linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 5.14 000/125] 5.14.16-rc1 review
@ 2021-11-01  9:16 Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 001/125] ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images Greg Kroah-Hartman
                   ` (128 more replies)
  0 siblings, 129 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.14.16 release.
There are 125 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.14.16-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.14.16-rc1

David Woodhouse <dwmw@amazon.co.uk>
    KVM: x86: Take srcu lock in post_kvm_run_save()

Paolo Bonzini <pbonzini@redhat.com>
    KVM: SEV-ES: fix another issue with string I/O VMGEXITs

David Woodhouse <dwmw@amazon.co.uk>
    KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock

David Woodhouse <dwmw@amazon.co.uk>
    KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block()

Song Liu <songliubraving@fb.com>
    perf script: Check session->header.env.arch before using it

Alexandre Ghiti <alexandre.ghiti@canonical.com>
    riscv: Fix asan-stack clang build

Alexandre Ghiti <alexandre.ghiti@canonical.com>
    riscv: Do not re-populate shadow memory with kasan_populate_early_shadow

Chen Lu <181250012@smail.nju.edu.cn>
    riscv: fix misalgned trap vector base address

Brian King <brking@linux.vnet.ibm.com>
    scsi: ibmvfc: Fix up duplicate response detection

Kan Liang <kan.liang@linux.intel.com>
    perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support

Chanho Park <chanho61.park@samsung.com>
    scsi: ufs: ufs-exynos: Correct timeout value setting registers

Halil Pasic <pasic@linux.ibm.com>
    KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu

Halil Pasic <pasic@linux.ibm.com>
    KVM: s390: clear kicked_mask before sleeping again

Subbaraya Sundeep <sbhatta@marvell.com>
    octeontx2-af: Check whether ipolicers exists

Vincent Whitchurch <vincent.whitchurch@axis.com>
    virtio-ring: fix DMA metadata flags

Guangbin Huang <huangguangbin2@huawei.com>
    net: hns3: expand buffer len for some debugfs command

Jie Wang <wangjie125@huawei.com>
    net: hns3: add more string spaces for dumping packets number of queue info in debugfs

Tejun Heo <tj@kernel.org>
    bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of CONFIG_NET

Jamie Iles <quic_jiles@quicinc.com>
    watchdog: sbsa: only use 32-bit accessors

Stanislav Fomichev <sdf@google.com>
    bpf: Use kvmalloc for map values in syscall

Xin Long <lucien.xin@gmail.com>
    sctp: add vtag check in sctp_sf_ootb

Xin Long <lucien.xin@gmail.com>
    sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

Xin Long <lucien.xin@gmail.com>
    sctp: add vtag check in sctp_sf_violation

Xin Long <lucien.xin@gmail.com>
    sctp: fix the processing for COOKIE_ECHO chunk

Xin Long <lucien.xin@gmail.com>
    sctp: fix the processing for INIT_ACK chunk

Xin Long <lucien.xin@gmail.com>
    sctp: fix the processing for INIT chunk

Xin Long <lucien.xin@gmail.com>
    sctp: use init_tag from inithdr for ABORT chunk

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Do not hold qos mutex twice on QP resume

Mustafa Ismail <mustafa.ismail@intel.com>
    RDMA/irdma: Set VLAN in UD work completion correctly

Shiraz Saleem <shiraz.saleem@intel.com>
    RDMA/irdma: Process extended CQ entries correctly

Andrew Lunn <andrew@lunn.ch>
    phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings

Andrew Lunn <andrew@lunn.ch>
    phy: phy_start_aneg: Add an unlocked version

Andrew Lunn <andrew@lunn.ch>
    phy: phy_ethtool_ksettings_set: Move after phy_start_aneg

Andrew Lunn <andrew@lunn.ch>
    phy: phy_ethtool_ksettings_get: Lock the phy for consistency

Daniel Jordan <daniel.m.jordan@oracle.com>
    net/tls: Fix flipped sign in async_wait.err assignment

Yuiko Oshino <yuiko.oshino@microchip.com>
    net: ethernet: microchip: lan743x: Fix skb allocation failure

Jie Wang <wangjie125@huawei.com>
    net: hns3: fix data endian problem of some functions of debugfs

Guangbin Huang <huangguangbin2@huawei.com>
    net: hns3: fix pause config problem after autoneg disabled

Trevor Woerner <twoerner@gmail.com>
    net: nxp: lpc_eth.c: avoid hang when bringing interface down

Yuiko Oshino <yuiko.oshino@microchip.com>
    net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent

Yuiko Oshino <yuiko.oshino@microchip.com>
    net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails

Ido Schimmel <idosch@nvidia.com>
    mlxsw: pci: Recycle received packet upon allocation failure

Guenter Roeck <linux@roeck-us.net>
    nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST

Jonas Gorski <jonas.gorski@gmail.com>
    gpio: xgs-iproc: fix parsing of ngpios property

Mark Zhang <markzhang@nvidia.com>
    RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string

Aharon Landau <aharonl@nvidia.com>
    RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR

Michael Chan <michael.chan@broadcom.com>
    net: Prevent infinite while loop in skb_tx_hash()

Janusz Dziedzic <janusz.dziedzic@gmail.com>
    cfg80211: correct bridge/4addr mode check

Xin Long <lucien.xin@gmail.com>
    net-sysfs: initialize uid and gid before calling net_ns_get_ownership

Pavel Skripkin <paskripkin@gmail.com>
    net: batman-adv: fix error handling

Yang Yingliang <yangyingliang@huawei.com>
    regmap: Fix possible double-free in regcache_rbtree_exit()

Jim Quinlan <jim2101024@gmail.com>
    reset: brcmstb-rescal: fix incorrect polarity of status bit

Clément Bœsch <u@pkh.me>
    arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node

Yongxin Liu <yongxin.liu@windriver.com>
    ice: check whether PTP is initialized in ice_ptp_release()

Patrisious Haddad <phaddad@nvidia.com>
    RDMA/mlx5: Set user priority for DCT

Dave Ertman <david.m.ertman@intel.com>
    ice: Respond to a NETDEV_UNREGISTER event for LAG

Rakesh Babu Saladi <rsaladi2@marvell.com>
    octeontx2-af: Fix possible null pointer dereference.

Rakesh Babu <rsaladi2@marvell.com>
    octeontx2-af: Display all enabled PF VF rsrc_alloc entries.

Varun Prakash <varun@chelsio.com>
    nvme-tcp: fix possible req->offset corruption

Varun Prakash <varun@chelsio.com>
    nvme-tcp: fix data digest pointer calculation

Varun Prakash <varun@chelsio.com>
    nvmet-tcp: fix data digest pointer calculation

Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    IB/hfi1: Fix abba locking issue with sc_disable()

Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
    IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields

Xu Kuohai <xukuohai@huawei.com>
    bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch()

Toke Høiland-Jørgensen <toke@redhat.com>
    bpf: Fix potential race in tail call compatibility check

Liu Jian <liujian56@huawei.com>
    tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function

Björn Töpel <bjorn@kernel.org>
    riscv, bpf: Fix potential NULL dereference

Quanyang Wang <quanyang.wang@windriver.com>
    cgroup: Fix memory leak caused by missing cgroup_bpf_offline

Guenter Roeck <linux@roeck-us.net>
    Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Fix deadlock when falling back to v2 from v3

Michael Strauss <michael.strauss@amd.com>
    drm/amd/display: Fallback to clocks which meet requested voltage on DCN31

Jake Wang <haonan.wang2@amd.com>
    drm/amd/display: Moved dccg init to after bios golden init

Nikola Cornij <nikola.cornij@amd.com>
    drm/amd/display: Increase watermark latencies for DCN3.1

Eric Yang <Eric.Yang2@amd.com>
    drm/amd/display: increase Z9 latency to workaround underflow in Z9

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1

Nikola Cornij <nikola.cornij@amd.com>
    drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1

Aaron Liu <aaron.liu@amd.com>
    drm/amdgpu: support B0&B1 external revision id for yellow carp

Thelford Williams <tdwilliamsiv@gmail.com>
    drm/amdgpu: fix out of bounds write

Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
    drm/amdgpu: Fix even more out of bound writes from debugfs

Imre Deak <imre.deak@intel.com>
    drm/i915/dp: Skip the HW readout of DPCD on disabled encoders

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Catch yet another unconditioal clflush

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915: Convert unconditional clflush to drm_clflush_virt_range()

Christian König <christian.koenig@amd.com>
    drm/ttm: fix memleak in ttm_transfered_destroy

Johannes Berg <johannes.berg@intel.com>
    mac80211: mesh: fix HE operation element length check

Frieder Schrempf <frieder.schrempf@kontron.de>
    arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are correct

Frieder Schrempf <frieder.schrempf@kontron.de>
    arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV

Frieder Schrempf <frieder.schrempf@kontron.de>
    arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY

Frieder Schrempf <frieder.schrempf@kontron.de>
    arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency

Frieder Schrempf <frieder.schrempf@kontron.de>
    arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2

Yang Shi <shy828301@gmail.com>
    mm: khugepaged: skip huge page collapse for special files

Rongwei Wang <rongwei.wang@linux.alibaba.com>
    mm, thp: bail out early in collapse_file for writeback page

Yang Shi <shy828301@gmail.com>
    mm: filemap: check if THP has hwpoisoned subpage for PMD page fault

Yang Shi <shy828301@gmail.com>
    mm: hwpoison: remove the unnecessary THP check

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Require immediate flip support for DCN3.1 planes

Johan Hovold <johan@kernel.org>
    net: lan78xx: fix division by zero in send path

Johannes Berg <johannes.berg@intel.com>
    cfg80211: fix management registrations locking

Johannes Berg <johannes.berg@intel.com>
    cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()

Steven Rostedt (VMware) <rostedt@goodmis.org>
    ftrace/nds32: Update the proto for ftrace_trace_function to match ftrace_stub

Sagi Grimberg <sagi@grimberg.me>
    nvme-tcp: fix H2CData PDU send accounting (again)

Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
    ocfs2: fix race between searching chunks and release journal_head from buffer_head

Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    block: Fix partition check for host-aware zoned block devices

Haibo Chen <haibo.chen@nxp.com>
    mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield

Shawn Guo <shawn.guo@linaro.org>
    mmc: sdhci: Map more voltage level to SDHCI_POWER_330

Jaehoon Chung <jh80.chung@samsung.com>
    mmc: dw_mmc: exynos: fix the finding clock sample value

Wolfram Sang <wsa+renesas@sang-engineering.com>
    mmc: tmio: reenable card irqs after the reset callback

Wenbin Mei <wenbin.mei@mediatek.com>
    mmc: mediatek: Move cqhci init behind ungate clock

Wenbin Mei <wenbin.mei@mediatek.com>
    mmc: cqhci: clear HALT state after CQE enable

Johan Hovold <johan@kernel.org>
    mmc: vub300: fix control-message timeouts

Daniel Jordan <daniel.m.jordan@oracle.com>
    net/tls: Fix flipped sign in tls_err_abort() calls

Pavel Skripkin <paskripkin@gmail.com>
    Revert "net: mdiobus: Fix memory leak in __mdiobus_register"

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    nfc: port100: fix using -ERRNO as command type mask

Max VA <maxv@sentinelone.com>
    tipc: fix size validations for the MSG_CRYPTO type

Zheyu Ma <zheyuma97@gmail.com>
    ata: sata_mv: Fix the error handling of mv_chip_id()

Sachi King <nakato@nakato.io>
    pinctrl: amd: disable and mask interrupts on probe

Rafał Miłecki <rafal@milecki.pl>
    Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"

Wang Hai <wanghai38@huawei.com>
    usbnet: fix error return code in usbnet_probe()

Oliver Neukum <oneukum@suse.com>
    usbnet: sanity check for maxpacket

LABBE Corentin <clabbe.montjoie@gmail.com>
    ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S

Arnd Bergmann <arnd@arndb.de>
    ARM: 9141/1: only warn about XIP address when not compile testing

Arnd Bergmann <arnd@arndb.de>
    ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype

Arnd Bergmann <arnd@arndb.de>
    ARM: 9138/1: fix link warning with XIP + frame-pointer

Arnd Bergmann <arnd@arndb.de>
    ARM: 9134/1: remove duplicate memcpy() definition

Nick Desaulniers <ndesaulniers@google.com>
    ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned

Lexi Shao <shaolexi@huawei.com>
    ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images


-------------

Diffstat:

 Makefile                                           |   4 +-
 arch/arm/boot/compressed/decompress.c              |   3 +
 arch/arm/include/asm/uaccess.h                     |   4 +-
 arch/arm/kernel/head.S                             |   4 +-
 arch/arm/kernel/vmlinux-xip.lds.S                  |   6 +-
 arch/arm/mm/proc-macros.S                          |   1 +
 arch/arm/probes/kprobes/core.c                     |   2 +-
 .../boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts   |   2 +-
 .../boot/dts/freescale/imx8mm-kontron-n801x-s.dts  |   8 +-
 .../dts/freescale/imx8mm-kontron-n801x-som.dtsi    |   8 +-
 arch/nds32/kernel/ftrace.c                         |   2 +-
 arch/nios2/platform/Kconfig.platform               |   1 +
 arch/riscv/Kconfig                                 |   6 +
 arch/riscv/include/asm/kasan.h                     |   3 +-
 arch/riscv/kernel/head.S                           |   1 +
 arch/riscv/mm/kasan_init.c                         |  14 +-
 arch/riscv/net/bpf_jit_core.c                      |   3 +-
 arch/s390/kvm/interrupt.c                          |   5 +-
 arch/s390/kvm/kvm-s390.c                           |   1 +
 arch/x86/include/asm/kvm_host.h                    |   2 +-
 arch/x86/kvm/svm/sev.c                             |  15 ++-
 arch/x86/kvm/x86.c                                 |  36 +++--
 arch/x86/kvm/xen.c                                 |  27 +++-
 block/blk-settings.c                               |  20 ++-
 drivers/ata/sata_mv.c                              |   4 +-
 drivers/base/regmap/regcache-rbtree.c              |   7 +-
 drivers/gpio/gpio-xgs-iproc.c                      |   2 +-
 drivers/gpu/drm/amd/amdgpu/nv.c                    |   2 +-
 .../drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c  |  20 +--
 .../amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c   |  29 ++--
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c |   7 +-
 .../gpu/drm/amd/display/dc/dcn31/dcn31_resource.c  |  13 +-
 .../amd/display/dc/dml/dcn31/display_mode_vba_31.c |   6 +-
 drivers/gpu/drm/amd/display/include/dal_asic_id.h  |   2 +-
 .../gpu/drm/amd/display/modules/hdcp/hdcp_psp.c    |   6 +-
 drivers/gpu/drm/i915/display/intel_dp.c            |   3 +
 drivers/gpu/drm/i915/gt/intel_timeline.c           |   4 +-
 drivers/gpu/drm/ttm/ttm_bo_util.c                  |   1 +
 drivers/infiniband/core/sa_query.c                 |   5 +-
 drivers/infiniband/hw/hfi1/pio.c                   |   9 +-
 drivers/infiniband/hw/irdma/uk.c                   |   4 +-
 drivers/infiniband/hw/irdma/verbs.c                |   8 +-
 drivers/infiniband/hw/irdma/ws.c                   |  13 +-
 drivers/infiniband/hw/mlx5/mr.c                    |   2 +-
 drivers/infiniband/hw/mlx5/qp.c                    |   2 +
 drivers/infiniband/hw/qib/qib_user_sdma.c          |  33 +++--
 drivers/mmc/host/cqhci-core.c                      |   3 +
 drivers/mmc/host/dw_mmc-exynos.c                   |  14 ++
 drivers/mmc/host/mtk-sd.c                          |  38 +++---
 drivers/mmc/host/sdhci-esdhc-imx.c                 |  16 +++
 drivers/mmc/host/sdhci-pci-core.c                  |  29 +++-
 drivers/mmc/host/sdhci.c                           |   6 +
 drivers/mmc/host/tmio_mmc_core.c                   |  17 ++-
 drivers/mmc/host/vub300.c                          |  18 +--
 drivers/net/ethernet/hisilicon/hns3/hnae3.h        |   1 +
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c |  10 +-
 drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c |  33 +++--
 .../ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c |  30 ++---
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c    |  30 +++++
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c  |   2 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h  |   1 +
 drivers/net/ethernet/intel/ice/ice_lag.c           |  18 +--
 drivers/net/ethernet/intel/ice/ice_ptp.c           |   3 +
 .../ethernet/marvell/octeontx2/af/rvu_debugfs.c    | 148 ++++++++++++++++-----
 .../net/ethernet/marvell/octeontx2/af/rvu_nix.c    |   3 +
 drivers/net/ethernet/mellanox/mlxsw/pci.c          |  25 ++--
 drivers/net/ethernet/microchip/lan743x_main.c      |  35 ++++-
 drivers/net/ethernet/nxp/lpc_eth.c                 |   5 +-
 drivers/net/phy/mdio_bus.c                         |   1 -
 drivers/net/phy/phy.c                              | 140 +++++++++++--------
 drivers/net/usb/lan78xx.c                          |   6 +
 drivers/net/usb/usbnet.c                           |   5 +
 drivers/nfc/port100.c                              |   4 +-
 drivers/nvme/host/tcp.c                            |   9 +-
 drivers/nvme/target/tcp.c                          |   2 +-
 drivers/pinctrl/bcm/pinctrl-ns.c                   |  29 ++--
 drivers/pinctrl/pinctrl-amd.c                      |  31 +++++
 drivers/reset/reset-brcmstb-rescal.c               |   2 +-
 drivers/scsi/ibmvscsi/ibmvfc.c                     |   3 +-
 drivers/scsi/ufs/ufs-exynos.c                      |   6 +-
 drivers/virtio/virtio_ring.c                       |   2 +-
 drivers/watchdog/iTCO_wdt.c                        |  12 +-
 drivers/watchdog/sbsa_gwdt.c                       |   4 +-
 fs/ocfs2/suballoc.c                                |  22 +--
 include/linux/bpf.h                                |   7 +-
 include/linux/bpf_types.h                          |   8 +-
 include/linux/page-flags.h                         |  23 ++++
 include/net/cfg80211.h                             |   2 -
 include/net/tls.h                                  |   9 +-
 kernel/bpf/arraymap.c                              |   1 +
 kernel/bpf/core.c                                  |  20 ++-
 kernel/bpf/syscall.c                               |  39 +++---
 kernel/cgroup/cgroup.c                             |   4 +-
 mm/huge_memory.c                                   |   2 +
 mm/khugepaged.c                                    |  26 ++--
 mm/memory-failure.c                                |  28 ++--
 mm/memory.c                                        |   9 ++
 mm/page_alloc.c                                    |   4 +-
 net/batman-adv/bridge_loop_avoidance.c             |   8 +-
 net/batman-adv/main.c                              |  56 +++++---
 net/batman-adv/network-coding.c                    |   4 +-
 net/batman-adv/translation-table.c                 |   4 +-
 net/core/dev.c                                     |   6 +
 net/core/net-sysfs.c                               |   4 +-
 net/ipv4/tcp_bpf.c                                 |  12 ++
 net/mac80211/mesh.c                                |   9 +-
 net/sctp/sm_statefuns.c                            | 139 +++++++++++--------
 net/tipc/crypto.c                                  |  32 +++--
 net/tls/tls_sw.c                                   |  19 ++-
 net/wireless/core.c                                |   2 +-
 net/wireless/core.h                                |   2 +
 net/wireless/mlme.c                                |  26 ++--
 net/wireless/scan.c                                |   7 +-
 net/wireless/util.c                                |  14 +-
 tools/perf/builtin-script.c                        |  14 +-
 115 files changed, 1098 insertions(+), 565 deletions(-)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 001/125] ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 002/125] ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lexi Shao, Russell King (Oracle)

From: Lexi Shao <shaolexi@huawei.com>

commit df909df0770779f1a5560c2bb641a2809655ef28 upstream.

ARM: kasan: Fix __get_user_check failure with kasan

In macro __get_user_check defined in arch/arm/include/asm/uaccess.h,
error code is store in register int __e(r0). When kasan is
enabled, assigning value to kernel address might trigger kasan check,
which unexpectedly overwrites r0 and causes undefined behavior on arm
kasan images.

One example is failure in do_futex and results in process soft lockup.
Log:
watchdog: BUG: soft lockup - CPU#0 stuck for 62946ms! [rs:main
Q:Reg:1151]
...
(__asan_store4) from (futex_wait_setup+0xf8/0x2b4)
(futex_wait_setup) from (futex_wait+0x138/0x394)
(futex_wait) from (do_futex+0x164/0xe40)
(do_futex) from (sys_futex_time32+0x178/0x230)
(sys_futex_time32) from (ret_fast_syscall+0x0/0x50)

The soft lockup happens in function futex_wait_setup. The reason is
function get_futex_value_locked always return EINVAL, thus pc jump
back to retry label and causes looping.

This line in function get_futex_value_locked
	ret = __get_user(*dest, from);
is expanded to
	*dest = (typeof(*(p))) __r2; ,
in macro __get_user_check. Writing to pointer dest triggers kasan check
and overwrites the return value of __get_user_x function.
The assembly code of get_futex_value_locked in kernel/futex.c:
...
c01f6dc8:       eb0b020e        bl      c04b7608 <__get_user_4>
// "x = (typeof(*(p))) __r2;" triggers kasan check and r0 is overwritten
c01f6dCc:       e1a00007        mov     r0, r7
c01f6dd0:       e1a05002        mov     r5, r2
c01f6dd4:       eb04f1e6        bl      c0333574 <__asan_store4>
c01f6dd8:       e5875000        str     r5, [r7]
// save ret value of __get_user(*dest, from), which is dest address now
c01f6ddc:       e1a05000        mov     r5, r0
...
// checking return value of __get_user failed
c01f6e00:       e3550000        cmp     r5, #0
...
c01f6e0c:       01a00005        moveq   r0, r5
// assign return value to EINVAL
c01f6e10:       13e0000d        mvnne   r0, #13

Return value is the destination address of get_user thus certainly
non-zero, so get_futex_value_locked always return EINVAL.

Fix it by using a tmp vairable to store the error code before the
assignment. This fix has no effects to non-kasan images thanks to compiler
optimization. It only affects cases that overwrite r0 due to kasan check.

This should fix bug discussed in Link:
[1] https://lore.kernel.org/linux-arm-kernel/0ef7c2a5-5d8b-c5e0-63fa-31693fd4495c@gmail.com/

Fixes: 421015713b30 ("ARM: 9017/2: Enable KASan for ARM")
Signed-off-by: Lexi Shao <shaolexi@huawei.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/include/asm/uaccess.h |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm/include/asm/uaccess.h
+++ b/arch/arm/include/asm/uaccess.h
@@ -200,6 +200,7 @@ extern int __get_user_64t_4(void *);
 		register unsigned long __l asm("r1") = __limit;		\
 		register int __e asm("r0");				\
 		unsigned int __ua_flags = uaccess_save_and_enable();	\
+		int __tmp_e;						\
 		switch (sizeof(*(__p))) {				\
 		case 1:							\
 			if (sizeof((x)) >= 8)				\
@@ -227,9 +228,10 @@ extern int __get_user_64t_4(void *);
 			break;						\
 		default: __e = __get_user_bad(); break;			\
 		}							\
+		__tmp_e = __e;						\
 		uaccess_restore(__ua_flags);				\
 		x = (typeof(*(p))) __r2;				\
-		__e;							\
+		__tmp_e;						\
 	})
 
 #define get_user(x, p)							\



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 002/125] ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 001/125] ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 003/125] ARM: 9134/1: remove duplicate memcpy() definition Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel, Nick Desaulniers,
	Nathan Chancellor, Russell King (Oracle),
	Richard Henderson

From: Nick Desaulniers <ndesaulniers@google.com>

commit e6a0c958bdf9b2e1b57501fc9433a461f0a6aadd upstream.

A kernel built with CONFIG_THUMB2_KERNEL=y and using clang as the
assembler could generate non-naturally-aligned v7wbi_tlb_fns which
results in a boot failure. The original commit adding the macro missed
the .align directive on this data.

Link: https://github.com/ClangBuiltLinux/linux/issues/1447
Link: https://lore.kernel.org/all/0699da7b-354f-aecc-a62f-e25693209af4@linaro.org/
Debugged-by: Ard Biesheuvel <ardb@kernel.org>
Debugged-by: Nathan Chancellor <nathan@kernel.org>
Debugged-by: Richard Henderson <richard.henderson@linaro.org>

Fixes: 66a625a88174 ("ARM: mm: proc-macros: Add generic proc/cache/tlb struct definition macros")
Suggested-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/mm/proc-macros.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/arm/mm/proc-macros.S
+++ b/arch/arm/mm/proc-macros.S
@@ -340,6 +340,7 @@ ENTRY(\name\()_cache_fns)
 
 .macro define_tlb_functions name:req, flags_up:req, flags_smp
 	.type	\name\()_tlb_fns, #object
+	.align 2
 ENTRY(\name\()_tlb_fns)
 	.long	\name\()_flush_user_tlb_range
 	.long	\name\()_flush_kern_tlb_range



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 003/125] ARM: 9134/1: remove duplicate memcpy() definition
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 001/125] ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 002/125] ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 004/125] ARM: 9138/1: fix link warning with XIP + frame-pointer Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Linus Walleij,
	Arnd Bergmann, Russell King (Oracle)

From: Arnd Bergmann <arnd@arndb.de>

commit eaf6cc7165c9c5aa3c2f9faa03a98598123d0afb upstream.

Both the decompressor code and the kasan logic try to override
the memcpy() and memmove()  definitions, which leading to a clash
in a KASAN-enabled kernel with XZ decompression:

arch/arm/boot/compressed/decompress.c:50:9: error: 'memmove' macro redefined [-Werror,-Wmacro-redefined]
 #define memmove memmove
        ^
arch/arm/include/asm/string.h:59:9: note: previous definition is here
 #define memmove(dst, src, len) __memmove(dst, src, len)
        ^
arch/arm/boot/compressed/decompress.c:51:9: error: 'memcpy' macro redefined [-Werror,-Wmacro-redefined]
 #define memcpy memcpy
        ^
arch/arm/include/asm/string.h:58:9: note: previous definition is here
 #define memcpy(dst, src, len) __memcpy(dst, src, len)
        ^

Here we want the set of functions from the decompressor, so undefine
the other macros before the override.

Link: https://lore.kernel.org/linux-arm-kernel/CACRpkdZYJogU_SN3H9oeVq=zJkRgRT1gDz3xp59gdqWXxw-B=w@mail.gmail.com/
Link: https://lore.kernel.org/lkml/202105091112.F5rmd4By-lkp@intel.com/

Fixes: d6d51a96c7d6 ("ARM: 9014/2: Replace string mem* functions for KASan")
Fixes: a7f464f3db93 ("ARM: 7001/2: Wire up support for the XZ decompressor")
Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/compressed/decompress.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/arch/arm/boot/compressed/decompress.c
+++ b/arch/arm/boot/compressed/decompress.c
@@ -47,7 +47,10 @@ extern char * strchrnul(const char *, in
 #endif
 
 #ifdef CONFIG_KERNEL_XZ
+/* Prevent KASAN override of string helpers in decompressor */
+#undef memmove
 #define memmove memmove
+#undef memcpy
 #define memcpy memcpy
 #include "../../../../lib/decompress_unxz.c"
 #endif



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 004/125] ARM: 9138/1: fix link warning with XIP + frame-pointer
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 003/125] ARM: 9134/1: remove duplicate memcpy() definition Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 005/125] ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Arnd Bergmann,
	Russell King (Oracle)

From: Arnd Bergmann <arnd@arndb.de>

commit 44cc6412e66b2b84544eaf2e14cf1764301e2a80 upstream.

When frame pointers are used instead of the ARM unwinder,
and the kernel is built using clang with an external assembler
and CONFIG_XIP_KERNEL, every file produces two warnings
like:

arm-linux-gnueabi-ld: warning: orphan section `.ARM.extab' from `net/mac802154/util.o' being placed in section `.ARM.extab'
arm-linux-gnueabi-ld: warning: orphan section `.ARM.exidx' from `net/mac802154/util.o' being placed in section `.ARM.exidx'

The same fix was already merged for the normal (non-XIP)

linker script, with a longer description.

Fixes: c39866f268f8 ("arm/build: Always handle .ARM.exidx and .ARM.extab sections")
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/vmlinux-xip.lds.S |    4 ++++
 1 file changed, 4 insertions(+)

--- a/arch/arm/kernel/vmlinux-xip.lds.S
+++ b/arch/arm/kernel/vmlinux-xip.lds.S
@@ -40,6 +40,10 @@ SECTIONS
 		ARM_DISCARD
 		*(.alt.smp.init)
 		*(.pv_table)
+#ifndef CONFIG_ARM_UNWIND
+		*(.ARM.exidx) *(.ARM.exidx.*)
+		*(.ARM.extab) *(.ARM.extab.*)
+#endif
 	}
 
 	. = XIP_VIRT_ADDR(CONFIG_XIP_PHYS_ADDR);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 005/125] ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 004/125] ARM: 9138/1: fix link warning with XIP + frame-pointer Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 006/125] ARM: 9141/1: only warn about XIP address when not compile testing Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu, Arnd Bergmann,
	Russell King (Oracle)

From: Arnd Bergmann <arnd@arndb.de>

commit 1f323127cab086e4fd618981b1e5edc396eaf0f4 upstream.

With extra warnings enabled, gcc complains about this function
definition:

arch/arm/probes/kprobes/core.c: In function 'arch_init_kprobes':
arch/arm/probes/kprobes/core.c:465:12: warning: old-style function definition [-Wold-style-definition]
  465 | int __init arch_init_kprobes()

Link: https://lore.kernel.org/all/20201027093057.c685a14b386acacb3c449e3d@kernel.org/

Fixes: 24ba613c9d6c ("ARM kprobes: core code")
Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/probes/kprobes/core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/probes/kprobes/core.c
+++ b/arch/arm/probes/kprobes/core.c
@@ -439,7 +439,7 @@ static struct undef_hook kprobes_arm_bre
 
 #endif /* !CONFIG_THUMB2_KERNEL */
 
-int __init arch_init_kprobes()
+int __init arch_init_kprobes(void)
 {
 	arm_probes_decode_init();
 #ifdef CONFIG_THUMB2_KERNEL



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 006/125] ARM: 9141/1: only warn about XIP address when not compile testing
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 005/125] ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 007/125] ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Russell King (Oracle)

From: Arnd Bergmann <arnd@arndb.de>

commit 48ccc8edf5b90622cdc4f8878e0042ab5883e2ca upstream.

In randconfig builds, we sometimes come across this warning:

arm-linux-gnueabi-ld: XIP start address may cause MPU programming issues

While this is helpful for actual systems to figure out why it
fails, the warning does not provide any benefit for build testing,
so guard it in a check for CONFIG_COMPILE_TEST, which is usually
set on randconfig builds.

Fixes: 216218308cfb ("ARM: 8713/1: NOMMU: Support MPU in XIP configuration")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/vmlinux-xip.lds.S |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/kernel/vmlinux-xip.lds.S
+++ b/arch/arm/kernel/vmlinux-xip.lds.S
@@ -176,7 +176,7 @@ ASSERT((__arch_info_end - __arch_info_be
 ASSERT((_end - __bss_start) >= 12288, ".bss too small for CONFIG_XIP_DEFLATED_DATA")
 #endif
 
-#ifdef CONFIG_ARM_MPU
+#if defined(CONFIG_ARM_MPU) && !defined(CONFIG_COMPILE_TEST)
 /*
  * Due to PMSAv7 restriction on base address and size we have to
  * enforce minimal alignment restrictions. It was seen that weaker



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 007/125] ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 006/125] ARM: 9141/1: only warn about XIP address when not compile testing Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 008/125] usbnet: sanity check for maxpacket Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Hałasa,
	Corentin Labbe, Russell King (Oracle)

From: LABBE Corentin <clabbe.montjoie@gmail.com>

commit 00568b8a6364e15009b345b462e927e0b9fc2bb9 upstream.

My intel-ixp42x-welltech-epbx100 no longer boot since 4.14.
This is due to commit 463dbba4d189 ("ARM: 9104/2: Fix Keystone 2 kernel
mapping regression")
which forgot to handle CONFIG_CPU_ENDIAN_BE32 as possible BE config.

Suggested-by: Krzysztof Hałasa <khalasa@piap.pl>
Fixes: 463dbba4d189 ("ARM: 9104/2: Fix Keystone 2 kernel mapping regression")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/kernel/head.S |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arm/kernel/head.S
+++ b/arch/arm/kernel/head.S
@@ -253,7 +253,7 @@ __create_page_tables:
 	add	r0, r4, #KERNEL_OFFSET >> (SECTION_SHIFT - PMD_ORDER)
 	ldr	r6, =(_end - 1)
 	adr_l	r5, kernel_sec_start		@ _pa(kernel_sec_start)
-#ifdef CONFIG_CPU_ENDIAN_BE8
+#if defined CONFIG_CPU_ENDIAN_BE8 || defined CONFIG_CPU_ENDIAN_BE32
 	str	r8, [r5, #4]			@ Save physical start of kernel (BE)
 #else
 	str	r8, [r5]			@ Save physical start of kernel (LE)
@@ -266,7 +266,7 @@ __create_page_tables:
 	bls	1b
 	eor	r3, r3, r7			@ Remove the MMU flags
 	adr_l	r5, kernel_sec_end		@ _pa(kernel_sec_end)
-#ifdef CONFIG_CPU_ENDIAN_BE8
+#if defined CONFIG_CPU_ENDIAN_BE8 || defined CONFIG_CPU_ENDIAN_BE32
 	str	r3, [r5, #4]			@ Save physical end of kernel (BE)
 #else
 	str	r3, [r5]			@ Save physical end of kernel (LE)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 008/125] usbnet: sanity check for maxpacket
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 007/125] ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 009/125] usbnet: fix error return code in usbnet_probe() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum,
	syzbot+76bb1d34ffa0adc03baa, Johan Hovold, Jakub Kicinski

From: Oliver Neukum <oneukum@suse.com>

commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.

maxpacket of 0 makes no sense and oopses as we need to divide
by it. Give up.

V2: fixed typo in log and stylistic issues

Signed-off-by: Oliver Neukum <oneukum@suse.com>
Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1788,6 +1788,10 @@ usbnet_probe (struct usb_interface *udev
 	if (!dev->rx_urb_size)
 		dev->rx_urb_size = dev->hard_mtu;
 	dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+	if (dev->maxpacket == 0) {
+		/* that is a broken device */
+		goto out4;
+	}
 
 	/* let userspace know we have a random address */
 	if (ether_addr_equal(net->dev_addr, node_id))



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 009/125] usbnet: fix error return code in usbnet_probe()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 008/125] usbnet: sanity check for maxpacket Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 010/125] Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode" Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Wang Hai, Johan Hovold,
	Jakub Kicinski

From: Wang Hai <wanghai38@huawei.com>

commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.

Return error code if usb_maxpacket() returns 0 in usbnet_probe()

Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/usbnet.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/usb/usbnet.c
+++ b/drivers/net/usb/usbnet.c
@@ -1790,6 +1790,7 @@ usbnet_probe (struct usb_interface *udev
 	dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
 	if (dev->maxpacket == 0) {
 		/* that is a broken device */
+		status = -ENODEV;
 		goto out4;
 	}
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 010/125] Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 009/125] usbnet: fix error return code in usbnet_probe() Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 011/125] pinctrl: amd: disable and mask interrupts on probe Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rafał Miłecki, Linus Walleij

From: Rafał Miłecki <rafal@milecki.pl>

commit 6dba4bdfd7a30e77b848a45404b224588bf989e5 upstream.

This reverts commit a49d784d5a8272d0f63c448fe8dc69e589db006e.

The updated binding was wrong / invalid and has been reverted. There
isn't any upstream kernel DTS using it and Broadcom isn't known to use
it neither. There is close to zero chance this will cause regression for
anyone.

Actually in-kernel bcm5301x.dtsi still uses the old good binding and so
it's broken since the driver update. This revert fixes it.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Link: https://lore.kernel.org/r/20211008205938.29925-3-zajec5@gmail.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/bcm/pinctrl-ns.c |   29 ++++++++++-------------------
 1 file changed, 10 insertions(+), 19 deletions(-)

--- a/drivers/pinctrl/bcm/pinctrl-ns.c
+++ b/drivers/pinctrl/bcm/pinctrl-ns.c
@@ -5,7 +5,6 @@
 
 #include <linux/err.h>
 #include <linux/io.h>
-#include <linux/mfd/syscon.h>
 #include <linux/module.h>
 #include <linux/of.h>
 #include <linux/of_device.h>
@@ -13,7 +12,6 @@
 #include <linux/pinctrl/pinctrl.h>
 #include <linux/pinctrl/pinmux.h>
 #include <linux/platform_device.h>
-#include <linux/regmap.h>
 #include <linux/slab.h>
 
 #define FLAG_BCM4708		BIT(1)
@@ -24,8 +22,7 @@ struct ns_pinctrl {
 	struct device *dev;
 	unsigned int chipset_flag;
 	struct pinctrl_dev *pctldev;
-	struct regmap *regmap;
-	u32 offset;
+	void __iomem *base;
 
 	struct pinctrl_desc pctldesc;
 	struct ns_pinctrl_group *groups;
@@ -232,9 +229,9 @@ static int ns_pinctrl_set_mux(struct pin
 		unset |= BIT(pin_number);
 	}
 
-	regmap_read(ns_pinctrl->regmap, ns_pinctrl->offset, &tmp);
+	tmp = readl(ns_pinctrl->base);
 	tmp &= ~unset;
-	regmap_write(ns_pinctrl->regmap, ns_pinctrl->offset, tmp);
+	writel(tmp, ns_pinctrl->base);
 
 	return 0;
 }
@@ -266,13 +263,13 @@ static const struct of_device_id ns_pinc
 static int ns_pinctrl_probe(struct platform_device *pdev)
 {
 	struct device *dev = &pdev->dev;
-	struct device_node *np = dev->of_node;
 	const struct of_device_id *of_id;
 	struct ns_pinctrl *ns_pinctrl;
 	struct pinctrl_desc *pctldesc;
 	struct pinctrl_pin_desc *pin;
 	struct ns_pinctrl_group *group;
 	struct ns_pinctrl_function *function;
+	struct resource *res;
 	int i;
 
 	ns_pinctrl = devm_kzalloc(dev, sizeof(*ns_pinctrl), GFP_KERNEL);
@@ -290,18 +287,12 @@ static int ns_pinctrl_probe(struct platf
 		return -EINVAL;
 	ns_pinctrl->chipset_flag = (uintptr_t)of_id->data;
 
-	ns_pinctrl->regmap = syscon_node_to_regmap(of_get_parent(np));
-	if (IS_ERR(ns_pinctrl->regmap)) {
-		int err = PTR_ERR(ns_pinctrl->regmap);
-
-		dev_err(dev, "Failed to map pinctrl regs: %d\n", err);
-
-		return err;
-	}
-
-	if (of_property_read_u32(np, "offset", &ns_pinctrl->offset)) {
-		dev_err(dev, "Failed to get register offset\n");
-		return -ENOENT;
+	res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
+					   "cru_gpio_control");
+	ns_pinctrl->base = devm_ioremap_resource(dev, res);
+	if (IS_ERR(ns_pinctrl->base)) {
+		dev_err(dev, "Failed to map pinctrl regs\n");
+		return PTR_ERR(ns_pinctrl->base);
 	}
 
 	memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc));



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 011/125] pinctrl: amd: disable and mask interrupts on probe
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 010/125] Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode" Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 012/125] ata: sata_mv: Fix the error handling of mv_chip_id() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sachi King, Linus Walleij

From: Sachi King <nakato@nakato.io>

commit 4e5a04be88fe335ad5331f4f8c17f4ebd357e065 upstream.

Some systems such as the Microsoft Surface Laptop 4 leave interrupts
enabled and configured for use in sleep states on boot, which cause
unexpected behaviour such as spurious wakes and failed resumes in
s2idle states.

As interrupts should not be enabled until they are claimed and
explicitly enabled, disabling any interrupts mistakenly left enabled by
firmware should be safe.

Signed-off-by: Sachi King <nakato@nakato.io>
Link: https://lore.kernel.org/r/20211009033240.21543-1-nakato@nakato.io
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinctrl-amd.c |   31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -832,6 +832,34 @@ static const struct pinconf_ops amd_pinc
 	.pin_config_group_set = amd_pinconf_group_set,
 };
 
+static void amd_gpio_irq_init(struct amd_gpio *gpio_dev)
+{
+	struct pinctrl_desc *desc = gpio_dev->pctrl->desc;
+	unsigned long flags;
+	u32 pin_reg, mask;
+	int i;
+
+	mask = BIT(WAKE_CNTRL_OFF_S0I3) | BIT(WAKE_CNTRL_OFF_S3) |
+		BIT(INTERRUPT_MASK_OFF) | BIT(INTERRUPT_ENABLE_OFF) |
+		BIT(WAKE_CNTRL_OFF_S4);
+
+	for (i = 0; i < desc->npins; i++) {
+		int pin = desc->pins[i].number;
+		const struct pin_desc *pd = pin_desc_get(gpio_dev->pctrl, pin);
+
+		if (!pd)
+			continue;
+
+		raw_spin_lock_irqsave(&gpio_dev->lock, flags);
+
+		pin_reg = readl(gpio_dev->base + i * 4);
+		pin_reg &= ~mask;
+		writel(pin_reg, gpio_dev->base + i * 4);
+
+		raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
+	}
+}
+
 #ifdef CONFIG_PM_SLEEP
 static bool amd_gpio_should_save(struct amd_gpio *gpio_dev, unsigned int pin)
 {
@@ -969,6 +997,9 @@ static int amd_gpio_probe(struct platfor
 		return PTR_ERR(gpio_dev->pctrl);
 	}
 
+	/* Disable and mask interrupts */
+	amd_gpio_irq_init(gpio_dev);
+
 	girq = &gpio_dev->gc.irq;
 	girq->chip = &amd_gpio_irqchip;
 	/* This will let us handle the parent IRQ in the driver */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 012/125] ata: sata_mv: Fix the error handling of mv_chip_id()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 011/125] pinctrl: amd: disable and mask interrupts on probe Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 013/125] tipc: fix size validations for the MSG_CRYPTO type Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Damien Le Moal

From: Zheyu Ma <zheyuma97@gmail.com>

commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.

mv_init_host() propagates the value returned by mv_chip_id() which in turn
gets propagated by mv_pci_init_one() and hits local_pci_probe().

During the process of driver probing, the probe function should return < 0
for failure, otherwise, the kernel will treat value > 0 as success.

Since this is a bug rather than a recoverable runtime error we should
use dev_alert() instead of dev_err().

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ata/sata_mv.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/ata/sata_mv.c
+++ b/drivers/ata/sata_mv.c
@@ -3896,8 +3896,8 @@ static int mv_chip_id(struct ata_host *h
 		break;
 
 	default:
-		dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
-		return 1;
+		dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
+		return -EINVAL;
 	}
 
 	hpriv->hp_flags = hp_flags;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 013/125] tipc: fix size validations for the MSG_CRYPTO type
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 012/125] ata: sata_mv: Fix the error handling of mv_chip_id() Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 014/125] nfc: port100: fix using -ERRNO as command type mask Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Max VA, Ying Xue, Jon Maloy, David S. Miller

From: Max VA <maxv@sentinelone.com>

commit fa40d9734a57bcbfa79a280189799f76c88f7bb0 upstream.

The function tipc_crypto_key_rcv is used to parse MSG_CRYPTO messages
to receive keys from other nodes in the cluster in order to decrypt any
further messages from them.
This patch verifies that any supplied sizes in the message body are
valid for the received message.

Fixes: 1ef6f7c9390f ("tipc: add automatic session key exchange")
Signed-off-by: Max VA <maxv@sentinelone.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tipc/crypto.c |   32 +++++++++++++++++++++-----------
 1 file changed, 21 insertions(+), 11 deletions(-)

--- a/net/tipc/crypto.c
+++ b/net/tipc/crypto.c
@@ -2285,43 +2285,53 @@ static bool tipc_crypto_key_rcv(struct t
 	u16 key_gen = msg_key_gen(hdr);
 	u16 size = msg_data_sz(hdr);
 	u8 *data = msg_data(hdr);
+	unsigned int keylen;
+
+	/* Verify whether the size can exist in the packet */
+	if (unlikely(size < sizeof(struct tipc_aead_key) + TIPC_AEAD_KEYLEN_MIN)) {
+		pr_debug("%s: message data size is too small\n", rx->name);
+		goto exit;
+	}
+
+	keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
+
+	/* Verify the supplied size values */
+	if (unlikely(size != keylen + sizeof(struct tipc_aead_key) ||
+		     keylen > TIPC_AEAD_KEY_SIZE_MAX)) {
+		pr_debug("%s: invalid MSG_CRYPTO key size\n", rx->name);
+		goto exit;
+	}
 
 	spin_lock(&rx->lock);
 	if (unlikely(rx->skey || (key_gen == rx->key_gen && rx->key.keys))) {
 		pr_err("%s: key existed <%p>, gen %d vs %d\n", rx->name,
 		       rx->skey, key_gen, rx->key_gen);
-		goto exit;
+		goto exit_unlock;
 	}
 
 	/* Allocate memory for the key */
 	skey = kmalloc(size, GFP_ATOMIC);
 	if (unlikely(!skey)) {
 		pr_err("%s: unable to allocate memory for skey\n", rx->name);
-		goto exit;
+		goto exit_unlock;
 	}
 
 	/* Copy key from msg data */
-	skey->keylen = ntohl(*((__be32 *)(data + TIPC_AEAD_ALG_NAME)));
+	skey->keylen = keylen;
 	memcpy(skey->alg_name, data, TIPC_AEAD_ALG_NAME);
 	memcpy(skey->key, data + TIPC_AEAD_ALG_NAME + sizeof(__be32),
 	       skey->keylen);
 
-	/* Sanity check */
-	if (unlikely(size != tipc_aead_key_size(skey))) {
-		kfree(skey);
-		skey = NULL;
-		goto exit;
-	}
-
 	rx->key_gen = key_gen;
 	rx->skey_mode = msg_key_mode(hdr);
 	rx->skey = skey;
 	rx->nokey = 0;
 	mb(); /* for nokey flag */
 
-exit:
+exit_unlock:
 	spin_unlock(&rx->lock);
 
+exit:
 	/* Schedule the key attaching on this crypto */
 	if (likely(skey && queue_delayed_work(tx->wq, &rx->work, 0)))
 		return true;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 014/125] nfc: port100: fix using -ERRNO as command type mask
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 013/125] tipc: fix size validations for the MSG_CRYPTO type Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 015/125] Revert "net: mdiobus: Fix memory leak in __mdiobus_register" Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, David S. Miller

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.

During probing, the driver tries to get a list (mask) of supported
command types in port100_get_command_type_mask() function.  The value
is u64 and 0 is treated as invalid mask (no commands supported).  The
function however returns also -ERRNO as u64 which will be interpret as
valid command mask.

Return 0 on every error case of port100_get_command_type_mask(), so the
probing will stop.

Cc: <stable@vger.kernel.org>
Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nfc/port100.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/nfc/port100.c
+++ b/drivers/nfc/port100.c
@@ -1003,11 +1003,11 @@ static u64 port100_get_command_type_mask
 
 	skb = port100_alloc_skb(dev, 0);
 	if (!skb)
-		return -ENOMEM;
+		return 0;
 
 	resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
 	if (IS_ERR(resp))
-		return PTR_ERR(resp);
+		return 0;
 
 	if (resp->len < 8)
 		mask = 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 015/125] Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 014/125] nfc: port100: fix using -ERRNO as command type mask Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 016/125] net/tls: Fix flipped sign in tls_err_abort() calls Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yanfei Xu, Pavel Skripkin, Jakub Kicinski

From: Pavel Skripkin <paskripkin@gmail.com>

commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.

This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.

This patch is correct in the sense that we _should_ call device_put() in
case of device_register() failure, but the problem in this code is more
vast.

We need to set bus->state to UNMDIOBUS_REGISTERED before calling
device_register() to correctly release the device in mdiobus_free().
This patch prevents us from doing it, since in case of device_register()
failure put_device() will be called 2 times and it will cause UAF or
something else.

Also, Reported-by: tag in revered commit was wrong, since syzbot
reported different leak in same function.

Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
Acked-by: Yanfei Xu <yanfei.xu@windriver.com>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/mdio_bus.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/net/phy/mdio_bus.c
+++ b/drivers/net/phy/mdio_bus.c
@@ -548,7 +548,6 @@ int __mdiobus_register(struct mii_bus *b
 	err = device_register(&bus->dev);
 	if (err) {
 		pr_err("mii_bus %s failed to register\n", bus->id);
-		put_device(&bus->dev);
 		return -EINVAL;
 	}
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 016/125] net/tls: Fix flipped sign in tls_err_abort() calls
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 015/125] Revert "net: mdiobus: Fix memory leak in __mdiobus_register" Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 017/125] mmc: vub300: fix control-message timeouts Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b187b77c8474f9648fae,
	Daniel Jordan, David S. Miller

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream.

sk->sk_err appears to expect a positive value, a convention that ktls
doesn't always follow and that leads to memory corruption in other code.
For instance,

    [kworker]
    tls_encrypt_done(..., err=<negative error from crypto request>)
      tls_err_abort(.., err)
        sk->sk_err = err;

    [task]
    splice_from_pipe_feed
      ...
        tls_sw_do_sendpage
          if (sk->sk_err) {
            ret = -sk->sk_err;  // ret is positive

    splice_from_pipe_feed (continued)
      ret = actor(...)  // ret is still positive and interpreted as bytes
                        // written, resulting in underflow of buf->len and
                        // sd->len, leading to huge buf->offset and bogus
                        // addresses computed in later calls to actor()

Fix all tls_err_abort() callers to pass a negative error code
consistently and centralize the error-prone sign flip there, throwing in
a warning to catch future misuse and uninlining the function so it
really does only warn once.

Cc: stable@vger.kernel.org
Fixes: c46234ebb4d1e ("tls: RX path for ktls")
Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/tls.h |    9 ++-------
 net/tls/tls_sw.c  |   17 +++++++++++++----
 2 files changed, 15 insertions(+), 11 deletions(-)

--- a/include/net/tls.h
+++ b/include/net/tls.h
@@ -358,6 +358,7 @@ int tls_sk_query(struct sock *sk, int op
 		int __user *optlen);
 int tls_sk_attach(struct sock *sk, int optname, char __user *optval,
 		  unsigned int optlen);
+void tls_err_abort(struct sock *sk, int err);
 
 int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx);
 void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx);
@@ -466,12 +467,6 @@ static inline bool tls_is_sk_tx_device_o
 #endif
 }
 
-static inline void tls_err_abort(struct sock *sk, int err)
-{
-	sk->sk_err = err;
-	sk_error_report(sk);
-}
-
 static inline bool tls_bigint_increment(unsigned char *seq, int len)
 {
 	int i;
@@ -512,7 +507,7 @@ static inline void tls_advance_record_sn
 					 struct cipher_context *ctx)
 {
 	if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size))
-		tls_err_abort(sk, EBADMSG);
+		tls_err_abort(sk, -EBADMSG);
 
 	if (prot->version != TLS_1_3_VERSION &&
 	    prot->cipher_type != TLS_CIPHER_CHACHA20_POLY1305)
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -35,6 +35,7 @@
  * SOFTWARE.
  */
 
+#include <linux/bug.h>
 #include <linux/sched/signal.h>
 #include <linux/module.h>
 #include <linux/splice.h>
@@ -43,6 +44,14 @@
 #include <net/strparser.h>
 #include <net/tls.h>
 
+noinline void tls_err_abort(struct sock *sk, int err)
+{
+	WARN_ON_ONCE(err >= 0);
+	/* sk->sk_err should contain a positive error code. */
+	sk->sk_err = -err;
+	sk_error_report(sk);
+}
+
 static int __skb_nsg(struct sk_buff *skb, int offset, int len,
                      unsigned int recursion_level)
 {
@@ -419,7 +428,7 @@ int tls_tx_records(struct sock *sk, int
 
 tx_err:
 	if (rc < 0 && rc != -EAGAIN)
-		tls_err_abort(sk, EBADMSG);
+		tls_err_abort(sk, -EBADMSG);
 
 	return rc;
 }
@@ -763,7 +772,7 @@ static int tls_push_record(struct sock *
 			       msg_pl->sg.size + prot->tail_size, i);
 	if (rc < 0) {
 		if (rc != -EINPROGRESS) {
-			tls_err_abort(sk, EBADMSG);
+			tls_err_abort(sk, -EBADMSG);
 			if (split) {
 				tls_ctx->pending_open_record_frags = true;
 				tls_merge_open_record(sk, rec, tmp, orig_end);
@@ -1827,7 +1836,7 @@ int tls_sw_recvmsg(struct sock *sk,
 		err = decrypt_skb_update(sk, skb, &msg->msg_iter,
 					 &chunk, &zc, async_capable);
 		if (err < 0 && err != -EINPROGRESS) {
-			tls_err_abort(sk, EBADMSG);
+			tls_err_abort(sk, -EBADMSG);
 			goto recv_end;
 		}
 
@@ -2007,7 +2016,7 @@ ssize_t tls_sw_splice_read(struct socket
 		}
 
 		if (err < 0) {
-			tls_err_abort(sk, EBADMSG);
+			tls_err_abort(sk, -EBADMSG);
 			goto splice_read_end;
 		}
 		ctx->decrypted = 1;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 017/125] mmc: vub300: fix control-message timeouts
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 016/125] net/tls: Fix flipped sign in tls_err_abort() calls Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 018/125] mmc: cqhci: clear HALT state after CQE enable Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Ulf Hansson

From: Johan Hovold <johan@kernel.org>

commit 8c8171929116cc23f74743d99251eedadf62341a upstream.

USB control-message timeouts are specified in milliseconds and should
specifically not vary with CONFIG_HZ.

Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Cc: stable@vger.kernel.org      # 3.0
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20211025115608.5287-1-johan@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/vub300.c |   18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -576,7 +576,7 @@ static void check_vub300_port_status(str
 				GET_SYSTEM_PORT_STATUS,
 				USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				0x0000, 0x0000, &vub300->system_port_status,
-				sizeof(vub300->system_port_status), HZ);
+				sizeof(vub300->system_port_status), 1000);
 	if (sizeof(vub300->system_port_status) == retval)
 		new_system_port_status(vub300);
 }
@@ -1241,7 +1241,7 @@ static void __download_offload_pseudocod
 						SET_INTERRUPT_PSEUDOCODE,
 						USB_DIR_OUT | USB_TYPE_VENDOR |
 						USB_RECIP_DEVICE, 0x0000, 0x0000,
-						xfer_buffer, xfer_length, HZ);
+						xfer_buffer, xfer_length, 1000);
 			kfree(xfer_buffer);
 			if (retval < 0)
 				goto copy_error_message;
@@ -1284,7 +1284,7 @@ static void __download_offload_pseudocod
 						SET_TRANSFER_PSEUDOCODE,
 						USB_DIR_OUT | USB_TYPE_VENDOR |
 						USB_RECIP_DEVICE, 0x0000, 0x0000,
-						xfer_buffer, xfer_length, HZ);
+						xfer_buffer, xfer_length, 1000);
 			kfree(xfer_buffer);
 			if (retval < 0)
 				goto copy_error_message;
@@ -1991,7 +1991,7 @@ static void __set_clock_speed(struct vub
 		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_CLOCK_SPEED,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-				0x00, 0x00, buf, buf_array_size, HZ);
+				0x00, 0x00, buf, buf_array_size, 1000);
 	if (retval != 8) {
 		dev_err(&vub300->udev->dev, "SET_CLOCK_SPEED"
 			" %dkHz failed with retval=%d\n", kHzClock, retval);
@@ -2013,14 +2013,14 @@ static void vub300_mmc_set_ios(struct mm
 		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_SD_POWER,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-				0x0000, 0x0000, NULL, 0, HZ);
+				0x0000, 0x0000, NULL, 0, 1000);
 		/* must wait for the VUB300 u-proc to boot up */
 		msleep(600);
 	} else if ((ios->power_mode == MMC_POWER_UP) && !vub300->card_powered) {
 		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_SD_POWER,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-				0x0001, 0x0000, NULL, 0, HZ);
+				0x0001, 0x0000, NULL, 0, 1000);
 		msleep(600);
 		vub300->card_powered = 1;
 	} else if (ios->power_mode == MMC_POWER_ON) {
@@ -2275,14 +2275,14 @@ static int vub300_probe(struct usb_inter
 				GET_HC_INF0,
 				USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				0x0000, 0x0000, &vub300->hc_info,
-				sizeof(vub300->hc_info), HZ);
+				sizeof(vub300->hc_info), 1000);
 	if (retval < 0)
 		goto error5;
 	retval =
 		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_ROM_WAIT_STATES,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
-				firmware_rom_wait_states, 0x0000, NULL, 0, HZ);
+				firmware_rom_wait_states, 0x0000, NULL, 0, 1000);
 	if (retval < 0)
 		goto error5;
 	dev_info(&vub300->udev->dev,
@@ -2297,7 +2297,7 @@ static int vub300_probe(struct usb_inter
 				GET_SYSTEM_PORT_STATUS,
 				USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				0x0000, 0x0000, &vub300->system_port_status,
-				sizeof(vub300->system_port_status), HZ);
+				sizeof(vub300->system_port_status), 1000);
 	if (retval < 0) {
 		goto error4;
 	} else if (sizeof(vub300->system_port_status) == retval) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 018/125] mmc: cqhci: clear HALT state after CQE enable
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 017/125] mmc: vub300: fix control-message timeouts Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 019/125] mmc: mediatek: Move cqhci init behind ungate clock Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenbin Mei, Adrian Hunter, Ulf Hansson

From: Wenbin Mei <wenbin.mei@mediatek.com>

commit 92b18252b91de567cd875f2e84722b10ab34ee28 upstream.

While mmc0 enter suspend state, we need halt CQE to send legacy cmd(flush
cache) and disable cqe, for resume back, we enable CQE and not clear HALT
state.
In this case MediaTek mmc host controller will keep the value for HALT
state after CQE disable/enable flow, so the next CQE transfer after resume
will be timeout due to CQE is in HALT state, the log as below:
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: timeout for tag 2
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: ============ CQHCI REGISTER DUMP ===========
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Caps:      0x100020b6 | Version:  0x00000510
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Config:    0x00001103 | Control:  0x00000001
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int stat:  0x00000000 | Int enab: 0x00000006
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Int sig:   0x00000006 | Int Coal: 0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: TDL base:  0xfd05f000 | TDL up32: 0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Doorbell:  0x8000203c | TCN:      0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Dev queue: 0x00000000 | Dev Pend: 0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Task clr:  0x00000000 | SSC1:     0x00001000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: SSC2:      0x00000001 | DCMD rsp: 0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: RED mask:  0xfdf9a080 | TERRI:    0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: Resp idx:  0x00000000 | Resp arg: 0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQP:     0x00000000 | CRNQDUN:  0x00000000
<4>.(4)[318:kworker/4:1H]mmc0: cqhci: CRNQIS:    0x00000000 | CRNQIE:   0x00000000

This change check HALT state after CQE enable, if CQE is in HALT state, we
will clear it.

Signed-off-by: Wenbin Mei <wenbin.mei@mediatek.com>
Cc: stable@vger.kernel.org
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: a4080225f51d ("mmc: cqhci: support for command queue enabled host")
Link: https://lore.kernel.org/r/20211026070812.9359-1-wenbin.mei@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/cqhci-core.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/mmc/host/cqhci-core.c
+++ b/drivers/mmc/host/cqhci-core.c
@@ -282,6 +282,9 @@ static void __cqhci_enable(struct cqhci_
 
 	cqhci_writel(cq_host, cqcfg, CQHCI_CFG);
 
+	if (cqhci_readl(cq_host, CQHCI_CTL) & CQHCI_HALT)
+		cqhci_writel(cq_host, 0, CQHCI_CTL);
+
 	mmc->cqe_on = true;
 
 	if (cq_host->ops->enable)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 019/125] mmc: mediatek: Move cqhci init behind ungate clock
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 018/125] mmc: cqhci: clear HALT state after CQE enable Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 020/125] mmc: tmio: reenable card irqs after the reset callback Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wenbin Mei, Chaotian Jing, Ulf Hansson

From: Wenbin Mei <wenbin.mei@mediatek.com>

commit e8a1ff65927080278e6826f797b7c197fb2611a6 upstream.

We must enable clock before cqhci init, because crypto needs read
information from CQHCI registers, otherwise, it will hang in MediaTek mmc
host controller.

Signed-off-by: Wenbin Mei <wenbin.mei@mediatek.com>
Fixes: 88bd652b3c74 ("mmc: mediatek: command queue support")
Cc: stable@vger.kernel.org
Acked-by: Chaotian Jing <chaotian.jing@mediatek.com>
Link: https://lore.kernel.org/r/20211028022049.22129-1-wenbin.mei@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/mtk-sd.c |   38 +++++++++++++++++++-------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -2577,6 +2577,25 @@ static int msdc_drv_probe(struct platfor
 		host->dma_mask = DMA_BIT_MASK(32);
 	mmc_dev(mmc)->dma_mask = &host->dma_mask;
 
+	host->timeout_clks = 3 * 1048576;
+	host->dma.gpd = dma_alloc_coherent(&pdev->dev,
+				2 * sizeof(struct mt_gpdma_desc),
+				&host->dma.gpd_addr, GFP_KERNEL);
+	host->dma.bd = dma_alloc_coherent(&pdev->dev,
+				MAX_BD_NUM * sizeof(struct mt_bdma_desc),
+				&host->dma.bd_addr, GFP_KERNEL);
+	if (!host->dma.gpd || !host->dma.bd) {
+		ret = -ENOMEM;
+		goto release_mem;
+	}
+	msdc_init_gpd_bd(host, &host->dma);
+	INIT_DELAYED_WORK(&host->req_timeout, msdc_request_timeout);
+	spin_lock_init(&host->lock);
+
+	platform_set_drvdata(pdev, mmc);
+	msdc_ungate_clock(host);
+	msdc_init_hw(host);
+
 	if (mmc->caps2 & MMC_CAP2_CQE) {
 		host->cq_host = devm_kzalloc(mmc->parent,
 					     sizeof(*host->cq_host),
@@ -2597,25 +2616,6 @@ static int msdc_drv_probe(struct platfor
 		mmc->max_seg_size = 64 * 1024;
 	}
 
-	host->timeout_clks = 3 * 1048576;
-	host->dma.gpd = dma_alloc_coherent(&pdev->dev,
-				2 * sizeof(struct mt_gpdma_desc),
-				&host->dma.gpd_addr, GFP_KERNEL);
-	host->dma.bd = dma_alloc_coherent(&pdev->dev,
-				MAX_BD_NUM * sizeof(struct mt_bdma_desc),
-				&host->dma.bd_addr, GFP_KERNEL);
-	if (!host->dma.gpd || !host->dma.bd) {
-		ret = -ENOMEM;
-		goto release_mem;
-	}
-	msdc_init_gpd_bd(host, &host->dma);
-	INIT_DELAYED_WORK(&host->req_timeout, msdc_request_timeout);
-	spin_lock_init(&host->lock);
-
-	platform_set_drvdata(pdev, mmc);
-	msdc_ungate_clock(host);
-	msdc_init_hw(host);
-
 	ret = devm_request_irq(&pdev->dev, host->irq, msdc_irq,
 			       IRQF_TRIGGER_NONE, pdev->name, host);
 	if (ret)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 020/125] mmc: tmio: reenable card irqs after the reset callback
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 019/125] mmc: mediatek: Move cqhci init behind ungate clock Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 021/125] mmc: dw_mmc: exynos: fix the finding clock sample value Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Biju Das, Wolfram Sang, Ulf Hansson

From: Wolfram Sang <wsa+renesas@sang-engineering.com>

commit 90935eb303e0d12f3d3d0383262e65290321f5f6 upstream.

The reset callback may clear the internal card detect interrupts, so
make sure to reenable them if needed.

Fixes: b4d86f37eacb ("mmc: renesas_sdhi: do hard reset if possible")
Reported-by: Biju Das <biju.das.jz@bp.renesas.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211028195149.8003-1-wsa+renesas@sang-engineering.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/tmio_mmc_core.c |   17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

--- a/drivers/mmc/host/tmio_mmc_core.c
+++ b/drivers/mmc/host/tmio_mmc_core.c
@@ -195,6 +195,10 @@ static void tmio_mmc_reset(struct tmio_m
 	sd_ctrl_write32_as_16_and_16(host, CTL_IRQ_MASK, host->sdcard_irq_mask_all);
 	host->sdcard_irq_mask = host->sdcard_irq_mask_all;
 
+	if (host->native_hotplug)
+		tmio_mmc_enable_mmc_irqs(host,
+				TMIO_STAT_CARD_REMOVE | TMIO_STAT_CARD_INSERT);
+
 	tmio_mmc_set_bus_width(host, host->mmc->ios.bus_width);
 
 	if (host->pdata->flags & TMIO_MMC_SDIO_IRQ) {
@@ -956,8 +960,15 @@ static void tmio_mmc_set_ios(struct mmc_
 	case MMC_POWER_OFF:
 		tmio_mmc_power_off(host);
 		/* For R-Car Gen2+, we need to reset SDHI specific SCC */
-		if (host->pdata->flags & TMIO_MMC_MIN_RCAR2)
+		if (host->pdata->flags & TMIO_MMC_MIN_RCAR2) {
 			host->reset(host);
+
+			if (host->native_hotplug)
+				tmio_mmc_enable_mmc_irqs(host,
+						TMIO_STAT_CARD_REMOVE |
+						TMIO_STAT_CARD_INSERT);
+		}
+
 		host->set_clock(host, 0);
 		break;
 	case MMC_POWER_UP:
@@ -1185,10 +1196,6 @@ int tmio_mmc_host_probe(struct tmio_mmc_
 	_host->set_clock(_host, 0);
 	tmio_mmc_reset(_host);
 
-	if (_host->native_hotplug)
-		tmio_mmc_enable_mmc_irqs(_host,
-				TMIO_STAT_CARD_REMOVE | TMIO_STAT_CARD_INSERT);
-
 	spin_lock_init(&_host->lock);
 	mutex_init(&_host->ios_lock);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 021/125] mmc: dw_mmc: exynos: fix the finding clock sample value
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 020/125] mmc: tmio: reenable card irqs after the reset callback Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 022/125] mmc: sdhci: Map more voltage level to SDHCI_POWER_330 Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jaehoon Chung, Marek Szyprowski,
	Christian Hewitt, Ulf Hansson

From: Jaehoon Chung <jh80.chung@samsung.com>

commit 697542bceae51f7620af333b065dd09d213629fb upstream.

Even though there are candiates value if can't find best value, it's
returned -EIO. It's not proper behavior.
If there is not best value, use a first candiate value to work eMMC.

Signed-off-by: Jaehoon Chung <jh80.chung@samsung.com>
Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
Tested-by: Christian Hewitt <christianshewitt@gmail.com>
Cc: stable@vger.kernel.org
Fixes: c537a1c5ff63 ("mmc: dw_mmc: exynos: add variable delay tuning sequence")
Link: https://lore.kernel.org/r/20211022082106.1557-1-jh80.chung@samsung.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/dw_mmc-exynos.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/mmc/host/dw_mmc-exynos.c
+++ b/drivers/mmc/host/dw_mmc-exynos.c
@@ -464,6 +464,18 @@ static s8 dw_mci_exynos_get_best_clksmpl
 		}
 	}
 
+	/*
+	 * If there is no cadiates value, then it needs to return -EIO.
+	 * If there are candiates values and don't find bset clk sample value,
+	 * then use a first candiates clock sample value.
+	 */
+	for (i = 0; i < iter; i++) {
+		__c = ror8(candiates, i);
+		if ((__c & 0x1) == 0x1) {
+			loc = i;
+			goto out;
+		}
+	}
 out:
 	return loc;
 }
@@ -494,6 +506,8 @@ static int dw_mci_exynos_execute_tuning(
 		priv->tuned_sample = found;
 	} else {
 		ret = -EIO;
+		dev_warn(&mmc->class_dev,
+			"There is no candiates value about clksmpl!\n");
 	}
 
 	return ret;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 022/125] mmc: sdhci: Map more voltage level to SDHCI_POWER_330
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 021/125] mmc: dw_mmc: exynos: fix the finding clock sample value Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 023/125] mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shawn Guo, Adrian Hunter, Ulf Hansson

From: Shawn Guo <shawn.guo@linaro.org>

commit 4217d07b9fb328751f877d3bd9550122014860a2 upstream.

On Thundercomm TurboX CM2290, the eMMC OCR reports vdd = 23 (3.5 ~ 3.6 V),
which is being treated as an invalid value by sdhci_set_power_noreg().
And thus eMMC is totally broken on the platform.

[    1.436599] ------------[ cut here ]------------
[    1.436606] mmc0: Invalid vdd 0x17
[    1.436640] WARNING: CPU: 2 PID: 69 at drivers/mmc/host/sdhci.c:2048 sdhci_set_power_noreg+0x168/0x2b4
[    1.436655] Modules linked in:
[    1.436662] CPU: 2 PID: 69 Comm: kworker/u8:1 Tainted: G        W         5.15.0-rc1+ #137
[    1.436669] Hardware name: Thundercomm TurboX CM2290 (DT)
[    1.436674] Workqueue: events_unbound async_run_entry_fn
[    1.436685] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[    1.436692] pc : sdhci_set_power_noreg+0x168/0x2b4
[    1.436698] lr : sdhci_set_power_noreg+0x168/0x2b4
[    1.436703] sp : ffff800010803a60
[    1.436705] x29: ffff800010803a60 x28: ffff6a9102465f00 x27: ffff6a9101720a70
[    1.436715] x26: ffff6a91014de1c0 x25: ffff6a91014de010 x24: ffff6a91016af280
[    1.436724] x23: ffffaf7b1b276640 x22: 0000000000000000 x21: ffff6a9101720000
[    1.436733] x20: ffff6a9101720370 x19: ffff6a9101720580 x18: 0000000000000020
[    1.436743] x17: 0000000000000000 x16: 0000000000000004 x15: ffffffffffffffff
[    1.436751] x14: 0000000000000000 x13: 00000000fffffffd x12: ffffaf7b1b84b0bc
[    1.436760] x11: ffffaf7b1b720d10 x10: 000000000000000a x9 : ffff800010803a60
[    1.436769] x8 : 000000000000000a x7 : 000000000000000f x6 : 00000000fffff159
[    1.436778] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 00000000ffffffff
[    1.436787] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff6a9101718d80
[    1.436797] Call trace:
[    1.436800]  sdhci_set_power_noreg+0x168/0x2b4
[    1.436805]  sdhci_set_ios+0xa0/0x7fc
[    1.436811]  mmc_power_up.part.0+0xc4/0x164
[    1.436818]  mmc_start_host+0xa0/0xb0
[    1.436824]  mmc_add_host+0x60/0x90
[    1.436830]  __sdhci_add_host+0x174/0x330
[    1.436836]  sdhci_msm_probe+0x7c0/0x920
[    1.436842]  platform_probe+0x68/0xe0
[    1.436850]  really_probe.part.0+0x9c/0x31c
[    1.436857]  __driver_probe_device+0x98/0x144
[    1.436863]  driver_probe_device+0xc8/0x15c
[    1.436869]  __device_attach_driver+0xb4/0x120
[    1.436875]  bus_for_each_drv+0x78/0xd0
[    1.436881]  __device_attach_async_helper+0xac/0xd0
[    1.436888]  async_run_entry_fn+0x34/0x110
[    1.436895]  process_one_work+0x1d0/0x354
[    1.436903]  worker_thread+0x13c/0x470
[    1.436910]  kthread+0x150/0x160
[    1.436915]  ret_from_fork+0x10/0x20
[    1.436923] ---[ end trace fcfac44cb045c3a8 ]---

Fix the issue by mapping MMC_VDD_35_36 (and MMC_VDD_34_35) to
SDHCI_POWER_330 as well.

Signed-off-by: Shawn Guo <shawn.guo@linaro.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211004024935.15326-1-shawn.guo@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -2042,6 +2042,12 @@ void sdhci_set_power_noreg(struct sdhci_
 			break;
 		case MMC_VDD_32_33:
 		case MMC_VDD_33_34:
+		/*
+		 * 3.4 ~ 3.6V are valid only for those platforms where it's
+		 * known that the voltage range is supported by hardware.
+		 */
+		case MMC_VDD_34_35:
+		case MMC_VDD_35_36:
 			pwr = SDHCI_POWER_330;
 			break;
 		default:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 023/125] mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 022/125] mmc: sdhci: Map more voltage level to SDHCI_POWER_330 Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 024/125] mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Adrian Hunter, Ulf Hansson

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit 6ab4e2eb5e956a61e4d53cea3ab8c866ba79a830 upstream.

Intel Merrifield platform had been converted to use ACPI enumeration.
However, the driver missed an update to retrieve card detect GPIO.
Fix it here.

Unfortunately we can't rely on CD GPIO state because there are two
different PCB designs in the wild that are using the opposite card
detection sense and there is no way to distinguish those platforms,
that's why ignore CD GPIO completely and use it only as an event.

Fixes: 4590d98f5a4f ("sfi: Remove framework for deprecated firmware")
BugLink: https://github.com/edison-fw/meta-intel-edison/issues/135
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211013201723.52212-2-andriy.shevchenko@linux.intel.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-pci-core.c |   29 ++++++++++++++++++++++++-----
 1 file changed, 24 insertions(+), 5 deletions(-)

--- a/drivers/mmc/host/sdhci-pci-core.c
+++ b/drivers/mmc/host/sdhci-pci-core.c
@@ -616,16 +616,12 @@ static int intel_select_drive_strength(s
 	return intel_host->drv_strength;
 }
 
-static int bxt_get_cd(struct mmc_host *mmc)
+static int sdhci_get_cd_nogpio(struct mmc_host *mmc)
 {
-	int gpio_cd = mmc_gpio_get_cd(mmc);
 	struct sdhci_host *host = mmc_priv(mmc);
 	unsigned long flags;
 	int ret = 0;
 
-	if (!gpio_cd)
-		return 0;
-
 	spin_lock_irqsave(&host->lock, flags);
 
 	if (host->flags & SDHCI_DEVICE_DEAD)
@@ -638,6 +634,21 @@ out:
 	return ret;
 }
 
+static int bxt_get_cd(struct mmc_host *mmc)
+{
+	int gpio_cd = mmc_gpio_get_cd(mmc);
+
+	if (!gpio_cd)
+		return 0;
+
+	return sdhci_get_cd_nogpio(mmc);
+}
+
+static int mrfld_get_cd(struct mmc_host *mmc)
+{
+	return sdhci_get_cd_nogpio(mmc);
+}
+
 #define SDHCI_INTEL_PWR_TIMEOUT_CNT	20
 #define SDHCI_INTEL_PWR_TIMEOUT_UDELAY	100
 
@@ -1341,6 +1352,14 @@ static int intel_mrfld_mmc_probe_slot(st
 					 MMC_CAP_1_8V_DDR;
 		break;
 	case INTEL_MRFLD_SD:
+		slot->cd_idx = 0;
+		slot->cd_override_level = true;
+		/*
+		 * There are two PCB designs of SD card slot with the opposite
+		 * card detection sense. Quirk this out by ignoring GPIO state
+		 * completely in the custom ->get_cd() callback.
+		 */
+		slot->host->mmc_host_ops.get_cd = mrfld_get_cd;
 		slot->host->quirks2 |= SDHCI_QUIRK2_NO_1_8_V;
 		break;
 	case INTEL_MRFLD_SDIO:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 024/125] mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 023/125] mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 025/125] block: Fix partition check for host-aware zoned block devices Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Haibo Chen, Adrian Hunter, Ulf Hansson

From: Haibo Chen <haibo.chen@nxp.com>

commit 9af372dc70e9fdcbb70939dac75365e7b88580b4 upstream.

To reset standard tuning circuit completely, after clear ESDHC_MIX_CTRL_EXE_TUNE,
also need to clear bit buffer_read_ready, this operation will finally clear the
USDHC IP internal logic flag execute_tuning_with_clr_buf, make sure the following
normal data transfer will not be impacted by standard tuning logic used before.

Find this issue when do quick SD card insert/remove stress test. During standard
tuning prodedure, if remove SD card, USDHC standard tuning logic can't clear the
internal flag execute_tuning_with_clr_buf. Next time when insert SD card, all
data related commands can't get any data related interrupts, include data transfer
complete interrupt, data timeout interrupt, data CRC interrupt, data end bit interrupt.
Always trigger software timeout issue. Even reset the USDHC through bits in register
SYS_CTRL (0x2C, bit28 reset tuning, bit26 reset data, bit 25 reset command, bit 24
reset all) can't recover this. From the user's point of view, USDHC stuck, SD can't
be recognized any more.

Fixes: d9370424c948 ("mmc: sdhci-esdhc-imx: reset tuning circuit when power on mmc card")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/1634263236-6111-1-git-send-email-haibo.chen@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/mmc/host/sdhci-esdhc-imx.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/mmc/host/sdhci-esdhc-imx.c
+++ b/drivers/mmc/host/sdhci-esdhc-imx.c
@@ -1133,6 +1133,7 @@ static void esdhc_reset_tuning(struct sd
 	struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
 	struct pltfm_imx_data *imx_data = sdhci_pltfm_priv(pltfm_host);
 	u32 ctrl;
+	int ret;
 
 	/* Reset the tuning circuit */
 	if (esdhc_is_usdhc(imx_data)) {
@@ -1145,7 +1146,22 @@ static void esdhc_reset_tuning(struct sd
 		} else if (imx_data->socdata->flags & ESDHC_FLAG_STD_TUNING) {
 			ctrl = readl(host->ioaddr + SDHCI_AUTO_CMD_STATUS);
 			ctrl &= ~ESDHC_MIX_CTRL_SMPCLK_SEL;
+			ctrl &= ~ESDHC_MIX_CTRL_EXE_TUNE;
 			writel(ctrl, host->ioaddr + SDHCI_AUTO_CMD_STATUS);
+			/* Make sure ESDHC_MIX_CTRL_EXE_TUNE cleared */
+			ret = readl_poll_timeout(host->ioaddr + SDHCI_AUTO_CMD_STATUS,
+				ctrl, !(ctrl & ESDHC_MIX_CTRL_EXE_TUNE), 1, 50);
+			if (ret == -ETIMEDOUT)
+				dev_warn(mmc_dev(host->mmc),
+				 "Warning! clear execute tuning bit failed\n");
+			/*
+			 * SDHCI_INT_DATA_AVAIL is W1C bit, set this bit will clear the
+			 * usdhc IP internal logic flag execute_tuning_with_clr_buf, which
+			 * will finally make sure the normal data transfer logic correct.
+			 */
+			ctrl = readl(host->ioaddr + SDHCI_INT_STATUS);
+			ctrl |= SDHCI_INT_DATA_AVAIL;
+			writel(ctrl, host->ioaddr + SDHCI_INT_STATUS);
 		}
 	}
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 025/125] block: Fix partition check for host-aware zoned block devices
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 024/125] mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 026/125] ocfs2: fix race between searching chunks and release journal_head from buffer_head Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shinichiro Kawasaki,
	Johannes Thumshirn, Christoph Hellwig, Jens Axboe

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

commit e0c60d0102a5ad3475401e1a2faa3d3623eefce4 upstream.

Commit a33df75c6328 ("block: use an xarray for disk->part_tbl") modified
the method to check partition existence in host-aware zoned block
devices from disk_has_partitions() helper function call to empty check
of xarray disk->part_tbl. However, disk->part_tbl always has single
entry for disk->part0 and never becomes empty. This resulted in the
host-aware zoned devices always judged to have partitions, and it made
the sysfs queue/zoned attribute to be "none" instead of "host-aware"
regardless of partition existence in the devices.

This also caused DEBUG_LOCKS_WARN_ON(lock->magic != lock) for
sdkp->rev_mutex in scsi layer when the kernel detects host-aware zoned
device. Since block layer handled the host-aware zoned devices as non-
zoned devices, scsi layer did not have chance to initialize the mutex
for zone revalidation. Therefore, the warning was triggered.

To fix the issues, call the helper function disk_has_partitions() in
place of disk->part_tbl empty check. Since the function was removed with
the commit a33df75c6328, reimplement it to walk through entries in the
xarray disk->part_tbl.

Fixes: a33df75c6328 ("block: use an xarray for disk->part_tbl")
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Cc: stable@vger.kernel.org # v5.14+
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20211026060115.753746-1-shinichiro.kawasaki@wdc.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-settings.c |   20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

--- a/block/blk-settings.c
+++ b/block/blk-settings.c
@@ -842,6 +842,24 @@ bool blk_queue_can_use_dma_map_merging(s
 }
 EXPORT_SYMBOL_GPL(blk_queue_can_use_dma_map_merging);
 
+static bool disk_has_partitions(struct gendisk *disk)
+{
+	unsigned long idx;
+	struct block_device *part;
+	bool ret = false;
+
+	rcu_read_lock();
+	xa_for_each(&disk->part_tbl, idx, part) {
+		if (bdev_is_partition(part)) {
+			ret = true;
+			break;
+		}
+	}
+	rcu_read_unlock();
+
+	return ret;
+}
+
 /**
  * blk_queue_set_zoned - configure a disk queue zoned model.
  * @disk:	the gendisk of the queue to configure
@@ -876,7 +894,7 @@ void blk_queue_set_zoned(struct gendisk
 		 * we do nothing special as far as the block layer is concerned.
 		 */
 		if (!IS_ENABLED(CONFIG_BLK_DEV_ZONED) ||
-		    !xa_empty(&disk->part_tbl))
+		    disk_has_partitions(disk))
 			model = BLK_ZONED_NONE;
 		break;
 	case BLK_ZONED_NONE:



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 026/125] ocfs2: fix race between searching chunks and release journal_head from buffer_head
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 025/125] block: Fix partition check for host-aware zoned block devices Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 027/125] nvme-tcp: fix H2CData PDU send accounting (again) Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gautham Ananthakrishna, Joseph Qi,
	rajesh.sivaramasubramaniom, Mark Fasheh, Joel Becker, Junxiao Bi,
	Changwei Ge, Gang He, Jun Piao, Andrew Morton, Linus Torvalds

From: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>

commit 6f1b228529ae49b0f85ab89bcdb6c365df401558 upstream.

Encountered a race between ocfs2_test_bg_bit_allocatable() and
jbd2_journal_put_journal_head() resulting in the below vmcore.

  PID: 106879  TASK: ffff880244ba9c00  CPU: 2   COMMAND: "loop3"
  Call trace:
    panic
    oops_end
    no_context
    __bad_area_nosemaphore
    bad_area_nosemaphore
    __do_page_fault
    do_page_fault
    page_fault
      [exception RIP: ocfs2_block_group_find_clear_bits+316]
    ocfs2_block_group_find_clear_bits [ocfs2]
    ocfs2_cluster_group_search [ocfs2]
    ocfs2_search_chain [ocfs2]
    ocfs2_claim_suballoc_bits [ocfs2]
    __ocfs2_claim_clusters [ocfs2]
    ocfs2_claim_clusters [ocfs2]
    ocfs2_local_alloc_slide_window [ocfs2]
    ocfs2_reserve_local_alloc_bits [ocfs2]
    ocfs2_reserve_clusters_with_limit [ocfs2]
    ocfs2_reserve_clusters [ocfs2]
    ocfs2_lock_refcount_allocators [ocfs2]
    ocfs2_make_clusters_writable [ocfs2]
    ocfs2_replace_cow [ocfs2]
    ocfs2_refcount_cow [ocfs2]
    ocfs2_file_write_iter [ocfs2]
    lo_rw_aio
    loop_queue_work
    kthread_worker_fn
    kthread
    ret_from_fork

When ocfs2_test_bg_bit_allocatable() called bh2jh(bg_bh), the
bg_bh->b_private NULL as jbd2_journal_put_journal_head() raced and
released the jounal head from the buffer head.  Needed to take bit lock
for the bit 'BH_JournalHead' to fix this race.

Link: https://lkml.kernel.org/r/1634820718-6043-1-git-send-email-gautham.ananthakrishna@oracle.com
Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: <rajesh.sivaramasubramaniom@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/suballoc.c |   22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

--- a/fs/ocfs2/suballoc.c
+++ b/fs/ocfs2/suballoc.c
@@ -1251,7 +1251,7 @@ static int ocfs2_test_bg_bit_allocatable
 {
 	struct ocfs2_group_desc *bg = (struct ocfs2_group_desc *) bg_bh->b_data;
 	struct journal_head *jh;
-	int ret;
+	int ret = 1;
 
 	if (ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap))
 		return 0;
@@ -1259,14 +1259,18 @@ static int ocfs2_test_bg_bit_allocatable
 	if (!buffer_jbd(bg_bh))
 		return 1;
 
-	jh = bh2jh(bg_bh);
-	spin_lock(&jh->b_state_lock);
-	bg = (struct ocfs2_group_desc *) jh->b_committed_data;
-	if (bg)
-		ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
-	else
-		ret = 1;
-	spin_unlock(&jh->b_state_lock);
+	jbd_lock_bh_journal_head(bg_bh);
+	if (buffer_jbd(bg_bh)) {
+		jh = bh2jh(bg_bh);
+		spin_lock(&jh->b_state_lock);
+		bg = (struct ocfs2_group_desc *) jh->b_committed_data;
+		if (bg)
+			ret = !ocfs2_test_bit(nr, (unsigned long *)bg->bg_bitmap);
+		else
+			ret = 1;
+		spin_unlock(&jh->b_state_lock);
+	}
+	jbd_unlock_bh_journal_head(bg_bh);
 
 	return ret;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 027/125] nvme-tcp: fix H2CData PDU send accounting (again)
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 026/125] ocfs2: fix race between searching chunks and release journal_head from buffer_head Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 028/125] ftrace/nds32: Update the proto for ftrace_trace_function to match ftrace_stub Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Busch, Sagi Grimberg,
	Christoph Hellwig

From: Sagi Grimberg <sagi@grimberg.me>

commit 25e1f67eda4a19c91dc05c84d6d413c53efb447b upstream.

We should not access request members after the last send, even to
determine if indeed it was the last data payload send. The reason is
that a completion could have arrived and trigger a new execution of the
request which overridden these members. This was fixed by commit
825619b09ad3 ("nvme-tcp: fix possible use-after-completion").

Commit e371af033c56 broke that assumption again to address cases where
multiple r2t pdus are sent per request. To fix it, we need to record the
request data_sent and data_len and after the payload network send we
reference these counters to determine weather we should advance the
request iterator.

Fixes: e371af033c56 ("nvme-tcp: fix incorrect h2cdata pdu offset accounting")
Reported-by: Keith Busch <kbusch@kernel.org>
Cc: stable@vger.kernel.org # 5.10+
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/tcp.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -913,12 +913,14 @@ static void nvme_tcp_fail_request(struct
 static int nvme_tcp_try_send_data(struct nvme_tcp_request *req)
 {
 	struct nvme_tcp_queue *queue = req->queue;
+	int req_data_len = req->data_len;
 
 	while (true) {
 		struct page *page = nvme_tcp_req_cur_page(req);
 		size_t offset = nvme_tcp_req_cur_offset(req);
 		size_t len = nvme_tcp_req_cur_length(req);
 		bool last = nvme_tcp_pdu_last_send(req, len);
+		int req_data_sent = req->data_sent;
 		int ret, flags = MSG_DONTWAIT;
 
 		if (last && !queue->data_digest && !nvme_tcp_queue_more(queue))
@@ -945,7 +947,7 @@ static int nvme_tcp_try_send_data(struct
 		 * in the request where we don't want to modify it as we may
 		 * compete with the RX path completing the request.
 		 */
-		if (req->data_sent + ret < req->data_len)
+		if (req_data_sent + ret < req_data_len)
 			nvme_tcp_advance_req(req, ret);
 
 		/* fully successful last send in current PDU */



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 028/125] ftrace/nds32: Update the proto for ftrace_trace_function to match ftrace_stub
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 027/125] nvme-tcp: fix H2CData PDU send accounting (again) Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 029/125] cfg80211: scan: fix RCU in cfg80211_add_nontrans_list() Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton, Nick Hu,
	Greentime Hu, Vincent Chen, Masami Hiramatsu, Peter Zijlstra,
	Randy Dunlap, Steven Rostedt (VMware)

From: Steven Rostedt (VMware) <rostedt@goodmis.org>

commit 4e84dc47bb48accbbeeba4e6bb3f31aa7895323c upstream.

The ftrace callback prototype was changed to pass a special ftrace_regs
instead of pt_regs as the last parameter, but the static ftrace for nds32
missed updating ftrace_trace_function and this caused a warning when
compared to ftrace_stub:

../arch/nds32/kernel/ftrace.c: In function '_mcount':
../arch/nds32/kernel/ftrace.c:24:35: error: comparison of distinct pointer types lacks a cast [-Werror]
   24 |         if (ftrace_trace_function != ftrace_stub)
      |                                   ^~

Link: https://lore.kernel.org/all/20211027055554.19372-1-rdunlap@infradead.org/
Link: https://lkml.kernel.org/r/20211027125101.33449969@gandalf.local.home

Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Nick Hu <nickhu@andestech.com>
Cc: Greentime Hu <green.hu@gmail.com>
Cc: Vincent Chen <deanbo422@gmail.com>
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org
Fixes: d19ad0775dcd6 ("ftrace: Have the callbacks receive a struct ftrace_regs instead of pt_regs")
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/nds32/kernel/ftrace.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/nds32/kernel/ftrace.c
+++ b/arch/nds32/kernel/ftrace.c
@@ -6,7 +6,7 @@
 
 #ifndef CONFIG_DYNAMIC_FTRACE
 extern void (*ftrace_trace_function)(unsigned long, unsigned long,
-				     struct ftrace_ops*, struct pt_regs*);
+				     struct ftrace_ops*, struct ftrace_regs*);
 extern void ftrace_graph_caller(void);
 
 noinline void __naked ftrace_stub(unsigned long ip, unsigned long parent_ip,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 029/125] cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 028/125] ftrace/nds32: Update the proto for ftrace_trace_function to match ftrace_stub Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 030/125] cfg80211: fix management registrations locking Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit a2083eeb119fb9307258baea9b7c243ca9a2e0b6 upstream.

The SSID pointer is pointing to RCU protected data, so we
need to have it under rcu_read_lock() for the entire use.
Fix this.

Cc: stable@vger.kernel.org
Fixes: 0b8fb8235be8 ("cfg80211: Parsing of Multiple BSSID information in scanning")
Link: https://lore.kernel.org/r/20210930131120.6ddfc603aa1d.I2137344c4e2426525b1a8e4ce5fca82f8ecbfe7e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/scan.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -418,14 +418,17 @@ cfg80211_add_nontrans_list(struct cfg802
 	}
 	ssid_len = ssid[1];
 	ssid = ssid + 2;
-	rcu_read_unlock();
 
 	/* check if nontrans_bss is in the list */
 	list_for_each_entry(bss, &trans_bss->nontrans_list, nontrans_list) {
-		if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len))
+		if (is_bss(bss, nontrans_bss->bssid, ssid, ssid_len)) {
+			rcu_read_unlock();
 			return 0;
+		}
 	}
 
+	rcu_read_unlock();
+
 	/* add to the list */
 	list_add_tail(&nontrans_bss->nontrans_list, &trans_bss->nontrans_list);
 	return 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 030/125] cfg80211: fix management registrations locking
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 029/125] cfg80211: scan: fix RCU in cfg80211_add_nontrans_list() Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 031/125] net: lan78xx: fix division by zero in send path Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jouni Malinen, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit 09b1d5dc6ce1c9151777f6c4e128a59457704c97 upstream.

The management registrations locking was broken, the list was
locked for each wdev, but cfg80211_mgmt_registrations_update()
iterated it without holding all the correct spinlocks, causing
list corruption.

Rather than trying to fix it with fine-grained locking, just
move the lock to the wiphy/rdev (still need the list on each
wdev), we already need to hold the wdev lock to change it, so
there's no contention on the lock in any case. This trivially
fixes the bug since we hold one wdev's lock already, and now
will hold the lock that protects all lists.

Cc: stable@vger.kernel.org
Reported-by: Jouni Malinen <j@w1.fi>
Fixes: 6cd536fe62ef ("cfg80211: change internal management frame registration API")
Link: https://lore.kernel.org/r/20211025133111.5cf733eab0f4.I7b0abb0494ab712f74e2efcd24bb31ac33f7eee9@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/cfg80211.h |    2 --
 net/wireless/core.c    |    2 +-
 net/wireless/core.h    |    2 ++
 net/wireless/mlme.c    |   26 ++++++++++++++------------
 4 files changed, 17 insertions(+), 15 deletions(-)

--- a/include/net/cfg80211.h
+++ b/include/net/cfg80211.h
@@ -5350,7 +5350,6 @@ static inline void wiphy_unlock(struct w
  *	netdev and may otherwise be used by driver read-only, will be update
  *	by cfg80211 on change_interface
  * @mgmt_registrations: list of registrations for management frames
- * @mgmt_registrations_lock: lock for the list
  * @mgmt_registrations_need_update: mgmt registrations were updated,
  *	need to propagate the update to the driver
  * @mtx: mutex used to lock data in this struct, may be used by drivers
@@ -5397,7 +5396,6 @@ struct wireless_dev {
 	u32 identifier;
 
 	struct list_head mgmt_registrations;
-	spinlock_t mgmt_registrations_lock;
 	u8 mgmt_registrations_need_update:1;
 
 	struct mutex mtx;
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -524,6 +524,7 @@ use_default_name:
 	INIT_WORK(&rdev->propagate_cac_done_wk, cfg80211_propagate_cac_done_wk);
 	INIT_WORK(&rdev->mgmt_registrations_update_wk,
 		  cfg80211_mgmt_registrations_update_wk);
+	spin_lock_init(&rdev->mgmt_registrations_lock);
 
 #ifdef CONFIG_CFG80211_DEFAULT_PS
 	rdev->wiphy.flags |= WIPHY_FLAG_PS_ON_BY_DEFAULT;
@@ -1279,7 +1280,6 @@ void cfg80211_init_wdev(struct wireless_
 	INIT_LIST_HEAD(&wdev->event_list);
 	spin_lock_init(&wdev->event_lock);
 	INIT_LIST_HEAD(&wdev->mgmt_registrations);
-	spin_lock_init(&wdev->mgmt_registrations_lock);
 	INIT_LIST_HEAD(&wdev->pmsr_list);
 	spin_lock_init(&wdev->pmsr_lock);
 	INIT_WORK(&wdev->pmsr_free_wk, cfg80211_pmsr_free_wk);
--- a/net/wireless/core.h
+++ b/net/wireless/core.h
@@ -100,6 +100,8 @@ struct cfg80211_registered_device {
 	struct work_struct propagate_cac_done_wk;
 
 	struct work_struct mgmt_registrations_update_wk;
+	/* lock for all wdev lists */
+	spinlock_t mgmt_registrations_lock;
 
 	/* must be last because of the way we do wiphy_priv(),
 	 * and it should at least be aligned to NETDEV_ALIGN */
--- a/net/wireless/mlme.c
+++ b/net/wireless/mlme.c
@@ -452,9 +452,9 @@ static void cfg80211_mgmt_registrations_
 
 	lockdep_assert_held(&rdev->wiphy.mtx);
 
-	spin_lock_bh(&wdev->mgmt_registrations_lock);
+	spin_lock_bh(&rdev->mgmt_registrations_lock);
 	if (!wdev->mgmt_registrations_need_update) {
-		spin_unlock_bh(&wdev->mgmt_registrations_lock);
+		spin_unlock_bh(&rdev->mgmt_registrations_lock);
 		return;
 	}
 
@@ -479,7 +479,7 @@ static void cfg80211_mgmt_registrations_
 	rcu_read_unlock();
 
 	wdev->mgmt_registrations_need_update = 0;
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	rdev_update_mgmt_frame_registrations(rdev, wdev, &upd);
 }
@@ -503,6 +503,7 @@ int cfg80211_mlme_register_mgmt(struct w
 				int match_len, bool multicast_rx,
 				struct netlink_ext_ack *extack)
 {
+	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
 	struct cfg80211_mgmt_registration *reg, *nreg;
 	int err = 0;
 	u16 mgmt_type;
@@ -548,7 +549,7 @@ int cfg80211_mlme_register_mgmt(struct w
 	if (!nreg)
 		return -ENOMEM;
 
-	spin_lock_bh(&wdev->mgmt_registrations_lock);
+	spin_lock_bh(&rdev->mgmt_registrations_lock);
 
 	list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
 		int mlen = min(match_len, reg->match_len);
@@ -583,7 +584,7 @@ int cfg80211_mlme_register_mgmt(struct w
 		list_add(&nreg->list, &wdev->mgmt_registrations);
 	}
 	wdev->mgmt_registrations_need_update = 1;
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	cfg80211_mgmt_registrations_update(wdev);
 
@@ -591,7 +592,7 @@ int cfg80211_mlme_register_mgmt(struct w
 
  out:
 	kfree(nreg);
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	return err;
 }
@@ -602,7 +603,7 @@ void cfg80211_mlme_unregister_socket(str
 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
 	struct cfg80211_mgmt_registration *reg, *tmp;
 
-	spin_lock_bh(&wdev->mgmt_registrations_lock);
+	spin_lock_bh(&rdev->mgmt_registrations_lock);
 
 	list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
 		if (reg->nlportid != nlportid)
@@ -615,7 +616,7 @@ void cfg80211_mlme_unregister_socket(str
 		schedule_work(&rdev->mgmt_registrations_update_wk);
 	}
 
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	if (nlportid && rdev->crit_proto_nlportid == nlportid) {
 		rdev->crit_proto_nlportid = 0;
@@ -628,15 +629,16 @@ void cfg80211_mlme_unregister_socket(str
 
 void cfg80211_mlme_purge_registrations(struct wireless_dev *wdev)
 {
+	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wdev->wiphy);
 	struct cfg80211_mgmt_registration *reg, *tmp;
 
-	spin_lock_bh(&wdev->mgmt_registrations_lock);
+	spin_lock_bh(&rdev->mgmt_registrations_lock);
 	list_for_each_entry_safe(reg, tmp, &wdev->mgmt_registrations, list) {
 		list_del(&reg->list);
 		kfree(reg);
 	}
 	wdev->mgmt_registrations_need_update = 1;
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	cfg80211_mgmt_registrations_update(wdev);
 }
@@ -784,7 +786,7 @@ bool cfg80211_rx_mgmt_khz(struct wireles
 	data = buf + ieee80211_hdrlen(mgmt->frame_control);
 	data_len = len - ieee80211_hdrlen(mgmt->frame_control);
 
-	spin_lock_bh(&wdev->mgmt_registrations_lock);
+	spin_lock_bh(&rdev->mgmt_registrations_lock);
 
 	list_for_each_entry(reg, &wdev->mgmt_registrations, list) {
 		if (reg->frame_type != ftype)
@@ -808,7 +810,7 @@ bool cfg80211_rx_mgmt_khz(struct wireles
 		break;
 	}
 
-	spin_unlock_bh(&wdev->mgmt_registrations_lock);
+	spin_unlock_bh(&rdev->mgmt_registrations_lock);
 
 	trace_cfg80211_return_bool(result);
 	return result;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 031/125] net: lan78xx: fix division by zero in send path
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 030/125] cfg80211: fix management registrations locking Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 032/125] drm/amd/display: Require immediate flip support for DCN3.1 planes Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Woojung.Huh, Johan Hovold, David S. Miller

From: Johan Hovold <johan@kernel.org>

commit db6c3c064f5d55fa9969f33eafca3cdbefbb3541 upstream.

Add the missing endpoint max-packet sanity check to probe() to avoid
division by zero in lan78xx_tx_bh() in case a malicious device has
broken descriptors (or when doing descriptor fuzz testing).

Note that USB core will reject URBs submitted for endpoints with zero
wMaxPacketSize but that drivers doing packet-size calculations still
need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip
endpoint descriptors with maxpacket=0")).

Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
Cc: stable@vger.kernel.org      # 4.3
Cc: Woojung.Huh@microchip.com <Woojung.Huh@microchip.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/lan78xx.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -3734,6 +3734,12 @@ static int lan78xx_probe(struct usb_inte
 
 	dev->maxpacket = usb_maxpacket(dev->udev, dev->pipe_out, 1);
 
+	/* Reject broken descriptors. */
+	if (dev->maxpacket == 0) {
+		ret = -ENODEV;
+		goto out4;
+	}
+
 	/* driver requires remote-wakeup capability during autosuspend. */
 	intf->needs_remote_wakeup = 1;
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 032/125] drm/amd/display: Require immediate flip support for DCN3.1 planes
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 031/125] net: lan78xx: fix division by zero in send path Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 033/125] mm: hwpoison: remove the unnecessary THP check Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmytro Laktyushkin,
	Agustin Gutierrez Sanchez, Nicholas Kazlauskas, Daniel Wheeler,
	Alex Deucher

From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>

commit 672437486ee9da3ed0e774937e6d0dd570921b39 upstream.

[Why]
Immediate flip can be enabled dynamically and has higher BW requirements
when validating which voltage mode to use.

If we validate when it's not set then potentially DCFCLK will be too low
and we will underflow.

[How]
DM always requires support so always require it as part of DML input
parameters.

This can't be enabled unconditionally on older ASIC because it blocks
some expected modes so only target DCN3.1 for now.

Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
@@ -1591,6 +1591,13 @@ static int dcn31_populate_dml_pipes_from
 		pipe = &res_ctx->pipe_ctx[i];
 		timing = &pipe->stream->timing;
 
+		/*
+		 * Immediate flip can be set dynamically after enabling the plane.
+		 * We need to require support for immediate flip or underflow can be
+		 * intermittently experienced depending on peak b/w requirements.
+		 */
+		pipes[pipe_cnt].pipe.src.immediate_flip = true;
+
 		pipes[pipe_cnt].pipe.src.unbounded_req_mode = false;
 		pipes[pipe_cnt].pipe.src.gpuvm = true;
 		pipes[pipe_cnt].pipe.src.dcc_fraction_of_zs_req_luma = 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 033/125] mm: hwpoison: remove the unnecessary THP check
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 032/125] drm/amd/display: Require immediate flip support for DCN3.1 planes Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 034/125] mm: filemap: check if THP has hwpoisoned subpage for PMD page fault Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Shi, Naoya Horiguchi,
	Hugh Dickins, Kirill A. Shutemov, Matthew Wilcox, Oscar Salvador,
	Peter Xu, Andrew Morton, Linus Torvalds

From: Yang Shi <shy828301@gmail.com>

commit c7cb42e94473aafe553c0f2a3d8ca904599399ed upstream.

When handling THP hwpoison checked if the THP is in allocation or free
stage since hwpoison may mistreat it as hugetlb page.  After commit
415c64c1453a ("mm/memory-failure: split thp earlier in memory error
handling") the problem has been fixed, so this check is no longer
needed.  Remove it.  The side effect of the removal is hwpoison may
report unsplit THP instead of unknown error for shmem THP.  It seems not
like a big deal.

The following patch "mm: filemap: check if THP has hwpoisoned subpage
for PMD page fault" depends on this, which fixes shmem THP with
hwpoisoned subpage(s) are mapped PMD wrongly.  So this patch needs to be
backported to -stable as well.

Link: https://lkml.kernel.org/r/20211020210755.23964-2-shy828301@gmail.com
Signed-off-by: Yang Shi <shy828301@gmail.com>
Suggested-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Acked-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/memory-failure.c |   14 --------------
 1 file changed, 14 deletions(-)

--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1148,20 +1148,6 @@ static int __get_hwpoison_page(struct pa
 	if (!HWPoisonHandlable(head))
 		return -EBUSY;
 
-	if (PageTransHuge(head)) {
-		/*
-		 * Non anonymous thp exists only in allocation/free time. We
-		 * can't handle such a case correctly, so let's give it up.
-		 * This should be better than triggering BUG_ON when kernel
-		 * tries to touch the "partially handled" page.
-		 */
-		if (!PageAnon(head)) {
-			pr_err("Memory failure: %#lx: non anonymous thp\n",
-				page_to_pfn(page));
-			return 0;
-		}
-	}
-
 	if (get_page_unless_zero(head)) {
 		if (head == compound_head(page))
 			return 1;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 034/125] mm: filemap: check if THP has hwpoisoned subpage for PMD page fault
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 033/125] mm: hwpoison: remove the unnecessary THP check Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 035/125] mm, thp: bail out early in collapse_file for writeback page Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Shi, Naoya Horiguchi,
	Kirill A. Shutemov, Hugh Dickins, Matthew Wilcox, Oscar Salvador,
	Peter Xu, Andrew Morton, Linus Torvalds

From: Yang Shi <shy828301@gmail.com>

commit eac96c3efdb593df1a57bb5b95dbe037bfa9a522 upstream.

When handling shmem page fault the THP with corrupted subpage could be
PMD mapped if certain conditions are satisfied.  But kernel is supposed
to send SIGBUS when trying to map hwpoisoned page.

There are two paths which may do PMD map: fault around and regular
fault.

Before commit f9ce0be71d1f ("mm: Cleanup faultaround and finish_fault()
codepaths") the thing was even worse in fault around path.  The THP
could be PMD mapped as long as the VMA fits regardless what subpage is
accessed and corrupted.  After this commit as long as head page is not
corrupted the THP could be PMD mapped.

In the regular fault path the THP could be PMD mapped as long as the
corrupted page is not accessed and the VMA fits.

This loophole could be fixed by iterating every subpage to check if any
of them is hwpoisoned or not, but it is somewhat costly in page fault
path.

So introduce a new page flag called HasHWPoisoned on the first tail
page.  It indicates the THP has hwpoisoned subpage(s).  It is set if any
subpage of THP is found hwpoisoned by memory failure and after the
refcount is bumped successfully, then cleared when the THP is freed or
split.

The soft offline path doesn't need this since soft offline handler just
marks a subpage hwpoisoned when the subpage is migrated successfully.
But shmem THP didn't get split then migrated at all.

Link: https://lkml.kernel.org/r/20211020210755.23964-3-shy828301@gmail.com
Fixes: 800d8c63b2e9 ("shmem: add huge pages support")
Signed-off-by: Yang Shi <shy828301@gmail.com>
Reviewed-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
Suggested-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Oscar Salvador <osalvador@suse.de>
Cc: Peter Xu <peterx@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/page-flags.h |   23 +++++++++++++++++++++++
 mm/huge_memory.c           |    2 ++
 mm/memory-failure.c        |   14 ++++++++++++++
 mm/memory.c                |    9 +++++++++
 mm/page_alloc.c            |    4 +++-
 5 files changed, 51 insertions(+), 1 deletion(-)

--- a/include/linux/page-flags.h
+++ b/include/linux/page-flags.h
@@ -171,6 +171,15 @@ enum pageflags {
 	/* Compound pages. Stored in first tail page's flags */
 	PG_double_map = PG_workingset,
 
+#ifdef CONFIG_MEMORY_FAILURE
+	/*
+	 * Compound pages. Stored in first tail page's flags.
+	 * Indicates that at least one subpage is hwpoisoned in the
+	 * THP.
+	 */
+	PG_has_hwpoisoned = PG_mappedtodisk,
+#endif
+
 	/* non-lru isolated movable page */
 	PG_isolated = PG_reclaim,
 
@@ -703,6 +712,20 @@ PAGEFLAG_FALSE(DoubleMap)
 	TESTSCFLAG_FALSE(DoubleMap)
 #endif
 
+#if defined(CONFIG_MEMORY_FAILURE) && defined(CONFIG_TRANSPARENT_HUGEPAGE)
+/*
+ * PageHasHWPoisoned indicates that at least one subpage is hwpoisoned in the
+ * compound page.
+ *
+ * This flag is set by hwpoison handler.  Cleared by THP split or free page.
+ */
+PAGEFLAG(HasHWPoisoned, has_hwpoisoned, PF_SECOND)
+	TESTSCFLAG(HasHWPoisoned, has_hwpoisoned, PF_SECOND)
+#else
+PAGEFLAG_FALSE(HasHWPoisoned)
+	TESTSCFLAG_FALSE(HasHWPoisoned)
+#endif
+
 /*
  * Check if a page is currently marked HWPoisoned. Note that this check is
  * best effort only and inherently racy: there is no way to synchronize with
--- a/mm/huge_memory.c
+++ b/mm/huge_memory.c
@@ -2452,6 +2452,8 @@ static void __split_huge_page(struct pag
 	/* lock lru list/PageCompound, ref frozen by page_ref_freeze */
 	lruvec = lock_page_lruvec(head);
 
+	ClearPageHasHWPoisoned(head);
+
 	for (i = nr - 1; i >= 1; i--) {
 		__split_huge_page_tail(head, i, lruvec, list);
 		/* Some pages can be beyond i_size: drop them from page cache */
--- a/mm/memory-failure.c
+++ b/mm/memory-failure.c
@@ -1694,6 +1694,20 @@ try_again:
 	}
 
 	if (PageTransHuge(hpage)) {
+		/*
+		 * The flag must be set after the refcount is bumped
+		 * otherwise it may race with THP split.
+		 * And the flag can't be set in get_hwpoison_page() since
+		 * it is called by soft offline too and it is just called
+		 * for !MF_COUNT_INCREASE.  So here seems to be the best
+		 * place.
+		 *
+		 * Don't need care about the above error handling paths for
+		 * get_hwpoison_page() since they handle either free page
+		 * or unhandlable page.  The refcount is bumped iff the
+		 * page is a valid handlable page.
+		 */
+		SetPageHasHWPoisoned(hpage);
 		if (try_to_split_thp_page(p, "Memory Failure") < 0) {
 			action_result(pfn, MF_MSG_UNSPLIT_THP, MF_IGNORED);
 			res = -EBUSY;
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -3906,6 +3906,15 @@ vm_fault_t do_set_pmd(struct vm_fault *v
 		return ret;
 
 	/*
+	 * Just backoff if any subpage of a THP is corrupted otherwise
+	 * the corrupted page may mapped by PMD silently to escape the
+	 * check.  This kind of THP just can be PTE mapped.  Access to
+	 * the corrupted subpage should trigger SIGBUS as expected.
+	 */
+	if (unlikely(PageHasHWPoisoned(page)))
+		return ret;
+
+	/*
 	 * Archs like ppc64 need additional space to store information
 	 * related to pte entry. Use the preallocated table for that.
 	 */
--- a/mm/page_alloc.c
+++ b/mm/page_alloc.c
@@ -1320,8 +1320,10 @@ static __always_inline bool free_pages_p
 
 		VM_BUG_ON_PAGE(compound && compound_order(page) != order, page);
 
-		if (compound)
+		if (compound) {
 			ClearPageDoubleMap(page);
+			ClearPageHasHWPoisoned(page);
+		}
 		for (i = 1; i < (1 << order); i++) {
 			if (compound)
 				bad += free_tail_pages_check(page, page + i);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 035/125] mm, thp: bail out early in collapse_file for writeback page
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 034/125] mm: filemap: check if THP has hwpoisoned subpage for PMD page fault Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 036/125] mm: khugepaged: skip huge page collapse for special files Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rongwei Wang, Xu Yu, Yang Shi,
	Matthew Wilcox (Oracle),
	Kirill A. Shutemov, Song Liu, William Kucharski, Hugh Dickins,
	Mike Kravetz, Andrew Morton, Linus Torvalds

From: Rongwei Wang <rongwei.wang@linux.alibaba.com>

commit 74c42e1baacf206338b1dd6b6199ac964512b5bb upstream.

Currently collapse_file does not explicitly check PG_writeback, instead,
page_has_private and try_to_release_page are used to filter writeback
pages.  This does not work for xfs with blocksize equal to or larger
than pagesize, because in such case xfs has no page->private.

This makes collapse_file bail out early for writeback page.  Otherwise,
xfs end_page_writeback will panic as follows.

  page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:ffff0003f88c86a8 index:0x0 pfn:0x84ef32
  aops:xfs_address_space_operations [xfs] ino:30000b7 dentry name:"libtest.so"
  flags: 0x57fffe0000008027(locked|referenced|uptodate|active|writeback)
  raw: 57fffe0000008027 ffff80001b48bc28 ffff80001b48bc28 ffff0003f88c86a8
  raw: 0000000000000000 0000000000000000 00000000ffffffff ffff0000c3e9a000
  page dumped because: VM_BUG_ON_PAGE(((unsigned int) page_ref_count(page) + 127u <= 127u))
  page->mem_cgroup:ffff0000c3e9a000
  ------------[ cut here ]------------
  kernel BUG at include/linux/mm.h:1212!
  Internal error: Oops - BUG: 0 [#1] SMP
  Modules linked in:
  BUG: Bad page state in process khugepaged  pfn:84ef32
   xfs(E)
  page:fffffe00201bcc80 refcount:0 mapcount:0 mapping:0 index:0x0 pfn:0x84ef32
   libcrc32c(E) rfkill(E) aes_ce_blk(E) crypto_simd(E) ...
  CPU: 25 PID: 0 Comm: swapper/25 Kdump: loaded Tainted: ...
  pstate: 60400005 (nZCv daif +PAN -UAO -TCO BTYPE=--)
  Call trace:
    end_page_writeback+0x1c0/0x214
    iomap_finish_page_writeback+0x13c/0x204
    iomap_finish_ioend+0xe8/0x19c
    iomap_writepage_end_bio+0x38/0x50
    bio_endio+0x168/0x1ec
    blk_update_request+0x278/0x3f0
    blk_mq_end_request+0x34/0x15c
    virtblk_request_done+0x38/0x74 [virtio_blk]
    blk_done_softirq+0xc4/0x110
    __do_softirq+0x128/0x38c
    __irq_exit_rcu+0x118/0x150
    irq_exit+0x1c/0x30
    __handle_domain_irq+0x8c/0xf0
    gic_handle_irq+0x84/0x108
    el1_irq+0xcc/0x180
    arch_cpu_idle+0x18/0x40
    default_idle_call+0x4c/0x1a0
    cpuidle_idle_call+0x168/0x1e0
    do_idle+0xb4/0x104
    cpu_startup_entry+0x30/0x9c
    secondary_start_kernel+0x104/0x180
  Code: d4210000 b0006161 910c8021 94013f4d (d4210000)
  ---[ end trace 4a88c6a074082f8c ]---
  Kernel panic - not syncing: Oops - BUG: Fatal exception in interrupt

Link: https://lkml.kernel.org/r/20211022023052.33114-1-rongwei.wang@linux.alibaba.com
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Rongwei Wang <rongwei.wang@linux.alibaba.com>
Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
Suggested-by: Yang Shi <shy828301@gmail.com>
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Reviewed-by: Yang Shi <shy828301@gmail.com>
Acked-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Song Liu <song@kernel.org>
Cc: William Kucharski <william.kucharski@oracle.com>
Cc: Hugh Dickins <hughd@google.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/khugepaged.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -1763,6 +1763,10 @@ static void collapse_file(struct mm_stru
 				filemap_flush(mapping);
 				result = SCAN_FAIL;
 				goto xa_unlocked;
+			} else if (PageWriteback(page)) {
+				xas_unlock_irq(&xas);
+				result = SCAN_FAIL;
+				goto xa_unlocked;
 			} else if (trylock_page(page)) {
 				get_page(page);
 				xas_unlock_irq(&xas);
@@ -1798,7 +1802,8 @@ static void collapse_file(struct mm_stru
 			goto out_unlock;
 		}
 
-		if (!is_shmem && PageDirty(page)) {
+		if (!is_shmem && (PageDirty(page) ||
+				  PageWriteback(page))) {
 			/*
 			 * khugepaged only works on read-only fd, so this
 			 * page is dirty because it hasn't been flushed



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 036/125] mm: khugepaged: skip huge page collapse for special files
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 035/125] mm, thp: bail out early in collapse_file for writeback page Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 037/125] arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2 Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hugh Dickins, Yang Shi, Hao Sun,
	syzbot+aae069be1de40fb11825, Matthew Wilcox, Kirill A. Shutemov,
	Song Liu, Andrea Righi, Andrew Morton, Linus Torvalds

From: Yang Shi <shy828301@gmail.com>

commit a4aeaa06d45e90f9b279f0b09de84bd00006e733 upstream.

The read-only THP for filesystems will collapse THP for files opened
readonly and mapped with VM_EXEC.  The intended usecase is to avoid TLB
misses for large text segments.  But it doesn't restrict the file types
so a THP could be collapsed for a non-regular file, for example, block
device, if it is opened readonly and mapped with EXEC permission.  This
may cause bugs, like [1] and [2].

This is definitely not the intended usecase, so just collapse THP for
regular files in order to close the attack surface.

[shy828301@gmail.com: fix vm_file check [3]]

Link: https://lore.kernel.org/lkml/CACkBjsYwLYLRmX8GpsDpMthagWOjWWrNxqY6ZLNQVr6yx+f5vA@mail.gmail.com/ [1]
Link: https://lore.kernel.org/linux-mm/000000000000c6a82505ce284e4c@google.com/ [2]
Link: https://lkml.kernel.org/r/CAHbLzkqTW9U3VvTu1Ki5v_cLRC9gHW+znBukg_ycergE0JWj-A@mail.gmail.com [3]
Link: https://lkml.kernel.org/r/20211027195221.3825-1-shy828301@gmail.com
Fixes: 99cb0dbd47a1 ("mm,thp: add read-only THP support for (non-shmem) FS")
Signed-off-by: Hugh Dickins <hughd@google.com>
Signed-off-by: Yang Shi <shy828301@gmail.com>
Reported-by: Hao Sun <sunhao.th@gmail.com>
Reported-by: syzbot+aae069be1de40fb11825@syzkaller.appspotmail.com
Cc: Matthew Wilcox <willy@infradead.org>
Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Andrea Righi <andrea.righi@canonical.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/khugepaged.c |   19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

--- a/mm/khugepaged.c
+++ b/mm/khugepaged.c
@@ -445,22 +445,25 @@ static bool hugepage_vma_check(struct vm
 	if (!transhuge_vma_enabled(vma, vm_flags))
 		return false;
 
+	if (vma->vm_file && !IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) -
+				vma->vm_pgoff, HPAGE_PMD_NR))
+		return false;
+
 	/* Enabled via shmem mount options or sysfs settings. */
-	if (shmem_file(vma->vm_file) && shmem_huge_enabled(vma)) {
-		return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff,
-				HPAGE_PMD_NR);
-	}
+	if (shmem_file(vma->vm_file))
+		return shmem_huge_enabled(vma);
 
 	/* THP settings require madvise. */
 	if (!(vm_flags & VM_HUGEPAGE) && !khugepaged_always())
 		return false;
 
-	/* Read-only file mappings need to be aligned for THP to work. */
+	/* Only regular file is valid */
 	if (IS_ENABLED(CONFIG_READ_ONLY_THP_FOR_FS) && vma->vm_file &&
-	    !inode_is_open_for_write(vma->vm_file->f_inode) &&
 	    (vm_flags & VM_EXEC)) {
-		return IS_ALIGNED((vma->vm_start >> PAGE_SHIFT) - vma->vm_pgoff,
-				HPAGE_PMD_NR);
+		struct inode *inode = vma->vm_file->f_inode;
+
+		return !inode_is_open_for_write(inode) &&
+			S_ISREG(inode->i_mode);
 	}
 
 	if (!vma->anon_vma || vma->vm_ops)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 037/125] arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 036/125] mm: khugepaged: skip huge page collapse for special files Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 038/125] arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 6562d6e350284307e33ea10c7f46a6661ff22770 upstream.

The regulator reg_rst_eth2 should keep the reset signal of the USB ethernet
adapter deasserted anytime. Fix the polarity and mark it as always-on.

Anyway, using the regulator is only a workaround for the missing support of
specifying a reset GPIO for USB devices in a generic way. As we don't
have a solution for this at the moment, at least fix the current
workaround.

Fixes: 8668d8b2e67f ("arm64: dts: Add the Kontron i.MX8M Mini SoMs and baseboards")
Cc: stable@vger.kernel.org
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
@@ -70,7 +70,9 @@
 		regulator-name = "rst-usb-eth2";
 		pinctrl-names = "default";
 		pinctrl-0 = <&pinctrl_usb_eth2>;
-		gpio = <&gpio3 2 GPIO_ACTIVE_LOW>;
+		gpio = <&gpio3 2 GPIO_ACTIVE_HIGH>;
+		enable-active-high;
+		regulator-always-on;
 	};
 
 	reg_vdd_5v: regulator-5v {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 038/125] arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 037/125] arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2 Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 039/125] arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit ca6f9d85d5944046a241b325700c1ca395651c28 upstream.

The MCP2515 can be used with an SPI clock of up to 10 MHz. Set the
limit accordingly to prevent any performance issues caused by the
really low clock speed of 100 kHz.

This removes the arbitrarily low limit on the SPI frequency, that was
caused by a typo in the original dts.

Without this change, receiving CAN messages on the board beyond a
certain bitrate will cause overrun errors (see 'ip -det -stat link show
can0').

With this fix, receiving messages on the bus works without any overrun
errors for bitrates up to 1 MBit.

Fixes: 8668d8b2e67f ("arm64: dts: Add the Kontron i.MX8M Mini SoMs and baseboards")
Cc: stable@vger.kernel.org
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
@@ -97,7 +97,7 @@
 		clocks = <&osc_can>;
 		interrupt-parent = <&gpio4>;
 		interrupts = <28 IRQ_TYPE_EDGE_FALLING>;
-		spi-max-frequency = <100000>;
+		spi-max-frequency = <10000000>;
 		vdd-supply = <&reg_vdd_3v3>;
 		xceiver-supply = <&reg_vdd_5v>;
 	};



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 039/125] arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 038/125] arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 040/125] arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 0b28c41e3c951ea3d4f012cfa9da5ebd6512cf6e upstream.

Previously we falsely relied on the PHY driver to unconditionally
enable the internal RX delay. Since the following fix for the PHY
driver this is not the case anymore:

commit 7b005a1742be ("net: phy: mscc: configure both RX and TX internal
delays for RGMII")

In order to enable the delay we need to set the connection type to
"rgmii-rxid". Without the RX delay the ethernet is not functional at
all.

Fixes: 8668d8b2e67f ("arm64: dts: Add the Kontron i.MX8M Mini SoMs and baseboards")
Cc: stable@vger.kernel.org
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-s.dts
@@ -113,7 +113,7 @@
 &fec1 {
 	pinctrl-names = "default";
 	pinctrl-0 = <&pinctrl_enet>;
-	phy-connection-type = "rgmii";
+	phy-connection-type = "rgmii-rxid";
 	phy-handle = <&ethphy>;
 	status = "okay";
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 040/125] arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 039/125] arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 041/125] arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are correct Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 256a24eba7f897c817fb0103dac73467d3789202 upstream.

According to the datasheet the typical value for VDD_SNVS should be
800 mV, so let's make sure that this is within the range of the
regulator.

Fixes: 8668d8b2e67f ("arm64: dts: Add the Kontron i.MX8M Mini SoMs and baseboards")
Cc: stable@vger.kernel.org
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
@@ -150,7 +150,7 @@
 
 			reg_vdd_snvs: LDO2 {
 				regulator-name = "ldo2";
-				regulator-min-microvolt = <850000>;
+				regulator-min-microvolt = <800000>;
 				regulator-max-microvolt = <900000>;
 				regulator-boot-on;
 				regulator-always-on;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 041/125] arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are correct
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 040/125] arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 042/125] mac80211: mesh: fix HE operation element length check Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Frieder Schrempf, Shawn Guo

From: Frieder Schrempf <frieder.schrempf@kontron.de>

commit 82a4f329b133ad0de66bee12c0be5c67bb8aa188 upstream.

It looks like the voltages for the SOC and DRAM supply weren't properly
validated before. The datasheet and uboot-imx code tells us that VDD_SOC
should be 800 mV in suspend and 850 mV in run mode. VDD_DRAM should be
950 mV for DDR clock frequencies of up to 1.5 GHz.

Let's fix these values to make sure the voltages are within the required
range.

Fixes: 8668d8b2e67f ("arm64: dts: Add the Kontron i.MX8M Mini SoMs and baseboards")
Cc: stable@vger.kernel.org
Signed-off-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mm-kontron-n801x-som.dtsi
@@ -91,10 +91,12 @@
 			reg_vdd_soc: BUCK1 {
 				regulator-name = "buck1";
 				regulator-min-microvolt = <800000>;
-				regulator-max-microvolt = <900000>;
+				regulator-max-microvolt = <850000>;
 				regulator-boot-on;
 				regulator-always-on;
 				regulator-ramp-delay = <3125>;
+				nxp,dvs-run-voltage = <850000>;
+				nxp,dvs-standby-voltage = <800000>;
 			};
 
 			reg_vdd_arm: BUCK2 {
@@ -111,7 +113,7 @@
 			reg_vdd_dram: BUCK3 {
 				regulator-name = "buck3";
 				regulator-min-microvolt = <850000>;
-				regulator-max-microvolt = <900000>;
+				regulator-max-microvolt = <950000>;
 				regulator-boot-on;
 				regulator-always-on;
 			};



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 042/125] mac80211: mesh: fix HE operation element length check
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 041/125] arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are correct Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 043/125] drm/ttm: fix memleak in ttm_transfered_destroy Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit 636707e593120c9fa35f6a908c0d052f6154910d upstream.

The length check here was bad, if the length doesn't at
least include the length of the fixed part, we cannot
call ieee80211_he_oper_size() to determine the total.
Fix this, and convert to cfg80211_find_ext_elem() while
at it.

Cc: stable@vger.kernel.org
Fixes: 70debba3ab7d ("mac80211: save HE oper info in BSS config for mesh")
Link: https://lore.kernel.org/r/20210930131120.b0f940976c56.I954e1be55e9f87cc303165bff5c906afe1e54648@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/mesh.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/net/mac80211/mesh.c
+++ b/net/mac80211/mesh.c
@@ -672,7 +672,7 @@ ieee80211_mesh_update_bss_params(struct
 				 u8 *ie, u8 ie_len)
 {
 	struct ieee80211_supported_band *sband;
-	const u8 *cap;
+	const struct element *cap;
 	const struct ieee80211_he_operation *he_oper = NULL;
 
 	sband = ieee80211_get_sband(sdata);
@@ -687,9 +687,10 @@ ieee80211_mesh_update_bss_params(struct
 
 	sdata->vif.bss_conf.he_support = true;
 
-	cap = cfg80211_find_ext_ie(WLAN_EID_EXT_HE_OPERATION, ie, ie_len);
-	if (cap && cap[1] >= ieee80211_he_oper_size(&cap[3]))
-		he_oper = (void *)(cap + 3);
+	cap = cfg80211_find_ext_elem(WLAN_EID_EXT_HE_OPERATION, ie, ie_len);
+	if (cap && cap->datalen >= 1 + sizeof(*he_oper) &&
+	    cap->datalen >= 1 + ieee80211_he_oper_size(cap->data + 1))
+		he_oper = (void *)(cap->data + 1);
 
 	if (he_oper)
 		sdata->vif.bss_conf.he_oper.params =



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 043/125] drm/ttm: fix memleak in ttm_transfered_destroy
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 042/125] mac80211: mesh: fix HE operation element length check Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 044/125] drm/i915: Convert unconditional clflush to drm_clflush_virt_range() Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian König, Erhard F., Huang Rui

From: Christian König <christian.koenig@amd.com>

commit 0db55f9a1bafbe3dac750ea669de9134922389b5 upstream.

We need to cleanup the fences for ghost objects as well.

Signed-off-by: Christian König <christian.koenig@amd.com>
Reported-by: Erhard F. <erhard_f@mailbox.org>
Tested-by: Erhard F. <erhard_f@mailbox.org>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214029
Bug: https://bugzilla.kernel.org/show_bug.cgi?id=214447
CC: <stable@vger.kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20211020173211.2247-1-christian.koenig@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/ttm/ttm_bo_util.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/gpu/drm/ttm/ttm_bo_util.c
+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c
@@ -190,6 +190,7 @@ static void ttm_transfered_destroy(struc
 	struct ttm_transfer_obj *fbo;
 
 	fbo = container_of(bo, struct ttm_transfer_obj, base);
+	dma_resv_fini(&fbo->base.base._resv);
 	ttm_bo_put(fbo->bo);
 	kfree(fbo);
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 044/125] drm/i915: Convert unconditional clflush to drm_clflush_virt_range()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 043/125] drm/ttm: fix memleak in ttm_transfered_destroy Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 045/125] drm/i915: Catch yet another unconditioal clflush Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten Lankhorst,
	Ville Syrjälä,
	Dave Airlie, Jani Nikula, Thomas Hellström

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit fcf918ffd3b35e288097036c04af7446b2c6f2f1 upstream.

This one is apparently a "clflush for good measure", so bit more
justification (if you can call it that) than some of the others.
Convert to drm_clflush_virt_range() again so that machines without
clflush will survive the ordeal.

Cc: stable@vger.kernel.org
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Thomas Hellström <thomas.hellstrom@intel.com> #v1
Fixes: 12ca695d2c1e ("drm/i915: Do not share hwsp across contexts any more, v8.")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211014090941.12159-3-ville.syrjala@linux.intel.com
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit af7b6d234eefa30c461cc16912bafb32b9e6141c)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gt/intel_timeline.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/gt/intel_timeline.c
+++ b/drivers/gpu/drm/i915/gt/intel_timeline.c
@@ -225,7 +225,7 @@ void intel_timeline_reset_seqno(const st
 
 	memset(hwsp_seqno + 1, 0, TIMELINE_SEQNO_BYTES - sizeof(*hwsp_seqno));
 	WRITE_ONCE(*hwsp_seqno, tl->seqno);
-	clflush(hwsp_seqno);
+	drm_clflush_virt_range(hwsp_seqno, TIMELINE_SEQNO_BYTES);
 }
 
 void intel_timeline_enter(struct intel_timeline *tl)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 045/125] drm/i915: Catch yet another unconditioal clflush
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 044/125] drm/i915: Convert unconditional clflush to drm_clflush_virt_range() Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:16 ` [PATCH 5.14 046/125] drm/i915/dp: Skip the HW readout of DPCD on disabled encoders Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten Lankhorst,
	Thomas Hellström, Ville Syrjälä,
	Dave Airlie, Jani Nikula

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit 9761ffb8f1090289b908590039e2c363cc35cf45 upstream.

Replace the unconditional clflush() with drm_clflush_virt_range()
which does the wbinvd() fallback when clflush is not available.

This time no justification is given for the clflush in the
offending commit.

Cc: stable@vger.kernel.org
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Fixes: 2c8ab3339e39 ("drm/i915: Pin timeline map after first timeline pin, v4.")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211014090941.12159-4-ville.syrjala@linux.intel.com
Reviewed-by: Dave Airlie <airlied@redhat.com>
(cherry picked from commit 9ced12182d0d8401d821e9602e56e276459900fc)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/gt/intel_timeline.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/i915/gt/intel_timeline.c
+++ b/drivers/gpu/drm/i915/gt/intel_timeline.c
@@ -64,7 +64,7 @@ intel_timeline_pin_map(struct intel_time
 
 	timeline->hwsp_map = vaddr;
 	timeline->hwsp_seqno = memset(vaddr + ofs, 0, TIMELINE_SEQNO_BYTES);
-	clflush(vaddr + ofs);
+	drm_clflush_virt_range(vaddr + ofs, TIMELINE_SEQNO_BYTES);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 046/125] drm/i915/dp: Skip the HW readout of DPCD on disabled encoders
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 045/125] drm/i915: Catch yet another unconditioal clflush Greg Kroah-Hartman
@ 2021-11-01  9:16 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 047/125] drm/amdgpu: Fix even more out of bound writes from debugfs Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:16 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mat Jonczyk,
	José Roberto de Souza, Jani Nikula, Ville Syrjälä,
	Imre Deak

From: Imre Deak <imre.deak@intel.com>

commit 6e6f96630805874fa80b0067e1a57aafc06225f6 upstream.

Reading out the DP encoders' DPCD during booting or resume is only
required for enabled encoders: such encoders may be modesetted during
the initial commit and the link training this involves depends on an
initialized DPCD. For DDI encoders reading out the DPCD is skipped, do
the same on pre-DDI platforms.

Atm, the first DPCD readout without a sink connected - which is a likely
scneario if the encoder is disabled - leaves intel_dp->num_common_rates
at 0, which resulted in

intel_dp_sync_state()->intel_dp_max_common_rate()

in a

intel_dp->common_rates[-1]

access. This by definition results in an undefined behaviour, though to
my best knowledge in all HW/compiler configurations it actually results
in accessing the array item type value preceding the array. In this
case the preceding value happens to be intel_dp->num_common_rates,
which is 0, so this issue - by luck - didn't cause a user visible
problem.

Nevertheless it's still an undefined behaviour and in CONFIG_UBSAN
builds leads to a kernel BUG() (which revealed this problem for us),
hence CC:stable.

A related problem in case the encoder is enabled but the sink is not
connected or the DPCD readout fails is fixed by the next patch.

v2: Amend the commit message describing the root cause of the
    CONFIG_UBSAN BUG().

Fixes: a532cde31de3 ("drm/i915/tc: Fix TypeC port init/resume time sanitization")
Reported-and-tested-by: Mat Jonczyk <mat.jonczyk@o2.pl>
Cc: Mat Jonczyk <mat.jonczyk@o2.pl>
Cc: José Roberto de Souza <jose.souza@intel.com>
Cc: Jani Nikula <jani.nikula@intel.com>
Cc: Ville Syrjälä <ville.syrjala@linux.intel.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Imre Deak <imre.deak@intel.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Acked-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211018094154.1407705-2-imre.deak@intel.com
(cherry picked from commit 4ec5ffc341cecbea060739aea1d53398ac2ec3f8)
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_dp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -1924,6 +1924,9 @@ void intel_dp_sync_state(struct intel_en
 {
 	struct intel_dp *intel_dp = enc_to_intel_dp(encoder);
 
+	if (!crtc_state)
+		return;
+
 	/*
 	 * Don't clobber DPCD if it's been already read out during output
 	 * setup (eDP) or detect.



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 047/125] drm/amdgpu: Fix even more out of bound writes from debugfs
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-11-01  9:16 ` [PATCH 5.14 046/125] drm/i915/dp: Skip the HW readout of DPCD on disabled encoders Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 048/125] drm/amdgpu: fix out of bounds write Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Patrik Jakobsson, Harry Wentland,
	Alex Deucher

From: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>

commit 3f4e54bd312d3dafb59daf2b97ffa08abebe60f5 upstream.

CVE-2021-42327 was fixed by:

commit f23750b5b3d98653b31d4469592935ef6364ad67
Author: Thelford Williams <tdwilliamsiv@gmail.com>
Date:   Wed Oct 13 16:04:13 2021 -0400

    drm/amdgpu: fix out of bounds write

but amdgpu_dm_debugfs.c contains more of the same issue so fix the
remaining ones.

v2:
	* Add missing fix in dp_max_bpc_write (Harry Wentland)

Fixes: 918698d5c2b5 ("drm/amd/display: Return the number of bytes parsed than allocated")
Signed-off-by: Patrik Jakobsson <pjakobsson@suse.de>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c |   18 +++++++-------
 1 file changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -487,7 +487,7 @@ static ssize_t dp_phy_settings_write(str
 	if (!wr_buf)
 		return -ENOSPC;
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   (long *)param, buf,
 					   max_param_num,
 					   &param_nums)) {
@@ -639,7 +639,7 @@ static ssize_t dp_phy_test_pattern_debug
 	if (!wr_buf)
 		return -ENOSPC;
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   (long *)param, buf,
 					   max_param_num,
 					   &param_nums)) {
@@ -914,7 +914,7 @@ static ssize_t dp_dsc_passthrough_set(st
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   &param, buf,
 					   max_param_num,
 					   &param_nums)) {
@@ -1211,7 +1211,7 @@ static ssize_t trigger_hotplug(struct fi
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 						(long *)param, buf,
 						max_param_num,
 						&param_nums)) {
@@ -1396,7 +1396,7 @@ static ssize_t dp_dsc_clock_en_write(str
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					    (long *)param, buf,
 					    max_param_num,
 					    &param_nums)) {
@@ -1581,7 +1581,7 @@ static ssize_t dp_dsc_slice_width_write(
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					    (long *)param, buf,
 					    max_param_num,
 					    &param_nums)) {
@@ -1766,7 +1766,7 @@ static ssize_t dp_dsc_slice_height_write
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					    (long *)param, buf,
 					    max_param_num,
 					    &param_nums)) {
@@ -1944,7 +1944,7 @@ static ssize_t dp_dsc_bits_per_pixel_wri
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					    (long *)param, buf,
 					    max_param_num,
 					    &param_nums)) {
@@ -2382,7 +2382,7 @@ static ssize_t dp_max_bpc_write(struct f
 		return -ENOSPC;
 	}
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   (long *)param, buf,
 					   max_param_num,
 					   &param_nums)) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 048/125] drm/amdgpu: fix out of bounds write
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 047/125] drm/amdgpu: Fix even more out of bound writes from debugfs Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 049/125] drm/amdgpu: support B0&B1 external revision id for yellow carp Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Thelford Williams, Alex Deucher

From: Thelford Williams <tdwilliamsiv@gmail.com>

commit 5afa7898ab7a0ec9c28556a91df714bf3c2f725e upstream.

Size can be any value and is user controlled resulting in overwriting the
40 byte array wr_buf with an arbitrary length of data from buf.

Signed-off-by: Thelford Williams <tdwilliamsiv@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_debugfs.c
@@ -263,7 +263,7 @@ static ssize_t dp_link_settings_write(st
 	if (!wr_buf)
 		return -ENOSPC;
 
-	if (parse_write_buffer_into_params(wr_buf, size,
+	if (parse_write_buffer_into_params(wr_buf, wr_buf_size,
 					   (long *)param, buf,
 					   max_param_num,
 					   &param_nums)) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 049/125] drm/amdgpu: support B0&B1 external revision id for yellow carp
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 048/125] drm/amdgpu: fix out of bounds write Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 050/125] drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1 Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaron Liu, Huang Rui, Alex Deucher

From: Aaron Liu <aaron.liu@amd.com>

commit 53c2ff8bcb06acd07e24a62e7f5a0247bd7c6f67 upstream.

B0 internal rev_id is 0x01, B1 internal rev_id is 0x02.
The external rev_id for B0 and B1 is 0x20.
The original expression is not suitable for B1.

v2: squash in fix for display code (Alex)

Signed-off-by: Aaron Liu <aaron.liu@amd.com>
Reviewed-by: Huang Rui <ray.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/nv.c                   |    2 +-
 drivers/gpu/drm/amd/display/include/dal_asic_id.h |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/nv.c
+++ b/drivers/gpu/drm/amd/amdgpu/nv.c
@@ -1237,7 +1237,7 @@ static int nv_common_early_init(void *ha
 			AMD_PG_SUPPORT_VCN_DPG |
 			AMD_PG_SUPPORT_JPEG;
 		if (adev->pdev->device == 0x1681)
-			adev->external_rev_id = adev->rev_id + 0x19;
+			adev->external_rev_id = 0x20;
 		else
 			adev->external_rev_id = adev->rev_id + 0x01;
 		break;
--- a/drivers/gpu/drm/amd/display/include/dal_asic_id.h
+++ b/drivers/gpu/drm/amd/display/include/dal_asic_id.h
@@ -227,7 +227,7 @@ enum {
 #define FAMILY_YELLOW_CARP                     146
 
 #define YELLOW_CARP_A0 0x01
-#define YELLOW_CARP_B0 0x1A
+#define YELLOW_CARP_B0 0x20
 #define YELLOW_CARP_UNKNOWN 0xFF
 
 #ifndef ASICREV_IS_YELLOW_CARP



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 050/125] drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 049/125] drm/amdgpu: support B0&B1 external revision id for yellow carp Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 051/125] drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1 Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aric Cyr, Agustin Gutierrez Sanchez,
	Nikola Cornij, Daniel Wheeler, Alex Deucher

From: Nikola Cornij <nikola.cornij@amd.com>

commit c21b105380cf86e829c68586ca1315cfc253ad8c upstream.

[why]
The requirement is that image width up to 4096 shall be supported

Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
@@ -928,7 +928,7 @@ static const struct dc_debug_options deb
 	.disable_dcc = DCC_ENABLE,
 	.vsr_support = true,
 	.performance_trace = false,
-	.max_downscale_src_width = 3840,/*upto 4K*/
+	.max_downscale_src_width = 4096,/*upto true 4K*/
 	.disable_pplib_wm_range = false,
 	.scl_reset_length10 = true,
 	.sanity_checks = false,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 051/125] drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 050/125] drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 052/125] drm/amd/display: increase Z9 latency to workaround underflow in Z9 Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dmytro Laktyushkin,
	Agustin Gutierrez Sanchez, Nicholas Kazlauskas, Daniel Wheeler,
	Alex Deucher

From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>

commit c938aed88f8259dc913b717a32319101c66e87a9 upstream.

[Why]
Prefetch BW calculated is lower than the DML reference because of a
porting error that's excluding cursor and row bandwidth from the
pixel data bandwidth.

[How]
Change the dml_max4 to dml_max3 and include cursor and row bandwidth
in the same calculation as the rest of the pixel data during vactive.

Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn31/display_mode_vba_31.c
@@ -5399,9 +5399,9 @@ void dml31_ModeSupportAndSystemConfigura
 
 					v->MaximumReadBandwidthWithPrefetch =
 							v->MaximumReadBandwidthWithPrefetch
-									+ dml_max4(
-											v->VActivePixelBandwidth[i][j][k],
-											v->VActiveCursorBandwidth[i][j][k]
+									+ dml_max3(
+											v->VActivePixelBandwidth[i][j][k]
+													+ v->VActiveCursorBandwidth[i][j][k]
 													+ v->NoOfDPP[i][j][k]
 															* (v->meta_row_bandwidth[i][j][k]
 																	+ v->dpte_row_bandwidth[i][j][k]),



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 052/125] drm/amd/display: increase Z9 latency to workaround underflow in Z9
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 051/125] drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 053/125] drm/amd/display: Increase watermark latencies for DCN3.1 Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Kazlauskas,
	Agustin Gutierrez Sanchez, Eric Yang, Daniel Wheeler,
	Alex Deucher

From: Eric Yang <Eric.Yang2@amd.com>

commit 4835ea6c173a8d8dfbfdbb21c4cd987d12681610 upstream.

[Why]
Z9 latency is higher than when we originally tuned the watermark
parameters, causing underflow. Increasing the value until the latency
issues is resolved.

Reviewed-by: Nicholas Kazlauskas <Nicholas.Kazlauskas@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Eric Yang <Eric.Yang2@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_resource.c
@@ -217,8 +217,8 @@ struct _vcs_dpi_soc_bounding_box_st dcn3
 	.num_states = 5,
 	.sr_exit_time_us = 9.0,
 	.sr_enter_plus_exit_time_us = 11.0,
-	.sr_exit_z8_time_us = 402.0,
-	.sr_enter_plus_exit_z8_time_us = 520.0,
+	.sr_exit_z8_time_us = 442.0,
+	.sr_enter_plus_exit_z8_time_us = 560.0,
 	.writeback_latency_us = 12.0,
 	.dram_channel_width_bytes = 4,
 	.round_trip_ping_latency_dcfclk_cycles = 106,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 053/125] drm/amd/display: Increase watermark latencies for DCN3.1
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 052/125] drm/amd/display: increase Z9 latency to workaround underflow in Z9 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 054/125] drm/amd/display: Moved dccg init to after bios golden init Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ahmad Othman,
	Agustin Gutierrez Sanchez, Nikola Cornij, Daniel Wheeler,
	Alex Deucher

From: Nikola Cornij <nikola.cornij@amd.com>

commit dd8cb18906d97b2916fde42d32d915ae363c7e55 upstream.

[why]
The original latencies were causing underflow in some modes

[how]
Replace with the up-to-date watermark values based on new measurments

Reviewed-by: Ahmad Othman <ahmad.othman@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Nikola Cornij <nikola.cornij@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c |   16 +++++------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
@@ -366,32 +366,32 @@ static struct wm_table lpddr5_wm_table =
 			.wm_inst = WM_A,
 			.wm_type = WM_TYPE_PSTATE_CHG,
 			.pstate_latency_us = 11.65333,
-			.sr_exit_time_us = 5.32,
-			.sr_enter_plus_exit_time_us = 6.38,
+			.sr_exit_time_us = 11.5,
+			.sr_enter_plus_exit_time_us = 14.5,
 			.valid = true,
 		},
 		{
 			.wm_inst = WM_B,
 			.wm_type = WM_TYPE_PSTATE_CHG,
 			.pstate_latency_us = 11.65333,
-			.sr_exit_time_us = 9.82,
-			.sr_enter_plus_exit_time_us = 11.196,
+			.sr_exit_time_us = 11.5,
+			.sr_enter_plus_exit_time_us = 14.5,
 			.valid = true,
 		},
 		{
 			.wm_inst = WM_C,
 			.wm_type = WM_TYPE_PSTATE_CHG,
 			.pstate_latency_us = 11.65333,
-			.sr_exit_time_us = 9.89,
-			.sr_enter_plus_exit_time_us = 11.24,
+			.sr_exit_time_us = 11.5,
+			.sr_enter_plus_exit_time_us = 14.5,
 			.valid = true,
 		},
 		{
 			.wm_inst = WM_D,
 			.wm_type = WM_TYPE_PSTATE_CHG,
 			.pstate_latency_us = 11.65333,
-			.sr_exit_time_us = 9.748,
-			.sr_enter_plus_exit_time_us = 11.102,
+			.sr_exit_time_us = 11.5,
+			.sr_enter_plus_exit_time_us = 14.5,
 			.valid = true,
 		},
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 054/125] drm/amd/display: Moved dccg init to after bios golden init
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 053/125] drm/amd/display: Increase watermark latencies for DCN3.1 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 055/125] drm/amd/display: Fallback to clocks which meet requested voltage on DCN31 Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aric Cyr, Eric Yang,
	Agustin Gutierrez Sanchez, Jake Wang, Daniel Wheeler,
	Alex Deucher

From: Jake Wang <haonan.wang2@amd.com>

commit 2ef8ea23942f4c2569930c34e7689a0cb1b232cc upstream.

[Why]
bios_golden_init will override dccg_init during init_hw.

[How]
Move dccg_init to after bios_golden_init.

Reviewed-by: Aric Cyr <Aric.Cyr@amd.com>
Reviewed-by: Eric Yang <eric.yang2@amd.com>
Acked-by: Agustin Gutierrez Sanchez <agustin.gutierrez@amd.com>
Signed-off-by: Jake Wang <haonan.wang2@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_hwseq.c
@@ -76,10 +76,6 @@ void dcn31_init_hw(struct dc *dc)
 	if (dc->clk_mgr && dc->clk_mgr->funcs->init_clocks)
 		dc->clk_mgr->funcs->init_clocks(dc->clk_mgr);
 
-	// Initialize the dccg
-	if (res_pool->dccg->funcs->dccg_init)
-		res_pool->dccg->funcs->dccg_init(res_pool->dccg);
-
 	if (IS_FPGA_MAXIMUS_DC(dc->ctx->dce_environment)) {
 
 		REG_WRITE(REFCLK_CNTL, 0);
@@ -106,6 +102,9 @@ void dcn31_init_hw(struct dc *dc)
 		hws->funcs.bios_golden_init(dc);
 		hws->funcs.disable_vga(dc->hwseq);
 	}
+	// Initialize the dccg
+	if (res_pool->dccg->funcs->dccg_init)
+		res_pool->dccg->funcs->dccg_init(res_pool->dccg);
 
 	if (dc->debug.enable_mem_low_power.bits.dmcu) {
 		// Force ERAM to shutdown if DMCU is not enabled



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 055/125] drm/amd/display: Fallback to clocks which meet requested voltage on DCN31
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 054/125] drm/amd/display: Moved dccg init to after bios golden init Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 056/125] drm/amd/display: Fix deadlock when falling back to v2 from v3 Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michael Strauss, Nicholas Kazlauskas,
	Alex Deucher

From: Michael Strauss <michael.strauss@amd.com>

commit 54149d13f369e1ab02f36b91feee02069184c1d8 upstream.

[WHY]
On certain configs, SMU clock table voltages don't match which cause parser
to behave incorrectly by leaving dcfclk and socclk table entries unpopulated.

[HOW]
Currently the function that finds the corresponding clock for a given voltage
only checks for exact voltage level matches. In the case that no match gets
found, parser now falls back to searching for the max clock which meets the
requested voltage (i.e. its corresponding voltage is below requested).

Signed-off-by: Michael Strauss <michael.strauss@amd.com>
Reviewed-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c |   13 ++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
+++ b/drivers/gpu/drm/amd/display/dc/clk_mgr/dcn31/dcn31_clk_mgr.c
@@ -518,14 +518,21 @@ static unsigned int find_clk_for_voltage
 		unsigned int voltage)
 {
 	int i;
+	int max_voltage = 0;
+	int clock = 0;
 
 	for (i = 0; i < NUM_SOC_VOLTAGE_LEVELS; i++) {
-		if (clock_table->SocVoltage[i] == voltage)
+		if (clock_table->SocVoltage[i] == voltage) {
 			return clocks[i];
+		} else if (clock_table->SocVoltage[i] >= max_voltage &&
+				clock_table->SocVoltage[i] < voltage) {
+			max_voltage = clock_table->SocVoltage[i];
+			clock = clocks[i];
+		}
 	}
 
-	ASSERT(0);
-	return 0;
+	ASSERT(clock);
+	return clock;
 }
 
 void dcn31_clk_mgr_helper_populate_bw_params(



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 056/125] drm/amd/display: Fix deadlock when falling back to v2 from v3
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 055/125] drm/amd/display: Fallback to clocks which meet requested voltage on DCN31 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 057/125] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nicholas Kazlauskas, Aric Cyr, Alex Deucher

From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>

commit ad76744b041d8c87ef1c9adbb04fb7eaa20a179e upstream.

[Why]
A deadlock in the kernel occurs when we fallback from the V3 to V2
add_topology_to_display or remove_topology_to_display because they
both try to acquire the dtm_mutex but recursive locking isn't
supported on mutex_lock().

[How]
Make the mutex_lock/unlock more fine grained and move them up such that
they're only required for the psp invocation itself.

Fixes: bf62221e9d0e ("drm/amd/display: Add DCN3.1 HDCP support")

Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Reviewed-by: Aric Cyr <aric.cyr@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c |    6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

--- a/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
+++ b/drivers/gpu/drm/amd/display/modules/hdcp/hdcp_psp.c
@@ -105,6 +105,7 @@ static enum mod_hdcp_status mod_hdcp_rem
 	dtm_cmd->dtm_status = TA_DTM_STATUS__GENERIC_FAILURE;
 
 	psp_dtm_invoke(psp, dtm_cmd->cmd_id);
+	mutex_unlock(&psp->dtm_context.mutex);
 
 	if (dtm_cmd->dtm_status != TA_DTM_STATUS__SUCCESS) {
 		status = mod_hdcp_remove_display_from_topology_v2(hdcp, index);
@@ -115,8 +116,6 @@ static enum mod_hdcp_status mod_hdcp_rem
 		HDCP_TOP_REMOVE_DISPLAY_TRACE(hdcp, display->index);
 	}
 
-	mutex_unlock(&psp->dtm_context.mutex);
-
 	return status;
 }
 
@@ -218,6 +217,7 @@ static enum mod_hdcp_status mod_hdcp_add
 	dtm_cmd->dtm_in_message.topology_update_v3.link_hdcp_cap = link->hdcp_supported_informational;
 
 	psp_dtm_invoke(psp, dtm_cmd->cmd_id);
+	mutex_unlock(&psp->dtm_context.mutex);
 
 	if (dtm_cmd->dtm_status != TA_DTM_STATUS__SUCCESS) {
 		status = mod_hdcp_add_display_to_topology_v2(hdcp, display);
@@ -227,8 +227,6 @@ static enum mod_hdcp_status mod_hdcp_add
 		HDCP_TOP_ADD_DISPLAY_TRACE(hdcp, display->index);
 	}
 
-	mutex_unlock(&psp->dtm_context.mutex);
-
 	return status;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 057/125] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 056/125] drm/amd/display: Fix deadlock when falling back to v2 from v3 Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 058/125] cgroup: Fix memory leak caused by missing cgroup_bpf_offline Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jan Kiszka, Mantas Mikulėnas,
	Javier S. Pedro, Guenter Roeck, Wim Van Sebroeck

From: Guenter Roeck <linux@roeck-us.net>

commit 6e7733ef0bb9372d5491168635f6ecba8ac3cb8a upstream.

This reverts commit cb011044e34c ("watchdog: iTCO_wdt: Account for
rebooting on second timeout") and commit aec42642d91f ("watchdog: iTCO_wdt:
Fix detection of SMI-off case") since those patches cause a regression
on certain boards (https://bugzilla.kernel.org/show_bug.cgi?id=213809).

While this revert may result in some boards to only reset after twice
the configured timeout value, that is still better than a watchdog reset
after half the configured value.

Fixes: cb011044e34c ("watchdog: iTCO_wdt: Account for rebooting on second timeout")
Fixes: aec42642d91f ("watchdog: iTCO_wdt: Fix detection of SMI-off case")
Cc: Jan Kiszka <jan.kiszka@siemens.com>
Cc: Mantas Mikulėnas <grawity@gmail.com>
Reported-by: Javier S. Pedro <debbugs@javispedro.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20211008003302.1461733-1-linux@roeck-us.net
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/watchdog/iTCO_wdt.c |   12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

--- a/drivers/watchdog/iTCO_wdt.c
+++ b/drivers/watchdog/iTCO_wdt.c
@@ -71,8 +71,6 @@
 #define TCOBASE(p)	((p)->tco_res->start)
 /* SMI Control and Enable Register */
 #define SMI_EN(p)	((p)->smi_res->start)
-#define TCO_EN		(1 << 13)
-#define GBL_SMI_EN	(1 << 0)
 
 #define TCO_RLD(p)	(TCOBASE(p) + 0x00) /* TCO Timer Reload/Curr. Value */
 #define TCOv1_TMR(p)	(TCOBASE(p) + 0x01) /* TCOv1 Timer Initial Value*/
@@ -357,12 +355,8 @@ static int iTCO_wdt_set_timeout(struct w
 
 	tmrval = seconds_to_ticks(p, t);
 
-	/*
-	 * If TCO SMIs are off, the timer counts down twice before rebooting.
-	 * Otherwise, the BIOS generally reboots when the SMI triggers.
-	 */
-	if (p->smi_res &&
-	    (inl(SMI_EN(p)) & (TCO_EN | GBL_SMI_EN)) != (TCO_EN | GBL_SMI_EN))
+	/* For TCO v1 the timer counts down twice before rebooting */
+	if (p->iTCO_version == 1)
 		tmrval /= 2;
 
 	/* from the specs: */
@@ -527,7 +521,7 @@ static int iTCO_wdt_probe(struct platfor
 		 * Disables TCO logic generating an SMI#
 		 */
 		val32 = inl(SMI_EN(p));
-		val32 &= ~TCO_EN;	/* Turn off SMI clearing watchdog */
+		val32 &= 0xffffdfff;	/* Turn off SMI clearing watchdog */
 		outl(val32, SMI_EN(p));
 	}
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 058/125] cgroup: Fix memory leak caused by missing cgroup_bpf_offline
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 057/125] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 059/125] riscv, bpf: Fix potential NULL dereference Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Quanyang Wang, Alexei Starovoitov,
	Roman Gushchin, John Fastabend

From: Quanyang Wang <quanyang.wang@windriver.com>

commit 04f8ef5643bcd8bcde25dfdebef998aea480b2ba upstream.

When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running
the command as below:

    $mount -t cgroup -o none,name=foo cgroup cgroup/
    $umount cgroup/

unreferenced object 0xc3585c40 (size 64):
  comm "mount", pid 425, jiffies 4294959825 (age 31.990s)
  hex dump (first 32 bytes):
    01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00  ......(.........
    00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00  ........lC......
  backtrace:
    [<e95a2f9e>] cgroup_bpf_inherit+0x44/0x24c
    [<1f03679c>] cgroup_setup_root+0x174/0x37c
    [<ed4b0ac5>] cgroup1_get_tree+0x2c0/0x4a0
    [<f85b12fd>] vfs_get_tree+0x24/0x108
    [<f55aec5c>] path_mount+0x384/0x988
    [<e2d5e9cd>] do_mount+0x64/0x9c
    [<208c9cfe>] sys_mount+0xfc/0x1f4
    [<06dd06e0>] ret_fast_syscall+0x0/0x48
    [<a8308cb3>] 0xbeb4daa8

This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce
memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data
is allocated by the function percpu_ref_init in cgroup_bpf_inherit which
is called by cgroup_setup_root when mounting, but not freed along with
root_cgrp when umounting. Adding cgroup_bpf_offline which calls
percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in
umount path.

This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime
of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a
cleanup that frees the resources which are allocated by cgroup_bpf_inherit
in cgroup_setup_root.

And inside cgroup_bpf_offline, cgroup_get() is at the beginning and
cgroup_put is at the end of cgroup_bpf_release which is called by
cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of
cgroup's refcount.

Fixes: 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path")
Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")
Signed-off-by: Quanyang Wang <quanyang.wang@windriver.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Roman Gushchin <guro@fb.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20211018075623.26884-1-quanyang.wang@windriver.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/cgroup/cgroup.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/kernel/cgroup/cgroup.c
+++ b/kernel/cgroup/cgroup.c
@@ -2174,8 +2174,10 @@ static void cgroup_kill_sb(struct super_
 	 * And don't kill the default root.
 	 */
 	if (list_empty(&root->cgrp.self.children) && root != &cgrp_dfl_root &&
-	    !percpu_ref_is_dying(&root->cgrp.self.refcnt))
+	    !percpu_ref_is_dying(&root->cgrp.self.refcnt)) {
+		cgroup_bpf_offline(&root->cgrp);
 		percpu_ref_kill(&root->cgrp.self.refcnt);
+	}
 	cgroup_put(&root->cgrp);
 	kernfs_kill_sb(sb);
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 059/125] riscv, bpf: Fix potential NULL dereference
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 058/125] cgroup: Fix memory leak caused by missing cgroup_bpf_offline Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 060/125] tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Björn Töpel,
	Daniel Borkmann, Jakub Kicinski

From: Björn Töpel <bjorn@kernel.org>

commit 27de809a3d83a6199664479ebb19712533d6fd9b upstream.

The bpf_jit_binary_free() function requires a non-NULL argument. When
the RISC-V BPF JIT fails to converge in NR_JIT_ITERATIONS steps,
jit_data->header will be NULL, which triggers a NULL
dereference. Avoid this by checking the argument, prior calling the
function.

Fixes: ca6cb5447cec ("riscv, bpf: Factor common RISC-V JIT code")
Signed-off-by: Björn Töpel <bjorn@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20211028125115.514587-1-bjorn@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/net/bpf_jit_core.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/arch/riscv/net/bpf_jit_core.c
+++ b/arch/riscv/net/bpf_jit_core.c
@@ -125,7 +125,8 @@ struct bpf_prog *bpf_int_jit_compile(str
 
 	if (i == NR_JIT_ITERATIONS) {
 		pr_err("bpf-jit: image did not converge in <%d passes!\n", i);
-		bpf_jit_binary_free(jit_data->header);
+		if (jit_data->header)
+			bpf_jit_binary_free(jit_data->header);
 		prog = orig_prog;
 		goto out_offset;
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 060/125] tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 059/125] riscv, bpf: Fix potential NULL dereference Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 061/125] bpf: Fix potential race in tail call compatibility check Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Liu Jian, Alexei Starovoitov, John Fastabend

From: Liu Jian <liujian56@huawei.com>

commit cd9733f5d75c94a32544d6ce5be47e14194cf137 upstream.

With two Msgs, msgA and msgB and a user doing nonblocking sendmsg calls (or
multiple cores) on a single socket 'sk' we could get the following flow.

 msgA, sk                               msgB, sk
 -----------                            ---------------
 tcp_bpf_sendmsg()
 lock(sk)
 psock = sk->psock
                                        tcp_bpf_sendmsg()
                                        lock(sk) ... blocking
tcp_bpf_send_verdict
if (psock->eval == NONE)
   psock->eval = sk_psock_msg_verdict
 ..
 < handle SK_REDIRECT case >
   release_sock(sk)                     < lock dropped so grab here >
   ret = tcp_bpf_sendmsg_redir
                                        psock = sk->psock
                                        tcp_bpf_send_verdict
 lock_sock(sk) ... blocking on B
                                        if (psock->eval == NONE) <- boom.
                                         psock->eval will have msgA state

The problem here is we dropped the lock on msgA and grabbed it with msgB.
Now we have old state in psock and importantly psock->eval has not been
cleared. So msgB will run whatever action was done on A and the verdict
program may never see it.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Liu Jian <liujian56@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20211012052019.184398-1-liujian56@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_bpf.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -232,6 +232,7 @@ static int tcp_bpf_send_verdict(struct s
 	bool cork = false, enospc = sk_msg_full(msg);
 	struct sock *sk_redir;
 	u32 tosend, delta = 0;
+	u32 eval = __SK_NONE;
 	int ret;
 
 more_data:
@@ -275,13 +276,24 @@ more_data:
 	case __SK_REDIRECT:
 		sk_redir = psock->sk_redir;
 		sk_msg_apply_bytes(psock, tosend);
+		if (!psock->apply_bytes) {
+			/* Clean up before releasing the sock lock. */
+			eval = psock->eval;
+			psock->eval = __SK_NONE;
+			psock->sk_redir = NULL;
+		}
 		if (psock->cork) {
 			cork = true;
 			psock->cork = NULL;
 		}
 		sk_msg_return(sk, msg, tosend);
 		release_sock(sk);
+
 		ret = tcp_bpf_sendmsg_redir(sk_redir, msg, tosend, flags);
+
+		if (eval == __SK_REDIRECT)
+			sock_put(sk_redir);
+
 		lock_sock(sk);
 		if (unlikely(ret < 0)) {
 			int free = sk_msg_free_nocharge(sk, msg);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 061/125] bpf: Fix potential race in tail call compatibility check
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 060/125] tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 062/125] bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch() Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Bianconi,
	Toke Høiland-Jørgensen, Alexei Starovoitov

From: Toke Høiland-Jørgensen <toke@redhat.com>

commit 54713c85f536048e685258f880bf298a74c3620d upstream.

Lorenzo noticed that the code testing for program type compatibility of
tail call maps is potentially racy in that two threads could encounter a
map with an unset type simultaneously and both return true even though they
are inserting incompatible programs.

The race window is quite small, but artificially enlarging it by adding a
usleep_range() inside the check in bpf_prog_array_compatible() makes it
trivial to trigger from userspace with a program that does, essentially:

        map_fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, 4, 4, 2, 0);
        pid = fork();
        if (pid) {
                key = 0;
                value = xdp_fd;
        } else {
                key = 1;
                value = tc_fd;
        }
        err = bpf_map_update_elem(map_fd, &key, &value, 0);

While the race window is small, it has potentially serious ramifications in
that triggering it would allow a BPF program to tail call to a program of a
different type. So let's get rid of it by protecting the update with a
spinlock. The commit in the Fixes tag is the last commit that touches the
code in question.

v2:
- Use a spinlock instead of an atomic variable and cmpxchg() (Alexei)
v3:
- Put lock and the members it protects into an embedded 'owner' struct (Daniel)

Fixes: 3324b584b6f6 ("ebpf: misc core cleanup")
Reported-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20211026110019.363464-1-toke@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/bpf.h   |    7 +++++--
 kernel/bpf/arraymap.c |    1 +
 kernel/bpf/core.c     |   20 +++++++++++++-------
 kernel/bpf/syscall.c  |    6 ++++--
 4 files changed, 23 insertions(+), 11 deletions(-)

--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -900,8 +900,11 @@ struct bpf_array_aux {
 	 * stored in the map to make sure that all callers and callees have
 	 * the same prog type and JITed flag.
 	 */
-	enum bpf_prog_type type;
-	bool jited;
+	struct {
+		spinlock_t lock;
+		enum bpf_prog_type type;
+		bool jited;
+	} owner;
 	/* Programs with direct jumps into programs part of this array. */
 	struct list_head poke_progs;
 	struct bpf_map *map;
--- a/kernel/bpf/arraymap.c
+++ b/kernel/bpf/arraymap.c
@@ -1051,6 +1051,7 @@ static struct bpf_map *prog_array_map_al
 	INIT_WORK(&aux->work, prog_array_map_clear_deferred);
 	INIT_LIST_HEAD(&aux->poke_progs);
 	mutex_init(&aux->poke_mutex);
+	spin_lock_init(&aux->owner.lock);
 
 	map = array_map_alloc(attr);
 	if (IS_ERR(map)) {
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1821,20 +1821,26 @@ static unsigned int __bpf_prog_ret0_warn
 bool bpf_prog_array_compatible(struct bpf_array *array,
 			       const struct bpf_prog *fp)
 {
+	bool ret;
+
 	if (fp->kprobe_override)
 		return false;
 
-	if (!array->aux->type) {
+	spin_lock(&array->aux->owner.lock);
+
+	if (!array->aux->owner.type) {
 		/* There's no owner yet where we could check for
 		 * compatibility.
 		 */
-		array->aux->type  = fp->type;
-		array->aux->jited = fp->jited;
-		return true;
+		array->aux->owner.type  = fp->type;
+		array->aux->owner.jited = fp->jited;
+		ret = true;
+	} else {
+		ret = array->aux->owner.type  == fp->type &&
+		      array->aux->owner.jited == fp->jited;
 	}
-
-	return array->aux->type  == fp->type &&
-	       array->aux->jited == fp->jited;
+	spin_unlock(&array->aux->owner.lock);
+	return ret;
 }
 
 static int bpf_check_tail_call(const struct bpf_prog *fp)
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -543,8 +543,10 @@ static void bpf_map_show_fdinfo(struct s
 
 	if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) {
 		array = container_of(map, struct bpf_array, map);
-		type  = array->aux->type;
-		jited = array->aux->jited;
+		spin_lock(&array->aux->owner.lock);
+		type  = array->aux->owner.type;
+		jited = array->aux->owner.jited;
+		spin_unlock(&array->aux->owner.lock);
 	}
 
 	seq_printf(m,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 062/125] bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 061/125] bpf: Fix potential race in tail call compatibility check Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 063/125] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Xu Kuohai, Alexei Starovoitov

From: Xu Kuohai <xukuohai@huawei.com>

commit fda7a38714f40b635f5502ec4855602c6b33dad2 upstream.

1. The ufd in generic_map_update_batch() should be read from batch.map_fd;
2. A call to fdget() should be followed by a symmetric call to fdput().

Fixes: aa2e93b8e58e ("bpf: Add generic support for update and delete batch ops")
Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20211019032934.1210517-1-xukuohai@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/syscall.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1333,12 +1333,11 @@ int generic_map_update_batch(struct bpf_
 	void __user *values = u64_to_user_ptr(attr->batch.values);
 	void __user *keys = u64_to_user_ptr(attr->batch.keys);
 	u32 value_size, cp, max_count;
-	int ufd = attr->map_fd;
+	int ufd = attr->batch.map_fd;
 	void *key, *value;
 	struct fd f;
 	int err = 0;
 
-	f = fdget(ufd);
 	if (attr->batch.elem_flags & ~BPF_F_LOCK)
 		return -EINVAL;
 
@@ -1363,6 +1362,7 @@ int generic_map_update_batch(struct bpf_
 		return -ENOMEM;
 	}
 
+	f = fdget(ufd); /* bpf_map_do_batch() guarantees ufd is valid */
 	for (cp = 0; cp < max_count; cp++) {
 		err = -EFAULT;
 		if (copy_from_user(key, keys + cp * map->key_size,
@@ -1382,6 +1382,7 @@ int generic_map_update_batch(struct bpf_
 
 	kfree(value);
 	kfree(key);
+	fdput(f);
 	return err;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 063/125] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 062/125] bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch() Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 064/125] IB/hfi1: Fix abba locking issue with sc_disable() Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilja Van Sprundel,
	Dennis Dalessandro, Mike Marciniszyn, Jason Gunthorpe

From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>

commit d39bf40e55e666b5905fdbd46a0dced030ce87be upstream.

Overflowing either addrlimit or bytes_togo can allow userspace to trigger
a buffer overflow of kernel memory. Check for overflows in all the places
doing math on user controlled buffers.

Fixes: f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Link: https://lore.kernel.org/r/20211012175519.7298.77738.stgit@awfm-01.cornelisnetworks.com
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/qib/qib_user_sdma.c |   33 ++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

--- a/drivers/infiniband/hw/qib/qib_user_sdma.c
+++ b/drivers/infiniband/hw/qib/qib_user_sdma.c
@@ -602,7 +602,7 @@ done:
 /*
  * How many pages in this iovec element?
  */
-static int qib_user_sdma_num_pages(const struct iovec *iov)
+static size_t qib_user_sdma_num_pages(const struct iovec *iov)
 {
 	const unsigned long addr  = (unsigned long) iov->iov_base;
 	const unsigned long  len  = iov->iov_len;
@@ -658,7 +658,7 @@ static void qib_user_sdma_free_pkt_frag(
 static int qib_user_sdma_pin_pages(const struct qib_devdata *dd,
 				   struct qib_user_sdma_queue *pq,
 				   struct qib_user_sdma_pkt *pkt,
-				   unsigned long addr, int tlen, int npages)
+				   unsigned long addr, int tlen, size_t npages)
 {
 	struct page *pages[8];
 	int i, j;
@@ -722,7 +722,7 @@ static int qib_user_sdma_pin_pkt(const s
 	unsigned long idx;
 
 	for (idx = 0; idx < niov; idx++) {
-		const int npages = qib_user_sdma_num_pages(iov + idx);
+		const size_t npages = qib_user_sdma_num_pages(iov + idx);
 		const unsigned long addr = (unsigned long) iov[idx].iov_base;
 
 		ret = qib_user_sdma_pin_pages(dd, pq, pkt, addr,
@@ -824,8 +824,8 @@ static int qib_user_sdma_queue_pkts(cons
 		unsigned pktnw;
 		unsigned pktnwc;
 		int nfrags = 0;
-		int npages = 0;
-		int bytes_togo = 0;
+		size_t npages = 0;
+		size_t bytes_togo = 0;
 		int tiddma = 0;
 		int cfur;
 
@@ -885,7 +885,11 @@ static int qib_user_sdma_queue_pkts(cons
 
 			npages += qib_user_sdma_num_pages(&iov[idx]);
 
-			bytes_togo += slen;
+			if (check_add_overflow(bytes_togo, slen, &bytes_togo) ||
+			    bytes_togo > type_max(typeof(pkt->bytes_togo))) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
 			pktnwc += slen >> 2;
 			idx++;
 			nfrags++;
@@ -904,8 +908,7 @@ static int qib_user_sdma_queue_pkts(cons
 		}
 
 		if (frag_size) {
-			int tidsmsize, n;
-			size_t pktsize;
+			size_t tidsmsize, n, pktsize, sz, addrlimit;
 
 			n = npages*((2*PAGE_SIZE/frag_size)+1);
 			pktsize = struct_size(pkt, addr, n);
@@ -923,14 +926,24 @@ static int qib_user_sdma_queue_pkts(cons
 			else
 				tidsmsize = 0;
 
-			pkt = kmalloc(pktsize+tidsmsize, GFP_KERNEL);
+			if (check_add_overflow(pktsize, tidsmsize, &sz)) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
+			pkt = kmalloc(sz, GFP_KERNEL);
 			if (!pkt) {
 				ret = -ENOMEM;
 				goto free_pbc;
 			}
 			pkt->largepkt = 1;
 			pkt->frag_size = frag_size;
-			pkt->addrlimit = n + ARRAY_SIZE(pkt->addr);
+			if (check_add_overflow(n, ARRAY_SIZE(pkt->addr),
+					       &addrlimit) ||
+			    addrlimit > type_max(typeof(pkt->addrlimit))) {
+				ret = -EINVAL;
+				goto free_pbc;
+			}
+			pkt->addrlimit = addrlimit;
 
 			if (tiddma) {
 				char *tidsm = (char *)pkt + pktsize;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 064/125] IB/hfi1: Fix abba locking issue with sc_disable()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 063/125] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 065/125] nvmet-tcp: fix data digest pointer calculation Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Marciniszyn, TOTE Robot,
	Dennis Dalessandro, Jason Gunthorpe

From: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>

commit 13bac861952a78664907a0f927d3e874e9a59034 upstream.

sc_disable() after having disabled the send context wakes up any waiters
by calling hfi1_qp_wakeup() while holding the waitlock for the sc.

This is contrary to the model for all other calls to hfi1_qp_wakeup()
where the waitlock is dropped and a local is used to drive calls to
hfi1_qp_wakeup().

Fix by moving the sc->piowait into a local list and driving the wakeup
calls from the list.

Fixes: 099a884ba4c0 ("IB/hfi1: Handle wakeup of orphaned QPs for pio")
Link: https://lore.kernel.org/r/20211013141852.128104.2682.stgit@awfm-01.cornelisnetworks.com
Signed-off-by: Mike Marciniszyn <mike.marciniszyn@cornelisnetworks.com>
Reported-by: TOTE Robot <oslab@tsinghua.edu.cn>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@cornelisnetworks.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/hfi1/pio.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/infiniband/hw/hfi1/pio.c
+++ b/drivers/infiniband/hw/hfi1/pio.c
@@ -920,6 +920,7 @@ void sc_disable(struct send_context *sc)
 {
 	u64 reg;
 	struct pio_buf *pbuf;
+	LIST_HEAD(wake_list);
 
 	if (!sc)
 		return;
@@ -954,19 +955,21 @@ void sc_disable(struct send_context *sc)
 	spin_unlock(&sc->release_lock);
 
 	write_seqlock(&sc->waitlock);
-	while (!list_empty(&sc->piowait)) {
+	if (!list_empty(&sc->piowait))
+		list_move(&sc->piowait, &wake_list);
+	write_sequnlock(&sc->waitlock);
+	while (!list_empty(&wake_list)) {
 		struct iowait *wait;
 		struct rvt_qp *qp;
 		struct hfi1_qp_priv *priv;
 
-		wait = list_first_entry(&sc->piowait, struct iowait, list);
+		wait = list_first_entry(&wake_list, struct iowait, list);
 		qp = iowait_to_qp(wait);
 		priv = qp->priv;
 		list_del_init(&priv->s_iowait.list);
 		priv->s_iowait.lock = NULL;
 		hfi1_qp_wakeup(qp, RVT_S_WAIT_PIO | HFI1_S_WAIT_PIO_DRAIN);
 	}
-	write_sequnlock(&sc->waitlock);
 
 	spin_unlock_irq(&sc->alloc_lock);
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 065/125] nvmet-tcp: fix data digest pointer calculation
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 064/125] IB/hfi1: Fix abba locking issue with sc_disable() Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 066/125] nvme-tcp: " Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Varun Prakash, Sagi Grimberg,
	Christoph Hellwig

From: Varun Prakash <varun@chelsio.com>

commit e790de54e94a7a15fb725b34724d41d41cbaa60c upstream.

exp_ddgst is of type __le32, &cmd->exp_ddgst + cmd->offset increases
&cmd->exp_ddgst by 4 * cmd->offset, fix this by type casting
&cmd->exp_ddgst to u8 *.

Fixes: 872d26a391da ("nvmet-tcp: add NVMe over TCP target driver")
Signed-off-by: Varun Prakash <varun@chelsio.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/target/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -702,7 +702,7 @@ static int nvmet_try_send_ddgst(struct n
 	struct nvmet_tcp_queue *queue = cmd->queue;
 	struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
 	struct kvec iov = {
-		.iov_base = &cmd->exp_ddgst + cmd->offset,
+		.iov_base = (u8 *)&cmd->exp_ddgst + cmd->offset,
 		.iov_len = NVME_TCP_DIGEST_LENGTH - cmd->offset
 	};
 	int ret;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 066/125] nvme-tcp: fix data digest pointer calculation
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 065/125] nvmet-tcp: fix data digest pointer calculation Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 067/125] nvme-tcp: fix possible req->offset corruption Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Varun Prakash, Sagi Grimberg,
	Christoph Hellwig

From: Varun Prakash <varun@chelsio.com>

commit d89b9f3bbb58e9e378881209756b0723694f22ff upstream.

ddgst is of type __le32, &req->ddgst + req->offset
increases &req->ddgst by 4 * req->offset, fix this by
type casting &req->ddgst to u8 *.

Fixes: 3f2304f8c6d6 ("nvme-tcp: add NVMe over TCP host driver")
Signed-off-by: Varun Prakash <varun@chelsio.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/tcp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1040,7 +1040,7 @@ static int nvme_tcp_try_send_ddgst(struc
 	int ret;
 	struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
 	struct kvec iov = {
-		.iov_base = &req->ddgst + req->offset,
+		.iov_base = (u8 *)&req->ddgst + req->offset,
 		.iov_len = NVME_TCP_DIGEST_LENGTH - req->offset
 	};
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 067/125] nvme-tcp: fix possible req->offset corruption
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 066/125] nvme-tcp: " Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 068/125] octeontx2-af: Display all enabled PF VF rsrc_alloc entries Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Varun Prakash, Keith Busch,
	Sagi Grimberg, Christoph Hellwig

From: Varun Prakash <varun@chelsio.com>

commit ce7723e9cdae4eb3030da082876580f4b2dc0861 upstream.

With commit db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq
context") r2t and response PDU can get processed while send function
is executing.

Current data digest send code uses req->offset after kernel_sendmsg(),
this creates a race condition where req->offset gets reset before it
is used in send function.

This can happen in two cases -
1. Target sends r2t PDU which resets req->offset.
2. Target send response PDU which completes the req and then req is
   used for a new command, nvme_tcp_setup_cmd_pdu() resets req->offset.

Fix this by storing req->offset in a local variable and using
this local variable after kernel_sendmsg().

Fixes: db5ad6b7f8cd ("nvme-tcp: try to send request in queue_rq context")
Signed-off-by: Varun Prakash <varun@chelsio.com>
Reviewed-by: Keith Busch <kbusch@kernel.org>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/nvme/host/tcp.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/nvme/host/tcp.c
+++ b/drivers/nvme/host/tcp.c
@@ -1037,6 +1037,7 @@ static int nvme_tcp_try_send_data_pdu(st
 static int nvme_tcp_try_send_ddgst(struct nvme_tcp_request *req)
 {
 	struct nvme_tcp_queue *queue = req->queue;
+	size_t offset = req->offset;
 	int ret;
 	struct msghdr msg = { .msg_flags = MSG_DONTWAIT };
 	struct kvec iov = {
@@ -1053,7 +1054,7 @@ static int nvme_tcp_try_send_ddgst(struc
 	if (unlikely(ret <= 0))
 		return ret;
 
-	if (req->offset + ret == NVME_TCP_DIGEST_LENGTH) {
+	if (offset + ret == NVME_TCP_DIGEST_LENGTH) {
 		nvme_tcp_done_send_req(queue);
 		return 1;
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 068/125] octeontx2-af: Display all enabled PF VF rsrc_alloc entries.
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 067/125] nvme-tcp: fix possible req->offset corruption Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 069/125] octeontx2-af: Fix possible null pointer dereference Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rakesh Babu, Nithin Dabilpuram,
	Sunil Kovvuri Goutham, David S. Miller

From: Rakesh Babu <rsaladi2@marvell.com>

commit e77bcdd1f639809950c45234b08647ac6d3ffe7b upstream.

Currently, we are using a fixed buffer size of length 2048 to display
rsrc_alloc output. As a result a maximum of 2048 characters of
rsrc_alloc output is displayed, which may lead sometimes to display only
partial output. This patch fixes this dependency on max limit of buffer
size and displays all PF VF entries.

Each column of the debugfs entry "rsrc_alloc" uses a fixed width of 12
characters to print the list of LFs of each block for a PF/VF. If the
length of list of LFs of a block exceeds this fixed width then the list
gets truncated and displays only a part of the list. This patch fixes
this by using the maximum possible length of list of LFs among all
blocks of all PFs and VFs entries as the width size.

Fixes: f7884097141b ("octeontx2-af: Formatting debugfs entry rsrc_alloc.")
Fixes: 23205e6d06d4 ("octeontx2-af: Dump current resource provisioning status")
Signed-off-by: Rakesh Babu <rsaladi2@marvell.com>
Signed-off-by: Nithin Dabilpuram <ndabilpuram@marvell.com>
Signed-off-by: Sunil Kovvuri Goutham <Sunil.Goutham@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c |  138 ++++++++++++----
 1 file changed, 106 insertions(+), 32 deletions(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -229,18 +229,85 @@ static const struct file_operations rvu_
 
 static void print_nix_qsize(struct seq_file *filp, struct rvu_pfvf *pfvf);
 
+static void get_lf_str_list(struct rvu_block block, int pcifunc,
+			    char *lfs)
+{
+	int lf = 0, seq = 0, len = 0, prev_lf = block.lf.max;
+
+	for_each_set_bit(lf, block.lf.bmap, block.lf.max) {
+		if (lf >= block.lf.max)
+			break;
+
+		if (block.fn_map[lf] != pcifunc)
+			continue;
+
+		if (lf == prev_lf + 1) {
+			prev_lf = lf;
+			seq = 1;
+			continue;
+		}
+
+		if (seq)
+			len += sprintf(lfs + len, "-%d,%d", prev_lf, lf);
+		else
+			len += (len ? sprintf(lfs + len, ",%d", lf) :
+				      sprintf(lfs + len, "%d", lf));
+
+		prev_lf = lf;
+		seq = 0;
+	}
+
+	if (seq)
+		len += sprintf(lfs + len, "-%d", prev_lf);
+
+	lfs[len] = '\0';
+}
+
+static int get_max_column_width(struct rvu *rvu)
+{
+	int index, pf, vf, lf_str_size = 12, buf_size = 256;
+	struct rvu_block block;
+	u16 pcifunc;
+	char *buf;
+
+	buf = kzalloc(buf_size, GFP_KERNEL);
+	if (!buf)
+		return -ENOMEM;
+
+	for (pf = 0; pf < rvu->hw->total_pfs; pf++) {
+		for (vf = 0; vf <= rvu->hw->total_vfs; vf++) {
+			pcifunc = pf << 10 | vf;
+			if (!pcifunc)
+				continue;
+
+			for (index = 0; index < BLK_COUNT; index++) {
+				block = rvu->hw->block[index];
+				if (!strlen(block.name))
+					continue;
+
+				get_lf_str_list(block, pcifunc, buf);
+				if (lf_str_size <= strlen(buf))
+					lf_str_size = strlen(buf) + 1;
+			}
+		}
+	}
+
+	kfree(buf);
+	return lf_str_size;
+}
+
 /* Dumps current provisioning status of all RVU block LFs */
 static ssize_t rvu_dbg_rsrc_attach_status(struct file *filp,
 					  char __user *buffer,
 					  size_t count, loff_t *ppos)
 {
-	int index, off = 0, flag = 0, go_back = 0, len = 0;
+	int index, off = 0, flag = 0, len = 0, i = 0;
 	struct rvu *rvu = filp->private_data;
-	int lf, pf, vf, pcifunc;
+	int bytes_not_copied = 0;
 	struct rvu_block block;
-	int bytes_not_copied;
-	int lf_str_size = 12;
+	int pf, vf, pcifunc;
 	int buf_size = 2048;
+	int lf_str_size;
 	char *lfs;
 	char *buf;
 
@@ -252,6 +319,9 @@ static ssize_t rvu_dbg_rsrc_attach_statu
 	if (!buf)
 		return -ENOSPC;
 
+	/* Get the maximum width of a column */
+	lf_str_size = get_max_column_width(rvu);
+
 	lfs = kzalloc(lf_str_size, GFP_KERNEL);
 	if (!lfs) {
 		kfree(buf);
@@ -265,65 +335,69 @@ static ssize_t rvu_dbg_rsrc_attach_statu
 					 "%-*s", lf_str_size,
 					 rvu->hw->block[index].name);
 		}
+
 	off += scnprintf(&buf[off], buf_size - 1 - off, "\n");
+	bytes_not_copied = copy_to_user(buffer + (i * off), buf, off);
+	if (bytes_not_copied)
+		goto out;
+
+	i++;
+	*ppos += off;
 	for (pf = 0; pf < rvu->hw->total_pfs; pf++) {
 		for (vf = 0; vf <= rvu->hw->total_vfs; vf++) {
+			off = 0;
+			flag = 0;
 			pcifunc = pf << 10 | vf;
 			if (!pcifunc)
 				continue;
 
 			if (vf) {
 				sprintf(lfs, "PF%d:VF%d", pf, vf - 1);
-				go_back = scnprintf(&buf[off],
-						    buf_size - 1 - off,
-						    "%-*s", lf_str_size, lfs);
+				off = scnprintf(&buf[off],
+						buf_size - 1 - off,
+						"%-*s", lf_str_size, lfs);
 			} else {
 				sprintf(lfs, "PF%d", pf);
-				go_back = scnprintf(&buf[off],
-						    buf_size - 1 - off,
-						    "%-*s", lf_str_size, lfs);
+				off = scnprintf(&buf[off],
+						buf_size - 1 - off,
+						"%-*s", lf_str_size, lfs);
 			}
 
-			off += go_back;
-			for (index = 0; index < BLKTYPE_MAX; index++) {
+			for (index = 0; index < BLK_COUNT; index++) {
 				block = rvu->hw->block[index];
 				if (!strlen(block.name))
 					continue;
 				len = 0;
 				lfs[len] = '\0';
-				for (lf = 0; lf < block.lf.max; lf++) {
-					if (block.fn_map[lf] != pcifunc)
-						continue;
+				get_lf_str_list(block, pcifunc, lfs);
+				if (strlen(lfs))
 					flag = 1;
-					len += sprintf(&lfs[len], "%d,", lf);
-				}
 
-				if (flag)
-					len--;
-				lfs[len] = '\0';
 				off += scnprintf(&buf[off], buf_size - 1 - off,
 						 "%-*s", lf_str_size, lfs);
-				if (!strlen(lfs))
-					go_back += lf_str_size;
 			}
-			if (!flag)
-				off -= go_back;
-			else
-				flag = 0;
-			off--;
-			off +=	scnprintf(&buf[off], buf_size - 1 - off, "\n");
+			if (flag) {
+				off +=	scnprintf(&buf[off],
+						  buf_size - 1 - off, "\n");
+				bytes_not_copied = copy_to_user(buffer +
+								(i * off),
+								buf, off);
+				if (bytes_not_copied)
+					goto out;
+
+				i++;
+				*ppos += off;
+			}
 		}
 	}
 
-	bytes_not_copied = copy_to_user(buffer, buf, off);
+out:
 	kfree(lfs);
 	kfree(buf);
-
 	if (bytes_not_copied)
 		return -EFAULT;
 
-	*ppos = off;
-	return off;
+	return *ppos;
 }
 
 RVU_DEBUG_FOPS(rsrc_status, rsrc_attach_status, NULL);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 069/125] octeontx2-af: Fix possible null pointer dereference.
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 068/125] octeontx2-af: Display all enabled PF VF rsrc_alloc entries Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 070/125] ice: Respond to a NETDEV_UNREGISTER event for LAG Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rakesh Babu Saladi,
	Subbaraya Sundeep, Sunil Goutham, David S. Miller

From: Rakesh Babu Saladi <rsaladi2@marvell.com>

commit c2d4c543f74c90f883e8ec62a31973ae8807d354 upstream.

This patch fixes possible null pointer dereference in files
"rvu_debugfs.c" and "rvu_nix.c"

Fixes: 8756828a8148 ("octeontx2-af: Add NPA aura and pool contexts to debugfs")
Fixes: 9a946def264d ("octeontx2-af: Modify nix_vtag_cfg mailbox to support TX VTAG entries")
Signed-off-by: Rakesh Babu Saladi <rsaladi2@marvell.com>
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c |    2 +-
 drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c     |    3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -581,7 +581,7 @@ static ssize_t rvu_dbg_qsize_write(struc
 	if (cmd_buf)
 		ret = -EINVAL;
 
-	if (!strncmp(subtoken, "help", 4) || ret < 0) {
+	if (ret < 0 || !strncmp(subtoken, "help", 4)) {
 		dev_info(rvu->dev, "Use echo <%s-lf > qsize\n", blk_string);
 		goto qsize_write_done;
 	}
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_nix.c
@@ -2146,6 +2146,9 @@ static void nix_free_tx_vtag_entries(str
 		return;
 
 	nix_hw = get_nix_hw(rvu->hw, blkaddr);
+	if (!nix_hw)
+		return;
+
 	vlan = &nix_hw->txvlan;
 
 	mutex_lock(&vlan->rsrc_lock);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 070/125] ice: Respond to a NETDEV_UNREGISTER event for LAG
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 069/125] octeontx2-af: Fix possible null pointer dereference Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 071/125] RDMA/mlx5: Set user priority for DCT Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Ertman, Tony Brelinski, Tony Nguyen

From: Dave Ertman <david.m.ertman@intel.com>

commit 6a8b357278f5f8b9817147277ab8f12879dce8a8 upstream.

When the PF is a member of a link aggregate, and the driver
is removed, the process will hang unless we respond to the
NETDEV_UNREGISTER event that is sent to the event_handler
for LAG.

Add a case statement for the ice_lag_event_handler to unlink
the PF from the link aggregate.

Also remove code that was incorrectly applying a dev_hold to
peer_netdevs that were associated with the ice driver.

Fixes: df006dd4b1dc ("ice: Add initial support framework for LAG")
Signed-off-by: Dave Ertman <david.m.ertman@intel.com>
Tested-by: Tony Brelinski <tony.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/ice/ice_lag.c |   18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

--- a/drivers/net/ethernet/intel/ice/ice_lag.c
+++ b/drivers/net/ethernet/intel/ice/ice_lag.c
@@ -100,9 +100,9 @@ static void ice_display_lag_info(struct
  */
 static void ice_lag_info_event(struct ice_lag *lag, void *ptr)
 {
-	struct net_device *event_netdev, *netdev_tmp;
 	struct netdev_notifier_bonding_info *info;
 	struct netdev_bonding_info *bonding_info;
+	struct net_device *event_netdev;
 	const char *lag_netdev_name;
 
 	event_netdev = netdev_notifier_info_to_dev(ptr);
@@ -123,19 +123,6 @@ static void ice_lag_info_event(struct ic
 		goto lag_out;
 	}
 
-	rcu_read_lock();
-	for_each_netdev_in_bond_rcu(lag->upper_netdev, netdev_tmp) {
-		if (!netif_is_ice(netdev_tmp))
-			continue;
-
-		if (netdev_tmp && netdev_tmp != lag->netdev &&
-		    lag->peer_netdev != netdev_tmp) {
-			dev_hold(netdev_tmp);
-			lag->peer_netdev = netdev_tmp;
-		}
-	}
-	rcu_read_unlock();
-
 	if (bonding_info->slave.state)
 		ice_lag_set_backup(lag);
 	else
@@ -319,6 +306,9 @@ ice_lag_event_handler(struct notifier_bl
 	case NETDEV_BONDING_INFO:
 		ice_lag_info_event(lag, ptr);
 		break;
+	case NETDEV_UNREGISTER:
+		ice_lag_unlink(lag, ptr);
+		break;
 	default:
 		break;
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 071/125] RDMA/mlx5: Set user priority for DCT
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 070/125] ice: Respond to a NETDEV_UNREGISTER event for LAG Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 072/125] ice: check whether PTP is initialized in ice_ptp_release() Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Patrisious Haddad, Maor Gottlieb,
	Leon Romanovsky, Jason Gunthorpe

From: Patrisious Haddad <phaddad@nvidia.com>

commit 1ab52ac1e9bc9391f592c9fa8340a6e3e9c36286 upstream.

Currently, the driver doesn't set the PCP-based priority for DCT, hence
DCT response packets are transmitted without user priority.

Fix it by setting user provided priority in the eth_prio field in the DCT
context, which in turn sets the value in the transmitted packet.

Fixes: 776a3906b692 ("IB/mlx5: Add support for DC target QP")
Link: https://lore.kernel.org/r/5fd2d94a13f5742d8803c218927322257d53205c.1633512672.git.leonro@nvidia.com
Signed-off-by: Patrisious Haddad <phaddad@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/qp.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/infiniband/hw/mlx5/qp.c
+++ b/drivers/infiniband/hw/mlx5/qp.c
@@ -4309,6 +4309,8 @@ static int mlx5_ib_modify_dct(struct ib_
 		MLX5_SET(dctc, dctc, mtu, attr->path_mtu);
 		MLX5_SET(dctc, dctc, my_addr_index, attr->ah_attr.grh.sgid_index);
 		MLX5_SET(dctc, dctc, hop_limit, attr->ah_attr.grh.hop_limit);
+		if (attr->ah_attr.type == RDMA_AH_ATTR_TYPE_ROCE)
+			MLX5_SET(dctc, dctc, eth_prio, attr->ah_attr.sl & 0x7);
 
 		err = mlx5_core_create_dct(dev, &qp->dct.mdct, qp->dct.in,
 					   MLX5_ST_SZ_BYTES(create_dct_in), out,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 072/125] ice: check whether PTP is initialized in ice_ptp_release()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 071/125] RDMA/mlx5: Set user priority for DCT Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 073/125] arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yongxin Liu, Jacob Keller,
	Gurucharan G, Tony Nguyen

From: Yongxin Liu <yongxin.liu@windriver.com>

commit fd1b5beb177a8372cea2a0d014835491e4886f77 upstream.

PTP is currently only supported on E810 devices, it is checked
in ice_ptp_init(). However, there is no check in ice_ptp_release().
For other E800 series devices, ice_ptp_release() will be wrongly executed.

Fix the following calltrace.

  INFO: trying to register non-static key.
  The code is fine but needs lockdep annotation, or maybe
  you didn't initialize this object before use?
  turning off the locking correctness validator.
  Workqueue: ice ice_service_task [ice]
  Call Trace:
   dump_stack_lvl+0x5b/0x82
   dump_stack+0x10/0x12
   register_lock_class+0x495/0x4a0
   ? find_held_lock+0x3c/0xb0
   __lock_acquire+0x71/0x1830
   lock_acquire+0x1e6/0x330
   ? ice_ptp_release+0x3c/0x1e0 [ice]
   ? _raw_spin_lock+0x19/0x70
   ? ice_ptp_release+0x3c/0x1e0 [ice]
   _raw_spin_lock+0x38/0x70
   ? ice_ptp_release+0x3c/0x1e0 [ice]
   ice_ptp_release+0x3c/0x1e0 [ice]
   ice_prepare_for_reset+0xcb/0xe0 [ice]
   ice_do_reset+0x38/0x110 [ice]
   ice_service_task+0x138/0xf10 [ice]
   ? __this_cpu_preempt_check+0x13/0x20
   process_one_work+0x26a/0x650
   worker_thread+0x3f/0x3b0
   ? __kthread_parkme+0x51/0xb0
   ? process_one_work+0x650/0x650
   kthread+0x161/0x190
   ? set_kthread_struct+0x40/0x40
   ret_from_fork+0x1f/0x30

Fixes: 4dd0d5c33c3e ("ice: add lock around Tx timestamp tracker flush")
Signed-off-by: Yongxin Liu <yongxin.liu@windriver.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Tested-by: Gurucharan G <gurucharanx.g@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/intel/ice/ice_ptp.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
@@ -1582,6 +1582,9 @@ err_kworker:
  */
 void ice_ptp_release(struct ice_pf *pf)
 {
+	if (!test_bit(ICE_FLAG_PTP, pf->flags))
+		return;
+
 	/* Disable timestamping for both Tx and Rx */
 	ice_ptp_cfg_timestamp(pf, false);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 073/125] arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 072/125] ice: check whether PTP is initialized in ice_ptp_release() Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 074/125] reset: brcmstb-rescal: fix incorrect polarity of status bit Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Clément Bœsch,
	Jernej Skrabec, Andrew Lunn, Maxime Ripard

From: Clément Bœsch <u@pkh.me>

commit 0764e365dacd0b8f75c1736f9236be280649bd18 upstream.

RX and TX delay are provided by ethernet PHY. Reflect that in ethernet
node.

Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes")
Signed-off-by: Clément Bœsch <u@pkh.me>
Reviewed-by: Jernej Skrabec <jernej.skrabec@gmail.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://lore.kernel.org/r/20210905002027.171984-1-u@pkh.me
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts
+++ b/arch/arm64/boot/dts/allwinner/sun50i-h5-nanopi-neo2.dts
@@ -75,7 +75,7 @@
 	pinctrl-0 = <&emac_rgmii_pins>;
 	phy-supply = <&reg_gmac_3v3>;
 	phy-handle = <&ext_rgmii_phy>;
-	phy-mode = "rgmii";
+	phy-mode = "rgmii-id";
 	status = "okay";
 };
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 074/125] reset: brcmstb-rescal: fix incorrect polarity of status bit
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 073/125] arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 075/125] regmap: Fix possible double-free in regcache_rbtree_exit() Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jim Quinlan, Florian Fainelli, Philipp Zabel

From: Jim Quinlan <jim2101024@gmail.com>

commit f33eb7f29c16ba78db3221ee02346fd832274cdd upstream.

The readl_poll_timeout() should complete when the status bit
is a 1, not 0.

Fixes: 4cf176e52397 ("reset: Add Broadcom STB RESCAL reset controller")
Signed-off-by: Jim Quinlan <jim2101024@gmail.com>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20210914221122.62315-1-f.fainelli@gmail.com
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/reset/reset-brcmstb-rescal.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/reset/reset-brcmstb-rescal.c
+++ b/drivers/reset/reset-brcmstb-rescal.c
@@ -38,7 +38,7 @@ static int brcm_rescal_reset_set(struct
 	}
 
 	ret = readl_poll_timeout(base + BRCM_RESCAL_STATUS, reg,
-				 !(reg & BRCM_RESCAL_STATUS_BIT), 100, 1000);
+				 (reg & BRCM_RESCAL_STATUS_BIT), 100, 1000);
 	if (ret) {
 		dev_err(data->dev, "time out on SATA/PCIe rescal\n");
 		return ret;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 075/125] regmap: Fix possible double-free in regcache_rbtree_exit()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 074/125] reset: brcmstb-rescal: fix incorrect polarity of status bit Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 076/125] net: batman-adv: fix error handling Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Mark Brown

From: Yang Yingliang <yangyingliang@huawei.com>

commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.

In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
so 'rbnode->block' points a freed memory, in the error handling path of
regcache_rbtree_init(), 'rbnode->block' will be freed again in
regcache_rbtree_exit(), KASAN will report double-free as follows:

BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
Call Trace:
 slab_free_freelist_hook+0x10d/0x240
 kfree+0xce/0x390
 regcache_rbtree_exit+0x15d/0x1a0
 regcache_rbtree_init+0x224/0x2c0
 regcache_init+0x88d/0x1310
 __regmap_init+0x3151/0x4a80
 __devm_regmap_init+0x7d/0x100
 madera_spi_probe+0x10f/0x333 [madera_spi]
 spi_probe+0x183/0x210
 really_probe+0x285/0xc30

To fix this, moving up the assignment of rbnode->block to immediately after
the reallocation has succeeded so that the data structure stays valid even
if the second reallocation fails.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/base/regmap/regcache-rbtree.c |    7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

--- a/drivers/base/regmap/regcache-rbtree.c
+++ b/drivers/base/regmap/regcache-rbtree.c
@@ -281,14 +281,14 @@ static int regcache_rbtree_insert_to_blo
 	if (!blk)
 		return -ENOMEM;
 
+	rbnode->block = blk;
+
 	if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
 		present = krealloc(rbnode->cache_present,
 				   BITS_TO_LONGS(blklen) * sizeof(*present),
 				   GFP_KERNEL);
-		if (!present) {
-			kfree(blk);
+		if (!present)
 			return -ENOMEM;
-		}
 
 		memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
 		       (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
@@ -305,7 +305,6 @@ static int regcache_rbtree_insert_to_blo
 	}
 
 	/* update the rbnode block, its size and the base register */
-	rbnode->block = blk;
 	rbnode->blklen = blklen;
 	rbnode->base_reg = base_reg;
 	rbnode->cache_present = present;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 076/125] net: batman-adv: fix error handling
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 075/125] regmap: Fix possible double-free in regcache_rbtree_exit() Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 077/125] net-sysfs: initialize uid and gid before calling net_ns_get_ownership Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Sven Eckelmann,
	David S. Miller, syzbot+28b0702ada0bf7381f58

From: Pavel Skripkin <paskripkin@gmail.com>

commit 6f68cd634856f8ca93bafd623ba5357e0f648c68 upstream.

Syzbot reported ODEBUG warning in batadv_nc_mesh_free(). The problem was
in wrong error handling in batadv_mesh_init().

Before this patch batadv_mesh_init() was calling batadv_mesh_free() in case
of any batadv_*_init() calls failure. This approach may work well, when
there is some kind of indicator, which can tell which parts of batadv are
initialized; but there isn't any.

All written above lead to cleaning up uninitialized fields. Even if we hide
ODEBUG warning by initializing bat_priv->nc.work, syzbot was able to hit
GPF in batadv_nc_purge_paths(), because hash pointer in still NULL. [1]

To fix these bugs we can unwind batadv_*_init() calls one by one.
It is good approach for 2 reasons: 1) It fixes bugs on error handling
path 2) It improves the performance, since we won't call unneeded
batadv_*_free() functions.

So, this patch makes all batadv_*_init() clean up all allocated memory
before returning with an error to no call correspoing batadv_*_free()
and open-codes batadv_mesh_free() with proper order to avoid touching
uninitialized fields.

Link: https://lore.kernel.org/netdev/000000000000c87fbd05cef6bcb0@google.com/ [1]
Reported-and-tested-by: syzbot+28b0702ada0bf7381f58@syzkaller.appspotmail.com
Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Acked-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/batman-adv/bridge_loop_avoidance.c |    8 +++-
 net/batman-adv/main.c                  |   56 +++++++++++++++++++++++----------
 net/batman-adv/network-coding.c        |    4 +-
 net/batman-adv/translation-table.c     |    4 +-
 4 files changed, 52 insertions(+), 20 deletions(-)

--- a/net/batman-adv/bridge_loop_avoidance.c
+++ b/net/batman-adv/bridge_loop_avoidance.c
@@ -1556,10 +1556,14 @@ int batadv_bla_init(struct batadv_priv *
 		return 0;
 
 	bat_priv->bla.claim_hash = batadv_hash_new(128);
-	bat_priv->bla.backbone_hash = batadv_hash_new(32);
+	if (!bat_priv->bla.claim_hash)
+		return -ENOMEM;
 
-	if (!bat_priv->bla.claim_hash || !bat_priv->bla.backbone_hash)
+	bat_priv->bla.backbone_hash = batadv_hash_new(32);
+	if (!bat_priv->bla.backbone_hash) {
+		batadv_hash_destroy(bat_priv->bla.claim_hash);
 		return -ENOMEM;
+	}
 
 	batadv_hash_set_lock_class(bat_priv->bla.claim_hash,
 				   &batadv_claim_hash_lock_class_key);
--- a/net/batman-adv/main.c
+++ b/net/batman-adv/main.c
@@ -190,29 +190,41 @@ int batadv_mesh_init(struct net_device *
 
 	bat_priv->gw.generation = 0;
 
-	ret = batadv_v_mesh_init(bat_priv);
-	if (ret < 0)
-		goto err;
-
 	ret = batadv_originator_init(bat_priv);
-	if (ret < 0)
-		goto err;
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_orig;
+	}
 
 	ret = batadv_tt_init(bat_priv);
-	if (ret < 0)
-		goto err;
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_tt;
+	}
+
+	ret = batadv_v_mesh_init(bat_priv);
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_v;
+	}
 
 	ret = batadv_bla_init(bat_priv);
-	if (ret < 0)
-		goto err;
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_bla;
+	}
 
 	ret = batadv_dat_init(bat_priv);
-	if (ret < 0)
-		goto err;
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_dat;
+	}
 
 	ret = batadv_nc_mesh_init(bat_priv);
-	if (ret < 0)
-		goto err;
+	if (ret < 0) {
+		atomic_set(&bat_priv->mesh_state, BATADV_MESH_DEACTIVATING);
+		goto err_nc;
+	}
 
 	batadv_gw_init(bat_priv);
 	batadv_mcast_init(bat_priv);
@@ -222,8 +234,20 @@ int batadv_mesh_init(struct net_device *
 
 	return 0;
 
-err:
-	batadv_mesh_free(soft_iface);
+err_nc:
+	batadv_dat_free(bat_priv);
+err_dat:
+	batadv_bla_free(bat_priv);
+err_bla:
+	batadv_v_mesh_free(bat_priv);
+err_v:
+	batadv_tt_free(bat_priv);
+err_tt:
+	batadv_originator_free(bat_priv);
+err_orig:
+	batadv_purge_outstanding_packets(bat_priv, NULL);
+	atomic_set(&bat_priv->mesh_state, BATADV_MESH_INACTIVE);
+
 	return ret;
 }
 
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -152,8 +152,10 @@ int batadv_nc_mesh_init(struct batadv_pr
 				   &batadv_nc_coding_hash_lock_class_key);
 
 	bat_priv->nc.decoding_hash = batadv_hash_new(128);
-	if (!bat_priv->nc.decoding_hash)
+	if (!bat_priv->nc.decoding_hash) {
+		batadv_hash_destroy(bat_priv->nc.coding_hash);
 		goto err;
+	}
 
 	batadv_hash_set_lock_class(bat_priv->nc.decoding_hash,
 				   &batadv_nc_decoding_hash_lock_class_key);
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -4193,8 +4193,10 @@ int batadv_tt_init(struct batadv_priv *b
 		return ret;
 
 	ret = batadv_tt_global_init(bat_priv);
-	if (ret < 0)
+	if (ret < 0) {
+		batadv_tt_local_table_free(bat_priv);
 		return ret;
+	}
 
 	batadv_tvlv_handler_register(bat_priv, batadv_tt_tvlv_ogm_handler_v1,
 				     batadv_tt_tvlv_unicast_handler_v1,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 077/125] net-sysfs: initialize uid and gid before calling net_ns_get_ownership
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 076/125] net: batman-adv: fix error handling Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 078/125] cfg80211: correct bridge/4addr mode check Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Paolo Abeni, Xin Long,
	Christian Brauner, David S. Miller

From: Xin Long <lucien.xin@gmail.com>

commit f7a1e76d0f608961cc2fc681f867a834f2746bce upstream.

Currently in net_ns_get_ownership() it may not be able to set uid or gid
if make_kuid or make_kgid returns an invalid value, and an uninit-value
issue can be triggered by this.

This patch is to fix it by initializing the uid and gid before calling
net_ns_get_ownership(), as it does in kobject_get_ownership()

Fixes: e6dee9f3893c ("net-sysfs: add netdev_change_owner()")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/net-sysfs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1973,9 +1973,9 @@ int netdev_register_kobject(struct net_d
 int netdev_change_owner(struct net_device *ndev, const struct net *net_old,
 			const struct net *net_new)
 {
+	kuid_t old_uid = GLOBAL_ROOT_UID, new_uid = GLOBAL_ROOT_UID;
+	kgid_t old_gid = GLOBAL_ROOT_GID, new_gid = GLOBAL_ROOT_GID;
 	struct device *dev = &ndev->dev;
-	kuid_t old_uid, new_uid;
-	kgid_t old_gid, new_gid;
 	int error;
 
 	net_ns_get_ownership(net_old, &old_uid, &old_gid);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 078/125] cfg80211: correct bridge/4addr mode check
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 077/125] net-sysfs: initialize uid and gid before calling net_ns_get_ownership Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 079/125] net: Prevent infinite while loop in skb_tx_hash() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Janusz Dziedzic, Johannes Berg

From: Janusz Dziedzic <janusz.dziedzic@gmail.com>

commit 689a0a9f505f7bffdefe6f17fddb41c8ab6344f6 upstream.

Without the patch we fail:

$ sudo brctl addbr br0
$ sudo brctl addif br0 wlp1s0
$ sudo iw wlp1s0 set 4addr on
command failed: Device or resource busy (-16)

Last command failed but iface was already in 4addr mode.

Fixes: ad4bb6f8883a ("cfg80211: disallow bridging managed/adhoc interfaces")
Signed-off-by: Janusz Dziedzic <janusz.dziedzic@gmail.com>
Link: https://lore.kernel.org/r/20211024201546.614379-1-janusz.dziedzic@gmail.com
[add fixes tag, fix indentation, edit commit log]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/wireless/util.c |   14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -1028,14 +1028,14 @@ int cfg80211_change_iface(struct cfg8021
 	    !(rdev->wiphy.interface_modes & (1 << ntype)))
 		return -EOPNOTSUPP;
 
-	/* if it's part of a bridge, reject changing type to station/ibss */
-	if (netif_is_bridge_port(dev) &&
-	    (ntype == NL80211_IFTYPE_ADHOC ||
-	     ntype == NL80211_IFTYPE_STATION ||
-	     ntype == NL80211_IFTYPE_P2P_CLIENT))
-		return -EBUSY;
-
 	if (ntype != otype) {
+		/* if it's part of a bridge, reject changing type to station/ibss */
+		if (netif_is_bridge_port(dev) &&
+		    (ntype == NL80211_IFTYPE_ADHOC ||
+		     ntype == NL80211_IFTYPE_STATION ||
+		     ntype == NL80211_IFTYPE_P2P_CLIENT))
+			return -EBUSY;
+
 		dev->ieee80211_ptr->use_4addr = false;
 		dev->ieee80211_ptr->mesh_id_up_len = 0;
 		wdev_lock(dev->ieee80211_ptr);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 079/125] net: Prevent infinite while loop in skb_tx_hash()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 078/125] cfg80211: correct bridge/4addr mode check Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 080/125] RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Gospodarek, Michael Chan,
	David S. Miller

From: Michael Chan <michael.chan@broadcom.com>

commit 0c57eeecc559ca6bc18b8c4e2808bc78dbe769b0 upstream.

Drivers call netdev_set_num_tc() and then netdev_set_tc_queue()
to set the queue count and offset for each TC.  So the queue count
and offset for the TCs may be zero for a short period after dev->num_tc
has been set.  If a TX packet is being transmitted at this time in the
code path netdev_pick_tx() -> skb_tx_hash(), skb_tx_hash() may see
nonzero dev->num_tc but zero qcount for the TC.  The while loop that
keeps looping while hash >= qcount will not end.

Fix it by checking the TC's qcount to be nonzero before using it.

Fixes: eadec877ce9c ("net: Add support for subordinate traffic classes to netdev_pick_tx")
Reviewed-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3246,6 +3246,12 @@ static u16 skb_tx_hash(const struct net_
 
 		qoffset = sb_dev->tc_to_txq[tc].offset;
 		qcount = sb_dev->tc_to_txq[tc].count;
+		if (unlikely(!qcount)) {
+			net_warn_ratelimited("%s: invalid qcount, qoffset %u for tc %u\n",
+					     sb_dev->name, qoffset, tc);
+			qoffset = 0;
+			qcount = dev->real_num_tx_queues;
+		}
 	}
 
 	if (skb_rx_queue_recorded(skb)) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 080/125] RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 079/125] net: Prevent infinite while loop in skb_tx_hash() Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 081/125] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aharon Landau, Maor Gottlieb,
	Leon Romanovsky, Jason Gunthorpe

From: Aharon Landau <aharonl@nvidia.com>

commit 5508546631a0f555d7088203dec2614e41b5106e upstream.

Normally the zero fill would hide the missing initialization, but an
errant set to desc_size in reg_create() causes a crash:

  BUG: unable to handle page fault for address: 0000000800000000
  PGD 0 P4D 0
  Oops: 0000 [#1] SMP PTI
  CPU: 5 PID: 890 Comm: ib_write_bw Not tainted 5.15.0-rc4+ #47
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  RIP: 0010:mlx5_ib_dereg_mr+0x14/0x3b0 [mlx5_ib]
  Code: 48 63 cd 4c 89 f7 48 89 0c 24 e8 37 30 03 e1 48 8b 0c 24 eb a0 90 0f 1f 44 00 00 41 56 41 55 41 54 55 53 48 89 fb 48 83 ec 30 <48> 8b 2f 65 48 8b 04 25 28 00 00 00 48 89 44 24 28 31 c0 8b 87 c8
  RSP: 0018:ffff88811afa3a60 EFLAGS: 00010286
  RAX: 000000000000001c RBX: 0000000800000000 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000800000000
  RBP: 0000000800000000 R08: 0000000000000000 R09: c0000000fffff7ff
  R10: ffff88811afa38f8 R11: ffff88811afa38f0 R12: ffffffffa02c7ac0
  R13: 0000000000000000 R14: ffff88811afa3cd8 R15: ffff88810772fa00
  FS:  00007f47b9080740(0000) GS:ffff88852cd40000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000800000000 CR3: 000000010761e003 CR4: 0000000000370ea0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   mlx5_ib_free_odp_mr+0x95/0xc0 [mlx5_ib]
   mlx5_ib_dereg_mr+0x128/0x3b0 [mlx5_ib]
   ib_dereg_mr_user+0x45/0xb0 [ib_core]
   ? xas_load+0x8/0x80
   destroy_hw_idr_uobject+0x1a/0x50 [ib_uverbs]
   uverbs_destroy_uobject+0x2f/0x150 [ib_uverbs]
   uobj_destroy+0x3c/0x70 [ib_uverbs]
   ib_uverbs_cmd_verbs+0x467/0xb00 [ib_uverbs]
   ? uverbs_finalize_object+0x60/0x60 [ib_uverbs]
   ? ttwu_queue_wakelist+0xa9/0xe0
   ? pty_write+0x85/0x90
   ? file_tty_write.isra.33+0x214/0x330
   ? process_echoes+0x60/0x60
   ib_uverbs_ioctl+0xa7/0x110 [ib_uverbs]
   __x64_sys_ioctl+0x10d/0x8e0
   ? vfs_write+0x17f/0x260
   do_syscall_64+0x3c/0x80
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Add the missing xarray initialization and remove the desc_size set.

Fixes: a639e66703ee ("RDMA/mlx5: Zero out ODP related items in the mlx5_ib_mr")
Link: https://lore.kernel.org/r/a4846a11c9de834663e521770da895007f9f0d30.1634642730.git.leonro@nvidia.com
Signed-off-by: Aharon Landau <aharonl@nvidia.com>
Reviewed-by: Maor Gottlieb <maorg@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/hw/mlx5/mr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/infiniband/hw/mlx5/mr.c
+++ b/drivers/infiniband/hw/mlx5/mr.c
@@ -1338,7 +1338,6 @@ static struct mlx5_ib_mr *reg_create(str
 		goto err_2;
 	}
 	mr->mmkey.type = MLX5_MKEY_MR;
-	mr->desc_size = sizeof(struct mlx5_mtt);
 	mr->umem = umem;
 	set_mr_fields(dev, mr, umem->length, access_flags);
 	kvfree(in);
@@ -1532,6 +1531,7 @@ static struct ib_mr *create_user_odp_mr(
 		ib_umem_release(&odp->umem);
 		return ERR_CAST(mr);
 	}
+	xa_init(&mr->implicit_children);
 
 	odp->private = mr;
 	err = mlx5r_store_odp_mkey(dev, &mr->mmkey);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 081/125] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 080/125] RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 082/125] gpio: xgs-iproc: fix parsing of ngpios property Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Zhang, Mark Bloch,
	Leon Romanovsky, Jason Gunthorpe

From: Mark Zhang <markzhang@nvidia.com>

commit 64733956ebba7cc629856f4a6ee35a52bc9c023f upstream.

When copying the device name, the length of the data memcpy copied exceeds
the length of the source buffer, which cause the KASAN issue below.  Use
strscpy_pad() instead.

 BUG: KASAN: slab-out-of-bounds in ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
 Read of size 64 at addr ffff88811a10f5e0 by task rping/140263
 CPU: 3 PID: 140263 Comm: rping Not tainted 5.15.0-rc1+ #1
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
 Call Trace:
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0+0x1d/0xa0
  kasan_report+0xcb/0x110
  kasan_check_range+0x13d/0x180
  memcpy+0x20/0x60
  ib_nl_set_path_rec_attrs+0x136/0x320 [ib_core]
  ib_nl_make_request+0x1c6/0x380 [ib_core]
  send_mad+0x20a/0x220 [ib_core]
  ib_sa_path_rec_get+0x3e3/0x800 [ib_core]
  cma_query_ib_route+0x29b/0x390 [rdma_cm]
  rdma_resolve_route+0x308/0x3e0 [rdma_cm]
  ucma_resolve_route+0xe1/0x150 [rdma_ucm]
  ucma_write+0x17b/0x1f0 [rdma_ucm]
  vfs_write+0x142/0x4d0
  ksys_write+0x133/0x160
  do_syscall_64+0x43/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f26499aa90f
 Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 29 fd ff ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 5c fd ff ff 48
 RSP: 002b:00007f26495f2dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
 RAX: ffffffffffffffda RBX: 00000000000007d0 RCX: 00007f26499aa90f
 RDX: 0000000000000010 RSI: 00007f26495f2e00 RDI: 0000000000000003
 RBP: 00005632a8315440 R08: 0000000000000000 R09: 0000000000000001
 R10: 0000000000000000 R11: 0000000000000293 R12: 00007f26495f2e00
 R13: 00005632a83154e0 R14: 00005632a8315440 R15: 00005632a830a810

 Allocated by task 131419:
  kasan_save_stack+0x1b/0x40
  __kasan_kmalloc+0x7c/0x90
  proc_self_get_link+0x8b/0x100
  pick_link+0x4f1/0x5c0
  step_into+0x2eb/0x3d0
  walk_component+0xc8/0x2c0
  link_path_walk+0x3b8/0x580
  path_openat+0x101/0x230
  do_filp_open+0x12e/0x240
  do_sys_openat2+0x115/0x280
  __x64_sys_openat+0xce/0x140
  do_syscall_64+0x43/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 2ca546b92a02 ("IB/sa: Route SA pathrecord query through netlink")
Link: https://lore.kernel.org/r/72ede0f6dab61f7f23df9ac7a70666e07ef314b0.1635055496.git.leonro@nvidia.com
Signed-off-by: Mark Zhang <markzhang@nvidia.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Signed-off-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/infiniband/core/sa_query.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/infiniband/core/sa_query.c
+++ b/drivers/infiniband/core/sa_query.c
@@ -760,8 +760,9 @@ static void ib_nl_set_path_rec_attrs(str
 
 	/* Construct the family header first */
 	header = skb_put(skb, NLMSG_ALIGN(sizeof(*header)));
-	memcpy(header->device_name, dev_name(&query->port->agent->device->dev),
-	       LS_DEVICE_NAME_MAX);
+	strscpy_pad(header->device_name,
+		    dev_name(&query->port->agent->device->dev),
+		    LS_DEVICE_NAME_MAX);
 	header->port_num = query->port->port_num;
 
 	if ((comp_mask & IB_SA_PATH_REC_REVERSIBLE) &&



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 082/125] gpio: xgs-iproc: fix parsing of ngpios property
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 081/125] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 083/125] nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonas Gorski, Chris Packham,
	Florian Fainelli, Linus Walleij, Bartosz Golaszewski

From: Jonas Gorski <jonas.gorski@gmail.com>

commit 85fe6415c146d5d42ce300c12f1ecf4d4af47d40 upstream.

of_property_read_u32 returns 0 on success, not true, so we need to
invert the check to actually take over the provided ngpio value.

Fixes: 6a41b6c5fc20 ("gpio: Add xgs-iproc driver")
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
Reviewed-by: Chris Packham <chris.packham@alliedtelesis.co.nz>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Bartosz Golaszewski <brgl@bgdev.pl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-xgs-iproc.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpio-xgs-iproc.c
+++ b/drivers/gpio/gpio-xgs-iproc.c
@@ -224,7 +224,7 @@ static int iproc_gpio_probe(struct platf
 	}
 
 	chip->gc.label = dev_name(dev);
-	if (of_property_read_u32(dn, "ngpios", &num_gpios))
+	if (!of_property_read_u32(dn, "ngpios", &num_gpios))
 		chip->gc.ngpio = num_gpios;
 
 	irq = platform_get_irq(pdev, 0);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 083/125] nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 082/125] gpio: xgs-iproc: fix parsing of ngpios property Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 084/125] mlxsw: pci: Recycle received packet upon allocation failure Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Randy Dunlap, Dinh Nguyen

From: Guenter Roeck <linux@roeck-us.net>

commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream.

nios2:allmodconfig builds fail with

make[1]: *** No rule to make target 'arch/nios2/boot/dts/""',
	needed by 'arch/nios2/boot/dts/built-in.a'.  Stop.
make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored)

This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL,
which in turn enables NIOS2_DTB_SOURCE. This causes the build error
because the default value for NIOS2_DTB_SOURCE is an empty string.
Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error.

Fixes: 2fc8483fdcde ("nios2: Build infrastructure")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/nios2/platform/Kconfig.platform |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/nios2/platform/Kconfig.platform
+++ b/arch/nios2/platform/Kconfig.platform
@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR
 
 config NIOS2_DTB_SOURCE_BOOL
 	bool "Compile and link device tree into kernel image"
+	depends on !COMPILE_TEST
 	help
 	  This allows you to specify a dts (device tree source) file
 	  which will be compiled and linked into the kernel image.



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 084/125] mlxsw: pci: Recycle received packet upon allocation failure
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 083/125] nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 085/125] net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ido Schimmel, Petr Machata, Jakub Kicinski

From: Ido Schimmel <idosch@nvidia.com>

commit 759635760a804b0d8ad0cc677b650f1544cae22f upstream.

When the driver fails to allocate a new Rx buffer, it passes an empty Rx
descriptor (contains zero address and size) to the device and marks it
as invalid by setting the skb pointer in the descriptor's metadata to
NULL.

After processing enough Rx descriptors, the driver will try to process
the invalid descriptor, but will return immediately seeing that the skb
pointer is NULL. Since the driver no longer passes new Rx descriptors to
the device, the Rx queue will eventually become full and the device will
start to drop packets.

Fix this by recycling the received packet if allocation of the new
packet failed. This means that allocation is no longer performed at the
end of the Rx routine, but at the start, before tearing down the DMA
mapping of the received packet.

Remove the comment about the descriptor being zeroed as it is no longer
correct. This is OK because we either use the descriptor as-is (when
recycling) or overwrite its address and size fields with that of the
newly allocated Rx buffer.

The issue was discovered when a process ("perf") consumed too much
memory and put the system under memory pressure. It can be reproduced by
injecting slab allocation failures [1]. After the fix, the Rx queue no
longer comes to a halt.

[1]
 # echo 10 > /sys/kernel/debug/failslab/times
 # echo 1000 > /sys/kernel/debug/failslab/interval
 # echo 100 > /sys/kernel/debug/failslab/probability

 FAULT_INJECTION: forcing a failure.
 name failslab, interval 1000, probability 100, space 0, times 8
 [...]
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x34/0x44
  should_fail.cold+0x32/0x37
  should_failslab+0x5/0x10
  kmem_cache_alloc_node+0x23/0x190
  __alloc_skb+0x1f9/0x280
  __netdev_alloc_skb+0x3a/0x150
  mlxsw_pci_rdq_skb_alloc+0x24/0x90
  mlxsw_pci_cq_tasklet+0x3dc/0x1200
  tasklet_action_common.constprop.0+0x9f/0x100
  __do_softirq+0xb5/0x252
  irq_exit_rcu+0x7a/0xa0
  common_interrupt+0x83/0xa0
  </IRQ>
  asm_common_interrupt+0x1e/0x40
 RIP: 0010:cpuidle_enter_state+0xc8/0x340
 [...]
 mlxsw_spectrum2 0000:06:00.0: Failed to alloc skb for RDQ

Fixes: eda6500a987a ("mlxsw: Add PCI bus implementation")
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://lore.kernel.org/r/20211024064014.1060919-1-idosch@idosch.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlxsw/pci.c |   25 ++++++++++++-------------
 1 file changed, 12 insertions(+), 13 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlxsw/pci.c
+++ b/drivers/net/ethernet/mellanox/mlxsw/pci.c
@@ -353,13 +353,10 @@ static int mlxsw_pci_rdq_skb_alloc(struc
 	struct sk_buff *skb;
 	int err;
 
-	elem_info->u.rdq.skb = NULL;
 	skb = netdev_alloc_skb_ip_align(NULL, buf_len);
 	if (!skb)
 		return -ENOMEM;
 
-	/* Assume that wqe was previously zeroed. */
-
 	err = mlxsw_pci_wqe_frag_map(mlxsw_pci, wqe, 0, skb->data,
 				     buf_len, DMA_FROM_DEVICE);
 	if (err)
@@ -597,21 +594,26 @@ static void mlxsw_pci_cqe_rdq_handle(str
 	struct pci_dev *pdev = mlxsw_pci->pdev;
 	struct mlxsw_pci_queue_elem_info *elem_info;
 	struct mlxsw_rx_info rx_info = {};
-	char *wqe;
+	char wqe[MLXSW_PCI_WQE_SIZE];
 	struct sk_buff *skb;
 	u16 byte_count;
 	int err;
 
 	elem_info = mlxsw_pci_queue_elem_info_consumer_get(q);
-	skb = elem_info->u.sdq.skb;
-	if (!skb)
-		return;
-	wqe = elem_info->elem;
-	mlxsw_pci_wqe_frag_unmap(mlxsw_pci, wqe, 0, DMA_FROM_DEVICE);
+	skb = elem_info->u.rdq.skb;
+	memcpy(wqe, elem_info->elem, MLXSW_PCI_WQE_SIZE);
 
 	if (q->consumer_counter++ != consumer_counter_limit)
 		dev_dbg_ratelimited(&pdev->dev, "Consumer counter does not match limit in RDQ\n");
 
+	err = mlxsw_pci_rdq_skb_alloc(mlxsw_pci, elem_info);
+	if (err) {
+		dev_err_ratelimited(&pdev->dev, "Failed to alloc skb for RDQ\n");
+		goto out;
+	}
+
+	mlxsw_pci_wqe_frag_unmap(mlxsw_pci, wqe, 0, DMA_FROM_DEVICE);
+
 	if (mlxsw_pci_cqe_lag_get(cqe_v, cqe)) {
 		rx_info.is_lag = true;
 		rx_info.u.lag_id = mlxsw_pci_cqe_lag_id_get(cqe_v, cqe);
@@ -647,10 +649,7 @@ static void mlxsw_pci_cqe_rdq_handle(str
 	skb_put(skb, byte_count);
 	mlxsw_core_skb_receive(mlxsw_pci->core, skb, &rx_info);
 
-	memset(wqe, 0, q->elem_size);
-	err = mlxsw_pci_rdq_skb_alloc(mlxsw_pci, elem_info);
-	if (err)
-		dev_dbg_ratelimited(&pdev->dev, "Failed to alloc skb for RDQ\n");
+out:
 	/* Everything is set up, ring doorbell to pass elem to HW */
 	q->producer_counter++;
 	mlxsw_pci_queue_doorbell_producer_ring(mlxsw_pci, q);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 085/125] net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 084/125] mlxsw: pci: Recycle received packet upon allocation failure Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 086/125] net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yuiko Oshino, David S. Miller

From: Yuiko Oshino <yuiko.oshino@microchip.com>

commit d6423d2ec39cce2bfca418c81ef51792891576bc upstream.

The driver needs to clean up and return when the initialization fails on resume.

Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/microchip/lan743x_main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -3019,6 +3019,8 @@ static int lan743x_pm_resume(struct devi
 	if (ret) {
 		netif_err(adapter, probe, adapter->netdev,
 			  "lan743x_hardware_init returned %d\n", ret);
+		lan743x_pci_cleanup(adapter);
+		return ret;
 	}
 
 	/* open netdev when netdev is at running state while resume.



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 086/125] net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 085/125] net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 087/125] net: nxp: lpc_eth.c: avoid hang when bringing interface down Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yuiko Oshino, David S. Miller

From: Yuiko Oshino <yuiko.oshino@microchip.com>

commit 95a359c9553342d36d408d35331ff0bfce75272f upstream.

The dma failure was reported in the raspberry pi github (issue #4117).
https://github.com/raspberrypi/linux/issues/4117
The use of dma_set_mask_and_coherent fixes the issue.
Tested on 32/64-bit raspberry pi CM4 and 64-bit ubuntu x86 PC with EVB-LAN7430.

Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/microchip/lan743x_main.c |   20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1743,6 +1743,16 @@ static int lan743x_tx_ring_init(struct l
 		ret = -EINVAL;
 		goto cleanup;
 	}
+	if (dma_set_mask_and_coherent(&tx->adapter->pdev->dev,
+				      DMA_BIT_MASK(64))) {
+		if (dma_set_mask_and_coherent(&tx->adapter->pdev->dev,
+					      DMA_BIT_MASK(32))) {
+			dev_warn(&tx->adapter->pdev->dev,
+				 "lan743x_: No suitable DMA available\n");
+			ret = -ENOMEM;
+			goto cleanup;
+		}
+	}
 	ring_allocation_size = ALIGN(tx->ring_size *
 				     sizeof(struct lan743x_tx_descriptor),
 				     PAGE_SIZE);
@@ -2276,6 +2286,16 @@ static int lan743x_rx_ring_init(struct l
 		ret = -EINVAL;
 		goto cleanup;
 	}
+	if (dma_set_mask_and_coherent(&rx->adapter->pdev->dev,
+				      DMA_BIT_MASK(64))) {
+		if (dma_set_mask_and_coherent(&rx->adapter->pdev->dev,
+					      DMA_BIT_MASK(32))) {
+			dev_warn(&rx->adapter->pdev->dev,
+				 "lan743x_: No suitable DMA available\n");
+			ret = -ENOMEM;
+			goto cleanup;
+		}
+	}
 	ring_allocation_size = ALIGN(rx->ring_size *
 				     sizeof(struct lan743x_rx_descriptor),
 				     PAGE_SIZE);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 087/125] net: nxp: lpc_eth.c: avoid hang when bringing interface down
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 086/125] net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 088/125] net: hns3: fix pause config problem after autoneg disabled Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Trevor Woerner, Vladimir Zapolskiy,
	David S. Miller

From: Trevor Woerner <twoerner@gmail.com>

commit ace19b992436a257d9a793672e57abc28fe83e2e upstream.

A hard hang is observed whenever the ethernet interface is brought
down. If the PHY is stopped before the LPC core block is reset,
the SoC will hang. Comparing lpc_eth_close() and lpc_eth_open() I
re-arranged the ordering of the functions calls in lpc_eth_close() to
reset the hardware before stopping the PHY.
Fixes: b7370112f519 ("lpc32xx: Added ethernet driver")
Signed-off-by: Trevor Woerner <twoerner@gmail.com>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/nxp/lpc_eth.c |    5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

--- a/drivers/net/ethernet/nxp/lpc_eth.c
+++ b/drivers/net/ethernet/nxp/lpc_eth.c
@@ -1015,9 +1015,6 @@ static int lpc_eth_close(struct net_devi
 	napi_disable(&pldat->napi);
 	netif_stop_queue(ndev);
 
-	if (ndev->phydev)
-		phy_stop(ndev->phydev);
-
 	spin_lock_irqsave(&pldat->lock, flags);
 	__lpc_eth_reset(pldat);
 	netif_carrier_off(ndev);
@@ -1025,6 +1022,8 @@ static int lpc_eth_close(struct net_devi
 	writel(0, LPC_ENET_MAC2(pldat->net_base));
 	spin_unlock_irqrestore(&pldat->lock, flags);
 
+	if (ndev->phydev)
+		phy_stop(ndev->phydev);
 	clk_disable_unprepare(pldat->clk);
 
 	return 0;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 088/125] net: hns3: fix pause config problem after autoneg disabled
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 087/125] net: nxp: lpc_eth.c: avoid hang when bringing interface down Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 089/125] net: hns3: fix data endian problem of some functions of debugfs Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Guangbin Huang, David S. Miller

From: Guangbin Huang <huangguangbin2@huawei.com>

commit 3bda2e5df476417b6d08967e2d84234a59d57b1c upstream.

If a TP port is configured by follow steps:
1.ethtool -s ethx autoneg off speed 100 duplex full
2.ethtool -A ethx rx on tx on
3.ethtool -s ethx autoneg on(rx&tx negotiated pause results are off)
4.ethtool -s ethx autoneg off speed 100 duplex full

In step 3, driver will set rx&tx pause parameters of hardware to off as
pause parameters negotiated with link partner are off.

After step 4, the "ethtool -a ethx" command shows both rx and tx pause
parameters are on. However, pause parameters of hardware are still off
and port has no flow control function actually.

To fix this problem, if autoneg is disabled, driver uses its saved
parameters to restore pause of hardware. If the speed is not changed in
this case, there is no link state changed for phy, it will cause the pause
parameter is not taken effect, so we need to force phy to go down and up.

Fixes: aacbe27e82f0 ("net: hns3: modify how pause options is displayed")
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/hisilicon/hns3/hnae3.h             |    1 
 drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c      |   33 +++++++++++-----
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c |   30 ++++++++++++++
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c   |    2 
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h   |    1 
 5 files changed, 57 insertions(+), 10 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
@@ -568,6 +568,7 @@ struct hnae3_ae_ops {
 			       u32 *auto_neg, u32 *rx_en, u32 *tx_en);
 	int (*set_pauseparam)(struct hnae3_handle *handle,
 			      u32 auto_neg, u32 rx_en, u32 tx_en);
+	int (*restore_pauseparam)(struct hnae3_handle *handle);
 
 	int (*set_autoneg)(struct hnae3_handle *handle, bool enable);
 	int (*get_autoneg)(struct hnae3_handle *handle);
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_ethtool.c
@@ -838,6 +838,26 @@ static int hns3_check_ksettings_param(co
 	return 0;
 }
 
+static int hns3_set_phy_link_ksettings(struct net_device *netdev,
+				       const struct ethtool_link_ksettings *cmd)
+{
+	struct hnae3_handle *handle = hns3_get_handle(netdev);
+	const struct hnae3_ae_ops *ops = handle->ae_algo->ops;
+	int ret;
+
+	if (cmd->base.speed == SPEED_1000 &&
+	    cmd->base.autoneg == AUTONEG_DISABLE)
+		return -EINVAL;
+
+	if (cmd->base.autoneg == AUTONEG_DISABLE && ops->restore_pauseparam) {
+		ret = ops->restore_pauseparam(handle);
+		if (ret)
+			return ret;
+	}
+
+	return phy_ethtool_ksettings_set(netdev->phydev, cmd);
+}
+
 static int hns3_set_link_ksettings(struct net_device *netdev,
 				   const struct ethtool_link_ksettings *cmd)
 {
@@ -856,16 +876,11 @@ static int hns3_set_link_ksettings(struc
 		  cmd->base.autoneg, cmd->base.speed, cmd->base.duplex);
 
 	/* Only support ksettings_set for netdev with phy attached for now */
-	if (netdev->phydev) {
-		if (cmd->base.speed == SPEED_1000 &&
-		    cmd->base.autoneg == AUTONEG_DISABLE)
-			return -EINVAL;
-
-		return phy_ethtool_ksettings_set(netdev->phydev, cmd);
-	} else if (test_bit(HNAE3_DEV_SUPPORT_PHY_IMP_B, ae_dev->caps) &&
-		   ops->set_phy_link_ksettings) {
+	if (netdev->phydev)
+		return hns3_set_phy_link_ksettings(netdev, cmd);
+	else if (test_bit(HNAE3_DEV_SUPPORT_PHY_IMP_B, ae_dev->caps) &&
+		 ops->set_phy_link_ksettings)
 		return ops->set_phy_link_ksettings(handle, cmd);
-	}
 
 	if (ae_dev->dev_version < HNAE3_DEVICE_VERSION_V2)
 		return -EOPNOTSUPP;
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -11014,6 +11014,35 @@ static int hclge_set_pauseparam(struct h
 	return -EOPNOTSUPP;
 }
 
+static int hclge_restore_pauseparam(struct hnae3_handle *handle)
+{
+	struct hclge_vport *vport = hclge_get_vport(handle);
+	struct hclge_dev *hdev = vport->back;
+	u32 auto_neg, rx_pause, tx_pause;
+	int ret;
+
+	hclge_get_pauseparam(handle, &auto_neg, &rx_pause, &tx_pause);
+	/* when autoneg is disabled, the pause setting of phy has no effect
+	 * unless the link goes down.
+	 */
+	ret = phy_suspend(hdev->hw.mac.phydev);
+	if (ret)
+		return ret;
+
+	phy_set_asym_pause(hdev->hw.mac.phydev, rx_pause, tx_pause);
+
+	ret = phy_resume(hdev->hw.mac.phydev);
+	if (ret)
+		return ret;
+
+	ret = hclge_mac_pause_setup_hw(hdev);
+	if (ret)
+		dev_err(&hdev->pdev->dev,
+			"restore pauseparam error, ret = %d.\n", ret);
+
+	return ret;
+}
+
 static void hclge_get_ksettings_an_result(struct hnae3_handle *handle,
 					  u8 *auto_neg, u32 *speed, u8 *duplex)
 {
@@ -12943,6 +12972,7 @@ static const struct hnae3_ae_ops hclge_o
 	.halt_autoneg = hclge_halt_autoneg,
 	.get_pauseparam = hclge_get_pauseparam,
 	.set_pauseparam = hclge_set_pauseparam,
+	.restore_pauseparam = hclge_restore_pauseparam,
 	.set_mtu = hclge_set_mtu,
 	.reset_queue = hclge_reset_tqp,
 	.get_stats = hclge_get_stats,
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
@@ -1435,7 +1435,7 @@ static int hclge_bp_setup_hw(struct hclg
 	return 0;
 }
 
-static int hclge_mac_pause_setup_hw(struct hclge_dev *hdev)
+int hclge_mac_pause_setup_hw(struct hclge_dev *hdev)
 {
 	bool tx_en, rx_en;
 
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
@@ -244,6 +244,7 @@ int hclge_tm_get_pri_weight(struct hclge
 int hclge_tm_get_pri_shaper(struct hclge_dev *hdev, u8 pri_id,
 			    enum hclge_opcode_type cmd,
 			    struct hclge_tm_shaper_para *para);
+int hclge_mac_pause_setup_hw(struct hclge_dev *hdev);
 int hclge_tm_get_q_to_qs_map(struct hclge_dev *hdev, u16 q_id, u16 *qset_id);
 int hclge_tm_get_q_to_tc(struct hclge_dev *hdev, u16 q_id, u8 *tc_id);
 int hclge_tm_get_pg_to_pri_map(struct hclge_dev *hdev, u8 pg_id,



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 089/125] net: hns3: fix data endian problem of some functions of debugfs
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 088/125] net: hns3: fix pause config problem after autoneg disabled Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 090/125] net: ethernet: microchip: lan743x: Fix skb allocation failure Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jie Wang, Guangbin Huang, David S. Miller

From: Jie Wang <wangjie125@huawei.com>

commit 2a21dab594a98c338c4bfbc31864cbca15888549 upstream.

The member data in struct hclge_desc is type of __le32, it needs endian
conversion before using it, and some functions of debugfs didn't do that,
so this patch fixes it.

Fixes: c0ebebb9ccc1 ("net: hns3: Add "dcb register" status information query function")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c |   30 ++++++-------
 1 file changed, 14 insertions(+), 16 deletions(-)

--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_debugfs.c
@@ -391,7 +391,7 @@ static int hclge_dbg_dump_mac(struct hcl
 static int hclge_dbg_dump_dcb_qset(struct hclge_dev *hdev, char *buf, int len,
 				   int *pos)
 {
-	struct hclge_dbg_bitmap_cmd *bitmap;
+	struct hclge_dbg_bitmap_cmd req;
 	struct hclge_desc desc;
 	u16 qset_id, qset_num;
 	int ret;
@@ -408,12 +408,12 @@ static int hclge_dbg_dump_dcb_qset(struc
 		if (ret)
 			return ret;
 
-		bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1];
+		req.bitmap = (u8)le32_to_cpu(desc.data[1]);
 
 		*pos += scnprintf(buf + *pos, len - *pos,
 				  "%04u           %#x            %#x             %#x               %#x\n",
-				  qset_id, bitmap->bit0, bitmap->bit1,
-				  bitmap->bit2, bitmap->bit3);
+				  qset_id, req.bit0, req.bit1, req.bit2,
+				  req.bit3);
 	}
 
 	return 0;
@@ -422,7 +422,7 @@ static int hclge_dbg_dump_dcb_qset(struc
 static int hclge_dbg_dump_dcb_pri(struct hclge_dev *hdev, char *buf, int len,
 				  int *pos)
 {
-	struct hclge_dbg_bitmap_cmd *bitmap;
+	struct hclge_dbg_bitmap_cmd req;
 	struct hclge_desc desc;
 	u8 pri_id, pri_num;
 	int ret;
@@ -439,12 +439,11 @@ static int hclge_dbg_dump_dcb_pri(struct
 		if (ret)
 			return ret;
 
-		bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1];
+		req.bitmap = (u8)le32_to_cpu(desc.data[1]);
 
 		*pos += scnprintf(buf + *pos, len - *pos,
 				  "%03u       %#x           %#x                %#x\n",
-				  pri_id, bitmap->bit0, bitmap->bit1,
-				  bitmap->bit2);
+				  pri_id, req.bit0, req.bit1, req.bit2);
 	}
 
 	return 0;
@@ -453,7 +452,7 @@ static int hclge_dbg_dump_dcb_pri(struct
 static int hclge_dbg_dump_dcb_pg(struct hclge_dev *hdev, char *buf, int len,
 				 int *pos)
 {
-	struct hclge_dbg_bitmap_cmd *bitmap;
+	struct hclge_dbg_bitmap_cmd req;
 	struct hclge_desc desc;
 	u8 pg_id;
 	int ret;
@@ -466,12 +465,11 @@ static int hclge_dbg_dump_dcb_pg(struct
 		if (ret)
 			return ret;
 
-		bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1];
+		req.bitmap = (u8)le32_to_cpu(desc.data[1]);
 
 		*pos += scnprintf(buf + *pos, len - *pos,
 				  "%03u      %#x           %#x               %#x\n",
-				  pg_id, bitmap->bit0, bitmap->bit1,
-				  bitmap->bit2);
+				  pg_id, req.bit0, req.bit1, req.bit2);
 	}
 
 	return 0;
@@ -511,7 +509,7 @@ static int hclge_dbg_dump_dcb_queue(stru
 static int hclge_dbg_dump_dcb_port(struct hclge_dev *hdev, char *buf, int len,
 				   int *pos)
 {
-	struct hclge_dbg_bitmap_cmd *bitmap;
+	struct hclge_dbg_bitmap_cmd req;
 	struct hclge_desc desc;
 	u8 port_id = 0;
 	int ret;
@@ -521,12 +519,12 @@ static int hclge_dbg_dump_dcb_port(struc
 	if (ret)
 		return ret;
 
-	bitmap = (struct hclge_dbg_bitmap_cmd *)&desc.data[1];
+	req.bitmap = (u8)le32_to_cpu(desc.data[1]);
 
 	*pos += scnprintf(buf + *pos, len - *pos, "port_mask: %#x\n",
-			 bitmap->bit0);
+			 req.bit0);
 	*pos += scnprintf(buf + *pos, len - *pos, "port_shaping_pass: %#x\n",
-			 bitmap->bit1);
+			 req.bit1);
 
 	return 0;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 090/125] net: ethernet: microchip: lan743x: Fix skb allocation failure
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 089/125] net: hns3: fix data endian problem of some functions of debugfs Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 091/125] net/tls: Fix flipped sign in async_wait.err assignment Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yuiko Oshino, David S. Miller

From: Yuiko Oshino <yuiko.oshino@microchip.com>

commit e8684db191e4164f3f5f3ad7dec04a6734c25f1c upstream.

The driver allocates skb during ndo_open with GFP_ATOMIC which has high chance of failure when there are multiple instances.
GFP_KERNEL is enough while open and use GFP_ATOMIC only from interrupt context.

Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver")
Signed-off-by: Yuiko Oshino <yuiko.oshino@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/microchip/lan743x_main.c |   13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

--- a/drivers/net/ethernet/microchip/lan743x_main.c
+++ b/drivers/net/ethernet/microchip/lan743x_main.c
@@ -1944,7 +1944,8 @@ static void lan743x_rx_update_tail(struc
 				  index);
 }
 
-static int lan743x_rx_init_ring_element(struct lan743x_rx *rx, int index)
+static int lan743x_rx_init_ring_element(struct lan743x_rx *rx, int index,
+					gfp_t gfp)
 {
 	struct net_device *netdev = rx->adapter->netdev;
 	struct device *dev = &rx->adapter->pdev->dev;
@@ -1958,7 +1959,7 @@ static int lan743x_rx_init_ring_element(
 
 	descriptor = &rx->ring_cpu_ptr[index];
 	buffer_info = &rx->buffer_info[index];
-	skb = __netdev_alloc_skb(netdev, buffer_length, GFP_ATOMIC | GFP_DMA);
+	skb = __netdev_alloc_skb(netdev, buffer_length, gfp);
 	if (!skb)
 		return -ENOMEM;
 	dma_ptr = dma_map_single(dev, skb->data, buffer_length, DMA_FROM_DEVICE);
@@ -2120,7 +2121,8 @@ static int lan743x_rx_process_buffer(str
 
 	/* save existing skb, allocate new skb and map to dma */
 	skb = buffer_info->skb;
-	if (lan743x_rx_init_ring_element(rx, rx->last_head)) {
+	if (lan743x_rx_init_ring_element(rx, rx->last_head,
+					 GFP_ATOMIC | GFP_DMA)) {
 		/* failed to allocate next skb.
 		 * Memory is very low.
 		 * Drop this packet and reuse buffer.
@@ -2335,13 +2337,16 @@ static int lan743x_rx_ring_init(struct l
 
 	rx->last_head = 0;
 	for (index = 0; index < rx->ring_size; index++) {
-		ret = lan743x_rx_init_ring_element(rx, index);
+		ret = lan743x_rx_init_ring_element(rx, index, GFP_KERNEL);
 		if (ret)
 			goto cleanup;
 	}
 	return 0;
 
 cleanup:
+	netif_warn(rx->adapter, ifup, rx->adapter->netdev,
+		   "Error allocating memory for LAN743x\n");
+
 	lan743x_rx_ring_cleanup(rx);
 	return ret;
 }



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 091/125] net/tls: Fix flipped sign in async_wait.err assignment
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 090/125] net: ethernet: microchip: lan743x: Fix skb allocation failure Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 092/125] phy: phy_ethtool_ksettings_get: Lock the phy for consistency Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Daniel Jordan,
	David S. Miller

From: Daniel Jordan <daniel.m.jordan@oracle.com>

commit 1d9d6fd21ad4a28b16ed9ee5432ae738b9dc58aa upstream.

sk->sk_err contains a positive number, yet async_wait.err wants the
opposite.  Fix the missed sign flip, which Jakub caught by inspection.

Fixes: a42055e8d2c3 ("net/tls: Add support for async encryption of records for performance")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/tls/tls_sw.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -459,7 +459,7 @@ static void tls_encrypt_done(struct cryp
 
 		/* If err is already set on socket, return the same code */
 		if (sk->sk_err) {
-			ctx->async_wait.err = sk->sk_err;
+			ctx->async_wait.err = -sk->sk_err;
 		} else {
 			ctx->async_wait.err = err;
 			tls_err_abort(sk, err);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 092/125] phy: phy_ethtool_ksettings_get: Lock the phy for consistency
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 091/125] net/tls: Fix flipped sign in async_wait.err assignment Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 093/125] phy: phy_ethtool_ksettings_set: Move after phy_start_aneg Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrew Lunn, David S. Miller

From: Andrew Lunn <andrew@lunn.ch>

commit c10a485c3de5ccbf1fff65a382cebcb2730c6b06 upstream.

The PHY structure should be locked while copying information out if
it, otherwise there is no guarantee of self consistency. Without the
lock the PHY state machine could be updating the structure.

Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -299,6 +299,7 @@ EXPORT_SYMBOL(phy_ethtool_ksettings_set)
 void phy_ethtool_ksettings_get(struct phy_device *phydev,
 			       struct ethtool_link_ksettings *cmd)
 {
+	mutex_lock(&phydev->lock);
 	linkmode_copy(cmd->link_modes.supported, phydev->supported);
 	linkmode_copy(cmd->link_modes.advertising, phydev->advertising);
 	linkmode_copy(cmd->link_modes.lp_advertising, phydev->lp_advertising);
@@ -317,6 +318,7 @@ void phy_ethtool_ksettings_get(struct ph
 	cmd->base.autoneg = phydev->autoneg;
 	cmd->base.eth_tp_mdix_ctrl = phydev->mdix_ctrl;
 	cmd->base.eth_tp_mdix = phydev->mdix;
+	mutex_unlock(&phydev->lock);
 }
 EXPORT_SYMBOL(phy_ethtool_ksettings_get);
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 093/125] phy: phy_ethtool_ksettings_set: Move after phy_start_aneg
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 092/125] phy: phy_ethtool_ksettings_get: Lock the phy for consistency Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 094/125] phy: phy_start_aneg: Add an unlocked version Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrew Lunn, David S. Miller

From: Andrew Lunn <andrew@lunn.ch>

commit 64cd92d5e8180c2ded3fdea76862de6f596ae2c9 upstream.

This allows it to make use of a helper which assume the PHY is already
locked.

Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |  106 +++++++++++++++++++++++++-------------------------
 1 file changed, 53 insertions(+), 53 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -243,59 +243,6 @@ static void phy_sanitize_settings(struct
 	}
 }
 
-int phy_ethtool_ksettings_set(struct phy_device *phydev,
-			      const struct ethtool_link_ksettings *cmd)
-{
-	__ETHTOOL_DECLARE_LINK_MODE_MASK(advertising);
-	u8 autoneg = cmd->base.autoneg;
-	u8 duplex = cmd->base.duplex;
-	u32 speed = cmd->base.speed;
-
-	if (cmd->base.phy_address != phydev->mdio.addr)
-		return -EINVAL;
-
-	linkmode_copy(advertising, cmd->link_modes.advertising);
-
-	/* We make sure that we don't pass unsupported values in to the PHY */
-	linkmode_and(advertising, advertising, phydev->supported);
-
-	/* Verify the settings we care about. */
-	if (autoneg != AUTONEG_ENABLE && autoneg != AUTONEG_DISABLE)
-		return -EINVAL;
-
-	if (autoneg == AUTONEG_ENABLE && linkmode_empty(advertising))
-		return -EINVAL;
-
-	if (autoneg == AUTONEG_DISABLE &&
-	    ((speed != SPEED_1000 &&
-	      speed != SPEED_100 &&
-	      speed != SPEED_10) ||
-	     (duplex != DUPLEX_HALF &&
-	      duplex != DUPLEX_FULL)))
-		return -EINVAL;
-
-	phydev->autoneg = autoneg;
-
-	if (autoneg == AUTONEG_DISABLE) {
-		phydev->speed = speed;
-		phydev->duplex = duplex;
-	}
-
-	linkmode_copy(phydev->advertising, advertising);
-
-	linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT,
-			 phydev->advertising, autoneg == AUTONEG_ENABLE);
-
-	phydev->master_slave_set = cmd->base.master_slave_cfg;
-	phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl;
-
-	/* Restart the PHY */
-	phy_start_aneg(phydev);
-
-	return 0;
-}
-EXPORT_SYMBOL(phy_ethtool_ksettings_set);
-
 void phy_ethtool_ksettings_get(struct phy_device *phydev,
 			       struct ethtool_link_ksettings *cmd)
 {
@@ -802,6 +749,59 @@ static int phy_poll_aneg_done(struct phy
 	return ret < 0 ? ret : 0;
 }
 
+int phy_ethtool_ksettings_set(struct phy_device *phydev,
+			      const struct ethtool_link_ksettings *cmd)
+{
+	__ETHTOOL_DECLARE_LINK_MODE_MASK(advertising);
+	u8 autoneg = cmd->base.autoneg;
+	u8 duplex = cmd->base.duplex;
+	u32 speed = cmd->base.speed;
+
+	if (cmd->base.phy_address != phydev->mdio.addr)
+		return -EINVAL;
+
+	linkmode_copy(advertising, cmd->link_modes.advertising);
+
+	/* We make sure that we don't pass unsupported values in to the PHY */
+	linkmode_and(advertising, advertising, phydev->supported);
+
+	/* Verify the settings we care about. */
+	if (autoneg != AUTONEG_ENABLE && autoneg != AUTONEG_DISABLE)
+		return -EINVAL;
+
+	if (autoneg == AUTONEG_ENABLE && linkmode_empty(advertising))
+		return -EINVAL;
+
+	if (autoneg == AUTONEG_DISABLE &&
+	    ((speed != SPEED_1000 &&
+	      speed != SPEED_100 &&
+	      speed != SPEED_10) ||
+	     (duplex != DUPLEX_HALF &&
+	      duplex != DUPLEX_FULL)))
+		return -EINVAL;
+
+	phydev->autoneg = autoneg;
+
+	if (autoneg == AUTONEG_DISABLE) {
+		phydev->speed = speed;
+		phydev->duplex = duplex;
+	}
+
+	linkmode_copy(phydev->advertising, advertising);
+
+	linkmode_mod_bit(ETHTOOL_LINK_MODE_Autoneg_BIT,
+			 phydev->advertising, autoneg == AUTONEG_ENABLE);
+
+	phydev->master_slave_set = cmd->base.master_slave_cfg;
+	phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl;
+
+	/* Restart the PHY */
+	phy_start_aneg(phydev);
+
+	return 0;
+}
+EXPORT_SYMBOL(phy_ethtool_ksettings_set);
+
 /**
  * phy_speed_down - set speed to lowest speed supported by both link partners
  * @phydev: the phy_device struct



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 094/125] phy: phy_start_aneg: Add an unlocked version
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 093/125] phy: phy_ethtool_ksettings_set: Move after phy_start_aneg Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 095/125] phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andrew Lunn, David S. Miller

From: Andrew Lunn <andrew@lunn.ch>

commit 707293a56f95f8e7e0cfae008010c7933fb68973 upstream.

Split phy_start_aneg into a wrapper which takes the PHY lock, and a
helper doing the real work. This will be needed when
phy_ethtook_ksettings_set takes the lock.

Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support")
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |   30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -700,7 +700,7 @@ static int phy_check_link_status(struct
 }
 
 /**
- * phy_start_aneg - start auto-negotiation for this PHY device
+ * _phy_start_aneg - start auto-negotiation for this PHY device
  * @phydev: the phy_device struct
  *
  * Description: Sanitizes the settings (if we're not autonegotiating
@@ -708,25 +708,43 @@ static int phy_check_link_status(struct
  *   If the PHYCONTROL Layer is operating, we change the state to
  *   reflect the beginning of Auto-negotiation or forcing.
  */
-int phy_start_aneg(struct phy_device *phydev)
+static int _phy_start_aneg(struct phy_device *phydev)
 {
 	int err;
 
+	lockdep_assert_held(&phydev->lock);
+
 	if (!phydev->drv)
 		return -EIO;
 
-	mutex_lock(&phydev->lock);
-
 	if (AUTONEG_DISABLE == phydev->autoneg)
 		phy_sanitize_settings(phydev);
 
 	err = phy_config_aneg(phydev);
 	if (err < 0)
-		goto out_unlock;
+		return err;
 
 	if (phy_is_started(phydev))
 		err = phy_check_link_status(phydev);
-out_unlock:
+
+	return err;
+}
+
+/**
+ * phy_start_aneg - start auto-negotiation for this PHY device
+ * @phydev: the phy_device struct
+ *
+ * Description: Sanitizes the settings (if we're not autonegotiating
+ *   them), and then calls the driver's config_aneg function.
+ *   If the PHYCONTROL Layer is operating, we change the state to
+ *   reflect the beginning of Auto-negotiation or forcing.
+ */
+int phy_start_aneg(struct phy_device *phydev)
+{
+	int err;
+
+	mutex_lock(&phydev->lock);
+	err = _phy_start_aneg(phydev);
 	mutex_unlock(&phydev->lock);
 
 	return err;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 095/125] phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 094/125] phy: phy_start_aneg: Add an unlocked version Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 096/125] RDMA/irdma: Process extended CQ entries correctly Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Walter Stoll, Andrew Lunn, David S. Miller

From: Andrew Lunn <andrew@lunn.ch>

commit af1a02aa23c37045e6adfcf074cf7dbac167a403 upstream.

There is a race condition where the PHY state machine can change
members of the phydev structure at the same time userspace requests a
change via ethtool. To prevent this, have phy_ethtool_ksettings_set
take the PHY lock.

Fixes: 2d55173e71b0 ("phy: add generic function to support ksetting support")
Reported-by: Walter Stoll <Walter.Stoll@duagon.com>
Suggested-by: Walter Stoll <Walter.Stoll@duagon.com>
Tested-by: Walter Stoll <Walter.Stoll@duagon.com>
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/phy.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/drivers/net/phy/phy.c
+++ b/drivers/net/phy/phy.c
@@ -798,6 +798,7 @@ int phy_ethtool_ksettings_set(struct phy
 	      duplex != DUPLEX_FULL)))
 		return -EINVAL;
 
+	mutex_lock(&phydev->lock);
 	phydev->autoneg = autoneg;
 
 	if (autoneg == AUTONEG_DISABLE) {
@@ -814,8 +815,9 @@ int phy_ethtool_ksettings_set(struct phy
 	phydev->mdix_ctrl = cmd->base.eth_tp_mdix_ctrl;
 
 	/* Restart the PHY */
-	phy_start_aneg(phydev);
+	_phy_start_aneg(phydev);
 
+	mutex_unlock(&phydev->lock);
 	return 0;
 }
 EXPORT_SYMBOL(phy_ethtool_ksettings_set);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 096/125] RDMA/irdma: Process extended CQ entries correctly
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 095/125] phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 097/125] RDMA/irdma: Set VLAN in UD work completion correctly Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shiraz Saleem, Jason Gunthorpe, Sasha Levin

From: Shiraz Saleem <shiraz.saleem@intel.com>

[ Upstream commit e93c7d8e8c4cf80c6afe56e71c83c1cd31b4fce1 ]

The valid bit for extended CQE's written by HW is retrieved from the
incorrect quad-word. This leads to missed completions for any UD traffic
particularly after a wrap-around.

Get the valid bit for extended CQE's from the correct quad-word in the
descriptor.

Fixes: 551c46edc769 ("RDMA/irdma: Add user/kernel shared libraries")
Link: https://lore.kernel.org/r/20211005182302.374-1-shiraz.saleem@intel.com
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/irdma/uk.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/uk.c b/drivers/infiniband/hw/irdma/uk.c
index 5fb92de1f015..9b544a3b1288 100644
--- a/drivers/infiniband/hw/irdma/uk.c
+++ b/drivers/infiniband/hw/irdma/uk.c
@@ -1092,12 +1092,12 @@ irdma_uk_cq_poll_cmpl(struct irdma_cq_uk *cq, struct irdma_cq_poll_info *info)
 		if (cq->avoid_mem_cflct) {
 			ext_cqe = (__le64 *)((u8 *)cqe + 32);
 			get_64bit_val(ext_cqe, 24, &qword7);
-			polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword3);
+			polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword7);
 		} else {
 			peek_head = (cq->cq_ring.head + 1) % cq->cq_ring.size;
 			ext_cqe = cq->cq_base[peek_head].buf;
 			get_64bit_val(ext_cqe, 24, &qword7);
-			polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword3);
+			polarity = (u8)FIELD_GET(IRDMA_CQ_VALID, qword7);
 			if (!peek_head)
 				polarity ^= 1;
 		}
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 097/125] RDMA/irdma: Set VLAN in UD work completion correctly
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 096/125] RDMA/irdma: Process extended CQ entries correctly Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 098/125] RDMA/irdma: Do not hold qos mutex twice on QP resume Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mustafa Ismail, Shiraz Saleem,
	Jason Gunthorpe, Sasha Levin

From: Mustafa Ismail <mustafa.ismail@intel.com>

[ Upstream commit cc07b73ef11d11d4359fb104d0199b22451dd3d8 ]

Currently VLAN is reported in UD work completion when VLAN id is zero,
i.e. no VLAN case.

Report VLAN in UD work completion only when VLAN id is non-zero.

Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
Link: https://lore.kernel.org/r/20211019151654.1943-1-shiraz.saleem@intel.com
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/irdma/verbs.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/verbs.c b/drivers/infiniband/hw/irdma/verbs.c
index fa393c5ea397..4261705fa19d 100644
--- a/drivers/infiniband/hw/irdma/verbs.c
+++ b/drivers/infiniband/hw/irdma/verbs.c
@@ -3405,9 +3405,13 @@ static void irdma_process_cqe(struct ib_wc *entry,
 		}
 
 		if (cq_poll_info->ud_vlan_valid) {
-			entry->vlan_id = cq_poll_info->ud_vlan & VLAN_VID_MASK;
-			entry->wc_flags |= IB_WC_WITH_VLAN;
+			u16 vlan = cq_poll_info->ud_vlan & VLAN_VID_MASK;
+
 			entry->sl = cq_poll_info->ud_vlan >> VLAN_PRIO_SHIFT;
+			if (vlan) {
+				entry->vlan_id = vlan;
+				entry->wc_flags |= IB_WC_WITH_VLAN;
+			}
 		} else {
 			entry->sl = 0;
 		}
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 098/125] RDMA/irdma: Do not hold qos mutex twice on QP resume
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 097/125] RDMA/irdma: Set VLAN in UD work completion correctly Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 099/125] sctp: use init_tag from inithdr for ABORT chunk Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mustafa Ismail, Shiraz Saleem,
	Jason Gunthorpe, Sasha Levin

From: Mustafa Ismail <mustafa.ismail@intel.com>

[ Upstream commit 2dace185caa580720c7cd67fec9efc5ee26108ac ]

When irdma_ws_add fails, irdma_ws_remove is used to cleanup the leaf node.
This lead to holding the qos mutex twice in the QP resume path. Fix this
by avoiding the call to irdma_ws_remove and unwinding the error in
irdma_ws_add. This skips the call to irdma_tc_in_use function which is not
needed in the error unwind cases.

Fixes: 3ae331c75128 ("RDMA/irdma: Add QoS definitions")
Link: https://lore.kernel.org/r/20211019151654.1943-2-shiraz.saleem@intel.com
Signed-off-by: Mustafa Ismail <mustafa.ismail@intel.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/irdma/ws.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/infiniband/hw/irdma/ws.c b/drivers/infiniband/hw/irdma/ws.c
index b68c575eb78e..b0d6ee0739f5 100644
--- a/drivers/infiniband/hw/irdma/ws.c
+++ b/drivers/infiniband/hw/irdma/ws.c
@@ -330,8 +330,10 @@ enum irdma_status_code irdma_ws_add(struct irdma_sc_vsi *vsi, u8 user_pri)
 
 		tc_node->enable = true;
 		ret = irdma_ws_cqp_cmd(vsi, tc_node, IRDMA_OP_WS_MODIFY_NODE);
-		if (ret)
+		if (ret) {
+			vsi->unregister_qset(vsi, tc_node);
 			goto reg_err;
+		}
 	}
 	ibdev_dbg(to_ibdev(vsi->dev),
 		  "WS: Using node %d which represents VSI %d TC %d\n",
@@ -350,6 +352,10 @@ enum irdma_status_code irdma_ws_add(struct irdma_sc_vsi *vsi, u8 user_pri)
 	}
 	goto exit;
 
+reg_err:
+	irdma_ws_cqp_cmd(vsi, tc_node, IRDMA_OP_WS_DELETE_NODE);
+	list_del(&tc_node->siblings);
+	irdma_free_node(vsi, tc_node);
 leaf_add_err:
 	if (list_empty(&vsi_node->child_list_head)) {
 		if (irdma_ws_cqp_cmd(vsi, vsi_node, IRDMA_OP_WS_DELETE_NODE))
@@ -369,11 +375,6 @@ vsi_add_err:
 exit:
 	mutex_unlock(&vsi->dev->ws_mutex);
 	return ret;
-
-reg_err:
-	mutex_unlock(&vsi->dev->ws_mutex);
-	irdma_ws_remove(vsi, user_pri);
-	return ret;
 }
 
 /**
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 099/125] sctp: use init_tag from inithdr for ABORT chunk
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 098/125] RDMA/irdma: Do not hold qos mutex twice on QP resume Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 100/125] sctp: fix the processing for INIT chunk Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]

Currently Linux SCTP uses the verification tag of the existing SCTP
asoc when failing to process and sending the packet with the ABORT
chunk. This will result in the peer accepting the ABORT chunk and
removing the SCTP asoc. One could exploit this to terminate a SCTP
asoc.

This patch is to fix it by always using the initiate tag of the
received INIT chunk for the ABORT chunk to be sent.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 32df65f68c12..7f8306968c39 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -6348,6 +6348,7 @@ static struct sctp_packet *sctp_ootb_pkt_new(
 		 * yet.
 		 */
 		switch (chunk->chunk_hdr->type) {
+		case SCTP_CID_INIT:
 		case SCTP_CID_INIT_ACK:
 		{
 			struct sctp_initack_chunk *initack;
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 100/125] sctp: fix the processing for INIT chunk
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 099/125] sctp: use init_tag from inithdr for ABORT chunk Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 101/125] sctp: fix the processing for INIT_ACK chunk Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit eae5783908042a762c24e1bd11876edb91d314b1 ]

This patch fixes the problems below:

1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and
   sctp_sf_do_5_2_2_dupinit():

  chunk length check should be done before any checks that may cause
  to send abort, as making packet for abort will access the init_tag
  from init_hdr in sctp_ootb_pkt_new().

2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack():

  The same checks as does in sctp_sf_do_5_2_2_dupinit() is needed
  for sctp_sf_do_9_2_reshutack().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 72 ++++++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 26 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 7f8306968c39..9bfa8cca9974 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -156,6 +156,12 @@ static enum sctp_disposition __sctp_sf_do_9_1_abort(
 					void *arg,
 					struct sctp_cmd_seq *commands);
 
+static enum sctp_disposition
+__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
+			   const struct sctp_association *asoc,
+			   const union sctp_subtype type, void *arg,
+			   struct sctp_cmd_seq *commands);
+
 /* Small helper function that checks if the chunk length
  * is of the appropriate length.  The 'required_length' argument
  * is set to be the size of a specific chunk we are testing.
@@ -337,6 +343,14 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
 	if (!chunk->singleton)
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
+	/* Make sure that the INIT chunk has a valid length.
+	 * Normally, this would cause an ABORT with a Protocol Violation
+	 * error, but since we don't have an association, we'll
+	 * just discard the packet.
+	 */
+	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* If the packet is an OOTB packet which is temporarily on the
 	 * control endpoint, respond with an ABORT.
 	 */
@@ -351,14 +365,6 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
 	if (chunk->sctp_hdr->vtag != 0)
 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 
-	/* Make sure that the INIT chunk has a valid length.
-	 * Normally, this would cause an ABORT with a Protocol Violation
-	 * error, but since we don't have an association, we'll
-	 * just discard the packet.
-	 */
-	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
-		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-
 	/* If the INIT is coming toward a closing socket, we'll send back
 	 * and ABORT.  Essentially, this catches the race of INIT being
 	 * backloged to the socket at the same time as the user issues close().
@@ -1524,20 +1530,16 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
 	if (!chunk->singleton)
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
+	/* Make sure that the INIT chunk has a valid length. */
+	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* 3.1 A packet containing an INIT chunk MUST have a zero Verification
 	 * Tag.
 	 */
 	if (chunk->sctp_hdr->vtag != 0)
 		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
 
-	/* Make sure that the INIT chunk has a valid length.
-	 * In this case, we generate a protocol violation since we have
-	 * an association established.
-	 */
-	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
-		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-						  commands);
-
 	if (SCTP_INPUT_CB(chunk->skb)->encap_port != chunk->transport->encap_port)
 		return sctp_sf_new_encap_port(net, ep, asoc, type, arg, commands);
 
@@ -1882,9 +1884,9 @@ static enum sctp_disposition sctp_sf_do_dupcook_a(
 	 * its peer.
 	*/
 	if (sctp_state(asoc, SHUTDOWN_ACK_SENT)) {
-		disposition = sctp_sf_do_9_2_reshutack(net, ep, asoc,
-				SCTP_ST_CHUNK(chunk->chunk_hdr->type),
-				chunk, commands);
+		disposition = __sctp_sf_do_9_2_reshutack(net, ep, asoc,
+							 SCTP_ST_CHUNK(chunk->chunk_hdr->type),
+							 chunk, commands);
 		if (SCTP_DISPOSITION_NOMEM == disposition)
 			goto nomem;
 
@@ -2970,13 +2972,11 @@ enum sctp_disposition sctp_sf_do_9_2_shut_ctsn(
  * that belong to this association, it should discard the INIT chunk and
  * retransmit the SHUTDOWN ACK chunk.
  */
-enum sctp_disposition sctp_sf_do_9_2_reshutack(
-					struct net *net,
-					const struct sctp_endpoint *ep,
-					const struct sctp_association *asoc,
-					const union sctp_subtype type,
-					void *arg,
-					struct sctp_cmd_seq *commands)
+static enum sctp_disposition
+__sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
+			   const struct sctp_association *asoc,
+			   const union sctp_subtype type, void *arg,
+			   struct sctp_cmd_seq *commands)
 {
 	struct sctp_chunk *chunk = arg;
 	struct sctp_chunk *reply;
@@ -3010,6 +3010,26 @@ nomem:
 	return SCTP_DISPOSITION_NOMEM;
 }
 
+enum sctp_disposition
+sctp_sf_do_9_2_reshutack(struct net *net, const struct sctp_endpoint *ep,
+			 const struct sctp_association *asoc,
+			 const union sctp_subtype type, void *arg,
+			 struct sctp_cmd_seq *commands)
+{
+	struct sctp_chunk *chunk = arg;
+
+	if (!chunk->singleton)
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
+	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_init_chunk)))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
+	if (chunk->sctp_hdr->vtag != 0)
+		return sctp_sf_tabort_8_4_8(net, ep, asoc, type, arg, commands);
+
+	return __sctp_sf_do_9_2_reshutack(net, ep, asoc, type, arg, commands);
+}
+
 /*
  * sctp_sf_do_ecn_cwr
  *
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 101/125] sctp: fix the processing for INIT_ACK chunk
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 100/125] sctp: fix the processing for INIT chunk Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 102/125] sctp: fix the processing for COOKIE_ECHO chunk Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 438b95a7c98f77d51cbf4db021f41b602d750a3f ]

Currently INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminal a SCTP asoc.

sctp_sf_discard_chunk() also is called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 37 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 18 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 9bfa8cca9974..672e5308839b 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2343,7 +2343,7 @@ enum sctp_disposition sctp_sf_shutdown_pending_abort(
 	 */
 	if (SCTP_ADDR_DEL ==
 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
-		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
 	if (!sctp_err_chunk_valid(chunk))
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -2389,7 +2389,7 @@ enum sctp_disposition sctp_sf_shutdown_sent_abort(
 	 */
 	if (SCTP_ADDR_DEL ==
 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
-		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
 	if (!sctp_err_chunk_valid(chunk))
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -2659,7 +2659,7 @@ enum sctp_disposition sctp_sf_do_9_1_abort(
 	 */
 	if (SCTP_ADDR_DEL ==
 		    sctp_bind_addr_state(&asoc->base.bind_addr, &chunk->dest))
-		return sctp_sf_discard_chunk(net, ep, asoc, type, arg, commands);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
 	if (!sctp_err_chunk_valid(chunk))
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -3865,6 +3865,11 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net,
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 	}
 
+	/* Make sure that the ASCONF ADDIP chunk has a valid length.  */
+	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
+		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+						  commands);
+
 	/* ADD-IP: Section 4.1.1
 	 * This chunk MUST be sent in an authenticated way by using
 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
@@ -3873,13 +3878,7 @@ enum sctp_disposition sctp_sf_do_asconf(struct net *net,
 	 */
 	if (!asoc->peer.asconf_capable ||
 	    (!net->sctp.addip_noauth && !chunk->auth))
-		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
-					     commands);
-
-	/* Make sure that the ASCONF ADDIP chunk has a valid length.  */
-	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_addip_chunk)))
-		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-						  commands);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
 	hdr = (struct sctp_addiphdr *)chunk->skb->data;
 	serial = ntohl(hdr->serial);
@@ -4008,6 +4007,12 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
 		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 	}
 
+	/* Make sure that the ADDIP chunk has a valid length.  */
+	if (!sctp_chunk_length_valid(asconf_ack,
+				     sizeof(struct sctp_addip_chunk)))
+		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+						  commands);
+
 	/* ADD-IP, Section 4.1.2:
 	 * This chunk MUST be sent in an authenticated way by using
 	 * the mechanism defined in [I-D.ietf-tsvwg-sctp-auth]. If this chunk
@@ -4016,14 +4021,7 @@ enum sctp_disposition sctp_sf_do_asconf_ack(struct net *net,
 	 */
 	if (!asoc->peer.asconf_capable ||
 	    (!net->sctp.addip_noauth && !asconf_ack->auth))
-		return sctp_sf_discard_chunk(net, ep, asoc, type, arg,
-					     commands);
-
-	/* Make sure that the ADDIP chunk has a valid length.  */
-	if (!sctp_chunk_length_valid(asconf_ack,
-				     sizeof(struct sctp_addip_chunk)))
-		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-						  commands);
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
 
 	addip_hdr = (struct sctp_addiphdr *)asconf_ack->skb->data;
 	rcvd_serial = ntohl(addip_hdr->serial);
@@ -4595,6 +4593,9 @@ enum sctp_disposition sctp_sf_discard_chunk(struct net *net,
 {
 	struct sctp_chunk *chunk = arg;
 
+	if (asoc && !sctp_vtag_verify(chunk, asoc))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* Make sure that the chunk has a valid length.
 	 * Since we don't know the chunk type, we use a general
 	 * chunkhdr structure to make a comparison.
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 102/125] sctp: fix the processing for COOKIE_ECHO chunk
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 101/125] sctp: fix the processing for INIT_ACK chunk Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 103/125] sctp: add vtag check in sctp_sf_violation Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]

1. In closed state: in sctp_sf_do_5_1D_ce():

  When asoc is NULL, making packet for abort will use chunk's vtag
  in sctp_ootb_pkt_new(). But when asoc exists, vtag from the chunk
  should be verified before using peer.i.init_tag to make packet
  for abort in sctp_ootb_pkt_new(), and just discard it if vtag is
  not correct.

2. In the other states: in sctp_sf_do_5_2_4_dupcook():

  asoc always exists, but duplicate cookie_echo's vtag will be
  handled by sctp_tietags_compare() and then take actions, so before
  that we only verify the vtag for the abort sent for invalid chunk
  length.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 672e5308839b..96a069d725e9 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -710,6 +710,9 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 	struct sock *sk;
 	int error = 0;
 
+	if (asoc && !sctp_vtag_verify(chunk, asoc))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* If the packet is an OOTB packet which is temporarily on the
 	 * control endpoint, respond with an ABORT.
 	 */
@@ -724,7 +727,8 @@ enum sctp_disposition sctp_sf_do_5_1D_ce(struct net *net,
 	 * in sctp_unpack_cookie().
 	 */
 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
-		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
+						  commands);
 
 	/* If the endpoint is not listening or if the number of associations
 	 * on the TCP-style socket exceed the max backlog, respond with an
@@ -2204,9 +2208,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
 	 * enough for the chunk header.  Cookie length verification is
 	 * done later.
 	 */
-	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
-		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-						  commands);
+	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr))) {
+		if (!sctp_vtag_verify(chunk, asoc))
+			asoc = NULL;
+		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg, commands);
+	}
 
 	/* "Decode" the chunk.  We have no optional parameters so we
 	 * are in good shape.
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 103/125] sctp: add vtag check in sctp_sf_violation
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 102/125] sctp: fix the processing for COOKIE_ECHO chunk Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 104/125] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ]

sctp_sf_violation() is called when processing HEARTBEAT_ACK chunk
in cookie_wait state, and some other places are also using it.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 96a069d725e9..36328ab88bdd 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -4669,6 +4669,9 @@ enum sctp_disposition sctp_sf_violation(struct net *net,
 {
 	struct sctp_chunk *chunk = arg;
 
+	if (!sctp_vtag_verify(chunk, asoc))
+		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
 	/* Make sure that the chunk has a valid length. */
 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 104/125] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 103/125] sctp: add vtag check in sctp_sf_violation Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 105/125] sctp: add vtag check in sctp_sf_ootb Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ]

sctp_sf_do_8_5_1_E_sa() is called when processing SHUTDOWN_ACK chunk
in cookie_wait and cookie_echoed state.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Note that when fails to verify the vtag from SHUTDOWN-ACK chunk,
SHUTDOWN COMPLETE message will still be sent back to peer, but
with the vtag from SHUTDOWN-ACK chunk, as said in 5) of
rfc4960#section-8.4.

While at it, also remove the unnecessary chunk length check from
sctp_sf_shut_8_4_5(), as it's already done in both places where
it calls sctp_sf_shut_8_4_5().

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 36328ab88bdd..a3545498a038 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3803,12 +3803,6 @@ static enum sctp_disposition sctp_sf_shut_8_4_5(
 
 	SCTP_INC_STATS(net, SCTP_MIB_OUTCTRLCHUNKS);
 
-	/* If the chunk length is invalid, we don't want to process
-	 * the reset of the packet.
-	 */
-	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
-		return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
-
 	/* We need to discard the rest of the packet to prevent
 	 * potential boomming attacks from additional bundled chunks.
 	 * This is documented in SCTP Threats ID.
@@ -3836,6 +3830,9 @@ enum sctp_disposition sctp_sf_do_8_5_1_E_sa(struct net *net,
 {
 	struct sctp_chunk *chunk = arg;
 
+	if (!sctp_vtag_verify(chunk, asoc))
+		asoc = NULL;
+
 	/* Make sure that the SHUTDOWN_ACK chunk has a valid length. */
 	if (!sctp_chunk_length_valid(chunk, sizeof(struct sctp_chunkhdr)))
 		return sctp_sf_violation_chunklen(net, ep, asoc, type, arg,
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 105/125] sctp: add vtag check in sctp_sf_ootb
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 104/125] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:17 ` [PATCH 5.14 106/125] bpf: Use kvmalloc for map values in syscall Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xin Long, Marcelo Ricardo Leitner,
	Jakub Kicinski, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ]

sctp_sf_ootb() is called when processing DATA chunk in closed state,
and many other places are also using it.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in chunk length check, it may send abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

When fails to verify the vtag from the chunk, this patch sets asoc
to NULL, so that the abort will be made with the vtag from the
received chunk later.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/sm_statefuns.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index a3545498a038..fb3da4d8f4a3 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -3688,6 +3688,9 @@ enum sctp_disposition sctp_sf_ootb(struct net *net,
 
 	SCTP_INC_STATS(net, SCTP_MIB_OUTOFBLUES);
 
+	if (asoc && !sctp_vtag_verify(chunk, asoc))
+		asoc = NULL;
+
 	ch = (struct sctp_chunkhdr *)chunk->chunk_hdr;
 	do {
 		/* Report violation if the chunk is less then minimal */
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 106/125] bpf: Use kvmalloc for map values in syscall
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 105/125] sctp: add vtag check in sctp_sf_ootb Greg Kroah-Hartman
@ 2021-11-01  9:17 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 107/125] watchdog: sbsa: only use 32-bit accessors Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:17 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stanislav Fomichev, Daniel Borkmann,
	Song Liu, Sasha Levin

From: Stanislav Fomichev <sdf@google.com>

[ Upstream commit f0dce1d9b7c81fc3dc9d0cc0bc7ef9b3eae22584 ]

Use kvmalloc/kvfree for temporary value when manipulating a map via
syscall. kmalloc might not be sufficient for percpu maps where the value
is big (and further multiplied by hundreds of CPUs).

Can be reproduced with netcnt test on qemu with "-smp 255".

Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20210818235216.1159202-1-sdf@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/syscall.c | 28 +++++++++++-----------------
 1 file changed, 11 insertions(+), 17 deletions(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index d245061ba318..92ed4b2984b8 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1066,7 +1066,7 @@ static int map_lookup_elem(union bpf_attr *attr)
 	value_size = bpf_map_value_size(map);
 
 	err = -ENOMEM;
-	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
+	value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
 	if (!value)
 		goto free_key;
 
@@ -1081,7 +1081,7 @@ static int map_lookup_elem(union bpf_attr *attr)
 	err = 0;
 
 free_value:
-	kfree(value);
+	kvfree(value);
 free_key:
 	kfree(key);
 err_put:
@@ -1127,16 +1127,10 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr)
 		goto err_put;
 	}
 
-	if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
-	    map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
-	    map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY ||
-	    map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
-		value_size = round_up(map->value_size, 8) * num_possible_cpus();
-	else
-		value_size = map->value_size;
+	value_size = bpf_map_value_size(map);
 
 	err = -ENOMEM;
-	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
+	value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
 	if (!value)
 		goto free_key;
 
@@ -1147,7 +1141,7 @@ static int map_update_elem(union bpf_attr *attr, bpfptr_t uattr)
 	err = bpf_map_update_value(map, f, key, value, attr->flags);
 
 free_value:
-	kfree(value);
+	kvfree(value);
 free_key:
 	kfree(key);
 err_put:
@@ -1356,7 +1350,7 @@ int generic_map_update_batch(struct bpf_map *map,
 	if (!key)
 		return -ENOMEM;
 
-	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
+	value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
 	if (!value) {
 		kfree(key);
 		return -ENOMEM;
@@ -1380,7 +1374,7 @@ int generic_map_update_batch(struct bpf_map *map,
 	if (copy_to_user(&uattr->batch.count, &cp, sizeof(cp)))
 		err = -EFAULT;
 
-	kfree(value);
+	kvfree(value);
 	kfree(key);
 	fdput(f);
 	return err;
@@ -1420,7 +1414,7 @@ int generic_map_lookup_batch(struct bpf_map *map,
 	if (!buf_prevkey)
 		return -ENOMEM;
 
-	buf = kmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN);
+	buf = kvmalloc(map->key_size + value_size, GFP_USER | __GFP_NOWARN);
 	if (!buf) {
 		kfree(buf_prevkey);
 		return -ENOMEM;
@@ -1483,7 +1477,7 @@ int generic_map_lookup_batch(struct bpf_map *map,
 
 free_buf:
 	kfree(buf_prevkey);
-	kfree(buf);
+	kvfree(buf);
 	return err;
 }
 
@@ -1538,7 +1532,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
 	value_size = bpf_map_value_size(map);
 
 	err = -ENOMEM;
-	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
+	value = kvmalloc(value_size, GFP_USER | __GFP_NOWARN);
 	if (!value)
 		goto free_key;
 
@@ -1570,7 +1564,7 @@ static int map_lookup_and_delete_elem(union bpf_attr *attr)
 	err = 0;
 
 free_value:
-	kfree(value);
+	kvfree(value);
 free_key:
 	kfree(key);
 err_put:
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 107/125] watchdog: sbsa: only use 32-bit accessors
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-11-01  9:17 ` [PATCH 5.14 106/125] bpf: Use kvmalloc for map values in syscall Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 108/125] bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of CONFIG_NET Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jamie Iles, Guenter Roeck,
	Shaokun Zhang, Wim Van Sebroeck, Sasha Levin

From: Jamie Iles <quic_jiles@quicinc.com>

[ Upstream commit f31afb502c3151855df3ed40f5974c7884c10d14 ]

SBSA says of the generic watchdog:

  All registers are 32 bits in size and should be accessed using 32-bit
  reads and writes. If an access size other than 32 bits is used then
  the results are IMPLEMENTATION DEFINED.

and for qemu, the implementation will only allow 32-bit accesses
resulting in a synchronous external abort when configuring the watchdog.
Use lo_hi_* accessors rather than a readq/writeq.

Fixes: abd3ac7902fb ("watchdog: sbsa: Support architecture version 1")
Signed-off-by: Jamie Iles <quic_jiles@quicinc.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Reviewed-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Link: https://lore.kernel.org/r/20210903112101.493552-1-quic_jiles@quicinc.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/sbsa_gwdt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/sbsa_gwdt.c b/drivers/watchdog/sbsa_gwdt.c
index ee9ff38929eb..6f4319bdbc50 100644
--- a/drivers/watchdog/sbsa_gwdt.c
+++ b/drivers/watchdog/sbsa_gwdt.c
@@ -130,7 +130,7 @@ static u64 sbsa_gwdt_reg_read(struct sbsa_gwdt *gwdt)
 	if (gwdt->version == 0)
 		return readl(gwdt->control_base + SBSA_GWDT_WOR);
 	else
-		return readq(gwdt->control_base + SBSA_GWDT_WOR);
+		return lo_hi_readq(gwdt->control_base + SBSA_GWDT_WOR);
 }
 
 static void sbsa_gwdt_reg_write(u64 val, struct sbsa_gwdt *gwdt)
@@ -138,7 +138,7 @@ static void sbsa_gwdt_reg_write(u64 val, struct sbsa_gwdt *gwdt)
 	if (gwdt->version == 0)
 		writel((u32)val, gwdt->control_base + SBSA_GWDT_WOR);
 	else
-		writeq(val, gwdt->control_base + SBSA_GWDT_WOR);
+		lo_hi_writeq(val, gwdt->control_base + SBSA_GWDT_WOR);
 }
 
 /*
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 108/125] bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of CONFIG_NET
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 107/125] watchdog: sbsa: only use 32-bit accessors Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 109/125] net: hns3: add more string spaces for dumping packets number of queue info in debugfs Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Tejun Heo,
	Alexei Starovoitov, Martin KaFai Lau, Sasha Levin

From: Tejun Heo <tj@kernel.org>

[ Upstream commit 99d0a3831e3500d945162cdb2310e3a5fce90b60 ]

bpf_types.h has BPF_MAP_TYPE_INODE_STORAGE and BPF_MAP_TYPE_TASK_STORAGE
declared inside #ifdef CONFIG_NET although they are built regardless of
CONFIG_NET. So, when CONFIG_BPF_SYSCALL && !CONFIG_NET, they are built
without the declarations leading to spurious build failures and not
registered to bpf_map_types making them unavailable.

Fix it by moving the BPF_MAP_TYPE for the two map types outside of
CONFIG_NET.

Reported-by: kernel test robot <lkp@intel.com>
Fixes: a10787e6d58c ("bpf: Enable task local storage for tracing programs")
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Link: https://lore.kernel.org/bpf/YXG1cuuSJDqHQfRY@slm.duckdns.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bpf_types.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/include/linux/bpf_types.h b/include/linux/bpf_types.h
index ae3ac3a2018c..2eb9c53468e7 100644
--- a/include/linux/bpf_types.h
+++ b/include/linux/bpf_types.h
@@ -101,14 +101,14 @@ BPF_MAP_TYPE(BPF_MAP_TYPE_STACK_TRACE, stack_trace_map_ops)
 #endif
 BPF_MAP_TYPE(BPF_MAP_TYPE_ARRAY_OF_MAPS, array_of_maps_map_ops)
 BPF_MAP_TYPE(BPF_MAP_TYPE_HASH_OF_MAPS, htab_of_maps_map_ops)
-#ifdef CONFIG_NET
-BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP, dev_map_ops)
-BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP_HASH, dev_map_hash_ops)
-BPF_MAP_TYPE(BPF_MAP_TYPE_SK_STORAGE, sk_storage_map_ops)
 #ifdef CONFIG_BPF_LSM
 BPF_MAP_TYPE(BPF_MAP_TYPE_INODE_STORAGE, inode_storage_map_ops)
 #endif
 BPF_MAP_TYPE(BPF_MAP_TYPE_TASK_STORAGE, task_storage_map_ops)
+#ifdef CONFIG_NET
+BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP, dev_map_ops)
+BPF_MAP_TYPE(BPF_MAP_TYPE_DEVMAP_HASH, dev_map_hash_ops)
+BPF_MAP_TYPE(BPF_MAP_TYPE_SK_STORAGE, sk_storage_map_ops)
 BPF_MAP_TYPE(BPF_MAP_TYPE_CPUMAP, cpu_map_ops)
 #if defined(CONFIG_XDP_SOCKETS)
 BPF_MAP_TYPE(BPF_MAP_TYPE_XSKMAP, xsk_map_ops)
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 109/125] net: hns3: add more string spaces for dumping packets number of queue info in debugfs
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 108/125] bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of CONFIG_NET Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 110/125] net: hns3: expand buffer len for some debugfs command Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jie Wang, Guangbin Huang,
	David S. Miller, Sasha Levin

From: Jie Wang <wangjie125@huawei.com>

[ Upstream commit 6754614a787cbcbf87bae8a75619c24a33ea6791 ]

As the width of packets number registers is 32 bits, they needs at most
10 characters for decimal data printing, but now the string spaces is not
enough, so this patch fixes it.

Fixes: e44c495d95e ("net: hns3: refactor queue info of debugfs")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
index 80461ab0ce9e..ce2fc283fe5c 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
@@ -463,7 +463,7 @@ static const struct hns3_dbg_item rx_queue_info_items[] = {
 	{ "TAIL", 2 },
 	{ "HEAD", 2 },
 	{ "FBDNUM", 2 },
-	{ "PKTNUM", 2 },
+	{ "PKTNUM", 5 },
 	{ "COPYBREAK", 2 },
 	{ "RING_EN", 2 },
 	{ "RX_RING_EN", 2 },
@@ -566,7 +566,7 @@ static const struct hns3_dbg_item tx_queue_info_items[] = {
 	{ "HEAD", 2 },
 	{ "FBDNUM", 2 },
 	{ "OFFSET", 2 },
-	{ "PKTNUM", 2 },
+	{ "PKTNUM", 5 },
 	{ "RING_EN", 2 },
 	{ "TX_RING_EN", 2 },
 	{ "BASE_ADDR", 10 },
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 110/125] net: hns3: expand buffer len for some debugfs command
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 109/125] net: hns3: add more string spaces for dumping packets number of queue info in debugfs Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 111/125] virtio-ring: fix DMA metadata flags Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guangbin Huang, David S. Miller, Sasha Levin

From: Guangbin Huang <huangguangbin2@huawei.com>

[ Upstream commit c7a6e3978ea952efb107ecf511c095c3bbb2945f ]

The specified buffer length for three debugfs files fd_tcam, uc and tqp
is not enough for their maximum needs, so this patch fixes them.

Fixes: b5a0b70d77b9 ("net: hns3: refactor dump fd tcam of debugfs")
Fixes: 1556ea9120ff ("net: hns3: refactor dump mac list of debugfs")
Fixes: d96b0e59468d ("net: hns3: refactor dump reg of debugfs")
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
index ce2fc283fe5c..b22b8baec54c 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
@@ -138,7 +138,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = {
 		.name = "uc",
 		.cmd = HNAE3_DBG_CMD_MAC_UC,
 		.dentry = HNS3_DBG_DENTRY_MAC,
-		.buf_len = HNS3_DBG_READ_LEN,
+		.buf_len = HNS3_DBG_READ_LEN_128KB,
 		.init = hns3_dbg_common_file_init,
 	},
 	{
@@ -257,7 +257,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = {
 		.name = "tqp",
 		.cmd = HNAE3_DBG_CMD_REG_TQP,
 		.dentry = HNS3_DBG_DENTRY_REG,
-		.buf_len = HNS3_DBG_READ_LEN,
+		.buf_len = HNS3_DBG_READ_LEN_128KB,
 		.init = hns3_dbg_common_file_init,
 	},
 	{
@@ -299,7 +299,7 @@ static struct hns3_dbg_cmd_info hns3_dbg_cmd[] = {
 		.name = "fd_tcam",
 		.cmd = HNAE3_DBG_CMD_FD_TCAM,
 		.dentry = HNS3_DBG_DENTRY_FD,
-		.buf_len = HNS3_DBG_READ_LEN,
+		.buf_len = HNS3_DBG_READ_LEN_1MB,
 		.init = hns3_dbg_common_file_init,
 	},
 	{
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 111/125] virtio-ring: fix DMA metadata flags
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 110/125] net: hns3: expand buffer len for some debugfs command Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 112/125] octeontx2-af: Check whether ipolicers exists Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vincent Whitchurch,
	Michael S. Tsirkin, Jason Wang, Sasha Levin

From: Vincent Whitchurch <vincent.whitchurch@axis.com>

[ Upstream commit 890d33561337ffeba0d8ba42517e71288cfee2b6 ]

The flags are currently overwritten, leading to the wrong direction
being passed to the DMA unmap functions.

Fixes: 72b5e8958738aaa4 ("virtio-ring: store DMA metadata in desc_extra for split virtqueue")
Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
Link: https://lore.kernel.org/r/20211026133100.17541-1-vincent.whitchurch@axis.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/virtio/virtio_ring.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c
index dd95dfd85e98..3035bb6f5458 100644
--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -576,7 +576,7 @@ static inline int virtqueue_add_split(struct virtqueue *_vq,
 	/* Last one doesn't continue. */
 	desc[prev].flags &= cpu_to_virtio16(_vq->vdev, ~VRING_DESC_F_NEXT);
 	if (!indirect && vq->use_dma_api)
-		vq->split.desc_extra[prev & (vq->split.vring.num - 1)].flags =
+		vq->split.desc_extra[prev & (vq->split.vring.num - 1)].flags &=
 			~VRING_DESC_F_NEXT;
 
 	if (indirect) {
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 112/125] octeontx2-af: Check whether ipolicers exists
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 111/125] virtio-ring: fix DMA metadata flags Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 113/125] KVM: s390: clear kicked_mask before sleeping again Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Subbaraya Sundeep, Rakesh Babu,
	Sunil Kovvuri Goutham, David S. Miller, Sasha Levin

From: Subbaraya Sundeep <sbhatta@marvell.com>

[ Upstream commit cc45b96e2de7ada26520f101dada0abafa4ba997 ]

While displaying ingress policers information in
debugfs check whether ingress policers exist in
the hardware or not because some platforms(CN9XXX)
do not have this feature.

Fixes: e7d8971763f3 ("octeontx2-af: cn10k: Debugfs support for bandwidth")
Signed-off-by: Subbaraya Sundeep <sbhatta@marvell.com>
Signed-off-by: Rakesh Babu <rsaladi2@marvell.com>
Signed-off-by: Sunil Kovvuri Goutham <sgoutham@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
index 75794c8590c4..a606de56678d 100644
--- a/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
+++ b/drivers/net/ethernet/marvell/octeontx2/af/rvu_debugfs.c
@@ -1796,6 +1796,10 @@ static int rvu_dbg_nix_band_prof_ctx_display(struct seq_file *m, void *unused)
 	u16 pcifunc;
 	char *str;
 
+	/* Ingress policers do not exist on all platforms */
+	if (!nix_hw->ipolicer)
+		return 0;
+
 	for (layer = 0; layer < BAND_PROF_NUM_LAYERS; layer++) {
 		if (layer == BAND_PROF_INVAL_LAYER)
 			continue;
@@ -1845,6 +1849,10 @@ static int rvu_dbg_nix_band_prof_rsrc_display(struct seq_file *m, void *unused)
 	int layer;
 	char *str;
 
+	/* Ingress policers do not exist on all platforms */
+	if (!nix_hw->ipolicer)
+		return 0;
+
 	seq_puts(m, "\nBandwidth profile resource free count\n");
 	seq_puts(m, "=====================================\n");
 	for (layer = 0; layer < BAND_PROF_NUM_LAYERS; layer++) {
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 113/125] KVM: s390: clear kicked_mask before sleeping again
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 112/125] octeontx2-af: Check whether ipolicers exists Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 114/125] KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Rosato, Halil Pasic,
	Christian Borntraeger, Michael Mueller, Claudio Imbrenda,
	Sasha Levin

From: Halil Pasic <pasic@linux.ibm.com>

[ Upstream commit 9b57e9d5010bbed7c0d9d445085840f7025e6f9a ]

The idea behind kicked mask is that we should not re-kick a vcpu that
is already in the "kick" process, i.e. that was kicked and is
is about to be dispatched if certain conditions are met.

The problem with the current implementation is, that it assumes the
kicked vcpu is going to enter SIE shortly. But under certain
circumstances, the vcpu we just kicked will be deemed non-runnable and
will remain in wait state. This can happen, if the interrupt(s) this
vcpu got kicked to deal with got already cleared (because the interrupts
got delivered to another vcpu). In this case kvm_arch_vcpu_runnable()
would return false, and the vcpu would remain in kvm_vcpu_block(),
but this time with its kicked_mask bit set. So next time around we
wouldn't kick the vcpu form __airqs_kick_single_vcpu(), but would assume
that we just kicked it.

Let us make sure the kicked_mask is cleared before we give up on
re-dispatching the vcpu.

Fixes: 9f30f6216378 ("KVM: s390: add gib_alert_irq_handler()")
Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019175401.3757927-2-pasic@linux.ibm.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kvm/kvm-s390.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c
index 8580543c5bc3..46ad1bdd53a2 100644
--- a/arch/s390/kvm/kvm-s390.c
+++ b/arch/s390/kvm/kvm-s390.c
@@ -3341,6 +3341,7 @@ int kvm_arch_vcpu_create(struct kvm_vcpu *vcpu)
 
 int kvm_arch_vcpu_runnable(struct kvm_vcpu *vcpu)
 {
+	clear_bit(vcpu->vcpu_idx, vcpu->kvm->arch.gisa_int.kicked_mask);
 	return kvm_s390_vcpu_has_irq(vcpu, 0);
 }
 
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 114/125] KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 113/125] KVM: s390: clear kicked_mask before sleeping again Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 115/125] scsi: ufs: ufs-exynos: Correct timeout value setting registers Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Halil Pasic, Christian Borntraeger,
	Michael Mueller, Claudio Imbrenda, Sasha Levin

From: Halil Pasic <pasic@linux.ibm.com>

[ Upstream commit 0e9ff65f455dfd0a8aea5e7843678ab6fe097e21 ]

Changing the deliverable mask in __airqs_kick_single_vcpu() is a bug. If
one idle vcpu can't take the interrupts we want to deliver, we should
look for another vcpu that can, instead of saying that we don't want
to deliver these interrupts by clearing the bits from the
deliverable_mask.

Fixes: 9f30f6216378 ("KVM: s390: add gib_alert_irq_handler()")
Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Christian Borntraeger <borntraeger@de.ibm.com>
Reviewed-by: Michael Mueller <mimu@linux.ibm.com>
Reviewed-by: Claudio Imbrenda <imbrenda@linux.ibm.com>
Link: https://lore.kernel.org/r/20211019175401.3757927-3-pasic@linux.ibm.com
Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kvm/interrupt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/s390/kvm/interrupt.c b/arch/s390/kvm/interrupt.c
index 16256e17a544..ee9d052476b5 100644
--- a/arch/s390/kvm/interrupt.c
+++ b/arch/s390/kvm/interrupt.c
@@ -3053,13 +3053,14 @@ static void __airqs_kick_single_vcpu(struct kvm *kvm, u8 deliverable_mask)
 	int vcpu_idx, online_vcpus = atomic_read(&kvm->online_vcpus);
 	struct kvm_s390_gisa_interrupt *gi = &kvm->arch.gisa_int;
 	struct kvm_vcpu *vcpu;
+	u8 vcpu_isc_mask;
 
 	for_each_set_bit(vcpu_idx, kvm->arch.idle_mask, online_vcpus) {
 		vcpu = kvm_get_vcpu(kvm, vcpu_idx);
 		if (psw_ioint_disabled(vcpu))
 			continue;
-		deliverable_mask &= (u8)(vcpu->arch.sie_block->gcr[6] >> 24);
-		if (deliverable_mask) {
+		vcpu_isc_mask = (u8)(vcpu->arch.sie_block->gcr[6] >> 24);
+		if (deliverable_mask & vcpu_isc_mask) {
 			/* lately kicked but not yet running */
 			if (test_and_set_bit(vcpu_idx, gi->kicked_mask))
 				return;
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 115/125] scsi: ufs: ufs-exynos: Correct timeout value setting registers
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 114/125] KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 116/125] perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alim Akhtar, Kiwoong Kim,
	Krzysztof Kozlowski, Avri Altman, Chanho Park,
	Martin K. Petersen, Sasha Levin

From: Chanho Park <chanho61.park@samsung.com>

[ Upstream commit 282da7cef078a87b6d5e8ceba8b17e428cf0e37c ]

PA_PWRMODEUSERDATA0 -> DL_FC0PROTTIMEOUTVAL
PA_PWRMODEUSERDATA1 -> DL_TC0REPLAYTIMEOUTVAL
PA_PWRMODEUSERDATA2 -> DL_AFC0REQTIMEOUTVAL

Link: https://lore.kernel.org/r/20211018062841.18226-1-chanho61.park@samsung.com
Fixes: a967ddb22d94 ("scsi: ufs: ufs-exynos: Apply vendor-specific values for three timeouts")
Cc: Alim Akhtar <alim.akhtar@samsung.com>
Cc: Kiwoong Kim <kwmad.kim@samsung.com>
Cc: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Reviewed-by: Alim Akhtar <alim.akhtar@samsung.com>
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Signed-off-by: Chanho Park <chanho61.park@samsung.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/ufs/ufs-exynos.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/scsi/ufs/ufs-exynos.c b/drivers/scsi/ufs/ufs-exynos.c
index 427a2ff7e9da..9cdedbff5b88 100644
--- a/drivers/scsi/ufs/ufs-exynos.c
+++ b/drivers/scsi/ufs/ufs-exynos.c
@@ -642,9 +642,9 @@ static int exynos_ufs_pre_pwr_mode(struct ufs_hba *hba,
 	}
 
 	/* setting for three timeout values for traffic class #0 */
-	ufshcd_dme_set(hba, UIC_ARG_MIB(PA_PWRMODEUSERDATA0), 8064);
-	ufshcd_dme_set(hba, UIC_ARG_MIB(PA_PWRMODEUSERDATA1), 28224);
-	ufshcd_dme_set(hba, UIC_ARG_MIB(PA_PWRMODEUSERDATA2), 20160);
+	ufshcd_dme_set(hba, UIC_ARG_MIB(DL_FC0PROTTIMEOUTVAL), 8064);
+	ufshcd_dme_set(hba, UIC_ARG_MIB(DL_TC0REPLAYTIMEOUTVAL), 28224);
+	ufshcd_dme_set(hba, UIC_ARG_MIB(DL_AFC0REQTIMEOUTVAL), 20160);
 
 	return 0;
 out:
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 116/125] perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 115/125] scsi: ufs: ufs-exynos: Correct timeout value setting registers Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 117/125] scsi: ibmvfc: Fix up duplicate response detection Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Mario, Kajol Jain, Kan Liang,
	Jiri Olsa, Andi Kleen, Arnaldo Carvalho de Melo, Sasha Levin

From: Kan Liang <kan.liang@linux.intel.com>

[ Upstream commit 27730c8cd60d1574d8337276e7a9d7d2ca92e0d1 ]

-F weight in perf script is broken.

  # ./perf mem record
  # ./perf script -F weight
  Samples for 'dummy:HG' event do not have WEIGHT attribute set. Cannot
print 'weight' field.

The sample type, PERF_SAMPLE_WEIGHT_STRUCT, is an alternative of the
PERF_SAMPLE_WEIGHT sample type. They share the same space, weight. The
lower 32 bits are exactly the same for both sample type. The higher 32
bits may be different for different architecture. For a new kernel on
x86, the PERF_SAMPLE_WEIGHT_STRUCT is used. For an old kernel or other
ARCHs, the PERF_SAMPLE_WEIGHT is used.

With -F weight, current perf script will only check the input string
"weight" with the PERF_SAMPLE_WEIGHT sample type. Because the commit
ea8d0ed6eae3 ("perf tools: Support PERF_SAMPLE_WEIGHT_STRUCT") didn't
update the PERF_SAMPLE_WEIGHT_STRUCT sample type for perf script. For a
new kernel on x86, the check fails.

Use PERF_SAMPLE_WEIGHT_TYPE, which supports both sample types, to
replace PERF_SAMPLE_WEIGHT

Fixes: ea8d0ed6eae37b01 ("perf tools: Support PERF_SAMPLE_WEIGHT_STRUCT")
Reported-by: Joe Mario <jmario@redhat.com>
Reviewed-by: Kajol Jain <kjain@linux.ibm.com>
Signed-off-by: Kan Liang <kan.liang@linux.intel.com>
Tested-by: Jiri Olsa <jolsa@redhat.com>
Tested-by: Joe Mario <jmario@redhat.com>
Acked-by: Jiri Olsa <jolsa@redhat.com>
Acked-by: Joe Mario <jmario@redhat.com>
Cc: Andi Kleen <ak@linux.intel.com>
Link: https://lore.kernel.org/r/1632929894-102778-1-git-send-email-kan.liang@linux.intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/perf/builtin-script.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/perf/builtin-script.c b/tools/perf/builtin-script.c
index 064da7f3618d..52ff827ca799 100644
--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -469,7 +469,7 @@ static int evsel__check_attr(struct evsel *evsel, struct perf_session *session)
 		return -EINVAL;
 
 	if (PRINT_FIELD(WEIGHT) &&
-	    evsel__check_stype(evsel, PERF_SAMPLE_WEIGHT, "WEIGHT", PERF_OUTPUT_WEIGHT))
+	    evsel__check_stype(evsel, PERF_SAMPLE_WEIGHT_TYPE, "WEIGHT", PERF_OUTPUT_WEIGHT))
 		return -EINVAL;
 
 	if (PRINT_FIELD(SYM) &&
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 130+ messages in thread

* [PATCH 5.14 117/125] scsi: ibmvfc: Fix up duplicate response detection
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 116/125] perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 118/125] riscv: fix misalgned trap vector base address Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tyrel Datwyler, Brian King,
	Martin K. Petersen

From: Brian King <brking@linux.vnet.ibm.com>

commit e20f80b9b163dc402dca115eed0affba6df5ebb5 upstream.

Commit a264cf5e81c7 ("scsi: ibmvfc: Fix command state accounting and stale
response detection") introduced a regression in detecting duplicate
responses. This was observed in test where a command was sent to the VIOS
and completed before ibmvfc_send_event() set the active flag to 1, which
resulted in the atomic_dec_if_positive() call in ibmvfc_handle_crq()
thinking this was a duplicate response, which resulted in scsi_done() not
getting called, so we then hit a SCSI command timeout for this command once
the timeout expires.  This simply ensures the active flag gets set prior to
making the hcall to send the command to the VIOS, in order to close this
window.

Link: https://lore.kernel.org/r/20211019152129.16558-1-brking@linux.vnet.ibm.com
Fixes: a264cf5e81c7 ("scsi: ibmvfc: Fix command state accounting and stale response detection")
Cc: stable@vger.kernel.org
Acked-by: Tyrel Datwyler <tyreld@linux.ibm.com>
Signed-off-by: Brian King <brking@linux.vnet.ibm.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/ibmvscsi/ibmvfc.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/scsi/ibmvscsi/ibmvfc.c
+++ b/drivers/scsi/ibmvscsi/ibmvfc.c
@@ -1696,6 +1696,7 @@ static int ibmvfc_send_event(struct ibmv
 
 	spin_lock_irqsave(&evt->queue->l_lock, flags);
 	list_add_tail(&evt->queue_list, &evt->queue->sent);
+	atomic_set(&evt->active, 1);
 
 	mb();
 
@@ -1710,6 +1711,7 @@ static int ibmvfc_send_event(struct ibmv
 				     be64_to_cpu(crq_as_u64[1]));
 
 	if (rc) {
+		atomic_set(&evt->active, 0);
 		list_del(&evt->queue_list);
 		spin_unlock_irqrestore(&evt->queue->l_lock, flags);
 		del_timer(&evt->timer);
@@ -1737,7 +1739,6 @@ static int ibmvfc_send_event(struct ibmv
 
 		evt->done(evt);
 	} else {
-		atomic_set(&evt->active, 1);
 		spin_unlock_irqrestore(&evt->queue->l_lock, flags);
 		ibmvfc_trc_start(evt);
 	}



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 118/125] riscv: fix misalgned trap vector base address
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 117/125] scsi: ibmvfc: Fix up duplicate response detection Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 119/125] riscv: Do not re-populate shadow memory with kasan_populate_early_shadow Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chen Lu, Anup Patel, Palmer Dabbelt

From: Chen Lu <181250012@smail.nju.edu.cn>

commit 64a19591a2938b170aa736443d5d3bf4c51e1388 upstream.

The trap vector marked by label .Lsecondary_park must align on a
4-byte boundary, as the {m,s}tvec is defined to require 4-byte
alignment.

Signed-off-by: Chen Lu <181250012@smail.nju.edu.cn>
Reviewed-by: Anup Patel <anup.patel@wdc.com>
Fixes: e011995e826f ("RISC-V: Move relocate and few other functions out of __init")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/kernel/head.S |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/riscv/kernel/head.S
+++ b/arch/riscv/kernel/head.S
@@ -193,6 +193,7 @@ setup_trap_vector:
 	csrw CSR_SCRATCH, zero
 	ret
 
+.align 2
 .Lsecondary_park:
 	/* We lack SMP support or have too many harts, so park this hart */
 	wfi



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 119/125] riscv: Do not re-populate shadow memory with kasan_populate_early_shadow
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 118/125] riscv: fix misalgned trap vector base address Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 120/125] riscv: Fix asan-stack clang build Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexandre Ghiti, Palmer Dabbelt

From: Alexandre Ghiti <alexandre.ghiti@canonical.com>

commit cf11d01135ea1ff7fddb612033e3cb5cde279ff2 upstream.

When calling this function, all the shadow memory is already populated
with kasan_early_shadow_pte which has PAGE_KERNEL protection.
kasan_populate_early_shadow write-protects the mapping of the range
of addresses passed in argument in zero_pte_populate, which actually
write-protects all the shadow memory mapping since kasan_early_shadow_pte
is used for all the shadow memory at this point. And then when using
memblock API to populate the shadow memory, the first write access to the
kernel stack triggers a trap. This becomes visible with the next commit
that contains a fix for asan-stack.

We already manually populate all the shadow memory in kasan_early_init
and we write-protect kasan_early_shadow_pte at the end of kasan_init
which makes the calls to kasan_populate_early_shadow superfluous so
we can remove them.

Signed-off-by: Alexandre Ghiti <alexandre.ghiti@canonical.com>
Fixes: e178d670f251 ("riscv/kasan: add KASAN_VMALLOC support")
Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/mm/kasan_init.c |   11 -----------
 1 file changed, 11 deletions(-)

--- a/arch/riscv/mm/kasan_init.c
+++ b/arch/riscv/mm/kasan_init.c
@@ -172,21 +172,10 @@ void __init kasan_init(void)
 	phys_addr_t p_start, p_end;
 	u64 i;
 
-	/*
-	 * Populate all kernel virtual address space with kasan_early_shadow_page
-	 * except for the linear mapping and the modules/kernel/BPF mapping.
-	 */
-	kasan_populate_early_shadow((void *)KASAN_SHADOW_START,
-				    (void *)kasan_mem_to_shadow((void *)
-								VMEMMAP_END));
 	if (IS_ENABLED(CONFIG_KASAN_VMALLOC))
 		kasan_shallow_populate(
 			(void *)kasan_mem_to_shadow((void *)VMALLOC_START),
 			(void *)kasan_mem_to_shadow((void *)VMALLOC_END));
-	else
-		kasan_populate_early_shadow(
-			(void *)kasan_mem_to_shadow((void *)VMALLOC_START),
-			(void *)kasan_mem_to_shadow((void *)VMALLOC_END));
 
 	/* Populate the linear mapping */
 	for_each_mem_range(i, &p_start, &p_end) {



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 120/125] riscv: Fix asan-stack clang build
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 119/125] riscv: Do not re-populate shadow memory with kasan_populate_early_shadow Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 121/125] perf script: Check session->header.env.arch before using it Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Alexandre Ghiti,
	Palmer Dabbelt

From: Alexandre Ghiti <alexandre.ghiti@canonical.com>

commit 54c5639d8f507ebefa814f574cb6f763033a72a5 upstream.

Nathan reported that because KASAN_SHADOW_OFFSET was not defined in
Kconfig, it prevents asan-stack from getting disabled with clang even
when CONFIG_KASAN_STACK is disabled: fix this by defining the
corresponding config.

Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Alexandre Ghiti <alexandre.ghiti@canonical.com>
Fixes: 8ad8b72721d0 ("riscv: Add KASAN support")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmerdabbelt@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/Kconfig             |    6 ++++++
 arch/riscv/include/asm/kasan.h |    3 +--
 arch/riscv/mm/kasan_init.c     |    3 +++
 3 files changed, 10 insertions(+), 2 deletions(-)

--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -157,6 +157,12 @@ config PAGE_OFFSET
 	default 0xffffffff80000000 if 64BIT && MAXPHYSMEM_2GB
 	default 0xffffffe000000000 if 64BIT && MAXPHYSMEM_128GB
 
+config KASAN_SHADOW_OFFSET
+	hex
+	depends on KASAN_GENERIC
+	default 0xdfffffc800000000 if 64BIT
+	default 0xffffffff if 32BIT
+
 config ARCH_FLATMEM_ENABLE
 	def_bool !NUMA
 
--- a/arch/riscv/include/asm/kasan.h
+++ b/arch/riscv/include/asm/kasan.h
@@ -30,8 +30,7 @@
 #define KASAN_SHADOW_SIZE	(UL(1) << ((CONFIG_VA_BITS - 1) - KASAN_SHADOW_SCALE_SHIFT))
 #define KASAN_SHADOW_START	KERN_VIRT_START
 #define KASAN_SHADOW_END	(KASAN_SHADOW_START + KASAN_SHADOW_SIZE)
-#define KASAN_SHADOW_OFFSET	(KASAN_SHADOW_END - (1ULL << \
-					(64 - KASAN_SHADOW_SCALE_SHIFT)))
+#define KASAN_SHADOW_OFFSET	_AC(CONFIG_KASAN_SHADOW_OFFSET, UL)
 
 void kasan_init(void);
 asmlinkage void kasan_early_init(void);
--- a/arch/riscv/mm/kasan_init.c
+++ b/arch/riscv/mm/kasan_init.c
@@ -17,6 +17,9 @@ asmlinkage void __init kasan_early_init(
 	uintptr_t i;
 	pgd_t *pgd = early_pg_dir + pgd_index(KASAN_SHADOW_START);
 
+	BUILD_BUG_ON(KASAN_SHADOW_OFFSET !=
+		KASAN_SHADOW_END - (1UL << (64 - KASAN_SHADOW_SCALE_SHIFT)));
+
 	for (i = 0; i < PTRS_PER_PTE; ++i)
 		set_pte(kasan_early_shadow_pte + i,
 			mk_pte(virt_to_page(kasan_early_shadow_page),



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 121/125] perf script: Check session->header.env.arch before using it
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 120/125] riscv: Fix asan-stack clang build Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 122/125] KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block() Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Song Liu, Peter Zijlstra,
	kernel-team, Arnaldo Carvalho de Melo

From: Song Liu <songliubraving@fb.com>

commit 29c77550eef31b0d72a45b49eeab03b8963264e8 upstream.

When perf.data is not written cleanly, we would like to process existing
data as much as possible (please see f_header.data.size == 0 condition
in perf_session__read_header). However, perf.data with partial data may
crash perf. Specifically, we see crash in 'perf script' for NULL
session->header.env.arch.

Fix this by checking session->header.env.arch before using it to determine
native_arch. Also split the if condition so it is easier to read.

Committer notes:

If it is a pipe, we already assume is a native arch, so no need to check
session->header.env.arch.

Signed-off-by: Song Liu <songliubraving@fb.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: kernel-team@fb.com
Cc: stable@vger.kernel.org
Link: http://lore.kernel.org/lkml/20211004053238.514936-1-songliubraving@fb.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/builtin-script.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

--- a/tools/perf/builtin-script.c
+++ b/tools/perf/builtin-script.c
@@ -4024,11 +4024,15 @@ script_found:
 		goto out_delete;
 
 	uname(&uts);
-	if (data.is_pipe ||  /* assume pipe_mode indicates native_arch */
-	    !strcmp(uts.machine, session->header.env.arch) ||
-	    (!strcmp(uts.machine, "x86_64") &&
-	     !strcmp(session->header.env.arch, "i386")))
+	if (data.is_pipe) { /* Assume pipe_mode indicates native_arch */
 		native_arch = true;
+	} else if (session->header.env.arch) {
+		if (!strcmp(uts.machine, session->header.env.arch))
+			native_arch = true;
+		else if (!strcmp(uts.machine, "x86_64") &&
+			 !strcmp(session->header.env.arch, "i386"))
+			native_arch = true;
+	}
 
 	script.session = session;
 	script__setup_sample_type(&script);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 122/125] KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 121/125] perf script: Check session->header.env.arch before using it Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 123/125] KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Woodhouse, Paolo Bonzini

From: David Woodhouse <dwmw@amazon.co.uk>

commit 0985dba842eaa391858972cfe2724c3c174a2827 upstream.

In kvm_vcpu_block, the current task is set to TASK_INTERRUPTIBLE before
making a final check whether the vCPU should be woken from HLT by any
incoming interrupt.

This is a problem for the get_user() in __kvm_xen_has_interrupt(), which
really shouldn't be sleeping when the task state has already been set.
I think it's actually harmless as it would just manifest itself as a
spurious wakeup, but it's causing a debug warning:

[  230.963649] do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000b6bcdbc9>] prepare_to_swait_exclusive+0x30/0x80

Fix the warning by turning it into an *explicit* spurious wakeup. When
invoked with !task_is_running(current) (and we might as well add
in_atomic() there while we're at it), just return 1 to indicate that
an IRQ is pending, which will cause a wakeup and then something will
call it again in a context that *can* sleep so it can fault the page
back in.

Cc: stable@vger.kernel.org
Fixes: 40da8ccd724f ("KVM: x86/xen: Add event channel interrupt vector upcall")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Message-Id: <168bf8c689561da904e48e2ff5ae4713eaef9e2d.camel@infradead.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/xen.c |   27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

--- a/arch/x86/kvm/xen.c
+++ b/arch/x86/kvm/xen.c
@@ -191,6 +191,7 @@ void kvm_xen_update_runstate_guest(struc
 
 int __kvm_xen_has_interrupt(struct kvm_vcpu *v)
 {
+	int err;
 	u8 rc = 0;
 
 	/*
@@ -217,13 +218,29 @@ int __kvm_xen_has_interrupt(struct kvm_v
 	if (likely(slots->generation == ghc->generation &&
 		   !kvm_is_error_hva(ghc->hva) && ghc->memslot)) {
 		/* Fast path */
-		__get_user(rc, (u8 __user *)ghc->hva + offset);
-	} else {
-		/* Slow path */
-		kvm_read_guest_offset_cached(v->kvm, ghc, &rc, offset,
-					     sizeof(rc));
+		pagefault_disable();
+		err = __get_user(rc, (u8 __user *)ghc->hva + offset);
+		pagefault_enable();
+		if (!err)
+			return rc;
 	}
 
+	/* Slow path */
+
+	/*
+	 * This function gets called from kvm_vcpu_block() after setting the
+	 * task to TASK_INTERRUPTIBLE, to see if it needs to wake immediately
+	 * from a HLT. So we really mustn't sleep. If the page ended up absent
+	 * at that point, just return 1 in order to trigger an immediate wake,
+	 * and we'll end up getting called again from a context where we *can*
+	 * fault in the page and wait for it.
+	 */
+	if (in_atomic() || !task_is_running(current))
+		return 1;
+
+	kvm_read_guest_offset_cached(v->kvm, ghc, &rc, offset,
+				     sizeof(rc));
+
 	return rc;
 }
 



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 123/125] KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 122/125] KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block() Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 124/125] KVM: SEV-ES: fix another issue with string I/O VMGEXITs Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b282b65c2c68492df769,
	David Woodhouse, Paolo Bonzini

From: David Woodhouse <dwmw@amazon.co.uk>

commit 8228c77d8b56e3f735baf71fefb1b548c23691a7 upstream.

On the preemption path when updating a Xen guest's runstate times, this
lock is taken inside the scheduler rq->lock, which is a raw spinlock.
This was shown in a lockdep warning:

[   89.138354] =============================
[   89.138356] [ BUG: Invalid wait context ]
[   89.138358] 5.15.0-rc5+ #834 Tainted: G S        I E
[   89.138360] -----------------------------
[   89.138361] xen_shinfo_test/2575 is trying to lock:
[   89.138363] ffffa34a0364efd8 (&kvm->arch.pvclock_gtod_sync_lock){....}-{3:3}, at: get_kvmclock_ns+0x1f/0x130 [kvm]
[   89.138442] other info that might help us debug this:
[   89.138444] context-{5:5}
[   89.138445] 4 locks held by xen_shinfo_test/2575:
[   89.138447]  #0: ffff972bdc3b8108 (&vcpu->mutex){+.+.}-{4:4}, at: kvm_vcpu_ioctl+0x77/0x6f0 [kvm]
[   89.138483]  #1: ffffa34a03662e90 (&kvm->srcu){....}-{0:0}, at: kvm_arch_vcpu_ioctl_run+0xdc/0x8b0 [kvm]
[   89.138526]  #2: ffff97331fdbac98 (&rq->__lock){-.-.}-{2:2}, at: __schedule+0xff/0xbd0
[   89.138534]  #3: ffffa34a03662e90 (&kvm->srcu){....}-{0:0}, at: kvm_arch_vcpu_put+0x26/0x170 [kvm]
...
[   89.138695]  get_kvmclock_ns+0x1f/0x130 [kvm]
[   89.138734]  kvm_xen_update_runstate+0x14/0x90 [kvm]
[   89.138783]  kvm_xen_update_runstate_guest+0x15/0xd0 [kvm]
[   89.138830]  kvm_arch_vcpu_put+0xe6/0x170 [kvm]
[   89.138870]  kvm_sched_out+0x2f/0x40 [kvm]
[   89.138900]  __schedule+0x5de/0xbd0

Cc: stable@vger.kernel.org
Reported-by: syzbot+b282b65c2c68492df769@syzkaller.appspotmail.com
Fixes: 30b5c851af79 ("KVM: x86/xen: Add support for vCPU runstate information")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Message-Id: <1b02a06421c17993df337493a68ba923f3bd5c0f.camel@infradead.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/kvm_host.h |    2 +-
 arch/x86/kvm/x86.c              |   28 ++++++++++++++--------------
 2 files changed, 15 insertions(+), 15 deletions(-)

--- a/arch/x86/include/asm/kvm_host.h
+++ b/arch/x86/include/asm/kvm_host.h
@@ -1084,7 +1084,7 @@ struct kvm_arch {
 	u64 cur_tsc_generation;
 	int nr_vcpus_matched_tsc;
 
-	spinlock_t pvclock_gtod_sync_lock;
+	raw_spinlock_t pvclock_gtod_sync_lock;
 	bool use_master_clock;
 	u64 master_kernel_ns;
 	u64 master_cycle_now;
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -2537,7 +2537,7 @@ static void kvm_synchronize_tsc(struct k
 	kvm_vcpu_write_tsc_offset(vcpu, offset);
 	raw_spin_unlock_irqrestore(&kvm->arch.tsc_write_lock, flags);
 
-	spin_lock_irqsave(&kvm->arch.pvclock_gtod_sync_lock, flags);
+	raw_spin_lock_irqsave(&kvm->arch.pvclock_gtod_sync_lock, flags);
 	if (!matched) {
 		kvm->arch.nr_vcpus_matched_tsc = 0;
 	} else if (!already_matched) {
@@ -2545,7 +2545,7 @@ static void kvm_synchronize_tsc(struct k
 	}
 
 	kvm_track_tsc_matching(vcpu);
-	spin_unlock_irqrestore(&kvm->arch.pvclock_gtod_sync_lock, flags);
+	raw_spin_unlock_irqrestore(&kvm->arch.pvclock_gtod_sync_lock, flags);
 }
 
 static inline void adjust_tsc_offset_guest(struct kvm_vcpu *vcpu,
@@ -2775,9 +2775,9 @@ static void kvm_gen_update_masterclock(s
 	kvm_make_mclock_inprogress_request(kvm);
 
 	/* no guest entries from this point */
-	spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
 	pvclock_update_vm_gtod_copy(kvm);
-	spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
 
 	kvm_for_each_vcpu(i, vcpu, kvm)
 		kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
@@ -2795,15 +2795,15 @@ u64 get_kvmclock_ns(struct kvm *kvm)
 	unsigned long flags;
 	u64 ret;
 
-	spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
 	if (!ka->use_master_clock) {
-		spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
+		raw_spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
 		return get_kvmclock_base_ns() + ka->kvmclock_offset;
 	}
 
 	hv_clock.tsc_timestamp = ka->master_cycle_now;
 	hv_clock.system_time = ka->master_kernel_ns + ka->kvmclock_offset;
-	spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
 
 	/* both __this_cpu_read() and rdtsc() should be on the same cpu */
 	get_cpu();
@@ -2897,13 +2897,13 @@ static int kvm_guest_time_update(struct
 	 * If the host uses TSC clock, then passthrough TSC as stable
 	 * to the guest.
 	 */
-	spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
 	use_master_clock = ka->use_master_clock;
 	if (use_master_clock) {
 		host_tsc = ka->master_cycle_now;
 		kernel_ns = ka->master_kernel_ns;
 	}
-	spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
+	raw_spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
 
 	/* Keep irq disabled to prevent changes to the clock */
 	local_irq_save(flags);
@@ -6101,13 +6101,13 @@ set_pit2_out:
 		 * is slightly ahead) here we risk going negative on unsigned
 		 * 'system_time' when 'user_ns.clock' is very small.
 		 */
-		spin_lock_irq(&ka->pvclock_gtod_sync_lock);
+		raw_spin_lock_irq(&ka->pvclock_gtod_sync_lock);
 		if (kvm->arch.use_master_clock)
 			now_ns = ka->master_kernel_ns;
 		else
 			now_ns = get_kvmclock_base_ns();
 		ka->kvmclock_offset = user_ns.clock - now_ns;
-		spin_unlock_irq(&ka->pvclock_gtod_sync_lock);
+		raw_spin_unlock_irq(&ka->pvclock_gtod_sync_lock);
 
 		kvm_make_all_cpus_request(kvm, KVM_REQ_CLOCK_UPDATE);
 		break;
@@ -8157,9 +8157,9 @@ static void kvm_hyperv_tsc_notifier(void
 	list_for_each_entry(kvm, &vm_list, vm_list) {
 		struct kvm_arch *ka = &kvm->arch;
 
-		spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
+		raw_spin_lock_irqsave(&ka->pvclock_gtod_sync_lock, flags);
 		pvclock_update_vm_gtod_copy(kvm);
-		spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
+		raw_spin_unlock_irqrestore(&ka->pvclock_gtod_sync_lock, flags);
 
 		kvm_for_each_vcpu(cpu, vcpu, kvm)
 			kvm_make_request(KVM_REQ_CLOCK_UPDATE, vcpu);
@@ -11148,7 +11148,7 @@ int kvm_arch_init_vm(struct kvm *kvm, un
 
 	raw_spin_lock_init(&kvm->arch.tsc_write_lock);
 	mutex_init(&kvm->arch.apic_map_lock);
-	spin_lock_init(&kvm->arch.pvclock_gtod_sync_lock);
+	raw_spin_lock_init(&kvm->arch.pvclock_gtod_sync_lock);
 
 	kvm->arch.kvmclock_offset = -get_kvmclock_base_ns();
 	pvclock_update_vm_gtod_copy(kvm);



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 124/125] KVM: SEV-ES: fix another issue with string I/O VMGEXITs
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 123/125] KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01  9:18 ` [PATCH 5.14 125/125] KVM: x86: Take srcu lock in post_kvm_run_save() Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marc Orr, Paolo Bonzini

From: Paolo Bonzini <pbonzini@redhat.com>

commit 9b0971ca7fc75daca80c0bb6c02e96059daea90a upstream.

If the guest requests string I/O from the hypervisor via VMGEXIT,
SW_EXITINFO2 will contain the REP count.  However, sev_es_string_io
was incorrectly treating it as the size of the GHCB buffer in
bytes.

This fixes the "outsw" test in the experimental SEV tests of
kvm-unit-tests.

Cc: stable@vger.kernel.org
Fixes: 7ed9abfe8e9f ("KVM: SVM: Support string IO operations for an SEV-ES guest")
Reported-by: Marc Orr <marcorr@google.com>
Tested-by: Marc Orr <marcorr@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/svm/sev.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/arch/x86/kvm/svm/sev.c
+++ b/arch/x86/kvm/svm/sev.c
@@ -2592,11 +2592,20 @@ int sev_handle_vmgexit(struct kvm_vcpu *
 
 int sev_es_string_io(struct vcpu_svm *svm, int size, unsigned int port, int in)
 {
-	if (!setup_vmgexit_scratch(svm, in, svm->vmcb->control.exit_info_2))
+	int count;
+	int bytes;
+
+	if (svm->vmcb->control.exit_info_2 > INT_MAX)
+		return -EINVAL;
+
+	count = svm->vmcb->control.exit_info_2;
+	if (unlikely(check_mul_overflow(count, size, &bytes)))
+		return -EINVAL;
+
+	if (!setup_vmgexit_scratch(svm, in, bytes))
 		return -EINVAL;
 
-	return kvm_sev_es_string_io(&svm->vcpu, size, port,
-				    svm->ghcb_sa, svm->ghcb_sa_len / size, in);
+	return kvm_sev_es_string_io(&svm->vcpu, size, port, svm->ghcb_sa, count, in);
 }
 
 void sev_es_init_vmcb(struct vcpu_svm *svm)



^ permalink raw reply	[flat|nested] 130+ messages in thread

* [PATCH 5.14 125/125] KVM: x86: Take srcu lock in post_kvm_run_save()
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 124/125] KVM: SEV-ES: fix another issue with string I/O VMGEXITs Greg Kroah-Hartman
@ 2021-11-01  9:18 ` Greg Kroah-Hartman
  2021-11-01 14:42 ` [PATCH 5.14 000/125] 5.14.16-rc1 review Fox Chen
                   ` (3 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Greg Kroah-Hartman @ 2021-11-01  9:18 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, David Woodhouse, Paolo Bonzini

From: David Woodhouse <dwmw@amazon.co.uk>

commit f3d1436d4bf8ced1c9a62a045d193a65567e1fcc upstream.

The Xen interrupt injection for event channels relies on accessing the
guest's vcpu_info structure in __kvm_xen_has_interrupt(), through a
gfn_to_hva_cache.

This requires the srcu lock to be held, which is mostly the case except
for this code path:

[   11.822877] WARNING: suspicious RCU usage
[   11.822965] -----------------------------
[   11.823013] include/linux/kvm_host.h:664 suspicious rcu_dereference_check() usage!
[   11.823131]
[   11.823131] other info that might help us debug this:
[   11.823131]
[   11.823196]
[   11.823196] rcu_scheduler_active = 2, debug_locks = 1
[   11.823253] 1 lock held by dom:0/90:
[   11.823292]  #0: ffff998956ec8118 (&vcpu->mutex){+.+.}, at: kvm_vcpu_ioctl+0x85/0x680
[   11.823379]
[   11.823379] stack backtrace:
[   11.823428] CPU: 2 PID: 90 Comm: dom:0 Kdump: loaded Not tainted 5.4.34+ #5
[   11.823496] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
[   11.823612] Call Trace:
[   11.823645]  dump_stack+0x7a/0xa5
[   11.823681]  lockdep_rcu_suspicious+0xc5/0x100
[   11.823726]  __kvm_xen_has_interrupt+0x179/0x190
[   11.823773]  kvm_cpu_has_extint+0x6d/0x90
[   11.823813]  kvm_cpu_accept_dm_intr+0xd/0x40
[   11.823853]  kvm_vcpu_ready_for_interrupt_injection+0x20/0x30
              < post_kvm_run_save() inlined here >
[   11.823906]  kvm_arch_vcpu_ioctl_run+0x135/0x6a0
[   11.823947]  kvm_vcpu_ioctl+0x263/0x680

Fixes: 40da8ccd724f ("KVM: x86/xen: Add event channel interrupt vector upcall")
Signed-off-by: David Woodhouse <dwmw@amazon.co.uk>
Cc: stable@vger.kernel.org
Message-Id: <606aaaf29fca3850a63aa4499826104e77a72346.camel@infradead.org>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -8799,9 +8799,17 @@ static void post_kvm_run_save(struct kvm
 
 	kvm_run->cr8 = kvm_get_cr8(vcpu);
 	kvm_run->apic_base = kvm_get_apic_base(vcpu);
+
+	/*
+	 * The call to kvm_ready_for_interrupt_injection() may end up in
+	 * kvm_xen_has_interrupt() which may require the srcu lock to be
+	 * held, to protect against changes in the vcpu_info address.
+	 */
+	vcpu->srcu_idx = srcu_read_lock(&vcpu->kvm->srcu);
 	kvm_run->ready_for_interrupt_injection =
 		pic_in_kernel(vcpu->kvm) ||
 		kvm_vcpu_ready_for_interrupt_injection(vcpu);
+	srcu_read_unlock(&vcpu->kvm->srcu, vcpu->srcu_idx);
 
 	if (is_smm(vcpu))
 		kvm_run->flags |= KVM_RUN_X86_SMM;



^ permalink raw reply	[flat|nested] 130+ messages in thread

* RE: [PATCH 5.14 000/125] 5.14.16-rc1 review
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-11-01  9:18 ` [PATCH 5.14 125/125] KVM: x86: Take srcu lock in post_kvm_run_save() Greg Kroah-Hartman
@ 2021-11-01 14:42 ` Fox Chen
  2021-11-01 21:20 ` Shuah Khan
                   ` (2 subsequent siblings)
  128 siblings, 0 replies; 130+ messages in thread
From: Fox Chen @ 2021-11-01 14:42 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable, Fox Chen

On Mon,  1 Nov 2021 10:16:13 +0100, Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 5.14.16 release.
> There are 125 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.14.16-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

5.14.16-rc1 Successfully Compiled and booted on my Raspberry PI 4b (8g) (bcm2711)
                
Tested-by: Fox Chen <foxhlchen@gmail.com>


^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 5.14 000/125] 5.14.16-rc1 review
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-11-01 14:42 ` [PATCH 5.14 000/125] 5.14.16-rc1 review Fox Chen
@ 2021-11-01 21:20 ` Shuah Khan
  2021-11-01 23:38 ` Guenter Roeck
  2021-11-02  7:19 ` Naresh Kamboju
  128 siblings, 0 replies; 130+ messages in thread
From: Shuah Khan @ 2021-11-01 21:20 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 11/1/21 3:16 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.14.16 release.
> There are 125 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.14.16-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 5.14 000/125] 5.14.16-rc1 review
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-11-01 21:20 ` Shuah Khan
@ 2021-11-01 23:38 ` Guenter Roeck
  2021-11-02  7:19 ` Naresh Kamboju
  128 siblings, 0 replies; 130+ messages in thread
From: Guenter Roeck @ 2021-11-01 23:38 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, Nov 01, 2021 at 10:16:13AM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.14.16 release.
> There are 125 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 154 pass: 154 fail: 0
Qemu test results:
	total: 482 pass: 482 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

^ permalink raw reply	[flat|nested] 130+ messages in thread

* Re: [PATCH 5.14 000/125] 5.14.16-rc1 review
  2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-11-01 23:38 ` Guenter Roeck
@ 2021-11-02  7:19 ` Naresh Kamboju
  128 siblings, 0 replies; 130+ messages in thread
From: Naresh Kamboju @ 2021-11-02  7:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, shuah, f.fainelli, patches, lkft-triage, jonathanh,
	stable, pavel, akpm, torvalds, linux

On Mon, 1 Nov 2021 at 14:58, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.14.16 release.
> There are 125 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 03 Nov 2021 08:24:20 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.14.16-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

NOTE:
With new gcc-11 toolchain arm builds failed.
The fix patch is under review [1].
Due to this reason not considering it as a kernel regression.
* arm, build
    - gcc-11-defconfig FAILED

[1]
ARM: drop cc-option fallbacks for architecture selection
https://lore.kernel.org/linux-arm-kernel/20211018140735.3714254-1-arnd@kernel.org/

## Build
* kernel: 5.14.16-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.14.y
* git commit: c99063ce032cc300f6046ce43af6a0f5155171d3
* git describe: v5.14.15-126-gc99063ce032c
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.14.y/build/v5.14.15-126-gc99063ce032c

## No regressions (compared to v5.14.15)

## No fixes (compared to v5.14.15)

## Test result summary
total: 91356, pass: 77480, fail: 764, skip: 12385, xfail: 727

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 422 total, 370 passed, 52 failed
* arm64: 40 total, 40 passed, 0 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 39 total, 39 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 37 total, 37 passed, 0 failed
* parisc: 12 total, 12 passed, 0 failed
* powerpc: 36 total, 36 passed, 0 failed
* riscv: 24 total, 24 passed, 0 failed
* s390: 18 total, 18 passed, 0 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 40 total, 40 passed, 0 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselfte[
* kselftest-
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-[
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-co[
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 130+ messages in thread

end of thread, other threads:[~2021-11-02  7:19 UTC | newest]

Thread overview: 130+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-11-01  9:16 [PATCH 5.14 000/125] 5.14.16-rc1 review Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 001/125] ARM: 9132/1: Fix __get_user_check failure with ARM KASAN images Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 002/125] ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 003/125] ARM: 9134/1: remove duplicate memcpy() definition Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 004/125] ARM: 9138/1: fix link warning with XIP + frame-pointer Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 005/125] ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 006/125] ARM: 9141/1: only warn about XIP address when not compile testing Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 007/125] ARM: 9148/1: handle CONFIG_CPU_ENDIAN_BE32 in arch/arm/kernel/head.S Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 008/125] usbnet: sanity check for maxpacket Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 009/125] usbnet: fix error return code in usbnet_probe() Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 010/125] Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode" Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 011/125] pinctrl: amd: disable and mask interrupts on probe Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 012/125] ata: sata_mv: Fix the error handling of mv_chip_id() Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 013/125] tipc: fix size validations for the MSG_CRYPTO type Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 014/125] nfc: port100: fix using -ERRNO as command type mask Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 015/125] Revert "net: mdiobus: Fix memory leak in __mdiobus_register" Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 016/125] net/tls: Fix flipped sign in tls_err_abort() calls Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 017/125] mmc: vub300: fix control-message timeouts Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 018/125] mmc: cqhci: clear HALT state after CQE enable Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 019/125] mmc: mediatek: Move cqhci init behind ungate clock Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 020/125] mmc: tmio: reenable card irqs after the reset callback Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 021/125] mmc: dw_mmc: exynos: fix the finding clock sample value Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 022/125] mmc: sdhci: Map more voltage level to SDHCI_POWER_330 Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 023/125] mmc: sdhci-pci: Read card detect from ACPI for Intel Merrifield Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 024/125] mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 025/125] block: Fix partition check for host-aware zoned block devices Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 026/125] ocfs2: fix race between searching chunks and release journal_head from buffer_head Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 027/125] nvme-tcp: fix H2CData PDU send accounting (again) Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 028/125] ftrace/nds32: Update the proto for ftrace_trace_function to match ftrace_stub Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 029/125] cfg80211: scan: fix RCU in cfg80211_add_nontrans_list() Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 030/125] cfg80211: fix management registrations locking Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 031/125] net: lan78xx: fix division by zero in send path Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 032/125] drm/amd/display: Require immediate flip support for DCN3.1 planes Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 033/125] mm: hwpoison: remove the unnecessary THP check Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 034/125] mm: filemap: check if THP has hwpoisoned subpage for PMD page fault Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 035/125] mm, thp: bail out early in collapse_file for writeback page Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 036/125] mm: khugepaged: skip huge page collapse for special files Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 037/125] arm64: dts: imx8mm-kontron: Fix polarity of reg_rst_eth2 Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 038/125] arm64: dts: imx8mm-kontron: Fix CAN SPI clock frequency Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 039/125] arm64: dts: imx8mm-kontron: Fix connection type for VSC8531 RGMII PHY Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 040/125] arm64: dts: imx8mm-kontron: Set lower limit of VDD_SNVS to 800 mV Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 041/125] arm64: dts: imx8mm-kontron: Make sure SOC and DRAM supply voltages are correct Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 042/125] mac80211: mesh: fix HE operation element length check Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 043/125] drm/ttm: fix memleak in ttm_transfered_destroy Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 044/125] drm/i915: Convert unconditional clflush to drm_clflush_virt_range() Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 045/125] drm/i915: Catch yet another unconditioal clflush Greg Kroah-Hartman
2021-11-01  9:16 ` [PATCH 5.14 046/125] drm/i915/dp: Skip the HW readout of DPCD on disabled encoders Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 047/125] drm/amdgpu: Fix even more out of bound writes from debugfs Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 048/125] drm/amdgpu: fix out of bounds write Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 049/125] drm/amdgpu: support B0&B1 external revision id for yellow carp Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 050/125] drm/amd/display: Limit display scaling to up to true 4k for DCN 3.1 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 051/125] drm/amd/display: Fix prefetch bandwidth calculation for DCN3.1 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 052/125] drm/amd/display: increase Z9 latency to workaround underflow in Z9 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 053/125] drm/amd/display: Increase watermark latencies for DCN3.1 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 054/125] drm/amd/display: Moved dccg init to after bios golden init Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 055/125] drm/amd/display: Fallback to clocks which meet requested voltage on DCN31 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 056/125] drm/amd/display: Fix deadlock when falling back to v2 from v3 Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 057/125] Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout" Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 058/125] cgroup: Fix memory leak caused by missing cgroup_bpf_offline Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 059/125] riscv, bpf: Fix potential NULL dereference Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 060/125] tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 061/125] bpf: Fix potential race in tail call compatibility check Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 062/125] bpf: Fix error usage of map_fd and fdget() in generic_map_update_batch() Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 063/125] IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 064/125] IB/hfi1: Fix abba locking issue with sc_disable() Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 065/125] nvmet-tcp: fix data digest pointer calculation Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 066/125] nvme-tcp: " Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 067/125] nvme-tcp: fix possible req->offset corruption Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 068/125] octeontx2-af: Display all enabled PF VF rsrc_alloc entries Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 069/125] octeontx2-af: Fix possible null pointer dereference Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 070/125] ice: Respond to a NETDEV_UNREGISTER event for LAG Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 071/125] RDMA/mlx5: Set user priority for DCT Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 072/125] ice: check whether PTP is initialized in ice_ptp_release() Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 073/125] arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 074/125] reset: brcmstb-rescal: fix incorrect polarity of status bit Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 075/125] regmap: Fix possible double-free in regcache_rbtree_exit() Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 076/125] net: batman-adv: fix error handling Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 077/125] net-sysfs: initialize uid and gid before calling net_ns_get_ownership Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 078/125] cfg80211: correct bridge/4addr mode check Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 079/125] net: Prevent infinite while loop in skb_tx_hash() Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 080/125] RDMA/mlx5: Initialize the ODP xarray when creating an ODP MR Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 081/125] RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 082/125] gpio: xgs-iproc: fix parsing of ngpios property Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 083/125] nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 084/125] mlxsw: pci: Recycle received packet upon allocation failure Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 085/125] net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 086/125] net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 087/125] net: nxp: lpc_eth.c: avoid hang when bringing interface down Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 088/125] net: hns3: fix pause config problem after autoneg disabled Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 089/125] net: hns3: fix data endian problem of some functions of debugfs Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 090/125] net: ethernet: microchip: lan743x: Fix skb allocation failure Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 091/125] net/tls: Fix flipped sign in async_wait.err assignment Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 092/125] phy: phy_ethtool_ksettings_get: Lock the phy for consistency Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 093/125] phy: phy_ethtool_ksettings_set: Move after phy_start_aneg Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 094/125] phy: phy_start_aneg: Add an unlocked version Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 095/125] phy: phy_ethtool_ksettings_set: Lock the PHY while changing settings Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 096/125] RDMA/irdma: Process extended CQ entries correctly Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 097/125] RDMA/irdma: Set VLAN in UD work completion correctly Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 098/125] RDMA/irdma: Do not hold qos mutex twice on QP resume Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 099/125] sctp: use init_tag from inithdr for ABORT chunk Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 100/125] sctp: fix the processing for INIT chunk Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 101/125] sctp: fix the processing for INIT_ACK chunk Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 102/125] sctp: fix the processing for COOKIE_ECHO chunk Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 103/125] sctp: add vtag check in sctp_sf_violation Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 104/125] sctp: add vtag check in sctp_sf_do_8_5_1_E_sa Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 105/125] sctp: add vtag check in sctp_sf_ootb Greg Kroah-Hartman
2021-11-01  9:17 ` [PATCH 5.14 106/125] bpf: Use kvmalloc for map values in syscall Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 107/125] watchdog: sbsa: only use 32-bit accessors Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 108/125] bpf: Move BPF_MAP_TYPE for INODE_STORAGE and TASK_STORAGE outside of CONFIG_NET Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 109/125] net: hns3: add more string spaces for dumping packets number of queue info in debugfs Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 110/125] net: hns3: expand buffer len for some debugfs command Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 111/125] virtio-ring: fix DMA metadata flags Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 112/125] octeontx2-af: Check whether ipolicers exists Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 113/125] KVM: s390: clear kicked_mask before sleeping again Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 114/125] KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 115/125] scsi: ufs: ufs-exynos: Correct timeout value setting registers Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 116/125] perf script: Fix PERF_SAMPLE_WEIGHT_STRUCT support Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 117/125] scsi: ibmvfc: Fix up duplicate response detection Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 118/125] riscv: fix misalgned trap vector base address Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 119/125] riscv: Do not re-populate shadow memory with kasan_populate_early_shadow Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 120/125] riscv: Fix asan-stack clang build Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 121/125] perf script: Check session->header.env.arch before using it Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 122/125] KVM: x86/xen: Fix kvm_xen_has_interrupt() sleeping in kvm_vcpu_block() Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 123/125] KVM: x86: switch pvclock_gtod_sync_lock to a raw spinlock Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 124/125] KVM: SEV-ES: fix another issue with string I/O VMGEXITs Greg Kroah-Hartman
2021-11-01  9:18 ` [PATCH 5.14 125/125] KVM: x86: Take srcu lock in post_kvm_run_save() Greg Kroah-Hartman
2021-11-01 14:42 ` [PATCH 5.14 000/125] 5.14.16-rc1 review Fox Chen
2021-11-01 21:20 ` Shuah Khan
2021-11-01 23:38 ` Guenter Roeck
2021-11-02  7:19 ` Naresh Kamboju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).