All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.4 000/141] 5.4.120-rc1 review
@ 2021-05-17 14:00 Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 001/141] tpm: fix error return code in tpm2_get_cc_attrs_tbl() Greg Kroah-Hartman
                   ` (147 more replies)
  0 siblings, 148 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.4.120 release.
There are 141 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.120-rc1

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rsnd: check all BUSIF status when error

Christoph Hellwig <hch@lst.de>
    nvme: do not try to reconfigure APST when the controller is not live

Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
    clk: exynos7: Mark aclk_fsys1_200 as critical

Jonathon Reinhart <jonathon.reinhart@gmail.com>
    netfilter: conntrack: Make global sysctls readonly in non-init netns

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    kobject_uevent: remove warning in init_uevent_argv()

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: tcpm: Fix error while calculating PPS out values

Ard Biesheuvel <ardb@kernel.org>
    ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section

Ard Biesheuvel <ardb@kernel.org>
    ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address

Ard Biesheuvel <ardb@kernel.org>
    ARM: 9012/1: move device tree mapping out of linear region

Ard Biesheuvel <ardb@kernel.org>
    ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address

Eric Biggers <ebiggers@google.com>
    f2fs: fix error handling in f2fs_end_enable_verity()

Lukasz Luba <lukasz.luba@arm.com>
    thermal/core/fair share: Lock the thermal zone while looping over instances

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Avoid handcoded DIVU in `__div64_32' altogether

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Avoid DIVU in `__div64_32' is result would be zero

Maciej W. Rozycki <macro@orcam.me.uk>
    MIPS: Reinstate platform `__div64_32' handler

Maciej W. Rozycki <macro@orcam.me.uk>
    FDDI: defxx: Make MMIO the configuration default except for EISA

Matthew Wilcox (Oracle) <willy@infradead.org>
    mm: fix struct page layout on 32-bit systems

Thomas Gleixner <tglx@linutronix.de>
    KVM: x86: Cancel pvclock_gtod_work on module removal

Oliver Neukum <oneukum@suse.com>
    cdc-wdm: untangle a circular dependency between callback and softint

Colin Ian King <colin.king@canonical.com>
    iio: tsl2583: Fix division by a zero lux_val

Dmitry Osipenko <digetx@gmail.com>
    iio: gyro: mpu3050: Fix reported temperature value

Sandeep Singh <sandeep.singh@amd.com>
    xhci: Add reset resume quirk for AMD xhci controller.

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    xhci: Do not use GFP_KERNEL in (potentially) atomic context

Wesley Cheng <wcheng@codeaurora.org>
    usb: dwc3: gadget: Return success always for kick transfer in ep queue

Chunfeng Yun <chunfeng.yun@mediatek.com>
    usb: core: hub: fix race condition about TRSMRCY of resume

Phil Elwell <phil@raspberrypi.com>
    usb: dwc2: Fix gadget DMA unmap direction

Maximilian Luz <luzmaximilian@gmail.com>
    usb: xhci: Increase timeout for HC halt

Ferry Toth <ftoth@exalondelft.nl>
    usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield

Marcel Hamer <marcel@solidxs.se>
    usb: dwc3: omap: improve extcon initialization

Christoph Hellwig <hch@lst.de>
    iomap: fix sub-page uptodate handling

Bart Van Assche <bvanassche@acm.org>
    blk-mq: Swap two calls in blk_mq_exit_queue()

Sun Ke <sunke32@huawei.com>
    nbd: Fix NULL pointer in flush_workqueue

Omar Sandoval <osandov@fb.com>
    kyber: fix out of bounds access when preempted

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    ACPI: scan: Fix a memory leak in an error handling path

Eddie James <eajames@linux.ibm.com>
    hwmon: (occ) Fix poll rate limiting

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    usb: fotg210-hcd: Fix an error message

Dinghao Liu <dinghao.liu@zju.edu.cn>
    iio: proximity: pulsedlight: Fix rumtime PM imbalance on error

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Avoid div-by-zero on gen2

Kai-Heng Feng <kai.heng.feng@canonical.com>
    drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected

Peter Xu <peterx@redhat.com>
    mm/hugetlb: fix F_SEAL_FUTURE_WRITE

Axel Rasmussen <axelrasmussen@google.com>
    userfaultfd: release page in error path to avoid BUG_ON

Phillip Lougher <phillip@squashfs.org.uk>
    squashfs: fix divide error in calculate_skip()

Jouni Roivas <jouni.roivas@tuxera.com>
    hfsplus: prevent corruption in shrinking truncate

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64s: Fix crashes when toggling entry flush barrier

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64s: Fix crashes when toggling stf barrier

Vladimir Isaev <isaev@synopsys.com>
    ARC: mm: PAE: use 40-bit physical page mask

Vineet Gupta <vgupta@synopsys.com>
    ARC: entry: fix off-by-one error in syscall number validation

Mateusz Palczewski <mateusz.palczewski@intel.com>
    i40e: Fix PHY type identifiers for 2.5G and 5G adapters

Jaroslaw Gawin <jaroslawx.gawin@intel.com>
    i40e: fix the restart auto-negotiation after FEC modified

Yunjian Wang <wangyunjian@huawei.com>
    i40e: Fix use-after-free in i40e_client_subtask()

Eric Dumazet <edumazet@google.com>
    netfilter: nftables: avoid overflows in nft_hash_buckets()

Jia-Ju Bai <baijiaju1990@gmail.com>
    kernel: kexec_file: fix error return code of kexec_calculate_store_digests()

Odin Ugedal <odin@uged.al>
    sched/fair: Fix unfairness caused by missing load decay

Quentin Perret <qperret@google.com>
    sched: Fix out-of-bound access in uclamp

Marc Kleine-Budde <mkl@pengutronix.de>
    can: m_can: m_can_tx_work_queue(): fix tx_skb race condition

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check

Cong Wang <cong.wang@bytedance.com>
    smc: disallow TCP_ULP in smc_setsockopt()

Maciej Żenczykowski <maze@google.com>
    net: fix nla_strcmp to handle more then one trailing null character

Miaohe Lin <linmiaohe@huawei.com>
    ksm: fix potential missing rmap_item for stable_node

Miaohe Lin <linmiaohe@huawei.com>
    mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page()

Miaohe Lin <linmiaohe@huawei.com>
    mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()

Miaohe Lin <linmiaohe@huawei.com>
    khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate()

Kees Cook <keescook@chromium.org>
    drm/radeon: Avoid power table parsing memory leaks

Kees Cook <keescook@chromium.org>
    drm/radeon: Fix off-by-one power_state index heap overwrite

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: xt_SECMARK: add new revision to fix structure layout

Xin Long <lucien.xin@gmail.com>
    sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    ethernet:enic: Fix a use after free bug in enic_hard_start_xmit

Baptiste Lepers <baptiste.lepers@gmail.com>
    sunrpc: Fix misplaced barrier in call_decode

Anup Patel <anup.patel@wdc.com>
    RISC-V: Fix error code returned by riscv_hartid_to_cpuid()

Xin Long <lucien.xin@gmail.com>
    sctp: do asoc update earlier in sctp_sf_do_dupcook_a

Yufeng Mo <moyufeng@huawei.com>
    net: hns3: disable phy loopback setting in hclge_mac_start_phy

Peng Li <lipeng321@huawei.com>
    net: hns3: use netif_tx_disable to stop the transmit queue

Hao Chen <chenhao288@hisilicon.com>
    net: hns3: fix for vxlan gpe tx checksum bug

Jian Shen <shenjian15@huawei.com>
    net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet()

Yufeng Mo <moyufeng@huawei.com>
    net: hns3: initialize the message content in hclge_get_link_mode()

Yufeng Mo <moyufeng@huawei.com>
    net: hns3: fix incorrect configuration for igu_egu_hw_err

Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
    rtc: ds1307: Fix wday settings for rx8130

Jeff Layton <jlayton@kernel.org>
    ceph: fix inode leak on getattr error in __fh_to_dentry

Michael Walle <michael@walle.cc>
    rtc: fsl-ftm-alarm: add MODULE_TABLE()

Olga Kornievskaia <kolga@netapp.com>
    NFSv4.2 fix handling of sr_eof in SEEK's reply

Nikola Livic <nlivic@gmail.com>
    pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()

Yang Yingliang <yangyingliang@huawei.com>
    PCI: endpoint: Fix missing destroy_workqueue()

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFS: Deal correctly with attribute generation counter overflow

Trond Myklebust <trond.myklebust@hammerspace.com>
    NFSv4.2: Always flush out writes in nfs42_proc_fallocate()

Jia-Ju Bai <baijiaju1990@gmail.com>
    rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data()

Zhen Lei <thunder.leizhen@huawei.com>
    ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook

Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
    PCI: Release OF node in pci_scan_device()'s error path

Pali Rohár <pali@kernel.org>
    PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()

Colin Ian King <colin.king@canonical.com>
    f2fs: fix a redundant call to f2fs_balance_fs if an error occurs

Jia-Ju Bai <baijiaju1990@gmail.com>
    thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params()

David Ward <david.ward@gatech.edu>
    ASoC: rt286: Make RT286_SET_GPIO_* readable and writable

Sergei Trofimovich <slyfox@gentoo.org>
    ia64: module: fix symbolizer crash on fdescr

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Add PCI IDs for Hyper-V VF devices.

Felix Fietkau <nbd@nbd.name>
    net: ethernet: mtk_eth_soc: fix RX VLAN offload

Stefan Assmann <sassmann@kpanic.de>
    iavf: remove duplicate free resources calls

Alexey Kardashevskiy <aik@ozlabs.ru>
    powerpc/iommu: Annotate nested lock for lockdep

Lee Gibson <leegib@gmail.com>
    qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth

Gustavo A. R. Silva <gustavoars@kernel.org>
    wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join

Gustavo A. R. Silva <gustavoars@kernel.org>
    wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt

Robin Singh <robin.singh@amd.com>
    drm/amd/display: fixed divide by zero kernel crash during dsc enablement

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/pseries: Stop calling printk in rtas_stop_self()

Yaqi Chen <chendotjs@gmail.com>
    samples/bpf: Fix broken tracex1 due to kprobe argument change

Du Cheng <ducheng2@gmail.com>
    net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule

Gustavo A. R. Silva <gustavoars@kernel.org>
    ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user()

David Ward <david.ward@gatech.edu>
    ASoC: rt286: Generalize support for ALC3263 codec

Srikar Dronamraju <srikar@linux.vnet.ibm.com>
    powerpc/smp: Set numa node before updating mask

Gustavo A. R. Silva <gustavoars@kernel.org>
    flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target()

Gustavo A. R. Silva <gustavoars@kernel.org>
    sctp: Fix out-of-bounds warning in sctp_process_asconf_param()

Kai Vehmanen <kai.vehmanen@linux.intel.com>
    ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume

Mihai Moldovan <ionic@ionic.de>
    kconfig: nconf: stop endless search loops

Yonghong Song <yhs@fb.com>
    selftests: Set CC to clang in lib.mk if LLVM is set

Anthony Wang <anthony1.wang@amd.com>
    drm/amd/display: Force vsync flip when reconfiguring MPCC

Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
    iommu/amd: Remove performance counter pre-initialization test

Paul Menzel <pmenzel@molgen.mpg.de>
    Revert "iommu/amd: Fix performance counter initialization"

Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
    ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init()

Miklos Szeredi <mszeredi@redhat.com>
    cuse: prevent clone

David Bauer <mail@david-bauer.net>
    mt76: mt76x0: disable GTK offloading

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    pinctrl: samsung: use 'int' for register masks in Exynos

Emmanuel Grumbach <emmanuel.grumbach@intel.com>
    mac80211: clear the beacon's CRC after channel switch

Bence Csókás <bence98@sch.bme.hu>
    i2c: Add I2C_AQ_NO_REP_START adapter quirk

Hans de Goede <hdegoede@redhat.com>
    ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet

Eric Dumazet <edumazet@google.com>
    ip6_vti: proper dev_{hold|put} in ndo_[un]init methods

Archie Pusaka <apusaka@chromium.org>
    Bluetooth: check for zapped sk before connecting

Nikolay Aleksandrov <nikolay@nvidia.com>
    net: bridge: when suppression is enabled exclude RARP packets

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Bluetooth: initialize skb_queue_head at l2cap_chan_create()

Archie Pusaka <apusaka@chromium.org>
    Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: bebob: enable to deliver MIDI messages for multiple ports

Tong Zhang <ztong0001@gmail.com>
    ALSA: rme9652: don't disable if not enabled

Tong Zhang <ztong0001@gmail.com>
    ALSA: hdspm: don't disable if not enabled

Tong Zhang <ztong0001@gmail.com>
    ALSA: hdsp: don't disable if not enabled

Wolfram Sang <wsa+renesas@sang-engineering.com>
    i2c: bail out early when RDWR parameters are wrong

Mikhail Durnev <mikhail_durnev@mentor.com>
    ASoC: rsnd: core: Check convert rate in rsnd_hw_params

Jonathan McDowell <noodles@earth.li>
    net: stmmac: Set FIFO sizes for ipq806x

Hans de Goede <hdegoede@redhat.com>
    ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF

Hoang Le <hoang.h.le@dektech.com.au>
    tipc: convert dest node's address to network order

Alexander Aring <aahringo@redhat.com>
    fs: dlm: fix debugfs dump

Tony Lindgren <tony@atomide.com>
    PM: runtime: Fix unpaired parent child_count for force_resume

Sean Christopherson <seanjc@google.com>
    KVM: x86/mmu: Remove the defunct update_pte() paging hook

Jarkko Sakkinen <jarkko@kernel.org>
    tpm, tpm_tis: Reserve locality in tpm_tis_resume()

Jarkko Sakkinen <jarkko@kernel.org>
    tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt()

Zhen Lei <thunder.leizhen@huawei.com>
    tpm: fix error return code in tpm2_get_cc_attrs_tbl()


-------------

Diffstat:

 Documentation/arm/memory.rst                       |  7 +-
 Makefile                                           |  4 +-
 arch/arc/include/asm/page.h                        | 12 +++
 arch/arc/include/asm/pgtable.h                     | 12 +--
 arch/arc/include/uapi/asm/page.h                   |  1 -
 arch/arc/kernel/entry.S                            |  4 +-
 arch/arc/mm/ioremap.c                              |  5 +-
 arch/arc/mm/tlb.c                                  |  2 +-
 arch/arm/include/asm/fixmap.h                      |  2 +-
 arch/arm/include/asm/memory.h                      |  5 ++
 arch/arm/include/asm/prom.h                        |  4 +-
 arch/arm/kernel/atags.h                            |  4 +-
 arch/arm/kernel/atags_parse.c                      |  6 +-
 arch/arm/kernel/devtree.c                          |  6 +-
 arch/arm/kernel/head.S                             |  9 +--
 arch/arm/kernel/hw_breakpoint.c                    |  2 +-
 arch/arm/kernel/setup.c                            | 19 +++--
 arch/arm/mm/init.c                                 |  1 -
 arch/arm/mm/mmu.c                                  | 20 +++--
 arch/arm/mm/pv-fixup-asm.S                         |  4 +-
 arch/ia64/include/asm/module.h                     |  6 +-
 arch/ia64/kernel/module.c                          | 29 ++++++-
 arch/mips/include/asm/div64.h                      | 55 ++++++++++----
 arch/powerpc/kernel/iommu.c                        |  4 +-
 arch/powerpc/kernel/smp.c                          |  6 +-
 arch/powerpc/lib/feature-fixups.c                  | 35 ++++++++-
 arch/powerpc/platforms/pseries/hotplug-cpu.c       |  3 -
 arch/riscv/kernel/smp.c                            |  2 +-
 arch/x86/include/asm/kvm_host.h                    |  3 -
 arch/x86/kvm/mmu.c                                 | 33 +-------
 arch/x86/kvm/x86.c                                 |  2 +-
 block/bfq-iosched.c                                |  3 +-
 block/blk-mq-sched.c                               |  8 +-
 block/blk-mq.c                                     |  6 +-
 block/kyber-iosched.c                              |  5 +-
 block/mq-deadline.c                                |  3 +-
 drivers/acpi/scan.c                                |  1 +
 drivers/base/power/runtime.c                       | 10 ++-
 drivers/block/nbd.c                                |  3 +-
 drivers/char/tpm/tpm2-cmd.c                        |  1 +
 drivers/char/tpm/tpm_tis_core.c                    | 22 ++++--
 drivers/clk/samsung/clk-exynos7.c                  |  7 +-
 drivers/gpu/drm/amd/display/dc/core/dc.c           |  4 +
 drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c  | 15 ++--
 drivers/gpu/drm/i915/gem/i915_gem_mman.c           |  2 +-
 drivers/gpu/drm/radeon/radeon.h                    |  1 +
 drivers/gpu/drm/radeon/radeon_atombios.c           | 26 +++++--
 drivers/gpu/drm/radeon/radeon_pm.c                 |  8 ++
 drivers/gpu/drm/radeon/si_dpm.c                    |  3 +
 drivers/hwmon/occ/common.c                         |  5 +-
 drivers/hwmon/occ/common.h                         |  2 +-
 drivers/i2c/i2c-dev.c                              |  9 ++-
 drivers/iio/gyro/mpu3050-core.c                    | 13 +++-
 drivers/iio/light/tsl2583.c                        |  8 ++
 drivers/iio/proximity/pulsedlight-lidar-lite-v2.c  |  1 +
 drivers/iommu/amd_iommu_init.c                     | 49 +-----------
 drivers/net/can/m_can/m_can.c                      |  3 +-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          | 19 ++++-
 drivers/net/ethernet/cisco/enic/enic_main.c        |  7 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c    | 12 ++-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c |  3 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h |  3 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c |  2 +-
 .../ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c    |  2 +
 drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h  |  6 +-
 drivers/net/ethernet/intel/i40e/i40e_client.c      |  1 +
 drivers/net/ethernet/intel/i40e/i40e_common.c      |  4 +-
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c     |  7 +-
 drivers/net/ethernet/intel/i40e/i40e_type.h        |  7 +-
 drivers/net/ethernet/intel/iavf/iavf_main.c        |  2 -
 drivers/net/ethernet/mediatek/mtk_eth_soc.c        |  2 +-
 drivers/net/ethernet/mediatek/mtk_eth_soc.h        |  1 +
 .../net/ethernet/stmicro/stmmac/dwmac-ipq806x.c    |  2 +
 drivers/net/fddi/Kconfig                           | 15 ++--
 drivers/net/wireless/mediatek/mt76/mt76x02_util.c  |  4 +
 drivers/net/wireless/quantenna/qtnfmac/event.c     |  6 +-
 drivers/net/wireless/wl3501.h                      | 47 ++++++------
 drivers/net/wireless/wl3501_cs.c                   | 54 +++++++------
 drivers/nvme/host/core.c                           |  3 +-
 drivers/pci/controller/pcie-iproc-msi.c            |  2 +-
 drivers/pci/endpoint/functions/pci-epf-test.c      |  3 +
 drivers/pci/probe.c                                |  1 +
 drivers/pinctrl/samsung/pinctrl-exynos.c           | 10 +--
 drivers/rpmsg/qcom_glink_native.c                  |  1 +
 drivers/rtc/rtc-ds1307.c                           | 12 ++-
 drivers/rtc/rtc-fsl-ftm-alarm.c                    |  1 +
 drivers/thermal/fair_share.c                       |  4 +
 drivers/thermal/of-thermal.c                       |  7 +-
 drivers/usb/class/cdc-wdm.c                        | 30 ++++++--
 drivers/usb/core/hub.c                             |  6 +-
 drivers/usb/dwc2/core.h                            |  2 +
 drivers/usb/dwc2/gadget.c                          |  3 +-
 drivers/usb/dwc3/dwc3-omap.c                       |  5 ++
 drivers/usb/dwc3/dwc3-pci.c                        |  1 +
 drivers/usb/dwc3/gadget.c                          |  4 +-
 drivers/usb/host/fotg210-hcd.c                     |  4 +-
 drivers/usb/host/xhci-ext-caps.h                   |  5 +-
 drivers/usb/host/xhci-pci.c                        |  4 +-
 drivers/usb/host/xhci.c                            |  6 +-
 drivers/usb/typec/tcpm/tcpm.c                      |  6 +-
 fs/ceph/export.c                                   |  4 +-
 fs/dlm/debug_fs.c                                  |  1 +
 fs/f2fs/inline.c                                   |  3 +-
 fs/f2fs/verity.c                                   | 75 ++++++++++++------
 fs/fuse/cuse.c                                     |  2 +
 fs/hfsplus/extents.c                               |  7 +-
 fs/hugetlbfs/inode.c                               |  5 ++
 fs/iomap/buffered-io.c                             | 34 ++++++---
 fs/nfs/flexfilelayout/flexfilelayout.c             |  2 +-
 fs/nfs/inode.c                                     |  8 +-
 fs/nfs/nfs42proc.c                                 | 21 ++++--
 fs/squashfs/file.c                                 |  6 +-
 include/linux/elevator.h                           |  2 +-
 include/linux/i2c.h                                |  2 +
 include/linux/iomap.h                              |  1 +
 include/linux/mm.h                                 | 32 ++++++++
 include/linux/mm_types.h                           |  4 +-
 include/linux/pm.h                                 |  1 +
 include/net/page_pool.h                            | 12 ++-
 include/uapi/linux/netfilter/xt_SECMARK.h          |  6 ++
 kernel/kexec_file.c                                |  4 +-
 kernel/sched/core.c                                |  2 +-
 kernel/sched/fair.c                                | 12 ++-
 lib/kobject_uevent.c                               |  9 ++-
 lib/nlattr.c                                       |  2 +-
 mm/hugetlb.c                                       | 11 ++-
 mm/khugepaged.c                                    | 18 ++---
 mm/ksm.c                                           |  1 +
 mm/migrate.c                                       |  7 ++
 mm/shmem.c                                         | 34 ++++-----
 net/bluetooth/l2cap_core.c                         |  4 +
 net/bluetooth/l2cap_sock.c                         |  8 ++
 net/bridge/br_arp_nd_proxy.c                       |  4 +-
 net/core/ethtool.c                                 |  2 +-
 net/core/flow_dissector.c                          |  6 +-
 net/core/page_pool.c                               |  6 +-
 net/ipv6/ip6_vti.c                                 |  2 +-
 net/mac80211/mlme.c                                |  5 ++
 net/netfilter/nf_conntrack_standalone.c            |  5 +-
 net/netfilter/nfnetlink_osf.c                      |  2 +
 net/netfilter/nft_set_hash.c                       | 10 ++-
 net/netfilter/xt_SECMARK.c                         | 88 +++++++++++++++++-----
 net/sched/sch_taprio.c                             |  6 ++
 net/sctp/sm_make_chunk.c                           |  2 +-
 net/sctp/sm_statefuns.c                            | 28 +++++--
 net/smc/af_smc.c                                   |  4 +-
 net/sunrpc/clnt.c                                  | 11 ++-
 net/tipc/netlink_compat.c                          |  2 +-
 samples/bpf/tracex1_kern.c                         |  4 +-
 scripts/kconfig/nconf.c                            |  2 +-
 sound/firewire/bebob/bebob_stream.c                | 12 +--
 sound/pci/hda/patch_hdmi.c                         |  4 +-
 sound/pci/rme9652/hdsp.c                           |  3 +-
 sound/pci/rme9652/hdspm.c                          |  3 +-
 sound/pci/rme9652/rme9652.c                        |  3 +-
 sound/soc/codecs/rt286.c                           | 23 +++---
 sound/soc/intel/boards/bytcr_rt5640.c              | 20 +++++
 sound/soc/sh/rcar/core.c                           | 69 ++++++++++++++++-
 sound/soc/sh/rcar/ssi.c                            | 16 ++--
 tools/testing/selftests/lib.mk                     |  4 +
 160 files changed, 1035 insertions(+), 502 deletions(-)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 001/141] tpm: fix error return code in tpm2_get_cc_attrs_tbl()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 002/141] tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt() Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Jarkko Sakkinen

From: Zhen Lei <thunder.leizhen@huawei.com>

commit 1df83992d977355177810c2b711afc30546c81ce upstream.

If the total number of commands queried through TPM2_CAP_COMMANDS is
different from that queried through TPM2_CC_GET_CAPABILITY, it indicates
an unknown error. In this case, an appropriate error code -EFAULT should
be returned. However, we currently do not explicitly assign this error
code to 'rc'. As a result, 0 was incorrectly returned.

Cc: stable@vger.kernel.org
Fixes: 58472f5cd4f6("tpm: validate TPM 2.0 commands")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm2-cmd.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/char/tpm/tpm2-cmd.c
+++ b/drivers/char/tpm/tpm2-cmd.c
@@ -962,6 +962,7 @@ static int tpm2_get_cc_attrs_tbl(struct
 
 	if (nr_commands !=
 	    be32_to_cpup((__be32 *)&buf.data[TPM_HEADER_SIZE + 5])) {
+		rc = -EFAULT;
 		tpm_buf_destroy(&buf);
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 002/141] tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 001/141] tpm: fix error return code in tpm2_get_cc_attrs_tbl() Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 003/141] tpm, tpm_tis: Reserve locality in tpm_tis_resume() Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Lino Sanfilippo,
	Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko@kernel.org>

commit e630af7dfb450d1c00c30077314acf33032ff9e4 upstream.

The earlier fix (linked) only partially fixed the locality handling bug
in tpm_tis_gen_interrupt(), i.e. only for TPM 1.x.

Extend the locality handling to cover TPM2.

Cc: Hans de Goede <hdegoede@redhat.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/linux-integrity/20210220125534.20707-1-jarkko@kernel.org/
Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
Reported-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Tested-by: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_tis_core.c |   10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -620,16 +620,14 @@ static int tpm_tis_gen_interrupt(struct
 	cap_t cap;
 	int ret;
 
-	/* TPM 2.0 */
-	if (chip->flags & TPM_CHIP_FLAG_TPM2)
-		return tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
-
-	/* TPM 1.2 */
 	ret = request_locality(chip, 0);
 	if (ret < 0)
 		return ret;
 
-	ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
+	if (chip->flags & TPM_CHIP_FLAG_TPM2)
+		ret = tpm2_get_tpm_pt(chip, 0x100, &cap2, desc);
+	else
+		ret = tpm1_getcap(chip, TPM_CAP_PROP_TIS_TIMEOUT, &cap, desc, 0);
 
 	release_locality(chip, 0);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 003/141] tpm, tpm_tis: Reserve locality in tpm_tis_resume()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 001/141] tpm: fix error return code in tpm2_get_cc_attrs_tbl() Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 002/141] tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt() Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 004/141] KVM: x86/mmu: Remove the defunct update_pte() paging hook Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lino Sanfilippo, Hans de Goede,
	Jarkko Sakkinen

From: Jarkko Sakkinen <jarkko@kernel.org>

commit 8a2d296aaebadd68d9c1f6908667df1d1c84c051 upstream.

Reserve locality in tpm_tis_resume(), as it could be unsert after waking
up from a sleep state.

Cc: stable@vger.kernel.org
Cc: Lino Sanfilippo <LinoSanfilippo@gmx.de>
Reported-by: Hans de Goede <hdegoede@redhat.com>
Fixes: a3fbfae82b4c ("tpm: take TPM chip power gating out of tpm_transmit()")
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_tis_core.c |   12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

--- a/drivers/char/tpm/tpm_tis_core.c
+++ b/drivers/char/tpm/tpm_tis_core.c
@@ -1035,12 +1035,20 @@ int tpm_tis_resume(struct device *dev)
 	if (ret)
 		return ret;
 
-	/* TPM 1.2 requires self-test on resume. This function actually returns
+	/*
+	 * TPM 1.2 requires self-test on resume. This function actually returns
 	 * an error code but for unknown reason it isn't handled.
 	 */
-	if (!(chip->flags & TPM_CHIP_FLAG_TPM2))
+	if (!(chip->flags & TPM_CHIP_FLAG_TPM2)) {
+		ret = request_locality(chip, 0);
+		if (ret < 0)
+			return ret;
+
 		tpm1_do_selftest(chip);
 
+		release_locality(chip, 0);
+	}
+
 	return 0;
 }
 EXPORT_SYMBOL_GPL(tpm_tis_resume);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 004/141] KVM: x86/mmu: Remove the defunct update_pte() paging hook
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-05-17 14:00 ` [PATCH 5.4 003/141] tpm, tpm_tis: Reserve locality in tpm_tis_resume() Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 005/141] PM: runtime: Fix unpaired parent child_count for force_resume Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yu Zhang, Sean Christopherson,
	Paolo Bonzini, Jack Wang

From: Sean Christopherson <seanjc@google.com>

commit c5e2184d1544f9e56140791eff1a351bea2e63b9 upstream.

Remove the update_pte() shadow paging logic, which was obsoleted by
commit 4731d4c7a077 ("KVM: MMU: out of sync shadow core"), but never
removed.  As pointed out by Yu, KVM never write protects leaf page
tables for the purposes of shadow paging, and instead marks their
associated shadow page as unsync so that the guest can write PTEs at
will.

The update_pte() path, which predates the unsync logic, optimizes COW
scenarios by refreshing leaf SPTEs when they are written, as opposed to
zapping the SPTE, restarting the guest, and installing the new SPTE on
the subsequent fault.  Since KVM no longer write-protects leaf page
tables, update_pte() is unreachable and can be dropped.

Reported-by: Yu Zhang <yu.c.zhang@intel.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210115004051.4099250-1-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
(jwang: backport to 5.4 to fix a warning on AMD nested Virtualization)
Signed-off-by: Jack Wang <jinpu.wang@ionos.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/x86/include/asm/kvm_host.h |    3 ---
 arch/x86/kvm/mmu.c              |   33 ++-------------------------------
 arch/x86/kvm/x86.c              |    1 -
 3 files changed, 2 insertions(+), 35 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -391,8 +391,6 @@ struct kvm_mmu {
 	int (*sync_page)(struct kvm_vcpu *vcpu,
 			 struct kvm_mmu_page *sp);
 	void (*invlpg)(struct kvm_vcpu *vcpu, gva_t gva, hpa_t root_hpa);
-	void (*update_pte)(struct kvm_vcpu *vcpu, struct kvm_mmu_page *sp,
-			   u64 *spte, const void *pte);
 	hpa_t root_hpa;
 	gpa_t root_cr3;
 	union kvm_mmu_role mmu_role;
@@ -944,7 +942,6 @@ struct kvm_arch {
 struct kvm_vm_stat {
 	ulong mmu_shadow_zapped;
 	ulong mmu_pte_write;
-	ulong mmu_pte_updated;
 	ulong mmu_pde_zapped;
 	ulong mmu_flooded;
 	ulong mmu_recycled;
--- a/arch/x86/kvm/mmu.c
+++ b/arch/x86/kvm/mmu.c
@@ -2243,13 +2243,6 @@ static void nonpaging_invlpg(struct kvm_
 {
 }
 
-static void nonpaging_update_pte(struct kvm_vcpu *vcpu,
-				 struct kvm_mmu_page *sp, u64 *spte,
-				 const void *pte)
-{
-	WARN_ON(1);
-}
-
 #define KVM_PAGE_ARRAY_NR 16
 
 struct kvm_mmu_pages {
@@ -4356,7 +4349,6 @@ static void nonpaging_init_context(struc
 	context->gva_to_gpa = nonpaging_gva_to_gpa;
 	context->sync_page = nonpaging_sync_page;
 	context->invlpg = nonpaging_invlpg;
-	context->update_pte = nonpaging_update_pte;
 	context->root_level = 0;
 	context->shadow_root_level = PT32E_ROOT_LEVEL;
 	context->direct_map = true;
@@ -4935,7 +4927,6 @@ static void paging64_init_context_common
 	context->gva_to_gpa = paging64_gva_to_gpa;
 	context->sync_page = paging64_sync_page;
 	context->invlpg = paging64_invlpg;
-	context->update_pte = paging64_update_pte;
 	context->shadow_root_level = level;
 	context->direct_map = false;
 }
@@ -4964,7 +4955,6 @@ static void paging32_init_context(struct
 	context->gva_to_gpa = paging32_gva_to_gpa;
 	context->sync_page = paging32_sync_page;
 	context->invlpg = paging32_invlpg;
-	context->update_pte = paging32_update_pte;
 	context->shadow_root_level = PT32E_ROOT_LEVEL;
 	context->direct_map = false;
 }
@@ -5039,7 +5029,6 @@ static void init_kvm_tdp_mmu(struct kvm_
 	context->page_fault = tdp_page_fault;
 	context->sync_page = nonpaging_sync_page;
 	context->invlpg = nonpaging_invlpg;
-	context->update_pte = nonpaging_update_pte;
 	context->shadow_root_level = kvm_x86_ops->get_tdp_level(vcpu);
 	context->direct_map = true;
 	context->set_cr3 = kvm_x86_ops->set_tdp_cr3;
@@ -5172,7 +5161,6 @@ void kvm_init_shadow_ept_mmu(struct kvm_
 	context->gva_to_gpa = ept_gva_to_gpa;
 	context->sync_page = ept_sync_page;
 	context->invlpg = ept_invlpg;
-	context->update_pte = ept_update_pte;
 	context->root_level = PT64_ROOT_4LEVEL;
 	context->direct_map = false;
 	context->mmu_role.as_u64 = new_role.as_u64;
@@ -5312,19 +5300,6 @@ void kvm_mmu_unload(struct kvm_vcpu *vcp
 }
 EXPORT_SYMBOL_GPL(kvm_mmu_unload);
 
-static void mmu_pte_write_new_pte(struct kvm_vcpu *vcpu,
-				  struct kvm_mmu_page *sp, u64 *spte,
-				  const void *new)
-{
-	if (sp->role.level != PT_PAGE_TABLE_LEVEL) {
-		++vcpu->kvm->stat.mmu_pde_zapped;
-		return;
-        }
-
-	++vcpu->kvm->stat.mmu_pte_updated;
-	vcpu->arch.mmu->update_pte(vcpu, sp, spte, new);
-}
-
 static bool need_remote_flush(u64 old, u64 new)
 {
 	if (!is_shadow_present_pte(old))
@@ -5490,14 +5465,10 @@ static void kvm_mmu_pte_write(struct kvm
 
 		local_flush = true;
 		while (npte--) {
-			u32 base_role = vcpu->arch.mmu->mmu_role.base.word;
-
 			entry = *spte;
 			mmu_page_zap_pte(vcpu->kvm, sp, spte);
-			if (gentry &&
-			      !((sp->role.word ^ base_role)
-			      & mmu_base_role_mask.word) && rmap_can_add(vcpu))
-				mmu_pte_write_new_pte(vcpu, sp, spte, &gentry);
+			if (gentry && sp->role.level != PG_LEVEL_4K)
+				++vcpu->kvm->stat.mmu_pde_zapped;
 			if (need_remote_flush(entry, *spte))
 				remote_flush = true;
 			++spte;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -208,7 +208,6 @@ struct kvm_stats_debugfs_item debugfs_en
 	{ "l1d_flush", VCPU_STAT(l1d_flush) },
 	{ "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
 	{ "mmu_pte_write", VM_STAT(mmu_pte_write) },
-	{ "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
 	{ "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
 	{ "mmu_flooded", VM_STAT(mmu_flooded) },
 	{ "mmu_recycled", VM_STAT(mmu_recycled) },



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 005/141] PM: runtime: Fix unpaired parent child_count for force_resume
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-05-17 14:00 ` [PATCH 5.4 004/141] KVM: x86/mmu: Remove the defunct update_pte() paging hook Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 006/141] fs: dlm: fix debugfs dump Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Lindgren, Ulf Hansson,
	Tomi Valkeinen, Rafael J. Wysocki

From: Tony Lindgren <tony@atomide.com>

commit c745253e2a691a40c66790defe85c104a887e14a upstream.

As pm_runtime_need_not_resume() relies also on usage_count, it can return
a different value in pm_runtime_force_suspend() compared to when called in
pm_runtime_force_resume(). Different return values can happen if anything
calls PM runtime functions in between, and causes the parent child_count
to increase on every resume.

So far I've seen the issue only for omapdrm that does complicated things
with PM runtime calls during system suspend for legacy reasons:

omap_atomic_commit_tail() for omapdrm.0
 dispc_runtime_get()
  wakes up 58000000.dss as it's the dispc parent
   dispc_runtime_resume()
    rpm_resume() increases parent child_count
 dispc_runtime_put() won't idle, PM runtime suspend blocked
pm_runtime_force_suspend() for 58000000.dss, !pm_runtime_need_not_resume()
 __update_runtime_status()
system suspended
pm_runtime_force_resume() for 58000000.dss, pm_runtime_need_not_resume()
 pm_runtime_enable() only called because of pm_runtime_need_not_resume()
omap_atomic_commit_tail() for omapdrm.0
 dispc_runtime_get()
  wakes up 58000000.dss as it's the dispc parent
   dispc_runtime_resume()
    rpm_resume() increases parent child_count
 dispc_runtime_put() won't idle, PM runtime suspend blocked
...
rpm_suspend for 58000000.dss but parent child_count is now unbalanced

Let's fix the issue by adding a flag for needs_force_resume and use it in
pm_runtime_force_resume() instead of pm_runtime_need_not_resume().

Additionally omapdrm system suspend could be simplified later on to avoid
lots of unnecessary PM runtime calls and the complexity it adds. The
driver can just use internal functions that are shared between the PM
runtime and system suspend related functions.

Fixes: 4918e1f87c5f ("PM / runtime: Rework pm_runtime_force_suspend/resume()")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
Tested-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Cc: 4.16+ <stable@vger.kernel.org> # 4.16+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/power/runtime.c |   10 +++++++---
 include/linux/pm.h           |    1 +
 2 files changed, 8 insertions(+), 3 deletions(-)

--- a/drivers/base/power/runtime.c
+++ b/drivers/base/power/runtime.c
@@ -1610,6 +1610,7 @@ void pm_runtime_init(struct device *dev)
 	dev->power.request_pending = false;
 	dev->power.request = RPM_REQ_NONE;
 	dev->power.deferred_resume = false;
+	dev->power.needs_force_resume = 0;
 	INIT_WORK(&dev->power.work, pm_runtime_work);
 
 	dev->power.timer_expires = 0;
@@ -1777,10 +1778,12 @@ int pm_runtime_force_suspend(struct devi
 	 * its parent, but set its status to RPM_SUSPENDED anyway in case this
 	 * function will be called again for it in the meantime.
 	 */
-	if (pm_runtime_need_not_resume(dev))
+	if (pm_runtime_need_not_resume(dev)) {
 		pm_runtime_set_suspended(dev);
-	else
+	} else {
 		__update_runtime_status(dev, RPM_SUSPENDED);
+		dev->power.needs_force_resume = 1;
+	}
 
 	return 0;
 
@@ -1807,7 +1810,7 @@ int pm_runtime_force_resume(struct devic
 	int (*callback)(struct device *);
 	int ret = 0;
 
-	if (!pm_runtime_status_suspended(dev) || pm_runtime_need_not_resume(dev))
+	if (!pm_runtime_status_suspended(dev) || !dev->power.needs_force_resume)
 		goto out;
 
 	/*
@@ -1826,6 +1829,7 @@ int pm_runtime_force_resume(struct devic
 
 	pm_runtime_mark_last_busy(dev);
 out:
+	dev->power.needs_force_resume = 0;
 	pm_runtime_enable(dev);
 	return ret;
 }
--- a/include/linux/pm.h
+++ b/include/linux/pm.h
@@ -608,6 +608,7 @@ struct dev_pm_info {
 	unsigned int		idle_notification:1;
 	unsigned int		request_pending:1;
 	unsigned int		deferred_resume:1;
+	unsigned int		needs_force_resume:1;
 	unsigned int		runtime_auto:1;
 	bool			ignore_children:1;
 	unsigned int		no_callbacks:1;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 006/141] fs: dlm: fix debugfs dump
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-05-17 14:00 ` [PATCH 5.4 005/141] PM: runtime: Fix unpaired parent child_count for force_resume Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:00 ` [PATCH 5.4 007/141] tipc: convert dest nodes address to network order Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland, Sasha Levin

From: Alexander Aring <aahringo@redhat.com>

[ Upstream commit 92c48950b43f4a767388cf87709d8687151a641f ]

This patch fixes the following message which randomly pops up during
glocktop call:

seq_file: buggy .next function table_seq_next did not update position index

The issue is that seq_read_iter() in fs/seq_file.c also needs an
increment of the index in an non next record case as well which this
patch fixes otherwise seq_read_iter() will print out the above message.

Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/debug_fs.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/dlm/debug_fs.c b/fs/dlm/debug_fs.c
index d6bbccb0ed15..d5bd990bcab8 100644
--- a/fs/dlm/debug_fs.c
+++ b/fs/dlm/debug_fs.c
@@ -542,6 +542,7 @@ static void *table_seq_next(struct seq_file *seq, void *iter_ptr, loff_t *pos)
 
 		if (bucket >= ls->ls_rsbtbl_size) {
 			kfree(ri);
+			++*pos;
 			return NULL;
 		}
 		tree = toss ? &ls->ls_rsbtbl[bucket].toss : &ls->ls_rsbtbl[bucket].keep;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 007/141] tipc: convert dest nodes address to network order
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-05-17 14:00 ` [PATCH 5.4 006/141] fs: dlm: fix debugfs dump Greg Kroah-Hartman
@ 2021-05-17 14:00 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 008/141] ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:00 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Hoang Le, David S. Miller,
	Sasha Levin

From: Hoang Le <hoang.h.le@dektech.com.au>

[ Upstream commit 1980d37565061ab44bdc2f9e4da477d3b9752e81 ]

(struct tipc_link_info)->dest is in network order (__be32), so we must
convert the value to network order before assigning. The problem detected
by sparse:

net/tipc/netlink_compat.c:699:24: warning: incorrect type in assignment (different base types)
net/tipc/netlink_compat.c:699:24:    expected restricted __be32 [usertype] dest
net/tipc/netlink_compat.c:699:24:    got int

Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/netlink_compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index 11be9a84f8de..561ea834f732 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -673,7 +673,7 @@ static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 	if (err)
 		return err;
 
-	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
+	link_info.dest = htonl(nla_get_flag(link[TIPC_NLA_LINK_DEST]));
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
 	nla_strlcpy(link_info.str, link[TIPC_NLA_LINK_NAME],
 		    TIPC_MAX_LINK_NAME);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 008/141] ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-05-17 14:00 ` [PATCH 5.4 007/141] tipc: convert dest nodes address to network order Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 009/141] net: stmmac: Set FIFO sizes for ipq806x Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Pierre-Louis Bossart,
	Mark Brown, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit b7c7203a1f751348f35fc4bcb157572d303f7573 ]

The Asus T100TAF uses the same jack-detect settings as the T100TA,
this has been confirmed on actual hardware.

Add these settings to the T100TAF quirks to enable jack-detect support
on the T100TAF.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20210312114850.13832-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5640.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index cfd307717473..006cf1e8b602 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -476,6 +476,9 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
 			DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "T100TAF"),
 		},
 		.driver_data = (void *)(BYT_RT5640_IN1_MAP |
+					BYT_RT5640_JD_SRC_JD2_IN4N |
+					BYT_RT5640_OVCD_TH_2000UA |
+					BYT_RT5640_OVCD_SF_0P75 |
 					BYT_RT5640_MONO_SPEAKER |
 					BYT_RT5640_DIFF_MIC |
 					BYT_RT5640_SSP0_AIF2 |
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 009/141] net: stmmac: Set FIFO sizes for ipq806x
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 008/141] ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 010/141] ASoC: rsnd: core: Check convert rate in rsnd_hw_params Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan McDowell, David S. Miller,
	Sasha Levin

From: Jonathan McDowell <noodles@earth.li>

[ Upstream commit e127906b68b49ddb3ecba39ffa36a329c48197d3 ]

Commit eaf4fac47807 ("net: stmmac: Do not accept invalid MTU values")
started using the TX FIFO size to verify what counts as a valid MTU
request for the stmmac driver.  This is unset for the ipq806x variant.
Looking at older patches for this it seems the RX + TXs buffers can be
up to 8k, so set appropriately.

(I sent this as an RFC patch in June last year, but received no replies.
I've been running with this on my hardware (a MikroTik RB3011) since
then with larger MTUs to support both the internal qca8k switch and
VLANs with no problems. Without the patch it's impossible to set the
larger MTU required to support this.)

Signed-off-by: Jonathan McDowell <noodles@earth.li>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
index 826626e870d5..0f56f8e33691 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-ipq806x.c
@@ -351,6 +351,8 @@ static int ipq806x_gmac_probe(struct platform_device *pdev)
 	plat_dat->bsp_priv = gmac;
 	plat_dat->fix_mac_speed = ipq806x_gmac_fix_mac_speed;
 	plat_dat->multicast_filter_bins = 0;
+	plat_dat->tx_fifo_size = 8192;
+	plat_dat->rx_fifo_size = 8192;
 
 	err = stmmac_dvr_probe(&pdev->dev, plat_dat, &stmmac_res);
 	if (err)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 010/141] ASoC: rsnd: core: Check convert rate in rsnd_hw_params
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 009/141] net: stmmac: Set FIFO sizes for ipq806x Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 011/141] i2c: bail out early when RDWR parameters are wrong Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mikhail Durnev, Mark Brown, Sasha Levin

From: Mikhail Durnev <mikhail_durnev@mentor.com>

[ Upstream commit 19c6a63ced5e07e40f3a5255cb1f0fe0d3be7b14 ]

snd_pcm_hw_params_set_rate_near can return incorrect sample rate in
some cases, e.g. when the backend output rate is set to some value higher
than 48000 Hz and the input rate is 8000 Hz. So passing the value returned
by snd_pcm_hw_params_set_rate_near to snd_pcm_hw_params will result in
"FSO/FSI ratio error" and playing no audio at all while the userland
is not properly notified about the issue.

If SRC is unable to convert the requested sample rate to the sample rate
the backend is using, then the requested sample rate should be adjusted in
rsnd_hw_params. The userland will be notified about that change in the
returned hw_params structure.

Signed-off-by: Mikhail Durnev <mikhail_durnev@mentor.com>
Link: https://lore.kernel.org/r/1615870055-13954-1-git-send-email-mikhail_durnev@mentor.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/sh/rcar/core.c | 69 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 68 insertions(+), 1 deletion(-)

diff --git a/sound/soc/sh/rcar/core.c b/sound/soc/sh/rcar/core.c
index a6c1cf987e6e..df8d7b53b760 100644
--- a/sound/soc/sh/rcar/core.c
+++ b/sound/soc/sh/rcar/core.c
@@ -1426,8 +1426,75 @@ static int rsnd_hw_params(struct snd_pcm_substream *substream,
 		}
 		if (io->converted_chan)
 			dev_dbg(dev, "convert channels = %d\n", io->converted_chan);
-		if (io->converted_rate)
+		if (io->converted_rate) {
+			/*
+			 * SRC supports convert rates from params_rate(hw_params)/k_down
+			 * to params_rate(hw_params)*k_up, where k_up is always 6, and
+			 * k_down depends on number of channels and SRC unit.
+			 * So all SRC units can upsample audio up to 6 times regardless
+			 * its number of channels. And all SRC units can downsample
+			 * 2 channel audio up to 6 times too.
+			 */
+			int k_up = 6;
+			int k_down = 6;
+			int channel;
+			struct rsnd_mod *src_mod = rsnd_io_to_mod_src(io);
+
 			dev_dbg(dev, "convert rate     = %d\n", io->converted_rate);
+
+			channel = io->converted_chan ? io->converted_chan :
+				  params_channels(hw_params);
+
+			switch (rsnd_mod_id(src_mod)) {
+			/*
+			 * SRC0 can downsample 4, 6 and 8 channel audio up to 4 times.
+			 * SRC1, SRC3 and SRC4 can downsample 4 channel audio
+			 * up to 4 times.
+			 * SRC1, SRC3 and SRC4 can downsample 6 and 8 channel audio
+			 * no more than twice.
+			 */
+			case 1:
+			case 3:
+			case 4:
+				if (channel > 4) {
+					k_down = 2;
+					break;
+				}
+				fallthrough;
+			case 0:
+				if (channel > 2)
+					k_down = 4;
+				break;
+
+			/* Other SRC units do not support more than 2 channels */
+			default:
+				if (channel > 2)
+					return -EINVAL;
+			}
+
+			if (params_rate(hw_params) > io->converted_rate * k_down) {
+				hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
+					io->converted_rate * k_down;
+				hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
+					io->converted_rate * k_down;
+				hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
+			} else if (params_rate(hw_params) * k_up < io->converted_rate) {
+				hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->min =
+					(io->converted_rate + k_up - 1) / k_up;
+				hw_param_interval(hw_params, SNDRV_PCM_HW_PARAM_RATE)->max =
+					(io->converted_rate + k_up - 1) / k_up;
+				hw_params->cmask |= SNDRV_PCM_HW_PARAM_RATE;
+			}
+
+			/*
+			 * TBD: Max SRC input and output rates also depend on number
+			 * of channels and SRC unit:
+			 * SRC1, SRC3 and SRC4 do not support more than 128kHz
+			 * for 6 channel and 96kHz for 8 channel audio.
+			 * Perhaps this function should return EINVAL if the input or
+			 * the output rate exceeds the limitation.
+			 */
+		}
 	}
 
 	ret = rsnd_dai_call(hw_params, io, substream, hw_params);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 011/141] i2c: bail out early when RDWR parameters are wrong
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 010/141] ASoC: rsnd: core: Check convert rate in rsnd_hw_params Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 012/141] ALSA: hdsp: dont disable if not enabled Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+ffb0b3ffa6cfbc7d7b3f,
	Wolfram Sang, Wolfram Sang, Sasha Levin

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

[ Upstream commit 71581562ee36032d2d574a9b23ad4af6d6a64cf7 ]

The buggy parameters currently get caught later, but emit a noisy WARN.
Userspace should not be able to trigger this, so add similar checks much
earlier. Also avoids some unneeded code paths, of course. Apply kernel
coding stlye to a comment while here.

Reported-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
Tested-by: syzbot+ffb0b3ffa6cfbc7d7b3f@syzkaller.appspotmail.com
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/i2c-dev.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/i2c-dev.c b/drivers/i2c/i2c-dev.c
index 94beacc41302..a3fec3df11b6 100644
--- a/drivers/i2c/i2c-dev.c
+++ b/drivers/i2c/i2c-dev.c
@@ -440,8 +440,13 @@ static long i2cdev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
 				   sizeof(rdwr_arg)))
 			return -EFAULT;
 
-		/* Put an arbitrary limit on the number of messages that can
-		 * be sent at once */
+		if (!rdwr_arg.msgs || rdwr_arg.nmsgs == 0)
+			return -EINVAL;
+
+		/*
+		 * Put an arbitrary limit on the number of messages that can
+		 * be sent at once
+		 */
 		if (rdwr_arg.nmsgs > I2C_RDWR_IOCTL_MAX_MSGS)
 			return -EINVAL;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 012/141] ALSA: hdsp: dont disable if not enabled
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 011/141] i2c: bail out early when RDWR parameters are wrong Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 013/141] ALSA: hdspm: " Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Tong Zhang, Sasha Levin

From: Tong Zhang <ztong0001@gmail.com>

[ Upstream commit 507cdb9adba006a7798c358456426e1aea3d9c4f ]

hdsp wants to disable a not enabled pci device, which makes kernel
throw a warning. Make sure the device is enabled before calling disable.

[    1.758292] snd_hdsp 0000:00:03.0: disabling already-disabled device
[    1.758327] WARNING: CPU: 0 PID: 180 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
[    1.766985] Call Trace:
[    1.767121]  snd_hdsp_card_free+0x94/0xf0 [snd_hdsp]
[    1.767388]  release_card_device+0x4b/0x80 [snd]
[    1.767639]  device_release+0x3b/0xa0
[    1.767838]  kobject_put+0x94/0x1b0
[    1.768027]  put_device+0x13/0x20
[    1.768207]  snd_card_free+0x61/0x90 [snd]
[    1.768430]  snd_hdsp_probe+0x524/0x5e0 [snd_hdsp]

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Link: https://lore.kernel.org/r/20210321153840.378226-2-ztong0001@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/rme9652/hdsp.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
index 5cbdc9be9c7e..c7b3e76ea2d2 100644
--- a/sound/pci/rme9652/hdsp.c
+++ b/sound/pci/rme9652/hdsp.c
@@ -5326,7 +5326,8 @@ static int snd_hdsp_free(struct hdsp *hdsp)
 	if (hdsp->port)
 		pci_release_regions(hdsp->pci);
 
-	pci_disable_device(hdsp->pci);
+	if (pci_is_enabled(hdsp->pci))
+		pci_disable_device(hdsp->pci);
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 013/141] ALSA: hdspm: dont disable if not enabled
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 012/141] ALSA: hdsp: dont disable if not enabled Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 014/141] ALSA: rme9652: " Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Tong Zhang, Sasha Levin

From: Tong Zhang <ztong0001@gmail.com>

[ Upstream commit 790f5719b85e12e10c41753b864e74249585ed08 ]

hdspm wants to disable a not enabled pci device, which makes kernel
throw a warning. Make sure the device is enabled before calling disable.

[    1.786391] snd_hdspm 0000:00:03.0: disabling already-disabled device
[    1.786400] WARNING: CPU: 0 PID: 182 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
[    1.795181] Call Trace:
[    1.795320]  snd_hdspm_card_free+0x58/0xa0 [snd_hdspm]
[    1.795595]  release_card_device+0x4b/0x80 [snd]
[    1.795860]  device_release+0x3b/0xa0
[    1.796072]  kobject_put+0x94/0x1b0
[    1.796260]  put_device+0x13/0x20
[    1.796438]  snd_card_free+0x61/0x90 [snd]
[    1.796659]  snd_hdspm_probe+0x97b/0x1440 [snd_hdspm]

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Link: https://lore.kernel.org/r/20210321153840.378226-3-ztong0001@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/rme9652/hdspm.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
index 81a6f4b2bd3c..e34f07c9ff47 100644
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -6889,7 +6889,8 @@ static int snd_hdspm_free(struct hdspm * hdspm)
 	if (hdspm->port)
 		pci_release_regions(hdspm->pci);
 
-	pci_disable_device(hdspm->pci);
+	if (pci_is_enabled(hdspm->pci))
+		pci_disable_device(hdspm->pci);
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 014/141] ALSA: rme9652: dont disable if not enabled
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 013/141] ALSA: hdspm: " Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 015/141] ALSA: bebob: enable to deliver MIDI messages for multiple ports Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Tong Zhang, Sasha Levin

From: Tong Zhang <ztong0001@gmail.com>

[ Upstream commit f57a741874bb6995089020e97a1dcdf9b165dcbe ]

rme9652 wants to disable a not enabled pci device, which makes kernel
throw a warning. Make sure the device is enabled before calling disable.

[    1.751595] snd_rme9652 0000:00:03.0: disabling already-disabled device
[    1.751605] WARNING: CPU: 0 PID: 174 at drivers/pci/pci.c:2146 pci_disable_device+0x91/0xb0
[    1.759968] Call Trace:
[    1.760145]  snd_rme9652_card_free+0x76/0xa0 [snd_rme9652]
[    1.760434]  release_card_device+0x4b/0x80 [snd]
[    1.760679]  device_release+0x3b/0xa0
[    1.760874]  kobject_put+0x94/0x1b0
[    1.761059]  put_device+0x13/0x20
[    1.761235]  snd_card_free+0x61/0x90 [snd]
[    1.761454]  snd_rme9652_probe+0x3be/0x700 [snd_rme9652]

Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Tong Zhang <ztong0001@gmail.com>
Link: https://lore.kernel.org/r/20210321153840.378226-4-ztong0001@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/rme9652/rme9652.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sound/pci/rme9652/rme9652.c b/sound/pci/rme9652/rme9652.c
index 4c851f8dcaf8..73ad6e74aac9 100644
--- a/sound/pci/rme9652/rme9652.c
+++ b/sound/pci/rme9652/rme9652.c
@@ -1745,7 +1745,8 @@ static int snd_rme9652_free(struct snd_rme9652 *rme9652)
 	if (rme9652->port)
 		pci_release_regions(rme9652->pci);
 
-	pci_disable_device(rme9652->pci);
+	if (pci_is_enabled(rme9652->pci))
+		pci_disable_device(rme9652->pci);
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 015/141] ALSA: bebob: enable to deliver MIDI messages for multiple ports
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 014/141] ALSA: rme9652: " Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 016/141] Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai, Sasha Levin

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

[ Upstream commit d2b6f15bc18ac8fbce25398290774c21f5b2cd44 ]

Current implementation of bebob driver doesn't correctly handle the case
that the device has multiple MIDI ports. The cause is the number of MIDI
conformant data channels is passed to AM824 data block processing layer.

This commit fixes the bug.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210321032831.340278-4-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/bebob/bebob_stream.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/sound/firewire/bebob/bebob_stream.c b/sound/firewire/bebob/bebob_stream.c
index ce07ea0d4e71..3935e90c8e8f 100644
--- a/sound/firewire/bebob/bebob_stream.c
+++ b/sound/firewire/bebob/bebob_stream.c
@@ -534,20 +534,22 @@ int snd_bebob_stream_init_duplex(struct snd_bebob *bebob)
 static int keep_resources(struct snd_bebob *bebob, struct amdtp_stream *stream,
 			  unsigned int rate, unsigned int index)
 {
-	struct snd_bebob_stream_formation *formation;
+	unsigned int pcm_channels;
+	unsigned int midi_ports;
 	struct cmp_connection *conn;
 	int err;
 
 	if (stream == &bebob->tx_stream) {
-		formation = bebob->tx_stream_formations + index;
+		pcm_channels = bebob->tx_stream_formations[index].pcm;
+		midi_ports = bebob->midi_input_ports;
 		conn = &bebob->out_conn;
 	} else {
-		formation = bebob->rx_stream_formations + index;
+		pcm_channels = bebob->rx_stream_formations[index].pcm;
+		midi_ports = bebob->midi_output_ports;
 		conn = &bebob->in_conn;
 	}
 
-	err = amdtp_am824_set_parameters(stream, rate, formation->pcm,
-					 formation->midi, false);
+	err = amdtp_am824_set_parameters(stream, rate, pcm_channels, midi_ports, false);
 	if (err < 0)
 		return err;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 016/141] Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 015/141] ALSA: bebob: enable to deliver MIDI messages for multiple ports Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 017/141] Bluetooth: initialize skb_queue_head at l2cap_chan_create() Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Archie Pusaka,
	syzbot+338f014a98367a08a114, Alain Michaud,
	Abhishek Pandit-Subedi, Guenter Roeck, Marcel Holtmann,
	Sasha Levin

From: Archie Pusaka <apusaka@chromium.org>

[ Upstream commit 3a9d54b1947ecea8eea9a902c0b7eb58a98add8a ]

Currently l2cap_chan_set_defaults() reset chan->conf_state to zero.
However, there is a flag CONF_NOT_COMPLETE which is set when
creating the l2cap_chan. It is suggested that the flag should be
cleared when l2cap_chan is ready, but when l2cap_chan_set_defaults()
is called, l2cap_chan is not yet ready. Therefore, we must set this
flag as the default.

Example crash call trace:
__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0xc4/0x118 lib/dump_stack.c:56
panic+0x1c6/0x38b kernel/panic.c:117
__warn+0x170/0x1b9 kernel/panic.c:471
warn_slowpath_fmt+0xc7/0xf8 kernel/panic.c:494
debug_print_object+0x175/0x193 lib/debugobjects.c:260
debug_object_assert_init+0x171/0x1bf lib/debugobjects.c:614
debug_timer_assert_init kernel/time/timer.c:629 [inline]
debug_assert_init kernel/time/timer.c:677 [inline]
del_timer+0x7c/0x179 kernel/time/timer.c:1034
try_to_grab_pending+0x81/0x2e5 kernel/workqueue.c:1230
cancel_delayed_work+0x7c/0x1c4 kernel/workqueue.c:2929
l2cap_clear_timer+0x1e/0x41 include/net/bluetooth/l2cap.h:834
l2cap_chan_del+0x2d8/0x37e net/bluetooth/l2cap_core.c:640
l2cap_chan_close+0x532/0x5d8 net/bluetooth/l2cap_core.c:756
l2cap_sock_shutdown+0x806/0x969 net/bluetooth/l2cap_sock.c:1174
l2cap_sock_release+0x64/0x14d net/bluetooth/l2cap_sock.c:1217
__sock_release+0xda/0x217 net/socket.c:580
sock_close+0x1b/0x1f net/socket.c:1039
__fput+0x322/0x55c fs/file_table.c:208
____fput+0x17/0x19 fs/file_table.c:244
task_work_run+0x19b/0x1d3 kernel/task_work.c:115
exit_task_work include/linux/task_work.h:21 [inline]
do_exit+0xe4c/0x204a kernel/exit.c:766
do_group_exit+0x291/0x291 kernel/exit.c:891
get_signal+0x749/0x1093 kernel/signal.c:2396
do_signal+0xa5/0xcdb arch/x86/kernel/signal.c:737
exit_to_usermode_loop arch/x86/entry/common.c:243 [inline]
prepare_exit_to_usermode+0xed/0x235 arch/x86/entry/common.c:277
syscall_return_slowpath+0x3a7/0x3b3 arch/x86/entry/common.c:348
int_ret_from_sys_call+0x25/0xa3

Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reported-by: syzbot+338f014a98367a08a114@syzkaller.appspotmail.com
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 3499bace25ec..f5039700d927 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -515,7 +515,9 @@ void l2cap_chan_set_defaults(struct l2cap_chan *chan)
 	chan->flush_to = L2CAP_DEFAULT_FLUSH_TO;
 	chan->retrans_timeout = L2CAP_DEFAULT_RETRANS_TO;
 	chan->monitor_timeout = L2CAP_DEFAULT_MONITOR_TO;
+
 	chan->conf_state = 0;
+	set_bit(CONF_NOT_COMPLETE, &chan->conf_state);
 
 	set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 017/141] Bluetooth: initialize skb_queue_head at l2cap_chan_create()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 016/141] Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 018/141] net: bridge: when suppression is enabled exclude RARP packets Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tetsuo Handa, Marcel Holtmann,
	Sasha Levin, syzbot

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit be8597239379f0f53c9710dd6ab551bbf535bec6 ]

syzbot is hitting "INFO: trying to register non-static key." message [1],
for "struct l2cap_chan"->tx_q.lock spinlock is not yet initialized when
l2cap_chan_del() is called due to e.g. timeout.

Since "struct l2cap_chan"->lock mutex is initialized at l2cap_chan_create()
immediately after "struct l2cap_chan" is allocated using kzalloc(), let's
as well initialize "struct l2cap_chan"->{tx_q,srej_q}.lock spinlocks there.

[1] https://syzkaller.appspot.com/bug?extid=fadfba6a911f6bf71842

Reported-and-tested-by: syzbot <syzbot+fadfba6a911f6bf71842@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f5039700d927..959a16b13303 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -450,6 +450,8 @@ struct l2cap_chan *l2cap_chan_create(void)
 	if (!chan)
 		return NULL;
 
+	skb_queue_head_init(&chan->tx_q);
+	skb_queue_head_init(&chan->srej_q);
 	mutex_init(&chan->lock);
 
 	/* Set default lock nesting level */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 018/141] net: bridge: when suppression is enabled exclude RARP packets
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 017/141] Bluetooth: initialize skb_queue_head at l2cap_chan_create() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 019/141] Bluetooth: check for zapped sk before connecting Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amer Abdalamer, Nikolay Aleksandrov,
	David S. Miller, Sasha Levin

From: Nikolay Aleksandrov <nikolay@nvidia.com>

[ Upstream commit 0353b4a96b7a9f60fe20d1b3ebd4931a4085f91c ]

Recently we had an interop issue where RARP packets got suppressed with
bridge neigh suppression enabled, but the check in the code was meant to
suppress GARP. Exclude RARP packets from it which would allow some VMWare
setups to work, to quote the report:
"Those RARP packets usually get generated by vMware to notify physical
switches when vMotion occurs. vMware may use random sip/tip or just use
sip=tip=0. So the RARP packet sometimes get properly flooded by the vtep
and other times get dropped by the logic"

Reported-by: Amer Abdalamer <amer@nvidia.com>
Signed-off-by: Nikolay Aleksandrov <nikolay@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_arp_nd_proxy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/bridge/br_arp_nd_proxy.c b/net/bridge/br_arp_nd_proxy.c
index b18cdf03edb3..c4e0f4777df5 100644
--- a/net/bridge/br_arp_nd_proxy.c
+++ b/net/bridge/br_arp_nd_proxy.c
@@ -155,7 +155,9 @@ void br_do_proxy_suppress_arp(struct sk_buff *skb, struct net_bridge *br,
 	if (br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED)) {
 		if (p && (p->flags & BR_NEIGH_SUPPRESS))
 			return;
-		if (ipv4_is_zeronet(sip) || sip == tip) {
+		if (parp->ar_op != htons(ARPOP_RREQUEST) &&
+		    parp->ar_op != htons(ARPOP_RREPLY) &&
+		    (ipv4_is_zeronet(sip) || sip == tip)) {
 			/* prevent flooding to neigh suppress ports */
 			BR_INPUT_SKB_CB(skb)->proxyarp_replied = 1;
 			return;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 019/141] Bluetooth: check for zapped sk before connecting
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 018/141] net: bridge: when suppression is enabled exclude RARP packets Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Archie Pusaka,
	syzbot+abfc0f5e668d4099af73, Alain Michaud,
	Abhishek Pandit-Subedi, Guenter Roeck, Marcel Holtmann,
	Sasha Levin

From: Archie Pusaka <apusaka@chromium.org>

[ Upstream commit 3af70b39fa2d415dc86c370e5b24ddb9fdacbd6f ]

There is a possibility of receiving a zapped sock on
l2cap_sock_connect(). This could lead to interesting crashes, one
such case is tearing down an already tore l2cap_sock as is happened
with this call trace:

__dump_stack lib/dump_stack.c:15 [inline]
dump_stack+0xc4/0x118 lib/dump_stack.c:56
register_lock_class kernel/locking/lockdep.c:792 [inline]
register_lock_class+0x239/0x6f6 kernel/locking/lockdep.c:742
__lock_acquire+0x209/0x1e27 kernel/locking/lockdep.c:3105
lock_acquire+0x29c/0x2fb kernel/locking/lockdep.c:3599
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:137 [inline]
_raw_spin_lock_bh+0x38/0x47 kernel/locking/spinlock.c:175
spin_lock_bh include/linux/spinlock.h:307 [inline]
lock_sock_nested+0x44/0xfa net/core/sock.c:2518
l2cap_sock_teardown_cb+0x88/0x2fb net/bluetooth/l2cap_sock.c:1345
l2cap_chan_del+0xa3/0x383 net/bluetooth/l2cap_core.c:598
l2cap_chan_close+0x537/0x5dd net/bluetooth/l2cap_core.c:756
l2cap_chan_timeout+0x104/0x17e net/bluetooth/l2cap_core.c:429
process_one_work+0x7e3/0xcb0 kernel/workqueue.c:2064
worker_thread+0x5a5/0x773 kernel/workqueue.c:2196
kthread+0x291/0x2a6 kernel/kthread.c:211
ret_from_fork+0x4e/0x80 arch/x86/entry/entry_64.S:604

Signed-off-by: Archie Pusaka <apusaka@chromium.org>
Reported-by: syzbot+abfc0f5e668d4099af73@syzkaller.appspotmail.com
Reviewed-by: Alain Michaud <alainm@chromium.org>
Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_sock.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 8648c5211ebe..e693fee08623 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -179,9 +179,17 @@ static int l2cap_sock_connect(struct socket *sock, struct sockaddr *addr,
 	struct l2cap_chan *chan = l2cap_pi(sk)->chan;
 	struct sockaddr_l2 la;
 	int len, err = 0;
+	bool zapped;
 
 	BT_DBG("sk %p", sk);
 
+	lock_sock(sk);
+	zapped = sock_flag(sk, SOCK_ZAPPED);
+	release_sock(sk);
+
+	if (zapped)
+		return -EINVAL;
+
 	if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
 	    addr->sa_family != AF_BLUETOOTH)
 		return -EINVAL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 019/141] Bluetooth: check for zapped sk before connecting Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-20  6:16   ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2021-05-17 14:01 ` [PATCH 5.4 021/141] ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  147 siblings, 1 reply; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]

After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
a warning [1]

Issue here is that:

- all dev_put() should be paired with a corresponding prior dev_hold().

- A driver doing a dev_put() in its ndo_uninit() MUST also
  do a dev_hold() in its ndo_init(), only when ndo_init()
  is returning 0.

Otherwise, register_netdevice() would call ndo_uninit()
in its error path and release a refcount too soon.

Therefore, we need to move dev_hold() call from
vti6_tnl_create2() to vti6_dev_init_gen()

[1]
WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31 refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
FS:  00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_dec include/linux/refcount.h:344 [inline]
 refcount_dec include/linux/refcount.h:359 [inline]
 dev_put include/linux/netdevice.h:4135 [inline]
 vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
 register_netdevice+0xadf/0x1500 net/core/dev.c:10308
 vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
 vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x331/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmmsg+0x195/0x470 net/socket.c:2490
 __do_sys_sendmmsg net/socket.c:2519 [inline]
 __se_sys_sendmmsg net/socket.c:2516 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_vti.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index cc6180e08a4f..01ddb0f70c57 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev)
 
 	strcpy(t->parms.name, dev->name);
 
-	dev_hold(dev);
 	vti6_tnl_link(ip6n, t);
 
 	return 0;
@@ -921,6 +920,7 @@ static inline int vti6_dev_init_gen(struct net_device *dev)
 	dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
 	if (!dev->tstats)
 		return -ENOMEM;
+	dev_hold(dev);
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 021/141] ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 022/141] i2c: Add I2C_AQ_NO_REP_START adapter quirk Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans de Goede, Mark Brown, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 875c40eadf6ac6644c0f71842a4f30dd9968d281 ]

The Chuwi Hi8 tablet is using an analog mic on IN1 and has its
jack-detect connected to JD2_IN4N, instead of using the default
IN3 for its internal mic and JD1_IN4P for jack-detect.

It also only has 1 speaker.

Add a quirk applying the correct settings for this configuration.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20210325221054.22714-1-hdegoede@redhat.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/intel/boards/bytcr_rt5640.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/sound/soc/intel/boards/bytcr_rt5640.c b/sound/soc/intel/boards/bytcr_rt5640.c
index 006cf1e8b602..46a81d4f0b2d 100644
--- a/sound/soc/intel/boards/bytcr_rt5640.c
+++ b/sound/soc/intel/boards/bytcr_rt5640.c
@@ -512,6 +512,23 @@ static const struct dmi_system_id byt_rt5640_quirk_table[] = {
 					BYT_RT5640_SSP0_AIF1 |
 					BYT_RT5640_MCLK_EN),
 	},
+	{
+		/* Chuwi Hi8 (CWI509) */
+		.matches = {
+			DMI_MATCH(DMI_BOARD_VENDOR, "Hampoo"),
+			DMI_MATCH(DMI_BOARD_NAME, "BYT-PA03C"),
+			DMI_MATCH(DMI_SYS_VENDOR, "ilife"),
+			DMI_MATCH(DMI_PRODUCT_NAME, "S806"),
+		},
+		.driver_data = (void *)(BYT_RT5640_IN1_MAP |
+					BYT_RT5640_JD_SRC_JD2_IN4N |
+					BYT_RT5640_OVCD_TH_2000UA |
+					BYT_RT5640_OVCD_SF_0P75 |
+					BYT_RT5640_MONO_SPEAKER |
+					BYT_RT5640_DIFF_MIC |
+					BYT_RT5640_SSP0_AIF1 |
+					BYT_RT5640_MCLK_EN),
+	},
 	{
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "Circuitco"),
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 022/141] i2c: Add I2C_AQ_NO_REP_START adapter quirk
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 021/141] ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 023/141] mac80211: clear the beacons CRC after channel switch Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wolfram Sang, Bence Csókás,
	Sasha Levin

From: Bence Csókás <bence98@sch.bme.hu>

[ Upstream commit aca01415e076aa96cca0f801f4420ee5c10c660d ]

This quirk signifies that the adapter cannot do a repeated
START, it always issues a STOP condition after transfers.

Suggested-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Bence Csókás <bence98@sch.bme.hu>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/i2c.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/linux/i2c.h b/include/linux/i2c.h
index 1361637c369d..af2b799d7a66 100644
--- a/include/linux/i2c.h
+++ b/include/linux/i2c.h
@@ -677,6 +677,8 @@ struct i2c_adapter_quirks {
 #define I2C_AQ_NO_ZERO_LEN_READ		BIT(5)
 #define I2C_AQ_NO_ZERO_LEN_WRITE	BIT(6)
 #define I2C_AQ_NO_ZERO_LEN		(I2C_AQ_NO_ZERO_LEN_READ | I2C_AQ_NO_ZERO_LEN_WRITE)
+/* adapter cannot do repeated START */
+#define I2C_AQ_NO_REP_START		BIT(7)
 
 /*
  * i2c_adapter is the structure used to identify a physical i2c bus along
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 023/141] mac80211: clear the beacons CRC after channel switch
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 022/141] i2c: Add I2C_AQ_NO_REP_START adapter quirk Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 024/141] pinctrl: samsung: use int for register masks in Exynos Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Emmanuel Grumbach, Johannes Berg,
	Sasha Levin

From: Emmanuel Grumbach <emmanuel.grumbach@intel.com>

[ Upstream commit d6843d1ee283137723b4a8c76244607ce6db1951 ]

After channel switch, we should consider any beacon with a
CSA IE as a new switch. If the CSA IE is a leftover from
before the switch that the AP forgot to remove, we'll get
a CSA-to-Self.

This caused issues in iwlwifi where the firmware saw a beacon
with a CSA-to-Self with mode = 1 on the new channel after a
switch. The firmware considered this a new switch and closed
its queues. Since the beacon didn't change between before and
after the switch, we wouldn't handle it (the CRC is the same)
and we wouldn't let the firmware open its queues again or
disconnect if the CSA IE stays for too long.

Clear the CRC valid state after we switch to make sure that
we handle the beacon and handle the CSA IE as required.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Link: https://lore.kernel.org/r/20210408143124.b9e68aa98304.I465afb55ca2c7d59f7bf610c6046a1fd732b4c28@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/mlme.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 17a3a1c938be..44fd922cc32a 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -1215,6 +1215,11 @@ static void ieee80211_chswitch_post_beacon(struct ieee80211_sub_if_data *sdata)
 
 	sdata->vif.csa_active = false;
 	ifmgd->csa_waiting_bcn = false;
+	/*
+	 * If the CSA IE is still present on the beacon after the switch,
+	 * we need to consider it as a new CSA (possibly to self).
+	 */
+	ifmgd->beacon_crc_valid = false;
 
 	ret = drv_post_channel_switch(sdata);
 	if (ret) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 024/141] pinctrl: samsung: use int for register masks in Exynos
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 023/141] mac80211: clear the beacons CRC after channel switch Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 025/141] mt76: mt76x0: disable GTK offloading Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
	Sylwester Nawrocki, Linus Walleij, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

[ Upstream commit fa0c10a5f3a49130dd11281aa27e7e1c8654abc7 ]

The Special Function Registers on all Exynos SoC, including ARM64, are
32-bit wide, so entire driver uses matching functions like readl() or
writel().  On 64-bit ARM using unsigned long for register masks:
1. makes little sense as immediately after bitwise operation it will be
   cast to 32-bit value when calling writel(),
2. is actually error-prone because it might promote other operands to
   64-bit.

Addresses-Coverity: Unintentional integer overflow
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Link: https://lore.kernel.org/r/20210408195029.69974-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pinctrl/samsung/pinctrl-exynos.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/pinctrl/samsung/pinctrl-exynos.c b/drivers/pinctrl/samsung/pinctrl-exynos.c
index 84501c785473..1cf31fe2674d 100644
--- a/drivers/pinctrl/samsung/pinctrl-exynos.c
+++ b/drivers/pinctrl/samsung/pinctrl-exynos.c
@@ -55,7 +55,7 @@ static void exynos_irq_mask(struct irq_data *irqd)
 	struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
 	struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
 	unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
-	unsigned long mask;
+	unsigned int mask;
 	unsigned long flags;
 
 	spin_lock_irqsave(&bank->slock, flags);
@@ -83,7 +83,7 @@ static void exynos_irq_unmask(struct irq_data *irqd)
 	struct exynos_irq_chip *our_chip = to_exynos_irq_chip(chip);
 	struct samsung_pin_bank *bank = irq_data_get_irq_chip_data(irqd);
 	unsigned long reg_mask = our_chip->eint_mask + bank->eint_offset;
-	unsigned long mask;
+	unsigned int mask;
 	unsigned long flags;
 
 	/*
@@ -474,7 +474,7 @@ static void exynos_irq_eint0_15(struct irq_desc *desc)
 	chained_irq_exit(chip, desc);
 }
 
-static inline void exynos_irq_demux_eint(unsigned long pend,
+static inline void exynos_irq_demux_eint(unsigned int pend,
 						struct irq_domain *domain)
 {
 	unsigned int irq;
@@ -491,8 +491,8 @@ static void exynos_irq_demux_eint16_31(struct irq_desc *desc)
 {
 	struct irq_chip *chip = irq_desc_get_chip(desc);
 	struct exynos_muxed_weint_data *eintd = irq_desc_get_handler_data(desc);
-	unsigned long pend;
-	unsigned long mask;
+	unsigned int pend;
+	unsigned int mask;
 	int i;
 
 	chained_irq_enter(chip, desc);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 025/141] mt76: mt76x0: disable GTK offloading
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 024/141] pinctrl: samsung: use int for register masks in Exynos Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 026/141] cuse: prevent clone Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Bauer, Felix Fietkau, Sasha Levin

From: David Bauer <mail@david-bauer.net>

[ Upstream commit 4b36cc6b390f18dbc59a45fb4141f90d7dfe2b23 ]

When operating two VAP on a MT7610 with encryption (PSK2, SAE, OWE),
only the first one to be created will transmit properly encrypteded
frames.

All subsequently created VAPs will sent out frames with the payload left
unencrypted, breaking multicast traffic (ICMP6 NDP) and potentially
disclosing information to a third party.

Disable GTK offloading and encrypt these frames in software to
circumvent this issue. THis only seems to be necessary on MT7610 chips,
as MT7612 is not affected from our testing.

Signed-off-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/mediatek/mt76/mt76x02_util.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
index de0d6f21c621..075871f52bad 100644
--- a/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
+++ b/drivers/net/wireless/mediatek/mt76/mt76x02_util.c
@@ -450,6 +450,10 @@ int mt76x02_set_key(struct ieee80211_hw *hw, enum set_key_cmd cmd,
 	    !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
 		return -EOPNOTSUPP;
 
+	/* MT76x0 GTK offloading does not work with more than one VIF */
+	if (is_mt76x0(dev) && !(key->flags & IEEE80211_KEY_FLAG_PAIRWISE))
+		return -EOPNOTSUPP;
+
 	msta = sta ? (struct mt76x02_sta *)sta->drv_priv : NULL;
 	wcid = msta ? &msta->wcid : &mvif->group_wcid;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 026/141] cuse: prevent clone
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 025/141] mt76: mt76x0: disable GTK offloading Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 027/141] ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Miklos Szeredi, Sasha Levin

From: Miklos Szeredi <mszeredi@redhat.com>

[ Upstream commit 8217673d07256b22881127bf50dce874d0e51653 ]

For cloned connections cuse_channel_release() will be called more than
once, resulting in use after free.

Prevent device cloning for CUSE, which does not make sense at this point,
and highly unlikely to be used in real life.

Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fuse/cuse.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/fuse/cuse.c b/fs/fuse/cuse.c
index 00015d851382..e51b7019e887 100644
--- a/fs/fuse/cuse.c
+++ b/fs/fuse/cuse.c
@@ -624,6 +624,8 @@ static int __init cuse_init(void)
 	cuse_channel_fops.owner		= THIS_MODULE;
 	cuse_channel_fops.open		= cuse_channel_open;
 	cuse_channel_fops.release	= cuse_channel_release;
+	/* CUSE is not prepared for FUSE_DEV_IOC_CLONE */
+	cuse_channel_fops.unlocked_ioctl	= NULL;
 
 	cuse_class = class_create(THIS_MODULE, "cuse");
 	if (IS_ERR(cuse_class))
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 027/141] ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 026/141] cuse: prevent clone Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 028/141] Revert "iommu/amd: Fix performance counter initialization" Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linh Phung T. Y.,
	Kuninori Morimoto, Mark Brown, Sasha Levin

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

[ Upstream commit a122a116fc6d8fcf2f202dcd185173a54268f239 ]

Current rsnd needs to call .prepare (P) for clock settings,
.trigger for playback start (S) and stop (E).
It should be called as below from SSI point of view.

	P -> S -> E -> P -> S -> E -> ...

But, if you used MIXer, below case might happen

	              (2)
	1: P -> S ---> E -> ...
	2:         P ----> S -> ...
	          (1)     (3)

P(1) setups clock, but E(2) resets it. and starts playback (3).
In such case, it will reports "SSI parent/child should use same rate".

rsnd_ssi_master_clk_start() which is the main function at (P)
was called from rsnd_ssi_init() (= S) before,
but was moved by below patch to rsnd_soc_dai_prepare() (= P) to avoid
using clk_get_rate() which shouldn't be used under atomic context.

	commit 4d230d1271064 ("ASoC: rsnd: fixup not to call clk_get/set
				under non-atomic")

Because of above patch, rsnd_ssi_master_clk_start() is now called at (P)
which is for non atomic context. But (P) is assuming that spin lock is
*not* used.
One issue now is rsnd_ssi_master_clk_start() is checking ssi->xxx
which should be protected by spin lock.

After above patch, adg.c had below patch for other reasons.

	commit 06e8f5c842f2d ("ASoC: rsnd: don't call clk_get_rate()
				under atomic context")

clk_get_rate() is used at probe() timing by this patch.
In other words, rsnd_ssi_master_clk_start() is no longer using
clk_get_rate() any more.

This means we can call it from rsnd_ssi_init() (= S) again which is
protected by spin lock.
This patch re-move it to under spin lock, and solves
1. checking ssi->xxx without spin lock issue.
2. clk setting / device start / device stop race condition.

Reported-by: Linh Phung T. Y. <linh.phung.jy@renesas.com>
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/875z0x1jt5.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/sh/rcar/ssi.c | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/sound/soc/sh/rcar/ssi.c b/sound/soc/sh/rcar/ssi.c
index 47d5ddb526f2..8926dd69e8b8 100644
--- a/sound/soc/sh/rcar/ssi.c
+++ b/sound/soc/sh/rcar/ssi.c
@@ -507,10 +507,15 @@ static int rsnd_ssi_init(struct rsnd_mod *mod,
 			 struct rsnd_priv *priv)
 {
 	struct rsnd_ssi *ssi = rsnd_mod_to_ssi(mod);
+	int ret;
 
 	if (!rsnd_ssi_is_run_mods(mod, io))
 		return 0;
 
+	ret = rsnd_ssi_master_clk_start(mod, io);
+	if (ret < 0)
+		return ret;
+
 	ssi->usrcnt++;
 
 	rsnd_mod_power_on(mod);
@@ -1060,13 +1065,6 @@ static int rsnd_ssi_pio_pointer(struct rsnd_mod *mod,
 	return 0;
 }
 
-static int rsnd_ssi_prepare(struct rsnd_mod *mod,
-			    struct rsnd_dai_stream *io,
-			    struct rsnd_priv *priv)
-{
-	return rsnd_ssi_master_clk_start(mod, io);
-}
-
 static struct rsnd_mod_ops rsnd_ssi_pio_ops = {
 	.name		= SSI_NAME,
 	.probe		= rsnd_ssi_common_probe,
@@ -1079,7 +1077,6 @@ static struct rsnd_mod_ops rsnd_ssi_pio_ops = {
 	.pointer	= rsnd_ssi_pio_pointer,
 	.pcm_new	= rsnd_ssi_pcm_new,
 	.hw_params	= rsnd_ssi_hw_params,
-	.prepare	= rsnd_ssi_prepare,
 	.get_status	= rsnd_ssi_get_status,
 };
 
@@ -1166,7 +1163,6 @@ static struct rsnd_mod_ops rsnd_ssi_dma_ops = {
 	.pcm_new	= rsnd_ssi_pcm_new,
 	.fallback	= rsnd_ssi_fallback,
 	.hw_params	= rsnd_ssi_hw_params,
-	.prepare	= rsnd_ssi_prepare,
 	.get_status	= rsnd_ssi_get_status,
 };
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 028/141] Revert "iommu/amd: Fix performance counter initialization"
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 027/141] ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 029/141] iommu/amd: Remove performance counter pre-initialization test Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tj (Elloe Linux),
	Shuah Khan, Alexander Monakov, David Coe, Paul Menzel,
	Suravee Suthikulpanit, Joerg Roedel, Sasha Levin

From: Paul Menzel <pmenzel@molgen.mpg.de>

[ Upstream commit 715601e4e36903a653cd4294dfd3ed0019101991 ]

This reverts commit 6778ff5b21bd8e78c8bd547fd66437cf2657fd9b.

The original commit tries to address an issue, where PMC power-gating
causing the IOMMU PMC pre-init test to fail on certain desktop/mobile
platforms where the power-gating is normally enabled.

There have been several reports that the workaround still does not
guarantee to work, and can add up to 100 ms (on the worst case)
to the boot process on certain platforms such as the MSI B350M MORTAR
with AMD Ryzen 3 2200G.

Therefore, revert this commit as a prelude to removing the pre-init
test.

Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753
Cc: Tj (Elloe Linux) <ml.linux@elloe.vision>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Alexander Monakov <amonakov@ispras.ru>
Cc: David Coe <david.coe@live.co.uk>
Signed-off-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Link: https://lore.kernel.org/r/20210409085848.3908-2-suravee.suthikulpanit@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd_iommu_init.c | 45 +++++++++-------------------------
 1 file changed, 11 insertions(+), 34 deletions(-)

diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
index ad714ff375f8..31d7e2d4f304 100644
--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -12,7 +12,6 @@
 #include <linux/acpi.h>
 #include <linux/list.h>
 #include <linux/bitmap.h>
-#include <linux/delay.h>
 #include <linux/slab.h>
 #include <linux/syscore_ops.h>
 #include <linux/interrupt.h>
@@ -254,8 +253,6 @@ static enum iommu_init_state init_state = IOMMU_START_STATE;
 static int amd_iommu_enable_interrupts(void);
 static int __init iommu_go_to_state(enum iommu_init_state state);
 static void init_device_table_dma(void);
-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
-				u8 fxn, u64 *value, bool is_write);
 
 static bool amd_iommu_pre_enabled = true;
 
@@ -1675,11 +1672,13 @@ static int __init init_iommu_all(struct acpi_table_header *table)
 	return 0;
 }
 
-static void __init init_iommu_perf_ctr(struct amd_iommu *iommu)
+static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
+				u8 fxn, u64 *value, bool is_write);
+
+static void init_iommu_perf_ctr(struct amd_iommu *iommu)
 {
-	int retry;
 	struct pci_dev *pdev = iommu->dev;
-	u64 val = 0xabcd, val2 = 0, save_reg, save_src;
+	u64 val = 0xabcd, val2 = 0, save_reg = 0;
 
 	if (!iommu_feature(iommu, FEATURE_PC))
 		return;
@@ -1687,39 +1686,17 @@ static void __init init_iommu_perf_ctr(struct amd_iommu *iommu)
 	amd_iommu_pc_present = true;
 
 	/* save the value to restore, if writable */
-	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false) ||
-	    iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, false))
-		goto pc_false;
-
-	/*
-	 * Disable power gating by programing the performance counter
-	 * source to 20 (i.e. counts the reads and writes from/to IOMMU
-	 * Reserved Register [MMIO Offset 1FF8h] that are ignored.),
-	 * which never get incremented during this init phase.
-	 * (Note: The event is also deprecated.)
-	 */
-	val = 20;
-	if (iommu_pc_get_set_reg(iommu, 0, 0, 8, &val, true))
+	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
 		goto pc_false;
 
 	/* Check if the performance counters can be written to */
-	val = 0xabcd;
-	for (retry = 5; retry; retry--) {
-		if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true) ||
-		    iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false) ||
-		    val2)
-			break;
-
-		/* Wait about 20 msec for power gating to disable and retry. */
-		msleep(20);
-	}
-
-	/* restore */
-	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true) ||
-	    iommu_pc_get_set_reg(iommu, 0, 0, 8, &save_src, true))
+	if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
+	    (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
+	    (val != val2))
 		goto pc_false;
 
-	if (val != val2)
+	/* restore */
+	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
 		goto pc_false;
 
 	pci_info(pdev, "IOMMU performance counters supported\n");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 029/141] iommu/amd: Remove performance counter pre-initialization test
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 028/141] Revert "iommu/amd: Fix performance counter initialization" Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 030/141] drm/amd/display: Force vsync flip when reconfiguring MPCC Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tj (Elloe Linux),
	Shuah Khan, Alexander Monakov, David Coe, Paul Menzel,
	Suravee Suthikulpanit, Joerg Roedel, Sasha Levin

From: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>

[ Upstream commit 994d6608efe4a4c8834bdc5014c86f4bc6aceea6 ]

In early AMD desktop/mobile platforms (during 2013), when the IOMMU
Performance Counter (PMC) support was first introduced in
commit 30861ddc9cca ("perf/x86/amd: Add IOMMU Performance Counter
resource management"), there was a HW bug where the counters could not
be accessed. The result was reading of the counter always return zero.

At the time, the suggested workaround was to add a test logic prior
to initializing the PMC feature to check if the counters can be programmed
and read back the same value. This has been working fine until the more
recent desktop/mobile platforms start enabling power gating for the PMC,
which prevents access to the counters. This results in the PMC support
being disabled unnecesarily.

Unfortunatly, there is no documentation of since which generation
of hardware the original PMC HW bug was fixed. Although, it was fixed
soon after the first introduction of the PMC. Base on this, we assume
that the buggy platforms are less likely to be in used, and it should
be relatively safe to remove this legacy logic.

Link: https://lore.kernel.org/linux-iommu/alpine.LNX.3.20.13.2006030935570.3181@monopod.intra.ispras.ru/
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201753
Cc: Tj (Elloe Linux) <ml.linux@elloe.vision>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Alexander Monakov <amonakov@ispras.ru>
Cc: David Coe <david.coe@live.co.uk>
Cc: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
Link: https://lore.kernel.org/r/20210409085848.3908-3-suravee.suthikulpanit@amd.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/amd_iommu_init.c | 24 +-----------------------
 1 file changed, 1 insertion(+), 23 deletions(-)

diff --git a/drivers/iommu/amd_iommu_init.c b/drivers/iommu/amd_iommu_init.c
index 31d7e2d4f304..692401e941a7 100644
--- a/drivers/iommu/amd_iommu_init.c
+++ b/drivers/iommu/amd_iommu_init.c
@@ -1672,33 +1672,16 @@ static int __init init_iommu_all(struct acpi_table_header *table)
 	return 0;
 }
 
-static int iommu_pc_get_set_reg(struct amd_iommu *iommu, u8 bank, u8 cntr,
-				u8 fxn, u64 *value, bool is_write);
-
 static void init_iommu_perf_ctr(struct amd_iommu *iommu)
 {
+	u64 val;
 	struct pci_dev *pdev = iommu->dev;
-	u64 val = 0xabcd, val2 = 0, save_reg = 0;
 
 	if (!iommu_feature(iommu, FEATURE_PC))
 		return;
 
 	amd_iommu_pc_present = true;
 
-	/* save the value to restore, if writable */
-	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, false))
-		goto pc_false;
-
-	/* Check if the performance counters can be written to */
-	if ((iommu_pc_get_set_reg(iommu, 0, 0, 0, &val, true)) ||
-	    (iommu_pc_get_set_reg(iommu, 0, 0, 0, &val2, false)) ||
-	    (val != val2))
-		goto pc_false;
-
-	/* restore */
-	if (iommu_pc_get_set_reg(iommu, 0, 0, 0, &save_reg, true))
-		goto pc_false;
-
 	pci_info(pdev, "IOMMU performance counters supported\n");
 
 	val = readl(iommu->mmio_base + MMIO_CNTR_CONF_OFFSET);
@@ -1706,11 +1689,6 @@ static void init_iommu_perf_ctr(struct amd_iommu *iommu)
 	iommu->max_counters = (u8) ((val >> 7) & 0xf);
 
 	return;
-
-pc_false:
-	pci_err(pdev, "Unable to read/write to IOMMU perf counter.\n");
-	amd_iommu_pc_present = false;
-	return;
 }
 
 static ssize_t amd_iommu_show_cap(struct device *dev,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 030/141] drm/amd/display: Force vsync flip when reconfiguring MPCC
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 029/141] iommu/amd: Remove performance counter pre-initialization test Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 031/141] selftests: Set CC to clang in lib.mk if LLVM is set Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anthony Wang, Bindu Ramamurthy,
	Daniel Wheeler, Alex Deucher, Sasha Levin

From: Anthony Wang <anthony1.wang@amd.com>

[ Upstream commit 56d63782af9bbd1271bff1422a6a013123eade4d ]

[Why]
Underflow observed when disabling PIP overlay in-game when
vsync is disabled, due to OTC master lock not working with
game pipe which is immediate flip.

[How]
When performing a full update, override flip_immediate value
to false for all planes, so that flip occurs on vsync.

Signed-off-by: Anthony Wang <anthony1.wang@amd.com>
Acked-by: Bindu Ramamurthy <bindur12@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/core/dc.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 092db590087c..14dc1b8719a9 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -2050,6 +2050,10 @@ static void commit_planes_for_stream(struct dc *dc,
 						plane_state->triplebuffer_flips = true;
 				}
 			}
+			if (update_type == UPDATE_TYPE_FULL) {
+				/* force vsync flip when reconfiguring pipes to prevent underflow */
+				plane_state->flip_immediate = false;
+			}
 		}
 	}
 #endif
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 031/141] selftests: Set CC to clang in lib.mk if LLVM is set
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 030/141] drm/amd/display: Force vsync flip when reconfiguring MPCC Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 032/141] kconfig: nconf: stop endless search loops Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yonghong Song, Alexei Starovoitov,
	Andrii Nakryiko, Sasha Levin

From: Yonghong Song <yhs@fb.com>

[ Upstream commit 26e6dd1072763cd5696b75994c03982dde952ad9 ]

selftests/bpf/Makefile includes lib.mk. With the following command
  make -j60 LLVM=1 LLVM_IAS=1  <=== compile kernel
  make -j60 -C tools/testing/selftests/bpf LLVM=1 LLVM_IAS=1 V=1
some files are still compiled with gcc. This patch
fixed lib.mk issue which sets CC to gcc in all cases.

Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20210413153413.3027426-1-yhs@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/lib.mk | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tools/testing/selftests/lib.mk b/tools/testing/selftests/lib.mk
index 3ed0134a764d..67386aa3f31d 100644
--- a/tools/testing/selftests/lib.mk
+++ b/tools/testing/selftests/lib.mk
@@ -1,6 +1,10 @@
 # This mimics the top-level Makefile. We do it explicitly here so that this
 # Makefile can operate with or without the kbuild infrastructure.
+ifneq ($(LLVM),)
+CC := clang
+else
 CC := $(CROSS_COMPILE)gcc
+endif
 
 ifeq (0,$(MAKELEVEL))
     ifeq ($(OUTPUT),)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 032/141] kconfig: nconf: stop endless search loops
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 031/141] selftests: Set CC to clang in lib.mk if LLVM is set Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 033/141] ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mihai Moldovan, Masahiro Yamada, Sasha Levin

From: Mihai Moldovan <ionic@ionic.de>

[ Upstream commit 8c94b430b9f6213dec84e309bb480a71778c4213 ]

If the user selects the very first entry in a page and performs a
search-up operation, or selects the very last entry in a page and
performs a search-down operation that will not succeed (e.g., via
[/]asdfzzz[Up Arrow]), nconf will never terminate searching the page.

The reason is that in this case, the starting point will be set to -1
or n, which is then translated into (n - 1) (i.e., the last entry of
the page) or 0 (i.e., the first entry of the page) and finally the
search begins. This continues to work fine until the index reaches 0 or
(n - 1), at which point it will be decremented to -1 or incremented to
n, but not checked against the starting point right away. Instead, it's
wrapped around to the bottom or top again, after which the starting
point check occurs... and naturally fails.

My original implementation added another check for -1 before wrapping
the running index variable around, but Masahiro Yamada pointed out that
the actual issue is that the comparison point (starting point) exceeds
bounds (i.e., the [0,n-1] interval) in the first place and that,
instead, the starting point should be fixed.

This has the welcome side-effect of also fixing the case where the
starting point was n while searching down, which also lead to an
infinite loop.

OTOH, this code is now essentially all his work.

Amazingly, nobody seems to have been hit by this for 11 years - or at
the very least nobody bothered to debug and fix this.

Signed-off-by: Mihai Moldovan <ionic@ionic.de>
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/kconfig/nconf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/kconfig/nconf.c b/scripts/kconfig/nconf.c
index b7c1ef757178..331b2cc917ec 100644
--- a/scripts/kconfig/nconf.c
+++ b/scripts/kconfig/nconf.c
@@ -503,8 +503,8 @@ static int get_mext_match(const char *match_str, match_f flag)
 	else if (flag == FIND_NEXT_MATCH_UP)
 		--match_start;
 
+	match_start = (match_start + items_num) % items_num;
 	index = match_start;
-	index = (index + items_num) % items_num;
 	while (true) {
 		char *str = k_menu_items[index].str;
 		if (strcasestr(str, match_str) != NULL)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 033/141] ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 032/141] kconfig: nconf: stop endless search loops Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 034/141] sctp: Fix out-of-bounds warning in sctp_process_asconf_param() Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Kai Vehmanen, Sasha Levin

From: Kai Vehmanen <kai.vehmanen@linux.intel.com>

[ Upstream commit 0c37e2eb6b83e375e8a654d01598292d5591fc65 ]

When snd-hda-codec-hdmi is used with ASoC HDA controller like SOF (acomp
used for ELD notifications), display connection change done during suspend,
can be lost due to following sequence of events:

  1. system in S3 suspend
  2. DP/HDMI receiver connected
  3. system resumed
  4. HDA controller resumed, but card->deferred_resume_work not complete
  5. acomp eld_notify callback
  6. eld_notify ignored as power state is not CTL_POWER_D0
  7. HDA resume deferred work completed, power state set to CTL_POWER_D0

This results in losing the notification, and the jack state reported to
user-space is not correct.

The check on step 6 was added in commit 8ae743e82f0b ("ALSA: hda - Skip
ELD notification during system suspend"). It would seem with the deferred
resume logic in ASoC core, this check is not safe.

Fix the issue by modifying the check to use "dev.power.power_state.event"
instead of ALSA specific card power state variable.

BugLink: https://github.com/thesofproject/linux/issues/2825
Suggested-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
Link: https://lore.kernel.org/r/20210416131157.1881366-1-kai.vehmanen@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/patch_hdmi.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c
index ce38b5d4670d..f620b402b309 100644
--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -2567,7 +2567,7 @@ static void generic_acomp_pin_eld_notify(void *audio_ptr, int port, int dev_id)
 	/* skip notification during system suspend (but not in runtime PM);
 	 * the state will be updated at resume
 	 */
-	if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
+	if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
 		return;
 	/* ditto during suspend/resume process itself */
 	if (snd_hdac_is_in_pm(&codec->core))
@@ -2772,7 +2772,7 @@ static void intel_pin_eld_notify(void *audio_ptr, int port, int pipe)
 	/* skip notification during system suspend (but not in runtime PM);
 	 * the state will be updated at resume
 	 */
-	if (snd_power_get_state(codec->card) != SNDRV_CTL_POWER_D0)
+	if (codec->core.dev.power.power_state.event == PM_EVENT_SUSPEND)
 		return;
 	/* ditto during suspend/resume process itself */
 	if (snd_hdac_is_in_pm(&codec->core))
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 034/141] sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 033/141] ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 035/141] flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target() Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Gustavo A. R. Silva, Kees Cook, Marcelo Ricardo Leitner,
	David S. Miller, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]

Fix the following out-of-bounds warning:

net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_make_chunk.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index d5eda966a706..4ffb9116b6f2 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3134,7 +3134,7 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
 		 * primary.
 		 */
 		if (af->is_any(&addr))
-			memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
+			memcpy(&addr, sctp_source(asconf), sizeof(addr));
 
 		if (security_sctp_bind_connect(asoc->ep->base.sk,
 					       SCTP_PARAM_SET_PRIMARY,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 035/141] flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 034/141] sctp: Fix out-of-bounds warning in sctp_process_asconf_param() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 036/141] powerpc/smp: Set numa node before updating mask Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Gustavo A. R. Silva, David S. Miller, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit 1e3d976dbb23b3fce544752b434bdc32ce64aabc ]

Fix the following out-of-bounds warning:

net/core/flow_dissector.c:835:3: warning: 'memcpy' offset [33, 48] from the object at 'flow_keys' is out of the bounds of referenced subobject 'ipv6_src' with type '__u32[4]' {aka 'unsigned int[4]'} at offset 16 [-Warray-bounds]

The problem is that the original code is trying to copy data into a
couple of struct members adjacent to each other in a single call to
memcpy().  So, the compiler legitimately complains about it. As these
are just a couple of members, fix this by copying each one of them in
separate calls to memcpy().

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/flow_dissector.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index da86c0e1b677..96957a7c732f 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -811,8 +811,10 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
 		key_addrs = skb_flow_dissector_target(flow_dissector,
 						      FLOW_DISSECTOR_KEY_IPV6_ADDRS,
 						      target_container);
-		memcpy(&key_addrs->v6addrs, &flow_keys->ipv6_src,
-		       sizeof(key_addrs->v6addrs));
+		memcpy(&key_addrs->v6addrs.src, &flow_keys->ipv6_src,
+		       sizeof(key_addrs->v6addrs.src));
+		memcpy(&key_addrs->v6addrs.dst, &flow_keys->ipv6_dst,
+		       sizeof(key_addrs->v6addrs.dst));
 		key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 036/141] powerpc/smp: Set numa node before updating mask
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 035/141] flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 037/141] ASoC: rt286: Generalize support for ALC3263 codec Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geetika Moolchandani,
	Srikar Dronamraju, Nathan Lynch, Michael Ellerman, Sasha Levin

From: Srikar Dronamraju <srikar@linux.vnet.ibm.com>

[ Upstream commit 6980d13f0dd189846887bbbfa43793d9a41768d3 ]

Geethika reported a trace when doing a dlpar CPU add.

------------[ cut here ]------------
WARNING: CPU: 152 PID: 1134 at kernel/sched/topology.c:2057
CPU: 152 PID: 1134 Comm: kworker/152:1 Not tainted 5.12.0-rc5-master #5
Workqueue: events cpuset_hotplug_workfn
NIP:  c0000000001cfc14 LR: c0000000001cfc10 CTR: c0000000007e3420
REGS: c0000034a08eb260 TRAP: 0700   Not tainted  (5.12.0-rc5-master+)
MSR:  8000000000029033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28828422  XER: 00000020
CFAR: c0000000001fd888 IRQMASK: 0 #012GPR00: c0000000001cfc10
c0000034a08eb500 c000000001f35400 0000000000000027 #012GPR04:
c0000035abaa8010 c0000035abb30a00 0000000000000027 c0000035abaa8018
#012GPR08: 0000000000000023 c0000035abaaef48 00000035aa540000
c0000035a49dffe8 #012GPR12: 0000000028828424 c0000035bf1a1c80
0000000000000497 0000000000000004 #012GPR16: c00000000347a258
0000000000000140 c00000000203d468 c000000001a1a490 #012GPR20:
c000000001f9c160 c0000034adf70920 c0000034aec9fd20 0000000100087bd3
#012GPR24: 0000000100087bd3 c0000035b3de09f8 0000000000000030
c0000035b3de09f8 #012GPR28: 0000000000000028 c00000000347a280
c0000034aefe0b00 c0000000010a2a68
NIP [c0000000001cfc14] build_sched_domains+0x6a4/0x1500
LR [c0000000001cfc10] build_sched_domains+0x6a0/0x1500
Call Trace:
[c0000034a08eb500] [c0000000001cfc10] build_sched_domains+0x6a0/0x1500 (unreliable)
[c0000034a08eb640] [c0000000001d1e6c] partition_sched_domains_locked+0x3ec/0x530
[c0000034a08eb6e0] [c0000000002936d4] rebuild_sched_domains_locked+0x524/0xbf0
[c0000034a08eb7e0] [c000000000296bb0] rebuild_sched_domains+0x40/0x70
[c0000034a08eb810] [c000000000296e74] cpuset_hotplug_workfn+0x294/0xe20
[c0000034a08ebc30] [c000000000178dd0] process_one_work+0x300/0x670
[c0000034a08ebd10] [c0000000001791b8] worker_thread+0x78/0x520
[c0000034a08ebda0] [c000000000185090] kthread+0x1a0/0x1b0
[c0000034a08ebe10] [c00000000000ccec] ret_from_kernel_thread+0x5c/0x70
Instruction dump:
7d2903a6 4e800421 e8410018 7f67db78 7fe6fb78 7f45d378 7f84e378 7c681b78
3c62ff1a 3863c6f8 4802dc35 60000000 <0fe00000> 3920fff4 f9210070 e86100a0
---[ end trace 532d9066d3d4d7ec ]---

Some of the per-CPU masks use cpu_cpu_mask as a filter to limit the search
for related CPUs. On a dlpar add of a CPU, update cpu_cpu_mask before
updating the per-CPU masks. This will ensure the cpu_cpu_mask is updated
correctly before its used in setting the masks. Setting the numa_node will
ensure that when cpu_cpu_mask() gets called, the correct node number is
used. This code movement helped fix the above call trace.

Reported-by: Geetika Moolchandani <Geetika.Moolchandani1@ibm.com>
Signed-off-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Reviewed-by: Nathan Lynch <nathanl@linux.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210401154200.150077-1-srikar@linux.vnet.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/smp.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c
index ea6adbf6a221..b24d860bbab9 100644
--- a/arch/powerpc/kernel/smp.c
+++ b/arch/powerpc/kernel/smp.c
@@ -1254,6 +1254,9 @@ void start_secondary(void *unused)
 
 	vdso_getcpu_init();
 #endif
+	set_numa_node(numa_cpu_lookup_table[cpu]);
+	set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
+
 	/* Update topology CPU masks */
 	add_cpu_to_masks(cpu);
 
@@ -1266,9 +1269,6 @@ void start_secondary(void *unused)
 	if (!cpumask_equal(cpu_l2_cache_mask(cpu), sibling_mask(cpu)))
 		shared_caches = true;
 
-	set_numa_node(numa_cpu_lookup_table[cpu]);
-	set_numa_mem(local_memory_node(numa_cpu_lookup_table[cpu]));
-
 	smp_wmb();
 	notify_cpu_starting(cpu);
 	set_cpu_online(cpu, true);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 037/141] ASoC: rt286: Generalize support for ALC3263 codec
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 036/141] powerpc/smp: Set numa node before updating mask Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 038/141] ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ward, Pierre-Louis Bossart,
	Mark Brown, Sasha Levin

From: David Ward <david.ward@gatech.edu>

[ Upstream commit aa2f9c12821e6a4ba1df4fb34a3dbc6a2a1ee7fe ]

The ALC3263 codec on the XPS 13 9343 is also found on the Latitude 13 7350
and Venue 11 Pro 7140. They require the same handling for the combo jack to
work with a headset: GPIO pin 6 must be set.

The HDA driver always sets this pin on the ALC3263, which it distinguishes
by the codec vendor/device ID 0x10ec0288 and PCI subsystem vendor ID 0x1028
(Dell). The ASoC driver does not use PCI, so adapt this check to use DMI to
determine if Dell is the system vendor.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=150601
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205961
Signed-off-by: David Ward <david.ward@gatech.edu>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20210418134658.4333-6-david.ward@gatech.edu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/rt286.c | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
index 9593a9a27bf8..03e3e0aa25a2 100644
--- a/sound/soc/codecs/rt286.c
+++ b/sound/soc/codecs/rt286.c
@@ -1115,12 +1115,11 @@ static const struct dmi_system_id force_combo_jack_table[] = {
 	{ }
 };
 
-static const struct dmi_system_id dmi_dell_dino[] = {
+static const struct dmi_system_id dmi_dell[] = {
 	{
-		.ident = "Dell Dino",
+		.ident = "Dell",
 		.matches = {
 			DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
-			DMI_MATCH(DMI_PRODUCT_NAME, "XPS 13 9343")
 		}
 	},
 	{ }
@@ -1131,7 +1130,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
 {
 	struct rt286_platform_data *pdata = dev_get_platdata(&i2c->dev);
 	struct rt286_priv *rt286;
-	int i, ret, val;
+	int i, ret, vendor_id;
 
 	rt286 = devm_kzalloc(&i2c->dev,	sizeof(*rt286),
 				GFP_KERNEL);
@@ -1147,14 +1146,15 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
 	}
 
 	ret = regmap_read(rt286->regmap,
-		RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &val);
+		RT286_GET_PARAM(AC_NODE_ROOT, AC_PAR_VENDOR_ID), &vendor_id);
 	if (ret != 0) {
 		dev_err(&i2c->dev, "I2C error %d\n", ret);
 		return ret;
 	}
-	if (val != RT286_VENDOR_ID && val != RT288_VENDOR_ID) {
+	if (vendor_id != RT286_VENDOR_ID && vendor_id != RT288_VENDOR_ID) {
 		dev_err(&i2c->dev,
-			"Device with ID register %#x is not rt286\n", val);
+			"Device with ID register %#x is not rt286\n",
+			vendor_id);
 		return -ENODEV;
 	}
 
@@ -1178,8 +1178,8 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
 	if (pdata)
 		rt286->pdata = *pdata;
 
-	if (dmi_check_system(force_combo_jack_table) ||
-		dmi_check_system(dmi_dell_dino))
+	if ((vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) ||
+		dmi_check_system(force_combo_jack_table))
 		rt286->pdata.cbj_en = true;
 
 	regmap_write(rt286->regmap, RT286_SET_AUDIO_POWER, AC_PWRST_D3);
@@ -1218,7 +1218,7 @@ static int rt286_i2c_probe(struct i2c_client *i2c,
 	regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL3, 0xf777, 0x4737);
 	regmap_update_bits(rt286->regmap, RT286_DEPOP_CTRL4, 0x00ff, 0x003f);
 
-	if (dmi_check_system(dmi_dell_dino)) {
+	if (vendor_id == RT288_VENDOR_ID && dmi_check_system(dmi_dell)) {
 		regmap_update_bits(rt286->regmap,
 			RT286_SET_GPIO_MASK, 0x40, 0x40);
 		regmap_update_bits(rt286->regmap,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 038/141] ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 037/141] ASoC: rt286: Generalize support for ALC3263 codec Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 039/141] net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Gustavo A. R. Silva, David S. Miller, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit c1d9e34e11281a8ba1a1c54e4db554232a461488 ]

Fix the following out-of-bounds warning:

net/ethtool/ioctl.c:492:2: warning: 'memcpy' offset [49, 84] from the object at 'link_usettings' is out of the bounds of referenced subobject 'base' with type 'struct ethtool_link_settings' at offset 0 [-Warray-bounds]

The problem is that the original code is trying to copy data into a
some struct members adjacent to each other in a single call to
memcpy(). This causes a legitimate compiler warning because memcpy()
overruns the length of &link_usettings.base. Fix this by directly
using &link_usettings and _from_ as destination and source addresses,
instead.

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/ethtool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/ethtool.c b/net/core/ethtool.c
index cd9bc67381b2..76506975d59a 100644
--- a/net/core/ethtool.c
+++ b/net/core/ethtool.c
@@ -589,7 +589,7 @@ store_link_ksettings_for_user(void __user *to,
 {
 	struct ethtool_link_usettings link_usettings;
 
-	memcpy(&link_usettings.base, &from->base, sizeof(link_usettings));
+	memcpy(&link_usettings, from, sizeof(link_usettings));
 	bitmap_to_arr32(link_usettings.link_modes.supported,
 			from->link_modes.supported,
 			__ETHTOOL_LINK_MODE_MASK_NBITS);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 039/141] net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 038/141] ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 040/141] samples/bpf: Fix broken tracex1 due to kprobe argument change Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d50710fd0873a9c6b40c,
	Du Cheng, Cong Wang, David S. Miller, Sasha Levin

From: Du Cheng <ducheng2@gmail.com>

[ Upstream commit ed8157f1ebf1ae81a8fa2653e3f20d2076fad1c9 ]

There is a reproducible sequence from the userland that will trigger a WARN_ON()
condition in taprio_get_start_time, which causes kernel to panic if configured
as "panic_on_warn". Catch this condition in parse_taprio_schedule to
prevent this condition.

Reported as bug on syzkaller:
https://syzkaller.appspot.com/bug?extid=d50710fd0873a9c6b40c

Reported-by: syzbot+d50710fd0873a9c6b40c@syzkaller.appspotmail.com
Signed-off-by: Du Cheng <ducheng2@gmail.com>
Acked-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_taprio.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 09116be99511..a4de4853c79d 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -900,6 +900,12 @@ static int parse_taprio_schedule(struct taprio_sched *q, struct nlattr **tb,
 
 		list_for_each_entry(entry, &new->entries, list)
 			cycle = ktime_add_ns(cycle, entry->interval);
+
+		if (!cycle) {
+			NL_SET_ERR_MSG(extack, "'cycle_time' can never be 0");
+			return -EINVAL;
+		}
+
 		new->cycle_time = cycle;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 040/141] samples/bpf: Fix broken tracex1 due to kprobe argument change
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 039/141] net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 041/141] powerpc/pseries: Stop calling printk in rtas_stop_self() Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yaqi Chen, Alexei Starovoitov,
	Yonghong Song, Sasha Levin

From: Yaqi Chen <chendotjs@gmail.com>

[ Upstream commit 137733d08f4ab14a354dacaa9a8fc35217747605 ]

>From commit c0bbbdc32feb ("__netif_receive_skb_core: pass skb by
reference"), the first argument passed into __netif_receive_skb_core
has changed to reference of a skb pointer.

This commit fixes by using bpf_probe_read_kernel.

Signed-off-by: Yaqi Chen <chendotjs@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210416154803.37157-1-chendotjs@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 samples/bpf/tracex1_kern.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/samples/bpf/tracex1_kern.c b/samples/bpf/tracex1_kern.c
index 107da148820f..9c74b45c5720 100644
--- a/samples/bpf/tracex1_kern.c
+++ b/samples/bpf/tracex1_kern.c
@@ -20,7 +20,7 @@
 SEC("kprobe/__netif_receive_skb_core")
 int bpf_prog1(struct pt_regs *ctx)
 {
-	/* attaches to kprobe netif_receive_skb,
+	/* attaches to kprobe __netif_receive_skb_core,
 	 * looks for packets on loobpack device and prints them
 	 */
 	char devname[IFNAMSIZ];
@@ -29,7 +29,7 @@ int bpf_prog1(struct pt_regs *ctx)
 	int len;
 
 	/* non-portable! works for the given kernel only */
-	skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
+	bpf_probe_read_kernel(&skb, sizeof(skb), (void *)PT_REGS_PARM1(ctx));
 	dev = _(skb->dev);
 	len = _(skb->len);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 041/141] powerpc/pseries: Stop calling printk in rtas_stop_self()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 040/141] samples/bpf: Fix broken tracex1 due to kprobe argument change Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 042/141] drm/amd/display: fixed divide by zero kernel crash during dsc enablement Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman, Sasha Levin

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit ed8029d7b472369a010a1901358567ca3b6dbb0d ]

RCU complains about us calling printk() from an offline CPU:

  =============================
  WARNING: suspicious RCU usage
  5.12.0-rc7-02874-g7cf90e481cb8 #1 Not tainted
  -----------------------------
  kernel/locking/lockdep.c:3568 RCU-list traversed in non-reader section!!

  other info that might help us debug this:

  RCU used illegally from offline CPU!
  rcu_scheduler_active = 2, debug_locks = 1
  no locks held by swapper/0/0.

  stack backtrace:
  CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.12.0-rc7-02874-g7cf90e481cb8 #1
  Call Trace:
    dump_stack+0xec/0x144 (unreliable)
    lockdep_rcu_suspicious+0x124/0x144
    __lock_acquire+0x1098/0x28b0
    lock_acquire+0x128/0x600
    _raw_spin_lock_irqsave+0x6c/0xc0
    down_trylock+0x2c/0x70
    __down_trylock_console_sem+0x60/0x140
    vprintk_emit+0x1a8/0x4b0
    vprintk_func+0xcc/0x200
    printk+0x40/0x54
    pseries_cpu_offline_self+0xc0/0x120
    arch_cpu_idle_dead+0x54/0x70
    do_idle+0x174/0x4a0
    cpu_startup_entry+0x38/0x40
    rest_init+0x268/0x388
    start_kernel+0x748/0x790
    start_here_common+0x1c/0x614

Which happens because by the time we get to rtas_stop_self() we are
already offline. In addition the message can be spammy, and is not that
helpful for users, so remove it.

Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210418135413.1204031-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/pseries/hotplug-cpu.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
index bbda646b63b5..210e6f563eb4 100644
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -91,9 +91,6 @@ static void rtas_stop_self(void)
 
 	BUG_ON(rtas_stop_self_token == RTAS_UNKNOWN_SERVICE);
 
-	printk("cpu %u (hwid %u) Ready to die...\n",
-	       smp_processor_id(), hard_smp_processor_id());
-
 	rtas_call_unlocked(&args, rtas_stop_self_token, 0, 1, NULL);
 
 	panic("Alas, I survived.\n");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 042/141] drm/amd/display: fixed divide by zero kernel crash during dsc enablement
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 041/141] powerpc/pseries: Stop calling printk in rtas_stop_self() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 043/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robin Singh, Harry Wentland,
	Robin Singh, Aurabindo Pillai, Daniel Wheeler, Alex Deucher,
	Sasha Levin

From: Robin Singh <robin.singh@amd.com>

[ Upstream commit 19cc1f3829567e7dca21c1389ea6407b8f5efab4 ]

[why]
During dsc enable, a divide by zero condition triggered the
kernel crash.

[how]
An IGT test, which enable the DSC, was crashing at the time of
restore the default dsc status, becaue of h_totals value
becoming 0. So add a check before divide condition. If h_total
is zero, gracefully ignore and set the default value.

kernel panic log:

	[  128.758827] divide error: 0000 [#1] PREEMPT SMP NOPTI
	[  128.762714] CPU: 5 PID: 4562 Comm: amd_dp_dsc Tainted: G        W         5.4.19-android-x86_64 #1
	[  128.769728] Hardware name: ADVANCED MICRO DEVICES, INC. Mauna/Mauna, BIOS WMN0B13N Nov 11 2020
	[  128.777695] RIP: 0010:hubp2_vready_at_or_After_vsync+0x37/0x7a [amdgpu]
	[  128.785707] Code: 80 02 00 00 48 89 f3 48 8b 7f 08 b ......
	[  128.805696] RSP: 0018:ffffad8f82d43628 EFLAGS: 00010246
	......
	[  128.857707] CR2: 00007106d8465000 CR3: 0000000426530000 CR4: 0000000000140ee0
	[  128.865695] Call Trace:
	[  128.869712] hubp3_setup+0x1f/0x7f [amdgpu]
	[  128.873705] dcn20_update_dchubp_dpp+0xc8/0x54a [amdgpu]
	[  128.877706] dcn20_program_front_end_for_ctx+0x31d/0x463 [amdgpu]
	[  128.885706] dc_commit_state+0x3d2/0x658 [amdgpu]
	[  128.889707] amdgpu_dm_atomic_commit_tail+0x4b3/0x1e7c [amdgpu]
	[  128.897699] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
	[  128.901707] ? dm_read_reg_func+0x41/0xb5 [amdgpu]
	[  128.905706] ? __is_insn_slot_addr+0x43/0x48
	[  128.909706] ? fill_plane_buffer_attributes+0x29e/0x3dc [amdgpu]
	[  128.917705] ? dm_plane_helper_prepare_fb+0x255/0x284 [amdgpu]
	[  128.921700] ? usleep_range+0x7c/0x7c
	[  128.925705] ? preempt_count_sub+0xf/0x18
	[  128.929706] ? _raw_spin_unlock_irq+0x13/0x24
	[  128.933732] ? __wait_for_common+0x11e/0x18f
	[  128.937705] ? _raw_spin_unlock_irq+0x13/0x24
	[  128.941706] ? __wait_for_common+0x11e/0x18f
	[  128.945705] commit_tail+0x8b/0xd2 [drm_kms_helper]
	[  128.949707] drm_atomic_helper_commit+0xd8/0xf5 [drm_kms_helper]
	[  128.957706] amdgpu_dm_atomic_commit+0x337/0x360 [amdgpu]
	[  128.961705] ? drm_atomic_check_only+0x543/0x68d [drm]
	[  128.969705] ? drm_atomic_set_property+0x760/0x7af [drm]
	[  128.973704] ? drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
	[  128.977705] drm_mode_atomic_ioctl+0x6f3/0x85a [drm]
	[  128.985705] ? drm_atomic_set_property+0x7af/0x7af [drm]
	[  128.989706] drm_ioctl_kernel+0x82/0xda [drm]
	[  128.993706] drm_ioctl+0x225/0x319 [drm]
	[  128.997707] ? drm_atomic_set_property+0x7af/0x7af [drm]
	[  129.001706] ? preempt_count_sub+0xf/0x18
	[  129.005713] amdgpu_drm_ioctl+0x4b/0x76 [amdgpu]
	[  129.009705] vfs_ioctl+0x1d/0x2a
	[  129.013705] do_vfs_ioctl+0x419/0x43d
	[  129.017707] ksys_ioctl+0x52/0x71
	[  129.021707] __x64_sys_ioctl+0x16/0x19
	[  129.025706] do_syscall_64+0x78/0x85
	[  129.029705] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Robin Singh <robin.singh@amd.com>
Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
Reviewed-by: Robin Singh <Robin.Singh@amd.com>
Acked-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
index 69e2aae42394..b250ef75c163 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn20/dcn20_hubp.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-17 Advanced Micro Devices, Inc.
+ * Copyright 2012-2021 Advanced Micro Devices, Inc.
  *
  * Permission is hereby granted, free of charge, to any person obtaining a
  * copy of this software and associated documentation files (the "Software"),
@@ -179,11 +179,14 @@ void hubp2_vready_at_or_After_vsync(struct hubp *hubp,
 	else
 		Set HUBP_VREADY_AT_OR_AFTER_VSYNC = 0
 	*/
-	if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
-		+ pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
-		value = 1;
-	} else
-		value = 0;
+	if (pipe_dest->htotal != 0) {
+		if ((pipe_dest->vstartup_start - (pipe_dest->vready_offset+pipe_dest->vupdate_width
+			+ pipe_dest->vupdate_offset) / pipe_dest->htotal) <= pipe_dest->vblank_end) {
+			value = 1;
+		} else
+			value = 0;
+	}
+
 	REG_UPDATE(DCHUBP_CNTL, HUBP_VREADY_AT_OR_AFTER_VSYNC, value);
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 043/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 042/141] drm/amd/display: fixed divide by zero kernel crash during dsc enablement Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 044/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Kees Cook,
	Gustavo A. R. Silva, Kalle Valo, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit 820aa37638a252b57967bdf4038a514b1ab85d45 ]

Fix the following out-of-bounds warnings by enclosing structure members
daddr and saddr into new struct addr, in structures wl3501_md_req and
wl3501_md_ind:

arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [18, 23] from the object at 'sig' is out of the bounds of referenced subobject 'daddr' with type 'u8[6]' {aka 'unsigned char[6]'} at offset 11 [-Warray-bounds]

Refactor the code, accordingly:

$ pahole -C wl3501_md_req drivers/net/wireless/wl3501_cs.o
struct wl3501_md_req {
	u16                        next_blk;             /*     0     2 */
	u8                         sig_id;               /*     2     1 */
	u8                         routing;              /*     3     1 */
	u16                        data;                 /*     4     2 */
	u16                        size;                 /*     6     2 */
	u8                         pri;                  /*     8     1 */
	u8                         service_class;        /*     9     1 */
	struct {
		u8                 daddr[6];             /*    10     6 */
		u8                 saddr[6];             /*    16     6 */
	} addr;                                          /*    10    12 */

	/* size: 22, cachelines: 1, members: 8 */
	/* last cacheline: 22 bytes */
};

$ pahole -C wl3501_md_ind drivers/net/wireless/wl3501_cs.o
struct wl3501_md_ind {
	u16                        next_blk;             /*     0     2 */
	u8                         sig_id;               /*     2     1 */
	u8                         routing;              /*     3     1 */
	u16                        data;                 /*     4     2 */
	u16                        size;                 /*     6     2 */
	u8                         reception;            /*     8     1 */
	u8                         pri;                  /*     9     1 */
	u8                         service_class;        /*    10     1 */
	struct {
		u8                 daddr[6];             /*    11     6 */
		u8                 saddr[6];             /*    17     6 */
	} addr;                                          /*    11    12 */

	/* size: 24, cachelines: 1, members: 9 */
	/* padding: 1 */
	/* last cacheline: 24 bytes */
};

The problem is that the original code is trying to copy data into a
couple of arrays adjacent to each other in a single call to memcpy().
Now that a new struct _addr_ enclosing those two adjacent arrays
is introduced, memcpy() doesn't overrun the length of &sig.daddr[0]
and &sig.daddr, because the address of the new struct object _addr_
is used, instead.

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/d260fe56aed7112bff2be5b4d152d03ad7b78e78.1618442265.git.gustavoars@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/wl3501.h    | 12 ++++++++----
 drivers/net/wireless/wl3501_cs.c | 10 ++++++----
 2 files changed, 14 insertions(+), 8 deletions(-)

diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
index efdce9ae36ea..077a934ae3b5 100644
--- a/drivers/net/wireless/wl3501.h
+++ b/drivers/net/wireless/wl3501.h
@@ -471,8 +471,10 @@ struct wl3501_md_req {
 	u16	size;
 	u8	pri;
 	u8	service_class;
-	u8	daddr[ETH_ALEN];
-	u8	saddr[ETH_ALEN];
+	struct {
+		u8	daddr[ETH_ALEN];
+		u8	saddr[ETH_ALEN];
+	} addr;
 };
 
 struct wl3501_md_ind {
@@ -484,8 +486,10 @@ struct wl3501_md_ind {
 	u8	reception;
 	u8	pri;
 	u8	service_class;
-	u8	daddr[ETH_ALEN];
-	u8	saddr[ETH_ALEN];
+	struct {
+		u8	daddr[ETH_ALEN];
+		u8	saddr[ETH_ALEN];
+	} addr;
 };
 
 struct wl3501_md_confirm {
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 007bf6803293..96eb69678855 100644
--- a/drivers/net/wireless/wl3501_cs.c
+++ b/drivers/net/wireless/wl3501_cs.c
@@ -469,6 +469,7 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
 	struct wl3501_md_req sig = {
 		.sig_id = WL3501_SIG_MD_REQ,
 	};
+	size_t sig_addr_len = sizeof(sig.addr);
 	u8 *pdata = (char *)data;
 	int rc = -EIO;
 
@@ -484,9 +485,9 @@ static int wl3501_send_pkt(struct wl3501_card *this, u8 *data, u16 len)
 			goto out;
 		}
 		rc = 0;
-		memcpy(&sig.daddr[0], pdata, 12);
-		pktlen = len - 12;
-		pdata += 12;
+		memcpy(&sig.addr, pdata, sig_addr_len);
+		pktlen = len - sig_addr_len;
+		pdata += sig_addr_len;
 		sig.data = bf;
 		if (((*pdata) * 256 + (*(pdata + 1))) > 1500) {
 			u8 addr4[ETH_ALEN] = {
@@ -980,7 +981,8 @@ static inline void wl3501_md_ind_interrupt(struct net_device *dev,
 	} else {
 		skb->dev = dev;
 		skb_reserve(skb, 2); /* IP headers on 16 bytes boundaries */
-		skb_copy_to_linear_data(skb, (unsigned char *)&sig.daddr, 12);
+		skb_copy_to_linear_data(skb, (unsigned char *)&sig.addr,
+					sizeof(sig.addr));
 		wl3501_receive(this, skb->data, pkt_len);
 		skb_put(skb, pkt_len);
 		skb->protocol	= eth_type_trans(skb, dev);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 044/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 043/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 045/141] qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Gustavo A. R. Silva, Kees Cook, Kalle Valo, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit bb43e5718d8f1b46e7a77e7b39be3c691f293050 ]

Fix the following out-of-bounds warnings by adding a new structure
wl3501_req instead of duplicating the same members in structure
wl3501_join_req and wl3501_scan_confirm:

arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [39, 108] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 36 [-Warray-bounds]
arch/x86/include/asm/string_32.h:182:25: warning: '__builtin_memcpy' offset [25, 95] from the object at 'sig' is out of the bounds of referenced subobject 'beacon_period' with type 'short unsigned int' at offset 22 [-Warray-bounds]

Refactor the code, accordingly:

$ pahole -C wl3501_req drivers/net/wireless/wl3501_cs.o
struct wl3501_req {
        u16                        beacon_period;        /*     0     2 */
        u16                        dtim_period;          /*     2     2 */
        u16                        cap_info;             /*     4     2 */
        u8                         bss_type;             /*     6     1 */
        u8                         bssid[6];             /*     7     6 */
        struct iw_mgmt_essid_pset  ssid;                 /*    13    34 */
        struct iw_mgmt_ds_pset     ds_pset;              /*    47     3 */
        struct iw_mgmt_cf_pset     cf_pset;              /*    50     8 */
        struct iw_mgmt_ibss_pset   ibss_pset;            /*    58     4 */
        struct iw_mgmt_data_rset   bss_basic_rset;       /*    62    10 */

        /* size: 72, cachelines: 2, members: 10 */
        /* last cacheline: 8 bytes */
};

$ pahole -C wl3501_join_req drivers/net/wireless/wl3501_cs.o
struct wl3501_join_req {
        u16                        next_blk;             /*     0     2 */
        u8                         sig_id;               /*     2     1 */
        u8                         reserved;             /*     3     1 */
        struct iw_mgmt_data_rset   operational_rset;     /*     4    10 */
        u16                        reserved2;            /*    14     2 */
        u16                        timeout;              /*    16     2 */
        u16                        probe_delay;          /*    18     2 */
        u8                         timestamp[8];         /*    20     8 */
        u8                         local_time[8];        /*    28     8 */
        struct wl3501_req          req;                  /*    36    72 */

        /* size: 108, cachelines: 2, members: 10 */
        /* last cacheline: 44 bytes */
};

$ pahole -C wl3501_scan_confirm drivers/net/wireless/wl3501_cs.o
struct wl3501_scan_confirm {
        u16                        next_blk;             /*     0     2 */
        u8                         sig_id;               /*     2     1 */
        u8                         reserved;             /*     3     1 */
        u16                        status;               /*     4     2 */
        char                       timestamp[8];         /*     6     8 */
        char                       localtime[8];         /*    14     8 */
        struct wl3501_req          req;                  /*    22    72 */
        /* --- cacheline 1 boundary (64 bytes) was 30 bytes ago --- */
        u8                         rssi;                 /*    94     1 */

        /* size: 96, cachelines: 2, members: 8 */
        /* padding: 1 */
        /* last cacheline: 32 bytes */
};

The problem is that the original code is trying to copy data into a
bunch of struct members adjacent to each other in a single call to
memcpy(). Now that a new struct wl3501_req enclosing all those adjacent
members is introduced, memcpy() doesn't overrun the length of
&sig.beacon_period and &this->bss_set[i].beacon_period, because the
address of the new struct object _req_ is used as the destination,
instead.

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1fbaf516da763b50edac47d792a9145aa4482e29.1618442265.git.gustavoars@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/wl3501.h    | 35 +++++++++++--------------
 drivers/net/wireless/wl3501_cs.c | 44 +++++++++++++++++---------------
 2 files changed, 38 insertions(+), 41 deletions(-)

diff --git a/drivers/net/wireless/wl3501.h b/drivers/net/wireless/wl3501.h
index 077a934ae3b5..a10ee5a68012 100644
--- a/drivers/net/wireless/wl3501.h
+++ b/drivers/net/wireless/wl3501.h
@@ -379,16 +379,7 @@ struct wl3501_get_confirm {
 	u8	mib_value[100];
 };
 
-struct wl3501_join_req {
-	u16			    next_blk;
-	u8			    sig_id;
-	u8			    reserved;
-	struct iw_mgmt_data_rset    operational_rset;
-	u16			    reserved2;
-	u16			    timeout;
-	u16			    probe_delay;
-	u8			    timestamp[8];
-	u8			    local_time[8];
+struct wl3501_req {
 	u16			    beacon_period;
 	u16			    dtim_period;
 	u16			    cap_info;
@@ -401,6 +392,19 @@ struct wl3501_join_req {
 	struct iw_mgmt_data_rset    bss_basic_rset;
 };
 
+struct wl3501_join_req {
+	u16			    next_blk;
+	u8			    sig_id;
+	u8			    reserved;
+	struct iw_mgmt_data_rset    operational_rset;
+	u16			    reserved2;
+	u16			    timeout;
+	u16			    probe_delay;
+	u8			    timestamp[8];
+	u8			    local_time[8];
+	struct wl3501_req	    req;
+};
+
 struct wl3501_join_confirm {
 	u16	next_blk;
 	u8	sig_id;
@@ -443,16 +447,7 @@ struct wl3501_scan_confirm {
 	u16			    status;
 	char			    timestamp[8];
 	char			    localtime[8];
-	u16			    beacon_period;
-	u16			    dtim_period;
-	u16			    cap_info;
-	u8			    bss_type;
-	u8			    bssid[ETH_ALEN];
-	struct iw_mgmt_essid_pset   ssid;
-	struct iw_mgmt_ds_pset	    ds_pset;
-	struct iw_mgmt_cf_pset	    cf_pset;
-	struct iw_mgmt_ibss_pset    ibss_pset;
-	struct iw_mgmt_data_rset    bss_basic_rset;
+	struct wl3501_req	    req;
 	u8			    rssi;
 };
 
diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c
index 96eb69678855..122d36439319 100644
--- a/drivers/net/wireless/wl3501_cs.c
+++ b/drivers/net/wireless/wl3501_cs.c
@@ -590,7 +590,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
 	struct wl3501_join_req sig = {
 		.sig_id		  = WL3501_SIG_JOIN_REQ,
 		.timeout	  = 10,
-		.ds_pset = {
+		.req.ds_pset = {
 			.el = {
 				.id  = IW_MGMT_INFO_ELEMENT_DS_PARAMETER_SET,
 				.len = 1,
@@ -599,7 +599,7 @@ static int wl3501_mgmt_join(struct wl3501_card *this, u16 stas)
 		},
 	};
 
-	memcpy(&sig.beacon_period, &this->bss_set[stas].beacon_period, 72);
+	memcpy(&sig.req, &this->bss_set[stas].req, sizeof(sig.req));
 	return wl3501_esbq_exec(this, &sig, sizeof(sig));
 }
 
@@ -667,35 +667,37 @@ static void wl3501_mgmt_scan_confirm(struct wl3501_card *this, u16 addr)
 	if (sig.status == WL3501_STATUS_SUCCESS) {
 		pr_debug("success");
 		if ((this->net_type == IW_MODE_INFRA &&
-		     (sig.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
+		     (sig.req.cap_info & WL3501_MGMT_CAPABILITY_ESS)) ||
 		    (this->net_type == IW_MODE_ADHOC &&
-		     (sig.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
+		     (sig.req.cap_info & WL3501_MGMT_CAPABILITY_IBSS)) ||
 		    this->net_type == IW_MODE_AUTO) {
 			if (!this->essid.el.len)
 				matchflag = 1;
 			else if (this->essid.el.len == 3 &&
 				 !memcmp(this->essid.essid, "ANY", 3))
 				matchflag = 1;
-			else if (this->essid.el.len != sig.ssid.el.len)
+			else if (this->essid.el.len != sig.req.ssid.el.len)
 				matchflag = 0;
-			else if (memcmp(this->essid.essid, sig.ssid.essid,
+			else if (memcmp(this->essid.essid, sig.req.ssid.essid,
 					this->essid.el.len))
 				matchflag = 0;
 			else
 				matchflag = 1;
 			if (matchflag) {
 				for (i = 0; i < this->bss_cnt; i++) {
-					if (ether_addr_equal_unaligned(this->bss_set[i].bssid, sig.bssid)) {
+					if (ether_addr_equal_unaligned(this->bss_set[i].req.bssid,
+								       sig.req.bssid)) {
 						matchflag = 0;
 						break;
 					}
 				}
 			}
 			if (matchflag && (i < 20)) {
-				memcpy(&this->bss_set[i].beacon_period,
-				       &sig.beacon_period, 73);
+				memcpy(&this->bss_set[i].req,
+				       &sig.req, sizeof(sig.req));
 				this->bss_cnt++;
 				this->rssi = sig.rssi;
+				this->bss_set[i].rssi = sig.rssi;
 			}
 		}
 	} else if (sig.status == WL3501_STATUS_TIMEOUT) {
@@ -887,19 +889,19 @@ static void wl3501_mgmt_join_confirm(struct net_device *dev, u16 addr)
 			if (this->join_sta_bss < this->bss_cnt) {
 				const int i = this->join_sta_bss;
 				memcpy(this->bssid,
-				       this->bss_set[i].bssid, ETH_ALEN);
-				this->chan = this->bss_set[i].ds_pset.chan;
+				       this->bss_set[i].req.bssid, ETH_ALEN);
+				this->chan = this->bss_set[i].req.ds_pset.chan;
 				iw_copy_mgmt_info_element(&this->keep_essid.el,
-						     &this->bss_set[i].ssid.el);
+						     &this->bss_set[i].req.ssid.el);
 				wl3501_mgmt_auth(this);
 			}
 		} else {
 			const int i = this->join_sta_bss;
 
-			memcpy(&this->bssid, &this->bss_set[i].bssid, ETH_ALEN);
-			this->chan = this->bss_set[i].ds_pset.chan;
+			memcpy(&this->bssid, &this->bss_set[i].req.bssid, ETH_ALEN);
+			this->chan = this->bss_set[i].req.ds_pset.chan;
 			iw_copy_mgmt_info_element(&this->keep_essid.el,
-						  &this->bss_set[i].ssid.el);
+						  &this->bss_set[i].req.ssid.el);
 			wl3501_online(dev);
 		}
 	} else {
@@ -1575,30 +1577,30 @@ static int wl3501_get_scan(struct net_device *dev, struct iw_request_info *info,
 	for (i = 0; i < this->bss_cnt; ++i) {
 		iwe.cmd			= SIOCGIWAP;
 		iwe.u.ap_addr.sa_family = ARPHRD_ETHER;
-		memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].bssid, ETH_ALEN);
+		memcpy(iwe.u.ap_addr.sa_data, this->bss_set[i].req.bssid, ETH_ALEN);
 		current_ev = iwe_stream_add_event(info, current_ev,
 						  extra + IW_SCAN_MAX_DATA,
 						  &iwe, IW_EV_ADDR_LEN);
 		iwe.cmd		  = SIOCGIWESSID;
 		iwe.u.data.flags  = 1;
-		iwe.u.data.length = this->bss_set[i].ssid.el.len;
+		iwe.u.data.length = this->bss_set[i].req.ssid.el.len;
 		current_ev = iwe_stream_add_point(info, current_ev,
 						  extra + IW_SCAN_MAX_DATA,
 						  &iwe,
-						  this->bss_set[i].ssid.essid);
+						  this->bss_set[i].req.ssid.essid);
 		iwe.cmd	   = SIOCGIWMODE;
-		iwe.u.mode = this->bss_set[i].bss_type;
+		iwe.u.mode = this->bss_set[i].req.bss_type;
 		current_ev = iwe_stream_add_event(info, current_ev,
 						  extra + IW_SCAN_MAX_DATA,
 						  &iwe, IW_EV_UINT_LEN);
 		iwe.cmd = SIOCGIWFREQ;
-		iwe.u.freq.m = this->bss_set[i].ds_pset.chan;
+		iwe.u.freq.m = this->bss_set[i].req.ds_pset.chan;
 		iwe.u.freq.e = 0;
 		current_ev = iwe_stream_add_event(info, current_ev,
 						  extra + IW_SCAN_MAX_DATA,
 						  &iwe, IW_EV_FREQ_LEN);
 		iwe.cmd = SIOCGIWENCODE;
-		if (this->bss_set[i].cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
+		if (this->bss_set[i].req.cap_info & WL3501_MGMT_CAPABILITY_PRIVACY)
 			iwe.u.data.flags = IW_ENCODE_ENABLED | IW_ENCODE_NOKEY;
 		else
 			iwe.u.data.flags = IW_ENCODE_DISABLED;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 045/141] qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 044/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 046/141] powerpc/iommu: Annotate nested lock for lockdep Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lee Gibson, Kalle Valo, Sasha Levin

From: Lee Gibson <leegib@gmail.com>

[ Upstream commit 130f634da1af649205f4a3dd86cbe5c126b57914 ]

Function qtnf_event_handle_external_auth calls memcpy without
checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/quantenna/qtnfmac/event.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/quantenna/qtnfmac/event.c b/drivers/net/wireless/quantenna/qtnfmac/event.c
index 7846383c8828..3f24dbdae8d0 100644
--- a/drivers/net/wireless/quantenna/qtnfmac/event.c
+++ b/drivers/net/wireless/quantenna/qtnfmac/event.c
@@ -599,8 +599,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif,
 		return 0;
 
 	if (ev->ssid_len) {
-		memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len);
-		auth.ssid.ssid_len = ev->ssid_len;
+		int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);
+
+		memcpy(auth.ssid.ssid, ev->ssid, len);
+		auth.ssid.ssid_len = len;
 	}
 
 	auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 046/141] powerpc/iommu: Annotate nested lock for lockdep
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 045/141] qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 047/141] iavf: remove duplicate free resources calls Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexey Kardashevskiy,
	Michael Ellerman, Sasha Levin

From: Alexey Kardashevskiy <aik@ozlabs.ru>

[ Upstream commit cc7130bf119add37f36238343a593b71ef6ecc1e ]

The IOMMU table is divided into pools for concurrent mappings and each
pool has a separate spinlock. When taking the ownership of an IOMMU group
to pass through a device to a VM, we lock these spinlocks which triggers
a false negative warning in lockdep (below).

This fixes it by annotating the large pool's spinlock as a nest lock
which makes lockdep not complaining when locking nested locks if
the nest lock is locked already.

===
WARNING: possible recursive locking detected
5.11.0-le_syzkaller_a+fstn1 #100 Not tainted
--------------------------------------------
qemu-system-ppc/4129 is trying to acquire lock:
c0000000119bddb0 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0

but task is already holding lock:
c0000000119bdd30 (&(p->lock)/1){....}-{2:2}, at: iommu_take_ownership+0xac/0x1e0

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&(p->lock)/1);
  lock(&(p->lock)/1);
===

Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210301063653.51003-1-aik@ozlabs.ru
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/kernel/iommu.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/kernel/iommu.c b/arch/powerpc/kernel/iommu.c
index 9704f3f76e63..d7d42bd448c4 100644
--- a/arch/powerpc/kernel/iommu.c
+++ b/arch/powerpc/kernel/iommu.c
@@ -1057,7 +1057,7 @@ int iommu_take_ownership(struct iommu_table *tbl)
 
 	spin_lock_irqsave(&tbl->large_pool.lock, flags);
 	for (i = 0; i < tbl->nr_pools; i++)
-		spin_lock(&tbl->pools[i].lock);
+		spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
 
 	iommu_table_release_pages(tbl);
 
@@ -1085,7 +1085,7 @@ void iommu_release_ownership(struct iommu_table *tbl)
 
 	spin_lock_irqsave(&tbl->large_pool.lock, flags);
 	for (i = 0; i < tbl->nr_pools; i++)
-		spin_lock(&tbl->pools[i].lock);
+		spin_lock_nest_lock(&tbl->pools[i].lock, &tbl->large_pool.lock);
 
 	memset(tbl->it_map, 0, sz);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 047/141] iavf: remove duplicate free resources calls
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 046/141] powerpc/iommu: Annotate nested lock for lockdep Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 048/141] net: ethernet: mtk_eth_soc: fix RX VLAN offload Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Assmann, Tony Nguyen, Sasha Levin

From: Stefan Assmann <sassmann@kpanic.de>

[ Upstream commit 1a0e880b028f97478dc689e2900b312741d0d772 ]

Both iavf_free_all_tx_resources() and iavf_free_all_rx_resources() have
already been called in the very same function.
Remove the duplicate calls.

Signed-off-by: Stefan Assmann <sassmann@kpanic.de>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/iavf/iavf_main.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/iavf/iavf_main.c b/drivers/net/ethernet/intel/iavf/iavf_main.c
index cffc8c1044f2..a97e1f9ca1ed 100644
--- a/drivers/net/ethernet/intel/iavf/iavf_main.c
+++ b/drivers/net/ethernet/intel/iavf/iavf_main.c
@@ -3906,8 +3906,6 @@ static void iavf_remove(struct pci_dev *pdev)
 
 	iounmap(hw->hw_addr);
 	pci_release_regions(pdev);
-	iavf_free_all_tx_resources(adapter);
-	iavf_free_all_rx_resources(adapter);
 	iavf_free_queues(adapter);
 	kfree(adapter->vf_res);
 	spin_lock_bh(&adapter->mac_vlan_list_lock);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 048/141] net: ethernet: mtk_eth_soc: fix RX VLAN offload
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 047/141] iavf: remove duplicate free resources calls Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 049/141] bnxt_en: Add PCI IDs for Hyper-V VF devices Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Ilya Lipnitskiy,
	David S. Miller, Sasha Levin

From: Felix Fietkau <nbd@nbd.name>

[ Upstream commit 3f57d8c40fea9b20543cab4da12f4680d2ef182c ]

The VLAN ID in the rx descriptor is only valid if the RX_DMA_VTAG bit is
set. Fixes frames wrongly marked with VLAN tags.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
[Ilya: fix commit message]
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/mediatek/mtk_eth_soc.c | 2 +-
 drivers/net/ethernet/mediatek/mtk_eth_soc.h | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
index d01b3a1b40f4..7e3806fd70b2 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
@@ -1315,7 +1315,7 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget,
 		skb->protocol = eth_type_trans(skb, netdev);
 
 		if (netdev->features & NETIF_F_HW_VLAN_CTAG_RX &&
-		    RX_DMA_VID(trxd.rxd3))
+		    (trxd.rxd2 & RX_DMA_VTAG))
 			__vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q),
 					       RX_DMA_VID(trxd.rxd3));
 		skb_record_rx_queue(skb, 0);
diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.h b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
index 1e787f3577aa..1e9202b34d35 100644
--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.h
+++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.h
@@ -293,6 +293,7 @@
 #define RX_DMA_LSO		BIT(30)
 #define RX_DMA_PLEN0(_x)	(((_x) & 0x3fff) << 16)
 #define RX_DMA_GET_PLEN0(_x)	(((_x) >> 16) & 0x3fff)
+#define RX_DMA_VTAG		BIT(15)
 
 /* QDMA descriptor rxd3 */
 #define RX_DMA_VID(_x)		((_x) & 0xfff)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 049/141] bnxt_en: Add PCI IDs for Hyper-V VF devices.
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 048/141] net: ethernet: mtk_eth_soc: fix RX VLAN offload Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 050/141] ia64: module: fix symbolizer crash on fdescr Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vasundhara Volam, Andy Gospodarek,
	Edwin Peer, Michael Chan, David S. Miller, Sasha Levin

From: Michael Chan <michael.chan@broadcom.com>

[ Upstream commit 7fbf359bb2c19c824cbb1954020680824f6ee5a5 ]

Support VF device IDs used by the Hyper-V hypervisor.

Reviewed-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com>
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: Edwin Peer <edwin.peer@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
index 588389697cf9..106f2b2ce17f 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -125,7 +125,10 @@ enum board_idx {
 	NETXTREME_E_VF,
 	NETXTREME_C_VF,
 	NETXTREME_S_VF,
+	NETXTREME_C_VF_HV,
+	NETXTREME_E_VF_HV,
 	NETXTREME_E_P5_VF,
+	NETXTREME_E_P5_VF_HV,
 };
 
 /* indexed by enum above */
@@ -173,7 +176,10 @@ static const struct {
 	[NETXTREME_E_VF] = { "Broadcom NetXtreme-E Ethernet Virtual Function" },
 	[NETXTREME_C_VF] = { "Broadcom NetXtreme-C Ethernet Virtual Function" },
 	[NETXTREME_S_VF] = { "Broadcom NetXtreme-S Ethernet Virtual Function" },
+	[NETXTREME_C_VF_HV] = { "Broadcom NetXtreme-C Virtual Function for Hyper-V" },
+	[NETXTREME_E_VF_HV] = { "Broadcom NetXtreme-E Virtual Function for Hyper-V" },
 	[NETXTREME_E_P5_VF] = { "Broadcom BCM5750X NetXtreme-E Ethernet Virtual Function" },
+	[NETXTREME_E_P5_VF_HV] = { "Broadcom BCM5750X NetXtreme-E Virtual Function for Hyper-V" },
 };
 
 static const struct pci_device_id bnxt_pci_tbl[] = {
@@ -225,15 +231,25 @@ static const struct pci_device_id bnxt_pci_tbl[] = {
 	{ PCI_VDEVICE(BROADCOM, 0xd804), .driver_data = BCM58804 },
 #ifdef CONFIG_BNXT_SRIOV
 	{ PCI_VDEVICE(BROADCOM, 0x1606), .driver_data = NETXTREME_E_VF },
+	{ PCI_VDEVICE(BROADCOM, 0x1607), .driver_data = NETXTREME_E_VF_HV },
+	{ PCI_VDEVICE(BROADCOM, 0x1608), .driver_data = NETXTREME_E_VF_HV },
 	{ PCI_VDEVICE(BROADCOM, 0x1609), .driver_data = NETXTREME_E_VF },
+	{ PCI_VDEVICE(BROADCOM, 0x16bd), .driver_data = NETXTREME_E_VF_HV },
 	{ PCI_VDEVICE(BROADCOM, 0x16c1), .driver_data = NETXTREME_E_VF },
+	{ PCI_VDEVICE(BROADCOM, 0x16c2), .driver_data = NETXTREME_C_VF_HV },
+	{ PCI_VDEVICE(BROADCOM, 0x16c3), .driver_data = NETXTREME_C_VF_HV },
+	{ PCI_VDEVICE(BROADCOM, 0x16c4), .driver_data = NETXTREME_E_VF_HV },
+	{ PCI_VDEVICE(BROADCOM, 0x16c5), .driver_data = NETXTREME_E_VF_HV },
 	{ PCI_VDEVICE(BROADCOM, 0x16cb), .driver_data = NETXTREME_C_VF },
 	{ PCI_VDEVICE(BROADCOM, 0x16d3), .driver_data = NETXTREME_E_VF },
 	{ PCI_VDEVICE(BROADCOM, 0x16dc), .driver_data = NETXTREME_E_VF },
 	{ PCI_VDEVICE(BROADCOM, 0x16e1), .driver_data = NETXTREME_C_VF },
 	{ PCI_VDEVICE(BROADCOM, 0x16e5), .driver_data = NETXTREME_C_VF },
+	{ PCI_VDEVICE(BROADCOM, 0x16e6), .driver_data = NETXTREME_C_VF_HV },
 	{ PCI_VDEVICE(BROADCOM, 0x1806), .driver_data = NETXTREME_E_P5_VF },
 	{ PCI_VDEVICE(BROADCOM, 0x1807), .driver_data = NETXTREME_E_P5_VF },
+	{ PCI_VDEVICE(BROADCOM, 0x1808), .driver_data = NETXTREME_E_P5_VF_HV },
+	{ PCI_VDEVICE(BROADCOM, 0x1809), .driver_data = NETXTREME_E_P5_VF_HV },
 	{ PCI_VDEVICE(BROADCOM, 0xd800), .driver_data = NETXTREME_S_VF },
 #endif
 	{ 0 }
@@ -263,7 +279,8 @@ static struct workqueue_struct *bnxt_pf_wq;
 static bool bnxt_vf_pciid(enum board_idx idx)
 {
 	return (idx == NETXTREME_C_VF || idx == NETXTREME_E_VF ||
-		idx == NETXTREME_S_VF || idx == NETXTREME_E_P5_VF);
+		idx == NETXTREME_S_VF || idx == NETXTREME_C_VF_HV ||
+		idx == NETXTREME_E_VF_HV || idx == NETXTREME_E_P5_VF);
 }
 
 #define DB_CP_REARM_FLAGS	(DB_KEY_CP | DB_IDX_VALID)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 050/141] ia64: module: fix symbolizer crash on fdescr
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 049/141] bnxt_en: Add PCI IDs for Hyper-V VF devices Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 051/141] ASoC: rt286: Make RT286_SET_GPIO_* readable and writable Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergei Trofimovich, Andrew Morton,
	Linus Torvalds, Sasha Levin

From: Sergei Trofimovich <slyfox@gentoo.org>

[ Upstream commit 99e729bd40fb3272fa4b0140839d5e957b58588a ]

Noticed failure as a crash on ia64 when tried to symbolize all backtraces
collected by page_owner=on:

    $ cat /sys/kernel/debug/page_owner
    <oops>

    CPU: 1 PID: 2074 Comm: cat Not tainted 5.12.0-rc4 #226
    Hardware name: hp server rx3600, BIOS 04.03 04/08/2008
    ip is at dereference_module_function_descriptor+0x41/0x100

Crash happens at dereference_module_function_descriptor() due to
use-after-free when dereferencing ".opd" section header.

All section headers are already freed after module is laoded successfully.

To keep symbolizer working the change stores ".opd" address and size after
module is relocated to a new place and before section headers are
discarded.

To make similar errors less obscure module_finalize() now zeroes out all
variables relevant to module loading only.

Link: https://lkml.kernel.org/r/20210403074803.3309096-1-slyfox@gentoo.org
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/ia64/include/asm/module.h |  6 +++++-
 arch/ia64/kernel/module.c      | 29 +++++++++++++++++++++++++----
 2 files changed, 30 insertions(+), 5 deletions(-)

diff --git a/arch/ia64/include/asm/module.h b/arch/ia64/include/asm/module.h
index f319144260ce..9fbf32e6e881 100644
--- a/arch/ia64/include/asm/module.h
+++ b/arch/ia64/include/asm/module.h
@@ -14,16 +14,20 @@
 struct elf64_shdr;			/* forward declration */
 
 struct mod_arch_specific {
+	/* Used only at module load time. */
 	struct elf64_shdr *core_plt;	/* core PLT section */
 	struct elf64_shdr *init_plt;	/* init PLT section */
 	struct elf64_shdr *got;		/* global offset table */
 	struct elf64_shdr *opd;		/* official procedure descriptors */
 	struct elf64_shdr *unwind;	/* unwind-table section */
 	unsigned long gp;		/* global-pointer for module */
+	unsigned int next_got_entry;	/* index of next available got entry */
 
+	/* Used at module run and cleanup time. */
 	void *core_unw_table;		/* core unwind-table cookie returned by unwinder */
 	void *init_unw_table;		/* init unwind-table cookie returned by unwinder */
-	unsigned int next_got_entry;	/* index of next available got entry */
+	void *opd_addr;			/* symbolize uses .opd to get to actual function */
+	unsigned long opd_size;
 };
 
 #define MODULE_PROC_FAMILY	"ia64"
diff --git a/arch/ia64/kernel/module.c b/arch/ia64/kernel/module.c
index 1a42ba885188..ee693c8cec49 100644
--- a/arch/ia64/kernel/module.c
+++ b/arch/ia64/kernel/module.c
@@ -905,9 +905,31 @@ register_unwind_table (struct module *mod)
 int
 module_finalize (const Elf_Ehdr *hdr, const Elf_Shdr *sechdrs, struct module *mod)
 {
+	struct mod_arch_specific *mas = &mod->arch;
+
 	DEBUGP("%s: init: entry=%p\n", __func__, mod->init);
-	if (mod->arch.unwind)
+	if (mas->unwind)
 		register_unwind_table(mod);
+
+	/*
+	 * ".opd" was already relocated to the final destination. Store
+	 * it's address for use in symbolizer.
+	 */
+	mas->opd_addr = (void *)mas->opd->sh_addr;
+	mas->opd_size = mas->opd->sh_size;
+
+	/*
+	 * Module relocation was already done at this point. Section
+	 * headers are about to be deleted. Wipe out load-time context.
+	 */
+	mas->core_plt = NULL;
+	mas->init_plt = NULL;
+	mas->got = NULL;
+	mas->opd = NULL;
+	mas->unwind = NULL;
+	mas->gp = 0;
+	mas->next_got_entry = 0;
+
 	return 0;
 }
 
@@ -926,10 +948,9 @@ module_arch_cleanup (struct module *mod)
 
 void *dereference_module_function_descriptor(struct module *mod, void *ptr)
 {
-	Elf64_Shdr *opd = mod->arch.opd;
+	struct mod_arch_specific *mas = &mod->arch;
 
-	if (ptr < (void *)opd->sh_addr ||
-			ptr >= (void *)(opd->sh_addr + opd->sh_size))
+	if (ptr < mas->opd_addr || ptr >= mas->opd_addr + mas->opd_size)
 		return ptr;
 
 	return dereference_function_descriptor(ptr);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 051/141] ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 050/141] ia64: module: fix symbolizer crash on fdescr Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 052/141] thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ward, Pierre-Louis Bossart,
	Mark Brown, Sasha Levin

From: David Ward <david.ward@gatech.edu>

[ Upstream commit cd8499d5c03ba260e3191e90236d0e5f6b147563 ]

The GPIO configuration cannot be applied if the registers are inaccessible.
This prevented the headset mic from working on the Dell XPS 13 9343.

BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=114171
Signed-off-by: David Ward <david.ward@gatech.edu>
Link: https://lore.kernel.org/r/20210418134658.4333-5-david.ward@gatech.edu
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/codecs/rt286.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/soc/codecs/rt286.c b/sound/soc/codecs/rt286.c
index 03e3e0aa25a2..d8ab8af2c786 100644
--- a/sound/soc/codecs/rt286.c
+++ b/sound/soc/codecs/rt286.c
@@ -171,6 +171,9 @@ static bool rt286_readable_register(struct device *dev, unsigned int reg)
 	case RT286_PROC_COEF:
 	case RT286_SET_AMP_GAIN_ADC_IN1:
 	case RT286_SET_AMP_GAIN_ADC_IN2:
+	case RT286_SET_GPIO_MASK:
+	case RT286_SET_GPIO_DIRECTION:
+	case RT286_SET_GPIO_DATA:
 	case RT286_SET_POWER(RT286_DAC_OUT1):
 	case RT286_SET_POWER(RT286_DAC_OUT2):
 	case RT286_SET_POWER(RT286_ADC_IN1):
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 052/141] thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 051/141] ASoC: rt286: Make RT286_SET_GPIO_* readable and writable Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 053/141] f2fs: fix a redundant call to f2fs_balance_fs if an error occurs Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, TOTE Robot, Jia-Ju Bai,
	Daniel Lezcano, Sasha Levin

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 45c7eaeb29d67224db4ba935deb575586a1fda09 ]

When kcalloc() returns NULL to __tcbp or of_count_phandle_with_args()
returns zero or -ENOENT to count, no error return code of
thermal_of_populate_bind_params() is assigned.
To fix these bugs, ret is assigned with -ENOMEM and -ENOENT in these
cases, respectively.

Fixes: a92bab8919e3 ("of: thermal: Allow multiple devices to share cooling map")
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20210310122423.3266-1-baijiaju1990@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/thermal/of-thermal.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/thermal/of-thermal.c b/drivers/thermal/of-thermal.c
index dc5093be553e..68d0c181ec7b 100644
--- a/drivers/thermal/of-thermal.c
+++ b/drivers/thermal/of-thermal.c
@@ -712,14 +712,17 @@ static int thermal_of_populate_bind_params(struct device_node *np,
 
 	count = of_count_phandle_with_args(np, "cooling-device",
 					   "#cooling-cells");
-	if (!count) {
+	if (count <= 0) {
 		pr_err("Add a cooling_device property with at least one device\n");
+		ret = -ENOENT;
 		goto end;
 	}
 
 	__tcbp = kcalloc(count, sizeof(*__tcbp), GFP_KERNEL);
-	if (!__tcbp)
+	if (!__tcbp) {
+		ret = -ENOMEM;
 		goto end;
+	}
 
 	for (i = 0; i < count; i++) {
 		ret = of_parse_phandle_with_args(np, "cooling-device",
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 053/141] f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 052/141] thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 054/141] PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Chao Yu, Jaegeuk Kim,
	Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit 28e18ee636ba28532dbe425540af06245a0bbecb ]

The  uninitialized variable dn.node_changed does not get set when a
call to f2fs_get_node_page fails.  This uninitialized value gets used
in the call to f2fs_balance_fs() that may or not may not balances
dirty node and dentry pages depending on the uninitialized state of
the variable. Fix this by only calling f2fs_balance_fs if err is
not set.

Thanks to Jaegeuk Kim for suggesting an appropriate fix.

Addresses-Coverity: ("Uninitialized scalar variable")
Fixes: 2a3407607028 ("f2fs: call f2fs_balance_fs only when node was changed")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/inline.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
index cbd17e4ff920..c6bd669f4b4e 100644
--- a/fs/f2fs/inline.c
+++ b/fs/f2fs/inline.c
@@ -216,7 +216,8 @@ out:
 
 	f2fs_put_page(page, 1);
 
-	f2fs_balance_fs(sbi, dn.node_changed);
+	if (!err)
+		f2fs_balance_fs(sbi, dn.node_changed);
 
 	return err;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 054/141] PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 053/141] f2fs: fix a redundant call to f2fs_balance_fs if an error occurs Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 055/141] PCI: Release OF node in pci_scan_device()s error path Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pali Rohár, Lorenzo Pieralisi,
	Krzysztof Wilczyński, Ray Jui, Marc Zyngier, Sasha Levin

From: Pali Rohár <pali@kernel.org>

[ Upstream commit 1e83130f01b04c16579ed5a5e03d729bcffc4c5d ]

IRQ domain alloc function should return zero on success. Non-zero value
indicates failure.

Link: https://lore.kernel.org/r/20210303142202.25780-1-pali@kernel.org
Fixes: fc54bae28818 ("PCI: iproc: Allow allocation of multiple MSIs")
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Reviewed-by: Krzysztof Wilczyński <kw@linux.com>
Acked-by: Ray Jui <ray.jui@broadcom.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/controller/pcie-iproc-msi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/controller/pcie-iproc-msi.c b/drivers/pci/controller/pcie-iproc-msi.c
index a1298f6784ac..f40d17b285c5 100644
--- a/drivers/pci/controller/pcie-iproc-msi.c
+++ b/drivers/pci/controller/pcie-iproc-msi.c
@@ -271,7 +271,7 @@ static int iproc_msi_irq_domain_alloc(struct irq_domain *domain,
 				    NULL, NULL);
 	}
 
-	return hwirq;
+	return 0;
 }
 
 static void iproc_msi_irq_domain_free(struct irq_domain *domain,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 055/141] PCI: Release OF node in pci_scan_device()s error path
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 054/141] PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 056/141] ARM: 9064/1: hw_breakpoint: Do not directly check the events overflow_handler hook Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmitry Baryshkov, Bjorn Helgaas,
	Leon Romanovsky, Sasha Levin

From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>

[ Upstream commit c99e755a4a4c165cad6effb39faffd0f3377c02d ]

In pci_scan_device(), if pci_setup_device() fails for any reason, the code
will not release device's of_node by calling pci_release_of_node().  Fix
that by calling the release function.

Fixes: 98d9f30c820d ("pci/of: Match PCI devices to OF nodes dynamically")
Link: https://lore.kernel.org/r/20210124232826.1879-1-dmitry.baryshkov@linaro.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/probe.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c
index 8fa13486f2f1..f28213b62527 100644
--- a/drivers/pci/probe.c
+++ b/drivers/pci/probe.c
@@ -2299,6 +2299,7 @@ static struct pci_dev *pci_scan_device(struct pci_bus *bus, int devfn)
 	pci_set_of_node(dev);
 
 	if (pci_setup_device(dev)) {
+		pci_release_of_node(dev);
 		pci_bus_put(dev->bus);
 		kfree(dev);
 		return NULL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 056/141] ARM: 9064/1: hw_breakpoint: Do not directly check the events overflow_handler hook
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 055/141] PCI: Release OF node in pci_scan_device()s error path Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 057/141] rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhen Lei, Wang Nan, Will Deacon,
	Russell King, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit a506bd5756290821a4314f502b4bafc2afcf5260 ]

The commit 1879445dfa7b ("perf/core: Set event's default
::overflow_handler()") set a default event->overflow_handler in
perf_event_alloc(), and replace the check event->overflow_handler with
is_default_overflow_handler(), but one is missing.

Currently, the bp->overflow_handler can not be NULL. As a result,
enable_single_step() is always not invoked.

Comments from Zhen Lei:

 https://patchwork.kernel.org/project/linux-arm-kernel/patch/20210207105934.2001-1-thunder.leizhen@huawei.com/

Fixes: 1879445dfa7b ("perf/core: Set event's default ::overflow_handler()")
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Cc: Wang Nan <wangnan0@huawei.com>
Acked-by: Will Deacon <will@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/kernel/hw_breakpoint.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/kernel/hw_breakpoint.c b/arch/arm/kernel/hw_breakpoint.c
index 7021ef0b4e71..b06d9ea07c84 100644
--- a/arch/arm/kernel/hw_breakpoint.c
+++ b/arch/arm/kernel/hw_breakpoint.c
@@ -883,7 +883,7 @@ static void breakpoint_handler(unsigned long unknown, struct pt_regs *regs)
 			info->trigger = addr;
 			pr_debug("breakpoint fired: address = 0x%x\n", addr);
 			perf_bp_event(bp, regs);
-			if (!bp->overflow_handler)
+			if (is_default_overflow_handler(bp))
 				enable_single_step(bp, addr);
 			goto unlock;
 		}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 057/141] rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 056/141] ARM: 9064/1: hw_breakpoint: Do not directly check the events overflow_handler hook Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 058/141] NFSv4.2: Always flush out writes in nfs42_proc_fallocate() Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, TOTE Robot, Jia-Ju Bai,
	Bjorn Andersson, Sasha Levin

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 26594c6bbb60c6bc87e3762a86ceece57d164c66 ]

When idr_find() returns NULL to intent, no error return code of
qcom_glink_rx_data() is assigned.
To fix this bug, ret is assigned with -ENOENT in this case.

Fixes: 64f95f87920d ("rpmsg: glink: Use the local intents when receiving data")
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Link: https://lore.kernel.org/r/20210306133624.17237-1-baijiaju1990@gmail.com
Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rpmsg/qcom_glink_native.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c
index d5114abcde19..0f10b3f84705 100644
--- a/drivers/rpmsg/qcom_glink_native.c
+++ b/drivers/rpmsg/qcom_glink_native.c
@@ -857,6 +857,7 @@ static int qcom_glink_rx_data(struct qcom_glink *glink, size_t avail)
 			dev_err(glink->dev,
 				"no intent found for channel %s intent %d",
 				channel->name, liid);
+			ret = -ENOENT;
 			goto advance_rx;
 		}
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 058/141] NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 057/141] rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 059/141] NFS: Deal correctly with attribute generation counter overflow Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit 99f23783224355e7022ceea9b8d9f62c0fd01bd8 ]

Whether we're allocating or delallocating space, we should flush out the
pending writes in order to avoid races with attribute updates.

Fixes: 1e564d3dbd68 ("NFSv4.2: Fix a race in nfs42_proc_deallocate()")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs42proc.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
index 9b61c80a93e9..5c84e5b8c0d6 100644
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -59,7 +59,8 @@ static int _nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
 static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
 				loff_t offset, loff_t len)
 {
-	struct nfs_server *server = NFS_SERVER(file_inode(filep));
+	struct inode *inode = file_inode(filep);
+	struct nfs_server *server = NFS_SERVER(inode);
 	struct nfs4_exception exception = { };
 	struct nfs_lock_context *lock;
 	int err;
@@ -68,9 +69,13 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
 	if (IS_ERR(lock))
 		return PTR_ERR(lock);
 
-	exception.inode = file_inode(filep);
+	exception.inode = inode;
 	exception.state = lock->open_context->state;
 
+	err = nfs_sync_inode(inode);
+	if (err)
+		goto out;
+
 	do {
 		err = _nfs42_proc_fallocate(msg, filep, lock, offset, len);
 		if (err == -ENOTSUPP) {
@@ -79,7 +84,7 @@ static int nfs42_proc_fallocate(struct rpc_message *msg, struct file *filep,
 		}
 		err = nfs4_handle_exception(server, err, &exception);
 	} while (exception.retry);
-
+out:
 	nfs_put_lock_context(lock);
 	return err;
 }
@@ -117,16 +122,13 @@ int nfs42_proc_deallocate(struct file *filep, loff_t offset, loff_t len)
 		return -EOPNOTSUPP;
 
 	inode_lock(inode);
-	err = nfs_sync_inode(inode);
-	if (err)
-		goto out_unlock;
 
 	err = nfs42_proc_fallocate(&msg, filep, offset, len);
 	if (err == 0)
 		truncate_pagecache_range(inode, offset, (offset + len) -1);
 	if (err == -EOPNOTSUPP)
 		NFS_SERVER(inode)->caps &= ~NFS_CAP_DEALLOCATE;
-out_unlock:
+
 	inode_unlock(inode);
 	return err;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 059/141] NFS: Deal correctly with attribute generation counter overflow
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 058/141] NFSv4.2: Always flush out writes in nfs42_proc_fallocate() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 060/141] PCI: endpoint: Fix missing destroy_workqueue() Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Sasha Levin

From: Trond Myklebust <trond.myklebust@hammerspace.com>

[ Upstream commit 9fdbfad1777cb4638f489eeb62d85432010c0031 ]

We need to use unsigned long subtraction and then convert to signed in
order to deal correcly with C overflow rules.

Fixes: f5062003465c ("NFS: Set an attribute barrier on all updates")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/inode.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/nfs/inode.c b/fs/nfs/inode.c
index 53604cc090ca..8c0f916380c4 100644
--- a/fs/nfs/inode.c
+++ b/fs/nfs/inode.c
@@ -1618,10 +1618,10 @@ EXPORT_SYMBOL_GPL(_nfs_display_fhandle);
  */
 static int nfs_inode_attrs_need_update(const struct inode *inode, const struct nfs_fattr *fattr)
 {
-	const struct nfs_inode *nfsi = NFS_I(inode);
+	unsigned long attr_gencount = NFS_I(inode)->attr_gencount;
 
-	return ((long)fattr->gencount - (long)nfsi->attr_gencount) > 0 ||
-		((long)nfsi->attr_gencount - (long)nfs_read_attr_generation_counter() > 0);
+	return (long)(fattr->gencount - attr_gencount) > 0 ||
+	       (long)(attr_gencount - nfs_read_attr_generation_counter()) > 0;
 }
 
 static int nfs_refresh_inode_locked(struct inode *inode, struct nfs_fattr *fattr)
@@ -2049,7 +2049,7 @@ static int nfs_update_inode(struct inode *inode, struct nfs_fattr *fattr)
 			nfsi->attrtimeo_timestamp = now;
 		}
 		/* Set the barrier to be more recent than this fattr */
-		if ((long)fattr->gencount - (long)nfsi->attr_gencount > 0)
+		if ((long)(fattr->gencount - nfsi->attr_gencount) > 0)
 			nfsi->attr_gencount = fattr->gencount;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 060/141] PCI: endpoint: Fix missing destroy_workqueue()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 059/141] NFS: Deal correctly with attribute generation counter overflow Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 061/141] pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang,
	Lorenzo Pieralisi, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit acaef7981a218813e3617edb9c01837808de063c ]

Add the missing destroy_workqueue() before return from
pci_epf_test_init() in the error handling case and add
destroy_workqueue() in pci_epf_test_exit().

Link: https://lore.kernel.org/r/20210331084012.2091010-1-yangyingliang@huawei.com
Fixes: 349e7a85b25fa ("PCI: endpoint: functions: Add an EP function to test PCI")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/endpoint/functions/pci-epf-test.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/pci/endpoint/functions/pci-epf-test.c b/drivers/pci/endpoint/functions/pci-epf-test.c
index 1cfe3687a211..6dcee39b364a 100644
--- a/drivers/pci/endpoint/functions/pci-epf-test.c
+++ b/drivers/pci/endpoint/functions/pci-epf-test.c
@@ -604,6 +604,7 @@ static int __init pci_epf_test_init(void)
 
 	ret = pci_epf_register_driver(&test_driver);
 	if (ret) {
+		destroy_workqueue(kpcitest_workqueue);
 		pr_err("Failed to register pci epf test driver --> %d\n", ret);
 		return ret;
 	}
@@ -614,6 +615,8 @@ module_init(pci_epf_test_init);
 
 static void __exit pci_epf_test_exit(void)
 {
+	if (kpcitest_workqueue)
+		destroy_workqueue(kpcitest_workqueue);
 	pci_epf_unregister_driver(&test_driver);
 }
 module_exit(pci_epf_test_exit);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 061/141] pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 060/141] PCI: endpoint: Fix missing destroy_workqueue() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 062/141] NFSv4.2 fix handling of sr_eof in SEEKs reply Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikola Livic, Dan Carpenter,
	Trond Myklebust, Sasha Levin

From: Nikola Livic <nlivic@gmail.com>

[ Upstream commit ed34695e15aba74f45247f1ee2cf7e09d449f925 ]

We (adam zabrocki, alexander matrosov, alexander tereshkin, maksym
bazalii) observed the check:

	if (fh->size > sizeof(struct nfs_fh))

should not use the size of the nfs_fh struct which includes an extra two
bytes from the size field.

struct nfs_fh {
	unsigned short         size;
	unsigned char          data[NFS_MAXFHSIZE];
}

but should determine the size from data[NFS_MAXFHSIZE] so the memcpy
will not write 2 bytes beyond destination.  The proposed fix is to
compare against the NFS_MAXFHSIZE directly, as is done elsewhere in fs
code base.

Fixes: d67ae825a59d ("pnfs/flexfiles: Add the FlexFile Layout Driver")
Signed-off-by: Nikola Livic <nlivic@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/flexfilelayout/flexfilelayout.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/nfs/flexfilelayout/flexfilelayout.c b/fs/nfs/flexfilelayout/flexfilelayout.c
index 1741d902b0d8..fa1c920afb49 100644
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -103,7 +103,7 @@ static int decode_nfs_fh(struct xdr_stream *xdr, struct nfs_fh *fh)
 	if (unlikely(!p))
 		return -ENOBUFS;
 	fh->size = be32_to_cpup(p++);
-	if (fh->size > sizeof(struct nfs_fh)) {
+	if (fh->size > NFS_MAXFHSIZE) {
 		printk(KERN_ERR "NFS flexfiles: Too big fh received %d\n",
 		       fh->size);
 		return -EOVERFLOW;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 062/141] NFSv4.2 fix handling of sr_eof in SEEKs reply
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 061/141] pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 063/141] rtc: fsl-ftm-alarm: add MODULE_TABLE() Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Olga Kornievskaia, Trond Myklebust,
	Sasha Levin

From: Olga Kornievskaia <kolga@netapp.com>

[ Upstream commit 73f5c88f521a630ea1628beb9c2d48a2e777a419 ]

Currently the client ignores the value of the sr_eof of the SEEK
operation. According to the spec, if the server didn't find the
requested extent and reached the end of the file, the server
would return sr_eof=true. In case the request for DATA and no
data was found (ie in the middle of the hole), then the lseek
expects that ENXIO would be returned.

Fixes: 1c6dcbe5ceff8 ("NFS: Implement SEEK")
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs42proc.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
index 5c84e5b8c0d6..6b7c926824ae 100644
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -500,7 +500,10 @@ static loff_t _nfs42_proc_llseek(struct file *filep,
 	if (status)
 		return status;
 
-	return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
+	if (whence == SEEK_DATA && res.sr_eof)
+		return -NFS4ERR_NXIO;
+	else
+		return vfs_setpos(filep, res.sr_offset, inode->i_sb->s_maxbytes);
 }
 
 loff_t nfs42_proc_llseek(struct file *filep, loff_t offset, int whence)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 063/141] rtc: fsl-ftm-alarm: add MODULE_TABLE()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 062/141] NFSv4.2 fix handling of sr_eof in SEEKs reply Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 064/141] ceph: fix inode leak on getattr error in __fh_to_dentry Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Walle, Alexandre Belloni,
	Sasha Levin

From: Michael Walle <michael@walle.cc>

[ Upstream commit 7fcb86185978661c9188397d474f90364745b8d9 ]

The module doesn't load automatically. Fix it by adding the missing
MODULE_TABLE().

Fixes: 7b0b551dbc1e ("rtc: fsl-ftm-alarm: add FTM alarm driver")
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20210414084006.17933-1-michael@walle.cc
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-fsl-ftm-alarm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/rtc/rtc-fsl-ftm-alarm.c b/drivers/rtc/rtc-fsl-ftm-alarm.c
index 8df2075af9a2..835695bedaac 100644
--- a/drivers/rtc/rtc-fsl-ftm-alarm.c
+++ b/drivers/rtc/rtc-fsl-ftm-alarm.c
@@ -316,6 +316,7 @@ static const struct of_device_id ftm_rtc_match[] = {
 	{ .compatible = "fsl,lx2160a-ftm-alarm", },
 	{ },
 };
+MODULE_DEVICE_TABLE(of, ftm_rtc_match);
 
 static struct platform_driver ftm_rtc_driver = {
 	.probe		= ftm_rtc_probe,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 064/141] ceph: fix inode leak on getattr error in __fh_to_dentry
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 063/141] rtc: fsl-ftm-alarm: add MODULE_TABLE() Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 065/141] rtc: ds1307: Fix wday settings for rx8130 Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeff Layton, Xiubo Li, Ilya Dryomov,
	Sasha Levin

From: Jeff Layton <jlayton@kernel.org>

[ Upstream commit 1775c7ddacfcea29051c67409087578f8f4d751b ]

Fixes: 878dabb64117 ("ceph: don't return -ESTALE if there's still an open file")
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/export.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ceph/export.c b/fs/ceph/export.c
index e088843a7734..baa6368bece5 100644
--- a/fs/ceph/export.c
+++ b/fs/ceph/export.c
@@ -178,8 +178,10 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, u64 ino)
 		return ERR_CAST(inode);
 	/* We need LINK caps to reliably check i_nlink */
 	err = ceph_do_getattr(inode, CEPH_CAP_LINK_SHARED, false);
-	if (err)
+	if (err) {
+		iput(inode);
 		return ERR_PTR(err);
+	}
 	/* -ESTALE if inode as been unlinked and no file is open */
 	if ((inode->i_nlink == 0) && (atomic_read(&inode->i_count) == 1)) {
 		iput(inode);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 065/141] rtc: ds1307: Fix wday settings for rx8130
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 064/141] ceph: fix inode leak on getattr error in __fh_to_dentry Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 066/141] net: hns3: fix incorrect configuration for igu_egu_hw_err Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nobuhiro Iwamatsu, Alexandre Belloni,
	Sasha Levin

From: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>

[ Upstream commit 204756f016726a380bafe619438ed979088bd04a ]

rx8130 wday specifies the bit position, not BCD.

Fixes: ee0981be7704 ("rtc: ds1307: Add support for Epson RX8130CE")
Signed-off-by: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/20210420023917.1949066-1-nobuhiro1.iwamatsu@toshiba.co.jp
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-ds1307.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/drivers/rtc/rtc-ds1307.c b/drivers/rtc/rtc-ds1307.c
index 1f7e8aefc1eb..99b93f56a2d5 100644
--- a/drivers/rtc/rtc-ds1307.c
+++ b/drivers/rtc/rtc-ds1307.c
@@ -265,7 +265,11 @@ static int ds1307_get_time(struct device *dev, struct rtc_time *t)
 	t->tm_min = bcd2bin(regs[DS1307_REG_MIN] & 0x7f);
 	tmp = regs[DS1307_REG_HOUR] & 0x3f;
 	t->tm_hour = bcd2bin(tmp);
-	t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
+	/* rx8130 is bit position, not BCD */
+	if (ds1307->type == rx_8130)
+		t->tm_wday = fls(regs[DS1307_REG_WDAY] & 0x7f);
+	else
+		t->tm_wday = bcd2bin(regs[DS1307_REG_WDAY] & 0x07) - 1;
 	t->tm_mday = bcd2bin(regs[DS1307_REG_MDAY] & 0x3f);
 	tmp = regs[DS1307_REG_MONTH] & 0x1f;
 	t->tm_mon = bcd2bin(tmp) - 1;
@@ -312,7 +316,11 @@ static int ds1307_set_time(struct device *dev, struct rtc_time *t)
 	regs[DS1307_REG_SECS] = bin2bcd(t->tm_sec);
 	regs[DS1307_REG_MIN] = bin2bcd(t->tm_min);
 	regs[DS1307_REG_HOUR] = bin2bcd(t->tm_hour);
-	regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
+	/* rx8130 is bit position, not BCD */
+	if (ds1307->type == rx_8130)
+		regs[DS1307_REG_WDAY] = 1 << t->tm_wday;
+	else
+		regs[DS1307_REG_WDAY] = bin2bcd(t->tm_wday + 1);
 	regs[DS1307_REG_MDAY] = bin2bcd(t->tm_mday);
 	regs[DS1307_REG_MONTH] = bin2bcd(t->tm_mon + 1);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 066/141] net: hns3: fix incorrect configuration for igu_egu_hw_err
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 065/141] rtc: ds1307: Fix wday settings for rx8130 Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:01 ` [PATCH 5.4 067/141] net: hns3: initialize the message content in hclge_get_link_mode() Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yufeng Mo, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Yufeng Mo <moyufeng@huawei.com>

[ Upstream commit 2867298dd49ee84214b8721521dc7a5a6382520c ]

According to the UM, the type and enable status of igu_egu_hw_err
should be configured separately. Currently, the type field is
incorrect when disable this error. So fix it by configuring these
two fields separately.

Fixes: bf1faf9415dd ("net: hns3: Add enable and process hw errors from IGU, EGU and NCSI")
Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c | 3 ++-
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
index 87dece0e745d..53fd6e4d9e2d 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.c
@@ -753,8 +753,9 @@ static int hclge_config_igu_egu_hw_err_int(struct hclge_dev *hdev, bool en)
 
 	/* configure IGU,EGU error interrupts */
 	hclge_cmd_setup_basic_desc(&desc, HCLGE_IGU_COMMON_INT_EN, false);
+	desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_TYPE);
 	if (en)
-		desc.data[0] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
+		desc.data[0] |= cpu_to_le32(HCLGE_IGU_ERR_INT_EN);
 
 	desc.data[1] = cpu_to_le32(HCLGE_IGU_ERR_INT_EN_MASK);
 
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
index 876fd81ad2f1..8eccdb651a3c 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_err.h
@@ -33,7 +33,8 @@
 #define HCLGE_TQP_ECC_ERR_INT_EN_MASK	0x0FFF
 #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN_MASK	0x0F000000
 #define HCLGE_MSIX_SRAM_ECC_ERR_INT_EN	0x0F000000
-#define HCLGE_IGU_ERR_INT_EN	0x0000066F
+#define HCLGE_IGU_ERR_INT_EN	0x0000000F
+#define HCLGE_IGU_ERR_INT_TYPE	0x00000660
 #define HCLGE_IGU_ERR_INT_EN_MASK	0x000F
 #define HCLGE_IGU_TNL_ERR_INT_EN    0x0002AABF
 #define HCLGE_IGU_TNL_ERR_INT_EN_MASK  0x003F
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 067/141] net: hns3: initialize the message content in hclge_get_link_mode()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 066/141] net: hns3: fix incorrect configuration for igu_egu_hw_err Greg Kroah-Hartman
@ 2021-05-17 14:01 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 068/141] net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:01 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yufeng Mo, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Yufeng Mo <moyufeng@huawei.com>

[ Upstream commit 568a54bdf70b143f3e0befa298e22ad469ffc732 ]

The message sent to VF should be initialized, otherwise random
value of some contents may cause improper processing by the target.
So add a initialization to message in hclge_get_link_mode().

Fixes: 9194d18b0577 ("net: hns3: fix the problem that the supported port is empty")
Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
index f5da28a60d00..23a706a1765a 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mbx.c
@@ -455,7 +455,7 @@ static void hclge_get_link_mode(struct hclge_vport *vport,
 	unsigned long advertising;
 	unsigned long supported;
 	unsigned long send_data;
-	u8 msg_data[10];
+	u8 msg_data[10] = {};
 	u8 dest_vfid;
 
 	advertising = hdev->hw.mac.advertising[0];
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 068/141] net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-05-17 14:01 ` [PATCH 5.4 067/141] net: hns3: initialize the message content in hclge_get_link_mode() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 069/141] net: hns3: fix for vxlan gpe tx checksum bug Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jian Shen, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Jian Shen <shenjian15@huawei.com>

[ Upstream commit b4047aac4ec1066bab6c71950623746d7bcf7154 ]

In some cases, the device is not initialized because reset failed.
If another task calls hns3_reset_notify_up_enet() before reset
retry, it will cause an error since uninitialized pointer access.
So add check for HNS3_NIC_STATE_INITED before calling
hns3_nic_net_open() in hns3_reset_notify_up_enet().

Fixes: bb6b94a896d4 ("net: hns3: Add reset interface implementation in client")
Signed-off-by: Jian Shen <shenjian15@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index 696f21543aa7..6b43cbf4f909 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -4280,6 +4280,11 @@ static int hns3_reset_notify_up_enet(struct hnae3_handle *handle)
 	struct hns3_nic_priv *priv = netdev_priv(kinfo->netdev);
 	int ret = 0;
 
+	if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state)) {
+		netdev_err(kinfo->netdev, "device is not initialized yet\n");
+		return -EFAULT;
+	}
+
 	clear_bit(HNS3_NIC_STATE_RESETTING, &priv->state);
 
 	if (netif_running(kinfo->netdev)) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 069/141] net: hns3: fix for vxlan gpe tx checksum bug
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 068/141] net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 070/141] net: hns3: use netif_tx_disable to stop the transmit queue Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hao Chen, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Hao Chen <chenhao288@hisilicon.com>

[ Upstream commit 905416f18fe74bdd4de91bf94ef5a790a36e4b99 ]

When skb->ip_summed is CHECKSUM_PARTIAL, for non-tunnel udp packet,
which has a dest port as the IANA assigned, the hardware is expected
to do the checksum offload, but the hardware whose version is below
V3 will not do the checksum offload when udp dest port is 4790.

So fixes it by doing the checksum in software for this case.

Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
Signed-off-by: Hao Chen <chenhao288@hisilicon.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index 6b43cbf4f909..3dd3b8047968 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -796,7 +796,7 @@ static int hns3_get_l4_protocol(struct sk_buff *skb, u8 *ol4_proto,
  * and it is udp packet, which has a dest port as the IANA assigned.
  * the hardware is expected to do the checksum offload, but the
  * hardware will not do the checksum offload when udp dest port is
- * 4789 or 6081.
+ * 4789, 4790 or 6081.
  */
 static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
 {
@@ -806,7 +806,8 @@ static bool hns3_tunnel_csum_bug(struct sk_buff *skb)
 
 	if (!(!skb->encapsulation &&
 	      (l4.udp->dest == htons(IANA_VXLAN_UDP_PORT) ||
-	      l4.udp->dest == htons(GENEVE_UDP_PORT))))
+	      l4.udp->dest == htons(GENEVE_UDP_PORT) ||
+	      l4.udp->dest == htons(4790))))
 		return false;
 
 	skb_checksum_help(skb);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 070/141] net: hns3: use netif_tx_disable to stop the transmit queue
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 069/141] net: hns3: fix for vxlan gpe tx checksum bug Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 071/141] net: hns3: disable phy loopback setting in hclge_mac_start_phy Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Li, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Peng Li <lipeng321@huawei.com>

[ Upstream commit b416e872be06fdace3c36cf5210130509d0f0e72 ]

Currently, netif_tx_stop_all_queues() is used to ensure that
the xmit is not running, but for the concurrent case it will
not take effect, since netif_tx_stop_all_queues() just sets
a flag without locking to indicate that the xmit queue(s)
should not be run.

So use netif_tx_disable() to replace netif_tx_stop_all_queues(),
it takes the xmit queue lock while marking the queue stopped.

Fixes: 76ad4f0ee747 ("net: hns3: Add support of HNS3 Ethernet Driver for hip08 SoC")
Signed-off-by: Peng Li <lipeng321@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_enet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
index 3dd3b8047968..5f2948bafff2 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_enet.c
@@ -539,8 +539,8 @@ static int hns3_nic_net_stop(struct net_device *netdev)
 	if (h->ae_algo->ops->set_timer_task)
 		h->ae_algo->ops->set_timer_task(priv->ae_handle, false);
 
-	netif_tx_stop_all_queues(netdev);
 	netif_carrier_off(netdev);
+	netif_tx_disable(netdev);
 
 	hns3_nic_net_down(netdev);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 071/141] net: hns3: disable phy loopback setting in hclge_mac_start_phy
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 070/141] net: hns3: use netif_tx_disable to stop the transmit queue Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 072/141] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yufeng Mo, Huazhong Tan,
	David S. Miller, Sasha Levin

From: Yufeng Mo <moyufeng@huawei.com>

[ Upstream commit 472497d0bdae890a896013332a0b673f9acdf2bf ]

If selftest and reset are performed at the same time, the phy
loopback setting may be still in enable state after the reset,
and device cannot link up. So fix this issue by disabling phy
loopback before phy_start().

Fixes: 256727da7395 ("net: hns3: Add MDIO support to HNS3 Ethernet driver for hip08 SoC")
Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
Signed-off-by: Huazhong Tan <tanhuazhong@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
index dc4dfd4602ab..c8f979c55fec 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_mdio.c
@@ -255,6 +255,8 @@ void hclge_mac_start_phy(struct hclge_dev *hdev)
 	if (!phydev)
 		return;
 
+	phy_loopback(phydev, false);
+
 	phy_start(phydev);
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 072/141] sctp: do asoc update earlier in sctp_sf_do_dupcook_a
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 071/141] net: hns3: disable phy loopback setting in hclge_mac_start_phy Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 073/141] RISC-V: Fix error code returned by riscv_hartid_to_cpuid() Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Sverdlin,
	syzbot+bbe538efd1046586f587, Michal Tesar, Xin Long,
	Marcelo Ricardo Leitner, David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ]

There's a panic that occurs in a few of envs, the call trace is as below:

  [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI
  [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]
  []  sctp_assoc_control_transport+0x1b9/0x210 [sctp]
  []  sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]
  []  sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]
  []  sctp_do_sm+0xc3/0x2a0 [sctp]
  []  sctp_generate_timeout_event+0x81/0xf0 [sctp]

This is caused by a transport use-after-free issue. When processing a
duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK
and SHUTDOWN chunks are allocated with the transort from the new asoc.
However, later in the sideeffect machine, the old asoc is used to send
them out and old asoc's shutdown_last_sent_to is set to the transport
that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually
belongs to the new asoc. After the new_asoc is freed and the old asoc
T2 timeout, the old asoc's shutdown_last_sent_to that is already freed
would be accessed in sctp_sf_t2_timer_expire().

Thanks Alexander and Jere for helping dig into this issue.

To fix it, this patch is to do the asoc update first, then allocate
the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This
would make more sense, as a chunk from an asoc shouldn't be sent out
with another asoc. We had fixed quite a few issues caused by this.

Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK")
Reported-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com
Reported-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 84138a07e936..72e4eaffacdb 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
 			SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO));
 	sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL());
 
-	repl = sctp_make_cookie_ack(new_asoc, chunk);
+	/* Update the content of current association. */
+	if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) {
+		struct sctp_chunk *abort;
+
+		abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr));
+		if (abort) {
+			sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0);
+			sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort));
+		}
+		sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED));
+		sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED,
+				SCTP_PERR(SCTP_ERROR_RSRC_LOW));
+		SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS);
+		SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB);
+		goto nomem;
+	}
+
+	repl = sctp_make_cookie_ack(asoc, chunk);
 	if (!repl)
 		goto nomem;
 
 	/* Report association restart to upper layer. */
 	ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0,
-					     new_asoc->c.sinit_num_ostreams,
-					     new_asoc->c.sinit_max_instreams,
+					     asoc->c.sinit_num_ostreams,
+					     asoc->c.sinit_max_instreams,
 					     NULL, GFP_ATOMIC);
 	if (!ev)
 		goto nomem_ev;
 
-	/* Update the content of current association. */
-	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev));
 	if ((sctp_state(asoc, SHUTDOWN_PENDING) ||
 	     sctp_state(asoc, SHUTDOWN_SENT)) &&
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 073/141] RISC-V: Fix error code returned by riscv_hartid_to_cpuid()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 072/141] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 074/141] sunrpc: Fix misplaced barrier in call_decode Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anup Patel, Palmer Dabbelt, Sasha Levin

From: Anup Patel <anup.patel@wdc.com>

[ Upstream commit 533b4f3a789d49574e7ae0f6ececed153f651f97 ]

We should return a negative error code upon failure in
riscv_hartid_to_cpuid() instead of NR_CPUS. This is also
aligned with all uses of riscv_hartid_to_cpuid() which
expect negative error code upon failure.

Fixes: 6825c7a80f18 ("RISC-V: Add logical CPU indexing for RISC-V")
Fixes: f99fb607fb2b ("RISC-V: Use Linux logical CPU number instead of hartid")
Signed-off-by: Anup Patel <anup.patel@wdc.com>
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/riscv/kernel/smp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/riscv/kernel/smp.c b/arch/riscv/kernel/smp.c
index 5c9ec78422c2..098c04adbaaf 100644
--- a/arch/riscv/kernel/smp.c
+++ b/arch/riscv/kernel/smp.c
@@ -51,7 +51,7 @@ int riscv_hartid_to_cpuid(int hartid)
 			return i;
 
 	pr_err("Couldn't find cpu id for hartid [%d]\n", hartid);
-	return i;
+	return -ENOENT;
 }
 
 void riscv_cpuid_to_hartid_mask(const struct cpumask *in, struct cpumask *out)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 074/141] sunrpc: Fix misplaced barrier in call_decode
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 073/141] RISC-V: Fix error code returned by riscv_hartid_to_cpuid() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 075/141] ethernet:enic: Fix a use after free bug in enic_hard_start_xmit Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baptiste Lepers, Trond Myklebust,
	Sasha Levin

From: Baptiste Lepers <baptiste.lepers@gmail.com>

[ Upstream commit f8f7e0fb22b2e75be55f2f0c13e229e75b0eac07 ]

Fix a misplaced barrier in call_decode. The struct rpc_rqst is modified
as follows by xprt_complete_rqst:

req->rq_private_buf.len = copied;
/* Ensure all writes are done before we update */
/* req->rq_reply_bytes_recvd */
smp_wmb();
req->rq_reply_bytes_recvd = copied;

And currently read as follows by call_decode:

smp_rmb(); // misplaced
if (!req->rq_reply_bytes_recvd)
   goto out;
req->rq_rcv_buf.len = req->rq_private_buf.len;

This patch places the smp_rmb after the if to ensure that
rq_reply_bytes_recvd and rq_private_buf.len are read in order.

Fixes: 9ba828861c56a ("SUNRPC: Don't try to parse incomplete RPC messages")
Signed-off-by: Baptiste Lepers <baptiste.lepers@gmail.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/clnt.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index f1088ca39d44..b6039642df67 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -2505,12 +2505,6 @@ call_decode(struct rpc_task *task)
 		task->tk_flags &= ~RPC_CALL_MAJORSEEN;
 	}
 
-	/*
-	 * Ensure that we see all writes made by xprt_complete_rqst()
-	 * before it changed req->rq_reply_bytes_recvd.
-	 */
-	smp_rmb();
-
 	/*
 	 * Did we ever call xprt_complete_rqst()? If not, we should assume
 	 * the message is incomplete.
@@ -2519,6 +2513,11 @@ call_decode(struct rpc_task *task)
 	if (!req->rq_reply_bytes_recvd)
 		goto out;
 
+	/* Ensure that we see all writes made by xprt_complete_rqst()
+	 * before it changed req->rq_reply_bytes_recvd.
+	 */
+	smp_rmb();
+
 	req->rq_rcv_buf.len = req->rq_private_buf.len;
 
 	/* Check that the softirq receive buffer is valid */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 075/141] ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 074/141] sunrpc: Fix misplaced barrier in call_decode Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 076/141] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lv Yunlong,
	Govindarajulu Varadarajan, David S. Miller, Sasha Levin

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

[ Upstream commit 643001b47adc844ae33510c4bb93c236667008a3 ]

In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside
enic_queue_wq_skb, if some error happens, the skb will be freed
by dev_kfree_skb(skb). But the freed skb is still used in
skb_tx_timestamp(skb).

My patch makes enic_queue_wq_skb() return error and goto spin_unlock()
incase of error. The solution is provided by Govind.
See https://lkml.org/lkml/2021/4/30/961.

Fixes: fb7516d42478e ("enic: add sw timestamp support")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Acked-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cisco/enic/enic_main.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c
index 8314102002b0..03c8af58050c 100644
--- a/drivers/net/ethernet/cisco/enic/enic_main.c
+++ b/drivers/net/ethernet/cisco/enic/enic_main.c
@@ -803,7 +803,7 @@ static inline int enic_queue_wq_skb_encap(struct enic *enic, struct vnic_wq *wq,
 	return err;
 }
 
-static inline void enic_queue_wq_skb(struct enic *enic,
+static inline int enic_queue_wq_skb(struct enic *enic,
 	struct vnic_wq *wq, struct sk_buff *skb)
 {
 	unsigned int mss = skb_shinfo(skb)->gso_size;
@@ -849,6 +849,7 @@ static inline void enic_queue_wq_skb(struct enic *enic,
 		wq->to_use = buf->next;
 		dev_kfree_skb(skb);
 	}
+	return err;
 }
 
 /* netif_tx_lock held, process context with BHs disabled, or BH */
@@ -892,7 +893,8 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb,
 		return NETDEV_TX_BUSY;
 	}
 
-	enic_queue_wq_skb(enic, wq, skb);
+	if (enic_queue_wq_skb(enic, wq, skb))
+		goto error;
 
 	if (vnic_wq_desc_avail(wq) < MAX_SKB_FRAGS + ENIC_DESC_MAX_SPLITS)
 		netif_tx_stop_queue(txq);
@@ -900,6 +902,7 @@ static netdev_tx_t enic_hard_start_xmit(struct sk_buff *skb,
 	if (!netdev_xmit_more() || netif_xmit_stopped(txq))
 		vnic_wq_doorbell(wq);
 
+error:
 	spin_unlock(&enic->wq_lock[txq_map]);
 
 	return NETDEV_TX_OK;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 076/141] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 075/141] ethernet:enic: Fix a use after free bug in enic_hard_start_xmit Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 077/141] netfilter: xt_SECMARK: add new revision to fix structure layout Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcelo Ricardo Leitner, Xin Long,
	David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]

Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
is being deleted.

However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
multiple times but only decrement once at the end.

I was able to reproduce it by using scapy to do the 4-way shakehands,
after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
changed to different values, and SCTP_MIB_CURRESTAB was incremented
multiple times and never went back to 0 even when the asoc was freed.

This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
the state < ESTABLISHED in sctp_sf_do_dupcook_b().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 72e4eaffacdb..82a202d71a31 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -1933,7 +1933,8 @@ static enum sctp_disposition sctp_sf_do_dupcook_b(
 	sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc));
 	sctp_add_cmd_sf(commands, SCTP_CMD_NEW_STATE,
 			SCTP_STATE(SCTP_STATE_ESTABLISHED));
-	SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
+	if (asoc->state < SCTP_STATE_ESTABLISHED)
+		SCTP_INC_STATS(net, SCTP_MIB_CURRESTAB);
 	sctp_add_cmd_sf(commands, SCTP_CMD_HB_TIMERS_START, SCTP_NULL());
 
 	repl = sctp_make_cookie_ack(new_asoc, chunk);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 077/141] netfilter: xt_SECMARK: add new revision to fix structure layout
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 076/141] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 078/141] drm/radeon: Fix off-by-one power_state index heap overwrite Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phil Sutter, Pablo Neira Ayuso, Sasha Levin

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit c7d13358b6a2f49f81a34aa323a2d0878a0532a2 ]

This extension breaks when trying to delete rules, add a new revision to
fix this.

Fixes: 5e6874cdb8de ("[SECMARK]: Add xtables SECMARK target")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/uapi/linux/netfilter/xt_SECMARK.h |  6 ++
 net/netfilter/xt_SECMARK.c                | 88 ++++++++++++++++++-----
 2 files changed, 75 insertions(+), 19 deletions(-)

diff --git a/include/uapi/linux/netfilter/xt_SECMARK.h b/include/uapi/linux/netfilter/xt_SECMARK.h
index 1f2a708413f5..beb2cadba8a9 100644
--- a/include/uapi/linux/netfilter/xt_SECMARK.h
+++ b/include/uapi/linux/netfilter/xt_SECMARK.h
@@ -20,4 +20,10 @@ struct xt_secmark_target_info {
 	char secctx[SECMARK_SECCTX_MAX];
 };
 
+struct xt_secmark_target_info_v1 {
+	__u8 mode;
+	char secctx[SECMARK_SECCTX_MAX];
+	__u32 secid;
+};
+
 #endif /*_XT_SECMARK_H_target */
diff --git a/net/netfilter/xt_SECMARK.c b/net/netfilter/xt_SECMARK.c
index 2317721f3ecb..ea7aeea19b3b 100644
--- a/net/netfilter/xt_SECMARK.c
+++ b/net/netfilter/xt_SECMARK.c
@@ -26,10 +26,9 @@ MODULE_ALIAS("ip6t_SECMARK");
 static u8 mode;
 
 static unsigned int
-secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
+secmark_tg(struct sk_buff *skb, const struct xt_secmark_target_info_v1 *info)
 {
 	u32 secmark = 0;
-	const struct xt_secmark_target_info *info = par->targinfo;
 
 	switch (mode) {
 	case SECMARK_MODE_SEL:
@@ -43,7 +42,7 @@ secmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
 	return XT_CONTINUE;
 }
 
-static int checkentry_lsm(struct xt_secmark_target_info *info)
+static int checkentry_lsm(struct xt_secmark_target_info_v1 *info)
 {
 	int err;
 
@@ -75,15 +74,15 @@ static int checkentry_lsm(struct xt_secmark_target_info *info)
 	return 0;
 }
 
-static int secmark_tg_check(const struct xt_tgchk_param *par)
+static int
+secmark_tg_check(const char *table, struct xt_secmark_target_info_v1 *info)
 {
-	struct xt_secmark_target_info *info = par->targinfo;
 	int err;
 
-	if (strcmp(par->table, "mangle") != 0 &&
-	    strcmp(par->table, "security") != 0) {
+	if (strcmp(table, "mangle") != 0 &&
+	    strcmp(table, "security") != 0) {
 		pr_info_ratelimited("only valid in \'mangle\' or \'security\' table, not \'%s\'\n",
-				    par->table);
+				    table);
 		return -EINVAL;
 	}
 
@@ -118,25 +117,76 @@ static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
 	}
 }
 
-static struct xt_target secmark_tg_reg __read_mostly = {
-	.name       = "SECMARK",
-	.revision   = 0,
-	.family     = NFPROTO_UNSPEC,
-	.checkentry = secmark_tg_check,
-	.destroy    = secmark_tg_destroy,
-	.target     = secmark_tg,
-	.targetsize = sizeof(struct xt_secmark_target_info),
-	.me         = THIS_MODULE,
+static int secmark_tg_check_v0(const struct xt_tgchk_param *par)
+{
+	struct xt_secmark_target_info *info = par->targinfo;
+	struct xt_secmark_target_info_v1 newinfo = {
+		.mode	= info->mode,
+	};
+	int ret;
+
+	memcpy(newinfo.secctx, info->secctx, SECMARK_SECCTX_MAX);
+
+	ret = secmark_tg_check(par->table, &newinfo);
+	info->secid = newinfo.secid;
+
+	return ret;
+}
+
+static unsigned int
+secmark_tg_v0(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	const struct xt_secmark_target_info *info = par->targinfo;
+	struct xt_secmark_target_info_v1 newinfo = {
+		.secid	= info->secid,
+	};
+
+	return secmark_tg(skb, &newinfo);
+}
+
+static int secmark_tg_check_v1(const struct xt_tgchk_param *par)
+{
+	return secmark_tg_check(par->table, par->targinfo);
+}
+
+static unsigned int
+secmark_tg_v1(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	return secmark_tg(skb, par->targinfo);
+}
+
+static struct xt_target secmark_tg_reg[] __read_mostly = {
+	{
+		.name		= "SECMARK",
+		.revision	= 0,
+		.family		= NFPROTO_UNSPEC,
+		.checkentry	= secmark_tg_check_v0,
+		.destroy	= secmark_tg_destroy,
+		.target		= secmark_tg_v0,
+		.targetsize	= sizeof(struct xt_secmark_target_info),
+		.me		= THIS_MODULE,
+	},
+	{
+		.name		= "SECMARK",
+		.revision	= 1,
+		.family		= NFPROTO_UNSPEC,
+		.checkentry	= secmark_tg_check_v1,
+		.destroy	= secmark_tg_destroy,
+		.target		= secmark_tg_v1,
+		.targetsize	= sizeof(struct xt_secmark_target_info_v1),
+		.usersize	= offsetof(struct xt_secmark_target_info_v1, secid),
+		.me		= THIS_MODULE,
+	},
 };
 
 static int __init secmark_tg_init(void)
 {
-	return xt_register_target(&secmark_tg_reg);
+	return xt_register_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 }
 
 static void __exit secmark_tg_exit(void)
 {
-	xt_unregister_target(&secmark_tg_reg);
+	xt_unregister_targets(secmark_tg_reg, ARRAY_SIZE(secmark_tg_reg));
 }
 
 module_init(secmark_tg_init);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 078/141] drm/radeon: Fix off-by-one power_state index heap overwrite
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 077/141] netfilter: xt_SECMARK: add new revision to fix structure layout Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 079/141] drm/radeon: Avoid power table parsing memory leaks Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Erhard F.,
	Kees Cook, Alex Deucher, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit 5bbf219328849e83878bddb7c226d8d42e84affc ]

An out of bounds write happens when setting the default power state.
KASAN sees this as:

[drm] radeon: 512M of GTT memory ready.
[drm] GART: num cpu pages 131072, num gpu pages 131072
==================================================================
BUG: KASAN: slab-out-of-bounds in
radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
Write of size 4 at addr ffff88810178d858 by task systemd-udevd/157

CPU: 0 PID: 157 Comm: systemd-udevd Not tainted 5.12.0-E620 #50
Hardware name: eMachines        eMachines E620  /Nile       , BIOS V1.03 09/30/2008
Call Trace:
 dump_stack+0xa5/0xe6
 print_address_description.constprop.0+0x18/0x239
 kasan_report+0x170/0x1a8
 radeon_atombios_parse_power_table_1_3+0x1837/0x1998 [radeon]
 radeon_atombios_get_power_modes+0x144/0x1888 [radeon]
 radeon_pm_init+0x1019/0x1904 [radeon]
 rs690_init+0x76e/0x84a [radeon]
 radeon_device_init+0x1c1a/0x21e5 [radeon]
 radeon_driver_load_kms+0xf5/0x30b [radeon]
 drm_dev_register+0x255/0x4a0 [drm]
 radeon_pci_probe+0x246/0x2f6 [radeon]
 pci_device_probe+0x1aa/0x294
 really_probe+0x30e/0x850
 driver_probe_device+0xe6/0x135
 device_driver_attach+0xc1/0xf8
 __driver_attach+0x13f/0x146
 bus_for_each_dev+0xfa/0x146
 bus_add_driver+0x2b3/0x447
 driver_register+0x242/0x2c1
 do_one_initcall+0x149/0x2fd
 do_init_module+0x1ae/0x573
 load_module+0x4dee/0x5cca
 __do_sys_finit_module+0xf1/0x140
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Without KASAN, this will manifest later when the kernel attempts to
allocate memory that was stomped, since it collides with the inline slab
freelist pointer:

invalid opcode: 0000 [#1] SMP NOPTI
CPU: 0 PID: 781 Comm: openrc-run.sh Tainted: G        W 5.10.12-gentoo-E620 #2
Hardware name: eMachines        eMachines E620  /Nile , BIOS V1.03       09/30/2008
RIP: 0010:kfree+0x115/0x230
Code: 89 c5 e8 75 ea ff ff 48 8b 00 0f ba e0 09 72 63 e8 1f f4 ff ff 41 89 c4 48 8b 45 00 0f ba e0 10 72 0a 48 8b 45 08 a8 01 75 02 <0f> 0b 44 89 e1 48 c7 c2 00 f0 ff ff be 06 00 00 00 48 d3 e2 48 c7
RSP: 0018:ffffb42f40267e10 EFLAGS: 00010246
RAX: ffffd61280ee8d88 RBX: 0000000000000004 RCX: 000000008010000d
RDX: 4000000000000000 RSI: ffffffffba1360b0 RDI: ffffd61280ee8d80
RBP: ffffd61280ee8d80 R08: ffffffffb91bebdf R09: 0000000000000000
R10: ffff8fe2c1047ac8 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000100
FS:  00007fe80eff6b68(0000) GS:ffff8fe339c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fe80eec7bc0 CR3: 0000000038012000 CR4: 00000000000006f0
Call Trace:
 __free_fdtable+0x16/0x1f
 put_files_struct+0x81/0x9b
 do_exit+0x433/0x94d
 do_group_exit+0xa6/0xa6
 __x64_sys_exit_group+0xf/0xf
 do_syscall_64+0x33/0x40
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7fe80ef64bea
Code: Unable to access opcode bytes at RIP 0x7fe80ef64bc0.
RSP: 002b:00007ffdb1c47528 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fe80ef64bea
RDX: 00007fe80ef64f60 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000000
R10: 00007fe80ee2c620 R11: 0000000000000246 R12: 00007fe80eff41e0
R13: 00000000ffffffff R14: 0000000000000024 R15: 00007fe80edf9cd0
Modules linked in: radeon(+) ath5k(+) snd_hda_codec_realtek ...

Use a valid power_state index when initializing the "flags" and "misc"
and "misc2" fields.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
Reported-by: Erhard F. <erhard_f@mailbox.org>
Fixes: a48b9b4edb8b ("drm/radeon/kms/pm: add asic specific callbacks for getting power state (v2)")
Fixes: 79daedc94281 ("drm/radeon/kms: minor pm cleanups")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/radeon_atombios.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 226a7bf0eb7a..97703449e049 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -2266,10 +2266,10 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
 		rdev->pm.default_power_state_index = state_index - 1;
 		rdev->pm.power_state[state_index - 1].default_clock_mode =
 			&rdev->pm.power_state[state_index - 1].clock_info[0];
-		rdev->pm.power_state[state_index].flags &=
+		rdev->pm.power_state[state_index - 1].flags &=
 			~RADEON_PM_STATE_SINGLE_DISPLAY_ONLY;
-		rdev->pm.power_state[state_index].misc = 0;
-		rdev->pm.power_state[state_index].misc2 = 0;
+		rdev->pm.power_state[state_index - 1].misc = 0;
+		rdev->pm.power_state[state_index - 1].misc2 = 0;
 	}
 	return state_index;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 079/141] drm/radeon: Avoid power table parsing memory leaks
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 078/141] drm/radeon: Fix off-by-one power_state index heap overwrite Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 080/141] khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Alex Deucher, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit c69f27137a38d24301a6b659454a91ad85dff4aa ]

Avoid leaving a hanging pre-allocated clock_info if last mode is
invalid, and avoid heap corruption if no valid modes are found.

Bug: https://bugzilla.kernel.org/show_bug.cgi?id=211537
Fixes: 6991b8f2a319 ("drm/radeon/kms: fix segfault in pm rework")
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/radeon/radeon_atombios.c | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/radeon/radeon_atombios.c b/drivers/gpu/drm/radeon/radeon_atombios.c
index 97703449e049..9e0aa357585f 100644
--- a/drivers/gpu/drm/radeon/radeon_atombios.c
+++ b/drivers/gpu/drm/radeon/radeon_atombios.c
@@ -2136,11 +2136,14 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
 		return state_index;
 	/* last mode is usually default, array is low to high */
 	for (i = 0; i < num_modes; i++) {
-		rdev->pm.power_state[state_index].clock_info =
-			kcalloc(1, sizeof(struct radeon_pm_clock_info),
-				GFP_KERNEL);
+		/* avoid memory leaks from invalid modes or unknown frev. */
+		if (!rdev->pm.power_state[state_index].clock_info) {
+			rdev->pm.power_state[state_index].clock_info =
+				kzalloc(sizeof(struct radeon_pm_clock_info),
+					GFP_KERNEL);
+		}
 		if (!rdev->pm.power_state[state_index].clock_info)
-			return state_index;
+			goto out;
 		rdev->pm.power_state[state_index].num_clock_modes = 1;
 		rdev->pm.power_state[state_index].clock_info[0].voltage.type = VOLTAGE_NONE;
 		switch (frev) {
@@ -2259,8 +2262,15 @@ static int radeon_atombios_parse_power_table_1_3(struct radeon_device *rdev)
 			break;
 		}
 	}
+out:
+	/* free any unused clock_info allocation. */
+	if (state_index && state_index < num_modes) {
+		kfree(rdev->pm.power_state[state_index].clock_info);
+		rdev->pm.power_state[state_index].clock_info = NULL;
+	}
+
 	/* last mode is usually default */
-	if (rdev->pm.default_power_state_index == -1) {
+	if (state_index && rdev->pm.default_power_state_index == -1) {
 		rdev->pm.power_state[state_index - 1].type =
 			POWER_STATE_TYPE_DEFAULT;
 		rdev->pm.default_power_state_index = state_index - 1;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 080/141] khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 079/141] drm/radeon: Avoid power table parsing memory leaks Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 081/141] mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Kirill A. Shutemov,
	Dan Carpenter, Ebru Akagunduz, Mike Kravetz, Rik van Riel,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Miaohe Lin <linmiaohe@huawei.com>

[ Upstream commit 74e579bf231a337ab3786d59e64bc94f45ca7b3f ]

In writable and !referenced case, the result value should be
SCAN_LACK_REFERENCED_PAGE for trace_mm_collapse_huge_page_isolate()
instead of default 0 (SCAN_FAIL) here.

Link: https://lkml.kernel.org/r/20210306032947.35921-5-linmiaohe@huawei.com
Fixes: 7d2eba0557c1 ("mm: add tracepoint for scanning pages")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Ebru Akagunduz <ebru.akagunduz@gmail.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/khugepaged.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/mm/khugepaged.c b/mm/khugepaged.c
index f0d7e6483ba3..3c2326568193 100644
--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -628,17 +628,17 @@ static int __collapse_huge_page_isolate(struct vm_area_struct *vma,
 		    mmu_notifier_test_young(vma->vm_mm, address))
 			referenced++;
 	}
-	if (likely(writable)) {
-		if (likely(referenced)) {
-			result = SCAN_SUCCEED;
-			trace_mm_collapse_huge_page_isolate(page, none_or_zero,
-							    referenced, writable, result);
-			return 1;
-		}
-	} else {
+
+	if (unlikely(!writable)) {
 		result = SCAN_PAGE_RO;
+	} else if (unlikely(!referenced)) {
+		result = SCAN_LACK_REFERENCED_PAGE;
+	} else {
+		result = SCAN_SUCCEED;
+		trace_mm_collapse_huge_page_isolate(page, none_or_zero,
+						    referenced, writable, result);
+		return 1;
 	}
-
 out:
 	release_pte_pages(pte, _pte);
 	trace_mm_collapse_huge_page_isolate(page, none_or_zero,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 081/141] mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 080/141] khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 082/141] mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page() Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Feilong Lin,
	Mike Kravetz, Andrew Morton, Linus Torvalds, Sasha Levin

From: Miaohe Lin <linmiaohe@huawei.com>

[ Upstream commit da56388c4397878a65b74f7fe97760f5aa7d316b ]

A rare out of memory error would prevent removal of the reserve map region
for a page.  hugetlb_fix_reserve_counts() handles this rare case to avoid
dangling with incorrect counts.  Unfortunately, hugepage_subpool_get_pages
and hugetlb_acct_memory could possibly fail too.  We should correctly
handle these cases.

Link: https://lkml.kernel.org/r/20210410072348.20437-5-linmiaohe@huawei.com
Fixes: b5cec28d36f5 ("hugetlbfs: truncate_hugepages() takes a range of pages")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Feilong Lin <linfeilong@huawei.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/hugetlb.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 5253c67acb1d..3b08e34a775d 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -591,13 +591,20 @@ void hugetlb_fix_reserve_counts(struct inode *inode)
 {
 	struct hugepage_subpool *spool = subpool_inode(inode);
 	long rsv_adjust;
+	bool reserved = false;
 
 	rsv_adjust = hugepage_subpool_get_pages(spool, 1);
-	if (rsv_adjust) {
+	if (rsv_adjust > 0) {
 		struct hstate *h = hstate_inode(inode);
 
-		hugetlb_acct_memory(h, 1);
+		if (!hugetlb_acct_memory(h, 1))
+			reserved = true;
+	} else if (!rsv_adjust) {
+		reserved = true;
 	}
+
+	if (!reserved)
+		pr_warn("hugetlb: Huge Page Reserved count may go negative.\n");
 }
 
 /*
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 082/141] mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 081/141] mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 083/141] ksm: fix potential missing rmap_item for stable_node Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, David Hildenbrand,
	Alistair Popple, Jerome Glisse, Rafael Aquini, Yang Shi,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Miaohe Lin <linmiaohe@huawei.com>

[ Upstream commit 34f5e9b9d1990d286199084efa752530ee3d8297 ]

If the zone device page does not belong to un-addressable device memory,
the variable entry will be uninitialized and lead to indeterminate pte
entry ultimately.  Fix this unexpected case and warn about it.

Link: https://lkml.kernel.org/r/20210325131524.48181-4-linmiaohe@huawei.com
Fixes: df6ad69838fc ("mm/device-public-memory: device memory cache coherent with CPU")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Reviewed-by: David Hildenbrand <david@redhat.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Jerome Glisse <jglisse@redhat.com>
Cc: Rafael Aquini <aquini@redhat.com>
Cc: Yang Shi <shy828301@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/migrate.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/mm/migrate.c b/mm/migrate.c
index c4c313e47f12..00bbe57c1ce2 100644
--- a/mm/migrate.c
+++ b/mm/migrate.c
@@ -2771,6 +2771,13 @@ static void migrate_vma_insert_page(struct migrate_vma *migrate,
 
 			swp_entry = make_device_private_entry(page, vma->vm_flags & VM_WRITE);
 			entry = swp_entry_to_pte(swp_entry);
+		} else {
+			/*
+			 * For now we only support migrating to un-addressable
+			 * device memory.
+			 */
+			pr_warn_once("Unsupported ZONE_DEVICE page type.\n");
+			goto abort;
 		}
 	} else {
 		entry = mk_pte(page, vma->vm_page_prot);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 083/141] ksm: fix potential missing rmap_item for stable_node
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 082/141] mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 084/141] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miaohe Lin, Hugh Dickins,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Miaohe Lin <linmiaohe@huawei.com>

[ Upstream commit c89a384e2551c692a9fe60d093fd7080f50afc51 ]

When removing rmap_item from stable tree, STABLE_FLAG of rmap_item is
cleared with head reserved.  So the following scenario might happen: For
ksm page with rmap_item1:

cmp_and_merge_page
  stable_node->head = &migrate_nodes;
  remove_rmap_item_from_tree, but head still equal to stable_node;
  try_to_merge_with_ksm_page failed;
  return;

For the same ksm page with rmap_item2, stable node migration succeed this
time.  The stable_node->head does not equal to migrate_nodes now.  For ksm
page with rmap_item1 again:

cmp_and_merge_page
 stable_node->head != &migrate_nodes && rmap_item->head == stable_node
 return;

We would miss the rmap_item for stable_node and might result in failed
rmap_walk_ksm().  Fix this by set rmap_item->head to NULL when rmap_item
is removed from stable tree.

Link: https://lkml.kernel.org/r/20210330140228.45635-5-linmiaohe@huawei.com
Fixes: 4146d2d673e8 ("ksm: make !merge_across_nodes migration safe")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Cc: Hugh Dickins <hughd@google.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/ksm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mm/ksm.c b/mm/ksm.c
index e486c54d921b..0bbae78aaaa0 100644
--- a/mm/ksm.c
+++ b/mm/ksm.c
@@ -793,6 +793,7 @@ static void remove_rmap_item_from_tree(struct rmap_item *rmap_item)
 		stable_node->rmap_hlist_len--;
 
 		put_anon_vma(rmap_item->anon_vma);
+		rmap_item->head = NULL;
 		rmap_item->address &= PAGE_MASK;
 
 	} else if (rmap_item->address & UNSTABLE_FLAG) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 084/141] net: fix nla_strcmp to handle more then one trailing null character
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 083/141] ksm: fix potential missing rmap_item for stable_node Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 085/141] smc: disallow TCP_ULP in smc_setsockopt() Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nucca Chen, Cong Wang, David Ahern,
	David S. Miller, Jakub Kicinski, Jamal Hadi Salim, Jiri Pirko,
	Jiri Pirko, Sasha Levin

From: Maciej Żenczykowski <maze@google.com>

[ Upstream commit 2c16db6c92b0ee4aa61e88366df82169e83c3f7e ]

Android userspace has been using TCA_KIND with a char[IFNAMESIZ]
many-null-terminated buffer containing the string 'bpf'.

This works on 4.19 and ceases to work on 5.10.

I'm not entirely sure what fixes tag to use, but I think the issue
was likely introduced in the below mentioned 5.4 commit.

Reported-by: Nucca Chen <nuccachen@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@mellanox.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Fixes: 62794fc4fbf5 ("net_sched: add max len check for TCA_KIND")
Change-Id: I66dc281f165a2858fc29a44869a270a2d698a82b
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/nlattr.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/nlattr.c b/lib/nlattr.c
index cace9b307781..0d84f79cb4b5 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -609,7 +609,7 @@ int nla_strcmp(const struct nlattr *nla, const char *str)
 	int attrlen = nla_len(nla);
 	int d;
 
-	if (attrlen > 0 && buf[attrlen - 1] == '\0')
+	while (attrlen > 0 && buf[attrlen - 1] == '\0')
 		attrlen--;
 
 	d = attrlen - len;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 085/141] smc: disallow TCP_ULP in smc_setsockopt()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 084/141] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 086/141] netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Fastabend, Karsten Graul,
	Cong Wang, David S. Miller, Sasha Levin,
	syzbot+b54a1ce86ba4a623b7f0

From: Cong Wang <cong.wang@bytedance.com>

[ Upstream commit 8621436671f3a4bba5db57482e1ee604708bf1eb ]

syzbot is able to setup kTLS on an SMC socket which coincidentally
uses sk_user_data too. Later, kTLS treats it as psock so triggers a
refcnt warning. The root cause is that smc_setsockopt() simply calls
TCP setsockopt() which includes TCP_ULP. I do not think it makes
sense to setup kTLS on top of SMC sockets, so we should just disallow
this setup.

It is hard to find a commit to blame, but we can apply this patch
since the beginning of TCP_ULP.

Reported-and-tested-by: syzbot+b54a1ce86ba4a623b7f0@syzkaller.appspotmail.com
Fixes: 734942cc4ea6 ("tcp: ULP infrastructure")
Cc: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/af_smc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index dc09a72f8110..51986f7ead81 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1709,6 +1709,9 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
 	struct smc_sock *smc;
 	int val, rc;
 
+	if (level == SOL_TCP && optname == TCP_ULP)
+		return -EOPNOTSUPP;
+
 	smc = smc_sk(sk);
 
 	/* generic setsockopts reaching us here always apply to the
@@ -1730,7 +1733,6 @@ static int smc_setsockopt(struct socket *sock, int level, int optname,
 	if (rc || smc->use_fallback)
 		goto out;
 	switch (optname) {
-	case TCP_ULP:
 	case TCP_FASTOPEN:
 	case TCP_FASTOPEN_CONNECT:
 	case TCP_FASTOPEN_KEY:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 086/141] netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 085/141] smc: disallow TCP_ULP in smc_setsockopt() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 087/141] can: m_can: m_can_tx_work_queue(): fix tx_skb race condition Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit 5e024c325406470d1165a09c6feaf8ec897936be ]

Do not assume that the tcph->doff field is correct when parsing for TCP
options, skb_header_pointer() might fail to fetch these bits.

Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nfnetlink_osf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nfnetlink_osf.c b/net/netfilter/nfnetlink_osf.c
index 916a3c7f9eaf..79fbf37291f3 100644
--- a/net/netfilter/nfnetlink_osf.c
+++ b/net/netfilter/nfnetlink_osf.c
@@ -186,6 +186,8 @@ static const struct tcphdr *nf_osf_hdr_ctx_init(struct nf_osf_hdr_ctx *ctx,
 
 		ctx->optp = skb_header_pointer(skb, ip_hdrlen(skb) +
 				sizeof(struct tcphdr), ctx->optsize, opts);
+		if (!ctx->optp)
+			return NULL;
 	}
 
 	return tcp;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 087/141] can: m_can: m_can_tx_work_queue(): fix tx_skb race condition
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 086/141] netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 088/141] sched: Fix out-of-bound access in uclamp Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Torin Cooper-Bennun,
	Marc Kleine-Budde, Sasha Levin

From: Marc Kleine-Budde <mkl@pengutronix.de>

[ Upstream commit e04b2cfe61072c7966e1a5fb73dd1feb30c206ed ]

The m_can_start_xmit() function checks if the cdev->tx_skb is NULL and
returns with NETDEV_TX_BUSY in case tx_sbk is not NULL.

There is a race condition in the m_can_tx_work_queue(), where first
the skb is send to the driver and then the case tx_sbk is set to NULL.
A TX complete IRQ might come in between and wake the queue, which
results in tx_skb not being cleared yet.

Fixes: f524f829b75a ("can: m_can: Create a m_can platform framework")
Tested-by: Torin Cooper-Bennun <torin@maxiluxsystems.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/m_can/m_can.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c
index b2224113987c..de275ccb4fd0 100644
--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1418,6 +1418,8 @@ static netdev_tx_t m_can_tx_handler(struct m_can_classdev *cdev)
 	int i;
 	int putidx;
 
+	cdev->tx_skb = NULL;
+
 	/* Generate ID field for TX buffer Element */
 	/* Common to all supported M_CAN versions */
 	if (cf->can_id & CAN_EFF_FLAG) {
@@ -1534,7 +1536,6 @@ static void m_can_tx_work_queue(struct work_struct *ws)
 						tx_work);
 
 	m_can_tx_handler(cdev);
-	cdev->tx_skb = NULL;
 }
 
 static netdev_tx_t m_can_start_xmit(struct sk_buff *skb,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 088/141] sched: Fix out-of-bound access in uclamp
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 087/141] can: m_can: m_can_tx_work_queue(): fix tx_skb race condition Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 089/141] sched/fair: Fix unfairness caused by missing load decay Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qais Yousef, Quentin Perret,
	Peter Zijlstra (Intel),
	Vincent Guittot, Dietmar Eggemann, Sasha Levin

From: Quentin Perret <qperret@google.com>

[ Upstream commit 6d2f8909a5fabb73fe2a63918117943986c39b6c ]

Util-clamp places tasks in different buckets based on their clamp values
for performance reasons. However, the size of buckets is currently
computed using a rounding division, which can lead to an off-by-one
error in some configurations.

For instance, with 20 buckets, the bucket size will be 1024/20=51. A
task with a clamp of 1024 will be mapped to bucket id 1024/51=20. Sadly,
correct indexes are in range [0,19], hence leading to an out of bound
memory access.

Clamp the bucket id to fix the issue.

Fixes: 69842cba9ace ("sched/uclamp: Add CPU's clamp buckets refcounting")
Suggested-by: Qais Yousef <qais.yousef@arm.com>
Signed-off-by: Quentin Perret <qperret@google.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
Reviewed-by: Dietmar Eggemann <dietmar.eggemann@arm.com>
Link: https://lkml.kernel.org/r/20210430151412.160913-1-qperret@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 2ce61018e33b..a3e95d7779e1 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -820,7 +820,7 @@ DEFINE_STATIC_KEY_FALSE(sched_uclamp_used);
 
 static inline unsigned int uclamp_bucket_id(unsigned int clamp_value)
 {
-	return clamp_value / UCLAMP_BUCKET_DELTA;
+	return min_t(unsigned int, clamp_value / UCLAMP_BUCKET_DELTA, UCLAMP_BUCKETS - 1);
 }
 
 static inline unsigned int uclamp_bucket_base_value(unsigned int clamp_value)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 089/141] sched/fair: Fix unfairness caused by missing load decay
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 088/141] sched: Fix out-of-bound access in uclamp Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 090/141] kernel: kexec_file: fix error return code of kexec_calculate_store_digests() Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Odin Ugedal, Peter Zijlstra (Intel),
	Vincent Guittot, Sasha Levin

From: Odin Ugedal <odin@uged.al>

[ Upstream commit 0258bdfaff5bd13c4d2383150b7097aecd6b6d82 ]

This fixes an issue where old load on a cfs_rq is not properly decayed,
resulting in strange behavior where fairness can decrease drastically.
Real workloads with equally weighted control groups have ended up
getting a respective 99% and 1%(!!) of cpu time.

When an idle task is attached to a cfs_rq by attaching a pid to a cgroup,
the old load of the task is attached to the new cfs_rq and sched_entity by
attach_entity_cfs_rq. If the task is then moved to another cpu (and
therefore cfs_rq) before being enqueued/woken up, the load will be moved
to cfs_rq->removed from the sched_entity. Such a move will happen when
enforcing a cpuset on the task (eg. via a cgroup) that force it to move.

The load will however not be removed from the task_group itself, making
it look like there is a constant load on that cfs_rq. This causes the
vruntime of tasks on other sibling cfs_rq's to increase faster than they
are supposed to; causing severe fairness issues. If no other task is
started on the given cfs_rq, and due to the cpuset it would not happen,
this load would never be properly unloaded. With this patch the load
will be properly removed inside update_blocked_averages. This also
applies to tasks moved to the fair scheduling class and moved to another
cpu, and this path will also fix that. For fork, the entity is queued
right away, so this problem does not affect that.

This applies to cases where the new process is the first in the cfs_rq,
issue introduced 3d30544f0212 ("sched/fair: Apply more PELT fixes"), and
when there has previously been load on the cgroup but the cgroup was
removed from the leaflist due to having null PELT load, indroduced
in 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing
path").

For a simple cgroup hierarchy (as seen below) with two equally weighted
groups, that in theory should get 50/50 of cpu time each, it often leads
to a load of 60/40 or 70/30.

parent/
  cg-1/
    cpu.weight: 100
    cpuset.cpus: 1
  cg-2/
    cpu.weight: 100
    cpuset.cpus: 1

If the hierarchy is deeper (as seen below), while keeping cg-1 and cg-2
equally weighted, they should still get a 50/50 balance of cpu time.
This however sometimes results in a balance of 10/90 or 1/99(!!) between
the task groups.

$ ps u -C stress
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root       18568  1.1  0.0   3684   100 pts/12   R+   13:36   0:00 stress --cpu 1
root       18580 99.3  0.0   3684   100 pts/12   R+   13:36   0:09 stress --cpu 1

parent/
  cg-1/
    cpu.weight: 100
    sub-group/
      cpu.weight: 1
      cpuset.cpus: 1
  cg-2/
    cpu.weight: 100
    sub-group/
      cpu.weight: 10000
      cpuset.cpus: 1

This can be reproduced by attaching an idle process to a cgroup and
moving it to a given cpuset before it wakes up. The issue is evident in
many (if not most) container runtimes, and has been reproduced
with both crun and runc (and therefore docker and all its "derivatives"),
and with both cgroup v1 and v2.

Fixes: 3d30544f0212 ("sched/fair: Apply more PELT fixes")
Fixes: 039ae8bcf7a5 ("sched/fair: Fix O(nr_cgroups) in the load balancing path")
Signed-off-by: Odin Ugedal <odin@uged.al>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Vincent Guittot <vincent.guittot@linaro.org>
Link: https://lkml.kernel.org/r/20210501141950.23622-2-odin@uged.al
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/fair.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c
index 93ab546b6e16..092aa5e47251 100644
--- a/kernel/sched/fair.c
+++ b/kernel/sched/fair.c
@@ -10146,16 +10146,22 @@ static void propagate_entity_cfs_rq(struct sched_entity *se)
 {
 	struct cfs_rq *cfs_rq;
 
+	list_add_leaf_cfs_rq(cfs_rq_of(se));
+
 	/* Start to propagate at parent */
 	se = se->parent;
 
 	for_each_sched_entity(se) {
 		cfs_rq = cfs_rq_of(se);
 
-		if (cfs_rq_throttled(cfs_rq))
-			break;
+		if (!cfs_rq_throttled(cfs_rq)){
+			update_load_avg(cfs_rq, se, UPDATE_TG);
+			list_add_leaf_cfs_rq(cfs_rq);
+			continue;
+		}
 
-		update_load_avg(cfs_rq, se, UPDATE_TG);
+		if (list_add_leaf_cfs_rq(cfs_rq))
+			break;
 	}
 }
 #else
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 090/141] kernel: kexec_file: fix error return code of kexec_calculate_store_digests()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 089/141] sched/fair: Fix unfairness caused by missing load decay Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 091/141] netfilter: nftables: avoid overflows in nft_hash_buckets() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jia-Ju Bai, TOTE Robot, Baoquan He,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Jia-Ju Bai <baijiaju1990@gmail.com>

[ Upstream commit 31d82c2c787d5cf65fedd35ebbc0c1bd95c1a679 ]

When vzalloc() returns NULL to sha_regions, no error return code of
kexec_calculate_store_digests() is assigned.  To fix this bug, ret is
assigned with -ENOMEM in this case.

Link: https://lkml.kernel.org/r/20210309083904.24321-1-baijiaju1990@gmail.com
Fixes: a43cac0d9dc2 ("kexec: split kexec_file syscall code to kexec_file.c")
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Acked-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/kexec_file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/kernel/kexec_file.c b/kernel/kexec_file.c
index 4e74db89bd23..b17998fa03f1 100644
--- a/kernel/kexec_file.c
+++ b/kernel/kexec_file.c
@@ -740,8 +740,10 @@ static int kexec_calculate_store_digests(struct kimage *image)
 
 	sha_region_sz = KEXEC_SEGMENT_MAX * sizeof(struct kexec_sha_region);
 	sha_regions = vzalloc(sha_region_sz);
-	if (!sha_regions)
+	if (!sha_regions) {
+		ret = -ENOMEM;
 		goto out_free_desc;
+	}
 
 	desc->tfm   = tfm;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 091/141] netfilter: nftables: avoid overflows in nft_hash_buckets()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 090/141] kernel: kexec_file: fix error return code of kexec_calculate_store_digests() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 092/141] i40e: Fix use-after-free in i40e_client_subtask() Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	Pablo Neira Ayuso, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a54754ec9891830ba548e2010c889e3c8146e449 ]

Number of buckets being stored in 32bit variables, we have to
ensure that no overflows occur in nft_hash_buckets()

syzbot injected a size == 0x40000000 and reported:

UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13
shift exponent 64 is too large for 64-bit type 'long unsigned int'
CPU: 1 PID: 29539 Comm: syz-executor.4 Not tainted 5.12.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 __roundup_pow_of_two include/linux/log2.h:57 [inline]
 nft_hash_buckets net/netfilter/nft_set_hash.c:411 [inline]
 nft_hash_estimate.cold+0x19/0x1e net/netfilter/nft_set_hash.c:652
 nft_select_set_ops net/netfilter/nf_tables_api.c:3586 [inline]
 nf_tables_newset+0xe62/0x3110 net/netfilter/nf_tables_api.c:4322
 nfnetlink_rcv_batch+0xa09/0x24b0 net/netfilter/nfnetlink.c:488
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:612 [inline]
 nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:630
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46

Fixes: 0ed6389c483d ("netfilter: nf_tables: rename set implementations")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_set_hash.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c
index b331a3c9a3a8..9de0eb20e954 100644
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -393,9 +393,17 @@ static void nft_rhash_destroy(const struct nft_set *set)
 				    (void *)set);
 }
 
+/* Number of buckets is stored in u32, so cap our result to 1U<<31 */
+#define NFT_MAX_BUCKETS (1U << 31)
+
 static u32 nft_hash_buckets(u32 size)
 {
-	return roundup_pow_of_two(size * 4 / 3);
+	u64 val = div_u64((u64)size * 4, 3);
+
+	if (val >= NFT_MAX_BUCKETS)
+		return NFT_MAX_BUCKETS;
+
+	return roundup_pow_of_two(val);
 }
 
 static bool nft_rhash_estimate(const struct nft_set_desc *desc, u32 features,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 092/141] i40e: Fix use-after-free in i40e_client_subtask()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 091/141] netfilter: nftables: avoid overflows in nft_hash_buckets() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 093/141] i40e: fix the restart auto-negotiation after FEC modified Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunjian Wang, Tony Nguyen, Sasha Levin

From: Yunjian Wang <wangyunjian@huawei.com>

[ Upstream commit 38318f23a7ef86a8b1862e5e8078c4de121960c3 ]

Currently the call to i40e_client_del_instance frees the object
pf->cinst, however pf->cinst->lan_info is being accessed after
the free. Fix this by adding the missing return.

Addresses-Coverity: ("Read from pointer after free")
Fixes: 7b0b1a6d0ac9 ("i40e: Disable iWARP VSI PETCP_ENA flag on netdev down events")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_client.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_client.c b/drivers/net/ethernet/intel/i40e/i40e_client.c
index e81530ca08d0..5706abb3c0ea 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_client.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_client.c
@@ -377,6 +377,7 @@ void i40e_client_subtask(struct i40e_pf *pf)
 				clear_bit(__I40E_CLIENT_INSTANCE_OPENED,
 					  &cdev->state);
 				i40e_client_del_instance(pf);
+				return;
 			}
 		}
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 093/141] i40e: fix the restart auto-negotiation after FEC modified
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 092/141] i40e: Fix use-after-free in i40e_client_subtask() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 094/141] i40e: Fix PHY type identifiers for 2.5G and 5G adapters Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jaroslaw Gawin, Mateusz Palczewski,
	Dave Switzer, Tony Nguyen, Sasha Levin

From: Jaroslaw Gawin <jaroslawx.gawin@intel.com>

[ Upstream commit 61343e6da7810de81d6b826698946ae4f9070819 ]

When FEC mode was changed the link didn't know it because
the link was not reset and new parameters were not negotiated.
Set a flag 'I40E_AQ_PHY_ENABLE_ATOMIC_LINK' in 'abilities'
to restart the link and make it run with the new settings.

Fixes: 1d96340196f1 ("i40e: Add support FEC configuration for Fortville 25G")
Signed-off-by: Jaroslaw Gawin <jaroslawx.gawin@intel.com>
Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
Tested-by: Dave Switzer <david.switzer@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index b519e5af5ed9..502b4abc0aab 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -1406,7 +1406,8 @@ static int i40e_set_fec_cfg(struct net_device *netdev, u8 fec_cfg)
 
 		memset(&config, 0, sizeof(config));
 		config.phy_type = abilities.phy_type;
-		config.abilities = abilities.abilities;
+		config.abilities = abilities.abilities |
+				   I40E_AQ_PHY_ENABLE_ATOMIC_LINK;
 		config.phy_type_ext = abilities.phy_type_ext;
 		config.link_speed = abilities.link_speed;
 		config.eee_capability = abilities.eee_capability;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 094/141] i40e: Fix PHY type identifiers for 2.5G and 5G adapters
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 093/141] i40e: fix the restart auto-negotiation after FEC modified Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 095/141] ARC: entry: fix off-by-one error in syscall number validation Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dawid Lukwinski, Mateusz Palczewski,
	Aleksandr Loktionov, Dave Switzer, Tony Nguyen, Sasha Levin

From: Mateusz Palczewski <mateusz.palczewski@intel.com>

[ Upstream commit 15395ec4685bd45a43d1b54b8fd9846b87e2c621 ]

Unlike other supported adapters, 2.5G and 5G use different
PHY type identifiers for reading/writing PHY settings
and for reading link status. This commit introduces
separate PHY identifiers for these two operation types.

Fixes: 2e45d3f4677a ("i40e: Add support for X710 B/P & SFP+ cards")
Signed-off-by: Dawid Lukwinski <dawid.lukwinski@intel.com>
Signed-off-by: Mateusz Palczewski <mateusz.palczewski@intel.com>
Reviewed-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Dave Switzer <david.switzer@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h | 6 ++++--
 drivers/net/ethernet/intel/i40e/i40e_common.c     | 4 ++--
 drivers/net/ethernet/intel/i40e/i40e_ethtool.c    | 4 ++--
 drivers/net/ethernet/intel/i40e/i40e_type.h       | 7 ++-----
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
index d7684ac2522e..57a8328e9b4f 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_adminq_cmd.h
@@ -1893,8 +1893,10 @@ enum i40e_aq_phy_type {
 	I40E_PHY_TYPE_25GBASE_LR		= 0x22,
 	I40E_PHY_TYPE_25GBASE_AOC		= 0x23,
 	I40E_PHY_TYPE_25GBASE_ACC		= 0x24,
-	I40E_PHY_TYPE_2_5GBASE_T		= 0x30,
-	I40E_PHY_TYPE_5GBASE_T			= 0x31,
+	I40E_PHY_TYPE_2_5GBASE_T		= 0x26,
+	I40E_PHY_TYPE_5GBASE_T			= 0x27,
+	I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS	= 0x30,
+	I40E_PHY_TYPE_5GBASE_T_LINK_STATUS	= 0x31,
 	I40E_PHY_TYPE_MAX,
 	I40E_PHY_TYPE_NOT_SUPPORTED_HIGH_TEMP	= 0xFD,
 	I40E_PHY_TYPE_EMPTY			= 0xFE,
diff --git a/drivers/net/ethernet/intel/i40e/i40e_common.c b/drivers/net/ethernet/intel/i40e/i40e_common.c
index 66f7deaf46ae..6475f78e85f6 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
@@ -1156,8 +1156,8 @@ static enum i40e_media_type i40e_get_media_type(struct i40e_hw *hw)
 		break;
 	case I40E_PHY_TYPE_100BASE_TX:
 	case I40E_PHY_TYPE_1000BASE_T:
-	case I40E_PHY_TYPE_2_5GBASE_T:
-	case I40E_PHY_TYPE_5GBASE_T:
+	case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS:
+	case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS:
 	case I40E_PHY_TYPE_10GBASE_T:
 		media = I40E_MEDIA_TYPE_BASET;
 		break;
diff --git a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
index 502b4abc0aab..e4d0b7747e84 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_ethtool.c
@@ -839,8 +839,8 @@ static void i40e_get_settings_link_up(struct i40e_hw *hw,
 							     10000baseT_Full);
 		break;
 	case I40E_PHY_TYPE_10GBASE_T:
-	case I40E_PHY_TYPE_5GBASE_T:
-	case I40E_PHY_TYPE_2_5GBASE_T:
+	case I40E_PHY_TYPE_5GBASE_T_LINK_STATUS:
+	case I40E_PHY_TYPE_2_5GBASE_T_LINK_STATUS:
 	case I40E_PHY_TYPE_1000BASE_T:
 	case I40E_PHY_TYPE_100BASE_TX:
 		ethtool_link_ksettings_add_link_mode(ks, supported, Autoneg);
diff --git a/drivers/net/ethernet/intel/i40e/i40e_type.h b/drivers/net/ethernet/intel/i40e/i40e_type.h
index b43ec94a0f29..666a251e8c72 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_type.h
+++ b/drivers/net/ethernet/intel/i40e/i40e_type.h
@@ -253,11 +253,8 @@ struct i40e_phy_info {
 #define I40E_CAP_PHY_TYPE_25GBASE_ACC BIT_ULL(I40E_PHY_TYPE_25GBASE_ACC + \
 					     I40E_PHY_TYPE_OFFSET)
 /* Offset for 2.5G/5G PHY Types value to bit number conversion */
-#define I40E_PHY_TYPE_OFFSET2 (-10)
-#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T + \
-					     I40E_PHY_TYPE_OFFSET2)
-#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T + \
-					     I40E_PHY_TYPE_OFFSET2)
+#define I40E_CAP_PHY_TYPE_2_5GBASE_T BIT_ULL(I40E_PHY_TYPE_2_5GBASE_T)
+#define I40E_CAP_PHY_TYPE_5GBASE_T BIT_ULL(I40E_PHY_TYPE_5GBASE_T)
 #define I40E_HW_CAP_MAX_GPIO			30
 /* Capabilities of a PF or a VF or the whole device */
 struct i40e_hw_capabilities {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 095/141] ARC: entry: fix off-by-one error in syscall number validation
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 094/141] i40e: Fix PHY type identifiers for 2.5G and 5G adapters Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 096/141] ARC: mm: PAE: use 40-bit physical page mask Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Shahab Vahedi, Vineet Gupta

From: Vineet Gupta <vgupta@synopsys.com>

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1].
However the check for invalid syscall number is "> NR_syscall" as
opposed to >=. This off-by-one error erronesously allows "NR_syscall"
to be treated as valid syscall causeing out-of-bounds access into
syscall-call table ensuing a crash (holes within syscall table have a
invalid-entry handler but this is beyond the array implementing the
table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10
kernel capable, includng faccessat2 syscall 439). The v5.6 kernel has
NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was
not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi <shahab@synopsys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arc/kernel/entry.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -165,7 +165,7 @@ tracesys:
 
 	; Do the Sys Call as we normally would.
 	; Validate the Sys Call number
-	cmp     r8,  NR_syscalls
+	cmp     r8,  NR_syscalls - 1
 	mov.hi  r0, -ENOSYS
 	bhi     tracesys_exit
 
@@ -243,7 +243,7 @@ ENTRY(EV_Trap)
 	;============ Normal syscall case
 
 	; syscall num shd not exceed the total system calls avail
-	cmp     r8,  NR_syscalls
+	cmp     r8,  NR_syscalls - 1
 	mov.hi  r0, -ENOSYS
 	bhi     .Lret_from_system_call
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 096/141] ARC: mm: PAE: use 40-bit physical page mask
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 095/141] ARC: entry: fix off-by-one error in syscall number validation Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 097/141] powerpc/64s: Fix crashes when toggling stf barrier Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vladimir Isaev, kernel test robot,
	Vineet Gupta

From: Vladimir Isaev <isaev@synopsys.com>

commit c5f756d8c6265ebb1736a7787231f010a3b782e5 upstream.

32-bit PAGE_MASK can not be used as a mask for physical addresses
when PAE is enabled. PAGE_MASK_PHYS must be used for physical
addresses instead of PAGE_MASK.

Without this, init gets SIGSEGV if pte_modify was called:

| potentially unexpected fatal signal 11.
| Path: /bin/busybox
| CPU: 0 PID: 1 Comm: init Not tainted 5.12.0-rc5-00003-g1e43c377a79f-dirty
| Insn could not be fetched
|     @No matching VMA found
|  ECR: 0x00040000 EFA: 0x00000000 ERET: 0x00000000
| STAT: 0x80080082 [IE U     ]   BTA: 0x00000000
|  SP: 0x5f9ffe44  FP: 0x00000000 BLK: 0xaf3d4
| LPS: 0x000d093e LPE: 0x000d0950 LPC: 0x00000000
| r00: 0x00000002 r01: 0x5f9fff14 r02: 0x5f9fff20
| ...
| Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b

Signed-off-by: Vladimir Isaev <isaev@synopsys.com>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Vineet Gupta <vgupta@synopsys.com>
Cc: stable@vger.kernel.org
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arc/include/asm/page.h      |   12 ++++++++++++
 arch/arc/include/asm/pgtable.h   |   12 +++---------
 arch/arc/include/uapi/asm/page.h |    1 -
 arch/arc/mm/ioremap.c            |    5 +++--
 arch/arc/mm/tlb.c                |    2 +-
 5 files changed, 19 insertions(+), 13 deletions(-)

--- a/arch/arc/include/asm/page.h
+++ b/arch/arc/include/asm/page.h
@@ -7,6 +7,18 @@
 
 #include <uapi/asm/page.h>
 
+#ifdef CONFIG_ARC_HAS_PAE40
+
+#define MAX_POSSIBLE_PHYSMEM_BITS	40
+#define PAGE_MASK_PHYS			(0xff00000000ull | PAGE_MASK)
+
+#else /* CONFIG_ARC_HAS_PAE40 */
+
+#define MAX_POSSIBLE_PHYSMEM_BITS	32
+#define PAGE_MASK_PHYS			PAGE_MASK
+
+#endif /* CONFIG_ARC_HAS_PAE40 */
+
 #ifndef __ASSEMBLY__
 
 #define clear_page(paddr)		memset((paddr), 0, PAGE_SIZE)
--- a/arch/arc/include/asm/pgtable.h
+++ b/arch/arc/include/asm/pgtable.h
@@ -108,8 +108,8 @@
 #define ___DEF (_PAGE_PRESENT | _PAGE_CACHEABLE)
 
 /* Set of bits not changed in pte_modify */
-#define _PAGE_CHG_MASK	(PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
-
+#define _PAGE_CHG_MASK	(PAGE_MASK_PHYS | _PAGE_ACCESSED | _PAGE_DIRTY | \
+							   _PAGE_SPECIAL)
 /* More Abbrevaited helpers */
 #define PAGE_U_NONE     __pgprot(___DEF)
 #define PAGE_U_R        __pgprot(___DEF | _PAGE_READ)
@@ -133,13 +133,7 @@
 #define PTE_BITS_IN_PD0		(_PAGE_GLOBAL | _PAGE_PRESENT | _PAGE_HW_SZ)
 #define PTE_BITS_RWX		(_PAGE_EXECUTE | _PAGE_WRITE | _PAGE_READ)
 
-#ifdef CONFIG_ARC_HAS_PAE40
-#define PTE_BITS_NON_RWX_IN_PD1	(0xff00000000 | PAGE_MASK | _PAGE_CACHEABLE)
-#define MAX_POSSIBLE_PHYSMEM_BITS 40
-#else
-#define PTE_BITS_NON_RWX_IN_PD1	(PAGE_MASK | _PAGE_CACHEABLE)
-#define MAX_POSSIBLE_PHYSMEM_BITS 32
-#endif
+#define PTE_BITS_NON_RWX_IN_PD1	(PAGE_MASK_PHYS | _PAGE_CACHEABLE)
 
 /**************************************************************************
  * Mapping of vm_flags (Generic VM) to PTE flags (arch specific)
--- a/arch/arc/include/uapi/asm/page.h
+++ b/arch/arc/include/uapi/asm/page.h
@@ -33,5 +33,4 @@
 
 #define PAGE_MASK	(~(PAGE_SIZE-1))
 
-
 #endif /* _UAPI__ASM_ARC_PAGE_H */
--- a/arch/arc/mm/ioremap.c
+++ b/arch/arc/mm/ioremap.c
@@ -53,9 +53,10 @@ EXPORT_SYMBOL(ioremap);
 void __iomem *ioremap_prot(phys_addr_t paddr, unsigned long size,
 			   unsigned long flags)
 {
+	unsigned int off;
 	unsigned long vaddr;
 	struct vm_struct *area;
-	phys_addr_t off, end;
+	phys_addr_t end;
 	pgprot_t prot = __pgprot(flags);
 
 	/* Don't allow wraparound, zero size */
@@ -72,7 +73,7 @@ void __iomem *ioremap_prot(phys_addr_t p
 
 	/* Mappings have to be page-aligned */
 	off = paddr & ~PAGE_MASK;
-	paddr &= PAGE_MASK;
+	paddr &= PAGE_MASK_PHYS;
 	size = PAGE_ALIGN(end + 1) - paddr;
 
 	/*
--- a/arch/arc/mm/tlb.c
+++ b/arch/arc/mm/tlb.c
@@ -597,7 +597,7 @@ void update_mmu_cache(struct vm_area_str
 		      pte_t *ptep)
 {
 	unsigned long vaddr = vaddr_unaligned & PAGE_MASK;
-	phys_addr_t paddr = pte_val(*ptep) & PAGE_MASK;
+	phys_addr_t paddr = pte_val(*ptep) & PAGE_MASK_PHYS;
 	struct page *page = pfn_to_page(pte_pfn(*ptep));
 
 	create_tlb(vma, vaddr, ptep);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 097/141] powerpc/64s: Fix crashes when toggling stf barrier
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 096/141] ARC: mm: PAE: use 40-bit physical page mask Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 098/141] powerpc/64s: Fix crashes when toggling entry flush barrier Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 8ec7791bae1327b1c279c5cd6e929c3b12daaf0a upstream.

The STF (store-to-load forwarding) barrier mitigation can be
enabled/disabled at runtime via a debugfs file (stf_barrier), which
causes the kernel to patch itself to enable/disable the relevant
mitigations.

However depending on which mitigation we're using, it may not be safe to
do that patching while other CPUs are active. For example the following
crash:

  User access of kernel address (c00000003fff5af0) - exploit attempt? (uid: 0)
  segfault (11) at c00000003fff5af0 nip 7fff8ad12198 lr 7fff8ad121f8 code 1
  code: 40820128 e93c00d0 e9290058 7c292840 40810058 38600000 4bfd9a81 e8410018
  code: 2c030006 41810154 3860ffb6 e9210098 <e94d8ff0> 7d295279 39400000 40820a3c

Shows that we returned to userspace without restoring the user r13
value, due to executing the partially patched STF exit code.

Fix it by doing the patching under stop machine. The CPUs that aren't
doing the patching will be spinning in the core of the stop machine
logic. That is currently sufficient for our purposes, because none of
the patching we do is to that code or anywhere in the vicinity.

Fixes: a048a07d7f45 ("powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit")
Cc: stable@vger.kernel.org # v4.17+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210506044959.1298123-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/lib/feature-fixups.c |   19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -14,6 +14,7 @@
 #include <linux/string.h>
 #include <linux/init.h>
 #include <linux/sched/mm.h>
+#include <linux/stop_machine.h>
 #include <asm/cputable.h>
 #include <asm/code-patching.h>
 #include <asm/page.h>
@@ -221,11 +222,25 @@ static void do_stf_exit_barrier_fixups(e
 		                                           : "unknown");
 }
 
+static int __do_stf_barrier_fixups(void *data)
+{
+	enum stf_barrier_type *types = data;
+
+	do_stf_entry_barrier_fixups(*types);
+	do_stf_exit_barrier_fixups(*types);
+
+	return 0;
+}
 
 void do_stf_barrier_fixups(enum stf_barrier_type types)
 {
-	do_stf_entry_barrier_fixups(types);
-	do_stf_exit_barrier_fixups(types);
+	/*
+	 * The call to the fallback entry flush, and the fallback/sync-ori exit
+	 * flush can not be safely patched in/out while other CPUs are executing
+	 * them. So call __do_stf_barrier_fixups() on one CPU while all other CPUs
+	 * spin in the stop machine core with interrupts hard disabled.
+	 */
+	stop_machine(__do_stf_barrier_fixups, &types, NULL);
 }
 
 void do_uaccess_flush_fixups(enum l1d_flush_type types)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 098/141] powerpc/64s: Fix crashes when toggling entry flush barrier
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 097/141] powerpc/64s: Fix crashes when toggling stf barrier Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 099/141] hfsplus: prevent corruption in shrinking truncate Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit aec86b052df6541cc97c5fca44e5934cbea4963b upstream.

The entry flush mitigation can be enabled/disabled at runtime via a
debugfs file (entry_flush), which causes the kernel to patch itself to
enable/disable the relevant mitigations.

However depending on which mitigation we're using, it may not be safe to
do that patching while other CPUs are active. For example the following
crash:

  sleeper[15639]: segfault (11) at c000000000004c20 nip c000000000004c20 lr c000000000004c20

Shows that we returned to userspace with a corrupted LR that points into
the kernel, due to executing the partially patched call to the fallback
entry flush (ie. we missed the LR restore).

Fix it by doing the patching under stop machine. The CPUs that aren't
doing the patching will be spinning in the core of the stop machine
logic. That is currently sufficient for our purposes, because none of
the patching we do is to that code or anywhere in the vicinity.

Fixes: f79643787e0a ("powerpc/64s: flush L1D on kernel entry")
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20210506044959.1298123-2-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/lib/feature-fixups.c |   16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

--- a/arch/powerpc/lib/feature-fixups.c
+++ b/arch/powerpc/lib/feature-fixups.c
@@ -293,8 +293,9 @@ void do_uaccess_flush_fixups(enum l1d_fl
 						: "unknown");
 }
 
-void do_entry_flush_fixups(enum l1d_flush_type types)
+static int __do_entry_flush_fixups(void *data)
 {
+	enum l1d_flush_type types = *(enum l1d_flush_type *)data;
 	unsigned int instrs[3], *dest;
 	long *start, *end;
 	int i;
@@ -345,6 +346,19 @@ void do_entry_flush_fixups(enum l1d_flus
 							: "ori type" :
 		(types &  L1D_FLUSH_MTTRIG)     ? "mttrig type"
 						: "unknown");
+
+	return 0;
+}
+
+void do_entry_flush_fixups(enum l1d_flush_type types)
+{
+	/*
+	 * The call to the fallback flush can not be safely patched in/out while
+	 * other CPUs are executing it. So call __do_entry_flush_fixups() on one
+	 * CPU while all other CPUs spin in the stop machine core with interrupts
+	 * hard disabled.
+	 */
+	stop_machine(__do_entry_flush_fixups, &types, NULL);
 }
 
 void do_rfi_flush_fixups(enum l1d_flush_type types)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 099/141] hfsplus: prevent corruption in shrinking truncate
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 098/141] powerpc/64s: Fix crashes when toggling entry flush barrier Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 100/141] squashfs: fix divide error in calculate_skip() Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jouni Roivas, Anton Altaparmakov,
	Anatoly Trosinenko, Viacheslav Dubeyko, Andrew Morton,
	Linus Torvalds

From: Jouni Roivas <jouni.roivas@tuxera.com>

commit c3187cf32216313fb316084efac4dab3a8459b1d upstream.

I believe there are some issues introduced by commit 31651c607151
("hfsplus: avoid deadlock on file truncation")

HFS+ has extent records which always contains 8 extents.  In case the
first extent record in catalog file gets full, new ones are allocated from
extents overflow file.

In case shrinking truncate happens to middle of an extent record which
locates in extents overflow file, the logic in hfsplus_file_truncate() was
changed so that call to hfs_brec_remove() is not guarded any more.

Right action would be just freeing the extents that exceed the new size
inside extent record by calling hfsplus_free_extents(), and then check if
the whole extent record should be removed.  However since the guard
(blk_cnt > start) is now after the call to hfs_brec_remove(), this has
unfortunate effect that the last matching extent record is removed
unconditionally.

To reproduce this issue, create a file which has at least 10 extents, and
then perform shrinking truncate into middle of the last extent record, so
that the number of remaining extents is not under or divisible by 8.  This
causes the last extent record (8 extents) to be removed totally instead of
truncating into middle of it.  Thus this causes corruption, and lost data.

Fix for this is simply checking if the new truncated end is below the
start of this extent record, making it safe to remove the full extent
record.  However call to hfs_brec_remove() can't be moved to it's previous
place since we're dropping ->tree_lock and it can cause a race condition
and the cached info being invalidated possibly corrupting the node data.

Another issue is related to this one.  When entering into the block
(blk_cnt > start) we are not holding the ->tree_lock.  We break out from
the loop not holding the lock, but hfs_find_exit() does unlock it.  Not
sure if it's possible for someone else to take the lock under our feet,
but it can cause hard to debug errors and premature unlocking.  Even if
there's no real risk of it, the locking should still always be kept in
balance.  Thus taking the lock now just before the check.

Link: https://lkml.kernel.org/r/20210429165139.3082828-1-jouni.roivas@tuxera.com
Fixes: 31651c607151f ("hfsplus: avoid deadlock on file truncation")
Signed-off-by: Jouni Roivas <jouni.roivas@tuxera.com>
Reviewed-by: Anton Altaparmakov <anton@tuxera.com>
Cc: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Cc: Viacheslav Dubeyko <slava@dubeyko.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hfsplus/extents.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/fs/hfsplus/extents.c
+++ b/fs/hfsplus/extents.c
@@ -598,13 +598,15 @@ void hfsplus_file_truncate(struct inode
 		res = __hfsplus_ext_cache_extent(&fd, inode, alloc_cnt);
 		if (res)
 			break;
-		hfs_brec_remove(&fd);
 
-		mutex_unlock(&fd.tree->tree_lock);
 		start = hip->cached_start;
+		if (blk_cnt <= start)
+			hfs_brec_remove(&fd);
+		mutex_unlock(&fd.tree->tree_lock);
 		hfsplus_free_extents(sb, hip->cached_extents,
 				     alloc_cnt - start, alloc_cnt - blk_cnt);
 		hfsplus_dump_extent(hip->cached_extents);
+		mutex_lock(&fd.tree->tree_lock);
 		if (blk_cnt > start) {
 			hip->extent_state |= HFSPLUS_EXT_DIRTY;
 			break;
@@ -612,7 +614,6 @@ void hfsplus_file_truncate(struct inode
 		alloc_cnt = start;
 		hip->cached_start = hip->cached_blocks = 0;
 		hip->extent_state &= ~(HFSPLUS_EXT_DIRTY | HFSPLUS_EXT_NEW);
-		mutex_lock(&fd.tree->tree_lock);
 	}
 	hfs_find_exit(&fd);
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 100/141] squashfs: fix divide error in calculate_skip()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 099/141] hfsplus: prevent corruption in shrinking truncate Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 101/141] userfaultfd: release page in error path to avoid BUG_ON Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Phillip Lougher,
	syzbot+e8f781243ce16ac2f962, syzbot+7b98870d4fec9447b951,
	Andrew Morton, Linus Torvalds

From: Phillip Lougher <phillip@squashfs.org.uk>

commit d6e621de1fceb3b098ebf435ef7ea91ec4838a1a upstream.

Sysbot has reported a "divide error" which has been identified as being
caused by a corrupted file_size value within the file inode.  This value
has been corrupted to a much larger value than expected.

Calculate_skip() is passed i_size_read(inode) >> msblk->block_log.  Due to
the file_size value corruption this overflows the int argument/variable in
that function, leading to the divide error.

This patch changes the function to use u64.  This will accommodate any
unexpectedly large values due to corruption.

The value returned from calculate_skip() is clamped to be never more than
SQUASHFS_CACHED_BLKS - 1, or 7.  So file_size corruption does not lead to
an unexpectedly large return result here.

Link: https://lkml.kernel.org/r/20210507152618.9447-1-phillip@squashfs.org.uk
Signed-off-by: Phillip Lougher <phillip@squashfs.org.uk>
Reported-by: <syzbot+e8f781243ce16ac2f962@syzkaller.appspotmail.com>
Reported-by: <syzbot+7b98870d4fec9447b951@syzkaller.appspotmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/squashfs/file.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/fs/squashfs/file.c
+++ b/fs/squashfs/file.c
@@ -211,11 +211,11 @@ failure:
  * If the skip factor is limited in this way then the file will use multiple
  * slots.
  */
-static inline int calculate_skip(int blocks)
+static inline int calculate_skip(u64 blocks)
 {
-	int skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
+	u64 skip = blocks / ((SQUASHFS_META_ENTRIES + 1)
 		 * SQUASHFS_META_INDEXES);
-	return min(SQUASHFS_CACHED_BLKS - 1, skip + 1);
+	return min((u64) SQUASHFS_CACHED_BLKS - 1, skip + 1);
 }
 
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 101/141] userfaultfd: release page in error path to avoid BUG_ON
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 100/141] squashfs: fix divide error in calculate_skip() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 102/141] mm/hugetlb: fix F_SEAL_FUTURE_WRITE Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Rasmussen, Hugh Dickins,
	Peter Xu, Andrew Morton, Linus Torvalds

From: Axel Rasmussen <axelrasmussen@google.com>

commit 7ed9d238c7dbb1fdb63ad96a6184985151b0171c upstream.

Consider the following sequence of events:

1. Userspace issues a UFFD ioctl, which ends up calling into
   shmem_mfill_atomic_pte(). We successfully account the blocks, we
   shmem_alloc_page(), but then the copy_from_user() fails. We return
   -ENOENT. We don't release the page we allocated.
2. Our caller detects this error code, tries the copy_from_user() after
   dropping the mmap_lock, and retries, calling back into
   shmem_mfill_atomic_pte().
3. Meanwhile, let's say another process filled up the tmpfs being used.
4. So shmem_mfill_atomic_pte() fails to account blocks this time, and
   immediately returns - without releasing the page.

This triggers a BUG_ON in our caller, which asserts that the page
should always be consumed, unless -ENOENT is returned.

To fix this, detect if we have such a "dangling" page when accounting
fails, and if so, release it before returning.

Link: https://lkml.kernel.org/r/20210428230858.348400-1-axelrasmussen@google.com
Fixes: cb658a453b93 ("userfaultfd: shmem: avoid leaking blocks and used blocks in UFFDIO_COPY")
Signed-off-by: Axel Rasmussen <axelrasmussen@google.com>
Reported-by: Hugh Dickins <hughd@google.com>
Acked-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/shmem.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2327,8 +2327,18 @@ static int shmem_mfill_atomic_pte(struct
 	pgoff_t offset, max_off;
 
 	ret = -ENOMEM;
-	if (!shmem_inode_acct_block(inode, 1))
+	if (!shmem_inode_acct_block(inode, 1)) {
+		/*
+		 * We may have got a page, returned -ENOENT triggering a retry,
+		 * and now we find ourselves with -ENOMEM. Release the page, to
+		 * avoid a BUG_ON in our caller.
+		 */
+		if (unlikely(*pagep)) {
+			put_page(*pagep);
+			*pagep = NULL;
+		}
 		goto out;
+	}
 
 	if (!*pagep) {
 		page = shmem_alloc_page(gfp, info, pgoff);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 102/141] mm/hugetlb: fix F_SEAL_FUTURE_WRITE
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 101/141] userfaultfd: release page in error path to avoid BUG_ON Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 103/141] drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Xu, Hugh Dickins, Mike Kravetz,
	Joel Fernandes (Google),
	Andrew Morton, Linus Torvalds

From: Peter Xu <peterx@redhat.com>

commit 22247efd822e6d263f3c8bd327f3f769aea9b1d9 upstream.

Patch series "mm/hugetlb: Fix issues on file sealing and fork", v2.

Hugh reported issue with F_SEAL_FUTURE_WRITE not applied correctly to
hugetlbfs, which I can easily verify using the memfd_test program, which
seems that the program is hardly run with hugetlbfs pages (as by default
shmem).

Meanwhile I found another probably even more severe issue on that hugetlb
fork won't wr-protect child cow pages, so child can potentially write to
parent private pages.  Patch 2 addresses that.

After this series applied, "memfd_test hugetlbfs" should start to pass.

This patch (of 2):

F_SEAL_FUTURE_WRITE is missing for hugetlb starting from the first day.
There is a test program for that and it fails constantly.

$ ./memfd_test hugetlbfs
memfd-hugetlb: CREATE
memfd-hugetlb: BASIC
memfd-hugetlb: SEAL-WRITE
memfd-hugetlb: SEAL-FUTURE-WRITE
mmap() didn't fail as expected
Aborted (core dumped)

I think it's probably because no one is really running the hugetlbfs test.

Fix it by checking FUTURE_WRITE also in hugetlbfs_file_mmap() as what we
do in shmem_mmap().  Generalize a helper for that.

Link: https://lkml.kernel.org/r/20210503234356.9097-1-peterx@redhat.com
Link: https://lkml.kernel.org/r/20210503234356.9097-2-peterx@redhat.com
Fixes: ab3948f58ff84 ("mm/memfd: add an F_SEAL_FUTURE_WRITE seal to memfd")
Signed-off-by: Peter Xu <peterx@redhat.com>
Reported-by: Hugh Dickins <hughd@google.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Joel Fernandes (Google) <joel@joelfernandes.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/hugetlbfs/inode.c |    5 +++++
 include/linux/mm.h   |   32 ++++++++++++++++++++++++++++++++
 mm/shmem.c           |   22 ++++------------------
 3 files changed, 41 insertions(+), 18 deletions(-)

--- a/fs/hugetlbfs/inode.c
+++ b/fs/hugetlbfs/inode.c
@@ -135,6 +135,7 @@ static void huge_pagevec_release(struct
 static int hugetlbfs_file_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	struct inode *inode = file_inode(file);
+	struct hugetlbfs_inode_info *info = HUGETLBFS_I(inode);
 	loff_t len, vma_len;
 	int ret;
 	struct hstate *h = hstate_file(file);
@@ -150,6 +151,10 @@ static int hugetlbfs_file_mmap(struct fi
 	vma->vm_flags |= VM_HUGETLB | VM_DONTEXPAND;
 	vma->vm_ops = &hugetlb_vm_ops;
 
+	ret = seal_check_future_write(info->seals, vma);
+	if (ret)
+		return ret;
+
 	/*
 	 * page based offset in vm_pgoff could be sufficiently large to
 	 * overflow a loff_t when converted to byte offset.  This can
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2925,5 +2925,37 @@ static inline int pages_identical(struct
 	return !memcmp_pages(page1, page2);
 }
 
+/**
+ * seal_check_future_write - Check for F_SEAL_FUTURE_WRITE flag and handle it
+ * @seals: the seals to check
+ * @vma: the vma to operate on
+ *
+ * Check whether F_SEAL_FUTURE_WRITE is set; if so, do proper check/handling on
+ * the vma flags.  Return 0 if check pass, or <0 for errors.
+ */
+static inline int seal_check_future_write(int seals, struct vm_area_struct *vma)
+{
+	if (seals & F_SEAL_FUTURE_WRITE) {
+		/*
+		 * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
+		 * "future write" seal active.
+		 */
+		if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
+			return -EPERM;
+
+		/*
+		 * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
+		 * MAP_SHARED and read-only, take care to not allow mprotect to
+		 * revert protections on such mappings. Do this only for shared
+		 * mappings. For private mappings, don't need to mask
+		 * VM_MAYWRITE as we still want them to be COW-writable.
+		 */
+		if (vma->vm_flags & VM_SHARED)
+			vma->vm_flags &= ~(VM_MAYWRITE);
+	}
+
+	return 0;
+}
+
 #endif /* __KERNEL__ */
 #endif /* _LINUX_MM_H */
--- a/mm/shmem.c
+++ b/mm/shmem.c
@@ -2208,25 +2208,11 @@ out_nomem:
 static int shmem_mmap(struct file *file, struct vm_area_struct *vma)
 {
 	struct shmem_inode_info *info = SHMEM_I(file_inode(file));
+	int ret;
 
-	if (info->seals & F_SEAL_FUTURE_WRITE) {
-		/*
-		 * New PROT_WRITE and MAP_SHARED mmaps are not allowed when
-		 * "future write" seal active.
-		 */
-		if ((vma->vm_flags & VM_SHARED) && (vma->vm_flags & VM_WRITE))
-			return -EPERM;
-
-		/*
-		 * Since an F_SEAL_FUTURE_WRITE sealed memfd can be mapped as
-		 * MAP_SHARED and read-only, take care to not allow mprotect to
-		 * revert protections on such mappings. Do this only for shared
-		 * mappings. For private mappings, don't need to mask
-		 * VM_MAYWRITE as we still want them to be COW-writable.
-		 */
-		if (vma->vm_flags & VM_SHARED)
-			vma->vm_flags &= ~(VM_MAYWRITE);
-	}
+	ret = seal_check_future_write(info->seals, vma);
+	if (ret)
+		return ret;
 
 	file_accessed(file);
 	vma->vm_ops = &shmem_vm_ops;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 103/141] drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 102/141] mm/hugetlb: fix F_SEAL_FUTURE_WRITE Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 104/141] drm/i915: Avoid div-by-zero on gen2 Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Alex Deucher

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

commit 227545b9a08c68778ddd89428f99c351fc9315ac upstream.

Screen flickers rapidly when two 4K 60Hz monitors are in use. This issue
doesn't happen when one monitor is 4K 60Hz (pixelclock 594MHz) and
another one is 4K 30Hz (pixelclock 297MHz).

The issue is gone after setting "power_dpm_force_performance_level" to
"high". Following the indication, we found that the issue occurs when
sclk is too low.

So resolve the issue by disabling sclk switching when there are two
monitors requires high pixelclock (> 297MHz).

v2:
 - Only apply the fix to Oland.
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/radeon/radeon.h    |    1 +
 drivers/gpu/drm/radeon/radeon_pm.c |    8 ++++++++
 drivers/gpu/drm/radeon/si_dpm.c    |    3 +++
 3 files changed, 12 insertions(+)

--- a/drivers/gpu/drm/radeon/radeon.h
+++ b/drivers/gpu/drm/radeon/radeon.h
@@ -1554,6 +1554,7 @@ struct radeon_dpm {
 	void                    *priv;
 	u32			new_active_crtcs;
 	int			new_active_crtc_count;
+	int			high_pixelclock_count;
 	u32			current_active_crtcs;
 	int			current_active_crtc_count;
 	bool single_display;
--- a/drivers/gpu/drm/radeon/radeon_pm.c
+++ b/drivers/gpu/drm/radeon/radeon_pm.c
@@ -1720,6 +1720,7 @@ static void radeon_pm_compute_clocks_dpm
 	struct drm_device *ddev = rdev->ddev;
 	struct drm_crtc *crtc;
 	struct radeon_crtc *radeon_crtc;
+	struct radeon_connector *radeon_connector;
 
 	if (!rdev->pm.dpm_enabled)
 		return;
@@ -1729,6 +1730,7 @@ static void radeon_pm_compute_clocks_dpm
 	/* update active crtc counts */
 	rdev->pm.dpm.new_active_crtcs = 0;
 	rdev->pm.dpm.new_active_crtc_count = 0;
+	rdev->pm.dpm.high_pixelclock_count = 0;
 	if (rdev->num_crtc && rdev->mode_info.mode_config_initialized) {
 		list_for_each_entry(crtc,
 				    &ddev->mode_config.crtc_list, head) {
@@ -1736,6 +1738,12 @@ static void radeon_pm_compute_clocks_dpm
 			if (crtc->enabled) {
 				rdev->pm.dpm.new_active_crtcs |= (1 << radeon_crtc->crtc_id);
 				rdev->pm.dpm.new_active_crtc_count++;
+				if (!radeon_crtc->connector)
+					continue;
+
+				radeon_connector = to_radeon_connector(radeon_crtc->connector);
+				if (radeon_connector->pixelclock_for_modeset > 297000)
+					rdev->pm.dpm.high_pixelclock_count++;
 			}
 		}
 	}
--- a/drivers/gpu/drm/radeon/si_dpm.c
+++ b/drivers/gpu/drm/radeon/si_dpm.c
@@ -3002,6 +3002,9 @@ static void si_apply_state_adjust_rules(
 		    (rdev->pdev->device == 0x6605)) {
 			max_sclk = 75000;
 		}
+
+		if (rdev->pm.dpm.high_pixelclock_count > 1)
+			disable_sclk_switching = true;
 	}
 
 	if (rps->vce_active) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 104/141] drm/i915: Avoid div-by-zero on gen2
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 103/141] drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 105/141] iio: proximity: pulsedlight: Fix rumtime PM imbalance on error Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Wilson, Ville Syrjälä,
	Jani Nikula

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 4819d16d91145966ce03818a95169df1fd56b299 upstream.

Gen2 tiles are 2KiB in size so i915_gem_object_get_tile_row_size()
can in fact return <4KiB, which leads to div-by-zero here.
Avoid that.

Not sure i915_gem_object_get_tile_row_size() is entirely
sane anyway since it doesn't account for the different tile
layouts on i8xx/i915...

I'm not able to hit this before commit 6846895fde05 ("drm/i915:
Replace PIN_NONFAULT with calls to PIN_NOEVICT") and it looks
like I also need to run recent version of Mesa. With those in
place xonotic trips on this quite easily on my 85x.

Cc: stable@vger.kernel.org
Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk>
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210421153401.13847-2-ville.syrjala@linux.intel.com
(cherry picked from commit ed52c62d386f764194e0184fdb905d5f24194cae)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gem/i915_gem_mman.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
@@ -181,7 +181,7 @@ compute_partial_view(const struct drm_i9
 	struct i915_ggtt_view view;
 
 	if (i915_gem_object_is_tiled(obj))
-		chunk = roundup(chunk, tile_row_pages(obj));
+		chunk = roundup(chunk, tile_row_pages(obj) ?: 1);
 
 	view.type = I915_GGTT_VIEW_PARTIAL;
 	view.partial.offset = rounddown(page_offset, chunk);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 105/141] iio: proximity: pulsedlight: Fix rumtime PM imbalance on error
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 104/141] drm/i915: Avoid div-by-zero on gen2 Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 106/141] usb: fotg210-hcd: Fix an error message Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Andy Shevchenko,
	Jonathan Cameron, Sasha Levin

From: Dinghao Liu <dinghao.liu@zju.edu.cn>

[ Upstream commit a2fa9242e89f27696515699fe0f0296bf1ac1815 ]

When lidar_write_control() fails, a pairing PM usage counter
decrement is needed to keep the counter balanced.

Fixes: 4ac4e086fd8c5 ("iio: pulsedlight-lidar-lite: add runtime PM")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210412053204.4889-1-dinghao.liu@zju.edu.cn
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/proximity/pulsedlight-lidar-lite-v2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
index 47af54f14756..67f85268b63d 100644
--- a/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
+++ b/drivers/iio/proximity/pulsedlight-lidar-lite-v2.c
@@ -158,6 +158,7 @@ static int lidar_get_measurement(struct lidar_data *data, u16 *reg)
 	ret = lidar_write_control(data, LIDAR_REG_CONTROL_ACQUIRE);
 	if (ret < 0) {
 		dev_err(&client->dev, "cannot send start measurement command");
+		pm_runtime_put_noidle(&client->dev);
 		return ret;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 106/141] usb: fotg210-hcd: Fix an error message
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 105/141] iio: proximity: pulsedlight: Fix rumtime PM imbalance on error Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 107/141] hwmon: (occ) Fix poll rate limiting Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit a60a34366e0d09ca002c966dd7c43a68c28b1f82 ]

'retval' is known to be -ENODEV here.
This is a hard-coded default error code which is not useful in the error
message. Moreover, another error message is printed at the end of the
error handling path. The corresponding error code (-ENOMEM) is more
informative.

So remove simplify the first error message.

While at it, also remove the useless initialization of 'retval'.

Fixes: 7d50195f6c50 ("usb: host: Faraday fotg210-hcd driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/94531bcff98e46d4f9c20183a90b7f47f699126c.1620333419.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/host/fotg210-hcd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/usb/host/fotg210-hcd.c b/drivers/usb/host/fotg210-hcd.c
index 9e0c98d6bdb0..c3f74d6674e1 100644
--- a/drivers/usb/host/fotg210-hcd.c
+++ b/drivers/usb/host/fotg210-hcd.c
@@ -5571,7 +5571,7 @@ static int fotg210_hcd_probe(struct platform_device *pdev)
 	struct usb_hcd *hcd;
 	struct resource *res;
 	int irq;
-	int retval = -ENODEV;
+	int retval;
 	struct fotg210_hcd *fotg210;
 
 	if (usb_disabled())
@@ -5591,7 +5591,7 @@ static int fotg210_hcd_probe(struct platform_device *pdev)
 	hcd = usb_create_hcd(&fotg210_fotg210_hc_driver, dev,
 			dev_name(dev));
 	if (!hcd) {
-		dev_err(dev, "failed to create hcd with err %d\n", retval);
+		dev_err(dev, "failed to create hcd\n");
 		retval = -ENOMEM;
 		goto fail_create_hcd;
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 107/141] hwmon: (occ) Fix poll rate limiting
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 106/141] usb: fotg210-hcd: Fix an error message Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 108/141] ACPI: scan: Fix a memory leak in an error handling path Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eddie James, Guenter Roeck, Sasha Levin

From: Eddie James <eajames@linux.ibm.com>

[ Upstream commit 5216dff22dc2bbbbe6f00335f9fd2879670e753b ]

The poll rate limiter time was initialized at zero. This breaks the
comparison in time_after if jiffies is large. Switch to storing the
next update time rather than the previous time, and initialize the
time when the device is probed.

Fixes: c10e753d43eb ("hwmon (occ): Add sensor types and versions")
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Link: https://lore.kernel.org/r/20210429151336.18980-1-eajames@linux.ibm.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/occ/common.c | 5 +++--
 drivers/hwmon/occ/common.h | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/hwmon/occ/common.c b/drivers/hwmon/occ/common.c
index 30e18eb60da7..0b689ccbb793 100644
--- a/drivers/hwmon/occ/common.c
+++ b/drivers/hwmon/occ/common.c
@@ -209,9 +209,9 @@ int occ_update_response(struct occ *occ)
 		return rc;
 
 	/* limit the maximum rate of polling the OCC */
-	if (time_after(jiffies, occ->last_update + OCC_UPDATE_FREQUENCY)) {
+	if (time_after(jiffies, occ->next_update)) {
 		rc = occ_poll(occ);
-		occ->last_update = jiffies;
+		occ->next_update = jiffies + OCC_UPDATE_FREQUENCY;
 	} else {
 		rc = occ->last_error;
 	}
@@ -1089,6 +1089,7 @@ int occ_setup(struct occ *occ, const char *name)
 		return rc;
 	}
 
+	occ->next_update = jiffies + OCC_UPDATE_FREQUENCY;
 	occ_parse_poll_response(occ);
 
 	rc = occ_setup_sensor_attrs(occ);
diff --git a/drivers/hwmon/occ/common.h b/drivers/hwmon/occ/common.h
index 67e6968b8978..e6df719770e8 100644
--- a/drivers/hwmon/occ/common.h
+++ b/drivers/hwmon/occ/common.h
@@ -99,7 +99,7 @@ struct occ {
 	u8 poll_cmd_data;		/* to perform OCC poll command */
 	int (*send_cmd)(struct occ *occ, u8 *cmd);
 
-	unsigned long last_update;
+	unsigned long next_update;
 	struct mutex lock;		/* lock OCC access */
 
 	struct device *hwmon;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 108/141] ACPI: scan: Fix a memory leak in an error handling path
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 107/141] hwmon: (occ) Fix poll rate limiting Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 109/141] kyber: fix out of bounds access when preempted Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Andy Shevchenko,
	Rafael J. Wysocki, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 0c8bd174f0fc131bc9dfab35cd8784f59045da87 ]

If 'acpi_device_set_name()' fails, we must free
'acpi_device_bus_id->bus_id' or there is a (potential) memory leak.

Fixes: eb50aaf960e3 ("ACPI: scan: Use unique number for instance_no")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/scan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/scan.c b/drivers/acpi/scan.c
index dbb5919f23e2..95d119ff76b6 100644
--- a/drivers/acpi/scan.c
+++ b/drivers/acpi/scan.c
@@ -706,6 +706,7 @@ int acpi_device_add(struct acpi_device *device,
 
 		result = acpi_device_set_name(device, acpi_device_bus_id);
 		if (result) {
+			kfree_const(acpi_device_bus_id->bus_id);
 			kfree(acpi_device_bus_id);
 			goto err_unlock;
 		}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 109/141] kyber: fix out of bounds access when preempted
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 108/141] ACPI: scan: Fix a memory leak in an error handling path Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 110/141] nbd: Fix NULL pointer in flush_workqueue Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Omar Sandoval,
	Jens Axboe, Sasha Levin

From: Omar Sandoval <osandov@fb.com>

[ Upstream commit efed9a3337e341bd0989161b97453b52567bc59d ]

__blk_mq_sched_bio_merge() gets the ctx and hctx for the current CPU and
passes the hctx to ->bio_merge(). kyber_bio_merge() then gets the ctx
for the current CPU again and uses that to get the corresponding Kyber
context in the passed hctx. However, the thread may be preempted between
the two calls to blk_mq_get_ctx(), and the ctx returned the second time
may no longer correspond to the passed hctx. This "works" accidentally
most of the time, but it can cause us to read garbage if the second ctx
came from an hctx with more ctx's than the first one (i.e., if
ctx->index_hw[hctx->type] > hctx->nr_ctx).

This manifested as this UBSAN array index out of bounds error reported
by Jakub:

UBSAN: array-index-out-of-bounds in ../kernel/locking/qspinlock.c:130:9
index 13106 is out of range for type 'long unsigned int [128]'
Call Trace:
 dump_stack+0xa4/0xe5
 ubsan_epilogue+0x5/0x40
 __ubsan_handle_out_of_bounds.cold.13+0x2a/0x34
 queued_spin_lock_slowpath+0x476/0x480
 do_raw_spin_lock+0x1c2/0x1d0
 kyber_bio_merge+0x112/0x180
 blk_mq_submit_bio+0x1f5/0x1100
 submit_bio_noacct+0x7b0/0x870
 submit_bio+0xc2/0x3a0
 btrfs_map_bio+0x4f0/0x9d0
 btrfs_submit_data_bio+0x24e/0x310
 submit_one_bio+0x7f/0xb0
 submit_extent_page+0xc4/0x440
 __extent_writepage_io+0x2b8/0x5e0
 __extent_writepage+0x28d/0x6e0
 extent_write_cache_pages+0x4d7/0x7a0
 extent_writepages+0xa2/0x110
 do_writepages+0x8f/0x180
 __writeback_single_inode+0x99/0x7f0
 writeback_sb_inodes+0x34e/0x790
 __writeback_inodes_wb+0x9e/0x120
 wb_writeback+0x4d2/0x660
 wb_workfn+0x64d/0xa10
 process_one_work+0x53a/0xa80
 worker_thread+0x69/0x5b0
 kthread+0x20b/0x240
 ret_from_fork+0x1f/0x30

Only Kyber uses the hctx, so fix it by passing the request_queue to
->bio_merge() instead. BFQ and mq-deadline just use that, and Kyber can
map the queues itself to avoid the mismatch.

Fixes: a6088845c2bf ("block: kyber: make kyber more friendly with merging")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Omar Sandoval <osandov@fb.com>
Link: https://lore.kernel.org/r/c7598605401a48d5cfeadebb678abd10af22b83f.1620691329.git.osandov@fb.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/bfq-iosched.c      | 3 +--
 block/blk-mq-sched.c     | 8 +++++---
 block/kyber-iosched.c    | 5 +++--
 block/mq-deadline.c      | 3 +--
 include/linux/elevator.h | 2 +-
 5 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
index c19006d59b79..136232a01f71 100644
--- a/block/bfq-iosched.c
+++ b/block/bfq-iosched.c
@@ -2210,10 +2210,9 @@ static void bfq_remove_request(struct request_queue *q,
 
 }
 
-static bool bfq_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio,
+static bool bfq_bio_merge(struct request_queue *q, struct bio *bio,
 		unsigned int nr_segs)
 {
-	struct request_queue *q = hctx->queue;
 	struct bfq_data *bfqd = q->elevator->elevator_data;
 	struct request *free = NULL;
 	/*
diff --git a/block/blk-mq-sched.c b/block/blk-mq-sched.c
index 7620734d5542..f422c7feea7e 100644
--- a/block/blk-mq-sched.c
+++ b/block/blk-mq-sched.c
@@ -334,14 +334,16 @@ bool __blk_mq_sched_bio_merge(struct request_queue *q, struct bio *bio,
 		unsigned int nr_segs)
 {
 	struct elevator_queue *e = q->elevator;
-	struct blk_mq_ctx *ctx = blk_mq_get_ctx(q);
-	struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, bio->bi_opf, ctx);
+	struct blk_mq_ctx *ctx;
+	struct blk_mq_hw_ctx *hctx;
 	bool ret = false;
 	enum hctx_type type;
 
 	if (e && e->type->ops.bio_merge)
-		return e->type->ops.bio_merge(hctx, bio, nr_segs);
+		return e->type->ops.bio_merge(q, bio, nr_segs);
 
+	ctx = blk_mq_get_ctx(q);
+	hctx = blk_mq_map_queue(q, bio->bi_opf, ctx);
 	type = hctx->type;
 	if ((hctx->flags & BLK_MQ_F_SHOULD_MERGE) &&
 			!list_empty_careful(&ctx->rq_lists[type])) {
diff --git a/block/kyber-iosched.c b/block/kyber-iosched.c
index 34dcea0ef637..77a0fcebdc77 100644
--- a/block/kyber-iosched.c
+++ b/block/kyber-iosched.c
@@ -562,11 +562,12 @@ static void kyber_limit_depth(unsigned int op, struct blk_mq_alloc_data *data)
 	}
 }
 
-static bool kyber_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio,
+static bool kyber_bio_merge(struct request_queue *q, struct bio *bio,
 		unsigned int nr_segs)
 {
+	struct blk_mq_ctx *ctx = blk_mq_get_ctx(q);
+	struct blk_mq_hw_ctx *hctx = blk_mq_map_queue(q, bio->bi_opf, ctx);
 	struct kyber_hctx_data *khd = hctx->sched_data;
-	struct blk_mq_ctx *ctx = blk_mq_get_ctx(hctx->queue);
 	struct kyber_ctx_queue *kcq = &khd->kcqs[ctx->index_hw[hctx->type]];
 	unsigned int sched_domain = kyber_sched_domain(bio->bi_opf);
 	struct list_head *rq_list = &kcq->rq_list[sched_domain];
diff --git a/block/mq-deadline.c b/block/mq-deadline.c
index b490f47fd553..19c6922e85f1 100644
--- a/block/mq-deadline.c
+++ b/block/mq-deadline.c
@@ -459,10 +459,9 @@ static int dd_request_merge(struct request_queue *q, struct request **rq,
 	return ELEVATOR_NO_MERGE;
 }
 
-static bool dd_bio_merge(struct blk_mq_hw_ctx *hctx, struct bio *bio,
+static bool dd_bio_merge(struct request_queue *q, struct bio *bio,
 		unsigned int nr_segs)
 {
-	struct request_queue *q = hctx->queue;
 	struct deadline_data *dd = q->elevator->elevator_data;
 	struct request *free = NULL;
 	bool ret;
diff --git a/include/linux/elevator.h b/include/linux/elevator.h
index 901bda352dcb..7b4d5face204 100644
--- a/include/linux/elevator.h
+++ b/include/linux/elevator.h
@@ -34,7 +34,7 @@ struct elevator_mq_ops {
 	void (*depth_updated)(struct blk_mq_hw_ctx *);
 
 	bool (*allow_merge)(struct request_queue *, struct request *, struct bio *);
-	bool (*bio_merge)(struct blk_mq_hw_ctx *, struct bio *, unsigned int);
+	bool (*bio_merge)(struct request_queue *, struct bio *, unsigned int);
 	int (*request_merge)(struct request_queue *q, struct request **, struct bio *);
 	void (*request_merged)(struct request_queue *, struct request *, enum elv_merge);
 	void (*requests_merged)(struct request_queue *, struct request *, struct request *);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 110/141] nbd: Fix NULL pointer in flush_workqueue
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 109/141] kyber: fix out of bounds access when preempted Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 111/141] blk-mq: Swap two calls in blk_mq_exit_queue() Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sun Ke, Josef Bacik, Jens Axboe, Sasha Levin

From: Sun Ke <sunke32@huawei.com>

[ Upstream commit 79ebe9110fa458d58f1fceb078e2068d7ad37390 ]

Open /dev/nbdX first, the config_refs will be 1 and
the pointers in nbd_device are still null. Disconnect
/dev/nbdX, then reference a null recv_workq. The
protection by config_refs in nbd_genl_disconnect is useless.

[  656.366194] BUG: kernel NULL pointer dereference, address: 0000000000000020
[  656.368943] #PF: supervisor write access in kernel mode
[  656.369844] #PF: error_code(0x0002) - not-present page
[  656.370717] PGD 10cc87067 P4D 10cc87067 PUD 1074b4067 PMD 0
[  656.371693] Oops: 0002 [#1] SMP
[  656.372242] CPU: 5 PID: 7977 Comm: nbd-client Not tainted 5.11.0-rc5-00040-g76c057c84d28 #1
[  656.373661] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20190727_073836-buildvm-ppc64le-16.ppc.fedoraproject.org-3.fc31 04/01/2014
[  656.375904] RIP: 0010:mutex_lock+0x29/0x60
[  656.376627] Code: 00 0f 1f 44 00 00 55 48 89 fd 48 83 05 6f d7 fe 08 01 e8 7a c3 ff ff 48 83 05 6a d7 fe 08 01 31 c0 65 48 8b 14 25 00 6d 01 00 <f0> 48 0f b1 55 d
[  656.378934] RSP: 0018:ffffc900005eb9b0 EFLAGS: 00010246
[  656.379350] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[  656.379915] RDX: ffff888104cf2600 RSI: ffffffffaae8f452 RDI: 0000000000000020
[  656.380473] RBP: 0000000000000020 R08: 0000000000000000 R09: ffff88813bd6b318
[  656.381039] R10: 00000000000000c7 R11: fefefefefefefeff R12: ffff888102710b40
[  656.381599] R13: ffffc900005eb9e0 R14: ffffffffb2930680 R15: ffff88810770ef00
[  656.382166] FS:  00007fdf117ebb40(0000) GS:ffff88813bd40000(0000) knlGS:0000000000000000
[  656.382806] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  656.383261] CR2: 0000000000000020 CR3: 0000000100c84000 CR4: 00000000000006e0
[  656.383819] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  656.384370] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  656.384927] Call Trace:
[  656.385111]  flush_workqueue+0x92/0x6c0
[  656.385395]  nbd_disconnect_and_put+0x81/0xd0
[  656.385716]  nbd_genl_disconnect+0x125/0x2a0
[  656.386034]  genl_family_rcv_msg_doit.isra.0+0x102/0x1b0
[  656.386422]  genl_rcv_msg+0xfc/0x2b0
[  656.386685]  ? nbd_ioctl+0x490/0x490
[  656.386954]  ? genl_family_rcv_msg_doit.isra.0+0x1b0/0x1b0
[  656.387354]  netlink_rcv_skb+0x62/0x180
[  656.387638]  genl_rcv+0x34/0x60
[  656.387874]  netlink_unicast+0x26d/0x590
[  656.388162]  netlink_sendmsg+0x398/0x6c0
[  656.388451]  ? netlink_rcv_skb+0x180/0x180
[  656.388750]  ____sys_sendmsg+0x1da/0x320
[  656.389038]  ? ____sys_recvmsg+0x130/0x220
[  656.389334]  ___sys_sendmsg+0x8e/0xf0
[  656.389605]  ? ___sys_recvmsg+0xa2/0xf0
[  656.389889]  ? handle_mm_fault+0x1671/0x21d0
[  656.390201]  __sys_sendmsg+0x6d/0xe0
[  656.390464]  __x64_sys_sendmsg+0x23/0x30
[  656.390751]  do_syscall_64+0x45/0x70
[  656.391017]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

To fix it, just add if (nbd->recv_workq) to nbd_disconnect_and_put().

Fixes: e9e006f5fcf2 ("nbd: fix max number of supported devs")
Signed-off-by: Sun Ke <sunke32@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20210512114331.1233964-2-sunke32@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/nbd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index e11fddcb73b9..839364371f9a 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -2016,7 +2016,8 @@ static void nbd_disconnect_and_put(struct nbd_device *nbd)
 	 * config ref and try to destroy the workqueue from inside the work
 	 * queue.
 	 */
-	flush_workqueue(nbd->recv_workq);
+	if (nbd->recv_workq)
+		flush_workqueue(nbd->recv_workq);
 	if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
 			       &nbd->config->runtime_flags))
 		nbd_config_put(nbd);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 153+ messages in thread

* [PATCH 5.4 111/141] blk-mq: Swap two calls in blk_mq_exit_queue()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 110/141] nbd: Fix NULL pointer in flush_workqueue Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 112/141] iomap: fix sub-page uptodate handling Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christoph Hellwig, Ming Lei,
	Hannes Reinecke, Bart Van Assche, Jens Axboe, Sasha Levin

From: Bart Van Assche <bvanassche@acm.org>

[ Upstream commit 630ef623ed26c18a457cdc070cf24014e50129c2 ]

If a tag set is shared across request queues (e.g. SCSI LUNs) then the
block layer core keeps track of the number of active request queues in
tags->active_queues. blk_mq_tag_busy() and blk_mq_tag_idle() update that
atomic counter if the hctx flag BLK_MQ_F_TAG_QUEUE_SHARED is set. Make
sure that blk_mq_exit_queue() calls blk_mq_tag_idle() before that flag is
cleared by blk_mq_del_queue_tag_set().

Cc: Christoph Hellwig <hch@infradead.org>
Cc: Ming Lei <ming.lei@redhat.com>
Cc: Hannes Reinecke <hare@suse.com>
Fixes: 0d2602ca30e4 ("blk-mq: improve support for shared tags maps")
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210513171529.7977-1-bvanassche@acm.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 block/blk-mq.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -2970,10 +2970,12 @@ EXPORT_SYMBOL(blk_mq_init_allocated_queu
 /* tags can _not_ be used after returning from blk_mq_exit_queue */
 void blk_mq_exit_queue(struct request_queue *q)
 {
-	struct blk_mq_tag_set	*set = q->tag_set;
+	struct blk_mq_tag_set *set = q->tag_set;
 
-	blk_mq_del_queue_tag_set(q);
+	/* Checks hctx->flags & BLK_MQ_F_TAG_QUEUE_SHARED. */
 	blk_mq_exit_hw_queues(q, set, set->nr_hw_queues);
+	/* May clear BLK_MQ_F_TAG_QUEUE_SHARED in hctx->flags. */
+	blk_mq_del_queue_tag_set(q);
 }
 
 static int __blk_mq_alloc_rq_maps(struct blk_mq_tag_set *set)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 112/141] iomap: fix sub-page uptodate handling
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 111/141] blk-mq: Swap two calls in blk_mq_exit_queue() Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 113/141] usb: dwc3: omap: improve extcon initialization Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Stancek, Christoph Hellwig,
	Dave Chinner, Darrick J. Wong, Matthew Wilcox (Oracle)

From: Christoph Hellwig <hch@lst.de>

commit 1cea335d1db1ce6ab71b3d2f94a807112b738a0f upstream.

bio completions can race when a page spans more than one file system
block.  Add a spinlock to synchronize marking the page uptodate.

Fixes: 9dc55f1389f9 ("iomap: add support for sub-pagesize buffered I/O without buffer heads")
Reported-by: Jan Stancek <jstancek@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/iomap/buffered-io.c |   34 ++++++++++++++++++++++++----------
 include/linux/iomap.h  |    1 +
 2 files changed, 25 insertions(+), 10 deletions(-)

--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -30,6 +30,7 @@ iomap_page_create(struct inode *inode, s
 	iop = kmalloc(sizeof(*iop), GFP_NOFS | __GFP_NOFAIL);
 	atomic_set(&iop->read_count, 0);
 	atomic_set(&iop->write_count, 0);
+	spin_lock_init(&iop->uptodate_lock);
 	bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
 
 	/*
@@ -118,25 +119,38 @@ iomap_adjust_read_range(struct inode *in
 }
 
 static void
-iomap_set_range_uptodate(struct page *page, unsigned off, unsigned len)
+iomap_iop_set_range_uptodate(struct page *page, unsigned off, unsigned len)
 {
 	struct iomap_page *iop = to_iomap_page(page);
 	struct inode *inode = page->mapping->host;
 	unsigned first = off >> inode->i_blkbits;
 	unsigned last = (off + len - 1) >> inode->i_blkbits;
-	unsigned int i;
 	bool uptodate = true;
+	unsigned long flags;
+	unsigned int i;
 
-	if (iop) {
-		for (i = 0; i < PAGE_SIZE / i_blocksize(inode); i++) {
-			if (i >= first && i <= last)
-				set_bit(i, iop->uptodate);
-			else if (!test_bit(i, iop->uptodate))
-				uptodate = false;
-		}
+	spin_lock_irqsave(&iop->uptodate_lock, flags);
+	for (i = 0; i < PAGE_SIZE / i_blocksize(inode); i++) {
+		if (i >= first && i <= last)
+			set_bit(i, iop->uptodate);
+		else if (!test_bit(i, iop->uptodate))
+			uptodate = false;
 	}
 
-	if (uptodate && !PageError(page))
+	if (uptodate)
+		SetPageUptodate(page);
+	spin_unlock_irqrestore(&iop->uptodate_lock, flags);
+}
+
+static void
+iomap_set_range_uptodate(struct page *page, unsigned off, unsigned len)
+{
+	if (PageError(page))
+		return;
+
+	if (page_has_private(page))
+		iomap_iop_set_range_uptodate(page, off, len);
+	else
 		SetPageUptodate(page);
 }
 
--- a/include/linux/iomap.h
+++ b/include/linux/iomap.h
@@ -139,6 +139,7 @@ loff_t iomap_apply(struct inode *inode,
 struct iomap_page {
 	atomic_t		read_count;
 	atomic_t		write_count;
+	spinlock_t		uptodate_lock;
 	DECLARE_BITMAP(uptodate, PAGE_SIZE / 512);
 };
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 113/141] usb: dwc3: omap: improve extcon initialization
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 112/141] iomap: fix sub-page uptodate handling Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 114/141] usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marcel Hamer

From: Marcel Hamer <marcel@solidxs.se>

commit e17b02d4970913233d543c79c9c66e72cac05bdd upstream.

When extcon is used in combination with dwc3, it is assumed that the dwc3
registers are untouched and as such are only configured if VBUS is valid
or ID is tied to ground.

In case VBUS is not valid or ID is floating, the registers are not
configured as such during driver initialization, causing a wrong
default state during boot.

If the registers are not in a default state, because they are for
instance touched by a boot loader, this can cause for a kernel error.

Signed-off-by: Marcel Hamer <marcel@solidxs.se>
Link: https://lore.kernel.org/r/20210427122118.1948340-1-marcel@solidxs.se
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-omap.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/dwc3/dwc3-omap.c
+++ b/drivers/usb/dwc3/dwc3-omap.c
@@ -437,8 +437,13 @@ static int dwc3_omap_extcon_register(str
 
 		if (extcon_get_state(edev, EXTCON_USB) == true)
 			dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_VALID);
+		else
+			dwc3_omap_set_mailbox(omap, OMAP_DWC3_VBUS_OFF);
+
 		if (extcon_get_state(edev, EXTCON_USB_HOST) == true)
 			dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_GROUND);
+		else
+			dwc3_omap_set_mailbox(omap, OMAP_DWC3_ID_FLOAT);
 
 		omap->edev = edev;
 	}



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 114/141] usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 113/141] usb: dwc3: omap: improve extcon initialization Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 115/141] usb: xhci: Increase timeout for HC halt Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Ferry Toth

From: Ferry Toth <ftoth@exalondelft.nl>

commit 04357fafea9c7ed34525eb9680c760245c3bb958 upstream.

On Intel Merrifield LPM is causing host to reset port after a timeout.
By disabling LPM entirely this is prevented.

Fixes: 066c09593454 ("usb: dwc3: pci: Enable extcon driver for Intel Merrifield")
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Ferry Toth <ftoth@exalondelft.nl>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210425150947.5862-1-ftoth@exalondelft.nl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/dwc3-pci.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/usb/dwc3/dwc3-pci.c
+++ b/drivers/usb/dwc3/dwc3-pci.c
@@ -138,6 +138,7 @@ static const struct property_entry dwc3_
 	PROPERTY_ENTRY_BOOL("snps,disable_scramble_quirk"),
 	PROPERTY_ENTRY_BOOL("snps,dis_u3_susphy_quirk"),
 	PROPERTY_ENTRY_BOOL("snps,dis_u2_susphy_quirk"),
+	PROPERTY_ENTRY_BOOL("snps,usb2-gadget-lpm-disable"),
 	PROPERTY_ENTRY_BOOL("linux,sysdev_is_parent"),
 	{}
 };



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 115/141] usb: xhci: Increase timeout for HC halt
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 114/141] usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 116/141] usb: dwc2: Fix gadget DMA unmap direction Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maximilian Luz, Mathias Nyman

From: Maximilian Luz <luzmaximilian@gmail.com>

commit ca09b1bea63ab83f4cca3a2ae8bc4f597ec28851 upstream.

On some devices (specifically the SC8180x based Surface Pro X with
QCOM04A6) HC halt / xhci_halt() times out during boot. Manually binding
the xhci-hcd driver at some point later does not exhibit this behavior.
To work around this, double XHCI_MAX_HALT_USEC, which also resolves this
issue.

Cc: <stable@vger.kernel.org>
Signed-off-by: Maximilian Luz <luzmaximilian@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210512080816.866037-5-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-ext-caps.h |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/usb/host/xhci-ext-caps.h
+++ b/drivers/usb/host/xhci-ext-caps.h
@@ -7,8 +7,9 @@
  * Author: Sarah Sharp
  * Some code borrowed from the Linux EHCI driver.
  */
-/* Up to 16 ms to halt an HC */
-#define XHCI_MAX_HALT_USEC	(16*1000)
+
+/* HC should halt within 16 ms, but use 32 ms as some hosts take longer */
+#define XHCI_MAX_HALT_USEC	(32 * 1000)
 /* HC not running - set to 1 when run/stop bit is cleared. */
 #define XHCI_STS_HALT		(1<<0)
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 116/141] usb: dwc2: Fix gadget DMA unmap direction
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 115/141] usb: xhci: Increase timeout for HC halt Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 117/141] usb: core: hub: fix race condition about TRSMRCY of resume Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Minas Harutyunyan, Phil Elwell

From: Phil Elwell <phil@raspberrypi.com>

commit 75a41ce46bae6cbe7d3bb2584eb844291d642874 upstream.

The dwc2 gadget support maps and unmaps DMA buffers as necessary. When
mapping and unmapping it uses the direction of the endpoint to select
the direction of the DMA transfer, but this fails for Control OUT
transfers because the unmap occurs after the endpoint direction has
been reversed for the status phase.

A possible solution would be to unmap the buffer before the direction
is changed, but a safer, less invasive fix is to remember the buffer
direction independently of the endpoint direction.

Fixes: fe0b94abcdf6 ("usb: dwc2: gadget: manage ep0 state in software")
Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Link: https://lore.kernel.org/r/20210506112200.2893922-1-phil@raspberrypi.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc2/core.h   |    2 ++
 drivers/usb/dwc2/gadget.c |    3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc2/core.h
+++ b/drivers/usb/dwc2/core.h
@@ -112,6 +112,7 @@ struct dwc2_hsotg_req;
  * @debugfs: File entry for debugfs file for this endpoint.
  * @dir_in: Set to true if this endpoint is of the IN direction, which
  *          means that it is sending data to the Host.
+ * @map_dir: Set to the value of dir_in when the DMA buffer is mapped.
  * @index: The index for the endpoint registers.
  * @mc: Multi Count - number of transactions per microframe
  * @interval: Interval for periodic endpoints, in frames or microframes.
@@ -161,6 +162,7 @@ struct dwc2_hsotg_ep {
 	unsigned short		fifo_index;
 
 	unsigned char           dir_in;
+	unsigned char           map_dir;
 	unsigned char           index;
 	unsigned char           mc;
 	u16                     interval;
--- a/drivers/usb/dwc2/gadget.c
+++ b/drivers/usb/dwc2/gadget.c
@@ -421,7 +421,7 @@ static void dwc2_hsotg_unmap_dma(struct
 {
 	struct usb_request *req = &hs_req->req;
 
-	usb_gadget_unmap_request(&hsotg->gadget, req, hs_ep->dir_in);
+	usb_gadget_unmap_request(&hsotg->gadget, req, hs_ep->map_dir);
 }
 
 /*
@@ -1242,6 +1242,7 @@ static int dwc2_hsotg_map_dma(struct dwc
 {
 	int ret;
 
+	hs_ep->map_dir = hs_ep->dir_in;
 	ret = usb_gadget_map_request(&hsotg->gadget, req, hs_ep->dir_in);
 	if (ret)
 		goto dma_error;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 117/141] usb: core: hub: fix race condition about TRSMRCY of resume
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 116/141] usb: dwc2: Fix gadget DMA unmap direction Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 118/141] usb: dwc3: gadget: Return success always for kick transfer in ep queue Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tianping Fang, Alan Stern, Chunfeng Yun

From: Chunfeng Yun <chunfeng.yun@mediatek.com>

commit 975f94c7d6c306b833628baa9aec3f79db1eb3a1 upstream.

This may happen if the port becomes resume status exactly
when usb_port_resume() gets port status, it still need provide
a TRSMCRY time before access the device.

CC: <stable@vger.kernel.org>
Reported-by: Tianping Fang <tianping.fang@mediatek.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Link: https://lore.kernel.org/r/20210512020738.52961-1-chunfeng.yun@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/hub.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/core/hub.c
+++ b/drivers/usb/core/hub.c
@@ -3574,9 +3574,6 @@ int usb_port_resume(struct usb_device *u
 		 * sequence.
 		 */
 		status = hub_port_status(hub, port1, &portstatus, &portchange);
-
-		/* TRSMRCY = 10 msec */
-		msleep(10);
 	}
 
  SuspendCleared:
@@ -3591,6 +3588,9 @@ int usb_port_resume(struct usb_device *u
 				usb_clear_port_feature(hub->hdev, port1,
 						USB_PORT_FEAT_C_SUSPEND);
 		}
+
+		/* TRSMRCY = 10 msec */
+		msleep(10);
 	}
 
 	if (udev->persist_enabled)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 118/141] usb: dwc3: gadget: Return success always for kick transfer in ep queue
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 117/141] usb: core: hub: fix race condition about TRSMRCY of resume Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 119/141] xhci: Do not use GFP_KERNEL in (potentially) atomic context Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wesley Cheng

From: Wesley Cheng <wcheng@codeaurora.org>

commit 18ffa988dbae69cc6e9949cddd9606f6fe533894 upstream.

If an error is received when issuing a start or update transfer
command, the error handler will stop all active requests (including
the current USB request), and call dwc3_gadget_giveback() to notify
function drivers of the requests which have been stopped.  Avoid
returning an error for kick transfer during EP queue, to remove
duplicate cleanup operations on the request being queued.

Fixes: 8d99087c2db8 ("usb: dwc3: gadget: Properly handle failed kick_transfer")
cc: stable@vger.kernel.org
Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
Link: https://lore.kernel.org/r/1620410119-24971-1-git-send-email-wcheng@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/gadget.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/dwc3/gadget.c
+++ b/drivers/usb/dwc3/gadget.c
@@ -1566,7 +1566,9 @@ static int __dwc3_gadget_ep_queue(struct
 		}
 	}
 
-	return __dwc3_gadget_kick_transfer(dep);
+	__dwc3_gadget_kick_transfer(dep);
+
+	return 0;
 }
 
 static int dwc3_gadget_ep_queue(struct usb_ep *ep, struct usb_request *request,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 119/141] xhci: Do not use GFP_KERNEL in (potentially) atomic context
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 118/141] usb: dwc3: gadget: Return success always for kick transfer in ep queue Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 120/141] xhci: Add reset resume quirk for AMD xhci controller Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Mathias Nyman

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit dda32c00c9a0fa103b5d54ef72c477b7aa993679 upstream.

'xhci_urb_enqueue()' is passed a 'mem_flags' argument, because "URBs may be
submitted in interrupt context" (see comment related to 'usb_submit_urb()'
in 'drivers/usb/core/urb.c')

So this flag should be used in all the calling chain.
Up to now, 'xhci_check_maxpacket()' which is only called from
'xhci_urb_enqueue()', uses GFP_KERNEL.

Be safe and pass the mem_flags to this function as well.

Fixes: ddba5cd0aeff ("xhci: Use command structures when queuing commands on the command ring")
Cc: <stable@vger.kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210512080816.866037-4-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/host/xhci.c
+++ b/drivers/usb/host/xhci.c
@@ -1397,7 +1397,7 @@ static int xhci_configure_endpoint(struc
  * we need to issue an evaluate context command and wait on it.
  */
 static int xhci_check_maxpacket(struct xhci_hcd *xhci, unsigned int slot_id,
-		unsigned int ep_index, struct urb *urb)
+		unsigned int ep_index, struct urb *urb, gfp_t mem_flags)
 {
 	struct xhci_container_ctx *out_ctx;
 	struct xhci_input_control_ctx *ctrl_ctx;
@@ -1428,7 +1428,7 @@ static int xhci_check_maxpacket(struct x
 		 * changes max packet sizes.
 		 */
 
-		command = xhci_alloc_command(xhci, true, GFP_KERNEL);
+		command = xhci_alloc_command(xhci, true, mem_flags);
 		if (!command)
 			return -ENOMEM;
 
@@ -1524,7 +1524,7 @@ static int xhci_urb_enqueue(struct usb_h
 		 */
 		if (urb->dev->speed == USB_SPEED_FULL) {
 			ret = xhci_check_maxpacket(xhci, slot_id,
-					ep_index, urb);
+					ep_index, urb, mem_flags);
 			if (ret < 0) {
 				xhci_urb_free_priv(urb_priv);
 				urb->hcpriv = NULL;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 120/141] xhci: Add reset resume quirk for AMD xhci controller.
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 119/141] xhci: Do not use GFP_KERNEL in (potentially) atomic context Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 121/141] iio: gyro: mpu3050: Fix reported temperature value Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sandeep Singh, Mathias Nyman

From: Sandeep Singh <sandeep.singh@amd.com>

commit 3c128781d8da463761495aaf8898c9ecb4e71528 upstream.

One of AMD xhci controller require reset on resume.
Occasionally AMD xhci controller does not respond to
Stop endpoint command.
Once the issue happens controller goes into bad state
and in that case controller needs to be reset.

Cc: <stable@vger.kernel.org>
Signed-off-by: Sandeep Singh <sandeep.singh@amd.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20210512080816.866037-6-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -153,8 +153,10 @@ static void xhci_pci_quirks(struct devic
 	    (pdev->device == 0x15e0 || pdev->device == 0x15e1))
 		xhci->quirks |= XHCI_SNPS_BROKEN_SUSPEND;
 
-	if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5)
+	if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5) {
 		xhci->quirks |= XHCI_DISABLE_SPARSE;
+		xhci->quirks |= XHCI_RESET_ON_RESUME;
+	}
 
 	if (pdev->vendor == PCI_VENDOR_ID_AMD)
 		xhci->quirks |= XHCI_TRUST_TX_LENGTH;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 121/141] iio: gyro: mpu3050: Fix reported temperature value
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 120/141] xhci: Add reset resume quirk for AMD xhci controller Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 122/141] iio: tsl2583: Fix division by a zero lux_val Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Svyatoslav Ryhel, Andy Shevchenko,
	Linus Walleij, Dmitry Osipenko, Jean-Baptiste Maneyrol,
	Jonathan Cameron, Maxim Schwalm

From: Dmitry Osipenko <digetx@gmail.com>

commit f73c730774d88a14d7b60feee6d0e13570f99499 upstream.

The raw temperature value is a 16-bit signed integer. The sign casting
is missing in the code, which results in a wrong temperature reported
by userspace tools, fix it.

Cc: stable@vger.kernel.org
Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
Datasheet: https://www.cdiweb.com/datasheets/invensense/mpu-3000a.pdf
Tested-by: Maxim Schwalm <maxim.schwalm@gmail.com> # Asus TF700T
Tested-by: Svyatoslav Ryhel <clamor95@gmail.com> # Asus TF201
Reported-by: Svyatoslav Ryhel <clamor95@gmail.com>
Reviewed-by: Andy Shevchenko <Andy.Shevchenko@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
Link: https://lore.kernel.org/r/20210423020959.5023-1-digetx@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/gyro/mpu3050-core.c |   13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

--- a/drivers/iio/gyro/mpu3050-core.c
+++ b/drivers/iio/gyro/mpu3050-core.c
@@ -271,7 +271,16 @@ static int mpu3050_read_raw(struct iio_d
 	case IIO_CHAN_INFO_OFFSET:
 		switch (chan->type) {
 		case IIO_TEMP:
-			/* The temperature scaling is (x+23000)/280 Celsius */
+			/*
+			 * The temperature scaling is (x+23000)/280 Celsius
+			 * for the "best fit straight line" temperature range
+			 * of -30C..85C.  The 23000 includes room temperature
+			 * offset of +35C, 280 is the precision scale and x is
+			 * the 16-bit signed integer reported by hardware.
+			 *
+			 * Temperature value itself represents temperature of
+			 * the sensor die.
+			 */
 			*val = 23000;
 			return IIO_VAL_INT;
 		default:
@@ -328,7 +337,7 @@ static int mpu3050_read_raw(struct iio_d
 				goto out_read_raw_unlock;
 			}
 
-			*val = be16_to_cpu(raw_val);
+			*val = (s16)be16_to_cpu(raw_val);
 			ret = IIO_VAL_INT;
 
 			goto out_read_raw_unlock;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 122/141] iio: tsl2583: Fix division by a zero lux_val
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 121/141] iio: gyro: mpu3050: Fix reported temperature value Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 123/141] cdc-wdm: untangle a circular dependency between callback and softint Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Stable, Jonathan Cameron

From: Colin Ian King <colin.king@canonical.com>

commit af0e1871d79cfbb91f732d2c6fa7558e45c31038 upstream.

The lux_val returned from tsl2583_get_lux can potentially be zero,
so check for this to avoid a division by zero and an overflowed
gain_trim_val.

Fixes clang scan-build warning:

drivers/iio/light/tsl2583.c:345:40: warning: Either the
condition 'lux_val<0' is redundant or there is division
by zero at line 345. [zerodivcond]

Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/iio/light/tsl2583.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/iio/light/tsl2583.c
+++ b/drivers/iio/light/tsl2583.c
@@ -341,6 +341,14 @@ static int tsl2583_als_calibrate(struct
 		return lux_val;
 	}
 
+	/* Avoid division by zero of lux_value later on */
+	if (lux_val == 0) {
+		dev_err(&chip->client->dev,
+			"%s: lux_val of 0 will produce out of range trim_value\n",
+			__func__);
+		return -ENODATA;
+	}
+
 	gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target)
 			* chip->als_settings.als_gain_trim) / lux_val);
 	if ((gain_trim_val < 250) || (gain_trim_val > 4000)) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 123/141] cdc-wdm: untangle a circular dependency between callback and softint
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 122/141] iio: tsl2583: Fix division by a zero lux_val Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 124/141] KVM: x86: Cancel pvclock_gtod_work on module removal Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Oliver Neukum

From: Oliver Neukum <oneukum@suse.com>

commit 18abf874367456540846319574864e6ff32752e2 upstream.

We have a cycle of callbacks scheduling works which submit
URBs with those callbacks. This needs to be blocked, stopped
and unblocked to untangle the circle.

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Link: https://lore.kernel.org/r/20210426092622.20433-1-oneukum@suse.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/cdc-wdm.c |   30 ++++++++++++++++++++++--------
 1 file changed, 22 insertions(+), 8 deletions(-)

--- a/drivers/usb/class/cdc-wdm.c
+++ b/drivers/usb/class/cdc-wdm.c
@@ -321,12 +321,23 @@ exit:
 
 }
 
-static void kill_urbs(struct wdm_device *desc)
+static void poison_urbs(struct wdm_device *desc)
 {
 	/* the order here is essential */
-	usb_kill_urb(desc->command);
-	usb_kill_urb(desc->validity);
-	usb_kill_urb(desc->response);
+	usb_poison_urb(desc->command);
+	usb_poison_urb(desc->validity);
+	usb_poison_urb(desc->response);
+}
+
+static void unpoison_urbs(struct wdm_device *desc)
+{
+	/*
+	 *  the order here is not essential
+	 *  it is symmetrical just to be nice
+	 */
+	usb_unpoison_urb(desc->response);
+	usb_unpoison_urb(desc->validity);
+	usb_unpoison_urb(desc->command);
 }
 
 static void free_urbs(struct wdm_device *desc)
@@ -741,11 +752,12 @@ static int wdm_release(struct inode *ino
 	if (!desc->count) {
 		if (!test_bit(WDM_DISCONNECTING, &desc->flags)) {
 			dev_dbg(&desc->intf->dev, "wdm_release: cleanup\n");
-			kill_urbs(desc);
+			poison_urbs(desc);
 			spin_lock_irq(&desc->iuspin);
 			desc->resp_count = 0;
 			spin_unlock_irq(&desc->iuspin);
 			desc->manage_power(desc->intf, 0);
+			unpoison_urbs(desc);
 		} else {
 			/* must avoid dev_printk here as desc->intf is invalid */
 			pr_debug(KBUILD_MODNAME " %s: device gone - cleaning up\n", __func__);
@@ -1036,9 +1048,9 @@ static void wdm_disconnect(struct usb_in
 	wake_up_all(&desc->wait);
 	mutex_lock(&desc->rlock);
 	mutex_lock(&desc->wlock);
+	poison_urbs(desc);
 	cancel_work_sync(&desc->rxwork);
 	cancel_work_sync(&desc->service_outs_intr);
-	kill_urbs(desc);
 	mutex_unlock(&desc->wlock);
 	mutex_unlock(&desc->rlock);
 
@@ -1079,9 +1091,10 @@ static int wdm_suspend(struct usb_interf
 		set_bit(WDM_SUSPENDING, &desc->flags);
 		spin_unlock_irq(&desc->iuspin);
 		/* callback submits work - order is essential */
-		kill_urbs(desc);
+		poison_urbs(desc);
 		cancel_work_sync(&desc->rxwork);
 		cancel_work_sync(&desc->service_outs_intr);
+		unpoison_urbs(desc);
 	}
 	if (!PMSG_IS_AUTO(message)) {
 		mutex_unlock(&desc->wlock);
@@ -1139,7 +1152,7 @@ static int wdm_pre_reset(struct usb_inte
 	wake_up_all(&desc->wait);
 	mutex_lock(&desc->rlock);
 	mutex_lock(&desc->wlock);
-	kill_urbs(desc);
+	poison_urbs(desc);
 	cancel_work_sync(&desc->rxwork);
 	cancel_work_sync(&desc->service_outs_intr);
 	return 0;
@@ -1150,6 +1163,7 @@ static int wdm_post_reset(struct usb_int
 	struct wdm_device *desc = wdm_find_device(intf);
 	int rv;
 
+	unpoison_urbs(desc);
 	clear_bit(WDM_OVERFLOW, &desc->flags);
 	clear_bit(WDM_RESETTING, &desc->flags);
 	rv = recover_from_urb_loss(desc);



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 124/141] KVM: x86: Cancel pvclock_gtod_work on module removal
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 123/141] cdc-wdm: untangle a circular dependency between callback and softint Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 125/141] mm: fix struct page layout on 32-bit systems Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thomas Gleixner, Paolo Bonzini

From: Thomas Gleixner <tglx@linutronix.de>

commit 594b27e677b35f9734b1969d175ebc6146741109 upstream.

Nothing prevents the following:

  pvclock_gtod_notify()
    queue_work(system_long_wq, &pvclock_gtod_work);
  ...
  remove_module(kvm);
  ...
  work_queue_run()
    pvclock_gtod_work()	<- UAF

Ditto for any other operation on that workqueue list head which touches
pvclock_gtod_work after module removal.

Cancel the work in kvm_arch_exit() to prevent that.

Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -7356,6 +7356,7 @@ void kvm_arch_exit(void)
 	cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE);
 #ifdef CONFIG_X86_64
 	pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier);
+	cancel_work_sync(&pvclock_gtod_work);
 #endif
 	kvm_x86_ops = NULL;
 	kvm_mmu_module_exit();



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 125/141] mm: fix struct page layout on 32-bit systems
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 124/141] KVM: x86: Cancel pvclock_gtod_work on module removal Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 126/141] FDDI: defxx: Make MMIO the configuration default except for EISA Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Wilcox (Oracle),
	Ilias Apalodimas, Jesper Dangaard Brouer, Vlastimil Babka,
	Matteo Croce, Andrew Morton, Linus Torvalds

From: Matthew Wilcox (Oracle) <willy@infradead.org>

commit 9ddb3c14afba8bc5950ed297f02d4ae05ff35cd1 upstream.

32-bit architectures which expect 8-byte alignment for 8-byte integers and
need 64-bit DMA addresses (arm, mips, ppc) had their struct page
inadvertently expanded in 2019.  When the dma_addr_t was added, it forced
the alignment of the union to 8 bytes, which inserted a 4 byte gap between
'flags' and the union.

Fix this by storing the dma_addr_t in one or two adjacent unsigned longs.
This restores the alignment to that of an unsigned long.  We always
store the low bits in the first word to prevent the PageTail bit from
being inadvertently set on a big endian platform.  If that happened,
get_user_pages_fast() racing against a page which was freed and
reallocated to the page_pool could dereference a bogus compound_head(),
which would be hard to trace back to this cause.

Link: https://lkml.kernel.org/r/20210510153211.1504886-1-willy@infradead.org
Fixes: c25fff7171be ("mm: add dma_addr_t to struct page")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Acked-by: Ilias Apalodimas <ilias.apalodimas@linaro.org>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Tested-by: Matteo Croce <mcroce@linux.microsoft.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/mm_types.h |    4 ++--
 include/net/page_pool.h  |   12 +++++++++++-
 net/core/page_pool.c     |    6 +++---
 3 files changed, 16 insertions(+), 6 deletions(-)

--- a/include/linux/mm_types.h
+++ b/include/linux/mm_types.h
@@ -95,10 +95,10 @@ struct page {
 		};
 		struct {	/* page_pool used by netstack */
 			/**
-			 * @dma_addr: might require a 64-bit value even on
+			 * @dma_addr: might require a 64-bit value on
 			 * 32-bit architectures.
 			 */
-			dma_addr_t dma_addr;
+			unsigned long dma_addr[2];
 		};
 		struct {	/* slab, slob and slub */
 			union {
--- a/include/net/page_pool.h
+++ b/include/net/page_pool.h
@@ -185,7 +185,17 @@ static inline void page_pool_release_pag
 
 static inline dma_addr_t page_pool_get_dma_addr(struct page *page)
 {
-	return page->dma_addr;
+	dma_addr_t ret = page->dma_addr[0];
+	if (sizeof(dma_addr_t) > sizeof(unsigned long))
+		ret |= (dma_addr_t)page->dma_addr[1] << 16 << 16;
+	return ret;
+}
+
+static inline void page_pool_set_dma_addr(struct page *page, dma_addr_t addr)
+{
+	page->dma_addr[0] = addr;
+	if (sizeof(dma_addr_t) > sizeof(unsigned long))
+		page->dma_addr[1] = upper_32_bits(addr);
 }
 
 static inline bool is_page_pool_compiled_in(void)
--- a/net/core/page_pool.c
+++ b/net/core/page_pool.c
@@ -157,7 +157,7 @@ static struct page *__page_pool_alloc_pa
 		put_page(page);
 		return NULL;
 	}
-	page->dma_addr = dma;
+	page_pool_set_dma_addr(page, dma);
 
 skip_dma_map:
 	/* Track how many pages are held 'in-flight' */
@@ -216,12 +216,12 @@ static void __page_pool_clean_page(struc
 	if (!(pool->p.flags & PP_FLAG_DMA_MAP))
 		goto skip_dma_unmap;
 
-	dma = page->dma_addr;
+	dma = page_pool_get_dma_addr(page);
 	/* DMA unmap */
 	dma_unmap_page_attrs(pool->p.dev, dma,
 			     PAGE_SIZE << pool->p.order, pool->p.dma_dir,
 			     DMA_ATTR_SKIP_CPU_SYNC);
-	page->dma_addr = 0;
+	page_pool_set_dma_addr(page, 0);
 skip_dma_unmap:
 	/* This may be the last page returned, releasing the pool, so
 	 * it is not safe to reference pool afterwards.



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 126/141] FDDI: defxx: Make MMIO the configuration default except for EISA
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 125/141] mm: fix struct page layout on 32-bit systems Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:02 ` [PATCH 5.4 127/141] MIPS: Reinstate platform `__div64_32 handler Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, David S. Miller

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 193ced4a79599352d63cb8c9e2f0c6043106eb6a upstream.

Recent versions of the PCI Express specification have deprecated support
for I/O transactions and actually some PCIe host bridges, such as Power
Systems Host Bridge 4 (PHB4), do not implement them.

The default kernel configuration choice for the defxx driver is the use
of I/O ports rather than MMIO for PCI and EISA systems.  It may have
made sense as a conservative backwards compatible choice back when MMIO
operation support was added to the driver as a part of TURBOchannel bus
support.  However nowadays this configuration choice makes the driver
unusable with systems that do not implement I/O transactions for PCIe.

Make DEFXX_MMIO the configuration default then, except where configured
for EISA.  This exception is because an EISA adapter can have its MMIO
decoding disabled with ECU (EISA Configuration Utility) and therefore
not available with the resource allocation infrastructure we implement,
while port I/O is always readily available as it uses slot-specific
addressing, directly mapped to the slot an option card has been placed
in and handled with our EISA bus support core.  Conversely a kernel that
supports modern systems which may not have I/O transactions implemented
for PCIe will usually not be expected to handle legacy EISA systems.

The change of the default will make it easier for people, including but
not limited to distribution packagers, to make a working choice for the
driver.

Update the option description accordingly and while at it replace the
potentially ambiguous PIO acronym with IOP for "port I/O" vs "I/O ports"
according to our nomenclature used elsewhere.

Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: e89a2cfb7d7b ("[TC] defxx: TURBOchannel support")
Cc: stable@vger.kernel.org # v2.6.21+
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/fddi/Kconfig |   15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

--- a/drivers/net/fddi/Kconfig
+++ b/drivers/net/fddi/Kconfig
@@ -40,17 +40,20 @@ config DEFXX
 
 config DEFXX_MMIO
 	bool
-	prompt "Use MMIO instead of PIO" if PCI || EISA
+	prompt "Use MMIO instead of IOP" if PCI || EISA
 	depends on DEFXX
-	default n if PCI || EISA
+	default n if EISA
 	default y
 	---help---
 	  This instructs the driver to use EISA or PCI memory-mapped I/O
-	  (MMIO) as appropriate instead of programmed I/O ports (PIO).
+	  (MMIO) as appropriate instead of programmed I/O ports (IOP).
 	  Enabling this gives an improvement in processing time in parts
-	  of the driver, but it may cause problems with EISA (DEFEA)
-	  adapters.  TURBOchannel does not have the concept of I/O ports,
-	  so MMIO is always used for these (DEFTA) adapters.
+	  of the driver, but it requires a memory window to be configured
+	  for EISA (DEFEA) adapters that may not always be available.
+	  Conversely some PCIe host bridges do not support IOP, so MMIO
+	  may be required to access PCI (DEFPA) adapters on downstream PCI
+	  buses with some systems.  TURBOchannel does not have the concept
+	  of I/O ports, so MMIO is always used for these (DEFTA) adapters.
 
 	  If unsure, say N.
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 127/141] MIPS: Reinstate platform `__div64_32 handler
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 126/141] FDDI: defxx: Make MMIO the configuration default except for EISA Greg Kroah-Hartman
@ 2021-05-17 14:02 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 128/141] MIPS: Avoid DIVU in `__div64_32 is result would be zero Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:02 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Huacai Chen, Maciej W. Rozycki,
	Thomas Bogendoerfer

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit c49f71f60754acbff37505e1d16ca796bf8a8140 upstream.

Our current MIPS platform `__div64_32' handler is inactive, because it
is incorrectly only enabled for 64-bit configurations, for which generic
`do_div' code does not call it anyway.

The handler is not suitable for being called from there though as it
only calculates 32 bits of the quotient under the assumption the 64-bit
divident has been suitably reduced.  Code for such reduction used to be
there, however it has been incorrectly removed with commit c21004cd5b4c
("MIPS: Rewrite <asm/div64.h> to work with gcc 4.4.0."), which should
have only updated an obsoleted constraint for an inline asm involving
$hi and $lo register outputs, while possibly wiring the original MIPS
variant of the `do_div' macro as `__div64_32' handler for the generic
`do_div' implementation

Correct the handler as follows then:

- Revert most of the commit referred, however retaining the current
  formatting, except for the final two instructions of the inline asm
  sequence, which the original commit missed.  Omit the original 64-bit
  parts though.

- Rename the original `do_div' macro to `__div64_32'.  Use the combined
  `x' constraint referring to the MD accumulator as a whole, replacing
  the original individual `h' and `l' constraints used for $hi and $lo
  registers respectively, of which `h' has been obsoleted with GCC 4.4.
  Update surrounding code accordingly.

  We have since removed support for GCC versions before 4.9, so no need
  for a special arrangement here; GCC has supported the `x' constraint
  since forever anyway, or at least going back to 1991.

- Rename the `__base' local variable in `__div64_32' to `__radix' to
  avoid a conflict with a local variable in `do_div'.

- Actually enable this code for 32-bit rather than 64-bit configurations
  by qualifying it with BITS_PER_LONG being 32 instead of 64.  Include
  <asm/bitsperlong.h> for this macro rather than <linux/types.h> as we
  don't need anything else.

- Finally include <asm-generic/div64.h> last rather than first.

This has passed correctness verification with test_div64 and reduced the
module's average execution time down to 1.0668s and 0.2629s from 2.1529s
and 0.5647s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz.
For a reference 64-bit `do_div' code where we have the DDIVU instruction
available to do the whole calculation right away averages at 0.0660s for
the latter CPU.

Fixes: c21004cd5b4c ("MIPS: Rewrite <asm/div64.h> to work with gcc 4.4.0.")
Reported-by: Huacai Chen <chenhuacai@kernel.org>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Cc: stable@vger.kernel.org # v2.6.30+
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/include/asm/div64.h |   57 ++++++++++++++++++++++++++++++------------
 1 file changed, 41 insertions(+), 16 deletions(-)

--- a/arch/mips/include/asm/div64.h
+++ b/arch/mips/include/asm/div64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2000, 2004  Maciej W. Rozycki
+ * Copyright (C) 2000, 2004, 2021  Maciej W. Rozycki
  * Copyright (C) 2003, 07 Ralf Baechle (ralf@linux-mips.org)
  *
  * This file is subject to the terms and conditions of the GNU General Public
@@ -9,25 +9,18 @@
 #ifndef __ASM_DIV64_H
 #define __ASM_DIV64_H
 
-#include <asm-generic/div64.h>
-
-#if BITS_PER_LONG == 64
+#include <asm/bitsperlong.h>
 
-#include <linux/types.h>
+#if BITS_PER_LONG == 32
 
 /*
  * No traps on overflows for any of these...
  */
 
-#define __div64_32(n, base)						\
-({									\
+#define do_div64_32(res, high, low, base) ({				\
 	unsigned long __cf, __tmp, __tmp2, __i;				\
 	unsigned long __quot32, __mod32;				\
-	unsigned long __high, __low;					\
-	unsigned long long __n;						\
 									\
-	__high = *__n >> 32;						\
-	__low = __n;							\
 	__asm__(							\
 	"	.set	push					\n"	\
 	"	.set	noat					\n"	\
@@ -51,18 +44,50 @@
 	"	subu	%0, %0, %z6				\n"	\
 	"	addiu	%2, %2, 1				\n"	\
 	"3:							\n"	\
-	"	bnez	%4, 0b\n\t"					\
-	"	 srl	%5, %1, 0x1f\n\t"				\
+	"	bnez	%4, 0b					\n"	\
+	"	 srl	%5, %1, 0x1f				\n"	\
 	"	.set	pop"						\
 	: "=&r" (__mod32), "=&r" (__tmp),				\
 	  "=&r" (__quot32), "=&r" (__cf),				\
 	  "=&r" (__i), "=&r" (__tmp2)					\
-	: "Jr" (base), "0" (__high), "1" (__low));			\
+	: "Jr" (base), "0" (high), "1" (low));				\
 									\
-	(__n) = __quot32;						\
+	(res) = __quot32;						\
 	__mod32;							\
 })
 
-#endif /* BITS_PER_LONG == 64 */
+#define __div64_32(n, base) ({						\
+	unsigned long __upper, __low, __high, __radix;			\
+	unsigned long long __modquot;					\
+	unsigned long long __quot;					\
+	unsigned long long __div;					\
+	unsigned long __mod;						\
+									\
+	__div = (*n);							\
+	__radix = (base);						\
+									\
+	__high = __div >> 32;						\
+	__low = __div;							\
+	__upper = __high;						\
+									\
+	if (__high) {							\
+		__asm__("divu	$0, %z1, %z2"				\
+		: "=x" (__modquot)					\
+		: "Jr" (__high), "Jr" (__radix));			\
+		__upper = __modquot >> 32;				\
+		__high = __modquot;					\
+	}								\
+									\
+	__mod = do_div64_32(__low, __upper, __low, __radix);		\
+									\
+	__quot = __high;						\
+	__quot = __quot << 32 | __low;					\
+	(*n) = __quot;							\
+	__mod;								\
+})
+
+#endif /* BITS_PER_LONG == 32 */
+
+#include <asm-generic/div64.h>
 
 #endif /* __ASM_DIV64_H */



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 128/141] MIPS: Avoid DIVU in `__div64_32 is result would be zero
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-05-17 14:02 ` [PATCH 5.4 127/141] MIPS: Reinstate platform `__div64_32 handler Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 129/141] MIPS: Avoid handcoded DIVU in `__div64_32 altogether Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Thomas Bogendoerfer

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit c1d337d45ec0a802299688e17d568c4e3a585895 upstream.

We already check the high part of the divident against zero to avoid the
costly DIVU instruction in that case, needed to reduce the high part of
the divident, so we may well check against the divisor instead and set
the high part of the quotient to zero right away.  We need to treat the
high part the divident in that case though as the remainder that would
be calculated by the DIVU instruction we avoided.

This has passed correctness verification with test_div64 and reduced the
module's average execution time down to 1.0445s and 0.2619s from 1.0668s
and 0.2629s respectively for an R3400 CPU @40MHz and a 5Kc CPU @160MHz.

Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/include/asm/div64.h |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/mips/include/asm/div64.h
+++ b/arch/mips/include/asm/div64.h
@@ -68,9 +68,11 @@
 									\
 	__high = __div >> 32;						\
 	__low = __div;							\
-	__upper = __high;						\
 									\
-	if (__high) {							\
+	if (__high < __radix) {						\
+		__upper = __high;					\
+		__high = 0;						\
+	} else {							\
 		__asm__("divu	$0, %z1, %z2"				\
 		: "=x" (__modquot)					\
 		: "Jr" (__high), "Jr" (__radix));			\



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 129/141] MIPS: Avoid handcoded DIVU in `__div64_32 altogether
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 128/141] MIPS: Avoid DIVU in `__div64_32 is result would be zero Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 130/141] thermal/core/fair share: Lock the thermal zone while looping over instances Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Thomas Bogendoerfer

From: Maciej W. Rozycki <macro@orcam.me.uk>

commit 25ab14cbe9d1b66fda44c71a2db7582a31b6f5cd upstream.

Remove the inline asm with a DIVU instruction from `__div64_32' and use
plain C code for the intended DIVMOD calculation instead.  GCC is smart
enough to know that both the quotient and the remainder are calculated
with single DIVU, so with ISAs up to R5 the same instruction is actually
produced with overall similar code.

For R6 compiled code will work, but separate DIVU and MODU instructions
will be produced, which are also interlocked, so scalar implementations
will likely not perform as well as older ISAs with their asynchronous MD
unit.  Likely still faster then the generic algorithm though.

This removes a compilation error for R6 however where the original DIVU
instruction is not supported anymore and the MDU accumulator registers
have been removed and consequently GCC complains as to a constraint it
cannot find a register for:

In file included from ./include/linux/math.h:5,
                 from ./include/linux/kernel.h:13,
                 from mm/page-writeback.c:15:
./include/linux/math64.h: In function 'div_u64_rem':
./arch/mips/include/asm/div64.h:76:17: error: inconsistent operand constraints in an 'asm'
   76 |                 __asm__("divu   $0, %z1, %z2"                           \
      |                 ^~~~~~~
./include/asm-generic/div64.h:245:25: note: in expansion of macro '__div64_32'
  245 |                 __rem = __div64_32(&(n), __base);       \
      |                         ^~~~~~~~~~
./include/linux/math64.h:91:22: note: in expansion of macro 'do_div'
   91 |         *remainder = do_div(dividend, divisor);
      |                      ^~~~~~

This has passed correctness verification with test_div64 and reduced the
module's average execution time down to 1.0404s from 1.0445s with R3400
@40MHz.  The module's MIPS I machine code has also shrunk by 12 bytes or
3 instructions.

Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/mips/include/asm/div64.h |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

--- a/arch/mips/include/asm/div64.h
+++ b/arch/mips/include/asm/div64.h
@@ -58,7 +58,6 @@
 
 #define __div64_32(n, base) ({						\
 	unsigned long __upper, __low, __high, __radix;			\
-	unsigned long long __modquot;					\
 	unsigned long long __quot;					\
 	unsigned long long __div;					\
 	unsigned long __mod;						\
@@ -73,11 +72,8 @@
 		__upper = __high;					\
 		__high = 0;						\
 	} else {							\
-		__asm__("divu	$0, %z1, %z2"				\
-		: "=x" (__modquot)					\
-		: "Jr" (__high), "Jr" (__radix));			\
-		__upper = __modquot >> 32;				\
-		__high = __modquot;					\
+		__upper = __high % __radix;				\
+		__high /= __radix;					\
 	}								\
 									\
 	__mod = do_div64_32(__low, __upper, __low, __radix);		\



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 130/141] thermal/core/fair share: Lock the thermal zone while looping over instances
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 129/141] MIPS: Avoid handcoded DIVU in `__div64_32 altogether Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 131/141] f2fs: fix error handling in f2fs_end_enable_verity() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lukasz Luba, Daniel Lezcano

From: Lukasz Luba <lukasz.luba@arm.com>

commit fef05776eb02238dcad8d5514e666a42572c3f32 upstream.

The tz->lock must be hold during the looping over the instances in that
thermal zone. This lock was missing in the governor code since the
beginning, so it's hard to point into a particular commit.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Lukasz Luba <lukasz.luba@arm.com>
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://lore.kernel.org/r/20210422153624.6074-2-lukasz.luba@arm.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/thermal/fair_share.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/thermal/fair_share.c
+++ b/drivers/thermal/fair_share.c
@@ -82,6 +82,8 @@ static int fair_share_throttle(struct th
 	int total_instance = 0;
 	int cur_trip_level = get_trip_level(tz);
 
+	mutex_lock(&tz->lock);
+
 	list_for_each_entry(instance, &tz->thermal_instances, tz_node) {
 		if (instance->trip != trip)
 			continue;
@@ -110,6 +112,8 @@ static int fair_share_throttle(struct th
 		mutex_unlock(&instance->cdev->lock);
 		thermal_cdev_update(cdev);
 	}
+
+	mutex_unlock(&tz->lock);
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 131/141] f2fs: fix error handling in f2fs_end_enable_verity()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 130/141] thermal/core/fair share: Lock the thermal zone while looping over instances Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 132/141] ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yunlei He, Eric Biggers, Chao Yu,
	Jaegeuk Kim

From: Eric Biggers <ebiggers@google.com>

commit 3c0315424f5e3d2a4113c7272367bee1e8e6a174 upstream.

f2fs didn't properly clean up if verity failed to be enabled on a file:

- It left verity metadata (pages past EOF) in the page cache, which
  would be exposed to userspace if the file was later extended.

- It didn't truncate the verity metadata at all (either from cache or
  from disk) if an error occurred while setting the verity bit.

Fix these bugs by adding a call to truncate_inode_pages() and ensuring
that we truncate the verity metadata (both from cache and from disk) in
all error paths.  Also rework the code to cleanly separate the success
path from the error paths, which makes it much easier to understand.

Finally, log a message if f2fs_truncate() fails, since it might
otherwise fail silently.

Reported-by: Yunlei He <heyunlei@hihonor.com>
Fixes: 95ae251fe828 ("f2fs: add fs-verity support")
Cc: <stable@vger.kernel.org> # v5.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/f2fs/verity.c |   79 ++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 56 insertions(+), 23 deletions(-)

--- a/fs/f2fs/verity.c
+++ b/fs/f2fs/verity.c
@@ -150,40 +150,73 @@ static int f2fs_end_enable_verity(struct
 				  size_t desc_size, u64 merkle_tree_size)
 {
 	struct inode *inode = file_inode(filp);
+	struct f2fs_sb_info *sbi = F2FS_I_SB(inode);
 	u64 desc_pos = f2fs_verity_metadata_pos(inode) + merkle_tree_size;
 	struct fsverity_descriptor_location dloc = {
 		.version = cpu_to_le32(1),
 		.size = cpu_to_le32(desc_size),
 		.pos = cpu_to_le64(desc_pos),
 	};
-	int err = 0;
+	int err = 0, err2 = 0;
 
-	if (desc != NULL) {
-		/* Succeeded; write the verity descriptor. */
-		err = pagecache_write(inode, desc, desc_size, desc_pos);
-
-		/* Write all pages before clearing FI_VERITY_IN_PROGRESS. */
-		if (!err)
-			err = filemap_write_and_wait(inode->i_mapping);
-	}
-
-	/* If we failed, truncate anything we wrote past i_size. */
-	if (desc == NULL || err)
-		f2fs_truncate(inode);
+	/*
+	 * If an error already occurred (which fs/verity/ signals by passing
+	 * desc == NULL), then only clean-up is needed.
+	 */
+	if (desc == NULL)
+		goto cleanup;
+
+	/* Append the verity descriptor. */
+	err = pagecache_write(inode, desc, desc_size, desc_pos);
+	if (err)
+		goto cleanup;
+
+	/*
+	 * Write all pages (both data and verity metadata).  Note that this must
+	 * happen before clearing FI_VERITY_IN_PROGRESS; otherwise pages beyond
+	 * i_size won't be written properly.  For crash consistency, this also
+	 * must happen before the verity inode flag gets persisted.
+	 */
+	err = filemap_write_and_wait(inode->i_mapping);
+	if (err)
+		goto cleanup;
+
+	/* Set the verity xattr. */
+	err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY,
+			    F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc),
+			    NULL, XATTR_CREATE);
+	if (err)
+		goto cleanup;
+
+	/* Finally, set the verity inode flag. */
+	file_set_verity(inode);
+	f2fs_set_inode_flags(inode);
+	f2fs_mark_inode_dirty_sync(inode, true);
 
 	clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
+	return 0;
 
-	if (desc != NULL && !err) {
-		err = f2fs_setxattr(inode, F2FS_XATTR_INDEX_VERITY,
-				    F2FS_XATTR_NAME_VERITY, &dloc, sizeof(dloc),
-				    NULL, XATTR_CREATE);
-		if (!err) {
-			file_set_verity(inode);
-			f2fs_set_inode_flags(inode);
-			f2fs_mark_inode_dirty_sync(inode, true);
-		}
+cleanup:
+	/*
+	 * Verity failed to be enabled, so clean up by truncating any verity
+	 * metadata that was written beyond i_size (both from cache and from
+	 * disk) and clearing FI_VERITY_IN_PROGRESS.
+	 *
+	 * Taking i_gc_rwsem[WRITE] is needed to stop f2fs garbage collection
+	 * from re-instantiating cached pages we are truncating (since unlike
+	 * normal file accesses, garbage collection isn't limited by i_size).
+	 */
+	down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+	truncate_inode_pages(inode->i_mapping, inode->i_size);
+	err2 = f2fs_truncate(inode);
+	if (err2) {
+		f2fs_err(sbi, "Truncating verity metadata failed (errno=%d)",
+			 err2);
+		set_sbi_flag(sbi, SBI_NEED_FSCK);
 	}
-	return err;
+	up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
+	clear_inode_flag(inode, FI_VERITY_IN_PROGRESS);
+	return err ?: err2;
 }
 
 static int f2fs_get_verity_descriptor(struct inode *inode, void *buf,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 132/141] ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 131/141] f2fs: fix error handling in f2fs_end_enable_verity() Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 133/141] ARM: 9012/1: move device tree mapping out of linear region Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Linus Walleij, Nicolas Pitre, Ard Biesheuvel,
	Russell King, Florian Fainelli

From: Ard Biesheuvel <ardb@kernel.org>

commit e9a2f8b599d0bc22a1b13e69527246ac39c697b4 upstream

Before moving the DT mapping out of the linear region, let's prepare
for this change by removing all the phys-to-virt translations of the
__atags_pointer variable, and perform this translation only once at
setup time.

Tested-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Acked-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/prom.h   |    4 ++--
 arch/arm/kernel/atags.h       |    4 ++--
 arch/arm/kernel/atags_parse.c |    6 +++---
 arch/arm/kernel/devtree.c     |    6 +++---
 arch/arm/kernel/setup.c       |   14 +++++++++-----
 arch/arm/mm/mmu.c             |    4 ++--
 6 files changed, 21 insertions(+), 17 deletions(-)

--- a/arch/arm/include/asm/prom.h
+++ b/arch/arm/include/asm/prom.h
@@ -9,12 +9,12 @@
 
 #ifdef CONFIG_OF
 
-extern const struct machine_desc *setup_machine_fdt(unsigned int dt_phys);
+extern const struct machine_desc *setup_machine_fdt(void *dt_virt);
 extern void __init arm_dt_init_cpu_maps(void);
 
 #else /* CONFIG_OF */
 
-static inline const struct machine_desc *setup_machine_fdt(unsigned int dt_phys)
+static inline const struct machine_desc *setup_machine_fdt(void *dt_virt)
 {
 	return NULL;
 }
--- a/arch/arm/kernel/atags.h
+++ b/arch/arm/kernel/atags.h
@@ -2,11 +2,11 @@
 void convert_to_tag_list(struct tag *tags);
 
 #ifdef CONFIG_ATAGS
-const struct machine_desc *setup_machine_tags(phys_addr_t __atags_pointer,
+const struct machine_desc *setup_machine_tags(void *__atags_vaddr,
 	unsigned int machine_nr);
 #else
 static inline const struct machine_desc * __init __noreturn
-setup_machine_tags(phys_addr_t __atags_pointer, unsigned int machine_nr)
+setup_machine_tags(void *__atags_vaddr, unsigned int machine_nr)
 {
 	early_print("no ATAGS support: can't continue\n");
 	while (true);
--- a/arch/arm/kernel/atags_parse.c
+++ b/arch/arm/kernel/atags_parse.c
@@ -176,7 +176,7 @@ static void __init squash_mem_tags(struc
 }
 
 const struct machine_desc * __init
-setup_machine_tags(phys_addr_t __atags_pointer, unsigned int machine_nr)
+setup_machine_tags(void *atags_vaddr, unsigned int machine_nr)
 {
 	struct tag *tags = (struct tag *)&default_tags;
 	const struct machine_desc *mdesc = NULL, *p;
@@ -197,8 +197,8 @@ setup_machine_tags(phys_addr_t __atags_p
 	if (!mdesc)
 		return NULL;
 
-	if (__atags_pointer)
-		tags = phys_to_virt(__atags_pointer);
+	if (atags_vaddr)
+		tags = atags_vaddr;
 	else if (mdesc->atag_offset)
 		tags = (void *)(PAGE_OFFSET + mdesc->atag_offset);
 
--- a/arch/arm/kernel/devtree.c
+++ b/arch/arm/kernel/devtree.c
@@ -203,12 +203,12 @@ static const void * __init arch_get_next
 
 /**
  * setup_machine_fdt - Machine setup when an dtb was passed to the kernel
- * @dt_phys: physical address of dt blob
+ * @dt_virt: virtual address of dt blob
  *
  * If a dtb was passed to the kernel in r2, then use it to choose the
  * correct machine_desc and to setup the system.
  */
-const struct machine_desc * __init setup_machine_fdt(unsigned int dt_phys)
+const struct machine_desc * __init setup_machine_fdt(void *dt_virt)
 {
 	const struct machine_desc *mdesc, *mdesc_best = NULL;
 
@@ -221,7 +221,7 @@ const struct machine_desc * __init setup
 	mdesc_best = &__mach_desc_GENERIC_DT;
 #endif
 
-	if (!dt_phys || !early_init_dt_verify(phys_to_virt(dt_phys)))
+	if (!dt_virt || !early_init_dt_verify(dt_virt))
 		return NULL;
 
 	mdesc = of_flat_dt_match_machine(mdesc_best, arch_get_next_mach);
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -89,6 +89,7 @@ unsigned int cacheid __read_mostly;
 EXPORT_SYMBOL(cacheid);
 
 unsigned int __atags_pointer __initdata;
+void *atags_vaddr __initdata;
 
 unsigned int system_rev;
 EXPORT_SYMBOL(system_rev);
@@ -1075,19 +1076,22 @@ void __init hyp_mode_check(void)
 
 void __init setup_arch(char **cmdline_p)
 {
-	const struct machine_desc *mdesc;
+	const struct machine_desc *mdesc = NULL;
+
+	if (__atags_pointer)
+		atags_vaddr = phys_to_virt(__atags_pointer);
 
 	setup_processor();
-	mdesc = setup_machine_fdt(__atags_pointer);
+	if (atags_vaddr)
+		mdesc = setup_machine_fdt(atags_vaddr);
 	if (!mdesc)
-		mdesc = setup_machine_tags(__atags_pointer, __machine_arch_type);
+		mdesc = setup_machine_tags(atags_vaddr, __machine_arch_type);
 	if (!mdesc) {
 		early_print("\nError: invalid dtb and unrecognized/unsupported machine ID\n");
 		early_print("  r1=0x%08x, r2=0x%08x\n", __machine_arch_type,
 			    __atags_pointer);
 		if (__atags_pointer)
-			early_print("  r2[]=%*ph\n", 16,
-				    phys_to_virt(__atags_pointer));
+			early_print("  r2[]=%*ph\n", 16, atags_vaddr);
 		dump_machine_table();
 	}
 
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -1512,7 +1512,7 @@ static void __init map_lowmem(void)
 }
 
 #ifdef CONFIG_ARM_PV_FIXUP
-extern unsigned long __atags_pointer;
+extern void *atags_vaddr;
 typedef void pgtables_remap(long long offset, unsigned long pgd, void *bdata);
 pgtables_remap lpae_pgtables_remap_asm;
 
@@ -1543,7 +1543,7 @@ static void __init early_paging_init(con
 	 */
 	lpae_pgtables_remap = (pgtables_remap *)(unsigned long)__pa(lpae_pgtables_remap_asm);
 	pa_pgd = __pa(swapper_pg_dir);
-	boot_data = __va(__atags_pointer);
+	boot_data = atags_vaddr;
 	barrier();
 
 	pr_info("Switching physical address space to 0x%08llx\n",



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 133/141] ARM: 9012/1: move device tree mapping out of linear region
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 132/141] ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 134/141] ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Linus Walleij, Nicolas Pitre, Ard Biesheuvel,
	Russell King, Florian Fainelli

From: Ard Biesheuvel <ardb@kernel.org>

commit 7a1be318f5795cb66fa0dc86b3ace427fe68057f upstream

On ARM, setting up the linear region is tricky, given the constraints
around placement and alignment of the memblocks, and how the kernel
itself as well as the DT are placed in physical memory.

Let's simplify matters a bit, by moving the device tree mapping to the
top of the address space, right between the end of the vmalloc region
and the start of the the fixmap region, and create a read-only mapping
for it that is independent of the size of the linear region, and how it
is organized.

Since this region was formerly used as a guard region, which will now be
populated fully on LPAE builds by this read-only mapping (which will
still be able to function as a guard region for stray writes), bump the
start of the [underutilized] fixmap region by 512 KB as well, to ensure
that there is always a proper guard region here. Doing so still leaves
ample room for the fixmap space, even with NR_CPUS set to its maximum
value of 32.

Tested-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/arm/memory.rst  |    7 ++++++-
 arch/arm/include/asm/fixmap.h |    2 +-
 arch/arm/include/asm/memory.h |    5 +++++
 arch/arm/kernel/head.S        |    5 ++---
 arch/arm/kernel/setup.c       |   11 ++++++++---
 arch/arm/mm/init.c            |    1 -
 arch/arm/mm/mmu.c             |   20 ++++++++++++++------
 arch/arm/mm/pv-fixup-asm.S    |    4 ++--
 8 files changed, 38 insertions(+), 17 deletions(-)

--- a/Documentation/arm/memory.rst
+++ b/Documentation/arm/memory.rst
@@ -45,9 +45,14 @@ fffe8000	fffeffff	DTCM mapping area for
 fffe0000	fffe7fff	ITCM mapping area for platforms with
 				ITCM mounted inside the CPU.
 
-ffc00000	ffefffff	Fixmap mapping region.  Addresses provided
+ffc80000	ffefffff	Fixmap mapping region.  Addresses provided
 				by fix_to_virt() will be located here.
 
+ffc00000	ffc7ffff	Guard region
+
+ff800000	ffbfffff	Permanent, fixed read-only mapping of the
+				firmware provided DT blob
+
 fee00000	feffffff	Mapping of PCI I/O space. This is a static
 				mapping within the vmalloc space.
 
--- a/arch/arm/include/asm/fixmap.h
+++ b/arch/arm/include/asm/fixmap.h
@@ -2,7 +2,7 @@
 #ifndef _ASM_FIXMAP_H
 #define _ASM_FIXMAP_H
 
-#define FIXADDR_START		0xffc00000UL
+#define FIXADDR_START		0xffc80000UL
 #define FIXADDR_END		0xfff00000UL
 #define FIXADDR_TOP		(FIXADDR_END - PAGE_SIZE)
 
--- a/arch/arm/include/asm/memory.h
+++ b/arch/arm/include/asm/memory.h
@@ -67,6 +67,10 @@
  */
 #define XIP_VIRT_ADDR(physaddr)  (MODULES_VADDR + ((physaddr) & 0x000fffff))
 
+#define FDT_FIXED_BASE		UL(0xff800000)
+#define FDT_FIXED_SIZE		(2 * PMD_SIZE)
+#define FDT_VIRT_ADDR(physaddr)	((void *)(FDT_FIXED_BASE | (physaddr) % PMD_SIZE))
+
 #if !defined(CONFIG_SMP) && !defined(CONFIG_ARM_LPAE)
 /*
  * Allow 16MB-aligned ioremap pages
@@ -107,6 +111,7 @@ extern unsigned long vectors_base;
 #define MODULES_VADDR		PAGE_OFFSET
 
 #define XIP_VIRT_ADDR(physaddr)  (physaddr)
+#define FDT_VIRT_ADDR(physaddr)  ((void *)(physaddr))
 
 #endif /* !CONFIG_MMU */
 
--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -275,9 +275,8 @@ __create_page_tables:
 	 */
 	mov	r0, r2, lsr #SECTION_SHIFT
 	movs	r0, r0, lsl #SECTION_SHIFT
-	subne	r3, r0, r8
-	addne	r3, r3, #PAGE_OFFSET
-	addne	r3, r4, r3, lsr #(SECTION_SHIFT - PMD_ORDER)
+	ldrne	r3, =FDT_FIXED_BASE >> (SECTION_SHIFT - PMD_ORDER)
+	addne	r3, r3, r4
 	orrne	r6, r7, r0
 	strne	r6, [r3], #1 << PMD_ORDER
 	addne	r6, r6, #1 << SECTION_SHIFT
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -18,6 +18,7 @@
 #include <linux/of_platform.h>
 #include <linux/init.h>
 #include <linux/kexec.h>
+#include <linux/libfdt.h>
 #include <linux/of_fdt.h>
 #include <linux/cpu.h>
 #include <linux/interrupt.h>
@@ -89,7 +90,6 @@ unsigned int cacheid __read_mostly;
 EXPORT_SYMBOL(cacheid);
 
 unsigned int __atags_pointer __initdata;
-void *atags_vaddr __initdata;
 
 unsigned int system_rev;
 EXPORT_SYMBOL(system_rev);
@@ -1077,13 +1077,18 @@ void __init hyp_mode_check(void)
 void __init setup_arch(char **cmdline_p)
 {
 	const struct machine_desc *mdesc = NULL;
+	void *atags_vaddr = NULL;
 
 	if (__atags_pointer)
-		atags_vaddr = phys_to_virt(__atags_pointer);
+		atags_vaddr = FDT_VIRT_ADDR(__atags_pointer);
 
 	setup_processor();
-	if (atags_vaddr)
+	if (atags_vaddr) {
 		mdesc = setup_machine_fdt(atags_vaddr);
+		if (mdesc)
+			memblock_reserve(__atags_pointer,
+					 fdt_totalsize(atags_vaddr));
+	}
 	if (!mdesc)
 		mdesc = setup_machine_tags(atags_vaddr, __machine_arch_type);
 	if (!mdesc) {
--- a/arch/arm/mm/init.c
+++ b/arch/arm/mm/init.c
@@ -274,7 +274,6 @@ void __init arm_memblock_init(const stru
 	if (mdesc->reserve)
 		mdesc->reserve();
 
-	early_init_fdt_reserve_self();
 	early_init_fdt_scan_reserved_mem();
 
 	/* reserve memory for DMA contiguous allocations */
--- a/arch/arm/mm/mmu.c
+++ b/arch/arm/mm/mmu.c
@@ -39,6 +39,8 @@
 #include "mm.h"
 #include "tcm.h"
 
+extern unsigned long __atags_pointer;
+
 /*
  * empty_zero_page is a special page that is used for
  * zero-initialized data and COW.
@@ -962,7 +964,7 @@ static void __init create_mapping(struct
 		return;
 	}
 
-	if ((md->type == MT_DEVICE || md->type == MT_ROM) &&
+	if (md->type == MT_DEVICE &&
 	    md->virtual >= PAGE_OFFSET && md->virtual < FIXADDR_START &&
 	    (md->virtual < VMALLOC_START || md->virtual >= VMALLOC_END)) {
 		pr_warn("BUG: mapping for 0x%08llx at 0x%08lx out of vmalloc space\n",
@@ -1352,6 +1354,15 @@ static void __init devicemaps_init(const
 	for (addr = VMALLOC_START; addr < (FIXADDR_TOP & PMD_MASK); addr += PMD_SIZE)
 		pmd_clear(pmd_off_k(addr));
 
+	if (__atags_pointer) {
+		/* create a read-only mapping of the device tree */
+		map.pfn = __phys_to_pfn(__atags_pointer & SECTION_MASK);
+		map.virtual = FDT_FIXED_BASE;
+		map.length = FDT_FIXED_SIZE;
+		map.type = MT_ROM;
+		create_mapping(&map);
+	}
+
 	/*
 	 * Map the kernel if it is XIP.
 	 * It is always first in the modulearea.
@@ -1512,8 +1523,7 @@ static void __init map_lowmem(void)
 }
 
 #ifdef CONFIG_ARM_PV_FIXUP
-extern void *atags_vaddr;
-typedef void pgtables_remap(long long offset, unsigned long pgd, void *bdata);
+typedef void pgtables_remap(long long offset, unsigned long pgd);
 pgtables_remap lpae_pgtables_remap_asm;
 
 /*
@@ -1526,7 +1536,6 @@ static void __init early_paging_init(con
 	unsigned long pa_pgd;
 	unsigned int cr, ttbcr;
 	long long offset;
-	void *boot_data;
 
 	if (!mdesc->pv_fixup)
 		return;
@@ -1543,7 +1552,6 @@ static void __init early_paging_init(con
 	 */
 	lpae_pgtables_remap = (pgtables_remap *)(unsigned long)__pa(lpae_pgtables_remap_asm);
 	pa_pgd = __pa(swapper_pg_dir);
-	boot_data = atags_vaddr;
 	barrier();
 
 	pr_info("Switching physical address space to 0x%08llx\n",
@@ -1579,7 +1587,7 @@ static void __init early_paging_init(con
 	 * needs to be assembly.  It's fairly simple, as we're using the
 	 * temporary tables setup by the initial assembly code.
 	 */
-	lpae_pgtables_remap(offset, pa_pgd, boot_data);
+	lpae_pgtables_remap(offset, pa_pgd);
 
 	/* Re-enable the caches and cacheable TLB walks */
 	asm volatile("mcr p15, 0, %0, c2, c0, 2" : : "r" (ttbcr));
--- a/arch/arm/mm/pv-fixup-asm.S
+++ b/arch/arm/mm/pv-fixup-asm.S
@@ -39,8 +39,8 @@ ENTRY(lpae_pgtables_remap_asm)
 
 	/* Update level 2 entries for the boot data */
 	add	r7, r2, #0x1000
-	add	r7, r7, r3, lsr #SECTION_SHIFT - L2_ORDER
-	bic	r7, r7, #(1 << L2_ORDER) - 1
+	movw	r3, #FDT_FIXED_BASE >> (SECTION_SHIFT - L2_ORDER)
+	add	r7, r7, r3
 	ldrd	r4, r5, [r7]
 	adds	r4, r4, r0
 	adc	r5, r5, r1



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 134/141] ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 133/141] ARM: 9012/1: move device tree mapping out of linear region Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 135/141] ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Joel Stanley, Marek Szyprowski,
	Ard Biesheuvel, Russell King, Florian Fainelli

From: Ard Biesheuvel <ardb@kernel.org>

commit fc2933c133744305236793025b00c2f7d258b687 upstream

Commit

  149a3ffe62b9dbc3 ("9012/1: move device tree mapping out of linear region")

created a permanent, read-only section mapping of the device tree blob
provided by the firmware, and added a set of macros to get the base and
size of the virtually mapped FDT based on the physical address. However,
while the mapping code uses the SECTION_SIZE macro correctly, the macros
use PMD_SIZE instead, which means something entirely different on ARM when
using short descriptors, and is therefore not the right quantity to use
here. So replace PMD_SIZE with SECTION_SIZE. While at it, change the names
of the macro and its parameter to clarify that it returns the virtual
address of the start of the FDT, based on the physical address in memory.

Tested-by: Joel Stanley <joel@jms.id.au>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/memory.h |    6 +++---
 arch/arm/kernel/setup.c       |    2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

--- a/arch/arm/include/asm/memory.h
+++ b/arch/arm/include/asm/memory.h
@@ -68,8 +68,8 @@
 #define XIP_VIRT_ADDR(physaddr)  (MODULES_VADDR + ((physaddr) & 0x000fffff))
 
 #define FDT_FIXED_BASE		UL(0xff800000)
-#define FDT_FIXED_SIZE		(2 * PMD_SIZE)
-#define FDT_VIRT_ADDR(physaddr)	((void *)(FDT_FIXED_BASE | (physaddr) % PMD_SIZE))
+#define FDT_FIXED_SIZE		(2 * SECTION_SIZE)
+#define FDT_VIRT_BASE(physbase)	((void *)(FDT_FIXED_BASE | (physbase) % SECTION_SIZE))
 
 #if !defined(CONFIG_SMP) && !defined(CONFIG_ARM_LPAE)
 /*
@@ -111,7 +111,7 @@ extern unsigned long vectors_base;
 #define MODULES_VADDR		PAGE_OFFSET
 
 #define XIP_VIRT_ADDR(physaddr)  (physaddr)
-#define FDT_VIRT_ADDR(physaddr)  ((void *)(physaddr))
+#define FDT_VIRT_BASE(physbase)  ((void *)(physbase))
 
 #endif /* !CONFIG_MMU */
 
--- a/arch/arm/kernel/setup.c
+++ b/arch/arm/kernel/setup.c
@@ -1080,7 +1080,7 @@ void __init setup_arch(char **cmdline_p)
 	void *atags_vaddr = NULL;
 
 	if (__atags_pointer)
-		atags_vaddr = FDT_VIRT_ADDR(__atags_pointer);
+		atags_vaddr = FDT_VIRT_BASE(__atags_pointer);
 
 	setup_processor();
 	if (atags_vaddr) {



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 135/141] ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 134/141] ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 136/141] usb: typec: tcpm: Fix error while calculating PPS out values Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, kernelci.org bot, Linus Walleij,
	Ard Biesheuvel, Russell King, Florian Fainelli

From: Ard Biesheuvel <ardb@kernel.org>

commit 10fce53c0ef8f6e79115c3d9e0d7ea1338c3fa37 upstream

The early ATAGS/DT mapping code uses SECTION_SHIFT to mask low order
bits of R2, and decides that no ATAGS/DTB were provided if the resulting
value is 0x0.

This means that on systems where DRAM starts at 0x0 (such as Raspberry
Pi), no explicit mapping of the DT will be created if R2 points into the
first 1 MB section of memory. This was not a problem before, because the
decompressed kernel is loaded at the base of DRAM and mapped using
sections as well, and so as long as the DT is referenced via a virtual
address that uses the same translation (the linear map, in this case),
things work fine.

However, commit 7a1be318f579 ("9012/1: move device tree mapping out of
linear region") changes this, and now the DT is referenced via a virtual
address that is disjoint from the linear mapping of DRAM, and so we need
the early code to create the DT mapping unconditionally.

So let's create the early DT mapping for any value of R2 != 0x0.

Reported-by: "kernelci.org bot" <bot@kernelci.org>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/head.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -274,10 +274,10 @@ __create_page_tables:
 	 * We map 2 sections in case the ATAGs/DTB crosses a section boundary.
 	 */
 	mov	r0, r2, lsr #SECTION_SHIFT
-	movs	r0, r0, lsl #SECTION_SHIFT
+	cmp	r2, #0
 	ldrne	r3, =FDT_FIXED_BASE >> (SECTION_SHIFT - PMD_ORDER)
 	addne	r3, r3, r4
-	orrne	r6, r7, r0
+	orrne	r6, r7, r0, lsl #SECTION_SHIFT
 	strne	r6, [r3], #1 << PMD_ORDER
 	addne	r6, r6, #1 << SECTION_SHIFT
 	strne	r6, [r3]



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 136/141] usb: typec: tcpm: Fix error while calculating PPS out values
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 135/141] ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 137/141] kobject_uevent: remove warning in init_uevent_argv() Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Badhri Jagan Sridharan

From: Badhri Jagan Sridharan <badhri@google.com>

commit 374157ff88ae1a7f7927331cbc72c1ec11994e8a upstream.

"usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply"
introduced a regression for req_out_volt and req_op_curr calculation.

req_out_volt should consider the newly calculated max voltage instead
of previously accepted max voltage by the port partner. Likewise,
req_op_curr should consider the newly calculated max current instead
of previously accepted max current by the port partner.

Fixes: e3a072022487 ("usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply")
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Link: https://lore.kernel.org/r/20210415050121.1928298-1-badhri@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2339,10 +2339,10 @@ static unsigned int tcpm_pd_select_pps_a
 		port->pps_data.req_max_volt = min(pdo_pps_apdo_max_voltage(src),
 						  pdo_pps_apdo_max_voltage(snk));
 		port->pps_data.req_max_curr = min_pps_apdo_current(src, snk);
-		port->pps_data.req_out_volt = min(port->pps_data.max_volt,
-						  max(port->pps_data.min_volt,
+		port->pps_data.req_out_volt = min(port->pps_data.req_max_volt,
+						  max(port->pps_data.req_min_volt,
 						      port->pps_data.req_out_volt));
-		port->pps_data.req_op_curr = min(port->pps_data.max_curr,
+		port->pps_data.req_op_curr = min(port->pps_data.req_max_curr,
 						 port->pps_data.req_op_curr);
 	}
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 137/141] kobject_uevent: remove warning in init_uevent_argv()
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 136/141] usb: typec: tcpm: Fix error while calculating PPS out values Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 138/141] netfilter: conntrack: Make global sysctls readonly in non-init netns Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rafael J. Wysocki,
	syzbot+92340f7b2b4789907fdb

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit b4104180a2efb85f55e1ba1407885c9421970338 upstream.

syzbot can trigger the WARN() in init_uevent_argv() which isn't the
nicest as the code does properly recover and handle the error.  So
change the WARN() call to pr_warn() and provide some more information on
what the buffer size that was needed.

Link: https://lore.kernel.org/r/20201107082206.GA19079@kroah.com
Cc: "Rafael J. Wysocki" <rafael@kernel.org>
Cc: linux-kernel@vger.kernel.org
Reported-by: syzbot+92340f7b2b4789907fdb@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20210405094852.1348499-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/kobject_uevent.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/lib/kobject_uevent.c
+++ b/lib/kobject_uevent.c
@@ -251,12 +251,13 @@ static int kobj_usermode_filter(struct k
 
 static int init_uevent_argv(struct kobj_uevent_env *env, const char *subsystem)
 {
+	int buffer_size = sizeof(env->buf) - env->buflen;
 	int len;
 
-	len = strlcpy(&env->buf[env->buflen], subsystem,
-		      sizeof(env->buf) - env->buflen);
-	if (len >= (sizeof(env->buf) - env->buflen)) {
-		WARN(1, KERN_ERR "init_uevent_argv: buffer size too small\n");
+	len = strlcpy(&env->buf[env->buflen], subsystem, buffer_size);
+	if (len >= buffer_size) {
+		pr_warn("init_uevent_argv: buffer size of %d too small, needed %d\n",
+			buffer_size, len);
 		return -ENOMEM;
 	}
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 138/141] netfilter: conntrack: Make global sysctls readonly in non-init netns
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 137/141] kobject_uevent: remove warning in init_uevent_argv() Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 139/141] clk: exynos7: Mark aclk_fsys1_200 as critical Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathon Reinhart, David S. Miller

From: Jonathon Reinhart <jonathon.reinhart@gmail.com>

commit 2671fa4dc0109d3fb581bc3078fdf17b5d9080f6 upstream.

These sysctls point to global variables:
- NF_SYSCTL_CT_MAX (&nf_conntrack_max)
- NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
- NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

Because their data pointers are not updated to point to per-netns
structures, they must be marked read-only in a non-init_net ns.
Otherwise, changes in any net namespace are reflected in (leaked into)
all other net namespaces. This problem has existed since the
introduction of net namespaces.

The current logic marks them read-only only if the net namespace is
owned by an unprivileged user (other than init_user_ns).

Commit d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in
unprivileged namespaces") "exposes all sysctls even if the namespace is
unpriviliged." Since we need to mark them readonly in any case, we can
forego the unprivileged user check altogether.

Fixes: d0febd81ae77 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_conntrack_standalone.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -1071,8 +1071,11 @@ static int nf_conntrack_standalone_init_
 #endif
 	}
 
-	if (!net_eq(&init_net, net))
+	if (!net_eq(&init_net, net)) {
+		table[NF_SYSCTL_CT_MAX].mode = 0444;
+		table[NF_SYSCTL_CT_EXPECT_MAX].mode = 0444;
 		table[NF_SYSCTL_CT_BUCKETS].mode = 0444;
+	}
 
 	net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
 	if (!net->ct.sysctl_header)



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 139/141] clk: exynos7: Mark aclk_fsys1_200 as critical
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 138/141] netfilter: conntrack: Make global sysctls readonly in non-init netns Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 140/141] nvme: do not try to reconfigure APST when the controller is not live Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paweł Chmiel,
	Krzysztof Kozlowski, Sylwester Nawrocki

From: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>

commit 34138a59b92c1a30649a18ec442d2e61f3bc34dd upstream.

This clock must be always enabled to allow access to any registers in
fsys1 CMU. Until proper solution based on runtime PM is applied
(similar to what was done for Exynos5433), mark that clock as critical
so it won't be disabled.

It was observed on Samsung Galaxy S6 device (based on Exynos7420), where
UFS module is probed before pmic used to power that device.
In this case defer probe was happening and that clock was disabled by
UFS driver, causing whole boot to hang on next CMU access.

Fixes: 753195a749a6 ("clk: samsung: exynos7: Correct CMU_FSYS1 clocks names")
Signed-off-by: Paweł Chmiel <pawel.mikolaj.chmiel@gmail.com>
Acked-by: Krzysztof Kozlowski <krzk@kernel.org>
Link: https://lore.kernel.org/linux-clk/20201024154346.9589-1-pawel.mikolaj.chmiel@gmail.com
[s.nawrocki: Added comment in the code]
Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/clk/samsung/clk-exynos7.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/drivers/clk/samsung/clk-exynos7.c
+++ b/drivers/clk/samsung/clk-exynos7.c
@@ -537,8 +537,13 @@ static const struct samsung_gate_clock t
 	GATE(CLK_ACLK_FSYS0_200, "aclk_fsys0_200", "dout_aclk_fsys0_200",
 		ENABLE_ACLK_TOP13, 28, CLK_SET_RATE_PARENT |
 		CLK_IS_CRITICAL, 0),
+	/*
+	 * This clock is required for the CMU_FSYS1 registers access, keep it
+	 * enabled permanently until proper runtime PM support is added.
+	 */
 	GATE(CLK_ACLK_FSYS1_200, "aclk_fsys1_200", "dout_aclk_fsys1_200",
-		ENABLE_ACLK_TOP13, 24, CLK_SET_RATE_PARENT, 0),
+		ENABLE_ACLK_TOP13, 24, CLK_SET_RATE_PARENT |
+		CLK_IS_CRITICAL, 0),
 
 	GATE(CLK_SCLK_PHY_FSYS1_26M, "sclk_phy_fsys1_26m",
 		"dout_sclk_phy_fsys1_26m", ENABLE_SCLK_TOP1_FSYS11,



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 140/141] nvme: do not try to reconfigure APST when the controller is not live
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 139/141] clk: exynos7: Mark aclk_fsys1_200 as critical Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 14:03 ` [PATCH 5.4 141/141] ASoC: rsnd: check all BUSIF status when error Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Liu, Christoph Hellwig, Keith Busch

From: Christoph Hellwig <hch@lst.de>

commit 53fe2a30bc168db9700e00206d991ff934973cf1 upstream.

Do not call nvme_configure_apst when the controller is not live, given
that nvme_configure_apst will fail due the lack of an admin queue when
the controller is being torn down and nvme_set_latency_tolerance is
called from dev_pm_qos_hide_latency_tolerance.

Fixes: 510a405d945b("nvme: fix memory leak for power latency tolerance")
Reported-by: Peng Liu <liupeng17@lenovo.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -2414,7 +2414,8 @@ static void nvme_set_latency_tolerance(s
 
 	if (ctrl->ps_max_latency_us != latency) {
 		ctrl->ps_max_latency_us = latency;
-		nvme_configure_apst(ctrl);
+		if (ctrl->state == NVME_CTRL_LIVE)
+			nvme_configure_apst(ctrl);
 	}
 }
 



^ permalink raw reply	[flat|nested] 153+ messages in thread

* [PATCH 5.4 141/141] ASoC: rsnd: check all BUSIF status when error
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 140/141] nvme: do not try to reconfigure APST when the controller is not live Greg Kroah-Hartman
@ 2021-05-17 14:03 ` Greg Kroah-Hartman
  2021-05-17 16:33 ` [PATCH 5.4 000/141] 5.4.120-rc1 review Florian Fainelli
                   ` (6 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Greg Kroah-Hartman @ 2021-05-17 14:03 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Kuninori Morimoto, Mark Brown

From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>

commit a4856e15e58b54977f1c0c0299309ad4d1f13365 upstream.

commit 66c705d07d784 ("SoC: rsnd: add interrupt support for SSI BUSIF
buffer") adds __rsnd_ssi_interrupt() checks for BUSIF status,
but is using "break" at for loop.
This means it is not checking all status. Let's check all BUSIF status.

Fixes: commit 66c705d07d784 ("SoC: rsnd: add interrupt support for SSI BUSIF buffer")
Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
Link: https://lore.kernel.org/r/874kgh1jsw.wl-kuninori.morimoto.gx@renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/soc/sh/rcar/ssi.c |    2 --
 1 file changed, 2 deletions(-)

--- a/sound/soc/sh/rcar/ssi.c
+++ b/sound/soc/sh/rcar/ssi.c
@@ -797,7 +797,6 @@ static void __rsnd_ssi_interrupt(struct
 						       SSI_SYS_STATUS(i * 2),
 						       0xf << (id * 4));
 					stop = true;
-					break;
 				}
 			}
 			break;
@@ -815,7 +814,6 @@ static void __rsnd_ssi_interrupt(struct
 						SSI_SYS_STATUS((i * 2) + 1),
 						0xf << 4);
 					stop = true;
-					break;
 				}
 			}
 			break;



^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-05-17 14:03 ` [PATCH 5.4 141/141] ASoC: rsnd: check all BUSIF status when error Greg Kroah-Hartman
@ 2021-05-17 16:33 ` Florian Fainelli
  2021-05-17 17:37 ` Jon Hunter
                   ` (5 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Florian Fainelli @ 2021-05-17 16:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, stable



On 5/17/2021 7:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-05-17 16:33 ` [PATCH 5.4 000/141] 5.4.120-rc1 review Florian Fainelli
@ 2021-05-17 17:37 ` Jon Hunter
  2021-05-17 20:18 ` Shuah Khan
                   ` (4 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Jon Hunter @ 2021-05-17 17:37 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, linux-tegra

On Mon, 17 May 2021 16:00:52 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v5.4:
    12 builds:	12 pass, 0 fail
    26 boots:	26 pass, 0 fail
    59 tests:	59 pass, 0 fail

Linux version:	5.4.120-rc1-gd406e11dbc13
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra210-p3450-0000,
                tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-05-17 17:37 ` Jon Hunter
@ 2021-05-17 20:18 ` Shuah Khan
  2021-05-18 10:05 ` Sudip Mukherjee
                   ` (3 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Shuah Khan @ 2021-05-17 20:18 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 5/17/21 8:00 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-05-17 20:18 ` Shuah Khan
@ 2021-05-18 10:05 ` Sudip Mukherjee
  2021-05-18 10:30 ` Naresh Kamboju
                   ` (2 subsequent siblings)
  147 siblings, 0 replies; 153+ messages in thread
From: Sudip Mukherjee @ 2021-05-18 10:05 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

Hi Greg,

On Mon, May 17, 2021 at 04:00:52PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.

Build test:
mips (gcc version 11.1.1 20210430): 65 configs -> no failure
arm (gcc version 11.1.1 20210430): 107 configs -> no new failure
x86_64 (gcc version 10.2.1 20210110): 2 configs -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression.

Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>

--
Regards
Sudip


^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-05-18 10:05 ` Sudip Mukherjee
@ 2021-05-18 10:30 ` Naresh Kamboju
  2021-05-18 12:13 ` Samuel Zou
  2021-05-18 21:19 ` Guenter Roeck
  147 siblings, 0 replies; 153+ messages in thread
From: Naresh Kamboju @ 2021-05-18 10:30 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, lkft-triage, Pavel Machek, Jon Hunter,
	Florian Fainelli, linux-stable

On Mon, 17 May 2021 at 19:33, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.4.120-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-5.4.y
* git commit: d406e11dbc1324e375ab1f7c4669abc3cbd994f4
* git describe: v5.4.119-142-gd406e11dbc13
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.119-142-gd406e11dbc13

## No regressions (compared to v5.4.119)

## Fixes (compared to v5.4.119)
* arm, build
  - clang-10-axm55xx_defconfig
  - clang-11-axm55xx_defconfig
  - clang-12-axm55xx_defconfig
  - gcc-10-axm55xx_defconfig
  - gcc-8-axm55xx_defconfig
  - gcc-9-axm55xx_defconfig


* mips, build
  - clang-10-allnoconfig
  - clang-10-defconfig
  - clang-10-tinyconfig
  - clang-11-allnoconfig
  - clang-11-defconfig
  - clang-11-tinyconfig
  - clang-12-allnoconfig
  - clang-12-defconfig
  - clang-12-tinyconfig

## Test result summary
 total: 66208, pass: 53791, fail: 1226, skip: 10340, xfail: 851,

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 192 total, 192 passed, 0 failed
* arm64: 26 total, 26 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 15 total, 15 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 45 total, 45 passed, 0 failed
* parisc: 9 total, 9 passed, 0 failed
* powerpc: 27 total, 27 passed, 0 failed
* riscv: 21 total, 21 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 18 total, 18 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 26 total, 26 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* install-android-platform-tools-r2600
* kselftest-android
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-05-18 10:30 ` Naresh Kamboju
@ 2021-05-18 12:13 ` Samuel Zou
  2021-05-18 21:19 ` Guenter Roeck
  147 siblings, 0 replies; 153+ messages in thread
From: Samuel Zou @ 2021-05-18 12:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable



On 2021/5/17 22:00, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.120-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Tested on arm64 and x86 for 5.4.120-rc1,

Kernel repo:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
Branch: linux-5.4.y
Version: 5.4.120-rc1
Commit: d406e11dbc1324e375ab1f7c4669abc3cbd994f4
Compiler: gcc version 7.3.0 (GCC)

arm64:
--------------------------------------------------------------------
Testcase Result Summary:
total: 8895
passed: 8895
failed: 0
timeout: 0
--------------------------------------------------------------------

x86:
--------------------------------------------------------------------
Testcase Result Summary:
total: 8895
passed: 8895
failed: 0
timeout: 0
--------------------------------------------------------------------

Tested-by: Hulk Robot <hulkrobot@huawei.com>

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 000/141] 5.4.120-rc1 review
  2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-05-18 12:13 ` Samuel Zou
@ 2021-05-18 21:19 ` Guenter Roeck
  147 siblings, 0 replies; 153+ messages in thread
From: Guenter Roeck @ 2021-05-18 21:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, May 17, 2021 at 04:00:52PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.120 release.
> There are 141 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 19 May 2021 14:02:20 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 157 pass: 157 fail: 0
Qemu test results:
	total: 428 pass: 428 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  2021-05-17 14:01 ` [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
@ 2021-05-20  6:16   ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2021-05-20  6:27     ` gregkh
  0 siblings, 1 reply; 153+ messages in thread
From: Rantala, Tommi T. (Nokia - FI/Espoo) @ 2021-05-20  6:16 UTC (permalink / raw)
  To: gregkh, linux-kernel; +Cc: sashal, stable, edumazet, davem

On Mon, 2021-05-17 at 16:01 +0200, Greg Kroah-Hartman wrote:
From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]

Hi Greg,

There's fixup to this commit, hit the "unregister_netdevice" problems in 5.4.120
while running kernel selftests.

(also check the "Fixes:" tags, I think not all of them were yet included in 5.4.y)


  commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf
  Author: Eric Dumazet <edumazet@google.com>
  Date:   Wed Mar 31 14:38:11 2021 -0700

    ipv6: remove extra dev_hold() for fallback tunnels
    
    My previous commits added a dev_hold() in tunnels ndo_init(),
    but forgot to remove it from special functions setting up fallback tunnels.
    
    Fallback tunnels do call their respective ndo_init()
    
    This leads to various reports like :
    
    unregister_netdevice: waiting for ip6gre0 to become free. Usage count = 2
    
    Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods")
    Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods")
    Fixes: 40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods")
    Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods")
    Signed-off-by: Eric Dumazet <edumazet@google.com>
    Reported-by: syzbot <syzkaller@googlegroups.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>



After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
a warning [1]

Issue here is that:

- all dev_put() should be paired with a corresponding prior dev_hold().

- A driver doing a dev_put() in its ndo_uninit() MUST also
  do a dev_hold() in its ndo_init(), only when ndo_init()
  is returning 0.

Otherwise, register_netdevice() would call ndo_uninit()
in its error path and release a refcount too soon.

Therefore, we need to move dev_hold() call from
vti6_tnl_create2() to vti6_dev_init_gen()

[1]
WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31
refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
Modules linked in:
CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd
48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8
13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
FS:  00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 __refcount_dec include/linux/refcount.h:344 [inline]
 refcount_dec include/linux/refcount.h:359 [inline]
 dev_put include/linux/netdevice.h:4135 [inline]
 vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
 register_netdevice+0xadf/0x1500 net/core/dev.c:10308
 vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
 vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
 __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x331/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmmsg+0x195/0x470 net/socket.c:2490
 __do_sys_sendmmsg net/socket.c:2519 [inline]
 __se_sys_sendmmsg net/socket.c:2516 [inline]
 __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_vti.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
index cc6180e08a4f..01ddb0f70c57 100644
--- a/net/ipv6/ip6_vti.c
+++ b/net/ipv6/ip6_vti.c
@@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev)
 
        strcpy(t->parms.name, dev->name);
 
-       dev_hold(dev);
        vti6_tnl_link(ip6n, t);
 
        return 0;
@@ -921,6 +920,7 @@ static inline int vti6_dev_init_gen(struct net_device
*dev)
        dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
        if (!dev->tstats)
                return -ENOMEM;
+       dev_hold(dev);
        return 0;
 }
 

^ permalink raw reply related	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  2021-05-20  6:16   ` Rantala, Tommi T. (Nokia - FI/Espoo)
@ 2021-05-20  6:27     ` gregkh
  2021-05-20  7:55       ` Rantala, Tommi T. (Nokia - FI/Espoo)
  0 siblings, 1 reply; 153+ messages in thread
From: gregkh @ 2021-05-20  6:27 UTC (permalink / raw)
  To: Rantala, Tommi T. (Nokia - FI/Espoo)
  Cc: linux-kernel, sashal, stable, edumazet, davem

On Thu, May 20, 2021 at 06:16:11AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> On Mon, 2021-05-17 at 16:01 +0200, Greg Kroah-Hartman wrote:
> From: Eric Dumazet <edumazet@google.com>
> 
> [ Upstream commit 40cb881b5aaa0b69a7d93dec8440d5c62dae299f ]
> 
> Hi Greg,
> 
> There's fixup to this commit, hit the "unregister_netdevice" problems in 5.4.120
> while running kernel selftests.
> 
> (also check the "Fixes:" tags, I think not all of them were yet included in 5.4.y)
> 
> 
>   commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf
>   Author: Eric Dumazet <edumazet@google.com>
>   Date:   Wed Mar 31 14:38:11 2021 -0700
> 
>     ipv6: remove extra dev_hold() for fallback tunnels
>     
>     My previous commits added a dev_hold() in tunnels ndo_init(),
>     but forgot to remove it from special functions setting up fallback tunnels.
>     
>     Fallback tunnels do call their respective ndo_init()
>     
>     This leads to various reports like :
>     
>     unregister_netdevice: waiting for ip6gre0 to become free. Usage count = 2
>     
>     Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods")
>     Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init methods")
>     Fixes: 40cb881b5aaa ("ip6_vti: proper dev_{hold|put} in ndo_[un]init methods")
>     Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init methods")
>     Signed-off-by: Eric Dumazet <edumazet@google.com>
>     Reported-by: syzbot <syzkaller@googlegroups.com>
>     Signed-off-by: David S. Miller <davem@davemloft.net>
> 
> 
> 
> After adopting CONFIG_PCPU_DEV_REFCNT=n option, syzbot was able to trigger
> a warning [1]
> 
> Issue here is that:
> 
> - all dev_put() should be paired with a corresponding prior dev_hold().
> 
> - A driver doing a dev_put() in its ndo_uninit() MUST also
>   do a dev_hold() in its ndo_init(), only when ndo_init()
>   is returning 0.
> 
> Otherwise, register_netdevice() would call ndo_uninit()
> in its error path and release a refcount too soon.
> 
> Therefore, we need to move dev_hold() call from
> vti6_tnl_create2() to vti6_dev_init_gen()
> 
> [1]
> WARNING: CPU: 0 PID: 15951 at lib/refcount.c:31
> refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
> Modules linked in:
> CPU: 0 PID: 15951 Comm: syz-executor.3 Not tainted 5.12.0-rc4-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:refcount_warn_saturate+0xbf/0x1e0 lib/refcount.c:31
> Code: 1d 6a 5a e8 09 31 ff 89 de e8 8d 1a ab fd 84 db 75 e0 e8 d4 13 ab fd
> 48 c7 c7 a0 e1 c1 89 c6 05 4a 5a e8 09 01 e8 2e 36 fb 04 <0f> 0b eb c4 e8 b8
> 13 ab fd 0f b6 1d 39 5a e8 09 31 ff 89 de e8 58
> RSP: 0018:ffffc90001eaef28 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
> RDX: 0000000000040000 RSI: ffffffff815c51f5 RDI: fffff520003d5dd7
> RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
> R10: ffffffff815bdf8e R11: 0000000000000000 R12: ffff88801bb1c568
> R13: ffff88801f69e800 R14: 00000000ffffffff R15: ffff888050889d40
> FS:  00007fc79314e700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00007f1c1ff47108 CR3: 0000000020fd5000 CR4: 00000000001506f0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  __refcount_dec include/linux/refcount.h:344 [inline]
>  refcount_dec include/linux/refcount.h:359 [inline]
>  dev_put include/linux/netdevice.h:4135 [inline]
>  vti6_dev_uninit+0x31a/0x360 net/ipv6/ip6_vti.c:297
>  register_netdevice+0xadf/0x1500 net/core/dev.c:10308
>  vti6_tnl_create2+0x1b5/0x400 net/ipv6/ip6_vti.c:190
>  vti6_newlink+0x9d/0xd0 net/ipv6/ip6_vti.c:1020
>  __rtnl_newlink+0x1062/0x1710 net/core/rtnetlink.c:3443
>  rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3491
>  rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
>  netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
>  netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
>  netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
>  netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
>  sock_sendmsg_nosec net/socket.c:654 [inline]
>  sock_sendmsg+0xcf/0x120 net/socket.c:674
>  ____sys_sendmsg+0x331/0x810 net/socket.c:2350
>  ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
>  __sys_sendmmsg+0x195/0x470 net/socket.c:2490
>  __do_sys_sendmmsg net/socket.c:2519 [inline]
>  __se_sys_sendmmsg net/socket.c:2516 [inline]
>  __x64_sys_sendmmsg+0x99/0x100 net/socket.c:2516
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
>  net/ipv6/ip6_vti.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/ipv6/ip6_vti.c b/net/ipv6/ip6_vti.c
> index cc6180e08a4f..01ddb0f70c57 100644
> --- a/net/ipv6/ip6_vti.c
> +++ b/net/ipv6/ip6_vti.c
> @@ -192,7 +192,6 @@ static int vti6_tnl_create2(struct net_device *dev)
>  
>         strcpy(t->parms.name, dev->name);
>  
> -       dev_hold(dev);
>         vti6_tnl_link(ip6n, t);
>  
>         return 0;
> @@ -921,6 +920,7 @@ static inline int vti6_dev_init_gen(struct net_device
> *dev)
>         dev->tstats = netdev_alloc_pcpu_stats(struct pcpu_sw_netstats);
>         if (!dev->tstats)
>                 return -ENOMEM;
> +       dev_hold(dev);
>         return 0;
>  }
>  

I do not understand, what needs to be done here?

greg k-h

^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  2021-05-20  6:27     ` gregkh
@ 2021-05-20  7:55       ` Rantala, Tommi T. (Nokia - FI/Espoo)
  2021-05-20  8:31         ` gregkh
  0 siblings, 1 reply; 153+ messages in thread
From: Rantala, Tommi T. (Nokia - FI/Espoo) @ 2021-05-20  7:55 UTC (permalink / raw)
  To: gregkh; +Cc: sashal, stable, edumazet, linux-kernel, davem

> I do not understand, what needs to be done here?

Sorry, email formatting got somehow messed up.

Please cherry-pick this to 5.4.y:

  commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf
  Author: Eric Dumazet <edumazet@google.com>
  Date:   Wed Mar 31 14:38:11 2021 -0700

    ipv6: remove extra dev_hold() for fallback tunnels
    

And these:

    Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in
ndo_[un]init methods")
    Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init
methods")
    Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init
methods")


-Tommi



^ permalink raw reply	[flat|nested] 153+ messages in thread

* Re: [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
  2021-05-20  7:55       ` Rantala, Tommi T. (Nokia - FI/Espoo)
@ 2021-05-20  8:31         ` gregkh
  0 siblings, 0 replies; 153+ messages in thread
From: gregkh @ 2021-05-20  8:31 UTC (permalink / raw)
  To: Rantala, Tommi T. (Nokia - FI/Espoo)
  Cc: sashal, stable, edumazet, linux-kernel, davem

On Thu, May 20, 2021 at 07:55:49AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> > I do not understand, what needs to be done here?
> 
> Sorry, email formatting got somehow messed up.
> 
> Please cherry-pick this to 5.4.y:
> 
>   commit 0d7a7b2014b1a499a0fe24c9f3063d7856b5aaaf
>   Author: Eric Dumazet <edumazet@google.com>
>   Date:   Wed Mar 31 14:38:11 2021 -0700
> 
>     ipv6: remove extra dev_hold() for fallback tunnels
>     
> 
> And these:
> 
>     Fixes: 48bb5697269a ("ip6_tunnel: sit: proper dev_{hold|put} in
> ndo_[un]init methods")
>     Fixes: 6289a98f0817 ("sit: proper dev_{hold|put} in ndo_[un]init
> methods")
>     Fixes: 7f700334be9a ("ip6_gre: proper dev_{hold|put} in ndo_[un]init
> methods")

Ah, that makes sense.  Tricky as the "Fixes:" tag for those other
commits were not backported because they pointed to a feature added to
debug these issues :)

now queued up.

greg k-h

^ permalink raw reply	[flat|nested] 153+ messages in thread

end of thread, other threads:[~2021-05-20  8:31 UTC | newest]

Thread overview: 153+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-17 14:00 [PATCH 5.4 000/141] 5.4.120-rc1 review Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 001/141] tpm: fix error return code in tpm2_get_cc_attrs_tbl() Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 002/141] tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt() Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 003/141] tpm, tpm_tis: Reserve locality in tpm_tis_resume() Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 004/141] KVM: x86/mmu: Remove the defunct update_pte() paging hook Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 005/141] PM: runtime: Fix unpaired parent child_count for force_resume Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 006/141] fs: dlm: fix debugfs dump Greg Kroah-Hartman
2021-05-17 14:00 ` [PATCH 5.4 007/141] tipc: convert dest nodes address to network order Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 008/141] ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 009/141] net: stmmac: Set FIFO sizes for ipq806x Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 010/141] ASoC: rsnd: core: Check convert rate in rsnd_hw_params Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 011/141] i2c: bail out early when RDWR parameters are wrong Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 012/141] ALSA: hdsp: dont disable if not enabled Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 013/141] ALSA: hdspm: " Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 014/141] ALSA: rme9652: " Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 015/141] ALSA: bebob: enable to deliver MIDI messages for multiple ports Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 016/141] Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 017/141] Bluetooth: initialize skb_queue_head at l2cap_chan_create() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 018/141] net: bridge: when suppression is enabled exclude RARP packets Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 019/141] Bluetooth: check for zapped sk before connecting Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 020/141] ip6_vti: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
2021-05-20  6:16   ` Rantala, Tommi T. (Nokia - FI/Espoo)
2021-05-20  6:27     ` gregkh
2021-05-20  7:55       ` Rantala, Tommi T. (Nokia - FI/Espoo)
2021-05-20  8:31         ` gregkh
2021-05-17 14:01 ` [PATCH 5.4 021/141] ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 022/141] i2c: Add I2C_AQ_NO_REP_START adapter quirk Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 023/141] mac80211: clear the beacons CRC after channel switch Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 024/141] pinctrl: samsung: use int for register masks in Exynos Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 025/141] mt76: mt76x0: disable GTK offloading Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 026/141] cuse: prevent clone Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 027/141] ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 028/141] Revert "iommu/amd: Fix performance counter initialization" Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 029/141] iommu/amd: Remove performance counter pre-initialization test Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 030/141] drm/amd/display: Force vsync flip when reconfiguring MPCC Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 031/141] selftests: Set CC to clang in lib.mk if LLVM is set Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 032/141] kconfig: nconf: stop endless search loops Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 033/141] ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 034/141] sctp: Fix out-of-bounds warning in sctp_process_asconf_param() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 035/141] flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 036/141] powerpc/smp: Set numa node before updating mask Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 037/141] ASoC: rt286: Generalize support for ALC3263 codec Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 038/141] ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 039/141] net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 040/141] samples/bpf: Fix broken tracex1 due to kprobe argument change Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 041/141] powerpc/pseries: Stop calling printk in rtas_stop_self() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 042/141] drm/amd/display: fixed divide by zero kernel crash during dsc enablement Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 043/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 044/141] wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 045/141] qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 046/141] powerpc/iommu: Annotate nested lock for lockdep Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 047/141] iavf: remove duplicate free resources calls Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 048/141] net: ethernet: mtk_eth_soc: fix RX VLAN offload Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 049/141] bnxt_en: Add PCI IDs for Hyper-V VF devices Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 050/141] ia64: module: fix symbolizer crash on fdescr Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 051/141] ASoC: rt286: Make RT286_SET_GPIO_* readable and writable Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 052/141] thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 053/141] f2fs: fix a redundant call to f2fs_balance_fs if an error occurs Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 054/141] PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 055/141] PCI: Release OF node in pci_scan_device()s error path Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 056/141] ARM: 9064/1: hw_breakpoint: Do not directly check the events overflow_handler hook Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 057/141] rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 058/141] NFSv4.2: Always flush out writes in nfs42_proc_fallocate() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 059/141] NFS: Deal correctly with attribute generation counter overflow Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 060/141] PCI: endpoint: Fix missing destroy_workqueue() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 061/141] pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 062/141] NFSv4.2 fix handling of sr_eof in SEEKs reply Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 063/141] rtc: fsl-ftm-alarm: add MODULE_TABLE() Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 064/141] ceph: fix inode leak on getattr error in __fh_to_dentry Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 065/141] rtc: ds1307: Fix wday settings for rx8130 Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 066/141] net: hns3: fix incorrect configuration for igu_egu_hw_err Greg Kroah-Hartman
2021-05-17 14:01 ` [PATCH 5.4 067/141] net: hns3: initialize the message content in hclge_get_link_mode() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 068/141] net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 069/141] net: hns3: fix for vxlan gpe tx checksum bug Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 070/141] net: hns3: use netif_tx_disable to stop the transmit queue Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 071/141] net: hns3: disable phy loopback setting in hclge_mac_start_phy Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 072/141] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 073/141] RISC-V: Fix error code returned by riscv_hartid_to_cpuid() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 074/141] sunrpc: Fix misplaced barrier in call_decode Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 075/141] ethernet:enic: Fix a use after free bug in enic_hard_start_xmit Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 076/141] sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 077/141] netfilter: xt_SECMARK: add new revision to fix structure layout Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 078/141] drm/radeon: Fix off-by-one power_state index heap overwrite Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 079/141] drm/radeon: Avoid power table parsing memory leaks Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 080/141] khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 081/141] mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 082/141] mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 083/141] ksm: fix potential missing rmap_item for stable_node Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 084/141] net: fix nla_strcmp to handle more then one trailing null character Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 085/141] smc: disallow TCP_ULP in smc_setsockopt() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 086/141] netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 087/141] can: m_can: m_can_tx_work_queue(): fix tx_skb race condition Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 088/141] sched: Fix out-of-bound access in uclamp Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 089/141] sched/fair: Fix unfairness caused by missing load decay Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 090/141] kernel: kexec_file: fix error return code of kexec_calculate_store_digests() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 091/141] netfilter: nftables: avoid overflows in nft_hash_buckets() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 092/141] i40e: Fix use-after-free in i40e_client_subtask() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 093/141] i40e: fix the restart auto-negotiation after FEC modified Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 094/141] i40e: Fix PHY type identifiers for 2.5G and 5G adapters Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 095/141] ARC: entry: fix off-by-one error in syscall number validation Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 096/141] ARC: mm: PAE: use 40-bit physical page mask Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 097/141] powerpc/64s: Fix crashes when toggling stf barrier Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 098/141] powerpc/64s: Fix crashes when toggling entry flush barrier Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 099/141] hfsplus: prevent corruption in shrinking truncate Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 100/141] squashfs: fix divide error in calculate_skip() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 101/141] userfaultfd: release page in error path to avoid BUG_ON Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 102/141] mm/hugetlb: fix F_SEAL_FUTURE_WRITE Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 103/141] drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 104/141] drm/i915: Avoid div-by-zero on gen2 Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 105/141] iio: proximity: pulsedlight: Fix rumtime PM imbalance on error Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 106/141] usb: fotg210-hcd: Fix an error message Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 107/141] hwmon: (occ) Fix poll rate limiting Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 108/141] ACPI: scan: Fix a memory leak in an error handling path Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 109/141] kyber: fix out of bounds access when preempted Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 110/141] nbd: Fix NULL pointer in flush_workqueue Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 111/141] blk-mq: Swap two calls in blk_mq_exit_queue() Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 112/141] iomap: fix sub-page uptodate handling Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 113/141] usb: dwc3: omap: improve extcon initialization Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 114/141] usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 115/141] usb: xhci: Increase timeout for HC halt Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 116/141] usb: dwc2: Fix gadget DMA unmap direction Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 117/141] usb: core: hub: fix race condition about TRSMRCY of resume Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 118/141] usb: dwc3: gadget: Return success always for kick transfer in ep queue Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 119/141] xhci: Do not use GFP_KERNEL in (potentially) atomic context Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 120/141] xhci: Add reset resume quirk for AMD xhci controller Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 121/141] iio: gyro: mpu3050: Fix reported temperature value Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 122/141] iio: tsl2583: Fix division by a zero lux_val Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 123/141] cdc-wdm: untangle a circular dependency between callback and softint Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 124/141] KVM: x86: Cancel pvclock_gtod_work on module removal Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 125/141] mm: fix struct page layout on 32-bit systems Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 126/141] FDDI: defxx: Make MMIO the configuration default except for EISA Greg Kroah-Hartman
2021-05-17 14:02 ` [PATCH 5.4 127/141] MIPS: Reinstate platform `__div64_32 handler Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 128/141] MIPS: Avoid DIVU in `__div64_32 is result would be zero Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 129/141] MIPS: Avoid handcoded DIVU in `__div64_32 altogether Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 130/141] thermal/core/fair share: Lock the thermal zone while looping over instances Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 131/141] f2fs: fix error handling in f2fs_end_enable_verity() Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 132/141] ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 133/141] ARM: 9012/1: move device tree mapping out of linear region Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 134/141] ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 135/141] ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 136/141] usb: typec: tcpm: Fix error while calculating PPS out values Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 137/141] kobject_uevent: remove warning in init_uevent_argv() Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 138/141] netfilter: conntrack: Make global sysctls readonly in non-init netns Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 139/141] clk: exynos7: Mark aclk_fsys1_200 as critical Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 140/141] nvme: do not try to reconfigure APST when the controller is not live Greg Kroah-Hartman
2021-05-17 14:03 ` [PATCH 5.4 141/141] ASoC: rsnd: check all BUSIF status when error Greg Kroah-Hartman
2021-05-17 16:33 ` [PATCH 5.4 000/141] 5.4.120-rc1 review Florian Fainelli
2021-05-17 17:37 ` Jon Hunter
2021-05-17 20:18 ` Shuah Khan
2021-05-18 10:05 ` Sudip Mukherjee
2021-05-18 10:30 ` Naresh Kamboju
2021-05-18 12:13 ` Samuel Zou
2021-05-18 21:19 ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.