All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 5.4 00/78] 5.4.125-rc1 review
@ 2021-06-08 18:26 Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 01/78] btrfs: tree-checker: do not error out if extent ref hash doesnt match Greg Kroah-Hartman
                   ` (83 more replies)
  0 siblings, 84 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.4.125 release.
There are 78 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.125-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.4.125-rc1

David Ahern <dsahern@kernel.org>
    neighbour: allow NUD_NOARP entries to be forced GCed

Roja Rani Yarubandi <rojay@codeaurora.org>
    i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops

Jan Beulich <jbeulich@suse.com>
    xen-pciback: redo VF placement in the virtual topology

Gao Xiang <hsiangkao@redhat.com>
    lib/lz4: explicitly support in-place decompression

Vitaly Kuznetsov <vkuznets@redhat.com>
    x86/kvm: Disable all PV features on crash

Vitaly Kuznetsov <vkuznets@redhat.com>
    x86/kvm: Disable kvmclock on all CPUs on shutdown

Vitaly Kuznetsov <vkuznets@redhat.com>
    x86/kvm: Teardown PV features on boot CPU as well

Marc Zyngier <maz@kernel.org>
    KVM: arm64: Fix debug register indexing

Sean Christopherson <seanjc@google.com>
    KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode

Anand Jain <anand.jain@oracle.com>
    btrfs: fix unmountable seed device after fstrim

Matthew Wilcox (Oracle) <willy@infradead.org>
    mm/filemap: fix storing to a THP shadow entry

Matthew Wilcox (Oracle) <willy@infradead.org>
    XArray: add xas_split

Matthew Wilcox (Oracle) <willy@infradead.org>
    XArray: add xa_get_order

Matthew Wilcox (Oracle) <willy@infradead.org>
    mm: add thp_order

Michael Chan <michael.chan@broadcom.com>
    bnxt_en: Remove the setting of dev_port.

Mina Almasry <almasrymina@google.com>
    mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY

Josef Bacik <josef@toxicpanda.com>
    btrfs: fixup error handling in fixup_inode_link_counts

Josef Bacik <josef@toxicpanda.com>
    btrfs: return errors from btrfs_del_csums in cleanup_ref_head

Josef Bacik <josef@toxicpanda.com>
    btrfs: fix error handling in btrfs_del_csums

Josef Bacik <josef@toxicpanda.com>
    btrfs: mark ordered extent and inode with error if we fail to finish

Thomas Gleixner <tglx@linutronix.de>
    x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing

Nirmoy Das <nirmoy.das@amd.com>
    drm/amdgpu: make sure we unpin the UVD BO

Luben Tuikov <luben.tuikov@amd.com>
    drm/amdgpu: Don't query CE and UE errors

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect

Junxiao Bi <junxiao.bi@oracle.com>
    ocfs2: fix data corruption by fallocate

Mark Rutland <mark.rutland@arm.com>
    pid: take a reference when initializing `cad_pid`

Phil Elwell <phil@raspberrypi.com>
    usb: dwc2: Fix build in periphal-only mode

Ye Bin <yebin10@huawei.com>
    ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed

Marek Vasut <marex@denx.de>
    ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators

Michal Vokáč <michal.vokac@ysoft.com>
    ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch

Carlos M <carlos.marr.pz@gmail.com>
    ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx

Takashi Iwai <tiwai@suse.de>
    ALSA: timer: Fix master timer notification

Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
    HID: multitouch: require Finger field to mark Win8 reports as MT

Johan Hovold <johan@kernel.org>
    HID: magicmouse: fix NULL-deref on disconnect

Johnny Chuang <johnny.chuang.emc@gmail.com>
    HID: i2c-hid: Skip ELAN power-on command after reset

Pavel Skripkin <paskripkin@gmail.com>
    net: caif: fix memory leak in cfusbl_device_notify

Pavel Skripkin <paskripkin@gmail.com>
    net: caif: fix memory leak in caif_device_notify

Pavel Skripkin <paskripkin@gmail.com>
    net: caif: add proper error handling

Pavel Skripkin <paskripkin@gmail.com>
    net: caif: added cfserl_release function

Lin Ma <linma@zju.edu.cn>
    Bluetooth: use correct lock to prevent UAF of hdev object

Lin Ma <linma@zju.edu.cn>
    Bluetooth: fix the erroneous flush_work() order

Hoang Le <hoang.h.le@dektech.com.au>
    tipc: fix unique bearer names sanity check

Hoang Le <hoang.h.le@dektech.com.au>
    tipc: add extack messages for bearer/media failure

Tony Lindgren <tony@atomide.com>
    bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act

Geert Uytterhoeven <geert+renesas@glider.be>
    ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells

Fabio Estevam <festevam@gmail.com>
    ARM: dts: imx7d-pico: Fix the 'tuning-step' property

Fabio Estevam <festevam@gmail.com>
    ARM: dts: imx7d-meerkat96: Fix the 'tuning-step' property

Lucas Stach <l.stach@pengutronix.de>
    arm64: dts: zii-ultra: fix 12V_MAIN voltage

Michael Walle <michael@walle.cc>
    arm64: dts: ls1028a: fix memory node

Magnus Karlsson <magnus.karlsson@intel.com>
    i40e: add correct exception tracing for XDP

Magnus Karlsson <magnus.karlsson@intel.com>
    i40e: optimize for XDP_REDIRECT in xsk path

Roja Rani Yarubandi <rojay@codeaurora.org>
    i2c: qcom-geni: Add shutdown callback for i2c

Dave Ertman <david.m.ertman@intel.com>
    ice: Allow all LLDP packets from PF to Tx

Brett Creeley <brett.creeley@intel.com>
    ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared

Mitch Williams <mitch.a.williams@intel.com>
    ice: write register with correct offset

Coco Li <lixiaoyan@google.com>
    ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions

Magnus Karlsson <magnus.karlsson@intel.com>
    ixgbevf: add correct exception tracing for XDP

Wei Yongjun <weiyongjun1@huawei.com>
    ieee802154: fix error return code in ieee802154_llsec_getparams()

Zhen Lei <thunder.leizhen@huawei.com>
    ieee802154: fix error return code in ieee802154_add_iface()

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_ct: skip expectations for confirmed conntrack

Erik Kaneda <erik.kaneda@intel.com>
    ACPICA: Clean up context mutex during object deletion

Ariel Levkovich <lariel@nvidia.com>
    net/sched: act_ct: Fix ct template allocation for zone 0

Arnd Bergmann <arnd@arndb.de>
    HID: i2c-hid: fix format string mismatch

Zhen Lei <thunder.leizhen@huawei.com>
    HID: pidff: fix error return code in hid_pidff_init()

Julian Anastasov <ja@ssi.bg>
    ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service

Max Gurtovoy <mgurtovoy@nvidia.com>
    vfio/platform: fix module_put call in error flow

Wei Yongjun <weiyongjun1@huawei.com>
    samples: vfio-mdev: fix error handing in mdpy_fb_probe()

Randy Dunlap <rdunlap@infradead.org>
    vfio/pci: zap_vma_ptes() needs MMU

Zhen Lei <thunder.leizhen@huawei.com>
    vfio/pci: Fix error return code in vfio_ecap_init()

Rasmus Villemoes <linux@rasmusvillemoes.dk>
    efi: cper: fix snprintf() use in cper_dimm_err_location()

Heiner Kallweit <hkallweit1@gmail.com>
    efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared

Florian Westphal <fw@strlen.de>
    netfilter: conntrack: unregister ipv4 sockopts on error unwind

Armin Wolf <W_Armin@gmx.de>
    hwmon: (dell-smm-hwmon) Fix index values

Anant Thazhemadam <anant.thazhemadam@gmail.com>
    nl80211: validate key indexes for cfg80211_registered_device

Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
    ALSA: usb: update old-style static const declaration

Grant Grundler <grundler@chromium.org>
    net: usb: cdc_ncm: don't spew notifications

Josef Bacik <josef@toxicpanda.com>
    btrfs: tree-checker: do not error out if extent ref hash doesn't match


-------------

Diffstat:

 Documentation/core-api/xarray.rst                  |  16 +-
 Makefile                                           |   4 +-
 arch/arm/boot/dts/imx6dl-yapp4-common.dtsi         |   6 +-
 arch/arm/boot/dts/imx6q-dhcom-som.dtsi             |  12 ++
 arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi         |   2 +-
 arch/arm/boot/dts/imx7d-meerkat96.dts              |   2 +-
 arch/arm/boot/dts/imx7d-pico.dtsi                  |   2 +-
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi     |   4 +-
 .../arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi |   4 +-
 arch/arm64/kvm/sys_regs.c                          |  42 ++---
 arch/x86/include/asm/apic.h                        |   1 +
 arch/x86/include/asm/kvm_para.h                    |  10 +-
 arch/x86/kernel/apic/apic.c                        |   1 +
 arch/x86/kernel/apic/vector.c                      |  20 ++
 arch/x86/kernel/kvm.c                              |  92 ++++++---
 arch/x86/kernel/kvmclock.c                         |  26 +--
 arch/x86/kvm/svm.c                                 |   8 +-
 drivers/acpi/acpica/utdelete.c                     |   8 +
 drivers/bus/ti-sysc.c                              |   4 +-
 drivers/firmware/efi/cper.c                        |   4 +-
 drivers/firmware/efi/memattr.c                     |   5 -
 drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c            |  16 --
 drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c              |   1 +
 drivers/hid/hid-magicmouse.c                       |   2 +-
 drivers/hid/hid-multitouch.c                       |  10 +-
 drivers/hid/i2c-hid/i2c-hid-core.c                 |  13 +-
 drivers/hid/usbhid/hid-pidff.c                     |   1 +
 drivers/hwmon/dell-smm-hwmon.c                     |   4 +-
 drivers/i2c/busses/i2c-qcom-geni.c                 |  21 ++-
 drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   1 -
 drivers/net/ethernet/intel/i40e/i40e_txrx.c        |   7 +-
 drivers/net/ethernet/intel/i40e/i40e_xsk.c         |  15 +-
 drivers/net/ethernet/intel/ice/ice_hw_autogen.h    |   1 +
 drivers/net/ethernet/intel/ice/ice_txrx.c          |   5 +-
 drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c   |  14 +-
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c  |   3 +
 drivers/net/usb/cdc_ncm.c                          |  12 +-
 drivers/usb/dwc2/core_intr.c                       |   4 +
 drivers/vfio/pci/Kconfig                           |   1 +
 drivers/vfio/pci/vfio_pci_config.c                 |   2 +-
 drivers/vfio/platform/vfio_platform_common.c       |   2 +-
 drivers/xen/xen-pciback/vpci.c                     |  14 +-
 fs/btrfs/extent-tree.c                             |  12 +-
 fs/btrfs/file-item.c                               |  10 +-
 fs/btrfs/inode.c                                   |  12 ++
 fs/btrfs/tree-checker.c                            |  16 +-
 fs/btrfs/tree-log.c                                |  13 +-
 fs/ext4/extents.c                                  |  43 +++--
 fs/ocfs2/file.c                                    |  55 +++++-
 include/linux/huge_mm.h                            |  19 ++
 include/linux/usb/usbnet.h                         |   2 +
 include/linux/xarray.h                             |  22 +++
 include/net/caif/caif_dev.h                        |   2 +-
 include/net/caif/cfcnfg.h                          |   2 +-
 include/net/caif/cfserl.h                          |   1 +
 init/main.c                                        |   2 +-
 lib/lz4/lz4_decompress.c                           |   6 +-
 lib/lz4/lz4defs.h                                  |   2 +
 lib/test_xarray.c                                  |  65 +++++++
 lib/xarray.c                                       | 208 ++++++++++++++++++++-
 mm/filemap.c                                       |  37 +++-
 mm/hugetlb.c                                       |  14 +-
 net/bluetooth/hci_core.c                           |   7 +-
 net/bluetooth/hci_sock.c                           |   4 +-
 net/caif/caif_dev.c                                |  13 +-
 net/caif/caif_usb.c                                |  14 +-
 net/caif/cfcnfg.c                                  |  16 +-
 net/caif/cfserl.c                                  |   5 +
 net/core/neighbour.c                               |   1 +
 net/ieee802154/nl-mac.c                            |   4 +-
 net/ieee802154/nl-phy.c                            |   4 +-
 net/ipv6/route.c                                   |   8 +-
 net/netfilter/ipvs/ip_vs_ctl.c                     |   2 +-
 net/netfilter/nf_conntrack_proto.c                 |   2 +-
 net/netfilter/nfnetlink_cthelper.c                 |   8 +-
 net/netfilter/nft_ct.c                             |   2 +-
 net/nfc/llcp_sock.c                                |   2 +
 net/sched/act_ct.c                                 |   3 -
 net/tipc/bearer.c                                  |  94 +++++++---
 net/wireless/core.h                                |   2 +
 net/wireless/nl80211.c                             |   7 +-
 net/wireless/util.c                                |  39 +++-
 samples/vfio-mdev/mdpy-fb.c                        |  13 +-
 sound/core/timer.c                                 |   3 +-
 sound/pci/hda/patch_realtek.c                      |   1 +
 sound/usb/mixer_quirks.c                           |   2 +-
 86 files changed, 926 insertions(+), 295 deletions(-)



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 01/78] btrfs: tree-checker: do not error out if extent ref hash doesnt match
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 02/78] net: usb: cdc_ncm: dont spew notifications Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tuomas Lähdekorpi,
	Filipe Manana, Josef Bacik, David Sterba, Sasha Levin

From: Josef Bacik <josef@toxicpanda.com>

commit 1119a72e223f3073a604f8fccb3a470ccd8a4416 upstream.

The tree checker checks the extent ref hash at read and write time to
make sure we do not corrupt the file system.  Generally extent
references go inline, but if we have enough of them we need to make an
item, which looks like

key.objectid	= <bytenr>
key.type	= <BTRFS_EXTENT_DATA_REF_KEY|BTRFS_TREE_BLOCK_REF_KEY>
key.offset	= hash(tree, owner, offset)

However if key.offset collide with an unrelated extent reference we'll
simply key.offset++ until we get something that doesn't collide.
Obviously this doesn't match at tree checker time, and thus we error
while writing out the transaction.  This is relatively easy to
reproduce, simply do something like the following

  xfs_io -f -c "pwrite 0 1M" file
  offset=2

  for i in {0..10000}
  do
	  xfs_io -c "reflink file 0 ${offset}M 1M" file
	  offset=$(( offset + 2 ))
  done

  xfs_io -c "reflink file 0 17999258914816 1M" file
  xfs_io -c "reflink file 0 35998517829632 1M" file
  xfs_io -c "reflink file 0 53752752058368 1M" file

  btrfs filesystem sync

And the sync will error out because we'll abort the transaction.  The
magic values above are used because they generate hash collisions with
the first file in the main subvol.

The fix for this is to remove the hash value check from tree checker, as
we have no idea which offset ours should belong to.

Reported-by: Tuomas Lähdekorpi <tuomas.lahdekorpi@gmail.com>
Fixes: 0785a9aacf9d ("btrfs: tree-checker: Add EXTENT_DATA_REF check")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
[ add comment]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/tree-checker.c | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/fs/btrfs/tree-checker.c b/fs/btrfs/tree-checker.c
index 7d06842a3d74..368c43c6cbd0 100644
--- a/fs/btrfs/tree-checker.c
+++ b/fs/btrfs/tree-checker.c
@@ -1285,22 +1285,14 @@ static int check_extent_data_ref(struct extent_buffer *leaf,
 		return -EUCLEAN;
 	}
 	for (; ptr < end; ptr += sizeof(*dref)) {
-		u64 root_objectid;
-		u64 owner;
 		u64 offset;
-		u64 hash;
 
+		/*
+		 * We cannot check the extent_data_ref hash due to possible
+		 * overflow from the leaf due to hash collisions.
+		 */
 		dref = (struct btrfs_extent_data_ref *)ptr;
-		root_objectid = btrfs_extent_data_ref_root(leaf, dref);
-		owner = btrfs_extent_data_ref_objectid(leaf, dref);
 		offset = btrfs_extent_data_ref_offset(leaf, dref);
-		hash = hash_extent_data_ref(root_objectid, owner, offset);
-		if (hash != key->offset) {
-			extent_err(leaf, slot,
-	"invalid extent data ref hash, item has 0x%016llx key has 0x%016llx",
-				   hash, key->offset);
-			return -EUCLEAN;
-		}
 		if (!IS_ALIGNED(offset, leaf->fs_info->sectorsize)) {
 			extent_err(leaf, slot,
 	"invalid extent data backref offset, have %llu expect aligned to %u",
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 02/78] net: usb: cdc_ncm: dont spew notifications
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 01/78] btrfs: tree-checker: do not error out if extent ref hash doesnt match Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 03/78] ALSA: usb: update old-style static const declaration Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Grant Grundler, Hayes Wang,
	Jakub Kicinski, Sasha Levin

From: Grant Grundler <grundler@chromium.org>

[ Upstream commit de658a195ee23ca6aaffe197d1d2ea040beea0a2 ]

RTL8156 sends notifications about every 32ms.
Only display/log notifications when something changes.

This issue has been reported by others:
	https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1832472
	https://lkml.org/lkml/2020/8/27/1083

...
[785962.779840] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[785962.929944] usb 1-1: New USB device found, idVendor=0bda, idProduct=8156, bcdDevice=30.00
[785962.929949] usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=6
[785962.929952] usb 1-1: Product: USB 10/100/1G/2.5G LAN
[785962.929954] usb 1-1: Manufacturer: Realtek
[785962.929956] usb 1-1: SerialNumber: 000000001
[785962.991755] usbcore: registered new interface driver cdc_ether
[785963.017068] cdc_ncm 1-1:2.0: MAC-Address: 00:24:27:88:08:15
[785963.017072] cdc_ncm 1-1:2.0: setting rx_max = 16384
[785963.017169] cdc_ncm 1-1:2.0: setting tx_max = 16384
[785963.017682] cdc_ncm 1-1:2.0 usb0: register 'cdc_ncm' at usb-0000:00:14.0-1, CDC NCM, 00:24:27:88:08:15
[785963.019211] usbcore: registered new interface driver cdc_ncm
[785963.023856] usbcore: registered new interface driver cdc_wdm
[785963.025461] usbcore: registered new interface driver cdc_mbim
[785963.038824] cdc_ncm 1-1:2.0 enx002427880815: renamed from usb0
[785963.089586] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
[785963.121673] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
[785963.153682] cdc_ncm 1-1:2.0 enx002427880815: network connection: disconnected
...

This is about 2KB per second and will overwrite all contents of a 1MB
dmesg buffer in under 10 minutes rendering them useless for debugging
many kernel problems.

This is also an extra 180 MB/day in /var/logs (or 1GB per week) rendering
the majority of those logs useless too.

When the link is up (expected state), spew amount is >2x higher:
...
[786139.600992] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
[786139.632997] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
[786139.665097] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
[786139.697100] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
[786139.729094] cdc_ncm 2-1:2.0 enx002427880815: network connection: connected
[786139.761108] cdc_ncm 2-1:2.0 enx002427880815: 2500 mbit/s downlink 2500 mbit/s uplink
...

Chrome OS cannot support RTL8156 until this is fixed.

Signed-off-by: Grant Grundler <grundler@chromium.org>
Reviewed-by: Hayes Wang <hayeswang@realtek.com>
Link: https://lore.kernel.org/r/20210120011208.3768105-1-grundler@chromium.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/cdc_ncm.c  | 12 +++++++++++-
 include/linux/usb/usbnet.h |  2 ++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index cbe7f35eac98..0646bcd26968 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -1589,6 +1589,15 @@ cdc_ncm_speed_change(struct usbnet *dev,
 	uint32_t rx_speed = le32_to_cpu(data->DLBitRRate);
 	uint32_t tx_speed = le32_to_cpu(data->ULBitRate);
 
+	/* if the speed hasn't changed, don't report it.
+	 * RTL8156 shipped before 2021 sends notification about every 32ms.
+	 */
+	if (dev->rx_speed == rx_speed && dev->tx_speed == tx_speed)
+		return;
+
+	dev->rx_speed = rx_speed;
+	dev->tx_speed = tx_speed;
+
 	/*
 	 * Currently the USB-NET API does not support reporting the actual
 	 * device speed. Do print it instead.
@@ -1629,7 +1638,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb)
 		 * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be
 		 * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE.
 		 */
-		usbnet_link_change(dev, !!event->wValue, 0);
+		if (netif_carrier_ok(dev->net) != !!event->wValue)
+			usbnet_link_change(dev, !!event->wValue, 0);
 		break;
 
 	case USB_CDC_NOTIFY_SPEED_CHANGE:
diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h
index d8860f2d0976..fc6ed1311589 100644
--- a/include/linux/usb/usbnet.h
+++ b/include/linux/usb/usbnet.h
@@ -83,6 +83,8 @@ struct usbnet {
 #		define EVENT_LINK_CHANGE	11
 #		define EVENT_SET_RX_MODE	12
 #		define EVENT_NO_IP_ALIGN	13
+	u32			rx_speed;	/* in bps - NOT Mbps */
+	u32			tx_speed;	/* in bps - NOT Mbps */
 };
 
 static inline struct usb_driver *driver_of(struct usb_interface *intf)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 03/78] ALSA: usb: update old-style static const declaration
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 01/78] btrfs: tree-checker: do not error out if extent ref hash doesnt match Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 02/78] net: usb: cdc_ncm: dont spew notifications Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 04/78] nl80211: validate key indexes for cfg80211_registered_device Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pierre-Louis Bossart, Takashi Iwai,
	Sasha Levin

From: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>

[ Upstream commit ff40e0d41af19e36b43693fcb9241b4a6795bb44 ]

GCC reports the following warning with W=1

sound/usb/mixer_quirks.c: In function ‘snd_microii_controls_create’:
sound/usb/mixer_quirks.c:1694:2: warning: ‘static’ is not at beginning
of declaration [-Wold-style-declaration]
 1694 |  const static usb_mixer_elem_resume_func_t resume_funcs[] = {
      |  ^~~~~

Move static to the beginning of declaration

Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20200111214736.3002-3-pierre-louis.bossart@linux.intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/usb/mixer_quirks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index 5251818e10d3..d926869c031b 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1697,7 +1697,7 @@ static struct snd_kcontrol_new snd_microii_mixer_spdif[] = {
 static int snd_microii_controls_create(struct usb_mixer_interface *mixer)
 {
 	int err, i;
-	const static usb_mixer_elem_resume_func_t resume_funcs[] = {
+	static const usb_mixer_elem_resume_func_t resume_funcs[] = {
 		snd_microii_spdif_default_update,
 		NULL,
 		snd_microii_spdif_switch_update
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 04/78] nl80211: validate key indexes for cfg80211_registered_device
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 03/78] ALSA: usb: update old-style static const declaration Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 05/78] hwmon: (dell-smm-hwmon) Fix index values Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+49d4cab497c2142ee170,
	Johannes Berg, Anant Thazhemadam, Johannes Berg, Zubin Mithra,
	Sasha Levin

From: Anant Thazhemadam <anant.thazhemadam@gmail.com>

commit 2d9463083ce92636a1bdd3e30d1236e3e95d859e upstream

syzbot discovered a bug in which an OOB access was being made because
an unsuitable key_idx value was wrongly considered to be acceptable
while deleting a key in nl80211_del_key().

Since we don't know the cipher at the time of deletion, if
cfg80211_validate_key_settings() were to be called directly in
nl80211_del_key(), even valid keys would be wrongly determined invalid,
and deletion wouldn't occur correctly.
For this reason, a new function - cfg80211_valid_key_idx(), has been
created, to determine if the key_idx value provided is valid or not.
cfg80211_valid_key_idx() is directly called in 2 places -
nl80211_del_key(), and cfg80211_validate_key_settings().

Reported-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Tested-by: syzbot+49d4cab497c2142ee170@syzkaller.appspotmail.com
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
Link: https://lore.kernel.org/r/20201204215825.129879-1-anant.thazhemadam@gmail.com
Cc: stable@vger.kernel.org
[also disallow IGTK key IDs if no IGTK cipher is supported]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/core.h    |  2 ++
 net/wireless/nl80211.c |  7 ++++---
 net/wireless/util.c    | 39 ++++++++++++++++++++++++++++++++++++++-
 3 files changed, 44 insertions(+), 4 deletions(-)

diff --git a/net/wireless/core.h b/net/wireless/core.h
index d83c8e009448..17621d22fb17 100644
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -433,6 +433,8 @@ void cfg80211_sme_abandon_assoc(struct wireless_dev *wdev);
 
 /* internal helpers */
 bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher);
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise);
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr);
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 5bb2316befb9..7b170ed6923e 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -3979,9 +3979,6 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
 	if (err)
 		return err;
 
-	if (key.idx < 0)
-		return -EINVAL;
-
 	if (info->attrs[NL80211_ATTR_MAC])
 		mac_addr = nla_data(info->attrs[NL80211_ATTR_MAC]);
 
@@ -3997,6 +3994,10 @@ static int nl80211_del_key(struct sk_buff *skb, struct genl_info *info)
 	    key.type != NL80211_KEYTYPE_GROUP)
 		return -EINVAL;
 
+	if (!cfg80211_valid_key_idx(rdev, key.idx,
+				    key.type == NL80211_KEYTYPE_PAIRWISE))
+		return -EINVAL;
+
 	if (!rdev->ops->del_key)
 		return -EOPNOTSUPP;
 
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 82244e2fc1f5..4eae6ad32851 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -229,11 +229,48 @@ bool cfg80211_supported_cipher_suite(struct wiphy *wiphy, u32 cipher)
 	return false;
 }
 
+static bool
+cfg80211_igtk_cipher_supported(struct cfg80211_registered_device *rdev)
+{
+	struct wiphy *wiphy = &rdev->wiphy;
+	int i;
+
+	for (i = 0; i < wiphy->n_cipher_suites; i++) {
+		switch (wiphy->cipher_suites[i]) {
+		case WLAN_CIPHER_SUITE_AES_CMAC:
+		case WLAN_CIPHER_SUITE_BIP_CMAC_256:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_128:
+		case WLAN_CIPHER_SUITE_BIP_GMAC_256:
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool cfg80211_valid_key_idx(struct cfg80211_registered_device *rdev,
+			    int key_idx, bool pairwise)
+{
+	int max_key_idx;
+
+	if (pairwise)
+		max_key_idx = 3;
+	else if (cfg80211_igtk_cipher_supported(rdev))
+		max_key_idx = 5;
+	else
+		max_key_idx = 3;
+
+	if (key_idx < 0 || key_idx > max_key_idx)
+		return false;
+
+	return true;
+}
+
 int cfg80211_validate_key_settings(struct cfg80211_registered_device *rdev,
 				   struct key_params *params, int key_idx,
 				   bool pairwise, const u8 *mac_addr)
 {
-	if (key_idx < 0 || key_idx > 5)
+	if (!cfg80211_valid_key_idx(rdev, key_idx, pairwise))
 		return -EINVAL;
 
 	if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 05/78] hwmon: (dell-smm-hwmon) Fix index values
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 04/78] nl80211: validate key indexes for cfg80211_registered_device Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 06/78] netfilter: conntrack: unregister ipv4 sockopts on error unwind Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Armin Wolf, Pali Rohár,
	Guenter Roeck, Sasha Levin

From: Armin Wolf <W_Armin@gmx.de>

[ Upstream commit 35d470b5fbc9f82feb77b56bb0d5d0b5cd73e9da ]

When support for up to 10 temp sensors and for disabling automatic BIOS
fan control was added, noone updated the index values used for
disallowing fan support and fan type calls.
Fix those values.

Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Reviewed-by: Pali Rohár <pali@kernel.org>
Link: https://lore.kernel.org/r/20210513154546.12430-1-W_Armin@gmx.de
Fixes: 1bb46a20e73b ("hwmon: (dell-smm) Support up to 10 temp sensors")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hwmon/dell-smm-hwmon.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hwmon/dell-smm-hwmon.c b/drivers/hwmon/dell-smm-hwmon.c
index 4212d022d253..35c00420d855 100644
--- a/drivers/hwmon/dell-smm-hwmon.c
+++ b/drivers/hwmon/dell-smm-hwmon.c
@@ -792,10 +792,10 @@ static struct attribute *i8k_attrs[] = {
 static umode_t i8k_is_visible(struct kobject *kobj, struct attribute *attr,
 			      int index)
 {
-	if (disallow_fan_support && index >= 8)
+	if (disallow_fan_support && index >= 20)
 		return 0;
 	if (disallow_fan_type_call &&
-	    (index == 9 || index == 12 || index == 15))
+	    (index == 21 || index == 25 || index == 28))
 		return 0;
 	if (index >= 0 && index <= 1 &&
 	    !(i8k_hwmon_flags & I8K_HWMON_HAVE_TEMP1))
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 06/78] netfilter: conntrack: unregister ipv4 sockopts on error unwind
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 05/78] hwmon: (dell-smm-hwmon) Fix index values Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 07/78] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Pablo Neira Ayuso,
	Sasha Levin

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 22cbdbcfb61acc78d5fc21ebb13ccc0d7e29f793 ]

When ipv6 sockopt register fails, the ipv4 one needs to be removed.

Fixes: a0ae2562c6c ("netfilter: conntrack: remove l3proto abstraction")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_conntrack_proto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index aaf4293ddd45..75e6b429635d 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -660,7 +660,7 @@ int nf_conntrack_proto_init(void)
 
 #if IS_ENABLED(CONFIG_IPV6)
 cleanup_sockopt:
-	nf_unregister_sockopt(&so_getorigdst6);
+	nf_unregister_sockopt(&so_getorigdst);
 #endif
 	return ret;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 07/78] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 06/78] netfilter: conntrack: unregister ipv4 sockopts on error unwind Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 08/78] efi: cper: fix snprintf() use in cper_dimm_err_location() Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Heiner Kallweit, Ard Biesheuvel, Sasha Levin

From: Heiner Kallweit <hkallweit1@gmail.com>

[ Upstream commit 45add3cc99feaaf57d4b6f01d52d532c16a1caee ]

UEFI spec 2.9, p.108, table 4-1 lists the scenario that both attributes
are cleared with the description "No memory access protection is
possible for Entry". So we can have valid entries where both attributes
are cleared, so remove the check.

Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Fixes: 10f0d2f577053 ("efi: Implement generic support for the Memory Attributes table")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/efi/memattr.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c
index 58452fde92cc..5d343dc8e535 100644
--- a/drivers/firmware/efi/memattr.c
+++ b/drivers/firmware/efi/memattr.c
@@ -66,11 +66,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out)
 		return false;
 	}
 
-	if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) {
-		pr_warn("Entry attributes invalid: RO and XP bits both cleared\n");
-		return false;
-	}
-
 	if (PAGE_SIZE > EFI_PAGE_SIZE &&
 	    (!PAGE_ALIGNED(in->phys_addr) ||
 	     !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 08/78] efi: cper: fix snprintf() use in cper_dimm_err_location()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 07/78] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 09/78] vfio/pci: Fix error return code in vfio_ecap_init() Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rasmus Villemoes, Ard Biesheuvel,
	Sasha Levin

From: Rasmus Villemoes <linux@rasmusvillemoes.dk>

[ Upstream commit 942859d969de7f6f7f2659a79237a758b42782da ]

snprintf() should be given the full buffer size, not one less. And it
guarantees nul-termination, so doing it manually afterwards is
pointless.

It's even potentially harmful (though probably not in practice because
CPER_REC_LEN is 256), due to the "return how much would have been
written had the buffer been big enough" semantics. I.e., if the bank
and/or device strings are long enough that the "DIMM location ..."
output gets truncated, writing to msg[n] is a buffer overflow.

Signed-off-by: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Fixes: 3760cd20402d4 ("CPER: Adjust code flow of some functions")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/efi/cper.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c
index b1af0de2e100..e48298687b76 100644
--- a/drivers/firmware/efi/cper.c
+++ b/drivers/firmware/efi/cper.c
@@ -263,8 +263,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
 	if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE))
 		return 0;
 
-	n = 0;
-	len = CPER_REC_LEN - 1;
+	len = CPER_REC_LEN;
 	dmi_memdev_name(mem->mem_dev_handle, &bank, &device);
 	if (bank && device)
 		n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
@@ -273,7 +272,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg)
 			     "DIMM location: not present. DMI handle: 0x%.4x ",
 			     mem->mem_dev_handle);
 
-	msg[n] = '\0';
 	return n;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 09/78] vfio/pci: Fix error return code in vfio_ecap_init()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 08/78] efi: cper: fix snprintf() use in cper_dimm_err_location() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 10/78] vfio/pci: zap_vma_ptes() needs MMU Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Max Gurtovoy,
	Alex Williamson, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit d1ce2c79156d3baf0830990ab06d296477b93c26 ]

The error code returned from vfio_ext_cap_len() is stored in 'len', not
in 'ret'.

Fixes: 89e1f7d4c66d ("vfio: Add PCI device driver")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Message-Id: <20210515020458.6771-1-thunder.leizhen@huawei.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vfio/pci/vfio_pci_config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c
index bf32997c557f..50cd17fcf754 100644
--- a/drivers/vfio/pci/vfio_pci_config.c
+++ b/drivers/vfio/pci/vfio_pci_config.c
@@ -1576,7 +1576,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev)
 			if (len == 0xFF) {
 				len = vfio_ext_cap_len(vdev, ecap, epos);
 				if (len < 0)
-					return ret;
+					return len;
 			}
 		}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 10/78] vfio/pci: zap_vma_ptes() needs MMU
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 09/78] vfio/pci: Fix error return code in vfio_ecap_init() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 11/78] samples: vfio-mdev: fix error handing in mdpy_fb_probe() Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Alex Williamson, Cornelia Huck, kvm, Jason Gunthorpe, Eric Auger,
	Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 2a55ca37350171d9b43d561528f23d4130097255 ]

zap_vma_ptes() is only available when CONFIG_MMU is set/enabled.
Without CONFIG_MMU, vfio_pci.o has build errors, so make
VFIO_PCI depend on MMU.

riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `vfio_pci_mmap_open':
vfio_pci.c:(.text+0x1ec): undefined reference to `zap_vma_ptes'
riscv64-linux-ld: drivers/vfio/pci/vfio_pci.o: in function `.L0 ':
vfio_pci.c:(.text+0x165c): undefined reference to `zap_vma_ptes'

Fixes: 11c4cd07ba11 ("vfio-pci: Fault mmaps to enable vma tracking")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Alex Williamson <alex.williamson@redhat.com>
Cc: Cornelia Huck <cohuck@redhat.com>
Cc: kvm@vger.kernel.org
Cc: Jason Gunthorpe <jgg@nvidia.com>
Cc: Eric Auger <eric.auger@redhat.com>
Message-Id: <20210515190856.2130-1-rdunlap@infradead.org>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vfio/pci/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig
index 4abddbebd4b2..c691127bc805 100644
--- a/drivers/vfio/pci/Kconfig
+++ b/drivers/vfio/pci/Kconfig
@@ -2,6 +2,7 @@
 config VFIO_PCI
 	tristate "VFIO support for PCI devices"
 	depends on VFIO && PCI && EVENTFD
+	depends on MMU
 	select VFIO_VIRQFD
 	select IRQ_BYPASS_MANAGER
 	help
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 11/78] samples: vfio-mdev: fix error handing in mdpy_fb_probe()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 10/78] vfio/pci: zap_vma_ptes() needs MMU Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 12/78] vfio/platform: fix module_put call in error flow Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wei Yongjun,
	Alex Williamson, Sasha Levin

From: Wei Yongjun <weiyongjun1@huawei.com>

[ Upstream commit 752774ce7793a1f8baa55aae31f3b4caac49cbe4 ]

Fix to return a negative error code from the framebuffer_alloc() error
handling case instead of 0, also release regions in some error handing
cases.

Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Message-Id: <20210520133641.1421378-1-weiyongjun1@huawei.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 samples/vfio-mdev/mdpy-fb.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/samples/vfio-mdev/mdpy-fb.c b/samples/vfio-mdev/mdpy-fb.c
index 2719bb259653..a760e130bd0d 100644
--- a/samples/vfio-mdev/mdpy-fb.c
+++ b/samples/vfio-mdev/mdpy-fb.c
@@ -117,22 +117,27 @@ static int mdpy_fb_probe(struct pci_dev *pdev,
 	if (format != DRM_FORMAT_XRGB8888) {
 		pci_err(pdev, "format mismatch (0x%x != 0x%x)\n",
 			format, DRM_FORMAT_XRGB8888);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_release_regions;
 	}
 	if (width < 100	 || width > 10000) {
 		pci_err(pdev, "width (%d) out of range\n", width);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_release_regions;
 	}
 	if (height < 100 || height > 10000) {
 		pci_err(pdev, "height (%d) out of range\n", height);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto err_release_regions;
 	}
 	pci_info(pdev, "mdpy found: %dx%d framebuffer\n",
 		 width, height);
 
 	info = framebuffer_alloc(sizeof(struct mdpy_fb_par), &pdev->dev);
-	if (!info)
+	if (!info) {
+		ret = -ENOMEM;
 		goto err_release_regions;
+	}
 	pci_set_drvdata(pdev, info);
 	par = info->par;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 12/78] vfio/platform: fix module_put call in error flow
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 11/78] samples: vfio-mdev: fix error handing in mdpy_fb_probe() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 13/78] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max Gurtovoy, Alex Williamson, Sasha Levin

From: Max Gurtovoy <mgurtovoy@nvidia.com>

[ Upstream commit dc51ff91cf2d1e9a2d941da483602f71d4a51472 ]

The ->parent_module is the one that use in try_module_get. It should
also be the one the we use in module_put during vfio_platform_open().

Fixes: 32a2d71c4e80 ("vfio: platform: introduce vfio-platform-base module")
Signed-off-by: Max Gurtovoy <mgurtovoy@nvidia.com>
Message-Id: <20210518192133.59195-1-mgurtovoy@nvidia.com>
Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vfio/platform/vfio_platform_common.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c
index 152e5188183c..6f727034679f 100644
--- a/drivers/vfio/platform/vfio_platform_common.c
+++ b/drivers/vfio/platform/vfio_platform_common.c
@@ -289,7 +289,7 @@ err_irq:
 	vfio_platform_regions_cleanup(vdev);
 err_reg:
 	mutex_unlock(&driver_lock);
-	module_put(THIS_MODULE);
+	module_put(vdev->parent_module);
 	return ret;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 13/78] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 12/78] vfio/platform: fix module_put call in error flow Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 14/78] HID: pidff: fix error return code in hid_pidff_init() Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Julian Anastasov, Simon Horman,
	Pablo Neira Ayuso, Sasha Levin, syzbot+e562383183e4b1766930

From: Julian Anastasov <ja@ssi.bg>

[ Upstream commit 56e4ee82e850026d71223262c07df7d6af3bd872 ]

syzbot reported memory leak [1] when adding service with
HASHED flag. We should ignore this flag both from sockopt
and netlink provided data, otherwise the service is not
hashed and not visible while releasing resources.

[1]
BUG: memory leak
unreferenced object 0xffff888115227800 (size 512):
  comm "syz-executor263", pid 8658, jiffies 4294951882 (age 12.560s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<ffffffff83977188>] kmalloc include/linux/slab.h:556 [inline]
    [<ffffffff83977188>] kzalloc include/linux/slab.h:686 [inline]
    [<ffffffff83977188>] ip_vs_add_service+0x598/0x7c0 net/netfilter/ipvs/ip_vs_ctl.c:1343
    [<ffffffff8397d770>] do_ip_vs_set_ctl+0x810/0xa40 net/netfilter/ipvs/ip_vs_ctl.c:2570
    [<ffffffff838449a8>] nf_setsockopt+0x68/0xa0 net/netfilter/nf_sockopt.c:101
    [<ffffffff839ae4e9>] ip_setsockopt+0x259/0x1ff0 net/ipv4/ip_sockglue.c:1435
    [<ffffffff839fa03c>] raw_setsockopt+0x18c/0x1b0 net/ipv4/raw.c:857
    [<ffffffff83691f20>] __sys_setsockopt+0x1b0/0x360 net/socket.c:2117
    [<ffffffff836920f2>] __do_sys_setsockopt net/socket.c:2128 [inline]
    [<ffffffff836920f2>] __se_sys_setsockopt net/socket.c:2125 [inline]
    [<ffffffff836920f2>] __x64_sys_setsockopt+0x22/0x30 net/socket.c:2125
    [<ffffffff84350efa>] do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
    [<ffffffff84400068>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Reported-and-tested-by: syzbot+e562383183e4b1766930@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index 99168af0c28d..f93fa0e21097 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1340,7 +1340,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u,
 	ip_vs_addr_copy(svc->af, &svc->addr, &u->addr);
 	svc->port = u->port;
 	svc->fwmark = u->fwmark;
-	svc->flags = u->flags;
+	svc->flags = u->flags & ~IP_VS_SVC_F_HASHED;
 	svc->timeout = u->timeout * HZ;
 	svc->netmask = u->netmask;
 	svc->ipvs = ipvs;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 14/78] HID: pidff: fix error return code in hid_pidff_init()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 13/78] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 15/78] HID: i2c-hid: fix format string mismatch Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Jiri Kosina,
	Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 3dd653c077efda8152f4dd395359617d577a54cd ]

Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: 224ee88fe395 ("Input: add force feedback driver for PID devices")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/usbhid/hid-pidff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c
index fddac7c72f64..07a9fe97d2e0 100644
--- a/drivers/hid/usbhid/hid-pidff.c
+++ b/drivers/hid/usbhid/hid-pidff.c
@@ -1292,6 +1292,7 @@ int hid_pidff_init(struct hid_device *hid)
 
 	if (pidff->pool[PID_DEVICE_MANAGED_POOL].value &&
 	    pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) {
+		error = -EPERM;
 		hid_notice(hid,
 			   "device does not support device managed pool\n");
 		goto fail;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 15/78] HID: i2c-hid: fix format string mismatch
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 14/78] HID: pidff: fix error return code in hid_pidff_init() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 16/78] net/sched: act_ct: Fix ct template allocation for zone 0 Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Nathan Chancellor,
	Jiri Kosina, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit dc5f9f55502e13ba05731d5046a14620aa2ff456 ]

clang doesn't like printing a 32-bit integer using %hX format string:

drivers/hid/i2c-hid/i2c-hid-core.c:994:18: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
                 client->name, hid->vendor, hid->product);
                               ^~~~~~~~~~~
drivers/hid/i2c-hid/i2c-hid-core.c:994:31: error: format specifies type 'unsigned short' but the argument has type '__u32' (aka 'unsigned int') [-Werror,-Wformat]
                 client->name, hid->vendor, hid->product);
                                            ^~~~~~~~~~~~

Use an explicit cast to truncate it to the low 16 bits instead.

Fixes: 9ee3e06610fd ("HID: i2c-hid: override HID descriptors for certain devices")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/i2c-hid/i2c-hid-core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c
index 96898983db99..f67817819f9a 100644
--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -1114,8 +1114,8 @@ static int i2c_hid_probe(struct i2c_client *client,
 	hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID);
 	hid->product = le16_to_cpu(ihid->hdesc.wProductID);
 
-	snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX",
-		 client->name, hid->vendor, hid->product);
+	snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X",
+		 client->name, (u16)hid->vendor, (u16)hid->product);
 	strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys));
 
 	ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 16/78] net/sched: act_ct: Fix ct template allocation for zone 0
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 15/78] HID: i2c-hid: fix format string mismatch Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 17/78] ACPICA: Clean up context mutex during object deletion Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ariel Levkovich,
	Marcelo Ricardo Leitner, Jakub Kicinski, Sasha Levin

From: Ariel Levkovich <lariel@nvidia.com>

[ Upstream commit fb91702b743dec78d6507c53a2dec8a8883f509d ]

Fix current behavior of skipping template allocation in case the
ct action is in zone 0.

Skipping the allocation may cause the datapath ct code to ignore the
entire ct action with all its attributes (commit, nat) in case the ct
action in zone 0 was preceded by a ct clear action.

The ct clear action sets the ct_state to untracked and resets the
skb->_nfct pointer. Under these conditions and without an allocated
ct template, the skb->_nfct pointer will remain NULL which will
cause the tc ct action handler to exit without handling commit and nat
actions, if such exist.

For example, the following rule in OVS dp:
recirc_id(0x2),ct_state(+new-est-rel-rpl+trk),ct_label(0/0x1), \
in_port(eth0),actions:ct_clear,ct(commit,nat(src=10.11.0.12)), \
recirc(0x37a)

Will result in act_ct skipping the commit and nat actions in zone 0.

The change removes the skipping of template allocation for zone 0 and
treats it the same as any other zone.

Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
Signed-off-by: Ariel Levkovich <lariel@nvidia.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://lore.kernel.org/r/20210526170110.54864-1-lariel@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/act_ct.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/net/sched/act_ct.c b/net/sched/act_ct.c
index 6119c31dcd07..31eb8eefc868 100644
--- a/net/sched/act_ct.c
+++ b/net/sched/act_ct.c
@@ -648,9 +648,6 @@ static int tcf_ct_fill_params(struct net *net,
 				   sizeof(p->zone));
 	}
 
-	if (p->zone == NF_CT_DEFAULT_ZONE_ID)
-		return 0;
-
 	nf_ct_zone_init(&zone, p->zone, NF_CT_DEFAULT_ZONE_DIR, 0);
 	tmpl = nf_ct_tmpl_alloc(net, &zone, GFP_KERNEL);
 	if (!tmpl) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 17/78] ACPICA: Clean up context mutex during object deletion
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 16/78] net/sched: act_ct: Fix ct template allocation for zone 0 Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 18/78] netfilter: nft_ct: skip expectations for confirmed conntrack Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Garry, Xiang Chen, Erik Kaneda,
	Bob Moore, Rafael J. Wysocki, Sasha Levin

From: Erik Kaneda <erik.kaneda@intel.com>

[ Upstream commit e4dfe108371214500ee10c2cf19268f53acaa803 ]

ACPICA commit bc43c878fd4ff27ba75b1d111b97ee90d4a82707

Fixes: c27f3d011b08 ("Fix race in GenericSerialBus (I2C) and GPIO OpRegion parameter handling")
Link: https://github.com/acpica/acpica/commit/bc43c878
Reported-by: John Garry <john.garry@huawei.com>
Reported-by: Xiang Chen <chenxiang66@hisilicon.com>
Tested-by: Xiang Chen <chenxiang66@hisilicon.com>
Signed-off-by: Erik Kaneda <erik.kaneda@intel.com>
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/utdelete.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c
index 4c0d4e434196..72d2c0b65633 100644
--- a/drivers/acpi/acpica/utdelete.c
+++ b/drivers/acpi/acpica/utdelete.c
@@ -285,6 +285,14 @@ static void acpi_ut_delete_internal_obj(union acpi_operand_object *object)
 		}
 		break;
 
+	case ACPI_TYPE_LOCAL_ADDRESS_HANDLER:
+
+		ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS,
+				  "***** Address handler %p\n", object));
+
+		acpi_os_delete_mutex(object->address_space.context_mutex);
+		break;
+
 	default:
 
 		break;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 18/78] netfilter: nft_ct: skip expectations for confirmed conntrack
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 17/78] ACPICA: Clean up context mutex during object deletion Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 19/78] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit 1710eb913bdcda3917f44d383c32de6bdabfc836 ]

nft_ct_expect_obj_eval() calls nf_ct_ext_add() for a confirmed
conntrack entry. However, nf_ct_ext_add() can only be called for
!nf_ct_is_confirmed().

[ 1825.349056] WARNING: CPU: 0 PID: 1279 at net/netfilter/nf_conntrack_extend.c:48 nf_ct_xt_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351391] RIP: 0010:nf_ct_ext_add+0x18e/0x1a0 [nf_conntrack]
[ 1825.351493] Code: 41 5c 41 5d 41 5e 41 5f c3 41 bc 0a 00 00 00 e9 15 ff ff ff ba 09 00 00 00 31 f6 4c 89 ff e8 69 6c 3d e9 eb 96 45 31 ed eb cd <0f> 0b e9 b1 fe ff ff e8 86 79 14 e9 eb bf 0f 1f 40 00 0f 1f 44 00
[ 1825.351721] RSP: 0018:ffffc90002e1f1e8 EFLAGS: 00010202
[ 1825.351790] RAX: 000000000000000e RBX: ffff88814f5783c0 RCX: ffffffffc0e4f887
[ 1825.351881] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff88814f578440
[ 1825.351971] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff88814f578447
[ 1825.352060] R10: ffffed1029eaf088 R11: 0000000000000001 R12: ffff88814f578440
[ 1825.352150] R13: ffff8882053f3a00 R14: 0000000000000000 R15: 0000000000000a20
[ 1825.352240] FS:  00007f992261c900(0000) GS:ffff889faec00000(0000) knlGS:0000000000000000
[ 1825.352343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1825.352417] CR2: 000056070a4d1158 CR3: 000000015efe0000 CR4: 0000000000350ee0
[ 1825.352508] Call Trace:
[ 1825.352544]  nf_ct_helper_ext_add+0x10/0x60 [nf_conntrack]
[ 1825.352641]  nft_ct_expect_obj_eval+0x1b8/0x1e0 [nft_ct]
[ 1825.352716]  nft_do_chain+0x232/0x850 [nf_tables]

Add the ct helper extension only for unconfirmed conntrack. Skip rule
evaluation if the ct helper extension does not exist. Thus, you can
only create expectations from the first packet.

It should be possible to remove this limitation by adding a new action
to attach a generic ct helper to the first packet. Then, use this ct
helper extension from follow up packets to create the ct expectation.

While at it, add a missing check to skip the template conntrack too
and remove check for IPCT_UNTRACK which is implicit to !ct.

Fixes: 857b46027d6f ("netfilter: nft_ct: add ct expectations support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_ct.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 2042c6f4629c..28991730728b 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1218,7 +1218,7 @@ static void nft_ct_expect_obj_eval(struct nft_object *obj,
 	struct nf_conn *ct;
 
 	ct = nf_ct_get(pkt->skb, &ctinfo);
-	if (!ct || ctinfo == IP_CT_UNTRACKED) {
+	if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
 		regs->verdict.code = NFT_BREAK;
 		return;
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 19/78] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 18/78] netfilter: nft_ct: skip expectations for confirmed conntrack Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 20/78] ieee802154: fix error return code in ieee802154_add_iface() Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit 8971ee8b087750a23f3cd4dc55bff2d0303fd267 ]

The private helper data size cannot be updated. However, updates that
contain NFCTH_PRIV_DATA_LEN might bogusly hit EBUSY even if the size is
the same.

Fixes: 12f7a505331e ("netfilter: add user-space connection tracking helper infrastructure")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nfnetlink_cthelper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c
index 81406b93f126..3d5fc07b2530 100644
--- a/net/netfilter/nfnetlink_cthelper.c
+++ b/net/netfilter/nfnetlink_cthelper.c
@@ -380,10 +380,14 @@ static int
 nfnl_cthelper_update(const struct nlattr * const tb[],
 		     struct nf_conntrack_helper *helper)
 {
+	u32 size;
 	int ret;
 
-	if (tb[NFCTH_PRIV_DATA_LEN])
-		return -EBUSY;
+	if (tb[NFCTH_PRIV_DATA_LEN]) {
+		size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
+		if (size != helper->data_len)
+			return -EBUSY;
+	}
 
 	if (tb[NFCTH_POLICY]) {
 		ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 20/78] ieee802154: fix error return code in ieee802154_add_iface()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 19/78] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 21/78] ieee802154: fix error return code in ieee802154_llsec_getparams() Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Stefan Schmidt,
	Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 79c6b8ed30e54b401c873dbad2511f2a1c525fd5 ]

Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: be51da0f3e34 ("ieee802154: Stop using NLA_PUT*().")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210508062517.2574-1-thunder.leizhen@huawei.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/nl-phy.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c
index 2cdc7e63fe17..88215b5c93aa 100644
--- a/net/ieee802154/nl-phy.c
+++ b/net/ieee802154/nl-phy.c
@@ -241,8 +241,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info)
 	}
 
 	if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) ||
-	    nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name))
+	    nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) {
+		rc = -EMSGSIZE;
 		goto nla_put_failure;
+	}
 	dev_put(dev);
 
 	wpan_phy_put(phy);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 21/78] ieee802154: fix error return code in ieee802154_llsec_getparams()
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 20/78] ieee802154: fix error return code in ieee802154_add_iface() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 22/78] ixgbevf: add correct exception tracing for XDP Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wei Yongjun,
	Stefan Schmidt, Sasha Levin

From: Wei Yongjun <weiyongjun1@huawei.com>

[ Upstream commit 373e864cf52403b0974c2f23ca8faf9104234555 ]

Fix to return negative error code -ENOBUFS from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: 3e9c156e2c21 ("ieee802154: add netlink interfaces for llsec")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Link: https://lore.kernel.org/r/20210519141614.3040055-1-weiyongjun1@huawei.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/nl-mac.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c
index d19c40c684e8..71be75112321 100644
--- a/net/ieee802154/nl-mac.c
+++ b/net/ieee802154/nl-mac.c
@@ -680,8 +680,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info)
 	    nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) ||
 	    nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER,
 			be32_to_cpu(params.frame_counter)) ||
-	    ieee802154_llsec_fill_key_id(msg, &params.out_key))
+	    ieee802154_llsec_fill_key_id(msg, &params.out_key)) {
+		rc = -ENOBUFS;
 		goto out_free;
+	}
 
 	dev_put(dev);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 22/78] ixgbevf: add correct exception tracing for XDP
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 21/78] ieee802154: fix error return code in ieee802154_llsec_getparams() Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 23/78] ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jesper Dangaard Brouer,
	Magnus Karlsson, Vishakha Jambekar, Tony Nguyen, Sasha Levin

From: Magnus Karlsson <magnus.karlsson@intel.com>

[ Upstream commit faae81420d162551b6ef2d804aafc00f4cd68e0e ]

Add missing exception tracing to XDP when a number of different
errors can occur. The support was only partial. Several errors
where not logged which would confuse the user quite a lot not
knowing where and why the packets disappeared.

Fixes: 21092e9ce8b1 ("ixgbevf: Add support for XDP_TX action")
Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Tested-by: Vishakha Jambekar <vishakha.jambekar@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
index 64ec0e7c64b4..be8e6d4e376e 100644
--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
+++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c
@@ -1079,11 +1079,14 @@ static struct sk_buff *ixgbevf_run_xdp(struct ixgbevf_adapter *adapter,
 	case XDP_TX:
 		xdp_ring = adapter->xdp_ring[rx_ring->queue_index];
 		result = ixgbevf_xmit_xdp_ring(xdp_ring, xdp);
+		if (result == IXGBEVF_XDP_CONSUMED)
+			goto out_failure;
 		break;
 	default:
 		bpf_warn_invalid_xdp_action(act);
 		/* fallthrough */
 	case XDP_ABORTED:
+out_failure:
 		trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
 		/* fallthrough -- handle aborts by dropping packet */
 	case XDP_DROP:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 23/78] ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 22/78] ixgbevf: add correct exception tracing for XDP Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 24/78] ice: write register with correct offset Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Coco Li, David Ahern, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Coco Li <lixiaoyan@google.com>

[ Upstream commit 821bbf79fe46a8b1d18aa456e8ed0a3c208c3754 ]

Reported by syzbot:
HEAD commit:    90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
dashboard link: https://syzkaller.appspot.com/bug?extid=123aa35098fd3c000eb7
compiler:       Debian clang version 11.0.1-2

==================================================================
BUG: KASAN: slab-out-of-bounds in fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
BUG: KASAN: slab-out-of-bounds in fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
Read of size 8 at addr ffff8880145c78f8 by task syz-executor.4/17760

CPU: 0 PID: 17760 Comm: syz-executor.4 Not tainted 5.12.0-rc8-syzkaller #0
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x202/0x31e lib/dump_stack.c:120
 print_address_description+0x5f/0x3b0 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report+0x15c/0x200 mm/kasan/report.c:416
 fib6_nh_get_excptn_bucket net/ipv6/route.c:1604 [inline]
 fib6_nh_flush_exceptions+0xbd/0x360 net/ipv6/route.c:1732
 fib6_nh_release+0x9a/0x430 net/ipv6/route.c:3536
 fib6_info_destroy_rcu+0xcb/0x1c0 net/ipv6/ip6_fib.c:174
 rcu_do_batch kernel/rcu/tree.c:2559 [inline]
 rcu_core+0x8f6/0x1450 kernel/rcu/tree.c:2794
 __do_softirq+0x372/0x7a6 kernel/softirq.c:345
 invoke_softirq kernel/softirq.c:221 [inline]
 __irq_exit_rcu+0x22c/0x260 kernel/softirq.c:422
 irq_exit_rcu+0x5/0x20 kernel/softirq.c:434
 sysvec_apic_timer_interrupt+0x91/0xb0 arch/x86/kernel/apic/apic.c:1100
 </IRQ>
 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch/x86/include/asm/idtentry.h:632
RIP: 0010:lock_acquire+0x1f6/0x720 kernel/locking/lockdep.c:5515
Code: f6 84 24 a1 00 00 00 02 0f 85 8d 02 00 00 f7 c3 00 02 00 00 49 bd 00 00 00 00 00 fc ff df 74 01 fb 48 c7 44 24 40 0e 36 e0 45 <4b> c7 44 3d 00 00 00 00 00 4b c7 44 3d 09 00 00 00 00 43 c7 44 3d
RSP: 0018:ffffc90009e06560 EFLAGS: 00000206
RAX: 1ffff920013c0cc0 RBX: 0000000000000246 RCX: dffffc0000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90009e066e0 R08: dffffc0000000000 R09: fffffbfff1f992b1
R10: fffffbfff1f992b1 R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: 1ffff920013c0cb4
 rcu_lock_acquire+0x2a/0x30 include/linux/rcupdate.h:267
 rcu_read_lock include/linux/rcupdate.h:656 [inline]
 ext4_get_group_info+0xea/0x340 fs/ext4/ext4.h:3231
 ext4_mb_prefetch+0x123/0x5d0 fs/ext4/mballoc.c:2212
 ext4_mb_regular_allocator+0x8a5/0x28f0 fs/ext4/mballoc.c:2379
 ext4_mb_new_blocks+0xc6e/0x24f0 fs/ext4/mballoc.c:4982
 ext4_ext_map_blocks+0x2be3/0x7210 fs/ext4/extents.c:4238
 ext4_map_blocks+0xab3/0x1cb0 fs/ext4/inode.c:638
 ext4_getblk+0x187/0x6c0 fs/ext4/inode.c:848
 ext4_bread+0x2a/0x1c0 fs/ext4/inode.c:900
 ext4_append+0x1a4/0x360 fs/ext4/namei.c:67
 ext4_init_new_dir+0x337/0xa10 fs/ext4/namei.c:2768
 ext4_mkdir+0x4b8/0xc00 fs/ext4/namei.c:2814
 vfs_mkdir+0x45b/0x640 fs/namei.c:3819
 ovl_do_mkdir fs/overlayfs/overlayfs.h:161 [inline]
 ovl_mkdir_real+0x53/0x1a0 fs/overlayfs/dir.c:146
 ovl_create_real+0x280/0x490 fs/overlayfs/dir.c:193
 ovl_workdir_create+0x425/0x600 fs/overlayfs/super.c:788
 ovl_make_workdir+0xed/0x1140 fs/overlayfs/super.c:1355
 ovl_get_workdir fs/overlayfs/super.c:1492 [inline]
 ovl_fill_super+0x39ee/0x5370 fs/overlayfs/super.c:2035
 mount_nodev+0x52/0xe0 fs/super.c:1413
 legacy_get_tree+0xea/0x180 fs/fs_context.c:592
 vfs_get_tree+0x86/0x270 fs/super.c:1497
 do_new_mount fs/namespace.c:2903 [inline]
 path_mount+0x196f/0x2be0 fs/namespace.c:3233
 do_mount fs/namespace.c:3246 [inline]
 __do_sys_mount fs/namespace.c:3454 [inline]
 __se_sys_mount+0x2f9/0x3b0 fs/namespace.c:3431
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665f9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f68f2b87188 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 000000000056bf60 RCX: 00000000004665f9
RDX: 00000000200000c0 RSI: 0000000020000000 RDI: 000000000040000a
RBP: 00000000004bfbb9 R08: 0000000020000100 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf60
R13: 00007ffe19002dff R14: 00007f68f2b87300 R15: 0000000000022000

Allocated by task 17768:
 kasan_save_stack mm/kasan/common.c:38 [inline]
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc+0xc2/0xf0 mm/kasan/common.c:506
 kasan_kmalloc include/linux/kasan.h:233 [inline]
 __kmalloc+0xb4/0x380 mm/slub.c:4055
 kmalloc include/linux/slab.h:559 [inline]
 kzalloc include/linux/slab.h:684 [inline]
 fib6_info_alloc+0x2c/0xd0 net/ipv6/ip6_fib.c:154
 ip6_route_info_create+0x55d/0x1a10 net/ipv6/route.c:3638
 ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
 inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
 rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x319/0x400 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3039 [inline]
 call_rcu+0x1b1/0xa30 kernel/rcu/tree.c:3114
 fib6_info_release include/net/ip6_fib.h:337 [inline]
 ip6_route_info_create+0x10c4/0x1a10 net/ipv6/route.c:3718
 ip6_route_add+0x22/0x120 net/ipv6/route.c:3728
 inet6_rtm_newroute+0x2cd/0x2260 net/ipv6/route.c:5352
 rtnetlink_rcv_msg+0xb34/0xe70 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg net/socket.c:674 [inline]
 ____sys_sendmsg+0x5a2/0x900 net/socket.c:2350
 ___sys_sendmsg net/socket.c:2404 [inline]
 __sys_sendmsg+0x319/0x400 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x27/0x50 mm/kasan/common.c:38
 kasan_record_aux_stack+0xee/0x120 mm/kasan/generic.c:345
 insert_work+0x54/0x400 kernel/workqueue.c:1331
 __queue_work+0x981/0xcc0 kernel/workqueue.c:1497
 queue_work_on+0x111/0x200 kernel/workqueue.c:1524
 queue_work include/linux/workqueue.h:507 [inline]
 call_usermodehelper_exec+0x283/0x470 kernel/umh.c:433
 kobject_uevent_env+0x1349/0x1730 lib/kobject_uevent.c:617
 kvm_uevent_notify_change+0x309/0x3b0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:4809
 kvm_destroy_vm arch/x86/kvm/../../../virt/kvm/kvm_main.c:877 [inline]
 kvm_put_kvm+0x9c/0xd10 arch/x86/kvm/../../../virt/kvm/kvm_main.c:920
 kvm_vcpu_release+0x53/0x60 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3120
 __fput+0x352/0x7b0 fs/file_table.c:280
 task_work_run+0x146/0x1c0 kernel/task_work.c:140
 tracehook_notify_resume include/linux/tracehook.h:189 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:174 [inline]
 exit_to_user_mode_prepare+0x10b/0x1e0 kernel/entry/common.c:208
 __syscall_exit_to_user_mode_work kernel/entry/common.c:290 [inline]
 syscall_exit_to_user_mode+0x26/0x70 kernel/entry/common.c:301
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880145c7800
 which belongs to the cache kmalloc-192 of size 192
The buggy address is located 56 bytes to the right of
 192-byte region [ffff8880145c7800, ffff8880145c78c0)
The buggy address belongs to the page:
page:ffffea00005171c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x145c7
flags: 0xfff00000000200(slab)
raw: 00fff00000000200 ffffea00006474c0 0000000200000002 ffff888010c41a00
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880145c7780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8880145c7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880145c7880: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                                                                ^
 ffff8880145c7900: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880145c7980: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
==================================================================

In the ip6_route_info_create function, in the case that the nh pointer
is not NULL, the fib6_nh in fib6_info has not been allocated.
Therefore, when trying to free fib6_info in this error case using
fib6_info_release, the function will call fib6_info_destroy_rcu,
which it will access fib6_nh_release(f6i->fib6_nh);
However, f6i->fib6_nh doesn't have any refcount yet given the lack of allocation
causing the reported memory issue above.
Therefore, releasing the empty pointer directly instead would be the solution.

Fixes: f88d8ea67fbdb ("ipv6: Plumb support for nexthop object in a fib6_info")
Fixes: 706ec91916462 ("ipv6: Fix nexthop refcnt leak when creating ipv6 route info")
Signed-off-by: Coco Li <lixiaoyan@google.com>
Cc: David Ahern <dsahern@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/route.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 3a9bd9687e7d..b903fe28ce50 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -3688,11 +3688,11 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
 	if (nh) {
 		if (rt->fib6_src.plen) {
 			NL_SET_ERR_MSG(extack, "Nexthops can not be used with source routing");
-			goto out;
+			goto out_free;
 		}
 		if (!nexthop_get(nh)) {
 			NL_SET_ERR_MSG(extack, "Nexthop has been deleted");
-			goto out;
+			goto out_free;
 		}
 		rt->nh = nh;
 		fib6_nh = nexthop_fib6_nh(rt->nh);
@@ -3729,6 +3729,10 @@ static struct fib6_info *ip6_route_info_create(struct fib6_config *cfg,
 out:
 	fib6_info_release(rt);
 	return ERR_PTR(err);
+out_free:
+	ip_fib_metrics_put(rt->fib6_metrics);
+	kfree(rt);
+	return ERR_PTR(err);
 }
 
 int ip6_route_add(struct fib6_config *cfg, gfp_t gfp_flags,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 24/78] ice: write register with correct offset
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 23/78] ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 25/78] ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mitch Williams, Andrew Bowers,
	Jeff Kirsher, Sasha Levin

From: Mitch Williams <mitch.a.williams@intel.com>

[ Upstream commit 395594563b29fbcd8d9a4f0a642484e5d3bb6db1 ]

The VF_MBX_ARQLEN register array is per-PF, not global, so we should not
use the absolute VF ID as an index. Instead, use the per-PF VF ID.

This fixes an issue with VFs on PFs other than 0 not seeing reset.

Signed-off-by: Mitch Williams <mitch.a.williams@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
index e92a00a61755..360c0f7e0384 100644
--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
@@ -390,7 +390,7 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
 	 * by the time we get here.
 	 */
 	if (!is_pfr)
-		wr32(hw, VF_MBX_ARQLEN(vf_abs_id), 0);
+		wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0);
 
 	/* In the case of a VFLR, the HW has already reset the VF and we
 	 * just need to clean up, so don't hit the VFRTRIG register.
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 25/78] ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 24/78] ice: write register with correct offset Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 26/78] ice: Allow all LLDP packets from PF to Tx Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brett Creeley, Konrad Jankowski,
	Tony Nguyen, Sasha Levin

From: Brett Creeley <brett.creeley@intel.com>

[ Upstream commit 8679f07a9922068b9b6be81b632f52cac45d1b91 ]

Some AVF drivers expect the VF_MBX_ATQLEN register to be cleared for any
type of VFR/VFLR. Fix this by clearing the VF_MBX_ATQLEN register at the
same time as VF_MBX_ARQLEN.

Fixes: 82ba01282cf8 ("ice: clear VF ARQLEN register on reset")
Signed-off-by: Brett Creeley <brett.creeley@intel.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_hw_autogen.h  |  1 +
 drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c | 12 +++++++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
index 9138b19de87e..f2bb83af4d9e 100644
--- a/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
+++ b/drivers/net/ethernet/intel/ice/ice_hw_autogen.h
@@ -34,6 +34,7 @@
 #define PF_FW_ATQLEN_ATQOVFL_M			BIT(29)
 #define PF_FW_ATQLEN_ATQCRIT_M			BIT(30)
 #define VF_MBX_ARQLEN(_VF)			(0x0022BC00 + ((_VF) * 4))
+#define VF_MBX_ATQLEN(_VF)			(0x0022A800 + ((_VF) * 4))
 #define PF_FW_ATQLEN_ATQENABLE_M		BIT(31)
 #define PF_FW_ATQT				0x00080400
 #define PF_MBX_ARQBAH				0x0022E400
diff --git a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
index 360c0f7e0384..5e97fdca5fab 100644
--- a/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
+++ b/drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c
@@ -384,13 +384,15 @@ static void ice_trigger_vf_reset(struct ice_vf *vf, bool is_vflr, bool is_pfr)
 	 */
 	clear_bit(ICE_VF_STATE_INIT, vf->vf_states);
 
-	/* VF_MBX_ARQLEN is cleared by PFR, so the driver needs to clear it
-	 * in the case of VFR. If this is done for PFR, it can mess up VF
-	 * resets because the VF driver may already have started cleanup
-	 * by the time we get here.
+	/* VF_MBX_ARQLEN and VF_MBX_ATQLEN are cleared by PFR, so the driver
+	 * needs to clear them in the case of VFR/VFLR. If this is done for
+	 * PFR, it can mess up VF resets because the VF driver may already
+	 * have started cleanup by the time we get here.
 	 */
-	if (!is_pfr)
+	if (!is_pfr) {
 		wr32(hw, VF_MBX_ARQLEN(vf->vf_id), 0);
+		wr32(hw, VF_MBX_ATQLEN(vf->vf_id), 0);
+	}
 
 	/* In the case of a VFLR, the HW has already reset the VF and we
 	 * just need to clean up, so don't hit the VFRTRIG register.
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 26/78] ice: Allow all LLDP packets from PF to Tx
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 25/78] ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 27/78] i2c: qcom-geni: Add shutdown callback for i2c Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Ertman, Tony Brelinski,
	Tony Nguyen, Sasha Levin

From: Dave Ertman <david.m.ertman@intel.com>

[ Upstream commit f9f83202b7263ac371d616d6894a2c9ed79158ef ]

Currently in the ice driver, the check whether to
allow a LLDP packet to egress the interface from the
PF_VSI is being based on the SKB's priority field.
It checks to see if the packets priority is equal to
TC_PRIO_CONTROL.  Injected LLDP packets do not always
meet this condition.

SCAPY defaults to a sk_buff->protocol value of ETH_P_ALL
(0x0003) and does not set the priority field.  There will
be other injection methods (even ones used by end users)
that will not correctly configure the socket so that
SKB fields are correctly populated.

Then ethernet header has to have to correct value for
the protocol though.

Add a check to also allow packets whose ethhdr->h_proto
matches ETH_P_LLDP (0x88CC).

Fixes: 0c3a6101ff2d ("ice: Allow egress control packets from PF_VSI")
Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_txrx.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_txrx.c b/drivers/net/ethernet/intel/ice/ice_txrx.c
index 33dd103035dc..2b55efe5ed96 100644
--- a/drivers/net/ethernet/intel/ice/ice_txrx.c
+++ b/drivers/net/ethernet/intel/ice/ice_txrx.c
@@ -2109,6 +2109,7 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
 	struct ice_tx_offload_params offload = { 0 };
 	struct ice_vsi *vsi = tx_ring->vsi;
 	struct ice_tx_buf *first;
+	struct ethhdr *eth;
 	unsigned int count;
 	int tso, csum;
 
@@ -2156,7 +2157,9 @@ ice_xmit_frame_ring(struct sk_buff *skb, struct ice_ring *tx_ring)
 		goto out_drop;
 
 	/* allow CONTROL frames egress from main VSI if FW LLDP disabled */
-	if (unlikely(skb->priority == TC_PRIO_CONTROL &&
+	eth = (struct ethhdr *)skb_mac_header(skb);
+	if (unlikely((skb->priority == TC_PRIO_CONTROL ||
+		      eth->h_proto == htons(ETH_P_LLDP)) &&
 		     vsi->type == ICE_VSI_PF &&
 		     vsi->port_info->is_sw_lldp))
 		offload.cd_qw1 |= (u64)(ICE_TX_DESC_DTYPE_CTX |
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 27/78] i2c: qcom-geni: Add shutdown callback for i2c
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 26/78] ice: Allow all LLDP packets from PF to Tx Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 28/78] i40e: optimize for XDP_REDIRECT in xsk path Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roja Rani Yarubandi, Stephen Boyd,
	Wolfram Sang, Sasha Levin

From: Roja Rani Yarubandi <rojay@codeaurora.org>

[ Upstream commit 9f78c607600ce4f2a952560de26534715236f612 ]

If the hardware is still accessing memory after SMMU translation
is disabled (as part of smmu shutdown callback), then the
IOVAs (I/O virtual address) which it was using will go on the bus
as the physical addresses which will result in unknown crashes
like NoC/interconnect errors.

So, implement shutdown callback for i2c driver to suspend the bus
during system "reboot" or "shutdown".

Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
Signed-off-by: Roja Rani Yarubandi <rojay@codeaurora.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-qcom-geni.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/i2c/busses/i2c-qcom-geni.c b/drivers/i2c/busses/i2c-qcom-geni.c
index b56a427fb928..d4ca00df6a5e 100644
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -641,6 +641,14 @@ static int geni_i2c_remove(struct platform_device *pdev)
 	return 0;
 }
 
+static void geni_i2c_shutdown(struct platform_device *pdev)
+{
+	struct geni_i2c_dev *gi2c = platform_get_drvdata(pdev);
+
+	/* Make client i2c transfers start failing */
+	i2c_mark_adapter_suspended(&gi2c->adap);
+}
+
 static int __maybe_unused geni_i2c_runtime_suspend(struct device *dev)
 {
 	int ret;
@@ -701,6 +709,7 @@ MODULE_DEVICE_TABLE(of, geni_i2c_dt_match);
 static struct platform_driver geni_i2c_driver = {
 	.probe  = geni_i2c_probe,
 	.remove = geni_i2c_remove,
+	.shutdown = geni_i2c_shutdown,
 	.driver = {
 		.name = "geni_i2c",
 		.pm = &geni_i2c_pm_ops,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 28/78] i40e: optimize for XDP_REDIRECT in xsk path
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 27/78] i2c: qcom-geni: Add shutdown callback for i2c Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 29/78] i40e: add correct exception tracing for XDP Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Magnus Karlsson,
	George Kuruvinakunnel, Tony Nguyen, Sasha Levin

From: Magnus Karlsson <magnus.karlsson@intel.com>

[ Upstream commit 346497c78d15cdd5bdc3b642a895009359e5457f ]

Optimize i40e_run_xdp_zc() for the XDP program verdict being
XDP_REDIRECT in the xsk zero-copy path. This path is only used when
having AF_XDP zero-copy on and in that case most packets will be
directed to user space. This provides a little over 100k extra packets
in throughput on my server when running l2fwd in xdpsock.

Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Tested-by: George Kuruvinakunnel <george.kuruvinakunnel@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_xsk.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
index c9d4534fbdf0..17499c0d10bb 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
@@ -212,6 +212,13 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
 
 	xdp->handle = xsk_umem_adjust_offset(umem, xdp->handle, offset);
 
+	if (likely(act == XDP_REDIRECT)) {
+		err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
+		result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
+		rcu_read_unlock();
+		return result;
+	}
+
 	switch (act) {
 	case XDP_PASS:
 		break;
@@ -219,10 +226,6 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
 		xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
 		result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
 		break;
-	case XDP_REDIRECT:
-		err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
-		result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
-		break;
 	default:
 		bpf_warn_invalid_xdp_action(act);
 		/* fall through */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 29/78] i40e: add correct exception tracing for XDP
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 28/78] i40e: optimize for XDP_REDIRECT in xsk path Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:26 ` [PATCH 5.4 30/78] arm64: dts: ls1028a: fix memory node Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jesper Dangaard Brouer,
	Magnus Karlsson, Kiran Bhandare, Tony Nguyen, Sasha Levin

From: Magnus Karlsson <magnus.karlsson@intel.com>

[ Upstream commit f6c10b48f8c8da44adaff730d8e700b6272add2b ]

Add missing exception tracing to XDP when a number of different errors
can occur. The support was only partial. Several errors where not
logged which would confuse the user quite a lot not knowing where and
why the packets disappeared.

Fixes: 74608d17fe29 ("i40e: add support for XDP_TX action")
Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support")
Reported-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Tested-by: Kiran Bhandare <kiranx.bhandare@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_txrx.c | 7 ++++++-
 drivers/net/ethernet/intel/i40e/i40e_xsk.c  | 8 ++++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_txrx.c b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
index 218aada8949d..68a2fcf4c0bf 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_txrx.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_txrx.c
@@ -2233,15 +2233,20 @@ static struct sk_buff *i40e_run_xdp(struct i40e_ring *rx_ring,
 	case XDP_TX:
 		xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
 		result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
+		if (result == I40E_XDP_CONSUMED)
+			goto out_failure;
 		break;
 	case XDP_REDIRECT:
 		err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
-		result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
+		if (err)
+			goto out_failure;
+		result = I40E_XDP_REDIR;
 		break;
 	default:
 		bpf_warn_invalid_xdp_action(act);
 		/* fall through */
 	case XDP_ABORTED:
+out_failure:
 		trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
 		/* fall through -- handle aborts by dropping packet */
 	case XDP_DROP:
diff --git a/drivers/net/ethernet/intel/i40e/i40e_xsk.c b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
index 17499c0d10bb..a9ad788c4913 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_xsk.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_xsk.c
@@ -214,9 +214,10 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
 
 	if (likely(act == XDP_REDIRECT)) {
 		err = xdp_do_redirect(rx_ring->netdev, xdp, xdp_prog);
-		result = !err ? I40E_XDP_REDIR : I40E_XDP_CONSUMED;
+		if (err)
+			goto out_failure;
 		rcu_read_unlock();
-		return result;
+		return I40E_XDP_REDIR;
 	}
 
 	switch (act) {
@@ -225,11 +226,14 @@ static int i40e_run_xdp_zc(struct i40e_ring *rx_ring, struct xdp_buff *xdp)
 	case XDP_TX:
 		xdp_ring = rx_ring->vsi->xdp_rings[rx_ring->queue_index];
 		result = i40e_xmit_xdp_tx_ring(xdp, xdp_ring);
+		if (result == I40E_XDP_CONSUMED)
+			goto out_failure;
 		break;
 	default:
 		bpf_warn_invalid_xdp_action(act);
 		/* fall through */
 	case XDP_ABORTED:
+out_failure:
 		trace_xdp_exception(rx_ring->netdev, xdp_prog, act);
 		/* fallthrough -- handle aborts by dropping packet */
 	case XDP_DROP:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 30/78] arm64: dts: ls1028a: fix memory node
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 29/78] i40e: add correct exception tracing for XDP Greg Kroah-Hartman
@ 2021-06-08 18:26 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 31/78] arm64: dts: zii-ultra: fix 12V_MAIN voltage Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:26 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Walle, Shawn Guo, Sasha Levin

From: Michael Walle <michael@walle.cc>

[ Upstream commit dabea675faf16e8682aa478ff3ce65dd775620bc ]

While enabling EDAC support for the LS1028A it was discovered that the
memory node has a wrong endianness setting as well as a wrong interrupt
assignment. Fix both.

This was tested on a sl28 board. To force ECC errors, you can use the
error injection supported by the controller in hardware (with
CONFIG_EDAC_DEBUG enabled):

 # enable error injection
 $ echo 0x100 > /sys/devices/system/edac/mc/mc0/inject_ctrl
 # flip lowest bit of the data
 $ echo 0x1 > /sys/devices/system/edac/mc/mc0/inject_data_lo

Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC")
Signed-off-by: Michael Walle <michael@walle.cc>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
index bd99fa68b763..5a2a188debd1 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi
@@ -151,8 +151,8 @@
 		ddr: memory-controller@1080000 {
 			compatible = "fsl,qoriq-memory-controller";
 			reg = <0x0 0x1080000 0x0 0x1000>;
-			interrupts = <GIC_SPI 144 IRQ_TYPE_LEVEL_HIGH>;
-			big-endian;
+			interrupts = <GIC_SPI 17 IRQ_TYPE_LEVEL_HIGH>;
+			little-endian;
 		};
 
 		dcfg: syscon@1e00000 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 31/78] arm64: dts: zii-ultra: fix 12V_MAIN voltage
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-06-08 18:26 ` [PATCH 5.4 30/78] arm64: dts: ls1028a: fix memory node Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 32/78] ARM: dts: imx7d-meerkat96: Fix the tuning-step property Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lucas Stach, Shawn Guo, Sasha Levin

From: Lucas Stach <l.stach@pengutronix.de>

[ Upstream commit ac0cbf9d13dccfd09bebc2f8f5697b6d3ffe27c4 ]

As this is a fixed regulator on the board there was no harm in the wrong
voltage being specified, apart from a confusing reporting to userspace.

Fixes: 4a13b3bec3b4 ("arm64: dts: imx: add Zii Ultra board support")
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi b/arch/arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi
index 32ce14936b01..f385b143b308 100644
--- a/arch/arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi
@@ -45,8 +45,8 @@
 	reg_12p0_main: regulator-12p0-main {
 		compatible = "regulator-fixed";
 		regulator-name = "12V_MAIN";
-		regulator-min-microvolt = <5000000>;
-		regulator-max-microvolt = <5000000>;
+		regulator-min-microvolt = <12000000>;
+		regulator-max-microvolt = <12000000>;
 		regulator-always-on;
 	};
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 32/78] ARM: dts: imx7d-meerkat96: Fix the tuning-step property
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 31/78] arm64: dts: zii-ultra: fix 12V_MAIN voltage Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 33/78] ARM: dts: imx7d-pico: " Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Shawn Guo, Sasha Levin

From: Fabio Estevam <festevam@gmail.com>

[ Upstream commit 7c8f0338cdacc90fdf6468adafa8e27952987f00 ]

According to Documentation/devicetree/bindings/mmc/fsl-imx-esdhc.yaml, the
correct name of the property is 'fsl,tuning-step'.

Fix it accordingly.

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Fixes: ae7b3384b61b ("ARM: dts: Add support for 96Boards Meerkat96 board")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx7d-meerkat96.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/imx7d-meerkat96.dts b/arch/arm/boot/dts/imx7d-meerkat96.dts
index 5339210b63d0..dd8003bd1fc0 100644
--- a/arch/arm/boot/dts/imx7d-meerkat96.dts
+++ b/arch/arm/boot/dts/imx7d-meerkat96.dts
@@ -193,7 +193,7 @@
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_usdhc1>;
 	keep-power-in-suspend;
-	tuning-step = <2>;
+	fsl,tuning-step = <2>;
 	vmmc-supply = <&reg_3p3v>;
 	no-1-8-v;
 	broken-cd;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 33/78] ARM: dts: imx7d-pico: Fix the tuning-step property
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 32/78] ARM: dts: imx7d-meerkat96: Fix the tuning-step property Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 34/78] ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Shawn Guo, Sasha Levin

From: Fabio Estevam <festevam@gmail.com>

[ Upstream commit 0e2fa4959c4f44815ce33e46e4054eeb0f346053 ]

According to Documentation/devicetree/bindings/mmc/fsl-imx-esdhc.yaml, the
correct name of the property is 'fsl,tuning-step'.

Fix it accordingly.

Signed-off-by: Fabio Estevam <festevam@gmail.com>
Fixes: f13f571ac8a1 ("ARM: dts: imx7d-pico: Extend peripherals support")
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx7d-pico.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/imx7d-pico.dtsi b/arch/arm/boot/dts/imx7d-pico.dtsi
index 6f50ebf31a0a..8a8df54ff563 100644
--- a/arch/arm/boot/dts/imx7d-pico.dtsi
+++ b/arch/arm/boot/dts/imx7d-pico.dtsi
@@ -307,7 +307,7 @@
 	pinctrl-2 = <&pinctrl_usdhc1_200mhz>;
 	cd-gpios = <&gpio5 0 GPIO_ACTIVE_LOW>;
 	bus-width = <4>;
-	tuning-step = <2>;
+	fsl,tuning-step = <2>;
 	vmmc-supply = <&reg_3p3v>;
 	wakeup-source;
 	no-1-8-v;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 34/78] ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 33/78] ARM: dts: imx7d-pico: " Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 35/78] bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geert Uytterhoeven, Laurent Pinchart,
	Shawn Guo, Sasha Levin

From: Geert Uytterhoeven <geert+renesas@glider.be>

[ Upstream commit b73eb6b3b91ff7d76cff5f8c7ab92fe0c51e3829 ]

According to the DT bindings, #gpio-cells must be two.

Fixes: 63e71fedc07c4ece ("ARM: dts: Add support for emtrion emCON-MX6 series")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi b/arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi
index 828cf3e39784..c4e146f3341b 100644
--- a/arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi
+++ b/arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi
@@ -126,7 +126,7 @@
 		compatible = "nxp,pca8574";
 		reg = <0x3a>;
 		gpio-controller;
-		#gpio-cells = <1>;
+		#gpio-cells = <2>;
 	};
 };
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 35/78] bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 34/78] ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 36/78] tipc: add extack messages for bearer/media failure Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carl Philipp Klemm, Ivan Jelincic,
	Merlijn Wajer, Pavel Machek, Sebastian Reichel,
	Sicelo A. Mhlongo, Tony Lindgren, Sasha Levin

From: Tony Lindgren <tony@atomide.com>

[ Upstream commit c8692ad416dcc420ce1b403596a425c8f4c2720b ]

Looks like the swsup_sidle_act quirk handling is unreliable for serial
ports. The serial ports just eventually stop idling until woken up and
re-idled again. As the serial port not idling blocks any deeper SoC idle
states, it's adds an annoying random flakeyness for power management.

Let's just switch to swsup_sidle quirk instead like we already do for
omap3 uarts. This means we manually idle the port instead of trying to
use the hardware autoidle features when not in use.

For more details on why the serial ports have been using swsup_idle_act,
see commit 66dde54e978a ("ARM: OMAP2+: hwmod-data: UART IP needs software
control to manage sidle modes"). It seems that the swsup_idle_act quirk
handling is not enough though, and for example the TI Android kernel
changed to using swsup_sidle with commit 77c34c84e1e0 ("OMAP4: HWMOD:
UART1: disable smart-idle.").

Fixes: b4a9a7a38917 ("bus: ti-sysc: Handle swsup idle mode quirks")
Cc: Carl Philipp Klemm <philipp@uvos.xyz>
Cc: Ivan Jelincic <parazyd@dyne.org>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Cc: Sicelo A. Mhlongo <absicsz@gmail.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bus/ti-sysc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
index d59e1ca9990b..90053c4a8290 100644
--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -1376,9 +1376,9 @@ static const struct sysc_revision_quirk sysc_revision_quirks[] = {
 		   SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE),
 	/* Uarts on omap4 and later */
 	SYSC_QUIRK("uart", 0, 0x50, 0x54, 0x58, 0x50411e03, 0xffff00ff,
-		   SYSC_QUIRK_SWSUP_SIDLE_ACT | SYSC_QUIRK_LEGACY_IDLE),
+		   SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE),
 	SYSC_QUIRK("uart", 0, 0x50, 0x54, 0x58, 0x47422e03, 0xffffffff,
-		   SYSC_QUIRK_SWSUP_SIDLE_ACT | SYSC_QUIRK_LEGACY_IDLE),
+		   SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_LEGACY_IDLE),
 
 	/* Quirks that need to be set based on the module address */
 	SYSC_QUIRK("mcpdm", 0x40132000, 0, 0x10, -ENODEV, 0x50000800, 0xffffffff,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 36/78] tipc: add extack messages for bearer/media failure
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 35/78] bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 37/78] tipc: fix unique bearer names sanity check Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Hoang Le, David S. Miller,
	Sasha Levin

From: Hoang Le <hoang.h.le@dektech.com.au>

[ Upstream commit b83e214b2e04204f1fc674574362061492c37245 ]

Add extack error messages for -EINVAL errors when enabling bearer,
getting/setting properties for a media/bearer

Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/bearer.c | 50 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 40 insertions(+), 10 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 0214aa1c4427..0e0161597749 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -233,7 +233,8 @@ void tipc_bearer_remove_dest(struct net *net, u32 bearer_id, u32 dest)
  */
 static int tipc_enable_bearer(struct net *net, const char *name,
 			      u32 disc_domain, u32 prio,
-			      struct nlattr *attr[])
+			      struct nlattr *attr[],
+			      struct netlink_ext_ack *extack)
 {
 	struct tipc_net *tn = tipc_net(net);
 	struct tipc_bearer_names b_names;
@@ -247,17 +248,20 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 
 	if (!bearer_name_validate(name, &b_names)) {
 		errstr = "illegal name";
+		NL_SET_ERR_MSG(extack, "Illegal name");
 		goto rejected;
 	}
 
 	if (prio > TIPC_MAX_LINK_PRI && prio != TIPC_MEDIA_LINK_PRI) {
 		errstr = "illegal priority";
+		NL_SET_ERR_MSG(extack, "Illegal priority");
 		goto rejected;
 	}
 
 	m = tipc_media_find(b_names.media_name);
 	if (!m) {
 		errstr = "media not registered";
+		NL_SET_ERR_MSG(extack, "Media not registered");
 		goto rejected;
 	}
 
@@ -271,6 +275,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 			break;
 		if (!strcmp(name, b->name)) {
 			errstr = "already enabled";
+			NL_SET_ERR_MSG(extack, "Already enabled");
 			goto rejected;
 		}
 		bearer_id++;
@@ -282,6 +287,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 			name, prio);
 		if (prio == TIPC_MIN_LINK_PRI) {
 			errstr = "cannot adjust to lower";
+			NL_SET_ERR_MSG(extack, "Cannot adjust to lower");
 			goto rejected;
 		}
 		pr_warn("Bearer <%s>: trying with adjusted priority\n", name);
@@ -292,6 +298,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 
 	if (bearer_id >= MAX_BEARERS) {
 		errstr = "max 3 bearers permitted";
+		NL_SET_ERR_MSG(extack, "Max 3 bearers permitted");
 		goto rejected;
 	}
 
@@ -305,6 +312,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 	if (res) {
 		kfree(b);
 		errstr = "failed to enable media";
+		NL_SET_ERR_MSG(extack, "Failed to enable media");
 		goto rejected;
 	}
 
@@ -320,6 +328,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 	if (res) {
 		bearer_disable(net, b);
 		errstr = "failed to create discoverer";
+		NL_SET_ERR_MSG(extack, "Failed to create discoverer");
 		goto rejected;
 	}
 
@@ -862,6 +871,7 @@ int tipc_nl_bearer_get(struct sk_buff *skb, struct genl_info *info)
 	bearer = tipc_bearer_find(net, name);
 	if (!bearer) {
 		err = -EINVAL;
+		NL_SET_ERR_MSG(info->extack, "Bearer not found");
 		goto err_out;
 	}
 
@@ -901,8 +911,10 @@ int __tipc_nl_bearer_disable(struct sk_buff *skb, struct genl_info *info)
 	name = nla_data(attrs[TIPC_NLA_BEARER_NAME]);
 
 	bearer = tipc_bearer_find(net, name);
-	if (!bearer)
+	if (!bearer) {
+		NL_SET_ERR_MSG(info->extack, "Bearer not found");
 		return -EINVAL;
+	}
 
 	bearer_disable(net, bearer);
 
@@ -960,7 +972,8 @@ int __tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
 			prio = nla_get_u32(props[TIPC_NLA_PROP_PRIO]);
 	}
 
-	return tipc_enable_bearer(net, bearer, domain, prio, attrs);
+	return tipc_enable_bearer(net, bearer, domain, prio, attrs,
+				  info->extack);
 }
 
 int tipc_nl_bearer_enable(struct sk_buff *skb, struct genl_info *info)
@@ -999,6 +1012,7 @@ int tipc_nl_bearer_add(struct sk_buff *skb, struct genl_info *info)
 	b = tipc_bearer_find(net, name);
 	if (!b) {
 		rtnl_unlock();
+		NL_SET_ERR_MSG(info->extack, "Bearer not found");
 		return -EINVAL;
 	}
 
@@ -1039,8 +1053,10 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
 	name = nla_data(attrs[TIPC_NLA_BEARER_NAME]);
 
 	b = tipc_bearer_find(net, name);
-	if (!b)
+	if (!b) {
+		NL_SET_ERR_MSG(info->extack, "Bearer not found");
 		return -EINVAL;
+	}
 
 	if (attrs[TIPC_NLA_BEARER_PROP]) {
 		struct nlattr *props[TIPC_NLA_PROP_MAX + 1];
@@ -1059,12 +1075,18 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
 		if (props[TIPC_NLA_PROP_WIN])
 			b->window = nla_get_u32(props[TIPC_NLA_PROP_WIN]);
 		if (props[TIPC_NLA_PROP_MTU]) {
-			if (b->media->type_id != TIPC_MEDIA_TYPE_UDP)
+			if (b->media->type_id != TIPC_MEDIA_TYPE_UDP) {
+				NL_SET_ERR_MSG(info->extack,
+					       "MTU property is unsupported");
 				return -EINVAL;
+			}
 #ifdef CONFIG_TIPC_MEDIA_UDP
 			if (tipc_udp_mtu_bad(nla_get_u32
-					     (props[TIPC_NLA_PROP_MTU])))
+					     (props[TIPC_NLA_PROP_MTU]))) {
+				NL_SET_ERR_MSG(info->extack,
+					       "MTU value is out-of-range");
 				return -EINVAL;
+			}
 			b->mtu = nla_get_u32(props[TIPC_NLA_PROP_MTU]);
 			tipc_node_apply_property(net, b, TIPC_NLA_PROP_MTU);
 #endif
@@ -1192,6 +1214,7 @@ int tipc_nl_media_get(struct sk_buff *skb, struct genl_info *info)
 	rtnl_lock();
 	media = tipc_media_find(name);
 	if (!media) {
+		NL_SET_ERR_MSG(info->extack, "Media not found");
 		err = -EINVAL;
 		goto err_out;
 	}
@@ -1228,9 +1251,10 @@ int __tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
 	name = nla_data(attrs[TIPC_NLA_MEDIA_NAME]);
 
 	m = tipc_media_find(name);
-	if (!m)
+	if (!m) {
+		NL_SET_ERR_MSG(info->extack, "Media not found");
 		return -EINVAL;
-
+	}
 	if (attrs[TIPC_NLA_MEDIA_PROP]) {
 		struct nlattr *props[TIPC_NLA_PROP_MAX + 1];
 
@@ -1246,12 +1270,18 @@ int __tipc_nl_media_set(struct sk_buff *skb, struct genl_info *info)
 		if (props[TIPC_NLA_PROP_WIN])
 			m->window = nla_get_u32(props[TIPC_NLA_PROP_WIN]);
 		if (props[TIPC_NLA_PROP_MTU]) {
-			if (m->type_id != TIPC_MEDIA_TYPE_UDP)
+			if (m->type_id != TIPC_MEDIA_TYPE_UDP) {
+				NL_SET_ERR_MSG(info->extack,
+					       "MTU property is unsupported");
 				return -EINVAL;
+			}
 #ifdef CONFIG_TIPC_MEDIA_UDP
 			if (tipc_udp_mtu_bad(nla_get_u32
-					     (props[TIPC_NLA_PROP_MTU])))
+					     (props[TIPC_NLA_PROP_MTU]))) {
+				NL_SET_ERR_MSG(info->extack,
+					       "MTU value is out-of-range");
 				return -EINVAL;
+			}
 			m->mtu = nla_get_u32(props[TIPC_NLA_PROP_MTU]);
 #endif
 		}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 37/78] tipc: fix unique bearer names sanity check
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 36/78] tipc: add extack messages for bearer/media failure Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 38/78] Bluetooth: fix the erroneous flush_work() order Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jon Maloy, Hoang Le, David S. Miller,
	Sasha Levin

From: Hoang Le <hoang.h.le@dektech.com.au>

[ Upstream commit f20a46c3044c3f75232b3d0e2d09af9b25efaf45 ]

When enabling a bearer by name, we don't sanity check its name with
higher slot in bearer list. This may have the effect that the name
of an already enabled bearer bypasses the check.

To fix the above issue, we just perform an extra checking with all
existing bearers.

Fixes: cb30a63384bc9 ("tipc: refactor function tipc_enable_bearer()")
Cc: stable@vger.kernel.org
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/bearer.c | 46 +++++++++++++++++++++++++++-------------------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 0e0161597749..8bd2454cc89d 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -245,6 +245,7 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 	int bearer_id = 0;
 	int res = -EINVAL;
 	char *errstr = "";
+	u32 i;
 
 	if (!bearer_name_validate(name, &b_names)) {
 		errstr = "illegal name";
@@ -269,31 +270,38 @@ static int tipc_enable_bearer(struct net *net, const char *name,
 		prio = m->priority;
 
 	/* Check new bearer vs existing ones and find free bearer id if any */
-	while (bearer_id < MAX_BEARERS) {
-		b = rtnl_dereference(tn->bearer_list[bearer_id]);
-		if (!b)
-			break;
+	bearer_id = MAX_BEARERS;
+	i = MAX_BEARERS;
+	while (i-- != 0) {
+		b = rtnl_dereference(tn->bearer_list[i]);
+		if (!b) {
+			bearer_id = i;
+			continue;
+		}
 		if (!strcmp(name, b->name)) {
 			errstr = "already enabled";
 			NL_SET_ERR_MSG(extack, "Already enabled");
 			goto rejected;
 		}
-		bearer_id++;
-		if (b->priority != prio)
-			continue;
-		if (++with_this_prio <= 2)
-			continue;
-		pr_warn("Bearer <%s>: already 2 bearers with priority %u\n",
-			name, prio);
-		if (prio == TIPC_MIN_LINK_PRI) {
-			errstr = "cannot adjust to lower";
-			NL_SET_ERR_MSG(extack, "Cannot adjust to lower");
-			goto rejected;
+
+		if (b->priority == prio &&
+		    (++with_this_prio > 2)) {
+			pr_warn("Bearer <%s>: already 2 bearers with priority %u\n",
+				name, prio);
+
+			if (prio == TIPC_MIN_LINK_PRI) {
+				errstr = "cannot adjust to lower";
+				NL_SET_ERR_MSG(extack, "Cannot adjust to lower");
+				goto rejected;
+			}
+
+			pr_warn("Bearer <%s>: trying with adjusted priority\n",
+				name);
+			prio--;
+			bearer_id = MAX_BEARERS;
+			i = MAX_BEARERS;
+			with_this_prio = 1;
 		}
-		pr_warn("Bearer <%s>: trying with adjusted priority\n", name);
-		prio--;
-		bearer_id = 0;
-		with_this_prio = 1;
 	}
 
 	if (bearer_id >= MAX_BEARERS) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 38/78] Bluetooth: fix the erroneous flush_work() order
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 37/78] tipc: fix unique bearer names sanity check Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marcel Holtmann, Johan Hedberg,
	Luiz Augusto von Dentz, David S. Miller, Jakub Kicinski,
	linux-bluetooth, netdev, Lin Ma, Hao Xiong

From: Lin Ma <linma@zju.edu.cn>

commit 6a137caec23aeb9e036cdfd8a46dd8a366460e5d upstream.

In the cleanup routine for failed initialization of HCI device,
the flush_work(&hdev->rx_work) need to be finished before the
flush_work(&hdev->cmd_work). Otherwise, the hci_rx_work() can
possibly invoke new cmd_work and cause a bug, like double free,
in late processings.

This was assigned CVE-2021-3564.

This patch reorder the flush_work() to fix this bug.

Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: Luiz Augusto von Dentz <luiz.dentz@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Hao Xiong <mart1n@zju.edu.cn>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_core.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1561,8 +1561,13 @@ setup_failed:
 	} else {
 		/* Init failed, cleanup */
 		flush_work(&hdev->tx_work);
-		flush_work(&hdev->cmd_work);
+
+		/* Since hci_rx_work() is possible to awake new cmd_work
+		 * it should be flushed first to avoid unexpected call of
+		 * hci_cmd_work()
+		 */
 		flush_work(&hdev->rx_work);
+		flush_work(&hdev->cmd_work);
 
 		skb_queue_purge(&hdev->cmd_q);
 		skb_queue_purge(&hdev->rx_q);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 38/78] Bluetooth: fix the erroneous flush_work() order Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-14 14:15   ` Eric Dumazet
  2021-06-08 18:27 ` [PATCH 5.4 40/78] net: caif: added cfserl_release function Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  83 siblings, 1 reply; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lin Ma, Marcel Holtmann

From: Lin Ma <linma@zju.edu.cn>

commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.

The hci_sock_dev_event() function will cleanup the hdev object for
sockets even if this object may still be in used within the
hci_sock_bound_ioctl() function, result in UAF vulnerability.

This patch replace the BH context lock to serialize these affairs
and prevent the race condition.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/bluetooth/hci_sock.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			bh_lock_sock_nested(sk);
+			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
@@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *
 
 				hci_dev_put(hdev);
 			}
-			bh_unlock_sock(sk);
+			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 40/78] net: caif: added cfserl_release function
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 41/78] net: caif: add proper error handling Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller

From: Pavel Skripkin <paskripkin@gmail.com>

commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream.

Added cfserl_release() function.

Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/caif/cfserl.h |    1 +
 net/caif/cfserl.c         |    5 +++++
 2 files changed, 6 insertions(+)

--- a/include/net/caif/cfserl.h
+++ b/include/net/caif/cfserl.h
@@ -9,4 +9,5 @@
 #include <net/caif/caif_layer.h>
 
 struct cflayer *cfserl_create(int instance, bool use_stx);
+void cfserl_release(struct cflayer *layer);
 #endif
--- a/net/caif/cfserl.c
+++ b/net/caif/cfserl.c
@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye
 static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
 			   int phyid);
 
+void cfserl_release(struct cflayer *layer)
+{
+	kfree(layer);
+}
+
 struct cflayer *cfserl_create(int instance, bool use_stx)
 {
 	struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 41/78] net: caif: add proper error handling
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 40/78] net: caif: added cfserl_release function Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 42/78] net: caif: fix memory leak in caif_device_notify Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller

From: Pavel Skripkin <paskripkin@gmail.com>

commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream.

caif_enroll_dev() can fail in some cases. Ingnoring
these cases can lead to memory leak due to not assigning
link_support pointer to anywhere.

Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/caif/caif_dev.h |    2 +-
 include/net/caif/cfcnfg.h   |    2 +-
 net/caif/caif_dev.c         |    8 +++++---
 net/caif/cfcnfg.c           |   16 +++++++++++-----
 4 files changed, 18 insertions(+), 10 deletions(-)

--- a/include/net/caif/caif_dev.h
+++ b/include/net/caif/caif_dev.h
@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad
  * The link_support layer is used to add any Link Layer specific
  * framing.
  */
-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
 			struct cflayer *link_support, int head_room,
 			struct cflayer **layer, int (**rcv_func)(
 				struct sk_buff *, struct net_device *,
--- a/include/net/caif/cfcnfg.h
+++ b/include/net/caif/cfcnfg.h
@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg);
  * @fcs:	Specify if checksum is used in CAIF Framing Layer.
  * @head_room:	Head space needed by link specific protocol.
  */
-void
+int
 cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
 		     struct net_device *dev, struct cflayer *phy_layer,
 		     enum cfcnfg_phy_preference pref,
--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -307,7 +307,7 @@ static void dev_flowctrl(struct net_devi
 	caifd_put(caifd);
 }
 
-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
 		     struct cflayer *link_support, int head_room,
 		     struct cflayer **layer,
 		     int (**rcv_func)(struct sk_buff *, struct net_device *,
@@ -318,11 +318,12 @@ void caif_enroll_dev(struct net_device *
 	enum cfcnfg_phy_preference pref;
 	struct cfcnfg *cfg = get_cfcnfg(dev_net(dev));
 	struct caif_device_entry_list *caifdevs;
+	int res;
 
 	caifdevs = caif_device_list(dev_net(dev));
 	caifd = caif_device_alloc(dev);
 	if (!caifd)
-		return;
+		return -ENOMEM;
 	*layer = &caifd->layer;
 	spin_lock_init(&caifd->flow_lock);
 
@@ -343,7 +344,7 @@ void caif_enroll_dev(struct net_device *
 	strlcpy(caifd->layer.name, dev->name,
 		sizeof(caifd->layer.name));
 	caifd->layer.transmit = transmit;
-	cfcnfg_add_phy_layer(cfg,
+	res = cfcnfg_add_phy_layer(cfg,
 				dev,
 				&caifd->layer,
 				pref,
@@ -353,6 +354,7 @@ void caif_enroll_dev(struct net_device *
 	mutex_unlock(&caifdevs->lock);
 	if (rcv_func)
 		*rcv_func = receive;
+	return res;
 }
 EXPORT_SYMBOL(caif_enroll_dev);
 
--- a/net/caif/cfcnfg.c
+++ b/net/caif/cfcnfg.c
@@ -450,7 +450,7 @@ unlock:
 	rcu_read_unlock();
 }
 
-void
+int
 cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
 		     struct net_device *dev, struct cflayer *phy_layer,
 		     enum cfcnfg_phy_preference pref,
@@ -459,7 +459,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
 {
 	struct cflayer *frml;
 	struct cfcnfg_phyinfo *phyinfo = NULL;
-	int i;
+	int i, res = 0;
 	u8 phyid;
 
 	mutex_lock(&cnfg->lock);
@@ -473,12 +473,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
 			goto got_phyid;
 	}
 	pr_warn("Too many CAIF Link Layers (max 6)\n");
+	res = -EEXIST;
 	goto out;
 
 got_phyid:
 	phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
-	if (!phyinfo)
+	if (!phyinfo) {
+		res = -ENOMEM;
 		goto out_err;
+	}
 
 	phy_layer->id = phyid;
 	phyinfo->pref = pref;
@@ -492,8 +495,10 @@ got_phyid:
 
 	frml = cffrml_create(phyid, fcs);
 
-	if (!frml)
+	if (!frml) {
+		res = -ENOMEM;
 		goto out_err;
+	}
 	phyinfo->frm_layer = frml;
 	layer_set_up(frml, cnfg->mux);
 
@@ -511,11 +516,12 @@ got_phyid:
 	list_add_rcu(&phyinfo->node, &cnfg->phys);
 out:
 	mutex_unlock(&cnfg->lock);
-	return;
+	return res;
 
 out_err:
 	kfree(phyinfo);
 	mutex_unlock(&cnfg->lock);
+	return res;
 }
 EXPORT_SYMBOL(cfcnfg_add_phy_layer);
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 42/78] net: caif: fix memory leak in caif_device_notify
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 41/78] net: caif: add proper error handling Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 43/78] net: caif: fix memory leak in cfusbl_device_notify Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller,
	syzbot+7ec324747ce876a29db6

From: Pavel Skripkin <paskripkin@gmail.com>

commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream.

In case of caif_enroll_dev() fail, allocated
link_support won't be assigned to the corresponding
structure. So simply free allocated pointer in case
of error

Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
Cc: stable@vger.kernel.org
Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/caif/caif_dev.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/caif/caif_dev.c
+++ b/net/caif/caif_dev.c
@@ -369,6 +369,7 @@ static int caif_device_notify(struct not
 	struct cflayer *layer, *link_support;
 	int head_room = 0;
 	struct caif_device_entry_list *caifdevs;
+	int res;
 
 	cfg = get_cfcnfg(dev_net(dev));
 	caifdevs = caif_device_list(dev_net(dev));
@@ -394,8 +395,10 @@ static int caif_device_notify(struct not
 				break;
 			}
 		}
-		caif_enroll_dev(dev, caifdev, link_support, head_room,
+		res = caif_enroll_dev(dev, caifdev, link_support, head_room,
 				&layer, NULL);
+		if (res)
+			cfserl_release(link_support);
 		caifdev->flowctrl = dev_flowctrl;
 		break;
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 43/78] net: caif: fix memory leak in cfusbl_device_notify
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 42/78] net: caif: fix memory leak in caif_device_notify Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 44/78] HID: i2c-hid: Skip ELAN power-on command after reset Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller

From: Pavel Skripkin <paskripkin@gmail.com>

commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream.

In case of caif_enroll_dev() fail, allocated
link_support won't be assigned to the corresponding
structure. So simply free allocated pointer in case
of error.

Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/caif/caif_usb.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- a/net/caif/caif_usb.c
+++ b/net/caif/caif_usb.c
@@ -115,6 +115,11 @@ static struct cflayer *cfusbl_create(int
 	return (struct cflayer *) this;
 }
 
+static void cfusbl_release(struct cflayer *layer)
+{
+	kfree(layer);
+}
+
 static struct packet_type caif_usb_type __read_mostly = {
 	.type = cpu_to_be16(ETH_P_802_EX1),
 };
@@ -127,6 +132,7 @@ static int cfusbl_device_notify(struct n
 	struct cflayer *layer, *link_support;
 	struct usbnet *usbnet;
 	struct usb_device *usbdev;
+	int res;
 
 	/* Check whether we have a NCM device, and find its VID/PID. */
 	if (!(dev->dev.parent && dev->dev.parent->driver &&
@@ -169,8 +175,11 @@ static int cfusbl_device_notify(struct n
 	if (dev->num_tx_queues > 1)
 		pr_warn("USB device uses more than one tx queue\n");
 
-	caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
+	res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
 			&layer, &caif_usb_type.func);
+	if (res)
+		goto err;
+
 	if (!pack_added)
 		dev_add_pack(&caif_usb_type);
 	pack_added = true;
@@ -178,6 +187,9 @@ static int cfusbl_device_notify(struct n
 	strlcpy(layer->name, dev->name, sizeof(layer->name));
 
 	return 0;
+err:
+	cfusbl_release(link_support);
+	return res;
 }
 
 static struct notifier_block caif_device_notifier = {



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 44/78] HID: i2c-hid: Skip ELAN power-on command after reset
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 43/78] net: caif: fix memory leak in cfusbl_device_notify Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 45/78] HID: magicmouse: fix NULL-deref on disconnect Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johnny Chuang, Harry Cutts,
	Douglas Anderson, Benjamin Tissoires

From: Johnny Chuang <johnny.chuang.emc@gmail.com>

commit ca66a6770bd9d6d99e469debd1c7363ac455daf9 upstream.

For ELAN touchscreen, we found our boot code of IC was not flexible enough
to receive and handle this command.
Once the FW main code of our controller is crashed for some reason,
the controller could not be enumerated successfully to be recognized
by the system host. therefore, it lost touch functionality.

Add quirk for skip send power-on command after reset.
It will impact to ELAN touchscreen and touchpad on HID over I2C projects.

Fixes: 43b7029f475e ("HID: i2c-hid: Send power-on command after reset").

Cc: stable@vger.kernel.org
Signed-off-by: Johnny Chuang <johnny.chuang.emc@gmail.com>
Reviewed-by: Harry Cutts <hcutts@chromium.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Tested-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/i2c-hid/i2c-hid-core.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/hid/i2c-hid/i2c-hid-core.c
+++ b/drivers/hid/i2c-hid/i2c-hid-core.c
@@ -50,6 +50,7 @@
 #define I2C_HID_QUIRK_BOGUS_IRQ			BIT(4)
 #define I2C_HID_QUIRK_RESET_ON_RESUME		BIT(5)
 #define I2C_HID_QUIRK_BAD_INPUT_SIZE		BIT(6)
+#define I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET	BIT(7)
 
 
 /* flags */
@@ -185,6 +186,11 @@ static const struct i2c_hid_quirks {
 		 I2C_HID_QUIRK_RESET_ON_RESUME },
 	{ USB_VENDOR_ID_ITE, I2C_DEVICE_ID_ITE_LENOVO_LEGION_Y720,
 		I2C_HID_QUIRK_BAD_INPUT_SIZE },
+	/*
+	 * Sending the wakeup after reset actually break ELAN touchscreen controller
+	 */
+	{ USB_VENDOR_ID_ELAN, HID_ANY_ID,
+		 I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET },
 	{ 0, 0 }
 };
 
@@ -468,7 +474,8 @@ static int i2c_hid_hwreset(struct i2c_cl
 	}
 
 	/* At least some SIS devices need this after reset */
-	ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
+	if (!(ihid->quirks & I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET))
+		ret = i2c_hid_set_power(client, I2C_HID_PWR_ON);
 
 out_unlock:
 	mutex_unlock(&ihid->reset_lock);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 45/78] HID: magicmouse: fix NULL-deref on disconnect
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 44/78] HID: i2c-hid: Skip ELAN power-on command after reset Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 46/78] HID: multitouch: require Finger field to mark Win8 reports as MT Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+ee6f6e2e68886ca256a8,
	Claudio Mettler, Marek Wyborski, Sean OBrien, Johan Hovold,
	Jiri Kosina

From: Johan Hovold <johan@kernel.org>

commit 4b4f6cecca446abcb686c6e6c451d4f1ec1a7497 upstream.

Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic
Trackpad 2") added a sanity check for an Apple trackpad but returned
success instead of -ENODEV when the check failed. This means that the
remove callback will dereference the never-initialised driver data
pointer when the driver is later unbound (e.g. on USB disconnect).

Reported-by: syzbot+ee6f6e2e68886ca256a8@syzkaller.appspotmail.com
Fixes: 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2")
Cc: stable@vger.kernel.org      # 4.20
Cc: Claudio Mettler <claudio@ponyfleisch.ch>
Cc: Marek Wyborski <marek.wyborski@emwesoft.com>
Cc: Sean O'Brien <seobrien@chromium.org>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-magicmouse.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hid/hid-magicmouse.c
+++ b/drivers/hid/hid-magicmouse.c
@@ -597,7 +597,7 @@ static int magicmouse_probe(struct hid_d
 	if (id->vendor == USB_VENDOR_ID_APPLE &&
 	    id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 &&
 	    hdev->type != HID_TYPE_USBMOUSE)
-		return 0;
+		return -ENODEV;
 
 	msc = devm_kzalloc(&hdev->dev, sizeof(*msc), GFP_KERNEL);
 	if (msc == NULL) {



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 46/78] HID: multitouch: require Finger field to mark Win8 reports as MT
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 45/78] HID: magicmouse: fix NULL-deref on disconnect Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 47/78] ALSA: timer: Fix master timer notification Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ahelenia Ziemiańska,
	Benjamin Tissoires, Jiri Kosina

From: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>

commit a2353e3b26012ff43bcdf81d37a3eaddd7ecdbf3 upstream.

This effectively changes collection_is_mt from
  contact ID in report->field
to
  (device is Win8 => collection is finger) && contact ID in report->field

Some devices erroneously report Pen for fingers, and Win8 stylus-on-touchscreen
devices report contact ID, but mark the accompanying touchscreen device's
collection correctly

Cc: stable@vger.kernel.org
Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/hid-multitouch.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -611,9 +611,13 @@ static struct mt_report_data *mt_allocat
 		if (!(HID_MAIN_ITEM_VARIABLE & field->flags))
 			continue;
 
-		for (n = 0; n < field->report_count; n++) {
-			if (field->usage[n].hid == HID_DG_CONTACTID)
-				rdata->is_mt_collection = true;
+		if (field->logical == HID_DG_FINGER || td->hdev->group != HID_GROUP_MULTITOUCH_WIN_8) {
+			for (n = 0; n < field->report_count; n++) {
+				if (field->usage[n].hid == HID_DG_CONTACTID) {
+					rdata->is_mt_collection = true;
+					break;
+				}
+			}
 		}
 	}
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 47/78] ALSA: timer: Fix master timer notification
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 46/78] HID: multitouch: require Finger field to mark Win8 reports as MT Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 48/78] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d102fa5b35335a7e544e,
	Jaroslav Kysela, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream.

snd_timer_notify1() calls the notification to each slave for a master
event, but it passes a wrong event number.  It should be +10 offset,
corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with
+100 offset.  Casually this was spotted by UBSAN check via syzkaller.

Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com
Reviewed-by: Jaroslav Kysela <perex@perex.cz>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com
Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/core/timer.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/sound/core/timer.c
+++ b/sound/core/timer.c
@@ -491,9 +491,10 @@ static void snd_timer_notify1(struct snd
 		return;
 	if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
 		return;
+	event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */
 	list_for_each_entry(ts, &ti->slave_active_head, active_list)
 		if (ts->ccallback)
-			ts->ccallback(ts, event + 100, &tstamp, resolution);
+			ts->ccallback(ts, event, &tstamp, resolution);
 }
 
 /* start/continue a master timer */



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 48/78] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 47/78] ALSA: timer: Fix master timer notification Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 49/78] ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Carlos M, Takashi Iwai

From: Carlos M <carlos.marr.pz@gmail.com>

commit 901be145a46eb79879367d853194346a549e623d upstream.

For the HP Pavilion 15-CK0xx, with audio subsystem ID 0x103c:0x841c,
adding a line in patch_realtek.c to apply the ALC269_FIXUP_HP_MUTE_LED_MIC3
fix activates the mute key LED.

Signed-off-by: Carlos M <carlos.marr.pz@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210531202026.35427-1-carlos.marr.pz@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8062,6 +8062,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x103c, 0x82bf, "HP G3 mini", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x82c0, "HP G3 mini premium", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x83b9, "HP Spectre x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+	SND_PCI_QUIRK(0x103c, 0x841c, "HP Pavilion 15-CK0xx", ALC269_FIXUP_HP_MUTE_LED_MIC3),
 	SND_PCI_QUIRK(0x103c, 0x8497, "HP Envy x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
 	SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
 	SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 49/78] ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 48/78] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 50/78] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michal Vokáč,
	Andrew Lunn, Shawn Guo

From: Michal Vokáč <michal.vokac@ysoft.com>

commit 0e4a4a08cd78efcaddbc2e4c5ed86b5a5cb8a15e upstream.

The FEC does not have a PHY so it should not have a phy-handle. It is
connected to the switch at RGMII level so we need a fixed-link sub-node
on both ends.

This was not a problem until the qca8k.c driver was converted to PHYLINK
by commit b3591c2a3661 ("net: dsa: qca8k: Switch to PHYLINK instead of
PHYLIB"). That commit revealed the FEC configuration was not correct.

Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards")
Cc: stable@vger.kernel.org
Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/imx6dl-yapp4-common.dtsi |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
+++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi
@@ -99,9 +99,13 @@
 	phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>;
 	phy-reset-duration = <20>;
 	phy-supply = <&sw2_reg>;
-	phy-handle = <&ethphy0>;
 	status = "okay";
 
+	fixed-link {
+		speed = <1000>;
+		full-duplex;
+	};
+
 	mdio {
 		#address-cells = <1>;
 		#size-cells = <0>;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 50/78] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 49/78] ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 51/78] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabio Estevam, Marek Vasut,
	Christoph Niedermaier, Ludwig Zenz, NXP Linux Team, Shawn Guo

From: Marek Vasut <marex@denx.de>

commit 8967b27a6c1c19251989c7ab33c058d16e4a5f53 upstream.

Per schematic, both PU and SOC regulator are supplied from LTC3676 SW1
via VDDSOC_IN rail, add the PU input. Both VDD1P1, VDD2P5 are supplied
from LTC3676 SW2 via VDDHIGH_IN rail, add both inputs.

While no instability or problems are currently observed, the regulators
should be fully described in DT and that description should fully match
the hardware, else this might lead to unforseen issues later. Fix this.

Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2")
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Christoph Niedermaier <cniedermaier@dh-electronics.com>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: Ludwig Zenz <lzenz@dh-electronics.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: stable@vger.kernel.org
Reviewed-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/imx6q-dhcom-som.dtsi |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
+++ b/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
@@ -408,6 +408,18 @@
 	vin-supply = <&sw1_reg>;
 };
 
+&reg_pu {
+	vin-supply = <&sw1_reg>;
+};
+
+&reg_vdd1p1 {
+	vin-supply = <&sw2_reg>;
+};
+
+&reg_vdd2p5 {
+	vin-supply = <&sw2_reg>;
+};
+
 &uart1 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_uart1>;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 51/78] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 50/78] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 52/78] usb: dwc2: Fix build in periphal-only mode Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso

From: Ye Bin <yebin10@huawei.com>

commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream.

We got follow bug_on when run fsstress with injecting IO fault:
[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!
[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP
......
[130747.334329] Call trace:
[130747.334553]  ext4_es_cache_extent+0x150/0x168 [ext4]
[130747.334975]  ext4_cache_extents+0x64/0xe8 [ext4]
[130747.335368]  ext4_find_extent+0x300/0x330 [ext4]
[130747.335759]  ext4_ext_map_blocks+0x74/0x1178 [ext4]
[130747.336179]  ext4_map_blocks+0x2f4/0x5f0 [ext4]
[130747.336567]  ext4_mpage_readpages+0x4a8/0x7a8 [ext4]
[130747.336995]  ext4_readpage+0x54/0x100 [ext4]
[130747.337359]  generic_file_buffered_read+0x410/0xae8
[130747.337767]  generic_file_read_iter+0x114/0x190
[130747.338152]  ext4_file_read_iter+0x5c/0x140 [ext4]
[130747.338556]  __vfs_read+0x11c/0x188
[130747.338851]  vfs_read+0x94/0x150
[130747.339110]  ksys_read+0x74/0xf0

This patch's modification is according to Jan Kara's suggestion in:
https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/
"I see. Now I understand your patch. Honestly, seeing how fragile is trying
to fix extent tree after split has failed in the middle, I would probably
go even further and make sure we fix the tree properly in case of ENOSPC
and EDQUOT (those are easily user triggerable).  Anything else indicates a
HW problem or fs corruption so I'd rather leave the extent tree as is and
don't try to fix it (which also means we will not create overlapping
extents)."

Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ext4/extents.c |   43 +++++++++++++++++++++++--------------------
 1 file changed, 23 insertions(+), 20 deletions(-)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3378,7 +3378,10 @@ static int ext4_split_extent_at(handle_t
 		ext4_ext_mark_unwritten(ex2);
 
 	err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
-	if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
+	if (err != -ENOSPC && err != -EDQUOT)
+		goto out;
+
+	if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
 		if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
 			if (split_flag & EXT4_EXT_DATA_VALID1) {
 				err = ext4_ext_zeroout(inode, ex2);
@@ -3404,30 +3407,30 @@ static int ext4_split_extent_at(handle_t
 					      ext4_ext_pblock(&orig_ex));
 		}
 
-		if (err)
-			goto fix_extent_len;
-		/* update the extent length and mark as initialized */
-		ex->ee_len = cpu_to_le16(ee_len);
-		ext4_ext_try_to_merge(handle, inode, path, ex);
-		err = ext4_ext_dirty(handle, inode, path + path->p_depth);
-		if (err)
-			goto fix_extent_len;
-
-		/* update extent status tree */
-		err = ext4_zeroout_es(inode, &zero_ex);
-
-		goto out;
-	} else if (err)
-		goto fix_extent_len;
-
-out:
-	ext4_ext_show_leaf(inode, path);
-	return err;
+		if (!err) {
+			/* update the extent length and mark as initialized */
+			ex->ee_len = cpu_to_le16(ee_len);
+			ext4_ext_try_to_merge(handle, inode, path, ex);
+			err = ext4_ext_dirty(handle, inode, path + path->p_depth);
+			if (!err)
+				/* update extent status tree */
+				err = ext4_zeroout_es(inode, &zero_ex);
+			/* If we failed at this point, we don't know in which
+			 * state the extent tree exactly is so don't try to fix
+			 * length of the original extent as it may do even more
+			 * damage.
+			 */
+			goto out;
+		}
+	}
 
 fix_extent_len:
 	ex->ee_len = orig_ex.ee_len;
 	ext4_ext_dirty(handle, inode, path + path->p_depth);
 	return err;
+out:
+	ext4_ext_show_leaf(inode, path);
+	return err;
 }
 
 /*



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 52/78] usb: dwc2: Fix build in periphal-only mode
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 51/78] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 53/78] pid: take a reference when initializing `cad_pid` Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Phil Elwell

From: Phil Elwell <phil@raspberrypi.com>

In branches to which 24d209dba5a3 ("usb: dwc2: Fix hibernation between
host and device modes.") has been back-ported, the bus_suspended member
of struct dwc2_hsotg is only present in builds that support host-mode.
To avoid having to pull in several more non-Fix commits in order to
get it to compile, wrap the usage of the member in a macro conditional.

Fixes: 24d209dba5a3 ("usb: dwc2: Fix hibernation between host and device modes.")
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/dwc2/core_intr.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/dwc2/core_intr.c
+++ b/drivers/usb/dwc2/core_intr.c
@@ -712,7 +712,11 @@ static inline void dwc_handle_gpwrdn_dis
 	dwc2_writel(hsotg, gpwrdn_tmp, GPWRDN);
 
 	hsotg->hibernated = 0;
+
+#if IS_ENABLED(CONFIG_USB_DWC2_HOST) ||	\
+	IS_ENABLED(CONFIG_USB_DWC2_DUAL_ROLE)
 	hsotg->bus_suspended = 0;
+#endif
 
 	if (gpwrdn & GPWRDN_IDSTS) {
 		hsotg->op_state = OTG_STATE_B_PERIPHERAL;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 53/78] pid: take a reference when initializing `cad_pid`
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 52/78] usb: dwc2: Fix build in periphal-only mode Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 54/78] ocfs2: fix data corruption by fallocate Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Christian Brauner,
	Cedric Le Goater, Christian Brauner, Eric W. Biederman,
	Martin Schwidefsky, Paul Mackerras, Andrew Morton,
	Linus Torvalds

From: Mark Rutland <mark.rutland@arm.com>

commit 0711f0d7050b9e07c44bc159bbc64ac0a1022c7f upstream.

During boot, kernel_init_freeable() initializes `cad_pid` to the init
task's struct pid.  Later on, we may change `cad_pid` via a sysctl, and
when this happens proc_do_cad_pid() will increment the refcount on the
new pid via get_pid(), and will decrement the refcount on the old pid
via put_pid().  As we never called get_pid() when we initialized
`cad_pid`, we decrement a reference we never incremented, can therefore
free the init task's struct pid early.  As there can be dangling
references to the struct pid, we can later encounter a use-after-free
(e.g.  when delivering signals).

This was spotted when fuzzing v5.13-rc3 with Syzkaller, but seems to
have been around since the conversion of `cad_pid` to struct pid in
commit 9ec52099e4b8 ("[PATCH] replace cad_pid by a struct pid") from the
pre-KASAN stone age of v2.6.19.

Fix this by getting a reference to the init task's struct pid when we
assign it to `cad_pid`.

Full KASAN splat below.

   ==================================================================
   BUG: KASAN: use-after-free in ns_of_pid include/linux/pid.h:153 [inline]
   BUG: KASAN: use-after-free in task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
   Read of size 4 at addr ffff23794dda0004 by task syz-executor.0/273

   CPU: 1 PID: 273 Comm: syz-executor.0 Not tainted 5.12.0-00001-g9aef892b2d15 #1
   Hardware name: linux,dummy-virt (DT)
   Call trace:
    ns_of_pid include/linux/pid.h:153 [inline]
    task_active_pid_ns+0xc0/0xc8 kernel/pid.c:509
    do_notify_parent+0x308/0xe60 kernel/signal.c:1950
    exit_notify kernel/exit.c:682 [inline]
    do_exit+0x2334/0x2bd0 kernel/exit.c:845
    do_group_exit+0x108/0x2c8 kernel/exit.c:922
    get_signal+0x4e4/0x2a88 kernel/signal.c:2781
    do_signal arch/arm64/kernel/signal.c:882 [inline]
    do_notify_resume+0x300/0x970 arch/arm64/kernel/signal.c:936
    work_pending+0xc/0x2dc

   Allocated by task 0:
    slab_post_alloc_hook+0x50/0x5c0 mm/slab.h:516
    slab_alloc_node mm/slub.c:2907 [inline]
    slab_alloc mm/slub.c:2915 [inline]
    kmem_cache_alloc+0x1f4/0x4c0 mm/slub.c:2920
    alloc_pid+0xdc/0xc00 kernel/pid.c:180
    copy_process+0x2794/0x5e18 kernel/fork.c:2129
    kernel_clone+0x194/0x13c8 kernel/fork.c:2500
    kernel_thread+0xd4/0x110 kernel/fork.c:2552
    rest_init+0x44/0x4a0 init/main.c:687
    arch_call_rest_init+0x1c/0x28
    start_kernel+0x520/0x554 init/main.c:1064
    0x0

   Freed by task 270:
    slab_free_hook mm/slub.c:1562 [inline]
    slab_free_freelist_hook+0x98/0x260 mm/slub.c:1600
    slab_free mm/slub.c:3161 [inline]
    kmem_cache_free+0x224/0x8e0 mm/slub.c:3177
    put_pid.part.4+0xe0/0x1a8 kernel/pid.c:114
    put_pid+0x30/0x48 kernel/pid.c:109
    proc_do_cad_pid+0x190/0x1b0 kernel/sysctl.c:1401
    proc_sys_call_handler+0x338/0x4b0 fs/proc/proc_sysctl.c:591
    proc_sys_write+0x34/0x48 fs/proc/proc_sysctl.c:617
    call_write_iter include/linux/fs.h:1977 [inline]
    new_sync_write+0x3ac/0x510 fs/read_write.c:518
    vfs_write fs/read_write.c:605 [inline]
    vfs_write+0x9c4/0x1018 fs/read_write.c:585
    ksys_write+0x124/0x240 fs/read_write.c:658
    __do_sys_write fs/read_write.c:670 [inline]
    __se_sys_write fs/read_write.c:667 [inline]
    __arm64_sys_write+0x78/0xb0 fs/read_write.c:667
    __invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
    invoke_syscall arch/arm64/kernel/syscall.c:49 [inline]
    el0_svc_common.constprop.1+0x16c/0x388 arch/arm64/kernel/syscall.c:129
    do_el0_svc+0xf8/0x150 arch/arm64/kernel/syscall.c:168
    el0_svc+0x28/0x38 arch/arm64/kernel/entry-common.c:416
    el0_sync_handler+0x134/0x180 arch/arm64/kernel/entry-common.c:432
    el0_sync+0x154/0x180 arch/arm64/kernel/entry.S:701

   The buggy address belongs to the object at ffff23794dda0000
    which belongs to the cache pid of size 224
   The buggy address is located 4 bytes inside of
    224-byte region [ffff23794dda0000, ffff23794dda00e0)
   The buggy address belongs to the page:
   page:(____ptrval____) refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x4dda0
   head:(____ptrval____) order:1 compound_mapcount:0
   flags: 0x3fffc0000010200(slab|head)
   raw: 03fffc0000010200 dead000000000100 dead000000000122 ffff23794d40d080
   raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000
   page dumped because: kasan: bad access detected

   Memory state around the buggy address:
    ffff23794dd9ff00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    ffff23794dd9ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
   >ffff23794dda0000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
    ffff23794dda0080: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
    ffff23794dda0100: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
   ==================================================================

Link: https://lkml.kernel.org/r/20210524172230.38715-1-mark.rutland@arm.com
Fixes: 9ec52099e4b8678a ("[PATCH] replace cad_pid by a struct pid")
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Cedric Le Goater <clg@fr.ibm.com>
Cc: Christian Brauner <christian@brauner.io>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Kees Cook <keescook@chromium.org
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Paul Mackerras <paulus@samba.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 init/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/init/main.c
+++ b/init/main.c
@@ -1174,7 +1174,7 @@ static noinline void __init kernel_init_
 	 */
 	set_mems_allowed(node_states[N_MEMORY]);
 
-	cad_pid = task_pid(current);
+	cad_pid = get_pid(task_pid(current));
 
 	smp_prepare_cpus(setup_max_cpus);
 



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 54/78] ocfs2: fix data corruption by fallocate
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 53/78] pid: take a reference when initializing `cad_pid` Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 55/78] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Junxiao Bi, Joseph Qi, Jan Kara,
	Mark Fasheh, Joel Becker, Changwei Ge, Gang He, Jun Piao,
	Andrew Morton, Linus Torvalds

From: Junxiao Bi <junxiao.bi@oracle.com>

commit 6bba4471f0cc1296fe3c2089b9e52442d3074b2e upstream.

When fallocate punches holes out of inode size, if original isize is in
the middle of last cluster, then the part from isize to the end of the
cluster will be zeroed with buffer write, at that time isize is not yet
updated to match the new size, if writeback is kicked in, it will invoke
ocfs2_writepage()->block_write_full_page() where the pages out of inode
size will be dropped.  That will cause file corruption.  Fix this by
zero out eof blocks when extending the inode size.

Running the following command with qemu-image 4.2.1 can get a corrupted
coverted image file easily.

    qemu-img convert -p -t none -T none -f qcow2 $qcow_image \
             -O qcow2 -o compat=1.1 $qcow_image.conv

The usage of fallocate in qemu is like this, it first punches holes out
of inode size, then extend the inode size.

    fallocate(11, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 2276196352, 65536) = 0
    fallocate(11, 0, 2276196352, 65536) = 0

v1: https://www.spinics.net/lists/linux-fsdevel/msg193999.html
v2: https://lore.kernel.org/linux-fsdevel/20210525093034.GB4112@quack2.suse.cz/T/

Link: https://lkml.kernel.org/r/20210528210648.9124-1-junxiao.bi@oracle.com
Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Jan Kara <jack@suse.cz>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/file.c |   55 ++++++++++++++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 50 insertions(+), 5 deletions(-)

--- a/fs/ocfs2/file.c
+++ b/fs/ocfs2/file.c
@@ -1856,6 +1856,45 @@ out:
 }
 
 /*
+ * zero out partial blocks of one cluster.
+ *
+ * start: file offset where zero starts, will be made upper block aligned.
+ * len: it will be trimmed to the end of current cluster if "start + len"
+ *      is bigger than it.
+ */
+static int ocfs2_zeroout_partial_cluster(struct inode *inode,
+					u64 start, u64 len)
+{
+	int ret;
+	u64 start_block, end_block, nr_blocks;
+	u64 p_block, offset;
+	u32 cluster, p_cluster, nr_clusters;
+	struct super_block *sb = inode->i_sb;
+	u64 end = ocfs2_align_bytes_to_clusters(sb, start);
+
+	if (start + len < end)
+		end = start + len;
+
+	start_block = ocfs2_blocks_for_bytes(sb, start);
+	end_block = ocfs2_blocks_for_bytes(sb, end);
+	nr_blocks = end_block - start_block;
+	if (!nr_blocks)
+		return 0;
+
+	cluster = ocfs2_bytes_to_clusters(sb, start);
+	ret = ocfs2_get_clusters(inode, cluster, &p_cluster,
+				&nr_clusters, NULL);
+	if (ret)
+		return ret;
+	if (!p_cluster)
+		return 0;
+
+	offset = start_block - ocfs2_clusters_to_blocks(sb, cluster);
+	p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset;
+	return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS);
+}
+
+/*
  * Parts of this function taken from xfs_change_file_space()
  */
 static int __ocfs2_change_file_space(struct file *file, struct inode *inode,
@@ -1865,7 +1904,7 @@ static int __ocfs2_change_file_space(str
 {
 	int ret;
 	s64 llen;
-	loff_t size;
+	loff_t size, orig_isize;
 	struct ocfs2_super *osb = OCFS2_SB(inode->i_sb);
 	struct buffer_head *di_bh = NULL;
 	handle_t *handle;
@@ -1896,6 +1935,7 @@ static int __ocfs2_change_file_space(str
 		goto out_inode_unlock;
 	}
 
+	orig_isize = i_size_read(inode);
 	switch (sr->l_whence) {
 	case 0: /*SEEK_SET*/
 		break;
@@ -1903,7 +1943,7 @@ static int __ocfs2_change_file_space(str
 		sr->l_start += f_pos;
 		break;
 	case 2: /*SEEK_END*/
-		sr->l_start += i_size_read(inode);
+		sr->l_start += orig_isize;
 		break;
 	default:
 		ret = -EINVAL;
@@ -1957,6 +1997,14 @@ static int __ocfs2_change_file_space(str
 	default:
 		ret = -EINVAL;
 	}
+
+	/* zeroout eof blocks in the cluster. */
+	if (!ret && change_size && orig_isize < size) {
+		ret = ocfs2_zeroout_partial_cluster(inode, orig_isize,
+					size - orig_isize);
+		if (!ret)
+			i_size_write(inode, size);
+	}
 	up_write(&OCFS2_I(inode)->ip_alloc_sem);
 	if (ret) {
 		mlog_errno(ret);
@@ -1973,9 +2021,6 @@ static int __ocfs2_change_file_space(str
 		goto out_inode_unlock;
 	}
 
-	if (change_size && i_size_read(inode) < size)
-		i_size_write(inode, size);
-
 	inode->i_ctime = inode->i_mtime = current_time(inode);
 	ret = ocfs2_mark_inode_dirty(handle, inode, di_bh);
 	if (ret < 0)



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 55/78] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 54/78] ocfs2: fix data corruption by fallocate Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 56/78] drm/amdgpu: Dont query CE and UE errors Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+80fb126e7f7d8b1a5914,
	butt3rflyh4ck, Krzysztof Kozlowski, Jakub Kicinski

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 4ac06a1e013cf5fdd963317ffd3b968560f33bba upstream.

It's possible to trigger NULL pointer dereference by local unprivileged
user, when calling getsockname() after failed bind() (e.g. the bind
fails because LLCP_SAP_MAX used as SAP):

  BUG: kernel NULL pointer dereference, address: 0000000000000000
  CPU: 1 PID: 426 Comm: llcp_sock_getna Not tainted 5.13.0-rc2-next-20210521+ #9
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1 04/01/2014
  Call Trace:
   llcp_sock_getname+0xb1/0xe0
   __sys_getpeername+0x95/0xc0
   ? lockdep_hardirqs_on_prepare+0xd5/0x180
   ? syscall_enter_from_user_mode+0x1c/0x40
   __x64_sys_getpeername+0x11/0x20
   do_syscall_64+0x36/0x70
   entry_SYSCALL_64_after_hwframe+0x44/0xae

This can be reproduced with Syzkaller C repro (bind followed by
getpeername):
https://syzkaller.appspot.com/x/repro.c?x=14def446e00000

Cc: <stable@vger.kernel.org>
Fixes: d646960f7986 ("NFC: Initial LLCP support")
Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com
Reported-by: butt3rflyh4ck <butterflyhuangxx@gmail.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210531072138.5219-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/nfc/llcp_sock.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/nfc/llcp_sock.c
+++ b/net/nfc/llcp_sock.c
@@ -110,6 +110,7 @@ static int llcp_sock_bind(struct socket
 	if (!llcp_sock->service_name) {
 		nfc_llcp_local_put(llcp_sock->local);
 		llcp_sock->local = NULL;
+		llcp_sock->dev = NULL;
 		ret = -ENOMEM;
 		goto put_dev;
 	}
@@ -119,6 +120,7 @@ static int llcp_sock_bind(struct socket
 		llcp_sock->local = NULL;
 		kfree(llcp_sock->service_name);
 		llcp_sock->service_name = NULL;
+		llcp_sock->dev = NULL;
 		ret = -EADDRINUSE;
 		goto put_dev;
 	}



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 56/78] drm/amdgpu: Dont query CE and UE errors
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 55/78] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 57/78] drm/amdgpu: make sure we unpin the UVD BO Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Deucher, Luben Tuikov,
	Christian König, Alex Deucher

From: Luben Tuikov <luben.tuikov@amd.com>

commit dce3d8e1d070900e0feeb06787a319ff9379212c upstream.

On QUERY2 IOCTL don't query counts of correctable
and uncorrectable errors, since when RAS is
enabled and supported on Vega20 server boards,
this takes insurmountably long time, in O(n^3),
which slows the system down to the point of it
being unusable when we have GUI up.

Fixes: ae363a212b14 ("drm/amdgpu: Add a new flag to AMDGPU_CTX_OP_QUERY_STATE2")
Cc: Alexander Deucher <Alexander.Deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Luben Tuikov <luben.tuikov@amd.com>
Reviewed-by: Alexander Deucher <Alexander.Deucher@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c |   16 ----------------
 1 file changed, 16 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c
@@ -351,7 +351,6 @@ static int amdgpu_ctx_query2(struct amdg
 {
 	struct amdgpu_ctx *ctx;
 	struct amdgpu_ctx_mgr *mgr;
-	unsigned long ras_counter;
 
 	if (!fpriv)
 		return -EINVAL;
@@ -376,21 +375,6 @@ static int amdgpu_ctx_query2(struct amdg
 	if (atomic_read(&ctx->guilty))
 		out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_GUILTY;
 
-	/*query ue count*/
-	ras_counter = amdgpu_ras_query_error_count(adev, false);
-	/*ras counter is monotonic increasing*/
-	if (ras_counter != ctx->ras_counter_ue) {
-		out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_RAS_UE;
-		ctx->ras_counter_ue = ras_counter;
-	}
-
-	/*query ce count*/
-	ras_counter = amdgpu_ras_query_error_count(adev, true);
-	if (ras_counter != ctx->ras_counter_ce) {
-		out->state.flags |= AMDGPU_CTX_QUERY2_FLAGS_RAS_CE;
-		ctx->ras_counter_ce = ras_counter;
-	}
-
 	mutex_unlock(&mgr->lock);
 	return 0;
 }



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 57/78] drm/amdgpu: make sure we unpin the UVD BO
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 56/78] drm/amdgpu: Dont query CE and UE errors Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 58/78] x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nirmoy Das, Christian König,
	Alex Deucher

From: Nirmoy Das <nirmoy.das@amd.com>

commit 07438603a07e52f1c6aa731842bd298d2725b7be upstream.

Releasing pinned BOs is illegal now. UVD 6 was missing from:
commit 2f40801dc553 ("drm/amdgpu: make sure we unpin the UVD BO")

Fixes: 2f40801dc553 ("drm/amdgpu: make sure we unpin the UVD BO")
Cc: stable@vger.kernel.org
Signed-off-by: Nirmoy Das <nirmoy.das@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c
@@ -354,6 +354,7 @@ static int uvd_v6_0_enc_ring_test_ib(str
 
 error:
 	dma_fence_put(fence);
+	amdgpu_bo_unpin(bo);
 	amdgpu_bo_unreserve(bo);
 	amdgpu_bo_unref(&bo);
 	return r;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 58/78] x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 57/78] drm/amdgpu: make sure we unpin the UVD BO Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 59/78] btrfs: mark ordered extent and inode with error if we fail to finish Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Imran Khan, Thomas Gleixner, Borislav Petkov

From: Thomas Gleixner <tglx@linutronix.de>

commit 7d65f9e80646c595e8c853640a9d0768a33e204c upstream.

PIC interrupts do not support affinity setting and they can end up on
any online CPU. Therefore, it's required to mark the associated vectors
as system-wide reserved. Otherwise, the corresponding irq descriptors
are copied to the secondary CPUs but the vectors are not marked as
assigned or reserved. This works correctly for the IO/APIC case.

When the IO/APIC is disabled via config, kernel command line or lack of
enumeration then all legacy interrupts are routed through the PIC, but
nothing marks them as system-wide reserved vectors.

As a consequence, a subsequent allocation on a secondary CPU can result in
allocating one of these vectors, which triggers the BUG() in
apic_update_vector() because the interrupt descriptor slot is not empty.

Imran tried to work around that by marking those interrupts as allocated
when a CPU comes online. But that's wrong in case that the IO/APIC is
available and one of the legacy interrupts, e.g. IRQ0, has been switched to
PIC mode because then marking them as allocated will fail as they are
already marked as system vectors.

Stay consistent and update the legacy vectors after attempting IO/APIC
initialization and mark them as system vectors in case that no IO/APIC is
available.

Fixes: 69cde0004a4b ("x86/vector: Use matrix allocator for vector assignment")
Reported-by: Imran Khan <imran.f.khan@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Borislav Petkov <bp@suse.de>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20210519233928.2157496-1-imran.f.khan@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/apic.h   |    1 +
 arch/x86/kernel/apic/apic.c   |    1 +
 arch/x86/kernel/apic/vector.c |   20 ++++++++++++++++++++
 3 files changed, 22 insertions(+)

--- a/arch/x86/include/asm/apic.h
+++ b/arch/x86/include/asm/apic.h
@@ -174,6 +174,7 @@ static inline int apic_is_clustered_box(
 extern int setup_APIC_eilvt(u8 lvt_off, u8 vector, u8 msg_type, u8 mask);
 extern void lapic_assign_system_vectors(void);
 extern void lapic_assign_legacy_vector(unsigned int isairq, bool replace);
+extern void lapic_update_legacy_vectors(void);
 extern void lapic_online(void);
 extern void lapic_offline(void);
 extern bool apic_needs_pit(void);
--- a/arch/x86/kernel/apic/apic.c
+++ b/arch/x86/kernel/apic/apic.c
@@ -2579,6 +2579,7 @@ static void __init apic_bsp_setup(bool u
 	end_local_APIC_setup();
 	irq_remap_enable_fault_handling();
 	setup_IO_APIC();
+	lapic_update_legacy_vectors();
 }
 
 #ifdef CONFIG_UP_LATE_INIT
--- a/arch/x86/kernel/apic/vector.c
+++ b/arch/x86/kernel/apic/vector.c
@@ -680,6 +680,26 @@ void lapic_assign_legacy_vector(unsigned
 	irq_matrix_assign_system(vector_matrix, ISA_IRQ_VECTOR(irq), replace);
 }
 
+void __init lapic_update_legacy_vectors(void)
+{
+	unsigned int i;
+
+	if (IS_ENABLED(CONFIG_X86_IO_APIC) && nr_ioapics > 0)
+		return;
+
+	/*
+	 * If the IO/APIC is disabled via config, kernel command line or
+	 * lack of enumeration then all legacy interrupts are routed
+	 * through the PIC. Make sure that they are marked as legacy
+	 * vectors. PIC_CASCADE_IRQ has already been marked in
+	 * lapic_assign_system_vectors().
+	 */
+	for (i = 0; i < nr_legacy_irqs(); i++) {
+		if (i != PIC_CASCADE_IR)
+			lapic_assign_legacy_vector(i, true);
+	}
+}
+
 void __init lapic_assign_system_vectors(void)
 {
 	unsigned int i, vector = 0;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 59/78] btrfs: mark ordered extent and inode with error if we fail to finish
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 58/78] x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 60/78] btrfs: fix error handling in btrfs_del_csums Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit d61bec08b904cf171835db98168f82bc338e92e4 upstream.

While doing error injection testing I saw that sometimes we'd get an
abort that wouldn't stop the current transaction commit from completing.
This abort was coming from finish ordered IO, but at this point in the
transaction commit we should have gotten an error and stopped.

It turns out the abort came from finish ordered io while trying to write
out the free space cache.  It occurred to me that any failure inside of
finish_ordered_io isn't actually raised to the person doing the writing,
so we could have any number of failures in this path and think the
ordered extent completed successfully and the inode was fine.

Fix this by marking the ordered extent with BTRFS_ORDERED_IOERR, and
marking the mapping of the inode with mapping_set_error, so any callers
that simply call fdatawait will also get the error.

With this we're seeing the IO error on the free space inode when we fail
to do the finish_ordered_io.

CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/inode.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -3359,6 +3359,18 @@ out:
 	if (ret || truncated) {
 		u64 start, end;
 
+		/*
+		 * If we failed to finish this ordered extent for any reason we
+		 * need to make sure BTRFS_ORDERED_IOERR is set on the ordered
+		 * extent, and mark the inode with the error if it wasn't
+		 * already set.  Any error during writeback would have already
+		 * set the mapping error, so we need to set it if we're the ones
+		 * marking this ordered extent as failed.
+		 */
+		if (ret && !test_and_set_bit(BTRFS_ORDERED_IOERR,
+					     &ordered_extent->flags))
+			mapping_set_error(ordered_extent->inode->i_mapping, -EIO);
+
 		if (truncated)
 			start = ordered_extent->file_offset + logical_len;
 		else



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 60/78] btrfs: fix error handling in btrfs_del_csums
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 59/78] btrfs: mark ordered extent and inode with error if we fail to finish Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 61/78] btrfs: return errors from btrfs_del_csums in cleanup_ref_head Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit b86652be7c83f70bf406bed18ecf55adb9bfb91b upstream.

Error injection stress would sometimes fail with checksums on disk that
did not have a corresponding extent.  This occurred because the pattern
in btrfs_del_csums was

	while (1) {
		ret = btrfs_search_slot();
		if (ret < 0)
			break;
	}
	ret = 0;
out:
	btrfs_free_path(path);
	return ret;

If we got an error from btrfs_search_slot we'd clear the error because
we were breaking instead of goto out.  Instead of using goto out, simply
handle the cases where we may leave a random value in ret, and get rid
of the

	ret = 0;
out:

pattern and simply allow break to have the proper error reporting.  With
this fix we properly abort the transaction and do not commit thinking we
successfully deleted the csum.

Reviewed-by: Qu Wenruo <wqu@suse.com>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/file-item.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/fs/btrfs/file-item.c
+++ b/fs/btrfs/file-item.c
@@ -599,7 +599,7 @@ int btrfs_del_csums(struct btrfs_trans_h
 	u64 end_byte = bytenr + len;
 	u64 csum_end;
 	struct extent_buffer *leaf;
-	int ret;
+	int ret = 0;
 	u16 csum_size = btrfs_super_csum_size(fs_info->super_copy);
 	int blocksize_bits = fs_info->sb->s_blocksize_bits;
 
@@ -618,6 +618,7 @@ int btrfs_del_csums(struct btrfs_trans_h
 		path->leave_spinning = 1;
 		ret = btrfs_search_slot(trans, root, &key, path, -1, 1);
 		if (ret > 0) {
+			ret = 0;
 			if (path->slots[0] == 0)
 				break;
 			path->slots[0]--;
@@ -674,7 +675,7 @@ int btrfs_del_csums(struct btrfs_trans_h
 			ret = btrfs_del_items(trans, root, path,
 					      path->slots[0], del_nr);
 			if (ret)
-				goto out;
+				break;
 			if (key.offset == bytenr)
 				break;
 		} else if (key.offset < bytenr && csum_end > end_byte) {
@@ -718,8 +719,9 @@ int btrfs_del_csums(struct btrfs_trans_h
 			ret = btrfs_split_item(trans, root, path, &key, offset);
 			if (ret && ret != -EAGAIN) {
 				btrfs_abort_transaction(trans, ret);
-				goto out;
+				break;
 			}
+			ret = 0;
 
 			key.offset = end_byte - 1;
 		} else {
@@ -729,8 +731,6 @@ int btrfs_del_csums(struct btrfs_trans_h
 		}
 		btrfs_release_path(path);
 	}
-	ret = 0;
-out:
 	btrfs_free_path(path);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 61/78] btrfs: return errors from btrfs_del_csums in cleanup_ref_head
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 60/78] btrfs: fix error handling in btrfs_del_csums Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 62/78] btrfs: fixup error handling in fixup_inode_link_counts Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 856bd270dc4db209c779ce1e9555c7641ffbc88e upstream.

We are unconditionally returning 0 in cleanup_ref_head, despite the fact
that btrfs_del_csums could fail.  We need to return the error so the
transaction gets aborted properly, fix this by returning ret from
btrfs_del_csums in cleanup_ref_head.

Reviewed-by: Qu Wenruo <wqu@suse.com>
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/extent-tree.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1879,7 +1879,7 @@ static int cleanup_ref_head(struct btrfs
 	trace_run_delayed_ref_head(fs_info, head, 0);
 	btrfs_delayed_ref_unlock(head);
 	btrfs_put_delayed_ref_head(head);
-	return 0;
+	return ret;
 }
 
 static struct btrfs_delayed_ref_head *btrfs_obtain_ref_head(



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 62/78] btrfs: fixup error handling in fixup_inode_link_counts
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 61/78] btrfs: return errors from btrfs_del_csums in cleanup_ref_head Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 63/78] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 011b28acf940eb61c000059dd9e2cfcbf52ed96b upstream.

This function has the following pattern

	while (1) {
		ret = whatever();
		if (ret)
			goto out;
	}
	ret = 0
out:
	return ret;

However several places in this while loop we simply break; when there's
a problem, thus clearing the return value, and in one case we do a
return -EIO, and leak the memory for the path.

Fix this by re-arranging the loop to deal with ret == 1 coming from
btrfs_search_slot, and then simply delete the

	ret = 0;
out:

bit so everybody can break if there is an error, which will allow for
proper error handling to occur.

CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/tree-log.c |   13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1775,6 +1775,7 @@ static noinline int fixup_inode_link_cou
 			break;
 
 		if (ret == 1) {
+			ret = 0;
 			if (path->slots[0] == 0)
 				break;
 			path->slots[0]--;
@@ -1787,17 +1788,19 @@ static noinline int fixup_inode_link_cou
 
 		ret = btrfs_del_item(trans, root, path);
 		if (ret)
-			goto out;
+			break;
 
 		btrfs_release_path(path);
 		inode = read_one_inode(root, key.offset);
-		if (!inode)
-			return -EIO;
+		if (!inode) {
+			ret = -EIO;
+			break;
+		}
 
 		ret = fixup_inode_link_count(trans, root, inode);
 		iput(inode);
 		if (ret)
-			goto out;
+			break;
 
 		/*
 		 * fixup on a directory may create new entries,
@@ -1806,8 +1809,6 @@ static noinline int fixup_inode_link_cou
 		 */
 		key.offset = (u64)-1;
 	}
-	ret = 0;
-out:
 	btrfs_release_path(path);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 63/78] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 62/78] btrfs: fixup error handling in fixup_inode_link_counts Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 64/78] bnxt_en: Remove the setting of dev_port Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mina Almasry, Mike Kravetz,
	Axel Rasmussen, Peter Xu, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Mina Almasry <almasrymina@google.com>

[ Upstream commit d84cf06e3dd8c5c5b547b5d8931015fc536678e5 ]

The userfaultfd hugetlb tests cause a resv_huge_pages underflow.  This
happens when hugetlb_mcopy_atomic_pte() is called with !is_continue on
an index for which we already have a page in the cache.  When this
happens, we allocate a second page, double consuming the reservation,
and then fail to insert the page into the cache and return -EEXIST.

To fix this, we first check if there is a page in the cache which
already consumed the reservation, and return -EEXIST immediately if so.

There is still a rare condition where we fail to copy the page contents
AND race with a call for hugetlb_no_page() for this index and again we
will underflow resv_huge_pages.  That is fixed in a more complicated
patch not targeted for -stable.

Test:

  Hacked the code locally such that resv_huge_pages underflows produce a
  warning, then:

  ./tools/testing/selftests/vm/userfaultfd hugetlb_shared 10
	2 /tmp/kokonut_test/huge/userfaultfd_test && echo test success
  ./tools/testing/selftests/vm/userfaultfd hugetlb 10
	2 /tmp/kokonut_test/huge/userfaultfd_test && echo test success

Both tests succeed and produce no warnings.  After the test runs number
of free/resv hugepages is correct.

[mike.kravetz@oracle.com: changelog fixes]

Link: https://lkml.kernel.org/r/20210528004649.85298-1-almasrymina@google.com
Fixes: 8fb5debc5fcd ("userfaultfd: hugetlbfs: add hugetlb_mcopy_atomic_pte for userfaultfd support")
Signed-off-by: Mina Almasry <almasrymina@google.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 mm/hugetlb.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index 3b08e34a775d..fe15e7d8220a 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -4338,10 +4338,20 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm,
 	struct page *page;
 
 	if (!*pagep) {
-		ret = -ENOMEM;
+		/* If a page already exists, then it's UFFDIO_COPY for
+		 * a non-missing case. Return -EEXIST.
+		 */
+		if (vm_shared &&
+		    hugetlbfs_pagecache_present(h, dst_vma, dst_addr)) {
+			ret = -EEXIST;
+			goto out;
+		}
+
 		page = alloc_huge_page(dst_vma, dst_addr, 0);
-		if (IS_ERR(page))
+		if (IS_ERR(page)) {
+			ret = -ENOMEM;
 			goto out;
+		}
 
 		ret = copy_huge_page_from_user(page,
 						(const void __user *) src_addr,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 87+ messages in thread

* [PATCH 5.4 64/78] bnxt_en: Remove the setting of dev_port.
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 63/78] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 65/78] mm: add thp_order Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Chan, David S. Miller,
	Krzysztof Kozlowski

From: Michael Chan <michael.chan@broadcom.com>

commit 1d86859fdf31a0d50cc82b5d0d6bfb5fe98f6c00 upstream.

The dev_port is meant to distinguish the network ports belonging to
the same PCI function.  Our devices only have one network port
associated with each PCI function and so we should not set it for
correctness.

Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
@@ -7003,7 +7003,6 @@ static int __bnxt_hwrm_func_qcaps(struct
 
 		pf->fw_fid = le16_to_cpu(resp->fid);
 		pf->port_id = le16_to_cpu(resp->port_id);
-		bp->dev->dev_port = pf->port_id;
 		memcpy(pf->mac_addr, resp->mac_address, ETH_ALEN);
 		pf->first_vf_id = le16_to_cpu(resp->first_vf_id);
 		pf->max_vfs = le16_to_cpu(resp->max_vfs);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 65/78] mm: add thp_order
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 64/78] bnxt_en: Remove the setting of dev_port Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 66/78] XArray: add xa_get_order Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Matthew Wilcox (Oracle),
	Andrew Morton, William Kucharski, Zi Yan, David Hildenbrand,
	Mike Kravetz, Kirill A. Shutemov, Linus Torvalds

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

commit 6ffbb45826f5d9ae09aa60cd88594b7816c96190 upstream

This function returns the order of a transparent huge page.  It compiles
to 0 if CONFIG_TRANSPARENT_HUGEPAGE is disabled.

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Reviewed-by: William Kucharski <william.kucharski@oracle.com>
Reviewed-by: Zi Yan <ziy@nvidia.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com>
Link: http://lkml.kernel.org/r/20200629151959.15779-4-willy@infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/huge_mm.h |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/include/linux/huge_mm.h
+++ b/include/linux/huge_mm.h
@@ -231,6 +231,19 @@ static inline spinlock_t *pud_trans_huge
 	else
 		return NULL;
 }
+
+/**
+ * thp_order - Order of a transparent huge page.
+ * @page: Head page of a transparent huge page.
+ */
+static inline unsigned int thp_order(struct page *page)
+{
+	VM_BUG_ON_PGFLAGS(PageTail(page), page);
+	if (PageHead(page))
+		return HPAGE_PMD_ORDER;
+	return 0;
+}
+
 static inline int hpage_nr_pages(struct page *page)
 {
 	if (unlikely(PageTransHuge(page)))
@@ -290,6 +303,12 @@ static inline struct list_head *page_def
 #define HPAGE_PUD_MASK ({ BUILD_BUG(); 0; })
 #define HPAGE_PUD_SIZE ({ BUILD_BUG(); 0; })
 
+static inline unsigned int thp_order(struct page *page)
+{
+	VM_BUG_ON_PGFLAGS(PageTail(page), page);
+	return 0;
+}
+
 #define hpage_nr_pages(x) 1
 
 static inline bool __transparent_hugepage_enabled(struct vm_area_struct *vma)



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 66/78] XArray: add xa_get_order
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 65/78] mm: add thp_order Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 67/78] XArray: add xas_split Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Matthew Wilcox (Oracle),
	Andrew Morton, Kirill A . Shutemov, Qian Cai, Song Liu,
	Linus Torvalds

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

commit 57417cebc96b57122a2207fc84a6077d20c84b4b upstream

Patch series "Fix read-only THP for non-tmpfs filesystems".

As described more verbosely in the [3/3] changelog, we can inadvertently
put an order-0 page in the page cache which occupies 512 consecutive
entries.  Users are running into this if they enable the
READ_ONLY_THP_FOR_FS config option; see
https://bugzilla.kernel.org/show_bug.cgi?id=206569 and Qian Cai has also
reported it here:
https://lore.kernel.org/lkml/20200616013309.GB815@lca.pw/

This is a rather intrusive way of fixing the problem, but has the
advantage that I've actually been testing it with the THP patches, which
means that it sees far more use than it does upstream -- indeed, Song has
been entirely unable to reproduce it.  It also has the advantage that it
removes a few patches from my gargantuan backlog of THP patches.

This patch (of 3):

This function returns the order of the entry at the index.  We need this
because there isn't space in the shadow entry to encode its order.

[akpm@linux-foundation.org: export xa_get_order to modules]

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
Cc: Qian Cai <cai@lca.pw>
Cc: Song Liu <songliubraving@fb.com>
Link: https://lkml.kernel.org/r/20200903183029.14930-1-willy@infradead.org
Link: https://lkml.kernel.org/r/20200903183029.14930-2-willy@infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/xarray.h |    9 +++++++++
 lib/test_xarray.c      |   21 +++++++++++++++++++++
 lib/xarray.c           |   40 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 70 insertions(+)

--- a/include/linux/xarray.h
+++ b/include/linux/xarray.h
@@ -1470,6 +1470,15 @@ void xas_pause(struct xa_state *);
 
 void xas_create_range(struct xa_state *);
 
+#ifdef CONFIG_XARRAY_MULTI
+int xa_get_order(struct xarray *, unsigned long index);
+#else
+static inline int xa_get_order(struct xarray *xa, unsigned long index)
+{
+	return 0;
+}
+#endif
+
 /**
  * xas_reload() - Refetch an entry from the xarray.
  * @xas: XArray operation state.
--- a/lib/test_xarray.c
+++ b/lib/test_xarray.c
@@ -1649,6 +1649,26 @@ static noinline void check_account(struc
 #endif
 }
 
+static noinline void check_get_order(struct xarray *xa)
+{
+	unsigned int max_order = IS_ENABLED(CONFIG_XARRAY_MULTI) ? 20 : 1;
+	unsigned int order;
+	unsigned long i, j;
+
+	for (i = 0; i < 3; i++)
+		XA_BUG_ON(xa, xa_get_order(xa, i) != 0);
+
+	for (order = 0; order < max_order; order++) {
+		for (i = 0; i < 10; i++) {
+			xa_store_order(xa, i << order, order,
+					xa_mk_index(i << order), GFP_KERNEL);
+			for (j = i << order; j < (i + 1) << order; j++)
+				XA_BUG_ON(xa, xa_get_order(xa, j) != order);
+			xa_erase(xa, i << order);
+		}
+	}
+}
+
 static noinline void check_destroy(struct xarray *xa)
 {
 	unsigned long index;
@@ -1697,6 +1717,7 @@ static int xarray_checks(void)
 	check_reserve(&array);
 	check_reserve(&xa0);
 	check_multi_store(&array);
+	check_get_order(&array);
 	check_xa_alloc();
 	check_find(&array);
 	check_find_entry(&array);
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -1592,6 +1592,46 @@ unlock:
 	return xas_result(&xas, NULL);
 }
 EXPORT_SYMBOL(xa_store_range);
+
+/**
+ * xa_get_order() - Get the order of an entry.
+ * @xa: XArray.
+ * @index: Index of the entry.
+ *
+ * Return: A number between 0 and 63 indicating the order of the entry.
+ */
+int xa_get_order(struct xarray *xa, unsigned long index)
+{
+	XA_STATE(xas, xa, index);
+	void *entry;
+	int order = 0;
+
+	rcu_read_lock();
+	entry = xas_load(&xas);
+
+	if (!entry)
+		goto unlock;
+
+	if (!xas.xa_node)
+		goto unlock;
+
+	for (;;) {
+		unsigned int slot = xas.xa_offset + (1 << order);
+
+		if (slot >= XA_CHUNK_SIZE)
+			break;
+		if (!xa_is_sibling(xas.xa_node->slots[slot]))
+			break;
+		order++;
+	}
+
+	order += xas.xa_node->shift;
+unlock:
+	rcu_read_unlock();
+
+	return order;
+}
+EXPORT_SYMBOL(xa_get_order);
 #endif /* CONFIG_XARRAY_MULTI */
 
 /**



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 67/78] XArray: add xas_split
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 66/78] XArray: add xa_get_order Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 68/78] mm/filemap: fix storing to a THP shadow entry Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Matthew Wilcox (Oracle),
	Andrew Morton, Kirill A . Shutemov, Qian Cai, Song Liu,
	Linus Torvalds

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

commit 8fc75643c5e14574c8be59b69182452ece28315a upstream

In order to use multi-index entries for huge pages in the page cache, we
need to be able to split a multi-index entry (eg if a file is truncated in
the middle of a huge page entry).  This version does not support splitting
more than one level of the tree at a time.  This is an acceptable
limitation for the page cache as we do not expect to support order-12
pages in the near future.

[akpm@linux-foundation.org: export xas_split_alloc() to modules]
[willy@infradead.org: fix xarray split]
  Link: https://lkml.kernel.org/r/20200910175450.GV6583@casper.infradead.org
[willy@infradead.org: fix xarray]
  Link: https://lkml.kernel.org/r/20201001233943.GW20115@casper.infradead.org

Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
Cc: Qian Cai <cai@lca.pw>
Cc: Song Liu <songliubraving@fb.com>
Link: https://lkml.kernel.org/r/20200903183029.14930-3-willy@infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/core-api/xarray.rst |   14 +--
 include/linux/xarray.h            |   13 ++
 lib/test_xarray.c                 |   44 +++++++++
 lib/xarray.c                      |  168 +++++++++++++++++++++++++++++++++++---
 4 files changed, 224 insertions(+), 15 deletions(-)

--- a/Documentation/core-api/xarray.rst
+++ b/Documentation/core-api/xarray.rst
@@ -461,13 +461,15 @@ or iterations will move the index to the
 Each entry will only be returned once, no matter how many indices it
 occupies.
 
-Using xas_next() or xas_prev() with a multi-index xa_state
-is not supported.  Using either of these functions on a multi-index entry
-will reveal sibling entries; these should be skipped over by the caller.
+Using xas_next() or xas_prev() with a multi-index xa_state is not
+supported.  Using either of these functions on a multi-index entry will
+reveal sibling entries; these should be skipped over by the caller.
 
-Storing ``NULL`` into any index of a multi-index entry will set the entry
-at every index to ``NULL`` and dissolve the tie.  Splitting a multi-index
-entry into entries occupying smaller ranges is not yet supported.
+Storing ``NULL`` into any index of a multi-index entry will set the
+entry at every index to ``NULL`` and dissolve the tie.  A multi-index
+entry can be split into entries occupying smaller ranges by calling
+xas_split_alloc() without the xa_lock held, followed by taking the lock
+and calling xas_split().
 
 Functions and structures
 ========================
--- a/include/linux/xarray.h
+++ b/include/linux/xarray.h
@@ -1472,11 +1472,24 @@ void xas_create_range(struct xa_state *)
 
 #ifdef CONFIG_XARRAY_MULTI
 int xa_get_order(struct xarray *, unsigned long index);
+void xas_split(struct xa_state *, void *entry, unsigned int order);
+void xas_split_alloc(struct xa_state *, void *entry, unsigned int order, gfp_t);
 #else
 static inline int xa_get_order(struct xarray *xa, unsigned long index)
 {
 	return 0;
 }
+
+static inline void xas_split(struct xa_state *xas, void *entry,
+		unsigned int order)
+{
+	xas_store(xas, entry);
+}
+
+static inline void xas_split_alloc(struct xa_state *xas, void *entry,
+		unsigned int order, gfp_t gfp)
+{
+}
 #endif
 
 /**
--- a/lib/test_xarray.c
+++ b/lib/test_xarray.c
@@ -1503,6 +1503,49 @@ static noinline void check_store_range(s
 	}
 }
 
+#ifdef CONFIG_XARRAY_MULTI
+static void check_split_1(struct xarray *xa, unsigned long index,
+							unsigned int order)
+{
+	XA_STATE(xas, xa, index);
+	void *entry;
+	unsigned int i = 0;
+
+	xa_store_order(xa, index, order, xa, GFP_KERNEL);
+
+	xas_split_alloc(&xas, xa, order, GFP_KERNEL);
+	xas_lock(&xas);
+	xas_split(&xas, xa, order);
+	xas_unlock(&xas);
+
+	xa_for_each(xa, index, entry) {
+		XA_BUG_ON(xa, entry != xa);
+		i++;
+	}
+	XA_BUG_ON(xa, i != 1 << order);
+
+	xa_set_mark(xa, index, XA_MARK_0);
+	XA_BUG_ON(xa, !xa_get_mark(xa, index, XA_MARK_0));
+
+	xa_destroy(xa);
+}
+
+static noinline void check_split(struct xarray *xa)
+{
+	unsigned int order;
+
+	XA_BUG_ON(xa, !xa_empty(xa));
+
+	for (order = 1; order < 2 * XA_CHUNK_SHIFT; order++) {
+		check_split_1(xa, 0, order);
+		check_split_1(xa, 1UL << order, order);
+		check_split_1(xa, 3UL << order, order);
+	}
+}
+#else
+static void check_split(struct xarray *xa) { }
+#endif
+
 static void check_align_1(struct xarray *xa, char *name)
 {
 	int i;
@@ -1729,6 +1772,7 @@ static int xarray_checks(void)
 	check_store_range(&array);
 	check_store_iter(&array);
 	check_align(&xa0);
+	check_split(&array);
 
 	check_workingset(&array, 0);
 	check_workingset(&array, 64);
--- a/lib/xarray.c
+++ b/lib/xarray.c
@@ -266,13 +266,14 @@ static void xa_node_free(struct xa_node
  */
 static void xas_destroy(struct xa_state *xas)
 {
-	struct xa_node *node = xas->xa_alloc;
+	struct xa_node *next, *node = xas->xa_alloc;
 
-	if (!node)
-		return;
-	XA_NODE_BUG_ON(node, !list_empty(&node->private_list));
-	kmem_cache_free(radix_tree_node_cachep, node);
-	xas->xa_alloc = NULL;
+	while (node) {
+		XA_NODE_BUG_ON(node, !list_empty(&node->private_list));
+		next = rcu_dereference_raw(node->parent);
+		radix_tree_node_rcu_free(&node->rcu_head);
+		xas->xa_alloc = node = next;
+	}
 }
 
 /**
@@ -304,6 +305,7 @@ bool xas_nomem(struct xa_state *xas, gfp
 	xas->xa_alloc = kmem_cache_alloc(radix_tree_node_cachep, gfp);
 	if (!xas->xa_alloc)
 		return false;
+	xas->xa_alloc->parent = NULL;
 	XA_NODE_BUG_ON(xas->xa_alloc, !list_empty(&xas->xa_alloc->private_list));
 	xas->xa_node = XAS_RESTART;
 	return true;
@@ -339,6 +341,7 @@ static bool __xas_nomem(struct xa_state
 	}
 	if (!xas->xa_alloc)
 		return false;
+	xas->xa_alloc->parent = NULL;
 	XA_NODE_BUG_ON(xas->xa_alloc, !list_empty(&xas->xa_alloc->private_list));
 	xas->xa_node = XAS_RESTART;
 	return true;
@@ -403,7 +406,7 @@ static unsigned long xas_size(const stru
 /*
  * Use this to calculate the maximum index that will need to be created
  * in order to add the entry described by @xas.  Because we cannot store a
- * multiple-index entry at index 0, the calculation is a little more complex
+ * multi-index entry at index 0, the calculation is a little more complex
  * than you might expect.
  */
 static unsigned long xas_max(struct xa_state *xas)
@@ -946,6 +949,153 @@ void xas_init_marks(const struct xa_stat
 }
 EXPORT_SYMBOL_GPL(xas_init_marks);
 
+#ifdef CONFIG_XARRAY_MULTI
+static unsigned int node_get_marks(struct xa_node *node, unsigned int offset)
+{
+	unsigned int marks = 0;
+	xa_mark_t mark = XA_MARK_0;
+
+	for (;;) {
+		if (node_get_mark(node, offset, mark))
+			marks |= 1 << (__force unsigned int)mark;
+		if (mark == XA_MARK_MAX)
+			break;
+		mark_inc(mark);
+	}
+
+	return marks;
+}
+
+static void node_set_marks(struct xa_node *node, unsigned int offset,
+			struct xa_node *child, unsigned int marks)
+{
+	xa_mark_t mark = XA_MARK_0;
+
+	for (;;) {
+		if (marks & (1 << (__force unsigned int)mark)) {
+			node_set_mark(node, offset, mark);
+			if (child)
+				node_mark_all(child, mark);
+		}
+		if (mark == XA_MARK_MAX)
+			break;
+		mark_inc(mark);
+	}
+}
+
+/**
+ * xas_split_alloc() - Allocate memory for splitting an entry.
+ * @xas: XArray operation state.
+ * @entry: New entry which will be stored in the array.
+ * @order: New entry order.
+ * @gfp: Memory allocation flags.
+ *
+ * This function should be called before calling xas_split().
+ * If necessary, it will allocate new nodes (and fill them with @entry)
+ * to prepare for the upcoming split of an entry of @order size into
+ * entries of the order stored in the @xas.
+ *
+ * Context: May sleep if @gfp flags permit.
+ */
+void xas_split_alloc(struct xa_state *xas, void *entry, unsigned int order,
+		gfp_t gfp)
+{
+	unsigned int sibs = (1 << (order % XA_CHUNK_SHIFT)) - 1;
+	unsigned int mask = xas->xa_sibs;
+
+	/* XXX: no support for splitting really large entries yet */
+	if (WARN_ON(xas->xa_shift + 2 * XA_CHUNK_SHIFT < order))
+		goto nomem;
+	if (xas->xa_shift + XA_CHUNK_SHIFT > order)
+		return;
+
+	do {
+		unsigned int i;
+		void *sibling;
+		struct xa_node *node;
+
+		node = kmem_cache_alloc(radix_tree_node_cachep, gfp);
+		if (!node)
+			goto nomem;
+		node->array = xas->xa;
+		for (i = 0; i < XA_CHUNK_SIZE; i++) {
+			if ((i & mask) == 0) {
+				RCU_INIT_POINTER(node->slots[i], entry);
+				sibling = xa_mk_sibling(0);
+			} else {
+				RCU_INIT_POINTER(node->slots[i], sibling);
+			}
+		}
+		RCU_INIT_POINTER(node->parent, xas->xa_alloc);
+		xas->xa_alloc = node;
+	} while (sibs-- > 0);
+
+	return;
+nomem:
+	xas_destroy(xas);
+	xas_set_err(xas, -ENOMEM);
+}
+EXPORT_SYMBOL_GPL(xas_split_alloc);
+
+/**
+ * xas_split() - Split a multi-index entry into smaller entries.
+ * @xas: XArray operation state.
+ * @entry: New entry to store in the array.
+ * @order: New entry order.
+ *
+ * The value in the entry is copied to all the replacement entries.
+ *
+ * Context: Any context.  The caller should hold the xa_lock.
+ */
+void xas_split(struct xa_state *xas, void *entry, unsigned int order)
+{
+	unsigned int sibs = (1 << (order % XA_CHUNK_SHIFT)) - 1;
+	unsigned int offset, marks;
+	struct xa_node *node;
+	void *curr = xas_load(xas);
+	int values = 0;
+
+	node = xas->xa_node;
+	if (xas_top(node))
+		return;
+
+	marks = node_get_marks(node, xas->xa_offset);
+
+	offset = xas->xa_offset + sibs;
+	do {
+		if (xas->xa_shift < node->shift) {
+			struct xa_node *child = xas->xa_alloc;
+
+			xas->xa_alloc = rcu_dereference_raw(child->parent);
+			child->shift = node->shift - XA_CHUNK_SHIFT;
+			child->offset = offset;
+			child->count = XA_CHUNK_SIZE;
+			child->nr_values = xa_is_value(entry) ?
+					XA_CHUNK_SIZE : 0;
+			RCU_INIT_POINTER(child->parent, node);
+			node_set_marks(node, offset, child, marks);
+			rcu_assign_pointer(node->slots[offset],
+					xa_mk_node(child));
+			if (xa_is_value(curr))
+				values--;
+		} else {
+			unsigned int canon = offset - xas->xa_sibs;
+
+			node_set_marks(node, canon, NULL, marks);
+			rcu_assign_pointer(node->slots[canon], entry);
+			while (offset > canon)
+				rcu_assign_pointer(node->slots[offset--],
+						xa_mk_sibling(canon));
+			values += (xa_is_value(entry) - xa_is_value(curr)) *
+					(xas->xa_sibs + 1);
+		}
+	} while (offset-- > xas->xa_offset);
+
+	node->nr_values += values;
+}
+EXPORT_SYMBOL_GPL(xas_split);
+#endif
+
 /**
  * xas_pause() - Pause a walk to drop a lock.
  * @xas: XArray operation state.
@@ -1407,7 +1557,7 @@ EXPORT_SYMBOL(__xa_store);
  * @gfp: Memory allocation flags.
  *
  * After this function returns, loads from this index will return @entry.
- * Storing into an existing multislot entry updates the entry of every index.
+ * Storing into an existing multi-index entry updates the entry of every index.
  * The marks associated with @index are unaffected unless @entry is %NULL.
  *
  * Context: Any context.  Takes and releases the xa_lock.
@@ -1549,7 +1699,7 @@ static void xas_set_range(struct xa_stat
  *
  * After this function returns, loads from any index between @first and @last,
  * inclusive will return @entry.
- * Storing into an existing multislot entry updates the entry of every index.
+ * Storing into an existing multi-index entry updates the entry of every index.
  * The marks associated with @index are unaffected unless @entry is %NULL.
  *
  * Context: Process context.  Takes and releases the xa_lock.  May sleep



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 68/78] mm/filemap: fix storing to a THP shadow entry
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 67/78] XArray: add xas_split Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 69/78] btrfs: fix unmountable seed device after fstrim Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Matthew Wilcox (Oracle),
	Andrew Morton, Song Liu, Kirill A . Shutemov, Qian Cai,
	Linus Torvalds

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

commit 198b62f83eef1d605d70eca32759c92cdcc14175 upstream

When a THP is removed from the page cache by reclaim, we replace it with a
shadow entry that occupies all slots of the XArray previously occupied by
the THP.  If the user then accesses that page again, we only allocate a
single page, but storing it into the shadow entry replaces all entries
with that one page.  That leads to bugs like

page dumped because: VM_BUG_ON_PAGE(page_to_pgoff(page) != offset)
------------[ cut here ]------------
kernel BUG at mm/filemap.c:2529!

https://bugzilla.kernel.org/show_bug.cgi?id=206569

This is hard to reproduce with mainline, but happens regularly with the
THP patchset (as so many more THPs are created).  This solution is take
from the THP patchset.  It splits the shadow entry into order-0 pieces at
the time that we bring a new page into cache.

Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Cc: Song Liu <songliubraving@fb.com>
Cc: "Kirill A . Shutemov" <kirill@shutemov.name>
Cc: Qian Cai <cai@lca.pw>
Link: https://lkml.kernel.org/r/20200903183029.14930-4-willy@infradead.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/filemap.c |   37 ++++++++++++++++++++++++++++---------
 1 file changed, 28 insertions(+), 9 deletions(-)

--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -856,7 +856,6 @@ noinline int __add_to_page_cache_locked(
 	int huge = PageHuge(page);
 	struct mem_cgroup *memcg;
 	int error;
-	void *old;
 
 	VM_BUG_ON_PAGE(!PageLocked(page), page);
 	VM_BUG_ON_PAGE(PageSwapBacked(page), page);
@@ -872,21 +871,41 @@ noinline int __add_to_page_cache_locked(
 	get_page(page);
 	page->mapping = mapping;
 	page->index = offset;
+	gfp_mask &= GFP_RECLAIM_MASK;
 
 	do {
+		unsigned int order = xa_get_order(xas.xa, xas.xa_index);
+		void *entry, *old = NULL;
+
+		if (order > thp_order(page))
+			xas_split_alloc(&xas, xa_load(xas.xa, xas.xa_index),
+					order, gfp_mask);
 		xas_lock_irq(&xas);
-		old = xas_load(&xas);
-		if (old && !xa_is_value(old))
-			xas_set_err(&xas, -EEXIST);
+		xas_for_each_conflict(&xas, entry) {
+			old = entry;
+			if (!xa_is_value(entry)) {
+				xas_set_err(&xas, -EEXIST);
+				goto unlock;
+			}
+		}
+
+		if (old) {
+			if (shadowp)
+				*shadowp = old;
+			/* entry may have been split before we acquired lock */
+			order = xa_get_order(xas.xa, xas.xa_index);
+			if (order > thp_order(page)) {
+				xas_split(&xas, old, order);
+				xas_reset(&xas);
+			}
+		}
+
 		xas_store(&xas, page);
 		if (xas_error(&xas))
 			goto unlock;
 
-		if (xa_is_value(old)) {
+		if (old)
 			mapping->nrexceptional--;
-			if (shadowp)
-				*shadowp = old;
-		}
 		mapping->nrpages++;
 
 		/* hugetlb pages do not participate in page cache accounting */
@@ -894,7 +913,7 @@ noinline int __add_to_page_cache_locked(
 			__inc_node_page_state(page, NR_FILE_PAGES);
 unlock:
 		xas_unlock_irq(&xas);
-	} while (xas_nomem(&xas, gfp_mask & GFP_RECLAIM_MASK));
+	} while (xas_nomem(&xas, gfp_mask));
 
 	if (xas_error(&xas))
 		goto error;



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 69/78] btrfs: fix unmountable seed device after fstrim
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 68/78] mm/filemap: fix storing to a THP shadow entry Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 70/78] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Murphy, Filipe Manana,
	Anand Jain, David Sterba, Sudip Mukherjee

From: Anand Jain <anand.jain@oracle.com>

commit 5e753a817b2d5991dfe8a801b7b1e8e79a1c5a20 upstream.

The following test case reproduces an issue of wrongly freeing in-use
blocks on the readonly seed device when fstrim is called on the rw sprout
device. As shown below.

Create a seed device and add a sprout device to it:

  $ mkfs.btrfs -fq -dsingle -msingle /dev/loop0
  $ btrfstune -S 1 /dev/loop0
  $ mount /dev/loop0 /btrfs
  $ btrfs dev add -f /dev/loop1 /btrfs
  BTRFS info (device loop0): relocating block group 290455552 flags system
  BTRFS info (device loop0): relocating block group 1048576 flags system
  BTRFS info (device loop0): disk added /dev/loop1
  $ umount /btrfs

Mount the sprout device and run fstrim:

  $ mount /dev/loop1 /btrfs
  $ fstrim /btrfs
  $ umount /btrfs

Now try to mount the seed device, and it fails:

  $ mount /dev/loop0 /btrfs
  mount: /btrfs: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.

Block 5292032 is missing on the readonly seed device:

 $ dmesg -kt | tail
 <snip>
 BTRFS error (device loop0): bad tree block start, want 5292032 have 0
 BTRFS warning (device loop0): couldn't read-tree root
 BTRFS error (device loop0): open_ctree failed

>From the dump-tree of the seed device (taken before the fstrim). Block
5292032 belonged to the block group starting at 5242880:

  $ btrfs inspect dump-tree -e /dev/loop0 | grep -A1 BLOCK_GROUP
  <snip>
  item 3 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16169 itemsize 24
  	block group used 114688 chunk_objectid 256 flags METADATA
  <snip>

>From the dump-tree of the sprout device (taken before the fstrim).
fstrim used block-group 5242880 to find the related free space to free:

  $ btrfs inspect dump-tree -e /dev/loop1 | grep -A1 BLOCK_GROUP
  <snip>
  item 1 key (5242880 BLOCK_GROUP_ITEM 8388608) itemoff 16226 itemsize 24
  	block group used 32768 chunk_objectid 256 flags METADATA
  <snip>

BPF kernel tracing the fstrim command finds the missing block 5292032
within the range of the discarded blocks as below:

  kprobe:btrfs_discard_extent {
  	printf("freeing start %llu end %llu num_bytes %llu:\n",
  		arg1, arg1+arg2, arg2);
  }

  freeing start 5259264 end 5406720 num_bytes 147456
  <snip>

Fix this by avoiding the discard command to the readonly seed device.

Reported-by: Chris Murphy <lists@colorremedies.com>
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/extent-tree.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1338,16 +1338,20 @@ int btrfs_discard_extent(struct btrfs_fs
 		for (i = 0; i < bbio->num_stripes; i++, stripe++) {
 			u64 bytes;
 			struct request_queue *req_q;
+			struct btrfs_device *device = stripe->dev;
 
-			if (!stripe->dev->bdev) {
+			if (!device->bdev) {
 				ASSERT(btrfs_test_opt(fs_info, DEGRADED));
 				continue;
 			}
-			req_q = bdev_get_queue(stripe->dev->bdev);
+			req_q = bdev_get_queue(device->bdev);
 			if (!blk_queue_discard(req_q))
 				continue;
 
-			ret = btrfs_issue_discard(stripe->dev->bdev,
+			if (!test_bit(BTRFS_DEV_STATE_WRITEABLE, &device->dev_state))
+				continue;
+
+			ret = btrfs_issue_discard(device->bdev,
 						  stripe->physical,
 						  stripe->length,
 						  &bytes);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 70/78] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 69/78] btrfs: fix unmountable seed device after fstrim Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 71/78] KVM: arm64: Fix debug register indexing Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini,
	Sudip Mukherjee

From: Sean Christopherson <seanjc@google.com>

commit 0884335a2e653b8a045083aa1d57ce74269ac81d upstream.

Drop bits 63:32 on loads/stores to/from DRs and CRs when the vCPU is not
in 64-bit mode.  The APM states bits 63:32 are dropped for both DRs and
CRs:

  In 64-bit mode, the operand size is fixed at 64 bits without the need
  for a REX prefix. In non-64-bit mode, the operand size is fixed at 32
  bits and the upper 32 bits of the destination are forced to 0.

Fixes: 7ff76d58a9dc ("KVM: SVM: enhance MOV CR intercept handler")
Fixes: cae3797a4639 ("KVM: SVM: enhance mov DR intercept handler")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210422022128.3464144-4-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
[sudip: manual backport to old file]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/arch/x86/kvm/svm.c
+++ b/arch/x86/kvm/svm.c
@@ -4057,7 +4057,7 @@ static int cr_interception(struct vcpu_s
 	err = 0;
 	if (cr >= 16) { /* mov to cr */
 		cr -= 16;
-		val = kvm_register_read(&svm->vcpu, reg);
+		val = kvm_register_readl(&svm->vcpu, reg);
 		switch (cr) {
 		case 0:
 			if (!check_selective_cr0_intercepted(svm, val))
@@ -4102,7 +4102,7 @@ static int cr_interception(struct vcpu_s
 			kvm_queue_exception(&svm->vcpu, UD_VECTOR);
 			return 1;
 		}
-		kvm_register_write(&svm->vcpu, reg, val);
+		kvm_register_writel(&svm->vcpu, reg, val);
 	}
 	return kvm_complete_insn_gp(&svm->vcpu, err);
 }
@@ -4132,13 +4132,13 @@ static int dr_interception(struct vcpu_s
 	if (dr >= 16) { /* mov to DRn */
 		if (!kvm_require_dr(&svm->vcpu, dr - 16))
 			return 1;
-		val = kvm_register_read(&svm->vcpu, reg);
+		val = kvm_register_readl(&svm->vcpu, reg);
 		kvm_set_dr(&svm->vcpu, dr - 16, val);
 	} else {
 		if (!kvm_require_dr(&svm->vcpu, dr))
 			return 1;
 		kvm_get_dr(&svm->vcpu, dr, &val);
-		kvm_register_write(&svm->vcpu, reg, val);
+		kvm_register_writel(&svm->vcpu, reg, val);
 	}
 
 	return kvm_skip_emulated_instruction(&svm->vcpu);



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 71/78] KVM: arm64: Fix debug register indexing
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 70/78] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 72/78] x86/kvm: Teardown PV features on boot CPU as well Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ricardo Koller, Marc Zyngier

From: Marc Zyngier <maz@kernel.org>

commit cb853ded1d25e5b026ce115dbcde69e3d7e2e831 upstream.

Commit 03fdfb2690099 ("KVM: arm64: Don't write junk to sysregs on
reset") flipped the register number to 0 for all the debug registers
in the sysreg table, hereby indicating that these registers live
in a separate shadow structure.

However, the author of this patch failed to realise that all the
accessors are using that particular index instead of the register
encoding, resulting in all the registers hitting index 0. Not quite
a valid implementation of the architecture...

Address the issue by fixing all the accessors to use the CRm field
of the encoding, which contains the debug register index.

Fixes: 03fdfb2690099 ("KVM: arm64: Don't write junk to sysregs on reset")
Reported-by: Ricardo Koller <ricarkol@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm64/kvm/sys_regs.c |   42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

--- a/arch/arm64/kvm/sys_regs.c
+++ b/arch/arm64/kvm/sys_regs.c
@@ -432,14 +432,14 @@ static bool trap_bvr(struct kvm_vcpu *vc
 		     struct sys_reg_params *p,
 		     const struct sys_reg_desc *rd)
 {
-	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->reg];
+	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->CRm];
 
 	if (p->is_write)
 		reg_to_dbg(vcpu, p, dbg_reg);
 	else
 		dbg_to_reg(vcpu, p, dbg_reg);
 
-	trace_trap_reg(__func__, rd->reg, p->is_write, *dbg_reg);
+	trace_trap_reg(__func__, rd->CRm, p->is_write, *dbg_reg);
 
 	return true;
 }
@@ -447,7 +447,7 @@ static bool trap_bvr(struct kvm_vcpu *vc
 static int set_bvr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 		const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->CRm];
 
 	if (copy_from_user(r, uaddr, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -457,7 +457,7 @@ static int set_bvr(struct kvm_vcpu *vcpu
 static int get_bvr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 	const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bvr[rd->CRm];
 
 	if (copy_to_user(uaddr, r, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -467,21 +467,21 @@ static int get_bvr(struct kvm_vcpu *vcpu
 static void reset_bvr(struct kvm_vcpu *vcpu,
 		      const struct sys_reg_desc *rd)
 {
-	vcpu->arch.vcpu_debug_state.dbg_bvr[rd->reg] = rd->val;
+	vcpu->arch.vcpu_debug_state.dbg_bvr[rd->CRm] = rd->val;
 }
 
 static bool trap_bcr(struct kvm_vcpu *vcpu,
 		     struct sys_reg_params *p,
 		     const struct sys_reg_desc *rd)
 {
-	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->reg];
+	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->CRm];
 
 	if (p->is_write)
 		reg_to_dbg(vcpu, p, dbg_reg);
 	else
 		dbg_to_reg(vcpu, p, dbg_reg);
 
-	trace_trap_reg(__func__, rd->reg, p->is_write, *dbg_reg);
+	trace_trap_reg(__func__, rd->CRm, p->is_write, *dbg_reg);
 
 	return true;
 }
@@ -489,7 +489,7 @@ static bool trap_bcr(struct kvm_vcpu *vc
 static int set_bcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 		const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->CRm];
 
 	if (copy_from_user(r, uaddr, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -500,7 +500,7 @@ static int set_bcr(struct kvm_vcpu *vcpu
 static int get_bcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 	const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_bcr[rd->CRm];
 
 	if (copy_to_user(uaddr, r, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -510,22 +510,22 @@ static int get_bcr(struct kvm_vcpu *vcpu
 static void reset_bcr(struct kvm_vcpu *vcpu,
 		      const struct sys_reg_desc *rd)
 {
-	vcpu->arch.vcpu_debug_state.dbg_bcr[rd->reg] = rd->val;
+	vcpu->arch.vcpu_debug_state.dbg_bcr[rd->CRm] = rd->val;
 }
 
 static bool trap_wvr(struct kvm_vcpu *vcpu,
 		     struct sys_reg_params *p,
 		     const struct sys_reg_desc *rd)
 {
-	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->reg];
+	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->CRm];
 
 	if (p->is_write)
 		reg_to_dbg(vcpu, p, dbg_reg);
 	else
 		dbg_to_reg(vcpu, p, dbg_reg);
 
-	trace_trap_reg(__func__, rd->reg, p->is_write,
-		vcpu->arch.vcpu_debug_state.dbg_wvr[rd->reg]);
+	trace_trap_reg(__func__, rd->CRm, p->is_write,
+		vcpu->arch.vcpu_debug_state.dbg_wvr[rd->CRm]);
 
 	return true;
 }
@@ -533,7 +533,7 @@ static bool trap_wvr(struct kvm_vcpu *vc
 static int set_wvr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 		const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->CRm];
 
 	if (copy_from_user(r, uaddr, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -543,7 +543,7 @@ static int set_wvr(struct kvm_vcpu *vcpu
 static int get_wvr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 	const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wvr[rd->CRm];
 
 	if (copy_to_user(uaddr, r, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -553,21 +553,21 @@ static int get_wvr(struct kvm_vcpu *vcpu
 static void reset_wvr(struct kvm_vcpu *vcpu,
 		      const struct sys_reg_desc *rd)
 {
-	vcpu->arch.vcpu_debug_state.dbg_wvr[rd->reg] = rd->val;
+	vcpu->arch.vcpu_debug_state.dbg_wvr[rd->CRm] = rd->val;
 }
 
 static bool trap_wcr(struct kvm_vcpu *vcpu,
 		     struct sys_reg_params *p,
 		     const struct sys_reg_desc *rd)
 {
-	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->reg];
+	u64 *dbg_reg = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->CRm];
 
 	if (p->is_write)
 		reg_to_dbg(vcpu, p, dbg_reg);
 	else
 		dbg_to_reg(vcpu, p, dbg_reg);
 
-	trace_trap_reg(__func__, rd->reg, p->is_write, *dbg_reg);
+	trace_trap_reg(__func__, rd->CRm, p->is_write, *dbg_reg);
 
 	return true;
 }
@@ -575,7 +575,7 @@ static bool trap_wcr(struct kvm_vcpu *vc
 static int set_wcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 		const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->CRm];
 
 	if (copy_from_user(r, uaddr, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -585,7 +585,7 @@ static int set_wcr(struct kvm_vcpu *vcpu
 static int get_wcr(struct kvm_vcpu *vcpu, const struct sys_reg_desc *rd,
 	const struct kvm_one_reg *reg, void __user *uaddr)
 {
-	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->reg];
+	__u64 *r = &vcpu->arch.vcpu_debug_state.dbg_wcr[rd->CRm];
 
 	if (copy_to_user(uaddr, r, KVM_REG_SIZE(reg->id)) != 0)
 		return -EFAULT;
@@ -595,7 +595,7 @@ static int get_wcr(struct kvm_vcpu *vcpu
 static void reset_wcr(struct kvm_vcpu *vcpu,
 		      const struct sys_reg_desc *rd)
 {
-	vcpu->arch.vcpu_debug_state.dbg_wcr[rd->reg] = rd->val;
+	vcpu->arch.vcpu_debug_state.dbg_wcr[rd->CRm] = rd->val;
 }
 
 static void reset_amair_el1(struct kvm_vcpu *vcpu, const struct sys_reg_desc *r)



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 72/78] x86/kvm: Teardown PV features on boot CPU as well
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 71/78] KVM: arm64: Fix debug register indexing Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 73/78] x86/kvm: Disable kvmclock on all CPUs on shutdown Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Vitaly Kuznetsov, Paolo Bonzini,
	Andrea Righi, Krzysztof Kozlowski

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit 8b79feffeca28c5459458fe78676b081e87c93a4 upstream.

Various PV features (Async PF, PV EOI, steal time) work through memory
shared with hypervisor and when we restore from hibernation we must
properly teardown all these features to make sure hypervisor doesn't
write to stale locations after we jump to the previously hibernated kernel
(which can try to place anything there). For secondary CPUs the job is
already done by kvm_cpu_down_prepare(), register syscore ops to do
the same for boot CPU.

Krzysztof:
This fixes memory corruption visible after second resume from
hibernation:

  BUG: Bad page state in process dbus-daemon  pfn:18b01
  page:ffffea000062c040 refcount:0 mapcount:0 mapping:0000000000000000 index:0x1 compound_mapcount: -30591
  flags: 0xfffffc0078141(locked|error|workingset|writeback|head|mappedtodisk|reclaim)
  raw: 000fffffc0078141 dead0000000002d0 dead000000000100 0000000000000000
  raw: 0000000000000001 0000000000000000 00000000ffffffff 0000000000000000
  page dumped because: PAGE_FLAGS_CHECK_AT_PREP flag set
  bad because of flags: 0x78141(locked|error|workingset|writeback|head|mappedtodisk|reclaim)

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210414123544.1060604-3-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
[krzysztof: Extend the commit message]
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/kvm.c |   57 +++++++++++++++++++++++++++++++++++---------------
 1 file changed, 41 insertions(+), 16 deletions(-)

--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -24,6 +24,7 @@
 #include <linux/debugfs.h>
 #include <linux/nmi.h>
 #include <linux/swait.h>
+#include <linux/syscore_ops.h>
 #include <asm/timer.h>
 #include <asm/cpu.h>
 #include <asm/traps.h>
@@ -428,6 +429,25 @@ static void __init sev_map_percpu_data(v
 	}
 }
 
+static void kvm_guest_cpu_offline(void)
+{
+	kvm_disable_steal_time();
+	if (kvm_para_has_feature(KVM_FEATURE_PV_EOI))
+		wrmsrl(MSR_KVM_PV_EOI_EN, 0);
+	kvm_pv_disable_apf();
+	apf_task_wake_all();
+}
+
+static int kvm_cpu_online(unsigned int cpu)
+{
+	unsigned long flags;
+
+	local_irq_save(flags);
+	kvm_guest_cpu_init();
+	local_irq_restore(flags);
+	return 0;
+}
+
 #ifdef CONFIG_SMP
 #define KVM_IPI_CLUSTER_SIZE	(2 * BITS_PER_LONG)
 
@@ -547,31 +567,34 @@ static void __init kvm_smp_prepare_boot_
 	kvm_spinlock_init();
 }
 
-static void kvm_guest_cpu_offline(void)
+static int kvm_cpu_down_prepare(unsigned int cpu)
 {
-	kvm_disable_steal_time();
-	if (kvm_para_has_feature(KVM_FEATURE_PV_EOI))
-		wrmsrl(MSR_KVM_PV_EOI_EN, 0);
-	kvm_pv_disable_apf();
-	apf_task_wake_all();
-}
+	unsigned long flags;
 
-static int kvm_cpu_online(unsigned int cpu)
-{
-	local_irq_disable();
-	kvm_guest_cpu_init();
-	local_irq_enable();
+	local_irq_save(flags);
+	kvm_guest_cpu_offline();
+	local_irq_restore(flags);
 	return 0;
 }
 
-static int kvm_cpu_down_prepare(unsigned int cpu)
+#endif
+
+static int kvm_suspend(void)
 {
-	local_irq_disable();
 	kvm_guest_cpu_offline();
-	local_irq_enable();
+
 	return 0;
 }
-#endif
+
+static void kvm_resume(void)
+{
+	kvm_cpu_online(raw_smp_processor_id());
+}
+
+static struct syscore_ops kvm_syscore_ops = {
+	.suspend	= kvm_suspend,
+	.resume		= kvm_resume,
+};
 
 static void __init kvm_apf_trap_init(void)
 {
@@ -649,6 +672,8 @@ static void __init kvm_guest_init(void)
 	kvm_guest_cpu_init();
 #endif
 
+	register_syscore_ops(&kvm_syscore_ops);
+
 	/*
 	 * Hard lockup detection is enabled by default. Disable it, as guests
 	 * can get false positives too easily, for example if the host is



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 73/78] x86/kvm: Disable kvmclock on all CPUs on shutdown
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 72/78] x86/kvm: Teardown PV features on boot CPU as well Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 74/78] x86/kvm: Disable all PV features on crash Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Vitaly Kuznetsov, Paolo Bonzini,
	Andrea Righi, Krzysztof Kozlowski

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit c02027b5742b5aa804ef08a4a9db433295533046 upstream.

Currenly, we disable kvmclock from machine_shutdown() hook and this
only happens for boot CPU. We need to disable it for all CPUs to
guard against memory corruption e.g. on restore from hibernate.

Note, writing '0' to kvmclock MSR doesn't clear memory location, it
just prevents hypervisor from updating the location so for the short
while after write and while CPU is still alive, the clock remains usable
and correct so we don't need to switch to some other clocksource.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210414123544.1060604-4-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/kvm_para.h |    4 ++--
 arch/x86/kernel/kvm.c           |    1 +
 arch/x86/kernel/kvmclock.c      |    5 +----
 3 files changed, 4 insertions(+), 6 deletions(-)

--- a/arch/x86/include/asm/kvm_para.h
+++ b/arch/x86/include/asm/kvm_para.h
@@ -6,8 +6,6 @@
 #include <asm/alternative.h>
 #include <uapi/asm/kvm_para.h>
 
-extern void kvmclock_init(void);
-
 #ifdef CONFIG_KVM_GUEST
 bool kvm_check_and_clear_guest_paused(void);
 #else
@@ -85,6 +83,8 @@ static inline long kvm_hypercall4(unsign
 }
 
 #ifdef CONFIG_KVM_GUEST
+void kvmclock_init(void);
+void kvmclock_disable(void);
 bool kvm_para_available(void);
 unsigned int kvm_arch_para_features(void);
 unsigned int kvm_arch_para_hints(void);
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -436,6 +436,7 @@ static void kvm_guest_cpu_offline(void)
 		wrmsrl(MSR_KVM_PV_EOI_EN, 0);
 	kvm_pv_disable_apf();
 	apf_task_wake_all();
+	kvmclock_disable();
 }
 
 static int kvm_cpu_online(unsigned int cpu)
--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -214,11 +214,9 @@ static void kvm_crash_shutdown(struct pt
 }
 #endif
 
-static void kvm_shutdown(void)
+void kvmclock_disable(void)
 {
 	native_write_msr(msr_kvm_system_time, 0, 0);
-	kvm_disable_steal_time();
-	native_machine_shutdown();
 }
 
 static void __init kvmclock_init_mem(void)
@@ -346,7 +344,6 @@ void __init kvmclock_init(void)
 #endif
 	x86_platform.save_sched_clock_state = kvm_save_sched_clock_state;
 	x86_platform.restore_sched_clock_state = kvm_restore_sched_clock_state;
-	machine_ops.shutdown  = kvm_shutdown;
 #ifdef CONFIG_KEXEC_CORE
 	machine_ops.crash_shutdown  = kvm_crash_shutdown;
 #endif



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 74/78] x86/kvm: Disable all PV features on crash
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 73/78] x86/kvm: Disable kvmclock on all CPUs on shutdown Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 75/78] lib/lz4: explicitly support in-place decompression Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Greg Kroah-Hartman, Vitaly Kuznetsov, Paolo Bonzini, Krzysztof Kozlowski

From: Vitaly Kuznetsov <vkuznets@redhat.com>

commit 3d6b84132d2a57b5a74100f6923a8feb679ac2ce upstream.

Crash shutdown handler only disables kvmclock and steal time, other PV
features remain active so we risk corrupting memory or getting some
side-effects in kdump kernel. Move crash handler to kvm.c and unify
with CPU offline.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20210414123544.1060604-5-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/kvm_para.h |    6 -----
 arch/x86/kernel/kvm.c           |   44 +++++++++++++++++++++++++++++-----------
 arch/x86/kernel/kvmclock.c      |   21 -------------------
 3 files changed, 32 insertions(+), 39 deletions(-)

--- a/arch/x86/include/asm/kvm_para.h
+++ b/arch/x86/include/asm/kvm_para.h
@@ -91,7 +91,6 @@ unsigned int kvm_arch_para_hints(void);
 void kvm_async_pf_task_wait(u32 token, int interrupt_kernel);
 void kvm_async_pf_task_wake(u32 token);
 u32 kvm_read_and_reset_pf_reason(void);
-extern void kvm_disable_steal_time(void);
 void do_async_page_fault(struct pt_regs *regs, unsigned long error_code, unsigned long address);
 
 #ifdef CONFIG_PARAVIRT_SPINLOCKS
@@ -125,11 +124,6 @@ static inline u32 kvm_read_and_reset_pf_
 {
 	return 0;
 }
-
-static inline void kvm_disable_steal_time(void)
-{
-	return;
-}
 #endif
 
 #endif /* _ASM_X86_KVM_PARA_H */
--- a/arch/x86/kernel/kvm.c
+++ b/arch/x86/kernel/kvm.c
@@ -34,6 +34,7 @@
 #include <asm/apicdef.h>
 #include <asm/hypervisor.h>
 #include <asm/tlb.h>
+#include <asm/reboot.h>
 
 static int kvmapf = 1;
 
@@ -352,6 +353,14 @@ static void kvm_pv_disable_apf(void)
 	       smp_processor_id());
 }
 
+static void kvm_disable_steal_time(void)
+{
+	if (!has_steal_clock)
+		return;
+
+	wrmsr(MSR_KVM_STEAL_TIME, 0, 0);
+}
+
 static void kvm_pv_guest_cpu_reboot(void *unused)
 {
 	/*
@@ -394,14 +403,6 @@ static u64 kvm_steal_clock(int cpu)
 	return steal;
 }
 
-void kvm_disable_steal_time(void)
-{
-	if (!has_steal_clock)
-		return;
-
-	wrmsr(MSR_KVM_STEAL_TIME, 0, 0);
-}
-
 static inline void __set_percpu_decrypted(void *ptr, unsigned long size)
 {
 	early_set_memory_decrypted((unsigned long) ptr, size);
@@ -429,13 +430,14 @@ static void __init sev_map_percpu_data(v
 	}
 }
 
-static void kvm_guest_cpu_offline(void)
+static void kvm_guest_cpu_offline(bool shutdown)
 {
 	kvm_disable_steal_time();
 	if (kvm_para_has_feature(KVM_FEATURE_PV_EOI))
 		wrmsrl(MSR_KVM_PV_EOI_EN, 0);
 	kvm_pv_disable_apf();
-	apf_task_wake_all();
+	if (!shutdown)
+		apf_task_wake_all();
 	kvmclock_disable();
 }
 
@@ -573,7 +575,7 @@ static int kvm_cpu_down_prepare(unsigned
 	unsigned long flags;
 
 	local_irq_save(flags);
-	kvm_guest_cpu_offline();
+	kvm_guest_cpu_offline(false);
 	local_irq_restore(flags);
 	return 0;
 }
@@ -582,7 +584,7 @@ static int kvm_cpu_down_prepare(unsigned
 
 static int kvm_suspend(void)
 {
-	kvm_guest_cpu_offline();
+	kvm_guest_cpu_offline(false);
 
 	return 0;
 }
@@ -597,6 +599,20 @@ static struct syscore_ops kvm_syscore_op
 	.resume		= kvm_resume,
 };
 
+/*
+ * After a PV feature is registered, the host will keep writing to the
+ * registered memory location. If the guest happens to shutdown, this memory
+ * won't be valid. In cases like kexec, in which you install a new kernel, this
+ * means a random memory location will be kept being written.
+ */
+#ifdef CONFIG_KEXEC_CORE
+static void kvm_crash_shutdown(struct pt_regs *regs)
+{
+	kvm_guest_cpu_offline(true);
+	native_machine_crash_shutdown(regs);
+}
+#endif
+
 static void __init kvm_apf_trap_init(void)
 {
 	update_intr_gate(X86_TRAP_PF, async_page_fault);
@@ -673,6 +689,10 @@ static void __init kvm_guest_init(void)
 	kvm_guest_cpu_init();
 #endif
 
+#ifdef CONFIG_KEXEC_CORE
+	machine_ops.crash_shutdown = kvm_crash_shutdown;
+#endif
+
 	register_syscore_ops(&kvm_syscore_ops);
 
 	/*
--- a/arch/x86/kernel/kvmclock.c
+++ b/arch/x86/kernel/kvmclock.c
@@ -20,7 +20,6 @@
 #include <asm/hypervisor.h>
 #include <asm/mem_encrypt.h>
 #include <asm/x86_init.h>
-#include <asm/reboot.h>
 #include <asm/kvmclock.h>
 
 static int kvmclock __initdata = 1;
@@ -197,23 +196,6 @@ static void kvm_setup_secondary_clock(vo
 }
 #endif
 
-/*
- * After the clock is registered, the host will keep writing to the
- * registered memory location. If the guest happens to shutdown, this memory
- * won't be valid. In cases like kexec, in which you install a new kernel, this
- * means a random memory location will be kept being written. So before any
- * kind of shutdown from our side, we unregister the clock by writing anything
- * that does not have the 'enable' bit set in the msr
- */
-#ifdef CONFIG_KEXEC_CORE
-static void kvm_crash_shutdown(struct pt_regs *regs)
-{
-	native_write_msr(msr_kvm_system_time, 0, 0);
-	kvm_disable_steal_time();
-	native_machine_crash_shutdown(regs);
-}
-#endif
-
 void kvmclock_disable(void)
 {
 	native_write_msr(msr_kvm_system_time, 0, 0);
@@ -344,9 +326,6 @@ void __init kvmclock_init(void)
 #endif
 	x86_platform.save_sched_clock_state = kvm_save_sched_clock_state;
 	x86_platform.restore_sched_clock_state = kvm_restore_sched_clock_state;
-#ifdef CONFIG_KEXEC_CORE
-	machine_ops.crash_shutdown  = kvm_crash_shutdown;
-#endif
 	kvm_get_preset_lpj();
 
 	/*



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 75/78] lib/lz4: explicitly support in-place decompression
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 74/78] x86/kvm: Disable all PV features on crash Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 76/78] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gao Xiang, Nick Terrell, Yann Collet,
	Miao Xie, Chao Yu, Li Guifu, Guo Xuenan, Andrew Morton,
	Linus Torvalds, Gao Xiang

From: Gao Xiang <hsiangkao@redhat.com>

commit 89b158635ad79574bde8e94d45dad33f8cf09549 upstream.

LZ4 final literal copy could be overlapped when doing
in-place decompression, so it's unsafe to just use memcpy()
on an optimized memcpy approach but memmove() instead.

Upstream LZ4 has updated this years ago [1] (and the impact
is non-sensible [2] plus only a few bytes remain), this commit
just synchronizes LZ4 upstream code to the kernel side as well.

It can be observed as EROFS in-place decompression failure
on specific files when X86_FEATURE_ERMS is unsupported,
memcpy() optimization of commit 59daa706fbec ("x86, mem:
Optimize memcpy by avoiding memory false dependece") will
be enabled then.

Currently most modern x86-CPUs support ERMS, these CPUs just
use "rep movsb" approach so no problem at all. However, it can
still be verified with forcely disabling ERMS feature...

arch/x86/lib/memcpy_64.S:
        ALTERNATIVE_2 "jmp memcpy_orig", "", X86_FEATURE_REP_GOOD, \
-                     "jmp memcpy_erms", X86_FEATURE_ERMS
+                     "jmp memcpy_orig", X86_FEATURE_ERMS

We didn't observe any strange on arm64/arm/x86 platform before
since most memcpy() would behave in an increasing address order
("copy upwards" [3]) and it's the correct order of in-place
decompression but it really needs an update to memmove() for sure
considering it's an undefined behavior according to the standard
and some unique optimization already exists in the kernel.

[1] https://github.com/lz4/lz4/commit/33cb8518ac385835cc17be9a770b27b40cd0e15b
[2] https://github.com/lz4/lz4/pull/717#issuecomment-497818921
[3] https://sourceware.org/bugzilla/show_bug.cgi?id=12518

Link: https://lkml.kernel.org/r/20201122030749.2698994-1-hsiangkao@redhat.com
Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
Reviewed-by: Nick Terrell <terrelln@fb.com>
Cc: Yann Collet <yann.collet.73@gmail.com>
Cc: Miao Xie <miaoxie@huawei.com>
Cc: Chao Yu <yuchao0@huawei.com>
Cc: Li Guifu <bluce.liguifu@huawei.com>
Cc: Guo Xuenan <guoxuenan@huawei.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/lz4/lz4_decompress.c |    6 +++++-
 lib/lz4/lz4defs.h        |    2 ++
 2 files changed, 7 insertions(+), 1 deletion(-)

--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -260,7 +260,11 @@ static FORCE_INLINE int LZ4_decompress_g
 				}
 			}
 
-			memcpy(op, ip, length);
+			/*
+			 * supports overlapping memory regions; only matters
+			 * for in-place decompression scenarios
+			 */
+			LZ4_memmove(op, ip, length);
 			ip += length;
 			op += length;
 
--- a/lib/lz4/lz4defs.h
+++ b/lib/lz4/lz4defs.h
@@ -137,6 +137,8 @@ static FORCE_INLINE void LZ4_writeLE16(v
 	return put_unaligned_le16(value, memPtr);
 }
 
+#define LZ4_memmove(dst, src, size) __builtin_memmove(dst, src, size)
+
 static FORCE_INLINE void LZ4_copy8(void *dst, const void *src)
 {
 #if LZ4_ARCH64



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 76/78] xen-pciback: redo VF placement in the virtual topology
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 75/78] lib/lz4: explicitly support in-place decompression Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 77/78] i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Beulich, Boris Ostrovsky, Juergen Gross

From: Jan Beulich <jbeulich@suse.com>

The commit referenced below was incomplete: It merely affected what
would get written to the vdev-<N> xenstore node. The guest would still
find the function at the original function number as long as
__xen_pcibk_get_pci_dev() wouldn't be in sync. The same goes for AER wrt
__xen_pcibk_get_pcifront_dev().

Undo overriding the function to zero and instead make sure that VFs at
function zero remain alone in their slot. This has the added benefit of
improving overall capacity, considering that there's only a total of 32
slots available right now (PCI segment and bus can both only ever be
zero at present).

This is upstream commit 4ba50e7c423c29639878c00573288869aa627068.

Fixes: 8a5248fe10b1 ("xen PV passthru: assign SR-IOV virtual functions to 
separate virtual slots")
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lore.kernel.org/r/8def783b-404c-3452-196d-3f3fd4d72c9e@suse.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/xen-pciback/vpci.c |   14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

--- a/drivers/xen/xen-pciback/vpci.c
+++ b/drivers/xen/xen-pciback/vpci.c
@@ -69,7 +69,7 @@ static int __xen_pcibk_add_pci_dev(struc
 				   struct pci_dev *dev, int devid,
 				   publish_pci_dev_cb publish_cb)
 {
-	int err = 0, slot, func = -1;
+	int err = 0, slot, func = PCI_FUNC(dev->devfn);
 	struct pci_dev_entry *t, *dev_entry;
 	struct vpci_dev_data *vpci_dev = pdev->pci_dev_data;
 
@@ -94,23 +94,26 @@ static int __xen_pcibk_add_pci_dev(struc
 
 	/*
 	 * Keep multi-function devices together on the virtual PCI bus, except
-	 * virtual functions.
+	 * that we want to keep virtual functions at func 0 on their own. They
+	 * aren't multi-function devices and hence their presence at func 0
+	 * may cause guests to not scan the other functions.
 	 */
-	if (!dev->is_virtfn) {
+	if (!dev->is_virtfn || func) {
 		for (slot = 0; slot < PCI_SLOT_MAX; slot++) {
 			if (list_empty(&vpci_dev->dev_list[slot]))
 				continue;
 
 			t = list_entry(list_first(&vpci_dev->dev_list[slot]),
 				       struct pci_dev_entry, list);
+			if (t->dev->is_virtfn && !PCI_FUNC(t->dev->devfn))
+				continue;
 
 			if (match_slot(dev, t->dev)) {
 				pr_info("vpci: %s: assign to virtual slot %d func %d\n",
 					pci_name(dev), slot,
-					PCI_FUNC(dev->devfn));
+					func);
 				list_add_tail(&dev_entry->list,
 					      &vpci_dev->dev_list[slot]);
-				func = PCI_FUNC(dev->devfn);
 				goto unlock;
 			}
 		}
@@ -123,7 +126,6 @@ static int __xen_pcibk_add_pci_dev(struc
 				pci_name(dev), slot);
 			list_add_tail(&dev_entry->list,
 				      &vpci_dev->dev_list[slot]);
-			func = dev->is_virtfn ? 0 : PCI_FUNC(dev->devfn);
 			goto unlock;
 		}
 	}



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 77/78] i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 76/78] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-08 18:27 ` [PATCH 5.4 78/78] neighbour: allow NUD_NOARP entries to be forced GCed Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Roja Rani Yarubandi, Stephen Boyd,
	Wolfram Sang

From: Roja Rani Yarubandi <rojay@codeaurora.org>

commit 57648e860485de39c800a89f849fdd03c2d31d15 upstream.

Mark bus as suspended during system suspend to block the future
transfers. Implement geni_i2c_resume_noirq() to resume the bus.

Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
Signed-off-by: Roja Rani Yarubandi <rojay@codeaurora.org>
Reviewed-by: Stephen Boyd <swboyd@chromium.org>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/i2c/busses/i2c-qcom-geni.c |   12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -685,6 +685,8 @@ static int __maybe_unused geni_i2c_suspe
 {
 	struct geni_i2c_dev *gi2c = dev_get_drvdata(dev);
 
+	i2c_mark_adapter_suspended(&gi2c->adap);
+
 	if (!gi2c->suspended) {
 		geni_i2c_runtime_suspend(dev);
 		pm_runtime_disable(dev);
@@ -694,8 +696,16 @@ static int __maybe_unused geni_i2c_suspe
 	return 0;
 }
 
+static int __maybe_unused geni_i2c_resume_noirq(struct device *dev)
+{
+	struct geni_i2c_dev *gi2c = dev_get_drvdata(dev);
+
+	i2c_mark_adapter_resumed(&gi2c->adap);
+	return 0;
+}
+
 static const struct dev_pm_ops geni_i2c_pm_ops = {
-	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(geni_i2c_suspend_noirq, NULL)
+	SET_NOIRQ_SYSTEM_SLEEP_PM_OPS(geni_i2c_suspend_noirq, geni_i2c_resume_noirq)
 	SET_RUNTIME_PM_OPS(geni_i2c_runtime_suspend, geni_i2c_runtime_resume,
 									NULL)
 };



^ permalink raw reply	[flat|nested] 87+ messages in thread

* [PATCH 5.4 78/78] neighbour: allow NUD_NOARP entries to be forced GCed
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 77/78] i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops Greg Kroah-Hartman
@ 2021-06-08 18:27 ` Greg Kroah-Hartman
  2021-06-09  2:55 ` [PATCH 5.4 00/78] 5.4.125-rc1 review Shuah Khan
                   ` (5 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-08 18:27 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kasper Dupont,
	Thadeu Lima de Souza Cascardo, David Ahern, David S. Miller

From: David Ahern <dsahern@kernel.org>

commit 7a6b1ab7475fd6478eeaf5c9d1163e7a18125c8f upstream.

IFF_POINTOPOINT interfaces use NUD_NOARP entries for IPv6. It's possible to
fill up the neighbour table with enough entries that it will overflow for
valid connections after that.

This behaviour is more prevalent after commit 58956317c8de ("neighbor:
Improve garbage collection") is applied, as it prevents removal from
entries that are not NUD_FAILED, unless they are more than 5s old.

Fixes: 58956317c8de (neighbor: Improve garbage collection)
Reported-by: Kasper Dupont <kasperd@gjkwv.06.feb.2021.kasperd.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/neighbour.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -239,6 +239,7 @@ static int neigh_forced_gc(struct neigh_
 
 			write_lock(&n->lock);
 			if ((n->nud_state == NUD_FAILED) ||
+			    (n->nud_state == NUD_NOARP) ||
 			    (tbl->is_multicast &&
 			     tbl->is_multicast(n->primary_key)) ||
 			    time_after(tref, n->updated))



^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-06-08 18:27 ` [PATCH 5.4 78/78] neighbour: allow NUD_NOARP entries to be forced GCed Greg Kroah-Hartman
@ 2021-06-09  2:55 ` Shuah Khan
  2021-06-09  9:33 ` Jon Hunter
                   ` (4 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Shuah Khan @ 2021-06-09  2:55 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 6/8/21 12:26 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.125-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-06-09  2:55 ` [PATCH 5.4 00/78] 5.4.125-rc1 review Shuah Khan
@ 2021-06-09  9:33 ` Jon Hunter
  2021-06-09 10:15 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Jon Hunter @ 2021-06-09  9:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, linux-tegra

On Tue, 08 Jun 2021 20:26:29 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.125-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v5.4:
    12 builds:	12 pass, 0 fail
    26 boots:	26 pass, 0 fail
    59 tests:	59 pass, 0 fail

Linux version:	5.4.125-rc1-g90487dc4fc35
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra20-ventana,
                tegra210-p2371-2180, tegra210-p3450-0000,
                tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-06-09  9:33 ` Jon Hunter
@ 2021-06-09 10:15 ` Naresh Kamboju
  2021-06-09 18:40 ` Florian Fainelli
                   ` (2 subsequent siblings)
  83 siblings, 0 replies; 87+ messages in thread
From: Naresh Kamboju @ 2021-06-09 10:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Shuah Khan, Florian Fainelli, patches, lkft-triage,
	Jon Hunter, linux-stable, Pavel Machek, Andrew Morton,
	Linus Torvalds, Guenter Roeck

On Wed, 9 Jun 2021 at 00:06, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.125-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.4.125-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-5.4.y
* git commit: 90487dc4fc3599ba4b2e00c89edcd0a397d2f051
* git describe: v5.4.124-79-g90487dc4fc35
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.4.y/build/v5.4.124-79-g90487dc4fc35

## No regressions (compared to v5.4.124)

## No fixes (compared to v5.4.124)

## Test result summary
 total: 74682, pass: 60077, fail: 1521, skip: 11846, xfail: 1238,

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 192 total, 192 passed, 0 failed
* arm64: 26 total, 26 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 15 total, 15 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 42 total, 42 passed, 0 failed
* parisc: 9 total, 9 passed, 0 failed
* powerpc: 27 total, 27 passed, 0 failed
* riscv: 18 total, 18 passed, 0 failed
* s390: 9 total, 9 passed, 0 failed
* sh: 18 total, 18 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 26 total, 26 passed, 0 failed

## Test suites summary
* fwts
* install-android-platform-tools-r2600
* kselftest-
* kselftest-android
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-vsyscall-mode-native-
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org
>
> -------------
> Pseudo-Shortlog of commits:
>
> Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>     Linux 5.4.125-rc1
>
> David Ahern <dsahern@kernel.org>
>     neighbour: allow NUD_NOARP entries to be forced GCed
>
> Roja Rani Yarubandi <rojay@codeaurora.org>
>     i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops
>
> Jan Beulich <jbeulich@suse.com>
>     xen-pciback: redo VF placement in the virtual topology
>
> Gao Xiang <hsiangkao@redhat.com>
>     lib/lz4: explicitly support in-place decompression
>
> Vitaly Kuznetsov <vkuznets@redhat.com>
>     x86/kvm: Disable all PV features on crash
>
> Vitaly Kuznetsov <vkuznets@redhat.com>
>     x86/kvm: Disable kvmclock on all CPUs on shutdown
>
> Vitaly Kuznetsov <vkuznets@redhat.com>
>     x86/kvm: Teardown PV features on boot CPU as well
>
> Marc Zyngier <maz@kernel.org>
>     KVM: arm64: Fix debug register indexing
>
> Sean Christopherson <seanjc@google.com>
>     KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode
>
> Anand Jain <anand.jain@oracle.com>
>     btrfs: fix unmountable seed device after fstrim
>
> Matthew Wilcox (Oracle) <willy@infradead.org>
>     mm/filemap: fix storing to a THP shadow entry
>
> Matthew Wilcox (Oracle) <willy@infradead.org>
>     XArray: add xas_split
>
> Matthew Wilcox (Oracle) <willy@infradead.org>
>     XArray: add xa_get_order
>
> Matthew Wilcox (Oracle) <willy@infradead.org>
>     mm: add thp_order
>
> Michael Chan <michael.chan@broadcom.com>
>     bnxt_en: Remove the setting of dev_port.
>
> Mina Almasry <almasrymina@google.com>
>     mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY
>
> Josef Bacik <josef@toxicpanda.com>
>     btrfs: fixup error handling in fixup_inode_link_counts
>
> Josef Bacik <josef@toxicpanda.com>
>     btrfs: return errors from btrfs_del_csums in cleanup_ref_head
>
> Josef Bacik <josef@toxicpanda.com>
>     btrfs: fix error handling in btrfs_del_csums
>
> Josef Bacik <josef@toxicpanda.com>
>     btrfs: mark ordered extent and inode with error if we fail to finish
>
> Thomas Gleixner <tglx@linutronix.de>
>     x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing
>
> Nirmoy Das <nirmoy.das@amd.com>
>     drm/amdgpu: make sure we unpin the UVD BO
>
> Luben Tuikov <luben.tuikov@amd.com>
>     drm/amdgpu: Don't query CE and UE errors
>
> Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
>     nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
>
> Junxiao Bi <junxiao.bi@oracle.com>
>     ocfs2: fix data corruption by fallocate
>
> Mark Rutland <mark.rutland@arm.com>
>     pid: take a reference when initializing `cad_pid`
>
> Phil Elwell <phil@raspberrypi.com>
>     usb: dwc2: Fix build in periphal-only mode
>
> Ye Bin <yebin10@huawei.com>
>     ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
>
> Marek Vasut <marex@denx.de>
>     ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators
>
> Michal Vokáč <michal.vokac@ysoft.com>
>     ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch
>
> Carlos M <carlos.marr.pz@gmail.com>
>     ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx
>
> Takashi Iwai <tiwai@suse.de>
>     ALSA: timer: Fix master timer notification
>
> Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
>     HID: multitouch: require Finger field to mark Win8 reports as MT
>
> Johan Hovold <johan@kernel.org>
>     HID: magicmouse: fix NULL-deref on disconnect
>
> Johnny Chuang <johnny.chuang.emc@gmail.com>
>     HID: i2c-hid: Skip ELAN power-on command after reset
>
> Pavel Skripkin <paskripkin@gmail.com>
>     net: caif: fix memory leak in cfusbl_device_notify
>
> Pavel Skripkin <paskripkin@gmail.com>
>     net: caif: fix memory leak in caif_device_notify
>
> Pavel Skripkin <paskripkin@gmail.com>
>     net: caif: add proper error handling
>
> Pavel Skripkin <paskripkin@gmail.com>
>     net: caif: added cfserl_release function
>
> Lin Ma <linma@zju.edu.cn>
>     Bluetooth: use correct lock to prevent UAF of hdev object
>
> Lin Ma <linma@zju.edu.cn>
>     Bluetooth: fix the erroneous flush_work() order
>
> Hoang Le <hoang.h.le@dektech.com.au>
>     tipc: fix unique bearer names sanity check
>
> Hoang Le <hoang.h.le@dektech.com.au>
>     tipc: add extack messages for bearer/media failure
>
> Tony Lindgren <tony@atomide.com>
>     bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act
>
> Geert Uytterhoeven <geert+renesas@glider.be>
>     ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells
>
> Fabio Estevam <festevam@gmail.com>
>     ARM: dts: imx7d-pico: Fix the 'tuning-step' property
>
> Fabio Estevam <festevam@gmail.com>
>     ARM: dts: imx7d-meerkat96: Fix the 'tuning-step' property
>
> Lucas Stach <l.stach@pengutronix.de>
>     arm64: dts: zii-ultra: fix 12V_MAIN voltage
>
> Michael Walle <michael@walle.cc>
>     arm64: dts: ls1028a: fix memory node
>
> Magnus Karlsson <magnus.karlsson@intel.com>
>     i40e: add correct exception tracing for XDP
>
> Magnus Karlsson <magnus.karlsson@intel.com>
>     i40e: optimize for XDP_REDIRECT in xsk path
>
> Roja Rani Yarubandi <rojay@codeaurora.org>
>     i2c: qcom-geni: Add shutdown callback for i2c
>
> Dave Ertman <david.m.ertman@intel.com>
>     ice: Allow all LLDP packets from PF to Tx
>
> Brett Creeley <brett.creeley@intel.com>
>     ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared
>
> Mitch Williams <mitch.a.williams@intel.com>
>     ice: write register with correct offset
>
> Coco Li <lixiaoyan@google.com>
>     ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions
>
> Magnus Karlsson <magnus.karlsson@intel.com>
>     ixgbevf: add correct exception tracing for XDP
>
> Wei Yongjun <weiyongjun1@huawei.com>
>     ieee802154: fix error return code in ieee802154_llsec_getparams()
>
> Zhen Lei <thunder.leizhen@huawei.com>
>     ieee802154: fix error return code in ieee802154_add_iface()
>
> Pablo Neira Ayuso <pablo@netfilter.org>
>     netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches
>
> Pablo Neira Ayuso <pablo@netfilter.org>
>     netfilter: nft_ct: skip expectations for confirmed conntrack
>
> Erik Kaneda <erik.kaneda@intel.com>
>     ACPICA: Clean up context mutex during object deletion
>
> Ariel Levkovich <lariel@nvidia.com>
>     net/sched: act_ct: Fix ct template allocation for zone 0
>
> Arnd Bergmann <arnd@arndb.de>
>     HID: i2c-hid: fix format string mismatch
>
> Zhen Lei <thunder.leizhen@huawei.com>
>     HID: pidff: fix error return code in hid_pidff_init()
>
> Julian Anastasov <ja@ssi.bg>
>     ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service
>
> Max Gurtovoy <mgurtovoy@nvidia.com>
>     vfio/platform: fix module_put call in error flow
>
> Wei Yongjun <weiyongjun1@huawei.com>
>     samples: vfio-mdev: fix error handing in mdpy_fb_probe()
>
> Randy Dunlap <rdunlap@infradead.org>
>     vfio/pci: zap_vma_ptes() needs MMU
>
> Zhen Lei <thunder.leizhen@huawei.com>
>     vfio/pci: Fix error return code in vfio_ecap_init()
>
> Rasmus Villemoes <linux@rasmusvillemoes.dk>
>     efi: cper: fix snprintf() use in cper_dimm_err_location()
>
> Heiner Kallweit <hkallweit1@gmail.com>
>     efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared
>
> Florian Westphal <fw@strlen.de>
>     netfilter: conntrack: unregister ipv4 sockopts on error unwind
>
> Armin Wolf <W_Armin@gmx.de>
>     hwmon: (dell-smm-hwmon) Fix index values
>
> Anant Thazhemadam <anant.thazhemadam@gmail.com>
>     nl80211: validate key indexes for cfg80211_registered_device
>
> Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
>     ALSA: usb: update old-style static const declaration
>
> Grant Grundler <grundler@chromium.org>
>     net: usb: cdc_ncm: don't spew notifications
>
> Josef Bacik <josef@toxicpanda.com>
>     btrfs: tree-checker: do not error out if extent ref hash doesn't match
>
>
> -------------
>
> Diffstat:
>
>  Documentation/core-api/xarray.rst                  |  16 +-
>  Makefile                                           |   4 +-
>  arch/arm/boot/dts/imx6dl-yapp4-common.dtsi         |   6 +-
>  arch/arm/boot/dts/imx6q-dhcom-som.dtsi             |  12 ++
>  arch/arm/boot/dts/imx6qdl-emcon-avari.dtsi         |   2 +-
>  arch/arm/boot/dts/imx7d-meerkat96.dts              |   2 +-
>  arch/arm/boot/dts/imx7d-pico.dtsi                  |   2 +-
>  arch/arm64/boot/dts/freescale/fsl-ls1028a.dtsi     |   4 +-
>  .../arm64/boot/dts/freescale/imx8mq-zii-ultra.dtsi |   4 +-
>  arch/arm64/kvm/sys_regs.c                          |  42 ++---
>  arch/x86/include/asm/apic.h                        |   1 +
>  arch/x86/include/asm/kvm_para.h                    |  10 +-
>  arch/x86/kernel/apic/apic.c                        |   1 +
>  arch/x86/kernel/apic/vector.c                      |  20 ++
>  arch/x86/kernel/kvm.c                              |  92 ++++++---
>  arch/x86/kernel/kvmclock.c                         |  26 +--
>  arch/x86/kvm/svm.c                                 |   8 +-
>  drivers/acpi/acpica/utdelete.c                     |   8 +
>  drivers/bus/ti-sysc.c                              |   4 +-
>  drivers/firmware/efi/cper.c                        |   4 +-
>  drivers/firmware/efi/memattr.c                     |   5 -
>  drivers/gpu/drm/amd/amdgpu/amdgpu_ctx.c            |  16 --
>  drivers/gpu/drm/amd/amdgpu/uvd_v6_0.c              |   1 +
>  drivers/hid/hid-magicmouse.c                       |   2 +-
>  drivers/hid/hid-multitouch.c                       |  10 +-
>  drivers/hid/i2c-hid/i2c-hid-core.c                 |  13 +-
>  drivers/hid/usbhid/hid-pidff.c                     |   1 +
>  drivers/hwmon/dell-smm-hwmon.c                     |   4 +-
>  drivers/i2c/busses/i2c-qcom-geni.c                 |  21 ++-
>  drivers/net/ethernet/broadcom/bnxt/bnxt.c          |   1 -
>  drivers/net/ethernet/intel/i40e/i40e_txrx.c        |   7 +-
>  drivers/net/ethernet/intel/i40e/i40e_xsk.c         |  15 +-
>  drivers/net/ethernet/intel/ice/ice_hw_autogen.h    |   1 +
>  drivers/net/ethernet/intel/ice/ice_txrx.c          |   5 +-
>  drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c   |  14 +-
>  drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c  |   3 +
>  drivers/net/usb/cdc_ncm.c                          |  12 +-
>  drivers/usb/dwc2/core_intr.c                       |   4 +
>  drivers/vfio/pci/Kconfig                           |   1 +
>  drivers/vfio/pci/vfio_pci_config.c                 |   2 +-
>  drivers/vfio/platform/vfio_platform_common.c       |   2 +-
>  drivers/xen/xen-pciback/vpci.c                     |  14 +-
>  fs/btrfs/extent-tree.c                             |  12 +-
>  fs/btrfs/file-item.c                               |  10 +-
>  fs/btrfs/inode.c                                   |  12 ++
>  fs/btrfs/tree-checker.c                            |  16 +-
>  fs/btrfs/tree-log.c                                |  13 +-
>  fs/ext4/extents.c                                  |  43 +++--
>  fs/ocfs2/file.c                                    |  55 +++++-
>  include/linux/huge_mm.h                            |  19 ++
>  include/linux/usb/usbnet.h                         |   2 +
>  include/linux/xarray.h                             |  22 +++
>  include/net/caif/caif_dev.h                        |   2 +-
>  include/net/caif/cfcnfg.h                          |   2 +-
>  include/net/caif/cfserl.h                          |   1 +
>  init/main.c                                        |   2 +-
>  lib/lz4/lz4_decompress.c                           |   6 +-
>  lib/lz4/lz4defs.h                                  |   2 +
>  lib/test_xarray.c                                  |  65 +++++++
>  lib/xarray.c                                       | 208 ++++++++++++++++++++-
>  mm/filemap.c                                       |  37 +++-
>  mm/hugetlb.c                                       |  14 +-
>  net/bluetooth/hci_core.c                           |   7 +-
>  net/bluetooth/hci_sock.c                           |   4 +-
>  net/caif/caif_dev.c                                |  13 +-
>  net/caif/caif_usb.c                                |  14 +-
>  net/caif/cfcnfg.c                                  |  16 +-
>  net/caif/cfserl.c                                  |   5 +
>  net/core/neighbour.c                               |   1 +
>  net/ieee802154/nl-mac.c                            |   4 +-
>  net/ieee802154/nl-phy.c                            |   4 +-
>  net/ipv6/route.c                                   |   8 +-
>  net/netfilter/ipvs/ip_vs_ctl.c                     |   2 +-
>  net/netfilter/nf_conntrack_proto.c                 |   2 +-
>  net/netfilter/nfnetlink_cthelper.c                 |   8 +-
>  net/netfilter/nft_ct.c                             |   2 +-
>  net/nfc/llcp_sock.c                                |   2 +
>  net/sched/act_ct.c                                 |   3 -
>  net/tipc/bearer.c                                  |  94 +++++++---
>  net/wireless/core.h                                |   2 +
>  net/wireless/nl80211.c                             |   7 +-
>  net/wireless/util.c                                |  39 +++-
>  samples/vfio-mdev/mdpy-fb.c                        |  13 +-
>  sound/core/timer.c                                 |   3 +-
>  sound/pci/hda/patch_realtek.c                      |   1 +
>  sound/usb/mixer_quirks.c                           |   2 +-
>  86 files changed, 926 insertions(+), 295 deletions(-)
>
>

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-06-09 10:15 ` Naresh Kamboju
@ 2021-06-09 18:40 ` Florian Fainelli
  2021-06-09 18:49 ` Guenter Roeck
  2021-06-10  9:01 ` Sudip Mukherjee
  83 siblings, 0 replies; 87+ messages in thread
From: Florian Fainelli @ 2021-06-09 18:40 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, stable



On 6/8/2021 11:26 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.4.125-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h


On ARCH_BRCMSTB, using 32-bit and 64-bit ARM kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-06-09 18:40 ` Florian Fainelli
@ 2021-06-09 18:49 ` Guenter Roeck
  2021-06-10  9:01 ` Sudip Mukherjee
  83 siblings, 0 replies; 87+ messages in thread
From: Guenter Roeck @ 2021-06-09 18:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Tue, Jun 08, 2021 at 08:26:29PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 157 pass: 157 fail: 0
Qemu test results:
	total: 428 pass: 428 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 00/78] 5.4.125-rc1 review
  2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-06-09 18:49 ` Guenter Roeck
@ 2021-06-10  9:01 ` Sudip Mukherjee
  83 siblings, 0 replies; 87+ messages in thread
From: Sudip Mukherjee @ 2021-06-10  9:01 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

Hi Greg,

On Tue, Jun 08, 2021 at 08:26:29PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.4.125 release.
> There are 78 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 10 Jun 2021 17:59:18 +0000.
> Anything received after that time might be too late.

Build test:
mips (gcc version 11.1.1 20210523): 65 configs -> no failure
arm (gcc version 11.1.1 20210523): 107 configs -> no new failure
arm64 (gcc version 11.1.1 20210523): 2 configs -> no failure
x86_64 (gcc version 10.2.1 20210110): 2 configs -> no failure

Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression.


Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>

--
Regards
Sudip

^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object
  2021-06-08 18:27 ` [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
@ 2021-06-14 14:15   ` Eric Dumazet
  2021-06-16 15:01     ` Greg Kroah-Hartman
  0 siblings, 1 reply; 87+ messages in thread
From: Eric Dumazet @ 2021-06-14 14:15 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel; +Cc: stable, Lin Ma, Marcel Holtmann



On 6/8/21 8:27 PM, Greg Kroah-Hartman wrote:
> From: Lin Ma <linma@zju.edu.cn>
> 
> commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
> 
> The hci_sock_dev_event() function will cleanup the hdev object for
> sockets even if this object may still be in used within the
> hci_sock_bound_ioctl() function, result in UAF vulnerability.
> 
> This patch replace the BH context lock to serialize these affairs
> and prevent the race condition.
> 
> Signed-off-by: Lin Ma <linma@zju.edu.cn>
> Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> ---
>  net/bluetooth/hci_sock.c |    4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> --- a/net/bluetooth/hci_sock.c
> +++ b/net/bluetooth/hci_sock.c
> @@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *
>  		/* Detach sockets from device */
>  		read_lock(&hci_sk_list.lock);
>  		sk_for_each(sk, &hci_sk_list.head) {
> -			bh_lock_sock_nested(sk);
> +			lock_sock(sk);
>  			if (hci_pi(sk)->hdev == hdev) {
>  				hci_pi(sk)->hdev = NULL;
>  				sk->sk_err = EPIPE;
> @@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *
>  
>  				hci_dev_put(hdev);
>  			}
> -			bh_unlock_sock(sk);
> +			release_sock(sk);
>  		}
>  		read_unlock(&hci_sk_list.lock);
>  	}
> 
> 


This patch is buggy.

lock_sock() can sleep.

But the read_lock(&hci_sk_list.lock) two lines before is not going to allow the sleep.

Hmmm ?



^ permalink raw reply	[flat|nested] 87+ messages in thread

* Re: [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object
  2021-06-14 14:15   ` Eric Dumazet
@ 2021-06-16 15:01     ` Greg Kroah-Hartman
  0 siblings, 0 replies; 87+ messages in thread
From: Greg Kroah-Hartman @ 2021-06-16 15:01 UTC (permalink / raw)
  To: Eric Dumazet, Lin Ma, Marcel Holtmann; +Cc: linux-kernel, stable

On Mon, Jun 14, 2021 at 04:15:02PM +0200, Eric Dumazet wrote:
> 
> 
> On 6/8/21 8:27 PM, Greg Kroah-Hartman wrote:
> > From: Lin Ma <linma@zju.edu.cn>
> > 
> > commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 upstream.
> > 
> > The hci_sock_dev_event() function will cleanup the hdev object for
> > sockets even if this object may still be in used within the
> > hci_sock_bound_ioctl() function, result in UAF vulnerability.
> > 
> > This patch replace the BH context lock to serialize these affairs
> > and prevent the race condition.
> > 
> > Signed-off-by: Lin Ma <linma@zju.edu.cn>
> > Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > ---
> >  net/bluetooth/hci_sock.c |    4 ++--
> >  1 file changed, 2 insertions(+), 2 deletions(-)
> > 
> > --- a/net/bluetooth/hci_sock.c
> > +++ b/net/bluetooth/hci_sock.c
> > @@ -755,7 +755,7 @@ void hci_sock_dev_event(struct hci_dev *
> >  		/* Detach sockets from device */
> >  		read_lock(&hci_sk_list.lock);
> >  		sk_for_each(sk, &hci_sk_list.head) {
> > -			bh_lock_sock_nested(sk);
> > +			lock_sock(sk);
> >  			if (hci_pi(sk)->hdev == hdev) {
> >  				hci_pi(sk)->hdev = NULL;
> >  				sk->sk_err = EPIPE;
> > @@ -764,7 +764,7 @@ void hci_sock_dev_event(struct hci_dev *
> >  
> >  				hci_dev_put(hdev);
> >  			}
> > -			bh_unlock_sock(sk);
> > +			release_sock(sk);
> >  		}
> >  		read_unlock(&hci_sk_list.lock);
> >  	}
> > 
> > 
> 
> 
> This patch is buggy.
> 
> lock_sock() can sleep.
> 
> But the read_lock(&hci_sk_list.lock) two lines before is not going to allow the sleep.
> 
> Hmmm ?
> 
> 

Odd, Lin, did you see any problems with your testing of this?



^ permalink raw reply	[flat|nested] 87+ messages in thread

end of thread, other threads:[~2021-06-16 15:01 UTC | newest]

Thread overview: 87+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-08 18:26 [PATCH 5.4 00/78] 5.4.125-rc1 review Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 01/78] btrfs: tree-checker: do not error out if extent ref hash doesnt match Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 02/78] net: usb: cdc_ncm: dont spew notifications Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 03/78] ALSA: usb: update old-style static const declaration Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 04/78] nl80211: validate key indexes for cfg80211_registered_device Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 05/78] hwmon: (dell-smm-hwmon) Fix index values Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 06/78] netfilter: conntrack: unregister ipv4 sockopts on error unwind Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 07/78] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 08/78] efi: cper: fix snprintf() use in cper_dimm_err_location() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 09/78] vfio/pci: Fix error return code in vfio_ecap_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 10/78] vfio/pci: zap_vma_ptes() needs MMU Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 11/78] samples: vfio-mdev: fix error handing in mdpy_fb_probe() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 12/78] vfio/platform: fix module_put call in error flow Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 13/78] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 14/78] HID: pidff: fix error return code in hid_pidff_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 15/78] HID: i2c-hid: fix format string mismatch Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 16/78] net/sched: act_ct: Fix ct template allocation for zone 0 Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 17/78] ACPICA: Clean up context mutex during object deletion Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 18/78] netfilter: nft_ct: skip expectations for confirmed conntrack Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 19/78] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 20/78] ieee802154: fix error return code in ieee802154_add_iface() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 21/78] ieee802154: fix error return code in ieee802154_llsec_getparams() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 22/78] ixgbevf: add correct exception tracing for XDP Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 23/78] ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 24/78] ice: write register with correct offset Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 25/78] ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 26/78] ice: Allow all LLDP packets from PF to Tx Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 27/78] i2c: qcom-geni: Add shutdown callback for i2c Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 28/78] i40e: optimize for XDP_REDIRECT in xsk path Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 29/78] i40e: add correct exception tracing for XDP Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 5.4 30/78] arm64: dts: ls1028a: fix memory node Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 31/78] arm64: dts: zii-ultra: fix 12V_MAIN voltage Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 32/78] ARM: dts: imx7d-meerkat96: Fix the tuning-step property Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 33/78] ARM: dts: imx7d-pico: " Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 34/78] ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 35/78] bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 36/78] tipc: add extack messages for bearer/media failure Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 37/78] tipc: fix unique bearer names sanity check Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 38/78] Bluetooth: fix the erroneous flush_work() order Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 39/78] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
2021-06-14 14:15   ` Eric Dumazet
2021-06-16 15:01     ` Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 40/78] net: caif: added cfserl_release function Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 41/78] net: caif: add proper error handling Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 42/78] net: caif: fix memory leak in caif_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 43/78] net: caif: fix memory leak in cfusbl_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 44/78] HID: i2c-hid: Skip ELAN power-on command after reset Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 45/78] HID: magicmouse: fix NULL-deref on disconnect Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 46/78] HID: multitouch: require Finger field to mark Win8 reports as MT Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 47/78] ALSA: timer: Fix master timer notification Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 48/78] ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 49/78] ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 50/78] ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 51/78] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 52/78] usb: dwc2: Fix build in periphal-only mode Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 53/78] pid: take a reference when initializing `cad_pid` Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 54/78] ocfs2: fix data corruption by fallocate Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 55/78] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 56/78] drm/amdgpu: Dont query CE and UE errors Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 57/78] drm/amdgpu: make sure we unpin the UVD BO Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 58/78] x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 59/78] btrfs: mark ordered extent and inode with error if we fail to finish Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 60/78] btrfs: fix error handling in btrfs_del_csums Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 61/78] btrfs: return errors from btrfs_del_csums in cleanup_ref_head Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 62/78] btrfs: fixup error handling in fixup_inode_link_counts Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 63/78] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 64/78] bnxt_en: Remove the setting of dev_port Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 65/78] mm: add thp_order Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 66/78] XArray: add xa_get_order Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 67/78] XArray: add xas_split Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 68/78] mm/filemap: fix storing to a THP shadow entry Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 69/78] btrfs: fix unmountable seed device after fstrim Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 70/78] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 71/78] KVM: arm64: Fix debug register indexing Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 72/78] x86/kvm: Teardown PV features on boot CPU as well Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 73/78] x86/kvm: Disable kvmclock on all CPUs on shutdown Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 74/78] x86/kvm: Disable all PV features on crash Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 75/78] lib/lz4: explicitly support in-place decompression Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 76/78] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 77/78] i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 5.4 78/78] neighbour: allow NUD_NOARP entries to be forced GCed Greg Kroah-Hartman
2021-06-09  2:55 ` [PATCH 5.4 00/78] 5.4.125-rc1 review Shuah Khan
2021-06-09  9:33 ` Jon Hunter
2021-06-09 10:15 ` Naresh Kamboju
2021-06-09 18:40 ` Florian Fainelli
2021-06-09 18:49 ` Guenter Roeck
2021-06-10  9:01 ` Sudip Mukherjee

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.