") Signed-off-by: Neil Armstrong Link: https://lore.kernel.org/r/1589247973-29728-1-git-send-email-mafeng.ma@huawei.com commit 1b94e59d30afecf18254ad413e953e7587645a20 Author: Takashi Iwai Date: Tue May 12 09:32:03 2020 +0200 ALSA: hda/realtek - Add COEF workaround for ASUS ZenBook UX431DA ASUS ZenBook UX431DA requires an additional COEF setup when booted from the recent Windows 10, otherwise it produces the noisy output. The quirk turns on COEF 0x1b bit 10 that has been cleared supposedly due to the pop noise reduction. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207553 Cc: Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20200512073203.14091-1-tiwai@suse.de Signed-off-by: Takashi Iwai commit 475e8423024d4713c8b791b2fa27b09fbcb7d2ca Merge: a9d094dcf784 72a7a9925e2b Author: Rodrigo Vivi Date: Mon May 11 23:55:25 2020 -0700 Merge tag 'gvt-fixes-2020-05-12' of https://github.com/intel/gvt-linux into drm-intel-fixes gvt-fixes-2020-05-12 - Correct transcoder and DPLL initial clock to fix recent guest display probe failure. (Colin) - Fix kernel oops on older guest using aliasing ppgtt. (Zhenyu) Signed-off-by: Rodrigo Vivi From: Zhenyu Wang Link: https://patchwork.freedesktop.org/patch/msgid/20200512024803.GQ18545@zhen-hp.sh.intel.com commit 7900e81797613b92f855f9921392a7430cbdf88c Author: Jian-Hong Pan Date: Tue May 12 14:15:28 2020 +0800 ALSA: hda/realtek: Enable headset mic of ASUS UX581LV with ALC295 The ASUS UX581LV laptop's audio (1043:19e1) with ALC295 can't detect the headset microphone until ALC295_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. Signed-off-by: Jian-Hong Pan Link: https://lore.kernel.org/r/20200512061525.133985-3-jian-hong@endlessm.com Signed-off-by: Takashi Iwai commit ad97d667854c2fbce05a004e107f358ef4b04cf6 Author: Jian-Hong Pan Date: Tue May 12 14:15:26 2020 +0800 ALSA: hda/realtek - Enable headset mic of ASUS UX550GE with ALC295 The ASUS laptop UX550GE with ALC295 can't detect the headset microphone until ALC295_FIXUP_ASUS_MIC_NO_PRESENCE quirk applied. Signed-off-by: Jian-Hong Pan Signed-off-by: Daniel Drake Link: https://lore.kernel.org/r/20200512061525.133985-2-jian-hong@endlessm.com Signed-off-by: Takashi Iwai commit 9e43342b464f1de570a3ad8256ac77645749ef45 Author: Chris Chiu Date: Tue May 12 14:15:24 2020 +0800 ALSA: hda/realtek - Enable headset mic of ASUS GL503VM with ALC295 The ASUS laptop GL503VM with ALC295 can't detect the headset microphone. The headset microphone does not work until pin 0x19 is enabled for it. Signed-off-by: Chris Chiu Signed-off-by: Daniel Drake Signed-off-by: Jian-Hong Pan Link: https://lore.kernel.org/r/20200512061525.133985-1-jian-hong@endlessm.com Signed-off-by: Takashi Iwai commit 05d18ae1cc8a0308b12f37b4ab94afce3535fac9 Author: Can Guo Date: Tue May 5 21:55:35 2020 -0700 scsi: pm: Balance pm_only counter of request queue during system resume During system resume, scsi_resume_device() decreases a request queue's pm_only counter if the scsi device was quiesced before. But after that, if the scsi device's RPM status is RPM_SUSPENDED, the pm_only counter is still held (non-zero). Current SCSI resume hook only sets the RPM status of the scsi_device and its request queue to RPM_ACTIVE, but leaves the pm_only counter unchanged. This may make the request queue's pm_only counter remain non-zero after resume hook returns, hence those who are waiting on the mq_freeze_wq would never be woken up. Fix this by calling blk_post_runtime_resume() if a sdev's RPM status was RPM_SUSPENDED. (struct request_queue)0xFFFFFF815B69E938 pm_only = (counter = 2), rpm_status = 0, dev = 0xFFFFFF815B0511A0, ((struct device)0xFFFFFF815B0511A0)).power is_suspended = FALSE, runtime_status = RPM_ACTIVE, (struct scsi_device)0xffffff815b051000 request_queue = 0xFFFFFF815B69E938, sdev_state = SDEV_RUNNING, quiesced_by = 0x0, B::v.f_/task_0xFFFFFF810C246940 -000|__switch_to(prev = 0xFFFFFF810C246940, next = 0xFFFFFF80A49357C0) -001|context_switch(inline) -001|__schedule(?) -002|schedule() -003|blk_queue_enter(q = 0xFFFFFF815B69E938, flags = 0) -004|generic_make_request(?) -005|submit_bio(bio = 0xFFFFFF80A8195B80) Link: https://lore.kernel.org/r/1588740936-28846-1-git-send-email-cang@codeaurora.org Reviewed-by: Bart Van Assche Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen commit fb9024b0646939e59d8a0b6799b317070619795a Author: Ewan D. Milne Date: Mon May 4 13:54:16 2020 -0400 scsi: qla2xxx: Do not log message when reading port speed via sysfs Calling ql_log() inside qla2x00_port_speed_show() is causing messages to be output to the console for no particularly good reason. The sysfs read routine should just return the information to userspace. The only reason to log a message is when the port speed actually changes, and this already occurs elsewhere. Link: https://lore.kernel.org/r/20200504175416.15417-1-emilne@redhat.com Fixes: 4910b524ac9e ("scsi: qla2xxx: Add support for setting port speed") Cc: # v5.1+ Reviewed-by: Lee Duncan Reviewed-by: Laurence Oberman Reviewed-by: Himanshu Madhani Signed-off-by: Ewan D. Milne Signed-off-by: Martin K. Petersen commit 1abfb181e089868fec0d00404b0cf4615b7df825 Merge: e8a1b0efd632 2c4bb8093c3b Author: David S. Miller Date: Mon May 11 14:00:44 2020 -0700 Merge branch 'net-ipa-fix-cleanup-after-modem-crash' Alex Elder says: ==================== net: ipa: fix cleanup after modem crash The first patch in this series fixes a bug where the size of a data transfer request was never set, meaning it was 0. The consequence of this was that such a transfer request would never complete if attempted, and led to a hung task timeout. This data transfer is required for cleaning up IPA hardware state when recovering from a modem crash. The code to implement this cleanup is already present, but its use was commented out because it hit the bug described above. So the second patch in this series enables the use of that "tag process" cleanup code. ==================== Signed-off-by: David S. Miller commit 8b1fac2e73e84ef0d6391051880a8e1d7044c847 Author: Steven Rostedt (VMware) Date: Sun May 10 11:35:10 2020 -0400 tracing: Wait for preempt irq delay thread to execute A bug report was posted that running the preempt irq delay module on a slow machine, and removing it quickly could lead to the thread created by the modlue to execute after the module is removed, and this could cause the kernel to crash. The fix for this was to call kthread_stop() after creating the thread to make sure it finishes before allowing the module to be removed. Now this caused the opposite problem on fast machines. What now happens is the kthread_stop() can cause the kthread never to execute and the test never to run. To fix this, add a completion and wait for the kthread to execute, then wait for it to end. This issue caused the ftracetest selftests to fail on the preemptirq tests. Link: https://lore.kernel.org/r/20200510114210.15d9e4af@oasis.local.home Cc: stable@vger.kernel.org Fixes: d16a8c31077e ("tracing: Wait for preempt irq delay thread to finish") Reviewed-by: Joel Fernandes (Google) Signed-off-by: Steven Rostedt (VMware) commit 2c4bb8093c3bfebc8113c683a5de83c64d43514c Author: Alex Elder Date: Thu May 7 14:14:04 2020 -0500 net: ipa: use tag process on modem crash One part of recovering from a modem crash is performing a "tag sequence" of several IPA immediate commands, to clear the hardware pipeline. The sequence ends with a data transfer request on the command endpoint (which is not otherwise done). Unfortunately, attempting to do the data transfer led to a hang, so that request plus two other commands were commented out. The previous commit fixes the bug that was causing that hang. And with that bug fixed we can properly issue the tag sequence when the modem crashes, to return the hardware to a known state. Signed-off-by: Alex Elder Signed-off-by: David S. Miller commit c781e1d4f3e23d5fc138dad2fd98ca0e0dd9c592 Author: Alex Elder Date: Thu May 7 14:14:03 2020 -0500 net: ipa: set DMA length in gsi_trans_cmd_add() When a command gets added to a transaction for the AP->command channel we set the DMA address of its scatterlist entry, but not its DMA length. Fix this bug. Signed-off-by: Alex Elder Signed-off-by: David S. Miller commit 9d82ccda2bc5c148060543d249d54f8703741bb4 Author: Steven Rostedt (VMware) Date: Fri May 8 11:07:56 2020 -0400 tools/bootconfig: Fix apply_xbc() to return zero on success The return of apply_xbc() returns the result of the last write() call, which is not what is expected. It should only return zero on success. Link: https://lore.kernel.org/r/20200508093059.GF9365@kadam Fixes: 8842604446d1 ("tools/bootconfig: Fix resource leak in apply_xbc()") Reported-by: Dan Carpenter Acked-by: Masami Hiramatsu Tested-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit e7b146a8bfba50e263745bbdefc11833c3766664 Author: Kefeng Wang Date: Thu May 7 23:04:44 2020 +0800 riscv: perf_event: Make some funciton static Fixes the following warning detected when running make with W=1, ../arch/riscv/kernel/perf_event.c:150:5: warning: no previous prototype for ‘riscv_map_cache_decode’ [-Wmissing-prototypes] int riscv_map_cache_decode(u64 config, unsigned int *type, ^~~~~~~~~~~~~~~~~~~~~~ ../arch/riscv/kernel/perf_event.c:345:13: warning: no previous prototype for ‘riscv_base_pmu_handle_irq’ [-Wmissing-prototypes] irqreturn_t riscv_base_pmu_handle_irq(int irq_num, void *dev) ^~~~~~~~~~~~~~~~~~~~~~~~~ ../arch/riscv/kernel/perf_event.c:364:6: warning: no previous prototype for ‘release_pmc_hardware’ [-Wmissing-prototypes] void release_pmc_hardware(void) ^~~~~~~~~~~~~~~~~~~~ ../arch/riscv/kernel/perf_event.c:467:12: warning: no previous prototype for ‘init_hw_perf_events’ [-Wmissing-prototypes] int __init init_hw_perf_events(void) ^~~~~~~~~~~~~~~~~~~ Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt commit 152036d1379ffd6985262743dcf6b0f9c75f83a4 Merge: 995b819f291e 0a8e7b7d0846 Author: Linus Torvalds Date: Mon May 11 12:04:52 2020 -0700 Merge tag 'nfsd-5.7-rc-2' of git://git.linux-nfs.org/projects/cel/cel-2.6 Pull nfsd fixes from Chuck Lever: "Resolve a data integrity problem with NFSD that I inadvertently introduced last year. The change I made makes the NFS server's duplicate reply cache ineffective when krb5i or krb5p are in use, thus allowing the replay of non-idempotent NFS requests such as RENAME, SETATTR, or even WRITEs" * tag 'nfsd-5.7-rc-2' of git://git.linux-nfs.org/projects/cel/cel-2.6: SUNRPC: Revert 241b1f419f0e ("SUNRPC: Remove xdr_buf_trim()") SUNRPC: Fix GSS privacy computation of auth->au_ralign SUNRPC: Add "@len" parameter to gss_unwrap() commit f304a809a9f1eec23e023f3aae6c768a08495244 Author: Trond Myklebust Date: Mon May 11 10:42:04 2020 -0400 NFS: Don't use RPC_TASK_CRED_NOREF with delegreturn We are not guaranteed that the credential will remain pinned. Fixes: 612965072020 ("NFSv4: Avoid referencing the cred unnecessarily during NFSv4 I/O") Signed-off-by: Trond Myklebust commit 2b666a110b493b3e8fbf561718ae794e13813651 Merge: ce99aa62e1eb 7bb0c5338436 Author: Trond Myklebust Date: Sun May 10 09:30:42 2020 -0400 Merge tag 'fscache-fixes-20200508-2' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs (1) The reorganisation of bmap() use accidentally caused the return value of cachefiles_read_or_alloc_pages() to get corrupted. (2) The NFS superblock index key accidentally got changed to include a number of kernel pointers - meaning that the key isn't matchable after a reboot. (3) A redundant check in nfs_fscache_get_super_cookie(). (4) The NFS change_attr sometimes set in the auxiliary data for the caching of an file and sometimes not, which causes the cache to get discarded when it shouldn't. (5) There's a race between cachefiles_read_waiter() and cachefiles_read_copier() that causes an occasional assertion failure. commit ce99aa62e1eb793e259d023c7f6ccb7c4879917b Author: Chuck Lever Date: Sat May 9 14:07:13 2020 -0400 SUNRPC: Signalled ASYNC tasks need to exit Ensure that signalled ASYNC rpc_tasks exit immediately instead of spinning until a timeout (or forever). To avoid checking for the signal flag on every scheduler iteration, the check is instead introduced in the client's finite state machine. Signed-off-by: Chuck Lever Fixes: ae67bd3821bb ("SUNRPC: Fix up task signalling") Signed-off-by: Trond Myklebust commit 29fe839976266bc7c55b927360a1daae57477723 Author: J. Bruce Fields Date: Mon May 11 10:02:48 2020 -0400 nfs: fix NULL deference in nfs4_get_valid_delegation We add the new state to the nfsi->open_states list, making it potentially visible to other threads, before we've finished initializing it. That wasn't a problem when all the readers were also taking the i_lock (as we do here), but since we switched to RCU, there's now a possibility that a reader could see the partially initialized state. Symptoms observed were a crash when another thread called nfs4_get_valid_delegation() on a NULL inode, resulting in an oops like: BUG: unable to handle page fault for address: ffffffffffffffb0 ... RIP: 0010:nfs4_get_valid_delegation+0x6/0x30 [nfsv4] ... Call Trace: nfs4_open_prepare+0x80/0x1c0 [nfsv4] __rpc_execute+0x75/0x390 [sunrpc] ? finish_task_switch+0x75/0x260 rpc_async_schedule+0x29/0x40 [sunrpc] process_one_work+0x1ad/0x370 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x10c/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x22/0x30 Fixes: 9ae075fdd190 "NFSv4: Convert open state lookup to use RCU" Reviewed-by: Seiichi Ikarashi Tested-by: Daisuke Matsuda Tested-by: Masayoshi Mizuma Signed-off-by: J. Bruce Fields Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Trond Myklebust commit a9d094dcf7845af85f82adcad9f793e51e4d14c8 Author: Chris Wilson Date: Thu May 7 16:51:09 2020 +0100 drm/i915: Mark concurrent submissions with a weak-dependency We recorded the dependencies for WAIT_FOR_SUBMIT in order that we could correctly perform priority inheritance from the parallel branches to the common trunk. However, for the purpose of timeslicing and reset handling, the dependency is weak -- as we the pair of requests are allowed to run in parallel and not in strict succession. The real significance though is that this allows us to rearrange groups of WAIT_FOR_SUBMIT linked requests along the single engine, and so can resolve user level inter-batch scheduling dependencies from user semaphores. Fixes: c81471f5e95c ("drm/i915: Copy across scheduler behaviour flags across submit fences") Testcase: igt/gem_exec_fence/submit Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: # v5.6+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200507155109.8892-1-chris@chris-wilson.co.uk (cherry picked from commit 6b6cd2ebd8d071e55998e32b648bb8081f7f02bb) Signed-off-by: Rodrigo Vivi commit bc850943486887e3859597a266767f95db90aa72 Author: Chris Wilson Date: Wed May 6 17:21:36 2020 +0100 drm/i915: Propagate error from completed fences We need to preserve fatal errors from fences that are being terminated as we hook them up. Fixes: ef4688497512 ("drm/i915: Propagate fence errors") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: Matthew Auld Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20200506162136.3325-1-chris@chris-wilson.co.uk (cherry picked from commit 24fe5f2ab2478053d50a3bc629ada895903a5cbc) Signed-off-by: Rodrigo Vivi commit 995b819f291e872b191893a2e8b0f9c9d8a570d9 Author: Linus Torvalds Date: Mon May 11 10:48:53 2020 -0700 drm: fix trivial field description cut-and-paste error As reported by Amarnath Baliyase, the drm_mode_status enumeration documentation describes MODE_V_ILLEGAL as "mode has illegal horizontal timings". But that's just a cut-and-paste error from the previous line. The "V" stands for vertical, of course. I'm just fixing this directly rather than bothering with going through the proper channels. Less work for everybody. Reported-by: Amarnath Baliyase Signed-off-by: Linus Torvalds commit 54ab49fde95605a1077f759ce454d94e84b5ca45 Author: Florian Westphal Date: Sun May 10 14:28:07 2020 +0200 netfilter: conntrack: fix infinite loop on rmmod 'rmmod nf_conntrack' can hang forever, because the netns exit gets stuck in nf_conntrack_cleanup_net_list(): i_see_dead_people: busy = 0; list_for_each_entry(net, net_exit_list, exit_list) { nf_ct_iterate_cleanup(kill_all, net, 0, 0); if (atomic_read(&net->ct.count) != 0) busy = 1; } if (busy) { schedule(); goto i_see_dead_people; } When nf_ct_iterate_cleanup iterates the conntrack table, all nf_conn structures can be found twice: once for the original tuple and once for the conntracks reply tuple. get_next_corpse() only calls the iterator when the entry is in original direction -- the idea was to avoid unneeded invocations of the iterator callback. When support for clashing entries was added, the assumption that all nf_conn objects are added twice, once in original, once for reply tuple no longer holds -- NF_CLASH_BIT entries are only added in the non-clashing reply direction. Thus, if at least one NF_CLASH entry is in the list then nf_conntrack_cleanup_net_list() always skips it completely. During normal netns destruction, this causes a hang of several seconds, until the gc worker removes the entry (NF_CLASH entries always have a 1 second timeout). But in the rmmod case, the gc worker has already been stopped, so ct.count never becomes 0. We can fix this in two ways: 1. Add a second test for CLASH_BIT and call iterator for those entries as well, or: 2. Skip the original tuple direction and use the reply tuple. 2) is simpler, so do that. Fixes: 6a757c07e51f80ac ("netfilter: conntrack: allow insertion of clashing entries") Reported-by: Chen Yi Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso commit 1d10da0eb09484ae087836da28258316ef4a02be Author: Roi Dayan Date: Sun May 10 13:55:43 2020 +0300 netfilter: flowtable: Remove WQ_MEM_RECLAIM from workqueue This workqueue is in charge of handling offloaded flow tasks like add/del/stats we should not use WQ_MEM_RECLAIM flag. The flag can result in the following warning. [ 485.557189] ------------[ cut here ]------------ [ 485.562976] workqueue: WQ_MEM_RECLAIM nf_flow_table_offload:flow_offload_worr [ 485.562985] WARNING: CPU: 7 PID: 3731 at kernel/workqueue.c:2610 check_flush0 [ 485.590191] Kernel panic - not syncing: panic_on_warn set ... [ 485.597100] CPU: 7 PID: 3731 Comm: kworker/u112:8 Not tainted 5.7.0-rc1.21802 [ 485.606629] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/177 [ 485.615487] Workqueue: nf_flow_table_offload flow_offload_work_handler [nf_f] [ 485.624834] Call Trace: [ 485.628077] dump_stack+0x50/0x70 [ 485.632280] panic+0xfb/0x2d7 [ 485.636083] ? check_flush_dependency+0x110/0x130 [ 485.641830] __warn.cold.12+0x20/0x2a [ 485.646405] ? check_flush_dependency+0x110/0x130 [ 485.652154] ? check_flush_dependency+0x110/0x130 [ 485.657900] report_bug+0xb8/0x100 [ 485.662187] ? sched_clock_cpu+0xc/0xb0 [ 485.666974] do_error_trap+0x9f/0xc0 [ 485.671464] do_invalid_op+0x36/0x40 [ 485.675950] ? check_flush_dependency+0x110/0x130 [ 485.681699] invalid_op+0x28/0x30 Fixes: 7da182a998d6 ("netfilter: flowtable: Use work entry per offload command") Reported-by: Marcelo Ricardo Leitner Signed-off-by: Roi Dayan Reviewed-by: Paul Blakey Signed-off-by: Pablo Neira Ayuso commit c410bf01933e5e09d142c66c3df9ad470a7eec13 Author: David Howells Date: Mon May 11 14:54:34 2020 +0100 rxrpc: Fix the excessive initial retransmission timeout rxrpc currently uses a fixed 4s retransmission timeout until the RTT is sufficiently sampled. This can cause problems with some fileservers with calls to the cache manager in the afs filesystem being dropped from the fileserver because a packet goes missing and the retransmission timeout is greater than the call expiry timeout. Fix this by: (1) Copying the RTT/RTO calculation code from Linux's TCP implementation and altering it to fit rxrpc. (2) Altering the various users of the RTT to make use of the new SRTT value. (3) Replacing the use of rxrpc_resend_timeout to use the calculated RTO value instead (which is needed in jiffies), along with a backoff. Notes: (1) rxrpc provides RTT samples by matching the serial numbers on outgoing DATA packets that have the RXRPC_REQUEST_ACK set and PING ACK packets against the reference serial number in incoming REQUESTED ACK and PING-RESPONSE ACK packets. (2) Each packet that is transmitted on an rxrpc connection gets a new per-connection serial number, even for retransmissions, so an ACK can be cross-referenced to a specific trigger packet. This allows RTT information to be drawn from retransmitted DATA packets also. (3) rxrpc maintains the RTT/RTO state on the rxrpc_peer record rather than on an rxrpc_call because many RPC calls won't live long enough to generate more than one sample. (4) The calculated SRTT value is in units of 8ths of a microsecond rather than nanoseconds. The (S)RTT and RTO values are displayed in /proc/net/rxrpc/peers. Fixes: 17926a79320a ([AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both"") Signed-off-by: David Howells commit 2c8897953f3b2ff5498f3f275708a742bfcdbc24 Author: Paul Blakey Date: Wed May 6 14:24:39 2020 +0300 netfilter: flowtable: Add pending bit for offload work Gc step can queue offloaded flow del work or stats work. Those work items can race each other and a flow could be freed before the stats work is executed and querying it. To avoid that, add a pending bit that if a work exists for a flow don't queue another work for it. This will also avoid adding multiple stats works in case stats work didn't complete but gc step started again. Signed-off-by: Paul Blakey Reviewed-by: Roi Dayan Signed-off-by: Pablo Neira Ayuso commit d51c214541c5154dda3037289ee895ea3ded5ebd Author: Christoph Hellwig Date: Sun May 10 09:54:41 2020 +0200 arm64: fix the flush_icache_range arguments in machine_kexec The second argument is the end "pointer", not the length. Fixes: d28f6df1305a ("arm64/kexec: Add core kexec support") Cc: # 4.8.x- Signed-off-by: Christoph Hellwig Signed-off-by: Catalin Marinas commit 0f8e3823c02c2e7412477dc3d49d179803c3fdfa Author: YueHaibing Date: Fri Apr 10 19:54:22 2020 +0800 vdpasim: remove unused variable 'ret' drivers/vdpa/vdpa_sim/vdpa_sim.c:92:6: warning: variable ‘ret’ set but not used [-Wunused-but-set-variable] Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20200410115422.42308-1-yuehaibing@huawei.com Signed-off-by: Michael S. Tsirkin Acked-by: Jason Wang commit e963b7a28b2bf2416304e1a15df967fcf662aff5 Author: Christophe Leroy Date: Sat May 9 09:42:14 2020 +0000 powerpc/vdso32: Fallback on getres syscall when clock is unknown There are other clocks than the standard ones, for instance per process clocks. Therefore, being above the last standard clock doesn't mean it is a bad clock. So, fallback to syscall instead of returning -EINVAL inconditionaly. Fixes: e33ffc956b08 ("powerpc/vdso32: implement clock_getres entirely") Cc: stable@vger.kernel.org # v5.6+ Reported-by: Aurelien Jarno Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Tested-by: Aurelien Jarno Link: https://lore.kernel.org/r/7316a9e2c0c2517923eb4b0411c4a08d15e675a4.1589017281.git.christophe.leroy@csgroup.eu commit 72a7a9925e2beea09b109dffb3384c9bf920d9da Author: Zhenyu Wang Date: Wed May 6 17:59:18 2020 +0800 drm/i915/gvt: Fix kernel oops for 3-level ppgtt guest As i915 won't allocate extra PDP for current default PML4 table, so for 3-level ppgtt guest, we would hit kernel pointer access failure on extra PDP pointers. So this trys to bypass that now. It won't impact real shadow PPGTT setup, so guest context still works. This is verified on 4.15 guest kernel with i915.enable_ppgtt=1 to force on old aliasing ppgtt behavior. Fixes: 4f15665ccbba ("drm/i915: Add ppgtt to GVT GEM context") Reviewed-by: Xiong Zhang Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20200506095918.124913-1-zhenyuw@linux.intel.com commit 45a3fe3bf93b7cfeddc28ef7386555e05dc57f06 Author: Raul E Rangel Date: Fri May 8 16:54:21 2020 -0600 mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040 The AMD eMMC 5.0 controller does not support 64 bit DMA. Fixes: 34597a3f60b1 ("mmc: sdhci-acpi: Add support for ACPI HID of AMD Controller with HS400") Signed-off-by: Raul E Rangel Link: https://marc.info/?l=linux-mmc&m=158879884514552&w=2 Reviewed-by: Andy Shevchenko Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20200508165344.1.Id5bb8b1ae7ea576f26f9d91c761df7ccffbf58c5@changeid Signed-off-by: Ulf Hansson commit e47cb97f153193d4b41ca8d48127da14513d54c7 Author: Geert Uytterhoeven Date: Fri May 8 11:59:18 2020 +0200 ARM: dts: r8a7740: Add missing extal2 to CPG node The Clock Pulse Generator (CPG) device node lacks the extal2 clock. This may lead to a failure registering the "r" clock, or to a wrong parent for the "usb24s" clock, depending on MD_CK2 pin configuration and boot loader CPG_USBCKCR register configuration. This went unnoticed, as this does not affect the single upstream board configuration, which relies on the first clock input only. Fixes: d9ffd583bf345e2e ("ARM: shmobile: r8a7740: add SoC clocks to DTS") Signed-off-by: Geert Uytterhoeven Reviewed-by: Ulrich Hecht Link: https://lore.kernel.org/r/20200508095918.6061-1-geert+renesas@glider.be commit 7b301750f7f8f6503e11f1af4a03832525f58c66 Author: Rafael J. Wysocki Date: Sat May 9 10:44:41 2020 +0200 ACPI: EC: PM: Avoid premature returns from acpi_s2idle_wake() If the EC GPE status is not set after checking all of the other GPEs, acpi_s2idle_wake() returns 'false', to indicate that the SCI event that has just triggered is not a system wakeup one, but it does that without canceling the pending wakeup and re-arming the SCI for system wakeup which is a mistake, because it may cause s2idle_loop() to busy spin until the next valid wakeup event. [If that happens, the first spurious wakeup is still pending after acpi_s2idle_wake() has returned, so s2idle_enter() does nothing, acpi_s2idle_wake() is called again and it sees that the SCI has triggered, but no GPEs are active, so 'false' is returned again, and so on.] Fix that by moving all of the GPE checking logic from acpi_s2idle_wake() to acpi_ec_dispatch_gpe() and making the latter return 'true' only if a non-EC GPE has triggered and 'false' otherwise, which will cause acpi_s2idle_wake() to cancel the pending SCI wakeup and re-arm the SCI for system wakeup regardless of the EC GPE status. This also addresses a lockup observed on an Elitegroup EF20EA laptop after attempting to wake it up from suspend-to-idle by a key press. Fixes: d5406284ff80 ("ACPI: PM: s2idle: Refine active GPEs check") Link: https://bugzilla.kernel.org/show_bug.cgi?id=207603 Reported-by: Todd Brandt Fixes: fdde0ff8590b ("ACPI: PM: s2idle: Prevent spurious SCIs from waking up the system") Link: https://lore.kernel.org/linux-acpi/CAB4CAwdqo7=MvyG_PE+PGVfeA17AHF5i5JucgaKqqMX6mjArbQ@mail.gmail.com/ Reported-by: Chris Chiu Tested-by: Chris Chiu Cc: 5.4+ # 5.4+ Signed-off-by: Rafael J. Wysocki commit e8a1b0efd632d1c9db7d4e93da66377c7b524862 Author: Luo bin Date: Sun May 10 19:01:08 2020 +0000 hinic: fix a bug of ndo_stop if some function in ndo_stop interface returns failure because of hardware fault, must go on excuting rest steps rather than return failure directly, otherwise will cause memory leak.And bump the timeout for SET_FUNC_STATE to ensure that cmd won't return failure when hw is busy. Otherwise hw may stomp host memory if we free memory regardless of the return value of SET_FUNC_STATE. Fixes: 51ba902a16e6 ("net-next/hinic: Initialize hw interface") Signed-off-by: Luo bin Signed-off-by: Jakub Kicinski commit 31e9a7f353526bbe53165a292f8ea9695ead3168 Author: NeilBrown Date: Sat May 9 07:25:11 2020 +1000 SUNRPC: fix use-after-free in rpc_free_client_work() Parts of rpc_free_client() were recently moved to a separate rpc_free_clent_work(). This introduced a use-after-free as rpc_clnt_remove_pipedir() calls rpc_net_ns(), and that uses clnt->cl_xprt which has already been freed. So move the call to xprt_put() after the call to rpc_clnt_remove_pipedir(). Reported-by: syzbot+22b5ef302c7c40d94ea8@syzkaller.appspotmail.com Fixes: 7c4310ff5642 ("SUNRPC: defer slow parts of rpc_free_client() to a workqueue.") Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust commit 2ef96a5bb12be62ef75b5828c0aab838ebb29cb8 Author: Linus Torvalds Date: Sun May 10 15:16:58 2020 -0700 Linux 5.7-rc5 commit 2c407aca64977ede9b9f35158e919773cae2082f Author: Arnd Bergmann Date: Thu Apr 30 23:30:48 2020 +0200 netfilter: conntrack: avoid gcc-10 zero-length-bounds warning gcc-10 warns around a suspicious access to an empty struct member: net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] 1522 | memset(&ct->__nfct_init_offset[0], 0, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from net/netfilter/nf_conntrack_core.c:37: include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' 90 | u8 __nfct_init_offset[0]; | ^~~~~~~~~~~~~~~~~~ The code is correct but a bit unusual. Rework it slightly in a way that does not trigger the warning, using an empty struct instead of an empty array. There are probably more elegant ways to do this, but this is the smallest change. Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") Signed-off-by: Arnd Bergmann Signed-off-by: Pablo Neira Ayuso commit c14cab2688d09b851349acbb83e5fce8e0d4ca42 Merge: 8b00083219af fb9cbbc895eb Author: Linus Torvalds Date: Sun May 10 11:59:53 2020 -0700 Merge tag 'x86-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull x86 fixes from Thomas Gleixner: "A set of fixes for x86: - Ensure that direct mapping alias is always flushed when changing page attributes. The optimization for small ranges failed to do so when the virtual address was in the vmalloc or module space. - Unbreak the trace event registration for syscalls without arguments caused by the refactoring of the SYSCALL_DEFINE0() macro. - Move the printk in the TSC deadline timer code to a place where it is guaranteed to only be called once during boot and cannot be rearmed by clearing warn_once after boot. If it's invoked post boot then lockdep rightfully complains about a potential deadlock as the calling context is different. - A series of fixes for objtool and the ORC unwinder addressing variety of small issues: - Stack offset tracking for indirect CFAs in objtool ignored subsequent pushs and pops - Repair the unwind hints in the register clearing entry ASM code - Make the unwinding in the low level exit to usermode code stop after switching to the trampoline stack. The unwind hint is no longer valid and the ORC unwinder emits a warning as it can't find the registers anymore. - Fix unwind hints in switch_to_asm() and rewind_stack_do_exit() which caused objtool to generate bogus ORC data. - Prevent unwinder warnings when dumping the stack of a non-current task as there is no way to be sure about the validity because the dumped stack can be a moving target. - Make the ORC unwinder behave the same way as the frame pointer unwinder when dumping an inactive tasks stack and do not skip the first frame. - Prevent ORC unwinding before ORC data has been initialized - Immediately terminate unwinding when a unknown ORC entry type is found. - Prevent premature stop of the unwinder caused by IRET frames. - Fix another infinite loop in objtool caused by a negative offset which was not catched. - Address a few build warnings in the ORC unwinder and add missing static/ro_after_init annotations" * tag 'x86-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: x86/unwind/orc: Move ORC sorting variables under !CONFIG_MODULES x86/apic: Move TSC deadline timer debug printk ftrace/x86: Fix trace event registration for syscalls without arguments x86/mm/cpa: Flush direct map alias during cpa objtool: Fix infinite loop in for_offset_range() x86/unwind/orc: Fix premature unwind stoppage due to IRET frames x86/unwind/orc: Fix error path for bad ORC entry type x86/unwind/orc: Prevent unwinding before ORC initialization x86/unwind/orc: Don't skip the first frame for inactive tasks x86/unwind: Prevent false warnings for non-current tasks x86/unwind/orc: Convert global variables to static x86/entry/64: Fix unwind hints in rewind_stack_do_exit() x86/entry/64: Fix unwind hints in __switch_to_asm() x86/entry/64: Fix unwind hints in kernel exit path x86/entry/64: Fix unwind hints in register clearing code objtool: Fix stack offset tracking for indirect CFAs commit 8b00083219af64970e55c756a8d226c85722bb62 Merge: bd2049f87107 1119d265bc20 Author: Linus Torvalds Date: Sun May 10 11:42:14 2020 -0700 Merge tag 'objtool-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull objtool fix from Thomas Gleixner: "A single fix for objtool to prevent an infinite loop in the jump table search which can be triggered when building the kernel with '-ffunction-sections'" * tag 'objtool-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: objtool: Fix infinite loop in find_jump_table() commit bd2049f87107906e4f8dc443ff307c44951d5768 Merge: 27d2dcb1b95c 8101b5a1531f Author: Linus Torvalds Date: Sun May 10 11:39:31 2020 -0700 Merge tag 'locking-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip Pull locking fix from Thomas Gleixner: "A single fix for the fallout of the recent futex uacess rework. With those changes GCC9 fails to analyze arch_futex_atomic_op_inuser() correctly and emits a 'maybe unitialized' warning. While we usually ignore compiler stupidity the conditional store is pointless anyway because the correct case has to store. For the fault case the extra store does no harm" * tag 'locking-urgent-2020-05-10' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: ARM: futex: Address build warning commit 27d2dcb1b95c8c39da417839c11eda2e665cd389 Merge: 0a85ed6e7fce fb3637a11334 Author: Linus Torvalds Date: Sun May 10 11:26:23 2020 -0700 Merge tag 'iommu-fixes-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu Pull iommu fixes from Joerg Roedel: - Race condition fixes for the AMD IOMMU driver. These are five patches fixing two race conditions around increase_address_space(). The first race condition was around the non-atomic update of the domain page-table root pointer and the variable containing the page-table depth (called mode). This is fixed now be merging page-table root and mode into one 64-bit field which is read/written atomically. The second race condition was around updating the page-table root pointer and making it public before the hardware caches were flushed. This could cause addresses to be mapped and returned to drivers which are not reachable by IOMMU hardware yet, causing IO page-faults. This is fixed too by adding the necessary flushes before a new page-table root is published. Related to the race condition fixes these patches also add a missing domain_flush_complete() barrier to update_domain() and a fix to bail out of the loop which tries to increase the address space when the call to increase_address_space() fails. Qian was able to trigger the race conditions under high load and memory pressure within a few days of testing. He confirmed that he has seen no issues anymore with the fixes included here. - Fix for a list-handling bug in the VirtIO IOMMU driver. * tag 'iommu-fixes-v5.7-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu/virtio: Reverse arguments to list_add iommu/amd: Do not flush Device Table in iommu_map_page() iommu/amd: Update Device Table in increase_address_space() iommu/amd: Call domain_flush_complete() in update_domain() iommu/amd: Do not loop forever when trying to increase address space iommu/amd: Fix race in increase_address_space()/fetch_pte() commit 3047211ca11bf77b3ecbce045c0aa544d934b945 Author: Florian Fainelli Date: Sat May 9 16:45:44 2020 -0700 net: dsa: loop: Add module soft dependency There is a soft dependency against dsa_loop_bdinfo.ko which sets up the MDIO device registration, since there are no symbols referenced by dsa_loop.ko, there is no automatic loading of dsa_loop_bdinfo.ko which is needed. Fixes: 98cd1552ea27 ("net: dsa: Mock-up driver") Signed-off-by: Florian Fainelli Signed-off-by: Jakub Kicinski commit 0a85ed6e7fce8075bb3090f8eac05ca1000f5969 Merge: e99332e7b4cd 59c7c3caaaf8 Author: Linus Torvalds Date: Sun May 10 11:16:07 2020 -0700 Merge tag 'block-5.7-2020-05-09' of git://git.kernel.dk/linux-block Pull block fixes from Jens Axboe: - a small series fixing a use-after-free of bdi name (Christoph,Yufen) - NVMe fix for a regression with the smaller CQ update (Alexey) - NVMe fix for a hang at namespace scanning error recovery (Sagi) - fix race with blk-iocost iocg->abs_vdebt updates (Tejun) * tag 'block-5.7-2020-05-09' of git://git.kernel.dk/linux-block: nvme: fix possible hang when ns scanning fails during error recovery nvme-pci: fix "slimmer CQ head update" bdi: add a ->dev_name field to struct backing_dev_info bdi: use bdi_dev_name() to get device name bdi: move bdi_dev_name out of line vboxsf: don't use the source name in the bdi name iocost: protect iocg->abs_vdebt with iocg->waitq.lock commit 14425f1f521fdfe274a7bb390637c786432e08b4 Author: Mike Pozulp Date: Sat May 9 20:28:37 2020 -0700 ALSA: hda/realtek: Add quirk for Samsung Notebook Some models of the Samsung Notebook 9 have very quiet and distorted headphone output. This quirk changes the VREF value of the ALC298 codec NID 0x1a from default HIZ to new 100. [ adjusted to 5.7-base and rearranged in SSID order -- tiwai ] Signed-off-by: Mike Pozulp BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207423 Link: https://lore.kernel.org/r/20200510032838.1989130-1-pozulp.kernel@gmail.com Signed-off-by: Takashi Iwai commit 928edefbc18cd8433f7df235c6e09a9306e7d580 Author: Christophe JAILLET Date: Wed May 6 05:52:06 2020 +0200 iio: sca3000: Remove an erroneous 'get_device()' This looks really unusual to have a 'get_device()' hidden in a 'dev_err()' call. Remove it. While at it add a missing \n at the end of the message. Fixes: 574fb258d636 ("Staging: IIO: VTI sca3000 series accelerometer driver (spi)") Signed-off-by: Christophe JAILLET Cc: Signed-off-by: Jonathan Cameron commit d34fced41e172fae2df7819b1d5a398c62067599 Author: Gustavo A. R. Silva Date: Thu May 7 12:29:54 2020 -0700 Input: applespi - replace zero-length array with flexible-array The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] sizeof(flexible-array-member) triggers a warning because flexible array members have incomplete type[1]. There are some instances of code in which the sizeof operator is being incorrectly/erroneously applied to zero-length arrays and the result is zero. Such instances may be hiding some bugs. So, this work (flexible-array member conversions) will also help to get completely rid of those sorts of issues. This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Link: https://lore.kernel.org/r/20200507185347.GA14499@embeddedor Signed-off-by: Dmitry Torokhov commit 090e28b229af92dc5b40786ca673999d59e73056 Author: Zefan Li Date: Sat May 9 11:32:10 2020 +0800 netprio_cgroup: Fix unlimited memory leak of v2 cgroups If systemd is configured to use hybrid mode which enables the use of both cgroup v1 and v2, systemd will create new cgroup on both the default root (v2) and netprio_cgroup hierarchy (v1) for a new session and attach task to the two cgroups. If the task does some network thing then the v2 cgroup can never be freed after the session exited. One of our machines ran into OOM due to this memory leak. In the scenario described above when sk_alloc() is called cgroup_sk_alloc() thought it's in v2 mode, so it stores the cgroup pointer in sk->sk_cgrp_data and increments the cgroup refcnt, but then sock_update_netprioidx() thought it's in v1 mode, so it stores netprioidx value in sk->sk_cgrp_data, so the cgroup refcnt will never be freed. Currently we do the mode switch when someone writes to the ifpriomap cgroup control file. The easiest fix is to also do the switch when a task is attached to a new cgroup. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Reported-by: Yang Yingliang Tested-by: Yang Yingliang Signed-off-by: Zefan Li Acked-by: Tejun Heo Signed-off-by: Jakub Kicinski commit e99332e7b4cda6e60f5b5916cf9943a79dbef902 Author: Linus Torvalds Date: Sat May 9 17:50:03 2020 -0700 gcc-10: mark more functions __init to avoid section mismatch warnings It seems that for whatever reason, gcc-10 ends up not inlining a couple of functions that used to be inlined before. Even if they only have one single callsite - it looks like gcc may have decided that the code was unlikely, and not worth inlining. The code generation difference is harmless, but caused a few new section mismatch errors, since the (now no longer inlined) function wasn't in the __init section, but called other init functions: Section mismatch in reference from the function kexec_free_initrd() to the function .init.text:free_initrd_mem() Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memremap() Section mismatch in reference from the function tpm2_calc_event_log_size() to the function .init.text:early_memunmap() So add the appropriate __init annotation to make modpost not complain. In both cases there were trivially just a single callsite from another __init function. Signed-off-by: Linus Torvalds commit 2e28f3b13a41b8a7d36a73ddf4bb41972a9c1dd9 Merge: 1a263ae60b04 73cb8e2a5863 Author: Linus Torvalds Date: Sat May 9 16:24:16 2020 -0700 Merge tag 'riscv-for-linus-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux Pull RISC-V fixes from Palmer Dabbelt: "A smattering of fixes and cleanups: - Dead code removal. - Exporting riscv_cpuid_to_hartid_mask for modules. - Per-CPU tracking of ISA features. - Setting max_pfn correctly when probing memory. - Adding a note to the VDSO so glibc can check the kernel's version without a uname(). - A fix to force the bootloader to initialize the boot spin tables, which still get used as a fallback when SBI-0.1 is enabled" * tag 'riscv-for-linus-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux: RISC-V: Remove unused code from STRICT_KERNEL_RWX riscv: force __cpu_up_ variables to put in data section riscv: add Linux note to vdso riscv: set max_pfn to the PFN of the last page RISC-V: Remove N-extension related defines RISC-V: Add bitmap reprensenting ISA features common across CPUs RISC-V: Export riscv_cpuid_to_hartid_mask() API commit 1a263ae60b04de959d9ce9caea4889385eefcc7b Author: Linus Torvalds Date: Sat May 9 15:58:04 2020 -0700 gcc-10: avoid shadowing standard library 'free()' in crypto gcc-10 has started warning about conflicting types for a few new built-in functions, particularly 'free()'. This results in warnings like: crypto/xts.c:325:13: warning: conflicting types for built-in function ‘free’; expected ‘void(void *)’ [-Wbuiltin-declaration-mismatch] because the crypto layer had its local freeing functions called 'free()'. Gcc-10 is in the wrong here, since that function is marked 'static', and thus there is no chance of confusion with any standard library function namespace. But the simplest thing to do is to just use a different name here, and avoid this gcc mis-feature. [ Side note: gcc knowing about 'free()' is in itself not the mis-feature: the semantics of 'free()' are special enough that a compiler can validly do special things when seeing it. So the mis-feature here is that gcc thinks that 'free()' is some restricted name, and you can't shadow it as a local static function. Making the special 'free()' semantics be a function attribute rather than tied to the name would be the much better model ] Signed-off-by: Linus Torvalds commit 99352c79af3e5f2e4724abf37fa5a2a3299b1c81 Author: Arnd Bergmann Date: Sat May 9 14:04:52 2020 +0200 net: freescale: select CONFIG_FIXED_PHY where needed I ran into a randconfig build failure with CONFIG_FIXED_PHY=m and CONFIG_GIANFAR=y: x86_64-linux-ld: drivers/net/ethernet/freescale/gianfar.o:(.rodata+0x418): undefined reference to `fixed_phy_change_carrier' It seems the same thing can happen with dpaa and ucc_geth, so change all three to do an explicit 'select FIXED_PHY'. The fixed-phy driver actually has an alternative stub function that theoretically allows building network drivers when fixed-phy is disabled, but I don't see how that would help here, as the drivers presumably would not work then. Signed-off-by: Arnd Bergmann Acked-by: Florian Fainelli Signed-off-by: Jakub Kicinski commit adc71920969870dfa54e8f40dac8616284832d02 Author: Linus Torvalds Date: Sat May 9 15:45:21 2020 -0700 gcc-10: disable 'restrict' warning for now gcc-10 now warns about passing aliasing pointers to functions that take restricted pointers. That's actually a great warning, and if we ever start using 'restrict' in the kernel, it might be quite useful. But right now we don't, and it turns out that the only thing this warns about is an idiom where we have declared a few functions to be "printf-like" (which seems to make gcc pick up the restricted pointer thing), and then we print to the same buffer that we also use as an input. And people do that as an odd concatenation pattern, with code like this: #define sysfs_show_gen_prop(buffer, fmt, ...) \ snprintf(buffer, PAGE_SIZE, "%s"fmt, buffer, __VA_ARGS__) where we have 'buffer' as both the destination of the final result, and as the initial argument. Yes, it's a bit questionable. And outside of the kernel, people do have standard declarations like int snprintf( char *restrict buffer, size_t bufsz, const char *restrict format, ... ); where that output buffer is marked as a restrict pointer that cannot alias with any other arguments. But in the context of the kernel, that 'use snprintf() to concatenate to the end result' does work, and the pattern shows up in multiple places. And we have not marked our own version of snprintf() as taking restrict pointers, so the warning is incorrect for now, and gcc picks it up on its own. If we do start using 'restrict' in the kernel (and it might be a good idea if people find places where it matters), we'll need to figure out how to avoid this issue for snprintf and friends. But in the meantime, this warning is not useful. Signed-off-by: Linus Torvalds commit 5a76021c2eff7fcf2f0918a08fd8a37ce7922921 Author: Linus Torvalds Date: Sat May 9 15:40:52 2020 -0700 gcc-10: disable 'stringop-overflow' warning for now This is the final array bounds warning removal for gcc-10 for now. Again, the warning is good, and we should re-enable all these warnings when we have converted all the legacy array declaration cases to flexible arrays. But in the meantime, it's just noise. Signed-off-by: Linus Torvalds commit 59c7c3caaaf8750df4ec3255082f15eb4e371514 Author: Sagi Grimberg Date: Wed May 6 15:44:02 2020 -0700 nvme: fix possible hang when ns scanning fails during error recovery When the controller is reconnecting, the host fails I/O and admin commands as the host cannot reach the controller. ns scanning may revalidate namespaces during that period and it is wrong to remove namespaces due to these failures as we may hang (see 205da2434301). One command that may fail is nvme_identify_ns_descs. Since we return success due to having ns identify descriptor list optional, we continue to compare ns identifiers in nvme_revalidate_disk, obviously fail and return -ENODEV to nvme_validate_ns, which will remove the namespace. Exactly what we don't want to happen. Fixes: 22802bf742c2 ("nvme: Namepace identification descriptor list is optional") Tested-by: Anton Eidelman Signed-off-by: Sagi Grimberg Reviewed-by: Keith Busch Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe commit a8de6639169b90e3dc4f27e752a3c5abac5e90da Author: Alexey Dobriyan Date: Thu May 7 23:07:04 2020 +0300 nvme-pci: fix "slimmer CQ head update" Pre-incrementing ->cq_head can't be done in memory because OOB value can be observed by another context. This devalues space savings compared to original code :-\ $ ./scripts/bloat-o-meter ../vmlinux-000 ../obj/vmlinux add/remove: 0/0 grow/shrink: 0/4 up/down: 0/-32 (-32) Function old new delta nvme_poll_irqdisable 464 456 -8 nvme_poll 455 447 -8 nvme_irq 388 380 -8 nvme_dev_disable 955 947 -8 But the code is minimal now: one read for head, one read for q_depth, one increment, one comparison, single instruction phase bit update and one write for new head. Signed-off-by: Alexey Dobriyan Reported-by: John Garry Tested-by: John Garry Fixes: e2a366a4b0feaeb ("nvme-pci: slimmer CQ head update") Signed-off-by: Christoph Hellwig Signed-off-by: Jens Axboe commit 6bd87eec23cbc9ed222bed0f5b5b02bf300e9a8d Author: Christoph Hellwig Date: Mon May 4 14:47:56 2020 +0200 bdi: add a ->dev_name field to struct backing_dev_info Cache a copy of the name for the life time of the backing_dev_info structure so that we can reference it even after unregistering. Fixes: 68f23b89067f ("memcg: fix a crash in wb_workfn when a device disappears") Reported-by: Yufen Yu Signed-off-by: Christoph Hellwig Reviewed-by: Jan Kara Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe commit d51cfc53ade3189455a1b88ec7a2ff0c24597cf8 Author: Yufen Yu Date: Mon May 4 14:47:55 2020 +0200 bdi: use bdi_dev_name() to get device name Use the common interface bdi_dev_name() to get device name. Signed-off-by: Yufen Yu Signed-off-by: Christoph Hellwig Reviewed-by: Greg Kroah-Hartman Reviewed-by: Jan Kara Reviewed-by: Bart Van Assche Add missing include BFQ Signed-off-by: Jens Axboe commit 44720996e2d79e47d508b0abe99b931a726a3197 Author: Linus Torvalds Date: Sat May 9 14:52:44 2020 -0700 gcc-10: disable 'array-bounds' warning for now This is another fine warning, related to the 'zero-length-bounds' one, but hitting the same historical code in the kernel. Because C didn't historically support flexible array members, we have code that instead uses a one-sized array, the same way we have cases of zero-sized arrays. The one-sized arrays come from either not wanting to use the gcc zero-sized array extension, or from a slight convenience-feature, where particularly for strings, the size of the structure now includes the allocation for the final NUL character. So with a "char name[1];" at the end of a structure, you can do things like v = my_malloc(sizeof(struct vendor) + strlen(name)); and avoid the "+1" for the terminator. Yes, the modern way to do that is with a flexible array, and using 'offsetof()' instead of 'sizeof()', and adding the "+1" by hand. That also technically gets the size "more correct" in that it avoids any alignment (and thus padding) issues, but this is another long-term cleanup thing that will not happen for 5.7. So disable the warning for now, even though it's potentially quite useful. Having a slew of warnings that then hide more urgent new issues is not an improvement. Signed-off-by: Linus Torvalds commit 5c45de21a2223fe46cf9488c99a7fbcf01527670 Author: Linus Torvalds Date: Sat May 9 14:30:29 2020 -0700 gcc-10: disable 'zero-length-bounds' warning for now This is a fine warning, but we still have a number of zero-length arrays in the kernel that come from the traditional gcc extension. Yes, they are getting converted to flexible arrays, but in the meantime the gcc-10 warning about zero-length bounds is very verbose, and is hiding other issues. I missed one actual build failure because it was hidden among hundreds of lines of warning. Thankfully I caught it on the second go before pushing things out, but it convinced me that I really need to disable the new warnings for now. We'll hopefully be all done with our conversion to flexible arrays in the not too distant future, and we can then re-enable this warning. Signed-off-by: Linus Torvalds commit 78a5255ffb6a1af189a83e493d916ba1c54d8c75 Author: Linus Torvalds Date: Sat May 9 13:57:10 2020 -0700 Stop the ad-hoc games with -Wno-maybe-initialized We have some rather random rules about when we accept the "maybe-initialized" warnings, and when we don't. For example, we consider it unreliable for gcc versions < 4.9, but also if -O3 is enabled, or if optimizing for size. And then various kernel config options disabled it, because they know that they trigger that warning by confusing gcc sufficiently (ie PROFILE_ALL_BRANCHES). And now gcc-10 seems to be introducing a lot of those warnings too, so it falls under the same heading as 4.9 did. At the same time, we have a very straightforward way to _enable_ that warning when wanted: use "W=2" to enable more warnings. So stop playing these ad-hoc games, and just disable that warning by default, with the known and straight-forward "if you want to work on the extra compiler warnings, use W=123". Would it be great to have code that is always so obvious that it never confuses the compiler whether a variable is used initialized or not? Yes, it would. In a perfect world, the compilers would be smarter, and our source code would be simpler. That's currently not the world we live in, though. Signed-off-by: Linus Torvalds commit bcb543cc3d4034da3f3fd8bc4296a26dfeadf47d Author: Guenter Roeck Date: Sat May 9 13:13:33 2020 -0700 hwmon: (drivetemp) Fix SCT support if SCT data tables are not supported If SCT is supported but SCT data tables are not, the driver unnecessarily tries to fall back to SMART. Use SCT without data tables instead in this situation. Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Signed-off-by: Guenter Roeck commit 1d3962ae3b3d3a945f7fd5c651cf170a27521a35 Merge: d5eeab8d7e26 63ff822358b2 Author: Linus Torvalds Date: Sat May 9 12:02:09 2020 -0700 Merge tag 'io_uring-5.7-2020-05-08' of git://git.kernel.dk/linux-block Pull io_uring fixes from Jens Axboe: - Fix finish_wait() balancing in file cancelation (Xiaoguang) - Ensure early cleanup of resources in ring map failure (Xiaoguang) - Ensure IORING_OP_SLICE does the right file mode checks (Pavel) - Remove file opening from openat/openat2/statx, it's not needed and messes with O_PATH * tag 'io_uring-5.7-2020-05-08' of git://git.kernel.dk/linux-block: io_uring: don't use 'fd' for openat/openat2/statx splice: move f_mode checks to do_{splice,tee}() io_uring: handle -EFAULT properly in io_uring_setup() io_uring: fix mismatched finish_wait() calls in io_uring_cancel_files() commit c96874265cd04b4bd4a8e114ac9af039a6d83cfe Author: Pavel Begunkov Date: Mon May 4 23:00:54 2020 +0300 io_uring: fix zero len do_splice() do_splice() doesn't expect len to be 0. Just always return 0 in this case as splice(2) does. Fixes: 7d67af2c0134 ("io_uring: add splice(2) support") Reported-by: Jann Horn Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 6e507644209b4a043363e165855a3a3050c4d40e Author: Andrey Konovalov Date: Thu May 7 19:06:54 2020 +0200 usb: raw-gadget: fix return value of ep read ioctls They must return the number of bytes transferred during the data stage. Fixes: 068fbff4f860 ("usb: raw-gadget: Fix copy_to/from_user() checks") Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface") Signed-off-by: Andrey Konovalov Signed-off-by: Felipe Balbi commit 4748d396399a9383bbb3b391b4661850261efc3f Author: Arnd Bergmann Date: Tue May 5 16:15:09 2020 +0200 usb: dwc3: select USB_ROLE_SWITCH Calling into the role switch API requires that these functions are loaded, if they are in a loadable module and dwc3 itself is built-in, this produces a link error: drivers/usb/dwc3/drd.o: In function `dwc3_usb_role_switch_get': drd.c:(.text+0x26): undefined reference to `usb_role_switch_get_drvdata' drivers/usb/dwc3/drd.o: In function `dwc3_usb_role_switch_set': drd.c:(.text+0x97): undefined reference to `usb_role_switch_get_drvdata' drivers/usb/dwc3/drd.o: In function `dwc3_drd_init': drd.c:(.text+0x1ca7): undefined reference to `usb_role_switch_register' drivers/usb/dwc3/drd.o: In function `dwc3_drd_exit': drd.c:(.text+0x1e92): undefined reference to `usb_role_switch_unregister' Select the USB_ROLE_SWITCH symbol from dwc3 in that configuration. Fixes: 0339f7fbc82e ("usb: dwc3: fix up for role switch API change") Signed-off-by: Arnd Bergmann Signed-off-by: Felipe Balbi commit e27d4b30b71c66986196d8a1eb93cba9f602904a Author: Wei Yongjun Date: Thu May 7 05:13:23 2020 +0000 usb: gadget: legacy: fix error return code in gncm_bind() If 'usb_otg_descriptor_alloc()' fails, we must return a negative error code -ENOMEM, not 0. Fixes: 1156e91dd7cc ("usb: gadget: ncm: allocate and init otg descriptor by otg capabilities") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi commit e8f7f9e3499a6d96f7f63a4818dc7d0f45a7783b Author: Wei Yongjun Date: Thu May 7 05:13:32 2020 +0000 usb: gadget: legacy: fix error return code in cdc_bind() If 'usb_otg_descriptor_alloc()' fails, we must return a negative error code -ENOMEM, not 0. Fixes: ab6796ae9833 ("usb: gadget: cdc2: allocate and init otg descriptor by otg capabilities") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Felipe Balbi commit d13cce757954fa663c69845611957396843ed87a Author: Masahiro Yamada Date: Fri Apr 3 22:16:51 2020 +0900 usb: gadget: legacy: fix redundant initialization warnings Fix the following cppcheck warnings: drivers/usb/gadget/legacy/inode.c:1364:8: style: Redundant initialization for 'value'. The initialized value is overwritten$ value = -EOPNOTSUPP; ^ drivers/usb/gadget/legacy/inode.c:1331:15: note: value is initialized int value = -EOPNOTSUPP; ^ drivers/usb/gadget/legacy/inode.c:1364:8: note: value is overwritten value = -EOPNOTSUPP; ^ drivers/usb/gadget/legacy/inode.c:1817:8: style: Redundant initialization for 'value'. The initialized value is overwritten$ value = -EINVAL; ^ drivers/usb/gadget/legacy/inode.c:1787:18: note: value is initialized ssize_t value = len, length = len; ^ drivers/usb/gadget/legacy/inode.c:1817:8: note: value is overwritten value = -EINVAL; ^ Acked-by: Alan Stern Reported-by: kbuild test robot Signed-off-by: Masahiro Yamada Signed-off-by: Felipe Balbi commit 0534d40160cb9505073b0ecf5e7210daee319a66 Author: Thierry Reding Date: Fri Apr 17 19:05:37 2020 +0200 usb: gadget: tegra-xudc: Fix idle suspend/resume When the XUDC device is idle (i.e. powergated), care must be taken not to access any registers because that would lead to a crash. Move the call to tegra_xudc_device_mode_off() into the same conditional as the tegra_xudc_powergate() call to make sure we only force device mode off if the XUDC is actually powered up. Fixes: 49db427232fe ("usb: gadget: Add UDC driver for tegra XUSB device mode controller") Acked-by: Jon Hunter Tested-by: Jon Hunter Signed-off-by: Thierry Reding Signed-off-by: Felipe Balbi commit ccaef7e6e354fb65758eaddd3eae8065a8b3e295 Author: Christophe JAILLET Date: Mon Apr 27 20:04:23 2020 +0200 usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' 'dev' is allocated in 'net2272_probe_init()'. It must be freed in the error handling path, as already done in the remove function (i.e. 'net2272_plat_remove()') Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi commit f058764d19000d98aef72010468db1f69faf9fa0 Author: Christophe JAILLET Date: Mon Apr 27 22:21:16 2020 +0200 usb: phy: twl6030-usb: Fix a resource leak in an error handling path in 'twl6030_usb_probe()' A call to 'regulator_get()' is hidden in 'twl6030_usb_ldo_init()'. A corresponding put must be performed in the error handling path, as already done in the remove function. While at it, also move a 'free_irq()' call in the error handling path in order to be consistent. Reviewed-by: Dan Carpenter Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi commit 95cd7dc47abd71d1a0c9c43594ff2fa32552f46c Author: Peter Chen Date: Thu Apr 30 15:07:13 2020 +0800 usb: cdns3: gadget: prev_req->trb is NULL for ep0 And there are no multiple TRBs on EP0 and WA1 workaround, so it doesn't need to change TRB for EP0. It fixes below oops. configfs-gadget gadget: high-speed config #1: b android_work: sent uevent USB_STATE=CONFIGURED Unable to handle kernel read from unreadable memory at virtual address 0000000000000008 Mem abort info: android_work: sent uevent USB_STATE=DISCONNECTED ESR = 0x96000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000004 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=00000008b5bb7000 [0000000000000008] pgd=0000000000000000 Internal error: Oops: 96000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 PID: 430 Comm: HwBinder:401_1 Not tainted 5.4.24-06071-g6fa8921409c1-dirty #77 Hardware name: Freescale i.MX8QXP MEK (DT) pstate: 60400085 (nZCv daIf +PAN -UAO) pc : cdns3_gadget_ep_dequeue+0x1d4/0x270 lr : cdns3_gadget_ep_dequeue+0x48/0x270 sp : ffff800012763ba0 x29: ffff800012763ba0 x28: ffff00082c653c00 x27: 0000000000000000 x26: ffff000068fa7b00 x25: ffff0000699b2000 x24: ffff00082c6ac000 x23: ffff000834f0a480 x22: ffff000834e87b9c x21: 0000000000000000 x20: ffff000834e87800 x19: ffff000069eddc00 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000001 x11: ffff80001180fbe8 x10: 0000000000000001 x9 : ffff800012101558 x8 : 0000000000000001 x7 : 0000000000000006 x6 : ffff000835d9c668 x5 : ffff000834f0a4c8 x4 : 0000000096000000 x3 : 0000000000001810 x2 : 0000000000000000 x1 : ffff800024bd001c x0 : 0000000000000001 Call trace: cdns3_gadget_ep_dequeue+0x1d4/0x270 usb_ep_dequeue+0x34/0xf8 composite_dev_cleanup+0x154/0x170 configfs_composite_unbind+0x6c/0xa8 usb_gadget_remove_driver+0x44/0x70 usb_gadget_unregister_driver+0x74/0xe0 unregister_gadget+0x28/0x58 gadget_dev_desc_UDC_store+0x80/0x110 configfs_write_file+0x1e0/0x2a0 __vfs_write+0x48/0x90 vfs_write+0xe4/0x1c8 ksys_write+0x78/0x100 __arm64_sys_write+0x24/0x30 el0_svc_common.constprop.0+0x74/0x168 el0_svc_handler+0x34/0xa0 el0_svc+0x8/0xc Code: 52830203 b9407660 f94042e4 11000400 (b9400841) ---[ end trace 1574516e4c1772ca ]--- Kernel panic - not syncing: Fatal exception SMP: stopping secondary CPUs Kernel Offset: disabled CPU features: 0x0002,20002008 Memory Limit: none Rebooting in 5 seconds.. Fixes: f616c3bda47e ("usb: cdns3: Fix dequeue implementation") Cc: stable Signed-off-by: Peter Chen Signed-off-by: Felipe Balbi commit 19b94c1f9c9a16d41a8de3ccbdb8536cf1aecdbf Author: Christophe JAILLET Date: Sun May 3 12:47:07 2020 +0200 usb: gadget: audio: Fix a missing error return value in audio_bind() If 'usb_otg_descriptor_alloc()' fails, we must return an error code, not 0. Fixes: 56023ce0fd70 ("usb: gadget: audio: allocate and init otg descriptor by otg capabilities") Reviewed-by: Peter Chen Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi commit 066c09593454e89bc605ffdff1c9810061f9b1e1 Author: Andy Shevchenko Date: Mon May 4 12:33:52 2020 +0300 usb: dwc3: pci: Enable extcon driver for Intel Merrifield Intel Merrifield provides a DR support via PMIC which has its own extcon driver. Add a property string to link to that driver. Signed-off-by: Andy Shevchenko Signed-off-by: Felipe Balbi commit 00e21763f2c8cab21b7befa52996d1b18bde5c42 Author: John Stultz Date: Mon May 4 23:12:15 2020 +0000 dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() The check for the HWO flag in dwc3_gadget_ep_reclaim_trb_sg() causes us to break out of the loop before we call dwc3_gadget_ep_reclaim_completed_trb(), which is what likely should be clearing the HWO flag. This can cause odd behavior where we never reclaim all the trbs in the sg list, so we never call giveback on a usb req, and that will causes transfer stalls. This effectively resovles the adb stalls seen on HiKey960 after userland changes started only using AIO in adbd. Cc: YongQin Liu Cc: Anurag Kumar Vulisha Cc: Yang Fei Cc: Thinh Nguyen Cc: Tejas Joglekar Cc: Andrzej Pietrasiewicz Cc: Jack Pham Cc: Josh Gao Cc: Todd Kjos Cc: Felipe Balbi Cc: Greg Kroah-Hartman Cc: linux-usb@vger.kernel.org Cc: stable@vger.kernel.org #4.20+ Signed-off-by: John Stultz Signed-off-by: Felipe Balbi commit 57644431a6c2faac5d754ebd35780cf43a531b1a Author: Paolo Abeni Date: Fri May 8 19:28:34 2020 +0200 net: ipv4: really enforce backoff for redirects In commit b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage") I missed the fact that a 0 'rate_tokens' will bypass the backoff algorithm. Since rate_tokens is cleared after a redirect silence, and never incremented on redirects, if the host keeps receiving packets requiring redirect it will reply ignoring the backoff. Additionally, the 'rate_last' field will be updated with the cadence of the ingress packet requiring redirect. If that rate is high enough, that will prevent the host from generating any other kind of ICMP messages The check for a zero 'rate_tokens' value was likely a shortcut to avoid the more complex backoff algorithm after a redirect silence period. Address the issue checking for 'n_redirects' instead, which is incremented on successful redirect, and does not interfere with other ICMP replies. Fixes: b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage") Reported-and-tested-by: Colin Walters Signed-off-by: Paolo Abeni Signed-off-by: Jakub Kicinski commit 9302bead664f49ef73040fa06fa64552d02fee42 Author: Wei Yongjun Date: Fri May 8 02:15:19 2020 +0000 octeontx2-vf: Fix error return code in otx2vf_probe() Fix to return negative error code -ENOMEM from the alloc failed error handling case instead of 0, as done elsewhere in this function. Fixes: 3184fb5ba96e ("octeontx2-vf: Virtual function driver support") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Jakub Kicinski commit f965b68188ab59a40a421ced1b05a2fea638465c Author: Colin Xu Date: Fri May 8 14:05:06 2020 +0800 drm/i915/gvt: Init DPLL/DDI vreg for virtual display instead of inheritance. Init value of some display vregs rea inherited from host pregs. When host display in different status, i.e. all monitors unpluged, different display configurations, etc., GVT virtual display setup don't consistent thus may lead to guest driver consider display goes malfunctional. The added init vreg values are based on PRMs and fixed by calcuation from current configuration (only PIPE_A) and the virtual EDID. Fixes: 04d348ae3f0a ("drm/i915/gvt: vGPU display virtualization") Acked-by: Zhenyu Wang Signed-off-by: Colin Xu Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20200508060506.216250-1-colin.xu@intel.com commit db803036ada7d61d096783726f9771b3fc540370 Author: Vincent Minet Date: Fri May 8 00:14:22 2020 +0200 umh: fix memory leak on execve failure If a UMH process created by fork_usermode_blob() fails to execute, a pair of struct file allocated by umh_pipe_setup() will leak. Under normal conditions, the caller (like bpfilter) needs to manage the lifetime of the UMH and its two pipes. But when fork_usermode_blob() fails, the caller doesn't really have a way to know what needs to be done. It seems better to do the cleanup ourselves in this case. Fixes: 449325b52b7a ("umh: introduce fork_usermode_blob() helper") Signed-off-by: Vincent Minet Signed-off-by: Jakub Kicinski commit 14d8f7486a344ee64c37641c70b2d67013eb9de6 Merge: 6d32a5119811 81aabbb9fb7b Author: Jakub Kicinski Date: Fri May 8 18:58:39 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf Daniel Borkmann says: ==================== pull-request: bpf 2020-05-09 The following pull-request contains BPF updates for your *net* tree. We've added 4 non-merge commits during the last 9 day(s) which contain a total of 4 files changed, 11 insertions(+), 6 deletions(-). The main changes are: 1) Fix msg_pop_data() helper incorrectly setting an sge length in some cases as well as fixing bpf_tcp_ingress() wrongly accounting bytes in sg.size, from John Fastabend. 2) Fix to return an -EFAULT error when copy_to_user() of the value fails in map_lookup_and_delete_elem(), from Wei Yongjun. 3) Fix sk_psock refcnt leak in tcp_bpf_recvmsg(), from Xiyu Yang. ==================== Signed-off-by: Jakub Kicinski commit 6d32a5119811d2e9b5caa284181944c6f1f192ed Author: Dan Carpenter Date: Fri May 8 17:37:20 2020 +0300 dpaa2-eth: prevent array underflow in update_cls_rule() The "location" is controlled by the user via the ethtool_set_rxnfc() function. This update_cls_rule() function checks for array overflows but it doesn't check if the value is negative. I have changed the type to unsigned to prevent array underflows. Fixes: afb90dbb5f78 ("dpaa2-eth: Add ethtool support for flow classification") Signed-off-by: Dan Carpenter Signed-off-by: Jakub Kicinski commit 5099dea0a59f1c89525bb0ceac36689178a4c125 Author: Wei Yongjun Date: Fri May 8 07:27:35 2020 +0000 nfp: abm: fix error return code in nfp_abm_vnic_alloc() Fix to return negative error code -ENOMEM from the kzalloc() error handling case instead of 0, as done elsewhere in this function. Fixes: 174ab544e3bc ("nfp: abm: add cls_u32 offload for simple band classification") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: Jakub Kicinski commit 1f8492df081bd66255764f3ce82ba1b2c37def49 Author: Heiner Kallweit Date: Fri May 8 08:24:14 2020 +0200 r8169: re-establish support for RTL8401 chip version r8169 never had native support for the RTL8401, however it reportedly worked with the fallback to RTL8101e [0]. Therefore let's add this as an explicit assignment. [0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956868 Fixes: b4cc2dcc9c7c ("r8169: remove default chip versions") Reported-by: Camaleón Signed-off-by: Heiner Kallweit Signed-off-by: Jakub Kicinski commit cc4de047b33be247f9c8150d3e496743a49642b8 Author: Kelly Littlepage Date: Fri May 8 19:58:46 2020 +0000 net: tcp: fix rx timestamp behavior for tcp_recvmsg The stated intent of the original commit is to is to "return the timestamp corresponding to the highest sequence number data returned." The current implementation returns the timestamp for the last byte of the last fully read skb, which is not necessarily the last byte in the recv buffer. This patch converts behavior to the original definition, and to the behavior of the previous draft versions of commit 98aaa913b4ed ("tcp: Extend SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") which also match this behavior. Fixes: 98aaa913b4ed ("tcp: Extend SOF_TIMESTAMPING_RX_SOFTWARE to TCP recvmsg") Co-developed-by: Iris Liu Signed-off-by: Iris Liu Signed-off-by: Kelly Littlepage Signed-off-by: Eric Dumazet Acked-by: Soheil Hassas Yeganeh Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski commit 7bb0c5338436dae953622470d52689265867f032 Author: Lei Xue Date: Thu May 7 08:50:22 2020 -0400 cachefiles: Fix race between read_waiter and read_copier involving op->to_do There is a potential race in fscache operation enqueuing for reading and copying multiple pages from cachefiles to netfs. The problem can be seen easily on a heavy loaded system (for example many processes reading files continually on an NFS share covered by fscache triggered this problem within a few minutes). The race is due to cachefiles_read_waiter() adding the op to the monitor to_do list and then then drop the object->work_lock spinlock before completing fscache_enqueue_operation(). Once the lock is dropped, cachefiles_read_copier() grabs the op, completes processing it, and makes it through fscache_retrieval_complete() which sets the op->state to the final state of FSCACHE_OP_ST_COMPLETE(4). When cachefiles_read_waiter() finally gets through the remainder of fscache_enqueue_operation() it sees the invalid state, and hits the ASSERTCMP and the following oops is seen: [ 2259.612361] FS-Cache: [ 2259.614785] FS-Cache: Assertion failed [ 2259.618639] FS-Cache: 4 == 5 is false [ 2259.622456] ------------[ cut here ]------------ [ 2259.627190] kernel BUG at fs/fscache/operation.c:70! ... [ 2259.791675] RIP: 0010:[] [] fscache_enqueue_operation+0xff/0x170 [fscache] [ 2259.802059] RSP: 0000:ffffa0263d543be0 EFLAGS: 00010046 [ 2259.807521] RAX: 0000000000000019 RBX: ffffa01a4d390480 RCX: 0000000000000006 [ 2259.814847] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffa0263d553890 [ 2259.822176] RBP: ffffa0263d543be8 R08: 0000000000000000 R09: ffffa0263c2d8708 [ 2259.829502] R10: 0000000000001e7f R11: 0000000000000000 R12: ffffa01a4d390480 [ 2259.844483] R13: ffff9fa9546c5920 R14: ffffa0263d543c80 R15: ffffa0293ff9bf10 [ 2259.859554] FS: 00007f4b6efbd700(0000) GS:ffffa0263d540000(0000) knlGS:0000000000000000 [ 2259.875571] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 2259.889117] CR2: 00007f49e1624ff0 CR3: 0000012b38b38000 CR4: 00000000007607e0 [ 2259.904015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 2259.918764] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 2259.933449] PKRU: 55555554 [ 2259.943654] Call Trace: [ 2259.953592] [ 2259.955577] [] cachefiles_read_waiter+0x92/0xf0 [cachefiles] [ 2259.978039] [] __wake_up_common+0x82/0x120 [ 2259.991392] [] __wake_up_common_lock+0x83/0xc0 [ 2260.004930] [] ? task_rq_unlock+0x20/0x20 [ 2260.017863] [] __wake_up+0x13/0x20 [ 2260.030230] [] __wake_up_bit+0x50/0x70 [ 2260.042535] [] unlock_page+0x2b/0x30 [ 2260.054495] [] page_endio+0x29/0x90 [ 2260.066184] [] mpage_end_io+0x51/0x80 CPU1 cachefiles_read_waiter() 20 static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode, 21 int sync, void *_key) 22 { ... 61 spin_lock(&object->work_lock); 62 list_add_tail(&monitor->op_link, &op->to_do); 63 spin_unlock(&object->work_lock); 64 65 fscache_enqueue_retrieval(op); 182 static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op) 183 { 184 fscache_enqueue_operation(&op->op); 185 } 58 void fscache_enqueue_operation(struct fscache_operation *op) 59 { 60 struct fscache_cookie *cookie = op->object->cookie; 61 62 _enter("{OBJ%x OP%x,%u}", 63 op->object->debug_id, op->debug_id, atomic_read(&op->usage)); 64 65 ASSERT(list_empty(&op->pend_link)); 66 ASSERT(op->processor != NULL); 67 ASSERT(fscache_object_is_available(op->object)); 68 ASSERTCMP(atomic_read(&op->usage), >, 0); CPU2 cachefiles_read_copier() 168 while (!list_empty(&op->to_do)) { ... 202 fscache_end_io(op, monitor->netfs_page, error); 203 put_page(monitor->netfs_page); 204 fscache_retrieval_complete(op, 1); CPU1 58 void fscache_enqueue_operation(struct fscache_operation *op) 59 { ... 69 ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS, 70 op->state, ==, FSCACHE_OP_ST_CANCELLED); Signed-off-by: Lei Xue Signed-off-by: Dave Wysochanski Signed-off-by: David Howells commit 50eaa652b54df1e2b48dc398d9e6114c9ed080eb Author: Dave Wysochanski Date: Thu Apr 16 06:06:08 2020 -0400 NFSv4: Fix fscache cookie aux_data to ensure change_attr is included Commit 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") added the aux_data and aux_data_len to parameters to fscache_acquire_cookie(), and updated the callers in the NFS client. In the process it modified the aux_data to include the change_attr, but missed adding change_attr to a couple places where aux_data was used. Specifically, when opening a file and the change_attr is not added, the following attempt to lookup an object will fail inside cachefiles_check_object_xattr() = -116 due to nfs_fscache_inode_check_aux() failing memcmp on auxdata and returning FSCACHE_CHECKAUX_OBSOLETE. Fix this by adding nfs_fscache_update_auxdata() to set the auxdata from all relevant fields in the inode, including the change_attr. Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells commit 15751612734ca0c419ac43ce986c9badcb5e2829 Author: Dave Wysochanski Date: Wed Apr 15 16:14:42 2020 -0400 NFS: Fix fscache super_cookie allocation Commit f2aedb713c28 ("NFS: Add fs_context support.") reworked NFS mount code paths for fs_context support which included super_block initialization. In the process there was an extra return left in the code and so we never call nfs_fscache_get_super_cookie even if 'fsc' is given on as mount option. In addition, there is an extra check inside nfs_fscache_get_super_cookie for the NFS_OPTION_FSCACHE which is unnecessary since the only caller nfs_get_cache_cookie checks this flag. Fixes: f2aedb713c28 ("NFS: Add fs_context support.") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells commit d9bfced1fbcb35b28d8fbed4e785d2807055ed2b Author: Dave Wysochanski Date: Wed Apr 15 16:14:41 2020 -0400 NFS: Fix fscache super_cookie index_key from changing after umount Commit 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") added the index_key and index_key_len parameters to fscache_acquire_cookie(), and updated the callers in the NFS client. One of the callers was inside nfs_fscache_get_super_cookie() and was changed to use the full struct nfs_fscache_key as the index_key. However, a couple members of this structure contain pointers and thus will change each time the same NFS share is remounted. Since index_key is used for fscache_cookie->key_hash and this subsequently is used to compare cookies, the effectiveness of fscache with NFS is reduced to the point at which a umount occurs. Any subsequent remount of the same share will cause a unique NFS super_block index_key and key_hash to be generated for the same data, rendering any prior fscache data unable to be found. A simple reproducer demonstrates the problem. 1. Mount share with 'fsc', create a file, drop page cache systemctl start cachefilesd mount -o vers=3,fsc 127.0.0.1:/export /mnt dd if=/dev/zero of=/mnt/file1.bin bs=4096 count=1 echo 3 > /proc/sys/vm/drop_caches 2. Read file into page cache and fscache, then unmount dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 umount /mnt 3. Remount and re-read which should come from fscache mount -o vers=3,fsc 127.0.0.1:/export /mnt echo 3 > /proc/sys/vm/drop_caches dd if=/mnt/file1.bin of=/dev/null bs=4096 count=1 4. Check for READ ops in mountstats - there should be none grep READ: /proc/self/mountstats Looking at the history and the removed function, nfs_super_get_key(), we should only use nfs_fscache_key.key plus any uniquifier, for the fscache index_key. Fixes: 402cb8dda949 ("fscache: Attach the index key and aux data to the cookie") Signed-off-by: Dave Wysochanski Signed-off-by: David Howells commit 626bf90fe03fa080d8df06bb0397c95c53ae8e27 Author: Simon Ser Date: Mon Mar 30 09:23:21 2020 +0000 drm/amd/display: add basic atomic check for cursor plane This patch adds a basic cursor check when an atomic test-only commit is performed. The position and size of the cursor plane is checked. This should fix user-space relying on atomic checks to assign buffers to planes. Signed-off-by: Simon Ser Reported-by: Roman Gilg References: https://github.com/emersion/libliftoff/issues/46 Cc: Alex Deucher Cc: Harry Wentland Reviewed-by: Nicholas Kazlauskas Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 2346ef47e871536cf4e36b77859bfdeb39b49024 Author: Nicholas Kazlauskas Date: Wed May 6 15:47:54 2020 -0400 drm/amd/display: Fix vblank and pageflip event handling for FreeSync [Why] We're sending the drm vblank event a frame too early in the case where the pageflip happens close to VUPDATE and ends up blocking the signal. The implementation in DM was previously correct *before* we started sending vblank events from VSTARTUP unconditionally to handle cases where HUBP was off, OTG was ON and userspace was still requesting some DRM planes enabled. As part of that patch series we dropped VUPDATE since it was deemed close enough to VSTARTUP, but there's a key difference betweeen VSTARTUP and VUPDATE - the VUPDATE signal can be blocked if we're holding the pipe lock. There was a fix recently to revert the unconditional behavior for the DCN VSTARTUP vblank event since it was sending the pageflip event on the wrong frame - once again, due to blocking VUPDATE and having the address start scanning out two frames later. The problem with this fix is it didn't update the logic that calls drm_crtc_handle_vblank(), so the timestamps are totally bogus now. [How] Essentially reverts most of the original VSTARTUP series but retains the behavior to send back events when active planes == 0. Some refactoring/cleanup was done to not have duplicated code in both the handlers. Fixes: 16f17eda8bad ("drm/amd/display: Send vblank and user events at vsartup for DCN") Fixes: 3a2ce8d66a4b ("drm/amd/display: Disable VUpdate interrupt for DCN hardware") Fixes: 2b5aed9ac3f7 ("drm/amd/display: Fix pageflip event race condition for DCN.") Signed-off-by: Nicholas Kazlauskas Reviewed-and-Tested-by: Mario Kleiner Reviewed-by: Leo Li Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org # 5.6.x commit b14c94908b1b884276a6608dea3d0b1b510338b7 Author: Bob Peterson Date: Fri May 8 15:01:25 2020 -0500 Revert "gfs2: Don't demote a glock until its revokes are written" This reverts commit df5db5f9ee112e76b5202fbc331f990a0fc316d6. This patch fixes a regression: patch df5db5f9ee112 allowed function run_queue() to bypass its call to do_xmote() if revokes were queued for the glock. That's wrong because its call to do_xmote() is what is responsible for calling the go_sync() glops functions to sync both the ail list and any revokes queued for it. By bypassing the call, gfs2 could get into a stand-off where the glock could not be demoted until its revokes are written back, but the revokes would not be written back because do_xmote() was never called. It "sort of" works, however, because there are other mechanisms like the log flush daemon (logd) that can sync the ail items and revokes, if it deems it necessary. The problem is: without file system pressure, it might never deem it necessary. Signed-off-by: Bob Peterson commit b11e1a84f370866a8f47e85040687b49c1eb8705 Author: Bob Peterson Date: Thu May 7 12:12:23 2020 -0500 gfs2: If go_sync returns error, withdraw but skip invalidate Before this patch, if the go_sync operation returned an error during the do_xmote process (such as unable to sync metadata to the journal) the code did goto out. That kept the glock locked, so it could not be given away, which correctly avoids file system corruption. However, it never set the withdraw bit or requeueing the glock work. So it would hang forever, unable to ever demote the glock. This patch changes to goto to a new label, skip_inval, so that errors from go_sync are treated the same way as errors from go_inval: The delayed withdraw bit is set and the work is requeued. That way, the logd should eventually figure out there's a problem and withdraw properly there. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit bff1a6112b09a810d8a1c0c0ea306e58810d4f0b Author: Alex Deucher Date: Fri May 8 14:33:09 2020 -0400 drm/amdgpu: implement soft_recovery for gfx10 Same as gfx9. This allows us to kill the waves for hung shaders. Acked-by: Evan Quan Reviewed-by: Christian König Signed-off-by: Alex Deucher commit b2b6290a23986a5c88384887b8a589a3c4ebe292 Author: Evan Quan Date: Thu May 7 18:17:55 2020 +0800 drm/amdgpu: enable hibernate support on Navi1X BACO is needed to support hibernate on Navi1X. Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit 39b3128d7ffd44e400e581e6f49e88cb42bef9a1 Author: Felix Kuehling Date: Tue May 5 14:02:43 2020 -0400 drm/amdgpu: Use GEM obj reference for KFD BOs Releasing the AMDGPU BO ref directly leads to problems when BOs were exported as DMA bufs. Releasing the GEM reference makes sure that the AMDGPU/TTM BO is not freed too early. Also take a GEM reference when importing BOs from DMABufs to keep references to imported BOs balances properly. Signed-off-by: Felix Kuehling Tested-by: Alex Sierra Acked-by: Christian König Reviewed-by: Alex Sierra Signed-off-by: Alex Deucher commit a6aacb2b26e85aa619cf0c6f98d0ca77314cd2a1 Author: Alex Deucher Date: Tue May 5 09:42:26 2020 -0400 drm/amdgpu: force fbdev into vram We set the fb smem pointer to the offset into the BAR, so keep the fbdev bo in vram. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=207581 Fixes: 6c8d74caa2fa33 ("drm/amdgpu: Enable scatter gather display support") Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org commit f4fcfa4282c1a1bf51475ebb0ffda623eebf1191 Author: Evan Quan Date: Thu Apr 30 14:38:39 2020 +0800 drm/amd/powerplay: perform PG ungate prior to CG ungate Since gfxoff should be disabled first before trying to access those GC registers. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit 1fe48ec08d9f2e26d893a6c05bd6c99a3490f9ef Author: Evan Quan Date: Thu Apr 30 11:24:02 2020 +0800 drm/amdgpu: drop unnecessary cancel_delayed_work_sync on PG ungate As this is already properly handled in amdgpu_gfx_off_ctrl(). In fact, this unnecessary cancel_delayed_work_sync may leave a small time window for race condition and is dangerous. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit ee79be181aee2f59522fdf81c580aaed5753e3af Author: Evan Quan Date: Thu Apr 30 11:15:19 2020 +0800 drm/amdgpu: disable MGCG/MGLS also on gfx CG ungate Otherwise, MGCG/MGLS will be left enabled. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher commit d5eeab8d7e269e8cfc53b915bccd7bd30485bcbf Merge: eb24fdd8e6f5 b36522150e5b Author: Linus Torvalds Date: Fri May 8 10:36:56 2020 -0700 Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi Pull SCSI fixes from James Bottomley: "Four minor fixes, all in drivers (qla2xxx, ibmvfc, ibmvscsi)" * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi: scsi: ibmvscsi: Fix WARN_ON during event pool release scsi: ibmvfc: Don't send implicit logouts prior to NPIV login scsi: qla2xxx: Delete all sessions before unregister local nvme port scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV commit eb24fdd8e6f5c6bb95129748a1801c6476492aba Merge: 4334f30ebf39 12ae44a40a1b Author: Linus Torvalds Date: Fri May 8 10:27:00 2020 -0700 Merge tag 'ceph-for-5.7-rc5' of git://github.com/ceph/ceph-client Pull ceph fixes from Ilya Dryomov: "Fixes for an endianness handling bug that prevented mounts on big-endian arches, a spammy log message and a couple error paths. Also included a MAINTAINERS update" * tag 'ceph-for-5.7-rc5' of git://github.com/ceph/ceph-client: ceph: demote quotarealm lookup warning to a debug message MAINTAINERS: remove myself as ceph co-maintainer ceph: fix double unlock in handle_cap_export() ceph: fix special error code in ceph_try_get_caps() ceph: fix endianness bug when handling MDS session feature bits commit f4e2f5e1a527ce58fc9f85145b03704779a3123e Author: Andreas Gruenbacher Date: Tue May 5 11:56:46 2020 -0500 gfs2: Grab glock reference sooner in gfs2_add_revoke This patch rearranges gfs2_add_revoke so that the extra glock reference is added earlier on in the function to avoid races in which the glock is freed before the new reference is taken. Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson commit c9cb9e381985bbbe8acd2695bbe6bd24bf06b81c Author: Bob Peterson Date: Tue May 5 11:55:03 2020 -0500 gfs2: don't call quota_unhold if quotas are not locked Before this patch, function gfs2_quota_unlock checked if quotas are turned off, and if so, it branched to label out, which called gfs2_quota_unhold. With the new system of gfs2_qa_get and put, we no longer want to call gfs2_quota_unhold or we won't balance our gets and puts. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 4ed0c30811cb4d30ef89850b787a53a84d5d2bcb Author: Bob Peterson Date: Tue May 5 11:53:21 2020 -0500 gfs2: move privileged user check to gfs2_quota_lock_check Before this patch, function gfs2_quota_lock checked if it was called from a privileged user, and if so, it bypassed the quota check: superuser can operate outside the quotas. That's the wrong place for the check because the lock/unlock functions are separate from the lock_check function, and you can do lock and unlock without actually checking the quotas. This patch moves the check to gfs2_quota_lock_check. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit e6ce26e571a813e6992c5148b27f2a4b17952080 Author: Bob Peterson Date: Tue May 5 11:52:51 2020 -0500 gfs2: remove check for quotas on in gfs2_quota_check This patch removes a check from gfs2_quota_check for whether quotas are enabled by the superblock. There is a test just prior for the GIF_QD_LOCKED bit in the inode, and that can only be set by functions that already check that quotas are enabled in the superblock. Therefore, the check is redundant. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit f9615fe3113f1067093f7f68d46d281b4c9a5978 Author: Bob Peterson Date: Tue May 5 11:50:24 2020 -0500 gfs2: Change BUG_ON to an assert_withdraw in gfs2_quota_change Before this patch, gfs2_quota_change() would BUG_ON if the qa_ref counter was not a positive number. This patch changes it to be a withdraw instead. That way we can debug things more easily. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 2297ab6144c2e85c418d0fd47b2f24e294b55dca Author: Bob Peterson Date: Mon May 4 10:18:43 2020 -0500 gfs2: Fix problems regarding gfs2_qa_get and _put This patch fixes a couple of places in which gfs2_qa_get and gfs2_qa_put are not balanced: we now keep references around whenever a file is open for writing (see gfs2_open_common and gfs2_release), so we need to put all references we grab in function gfs2_create_inode. This was broken in the successful case and on one error path. This also means that we don't have a reference to put in gfs2_evict_inode. In addition, gfs2_qa_put was called for the wrong inode in gfs2_link. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 12ae44a40a1be891bdc6463f8c7072b4ede746ef Author: Luis Henriques Date: Tue May 5 13:59:02 2020 +0100 ceph: demote quotarealm lookup warning to a debug message A misconfigured cephx can easily result in having the kernel client flooding the logs with: ceph: Can't lookup inode 1 (err: -13) Change this message to debug level. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/44546 Signed-off-by: Luis Henriques Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov commit 4334f30ebf395b204c6cbeabf371a5a998d6ba7c Merge: c61529f6f59c f0e1d3ac2d7c Author: Linus Torvalds Date: Fri May 8 09:11:53 2020 -0700 Merge tag 'char-misc-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc Pull char/misc driver fixes from Greg KH: "Here are some small driver fixes for 5.7-rc5 that resolve a number of minor reported issues: - mhi bus driver fixes found as people actually use the code - phy driver fixes and compat string additions - most driver fix due to link order changing when the core moved out of staging - mei driver fix - interconnect build warning fix All of these have been in linux-next for a while with no reported issues" * tag 'char-misc-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc: bus: mhi: core: Fix channel device name conflict bus: mhi: core: Fix typo in comment bus: mhi: core: Offload register accesses to the controller bus: mhi: core: Remove link_status() callback bus: mhi: core: Make sure to powerdown if mhi_sync_power_up fails bus: mhi: Fix parsing of mhi_flags mei: me: disable mei interface on LBG servers. phy: qualcomm: usb-hs-28nm: Prepare clocks in init MAINTAINERS: Add Vinod Koul as Generic PHY co-maintainer interconnect: qcom: Move the static keyword to the front of declaration most: core: use function subsys_initcall() bus: mhi: core: Fix a NULL vs IS_ERR check in mhi_create_devices() phy: qcom-qusb2: Re add "qcom,sdm845-qusb2-phy" compat string phy: tegra: Select USB_COMMON for usb_get_maximum_speed() commit c61529f6f59c9e136432cde96f9a053a51ad2a1e Merge: e7a1c733fecd 2a15483b401c Author: Linus Torvalds Date: Fri May 8 09:06:34 2020 -0700 Merge tag 'driver-core-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core Pull driver core fixes from Greg KH: "Here are a number of small driver core fixes for 5.7-rc5 to resolve a bunch of reported issues with the current tree. Biggest here are the reverts and patches from John Stultz to resolve a bunch of deferred probe regressions we have been seeing in 5.7-rc right now. Along with those are some other smaller fixes: - coredump crash fix - devlink fix for when permissive mode was enabled - amba and platform device dma_parms fixes - component error silenced for when deferred probe happens All of these have been in linux-next for a while with no reported issues" * tag 'driver-core-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core: regulator: Revert "Use driver_deferred_probe_timeout for regulator_init_complete_work" driver core: Ensure wait_for_device_probe() waits until the deferred_probe_timeout fires driver core: Use dev_warn() instead of dev_WARN() for deferred_probe_timeout warnings driver core: Revert default driver_deferred_probe_timeout value to 0 component: Silence bind error on -EPROBE_DEFER driver core: Fix handling of fw_devlink=permissive coredump: fix crash when umh is disabled amba: Initialize dma_parms for amba devices driver core: platform: Initialize dma_parms for platform devices commit e7a1c733fecd6bf71f87f74b36ab51bb3eafd8b3 Merge: cbd0e4821373 769acc3656d9 Author: Linus Torvalds Date: Fri May 8 09:03:49 2020 -0700 Merge tag 'staging-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging Pull staging driver fixes from Greg KH: "Here are three small driver fixes for 5.7-rc5. Two of these are documentation fixes: - MAINTAINERS update due to removed driver - removing Wolfram from the ks7010 driver TODO file The other patch is a real fix: - fix gasket driver to proper check the return value of a call All of these have been in linux-next for a while with no reported issues" * tag 'staging-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging: staging: gasket: Check the return value of gasket_get_bar_index() staging: ks7010: remove me from CC list MAINTAINERS: remove entry after hp100 driver removal commit cbd0e4821373ab10833c38edc3b858e3fa1a2976 Merge: 0a0b96b2e27d 2ae11c46d5fd Author: Linus Torvalds Date: Fri May 8 08:56:16 2020 -0700 Merge tag 'tty-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty Pull tty/serial fixes from Greg KH: "Here are three small TTY/Serial/VT fixes for 5.7-rc5: - revert for the bcm63xx driver "fix" that was incorrect - vt unicode console bugfix - xilinx_uartps console driver fix All of these have been in linux next with no reported issues" * tag 'tty-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty: tty: xilinx_uartps: Fix missing id assignment to the console vt: fix unicode console freeing with a common interface Revert "tty: serial: bcm63xx: fix missing clk_put() in bcm63xx_uart" commit 0a0b96b2e27d75c74e254abf8efe17628aa427ad Merge: 775a8e0316bd 91edf63d5022 Author: Linus Torvalds Date: Fri May 8 08:54:00 2020 -0700 Merge tag 'usb-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb Pull USB fixes from Greg KH: "Here are some small USB fixes for 5.7-rc5 to resolve some reported issues: - syzbot found problems fixed - usbfs dma mapping fix - typec bugfixs - chipidea bugfix - usb4/thunderbolt fix - new device ids/quirks All of these have been in linux-next for a while with no reported issues" * tag 'usb-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb: usb: chipidea: msm: Ensure proper controller reset using role switch API usb: typec: mux: intel: Handle alt mode HPD_HIGH usb: usbfs: correct kernel->user page attribute mismatch usb: typec: intel_pmc_mux: Fix the property names USB: core: Fix misleading driver bug report USB: serial: qcserial: Add DW5816e support USB: uas: add quirk for LaCie 2Big Quadra thunderbolt: Check return value of tb_sw_read() in usb4_switch_op() USB: serial: garmin_gps: add sanity checking for data length commit 775a8e0316bd5443a0f3faf771b1bdfb8f8e8342 Merge: af38553c6612 a9fe6f18cde0 Author: Linus Torvalds Date: Fri May 8 08:49:34 2020 -0700 Merge tag 'drm-fixes-2020-05-08' of git://anongit.freedesktop.org/drm/drm Pull drm fixes from Dave Airlie: "Another pretty normal week. I didn't get any i915 fixes yet, so next week I'd expect double the usual i915, but otherwise a bunch of amdgpu and some scattered other fixes. hdcp: - fix HDCP regression amdgpu: - Runtime PM fixes - DC fix for PPC - Misc DC fixes virtio: - fix context ordering issue sun4i: - old gcc warning fix ingenic-drm: - missing module support" * tag 'drm-fixes-2020-05-08' of git://anongit.freedesktop.org/drm/drm: drm/amd/display: Prevent dpcd reads with passive dongles drm/amd/display: fix counter in wait_for_no_pipes_pending drm/amd/display: Update DCN2.1 DV Code Revision drm: Fix HDCP failures when SRM fw is missing sun6i: dsi: fix gcc-4.8 drm: ingenic-drm: add MODULE_DEVICE_TABLE drm/virtio: create context before RESOURCE_CREATE_2D in 3D mode drm/amd/display: work around fp code being emitted outside of DC_FP_START/END drm/amdgpu/dc: Use WARN_ON_ONCE for ASSERT drm/amdgpu: drop redundant cg/pg ungate on runpm enter drm/amdgpu: move kfd suspend after ip_suspend_phase1 commit 851c4df54dc1bcae41d07e46e3d89e035b0a7140 Author: Michael Ellerman Date: Fri May 8 16:53:56 2020 +1000 selftests/lkdtm: Use grep -E instead of egrep shellcheck complains that egrep is deprecated, and the grep man page agrees. Use grep -E instead. Signed-off-by: Michael Ellerman Acked-by: Kees Cook Signed-off-by: Shuah Khan commit f131d9edc29d527df4b8f6840c340415f559f095 Author: Michael Ellerman Date: Fri May 8 16:53:55 2020 +1000 selftests/lkdtm: Don't clear dmesg when running tests It is Very Rude to clear dmesg in test scripts. That's because the script may be part of a larger test run, and clearing dmesg potentially destroys the output of other tests. We can avoid using dmesg -c by saving the content of dmesg before the test, and then using diff to compare that to the dmesg afterward, producing a log with just the added lines. Signed-off-by: Michael Ellerman Acked-by: Kees Cook Signed-off-by: Shuah Khan commit adb571649c7ce7ee16022fa302b62043d1812b4b Author: Po-Hsu Lin Date: Tue May 5 18:14:45 2020 +0800 selftests/ftrace: mark irqsoff_tracer.tc test as unresolved if the test module does not exist The UNRESOLVED state is much more apporiate than the UNSUPPORTED state for the absence of the test module, as it matches "test was set up incorrectly" situation in the README file. A possible scenario is that the function was enabled (supported by the kernel) but the module was not installed properly, in this case we cannot call this as UNSUPPORTED. This change also make it consistent with other module-related tests in ftrace. Signed-off-by: Po-Hsu Lin Acked-by: Steven Rostedt (VMware) Acked-by: Masami Hiramatsu Signed-off-by: Shuah Khan commit d8238f9eb6e0c175c8b657af20164eef6b30c71c Author: Gustavo A. R. Silva Date: Thu May 7 13:56:08 2020 -0500 tools/testing: Replace zero-length array with flexible-array The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] sizeof(flexible-array-member) triggers a warning because flexible array members have incomplete type[1]. There are some instances of code in which the sizeof operator is being incorrectly/erroneously applied to zero-length arrays and the result is zero. Such instances may be hiding some bugs. So, this work (flexible-array member conversions) will also help to get completely rid of those sorts of issues. This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Shuah Khan commit af38553c661207f96464e15f3506bf788daee474 Merge: 79dede78c057 14f69140ff9c Author: Linus Torvalds Date: Fri May 8 08:41:09 2020 -0700 Merge branch 'akpm' (patches from Andrew) Merge misc fixes from Andrew Morton: "14 fixes and one selftest to verify the ipc fixes herein" * emailed patches from Andrew Morton : mm: limit boost_watermark on small zones ubsan: disable UBSAN_ALIGNMENT under COMPILE_TEST mm/vmscan: remove unnecessary argument description of isolate_lru_pages() epoll: atomically remove wait entry on wake up kselftests: introduce new epoll60 testcase for catching lost wakeups percpu: make pcpu_alloc() aware of current gfp context mm/slub: fix incorrect interpretation of s->offset scripts/gdb: repair rb_first() and rb_last() eventpoll: fix missing wakeup for ovflist in ep_poll_callback arch/x86/kvm/svm/sev.c: change flag passed to GUP fast in sev_pin_memory() scripts/decodecode: fix trapping instruction formatting kernel/kcov.c: fix typos in kcov_remote_start documentation mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() mm, memcg: fix error return value of mem_cgroup_css_alloc() ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() commit 4bb9d46d47b105a774f9dca642f5271375bca4b2 Author: John Stultz Date: Fri May 8 04:56:10 2020 +0000 kselftests: dmabuf-heaps: Fix confused return value on expected error testing When I added the expected error testing, I forgot I need to set the return to zero when we successfully see an error. Without this change we only end up testing a single heap before the test quits. Cc: Shuah Khan Cc: Sumit Semwal Cc: Benjamin Gaignard Cc: Brian Starkey Cc: Laura Abbott Cc: "Andrew F. Davis" Cc: linux-kselftest@vger.kernel.org Signed-off-by: John Stultz Signed-off-by: Shuah Khan commit 3f2c788a13143620c5471ac96ac4f033fc9ac3f3 Author: Christian Brauner Date: Thu May 7 12:32:14 2020 +0200 fork: prevent accidental access to clone3 features Jan reported an issue where an interaction between sign-extending clone's flag argument on ppc64le and the new CLONE_INTO_CGROUP feature causes clone() to consistently fail with EBADF. The whole story is a little longer. The legacy clone() syscall is odd in a bunch of ways and here two things interact. First, legacy clone's flag argument is word-size dependent, i.e. it's an unsigned long whereas most system calls with flag arguments use int or unsigned int. Second, legacy clone() ignores unknown and deprecated flags. The two of them taken together means that users on 64bit systems can pass garbage for the upper 32bit of the clone() syscall since forever and things would just work fine. Just try this on a 64bit kernel prior to v5.7-rc1 where this will succeed and on v5.7-rc1 where this will fail with EBADF: int main(int argc, char *argv[]) { pid_t pid; /* Note that legacy clone() has different argument ordering on * different architectures so this won't work everywhere. * * Only set the upper 32 bits. */ pid = syscall(__NR_clone, 0xffffffff00000000 | SIGCHLD, NULL, NULL, NULL, NULL); if (pid < 0) exit(EXIT_FAILURE); if (pid == 0) exit(EXIT_SUCCESS); if (wait(NULL) != pid) exit(EXIT_FAILURE); exit(EXIT_SUCCESS); } Since legacy clone() couldn't be extended this was not a problem so far and nobody really noticed or cared since nothing in the kernel ever bothered to look at the upper 32 bits. But once we introduced clone3() and expanded the flag argument in struct clone_args to 64 bit we opened this can of worms. With the first flag-based extension to clone3() making use of the upper 32 bits of the flag argument we've effectively made it possible for the legacy clone() syscall to reach clone3() only flags. The sign extension scenario is just the odd corner-case that we needed to figure this out. The reason we just realized this now and not already when we introduced CLONE_CLEAR_SIGHAND was that CLONE_INTO_CGROUP assumes that a valid cgroup file descriptor has been given. So the sign extension (or the user accidently passing garbage for the upper 32 bits) caused the CLONE_INTO_CGROUP bit to be raised and the kernel to error out when it didn't find a valid cgroup file descriptor. Let's fix this by always capping the upper 32 bits for all codepaths that are not aware of clone3() features. This ensures that we can't reach clone3() only features by accident via legacy clone as with the sign extension case and also that legacy clone() works exactly like before, i.e. ignoring any unknown flags. This solution risks no regressions and is also pretty clean. Fixes: 7f192e3cd316 ("fork: add clone3") Fixes: ef2c41cf38a7 ("clone3: allow spawning processes into cgroups") Reported-by: Jan Stancek Signed-off-by: Christian Brauner Cc: Arnd Bergmann Cc: Dmitry V. Levin Cc: Andreas Schwab Cc: Florian Weimer Cc: libc-alpha@sourceware.org Cc: stable@vger.kernel.org # 5.3+ Link: https://sourceware.org/pipermail/libc-alpha/2020-May/113596.html Link: https://lore.kernel.org/r/20200507103214.77218-1-christian.brauner@ubuntu.com commit fb3637a113349f53830f7d6ca45891b7192cd28f Author: Julia Lawall Date: Tue May 5 20:47:47 2020 +0200 iommu/virtio: Reverse arguments to list_add Elsewhere in the file, there is a list_for_each_entry with &vdev->resv_regions as the second argument, suggesting that &vdev->resv_regions is the list head. So exchange the arguments on the list_add call to put the list head in the second argument. Fixes: 2a5a31487445 ("iommu/virtio: Add probe request") Signed-off-by: Julia Lawall Reviewed-by: Jean-Philippe Brucker Link: https://lore.kernel.org/r/1588704467-13431-1-git-send-email-Julia.Lawall@inria.fr Signed-off-by: Joerg Roedel commit 2de00450c0126ec8838f72157577578e85cae5d8 Author: Grygorii Strashko Date: Thu May 7 18:12:44 2020 +0300 ARM: dts: am437x: fix networking on boards with ksz9031 phy Since commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") the networking is broken on boards: am437x-gp-evm am437x-sk-evm am437x-idk-evm All above boards have phy-mode = "rgmii" and this is worked before, because KSZ9031 PHY started with default RGMII internal delays configuration (TX off, RX on 1.2 ns) and MAC provided TX delay. After above commit, the KSZ9031 PHY starts handling phy mode properly and disables RX delay, as result networking is become broken. Fix it by switching to phy-mode = "rgmii-rxid" to reflect previous behavior. Cc: Oleksij Rempel Cc: Andrew Lunn Cc: Philippe Schenker Fixes: bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") Reviewed-by: Philippe Schenker Signed-off-by: Grygorii Strashko Signed-off-by: Tony Lindgren commit aa83da7f47b26c9587bade6c4bc4736ffa308f0a Author: Andreas Gruenbacher Date: Tue Apr 28 01:15:41 2020 +0200 gfs2: More gfs2_find_jhead fixes It turns out that when extending an existing bio, gfs2_find_jhead fails to check if the block number is consecutive, which leads to incorrect reads for fragmented journals. In addition, limit the maximum bio size to an arbitrary value of 2 megabytes: since commit 07173c3ec276 ("block: enable multipage bvecs"), if we just keep adding pages until bio_add_page fails, bios will grow much larger than useful, which pins more memory than necessary with barely any additional performance gains. Fixes: f4686c26ecc3 ("gfs2: read journal in large chunks") Cc: stable@vger.kernel.org # v5.2+ Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson commit 566a2ab3c9005f62e784bd39022d58d34ef4365c Author: Andreas Gruenbacher Date: Mon Apr 20 19:42:04 2020 +0200 gfs2: Another gfs2_walk_metadata fix Make sure we don't walk past the end of the metadata in gfs2_walk_metadata: the inode holds fewer pointers than indirect blocks. Slightly clean up gfs2_iomap_get. Fixes: a27a0c9b6a20 ("gfs2: gfs2_walk_metadata fix") Cc: stable@vger.kernel.org # v5.3+ Signed-off-by: Andreas Gruenbacher Signed-off-by: Bob Peterson commit d22f69a08dcb0f469170cda1976d5938cb0e5dcf Author: Bob Peterson Date: Fri Apr 24 12:17:33 2020 -0500 gfs2: Fix use-after-free in gfs2_logd after withdraw When the gfs2_logd daemon withdrew, the withdraw sequence called into make_fs_ro() to make the file system read-only. That caused the journal descriptors to be freed. However, those journal descriptors were used by gfs2_logd's call to gfs2_ail_flush_reqd(). This caused a use-after free and NULL pointer dereference. This patch changes function gfs2_logd() so that it stops all logd work until the thread is told to stop. Once a withdraw is done, it only does an interruptible sleep. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 53af80ce0eaeb0fc4ce4b565c30e3a16e8e05de0 Author: Bob Peterson Date: Fri Apr 24 12:15:21 2020 -0500 gfs2: Fix BUG during unmount after file system withdraw Before this patch, when the logd daemon was forced to withdraw, it would try to request its journal be recovered by another cluster node. However, in single-user cases with lock_nolock, there are no other nodes to recover the journal. Function signal_our_withdraw() was recognizing the lock_nolock situation, but not until after it had evicted its journal inode. Since the journal descriptor that points to the inode was never removed from the master list, when the unmount occurred, it did another iput on the evicted inode, which resulted in a BUG_ON(inode->i_state & I_CLEAR). This patch moves the check for this situation earlier in function signal_our_withdraw(), which avoids the extra iput, so the unmount may happen normally. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit a8b7528b69d4dc7e94d0338851ff8c929231fc4b Author: Bob Peterson Date: Thu Apr 23 14:30:57 2020 -0500 gfs2: Fix error exit in do_xmote Before this patch, if an error was detected from glock function go_sync by function do_xmote, it would return. But the function had temporarily unlocked the gl_lockref spin_lock, and it never re-locked it. When the caller of do_xmote tried to unlock it again, it was already unlocked, which resulted in a corrupted spin_lock value. This patch makes sure the gl_lockref spin_lock is re-locked after it is unlocked. Thanks to Wu Bo for reporting this problem. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 7d611233b01613c866259d6e6f44c67f7f7eb2a3 Author: Suravee Suthikulpanit Date: Wed May 6 21:35:39 2020 -0500 KVM: SVM: Disable AVIC before setting V_IRQ The commit 64b5bd270426 ("KVM: nSVM: ignore L1 interrupt window while running L2 with V_INTR_MASKING=1") introduced a WARN_ON, which checks if AVIC is enabled when trying to set V_IRQ in the VMCB for enabling irq window. The following warning is triggered because the requesting vcpu (to deactivate AVIC) does not get to process APICv update request for itself until the next #vmexit. WARNING: CPU: 0 PID: 118232 at arch/x86/kvm/svm/svm.c:1372 enable_irq_window+0x6a/0xa0 [kvm_amd] RIP: 0010:enable_irq_window+0x6a/0xa0 [kvm_amd] Call Trace: kvm_arch_vcpu_ioctl_run+0x6e3/0x1b50 [kvm] ? kvm_vm_ioctl_irq_line+0x27/0x40 [kvm] ? _copy_to_user+0x26/0x30 ? kvm_vm_ioctl+0xb3e/0xd90 [kvm] ? set_next_entity+0x78/0xc0 kvm_vcpu_ioctl+0x236/0x610 [kvm] ksys_ioctl+0x8a/0xc0 __x64_sys_ioctl+0x1a/0x20 do_syscall_64+0x58/0x210 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes by sending APICV update request to all other vcpus, and immediately update APIC for itself. Signed-off-by: Suravee Suthikulpanit Link: https://lkml.org/lkml/2020/5/2/167 Fixes: 64b5bd270426 ("KVM: nSVM: ignore L1 interrupt window while running L2 with V_INTR_MASKING=1") Message-Id: <1588818939-54264-1-git-send-email-suravee.suthikulpanit@amd.com> Signed-off-by: Paolo Bonzini commit 54163a346d4a0a1b93f2ff6dc1f488419a605fa9 Author: Suravee Suthikulpanit Date: Wed May 6 08:17:53 2020 -0500 KVM: Introduce kvm_make_all_cpus_request_except() This allows making request to all other vcpus except the one specified in the parameter. Signed-off-by: Suravee Suthikulpanit Message-Id: <1588771076-73790-2-git-send-email-suravee.suthikulpanit@amd.com> Signed-off-by: Paolo Bonzini commit 45981dedf555bd66d86ccb51e4049d9f7ec45bd5 Author: Paolo Bonzini Date: Wed May 6 05:59:39 2020 -0400 KVM: VMX: pass correct DR6 for GD userspace exit When KVM_EXIT_DEBUG is raised for the disabled-breakpoints case (DR7.GD), DR6 was incorrectly copied from the value in the VM. Instead, DR6.BD should be set in order to catch this case. On AMD this does not need any special code because the processor triggers a #DB exception that is intercepted. However, the testcase would fail without the previous patch because both DR6.BS and DR6.BD would be set. Signed-off-by: Paolo Bonzini commit d67668e9dd76d98136048935723947156737932b Author: Paolo Bonzini Date: Wed May 6 06:40:04 2020 -0400 KVM: x86, SVM: isolate vcpu->arch.dr6 from vmcb->save.dr6 There are two issues with KVM_EXIT_DEBUG on AMD, whose root cause is the different handling of DR6 on intercepted #DB exceptions on Intel and AMD. On Intel, #DB exceptions transmit the DR6 value via the exit qualification field of the VMCS, and the exit qualification only contains the description of the precise event that caused a vmexit. On AMD, instead the DR6 field of the VMCB is filled in as if the #DB exception was to be injected into the guest. This has two effects when guest debugging is in use: * the guest DR6 is clobbered * the kvm_run->debug.arch.dr6 field can accumulate more debug events, rather than just the last one that happened (the testcase in the next patch covers this issue). This patch fixes both issues by emulating, so to speak, the Intel behavior on AMD processors. The important observation is that (after the previous patches) the VMCB value of DR6 is only ever observable from the guest is KVM_DEBUGREG_WONT_EXIT is set. Therefore we can actually set vmcb->save.dr6 to any value we want as long as KVM_DEBUGREG_WONT_EXIT is clear, which it will be if guest debugging is enabled. Therefore it is possible to enter the guest with an all-zero DR6, reconstruct the #DB payload from the DR6 we get at exit time, and let kvm_deliver_exception_payload move the newly set bits into vcpu->arch.dr6. Some extra bits may be included in the payload if KVM_DEBUGREG_WONT_EXIT is set, but this is harmless. This may not be the most optimized way to deal with this, but it is simple and, being confined within SVM code, it gets rid of the set_dr6 callback and kvm_update_dr6. Signed-off-by: Paolo Bonzini commit 5679b803e44ed8947e8c2a7f44cdef1d93ea24d5 Author: Paolo Bonzini Date: Mon May 4 11:28:25 2020 -0400 KVM: SVM: keep DR6 synchronized with vcpu->arch.dr6 kvm_x86_ops.set_dr6 is only ever called with vcpu->arch.dr6 as the second argument. Ensure that the VMCB value is synchronized to vcpu->arch.dr6 on #DB (both "normal" and nested) and nested vmentry, so that the current value of DR6 is always available in vcpu->arch.dr6. The get_dr6 callback can just access vcpu->arch.dr6 and becomes redundant. Signed-off-by: Paolo Bonzini commit f92f26f2ed2c9f92c9270c705bca96310c3cdf5a Author: Luca Coelho Date: Fri Apr 24 12:20:08 2020 +0300 iwlwifi: pcie: handle QuZ configs with killer NICs as well The killer devices were left out of the checks that convert Qu-B0 to QuZ configurations. Add them. Cc: stable@vger.kernel.org # v5.3+ Fixes: 5a8c31aa6357 ("iwlwifi: pcie: fix recognition of QuZ devices") Signed-off-by: Luca Coelho Tested-by: You-Sheng Yang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20200424121518.b715acfbe211.I273a098064a22577e4fca767910fd9cf0013f5cb@changeid commit c077dc5e0620508a29497dac63a2822324ece52a Author: Adrian Hunter Date: Fri May 8 09:22:27 2020 +0300 mmc: block: Fix request completion in the CQE timeout path First, it should be noted that the CQE timeout (60 seconds) is substantial so a CQE request that times out is really stuck, and the race between timeout and completion is extremely unlikely. Nevertheless this patch fixes an issue with it. Commit ad73d6feadbd7b ("mmc: complete requests from ->timeout") preserved the existing functionality, to complete the request. However that had only been necessary because the block layer timeout handler had been marking the request to prevent it from being completed normally. That restriction was removed at the same time, the result being that a request that has gone will have been completed anyway. That is, the completion was unnecessary. At the time, the unnecessary completion was harmless because the block layer would ignore it, although that changed in kernel v5.0. Note for stable, this patch will not apply cleanly without patch "mmc: core: Fix recursive locking issue in CQE recovery path" Signed-off-by: Adrian Hunter Fixes: ad73d6feadbd7b ("mmc: complete requests from ->timeout") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200508062227.23144-1-adrian.hunter@intel.com Signed-off-by: Ulf Hansson commit 39a22f73744d5baee30b5f134ae2e30b668b66ed Author: Sarthak Garg Date: Thu May 7 21:45:33 2020 +0530 mmc: core: Fix recursive locking issue in CQE recovery path Consider the following stack trace -001|raw_spin_lock_irqsave -002|mmc_blk_cqe_complete_rq -003|__blk_mq_complete_request(inline) -003|blk_mq_complete_request(rq) -004|mmc_cqe_timed_out(inline) -004|mmc_mq_timed_out mmc_mq_timed_out acquires the queue_lock for the first time. The mmc_blk_cqe_complete_rq function also tries to acquire the same queue lock resulting in recursive locking where the task is spinning for the same lock which it has already acquired leading to watchdog bark. Fix this issue with the lock only for the required critical section. Cc: Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") Suggested-by: Sahitya Tummala Signed-off-by: Sarthak Garg Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/1588868135-31783-1-git-send-email-vbadigan@codeaurora.org Signed-off-by: Ulf Hansson commit e6bfb1bf00852b55f4c771f47ae67004c04d3c87 Author: Veerabhadrarao Badiganti Date: Wed May 6 20:04:02 2020 +0530 mmc: core: Check request type before completing the request In the request completion path with CQE, request type is being checked after the request is getting completed. This is resulting in returning the wrong request type and leading to the IO hang issue. ASYNC request type is getting returned for DCMD type requests. Because of this mismatch, mq->cqe_busy flag is never getting cleared and the driver is not invoking blk_mq_hw_run_queue. So requests are not getting dispatched to the LLD from the block layer. All these eventually leading to IO hang issues. So, get the request type before completing the request. Cc: Fixes: 1e8e55b67030 ("mmc: block: Add CQE support") Signed-off-by: Veerabhadrarao Badiganti Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/1588775643-18037-2-git-send-email-vbadigan@codeaurora.org Signed-off-by: Ulf Hansson commit a9fe6f18cde03c20facbf75dc910a372c1c1025b Merge: c61b0b97ef10 5fe89a6acd66 Author: Dave Airlie Date: Fri May 8 15:02:49 2020 +1000 Merge tag 'drm-misc-fixes-2020-05-07' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes A few minor fixes for an ordering issue in virtio, an (old) gcc warning in sun4i, a probe issue in ingenic-drm and a regression in the HDCP support. Signed-off-by: Dave Airlie From: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200507160130.id64niqgf5wsha4u@gilmour.lan commit c61b0b97ef10ab7f4022707c516b5c32df2bd738 Merge: 0e698dfa2822 e6142dd51142 Author: Dave Airlie Date: Fri May 8 13:31:38 2020 +1000 Merge tag 'amd-drm-fixes-5.7-2020-05-06' of git://people.freedesktop.org/~agd5f/linux into drm-fixes amd-drm-fixes-5.7-2020-05-06: amdgpu: - Runtime PM fixes - DC fix for PPC - Misc DC fixes Signed-off-by: Dave Airlie From: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20200506212257.3893-1-alexander.deucher@amd.com commit 79dede78c0573618e3137d3d8cbf78c84e25fabd Merge: 192ffb751583 54261af473be Author: Linus Torvalds Date: Thu May 7 19:43:13 2020 -0700 Merge branch 'for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security Pull security subsystem fix from James Morris: "Fix the default value of fs_context_parse_param hook" * 'for-v5.7' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: security: Fix the default value of fs_context_parse_param hook commit 14f69140ff9c92a0928547ceefb153a842e8492c Author: Henry Willard Date: Thu May 7 18:36:27 2020 -0700 mm: limit boost_watermark on small zones Commit 1c30844d2dfe ("mm: reclaim small amounts of memory when an external fragmentation event occurs") adds a boost_watermark() function which increases the min watermark in a zone by at least pageblock_nr_pages or the number of pages in a page block. On Arm64, with 64K pages and 512M huge pages, this is 8192 pages or 512M. It does this regardless of the number of managed pages managed in the zone or the likelihood of success. This can put the zone immediately under water in terms of allocating pages from the zone, and can cause a small machine to fail immediately due to OoM. Unlike set_recommended_min_free_kbytes(), which substantially increases min_free_kbytes and is tied to THP, boost_watermark() can be called even if THP is not active. The problem is most likely to appear on architectures such as Arm64 where pageblock_nr_pages is very large. It is desirable to run the kdump capture kernel in as small a space as possible to avoid wasting memory. In some architectures, such as Arm64, there are restrictions on where the capture kernel can run, and therefore, the space available. A capture kernel running in 768M can fail due to OoM immediately after boost_watermark() sets the min in zone DMA32, where most of the memory is, to 512M. It fails even though there is over 500M of free memory. With boost_watermark() suppressed, the capture kernel can run successfully in 448M. This patch limits boost_watermark() to boosting a zone's min watermark only when there are enough pages that the boost will produce positive results. In this case that is estimated to be four times as many pages as pageblock_nr_pages. Mel said: : There is no harm in marking it stable. Clearly it does not happen very : often but it's not impossible. 32-bit x86 is a lot less common now : which would previously have been vulnerable to triggering this easily. : ppc64 has a larger base page size but typically only has one zone. : arm64 is likely the most vulnerable, particularly when CMA is : configured with a small movable zone. Fixes: 1c30844d2dfe ("mm: reclaim small amounts of memory when an external fragmentation event occurs") Signed-off-by: Henry Willard Signed-off-by: Andrew Morton Reviewed-by: David Hildenbrand Acked-by: Mel Gorman Cc: Vlastimil Babka Cc: Link: http://lkml.kernel.org/r/1588294148-6586-1-git-send-email-henry.willard@oracle.com Signed-off-by: Linus Torvalds commit 8d58f222e85f01da0c0e1fc1e77986c86de889e2 Author: Kees Cook Date: Thu May 7 18:36:23 2020 -0700 ubsan: disable UBSAN_ALIGNMENT under COMPILE_TEST The documentation for UBSAN_ALIGNMENT already mentions that it should not be used on all*config builds (and for efficient-unaligned-access architectures), so just refactor the Kconfig to correctly implement this so randconfigs will stop creating insane images that freak out objtool under CONFIG_UBSAN_TRAP (due to the false positives producing functions that never return, etc). Link: http://lkml.kernel.org/r/202005011433.C42EA3E2D@keescook Fixes: 0887a7ebc977 ("ubsan: add trap instrumentation option") Signed-off-by: Kees Cook Reported-by: Randy Dunlap Link: https://lore.kernel.org/linux-next/202004231224.D6B3B650@keescook/ Signed-off-by: Andrew Morton Cc: Josh Poimboeuf Cc: Stephen Rothwell Cc: Peter Zijlstra Cc: Andrey Ryabinin Signed-off-by: Linus Torvalds commit 17e34526f0a8f81a214d1ee6f7d8ad2a9c9bae33 Author: Qiwu Chen Date: Thu May 7 18:36:20 2020 -0700 mm/vmscan: remove unnecessary argument description of isolate_lru_pages() Since commit a9e7c39fa9fd9 ("mm/vmscan.c: remove 7th argument of isolate_lru_pages()"), the explanation of 'mode' argument has been unnecessary. Let's remove it. Signed-off-by: Qiwu Chen Signed-off-by: Andrew Morton Reviewed-by: Andrew Morton Link: http://lkml.kernel.org/r/20200501090346.2894-1-chenqiwu@xiaomi.com Signed-off-by: Linus Torvalds commit 412895f03cbf9633298111cb4dfde13b7720e2c5 Author: Roman Penyaev Date: Thu May 7 18:36:16 2020 -0700 epoll: atomically remove wait entry on wake up This patch does two things: - fixes a lost wakeup introduced by commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") - improves performance for events delivery. The description of the problem is the following: if N (>1) threads are waiting on ep->wq for new events and M (>1) events come, it is quite likely that >1 wakeups hit the same wait queue entry, because there is quite a big window between __add_wait_queue_exclusive() and the following __remove_wait_queue() calls in ep_poll() function. This can lead to lost wakeups, because thread, which was woken up, can handle not all the events in ->rdllist. (in better words the problem is described here: https://lkml.org/lkml/2019/10/7/905) The idea of the current patch is to use init_wait() instead of init_waitqueue_entry(). Internally init_wait() sets autoremove_wake_function as a callback, which removes the wait entry atomically (under the wq locks) from the list, thus the next coming wakeup hits the next wait entry in the wait queue, thus preventing lost wakeups. Problem is very well reproduced by the epoll60 test case [1]. Wait entry removal on wakeup has also performance benefits, because there is no need to take a ep->lock and remove wait entry from the queue after the successful wakeup. Here is the timing output of the epoll60 test case: With explicit wakeup from ep_scan_ready_list() (the state of the code prior 339ddb53d373): real 0m6.970s user 0m49.786s sys 0m0.113s After this patch: real 0m5.220s user 0m36.879s sys 0m0.019s The other testcase is the stress-epoll [2], where one thread consumes all the events and other threads produce many events: With explicit wakeup from ep_scan_ready_list() (the state of the code prior 339ddb53d373): threads events/ms run-time ms 8 5427 1474 16 6163 2596 32 6824 4689 64 7060 9064 128 6991 18309 After this patch: threads events/ms run-time ms 8 5598 1429 16 7073 2262 32 7502 4265 64 7640 8376 128 7634 16767 (number of "events/ms" represents event bandwidth, thus higher is better; number of "run-time ms" represents overall time spent doing the benchmark, thus lower is better) [1] tools/testing/selftests/filesystems/epoll/epoll_wakeup_test.c [2] https://github.com/rouming/test-tools/blob/master/stress-epoll.c Signed-off-by: Roman Penyaev Signed-off-by: Andrew Morton Reviewed-by: Jason Baron Cc: Khazhismel Kumykov Cc: Alexander Viro Cc: Heiher Cc: Link: http://lkml.kernel.org/r/20200430130326.1368509-2-rpenyaev@suse.de Signed-off-by: Linus Torvalds commit 474328c06e3ee75bb6b92826fec90fdc8ef3c573 Author: Roman Penyaev Date: Thu May 7 18:36:13 2020 -0700 kselftests: introduce new epoll60 testcase for catching lost wakeups This test case catches lost wake up introduced by commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") The test is simple: we have 10 threads and 10 event fds. Each thread can harvest only 1 event. 1 producer fires all 10 events at once and waits that all 10 events will be observed by 10 threads. In case of lost wakeup epoll_wait() will timeout and 0 will be returned. Test case catches two sort of problems: forgotten wakeup on event, which hits the ->ovflist list, this problem was fixed by: 5a2513239750 ("eventpoll: fix missing wakeup for ovflist in ep_poll_callback") the other problem is when several sequential events hit the same waiting thread, thus other waiters get no wakeups. Problem is fixed in the following patch. Signed-off-by: Roman Penyaev Signed-off-by: Andrew Morton Cc: Khazhismel Kumykov Cc: Alexander Viro Cc: Heiher Cc: Jason Baron Link: http://lkml.kernel.org/r/20200430130326.1368509-1-rpenyaev@suse.de Signed-off-by: Linus Torvalds commit 28307d938fb2e4056ed4c982c06d1503d7719813 Author: Filipe Manana Date: Thu May 7 18:36:10 2020 -0700 percpu: make pcpu_alloc() aware of current gfp context Since 5.7-rc1, on btrfs we have a percpu counter initialization for which we always pass a GFP_KERNEL gfp_t argument (this happens since commit 2992df73268f78 ("btrfs: Implement DREW lock")). That is safe in some contextes but not on others where allowing fs reclaim could lead to a deadlock because we are either holding some btrfs lock needed for a transaction commit or holding a btrfs transaction handle open. Because of that we surround the call to the function that initializes the percpu counter with a NOFS context using memalloc_nofs_save() (this is done at btrfs_init_fs_root()). However it turns out that this is not enough to prevent a possible deadlock because percpu_alloc() determines if it is in an atomic context by looking exclusively at the gfp flags passed to it (GFP_KERNEL in this case) and it is not aware that a NOFS context is set. Because percpu_alloc() thinks it is in a non atomic context it locks the pcpu_alloc_mutex. This can result in a btrfs deadlock when pcpu_balance_workfn() is running, has acquired that mutex and is waiting for reclaim, while the btrfs task that called percpu_counter_init() (and therefore percpu_alloc()) is holding either the btrfs commit_root semaphore or a transaction handle (done fs/btrfs/backref.c: iterate_extent_inodes()), which prevents reclaim from finishing as an attempt to commit the current btrfs transaction will deadlock. Lockdep reports this issue with the following trace: ====================================================== WARNING: possible circular locking dependency detected 5.6.0-rc7-btrfs-next-77 #1 Not tainted ------------------------------------------------------ kswapd0/91 is trying to acquire lock: ffff8938a3b3fdc8 (&delayed_node->mutex){+.+.}, at: __btrfs_release_delayed_node.part.0+0x3f/0x320 [btrfs] but task is already holding lock: ffffffffb4f0dbc0 (fs_reclaim){+.+.}, at: __fs_reclaim_acquire+0x5/0x30 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #4 (fs_reclaim){+.+.}: fs_reclaim_acquire.part.0+0x25/0x30 __kmalloc+0x5f/0x3a0 pcpu_create_chunk+0x19/0x230 pcpu_balance_workfn+0x56a/0x680 process_one_work+0x235/0x5f0 worker_thread+0x50/0x3b0 kthread+0x120/0x140 ret_from_fork+0x3a/0x50 -> #3 (pcpu_alloc_mutex){+.+.}: __mutex_lock+0xa9/0xaf0 pcpu_alloc+0x480/0x7c0 __percpu_counter_init+0x50/0xd0 btrfs_drew_lock_init+0x22/0x70 [btrfs] btrfs_get_fs_root+0x29c/0x5c0 [btrfs] resolve_indirect_refs+0x120/0xa30 [btrfs] find_parent_nodes+0x50b/0xf30 [btrfs] btrfs_find_all_leafs+0x60/0xb0 [btrfs] iterate_extent_inodes+0x139/0x2f0 [btrfs] iterate_inodes_from_logical+0xa1/0xe0 [btrfs] btrfs_ioctl_logical_to_ino+0xb4/0x190 [btrfs] btrfs_ioctl+0x165a/0x3130 [btrfs] ksys_ioctl+0x87/0xc0 __x64_sys_ioctl+0x16/0x20 do_syscall_64+0x5c/0x260 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #2 (&fs_info->commit_root_sem){++++}: down_write+0x38/0x70 btrfs_cache_block_group+0x2ec/0x500 [btrfs] find_free_extent+0xc6a/0x1600 [btrfs] btrfs_reserve_extent+0x9b/0x180 [btrfs] btrfs_alloc_tree_block+0xc1/0x350 [btrfs] alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] __btrfs_cow_block+0x122/0x5a0 [btrfs] btrfs_cow_block+0x106/0x240 [btrfs] commit_cowonly_roots+0x55/0x310 [btrfs] btrfs_commit_transaction+0x509/0xb20 [btrfs] sync_filesystem+0x74/0x90 generic_shutdown_super+0x22/0x100 kill_anon_super+0x14/0x30 btrfs_kill_super+0x12/0x20 [btrfs] deactivate_locked_super+0x31/0x70 cleanup_mnt+0x100/0x160 task_work_run+0x93/0xc0 exit_to_usermode_loop+0xf9/0x100 do_syscall_64+0x20d/0x260 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #1 (&space_info->groups_sem){++++}: down_read+0x3c/0x140 find_free_extent+0xef6/0x1600 [btrfs] btrfs_reserve_extent+0x9b/0x180 [btrfs] btrfs_alloc_tree_block+0xc1/0x350 [btrfs] alloc_tree_block_no_bg_flush+0x4a/0x60 [btrfs] __btrfs_cow_block+0x122/0x5a0 [btrfs] btrfs_cow_block+0x106/0x240 [btrfs] btrfs_search_slot+0x50c/0xd60 [btrfs] btrfs_lookup_inode+0x3a/0xc0 [btrfs] __btrfs_update_delayed_inode+0x90/0x280 [btrfs] __btrfs_commit_inode_delayed_items+0x81f/0x870 [btrfs] __btrfs_run_delayed_items+0x8e/0x180 [btrfs] btrfs_commit_transaction+0x31b/0xb20 [btrfs] iterate_supers+0x87/0xf0 ksys_sync+0x60/0xb0 __ia32_sys_sync+0xa/0x10 do_syscall_64+0x5c/0x260 entry_SYSCALL_64_after_hwframe+0x49/0xbe -> #0 (&delayed_node->mutex){+.+.}: __lock_acquire+0xef0/0x1c80 lock_acquire+0xa2/0x1d0 __mutex_lock+0xa9/0xaf0 __btrfs_release_delayed_node.part.0+0x3f/0x320 [btrfs] btrfs_evict_inode+0x40d/0x560 [btrfs] evict+0xd9/0x1c0 dispose_list+0x48/0x70 prune_icache_sb+0x54/0x80 super_cache_scan+0x124/0x1a0 do_shrink_slab+0x176/0x440 shrink_slab+0x23a/0x2c0 shrink_node+0x188/0x6e0 balance_pgdat+0x31d/0x7f0 kswapd+0x238/0x550 kthread+0x120/0x140 ret_from_fork+0x3a/0x50 other info that might help us debug this: Chain exists of: &delayed_node->mutex --> pcpu_alloc_mutex --> fs_reclaim Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(fs_reclaim); lock(pcpu_alloc_mutex); lock(fs_reclaim); lock(&delayed_node->mutex); *** DEADLOCK *** 3 locks held by kswapd0/91: #0: (fs_reclaim){+.+.}, at: __fs_reclaim_acquire+0x5/0x30 #1: (shrinker_rwsem){++++}, at: shrink_slab+0x12f/0x2c0 #2: (&type->s_umount_key#43){++++}, at: trylock_super+0x16/0x50 stack backtrace: CPU: 1 PID: 91 Comm: kswapd0 Not tainted 5.6.0-rc7-btrfs-next-77 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-0-ga698c8995f-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0x8f/0xd0 check_noncircular+0x170/0x190 __lock_acquire+0xef0/0x1c80 lock_acquire+0xa2/0x1d0 __mutex_lock+0xa9/0xaf0 __btrfs_release_delayed_node.part.0+0x3f/0x320 [btrfs] btrfs_evict_inode+0x40d/0x560 [btrfs] evict+0xd9/0x1c0 dispose_list+0x48/0x70 prune_icache_sb+0x54/0x80 super_cache_scan+0x124/0x1a0 do_shrink_slab+0x176/0x440 shrink_slab+0x23a/0x2c0 shrink_node+0x188/0x6e0 balance_pgdat+0x31d/0x7f0 kswapd+0x238/0x550 kthread+0x120/0x140 ret_from_fork+0x3a/0x50 This could be fixed by making btrfs pass GFP_NOFS instead of GFP_KERNEL to percpu_counter_init() in contextes where it is not reclaim safe, however that type of approach is discouraged since memalloc_[nofs|noio]_save() were introduced. Therefore this change makes pcpu_alloc() look up into an existing nofs/noio context before deciding whether it is in an atomic context or not. Signed-off-by: Filipe Manana Signed-off-by: Andrew Morton Reviewed-by: Andrew Morton Acked-by: Tejun Heo Acked-by: Dennis Zhou Cc: Tejun Heo Cc: Christoph Lameter Link: http://lkml.kernel.org/r/20200430164356.15543-1-fdmanana@kernel.org Signed-off-by: Linus Torvalds commit cbfc35a48609ceac978791e3ab9dde0c01f8cb20 Author: Waiman Long Date: Thu May 7 18:36:06 2020 -0700 mm/slub: fix incorrect interpretation of s->offset In a couple of places in the slub memory allocator, the code uses "s->offset" as a check to see if the free pointer is put right after the object. That check is no longer true with commit 3202fa62fb43 ("slub: relocate freelist pointer to middle of object"). As a result, echoing "1" into the validate sysfs file, e.g. of dentry, may cause a bunch of "Freepointer corrupt" error reports like the following to appear with the system in panic afterwards. ============================================================================= BUG dentry(666:pmcd.service) (Tainted: G B): Freepointer corrupt ----------------------------------------------------------------------------- To fix it, use the check "s->offset == s->inuse" in the new helper function freeptr_outside_object() instead. Also add another helper function get_info_end() to return the end of info block (inuse + free pointer if not overlapping with object). Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object") Signed-off-by: Waiman Long Signed-off-by: Andrew Morton Reviewed-by: Matthew Wilcox (Oracle) Reviewed-by: Kees Cook Acked-by: Rafael Aquini Cc: Christoph Lameter Cc: Vitaly Nikolenko Cc: Silvio Cesare Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Cc: Markus Elfring Cc: Changbin Du Link: http://lkml.kernel.org/r/20200429135328.26976-1-longman@redhat.com Signed-off-by: Linus Torvalds commit 50e36be1fb9572b2e4f2753340bdce3116bf2ce7 Author: Aymeric Agon-Rambosson Date: Thu May 7 18:36:03 2020 -0700 scripts/gdb: repair rb_first() and rb_last() The current implementations of the rb_first() and rb_last() gdb functions have a variable that references itself in its instanciation, which causes the function to throw an error if a specific condition on the argument is met. The original author rather intended to reference the argument and made a typo. Referring the argument instead makes the function work as intended. Signed-off-by: Aymeric Agon-Rambosson Signed-off-by: Andrew Morton Reviewed-by: Stephen Boyd Cc: Jan Kiszka Cc: Kieran Bingham Cc: Douglas Anderson Cc: Nikolay Borisov Cc: Jackie Liu Cc: Jason Wessel Link: http://lkml.kernel.org/r/20200427051029.354840-1-aymeric.agon@yandex.com Signed-off-by: Linus Torvalds commit 0c54a6a44bf3d41e76ce3f583a6ece267618df2e Author: Khazhismel Kumykov Date: Thu May 7 18:35:59 2020 -0700 eventpoll: fix missing wakeup for ovflist in ep_poll_callback In the event that we add to ovflist, before commit 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") we would be woken up by ep_scan_ready_list, and did no wakeup in ep_poll_callback. With that wakeup removed, if we add to ovflist here, we may never wake up. Rather than adding back the ep_scan_ready_list wakeup - which was resulting in unnecessary wakeups, trigger a wake-up in ep_poll_callback. We noticed that one of our workloads was missing wakeups starting with 339ddb53d373 and upon manual inspection, this wakeup seemed missing to me. With this patch added, we no longer see missing wakeups. I haven't yet tried to make a small reproducer, but the existing kselftests in filesystem/epoll passed for me with this patch. [khazhy@google.com: use if/elif instead of goto + cleanup suggested by Roman] Link: http://lkml.kernel.org/r/20200424190039.192373-1-khazhy@google.com Fixes: 339ddb53d373 ("fs/epoll: remove unnecessary wakeups of nested epoll") Signed-off-by: Khazhismel Kumykov Signed-off-by: Andrew Morton Reviewed-by: Roman Penyaev Cc: Alexander Viro Cc: Roman Penyaev Cc: Heiher Cc: Jason Baron Cc: Link: http://lkml.kernel.org/r/20200424025057.118641-1-khazhy@google.com Signed-off-by: Linus Torvalds commit 996ed22c7a5251d76dcdfe5026ef8230e90066d9 Author: Janakarajan Natarajan Date: Thu May 7 18:35:56 2020 -0700 arch/x86/kvm/svm/sev.c: change flag passed to GUP fast in sev_pin_memory() When trying to lock read-only pages, sev_pin_memory() fails because FOLL_WRITE is used as the flag for get_user_pages_fast(). Commit 73b0140bf0fe ("mm/gup: change GUP fast to use flags rather than a write 'bool'") updated the get_user_pages_fast() call sites to use flags, but incorrectly updated the call in sev_pin_memory(). As the original coding of this call was correct, revert the change made by that commit. Fixes: 73b0140bf0fe ("mm/gup: change GUP fast to use flags rather than a write 'bool'") Signed-off-by: Janakarajan Natarajan Signed-off-by: Andrew Morton Reviewed-by: Ira Weiny Cc: Paolo Bonzini Cc: Sean Christopherson Cc: Vitaly Kuznetsov Cc: Wanpeng Li Cc: Jim Mattson Cc: Joerg Roedel Cc: Thomas Gleixner Cc: Ingo Molnar Cc: Borislav Petkov Cc: "H . Peter Anvin" Cc: Mike Marshall Cc: Brijesh Singh Link: http://lkml.kernel.org/r/20200423152419.87202-1-Janakarajan.Natarajan@amd.com Signed-off-by: Linus Torvalds commit e08df079b23e2e982df15aa340bfbaf50f297504 Author: Ivan Delalande Date: Thu May 7 18:35:53 2020 -0700 scripts/decodecode: fix trapping instruction formatting If the trapping instruction contains a ':', for a memory access through segment registers for example, the sed substitution will insert the '*' marker in the middle of the instruction instead of the line address: 2b: 65 48 0f c7 0f cmpxchg16b %gs:*(%rdi) <-- trapping instruction I started to think I had forgotten some quirk of the assembly syntax before noticing that it was actually coming from the script. Fix it to add the address marker at the right place for these instructions: 28: 49 8b 06 mov (%r14),%rax 2b:* 65 48 0f c7 0f cmpxchg16b %gs:(%rdi) <-- trapping instruction 30: 0f 94 c0 sete %al Fixes: 18ff44b189e2 ("scripts/decodecode: make faulting insn ptr more robust") Signed-off-by: Ivan Delalande Signed-off-by: Andrew Morton Reviewed-by: Borislav Petkov Link: http://lkml.kernel.org/r/20200419223653.GA31248@visor Signed-off-by: Linus Torvalds commit 324cfb19567c80ed71d7a02f1d5ff4621902f4c3 Author: Maciej Grochowski Date: Thu May 7 18:35:49 2020 -0700 kernel/kcov.c: fix typos in kcov_remote_start documentation Signed-off-by: Maciej Grochowski Signed-off-by: Andrew Morton Reviewed-by: Andrey Konovalov Link: http://lkml.kernel.org/r/20200420030259.31674-1-maciek.grochowski@gmail.com Signed-off-by: Linus Torvalds commit e84fe99b68ce353c37ceeecc95dce9696c976556 Author: David Hildenbrand Date: Thu May 7 18:35:46 2020 -0700 mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() Without CONFIG_PREEMPT, it can happen that we get soft lockups detected, e.g., while booting up. watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:1] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.6.0-next-20200331+ #4 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014 RIP: __pageblock_pfn_to_page+0x134/0x1c0 Call Trace: set_zone_contiguous+0x56/0x70 page_alloc_init_late+0x166/0x176 kernel_init_freeable+0xfa/0x255 kernel_init+0xa/0x106 ret_from_fork+0x35/0x40 The issue becomes visible when having a lot of memory (e.g., 4TB) assigned to a single NUMA node - a system that can easily be created using QEMU. Inside VMs on a hypervisor with quite some memory overcommit, this is fairly easy to trigger. Signed-off-by: David Hildenbrand Signed-off-by: Andrew Morton Reviewed-by: Pavel Tatashin Reviewed-by: Pankaj Gupta Reviewed-by: Baoquan He Reviewed-by: Shile Zhang Acked-by: Michal Hocko Cc: Kirill Tkhai Cc: Shile Zhang Cc: Pavel Tatashin Cc: Daniel Jordan Cc: Michal Hocko Cc: Alexander Duyck Cc: Baoquan He Cc: Oscar Salvador Cc: Link: http://lkml.kernel.org/r/20200416073417.5003-1-david@redhat.com Signed-off-by: Linus Torvalds commit 11d6761218d19ca06ae5387f4e3692c4fa9e7493 Author: Yafang Shao Date: Thu May 7 18:35:43 2020 -0700 mm, memcg: fix error return value of mem_cgroup_css_alloc() When I run my memcg testcase which creates lots of memcgs, I found there're unexpected out of memory logs while there're still enough available free memory. The error log is mkdir: cannot create directory 'foo.65533': Cannot allocate memory The reason is when we try to create more than MEM_CGROUP_ID_MAX memcgs, an -ENOMEM errno will be set by mem_cgroup_css_alloc(), but the right errno should be -ENOSPC "No space left on device", which is an appropriate errno for userspace's failed mkdir. As the errno really misled me, we should make it right. After this patch, the error log will be mkdir: cannot create directory 'foo.65533': No space left on device [akpm@linux-foundation.org: s/EBUSY/ENOSPC/, per Michal] [akpm@linux-foundation.org: s/EBUSY/ENOSPC/, per Michal] Fixes: 73f576c04b94 ("mm: memcontrol: fix cgroup creation failure after many small jobs") Suggested-by: Matthew Wilcox Signed-off-by: Yafang Shao Signed-off-by: Andrew Morton Acked-by: Michal Hocko Acked-by: Johannes Weiner Cc: Vladimir Davydov Link: http://lkml.kernel.org/r/20200407063621.GA18914@dhcp22.suse.cz Link: http://lkml.kernel.org/r/1586192163-20099-1-git-send-email-laoar.shao@gmail.com Signed-off-by: Linus Torvalds commit b5f2006144c6ae941726037120fa1001ddede784 Author: Oleg Nesterov Date: Thu May 7 18:35:39 2020 -0700 ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Commit cc731525f26a ("signal: Remove kernel interal si_code magic") changed the value of SI_FROMUSER(SI_MESGQ), this means that mq_notify() no longer works if the sender doesn't have rights to send a signal. Change __do_notify() to use do_send_sig_info() instead of kill_pid_info() to avoid check_kill_permission(). This needs the additional notify.sigev_signo != 0 check, shouldn't we change do_mq_notify() to deny sigev_signo == 0 ? Test-case: #include #include #include #include #include static int notified; static void sigh(int sig) { notified = 1; } int main(void) { signal(SIGIO, sigh); int fd = mq_open("/mq", O_RDWR|O_CREAT, 0666, NULL); assert(fd >= 0); struct sigevent se = { .sigev_notify = SIGEV_SIGNAL, .sigev_signo = SIGIO, }; assert(mq_notify(fd, &se) == 0); if (!fork()) { assert(setuid(1) == 0); mq_send(fd, "",1,0); return 0; } wait(NULL); mq_unlink("/mq"); assert(notified); return 0; } [manfred@colorfullife.com: 1) Add self_exec_id evaluation so that the implementation matches do_notify_parent 2) use PIDTYPE_TGID everywhere] Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic") Reported-by: Yoji Signed-off-by: Oleg Nesterov Signed-off-by: Manfred Spraul Signed-off-by: Andrew Morton Acked-by: "Eric W. Biederman" Cc: Davidlohr Bueso Cc: Markus Elfring Cc: <1vier1@web.de> Cc: Link: http://lkml.kernel.org/r/e2a782e4-eab9-4f5c-c749-c07a8f7a4e66@colorfullife.com Signed-off-by: Linus Torvalds commit 770f60586d2af0590be263f55fd079226313922c Author: Madhuparna Bhowmik Date: Thu Apr 30 21:32:05 2020 +0530 evm: Fix RCU list related warnings This patch fixes the following warning and few other instances of traversal of evm_config_xattrnames list: [ 32.848432] ============================= [ 32.848707] WARNING: suspicious RCU usage [ 32.848966] 5.7.0-rc1-00006-ga8d5875ce5f0b #1 Not tainted [ 32.849308] ----------------------------- [ 32.849567] security/integrity/evm/evm_main.c:231 RCU-list traversed in non-reader section!! Since entries are only added to the list and never deleted, use list_for_each_entry_lockless() instead of list_for_each_entry_rcu for traversing the list. Also, add a relevant comment in evm_secfs.c to indicate this fact. Reported-by: kernel test robot Suggested-by: Paul E. McKenney Signed-off-by: Madhuparna Bhowmik Acked-by: Paul E. McKenney (RCU viewpoint) Signed-off-by: Mimi Zohar commit 2e3a34e9f409ebe83d1af7cd2f49fca7af97dfac Author: Roberto Sassu Date: Mon Apr 27 12:31:28 2020 +0200 ima: Fix return value of ima_write_policy() This patch fixes the return value of ima_write_policy() when a new policy is directly passed to IMA and the current policy requires appraisal of the file containing the policy. Currently, if appraisal is not in ENFORCE mode, ima_write_policy() returns 0 and leads user space applications to an endless loop. Fix this issue by denying the operation regardless of the appraisal mode. Cc: stable@vger.kernel.org # 4.10.x Fixes: 19f8a84713edc ("ima: measure and appraise the IMA policy itself") Signed-off-by: Roberto Sassu Reviewed-by: Krzysztof Struczynski Signed-off-by: Mimi Zohar commit 53de3b080d5eae31d0de219617155dcc34e7d698 Author: Roberto Sassu Date: Mon Apr 27 12:28:56 2020 +0200 evm: Check also if *tfm is an error pointer in init_desc() This patch avoids a kernel panic due to accessing an error pointer set by crypto_alloc_shash(). It occurs especially when there are many files that require an unsupported algorithm, as it would increase the likelihood of the following race condition: Task A: *tfm = crypto_alloc_shash() <= error pointer Task B: if (*tfm == NULL) <= *tfm is not NULL, use it Task B: rc = crypto_shash_init(desc) <= panic Task A: *tfm = NULL This patch uses the IS_ERR_OR_NULL macro to determine whether or not a new crypto context must be created. Cc: stable@vger.kernel.org Fixes: d46eb3699502b ("evm: crypto hash replaced by shash") Co-developed-by: Krzysztof Struczynski Signed-off-by: Krzysztof Struczynski Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar commit 0014cc04e8ec077dc482f00c87dfd949cfe2b98f Author: Roberto Sassu Date: Mon Apr 27 12:28:55 2020 +0200 ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() Commit a408e4a86b36 ("ima: open a new file instance if no read permissions") tries to create a new file descriptor to calculate a file digest if the file has not been opened with O_RDONLY flag. However, if a new file descriptor cannot be obtained, it sets the FMODE_READ flag to file->f_flags instead of file->f_mode. This patch fixes this issue by replacing f_flags with f_mode as it was before that commit. Cc: stable@vger.kernel.org # 4.20.x Fixes: a408e4a86b36 ("ima: open a new file instance if no read permissions") Signed-off-by: Roberto Sassu Reviewed-by: Goldwyn Rodrigues Signed-off-by: Mimi Zohar commit dd912306ff008891c82cd9f63e8181e47a9cb2fb Author: Cong Wang Date: Thu May 7 12:19:03 2020 -0700 net: fix a potential recursive NETDEV_FEAT_CHANGE syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event between bonding master and slave. I managed to find a reproducer for this: ip li set bond0 up ifenslave bond0 eth0 brctl addbr br0 ethtool -K eth0 lro off brctl addif br0 bond0 ip li set br0 up When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave, it captures this and calls bond_compute_features() to fixup its master's and other slaves' features. However, when syncing with its lower devices by netdev_sync_lower_features() this event is triggered again on slaves when the LRO feature fails to change, so it goes back and forth recursively until the kernel stack is exhausted. Commit 17b85d29e82c intentionally lets __netdev_update_features() return -1 for such a failure case, so we have to just rely on the existing check inside netdev_sync_lower_features() and skip NETDEV_FEAT_CHANGE event only for this specific failure case. Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack") Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com Cc: Jarod Wilson Cc: Nikolay Aleksandrov Cc: Josh Poimboeuf Cc: Jann Horn Reviewed-by: Jay Vosburgh Signed-off-by: Cong Wang Acked-by: Nikolay Aleksandrov Signed-off-by: David S. Miller commit 7d14b0d2b9b317cfc14161143e2006b95a5da9b1 Author: Paolo Abeni Date: Thu May 7 18:53:24 2020 +0200 mptcp: set correct vfs info for subflows When a subflow is created via mptcp_subflow_create_socket(), a new 'struct socket' is allocated, with a new i_ino value. When inspecting TCP sockets via the procfs and or the diag interface, the above ones are not related to the process owning the MPTCP master socket, even if they are a logical part of it ('ss -p' shows an empty process field) Additionally, subflows created by the path manager get the uid/gid from the running workqueue. Subflows are part of the owning MPTCP master socket, let's adjust the vfs info to reflect this. After this patch, 'ss' correctly displays subflows as belonging to the msk socket creator. Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket") Signed-off-by: Paolo Abeni Signed-off-by: David S. Miller commit ff8ce319e9c25e920d994cc35236f0bb32dfc8f3 Author: Chuhong Yuan Date: Thu May 7 23:13:20 2020 +0800 net: microchip: encx24j600: add missed kthread_stop This driver calls kthread_run() in probe, but forgets to call kthread_stop() in probe failure and remove. Add the missed kthread_stop() to fix it. Signed-off-by: Chuhong Yuan Signed-off-by: David S. Miller commit 09454fd0a4ce23cb3d8af65066c91a1bf27120dd Author: Maciej Żenczykowski Date: Tue May 5 11:57:23 2020 -0700 Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" This reverts commit 19bda36c4299ce3d7e5bce10bebe01764a655a6d: | ipv6: add mtu lock check in __ip6_rt_update_pmtu | | Prior to this patch, ipv6 didn't do mtu lock check in ip6_update_pmtu. | It leaded to that mtu lock doesn't really work when receiving the pkt | of ICMPV6_PKT_TOOBIG. | | This patch is to add mtu lock check in __ip6_rt_update_pmtu just as ipv4 | did in __ip_rt_update_pmtu. The above reasoning is incorrect. IPv6 *requires* icmp based pmtu to work. There's already a comment to this effect elsewhere in the kernel: $ git grep -p -B1 -A3 'RTAX_MTU lock' net/ipv6/route.c=4813= static int rt6_mtu_change_route(struct fib6_info *f6i, void *p_arg) ... /* In IPv6 pmtu discovery is not optional, so that RTAX_MTU lock cannot disable it. We still use this lock to block changes caused by addrconf/ndisc. */ This reverts to the pre-4.9 behaviour. Cc: Eric Dumazet Cc: Willem de Bruijn Cc: Xin Long Cc: Hannes Frederic Sowa Signed-off-by: Maciej Żenczykowski Fixes: 19bda36c4299 ("ipv6: add mtu lock check in __ip6_rt_update_pmtu") Signed-off-by: David S. Miller commit ee2875566868687a95b8ec23913c0d6bce220efd Author: Arnd Bergmann Date: Tue May 5 19:22:14 2020 +0200 net: bareudp: avoid uninitialized variable warning clang points out that building without IPv6 would lead to returning an uninitialized variable if a packet with family!=AF_INET is passed into bareudp_udp_encap_recv(): drivers/net/bareudp.c:139:6: error: variable 'err' is used uninitialized whenever 'if' condition is false [-Werror,-Wsometimes-uninitialized] if (family == AF_INET) ^~~~~~~~~~~~~~~~~ drivers/net/bareudp.c:146:15: note: uninitialized use occurs here if (unlikely(err)) { ^~~ include/linux/compiler.h:78:42: note: expanded from macro 'unlikely' # define unlikely(x) __builtin_expect(!!(x), 0) ^ drivers/net/bareudp.c:139:2: note: remove the 'if' if its condition is always true if (family == AF_INET) ^~~~~~~~~~~~~~~~~~~~~~ This cannot happen in practice, so change the condition in a way that gcc sees the IPv4 case as unconditionally true here. For consistency, change all the similar constructs in this file the same way, using "if(IS_ENABLED())" instead of #if IS_ENABLED()". Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Signed-off-by: David S. Miller commit 192ffb7515839b1cc8457e0a8c1e09783de019d3 Merge: 9ecc4d775f61 8842604446d1 Author: Linus Torvalds Date: Thu May 7 15:27:11 2020 -0700 Merge tag 'trace-v5.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace Pull tracing fixes from Steven Rostedt: - Fix bootconfig causing kernels to fail with CONFIG_BLK_DEV_RAM enabled - Fix allocation leaks in bootconfig tool - Fix a double initialization of a variable - Fix API bootconfig usage from kprobe boot time events - Reject NULL location for kprobes - Fix crash caused by preempt delay module not cleaning up kthread correctly - Add vmalloc_sync_mappings() to prevent x86_64 page faults from recursively faulting from tracing page faults - Fix comment in gpu/trace kerneldoc header - Fix documentation of how to create a trace event class - Make the local tracing_snapshot_instance_cond() function static * tag 'trace-v5.7-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace: tools/bootconfig: Fix resource leak in apply_xbc() tracing: Make tracing_snapshot_instance_cond() static tracing: Fix doc mistakes in trace sample gpu/trace: Minor comment updates for gpu_mem_total tracepoint tracing: Add a vmalloc_sync_mappings() for safe measure tracing: Wait for preempt irq delay thread to finish tracing/kprobes: Reject new event if loc is NULL tracing/boottime: Fix kprobe event API usage tracing/kprobes: Fix a double initialization typo bootconfig: Fix to remove bootconfig data from initrd while boot commit 9ecc4d775f61fb3fd26a1b8cc70a56a98b3b40d3 Merge: 6e7f2eacf098 66d69e081b52 Author: Linus Torvalds Date: Thu May 7 15:22:08 2020 -0700 Merge tag 'linux-kselftest-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest Pull kselftest fixes from Shuah Khan: "ftrace test fixes and a fix to kvm Makefile for relocatable native/cross builds and installs" * tag 'linux-kselftest-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest: selftests: fix kvm relocatable native/cross builds and installs selftests/ftrace: Make XFAIL green color ftrace/selftest: make unresolved cases cause failure if --fail-unresolved set ftrace/selftests: workaround cgroup RT scheduling issues commit 63ff822358b276137059520cf16e587e8073e80f Author: Jens Axboe Date: Thu May 7 14:56:15 2020 -0600 io_uring: don't use 'fd' for openat/openat2/statx We currently make some guesses as when to open this fd, but in reality we have no business (or need) to do so at all. In fact, it makes certain things fail, like O_PATH. Remove the fd lookup from these opcodes, we're just passing the 'fd' to generic helpers anyway. With that, we can also remove the special casing of fd values in io_req_needs_file(), and the 'fd_non_neg' check that we have. And we can ensure that we only read sqe->fd once. This fixes O_PATH usage with openat/openat2, and ditto statx path side oddities. Cc: stable@vger.kernel.org: # v5.6 Reported-by: Max Kellermann Signed-off-by: Jens Axboe commit c1f6e3c818dd734c30f6a7eeebf232ba2cf3181d Author: Takashi Iwai Date: Thu May 7 13:44:56 2020 +0200 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses The rawmidi core allows user to resize the runtime buffer via ioctl, and this may lead to UAF when performed during concurrent reads or writes: the read/write functions unlock the runtime lock temporarily during copying form/to user-space, and that's the race window. This patch fixes the hole by introducing a reference counter for the runtime buffer read/write access and returns -EBUSY error when the resize is performed concurrently against read/write. Note that the ref count field is a simple integer instead of refcount_t here, since the all contexts accessing the buffer is basically protected with a spinlock, hence we need no expensive atomic ops. Also, note that this busy check is needed only against read / write functions, and not in receive/transmit callbacks; the race can happen only at the spinlock hole mentioned in the above, while the whole function is protected for receive / transmit callbacks. Reported-by: butt3rflyh4ck Cc: Link: https://lore.kernel.org/r/CAFcO6XMWpUVK_yzzCpp8_XP7+=oUpQvuBeCbMffEDkpe8jWrfg@mail.gmail.com Link: https://lore.kernel.org/r/s5heerw3r5z.wl-tiwai@suse.de Signed-off-by: Takashi Iwai commit 8aef199481df0d2b6d110b8be321d5358511fe01 Author: Geert Uytterhoeven Date: Thu May 7 13:45:11 2020 +0200 net: hisilicon: Make CONFIG_HNS invisible The HNS config symbol enables the framework support for the Hisilicon Network Subsystem. It is already selected by all of its users, so there is no reason to make it visible. Signed-off-by: Geert Uytterhoeven Signed-off-by: David S. Miller commit 1a10186e598a5be5bc1cd5e55d9e9598a7c079ac Author: Oliver Neukum Date: Thu May 7 11:49:49 2020 +0200 usb: hso: correct debug message If you do not find the OUT endpoint, you should say so, rather than copy the error message for the IN endpoint. Presumably a copy and paste error. Signed-off-by: Oliver Neukum Signed-off-by: David S. Miller commit 513149cba8f2b2cadf1e0ecc13d008cb78a455c8 Merge: 1f13aa4d5194 71f8af111010 Author: Russell King Date: Thu May 7 20:53:53 2020 +0100 Merge branch 'uaccess' into fixes commit 1f13aa4d5194cbbc7934012069c05a60fc697df9 Author: Geert Uytterhoeven Date: Tue May 5 13:54:36 2020 +0100 ARM: 8973/1: Add missing newline terminator to kernel message Before commit 874f9c7da9a4acbc ("printk: create pr_ functions"), pr_*() calls without a trailing newline characters would be printed with a newline character appended, both on the console and in the output of the dmesg command. After that commit, no new line character is appended, and the output of the next pr_*() call of the same type may be appended: -No ATAGs? -hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers. +No ATAGs?hw-breakpoint: found 5 (+1 reserved) breakpoint and 4 watchpoint registers. While this commit has been reverted in commit a0cba2179ea4c182 ("Revert "printk: create pr_ functions""), it's still good practice to terminate kernel messages with newlines. Signed-off-by: Geert Uytterhoeven Signed-off-by: Russell King commit 8842604446d1f005abcbf8c63c12eabdb5695094 Author: Yunfeng Ye Date: Thu May 7 17:23:36 2020 +0800 tools/bootconfig: Fix resource leak in apply_xbc() Fix the @data and @fd allocations that are leaked in the error path of apply_xbc(). Link: http://lkml.kernel.org/r/583a49c9-c27a-931d-e6c2-6f63a4b18bea@huawei.com Acked-by: Masami Hiramatsu Signed-off-by: Yunfeng Ye Signed-off-by: Steven Rostedt (VMware) commit 820f8a870f6575acda1bf7f1a03c701c43ed5d79 Author: Grygorii Strashko Date: Wed May 6 22:11:24 2020 +0300 ARM: dts: am57xx: fix networking on boards with ksz9031 phy Since commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") the networking is broken on boards: am571x-idk am572x-idk am574x-idk am57xx-beagle-x15 All above boards have phy-mode = "rgmii" and this is worked before because KSZ9031 PHY started with default RGMII internal delays configuration (TX off, RX on 1.2 ns) and MAC provided TX delay. After above commit, the KSZ9031 PHY starts handling phy mode properly and disables RX delay, as result networking is become broken. Fix it by switching to phy-mode = "rgmii-rxid" to reflect previous behavior. Cc: Oleksij Rempel Cc: Andrew Lunn Cc: Philippe Schenker Fixes: bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") Reviewed-by: Philippe Schenker Signed-off-by: Grygorii Strashko Signed-off-by: Tony Lindgren commit 192b7993b3ff92b62b687e940e5e88fa0218d764 Author: Zou Wei Date: Thu Apr 23 12:08:25 2020 +0800 tracing: Make tracing_snapshot_instance_cond() static Fix the following sparse warning: kernel/trace/trace.c:950:6: warning: symbol 'tracing_snapshot_instance_cond' was not declared. Should it be static? Link: http://lkml.kernel.org/r/1587614905-48692-1-git-send-email-zou_wei@huawei.com Reported-by: Hulk Robot Signed-off-by: Zou Wei Signed-off-by: Steven Rostedt (VMware) commit f094a233e1d5b1c61cc797d204aa28b611058827 Author: Wei Yang Date: Tue Apr 28 21:49:59 2020 +0000 tracing: Fix doc mistakes in trace sample As the example below shows, DECLARE_EVENT_CLASS() is used instead of DEFINE_EVENT_CLASS(). Link: http://lkml.kernel.org/r/20200428214959.11259-1-richard.weiyang@gmail.com Signed-off-by: Wei Yang Signed-off-by: Steven Rostedt (VMware) commit 386c82a70319d42dba4f1b30e5e7076f2b4d8c2f Author: Yiwei Zhang Date: Tue Apr 28 15:08:25 2020 -0700 gpu/trace: Minor comment updates for gpu_mem_total tracepoint This change updates the improper comment for the 'size' attribute in the tracepoint definition. Most gfx drivers pre-fault in physical pages instead of making virtual allocations. So we drop the 'Virtual' keyword here and leave this to the implementations. Link: http://lkml.kernel.org/r/20200428220825.169606-1-zzyiwei@google.com Signed-off-by: Yiwei Zhang Signed-off-by: Steven Rostedt (VMware) commit 11f5efc3ab66284f7aaacc926e9351d658e2577b Author: Steven Rostedt (VMware) Date: Wed May 6 10:36:18 2020 -0400 tracing: Add a vmalloc_sync_mappings() for safe measure x86_64 lazily maps in the vmalloc pages, and the way this works with per_cpu areas can be complex, to say the least. Mappings may happen at boot up, and if nothing synchronizes the page tables, those page mappings may not be synced till they are used. This causes issues for anything that might touch one of those mappings in the path of the page fault handler. When one of those unmapped mappings is touched in the page fault handler, it will cause another page fault, which in turn will cause a page fault, and leave us in a loop of page faults. Commit 763802b53a42 ("x86/mm: split vmalloc_sync_all()") split vmalloc_sync_all() into vmalloc_sync_unmappings() and vmalloc_sync_mappings(), as on system exit, it did not need to do a full sync on x86_64 (although it still needed to be done on x86_32). By chance, the vmalloc_sync_all() would synchronize the page mappings done at boot up and prevent the per cpu area from being a problem for tracing in the page fault handler. But when that synchronization in the exit of a task became a nop, it caused the problem to appear. Link: https://lore.kernel.org/r/20200429054857.66e8e333@oasis.local.home Cc: stable@vger.kernel.org Fixes: 737223fbca3b1 ("tracing: Consolidate buffer allocation code") Reported-by: "Tzvetomir Stoyanov (VMware)" Suggested-by: Joerg Roedel Signed-off-by: Steven Rostedt (VMware) commit d16a8c31077e75ecb9427fbfea59b74eed00f698 Author: Steven Rostedt (VMware) Date: Wed May 6 10:20:10 2020 -0400 tracing: Wait for preempt irq delay thread to finish Running on a slower machine, it is possible that the preempt delay kernel thread may still be executing if the module was immediately removed after added, and this can cause the kernel to crash as the kernel thread might be executing after its code has been removed. There's no reason that the caller of the code shouldn't just wait for the delay thread to finish, as the thread can also be created by a trigger in the sysfs code, which also has the same issues. Link: http://lore.kernel.org/r/5EA2B0C8.2080706@cn.fujitsu.com Cc: stable@vger.kernel.org Fixes: 793937236d1ee ("lib: Add module for testing preemptoff/irqsoff latency tracers") Reported-by: Xiao Yang Reviewed-by: Xiao Yang Reviewed-by: Joel Fernandes Signed-off-by: Steven Rostedt (VMware) commit 6e7f2eacf09811d092c1b41263108ac7fe0d089d Merge: 8c16ec94dc76 027d0c7101f5 Author: Linus Torvalds Date: Thu May 7 09:55:58 2020 -0700 Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux Pull arm64 fix from Catalin Marinas: "Avoid potential NULL dereference in huge_pte_alloc() on pmd_alloc() failure" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: hugetlb: avoid potential NULL dereference commit 8c16ec94dc767a4d8c48149d646e8c835512cf8f Merge: de268ccb42d6 2673cb684972 Author: Linus Torvalds Date: Thu May 7 09:50:59 2020 -0700 Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm Pull kvm fixes from Paolo Bonzini: "Bugfixes, mostly for ARM and AMD, and more documentation. Slightly bigger than usual because I couldn't send out what was pending for rc4, but there is nothing worrisome going on. I have more fixes pending for guest debugging support (gdbstub) but I will send them next week" * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits) KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly KVM: selftests: Fix build for evmcs.h kvm: x86: Use KVM CPU capabilities to determine CR4 reserved bits KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path docs/virt/kvm: Document configuring and running nested guests KVM: s390: Remove false WARN_ON_ONCE for the PQAP instruction kvm: ioapic: Restrict lazy EOI update to edge-triggered interrupts KVM: x86: Fixes posted interrupt check for IRQs delivery modes KVM: SVM: fill in kvm_run->debug.arch.dr[67] KVM: nVMX: Replace a BUG_ON(1) with BUG() to squash clang warning KVM: arm64: Fix 32bit PC wrap-around KVM: arm64: vgic-v4: Initialize GICv4.1 even in the absence of a virtual ITS KVM: arm64: Save/restore sp_el0 as part of __guest_enter KVM: arm64: Delete duplicated label in invalid_vector KVM: arm64: vgic-its: Fix memory leak on the error path of vgic_add_lpi() KVM: arm64: vgic-v3: Retire all pending LPIs on vcpu destroy KVM: arm: vgic-v2: Only use the virtual state when userspace accesses pending bits KVM: arm: vgic: Only use the virtual state when userspace accesses enable bits KVM: arm: vgic: Synchronize the whole guest on GIC{D,R}_I{S,C}ACTIVER read KVM: arm64: PSCI: Forbid 64bit functions for 32bit guests ... commit de268ccb42d6ec5475ec5a5e60723b665d6e0af2 Merge: a811c1fa0a02 8aebfffacfa3 Author: Linus Torvalds Date: Thu May 7 09:48:37 2020 -0700 Merge tag 'configfs-for-5.7' of git://git.infradead.org/users/hch/configfs Pull configfs fix from Christoph Hellwig: "Fix a refcount leak in configfs_rmdir (Xiyu Yang)" * tag 'configfs-for-5.7' of git://git.infradead.org/users/hch/configfs: configfs: fix config_item refcnt leak in configfs_rmdir() commit 90da2e3f25c8b4d742b2687b8fed8fc4eb8851da Author: Pavel Begunkov Date: Mon May 4 22:39:35 2020 +0300 splice: move f_mode checks to do_{splice,tee}() do_splice() is used by io_uring, as will be do_tee(). Move f_mode checks from sys_{splice,tee}() to do_{splice,tee}(), so they're enforced for io_uring as well. Fixes: 7d67af2c0134 ("io_uring: add splice(2) support") Reported-by: Jann Horn Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe commit 1119d265bc20226c241e5540fc8a246d9e30b272 Author: Josh Poimboeuf Date: Tue Apr 28 16:45:16 2020 -0500 objtool: Fix infinite loop in find_jump_table() Kristen found a hang in objtool when building with -ffunction-sections. It was caused by evergreen_pcie_gen2_enable.cold() being laid out immediately before evergreen_pcie_gen2_enable(). Since their "pfunc" is always the same, find_jump_table() got into an infinite loop because it didn't recognize the boundary between the two functions. Fix that with a new prev_insn_same_sym() helper, which doesn't cross subfunction boundaries. Reported-by: Kristen Carlson Accardi Signed-off-by: Josh Poimboeuf Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/378b51c9d9c894dc3294bc460b4b0869e950b7c5.1588110291.git.jpoimboe@redhat.com commit 64082b67ba724c5a5acfff38d352068c4992d089 Author: Maciej Żenczykowski Date: Thu May 7 00:58:05 2020 -0700 net: remove spurious declaration of tcp_default_init_rwnd() it doesn't actually exist... Test: builds and 'git grep tcp_default_init_rwnd' comes up empty Signed-off-by: Maciej Żenczykowski Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller commit 01c3259818a11f3cc3cd767adbae6b45849c03c1 Author: Michael S. Tsirkin Date: Thu May 7 03:25:56 2020 -0400 virtio_net: fix lockdep warning on 32 bit When we fill up a receive VQ, try_fill_recv currently tries to count kicks using a 64 bit stats counter. Turns out, on a 32 bit kernel that uses a seqcount. sequence counts are "lock" constructs where you need to make sure that writers are serialized. In turn, this means that we mustn't run two try_fill_recv concurrently. Which of course we don't. We do run try_fill_recv sometimes from a softirq napi context, and sometimes from a fully preemptible context, but the later always runs with napi disabled. However, when it comes to the seqcount, lockdep is trying to enforce the rule that the same lock isn't accessed from preemptible and softirq context - it doesn't know about napi being enabled/disabled. This causes a false-positive warning: WARNING: inconsistent lock state ... inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage. As a work around, shut down the warning by switching to u64_stats_update_begin_irqsave - that works by disabling interrupts on 32 bit only, is a NOP on 64 bit. Reported-by: Thomas Gleixner Suggested-by: Eric Dumazet Signed-off-by: Michael S. Tsirkin Signed-off-by: David S. Miller commit eb7ae5e06bb6e6ac6bb86872d27c43ebab92f6b2 Author: Christoph Hellwig Date: Mon May 4 14:47:54 2020 +0200 bdi: move bdi_dev_name out of line bdi_dev_name is not a fast path function, move it out of line. This prepares for using it from modular callers without having to export an implementation detail like bdi_unknown_name. Signed-off-by: Christoph Hellwig Reviewed-by: Jan Kara Reviewed-by: Greg Kroah-Hartman Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe commit 156c75737255b8db0aa887abcb66b709856cf453 Author: Christoph Hellwig Date: Mon May 4 14:47:53 2020 +0200 vboxsf: don't use the source name in the bdi name Simplify the bdi name to mirror what we are doing elsewhere, and drop them name in favor of just using a number. This avoids a potentially very long bdi name. Signed-off-by: Christoph Hellwig Reviewed-by: Hans de Goede Signed-off-by: Jens Axboe commit b56ff195c317ad28c05d354aeecbb9995b8e08c1 Author: Ben Chuang Date: Mon May 4 14:39:57 2020 +0800 mmc: sdhci-pci-gli: Fix can not access GL9750 after reboot from Windows 10 Need to clear some bits in a vendor-defined register after reboot from Windows 10. Fixes: e51df6ce668a ("mmc: host: sdhci-pci: Add Genesys Logic GL975x support") Reported-by: Grzegorz Kowal Signed-off-by: Ben Chuang Acked-by: Adrian Hunter Tested-by: Grzegorz Kowal Link: https://lore.kernel.org/r/20200504063957.6638-1-benchuanggli@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit 7c277dd2b0ff6a16f1732a66c2c52a29f067163e Author: Christophe JAILLET Date: Sun Apr 26 22:23:55 2020 +0200 mmc: alcor: Fix a resource leak in the error path for ->probe() If devm_request_threaded_irq() fails, the allocated struct mmc_host needs to be freed via calling mmc_free_host(), so let's do that. Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/20200426202355.43055-1-christophe.jaillet@wanadoo.fr Cc: stable@vger.kernel.org Signed-off-by: Ulf Hansson commit 282ede76e47048eebc8ce5324b412890f0ec0a69 Author: Ben Chuang Date: Mon Apr 27 18:30:48 2020 +0800 mmc: sdhci-pci-gli: Fix no irq handler from suspend The kernel prints a message similar to "[ 28.881959] do_IRQ: 5.36 No irq handler for vector" when GL975x resumes from suspend. Implement a resume callback to fix this. Fixes: 31e43f31890c ("mmc: sdhci-pci-gli: Enable MSI interrupt for GL975x") Co-developed-by: Renius Chen Signed-off-by: Renius Chen Tested-by: Dave Flogeras Signed-off-by: Ben Chuang Tested-by: Vineeth Pillai Acked-by: Adrian Hunter Link: https://lore.kernel.org/r/20200427103048.20785-1-benchuanggli@gmail.com Cc: stable@vger.kernel.org Signed-off-by: Samuel Zou [Samuel Zou: Make sdhci_pci_gli_resume() static] Signed-off-by: Ulf Hansson commit 2c19dba6803bfeb694da0b0b50e788b77a37fe75 Author: Paolo Bonzini Date: Thu May 7 07:20:27 2020 -0400 KVM: nSVM: trap #DB and #BP to userspace if guest debugging is on Signed-off-by: Paolo Bonzini commit 449aa906e67e57636086967bf0edc1328fd0ca9f Author: Peter Xu Date: Tue May 5 16:50:00 2020 -0400 KVM: selftests: Add KVM_SET_GUEST_DEBUG test Covers fundamental tests for KVM_SET_GUEST_DEBUG. It is very close to the debug test in kvm-unit-test, but doing it from outside the guest. Signed-off-by: Peter Xu Message-Id: <20200505205000.188252-4-peterx@redhat.com> Signed-off-by: Paolo Bonzini commit d5d260c5ffad0e0e4e59ae2772d4a906d3287e6a Author: Peter Xu Date: Tue May 5 16:49:59 2020 -0400 KVM: X86: Fix single-step with KVM_SET_GUEST_DEBUG When single-step triggered with KVM_SET_GUEST_DEBUG, we should fill in the pc value with current linear RIP rather than the cached singlestep address. Signed-off-by: Peter Xu Message-Id: <20200505205000.188252-3-peterx@redhat.com> Signed-off-by: Paolo Bonzini commit 13196638d5de2564af90387930afa19cf27c1974 Author: Peter Xu Date: Tue May 5 16:49:58 2020 -0400 KVM: X86: Set RTM for DB_VECTOR too for KVM_EXIT_DEBUG RTM should always been set even with KVM_EXIT_DEBUG on #DB. Signed-off-by: Peter Xu Message-Id: <20200505205000.188252-2-peterx@redhat.com> Signed-off-by: Paolo Bonzini commit 4d5523cfd5d298c58743eb31c003886cfc856709 Author: Paolo Bonzini Date: Tue May 5 07:33:20 2020 -0400 KVM: x86: fix DR6 delivery for various cases of #DB injection Go through kvm_queue_exception_p so that the payload is correctly delivered through the exit qualification, and add a kvm_update_dr6 call to kvm_deliver_exception_payload that is needed on AMD. Reported-by: Peter Xu Reviewed-by: Peter Xu Signed-off-by: Paolo Bonzini commit b9b2782cd55aaf5a65573df99376cf391941cb66 Author: Peter Xu Date: Tue May 5 11:47:50 2020 -0400 KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly KVM_CAP_SET_GUEST_DEBUG should be supported for x86 however it's not declared as supported. My wild guess is that userspaces like QEMU are using "#ifdef KVM_CAP_SET_GUEST_DEBUG" to check for the capability instead, but that could be wrong because the compilation host may not be the runtime host. The userspace might still want to keep the old "#ifdef" though to not break the guest debug on old kernels. Signed-off-by: Peter Xu Message-Id: <20200505154750.126300-1-peterx@redhat.com> [Do the same for PPC and s390. - Paolo] Signed-off-by: Paolo Bonzini commit 027d0c7101f50cf03aeea9eebf484afd4920c8d3 Author: Mark Rutland Date: Tue May 5 13:59:30 2020 +0100 arm64: hugetlb: avoid potential NULL dereference The static analyzer in GCC 10 spotted that in huge_pte_alloc() we may pass a NULL pmdp into pte_alloc_map() when pmd_alloc() returns NULL: | CC arch/arm64/mm/pageattr.o | CC arch/arm64/mm/hugetlbpage.o | from arch/arm64/mm/hugetlbpage.c:10: | arch/arm64/mm/hugetlbpage.c: In function ‘huge_pte_alloc’: | ./arch/arm64/include/asm/pgtable-types.h:28:24: warning: dereference of NULL ‘pmdp’ [CWE-690] [-Wanalyzer-null-dereference] | ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ | arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ | |arch/arm64/mm/hugetlbpage.c:232:10: | |./arch/arm64/include/asm/pgtable-types.h:28:24: | ./arch/arm64/include/asm/pgtable.h:436:26: note: in expansion of macro ‘pmd_val’ | arch/arm64/mm/hugetlbpage.c:242:10: note: in expansion of macro ‘pte_alloc_map’ This can only occur when the kernel cannot allocate a page, and so is unlikely to happen in practice before other systems start failing. We can avoid this by bailing out if pmd_alloc() fails, as we do earlier in the function if pud_alloc() fails. Fixes: 66b3923a1a0f ("arm64: hugetlb: add support for PTE contiguous bit") Signed-off-by: Mark Rutland Reported-by: Kyrill Tkachov Cc: # 4.5.x- Cc: Will Deacon Signed-off-by: Catalin Marinas commit 4833ce06e6855d526234618b746ffb71d6612c9a Author: Christophe Leroy Date: Mon Apr 20 07:47:05 2020 +0000 powerpc/32s: Fix build failure with CONFIG_PPC_KUAP_DEBUG gpr2 is not a parametre of kuap_check(), it doesn't exist. Use gpr instead. Fixes: a68c31fc01ef ("powerpc/32s: Implement Kernel Userspace Access Protection") Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/ea599546f2a7771bde551393889e44e6b2632332.1587368807.git.christophe.leroy@c-s.fr commit fa4f3f56ccd28ac031ab275e673ed4098855fed4 Author: Nayna Jain Date: Fri May 1 10:16:52 2020 -0400 powerpc/ima: Fix secure boot rules in ima arch policy To prevent verifying the kernel module appended signature twice (finit_module), once by the module_sig_check() and again by IMA, powerpc secure boot rules define an IMA architecture specific policy rule only if CONFIG_MODULE_SIG_FORCE is not enabled. This, unfortunately, does not take into account the ability of enabling "sig_enforce" on the boot command line (module.sig_enforce=1). Including the IMA module appraise rule results in failing the finit_module syscall, unless the module signing public key is loaded onto the IMA keyring. This patch fixes secure boot policy rules to be based on CONFIG_MODULE_SIG instead. Fixes: 4238fad366a6 ("powerpc/ima: Add support to initialize ima policy rules") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Signed-off-by: Mimi Zohar Link: https://lore.kernel.org/r/1588342612-14532-1-git-send-email-nayna@linux.ibm.com commit 91edf63d5022bd0464788ffb4acc3d5febbaf81d Author: Bryan O'Donoghue Date: Thu May 7 08:49:18 2020 +0800 usb: chipidea: msm: Ensure proper controller reset using role switch API Currently we check to make sure there is no error state on the extcon handle for VBUS when writing to the HS_PHY_GENCONFIG_2 register. When using the USB role-switch API we still need to write to this register absent an extcon handle. This patch makes the appropriate update to ensure the write happens if role-switching is true. Fixes: 05559f10ed79 ("usb: chipidea: add role switch class support") Cc: stable Cc: Greg Kroah-Hartman Cc: Philipp Zabel Cc: linux-usb@vger.kernel.org Cc: linux-kernel@vger.kernel.org Cc: Stephen Boyd Signed-off-by: Bryan O'Donoghue Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20200507004918.25975-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman commit a811c1fa0a02c062555b54651065899437bacdbe Merge: b9388959ba50 16f8036086a9 Author: Linus Torvalds Date: Wed May 6 20:53:22 2020 -0700 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net Pull networking fixes from David Miller: 1) Fix reference count leaks in various parts of batman-adv, from Xiyu Yang. 2) Update NAT checksum even when it is zero, from Guillaume Nault. 3) sk_psock reference count leak in tls code, also from Xiyu Yang. 4) Sanity check TCA_FQ_CODEL_DROP_BATCH_SIZE netlink attribute in fq_codel, from Eric Dumazet. 5) Fix panic in choke_reset(), also from Eric Dumazet. 6) Fix VLAN accel handling in bnxt_fix_features(), from Michael Chan. 7) Disallow out of range quantum values in sch_sfq, from Eric Dumazet. 8) Fix crash in x25_disconnect(), from Yue Haibing. 9) Don't pass pointer to local variable back to the caller in nf_osf_hdr_ctx_init(), from Arnd Bergmann. 10) Wireguard should use the ECN decap helper functions, from Toke Høiland-Jørgensen. 11) Fix command entry leak in mlx5 driver, from Moshe Shemesh. 12) Fix uninitialized variable access in mptcp's subflow_syn_recv_sock(), from Paolo Abeni. 13) Fix unnecessary out-of-order ingress frame ordering in macsec, from Scott Dial. 14) IPv6 needs to use a global serial number for dst validation just like ipv4, from David Ahern. 15) Fix up PTP_1588_CLOCK deps, from Clay McClure. 16) Missing NLM_F_MULTI flag in gtp driver netlink messages, from Yoshiyuki Kurauchi. 17) Fix a regression in that dsa user port errors should not be fatal, from Florian Fainelli. 18) Fix iomap leak in enetc driver, from Dejin Zheng. 19) Fix use after free in lec_arp_clear_vccs(), from Cong Wang. 20) Initialize protocol value earlier in neigh code paths when generating events, from Roman Mashak. 21) netdev_update_features() must be called with RTNL mutex in macsec driver, from Antoine Tenart. 22) Validate untrusted GSO packets even more strictly, from Willem de Bruijn. 23) Wireguard decrypt worker needs a cond_resched(), from Jason Donenfeld. * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (111 commits) net: flow_offload: skip hw stats check for FLOW_ACTION_HW_STATS_DONT_CARE MAINTAINERS: put DYNAMIC INTERRUPT MODERATION in proper order wireguard: send/receive: use explicit unlikely branch instead of implicit coalescing wireguard: selftests: initalize ipv6 members to NULL to squelch clang warning wireguard: send/receive: cond_resched() when processing worker ringbuffers wireguard: socket: remove errant restriction on looping to self wireguard: selftests: use normal kernel stack size on ppc64 net: ethernet: ti: am65-cpsw-nuss: fix irqs type ionic: Use debugfs_create_bool() to export bool net: dsa: Do not leave DSA master with NULL netdev_ops net: dsa: remove duplicate assignment in dsa_slave_add_cls_matchall_mirred net: stricter validation of untrusted gso packets seg6: fix SRH processing to comply with RFC8754 net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms net: dsa: ocelot: the MAC table on Felix is twice as large net: dsa: sja1105: the PTP_CLK extts input reacts on both edges selftests: net: tcp_mmap: fix SO_RCVLOWAT setting net: hsr: fix incorrect type usage for protocol variable net: macsec: fix rtnl locking issue net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() ... commit 16f8036086a929694c3c62f577bb5925fe4fd607 Author: Pablo Neira Ayuso Date: Wed May 6 20:34:50 2020 +0200 net: flow_offload: skip hw stats check for FLOW_ACTION_HW_STATS_DONT_CARE This patch adds FLOW_ACTION_HW_STATS_DONT_CARE which tells the driver that the frontend does not need counters, this hw stats type request never fails. The FLOW_ACTION_HW_STATS_DISABLED type explicitly requests the driver to disable the stats, however, if the driver cannot disable counters, it bails out. TCA_ACT_HW_STATS_* maintains the 1:1 mapping with FLOW_ACTION_HW_STATS_* except by disabled which is mapped to FLOW_ACTION_HW_STATS_DISABLED (this is 0 in tc). Add tc_act_hw_stats() to perform the mapping between TCA_ACT_HW_STATS_* and FLOW_ACTION_HW_STATS_*. Fixes: 319a1d19471e ("flow_offload: check for basic action hw stats type") Signed-off-by: Pablo Neira Ayuso Signed-off-by: David S. Miller commit b0956956bbd7b8c93112269a1e9c8309b0ceb0e7 Author: Lukas Bulwahn Date: Wed May 6 22:29:06 2020 +0200 MAINTAINERS: put DYNAMIC INTERRUPT MODERATION in proper order Commit 9b038086f06b ("docs: networking: convert DIM to RST") added a new file entry to DYNAMIC INTERRUPT MODERATION to the end, and not following alphabetical order. So, ./scripts/checkpatch.pl -f MAINTAINERS complains: WARNING: Misordered MAINTAINERS entry - list file patterns in alphabetic order #5966: FILE: MAINTAINERS:5966: +F: lib/dim/ +F: Documentation/networking/net_dim.rst Reorder the file entries to keep MAINTAINERS nicely ordered. Signed-off-by: Lukas Bulwahn Acked-by: Jakub Kicinski Signed-off-by: David S. Miller commit d3f3e6acb26b171e4572aaaafc7d2e918b35be35 Merge: 6f5c27f9c6f8 243f2148937a Author: David S. Miller Date: Wed May 6 20:03:48 2020 -0700 Merge branch 'wireguard-fixes' Jason A. Donenfeld says: ==================== wireguard fixes for 5.7-rc5 With Ubuntu and Debian having backported this into their kernels, we're finally seeing testing from places we hadn't seen prior, which is nice. With that comes more fixes: 1) The CI for PPC64 was running with extremely small stacks for 64-bit, causing spurious crashes in surprising places. 2) There's was an old leftover routing loop restriction, which no longer makes sense given the queueing architecture, and was causing problems for people who really did want nested routing. 3) Not yielding our kthread on CONFIG_PREEMPT_VOLUNTARY systems caused RCU stalls and other issues, reported by Wang Jian, with the fix suggested by Sultan Alsawaf. 4) Clang spewed warnings in a selftest for CONFIG_IPV6=n, reported by Arnd Bergmann. 5) A complicated if statement was simplified to an assignment while also making the likely/unlikely hinting more correct and simple, and increasing readability, suggested by Sultan. Patches (2) and (3) have Fixes: lines and are probably good candidates for stable. ==================== Signed-off-by: David S. Miller commit 243f2148937adc72bcaaa590d482d599c936efde Author: Jason A. Donenfeld Date: Wed May 6 15:33:06 2020 -0600 wireguard: send/receive: use explicit unlikely branch instead of implicit coalescing It's very unlikely that send will become true. It's nearly always false between 0 and 120 seconds of a session, and in most cases becomes true only between 120 and 121 seconds before becoming false again. So, unlikely(send) is clearly the right option here. What happened before was that we had this complex boolean expression with multiple likely and unlikely clauses nested. Since this is evaluated left-to-right anyway, the whole thing got converted to unlikely. So, we can clean this up to better represent what's going on. The generated code is the same. Suggested-by: Sultan Alsawaf Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit 4fed818ef54b08d4b29200e416cce65546ad5312 Author: Jason A. Donenfeld Date: Wed May 6 15:33:05 2020 -0600 wireguard: selftests: initalize ipv6 members to NULL to squelch clang warning Without setting these to NULL, clang complains in certain configurations that have CONFIG_IPV6=n: In file included from drivers/net/wireguard/ratelimiter.c:223: drivers/net/wireguard/selftest/ratelimiter.c:173:34: error: variable 'skb6' is uninitialized when used here [-Werror,-Wuninitialized] ret = timings_test(skb4, hdr4, skb6, hdr6, &test_count); ^~~~ drivers/net/wireguard/selftest/ratelimiter.c:123:29: note: initialize the variable 'skb6' to silence this warning struct sk_buff *skb4, *skb6; ^ = NULL drivers/net/wireguard/selftest/ratelimiter.c:173:40: error: variable 'hdr6' is uninitialized when used here [-Werror,-Wuninitialized] ret = timings_test(skb4, hdr4, skb6, hdr6, &test_count); ^~~~ drivers/net/wireguard/selftest/ratelimiter.c:125:22: note: initialize the variable 'hdr6' to silence this warning struct ipv6hdr *hdr6; ^ We silence this warning by setting the variables to NULL as the warning suggests. Reported-by: Arnd Bergmann Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit 4005f5c3c9d006157ba716594e0d70c88a235c5e Author: Jason A. Donenfeld Date: Wed May 6 15:33:04 2020 -0600 wireguard: send/receive: cond_resched() when processing worker ringbuffers Users with pathological hardware reported CPU stalls on CONFIG_ PREEMPT_VOLUNTARY=y, because the ringbuffers would stay full, meaning these workers would never terminate. That turned out not to be okay on systems without forced preemption, which Sultan observed. This commit adds a cond_resched() to the bottom of each loop iteration, so that these workers don't hog the core. Note that we don't need this on the napi poll worker, since that terminates after its budget is expended. Suggested-by: Sultan Alsawaf Reported-by: Wang Jian Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit b673e24aad36981f327a6570412ffa7754de8911 Author: Jason A. Donenfeld Date: Wed May 6 15:33:03 2020 -0600 wireguard: socket: remove errant restriction on looping to self It's already possible to create two different interfaces and loop packets between them. This has always been possible with tunnels in the kernel, and isn't specific to wireguard. Therefore, the networking stack already needs to deal with that. At the very least, the packet winds up exceeding the MTU and is discarded at that point. So, since this is already something that happens, there's no need to forbid the not very exceptional case of routing a packet back to the same interface; this loop is no different than others, and we shouldn't special case it, but rather rely on generic handling of loops in general. This also makes it easier to do interesting things with wireguard such as onion routing. At the same time, we add a selftest for this, ensuring that both onion routing works and infinite routing loops do not crash the kernel. We also add a test case for wireguard interfaces nesting packets and sending traffic between each other, as well as the loop in this case too. We make sure to send some throughput-heavy traffic for this use case, to stress out any possible recursion issues with the locks around workqueues. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit a0fd7cc87a018df1a17f9d3f0bd994c1f22c6b34 Author: Jason A. Donenfeld Date: Wed May 6 15:33:02 2020 -0600 wireguard: selftests: use normal kernel stack size on ppc64 While at some point it might have made sense to be running these tests on ppc64 with 4k stacks, the kernel hasn't actually used 4k stacks on 64-bit powerpc in a long time, and more interesting things that we test don't really work when we deviate from the default (16k). So, we stop pushing our luck in this commit, and return to the default instead of the minimum. Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller commit c44dc6323cd49d8d742c37e234b952e822c35de4 Author: Nicholas Piggin Date: Wed Apr 29 16:56:53 2020 +1000 powerpc/64s/kuap: Restore AMR in fast_interrupt_return Interrupts that use fast_interrupt_return actually do lock AMR, but they have been ones which tend to come from userspace (or kernel bugs) in radix mode. With kuap on hash, segment interrupts are taken in kernel often, which quickly breaks due to the missing restore. Fixes: 890274c2dc4c ("powerpc/64s: Implement KUAP for Radix MMU") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200429065654.1677541-6-npiggin@gmail.com commit 6f5c27f9c6f89226f5b97476797e5abedd61912c Author: Grygorii Strashko Date: Tue May 5 19:31:26 2020 +0300 net: ethernet: ti: am65-cpsw-nuss: fix irqs type The K3 INTA driver, which is source TX/RX IRQs for CPSW NUSS, defines IRQs triggering type as EDGE by default, but triggering type for CPSW NUSS TX/RX IRQs has to be LEVEL as the EDGE triggering type may cause unnecessary IRQs triggering and NAPI scheduling for empty queues. It was discovered with RT-kernel. Fix it by explicitly specifying CPSW NUSS TX/RX IRQ type as IRQF_TRIGGER_HIGH. Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Grygorii Strashko Signed-off-by: David S. Miller commit 0735ccc9d9a4ce09154395feb70b804de7cc6ebf Author: Geert Uytterhoeven Date: Tue May 5 15:28:09 2020 +0200 ionic: Use debugfs_create_bool() to export bool Currently bool ionic_cq.done_color is exported using debugfs_create_u8(), which requires a cast, preventing further compiler checks. Fix this by switching to debugfs_create_bool(), and dropping the cast. Signed-off-by: Geert Uytterhoeven Acked-by: Shannon Nelson Signed-off-by: David S. Miller commit 050569fc8384c8056bacefcc246bcb2dfe574936 Author: Florian Fainelli Date: Mon May 4 13:18:06 2020 -0700 net: dsa: Do not leave DSA master with NULL netdev_ops When ndo_get_phys_port_name() for the CPU port was added we introduced an early check for when the DSA master network device in dsa_master_ndo_setup() already implements ndo_get_phys_port_name(). When we perform the teardown operation in dsa_master_ndo_teardown() we would not be checking that cpu_dp->orig_ndo_ops was successfully allocated and non-NULL initialized. With network device drivers such as virtio_net, this leads to a NPD as soon as the DSA switch hanging off of it gets torn down because we are now assigning the virtio_net device's netdev_ops a NULL pointer. Fixes: da7b9e9b00d4 ("net: dsa: Add ndo_get_phys_port_name() for CPU port") Reported-by: Allen Pais Signed-off-by: Florian Fainelli Tested-by: Allen Pais Signed-off-by: David S. Miller commit 657221598f820ff860972b67583fb91d9ab7caf4 Author: Vladimir Oltean Date: Mon May 4 22:58:56 2020 +0300 net: dsa: remove duplicate assignment in dsa_slave_add_cls_matchall_mirred This was caused by a poor merge conflict resolution on my side. The "act = &cls->rule->action.entries[0];" assignment was already present in the code prior to the patch mentioned below. Fixes: e13c2075280e ("net: dsa: refactor matchall mirred action to separate function") Signed-off-by: Vladimir Oltean Signed-off-by: David S. Miller commit 9274124f023b5c56dc4326637d4f787968b03607 Author: Willem de Bruijn Date: Mon May 4 12:48:54 2020 -0400 net: stricter validation of untrusted gso packets Syzkaller again found a path to a kernel crash through bad gso input: a packet with transport header extending beyond skb_headlen(skb). Tighten validation at kernel entry: - Verify that the transport header lies within the linear section. To avoid pulling linux/tcp.h, verify just sizeof tcphdr. tcp_gso_segment will call pskb_may_pull (th->doff * 4) before use. - Match the gso_type against the ip_proto found by the flow dissector. Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") Reported-by: syzbot Signed-off-by: Willem de Bruijn Signed-off-by: David S. Miller commit 0cb7498f234e4e7d75187a8cae6c7c2053f2488a Author: Ahmed Abdelsalam Date: Mon May 4 14:42:11 2020 +0000 seg6: fix SRH processing to comply with RFC8754 The Segment Routing Header (SRH) which defines the SRv6 dataplane is defined in RFC8754. RFC8754 (section 4.1) defines the SR source node behavior which encapsulates packets into an outer IPv6 header and SRH. The SR source node encodes the full list of Segments that defines the packet path in the SRH. Then, the first segment from list of Segments is copied into the Destination address of the outer IPv6 header and the packet is sent to the first hop in its path towards the destination. If the Segment list has only one segment, the SR source node can omit the SRH as he only segment is added in the destination address. RFC8754 (section 4.1.1) defines the Reduced SRH, when a source does not require the entire SID list to be preserved in the SRH. A reduced SRH does not contain the first segment of the related SR Policy (the first segment is the one already in the DA of the IPv6 header), and the Last Entry field is set to n-2, where n is the number of elements in the SR Policy. RFC8754 (section 4.3.1.1) defines the SRH processing and the logic to validate the SRH (S09, S10, S11) which works for both reduced and non-reduced behaviors. This patch updates seg6_validate_srh() to validate the SRH as per RFC8754. Signed-off-by: Ahmed Abdelsalam Signed-off-by: David S. Miller commit 6e0ddb6530b5010b33f91f0939029d2819b2dc3f Merge: 0ba83aa037da c0d7eccbc761 Author: David S. Miller Date: Wed May 6 17:15:38 2020 -0700 Merge branch 'FDB-fixes-for-Felix-and-Ocelot-switches' Vladimir Oltean says: ==================== FDB fixes for Felix and Ocelot switches This series fixes the following problems: - Dynamically learnt addresses never expiring (neither for Ocelot nor for Felix) - Half of the FDB not visible in 'bridge fdb show' (for Felix only) ==================== Signed-off-by: David S. Miller commit c0d7eccbc76115b7eb337956c03d47d6a889cf8c Author: Vladimir Oltean Date: Mon May 4 01:20:27 2020 +0300 net: mscc: ocelot: ANA_AUTOAGE_AGE_PERIOD holds a value in seconds, not ms One may notice that automatically-learnt entries 'never' expire, even though the bridge configures the address age period at 300 seconds. Actually the value written to hardware corresponds to a time interval 1000 times higher than intended, i.e. 83 hours. Fixes: a556c76adc05 ("net: mscc: Add initial Ocelot switch support") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Faineli Signed-off-by: David S. Miller commit 21ce7f3e16fbf89faaf149cfe0f730edfc553914 Author: Vladimir Oltean Date: Mon May 4 01:20:26 2020 +0300 net: dsa: ocelot: the MAC table on Felix is twice as large When running 'bridge fdb dump' on Felix, sometimes learnt and static MAC addresses would appear, sometimes they wouldn't. Turns out, the MAC table has 4096 entries on VSC7514 (Ocelot) and 8192 entries on VSC9959 (Felix), so the existing code from the Ocelot common library only dumped half of Felix's MAC table. They are both organized as a 4-way set-associative TCAM, so we just need a single variable indicating the correct number of rows. Fixes: 56051948773e ("net: dsa: ocelot: add driver for Felix switch family") Signed-off-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller commit b9388959ba507c7a48ac18e4aa3b63b8a910ed99 Merge: 3c40cdb0e93e b31d1d2b1c3a Author: Linus Torvalds Date: Wed May 6 16:40:14 2020 -0700 Merge tag 'tag-chrome-platform-fixes-for-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux Pull chrome platform fix from Benson Leung: "Fix a resource allocation issue in cros_ec_sensorhub.c" * tag 'tag-chrome-platform-fixes-for-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/chrome-platform/linux: platform/chrome: cros_ec_sensorhub: Allocate sensorhub resource before claiming sensors commit 8101b5a1531f3390b3a69fa7934c70a8fd6566ad Author: Thomas Gleixner Date: Tue Apr 14 11:07:22 2020 +0200 ARM: futex: Address build warning Stephen reported the following build warning on a ARM multi_v7_defconfig build with GCC 9.2.1: kernel/futex.c: In function 'do_futex': kernel/futex.c:1676:17: warning: 'oldval' may be used uninitialized in this function [-Wmaybe-uninitialized] 1676 | return oldval == cmparg; | ~~~~~~~^~~~~~~~~ kernel/futex.c:1652:6: note: 'oldval' was declared here 1652 | int oldval, ret; | ^~~~~~ introduced by commit a08971e9488d ("futex: arch_futex_atomic_op_inuser() calling conventions change"). While that change should not make any difference it confuses GCC which fails to work out that oldval is not referenced when the return value is not zero. GCC fails to properly analyze arch_futex_atomic_op_inuser(). It's not the early return, the issue is with the assembly macros. GCC fails to detect that those either set 'ret' to 0 and set oldval or set 'ret' to -EFAULT which makes oldval uninteresting. The store to the callsite supplied oldval pointer is conditional on ret == 0. The straight forward way to solve this is to make the store unconditional. Aside of addressing the build warning this makes sense anyway because it removes the conditional from the fastpath. In the error case the stored value is uninteresting and the extra store does not matter at all. Reported-by: Stephen Rothwell Signed-off-by: Thomas Gleixner Link: https://lkml.kernel.org/r/87pncao2ph.fsf@nanos.tec.linutronix.de commit 1bc6a60143a4f9264cc6e09ceb9919f4e813a872 Author: Chris Wilson Date: Tue Apr 28 19:47:50 2020 +0100 drm/i915/execlists: Track inflight CCID The presumption is that by using a circular counter that is twice as large as the maximum ELSP submission, we would never reuse the same CCID for two inflight contexts. However, if we continually preempt an active context such that it always remains inflight, it can be resubmitted with an arbitrary number of paired contexts. As each of its paired contexts will use a new CCID, eventually it will wrap and submit two ELSP with the same CCID. Rather than use a simple circular counter, switch over to a small bitmap of inflight ids so we can avoid reusing one that is still potentially active. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1796 Fixes: 2935ed5339c4 ("drm/i915: Remove logical HW ID") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: # v5.5+ Reviewed-by: Mika Kuoppala Link: https://patchwork.freedesktop.org/patch/msgid/20200428184751.11257-2-chris@chris-wilson.co.uk (cherry picked from commit 5c4a53e3b1cbc38d0906e382f1037290658759bb) (cherry picked from commit 134711240307d5586ae8e828d2699db70a8b74f2) Signed-off-by: Rodrigo Vivi commit 53b2622e774681943230fb9f31096512fff99fe7 Author: Chris Wilson Date: Tue Apr 28 19:47:49 2020 +0100 drm/i915/execlists: Avoid reusing the same logical CCID The bspec is confusing on the nature of the upper 32bits of the LRC descriptor. Once upon a time, it said that it uses the upper 32b to decide if it should perform a lite-restore, and so we must ensure that each unique context submitted to HW is given a unique CCID [for the duration of it being on the HW]. Currently, this is achieved by using a small circular tag, and assigning every context submitted to HW a new id. However, this tag is being cleared on repinning an inflight context such that we end up re-using the 0 tag for multiple contexts. To avoid accidentally clearing the CCID in the upper 32bits of the LRC descriptor, split the descriptor into two dwords so we can update the GGTT address separately from the CCID. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1796 Fixes: 2935ed5339c4 ("drm/i915: Remove logical HW ID") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: # v5.5+ Reviewed-by: Mika Kuoppala Link: https://patchwork.freedesktop.org/patch/msgid/20200428184751.11257-1-chris@chris-wilson.co.uk (cherry picked from commit 2632f174a2e1a5fd40a70404fa8ccfd0b1f79ebd) (cherry picked from commit a4b70fcc587860f4b972f68217d8ebebe295ec15) Signed-off-by: Rodrigo Vivi commit 47bf7b7a7151bad568b9523d14477a353a450066 Author: Chris Wilson Date: Mon Apr 20 13:53:55 2020 +0100 drm/i915/gem: Remove object_is_locked assertion from unpin_from_display_plane Since moving the obj->vma.list to a spin_lock, and the vm->bound_list to its vm->mutex, along with tracking shrinkable status under its own spinlock, we no long require the object to be locked by the caller. This is fortunate as it appears we can be called with the lock along an error path in flipping: <4> [139.942851] WARN_ON(debug_locks && !lock_is_held(&(&((obj)->base.resv)->lock.base)->dep_map)) <4> [139.943242] WARNING: CPU: 0 PID: 1203 at drivers/gpu/drm/i915/gem/i915_gem_domain.c:405 i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915] <4> [139.943263] Modules linked in: snd_hda_intel i915 vgem snd_hda_codec_realtek snd_hda_codec_generic coretemp snd_intel_dspcfg snd_hda_codec snd_hwdep snd_hda_core r8169 lpc_ich snd_pcm realtek prime_numbers [last unloaded: i915] <4> [139.943347] CPU: 0 PID: 1203 Comm: kms_flip Tainted: G U 5.6.0-gd0fda5c2cf3f1-drmtip_474+ #1 <4> [139.943363] Hardware name: /D510MO, BIOS MOPNV10J.86A.0311.2010.0802.2346 08/02/2010 <4> [139.943589] RIP: 0010:i915_gem_object_unpin_from_display_plane+0x70/0x130 [i915] <4> [139.943589] Code: 85 28 01 00 00 be ff ff ff ff 48 8d 78 60 e8 d7 9b f0 e2 85 c0 75 b9 48 c7 c6 50 b9 38 c0 48 c7 c7 e9 48 3c c0 e8 20 d4 e9 e2 <0f> 0b eb a2 48 c7 c1 08 bb 38 c0 ba 0a 01 00 00 48 c7 c6 88 a3 35 <4> [139.943589] RSP: 0018:ffffb774c0603b48 EFLAGS: 00010282 <4> [139.943589] RAX: 0000000000000000 RBX: ffff9a142fa36e80 RCX: 0000000000000006 <4> [139.943589] RDX: 000000000000160d RSI: ffff9a142c1a88f8 RDI: ffffffffa434a64d <4> [139.943589] RBP: ffff9a1410a513c0 R08: ffff9a142c1a88f8 R09: 0000000000000000 <4> [139.943589] R10: 0000000000000000 R11: 0000000000000000 R12: ffff9a1436ee94b8 <4> [139.943589] R13: 0000000000000001 R14: 00000000ffffffff R15: ffff9a1410960000 <4> [139.943589] FS: 00007fc73a744e40(0000) GS:ffff9a143da00000(0000) knlGS:0000000000000000 <4> [139.943589] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 <4> [139.943589] CR2: 00007fc73997e098 CR3: 000000002f5fe000 CR4: 00000000000006f0 <4> [139.943589] Call Trace: <4> [139.943589] intel_pin_and_fence_fb_obj+0x1c9/0x1f0 [i915] <4> [139.943589] intel_plane_pin_fb+0x3f/0xd0 [i915] <4> [139.943589] intel_prepare_plane_fb+0x13b/0x5c0 [i915] <4> [139.943589] drm_atomic_helper_prepare_planes+0x85/0x110 <4> [139.943589] intel_atomic_commit+0xda/0x390 [i915] <4> [139.943589] drm_atomic_helper_page_flip+0x9c/0xd0 <4> [139.943589] ? drm_event_reserve_init+0x46/0x60 <4> [139.943589] drm_mode_page_flip_ioctl+0x587/0x5d0 This completes the symmetry lost in commit 8b1c78e06e61 ("drm/i915: Avoid calling i915_gem_object_unbind holding object lock"). Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1743 Fixes: 8b1c78e06e61 ("drm/i915: Avoid calling i915_gem_object_unbind holding object lock") Signed-off-by: Chris Wilson Cc: Matthew Auld Cc: Andi Shyti Cc: # v5.6+ Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20200420125356.26614-1-chris@chris-wilson.co.uk (cherry picked from commit a95f3ac21d64d62c746f836598d1467d5837fa28) (cherry picked from commit 2208b85fa1766ee4821a9435d548578b67090531) Signed-off-by: Rodrigo Vivi commit 220dcfc1485bb79e300f08a28b475869feccbb53 Author: Chris Wilson Date: Tue Apr 7 14:08:11 2020 +0100 drm/i915/gt: Yield the timeslice if caught waiting on a user semaphore If we find ourselves waiting on a MI_SEMAPHORE_WAIT, either within the user batch or in our own preamble, the engine raises a GT_WAIT_ON_SEMAPHORE interrupt. We can unmask that interrupt and so respond to a semaphore wait by yielding the timeslice, if we have another context to yield to! The only real complication is that the interrupt is only generated for the start of the semaphore wait, and is asynchronous to our process_csb() -- that is, we may not have registered the timeslice before we see the interrupt. To ensure we don't miss a potential semaphore blocking forward progress (e.g. selftests/live_timeslice_preempt) we mark the interrupt and apply it to the next timeslice regardless of whether it was active at the time. v2: We use semaphores in preempt-to-busy, within the timeslicing implementation itself! Ergo, when we do insert a preemption due to an expired timeslice, the new context may start with the missed semaphore flagged by the retired context and be yielded, ad infinitum. To avoid this, read the context id at the time of the semaphore interrupt and only yield if that context is still active. Fixes: 8ee36e048c98 ("drm/i915/execlists: Minimalistic timeslicing") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Cc: Kenneth Graunke Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200407130811.17321-1-chris@chris-wilson.co.uk (cherry picked from commit c4e8ba7390346a77ffe33ec3f210bc62e0b6c8c6) (cherry picked from commit cd60e4ac4738a6921592c4f7baf87f9a3499f0e2) Signed-off-by: Rodrigo Vivi commit af23facc38c26ac188b6adac2cae2dafaca0c82d Author: Chris Wilson Date: Fri Apr 3 13:01:50 2020 +0100 drm/i915: Check current i915_vma.pin_count status first on unbind Do an early rejection of a i915_vma_unbind() attempt if the i915_vma is currently pinned, without waiting to see if the inflight operations may unpin it. We see this problem with the shrinker trying to unbind the active vma from inside its bind worker: <6> [472.618968] Workqueue: events_unbound fence_work [i915] <4> [472.618970] Call Trace: <4> [472.618974] ? __schedule+0x2e5/0x810 <4> [472.618978] schedule+0x37/0xe0 <4> [472.618982] schedule_preempt_disabled+0xf/0x20 <4> [472.618984] __mutex_lock+0x281/0x9c0 <4> [472.618987] ? mark_held_locks+0x49/0x70 <4> [472.618989] ? _raw_spin_unlock_irqrestore+0x47/0x60 <4> [472.619038] ? i915_vma_unbind+0xae/0x110 [i915] <4> [472.619084] ? i915_vma_unbind+0xae/0x110 [i915] <4> [472.619122] i915_vma_unbind+0xae/0x110 [i915] <4> [472.619165] i915_gem_object_unbind+0x1dc/0x400 [i915] <4> [472.619208] i915_gem_shrink+0x328/0x660 [i915] <4> [472.619250] ? i915_gem_shrink_all+0x38/0x60 [i915] <4> [472.619282] i915_gem_shrink_all+0x38/0x60 [i915] <4> [472.619325] vm_alloc_page.constprop.25+0x1aa/0x240 [i915] <4> [472.619330] ? rcu_read_lock_sched_held+0x4d/0x80 <4> [472.619363] ? __alloc_pd+0xb/0x30 [i915] <4> [472.619366] ? module_assert_mutex_or_preempt+0xf/0x30 <4> [472.619368] ? __module_address+0x23/0xe0 <4> [472.619371] ? is_module_address+0x26/0x40 <4> [472.619374] ? static_obj+0x34/0x50 <4> [472.619376] ? lockdep_init_map+0x4d/0x1e0 <4> [472.619407] setup_page_dma+0xd/0x90 [i915] <4> [472.619437] alloc_pd+0x29/0x50 [i915] <4> [472.619470] __gen8_ppgtt_alloc+0x443/0x6b0 [i915] <4> [472.619503] gen8_ppgtt_alloc+0xd7/0x300 [i915] <4> [472.619535] ppgtt_bind_vma+0x2a/0xe0 [i915] <4> [472.619577] __vma_bind+0x26/0x40 [i915] <4> [472.619611] fence_work+0x1c/0x90 [i915] <4> [472.619617] process_one_work+0x26a/0x620 Fixes: 2850748ef876 ("drm/i915: Pull i915_vma_pin under the vm->mutex") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200403120150.17091-1-chris@chris-wilson.co.uk (cherry picked from commit 614654abe847a42fc75d7eb5096e46f796a438b6) (cherry picked from commit dd086cf516d9bea3878abb267f62ccc53acd764b) Signed-off-by: Rodrigo Vivi commit 0ba83aa037da456bb73868e5cc20558c5a644414 Author: Vladimir Oltean Date: Wed May 6 20:48:13 2020 +0300 net: dsa: sja1105: the PTP_CLK extts input reacts on both edges It looks like the sja1105 external timestamping input is not as generic as we thought. When fed a signal with 50% duty cycle, it will timestamp both the rising and the falling edge. When fed a short pulse signal, only the timestamp of the falling edge will be seen in the PTPSYNCTS register, because that of the rising edge had been overwritten. So the moral is: don't feed it short pulse inputs. Luckily this is not a complete deal breaker, as we can still work with 1 Hz square waves. But the problem is that the extts polling period was not dimensioned enough for this input signal. If we leave the period at half a second, we risk losing timestamps due to jitter in the measuring process. So we need to increase it to 4 times per second. Also, the very least we can do to inform the user is to deny any other flags combination than with PTP_RISING_EDGE and PTP_FALLING_EDGE both set. Fixes: 747e5eb31d59 ("net: dsa: sja1105: configure the PTP_CLK pin as EXT_TS or PER_OUT") Signed-off-by: Vladimir Oltean Acked-by: Richard Cochran Signed-off-by: David S. Miller commit a84724178bd7081cf3bd5b558616dd6a9a4ca63b Author: Eric Dumazet Date: Wed May 6 09:21:15 2020 -0700 selftests: net: tcp_mmap: fix SO_RCVLOWAT setting Since chunk_size is no longer an integer, we can not use it directly as an argument of setsockopt(). This patch should fix tcp_mmap for Big Endian kernels. Fixes: 597b01edafac ("selftests: net: avoid ptl lock contention in tcp_mmap") Signed-off-by: Eric Dumazet Cc: Soheil Hassas Yeganeh Cc: Arjun Roy Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller commit f5dda315b63775fe00f5470687d40ce801ddfb38 Author: Murali Karicheri Date: Wed May 6 11:41:07 2020 -0400 net: hsr: fix incorrect type usage for protocol variable Fix following sparse checker warning:- net/hsr/hsr_slave.c:38:18: warning: incorrect type in assignment (different base types) net/hsr/hsr_slave.c:38:18: expected unsigned short [unsigned] [usertype] protocol net/hsr/hsr_slave.c:38:18: got restricted __be16 [usertype] h_proto net/hsr/hsr_slave.c:39:25: warning: restricted __be16 degrades to integer net/hsr/hsr_slave.c:39:57: warning: restricted __be16 degrades to integer Signed-off-by: Murali Karicheri Acked-by: Vinicius Costa Gomes Signed-off-by: David S. Miller commit 29ca3cdfe13b2792b8624e6f769777e8cb387f9c Author: Antoine Tenart Date: Wed May 6 15:58:30 2020 +0200 net: macsec: fix rtnl locking issue netdev_update_features() must be called with the rtnl lock taken. Not doing so triggers a warning, as ASSERT_RTNL() is used in __netdev_update_features(), the first function called by netdev_update_features(). Fix this. Fixes: c850240b6c41 ("net: macsec: report real_dev features when HW offloading is enabled") Signed-off-by: Antoine Tenart Signed-off-by: David S. Miller commit 722c0f00d4feea77475a5dc943b53d60824a1e4e Author: Dan Carpenter Date: Wed May 6 13:16:56 2020 +0300 net: mvpp2: cls: Prevent buffer overflow in mvpp2_ethtool_cls_rule_del() The "info->fs.location" is a u32 that comes from the user via the ethtool_set_rxnfc() function. We need to check for invalid values to prevent a buffer overflow. I copy and pasted this check from the mvpp2_ethtool_cls_rule_ins() function. Fixes: 90b509b39ac9 ("net: mvpp2: cls: Add Classification offload support") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller commit 39bd16df7c31bb8cf5dfd0c88e42abd5ae10029d Author: Dan Carpenter Date: Wed May 6 13:16:22 2020 +0300 net: mvpp2: prevent buffer overflow in mvpp22_rss_ctx() The "rss_context" variable comes from the user via ethtool_get_rxfh(). It can be any u32 value except zero. Eventually it gets passed to mvpp22_rss_ctx() and if it is over MVPP22_N_RSS_TABLES (8) then it results in an array overflow. Fixes: 895586d5dc32 ("net: mvpp2: cls: Use RSS contexts to handle RSS tables") Signed-off-by: Dan Carpenter Signed-off-by: David S. Miller commit bf5525f3a8e3248be5aa5defe5aaadd60e1c1ba1 Author: Eric Dumazet Date: Tue May 5 20:51:06 2020 -0700 selftests: net: tcp_mmap: clear whole tcp_zerocopy_receive struct We added fields in tcp_zerocopy_receive structure, so make sure to clear all fields to not pass garbage to the kernel. We were lucky because recent additions added 'out' parameters, still we need to clean our reference implementation, before folks copy/paste it. Fixes: c8856c051454 ("tcp-zerocopy: Return inq along with tcp receive zerocopy.") Fixes: 33946518d493 ("tcp-zerocopy: Return sk_err (if set) along with tcp receive zerocopy.") Signed-off-by: Eric Dumazet Cc: Arjun Roy Cc: Soheil Hassas Yeganeh Acked-by: Soheil Hassas Yeganeh Signed-off-by: David S. Miller commit ac9155842829a811c12d3e1868a133fdb8300df0 Author: Bob Peterson Date: Wed Apr 22 14:14:30 2020 -0500 gfs2: fix withdraw sequence deadlock After a gfs2 file system withdraw, any attempt to read metadata is automatically rejected by function gfs2_meta_read() except for reads of the journal inode. This turns out to be a problem because function signal_our_withdraw() repeatedly calls check_journal_clean() which reads the metadata (both its dinode and indirect blocks) to see if the entire journal is mapped. The dinode read works, but reading the indirect blocks returns -EIO which gets sent back up and causes a consistency error. This results in withdraw-from-withdraw, which becomes a deadlock. This patch changes the test in gfs2_meta_read() to allow all metadata reads for the journal. Instead of checking the journal block, it now checks for the journal inode glock which is the same for all blocks in the journal. This allows check_journal_clean() to properly check the journal without trying to withdraw recursively. Signed-off-by: Bob Peterson Signed-off-by: Andreas Gruenbacher commit 3c40cdb0e93ec166f1fa4fee1eb62d45b5451515 Merge: dc56c5acd850 a9a8ba90fa58 Author: Linus Torvalds Date: Wed May 6 10:20:00 2020 -0700 Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 Pull crypto fixes from Herbert Xu: "This fixes a potential scheduling latency problem for the algorithms used by WireGuard" * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: crypto: arch/nhpoly1305 - process in explicit 4k chunks crypto: arch/lib - limit simd usage to 4k chunks commit 084d7e78467534eedaf0d6c72086a6817023d839 Merge: 7990be48ef4d 78d6de3cfbd3 Author: Greg Kroah-Hartman Date: Wed May 6 17:26:35 2020 +0200 Merge tag 'usb-serial-5.7-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial into usb-linus Johan writes: USB-serial fixes for 5.7-rc5 Here's a fix adding a missing input sanity check and a new modem device id. Both have been in linux-next with no reported issues. * tag 'usb-serial-5.7-rc5' of https://git.kernel.org/pub/scm/linux/kernel/git/johan/usb-serial: USB: serial: qcserial: Add DW5816e support USB: serial: garmin_gps: add sanity checking for data length commit 3dc58df0e2436829971c41ffbb07167dda0979f8 Author: Geert Uytterhoeven Date: Tue May 5 15:43:35 2020 +0200 CIFS: Spelling s/EACCESS/EACCES/ As per POSIX, the correct spelling is EACCES: include/uapi/asm-generic/errno-base.h:#define EACCES 13 /* Permission denied */ Fixes: b8f7442bc46e48fb ("CIFS: refactor cifs_get_inode_info()") Signed-off-by: Geert Uytterhoeven Signed-off-by: Steve French commit 4457a9db2bdec2360ddb15242341696108167886 Author: Imre Deak Date: Mon May 4 10:58:28 2020 +0300 drm/i915/tgl+: Fix interrupt handling for DP AUX transactions Unmask/enable AUX interrupts on all ports on TGL+. So far the interrupts worked only on port A, which meant each transaction on other ports took 10ms. Cc: # v5.4+ Signed-off-by: Imre Deak Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20200504075828.20348-1-imre.deak@intel.com (cherry picked from commit 054318c7e35f1d7d06b216143fff5f32405047ee) Signed-off-by: Rodrigo Vivi commit 5b4dcd2d201a395ad4054067bfae4a07554fbd65 Author: Masami Hiramatsu Date: Sat Apr 25 14:49:26 2020 +0900 tracing/kprobes: Reject new event if loc is NULL Reject the new event which has NULL location for kprobes. For kprobes, user must specify at least the location. Link: http://lkml.kernel.org/r/158779376597.6082.1411212055469099461.stgit@devnote2 Cc: Tom Zanussi Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: 2a588dd1d5d6 ("tracing: Add kprobe event command generation functions") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit da0f1f4167e3af69e1d8b32d6d65195ddd2bfb64 Author: Masami Hiramatsu Date: Sat Apr 25 14:49:17 2020 +0900 tracing/boottime: Fix kprobe event API usage Fix boottime kprobe events to use API correctly for multiple events. For example, when we set a multiprobe kprobe events in bootconfig like below, ftrace.event.kprobes.myevent { probes = "vfs_read $arg1 $arg2", "vfs_write $arg1 $arg2" } This cause an error; trace_boot: Failed to add probe: p:kprobes/myevent (null) vfs_read $arg1 $arg2 vfs_write $arg1 $arg2 This shows the 1st argument becomes NULL and multiprobes are merged to 1 probe. Link: http://lkml.kernel.org/r/158779375766.6082.201939936008972838.stgit@devnote2 Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: 29a154810546 ("tracing: Change trace_boot to use kprobe_event interface") Reviewed-by: Tom Zanussi Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit dcbd21c9fca5e954fd4e3d91884907eb6d47187e Author: Masami Hiramatsu Date: Sat Apr 25 14:49:09 2020 +0900 tracing/kprobes: Fix a double initialization typo Fix a typo that resulted in an unnecessary double initialization to addr. Link: http://lkml.kernel.org/r/158779374968.6082.2337484008464939919.stgit@devnote2 Cc: Tom Zanussi Cc: Ingo Molnar Cc: stable@vger.kernel.org Fixes: c7411a1a126f ("tracing/kprobe: Check whether the non-suffixed symbol is notrace") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit de462e5f10718517bacf2f84c8aa2804567ef7df Author: Masami Hiramatsu Date: Sun Apr 26 15:53:30 2020 +0900 bootconfig: Fix to remove bootconfig data from initrd while boot If there is a bootconfig data in the tail of initrd/initramfs, initrd image sanity check caused an error while decompression stage as follows. [ 0.883882] Unpacking initramfs... [ 2.696429] Initramfs unpacking failed: invalid magic at start of compressed archive This error will be ignored if CONFIG_BLK_DEV_RAM=n, but CONFIG_BLK_DEV_RAM=y the kernel failed to mount rootfs and causes a panic. To fix this issue, shrink down the initrd_end for removing tailing bootconfig data while boot the kernel. Link: http://lkml.kernel.org/r/158788401014.24243.17424755854115077915.stgit@devnote2 Cc: Borislav Petkov Cc: Kees Cook Cc: Ingo Molnar Cc: Andrew Morton Cc: stable@vger.kernel.org Fixes: 7684b8582c24 ("bootconfig: Load boot config from the tail of initrd") Signed-off-by: Masami Hiramatsu Signed-off-by: Steven Rostedt (VMware) commit 2673cb6849722a4ffd74c27a9200a9ec43f64be3 Merge: 495907ec36de 5615e74f48dc Author: Paolo Bonzini Date: Wed May 6 08:09:17 2020 -0400 Merge tag 'kvm-s390-master-5.7-3' of git://git.kernel.org/pub/scm/linux/kernel/git/kvms390/linux into HEAD KVM: s390: Fix for running nested uner z/VM There are circumstances when running nested under z/VM that would trigger a WARN_ON_ONCE. Remove the WARN_ON_ONCE. Long term we certainly want to make this code more robust and flexible, but just returning instead of WARNING makes guest bootable again. commit 495907ec36def1d28a44e2d1b5a51affe716aacf Author: Peter Xu Date: Tue May 5 11:47:50 2020 -0400 KVM: X86: Declare KVM_CAP_SET_GUEST_DEBUG properly KVM_CAP_SET_GUEST_DEBUG should be supported for x86 however it's not declared as supported. My wild guess is that userspaces like QEMU are using "#ifdef KVM_CAP_SET_GUEST_DEBUG" to check for the capability instead, but that could be wrong because the compilation host may not be the runtime host. The userspace might still want to keep the old "#ifdef" though to not break the guest debug on old kernels. Signed-off-by: Peter Xu Message-Id: <20200505154750.126300-1-peterx@redhat.com> [Do the same for PPC and s390. - Paolo] Signed-off-by: Paolo Bonzini commit 8ffdaf9155ebe517cdec5edbcca19ba6e7ee9c3c Author: Peter Xu Date: Mon May 4 18:06:07 2020 -0400 KVM: selftests: Fix build for evmcs.h I got this error when building kvm selftests: /usr/bin/ld: /home/xz/git/linux/tools/testing/selftests/kvm/libkvm.a(vmx.o):/home/xz/git/linux/tools/testing/selftests/kvm/include/evmcs.h:222: multiple definition of `current_evmcs'; /tmp/cco1G48P.o:/home/xz/git/linux/tools/testing/selftests/kvm/include/evmcs.h:222: first defined here /usr/bin/ld: /home/xz/git/linux/tools/testing/selftests/kvm/libkvm.a(vmx.o):/home/xz/git/linux/tools/testing/selftests/kvm/include/evmcs.h:223: multiple definition of `current_vp_assist'; /tmp/cco1G48P.o:/home/xz/git/linux/tools/testing/selftests/kvm/include/evmcs.h:223: first defined here I think it's because evmcs.h is included both in a test file and a lib file so the structs have multiple declarations when linking. After all it's not a good habit to declare structs in the header files. Cc: Vitaly Kuznetsov Signed-off-by: Peter Xu Message-Id: <20200504220607.99627-1-peterx@redhat.com> Signed-off-by: Paolo Bonzini commit 139f7425fdf54f054463e7524b9f54c41af8407f Author: Paolo Bonzini Date: Tue May 5 09:40:46 2020 -0400 kvm: x86: Use KVM CPU capabilities to determine CR4 reserved bits Using CPUID data can be useful for the processor compatibility check, but that's it. Using it to compute guest-reserved bits can have both false positives (such as LA57 and UMIP which we are already handling) and false negatives: in particular, with this patch we don't allow anymore a KVM guest to set CR4.PKE when CR4.PKE is clear on the host. Fixes: b9dd21e104bc ("KVM: x86: simplify handling of PKRU") Reported-by: Jim Mattson Tested-by: Jim Mattson Signed-off-by: Paolo Bonzini commit c7cb2d650c9e78c03bd2d1c0db89891825f8c0f4 Author: Sean Christopherson Date: Tue May 5 20:53:55 2020 -0700 KVM: VMX: Explicitly clear RFLAGS.CF and RFLAGS.ZF in VM-Exit RSB path Clear CF and ZF in the VM-Exit path after doing __FILL_RETURN_BUFFER so that KVM doesn't interpret clobbered RFLAGS as a VM-Fail. Filling the RSB has always clobbered RFLAGS, its current incarnation just happens clear CF and ZF in the processs. Relying on the macro to clear CF and ZF is extremely fragile, e.g. commit 089dd8e53126e ("x86/speculation: Change FILL_RETURN_BUFFER to work with objtool") tweaks the loop such that the ZF flag is always set. Reported-by: Qian Cai Cc: Rick Edgecombe Cc: Peter Zijlstra (Intel) Cc: Josh Poimboeuf Cc: stable@vger.kernel.org Fixes: f2fde6a5bcfcf ("KVM: VMX: Move RSB stuffing to before the first RET after VM-Exit") Signed-off-by: Sean Christopherson Message-Id: <20200506035355.2242-1-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini commit 27abe57770ff1c4c23a60993816f02657ba94bd1 Author: Kashyap Chamarthy Date: Tue May 5 13:28:39 2020 +0200 docs/virt/kvm: Document configuring and running nested guests This is a rewrite of this[1] Wiki page with further enhancements. The doc also includes a section on debugging problems in nested environments, among other improvements. [1] https://www.linux-kvm.org/page/Nested_Guests Signed-off-by: Kashyap Chamarthy Message-Id: <20200505112839.30534-1-kchamart@redhat.com> Signed-off-by: Paolo Bonzini commit 9747070c11d6ae021ed7a8e96e2950ed46cd53a9 Author: Hans de Goede Date: Tue May 5 19:06:32 2020 -0700 Input: axp20x-pek - always register interrupt handlers On some X86 devices we do not register an input-device, because the power-button is also handled by the soc_button_array (GPIO) input driver, and we want to avoid reporting power-button presses to userspace twice. Sofar when we did this we also did not register our interrupt handlers, since those were only necessary to report input events. But on at least 2 device models the Medion Akoya E1239T and the GPD win, the GPIO pin used by the soc_button_array driver for the power-button cannot wakeup the system from suspend. Why this does not work is not clear, I've tried comparing the value of all relevant registers on the Cherry Trail SoC, with those from models where this does work. I've checked: PMC registers: FUNC_DIS, FUNC_DIS2, SOIX_WAKE_EN, D3_STS_0, D3_STS_1, D3_STDBY_STS_0, D3_STDBY_STS_1; PMC ACPI I/O regs: PM1_STS_EN, GPE0a_EN and they all have identical contents in the working and non working cases. I suspect that the firmware either sets some unknown register to a value causing this, or that it turns off a power-plane which is necessary for GPIO wakeups to work during suspend. What does work on the Medion Akoya E1239T is letting the AXP288 wakeup the system on a power-button press (the GPD win has a different PMIC). Move the registering of the power-button press/release interrupt-handler from axp20x_pek_probe_input_device() to axp20x_pek_probe() so that the PMIC will wakeup the system on a power-button press, even if we do not register an input device. Signed-off-by: Hans de Goede Acked-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20200426155757.297087-1-hdegoede@redhat.com Signed-off-by: Dmitry Torokhov commit 18f423748b986c00216b6574c931d3d7581b393f Author: Wolfram Sang Date: Tue May 5 17:11:02 2020 -0700 Input: lm8333 - update contact email The 'pengutronix' address is defunct for years. Use the proper contact address. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20200502142639.18925-1-wsa@kernel.org Signed-off-by: Dmitry Torokhov commit 73cb8e2a5863ccc5215660f5123db621bd57dff7 Author: Atish Patra Date: Sun May 3 21:03:19 2020 -0700 RISC-V: Remove unused code from STRICT_KERNEL_RWX This patch removes the unused functions set_kernel_text_rw/ro. Currently, it is not being invoked from anywhere and no other architecture (except arm) uses this code. Even in ARM, these functions are not invoked from anywhere currently. Fixes: d27c3c90817e ("riscv: add STRICT_KERNEL_RWX support") Signed-off-by: Atish Patra Reviewed-by: Zong Li Signed-off-by: Palmer Dabbelt commit dc56c5acd8505e1e7f776d62650f3850ad2ce8e7 Merge: 47cf1b422e60 f8a31eca47be Author: Linus Torvalds Date: Tue May 5 16:29:03 2020 -0700 Merge tag 'platform-drivers-x86-v5.7-2' of git://git.infradead.org/linux-platform-drivers-x86 Pull x86 platform driver fixes from Andy Shevchenko: - Avoid loading asus-nb-wmi module on selected laptop models - Fix S0ix debug support for Jasper Lake PMC - Few fixes which have been reported by Hulk bot and others * tag 'platform-drivers-x86-v5.7-2' of git://git.infradead.org/linux-platform-drivers-x86: platform/x86: thinkpad_acpi: Remove always false 'value < 0' statement platform/x86: intel_pmc_core: avoid unused-function warnings platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA platform/x86: intel_pmc_core: Change Jasper Lake S0ix debug reg map back to ICL platform/x86/intel-uncore-freq: make uncore_root_kobj static platform/x86: wmi: Make two functions static platform/x86: surface3_power: Fix a NULL vs IS_ERR() check in probe commit 81aabbb9fb7b4b1efd073b62f0505d3adad442f3 Author: John Fastabend Date: Mon May 4 10:21:44 2020 -0700 bpf, sockmap: bpf_tcp_ingress needs to subtract bytes from sg.size In bpf_tcp_ingress we used apply_bytes to subtract bytes from sg.size which is used to track total bytes in a message. But this is not correct because apply_bytes is itself modified in the main loop doing the mem_charge. Then at the end of this we have sg.size incorrectly set and out of sync with actual sk values. Then we can get a splat if we try to cork the data later and again try to redirect the msg to ingress. To fix instead of trying to track msg.size do the easy thing and include it as part of the sk_msg_xfer logic so that when the msg is moved the sg.size is always correct. To reproduce the below users will need ingress + cork and hit an error path that will then try to 'free' the skmsg. [ 173.699981] BUG: KASAN: null-ptr-deref in sk_msg_free_elem+0xdd/0x120 [ 173.699987] Read of size 8 at addr 0000000000000008 by task test_sockmap/5317 [ 173.700000] CPU: 2 PID: 5317 Comm: test_sockmap Tainted: G I 5.7.0-rc1+ #43 [ 173.700005] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019 [ 173.700009] Call Trace: [ 173.700021] dump_stack+0x8e/0xcb [ 173.700029] ? sk_msg_free_elem+0xdd/0x120 [ 173.700034] ? sk_msg_free_elem+0xdd/0x120 [ 173.700042] __kasan_report+0x102/0x15f [ 173.700052] ? sk_msg_free_elem+0xdd/0x120 [ 173.700060] kasan_report+0x32/0x50 [ 173.700070] sk_msg_free_elem+0xdd/0x120 [ 173.700080] __sk_msg_free+0x87/0x150 [ 173.700094] tcp_bpf_send_verdict+0x179/0x4f0 [ 173.700109] tcp_bpf_sendpage+0x3ce/0x5d0 Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/158861290407.14306.5327773422227552482.stgit@john-Precision-5820-Tower commit 3e104c23816220919ea1b3fd93fabe363c67c484 Author: John Fastabend Date: Mon May 4 10:21:23 2020 -0700 bpf, sockmap: msg_pop_data can incorrecty set an sge length When sk_msg_pop() is called where the pop operation is working on the end of a sge element and there is no additional trailing data and there _is_ data in front of pop, like the following case, |____________a_____________|__pop__| We have out of order operations where we incorrectly set the pop variable so that instead of zero'ing pop we incorrectly leave it untouched, effectively. This can cause later logic to shift the buffers around believing it should pop extra space. The result is we have 'popped' more data then we expected potentially breaking program logic. It took us a while to hit this case because typically we pop headers which seem to rarely be at the end of a scatterlist elements but we can't rely on this. Fixes: 7246d8ed4dcce ("bpf: helper to pop data from messages") Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/158861288359.14306.7654891716919968144.stgit@john-Precision-5820-Tower commit 38212bb31fe923d0a2c6299bd2adfbb84cddef2a Author: Roman Mashak Date: Fri May 1 21:34:18 2020 -0400 neigh: send protocol value in neighbor create notification When a new neighbor entry has been added, event is generated but it does not include protocol, because its value is assigned after the event notification routine has run, so move protocol assignment code earlier. Fixes: df9b0e30d44c ("neighbor: Add protocol attribute") Cc: David Ahern Signed-off-by: Roman Mashak Reviewed-by: David Ahern Signed-off-by: David S. Miller commit e6142dd511425cb827b5db869f489eb81f5f994d Author: Aurabindo Pillai Date: Wed Apr 22 14:37:33 2020 -0400 drm/amd/display: Prevent dpcd reads with passive dongles [why] During hotplug, a DP port may be connected to the sink through passive adapter which does not support DPCD reads. Issuing reads without checking for this condition will result in errors [how] Ensure the link is in aux_mode before initiating operation that result in a DPCD read. Signed-off-by: Aurabindo Pillai Reviewed-by: Harry Wentland Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher commit 80797dd6f1a525d1160c463d6a9f9d29af182cbb Author: Roman Li Date: Wed Feb 26 17:30:29 2020 -0500 drm/amd/display: fix counter in wait_for_no_pipes_pending [Why] Wait counter is not being reset for each pipe. [How] Move counter reset into pipe loop scope. Signed-off-by: Roman Li Reviewed-by: Zhan Liu Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher commit b95e51eb9f2ee7b6d6c3203a2f75122349aa77be Author: Sung Lee Date: Mon Apr 20 11:38:30 2020 -0400 drm/amd/display: Update DCN2.1 DV Code Revision [WHY & HOW] There is a problem in hscale_pixel_rate, the bug causes DCN to be more optimistic (more likely to underflow) in upscale cases during prefetch. This commit ports the fix from DV code to address these issues. Signed-off-by: Sung Lee Reviewed-by: Dmytro Laktyushkin Acked-by: Aurabindo Pillai Signed-off-by: Alex Deucher commit 7f13657d141346125f4d0bb93eab4777f40c406e Author: Xiaoguang Wang Date: Tue May 5 16:28:53 2020 +0800 io_uring: handle -EFAULT properly in io_uring_setup() If copy_to_user() in io_uring_setup() failed, we'll leak many kernel resources, which will be recycled until process terminates. This bug can be reproduced by using mprotect to set params to PROT_READ. To fix this issue, refactor io_uring_create() a bit to add a new 'struct io_uring_params __user *params' parameter and move the copy_to_user() in io_uring_setup() to io_uring_setup(), if copy_to_user() failed, we can free kernel resource properly. Suggested-by: Jens Axboe Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe commit 24661081ba00b69a0d77b15d2a194cb172894956 Author: Linus Walleij Date: Thu Apr 16 10:13:48 2020 +0200 clk: impd1: Look up clock-output-names The IM-PD1 still need to pass the clock output names. Signed-off-by: Linus Walleij Link: https://lkml.kernel.org/r/20200416081348.326833-1-linus.walleij@linaro.org Fixes: 84655b762a27 ("clk: versatile: Add device tree probing for IM-PD1 clocks") Signed-off-by: Stephen Boyd commit 018d4671b9bbd4a5c55cf6eab3e1dbc70a50b66e Author: Marc Zyngier Date: Tue May 5 15:09:53 2020 +0100 clk: Unlink clock if failed to prepare or enable On failing to prepare or enable a clock, remove the core structure from the list it has been inserted as it is about to be freed. This otherwise leads to random crashes when subsequent clocks get registered, during which parsing of the clock tree becomes adventurous. Observed with QEMU's RPi-3 emulation. Fixes: 12ead77432f2 ("clk: Don't try to enable critical clocks if prepare failed") Signed-off-by: Marc Zyngier Cc: Guenter Roeck Cc: Stephen Boyd Cc: Michael Turquette Link: https://lkml.kernel.org/r/20200505140953.409430-1-maz@kernel.org Signed-off-by: Stephen Boyd commit 755f5738ff981769211a0bfac709d514ef5b9f86 Author: Dejin Zheng Date: Tue May 5 10:03:29 2020 +0800 net: broadcom: fix a mistake about ioremap resource Commit d7a5502b0bb8b ("net: broadcom: convert to devm_platform_ioremap_resource_byname()") will broke this driver. idm_base and nicpm_base were optional, after this change, they are mandatory. it will probe fails with -22 when the dtb doesn't have them defined. so revert part of this commit and make idm_base and nicpm_base as optional. Fixes: d7a5502b0bb8bde ("net: broadcom: convert to devm_platform_ioremap_resource_byname()") Reported-by: Jonathan Richardson Cc: Scott Branden Cc: Ray Jui Cc: Florian Fainelli Cc: David S. Miller Signed-off-by: Dejin Zheng Acked-by: Florian Fainelli Signed-off-by: David S. Miller commit 5fe89a6acd668cbd1817fcdef5caa9fee568c2e8 Author: Sean Paul Date: Tue Apr 14 15:02:55 2020 -0400 drm: Fix HDCP failures when SRM fw is missing The SRM cleanup in 79643fddd6eb2 ("drm/hdcp: optimizing the srm handling") inadvertently altered the behavior of HDCP auth when the SRM firmware is missing. Before that patch, missing SRM was interpreted as the device having no revoked keys. With that patch, if the SRM fw file is missing we reject _all_ keys. This patch fixes that regression by returning success if the file cannot be found. It also checks the return value from request_srm such that we won't end up trying to parse the ksv list if there is an error fetching it. Fixes: 79643fddd6eb ("drm/hdcp: optimizing the srm handling") Cc: stable@vger.kernel.org Cc: Ramalingam C Cc: Sean Paul Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Reviewed-by: Ramalingam C Signed-off-by: Sean Paul Link: https://patchwork.freedesktop.org/patch/msgid/20200414190258.38873-1-sean@poorly.run Changes in v2: -Noticed a couple other things to clean up Reviewed-by: Ramalingam C commit 738b150ecefbffb6e55cfa8a3b66a844f777d8fb Author: Tony Lindgren Date: Thu Apr 30 09:52:33 2020 -0700 ARM: dts: omap4-droid4: Fix occasional lost wakeirq for uart1 Looks like using the UART CTS pin does not always trigger for a wake-up when the SoC is idle. This is probably because the modem first uses gpio_149 to signal the SoC that data will be sent, and the CTS will only get used later when the data transfer is starting. Let's fix the issue by configuring the gpio_149 pad as the wakeirq for UART. We have gpio_149 managed by the USB PHY for powering up the right USB mode, and after that, the gpio gets recycled as the modem wake-up pin. If needeed, the USB PHY can also later on be configured to use gpio_149 pad as the wakeirq as a shared irq. Let's also configure the missing properties for uart-has-rtscts and current-speed for the modem port while at it. We already configure the hardware flow control pins with uart1_pins pinctrl setting. Cc: maemo-leste@lists.dyne.org Cc: Merlijn Wajer Cc: Pavel Machek Cc: Sebastian Reichel Signed-off-by: Tony Lindgren commit 30fa60c678eaa27b8f2a531920d77f7184658f73 Author: Tony Lindgren Date: Sat Apr 18 10:52:48 2020 -0700 ARM: dts: omap4-droid4: Fix flakey wlan by disabling internal pull for gpio The wlan on droid4 is flakey on some devices, and experiments have shown this gets fixed if we disable the internal pull for wlan gpio interrupt line. The symptoms are that the wlan connection is very slow and almost useless with lots of wlcore firmware reboot warnings in the dmesg. In addition to configuring the wlan gpio pulls, let's also configure the rest of the wlan sd pins. We have not configured those eariler as we're booting using kexec. Signed-off-by: Tony Lindgren commit 333830aa149a87cabeb5d30fbcf12eecc8040d2c Author: Takashi Iwai Date: Wed Apr 29 15:56:54 2020 +0200 gpio: exar: Fix bad handling for ida_simple_get error path The commit 7ecced0934e5 ("gpio: exar: add a check for the return value of ida_simple_get fails") added a goto jump to the common error handler for ida_simple_get() error, but this is wrong in two ways: it doesn't set the proper return code and, more badly, it invokes ida_simple_remove() with a negative index that shall lead to a kernel panic via BUG_ON(). This patch addresses those two issues. Fixes: 7ecced0934e5 ("gpio: exar: add a check for the return value of ida_simple_get fails") Cc: Signed-off-by: Takashi Iwai Signed-off-by: Bartosz Golaszewski commit 0b80f9866e6bbfb905140ed8787ff2af03652c0c Author: Tejun Heo Date: Mon May 4 19:27:54 2020 -0400 iocost: protect iocg->abs_vdebt with iocg->waitq.lock abs_vdebt is an atomic_64 which tracks how much over budget a given cgroup is and controls the activation of use_delay mechanism. Once a cgroup goes over budget from forced IOs, it has to pay it back with its future budget. The progress guarantee on debt paying comes from the iocg being active - active iocgs are processed by the periodic timer, which ensures that as time passes the debts dissipate and the iocg returns to normal operation. However, both iocg activation and vdebt handling are asynchronous and a sequence like the following may happen. 1. The iocg is in the process of being deactivated by the periodic timer. 2. A bio enters ioc_rqos_throttle(), calls iocg_activate() which returns without anything because it still sees that the iocg is already active. 3. The iocg is deactivated. 4. The bio from #2 is over budget but needs to be forced. It increases abs_vdebt and goes over the threshold and enables use_delay. 5. IO control is enabled for the iocg's subtree and now IOs are attributed to the descendant cgroups and the iocg itself no longer issues IOs. This leaves the iocg with stuck abs_vdebt - it has debt but inactive and no further IOs which can activate it. This can end up unduly punishing all the descendants cgroups. The usual throttling path has the same issue - the iocg must be active while throttled to ensure that future event will wake it up - and solves the problem by synchronizing the throttling path with a spinlock. abs_vdebt handling is another form of overage handling and shares a lot of characteristics including the fact that it isn't in the hottest path. This patch fixes the above and other possible races by strictly synchronizing abs_vdebt and use_delay handling with iocg->waitq.lock. Signed-off-by: Tejun Heo Reported-by: Vlad Dmitriev Cc: stable@vger.kernel.org # v5.4+ Fixes: e1518f63f246 ("blk-iocost: Don't let merges push vtime into the future") Signed-off-by: Jens Axboe commit f0e1d3ac2d7c16a5d2c9d67f5a61133db7681af8 Author: Jeffrey Hugo Date: Fri May 1 00:35:55 2020 +0530 bus: mhi: core: Fix channel device name conflict When multiple instances of the same MHI product are present in a system, we can see a splat from mhi_create_devices() - "sysfs: cannot create duplicate filename". This is because the device names assigned to the MHI channel devices are non-unique. They consist of the channel's name, and the channel's pipe id. For identical products, each instance is going to have the same set of channel (both in name and pipe id). To fix this, we prepend the device name of the parent device that the MHI channels belong to. Since different instances of the same product should have unique device names, this makes the MHI channel devices for each product also unique. Additionally, remove the pipe id from the MHI channel device name. This is an internal detail to the MHI product that provides little value, and imposes too much device specific internal details to userspace. It is expected that channel with a specific name (ie "SAHARA") has a specific client, and it does not matter what pipe id that channel is enumerated on. The pipe id is an internal detail between the MHI bus, and the hardware. The client is not expected to make decisions based on the pipe id, and to do so would require the client to have intimate knowledge of the hardware, which is inappropiate as it may violate the layering provided by the MHI bus. The limitation of doing this is that each product may only have one instance of a channel by a unique name. This limitation is appropriate given the usecases of MHI channels. Signed-off-by: Jeffrey Hugo Reviewed-by: Hemant Kumar Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-7-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit af2e58818082ac0db29539444ca17eb1e77f6000 Author: Jeffrey Hugo Date: Fri May 1 00:35:54 2020 +0530 bus: mhi: core: Fix typo in comment There is a typo - "runtimet" should be "runtime". Fix it. Signed-off-by: Jeffrey Hugo Reviewed-by: Hemant Kumar Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-6-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit 45723a44845c90c8e859fd0e2b0bb492322b5d0b Author: Jeffrey Hugo Date: Fri May 1 00:35:53 2020 +0530 bus: mhi: core: Offload register accesses to the controller When reading or writing MHI registers, the core assumes that the physical link is a memory mapped PCI link. This assumption may not hold for all MHI devices. The controller knows what is the physical link (ie PCI, I2C, SPI, etc), and therefore knows the proper methods to access that link. The controller can also handle link specific error scenarios, such as reading -1 when the PCI link went down. Therefore, it is appropriate that the MHI core requests the controller to make register accesses on behalf of the core, which abstracts the core from link specifics, and end up removing an unnecessary assumption. Signed-off-by: Jeffrey Hugo Reviewed-by: Hemant Kumar Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-5-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit 85a087df4a719ebab940efa3c79625e68161f57b Author: Jeffrey Hugo Date: Fri May 1 00:35:52 2020 +0530 bus: mhi: core: Remove link_status() callback If the MHI core detects invalid data due to a PCI read, it calls into the controller via link_status() to double check that the link is infact down. All in all, this is pretty pointless, and racy. There are no good reasons for this, and only drawbacks. Its pointless because chances are, the controller is going to do the same thing to determine if the link is down - attempt a PCI access and compare the result. This does not make the link status decision any smarter. Its racy because its possible that the link was down at the time of the MHI core access, but then recovered before the controller access. In this case, the controller will indicate the link is not down, and the MHI core will precede to use a bad value as the MHI core does not attempt to retry the access. Retrying the access in the MHI core is a bad idea because again, it is racy - what if the link is down again? Furthermore, there may be some higher level state associated with the link status, that is now invalid because the link went down. The only reason why the MHI core could see "invalid" data when doing a PCI access, that is actually valid, is if the register actually contained the PCI spec defined sentinel for an invalid access. In this case, it is arguable that the MHI implementation broken, and should be fixed, not worked around. Therefore, remove the link_status() callback before anyone attempts to implement it. Signed-off-by: Jeffrey Hugo Reviewed-by: Manivannan Sadhasivam Reviewed-by: Hemant Kumar Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-4-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit ce312258084ea0c828e11c831c7b9e8b42b02ef8 Author: Jeffrey Hugo Date: Fri May 1 00:35:51 2020 +0530 bus: mhi: core: Make sure to powerdown if mhi_sync_power_up fails Powerdown is necessary if mhi_sync_power_up fails due to a timeout, to clean up the resources. Otherwise a BUG could be triggered when attempting to clean up MSIs because the IRQ is still active from a request_irq(). Signed-off-by: Jeffrey Hugo Reviewed-by: Hemant Kumar Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-3-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit 115f32512f13c0280161908e9de45a97a87673bb Author: Manivannan Sadhasivam Date: Fri May 1 00:35:50 2020 +0530 bus: mhi: Fix parsing of mhi_flags With the current parsing of mhi_flags, the following statement always return false: eob = !!(flags & MHI_EOB); This is due to the fact that 'enum mhi_flags' starts with index 0 and we are using direct AND operation to extract each bit. Fix this by using BIT() macros for defining the flags so that the reset of the code need not be touched. Fixes: 189ff97cca53 ("bus: mhi: core: Add support for data transfer") Reported-by: Dan Carpenter Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20200430190555.32741-2-manivannan.sadhasivam@linaro.org Signed-off-by: Greg Kroah-Hartman commit d76bc8200f9cf8b6746e66b37317ba477eda25c4 Author: Tomas Winkler Date: Wed Apr 29 00:12:00 2020 +0300 mei: me: disable mei interface on LBG servers. Disable the MEI driver on LBG SPS (server) platforms, some corner flows such as recovery mode does not work, and the driver doesn't have working use cases. Cc: Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20200428211200.12200-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 2f5a55c52c00fcded796db5f961057ba3fec8910 Author: Wolfram Sang Date: Sat May 2 14:18:35 2020 +0200 i2c: use my kernel.org address from now on The old email is still active, but for easier handling, I am going to use my kernel.org address from now on. Also, add a mailmap for the now defunct Pengutronix address. Signed-off-by: Wolfram Sang commit 3c3dd56f760da056e821ac177e3ad0de4209a435 Author: Alain Volmat Date: Thu Apr 30 17:43:21 2020 +0200 i2c: fix missing pm_runtime_put_sync in i2c_device_probe In case of the I2C client exposes the flag I2C_CLIENT_HOST_NOTIFY, pm_runtime_get_sync is called in order to always keep active the adapter. However later on, pm_runtime_put_sync is never called within the function in case of an error. This commit add this error handling. Fixes: 72bfcee11cf8 ("i2c: Prevent runtime suspend of adapter when Host Notify is required") Signed-off-by: Alain Volmat Reviewed-by: Jarkko Nikula Signed-off-by: Wolfram Sang commit 119b2b2c3e256f4bcff7439acc25ac1e9f1aaa4e Author: Joerg Roedel Date: Mon May 4 14:54:13 2020 +0200 iommu/amd: Do not flush Device Table in iommu_map_page() The flush of the Device Table Entries for the domain has already happened in increase_address_space(), if necessary. Do no flush them again in iommu_map_page(). Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-6-joro@8bytes.org Signed-off-by: Joerg Roedel commit 19c6978fba68a2cdedee7d55fb8c3063d47982d9 Author: Joerg Roedel Date: Mon May 4 14:54:12 2020 +0200 iommu/amd: Update Device Table in increase_address_space() The Device Table needs to be updated before the new page-table root can be published in domain->pt_root. Otherwise a concurrent call to fetch_pte might fetch a PTE which is not reachable through the Device Table Entry. Fixes: 92d420ec028d ("iommu/amd: Relax locking in dma_ops path") Reported-by: Qian Cai Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-5-joro@8bytes.org Signed-off-by: Joerg Roedel commit f44a4d7e4f1cdef73c90b1dc749c4d8a7372a8eb Author: Joerg Roedel Date: Mon May 4 14:54:11 2020 +0200 iommu/amd: Call domain_flush_complete() in update_domain() The update_domain() function is expected to also inform the hardware about domain changes. This needs a COMPLETION_WAIT command to be sent to all IOMMUs which use the domain. Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-4-joro@8bytes.org Signed-off-by: Joerg Roedel commit 5b8a9a047b6cad361405c7900c1e1cdd378c4589 Author: Joerg Roedel Date: Mon May 4 14:54:10 2020 +0200 iommu/amd: Do not loop forever when trying to increase address space When increase_address_space() fails to allocate memory, alloc_pte() will call it again until it succeeds. Do not loop forever while trying to increase the address space and just return an error instead. Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-3-joro@8bytes.org Signed-off-by: Joerg Roedel commit eb791aa70b90c559eeb371d807c8813d569393f0 Author: Joerg Roedel Date: Mon May 4 14:54:09 2020 +0200 iommu/amd: Fix race in increase_address_space()/fetch_pte() The 'pt_root' and 'mode' struct members of 'struct protection_domain' need to be get/set atomically, otherwise the page-table of the domain can get corrupted. Merge the fields into one atomic64_t struct member which can be get/set atomically. Fixes: 92d420ec028d ("iommu/amd: Relax locking in dma_ops path") Reported-by: Qian Cai Signed-off-by: Joerg Roedel Tested-by: Qian Cai Link: https://lore.kernel.org/r/20200504125413.16798-2-joro@8bytes.org Signed-off-by: Joerg Roedel commit f8a31eca47bec197f5ec5dc40ad675450c2058a5 Author: Xiongfeng Wang Date: Wed Apr 29 16:59:40 2020 +0800 platform/x86: thinkpad_acpi: Remove always false 'value < 0' statement Since 'value' is declared as unsigned long, the following statement is always false. value < 0 So let's remove it. Reported-by: Hulk Robot Signed-off-by: Xiongfeng Wang Signed-off-by: Andy Shevchenko commit 01f259f3720c3965443109d82a0f12611ea8bb58 Author: Arnd Bergmann Date: Tue Apr 28 23:36:38 2020 +0200 platform/x86: intel_pmc_core: avoid unused-function warnings When both CONFIG_DEBUG_FS and CONFIG_PM_SLEEP are disabled, the functions that got moved out of the #ifdef section now cause a warning: drivers/platform/x86/intel_pmc_core.c:654:13: error: 'pmc_core_lpm_display' defined but not used [-Werror=unused-function] 654 | static void pmc_core_lpm_display(struct pmc_dev *pmcdev, struct device *dev, | ^~~~~~~~~~~~~~~~~~~~ drivers/platform/x86/intel_pmc_core.c:617:13: error: 'pmc_core_slps0_display' defined but not used [-Werror=unused-function] 617 | static void pmc_core_slps0_display(struct pmc_dev *pmcdev, struct device *dev, | ^~~~~~~~~~~~~~~~~~~~~~ Rather than add even more #ifdefs here, remove them entirely and let the compiler work it out, it can actually get rid of all the debugfs calls without problems as long as the struct member is there. The two PM functions just need a __maybe_unused annotations to avoid another warning instead of the #ifdef. Fixes: aae43c2bcdc1 ("platform/x86: intel_pmc_core: Relocate pmc_core_*_display() to outside of CONFIG_DEBUG_FS") Signed-off-by: Arnd Bergmann Signed-off-by: Andy Shevchenko commit 3bd12da7f50b8bc191fcb3bab1f55c582234df59 Author: Hans de Goede Date: Thu Apr 23 00:05:59 2020 +0200 platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA asus-nb-wmi does not add any extra functionality on these Asus Transformer books. They have detachable keyboards, so the hotkeys are send through a HID device (and handled by the hid-asus driver) and also the rfkill functionality is not used on these devices. Besides not adding any extra functionality, initializing the WMI interface on these devices actually has a negative side-effect. For some reason the \_SB.ATKD.INIT() function which asus_wmi_platform_init() calls drives GPO2 (INT33FC:02) pin 8, which is connected to the front facing webcam LED, high and there is no (WMI or other) interface to drive this low again causing the LED to be permanently on, even during suspend. This commit adds a blacklist of DMI system_ids on which not to load the asus-nb-wmi and adds these Transformer books to this list. This fixes the webcam LED being permanently on under Linux. Signed-off-by: Hans de Goede Signed-off-by: Andy Shevchenko commit e87fa339d413c540c065c280ba9e7cc9a8dbcfd1 Author: Archana Patni Date: Tue Apr 21 14:10:19 2020 +0530 platform/x86: intel_pmc_core: Change Jasper Lake S0ix debug reg map back to ICL Jasper Lake uses Icelake PCH IPs and the S0ix debug interfaces are same as Icelake. It uses SLP_S0_DBG register latch/read interface from Icelake generation. It doesn't use Tiger Lake LPM debug registers. Change the Jasper Lake S0ix debug interface to use the ICL reg map. Fixes: 16292bed9c56 ("platform/x86: intel_pmc_core: Add Atom based Jasper Lake (JSL) platform support") Signed-off-by: Archana Patni Acked-by: David E. Box Tested-by: Divagar Mohandass Signed-off-by: Andy Shevchenko commit 7990be48ef4d87163940d6c04c349c93f0bd9ae7 Author: Prashant Malani Date: Tue Apr 28 22:44:28 2020 -0700 usb: typec: mux: intel: Handle alt mode HPD_HIGH According to the PMC Type C Subsystem (TCSS) Mux programming guide rev 0.6, when a device is transitioning to DP Alternate Mode state, if the HPD_STATE (bit 7) field in the status update command VDO is set to HPD_HIGH, the HPD_HIGH field in the Alternate Mode request “mode_data” field (bit 14) should also be set. Ensure the bit is correctly handled while issuing the Alternate Mode request. Signed-off-by: Prashant Malani Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control") Acked-by: Heikki Krogerus Link: https://lore.kernel.org/r/20200429054432.134178-1-pmalani@chromium.org Signed-off-by: Greg Kroah-Hartman commit 2bef9aed6f0e22391c8d4570749b1acc9bc3981e Author: Jeremy Linton Date: Mon May 4 15:13:48 2020 -0500 usb: usbfs: correct kernel->user page attribute mismatch On some architectures (e.g. arm64) requests for IO coherent memory may use non-cachable attributes if the relevant device isn't cache coherent. If these pages are then remapped into userspace as cacheable, they may not be coherent with the non-cacheable mappings. In particular this happens with libusb, when it attempts to create zero-copy buffers for use by rtl-sdr (https://github.com/osmocom/rtl-sdr/). On low end arm devices with non-coherent USB ports, the application will be unexpectedly killed, while continuing to work fine on arm machines with coherent USB controllers. This bug has been discovered/reported a few times over the last few years. In the case of rtl-sdr a compile time option to enable/disable zero copy was implemented to work around it. Rather than relaying on application specific workarounds, dma_mmap_coherent() can be used instead of remap_pfn_range(). The page cache/etc attributes will then be correctly set in userspace to match the kernel mapping. Signed-off-by: Jeremy Linton Cc: stable Link: https://lore.kernel.org/r/20200504201348.1183246-1-jeremy.linton@arm.com Signed-off-by: Greg Kroah-Hartman commit e283f5e89f44a80ca536e4a12903c64e9e9a82e4 Author: Heikki Krogerus Date: Thu Apr 30 16:56:57 2020 +0300 usb: typec: intel_pmc_mux: Fix the property names The device property names for the port index number are "usb2-port-number" and "usb3-port-number", not "usb2-port" and "usb3-port". Fixes: 6701adfa9693 ("usb: typec: driver for Intel PMC mux control") Signed-off-by: Heikki Krogerus Link: https://lore.kernel.org/r/20200430135657.45169-1-heikki.krogerus@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ac854131d9844f79e2fdcef67a7707227538d78a Author: Alan Stern Date: Fri May 1 16:07:28 2020 -0400 USB: core: Fix misleading driver bug report The syzbot fuzzer found a race between URB submission to endpoint 0 and device reset. Namely, during the reset we call usb_ep0_reinit() because the characteristics of ep0 may have changed (if the reset follows a firmware update, for example). While usb_ep0_reinit() is running there is a brief period during which the pointers stored in udev->ep_in[0] and udev->ep_out[0] are set to NULL, and if an URB is submitted to ep0 during that period, usb_urb_ep_type_check() will report it as a driver bug. In the absence of those pointers, the routine thinks that the endpoint doesn't exist. The log message looks like this: ------------[ cut here ]------------ usb 2-1: BOGUS urb xfer, pipe 2 != type 2 WARNING: CPU: 0 PID: 9241 at drivers/usb/core/urb.c:478 usb_submit_urb+0x1188/0x1460 drivers/usb/core/urb.c:478 Now, although submitting an URB while the device is being reset is a questionable thing to do, it shouldn't count as a driver bug as severe as submitting an URB for an endpoint that doesn't exist. Indeed, endpoint 0 always exists, even while the device is in its unconfigured state. To prevent these misleading driver bug reports, this patch updates usb_disable_endpoint() to avoid clearing the ep_in[] and ep_out[] pointers when the endpoint being disabled is ep0. There's no danger of leaving a stale pointer in place, because the usb_host_endpoint structure being pointed to is stored permanently in udev->ep0; it doesn't get deallocated until the entire usb_device structure does. Reported-and-tested-by: syzbot+db339689b2101f6f6071@syzkaller.appspotmail.com Signed-off-by: Alan Stern Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2005011558590.903-100000@netrider.rowland.org Signed-off-by: Greg Kroah-Hartman commit 769acc3656d93aaacada814939743361d284fd87 Author: Oscar Carter Date: Fri May 1 17:51:18 2020 +0200 staging: gasket: Check the return value of gasket_get_bar_index() Check the return value of gasket_get_bar_index function as it can return a negative one (-EINVAL). If this happens, a negative index is used in the "gasket_dev->bar_data" array. Addresses-Coverity-ID: 1438542 ("Negative array index read") Fixes: 9a69f5087ccc2 ("drivers/staging: Gasket driver framework + Apex driver") Signed-off-by: Oscar Carter Cc: stable Reviewed-by: Richard Yeh Link: https://lore.kernel.org/r/20200501155118.13380-1-oscar.carter@gmx.com Signed-off-by: Greg Kroah-Hartman commit 3c5c0805ac925f2f8c68eeb1ba0f8a796a7b4525 Author: Wolfram Sang Date: Sat May 2 13:26:44 2020 +0200 staging: ks7010: remove me from CC list I lost interest in this driver years ago because I could't keep up with testing the incoming janitorial patches. So, drop me from CC. Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20200502112648.6942-1-wsa@the-dreams.de Signed-off-by: Greg Kroah-Hartman commit 5615e74f48dcc982655543e979b6c3f3f877e6f6 Author: Christian Borntraeger Date: Tue May 5 09:27:15 2020 +0200 KVM: s390: Remove false WARN_ON_ONCE for the PQAP instruction In LPAR we will only get an intercept for FC==3 for the PQAP instruction. Running nested under z/VM can result in other intercepts as well as ECA_APIE is an effective bit: If one hypervisor layer has turned this bit off, the end result will be that we will get intercepts for all function codes. Usually the first one will be a query like PQAP(QCI). So the WARN_ON_ONCE is not right. Let us simply remove it. Cc: Pierre Morel Cc: Tony Krowiak Cc: stable@vger.kernel.org # v5.3+ Fixes: e5282de93105 ("s390: ap: kvm: add PQAP interception for AQIC") Link: https://lore.kernel.org/kvm/20200505083515.2720-1-borntraeger@de.ibm.com Reported-by: Qian Cai Signed-off-by: Christian Borntraeger Reviewed-by: David Hildenbrand Reviewed-by: Cornelia Huck Signed-off-by: Christian Borntraeger commit 47cf1b422e6093aee2a3e55d5e162112a2c69870 Merge: 9851a0dee7c2 1e189f267015 Author: Linus Torvalds Date: Mon May 4 18:55:20 2020 -0700 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid Pull HID fixes from Jiri Kosina: - Wacom driver functional and regression fixes from Jason Gerecke - race condition fix in usbhid, found by syzbot and fixed by Alan Stern - a few device-specific quirks and ID additions * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid: HID: quirks: Add HID_QUIRK_NO_INIT_REPORTS quirk for Dell K12A keyboard-dock HID: mcp2221: add gpiolib dependency HID: i2c-hid: reset Synaptics SYNA2393 on resume HID: wacom: Report 2nd-gen Intuos Pro S center button status over BT HID: usbhid: Fix race between usbhid_close() and usbhid_stop() Revert "HID: wacom: generic: read the number of expected touches on a per collection basis" HID: alps: ALPS_1657 is too specific; use U1_UNICORN_LEGACY instead HID: alps: Add AUI1657 device ID HID: logitech: Add support for Logitech G11 extra keys HID: multitouch: add eGalaxTouch P80H84 support HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices commit d6d5161280b3d57163f5310f0a0007cdeb729984 Author: Zong Li Date: Mon May 4 11:54:48 2020 +0800 riscv: force __cpu_up_ variables to put in data section Put __cpu_up_stack_pointer and __cpu_up_task_pointer in data section. Currently, these two variables are put in bss section, there is a potential risk that secondary harts get the uninitialized value before main hart finishing the bss clearing. In this case, all secondary harts would pass the waiting loop and enable the MMU before main hart set up the page table. This issue happens on random booting of multiple harts, which means it will manifest for BBL and OpenSBI v0.6 (or older version). In OpenSBI v0.7 (or higher version), we have HSM extension so all the secondary harts are brought-up by Linux kernel in an orderly fashion. This means we don't need this change for OpenSBI v0.7 (or higher version). Signed-off-by: Zong Li Reviewed-by: Greentime Hu Reviewed-by: Anup Patel Reviewed-by: Atish Patra Signed-off-by: Palmer Dabbelt commit 0a9f2a6161dcd6be057f6c501453d28b3c4a3b0c Author: Andreas Schwab Date: Mon Apr 27 17:13:34 2020 +0200 riscv: add Linux note to vdso The Linux note in the vdso allows glibc to check the running kernel version without having to issue the uname syscall. Signed-off-by: Andreas Schwab Signed-off-by: Palmer Dabbelt commit c749bb2d554825e007cbc43b791f54e124dadfce Author: Vincent Chen Date: Mon Apr 27 14:59:24 2020 +0800 riscv: set max_pfn to the PFN of the last page The current max_pfn equals to zero. In this case, I found it caused users cannot get some page information through /proc such as kpagecount in v5.6 kernel because of new sanity checks. The following message is displayed by stress-ng test suite with the command "stress-ng --verbose --physpage 1 -t 1" on HiFive unleashed board. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [109] 4 processors online, 4 processors configured stress-ng: info: [109] dispatching hogs: 1 physpage stress-ng: debug: [109] cache allocate: reducing cache level from L3 (too high) to L0 stress-ng: debug: [109] get_cpu_cache: invalid cache_level: 0 stress-ng: info: [109] cache allocate: using built-in defaults as no suitable cache found stress-ng: debug: [109] cache allocate: default cache size: 2048K stress-ng: debug: [109] starting stressors stress-ng: debug: [109] 1 stressor spawned stress-ng: debug: [110] stress-ng-physpage: started [110] (instance 0) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd34de000 in /proc/kpagecount, errno=0 (Success) stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) ... stress-ng: error: [110] stress-ng-physpage: cannot read page count for address 0x3fd32db078 in /proc/kpagecount, errno=0 (Success) stress-ng: debug: [110] stress-ng-physpage: exited [110] (instance 0) stress-ng: debug: [109] process [110] terminated stress-ng: info: [109] successful run completed in 1.00s # After applying this patch, the kernel can pass the test. # stress-ng --verbose --physpage 1 -t 1 stress-ng: debug: [104] 4 processors online, 4 processors configured stress-ng: info: [104] dispatching hogs: 1 physpage stress-ng: info: [104] cache allocate: using defaults, can't determine cache details from sysfs stress-ng: debug: [104] cache allocate: default cache size: 2048K stress-ng: debug: [104] starting stressors stress-ng: debug: [104] 1 stressor spawned stress-ng: debug: [105] stress-ng-physpage: started [105] (instance 0) stress-ng: debug: [105] stress-ng-physpage: exited [105] (instance 0) stress-ng: debug: [104] process [105] terminated stress-ng: info: [104] successful run completed in 1.01s # Cc: stable@vger.kernel.org Signed-off-by: Vincent Chen Reviewed-by: Anup Patel Reviewed-by: Yash Shah Tested-by: Yash Shah Signed-off-by: Palmer Dabbelt commit a2da5b181f888b3cdb4727b6c60a8755cedce272 Author: Anup Patel Date: Fri Apr 24 10:29:28 2020 +0530 RISC-V: Remove N-extension related defines The RISC-V N-extension is still in draft state hence remove N-extension related defines from asm/csr.h. Signed-off-by: Anup Patel Signed-off-by: Palmer Dabbelt commit 6bcff51539ccae5431a01f60293419dbae21100f Author: Anup Patel Date: Fri Apr 24 10:29:27 2020 +0530 RISC-V: Add bitmap reprensenting ISA features common across CPUs This patch adds riscv_isa bitmap which represents Host ISA features common across all Host CPUs. The riscv_isa is not same as elf_hwcap because elf_hwcap will only have ISA features relevant for user-space apps whereas riscv_isa will have ISA features relevant to both kernel and user-space apps. One of the use-case for riscv_isa bitmap is in KVM hypervisor where we will use it to do following operations: 1. Check whether hypervisor extension is available 2. Find ISA features that need to be virtualized (e.g. floating point support, vector extension, etc.) Signed-off-by: Anup Patel Signed-off-by: Atish Patra Reviewed-by: Alexander Graf Signed-off-by: Palmer Dabbelt commit 7391efa48d88c8555a802bac562d02a38567127c Author: Anup Patel Date: Fri Apr 24 10:29:26 2020 +0530 RISC-V: Export riscv_cpuid_to_hartid_mask() API The riscv_cpuid_to_hartid_mask() API should be exported to allow building KVM RISC-V as loadable module. Signed-off-by: Anup Patel Reviewed-by: Palmer Dabbelt Signed-off-by: Palmer Dabbelt commit bd4af432cc71b5fbfe4833510359a6ad3ada250d Author: Qiushi Wu Date: Sat May 2 17:42:59 2020 -0500 nfp: abm: fix a memory leak bug In function nfp_abm_vnic_set_mac, pointer nsp is allocated by nfp_nsp_open. But when nfp_nsp_has_hwinfo_lookup fail, the pointer is not released, which can lead to a memory leak bug. Fix this issue by adding nfp_nsp_close(nsp) in the error path. Fixes: f6e71efdf9fb1 ("nfp: abm: look up MAC addresses via management FW") Signed-off-by: Qiushi Wu Acked-by: Jakub Kicinski Signed-off-by: David S. Miller commit 8d9f73c0ad2f20e9fed5380de0a3097825859d03 Author: Cong Wang Date: Fri May 1 11:11:09 2020 -0700 atm: fix a memory leak of vcc->user_back In lec_arp_clear_vccs() only entry->vcc is freed, but vcc could be installed on entry->recv_vcc too in lec_vcc_added(). This fixes the following memory leak: unreferenced object 0xffff8880d9266b90 (size 16): comm "atm2", pid 425, jiffies 4294907980 (age 23.488s) hex dump (first 16 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 6b 6b 6b a5 ............kkk. backtrace: [<(____ptrval____)>] kmem_cache_alloc_trace+0x10e/0x151 [<(____ptrval____)>] lane_ioctl+0x4b3/0x569 [<(____ptrval____)>] do_vcc_ioctl+0x1ea/0x236 [<(____ptrval____)>] svc_ioctl+0x17d/0x198 [<(____ptrval____)>] sock_do_ioctl+0x47/0x12f [<(____ptrval____)>] sock_ioctl+0x2f9/0x322 [<(____ptrval____)>] vfs_ioctl+0x1e/0x2b [<(____ptrval____)>] ksys_ioctl+0x61/0x80 [<(____ptrval____)>] __x64_sys_ioctl+0x16/0x19 [<(____ptrval____)>] do_syscall_64+0x57/0x65 [<(____ptrval____)>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 Cc: Gengming Liu Signed-off-by: Cong Wang Signed-off-by: David S. Miller commit 93a2014afbace907178afc3c9c1e62c9a338595a Author: Cong Wang Date: Fri May 1 11:11:08 2020 -0700 atm: fix a UAF in lec_arp_clear_vccs() Gengming reported a UAF in lec_arp_clear_vccs(), where we add a vcc socket to an entry in a per-device list but free the socket without removing it from the list when vcc->dev is NULL. We need to call lec_vcc_close() to search and remove those entries contain the vcc being destroyed. This can be done by calling vcc->push(vcc, NULL) unconditionally in vcc_destroy_socket(). Another issue discovered by Gengming's reproducer is the vcc->dev may point to the static device lecatm_dev, for which we don't need to register/unregister device, so we can just check for vcc->dev->ops->owner. Reported-by: Gengming Liu Signed-off-by: Cong Wang Signed-off-by: David S. Miller commit 44d95cc6b10ff7439d45839c96c581cb4368c088 Author: Colin Ian King Date: Fri May 1 15:10:16 2020 +0100 net: stmmac: gmac5+: fix potential integer overflow on 32 bit multiply The multiplication of cfg->ctr[1] by 1000000000 is performed using a 32 bit multiplication (since cfg->ctr[1] is a u32) and this can lead to a potential overflow. Fix this by making the constant a ULL to ensure a 64 bit multiply occurs. Fixes: 504723af0d85 ("net: stmmac: Add basic EST support for GMAC5+") Addresses-Coverity: ("Unintentional integer overflow") Signed-off-by: Colin Ian King Signed-off-by: David S. Miller commit a7df4870d79b00742da6cc93ca2f336a71db77f7 Author: Cong Wang Date: Thu Apr 30 20:53:49 2020 -0700 net_sched: fix tcm_parent in tc filter dump When we tell kernel to dump filters from root (ffff:ffff), those filters on ingress (ffff:0000) are matched, but their true parents must be dumped as they are. However, kernel dumps just whatever we tell it, that is either ffff:ffff or ffff:0000: $ nl-cls-list --dev=dummy0 --parent=root cls basic dev dummy0 id none parent root prio 49152 protocol ip match-all cls basic dev dummy0 id :1 parent root prio 49152 protocol ip match-all $ nl-cls-list --dev=dummy0 --parent=ffff: cls basic dev dummy0 id none parent ffff: prio 49152 protocol ip match-all cls basic dev dummy0 id :1 parent ffff: prio 49152 protocol ip match-all This is confusing and misleading, more importantly this is a regression since 4.15, so the old behavior must be restored. And, when tc filters are installed on a tc class, the parent should be the classid, rather than the qdisc handle. Commit edf6711c9840 ("net: sched: remove classid and q fields from tcf_proto") removed the classid we save for filters, we can just restore this classid in tcf_block. Steps to reproduce this: ip li set dev dummy0 up tc qd add dev dummy0 ingress tc filter add dev dummy0 parent ffff: protocol arp basic action pass tc filter show dev dummy0 root Before this patch: filter protocol arp pref 49152 basic filter protocol arp pref 49152 basic handle 0x1 action order 1: gact action pass random type none pass val 0 index 1 ref 1 bind 1 After this patch: filter parent ffff: protocol arp pref 49152 basic filter parent ffff: protocol arp pref 49152 basic handle 0x1 action order 1: gact action pass random type none pass val 0 index 1 ref 1 bind 1 Fixes: a10fa20101ae ("net: sched: propagate q and parent from caller down to tcf_fill_node") Fixes: edf6711c9840 ("net: sched: remove classid and q fields from tcf_proto") Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Acked-by: Jamal Hadi Salim Signed-off-by: David S. Miller commit 071a43e660996d1517d02ea7724491cc5b93bb03 Author: Arnd Bergmann Date: Thu Apr 30 12:39:02 2020 +0200 cxgb4/chcr: avoid -Wreturn-local-addr warning gcc-10 warns about functions that return a pointer to a stack variable. In chcr_write_cpl_set_tcb_ulp(), this does not actually happen, but it's too hard to see for the compiler: drivers/crypto/chelsio/chcr_ktls.c: In function 'chcr_write_cpl_set_tcb_ulp.constprop': drivers/crypto/chelsio/chcr_ktls.c:760:9: error: function may return address of local variable [-Werror=return-local-addr] 760 | return pos; | ^~~ drivers/crypto/chelsio/chcr_ktls.c:712:5: note: declared here 712 | u8 buf[48] = {0}; | ^~~ Split the middle part of the function out into a helper to make it easier to understand by both humans and compilers, which avoids the warning. Fixes: 5a4b9fe7fece ("cxgb4/chcr: complete record tx handling") Signed-off-by: Arnd Bergmann Signed-off-by: David S. Miller commit c649c41d5d0f7d153bd5d5d9c093fec16ee03e00 Author: Julian Wiedmann Date: Mon May 4 19:39:42 2020 +0200 s390/qeth: fix cancelling of TX timer on dev_close() With the introduction of TX coalescing, .ndo_start_xmit now potentially starts the TX completion timer. So only kill the timer _after_ TX has been disabled. Fixes: ee1e52d1e4bb ("s390/qeth: add TX IRQ coalescing support for IQD devices") Signed-off-by: Julian Wiedmann Signed-off-by: David S. Miller commit 9851a0dee7c28514f149f7e4f60ec1b06286cc1b Merge: a16a47e98a30 c7527373fe28 Author: Linus Torvalds Date: Mon May 4 11:20:32 2020 -0700 Merge tag 'gcc-plugins-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux Pull gcc-plugins fixes from Kees Cook: "GCC 10 fixes for gcc-plugins: - Adjust caller of cgraph_create_edge for GCC 10 argument usage - Update common headers to build under GCC 10 (Frédéric Pierret)" * tag 'gcc-plugins-v5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: gcc-common.h: Update for GCC 10 gcc-plugins/stackleak: Avoid assignment for unused macro argument commit a16a47e98a30ae6a424d30ce9f4f99e4d9384713 Merge: 67f852ef9227 0b841030625c Author: Linus Torvalds Date: Mon May 4 11:10:24 2020 -0700 Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost Pull virtio fixes from Michael Tsirkin: "A couple of bug fixes" * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost: vhost: vsock: kick send_pkt worker once device is started virtio-blk: handle block_device_operations callbacks after hot unplug commit 82152d424b6cb6fc1ede7d03d69c04e786688740 Author: Peter Jones Date: Fri Jul 6 15:04:24 2018 -0400 Make the "Reducing compressed framebufer size" message be DRM_INFO_ONCE() This was sort of annoying me: random:~$ dmesg | tail -1 [523884.039227] [drm] Reducing the compressed framebuffer size. This may lead to less power savings than a non-reduced-size. Try to increase stolen memory size if available in BIOS. random:~$ dmesg | grep -c "Reducing the compressed" 47 This patch makes it DRM_INFO_ONCE() just like the similar message farther down in that function is pr_info_once(). Cc: stable@vger.kernel.org Signed-off-by: Peter Jones Acked-by: Rodrigo Vivi Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/1745 Link: https://patchwork.freedesktop.org/patch/msgid/20180706190424.29194-1-pjones@redhat.com [vsyrjala: Rebase due to per-device logging] Signed-off-by: Ville Syrjälä (cherry picked from commit 6b7fc6a3e6af4ff5773949d0fed70d8e7f68d5ce) [Rodrigo: port back to DRM_INFO_ONCE] Signed-off-by: Rodrigo Vivi commit d975cb7ea915e64a3ebcfef8a33051f3e6bf22a8 Author: Dejin Zheng Date: Mon May 4 20:01:27 2020 +0800 net: enetc: fix an issue about leak system resources the related system resources were not released when enetc_hw_alloc() return error in the enetc_pci_mdio_probe(), add iounmap() for error handling label "err_hw_alloc" to fix it. Fixes: 6517798dd3432a ("enetc: Make MDIO accessors more generic and export to include/linux/fsl") Cc: Andy Shevchenko Signed-off-by: Dejin Zheng Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller commit 67f852ef92274116c9487cb312e58105d0e8d3e7 Merge: 9d82973e032e 1e6e9d0f4859 Author: Linus Torvalds Date: Mon May 4 10:47:41 2020 -0700 Merge tag 'flexible-array-member-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux Pull flex-array reverts from Gustavo Silva: "This reverts flexible array changes in include/uapi/ These structures can get embedded in other structures in user-space and cause all sorts of warnings and problems[1]. So, we better don't take any chances and keep the zero-length arrays in place for now" [1] https://lore.kernel.org/lkml/20200424121553.GE26002@ziepe.ca/ * tag 'flexible-array-member-5.7-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gustavoars/linux: uapi: revert flexible-array conversions commit 40e473071dbad04316ddc3613c3a3d1c75458299 Author: Tariq Toukan Date: Mon May 4 11:36:02 2020 +0300 net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() When ENOSPC is set the idx is still valid and gets set to the global MLX4_SINK_COUNTER_INDEX. However gcc's static analysis cannot tell that ENOSPC is impossible from mlx4_cmd_imm() and gives this warning: drivers/net/ethernet/mellanox/mlx4/main.c:2552:28: warning: 'idx' may be used uninitialized in this function [-Wmaybe-uninitialized] 2552 | priv->def_counter[port] = idx; Also, when ENOSPC is returned mlx4_allocate_default_counters should not fail. Fixes: 6de5f7f6a1fa ("net/mlx4_core: Allocate default counter per port") Signed-off-by: Jason Gunthorpe Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller commit bea0c5c942d3b4e9fb6ed45f6a7de74c6b112437 Author: Aya Levin Date: Mon May 4 11:27:46 2020 +0300 devlink: Fix reporter's recovery condition Devlink health core conditions the reporter's recovery with the expiration of the grace period. This is not relevant for the first recovery. Explicitly demand that the grace period will only apply to recoveries other than the first. Fixes: c8e1da0bf923 ("devlink: Add health report functionality") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller commit 421abe200321a2c907ede1a6208c558284ba0b75 Author: Sultan Alsawaf Date: Thu Apr 30 14:46:54 2020 -0700 drm/i915: Don't enable WaIncreaseLatencyIPCEnabled when IPC is disabled In commit 5a7d202b1574, a logical AND was erroneously changed to an OR, causing WaIncreaseLatencyIPCEnabled to be enabled unconditionally for kabylake and coffeelake, even when IPC is disabled. Fix the logic so that WaIncreaseLatencyIPCEnabled is only used when IPC is enabled. Fixes: 5a7d202b1574 ("drm/i915: Drop WaIncreaseLatencyIPCEnabled/1140 for cnl") Cc: stable@vger.kernel.org # 5.3.x+ Signed-off-by: Sultan Alsawaf Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20200430214654.51314-1-sultan@kerneltoast.com (cherry picked from commit 690d22dafa88b82453516387b475664047a6bd14) Signed-off-by: Rodrigo Vivi commit fe5a708267911d55cce42910d93e303924b088fd Author: Chris Wilson Date: Fri May 1 13:22:49 2020 +0100 drm/i915/gt: Make timeslicing an explicit engine property In order to allow userspace to rely on timeslicing to reorder their batches, we must support preemption of those user batches. Declare timeslicing as an explicit property that is a combination of having the kernel support and HW support. Suggested-by: Tvrtko Ursulin Fixes: 8ee36e048c98 ("drm/i915/execlists: Minimalistic timeslicing") Signed-off-by: Chris Wilson Cc: Tvrtko Ursulin Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200501122249.12417-1-chris@chris-wilson.co.uk (cherry picked from commit a211da9c771bf97395a3ced83a3aa383372b13a7) Signed-off-by: Rodrigo Vivi commit 30523408c0232d4f33ca0719004e5bffaf04220c Author: Chris Wilson Date: Tue Apr 28 10:02:55 2020 +0100 drm/i915: Avoid dereferencing a dead context Once the intel_context is closed, the GEM context may be freed and so the link from intel_context.gem_context is invalid. <3>[ 219.782944] BUG: KASAN: use-after-free in intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <3>[ 219.782996] Read of size 8 at addr ffff8881d7dff0b8 by task kworker/0:1/12 <4>[ 219.783052] CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: G U 5.7.0-rc2-g1f3ffd7683d54-kasan_118+ #1 <4>[ 219.783055] Hardware name: System manufacturer System Product Name/Z170 PRO GAMING, BIOS 3402 04/26/2017 <4>[ 219.783105] Workqueue: events heartbeat [i915] <4>[ 219.783109] Call Trace: <4>[ 219.783113] <4>[ 219.783119] dump_stack+0x96/0xdb <4>[ 219.783177] ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <4>[ 219.783182] print_address_description.constprop.6+0x16/0x310 <4>[ 219.783239] ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <4>[ 219.783295] ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <4>[ 219.783300] __kasan_report+0x137/0x190 <4>[ 219.783359] ? intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <4>[ 219.783366] kasan_report+0x32/0x50 <4>[ 219.783426] intel_engine_coredump_alloc+0x1bc3/0x2250 [i915] <4>[ 219.783481] execlists_reset+0x39c/0x13d0 [i915] <4>[ 219.783494] ? mark_held_locks+0x9e/0xe0 <4>[ 219.783546] ? execlists_hold+0xfc0/0xfc0 [i915] <4>[ 219.783551] ? lockdep_hardirqs_on+0x348/0x5f0 <4>[ 219.783557] ? _raw_spin_unlock_irqrestore+0x34/0x60 <4>[ 219.783606] ? execlists_submission_tasklet+0x118/0x3a0 [i915] <4>[ 219.783615] tasklet_action_common.isra.14+0x13b/0x410 <4>[ 219.783623] ? __do_softirq+0x1e4/0x9a7 <4>[ 219.783630] __do_softirq+0x226/0x9a7 <4>[ 219.783643] do_softirq_own_stack+0x2a/0x40 <4>[ 219.783647] <4>[ 219.783692] ? heartbeat+0x3e2/0x10f0 [i915] <4>[ 219.783696] do_softirq.part.13+0x49/0x50 <4>[ 219.783700] __local_bh_enable_ip+0x1a2/0x1e0 <4>[ 219.783748] heartbeat+0x409/0x10f0 [i915] <4>[ 219.783801] ? __live_idle_pulse+0x9f0/0x9f0 [i915] <4>[ 219.783806] ? lock_acquire+0x1ac/0x8a0 <4>[ 219.783811] ? process_one_work+0x811/0x1870 <4>[ 219.783827] ? rcu_read_lock_sched_held+0x9c/0xd0 <4>[ 219.783832] ? rcu_read_lock_bh_held+0xb0/0xb0 <4>[ 219.783836] ? _raw_spin_unlock_irq+0x1f/0x40 <4>[ 219.783845] process_one_work+0x8ca/0x1870 <4>[ 219.783848] ? lock_acquire+0x1ac/0x8a0 <4>[ 219.783852] ? worker_thread+0x1d0/0xb80 <4>[ 219.783864] ? pwq_dec_nr_in_flight+0x2c0/0x2c0 <4>[ 219.783870] ? do_raw_spin_lock+0x129/0x290 <4>[ 219.783886] worker_thread+0x82/0xb80 <4>[ 219.783895] ? __kthread_parkme+0xaf/0x1b0 <4>[ 219.783902] ? process_one_work+0x1870/0x1870 <4>[ 219.783906] kthread+0x34e/0x420 <4>[ 219.783911] ? kthread_create_on_node+0xc0/0xc0 <4>[ 219.783918] ret_from_fork+0x3a/0x50 <3>[ 219.783950] Allocated by task 1264: <4>[ 219.783975] save_stack+0x19/0x40 <4>[ 219.783978] __kasan_kmalloc.constprop.3+0xa0/0xd0 <4>[ 219.784029] i915_gem_create_context+0xa2/0xab8 [i915] <4>[ 219.784081] i915_gem_context_create_ioctl+0x1fa/0x450 [i915] <4>[ 219.784085] drm_ioctl_kernel+0x1d8/0x270 <4>[ 219.784088] drm_ioctl+0x676/0x930 <4>[ 219.784092] ksys_ioctl+0xb7/0xe0 <4>[ 219.784096] __x64_sys_ioctl+0x6a/0xb0 <4>[ 219.784100] do_syscall_64+0x94/0x530 <4>[ 219.784103] entry_SYSCALL_64_after_hwframe+0x49/0xb3 <3>[ 219.784120] Freed by task 12: <4>[ 219.784141] save_stack+0x19/0x40 <4>[ 219.784145] __kasan_slab_free+0x130/0x180 <4>[ 219.784148] kmem_cache_free_bulk+0x1bd/0x500 <4>[ 219.784152] kfree_rcu_work+0x1d8/0x890 <4>[ 219.784155] process_one_work+0x8ca/0x1870 <4>[ 219.784158] worker_thread+0x82/0xb80 <4>[ 219.784162] kthread+0x34e/0x420 <4>[ 219.784165] ret_from_fork+0x3a/0x50 Fixes: 2e46a2a0b014 ("drm/i915: Use explicit flag to mark unreachable intel_context") Signed-off-by: Chris Wilson Acked-by: Akeem G Abodunrin Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200428090255.10035-1-chris@chris-wilson.co.uk (cherry picked from commit 24aac336ff78eb55aedda043ed982c61dc3ac49a) Signed-off-by: Rodrigo Vivi commit f42234ffd531ca6b13d9da02faa60b72eccf8334 Author: Maxim Petrov Date: Mon May 4 09:26:43 2020 +0300 stmmac: fix pointer check after utilization in stmmac_interrupt The paranoidal pointer check in IRQ handler looks very strange - it really protects us only against bogus drivers which request IRQ line with null pointer dev_id. However, the code fragment is incorrect because the dev pointer is used before the actual check which leads to undefined behavior. Remove the check to avoid confusing people with incorrect code. Signed-off-by: Maxim Petrov Signed-off-by: David S. Miller commit 980d69276f3048af43a045be2925dacfb898a7be Author: Tuong Lien Date: Mon May 4 11:15:54 2020 +0700 tipc: fix partial topology connection closure When an application connects to the TIPC topology server and subscribes to some services, a new connection is created along with some objects - 'tipc_subscription' to store related data correspondingly... However, there is one omission in the connection handling that when the connection or application is orderly shutdown (e.g. via SIGQUIT, etc.), the connection is not closed in kernel, the 'tipc_subscription' objects are not freed too. This results in: - The maximum number of subscriptions (65535) will be reached soon, new subscriptions will be rejected; - TIPC module cannot be removed (unless the objects are somehow forced to release first); The commit fixes the issue by closing the connection if the 'recvmsg()' returns '0' i.e. when the peer is shutdown gracefully. It also includes the other unexpected cases. Acked-by: Jon Maloy Acked-by: Ying Xue Signed-off-by: Tuong Lien Signed-off-by: David S. Miller commit 3a5ccecd9af71220e8b303f439ebccbc48385305 Author: Sage Weil Date: Mon Apr 20 13:44:25 2020 +0000 MAINTAINERS: remove myself as ceph co-maintainer Jeff, Ilya, and Dongsheng are doing all of the Ceph maintainance these days. [ idryomov: Remove Sage's git tree too, it hasn't been pushed to in years. ] Signed-off-by: Sage Weil Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov commit 86f8b1c01a0a537a73d2996615133be63cdf75db Author: Florian Fainelli Date: Sun May 3 20:50:57 2020 -0700 net: dsa: Do not make user port errors fatal Prior to 1d27732f411d ("net: dsa: setup and teardown ports"), we would not treat failures to set-up an user port as fatal, but after this commit we would, which is a regression for some systems where interfaces may be declared in the Device Tree, but the underlying hardware may not be present (pluggable daughter cards for instance). Fixes: 1d27732f411d ("net: dsa: setup and teardown ports") Signed-off-by: Florian Fainelli Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller commit 4d8e28ff3106b093d98bfd2eceb9b430c70a8758 Author: Wu Bo Date: Thu Apr 30 14:12:49 2020 +0800 ceph: fix double unlock in handle_cap_export() If the ceph_mdsc_open_export_target_session() return fails, it will do a "goto retry", but the session mutex has already been unlocked. Re-lock the mutex in that case to ensure that we don't unlock it twice. Signed-off-by: Wu Bo Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov commit 7d8976afad18d4548ee472e526b126ab74012807 Author: Wu Bo Date: Wed Apr 29 10:01:55 2020 +0800 ceph: fix special error code in ceph_try_get_caps() There are 3 speical error codes: -EAGAIN/-EFBIG/-ESTALE. After calling try_get_cap_refs, ceph_try_get_caps test for the -EAGAIN twice. Ensure that it tests for -ESTALE instead. Signed-off-by: Wu Bo Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov commit 0fa8263367db9287aa0632f96c1a5f93cc478150 Author: Jeff Layton Date: Tue Apr 28 08:10:22 2020 -0400 ceph: fix endianness bug when handling MDS session feature bits Eduard reported a problem mounting cephfs on s390 arch. The feature mask sent by the MDS is little-endian, so we need to convert it before storing and testing against it. Cc: stable@vger.kernel.org Reported-and-Tested-by: Eduard Shishkin Signed-off-by: Jeff Layton Reviewed-by: "Yan, Zheng" Signed-off-by: Ilya Dryomov commit 37e31d2d26a4124506c24e95434e9baf3405a23a Author: Dan Carpenter Date: Wed Apr 22 12:22:11 2020 +0300 i40iw: Fix error handling in i40iw_manage_arp_cache() The i40iw_arp_table() function can return -EOVERFLOW if i40iw_alloc_resource() fails so we can't just test for "== -1". Fixes: 4e9042e647ff ("i40iw: add hw and utils files") Link: https://lore.kernel.org/r/20200422092211.GA195357@mwanda Signed-off-by: Dan Carpenter Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe commit 2ae11c46d5fdc46cb396e35911c713d271056d35 Author: Shubhrajyoti Datta Date: Mon May 4 16:27:28 2020 +0200 tty: xilinx_uartps: Fix missing id assignment to the console When serial console has been assigned to ttyPS1 (which is serial1 alias) console index is not updated property and pointing to index -1 (statically initialized) which ends up in situation where nothing has been printed on the port. The commit 18cc7ac8a28e ("Revert "serial: uartps: Register own uart console and driver structures"") didn't contain this line which was removed by accident. Fixes: 18cc7ac8a28e ("Revert "serial: uartps: Register own uart console and driver structures"") Signed-off-by: Shubhrajyoti Datta Cc: stable Signed-off-by: Michal Simek Link: https://lore.kernel.org/r/ed3111533ef5bd342ee5ec504812240b870f0853.1588602446.git.michal.simek@xilinx.com Signed-off-by: Greg Kroah-Hartman commit 1e6e9d0f4859ec698d55381ea26f4136eff3afe1 Author: Gustavo A. R. Silva Date: Fri Apr 24 10:50:00 2020 -0500 uapi: revert flexible-array conversions These structures can get embedded in other structures in user-space and cause all sorts of warnings and problems. So, we better don't take any chances and keep the zero-length arrays in place for now. Signed-off-by: Gustavo A. R. Silva commit 8be8f932e3db5fe4ed178b8892eeffeab530273a Author: Paolo Bonzini Date: Mon May 4 12:19:45 2020 -0400 kvm: ioapic: Restrict lazy EOI update to edge-triggered interrupts Commit f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") introduces the following infinite loop: BUG: stack guard page was hit at 000000008f595917 \ (stack is 00000000bdefe5a4..00000000ae2b06f5) kernel stack overflow (double-fault): 0000 [#1] SMP NOPTI RIP: 0010:kvm_set_irq+0x51/0x160 [kvm] Call Trace: irqfd_resampler_ack+0x32/0x90 [kvm] kvm_notify_acked_irq+0x62/0xd0 [kvm] kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm] ioapic_set_irq+0x20e/0x240 [kvm] kvm_ioapic_set_irq+0x5c/0x80 [kvm] kvm_set_irq+0xbb/0x160 [kvm] ? kvm_hv_set_sint+0x20/0x20 [kvm] irqfd_resampler_ack+0x32/0x90 [kvm] kvm_notify_acked_irq+0x62/0xd0 [kvm] kvm_ioapic_update_eoi_one.isra.0+0x30/0x120 [kvm] ioapic_set_irq+0x20e/0x240 [kvm] kvm_ioapic_set_irq+0x5c/0x80 [kvm] kvm_set_irq+0xbb/0x160 [kvm] ? kvm_hv_set_sint+0x20/0x20 [kvm] .... The re-entrancy happens because the irq state is the OR of the interrupt state and the resamplefd state. That is, we don't want to show the state as 0 until we've had a chance to set the resamplefd. But if the interrupt has _not_ gone low then ioapic_set_irq is invoked again, causing an infinite loop. This can only happen for a level-triggered interrupt, otherwise irqfd_inject would immediately set the KVM_USERSPACE_IRQ_SOURCE_ID high and then low. Fortunately, in the case of level-triggered interrupts the VMEXIT already happens because TMR is set. Thus, fix the bug by restricting the lazy invocation of the ack notifier to edge-triggered interrupts, the only ones that need it. Tested-by: Suravee Suthikulpanit Reported-by: borisvk@bstnet.org Suggested-by: Paolo Bonzini Link: https://www.spinics.net/lists/kvm/msg213512.html Fixes: f458d039db7e ("kvm: ioapic: Lazy update IOAPIC EOI") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=207489 Signed-off-by: Paolo Bonzini commit 78d6de3cfbd342918d31cf68d0d2eda401338aef Author: Matt Jolly Date: Sun May 3 01:03:47 2020 +1000 USB: serial: qcserial: Add DW5816e support Add support for Dell Wireless 5816e to drivers/usb/serial/qcserial.c Signed-off-by: Matt Jolly Cc: stable Signed-off-by: Johan Hovold commit 637543a8d61c6afe4e9be64bfb43c78701a83375 Author: Suravee Suthikulpanit Date: Tue Apr 7 01:13:09 2020 -0500 KVM: x86: Fixes posted interrupt check for IRQs delivery modes Current logic incorrectly uses the enum ioapic_irq_destination_types to check the posted interrupt destination types. However, the value was set using APIC_DM_XXX macros, which are left-shifted by 8 bits. Fixes by using the APIC_DM_FIXED and APIC_DM_LOWEST instead. Fixes: (fdcf75621375 'KVM: x86: Disable posted interrupts for non-standard IRQs delivery modes') Cc: Alexander Graf Signed-off-by: Suravee Suthikulpanit Message-Id: <1586239989-58305-1-git-send-email-suravee.suthikulpanit@amd.com> Reviewed-by: Maxim Levitsky Tested-by: Maxim Levitsky Signed-off-by: Paolo Bonzini commit 9d82973e032e246ff5663c9805fbb5407ae932e3 Author: Linus Torvalds Date: Mon May 4 09:16:37 2020 -0700 gcc-10 warnings: fix low-hanging fruit Due to a bug-report that was compiler-dependent, I updated one of my machines to gcc-10. That shows a lot of new warnings. Happily they seem to be mostly the valid kind, but it's going to cause a round of churn for getting rid of them.. This is the really low-hanging fruit of removing a couple of zero-sized arrays in some core code. We have had a round of these patches before, and we'll have many more coming, and there is nothing special about these except that they were particularly trivial, and triggered more warnings than most. Signed-off-by: Linus Torvalds commit 7134fa0709d5939bafacffe4c0e7ab02356d0903 Merge: 9e5e19f58529 0225fd5e0a6a Author: Paolo Bonzini Date: Mon May 4 12:01:37 2020 -0400 Merge tag 'kvmarm-fixes-5.7-2' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm-master KVM/arm fixes for Linux 5.7, take #2 - Fix compilation with Clang - Correctly initialize GICv4.1 in the absence of a virtual ITS - Move SP_EL0 save/restore to the guest entry/exit code - Handle PC wrap around on 32bit guests, and narrow all 32bit registers on userspace access commit 9e5e19f58529ba8beec604b3cf5585e271e32e90 Merge: dee919d15dcf 446c0768f550 Author: Paolo Bonzini Date: Mon May 4 12:01:12 2020 -0400 Merge tag 'kvmarm-fixes-5.7-1' of git://git.kernel.org/pub/scm/linux/kernel/git/kvmarm/kvmarm into kvm-master KVM/arm fixes for Linux 5.7, take #1 - Prevent the userspace API from interacting directly with the HW stage of the virtual GIC - Fix a couple of vGIC memory leaks - Tighten the rules around the use of the 32bit PSCI functions for 64bit guest, as well as the opposite situation (matches the specification) commit dee919d15dcf70f4ce84b7da9b77bdc1c307454c Author: Paolo Bonzini Date: Mon May 4 09:34:10 2020 -0400 KVM: SVM: fill in kvm_run->debug.arch.dr[67] The corresponding code was added for VMX in commit 42dbaa5a057 ("KVM: x86: Virtualize debug registers, 2008-12-15) but never for AMD. Fix this. Signed-off-by: Paolo Bonzini commit f9336e3281880b683137bc18f91848ac34af84c3 Author: Sean Christopherson Date: Mon May 4 08:35:06 2020 -0700 KVM: nVMX: Replace a BUG_ON(1) with BUG() to squash clang warning Use BUG() in the impossible-to-hit default case when switching on the scope of INVEPT to squash a warning with clang 11 due to clang treating the BUG_ON() as conditional. >> arch/x86/kvm/vmx/nested.c:5246:3: warning: variable 'roots_to_free' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] BUG_ON(1); Reported-by: kbuild test robot Fixes: ce8fe7b77bd8 ("KVM: nVMX: Free only the affected contexts when emulating INVEPT") Signed-off-by: Sean Christopherson Message-Id: <20200504153506.28898-1-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini commit c5f9d9db83d9f84d2b4aae5a1b29d9b582ccff2f Author: David Howells Date: Mon May 4 16:12:55 2020 +0100 cachefiles: Fix corruption of the return value in cachefiles_read_or_alloc_pages() The patch which changed cachefiles from calling ->bmap() to using the bmap() wrapper overwrote the running return value with the result of calling bmap(). This causes an assertion failure elsewhere in the code. Fix this by using ret2 rather than ret to hold the return value. The oops looks like: kernel BUG at fs/nfs/fscache.c:468! ... RIP: 0010:__nfs_readpages_from_fscache+0x18b/0x190 [nfs] ... Call Trace: nfs_readpages+0xbf/0x1c0 [nfs] ? __alloc_pages_nodemask+0x16c/0x320 read_pages+0x67/0x1a0 __do_page_cache_readahead+0x1cf/0x1f0 ondemand_readahead+0x172/0x2b0 page_cache_async_readahead+0xaa/0xe0 generic_file_buffered_read+0x852/0xd50 ? mem_cgroup_commit_charge+0x6e/0x140 ? nfs4_have_delegation+0x19/0x30 [nfsv4] generic_file_read_iter+0x100/0x140 ? nfs_revalidate_mapping+0x176/0x2b0 [nfs] nfs_file_read+0x6d/0xc0 [nfs] new_sync_read+0x11a/0x1c0 __vfs_read+0x29/0x40 vfs_read+0x8e/0x140 ksys_read+0x61/0xd0 __x64_sys_read+0x1a/0x20 do_syscall_64+0x60/0x1e0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f5d148267e0 Fixes: 10d83e11a582 ("cachefiles: drop direct usage of ->bmap method.") Reported-by: David Wysochanski Signed-off-by: David Howells Tested-by: David Wysochanski cc: Carlos Maiolino commit d8f1b9716cfd1a1f74c0fedad40c5f65a25aa208 Author: Xiaoguang Wang Date: Sun Apr 26 15:54:43 2020 +0800 io_uring: fix mismatched finish_wait() calls in io_uring_cancel_files() The prepare_to_wait() and finish_wait() calls in io_uring_cancel_files() are mismatched. Currently I don't see any issues related this bug, just find it by learning codes. Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe commit 3a3a71f97c30983f1627c2c550d43566e9b634d2 Author: Arnd Bergmann Date: Tue Apr 28 23:50:51 2020 +0200 sun6i: dsi: fix gcc-4.8 Older compilers warn about initializers with incorrect curly braces: drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c: In function 'sun6i_dsi_encoder_enable': drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c:720:8: error: missing braces around initializer [-Werror=missing-braces] union phy_configure_opts opts = { 0 }; ^ drivers/gpu/drm/sun4i/sun6i_mipi_dsi.c:720:8: error: (near initialization for 'opts.mipi_dphy') [-Werror=missing-braces] Use the GNU empty initializer extension to avoid this. Fixes: bb3b6fcb6849 ("sun6i: dsi: Convert to generic phy handling") Reviewed-by: Paul Kocialkowski Signed-off-by: Arnd Bergmann Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200428215105.3928459-1-arnd@arndb.de commit 29ee412bb7090023a8dba15726d9be2f4f2644a4 Author: Samuel Holland Date: Sun Apr 26 11:16:05 2020 -0500 arm64: dts: allwinner: a64: Remove unused SPDIF sound card As of v5.7-rc2, Linux now prints the following message at boot: [ 33.848525] platform sound_spdif: deferred probe pending This is because sound_spdif is waiting on its CPU DAI &spdif to probe, but &spdif is disabled in the device tree. Exposure of the SPDIF pin is board-specific functionality, so the sound card and codec DAI belong in the individual board DTS, not the SoC DTSI. In fact, no in-tree A64 board DTS enables &spdif, so let's remove the card and DAI entirely. This reverts commit 78e071370a86473f25923e03b51cbbadacf8be0f. Acked-by: Clément Péron Signed-off-by: Samuel Holland Signed-off-by: Maxime Ripard commit 5f39dd232723a76aa7865de0b5be8373490355ef Author: Samuel Holland Date: Sun Apr 26 11:23:53 2020 -0500 arm64: dts: allwinner: a64: pinetab: Fix cpvdd supply name An older version of the analog codec binding referenced the headphone amplifier binding as "hpvcc". However, by the time it was merged in commit 21dd30200e3d ("ASoC: dt-bindings: sun50i-codec-analog: Add headphone amp regulator supply"), the regulator reference was renamed to "cpvdd". This board's device tree still uses the old name, which fails to work at runtime, and which causes a warning from `make dtbs_check`. Resolve both by fixing the name. Fixes: 674ef1d0a7b2 ("arm64: dts: allwinner: a64: add support for PineTab") Signed-off-by: Samuel Holland Signed-off-by: Maxime Ripard commit c59359a02d14a7256cd508a4886b7d2012df2363 Author: H. Nikolaus Schaller Date: Mon May 4 08:35:12 2020 +0200 drm: ingenic-drm: add MODULE_DEVICE_TABLE so that the driver can load by matching the device tree if compiled as module. Cc: stable@vger.kernel.org # v5.3+ Fixes: 90b86fcc47b4 ("DRM: Add KMS driver for the Ingenic JZ47xx SoCs") Signed-off-by: H. Nikolaus Sch