commit 0c88e405c97ed1828443b67891e6d4bb6e56cd4e Author: Greg Kroah-Hartman Date: Tue Nov 24 13:27:27 2020 +0100 Linux 4.19.160 Tested-by: Jon Hunter Tested-by: Guenter Roeck Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Link: https://lore.kernel.org/r/20201123121809.285416732@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit dc94f8e932b596926649fa2778eff8d90495e0ff Author: Gerald Schaefer Date: Sat Nov 21 22:17:15 2020 -0800 mm/userfaultfd: do not access vma->vm_mm after calling handle_userfault() commit bfe8cc1db02ab243c62780f17fc57f65bde0afe1 upstream. Alexander reported a syzkaller / KASAN finding on s390, see below for complete output. In do_huge_pmd_anonymous_page(), the pre-allocated pagetable will be freed in some cases. In the case of userfaultfd_missing(), this will happen after calling handle_userfault(), which might have released the mmap_lock. Therefore, the following pte_free(vma->vm_mm, pgtable) will access an unstable vma->vm_mm, which could have been freed or re-used already. For all architectures other than s390 this will go w/o any negative impact, because pte_free() simply frees the page and ignores the passed-in mm. The implementation for SPARC32 would also access mm->page_table_lock for pte_free(), but there is no THP support in SPARC32, so the buggy code path will not be used there. For s390, the mm->context.pgtable_list is being used to maintain the 2K pagetable fragments, and operating on an already freed or even re-used mm could result in various more or less subtle bugs due to list / pagetable corruption. Fix this by calling pte_free() before handle_userfault(), similar to how it is already done in __do_huge_pmd_anonymous_page() for the WRITE / non-huge_zero_page case. Commit 6b251fc96cf2c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults") actually introduced both, the do_huge_pmd_anonymous_page() and also __do_huge_pmd_anonymous_page() changes wrt to calling handle_userfault(), but only in the latter case it put the pte_free() before calling handle_userfault(). BUG: KASAN: use-after-free in do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744 Read of size 8 at addr 00000000962d6988 by task syz-executor.0/9334 CPU: 1 PID: 9334 Comm: syz-executor.0 Not tainted 5.10.0-rc1-syzkaller-07083-g4c9720875573 #0 Hardware name: IBM 3906 M04 701 (KVM/Linux) Call Trace: do_huge_pmd_anonymous_page+0xcda/0xd90 mm/huge_memory.c:744 create_huge_pmd mm/memory.c:4256 [inline] __handle_mm_fault+0xe6e/0x1068 mm/memory.c:4480 handle_mm_fault+0x288/0x748 mm/memory.c:4607 do_exception+0x394/0xae0 arch/s390/mm/fault.c:479 do_dat_exception+0x34/0x80 arch/s390/mm/fault.c:567 pgm_check_handler+0x1da/0x22c arch/s390/kernel/entry.S:706 copy_from_user_mvcos arch/s390/lib/uaccess.c:111 [inline] raw_copy_from_user+0x3a/0x88 arch/s390/lib/uaccess.c:174 _copy_from_user+0x48/0xa8 lib/usercopy.c:16 copy_from_user include/linux/uaccess.h:192 [inline] __do_sys_sigaltstack kernel/signal.c:4064 [inline] __s390x_sys_sigaltstack+0xc8/0x240 kernel/signal.c:4060 system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 Allocated by task 9334: slab_alloc_node mm/slub.c:2891 [inline] slab_alloc mm/slub.c:2899 [inline] kmem_cache_alloc+0x118/0x348 mm/slub.c:2904 vm_area_dup+0x9c/0x2b8 kernel/fork.c:356 __split_vma+0xba/0x560 mm/mmap.c:2742 split_vma+0xca/0x108 mm/mmap.c:2800 mlock_fixup+0x4ae/0x600 mm/mlock.c:550 apply_vma_lock_flags+0x2c6/0x398 mm/mlock.c:619 do_mlock+0x1aa/0x718 mm/mlock.c:711 __do_sys_mlock2 mm/mlock.c:738 [inline] __s390x_sys_mlock2+0x86/0xa8 mm/mlock.c:728 system_call+0xe0/0x28c arch/s390/kernel/entry.S:415 Freed by task 9333: slab_free mm/slub.c:3142 [inline] kmem_cache_free+0x7c/0x4b8 mm/slub.c:3158 __vma_adjust+0x7b2/0x2508 mm/mmap.c:960 vma_merge+0x87e/0xce0 mm/mmap.c:1209 userfaultfd_release+0x412/0x6b8 fs/userfaultfd.c:868 __fput+0x22c/0x7a8 fs/file_table.c:281 task_work_run+0x200/0x320 kernel/task_work.c:151 tracehook_notify_resume include/linux/tracehook.h:188 [inline] do_notify_resume+0x100/0x148 arch/s390/kernel/signal.c:538 system_call+0xe6/0x28c arch/s390/kernel/entry.S:416 The buggy address belongs to the object at 00000000962d6948 which belongs to the cache vm_area_struct of size 200 The buggy address is located 64 bytes inside of 200-byte region [00000000962d6948, 00000000962d6a10) The buggy address belongs to the page: page:00000000313a09fe refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x962d6 flags: 0x3ffff00000000200(slab) raw: 3ffff00000000200 000040000257e080 0000000c0000000c 000000008020ba00 raw: 0000000000000000 000f001e00000000 ffffffff00000001 0000000096959501 page dumped because: kasan: bad access detected page->mem_cgroup:0000000096959501 Memory state around the buggy address: 00000000962d6880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00000000962d6900: 00 fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb >00000000962d6980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ 00000000962d6a00: fb fb fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00000000962d6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ================================================================== Fixes: 6b251fc96cf2c ("userfaultfd: call handle_userfault() for userfaultfd_missing() faults") Reported-by: Alexander Egorenkov Signed-off-by: Gerald Schaefer Signed-off-by: Andrew Morton Cc: Andrea Arcangeli Cc: Heiko Carstens Cc: [4.3+] Link: https://lkml.kernel.org/r/20201110190329.11920-1-gerald.schaefer@linux.ibm.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 526d963441acf60edb9f0d348eef2b24edfdbffe Author: Chen Yu Date: Fri Nov 13 09:59:23 2020 +0800 x86/microcode/intel: Check patch signature before saving microcode for early loading commit 1a371e67dc77125736cc56d3a0893f06b75855b6 upstream. Currently, scan_microcode() leverages microcode_matches() to check if the microcode matches the CPU by comparing the family and model. However, the processor stepping and flags of the microcode signature should also be considered when saving a microcode patch for early update. Use find_matching_signature() in scan_microcode() and get rid of the now-unused microcode_matches() which is a good cleanup in itself. Complete the verification of the patch being saved for early loading in save_microcode_patch() directly. This needs to be done there too because save_mc_for_early() will call save_microcode_patch() too. The second reason why this needs to be done is because the loader still tries to support, at least hypothetically, mixed-steppings systems and thus adds all patches to the cache that belong to the same CPU model albeit with different steppings. For example: microcode: CPU: sig=0x906ec, pf=0x2, rev=0xd6 microcode: mc_saved[0]: sig=0x906e9, pf=0x2a, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[1]: sig=0x906ea, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[2]: sig=0x906eb, pf=0x2, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[3]: sig=0x906ec, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[4]: sig=0x906ed, pf=0x22, rev=0xd6, total size=0x19400, date = 2020-04-23 The patch which is being saved for early loading, however, can only be the one which fits the CPU this runs on so do the signature verification before saving. [ bp: Do signature verification in save_microcode_patch() and rewrite commit message. ] Fixes: ec400ddeff20 ("x86/microcode_intel_early.c: Early update ucode on Intel's CPU") Signed-off-by: Chen Yu Signed-off-by: Borislav Petkov Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=208535 Link: https://lkml.kernel.org/r/20201113015923.13960-1-yu.c.chen@intel.com Signed-off-by: Greg Kroah-Hartman commit 3863935f06bd8d43a7fb4fbf65a33a5596060974 Author: Mickaël Salaün Date: Fri Oct 30 13:38:49 2020 +0100 seccomp: Set PF_SUPERPRIV when checking capability commit fb14528e443646dd3fd02df4437fcf5265b66baa upstream. Replace the use of security_capable(current_cred(), ...) with ns_capable_noaudit() which set PF_SUPERPRIV. Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a new ns_capable_noaudit() helper is available. Let's use it! Cc: Jann Horn Cc: Kees Cook Cc: Tyler Hicks Cc: Will Drewry Cc: stable@vger.kernel.org Fixes: e2cfabdfd075 ("seccomp: add system call filtering using BPF") Signed-off-by: Mickaël Salaün Reviewed-by: Jann Horn Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201030123849.770769-3-mic@digikod.net Signed-off-by: Greg Kroah-Hartman commit 26c5606ff755a521aa9dcfe111ce89f08b9aac0e Author: Mickaël Salaün Date: Fri Oct 30 13:38:48 2020 +0100 ptrace: Set PF_SUPERPRIV when checking capability commit cf23705244c947151179f929774fabf71e239eee upstream. Commit 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") replaced the use of ns_capable() with has_ns_capability{,_noaudit}() which doesn't set PF_SUPERPRIV. Commit 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()") replaced has_ns_capability{,_noaudit}() with security_capable(), which doesn't set PF_SUPERPRIV neither. Since commit 98f368e9e263 ("kernel: Add noaudit variant of ns_capable()"), a new ns_capable_noaudit() helper is available. Let's use it! As a result, the signature of ptrace_has_cap() is restored to its original one. Cc: Christian Brauner Cc: Eric Paris Cc: Jann Horn Cc: Kees Cook Cc: Oleg Nesterov Cc: Serge E. Hallyn Cc: Tyler Hicks Cc: stable@vger.kernel.org Fixes: 6b3ad6649a4c ("ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()") Fixes: 69f594a38967 ("ptrace: do not audit capability check when outputing /proc/pid/stat") Signed-off-by: Mickaël Salaün Reviewed-by: Jann Horn Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20201030123849.770769-2-mic@digikod.net Signed-off-by: Greg Kroah-Hartman commit 497fc376641993f8d6d2613f3b6c9e39b2f54b3a Author: Stefan Haberland Date: Mon Nov 16 16:23:47 2020 +0100 s390/dasd: fix null pointer dereference for ERP requests commit 6f117cb854a44a79898d844e6ae3fd23bd94e786 upstream. When requeueing all requests on the device request queue to the blocklayer we might get to an ERP (error recovery) request that is a copy of an original CQR. Those requests do not have blocklayer request information or a pointer to the dasd_queue set. When trying to access those data it will lead to a null pointer dereference in dasd_requeue_all_requests(). Fix by checking if the request is an ERP request that can simply be ignored. The blocklayer request will be requeued by the original CQR that is on the device queue right behind the ERP request. Fixes: 9487cfd3430d ("s390/dasd: fix handling of internal requests") Cc: #4.16 Signed-off-by: Stefan Haberland Reviewed-by: Jan Hoeppner Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit a1bf9efcf4a047c80662d5509806da4cf50cfaf6 Author: Thomas Richter Date: Wed Nov 11 16:26:25 2020 +0100 s390/cpum_sf.c: fix file permission for cpum_sfb_size commit 78d732e1f326f74f240d416af9484928303d9951 upstream. This file is installed by the s390 CPU Measurement sampling facility device driver to export supported minimum and maximum sample buffer sizes. This file is read by lscpumf tool to display the details of the device driver capabilities. The lscpumf tool might be invoked by a non-root user. In this case it does not print anything because the file contents can not be read. Fix this by allowing read access for all users. Reading the file contents is ok, changing the file contents is left to the root user only. For further reference and details see: [1] https://github.com/ibm-s390-tools/s390-tools/issues/97 Fixes: 69f239ed335a ("s390/cpum_sf: Dynamically extend the sampling buffer if overflows occur") Cc: # 3.14 Signed-off-by: Thomas Richter Acked-by: Sumanth Korikkar Signed-off-by: Heiko Carstens Signed-off-by: Greg Kroah-Hartman commit 499b109be6889b4a5442b7652c32370bb2d741a2 Author: Johannes Berg Date: Thu Nov 12 11:22:04 2020 +0100 mac80211: free sta in sta_info_insert_finish() on errors commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream. If sta_info_insert_finish() fails, we currently keep the station around and free it only in the caller, but there's only one such caller and it always frees it immediately. As syzbot found, another consequence of this split is that we can put things that sleep only into __cleanup_single_sta() and not in sta_info_free(), but this is the only place that requires such of sta_info_free() now. Change this to free the station in sta_info_insert_finish(), in which case we can still sleep. This will also let us unify the cleanup code later. Cc: stable@vger.kernel.org Fixes: dcd479e10a05 ("mac80211: always wind down STA state") Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc64ed6613d36c18a48e0@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit b48b65efcdf698fb3118c44197b664f3e3bfe708 Author: Felix Fietkau Date: Wed Nov 11 19:33:59 2020 +0100 mac80211: minstrel: fix tx status processing corner case commit b2911a84396f72149dce310a3b64d8948212c1b3 upstream. Some drivers fill the status rate list without setting the rate index after the final rate to -1. minstrel_ht already deals with this, but minstrel doesn't, which causes it to get stuck at the lowest rate on these drivers. Fix this by checking the count as well. Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20201111183359.43528-3-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 2216a93ce6841cde69fb6e59763ca029f15e4ddf Author: Felix Fietkau Date: Wed Nov 11 19:33:58 2020 +0100 mac80211: minstrel: remove deferred sampling code commit 4fe40b8e1566dad04c87fbf299049a1d0d4bd58d upstream. Deferring sampling attempts to the second stage has some bad interactions with drivers that process the rate table in hardware and use the probe flag to indicate probing packets (e.g. most mt76 drivers). On affected drivers it can lead to probing not working at all. If the link conditions turn worse, it might not be such a good idea to do a lot of sampling for lower rates in this case. Fix this by simply skipping the sample attempt instead of deferring it, but keep the checks that would allow it to be sampled if it was skipped too often, but only if it has less than 95% success probability. Also ensure that IEEE80211_TX_CTL_RATE_CTRL_PROBE is set for all probing packets. Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20201111183359.43528-2-nbd@nbd.name Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 7d2f4b758a04748f86786d2a99fe43bbbda2c22f Author: Max Filippov Date: Mon Nov 16 01:38:59 2020 -0800 xtensa: disable preemption around cache alias management calls commit 3a860d165eb5f4d7cf0bf81ef6a5b5c5e1754422 upstream. Although cache alias management calls set up and tear down TLB entries and fast_second_level_miss is able to restore TLB entry should it be evicted they absolutely cannot preempt each other because they use the same TLBTEMP area for different purposes. Disable preemption around all cache alias management calls to enforce that. Cc: stable@vger.kernel.org Signed-off-by: Max Filippov Signed-off-by: Greg Kroah-Hartman commit 47a15b5c7ad24d854e4399a855ff2117ce31e73d Author: Michał Mirosław Date: Fri Nov 13 01:20:28 2020 +0100 regulator: workaround self-referent regulators commit f5c042b23f7429e5c2ac987b01a31c69059a978b upstream. Workaround regulators whose supply name happens to be the same as its own name. This fixes boards that used to work before the early supply resolving was removed. The error message is left in place so that offending drivers can be detected. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Reported-by: Ahmad Fatoum Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/d703acde2a93100c3c7a81059d716c50ad1b1f52.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 00aa5e8d1a3334701cdf0a7d0965e7650a7cd797 Author: Michał Mirosław Date: Fri Nov 13 01:20:28 2020 +0100 regulator: avoid resolve_supply() infinite recursion commit 4b639e254d3d4f15ee4ff2b890a447204cfbeea9 upstream. When a regulator's name equals its supply's name the regulator_resolve_supply() recurses indefinitely. Add a check so that debugging the problem is easier. The "fixed" commit just exposed the problem. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Reported-by: Ahmad Fatoum Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/c6171057cfc0896f950c4d8cb82df0f9f1b89ad9.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 675b9c121c46166b189344fd158f10e064061505 Author: Michał Mirosław Date: Fri Nov 13 01:20:27 2020 +0100 regulator: fix memory leak with repeated set_machine_constraints() commit 57a6ad482af256b2a13de14194fb8f67c1a65f10 upstream. Fixed commit introduced a possible second call to set_machine_constraints() and that allocates memory for rdev->constraints. Move the allocation to the caller so it's easier to manage and done once. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Cc: stable@vger.kernel.org Signed-off-by: Michał Mirosław Tested-by: Ahmad Fatoum # stpmic1 Link: https://lore.kernel.org/r/78c3d4016cebc08d441aad18cb924b4e4d9cf9df.1605226675.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 8f1f52f659b9e0b13bd2202fa7a558adc3b3994e Author: Sean Nyekjaer Date: Tue Nov 10 18:41:13 2020 +0100 regulator: pfuze100: limit pfuze-support-disable-sw to pfuze{100,200} commit 365ec8b61689bd64d6a61e129e0319bf71336407 upstream. Limit the fsl,pfuze-support-disable-sw to the pfuze100 and pfuze200 variants. When enabling fsl,pfuze-support-disable-sw and using a pfuze3000 or pfuze3001, the driver would choose pfuze100_sw_disable_regulator_ops instead of the newly introduced and correct pfuze3000_sw_regulator_ops. Signed-off-by: Sean Nyekjaer Fixes: 6f1cf5257acc ("regualtor: pfuze100: correct sw1a/sw2 on pfuze3000") Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201110174113.2066534-1-sean@geanix.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 03fe4c08801afb39635ff44783d22d0b375962aa Author: Hans de Goede Date: Tue Nov 10 14:38:35 2020 +0100 iio: accel: kxcjk1013: Add support for KIOX010A ACPI DSM for setting tablet-mode commit e5b1032a656e9aa4c7a4df77cb9156a2a651a5f9 upstream. Some 360 degree hinges (yoga) style 2-in-1 devices use 2 KXCJ91008-s to allow the OS to determine the angle between the display and the base of the device, so that the OS can determine if the 2-in-1 is in laptop or in tablet-mode. On Windows both accelerometers are read by a special HingeAngleService process; and this process calls a DSM (Device Specific Method) on the ACPI KIOX010A device node for the sensor in the display, to let the embedded-controller (EC) know about the mode so that it can disable the kbd and touchpad to avoid spurious input while folded into tablet-mode. This notifying of the EC is problematic because sometimes the EC comes up thinking that device is in tablet-mode and the kbd and touchpad do not work. This happens for example on Irbis NB111 devices after a suspend / resume cycle (after a complete battery drain / hard reset without having booted Windows at least once). Other 2-in-1s which are likely affected too are e.g. the Teclast F5 and F6 series. The kxcjk-1013 driver may seem like a strange place to deal with this, but since it is *the* driver for the ACPI KIOX010A device, it is also the driver which has access to the ACPI handle needed by the DSM. Add support for calling the DSM and on probe unconditionally tell the EC that the device is laptop mode, fixing the kbd and touchpad sometimes not working. Fixes: 7f6232e69539 ("iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID") Reported-and-tested-by: russianneuromancer Signed-off-by: Hans de Goede Cc: Link: https://lore.kernel.org/r/20201110133835.129080-3-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 1ee67cb29e7c4f2f1c692009e3138aaaab92c678 Author: Hans de Goede Date: Tue Nov 10 14:38:34 2020 +0100 iio: accel: kxcjk1013: Replace is_smo8500_device with an acpi_type enum commit 11e94f28c3de35d5ad1ac6a242a5b30f4378991a upstream. Replace the boolean is_smo8500_device variable with an acpi_type enum. For now this can be either ACPI_GENERIC or ACPI_SMO8500, this is a preparation patch for adding special handling for the KIOX010A ACPI HID, which will add a ACPI_KIOX010A acpi_type to the introduced enum. For stable as needed as precursor for next patch. Signed-off-by: Hans de Goede Fixes: 7f6232e69539 ("iio: accel: kxcjk1013: Add KIOX010A ACPI Hardware-ID") Cc: Link: https://lore.kernel.org/r/20201110133835.129080-2-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit f2a32b26684550173f9fdd326923c0799b552916 Author: Jan Kara Date: Wed Nov 18 16:30:32 2020 +0100 ext4: fix bogus warning in ext4_update_dx_flag() commit f902b216501094495ff75834035656e8119c537f upstream. The idea of the warning in ext4_update_dx_flag() is that we should warn when we are clearing EXT4_INODE_INDEX on a filesystem with metadata checksums enabled since after clearing the flag, checksums for internal htree nodes will become invalid. So there's no need to warn (or actually do anything) when EXT4_INODE_INDEX is not set. Link: https://lore.kernel.org/r/20201118153032.17281-1-jack@suse.cz Fixes: 48a34311953d ("ext4: fix checksum errors with indexed dirs") Reported-by: Eric Biggers Reviewed-by: Eric Biggers Signed-off-by: Jan Kara Signed-off-by: Theodore Ts'o Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman commit e9bfab3073834efa616ec86184d63eba1a64cfef Author: Brian O'Keefe Date: Fri Nov 6 10:10:34 2020 -0500 staging: rtl8723bs: Add 024c:0627 to the list of SDIO device-ids commit aee9dccc5b64e878cf1b18207436e73f66d74157 upstream. Add 024c:0627 to the list of SDIO device-ids, based on hardware found in the wild. This hardware exists on at least some Acer SW1-011 tablets. Signed-off-by: Brian O'Keefe Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/b9e1523f-2ba7-fb82-646a-37f095b4440e@alum.wpi.edu Cc: stable Signed-off-by: Greg Kroah-Hartman commit 3a07581b04648c8acb634045c7060db392853efe Author: Vamshi K Sthambamkadi Date: Fri Oct 23 17:24:39 2020 +0530 efivarfs: fix memory leak in efivarfs_create() commit fe5186cf12e30facfe261e9be6c7904a170bd822 upstream. kmemleak report: unreferenced object 0xffff9b8915fcb000 (size 4096): comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s) hex dump (first 32 bytes): 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0 [<000000007d1dfa72>] efivarfs_create+0x6e/0x1a0 [<00000000e6ee18fc>] path_openat+0xe4b/0x1120 [<000000000ad0414f>] do_filp_open+0x91/0x100 [<00000000ce93a198>] do_sys_openat2+0x20c/0x2d0 [<000000002a91be6d>] do_sys_open+0x46/0x80 [<000000000a854999>] __x64_sys_openat+0x20/0x30 [<00000000c50d89c9>] do_syscall_64+0x38/0x90 [<00000000cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 In efivarfs_create(), inode->i_private is setup with efivar_entry object which is never freed. Cc: Signed-off-by: Vamshi K Sthambamkadi Link: https://lore.kernel.org/r/20201023115429.GA2479@cosmos Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman commit 123667ed90ef625ced9d0d071dc889985bfc6d55 Author: Fugang Duan Date: Wed Nov 11 10:51:36 2020 +0800 tty: serial: imx: keep console clocks always on commit e67c139c488e84e7eae6c333231e791f0e89b3fb upstream. For below code, there has chance to cause deadlock in SMP system: Thread 1: clk_enable_lock(); pr_info("debug message"); clk_enable_unlock(); Thread 2: imx_uart_console_write() clk_enable() clk_enable_lock(); Thread 1: Acuired clk enable_lock -> printk -> console_trylock_spinning Thread 2: console_unlock() -> imx_uart_console_write -> clk_disable -> Acquite clk enable_lock So the patch is to keep console port clocks always on like other console drivers. Fixes: 1cf93e0d5488 ("serial: imx: remove the uart_console() check") Acked-by: Uwe Kleine-König Signed-off-by: Fugang Duan Link: https://lore.kernel.org/r/20201111025136.29818-1-fugang.duan@nxp.com Cc: stable [fix up build warning - gregkh] Signed-off-by: Greg Kroah-Hartman commit 2d031d2452a969d956c7ce73a9e7988378c2e151 Author: PeiSen Hou Date: Wed Nov 11 08:58:59 2020 +0100 ALSA: hda/realtek: Add some Clove SSID in the ALC293(ALC1220) commit b5acfe152abaa2721c9ca8aa67f941d7de55d24e upstream. Fix "use as headset mic, without its own jack detect" problem. [ Minor coding style fixes by tiwai ] Signed-off-by: PeiSen Hou Cc: Link: https://lore.kernel.org/r/481963e4a5694ff19f27ae1e283d79ad@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 19de211a4a131ef56db05e040d8ef7281830ea8c Author: Takashi Iwai Date: Thu Nov 19 13:14:40 2020 +0100 ALSA: mixart: Fix mutex deadlock commit d21b96c8ed2aea7e6b7bf4735e1d2503cfbf4072 upstream. The code change for switching to non-atomic mode brought the unexpected mutex deadlock in get_msg(). It converted the spinlock with the existing mutex, but there were calls with the already holding the mutex. Since the only place that needs the extra lock is the code path from snd_mixart_send_msg(), remove the mutex lock in get_msg() and apply in the caller side for fixing the mutex deadlock. Fixes: 8d3a8b5cb57d ("ALSA: mixart: Use nonatomic PCM ops") Reported-by: Dan Carpenter Cc: Link: https://lore.kernel.org/r/20201119121440.18945-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2e870e4116e09e870bb915265a66b87efc2d82e2 Author: Takashi Sakamoto Date: Fri Nov 13 18:20:43 2020 +0900 ALSA: ctl: fix error path at adding user-defined element set commit 95a793c3bc75cf888e0e641d656e7d080f487d8b upstream. When processing request to add/replace user-defined element set, check of given element identifier and decision of numeric identifier is done in "__snd_ctl_add_replace()" helper function. When the result of check is wrong, the helper function returns error code. The error code shall be returned to userspace application. Current implementation includes bug to return zero to userspace application regardless of the result. This commit fixes the bug. Cc: Fixes: e1a7bfe38079 ("ALSA: control: Fix race between adding and removing a user element") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20201113092043.16148-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit def6149e400bb8a12a3032214a3fb3f54fec35ab Author: Joakim Tjernlund Date: Tue Nov 17 13:28:03 2020 +0100 ALSA: usb-audio: Add delay quirk for all Logitech USB devices commit 54a2a3898f469a915510038fe84ef4f083131d3e upstream. Found one more Logitech device, BCC950 ConferenceCam, which needs the same delay here. This makes 3 out of 3 devices I have tried. Therefore, add a delay for all Logitech devices as it does not hurt. Signed-off-by: Joakim Tjernlund Cc: # 4.19.y, 5.4.y Link: https://lore.kernel.org/r/20201117122803.24310-1-joakim.tjernlund@infinera.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e711b6e1c8ab0afe900d7a51b45ec4465e73aac8 Author: Dan Carpenter Date: Fri Nov 13 13:12:41 2020 +0300 ALSA: firewire: Clean up a locking issue in copy_resp_to_buf() commit 02a9c6ee4183af2e438454c55098b828a96085fb upstream. The spin_lock/unlock_irq() functions cannot be nested. The problem is that presumably we would want the IRQs to be re-enabled on the second call the spin_unlock_irq() but instead it will be enabled at the first call so IRQs will be enabled earlier than expected. In this situation the copy_resp_to_buf() function is only called from one function and it is called with IRQs disabled. We can just use the regular spin_lock/unlock() functions. Fixes: 555e8a8f7f14 ("ALSA: fireworks: Add command/response functionality into hwdep interface") Signed-off-by: Dan Carpenter Acked-by: Takashi Sakamoto Cc: Link: https://lore.kernel.org/r/20201113101241.GB168908@mwanda Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3560603ef82f11277143a433170bca05bd9288a8 Author: Samuel Thibault Date: Tue Nov 10 19:35:41 2020 +0100 speakup: Do not let the line discipline be used several times commit d4122754442799187d5d537a9c039a49a67e57f1 upstream. Speakup has only one speakup_tty variable to store the tty it is managing. This makes sense since its codebase currently assumes that there is only one user who controls the screen reading. That however means that we have to forbid using the line discipline several times, otherwise the second closure would try to free a NULL ldisc_data, leading to general protection fault: 0000 [#1] SMP KASAN PTI RIP: 0010:spk_ttyio_ldisc_close+0x2c/0x60 Call Trace: tty_ldisc_release+0xa2/0x340 tty_release_struct+0x17/0xd0 tty_release+0x9d9/0xcc0 __fput+0x231/0x740 task_work_run+0x12c/0x1a0 do_exit+0x9b5/0x2230 ? release_task+0x1240/0x1240 ? __do_page_fault+0x562/0xa30 do_group_exit+0xd5/0x2a0 __x64_sys_exit_group+0x35/0x40 do_syscall_64+0x89/0x2b0 ? page_fault+0x8/0x30 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Cc: stable@vger.kernel.org Reported-by: 秦世松 Signed-off-by: Samuel Thibault Tested-by: Shisong Qin Link: https://lore.kernel.org/r/20201110183541.fzgnlwhjpgqzjeth@function Signed-off-by: Greg Kroah-Hartman commit 7dfd3751915578b219cf1a25e312569fe0571739 Author: Yicong Yang Date: Sat Nov 21 22:17:19 2020 -0800 libfs: fix error cast of negative value in simple_attr_write() [ Upstream commit 488dac0c9237647e9b8f788b6a342595bfa40bda ] The attr->set() receive a value of u64, but simple_strtoll() is used for doing the conversion. It will lead to the error cast if user inputs a negative value. Use kstrtoull() instead of simple_strtoll() to convert a string got from the user to an unsigned value. The former will return '-EINVAL' if it gets a negetive value, but the latter can't handle the situation correctly. Make 'val' unsigned long long as what kstrtoull() takes, this will eliminate the compile warning on no 64-bit architectures. Fixes: f7b88631a897 ("fs/libfs.c: fix simple_attr_write() on 32bit machines") Signed-off-by: Yicong Yang Signed-off-by: Andrew Morton Cc: Al Viro Link: https://lkml.kernel.org/r/1605341356-11872-1-git-send-email-yangyicong@hisilicon.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b4013fde63242f76859a236ba3ca1c162cb7ebe5 Author: Arvind Sankar Date: Tue Nov 10 11:39:19 2020 -0500 efi/x86: Free efi_pgd with free_pages() [ Upstream commit c2fe61d8be491ff8188edaf22e838f819999146b ] Commit d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD") changed the PGD allocation to allocate PGD_ALLOCATION_ORDER pages, so in the error path it should be freed using free_pages() rather than free_page(). Commit 06ace26f4e6f ("x86/efi: Free efi_pgd with free_pages()") fixed one instance of this, but missed another. Move the freeing out-of-line to avoid code duplication and fix this bug. Fixes: d9e9a6418065 ("x86/mm/pti: Allocate a separate user PGD") Link: https://lore.kernel.org/r/20201110163919.1134431-1-nivedita@alum.mit.edu Signed-off-by: Arvind Sankar Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 088ad76f42062164775af47464f56c7fc6a13fca Author: Darrick J. Wong Date: Thu Nov 19 15:17:50 2020 -0800 xfs: revert "xfs: fix rmap key and record comparison functions" [ Upstream commit eb8409071a1d47e3593cfe077107ac46853182ab ] This reverts commit 6ff646b2ceb0eec916101877f38da0b73e3a5b7f. Your maintainer committed a major braino in the rmap code by adding the attr fork, bmbt, and unwritten extent usage bits into rmap record key comparisons. While XFS uses the usage bits *in the rmap records* for cross-referencing metadata in xfs_scrub and xfs_repair, it only needs the owner and offset information to distinguish between reverse mappings of the same physical extent into the data fork of a file at multiple offsets. The other bits are not important for key comparisons for index lookups, and never have been. Eric Sandeen reports that this causes regressions in generic/299, so undo this patch before it does more damage. Reported-by: Eric Sandeen Fixes: 6ff646b2ceb0 ("xfs: fix rmap key and record comparison functions") Signed-off-by: Darrick J. Wong Reviewed-by: Eric Sandeen Signed-off-by: Sasha Levin commit 730b192ad262545a269483609f52d29bff503507 Author: Luo Meng Date: Wed Nov 18 22:49:31 2020 +0900 fail_function: Remove a redundant mutex unlock [ Upstream commit 2801a5da5b25b7af9dd2addd19b2315c02d17b64 ] Fix a mutex_unlock() issue where before copy_from_user() is not called mutex_locked. Fixes: 4b1a29a7f542 ("error-injection: Support fault injection framework") Reported-by: Hulk Robot Signed-off-by: Luo Meng Signed-off-by: Masami Hiramatsu Signed-off-by: Alexei Starovoitov Acked-by: Masami Hiramatsu Link: https://lore.kernel.org/bpf/160570737118.263807.8358435412898356284.stgit@devnote2 Signed-off-by: Sasha Levin commit edca48315fc31107f541c10da796e591fc50765b Author: Nishanth Menon Date: Wed Nov 18 08:50:09 2020 -0600 regulator: ti-abb: Fix array out of bound read access on the first transition [ Upstream commit 2ba546ebe0ce2af47833d8912ced9b4a579f13cb ] At the start of driver initialization, we do not know what bias setting the bootloader has configured the system for and we only know for certain the very first time we do a transition. However, since the initial value of the comparison index is -EINVAL, this negative value results in an array out of bound access on the very first transition. Since we don't know what the setting is, we just set the bias configuration as there is nothing to compare against. This prevents the array out of bound access. NOTE: Even though we could use a more relaxed check of "< 0" the only valid values(ignoring cosmic ray induced bitflips) are -EINVAL, 0+. Fixes: 40b1936efebd ("regulator: Introduce TI Adaptive Body Bias(ABB) on-chip LDO driver") Link: https://lore.kernel.org/linux-mm/CA+G9fYuk4imvhyCN7D7T6PMDH6oNp6HDCRiTUKMQ6QXXjBa4ag@mail.gmail.com/ Reported-by: Naresh Kamboju Reviewed-by: Arnd Bergmann Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20201118145009.10492-1-nm@ti.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d88cc6f344a2b4a8095a0c8f392b4fa632707276 Author: Darrick J. Wong Date: Sun Nov 8 16:32:41 2020 -0800 xfs: strengthen rmap record flags checking [ Upstream commit 498fe261f0d6d5189f8e11d283705dd97b474b54 ] We always know the correct state of the rmap record flags (attr, bmbt, unwritten) so check them by direct comparison. Fixes: d852657ccfc0 ("xfs: cross-reference reverse-mapping btree") Signed-off-by: Darrick J. Wong Reviewed-by: Chandan Babu R Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 804b269c252445d3b98497c8b02db0152c65cd63 Author: Darrick J. Wong Date: Sun Nov 8 16:32:41 2020 -0800 xfs: fix the minrecs logic when dealing with inode root child blocks [ Upstream commit e95b6c3ef1311dd7b20467d932a24b6d0fd88395 ] The comment and logic in xchk_btree_check_minrecs for dealing with inode-rooted btrees isn't quite correct. While the direct children of the inode root are allowed to have fewer records than what would normally be allowed for a regular ondisk btree block, this is only true if there is only one child block and the number of records don't fit in the inode root. Fixes: 08a3a692ef58 ("xfs: btree scrub should check minrecs") Signed-off-by: Darrick J. Wong Reviewed-by: Chandan Babu R Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 789cbe71299d4c648ae6aa88945dddff6cabe469 Author: Jimmy Assarsson Date: Sun Nov 15 17:30:23 2020 +0100 can: kvaser_usb: kvaser_usb_hydra: Fix KCAN bittiming limits [ Upstream commit d003868d7f8579838ed58b6429af91844039b6f8 ] Use correct bittiming limits for the KCAN CAN controller. Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/r/20201115163027.16851-2-jimmyassarsson@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f2cd428c31ba89936455125448b627d611da96a8 Author: Xiongfeng Wang Date: Mon Nov 16 09:09:29 2020 +0800 drm/sun4i: dw-hdmi: fix error return code in sun8i_dw_hdmi_bind() [ Upstream commit 6654b57866b98230a270953dd34f67de17ab1708 ] Fix to return a negative error code from the error handling case instead of 0 in function sun8i_dw_hdmi_bind(). Fixes: b7c7436a5ff0 ("drm/sun4i: Implement A83T HDMI driver") Reported-by: Hulk Robot Signed-off-by: Xiongfeng Wang Reviewed-by: Jernej Skrabec Signed-off-by: Jernej Skrabec Link: https://patchwork.freedesktop.org/patch/msgid/1605488969-5211-1-git-send-email-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit 62c285777cf7473f9b91fc31e6d13efca6fa3075 Author: Zhang Qilong Date: Fri Nov 13 21:18:56 2020 +0800 MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu [ Upstream commit ac3b57adf87ad9bac7e33ca26bbbb13fae1ed62b ] If the clk_register fails, we should free h before function returns to prevent memleak. Fixes: 474402291a0ad ("MIPS: Alchemy: clock framework integration of onchip clocks") Reported-by: Hulk Robot Signed-off-by: Zhang Qilong Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit e6f49ea48162b0c2fefcd499b7af1e102750e8e4 Author: Srinivasa Rao Mandadapu Date: Sun Nov 15 10:26:50 2020 +0530 ASoC: qcom: lpass-platform: Fix memory leak [ Upstream commit bd6327fda2f3ded85b69b3c3125c99aaa51c7881 ] lpass_pcm_data is not freed in error paths. Free it in error paths to avoid memory leak. Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") Signed-off-by: Pavel Machek Signed-off-by: V Sujith Kumar Reddy Signed-off-by: Srinivasa Rao Mandadapu Link: https://lore.kernel.org/r/1605416210-14530-1-git-send-email-srivasam@codeaurora.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c8148a10054f5ae23afa2a8c3da0f89890b08a77 Author: Wu Bo Date: Wed Jan 29 10:23:30 2020 +0800 can: m_can: m_can_handle_state_change(): fix state change [ Upstream commit cd0d83eab2e0c26fe87a10debfedbb23901853c1 ] m_can_handle_state_change() is called with the new_state as an argument. In the switch statements for CAN_STATE_ERROR_ACTIVE, the comment and the following code indicate that a CAN_STATE_ERROR_WARNING is handled. This patch fixes this problem by changing the case to CAN_STATE_ERROR_WARNING. Signed-off-by: Wu Bo Link: http://lore.kernel.org/r/20200129022330.21248-2-wubo.oduw@gmail.com Cc: Dan Murphy Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 0069f22dc29ec971161c22b79516c998d01852bb Author: Colin Ian King Date: Thu Nov 5 11:24:27 2020 +0000 can: peak_usb: fix potential integer overflow on shift of a int [ Upstream commit 8a68cc0d690c9e5730d676b764c6f059343b842c ] The left shift of int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit variable. In the case where time_ref->adapter->ts_used_bits is 32 or more this can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro instead. Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20201105112427.40688-1-colin.king@canonical.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 6521ffa41b5b6e59dd72a502bdbea507a8d287a2 Author: Marc Kleine-Budde Date: Wed Aug 28 21:16:55 2019 +0200 can: mcba_usb: mcba_usb_start_xmit(): first fill skb, then pass to can_put_echo_skb() [ Upstream commit 81c9c8e0adef3285336b942f93287c554c89e6c6 ] The driver has to first fill the skb with data and then handle it to can_put_echo_skb(). This patch moves the can_put_echo_skb() down, right before sending the skb out via USB. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Cc: Remigiusz Kołłątaj Link: https://lore.kernel.org/r/20201111221204.1639007-1-mkl@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 80b9f0191a3b458f7cc3c4ed72011963920b59d6 Author: Zhang Qilong Date: Sat Nov 14 19:17:08 2020 +0800 can: ti_hecc: Fix memleak in ti_hecc_probe [ Upstream commit 7968c7c79d3be8987feb8021f0c46e6866831408 ] In the error handling, we should goto the probe_exit_candev to free ndev to prevent memory leak. Fixes: dabf54dd1c63 ("can: ti_hecc: Convert TI HECC driver to DT only driver") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20201114111708.3465543-1-zhangqilong3@huawei.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit cef79b5249ea3bf7889f222999a3bcbc560d9a41 Author: Alejandro Concepcion Rodriguez Date: Thu Nov 5 21:51:47 2020 +0000 can: dev: can_restart(): post buffer from the right context [ Upstream commit a1e654070a60d5d4f7cce59c38f4ca790bb79121 ] netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead. Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Co-developed-by: Loris Fauster Signed-off-by: Loris Fauster Signed-off-by: Alejandro Concepcion Rodriguez Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e2b9ee9fe6c11f1b6ea5965ede224e33ca1358b9 Author: Anant Thazhemadam Date: Wed Nov 4 03:09:06 2020 +0530 can: af_can: prevent potential access of uninitialized member in canfd_rcv() [ Upstream commit 9aa9379d8f868e91719333a7f063ccccc0579acc ] In canfd_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CANFD_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: d4689846881d ("can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by: Anant Thazhemadam Signed-off-by: Anant Thazhemadam Link: https://lore.kernel.org/r/20201103213906.24219-3-anant.thazhemadam@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 038004dfd337b6f10b0fd54b445620132801c180 Author: Anant Thazhemadam Date: Wed Nov 4 03:09:05 2020 +0530 can: af_can: prevent potential access of uninitialized member in can_rcv() [ Upstream commit c8c958a58fc67f353289986850a0edf553435702 ] In can_rcv(), cfd->len is uninitialized when skb->len = 0, and this uninitialized cfd->len is accessed nonetheless by pr_warn_once(). Fix this uninitialized variable access by checking cfd->len's validity condition (cfd->len > CAN_MAX_DLEN) separately after the skb->len's condition is checked, and appropriately modify the log messages that are generated as well. In case either of the required conditions fail, the skb is freed and NET_RX_DROP is returned, same as before. Fixes: 8cb68751c115 ("can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once") Reported-by: syzbot+9bcb0c9409066696d3aa@syzkaller.appspotmail.com Tested-by: Anant Thazhemadam Signed-off-by: Anant Thazhemadam Link: https://lore.kernel.org/r/20201103213906.24219-2-anant.thazhemadam@gmail.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 901e04cd478133ba6458fecbd3b232b528d26f3b Author: Yi-Hung Wei Date: Tue Nov 10 16:16:40 2020 -0800 ip_tunnels: Set tunnel option flag when tunnel metadata is present [ Upstream commit 9c2e14b48119b39446031d29d994044ae958d8fc ] Currently, we may set the tunnel option flag when the size of metadata is zero. For example, we set TUNNEL_GENEVE_OPT in the receive function no matter the geneve option is present or not. As this may result in issues on the tunnel flags consumers, this patch fixes the issue. Related discussion: * https://lore.kernel.org/netdev/1604448694-19351-1-git-send-email-yihung.wei@gmail.com/T/#u Fixes: 256c87c17c53 ("net: check tunnel option type in tunnel flags") Signed-off-by: Yi-Hung Wei Link: https://lore.kernel.org/r/1605053800-74072-1-git-send-email-yihung.wei@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c4d54937576e5b9cdedb84e371eedf1f0ba67c0b Author: Leo Yan Date: Wed Nov 4 17:42:29 2020 +0800 perf lock: Don't free "lock_seq_stat" if read_count isn't zero [ Upstream commit b0e5a05cc9e37763c7f19366d94b1a6160c755bc ] When execute command "perf lock report", it hits failure and outputs log as follows: perf: builtin-lock.c:623: report_lock_release_event: Assertion `!(seq->read_count < 0)' failed. Aborted This is an imbalance issue. The locking sequence structure "lock_seq_stat" contains the reader counter and it is used to check if the locking sequence is balance or not between acquiring and releasing. If the tool wrongly frees "lock_seq_stat" when "read_count" isn't zero, the "read_count" will be reset to zero when allocate a new structure at the next time; thus it causes the wrong counting for reader and finally results in imbalance issue. To fix this issue, if detects "read_count" is not zero (means still have read user in the locking sequence), goto the "end" tag to skip freeing structure "lock_seq_stat". Fixes: e4cef1f65061 ("perf lock: Fix state machine to recognize lock sequence") Signed-off-by: Leo Yan Acked-by: Jiri Olsa Link: https://lore.kernel.org/r/20201104094229.17509-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 5c602c3908c985b31295fd5e95480158cdd6b029 Author: Necip Fazil Yildiran Date: Wed Nov 11 17:48:52 2020 -0800 Input: resistive-adc-touch - fix kconfig dependency on IIO_BUFFER [ Upstream commit 676650d007e06fddcf3fe38238251d71bd179641 ] When TOUCHSCREEN_ADC is enabled and IIO_BUFFER is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for IIO_BUFFER_CB Depends on [n]: IIO [=y] && IIO_BUFFER [=n] Selected by [y]: - TOUCHSCREEN_ADC [=y] && !UML && INPUT [=y] && INPUT_TOUCHSCREEN [=y] && IIO [=y] The reason is that TOUCHSCREEN_ADC selects IIO_BUFFER_CB without depending on or selecting IIO_BUFFER while IIO_BUFFER_CB depends on IIO_BUFFER. This can also fail building the kernel. Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures. Fixes: aa132ffb6b0a ("input: touchscreen: resistive-adc-touch: add generic resistive ADC touchscreen") Signed-off-by: Necip Fazil Yildiran Acked-by: Jonathan Cameron Link: https://lore.kernel.org/r/20201102221504.541279-1-fazilyildiran@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 84820e918532f9d575d532e9a5291b4fdbe9a684 Author: Fabio Estevam Date: Thu Nov 5 18:13:20 2020 -0300 ARM: dts: imx50-evk: Fix the chip select 1 IOMUX [ Upstream commit 33d0d843872c5ddbe28457a92fc6f2487315fb9f ] The SPI chip selects are represented as: cs-gpios = <&gpio4 11 GPIO_ACTIVE_LOW>, <&gpio4 13 GPIO_ACTIVE_LOW>; , which means that they are used in GPIO function instead of native SPI mode. Fix the IOMUX for the chip select 1 to use GPIO4_13 instead of the native CSPI_SSI function. Fixes: c605cbf5e135 ("ARM: dts: imx: add device tree support for Freescale imx50evk board") Signed-off-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit de42130e243d67aea194a4f4d1495d221b6200b7 Author: Sergey Matyukevich Date: Sat Oct 24 23:11:20 2020 +0300 arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy [ Upstream commit 7dd8f0ba88fce98e2953267a66af74c6f4792a56 ] Commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") fixed micrel phy driver adding proper support for phy modes. Adapt imx6q-udoo board phy settings : explicitly set required delay configuration using "rgmii-id". Fixes: cbd54fe0b2bc ("ARM: dts: imx6dl-udoo: Add board support based off imx6q-udoo") Signed-off-by: Sergey Matyukevich Reviewed-by: Fabio Estevam Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 4f25ec59fa3607ad8bcf5b0969848bbeddf0c024 Author: Nenad Peric Date: Wed Oct 28 12:58:17 2020 +0100 arm64: dts: allwinner: h5: OrangePi Prime: Fix ethernet node [ Upstream commit 107954afc5df667da438644aa4982606663f9b17 ] RX and TX delay are provided by ethernet PHY. Reflect that in ethernet node. Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes") Signed-off-by: Nenad Peric Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201028115817.68113-1-nperic@gmail.com Signed-off-by: Sasha Levin commit f09326086d2368c6ab7aa50e5aed18b4092c59a3 Author: Randy Dunlap Date: Fri Oct 23 12:44:40 2020 -0700 MIPS: export has_transparent_hugepage() for modules [ Upstream commit 31b4d8e172f614adc53ddecb4b6b2f6411a49b84 ] MIPS should export its local version of "has_transparent_hugepage" so that loadable modules (dax) can use it. Fixes this build error: ERROR: modpost: "has_transparent_hugepage" [drivers/dax/dax.ko] undefined! Fixes: fd8cfd300019 ("arch: fix has_transparent_hugepage()") Reported-by: kernel test robot Signed-off-by: Randy Dunlap Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: Dan Williams Cc: Vishal Verma Cc: Dave Jiang Cc: linux-nvdimm@lists.01.org Cc: Hugh Dickins Cc: Andrew Morton Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit cc63818d353767d4fec5820072ad9e80bcc495fd Author: Dan Carpenter Date: Mon Oct 26 17:10:09 2020 -0700 Input: adxl34x - clean up a data type in adxl34x_probe() [ Upstream commit 33b6c39e747c552fa770eecebd1776f1f4a222b1 ] The "revid" is used to store negative error codes so it should be an int type. Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Dan Carpenter Acked-by: Michael Hennerich Link: https://lore.kernel.org/r/20201026072824.GA1620546@mwanda Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 5f86796e5b68286687d3b83e6c602ed0e10c2a8c Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:15 2020 +0800 arm64: dts: allwinner: a64: bananapi-m64: Enable RGMII RX/TX delay on PHY [ Upstream commit 1a9a8910b2153cd3c4f3f2f8defcb853ead3b1fd ] The Ethernet PHY on the Bananapi M64 has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: e7295499903d ("arm64: allwinner: bananapi-m64: Enable dwmac-sun8i") Fixes: 94f442886711 ("arm64: dts: allwinner: A64: Restore EMAC changes") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Corentin Labbe Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-10-wens@kernel.org Signed-off-by: Sasha Levin commit 986e9f5de08c794d31a39ef777336aa769ac29da Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:11 2020 +0800 ARM: dts: sun8i: a83t: Enable both RGMII RX/TX delay on Ethernet PHY [ Upstream commit 57dbe558457bf4042169bc1f334e3b53a8480a1c ] The Ethernet PHY on the Bananapi M3 and Cubietruck Plus have the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 039359948a4b ("ARM: dts: sun8i: a83t: Enable Ethernet on two boards") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-6-wens@kernel.org Signed-off-by: Sasha Levin commit 23a1a2eb19f3205f21ec7f30f8914cfab025196a Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:10 2020 +0800 ARM: dts: sun8i: h3: orangepi-plus2e: Enable RGMII RX/TX delay on Ethernet PHY [ Upstream commit e080ab31a0aa126b0a7e4f67f2b01b371b852c88 ] The Ethernet PHY on the Orange Pi Plus 2E has the RX and TX delays enabled on the PHY, using pull-ups on the RXDLY and TXDLY pins. Fix the phy-mode description to correct reflect this so that the implementation doesn't reconfigure the delays incorrectly. This happened with commit bbc4d71d6354 ("net: phy: realtek: fix rtl8211e rx/tx delay config"). Fixes: 4904337fe34f ("ARM: dts: sunxi: Restore EMAC changes (boards)") Fixes: 7a78ef92cdc5 ("ARM: sun8i: h3: Enable EMAC with external PHY on Orange Pi Plus 2E") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Jernej Skrabec Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-5-wens@kernel.org Signed-off-by: Sasha Levin commit 763c1552ba021ca38cc4f54aec5e018037105257 Author: Chen-Yu Tsai Date: Sun Oct 25 00:25:06 2020 +0800 Revert "arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high" [ Upstream commit 8d80e2f00a42ef10b54e1b2d9e97314f8fd046c0 ] This reverts commit 75ee680cbd2e4d0156b94f9fec50076361ab12f2. Turns out the activity and link LEDs on the RJ45 port are active low, just like on the Orange Pi PC. Revert the commit that says otherwise. Fixes: 75ee680cbd2e ("arm: sun8i: orangepi-pc-plus: Set EMAC activity LEDs to active high") Fixes: 4904337fe34f ("ARM: dts: sunxi: Restore EMAC changes (boards)") Signed-off-by: Chen-Yu Tsai Signed-off-by: Maxime Ripard Tested-by: Jernej Skrabec Acked-by: Jernej Skrabec Link: https://lore.kernel.org/r/20201024162515.30032-1-wens@kernel.org Signed-off-by: Sasha Levin commit 135d34f9e2d4a132e3567fa9c09f621df86ee1a0 Author: Jernej Skrabec Date: Sun Oct 25 09:19:49 2020 +0100 ARM: dts: sun8i: r40: bananapi-m2-ultra: Fix ethernet node [ Upstream commit b3eec3212e66ece33f69be0de98d54e67834e798 ] Ethernet PHY on BananaPi M2 Ultra provides RX and TX delays. Fix ethernet node to reflect that fact. Fixes: c36fd5a48bd2 ("ARM: dts: sun8i: r40: bananapi-m2-ultra: Enable GMAC ethernet controller") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201025081949.783443-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit ca174b841b23c482eccc98fdaca91cd8015e0d24 Author: Jernej Skrabec Date: Fri Oct 23 20:48:58 2020 +0200 arm64: dts: allwinner: h5: OrangePi PC2: Fix ethernet node [ Upstream commit b34bf9f6a623ddb82600a5ed5c644224122395e1 ] RX and TX delay are provided by ethernet PHY. Reflect that in ethernet node. Fixes: 44a94c7ef989 ("arm64: dts: allwinner: H5: Restore EMAC changes") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201023184858.3272918-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit 69bad74c825cc2992c22ad8db7f3758a37c9b1c7 Author: Jernej Skrabec Date: Thu Oct 22 23:13:01 2020 +0200 arm64: dts: allwinner: a64: Pine64 Plus: Fix ethernet node [ Upstream commit 927f42fcc1b4f7d04a2ac5cf02f25612aa8923a4 ] According to board schematic, PHY provides both, RX and TX delays. However, according to "fix" Realtek provided for this board, only TX delay should be provided by PHY. Tests show that both variants work but TX only PHY delay works slightly better. Update ethernet node to reflect the fact that PHY provides TX delay. Fixes: 94f442886711 ("arm64: dts: allwinner: A64: Restore EMAC changes") Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20201022211301.3548422-1-jernej.skrabec@siol.net Signed-off-by: Sasha Levin commit c7d7fe001b6fb46d2e625c2f28acecf0c2d7dae6 Author: Darrick J. Wong Date: Tue Nov 10 16:49:29 2020 -0800 vfs: remove lockdep bogosity in __sb_start_write [ Upstream commit 22843291efc986ce7722610073fcf85a39b4cb13 ] __sb_start_write has some weird looking lockdep code that claims to exist to handle nested freeze locking requests from xfs. The code as written seems broken -- if we think we hold a read lock on any of the higher freeze levels (e.g. we hold SB_FREEZE_WRITE and are trying to lock SB_FREEZE_PAGEFAULT), it converts a blocking lock attempt into a trylock. However, it's not correct to downgrade a blocking lock attempt to a trylock unless the downgrading code or the callers are prepared to deal with that situation. Neither __sb_start_write nor its callers handle this at all. For example: sb_start_pagefault ignores the return value completely, with the result that if xfs_filemap_fault loses a race with a different thread trying to fsfreeze, it will proceed without pagefault freeze protection (thereby breaking locking rules) and then unlocks the pagefault freeze lock that it doesn't own on its way out (thereby corrupting the lock state), which leads to a system hang shortly afterwards. Normally, this won't happen because our ownership of a read lock on a higher freeze protection level blocks fsfreeze from grabbing a write lock on that higher level. *However*, if lockdep is offline, lock_is_held_type unconditionally returns 1, which means that percpu_rwsem_is_held returns 1, which means that __sb_start_write unconditionally converts blocking freeze lock attempts into trylocks, even when we *don't* hold anything that would block a fsfreeze. Apparently this all held together until 5.10-rc1, when bugs in lockdep caused lockdep to shut itself off early in an fstests run, and once fstests gets to the "race writes with freezer" tests, kaboom. This might explain the long trail of vanishingly infrequent livelocks in fstests after lockdep goes offline that I've never been able to diagnose. We could fix it by spinning on the trylock if wait==true, but AFAICT the locking works fine if lockdep is not built at all (and I didn't see any complaints running fstests overnight), so remove this snippet entirely. NOTE: Commit f4b554af9931 in 2015 created the current weird logic (which used to exist in a different form in commit 5accdf82ba25c from 2012) in __sb_start_write. XFS solved this whole problem in the late 2.6 era by creating a variant of transactions (XFS_TRANS_NO_WRITECOUNT) that don't grab intwrite freeze protection, thus making lockdep's solution unnecessary. The commit claims that Dave Chinner explained that the trylock hack + comment could be removed, but nobody ever did. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Jan Kara Signed-off-by: Sasha Levin commit 331298e711e7da5c296c55b4e7ec9ee7894126a7 Author: Will Deacon Date: Fri Nov 6 09:57:55 2020 +0000 arm64: psci: Avoid printing in cpu_psci_cpu_die() [ Upstream commit 891deb87585017d526b67b59c15d38755b900fea ] cpu_psci_cpu_die() is called in the context of the dying CPU, which will no longer be online or tracked by RCU. It is therefore not generally safe to call printk() if the PSCI "cpu off" request fails, so remove the pr_crit() invocation. Cc: Qian Cai Cc: "Paul E. McKenney" Cc: Catalin Marinas Link: https://lore.kernel.org/r/20201106103602.9849-2-will@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 2e22375d80bebc8ea9aa930c047da93adb8d2390 Author: Hans de Goede Date: Sat Nov 7 14:32:54 2020 +0100 ACPI: button: Add DMI quirk for Medion Akoya E2228T [ Upstream commit 7daaa06357bf7f1874b62bb1ea9d66a51d4e567e ] The Medion Akoya E2228T's ACPI _LID implementation is quite broken, it has the same issues as the one from the Medion Akoya E2215T: 1. For notifications it uses an ActiveLow Edge GpioInt, rather then an ActiveBoth one, meaning that the device is only notified when the lid is closed, not when it is opened. 2. Matching with this its _LID method simply always returns 0 (closed) In order for the Linux LID code to work properly with this implementation, the lid_init_state selection needs to be set to ACPI_BUTTON_LID_INIT_OPEN, add a DMI quirk for this. While working on this I also found out that the MD60### part of the model number differs per country/batch while all of the E2215T and E2228T models have this issue, so also remove the " MD60198" part from the E2215T quirk. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 496b92f27f1fa5be414a6f537c3afff7afdb006d Author: Aaron Lewis Date: Mon Oct 12 12:47:13 2020 -0700 selftests: kvm: Fix the segment descriptor layout to match the actual layout [ Upstream commit df11f7dd5834146defa448acba097e8d7703cc42 ] Fix the layout of 'struct desc64' to match the layout described in the SDM Vol 3, Chapter 3 "Protected-Mode Memory Management", section 3.4.5 "Segment Descriptors", Figure 3-8 "Segment Descriptor". The test added later in this series relies on this and crashes if this layout is not correct. Signed-off-by: Aaron Lewis Reviewed-by: Alexander Graf Message-Id: <20201012194716.3950330-2-aaronlewis@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4d3413ba2360363f77fa133af128a3034203a021 Author: Can Guo Date: Mon Nov 2 22:24:39 2020 -0800 scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold() [ Upstream commit da3fecb0040324c08f1587e5bff1f15f36be1872 ] The scsi_block_reqs_cnt increased in ufshcd_hold() is supposed to be decreased back in ufshcd_ungate_work() in a paired way. However, if specific ufshcd_hold/release sequences are met, it is possible that scsi_block_reqs_cnt is increased twice but only one ungate work is queued. To make sure scsi_block_reqs_cnt is handled by ufshcd_hold() and ufshcd_ungate_work() in a paired way, increase it only if queue_work() returns true. Link: https://lore.kernel.org/r/1604384682-15837-2-git-send-email-cang@codeaurora.org Reviewed-by: Hongwu Su Reviewed-by: Stanley Chu Reviewed-by: Bean Huo Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6c5f86abc3b58054455f23eaee5537dba353c8d6 Author: Jianqun Xu Date: Tue Oct 13 14:37:30 2020 +0800 pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq [ Upstream commit 63fbf8013b2f6430754526ef9594f229c7219b1f ] There need to enable pclk_gpio when do irq_create_mapping, since it will do access to gpio controller. Signed-off-by: Jianqun Xu Reviewed-by: Heiko Stuebner Reviewed-by: Kever Yang Link: https://lore.kernel.org/r/20201013063731.3618-3-jay.xu@rock-chips.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit fe428936b9157d6254e5d7c09d5f62ed98eb66c6 Author: Joel Stanley Date: Tue Nov 17 13:14:48 2020 +1030 net: ftgmac100: Fix crash when removing driver [ Upstream commit 3d5179458d22dc0b4fdc724e4bed4231a655112a ] When removing the driver we would hit BUG_ON(!list_empty(&dev->ptype_specific)) in net/core/dev.c due to still having the NC-SI packet handler registered. # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/unbind ------------[ cut here ]------------ kernel BUG at net/core/dev.c:10254! Internal error: Oops - BUG: 0 [#1] SMP ARM CPU: 0 PID: 115 Comm: sh Not tainted 5.10.0-rc3-next-20201111-00007-g02e0365710c4 #46 Hardware name: Generic DT based system PC is at netdev_run_todo+0x314/0x394 LR is at cpumask_next+0x20/0x24 pc : [<806f5830>] lr : [<80863cb0>] psr: 80000153 sp : 855bbd58 ip : 00000001 fp : 855bbdac r10: 80c03d00 r9 : 80c06228 r8 : 81158c54 r7 : 00000000 r6 : 80c05dec r5 : 80c05d18 r4 : 813b9280 r3 : 813b9054 r2 : 8122c470 r1 : 00000002 r0 : 00000002 Flags: Nzcv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none Control: 00c5387d Table: 85514008 DAC: 00000051 Process sh (pid: 115, stack limit = 0x7cb5703d) ... Backtrace: [<806f551c>] (netdev_run_todo) from [<80707eec>] (rtnl_unlock+0x18/0x1c) r10:00000051 r9:854ed710 r8:81158c54 r7:80c76bb0 r6:81158c10 r5:8115b410 r4:813b9000 [<80707ed4>] (rtnl_unlock) from [<806f5db8>] (unregister_netdev+0x2c/0x30) [<806f5d8c>] (unregister_netdev) from [<805a8180>] (ftgmac100_remove+0x20/0xa8) r5:8115b410 r4:813b9000 [<805a8160>] (ftgmac100_remove) from [<805355e4>] (platform_drv_remove+0x34/0x4c) Fixes: bd466c3fb5a4 ("net/faraday: Support NCSI mode") Signed-off-by: Joel Stanley Link: https://lore.kernel.org/r/20201117024448.1170761-1-joel@jms.id.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 82e2d2b06485a51191a5a72538e0bef5397f1014 Author: Joel Stanley Date: Thu Nov 12 16:42:10 2020 +1030 net/ncsi: Fix netlink registration [ Upstream commit 1922a46b8c18cb09d33e06a6cc2e43844ac1b9d0 ] If a user unbinds and re-binds a NC-SI aware driver the kernel will attempt to register the netlink interface at runtime. The structure is marked __ro_after_init so registration fails spectacularly at this point. # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/unbind # echo 1e660000.ethernet > /sys/bus/platform/drivers/ftgmac100/bind ftgmac100 1e660000.ethernet: Read MAC address 52:54:00:12:34:56 from chip ftgmac100 1e660000.ethernet: Using NCSI interface 8<--- cut here --- Unable to handle kernel paging request at virtual address 80a8f858 pgd = 8c768dd6 [80a8f858] *pgd=80a0841e(bad) Internal error: Oops: 80d [#1] SMP ARM CPU: 0 PID: 116 Comm: sh Not tainted 5.10.0-rc3-next-20201111-00003-gdd25b227ec1e #51 Hardware name: Generic DT based system PC is at genl_register_family+0x1f8/0x6d4 LR is at 0xff26ffff pc : [<8073f930>] lr : [] psr: 20000153 sp : 8553bc80 ip : 81406244 fp : 8553bd04 r10: 8085d12c r9 : 80a8f73c r8 : 85739000 r7 : 00000017 r6 : 80a8f860 r5 : 80c8ab98 r4 : 80a8f858 r3 : 00000000 r2 : 00000000 r1 : 81406130 r0 : 00000017 Flags: nzCv IRQs on FIQs off Mode SVC_32 ISA ARM Segment none Control: 00c5387d Table: 85524008 DAC: 00000051 Process sh (pid: 116, stack limit = 0x1f1988d6) ... Backtrace: [<8073f738>] (genl_register_family) from [<80860ac0>] (ncsi_init_netlink+0x20/0x48) r10:8085d12c r9:80c8fb0c r8:85739000 r7:00000000 r6:81218000 r5:85739000 r4:8121c000 [<80860aa0>] (ncsi_init_netlink) from [<8085d740>] (ncsi_register_dev+0x1b0/0x210) r5:8121c400 r4:8121c000 [<8085d590>] (ncsi_register_dev) from [<805a8060>] (ftgmac100_probe+0x6e0/0x778) r10:00000004 r9:80950228 r8:8115bc10 r7:8115ab00 r6:9eae2c24 r5:813b6f88 r4:85739000 [<805a7980>] (ftgmac100_probe) from [<805355ec>] (platform_drv_probe+0x58/0xa8) r9:80c76bb0 r8:00000000 r7:80cd4974 r6:80c76bb0 r5:8115bc10 r4:00000000 [<80535594>] (platform_drv_probe) from [<80532d58>] (really_probe+0x204/0x514) r7:80cd4974 r6:00000000 r5:80cd4868 r4:8115bc10 Jakub pointed out that ncsi_register_dev is obviously broken, because there is only one family so it would never work if there was more than one ncsi netdev. Fix the crash by registering the netlink family once on boot, and drop the code to unregister it. Fixes: 955dc68cb9b2 ("net/ncsi: Add generic netlink family") Signed-off-by: Joel Stanley Reviewed-by: Samuel Mendoza-Jonas Link: https://lore.kernel.org/r/20201112061210.914621-1-joel@jms.id.au Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d36ae6f988ad045af852a846288d0dea7ab1447f Author: Filip Moc Date: Tue Nov 17 18:36:31 2020 +0100 net: usb: qmi_wwan: Set DTR quirk for MR400 [ Upstream commit df8d85d8c69d6837817e54dcb73c84a8b5a13877 ] LTE module MR400 embedded in TL-MR6400 v4 requires DTR to be set. Signed-off-by: Filip Moc Acked-by: Bjørn Mork Link: https://lore.kernel.org/r/20201117173631.GA550981@moc6.cz Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ba0046dc414d64fff9bd5d74a0641cd25b214a2a Author: Vladyslav Tarasiuk Date: Wed Oct 21 11:05:41 2020 +0300 net/mlx5: Disable QoS when min_rates on all VFs are zero [ Upstream commit 470b74758260e4abc2508cf1614573c00a00465c ] Currently when QoS is enabled for VF and any min_rate is configured, the driver sets bw_share value to at least 1 and doesn’t allow to set it to 0 to make minimal rate unlimited. It means there is always a minimal rate configured for every VF, even if user tries to remove it. In order to make QoS disable possible, check whether all vports have configured min_rate = 0. If this is true, set their bw_share to 0 to disable min_rate limitations. Fixes: c9497c98901c ("net/mlx5: Add support for setting VF min rate") Signed-off-by: Vladyslav Tarasiuk Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 88c2cfa3f78120bc755e538ffa8b456fc2ecf874 Author: Ryan Sharpelletti Date: Mon Nov 16 17:44:13 2020 +0000 tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate [ Upstream commit 1b9e2a8c99a5c021041bfb2d512dc3ed92a94ffd ] During loss recovery, retransmitted packets are forced to use TCP timestamps to calculate the RTT samples, which have a millisecond granularity. BBR is designed using a microsecond granularity. As a result, multiple RTT samples could be truncated to the same RTT value during loss recovery. This is problematic, as BBR will not enter PROBE_RTT if the RTT sample is <= the current min_rtt sample, meaning that if there are persistent losses, PROBE_RTT will constantly be pushed off and potentially never re-entered. This patch makes sure that BBR enters PROBE_RTT by checking if RTT sample is < the current min_rtt sample, rather than <=. The Netflix transport/TCP team discovered this bug in the Linux TCP BBR code during lab tests. Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control") Signed-off-by: Ryan Sharpelletti Signed-off-by: Neal Cardwell Signed-off-by: Soheil Hassas Yeganeh Signed-off-by: Yuchung Cheng Link: https://lore.kernel.org/r/20201116174412.1433277-1-sharpelletti.kdev@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c962aae4207730ec026a4a1f39128db11626953c Author: Xin Long Date: Sat Nov 14 13:22:53 2020 +0800 sctp: change to hold/put transport for proto_unreach_timer [ Upstream commit 057a10fa1f73d745c8e69aa54ab147715f5630ae ] A call trace was found in Hangbin's Codenomicon testing with debug kernel: [ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp] [ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0 [ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0 [ 2616.191533] Call Trace: [ 2616.194265] [ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0 [ 2616.207336] slab_free_freelist_hook+0xeb/0x140 [ 2616.220971] kfree+0xd6/0x2c0 [ 2616.224293] rcu_do_batch+0x3bd/0xc70 [ 2616.243096] rcu_core+0x8b9/0xd00 [ 2616.256065] __do_softirq+0x23d/0xacd [ 2616.260166] irq_exit+0x236/0x2a0 [ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620 [ 2616.269138] apic_timer_interrupt+0xf/0x20 [ 2616.273711] This is because it holds asoc when transport->proto_unreach_timer starts and puts asoc when the timer stops, and without holding transport the transport could be freed when the timer is still running. So fix it by holding/putting transport instead for proto_unreach_timer in transport, just like other timers in transport. v1->v2: - Also use sctp_transport_put() for the "out_unlock:" path in sctp_generate_proto_unreach_event(), as Marcelo noticed. Fixes: 50b5d6ad6382 ("sctp: Fix a race between ICMP protocol unreachable and connect()") Reported-by: Hangbin Liu Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/102788809b554958b13b95d33440f5448113b8d6.1605331373.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e2776f4b00520aa6042ececcf601f9a71b6ea6e3 Author: Zhang Changzhong Date: Fri Nov 13 14:16:26 2020 +0800 qlcnic: fix error return code in qlcnic_83xx_restart_hw() [ Upstream commit 3beb9be165083c2964eba1923601c3bfac0b02d4 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 3ced0a88cd4c ("qlcnic: Add support to run firmware POST") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1605248186-16013-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 3ac1662ac496f825033dfc44efb03af291c5bcba Author: Zhang Changzhong Date: Mon Nov 16 21:07:13 2020 +0800 qed: fix error return code in qed_iwarp_ll2_start() [ Upstream commit cb47d16ea21045c66eebbf5ed792e74a8537e27a ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 469981b17a4f ("qed: Add unaligned and packed packet processing") Fixes: fcb39f6c10b2 ("qed: Add mpa buffer descriptors for storing and processing mpa fpdus") Fixes: 1e28eaad07ea ("qed: Add iWARP support for fpdu spanned over more than two tcp packets") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Acked-by: Michal Kalderon  Link: https://lore.kernel.org/r/1605532033-27373-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 082b21d03479b566681f43b74677c249f6aad337 Author: Dongli Zhang Date: Sun Nov 15 12:10:29 2020 -0800 page_frag: Recover from memory pressure [ Upstream commit d8c19014bba8f565d8a2f1f46b4e38d1d97bf1a7 ] The ethernet driver may allocate skb (and skb->data) via napi_alloc_skb(). This ends up to page_frag_alloc() to allocate skb->data from page_frag_cache->va. During the memory pressure, page_frag_cache->va may be allocated as pfmemalloc page. As a result, the skb->pfmemalloc is always true as skb->data is from page_frag_cache->va. The skb will be dropped if the sock (receiver) does not have SOCK_MEMALLOC. This is expected behaviour under memory pressure. However, once kernel is not under memory pressure any longer (suppose large amount of memory pages are just reclaimed), the page_frag_alloc() may still re-use the prior pfmemalloc page_frag_cache->va to allocate skb->data. As a result, the skb->pfmemalloc is always true unless page_frag_cache->va is re-allocated, even if the kernel is not under memory pressure any longer. Here is how kernel runs into issue. 1. The kernel is under memory pressure and allocation of PAGE_FRAG_CACHE_MAX_ORDER in __page_frag_cache_refill() will fail. Instead, the pfmemalloc page is allocated for page_frag_cache->va. 2: All skb->data from page_frag_cache->va (pfmemalloc) will have skb->pfmemalloc=true. The skb will always be dropped by sock without SOCK_MEMALLOC. This is an expected behaviour. 3. Suppose a large amount of pages are reclaimed and kernel is not under memory pressure any longer. We expect skb->pfmemalloc drop will not happen. 4. Unfortunately, page_frag_alloc() does not proactively re-allocate page_frag_alloc->va and will always re-use the prior pfmemalloc page. The skb->pfmemalloc is always true even kernel is not under memory pressure any longer. Fix this by freeing and re-allocating the page instead of recycling it. References: https://lore.kernel.org/lkml/20201103193239.1807-1-dongli.zhang@oracle.com/ References: https://lore.kernel.org/linux-mm/20201105042140.5253-1-willy@infradead.org/ Suggested-by: Matthew Wilcox (Oracle) Cc: Aruna Ramakrishna Cc: Bert Barbe Cc: Rama Nichanamatlu Cc: Venkat Venkatsubra Cc: Manjunath Patil Cc: Joe Jin Cc: SRINIVAS Fixes: 79930f5892e1 ("net: do not deplete pfmemalloc reserve") Signed-off-by: Dongli Zhang Acked-by: Vlastimil Babka Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20201115201029.11903-1-dongli.zhang@oracle.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit dd7c76948628fb92faf794bc4fcfb662d6d395ce Author: Xie He Date: Thu Nov 12 02:35:06 2020 -0800 net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request [ Upstream commit 4ee18c179e5e815fa5575e0d2db0c05795a804ee ] The x25_disconnect function in x25_subr.c would decrease the refcount of "x25->neighbour" (struct x25_neigh) and reset this pointer to NULL. However, the x25_rx_call_request function in af_x25.c, which is called when we receive a connection request, does not increase the refcount when it assigns the pointer. Fix this issue by increasing the refcount of "struct x25_neigh" in x25_rx_call_request. This patch fixes frequent kernel crashes when using AF_X25 sockets. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Cc: Martin Schiller Signed-off-by: Xie He Link: https://lore.kernel.org/r/20201112103506.5875-1-xie.he.0141@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit af1b19b16b91b685ce2c093d7cd1f936c2fd7fd8 Author: Subash Abhinov Kasiviswanathan Date: Fri Nov 13 13:12:05 2020 -0700 net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup [ Upstream commit fc70f5bf5e525dde81565f0a30d5e39168062eba ] During rmnet unregistration, the real device rx_handler is first cleared followed by the removal of rx_handler_data after the rcu synchronization. Any packets in the receive path may observe that the rx_handler is NULL. However, there is no check when dereferencing this value to use the rmnet_port information. This fixes following splat by adding the NULL check. Unable to handle kernel NULL pointer dereference at virtual address 000000000000000d pc : rmnet_rx_handler+0x124/0x284 lr : rmnet_rx_handler+0x124/0x284 rmnet_rx_handler+0x124/0x284 __netif_receive_skb_core+0x758/0xd74 __netif_receive_skb+0x50/0x17c process_backlog+0x15c/0x1b8 napi_poll+0x88/0x284 net_rx_action+0xbc/0x23c __do_softirq+0x20c/0x48c Fixes: ceed73a2cf4a ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation") Signed-off-by: Sean Tranchetti Signed-off-by: Subash Abhinov Kasiviswanathan Link: https://lore.kernel.org/r/1605298325-3705-1-git-send-email-subashab@codeaurora.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 32515a2761a8ca0502a95b994706d1fb20c58fd1 Author: Aya Levin Date: Wed Nov 18 10:19:22 2020 +0200 net/mlx4_core: Fix init_hca fields offset [ Upstream commit 6d9c8d15af0ef20a66a0b432cac0d08319920602 ] Slave function read the following capabilities from the wrong offset: 1. log_mc_entry_sz 2. fs_log_entry_sz 3. log_mc_hash_sz Fix that by adjusting these capabilities offset to match firmware layout. Due to the wrong offset read, the following issues might occur: 1+2. Negative value reported at max_mcast_qp_attach. 3. Driver to init FW with multicast hash size of zero. Fixes: a40ded604365 ("net/mlx4_core: Add masking for a few queries on HCA caps") Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Reviewed-by: Eran Ben Elisha Signed-off-by: Tariq Toukan Link: https://lore.kernel.org/r/20201118081922.553-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 57e57c89063963128ef85522c230097cdc1ab4b3 Author: Paul Moore Date: Fri Nov 13 16:30:40 2020 -0500 netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() [ Upstream commit 1ba86d4366e023d96df3dbe415eea7f1dc08c303 ] Static checking revealed that a previous fix to netlbl_unlabel_staticlist() leaves a stack variable uninitialized, this patches fixes that. Fixes: 866358ec331f ("netlabel: fix our progress tracking in netlbl_unlabel_staticlist()") Reported-by: Dan Carpenter Signed-off-by: Paul Moore Reviewed-by: James Morris Link: https://lore.kernel.org/r/160530304068.15651.18355773009751195447.stgit@sifl Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c0e617c4e3c4b4dec1579bbcb02c5c60d1ae3a6c Author: Paul Moore Date: Sun Nov 8 09:08:26 2020 -0500 netlabel: fix our progress tracking in netlbl_unlabel_staticlist() [ Upstream commit 866358ec331f8faa394995fb4b511af1db0247c8 ] The current NetLabel code doesn't correctly keep track of the netlink dump state in some cases, in particular when multiple interfaces with large configurations are loaded. The problem manifests itself by not reporting the full configuration to userspace, even though it is loaded and active in the kernel. This patch fixes this by ensuring that the dump state is properly reset when necessary inside the netlbl_unlabel_staticlist() function. Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections") Signed-off-by: Paul Moore Link: https://lore.kernel.org/r/160484450633.3752.16512718263560813473.stgit@sifl Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 24184dfd51c9fbe0e478570f4cb3c3fbc8d1b594 Author: Florian Fainelli Date: Mon Nov 16 19:52:34 2020 -0800 net: Have netpoll bring-up DSA management interface [ Upstream commit 1532b9778478577152201adbafa7738b1e844868 ] DSA network devices rely on having their DSA management interface up and running otherwise their ndo_open() will return -ENETDOWN. Without doing this it would not be possible to use DSA devices as netconsole when configured on the command line. These devices also do not utilize the upper/lower linking so the check about the netpoll device having upper is not going to be a problem. The solution adopted here is identical to the one done for net/ipv4/ipconfig.c with 728c02089a0e ("net: ipv4: handle DSA enabled master network devices"), with the network namespace scope being restricted to that of the process configuring netpoll. Fixes: 04ff53f96a93 ("net: dsa: Add netconsole support") Tested-by: Vladimir Oltean Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20201117035236.22658-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 16e056beca596f6e03c2597914786f2b1c202f86 Author: Tobias Waldekranz Date: Thu Nov 12 12:43:35 2020 +0100 net: dsa: mv88e6xxx: Avoid VTU corruption on 6097 [ Upstream commit 92307069a96c07d9b6e74b96b79390e7cd7d2111 ] As soon as you add the second port to a VLAN, all other port membership configuration is overwritten with zeroes. The HW interprets this as all ports being "unmodified members" of the VLAN. In the simple case when all ports belong to the same VLAN, switching will still work. But using multiple VLANs or trying to set multiple ports as tagged members will not work. On the 6352, doing a VTU GetNext op, followed by an STU GetNext op will leave you with both the member- and state- data in the VTU/STU data registers. But on the 6097 (which uses the same implementation), the STU GetNext will override the information gathered from the VTU GetNext. Separate the two stages, parsing the result of the VTU GetNext before doing the STU GetNext. We opt to update the existing implementation for all applicable chips, as opposed to creating a separate callback for 6097, because although the previous implementation did work for (at least) 6352, the datasheet does not mention the masking behavior. Fixes: ef6fcea37f01 ("net: dsa: mv88e6xxx: get STU entry on VTU GetNext") Signed-off-by: Tobias Waldekranz Link: https://lore.kernel.org/r/20201112114335.27371-1-tobias@waldekranz.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b1197f5d6f532a3f82a66940c8cec44cf302bf6d Author: Heiner Kallweit Date: Fri Nov 13 10:27:27 2020 +0100 net: bridge: add missing counters to ndo_get_stats64 callback [ Upstream commit 7a30ecc9237681bb125cbd30eee92bef7e86293d ] In br_forward.c and br_input.c fields dev->stats.tx_dropped and dev->stats.multicast are populated, but they are ignored in ndo_get_stats64. Fixes: 28172739f0a2 ("net: fix 64 bit counters on 32 bit arches") Signed-off-by: Heiner Kallweit Link: https://lore.kernel.org/r/58ea9963-77ad-a7cf-8dfd-fc95ab95f606@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit fe43f8dbd1386bc632c5b0348d528c76f80d6e96 Author: Zhang Changzhong Date: Tue Nov 17 11:02:11 2020 +0800 net: b44: fix error return code in b44_init_one() [ Upstream commit 7b027c249da54f492699c43e26cba486cfd48035 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 39a6f4bce6b4 ("b44: replace the ssb_dma API with the generic DMA API") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Reviewed-by: Michael Chan Link: https://lore.kernel.org/r/1605582131-36735-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5ca57e8ee2ccf5dcab7a6be6db8b23f7c26f0cb7 Author: Ido Schimmel Date: Tue Nov 17 19:33:52 2020 +0200 mlxsw: core: Use variable timeout for EMAD retries [ Upstream commit 1f492eab67bced119a0ac7db75ef2047e29a30c6 ] The driver sends Ethernet Management Datagram (EMAD) packets to the device for configuration purposes and waits for up to 200ms for a reply. A request is retried up to 5 times. When the system is under heavy load, replies are not always processed in time and EMAD transactions fail. Make the process more robust to such delays by using exponential backoff. First wait for up to 200ms, then retransmit and wait for up to 400ms and so on. Fixes: caf7297e7ab5 ("mlxsw: core: Introduce support for asynchronous EMAD register access") Reported-by: Denis Yulevich Tested-by: Denis Yulevich Signed-off-by: Ido Schimmel Reviewed-by: Jiri Pirko Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 3e513faa2b7562fd1cce2ecefd60bf9d91981351 Author: Sven Van Asbroeck Date: Thu Nov 12 15:47:41 2020 -0500 lan743x: prevent entire kernel HANG on open, for some platforms [ Upstream commit 796a2665ca3e91ebaba7222f76fd9a035714e2d8 ] On arm imx6, when opening the chip's netdev, the whole Linux kernel intermittently hangs/freezes. This is caused by a bug in the driver code which tests if pcie interrupts are working correctly, using the software interrupt: 1. open: enable the software interrupt 2. open: tell the chip to assert the software interrupt 3. open: wait for flag 4. ISR: acknowledge s/w interrupt, set flag 5. open: notice flag, disable the s/w interrupt, continue Unfortunately the ISR only acknowledges the s/w interrupt, but does not disable it. This will re-trigger the ISR in a tight loop. On some (lucky) platforms, open proceeds to disable the s/w interrupt even while the ISR is 'spinning'. On arm imx6, the spinning ISR does not allow open to proceed, resulting in a hung Linux kernel. Fix minimally by disabling the s/w interrupt in the ISR, which will prevent it from spinning. This won't break anything because the s/w interrupt is used as a one-shot interrupt. Note that this is a minimal fix, overlooking many possible cleanups, e.g.: - lan743x_intr_software_isr() is completely redundant and reads INT_STS twice for no apparent reason - disabling the s/w interrupt in lan743x_intr_test_isr() is now redundant, but harmless - waiting on software_isr_flag can be converted from a sleeping poll loop to wait_event_timeout() Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") Tested-by: Sven Van Asbroeck # arm imx6 lan7430 Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201112204741.12375-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 65be1fe87ebcf45aa1773999435bcc7aa3810091 Author: Sven Van Asbroeck Date: Thu Nov 12 13:59:49 2020 -0500 lan743x: fix issue causing intermittent kernel log warnings [ Upstream commit e35df62e04cc6fc4b9d90d054732f138349ff9b1 ] When running this chip on arm imx6, we intermittently observe the following kernel warning in the log, especially when the system is under high load: [ 50.119484] ------------[ cut here ]------------ [ 50.124377] WARNING: CPU: 0 PID: 303 at kernel/softirq.c:169 __local_bh_enable_ip+0x100/0x184 [ 50.132925] IRQs not enabled as expected [ 50.159250] CPU: 0 PID: 303 Comm: rngd Not tainted 5.7.8 #1 [ 50.164837] Hardware name: Freescale i.MX6 Quad/DualLite (Device Tree) [ 50.171395] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 50.179162] [] (show_stack) from [] (dump_stack+0xac/0xd8) [ 50.186408] [] (dump_stack) from [] (__warn+0xd0/0x10c) [ 50.193391] [] (__warn) from [] (warn_slowpath_fmt+0x98/0xc4) [ 50.200892] [] (warn_slowpath_fmt) from [] (__local_bh_enable_ip+0x100/0x184) [ 50.209860] [] (__local_bh_enable_ip) from [] (destroy_conntrack+0x48/0xd8 [nf_conntrack]) [ 50.220038] [] (destroy_conntrack [nf_conntrack]) from [] (nf_conntrack_destroy+0x94/0x168) [ 50.230160] [] (nf_conntrack_destroy) from [] (skb_release_head_state+0xa0/0xd0) [ 50.239314] [] (skb_release_head_state) from [] (skb_release_all+0xc/0x24) [ 50.247946] [] (skb_release_all) from [] (consume_skb+0x74/0x17c) [ 50.255796] [] (consume_skb) from [] (lan743x_tx_release_desc+0x120/0x124) [ 50.264428] [] (lan743x_tx_release_desc) from [] (lan743x_tx_napi_poll+0x5c/0x18c) [ 50.273755] [] (lan743x_tx_napi_poll) from [] (net_rx_action+0x118/0x4a4) [ 50.282306] [] (net_rx_action) from [] (__do_softirq+0x13c/0x53c) [ 50.290157] [] (__do_softirq) from [] (irq_exit+0x150/0x17c) [ 50.297575] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb0) [ 50.305423] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90) [ 50.313790] [] (gic_handle_irq) from [] (__irq_usr+0x54/0x80) [ 50.321287] Exception stack(0xecd99fb0 to 0xecd99ff8) [ 50.326355] 9fa0: 1cf1aa74 00000001 00000001 00000000 [ 50.334547] 9fc0: 00000001 00000000 00000000 00000000 00000000 00000000 00004097 b6d17d14 [ 50.342738] 9fe0: 00000001 b6d17c60 00000000 b6e71f94 800b0010 ffffffff [ 50.349364] irq event stamp: 2525027 [ 50.352955] hardirqs last enabled at (2525026): [] net_rx_action+0xb4/0x4a4 [ 50.360892] hardirqs last disabled at (2525027): [] _raw_spin_lock_irqsave+0x1c/0x50 [ 50.369517] softirqs last enabled at (2524660): [] __do_softirq+0x38c/0x53c [ 50.377446] softirqs last disabled at (2524693): [] irq_exit+0x150/0x17c [ 50.385027] ---[ end trace c0b571db4bc8087d ]--- The driver is calling dev_kfree_skb() from code inside a spinlock, where h/w interrupts are disabled. This is forbidden, as documented in include/linux/netdevice.h. The correct function to use dev_kfree_skb_irq(), or dev_kfree_skb_any(). Fix by using the correct dev_kfree_skb_xxx() functions: in lan743x_tx_release_desc(): called by lan743x_tx_release_completed_descriptors() called by in lan743x_tx_napi_poll() which holds a spinlock called by lan743x_tx_release_all_descriptors() called by lan743x_tx_close() which can-sleep conclusion: use dev_kfree_skb_any() in lan743x_tx_xmit_frame(): which holds a spinlock conclusion: use dev_kfree_skb_irq() in lan743x_tx_close(): which can-sleep conclusion: use dev_kfree_skb() in lan743x_rx_release_ring_element(): called by lan743x_rx_close() which can-sleep called by lan743x_rx_open() which can-sleep conclusion: use dev_kfree_skb() Fixes: 23f0703c125b ("lan743x: Add main source files for new lan743x driver") Signed-off-by: Sven Van Asbroeck Link: https://lore.kernel.org/r/20201112185949.11315-1-TheSven73@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f0ec2cd03100ab287c9e5fce5ae56a76d6fc17a4 Author: Wang Hai Date: Mon Nov 16 16:20:18 2020 +0800 inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill() [ Upstream commit e33de7c5317e2827b2ba6fd120a505e9eb727b05 ] nlmsg_cancel() needs to be called in the error path of inet_req_diag_fill to cancel the message. Fixes: d545caca827b ("net: inet: diag: expose the socket mark to privileged processes.") Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201116082018.16496-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 8196e11a66d751752a25b62c6dc0e2923a5e6ff0 Author: Wang Hai Date: Fri Nov 13 19:16:22 2020 +0800 devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill() [ Upstream commit 849920c703392957f94023f77ec89ca6cf119d43 ] If sb_occ_port_pool_get() failed in devlink_nl_sb_port_pool_fill(), msg should be canceled by genlmsg_cancel(). Fixes: df38dafd2559 ("devlink: implement shared buffer occupancy monitoring interface") Reported-by: Hulk Robot Signed-off-by: Wang Hai Link: https://lore.kernel.org/r/20201113111622.11040-1-wanghai38@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d05c9bcab23ecbc68632c4fc8eda9af9c89eb647 Author: Edwin Peer Date: Sun Nov 15 19:27:49 2020 -0500 bnxt_en: read EEPROM A2h address using page 0 [ Upstream commit 4260330b32b14330cfe427d568ac5f5b29b5be3d ] The module eeprom address range returned by bnxt_get_module_eeprom() should be 256 bytes of A0h address space, the lower half of the A2h address space, and page 0 for the upper half of the A2h address space. Fix the firmware call by passing page_number 0 for the A2h slave address space. Fixes: 42ee18fe4ca2 ("bnxt_en: Add Support for ETHTOOL_GMODULEINFO and ETHTOOL_GMODULEEEPRO") Signed-off-by: Edwin Peer Signed-off-by: Michael Chan Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 735d1d973e6d0aae5f6875e7d9b087d2ccfed076 Author: Sebastian Andrzej Siewior Date: Mon Nov 16 17:21:14 2020 +0100 atm: nicstar: Unmap DMA on send error [ Upstream commit 6dceaa9f56e22d0f9b4c4ad2ed9e04e315ce7fe5 ] The `skb' is mapped for DMA in ns_send() but does not unmap DMA in case push_scqe() fails to submit the `skb'. The memory of the `skb' is released so only the DMA mapping is leaking. Unmap the DMA mapping in case push_scqe() failed. Fixes: 864a3ff635fa7 ("atm: [nicstar] remove virt_to_bus() and support 64-bit platforms") Cc: Chas Williams <3chas3@gmail.com> Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f8c18eab5413d1edbfdeda8e8102780c5af8c64d Author: Zhang Changzhong Date: Tue Nov 17 10:45:05 2020 +0800 ah6: fix error return code in ah6_input() [ Upstream commit a5ebcbdf34b65fcc07f38eaf2d60563b42619a59 ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Hulk Robot Signed-off-by: Zhang Changzhong Link: https://lore.kernel.org/r/1605581105-35295-1-git-send-email-zhangchangzhong@huawei.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman