linux-kernel.vger.kernel.org archive mirror
* [PATCH 5.15 000/177] 5.15.11-rc1 review
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 5.15.11 release.
There are 177 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.11-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.15.11-rc1

Juergen Gross <jgross@suse.com>
    xen/netback: don't queue unlimited number of packages

Juergen Gross <jgross@suse.com>
    xen/netback: fix rx queue stall detection

Juergen Gross <jgross@suse.com>
    xen/console: harden hvc_xen against event channel storms

Juergen Gross <jgross@suse.com>
    xen/netfront: harden netfront against event channel storms

Juergen Gross <jgross@suse.com>
    xen/blkfront: harden blkfront against event channel storms

Magnus Karlsson <magnus.karlsson@intel.com>
    Revert "xsk: Do not sleep in poll() when need_wakeup set"

SeongJae Park <sj@kernel.org>
    selftests/damon: test debugfs file reads/writes with huge count

Tony Lindgren <tony@atomide.com>
    bus: ti-sysc: Fix variable set but not used warning for reinit_modules

Jens Axboe <axboe@kernel.dk>
    io-wq: drop wqe lock before creating new worker

Paul E. McKenney <paulmck@kernel.org>
    rcu: Mark accesses to rcu_state.n_force_qs

Jens Axboe <axboe@kernel.dk>
    io-wq: check for wq exit after adding new worker task_work

Jens Axboe <axboe@kernel.dk>
    io-wq: remove spurious bit clear on task_work addition

George Kennedy <george.kennedy@oracle.com>
    scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

George Kennedy <george.kennedy@oracle.com>
    scsi: scsi_debug: Fix type in min_t to avoid stack OOB

George Kennedy <george.kennedy@oracle.com>
    scsi: scsi_debug: Don't call kcalloc() if size arg is zero

Miklos Szeredi <mszeredi@redhat.com>
    ovl: fix warning in ovl_create_real()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: annotate lock in fuse_reverse_inval_entry()

Pavel Skripkin <paskripkin@gmail.com>
    media: mxl111sf: change mutex_init() location

Alan Stern <stern@rowland.harvard.edu>
    USB: core: Make do_proc_control() and do_proc_bulk() killable

Alexei Starovoitov <ast@kernel.org>
    bpf: Fix extable address check.

Jie Meng <jmeng@fb.com>
    bpf, x64: Factor out emission of REX byte in more cases

Matthieu Baerts <matthieu.baerts@tessares.net>
    mptcp: add missing documented NL params

Magnus Karlsson <magnus.karlsson@intel.com>
    xsk: Do not sleep in poll() when need_wakeup set

Fabio Estevam <festevam@gmail.com>
    ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name

Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
    can: m_can: pci: use custom bit timings for Elkhart Lake

Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
    can: m_can: make custom bittiming fields const

Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
    Revert "can: m_can: remove support for custom bit timing"

Mario Limonciello <mario.limonciello@amd.com>
    drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC

Hawking Zhang <Hawking.Zhang@amd.com>
    drm/amdgpu: don't override default ECO_BITs setting

Le Ma <le.ma@amd.com>
    drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE

Russell Currey <ruscur@russell.cc>
    powerpc/module_64: Fix livepatching for RO modules

George Kennedy <george.kennedy@oracle.com>
    libata: if T_LENGTH is zero, dma direction should be DMA_NONE

Adrian Hunter <adrian.hunter@intel.com>
    perf inject: Fix segfault due to perf_data__fd() without open

Adrian Hunter <adrian.hunter@intel.com>
    perf inject: Fix segfault due to close without open

Bin Meng <bin.meng@windriver.com>
    riscv: dts: unmatched: Add gpio card detect to mmc-spi-slot

Bin Meng <bin.meng@windriver.com>
    riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot

Zqiang <qiang1.zhang@intel.com>
    locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner()

Thiago Rafael Becker <trbecker@gmail.com>
    cifs: sanitize multiple delimiters in prepath

Yu Liao <liaoyu15@huawei.com>
    timekeeping: Really make sure wall_to_monotonic isn't positive

Ji-Ze Hong (Peter Hong) <hpeter@gmail.com>
    serial: 8250_fintek: Fix garbled text for console

Tejun Heo <tj@kernel.org>
    iocost: Fix divide-by-zero on donation from low hweight cgroup

Naohiro Aota <naohiro.aota@wdc.com>
    zonefs: add MODULE_ALIAS_FS

Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
    btrfs: fix missing blkdev_put() call in btrfs_scan_one_device()

Josef Bacik <josef@toxicpanda.com>
    btrfs: check WRITE_ERR when trying to read an extent buffer

Filipe Manana <fdmanana@suse.com>
    btrfs: fix double free of anon_dev after failure to create subvolume

Jianglei Nie <niejianglei2021@163.com>
    btrfs: fix memory leak in __add_inode_ref()

Scott Mayhew <smayhew@redhat.com>
    selinux: fix sleeping function called from invalid context

Daniele Palmas <dnlplm@gmail.com>
    USB: serial: option: add Telit FN990 compositions

Johan Hovold <johan@kernel.org>
    USB: serial: cp210x: fix CP2105 GPIO registration

Marian Postevca <posteuca@mutex.one>
    usb: gadget: u_ether: fix race in setting MAC address in setup phase

Xu Yang <xu.yang_2@nxp.com>
    usb: typec: tcpm: fix tcpm unregister port but leave a pending timer

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix issue in cdnsp_log_ep trace event

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix incorrect calling of cdnsp_died function

Pawel Laszczak <pawell@cadence.com>
    usb: cdnsp: Fix incorrect status for control request

Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
    usb: xhci: Extend support for runtime power management for AMD's Yellow carp.

Chunfeng Yun <chunfeng.yun@mediatek.com>
    usb: xhci-mtk: fix list_del warning when enable list debug

Stefan Roese <sr@denx.de>
    PCI/MSI: Mask MSI-X vectors only on success

Thomas Gleixner <tglx@linutronix.de>
    PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error

Amelie Delaunay <amelie.delaunay@foss.st.com>
    usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe

Jimmy Wang <wangjm221@gmail.com>
    USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)

Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
    tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Revert "usb: early: convert to readl_poll_timeout_atomic()"

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    USB: gadget: bRequestType is a bitfield, not a enum

Xiaoming Ni <nixiaoming@huawei.com>
    powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n

Martin KaFai Lau <kafai@fb.com>
    bpf, selftests: Fix racing issue in btf_skc_cls_ingress test

Alexei Starovoitov <ast@kernel.org>
    bpf: Fix extable fixup offset.

Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
    arm64: kexec: Fix missing error code 'ret' warning in load_other_segments()

David Howells <dhowells@redhat.com>
    afs: Fix mmap

Eric Dumazet <edumazet@google.com>
    sit: do not call ipip6_dev_free() from sit_init_net()

Florian Fainelli <f.fainelli@gmail.com>
    net: systemport: Add global locking for descriptor lifecycle

D. Wythe <alibuda@linux.alibaba.com>
    net/smc: Prevent smc_release() from long blocking

Gal Pressman <gal@nvidia.com>
    net: Fix double 0x prefix print in SKB dump

Andrey Eremeev <Axtone4all@yandex.ru>
    dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    sfc_ef100: potential dereference of null pointer

John Keeping <john@metanate.com>
    net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup

Willem de Bruijn <willemb@google.com>
    net/packet: rx_owner_map depends on pg_vec

Haimin Zhang <tcs.kernel@gmail.com>
    netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc

Cyril Novikov <cnovikov@lynx.com>
    ixgbe: set X550 MDIO speed before talking to PHY

Robert Schlabbach <robert_s@gmx.net>
    ixgbe: Document how to enable NBASE-T support

Sasha Neftin <sasha.neftin@intel.com>
    igc: Fix typo in i225 LTR functions

Letu Ren <fantasquex@gmail.com>
    igbvf: fix double free in `igbvf_probe`

Karen Sornek <karen.sornek@intel.com>
    igb: Fix removal of unicast MAC filters of VFs

Nathan Chancellor <nathan@kernel.org>
    soc/tegra: fuse: Fix bitwise vs. logical OR warning

Maxim Galaganov <max@internet.ru>
    mptcp: fix deadlock in __mptcp_push_pending()

Florian Westphal <fw@strlen.de>
    mptcp: clear 'kern' flag from fallback sockets

Florian Westphal <fw@strlen.de>
    mptcp: remove tcp ulp setsockopt support

Lang Yu <lang.yu@amd.com>
    drm/amd/pm: fix a potential gpu_metrics_table memory leak

Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
    drm/amd/display: Set exit_optimized_pwr_state for DCN31

Karol Kolacinski <karol.kolacinski@intel.com>
    ice: Don't put stale timestamps in the skb

Karol Kolacinski <karol.kolacinski@intel.com>
    ice: Use div64_u64 instead of div_u64 in adjfine

Hangyu Hua <hbh25y@gmail.com>
    rds: memory leak in __rds_conn_create()

Baowen Zheng <baowen.zheng@corigine.com>
    flow_offload: return EOPNOTSUPP for the unsupported mpls action type

Ong Boon Leong <boon.leong.ong@intel.com>
    net: stmmac: fix tc flower deletion for VLAN priority Rx steering

Johannes Berg <johannes.berg@intel.com>
    mac80211: fix lookup when adding AddBA extension element

Ilan Peer <ilan.peer@intel.com>
    cfg80211: Acquire wiphy mutex on regulatory work

Johannes Berg <johannes.berg@intel.com>
    mac80211: agg-tx: don't schedule_and_wake_txq() under sta->lock

Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
    drm/i915/display: Fix an unsigned subtraction which can never be negative.

Jiasheng Jiang <jiasheng@iscas.ac.cn>
    drm/ast: potential dereference of null pointer

Paolo Abeni <pabeni@redhat.com>
    mptcp: never allow the PM to close a listener subflow

Hangbin Liu <liuhangbin@gmail.com>
    selftest/net/forwarding: declare NETIFS p9 p10

Marek Behún <kabel@kernel.org>
    net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down()

Willem de Bruijn <willemb@google.com>
    selftests/net: toeplitz: fix udp option

Davide Caratti <dcaratti@redhat.com>
    net/sched: sch_ets: don't remove idle classes from the round-robin list

Alejandro Concepcion-Rodriguez <asconcepcion@acoro.eu>
    drm: simpledrm: fix wrong unit with pixel clock

Alyssa Ross <hi@alyssa.is>
    dmaengine: st_fdma: fix MODULE_ALIAS

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix missed completion on abort path

David Ahern <dsahern@kernel.org>
    selftests: Fix IPv6 address bind tests

David Ahern <dsahern@kernel.org>
    selftests: Fix raw socket bind tests with VRF

David Ahern <dsahern@kernel.org>
    selftests: Add duplicate config only for MD5 VRF tests

Yufeng Mo <moyufeng@huawei.com>
    net: hns3: fix race condition in debugfs

Jie Wang <wangjie125@huawei.com>
    net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg

Po-Hsu Lin <po-hsu.lin@canonical.com>
    selftests: icmp_redirect: pass xfail=0 to log_test()

Filip Pokryvka <fpokryvk@redhat.com>
    netdevsim: don't overwrite read only ethtool parms

Eric Dumazet <edumazet@google.com>
    inet_diag: fix kernel-infoleak for UDP sockets

Eric Dumazet <edumazet@google.com>
    sch_cake: do not call cake_destroy() from cake_init()

Philipp Rudo <prudo@redhat.com>
    s390/kexec_file: fix error handling when applying relocations

Jie2x Zhou <jie2x.zhou@intel.com>
    selftests: net: Correct ping6 expected rc from 2 to 1

Javier Martinez Canillas <javierm@redhat.com>
    Revert "drm/fb-helper: improve DRM fbdev emulation device names"

Parav Pandit <parav@nvidia.com>
    vdpa: Consider device id larger than 31

Wei Wang <wei.w.wang@intel.com>
    virtio/vsock: fix the transport to work with VMADDR_CID_ANY

Arnd Bergmann <arnd@arndb.de>
    virtio: always enter drivers/virtio/

Johannes Berg <johannes.berg@intel.com>
    iwlwifi: mvm: don't crash on invalid rate w/o STA

Stephan Gerhold <stephan@gerhold.net>
    soc: imx: Register SoC device only on i.MX boards

Mike Tipton <quic_mdtipton@quicinc.com>
    clk: Don't parent clks until the parent is fully registered

Martin Kepplinger <martink@posteo.de>
    arm64: dts: imx8mq: remove interconnect property from lcdif

Dinh Nguyen <dinguyen@kernel.org>
    ARM: socfpga: dts: fix qspi node compatible

Xiubo Li <xiubli@redhat.com>
    ceph: initialize pathlen variable in reconnect_caps_cb

Hu Weiwen <sehuww@mail.scut.edu.cn>
    ceph: fix duplicate increment of opened_inodes metric

Dan Carpenter <dan.carpenter@oracle.com>
    tee: amdtee: fix an IS_ERR() vs NULL bug

Randy Dunlap <rdunlap@infradead.org>
    hv: utils: add PTP_1588_CLOCK to Kconfig to fix build

Johannes Berg <johannes.berg@intel.com>
    mac80211: track only QoS data frames for admission control

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: fix calling wq quiesce inside spinlock

Dave Jiang <dave.jiang@intel.com>
    dmaengine: idxd: add halt interrupt support

Florian Klink <flokli@flokli.de>
    arm64: dts: rockchip: fix poweroff on helios64

Alex Bee <knaerzche@gmail.com>
    arm64: dts: rockchip: fix audio-supply for Rock Pi 4

John Keeping <john@metanate.com>
    arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply

John Keeping <john@metanate.com>
    arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply

Artem Lapkin <email2tema@gmail.com>
    arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge

Mario Limonciello <mario.limonciello@amd.com>
    pinctrl: amd: Fix wakeups when IRQ is shared with SCI

Ville Syrjälä <ville.syrjala@linux.intel.com>
    drm/i915/hdmi: Turn DP++ TMDS output buffers back on in encoder->shutdown()

Jani Nikula <jani.nikula@intel.com>
    drm/i915/hdmi: convert intel_hdmi_to_dev to intel_hdmi_to_i915

Jaegeuk Kim <jaegeuk@kernel.org>
    scsi: ufs: core: Retry START_STOP on UNIT_ATTENTION

Anand Jain <anand.jain@oracle.com>
    btrfs: remove stale comment about the btrfs_show_devname

Anand Jain <anand.jain@oracle.com>
    btrfs: update latest_dev when we create a sprout device

Anand Jain <anand.jain@oracle.com>
    btrfs: use latest_dev in btrfs_show_devname

Anand Jain <anand.jain@oracle.com>
    btrfs: convert latest_bdev type to btrfs_device and rename

Paul Moore <paul@paul-moore.com>
    audit: improve robustness of the audit queue handling

Joe Thornber <ejt@redhat.com>
    dm btree remove: fix use after free in rebalance_children()

Christian Brauner <christian.brauner@ubuntu.com>
    ceph: fix up non-directory creation in SGID directories

Mathew McBride <matt@traverse.com.au>
    arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys

Jerome Marchand <jmarchan@redhat.com>
    recordmcount.pl: look for jgnop instruction as well as bcrl on s390

Sven Schnelle <svens@linux.ibm.com>
    s390/entry: fix duplicate tracking of irq nesting level

Dan Carpenter <dan.carpenter@oracle.com>
    vdpa: check that offsets are within bounds

Will Deacon <will@kernel.org>
    virtio_ring: Fix querying of maximum DMA mapping size for virtio device

Dan Carpenter <dan.carpenter@oracle.com>
    vduse: check that offset is within bounds in get_config()

Dan Carpenter <dan.carpenter@oracle.com>
    vduse: fix memory corruption in vduse_dev_ioctl()

Daniel Borkmann <daniel@iogearbox.net>
    bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer

Daniel Borkmann <daniel@iogearbox.net>
    bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg

Daniel Borkmann <daniel@iogearbox.net>
    bpf, selftests: Add test case trying to taint map value pointer

Daniel Borkmann <daniel@iogearbox.net>
    bpf: Make 32->64 bounds propagation slightly more robust

Daniel Borkmann <daniel@iogearbox.net>
    bpf: Fix signed bounds propagation after mov32

Daniel Borkmann <daniel@iogearbox.net>
    bpf, selftests: Add test case for atomic fetch on spilled pointer

Daniel Borkmann <daniel@iogearbox.net>
    bpf: Fix kernel address leakage in atomic fetch

Sudeep Holla <sudeep.holla@arm.com>
    firmware: arm_scpi: Fix string overflow in SCPI genpd driver

Johannes Berg <johannes.berg@intel.com>
    mac80211: validate extended element ID is present

Felix Fietkau <nbd@nbd.name>
    mac80211: send ADDBA requests using the tid/queue of the aggregation session

Johannes Berg <johannes.berg@intel.com>
    mac80211: mark TX-during-stop for TX in in_reconfig

Felix Fietkau <nbd@nbd.name>
    mac80211: fix regression in SSN handling of addba tx

Felix Fietkau <nbd@nbd.name>
    mac80211: fix rate control for retransmitted frames

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Fix tlb flush for tdp in kvm_invalidate_pcid()

Juergen Gross <jgross@suse.com>
    x86/kvm: remove unused ack_notifier callbacks

Paolo Bonzini <pbonzini@redhat.com>
    KVM: downgrade two BUG_ONs to WARN_ON_ONCE

Vitaly Kuznetsov <vkuznets@redhat.com>
    KVM: selftests: Make sure kvm_create_max_vcpus test won't hit RLIMIT_NOFILE

Paolo Bonzini <pbonzini@redhat.com>
    KVM: VMX: clear vmx_x86_ops.sync_pir_to_irr if APICv is disabled

Jon Hunter <jonathanh@nvidia.com>
    reset: tegra-bpmp: Revert Handle errors in BPMP response


-------------

Diffstat:

 .../device_drivers/ethernet/intel/ixgbe.rst        |  16 +++
 Makefile                                           |   4 +-
 arch/arm/boot/dts/imx6ull-pinfunc.h                |   2 +-
 arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts   |   2 +-
 arch/arm/boot/dts/socfpga_arria5_socdk.dts         |   2 +-
 arch/arm/boot/dts/socfpga_cyclone5_socdk.dts       |   2 +-
 arch/arm/boot/dts/socfpga_cyclone5_sockit.dts      |   2 +-
 arch/arm/boot/dts/socfpga_cyclone5_socrates.dts    |   2 +-
 arch/arm/boot/dts/socfpga_cyclone5_sodia.dts       |   2 +-
 arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts |   4 +-
 .../arm64/boot/dts/freescale/fsl-ls1088a-ten64.dts |   2 -
 arch/arm64/boot/dts/freescale/imx8mq.dtsi          |   2 -
 arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts     |   2 +-
 .../boot/dts/rockchip/rk3399-khadas-edge.dtsi      |   1 -
 .../boot/dts/rockchip/rk3399-kobol-helios64.dts    |   1 +
 arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts  |   2 +-
 arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi |   2 +-
 arch/arm64/kernel/machine_kexec_file.c             |   1 +
 arch/powerpc/kernel/module_64.c                    |  42 ++++--
 arch/powerpc/platforms/85xx/smp.c                  |   4 +-
 .../riscv/boot/dts/sifive/hifive-unleashed-a00.dts |   1 +
 .../riscv/boot/dts/sifive/hifive-unmatched-a00.dts |   2 +
 arch/s390/kernel/irq.c                             |   9 +-
 arch/s390/kernel/machine_kexec_file.c              |   7 +-
 arch/x86/kvm/ioapic.h                              |   1 -
 arch/x86/kvm/irq.h                                 |   1 -
 arch/x86/kvm/vmx/vmx.c                             |   4 +-
 arch/x86/kvm/x86.c                                 |  14 +-
 arch/x86/net/bpf_jit_comp.c                        | 101 ++++++++++-----
 block/blk-iocost.c                                 |   9 +-
 drivers/Makefile                                   |   3 +-
 drivers/ata/libata-scsi.c                          |  15 ++-
 drivers/block/xen-blkfront.c                       |  15 ++-
 drivers/bus/ti-sysc.c                              |   3 +-
 drivers/clk/clk.c                                  |  15 ++-
 drivers/dma/idxd/irq.c                             |   7 +-
 drivers/dma/idxd/registers.h                       |   1 +
 drivers/dma/idxd/submit.c                          |  18 ++-
 drivers/dma/st_fdma.c                              |   2 +-
 drivers/firmware/scpi_pm_domain.c                  |  10 +-
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c              |   4 +-
 drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c           |   1 -
 drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c           |   1 -
 drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c           |   1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c            |   1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c            |   1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c            |   1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c            |   1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c            |   2 -
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c  |   1 +
 drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c     |   3 +
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c     |   3 +
 drivers/gpu/drm/ast/ast_mode.c                     |   5 +-
 drivers/gpu/drm/drm_fb_helper.c                    |   8 +-
 drivers/gpu/drm/i915/display/g4x_hdmi.c            |   1 +
 drivers/gpu/drm/i915/display/intel_ddi.c           |   1 +
 drivers/gpu/drm/i915/display/intel_dmc.c           |   2 +-
 drivers/gpu/drm/i915/display/intel_hdmi.c          |  32 +++--
 drivers/gpu/drm/i915/display/intel_hdmi.h          |   1 +
 drivers/gpu/drm/tiny/simpledrm.c                   |   2 +-
 drivers/hv/Kconfig                                 |   1 +
 drivers/md/persistent-data/dm-btree-remove.c       |   2 +-
 drivers/media/usb/dvb-usb-v2/mxl111sf.c            |  16 ++-
 drivers/net/can/m_can/m_can.c                      |  24 +++-
 drivers/net/can/m_can/m_can.h                      |   3 +
 drivers/net/can/m_can/m_can_pci.c                  |  48 ++++++-
 drivers/net/dsa/mv88e6xxx/chip.c                   |   4 +
 drivers/net/dsa/mv88e6xxx/port.c                   |   4 +-
 drivers/net/ethernet/broadcom/bcmsysport.c         |   5 +-
 drivers/net/ethernet/broadcom/bcmsysport.h         |   1 +
 drivers/net/ethernet/hisilicon/hns3/hnae3.h        |   2 +
 drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c |  20 ++-
 .../ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c   |   3 +-
 drivers/net/ethernet/intel/ice/ice_ptp.c           |  13 +-
 drivers/net/ethernet/intel/ice/ice_ptp.h           |   6 +
 drivers/net/ethernet/intel/igb/igb_main.c          |  28 ++--
 drivers/net/ethernet/intel/igbvf/netdev.c          |   1 +
 drivers/net/ethernet/intel/igc/igc_i225.c          |   2 +-
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c      |   4 +
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c      |   3 +
 drivers/net/ethernet/sfc/ef100_nic.c               |   3 +
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c     |   4 +-
 drivers/net/ethernet/stmicro/stmmac/stmmac.h       |  17 +++
 drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c    |  86 ++++++++++--
 drivers/net/netdevsim/bpf.c                        |   1 +
 drivers/net/netdevsim/ethtool.c                    |   5 +-
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c        |   5 +-
 drivers/net/xen-netback/common.h                   |   1 +
 drivers/net/xen-netback/rx.c                       |  77 +++++++----
 drivers/net/xen-netfront.c                         | 125 +++++++++++++-----
 drivers/pci/msi.c                                  |  15 ++-
 drivers/pinctrl/pinctrl-amd.c                      |  29 ++++-
 drivers/reset/tegra/reset-bpmp.c                   |   9 +-
 drivers/scsi/scsi_debug.c                          |  42 +++---
 drivers/scsi/ufs/ufshcd.c                          |  12 +-
 drivers/soc/imx/soc-imx.c                          |   4 +
 drivers/soc/tegra/fuse/fuse-tegra.c                |   2 +-
 drivers/soc/tegra/fuse/fuse.h                      |   2 +-
 drivers/tee/amdtee/core.c                          |   5 +-
 drivers/tty/hvc/hvc_xen.c                          |  30 ++++-
 drivers/tty/n_hdlc.c                               |  23 +++-
 drivers/tty/serial/8250/8250_fintek.c              |  20 ---
 drivers/usb/cdns3/cdnsp-gadget.c                   |  12 ++
 drivers/usb/cdns3/cdnsp-ring.c                     |  11 +-
 drivers/usb/cdns3/cdnsp-trace.h                    |   4 +-
 drivers/usb/core/devio.c                           | 144 ++++++++++++++++-----
 drivers/usb/core/quirks.c                          |   3 +
 drivers/usb/dwc2/platform.c                        |   3 +
 drivers/usb/early/xhci-dbc.c                       |  15 ++-
 drivers/usb/gadget/composite.c                     |   6 +-
 drivers/usb/gadget/function/u_ether.c              |  16 +--
 drivers/usb/gadget/legacy/dbgp.c                   |   6 +-
 drivers/usb/gadget/legacy/inode.c                  |   6 +-
 drivers/usb/host/xhci-mtk-sch.c                    |   2 +-
 drivers/usb/host/xhci-pci.c                        |   6 +-
 drivers/usb/serial/cp210x.c                        |   6 +-
 drivers/usb/serial/option.c                        |   8 ++
 drivers/usb/typec/tcpm/tcpm.c                      |  18 ++-
 drivers/vdpa/vdpa.c                                |   3 +-
 drivers/vdpa/vdpa_user/vduse_dev.c                 |   6 +-
 drivers/vhost/vdpa.c                               |   2 +-
 drivers/virtio/virtio_ring.c                       |   2 +-
 drivers/xen/events/events_base.c                   |   6 +
 fs/afs/file.c                                      |   5 +-
 fs/afs/super.c                                     |   1 +
 fs/btrfs/disk-io.c                                 |  14 +-
 fs/btrfs/extent_io.c                               |  10 +-
 fs/btrfs/inode.c                                   |   2 +-
 fs/btrfs/super.c                                   |  26 +---
 fs/btrfs/tree-log.c                                |   1 +
 fs/btrfs/volumes.c                                 |  25 ++--
 fs/btrfs/volumes.h                                 |   6 +-
 fs/ceph/caps.c                                     |  16 +--
 fs/ceph/file.c                                     |  18 ++-
 fs/ceph/mds_client.c                               |   3 +-
 fs/cifs/fs_context.c                               |  38 +++++-
 fs/fuse/dir.c                                      |   2 +-
 fs/io-wq.c                                         |  31 ++++-
 fs/overlayfs/dir.c                                 |   3 +-
 fs/overlayfs/overlayfs.h                           |   1 +
 fs/overlayfs/super.c                               |  12 +-
 fs/zonefs/super.c                                  |   1 +
 include/uapi/linux/mptcp.h                         |  18 +--
 include/xen/events.h                               |   1 +
 kernel/audit.c                                     |  21 ++-
 kernel/bpf/verifier.c                              |  49 +++++--
 kernel/locking/rtmutex.c                           |   2 +-
 kernel/rcu/tree.c                                  |  10 +-
 kernel/time/timekeeping.c                          |   3 +-
 net/core/skbuff.c                                  |   2 +-
 net/ipv4/inet_diag.c                               |   4 +-
 net/ipv6/sit.c                                     |   1 -
 net/mac80211/agg-rx.c                              |   5 +-
 net/mac80211/agg-tx.c                              |  16 ++-
 net/mac80211/driver-ops.h                          |   5 +-
 net/mac80211/mlme.c                                |  13 +-
 net/mac80211/sta_info.h                            |   1 +
 net/mac80211/tx.c                                  |   6 +-
 net/mac80211/util.c                                |   7 +-
 net/mptcp/pm_netlink.c                             |   3 +
 net/mptcp/protocol.c                               |   6 +-
 net/mptcp/sockopt.c                                |   1 -
 net/packet/af_packet.c                             |   5 +-
 net/rds/connection.c                               |   1 +
 net/sched/cls_api.c                                |   1 +
 net/sched/sch_cake.c                               |   6 +-
 net/sched/sch_ets.c                                |   4 +-
 net/smc/af_smc.c                                   |   4 +-
 net/vmw_vsock/virtio_transport_common.c            |   3 +-
 net/wireless/reg.c                                 |   7 +-
 scripts/recordmcount.pl                            |   2 +-
 security/selinux/hooks.c                           |  33 +++--
 tools/perf/builtin-inject.c                        |  13 +-
 .../selftests/bpf/prog_tests/btf_skc_cls_ingress.c |  16 ++-
 .../selftests/bpf/verifier/atomic_cmpxchg.c        |  86 ++++++++++++
 .../selftests/bpf/verifier/value_ptr_arith.c       |  23 ++++
 tools/testing/selftests/damon/.gitignore           |   2 +
 tools/testing/selftests/damon/Makefile             |   2 +
 tools/testing/selftests/damon/debugfs_attrs.sh     |  18 +++
 .../selftests/damon/huge_count_read_write.c        |  39 ++++++
 tools/testing/selftests/kvm/kvm_create_max_vcpus.c |  30 +++++
 tools/testing/selftests/net/fcnal-test.sh          |  45 +++++--
 .../net/forwarding/forwarding.config.sample        |   2 +
 tools/testing/selftests/net/icmp_redirect.sh       |   2 +-
 tools/testing/selftests/net/toeplitz.c             |   2 +-
 virt/kvm/kvm_main.c                                |   6 +-
 186 files changed, 1585 insertions(+), 555 deletions(-)




* [PATCH 5.15 001/177] reset: tegra-bpmp: Revert Handle errors in BPMP response
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jon Hunter, Philipp Zabel

From: Jon Hunter <jonathanh@nvidia.com>

commit 69125b4b9440be015783312e1b8753ec96febde0 upstream.

Commit c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP
response") fixed an issue in the Tegra BPMP error handling but has
exposed an issue in the Tegra194 HDA driver and now resetting the
Tegra194 HDA controller is failing. For now revert the commit
c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP response")
while a fix for the Tegra HDA driver is created.

Fixes: c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP response")
Signed-off-by: Jon Hunter <jonathanh@nvidia.com>
Link: https://lore.kernel.org/r/20211112112712.21587-1-jonathanh@nvidia.com
Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/reset/tegra/reset-bpmp.c |    9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)

--- a/drivers/reset/tegra/reset-bpmp.c
+++ b/drivers/reset/tegra/reset-bpmp.c
@@ -20,7 +20,6 @@ static int tegra_bpmp_reset_common(struc
 	struct tegra_bpmp *bpmp = to_tegra_bpmp(rstc);
 	struct mrq_reset_request request;
 	struct tegra_bpmp_message msg;
-	int err;
 
 	memset(&request, 0, sizeof(request));
 	request.cmd = command;
@@ -31,13 +30,7 @@ static int tegra_bpmp_reset_common(struc
 	msg.tx.data = &request;
 	msg.tx.size = sizeof(request);
 
-	err = tegra_bpmp_transfer(bpmp, &msg);
-	if (err)
-		return err;
-	if (msg.rx.ret)
-		return -EINVAL;
-
-	return 0;
+	return tegra_bpmp_transfer(bpmp, &msg);
 }
 
 static int tegra_bpmp_reset_module(struct reset_controller_dev *rstc,
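
Review bot: in the second hunk of tegra_bpmp_reset_common(), returning tegra_bpmp_transfer() directly means a non-zero msg.rx.ret from the BPMP is once again reported to callers as success. Since the commit message describes this as a temporary revert, a short comment at the return saying that msg.rx.ret is deliberately ignored until the Tegra194 HDA driver is fixed would keep the gap from being forgotten.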



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 002/177] KVM: VMX: clear vmx_x86_ops.sync_pir_to_irr if APICv is disabled
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 001/177] reset: tegra-bpmp: Revert Handle errors in BPMP response Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 003/177] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini, Sasha Levin

From: Paolo Bonzini <pbonzini@redhat.com>

[ Upstream commit e90e51d5f01d2baae5dcce280866bbb96816e978 ]

There is nothing to synchronize if APICv is disabled, since neither
other vCPUs nor assigned devices can set PIR.ON.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/vmx/vmx.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/x86/kvm/vmx/vmx.c b/arch/x86/kvm/vmx/vmx.c
index dacdf2395f01a..4e212f04268bb 100644
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -7776,10 +7776,10 @@ static __init int hardware_setup(void)
 		ple_window_shrink = 0;
 	}
 
-	if (!cpu_has_vmx_apicv()) {
+	if (!cpu_has_vmx_apicv())
 		enable_apicv = 0;
+	if (!enable_apicv)
 		vmx_x86_ops.sync_pir_to_irr = NULL;
-	}
 
 	if (cpu_has_vmx_tsc_scaling()) {
 		kvm_has_tsc_control = true;
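
Review bot: in hardware_setup(), the new if (!enable_apicv) test clears vmx_x86_ops.sync_pir_to_irr without a comment, and the two unbraced ifs read as independent although the second depends on the assignment made by the first. A one-line comment giving the reason from the commit message (nothing to synchronize when APICv is disabled) would help, and it is worth confirming that every user of sync_pir_to_irr tolerates a NULL callback now that enable_apicv being 0 for any reason, not only missing hardware support, takes this path.
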
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.15 003/177] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 001/177] reset: tegra-bpmp: Revert Handle errors in BPMP response Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 002/177] KVM: VMX: clear vmx_x86_ops.sync_pir_to_irr if APICv is disabled Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 004/177] KVM: downgrade two BUG_ONs to WARN_ON_ONCE Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Vitaly Kuznetsov,
	Sean Christopherson, Paolo Bonzini, Sasha Levin

From: Vitaly Kuznetsov <vkuznets@redhat.com>

[ Upstream commit 908fa88e420f30dde6d80f092795a18ec72ca6d3 ]

With the elevated 'KVM_CAP_MAX_VCPUS' value kvm_create_max_vcpus test
may hit RLIMIT_NOFILE limits:

 # ./kvm_create_max_vcpus
 KVM_CAP_MAX_VCPU_ID: 4096
 KVM_CAP_MAX_VCPUS: 1024
 Testing creating 1024 vCPUs, with IDs 0...1023.
 /dev/kvm not available (errno: 24), skipping test

Adjust RLIMIT_NOFILE limits to make sure KVM_CAP_MAX_VCPUS fds can be
opened. Note, raising hard limit ('rlim_max') requires CAP_SYS_RESOURCE
capability which is generally not needed to run kvm selftests (but without
raising the limit the test is doomed to fail anyway).

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20211123135953.667434-1-vkuznets@redhat.com>
[Skip the test if the hard limit can be raised. - Paolo]
Reviewed-by: Sean Christopherson <seanjc@google.com>
Tested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../selftests/kvm/kvm_create_max_vcpus.c      | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/tools/testing/selftests/kvm/kvm_create_max_vcpus.c b/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
index 0299cd81b8ba2..aa3795cd7bd3d 100644
--- a/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
+++ b/tools/testing/selftests/kvm/kvm_create_max_vcpus.c
@@ -12,6 +12,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <sys/resource.h>
 
 #include "test_util.h"
 
@@ -40,10 +41,39 @@ int main(int argc, char *argv[])
 {
 	int kvm_max_vcpu_id = kvm_check_cap(KVM_CAP_MAX_VCPU_ID);
 	int kvm_max_vcpus = kvm_check_cap(KVM_CAP_MAX_VCPUS);
+	/*
+	 * Number of file descriptors reqired, KVM_CAP_MAX_VCPUS for vCPU fds +
+	 * an arbitrary number for everything else.
+	 */
+	int nr_fds_wanted = kvm_max_vcpus + 100;
+	struct rlimit rl;
 
 	pr_info("KVM_CAP_MAX_VCPU_ID: %d\n", kvm_max_vcpu_id);
 	pr_info("KVM_CAP_MAX_VCPUS: %d\n", kvm_max_vcpus);
 
+	/*
+	 * Check that we're allowed to open nr_fds_wanted file descriptors and
+	 * try raising the limits if needed.
+	 */
+	TEST_ASSERT(!getrlimit(RLIMIT_NOFILE, &rl), "getrlimit() failed!");
+
+	if (rl.rlim_cur < nr_fds_wanted) {
+		rl.rlim_cur = nr_fds_wanted;
+		if (rl.rlim_max < nr_fds_wanted) {
+			int old_rlim_max = rl.rlim_max;
+			rl.rlim_max = nr_fds_wanted;
+
+			int r = setrlimit(RLIMIT_NOFILE, &rl);
+			if (r < 0) {
+				printf("RLIMIT_NOFILE hard limit is too low (%d, wanted %d)\n",
+				       old_rlim_max, nr_fds_wanted);
+				exit(KSFT_SKIP);
+			}
+		} else {
+			TEST_ASSERT(!setrlimit(RLIMIT_NOFILE, &rl), "setrlimit() failed!");
+		}
+	}
+
 	/*
 	 * Upstream KVM prior to 4.8 does not support KVM_CAP_MAX_VCPU_ID.
 	 * Userspace is supposed to use KVM_CAP_MAX_VCPUS as the maximum ID
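
Review bot: in main(), old_rlim_max is declared int and printed with %d although rl.rlim_max is an rlim_t, and rl.rlim_cur and rl.rlim_max are compared against the signed int nr_fds_wanted; keep the saved value as rlim_t with a matching format and make the comparison types agree. Smaller points in the same hunk: "reqired" in the first comment should be "required", int r is declared after a statement in its block, and the skip message goes through printf() while the lines above use pr_info().
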
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.15 004/177] KVM: downgrade two BUG_ONs to WARN_ON_ONCE
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 003/177] KVM: selftests: Make sure kvm_create_max_vcpus test wont hit RLIMIT_NOFILE Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 005/177] x86/kvm: remove unused ack_notifier callbacks Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Paolo Bonzini, Sasha Levin

From: Paolo Bonzini <pbonzini@redhat.com>

[ Upstream commit 5f25e71e311478f9bb0a8ef49e7d8b95316491d7 ]

This is not an unrecoverable situation.  Users of kvm_read_guest_offset_cached
and kvm_write_guest_offset_cached must expect the read/write to fail, and
therefore it is possible to just return early with an error value.

Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 virt/kvm/kvm_main.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
index ce1847bc898b2..c6bfd4e15d28a 100644
--- a/virt/kvm/kvm_main.c
+++ b/virt/kvm/kvm_main.c
@@ -3001,7 +3001,8 @@ int kvm_write_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
 	int r;
 	gpa_t gpa = ghc->gpa + offset;
 
-	BUG_ON(len + offset > ghc->len);
+	if (WARN_ON_ONCE(len + offset > ghc->len))
+		return -EINVAL;
 
 	if (slots->generation != ghc->generation) {
 		if (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, ghc->len))
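
Review bot: in kvm_write_guest_offset_cached(), the bound test len + offset > ghc->len passes for an out-of-range request if the sum wraps. The parameter types are cut off in this hunk header, so please confirm the widths make that impossible, or write the test in a form that cannot wrap, for example offset > ghc->len followed by len > ghc->len - offset.
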
@@ -3038,7 +3039,8 @@ int kvm_read_guest_offset_cached(struct kvm *kvm, struct gfn_to_hva_cache *ghc,
 	int r;
 	gpa_t gpa = ghc->gpa + offset;
 
-	BUG_ON(len + offset > ghc->len);
+	if (WARN_ON_ONCE(len + offset > ghc->len))
+		return -EINVAL;
 
 	if (slots->generation != ghc->generation) {
 		if (__kvm_gfn_to_hva_cache_init(slots, ghc, ghc->gpa, ghc->len))
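
Review bot: kvm_read_guest_offset_cached() now carries the same two-line WARN_ON_ONCE()/-EINVAL check as the write path; a small shared helper would keep the two bounds tests from drifting apart. WARN_ON_ONCE() still brings the host down when panic_on_warn is set, so if a guest can influence len or offset here a plain error return would be the safer choice.
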
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.15 005/177] x86/kvm: remove unused ack_notifier callbacks
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 004/177] KVM: downgrade two BUG_ONs to WARN_ON_ONCE Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 006/177] KVM: X86: Fix tlb flush for tdp in kvm_invalidate_pcid() Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Juergen Gross, Paolo Bonzini, Sasha Levin

From: Juergen Gross <jgross@suse.com>

[ Upstream commit 9dba4d24cbb5524dd39ab1e08886373b17f07ff2 ]

Commit f52447261bc8c2 ("KVM: irq ack notification") introduced an
ack_notifier() callback in struct kvm_pic and in struct kvm_ioapic
without using them anywhere. Remove those callbacks again.

Signed-off-by: Juergen Gross <jgross@suse.com>
Message-Id: <20211117071617.19504-1-jgross@suse.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/ioapic.h | 1 -
 arch/x86/kvm/irq.h    | 1 -
 2 files changed, 2 deletions(-)

diff --git a/arch/x86/kvm/ioapic.h b/arch/x86/kvm/ioapic.h
index 27e61ff3ac3e8..f1b2b2a6ff4db 100644
--- a/arch/x86/kvm/ioapic.h
+++ b/arch/x86/kvm/ioapic.h
@@ -81,7 +81,6 @@ struct kvm_ioapic {
 	unsigned long irq_states[IOAPIC_NUM_PINS];
 	struct kvm_io_device dev;
 	struct kvm *kvm;
-	void (*ack_notifier)(void *opaque, int irq);
 	spinlock_t lock;
 	struct rtc_status rtc_status;
 	struct delayed_work eoi_inject;
diff --git a/arch/x86/kvm/irq.h b/arch/x86/kvm/irq.h
index 650642b18d151..c2d7cfe82d004 100644
--- a/arch/x86/kvm/irq.h
+++ b/arch/x86/kvm/irq.h
@@ -56,7 +56,6 @@ struct kvm_pic {
 	struct kvm_io_device dev_master;
 	struct kvm_io_device dev_slave;
 	struct kvm_io_device dev_elcr;
-	void (*ack_notifier)(void *opaque, int irq);
 	unsigned long irq_states[PIC_NUM_PINS];
 };
 
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.15 006/177] KVM: X86: Fix tlb flush for tdp in kvm_invalidate_pcid()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 005/177] x86/kvm: remove unused ack_notifier callbacks Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 007/177] mac80211: fix rate control for retransmitted frames Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Paolo Bonzini, Sasha Levin

From: Lai Jiangshan <laijs@linux.alibaba.com>

[ Upstream commit e45e9e3998f0001079b09555db5bb3b4257f6746 ]

KVM doesn't know whether any TLB for a specific pcid is cached in
the CPU when tdp is enabled.  So it is better to flush all the guest
TLB when invalidating any single PCID context.

The case is very rare or even impossible since KVM generally doesn't
intercept CR3 write or INVPCID instructions when tdp is enabled, so the
fix is mostly for the sake of overall robustness.

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Message-Id: <20211019110154.4091-2-jiangshanlai@gmail.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/x86.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index eff065ce6f8e8..3c9e2d236830c 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -1091,6 +1091,18 @@ static void kvm_invalidate_pcid(struct kvm_vcpu *vcpu, unsigned long pcid)
 	unsigned long roots_to_free = 0;
 	int i;
 
+	/*
+	 * MOV CR3 and INVPCID are usually not intercepted when using TDP, but
+	 * this is reachable when running EPT=1 and unrestricted_guest=0,  and
+	 * also via the emulator.  KVM's TDP page tables are not in the scope of
+	 * the invalidation, but the guest's TLB entries need to be flushed as
+	 * the CPU may have cached entries in its TLB for the target PCID.
+	 */
+	if (unlikely(tdp_enabled)) {
+		kvm_make_request(KVM_REQ_TLB_FLUSH_GUEST, vcpu);
+		return;
+	}
+
 	/*
 	 * If neither the current CR3 nor any of the prev_roots use the given
 	 * PCID, then nothing needs to be done here because a resync will
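
Review bot: the new comment in kvm_invalidate_pcid() says this path is reachable with EPT=1 and unrestricted_guest=0 and also via the emulator, while the commit message calls the case very rare or even impossible; the two should agree, and the reachable cases named in the comment are the ones a reader needs. There is also a stray double space after "unrestricted_guest=0," in that comment.
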
-- 
2.33.0




^ permalink raw reply related	[flat|nested] 183+ messages in thread

* [PATCH 5.15 007/177] mac80211: fix rate control for retransmitted frames
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 006/177] KVM: X86: Fix tlb flush for tdp in kvm_invalidate_pcid() Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 008/177] mac80211: fix regression in SSN handling of addba tx Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Aaro Koskinen, Robert W,
	Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 18688c80ad8a8dd50523dc9276e929932cac86d4 upstream.

Since retransmission clears info->control, rate control needs to be called
again, otherwise the driver might crash due to invalid rates.

Cc: stable@vger.kernel.org # 5.14+
Reported-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Reported-by: Robert W <rwbugreport@lost-in-the-void.net>
Fixes: 03c3911d2d67 ("mac80211: call ieee80211_tx_h_rate_ctrl() when dequeue")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Tested-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Link: https://lore.kernel.org/r/20211122204323.9787-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/tx.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -1821,15 +1821,15 @@ static int invoke_tx_handlers_late(struc
 	struct ieee80211_tx_info *info = IEEE80211_SKB_CB(tx->skb);
 	ieee80211_tx_result res = TX_CONTINUE;
 
+	if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
+		CALL_TXH(ieee80211_tx_h_rate_ctrl);
+
 	if (unlikely(info->flags & IEEE80211_TX_INTFL_RETRANSMISSION)) {
 		__skb_queue_tail(&tx->skbs, tx->skb);
 		tx->skb = NULL;
 		goto txh_done;
 	}
 
-	if (!ieee80211_hw_check(&tx->local->hw, HAS_RATE_CONTROL))
-		CALL_TXH(ieee80211_tx_h_rate_ctrl);
-
 	CALL_TXH(ieee80211_tx_h_michael_mic_add);
 	CALL_TXH(ieee80211_tx_h_sequence);
 	CALL_TXH(ieee80211_tx_h_fragment);
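
Review bot: in invoke_tx_handlers_late(), nothing at the moved CALL_TXH(ieee80211_tx_h_rate_ctrl) says why it has to sit above the IEEE80211_TX_INTFL_RETRANSMISSION early exit, so a later cleanup could move it back below. Please add a comment there carrying the reason from the commit message: retransmission clears info->control, so rate control must run again for those frames as well.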



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 008/177] mac80211: fix regression in SSN handling of addba tx
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 007/177] mac80211: fix rate control for retransmitted frames Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 009/177] mac80211: mark TX-during-stop for TX in in_reconfig Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eneas U de Queiroz, Felix Fietkau,
	Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 73111efacd3c6d9e644acca1d132566932be8af0 upstream.

Some drivers that do their own sequence number allocation (e.g. ath9k) rely
on being able to modify params->ssn on starting tx ampdu sessions.
This was broken by a change that modified it to use sta->tid_seq[tid] instead.

Cc: stable@vger.kernel.org
Fixes: 31d8bb4e07f8 ("mac80211: agg-tx: refactor sending addba")
Reported-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20211124094024.43222-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/agg-tx.c   |    4 ++--
 net/mac80211/sta_info.h |    1 +
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -480,8 +480,7 @@ static void ieee80211_send_addba_with_ti
 
 	/* send AddBA request */
 	ieee80211_send_addba_request(sdata, sta->sta.addr, tid,
-				     tid_tx->dialog_token,
-				     sta->tid_seq[tid] >> 4,
+				     tid_tx->dialog_token, tid_tx->ssn,
 				     buf_size, tid_tx->timeout);
 
 	WARN_ON(test_and_set_bit(HT_AGG_STATE_SENT_ADDBA, &tid_tx->state));
@@ -523,6 +522,7 @@ void ieee80211_tx_ba_session_handle_star
 
 	params.ssn = sta->tid_seq[tid] >> 4;
 	ret = drv_ampdu_action(local, sdata, &params);
+	tid_tx->ssn = params.ssn;
 	if (ret == IEEE80211_AMPDU_TX_START_DELAY_ADDBA) {
 		return;
 	} else if (ret == IEEE80211_AMPDU_TX_START_IMMEDIATE) {
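
Review bot: in ieee80211_tx_ba_session_handle_start(), tid_tx->ssn = params.ssn is stored before ret is examined, so the value is recorded even when drv_ampdu_action() returns an error. If that is intended, say so in a comment; otherwise guard the assignment on the return values that lead to an AddBA request being sent.
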
--- a/net/mac80211/sta_info.h
+++ b/net/mac80211/sta_info.h
@@ -199,6 +199,7 @@ struct tid_ampdu_tx {
 	u8 stop_initiator;
 	bool tx_stop;
 	u16 buf_size;
+	u16 ssn;
 
 	u16 failed_bar_ssn;
 	bool bar_pending;
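
Review bot: the new u16 ssn member of struct tid_ampdu_tx is added without any description. Please document it (in the struct's kernel-doc block if it has one) as the starting sequence number taken from params.ssn after drv_ampdu_action(), so that it is not confused with failed_bar_ssn just below it.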



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 009/177] mac80211: mark TX-during-stop for TX in in_reconfig
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 008/177] mac80211: fix regression in SSN handling of addba tx Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 010/177] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho

From: Johannes Berg <johannes.berg@intel.com>

commit db7205af049d230e7e0abf61c1e74c1aab40f390 upstream.

Mark TXQs as having seen transmit while they were stopped if
we bail out of drv_wake_tx_queue() due to reconfig, so that
the queue wake after this will make them catch up. This is
particularly necessary for when TXQs are used for management
packets since those TXQs won't see a lot of traffic that'd
make them catch up later.

Cc: stable@vger.kernel.org
Fixes: 4856bfd23098 ("mac80211: do not call driver wake_tx_queue op during reconfig")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211129152938.4573a221c0e1.I0d1d5daea3089be3fc0dccc92991b0f8c5677f0c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/driver-ops.h |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/net/mac80211/driver-ops.h
+++ b/net/mac80211/driver-ops.h
@@ -1219,8 +1219,11 @@ static inline void drv_wake_tx_queue(str
 {
 	struct ieee80211_sub_if_data *sdata = vif_to_sdata(txq->txq.vif);
 
-	if (local->in_reconfig)
+	/* In reconfig don't transmit now, but mark for waking later */
+	if (local->in_reconfig) {
+		set_bit(IEEE80211_TXQ_STOP_NETIF_TX, &txq->flags);
 		return;
+	}
 
 	if (!check_sdata_in_driver(sdata))
 		return;
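
Review bot: in drv_wake_tx_queue(), the new comment says the queue is marked for waking later, but nothing points to the code that acts on IEEE80211_TXQ_STOP_NETIF_TX once in_reconfig ends. Naming that wake path in the comment would make the set/clear pairing checkable from here.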



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 010/177] mac80211: send ADDBA requests using the tid/queue of the aggregation session
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 009/177] mac80211: mark TX-during-stop for TX in in_reconfig Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 011/177] mac80211: validate extended element ID is present Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Felix Fietkau, Johannes Berg

From: Felix Fietkau <nbd@nbd.name>

commit 1fe98f5690c4219d419ea9cc190f94b3401cf324 upstream.

Sending them out on a different queue can cause a race condition where a
number of packets in the queue may be discarded by the receiver, because
the ADDBA request is sent too early.
This affects any driver with software A-MPDU setup which does not allocate
packet seqno in hardware on tx, regardless of whether iTXQ is used or not.
The only driver I've seen that explicitly deals with this issue internally
is mwl8k.

Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20211202124533.80388-1-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/agg-tx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -106,7 +106,7 @@ static void ieee80211_send_addba_request
 	mgmt->u.action.u.addba_req.start_seq_num =
 					cpu_to_le16(start_seq_num << 4);
 
-	ieee80211_tx_skb(sdata, skb);
+	ieee80211_tx_skb_tid(sdata, skb, tid);
 }
 
 void ieee80211_send_bar(struct ieee80211_vif *vif, u8 *ra, u16 tid, u16 ssn)
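
Review bot: the switch to ieee80211_tx_skb_tid() in the ADDBA request sender carries no comment, so the ordering requirement it enforces is invisible in the code. Please note at the call that the request must go out on the same tid/queue as the session's data frames, as the commit message explains, so it is not changed back to ieee80211_tx_skb().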



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 011/177] mac80211: validate extended element ID is present
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 010/177] mac80211: send ADDBA requests using the tid/queue of the aggregation session Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 012/177] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+59bdff68edce82e393b6, Johannes Berg

From: Johannes Berg <johannes.berg@intel.com>

commit 768c0b19b50665e337c96858aa2b7928d6dcf756 upstream.

Before attempting to parse an extended element, verify that
the extended element ID is present.

Fixes: 41cbb0f5a295 ("mac80211: add support for HE")
Reported-by: syzbot+59bdff68edce82e393b6@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/20211211201023.f30a1b128c07.I5cacc176da94ba316877c6e10fe3ceec8b4dbd7d@changeid
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac80211/util.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -943,7 +943,12 @@ static void ieee80211_parse_extension_el
 					      struct ieee802_11_elems *elems)
 {
 	const void *data = elem->data + 1;
-	u8 len = elem->datalen - 1;
+	u8 len;
+
+	if (!elem->datalen)
+		return;
+
+	len = elem->datalen - 1;
 
 	switch (elem->data[0]) {
 	case WLAN_EID_EXT_HE_MU_EDCA:
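
Review bot: in this hunk, data is still initialised to elem->data + 1 in its declaration, ahead of the new !elem->datalen check. That is only pointer arithmetic and is not dereferenced on the early-return path, but assigning data next to len = elem->datalen - 1, after the check, would keep both derived values behind the same guard.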



^ permalink raw reply	[flat|nested] 183+ messages in thread
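
The length computation that patch 011 guards, as an added user-space example that is not part of the patch or of mac80211: it shows the u8 wrap for an extension element with datalen 0 and a walker that rejects such elements. struct elem_view, the function names and the sample frame are constructed for illustration; only element ID 255 (extension) is taken from 802.11.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 802.11 element ID meaning "data[0] is an extended element ID". */
#define EID_EXTENSION 255

/* Hypothetical user-space stand-in for the kernel's element view. */
struct elem_view {
	uint8_t id;
	uint8_t datalen;
	const uint8_t *data;
};

struct walk_result {
	int ext_parsed;     /* extension elements handed to the parser */
	int ext_rejected;   /* extension elements with no extended ID byte */
	int payload_bytes;  /* payload bytes seen after the extended ID */
	int truncated;      /* element header or body ran past the buffer */
};

/* Constructed sample: SSID "lab", one extension element with a 2-byte
 * payload, then an extension element whose length field is 0. */
static const uint8_t sample_frame[] = {
	0x00, 0x03, 'l', 'a', 'b',
	0xff, 0x03, 0x26, 0xaa, 0xbb,
	0xff, 0x00,
};

/* Length as computed before the fix: u8 arithmetic wraps for datalen 0. */
static uint8_t ext_len_unchecked(const struct elem_view *e)
{
	return (uint8_t)(e->datalen - 1);
}

/* Length as computed after the fix: refuse elements without an ID byte. */
static int ext_parse_checked(const struct elem_view *e, uint8_t *ext_id,
			     const uint8_t **payload, uint8_t *len)
{
	if (!e->datalen)
		return -1;
	*ext_id = e->data[0];
	*payload = e->data + 1;
	*len = (uint8_t)(e->datalen - 1);
	return 0;
}

/* Walk an id/len/data element buffer, bounds-checking every element
 * against the buffer before it is looked at. */
static struct walk_result walk_elements(const uint8_t *buf, size_t buflen)
{
	struct walk_result r = { 0, 0, 0, 0 };
	size_t pos = 0;

	while (pos < buflen) {
		struct elem_view e;
		uint8_t ext_id, len;
		const uint8_t *payload;

		if (buflen - pos < 2 || buf[pos + 1] > buflen - pos - 2) {
			r.truncated = 1;
			break;
		}
		e.id = buf[pos];
		e.datalen = buf[pos + 1];
		e.data = buf + pos + 2;

		if (e.id == EID_EXTENSION) {
			if (ext_parse_checked(&e, &ext_id, &payload, &len) == 0) {
				r.ext_parsed++;
				r.payload_bytes += len;
			} else {
				r.ext_rejected++;
			}
		}
		pos += 2 + (size_t)e.datalen;
	}
	return r;
}

int main(void)
{
	struct elem_view empty = { EID_EXTENSION, 0, NULL };
	struct walk_result r = walk_elements(sample_frame, sizeof(sample_frame));

	printf("unchecked len for datalen 0: %u\n",
	       (unsigned int)ext_len_unchecked(&empty));
	printf("parsed=%d rejected=%d payload=%d truncated=%d\n",
	       r.ext_parsed, r.ext_rejected, r.payload_bytes, r.truncated);
	return 0;
}
```
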

* [PATCH 5.15 012/177] firmware: arm_scpi: Fix string overflow in SCPI genpd driver
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 011/177] mac80211: validate extended element ID is present Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 013/177] bpf: Fix kernel address leakage in atomic fetch Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pedro Batista, Sudeep Holla,
	Cristian Marussi, Arnd Bergmann

From: Sudeep Holla <sudeep.holla@arm.com>

commit 865ed67ab955428b9aa771d8b4f1e4fb7fd08945 upstream.

Without bounds checks for scpi_pd->name, copying the SCPI device name from
the corresponding device tree node could result in a buffer overflow, as
the name string is set at a maximum size of 30.

Let us fix it by using devm_kasprintf so that the string buffer is
allocated dynamically.

Fixes: 8bec4337ad40 ("firmware: scpi: add device power domain support using genpd")
Reported-by: Pedro Batista <pedbap.g@gmail.com>
Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
Cc: stable@vger.kernel.org
Cc: Cristian Marussi <cristian.marussi@arm.com>
Link: https://lore.kernel.org/r/20211209120456.696879-1-sudeep.holla@arm.com'
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/firmware/scpi_pm_domain.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/drivers/firmware/scpi_pm_domain.c
+++ b/drivers/firmware/scpi_pm_domain.c
@@ -16,7 +16,6 @@ struct scpi_pm_domain {
 	struct generic_pm_domain genpd;
 	struct scpi_ops *ops;
 	u32 domain;
-	char name[30];
 };
 
 /*
@@ -110,8 +109,13 @@ static int scpi_pm_domain_probe(struct p
 
 		scpi_pd->domain = i;
 		scpi_pd->ops = scpi_ops;
-		sprintf(scpi_pd->name, "%pOFn.%d", np, i);
-		scpi_pd->genpd.name = scpi_pd->name;
+		scpi_pd->genpd.name = devm_kasprintf(dev, GFP_KERNEL,
+						     "%pOFn.%d", np, i);
+		if (!scpi_pd->genpd.name) {
+			dev_err(dev, "Failed to allocate genpd name:%pOFn.%d\n",
+				np, i);
+			continue;
+		}
 		scpi_pd->genpd.power_off = scpi_pd_power_off;
 		scpi_pd->genpd.power_on = scpi_pd_power_on;
 
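
Review bot: in scpi_pm_domain_probe(), a failed devm_kasprintf() is handled with dev_err() and continue, after scpi_pd->domain and scpi_pd->ops have already been set, so probe carries on with one domain silently missing. An allocation failure during probe is normally treated as fatal; returning -ENOMEM would be simpler, and the dev_err() can be dropped since the allocator already reports out-of-memory conditions.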



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 013/177] bpf: Fix kernel address leakage in atomic fetch
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 012/177] firmware: arm_scpi: Fix string overflow in SCPI genpd driver Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 014/177] bpf, selftests: Add test case for atomic fetch on spilled pointer Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, n4ke4mry, Brendan Jackman,
	Daniel Borkmann, Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit 7d3baf0afa3aa9102d6a521a8e4c41888bb79882 upstream.

The change in commit 37086bfdc737 ("bpf: Propagate stack bounds to registers
in atomics w/ BPF_FETCH") around check_mem_access() handling is buggy since
this would allow for unprivileged users to leak kernel pointers. For example,
an atomic fetch/and with -1 on a stack destination which holds a spilled
pointer will migrate the spilled register type into a scalar, which can then
be exported out of the program (since scalar != pointer) by dumping it into
a map value.

The original implementation of XADD was preventing this situation by using
a double call to check_mem_access() one with BPF_READ and a subsequent one
with BPF_WRITE, in both cases passing -1 as a placeholder value instead of
register as per XADD semantics since it didn't contain a value fetch. The
BPF_READ also included a check in check_stack_read_fixed_off() which rejects
the program if the stack slot is of __is_pointer_value() if dst_regno < 0.
The latter is to distinguish whether we're dealing with a regular stack spill/
fill or some arithmetical operation which is disallowed on non-scalars, see
also 6e7e63cbb023 ("bpf: Forbid XADD on spilled pointers for unprivileged
users") for more context on check_mem_access() and its handling of placeholder
value -1.

One minimally intrusive option to fix the leak is for the BPF_FETCH case to
initially check the BPF_READ case via check_mem_access() with -1 as register,
followed by the actual load case with non-negative load_reg to propagate
stack bounds to registers.

Fixes: 37086bfdc737 ("bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH")
Reported-by: <n4ke4mry@gmail.com>
Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4417,13 +4417,19 @@ static int check_atomic(struct bpf_verif
 		load_reg = -1;
 	}
 
-	/* check whether we can read the memory */
+	/* Check whether we can read the memory, with second call for fetch
+	 * case to simulate the register fill.
+	 */
 	err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
-			       BPF_SIZE(insn->code), BPF_READ, load_reg, true);
+			       BPF_SIZE(insn->code), BPF_READ, -1, true);
+	if (!err && load_reg >= 0)
+		err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
+				       BPF_SIZE(insn->code), BPF_READ, load_reg,
+				       true);
 	if (err)
 		return err;
 
-	/* check whether we can write into the same memory */
+	/* Check whether we can write into the same memory. */
 	err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
 			       BPF_SIZE(insn->code), BPF_WRITE, -1, true);
 	if (err)
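
Review bot: the rewritten comment in check_atomic() explains the second check_mem_access() call but not why the first one now passes -1 instead of load_reg, which is the actual fix. Please state there that the -1 placeholder makes the read check reject a stack slot holding a spilled pointer, so that a later cleanup does not fold the two BPF_READ calls back into one.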



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 014/177] bpf, selftests: Add test case for atomic fetch on spilled pointer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 013/177] bpf: Fix kernel address leakage in atomic fetch Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 015/177] bpf: Fix signed bounds propagation after mov32 Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brendan Jackman, Daniel Borkmann,
	Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit 180486b430f4e22cc00a478163d942804baae4b5 upstream.

Test whether unprivileged would be able to leak the spilled pointer either
by exporting the returned value from the atomic{32,64} operation or by reading
and exporting the value from the stack after the atomic operation took place.

Note that for unprivileged, the below atomic cmpxchg test case named "Dest
pointer in r0 - succeed" is failing. The reason is that in the dst memory
location (r10 -8) there is the spilled register r10:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (bf) r0 = r10
  1: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  1: (7b) *(u64 *)(r10 -8) = r0
  2: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=fp
  2: (b7) r1 = 0
  3: R0_w=fp0 R1_w=invP0 R10=fp0 fp-8_w=fp
  3: (db) r0 = atomic64_cmpxchg((u64 *)(r10 -8), r0, r1)
  4: R0_w=fp0 R1_w=invP0 R10=fp0 fp-8_w=mmmmmmmm
  4: (79) r1 = *(u64 *)(r0 -8)
  5: R0_w=fp0 R1_w=invP(id=0) R10=fp0 fp-8_w=mmmmmmmm
  5: (b7) r0 = 0
  6: R0_w=invP0 R1_w=invP(id=0) R10=fp0 fp-8_w=mmmmmmmm
  6: (95) exit

However, allowing this case for unprivileged is a bit useless given an
update with a new pointer will fail anyway:

  0: R1=ctx(id=0,off=0,imm=0) R10=fp0
  0: (bf) r0 = r10
  1: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  1: (7b) *(u64 *)(r10 -8) = r0
  2: R0_w=fp0 R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=fp
  2: (db) r0 = atomic64_cmpxchg((u64 *)(r10 -8), r0, r10)
  R10 leaks addr into mem

Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[only backport one test for 5.15.y - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c |   23 ++++++++++++++++++
 1 file changed, 23 insertions(+)

--- a/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
+++ b/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
@@ -118,4 +118,27 @@
 		BPF_EXIT_INSN(),
 	},
 	.result = ACCEPT,
+	.result_unpriv = REJECT,
+	.errstr_unpriv = "leaking pointer from stack off -8",
+},
+{
+	"Dest pointer in r0 - succeed, check 2",
+	.insns = {
+		/* r0 = &val */
+		BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
+		/* val = r0; */
+		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
+		/* r5 = &val */
+		BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
+		/* r0 = atomic_cmpxchg(&val, r0, r5); */
+		BPF_ATOMIC_OP(BPF_DW, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+		/* r1 = *r0 */
+		BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
+		/* exit(0); */
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	},
+	.result = ACCEPT,
+	.result_unpriv = REJECT,
+	.errstr_unpriv = "R5 leaks addr into mem",
 },
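Review bot: in the new "check 2" case the comment `/* r1 = *r0 */` sits above `BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8)`, which loads from r0 - 8, not from r0; `/* r1 = *(u64 *)(r0 - 8) */` would match the instruction. The test name also still ends in "succeed" although the unprivileged run is expected to REJECT with "R5 leaks addr into mem", so a one-line comment saying that this case covers the leak through the source register (the preceding case covers the stack slot) would make a later failure easier to read.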



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 015/177] bpf: Fix signed bounds propagation after mov32
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 014/177] bpf, selftests: Add test case for atomic fetch on spilled pointer Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 016/177] bpf: Make 32->64 bounds propagation slightly more robust Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kuee K1r0a, Daniel Borkmann,
	John Fastabend, Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit 3cf2b61eb06765e27fec6799292d9fb46d0b7e60 upstream.

For the case where both s32_{min,max}_value bounds are positive, the
__reg_assign_32_into_64() directly propagates them to their 64 bit
counterparts, otherwise it pessimises them into [0,u32_max] universe and
tries to refine them later on by learning through the tnum as per comment
in mentioned function. However, that does not always happen, for example,
in mov32 operation we call zext_32_to_64(dst_reg) which invokes the
__reg_assign_32_into_64() as is without subsequent bounds update as
elsewhere thus no refinement based on tnum takes place.

Thus, not calling into the __update_reg_bounds() / __reg_deduce_bounds() /
__reg_bound_offset() triplet as we do, for example, in case of ALU ops via
adjust_scalar_min_max_vals(), will lead to more pessimistic bounds when
dumping the full register state:

Before fix:

  0: (b4) w0 = -1
  1: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

  1: (bc) w0 = w0
  2: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=0,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

Technically, the smin_value=0 and smax_value=4294967295 bounds are not
incorrect, but given the register is still a constant, they break assumptions
about const scalars that smin_value == smax_value and umin_value == umax_value.

After fix:

  0: (b4) w0 = -1
  1: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

  1: (bc) w0 = w0
  2: R0_w=invP4294967295
     (id=0,imm=ffffffff,
      smin_value=4294967295,smax_value=4294967295,
      umin_value=4294967295,umax_value=4294967295,
      var_off=(0xffffffff; 0x0),
      s32_min_value=-1,s32_max_value=-1,
      u32_min_value=-1,u32_max_value=-1)

Without the smin_value == smax_value and umin_value == umax_value invariant
being intact for const scalars, it is possible to leak out kernel pointers
from unprivileged user space if the latter is enabled. For example, when such
registers are involved in pointer arithmetics, then adjust_ptr_min_max_vals()
will taint the destination register into an unknown scalar, and the latter
can be exported and stored e.g. into a BPF map value.

Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
Reported-by: Kuee K1r0a <liulin063@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8120,6 +8120,10 @@ static int check_alu_op(struct bpf_verif
 							 insn->dst_reg);
 				}
 				zext_32_to_64(dst_reg);
+
+				__update_reg_bounds(dst_reg);
+				__reg_deduce_bounds(dst_reg);
+				__reg_bound_offset(dst_reg);
 			}
 		} else {
 			/* case: R = imm
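Review bot: the three calls added after `zext_32_to_64(dst_reg)` carry no comment, so nothing at this call site says why a plain 32-bit move needs its bounds resynchronised. A short comment noting that zext_32_to_64() can leave the signed 64-bit bounds pessimised until they are refined from the tnum would help. Since `__update_reg_bounds()`, `__reg_deduce_bounds()` and `__reg_bound_offset()` are meant to be called together, a small wrapper would also make the sequence harder to omit at the next call site.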



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 016/177] bpf: Make 32->64 bounds propagation slightly more robust
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 015/177] bpf: Fix signed bounds propagation after mov32 Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 017/177] bpf, selftests: Add test case trying to taint map value pointer Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, John Fastabend,
	Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit e572ff80f05c33cd0cb4860f864f5c9c044280b6 upstream.

Make the bounds propagation in __reg_assign_32_into_64() slightly more
robust and readable by aligning it similarly as we did back in the
__reg_combine_64_into_32() counterpart. Meaning, only propagate or
pessimize them as a smin/smax pair.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1358,22 +1358,28 @@ static void __reg_bound_offset(struct bp
 	reg->var_off = tnum_or(tnum_clear_subreg(var64_off), var32_off);
 }
 
+static bool __reg32_bound_s64(s32 a)
+{
+	return a >= 0 && a <= S32_MAX;
+}
+
 static void __reg_assign_32_into_64(struct bpf_reg_state *reg)
 {
 	reg->umin_value = reg->u32_min_value;
 	reg->umax_value = reg->u32_max_value;
-	/* Attempt to pull 32-bit signed bounds into 64-bit bounds
-	 * but must be positive otherwise set to worse case bounds
-	 * and refine later from tnum.
+
+	/* Attempt to pull 32-bit signed bounds into 64-bit bounds but must
+	 * be positive otherwise set to worse case bounds and refine later
+	 * from tnum.
 	 */
-	if (reg->s32_min_value >= 0 && reg->s32_max_value >= 0)
-		reg->smax_value = reg->s32_max_value;
-	else
-		reg->smax_value = U32_MAX;
-	if (reg->s32_min_value >= 0)
+	if (__reg32_bound_s64(reg->s32_min_value) &&
+	    __reg32_bound_s64(reg->s32_max_value)) {
 		reg->smin_value = reg->s32_min_value;
-	else
+		reg->smax_value = reg->s32_max_value;
+	} else {
 		reg->smin_value = 0;
+		reg->smax_value = U32_MAX;
+	}
 }
 
 static void __reg_combine_32_into_64(struct bpf_reg_state *reg)
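Review bot: in `__reg32_bound_s64()` the second comparison, `a <= S32_MAX`, is always true for an `s32` argument, so the helper reduces to `a >= 0`. Either drop the upper-bound test or add a comment saying it is kept only to mirror the __reg_combine_64_into_32() side named in the changelog. A one-line description of what the helper decides (the 32-bit signed bound can be copied unchanged into the 64-bit signed bound) would also help, because the name alone does not say it.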



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 017/177] bpf, selftests: Add test case trying to taint map value pointer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 016/177] bpf: Make 32->64 bounds propagation slightly more robust Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 018/177] bpf: Fix kernel address leakage in atomic cmpxchgs r0 aux reg Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Borkmann, John Fastabend,
	Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit b1a7288dedc6caf9023f2676b4f5ed34cf0d4029 upstream.

Add a test case which tries to taint map value pointer arithmetic into an
unknown scalar with subsequent export through the map.

Before fix:

  # ./test_verifier 1186
  #1186/u map access: trying to leak tained dst reg FAIL
  Unexpected success to load!
  verification time 24 usec
  stack depth 8
  processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
  #1186/p map access: trying to leak tained dst reg FAIL
  Unexpected success to load!
  verification time 8 usec
  stack depth 8
  processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
  Summary: 0 PASSED, 0 SKIPPED, 2 FAILED

After fix:

  # ./test_verifier 1186
  #1186/u map access: trying to leak tained dst reg OK
  #1186/p map access: trying to leak tained dst reg OK
  Summary: 2 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/bpf/verifier/value_ptr_arith.c |   23 +++++++++++++++++
 1 file changed, 23 insertions(+)

--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
@@ -1078,6 +1078,29 @@
 	.errstr_unpriv = "R0 pointer -= pointer prohibited",
 },
 {
+	"map access: trying to leak tained dst reg",
+	.insns = {
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+	BPF_LD_MAP_FD(BPF_REG_1, 0),
+	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+	BPF_EXIT_INSN(),
+	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
+	BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF),
+	BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
+	BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
+	BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
+	BPF_MOV64_IMM(BPF_REG_0, 0),
+	BPF_EXIT_INSN(),
+	},
+	.fixup_map_array_48b = { 4 },
+	.result = REJECT,
+	.errstr = "math between map_value pointer and 4294967295 is not allowed",
+},
+{
 	"32bit pkt_ptr -= scalar",
 	.insns = {
 	BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
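Review bot: the new test name reads "map access: trying to leak tained dst reg"; "tained" should be "tainted", and since the name is what test_verifier prints it is cheaper to fix now than to rename later. The instruction list also has no comments: a note on the `BPF_MOV32_IMM(BPF_REG_1, 0xFFFFFFFF)` / `BPF_MOV32_REG(BPF_REG_1, BPF_REG_1)` pair, saying that R1 must still be tracked as the constant 4294967295 after the mov32, would document what the expected "math between map_value pointer and 4294967295 is not allowed" message is checking.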



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 018/177] bpf: Fix kernel address leakage in atomic cmpxchgs r0 aux reg
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 017/177] bpf, selftests: Add test case trying to taint map value pointer Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 019/177] bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brendan Jackman, Daniel Borkmann,
	Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit a82fe085f344ef20b452cd5f481010ff96b5c4cd upstream.

The implementation of BPF_CMPXCHG on a high level has the following parameters:

  .-[old-val]                                          .-[new-val]
  BPF_R0 = cmpxchg{32,64}(DST_REG + insn->off, BPF_R0, SRC_REG)
                          `-[mem-loc]          `-[old-val]

Given a BPF insn can only have two registers (dst, src), the R0 is fixed and
used as an auxiliary register for input (old value) as well as output (returning
old value from memory location). While the verifier performs a number of safety
checks, it misses to reject unprivileged programs where R0 contains a pointer as
old value.

Through brute-forcing it takes about ~16sec on my machine to leak a kernel pointer
with BPF_CMPXCHG. The PoC is basically probing for kernel addresses by storing the
guessed address into the map slot as a scalar, and using the map value pointer as
R0 while SRC_REG has a canary value to detect a matching address.

Fix it by checking R0 for pointers, and reject if that's the case for unprivileged
programs.

Fixes: 5ffa25502b5a ("bpf: Add instructions for atomic_[cmp]xchg")
Reported-by: Ryota Shiga (Flatt Security)
Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4386,9 +4386,16 @@ static int check_atomic(struct bpf_verif
 
 	if (insn->imm == BPF_CMPXCHG) {
 		/* Check comparison of R0 with memory location */
-		err = check_reg_arg(env, BPF_REG_0, SRC_OP);
+		const u32 aux_reg = BPF_REG_0;
+
+		err = check_reg_arg(env, aux_reg, SRC_OP);
 		if (err)
 			return err;
+
+		if (is_pointer_value(env, aux_reg)) {
+			verbose(env, "R%d leaks addr into mem\n", aux_reg);
+			return -EACCES;
+		}
 	}
 
 	if (is_pointer_value(env, insn->src_reg)) {
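Review bot: the comment `/* Check comparison of R0 with memory location */` now sits above two different checks, and the new `is_pointer_value(env, aux_reg)` rejection is not described by it. Suggest extending the comment to say that R0 is both the compare input and the register that receives the old value, so a pointer in R0 has to be refused in the same way as one in the source register.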



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 019/177] bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 018/177] bpf: Fix kernel address leakage in atomic cmpxchgs r0 aux reg Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 020/177] vduse: fix memory corruption in vduse_dev_ioctl() Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Brendan Jackman, Daniel Borkmann,
	Alexei Starovoitov

From: Daniel Borkmann <daniel@iogearbox.net>

commit e523102cb719cbad1673b6aa2a4d5c1fa6f13799 upstream.

Fix up unprivileged test case results for 'Dest pointer in r0' verifier tests
given they now need to reject R0 containing a pointer value, and add a couple
of new related ones with 32bit cmpxchg as well.

  root@foo:~/bpf/tools/testing/selftests/bpf# ./test_verifier
  #0/u invalid and of negative number OK
  #0/p invalid and of negative number OK
  [...]
  #1268/p XDP pkt read, pkt_meta' <= pkt_data, bad access 1 OK
  #1269/p XDP pkt read, pkt_meta' <= pkt_data, bad access 2 OK
  #1270/p XDP pkt read, pkt_data <= pkt_meta', good access OK
  #1271/p XDP pkt read, pkt_data <= pkt_meta', bad access 1 OK
  #1272/p XDP pkt read, pkt_data <= pkt_meta', bad access 2 OK
  Summary: 1900 PASSED, 0 SKIPPED, 0 FAILED

Acked-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c |   67 +++++++++++++++++-
 1 file changed, 65 insertions(+), 2 deletions(-)

--- a/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
+++ b/tools/testing/selftests/bpf/verifier/atomic_cmpxchg.c
@@ -71,6 +71,8 @@
 		BPF_EXIT_INSN(),
 	},
 	.result = ACCEPT,
+	.result_unpriv = REJECT,
+	.errstr_unpriv = "R0 leaks addr into mem",
 },
 {
 	"Can't use cmpxchg on uninit src reg",
@@ -119,7 +121,7 @@
 	},
 	.result = ACCEPT,
 	.result_unpriv = REJECT,
-	.errstr_unpriv = "leaking pointer from stack off -8",
+	.errstr_unpriv = "R0 leaks addr into mem",
 },
 {
 	"Dest pointer in r0 - succeed, check 2",
@@ -140,5 +142,66 @@
 	},
 	.result = ACCEPT,
 	.result_unpriv = REJECT,
-	.errstr_unpriv = "R5 leaks addr into mem",
+	.errstr_unpriv = "R0 leaks addr into mem",
+},
+{
+	"Dest pointer in r0 - succeed, check 3",
+	.insns = {
+		/* r0 = &val */
+		BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
+		/* val = r0; */
+		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
+		/* r5 = &val */
+		BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
+		/* r0 = atomic_cmpxchg(&val, r0, r5); */
+		BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+		/* exit(0); */
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	},
+	.result = REJECT,
+	.errstr = "invalid size of register fill",
+	.errstr_unpriv = "R0 leaks addr into mem",
+},
+{
+	"Dest pointer in r0 - succeed, check 4",
+	.insns = {
+		/* r0 = &val */
+		BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
+		/* val = r0; */
+		BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
+		/* r5 = &val */
+		BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
+		/* r0 = atomic_cmpxchg(&val, r0, r5); */
+		BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+		/* r1 = *r10 */
+		BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_10, -8),
+		/* exit(0); */
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	},
+	.result = ACCEPT,
+	.result_unpriv = REJECT,
+	.errstr_unpriv = "R10 partial copy of pointer",
+},
+{
+	"Dest pointer in r0 - succeed, check 5",
+	.insns = {
+		/* r0 = &val */
+		BPF_MOV32_REG(BPF_REG_0, BPF_REG_10),
+		/* val = r0; */
+		BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
+		/* r5 = &val */
+		BPF_MOV32_REG(BPF_REG_5, BPF_REG_10),
+		/* r0 = atomic_cmpxchg(&val, r0, r5); */
+		BPF_ATOMIC_OP(BPF_W, BPF_CMPXCHG, BPF_REG_10, BPF_REG_5, -8),
+		/* r1 = *r0 */
+		BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -8),
+		/* exit(0); */
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	},
+	.result = REJECT,
+	.errstr = "R0 invalid mem access",
+	.errstr_unpriv = "R10 partial copy of pointer",
 },
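Review bot: in checks 4 and 5 the comments `/* r0 = &val */` and `/* r5 = &val */` sit above `BPF_MOV32_REG(...)`, which copies only the low 32 bits of r10, and `/* r1 = *r10 */` / `/* r1 = *r0 */` sit above loads at offset -8. Comments that say so (for example `/* r0 = (u32)&val */` and `/* r1 = *(u32 *)(r10 - 8) */`) would explain why the expected unprivileged error in these two cases is "R10 partial copy of pointer" and not "R0 leaks addr into mem". Checks 3 and 5 are also named "succeed" while `.result = REJECT`, so the names no longer describe the outcome.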



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 020/177] vduse: fix memory corruption in vduse_dev_ioctl()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 019/177] bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 021/177] vduse: check that offset is within bounds in get_config() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Michael S. Tsirkin

From: Dan Carpenter <dan.carpenter@oracle.com>

commit ff9f9c6e74848170fcb45c8403c80d661484c8c9 upstream.

The "config.offset" comes from the user.  There needs to be a check to
prevent it being out of bounds.  The "config.offset" and
"dev->config_size" variables are both type u32.  So if the offset is
out of bounds then the "dev->config_size - config.offset" subtraction
results in a very high u32 value.  The out of bounds offset can result
in memory corruption.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211208103307.GA3778@kili
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/vdpa/vdpa_user/vduse_dev.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -975,7 +975,8 @@ static long vduse_dev_ioctl(struct file
 			break;
 
 		ret = -EINVAL;
-		if (config.length == 0 ||
+		if (config.offset > dev->config_size ||
+		    config.length == 0 ||
 		    config.length > dev->config_size - config.offset)
 			break;
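Review bot: the added clause is `config.offset > dev->config_size`, so an offset equal to the size gets past it and is rejected only because a zero length is refused and any non-zero length exceeds `dev->config_size - config.offset`, which is 0 in that case. The result is correct, but `>=` would state the intent directly. The same offset-plus-length test is open-coded in vduse_vdpa_get_config(), so a small shared helper taking the size, offset and length would keep the two checks identical.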
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 021/177] vduse: check that offset is within bounds in get_config()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 020/177] vduse: fix memory corruption in vduse_dev_ioctl() Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 022/177] virtio_ring: Fix querying of maximum DMA mapping size for virtio device Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Michael S. Tsirkin

From: Dan Carpenter <dan.carpenter@oracle.com>

commit dc1db0060c02d119fd4196924eff2d1129e9a442 upstream.

This condition checks "len" but it does not check "offset" and that
could result in an out of bounds read if "offset > dev->config_size".
The problem is that since both variables are unsigned the
"dev->config_size - offset" subtraction would result in a very high
unsigned value.

I think these checks might not be necessary because "len" and "offset"
are supposed to already have been validated using the
vhost_vdpa_config_validate() function.  But I do not know the code
perfectly, and I like to be safe.

Fixes: c8a6153b6c59 ("vduse: Introduce VDUSE - vDPA Device in Userspace")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211208150956.GA29160@kili
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/vdpa/vdpa_user/vduse_dev.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/vdpa/vdpa_user/vduse_dev.c
+++ b/drivers/vdpa/vdpa_user/vduse_dev.c
@@ -655,7 +655,8 @@ static void vduse_vdpa_get_config(struct
 {
 	struct vduse_dev *dev = vdpa_to_vduse(vdpa);
 
-	if (len > dev->config_size - offset)
+	if (offset > dev->config_size ||
+	    len > dev->config_size - offset)
 		return;
 
 	memcpy(buf, dev->config + offset, len);
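Review bot: when the new `offset > dev->config_size` test (or the existing length test) fails, the function just does `return;`, so the caller's `buf` is left untouched and the caller cannot tell a rejected request from a completed copy. If the void signature has to stay, consider zero-filling `buf` for `len` bytes or logging a warning on the rejected path, so stale buffer contents are never consumed as device config.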



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 022/177] virtio_ring: Fix querying of maximum DMA mapping size for virtio device
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 021/177] vduse: check that offset is within bounds in get_config() Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 023/177] vdpa: check that offsets are within bounds Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marc Zyngier, Quentin Perret,
	Michael S. Tsirkin, Jason Wang, Will Deacon, Suzuki K Poulose,
	Joerg Roedel, Konrad Rzeszutek Wilk, Christoph Hellwig,
	Robin Murphy, Steven Price

From: Will Deacon <will@kernel.org>

commit 817fc978b5a29b039db0418a91072b31c9aab152 upstream.

virtio_max_dma_size() returns the maximum DMA mapping size of the virtio
device by querying dma_max_mapping_size() for the device when the DMA
API is in use for the vring. Unfortunately, the device passed is
initialised by register_virtio_device() and does not inherit the DMA
configuration from its parent, resulting in SWIOTLB errors when bouncing
is enabled and the default 256K mapping limit (IO_TLB_SEGSIZE) is not
respected:

  | virtio-pci 0000:00:01.0: swiotlb buffer is full (sz: 294912 bytes), total 1024 (slots), used 725 (slots)

Follow the pattern used elsewhere in the virtio_ring code when calling
into the DMA layer and pass the parent device to dma_max_mapping_size()
instead.

Cc: Marc Zyngier <maz@kernel.org>
Cc: Quentin Perret <qperret@google.com>
Cc: "Michael S. Tsirkin" <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20211201112018.25276-1-will@kernel.org
Acked-by: Jason Wang <jasowang@redhat.com>
Tested-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Fixes: e6d6dd6c875e ("virtio: Introduce virtio_max_dma_size()")
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Robin Murphy <robin.murphy@arm.com>
Signed-off-by: Steven Price <steven.price@arm.com>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable@vger.kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/virtio/virtio_ring.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/virtio/virtio_ring.c
+++ b/drivers/virtio/virtio_ring.c
@@ -268,7 +268,7 @@ size_t virtio_max_dma_size(struct virtio
 	size_t max_segment_size = SIZE_MAX;
 
 	if (vring_use_dma_api(vdev))
-		max_segment_size = dma_max_mapping_size(&vdev->dev);
+		max_segment_size = dma_max_mapping_size(vdev->dev.parent);
 
 	return max_segment_size;
 }
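Review bot: `dma_max_mapping_size(vdev->dev.parent)` is right only because the DMA configuration lives on the parent device, and that reason is recorded in the commit message alone. A one-line comment above the call would stop a later cleanup from switching it back to `&vdev->dev`.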



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 023/177] vdpa: check that offsets are within bounds
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 022/177] virtio_ring: Fix querying of maximum DMA mapping size for virtio device Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 024/177] s390/entry: fix duplicate tracking of irq nesting level Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xie Yongji, Dan Carpenter,
	Michael S. Tsirkin

From: Dan Carpenter <dan.carpenter@oracle.com>

commit 3ed21c1451a14d139e1ceb18f2fa70865ce3195a upstream.

In this function "c->off" is a u32 and "size" is a long.  On 64bit systems
if "c->off" is greater than "size" then "size - c->off" is a negative and
we always return -E2BIG.  But on 32bit systems the subtraction is type
promoted to a high positive u32 value and basically any "c->len" is
accepted.

Fixes: 4c8cf31885f6 ("vhost: introduce vDPA-based backend")
Reported-by: Xie Yongji <xieyongji@bytedance.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/20211208103337.GA4047@kili
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/vhost/vdpa.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/vhost/vdpa.c
+++ b/drivers/vhost/vdpa.c
@@ -197,7 +197,7 @@ static int vhost_vdpa_config_validate(st
 	struct vdpa_device *vdpa = v->vdpa;
 	long size = vdpa->config->get_config_size(vdpa);
 
-	if (c->len == 0)
+	if (c->len == 0 || c->off > size)
 		return -EINVAL;
 
 	if (c->len > size - c->off)
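Review bot: folding `c->off > size` into the `c->len == 0` test makes an out-of-range offset return -EINVAL, whereas the changelog says 64-bit builds answered -E2BIG for the same input, so the errno seen by user space changes there. If that is intended it deserves a sentence in the changelog; otherwise the offset test belongs with `c->len > size - c->off`. The comparison also mixes a u32 with `long size`, so an explicit cast or an unsigned `size` would make both tests read the same on 32-bit and 64-bit.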



^ permalink raw reply	[flat|nested] 183+ messages in thread
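The unsigned-subtraction problem described in the three bounds-check changelogs above (vduse_dev_ioctl(), vduse_vdpa_get_config() and vhost_vdpa_config_validate()), as a stand-alone C model. This is an added example, not kernel code: the function names and the sample size are made up, and the width of `long` is modelled with int64_t/int32_t so both cases from the vhost-vdpa changelog run on one machine.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative names only; none of these functions exist in the kernel. */

/* Pre-patch VDUSE shape: the length is checked, the offset is not. */
static bool vduse_check_old(uint32_t config_size, uint32_t offset, uint32_t len)
{
	/* With offset > config_size the u32 subtraction wraps to a huge
	 * value, so almost any len passes. */
	if (len == 0 || len > config_size - offset)
		return false;
	return true;
}

/* Patched VDUSE shape: the offset is bounded in the same condition. */
static bool vduse_check_new(uint32_t config_size, uint32_t offset, uint32_t len)
{
	if (offset > config_size || len == 0 || len > config_size - offset)
		return false;
	return true;
}

/* vhost-vdpa shape with a 64-bit "long size": off and len are converted
 * to the signed 64-bit type, size - off goes negative, and the length
 * test rejects the request. */
static bool vdpa_check_long64(int64_t size, uint32_t off, uint32_t len)
{
	if (len == 0)
		return false;
	return !((int64_t)len > size - (int64_t)off);
}

/* Same source line with a 32-bit long: the usual arithmetic conversions
 * make both operands unsigned 32-bit, so the subtraction wraps. */
static bool vdpa_check_long32(int32_t size, uint32_t off, uint32_t len)
{
	if (len == 0)
		return false;
	return !(len > (uint32_t)size - off);
}

/* 32-bit long with the added "off > size" test. */
static bool vdpa_check_long32_patched(int32_t size, uint32_t off, uint32_t len)
{
	if (len == 0 || off > (uint32_t)size)
		return false;
	return !(len > (uint32_t)size - off);
}

int main(void)
{
	const uint32_t size = 64;	/* constructed sample config size */
	const uint32_t off = 65;	/* one byte past the end */
	const uint32_t len = 16;

	printf("vduse old accepts:         %d\n", vduse_check_old(size, off, len));
	printf("vduse new accepts:         %d\n", vduse_check_new(size, off, len));
	printf("vdpa long64 accepts:       %d\n", vdpa_check_long64(size, off, len));
	printf("vdpa long32 accepts:       %d\n", vdpa_check_long32((int32_t)size, off, len));
	printf("vdpa long32 fixed accepts: %d\n",
	       vdpa_check_long32_patched((int32_t)size, off, len));
	return 0;
}
```
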

* [PATCH 5.15 024/177] s390/entry: fix duplicate tracking of irq nesting level
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 023/177] vdpa: check that offsets are within bounds Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 025/177] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mark Rutland, Sven Schnelle, Heiko Carstens

From: Sven Schnelle <svens@linux.ibm.com>

commit c9b12b59e2ea4c3c7cedec7efb071b649652f3a9 upstream.

In the current code, when exiting from idle, rcu_irq_enter() is
called twice during irq entry:

irq_entry_enter()-> rcu_irq_enter()
irq_enter() -> rcu_irq_enter()

This may lead to wrong results from rcu_is_cpu_rrupt_from_idle()
because of a wrong dynticks nmi nesting count. Fix this by only
calling irq_enter_rcu().

Cc: <stable@vger.kernel.org> # 5.12+
Reported-by: Mark Rutland <mark.rutland@arm.com>
Fixes: 56e62a737028 ("s390: convert to generic entry")
Signed-off-by: Sven Schnelle <svens@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/s390/kernel/irq.c |    9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--- a/arch/s390/kernel/irq.c
+++ b/arch/s390/kernel/irq.c
@@ -138,7 +138,7 @@ void noinstr do_io_irq(struct pt_regs *r
 	struct pt_regs *old_regs = set_irq_regs(regs);
 	int from_idle;
 
-	irq_enter();
+	irq_enter_rcu();
 
 	if (user_mode(regs))
 		update_timer_sys();
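Review bot: `irq_enter_rcu()` in do_io_irq() is only valid because the RCU entry has already been done on this path by the entry code, as the changelog explains, and the hunk gives no hint of that dependency. A short comment above the call would explain why plain irq_enter() must not be used here; the same applies to the matching change in do_ext_irq().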
@@ -155,7 +155,8 @@ void noinstr do_io_irq(struct pt_regs *r
 			do_irq_async(regs, IO_INTERRUPT);
 	} while (MACHINE_IS_LPAR && irq_pending(regs));
 
-	irq_exit();
+	irq_exit_rcu();
+
 	set_irq_regs(old_regs);
 	irqentry_exit(regs, state);
 
@@ -169,7 +170,7 @@ void noinstr do_ext_irq(struct pt_regs *
 	struct pt_regs *old_regs = set_irq_regs(regs);
 	int from_idle;
 
-	irq_enter();
+	irq_enter_rcu();
 
 	if (user_mode(regs))
 		update_timer_sys();
@@ -184,7 +185,7 @@ void noinstr do_ext_irq(struct pt_regs *
 
 	do_irq_async(regs, EXT_INTERRUPT);
 
-	irq_exit();
+	irq_exit_rcu();
 	set_irq_regs(old_regs);
 	irqentry_exit(regs, state);
 



^ permalink raw reply	[flat|nested] 183+ messages in thread

* [PATCH 5.15 025/177] recordmcount.pl: look for jgnop instruction as well as bcrl on s390
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 024/177] s390/entry: fix duplicate tracking of irq nesting level Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 026/177] arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jerome Marchand, Miroslav Benes,
	Steven Rostedt (VMware),
	Heiko Carstens

From: Jerome Marchand <jmarchan@redhat.com>

commit 85bf17b28f97ca2749968d8786dc423db320d9c2 upstream.

On s390, recordmcount.pl is looking for "bcrl 0,<xxx>" instructions in
the objdump -d output. However since binutils 2.37, objdump -d
displays "jgnop <xxx>" for the same instruction. Update the
mcount_regex so that it accepts both.

Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
Reviewed-by: Miroslav Benes <mbenes@suse.cz>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211210093827.1623286-1-jmarchan@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 scripts/recordmcount.pl |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/scripts/recordmcount.pl
+++ b/scripts/recordmcount.pl
@@ -219,7 +219,7 @@ if ($arch eq "x86_64") {
 
 } elsif ($arch eq "s390" && $bits == 64) {
     if ($cc =~ /-DCC_USING_HOTPATCH/) {
-	$mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*brcl\\s*0,[0-9a-f]+ <([^\+]*)>\$";
+	$mcount_regex = "^\\s*([0-9a-fA-F]+):\\s*c0 04 00 00 00 00\\s*(bcrl\\s*0,|jgnop\\s*)[0-9a-f]+ <([^\+]*)>\$";
 	$mcount_adjust = 0;
     }
     $alignment = 8;
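Review bot: The new alternation on the `+` line spells the mnemonic `bcrl`, while the line it replaces matched `brcl`, so objdump output from binutils older than 2.37 that still prints `brcl 0,<xxx>` would stop matching and only the `jgnop` form would be recognised. The added parentheses are also a capturing group, which moves the `<([^\+]*)>` capture from the second group to the third; anything in the script that reads the second capture would then get the mnemonic instead. Suggest `(?:brcl\\s*0,|jgnop\\s*)` so the old spelling is kept and the group numbering is unchanged.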




* [PATCH 5.15 026/177] arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 025/177] recordmcount.pl: look for jgnop instruction as well as bcrl on s390 Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 027/177] ceph: fix up non-directory creation in SGID directories Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mathew McBride, Shawn Guo

From: Mathew McBride <matt@traverse.com.au>

commit c88c5e461939a06ae769a01649d5c6b5a156f883 upstream.

gpio-keys already 'inherits' the interrupts from the controller
of the specified GPIO, so having another declaration is redundant.
On >=v5.15 this started causing an oops under gpio_keys_probe as
the IRQ was already claimed.

Signed-off-by: Mathew McBride <matt@traverse.com.au>
Fixes: 418962eea358 ("arm64: dts: add device tree for Traverse Ten64 (LS1088A)")
Cc: stable@vger.kernel.org
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/fsl-ls1088a-ten64.dts |    2 --
 1 file changed, 2 deletions(-)

--- a/arch/arm64/boot/dts/freescale/fsl-ls1088a-ten64.dts
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1088a-ten64.dts
@@ -38,7 +38,6 @@
 		powerdn {
 			label = "External Power Down";
 			gpios = <&gpio1 17 GPIO_ACTIVE_LOW>;
-			interrupts = <&gpio1 17 IRQ_TYPE_EDGE_FALLING>;
 			linux,code = <KEY_POWER>;
 		};
 
@@ -46,7 +45,6 @@
 		admin {
 			label = "ADMIN button";
 			gpios = <&gpio3 8 GPIO_ACTIVE_HIGH>;
-			interrupts = <&gpio3 8 IRQ_TYPE_EDGE_RISING>;
 			linux,code = <KEY_WPS_BUTTON>;
 		};
 	};




* [PATCH 5.15 027/177] ceph: fix up non-directory creation in SGID directories
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 026/177] arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 028/177] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christian Brauner, Jeff Layton, Ilya Dryomov

From: Christian Brauner <christian.brauner@ubuntu.com>

commit fd84bfdddd169c219c3a637889a8b87f70a072c2 upstream.

Ceph always inherits the SGID bit if it is set on the parent inode,
while the generic inode_init_owner does not do this in a few cases where
it can create a possible security problem (cf. [1]).

Update ceph to strip the SGID bit just as inode_init_owner would.

This bug was detected by the mapped mount testsuite in [3]. The
testsuite tests all core VFS functionality and semantics with and
without mapped mounts. That is to say it functions as a generic VFS
testsuite in addition to a mapped mount testsuite. While working on
mapped mount support for ceph, SGID inheritance was the only failing
test for ceph after the port.

The same bug was detected by the mapped mount testsuite in XFS in
January 2021 (cf. [2]).

[1]: commit 0fa3ecd87848 ("Fix up non-directory creation in SGID directories")
[2]: commit 01ea173e103e ("xfs: fix up non-directory creation in SGID directories")
[3]: https://git.kernel.org/fs/xfs/xfstests-dev.git

Cc: stable@vger.kernel.org
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ceph/file.c |   18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

--- a/fs/ceph/file.c
+++ b/fs/ceph/file.c
@@ -603,13 +603,25 @@ static int ceph_finish_async_create(stru
 	in.cap.realm = cpu_to_le64(ci->i_snap_realm->ino);
 	in.cap.flags = CEPH_CAP_FLAG_AUTH;
 	in.ctime = in.mtime = in.atime = iinfo.btime;
-	in.mode = cpu_to_le32((u32)mode);
 	in.truncate_seq = cpu_to_le32(1);
 	in.truncate_size = cpu_to_le64(-1ULL);
 	in.xattr_version = cpu_to_le64(1);
 	in.uid = cpu_to_le32(from_kuid(&init_user_ns, current_fsuid()));
-	in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_mode & S_ISGID ?
-				dir->i_gid : current_fsgid()));
+	if (dir->i_mode & S_ISGID) {
+		in.gid = cpu_to_le32(from_kgid(&init_user_ns, dir->i_gid));
+
+		/* Directories always inherit the setgid bit. */
+		if (S_ISDIR(mode))
+			mode |= S_ISGID;
+		else if ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP) &&
+			 !in_group_p(dir->i_gid) &&
+			 !capable_wrt_inode_uidgid(&init_user_ns, dir, CAP_FSETID))
+			mode &= ~S_ISGID;
+	} else {
+		in.gid = cpu_to_le32(from_kgid(&init_user_ns, current_fsgid()));
+	}
+	in.mode = cpu_to_le32((u32)mode);
+
 	in.nlink = cpu_to_le32(1);
 	in.max_size = cpu_to_le64(lo->stripe_unit);
 
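Review bot: The else-if branch that clears S_ISGID has no comment, unlike the directory branch just above it, and its three-part condition (mode has both S_ISGID and S_IXGRP, caller not in dir->i_gid, no CAP_FSETID) is not self-explanatory. A one-line comment saying it mirrors inode_init_owner() would help keep the two copies in step. It is also worth a note on why &init_user_ns is hard-coded in the capable_wrt_inode_uidgid() call, given that the commit message mentions ongoing mapped mount work for ceph.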




* [PATCH 5.15 028/177] dm btree remove: fix use after free in rebalance_children()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 027/177] ceph: fix up non-directory creation in SGID directories Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:32 ` [PATCH 5.15 029/177] audit: improve robustness of the audit queue handling Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Joe Thornber, Mike Snitzer

From: Joe Thornber <ejt@redhat.com>

commit 1b8d2789dad0005fd5e7d35dab26a8e1203fb6da upstream.

Move dm_tm_unlock() after dm_tm_dec().

Cc: stable@vger.kernel.org
Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/persistent-data/dm-btree-remove.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -423,9 +423,9 @@ static int rebalance_children(struct sha
 
 		memcpy(n, dm_block_data(child),
 		       dm_bm_block_size(dm_tm_get_bm(info->tm)));
-		dm_tm_unlock(info->tm, child);
 
 		dm_tm_dec(info->tm, dm_block_location(child));
+		dm_tm_unlock(info->tm, child);
 		return 0;
 	}
 
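Review bot: Nothing at the reordered lines says why dm_tm_unlock() has to follow dm_tm_dec(), and the two calls look freely swappable to anyone tidying this function later. dm_tm_dec() is passed dm_block_location(child), which reads child, so child must still be held at that point; a short comment above the dm_tm_dec() line stating that would guard against the order being reverted.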




* [PATCH 5.15 029/177] audit: improve robustness of the audit queue handling
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 028/177] dm btree remove: fix use after free in rebalance_children() Greg Kroah-Hartman
@ 2021-12-20 14:32 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 030/177] btrfs: convert latest_bdev type to btrfs_device and rename Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:32 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gaosheng Cui, Richard Guy Briggs, Paul Moore

From: Paul Moore <paul@paul-moore.com>

commit f4b3ee3c85551d2d343a3ba159304066523f730f upstream.

If the audit daemon were ever to get stuck in a stopped state the
kernel's kauditd_thread() could get blocked attempting to send audit
records to the userspace audit daemon.  With the kernel thread
blocked it is possible that the audit queue could grow unbounded as
certain audit record generating events must be exempt from the queue
limits else the system enters a deadlock state.

This patch resolves this problem by lowering the kernel thread's
socket sending timeout from MAX_SCHEDULE_TIMEOUT to HZ/10 and tweaks
the kauditd_send_queue() function to better manage the various audit
queues when connection problems occur between the kernel and the
audit daemon.  With this patch, the backlog may temporarily grow
beyond the defined limits when the audit daemon is stopped and the
system is under heavy audit pressure, but kauditd_thread() will
continue to make progress and drain the queues as it would for other
connection problems.  For example, with the audit daemon put into a
stopped state and the system configured to audit every syscall it
was still possible to shut down the system without a kernel panic,
deadlock, etc.; granted, the system was slow to shut down but that is
to be expected given the extreme pressure of recording every syscall.

The timeout value of HZ/10 was chosen primarily through
experimentation and this developer's "gut feeling".  There is likely
no one perfect value, but as this scenario is limited in scope (root
privileges would be needed to send SIGSTOP to the audit daemon), it
is likely not worth exposing this as a tunable at present.  This can
always be done at a later date if it proves necessary.

Cc: stable@vger.kernel.org
Fixes: 5b52330bbfe63 ("audit: fix auditd/kernel connection state tracking")
Reported-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Tested-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Reviewed-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/audit.c |   21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -718,7 +718,7 @@ static int kauditd_send_queue(struct soc
 {
 	int rc = 0;
 	struct sk_buff *skb;
-	static unsigned int failed = 0;
+	unsigned int failed = 0;
 
 	/* NOTE: kauditd_thread takes care of all our locking, we just use
 	 *       the netlink info passed to us (e.g. sk and portid) */
@@ -735,32 +735,30 @@ static int kauditd_send_queue(struct soc
 			continue;
 		}
 
+retry:
 		/* grab an extra skb reference in case of error */
 		skb_get(skb);
 		rc = netlink_unicast(sk, skb, portid, 0);
 		if (rc < 0) {
-			/* fatal failure for our queue flush attempt? */
+			/* send failed - try a few times unless fatal error */
 			if (++failed >= retry_limit ||
 			    rc == -ECONNREFUSED || rc == -EPERM) {
-				/* yes - error processing for the queue */
 				sk = NULL;
 				if (err_hook)
 					(*err_hook)(skb);
-				if (!skb_hook)
-					goto out;
-				/* keep processing with the skb_hook */
+				if (rc == -EAGAIN)
+					rc = 0;
+				/* continue to drain the queue */
 				continue;
 			} else
-				/* no - requeue to preserve ordering */
-				skb_queue_head(queue, skb);
+				goto retry;
 		} else {
-			/* it worked - drop the extra reference and continue */
+			/* skb sent - drop the extra reference and continue */
 			consume_skb(skb);
 			failed = 0;
 		}
 	}
 
-out:
 	return (rc >= 0 ? 0 : rc);
 }
 
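Review bot: In the failure branch, `if (rc == -EAGAIN) rc = 0;` means the function can return 0 for a queue whose skb was just handed to err_hook after a send timeout, and the adjacent comment does not say why a timeout is hidden from the caller. Please document that choice next to the assignment, since it ties directly to the shorter sk_sndtimeo set in audit_net_init(). The new `else goto retry;` arm is also unbraced while the if arm is braced; bracing both would match the usual kernel style.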
@@ -1609,7 +1607,8 @@ static int __net_init audit_net_init(str
 		audit_panic("cannot initialize netlink socket in namespace");
 		return -ENOMEM;
 	}
-	aunet->sk->sk_sndtimeo = MAX_SCHEDULE_TIMEOUT;
+	/* limit the timeout in case auditd is blocked/stopped */
+	aunet->sk->sk_sndtimeo = HZ / 10;
 
 	return 0;
 }
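Review bot: `HZ / 10` at the sk_sndtimeo assignment is a bare literal whose rationale lives only in the commit message. A named constant with a comment that the value was chosen empirically would make it easier to find and adjust later; the current one-line comment explains the purpose but not the magnitude.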




* [PATCH 5.15 030/177] btrfs: convert latest_bdev type to btrfs_device and rename
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-12-20 14:32 ` [PATCH 5.15 029/177] audit: improve robustness of the audit queue handling Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 031/177] btrfs: use latest_dev in btrfs_show_devname Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Su Yue, Anand Jain, David Sterba

From: Anand Jain <anand.jain@oracle.com>

Commit d24fa5c1da08026be9959baca309fa0adf8708bf upstream.

In preparation to fix a bug in btrfs_show_devname().

Convert fs_devices::latest_bdev type from struct block_device to struct
btrfs_device and rename the member to fs_devices::latest_dev, so that
btrfs_show_devname() can use fs_devices::latest_dev::name.

Tested-by: Su Yue <l@damenly.su>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c   |    6 +++---
 fs/btrfs/extent_io.c |    2 +-
 fs/btrfs/inode.c     |    2 +-
 fs/btrfs/super.c     |    2 +-
 fs/btrfs/volumes.c   |   10 +++++-----
 fs/btrfs/volumes.h   |    6 +++++-
 6 files changed, 16 insertions(+), 12 deletions(-)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3229,12 +3229,12 @@ int __cold open_ctree(struct super_block
 	mapping_set_gfp_mask(fs_info->btree_inode->i_mapping, GFP_NOFS);
 	btrfs_init_btree_inode(fs_info);
 
-	invalidate_bdev(fs_devices->latest_bdev);
+	invalidate_bdev(fs_devices->latest_dev->bdev);
 
 	/*
 	 * Read super block and check the signature bytes only
 	 */
-	disk_super = btrfs_read_dev_super(fs_devices->latest_bdev);
+	disk_super = btrfs_read_dev_super(fs_devices->latest_dev->bdev);
 	if (IS_ERR(disk_super)) {
 		err = PTR_ERR(disk_super);
 		goto fail_alloc;
@@ -3466,7 +3466,7 @@ int __cold open_ctree(struct super_block
 	 * below in btrfs_init_dev_replace().
 	 */
 	btrfs_free_extra_devids(fs_devices);
-	if (!fs_devices->latest_bdev) {
+	if (!fs_devices->latest_dev->bdev) {
 		btrfs_err(fs_info, "failed to read devices");
 		goto fail_tree_roots;
 	}
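Review bot: The check `if (!fs_devices->latest_dev->bdev)` now dereferences latest_dev before testing anything, where the removed line only tested a pointer. If latest_dev can be NULL after btrfs_free_extra_devids(), this turns the "failed to read devices" error path into a NULL dereference; either test `!fs_devices->latest_dev` first or state in a comment that it is guaranteed non-NULL here.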
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -3327,7 +3327,7 @@ static int alloc_new_bio(struct btrfs_in
 	if (wbc) {
 		struct block_device *bdev;
 
-		bdev = fs_info->fs_devices->latest_bdev;
+		bdev = fs_info->fs_devices->latest_dev->bdev;
 		bio_set_dev(bio, bdev);
 		wbc_init_bio(wbc, bio);
 	}
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -7967,7 +7967,7 @@ static int btrfs_dio_iomap_begin(struct
 		iomap->type = IOMAP_MAPPED;
 	}
 	iomap->offset = start;
-	iomap->bdev = fs_info->fs_devices->latest_bdev;
+	iomap->bdev = fs_info->fs_devices->latest_dev->bdev;
 	iomap->length = len;
 
 	if (write && btrfs_use_zone_append(BTRFS_I(inode), em->block_start))
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -1705,7 +1705,7 @@ static struct dentry *btrfs_mount_root(s
 		goto error_close_devices;
 	}
 
-	bdev = fs_devices->latest_bdev;
+	bdev = fs_devices->latest_dev->bdev;
 	s = sget(fs_type, btrfs_test_super, btrfs_set_super, flags | SB_NOSEC,
 		 fs_info);
 	if (IS_ERR(s)) {
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1092,7 +1092,7 @@ void btrfs_free_extra_devids(struct btrf
 	list_for_each_entry(seed_dev, &fs_devices->seed_list, seed_list)
 		__btrfs_free_extra_devids(seed_dev, &latest_dev);
 
-	fs_devices->latest_bdev = latest_dev->bdev;
+	fs_devices->latest_dev = latest_dev;
 
 	mutex_unlock(&uuid_mutex);
 }
@@ -1225,7 +1225,7 @@ static int open_fs_devices(struct btrfs_
 		return -EINVAL;
 
 	fs_devices->opened = 1;
-	fs_devices->latest_bdev = latest_dev->bdev;
+	fs_devices->latest_dev = latest_dev;
 	fs_devices->total_rw_bytes = 0;
 	fs_devices->chunk_alloc_policy = BTRFS_CHUNK_ALLOC_REGULAR;
 	fs_devices->read_policy = BTRFS_READ_POLICY_PID;
@@ -1993,7 +1993,7 @@ static struct btrfs_device * btrfs_find_
 }
 
 /*
- * Helper function to check if the given device is part of s_bdev / latest_bdev
+ * Helper function to check if the given device is part of s_bdev / latest_dev
  * and replace it with the provided or the next active device, in the context
  * where this function called, there should be always be another device (or
  * this_dev) which is active.
@@ -2012,8 +2012,8 @@ void __cold btrfs_assign_next_active_dev
 			(fs_info->sb->s_bdev == device->bdev))
 		fs_info->sb->s_bdev = next_device->bdev;
 
-	if (fs_info->fs_devices->latest_bdev == device->bdev)
-		fs_info->fs_devices->latest_bdev = next_device->bdev;
+	if (fs_info->fs_devices->latest_dev->bdev == device->bdev)
+		fs_info->fs_devices->latest_dev = next_device;
 }
 
 /*
--- a/fs/btrfs/volumes.h
+++ b/fs/btrfs/volumes.h
@@ -246,7 +246,11 @@ struct btrfs_fs_devices {
 	/* Highest generation number of seen devices */
 	u64 latest_generation;
 
-	struct block_device *latest_bdev;
+	/*
+	 * The mount device or a device with highest generation after removal
+	 * or replace.
+	 */
+	struct btrfs_device *latest_dev;
 
 	/* all of the devices in the FS, protected by a mutex
 	 * so we can safely walk it to write out the supers without
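Review bot: The new comment on latest_dev says what the field points at but not what protects it or how long the pointed-to btrfs_device stays valid. Now that the field is a struct btrfs_device pointer rather than a block_device pointer, please document the locking or RCU rule that readers and writers of latest_dev must follow.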




* [PATCH 5.15 031/177] btrfs: use latest_dev in btrfs_show_devname
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 030/177] btrfs: convert latest_bdev type to btrfs_device and rename Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 032/177] btrfs: update latest_dev when we create a sprout device Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Su Yue, Anand Jain, David Sterba

From: Anand Jain <anand.jain@oracle.com>

Commit 6605fd2f394bba0a0059df2b6cfc87b0b6d393a2 upstream.

The test case btrfs/238 reports the warning below:

 WARNING: CPU: 3 PID: 481 at fs/btrfs/super.c:2509 btrfs_show_devname+0x104/0x1e8 [btrfs]
 CPU: 2 PID: 1 Comm: systemd Tainted: G        W  O 5.14.0-rc1-custom #72
 Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
 Call trace:
   btrfs_show_devname+0x108/0x1b4 [btrfs]
   show_mountinfo+0x234/0x2c4
   m_show+0x28/0x34
   seq_read_iter+0x12c/0x3c4
   vfs_read+0x29c/0x2c8
   ksys_read+0x80/0xec
   __arm64_sys_read+0x28/0x34
   invoke_syscall+0x50/0xf8
   do_el0_svc+0x88/0x138
   el0_svc+0x2c/0x8c
   el0t_64_sync_handler+0x84/0xe4
   el0t_64_sync+0x198/0x19c

Reason:
While btrfs_prepare_sprout() moves the fs_devices::devices into
fs_devices::seed_list, the btrfs_show_devname() searches for the devices
and finds none, leading to the warning above.

Fix:
latest_dev is updated according to the changes to the device list.
That means we could use the latest_dev->name to show the device name in
/proc/self/mounts, the pointer will be always valid as it's assigned
before the device is deleted from the list in remove or replace.
The RCU protection is sufficient as the device structure is freed after
synchronization.

Reported-by: Su Yue <l@damenly.su>
Tested-by: Su Yue <l@damenly.su>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/super.c |   24 +++++-------------------
 1 file changed, 5 insertions(+), 19 deletions(-)

--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2463,30 +2463,16 @@ static int btrfs_unfreeze(struct super_b
 static int btrfs_show_devname(struct seq_file *m, struct dentry *root)
 {
 	struct btrfs_fs_info *fs_info = btrfs_sb(root->d_sb);
-	struct btrfs_device *dev, *first_dev = NULL;
 
 	/*
-	 * Lightweight locking of the devices. We should not need
-	 * device_list_mutex here as we only read the device data and the list
-	 * is protected by RCU.  Even if a device is deleted during the list
-	 * traversals, we'll get valid data, the freeing callback will wait at
-	 * least until the rcu_read_unlock.
+	 * There should be always a valid pointer in latest_dev, it may be stale
+	 * for a short moment in case it's being deleted but still valid until
+	 * the end of RCU grace period.
 	 */
 	rcu_read_lock();
-	list_for_each_entry_rcu(dev, &fs_info->fs_devices->devices, dev_list) {
-		if (test_bit(BTRFS_DEV_STATE_MISSING, &dev->dev_state))
-			continue;
-		if (!dev->name)
-			continue;
-		if (!first_dev || dev->devid < first_dev->devid)
-			first_dev = dev;
-	}
-
-	if (first_dev)
-		seq_escape(m, rcu_str_deref(first_dev->name), " \t\n\\");
-	else
-		WARN_ON(1);
+	seq_escape(m, rcu_str_deref(fs_info->fs_devices->latest_dev->name), " \t\n\\");
 	rcu_read_unlock();
+
 	return 0;
 }
 
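Review bot: The `+` line loads fs_info->fs_devices->latest_dev with a plain read inside the RCU section, although the new comment says the pointer can be stale while a device is being deleted. Annotating the load with READ_ONCE() or rcu_dereference() would make the concurrent update explicit. The removed loop also skipped devices with a NULL name and ended in WARN_ON(1); with both gone, a NULL latest_dev or latest_dev->name would oops here, so the comment should state what guarantees they are set.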




* [PATCH 5.15 032/177] btrfs: update latest_dev when we create a sprout device
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 031/177] btrfs: use latest_dev in btrfs_show_devname Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 033/177] btrfs: remove stale comment about the btrfs_show_devname Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Su Yue, Anand Jain, David Sterba

From: Anand Jain <anand.jain@oracle.com>

Commit b7cb29e666fe79dda5dbe5f57fb7c92413bf161c upstream.

When we add a device to the seed filesystem (sprouting) it is a new
filesystem (and fsid) on the device added. Update the latest_dev so
that /proc/self/mounts shows the correct device.

Example:

  $ btrfstune -S1 /dev/vg/seed
  $ mount /dev/vg/seed /btrfs
  mount: /btrfs: WARNING: device write-protected, mounted read-only.

  $ cat /proc/self/mounts | grep btrfs
  /dev/mapper/vg-seed /btrfs btrfs ro,relatime,space_cache,subvolid=5,subvol=/ 0 0

  $ btrfs dev add -f /dev/vg/new /btrfs

Before:

  $ cat /proc/self/mounts | grep btrfs
  /dev/mapper/vg-seed /btrfs btrfs ro,relatime,space_cache,subvolid=5,subvol=/ 0 0

After:

  $ cat /proc/self/mounts | grep btrfs
  /dev/mapper/vg-new /btrfs btrfs ro,relatime,space_cache,subvolid=5,subvol=/ 0 0

Tested-by: Su Yue <l@damenly.su>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/volumes.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2634,6 +2634,8 @@ int btrfs_init_new_device(struct btrfs_f
 			btrfs_abort_transaction(trans, ret);
 			goto error_trans;
 		}
+		btrfs_assign_next_active_device(fs_info->fs_devices->latest_dev,
+						device);
 	}
 
 	device->fs_devices = fs_devices;
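Review bot: btrfs_assign_next_active_device() is called here with latest_dev itself as the device to be replaced, which is not obvious from the helper's name or from this call site. A comment saying the call exists to point latest_dev at the newly added sprout device would save readers a trip to the helper.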




* [PATCH 5.15 033/177] btrfs: remove stale comment about the btrfs_show_devname
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 032/177] btrfs: update latest_dev when we create a sprout device Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 034/177] scsi: ufs: core: Retry START_STOP on UNIT_ATTENTION Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Anand Jain, David Sterba

From: Anand Jain <anand.jain@oracle.com>

Commit cdccc03a8a369b59cff5e7ea3292511cfa551120 upstream.

There were a few lockdep warnings because btrfs_show_devname() was using
device_list_mutex as recorded in the commits:

  0ccd05285e7f ("btrfs: fix a possible umount deadlock")
  779bf3fefa83 ("btrfs: fix lock dep warning, move scratch dev out of device_list_mutex and uuid_mutex")

And finally, commit 88c14590cdd6 ("btrfs: use RCU in btrfs_show_devname
for device list traversal") removed the device_list_mutex from
btrfs_show_devname for performance reasons.

This patch removes a stale comment about the function
btrfs_show_devname and device_list_mutex.

Signed-off-by: Anand Jain <anand.jain@oracle.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/volumes.c |    7 -------
 1 file changed, 7 deletions(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -2312,13 +2312,6 @@ void btrfs_destroy_dev_replace_tgtdev(st
 
 	mutex_unlock(&fs_devices->device_list_mutex);
 
-	/*
-	 * The update_dev_time() with in btrfs_scratch_superblocks()
-	 * may lead to a call to btrfs_show_devname() which will try
-	 * to hold device_list_mutex. And here this device
-	 * is already out of device list, so we don't have to hold
-	 * the device_list_mutex lock.
-	 */
 	btrfs_scratch_superblocks(tgtdev->fs_info, tgtdev->bdev,
 				  tgtdev->name->str);
 




* [PATCH 5.15 034/177] scsi: ufs: core: Retry START_STOP on UNIT_ATTENTION
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 033/177] btrfs: remove stale comment about the btrfs_show_devname Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 035/177] drm/i915/hdmi: convert intel_hdmi_to_dev to intel_hdmi_to_i915 Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Bart Van Assche,
	Jaegeuk Kim, Martin K. Petersen

From: Jaegeuk Kim <jaegeuk@kernel.org>

commit af21c3fd5b3ec540a97b367a70b26616ff7e0c55 upstream.

Commit 57d104c153d3 ("ufs: add UFS power management support") made the UFS
driver submit a REQUEST SENSE command before submitting a power management
command to a WLUN to clear the POWER ON unit attention. Instead of
submitting a REQUEST SENSE command before submitting a power management
command, retry the power management command until it succeeds.

This is the preparation to get rid of all UNIT ATTENTION code which should
be handled by users.

Link: https://lore.kernel.org/r/20211001182015.1347587-2-jaegeuk@kernel.org
Cc: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/ufs/ufshcd.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- a/drivers/scsi/ufs/ufshcd.c
+++ b/drivers/scsi/ufs/ufshcd.c
@@ -8477,7 +8477,7 @@ static int ufshcd_set_dev_pwr_mode(struc
 	struct scsi_sense_hdr sshdr;
 	struct scsi_device *sdp;
 	unsigned long flags;
-	int ret;
+	int ret, retries;
 
 	spin_lock_irqsave(hba->host->host_lock, flags);
 	sdp = hba->sdev_ufs_device;
@@ -8510,8 +8510,14 @@ static int ufshcd_set_dev_pwr_mode(struc
 	 * callbacks hence set the RQF_PM flag so that it doesn't resume the
 	 * already suspended childs.
 	 */
-	ret = scsi_execute(sdp, cmd, DMA_NONE, NULL, 0, NULL, &sshdr,
-			START_STOP_TIMEOUT, 0, 0, RQF_PM, NULL);
+	for (retries = 3; retries > 0; --retries) {
+		ret = scsi_execute(sdp, cmd, DMA_NONE, NULL, 0, NULL, &sshdr,
+				START_STOP_TIMEOUT, 0, 0, RQF_PM, NULL);
+		if (!scsi_status_is_check_condition(ret) ||
+				!scsi_sense_valid(&sshdr) ||
+				sshdr.sense_key != UNIT_ATTENTION)
+			break;
+	}
 	if (ret) {
 		sdev_printk(KERN_WARNING, sdp,
 			    "START_STOP failed for power mode: %d, result %x\n",
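Review bot: The retry count in `for (retries = 3; retries > 0; --retries)` is a bare literal, and when every attempt ends in UNIT_ATTENTION the code falls through to the existing "START_STOP failed" warning with no sign that retries were exhausted. A named constant for the limit, and the attempt count in the warning, would make field reports easier to interpret.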




* [PATCH 5.15 035/177] drm/i915/hdmi: convert intel_hdmi_to_dev to intel_hdmi_to_i915
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 034/177] scsi: ufs: core: Retry START_STOP on UNIT_ATTENTION Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 036/177] drm/i915/hdmi: Turn DP++ TMDS output buffers back on in encoder->shutdown() Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ville Syrjälä, Jani Nikula

From: Jani Nikula <jani.nikula@intel.com>

commit 7ceb751b615900086eed1d65955933923f127d99 upstream.

Prefer i915 over drm pointer.

Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20210921110244.8666-1-jani.nikula@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/intel_hdmi.c |   16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

--- a/drivers/gpu/drm/i915/display/intel_hdmi.c
+++ b/drivers/gpu/drm/i915/display/intel_hdmi.c
@@ -53,21 +53,20 @@
 #include "intel_panel.h"
 #include "intel_snps_phy.h"
 
-static struct drm_device *intel_hdmi_to_dev(struct intel_hdmi *intel_hdmi)
+static struct drm_i915_private *intel_hdmi_to_i915(struct intel_hdmi *intel_hdmi)
 {
-	return hdmi_to_dig_port(intel_hdmi)->base.base.dev;
+	return to_i915(hdmi_to_dig_port(intel_hdmi)->base.base.dev);
 }
 
 static void
 assert_hdmi_port_disabled(struct intel_hdmi *intel_hdmi)
 {
-	struct drm_device *dev = intel_hdmi_to_dev(intel_hdmi);
-	struct drm_i915_private *dev_priv = to_i915(dev);
+	struct drm_i915_private *dev_priv = intel_hdmi_to_i915(intel_hdmi);
 	u32 enabled_bits;
 
 	enabled_bits = HAS_DDI(dev_priv) ? DDI_BUF_CTL_ENABLE : SDVO_ENABLE;
 
-	drm_WARN(dev,
+	drm_WARN(&dev_priv->drm,
 		 intel_de_read(dev_priv, intel_hdmi->hdmi_reg) & enabled_bits,
 		 "HDMI port enabled, expecting disabled\n");
 }
@@ -1246,7 +1245,7 @@ static void hsw_set_infoframes(struct in
 
 void intel_dp_dual_mode_set_tmds_output(struct intel_hdmi *hdmi, bool enable)
 {
-	struct drm_i915_private *dev_priv = to_i915(intel_hdmi_to_dev(hdmi));
+	struct drm_i915_private *dev_priv = intel_hdmi_to_i915(hdmi);
 	struct i2c_adapter *adapter =
 		intel_gmbus_get_adapter(dev_priv, hdmi->ddc_bus);
 
@@ -1830,7 +1829,7 @@ hdmi_port_clock_valid(struct intel_hdmi
 		      int clock, bool respect_downstream_limits,
 		      bool has_hdmi_sink)
 {
-	struct drm_i915_private *dev_priv = to_i915(intel_hdmi_to_dev(hdmi));
+	struct drm_i915_private *dev_priv = intel_hdmi_to_i915(hdmi);
 
 	if (clock < 25000)
 		return MODE_CLOCK_LOW;
@@ -1946,8 +1945,7 @@ intel_hdmi_mode_valid(struct drm_connect
 		      struct drm_display_mode *mode)
 {
 	struct intel_hdmi *hdmi = intel_attached_hdmi(to_intel_connector(connector));
-	struct drm_device *dev = intel_hdmi_to_dev(hdmi);
-	struct drm_i915_private *dev_priv = to_i915(dev);
+	struct drm_i915_private *dev_priv = intel_hdmi_to_i915(hdmi);
 	enum drm_mode_status status;
 	int clock = mode->clock;
 	int max_dotclk = to_i915(connector->dev)->max_dotclk_freq;
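
Review bot: in intel_hdmi_mode_valid() the unchanged line
"int max_dotclk = to_i915(connector->dev)->max_dotclk_freq;" still does
its own to_i915() conversion right after dev_priv has been obtained through
intel_hdmi_to_i915(hdmi). Since the change is about carrying the i915
pointer instead of the drm one, this could read dev_priv->max_dotclk_freq,
so that the function no longer derives the device in two different ways.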



* [PATCH 5.15 036/177] drm/i915/hdmi: Turn DP++ TMDS output buffers back on in encoder->shutdown()
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ville Syrjälä,
	Stanislav Lisovskiy, Rodrigo Vivi

From: Ville Syrjälä <ville.syrjala@linux.intel.com>

commit cecbc0c7eba7983965cac94f88d2db00b913253b upstream.

Looks like our VBIOS/GOP generally fail to turn the DP dual mode adapter
TMDS output buffers back on after a reboot. This leads to a black screen
after reboot if we turned the TMDS output buffers off prior to reboot.
And if i915 decides to do a fastboot the black screen will persist even
after i915 takes over.

Apparently this has been a problem ever since commit b2ccb822d376 ("drm/i915:
Enable/disable TMDS output buffers in DP++ adaptor as needed") if one
rebooted while the display was turned off. And things became worse with
commit fe0f1e3bfdfe ("drm/i915: Shut down displays gracefully on reboot")
since now we always turn the display off before a reboot.

This was reported on a RKL, but I confirmed the same behaviour on my
SNB as well. So looks pretty universal.

Let's fix this by explicitly turning the TMDS output buffers back on
in the encoder->shutdown() hook. Note that this gets called after irqs
have been disabled, so the i2c communication with the DP dual mode
adapter has to be performed via polling (which the gmbus code is
perfectly happy to do for us).

We also need a bit of care in handling DDI encoders which may or may
not be set up for HDMI output. Specifically ddc_pin will not be
populated for a DP only DDI encoder, in which case we don't want to
call intel_gmbus_get_adapter(). We can handle that by simply doing
the dual mode adapter type check before calling
intel_gmbus_get_adapter().

Cc: <stable@vger.kernel.org> # v5.11+
Fixes: fe0f1e3bfdfe ("drm/i915: Shut down displays gracefully on reboot")
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/4371
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211029191802.18448-2-ville.syrjala@linux.intel.com
Reviewed-by: Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
(cherry picked from commit 49c55f7b035b87371a6d3c53d9af9f92ddc962db)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/i915/display/g4x_hdmi.c   |    1 +
 drivers/gpu/drm/i915/display/intel_ddi.c  |    1 +
 drivers/gpu/drm/i915/display/intel_hdmi.c |   16 ++++++++++++++--
 drivers/gpu/drm/i915/display/intel_hdmi.h |    1 +
 4 files changed, 17 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/i915/display/g4x_hdmi.c
+++ b/drivers/gpu/drm/i915/display/g4x_hdmi.c
@@ -584,6 +584,7 @@ void g4x_hdmi_init(struct drm_i915_priva
 		else
 			intel_encoder->enable = g4x_enable_hdmi;
 	}
+	intel_encoder->shutdown = intel_hdmi_encoder_shutdown;
 
 	intel_encoder->type = INTEL_OUTPUT_HDMI;
 	intel_encoder->power_domain = intel_port_to_power_domain(port);
--- a/drivers/gpu/drm/i915/display/intel_ddi.c
+++ b/drivers/gpu/drm/i915/display/intel_ddi.c
@@ -4432,6 +4432,7 @@ static void intel_ddi_encoder_shutdown(s
 	enum phy phy = intel_port_to_phy(i915, encoder->port);
 
 	intel_dp_encoder_shutdown(encoder);
+	intel_hdmi_encoder_shutdown(encoder);
 
 	if (!intel_phy_is_tc(i915, phy))
 		return;
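
Review bot: intel_ddi_encoder_shutdown() now calls
intel_hdmi_encoder_shutdown(encoder) for every DDI encoder, including ones
that are DP only, so its safety depends entirely on the dual mode type
check in intel_dp_dual_mode_set_tmds_output() running before hdmi->ddc_bus
is used. A one-line comment at this call site saying that the callee bails
out for encoders without a DP dual mode adaptor would keep that dependency
visible to whoever next touches either function.
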
--- a/drivers/gpu/drm/i915/display/intel_hdmi.c
+++ b/drivers/gpu/drm/i915/display/intel_hdmi.c
@@ -1246,12 +1246,13 @@ static void hsw_set_infoframes(struct in
 void intel_dp_dual_mode_set_tmds_output(struct intel_hdmi *hdmi, bool enable)
 {
 	struct drm_i915_private *dev_priv = intel_hdmi_to_i915(hdmi);
-	struct i2c_adapter *adapter =
-		intel_gmbus_get_adapter(dev_priv, hdmi->ddc_bus);
+	struct i2c_adapter *adapter;
 
 	if (hdmi->dp_dual_mode.type < DRM_DP_DUAL_MODE_TYPE2_DVI)
 		return;
 
+	adapter = intel_gmbus_get_adapter(dev_priv, hdmi->ddc_bus);
+
 	drm_dbg_kms(&dev_priv->drm, "%s DP dual mode adaptor TMDS output\n",
 		    enable ? "Enabling" : "Disabling");
 
@@ -2258,6 +2259,17 @@ int intel_hdmi_compute_config(struct int
 	return 0;
 }
 
+void intel_hdmi_encoder_shutdown(struct intel_encoder *encoder)
+{
+	struct intel_hdmi *intel_hdmi = enc_to_intel_hdmi(encoder);
+
+	/*
+	 * Give a hand to buggy BIOSen which forget to turn
+	 * the TMDS output buffers back on after a reboot.
+	 */
+	intel_dp_dual_mode_set_tmds_output(intel_hdmi, true);
+}
+
 static void
 intel_hdmi_unset_edid(struct drm_connector *connector)
 {
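
Review bot: the comment in intel_hdmi_encoder_shutdown() explains the BIOS
workaround but not the calling context. The commit message notes that the
hook runs after irqs have been disabled and that the i2c communication with
the adapter therefore has to be done via gmbus polling; that constraint
belongs in the comment too, since nothing in the function body shows it.
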
--- a/drivers/gpu/drm/i915/display/intel_hdmi.h
+++ b/drivers/gpu/drm/i915/display/intel_hdmi.h
@@ -28,6 +28,7 @@ void intel_hdmi_init_connector(struct in
 int intel_hdmi_compute_config(struct intel_encoder *encoder,
 			      struct intel_crtc_state *pipe_config,
 			      struct drm_connector_state *conn_state);
+void intel_hdmi_encoder_shutdown(struct intel_encoder *encoder);
 bool intel_hdmi_handle_sink_scrambling(struct intel_encoder *encoder,
 				       struct drm_connector *connector,
 				       bool high_tmds_clock_ratio,



* [PATCH 5.15 037/177] pinctrl: amd: Fix wakeups when IRQ is shared with SCI
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joerie de Gram, Mario Limonciello,
	Basavaraj Natikar, Linus Walleij

From: Mario Limonciello <mario.limonciello@amd.com>

commit 2d54067fcd23aae61e23508425ae5b29e973573d upstream.

On some Lenovo AMD Gen2 platforms the IRQ for the SCI and pinctrl drivers
are shared.  Due to how the s2idle loop handling works, this case needs
an extra explicit check whether the interrupt was caused by SCI or by
the GPIO controller.

To fix this rework the existing IRQ handler function to function as a
checker and an IRQ handler depending on the calling arguments.

BugLink: https://gitlab.freedesktop.org/drm/amd/-/issues/1738
Reported-by: Joerie de Gram <j.de.gram@gmail.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Acked-by: Basavaraj Natikar <Basavaraj.Natikar@amd.com>
Link: https://lore.kernel.org/r/20211101014853.6177-2-mario.limonciello@amd.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pinctrl/pinctrl-amd.c |   29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

--- a/drivers/pinctrl/pinctrl-amd.c
+++ b/drivers/pinctrl/pinctrl-amd.c
@@ -598,14 +598,14 @@ static struct irq_chip amd_gpio_irqchip
 
 #define PIN_IRQ_PENDING	(BIT(INTERRUPT_STS_OFF) | BIT(WAKE_STS_OFF))
 
-static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id)
+static bool do_amd_gpio_irq_handler(int irq, void *dev_id)
 {
 	struct amd_gpio *gpio_dev = dev_id;
 	struct gpio_chip *gc = &gpio_dev->gc;
-	irqreturn_t ret = IRQ_NONE;
 	unsigned int i, irqnr;
 	unsigned long flags;
 	u32 __iomem *regs;
+	bool ret = false;
 	u32  regval;
 	u64 status, mask;
 
@@ -627,6 +627,14 @@ static irqreturn_t amd_gpio_irq_handler(
 		/* Each status bit covers four pins */
 		for (i = 0; i < 4; i++) {
 			regval = readl(regs + i);
+			/* caused wake on resume context for shared IRQ */
+			if (irq < 0 && (regval & BIT(WAKE_STS_OFF))) {
+				dev_dbg(&gpio_dev->pdev->dev,
+					"Waking due to GPIO %d: 0x%x",
+					irqnr + i, regval);
+				return true;
+			}
+
 			if (!(regval & PIN_IRQ_PENDING) ||
 			    !(regval & BIT(INTERRUPT_MASK_OFF)))
 				continue;
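
Review bot: the new dev_dbg() format string, "Waking due to GPIO %d: 0x%x",
has no trailing newline, unlike the other dev_dbg() visible in this patch
("amd gpio driver loaded\n"). Please add "\n". irqnr and i are declared
unsigned int, so %u would also match the argument better than %d.
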
@@ -650,9 +658,12 @@ static irqreturn_t amd_gpio_irq_handler(
 			}
 			writel(regval, regs + i);
 			raw_spin_unlock_irqrestore(&gpio_dev->lock, flags);
-			ret = IRQ_HANDLED;
+			ret = true;
 		}
 	}
+	/* did not cause wake on resume context for shared IRQ */
+	if (irq < 0)
+		return false;
 
 	/* Signal EOI to the GPIO unit */
 	raw_spin_lock_irqsave(&gpio_dev->lock, flags);
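
Review bot: using irq < 0 as a mode switch means the wake check shares the
handler's side effects. As far as the visible context shows, a pin with
PIN_IRQ_PENDING and INTERRUPT_MASK_OFF set but without WAKE_STS_OFF gets
past the new early return, runs the existing handling path down to
"writel(regval, regs + i);" and "ret = true;", and then the added
"if (irq < 0) return false;" discards that result. If the checker is meant
to be read-only, skip the handling path when irq < 0; either way an
explicit bool parameter would be clearer than a negative irq number.
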
@@ -664,6 +675,16 @@ static irqreturn_t amd_gpio_irq_handler(
 	return ret;
 }
 
+static irqreturn_t amd_gpio_irq_handler(int irq, void *dev_id)
+{
+	return IRQ_RETVAL(do_amd_gpio_irq_handler(irq, dev_id));
+}
+
+static bool __maybe_unused amd_gpio_check_wake(void *dev_id)
+{
+	return do_amd_gpio_irq_handler(-1, dev_id);
+}
+
 static int amd_get_groups_count(struct pinctrl_dev *pctldev)
 {
 	struct amd_gpio *gpio_dev = pinctrl_dev_get_drvdata(pctldev);
@@ -1033,6 +1054,7 @@ static int amd_gpio_probe(struct platfor
 		goto out2;
 
 	platform_set_drvdata(pdev, gpio_dev);
+	acpi_register_wakeup_handler(gpio_dev->irq, amd_gpio_check_wake, gpio_dev);
 
 	dev_dbg(&pdev->dev, "amd gpio driver loaded\n");
 	return ret;
@@ -1050,6 +1072,7 @@ static int amd_gpio_remove(struct platfo
 	gpio_dev = platform_get_drvdata(pdev);
 
 	gpiochip_remove(&gpio_dev->gc);
+	acpi_unregister_wakeup_handler(amd_gpio_check_wake, gpio_dev);
 
 	return 0;
 }
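
Review bot: in amd_gpio_remove() the wakeup handler is unregistered only
after gpiochip_remove(&gpio_dev->gc), so amd_gpio_check_wake() stays
registered, with gpio_dev as its context, while the chip is being torn
down. Swapping the two calls would mirror the probe path, where the handler
is registered last.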



* [PATCH 5.15 038/177] arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Artem Lapkin, Heiko Stuebner, Sasha Levin

From: Artem Lapkin <email2tema@gmail.com>

[ Upstream commit 6dd0053683804427529ef3523f7872f473440a19 ]

Remove mmc-hs400-enhanced-strobe from the rk3399-khadas-edge dts to
improve compatibility with a wider range of eMMC chips.

Before (BJTD4R 29.1 GiB):

[    7.001493] mmc2: CQHCI version 5.10
[    7.027971] mmc2: SDHCI controller on fe330000.mmc [fe330000.mmc] using ADMA
.......
[    7.207086] mmc2: mmc_select_hs400es failed, error -110
[    7.207129] mmc2: error -110 whilst initialising MMC card
[    7.308893] mmc2: mmc_select_hs400es failed, error -110
[    7.308921] mmc2: error -110 whilst initialising MMC card
[    7.427524] mmc2: mmc_select_hs400es failed, error -110
[    7.427546] mmc2: error -110 whilst initialising MMC card
[    7.590993] mmc2: mmc_select_hs400es failed, error -110
[    7.591012] mmc2: error -110 whilst initialising MMC card

After:

[    6.960785] mmc2: CQHCI version 5.10
[    6.984672] mmc2: SDHCI controller on fe330000.mmc [fe330000.mmc] using ADMA
[    7.175021] mmc2: Command Queue Engine enabled
[    7.175053] mmc2: new HS400 MMC card at address 0001
[    7.175808] mmcblk2: mmc2:0001 BJTD4R 29.1 GiB
[    7.176033] mmcblk2boot0: mmc2:0001 BJTD4R 4.00 MiB
[    7.176245] mmcblk2boot1: mmc2:0001 BJTD4R 4.00 MiB
[    7.176495] mmcblk2rpmb: mmc2:0001 BJTD4R 4.00 MiB, chardev (242:0)

Fixes: c2aacceedc86 ("arm64: dts: rockchip: Add support for Khadas Edge/Edge-V/Captain boards")
Signed-off-by: Artem Lapkin <art@khadas.com>
Link: https://lore.kernel.org/r/20211115083321.2627461-1-art@khadas.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi | 1 -
 1 file changed, 1 deletion(-)

diff --git a/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
index d5c7648c841dc..f1fcc6b5b402c 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399-khadas-edge.dtsi
@@ -705,7 +705,6 @@ &sdmmc {
 &sdhci {
 	bus-width = <8>;
 	mmc-hs400-1_8v;
-	mmc-hs400-enhanced-strobe;
 	non-removable;
 	status = "okay";
 };
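
Review bot: the property is dropped from &sdhci in rk3399-khadas-edge.dtsi,
a shared include, while the log in the commit message covers a single eMMC
part (BJTD4R). A short comment in the node saying that enhanced strobe is
left out on purpose, because mmc_select_hs400es fails with error -110 on
that part, would stop the property from being added back later.
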
-- 
2.33.0




* [PATCH 5.15 039/177] arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Heiko Stuebner, Sasha Levin

From: John Keeping <john@metanate.com>

[ Upstream commit 772fb46109f635dd75db20c86b7eaf48efa46cef ]

Correct a typo in the vin-supply property.  The input supply is
always-on, so this mistake doesn't affect whether the supply is actually
enabled correctly.

Fixes: 4403e1237be3 ("arm64: dts: rockchip: Add devicetree for board roc-rk3308-cc")
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20211102182908.3409670-2-john@metanate.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
index 665b2e69455dd..ea6820902ede0 100644
--- a/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3308-roc-cc.dts
@@ -97,7 +97,7 @@ vcc_sd: vcc-sd {
 		regulator-max-microvolt = <3300000>;
 		regulator-always-on;
 		regulator-boot-on;
-		vim-supply = <&vcc_io>;
+		vin-supply = <&vcc_io>;
 	};
 
 	vdd_core: vdd-core {
-- 
2.33.0




* [PATCH 5.15 040/177] arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, Heiko Stuebner, Sasha Levin

From: John Keeping <john@metanate.com>

[ Upstream commit 2b454a90e2ccdd6e03f88f930036da4df577be76 ]

Correct a typo in the vin-supply property.  The input supply is
always-on, so this mistake doesn't affect whether the supply is actually
enabled correctly.

Fixes: fc702ed49a86 ("arm64: dts: rockchip: Add dts for Leez RK3399 P710 SBC")
Signed-off-by: John Keeping <john@metanate.com>
Link: https://lore.kernel.org/r/20211102182908.3409670-3-john@metanate.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts b/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
index 7c93f840bc64f..e890166e7fd43 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-leez-p710.dts
@@ -55,7 +55,7 @@ vcc3v3_lan: vcc3v3-lan {
 		regulator-boot-on;
 		regulator-min-microvolt = <3300000>;
 		regulator-max-microvolt = <3300000>;
-		vim-supply = <&vcc3v3_sys>;
+		vin-supply = <&vcc3v3_sys>;
 	};
 
 	vcc3v3_sys: vcc3v3-sys {
-- 
2.33.0




* [PATCH 5.15 041/177] arm64: dts: rockchip: fix audio-supply for Rock Pi 4
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alex Bee, Heiko Stuebner, Sasha Levin

From: Alex Bee <knaerzche@gmail.com>

[ Upstream commit 8240e87f16d17a9592c9d67857a3dcdbcb98f10d ]

As stated in the schematics [1] and [2] P5 the APIO5 domain is supplied
by RK808-D Buck4, which in our case is vcc1v8_codec - i.e. a 1.8 V regulator.

Currently only white noise comes from the ES8316's output, which - for
whatever reason - came up only after the correct switch from i2s0_8ch_bus
to i2s0_2ch_bus for i2s0's pinctrl was done.

Fix this by setting the correct regulator for audio-supply.

[1] https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi4_v13_sch_20181112.pdf
[2] https://dl.radxa.com/rockpi4/docs/hw/rockpi4/rockpi_4c_v12_sch_20200620.pdf

Fixes: 1b5715c602fd ("arm64: dts: rockchip: add ROCK Pi 4 DTS support")
Signed-off-by: Alex Bee <knaerzche@gmail.com>
Link: https://lore.kernel.org/r/20211027143726.165809-1-knaerzche@gmail.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
index b28888ea9262e..100a769165ef9 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
+++ b/arch/arm64/boot/dts/rockchip/rk3399-rock-pi-4.dtsi
@@ -457,7 +457,7 @@ &io_domains {
 	status = "okay";
 
 	bt656-supply = <&vcc_3v0>;
-	audio-supply = <&vcc_3v0>;
+	audio-supply = <&vcc1v8_codec>;
 	sdmmc-supply = <&vcc_sdio>;
 	gpio1830-supply = <&vcc_3v0>;
 };
-- 
2.33.0




* [PATCH 5.15 042/177] arm64: dts: rockchip: fix poweroff on helios64
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Klink, Dennis Gilmore,
	Heiko Stuebner, Sasha Levin

From: Florian Klink <flokli@flokli.de>

[ Upstream commit aef4b9a89a376a9cabe5e744729914e7766c59bb ]

Adding the rockchip,system-power-controller property here will use the
rk808 to power off the system.

Fixes: 09e006cfb43e ("arm64: dts: rockchip: Add basic support for Kobol's Helios64")
Signed-off-by: Florian Klink <flokli@flokli.de>
Tested-by: Dennis Gilmore <dgilmore@redhat.com>
Link: https://lore.kernel.org/r/20211020095926.735938-2-flokli@flokli.de
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
index 738cfd21df3ef..354f54767bad8 100644
--- a/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
+++ b/arch/arm64/boot/dts/rockchip/rk3399-kobol-helios64.dts
@@ -269,6 +269,7 @@ rk808: pmic@1b {
 		clock-output-names = "xin32k", "rk808-clkout2";
 		pinctrl-names = "default";
 		pinctrl-0 = <&pmic_int_l>;
+		rockchip,system-power-controller;
 		vcc1-supply = <&vcc5v0_sys>;
 		vcc2-supply = <&vcc5v0_sys>;
 		vcc3-supply = <&vcc5v0_sys>;
-- 
2.33.0




* [PATCH 5.15 043/177] dmaengine: idxd: add halt interrupt support
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dave Jiang, Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 88d97ea82cbe352851a8654ee952d3a694c8c2c6 ]

Add halt interrupt support. Given that the misc interrupt handler already
checks halt state, the driver just needs to run the halt handling code when
receiving the halt interrupt.

Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/163114224352.846654.14334468363464318828.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/irq.c       | 5 +++++
 drivers/dma/idxd/registers.h | 1 +
 2 files changed, 6 insertions(+)

diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
index ca88fa7a328e7..3261ea247e832 100644
--- a/drivers/dma/idxd/irq.c
+++ b/drivers/dma/idxd/irq.c
@@ -63,6 +63,9 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause)
 	int i;
 	bool err = false;
 
+	if (cause & IDXD_INTC_HALT_STATE)
+		goto halt;
+
 	if (cause & IDXD_INTC_ERR) {
 		spin_lock(&idxd->dev_lock);
 		for (i = 0; i < 4; i++)
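
Review bot: the new "goto halt" sits ahead of the IDXD_INTC_ERR block, so
when cause carries IDXD_INTC_HALT_STATE together with other bits,
everything between here and the halt label is skipped for that interrupt,
including the IDXD_INTC_ERR handling that starts on the next line. If a
halt can be reported along with an error, handle the other bits first and
branch to halt afterwards, or state in a comment that the halt bit is
always delivered alone.
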
@@ -121,6 +124,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause)
 	if (!err)
 		return 0;
 
+halt:
 	gensts.bits = ioread32(idxd->reg_base + IDXD_GENSTATS_OFFSET);
 	if (gensts.state == IDXD_DEVICE_STATE_HALT) {
 		idxd->state = IDXD_DEV_HALTED;
@@ -134,6 +138,7 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause)
 			queue_work(idxd->wq, &idxd->work);
 		} else {
 			spin_lock(&idxd->dev_lock);
+			idxd->state = IDXD_DEV_HALTED;
 			idxd_wqs_quiesce(idxd);
 			idxd_wqs_unmap_portal(idxd);
 			idxd_device_clear_state(idxd);
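
Review bot: the added "idxd->state = IDXD_DEV_HALTED;" in the else branch
repeats the assignment that the previous hunk's context shows directly
after the "gensts.state == IDXD_DEVICE_STATE_HALT" check, so unless the
lines in between change idxd->state it is redundant. This branch also calls
idxd_wqs_quiesce() with dev_lock held; patch 044 in this series moves the
spin_lock() for that reason, so the two belong together in the backport.
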
diff --git a/drivers/dma/idxd/registers.h b/drivers/dma/idxd/registers.h
index ffc7550a77eeb..97ffb06de9b0d 100644
--- a/drivers/dma/idxd/registers.h
+++ b/drivers/dma/idxd/registers.h
@@ -158,6 +158,7 @@ enum idxd_device_reset_type {
 #define IDXD_INTC_CMD			0x02
 #define IDXD_INTC_OCCUPY			0x04
 #define IDXD_INTC_PERFMON_OVFL		0x08
+#define IDXD_INTC_HALT_STATE		0x10
 
 #define IDXD_CMD_OFFSET			0xa0
 union idxd_command_reg {
-- 
2.33.0




* [PATCH 5.15 044/177] dmaengine: idxd: fix calling wq quiesce inside spinlock
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Dave Jiang,
	Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit fa51b16d05583c7aebbc06330afb50276243d198 ]

Dan reports that smatch has found idxd_wq_quiesce() is being called inside
the idxd->dev_lock. idxd_wq_quiesce() calls wait_for_completion() and
therefore it can sleep. Move the call outside of the spinlock as it does
not need device lock.

Fixes: 5b0c68c473a1 ("dmaengine: idxd: support reporting of halt interrupt")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/163716858508.1721911.15051495873516709923.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/irq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/irq.c b/drivers/dma/idxd/irq.c
index 3261ea247e832..6d6af0dc3c0ec 100644
--- a/drivers/dma/idxd/irq.c
+++ b/drivers/dma/idxd/irq.c
@@ -137,10 +137,10 @@ static int process_misc_interrupts(struct idxd_device *idxd, u32 cause)
 			INIT_WORK(&idxd->work, idxd_device_reinit);
 			queue_work(idxd->wq, &idxd->work);
 		} else {
-			spin_lock(&idxd->dev_lock);
 			idxd->state = IDXD_DEV_HALTED;
 			idxd_wqs_quiesce(idxd);
 			idxd_wqs_unmap_portal(idxd);
+			spin_lock(&idxd->dev_lock);
 			idxd_device_clear_state(idxd);
 			dev_err(&idxd->pdev->dev,
 				"idxd halted, need %s.\n",
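
Review bot: moving spin_lock(&idxd->dev_lock) below
idxd_wqs_unmap_portal() also takes the "idxd->state = IDXD_DEV_HALTED;"
store and the portal unmap out of the locked region, while the commit
message only argues that the quiesce call does not need the device lock.
If other paths read or update idxd->state under dev_lock, keep the store
inside the lock (take the lock, set the state, drop it, then quiesce);
otherwise say in the changelog that the state store and the unmap are safe
without it.
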
-- 
2.33.0




* [PATCH 5.15 045/177] mac80211: track only QoS data frames for admission control
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+614e82b88a1a4973e534,
	Johannes Berg, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit d5e568c3a4ec2ddd23e7dc5ad5b0c64e4f22981a ]

For admission control, obviously all of that only works for
QoS data frames, otherwise we cannot even access the QoS
field in the header.

Syzbot reported (see below) an uninitialized value here due
to a status of a non-QoS nullfunc packet, which isn't even
long enough to contain the QoS header.

Fix this to only do anything for QoS data packets.

Reported-by: syzbot+614e82b88a1a4973e534@syzkaller.appspotmail.com
Fixes: 02219b3abca5 ("mac80211: add WMM admission control support")
Link: https://lore.kernel.org/r/20211122124737.dad29e65902a.Ieb04587afacb27c14e0de93ec1bfbefb238cc2a0@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/mlme.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index c0ea3b1aa9e1c..dd42d83dbe33e 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -2446,11 +2446,18 @@ static void ieee80211_sta_tx_wmm_ac_notify(struct ieee80211_sub_if_data *sdata,
 					   u16 tx_time)
 {
 	struct ieee80211_if_managed *ifmgd = &sdata->u.mgd;
-	u16 tid = ieee80211_get_tid(hdr);
-	int ac = ieee80211_ac_from_tid(tid);
-	struct ieee80211_sta_tx_tspec *tx_tspec = &ifmgd->tx_tspec[ac];
+	u16 tid;
+	int ac;
+	struct ieee80211_sta_tx_tspec *tx_tspec;
 	unsigned long now = jiffies;
 
+	if (!ieee80211_is_data_qos(hdr->frame_control))
+		return;
+
+	tid = ieee80211_get_tid(hdr);
+	ac = ieee80211_ac_from_tid(tid);
+	tx_tspec = &ifmgd->tx_tspec[ac];
+
 	if (likely(!tx_tspec->admitted_time))
 		return;
 
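
Review bot: the ieee80211_is_data_qos(hdr->frame_control) guard is what
keeps ieee80211_get_tid(hdr) from reading a QoS field that a non-QoS frame
does not carry, yet nothing in the function says so. A short comment above
the check, along the lines of the commit message (a non-QoS nullfunc packet
isn't long enough to contain the QoS header), would keep someone from
folding the three assignments back into the declarations.
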
-- 
2.33.0




* [PATCH 5.15 046/177] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Arnd Bergmann, K. Y. Srinivasan, Haiyang Zhang,
	Stephen Hemminger, Wei Liu, Dexuan Cui, linux-hyperv,
	Michael Kelley, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 1dc2f2b81a6a9895da59f3915760f6c0c3074492 ]

The hyperv utilities use PTP clock interfaces and should depend on
a kconfig symbol such that they will be built as a loadable module or
builtin so that linker errors do not happen.

Prevents these build errors:

ld: drivers/hv/hv_util.o: in function `hv_timesync_deinit':
hv_util.c:(.text+0x37d): undefined reference to `ptp_clock_unregister'
ld: drivers/hv/hv_util.o: in function `hv_timesync_init':
hv_util.c:(.text+0x738): undefined reference to `ptp_clock_register'

Fixes: 3716a49a81ba ("hv_utils: implement Hyper-V PTP source")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Wei Liu <wei.liu@kernel.org>
Cc: Dexuan Cui <decui@microsoft.com>
Cc: linux-hyperv@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Reviewed-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/20211126023316.25184-1-rdunlap@infradead.org
Signed-off-by: Wei Liu <wei.liu@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hv/Kconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hv/Kconfig b/drivers/hv/Kconfig
index d1123ceb38f3f..9a074cbdef78c 100644
--- a/drivers/hv/Kconfig
+++ b/drivers/hv/Kconfig
@@ -18,6 +18,7 @@ config HYPERV_TIMER
 config HYPERV_UTILS
 	tristate "Microsoft Hyper-V Utilities driver"
 	depends on HYPERV && CONNECTOR && NLS
+	depends on PTP_1588_CLOCK_OPTIONAL
 	help
 	  Select this option to enable the Hyper-V Utilities.
 
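
Review bot: the subject line names PTP_1588_CLOCK, but the added line depends on `PTP_1588_CLOCK_OPTIONAL`, and nothing in the Kconfig entry explains the difference. For a stable backport, confirm that `PTP_1588_CLOCK_OPTIONAL` is defined in the 5.15.y tree, because a `depends on` an undefined symbol makes HYPERV_UTILS unselectable without any build error. A short comment above the new line saying that hv_util calls ptp_clock_register() and ptp_clock_unregister() would also help.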
-- 
2.33.0





* [PATCH 5.15 047/177] tee: amdtee: fix an IS_ERR() vs NULL bug
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 046/177] hv: utils: add PTP_1588_CLOCK to Kconfig to fix build Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 048/177] ceph: fix duplicate increment of opened_inodes metric Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Rijo Thomas,
	Jens Wiklander, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 9d7482771fac8d8e38e763263f2ca0ca12dd22c6 ]

The __get_free_pages() function does not return error pointers, it returns
NULL, so fix this condition to avoid a NULL dereference.

Fixes: 757cc3e9ff1d ("tee: add AMD-TEE driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tee/amdtee/core.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/tee/amdtee/core.c b/drivers/tee/amdtee/core.c
index da6b88e80dc07..297dc62bca298 100644
--- a/drivers/tee/amdtee/core.c
+++ b/drivers/tee/amdtee/core.c
@@ -203,9 +203,8 @@ static int copy_ta_binary(struct tee_context *ctx, void *ptr, void **ta,
 
 	*ta_size = roundup(fw->size, PAGE_SIZE);
 	*ta = (void *)__get_free_pages(GFP_KERNEL, get_order(*ta_size));
-	if (IS_ERR(*ta)) {
-		pr_err("%s: get_free_pages failed 0x%llx\n", __func__,
-		       (u64)*ta);
+	if (!*ta) {
+		pr_err("%s: get_free_pages failed\n", __func__);
 		rc = -ENOMEM;
 		goto rel_fw;
 	}
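
Review bot: on the new `if (!*ta)` failure path, `*ta_size` has already been overwritten with the rounded-up size two lines earlier, so the caller is left with a non-zero size next to a NULL `*ta`. Consider computing the size into a local and storing it to `*ta_size` only after the allocation succeeds, or clearing it before `goto rel_fw`. The `pr_err()` is also optional here, since a failed GFP_KERNEL page allocation already produces an allocator warning.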
-- 
2.33.0





* [PATCH 5.15 048/177] ceph: fix duplicate increment of opened_inodes metric
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 047/177] tee: amdtee: fix an IS_ERR() vs NULL bug Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 049/177] ceph: initialize pathlen variable in reconnect_caps_cb Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hu Weiwen, Xiubo Li, Ilya Dryomov,
	Sasha Levin

From: Hu Weiwen <sehuww@mail.scut.edu.cn>

[ Upstream commit 973e5245637accc4002843f6b888495a6a7762bc ]

opened_inodes is incremented twice when the same inode is opened twice
with O_RDONLY and O_WRONLY respectively.

To reproduce, run this python script, then check the metrics:

import os
for _ in range(10000):
    fd_r = os.open('a', os.O_RDONLY)
    fd_w = os.open('a', os.O_WRONLY)
    os.close(fd_r)
    os.close(fd_w)

Fixes: 1dd8d4708136 ("ceph: metrics for opened files, pinned caps and opened inodes")
Signed-off-by: Hu Weiwen <sehuww@mail.scut.edu.cn>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/caps.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 8f537f1d9d1d3..8be4da2e2b826 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -4349,7 +4349,7 @@ void ceph_get_fmode(struct ceph_inode_info *ci, int fmode, int count)
 {
 	struct ceph_mds_client *mdsc = ceph_sb_to_mdsc(ci->vfs_inode.i_sb);
 	int bits = (fmode << 1) | 1;
-	bool is_opened = false;
+	bool already_opened = false;
 	int i;
 
 	if (count == 1)
@@ -4357,19 +4357,19 @@ void ceph_get_fmode(struct ceph_inode_info *ci, int fmode, int count)
 
 	spin_lock(&ci->i_ceph_lock);
 	for (i = 0; i < CEPH_FILE_MODE_BITS; i++) {
-		if (bits & (1 << i))
-			ci->i_nr_by_mode[i] += count;
-
 		/*
-		 * If any of the mode ref is larger than 1,
+		 * If any of the mode ref is larger than 0,
 		 * that means it has been already opened by
 		 * others. Just skip checking the PIN ref.
 		 */
-		if (i && ci->i_nr_by_mode[i] > 1)
-			is_opened = true;
+		if (i && ci->i_nr_by_mode[i])
+			already_opened = true;
+
+		if (bits & (1 << i))
+			ci->i_nr_by_mode[i] += count;
 	}
 
-	if (!is_opened)
+	if (!already_opened)
 		percpu_counter_inc(&mdsc->metric.opened_inodes);
 	spin_unlock(&ci->i_ceph_lock);
 }
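
Review bot: `already_opened` is computed only from the non-PIN slots (`i && ci->i_nr_by_mode[i]`), so a call whose `bits` holds just the PIN bit (fmode 0 gives `bits == 1`) never causes a later call to see the inode as opened, and each such call reaches `percpu_counter_inc()`. If PIN-only callers exist, gate the increment on `bits` containing a non-PIN mode; if they cannot exist, the block comment should say so. The matching decrement path is not part of this patch, so confirm it uses the same "any non-PIN ref" test.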
-- 
2.33.0





* [PATCH 5.15 049/177] ceph: initialize pathlen variable in reconnect_caps_cb
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 048/177] ceph: fix duplicate increment of opened_inodes metric Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 050/177] ARM: socfpga: dts: fix qspi node compatible Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Xiubo Li, Jeff Layton,
	Ilya Dryomov, Sasha Levin

From: Xiubo Li <xiubli@redhat.com>

[ Upstream commit ee2a095d3b24f300a5e11944d208801e928f108c ]

The smatch static checker warned about an uninitialized symbol usage in
this function, in the case where ceph_mdsc_build_path returns an error.

It turns out that that case is harmless, but it just looks sketchy.
Initialize the variable at declaration time, and remove the unneeded
setting of it later.

Fixes: a33f6432b3a6 ("ceph: encode inodes' parent/d_name in cap reconnect message")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/mds_client.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index d64413adc0fd2..e9409c460acd0 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -3772,7 +3772,7 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap,
 	struct ceph_pagelist *pagelist = recon_state->pagelist;
 	struct dentry *dentry;
 	char *path;
-	int pathlen, err;
+	int pathlen = 0, err;
 	u64 pathbase;
 	u64 snap_follows;
 
@@ -3792,7 +3792,6 @@ static int reconnect_caps_cb(struct inode *inode, struct ceph_cap *cap,
 		}
 	} else {
 		path = NULL;
-		pathlen = 0;
 		pathbase = 0;
 	}
 
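
Review bot: dropping `pathlen = 0;` from the else branch leaves `path = NULL;` and `pathbase = 0;` there, so three related variables are now initialized in two different places. Either initialize all three at declaration, or keep the branch assignment and set `pathlen` on the error path that smatch flagged. A blanket initializer at declaration also hides any future genuinely uninitialized use from the checker.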
-- 
2.33.0





* [PATCH 5.15 050/177] ARM: socfpga: dts: fix qspi node compatible
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 049/177] ceph: initialize pathlen variable in reconnect_caps_cb Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 051/177] arm64: dts: imx8mq: remove interconnect property from lcdif Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dinh Nguyen, Sasha Levin

From: Dinh Nguyen <dinguyen@kernel.org>

[ Upstream commit cb25b11943cbcc5a34531129952870420f8be858 ]

The QSPI flash node needs to have the required "jedec,spi-nor" in the
compatible string.

Fixes: 1df99da8953 ("ARM: dts: socfpga: Enable QSPI in Arria10 devkit")
Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts   | 2 +-
 arch/arm/boot/dts/socfpga_arria5_socdk.dts         | 2 +-
 arch/arm/boot/dts/socfpga_cyclone5_socdk.dts       | 2 +-
 arch/arm/boot/dts/socfpga_cyclone5_sockit.dts      | 2 +-
 arch/arm/boot/dts/socfpga_cyclone5_socrates.dts    | 2 +-
 arch/arm/boot/dts/socfpga_cyclone5_sodia.dts       | 2 +-
 arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts | 4 ++--
 7 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts b/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
index 2b645642b9352..2a745522404d6 100644
--- a/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
+++ b/arch/arm/boot/dts/socfpga_arria10_socdk_qspi.dts
@@ -12,7 +12,7 @@ &qspi {
 	flash0: n25q00@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q00aa";
+		compatible = "micron,mt25qu02g", "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <100000000>;
 
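
Review bot: the commit message only mentions adding "jedec,spi-nor", but the replacement line also renames the part from "n25q00aa" to "micron,mt25qu02g". The changelog should say why the part name changes and whether anything in 5.15.y still matches on the old string.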
diff --git a/arch/arm/boot/dts/socfpga_arria5_socdk.dts b/arch/arm/boot/dts/socfpga_arria5_socdk.dts
index 90e676e7019f2..1b02d46496a85 100644
--- a/arch/arm/boot/dts/socfpga_arria5_socdk.dts
+++ b/arch/arm/boot/dts/socfpga_arria5_socdk.dts
@@ -119,7 +119,7 @@ &qspi {
 	flash: flash@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q256a";
+		compatible = "micron,n25q256a", "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <100000000>;
 
diff --git a/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts b/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
index 6f138b2b26163..51bb436784e24 100644
--- a/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
+++ b/arch/arm/boot/dts/socfpga_cyclone5_socdk.dts
@@ -124,7 +124,7 @@ &qspi {
 	flash0: n25q00@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q00";
+		compatible = "micron,mt25qu02g", "jedec,spi-nor";
 		reg = <0>;	/* chip select */
 		spi-max-frequency = <100000000>;
 
diff --git a/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts b/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
index c155ff02eb6e0..cae9ddd5ed38b 100644
--- a/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
+++ b/arch/arm/boot/dts/socfpga_cyclone5_sockit.dts
@@ -169,7 +169,7 @@ &qspi {
 	flash: flash@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q00";
+		compatible = "micron,mt25qu02g", "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <100000000>;
 
diff --git a/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts b/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
index 8d5d3996f6f27..ca18b959e6559 100644
--- a/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
+++ b/arch/arm/boot/dts/socfpga_cyclone5_socrates.dts
@@ -80,7 +80,7 @@ &qspi {
 	flash: flash@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q256a";
+		compatible = "micron,n25q256a", "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <100000000>;
 		m25p,fast-read;
diff --git a/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts b/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
index 99a71757cdf46..3f7aa7bf0863a 100644
--- a/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
+++ b/arch/arm/boot/dts/socfpga_cyclone5_sodia.dts
@@ -116,7 +116,7 @@ &qspi {
 	flash0: n25q512a@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q512a";
+		compatible = "micron,n25q512a", "jedec,spi-nor";
 		reg = <0>;
 		spi-max-frequency = <100000000>;
 
diff --git a/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts b/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
index a060718758b67..25874e1b9c829 100644
--- a/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
+++ b/arch/arm/boot/dts/socfpga_cyclone5_vining_fpga.dts
@@ -224,7 +224,7 @@ &qspi {
 	n25q128@0 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q128";
+		compatible = "micron,n25q128", "jedec,spi-nor";
 		reg = <0>;		/* chip select */
 		spi-max-frequency = <100000000>;
 		m25p,fast-read;
@@ -241,7 +241,7 @@ n25q128@0 {
 	n25q00@1 {
 		#address-cells = <1>;
 		#size-cells = <1>;
-		compatible = "n25q00";
+		compatible = "micron,mt25qu02g", "jedec,spi-nor";
 		reg = <1>;		/* chip select */
 		spi-max-frequency = <100000000>;
 		m25p,fast-read;
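
Review bot: the node is still named `n25q00@1` while its compatible now says "micron,mt25qu02g", so the node name and the part string disagree. Renaming this node and `n25q128@0` to the generic `flash@N` form, which the arria5 and sockit files in this patch already use as `flash@0`, would remove the mismatch, provided a node rename is acceptable in a stable backport.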
-- 
2.33.0





* [PATCH 5.15 051/177] arm64: dts: imx8mq: remove interconnect property from lcdif
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 050/177] ARM: socfpga: dts: fix qspi node compatible Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 052/177] clk: Dont parent clks until the parent is fully registered Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Kepplinger, Shawn Guo, Sasha Levin

From: Martin Kepplinger <martin.kepplinger@puri.sm>

[ Upstream commit e5e6268f77badf18bd6ab435364cfe21c7396c31 ]

The mxsfb driver handling imx8mq lcdif doesn't yet request the
interconnect bandwidth that's needed at runtime when the description is
present in the DT node.

So remove that description and bring it back when it's supported.

Fixes: ad1abc8a03fd ("arm64: dts: imx8mq: Add interconnect for lcdif")
Signed-off-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/freescale/imx8mq.dtsi | 2 --
 1 file changed, 2 deletions(-)

diff --git a/arch/arm64/boot/dts/freescale/imx8mq.dtsi b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
index 4066b16126552..2bc57d8f29c7f 100644
--- a/arch/arm64/boot/dts/freescale/imx8mq.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mq.dtsi
@@ -524,8 +524,6 @@ lcdif: lcd-controller@30320000 {
 						  <&clk IMX8MQ_VIDEO_PLL1>,
 						  <&clk IMX8MQ_VIDEO_PLL1_OUT>;
 				assigned-clock-rates = <0>, <0>, <0>, <594000000>;
-				interconnects = <&noc IMX8MQ_ICM_LCDIF &noc IMX8MQ_ICS_DRAM>;
-				interconnect-names = "dram";
 				status = "disabled";
 
 				port@0 {
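
Review bot: the removed `interconnects` and `interconnect-names` lines describe hardware, yet the stated reason for removing them is a missing driver feature. Since the plan is to bring them back, leave a short comment at this spot in the lcdif node so the omission is not taken for an oversight. The changelog should also state what breaks at runtime while the properties are present, which it currently leaves implicit.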
-- 
2.33.0





* [PATCH 5.15 052/177] clk: Dont parent clks until the parent is fully registered
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 051/177] arm64: dts: imx8mq: remove interconnect property from lcdif Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 053/177] soc: imx: Register SoC device only on i.MX boards Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mike Tipton, Stephen Boyd, Sasha Levin

From: Mike Tipton <quic_mdtipton@quicinc.com>

[ Upstream commit 54baf56eaa40aa5cdcd02b3c20d593e4e1211220 ]

Before commit fc0c209c147f ("clk: Allow parents to be specified without
string names") child clks couldn't find their parent until the parent
clk was added to a list in __clk_core_init(). After that commit, child
clks can reference their parent clks directly via a clk_hw pointer, or
they can lookup that clk_hw pointer via DT if the parent clk is
registered with an OF clk provider.

The common clk framework treats hw->core being non-NULL as "the clk is
registered" per the logic within clk_core_fill_parent_index():

	parent = entry->hw->core;
	/*
	 * We have a direct reference but it isn't registered yet?
	 * Orphan it and let clk_reparent() update the orphan status
	 * when the parent is registered.
	 */
	if (!parent)

Therefore we need to be extra careful to not set hw->core until the clk
is fully registered with the clk framework. Otherwise we can get into a
situation where a child finds a parent clk and we move the child clk off
the orphan list when the parent isn't actually registered, wrecking our
enable accounting and breaking critical clks.

Consider the following scenario:

  CPU0                                     CPU1
  ----                                     ----
  struct clk_hw clkBad;
  struct clk_hw clkA;

  clkA.init.parent_hws = { &clkBad };

  clk_hw_register(&clkA)                   clk_hw_register(&clkBad)
   ...                                      __clk_register()
					     hw->core = core
					     ...
   __clk_register()
    __clk_core_init()
     clk_prepare_lock()
     __clk_init_parent()
      clk_core_get_parent_by_index()
       clk_core_fill_parent_index()
        if (entry->hw) {
	 parent = entry->hw->core;

At this point, 'parent' points to clkBad even though clkBad hasn't been
fully registered yet. Ouch! A similar problem can happen if a clk
controller registers orphan clks that are referenced in the DT node of
another clk controller.

Let's fix all this by only setting the hw->core pointer underneath the
clk prepare lock in __clk_core_init(). This way we know that
clk_core_fill_parent_index() can't see hw->core be non-NULL until the
clk is fully registered.

Fixes: fc0c209c147f ("clk: Allow parents to be specified without string names")
Signed-off-by: Mike Tipton <quic_mdtipton@quicinc.com>
Link: https://lore.kernel.org/r/20211109043438.4639-1-quic_mdtipton@quicinc.com
[sboyd@kernel.org: Reword commit text, update comment]
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/clk.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/drivers/clk/clk.c b/drivers/clk/clk.c
index 65508eb89ec99..a277fd4f2f0a6 100644
--- a/drivers/clk/clk.c
+++ b/drivers/clk/clk.c
@@ -3415,6 +3415,14 @@ static int __clk_core_init(struct clk_core *core)
 
 	clk_prepare_lock();
 
+	/*
+	 * Set hw->core after grabbing the prepare_lock to synchronize with
+	 * callers of clk_core_fill_parent_index() where we treat hw->core
+	 * being NULL as the clk not being registered yet. This is crucial so
+	 * that clks aren't parented until their parent is fully registered.
+	 */
+	core->hw->core = core;
+
 	ret = clk_pm_runtime_get(core);
 	if (ret)
 		goto unlock;
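
Review bot: the new store `core->hw->core = core;` is only safe if every reader that treats a NULL `hw->core` as "not registered" runs with the prepare lock held, which the comment asserts but nothing enforces. A `lockdep_assert_held(&prepare_lock)` in clk_core_fill_parent_index() would turn that assumption into a check.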
@@ -3579,8 +3587,10 @@ static int __clk_core_init(struct clk_core *core)
 out:
 	clk_pm_runtime_put(core);
 unlock:
-	if (ret)
+	if (ret) {
 		hlist_del_init(&core->child_node);
+		core->hw->core = NULL;
+	}
 
 	clk_prepare_unlock();
 
@@ -3844,7 +3854,6 @@ __clk_register(struct device *dev, struct device_node *np, struct clk_hw *hw)
 	core->num_parents = init->num_parents;
 	core->min_rate = 0;
 	core->max_rate = ULONG_MAX;
-	hw->core = core;
 
 	ret = clk_core_populate_parent_map(core, init);
 	if (ret)
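
Review bot: with `hw->core = core;` removed here, `hw->core` stays NULL for the rest of __clk_register() until __clk_core_init() takes the prepare lock, so every use of `hw->core` in between has to be converted. The next hunk converts `clk_core_link_consumer(hw->core, hw->clk)`. `clk_core_populate_parent_map()` and the code leading to `fail_create_clk` should be audited for the same pattern, and the result noted in the changelog.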
@@ -3862,7 +3871,7 @@ __clk_register(struct device *dev, struct device_node *np, struct clk_hw *hw)
 		goto fail_create_clk;
 	}
 
-	clk_core_link_consumer(hw->core, hw->clk);
+	clk_core_link_consumer(core, hw->clk);
 
 	ret = __clk_core_init(core);
 	if (!ret)
-- 
2.33.0





* [PATCH 5.15 053/177] soc: imx: Register SoC device only on i.MX boards
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 052/177] clk: Dont parent clks until the parent is fully registered Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 054/177] iwlwifi: mvm: dont crash on invalid rate w/o STA Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peng Fan, Arnd Bergmann,
	Stephan Gerhold, Fabio Estevam, Shawn Guo, Sasha Levin

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit 4ebd29f91629e69da7d57390cdc953772eee03ab ]

At the moment, using the ARM32 multi_v7_defconfig always results in two
SoCs being exposed in sysfs. This is wrong, as far as I'm aware the
Qualcomm DragonBoard 410c does not actually make use of an i.MX SoC. :)

  qcom-db410c:/sys/devices/soc0$ grep . *
  family:Freescale i.MX
  machine:Qualcomm Technologies, Inc. APQ 8016 SBC
  revision:0.0
  serial_number:0000000000000000
  soc_id:Unknown

  qcom-db410c:/sys/devices/soc1$ grep . *
  family:Snapdragon
  machine:APQ8016
  ...

This happens because imx_soc_device_init() registers the soc device
unconditionally, even when running on devices that do not make use of i.MX.
Arnd already reported this more than a year ago and even suggested a fix
similar to this commit, but for some reason it was never submitted.

Fix it by checking if the "__mxc_cpu_type" variable was actually
initialized by earlier platform code. On devices without i.MX it will
simply stay 0.

Cc: Peng Fan <peng.fan@nxp.com>
Fixes: d2199b34871b ("ARM: imx: use device_initcall for imx_soc_device_init")
Reported-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/CAK8P3a0hxO1TmK6oOMQ70AHSWJnP_CAq57YMOutrxkSYNjFeuw@mail.gmail.com/
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Fabio Estevam <festevam@gmail.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/imx/soc-imx.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/soc/imx/soc-imx.c b/drivers/soc/imx/soc-imx.c
index ac6d856ba228d..77bc12039c3d4 100644
--- a/drivers/soc/imx/soc-imx.c
+++ b/drivers/soc/imx/soc-imx.c
@@ -36,6 +36,10 @@ static int __init imx_soc_device_init(void)
 	int ret;
 	int i;
 
+	/* Return early if this is running on devices with different SoCs */
+	if (!__mxc_cpu_type)
+		return 0;
+
 	if (of_machine_is_compatible("fsl,ls1021a"))
 		return 0;
 
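
Review bot: the early return relies on `__mxc_cpu_type` being 0 exactly when no i.MX platform code has run, and the one-line comment does not state that invariant. Spell it out in the comment (0 means the variable was never set by platform code). Also confirm that no supported i.MX part legitimately reports type 0 and that the variable is always set before this initcall runs, otherwise real i.MX boards lose their soc device.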
-- 
2.33.0





* [PATCH 5.15 054/177] iwlwifi: mvm: dont crash on invalid rate w/o STA
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 053/177] soc: imx: Register SoC device only on i.MX boards Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 055/177] virtio: always enter drivers/virtio/ Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho,
	Kalle Valo, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit d599f714b73e4177dfdfe64fce09175568288ee9 ]

If we get to the WARN_ONCE(..., "Got a HT rate (...)", ...)
here with a NULL sta, then we crash because mvmsta is bad
and we try to dereference it. Fix that by printing -1 as the
state if no station was given.

Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Fixes: 6761a718263a ("iwlwifi: mvm: add explicit check for non-data frames in get Tx rate")
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/iwlwifi.20211203140410.1a1541d7dcb5.I606c746e11447fe168cf046376b70b04e278c3b4@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 0a13c2bda2eed..06fbd9ab37dfe 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -268,17 +268,18 @@ static u32 iwl_mvm_get_tx_rate(struct iwl_mvm *mvm,
 	int rate_idx = -1;
 	u8 rate_plcp;
 	u32 rate_flags = 0;
-	struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
 
 	/* info->control is only relevant for non HW rate control */
 	if (!ieee80211_hw_check(mvm->hw, HAS_RATE_CONTROL)) {
+		struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
 		/* HT rate doesn't make sense for a non data frame */
 		WARN_ONCE(info->control.rates[0].flags & IEEE80211_TX_RC_MCS &&
 			  !ieee80211_is_data(fc),
 			  "Got a HT rate (flags:0x%x/mcs:%d/fc:0x%x/state:%d) for a non data frame\n",
 			  info->control.rates[0].flags,
 			  info->control.rates[0].idx,
-			  le16_to_cpu(fc), mvmsta->sta_state);
+			  le16_to_cpu(fc), sta ? mvmsta->sta_state : -1);
 
 		rate_idx = info->control.rates[0].idx;
 	}
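
Review bot: `iwl_mvm_sta_from_mac80211(sta)` is still evaluated with a NULL `sta` inside the block, and only the later `sta ? mvmsta->sta_state : -1` avoids using the result, so correctness depends on the helper not dereferencing its argument. Initializing with `sta ? iwl_mvm_sta_from_mac80211(sta) : NULL` and testing `mvmsta` in the WARN_ONCE() arguments would make the NULL handling explicit.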
-- 
2.33.0





* [PATCH 5.15 055/177] virtio: always enter drivers/virtio/
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 054/177] iwlwifi: mvm: dont crash on invalid rate w/o STA Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 056/177] virtio/vsock: fix the transport to work with VMADDR_CID_ANY Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Michael S. Tsirkin,
	Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 27d9839f17940e8edc475df616bbd9cf7ede8d05 ]

When neither VIRTIO_PCI_LIB nor VIRTIO are enabled, but the alibaba
vdpa driver is, the kernel runs into a link error because the legacy
virtio module never gets built:

x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_features':
eni_vdpa.c:(.text+0x23f): undefined reference to `vp_legacy_set_features'
x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_state':
eni_vdpa.c:(.text+0x2fe): undefined reference to `vp_legacy_get_queue_enable'
x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_address':
eni_vdpa.c:(.text+0x376): undefined reference to `vp_legacy_set_queue_address'
x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_set_vq_ready':
eni_vdpa.c:(.text+0x3b4): undefined reference to `vp_legacy_set_queue_address'
x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_free_irq':
eni_vdpa.c:(.text+0x460): undefined reference to `vp_legacy_queue_vector'
x86_64-linux-ld: eni_vdpa.c:(.text+0x4b7): undefined reference to `vp_legacy_config_vector'
x86_64-linux-ld: drivers/vdpa/alibaba/eni_vdpa.o: in function `eni_vdpa_reset':

When VIRTIO_PCI_LIB was added, it was correctly added to drivers/Makefile
as well, but for the legacy module, this is missing.  Solve this by always
entering drivers/virtio during the build and letting its Makefile take
care of the individual options, rather than having a separate line for
each sub-option.

Fixes: 64b9f64f80a6 ("vdpa: introduce virtio pci driver")
Fixes: e85087beedca ("eni_vdpa: add vDPA driver for Alibaba ENI")
Fixes: d89c8169bd70 ("virtio-pci: introduce legacy device module")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20211206085034.2836099-1-arnd@kernel.org
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/Makefile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/drivers/Makefile b/drivers/Makefile
index be5d40ae14882..a110338c860c7 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -41,8 +41,7 @@ obj-$(CONFIG_DMADEVICES)	+= dma/
 # SOC specific infrastructure drivers.
 obj-y				+= soc/
 
-obj-$(CONFIG_VIRTIO)		+= virtio/
-obj-$(CONFIG_VIRTIO_PCI_LIB)	+= virtio/
+obj-y				+= virtio/
 obj-$(CONFIG_VDPA)		+= vdpa/
 obj-$(CONFIG_XEN)		+= xen/
 
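
Review bot: `obj-y += virtio/` now enters the directory unconditionally while the neighbouring `vdpa/` and `xen/` lines stay config-gated, and the Makefile gives no hint why. A one-line comment saying that drivers/virtio/Makefile gates each object itself would keep someone from changing this back to `obj-$(CONFIG_VIRTIO)`. The hunk is also only correct if every object in that Makefile sits under a CONFIG_ symbol, which is worth confirming for 5.15.y.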
-- 
2.33.0





* [PATCH 5.15 056/177] virtio/vsock: fix the transport to work with VMADDR_CID_ANY
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 055/177] virtio: always enter drivers/virtio/ Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 057/177] vdpa: Consider device id larger than 31 Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wei Wang, Michael S. Tsirkin,
	Stefano Garzarella, Sasha Levin

From: Wei Wang <wei.w.wang@intel.com>

[ Upstream commit 1db8f5fc2e5c66a5c51e1f6488e0ba7d45c29ae4 ]

The VMADDR_CID_ANY flag used by a socket means that the socket isn't bound
to any specific CID. For example, a host vsock server may want to be bound
with VMADDR_CID_ANY, so that a guest vsock client can connect to the host
server with CID=VMADDR_CID_HOST (i.e. 2), and meanwhile, a host vsock
client can connect to the same local server with CID=VMADDR_CID_LOCAL
(i.e. 1).

The current implementation sets the destination socket's svm_cid to a
fixed CID value after the first client's connection, which isn't an
expected operation. For example, if the guest client first connects to the
host server, the server's svm_cid gets set to VMADDR_CID_HOST, then other
host clients won't be able to connect to the server anymore.

Reproduce steps:
1. Run the host server:
   socat VSOCK-LISTEN:1234,fork -
2. Run a guest client to connect to the host server:
   socat - VSOCK-CONNECT:2:1234
3. Run a host client to connect to the host server:
   socat - VSOCK-CONNECT:1:1234

Without this patch, step 3. above fails to connect, and socat complains
"socat[1720] E connect(5, AF=40 cid:1 port:1234, 16): Connection
reset by peer".
With this patch, the above works well.

Fixes: c0cfa2d8a788 ("vsock: add multi-transports support")
Signed-off-by: Wei Wang <wei.w.wang@intel.com>
Link: https://lore.kernel.org/r/20211126011823.1760-1-wei.w.wang@intel.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/virtio_transport_common.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index 59ee1be5a6dd3..ec2c2afbf0d06 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -1299,7 +1299,8 @@ void virtio_transport_recv_pkt(struct virtio_transport *t,
 	space_available = virtio_transport_space_update(sk, pkt);
 
 	/* Update CID in case it has changed after a transport reset event */
-	vsk->local_addr.svm_cid = dst.svm_cid;
+	if (vsk->local_addr.svm_cid != VMADDR_CID_ANY)
+		vsk->local_addr.svm_cid = dst.svm_cid;
 
 	if (space_available)
 		sk->sk_write_space(sk);
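
Review bot: the comment above the new `if` still reads as though the CID is always updated. It should say that a socket bound with VMADDR_CID_ANY is deliberately left alone so that it keeps accepting connections addressed to any local CID, which is the whole point of the added condition.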
-- 
2.33.0





* [PATCH 5.15 057/177] vdpa: Consider device id larger than 31
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 056/177] virtio/vsock: fix the transport to work with VMADDR_CID_ANY Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 058/177] Revert "drm/fb-helper: improve DRM fbdev emulation device names" Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
	Parav Pandit, Jason Wang, Michael S. Tsirkin, Sasha Levin

From: Parav Pandit <parav@nvidia.com>

[ Upstream commit bb47620be322c5e9e372536cb6b54e17b3a00258 ]

virtio device id value can be more than 31. Hence, use BIT_ULL in
assignment.

Fixes: 33b347503f01 ("vdpa: Define vdpa mgmt device, ops and a netlink interface")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Parav Pandit <parav@nvidia.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20211130042949.88958-1-parav@nvidia.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/vdpa/vdpa.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/vdpa/vdpa.c b/drivers/vdpa/vdpa.c
index 1dc121a07a934..12bf3d16a40ff 100644
--- a/drivers/vdpa/vdpa.c
+++ b/drivers/vdpa/vdpa.c
@@ -353,7 +353,8 @@ static int vdpa_mgmtdev_fill(const struct vdpa_mgmt_dev *mdev, struct sk_buff *m
 		goto msg_err;
 
 	while (mdev->id_table[i].device) {
-		supported_classes |= BIT(mdev->id_table[i].device);
+		if (mdev->id_table[i].device <= 63)
+			supported_classes |= BIT_ULL(mdev->id_table[i].device);
 		i++;
 	}
 
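Review bot: in the while loop, the `<= 63` bound is a bare literal and any id_table entry above it is now skipped without a trace. Derive the limit from the width of supported_classes (its declaration is not in this hunk) or add a comment, and consider a one-time warning for skipped ids so that a management device with a higher id does not simply show up with that class missing from the netlink reply. The commit message mentions only the switch to BIT_ULL, not the new range check.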
-- 
2.33.0





* [PATCH 5.15 058/177] Revert "drm/fb-helper: improve DRM fbdev emulation device names"
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 057/177] vdpa: Consider device id larger than 31 Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 059/177] selftests: net: Correct ping6 expected rc from 2 to 1 Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Stezenbach,
	Javier Martinez Canillas, Ville Syrjälä,
	Sasha Levin

From: Javier Martinez Canillas <javierm@redhat.com>

[ Upstream commit 842470c4e211f284a224842849b1fa81b130c154 ]

This reverts commit b3484d2b03e4c940a9598aa841a52d69729c582a.

That change attempted to improve the DRM drivers fbdev emulation device
names to avoid having confusing names like "simpledrmdrmfb" in /proc/fb.

But unfortunately, there are user-space programs such as pm-utils that
match against the fbdev names and so broke after the mentioned commit.

Since the names in /proc/fb are used by tools that consider it a uAPI,
let's restore the old names even when this leads to silly names like the
one mentioned above.

Fixes: b3484d2b03e4 ("drm/fb-helper: improve DRM fbdev emulation device names")
Reported-by: Johannes Stezenbach <js@sig21.net>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211020165740.3011927-1-javierm@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_fb_helper.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_fb_helper.c b/drivers/gpu/drm/drm_fb_helper.c
index 8e7a124d6c5a3..22bf690910b25 100644
--- a/drivers/gpu/drm/drm_fb_helper.c
+++ b/drivers/gpu/drm/drm_fb_helper.c
@@ -1743,7 +1743,13 @@ void drm_fb_helper_fill_info(struct fb_info *info,
 			       sizes->fb_width, sizes->fb_height);
 
 	info->par = fb_helper;
-	snprintf(info->fix.id, sizeof(info->fix.id), "%s",
+	/*
+	 * The DRM drivers fbdev emulation device name can be confusing if the
+	 * driver name also has a "drm" suffix on it. Leading to names such as
+	 * "simpledrmdrmfb" in /proc/fb. Unfortunately, it's an uAPI and can't
+	 * be changed due user-space tools (e.g: pm-utils) matching against it.
+	 */
+	snprintf(info->fix.id, sizeof(info->fix.id), "%sdrmfb",
 		 fb_helper->dev->driver->name);
 
 }
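Review bot: the restored snprintf() into info->fix.id appends "drmfb" to the driver name and is bounded by sizeof(info->fix.id), so a long driver name silently truncates the suffix. Since the new comment declares this string uAPI that tools match against, it would help to state there whether truncated names are part of that contract. The comment also needs a wording pass: "due user-space tools" should read "due to user-space tools", and "on it. Leading to" is a sentence fragment.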
-- 
2.33.0





* [PATCH 5.15 059/177] selftests: net: Correct ping6 expected rc from 2 to 1
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 058/177] Revert "drm/fb-helper: improve DRM fbdev emulation device names" Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 060/177] s390/kexec_file: fix error handling when applying relocations Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, David Ahern,
	Jie2x Zhou, Jakub Kicinski, Sasha Levin

From: Jie2x Zhou <jie2x.zhou@intel.com>

[ Upstream commit 92816e2629808726af015c7f5b14adc8e4f8b147 ]

./fcnal-test.sh -v -t ipv6_ping
TEST: ping out, VRF bind - ns-B IPv6 LLA                                      [FAIL]
TEST: ping out, VRF bind - multicast IP                                       [FAIL]

ping6 is failing as it should.
COMMAND: ip netns exec ns-A /bin/ping6 -c1 -w1 fe80::7c4c:bcff:fe66:a63a%red
strace of ping6 shows it is failing with '1',
so change the expected rc from 2 to 1.

Fixes: c0644e71df33 ("selftests: Add ipv6 ping tests to fcnal-test")
Reported-by: kernel test robot <lkp@intel.com>
Suggested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jie2x Zhou <jie2x.zhou@intel.com>
Link: https://lore.kernel.org/r/20211209020230.37270-1-jie2x.zhou@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/fcnal-test.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 7f5b265fcb905..966787c2f9f0f 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -2191,7 +2191,7 @@ ipv6_ping_vrf()
 		log_start
 		show_hint "Fails since VRF device does not support linklocal or multicast"
 		run_cmd ${ping6} -c1 -w1 ${a}
-		log_test_addr ${a} $? 2 "ping out, VRF bind"
+		log_test_addr ${a} $? 1 "ping out, VRF bind"
 	done
 
 	for a in ${NSB_IP6} ${NSB_LO_IP6} ${NSB_LINKIP6}%${NSA_DEV} ${MCAST}%${NSA_DEV}
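Review bot: in ipv6_ping_vrf() the expected status passed to log_test_addr is a bare 1 that replaces a bare 2, with nothing in the script saying what either exit status of ${ping6} stands for. A short comment next to the show_hint line naming the status that ping6 returns for this failure would make it clear the value was observed (the commit message cites strace) and would help whoever hits this again with a different ping6 build.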
-- 
2.33.0





* [PATCH 5.15 060/177] s390/kexec_file: fix error handling when applying relocations
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 059/177] selftests: net: Correct ping6 expected rc from 2 to 1 Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 061/177] sch_cake: do not call cake_destroy() from cake_init() Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tao Liu, Philipp Rudo,
	Heiko Carstens, Sasha Levin

From: Philipp Rudo <prudo@redhat.com>

[ Upstream commit 41967a37b8eedfee15b81406a9f3015be90d3980 ]

arch_kexec_apply_relocations_add currently ignores all errors returned
by arch_kexec_do_relocs. This means that every unknown relocation is
silently skipped causing unpredictable behavior while the relocated code
runs. Fix this by checking for errors and fail kexec_file_load if an
unknown relocation type is encountered.

The problem was found after gcc changed its behavior and used
R_390_PLT32DBL relocations for brasl instruction and relied on ld to
resolve the relocations in the final link in case direct calls are
possible. As the purgatory code is only linked partially (option -r)
ld didn't resolve the relocations leaving them for arch_kexec_do_relocs.
But arch_kexec_do_relocs doesn't know how to handle R_390_PLT32DBL
relocations so they were silently skipped. This ultimately caused an
endless loop in the purgatory as the brasl instructions kept branching
to itself.

Fixes: 71406883fd35 ("s390/kexec_file: Add kexec_file_load system call")
Reported-by: Tao Liu <ltao@redhat.com>
Signed-off-by: Philipp Rudo <prudo@redhat.com>
Link: https://lore.kernel.org/r/20211208130741.5821-3-prudo@redhat.com
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/kernel/machine_kexec_file.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/arch/s390/kernel/machine_kexec_file.c b/arch/s390/kernel/machine_kexec_file.c
index e7435f3a3d2d2..76cd09879eaf4 100644
--- a/arch/s390/kernel/machine_kexec_file.c
+++ b/arch/s390/kernel/machine_kexec_file.c
@@ -277,6 +277,7 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi,
 {
 	Elf_Rela *relas;
 	int i, r_type;
+	int ret;
 
 	relas = (void *)pi->ehdr + relsec->sh_offset;
 
@@ -311,7 +312,11 @@ int arch_kexec_apply_relocations_add(struct purgatory_info *pi,
 		addr = section->sh_addr + relas[i].r_offset;
 
 		r_type = ELF64_R_TYPE(relas[i].r_info);
-		arch_kexec_do_relocs(r_type, loc, val, addr);
+		ret = arch_kexec_do_relocs(r_type, loc, val, addr);
+		if (ret) {
+			pr_err("Unknown rela relocation: %d\n", r_type);
+			return -ENOEXEC;
+		}
 	}
 	return 0;
 }
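Review bot: after the call to arch_kexec_do_relocs(), every non-zero ret is logged as "Unknown rela relocation" and turned into -ENOEXEC, so the callee's own return value is discarded. If arch_kexec_do_relocs() can only fail for an unknown type, say so in a comment; otherwise print ret alongside r_type so the log line is not misleading. Including the relocation index i in the pr_err would also make a failing purgatory object easier to track down.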
-- 
2.33.0





* [PATCH 5.15 061/177] sch_cake: do not call cake_destroy() from cake_init()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 060/177] s390/kexec_file: fix error handling when applying relocations Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 062/177] inet_diag: fix kernel-infoleak for UDP sockets Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	Toke Høiland-Jørgensen, Jakub Kicinski, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit ab443c53916730862cec202078d36fd4008bea79 ]

qdiscs are not supposed to call their own destroy() method
from init(), because core stack already does that.

syzbot was able to trigger use after free:

DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock_common kernel/locking/mutex.c:586 [inline]
WARNING: CPU: 0 PID: 21902 at kernel/locking/mutex.c:586 __mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Modules linked in:
CPU: 0 PID: 21902 Comm: syz-executor189 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__mutex_lock_common kernel/locking/mutex.c:586 [inline]
RIP: 0010:__mutex_lock+0x9ec/0x12f0 kernel/locking/mutex.c:740
Code: 08 84 d2 0f 85 19 08 00 00 8b 05 97 38 4b 04 85 c0 0f 85 27 f7 ff ff 48 c7 c6 20 00 ac 89 48 c7 c7 a0 fe ab 89 e8 bf 76 ba ff <0f> 0b e9 0d f7 ff ff 48 8b 44 24 40 48 8d b8 c8 08 00 00 48 89 f8
RSP: 0018:ffffc9000627f290 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: ffff88802315d700 RSI: ffffffff815f1db8 RDI: fffff52000c4fe44
RBP: ffff88818f28e000 R08: 0000000000000000 R09: 0000000000000000
R10: ffffffff815ebb5e R11: 0000000000000000 R12: 0000000000000000
R13: dffffc0000000000 R14: ffffc9000627f458 R15: 0000000093c30000
FS:  0000555556abc400(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fda689c3303 CR3: 000000001cfbb000 CR4: 0000000000350ef0
Call Trace:
 <TASK>
 tcf_chain0_head_change_cb_del+0x2e/0x3d0 net/sched/cls_api.c:810
 tcf_block_put_ext net/sched/cls_api.c:1381 [inline]
 tcf_block_put_ext net/sched/cls_api.c:1376 [inline]
 tcf_block_put+0xbc/0x130 net/sched/cls_api.c:1394
 cake_destroy+0x3f/0x80 net/sched/sch_cake.c:2695
 qdisc_create.constprop.0+0x9da/0x10f0 net/sched/sch_api.c:1293
 tc_modify_qdisc+0x4c5/0x1980 net/sched/sch_api.c:1660
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2496
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x904/0xdf0 net/netlink/af_netlink.c:1921
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f1bb06badb9
Code: Unable to access opcode bytes at RIP 0x7f1bb06bad8f.
RSP: 002b:00007fff3012a658 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f1bb06badb9
RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000003
RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000003
R10: 0000000000000003 R11: 0000000000000246 R12: 00007fff3012a688
R13: 00007fff3012a6a0 R14: 00007fff3012a6e0 R15: 00000000000013c2
 </TASK>

Fixes: 046f6fd5daef ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Link: https://lore.kernel.org/r/20211210142046.698336-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_cake.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/net/sched/sch_cake.c b/net/sched/sch_cake.c
index 3c2300d144681..857aaebd49f43 100644
--- a/net/sched/sch_cake.c
+++ b/net/sched/sch_cake.c
@@ -2736,7 +2736,7 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt,
 	q->tins = kvcalloc(CAKE_MAX_TINS, sizeof(struct cake_tin_data),
 			   GFP_KERNEL);
 	if (!q->tins)
-		goto nomem;
+		return -ENOMEM;
 
 	for (i = 0; i < CAKE_MAX_TINS; i++) {
 		struct cake_tin_data *b = q->tins + i;
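Review bot: at `if (!q->tins)` the function now returns -ENOMEM with nothing freed locally, which is correct only because the core calls ->destroy() after a failed init, as the commit message says. That contract is invisible at this spot, so add a short comment here, and confirm that cake_destroy() copes with q->tins being NULL, since that is the state it will now be called in on this path.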
@@ -2766,10 +2766,6 @@ static int cake_init(struct Qdisc *sch, struct nlattr *opt,
 	q->min_netlen = ~0;
 	q->min_adjlen = ~0;
 	return 0;
-
-nomem:
-	cake_destroy(sch);
-	return -ENOMEM;
 }
 
 static int cake_dump(struct Qdisc *sch, struct sk_buff *skb)
-- 
2.33.0





* [PATCH 5.15 062/177] inet_diag: fix kernel-infoleak for UDP sockets
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 061/177] sch_cake: do not call cake_destroy() from cake_init() Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 063/177] netdevsim: dont overwrite read only ethtool parms Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Jakub Kicinski,
	Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 71ddeac8cd1d217744a0e060ff520e147c9328d1 ]

KMSAN reported a kernel-infoleak [1], that can be exploited
by unpriv users.

After analysis it turned out UDP was not initializing
r->idiag_expires. Other users of inet_sk_diag_fill()
might make the same mistake in the future, so fix this
in inet_sk_diag_fill().

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:156 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 instrument_copy_to_user include/linux/instrumented.h:121 [inline]
 copyout lib/iov_iter.c:156 [inline]
 _copy_to_iter+0x69d/0x25c0 lib/iov_iter.c:670
 copy_to_iter include/linux/uio.h:155 [inline]
 simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
 __skb_datagram_iter+0x2cb/0x1280 net/core/datagram.c:425
 skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
 skb_copy_datagram_msg include/linux/skbuff.h:3657 [inline]
 netlink_recvmsg+0x660/0x1c60 net/netlink/af_netlink.c:1974
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x5a9/0x630 net/socket.c:1035
 call_read_iter include/linux/fs.h:2156 [inline]
 new_sync_read fs/read_write.c:400 [inline]
 vfs_read+0x1631/0x1980 fs/read_write.c:481
 ksys_read+0x28c/0x520 fs/read_write.c:619
 __do_sys_read fs/read_write.c:629 [inline]
 __se_sys_read fs/read_write.c:627 [inline]
 __x64_sys_read+0xdb/0x120 fs/read_write.c:627
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_dump+0x3d5/0x16a0 net/netlink/af_netlink.c:2245
 __netlink_dump_start+0xd1c/0xee0 net/netlink/af_netlink.c:2370
 netlink_dump_start include/linux/netlink.h:254 [inline]
 inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1343
 sock_diag_rcv_msg+0x24a/0x620
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:276
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 sock_write_iter+0x594/0x690 net/socket.c:1057
 do_iter_readv_writev+0xa7f/0xc70
 do_iter_write+0x52c/0x1500 fs/read_write.c:851
 vfs_writev fs/read_write.c:924 [inline]
 do_writev+0x63f/0xe30 fs/read_write.c:967
 __do_sys_writev fs/read_write.c:1040 [inline]
 __se_sys_writev fs/read_write.c:1037 [inline]
 __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Bytes 68-71 of 312 are uninitialized
Memory access of size 312 starts at ffff88812ab54000
Data copied to user address 0000000020001440

CPU: 1 PID: 6365 Comm: syz-executor801 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011

Fixes: 3c4d05c80567 ("inet_diag: Introduce the inet socket dumping routine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20211209185058.53917-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/inet_diag.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/ipv4/inet_diag.c b/net/ipv4/inet_diag.c
index ef7897226f08e..ae70e07c52445 100644
--- a/net/ipv4/inet_diag.c
+++ b/net/ipv4/inet_diag.c
@@ -261,6 +261,7 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
 	r->idiag_state = sk->sk_state;
 	r->idiag_timer = 0;
 	r->idiag_retrans = 0;
+	r->idiag_expires = 0;
 
 	if (inet_diag_msg_attrs_fill(sk, skb, r, ext,
 				     sk_user_ns(NETLINK_CB(cb->skb).sk),
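Review bot: `r->idiag_expires = 0;` joins idiag_timer and idiag_retrans as a per-field default, but nothing marks these three lines as the values reported when none of the timer branches further down applies. A one-line comment above them would do, given that the commit message itself expects future users of inet_sk_diag_fill() to repeat the mistake. The KMSAN report shows the cost of missing one field: bytes 68-71 of the reply reached user space uninitialized.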
@@ -314,9 +315,6 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
 		r->idiag_retrans = icsk->icsk_probes_out;
 		r->idiag_expires =
 			jiffies_delta_to_msecs(sk->sk_timer.expires - jiffies);
-	} else {
-		r->idiag_timer = 0;
-		r->idiag_expires = 0;
 	}
 
 	if ((ext & (1 << (INET_DIAG_INFO - 1))) && handler->idiag_info_size) {
-- 
2.33.0





* [PATCH 5.15 063/177] netdevsim: dont overwrite read only ethtool parms
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 062/177] inet_diag: fix kernel-infoleak for UDP sockets Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 064/177] selftests: icmp_redirect: pass xfail=0 to log_test() Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filip Pokryvka, Jakub Kicinski, Sasha Levin

From: Filip Pokryvka <fpokryvk@redhat.com>

[ Upstream commit ee60e626d536da4c710b3634afe68fe7c6d69b59 ]

Ethtool ring feature has _max_pending attributes read-only.
Set only read-write attributes in nsim_set_ringparam.

This patch is useful, if netdevsim device is set-up using NetworkManager,
because NetworkManager sends 0 as MAX values, as it is pointless to
retrieve them in extra call, because they should be read-only. Then,
the device is left in an inconsistent state (value > MAX).

Fixes: a7fc6db099b5 ("netdevsim: support ethtool ring and coalesce settings")
Signed-off-by: Filip Pokryvka <fpokryvk@redhat.com>
Link: https://lore.kernel.org/r/20211210175032.411872-1-fpokryvk@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/netdevsim/ethtool.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/netdevsim/ethtool.c b/drivers/net/netdevsim/ethtool.c
index b03a0513eb7e7..2e7c1cc16cb93 100644
--- a/drivers/net/netdevsim/ethtool.c
+++ b/drivers/net/netdevsim/ethtool.c
@@ -77,7 +77,10 @@ static int nsim_set_ringparam(struct net_device *dev,
 {
 	struct netdevsim *ns = netdev_priv(dev);
 
-	memcpy(&ns->ethtool.ring, ring, sizeof(ns->ethtool.ring));
+	ns->ethtool.ring.rx_pending = ring->rx_pending;
+	ns->ethtool.ring.rx_jumbo_pending = ring->rx_jumbo_pending;
+	ns->ethtool.ring.rx_mini_pending = ring->rx_mini_pending;
+	ns->ethtool.ring.tx_pending = ring->tx_pending;
 	return 0;
 }
 
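Review bot: nsim_set_ringparam() now copies the four *_pending values from ring without comparing them to the stored maxima, while the commit message describes value > MAX as the inconsistent state to avoid. If the ethtool core already rejects requests above the maximum before this callback runs, a comment saying so would settle it; if not, the check belongs here. A comment that the *_max_pending fields are deliberately left untouched would also stop someone from restoring the memcpy().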
-- 
2.33.0





* [PATCH 5.15 064/177] selftests: icmp_redirect: pass xfail=0 to log_test()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 063/177] netdevsim: dont overwrite read only ethtool parms Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 065/177] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Po-Hsu Lin, David S. Miller, Sasha Levin

From: Po-Hsu Lin <po-hsu.lin@canonical.com>

[ Upstream commit 3748939bce3fc7a15ef07161826507fbe410bb7a ]

If any sub-test in this icmp_redirect.sh is failing but not expected
to fail, the script will complain:
    ./icmp_redirect.sh: line 72: [: 1: unary operator expected

This is because when the sub-test is not expected to fail, we won't
pass any value for the xfail local variable in log_test() and thus
it's empty. Fix this by passing 0 as the 4th variable to log_test()
for non-xfail cases.

v2: added fixes tag

Fixes: 0a36a75c6818 ("selftests: icmp_redirect: support expected failures")
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/icmp_redirect.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/icmp_redirect.sh b/tools/testing/selftests/net/icmp_redirect.sh
index ecbf57f264ed9..7b9d6e31b8e7d 100755
--- a/tools/testing/selftests/net/icmp_redirect.sh
+++ b/tools/testing/selftests/net/icmp_redirect.sh
@@ -311,7 +311,7 @@ check_exception()
 		ip -netns h1 ro get ${H1_VRF_ARG} ${H2_N2_IP} | \
 		grep -E -v 'mtu|redirected' | grep -q "cache"
 	fi
-	log_test $? 0 "IPv4: ${desc}"
+	log_test $? 0 "IPv4: ${desc}" 0
 
 	# No PMTU info for test "redirect" and "mtu exception plus redirect"
 	if [ "$with_redirect" = "yes" ] && [ "$desc" != "redirect exception plus mtu" ]; then
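Review bot: passing a literal 0 at this log_test call fixes one caller, but the root cause described in the commit message, an empty xfail inside log_test(), stays in place for any other or future caller that omits the fourth argument. Giving the local a default inside log_test(), for example `local xfail=${4:-0}`, would fix it once; the log_test body is not part of this hunk, so that line is a suggestion to adapt.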
-- 
2.33.0





* [PATCH 5.15 065/177] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 064/177] selftests: icmp_redirect: pass xfail=0 to log_test() Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 066/177] net: hns3: fix race condition in debugfs Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jie Wang, Guangbin Huang,
	David S. Miller, Sasha Levin

From: Jie Wang <wangjie125@huawei.com>

[ Upstream commit 27cbf64a766e86f068ce6214f04c00ceb4db1af4 ]

Currently, the hns3_remove function first uninstalls the client instance,
and then uninstalls the acceleration engine device. The netdevice is freed in
the client instance uninstall process, but the acceleration engine device
uninstall process still uses it to trace runtime information. This causes a
use-after-free problem.

So fix it by checking the instance register state to avoid the use after free.

Fixes: d8355240cf8f ("net: hns3: add trace event support for PF/VF mailbox")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
index fdc66fae09601..c5ac6ecf36e10 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_mbx.c
@@ -114,7 +114,8 @@ int hclgevf_send_mbx_msg(struct hclgevf_dev *hdev,
 
 	memcpy(&req->msg, send_msg, sizeof(struct hclge_vf_to_pf_msg));
 
-	trace_hclge_vf_mbx_send(hdev, req);
+	if (test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state))
+		trace_hclge_vf_mbx_send(hdev, req);
 
 	/* synchronous send */
 	if (need_resp) {
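Review bot: the new test_bit(HCLGEVF_STATE_NIC_REGISTERED, &hdev->state) check and the trace_hclge_vf_mbx_send() call that follows are two separate steps, and nothing in this hunk shows a lock held across them. If the client instance can be uninstalled concurrently with a mailbox send, the bit can clear between the test and the trace, and the netdevice is used after free all the same. Either note which lock or ordering in the remove path rules that out, or have the trace point avoid the netdevice.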
-- 
2.33.0





* [PATCH 5.15 066/177] net: hns3: fix race condition in debugfs
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 065/177] net: hns3: fix use-after-free bug in hclgevf_send_mbx_msg Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 067/177] selftests: Add duplicate config only for MD5 VRF tests Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yufeng Mo, Guangbin Huang,
	David S. Miller, Sasha Levin

From: Yufeng Mo <moyufeng@huawei.com>

[ Upstream commit 6dde452bceca3f2ed2b33bc46a16ff5682a03a2e ]

When multiple threads concurrently access the debugfs content, data
and pointer exceptions may occur. Therefore, mutex lock protection is
added for debugfs.

Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process")
Signed-off-by: Yufeng Mo <moyufeng@huawei.com>
Signed-off-by: Guangbin Huang <huangguangbin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hnae3.h   |  2 ++
 .../ethernet/hisilicon/hns3/hns3_debugfs.c    | 20 +++++++++++++------
 2 files changed, 16 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hnae3.h b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
index d701451596c82..47bba4c62f040 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hnae3.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hnae3.h
@@ -830,6 +830,8 @@ struct hnae3_handle {
 
 	u8 netdev_flags;
 	struct dentry *hnae3_dbgfs;
+	/* protects concurrent contention between debugfs commands */
+	struct mutex dbgfs_lock;
 
 	/* Network interface message level enabled bits */
 	u32 msg_enable;
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
index e54f96251fea9..3205849bdb95b 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3_debugfs.c
@@ -1021,6 +1021,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
 	if (ret)
 		return ret;
 
+	mutex_lock(&handle->dbgfs_lock);
 	save_buf = &hns3_dbg_cmd[index].buf;
 
 	if (!test_bit(HNS3_NIC_STATE_INITED, &priv->state) ||
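Review bot: the mutex taken here is handle->dbgfs_lock, one per hnae3_handle, but the state it guards on the next line is `&hns3_dbg_cmd[index].buf`, which is indexed only by command and not by handle. If hns3_dbg_cmd is a single table shared by all devices, two handles reading the same file type still race on save_buf under different locks. Please confirm the table's scope, and use a lock with the same scope as the buffers.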
@@ -1033,15 +1034,15 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
 		read_buf = *save_buf;
 	} else {
 		read_buf = kvzalloc(hns3_dbg_cmd[index].buf_len, GFP_KERNEL);
-		if (!read_buf)
-			return -ENOMEM;
+		if (!read_buf) {
+			ret = -ENOMEM;
+			goto out;
+		}
 
 		/* save the buffer addr until the last read operation */
 		*save_buf = read_buf;
-	}
 
-	/* get data ready for the first time to read */
-	if (!*ppos) {
+		/* get data ready for the first time to read */
 		ret = hns3_dbg_read_cmd(dbg_data, hns3_dbg_cmd[index].cmd,
 					read_buf, hns3_dbg_cmd[index].buf_len);
 		if (ret)
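Review bot: moving the hns3_dbg_read_cmd() call into the else branch and dropping `if (!*ppos)` changes behaviour beyond locking. Data is now fetched only when a new buffer is allocated, so a read at offset 0 that takes the `read_buf = *save_buf;` branch returns the saved contents instead of refreshing them. The commit message speaks only of adding a mutex; describe this change there, or split it into its own patch.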
@@ -1050,8 +1051,10 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
 
 	size = simple_read_from_buffer(buffer, count, ppos, read_buf,
 				       strlen(read_buf));
-	if (size > 0)
+	if (size > 0) {
+		mutex_unlock(&handle->dbgfs_lock);
 		return size;
+	}
 
 out:
 	/* free the buffer for the last read operation */
@@ -1060,6 +1063,7 @@ static ssize_t hns3_dbg_read(struct file *filp, char __user *buffer,
 		*save_buf = NULL;
 	}
 
+	mutex_unlock(&handle->dbgfs_lock);
 	return ret;
 }
 
@@ -1132,6 +1136,8 @@ int hns3_dbg_init(struct hnae3_handle *handle)
 			debugfs_create_dir(hns3_dbg_dentry[i].name,
 					   handle->hnae3_dbgfs);
 
+	mutex_init(&handle->dbgfs_lock);
+
 	for (i = 0; i < ARRAY_SIZE(hns3_dbg_cmd); i++) {
 		if ((hns3_dbg_cmd[i].cmd == HNAE3_DBG_CMD_TM_NODES &&
 		     ae_dev->dev_version <= HNAE3_DEVICE_VERSION_V2) ||
@@ -1158,6 +1164,7 @@ int hns3_dbg_init(struct hnae3_handle *handle)
 	return 0;
 
 out:
+	mutex_destroy(&handle->dbgfs_lock);
 	debugfs_remove_recursive(handle->hnae3_dbgfs);
 	handle->hnae3_dbgfs = NULL;
 	return ret;
@@ -1173,6 +1180,7 @@ void hns3_dbg_uninit(struct hnae3_handle *handle)
 			hns3_dbg_cmd[i].buf = NULL;
 		}
 
+	mutex_destroy(&handle->dbgfs_lock);
 	debugfs_remove_recursive(handle->hnae3_dbgfs);
 	handle->hnae3_dbgfs = NULL;
 }
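Review bot: hns3_dbg_uninit() clears `hns3_dbg_cmd[i].buf` and destroys the mutex before debugfs_remove_recursive() runs, and this hunk adds no locking around the clearing loop, so a read in flight during uninit can still pick up a saved buffer pointer. Removing the debugfs tree first, then releasing the buffers and destroying the mutex, would close that window.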
-- 
2.33.0





* [PATCH 5.15 067/177] selftests: Add duplicate config only for MD5 VRF tests
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 066/177] net: hns3: fix race condition in debugfs Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 068/177] selftests: Fix raw socket bind tests with VRF Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Ahern, David S. Miller, Sasha Levin

From: David Ahern <dsahern@kernel.org>

[ Upstream commit 7e0147592b5c4f9e2eb8c54a7857a56d4863f74e ]

Commit referenced below added configuration in the default VRF that
duplicates a VRF to check MD5 passwords are properly used and fail
when expected. That config should not be added all the time as it
can cause tests to pass that should not (by matching on default VRF
setup when it should not). Move the duplicate setup to a function
that is only called for the MD5 tests and add a cleanup function
to remove it after the MD5 tests.

Fixes: 5cad8bce26e0 ("fcnal-test: Add TCP MD5 tests for VRF")
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/fcnal-test.sh | 26 +++++++++++++++++------
 1 file changed, 20 insertions(+), 6 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 966787c2f9f0f..8bcbb72f74c1f 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -455,6 +455,22 @@ cleanup()
 	ip netns del ${NSC} >/dev/null 2>&1
 }
 
+cleanup_vrf_dup()
+{
+	ip link del ${NSA_DEV2} >/dev/null 2>&1
+	ip netns pids ${NSC} | xargs kill 2>/dev/null
+	ip netns del ${NSC} >/dev/null 2>&1
+}
+
+setup_vrf_dup()
+{
+	# some VRF tests use ns-C which has the same config as
+	# ns-B but for a device NOT in the VRF
+	create_ns ${NSC} "-" "-"
+	connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
+		   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
+}
+
 setup()
 {
 	local with_vrf=${1}
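Review bot: In cleanup_vrf_dup(), `ip link del ${NSA_DEV2}` runs without `-netns`, while setup_vrf_dup() passes `${NSA} ${NSA_DEV2}` to connect_ns; if connect_ns places that device inside ns-A, the delete fails and `>/dev/null 2>&1` hides the failure. Either target the namespace explicitly or drop the line if deleting ns-C already tears the link down. Separately, `xargs kill` is still invoked when `ip netns pids ${NSC}` prints nothing; `xargs -r` avoids the empty kill call instead of masking its error.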
@@ -484,12 +500,6 @@ setup()
 
 		ip -netns ${NSB} ro add ${VRF_IP}/32 via ${NSA_IP} dev ${NSB_DEV}
 		ip -netns ${NSB} -6 ro add ${VRF_IP6}/128 via ${NSA_IP6} dev ${NSB_DEV}
-
-		# some VRF tests use ns-C which has the same config as
-		# ns-B but for a device NOT in the VRF
-		create_ns ${NSC} "-" "-"
-		connect_ns ${NSA} ${NSA_DEV2} ${NSA_IP}/24 ${NSA_IP6}/64 \
-			   ${NSC} ${NSC_DEV} ${NSB_IP}/24 ${NSB_IP6}/64
 	else
 		ip -netns ${NSA} ro add ${NSB_LO_IP}/32 via ${NSB_IP} dev ${NSA_DEV}
 		ip -netns ${NSA} ro add ${NSB_LO_IP6}/128 via ${NSB_IP6} dev ${NSA_DEV}
@@ -1240,7 +1250,9 @@ ipv4_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
+	setup_vrf_dup
 	ipv4_tcp_md5
+	cleanup_vrf_dup
 
 	#
 	# enable VRF global server
@@ -2719,7 +2731,9 @@ ipv6_tcp_vrf()
 	log_test_addr ${a} $? 1 "Global server, local connection"
 
 	# run MD5 tests
+	setup_vrf_dup
 	ipv6_tcp_md5
+	cleanup_vrf_dup
 
 	#
 	# enable VRF global server
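Review bot: The setup_vrf_dup / ipv6_tcp_md5 / cleanup_vrf_dup sequence repeats the one added to ipv4_tcp_vrf(), and neither call site checks that setup_vrf_dup succeeded. A small wrapper that takes the MD5 test function as an argument would keep the two sites in step and give one place to bail out if ns-C cannot be created.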
-- 
2.33.0





* [PATCH 5.15 068/177] selftests: Fix raw socket bind tests with VRF
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 067/177] selftests: Add duplicate config only for MD5 VRF tests Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 069/177] selftests: Fix IPv6 address bind tests Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Zhijian, David Ahern,
	David S. Miller, Sasha Levin

From: David Ahern <dsahern@kernel.org>

[ Upstream commit 0f108ae4452025fef529671998f6c7f1c4526790 ]

Commit referenced below added negative socket bind tests for VRF. The
socket binds should fail since the address to bind to is in a VRF yet
the socket is not bound to the VRF or a device within it. Update the
expected return code to check for 1 (bind failure) so the test passes
when the bind fails as expected. Add a 'show_hint' comment to explain
why the bind is expected to fail.

Fixes: 75b2b2b3db4c ("selftests: Add ipv4 address bind tests to fcnal-test")
Reported-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/fcnal-test.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 8bcbb72f74c1f..9d2e8db8827e2 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -1810,8 +1810,9 @@ ipv4_addr_bind_vrf()
 	for a in ${NSA_IP} ${VRF_IP}
 	do
 		log_start
+		show_hint "Socket not bound to VRF, but address is in VRF"
 		run_cmd nettest -s -R -P icmp -l ${a} -b
-		log_test_addr ${a} $? 0 "Raw socket bind to local address"
+		log_test_addr ${a} $? 1 "Raw socket bind to local address"
 
 		log_start
 		run_cmd nettest -s -R -P icmp -l ${a} -I ${NSA_DEV} -b
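Review bot: The expected return code flips to 1, but the description passed to log_test_addr still reads "Raw socket bind to local address", so the result log does not show that this is a negative test; only the show_hint line does. Reword the description to say the bind is attempted without a VRF or device binding, so a pass is understood as "bind refused".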
-- 
2.33.0





* [PATCH 5.15 069/177] selftests: Fix IPv6 address bind tests
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 068/177] selftests: Fix raw socket bind tests with VRF Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 070/177] dmaengine: idxd: fix missed completion on abort path Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Li Zhijian, David Ahern,
	David S. Miller, Sasha Levin

From: David Ahern <dsahern@kernel.org>

[ Upstream commit 28a2686c185e84b6aa6a4d9c9a972360eb7ca266 ]

IPv6 allows binding a socket to a device then binding to an address
not on the device (__inet6_bind -> ipv6_chk_addr with strict flag
not set). Update the bind tests to reflect legacy behavior.

Fixes: 34d0302ab861 ("selftests: Add ipv6 address bind tests to fcnal-test")
Reported-by: Li Zhijian <lizhijian@fujitsu.com>
Signed-off-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/fcnal-test.sh | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/tools/testing/selftests/net/fcnal-test.sh b/tools/testing/selftests/net/fcnal-test.sh
index 9d2e8db8827e2..aec9e784d0b46 100755
--- a/tools/testing/selftests/net/fcnal-test.sh
+++ b/tools/testing/selftests/net/fcnal-test.sh
@@ -3429,11 +3429,14 @@ ipv6_addr_bind_novrf()
 	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
 	log_test_addr ${a} $? 0 "TCP socket bind to local address after device bind"
 
+	# Sadly, the kernel allows binding a socket to a device and then
+	# binding to an address not on the device. So this test passes
+	# when it really should not
 	a=${NSA_LO_IP6}
 	log_start
-	show_hint "Should fail with 'Cannot assign requested address'"
+	show_hint "Tecnically should fail since address is not on device but kernel allows"
 	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
-	log_test_addr ${a} $? 1 "TCP socket bind to out of scope local address"
+	log_test_addr ${a} $? 0 "TCP socket bind to out of scope local address"
 }
 
 ipv6_addr_bind_vrf()
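Review bot: The new show_hint string misspells "Technically" as "Tecnically"; hints are printed to whoever runs the tests, so fix it here. The added comment says the test "passes when it really should not"; naming the kernel path from the changelog (__inet6_bind calling ipv6_chk_addr without the strict flag) in that comment would tell whoever changes that behaviour which expectation to flip back.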
@@ -3474,10 +3477,15 @@ ipv6_addr_bind_vrf()
 	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
 	log_test_addr ${a} $? 0 "TCP socket bind to local address with device bind"
 
+	# Sadly, the kernel allows binding a socket to a device and then
+	# binding to an address not on the device. The only restriction
+	# is that the address is valid in the L3 domain. So this test
+	# passes when it really should not
 	a=${VRF_IP6}
 	log_start
+	show_hint "Tecnically should fail since address is not on device but kernel allows"
 	run_cmd nettest -6 -s -l ${a} -I ${NSA_DEV} -t1 -b
-	log_test_addr ${a} $? 1 "TCP socket bind to VRF address with device bind"
+	log_test_addr ${a} $? 0 "TCP socket bind to VRF address with device bind"
 
 	a=${NSA_LO_IP6}
 	log_start
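Review bot: The show_hint text in this hunk is copied from ipv6_addr_bind_novrf(), misspelling included, although the comment above it gives a different reason for the VRF case (the address only has to be valid in the L3 domain). Put that reason in the hint so the two cases can be told apart in the test output.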
-- 
2.33.0





* [PATCH 5.15 070/177] dmaengine: idxd: fix missed completion on abort path
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 069/177] selftests: Fix IPv6 address bind tests Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 071/177] dmaengine: st_fdma: fix MODULE_ALIAS Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ming Li, Dave Jiang, Vinod Koul, Sasha Levin

From: Dave Jiang <dave.jiang@intel.com>

[ Upstream commit 8affd8a4b5ce356c8900cfb037674f3a4a11fbdb ]

Ming reported that with the abort path of the descriptor submission, there
can be a window where a completed descriptor can be missed to be completed
by the irq completion thread:

CPU A				CPU B
Submit (successful)

Submit (fail)
				irq_process_work_list() // empty

llist_abort_desc()
// remove all descs from pending list

				irq_process_pending_llist() // empty
				exit idxd_wq_thread() with no processing

Add opportunistic descriptor completion in the abort path in order to
remove the missed completion.

Fixes: 6b4b87f2c31a ("dmaengine: idxd: fix submission race window")
Reported-by: Ming Li <ming4.li@intel.com>
Signed-off-by: Dave Jiang <dave.jiang@intel.com>
Link: https://lore.kernel.org/r/163898288714.443911.16084982766671976640.stgit@djiang5-desk3.ch.intel.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/idxd/submit.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/dma/idxd/submit.c b/drivers/dma/idxd/submit.c
index de76fb4abac24..83452fbbb168b 100644
--- a/drivers/dma/idxd/submit.c
+++ b/drivers/dma/idxd/submit.c
@@ -106,6 +106,7 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
 {
 	struct idxd_desc *d, *t, *found = NULL;
 	struct llist_node *head;
+	LIST_HEAD(flist);
 
 	desc->completion->status = IDXD_COMP_DESC_ABORT;
 	/*
@@ -120,7 +121,11 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
 				found = desc;
 				continue;
 			}
-			list_add_tail(&desc->list, &ie->work_list);
+
+			if (d->completion->status)
+				list_add_tail(&d->list, &flist);
+			else
+				list_add_tail(&d->list, &ie->work_list);
 		}
 	}
 
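Review bot: The removed line queued `desc`, the descriptor being aborted, rather than the loop variable `d`, and both new branches use `&d->list`; that is a second fix the changelog does not mention, and it deserves a sentence there. Also, `d->completion->status` is tested with a plain load; if the completion record is written by the device, a comment or READ_ONCE() would make the intent explicit.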
@@ -130,6 +135,17 @@ static void llist_abort_desc(struct idxd_wq *wq, struct idxd_irq_entry *ie,
 
 	if (found)
 		complete_desc(found, IDXD_COMPLETE_ABORT);
+
+	/*
+	 * complete_desc() will return desc to allocator and the desc can be
+	 * acquired by a different process and the desc->list can be modified.
+	 * Delete desc from list so the list trasversing does not get corrupted
+	 * by the other process.
+	 */
+	list_for_each_entry_safe(d, t, &flist, list) {
+		list_del_init(&d->list);
+		complete_desc(d, IDXD_COMPLETE_NORMAL);
+	}
 }
 
 int idxd_submit_desc(struct idxd_wq *wq, struct idxd_desc *desc)
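Review bot: The comment above the `flist` loop has a typo ("trasversing") and reads as a general remark about complete_desc(); it would be clearer to state directly that list_del_init() must come before complete_desc() because the descriptor can be reused as soon as it is completed. A short note on why these entries are completed with IDXD_COMPLETE_NORMAL while `found` gets IDXD_COMPLETE_ABORT would also help the next reader.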
-- 
2.33.0





* [PATCH 5.15 071/177] dmaengine: st_fdma: fix MODULE_ALIAS
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 070/177] dmaengine: idxd: fix missed completion on abort path Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 072/177] drm: simpledrm: fix wrong unit with pixel clock Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alyssa Ross, Vinod Koul, Sasha Levin

From: Alyssa Ross <hi@alyssa.is>

[ Upstream commit 822c9f2b833c53fc67e8adf6f63ecc3ea24d502c ]

modprobe can't handle spaces in aliases.

Fixes: 6b4cd727eaf1 ("dmaengine: st_fdma: Add STMicroelectronics FDMA engine driver support")
Signed-off-by: Alyssa Ross <hi@alyssa.is>
Link: https://lore.kernel.org/r/20211125154441.2626214-1-hi@alyssa.is
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/dma/st_fdma.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/dma/st_fdma.c b/drivers/dma/st_fdma.c
index 962b6e05287b5..d95c421877fb7 100644
--- a/drivers/dma/st_fdma.c
+++ b/drivers/dma/st_fdma.c
@@ -874,4 +874,4 @@ MODULE_LICENSE("GPL v2");
 MODULE_DESCRIPTION("STMicroelectronics FDMA engine driver");
 MODULE_AUTHOR("Ludovic.barre <Ludovic.barre@st.com>");
 MODULE_AUTHOR("Peter Griffin <peter.griffin@linaro.org>");
-MODULE_ALIAS("platform: " DRIVER_NAME);
+MODULE_ALIAS("platform:" DRIVER_NAME);
-- 
2.33.0





* [PATCH 5.15 072/177] drm: simpledrm: fix wrong unit with pixel clock
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 071/177] dmaengine: st_fdma: fix MODULE_ALIAS Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 073/177] net/sched: sch_ets: dont remove idle classes from the round-robin list Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alejandro Concepcion-Rodriguez,
	Thomas Zimmermann, Sasha Levin

From: Alejandro Concepcion-Rodriguez <asconcepcion@acoro.eu>

[ Upstream commit 5cf06065bd1f7b94fbb80e7eeb033899f77ab5ba ]

Pixel clock has to be set in kHz.

Signed-off-by: Alejandro Concepcion-Rodriguez <asconcepcion@acoro.eu>
Fixes: 11e8f5fd223b ("drm: Add simpledrm driver")
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/6f8554ef-1305-0dda-821c-f7d2e5644a48@acoro.eu
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/tiny/simpledrm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/tiny/simpledrm.c b/drivers/gpu/drm/tiny/simpledrm.c
index 481b48bde0473..5a6e89825bc2f 100644
--- a/drivers/gpu/drm/tiny/simpledrm.c
+++ b/drivers/gpu/drm/tiny/simpledrm.c
@@ -458,7 +458,7 @@ static struct drm_display_mode simpledrm_mode(unsigned int width,
 {
 	struct drm_display_mode mode = { SIMPLEDRM_MODE(width, height) };
 
-	mode.clock = 60 /* Hz */ * mode.hdisplay * mode.vdisplay;
+	mode.clock = mode.hdisplay * mode.vdisplay * 60 / 1000 /* kHz */;
 	drm_mode_set_name(&mode);
 
 	return mode;
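Review bot: `mode.hdisplay * mode.vdisplay * 60` is evaluated in full before the `/ 1000`, so the intermediate product has to fit the arithmetic type; confirm it cannot overflow for the largest framebuffer the driver accepts, or divide earlier. The division also truncates, so the clock is rounded down and the derived refresh rate lands slightly under 60 Hz; DIV_ROUND_UP() would avoid that.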
-- 
2.33.0





* [PATCH 5.15 073/177] net/sched: sch_ets: dont remove idle classes from the round-robin list
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 072/177] drm: simpledrm: fix wrong unit with pixel clock Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 074/177] selftests/net: toeplitz: fix udp option Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shuang Li, Davide Caratti,
	David S. Miller, Sasha Levin

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit c062f2a0b04d86c5b8c9d973bea43493eaca3d32 ]

Shuang reported that the following script:

 1) tc qdisc add dev ddd0 handle 10: parent 1: ets bands 8 strict 4 priomap 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7 7
 2) mausezahn ddd0  -A 10.10.10.1 -B 10.10.10.2 -c 0 -a own -b 00:c1:a0:c1:a0:00 -t udp &
 3) tc qdisc change dev ddd0 handle 10: ets bands 4 strict 2 quanta 2500 2500 priomap 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3 3

crashes systematically when line 2) is commented:

 list_del corruption, ffff8e028404bd30->next is LIST_POISON1 (dead000000000100)
 ------------[ cut here ]------------
 kernel BUG at lib/list_debug.c:47!
 invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
 CPU: 0 PID: 954 Comm: tc Not tainted 5.16.0-rc4+ #478
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
 RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
 RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
 R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
 FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
 Call Trace:
  <TASK>
  ets_qdisc_change+0x58b/0xa70 [sch_ets]
  tc_modify_qdisc+0x323/0x880
  rtnetlink_rcv_msg+0x169/0x4a0
  netlink_rcv_skb+0x50/0x100
  netlink_unicast+0x1a5/0x280
  netlink_sendmsg+0x257/0x4d0
  sock_sendmsg+0x5b/0x60
  ____sys_sendmsg+0x1f2/0x260
  ___sys_sendmsg+0x7c/0xc0
  __sys_sendmsg+0x57/0xa0
  do_syscall_64+0x3a/0x80
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7efdc8031338
 Code: 89 02 48 c7 c0 ff ff ff ff eb b5 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 25 43 2c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 41 54 41 89 d4 55
 RSP: 002b:00007ffdf1ce9828 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000061b37a97 RCX: 00007efdc8031338
 RDX: 0000000000000000 RSI: 00007ffdf1ce9890 RDI: 0000000000000003
 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000078a940
 R10: 000000000000000c R11: 0000000000000246 R12: 0000000000000001
 R13: 0000000000688880 R14: 0000000000000000 R15: 0000000000000000
  </TASK>
 Modules linked in: sch_ets sch_tbf dummy rfkill iTCO_wdt iTCO_vendor_support intel_rapl_msr intel_rapl_common joydev pcspkr i2c_i801 virtio_balloon i2c_smbus lpc_ich ip_tables xfs libcrc32c crct10dif_pclmul crc32_pclmul crc32c_intel serio_raw ghash_clmulni_intel ahci libahci libata virtio_blk virtio_console virtio_net net_failover failover sunrpc dm_mirror dm_region_hash dm_log dm_mod [last unloaded: sch_ets]
 ---[ end trace f35878d1912655c2 ]---
 RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x47
 Code: fe ff 0f 0b 48 89 c1 4c 89 c6 48 c7 c7 08 42 1b 87 e8 1d c5 fe ff 0f 0b 48 89 fe 48 89 c2 48 c7 c7 98 42 1b 87 e8 09 c5 fe ff <0f> 0b 48 c7 c7 48 43 1b 87 e8 fb c4 fe ff 0f 0b 48 89 f2 48 89 fe
 RSP: 0018:ffffae46807a3888 EFLAGS: 00010246
 RAX: 000000000000004e RBX: 0000000000000007 RCX: 0000000000000202
 RDX: 0000000000000000 RSI: ffffffff871ac536 RDI: 00000000ffffffff
 RBP: ffffae46807a3a10 R08: 0000000000000000 R09: c0000000ffff7fff
 R10: 0000000000000001 R11: ffffae46807a36a8 R12: ffff8e028404b800
 R13: ffff8e028404bd30 R14: dead000000000100 R15: ffff8e02fafa2400
 FS:  00007efdc92e4480(0000) GS:ffff8e02fb600000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000682f48 CR3: 00000001058be000 CR4: 0000000000350ef0
 Kernel panic - not syncing: Fatal exception in interrupt
 Kernel Offset: 0x4e00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
 ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---

we can remove 'q->classes[i].alist' only if DRR class 'i' was part of the
active list. In the ETS scheduler DRR classes belong to that list only if
the queue length is greater than zero: we need to test for non-zero value
of 'q->classes[i].qdisc->q.qlen' before removing from the list, similarly
to what has been done elsewhere in the ETS code.

Fixes: de6d25924c2a ("net/sched: sch_ets: don't peek at classes beyond 'nbands'")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/sch_ets.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/sched/sch_ets.c b/net/sched/sch_ets.c
index 92a686807971b..44fa2532a87c0 100644
--- a/net/sched/sch_ets.c
+++ b/net/sched/sch_ets.c
@@ -668,9 +668,9 @@ static int ets_qdisc_change(struct Qdisc *sch, struct nlattr *opt,
 		}
 	}
 	for (i = q->nbands; i < oldbands; i++) {
-		qdisc_tree_flush_backlog(q->classes[i].qdisc);
-		if (i >= q->nstrict)
+		if (i >= q->nstrict && q->classes[i].qdisc->q.qlen)
 			list_del(&q->classes[i].alist);
+		qdisc_tree_flush_backlog(q->classes[i].qdisc);
 	}
 	q->nstrict = nstrict;
 	memcpy(q->prio2band, priomap, sizeof(priomap));
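Review bot: Moving qdisc_tree_flush_backlog() below the list_del() is an ordering change the changelog does not explain; it only motivates the new `q->classes[i].qdisc->q.qlen` test. If the queue length has to be sampled before the flush, a one-line comment in the loop would keep a later cleanup from swapping the two calls back.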
-- 
2.33.0





* [PATCH 5.15 074/177] selftests/net: toeplitz: fix udp option
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 073/177] net/sched: sch_ets: dont remove idle classes from the round-robin list Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 075/177] net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down() Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Willem de Bruijn, David S. Miller,
	Sasha Levin

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit a8d13611b4a7b1b20d17bf2b9a89a3efcabde56c ]

Tiny fix. Option -u ("use udp") does not take an argument.

It can cause the next argument to silently be ignored.

Fixes: 5ebfb4cc3048 ("selftests/net: toeplitz test")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/toeplitz.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tools/testing/selftests/net/toeplitz.c b/tools/testing/selftests/net/toeplitz.c
index 710ac956bdb33..c5489341cfb80 100644
--- a/tools/testing/selftests/net/toeplitz.c
+++ b/tools/testing/selftests/net/toeplitz.c
@@ -498,7 +498,7 @@ static void parse_opts(int argc, char **argv)
 	bool have_toeplitz = false;
 	int index, c;
 
-	while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:u:v", long_options, &index)) != -1) {
+	while ((c = getopt_long(argc, argv, "46C:d:i:k:r:stT:uv", long_options, &index)) != -1) {
 		switch (c) {
 		case '4':
 			cfg_family = AF_INET;
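Review bot: With `u:` changed to `u` in the optstring, the matching entry in `long_options` (not visible in this hunk) needs to declare no argument as well, otherwise the long form would still consume the next word. Worth checking in the same patch so the short and long forms agree.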
-- 
2.33.0





* [PATCH 5.15 075/177] net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 074/177] selftests/net: toeplitz: fix udp option Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 076/177] selftest/net/forwarding: declare NETIFS p9 p10 Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Behún,
	Russell King (Oracle),
	David S. Miller, Sasha Levin

From: Marek Behún <kabel@kernel.org>

[ Upstream commit 9d591fc028b6bddb38c6585874f331267cbdadae ]

Commit 64d47d50be7a ("net: dsa: mv88e6xxx: configure interface settings
in mac_config") removed forcing of speed and duplex from
mv88e6xxx_mac_config(), where the link is forced down, and left it only
in mv88e6xxx_mac_link_up(), by which time link is unforced.

It seems that (at least on 88E6190) when changing cmode to 2500base-x,
if the link is not forced down, but the speed or duplex are still
forced, the forcing of new settings for speed & duplex doesn't take in
mv88e6xxx_mac_link_up().

Fix this by unforcing speed & duplex in mv88e6xxx_mac_link_down().

Fixes: 64d47d50be7a ("net: dsa: mv88e6xxx: configure interface settings in mac_config")
Signed-off-by: Marek Behún <kabel@kernel.org>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/mv88e6xxx/chip.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
index a31cc0ab7c625..43d126628610b 100644
--- a/drivers/net/dsa/mv88e6xxx/chip.c
+++ b/drivers/net/dsa/mv88e6xxx/chip.c
@@ -769,6 +769,10 @@ static void mv88e6xxx_mac_link_down(struct dsa_switch *ds, int port,
 	if ((!mv88e6xxx_port_ppu_updates(chip, port) ||
 	     mode == MLO_AN_FIXED) && ops->port_sync_link)
 		err = ops->port_sync_link(chip, port, mode, false);
+
+	if (!err && ops->port_set_speed_duplex)
+		err = ops->port_set_speed_duplex(chip, port, SPEED_UNFORCED,
+						 DUPLEX_UNFORCED);
 	mv88e6xxx_reg_unlock(chip);
 
 	if (err)
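Review bot: The unforce call is gated on `!err`, so when port_sync_link() fails the port keeps its forced speed and duplex, which is the state the changelog says prevents the new settings from taking effect in mv88e6xxx_mac_link_up(). Consider attempting the unforce regardless and reporting the first error, and check that the message under `if (err)` still names the step that actually failed now that two operations share the variable.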
-- 
2.33.0





* [PATCH 5.15 076/177] selftest/net/forwarding: declare NETIFS p9 p10
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 075/177] net: dsa: mv88e6xxx: Unforce speed & duplex in mac_link_down() Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 077/177] mptcp: never allow the PM to close a listener subflow Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangbin Liu, Ido Schimmel,
	David S. Miller, Sasha Levin

From: Hangbin Liu <liuhangbin@gmail.com>

[ Upstream commit 71da1aec215290e249d09c44c768df859f3a3bba ]

The recent GRE selftests defined NUM_NETIFS=10. If the users copy
forwarding.config.sample to forwarding.config directly, they will get
error "Command line is not complete" when running the GRE tests, because
create_netif_veth() failed with no interface name defined.

Fix it by extending the NETIFS with p9 and p10.

Fixes: 2800f2485417 ("selftests: forwarding: Test multipath hashing on inner IP pkts for GRE tunnel")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/net/forwarding/forwarding.config.sample | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tools/testing/selftests/net/forwarding/forwarding.config.sample b/tools/testing/selftests/net/forwarding/forwarding.config.sample
index e5e2fbeca22ec..e51def39fd801 100644
--- a/tools/testing/selftests/net/forwarding/forwarding.config.sample
+++ b/tools/testing/selftests/net/forwarding/forwarding.config.sample
@@ -13,6 +13,8 @@ NETIFS[p5]=veth4
 NETIFS[p6]=veth5
 NETIFS[p7]=veth6
 NETIFS[p8]=veth7
+NETIFS[p9]=veth8
+NETIFS[p10]=veth9
 
 # Port that does not have a cable connected.
 NETIF_NO_CABLE=eth8
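Review bot: The sample list now has to track the largest NUM_NETIFS any test declares (10 per the changelog), and nothing in the file says so. A comment above the NETIFS entries stating that the list must cover the highest NUM_NETIFS used by the forwarding tests would keep the next test that raises the count from hitting the same "Command line is not complete" failure.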
-- 
2.33.0





* [PATCH 5.15 077/177] mptcp: never allow the PM to close a listener subflow
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 076/177] selftest/net/forwarding: declare NETIFS p9 p10 Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 078/177] drm/ast: potential dereference of null pointer Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mat Martineau, Paolo Abeni,
	Jakub Kicinski, Sasha Levin, syzbot+e4d843bb96a9431e6331

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit b0cdc5dbcf2ba0d99785da5aabf1b17943805b8a ]

Currently, when deleting an endpoint the netlink PM traverses
all the local MPTCP sockets, regardless of their status.

If an MPTCP listener socket is bound to the IP matching the
delete endpoint, the listener TCP socket will be closed.
That is unexpected, the PM should only affect data subflows.

Additionally, syzbot was able to trigger a NULL ptr dereference
due to the above:

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 1 PID: 6550 Comm: syz-executor122 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__lock_acquire+0xd7d/0x54a0 kernel/locking/lockdep.c:4897
Code: 0f 0e 41 be 01 00 00 00 0f 86 c8 00 00 00 89 05 69 cc 0f 0e e9 bd 00 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <80> 3c 02 00 0f 85 f3 2f 00 00 48 81 3b 20 75 17 8f 0f 84 52 f3 ff
RSP: 0018:ffffc90001f2f818 EFLAGS: 00010016
RAX: dffffc0000000000 RBX: 0000000000000018 RCX: 0000000000000000
RDX: 0000000000000003 RSI: 0000000000000000 RDI: 0000000000000001
RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000000 R11: 000000000000000a R12: 0000000000000000
R13: ffff88801b98d700 R14: 0000000000000000 R15: 0000000000000001
FS:  00007f177cd3d700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f177cd1b268 CR3: 000000001dd55000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 lock_acquire kernel/locking/lockdep.c:5637 [inline]
 lock_acquire+0x1ab/0x510 kernel/locking/lockdep.c:5602
 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
 _raw_spin_lock_irqsave+0x39/0x50 kernel/locking/spinlock.c:162
 finish_wait+0xc0/0x270 kernel/sched/wait.c:400
 inet_csk_wait_for_connect net/ipv4/inet_connection_sock.c:464 [inline]
 inet_csk_accept+0x7de/0x9d0 net/ipv4/inet_connection_sock.c:497
 mptcp_accept+0xe5/0x500 net/mptcp/protocol.c:2865
 inet_accept+0xe4/0x7b0 net/ipv4/af_inet.c:739
 mptcp_stream_accept+0x2e7/0x10e0 net/mptcp/protocol.c:3345
 do_accept+0x382/0x510 net/socket.c:1773
 __sys_accept4_file+0x7e/0xe0 net/socket.c:1816
 __sys_accept4+0xb0/0x100 net/socket.c:1846
 __do_sys_accept net/socket.c:1864 [inline]
 __se_sys_accept net/socket.c:1861 [inline]
 __x64_sys_accept+0x71/0xb0 net/socket.c:1861
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f177cd8b8e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f177cd3d308 EFLAGS: 00000246 ORIG_RAX: 000000000000002b
RAX: ffffffffffffffda RBX: 00007f177ce13408 RCX: 00007f177cd8b8e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f177ce13400 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f177ce1340c
R13: 00007f177cde1004 R14: 6d705f706374706d R15: 0000000000022000
 </TASK>

Fix the issue by explicitly skipping MPTCP sockets in TCP_LISTEN
status.

Reported-and-tested-by: syzbot+e4d843bb96a9431e6331@syzkaller.appspotmail.com
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Fixes: 740d798e8767 ("mptcp: remove id 0 address")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Link: https://lore.kernel.org/r/ebc7594cdd420d241fb2172ddb8542ba64717657.1639238695.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mptcp/pm_netlink.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/mptcp/pm_netlink.c b/net/mptcp/pm_netlink.c
index 050eea231528b..b79251a36dcbc 100644
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -700,6 +700,9 @@ static void mptcp_pm_nl_rm_addr_or_subflow(struct mptcp_sock *msk,
 
 	msk_owned_by_me(msk);
 
+	if (sk->sk_state == TCP_LISTEN)
+		return;
+
 	if (!rm_list->nr)
 		return;
 
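Review bot: the new `sk->sk_state == TCP_LISTEN` early return after msk_owned_by_me(msk) has no comment saying why listeners are skipped. A one-line comment that the PM must only touch data subflows, never the listener's own TCP socket, would keep a later cleanup from dropping the check. `sk` is not declared in the visible context, so please confirm it refers to the msk's own socket rather than a subflow socket.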
-- 
2.33.0





* [PATCH 5.15 078/177] drm/ast: potential dereference of null pointer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 077/177] mptcp: never allow the PM to close a listener subflow Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 079/177] drm/i915/display: Fix an unsigned subtraction which can never be negative Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiasheng Jiang, Thomas Zimmermann,
	Sasha Levin

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

[ Upstream commit fea3fdf975dd9f3e5248afaab8fe023db313f005 ]

The return value of kzalloc() needs to be checked to avoid use of the
null pointer '&ast_state->base' in case the allocation fails.

Fixes: f0adbc382b8b ("drm/ast: Allocate initial CRTC state of the correct size")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20211214014126.2211535-1-jiasheng@iscas.ac.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/ast/ast_mode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/ast/ast_mode.c b/drivers/gpu/drm/ast/ast_mode.c
index 1e30eaeb0e1b3..d5c98f79d58d3 100644
--- a/drivers/gpu/drm/ast/ast_mode.c
+++ b/drivers/gpu/drm/ast/ast_mode.c
@@ -1121,7 +1121,10 @@ static void ast_crtc_reset(struct drm_crtc *crtc)
 	if (crtc->state)
 		crtc->funcs->atomic_destroy_state(crtc, crtc->state);
 
-	__drm_atomic_helper_crtc_reset(crtc, &ast_state->base);
+	if (ast_state)
+		__drm_atomic_helper_crtc_reset(crtc, &ast_state->base);
+	else
+		__drm_atomic_helper_crtc_reset(crtc, NULL);
 }
 
 static struct drm_crtc_state *
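Review bot: in ast_crtc_reset() the allocation failure is handled silently: the else branch resets the CRTC with a NULL state and nothing is logged, so the failure leaves no trace for whoever debugs a later problem. Consider a drm_err() or similar in the else branch. Since the two branches differ only in the second argument, a single call passing `ast_state ? &ast_state->base : NULL` would also be shorter.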
-- 
2.33.0





* [PATCH 5.15 079/177] drm/i915/display: Fix an unsigned subtraction which can never be negative.
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 078/177] drm/ast: potential dereference of null pointer Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 080/177] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Harshit Mogalapalli, Lucas De Marchi,
	Rodrigo Vivi, Sasha Levin

From: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>

[ Upstream commit 53b3495273282aa844c4613d19c3b30558c70c84 ]

smatch warning:
drivers/gpu/drm/i915/display/intel_dmc.c:601 parse_dmc_fw() warn:
unsigned 'fw->size - offset' is never less than zero

Firmware size is size_t and offset is u32. So the subtraction is
unsigned which can never be less than zero.

Fixes: 3d5928a168a9 ("drm/i915/xelpd: Pipe A DMC plugging")
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Reviewed-by: Lucas De Marchi <lucas.demarchi@intel.com>
Signed-off-by: Lucas De Marchi <lucas.demarchi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20211210044129.12422-1-harshit.m.mogalapalli@oracle.com
(cherry picked from commit 87bb2a410dcfb617b88e4695edf4beb6336dc314)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dmc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/i915/display/intel_dmc.c b/drivers/gpu/drm/i915/display/intel_dmc.c
index b3c8e1c450efb..73076737add75 100644
--- a/drivers/gpu/drm/i915/display/intel_dmc.c
+++ b/drivers/gpu/drm/i915/display/intel_dmc.c
@@ -606,7 +606,7 @@ static void parse_dmc_fw(struct drm_i915_private *dev_priv,
 			continue;
 
 		offset = readcount + dmc->dmc_info[id].dmc_offset * 4;
-		if (fw->size - offset < 0) {
+		if (offset > fw->size) {
 			drm_err(&dev_priv->drm, "Reading beyond the fw_size\n");
 			continue;
 		}
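Review bot: `offset > fw->size` in parse_dmc_fw() only rejects an offset past the end; `offset == fw->size` still passes, and nothing in this hunk checks that the payload to be read starting at `offset` fits in the bytes that remain. `offset` is also computed as `readcount + dmc->dmc_info[id].dmc_offset * 4` in what the commit message says is a u32, so a large dmc_offset can wrap before the comparison is made. Suggest checking that arithmetic for overflow and comparing the payload length against `fw->size - offset` once the offset itself has been accepted.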
-- 
2.33.0





* [PATCH 5.15 080/177] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 079/177] drm/i915/display: Fix an unsigned subtraction which can never be negative Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 081/177] cfg80211: Acquire wiphy mutex on regulatory work Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Chris Murphy, Johannes Berg,
	Luca Coelho, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 06c41bda0ea14aa7fba932a9613c4ee239682cf0 ]

When we call ieee80211_agg_start_txq(), that will in turn call
schedule_and_wake_txq(). Called from ieee80211_stop_tx_ba_cb()
this is done under sta->lock, which leads to certain circular
lock dependencies, as reported by Chris Murphy:
https://lore.kernel.org/r/CAJCQCtSXJ5qA4bqSPY=oLRMbv-irihVvP7A2uGutEbXQVkoNaw@mail.gmail.com

In general, ieee80211_agg_start_txq() is usually not called
with sta->lock held, only in this one place. But it's always
called with sta->ampdu_mlme.mtx held, and that's therefore
clearly sufficient.

Change ieee80211_stop_tx_ba_cb() to also call it without the
sta->lock held, by factoring it out of ieee80211_remove_tid_tx()
(which is only called in this one place).

This breaks the locking chain and makes it less likely that
we'll have similar locking chain problems in the future.

Fixes: ba8c3d6f16a1 ("mac80211: add an intermediate software queue implementation")
Reported-by: Chris Murphy <lists@colorremedies.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211202152554.f519884c8784.I555fef8e67d93fff3d9a304886c4a9f8b322e591@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/agg-tx.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/agg-tx.c b/net/mac80211/agg-tx.c
index 58761ca7da3c5..74a878f213d3e 100644
--- a/net/mac80211/agg-tx.c
+++ b/net/mac80211/agg-tx.c
@@ -9,7 +9,7 @@
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
  * Copyright(c) 2015-2017 Intel Deutschland GmbH
- * Copyright (C) 2018 - 2020 Intel Corporation
+ * Copyright (C) 2018 - 2021 Intel Corporation
  */
 
 #include <linux/ieee80211.h>
@@ -213,6 +213,8 @@ ieee80211_agg_start_txq(struct sta_info *sta, int tid, bool enable)
 	struct ieee80211_txq *txq = sta->sta.txq[tid];
 	struct txq_info *txqi;
 
+	lockdep_assert_held(&sta->ampdu_mlme.mtx);
+
 	if (!txq)
 		return;
 
@@ -290,7 +292,6 @@ static void ieee80211_remove_tid_tx(struct sta_info *sta, int tid)
 	ieee80211_assign_tid_tx(sta, tid, NULL);
 
 	ieee80211_agg_splice_finish(sta->sdata, tid);
-	ieee80211_agg_start_txq(sta, tid, false);
 
 	kfree_rcu(tid_tx, rcu_head);
 }
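Review bot: with the ieee80211_agg_start_txq() call removed, ieee80211_remove_tid_tx() no longer restarts the txq, and the function carries no comment saying that the caller now has to. Add a short comment stating that the caller must call ieee80211_agg_start_txq(sta, tid, false) itself, after dropping sta->lock, so a future second caller does not lose the restart.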
@@ -889,6 +890,7 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
 {
 	struct ieee80211_sub_if_data *sdata = sta->sdata;
 	bool send_delba = false;
+	bool start_txq = false;
 
 	ht_dbg(sdata, "Stopping Tx BA session for %pM tid %d\n",
 	       sta->sta.addr, tid);
@@ -906,10 +908,14 @@ void ieee80211_stop_tx_ba_cb(struct sta_info *sta, int tid,
 		send_delba = true;
 
 	ieee80211_remove_tid_tx(sta, tid);
+	start_txq = true;
 
  unlock_sta:
 	spin_unlock_bh(&sta->lock);
 
+	if (start_txq)
+		ieee80211_agg_start_txq(sta, tid, false);
+
 	if (send_delba)
 		ieee80211_send_delba(sdata, sta->sta.addr, tid,
 			WLAN_BACK_INITIATOR, WLAN_REASON_QSTA_NOT_USE);
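Review bot: `start_txq = true` is set unconditionally right after ieee80211_remove_tid_tx(), so the flag only records whether the unlock_sta label was reached by fall-through or by goto; nothing at the site says so, or why the call has to sit after spin_unlock_bh(&sta->lock). A one-line comment at the `if (start_txq)` block naming the lock ordering problem would stop someone from folding the call back under the spinlock.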
-- 
2.33.0





* [PATCH 5.15 081/177] cfg80211: Acquire wiphy mutex on regulatory work
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 080/177] mac80211: agg-tx: dont schedule_and_wake_txq() under sta->lock Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 082/177] mac80211: fix lookup when adding AddBA extension element Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilan Peer, Luca Coelho,
	Johannes Berg, Sasha Levin

From: Ilan Peer <ilan.peer@intel.com>

[ Upstream commit e08ebd6d7b90ae81f21425ca39136f5b2272580f ]

The function cfg80211_reg_can_beacon_relax() expects wiphy
mutex to be held when it is being called. However, when
reg_leave_invalid_chans() is called the mutex is not held.
Fix it by acquiring the lock before calling the function.

Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver")
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211202152831.527686cda037.I40ad9372a47cbad53b4aae7b5a6ccc0dc3fddf8b@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/reg.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/net/wireless/reg.c b/net/wireless/reg.c
index df87c7f3a0492..795e86b371bba 100644
--- a/net/wireless/reg.c
+++ b/net/wireless/reg.c
@@ -2338,6 +2338,7 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
 	struct cfg80211_chan_def chandef = {};
 	struct cfg80211_registered_device *rdev = wiphy_to_rdev(wiphy);
 	enum nl80211_iftype iftype;
+	bool ret;
 
 	wdev_lock(wdev);
 	iftype = wdev->iftype;
@@ -2387,7 +2388,11 @@ static bool reg_wdev_chan_valid(struct wiphy *wiphy, struct wireless_dev *wdev)
 	case NL80211_IFTYPE_AP:
 	case NL80211_IFTYPE_P2P_GO:
 	case NL80211_IFTYPE_ADHOC:
-		return cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype);
+		wiphy_lock(wiphy);
+		ret = cfg80211_reg_can_beacon_relax(wiphy, &chandef, iftype);
+		wiphy_unlock(wiphy);
+
+		return ret;
 	case NL80211_IFTYPE_STATION:
 	case NL80211_IFTYPE_P2P_CLIENT:
 		return cfg80211_chandef_usable(wiphy, &chandef,
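Review bot: wiphy_lock() is taken only around cfg80211_reg_can_beacon_relax() in the AP/P2P_GO/ADHOC case, while the function begins with wdev_lock(wdev) and the lines in between are not shown. Please confirm that the wdev lock has been released by this point, or that taking the wiphy mutex after the wdev lock is the established order, and that no caller of reg_wdev_chan_valid() already holds the wiphy mutex, since acquiring it again here would deadlock.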
-- 
2.33.0





* [PATCH 5.15 082/177] mac80211: fix lookup when adding AddBA extension element
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 081/177] cfg80211: Acquire wiphy mutex on regulatory work Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 083/177] net: stmmac: fix tc flower deletion for VLAN priority Rx steering Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johannes Berg, Luca Coelho, Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 511ab0c1dfb260a6b17b8771109e8d63474473a7 ]

We should be doing the HE capabilities lookup based on the full
interface type, so that if P2P doesn't have HE but the client has, it
doesn't get confused. Fix that.

Fixes: 2ab45876756f ("mac80211: add support for the ADDBA extension element")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Link: https://lore.kernel.org/r/iwlwifi.20211129152938.010fc1d61137.If3a468145f29d670cb00a693bed559d8290ba693@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/agg-rx.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/mac80211/agg-rx.c b/net/mac80211/agg-rx.c
index cce28e3b22323..ef729b1e39ea3 100644
--- a/net/mac80211/agg-rx.c
+++ b/net/mac80211/agg-rx.c
@@ -9,7 +9,7 @@
  * Copyright 2007, Michael Wu <flamingice@sourmilk.net>
  * Copyright 2007-2010, Intel Corporation
  * Copyright(c) 2015-2017 Intel Deutschland GmbH
- * Copyright (C) 2018-2020 Intel Corporation
+ * Copyright (C) 2018-2021 Intel Corporation
  */
 
 /**
@@ -191,7 +191,8 @@ static void ieee80211_add_addbaext(struct ieee80211_sub_if_data *sdata,
 	sband = ieee80211_get_sband(sdata);
 	if (!sband)
 		return;
-	he_cap = ieee80211_get_he_iftype_cap(sband, sdata->vif.type);
+	he_cap = ieee80211_get_he_iftype_cap(sband,
+					     ieee80211_vif_type_p2p(&sdata->vif));
 	if (!he_cap)
 		return;
 
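Review bot: the switch from `sdata->vif.type` to `ieee80211_vif_type_p2p(&sdata->vif)` in ieee80211_add_addbaext() fixes this one lookup only. Other callers of ieee80211_get_he_iftype_cap() that pass the bare vif.type would have the same P2P mismatch, so a grep for them is worth doing before this is considered complete.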
-- 
2.33.0





* [PATCH 5.15 083/177] net: stmmac: fix tc flower deletion for VLAN priority Rx steering
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 082/177] mac80211: fix lookup when adding AddBA extension element Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 084/177] flow_offload: return EOPNOTSUPP for the unsupported mpls action type Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kurt Kanzenbach, Ong Boon Leong,
	David S. Miller, Sasha Levin

From: Ong Boon Leong <boon.leong.ong@intel.com>

[ Upstream commit aeb7c75cb77478fdbf821628e9c95c4baa9adc63 ]

To replicate the issue:-

1) Add 1 flower filter for VLAN Priority based frame steering:-
$ IFDEVNAME=eth0
$ tc qdisc add dev $IFDEVNAME ingress
$ tc qdisc add dev $IFDEVNAME root mqprio num_tc 8 \
   map 0 1 2 3 4 5 6 7 0 0 0 0 0 0 0 0 \
   queues 1@0 1@1 1@2 1@3 1@4 1@5 1@6 1@7 hw 0
$ tc filter add dev $IFDEVNAME parent ffff: protocol 802.1Q \
   flower vlan_prio 0 hw_tc 0

2) Get the 'pref' id
$ tc filter show dev $IFDEVNAME ingress

3) Delete a specific tc flower record (say pref 49151)
$ tc filter del dev $IFDEVNAME parent ffff: pref 49151

From dmesg, we will observe kernel NULL pointer oops

[  197.170464] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  197.171367] #PF: supervisor read access in kernel mode
[  197.171367] #PF: error_code(0x0000) - not-present page
[  197.171367] PGD 0 P4D 0
[  197.171367] Oops: 0000 [#1] PREEMPT SMP NOPTI

<snip>

[  197.171367] RIP: 0010:tc_setup_cls+0x20b/0x4a0 [stmmac]

<snip>

[  197.171367] Call Trace:
[  197.171367]  <TASK>
[  197.171367]  ? __stmmac_disable_all_queues+0xa8/0xe0 [stmmac]
[  197.171367]  stmmac_setup_tc_block_cb+0x70/0x110 [stmmac]
[  197.171367]  tc_setup_cb_destroy+0xb3/0x180
[  197.171367]  fl_hw_destroy_filter+0x94/0xc0 [cls_flower]

The above issue is due to previous incorrect implementation of
tc_del_vlan_flow(), shown below, that uses flow_cls_offload_flow_rule()
to get struct flow_rule *rule which is no longer valid for tc filter
delete operation.

  struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
  struct flow_dissector *dissector = rule->match.dissector;

So, to ensure tc_del_vlan_flow() deletes the right VLAN cls record for
earlier configured RX queue (configured by hw_tc) in tc_add_vlan_flow(),
this patch introduces stmmac_rfs_entry as driver-side flow_cls_offload
record for 'RX frame steering' tc flower, currently used for VLAN
priority. The implementation has taken consideration for future extension
to include other type RX frame steering such as EtherType based.

v2:
 - Clean up overly extensive backtrace and rewrite git message to better
   explain the kernel NULL pointer issue.

Fixes: 0e039f5cf86c ("net: stmmac: add RX frame steering based on VLAN priority in tc flower")
Tested-by: Kurt Kanzenbach <kurt@linutronix.de>
Signed-off-by: Ong Boon Leong <boon.leong.ong@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/stmmac.h  | 17 ++++
 .../net/ethernet/stmicro/stmmac/stmmac_tc.c   | 86 ++++++++++++++++---
 2 files changed, 90 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac.h b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
index 5f129733aabd2..873b9e3e5da25 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
@@ -172,6 +172,19 @@ struct stmmac_flow_entry {
 	int is_l4;
 };
 
+/* Rx Frame Steering */
+enum stmmac_rfs_type {
+	STMMAC_RFS_T_VLAN,
+	STMMAC_RFS_T_MAX,
+};
+
+struct stmmac_rfs_entry {
+	unsigned long cookie;
+	int in_use;
+	int type;
+	int tc;
+};
+
 struct stmmac_priv {
 	/* Frequently used values are kept adjacent for cache effect */
 	u32 tx_coal_frames[MTL_MAX_TX_QUEUES];
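Review bot: `int in_use` in struct stmmac_rfs_entry is assigned true/false and compared with `== false` in stmmac_tc.c, so it should be declared `bool`. Likewise `int type` only ever holds an enum stmmac_rfs_type value and could use that type, which lets the compiler flag stray assignments.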
@@ -289,6 +302,10 @@ struct stmmac_priv {
 	struct stmmac_tc_entry *tc_entries;
 	unsigned int flow_entries_max;
 	struct stmmac_flow_entry *flow_entries;
+	unsigned int rfs_entries_max[STMMAC_RFS_T_MAX];
+	unsigned int rfs_entries_cnt[STMMAC_RFS_T_MAX];
+	unsigned int rfs_entries_total;
+	struct stmmac_rfs_entry *rfs_entries;
 
 	/* Pulse Per Second output */
 	struct stmmac_pps_cfg pps[STMMAC_PPS_MAX];
diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
index 1c4ea0b1b845b..d0a2b289f4603 100644
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -232,11 +232,33 @@ static int tc_setup_cls_u32(struct stmmac_priv *priv,
 	}
 }
 
+static int tc_rfs_init(struct stmmac_priv *priv)
+{
+	int i;
+
+	priv->rfs_entries_max[STMMAC_RFS_T_VLAN] = 8;
+
+	for (i = 0; i < STMMAC_RFS_T_MAX; i++)
+		priv->rfs_entries_total += priv->rfs_entries_max[i];
+
+	priv->rfs_entries = devm_kcalloc(priv->device,
+					 priv->rfs_entries_total,
+					 sizeof(*priv->rfs_entries),
+					 GFP_KERNEL);
+	if (!priv->rfs_entries)
+		return -ENOMEM;
+
+	dev_info(priv->device, "Enabled RFS Flow TC (entries=%d)\n",
+		 priv->rfs_entries_total);
+
+	return 0;
+}
+
 static int tc_init(struct stmmac_priv *priv)
 {
 	struct dma_features *dma_cap = &priv->dma_cap;
 	unsigned int count;
-	int i;
+	int ret, i;
 
 	if (dma_cap->l3l4fnum) {
 		priv->flow_entries_max = dma_cap->l3l4fnum;
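Review bot: tc_rfs_init() accumulates into priv->rfs_entries_total with `+=` without zeroing it first, so a second call to tc_init() on the same priv would double the total and allocate a second, larger array. Set the total to 0 before the loop. The dev_info() also prints the unsigned total with %d; use %u.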
@@ -250,10 +272,14 @@ static int tc_init(struct stmmac_priv *priv)
 		for (i = 0; i < priv->flow_entries_max; i++)
 			priv->flow_entries[i].idx = i;
 
-		dev_info(priv->device, "Enabled Flow TC (entries=%d)\n",
+		dev_info(priv->device, "Enabled L3L4 Flow TC (entries=%d)\n",
 			 priv->flow_entries_max);
 	}
 
+	ret = tc_rfs_init(priv);
+	if (ret)
+		return -ENOMEM;
+
 	if (!priv->plat->fpe_cfg) {
 		priv->plat->fpe_cfg = devm_kzalloc(priv->device,
 						   sizeof(*priv->plat->fpe_cfg),
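Review bot: `if (ret) return -ENOMEM;` after tc_rfs_init() throws away the returned code. Use `return ret;` so the two stay in step if tc_rfs_init() ever gains another failure mode.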
@@ -607,16 +633,45 @@ static int tc_del_flow(struct stmmac_priv *priv,
 	return ret;
 }
 
+static struct stmmac_rfs_entry *tc_find_rfs(struct stmmac_priv *priv,
+					    struct flow_cls_offload *cls,
+					    bool get_free)
+{
+	int i;
+
+	for (i = 0; i < priv->rfs_entries_total; i++) {
+		struct stmmac_rfs_entry *entry = &priv->rfs_entries[i];
+
+		if (entry->cookie == cls->cookie)
+			return entry;
+		if (get_free && entry->in_use == false)
+			return entry;
+	}
+
+	return NULL;
+}
+
 #define VLAN_PRIO_FULL_MASK (0x07)
 
 static int tc_add_vlan_flow(struct stmmac_priv *priv,
 			    struct flow_cls_offload *cls)
 {
+	struct stmmac_rfs_entry *entry = tc_find_rfs(priv, cls, false);
 	struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
 	struct flow_dissector *dissector = rule->match.dissector;
 	int tc = tc_classid_to_hwtc(priv->dev, cls->classid);
 	struct flow_match_vlan match;
 
+	if (!entry) {
+		entry = tc_find_rfs(priv, cls, true);
+		if (!entry)
+			return -ENOENT;
+	}
+
+	if (priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN] >=
+	    priv->rfs_entries_max[STMMAC_RFS_T_VLAN])
+		return -ENOENT;
+
 	/* Nothing to do here */
 	if (!dissector_uses_key(dissector, FLOW_DISSECTOR_KEY_VLAN))
 		return -EINVAL;
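Review bot: tc_find_rfs() compares `entry->cookie == cls->cookie` without looking at in_use, so a free slot (cookie 0) matches a request whose cookie is 0, and with get_free set the loop can return a free slot at a lower index even though a matching in-use entry exists further on. tc_add_vlan_flow() avoids the second case by looking up with get_free false first, but the helper would be safer if it required `entry->in_use` together with the cookie match. The two table-full paths also return -ENOENT; -ENOSPC would describe the condition better.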
@@ -638,6 +693,12 @@ static int tc_add_vlan_flow(struct stmmac_priv *priv,
 
 		prio = BIT(match.key->vlan_priority);
 		stmmac_rx_queue_prio(priv, priv->hw, prio, tc);
+
+		entry->in_use = true;
+		entry->cookie = cls->cookie;
+		entry->tc = tc;
+		entry->type = STMMAC_RFS_T_VLAN;
+		priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]++;
 	}
 
 	return 0;
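Review bot: `priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]++` runs even when `entry` was found by cookie and is already in_use, so re-adding a filter with the same cookie counts one slot twice and the counter drifts away from the number of used entries. Increment only when the entry was not in use before the assignment.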
@@ -646,20 +707,19 @@ static int tc_add_vlan_flow(struct stmmac_priv *priv,
 static int tc_del_vlan_flow(struct stmmac_priv *priv,
 			    struct flow_cls_offload *cls)
 {
-	struct flow_rule *rule = flow_cls_offload_flow_rule(cls);
-	struct flow_dissector *dissector = rule->match.dissector;
-	int tc = tc_classid_to_hwtc(priv->dev, cls->classid);
+	struct stmmac_rfs_entry *entry = tc_find_rfs(priv, cls, false);
 
-	/* Nothing to do here */
-	if (!dissector_uses_key(dissector, FLOW_DISSECTOR_KEY_VLAN))
-		return -EINVAL;
+	if (!entry || !entry->in_use || entry->type != STMMAC_RFS_T_VLAN)
+		return -ENOENT;
 
-	if (tc < 0) {
-		netdev_err(priv->dev, "Invalid traffic class\n");
-		return -EINVAL;
-	}
+	stmmac_rx_queue_prio(priv, priv->hw, 0, entry->tc);
+
+	entry->in_use = false;
+	entry->cookie = 0;
+	entry->tc = 0;
+	entry->type = 0;
 
-	stmmac_rx_queue_prio(priv, priv->hw, 0, tc);
+	priv->rfs_entries_cnt[STMMAC_RFS_T_VLAN]--;
 
 	return 0;
 }
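Review bot: tc_del_vlan_flow() resets `entry->type = 0`, and 0 is STMMAC_RFS_T_VLAN in the new enum, so a freed slot still reads as a VLAN entry and only in_use tells it apart. Either leave type untouched on delete or add an explicit "none" enumerator, so that a future RFS type does not have to rely on every reader checking in_use first.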
-- 
2.33.0





* [PATCH 5.15 084/177] flow_offload: return EOPNOTSUPP for the unsupported mpls action type
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 083/177] net: stmmac: fix tc flower deletion for VLAN priority Rx steering Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 085/177] rds: memory leak in __rds_conn_create() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Baowen Zheng, Simon Horman,
	Jamal Hadi Salim, David S. Miller, Sasha Levin

From: Baowen Zheng <baowen.zheng@corigine.com>

[ Upstream commit 166b6a46b78bf8b9559a6620c3032f9fe492e082 ]

We need to return EOPNOTSUPP for the unsupported mpls action type when
setting up the flow action.

In the original implementation, we return 0 for the unsupported mpls
action type, but actually we do not set it up, nor the following
actions, in the flow action entry.

Fixes: 9838b20a7fb2 ("net: sched: take rtnl lock in tc_setup_flow_action()")
Signed-off-by: Baowen Zheng <baowen.zheng@corigine.com>
Signed-off-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sched/cls_api.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/sched/cls_api.c b/net/sched/cls_api.c
index 2ef8f5a6205a9..e54f0a42270c1 100644
--- a/net/sched/cls_api.c
+++ b/net/sched/cls_api.c
@@ -3687,6 +3687,7 @@ int tc_setup_flow_action(struct flow_action *flow_action,
 				entry->mpls_mangle.ttl = tcf_mpls_ttl(act);
 				break;
 			default:
+				err = -EOPNOTSUPP;
 				goto err_out_locked;
 			}
 		} else if (is_tcf_skbedit_ptype(act)) {
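Review bot: the `default:` branch now sets `err = -EOPNOTSUPP` before `goto err_out_locked`, which raises the question of what `err` holds on the other jumps to that label, given that the commit message says the old code returned 0 here. Worth auditing every `goto err_out_locked` in tc_setup_flow_action() for the same missing assignment.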
-- 
2.33.0





* [PATCH 5.15 085/177] rds: memory leak in __rds_conn_create()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 084/177] flow_offload: return EOPNOTSUPP for the unsupported mpls action type Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 086/177] ice: Use div64_u64 instead of div_u64 in adjfine Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hangyu Hua, Sharath Srinivasan,
	David S. Miller, Sasha Levin

From: Hangyu Hua <hbh25y@gmail.com>

[ Upstream commit 5f9562ebe710c307adc5f666bf1a2162ee7977c0 ]

__rds_conn_create() did not release conn->c_path when loop_trans != 0 and
trans->t_prefer_loopback != 0 and is_outgoing == 0.

Fixes: aced3ce57cd3 ("RDS tcp loopback connection can hang")
Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
Reviewed-by: Sharath Srinivasan <sharath.srinivasan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/rds/connection.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/rds/connection.c b/net/rds/connection.c
index a3bc4b54d4910..b4cc699c5fad3 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -253,6 +253,7 @@ static struct rds_connection *__rds_conn_create(struct net *net,
 				 * should end up here, but if it
 				 * does, reset/destroy the connection.
 				 */
+				kfree(conn->c_path);
 				kmem_cache_free(rds_conn_slab, conn);
 				conn = ERR_PTR(-EOPNOTSUPP);
 				goto out;
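Review bot: `kfree(conn->c_path)` is added ahead of `kmem_cache_free(rds_conn_slab, conn)` on this one error path only. If other exits of __rds_conn_create() free `conn` the same way, the pair belongs in one helper or behind a shared label, so that the next error path cannot forget c_path again.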
-- 
2.33.0





* [PATCH 5.15 086/177] ice: Use div64_u64 instead of div_u64 in adjfine
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 085/177] rds: memory leak in __rds_conn_create() Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 087/177] ice: Dont put stale timestamps in the skb Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Karol Kolacinski, Gurucharan G,
	Tony Nguyen, Sasha Levin

From: Karol Kolacinski <karol.kolacinski@intel.com>

[ Upstream commit 0013881c1145d36bf26165bb70fdd7560a5507a3 ]

Change the division in ice_ptp_adjfine from div_u64 to div64_u64.
div_u64 is used when the divisor is 32 bit but in this case incval is
64 bit and it caused incorrect calculations and incval adjustments.

Fixes: 06c16d89d2cb ("ice: register 1588 PTP clock device object for E810 devices")
Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
Tested-by: Gurucharan G <gurucharanx.g@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_ptp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
index d1ef3d48a4b03..9df546984de25 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
@@ -459,7 +459,7 @@ static int ice_ptp_adjfine(struct ptp_clock_info *info, long scaled_ppm)
 		scaled_ppm = -scaled_ppm;
 	}
 
-	while ((u64)scaled_ppm > div_u64(U64_MAX, incval)) {
+	while ((u64)scaled_ppm > div64_u64(U64_MAX, incval)) {
 		/* handle overflow by scaling down the scaled_ppm and
 		 * the divisor, losing some precision
 		 */
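Review bot: `div64_u64(U64_MAX, incval)` in the loop condition divides by incval on every iteration, and nothing in the visible lines rules out incval == 0. If incval can be zero, guard it before the loop; and if incval is not modified inside the loop body, compute the quotient once before the `while` instead of on each pass.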
-- 
2.33.0





* [PATCH 5.15 087/177] ice: Dont put stale timestamps in the skb
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 086/177] ice: Use div64_u64 instead of div_u64 in adjfine Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 088/177] drm/amd/display: Set exit_optimized_pwr_state for DCN31 Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Karol Kolacinski, Gurucharan G,
	Tony Nguyen, Sasha Levin

From: Karol Kolacinski <karol.kolacinski@intel.com>

[ Upstream commit 37e738b6fdb14529534dca441e0222313688fde3 ]

The driver has to check if it does not accidentally put the timestamp in
the SKB before previous timestamp gets overwritten.
Timestamp values in the PHY are read only and do not get cleared except
at hardware reset or when a new timestamp value is captured.
The cached_tstamp field is used to detect the case where a new timestamp
has not yet been captured, ensuring that we avoid sending stale
timestamp data to the stack.

Fixes: ea9b847cda64 ("ice: enable transmit timestamps for E810 devices")
Signed-off-by: Karol Kolacinski <karol.kolacinski@intel.com>
Tested-by: Gurucharan G <gurucharanx.g@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ice/ice_ptp.c | 11 ++++-------
 drivers/net/ethernet/intel/ice/ice_ptp.h |  6 ++++++
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.c b/drivers/net/ethernet/intel/ice/ice_ptp.c
index 9df546984de25..ac27a4fe8b94c 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp.c
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.c
@@ -1182,19 +1182,16 @@ static void ice_ptp_tx_tstamp_work(struct kthread_work *work)
 		if (err)
 			continue;
 
-		/* Check if the timestamp is valid */
-		if (!(raw_tstamp & ICE_PTP_TS_VALID))
+		/* Check if the timestamp is invalid or stale */
+		if (!(raw_tstamp & ICE_PTP_TS_VALID) ||
+		    raw_tstamp == tx->tstamps[idx].cached_tstamp)
 			continue;
 
-		/* clear the timestamp register, so that it won't show valid
-		 * again when re-used.
-		 */
-		ice_clear_phy_tstamp(hw, tx->quad, phy_idx);
-
 		/* The timestamp is valid, so we'll go ahead and clear this
 		 * index and then send the timestamp up to the stack.
 		 */
 		spin_lock(&tx->lock);
+		tx->tstamps[idx].cached_tstamp = raw_tstamp;
 		clear_bit(idx, tx->in_use);
 		skb = tx->tstamps[idx].skb;
 		tx->tstamps[idx].skb = NULL;
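Review bot: The new stale test `raw_tstamp == tx->tstamps[idx].cached_tstamp` reads cached_tstamp before `spin_lock(&tx->lock)` is taken, while the only store to the field in this hunk happens under that lock. If ice_ptp_tx_tstamp_work() is the sole reader and writer of cached_tstamp, say so in a comment next to the check; otherwise move the comparison inside the locked region.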
diff --git a/drivers/net/ethernet/intel/ice/ice_ptp.h b/drivers/net/ethernet/intel/ice/ice_ptp.h
index e1c787bd5b967..8cdd6f7046b73 100644
--- a/drivers/net/ethernet/intel/ice/ice_ptp.h
+++ b/drivers/net/ethernet/intel/ice/ice_ptp.h
@@ -46,15 +46,21 @@ struct ice_perout_channel {
  * struct ice_tx_tstamp - Tracking for a single Tx timestamp
  * @skb: pointer to the SKB for this timestamp request
  * @start: jiffies when the timestamp was first requested
+ * @cached_tstamp: last read timestamp
  *
  * This structure tracks a single timestamp request. The SKB pointer is
  * provided when initiating a request. The start time is used to ensure that
  * we discard old requests that were not fulfilled within a 2 second time
  * window.
+ * Timestamp values in the PHY are read only and do not get cleared except at
+ * hardware reset or when a new timestamp value is captured. The cached_tstamp
+ * field is used to detect the case where a new timestamp has not yet been
+ * captured, ensuring that we avoid sending stale timestamp data to the stack.
  */
 struct ice_tx_tstamp {
 	struct sk_buff *skb;
 	unsigned long start;
+	u64 cached_tstamp;
 };
 
 /**
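Review bot: The kernel-doc line `@cached_tstamp: last read timestamp` does not say that the field holds the raw PHY register value, valid bit included, which is what the equality test in ice_ptp_tx_tstamp_work() depends on. Suggest wording such as "raw PHY timestamp value last reported to the stack for this index", and a blank ` *` line before the added paragraph so it does not run into the sentence about the 2 second window.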
-- 
2.33.0





* [PATCH 5.15 088/177] drm/amd/display: Set exit_optimized_pwr_state for DCN31
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 087/177] ice: Dont put stale timestamps in the skb Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:33 ` [PATCH 5.15 089/177] drm/amd/pm: fix a potential gpu_metrics_table memory leak Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Yang, Pavle Kotarac,
	Daniel Wheeler, Nicholas Kazlauskas, Alex Deucher, Sasha Levin

From: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>

[ Upstream commit 7e4d2f30df3fb48f75ce9e96867d42bdddab83ac ]

[Why]
SMU now respects the PHY refclk disable request from driver.

This causes a hang during hotplug when PHY refclk was disabled
because it's not being re-enabled and the transmitter control
starts on dc_link_detect.

[How]
We normally would re-enable the clk with exit_optimized_pwr_state
but this is only set on DCN21 and DCN301. Set it for dcn31 as well.

This fixes DMCUB timeouts in the PHY.

Fixes: 64b1d0e8d500 ("drm/amd/display: Add DCN3.1 HWSEQ")

Reviewed-by: Eric Yang <Eric.Yang2@amd.com>
Acked-by: Pavle Kotarac <Pavle.Kotarac@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c
index 40011cd3c8ef0..ac8fb202fd5ee 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn31/dcn31_init.c
@@ -100,6 +100,7 @@ static const struct hw_sequencer_funcs dcn31_funcs = {
 	.z10_save_init = dcn31_z10_save_init,
 	.is_abm_supported = dcn31_is_abm_supported,
 	.set_disp_pattern_generator = dcn30_set_disp_pattern_generator,
+	.exit_optimized_pwr_state = dcn21_exit_optimized_pwr_state,
 	.update_visual_confirm_color = dcn20_update_visual_confirm_color,
 };
 
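Review bot: Only the exit hook is wired up here, `.exit_optimized_pwr_state = dcn21_exit_optimized_pwr_state`, and nothing in the table lines shown sets a matching entry hook for DCN31. Since the commit message says this hook is what re-enables the PHY refclk, a one-line comment on the new entry naming the hotplug/dc_link_detect case would keep a later cleanup from dropping it as an unpaired callback.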
-- 
2.33.0





* [PATCH 5.15 089/177] drm/amd/pm: fix a potential gpu_metrics_table memory leak
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 088/177] drm/amd/display: Set exit_optimized_pwr_state for DCN31 Greg Kroah-Hartman
@ 2021-12-20 14:33 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 090/177] mptcp: remove tcp ulp setsockopt support Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:33 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lang Yu, Lijo Lazar, Alex Deucher,
	Sasha Levin

From: Lang Yu <lang.yu@amd.com>

[ Upstream commit aa464957f7e660abd554f2546a588f6533720e21 ]

Memory is allocated for gpu_metrics_table in renoir_init_smc_tables(),
but not freed in smu_v12_0_fini_smc_tables(). Free it!

Fixes: 95868b85764a ("drm/amd/powerplay: add Renoir support for gpu metrics export")

Signed-off-by: Lang Yu <lang.yu@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
index d60b8c5e87157..43028f2cd28b5 100644
--- a/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu12/smu_v12_0.c
@@ -191,6 +191,9 @@ int smu_v12_0_fini_smc_tables(struct smu_context *smu)
 	kfree(smu_table->watermarks_table);
 	smu_table->watermarks_table = NULL;
 
+	kfree(smu_table->gpu_metrics_table);
+	smu_table->gpu_metrics_table = NULL;
+
 	return 0;
 }
 
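Review bot: gpu_metrics_table is freed here in the common smu_v12_0 teardown, while the commit message places its allocation in renoir_init_smc_tables(). kfree() accepts NULL, so the call is safe when the table was never allocated, but the split ownership deserves a short comment above the added `kfree(smu_table->gpu_metrics_table);` so the two sites stay in step.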
-- 
2.33.0





* [PATCH 5.15 090/177] mptcp: remove tcp ulp setsockopt support
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-12-20 14:33 ` [PATCH 5.15 089/177] drm/amd/pm: fix a potential gpu_metrics_table memory leak Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 091/177] mptcp: clear kern flag from fallback sockets Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+1fd9b69cde42967d1add,
	Florian Westphal, Mat Martineau, Jakub Kicinski, Sasha Levin

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 404cd9a22150f24acf23a8df2ad0c094ba379f57 ]

TCP_ULP setsockopt cannot be used for mptcp because it's already
used internally to plumb subflow (tcp) sockets to the mptcp layer.

syzbot managed to trigger a crash for mptcp connections that are
in fallback mode:

KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 1 PID: 1083 Comm: syz-executor.3 Not tainted 5.16.0-rc2-syzkaller #0
RIP: 0010:tls_build_proto net/tls/tls_main.c:776 [inline]
[..]
 __tcp_set_ulp net/ipv4/tcp_ulp.c:139 [inline]
 tcp_set_ulp+0x428/0x4c0 net/ipv4/tcp_ulp.c:160
 do_tcp_setsockopt+0x455/0x37c0 net/ipv4/tcp.c:3391
 mptcp_setsockopt+0x1b47/0x2400 net/mptcp/sockopt.c:638

Remove support for TCP_ULP setsockopt.

Fixes: d9e4c1291810 ("mptcp: only admit explicitly supported sockopt")
Reported-by: syzbot+1fd9b69cde42967d1add@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mptcp/sockopt.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/mptcp/sockopt.c b/net/mptcp/sockopt.c
index 8c03afac5ca03..4bb305342fcc7 100644
--- a/net/mptcp/sockopt.c
+++ b/net/mptcp/sockopt.c
@@ -523,7 +523,6 @@ static bool mptcp_supported_sockopt(int level, int optname)
 		case TCP_NODELAY:
 		case TCP_THIN_LINEAR_TIMEOUTS:
 		case TCP_CONGESTION:
-		case TCP_ULP:
 		case TCP_CORK:
 		case TCP_KEEPIDLE:
 		case TCP_KEEPINTVL:
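Review bot: Dropping `case TCP_ULP:` from mptcp_supported_sockopt() leaves no trace in the code of why this option is deliberately missing from an otherwise long list of accepted TCP options. A comment in this function noting that TCP_ULP is used internally to plumb subflow sockets to the mptcp layer, and so must not be accepted from userspace on an MPTCP socket, would stop it from being added back.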
-- 
2.33.0





* [PATCH 5.15 091/177] mptcp: clear kern flag from fallback sockets
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 090/177] mptcp: remove tcp ulp setsockopt support Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 092/177] mptcp: fix deadlock in __mptcp_push_pending() Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Mat Martineau,
	Jakub Kicinski, Sasha Levin

From: Florian Westphal <fw@strlen.de>

[ Upstream commit d6692b3b97bdc165d150f4c1505751a323a80717 ]

The mptcp ULP extension relies on sk->sk_sock_kern being set correctly:
It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from
working for plain tcp sockets (any userspace-exposed socket).

But in case of fallback, accept() can return a plain tcp sk.
In such case, sk is still tagged as 'kernel' and setsockopt will work.

This will crash the kernel. The subflow extension has a NULL ctx->conn
mptcp socket:

BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
Call Trace:
 tcp_data_ready+0xf8/0x370
 [..]

Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mptcp/protocol.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 421fa62ce5cdf..fdff811c9a0da 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2901,7 +2901,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
 		 */
 		if (WARN_ON_ONCE(!new_mptcp_sock)) {
 			tcp_sk(newsk)->is_mptcp = 0;
-			return newsk;
+			goto out;
 		}
 
 		/* acquire the 2nd reference for the owning socket */
@@ -2913,6 +2913,8 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
 				MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK);
 	}
 
+out:
+	newsk->sk_kern_sock = kern;
 	return newsk;
 }
 
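Review bot: `newsk->sk_kern_sock = kern;` at the new `out:` label dereferences newsk unconditionally, and the lines shown do not include the check that guarantees it is non-NULL on every path that falls through to the label. Please confirm the early return for a failed accept sits above both hunks. Also, the commit message refers to the field as sk->sk_sock_kern while the code uses sk_kern_sock; the message should use the real name so the fix can be found by searching.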
-- 
2.33.0





* [PATCH 5.15 092/177] mptcp: fix deadlock in __mptcp_push_pending()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 091/177] mptcp: clear kern flag from fallback sockets Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 093/177] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Westphal, Maxim Galaganov,
	Mat Martineau, Jakub Kicinski, Sasha Levin

From: Maxim Galaganov <max@internet.ru>

[ Upstream commit 3d79e3756ca90f7a6087b77b62c1d9c0801e0820 ]

__mptcp_push_pending() may call mptcp_flush_join_list() with subflow
socket lock held. If such call hits mptcp_sockopt_sync_all() then
subsequently __mptcp_sockopt_sync() could try to lock the subflow
socket for itself, causing a deadlock.

sysrq: Show Blocked State
task:ss-server       state:D stack:    0 pid:  938 ppid:     1 flags:0x00000000
Call Trace:
 <TASK>
 __schedule+0x2d6/0x10c0
 ? __mod_memcg_state+0x4d/0x70
 ? csum_partial+0xd/0x20
 ? _raw_spin_lock_irqsave+0x26/0x50
 schedule+0x4e/0xc0
 __lock_sock+0x69/0x90
 ? do_wait_intr_irq+0xa0/0xa0
 __lock_sock_fast+0x35/0x50
 mptcp_sockopt_sync_all+0x38/0xc0
 __mptcp_push_pending+0x105/0x200
 mptcp_sendmsg+0x466/0x490
 sock_sendmsg+0x57/0x60
 __sys_sendto+0xf0/0x160
 ? do_wait_intr_irq+0xa0/0xa0
 ? fpregs_restore_userregs+0x12/0xd0
 __x64_sys_sendto+0x20/0x30
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f9ba546c2d0
RSP: 002b:00007ffdc3b762d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f9ba56c8060 RCX: 00007f9ba546c2d0
RDX: 000000000000077a RSI: 0000000000e5e180 RDI: 0000000000000234
RBP: 0000000000cc57f0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9ba56c8060
R13: 0000000000b6ba60 R14: 0000000000cc7840 R15: 41d8685b1d7901b8
 </TASK>

Fix the issue by using __mptcp_flush_join_list() instead of plain
mptcp_flush_join_list() inside __mptcp_push_pending(), as suggested by
Florian. The sockopt sync will be deferred to the workqueue.

Fixes: 1b3e7ede1365 ("mptcp: setsockopt: handle SO_KEEPALIVE and SO_PRIORITY")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/244
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Maxim Galaganov <max@internet.ru>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mptcp/protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index fdff811c9a0da..4c889552cde77 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1549,7 +1549,7 @@ void __mptcp_push_pending(struct sock *sk, unsigned int flags)
 			int ret = 0;
 
 			prev_ssk = ssk;
-			mptcp_flush_join_list(msk);
+			__mptcp_flush_join_list(msk);
 			ssk = mptcp_subflow_get_send(msk);
 
 			/* First check. If the ssk has changed since
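Review bot: The switch to `__mptcp_flush_join_list(msk);` carries no comment, so the reason the plain variant must not be used at this call site (the subflow socket lock may be held and the sockopt sync would try to take it again) lives only in the commit message. Suggest a one-line comment above the call; the two names differ only by a prefix and a later cleanup could easily swap them back.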
-- 
2.33.0





* [PATCH 5.15 093/177] soc/tegra: fuse: Fix bitwise vs. logical OR warning
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 092/177] mptcp: fix deadlock in __mptcp_push_pending() Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 094/177] igb: Fix removal of unicast MAC filters of VFs Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michał Mirosław,
	Nathan Chancellor, Nick Desaulniers, Thierry Reding, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit a7083763619f7485ccdade160deb81737cf2732f ]

A new warning in clang points out two instances where boolean
expressions are being used with a bitwise OR instead of logical OR:

drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical]
                reg = tegra_fuse_read_spare(i) |
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
                                               ||
drivers/soc/tegra/fuse/speedo-tegra20.c:72:9: note: cast one or both operands to int to silence this warning
drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: warning: use of bitwise '|' with boolean operands [-Wbitwise-instead-of-logical]
                reg = tegra_fuse_read_spare(i) |
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~
                                               ||
drivers/soc/tegra/fuse/speedo-tegra20.c:87:9: note: cast one or both operands to int to silence this warning
2 warnings generated.

The motivation for the warning is that logical operations short circuit
while bitwise operations do not.

In this instance, tegra_fuse_read_spare() is not semantically returning
a boolean, it is returning a bit value. Use u32 for its return type so
that it can be used with either bitwise or boolean operators without any
warnings.

Fixes: 25cd5a391478 ("ARM: tegra: Add speedo-based process identification")
Link: https://github.com/ClangBuiltLinux/linux/issues/1488
Suggested-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/soc/tegra/fuse/fuse-tegra.c | 2 +-
 drivers/soc/tegra/fuse/fuse.h       | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/soc/tegra/fuse/fuse-tegra.c b/drivers/soc/tegra/fuse/fuse-tegra.c
index f2151815db585..e714ed3b61bc3 100644
--- a/drivers/soc/tegra/fuse/fuse-tegra.c
+++ b/drivers/soc/tegra/fuse/fuse-tegra.c
@@ -320,7 +320,7 @@ static struct platform_driver tegra_fuse_driver = {
 };
 builtin_platform_driver(tegra_fuse_driver);
 
-bool __init tegra_fuse_read_spare(unsigned int spare)
+u32 __init tegra_fuse_read_spare(unsigned int spare)
 {
 	unsigned int offset = fuse->soc->info->spare + spare * 4;
 
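Review bot: Changing the return type of `tegra_fuse_read_spare()` from bool to u32 removes the implicit normalisation to 0 or 1 that a bool return performed. The function body past the `offset` computation is not shown in this hunk; the return expression needs to mask the value down to a single bit, otherwise callers that OR the results together to build `reg` will pick up extra bits.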
diff --git a/drivers/soc/tegra/fuse/fuse.h b/drivers/soc/tegra/fuse/fuse.h
index de58feba04350..ecff0c08e9595 100644
--- a/drivers/soc/tegra/fuse/fuse.h
+++ b/drivers/soc/tegra/fuse/fuse.h
@@ -65,7 +65,7 @@ struct tegra_fuse {
 void tegra_init_revision(void);
 void tegra_init_apbmisc(void);
 
-bool __init tegra_fuse_read_spare(unsigned int spare);
+u32 __init tegra_fuse_read_spare(unsigned int spare);
 u32 __init tegra_fuse_read_early(unsigned int offset);
 
 u8 tegra_get_major_rev(void);
-- 
2.33.0





* [PATCH 5.15 094/177] igb: Fix removal of unicast MAC filters of VFs
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 093/177] soc/tegra: fuse: Fix bitwise vs. logical OR warning Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 095/177] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Karen Sornek, Konrad Jankowski,
	Tony Nguyen, Sasha Levin

From: Karen Sornek <karen.sornek@intel.com>

[ Upstream commit 584af82154f56e6b2740160fcc84a2966d969e15 ]

Move checking condition of VF MAC filter before clearing
or adding MAC filter to VF to prevent potential blackout caused
by removal of necessary and working VF's MAC filter.

Fixes: 1b8b062a99dc ("igb: add VF trust infrastructure")
Signed-off-by: Karen Sornek <karen.sornek@intel.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igb/igb_main.c | 28 +++++++++++------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c
index 8f30577386b6f..533199d819501 100644
--- a/drivers/net/ethernet/intel/igb/igb_main.c
+++ b/drivers/net/ethernet/intel/igb/igb_main.c
@@ -7641,6 +7641,20 @@ static int igb_set_vf_mac_filter(struct igb_adapter *adapter, const int vf,
 	struct vf_mac_filter *entry = NULL;
 	int ret = 0;
 
+	if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) &&
+	    !vf_data->trusted) {
+		dev_warn(&pdev->dev,
+			 "VF %d requested MAC filter but is administratively denied\n",
+			  vf);
+		return -EINVAL;
+	}
+	if (!is_valid_ether_addr(addr)) {
+		dev_warn(&pdev->dev,
+			 "VF %d attempted to set invalid MAC filter\n",
+			  vf);
+		return -EINVAL;
+	}
+
 	switch (info) {
 	case E1000_VF_MAC_FILTER_CLR:
 		/* remove all unicast MAC filters related to the current VF */
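Review bot: Hoisting the two checks above `switch (info)` makes them apply to E1000_VF_MAC_FILTER_CLR as well as ADD. The trust check on CLR matches the commit message, but `is_valid_ether_addr(addr)` now also gates a clear request, which removes all of the VF's unicast filters and does not obviously need a valid address; a CLR carrying an invalid address would fail with -EINVAL and log "attempted to set invalid MAC filter". Either keep the address check under the ADD case or confirm that CLR always carries a valid address. Minor: the added `vf);` continuation lines are not aligned with the format string argument above them.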
@@ -7654,20 +7668,6 @@ static int igb_set_vf_mac_filter(struct igb_adapter *adapter, const int vf,
 		}
 		break;
 	case E1000_VF_MAC_FILTER_ADD:
-		if ((vf_data->flags & IGB_VF_FLAG_PF_SET_MAC) &&
-		    !vf_data->trusted) {
-			dev_warn(&pdev->dev,
-				 "VF %d requested MAC filter but is administratively denied\n",
-				 vf);
-			return -EINVAL;
-		}
-		if (!is_valid_ether_addr(addr)) {
-			dev_warn(&pdev->dev,
-				 "VF %d attempted to set invalid MAC filter\n",
-				 vf);
-			return -EINVAL;
-		}
-
 		/* try to find empty slot in the list */
 		list_for_each(pos, &adapter->vf_macs.l) {
 			entry = list_entry(pos, struct vf_mac_filter, l);
-- 
2.33.0





* [PATCH 5.15 095/177] igbvf: fix double free in `igbvf_probe`
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 094/177] igb: Fix removal of unicast MAC filters of VFs Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 096/177] igc: Fix typo in i225 LTR functions Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Letu Ren, Konrad Jankowski,
	Tony Nguyen, Sasha Levin

From: Letu Ren <fantasquex@gmail.com>

[ Upstream commit b6d335a60dc624c0d279333b22c737faa765b028 ]

In `igbvf_probe`, if register_netdev() fails, the program will go to
label err_hw_init, and then to label err_ioremap. In free_netdev() which
is just below label err_ioremap, there is `list_for_each_entry_safe` and
`netif_napi_del` which aims to delete all entries in `dev->napi_list`.
The program has added an entry `adapter->rx_ring->napi` which is added by
`netif_napi_add` in igbvf_alloc_queues(). However, adapter->rx_ring has
been freed below label err_hw_init. So this is a UAF.

In terms of how to patch the problem, we can refer to igbvf_remove() and
delete the entry before `adapter->rx_ring`.

The KASAN logs are as follows:

[   35.126075] BUG: KASAN: use-after-free in free_netdev+0x1fd/0x450
[   35.127170] Read of size 8 at addr ffff88810126d990 by task modprobe/366
[   35.128360]
[   35.128643] CPU: 1 PID: 366 Comm: modprobe Not tainted 5.15.0-rc2+ #14
[   35.129789] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   35.131749] Call Trace:
[   35.132199]  dump_stack_lvl+0x59/0x7b
[   35.132865]  print_address_description+0x7c/0x3b0
[   35.133707]  ? free_netdev+0x1fd/0x450
[   35.134378]  __kasan_report+0x160/0x1c0
[   35.135063]  ? free_netdev+0x1fd/0x450
[   35.135738]  kasan_report+0x4b/0x70
[   35.136367]  free_netdev+0x1fd/0x450
[   35.137006]  igbvf_probe+0x121d/0x1a10 [igbvf]
[   35.137808]  ? igbvf_vlan_rx_add_vid+0x100/0x100 [igbvf]
[   35.138751]  local_pci_probe+0x13c/0x1f0
[   35.139461]  pci_device_probe+0x37e/0x6c0
[   35.165526]
[   35.165806] Allocated by task 366:
[   35.166414]  ____kasan_kmalloc+0xc4/0xf0
[   35.167117]  foo_kmem_cache_alloc_trace+0x3c/0x50 [igbvf]
[   35.168078]  igbvf_probe+0x9c5/0x1a10 [igbvf]
[   35.168866]  local_pci_probe+0x13c/0x1f0
[   35.169565]  pci_device_probe+0x37e/0x6c0
[   35.179713]
[   35.179993] Freed by task 366:
[   35.180539]  kasan_set_track+0x4c/0x80
[   35.181211]  kasan_set_free_info+0x1f/0x40
[   35.181942]  ____kasan_slab_free+0x103/0x140
[   35.182703]  kfree+0xe3/0x250
[   35.183239]  igbvf_probe+0x1173/0x1a10 [igbvf]
[   35.184040]  local_pci_probe+0x13c/0x1f0

Fixes: d4e0fe01a38a0 (igbvf: add new driver to support 82576 virtual functions)
Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Letu Ren <fantasquex@gmail.com>
Tested-by: Konrad Jankowski <konrad0.jankowski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igbvf/netdev.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/intel/igbvf/netdev.c b/drivers/net/ethernet/intel/igbvf/netdev.c
index d32e72d953c8d..d051918dfdff9 100644
--- a/drivers/net/ethernet/intel/igbvf/netdev.c
+++ b/drivers/net/ethernet/intel/igbvf/netdev.c
@@ -2861,6 +2861,7 @@ static int igbvf_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 	return 0;
 
 err_hw_init:
+	netif_napi_del(&adapter->rx_ring->napi);
 	kfree(adapter->tx_ring);
 	kfree(adapter->rx_ring);
 err_sw_init:
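Review bot: `netif_napi_del(&adapter->rx_ring->napi);` is placed directly under `err_hw_init:`, so it runs for every goto that targets this label, not only the register_netdev() failure described in the commit message. Each of those paths must come after igbvf_alloc_queues() has allocated rx_ring and added the NAPI entry; the jump sites are outside this hunk, so please confirm that, or guard the call. The subject says double free while the message body and KASAN log describe a use-after-free; the subject should match.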
-- 
2.33.0





* [PATCH 5.15 096/177] igc: Fix typo in i225 LTR functions
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 095/177] igbvf: fix double free in `igbvf_probe` Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 097/177] ixgbe: Document how to enable NBASE-T support Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dima Ruinskiy, Sasha Neftin,
	Nechama Kraus, Tony Nguyen, Sasha Levin

From: Sasha Neftin <sasha.neftin@intel.com>

[ Upstream commit 0182d1f3fa640888a2ed7e3f6df2fdb10adee7c8 ]

The LTR maximum value was incorrectly written using the scale from
the LTR minimum value. This would cause incorrect values to be sent,
in cases where the initial calculation led to different min/max scales.

Fixes: 707abf069548 ("igc: Add initial LTR support")
Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
Signed-off-by: Sasha Neftin <sasha.neftin@intel.com>
Tested-by: Nechama Kraus <nechamax.kraus@linux.intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igc/igc_i225.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/intel/igc/igc_i225.c b/drivers/net/ethernet/intel/igc/igc_i225.c
index b2ef9fde97b38..b6807e16eea93 100644
--- a/drivers/net/ethernet/intel/igc/igc_i225.c
+++ b/drivers/net/ethernet/intel/igc/igc_i225.c
@@ -636,7 +636,7 @@ s32 igc_set_ltr_i225(struct igc_hw *hw, bool link)
 		ltrv = rd32(IGC_LTRMAXV);
 		if (ltr_max != (ltrv & IGC_LTRMAXV_LTRV_MASK)) {
 			ltrv = IGC_LTRMAXV_LSNP_REQ | ltr_max |
-			       (scale_min << IGC_LTRMAXV_SCALE_SHIFT);
+			       (scale_max << IGC_LTRMAXV_SCALE_SHIFT);
 			wr32(IGC_LTRMAXV, ltrv);
 		}
 	}
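Review bot: The guard above the fixed line, `if (ltr_max != (ltrv & IGC_LTRMAXV_LTRV_MASK))`, compares only the value field of the register. When ltr_max is unchanged but scale_max differs from the scale currently held in IGC_LTRMAXV, the write is skipped and the old scale stays in place. Consider including the scale bits in the comparison so that the corrected scale is always written.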
-- 
2.33.0





* [PATCH 5.15 097/177] ixgbe: Document how to enable NBASE-T support
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 096/177] igc: Fix typo in i225 LTR functions Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 098/177] ixgbe: set X550 MDIO speed before talking to PHY Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Robert Schlabbach, Tony Nguyen, Sasha Levin

From: Robert Schlabbach <robert_s@gmx.net>

[ Upstream commit 271225fd57c2f1e0b3f8826df51be6c634affefe ]

Commit a296d665eae1 ("ixgbe: Add ethtool support to enable 2.5 and 5.0
Gbps support") introduced suppression of the advertisement of NBASE-T
speeds by default, according to Todd Fujinaka to accommodate customers
with network switches which could not cope with advertised NBASE-T
speeds, as posted in the E1000-devel mailing list:

https://sourceforge.net/p/e1000/mailman/message/37106269/

However, the suppression was not documented at all, nor was how to
enable NBASE-T support.

Properly document the NBASE-T suppression and how to enable NBASE-T
support.

Fixes: a296d665eae1 ("ixgbe: Add ethtool support to enable 2.5 and 5.0 Gbps support")
Reported-by: Robert Schlabbach <robert_s@gmx.net>
Signed-off-by: Robert Schlabbach <robert_s@gmx.net>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../device_drivers/ethernet/intel/ixgbe.rst      | 16 ++++++++++++++++
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c    |  4 ++++
 2 files changed, 20 insertions(+)

diff --git a/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst b/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
index f1d5233e5e510..0a233b17c664e 100644
--- a/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
+++ b/Documentation/networking/device_drivers/ethernet/intel/ixgbe.rst
@@ -440,6 +440,22 @@ NOTE: For 82599-based network connections, if you are enabling jumbo frames in
 a virtual function (VF), jumbo frames must first be enabled in the physical
 function (PF). The VF MTU setting cannot be larger than the PF MTU.
 
+NBASE-T Support
+---------------
+The ixgbe driver supports NBASE-T on some devices. However, the advertisement
+of NBASE-T speeds is suppressed by default, to accommodate broken network
+switches which cannot cope with advertised NBASE-T speeds. Use the ethtool
+command to enable advertising NBASE-T speeds on devices which support it::
+
+  ethtool -s eth? advertise 0x1800000001028
+
+On Linux systems with INTERFACES(5), this can be specified as a pre-up command
+in /etc/network/interfaces so that the interface is always brought up with
+NBASE-T support, e.g.::
+
+  iface eth? inet dhcp
+       pre-up ethtool -s eth? advertise 0x1800000001028 || true
+
 Generic Receive Offload, aka GRO
 --------------------------------
 The driver supports the in-kernel software implementation of GRO. GRO has
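Review bot: The documented mask `0x1800000001028` is given with no breakdown of which link modes it advertises, so a reader cannot adapt it to a device that supports only some of the speeds or check it against the ethtool documentation. Suggest listing the link modes the bits stand for, and stating that `eth?` is a placeholder for the interface name. In the interfaces example, `|| true` hides a failed ethtool call, which leaves NBASE-T silently unadvertised; that deserves a sentence.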
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index 13c4782b920a7..750b02bb2fdc2 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -5526,6 +5526,10 @@ static int ixgbe_non_sfp_link_config(struct ixgbe_hw *hw)
 	if (!speed && hw->mac.ops.get_link_capabilities) {
 		ret = hw->mac.ops.get_link_capabilities(hw, &speed,
 							&autoneg);
+		/* remove NBASE-T speeds from default autonegotiation
+		 * to accommodate broken network switches in the field
+		 * which cannot cope with advertised NBASE-T speeds
+		 */
 		speed &= ~(IXGBE_LINK_SPEED_5GB_FULL |
 			   IXGBE_LINK_SPEED_2_5GB_FULL);
 	}
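Review bot: The new comment explains why the NBASE-T speeds are masked out of `speed` but not how an administrator gets them back. Adding a pointer to the ethtool advertise setting documented in ixgbe.rst by this same patch would connect the code to the documentation.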
-- 
2.33.0





* [PATCH 5.15 098/177] ixgbe: set X550 MDIO speed before talking to PHY
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 097/177] ixgbe: Document how to enable NBASE-T support Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 099/177] netdevsim: Zero-initialize memory for new maps value in function nsim_bpf_map_alloc Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Cyril Novikov, Andrew Lunn,
	Tony Nguyen, Sasha Levin

From: Cyril Novikov <cnovikov@lynx.com>

[ Upstream commit bf0a375055bd1afbbf02a0ef45f7655da7b71317 ]

The MDIO bus speed must be initialized before talking to the PHY the first
time in order to avoid talking to it using a speed that the PHY doesn't
support.

This fixes HW initialization error -17 (IXGBE_ERR_PHY_ADDR_INVALID) on
Denverton CPUs (a.k.a. the Atom C3000 family) on ports with a 10Gb network
plugged in. On those devices, HLREG0[MDCSPD] resets to 1, which combined
with the 10Gb network results in a 24MHz MDIO speed, which is apparently
too fast for the connected PHY. PHY register reads over MDIO bus return
garbage, leading to initialization failure.

Reproduced with Linux kernel 4.19 and 5.15-rc7. Can be reproduced using
the following setup:

* Use an Atom C3000 family system with at least one X552 LAN on the SoC
* Disable PXE or other BIOS network initialization if possible
  (the interface must not be initialized before Linux boots)
* Connect a live 10Gb Ethernet cable to an X550 port
* Power cycle (not reset, doesn't always work) the system and boot Linux
* Observe: ixgbe interfaces w/ 10GbE cables plugged in fail with error -17

Fixes: e84db7272798 ("ixgbe: Introduce function to control MDIO speed")
Signed-off-by: Cyril Novikov <cnovikov@lynx.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
index 9724ffb165189..e4b50c7781ffa 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_x550.c
@@ -3405,6 +3405,9 @@ static s32 ixgbe_reset_hw_X550em(struct ixgbe_hw *hw)
 	/* flush pending Tx transactions */
 	ixgbe_clear_tx_pending(hw);
 
+	/* set MDIO speed before talking to the PHY in case it's the 1st time */
+	ixgbe_set_mdio_speed(hw);
+
 	/* PHY ops must be identified and initialized prior to reset */
 	status = hw->phy.ops.init(hw);
 	if (status == IXGBE_ERR_SFP_NOT_SUPPORTED ||
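Review bot: the comment on the added `ixgbe_set_mdio_speed(hw)` call says when it matters (the first access) but not why. The commit message has the reason: HLREG0[MDCSPD] resets to 1, which with a 10Gb link gives a 24MHz MDIO clock that is apparently too fast for the PHY. Putting that in the comment would keep the call from being removed later as redundant. The ordering is the whole fix, so the comment should also state that the call has to stay ahead of `hw->phy.ops.init(hw)`.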
-- 
2.33.0




* [PATCH 5.15 099/177] netdevsim: Zero-initialize memory for new maps value in function nsim_bpf_map_alloc
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jakub Kicinski, Haimin Zhang, Sasha Levin

From: Haimin Zhang <tcs.kernel@gmail.com>

[ Upstream commit 481221775d53d6215a6e5e9ce1cce6d2b4ab9a46 ]

Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
since it may cause a potential kernel information leak issue, as follows:
1. nsim_bpf_map_alloc calls nsim_map_alloc_elem to allocate elements for
a new map.
2. nsim_map_alloc_elem uses kmalloc to allocate map's value, but doesn't
zero it.
3. A user application can use IOCTL BPF_MAP_LOOKUP_ELEM to get specific
element's information in the map.
4. The kernel function map_lookup_elem will call bpf_map_copy_value to get
the information allocated at step-2, then use copy_to_user to copy to the
user buffer.
This can only leak information for an array map.

Fixes: 395cacb5f1a0 ("netdevsim: bpf: support fake map offload")
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Haimin Zhang <tcs.kernel@gmail.com>
Link: https://lore.kernel.org/r/20211215111530.72103-1-tcs.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/netdevsim/bpf.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/netdevsim/bpf.c b/drivers/net/netdevsim/bpf.c
index 90aafb56f1409..a438202129323 100644
--- a/drivers/net/netdevsim/bpf.c
+++ b/drivers/net/netdevsim/bpf.c
@@ -514,6 +514,7 @@ nsim_bpf_map_alloc(struct netdevsim *ns, struct bpf_offloaded_map *offmap)
 				goto err_free;
 			key = nmap->entry[i].key;
 			*key = i;
+			memset(nmap->entry[i].value, 0, offmap->map.value_size);
 		}
 	}
 
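Review bot: the `memset()` clears the value at this one call site, while the commit message places the unzeroed kmalloc in nsim_map_alloc_elem. Any other caller of nsim_map_alloc_elem stays safe only as long as it writes all `value_size` bytes before a lookup can copy them to user space. Either zero the buffer in the allocator, or add a comment here saying why only the array-map path needs it.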
-- 
2.33.0




* [PATCH 5.15 100/177] net/packet: rx_owner_map depends on pg_vec
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Syzbot, Willem de Bruijn,
	Eric Dumazet, Jakub Kicinski, Sasha Levin

From: Willem de Bruijn <willemb@google.com>

[ Upstream commit ec6af094ea28f0f2dda1a6a33b14cd57e36a9755 ]

Packet sockets may switch ring versions. Avoid misinterpreting state
between versions, whose fields share a union. rx_owner_map is only
allocated with a packet ring (pg_vec) and both are swapped together.
If pg_vec is NULL, meaning no packet ring was allocated, then neither
was rx_owner_map. And the field may be old state from a tpacket_v3.

Fixes: 61fad6816fc1 ("net/packet: tpacket_rcv: avoid a producer race condition")
Reported-by: Syzbot <syzbot+1ac0994a0a0c55151121@syzkaller.appspotmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20211215143937.106178-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/packet/af_packet.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2a2bc64f75cfd..1bc7ef49e1487 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -4457,9 +4457,10 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
 	}
 
 out_free_pg_vec:
-	bitmap_free(rx_owner_map);
-	if (pg_vec)
+	if (pg_vec) {
+		bitmap_free(rx_owner_map);
 		free_pg_vec(pg_vec, order, req->tp_block_nr);
+	}
 out:
 	return err;
 }
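Review bot: at `out_free_pg_vec`, `bitmap_free(rx_owner_map)` is now skipped whenever `pg_vec` is NULL, and nothing in the code says why. The reason given in the commit message (rx_owner_map shares a union with tpacket_v3 state and is only valid when a ring was allocated) belongs in a short comment at the label, since the next person to touch this cleanup path will otherwise read it as a leak and move the free back out.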
-- 
2.33.0




* [PATCH 5.15 101/177] net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, John Keeping, David S. Miller, Sasha Levin

From: John Keeping <john@metanate.com>

[ Upstream commit 0546b224cc7717cc8a2db076b0bb069a9c430794 ]

KASAN reports an out-of-bounds read in rk_gmac_setup on the line:

	while (ops->regs[i]) {

This happens for most platforms since the regs flexible array member is
empty, so the memory after the ops structure is being read here.  It
seems that mostly this happens to contain zero anyway, so we get lucky
and everything still works.

To avoid adding redundant data to nearly all the ops structures, add a
new flag to indicate whether the regs field is valid and avoid this loop
when it is not.

Fixes: 3bb3d6b1c195 ("net: stmmac: Add RK3566/RK3568 SoC support")
Signed-off-by: John Keeping <john@metanate.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
index 6924a6aacbd53..c469abc91fa1b 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac-rk.c
@@ -33,6 +33,7 @@ struct rk_gmac_ops {
 	void (*set_rgmii_speed)(struct rk_priv_data *bsp_priv, int speed);
 	void (*set_rmii_speed)(struct rk_priv_data *bsp_priv, int speed);
 	void (*integrated_phy_powerup)(struct rk_priv_data *bsp_priv);
+	bool regs_valid;
 	u32 regs[];
 };
 
@@ -1092,6 +1093,7 @@ static const struct rk_gmac_ops rk3568_ops = {
 	.set_to_rmii = rk3568_set_to_rmii,
 	.set_rgmii_speed = rk3568_set_gmac_speed,
 	.set_rmii_speed = rk3568_set_gmac_speed,
+	.regs_valid = true,
 	.regs = {
 		0xfe2a0000, /* gmac0 */
 		0xfe010000, /* gmac1 */
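Review bot: `.regs_valid = true` has to be set by hand next to `.regs`, and nothing enforces the pairing. A future ops structure that fills in `.regs` but forgets the flag will silently skip the `regs` loop in rk_gmac_setup. Suggest a comment on the `regs_valid` field in struct rk_gmac_ops stating that it must be true whenever `regs` is populated.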
@@ -1383,7 +1385,7 @@ static struct rk_priv_data *rk_gmac_setup(struct platform_device *pdev,
 	 * to be distinguished.
 	 */
 	res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
-	if (res) {
+	if (res && ops->regs_valid) {
 		int i = 0;
 
 		while (ops->regs[i]) {
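Review bot: with `ops->regs_valid` checked, `while (ops->regs[i])` still has no upper bound and relies on a zero entry ending the array. That terminator is not visible in the rk3568_ops hunk. Suggest either an explicit count in place of the bool, or a comment at the initializer that the list must end in 0, so the out-of-bounds read KASAN reported cannot come back for an ops structure that does set the flag.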
-- 
2.33.0




* [PATCH 5.15 102/177] sfc_ef100: potential dereference of null pointer
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiasheng Jiang, kernel test robot,
	David S. Miller, Sasha Levin

From: Jiasheng Jiang <jiasheng@iscas.ac.cn>

[ Upstream commit 407ecd1bd726f240123f704620d46e285ff30dd9 ]

The return value of kmalloc() needs to be checked to avoid its use in
efx_nic_update_stats() if the allocation fails.

Fixes: b593b6f1b492 ("sfc_ef100: statistics gathering")
Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sfc/ef100_nic.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/ethernet/sfc/ef100_nic.c b/drivers/net/ethernet/sfc/ef100_nic.c
index 518268ce20644..d35cafd422b1c 100644
--- a/drivers/net/ethernet/sfc/ef100_nic.c
+++ b/drivers/net/ethernet/sfc/ef100_nic.c
@@ -609,6 +609,9 @@ static size_t ef100_update_stats(struct efx_nic *efx,
 	ef100_common_stat_mask(mask);
 	ef100_ethtool_stat_mask(mask);
 
+	if (!mc_stats)
+		return 0;
+
 	efx_nic_copy_stats(efx, mc_stats);
 	efx_nic_update_stats(ef100_stat_desc, EF100_STAT_COUNT, mask,
 			     stats, mc_stats, false);
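Review bot: `if (!mc_stats) return 0;` swallows the allocation failure, so the caller cannot tell it from a normal return and receives no updated statistics. The check also sits after the two stat-mask calls rather than directly after the allocation it guards, which is not in the visible lines. Suggest moving it next to the kmalloc() and adding a comment on what a return of 0 means to callers of ef100_update_stats().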
-- 
2.33.0




* [PATCH 5.15 103/177] dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrey Eremeev, Andrew Lunn,
	David S. Miller, Sasha Levin

From: Andrey Eremeev <Axtone4all@yandex.ru>

[ Upstream commit e08cdf63049b711099efff0811273449083bb958 ]

Debug print uses invalid check to detect if speed is unforced:
(speed != SPEED_UNFORCED) should be used instead of (!speed).

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Andrey Eremeev <Axtone4all@yandex.ru>
Fixes: 96a2b40c7bd3 ("net: dsa: mv88e6xxx: add port's MAC speed setter")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/dsa/mv88e6xxx/port.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/dsa/mv88e6xxx/port.c b/drivers/net/dsa/mv88e6xxx/port.c
index d9817b20ea641..ab41619a809b3 100644
--- a/drivers/net/dsa/mv88e6xxx/port.c
+++ b/drivers/net/dsa/mv88e6xxx/port.c
@@ -283,7 +283,7 @@ static int mv88e6xxx_port_set_speed_duplex(struct mv88e6xxx_chip *chip,
 	if (err)
 		return err;
 
-	if (speed)
+	if (speed != SPEED_UNFORCED)
 		dev_dbg(chip->dev, "p%d: Speed set to %d Mbps\n", port, speed);
 	else
 		dev_dbg(chip->dev, "p%d: Speed unforced\n", port);
@@ -516,7 +516,7 @@ int mv88e6393x_port_set_speed_duplex(struct mv88e6xxx_chip *chip, int port,
 	if (err)
 		return err;
 
-	if (speed)
+	if (speed != SPEED_UNFORCED)
 		dev_dbg(chip->dev, "p%d: Speed set to %d Mbps\n", port, speed);
 	else
 		dev_dbg(chip->dev, "p%d: Speed unforced\n", port);
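Review bot: the `speed != SPEED_UNFORCED` test and the two dev_dbg() lines here are a copy of the ones in mv88e6xxx_port_set_speed_duplex() fixed in the previous hunk, which is how the same wrong check ended up in both functions. Suggest a small shared helper for the debug print so the two cannot drift apart again.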
-- 
2.33.0




* [PATCH 5.15 104/177] net: Fix double 0x prefix print in SKB dump
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gal Pressman, David S. Miller, Sasha Levin

From: Gal Pressman <gal@nvidia.com>

[ Upstream commit 8a03ef676ade55182f9b05115763aeda6dc08159 ]

When printing netdev features %pNF already takes care of the 0x prefix,
remove the explicit one.

Fixes: 6413139dfc64 ("skbuff: increase verbosity when dumping skb data")
Signed-off-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/skbuff.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 38d7dee4bbe9e..f7e003571a356 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -832,7 +832,7 @@ void skb_dump(const char *level, const struct sk_buff *skb, bool full_pkt)
 	       ntohs(skb->protocol), skb->pkt_type, skb->skb_iif);
 
 	if (dev)
-		printk("%sdev name=%s feat=0x%pNF\n",
+		printk("%sdev name=%s feat=%pNF\n",
 		       level, dev->name, &dev->features);
 	if (sk)
 		printk("%ssk family=%hu type=%u proto=%u\n",
-- 
2.33.0




* [PATCH 5.15 105/177] net/smc: Prevent smc_release() from long blocking
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tony Lu, Dust Li, D. Wythe,
	Karsten Graul, Jakub Kicinski, Sasha Levin

From: D. Wythe <alibuda@linux.alibaba.com>

[ Upstream commit 5c15b3123f65f8fbb1b445d9a7e8812e0e435df2 ]

In the nginx/wrk benchmark, there is a hang with high probability in a
case like the following (the client takes several minutes to exit):

server: smc_run nginx

client: smc_run wrk -c 10000 -t 1 http://server

Client hangs with the following backtrace:

0 [ffffa7ce8Of3bbf8] __schedule at ffffffff9f9eOd5f
1 [ffffa7ce8Of3bc88] schedule at ffffffff9f9eløe6
2 [ffffa7ce8Of3bcaO] schedule_timeout at ffffffff9f9e3f3c
3 [ffffa7ce8Of3bd2O] wait_for_common at ffffffff9f9el9de
4 [ffffa7ce8Of3bd8O] __flush_work at ffffffff9fOfeOl3
5 [ffffa7ce8øf3bdfO] smc_release at ffffffffcO697d24 [smc]
6 [ffffa7ce8Of3be2O] __sock_release at ffffffff9f8O2e2d
7 [ffffa7ce8Of3be4ø] sock_close at ffffffff9f8ø2ebl
8 [ffffa7ce8øf3be48] __fput at ffffffff9f334f93
9 [ffffa7ce8Of3be78] task_work_run at ffffffff9flOlff5
10 [ffffa7ce8Of3beaO] do_exit at ffffffff9fOe5Ol2
11 [ffffa7ce8Of3bflO] do_group_exit at ffffffff9fOe592a
12 [ffffa7ce8Of3bf38] __x64_sys_exit_group at ffffffff9fOe5994
13 [ffffa7ce8Of3bf4O] do_syscall_64 at ffffffff9f9d4373
14 [ffffa7ce8Of3bfsO] entry_SYSCALL_64_after_hwframe at ffffffff9fa0007c

This issue is due to flush_work(), which is used to wait for
smc_connect_work() to finish in smc_release(). Once lots of
smc_connect_work() items are pending or all executing work is dangling,
smc_release() has to block until one worker becomes free, which
is equivalent to waiting for another smc_connect_work() to finish.

In order to fix this, there are two changes:

1. For an idle smc_connect_work(), cancel it from the workqueue; for
   an executing smc_connect_work(), wait for it to finish. For that
   purpose, replace flush_work() with cancel_work_sync().

2. Since smc_connect() holds a reference for passive closing, if
   smc_connect_work() has been cancelled, release the reference.

Fixes: 24ac3a08e658 ("net/smc: rebuild nonblocking connect")
Reported-by: Tony Lu <tonylu@linux.alibaba.com>
Tested-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: D. Wythe <alibuda@linux.alibaba.com>
Acked-by: Karsten Graul <kgraul@linux.ibm.com>
Link: https://lore.kernel.org/r/1639571361-101128-1-git-send-email-alibuda@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/smc/af_smc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 06e4a07bdcdc1..eea6d4a854e90 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -193,7 +193,9 @@ static int smc_release(struct socket *sock)
 	/* cleanup for a dangling non-blocking connect */
 	if (smc->connect_nonblock && sk->sk_state == SMC_INIT)
 		tcp_abort(smc->clcsock->sk, ECONNABORTED);
-	flush_work(&smc->connect_work);
+
+	if (cancel_work_sync(&smc->connect_work))
+		sock_put(&smc->sk); /* sock_hold in smc_connect for passive closing */
 
 	if (sk->sk_state == SMC_LISTEN)
 		/* smc_close_non_accepted() is called and acquires
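Review bot: `sock_put()` runs only when `cancel_work_sync()` returns true, that is, when the work was still pending and got cancelled. When smc_connect_work() is already running, cancel_work_sync() waits for it and returns false, so the reference taken in smc_connect() must then be dropped by the work function itself. Please confirm that path and say so in the comment, which currently only names the sock_hold; a missed or doubled put here is a reference-count bug on the socket.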
-- 
2.33.0




* [PATCH 5.15 106/177] net: systemport: Add global locking for descriptor lifecycle
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Florian Fainelli, Jakub Kicinski,
	Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 8b8e6e782456f1ce02a7ae914bbd5b1053f0b034 ]

The descriptor list is a shared resource across all of the transmit queues, and
the locking mechanism used today only protects concurrency across a given
transmit queue between the transmit and reclaiming. This creates an opportunity
for the SYSTEMPORT hardware to work on corrupted descriptors if we have
multiple producers at once which is the case when using multiple transmit
queues.

This was particularly noticeable when using multiple flows/transmit queues and
it showed up in interesting ways in that UDP packets would get a correct UDP
header checksum being calculated over an incorrect packet length. Similarly TCP
packets would get an equally correct checksum computed by the hardware over an
incorrect packet length.

The SYSTEMPORT hardware maintains an internal descriptor list that it re-arranges
when the driver produces a new descriptor anytime it writes to the
WRITE_PORT_{HI,LO} registers, there is however some delay in the hardware to
re-organize its descriptors and it is possible that concurrent TX queues
eventually break this internal allocation scheme to the point where the
length/status part of the descriptor gets used for an incorrect data buffer.

The fix is to impose a global serialization for all TX queues in the short
section where we are writing to the WRITE_PORT_{HI,LO} registers which solves
the corruption even with multiple concurrent TX queues being used.

Fixes: 80105befdb4b ("net: systemport: add Broadcom SYSTEMPORT Ethernet MAC driver")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20211215202450.4086240-1-f.fainelli@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/bcmsysport.c | 5 ++++-
 drivers/net/ethernet/broadcom/bcmsysport.h | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/bcmsysport.c b/drivers/net/ethernet/broadcom/bcmsysport.c
index 7fa1b695400d7..0877b3d7f88c5 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.c
+++ b/drivers/net/ethernet/broadcom/bcmsysport.c
@@ -1309,11 +1309,11 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
 	struct bcm_sysport_priv *priv = netdev_priv(dev);
 	struct device *kdev = &priv->pdev->dev;
 	struct bcm_sysport_tx_ring *ring;
+	unsigned long flags, desc_flags;
 	struct bcm_sysport_cb *cb;
 	struct netdev_queue *txq;
 	u32 len_status, addr_lo;
 	unsigned int skb_len;
-	unsigned long flags;
 	dma_addr_t mapping;
 	u16 queue;
 	int ret;
@@ -1373,8 +1373,10 @@ static netdev_tx_t bcm_sysport_xmit(struct sk_buff *skb,
 	ring->desc_count--;
 
 	/* Ports are latched, so write upper address first */
+	spin_lock_irqsave(&priv->desc_lock, desc_flags);
 	tdma_writel(priv, len_status, TDMA_WRITE_PORT_HI(ring->index));
 	tdma_writel(priv, addr_lo, TDMA_WRITE_PORT_LO(ring->index));
+	spin_unlock_irqrestore(&priv->desc_lock, desc_flags);
 
 	/* Check ring space and update SW control flow */
 	if (ring->desc_count == 0)
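Review bot: `spin_lock_irqsave(&priv->desc_lock, desc_flags)` is added in a function that already has an `unsigned long flags`, presumably for the per-queue lock the commit message mentions. If that lock is held with interrupts disabled at this point, plain `spin_lock()`/`spin_unlock()` would do and `desc_flags` can go. Either way the lock order (ring lock, then desc_lock) should be written down in a comment, because desc_lock is shared by every TX queue.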
@@ -2013,6 +2015,7 @@ static int bcm_sysport_open(struct net_device *dev)
 	}
 
 	/* Initialize both hardware and software ring */
+	spin_lock_init(&priv->desc_lock);
 	for (i = 0; i < dev->num_tx_queues; i++) {
 		ret = bcm_sysport_init_tx_ring(priv, i);
 		if (ret) {
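Review bot: `spin_lock_init(&priv->desc_lock)` is placed in bcm_sysport_open(), so the lock is initialized again on every open of the interface. A lock that lives in the private structure is normally initialized once at probe time; suggest moving it there.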
diff --git a/drivers/net/ethernet/broadcom/bcmsysport.h b/drivers/net/ethernet/broadcom/bcmsysport.h
index 984f76e74b43e..16b73bb9acc78 100644
--- a/drivers/net/ethernet/broadcom/bcmsysport.h
+++ b/drivers/net/ethernet/broadcom/bcmsysport.h
@@ -711,6 +711,7 @@ struct bcm_sysport_priv {
 	int			wol_irq;
 
 	/* Transmit rings */
+	spinlock_t		desc_lock;
 	struct bcm_sysport_tx_ring *tx_rings;
 
 	/* Receive queue */
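Review bot: `desc_lock` is added under the "Transmit rings" comment with no description of what it protects. Suggest a one-line comment that it serializes the TDMA_WRITE_PORT_HI/LO writes across all TX queues.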
-- 
2.33.0




* [PATCH 5.15 107/177] sit: do not call ipip6_dev_free() from sit_init_net()
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, Jakub Kicinski,
	Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e28587cc491ef0f3c51258fdc87fbc386b1d4c59 ]

ipip6_dev_free is sit dev->priv_destructor, already called
by register_netdevice() if something goes wrong.

Alternative would be to make ipip6_dev_free() robust against
multiple invocations, but other drivers do not implement this
strategy.

syzbot reported:

dst_release underflow
WARNING: CPU: 0 PID: 5059 at net/core/dst.c:173 dst_release+0xd8/0xe0 net/core/dst.c:173
Modules linked in:
CPU: 1 PID: 5059 Comm: syz-executor.4 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:dst_release+0xd8/0xe0 net/core/dst.c:173
Call Trace:
 <TASK>
 dst_cache_destroy+0x107/0x1e0 net/core/dst_cache.c:160
 ipip6_dev_free net/ipv6/sit.c:1414 [inline]
 sit_init_net+0x229/0x550 net/ipv6/sit.c:1936
 ops_init+0x313/0x430 net/core/net_namespace.c:140
 setup_net+0x35b/0x9d0 net/core/net_namespace.c:326
 copy_net_ns+0x359/0x5c0 net/core/net_namespace.c:470
 create_new_namespaces+0x4ce/0xa00 kernel/nsproxy.c:110
 unshare_nsproxy_namespaces+0x11e/0x180 kernel/nsproxy.c:226
 ksys_unshare+0x57d/0xb50 kernel/fork.c:3075
 __do_sys_unshare kernel/fork.c:3146 [inline]
 __se_sys_unshare kernel/fork.c:3144 [inline]
 __x64_sys_unshare+0x34/0x40 kernel/fork.c:3144
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
 </TASK>

Fixes: cf124db566e6 ("net: Fix inconsistent teardown and release of private netdev state.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Link: https://lore.kernel.org/r/20211216111741.1387540-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/sit.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index ef0c7a7c18e23..626cb53aa57ab 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1933,7 +1933,6 @@ static int __net_init sit_init_net(struct net *net)
 	return 0;
 
 err_reg_dev:
-	ipip6_dev_free(sitn->fb_tunnel_dev);
 	free_netdev(sitn->fb_tunnel_dev);
 err_alloc_dev:
 	return err;
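Review bot: after this change `err_reg_dev` calls only `free_netdev()`, which reads like a missing cleanup to anyone who does not know that register_netdevice() already ran the priv_destructor on failure. Suggest a comment at the label saying that ipip6_dev_free() has already been called at this point, so the second `dst_cache_destroy()` seen in the syzbot trace is not reintroduced.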
-- 
2.33.0




* [PATCH 5.15 108/177] afs: Fix mmap
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable,
	kafs-testing+fedora34_64checkkafs-build-300, Marc Dionne,
	David Howells, linux-afs, Linus Torvalds, Sasha Levin

From: David Howells <dhowells@redhat.com>

[ Upstream commit 1744a22ae948799da7927b53ec97ccc877ff9d61 ]

Fix afs_add_open_mmap() to check that the vnode isn't already on the list
when it adds it.  It's possible that afs_drop_open_mmap() decremented
the cb_nr_mmap counter, but hadn't yet got into the locked section to
remove it.

Also vnode->cb_mmap_link should be initialised, so fix that too.

Fixes: 6e0e99d58a65 ("afs: Fix mmap coherency vs 3rd-party changes")
Reported-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
Suggested-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: kafs-testing+fedora34_64checkkafs-build-300@auristor.com
cc: linux-afs@lists.infradead.org
Link: https://lore.kernel.org/r/686465.1639435380@warthog.procyon.org.uk/ # v1
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/afs/file.c  | 5 +++--
 fs/afs/super.c | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/fs/afs/file.c b/fs/afs/file.c
index e6c447ae91f38..b165377179c3c 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -502,8 +502,9 @@ static void afs_add_open_mmap(struct afs_vnode *vnode)
 	if (atomic_inc_return(&vnode->cb_nr_mmap) == 1) {
 		down_write(&vnode->volume->cell->fs_open_mmaps_lock);
 
-		list_add_tail(&vnode->cb_mmap_link,
-			      &vnode->volume->cell->fs_open_mmaps);
+		if (list_empty(&vnode->cb_mmap_link))
+			list_add_tail(&vnode->cb_mmap_link,
+				      &vnode->volume->cell->fs_open_mmaps);
 
 		up_write(&vnode->volume->cell->fs_open_mmaps_lock);
 	}
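Review bot: `list_empty(&vnode->cb_mmap_link)` is only a valid "not on the list" test if the removal side re-initializes the link, that is, if afs_drop_open_mmap() uses list_del_init() rather than list_del(). That function is not in the visible lines; please confirm. A short comment above the check describing the race with afs_drop_open_mmap() from the commit message would also help.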
diff --git a/fs/afs/super.c b/fs/afs/super.c
index d110def8aa8eb..34c68724c98be 100644
--- a/fs/afs/super.c
+++ b/fs/afs/super.c
@@ -667,6 +667,7 @@ static void afs_i_init_once(void *_vnode)
 	INIT_LIST_HEAD(&vnode->pending_locks);
 	INIT_LIST_HEAD(&vnode->granted_locks);
 	INIT_DELAYED_WORK(&vnode->lock_work, afs_lock_work);
+	INIT_LIST_HEAD(&vnode->cb_mmap_link);
 	seqlock_init(&vnode->cb_lock);
 }
 
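Review bot: INIT_LIST_HEAD(&vnode->cb_mmap_link) sits in afs_i_init_once() with the other once-only initialisers, so it is not re-run when a vnode object is recycled; the list_empty() guard added in fs/afs/file.c therefore depends on the link always being empty again by the time the vnode is released. An assertion on that in the teardown path would make the invariant explicit.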
-- 
2.33.0





* [PATCH 5.15 109/177] arm64: kexec: Fix missing error code ret warning in load_other_segments()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 108/177] afs: Fix mmap Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 110/177] bpf: Fix extable fixup offset Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lakshmi Ramasubramanian,
	kernel test robot, Dan Carpenter, Will Deacon, Catalin Marinas,
	Sasha Levin

From: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>

[ Upstream commit 9c5d89bc10551f1aecd768b00fca3339a7b8c8ee ]

Since commit ac10be5cdbfa ("arm64: Use common
of_kexec_alloc_and_setup_fdt()"), smatch reports the following warning:

  arch/arm64/kernel/machine_kexec_file.c:152 load_other_segments()
  warn: missing error code 'ret'

Return code is not set to an error code in load_other_segments() when
of_kexec_alloc_and_setup_fdt() call returns a NULL dtb. This results
in status success (return code set to 0) being returned from
load_other_segments().

Set return code to -EINVAL if of_kexec_alloc_and_setup_fdt() returns
NULL dtb.

Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: ac10be5cdbfa ("arm64: Use common of_kexec_alloc_and_setup_fdt()")
Link: https://lore.kernel.org/r/20211210010121.101823-1-nramas@linux.microsoft.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/kernel/machine_kexec_file.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/arch/arm64/kernel/machine_kexec_file.c b/arch/arm64/kernel/machine_kexec_file.c
index 63634b4d72c15..59c648d518488 100644
--- a/arch/arm64/kernel/machine_kexec_file.c
+++ b/arch/arm64/kernel/machine_kexec_file.c
@@ -149,6 +149,7 @@ int load_other_segments(struct kimage *image,
 					   initrd_len, cmdline, 0);
 	if (!dtb) {
 		pr_err("Preparing for new dtb failed\n");
+		ret = -EINVAL;
 		goto out_err;
 	}
 
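Review bot: The added ret = -EINVAL fixes this one exit, but -EINVAL is a guess at the cause, because the caller only sees a NULL dtb from of_kexec_alloc_and_setup_fdt(). If that helper can also fail on allocation, having it return an ERR_PTR and propagating PTR_ERR() here would report the real reason. The underlying hazard, ret still holding 0 from an earlier step when control reaches out_err, also applies to any other goto out_err that does not assign ret first, so those are worth a quick audit.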
-- 
2.33.0





* [PATCH 5.15 110/177] bpf: Fix extable fixup offset.
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 109/177] arm64: kexec: Fix missing error code ret warning in load_other_segments() Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 111/177] bpf, selftests: Fix racing issue in btf_skc_cls_ingress test Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexei Starovoitov, Daniel Borkmann,
	Sasha Levin

From: Alexei Starovoitov <ast@kernel.org>

[ Upstream commit 433956e91200734d09958673a56df02d00a917c2 ]

The prog - start_of_ldx is the offset before the faulting ldx to the location
after it, so this will be used to adjust pt_regs->ip for jumping over it and
continuing, and with old temp it would have been fixed up to the wrong offset,
causing crash.

Fixes: 4c5de127598e ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/net/bpf_jit_comp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 9ea57389c554b..462d8e68b3f43 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -1332,7 +1332,7 @@ st:			if (is_imm8(insn->off))
 				 * End result: x86 insn "mov rbx, qword ptr [rax+0x14]"
 				 * of 4 bytes will be ignored and rbx will be zero inited.
 				 */
-				ex->fixup = (prog - temp) | (reg2pt_regs[dst_reg] << 8);
+				ex->fixup = (prog - start_of_ldx) | (reg2pt_regs[dst_reg] << 8);
 			}
 			break;
 
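Review bot: ex->fixup packs the skip length into the low byte and the register offset above it (reg2pt_regs[dst_reg] << 8), so (prog - start_of_ldx) must stay below 256 or it spills into the register field. That holds for the single load described in the comment above, but nothing on this line enforces it; a WARN_ON_ONCE or a mask on the length would keep the encoding safe if the emitted sequence ever grows.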
-- 
2.33.0





* [PATCH 5.15 111/177] bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 110/177] bpf: Fix extable fixup offset Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 112/177] powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andrii Nakryiko, Martin KaFai Lau,
	Daniel Borkmann, Sasha Levin

From: Martin KaFai Lau <kafai@fb.com>

[ Upstream commit c2fcbf81c332b42382a0c439bfe2414a241e4f5b ]

The libbpf CI reported occasional failure in btf_skc_cls_ingress:

  test_syncookie:FAIL:Unexpected syncookie states gen_cookie:80326634 recv_cookie:0
  bpf prog error at line 97

"error at line 97" means the bpf prog cannot find the listening socket
when the final ack is received.  It then skipped processing
the syncookie in the final ack which then led to "recv_cookie:0".

The problem is the userspace program did not do accept() and went
ahead to close(listen_fd) before the kernel (and the bpf prog) had
a chance to process the final ack.

The fix is to add accept() call so that the userspace will wait for
the kernel to finish processing the final ack first before close()-ing
everything.

Fixes: 9a856cae2217 ("bpf: selftest: Add test_btf_skc_cls_ingress")
Reported-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211216191630.466151-1-kafai@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../bpf/prog_tests/btf_skc_cls_ingress.c         | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
index 762f6a9da8b5e..664ffc0364f4f 100644
--- a/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
+++ b/tools/testing/selftests/bpf/prog_tests/btf_skc_cls_ingress.c
@@ -90,7 +90,7 @@ static void print_err_line(void)
 
 static void test_conn(void)
 {
-	int listen_fd = -1, cli_fd = -1, err;
+	int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
 	socklen_t addrlen = sizeof(srv_sa6);
 	int srv_port;
 
@@ -112,6 +112,10 @@ static void test_conn(void)
 	if (CHECK_FAIL(cli_fd == -1))
 		goto done;
 
+	srv_fd = accept(listen_fd, NULL, NULL);
+	if (CHECK_FAIL(srv_fd == -1))
+		goto done;
+
 	if (CHECK(skel->bss->listen_tp_sport != srv_port ||
 		  skel->bss->req_sk_sport != srv_port,
 		  "Unexpected sk src port",
@@ -134,11 +138,13 @@ static void test_conn(void)
 		close(listen_fd);
 	if (cli_fd != -1)
 		close(cli_fd);
+	if (srv_fd != -1)
+		close(srv_fd);
 }
 
 static void test_syncookie(void)
 {
-	int listen_fd = -1, cli_fd = -1, err;
+	int listen_fd = -1, cli_fd = -1, srv_fd = -1, err;
 	socklen_t addrlen = sizeof(srv_sa6);
 	int srv_port;
 
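Review bot: The srv_fd handling is now duplicated between test_conn() and test_syncookie(): the close(srv_fd) at the top of this hunk and the second declaration at the bottom mirror each other, as do the accept() calls. A small helper that performs the accept() with a timeout set on listen_fd would remove the copy and would also keep a lost final ACK from hanging the test in a blocking accept() instead of failing it.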
@@ -161,6 +167,10 @@ static void test_syncookie(void)
 	if (CHECK_FAIL(cli_fd == -1))
 		goto done;
 
+	srv_fd = accept(listen_fd, NULL, NULL);
+	if (CHECK_FAIL(srv_fd == -1))
+		goto done;
+
 	if (CHECK(skel->bss->listen_tp_sport != srv_port,
 		  "Unexpected tp src port",
 		  "listen_tp_sport:%u expected:%u\n",
@@ -188,6 +198,8 @@ static void test_syncookie(void)
 		close(listen_fd);
 	if (cli_fd != -1)
 		close(cli_fd);
+	if (srv_fd != -1)
+		close(srv_fd);
 }
 
 struct test {
-- 
2.33.0





* [PATCH 5.15 112/177] powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 111/177] bpf, selftests: Fix racing issue in btf_skc_cls_ingress test Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 113/177] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Kennedy, Xiaoming Ni,
	Michael Ellerman, Sasha Levin

From: Xiaoming Ni <nixiaoming@huawei.com>

[ Upstream commit 3dc709e518b47386e6af937eaec37bb36539edfd ]

When CONFIG_FSL_PMC is set to n, no value is assigned to cpu_up_prepare
in the mpc85xx_pm_ops structure. As a result, oops is triggered in
smp_85xx_start_cpu().

  smp: Bringing up secondary CPUs ...
  kernel tried to execute user page (0) - exploit attempt? (uid: 0)
  BUG: Unable to handle kernel instruction fetch (NULL pointer?)
  Faulting instruction address: 0x00000000
  Oops: Kernel access of bad area, sig: 11 [#1]
  ...
  NIP [00000000] 0x0
  LR [c0021d2c] smp_85xx_kick_cpu+0xe8/0x568
  Call Trace:
  [c1051da8] [c0021cb8] smp_85xx_kick_cpu+0x74/0x568 (unreliable)
  [c1051de8] [c0011460] __cpu_up+0xc0/0x228
  [c1051e18] [c0031bbc] bringup_cpu+0x30/0x224
  [c1051e48] [c0031f3c] cpu_up.constprop.0+0x180/0x33c
  [c1051e88] [c00322e8] bringup_nonboot_cpus+0x88/0xc8
  [c1051eb8] [c07e67bc] smp_init+0x30/0x78
  [c1051ed8] [c07d9e28] kernel_init_freeable+0x118/0x2a8
  [c1051f18] [c00032d8] kernel_init+0x14/0x124
  [c1051f38] [c0010278] ret_from_kernel_thread+0x14/0x1c

Fixes: c45361abb918 ("powerpc/85xx: fix timebase sync issue when CONFIG_HOTPLUG_CPU=n")
Reported-by: Martin Kennedy <hurricos@gmail.com>
Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
Tested-by: Martin Kennedy <hurricos@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211126041153.16926-1-nixiaoming@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/platforms/85xx/smp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/arch/powerpc/platforms/85xx/smp.c b/arch/powerpc/platforms/85xx/smp.c
index 83f4a6389a282..d7081e9af65c7 100644
--- a/arch/powerpc/platforms/85xx/smp.c
+++ b/arch/powerpc/platforms/85xx/smp.c
@@ -220,7 +220,7 @@ static int smp_85xx_start_cpu(int cpu)
 	local_irq_save(flags);
 	hard_irq_disable();
 
-	if (qoriq_pm_ops)
+	if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare)
 		qoriq_pm_ops->cpu_up_prepare(cpu);
 
 	/* if cpu is not spinning, reset it */
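Review bot: The extra qoriq_pm_ops->cpu_up_prepare test covers only this one callback; per the changelog the ops structure is left partly unpopulated when CONFIG_FSL_PMC=n, so any other qoriq_pm_ops member called without its own NULL check has the same problem. Either audit the remaining call sites in this file or give the =n configuration a no-op cpu_up_prepare so callers do not have to test each pointer.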
@@ -292,7 +292,7 @@ static int smp_85xx_kick_cpu(int nr)
 		booting_thread_hwid = cpu_thread_in_core(nr);
 		primary = cpu_first_thread_sibling(nr);
 
-		if (qoriq_pm_ops)
+		if (qoriq_pm_ops && qoriq_pm_ops->cpu_up_prepare)
 			qoriq_pm_ops->cpu_up_prepare(nr);
 
 		/*
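Review bot: This is the same two-part condition as in smp_85xx_start_cpu(); a small static helper wrapping the NULL checks and the cpu_up_prepare() call would keep the two sites from drifting apart.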
-- 
2.34.1





* [PATCH 5.15 113/177] USB: gadget: bRequestType is a bitfield, not a enum
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 112/177] powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 114/177] Revert "usb: early: convert to readl_poll_timeout_atomic()" Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Felipe Balbi, Szymon Heidrich, Sasha Levin

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit f08adf5add9a071160c68bb2a61d697f39ab0758 ]

Szymon rightly pointed out that the previous check for the endpoint
direction in bRequestType was not looking at only the bit involved, but
rather the whole value.  Normally this is ok, but for some request
types, bits other than bit 8 could be set and the check for the endpoint
length could not stall correctly.

Fix that up by only checking the single bit.

Fixes: 153a2d7e3350 ("USB: gadget: detect too-big endpoint 0 requests")
Cc: Felipe Balbi <balbi@kernel.org>
Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
Link: https://lore.kernel.org/r/20211214184621.385828-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/composite.c    | 6 +++---
 drivers/usb/gadget/legacy/dbgp.c  | 6 +++---
 drivers/usb/gadget/legacy/inode.c | 6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/usb/gadget/composite.c b/drivers/usb/gadget/composite.c
index 284eea9f6e4d8..3789c329183ca 100644
--- a/drivers/usb/gadget/composite.c
+++ b/drivers/usb/gadget/composite.c
@@ -1680,14 +1680,14 @@ composite_setup(struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 	u8				endp;
 
 	if (w_length > USB_COMP_EP0_BUFSIZ) {
-		if (ctrl->bRequestType == USB_DIR_OUT) {
-			goto done;
-		} else {
+		if (ctrl->bRequestType & USB_DIR_IN) {
 			/* Cast away the const, we are going to overwrite on purpose. */
 			__le16 *temp = (__le16 *)&ctrl->wLength;
 
 			*temp = cpu_to_le16(USB_COMP_EP0_BUFSIZ);
 			w_length = USB_COMP_EP0_BUFSIZ;
+		} else {
+			goto done;
 		}
 	}
 
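Review bot: A comment is missing at the new ctrl->bRequestType & USB_DIR_IN test explaining why the branches were swapped: USB_DIR_OUT is 0, so the OUT case can only be expressed as the absence of the IN bit. Without that note the if/else order looks arbitrary and invites a later "simplification" back to a comparison against USB_DIR_OUT.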
diff --git a/drivers/usb/gadget/legacy/dbgp.c b/drivers/usb/gadget/legacy/dbgp.c
index 355bc7dab9d5f..6bcbad3825802 100644
--- a/drivers/usb/gadget/legacy/dbgp.c
+++ b/drivers/usb/gadget/legacy/dbgp.c
@@ -346,14 +346,14 @@ static int dbgp_setup(struct usb_gadget *gadget,
 	u16 len = 0;
 
 	if (length > DBGP_REQ_LEN) {
-		if (ctrl->bRequestType == USB_DIR_OUT) {
-			return err;
-		} else {
+		if (ctrl->bRequestType & USB_DIR_IN) {
 			/* Cast away the const, we are going to overwrite on purpose. */
 			__le16 *temp = (__le16 *)&ctrl->wLength;
 
 			*temp = cpu_to_le16(DBGP_REQ_LEN);
 			length = DBGP_REQ_LEN;
+		} else {
+			return err;
 		}
 	}
 
diff --git a/drivers/usb/gadget/legacy/inode.c b/drivers/usb/gadget/legacy/inode.c
index 0a4041552ed19..1b223cba4c2c9 100644
--- a/drivers/usb/gadget/legacy/inode.c
+++ b/drivers/usb/gadget/legacy/inode.c
@@ -1337,14 +1337,14 @@ gadgetfs_setup (struct usb_gadget *gadget, const struct usb_ctrlrequest *ctrl)
 	u16				w_length = le16_to_cpu(ctrl->wLength);
 
 	if (w_length > RBUF_SIZE) {
-		if (ctrl->bRequestType == USB_DIR_OUT) {
-			return value;
-		} else {
+		if (ctrl->bRequestType & USB_DIR_IN) {
 			/* Cast away the const, we are going to overwrite on purpose. */
 			__le16 *temp = (__le16 *)&ctrl->wLength;
 
 			*temp = cpu_to_le16(RBUF_SIZE);
 			w_length = RBUF_SIZE;
+		} else {
+			return value;
 		}
 	}
 
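Review bot: This is the third copy of the same oversize-wLength block; composite.c, dbgp.c and this file differ only in the buffer-size constant and the early-exit statement, which is why the direction test had to be fixed three times. A shared inline helper taking ctrl and the limit, and returning whether to stall, would leave one place to get the check right.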
-- 
2.34.1





* [PATCH 5.15 114/177] Revert "usb: early: convert to readl_poll_timeout_atomic()"
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 113/177] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 115/177] KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathias Nyman, Peter Zijlstra,
	Jann Horn, Chunfeng Yun, Sasha Levin

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

[ Upstream commit c4d936efa46d8ea183df16c0f3fa4423327da51d ]

This reverts commit 796eed4b2342c9d6b26c958e92af91253a2390e1.

This change causes boot lockups when using "earlyprintk=xdbc" because
ktime can not be used at this point in time in the boot process.  Also,
it is not needed for very small delays like this.

Reported-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Reported-by: Peter Zijlstra <peterz@infradead.org>
Cc: Jann Horn <jannh@google.com>
Cc: Chunfeng Yun <chunfeng.yun@mediatek.com>
Fixes: 796eed4b2342 ("usb: early: convert to readl_poll_timeout_atomic()")
Link: https://lore.kernel.org/r/c2b5c9bb-1b75-bf56-3754-b5b18812d65e@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/early/xhci-dbc.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/early/xhci-dbc.c b/drivers/usb/early/xhci-dbc.c
index be4ecbabdd586..6c0434100e38c 100644
--- a/drivers/usb/early/xhci-dbc.c
+++ b/drivers/usb/early/xhci-dbc.c
@@ -14,7 +14,6 @@
 #include <linux/pci_ids.h>
 #include <linux/memblock.h>
 #include <linux/io.h>
-#include <linux/iopoll.h>
 #include <asm/pci-direct.h>
 #include <asm/fixmap.h>
 #include <linux/bcd.h>
@@ -136,9 +135,17 @@ static int handshake(void __iomem *ptr, u32 mask, u32 done, int wait, int delay)
 {
 	u32 result;
 
-	return readl_poll_timeout_atomic(ptr, result,
-					 ((result & mask) == done),
-					 delay, wait);
+	/* Can not use readl_poll_timeout_atomic() for early boot things */
+	do {
+		result = readl(ptr);
+		result &= mask;
+		if (result == done)
+			return 0;
+		udelay(delay);
+		wait -= delay;
+	} while (wait > 0);
+
+	return -ETIMEDOUT;
 }
 
 static void __init xdbc_bios_handoff(void)
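Review bot: The open-coded loop in handshake() terminates only through wait -= delay, so a caller passing delay == 0 spins forever when the register never reaches done. A guard at the top of the function, or a comment stating that delay must be positive, should accompany the loop. The timeout is also only approximate, since the time spent in readl() is not counted against wait; worth saying so in the comment.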
-- 
2.34.1





* [PATCH 5.15 115/177] KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 114/177] Revert "usb: early: convert to readl_poll_timeout_atomic()" Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 116/177] tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson,
	Vitaly Kuznetsov, Paolo Bonzini, Sasha Levin

From: Vitaly Kuznetsov <vkuznets@redhat.com>

[ Upstream commit 1aa2abb33a419090c7c87d4ae842a6347078ee12 ]

The ability to write to MSR_IA32_PERF_CAPABILITIES from the host should
not depend on guest visible CPUID entries, even if just to allow
creating/restoring guest MSRs and CPUIDs in any sequence.

Fixes: 27461da31089 ("KVM: x86/pmu: Support full width counting")
Suggested-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Message-Id: <20211216165213.338923-3-vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/x86/kvm/x86.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c
index 3c9e2d236830c..dea578586fa4e 100644
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -3359,7 +3359,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
 
 		if (!msr_info->host_initiated)
 			return 1;
-		if (guest_cpuid_has(vcpu, X86_FEATURE_PDCM) && kvm_get_msr_feature(&msr_ent))
+		if (kvm_get_msr_feature(&msr_ent))
 			return 1;
 		if (data & ~msr_ent.data)
 			return 1;
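Review bot: With guest_cpuid_has(vcpu, X86_FEATURE_PDCM) gone, the only remaining filter on a host-initiated write is data & ~msr_ent.data, so the MSR can now hold capability bits on a vCPU whose guest CPUID never advertises PDCM. That is the intent per the changelog (MSRs and CPUID may be restored in any order), but it should be stated in a comment here, and any code that consumes the stored value on behalf of the guest needs to check guest CPUID at use time rather than assume it was validated at write time.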
-- 
2.34.1





* [PATCH 5.15 116/177] tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 115/177] KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 117/177] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Linus Torvalds,
	Fabio M. De Francesco, Tetsuo Handa, Jiri Slaby

From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>

commit 1ee33b1ca2b8dabfcc17198ffd049a6b55674a86 upstream.

syzbot is reporting that an unprivileged user who logged in from tty
console can crash the system using a reproducer shown below [1], for
n_hdlc_tty_wakeup() is synchronously calling n_hdlc_send_frames().

----------
  #include <sys/ioctl.h>
  #include <unistd.h>

  int main(int argc, char *argv[])
  {
    const int disc = 0xd;

    ioctl(1, TIOCSETD, &disc);
    while (1) {
      ioctl(1, TCXONC, 0);
      write(1, "", 1);
      ioctl(1, TCXONC, 1); /* Kernel panic - not syncing: scheduling while atomic */
    }
  }
----------

Linus suspected that "struct tty_ldisc"->ops->write_wakeup() must not
sleep, and Jiri confirmed it from include/linux/tty_ldisc.h. Thus, defer
n_hdlc_send_frames() from n_hdlc_tty_wakeup() to a WQ context like
net/nfc/nci/uart.c does.

Link: https://syzkaller.appspot.com/bug?extid=5f47a8cea6a12b77a876 [1]
Reported-by: syzbot <syzbot+5f47a8cea6a12b77a876@syzkaller.appspotmail.com>
Cc: stable <stable@vger.kernel.org>
Analyzed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Confirmed-by: Jiri Slaby <jirislaby@kernel.org>
Reviewed-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Link: https://lore.kernel.org/r/40de8b7e-a3be-4486-4e33-1b1d1da452f8@i-love.sakura.ne.jp
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/n_hdlc.c |   23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

--- a/drivers/tty/n_hdlc.c
+++ b/drivers/tty/n_hdlc.c
@@ -140,6 +140,8 @@ struct n_hdlc {
 	struct n_hdlc_buf_list	rx_buf_list;
 	struct n_hdlc_buf_list	tx_free_buf_list;
 	struct n_hdlc_buf_list	rx_free_buf_list;
+	struct work_struct	write_work;
+	struct tty_struct	*tty_for_write_work;
 };
 
 /*
@@ -154,6 +156,7 @@ static struct n_hdlc_buf *n_hdlc_buf_get
 /* Local functions */
 
 static struct n_hdlc *n_hdlc_alloc(void);
+static void n_hdlc_tty_write_work(struct work_struct *work);
 
 /* max frame size for memory allocations */
 static int maxframe = 4096;
@@ -210,6 +213,8 @@ static void n_hdlc_tty_close(struct tty_
 	wake_up_interruptible(&tty->read_wait);
 	wake_up_interruptible(&tty->write_wait);
 
+	cancel_work_sync(&n_hdlc->write_work);
+
 	n_hdlc_free_buf_list(&n_hdlc->rx_free_buf_list);
 	n_hdlc_free_buf_list(&n_hdlc->tx_free_buf_list);
 	n_hdlc_free_buf_list(&n_hdlc->rx_buf_list);
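Review bot: cancel_work_sync(&n_hdlc->write_work) flushes work that is already queued, but nothing visible in this hunk stops n_hdlc_tty_wakeup() from calling schedule_work() again between this call and the buffer lists being freed just below. Please confirm that write_wakeup cannot be invoked on this tty once n_hdlc_tty_close() is running, or close off the path that reaches schedule_work() before cancelling.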
@@ -241,6 +246,8 @@ static int n_hdlc_tty_open(struct tty_st
 		return -ENFILE;
 	}
 
+	INIT_WORK(&n_hdlc->write_work, n_hdlc_tty_write_work);
+	n_hdlc->tty_for_write_work = tty;
 	tty->disc_data = n_hdlc;
 	tty->receive_room = 65536;
 
@@ -335,6 +342,20 @@ check_again:
 }	/* end of n_hdlc_send_frames() */
 
 /**
+ * n_hdlc_tty_write_work - Asynchronous callback for transmit wakeup
+ * @work: pointer to work_struct
+ *
+ * Called when low level device driver can accept more send data.
+ */
+static void n_hdlc_tty_write_work(struct work_struct *work)
+{
+	struct n_hdlc *n_hdlc = container_of(work, struct n_hdlc, write_work);
+	struct tty_struct *tty = n_hdlc->tty_for_write_work;
+
+	n_hdlc_send_frames(n_hdlc, tty);
+}	/* end of n_hdlc_tty_write_work() */
+
+/**
  * n_hdlc_tty_wakeup - Callback for transmit wakeup
  * @tty: pointer to associated tty instance data
  *
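Review bot: n_hdlc_tty_write_work() dereferences n_hdlc->tty_for_write_work as a bare pointer with no reference held, so its validity rests entirely on the cancel_work_sync() in n_hdlc_tty_close() running before the tty goes away; the kernel-doc should say so. Its current description, "Called when low level device driver can accept more send data", was carried over from the wakeup callback and no longer describes the caller, which is now the workqueue.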
@@ -344,7 +365,7 @@ static void n_hdlc_tty_wakeup(struct tty
 {
 	struct n_hdlc *n_hdlc = tty->disc_data;
 
-	n_hdlc_send_frames(n_hdlc, tty);
+	schedule_work(&n_hdlc->write_work);
 }	/* end of n_hdlc_tty_wakeup() */
 
 /**




* [PATCH 5.15 117/177] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 116/177] tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 118/177] usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, markpearson, Jimmy Wang

From: Jimmy Wang <wangjm221@gmail.com>

commit 0ad3bd562bb91853b9f42bda145b5db6255aee90 upstream.

This device doesn't work well with LPM, losing connectivity intermittently.
Disable LPM to resolve the issue.

Reviewed-by: <markpearson@lenovo.com>
Signed-off-by: Jimmy Wang <wangjm221@gmail.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211214012652.4898-1-wangjm221@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/quirks.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -434,6 +434,9 @@ static const struct usb_device_id usb_qu
 	{ USB_DEVICE(0x1532, 0x0116), .driver_info =
 			USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
 
+	/* Lenovo USB-C to Ethernet Adapter RTL8153-04 */
+	{ USB_DEVICE(0x17ef, 0x720c), .driver_info = USB_QUIRK_NO_LPM },
+
 	/* Lenovo Powered USB-C Travel Hub (4X90S92381, RTL8153 GigE) */
 	{ USB_DEVICE(0x17ef, 0x721e), .driver_info = USB_QUIRK_NO_LPM },
 




* [PATCH 5.15 118/177] usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 117/177] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 119/177] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Minas Harutyunyan, Amelie Delaunay

From: Amelie Delaunay <amelie.delaunay@foss.st.com>

commit fac6bf87c55f7f0733efb0375565fb6a50cf2caf upstream.

When activate_stm_id_vb_detection is enabled, ID and Vbus detection relies
on sensing comparators. This detection needs time to stabilize.
A delay was already applied in dwc2_resume() when reactivating the
detection, but it wasn't done in dwc2_probe().
This patch adds a delay after enabling STM ID/VBUS detection. Then, the ID state
is good when initializing gadget and host, which avoids getting a wrong
Connector ID Status Change interrupt.

Fixes: a415083a11cc ("usb: dwc2: add support for STM32MP15 SoCs USB OTG HS and FS")
Cc: stable <stable@vger.kernel.org>
Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
Signed-off-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
Link: https://lore.kernel.org/r/20211207124510.268841-1-amelie.delaunay@foss.st.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc2/platform.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/dwc2/platform.c
+++ b/drivers/usb/dwc2/platform.c
@@ -575,6 +575,9 @@ static int dwc2_driver_probe(struct plat
 		ggpio |= GGPIO_STM32_OTG_GCCFG_IDEN;
 		ggpio |= GGPIO_STM32_OTG_GCCFG_VBDEN;
 		dwc2_writel(hsotg, ggpio, GGPIO);
+
+		/* ID/VBUS detection startup time */
+		usleep_range(5000, 7000);
 	}
 
 	retval = dwc2_drd_init(hsotg);
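Review bot: usleep_range(5000, 7000) introduces bare numbers for the comparator settling time. The changelog says dwc2_resume() already applies a delay for the same reason, so both sites should use one named constant, or a shared helper that sets the GGPIO bits and then waits, to keep probe and resume in step.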




* [PATCH 5.15 119/177] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 118/177] usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 120/177] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Roese, Thomas Gleixner,
	linux-pci, Bjorn Helgaas, Michal Simek, Marek Vasut

From: Thomas Gleixner <tglx@linutronix.de>

commit 94185adbfad56815c2c8401e16d81bdb74a79201 upstream.

PCI_MSIX_FLAGS_MASKALL is set in the MSI-X control register at MSI-X
interrupt setup time. It's cleared on success, but the error handling path
only clears the PCI_MSIX_FLAGS_ENABLE bit.

That's incorrect as the reset state of the PCI_MSIX_FLAGS_MASKALL bit is
zero. That can be observed via lspci:

        Capabilities: [b0] MSI-X: Enable- Count=67 Masked+

Clear the bit in the error path to restore the reset state.

Fixes: 438553958ba1 ("PCI/MSI: Enable and mask MSI-X early")
Reported-by: Stefan Roese <sr@denx.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Stefan Roese <sr@denx.de>
Cc: linux-pci@vger.kernel.org
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Marek Vasut <marex@denx.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/87tufevoqx.ffs@tglx
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/msi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -776,7 +776,7 @@ out_free:
 	free_msi_irqs(dev);
 
 out_disable:
-	pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_ENABLE, 0);
+	pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL | PCI_MSIX_FLAGS_ENABLE, 0);
 
 	return ret;
 }
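Review bot: The out_disable path now clears two bits for two different reasons, and the line itself gives no hint why PCI_MSIX_FLAGS_MASKALL is included. A short comment above the call recording that MASKALL is 0 after reset, and that the error path restores the reset state, would keep the reasoning from the changelog next to the code.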




* [PATCH 5.15 120/177] PCI/MSI: Mask MSI-X vectors only on success
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 119/177] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 121/177] usb: xhci-mtk: fix list_del warning when enable list debug Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stefan Roese, Thomas Gleixner,
	linux-pci, Bjorn Helgaas, Michal Simek, Marek Vasut

From: Stefan Roese <sr@denx.de>

commit 83dbf898a2d45289be875deb580e93050ba67529 upstream.

Masking all unused MSI-X entries is done to ensure that a crash kernel
starts from a clean slate, which corresponds to the reset state of the
device as defined in the PCI-E specification 3.0 and later:

 Vector Control for MSI-X Table Entries
 --------------------------------------

 "00: Mask bit:  When this bit is set, the function is prohibited from
                 sending a message using this MSI-X Table entry.
                 ...
                 This bit’s state after reset is 1 (entry is masked)."

A Marvell NVME device fails to deliver MSI interrupts after trying to
enable MSI-X interrupts due to that masking. It seems to take the MSI-X
mask bits into account even when MSI-X is disabled.

While not specification compliant, this can be cured by moving the masking
into the success path, so that the MSI-X table entries stay in device reset
state when the MSI-X setup fails.

[ tglx: Move it into the success path, add comment and amend changelog ]

Fixes: aa8092c1d1f1 ("PCI/MSI: Mask all unused MSI-X entries")
Signed-off-by: Stefan Roese <sr@denx.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-pci@vger.kernel.org
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Michal Simek <michal.simek@xilinx.com>
Cc: Marek Vasut <marex@denx.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211210161025.3287927-1-sr@denx.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/pci/msi.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- a/drivers/pci/msi.c
+++ b/drivers/pci/msi.c
@@ -721,9 +721,6 @@ static int msix_capability_init(struct p
 		goto out_disable;
 	}
 
-	/* Ensure that all table entries are masked. */
-	msix_mask_all(base, tsize);
-
 	ret = msix_setup_entries(dev, base, entries, nvec, affd);
 	if (ret)
 		goto out_disable;
@@ -750,6 +747,16 @@ static int msix_capability_init(struct p
 	/* Set MSI-X enabled bits and unmask the function */
 	pci_intx_for_msi(dev, 0);
 	dev->msix_enabled = 1;
+
+	/*
+	 * Ensure that all table entries are masked to prevent
+	 * stale entries from firing in a crash kernel.
+	 *
+	 * Done late to deal with a broken Marvell NVME device
+	 * which takes the MSI-X mask bits into account even
+	 * when MSI-X is disabled, which prevents MSI delivery.
+	 */
+	msix_mask_all(base, tsize);
 	pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0);
 
 	pcibios_free_irq(dev);
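
Review bot: The added comment above msix_mask_all() explains why the call is late but not the ordering constraint it now depends on: it has to stay ahead of the pci_msix_clear_and_set_ctrl(dev, PCI_MSIX_FLAGS_MASKALL, 0) on the next line, because once the function is unmasked any stale unmasked entry can fire. Say so in the comment. The existing "Set MSI-X enabled bits and unmask the function" comment is also now separated from the unmask call by the new block and would read better directly above that call.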




* [PATCH 5.15 121/177] usb: xhci-mtk: fix list_del warning when enable list debug
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 120/177] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 122/177] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chunfeng Yun

From: Chunfeng Yun <chunfeng.yun@mediatek.com>

commit ccc14c6cfd346e85c3ecb970975afd5132763437 upstream.

There is a warning of 'list_del corruption' when list debug is enabled
(CONFIG_DEBUG_LIST=y); fix it by using list_del_init().

Fixes: 4ce186665e7c ("usb: xhci-mtk: Do not use xhci's virt_dev in drop_endpoint")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Chunfeng Yun <chunfeng.yun@mediatek.com>
Link: https://lore.kernel.org/r/20211209025422.17108-1-chunfeng.yun@mediatek.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-mtk-sch.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-mtk-sch.c
+++ b/drivers/usb/host/xhci-mtk-sch.c
@@ -781,7 +781,7 @@ int xhci_mtk_check_bandwidth(struct usb_
 
 	ret = xhci_check_bandwidth(hcd, udev);
 	if (!ret)
-		INIT_LIST_HEAD(&mtk->bw_ep_chk_list);
+		list_del_init(&mtk->bw_ep_chk_list);
 
 	return ret;
 }
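
Review bot: list_del_init(&mtk->bw_ep_chk_list) is applied to what the replaced INIT_LIST_HEAD() suggests is the list head rather than an entry. That unlinks the head and leaves the former entries linked only to each other, which is an unusual idiom and deserves a comment. If the intent is to empty the list, walking it with list_for_each_entry_safe() and calling list_del_init() on each entry states that directly.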




* [PATCH 5.15 122/177] usb: xhci: Extend support for runtime power management for AMDs Yellow carp.
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 121/177] usb: xhci-mtk: fix list_del warning when enable list debug Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 123/177] usb: cdnsp: Fix incorrect status for control request Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Nehal Bakulchandra Shah

From: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>

commit f886d4fbb7c97b8f5f447c92d2dab99c841803c0 upstream.

AMD's Yellow Carp platform has a few more XHCI controllers;
enable the runtime power management support for them.

Signed-off-by: Nehal Bakulchandra Shah <Nehal-Bakulchandra.shah@amd.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211215093216.1839065-1-Nehal-Bakulchandra.shah@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/xhci-pci.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/usb/host/xhci-pci.c
+++ b/drivers/usb/host/xhci-pci.c
@@ -71,6 +71,8 @@
 #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4		0x161e
 #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5		0x15d6
 #define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6		0x15d7
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7		0x161c
+#define PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8		0x161f
 
 #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI			0x1042
 #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI		0x1142
@@ -330,7 +332,9 @@ static void xhci_pci_quirks(struct devic
 	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_3 ||
 	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_4 ||
 	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_5 ||
-	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6))
+	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_6 ||
+	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_7 ||
+	    pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_8))
 		xhci->quirks |= XHCI_DEFAULT_PM_RUNTIME_ALLOW;
 
 	if (xhci->quirks & XHCI_RESET_ON_RESUME)
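
Review bot: The condition in xhci_pci_quirks() now chains eight pdev->device == PCI_DEVICE_ID_AMD_YELLOW_CARP_XHCI_n comparisons, and every new controller lengthens it. A switch on pdev->device or a small ID table would keep the XHCI_DEFAULT_PM_RUNTIME_ALLOW list reviewable and make a missed or duplicated ID easier to spot.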




* [PATCH 5.15 123/177] usb: cdnsp: Fix incorrect status for control request
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 122/177] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 124/177] usb: cdnsp: Fix incorrect calling of cdnsp_died function Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ken (Jian) He, Peter Chen, Pawel Laszczak

From: Pawel Laszczak <pawell@cadence.com>

commit 99ea221f2e2f2743314e348b25c1e2574b467528 upstream.

Patch fixes incorrect status for control request.
Without this fix all usb_request objects were returned to upper drivers
with usb_request->status field set to -EINPROGRESS.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: <stable@vger.kernel.org>
Reported-by: Ken (Jian) He <jianhe@ambarella.com>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20211207091838.39572-1-pawell@gli-login.cadence.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-ring.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1029,6 +1029,8 @@ static void cdnsp_process_ctrl_td(struct
 		return;
 	}
 
+	*status = 0;
+
 	cdnsp_finish_td(pdev, td, event, pep, status);
 }
 
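
Review bot: The new *status = 0 ahead of cdnsp_finish_td() is unconditional, so any value the caller or an earlier branch of cdnsp_process_ctrl_td() placed in *status is overwritten on this path. A short comment stating that a control TD reaching this point is always reported as successful, and that error cases return earlier, would make that intent checkable.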




* [PATCH 5.15 124/177] usb: cdnsp: Fix incorrect calling of cdnsp_died function
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 123/177] usb: cdnsp: Fix incorrect status for control request Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 125/177] usb: cdnsp: Fix issue in cdnsp_log_ep trace event Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Pawel Laszczak

From: Pawel Laszczak <pawell@cadence.com>

commit 16f00d969afe60e233c1a91af7ac840df60d3536 upstream.

Patch restricts calling of the cdnsp_died function during module removal
or software disconnect.
This function was called because after transitioning the controller to HALT
state the driver starts handling the deferred interrupt.
In this case such an interrupt can simply be ignored.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20211210112945.660-1-pawell@gli-login.cadence.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-ring.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1525,7 +1525,14 @@ irqreturn_t cdnsp_thread_irq_handler(int
 	spin_lock_irqsave(&pdev->lock, flags);
 
 	if (pdev->cdnsp_state & (CDNSP_STATE_HALTED | CDNSP_STATE_DYING)) {
-		cdnsp_died(pdev);
+		/*
+		 * While removing or stopping driver there may still be deferred
+		 * not handled interrupt which should not be treated as error.
+		 * Driver should simply ignore it.
+		 */
+		if (pdev->gadget_driver)
+			cdnsp_died(pdev);
+
 		spin_unlock_irqrestore(&pdev->lock, flags);
 		return IRQ_HANDLED;
 	}
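
Review bot: The new pdev->gadget_driver test is only a reliable signal for "removing or stopping" if gadget_driver is cleared under pdev->lock, which this handler holds at the check; the hunk does not show the writer, so that needs confirming or the comment should name the lock it relies on. The comment wording "deferred not handled interrupt" is also hard to parse; "a deferred interrupt that has not been handled yet" reads more clearly.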




* [PATCH 5.15 125/177] usb: cdnsp: Fix issue in cdnsp_log_ep trace event
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 124/177] usb: cdnsp: Fix incorrect calling of cdnsp_died function Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 126/177] usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Peter Chen, Pawel Laszczak

From: Pawel Laszczak <pawell@cadence.com>

commit 50931ba27d1665c8b038cd1d16c5869301f32fd6 upstream.

Patch fixes incorrect order of __entry->stream_id and __entry->state
parameters in TP_printk macro.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: <stable@vger.kernel.org>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Link: https://lore.kernel.org/r/20211213050609.22640-1-pawell@gli-login.cadence.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-trace.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/usb/cdns3/cdnsp-trace.h
+++ b/drivers/usb/cdns3/cdnsp-trace.h
@@ -57,9 +57,9 @@ DECLARE_EVENT_CLASS(cdnsp_log_ep,
 		__entry->first_prime_det = pep->stream_info.first_prime_det;
 		__entry->drbls_count = pep->stream_info.drbls_count;
 	),
-	TP_printk("%s: SID: %08x ep state: %x stream: enabled: %d num  %d "
+	TP_printk("%s: SID: %08x, ep state: %x, stream: enabled: %d num %d "
 		  "tds %d, first prime: %d drbls %d",
-		  __get_str(name), __entry->state, __entry->stream_id,
+		  __get_str(name), __entry->stream_id, __entry->state,
 		  __entry->enabled, __entry->num_streams, __entry->td_count,
 		  __entry->first_prime_det, __entry->drbls_count)
 );
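
Review bot: Besides swapping __entry->stream_id and __entry->state, the TP_printk() format string itself changes (commas added after the SID and ep state fields, the double space before the second %d removed), which the changelog does not mention. For a stable backport that alters the text seen by anything parsing this trace event, so the cosmetic change is better split out or at least called out in the changelog.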




* [PATCH 5.15 126/177] usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 125/177] usb: cdnsp: Fix issue in cdnsp_log_ep trace event Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 127/177] usb: typec: tcpm: fix tcpm unregister port but leave a pending timer Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ken (Jian) He, Pawel Laszczak, Peter Chen

From: Pawel Laszczak <pawell@cadence.com>

commit 4c4e162d9cf38528c4f13df09d5755cbc06f6c77 upstream.

Patch puts content of cdnsp_gadget_pullup function inside
spin_lock_irqsave and spin_lock_restore section.
This construction is required here to keep the data consistency,
otherwise some data can be changed e.g. from interrupt context.

Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
Reported-by: Ken (Jian) He <jianhe@ambarella.com>
cc: <stable@vger.kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/20211214045527.26823-1-pawell@gli-login.cadence.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/cdns3/cdnsp-gadget.c |   12 ++++++++++++
 1 file changed, 12 insertions(+)

--- a/drivers/usb/cdns3/cdnsp-gadget.c
+++ b/drivers/usb/cdns3/cdnsp-gadget.c
@@ -1541,15 +1541,27 @@ static int cdnsp_gadget_pullup(struct us
 {
 	struct cdnsp_device *pdev = gadget_to_cdnsp(gadget);
 	struct cdns *cdns = dev_get_drvdata(pdev->dev);
+	unsigned long flags;
 
 	trace_cdnsp_pullup(is_on);
 
+	/*
+	 * Disable events handling while controller is being
+	 * enabled/disabled.
+	 */
+	disable_irq(cdns->dev_irq);
+	spin_lock_irqsave(&pdev->lock, flags);
+
 	if (!is_on) {
 		cdnsp_reset_device(pdev);
 		cdns_clear_vbus(cdns);
 	} else {
 		cdns_set_vbus(cdns);
 	}
+
+	spin_unlock_irqrestore(&pdev->lock, flags);
+	enable_irq(cdns->dev_irq);
+
 	return 0;
 }
 
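
Review bot: cdnsp_reset_device(), cdns_clear_vbus() and cdns_set_vbus() now run inside spin_lock_irqsave(&pdev->lock, flags), so none of them may sleep; the hunk does not show that, and it should be confirmed for each. The changelog also describes only the spinlock, while the code adds disable_irq()/enable_irq() around it. Since disable_irq() waits for running handlers to finish, the comment should say why both are needed and that cdnsp_gadget_pullup() must not be called from a path the interrupt handler waits on.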




* [PATCH 5.15 127/177] usb: typec: tcpm: fix tcpm unregister port but leave a pending timer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 126/177] usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 128/177] usb: gadget: u_ether: fix race in setting MAC address in setup phase Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Heikki Krogerus, Xu Yang

From: Xu Yang <xu.yang_2@nxp.com>

commit ca4d8344a72b91fb9d4c8bfbc22204b4c09c5d8f upstream.

In the current design, when the tcpm port is unregistered, the kthread_worker
will be destroyed in the last step. Inside the kthread_destroy_worker(),
the worker will flush all the works and wait for them to end. However, if
one of the works calls hrtimer_start(), this hrtimer will be pending until
timeout even though the tcpm port is removed. Once the hrtimer times out, many
strange kernel dumps appear.

Thus, we can first complete kthread_destroy_worker(), then cancel all the
hrtimers. This will guarantee that no hrtimer is pending at the end.

Fixes: 3ed8e1c2ac99 ("usb: typec: tcpm: Migrate workqueue to RT priority for processing events")
cc: <stable@vger.kernel.org>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Link: https://lore.kernel.org/r/20211209101507.499096-1-xu.yang_2@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/tcpm/tcpm.c |   18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -324,6 +324,7 @@ struct tcpm_port {
 
 	bool attached;
 	bool connected;
+	bool registered;
 	bool pd_supported;
 	enum typec_port_type port_type;
 
@@ -6291,7 +6292,8 @@ static enum hrtimer_restart state_machin
 {
 	struct tcpm_port *port = container_of(timer, struct tcpm_port, state_machine_timer);
 
-	kthread_queue_work(port->wq, &port->state_machine);
+	if (port->registered)
+		kthread_queue_work(port->wq, &port->state_machine);
 	return HRTIMER_NORESTART;
 }
 
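
Review bot: port->registered is read in this hrtimer callback with no lock and no READ_ONCE(), while tcpm_unregister_port() clears it with a plain store. A handler that has already passed the check can therefore still reach kthread_queue_work(port->wq, ...) while the worker is being destroyed. At minimum the accesses should be marked with READ_ONCE()/WRITE_ONCE(), and the remaining window deserves a comment; the same applies to the three other timer handlers changed below.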
@@ -6299,7 +6301,8 @@ static enum hrtimer_restart vdm_state_ma
 {
 	struct tcpm_port *port = container_of(timer, struct tcpm_port, vdm_state_machine_timer);
 
-	kthread_queue_work(port->wq, &port->vdm_state_machine);
+	if (port->registered)
+		kthread_queue_work(port->wq, &port->vdm_state_machine);
 	return HRTIMER_NORESTART;
 }
 
@@ -6307,7 +6310,8 @@ static enum hrtimer_restart enable_frs_t
 {
 	struct tcpm_port *port = container_of(timer, struct tcpm_port, enable_frs_timer);
 
-	kthread_queue_work(port->wq, &port->enable_frs);
+	if (port->registered)
+		kthread_queue_work(port->wq, &port->enable_frs);
 	return HRTIMER_NORESTART;
 }
 
@@ -6315,7 +6319,8 @@ static enum hrtimer_restart send_discove
 {
 	struct tcpm_port *port = container_of(timer, struct tcpm_port, send_discover_timer);
 
-	kthread_queue_work(port->wq, &port->send_discover_work);
+	if (port->registered)
+		kthread_queue_work(port->wq, &port->send_discover_work);
 	return HRTIMER_NORESTART;
 }
 
@@ -6403,6 +6408,7 @@ struct tcpm_port *tcpm_register_port(str
 	typec_port_register_altmodes(port->typec_port,
 				     &tcpm_altmode_ops, port,
 				     port->port_altmode, ALTMODE_DISCOVERY_MAX);
+	port->registered = true;
 
 	mutex_lock(&port->lock);
 	tcpm_init(port);
@@ -6424,6 +6430,9 @@ void tcpm_unregister_port(struct tcpm_po
 {
 	int i;
 
+	port->registered = false;
+	kthread_destroy_worker(port->wq);
+
 	hrtimer_cancel(&port->send_discover_timer);
 	hrtimer_cancel(&port->enable_frs_timer);
 	hrtimer_cancel(&port->vdm_state_machine_timer);
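
Review bot: The order of the steps at the top of tcpm_unregister_port() (clear port->registered, then kthread_destroy_worker(), then the hrtimer_cancel() calls) is the whole fix, yet the code carries no comment explaining it. Without one, a later cleanup can move kthread_destroy_worker() back to the end of the function and reintroduce the pending-timer problem the changelog describes.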
@@ -6435,7 +6444,6 @@ void tcpm_unregister_port(struct tcpm_po
 	typec_unregister_port(port->typec_port);
 	usb_role_switch_put(port->role_sw);
 	tcpm_debugfs_exit(port);
-	kthread_destroy_worker(port->wq);
 }
 EXPORT_SYMBOL_GPL(tcpm_unregister_port);
 




* [PATCH 5.15 128/177] usb: gadget: u_ether: fix race in setting MAC address in setup phase
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 127/177] usb: typec: tcpm: fix tcpm unregister port but leave a pending timer Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 129/177] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Marian Postevca

From: Marian Postevca <posteuca@mutex.one>

commit 890d5b40908bfd1a79be018d2d297cf9df60f4ee upstream.

When listening for notifications through netlink of a new interface being
registered, sporadically, it is possible for the MAC to be read as zero.
The zero MAC address lasts a short period of time and then switches to a
valid random MAC address.

This causes problems for netd in Android, which assumes that the interface
is malfunctioning and will not use it.

In the good case we get this log:
InterfaceController::getCfg() ifName usb0
 hwAddr 92:a8:f0:73:79:5b ipv4Addr 0.0.0.0 flags 0x1002

In the error case we get these logs:
InterfaceController::getCfg() ifName usb0
 hwAddr 00:00:00:00:00:00 ipv4Addr 0.0.0.0 flags 0x1002

netd : interfaceGetCfg("usb0")
netd : interfaceSetCfg() -> ServiceSpecificException
 (99, "[Cannot assign requested address] : ioctl() failed")

The reason for the issue is the order in which the interface is set up:
it is first registered through register_netdev() and only afterwards is the
MAC address set.

Fixed by first setting the MAC address of the net_device and after that
calling register_netdev().

Fixes: bcd4a1c40bee885e ("usb: gadget: u_ether: construct with default values and add setters/getters")
Cc: stable@vger.kernel.org
Signed-off-by: Marian Postevca <posteuca@mutex.one>
Link: https://lore.kernel.org/r/20211204214912.17627-1-posteuca@mutex.one
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/u_ether.c |   16 ++++++----------
 1 file changed, 6 insertions(+), 10 deletions(-)

--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -17,6 +17,7 @@
 #include <linux/etherdevice.h>
 #include <linux/ethtool.h>
 #include <linux/if_vlan.h>
+#include <linux/etherdevice.h>
 
 #include "u_ether.h"
 
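
Review bot: The added #include <linux/etherdevice.h> duplicates the include that is already the first context line of this hunk, three lines above. The new line can simply be dropped.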
@@ -861,19 +862,23 @@ int gether_register_netdev(struct net_de
 {
 	struct eth_dev *dev;
 	struct usb_gadget *g;
-	struct sockaddr sa;
 	int status;
 
 	if (!net->dev.parent)
 		return -EINVAL;
 	dev = netdev_priv(net);
 	g = dev->gadget;
+
+	net->addr_assign_type = NET_ADDR_RANDOM;
+	eth_hw_addr_set(net, dev->dev_mac);
+
 	status = register_netdev(net);
 	if (status < 0) {
 		dev_dbg(&g->dev, "register_netdev failed, %d\n", status);
 		return status;
 	} else {
 		INFO(dev, "HOST MAC %pM\n", dev->host_mac);
+		INFO(dev, "MAC %pM\n", dev->dev_mac);
 
 		/* two kinds of host-initiated state changes:
 		 *  - iff DATA transfer is active, carrier is "on"
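
Review bot: net->addr_assign_type = NET_ADDR_RANDOM is set unconditionally before eth_hw_addr_set(net, dev->dev_mac). If dev->dev_mac can also come from a user-supplied setting rather than a generated address, the device will report a random address type for a configured MAC, so the assignment should depend on how dev_mac was obtained. The removed dev_set_mac_address() path also reported failure with pr_warn(), which the direct assignment no longer does; worth a line in the changelog.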
@@ -881,15 +886,6 @@ int gether_register_netdev(struct net_de
 		 */
 		netif_carrier_off(net);
 	}
-	sa.sa_family = net->type;
-	memcpy(sa.sa_data, dev->dev_mac, ETH_ALEN);
-	rtnl_lock();
-	status = dev_set_mac_address(net, &sa, NULL);
-	rtnl_unlock();
-	if (status)
-		pr_warn("cannot set self ethernet address: %d\n", status);
-	else
-		INFO(dev, "MAC %pM\n", dev->dev_mac);
 
 	return status;
 }




* [PATCH 5.15 129/177] USB: serial: cp210x: fix CP2105 GPIO registration
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 128/177] usb: gadget: u_ether: fix race in setting MAC address in setup phase Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 130/177] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Maarten Brock, Karoly Pados, Johan Hovold

From: Johan Hovold <johan@kernel.org>

commit 83b67041f3eaf33f98a075249aa7f4c7617c2f85 upstream.

When generalising GPIO support and adding support for CP2102N, the GPIO
registration for some CP2105 devices accidentally broke. Specifically,
when all the pins of a port are in "modem" mode, and thus unavailable
for GPIO use, the GPIO chip would now be registered without having
initialised the number of GPIO lines. This would in turn be rejected by
gpiolib and some error messages would be printed (but importantly probe
would still succeed).

Fix this by initialising the number of GPIO lines before registering the
GPIO chip.

Note that as for the other device types, and as when all CP2105 pins are
muxed for LED function, the GPIO chip is registered also when no pins
are available for GPIO use.

Reported-by: Maarten Brock <m.brock@vanmierlo.com>
Link: https://lore.kernel.org/r/5eb560c81d2ea1a2b4602a92d9f48a89@vanmierlo.com
Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N")
Cc: stable@vger.kernel.org      # 4.19
Cc: Karoly Pados <pados@pados.hu>
Link: https://lore.kernel.org/r/20211126094348.31698-1-johan@kernel.org
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tested-by: Maarten Brock <m.brock@vanmierlo.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/cp210x.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/drivers/usb/serial/cp210x.c
+++ b/drivers/usb/serial/cp210x.c
@@ -1682,6 +1682,8 @@ static int cp2105_gpioconf_init(struct u
 
 	/*  2 banks of GPIO - One for the pins taken from each serial port */
 	if (intf_num == 0) {
+		priv->gc.ngpio = 2;
+
 		if (mode.eci == CP210X_PIN_MODE_MODEM) {
 			/* mark all GPIOs of this interface as reserved */
 			priv->gpio_altfunc = 0xff;
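
Review bot: priv->gc.ngpio = 2 now sits at the top of the intf_num == 0 branch, but nothing in the code says it has to come before the CP210X_PIN_MODE_MODEM check. A one-line comment that ngpio must be initialised even when all pins are reserved would stop the assignment drifting back below the check. The bare 2 here and 3 in the other branch would also read better as named constants.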
@@ -1692,8 +1694,9 @@ static int cp2105_gpioconf_init(struct u
 		priv->gpio_pushpull = (u8)((le16_to_cpu(config.gpio_mode) &
 						CP210X_ECI_GPIO_MODE_MASK) >>
 						CP210X_ECI_GPIO_MODE_OFFSET);
-		priv->gc.ngpio = 2;
 	} else if (intf_num == 1) {
+		priv->gc.ngpio = 3;
+
 		if (mode.sci == CP210X_PIN_MODE_MODEM) {
 			/* mark all GPIOs of this interface as reserved */
 			priv->gpio_altfunc = 0xff;
@@ -1704,7 +1707,6 @@ static int cp2105_gpioconf_init(struct u
 		priv->gpio_pushpull = (u8)((le16_to_cpu(config.gpio_mode) &
 						CP210X_SCI_GPIO_MODE_MASK) >>
 						CP210X_SCI_GPIO_MODE_OFFSET);
-		priv->gc.ngpio = 3;
 	} else {
 		return -ENODEV;
 	}




* [PATCH 5.15 130/177] USB: serial: option: add Telit FN990 compositions
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 129/177] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 131/177] selinux: fix sleeping function called from invalid context Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daniele Palmas, Johan Hovold

From: Daniele Palmas <dnlplm@gmail.com>

commit 2b503c8598d1b232e7fc7526bce9326d92331541 upstream.

Add the following Telit FN990 compositions:

0x1070: tty, adb, rmnet, tty, tty, tty, tty
0x1071: tty, adb, mbim, tty, tty, tty, tty
0x1072: rndis, tty, adb, tty, tty, tty, tty
0x1073: tty, adb, ecm, tty, tty, tty, tty

Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Link: https://lore.kernel.org/r/20211210100714.22587-1-dnlplm@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/serial/option.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1219,6 +1219,14 @@ static const struct usb_device_id option
 	  .driver_info = NCTRL(2) | RSVD(3) },
 	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff),	/* Telit LN920 (ECM) */
 	  .driver_info = NCTRL(0) | RSVD(1) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1070, 0xff),	/* Telit FN990 (rmnet) */
+	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1071, 0xff),	/* Telit FN990 (MBIM) */
+	  .driver_info = NCTRL(0) | RSVD(1) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1072, 0xff),	/* Telit FN990 (RNDIS) */
+	  .driver_info = NCTRL(2) | RSVD(3) },
+	{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1073, 0xff),	/* Telit FN990 (ECM) */
+	  .driver_info = NCTRL(0) | RSVD(1) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
 	  .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
 	{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
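
Review bot: The 0x1072 entry uses NCTRL(2) | RSVD(3), which does not line up with the changelog's function list (rndis, tty, adb, ...) unless rndis occupies two interfaces. That matches the LN920 pattern in the context above, but the assumption should be stated in the changelog or the trailing comment so the interface numbers can be checked against the composition list. Likewise only 0x1070 reserves interface 2; a note that the mbim and ecm interfaces are excluded by the 0xff class match would explain the difference.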




* [PATCH 5.15 131/177] selinux: fix sleeping function called from invalid context
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 130/177] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 132/177] btrfs: fix memory leak in __add_inode_ref() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Scott Mayhew, Paul Moore

From: Scott Mayhew <smayhew@redhat.com>

commit cc274ae7763d9700a56659f3228641d7069e7a3f upstream.

selinux_sb_mnt_opts_compat() is called via sget_fc() under the sb_lock
spinlock, so it can't use GFP_KERNEL allocations:

[  868.565200] BUG: sleeping function called from invalid context at
               include/linux/sched/mm.h:230
[  868.568246] in_atomic(): 1, irqs_disabled(): 0,
               non_block: 0, pid: 4914, name: mount.nfs
[  868.569626] preempt_count: 1, expected: 0
[  868.570215] RCU nest depth: 0, expected: 0
[  868.570809] Preemption disabled at:
[  868.570810] [<0000000000000000>] 0x0
[  868.571848] CPU: 1 PID: 4914 Comm: mount.nfs Kdump: loaded
               Tainted: G        W         5.16.0-rc5.2585cf9dfa #1
[  868.573273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
               BIOS 1.14.0-4.fc34 04/01/2014
[  868.574478] Call Trace:
[  868.574844]  <TASK>
[  868.575156]  dump_stack_lvl+0x34/0x44
[  868.575692]  __might_resched.cold+0xd6/0x10f
[  868.576308]  slab_pre_alloc_hook.constprop.0+0x89/0xf0
[  868.577046]  __kmalloc_track_caller+0x72/0x420
[  868.577684]  ? security_context_to_sid_core+0x48/0x2b0
[  868.578569]  kmemdup_nul+0x22/0x50
[  868.579108]  security_context_to_sid_core+0x48/0x2b0
[  868.579854]  ? _nfs4_proc_pathconf+0xff/0x110 [nfsv4]
[  868.580742]  ? nfs_reconfigure+0x80/0x80 [nfs]
[  868.581355]  security_context_str_to_sid+0x36/0x40
[  868.581960]  selinux_sb_mnt_opts_compat+0xb5/0x1e0
[  868.582550]  ? nfs_reconfigure+0x80/0x80 [nfs]
[  868.583098]  security_sb_mnt_opts_compat+0x2a/0x40
[  868.583676]  nfs_compare_super+0x113/0x220 [nfs]
[  868.584249]  ? nfs_try_mount_request+0x210/0x210 [nfs]
[  868.584879]  sget_fc+0xb5/0x2f0
[  868.585267]  nfs_get_tree_common+0x91/0x4a0 [nfs]
[  868.585834]  vfs_get_tree+0x25/0xb0
[  868.586241]  fc_mount+0xe/0x30
[  868.586605]  do_nfs4_mount+0x130/0x380 [nfsv4]
[  868.587160]  nfs4_try_get_tree+0x47/0xb0 [nfsv4]
[  868.587724]  vfs_get_tree+0x25/0xb0
[  868.588193]  do_new_mount+0x176/0x310
[  868.588782]  __x64_sys_mount+0x103/0x140
[  868.589388]  do_syscall_64+0x3b/0x90
[  868.589935]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[  868.590699] RIP: 0033:0x7f2b371c6c4e
[  868.591239] Code: 48 8b 0d dd 71 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
                     0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00
                     00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d aa 71
                     0e 00 f7 d8 64 89 01 48
[  868.593810] RSP: 002b:00007ffc83775d88 EFLAGS: 00000246
               ORIG_RAX: 00000000000000a5
[  868.594691] RAX: ffffffffffffffda RBX: 00007ffc83775f10 RCX: 00007f2b371c6c4e
[  868.595504] RDX: 0000555d517247a0 RSI: 0000555d51724700 RDI: 0000555d51724540
[  868.596317] RBP: 00007ffc83775f10 R08: 0000555d51726890 R09: 0000555d51726890
[  868.597162] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555d51726890
[  868.598005] R13: 0000000000000003 R14: 0000555d517246e0 R15: 0000555d511ac925
[  868.598826]  </TASK>

Cc: stable@vger.kernel.org
Fixes: 69c4a42d72eb ("lsm,selinux: add new hook to compare new mount to an existing mount")
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
[PM: cleanup/line-wrap the backtrace]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 security/selinux/hooks.c |   33 +++++++++++++++++++--------------
 1 file changed, 19 insertions(+), 14 deletions(-)

--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -611,10 +611,11 @@ static int bad_option(struct superblock_
 	return 0;
 }
 
-static int parse_sid(struct super_block *sb, const char *s, u32 *sid)
+static int parse_sid(struct super_block *sb, const char *s, u32 *sid,
+		     gfp_t gfp)
 {
 	int rc = security_context_str_to_sid(&selinux_state, s,
-					     sid, GFP_KERNEL);
+					     sid, gfp);
 	if (rc)
 		pr_warn("SELinux: security_context_str_to_sid"
 		       "(%s) failed for (dev %s, type %s) errno=%d\n",
@@ -685,7 +686,8 @@ static int selinux_set_mnt_opts(struct s
 	 */
 	if (opts) {
 		if (opts->fscontext) {
-			rc = parse_sid(sb, opts->fscontext, &fscontext_sid);
+			rc = parse_sid(sb, opts->fscontext, &fscontext_sid,
+					GFP_KERNEL);
 			if (rc)
 				goto out;
 			if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid,
@@ -694,7 +696,8 @@ static int selinux_set_mnt_opts(struct s
 			sbsec->flags |= FSCONTEXT_MNT;
 		}
 		if (opts->context) {
-			rc = parse_sid(sb, opts->context, &context_sid);
+			rc = parse_sid(sb, opts->context, &context_sid,
+					GFP_KERNEL);
 			if (rc)
 				goto out;
 			if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid,
@@ -703,7 +706,8 @@ static int selinux_set_mnt_opts(struct s
 			sbsec->flags |= CONTEXT_MNT;
 		}
 		if (opts->rootcontext) {
-			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid);
+			rc = parse_sid(sb, opts->rootcontext, &rootcontext_sid,
+					GFP_KERNEL);
 			if (rc)
 				goto out;
 			if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid,
@@ -712,7 +716,8 @@ static int selinux_set_mnt_opts(struct s
 			sbsec->flags |= ROOTCONTEXT_MNT;
 		}
 		if (opts->defcontext) {
-			rc = parse_sid(sb, opts->defcontext, &defcontext_sid);
+			rc = parse_sid(sb, opts->defcontext, &defcontext_sid,
+					GFP_KERNEL);
 			if (rc)
 				goto out;
 			if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid,
@@ -2701,14 +2706,14 @@ static int selinux_sb_mnt_opts_compat(st
 		return (sbsec->flags & SE_MNTMASK) ? 1 : 0;
 
 	if (opts->fscontext) {
-		rc = parse_sid(sb, opts->fscontext, &sid);
+		rc = parse_sid(sb, opts->fscontext, &sid, GFP_NOWAIT);
 		if (rc)
 			return 1;
 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
 			return 1;
 	}
 	if (opts->context) {
-		rc = parse_sid(sb, opts->context, &sid);
+		rc = parse_sid(sb, opts->context, &sid, GFP_NOWAIT);
 		if (rc)
 			return 1;
 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
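Review bot: in selinux_sb_mnt_opts_compat(), a GFP_NOWAIT allocation failure inside parse_sid() now takes the same "return 1" path as a genuine context mismatch, so transient memory pressure is reported to the caller as incompatible mount options. GFP_NOWAIT fails far more readily than the GFP_KERNEL it replaces, and parse_sid() will also pr_warn() the -ENOMEM as a failed context conversion. Consider a short comment at these call sites saying that the hook runs in atomic context (preempt_count is 1 in the backtrace, under sget_fc()) and that an allocation failure is deliberately treated as "not compatible", so the next reader does not switch it back to GFP_KERNEL or mistake the warning for a bad context string.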
@@ -2718,14 +2723,14 @@ static int selinux_sb_mnt_opts_compat(st
 		struct inode_security_struct *root_isec;
 
 		root_isec = backing_inode_security(sb->s_root);
-		rc = parse_sid(sb, opts->rootcontext, &sid);
+		rc = parse_sid(sb, opts->rootcontext, &sid, GFP_NOWAIT);
 		if (rc)
 			return 1;
 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
 			return 1;
 	}
 	if (opts->defcontext) {
-		rc = parse_sid(sb, opts->defcontext, &sid);
+		rc = parse_sid(sb, opts->defcontext, &sid, GFP_NOWAIT);
 		if (rc)
 			return 1;
 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))
@@ -2748,14 +2753,14 @@ static int selinux_sb_remount(struct sup
 		return 0;
 
 	if (opts->fscontext) {
-		rc = parse_sid(sb, opts->fscontext, &sid);
+		rc = parse_sid(sb, opts->fscontext, &sid, GFP_KERNEL);
 		if (rc)
 			return rc;
 		if (bad_option(sbsec, FSCONTEXT_MNT, sbsec->sid, sid))
 			goto out_bad_option;
 	}
 	if (opts->context) {
-		rc = parse_sid(sb, opts->context, &sid);
+		rc = parse_sid(sb, opts->context, &sid, GFP_KERNEL);
 		if (rc)
 			return rc;
 		if (bad_option(sbsec, CONTEXT_MNT, sbsec->mntpoint_sid, sid))
@@ -2764,14 +2769,14 @@ static int selinux_sb_remount(struct sup
 	if (opts->rootcontext) {
 		struct inode_security_struct *root_isec;
 		root_isec = backing_inode_security(sb->s_root);
-		rc = parse_sid(sb, opts->rootcontext, &sid);
+		rc = parse_sid(sb, opts->rootcontext, &sid, GFP_KERNEL);
 		if (rc)
 			return rc;
 		if (bad_option(sbsec, ROOTCONTEXT_MNT, root_isec->sid, sid))
 			goto out_bad_option;
 	}
 	if (opts->defcontext) {
-		rc = parse_sid(sb, opts->defcontext, &sid);
+		rc = parse_sid(sb, opts->defcontext, &sid, GFP_KERNEL);
 		if (rc)
 			return rc;
 		if (bad_option(sbsec, DEFCONTEXT_MNT, sbsec->def_sid, sid))




* [PATCH 5.15 132/177] btrfs: fix memory leak in __add_inode_ref()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 131/177] selinux: fix sleeping function called from invalid context Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 133/177] btrfs: fix double free of anon_dev after failure to create subvolume Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Filipe Manana,
	Jianglei Nie, David Sterba

From: Jianglei Nie <niejianglei2021@163.com>

commit f35838a6930296fc1988764cfa54cb3f705c0665 upstream.

Line 1169 (#3) allocates a memory chunk for victim_name by kmalloc(),
but when the function returns in line 1184 (#4) victim_name allocated
by line 1169 (#3) is not freed, which will lead to a memory leak.
There is a similar snippet of code in this function as allocating a memory
chunk for victim_name in line 1104 (#1) as well as releasing the memory
in line 1116 (#2).

We should kfree() victim_name when the return value of backref_in_log()
is less than zero and before the function returns in line 1184 (#4).

1057 static inline int __add_inode_ref(struct btrfs_trans_handle *trans,
1058 				  struct btrfs_root *root,
1059 				  struct btrfs_path *path,
1060 				  struct btrfs_root *log_root,
1061 				  struct btrfs_inode *dir,
1062 				  struct btrfs_inode *inode,
1063 				  u64 inode_objectid, u64 parent_objectid,
1064 				  u64 ref_index, char *name, int namelen,
1065 				  int *search_done)
1066 {

1104 	victim_name = kmalloc(victim_name_len, GFP_NOFS);
	// #1: kmalloc (victim_name-1)
1105 	if (!victim_name)
1106 		return -ENOMEM;

1112	ret = backref_in_log(log_root, &search_key,
1113			parent_objectid, victim_name,
1114			victim_name_len);
1115	if (ret < 0) {
1116		kfree(victim_name); // #2: kfree (victim_name-1)
1117		return ret;
1118	} else if (!ret) {

1169 	victim_name = kmalloc(victim_name_len, GFP_NOFS);
	// #3: kmalloc (victim_name-2)
1170 	if (!victim_name)
1171 		return -ENOMEM;

1180 	ret = backref_in_log(log_root, &search_key,
1181 			parent_objectid, victim_name,
1182 			victim_name_len);
1183 	if (ret < 0) {
1184 		return ret; // #4: missing kfree (victim_name-2)
1185 	} else if (!ret) {

1241 	return 0;
1242 }

Fixes: d3316c8233bb ("btrfs: Properly handle backref_in_log retval")
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Jianglei Nie <niejianglei2021@163.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/tree-log.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -1153,6 +1153,7 @@ again:
 					     parent_objectid, victim_name,
 					     victim_name_len);
 			if (ret < 0) {
+				kfree(victim_name);
 				return ret;
 			} else if (!ret) {
 				ret = -ENOENT;
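Review bot: the kfree(victim_name) added in the "ret < 0" branch is now the second hand-written copy of the same cleanup in __add_inode_ref() (the commit message points at the first one, #2), which is how this leak got in when one copy was missed. A single exit label that frees victim_name, reached with goto from both backref_in_log() error checks, would keep the two paths from drifting apart again; it is also worth confirming from the full function that every other early return after the second kmalloc() frees the buffer.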




* [PATCH 5.15 133/177] btrfs: fix double free of anon_dev after failure to create subvolume
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 132/177] btrfs: fix memory leak in __add_inode_ref() Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 134/177] btrfs: check WRITE_ERR when trying to read an extent buffer Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Filipe Manana, David Sterba

From: Filipe Manana <fdmanana@suse.com>

commit 33fab972497ae66822c0b6846d4f9382938575b6 upstream.

When creating a subvolume, at create_subvol(), we allocate an anonymous
device and later call btrfs_get_new_fs_root(), which in turn just calls
btrfs_get_root_ref(). There we call btrfs_init_fs_root() which assigns
the anonymous device to the root, but if after that call there's an error,
when we jump to 'fail' label, we call btrfs_put_root(), which frees the
anonymous device and then returns an error that is propagated back to
create_subvol(). Then create_subvol() frees the anonymous device again.

When this happens, if the anonymous device was not reallocated after
the first time it was freed with btrfs_put_root(), we get a kernel
message like the following:

  (...)
  [13950.282466] BTRFS: error (device dm-0) in create_subvol:663: errno=-5 IO failure
  [13950.283027] ida_free called for id=65 which is not allocated.
  [13950.285974] BTRFS info (device dm-0): forced readonly
  (...)

If the anonymous device gets reallocated by another btrfs filesystem
or any other kernel subsystem, then bad things can happen.

So fix this by setting the root's anonymous device to 0 at
btrfs_get_root_ref(), before we call btrfs_put_root(), if an error
happened.

Fixes: 2dfb1e43f57dd3 ("btrfs: preallocate anon block device at first phase of snapshot creation")
CC: stable@vger.kernel.org # 5.10+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -1731,6 +1731,14 @@ again:
 	}
 	return root;
 fail:
+	/*
+	 * If our caller provided us an anonymous device, then it's his
+	 * responsability to free it in case we fail. So we have to set our
+	 * root's anon_dev to 0 to avoid a double free, once by btrfs_put_root()
+	 * and once again by our caller.
+	 */
+	if (anon_dev)
+		root->anon_dev = 0;
 	btrfs_put_root(root);
 	return ERR_PTR(ret);
 }
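Review bot: the ownership rule for anon_dev (the caller frees it when this function fails) is documented only inside the fail: path, where callers will not look for it. Please state it in the function's header comment as well, so a new caller knows it must release the device on error and must not do so on success. In the added comment, "responsability" should be "responsibility", and "the caller's" reads better than "his". It would also help to say why zeroing is keyed on the anon_dev argument rather than on root->anon_dev, since that distinction between a caller-supplied device and one allocated internally is what prevents the double free.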




* [PATCH 5.15 134/177] btrfs: check WRITE_ERR when trying to read an extent buffer
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 133/177] btrfs: fix double free of anon_dev after failure to create subvolume Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 135/177] btrfs: fix missing blkdev_put() call in btrfs_scan_one_device() Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Filipe Manana, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 651740a502411793327e2f0741104749c4eedcd1 upstream.

Filipe reported a hang when we have errors on btrfs.  This turned out to
be a side-effect of my fix c2e39305299f01 ("btrfs: clear extent buffer
uptodate when we fail to write it") which made it so we clear
EXTENT_BUFFER_UPTODATE on an eb when we fail to write it out.

Below is a paste of Filipe's analysis he got from using drgn to debug
the hang

"""
btree readahead code calls read_extent_buffer_pages(), sets ->io_pages to
a value while writeback of all pages has not yet completed:
   --> writeback for the first 3 pages finishes, we clear
       EXTENT_BUFFER_UPTODATE from eb on the first page when we get an
       error.
   --> at this point eb->io_pages is 1 and we cleared Uptodate bit from the
       first 3 pages
   --> read_extent_buffer_pages() does not see EXTENT_BUFFER_UPTODATE() so
       it continues, it's able to lock the pages since we obviously don't
       hold the pages locked during writeback
   --> read_extent_buffer_pages() then computes 'num_reads' as 3, and sets
       eb->io_pages to 3, since only the first page does not have Uptodate
       bit set at this point
   --> writeback for the remaining page completes, we ended decrementing
       eb->io_pages by 1, resulting in eb->io_pages == 2, and therefore
       never calling end_extent_buffer_writeback(), so
       EXTENT_BUFFER_WRITEBACK remains in the eb's flags
   --> of course, when the read bio completes, it doesn't and shouldn't
       call end_extent_buffer_writeback()
   --> we should clear EXTENT_BUFFER_UPTODATE only after all pages of
       the eb finished writeback?  or maybe make the read pages code
       wait for writeback of all pages of the eb to complete before
       checking which pages need to be read, touch ->io_pages, submit
       read bio, etc

writeback bit never cleared means we can hang when aborting a
transaction, at:

    btrfs_cleanup_one_transaction()
       btrfs_destroy_marked_extents()
         wait_on_extent_buffer_writeback()
"""

This is a problem because our writes are not synchronized with reads in
any way.  We clear the UPTODATE flag and then we can easily come in and
try to read the EB while we're still waiting on other bio's to
complete.

We have two options here, we could lock all the pages, and then check to
see if eb->io_pages != 0 to know if we've already got an outstanding
write on the eb.

Or we can simply check to see if we have WRITE_ERR set on this extent
buffer.  We set this bit _before_ we clear UPTODATE, so if the read gets
triggered because we aren't UPTODATE because of a write error we're
guaranteed to have WRITE_ERR set, and in this case we can simply return
-EIO.  This will fix the reported hang.

Reported-by: Filipe Manana <fdmanana@suse.com>
Fixes: c2e39305299f01 ("btrfs: clear extent buffer uptodate when we fail to write it")
CC: stable@vger.kernel.org # 5.4+
Reviewed-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/extent_io.c |    8 ++++++++
 1 file changed, 8 insertions(+)

--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -6547,6 +6547,14 @@ int read_extent_buffer_pages(struct exte
 	if (test_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags))
 		return 0;
 
+	/*
+	 * We could have had EXTENT_BUFFER_UPTODATE cleared by the write
+	 * operation, which could potentially still be in flight.  In this case
+	 * we simply want to return an error.
+	 */
+	if (unlikely(test_bit(EXTENT_BUFFER_WRITE_ERR, &eb->bflags)))
+		return -EIO;
+
 	if (eb->fs_info->sectorsize < PAGE_SIZE)
 		return read_extent_buffer_subpage(eb, wait, mirror_num);
 
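Review bot: the new EXTENT_BUFFER_WRITE_ERR test in read_extent_buffer_pages() is only correct because the write path sets WRITE_ERR before it clears EXTENT_BUFFER_UPTODATE, and the added comment does not mention that ordering. The commit message states the invariant; the code comment should too, together with what guarantees that a reader which sees UPTODATE cleared also sees WRITE_ERR set, given that the two test_bit() calls here are plain unordered reads. It would also be useful to note when WRITE_ERR is cleared again, because until then every read of this eb returns -EIO from this check.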




* [PATCH 5.15 135/177] btrfs: fix missing blkdev_put() call in btrfs_scan_one_device()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 134/177] btrfs: check WRITE_ERR when trying to read an extent buffer Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 136/177] zonefs: add MODULE_ALIAS_FS Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Shinichiro Kawasaki,
	David Sterba

From: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>

commit 4989d4a0aed3fb30f5b48787a689d7090de6f86d upstream.

The function btrfs_scan_one_device() calls blkdev_get_by_path() and
blkdev_put() to get and release its target block device. However, when
btrfs_sb_log_location_bdev() fails, blkdev_put() is not called and the
block device is left without clean up. This triggered failure of fstests
generic/085. Fix the failure path of btrfs_sb_log_location_bdev() to
call blkdev_put().

Fixes: 12659251ca5df ("btrfs: implement log-structured superblock for ZONED mode")
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Shin'ichiro Kawasaki <shinichiro.kawasaki@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/volumes.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1366,8 +1366,10 @@ struct btrfs_device *btrfs_scan_one_devi
 
 	bytenr_orig = btrfs_sb_offset(0);
 	ret = btrfs_sb_log_location_bdev(bdev, 0, READ, &bytenr);
-	if (ret)
-		return ERR_PTR(ret);
+	if (ret) {
+		device = ERR_PTR(ret);
+		goto error_bdev_put;
+	}
 
 	disk_super = btrfs_read_disk_super(bdev, bytenr, bytenr_orig);
 	if (IS_ERR(disk_super)) {
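Review bot: the new failure branch after btrfs_sb_log_location_bdev() jumps to error_bdev_put, a label outside this hunk, so the patch cannot be checked from these lines alone. Please confirm that the label does nothing except blkdev_put() and "return device", because disk_super has not been assigned yet at this point and must not be released on this path. A brief comment at the label listing which resources are held when it is reached would make the next early return harder to get wrong.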




* [PATCH 5.15 136/177] zonefs: add MODULE_ALIAS_FS
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 135/177] btrfs: fix missing blkdev_put() call in btrfs_scan_one_device() Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 137/177] iocost: Fix divide-by-zero on donation from low hweight cgroup Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Naohiro Aota, Johannes Thumshirn,
	Damien Le Moal

From: Naohiro Aota <naohiro.aota@wdc.com>

commit 8ffea2599f63fdbee968b894eab78170abf3ec2c upstream.

Add MODULE_ALIAS_FS() to load the module automatically when you do "mount
-t zonefs".

Fixes: 8dcc1a9d90c1 ("fs: New zonefs file system")
Cc: stable <stable@vger.kernel.org> # 5.6+
Signed-off-by: Naohiro Aota <naohiro.aota@wdc.com>
Reviewed-by: Johannes Thumshirn <jth@kernel.org>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/zonefs/super.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/zonefs/super.c
+++ b/fs/zonefs/super.c
@@ -1787,5 +1787,6 @@ static void __exit zonefs_exit(void)
 MODULE_AUTHOR("Damien Le Moal");
 MODULE_DESCRIPTION("Zone file system for zoned block devices");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS_FS("zonefs");
 module_init(zonefs_init);
 module_exit(zonefs_exit);




* [PATCH 5.15 137/177] iocost: Fix divide-by-zero on donation from low hweight cgroup
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 136/177] zonefs: add MODULE_ALIAS_FS Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 138/177] serial: 8250_fintek: Fix garbled text for console Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Tejun Heo, Jens Axboe

From: Tejun Heo <tj@kernel.org>

commit edaa26334c117a584add6053f48d63a988d25a6e upstream.

The donation calculation logic assumes that the donor has non-zero
after-donation hweight, so the lowest active hweight a donating cgroup can
have is 2 so that it can donate 1 while keeping the other 1 for itself.
Earlier, we only donated from cgroups with sizable surpluses so this
condition was always true. However, with the precise donation algorithm
implemented, f1de2439ec43 ("blk-iocost: revamp donation amount
determination") made the donation amount calculation exact enabling even low
hweight cgroups to donate.

This means that in rare occasions, a cgroup with active hweight of 1 can
enter donation calculation triggering the following warning and then a
divide-by-zero oops.

 WARNING: CPU: 4 PID: 0 at block/blk-iocost.c:1928 transfer_surpluses.cold+0x0/0x53 [884/94867]
 ...
 RIP: 0010:transfer_surpluses.cold+0x0/0x53
 Code: 92 ff 48 c7 c7 28 d1 ab b5 65 48 8b 34 25 00 ae 01 00 48 81 c6 90 06 00 00 e8 8b 3f fe ff 48 c7 c0 ea ff ff ff e9 95 ff 92 ff <0f> 0b 48 c7 c7 30 da ab b5 e8 71 3f fe ff 4c 89 e8 4d 85 ed 74 0
4
 ...
 Call Trace:
  <IRQ>
  ioc_timer_fn+0x1043/0x1390
  call_timer_fn+0xa1/0x2c0
  __run_timers.part.0+0x1ec/0x2e0
  run_timer_softirq+0x35/0x70
 ...
 iocg: invalid donation weights in /a/b: active=1 donating=1 after=0

Fix it by excluding cgroups w/ active hweight < 2 from donating. Excluding
these extreme low hweight donations shouldn't affect work conservation in
any meaningful way.

Signed-off-by: Tejun Heo <tj@kernel.org>
Fixes: f1de2439ec43 ("blk-iocost: revamp donation amount determination")
Cc: stable@vger.kernel.org # v5.10+
Link: https://lore.kernel.org/r/Ybfh86iSvpWKxhVM@slm.duckdns.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 block/blk-iocost.c |    9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -2311,7 +2311,14 @@ static void ioc_timer_fn(struct timer_li
 			hwm = current_hweight_max(iocg);
 			new_hwi = hweight_after_donation(iocg, old_hwi, hwm,
 							 usage, &now);
-			if (new_hwi < hwm) {
+			/*
+			 * Donation calculation assumes hweight_after_donation
+			 * to be positive, a condition that a donor w/ hwa < 2
+			 * can't meet. Don't bother with donation if hwa is
+			 * below 2. It's not gonna make a meaningful difference
+			 * anyway.
+			 */
+			if (new_hwi < hwm && hwa >= 2) {
 				iocg->hweight_donating = hwa;
 				iocg->hweight_after_donation = new_hwi;
 				list_add(&iocg->surplus_list, &surpluses);
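Review bot: in ioc_timer_fn() the "hwa >= 2" guard is evaluated only after hweight_after_donation() has already run for the cgroup, so a donor that can never donate still pays for the calculation and its result is discarded. Testing hwa before the call (or skipping the iocg earlier) would express the intent more directly. The bare 2 is explained by the comment, but a named constant shared with the sanity check that emits the "invalid donation weights" warning would keep the two conditions from diverging.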




* [PATCH 5.15 138/177] serial: 8250_fintek: Fix garbled text for console
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 137/177] iocost: Fix divide-by-zero on donation from low hweight cgroup Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 139/177] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ji-Ze Hong (Peter Hong)

From: Ji-Ze Hong (Peter Hong) <hpeter@gmail.com>

commit 6c33ff728812aa18792afffaf2c9873b898e7512 upstream.

Commit fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
introduced support for using a high baud rate with Fintek SuperIO UARTs. It'll
change clocksources when the UART is probed.

But when the user adds the kernel parameter "console=ttyS0,115200 console=tty0"
to make the UART the console output, the console will output garbled text after
the following kernel message.

[    3.681188] Serial: 8250/16550 driver, 32 ports, IRQ sharing enabled

The issue occurs in the following step:
	probe_setup_port() -> fintek_8250_goto_highspeed()

It changes the clocksource from 115200 to 921600 at the wrong time; it should
change the clocksource in set_termios(), not when probed. The following 3 patches
implement the clocksource change in fintek_8250_set_termios().

Commit 58178914ae5b ("serial: 8250_fintek: UART dynamic clocksource on Fintek F81216H")
Commit 195638b6d44f ("serial: 8250_fintek: UART dynamic clocksource on Fintek F81866")
Commit 423d9118c624 ("serial: 8250_fintek: Add F81966 Support")

Since the high baud rate is already implemented by the above 3 patches and
commit fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
is buggy, this patch removes it.

Fixes: fab8a02b73eb ("serial: 8250_fintek: Enable high speed mode on Fintek F81866")
Signed-off-by: Ji-Ze Hong (Peter Hong) <hpeter+linux_kernel@gmail.com>
Link: https://lore.kernel.org/r/20211215075835.2072-1-hpeter+linux_kernel@gmail.com
Cc: stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_fintek.c |   20 --------------------
 1 file changed, 20 deletions(-)

--- a/drivers/tty/serial/8250/8250_fintek.c
+++ b/drivers/tty/serial/8250/8250_fintek.c
@@ -290,25 +290,6 @@ static void fintek_8250_set_max_fifo(str
 	}
 }
 
-static void fintek_8250_goto_highspeed(struct uart_8250_port *uart,
-			      struct fintek_8250 *pdata)
-{
-	sio_write_reg(pdata, LDN, pdata->index);
-
-	switch (pdata->pid) {
-	case CHIP_ID_F81966:
-	case CHIP_ID_F81866: /* set uart clock for high speed serial mode */
-		sio_write_mask_reg(pdata, F81866_UART_CLK,
-			F81866_UART_CLK_MASK,
-			F81866_UART_CLK_14_769MHZ);
-
-		uart->port.uartclk = 921600 * 16;
-		break;
-	default: /* leave clock speed untouched */
-		break;
-	}
-}
-
 static void fintek_8250_set_termios(struct uart_port *port,
 				    struct ktermios *termios,
 				    struct ktermios *old)
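Review bot: removing fintek_8250_goto_highspeed() drops one user of F81866_UART_CLK, F81866_UART_CLK_MASK and F81866_UART_CLK_14_769MHZ, and the diffstat shows no other change in the file. Please confirm these macros are still referenced from fintek_8250_set_termios(); if not, the defines should go in the same patch. Since the probe path no longer sets uart->port.uartclk, a one-line comment in probe_setup_port() saying that the clock is selected per baud rate in set_termios() would stop someone from reintroducing a probe-time switch that breaks an already active console.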
@@ -430,7 +411,6 @@ static int probe_setup_port(struct finte
 
 				fintek_8250_set_irq_mode(pdata, level_mode);
 				fintek_8250_set_max_fifo(pdata);
-				fintek_8250_goto_highspeed(uart, pdata);
 
 				fintek_8250_exit_key(addr[i]);
 




* [PATCH 5.15 139/177] timekeeping: Really make sure wall_to_monotonic isnt positive
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 138/177] serial: 8250_fintek: Fix garbled text for console Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 140/177] cifs: sanitize multiple delimiters in prepath Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Liao, Thomas Gleixner

From: Yu Liao <liaoyu15@huawei.com>

commit 4e8c11b6b3f0b6a283e898344f154641eda94266 upstream.

Even after commit e1d7ba873555 ("time: Always make sure wall_to_monotonic
isn't positive") it is still possible to make wall_to_monotonic positive
by running the following code:

    #include <time.h>

    int main(void)
    {
        struct timespec time;

        clock_gettime(CLOCK_MONOTONIC, &time);
        time.tv_nsec = 0;
        clock_settime(CLOCK_REALTIME, &time);
        return 0;
    }

The reason is that the second parameter of timespec64_compare(), ts_delta,
may be unnormalized because the delta is calculated with an open coded
subtraction which causes the comparison of tv_sec to yield the wrong
result:

  wall_to_monotonic = { .tv_sec = -10, .tv_nsec =  900000000 }
  ts_delta 	    = { .tv_sec =  -9, .tv_nsec = -900000000 }

That makes timespec64_compare() claim that wall_to_monotonic < ts_delta,
but actually the result should be wall_to_monotonic > ts_delta.

After normalization, the result of timespec64_compare() is correct because
the tv_sec comparison is no longer misleading:

  wall_to_monotonic = { .tv_sec = -10, .tv_nsec =  900000000 }
  ts_delta 	    = { .tv_sec = -10, .tv_nsec =  100000000 }

Use timespec64_sub() to ensure that ts_delta is normalized, which fixes the
issue.

Fixes: e1d7ba873555 ("time: Always make sure wall_to_monotonic isn't positive")
Signed-off-by: Yu Liao <liaoyu15@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211213135727.1656662-1-liaoyu15@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/time/timekeeping.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/kernel/time/timekeeping.c
+++ b/kernel/time/timekeeping.c
@@ -1306,8 +1306,7 @@ int do_settimeofday64(const struct times
 	timekeeping_forward_now(tk);
 
 	xt = tk_xtime(tk);
-	ts_delta.tv_sec = ts->tv_sec - xt.tv_sec;
-	ts_delta.tv_nsec = ts->tv_nsec - xt.tv_nsec;
+	ts_delta = timespec64_sub(*ts, xt);
 
 	if (timespec64_compare(&tk->wall_to_monotonic, &ts_delta) > 0) {
 		ret = -EINVAL;
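Review bot: the timespec64_sub() line in do_settimeofday64() carries no comment saying that the timespec64_compare() call right below it is only valid on a normalized ts_delta. The previous fix for the same check was defeated by exactly this, so a one-line comment such as "must be normalized for timespec64_compare()" above the assignment would keep the subtraction from being open-coded again. A selftest built from the reproducer in the commit message would also pin the behaviour down.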


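A user-space model of the comparison described in this commit message, added here as an illustration and not taken from the patch or the kernel tree. struct ts64 and the ts64_* helpers are stand-ins (assumptions) for struct timespec64, timespec64_compare() and timespec64_sub(); the xtime and new-time values are constructed so that the deltas match the two structs quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000LL

/* User-space stand-in for the kernel's struct timespec64 (assumption). */
struct ts64 {
	int64_t tv_sec;
	int64_t tv_nsec;
};

/*
 * Seconds decide first; nanoseconds are only a tie-breaker. This is a valid
 * ordering only when both operands have 0 <= tv_nsec < NSEC_PER_SEC.
 */
static int ts64_compare(const struct ts64 *lhs, const struct ts64 *rhs)
{
	if (lhs->tv_sec != rhs->tv_sec)
		return lhs->tv_sec < rhs->tv_sec ? -1 : 1;
	if (lhs->tv_nsec != rhs->tv_nsec)
		return lhs->tv_nsec < rhs->tv_nsec ? -1 : 1;
	return 0;
}

/* Field-by-field subtraction, as in the removed lines: tv_nsec may go negative. */
static struct ts64 ts64_sub_open_coded(struct ts64 a, struct ts64 b)
{
	struct ts64 d = { a.tv_sec - b.tv_sec, a.tv_nsec - b.tv_nsec };

	return d;
}

/* Subtraction followed by normalization into 0 <= tv_nsec < NSEC_PER_SEC. */
static struct ts64 ts64_sub_normalized(struct ts64 a, struct ts64 b)
{
	struct ts64 d = ts64_sub_open_coded(a, b);

	while (d.tv_nsec >= NSEC_PER_SEC) {
		d.tv_nsec -= NSEC_PER_SEC;
		d.tv_sec++;
	}
	while (d.tv_nsec < 0) {
		d.tv_nsec += NSEC_PER_SEC;
		d.tv_sec--;
	}
	return d;
}

/*
 * The guard from the hunk: the new wall time must be refused when
 * wall_to_monotonic > (new_time - xtime), because accepting it would
 * leave wall_to_monotonic positive.
 */
static int settime_rejected(struct ts64 wtm, struct ts64 new_time,
			    struct ts64 xtime, int normalize)
{
	struct ts64 delta = normalize ? ts64_sub_normalized(new_time, xtime)
				      : ts64_sub_open_coded(new_time, xtime);

	return ts64_compare(&wtm, &delta) > 0;
}

/*
 * Constructed values: xtime + wall_to_monotonic gives a monotonic clock of
 * 91.8 s, and the reproducer sets the wall clock to that value with
 * tv_nsec zeroed, i.e. 91.0 s.
 */
static const struct ts64 WTM      = { -10, 900000000 };
static const struct ts64 XTIME    = { 100, 900000000 };
static const struct ts64 NEW_TIME = {  91, 0 };

int main(void)
{
	struct ts64 raw = ts64_sub_open_coded(NEW_TIME, XTIME);
	struct ts64 norm = ts64_sub_normalized(NEW_TIME, XTIME);

	printf("open-coded delta: { %lld, %lld } rejected=%d\n",
	       (long long)raw.tv_sec, (long long)raw.tv_nsec,
	       settime_rejected(WTM, NEW_TIME, XTIME, 0));
	printf("normalized delta: { %lld, %lld } rejected=%d\n",
	       (long long)norm.tv_sec, (long long)norm.tv_nsec,
	       settime_rejected(WTM, NEW_TIME, XTIME, 1));
	return 0;
}
```

Both deltas represent -9.9 s; only the normalized form lets the seconds-first comparison see that wall_to_monotonic (-9.1 s) is the larger value and refuse the update.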


* [PATCH 5.15 140/177] cifs: sanitize multiple delimiters in prepath
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 139/177] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 141/177] locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner() Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ronnie Sahlberg,
	Thiago Rafael Becker, Steve French

From: Thiago Rafael Becker <trbecker@gmail.com>

commit a31080899d5fdafcccf7f39dd214a814a2c82626 upstream.

mount.cifs can pass a device with multiple delimiters in it. This will
cause rename(2) to fail with ENOENT.

V2:
  - Make sanitize_path more readable.
  - Fix multiple delimiters between UNC and prepath.
  - Avoid a memory leak if a bad user starts putting a lot of delimiters
    in the path on purpose.

BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2031200
Fixes: 24e0a1eff9e2 ("cifs: switch to new mount api")
Cc: stable@vger.kernel.org # 5.11+
Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Thiago Rafael Becker <trbecker@gmail.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/cifs/fs_context.c |   38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

--- a/fs/cifs/fs_context.c
+++ b/fs/cifs/fs_context.c
@@ -432,6 +432,42 @@ out:
 }
 
 /*
+ * Remove duplicate path delimiters. Windows is supposed to do that
+ * but there are some bugs that prevent rename from working if there are
+ * multiple delimiters.
+ *
+ * Returns a sanitized duplicate of @path. The caller is responsible for
+ * cleaning up the original.
+ */
+#define IS_DELIM(c) ((c) == '/' || (c) == '\\')
+static char *sanitize_path(char *path)
+{
+	char *cursor1 = path, *cursor2 = path;
+
+	/* skip all prepended delimiters */
+	while (IS_DELIM(*cursor1))
+		cursor1++;
+
+	/* copy the first letter */
+	*cursor2 = *cursor1;
+
+	/* copy the remainder... */
+	while (*(cursor1++)) {
+		/* ... skipping all duplicated delimiters */
+		if (IS_DELIM(*cursor1) && IS_DELIM(*cursor2))
+			continue;
+		*(++cursor2) = *cursor1;
+	}
+
+	/* if the last character is a delimiter, skip it */
+	if (IS_DELIM(*(cursor2 - 1)))
+		cursor2--;
+
+	*(cursor2) = '\0';
+	return kstrdup(path, GFP_KERNEL);
+}
+
+/*
  * Parse a devname into substrings and populate the ctx->UNC and ctx->prepath
  * fields with the result. Returns 0 on success and an error otherwise
  * (e.g. ENOMEM or EINVAL)
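Review bot: the trailing-delimiter check in sanitize_path(), `if (IS_DELIM(*(cursor2 - 1)))`, dereferences one byte before @path when the input consists only of delimiters. In that case the first loop advances cursor1 to the NUL, `*cursor2 = *cursor1` stores the NUL at path[0], the copy loop never runs, and cursor2 still equals path, so `cursor2 - 1` points outside the string that was passed in; if that byte happens to be a delimiter the function also writes '\0' there. Guarding the check with `cursor2 > path` would close this. The header comment should also say that @path is rewritten in place, since it currently only describes the returned duplicate.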
@@ -490,7 +526,7 @@ smb3_parse_devname(const char *devname,
 	if (!*pos)
 		return 0;
 
-	ctx->prepath = kstrdup(pos, GFP_KERNEL);
+	ctx->prepath = sanitize_path(pos);
 	if (!ctx->prepath)
 		return -ENOMEM;
 
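Review bot: the `if (!*pos) return 0;` guard above only catches an empty pos; a pos made up entirely of delimiters passes it, and sanitize_path() then returns a duplicate of the empty string, so ctx->prepath ends up as "" instead of being left unset. Suggest checking the result and treating an empty sanitized path like the `!*pos` case (free it and return 0). sanitize_path() also writes through its argument, so pos must point at memory this function is allowed to modify, which is worth stating given that devname is declared const in the signature shown in the hunk header.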




* [PATCH 5.15 141/177] locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 140/177] cifs: sanitize multiple delimiters in prepath Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 142/177] riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zqiang, Thomas Gleixner

From: Zqiang <qiang1.zhang@intel.com>

commit 8f556a326c93213927e683fc32bbf5be1b62540a upstream.

Optimistic spinning needs to be terminated when the spinning waiter is no
longer the top waiter on the lock, but the condition is negated. It
terminates if the waiter is the top waiter, which is defeating the whole
purpose.

Fixes: c3123c431447 ("locking/rtmutex: Dont dereference waiter lockless")
Signed-off-by: Zqiang <qiang1.zhang@intel.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20211217074207.77425-1-qiang1.zhang@intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/locking/rtmutex.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/locking/rtmutex.c
+++ b/kernel/locking/rtmutex.c
@@ -1373,7 +1373,7 @@ static bool rtmutex_spin_on_owner(struct
 		 *  - the VCPU on which owner runs is preempted
 		 */
 		if (!owner->on_cpu || need_resched() ||
-		    rt_mutex_waiter_is_top_waiter(lock, waiter) ||
+		    !rt_mutex_waiter_is_top_waiter(lock, waiter) ||
 		    vcpu_is_preempted(task_cpu(owner))) {
 			res = false;
 			break;




* [PATCH 5.15 142/177] riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 141/177] locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner() Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 143/177] riscv: dts: unmatched: " Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bin Meng, Palmer Dabbelt

From: Bin Meng <bin.meng@windriver.com>

commit 6331b8765cd0634a4e4cdcc1a6f1a74196616b94 upstream.

Per HiFive Unleashed schematics, the card detect signal of the
micro SD card is connected to gpio pin #11, which should be
reflected in the DT via the <gpios> property, as described in
Documentation/devicetree/bindings/mmc/mmc-spi-slot.txt.

[1] https://sifive.cdn.prismic.io/sifive/c52a8e32-05ce-4aaf-95c8-7bf8453f8698_hifive-unleashed-a00-schematics-1.pdf

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Fixes: d573b5558abb ("riscv: dts: add initial board data for the SiFive HiFive Unmatched")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts |    1 +
 1 file changed, 1 insertion(+)

--- a/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts
+++ b/arch/riscv/boot/dts/sifive/hifive-unleashed-a00.dts
@@ -80,6 +80,7 @@
 		spi-max-frequency = <20000000>;
 		voltage-ranges = <3300 3300>;
 		disable-wp;
+		gpios = <&gpio 11 GPIO_ACTIVE_LOW>;
 	};
 };
 
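Review bot: GPIO_ACTIVE_LOW in the added `gpios = <&gpio 11 GPIO_ACTIVE_LOW>;` line is a macro from dt-bindings/gpio/gpio.h, and this patch adds no include, whereas the matching Unmatched patch (143/177) adds `#include <dt-bindings/gpio/gpio.h>` in the same change. Please confirm hifive-unleashed-a00.dts already includes that header in 5.15.y, otherwise the .dts will not build. The Fixes: tag also cites the commit that added the HiFive Unmatched board data, which does not look like the commit that introduced this Unleashed file.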




* [PATCH 5.15 143/177] riscv: dts: unmatched: Add gpio card detect to mmc-spi-slot
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 142/177] riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 144/177] perf inject: Fix segfault due to close without open Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Bin Meng, Palmer Dabbelt

From: Bin Meng <bin.meng@windriver.com>

commit 298d03c2d7f1b5daacb6d4f4053fd3d677d67087 upstream.

Per HiFive Unmatched schematics, the card detect signal of the
micro SD card is connected to gpio pin #15, which should be
reflected in the DT via the <gpios> property, as described in
Documentation/devicetree/bindings/mmc/mmc-spi-slot.txt.

[1] https://sifive.cdn.prismic.io/sifive/6a06d6c0-6e66-49b5-8e9e-e68ce76f4192_hifive-unmatched-schematics-v3.pdf

Signed-off-by: Bin Meng <bin.meng@windriver.com>
Fixes: d573b5558abb ("riscv: dts: add initial board data for the SiFive HiFive Unmatched")
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
+++ b/arch/riscv/boot/dts/sifive/hifive-unmatched-a00.dts
@@ -2,6 +2,7 @@
 /* Copyright (c) 2020 SiFive, Inc */
 
 #include "fu740-c000.dtsi"
+#include <dt-bindings/gpio/gpio.h>
 #include <dt-bindings/interrupt-controller/irq.h>
 
 /* Clock frequency (in Hz) of the PCB crystal for rtcclk */
@@ -228,6 +229,7 @@
 		spi-max-frequency = <20000000>;
 		voltage-ranges = <3300 3300>;
 		disable-wp;
+		gpios = <&gpio 15 GPIO_ACTIVE_LOW>;
 	};
 };
 




* [PATCH 5.15 144/177] perf inject: Fix segfault due to close without open
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 143/177] riscv: dts: unmatched: " Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 145/177] perf inject: Fix segfault due to perf_data__fd() " Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter,
	Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim,
	Riccardo Mancini

From: Adrian Hunter <adrian.hunter@intel.com>

commit 0c8e32fe48f549eef27c8c6b0a63530f83c3a643 upstream.

The fixed commit attempts to close inject.output even if it was never
opened e.g.

  $ perf record uname
  Linux
  [ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
  $ perf inject -i perf.data --vm-time-correlation=dry-run
  Segmentation fault (core dumped)
  $ gdb --quiet perf
  Reading symbols from perf...
  (gdb) r inject -i perf.data --vm-time-correlation=dry-run
  Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
  48      iofclose.c: No such file or directory.
  (gdb) bt
  #0  0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
  #1  0x0000557fc7b74f92 in perf_data__close (data=data@entry=0x7ffcdafa6578) at util/data.c:376
  #2  0x0000557fc7a6b807 in cmd_inject (argc=<optimized out>, argv=<optimized out>) at builtin-inject.c:1085
  #3  0x0000557fc7ac4783 in run_builtin (p=0x557fc8074878 <commands+600>, argc=4, argv=0x7ffcdafb6a60) at perf.c:313
  #4  0x0000557fc7a25d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
  #5  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
  #6  main (argc=4, argv=0x7ffcdafb6a60) at perf.c:539
  (gdb)

Fixes: 02e6246f5364d526 ("perf inject: Close inject.output on exit")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Riccardo Mancini <rickyman7@gmail.com>
Cc: stable@vger.kernel.org
Link: http://lore.kernel.org/lkml/20211213084829.114772-2-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/builtin-inject.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/tools/perf/builtin-inject.c
+++ b/tools/perf/builtin-inject.c
@@ -1069,7 +1069,8 @@ out_delete:
 	zstd_fini(&(inject.session->zstd_data));
 	perf_session__delete(inject.session);
 out_close_output:
-	perf_data__close(&inject.output);
+	if (!inject.in_place_update)
+		perf_data__close(&inject.output);
 	free(inject.itrace_synth_opts.vm_tm_corr_args);
 	return ret;
 }
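Review bot: the new guard at out_close_output keys on `inject.in_place_update` rather than on whether inject.output was actually opened, so it only covers the one configuration from the report. The backtrace in the commit message shows perf_data__close() handing a NULL FILE pointer to fclose(); any other path that reaches this label before the output is opened would crash the same way. Consider recording that the open succeeded (or making perf_data__close() tolerate an unopened perf_data) and testing that here.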




* [PATCH 5.15 145/177] perf inject: Fix segfault due to perf_data__fd() without open
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 144/177] perf inject: Fix segfault due to close without open Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 146/177] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter,
	Arnaldo Carvalho de Melo, Jiri Olsa, Namhyung Kim,
	Riccardo Mancini

From: Adrian Hunter <adrian.hunter@intel.com>

commit c271a55b0c6029fed0cac909fa57999a11467132 upstream.

The fixed commit attempts to get the output file descriptor even if the
file was never opened e.g.

  $ perf record uname
  Linux
  [ perf record: Woken up 1 times to write data ]
  [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
  $ perf inject -i perf.data --vm-time-correlation=dry-run
  Segmentation fault (core dumped)
  $ gdb --quiet perf
  Reading symbols from perf...
  (gdb) r inject -i perf.data --vm-time-correlation=dry-run
  Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
  [Thread debugging using libthread_db enabled]
  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

  Program received signal SIGSEGV, Segmentation fault.
  __GI___fileno (fp=0x0) at fileno.c:35
  35      fileno.c: No such file or directory.
  (gdb) bt
  #0  __GI___fileno (fp=0x0) at fileno.c:35
  #1  0x00005621e48dd987 in perf_data__fd (data=0x7fff4c68bd08) at util/data.h:72
  #2  perf_data__fd (data=0x7fff4c68bd08) at util/data.h:69
  #3  cmd_inject (argc=<optimized out>, argv=0x7fff4c69c1f0) at builtin-inject.c:1017
  #4  0x00005621e4936783 in run_builtin (p=0x5621e4ee6878 <commands+600>, argc=4, argv=0x7fff4c69c1f0) at perf.c:313
  #5  0x00005621e4897d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
  #6  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
  #7  main (argc=4, argv=0x7fff4c69c1f0) at perf.c:539
  (gdb)

Fixes: 0ae03893623dd1dd ("perf tools: Pass a fd to perf_file_header__read_pipe()")
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Riccardo Mancini <rickyman7@gmail.com>
Cc: stable@vger.kernel.org
Link: http://lore.kernel.org/lkml/20211213084829.114772-3-adrian.hunter@intel.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/perf/builtin-inject.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/tools/perf/builtin-inject.c
+++ b/tools/perf/builtin-inject.c
@@ -755,12 +755,16 @@ static int parse_vm_time_correlation(con
 	return inject->itrace_synth_opts.vm_tm_corr_args ? 0 : -ENOMEM;
 }
 
+static int output_fd(struct perf_inject *inject)
+{
+	return inject->in_place_update ? -1 : perf_data__fd(&inject->output);
+}
+
 static int __cmd_inject(struct perf_inject *inject)
 {
 	int ret = -EINVAL;
 	struct perf_session *session = inject->session;
-	struct perf_data *data_out = &inject->output;
-	int fd = inject->in_place_update ? -1 : perf_data__fd(data_out);
+	int fd = output_fd(inject);
 	u64 output_data_offset;
 
 	signal(SIGINT, sig_handler);
@@ -1006,7 +1010,7 @@ int cmd_inject(int argc, const char **ar
 	}
 
 	inject.session = __perf_session__new(&data, repipe,
-					     perf_data__fd(&inject.output),
+					     output_fd(&inject),
 					     &inject.tool);
 	if (IS_ERR(inject.session)) {
 		ret = PTR_ERR(inject.session);
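Review bot: with output_fd() in place, the `__perf_session__new(&data, repipe, output_fd(&inject), &inject.tool)` call can now receive -1 as its fd argument while repipe is still passed unchanged. Please confirm that the in-place-update case never has repipe set, or that the callee checks for a negative fd before using it. A short comment on output_fd() saying that -1 means "no output file" would make that contract visible to both callers.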




* [PATCH 5.15 146/177] libata: if T_LENGTH is zero, dma direction should be DMA_NONE
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 145/177] perf inject: Fix segfault due to perf_data__fd() " Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 147/177] powerpc/module_64: Fix livepatching for RO modules Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzkaller, George Kennedy, Damien Le Moal

From: George Kennedy <george.kennedy@oracle.com>

commit 5da5231bb47864e5dd6c6731151e98b6ee498827 upstream.

Avoid data corruption by rejecting pass-through commands where
T_LENGTH is zero (No data is transferred) and the dma direction
is not DMA_NONE.

Cc: <stable@vger.kernel.org>
Reported-by: syzkaller<syzkaller@googlegroups.com>
Signed-off-by: George Kennedy<george.kennedy@oracle.com>
Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ata/libata-scsi.c |   15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

--- a/drivers/ata/libata-scsi.c
+++ b/drivers/ata/libata-scsi.c
@@ -2826,8 +2826,19 @@ static unsigned int ata_scsi_pass_thru(s
 		goto invalid_fld;
 	}
 
-	if (ata_is_ncq(tf->protocol) && (cdb[2 + cdb_offset] & 0x3) == 0)
-		tf->protocol = ATA_PROT_NCQ_NODATA;
+	if ((cdb[2 + cdb_offset] & 0x3) == 0) {
+		/*
+		 * When T_LENGTH is zero (No data is transferred), dir should
+		 * be DMA_NONE.
+		 */
+		if (scmd->sc_data_direction != DMA_NONE) {
+			fp = 2 + cdb_offset;
+			goto invalid_fld;
+		}
+
+		if (ata_is_ncq(tf->protocol))
+			tf->protocol = ATA_PROT_NCQ_NODATA;
+	}
 
 	/* enable LBA */
 	tf->flags |= ATA_TFLAG_LBA;
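Review bot: the new check rejects T_LENGTH == 0 combined with a direction other than DMA_NONE, but the opposite mismatch, a non-zero T_LENGTH with `scmd->sc_data_direction == DMA_NONE`, still falls through to the code below. If that combination is also invalid for pass-through commands it should be rejected here as well, or the comment should say why it is safe. The `& 0x3` mask for T_LENGTH now gates a rejection path and would read better as a named constant.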




* [PATCH 5.15 147/177] powerpc/module_64: Fix livepatching for RO modules
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 146/177] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 148/177] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Lawrence, Russell Currey,
	Michael Ellerman

From: Russell Currey <ruscur@russell.cc>

commit 8734b41b3efe0fc6082c1937b0e88556c396dc96 upstream.

Livepatching a loaded module involves applying relocations through
apply_relocate_add(), which attempts to write to read-only memory when
CONFIG_STRICT_MODULE_RWX=y.  Work around this by performing these
writes through the text poke area by using patch_instruction().

R_PPC_REL24 is the only relocation type generated by the kpatch-build
userspace tool or klp-convert kernel tree that I observed applying a
relocation to a post-init module.

A more comprehensive solution is planned, but using patch_instruction()
for R_PPC_REL24 on should serve as a sufficient fix.

This does have a performance impact, I observed ~15% overhead in
module_load() on POWER8 bare metal with checksum verification off.

Fixes: c35717c71e98 ("powerpc: Set ARCH_HAS_STRICT_MODULE_RWX")
Cc: stable@vger.kernel.org # v5.14+
Reported-by: Joe Lawrence <joe.lawrence@redhat.com>
Signed-off-by: Russell Currey <ruscur@russell.cc>
Tested-by: Joe Lawrence <joe.lawrence@redhat.com>
[mpe: Check return codes from patch_instruction()]
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211214121248.777249-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/kernel/module_64.c |   42 ++++++++++++++++++++++++++++++++--------
 1 file changed, 34 insertions(+), 8 deletions(-)

--- a/arch/powerpc/kernel/module_64.c
+++ b/arch/powerpc/kernel/module_64.c
@@ -422,11 +422,17 @@ static inline int create_stub(const Elf6
 			      const char *name)
 {
 	long reladdr;
+	func_desc_t desc;
+	int i;
 
 	if (is_mprofile_ftrace_call(name))
 		return create_ftrace_stub(entry, addr, me);
 
-	memcpy(entry->jump, ppc64_stub_insns, sizeof(ppc64_stub_insns));
+	for (i = 0; i < sizeof(ppc64_stub_insns) / sizeof(u32); i++) {
+		if (patch_instruction(&entry->jump[i],
+				      ppc_inst(ppc64_stub_insns[i])))
+			return 0;
+	}
 
 	/* Stub uses address relative to r2. */
 	reladdr = (unsigned long)entry - my_r2(sechdrs, me);
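Review bot: in the new loop, `i` is a signed int compared against `sizeof(ppc64_stub_insns) / sizeof(u32)`, an unsigned size_t expression; ARRAY_SIZE(ppc64_stub_insns) with an unsigned index would avoid the mixed-sign comparison and not hard-code the element type. The error value from patch_instruction() is also dropped in favour of `return 0`, so a failed text poke is reported only as a generic stub-creation failure.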
@@ -437,10 +443,24 @@ static inline int create_stub(const Elf6
 	}
 	pr_debug("Stub %p get data from reladdr %li\n", entry, reladdr);
 
-	entry->jump[0] |= PPC_HA(reladdr);
-	entry->jump[1] |= PPC_LO(reladdr);
-	entry->funcdata = func_desc(addr);
-	entry->magic = STUB_MAGIC;
+	if (patch_instruction(&entry->jump[0],
+			      ppc_inst(entry->jump[0] | PPC_HA(reladdr))))
+		return 0;
+
+	if (patch_instruction(&entry->jump[1],
+			  ppc_inst(entry->jump[1] | PPC_LO(reladdr))))
+		return 0;
+
+	// func_desc_t is 8 bytes if ABIv2, else 16 bytes
+	desc = func_desc(addr);
+	for (i = 0; i < sizeof(func_desc_t) / sizeof(u32); i++) {
+		if (patch_instruction(((u32 *)&entry->funcdata) + i,
+				      ppc_inst(((u32 *)(&desc))[i])))
+			return 0;
+	}
+
+	if (patch_instruction(&entry->magic, ppc_inst(STUB_MAGIC)))
+		return 0;
 
 	return 1;
 }
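Review bot: each failed patch_instruction() call in this hunk returns 0 immediately, which can leave the stub partially written (jump[] patched but funcdata or magic not) with no message, although this function already logs via pr_debug() just above. Suggest a pr_err() naming the stub on these paths. The funcdata copy also pushes data words through patch_instruction() via the `(u32 *)&entry->funcdata` and `(u32 *)(&desc)` casts; a small helper for writing data through the text poke area would keep the type punning in one place, and the `//` comment should use the kernel's /* */ style.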
@@ -495,8 +515,11 @@ static int restore_r2(const char *name,
 			me->name, *instruction, instruction);
 		return 0;
 	}
+
 	/* ld r2,R2_STACK_OFFSET(r1) */
-	*instruction = PPC_INST_LD_TOC;
+	if (patch_instruction(instruction, ppc_inst(PPC_INST_LD_TOC)))
+		return 0;
+
 	return 1;
 }
 
@@ -636,9 +659,12 @@ int apply_relocate_add(Elf64_Shdr *sechd
 			}
 
 			/* Only replace bits 2 through 26 */
-			*(uint32_t *)location
-				= (*(uint32_t *)location & ~0x03fffffc)
+			value = (*(uint32_t *)location & ~0x03fffffc)
 				| (value & 0x03fffffc);
+
+			if (patch_instruction((u32 *)location, ppc_inst(value)))
+				return -EFAULT;
+
 			break;
 
 		case R_PPC64_REL64:
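Review bot: `value` is used as the relocation value on the right-hand side of `value = (*(uint32_t *)location & ~0x03fffffc) | (value & 0x03fffffc);` and is then overwritten with the merged instruction word, which makes the following patch_instruction() call harder to read; a separate local for the instruction would be clearer. The call also maps every patch_instruction() failure to -EFAULT instead of returning its error code. Per the commit message only this relocation type goes through the text poke area, so a comment here noting that the remaining cases still write directly would help whoever implements the more comprehensive fix.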




* [PATCH 5.15 148/177] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 147/177] powerpc/module_64: Fix livepatching for RO modules Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:34 ` [PATCH 5.15 149/177] drm/amdgpu: dont override default ECO_BITs setting Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Le Ma, Hawking Zhang, Alex Deucher

From: Le Ma <le.ma@amd.com>

commit f3a8076eb28cae1553958c629aecec479394bbe2 upstream.

should count on GC IP base address

Signed-off-by: Le Ma <le.ma@amd.com>
Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
Reviewed-by: Hawking Zhang <Hawking.Zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -3061,8 +3061,8 @@ static void gfx_v9_0_init_pg(struct amdg
 			      AMD_PG_SUPPORT_CP |
 			      AMD_PG_SUPPORT_GDS |
 			      AMD_PG_SUPPORT_RLC_SMU_HS)) {
-		WREG32(mmRLC_JUMP_TABLE_RESTORE,
-		       adev->gfx.rlc.cp_table_gpu_addr >> 8);
+		WREG32_SOC15(GC, 0, mmRLC_JUMP_TABLE_RESTORE,
+			     adev->gfx.rlc.cp_table_gpu_addr >> 8);
 		gfx_v9_0_init_gfx_power_gating(adev);
 	}
 }




* [PATCH 5.15 149/177] drm/amdgpu: dont override default ECO_BITs setting
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 148/177] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
@ 2021-12-20 14:34 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 150/177] drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:34 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hawking Zhang, Alex Deucher

From: Hawking Zhang <Hawking.Zhang@amd.com>

commit 841933d5b8aa853abe68e63827f68f50fab37226 upstream.

Leave this bit as hardware default setting

Signed-off-by: Hawking Zhang <Hawking.Zhang@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c |    1 -
 drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c |    1 -
 drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c |    1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c  |    1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c  |    1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c  |    1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c  |    1 -
 drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c  |    2 --
 8 files changed, 9 deletions(-)

--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v1_0.c
@@ -162,7 +162,6 @@ static void gfxhub_v1_0_init_tlb_regs(st
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC);/* XXX for emulation. */
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
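Review bot: dropping the `REG_SET_FIELD(..., ECO_BITS, 0)` line keeps the hardware default only if tmp was loaded from the register before this read-modify-write chain, and the hunk does not show where tmp is initialised. If any of the eight init_tlb_regs() functions touched by this patch starts from a constant, ECO_BITS is still written with whatever that constant contains, so this is worth checking per file. The commit message would also benefit from saying what goes wrong when the field is forced to 0.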
--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_0.c
@@ -196,7 +196,6 @@ static void gfxhub_v2_0_init_tlb_regs(st
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC); /* UC, uncached */
 
--- a/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfxhub_v2_1.c
@@ -197,7 +197,6 @@ static void gfxhub_v2_1_init_tlb_regs(st
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, GCMC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC); /* UC, uncached */
 
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_0.c
@@ -145,7 +145,6 @@ static void mmhub_v1_0_init_tlb_regs(str
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC);/* XXX for emulation. */
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v1_7.c
@@ -165,7 +165,6 @@ static void mmhub_v1_7_init_tlb_regs(str
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC);/* XXX for emulation. */
 	tmp = REG_SET_FIELD(tmp, MC_VM_MX_L1_TLB_CNTL, ATC_EN, 1);
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_0.c
@@ -269,7 +269,6 @@ static void mmhub_v2_0_init_tlb_regs(str
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC); /* UC, uncached */
 
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v2_3.c
@@ -194,7 +194,6 @@ static void mmhub_v2_3_init_tlb_regs(str
 			    ENABLE_ADVANCED_DRIVER_MODEL, 1);
 	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
-	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL, ECO_BITS, 0);
 	tmp = REG_SET_FIELD(tmp, MMMC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC); /* UC, uncached */
 
--- a/drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c
+++ b/drivers/gpu/drm/amd/amdgpu/mmhub_v9_4.c
@@ -190,8 +190,6 @@ static void mmhub_v9_4_init_tlb_regs(str
 	tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
 			    SYSTEM_APERTURE_UNMAPPED_ACCESS, 0);
 	tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
-			    ECO_BITS, 0);
-	tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
 			    MTYPE, MTYPE_UC);/* XXX for emulation. */
 	tmp = REG_SET_FIELD(tmp, VMSHAREDVC0_MC_VM_MX_L1_TLB_CNTL,
 			    ATC_EN, 1);




* [PATCH 5.15 150/177] drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2021-12-20 14:34 ` [PATCH 5.15 149/177] drm/amdgpu: dont override default ECO_BITs setting Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 151/177] Revert "can: m_can: remove support for custom bit timing" Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mario Limonciello, Alex Deucher

From: Mario Limonciello <mario.limonciello@amd.com>

commit dcd10d879a9d1d4e929d374c2f24aba8fac3252b upstream.

This value does not get cached into adev->pm.fw_version during
startup for smu13 like it does for other SMU like smu12.

Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/smu13/smu_v13_0.c
@@ -197,6 +197,7 @@ int smu_v13_0_check_fw_status(struct smu
 
 int smu_v13_0_check_fw_version(struct smu_context *smu)
 {
+	struct amdgpu_device *adev = smu->adev;
 	uint32_t if_version = 0xff, smu_version = 0xff;
 	uint16_t smu_major;
 	uint8_t smu_minor, smu_debug;
@@ -209,6 +210,8 @@ int smu_v13_0_check_fw_version(struct sm
 	smu_major = (smu_version >> 16) & 0xffff;
 	smu_minor = (smu_version >> 8) & 0xff;
 	smu_debug = (smu_version >> 0) & 0xff;
+	if (smu->is_apu)
+		adev->pm.fw_version = smu_version;
 
 	switch (smu->adev->asic_type) {
 	case CHIP_ALDEBARAN:
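Review bot: the commit message says fw_version is not cached for smu13 at all, but the added assignment is conditional on `smu->is_apu`; the reason for excluding non-APU parts should be stated in a comment, or the condition dropped. The first hunk introduces a local `adev`, yet the switch just below still reads `smu->adev->asic_type`, so the new local could be used there for consistency.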




* [PATCH 5.15 151/177] Revert "can: m_can: remove support for custom bit timing"
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 150/177] drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 152/177] can: m_can: make custom bittiming fields const Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Marc Kleine-Budde

From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>

commit ea768b2ffec6cc9c3e17c37ef75d0539b8f89ff5 upstream.

The timing limits specified by the Elkhart Lake CPU datasheets do not
match the defaults. Let's reintroduce the support for custom bit timings.

This reverts commit 0ddd83fbebbc5537f9d180d31f659db3564be708.

Link: https://lore.kernel.org/all/00c9e2596b1a548906921a574d4ef7a03c0dace0.1636967198.git.matthias.schiffer@ew.tq-group.com
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/m_can/m_can.c |   24 ++++++++++++++++++------
 drivers/net/can/m_can/m_can.h |    3 +++
 2 files changed, 21 insertions(+), 6 deletions(-)

--- a/drivers/net/can/m_can/m_can.c
+++ b/drivers/net/can/m_can/m_can.c
@@ -1494,20 +1494,32 @@ static int m_can_dev_setup(struct m_can_
 	case 30:
 		/* CAN_CTRLMODE_FD_NON_ISO is fixed with M_CAN IP v3.0.x */
 		can_set_static_ctrlmode(dev, CAN_CTRLMODE_FD_NON_ISO);
-		cdev->can.bittiming_const = &m_can_bittiming_const_30X;
-		cdev->can.data_bittiming_const = &m_can_data_bittiming_const_30X;
+		cdev->can.bittiming_const = cdev->bit_timing ?
+			cdev->bit_timing : &m_can_bittiming_const_30X;
+
+		cdev->can.data_bittiming_const = cdev->data_timing ?
+			cdev->data_timing :
+			&m_can_data_bittiming_const_30X;
 		break;
 	case 31:
 		/* CAN_CTRLMODE_FD_NON_ISO is fixed with M_CAN IP v3.1.x */
 		can_set_static_ctrlmode(dev, CAN_CTRLMODE_FD_NON_ISO);
-		cdev->can.bittiming_const = &m_can_bittiming_const_31X;
-		cdev->can.data_bittiming_const = &m_can_data_bittiming_const_31X;
+		cdev->can.bittiming_const = cdev->bit_timing ?
+			cdev->bit_timing : &m_can_bittiming_const_31X;
+
+		cdev->can.data_bittiming_const = cdev->data_timing ?
+			cdev->data_timing :
+			&m_can_data_bittiming_const_31X;
 		break;
 	case 32:
 	case 33:
 		/* Support both MCAN version v3.2.x and v3.3.0 */
-		cdev->can.bittiming_const = &m_can_bittiming_const_31X;
-		cdev->can.data_bittiming_const = &m_can_data_bittiming_const_31X;
+		cdev->can.bittiming_const = cdev->bit_timing ?
+			cdev->bit_timing : &m_can_bittiming_const_31X;
+
+		cdev->can.data_bittiming_const = cdev->data_timing ?
+			cdev->data_timing :
+			&m_can_data_bittiming_const_31X;
 
 		cdev->can.ctrlmode_supported |=
 			(m_can_niso_supported(cdev) ?
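
Review bot: the custom-or-default selection is written out six times in this switch (both pointers in cases 30, 31 and 32/33), so the same rule has to be kept in sync in three places. Let each case assign only the IP-version defaults and apply the override once after the switch, for example `if (cdev->bit_timing) cdev->can.bittiming_const = cdev->bit_timing;` and the same for data_timing. A new IP version then cannot forget the override.
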
--- a/drivers/net/can/m_can/m_can.h
+++ b/drivers/net/can/m_can/m_can.h
@@ -85,6 +85,9 @@ struct m_can_classdev {
 	struct sk_buff *tx_skb;
 	struct phy *transceiver;
 
+	struct can_bittiming_const *bit_timing;
+	struct can_bittiming_const *data_timing;
+
 	struct m_can_ops *ops;
 
 	int version;
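
Review bot: bit_timing and data_timing are added as plain `struct can_bittiming_const *` with no comment, although m_can_dev_setup() only reads them and treats NULL as "use the IP-version defaults". Declare both as `const struct can_bittiming_const *` (the next patch in this series does that) and add a one-line comment that glue drivers may leave them NULL.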




* [PATCH 5.15 152/177] can: m_can: make custom bittiming fields const
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 151/177] Revert "can: m_can: remove support for custom bit timing" Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 153/177] can: m_can: pci: use custom bit timings for Elkhart Lake Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Marc Kleine-Budde

From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>

commit ea22ba40debee29ee7257c42002409899e9311c1 upstream.

The assigned timing structs will be defined as const anyway, so we can
avoid a few casts by declaring the struct fields as const as well.

Link: https://lore.kernel.org/all/4508fa4e639164b2584c49a065d90c78a91fa568.1636967198.git.matthias.schiffer@ew.tq-group.com
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/m_can/m_can.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/net/can/m_can/m_can.h
+++ b/drivers/net/can/m_can/m_can.h
@@ -85,8 +85,8 @@ struct m_can_classdev {
 	struct sk_buff *tx_skb;
 	struct phy *transceiver;
 
-	struct can_bittiming_const *bit_timing;
-	struct can_bittiming_const *data_timing;
+	const struct can_bittiming_const *bit_timing;
+	const struct can_bittiming_const *data_timing;
 
 	struct m_can_ops *ops;
 




* [PATCH 5.15 153/177] can: m_can: pci: use custom bit timings for Elkhart Lake
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 152/177] can: m_can: make custom bittiming fields const Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 154/177] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Marc Kleine-Budde

From: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>

commit ea4c1787685dbf9842046f05b6390b6901ee6ba2 upstream.

The relevant datasheet [1] specifies nonstandard limits for the bit timing
parameters. While it is unclear what the exact effect of violating these
limits is, it seems like a good idea to adhere to the documentation.

[1] Intel Atom® x6000E Series, and Intel® Pentium® and Celeron® N and J
    Series Processors for IoT Applications Datasheet,
    Volume 2 (Book 3 of 3), July 2021, Revision 001

Fixes: cab7ffc0324f ("can: m_can: add PCI glue driver for Intel Elkhart Lake")
Link: https://lore.kernel.org/all/9eba5d7c05a48ead4024ffa6e5926f191d8c6b38.1636967198.git.matthias.schiffer@ew.tq-group.com
Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/m_can/m_can_pci.c |   48 ++++++++++++++++++++++++++++++++++----
 1 file changed, 44 insertions(+), 4 deletions(-)

--- a/drivers/net/can/m_can/m_can_pci.c
+++ b/drivers/net/can/m_can/m_can_pci.c
@@ -18,9 +18,14 @@
 
 #define M_CAN_PCI_MMIO_BAR		0
 
-#define M_CAN_CLOCK_FREQ_EHL		200000000
 #define CTL_CSR_INT_CTL_OFFSET		0x508
 
+struct m_can_pci_config {
+	const struct can_bittiming_const *bit_timing;
+	const struct can_bittiming_const *data_timing;
+	unsigned int clock_freq;
+};
+
 struct m_can_pci_priv {
 	struct m_can_classdev cdev;
 
@@ -84,9 +89,40 @@ static struct m_can_ops m_can_pci_ops =
 	.read_fifo = iomap_read_fifo,
 };
 
+static const struct can_bittiming_const m_can_bittiming_const_ehl = {
+	.name = KBUILD_MODNAME,
+	.tseg1_min = 2,		/* Time segment 1 = prop_seg + phase_seg1 */
+	.tseg1_max = 64,
+	.tseg2_min = 1,		/* Time segment 2 = phase_seg2 */
+	.tseg2_max = 128,
+	.sjw_max = 128,
+	.brp_min = 1,
+	.brp_max = 512,
+	.brp_inc = 1,
+};
+
+static const struct can_bittiming_const m_can_data_bittiming_const_ehl = {
+	.name = KBUILD_MODNAME,
+	.tseg1_min = 2,		/* Time segment 1 = prop_seg + phase_seg1 */
+	.tseg1_max = 16,
+	.tseg2_min = 1,		/* Time segment 2 = phase_seg2 */
+	.tseg2_max = 8,
+	.sjw_max = 4,
+	.brp_min = 1,
+	.brp_max = 32,
+	.brp_inc = 1,
+};
+
+static const struct m_can_pci_config m_can_pci_ehl = {
+	.bit_timing = &m_can_bittiming_const_ehl,
+	.data_timing = &m_can_data_bittiming_const_ehl,
+	.clock_freq = 200000000,
+};
+
 static int m_can_pci_probe(struct pci_dev *pci, const struct pci_device_id *id)
 {
 	struct device *dev = &pci->dev;
+	const struct m_can_pci_config *cfg;
 	struct m_can_classdev *mcan_class;
 	struct m_can_pci_priv *priv;
 	void __iomem *base;
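
Review bot: m_can_bittiming_const_ehl sets tseg2_max and sjw_max to 128 while tseg1_max is 64, the opposite proportion to m_can_data_bittiming_const_ehl (tseg1_max 16, tseg2_max 8), and nothing in the table says where the numbers come from. Add a comment naming the datasheet section or table next to each struct so a reader can tell the asymmetry is intended and not a transposition. The commit message itself says the effect of violating the limits is unclear, which makes the citation more important. Separately, `.clock_freq = 200000000` replaces the named M_CAN_CLOCK_FREQ_EHL with a bare literal; keeping the macro would preserve the unit and meaning.
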
@@ -114,6 +150,8 @@ static int m_can_pci_probe(struct pci_de
 	if (!mcan_class)
 		return -ENOMEM;
 
+	cfg = (const struct m_can_pci_config *)id->driver_data;
+
 	priv = cdev_to_priv(mcan_class);
 
 	priv->base = base;
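
Review bot: cfg is taken from `id->driver_data` here and dereferenced in the next hunk (`cfg->bit_timing`, `cfg->data_timing`, `cfg->clock_freq`) with no NULL check. Every entry in the current table sets driver_data, but a match that arrives with driver_data of 0 (a later table entry that omits it, or an ID bound without driver data) would fault in probe. Return -ENODEV when cfg is NULL, before anything is set up from it.
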
@@ -125,7 +163,9 @@ static int m_can_pci_probe(struct pci_de
 	mcan_class->dev = &pci->dev;
 	mcan_class->net->irq = pci_irq_vector(pci, 0);
 	mcan_class->pm_clock_support = 1;
-	mcan_class->can.clock.freq = id->driver_data;
+	mcan_class->bit_timing = cfg->bit_timing;
+	mcan_class->data_timing = cfg->data_timing;
+	mcan_class->can.clock.freq = cfg->clock_freq;
 	mcan_class->ops = &m_can_pci_ops;
 
 	pci_set_drvdata(pci, mcan_class);
@@ -178,8 +218,8 @@ static SIMPLE_DEV_PM_OPS(m_can_pci_pm_op
 			 m_can_pci_suspend, m_can_pci_resume);
 
 static const struct pci_device_id m_can_pci_id_table[] = {
-	{ PCI_VDEVICE(INTEL, 0x4bc1), M_CAN_CLOCK_FREQ_EHL, },
-	{ PCI_VDEVICE(INTEL, 0x4bc2), M_CAN_CLOCK_FREQ_EHL, },
+	{ PCI_VDEVICE(INTEL, 0x4bc1), (kernel_ulong_t)&m_can_pci_ehl, },
+	{ PCI_VDEVICE(INTEL, 0x4bc2), (kernel_ulong_t)&m_can_pci_ehl, },
 	{  }	/* Terminating Entry */
 };
 MODULE_DEVICE_TABLE(pci, m_can_pci_id_table);




* [PATCH 5.15 154/177] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 153/177] can: m_can: pci: use custom bit timings for Elkhart Lake Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 155/177] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, George Makarov, Fabio Estevam, Shawn Guo

From: Fabio Estevam <festevam@gmail.com>

commit 737e65c7956795b3553781fb7bc82fce1c39503f upstream.

According to the i.MX6ULL Reference Manual, pad CSI_DATA07 may
have the ESAI_TX0 functionality, not ESAI_T0.

Also, NXP's i.MX Config Tools 10.0 generates dtsi with the
MX6ULL_PAD_CSI_DATA07__ESAI_TX0 naming, so fix it accordingly.

There are no devicetree users in mainline that use the old name,
so just remove the old entry.

Fixes: c201369d4aa5 ("ARM: dts: imx6ull: add imx6ull support")
Reported-by: George Makarov <georgemakarov1@gmail.com>
Signed-off-by: Fabio Estevam <festevam@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/imx6ull-pinfunc.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/imx6ull-pinfunc.h
+++ b/arch/arm/boot/dts/imx6ull-pinfunc.h
@@ -82,6 +82,6 @@
 #define MX6ULL_PAD_CSI_DATA04__ESAI_TX_FS                         0x01F4 0x0480 0x0000 0x9 0x0
 #define MX6ULL_PAD_CSI_DATA05__ESAI_TX_CLK                        0x01F8 0x0484 0x0000 0x9 0x0
 #define MX6ULL_PAD_CSI_DATA06__ESAI_TX5_RX0                       0x01FC 0x0488 0x0000 0x9 0x0
-#define MX6ULL_PAD_CSI_DATA07__ESAI_T0                            0x0200 0x048C 0x0000 0x9 0x0
+#define MX6ULL_PAD_CSI_DATA07__ESAI_TX0                           0x0200 0x048C 0x0000 0x9 0x0
 
 #endif /* __DTS_IMX6ULL_PINFUNC_H */




* [PATCH 5.15 155/177] xsk: Do not sleep in poll() when need_wakeup set
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 154/177] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 156/177] mptcp: add missing documented NL params Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Keith Wiles, Magnus Karlsson,
	Daniel Borkmann, Maciej Fijalkowski

From: Magnus Karlsson <magnus.karlsson@intel.com>

commit bd0687c18e635b63233dc87f38058cd728802ab4 upstream.

Do not sleep in poll() when the need_wakeup flag is set. When this
flag is set, the application needs to explicitly wake up the driver
with a syscall (poll, recvmsg, sendmsg, etc.) to guarantee that Rx
and/or Tx processing will be processed promptly. But the current code
in poll() sleeps first, then wakes up the driver. This means that no
driver processing will occur (barring any interrupts) until the timeout
has expired.

Fix this by checking the need_wakeup flag first and if set, wake the
driver and return to the application. Only if need_wakeup is not set
should the process sleep if there is a timeout set in the poll() call.

Fixes: 77cd0d7b3f25 ("xsk: add support for need_wakeup flag in AF_XDP rings")
Reported-by: Keith Wiles <keith.wiles@intel.com>
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Link: https://lore.kernel.org/bpf/20211214102607.7677-1-magnus.karlsson@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xdp/xsk.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -692,8 +692,6 @@ static __poll_t xsk_poll(struct file *fi
 	struct xdp_sock *xs = xdp_sk(sk);
 	struct xsk_buff_pool *pool;
 
-	sock_poll_wait(file, sock, wait);
-
 	if (unlikely(!xsk_is_bound(xs)))
 		return mask;
 
@@ -705,6 +703,8 @@ static __poll_t xsk_poll(struct file *fi
 		else
 			/* Poll needs to drive Tx also in copy mode */
 			__xsk_sendmsg(sk);
+	} else {
+		sock_poll_wait(file, sock, wait);
 	}
 
 	if (xs->rx && !xskq_prod_is_empty(xs->rx))
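
Review bot: with sock_poll_wait() now only in the new else branch, a caller that takes the wakeup branch is never added to the socket's wait queue, and neither is one that hits the `!xsk_is_bound(xs)` early return in the previous hunk. sock_poll_wait() only registers the waiter and does not block, so if the mask computed below has no ready bits, poll() will sleep for the full timeout with nothing from this socket able to wake it. Keep the registration unconditional at the top of xsk_poll() and solve the ordering problem by driving the wakeup there, or explain in a comment why a missed wakeup cannot happen on these two paths.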




* [PATCH 5.15 156/177] mptcp: add missing documented NL params
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 155/177] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 157/177] bpf, x64: Factor out emission of REX byte in more cases Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthieu Baerts, Mat Martineau,
	Jakub Kicinski

From: Matthieu Baerts <matthieu.baerts@tessares.net>

commit 6813b1928758ce64fabbb8ef157f994b7c2235fa upstream.

'loc_id' and 'rem_id' are set in all events linked to subflows but those
were missing in the events description in the comments.

Fixes: b911c97c7dc7 ("mptcp: add netlink event support")
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/linux/mptcp.h |   18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

--- a/include/uapi/linux/mptcp.h
+++ b/include/uapi/linux/mptcp.h
@@ -129,19 +129,21 @@ struct mptcp_info {
  * MPTCP_EVENT_REMOVED: token, rem_id
  * An address has been lost by the peer.
  *
- * MPTCP_EVENT_SUB_ESTABLISHED: token, family, saddr4 | saddr6,
- *                              daddr4 | daddr6, sport, dport, backup,
- *                              if_idx [, error]
+ * MPTCP_EVENT_SUB_ESTABLISHED: token, family, loc_id, rem_id,
+ *                              saddr4 | saddr6, daddr4 | daddr6, sport,
+ *                              dport, backup, if_idx [, error]
  * A new subflow has been established. 'error' should not be set.
  *
- * MPTCP_EVENT_SUB_CLOSED: token, family, saddr4 | saddr6, daddr4 | daddr6,
- *                         sport, dport, backup, if_idx [, error]
+ * MPTCP_EVENT_SUB_CLOSED: token, family, loc_id, rem_id, saddr4 | saddr6,
+ *                         daddr4 | daddr6, sport, dport, backup, if_idx
+ *                         [, error]
  * A subflow has been closed. An error (copy of sk_err) could be set if an
  * error has been detected for this subflow.
  *
- * MPTCP_EVENT_SUB_PRIORITY: token, family, saddr4 | saddr6, daddr4 | daddr6,
- *                           sport, dport, backup, if_idx [, error]
- *       The priority of a subflow has changed. 'error' should not be set.
+ * MPTCP_EVENT_SUB_PRIORITY: token, family, loc_id, rem_id, saddr4 | saddr6,
+ *                           daddr4 | daddr6, sport, dport, backup, if_idx
+ *                           [, error]
+ * The priority of a subflow has changed. 'error' should not be set.
  */
 enum mptcp_event_type {
 	MPTCP_EVENT_UNSPEC = 0,




* [PATCH 5.15 157/177] bpf, x64: Factor out emission of REX byte in more cases
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 156/177] mptcp: add missing documented NL params Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 158/177] bpf: Fix extable address check Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jie Meng, Daniel Borkmann, Song Liu

From: Jie Meng <jmeng@fb.com>

commit 6364d7d75a0e015a405d1f8a07f267f076c36ca6 upstream.

Introduce a single reg version of maybe_emit_mod() and factor out
common code in more cases.

Signed-off-by: Jie Meng <jmeng@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20211006194135.608932-1-jmeng@fb.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/net/bpf_jit_comp.c |   50 ++++++++++++++++++++++----------------------
 1 file changed, 26 insertions(+), 24 deletions(-)

--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -721,6 +721,20 @@ static void maybe_emit_mod(u8 **pprog, u
 	*pprog = prog;
 }
 
+/*
+ * Similar version of maybe_emit_mod() for a single register
+ */
+static void maybe_emit_1mod(u8 **pprog, u32 reg, bool is64)
+{
+	u8 *prog = *pprog;
+
+	if (is64)
+		EMIT1(add_1mod(0x48, reg));
+	else if (is_ereg(reg))
+		EMIT1(add_1mod(0x40, reg));
+	*pprog = prog;
+}
+
 /* LDX: dst_reg = *(u8*)(src_reg + off) */
 static void emit_ldx(u8 **pprog, u32 size, u32 dst_reg, u32 src_reg, int off)
 {
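
Review bot: the comment on maybe_emit_1mod() should state that the helper emits either nothing or exactly one REX byte: with is64 false and a non-extended register, no byte is written. Code in do_jit() that patches jump displacements around emitted sequences depends on knowing those lengths, so the variable length belongs in the comment, along the lines of "Emits a REX prefix only if is64 is set or reg is an extended register".
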
@@ -951,10 +965,8 @@ static int do_jit(struct bpf_prog *bpf_p
 			/* neg dst */
 		case BPF_ALU | BPF_NEG:
 		case BPF_ALU64 | BPF_NEG:
-			if (BPF_CLASS(insn->code) == BPF_ALU64)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_ALU64);
 			EMIT2(0xF7, add_1reg(0xD8, dst_reg));
 			break;
 
@@ -968,10 +980,8 @@ static int do_jit(struct bpf_prog *bpf_p
 		case BPF_ALU64 | BPF_AND | BPF_K:
 		case BPF_ALU64 | BPF_OR | BPF_K:
 		case BPF_ALU64 | BPF_XOR | BPF_K:
-			if (BPF_CLASS(insn->code) == BPF_ALU64)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_ALU64);
 
 			/*
 			 * b3 holds 'normal' opcode, b2 short form only valid
@@ -1112,10 +1122,8 @@ static int do_jit(struct bpf_prog *bpf_p
 		case BPF_ALU64 | BPF_LSH | BPF_K:
 		case BPF_ALU64 | BPF_RSH | BPF_K:
 		case BPF_ALU64 | BPF_ARSH | BPF_K:
-			if (BPF_CLASS(insn->code) == BPF_ALU64)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_ALU64);
 
 			b3 = simple_alu_opcodes[BPF_OP(insn->code)];
 			if (imm32 == 1)
@@ -1146,10 +1154,8 @@ static int do_jit(struct bpf_prog *bpf_p
 			}
 
 			/* shl %rax, %cl | shr %rax, %cl | sar %rax, %cl */
-			if (BPF_CLASS(insn->code) == BPF_ALU64)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_ALU64);
 
 			b3 = simple_alu_opcodes[BPF_OP(insn->code)];
 			EMIT2(0xD3, add_1reg(b3, dst_reg));
@@ -1459,10 +1465,8 @@ st:			if (is_imm8(insn->off))
 		case BPF_JMP | BPF_JSET | BPF_K:
 		case BPF_JMP32 | BPF_JSET | BPF_K:
 			/* test dst_reg, imm32 */
-			if (BPF_CLASS(insn->code) == BPF_JMP)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_JMP);
 			EMIT2_off32(0xF7, add_1reg(0xC0, dst_reg), imm32);
 			goto emit_cond_jmp;
 
@@ -1495,10 +1499,8 @@ st:			if (is_imm8(insn->off))
 			}
 
 			/* cmp dst_reg, imm8/32 */
-			if (BPF_CLASS(insn->code) == BPF_JMP)
-				EMIT1(add_1mod(0x48, dst_reg));
-			else if (is_ereg(dst_reg))
-				EMIT1(add_1mod(0x40, dst_reg));
+			maybe_emit_1mod(&prog, dst_reg,
+					BPF_CLASS(insn->code) == BPF_JMP);
 
 			if (is_imm8(imm32))
 				EMIT3(0x83, add_1reg(0xF8, dst_reg), imm32);




* [PATCH 5.15 158/177] bpf: Fix extable address check.
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 157/177] bpf, x64: Factor out emission of REX byte in more cases Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 159/177] USB: core: Make do_proc_control() and do_proc_bulk() killable Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lorenzo Fontana, Alexei Starovoitov,
	Daniel Borkmann

From: Alexei Starovoitov <ast@kernel.org>

commit 588a25e92458c6efeb7a261d5ca5726f5de89184 upstream.

The verifier checks that a PTR_TO_BTF_ID pointer is either valid or NULL,
but it cannot distinguish an IS_ERR pointer from a valid one.

When an offset is added to an IS_ERR pointer it may become a small positive
value which is a user address that is not handled by extable logic
and has to be checked for at runtime.

Tighten BPF_PROBE_MEM pointer check code to prevent this case.

Fixes: 4c5de127598e ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
Reported-by: Lorenzo Fontana <lorenzo.fontana@elastic.co>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/net/bpf_jit_comp.c |   49 +++++++++++++++++++++++++++++++++++++-------
 1 file changed, 42 insertions(+), 7 deletions(-)

--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -1280,19 +1280,54 @@ st:			if (is_imm8(insn->off))
 		case BPF_LDX | BPF_MEM | BPF_DW:
 		case BPF_LDX | BPF_PROBE_MEM | BPF_DW:
 			if (BPF_MODE(insn->code) == BPF_PROBE_MEM) {
-				/* test src_reg, src_reg */
-				maybe_emit_mod(&prog, src_reg, src_reg, true); /* always 1 byte */
-				EMIT2(0x85, add_2reg(0xC0, src_reg, src_reg));
-				/* jne start_of_ldx */
-				EMIT2(X86_JNE, 0);
+				/* Though the verifier prevents negative insn->off in BPF_PROBE_MEM
+				 * add abs(insn->off) to the limit to make sure that negative
+				 * offset won't be an issue.
+				 * insn->off is s16, so it won't affect valid pointers.
+				 */
+				u64 limit = TASK_SIZE_MAX + PAGE_SIZE + abs(insn->off);
+				u8 *end_of_jmp1, *end_of_jmp2;
+
+				/* Conservatively check that src_reg + insn->off is a kernel address:
+				 * 1. src_reg + insn->off >= limit
+				 * 2. src_reg + insn->off doesn't become small positive.
+				 * Cannot do src_reg + insn->off >= limit in one branch,
+				 * since it needs two spare registers, but JIT has only one.
+				 */
+
+				/* movabsq r11, limit */
+				EMIT2(add_1mod(0x48, AUX_REG), add_1reg(0xB8, AUX_REG));
+				EMIT((u32)limit, 4);
+				EMIT(limit >> 32, 4);
+				/* cmp src_reg, r11 */
+				maybe_emit_mod(&prog, src_reg, AUX_REG, true);
+				EMIT2(0x39, add_2reg(0xC0, src_reg, AUX_REG));
+				/* if unsigned '<' goto end_of_jmp2 */
+				EMIT2(X86_JB, 0);
+				end_of_jmp1 = prog;
+
+				/* mov r11, src_reg */
+				emit_mov_reg(&prog, true, AUX_REG, src_reg);
+				/* add r11, insn->off */
+				maybe_emit_1mod(&prog, AUX_REG, true);
+				EMIT2_off32(0x81, add_1reg(0xC0, AUX_REG), insn->off);
+				/* jmp if not carry to start_of_ldx
+				 * Otherwise ERR_PTR(-EINVAL) + 128 will be the user addr
+				 * that has to be rejected.
+				 */
+				EMIT2(0x73 /* JNC */, 0);
+				end_of_jmp2 = prog;
+
 				/* xor dst_reg, dst_reg */
 				emit_mov_imm32(&prog, false, dst_reg, 0);
 				/* jmp byte_after_ldx */
 				EMIT2(0xEB, 0);
 
-				/* populate jmp_offset for JNE above */
-				temp[4] = prog - temp - 5 /* sizeof(test + jne) */;
+				/* populate jmp_offset for JB above to jump to xor dst_reg */
+				end_of_jmp1[-1] = end_of_jmp2 - end_of_jmp1;
+				/* populate jmp_offset for JNC above to jump to start_of_ldx */
 				start_of_ldx = prog;
+				end_of_jmp2[-1] = start_of_ldx - end_of_jmp2;
 			}
 			emit_ldx(&prog, BPF_SIZE(insn->code), dst_reg, src_reg, insn->off);
 			if (BPF_MODE(insn->code) == BPF_PROBE_MEM) {
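
Review bot: step 1 of the comment block, `src_reg + insn->off >= limit`, does not describe what is emitted: `cmp src_reg, r11` compares src_reg alone against a limit that already has abs(insn->off) folded in. Reword it as "src_reg >= limit, where limit = TASK_SIZE_MAX + PAGE_SIZE + abs(insn->off)" so the comment and the instruction agree. Also, `end_of_jmp1[-1] = end_of_jmp2 - end_of_jmp1` and `end_of_jmp2[-1] = start_of_ldx - end_of_jmp2` store the displacement in a single byte with no check that it fits, while the bytes in between come from variable-length helpers (emit_mov_reg, maybe_emit_1mod, emit_mov_imm32). A range check or a comment stating the maximum length of each skipped sequence would protect this against later changes to those helpers.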




* [PATCH 5.15 159/177] USB: core: Make do_proc_control() and do_proc_bulk() killable
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 158/177] bpf: Fix extable address check Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 160/177] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Neukum, Alan Stern,
	syzbot+ada0f7d3d9fd2016d927

From: Alan Stern <stern@rowland.harvard.edu>

commit ae8709b296d80c7f45aa1f35c0e7659ad69edce1 upstream.

The USBDEVFS_CONTROL and USBDEVFS_BULK ioctls invoke
usb_start_wait_urb(), which contains an uninterruptible wait with a
user-specified timeout value.  If the timeout value is very large and the
device being accessed does not respond in a reasonable amount of time,
the kernel will complain about "Task X blocked for more than N
seconds", as found in testing by syzbot:

INFO: task syz-executor.0:8700 blocked for more than 143 seconds.
      Not tainted 5.14.0-rc7-syzkaller #0
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
task:syz-executor.0  state:D stack:23192 pid: 8700 ppid:  8455 flags:0x00004004
Call Trace:
 context_switch kernel/sched/core.c:4681 [inline]
 __schedule+0xc07/0x11f0 kernel/sched/core.c:5938
 schedule+0x14b/0x210 kernel/sched/core.c:6017
 schedule_timeout+0x98/0x2f0 kernel/time/timer.c:1857
 do_wait_for_common+0x2da/0x480 kernel/sched/completion.c:85
 __wait_for_common kernel/sched/completion.c:106 [inline]
 wait_for_common kernel/sched/completion.c:117 [inline]
 wait_for_completion_timeout+0x46/0x60 kernel/sched/completion.c:157
 usb_start_wait_urb+0x167/0x550 drivers/usb/core/message.c:63
 do_proc_bulk+0x978/0x1080 drivers/usb/core/devio.c:1236
 proc_bulk drivers/usb/core/devio.c:1273 [inline]
 usbdev_do_ioctl drivers/usb/core/devio.c:2547 [inline]
 usbdev_ioctl+0x3441/0x6b10 drivers/usb/core/devio.c:2713
...

To fix this problem, this patch replaces usbfs's calls to
usb_control_msg() and usb_bulk_msg() with special-purpose code that
does essentially the same thing (as recommended in the comment for
usb_start_wait_urb()), except that it always uses a killable wait and
it uses GFP_KERNEL rather than GFP_NOIO.

Reported-and-tested-by: syzbot+ada0f7d3d9fd2016d927@syzkaller.appspotmail.com
Suggested-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20210903175312.GA468440@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/devio.c |  144 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 111 insertions(+), 33 deletions(-)

--- a/drivers/usb/core/devio.c
+++ b/drivers/usb/core/devio.c
@@ -32,6 +32,7 @@
 #include <linux/usb.h>
 #include <linux/usbdevice_fs.h>
 #include <linux/usb/hcd.h>	/* for usbcore internals */
+#include <linux/usb/quirks.h>
 #include <linux/cdev.h>
 #include <linux/notifier.h>
 #include <linux/security.h>
@@ -1102,14 +1103,55 @@ static int usbdev_release(struct inode *
 	return 0;
 }
 
+static void usbfs_blocking_completion(struct urb *urb)
+{
+	complete((struct completion *) urb->context);
+}
+
+/*
+ * Much like usb_start_wait_urb, but returns status separately from
+ * actual_length and uses a killable wait.
+ */
+static int usbfs_start_wait_urb(struct urb *urb, int timeout,
+		unsigned int *actlen)
+{
+	DECLARE_COMPLETION_ONSTACK(ctx);
+	unsigned long expire;
+	int rc;
+
+	urb->context = &ctx;
+	urb->complete = usbfs_blocking_completion;
+	*actlen = 0;
+	rc = usb_submit_urb(urb, GFP_KERNEL);
+	if (unlikely(rc))
+		return rc;
+
+	expire = (timeout ? msecs_to_jiffies(timeout) : MAX_SCHEDULE_TIMEOUT);
+	rc = wait_for_completion_killable_timeout(&ctx, expire);
+	if (rc <= 0) {
+		usb_kill_urb(urb);
+		*actlen = urb->actual_length;
+		if (urb->status != -ENOENT)
+			;	/* Completed before it was killed */
+		else if (rc < 0)
+			return -EINTR;
+		else
+			return -ETIMEDOUT;
+	}
+	*actlen = urb->actual_length;
+	return urb->status;
+}
+
 static int do_proc_control(struct usb_dev_state *ps,
 		struct usbdevfs_ctrltransfer *ctrl)
 {
 	struct usb_device *dev = ps->dev;
 	unsigned int tmo;
 	unsigned char *tbuf;
-	unsigned wLength;
+	unsigned int wLength, actlen;
 	int i, pipe, ret;
+	struct urb *urb = NULL;
+	struct usb_ctrlrequest *dr = NULL;
 
 	ret = check_ctrlrecip(ps, ctrl->bRequestType, ctrl->bRequest,
 			      ctrl->wIndex);
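
Review bot: in usbfs_start_wait_urb(), rc is declared int but receives the return value of wait_for_completion_killable_timeout(), which is a long holding the remaining jiffies. With timeout 0 the wait uses MAX_SCHEDULE_TIMEOUT, so a successful wait can hand back a value that does not fit in int and lands in the `rc <= 0` branch after truncation. The `urb->status != -ENOENT` test happens to route that case to the normal return, but the function should not rely on it: declare a separate `long` for the wait result. The empty statement in `if (urb->status != -ENOENT) ;` would also read better as an explicit condition on the two error returns.
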
@@ -1122,51 +1164,63 @@ static int do_proc_control(struct usb_de
 			sizeof(struct usb_ctrlrequest));
 	if (ret)
 		return ret;
+
+	ret = -ENOMEM;
 	tbuf = (unsigned char *)__get_free_page(GFP_KERNEL);
-	if (!tbuf) {
-		ret = -ENOMEM;
+	if (!tbuf)
 		goto done;
-	}
+	urb = usb_alloc_urb(0, GFP_NOIO);
+	if (!urb)
+		goto done;
+	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
+	if (!dr)
+		goto done;
+
+	dr->bRequestType = ctrl->bRequestType;
+	dr->bRequest = ctrl->bRequest;
+	dr->wValue = cpu_to_le16(ctrl->wValue);
+	dr->wIndex = cpu_to_le16(ctrl->wIndex);
+	dr->wLength = cpu_to_le16(ctrl->wLength);
+
 	tmo = ctrl->timeout;
 	snoop(&dev->dev, "control urb: bRequestType=%02x "
 		"bRequest=%02x wValue=%04x "
 		"wIndex=%04x wLength=%04x\n",
 		ctrl->bRequestType, ctrl->bRequest, ctrl->wValue,
 		ctrl->wIndex, ctrl->wLength);
-	if ((ctrl->bRequestType & USB_DIR_IN) && ctrl->wLength) {
+
+	if ((ctrl->bRequestType & USB_DIR_IN) && wLength) {
 		pipe = usb_rcvctrlpipe(dev, 0);
-		snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT, NULL, 0);
+		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
+				wLength, NULL, NULL);
+		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, NULL, 0);
 
 		usb_unlock_device(dev);
-		i = usb_control_msg(dev, pipe, ctrl->bRequest,
-				    ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
-				    tbuf, ctrl->wLength, tmo);
+		i = usbfs_start_wait_urb(urb, tmo, &actlen);
 		usb_lock_device(dev);
-		snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE,
-			  tbuf, max(i, 0));
-		if ((i > 0) && ctrl->wLength) {
-			if (copy_to_user(ctrl->data, tbuf, i)) {
+		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, tbuf, actlen);
+		if (!i && actlen) {
+			if (copy_to_user(ctrl->data, tbuf, actlen)) {
 				ret = -EFAULT;
-				goto done;
+				goto recv_fault;
 			}
 		}
 	} else {
-		if (ctrl->wLength) {
-			if (copy_from_user(tbuf, ctrl->data, ctrl->wLength)) {
+		if (wLength) {
+			if (copy_from_user(tbuf, ctrl->data, wLength)) {
 				ret = -EFAULT;
 				goto done;
 			}
 		}
 		pipe = usb_sndctrlpipe(dev, 0);
-		snoop_urb(dev, NULL, pipe, ctrl->wLength, tmo, SUBMIT,
-			tbuf, ctrl->wLength);
+		usb_fill_control_urb(urb, dev, pipe, (unsigned char *) dr, tbuf,
+				wLength, NULL, NULL);
+		snoop_urb(dev, NULL, pipe, wLength, tmo, SUBMIT, tbuf, wLength);
 
 		usb_unlock_device(dev);
-		i = usb_control_msg(dev, pipe, ctrl->bRequest,
-				    ctrl->bRequestType, ctrl->wValue, ctrl->wIndex,
-				    tbuf, ctrl->wLength, tmo);
+		i = usbfs_start_wait_urb(urb, tmo, &actlen);
 		usb_lock_device(dev);
-		snoop_urb(dev, NULL, pipe, max(i, 0), min(i, 0), COMPLETE, NULL, 0);
+		snoop_urb(dev, NULL, pipe, actlen, i, COMPLETE, NULL, 0);
 	}
 	if (i < 0 && i != -EPIPE) {
 		dev_printk(KERN_DEBUG, &dev->dev, "usbfs: USBDEVFS_CONTROL "
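Review bot: both snoop_urb(..., COMPLETE, ...) calls now read actlen whatever the value of i, and on the IN path a failed transfer passes actlen as the dump length for tbuf. Please confirm that usbfs_start_wait_urb() writes *actlen on every return path, or initialise actlen where it is declared. The `if (!dr) goto done;` path also depends on ret already holding the right error code at that point, which these lines do not show.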
@@ -1174,8 +1228,15 @@ static int do_proc_control(struct usb_de
 			   current->comm, ctrl->bRequestType, ctrl->bRequest,
 			   ctrl->wLength, i);
 	}
-	ret = i;
+	ret = (i < 0 ? i : actlen);
+
+ recv_fault:
+	/* Linger a bit, prior to the next control message. */
+	if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
+		msleep(200);
  done:
+	kfree(dr);
+	usb_free_urb(urb);
 	free_page((unsigned long) tbuf);
 	usbfs_decrease_memory_usage(PAGE_SIZE + sizeof(struct urb) +
 			sizeof(struct usb_ctrlrequest));
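Review bot: the recv_fault label sits before the USB_QUIRK_DELAY_CTRL_MSG delay, so a copy_to_user() failure still sleeps 200 ms before returning -EFAULT. If that is intended because the control transfer has already gone to the device, say so in the comment above the msleep(). The dev_printk() just before this also still prints ctrl->wLength while the rest of the function was switched to the local wLength.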
@@ -1195,10 +1256,11 @@ static int do_proc_bulk(struct usb_dev_s
 		struct usbdevfs_bulktransfer *bulk)
 {
 	struct usb_device *dev = ps->dev;
-	unsigned int tmo, len1, pipe;
-	int len2;
+	unsigned int tmo, len1, len2, pipe;
 	unsigned char *tbuf;
 	int i, ret;
+	struct urb *urb = NULL;
+	struct usb_host_endpoint *ep;
 
 	ret = findintfep(ps->dev, bulk->ep);
 	if (ret < 0)
@@ -1206,14 +1268,17 @@ static int do_proc_bulk(struct usb_dev_s
 	ret = checkintf(ps, ret);
 	if (ret)
 		return ret;
+
+	len1 = bulk->len;
+	if (len1 < 0 || len1 >= (INT_MAX - sizeof(struct urb)))
+		return -EINVAL;
+
 	if (bulk->ep & USB_DIR_IN)
 		pipe = usb_rcvbulkpipe(dev, bulk->ep & 0x7f);
 	else
 		pipe = usb_sndbulkpipe(dev, bulk->ep & 0x7f);
-	if (!usb_maxpacket(dev, pipe, !(bulk->ep & USB_DIR_IN)))
-		return -EINVAL;
-	len1 = bulk->len;
-	if (len1 >= (INT_MAX - sizeof(struct urb)))
+	ep = usb_pipe_endpoint(dev, pipe);
+	if (!ep || !usb_endpoint_maxp(&ep->desc))
 		return -EINVAL;
 	ret = usbfs_increase_memory_usage(len1 + sizeof(struct urb));
 	if (ret)
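Review bot: `len1 < 0` in the new range check can never be true, because len1 is declared unsigned int at the top of do_proc_bulk(); only the `len1 >= (INT_MAX - sizeof(struct urb))` half does any work. Drop the dead comparison, or test bulk->len itself before the assignment if a signed check is what was meant.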
@@ -1223,17 +1288,29 @@ static int do_proc_bulk(struct usb_dev_s
 	 * len1 can be almost arbitrarily large.  Don't WARN if it's
 	 * too big, just fail the request.
 	 */
+	ret = -ENOMEM;
 	tbuf = kmalloc(len1, GFP_KERNEL | __GFP_NOWARN);
-	if (!tbuf) {
-		ret = -ENOMEM;
+	if (!tbuf)
 		goto done;
+	urb = usb_alloc_urb(0, GFP_KERNEL);
+	if (!urb)
+		goto done;
+
+	if ((ep->desc.bmAttributes & USB_ENDPOINT_XFERTYPE_MASK) ==
+			USB_ENDPOINT_XFER_INT) {
+		pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);
+		usb_fill_int_urb(urb, dev, pipe, tbuf, len1,
+				NULL, NULL, ep->desc.bInterval);
+	} else {
+		usb_fill_bulk_urb(urb, dev, pipe, tbuf, len1, NULL, NULL);
 	}
+
 	tmo = bulk->timeout;
 	if (bulk->ep & 0x80) {
 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, NULL, 0);
 
 		usb_unlock_device(dev);
-		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
+		i = usbfs_start_wait_urb(urb, tmo, &len2);
 		usb_lock_device(dev);
 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, tbuf, len2);
 
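Review bot: `pipe = (pipe & ~(3 << 30)) | (PIPE_INTERRUPT << 30);` rewrites the pipe type with bare shift constants and no explanation of why a request that came in through the bulk ioctl is submitted as an interrupt URB. A short comment that the endpoint descriptor decides the transfer type would help the next reader, and a named mask for the two-bit type field would be clearer than `3 << 30`.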
@@ -1253,12 +1330,13 @@ static int do_proc_bulk(struct usb_dev_s
 		snoop_urb(dev, NULL, pipe, len1, tmo, SUBMIT, tbuf, len1);
 
 		usb_unlock_device(dev);
-		i = usb_bulk_msg(dev, pipe, tbuf, len1, &len2, tmo);
+		i = usbfs_start_wait_urb(urb, tmo, &len2);
 		usb_lock_device(dev);
 		snoop_urb(dev, NULL, pipe, len2, i, COMPLETE, NULL, 0);
 	}
 	ret = (i < 0 ? i : len2);
  done:
+	usb_free_urb(urb);
 	kfree(tbuf);
 	usbfs_decrease_memory_usage(len1 + sizeof(struct urb));
 	return ret;
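Review bot: `ret = (i < 0 ? i : len2);` now mixes the int i with len2, which this patch turns into an unsigned int, so the conditional expression has unsigned type and a negative i reaches ret only by a round trip through unsigned int. An explicit cast, or keeping len2 as int, would make the intent clearer. The new usb_free_urb(urb) under done is fine for the early exits because urb starts out NULL.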




* [PATCH 5.15 160/177] media: mxl111sf: change mutex_init() location
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 159/177] USB: core: Make do_proc_control() and do_proc_bulk() killable Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 161/177] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Sean Young,
	Mauro Carvalho Chehab, syzbot+5ca0bf339f13c4243001

From: Pavel Skripkin <paskripkin@gmail.com>

commit 44870a9e7a3c24acbb3f888b2a7cc22c9bdf7e7f upstream.

Syzbot reported that mxl111sf_ctrl_msg() uses an uninitialized
mutex. The problem was the wrong mutex_init() location.

The previous mutex_init(&state->msg_lock) call was in the ->init() function, but
dvb_usbv2_init() has this order of calls:

	dvb_usbv2_init()
	  dvb_usbv2_adapter_init()
	    dvb_usbv2_adapter_frontend_init()
	      props->frontend_attach()

	  props->init()

Since mxl111sf_* devices call mxl111sf_ctrl_msg() in ->frontend_attach()
internally, we need to initialize state->msg_lock before
frontend_attach(). To achieve this, a ->probe() call is added to all mxl111sf_*
devices, which will simply initialize the mutex.

Reported-and-tested-by: syzbot+5ca0bf339f13c4243001@syzkaller.appspotmail.com

Fixes: 8572211842af ("[media] mxl111sf: convert to new DVB USB")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/dvb-usb-v2/mxl111sf.c |   16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/dvb-usb-v2/mxl111sf.c
+++ b/drivers/media/usb/dvb-usb-v2/mxl111sf.c
@@ -931,8 +931,6 @@ static int mxl111sf_init(struct dvb_usb_
 		  .len = sizeof(eeprom), .buf = eeprom },
 	};
 
-	mutex_init(&state->msg_lock);
-
 	ret = get_chip_info(state);
 	if (mxl_fail(ret))
 		pr_err("failed to get chip info during probe");
@@ -1074,6 +1072,14 @@ static int mxl111sf_get_stream_config_dv
 	return 0;
 }
 
+static int mxl111sf_probe(struct dvb_usb_device *dev)
+{
+	struct mxl111sf_state *state = d_to_priv(dev);
+
+	mutex_init(&state->msg_lock);
+	return 0;
+}
+
 static struct dvb_usb_device_properties mxl111sf_props_dvbt = {
 	.driver_name = KBUILD_MODNAME,
 	.owner = THIS_MODULE,
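Review bot: mxl111sf_probe() has no comment saying why the mutex is initialised here rather than in mxl111sf_init(). The reason from the commit message (->frontend_attach() runs before ->init() and already calls mxl111sf_ctrl_msg()) belongs above the function, otherwise a later cleanup could move mutex_init() back to where it was.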
@@ -1083,6 +1089,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_dvbt,
 	.tuner_attach      = mxl111sf_attach_tuner,
@@ -1124,6 +1131,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_atsc,
 	.tuner_attach      = mxl111sf_attach_tuner,
@@ -1165,6 +1173,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_mh,
 	.tuner_attach      = mxl111sf_attach_tuner,
@@ -1233,6 +1242,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_atsc_mh,
 	.tuner_attach      = mxl111sf_attach_tuner,
@@ -1311,6 +1321,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_mercury,
 	.tuner_attach      = mxl111sf_attach_tuner,
@@ -1381,6 +1392,7 @@ static struct dvb_usb_device_properties
 	.generic_bulk_ctrl_endpoint = 0x02,
 	.generic_bulk_ctrl_endpoint_response = 0x81,
 
+	.probe             = mxl111sf_probe,
 	.i2c_algo          = &mxl111sf_i2c_algo,
 	.frontend_attach   = mxl111sf_frontend_attach_mercury_mh,
 	.tuner_attach      = mxl111sf_attach_tuner,
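Review bot: the same `.probe = mxl111sf_probe,` line has to be repeated in all six dvb_usb_device_properties structures, so a variant added later without it brings the uninitialised msg_lock back. A comment next to the first occurrence stating that every mxl111sf properties structure must set .probe would make that requirement visible.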




* [PATCH 5.15 161/177] fuse: annotate lock in fuse_reverse_inval_entry()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 160/177] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 162/177] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miklos Szeredi, syzbot+9f747458f5990eaa8d43

From: Miklos Szeredi <mszeredi@redhat.com>

commit bda9a71980e083699a0360963c0135657b73f47a upstream.

Add missing inode lock annotation; found by syzbot.

Reported-and-tested-by: syzbot+9f747458f5990eaa8d43@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/fuse/dir.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/dir.c
+++ b/fs/fuse/dir.c
@@ -1079,7 +1079,7 @@ int fuse_reverse_inval_entry(struct fuse
 	if (!parent)
 		return -ENOENT;
 
-	inode_lock(parent);
+	inode_lock_nested(parent, I_MUTEX_PARENT);
 	if (!S_ISDIR(parent->i_mode))
 		goto unlock;
 
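Review bot: inode_lock_nested(parent, I_MUTEX_PARENT) changes only the lockdep subclass, and neither the hunk nor the commit message says which second inode lock in fuse_reverse_inval_entry() makes the annotation necessary. A one-line comment at the call site naming that lock would let a reader check that I_MUTEX_PARENT is the right subclass.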




* [PATCH 5.15 162/177] ovl: fix warning in ovl_create_real()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 161/177] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 163/177] scsi: scsi_debug: Dont call kcalloc() if size arg is zero Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miklos Szeredi, syzbot+75eab84fd0af9e8bf66b

From: Miklos Szeredi <mszeredi@redhat.com>

commit 1f5573cfe7a7056e80a92c7a037a3e69f3a13d1c upstream.

Syzbot triggered the following warning in ovl_workdir_create() ->
ovl_create_real():

	if (!err && WARN_ON(!newdentry->d_inode)) {

The reason is that the cgroup2 filesystem returns from mkdir without
instantiating the new dentry.

Weird filesystems such as this will be rejected by overlayfs at a later
stage during setup, but to prevent such a warning, call ovl_mkdir_real()
directly from ovl_workdir_create() and reject this case early.

Reported-and-tested-by: syzbot+75eab84fd0af9e8bf66b@syzkaller.appspotmail.com
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/overlayfs/dir.c       |    3 +--
 fs/overlayfs/overlayfs.h |    1 +
 fs/overlayfs/super.c     |   12 ++++++++----
 3 files changed, 10 insertions(+), 6 deletions(-)

--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -137,8 +137,7 @@ kill_whiteout:
 	goto out;
 }
 
-static int ovl_mkdir_real(struct inode *dir, struct dentry **newdentry,
-			  umode_t mode)
+int ovl_mkdir_real(struct inode *dir, struct dentry **newdentry, umode_t mode)
 {
 	int err;
 	struct dentry *d, *dentry = *newdentry;
--- a/fs/overlayfs/overlayfs.h
+++ b/fs/overlayfs/overlayfs.h
@@ -570,6 +570,7 @@ struct ovl_cattr {
 
 #define OVL_CATTR(m) (&(struct ovl_cattr) { .mode = (m) })
 
+int ovl_mkdir_real(struct inode *dir, struct dentry **newdentry, umode_t mode);
 struct dentry *ovl_create_real(struct inode *dir, struct dentry *newdentry,
 			       struct ovl_cattr *attr);
 int ovl_cleanup(struct inode *dir, struct dentry *dentry);
--- a/fs/overlayfs/super.c
+++ b/fs/overlayfs/super.c
@@ -787,10 +787,14 @@ retry:
 			goto retry;
 		}
 
-		work = ovl_create_real(dir, work, OVL_CATTR(attr.ia_mode));
-		err = PTR_ERR(work);
-		if (IS_ERR(work))
-			goto out_err;
+		err = ovl_mkdir_real(dir, &work, attr.ia_mode);
+		if (err)
+			goto out_dput;
+
+		/* Weird filesystem returning with hashed negative (kernfs)? */
+		err = -EINVAL;
+		if (d_really_is_negative(work))
+			goto out_dput;
 
 		/*
 		 * Try to remove POSIX ACL xattrs from workdir.  We are good if:
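Review bot: both new failure paths use `goto out_dput` where the removed code used `goto out_err`, and the hunk does not show what out_dput does with work. Since ovl_mkdir_real() takes &work and can store a different dentry through that pointer, please confirm that out_dput releases the dentry work points to after the call and still reports the failure the way out_err did. The new comment also says kernfs while the commit message names cgroup2; mentioning cgroup2 in the comment would tie the two together.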




* [PATCH 5.15 163/177] scsi: scsi_debug: Dont call kcalloc() if size arg is zero
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 162/177] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 164/177] scsi: scsi_debug: Fix type in min_t to avoid stack OOB Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzkaller, Douglas Gilbert,
	George Kennedy, Martin K. Petersen

From: George Kennedy <george.kennedy@oracle.com>

commit 3344b58b53a76199dae48faa396e9fc37bf86992 upstream.

If the size arg to kcalloc() is zero, it returns ZERO_SIZE_PTR.  Because of
that, for a following NULL pointer check to work on the returned pointer,
kcalloc() must not be called with the size arg equal to zero. Return early
without error before the kcalloc() call if size arg is zero.

BUG: KASAN: null-ptr-deref in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: null-ptr-deref in sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
Write of size 4 at addr 0000000000000010 by task syz-executor.1/22789

CPU: 1 PID: 22789 Comm: syz-executor.1 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 __kasan_report mm/kasan/report.c:446 [inline]
 kasan_report.cold.14+0x112/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x3b/0x60 mm/kasan/shadow.c:66
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x138/0x240 lib/scatterlist.c:974
 do_dout_fetch drivers/scsi/scsi_debug.c:2954 [inline]
 do_dout_fetch drivers/scsi/scsi_debug.c:2946 [inline]
 resp_verify+0x49e/0x930 drivers/scsi/scsi_debug.c:4276
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 blk_execute_rq+0xdb/0x360 block/blk-exec.c:102
 sg_scsi_ioctl drivers/scsi/scsi_ioctl.c:621 [inline]
 scsi_ioctl+0x8bb/0x15c0 drivers/scsi/scsi_ioctl.c:930
 sg_ioctl_common+0x172d/0x2710 drivers/scsi/sg.c:1112
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Link: https://lore.kernel.org/r/1636056397-13151-1-git-send-email-george.kennedy@oracle.com
Reported-by: syzkaller <syzkaller@googlegroups.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_debug.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -4259,6 +4259,8 @@ static int resp_verify(struct scsi_cmnd
 		mk_sense_invalid_opcode(scp);
 		return check_condition_result;
 	}
+	if (vnum == 0)
+		return 0;	/* not an error */
 	a_num = is_bytchk3 ? 1 : vnum;
 	/* Treat following check like one for read (i.e. no write) access */
 	ret = check_device_access_params(scp, lba, a_num, false);
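Review bot: the `/* not an error */` comment on the `vnum == 0` return does not say why the early return is needed. The reason given in the commit message (a zero-sized kcalloc() returns ZERO_SIZE_PTR, which gets past the NULL check) is worth stating here, so the check is not removed later as redundant.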
@@ -4322,6 +4324,8 @@ static int resp_report_zones(struct scsi
 	}
 	zs_lba = get_unaligned_be64(cmd + 2);
 	alloc_len = get_unaligned_be32(cmd + 10);
+	if (alloc_len == 0)
+		return 0;	/* not an error */
 	rep_opts = cmd[14] & 0x3f;
 	partial = cmd[14] & 0x80;
 
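Review bot: the `alloc_len == 0` return is placed before rep_opts and partial are parsed, so a command with a zero allocation length now succeeds without whatever validation follows in resp_report_zones() being applied to zs_lba or the reporting options. If that is the intended behaviour for a zero-length transfer, say so in the comment; otherwise move the check down to just before the allocation it protects.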




* [PATCH 5.15 164/177] scsi: scsi_debug: Fix type in min_t to avoid stack OOB
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 163/177] scsi: scsi_debug: Dont call kcalloc() if size arg is zero Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 165/177] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzkaller, Douglas Gilbert,
	George Kennedy, Martin K. Petersen

From: George Kennedy <george.kennedy@oracle.com>

commit 36e07d7ede88a1f1ef8f0f209af5b7612324ac2c upstream.

Change min_t() to use type "u32" instead of type "int" to avoid stack out
of bounds. With min_t() type "int" the values get sign extended and the
larger value gets used causing stack out of bounds.

BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:191 [inline]
BUG: KASAN: stack-out-of-bounds in sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
Read of size 127 at addr ffff888072607128 by task syz-executor.7/18707

CPU: 1 PID: 18707 Comm: syz-executor.7 Not tainted 5.15.0-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2
Call Trace:
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:256
 __kasan_report mm/kasan/report.c:442 [inline]
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:459
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x1a3/0x210 mm/kasan/generic.c:189
 memcpy+0x23/0x60 mm/kasan/shadow.c:65
 memcpy include/linux/fortify-string.h:191 [inline]
 sg_copy_buffer+0x1de/0x240 lib/scatterlist.c:976
 sg_copy_from_buffer+0x33/0x40 lib/scatterlist.c:1000
 fill_from_dev_buffer.part.34+0x82/0x130 drivers/scsi/scsi_debug.c:1162
 fill_from_dev_buffer drivers/scsi/scsi_debug.c:1888 [inline]
 resp_readcap16+0x365/0x3b0 drivers/scsi/scsi_debug.c:1887
 schedule_resp+0x4d8/0x1a70 drivers/scsi/scsi_debug.c:5478
 scsi_debug_queuecommand+0x8c9/0x1ec0 drivers/scsi/scsi_debug.c:7533
 scsi_dispatch_cmd drivers/scsi/scsi_lib.c:1520 [inline]
 scsi_queue_rq+0x16b0/0x2d40 drivers/scsi/scsi_lib.c:1699
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1639
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1761
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1838
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:62
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:836
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:774
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:939
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1165
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Link: https://lore.kernel.org/r/1636484247-21254-1-git-send-email-george.kennedy@oracle.com
Reported-by: syzkaller <syzkaller@googlegroups.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_debug.c |   34 +++++++++++++++++++---------------
 1 file changed, 19 insertions(+), 15 deletions(-)

--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -1189,7 +1189,7 @@ static int p_fill_from_dev_buffer(struct
 		 __func__, off_dst, scsi_bufflen(scp), act_len,
 		 scsi_get_resid(scp));
 	n = scsi_bufflen(scp) - (off_dst + act_len);
-	scsi_set_resid(scp, min_t(int, scsi_get_resid(scp), n));
+	scsi_set_resid(scp, min_t(u32, scsi_get_resid(scp), n));
 	return 0;
 }
 
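Review bot: in `min_t(u32, scsi_get_resid(scp), n)` a negative n (off_dst + act_len larger than scsi_bufflen(scp) in the line above) is now converted to a very large u32, so the old residual is kept and the out-of-range offset goes unnoticed. If that case can happen, check for it explicitly before the subtraction instead of relying on the cast.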
@@ -1562,7 +1562,8 @@ static int resp_inquiry(struct scsi_cmnd
 	unsigned char pq_pdt;
 	unsigned char *arr;
 	unsigned char *cmd = scp->cmnd;
-	int alloc_len, n, ret;
+	u32 alloc_len, n;
+	int ret;
 	bool have_wlun, is_disk, is_zbc, is_disk_zbc;
 
 	alloc_len = get_unaligned_be16(cmd + 3);
@@ -1585,7 +1586,8 @@ static int resp_inquiry(struct scsi_cmnd
 		kfree(arr);
 		return check_condition_result;
 	} else if (0x1 & cmd[1]) {  /* EVPD bit set */
-		int lu_id_num, port_group_id, target_dev_id, len;
+		int lu_id_num, port_group_id, target_dev_id;
+		u32 len;
 		char lu_id_str[6];
 		int host_no = devip->sdbg_host->shost->host_no;
 		
@@ -1676,9 +1678,9 @@ static int resp_inquiry(struct scsi_cmnd
 			kfree(arr);
 			return check_condition_result;
 		}
-		len = min(get_unaligned_be16(arr + 2) + 4, alloc_len);
+		len = min_t(u32, get_unaligned_be16(arr + 2) + 4, alloc_len);
 		ret = fill_from_dev_buffer(scp, arr,
-			    min(len, SDEBUG_MAX_INQ_ARR_SZ));
+			    min_t(u32, len, SDEBUG_MAX_INQ_ARR_SZ));
 		kfree(arr);
 		return ret;
 	}
@@ -1714,7 +1716,7 @@ static int resp_inquiry(struct scsi_cmnd
 	}
 	put_unaligned_be16(0x2100, arr + n);	/* SPL-4 no version claimed */
 	ret = fill_from_dev_buffer(scp, arr,
-			    min_t(int, alloc_len, SDEBUG_LONG_INQ_SZ));
+			    min_t(u32, alloc_len, SDEBUG_LONG_INQ_SZ));
 	kfree(arr);
 	return ret;
 }
@@ -1729,8 +1731,8 @@ static int resp_requests(struct scsi_cmn
 	unsigned char *cmd = scp->cmnd;
 	unsigned char arr[SCSI_SENSE_BUFFERSIZE];	/* assume >= 18 bytes */
 	bool dsense = !!(cmd[1] & 1);
-	int alloc_len = cmd[4];
-	int len = 18;
+	u32 alloc_len = cmd[4];
+	u32 len = 18;
 	int stopped_state = atomic_read(&devip->stopped);
 
 	memset(arr, 0, sizeof(arr));
@@ -1774,7 +1776,7 @@ static int resp_requests(struct scsi_cmn
 			arr[7] = 0xa;
 		}
 	}
-	return fill_from_dev_buffer(scp, arr, min_t(int, len, alloc_len));
+	return fill_from_dev_buffer(scp, arr, min_t(u32, len, alloc_len));
 }
 
 static int resp_start_stop(struct scsi_cmnd *scp, struct sdebug_dev_info *devip)
@@ -2312,7 +2314,8 @@ static int resp_mode_sense(struct scsi_c
 {
 	int pcontrol, pcode, subpcode, bd_len;
 	unsigned char dev_spec;
-	int alloc_len, offset, len, target_dev_id;
+	u32 alloc_len, offset, len;
+	int target_dev_id;
 	int target = scp->device->id;
 	unsigned char *ap;
 	unsigned char arr[SDEBUG_MAX_MSENSE_SZ];
@@ -2468,7 +2471,7 @@ static int resp_mode_sense(struct scsi_c
 		arr[0] = offset - 1;
 	else
 		put_unaligned_be16((offset - 2), arr + 0);
-	return fill_from_dev_buffer(scp, arr, min_t(int, alloc_len, offset));
+	return fill_from_dev_buffer(scp, arr, min_t(u32, alloc_len, offset));
 }
 
 #define SDEBUG_MAX_MSELECT_SZ 512
@@ -2583,7 +2586,8 @@ static int resp_ie_l_pg(unsigned char *a
 static int resp_log_sense(struct scsi_cmnd *scp,
 			  struct sdebug_dev_info *devip)
 {
-	int ppc, sp, pcode, subpcode, alloc_len, len, n;
+	int ppc, sp, pcode, subpcode;
+	u32 alloc_len, len, n;
 	unsigned char arr[SDEBUG_MAX_LSENSE_SZ];
 	unsigned char *cmd = scp->cmnd;
 
@@ -2653,9 +2657,9 @@ static int resp_log_sense(struct scsi_cm
 		mk_sense_invalid_fld(scp, SDEB_IN_CDB, 3, -1);
 		return check_condition_result;
 	}
-	len = min_t(int, get_unaligned_be16(arr + 2) + 4, alloc_len);
+	len = min_t(u32, get_unaligned_be16(arr + 2) + 4, alloc_len);
 	return fill_from_dev_buffer(scp, arr,
-		    min_t(int, len, SDEBUG_MAX_INQ_ARR_SZ));
+		    min_t(u32, len, SDEBUG_MAX_INQ_ARR_SZ));
 }
 
 static inline bool sdebug_dev_is_zoned(struct sdebug_dev_info *devip)
@@ -4430,7 +4434,7 @@ static int resp_report_zones(struct scsi
 	put_unaligned_be64(sdebug_capacity - 1, arr + 8);
 
 	rep_len = (unsigned long)desc - (unsigned long)arr;
-	ret = fill_from_dev_buffer(scp, arr, min_t(int, alloc_len, rep_len));
+	ret = fill_from_dev_buffer(scp, arr, min_t(u32, alloc_len, rep_len));
 
 fini:
 	read_unlock(macc_lckp);
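Review bot: rep_len is computed as a difference of two unsigned long values in the line above, and `min_t(u32, alloc_len, rep_len)` truncates it to 32 bits before comparing. That is harmless while the report fits in 32 bits, but giving rep_len the same u32 type as alloc_len would remove the hidden narrowing and match the other call sites changed by this patch.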



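The signedness problem described in the commit message above, reduced to user space as an added example (not code from the patch or from scsi_debug). The min_t() macro here is a simplified stand-in for the kernel macro, and the two CDBs, the 32-byte response length and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the kernel's min_t(): cast both sides, then compare. */
#define min_t(type, a, b) ((type)(a) < (type)(b) ? (type)(a) : (type)(b))

/* Big-endian 32-bit load, the job get_unaligned_be32() does on a CDB field. */
static uint32_t get_be32(const unsigned char *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Constructed 16-byte CDBs; bytes 10..13 carry the allocation length. */
static const unsigned char CDB_SMALL[16] = { [10] = 0x00, 0x00, 0x00, 0x10 };
static const unsigned char CDB_HUGE[16]  = { [10] = 0xff, 0xff, 0xff, 0xf0 };

/*
 * Before: clamp in "int". An allocation length with bit 31 set becomes
 * negative, wins the comparison, and turns back into a huge value as soon
 * as it is used as an unsigned length.
 */
static uint32_t copy_len_int(const unsigned char *cdb, uint32_t rep_len)
{
	uint32_t alloc_len = get_be32(cdb + 10);
	int len = min_t(int, alloc_len, rep_len);

	return (uint32_t)len;
}

/* After: clamp in "u32". The same field is compared as the size it is. */
static uint32_t copy_len_u32(const unsigned char *cdb, uint32_t rep_len)
{
	uint32_t alloc_len = get_be32(cdb + 10);

	return min_t(uint32_t, alloc_len, rep_len);
}

/* Would a copy of len bytes read past a response buffer of rep_len bytes? */
static int overruns(uint32_t len, uint32_t rep_len)
{
	return len > rep_len;
}

int main(void)
{
	const uint32_t rep_len = 32;	/* constructed response size */
	uint32_t a = copy_len_int(CDB_HUGE, rep_len);
	uint32_t b = copy_len_u32(CDB_HUGE, rep_len);

	printf("min_t(int): len=%u overrun=%d\n", (unsigned)a, overruns(a, rep_len));
	printf("min_t(u32): len=%u overrun=%d\n", (unsigned)b, overruns(b, rep_len));
	return 0;
}
```

For allocation lengths below 2^31 the two variants agree, which is why the difference only shows up with fuzzed input.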

* [PATCH 5.15 165/177] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 164/177] scsi: scsi_debug: Fix type in min_t to avoid stack OOB Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 166/177] io-wq: remove spurious bit clear on task_work addition Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzkaller, Douglas Gilbert,
	George Kennedy, Martin K. Petersen

From: George Kennedy <george.kennedy@oracle.com>

commit e0a2c28da11e2c2b963fc01d50acbf03045ac732 upstream.

In resp_mode_select() sanity check the block descriptor len to avoid UAF.

BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
Read of size 1 at addr ffff888026670f50 by task scsicmd/15032

CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Call Trace:
 <TASK>
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306
 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509
 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483
 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537
 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521
 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640
 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325
 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358
 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762
 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839
 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891
 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474
 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63
 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837
 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775
 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941
 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166
 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50
 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113

Link: https://lore.kernel.org/r/1637262208-28850-1-git-send-email-george.kennedy@oracle.com
Reported-by: syzkaller <syzkaller@googlegroups.com>
Acked-by: Douglas Gilbert <dgilbert@interlog.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/scsi/scsi_debug.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/scsi/scsi_debug.c
+++ b/drivers/scsi/scsi_debug.c
@@ -2502,11 +2502,11 @@ static int resp_mode_select(struct scsi_
 			    __func__, param_len, res);
 	md_len = mselect6 ? (arr[0] + 1) : (get_unaligned_be16(arr + 0) + 2);
 	bd_len = mselect6 ? arr[3] : get_unaligned_be16(arr + 6);
-	if (md_len > 2) {
+	off = bd_len + (mselect6 ? 4 : 8);
+	if (md_len > 2 || off >= res) {
 		mk_sense_invalid_fld(scp, SDEB_IN_DATA, 0, -1);
 		return check_condition_result;
 	}
-	off = bd_len + (mselect6 ? 4 : 8);
 	mpage = arr[off] & 0x3f;
 	ps = !!(arr[off] & 0x80);
 	if (ps) {
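Review bot: `off >= res` guarantees only that arr[off] lies inside the data that was fetched, which covers the two reads of arr[off] shown here. If the code after `if (ps)` reads further bytes of the mode page at off + 1 and beyond, those need a bound against res as well. Both rejection cases now report the same sense data (SDEB_IN_DATA, field 0), so a comment separating the md_len case from the descriptor-length case would help.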




* [PATCH 5.15 166/177] io-wq: remove spurious bit clear on task_work addition
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 165/177] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 167/177] io-wq: check for wq exit after adding new worker task_work Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b60c982cb0efc5e05a47, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit e47498afeca9a0c6d07eeeacc46d563555a3f677 upstream.

There's a small race here where the task_work could finish and drop
the worker itself, so that by the time that task_work_add() returns
with a successful addition we've already put the worker.

The worker callbacks clear this bit themselves, so we don't actually
need to manually clear it in the caller. Get rid of it.

Reported-by: syzbot+b60c982cb0efc5e05a47@syzkaller.appspotmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io-wq.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -359,10 +359,8 @@ static bool io_queue_worker_create(struc
 
 	init_task_work(&worker->create_work, func);
 	worker->create_index = acct->index;
-	if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) {
-		clear_bit_unlock(0, &worker->create_state);
+	if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL))
 		return true;
-	}
 	clear_bit_unlock(0, &worker->create_state);
 fail_release:
 	io_worker_release(worker);
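Review bot: the success branch of task_work_add() now returns without touching worker, but nothing at the `return true` records why. A short comment that the task_work may already have run and dropped the worker, and that the callback clears create_state itself, would stop the clear_bit_unlock() from being added back in a later cleanup.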




* [PATCH 5.15 167/177] io-wq: check for wq exit after adding new worker task_work
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 166/177] io-wq: remove spurious bit clear on task_work addition Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 168/177] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hao Xu, Jens Axboe,
	syzbot+b60c982cb0efc5e05a47

From: Jens Axboe <axboe@kernel.dk>

commit 71a85387546e50b1a37b0fa45dadcae3bfb35cf6 upstream.

We check IO_WQ_BIT_EXIT before attempting to create a new worker, and
wq exit cancels pending work if we have any. But it's possible to have
a race between the two, where creation checks exit finding it not set,
but we're in the process of exiting. The exit side will cancel pending
creation task_work, but there's a gap where we add task_work after we've
canceled existing creations at exit time.

Fix this by checking the EXIT bit post adding the creation task_work.
If it's set, run the same cancelation that exit does.

Reported-and-tested-by: syzbot+b60c982cb0efc5e05a47@syzkaller.appspotmail.com
Reviewed-by: Hao Xu <haoxu@linux.alibaba.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io-wq.c |   31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)

--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -141,6 +141,7 @@ static bool io_acct_cancel_pending_work(
 					struct io_wqe_acct *acct,
 					struct io_cb_cancel_data *match);
 static void create_worker_cb(struct callback_head *cb);
+static void io_wq_cancel_tw_create(struct io_wq *wq);
 
 static bool io_worker_get(struct io_worker *worker)
 {
@@ -357,10 +358,22 @@ static bool io_queue_worker_create(struc
 	    test_and_set_bit_lock(0, &worker->create_state))
 		goto fail_release;
 
+	atomic_inc(&wq->worker_refs);
 	init_task_work(&worker->create_work, func);
 	worker->create_index = acct->index;
-	if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL))
+	if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) {
+		/*
+		 * EXIT may have been set after checking it above, check after
+		 * adding the task_work and remove any creation item if it is
+		 * now set. wq exit does that too, but we can have added this
+		 * work item after we canceled in io_wq_exit_workers().
+		 */
+		if (test_bit(IO_WQ_BIT_EXIT, &wq->state))
+			io_wq_cancel_tw_create(wq);
+		io_worker_ref_put(wq);
 		return true;
+	}
+	io_worker_ref_put(wq);
 	clear_bit_unlock(0, &worker->create_state);
 fail_release:
 	io_worker_release(worker);
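Review bot: The new `io_wq_cancel_tw_create(wq)` call in the success branch runs in whatever locking context the caller of io_queue_worker_create() is in, and the cancel loop it runs calls io_worker_cancel_cb(). The lockdep report quoted in patch 169 of this series shows that chain (io_wq_worker_sleeping -> io_queue_worker_create -> io_wq_cancel_tw_create -> io_worker_cancel_cb) taking wqe->lock recursively, so this patch should not be picked up without that follow-up. A comment here stating that the function must be called without wqe->lock held would document the requirement.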
@@ -1193,13 +1206,9 @@ void io_wq_exit_start(struct io_wq *wq)
 	set_bit(IO_WQ_BIT_EXIT, &wq->state);
 }
 
-static void io_wq_exit_workers(struct io_wq *wq)
+static void io_wq_cancel_tw_create(struct io_wq *wq)
 {
 	struct callback_head *cb;
-	int node;
-
-	if (!wq->task)
-		return;
 
 	while ((cb = task_work_cancel_match(wq->task, io_task_work_match, wq)) != NULL) {
 		struct io_worker *worker;
@@ -1207,6 +1216,16 @@ static void io_wq_exit_workers(struct io
 		worker = container_of(cb, struct io_worker, create_work);
 		io_worker_cancel_cb(worker);
 	}
+}
+
+static void io_wq_exit_workers(struct io_wq *wq)
+{
+	int node;
+
+	if (!wq->task)
+		return;
+
+	io_wq_cancel_tw_create(wq);
 
 	rcu_read_lock();
 	for_each_node(node) {
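Review bot: After the split, the `if (!wq->task) return;` guard lives only in io_wq_exit_workers(), while the new helper io_wq_cancel_tw_create() passes `wq->task` straight to task_work_cancel_match(). The second caller in io_queue_worker_create() has just handed the same `wq->task` to task_work_add(), so it looks safe as written, but a short comment on the helper saying callers must guarantee a non-NULL `wq->task` would make that precondition explicit.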




* [PATCH 5.15 168/177] rcu: Mark accesses to rcu_state.n_force_qs
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 167/177] io-wq: check for wq exit after adding new worker task_work Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 169/177] io-wq: drop wqe lock before creating new worker Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e08a83a1940ec3846cd5,
	Marco Elver, Paul E. McKenney

From: Paul E. McKenney <paulmck@kernel.org>

commit 2431774f04d1050292054c763070021bade7b151 upstream.

This commit marks accesses to the rcu_state.n_force_qs.  These data
races are hard to make happen, but syzkaller was equal to the task.

Reported-by: syzbot+e08a83a1940ec3846cd5@syzkaller.appspotmail.com
Acked-by: Marco Elver <elver@google.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/rcu/tree.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/rcu/tree.c
+++ b/kernel/rcu/tree.c
@@ -1907,7 +1907,7 @@ static void rcu_gp_fqs(bool first_time)
 	struct rcu_node *rnp = rcu_get_root();
 
 	WRITE_ONCE(rcu_state.gp_activity, jiffies);
-	rcu_state.n_force_qs++;
+	WRITE_ONCE(rcu_state.n_force_qs, rcu_state.n_force_qs + 1);
 	if (first_time) {
 		/* Collect dyntick-idle snapshots. */
 		force_qs_rnp(dyntick_save_progress_counter);
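Review bot: In `WRITE_ONCE(rcu_state.n_force_qs, rcu_state.n_force_qs + 1)` only the store is marked; the load on the right-hand side is still a plain access and the read-modify-write is not atomic. That is fine if rcu_gp_fqs() is the only place that updates the counter, and a short comment saying so would explain why the read is left unmarked.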
@@ -2550,7 +2550,7 @@ static void rcu_do_batch(struct rcu_data
 	/* Reset ->qlen_last_fqs_check trigger if enough CBs have drained. */
 	if (count == 0 && rdp->qlen_last_fqs_check != 0) {
 		rdp->qlen_last_fqs_check = 0;
-		rdp->n_force_qs_snap = rcu_state.n_force_qs;
+		rdp->n_force_qs_snap = READ_ONCE(rcu_state.n_force_qs);
 	} else if (count < rdp->qlen_last_fqs_check - qhimark)
 		rdp->qlen_last_fqs_check = count;
 
@@ -2898,10 +2898,10 @@ static void __call_rcu_core(struct rcu_d
 		} else {
 			/* Give the grace period a kick. */
 			rdp->blimit = DEFAULT_MAX_RCU_BLIMIT;
-			if (rcu_state.n_force_qs == rdp->n_force_qs_snap &&
+			if (READ_ONCE(rcu_state.n_force_qs) == rdp->n_force_qs_snap &&
 			    rcu_segcblist_first_pend_cb(&rdp->cblist) != head)
 				rcu_force_quiescent_state();
-			rdp->n_force_qs_snap = rcu_state.n_force_qs;
+			rdp->n_force_qs_snap = READ_ONCE(rcu_state.n_force_qs);
 			rdp->qlen_last_fqs_check = rcu_segcblist_n_cbs(&rdp->cblist);
 		}
 	}
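Review bot: `rcu_state.n_force_qs` is now loaded with READ_ONCE() twice in this branch, once for the comparison and once for the `rdp->n_force_qs_snap` assignment, so the stored snapshot can differ from the value that was compared if the counter advances in between. The unmarked code had the same property, so this is not a regression. If the second read is meant to pick up a newer value, a comment would say so; otherwise reading the counter once into a local and using it for both would make the intent clearer.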
@@ -4128,7 +4128,7 @@ int rcutree_prepare_cpu(unsigned int cpu
 	/* Set up local state, ensuring consistent view of global state. */
 	raw_spin_lock_irqsave_rcu_node(rnp, flags);
 	rdp->qlen_last_fqs_check = 0;
-	rdp->n_force_qs_snap = rcu_state.n_force_qs;
+	rdp->n_force_qs_snap = READ_ONCE(rcu_state.n_force_qs);
 	rdp->blimit = blimit;
 	rdp->dynticks_nesting = 1;	/* CPU not up, no tearing. */
 	rcu_dynticks_eqs_online();




* [PATCH 5.15 169/177] io-wq: drop wqe lock before creating new worker
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 168/177] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 170/177] bus: ti-sysc: Fix variable set but not used warning for reinit_modules Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+b18b8be69df33a3918e9, Jens Axboe

From: Jens Axboe <axboe@kernel.dk>

commit d800c65c2d4eccebb27ffb7808e842d5b533823c upstream.

We have two io-wq creation paths:

- On queue enqueue
- When a worker goes to sleep

The latter invokes worker creation with the wqe->lock held, but that can
run into problems if we end up exiting and need to cancel the queued work.
syzbot caught this:

============================================
WARNING: possible recursive locking detected
5.16.0-rc4-syzkaller #0 Not tainted
--------------------------------------------
iou-wrk-6468/6471 is trying to acquire lock:
ffff88801aa98018 (&wqe->lock){+.+.}-{2:2}, at: io_worker_cancel_cb+0xb7/0x210 fs/io-wq.c:187

but task is already holding lock:
ffff88801aa98018 (&wqe->lock){+.+.}-{2:2}, at: io_wq_worker_sleeping+0xb6/0x140 fs/io-wq.c:700

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&wqe->lock);
  lock(&wqe->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

1 lock held by iou-wrk-6468/6471:
 #0: ffff88801aa98018 (&wqe->lock){+.+.}-{2:2}, at: io_wq_worker_sleeping+0xb6/0x140 fs/io-wq.c:700

stack backtrace:
CPU: 1 PID: 6471 Comm: iou-wrk-6468 Not tainted 5.16.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106
 print_deadlock_bug kernel/locking/lockdep.c:2956 [inline]
 check_deadlock kernel/locking/lockdep.c:2999 [inline]
 validate_chain+0x5984/0x8240 kernel/locking/lockdep.c:3788
 __lock_acquire+0x1382/0x2b00 kernel/locking/lockdep.c:5027
 lock_acquire+0x19f/0x4d0 kernel/locking/lockdep.c:5637
 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
 _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154
 io_worker_cancel_cb+0xb7/0x210 fs/io-wq.c:187
 io_wq_cancel_tw_create fs/io-wq.c:1220 [inline]
 io_queue_worker_create+0x3cf/0x4c0 fs/io-wq.c:372
 io_wq_worker_sleeping+0xbe/0x140 fs/io-wq.c:701
 sched_submit_work kernel/sched/core.c:6295 [inline]
 schedule+0x67/0x1f0 kernel/sched/core.c:6323
 schedule_timeout+0xac/0x300 kernel/time/timer.c:1857
 wait_woken+0xca/0x1b0 kernel/sched/wait.c:460
 unix_msg_wait_data net/unix/unix_bpf.c:32 [inline]
 unix_bpf_recvmsg+0x7f9/0xe20 net/unix/unix_bpf.c:77
 unix_stream_recvmsg+0x214/0x2c0 net/unix/af_unix.c:2832
 sock_recvmsg_nosec net/socket.c:944 [inline]
 sock_recvmsg net/socket.c:962 [inline]
 sock_read_iter+0x3a7/0x4d0 net/socket.c:1035
 call_read_iter include/linux/fs.h:2156 [inline]
 io_iter_do_read fs/io_uring.c:3501 [inline]
 io_read fs/io_uring.c:3558 [inline]
 io_issue_sqe+0x144c/0x9590 fs/io_uring.c:6671
 io_wq_submit_work+0x2d8/0x790 fs/io_uring.c:6836
 io_worker_handle_work+0x808/0xdd0 fs/io-wq.c:574
 io_wqe_worker+0x395/0x870 fs/io-wq.c:630
 ret_from_fork+0x1f/0x30

We can safely drop the lock before doing work creation, making the two
contexts the same in that regard.

Reported-by: syzbot+b18b8be69df33a3918e9@syzkaller.appspotmail.com
Fixes: 71a85387546e ("io-wq: check for wq exit after adding new worker task_work")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/io-wq.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -395,7 +395,9 @@ static void io_wqe_dec_running(struct io
 	if (atomic_dec_and_test(&acct->nr_running) && io_acct_run_queue(acct)) {
 		atomic_inc(&acct->nr_running);
 		atomic_inc(&wqe->wq->worker_refs);
+		raw_spin_unlock(&wqe->lock);
 		io_queue_worker_create(worker, acct, create_worker_cb);
+		raw_spin_lock(&wqe->lock);
 	}
 }
 
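Review bot: The added `raw_spin_unlock(&wqe->lock)` / `raw_spin_lock(&wqe->lock)` pair assumes every caller of io_wqe_dec_running() enters with wqe->lock held, and it means the lock is no longer held continuously across the call. A `lockdep_assert_held(&wqe->lock)` at the top of the function plus a comment that the lock is dropped and retaken would document this, so callers know not to rely on state they read under the lock before calling.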




* [PATCH 5.15 170/177] bus: ti-sysc: Fix variable set but not used warning for reinit_modules
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 169/177] io-wq: drop wqe lock before creating new worker Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 171/177] selftests/damon: test debugfs file reads/writes with huge count Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, kernel test robot, Tony Lindgren

From: Tony Lindgren <tony@atomide.com>

commit 1b1da99b845337362a3dafe0f7b49927ab4ae041 upstream.

Fix drivers/bus/ti-sysc.c:2494:13: error: variable 'error' set but not
used introduced by commit 9d881361206e ("bus: ti-sysc: Add quirk handling
for reinit on context lost").

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/bus/ti-sysc.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/drivers/bus/ti-sysc.c
+++ b/drivers/bus/ti-sysc.c
@@ -2456,12 +2456,11 @@ static void sysc_reinit_modules(struct s
 	struct sysc_module *module;
 	struct list_head *pos;
 	struct sysc *ddata;
-	int error = 0;
 
 	list_for_each(pos, &sysc_soc->restored_modules) {
 		module = list_entry(pos, struct sysc_module, node);
 		ddata = module->ddata;
-		error = sysc_reinit_module(ddata, ddata->enabled);
+		sysc_reinit_module(ddata, ddata->enabled);
 	}
 }
 
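Review bot: Dropping `error` silences the warning but also makes it explicit that the return value of `sysc_reinit_module(ddata, ddata->enabled)` is ignored for every module on the list. If a failed reinit is worth knowing about, log it inside the loop; if it is intentionally ignored, a one-line comment saying why would help.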




* [PATCH 5.15 171/177] selftests/damon: test debugfs file reads/writes with huge count
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 170/177] bus: ti-sysc: Fix variable set but not used warning for reinit_modules Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 172/177] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, SeongJae Park, Brendan Higgins,
	Shuah Khan, Andrew Morton, Linus Torvalds

From: SeongJae Park <sj@kernel.org>

commit b4a002889d24979295ed3c2bf1d5fcfb3901026a upstream.

DAMON debugfs interface users were able to trigger a warning by writing
some files with an arbitrarily large 'count' parameter.  The issue is fixed
with commit db7a347b26fe ("mm/damon/dbgfs: use '__GFP_NOWARN' for
user-specified size buffer allocation").  This commit adds a test case
for the issue in DAMON selftests to avoid future regressions.

Link: https://lkml.kernel.org/r/20211201150440.1088-11-sj@kernel.org
Signed-off-by: SeongJae Park <sj@kernel.org>
Cc: Brendan Higgins <brendanhiggins@google.com>
Cc: Shuah Khan <shuah@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/damon/.gitignore              |    2 
 tools/testing/selftests/damon/Makefile                |    2 
 tools/testing/selftests/damon/debugfs_attrs.sh        |   18 ++++++++
 tools/testing/selftests/damon/huge_count_read_write.c |   39 ++++++++++++++++++
 4 files changed, 61 insertions(+)
 create mode 100644 tools/testing/selftests/damon/.gitignore
 create mode 100644 tools/testing/selftests/damon/huge_count_read_write.c

--- /dev/null
+++ b/tools/testing/selftests/damon/.gitignore
@@ -0,0 +1,2 @@
+# SPDX-License-Identifier: GPL-2.0-only
+huge_count_read_write
--- a/tools/testing/selftests/damon/Makefile
+++ b/tools/testing/selftests/damon/Makefile
@@ -1,6 +1,8 @@
 # SPDX-License-Identifier: GPL-2.0
 # Makefile for damon selftests
 
+TEST_GEN_FILES += huge_count_read_write
+
 TEST_FILES = _chk_dependency.sh
 TEST_PROGS = debugfs_attrs.sh
 
--- a/tools/testing/selftests/damon/debugfs_attrs.sh
+++ b/tools/testing/selftests/damon/debugfs_attrs.sh
@@ -72,4 +72,22 @@ test_write_succ "$file" "" "$orig_conten
 test_content "$file" "$orig_content" "" "empty input written"
 echo "$orig_content" > "$file"
 
+# Test huge count read write
+# ==========================
+
+dmesg -C
+
+for file in "$DBGFS/"*
+do
+	./huge_count_read_write "$file"
+done
+
+if dmesg | grep -q WARNING
+then
+	dmesg
+	exit 1
+else
+	exit 0
+fi
+
 echo "PASS"
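Review bot: The `else` branch of the new `dmesg | grep -q WARNING` check ends in `exit 0`, so the existing `echo "PASS"` after it can no longer run. Dropping the `else` / `exit 0` and letting the script fall through would keep the PASS line. Two smaller points: `dmesg -C` clears the kernel log for the whole machine, and `grep -q WARNING` matches any warning logged while the loop ran, not only ones caused by these reads and writes.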
--- /dev/null
+++ b/tools/testing/selftests/damon/huge_count_read_write.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Author: SeongJae Park <sj@kernel.org>
+ */
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+
+void write_read_with_huge_count(char *file)
+{
+	int filedesc = open(file, O_RDWR);
+	char buf[25];
+	int ret;
+
+	printf("%s %s\n", __func__, file);
+	if (filedesc < 0) {
+		fprintf(stderr, "failed opening %s\n", file);
+		exit(1);
+	}
+
+	write(filedesc, "", 0xfffffffful);
+	perror("after write: ");
+	ret = read(filedesc, buf, 0xfffffffful);
+	perror("after read: ");
+	close(filedesc);
+}
+
+int main(int argc, char *argv[])
+{
+	if (argc != 2) {
+		fprintf(stderr, "Usage: %s <file>\n", argv[0]);
+		exit(1);
+	}
+	write_read_with_huge_count(argv[1]);
+
+	return 0;
+}
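Review bot: `read(filedesc, buf, 0xfffffffful)` is given the 25-byte `buf` with a count far larger than the buffer, so if a debugfs file returns more than 25 bytes the test overruns its own stack buffer. Sizing `buf` for the largest expected file content would avoid that while still passing the huge count. Also, `ret` is assigned but never used, the return value of `write()` is ignored, and `perror()` is called after both calls whether or not they failed, so it can print a stale errno; checking the return values before calling `perror()` would address all three.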




* [PATCH 5.15 172/177] Revert "xsk: Do not sleep in poll() when need_wakeup set"
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 171/177] selftests/damon: test debugfs file reads/writes with huge count Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 173/177] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Magnus Karlsson, Daniel Borkmann

From: Magnus Karlsson <magnus.karlsson@intel.com>

commit 0706a78f31c4217ca144f630063ec9561a21548d upstream.

This reverts commit bd0687c18e635b63233dc87f38058cd728802ab4.

This patch causes a Tx only workload to go to sleep even when it does
not have to, leading to miserable performance in skb mode. It fixed
one rare problem but created a much worse one, so this needs to be
reverted while I try to craft a proper solution to the original
problem.

Fixes: bd0687c18e63 ("xsk: Do not sleep in poll() when need_wakeup set")
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211217145646.26449-1-magnus.karlsson@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/xdp/xsk.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -692,6 +692,8 @@ static __poll_t xsk_poll(struct file *fi
 	struct xdp_sock *xs = xdp_sk(sk);
 	struct xsk_buff_pool *pool;
 
+	sock_poll_wait(file, sock, wait);
+
 	if (unlikely(!xsk_is_bound(xs)))
 		return mask;
 
@@ -703,8 +705,6 @@ static __poll_t xsk_poll(struct file *fi
 		else
 			/* Poll needs to drive Tx also in copy mode */
 			__xsk_sendmsg(sk);
-	} else {
-		sock_poll_wait(file, sock, wait);
 	}
 
 	if (xs->rx && !xskq_prod_is_empty(xs->rx))




* [PATCH 5.15 173/177] xen/blkfront: harden blkfront against event channel storms
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 172/177] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 174/177] xen/netfront: harden netfront " Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich

From: Juergen Gross <jgross@suse.com>

commit 0fd08a34e8e3b67ec9bd8287ac0facf8374b844a upstream.

The Xen blkfront driver is still vulnerable to an attack via an excessive
number of events sent by the backend. Fix that by using lateeoi event
channels.

This is part of XSA-391

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/block/xen-blkfront.c |   15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

--- a/drivers/block/xen-blkfront.c
+++ b/drivers/block/xen-blkfront.c
@@ -1511,9 +1511,12 @@ static irqreturn_t blkif_interrupt(int i
 	unsigned long flags;
 	struct blkfront_ring_info *rinfo = (struct blkfront_ring_info *)dev_id;
 	struct blkfront_info *info = rinfo->dev_info;
+	unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
 
-	if (unlikely(info->connected != BLKIF_STATE_CONNECTED))
+	if (unlikely(info->connected != BLKIF_STATE_CONNECTED)) {
+		xen_irq_lateeoi(irq, XEN_EOI_FLAG_SPURIOUS);
 		return IRQ_HANDLED;
+	}
 
 	spin_lock_irqsave(&rinfo->ring_lock, flags);
  again:
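Review bot: The not-connected early return passes the literal `XEN_EOI_FLAG_SPURIOUS` to xen_irq_lateeoi() even though `eoiflag` was just initialised to the same value. Using `eoiflag` there would keep every EOI call in blkif_interrupt() going through one variable.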
@@ -1529,6 +1532,8 @@ static irqreturn_t blkif_interrupt(int i
 		unsigned long id;
 		unsigned int op;
 
+		eoiflag = 0;
+
 		RING_COPY_RESPONSE(&rinfo->ring, i, &bret);
 		id = bret.id;
 
@@ -1645,6 +1650,8 @@ static irqreturn_t blkif_interrupt(int i
 
 	spin_unlock_irqrestore(&rinfo->ring_lock, flags);
 
+	xen_irq_lateeoi(irq, eoiflag);
+
 	return IRQ_HANDLED;
 
  err:
@@ -1652,6 +1659,8 @@ static irqreturn_t blkif_interrupt(int i
 
 	spin_unlock_irqrestore(&rinfo->ring_lock, flags);
 
+	/* No EOI in order to avoid further interrupts. */
+
 	pr_alert("%s disabled for further use\n", info->gd->disk_name);
 	return IRQ_HANDLED;
 }
@@ -1691,8 +1700,8 @@ static int setup_blkring(struct xenbus_d
 	if (err)
 		goto fail;
 
-	err = bind_evtchn_to_irqhandler(rinfo->evtchn, blkif_interrupt, 0,
-					"blkif", rinfo);
+	err = bind_evtchn_to_irqhandler_lateeoi(rinfo->evtchn, blkif_interrupt,
+						0, "blkif", rinfo);
 	if (err <= 0) {
 		xenbus_dev_fatal(dev, err,
 				 "bind_evtchn_to_irqhandler failed");

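Review bot: The call is switched to `bind_evtchn_to_irqhandler_lateeoi()`, but the xenbus_dev_fatal() string in the trailing context still reads "bind_evtchn_to_irqhandler failed". Updating the message to name the function that is actually called would make the log line match the source.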



* [PATCH 5.15 174/177] xen/netfront: harden netfront against event channel storms
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 173/177] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 175/177] xen/console: harden hvc_xen " Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich

From: Juergen Gross <jgross@suse.com>

commit b27d47950e481f292c0a5ad57357edb9d95d03ba upstream.

The Xen netfront driver is still vulnerable to an attack via an excessive
number of events sent by the backend. Fix that by using lateeoi event
channels.

For being able to detect the case of no rx responses being added while
the carrier is down a new lock is needed in order to update and test
rsp_cons and the number of seen unconsumed responses atomically.

This is part of XSA-391

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/xen-netfront.c |  125 +++++++++++++++++++++++++++++++++------------
 1 file changed, 94 insertions(+), 31 deletions(-)

--- a/drivers/net/xen-netfront.c
+++ b/drivers/net/xen-netfront.c
@@ -148,6 +148,9 @@ struct netfront_queue {
 	grant_ref_t gref_rx_head;
 	grant_ref_t grant_rx_ref[NET_RX_RING_SIZE];
 
+	unsigned int rx_rsp_unconsumed;
+	spinlock_t rx_cons_lock;
+
 	struct page_pool *page_pool;
 	struct xdp_rxq_info xdp_rxq;
 };
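Review bot: `rx_rsp_unconsumed` and `rx_cons_lock` are added to struct netfront_queue without a comment. The commit message explains that the lock exists so rsp_cons and the number of seen unconsumed responses are updated and tested atomically; putting that next to the fields would save readers from digging it out of the log.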
@@ -376,12 +379,13 @@ static int xennet_open(struct net_device
 	return 0;
 }
 
-static void xennet_tx_buf_gc(struct netfront_queue *queue)
+static bool xennet_tx_buf_gc(struct netfront_queue *queue)
 {
 	RING_IDX cons, prod;
 	unsigned short id;
 	struct sk_buff *skb;
 	bool more_to_do;
+	bool work_done = false;
 	const struct device *dev = &queue->info->netdev->dev;
 
 	BUG_ON(!netif_carrier_ok(queue->info->netdev));
@@ -398,6 +402,8 @@ static void xennet_tx_buf_gc(struct netf
 		for (cons = queue->tx.rsp_cons; cons != prod; cons++) {
 			struct xen_netif_tx_response txrsp;
 
+			work_done = true;
+
 			RING_COPY_RESPONSE(&queue->tx, cons, &txrsp);
 			if (txrsp.status == XEN_NETIF_RSP_NULL)
 				continue;
@@ -441,11 +447,13 @@ static void xennet_tx_buf_gc(struct netf
 
 	xennet_maybe_wake_tx(queue);
 
-	return;
+	return work_done;
 
  err:
 	queue->info->broken = true;
 	dev_alert(dev, "Disabled for further use\n");
+
+	return work_done;
 }
 
 struct xennet_gnttab_make_txreq {
@@ -834,6 +842,16 @@ static int xennet_close(struct net_devic
 	return 0;
 }
 
+static void xennet_set_rx_rsp_cons(struct netfront_queue *queue, RING_IDX val)
+{
+	unsigned long flags;
+
+	spin_lock_irqsave(&queue->rx_cons_lock, flags);
+	queue->rx.rsp_cons = val;
+	queue->rx_rsp_unconsumed = RING_HAS_UNCONSUMED_RESPONSES(&queue->rx);
+	spin_unlock_irqrestore(&queue->rx_cons_lock, flags);
+}
+
 static void xennet_move_rx_slot(struct netfront_queue *queue, struct sk_buff *skb,
 				grant_ref_t ref)
 {
@@ -885,7 +903,7 @@ static int xennet_get_extras(struct netf
 		xennet_move_rx_slot(queue, skb, ref);
 	} while (extra.flags & XEN_NETIF_EXTRA_FLAG_MORE);
 
-	queue->rx.rsp_cons = cons;
+	xennet_set_rx_rsp_cons(queue, cons);
 	return err;
 }
 
@@ -1039,7 +1057,7 @@ next:
 	}
 
 	if (unlikely(err))
-		queue->rx.rsp_cons = cons + slots;
+		xennet_set_rx_rsp_cons(queue, cons + slots);
 
 	return err;
 }
@@ -1093,7 +1111,8 @@ static int xennet_fill_frags(struct netf
 			__pskb_pull_tail(skb, pull_to - skb_headlen(skb));
 		}
 		if (unlikely(skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS)) {
-			queue->rx.rsp_cons = ++cons + skb_queue_len(list);
+			xennet_set_rx_rsp_cons(queue,
+					       ++cons + skb_queue_len(list));
 			kfree_skb(nskb);
 			return -ENOENT;
 		}
@@ -1106,7 +1125,7 @@ static int xennet_fill_frags(struct netf
 		kfree_skb(nskb);
 	}
 
-	queue->rx.rsp_cons = cons;
+	xennet_set_rx_rsp_cons(queue, cons);
 
 	return 0;
 }
@@ -1229,7 +1248,9 @@ err:
 
 			if (unlikely(xennet_set_skb_gso(skb, gso))) {
 				__skb_queue_head(&tmpq, skb);
-				queue->rx.rsp_cons += skb_queue_len(&tmpq);
+				xennet_set_rx_rsp_cons(queue,
+						       queue->rx.rsp_cons +
+						       skb_queue_len(&tmpq));
 				goto err;
 			}
 		}
@@ -1253,7 +1274,8 @@ err:
 
 		__skb_queue_tail(&rxq, skb);
 
-		i = ++queue->rx.rsp_cons;
+		i = queue->rx.rsp_cons + 1;
+		xennet_set_rx_rsp_cons(queue, i);
 		work_done++;
 	}
 	if (need_xdp_flush)
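Review bot: In the receive loop, `i = ++queue->rx.rsp_cons` becomes a call to xennet_set_rx_rsp_cons(), which takes `rx_cons_lock` with spin_lock_irqsave() once per received packet. A comment noting why the consumer index has to be published under the lock for each packet, and not once per batch, would help anyone who later looks at this path for performance.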
@@ -1417,40 +1439,79 @@ static int xennet_set_features(struct ne
 	return 0;
 }
 
-static irqreturn_t xennet_tx_interrupt(int irq, void *dev_id)
+static bool xennet_handle_tx(struct netfront_queue *queue, unsigned int *eoi)
 {
-	struct netfront_queue *queue = dev_id;
 	unsigned long flags;
 
-	if (queue->info->broken)
-		return IRQ_HANDLED;
+	if (unlikely(queue->info->broken))
+		return false;
 
 	spin_lock_irqsave(&queue->tx_lock, flags);
-	xennet_tx_buf_gc(queue);
+	if (xennet_tx_buf_gc(queue))
+		*eoi = 0;
 	spin_unlock_irqrestore(&queue->tx_lock, flags);
 
+	return true;
+}
+
+static irqreturn_t xennet_tx_interrupt(int irq, void *dev_id)
+{
+	unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
+
+	if (likely(xennet_handle_tx(dev_id, &eoiflag)))
+		xen_irq_lateeoi(irq, eoiflag);
+
 	return IRQ_HANDLED;
 }
 
-static irqreturn_t xennet_rx_interrupt(int irq, void *dev_id)
+static bool xennet_handle_rx(struct netfront_queue *queue, unsigned int *eoi)
 {
-	struct netfront_queue *queue = dev_id;
-	struct net_device *dev = queue->info->netdev;
+	unsigned int work_queued;
+	unsigned long flags;
+
+	if (unlikely(queue->info->broken))
+		return false;
 
-	if (queue->info->broken)
-		return IRQ_HANDLED;
+	spin_lock_irqsave(&queue->rx_cons_lock, flags);
+	work_queued = RING_HAS_UNCONSUMED_RESPONSES(&queue->rx);
+	if (work_queued > queue->rx_rsp_unconsumed) {
+		queue->rx_rsp_unconsumed = work_queued;
+		*eoi = 0;
+	} else if (unlikely(work_queued < queue->rx_rsp_unconsumed)) {
+		const struct device *dev = &queue->info->netdev->dev;
+
+		spin_unlock_irqrestore(&queue->rx_cons_lock, flags);
+		dev_alert(dev, "RX producer index going backwards\n");
+		dev_alert(dev, "Disabled for further use\n");
+		queue->info->broken = true;
+		return false;
+	}
+	spin_unlock_irqrestore(&queue->rx_cons_lock, flags);
 
-	if (likely(netif_carrier_ok(dev) &&
-		   RING_HAS_UNCONSUMED_RESPONSES(&queue->rx)))
+	if (likely(netif_carrier_ok(queue->info->netdev) && work_queued))
 		napi_schedule(&queue->napi);
 
+	return true;
+}
+
+static irqreturn_t xennet_rx_interrupt(int irq, void *dev_id)
+{
+	unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
+
+	if (likely(xennet_handle_rx(dev_id, &eoiflag)))
+		xen_irq_lateeoi(irq, eoiflag);
+
 	return IRQ_HANDLED;
 }
 
 static irqreturn_t xennet_interrupt(int irq, void *dev_id)
 {
-	xennet_tx_interrupt(irq, dev_id);
-	xennet_rx_interrupt(irq, dev_id);
+	unsigned int eoiflag = XEN_EOI_FLAG_SPURIOUS;
+
+	if (xennet_handle_tx(dev_id, &eoiflag) &&
+	    xennet_handle_rx(dev_id, &eoiflag))
+		xen_irq_lateeoi(irq, eoiflag);
+
 	return IRQ_HANDLED;
 }
 
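Review bot: xennet_handle_tx() and xennet_handle_rx() return false to mean "device is broken, do not EOI", and all three interrupt handlers skip xen_irq_lateeoi() on that result, but that contract is not written down anywhere in the hunk. A comment above the helpers would make it clear that skipping the EOI is deliberate. In xennet_handle_rx(), `queue->info->broken = true` is also set only after `rx_cons_lock` has been released and both dev_alert() calls have run; setting it first would shorten the window in which other paths still see the queue as usable.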
@@ -1768,9 +1829,10 @@ static int setup_netfront_single(struct
 	if (err < 0)
 		goto fail;
 
-	err = bind_evtchn_to_irqhandler(queue->tx_evtchn,
-					xennet_interrupt,
-					0, queue->info->netdev->name, queue);
+	err = bind_evtchn_to_irqhandler_lateeoi(queue->tx_evtchn,
+						xennet_interrupt, 0,
+						queue->info->netdev->name,
+						queue);
 	if (err < 0)
 		goto bind_fail;
 	queue->rx_evtchn = queue->tx_evtchn;
@@ -1798,18 +1860,18 @@ static int setup_netfront_split(struct n
 
 	snprintf(queue->tx_irq_name, sizeof(queue->tx_irq_name),
 		 "%s-tx", queue->name);
-	err = bind_evtchn_to_irqhandler(queue->tx_evtchn,
-					xennet_tx_interrupt,
-					0, queue->tx_irq_name, queue);
+	err = bind_evtchn_to_irqhandler_lateeoi(queue->tx_evtchn,
+						xennet_tx_interrupt, 0,
+						queue->tx_irq_name, queue);
 	if (err < 0)
 		goto bind_tx_fail;
 	queue->tx_irq = err;
 
 	snprintf(queue->rx_irq_name, sizeof(queue->rx_irq_name),
 		 "%s-rx", queue->name);
-	err = bind_evtchn_to_irqhandler(queue->rx_evtchn,
-					xennet_rx_interrupt,
-					0, queue->rx_irq_name, queue);
+	err = bind_evtchn_to_irqhandler_lateeoi(queue->rx_evtchn,
+						xennet_rx_interrupt, 0,
+						queue->rx_irq_name, queue);
 	if (err < 0)
 		goto bind_rx_fail;
 	queue->rx_irq = err;
@@ -1911,6 +1973,7 @@ static int xennet_init_queue(struct netf
 
 	spin_lock_init(&queue->tx_lock);
 	spin_lock_init(&queue->rx_lock);
+	spin_lock_init(&queue->rx_cons_lock);
 
 	timer_setup(&queue->rx_refill_timer, rx_refill_timeout, 0);
 




* [PATCH 5.15 175/177] xen/console: harden hvc_xen against event channel storms
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 174/177] xen/netfront: harden netfront " Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 176/177] xen/netback: fix rx queue stall detection Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich

From: Juergen Gross <jgross@suse.com>

commit fe415186b43df0db1f17fa3a46275fd92107fe71 upstream.

The Xen console driver is still vulnerable to an attack via an excessive
number of events sent by the backend. Fix that by using a lateeoi event
channel.

For the normal domU initial console this requires the introduction of
bind_evtchn_to_irq_lateeoi() as there is no xenbus device available
at the time the event channel is bound to the irq.

As the decision whether an interrupt was spurious or not requires to
test for bytes having been read from the backend, move sending the
event into the if statement, as sending an event without having found
any bytes to be read is making no sense at all.

This is part of XSA-391

Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/hvc/hvc_xen.c        |   30 +++++++++++++++++++++++++++---
 drivers/xen/events/events_base.c |    6 ++++++
 include/xen/events.h             |    1 +
 3 files changed, 34 insertions(+), 3 deletions(-)

--- a/drivers/tty/hvc/hvc_xen.c
+++ b/drivers/tty/hvc/hvc_xen.c
@@ -37,6 +37,8 @@ struct xencons_info {
 	struct xenbus_device *xbdev;
 	struct xencons_interface *intf;
 	unsigned int evtchn;
+	XENCONS_RING_IDX out_cons;
+	unsigned int out_cons_same;
 	struct hvc_struct *hvc;
 	int irq;
 	int vtermno;
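Review bot: the two new fields in struct xencons_info, out_cons and out_cons_same, carry no comment, and their meaning can only be recovered from domU_read_console(). A one-line comment on each (out_cons: the last value of intf->out_cons seen by the frontend; out_cons_same: the number of reads without data since that value last moved) would make the spurious-event heuristic reviewable from the struct alone.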
@@ -138,6 +140,8 @@ static int domU_read_console(uint32_t vt
 	XENCONS_RING_IDX cons, prod;
 	int recv = 0;
 	struct xencons_info *xencons = vtermno_to_xencons(vtermno);
+	unsigned int eoiflag = 0;
+
 	if (xencons == NULL)
 		return -EINVAL;
 	intf = xencons->intf;
@@ -157,7 +161,27 @@ static int domU_read_console(uint32_t vt
 	mb();			/* read ring before consuming */
 	intf->in_cons = cons;
 
-	notify_daemon(xencons);
+	/*
+	 * When to mark interrupt having been spurious:
+	 * - there was no new data to be read, and
+	 * - the backend did not consume some output bytes, and
+	 * - the previous round with no read data didn't see consumed bytes
+	 *   (we might have a race with an interrupt being in flight while
+	 *   updating xencons->out_cons, so account for that by allowing one
+	 *   round without any visible reason)
+	 */
+	if (intf->out_cons != xencons->out_cons) {
+		xencons->out_cons = intf->out_cons;
+		xencons->out_cons_same = 0;
+	}
+	if (recv) {
+		notify_daemon(xencons);
+	} else if (xencons->out_cons_same++ > 1) {
+		eoiflag = XEN_EOI_FLAG_SPURIOUS;
+	}
+
+	xen_irq_lateeoi(xencons->irq, eoiflag);
+
 	return recv;
 }
 
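Review bot: in the block after `intf->in_cons = cons;`, intf->out_cons is read twice, once in the comparison and once in the assignment, from the ring interface that the backend updates, so the value stored in xencons->out_cons can differ from the one that was compared. Snapshot it once into a local with READ_ONCE() and use that local for both. Separately, out_cons_same is reset only when out_cons moves, not when recv is non-zero, and `out_cons_same++ > 1` lets two idle rounds pass when the counter starts at zero while the comment speaks of one; a named threshold and a sentence on the recv case would remove the ambiguity.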
@@ -386,7 +410,7 @@ static int xencons_connect_backend(struc
 	if (ret)
 		return ret;
 	info->evtchn = evtchn;
-	irq = bind_evtchn_to_irq(evtchn);
+	irq = bind_interdomain_evtchn_to_irq_lateeoi(dev, evtchn);
 	if (irq < 0)
 		return irq;
 	info->irq = irq;
@@ -550,7 +574,7 @@ static int __init xen_hvc_init(void)
 			return r;
 
 		info = vtermno_to_xencons(HVC_COOKIE);
-		info->irq = bind_evtchn_to_irq(info->evtchn);
+		info->irq = bind_evtchn_to_irq_lateeoi(info->evtchn);
 	}
 	if (info->irq < 0)
 		info->irq = 0; /* NO_IRQ */
--- a/drivers/xen/events/events_base.c
+++ b/drivers/xen/events/events_base.c
@@ -1251,6 +1251,12 @@ int bind_evtchn_to_irq(evtchn_port_t evt
 }
 EXPORT_SYMBOL_GPL(bind_evtchn_to_irq);
 
+int bind_evtchn_to_irq_lateeoi(evtchn_port_t evtchn)
+{
+	return bind_evtchn_to_irq_chip(evtchn, &xen_lateeoi_chip, NULL);
+}
+EXPORT_SYMBOL_GPL(bind_evtchn_to_irq_lateeoi);
+
 static int bind_ipi_to_irq(unsigned int ipi, unsigned int cpu)
 {
 	struct evtchn_bind_ipi bind_ipi;
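Review bot: bind_evtchn_to_irq_lateeoi() is exported without any comment, and it passes NULL as the last argument of bind_evtchn_to_irq_chip() with no explanation. The commit message gives the reason (no xenbus device exists when the initial domU console is bound); put that in a comment above the function, together with the requirement that every event is acknowledged with xen_irq_lateeoi(), so later callers do not pick it where bind_interdomain_evtchn_to_irq_lateeoi() is available.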
--- a/include/xen/events.h
+++ b/include/xen/events.h
@@ -17,6 +17,7 @@ struct xenbus_device;
 unsigned xen_evtchn_nr_channels(void);
 
 int bind_evtchn_to_irq(evtchn_port_t evtchn);
+int bind_evtchn_to_irq_lateeoi(evtchn_port_t evtchn);
 int bind_evtchn_to_irqhandler(evtchn_port_t evtchn,
 			      irq_handler_t handler,
 			      unsigned long irqflags, const char *devname,




* [PATCH 5.15 176/177] xen/netback: fix rx queue stall detection
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 175/177] xen/console: harden hvc_xen " Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 14:35 ` [PATCH 5.15 177/177] xen/netback: don't queue unlimited number of packages Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich

From: Juergen Gross <jgross@suse.com>

commit 6032046ec4b70176d247a71836186d47b25d1684 upstream.

Commit 1d5d48523900a4b ("xen-netback: require fewer guest Rx slots when
not using GSO") introduced a security problem in netback, as an
interface would only be regarded as stalled if no slot is available
in the rx queue ring page. In case the SKB at the head of the queued
requests needs more than one rx slot and only one slot is free, the
stall detection logic will never trigger, as the test for that is only
looking for at least one slot to be free.

Fix that by testing for the needed number of slots instead of only one
slot being available.

In order to not have to take the rx queue lock that often, store the
number of needed slots in the queue data. As all SKB dequeue operations
happen in the rx queue kernel thread this is safe, as long as the
number of needed slots is accessed via READ/WRITE_ONCE() only and
updates are always done with the rx queue lock held.

Add a small helper for obtaining the number of free slots.

This is part of XSA-392

Fixes: 1d5d48523900a4b ("xen-netback: require fewer guest Rx slots when not using GSO")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/xen-netback/common.h |    1 
 drivers/net/xen-netback/rx.c     |   65 ++++++++++++++++++++++++---------------
 2 files changed, 42 insertions(+), 24 deletions(-)

--- a/drivers/net/xen-netback/common.h
+++ b/drivers/net/xen-netback/common.h
@@ -203,6 +203,7 @@ struct xenvif_queue { /* Per-queue data
 	unsigned int rx_queue_max;
 	unsigned int rx_queue_len;
 	unsigned long last_rx_time;
+	unsigned int rx_slots_needed;
 	bool stalled;
 
 	struct xenvif_copy_state rx_copy;
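Review bot: rx_slots_needed is added to struct xenvif_queue without stating its access rule. The commit message says it is written only with the rx queue lock held and read via READ_ONCE(); that belongs in a comment next to the field, since nothing in the struct says which lock protects it.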
--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -33,28 +33,36 @@
 #include <xen/xen.h>
 #include <xen/events.h>
 
-static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+/*
+ * Update the needed ring page slots for the first SKB queued.
+ * Note that any call sequence outside the RX thread calling this function
+ * needs to wake up the RX thread via a call of xenvif_kick_thread()
+ * afterwards in order to avoid a race with putting the thread to sleep.
+ */
+static void xenvif_update_needed_slots(struct xenvif_queue *queue,
+				       const struct sk_buff *skb)
 {
-	RING_IDX prod, cons;
-	struct sk_buff *skb;
-	int needed;
-	unsigned long flags;
+	unsigned int needed = 0;
 
-	spin_lock_irqsave(&queue->rx_queue.lock, flags);
-
-	skb = skb_peek(&queue->rx_queue);
-	if (!skb) {
-		spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
-		return false;
+	if (skb) {
+		needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
+		if (skb_is_gso(skb))
+			needed++;
+		if (skb->sw_hash)
+			needed++;
 	}
 
-	needed = DIV_ROUND_UP(skb->len, XEN_PAGE_SIZE);
-	if (skb_is_gso(skb))
-		needed++;
-	if (skb->sw_hash)
-		needed++;
+	WRITE_ONCE(queue->rx_slots_needed, needed);
+}
 
-	spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
+static bool xenvif_rx_ring_slots_available(struct xenvif_queue *queue)
+{
+	RING_IDX prod, cons;
+	unsigned int needed;
+
+	needed = READ_ONCE(queue->rx_slots_needed);
+	if (!needed)
+		return false;
 
 	do {
 		prod = queue->rx.sring->req_prod;
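Review bot: xenvif_update_needed_slots() relies on the caller holding queue->rx_queue.lock but does not check it. Adding lockdep_assert_held(&queue->rx_queue.lock) at the top would enforce the rule from the commit message. The comment should also say that needed == 0 means the queue is empty, because xenvif_rx_ring_slots_available() now returns false on that value instead of on a NULL skb_peek().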
@@ -80,6 +88,9 @@ void xenvif_rx_queue_tail(struct xenvif_
 
 	spin_lock_irqsave(&queue->rx_queue.lock, flags);
 
+	if (skb_queue_empty(&queue->rx_queue))
+		xenvif_update_needed_slots(queue, skb);
+
 	__skb_queue_tail(&queue->rx_queue, skb);
 
 	queue->rx_queue_len += skb->len;
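Review bot: this call to xenvif_update_needed_slots() in xenvif_rx_queue_tail() is subject to the helper's own comment, which requires a xenvif_kick_thread() afterwards when the caller is not the RX thread, and no kick is visible in this hunk. Please confirm that every caller of xenvif_rx_queue_tail() kicks the thread after it returns, or say so in a comment here.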
@@ -100,6 +111,8 @@ static struct sk_buff *xenvif_rx_dequeue
 
 	skb = __skb_dequeue(&queue->rx_queue);
 	if (skb) {
+		xenvif_update_needed_slots(queue, skb_peek(&queue->rx_queue));
+
 		queue->rx_queue_len -= skb->len;
 		if (queue->rx_queue_len < queue->rx_queue_max) {
 			struct netdev_queue *txq;
@@ -487,27 +500,31 @@ void xenvif_rx_action(struct xenvif_queu
 	xenvif_rx_copy_flush(queue);
 }
 
-static bool xenvif_rx_queue_stalled(struct xenvif_queue *queue)
+static RING_IDX xenvif_rx_queue_slots(const struct xenvif_queue *queue)
 {
 	RING_IDX prod, cons;
 
 	prod = queue->rx.sring->req_prod;
 	cons = queue->rx.req_cons;
 
+	return prod - cons;
+}
+
+static bool xenvif_rx_queue_stalled(const struct xenvif_queue *queue)
+{
+	unsigned int needed = READ_ONCE(queue->rx_slots_needed);
+
 	return !queue->stalled &&
-		prod - cons < 1 &&
+		xenvif_rx_queue_slots(queue) < needed &&
 		time_after(jiffies,
 			   queue->last_rx_time + queue->vif->stall_timeout);
 }
 
 static bool xenvif_rx_queue_ready(struct xenvif_queue *queue)
 {
-	RING_IDX prod, cons;
-
-	prod = queue->rx.sring->req_prod;
-	cons = queue->rx.req_cons;
+	unsigned int needed = READ_ONCE(queue->rx_slots_needed);
 
-	return queue->stalled && prod - cons >= 1;
+	return queue->stalled && xenvif_rx_queue_slots(queue) >= needed;
 }
 
 bool xenvif_have_rx_work(struct xenvif_queue *queue, bool test_kthread)
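Review bot: in xenvif_rx_queue_stalled() and xenvif_rx_queue_ready(), needed can be 0 when the rx queue is empty, which makes `xenvif_rx_queue_slots(queue) < needed` always false and `>= needed` always true for the unsigned types involved. If that is the intended behaviour for an empty queue (never newly stalled, always ready once stalled), a short comment should say so. xenvif_rx_queue_slots() also deserves a note that prod - cons relies on RING_IDX wraparound.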




* [PATCH 5.15 177/177] xen/netback: don't queue unlimited number of packages
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 176/177] xen/netback: fix rx queue stall detection Greg Kroah-Hartman
@ 2021-12-20 14:35 ` Greg Kroah-Hartman
  2021-12-20 23:17 ` [PATCH 5.15 000/177] 5.15.11-rc1 review Shuah Khan
                   ` (4 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Greg Kroah-Hartman @ 2021-12-20 14:35 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Juergen Gross, Jan Beulich

From: Juergen Gross <jgross@suse.com>

commit be81992f9086b230623ae3ebbc85ecee4d00a3d3 upstream.

In case a guest isn't consuming incoming network traffic as fast as it
is coming in, xen-netback is buffering network packages in unlimited
numbers today. This can result in host OOM situations.

Commit f48da8b14d04ca8 ("xen-netback: fix unlimited guest Rx internal
queue and carrier flapping") meant to introduce a mechanism to limit
the amount of buffered data by stopping the Tx queue when reaching the
data limit, but this doesn't work for cases like UDP.

When hitting the limit, don't queue further SKBs, but drop them instead.
In order to be able to tell Rx packages have been dropped, increment the
rx_dropped statistics counter in this case.

It should be noted that the old solution to continue queueing SKBs had
the additional problem that an overflow of the 32-bit rx_queue_len value
would result in intermittent Tx queue enabling.

This is part of XSA-392

Fixes: f48da8b14d04ca8 ("xen-netback: fix unlimited guest Rx internal queue and carrier flapping")
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/xen-netback/rx.c |   18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

--- a/drivers/net/xen-netback/rx.c
+++ b/drivers/net/xen-netback/rx.c
@@ -88,16 +88,19 @@ void xenvif_rx_queue_tail(struct xenvif_
 
 	spin_lock_irqsave(&queue->rx_queue.lock, flags);
 
-	if (skb_queue_empty(&queue->rx_queue))
-		xenvif_update_needed_slots(queue, skb);
-
-	__skb_queue_tail(&queue->rx_queue, skb);
-
-	queue->rx_queue_len += skb->len;
-	if (queue->rx_queue_len > queue->rx_queue_max) {
+	if (queue->rx_queue_len >= queue->rx_queue_max) {
 		struct net_device *dev = queue->vif->dev;
 
 		netif_tx_stop_queue(netdev_get_tx_queue(dev, queue->id));
+		kfree_skb(skb);
+		queue->vif->dev->stats.rx_dropped++;
+	} else {
+		if (skb_queue_empty(&queue->rx_queue))
+			xenvif_update_needed_slots(queue, skb);
+
+		__skb_queue_tail(&queue->rx_queue, skb);
+
+		queue->rx_queue_len += skb->len;
 	}
 
 	spin_unlock_irqrestore(&queue->rx_queue.lock, flags);
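Review bot: in the new drop branch, kfree_skb(skb) is called between spin_lock_irqsave() and spin_unlock_irqrestore(), that is, with interrupts disabled. Remember the skb to drop in a local and free it after the unlock. The same branch already has `dev` pointing at queue->vif->dev, so the counter update can be written as dev->stats.rx_dropped++.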
@@ -147,6 +150,7 @@ static void xenvif_rx_queue_drop_expired
 			break;
 		xenvif_rx_dequeue(queue);
 		kfree_skb(skb);
+		queue->vif->dev->stats.rx_dropped++;
 	}
 }
 
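Review bot: the rx_dropped increment added in xenvif_rx_queue_drop_expired() is a plain ++ on the per-device stats with no lock visible here, while the other increment in this patch runs in xenvif_rx_queue_tail() under the per-queue rx_queue.lock. With more than one queue on a vif, or with both paths running at once, updates can be lost; consider an atomic or per-queue counter, or state that the counter is best effort.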




* Re: [PATCH 5.15 000/177] 5.15.11-rc1 review
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2021-12-20 14:35 ` [PATCH 5.15 177/177] xen/netback: don't queue unlimited number of packages Greg Kroah-Hartman
@ 2021-12-20 23:17 ` Shuah Khan
  2021-12-21 10:05 ` Naresh Kamboju
                   ` (3 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Shuah Khan @ 2021-12-20 23:17 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 12/20/21 7:32 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.11 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah


* Re: [PATCH 5.15 000/177] 5.15.11-rc1 review
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2021-12-20 23:17 ` [PATCH 5.15 000/177] 5.15.11-rc1 review Shuah Khan
@ 2021-12-21 10:05 ` Naresh Kamboju
  2021-12-21 10:56 ` Rudi Heitbaum
                   ` (2 subsequent siblings)
  181 siblings, 0 replies; 183+ messages in thread
From: Naresh Kamboju @ 2021-12-21 10:05 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, shuah, f.fainelli, patches, lkft-triage, jonathanh,
	stable, pavel, akpm, torvalds, linux

On Mon, 20 Dec 2021 at 20:25, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.15.11 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.11-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.15.11-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.15.y
* git commit: 6c3eb74f1432213bade7ca82a6a7638d1ad826a5
* git describe: v5.15.10-178-g6c3eb74f1432
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.15.y/build/v5.15.10-178-g6c3eb74f1432

## No Test Regressions (compared to v5.15.7-171-ge18bff95c819)

## No Test Fixes (compared to v5.15.7-171-ge18bff95c819)

## Test result summary
total: 99084, pass: 84368, fail: 937, skip: 12857, xfail: 922

## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 263 total, 257 passed, 6 failed
* arm64: 42 total, 40 passed, 2 failed
* dragonboard-410c: 1 total, 1 passed, 0 failed
* hi6220-hikey: 1 total, 1 passed, 0 failed
* i386: 40 total, 37 passed, 3 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 37 total, 31 passed, 6 failed
* parisc: 14 total, 14 passed, 0 failed
* powerpc: 56 total, 50 passed, 6 failed
* riscv: 28 total, 19 passed, 9 failed
* s390: 22 total, 20 passed, 2 failed
* sh: 26 total, 24 passed, 2 failed
* sparc: 14 total, 14 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 42 total, 40 passed, 2 failed

## Test suites summary
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-arm64/arm64.btitest.bti_c_func
* kselftest-arm64/arm64.btitest.bti_j_func
* kselftest-arm64/arm64.btitest.bti_jc_func
* kselftest-arm64/arm64.btitest.bti_none_func
* kselftest-arm64/arm64.btitest.nohint_func
* kselftest-arm64/arm64.btitest.paciasp_func
* kselftest-arm64/arm64.nobtitest.bti_c_func
* kselftest-arm64/arm64.nobtitest.bti_j_func
* kselftest-arm64/arm64.nobtitest.bti_jc_func
* kselftest-arm64/arm64.nobtitest.bti_none_func
* kselftest-arm64/arm64.nobtitest.nohint_func
* kselftest-arm64/arm64.nobtitest.paciasp_func
* kselftest-bpf
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* rcutorture
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 5.15 000/177] 5.15.11-rc1 review
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2021-12-21 10:05 ` Naresh Kamboju
@ 2021-12-21 10:56 ` Rudi Heitbaum
  2021-12-21 18:10 ` Florian Fainelli
  2021-12-21 23:14 ` Guenter Roeck
  181 siblings, 0 replies; 183+ messages in thread
From: Rudi Heitbaum @ 2021-12-21 10:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

On Mon, Dec 20, 2021 at 03:32:30PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.11 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
> Anything received after that time might be too late.

Hi Greg,

Looking good.

Run tested on:
- Intel Tiger Lake x86_64 (nuc11 i7-1165G7)

In addition: build tested on:
- Allwinner A64
- Allwinner H3
- Allwinner H5
- Allwinner H6
- NXP iMX6
- NXP iMX8
- Qualcomm Dragonboard
- Rockchip RK3288
- Rockchip RK3328
- Rockchip RK3399pro
- Samsung Exynos

Tested-by: Rudi Heitbaum <rudi@heitbaum.com>
--
Rudi


* Re: [PATCH 5.15 000/177] 5.15.11-rc1 review
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2021-12-21 10:56 ` Rudi Heitbaum
@ 2021-12-21 18:10 ` Florian Fainelli
  2021-12-21 23:14 ` Guenter Roeck
  181 siblings, 0 replies; 183+ messages in thread
From: Florian Fainelli @ 2021-12-21 18:10 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, stable



On 12/20/2021 6:32 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.11 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.15.11-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.15.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels:

Tested-by: Florian Fainelli <f.fainelli@gmail.com>
-- 
Florian



* Re: [PATCH 5.15 000/177] 5.15.11-rc1 review
  2021-12-20 14:32 [PATCH 5.15 000/177] 5.15.11-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2021-12-21 18:10 ` Florian Fainelli
@ 2021-12-21 23:14 ` Guenter Roeck
  181 siblings, 0 replies; 183+ messages in thread
From: Guenter Roeck @ 2021-12-21 23:14 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, Dec 20, 2021 at 03:32:30PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.15.11 release.
> There are 177 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 22 Dec 2021 14:30:09 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 154 pass: 154 fail: 0
Qemu test results:
	total: 480 pass: 480 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter

2021-12-20 14:34 ` [PATCH 5.15 101/177] net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 102/177] sfc_ef100: potential dereference of null pointer Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 103/177] dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 104/177] net: Fix double 0x prefix print in SKB dump Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 105/177] net/smc: Prevent smc_release() from long blocking Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 106/177] net: systemport: Add global locking for descriptor lifecycle Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 107/177] sit: do not call ipip6_dev_free() from sit_init_net() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 108/177] afs: Fix mmap Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 109/177] arm64: kexec: Fix missing error code ret warning in load_other_segments() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 110/177] bpf: Fix extable fixup offset Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 111/177] bpf, selftests: Fix racing issue in btf_skc_cls_ingress test Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 112/177] powerpc/85xx: Fix oops when CONFIG_FSL_PMC=n Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 113/177] USB: gadget: bRequestType is a bitfield, not a enum Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 114/177] Revert "usb: early: convert to readl_poll_timeout_atomic()" Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 115/177] KVM: x86: Drop guest CPUID check for host initiated writes to MSR_IA32_PERF_CAPABILITIES Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 116/177] tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 117/177] USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 118/177] usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 119/177] PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 120/177] PCI/MSI: Mask MSI-X vectors only on success Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 121/177] usb: xhci-mtk: fix list_del warning when enable list debug Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 122/177] usb: xhci: Extend support for runtime power management for AMDs Yellow carp Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 123/177] usb: cdnsp: Fix incorrect status for control request Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 124/177] usb: cdnsp: Fix incorrect calling of cdnsp_died function Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 125/177] usb: cdnsp: Fix issue in cdnsp_log_ep trace event Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 126/177] usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 127/177] usb: typec: tcpm: fix tcpm unregister port but leave a pending timer Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 128/177] usb: gadget: u_ether: fix race in setting MAC address in setup phase Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 129/177] USB: serial: cp210x: fix CP2105 GPIO registration Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 130/177] USB: serial: option: add Telit FN990 compositions Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 131/177] selinux: fix sleeping function called from invalid context Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 132/177] btrfs: fix memory leak in __add_inode_ref() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 133/177] btrfs: fix double free of anon_dev after failure to create subvolume Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 134/177] btrfs: check WRITE_ERR when trying to read an extent buffer Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 135/177] btrfs: fix missing blkdev_put() call in btrfs_scan_one_device() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 136/177] zonefs: add MODULE_ALIAS_FS Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 137/177] iocost: Fix divide-by-zero on donation from low hweight cgroup Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 138/177] serial: 8250_fintek: Fix garbled text for console Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 139/177] timekeeping: Really make sure wall_to_monotonic isnt positive Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 140/177] cifs: sanitize multiple delimiters in prepath Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 141/177] locking/rtmutex: Fix incorrect condition in rtmutex_spin_on_owner() Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 142/177] riscv: dts: unleashed: Add gpio card detect to mmc-spi-slot Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 143/177] riscv: dts: unmatched: " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 144/177] perf inject: Fix segfault due to close without open Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 145/177] perf inject: Fix segfault due to perf_data__fd() " Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 146/177] libata: if T_LENGTH is zero, dma direction should be DMA_NONE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 147/177] powerpc/module_64: Fix livepatching for RO modules Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 148/177] drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE Greg Kroah-Hartman
2021-12-20 14:34 ` [PATCH 5.15 149/177] drm/amdgpu: dont override default ECO_BITs setting Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 150/177] drm/amd/pm: fix reading SMU FW version from amdgpu_firmware_info on YC Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 151/177] Revert "can: m_can: remove support for custom bit timing" Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 152/177] can: m_can: make custom bittiming fields const Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 153/177] can: m_can: pci: use custom bit timings for Elkhart Lake Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 154/177] ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 155/177] xsk: Do not sleep in poll() when need_wakeup set Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 156/177] mptcp: add missing documented NL params Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 157/177] bpf, x64: Factor out emission of REX byte in more cases Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 158/177] bpf: Fix extable address check Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 159/177] USB: core: Make do_proc_control() and do_proc_bulk() killable Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 160/177] media: mxl111sf: change mutex_init() location Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 161/177] fuse: annotate lock in fuse_reverse_inval_entry() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 162/177] ovl: fix warning in ovl_create_real() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 163/177] scsi: scsi_debug: Dont call kcalloc() if size arg is zero Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 164/177] scsi: scsi_debug: Fix type in min_t to avoid stack OOB Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 165/177] scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 166/177] io-wq: remove spurious bit clear on task_work addition Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 167/177] io-wq: check for wq exit after adding new worker task_work Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 168/177] rcu: Mark accesses to rcu_state.n_force_qs Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 169/177] io-wq: drop wqe lock before creating new worker Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 170/177] bus: ti-sysc: Fix variable set but not used warning for reinit_modules Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 171/177] selftests/damon: test debugfs file reads/writes with huge count Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 172/177] Revert "xsk: Do not sleep in poll() when need_wakeup set" Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 173/177] xen/blkfront: harden blkfront against event channel storms Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 174/177] xen/netfront: harden netfront " Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 175/177] xen/console: harden hvc_xen " Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 176/177] xen/netback: fix rx queue stall detection Greg Kroah-Hartman
2021-12-20 14:35 ` [PATCH 5.15 177/177] xen/netback: dont queue unlimited number of packages Greg Kroah-Hartman
2021-12-20 23:17 ` [PATCH 5.15 000/177] 5.15.11-rc1 review Shuah Khan
2021-12-21 10:05 ` Naresh Kamboju
2021-12-21 10:56 ` Rudi Heitbaum
2021-12-21 18:10 ` Florian Fainelli
2021-12-21 23:14 ` Guenter Roeck
