commit 2b79150141611d3c6e1b55d4e70f49602482f0b8 Author: Greg Kroah-Hartman Date: Thu Oct 29 09:07:21 2020 +0100 Linux 4.14.203 Tested-by: Jeffrin Jose T Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20201027134909.701581493@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit d0b6efebed6f048d60483c21fe80b749429c4a2e Author: Mukesh Ojha Date: Mon Feb 20 18:52:11 2017 +0530 powerpc/powernv/opal-dump : Use IRQ_HANDLED instead of numbers in interrupt handler [ Upstream commit b29336c0e1785a28bc40a9fd47c2321671e9792e ] Fixes: 8034f715f ("powernv/opal-dump: Convert to irq domain") Converts all the return explicit number to a more proper IRQ_HANDLED, which looks proper incase of interrupt handler returning case. Here, It also removes error message like "nobody cared" which was getting unveiled while returning -1 or 0 from handler. Signed-off-by: Mukesh Ojha Reviewed-by: Vasant Hegde Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 6d6d017a6d7044f99b3b7e5e7c95ab3924a8ee88 Author: Lorenzo Colitti Date: Tue Aug 25 14:55:05 2020 +0900 usb: gadget: f_ncm: allow using NCM in SuperSpeed Plus gadgets. [ Upstream commit 7974ecd7d3c0f42a98566f281e44ea8573a2ad88 ] Currently, enabling f_ncm at SuperSpeed Plus speeds results in an oops in config_ep_by_speed because ncm_set_alt passes in NULL ssp_descriptors. Fix this by re-using the SuperSpeed descriptors. This is safe because usb_assign_descriptors calls usb_copy_descriptors. Tested: enabled f_ncm on a dwc3 gadget and 10Gbps link, ran iperf Reviewed-by: Maciej Żenczykowski Signed-off-by: Lorenzo Colitti Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 8a7e634bd3a2ac5dbe6146d06317b25530112f6e Author: Christian Eggers Date: Tue Jul 28 11:29:59 2020 +0200 eeprom: at25: set minimum read/write access stride to 1 commit 284f52ac1c6cfa1b2e5c11b84653dd90e4e91de7 upstream. SPI eeproms are addressed by byte. Signed-off-by: Christian Eggers Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200728092959.24600-1-ceggers@arri.de Signed-off-by: Greg Kroah-Hartman commit b27b1bcf9261327b66248a26fe2fd15be84ecdd6 Author: Oliver Neukum Date: Mon Sep 28 23:17:55 2020 +0900 USB: cdc-wdm: Make wdm_flush() interruptible and add wdm_fsync(). commit 37d2a36394d954413a495da61da1b2a51ecd28ab upstream. syzbot is reporting hung task at wdm_flush() [1], for there is a circular dependency that wdm_flush() from flip_close() for /dev/cdc-wdm0 forever waits for /dev/raw-gadget to be closed while close() for /dev/raw-gadget cannot be called unless close() for /dev/cdc-wdm0 completes. Tetsuo Handa considered that such circular dependency is an usage error [2] which corresponds to an unresponding broken hardware [3]. But Alan Stern responded that we should be prepared for such hardware [4]. Therefore, this patch changes wdm_flush() to use wait_event_interruptible_timeout() which gives up after 30 seconds, for hardware that remains silent must be ignored. The 30 seconds are coming out of thin air. Changing wait_event() to wait_event_interruptible_timeout() makes error reporting from close() syscall less reliable. To compensate it, this patch also implements wdm_fsync() which does not use timeout. Those who want to be very sure that data has gone out to the device are now advised to call fsync(), with a caveat that fsync() can return -EINVAL when running on older kernels which do not implement wdm_fsync(). This patch also fixes three more problems (listed below) found during exhaustive discussion and testing. Since multiple threads can concurrently call wdm_write()/wdm_flush(), we need to use wake_up_all() whenever clearing WDM_IN_USE in order to make sure that all waiters are woken up. Also, error reporting needs to use fetch-and-clear approach in order not to report same error for multiple times. Since wdm_flush() checks WDM_DISCONNECTING, wdm_write() should as well check WDM_DISCONNECTING. In wdm_flush(), since locks are not held, it is not safe to dereference desc->intf after checking that WDM_DISCONNECTING is not set [5]. Thus, remove dev_err() from wdm_flush(). [1] https://syzkaller.appspot.com/bug?id=e7b761593b23eb50855b9ea31e3be5472b711186 [2] https://lkml.kernel.org/r/27b7545e-8f41-10b8-7c02-e35a08eb1611@i-love.sakura.ne.jp [3] https://lkml.kernel.org/r/79ba410f-e0ef-2465-b94f-6b9a4a82adf5@i-love.sakura.ne.jp [4] https://lkml.kernel.org/r/20200530011040.GB12419@rowland.harvard.edu [5] https://lkml.kernel.org/r/c85331fc-874c-6e46-a77f-0ef1dc075308@i-love.sakura.ne.jp Reported-by: syzbot Cc: stable Co-developed-by: Tetsuo Handa Signed-off-by: Tetsuo Handa Signed-off-by: Oliver Neukum Cc: Alan Stern Link: https://lore.kernel.org/r/20200928141755.3476-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman commit d0528bf559b547a4450a4d9b9b3ea2d2586fff0c Author: Vincent Mailhol Date: Sat Oct 3 00:41:51 2020 +0900 usb: cdc-acm: add quirk to blacklist ETAS ES58X devices commit a4f88430af896bf34ec25a7a5f0e053fb3d928e0 upstream. The ES58X devices has a CDC ACM interface (used for debug purpose). During probing, the device is thus recognized as USB Modem (CDC ACM), preventing the etas-es58x module to load: usbcore: registered new interface driver etas_es58x usb 1-1.1: new full-speed USB device number 14 using xhci_hcd usb 1-1.1: New USB device found, idVendor=108c, idProduct=0159, bcdDevice= 1.00 usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3 usb 1-1.1: Product: ES581.4 usb 1-1.1: Manufacturer: ETAS GmbH usb 1-1.1: SerialNumber: 2204355 cdc_acm 1-1.1:1.0: No union descriptor, testing for castrated device cdc_acm 1-1.1:1.0: ttyACM0: USB ACM device Thus, these have been added to the ignore list in drivers/usb/class/cdc-acm.c N.B. Future firmware release of the ES58X will remove the CDC-ACM interface. `lsusb -v` of the three devices variant (ES581.4, ES582.1 and ES584.1): Bus 001 Device 011: ID 108c:0159 Robert Bosch GmbH ES581.4 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x108c Robert Bosch GmbH idProduct 0x0159 bcdDevice 1.00 iManufacturer 1 ETAS GmbH iProduct 2 ES581.4 iSerial 3 2204355 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0035 bNumInterfaces 1 bConfigurationValue 1 iConfiguration 5 Bus Powered Configuration bmAttributes 0x80 (Bus Powered) MaxPower 100mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 3 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 0 iInterface 4 ACM Control Interface CDC Header: bcdCDC 1.10 CDC Call Management: bmCapabilities 0x01 call management bDataInterface 0 CDC ACM: bmCapabilities 0x06 sends break line coding and serial state Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0010 1x 16 bytes bInterval 10 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x03 EP 3 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 0 Device Status: 0x0000 (Bus Powered) Bus 001 Device 012: ID 108c:0168 Robert Bosch GmbH ES582 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x108c Robert Bosch GmbH idProduct 0x0168 bcdDevice 1.00 iManufacturer 1 ETAS GmbH iProduct 2 ES582 iSerial 3 0108933 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0043 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Union: bMasterInterface 0 bSlaveInterface 1 CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 1 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x83 EP 3 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Device Qualifier (for other device speed): bLength 10 bDescriptorType 6 bcdUSB 2.00 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 bNumConfigurations 1 Device Status: 0x0000 (Bus Powered) Bus 001 Device 013: ID 108c:0169 Robert Bosch GmbH ES584.1 Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x108c Robert Bosch GmbH idProduct 0x0169 bcdDevice 1.00 iManufacturer 1 ETAS GmbH iProduct 2 ES584.1 iSerial 3 0100320 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0043 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x80 (Bus Powered) MaxPower 500mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Union: bMasterInterface 0 bSlaveInterface 1 CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 1 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x83 EP 3 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Device Qualifier (for other device speed): bLength 10 bDescriptorType 6 bcdUSB 2.00 bDeviceClass 2 Communications bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 bNumConfigurations 1 Device Status: 0x0000 (Bus Powered) Signed-off-by: Vincent Mailhol Cc: stable Link: https://lore.kernel.org/r/20201002154219.4887-8-mailhol.vincent@wanadoo.fr Signed-off-by: Greg Kroah-Hartman commit 69a0cf3fb401682d50ee4a229c1b4aff884df321 Author: Peng Fan Date: Tue Sep 29 17:55:09 2020 +0800 tty: serial: fsl_lpuart: fix lpuart32_poll_get_char commit 29788ab1d2bf26c130de8f44f9553ee78a27e8d5 upstream. The watermark is set to 1, so we need to input two chars to trigger RDRF using the original logic. With the new logic, we could always get the char when there is data in FIFO. Suggested-by: Fugang Duan Signed-off-by: Peng Fan Link: https://lore.kernel.org/r/20200929095509.21680-1-peng.fan@nxp.com Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 728f57428dc84301f05f8cbc7cd2f6d2dbfe2d5a Author: Valentin Vidic Date: Sun Oct 18 20:42:55 2020 +0200 net: korina: cast KSEG0 address to pointer in kfree [ Upstream commit 3bd57b90554b4bb82dce638e0668ef9dc95d3e96 ] Fixes gcc warning: passing argument 1 of 'kfree' makes pointer from integer without a cast Fixes: 3af5f0f5c74e ("net: korina: fix kfree of rx/tx descriptor array") Reported-by: kernel test robot Signed-off-by: Valentin Vidic Link: https://lore.kernel.org/r/20201018184255.28989-1-vvidic@valentin-vidic.from.hr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 73ff79e48013e11ca778758be31944f9159f555e Author: Zekun Shen Date: Tue Jun 23 18:11:05 2020 -0400 ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() [ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ] The idx in __ath10k_htt_rx_ring_fill_n function lives in consistent dma region writable by the device. Malfunctional or malicious device could manipulate such idx to have a OOB write. Either by htt->rx_ring.netbufs_ring[idx] = skb; or by ath10k_htt_set_paddrs_ring(htt, paddr, idx); The idx can also be negative as it's signed, giving a large memory space to write to. It's possibly exploitable by corruptting a legit pointer with a skb pointer. And then fill skb with payload as rougue object. Part of the log here. Sometimes it appears as UAF when writing to a freed memory by chance. [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 [ 15.595483] #PF: supervisor write access in kernel mode [ 15.596250] #PF: error_code(0x0002) - not-present page [ 15.597013] PGD 0 P4D 0 [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core Signed-off-by: Zekun Shen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com Signed-off-by: Sasha Levin commit 73eae769d588d97ce5f2e8b88fcfbf1052ae77e5 Author: Can Guo Date: Sun Aug 9 05:15:48 2020 -0700 scsi: ufs: ufs-qcom: Fix race conditions caused by ufs_qcom_testbus_config() [ Upstream commit 89dd87acd40a44de8ff3358138aedf8f73f4efc6 ] If ufs_qcom_dump_dbg_regs() calls ufs_qcom_testbus_config() from ufshcd_suspend/resume and/or clk gate/ungate context, pm_runtime_get_sync() and ufshcd_hold() will cause a race condition. Fix this by removing the unnecessary calls of pm_runtime_get_sync() and ufshcd_hold(). Link: https://lore.kernel.org/r/1596975355-39813-3-git-send-email-cang@codeaurora.org Reviewed-by: Hongwu Su Reviewed-by: Avri Altman Reviewed-by: Bean Huo Reviewed-by: Asutosh Das Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 45b99031879842a14c236ee6a1ea7db6258204d4 Author: Eli Billauer Date: Fri Jul 31 08:46:50 2020 +0300 usb: core: Solve race condition in anchor cleanup functions [ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ] usb_kill_anchored_urbs() is commonly used to cancel all URBs on an anchor just before releasing resources which the URBs rely on. By doing so, users of this function rely on that no completer callbacks will take place from any URB on the anchor after it returns. However if this function is called in parallel with __usb_hcd_giveback_urb processing a URB on the anchor, the latter may call the completer callback after usb_kill_anchored_urbs() returns. This can lead to a kernel panic due to use after release of memory in interrupt context. The race condition is that __usb_hcd_giveback_urb() first unanchors the URB and then makes the completer callback. Such URB is hence invisible to usb_kill_anchored_urbs(), allowing it to return before the completer has been called, since the anchor's urb_list is empty. Even worse, if the racing completer callback resubmits the URB, it may remain in the system long after usb_kill_anchored_urbs() returns. Hence list_empty(&anchor->urb_list), which is used in the existing while-loop, doesn't reliably ensure that all URBs of the anchor are gone. A similar problem exists with usb_poison_anchored_urbs() and usb_scuttle_anchored_urbs(). This patch adds an external do-while loop, which ensures that all URBs are indeed handled before these three functions return. This change has no effect at all unless the race condition occurs, in which case the loop will busy-wait until the racing completer callback has finished. This is a rare condition, so the CPU waste of this spinning is negligible. The additional do-while loop relies on usb_anchor_check_wakeup(), which returns true iff the anchor list is empty, and there is no __usb_hcd_giveback_urb() in the system that is in the middle of the unanchor-before-complete phase. The @suspend_wakeups member of struct usb_anchor is used for this purpose, which was introduced to solve another problem which the same race condition causes, in commit 6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up till completion is done"). The surely_empty variable is necessary, because usb_anchor_check_wakeup() must be called with the lock held to prevent races. However the spinlock must be released and reacquired if the outer loop spins with an empty URB list while waiting for the unanchor-before-complete passage to finish: The completer callback may very well attempt to take the very same lock. To summarize, using usb_anchor_check_wakeup() means that the patched functions can return only when the anchor's list is empty, and there is no invisible URB being processed. Since the inner while loop finishes on the empty list condition, the new do-while loop will terminate as well, except for when the said race condition occurs. Signed-off-by: Eli Billauer Acked-by: Oliver Neukum Acked-by: Alan Stern Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 64bd7b8b9062ee0a0c5f98a63507e010ee9fc53a Author: Wang Yufen Date: Mon Jul 20 17:36:05 2020 +0800 brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach [ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ] When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL, we should destroy the workqueue. Reported-by: Hulk Robot Signed-off-by: Wang Yufen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com Signed-off-by: Sasha Levin commit ba2fdbcdbcc19d4c909e41da79c3c4e1349a16ed Author: Tetsuo Handa Date: Fri Aug 21 17:27:19 2020 +0900 mwifiex: don't call del_timer_sync() on uninitialized timer [ Upstream commit 621a3a8b1c0ecf16e1e5667ea5756a76a082b738 ] syzbot is reporting that del_timer_sync() is called from mwifiex_usb_cleanup_tx_aggr() from mwifiex_unregister_dev() without checking timer_setup() from mwifiex_usb_tx_init() was called [1]. Ganapathi Bhat proposed a possibly cleaner fix, but it seems that that fix was forgotten [2]. "grep -FrB1 'del_timer' drivers/ | grep -FA1 '.function)'" says that currently there are 28 locations which call del_timer[_sync]() only if that timer's function field was initialized (because timer_setup() sets that timer's function field). Therefore, let's use same approach here. [1] https://syzkaller.appspot.com/bug?id=26525f643f454dd7be0078423e3cdb0d57744959 [2] https://lkml.kernel.org/r/CA+ASDXMHt2gq9Hy+iP_BYkWXsSreWdp3_bAfMkNcuqJ3K+-jbQ@mail.gmail.com Reported-by: syzbot Cc: Ganapathi Bhat Cc: Brian Norris Signed-off-by: Tetsuo Handa Reviewed-by: Brian Norris Acked-by: Ganapathi Bhat Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200821082720.7716-1-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Sasha Levin commit 5d4fd6d48b5b3f1abcaa7edcb95d555d22c4a7f8 Author: Jan Kara Date: Wed Mar 4 14:01:44 2020 +0100 reiserfs: Fix memory leak in reiserfs_parse_options() [ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ] When a usrjquota or grpjquota mount option is used multiple times, we will leak memory allocated for the file name. Make sure the last setting is used and all the previous ones are properly freed. Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 48723ecc7364b432ac6c16464c53bd6c0023ca5e Author: Peilin Ye Date: Tue Aug 11 03:46:40 2020 -0400 ipvs: Fix uninit-value in do_ip_vs_set_ctl() [ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ] do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is zero. Fix it. Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 Suggested-by: Julian Anastasov Signed-off-by: Peilin Ye Acked-by: Julian Anastasov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 3a51df27232fa3dbe22bbb0a0820639e1eb47e09 Author: Tong Zhang Date: Fri Aug 21 12:19:40 2020 -0400 tty: ipwireless: fix error handling [ Upstream commit db332356222d9429731ab9395c89cca403828460 ] ipwireless_send_packet() can only return 0 on success and -ENOMEM on error, the caller should check non zero for error condition Signed-off-by: Tong Zhang Acked-by: David Sterba Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cd1d81f44541e99e75df66197d14f5f167ca5d05 Author: Nilesh Javali Date: Tue Sep 8 02:56:52 2020 -0700 scsi: qedi: Fix list_del corruption while removing active I/O [ Upstream commit 28b35d17f9f8573d4646dd8df08917a4076a6b63 ] While aborting the I/O, the firmware cleanup task timed out and driver deleted the I/O from active command list. Some time later the firmware sent the cleanup task response and driver again deleted the I/O from active command list causing firmware to send completion for non-existent I/O and list_del corruption of active command list. Add fix to check if I/O is present before deleting it from the active command list to ensure firmware sends valid I/O completion and protect against list_del corruption. Link: https://lore.kernel.org/r/20200908095657.26821-4-mrangankar@marvell.com Signed-off-by: Nilesh Javali Signed-off-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 7de217b9e5874945f5619770ee26bcfa95f740c7 Author: Nilesh Javali Date: Tue Sep 8 02:56:53 2020 -0700 scsi: qedi: Protect active command list to avoid list corruption [ Upstream commit c0650e28448d606c84f76c34333dba30f61de993 ] Protect active command list for non-I/O commands like login response, logout response, text response, and recovery cleanup of active list to avoid list corruption. Link: https://lore.kernel.org/r/20200908095657.26821-5-mrangankar@marvell.com Signed-off-by: Nilesh Javali Signed-off-by: Manish Rangankar Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b519788e73a72d145f4c1a840ed5024da6749d36 Author: Doug Horn Date: Wed Sep 2 14:08:25 2020 -0700 Fix use after free in get_capset_info callback. [ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ] If a response to virtio_gpu_cmd_get_capset_info takes longer than five seconds to return, the callback will access freed kernel memory in vg->capsets. Signed-off-by: Doug Horn Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 5b014df0885dfd7696492e7af736f88f7aca8d19 Author: Chris Chiu Date: Sun Sep 6 12:04:24 2020 +0800 rtl8xxxu: prevent potential memory leak [ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ] Free the skb if usb_submit_urb fails on rx_urb. And free the urb no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb. Signed-off-by: Chris Chiu Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com Signed-off-by: Sasha Levin commit e60457e789f8ef1c7cdfd6e234e9173687db731b Author: Keita Suzuki Date: Tue Sep 8 12:17:41 2020 +0000 brcmsmac: fix memory leak in wlc_phy_attach_lcnphy [ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ] When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be freed in the caller function. Fix this by calling wlc_phy_detach_lcnphy in the error handler of wlc_phy_txpwr_srom_read_lcnphy before returning. Signed-off-by: Keita Suzuki Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp Signed-off-by: Sasha Levin commit efea5d57c505d1e2639e10149cc7c3433ed0176c Author: Jing Xiangfeng Date: Mon Sep 7 16:39:49 2020 +0800 scsi: ibmvfc: Fix error return in ibmvfc_probe() [ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ] Fix to return error code PTR_ERR() from the error handling case instead of 0. Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com Acked-by: Tyrel Datwyler Signed-off-by: Jing Xiangfeng Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c6bd0d0d5f149ff1ca041b6fdfdfd66f318d2b3e Author: Abhishek Pandit-Subedi Date: Fri Sep 11 15:33:18 2020 -0700 Bluetooth: Only mark socket zapped after unlocking [ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ] Since l2cap_sock_teardown_cb doesn't acquire the channel lock before setting the socket as zapped, it could potentially race with l2cap_sock_release which frees the socket. Thus, wait until the cleanup is complete before marking the socket as zapped. This race was reproduced on a JBL GO speaker after the remote device rejected L2CAP connection due to resource unavailability. Here is a dmesg log with debug logs from a repro of this bug: [ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002 [ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0 [ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2 [ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001 [ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952 [ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c [ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00 [ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4 [ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT [ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT [ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3 [ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6 [ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159 [ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053 [ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 [ 3465.430332] Causing a watchdog bite! Signed-off-by: Abhishek Pandit-Subedi Reported-by: Balakrishna Godavarthi Reviewed-by: Manish Mandlik Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit be0083640e7d3f01996d5ab9d43b5de9741af051 Author: Hamish Martin Date: Fri Sep 11 09:25:11 2020 +1200 usb: ohci: Default to per-port over-current protection [ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ] Some integrated OHCI controller hubs do not expose all ports of the hub to pins on the SoC. In some cases the unconnected ports generate spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC contains a nominally 3 port hub but only the first port is wired. Default behaviour for ohci-platform driver is to use global over-current protection mode (AKA "ganged"). This leads to the spurious over-current events affecting all ports in the hub. We now alter the default to use per-port over-current protection. This patch results in the following configuration changes depending on quirks: - For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up for ganged power switching and no over-current protection. - For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching remains at none, while over-current protection is now guaranteed to be set to per-port rather than the previous behaviour where it was either none or global over-current protection depending on the value at function entry. Suggested-by: Alan Stern Acked-by: Alan Stern Signed-off-by: Hamish Martin Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 01413b33575bd89291de605e4dce9c83f4c3886b Author: Darrick J. Wong Date: Wed Sep 9 14:21:06 2020 -0700 xfs: make sure the rt allocator doesn't run off the end [ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ] There's an overflow bug in the realtime allocator. If the rt volume is large enough to handle a single allocation request that is larger than the maximum bmap extent length and the rt bitmap ends exactly on a bitmap block boundary, it's possible that the near allocator will try to check the freeness of a range that extends past the end of the bitmap. This fails with a corruption error and shuts down the fs. Therefore, constrain maxlen so that the range scan cannot run off the end of the rt bitmap. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit a8ca9f684674f73f43793d7410897a8707f8a81e Author: Eric Biggers Date: Sun Jun 28 00:00:57 2020 -0700 reiserfs: only call unlock_new_inode() if I_NEW [ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ] unlock_new_inode() is only meant to be called after a new inode has already been inserted into the hash table. But reiserfs_new_inode() can call it even before it has inserted the inode, triggering the WARNING in unlock_new_inode(). Fix this by only calling unlock_new_inode() if the inode has the I_NEW flag set, indicating that it's in the table. This addresses the syzbot report "WARNING in unlock_new_inode" (https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7). Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 19ca26aac2093293a1a3f7677247298b87c0776e Author: Keita Suzuki Date: Wed Sep 9 07:18:51 2020 +0000 misc: rtsx: Fix memory leak in rtsx_pci_probe [ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ] When mfd_add_devices() fail, pcr->slots should also be freed. However, the current implementation does not free the member, leading to a memory leak. Fix this by adding a new goto label that frees pcr->slots. Signed-off-by: Keita Suzuki Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 795d57a558d106b8a5bc2bd7aeaf707d9a099244 Author: Brooke Basile Date: Fri Sep 11 03:14:27 2020 -0400 ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs() [ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor systems create a race condition in which usb_kill_anchored_urbs() deallocates the URB before the completer callback is called in usb_kill_urb(), resulting in a use-after-free. To fix this, add proper lock protection to usb_kill_urb() calls that can possibly run concurrently with usb_kill_anchored_urbs(). Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf Signed-off-by: Brooke Basile Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com Signed-off-by: Sasha Levin commit dcd5c6006eb2d5d4f3682a10f3cfc64f893b3542 Author: Joakim Zhang Date: Tue Sep 22 16:44:19 2020 +0200 can: flexcan: flexcan_chip_stop(): add error handling and propagate error value [ Upstream commit 9ad02c7f4f279504bdd38ab706fdc97d5f2b2a9c ] This patch implements error handling and propagates the error value of flexcan_chip_stop(). This function will be called from flexcan_suspend() in an upcoming patch in some SoCs which support LPSR mode. Add a new function flexcan_chip_stop_disable_on_error() that tries to disable the chip even in case of errors. Signed-off-by: Joakim Zhang [mkl: introduce flexcan_chip_stop_disable_on_error() and use it in flexcan_close()] Signed-off-by: Marc Kleine-Budde Link: https://lore.kernel.org/r/20200922144429.2613631-11-mkl@pengutronix.de Signed-off-by: Sasha Levin commit 95cc92a38af1979b661308e4fe729134aa3ca894 Author: Johan Hovold Date: Mon Sep 21 15:59:49 2020 +0200 USB: cdc-acm: handle broken union descriptors [ Upstream commit 960c7339de27c6d6fec13b54880501c3576bb08d ] Handle broken union functional descriptors where the master-interface doesn't exist or where its class is of neither Communication or Data type (as required by the specification) by falling back to "combined-interface" probing. Note that this still allows for handling union descriptors with switched interfaces. This specifically makes the Whistler radio scanners TRX series devices work with the driver without adding further quirks to the device-id table. Reported-by: Daniel Caujolle-Bert Tested-by: Daniel Caujolle-Bert Acked-by: Oliver Neukum Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20200921135951.24045-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c4e3e0824e355a67cd339fe5ce3935f80b2f62ec Author: Jan Kara Date: Fri Sep 25 12:14:03 2020 +0200 udf: Avoid accessing uninitialized data on failed inode read [ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ] When we fail to read inode, some data accessed in udf_evict_inode() may be uninitialized. Move the accesses to !is_bad_inode() branch. Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit ac6e0baf7c82b06a1c233c03620dd79617f118f1 Author: Jan Kara Date: Fri Sep 25 14:53:08 2020 +0200 udf: Limit sparing table size [ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ] Although UDF standard allows it, we don't support sparing table larger than a single block. Check it during mount so that we don't try to access memory beyond end of buffer. Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit d9fe88b2a38dc700bf5bd3a09c7cd11bbc248367 Author: Zqiang Date: Fri Jun 5 11:05:33 2020 +0800 usb: gadget: function: printer: fix use-after-free in __lock_acquire [ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ] Fix this by increase object reference count. BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377 CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xce/0x128 lib/dump_stack.c:118 print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:641 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723 vfs_ioctl fs/ioctl.c:47 [inline] ksys_ioctl+0xfb/0x130 fs/ioctl.c:763 __do_sys_ioctl fs/ioctl.c:772 [inline] __se_sys_ioctl fs/ioctl.c:770 [inline] __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4531a9 Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9 RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003 RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61 R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff Allocated by task 2393: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515 kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416 usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444 configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202 vfs_symlink+0x33d/0x5b0 fs/namei.c:4201 do_symlinkat+0x11b/0x1d0 fs/namei.c:4228 __do_sys_symlinkat fs/namei.c:4242 [inline] __se_sys_symlinkat fs/namei.c:4239 [inline] __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 3368: save_stack+0x21/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:337 [inline] __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476 kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 slab_free_hook mm/slub.c:1444 [inline] slab_free_freelist_hook mm/slub.c:1477 [inline] slab_free mm/slub.c:3034 [inline] kfree+0xf7/0x410 mm/slub.c:3995 gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353 usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485 configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250 vfs_unlink+0x287/0x570 fs/namei.c:4073 do_unlinkat+0x4f9/0x620 fs/namei.c:4137 __do_sys_unlink fs/namei.c:4184 [inline] __se_sys_unlink fs/namei.c:4182 [inline] __x64_sys_unlink+0x42/0x50 fs/namei.c:4182 do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8880683b0000 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 24 bytes inside of 1024-byte region [ffff8880683b0000, ffff8880683b0400) The buggy address belongs to the page: page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300 index:0xffff8880683b1800 compound_mapcount: 0 flags: 0x100000000010200(slab|head) raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300 raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Reported-by: Kyungtae Kim Signed-off-by: Zqiang Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 1b5a5face33b913b22259438277a7d10b21beae9 Author: Sherry Sun Date: Tue Sep 29 17:11:05 2020 +0800 misc: vop: add round_up(x,4) for vring_size to avoid kernel panic [ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] Since struct _mic_vring_info and vring are allocated together and follow vring, if the vring_size() is not four bytes aligned, which will cause the start address of struct _mic_vring_info is not four byte aligned. For example, when vring entries is 128, the vring_size() will be 5126 bytes. The _mic_vring_info struct layout in ddr looks like: 0x90002400: 00000000 00390000 EE010000 0000C0FF Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. When EP use ioread32(magic) to reads the magic in RC's share memory, it will cause kernel panic on ARM64 platform due to the cross-byte io read. Here read magic in user space use le32toh(vr0->info->magic) will meet the same issue. So add round_up(x,4) for vring_size, then the struct _mic_vring_info will store in this way: 0x90002400: 00000000 00000000 00000039 C0FFEE01 Which will avoid kernel panic when read magic in struct _mic_vring_info. Signed-off-by: Sherry Sun Signed-off-by: Joakim Zhang Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8ac30068590443ece87acc39c2229a1a7523562a Author: Sherry Sun Date: Tue Sep 29 17:11:06 2020 +0800 mic: vop: copy data to kernel space then write to io memory [ Upstream commit 675f0ad4046946e80412896436164d172cd92238 ] Read and write io memory should address align on ARCH ARM. Change to use memcpy_toio to avoid kernel panic caused by the address un-align issue. Signed-off-by: Sherry Sun Signed-off-by: Joakim Zhang Link: https://lore.kernel.org/r/20200929091106.24624-5-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a07e3351c42d43612f39645e3739980233fb35bb Author: Roman Bolshakov Date: Tue Sep 29 15:59:57 2020 +0300 scsi: target: core: Add CONTROL field for trace events [ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ] trace-cmd report doesn't show events from target subsystem because scsi_command_size() leaks through event format string: [target:target_sequencer_start] function scsi_command_size not defined [target:target_cmd_complete] function scsi_command_size not defined Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't help because an expression is used inside TP_printk(). trace-cmd event parser doesn't understand minus sign inside [ ]: Error: expected ']' but read '-' Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated field for CONTROL byte. Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com Reviewed-by: Mike Christie Signed-off-by: Roman Bolshakov Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e9d7903412d246ec0c78e518fd96b135a61c9c22 Author: Jing Xiangfeng Date: Thu Sep 10 20:38:48 2020 +0800 scsi: mvumi: Fix error return in mvumi_io_attach() [ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ] Return PTR_ERR() from the error handling case instead of 0. Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com Signed-off-by: Jing Xiangfeng Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit e7efc85876753f5a83bafce7a1d748ef7c9e59a5 Author: Christoph Hellwig Date: Fri Sep 25 18:14:47 2020 +0200 PM: hibernate: remove the bogus call to get_gendisk() in software_resume() [ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ] get_gendisk grabs a reference on the disk and file operation, so this code will leak both of them while having absolutely no use for the gendisk itself. This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use get_gendisk to verify partition if resume_file is integer format") Signed-off-by: Christoph Hellwig Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 37f191b98e4c40cdb9622d295ec04b3a3e4353be Author: Thomas Pedersen Date: Mon Oct 5 09:45:21 2020 -0700 mac80211: handle lack of sband->bitrates in rates [ Upstream commit 8b783d104e7f40684333d2ec155fac39219beb2f ] Even though a driver or mac80211 shouldn't produce a legacy bitrate if sband->bitrates doesn't exist, don't crash if that is the case either. This fixes a kernel panic if station dump is run before last_rate can be updated with a data frame when sband->bitrates is missing (eg. in S1G bands). Signed-off-by: Thomas Pedersen Link: https://lore.kernel.org/r/20201005164522.18069-1-thomas@adapt-ip.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit d2918cca649f7457018f2c94176a8302e7a9f311 Author: Rustam Kovhaev Date: Tue Oct 13 16:48:17 2020 -0700 ntfs: add check for mft record size in superblock [ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ] Number of bytes allocated for mft record should be equal to the mft record size stored in ntfs superblock as reported by syzbot, userspace might trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com Signed-off-by: Rustam Kovhaev Signed-off-by: Andrew Morton Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com Acked-by: Anton Altaparmakov Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 699cbe4895d54792114e7231e0d4195b3ec8d986 Author: Dinghao Liu Date: Sun Jun 28 07:55:23 2020 +0200 media: venus: core: Fix runtime PM imbalance in venus_probe [ Upstream commit bbe516e976fce538db96bd2b7287df942faa14a3 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. For other error paths after this call, things are the same. Fix this by adding pm_runtime_put_noidle() after 'err_runtime_disable' label. But in this case, the error path after pm_runtime_put_sync() will decrease PM usage counter twice. Thus add an extra pm_runtime_get_noresume() in this path to balance PM counter. Signed-off-by: Dinghao Liu Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit eaadbc84174f06b06db5d0252ee1166786d127ec Author: Alexander Aring Date: Thu Aug 27 15:02:51 2020 -0400 fs: dlm: fix configfs memory leak [ Upstream commit 3d2825c8c6105b0f36f3ff72760799fa2e71420e ] This patch fixes the following memory detected by kmemleak and umount gfs2 filesystem which removed the last lockspace: unreferenced object 0xffff9264f482f600 (size 192): comm "dlm_controld", pid 325, jiffies 4294690276 (age 48.136s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 6e 6f 64 65 73 00 00 00 ........nodes... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000060481d7>] make_space+0x41/0x130 [<000000008d905d46>] configfs_mkdir+0x1a2/0x5f0 [<00000000729502cf>] vfs_mkdir+0x155/0x210 [<000000000369bcf1>] do_mkdirat+0x6d/0x110 [<00000000cc478a33>] do_syscall_64+0x33/0x40 [<00000000ce9ccf01>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 The patch just remembers the "nodes" entry pointer in space as I think it's created as subdirectory when parent "spaces" is created. In function drop_space() we will lost the pointer reference to nds because configfs_remove_default_groups(). However as this subdirectory is always available when "spaces" exists it will just be freed when "spaces" will be freed. Signed-off-by: Alexander Aring Signed-off-by: David Teigland Signed-off-by: Sasha Levin commit 03d78253277aa4a44e4c97736756f8523798eca7 Author: Mauro Carvalho Chehab Date: Wed Sep 2 08:37:12 2020 +0200 media: saa7134: avoid a shift overflow [ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ] As reported by smatch: drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type? On a 64-bits Kernel, the shift might be bigger than 32 bits. In real, this should never happen, but let's shut up the warning. Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4d880c0cba3fb6dcd74cceb28c00ecf8b20f2a18 Author: Pali Rohár Date: Mon Jul 27 15:38:34 2020 +0200 mmc: sdio: Check for CISTPL_VERS_1 buffer size [ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ] Before parsing CISTPL_VERS_1 structure check that its size is at least two bytes to prevent buffer overflow. Signed-off-by: Pali Rohár Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit f44836e965162ced9a25c261d884fae6849084be Author: Adam Goode Date: Sun Aug 23 03:21:33 2020 +0200 media: uvcvideo: Ensure all probed info is returned to v4l2 [ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ] bFrameIndex and bFormatIndex can be negotiated by the camera during probing, resulting in the camera choosing a different format than expected. v4l2 can already accommodate such changes, but the code was not updating the proper fields. Without such a change, v4l2 would potentially interpret the payload incorrectly, causing corrupted output. This was happening on the Elgato HD60 S+, which currently always renegotiates to format 1. As an aside, the Elgato firmware is buggy and should not be renegotating, but it is still a valid thing for the camera to do. Both macOS and Windows will properly probe and read uncorrupted images from this camera. With this change, both qv4l2 and chromium can now read uncorrupted video from the Elgato HD60 S+. [Add blank lines, remove periods at the of messages] Signed-off-by: Adam Goode Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6fab85f03cfacc02ff42776985819b4f348ea72c Author: Xiaolong Huang Date: Fri Apr 17 11:52:30 2020 +0200 media: media/pci: prevent memory leak in bttv_probe [ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ] In bttv_probe if some functions such as pci_enable_device, pci_set_dma_mask and request_mem_region fails the allocated memory for btv should be released. Signed-off-by: Xiaolong Huang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit aaa35fd4e1249f112de4367f388dffb6631d6aa0 Author: Dinghao Liu Date: Thu May 21 12:00:21 2020 +0200 media: bdisp: Fix runtime PM imbalance on error [ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. Signed-off-by: Dinghao Liu Reviewed-by: Fabien Dessenne Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e984f79e2df3a02ce184b45ee0f3fb2f4f51a793 Author: Dinghao Liu Date: Thu May 21 12:05:02 2020 +0200 media: platform: sti: hva: Fix runtime PM imbalance on error [ Upstream commit d912a1d9e9afe69c6066c1ceb6bfc09063074075 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. Signed-off-by: Dinghao Liu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a4ef57d1cb5a1b1b937dbdf01646b08039ceb6c0 Author: Dinghao Liu Date: Thu May 21 15:29:33 2020 +0200 media: platform: s3c-camif: Fix runtime PM imbalance on error [ Upstream commit dafa3605fe60d5a61239d670919b2a36e712481e ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. Also, call pm_runtime_disable() when pm_runtime_get_sync() returns an error code. Signed-off-by: Dinghao Liu Reviewed-by: Sylwester Nawrocki Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 37b6efc2559a7d3965ab4dbc4bc7bb234239d77f Author: Dinghao Liu Date: Mon Jun 8 07:29:19 2020 +0200 media: vsp1: Fix runtime PM imbalance on error [ Upstream commit 98fae901c8883640202802174a4bd70a1b9118bd ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code. Thus a pairing decrement is needed on the error handling path to keep the counter balanced. Signed-off-by: Dinghao Liu Reviewed-by: Kieran Bingham Reviewed-by: Laurent Pinchart Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7713c060f1c11b435a6f4e57ee39559645454c5c Author: Qiushi Wu Date: Sun Jun 14 05:01:11 2020 +0200 media: exynos4-is: Fix a reference count leak [ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1674941303d341d53342c99992431de5ab6e4312 Author: Qiushi Wu Date: Sun Jun 14 05:10:58 2020 +0200 media: exynos4-is: Fix a reference count leak due to pm_runtime_get_sync [ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9e701ac75c67700de7017da13d15db74431dc376 Author: Qiushi Wu Date: Sun Jun 14 05:18:29 2020 +0200 media: exynos4-is: Fix several reference count leaks due to pm_runtime_get_sync [ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 67aff25b8dbef75dcdaa7bd2d8838bf04f93f235 Author: Qiushi Wu Date: Sun Jun 14 05:31:06 2020 +0200 media: sti: Fix reference count leaks [ Upstream commit 6f4432bae9f2d12fc1815b5e26cc07e69bcad0df ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 36d682798e58d3b4b66e12c5ce48c53f15df7f97 Author: Aditya Pakki Date: Sun Jun 14 05:58:41 2020 +0200 media: st-delta: Fix reference count leak in delta_run_work [ Upstream commit 57cc666d36adc7b45e37ba4cd7bc4e44ec4c43d7 ] delta_run_work() calls delta_get_sync() that increments the reference counter. In case of failure, decrement the reference count by calling delta_put_autosuspend(). Signed-off-by: Aditya Pakki Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8134f6b6318c00c6729083970059c16b6f7bb21f Author: Oliver Neukum Date: Wed Sep 16 15:50:51 2020 +0200 media: ati_remote: sanity check for both endpoints [ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] If you do sanity checks, you should do them for both endpoints. Hence introduce checking for endpoint type for the output endpoint, too. Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com Signed-off-by: Oliver Neukum Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6763925003a6ba5ff20a4b99f8709f2aa5a9bf9f Author: Pavel Machek Date: Sun Sep 20 11:01:37 2020 +0200 media: firewire: fix memory leak [ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ] Fix memory leak in node_probe. Signed-off-by: Pavel Machek (CIP) Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f87acd2c40df3d733a04ab9cd47420537c873d52 Author: Pavel Machek Date: Mon Sep 21 13:34:35 2020 +0200 crypto: ccp - fix error handling [ Upstream commit e356c49c6cf0db3f00e1558749170bd56e47652d ] Fix resource leak in error handling. Signed-off-by: Pavel Machek (CIP) Acked-by: John Allen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d40a93fabd7fa36d0992f19ca3081a2cc09c33cb Author: Hans de Goede Date: Wed Oct 14 16:41:58 2020 +0200 i2c: core: Restore acpi_walk_dep_device_list() getting called after registering the ACPI i2c devs [ Upstream commit 8058d69905058ec8f467a120b5ec5bb831ea67f3 ] Commit 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()")'s intention was to only move the acpi_install_address_space_handler() call to the point before where the ACPI declared i2c-children of the adapter where instantiated by i2c_acpi_register_devices(). But i2c_acpi_install_space_handler() had a call to acpi_walk_dep_device_list() hidden (that is I missed it) at the end of it, so as an unwanted side-effect now acpi_walk_dep_device_list() was also being called before i2c_acpi_register_devices(). Move the acpi_walk_dep_device_list() call to the end of i2c_acpi_register_devices(), so that it is once again called *after* the i2c_client-s hanging of the adapter have been created. This fixes the Microsoft Surface Go 2 hanging at boot. Fixes: 21653a4181ff ("i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()") Link: https://bugzilla.kernel.org/show_bug.cgi?id=209627 Reported-by: Rainer Finke Reported-by: Kieran Bingham Suggested-by: Maximilian Luz Tested-by: Kieran Bingham Signed-off-by: Hans de Goede Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 6e95be106536c962a6d9bd7983c185290fc3fcc7 Author: Al Grant Date: Mon Sep 21 21:46:37 2020 +0100 perf: correct SNOOPX field offset [ Upstream commit f3d301c1f2f5676465cdf3259737ea19cc82731f ] perf_event.h has macros that define the field offsets in the data_src bitmask in perf records. The SNOOPX and REMOTE offsets were both 37. These are distinct fields, and the bitfield layout in perf_mem_data_src confirms that SNOOPX should be at offset 38. Fixes: 52839e653b5629bd ("perf tools: Add support for printing new mem_info encodings") Signed-off-by: Al Grant Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Andi Kleen Link: https://lkml.kernel.org/r/4ac9f5cc-4388-b34a-9999-418a4099415d@foss.arm.com Signed-off-by: Sasha Levin commit 94ae143ca57be1174bbd256a74bb2a1142f5d260 Author: Kaige Li Date: Tue Aug 11 09:59:57 2020 +0800 NTB: hw: amd: fix an issue about leak system resources [ Upstream commit 44a0a3c17919db1498cebb02ecf3cf4abc1ade7b ] The related system resources were not released when pci_set_dma_mask(), pci_set_consistent_dma_mask(), or pci_iomap() return error in the amd_ntb_init_pci() function. Add pci_release_regions() to fix it. Fixes: a1b3695820aa ("NTB: Add support for AMD PCI-Express Non-Transparent Bridge") Signed-off-by: Kaige Li Signed-off-by: Jon Mason Signed-off-by: Sasha Levin commit 477dfe7d985a2c21e3e55c5bf5989a629f296ae1 Author: zhenwei pi Date: Thu Oct 15 09:51:40 2020 +0800 nvmet: fix uninitialized work for zero kato [ Upstream commit 85bd23f3dc09a2ae9e56885420e52c54bf983713 ] When connecting a controller with a zero kato value using the following command line nvme connect -t tcp -n NQN -a ADDR -s PORT --keep-alive-tmo=0 the warning below can be reproduced: WARNING: CPU: 1 PID: 241 at kernel/workqueue.c:1627 __queue_delayed_work+0x6d/0x90 with trace: mod_delayed_work_on+0x59/0x90 nvmet_update_cc+0xee/0x100 [nvmet] nvmet_execute_prop_set+0x72/0x80 [nvmet] nvmet_tcp_try_recv_pdu+0x2f7/0x770 [nvmet_tcp] nvmet_tcp_io_work+0x63f/0xb2d [nvmet_tcp] ... This is caused by queuing up an uninitialized work. Althrough the keep-alive timer is disabled during allocating the controller (fixed in 0d3b6a8d213a), ka_work still has a chance to run (called by nvmet_start_ctrl). Fixes: 0d3b6a8d213a ("nvmet: Disable keep-alive timer when kato is cleared to 0h") Signed-off-by: zhenwei pi Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit b398d1dcf3696ef54a868a3571daf253dd4af3ff Author: Vasant Hegde Date: Sat Oct 17 22:12:10 2020 +0530 powerpc/powernv/dump: Fix race while processing OPAL dump [ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ] Every dump reported by OPAL is exported to userspace through a sysfs interface and notified using kobject_uevent(). The userspace daemon (opal_errd) then reads the dump and acknowledges that the dump is saved safely to disk. Once acknowledged the kernel removes the respective sysfs file entry causing respective resources to be released including kobject. However it's possible the userspace daemon may already be scanning dump entries when a new sysfs dump entry is created by the kernel. User daemon may read this new entry and ack it even before kernel can notify userspace about it through kobject_uevent() call. If that happens then we have a potential race between dump_ack_store->kobject_put() and kobject_uevent which can lead to use-after-free of a kernfs object resulting in a kernel crash. This patch fixes this race by protecting the sysfs file creation/notification by holding a reference count on kobject until we safely send kobject_uevent(). The function create_dump_obj() returns the dump object which if used by caller function will end up in use-after-free problem again. However, the return value of create_dump_obj() function isn't being used today and there is no need as well. Hence change it to return void to make this fix complete. Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface") Signed-off-by: Vasant Hegde Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 09ee728260d766fd299b59f7b24e3142c456fda6 Author: Michal Simek Date: Mon Aug 24 10:59:14 2020 +0200 arm64: dts: zynqmp: Remove additional compatible string for i2c IPs [ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ] DT binding permits only one compatible string which was decribed in past by commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq Ultrascale+ MPSoC"). The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence documentation to YAML") has converted binding to yaml and the following issues is reported: ...: i2c@ff030000: compatible: Additional items are not allowed ('cdns,i2c-r1p10' was unexpected) From schema: .../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds ...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too long The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") has added the second compatible string but without removing origin one. The patch is only keeping one compatible string "cdns,i2c-r1p14". Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") Signed-off-by: Michal Simek Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com Reviewed-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 6572359eba0609e675a032eb19b80e976c10132d Author: Cristian Ciocaltea Date: Fri Aug 28 16:53:17 2020 +0300 ARM: dts: owl-s500: Fix incorrect PPI interrupt specifiers [ Upstream commit 55f6c9931f7c32f19cf221211f099dfd8dab3af9 ] The PPI interrupts for cortex-a9 were incorrectly specified, fix them. Fixes: fdfe7f4f9d85 ("ARM: dts: Add Actions Semi S500 and LeMaker Guitar") Signed-off-by: Cristian Ciocaltea Reviewed-by: Peter Korsgaard Reviewed-by: Manivannan Sadhasivam Signed-off-by: Manivannan Sadhasivam Signed-off-by: Sasha Levin commit 0b1dedc4f0b8329ccc29501b892ba9fa47f825f9 Author: Stephan Gerhold Date: Tue Sep 15 09:12:11 2020 +0200 arm64: dts: qcom: msm8916: Fix MDP/DSI interrupts [ Upstream commit 027cca9eb5b450c3f6bb916ba999144c2ec23cb7 ] The mdss node sets #interrupt-cells = <1>, so its interrupts should be referenced using a single cell (in this case: only the interrupt number). However, right now the mdp/dsi node both have two interrupt cells set, e.g. interrupts = <4 0>. The 0 is probably meant to say IRQ_TYPE_NONE (= 0), but with #interrupt-cells = <1> this is actually interpreted as a second interrupt line. Remove the IRQ flags from both interrupts to fix this. Fixes: 305410ffd1b2 ("arm64: dts: msm8916: Add display support") Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20200915071221.72895-5-stephan@gerhold.net Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 8db94d79456dc2394688aec8f004b7caff0f3e2d Author: Krzysztof Kozlowski Date: Thu Aug 27 09:33:15 2020 +0200 memory: fsl-corenet-cf: Fix handling of platform_get_irq() error [ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org Signed-off-by: Sasha Levin commit 9bff692ae215408f7ae1462fa7be5d7451e13ee6 Author: Dan Carpenter Date: Tue Aug 25 13:47:07 2020 +0300 memory: omap-gpmc: Fix a couple off by ones [ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ] These comparisons should be >= instead of > to prevent reading one element beyond the end of the gpmc_cs[] array. Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash") Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space") Signed-off-by: Dan Carpenter Acked-by: Roger Quadros Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit d5ed2625f0a86f03a4a450626c40566f8b7ee746 Author: Robert Hoo Date: Fri Aug 28 10:23:42 2020 +0800 KVM: x86: emulating RDPID failure shall return #UD rather than #GP [ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ] Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or less what KVM is emulating when MSR_TSC_AUX is not available. In fact, there are no scenarios in which RDPID is supposed to #GP. Fixes: fb6d4d340e ("KVM: x86: emulate RDPID") Signed-off-by: Robert Hoo Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com> Reviewed-by: Jim Mattson Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 8904f1e144b44c009bd1e089c2366262ed2659a6 Author: Krzysztof Kozlowski Date: Tue Sep 15 17:56:40 2020 -0700 Input: sun4i-ps2 - fix handling of platform_get_irq() error [ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller") Signed-off-by: Krzysztof Kozlowski Acked-by: Chen-Yu Tsai Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c024b1a42ee4cb12636841aac98b8bc2f1c6934b Author: Krzysztof Kozlowski Date: Tue Sep 15 17:56:19 2020 -0700 Input: twl4030_keypad - fix handling of platform_get_irq() error [ Upstream commit c277e1f0dc3c7d7b5b028e20dd414df241642036 ] platform_get_irq() returns -ERRNO on error. In such case casting to unsigned and comparing to 0 would pass the check. Fixes: 7abf38d6d13c ("Input: twl4030-keypad - add device tree support") Reported-by: kernel test robot Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200828145744.3636-3-krzk@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit bac6ea43d9ef52e3528583b030ae14eeb4114740 Author: Krzysztof Kozlowski Date: Tue Sep 15 17:52:15 2020 -0700 Input: omap4-keypad - fix handling of platform_get_irq() error [ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 4cf86bec24fad44533462d12cb893f864ac7bba0 Author: Krzysztof Kozlowski Date: Tue Sep 15 17:51:05 2020 -0700 Input: ep93xx_keypad - fix handling of platform_get_irq() error [ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ] platform_get_irq() returns -ERRNO on error. In such case comparison to 0 would pass the check. Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 369c1bb55e8bcb04fddd79f5f43f5562a8b6ded1 Author: YueHaibing Date: Wed Sep 16 10:26:09 2020 -0700 Input: stmfts - fix a & vs && typo [ Upstream commit d04afe14b23651e7a8bc89727a759e982a8458e4 ] In stmfts_sysfs_hover_enable_write(), we should check value and sdata->hover_enabled is all true. Fixes: 78bcac7b2ae1 ("Input: add support for the STMicroelectronics FingerTip touchscreen") Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20200916141941.16684-1-yuehaibing@huawei.com Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 695976722522f481a01eb3afd2f91a50625425f4 Author: Dan Carpenter Date: Mon Sep 14 10:17:01 2020 -0700 Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() [ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ] If imx6ul_tsc_init() fails then we need to clean up the clocks. I reversed the "if (input_dev->users) {" condition to make the code a bit simpler. Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e9caa4e4ac9fd3e0d1f79084e772c3133a9c9b1c Author: Xiaoyang Xu Date: Fri Oct 16 17:35:58 2020 +0800 vfio iommu type1: Fix memory leak in vfio_iommu_type1_pin_pages [ Upstream commit 2e6cfd496f5b57034cf2aec738799571b5a52124 ] pfn is not added to pfn_list when vfio_add_to_pfn_list fails. vfio_unpin_page_external will exit directly without calling vfio_iova_put_vfio_pfn. This will lead to a memory leak. Fixes: a54eb55045ae ("vfio iommu type1: Add support for mediated devices") Signed-off-by: Xiaoyang Xu [aw: simplified logic, add Fixes] Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 1877012c68da28f5e3cf241acdf31f6bf2ce4ce6 Author: Alex Williamson Date: Mon Oct 19 07:13:55 2020 -0600 vfio/pci: Clear token on bypass registration failure [ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ] The eventfd context is used as our irqbypass token, therefore if an eventfd is re-used, our token is the same. The irqbypass code will return an -EBUSY in this case, but we'll still attempt to unregister the producer, where if that duplicate token still exists, results in removing the wrong object. Clear the token of failed producers so that they harmlessly fall out when unregistered. Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer") Reported-by: guomin chen Tested-by: guomin chen Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 7b9009bc09f35701383f0541bee21bff1b7c0b40 Author: Darrick J. Wong Date: Thu Oct 1 15:21:48 2020 -0700 ext4: limit entries returned when counting fsmap records [ Upstream commit af8c53c8bc087459b1aadd4c94805d8272358d79 ] If userspace asked fsmap to try to count the number of entries, we cannot return more than UINT_MAX entries because fmh_entries is u32. Therefore, stop counting if we hit this limit or else we will waste time to return truncated results. Fixes: 0c9ec4beecac ("ext4: support GETFSMAP ioctls") Signed-off-by: Darrick J. Wong Link: https://lore.kernel.org/r/20201001222148.GA49520@magnolia Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 4a90077585b43757e7d6a0fac513177db2f6870b Author: Navid Emamdoost Date: Sun Aug 9 18:11:58 2020 -0500 clk: bcm2835: add missing release if devm_clk_hw_register fails [ Upstream commit f6c992ca7dd4f49042eec61f3fb426c94d901675 ] In the implementation of bcm2835_register_pll(), the allocated pll is leaked if devm_clk_hw_register() fails to register hw. Release pll if devm_clk_hw_register() fails. Signed-off-by: Navid Emamdoost Link: https://lore.kernel.org/r/20200809231202.15811-1-navid.emamdoost@gmail.com Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 33e742a5c7aaf891ebc447e1f313944f085a98f4 Author: Claudiu Beznea Date: Tue Aug 25 09:59:10 2020 +0300 clk: at91: clk-main: update key before writing AT91_CKGR_MOR [ Upstream commit 85d071e7f19a6a9abf30476b90b3819642568756 ] SAMA5D2 datasheet specifies on chapter 33.22.8 (PMC Clock Generator Main Oscillator Register) that writing any value other than 0x37 on KEY field aborts the write operation. Use the key when selecting main clock parent. Fixes: 27cb1c2083373 ("clk: at91: rework main clk implementation") Signed-off-by: Claudiu Beznea Reviewed-by: Alexandre Belloni Link: https://lore.kernel.org/r/1598338751-20607-3-git-send-email-claudiu.beznea@microchip.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 598e40fe3d49028d2fc9fe6135929b3ad0557a75 Author: Mark Tomlinson Date: Mon Aug 3 15:52:40 2020 +1200 PCI: iproc: Set affinity mask on MSI interrupts [ Upstream commit eb7eacaa5b9e4f665bd08d416c8f88e63d2f123c ] The core interrupt code expects the irq_set_affinity call to update the effective affinity for the interrupt. This was not being done, so update iproc_msi_irq_set_affinity() to do so. Link: https://lore.kernel.org/r/20200803035241.7737-1-mark.tomlinson@alliedtelesis.co.nz Fixes: 3bc2b2348835 ("PCI: iproc: Add iProc PCIe MSI support") Signed-off-by: Mark Tomlinson Signed-off-by: Lorenzo Pieralisi Reviewed-by: Ray Jui Signed-off-by: Sasha Levin commit 66da98b20b580dda871983d8ef3ca518bddfdaf7 Author: Dirk Behme Date: Thu Aug 27 11:23:30 2020 +0200 i2c: rcar: Auto select RESET_CONTROLLER [ Upstream commit 5b9bacf28a973a6b16510493416baeefa2c06289 ] The i2c-rcar driver utilizes the Generic Reset Controller kernel feature, so select the RESET_CONTROLLER option when the I2C_RCAR option is selected with a Gen3 SoC. Fixes: 2b16fd63059ab9 ("i2c: rcar: handle RXDMA HW behaviour on Gen3") Signed-off-by: Dirk Behme Signed-off-by: Andy Lowe [erosca: Add "if ARCH_RCAR_GEN3" per Wolfram's request] Signed-off-by: Eugeniu Rosca Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e1d8263a59494079666d2ed7be058f54a127a693 Author: Jassi Brar Date: Fri Oct 16 12:20:56 2020 -0500 mailbox: avoid timer start from callback [ Upstream commit c7dacf5b0f32957b24ef29df1207dc2cd8307743 ] If the txdone is done by polling, it is possible for msg_submit() to start the timer while txdone_hrtimer() callback is running. If the timer needs recheduling, it could already be enqueued by the time hrtimer_forward_now() is called, leading hrtimer to loudly complain. WARNING: CPU: 3 PID: 74 at kernel/time/hrtimer.c:932 hrtimer_forward+0xc4/0x110 CPU: 3 PID: 74 Comm: kworker/u8:1 Not tainted 5.9.0-rc2-00236-gd3520067d01c-dirty #5 Hardware name: Libre Computer AML-S805X-AC (DT) Workqueue: events_freezable_power_ thermal_zone_device_check pstate: 20000085 (nzCv daIf -PAN -UAO BTYPE=--) pc : hrtimer_forward+0xc4/0x110 lr : txdone_hrtimer+0xf8/0x118 [...] This can be fixed by not starting the timer from the callback path. Which requires the timer reloading as long as any message is queued on the channel, and not just when current tx is not done yet. Fixes: 0cc67945ea59 ("mailbox: switch to hrtimer for tx_complete polling") Reported-by: Da Xue Reviewed-by: Sudeep Holla Tested-by: Sudeep Holla Acked-by: Jerome Brunet Tested-by: Jerome Brunet Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit 8e8bdb139d2d11d3840bed493b1e73609c8ddfbe Author: Jing Xiangfeng Date: Thu Oct 15 20:13:18 2020 -0700 rapidio: fix the missed put_device() for rio_mport_add_riodev [ Upstream commit 85094c05eeb47d195a74a25366a2db066f1c9d47 ] rio_mport_add_riodev() misses to call put_device() when the device already exists. Add the missed function call to fix it. Fixes: e8de370188d0 ("rapidio: add mport char device driver") Signed-off-by: Jing Xiangfeng Signed-off-by: Andrew Morton Reviewed-by: Dan Carpenter Cc: Matt Porter Cc: Alexandre Bounine Cc: Gustavo A. R. Silva Cc: John Hubbard Cc: Kees Cook Cc: Madhuparna Bhowmik Link: https://lkml.kernel.org/r/20200922072525.42330-1-jingxiangfeng@huawei.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit abb48d0cdec3dd350ba1efe6d06d4dea737d3c7a Author: Souptick Joarder Date: Thu Oct 15 20:13:15 2020 -0700 rapidio: fix error handling path [ Upstream commit fa63f083b3492b5ed5332b8d7c90b03b5ef24a1d ] rio_dma_transfer() attempts to clamp the return value of pin_user_pages_fast() to be >= 0. However, the attempt fails because nr_pages is overridden a few lines later, and restored to the undesirable -ERRNO value. The return value is ultimately stored in nr_pages, which in turn is passed to unpin_user_pages(), which expects nr_pages >= 0, else, disaster. Fix this by fixing the nesting of the assignment to nr_pages: nr_pages should be clamped to zero if pin_user_pages_fast() returns -ERRNO, or set to the return value of pin_user_pages_fast(), otherwise. [jhubbard@nvidia.com: new changelog] Fixes: e8de370188d09 ("rapidio: add mport char device driver") Signed-off-by: Souptick Joarder Signed-off-by: Andrew Morton Reviewed-by: Ira Weiny Reviewed-by: John Hubbard Cc: Matthew Wilcox Cc: Matt Porter Cc: Alexandre Bounine Cc: Gustavo A. R. Silva Cc: Madhuparna Bhowmik Cc: Dan Carpenter Link: https://lkml.kernel.org/r/1600227737-20785-1-git-send-email-jrdr.linux@gmail.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 2f373fdb25dad065e5fbef8ca866d137721bdb75 Author: Matthew Wilcox (Oracle) Date: Thu Oct 15 20:13:04 2020 -0700 ramfs: fix nommu mmap with gaps in the page cache [ Upstream commit 50b7d85680086126d7bd91dae81d57d4cb1ab6b7 ] ramfs needs to check that pages are both physically contiguous and contiguous in the file. If the page cache happens to have, eg, page A for index 0 of the file, no page for index 1, and page A+1 for index 2, then an mmap of the first two pages of the file will succeed when it should fail. Fixes: 642fb4d1f1dd ("[PATCH] NOMMU: Provide shared-writable mmap support on ramfs") Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Andrew Morton Cc: David Howells Link: https://lkml.kernel.org/r/20200914122239.GO6583@casper.infradead.org Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6f0344af61d575d1192a3dac863e671a5d7ff019 Author: Tobias Jordan Date: Thu Oct 15 20:11:38 2020 -0700 lib/crc32.c: fix trivial typo in preprocessor condition [ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ] Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS. Obviously, the _be function should be governed by the _BE_ define. This probably never pops up as it's hard to come up with a configuration where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using bitwise CRC anyway. Fixes: 46c5801eaf86 ("crc32: bolt on crc32c") Signed-off-by: Tobias Jordan Signed-off-by: Andrew Morton Cc: Krzysztof Kozlowski Cc: Jonathan Corbet Cc: Mauro Carvalho Chehab Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 83dde43b50728377d5d383c50cee42b9a92422c4 Author: Jamie Iles Date: Mon Oct 12 14:09:48 2020 +0100 f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info [ Upstream commit ae284d87abade58c8db7760c808f311ef1ce693c ] syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an f2fs filesystem could result in the following splat: kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250) kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750) ------------[ cut here ]------------ ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98 WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x0/0x4d8 show_stack+0x34/0x48 dump_stack+0x174/0x1f8 panic+0x360/0x7a0 __warn+0x244/0x2ec report_bug+0x240/0x398 bug_handler+0x50/0xc0 call_break_hook+0x160/0x1d8 brk_handler+0x30/0xc0 do_debug_exception+0x184/0x340 el1_dbg+0x48/0xb0 el1_sync_handler+0x170/0x1c8 el1_sync+0x80/0x100 debug_print_object+0x180/0x240 debug_check_no_obj_freed+0x200/0x430 slab_free_freelist_hook+0x190/0x210 kfree+0x13c/0x460 f2fs_put_super+0x624/0xa58 generic_shutdown_super+0x120/0x300 kill_block_super+0x94/0xf8 kill_f2fs_super+0x244/0x308 deactivate_locked_super+0x104/0x150 deactivate_super+0x118/0x148 cleanup_mnt+0x27c/0x3c0 __cleanup_mnt+0x28/0x38 task_work_run+0x10c/0x248 do_notify_resume+0x9d4/0x1188 work_pending+0x8/0x34c Like the error handling for f2fs_register_sysfs(), we need to wait for the kobject to be destroyed before returning to prevent a potential use-after-free. Fixes: bf9e697ecd42 ("f2fs: expose features to sysfs entry") Cc: Jaegeuk Kim Cc: Chao Yu Signed-off-by: Jamie Iles Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 72322fd42ee0b1bee91186ae2ce10d2996ed361b Author: Colin Ian King Date: Thu Oct 8 10:52:04 2020 +0100 IB/rdmavt: Fix sizeof mismatch [ Upstream commit 8e71f694e0c819db39af2336f16eb9689f1ae53f ] An incorrect sizeof is being used, struct rvt_ibport ** is not correct, it should be struct rvt_ibport *. Note that since ** is the same size as * this is not causing any issues. Improve this fix by using sizeof(*rdi->ports) as this allows us to not even reference the type of the pointer. Also remove line breaks as the entire statement can fit on one line. Link: https://lore.kernel.org/r/20201008095204.82683-1-colin.king@canonical.com Addresses-Coverity: ("Sizeof not portable (SIZEOF_MISMATCH)") Fixes: ff6acd69518e ("IB/rdmavt: Add device structure allocation") Signed-off-by: Colin Ian King Reviewed-by: Ira Weiny Acked-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e146abfa0e7169c681af316e7990a5a8de10b292 Author: Srikar Dronamraju Date: Tue Sep 22 13:32:54 2020 +0530 cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_reboot_notifier [ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ] The patch avoids allocating cpufreq_policy on stack hence fixing frame size overflow in 'powernv_cpufreq_reboot_notifier': drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier: drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec") Signed-off-by: Srikar Dronamraju Reviewed-by: Daniel Axtens Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 75b270f8d73f0bd2e70f11a75a6e6961d18de44d Author: Kajol Jain Date: Sat Oct 3 13:19:39 2020 +0530 powerpc/perf/hv-gpci: Fix starting index value [ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ] Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") adds a framework for defining gpci counters. In this patch, they adds starting_index value as '0xffffffffffffffff'. which is wrong as starting_index is of size 32 bits. Because of this, incase we try to run hv-gpci event we get error. In power9 machine: command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 event syntax error: '..bie_count_and_time_tlbie_instructions_issued/' \___ value too big for format, maximum is 4294967295 This patch fix this issue and changes starting_index value to '0xffffffff' After this patch: command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") Signed-off-by: Kajol Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com Signed-off-by: Sasha Levin commit 37fcf4be0ec3fc0282fd4527d098fe633fdb417c Author: Athira Rajeev Date: Mon Sep 21 03:10:04 2020 -0400 powerpc/perf: Exclude pmc5/6 from the irrelevant PMU group constraints [ Upstream commit 3b6c3adbb2fa42749c3d38cfc4d4d0b7e096bb7b ] PMU counter support functions enforces event constraints for group of events to check if all events in a group can be monitored. Incase of event codes using PMC5 and PMC6 ( 500fa and 600f4 respectively ), not all constraints are applicable, say the threshold or sample bits. But current code includes pmc5 and pmc6 in some group constraints (like IC_DC Qualifier bits) which is actually not applicable and hence results in those events not getting counted when scheduled along with group of other events. Patch fixes this by excluding PMC5/6 from constraints which are not relevant for it. Fixes: 7ffd948 ("powerpc/perf: factor out power8 pmu functions") Signed-off-by: Athira Rajeev Reviewed-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1600672204-1610-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit ff615d2f2efaf97717e6cd5f8ae27b9959e05a85 Author: Leon Romanovsky Date: Sun Sep 13 13:29:28 2020 +0300 overflow: Include header file with SIZE_MAX declaration [ Upstream commit a4947e84f23474803b62a2759b5808147e4e15f9 ] The various array_size functions use SIZE_MAX define, but missed limits.h causes to failure to compile code that needs overflow.h. In file included from drivers/infiniband/core/uverbs_std_types_device.c:6: ./include/linux/overflow.h: In function 'array_size': ./include/linux/overflow.h:258:10: error: 'SIZE_MAX' undeclared (first use in this function) 258 | return SIZE_MAX; | ^~~~~~~~ Fixes: 610b15c50e86 ("overflow.h: Add allocation size calculation helpers") Link: https://lore.kernel.org/r/20200913102928.134985-1-leon@kernel.org Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c7d131dae2b5e4f07de3cbbadd16198d3a197ff3 Author: Daniel Thompson Date: Wed Sep 9 15:17:08 2020 +0100 kdb: Fix pager search for multi-line strings [ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ] Currently using forward search doesn't handle multi-line strings correctly. The search routine replaces line breaks with \0 during the search and, for regular searches ("help | grep Common\n"), there is code after the line has been discarded or printed to replace the break character. However during a pager search ("help\n" followed by "/Common\n") when the string is matched we will immediately return to normal output and the code that should restore the \n becomes unreachable. Fix this by restoring the replaced character when we disable the search mode and update the comment accordingly. Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt") Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org Reviewed-by: Douglas Anderson Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin commit 63cda332a306285feeec95d5d1fa91fcc05a0e4c Author: Lijun Ou Date: Thu Sep 17 21:50:15 2020 +0800 RDMA/hns: Set the unsupported wr opcode [ Upstream commit 22d3e1ed2cc837af87f76c3c8a4ccf4455e225c5 ] hip06 does not support IB_WR_LOCAL_INV, so the ps_opcode should be set to an invalid value instead of being left uninitialized. Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver") Fixes: a2f3d4479fe9 ("RDMA/hns: Avoid unncessary initialization") Link: https://lore.kernel.org/r/1600350615-115217-1-git-send-email-oulijun@huawei.com Signed-off-by: Lijun Ou Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 98f78dd3caf9836b1a5fe9b96084319cfcb0c1cb Author: Adrian Hunter Date: Wed Sep 9 11:49:23 2020 +0300 perf intel-pt: Fix "context_switch event has no tid" error [ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ] A context_switch event can have no tid because pids can be detached from a task while the task is still running (in do_exit()). Note this won't happen with per-task contexts because then tracing stops at perf_event_exit_task() If a task with no tid gets preempted, or a dying task gets preempted and its parent releases it, when it subsequently gets switched back in, Intel PT will not be able to determine what task is running and prints an error "context_switch event has no tid". However, it is not really an error because the task is in kernel space and the decoder can continue to decode successfully. Fix by changing the error to be only a logged message, and make allowance for tid == -1. Example: Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g. $ uname -r 5.9.0-rc4 $ grep PREEMPT .config # CONFIG_PREEMPT_NONE is not set # CONFIG_PREEMPT_VOLUNTARY is not set CONFIG_PREEMPT=y CONFIG_PREEMPT_COUNT=y CONFIG_PREEMPTION=y CONFIG_PREEMPT_RCU=y CONFIG_PREEMPT_NOTIFIERS=y CONFIG_DRM_I915_PREEMPT_TIMEOUT=640 CONFIG_DEBUG_PREEMPT=y # CONFIG_PREEMPT_TRACER is not set # CONFIG_PREEMPTIRQ_DELAY_TEST is not set Before: $ cat forkit.c #include #include #include int main() { pid_t child; int status = 0; child = fork(); if (child == 0) return 123; wait(&status); return 0; } $ gcc -o forkit forkit.c $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k & [1] 11016 $ taskset 2 ./forkit $ sudo pkill perf $ [ perf record: Woken up 1 times to write data ] [ perf record: Captured and wrote 17.262 MB perf.data ] [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit context_switch event has no tid taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) After: $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1 :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms]) Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH") Signed-off-by: Adrian Hunter Cc: Andi Kleen Cc: Jiri Olsa Cc: Yu-cheng Yu Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 9fb97ac5b1c9070ec9eaa56c7dcb4a4b2303d598 Author: Finn Thain Date: Sat Sep 5 09:02:20 2020 +1000 powerpc/tau: Disable TAU between measurements [ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ] Enabling CONFIG_TAU_INT causes random crashes: Unrecoverable exception 1700 at c0009414 (msr=1000) Oops: Unrecoverable exception, sig: 6 [#1] BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac Modules linked in: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5 NIP: c0009414 LR: c0009414 CTR: c00116fc REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593) MSR: 00001000 CR: 22000228 XER: 00000100 GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032 GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000 GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04 GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c NIP [c0009414] arch_cpu_idle+0x24/0x6c LR [c0009414] arch_cpu_idle+0x24/0x6c Call Trace: [c0799f70] [00000001] 0x1 (unreliable) [c0799f80] [c0060990] do_idle+0xd8/0x17c [c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28 [c0799fb0] [c072d220] start_kernel+0x434/0x44c [c0799ff0] [00003860] 0x3860 Instruction dump: XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6 XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6 ---[ end trace 3a0c9b5cb216db6b ]--- Resolve this problem by disabling each THRMn comparator when handling the associated THRMn interrupt and by disabling the TAU entirely when updating THRMn thresholds. Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au Signed-off-by: Sasha Levin commit cbd0b229995bcb691eb5d353a79435fa0331b55d Author: Finn Thain Date: Sat Sep 5 09:02:20 2020 +1000 powerpc/tau: Remove duplicated set_thresholds() call [ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ] The commentary at the call site seems to disagree with the code. The conditional prevents calling set_thresholds() via the exception handler, which appears to crash. Perhaps that's because it immediately triggers another TAU exception. Anyway, calling set_thresholds() from TAUupdate() is redundant because tau_timeout() does so. Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au Signed-off-by: Sasha Levin commit 23237a12625dc21414d135f75446355cfb611bb1 Author: Finn Thain Date: Sat Sep 5 09:02:20 2020 +1000 powerpc/tau: Use appropriate temperature sample interval [ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ] According to the MPC750 Users Manual, the SITV value in Thermal Management Register 3 is 13 bits long. The present code calculates the SITV value as 60 * 500 cycles. This would overflow to give 10 us on a 500 MHz CPU rather than the intended 60 us. (But according to the Microprocessor Datasheet, there is also a factor of 266 that has to be applied to this value on certain parts i.e. speed sort above 266 MHz.) Always use the maximum cycle count, as recommended by the Datasheet. Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") Signed-off-by: Finn Thain Tested-by: Stan Johnson Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au Signed-off-by: Sasha Levin commit 3c6d33035908a5e95eb0e5dbed3884dad4b066b1 Author: Michal Kalderon Date: Wed Sep 2 19:57:36 2020 +0300 RDMA/qedr: Fix use of uninitialized field [ Upstream commit a379ad54e55a12618cae7f6333fd1b3071de9606 ] dev->attr.page_size_caps was used uninitialized when setting device attributes Fixes: ec72fce401c6 ("qedr: Add support for RoCE HW init") Link: https://lore.kernel.org/r/20200902165741.8355-4-michal.kalderon@marvell.com Signed-off-by: Michal Kalderon Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1577152a3a131d62d5e04fb6aba4b1be95a54c7f Author: Darrick J. Wong Date: Thu Oct 1 10:56:07 2020 -0700 xfs: limit entries returned when counting fsmap records [ Upstream commit acd1ac3aa22fd58803a12d26b1ab7f70232f8d8d ] If userspace asked fsmap to count the number of entries, we cannot return more than UINT_MAX entries because fmh_entries is u32. Therefore, stop counting if we hit this limit or else we will waste time to return truncated results. Fixes: e89c041338ed ("xfs: implement the GETFSMAP ioctl") Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Chandan Babu R Signed-off-by: Sasha Levin commit f6cb0dcfee62a8b2f811b27714a7326ddc8a1087 Author: Necip Fazil Yildiran Date: Mon Sep 14 14:46:52 2020 +0300 arc: plat-hsdk: fix kconfig dependency warning when !RESET_CONTROLLER [ Upstream commit 63bcf87cb1c57956e1179f1a78dde625c7e3cba7 ] When ARC_SOC_HSDK is enabled and RESET_CONTROLLER is disabled, it results in the following Kbuild warning: WARNING: unmet direct dependencies detected for RESET_HSDK Depends on [n]: RESET_CONTROLLER [=n] && HAS_IOMEM [=y] && (ARC_SOC_HSDK [=y] || COMPILE_TEST [=n]) Selected by [y]: - ARC_SOC_HSDK [=y] && ISA_ARCV2 [=y] The reason is that ARC_SOC_HSDK selects RESET_HSDK without depending on or selecting RESET_CONTROLLER while RESET_HSDK is subordinate to RESET_CONTROLLER. Honor the kconfig menu hierarchy to remove kconfig dependency warnings. Fixes: a528629dfd3b ("ARC: [plat-hsdk] select CONFIG_RESET_HSDK from Kconfig") Signed-off-by: Necip Fazil Yildiran Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit aa273a3236b6ddb241d6f1bf132bfb490dcb503c Author: Guillaume Tucker Date: Tue Sep 1 16:58:06 2020 +0100 ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT values [ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ] The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and instruction prefetch respectively can also be accessed via the L2X0_AUX_CTRL register. They appear to be actually wired together in hardware between the registers. Changing them in the prefetch register only will get undone when restoring the aux control register later on. For this reason, set these bits in both registers during initialisation according to the devicetree property values. Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/ Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior") Signed-off-by: Guillaume Tucker Signed-off-by: Russell King Signed-off-by: Sasha Levin commit b26380cfbf0489ee9f88e68f466cf4cc00520ac3 Author: Mark Tomlinson Date: Thu Sep 3 15:42:17 2020 +1200 mtd: mtdoops: Don't write panic data twice [ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ] If calling mtdoops_write, don't also schedule work to be done later. Although this appears to not be causing an issue, possibly because the scheduled work will never get done, it is confusing. Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly") Signed-off-by: Mark Tomlinson Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz Signed-off-by: Sasha Levin commit 8f781b33b319798a5ffadc35101a01bb4f75d750 Author: Arnd Bergmann Date: Tue May 5 16:01:16 2020 +0200 mtd: lpddr: fix excessive stack usage with clang [ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ] Building lpddr2_nvm with clang can result in a giant stack usage in one function: drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=] The problem is that clang decides to build a copy of the mtd_info structure on the stack and then do a memcpy() into the actual version. It shouldn't really do it that way, but it's not strictly a bug either. As a workaround, use a static const version of the structure to assign most of the members upfront and then only set the few members that require runtime knowledge at probe time. Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") Signed-off-by: Arnd Bergmann Reviewed-by: Nathan Chancellor Acked-by: Miquel Raynal Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de Signed-off-by: Sasha Levin commit 04b709854bb06bdfc7764829d76d5b14d7f60477 Author: Nicholas Mc Guire Date: Wed Jul 4 10:03:27 2018 +0200 powerpc/icp-hv: Fix missing of_node_put() in success path [ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ] Both of_find_compatible_node() and of_find_node_by_type() will return a refcounted node on success - thus for the success path the node must be explicitly released with a of_node_put(). Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver") Signed-off-by: Nicholas Mc Guire Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org Signed-off-by: Sasha Levin commit 912991aea862c16e85bb7064d42f2c97704c185f Author: Nicholas Mc Guire Date: Mon Jul 2 11:08:16 2018 +0200 powerpc/pseries: Fix missing of_node_put() in rng_init() [ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ] The call to of_find_compatible_node() returns a node pointer with refcount incremented thus it must be explicitly decremented here before returning. Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") Signed-off-by: Nicholas Mc Guire Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org Signed-off-by: Sasha Levin commit d0539eb008349455a020f1c8a541c350d4ba6fdd Author: Håkon Bugge Date: Mon Aug 3 08:19:41 2020 +0200 IB/mlx4: Adjust delayed work when a dup is observed [ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ] When scheduling delayed work to clean up the cache, if the entry already has been scheduled for deletion, we adjust the delay. Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4df76024c06ab45354a75cd7cebc93faf093c871 Author: Håkon Bugge Date: Mon Aug 3 08:19:39 2020 +0200 IB/mlx4: Fix starvation in paravirt mux/demux [ Upstream commit 7fd1507df7cee9c533f38152fcd1dd769fcac6ce ] The mlx4 driver will proxy MAD packets through the PF driver. A VM or an instantiated VF will send its MAD packets to the PF driver using loop-back. The PF driver will be informed by an interrupt, but defer the handling and polling of CQEs to a worker thread running on an ordered work-queue. Consider the following scenario: the VMs will in short proximity in time, for example due to a network event, send many MAD packets to the PF driver. Lets say there are K VMs, each sending N packets. The interrupt from the first VM will start the worker thread, which will poll N CQEs. A common case here is where the PF driver will multiplex the packets received from the VMs out on the wire QP. But before the wire QP has returned a send CQE and associated interrupt, the other K - 1 VMs have sent their N packets as well. The PF driver has to multiplex K * N packets out on the wire QP. But the send-queue on the wire QP has a finite capacity. So, in this scenario, if K * N is larger than the send-queue capacity of the wire QP, we will get MAD packets dropped on the floor with this dynamic debug message: mlx4_ib_multiplex_mad: failed sending GSI to wire on behalf of slave 2 (-11) and this despite the fact that the wire send-queue could have capacity, but the PF driver isn't aware, because the wire send CQEs have not yet been polled. We can also have a similar scenario inbound, with a wire recv-queue larger than the tunnel QP's send-queue. If many remote peers send MAD packets to the very same VM, the tunnel send-queue destined to the VM could allegedly be construed to be full by the PF driver. This starvation is fixed by introducing separate work queues for the wire QPs vs. the tunnel QPs. With this fix, using a dual ported HCA, 8 VFs instantiated, we could run cmtime on each of the 18 interfaces towards a similar configured peer, each cmtime instance with 800 QPs (all in all 14400 QPs) without a single CM packet getting lost. Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") Link: https://lore.kernel.org/r/20200803061941.1139994-5-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fc7d33941b6f4b649a540c24a734c05e6c7bb658 Author: Suren Baghdasaryan Date: Tue Oct 13 16:58:35 2020 -0700 mm, oom_adj: don't loop through tasks in __set_oom_adj when not necessary [ Upstream commit 67197a4f28d28d0b073ab0427b03cb2ee5382578 ] Currently __set_oom_adj loops through all processes in the system to keep oom_score_adj and oom_score_adj_min in sync between processes sharing their mm. This is done for any task with more that one mm_users, which includes processes with multiple threads (sharing mm and signals). However for such processes the loop is unnecessary because their signal structure is shared as well. Android updates oom_score_adj whenever a tasks changes its role (background/foreground/...) or binds to/unbinds from a service, making it more/less important. Such operation can happen frequently. We noticed that updates to oom_score_adj became more expensive and after further investigation found out that the patch mentioned in "Fixes" introduced a regression. Using Pixel 4 with a typical Android workload, write time to oom_score_adj increased from ~3.57us to ~362us. Moreover this regression linearly depends on the number of multi-threaded processes running on the system. Mark the mm with a new MMF_MULTIPROCESS flag bit when task is created with (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK). Change __set_oom_adj to use MMF_MULTIPROCESS instead of mm_users to decide whether oom_score_adj update should be synchronized between multiple processes. To prevent races between clone() and __set_oom_adj(), when oom_score_adj of the process being cloned might be modified from userspace, we use oom_adj_mutex. Its scope is changed to global. The combination of (CLONE_VM && !CLONE_THREAD) is rarely used except for the case of vfork(). To prevent performance regressions of vfork(), we skip taking oom_adj_mutex and setting MMF_MULTIPROCESS when CLONE_VFORK is specified. Clearing the MMF_MULTIPROCESS flag (when the last process sharing the mm exits) is left out of this patch to keep it simple and because it is believed that this threading model is rare. Should there ever be a need for optimizing that case as well, it can be done by hooking into the exit path, likely following the mm_update_next_owner pattern. With the combination of (CLONE_VM && !CLONE_THREAD && !CLONE_VFORK) being quite rare, the regression is gone after the change is applied. [surenb@google.com: v3] Link: https://lkml.kernel.org/r/20200902012558.2335613-1-surenb@google.com Fixes: 44a70adec910 ("mm, oom_adj: make sure processes sharing mm have same view of oom_score_adj") Reported-by: Tim Murray Suggested-by: Michal Hocko Signed-off-by: Suren Baghdasaryan Signed-off-by: Andrew Morton Acked-by: Christian Brauner Acked-by: Michal Hocko Acked-by: Oleg Nesterov Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: Eugene Syromiatnikov Cc: Christian Kellner Cc: Adrian Reber Cc: Shakeel Butt Cc: Aleksa Sarai Cc: Alexey Dobriyan Cc: "Eric W. Biederman" Cc: Alexey Gladkov Cc: Michel Lespinasse Cc: Daniel Jordan Cc: Andrei Vagin Cc: Bernd Edlinger Cc: John Johansen Cc: Yafang Shao Link: https://lkml.kernel.org/r/20200824153036.3201505-1-surenb@google.com Debugged-by: Minchan Kim Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 09d2801f39754383dabe8e29829d07fb6138c253 Author: Ralph Campbell Date: Tue Oct 13 16:53:13 2020 -0700 mm/memcg: fix device private memcg accounting [ Upstream commit 9a137153fc8798a89d8fce895cd0a06ea5b8e37c ] The code in mc_handle_swap_pte() checks for non_swap_entry() and returns NULL before checking is_device_private_entry() so device private pages are never handled. Fix this by checking for non_swap_entry() after handling device private swap PTEs. I assume the memory cgroup accounting would be off somehow when moving a process to another memory cgroup. Currently, the device private page is charged like a normal anonymous page when allocated and is uncharged when the page is freed so I think that path is OK. Signed-off-by: Ralph Campbell Signed-off-by: Andrew Morton Acked-by: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Jerome Glisse Cc: Balbir Singh Cc: Ira Weiny Link: https://lkml.kernel.org/r/20201009215952.2726-1-rcampbell@nvidia.com xFixes: c733a82874a7 ("mm/memcontrol: support MEMORY_DEVICE_PRIVATE") Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 11fe3495e92e9e8b0c102f20556ad3da0f5873d3 Author: Valentin Vidic Date: Mon Oct 12 00:03:29 2020 +0200 net: korina: fix kfree of rx/tx descriptor array [ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ] kmalloc returns KSEG0 addresses so convert back from KSEG1 in kfree. Also make sure array is freed when the driver is unloaded from the kernel. Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") Signed-off-by: Valentin Vidic Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 89121da24833efb70d969cd8f3cc4d9999aaa7da Author: Tom Rix Date: Sun Oct 4 06:19:31 2020 -0700 mwifiex: fix double free [ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ] clang static analysis reports this problem: sdio.c:2403:3: warning: Attempt to free released memory kfree(card->mpa_rx.buf); ^~~~~~~~~~~~~~~~~~~~~~~ When mwifiex_init_sdio() fails in its first call to mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it again. If the second alloc of mpa_tx.buf fails, the error handler will try to free the old, previously freed mpa_rx.buf. Reviewing the code, it looks like a second double free would happen with mwifiex_cleanup_sdio(). So set both pointers to NULL when they are freed. Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") Signed-off-by: Tom Rix Reviewed-by: Brian Norris Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com Signed-off-by: Sasha Levin commit 4c0ab952c4229cacf661d0f6c6d511acc5d2fa9d Author: Dan Carpenter Date: Mon Sep 28 12:13:00 2020 +0300 scsi: be2iscsi: Fix a theoretical leak in beiscsi_create_eqs() [ Upstream commit 38b2db564d9ab7797192ef15d7aade30633ceeae ] The be_fill_queue() function can only fail when "eq_vaddress" is NULL and since it's non-NULL here that means the function call can't fail. But imagine if it could, then in that situation we would want to store the "paddr" so that dma memory can be released. Link: https://lore.kernel.org/r/20200928091300.GD377727@mwanda Fixes: bfead3b2cb46 ("[SCSI] be2iscsi: Adding msix and mcc_rings V3") Signed-off-by: Dan Carpenter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4abb2c64ae02368e7bc5dac7b7c9facb64ca3fb7 Author: Minas Harutyunyan Date: Thu Sep 24 18:08:39 2020 +0400 usb: dwc2: Fix INTR OUT transfers in DDMA mode. [ Upstream commit b2c586eb07efab982419f32b7c3bd96829bc8bcd ] In DDMA mode if INTR OUT transfers mps not multiple of 4 then single packet corresponds to single descriptor. Descriptor limit set to mps and desc chain limit set to mps * MAX_DMA_DESC_NUM_GENERIC. On that descriptors complete, to calculate transfer size should be considered correction value for each descriptor. In start request function, if "continue" is true then dma buffer address should be incremmented by offset for all type of transfers, not only for Control DATA_OUT transfers. Fixes: cf77b5fb9b394 ("usb: dwc2: gadget: Transfer length limit checking for DDMA") Fixes: e02f9aa6119e0 ("usb: dwc2: gadget: EP 0 specific DDMA programming") Fixes: aa3e8bc81311e ("usb: dwc2: gadget: DDMA transfer start and complete") Signed-off-by: Minas Harutyunyan Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 1718088a3e7ac0aea158da982b6e0430a1c0e58a Author: Johannes Berg Date: Mon Sep 28 13:07:18 2020 +0200 nl80211: fix non-split wiphy information [ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ] When dumping wiphy information, we try to split the data into many submessages, but for old userspace we still support the old mode where this doesn't happen. However, in this case we were not resetting our state correctly and dumping multiple messages for each wiphy, which would have broken such older userspace. This was broken pretty much immediately afterwards because it only worked in the original commit where non-split dumps didn't have any more data than split dumps... Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising") Signed-off-by: Johannes Berg Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 424f50e64610c762e111997a5d5748a2b799d59b Author: Lorenzo Colitti Date: Wed Aug 19 01:19:49 2020 +0900 usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well [ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ] The u_ether driver has a qmult setting that multiplies the transmit queue length (which by default is 2). The intent is that it should be enabled at high/super speed, but because the code does not explicitly check for USB_SUPER_PLUS, it is disabled at that speed. Fix this by ensuring that the queue multiplier is enabled for any wired link at high speed or above. Using >= for USB_SPEED_* constants seems correct because it is what the gadget_is_xxxspeed functions do. The queue multiplier substantially helps performance at higher speeds. On a direct SuperSpeed Plus link to a Linux laptop, iperf3 single TCP stream: Before (qmult=1): 1.3 Gbps After (qmult=5): 3.2 Gbps Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget") Reviewed-by: Maciej Żenczykowski Signed-off-by: Lorenzo Colitti Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 9144ea5a6cc29fbc2ec9c060188a41e6891ebb99 Author: Lorenzo Colitti Date: Tue Aug 25 14:55:03 2020 +0900 usb: gadget: f_ncm: fix ncm_bitrate for SuperSpeed and above. [ Upstream commit 986499b1569af980a819817f17238015b27793f6 ] Currently, SuperSpeed NCM gadgets report a speed of 851 Mbps in USB_CDC_NOTIFY_SPEED_CHANGE. But the calculation appears to assume 16 packets per microframe, and USB 3 and above no longer use microframes. Maximum speed is actually much higher. On a direct connection, theoretical throughput is at most 3.86 Gbps for gen1x1 and 9.36 Gbps for gen2x1, and I have seen gadget->host iperf throughput of >2 Gbps for gen1x1 and >4 Gbps for gen2x1. Unfortunately the ConnectionSpeedChange defined in the CDC spec only uses 32-bit values, so we can't report accurate numbers for 10Gbps and above. So, report 3.75Gbps for SuperSpeed (which is roughly maximum theoretical performance) and 4.25Gbps for SuperSpeed Plus (which is close to the maximum that we can report in a 32-bit unsigned integer). This results in: [50879.191272] cdc_ncm 2-2:1.0 enx228b127e050c: renamed from usb0 [50879.234778] cdc_ncm 2-2:1.0 enx228b127e050c: 3750 mbit/s downlink 3750 mbit/s uplink on SuperSpeed and: [50798.434527] cdc_ncm 8-2:1.0 enx228b127e050c: renamed from usb0 [50798.524278] cdc_ncm 8-2:1.0 enx228b127e050c: 4250 mbit/s downlink 4250 mbit/s uplink on SuperSpeed Plus. Fixes: 1650113888fe ("usb: gadget: f_ncm: add SuperSpeed descriptors for CDC NCM") Reviewed-by: Maciej Żenczykowski Signed-off-by: Lorenzo Colitti Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit a777eb9e28c5aa7faea4650bf94cd4bbef24434d Author: Emmanuel Grumbach Date: Wed Sep 30 10:31:20 2020 +0300 iwlwifi: mvm: split a print to avoid a WARNING in ROC [ Upstream commit 903b3f9badf1d54f77b468b96706dab679b45b14 ] A print in the remain on channel code was too long and caused a WARNING, split it. Signed-off-by: Emmanuel Grumbach Fixes: dc28e12f2125 ("iwlwifi: mvm: ROC: Extend the ROC max delay duration & limit ROC duration") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20200930102759.58d57c0bdc68.Ib06008665e7bf1199c360aa92691d9c74fb84990@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit dc909a96b458be2230470069eeb71fd39781d894 Author: Dan Carpenter Date: Fri Sep 11 14:33:26 2020 +0300 mfd: sm501: Fix leaks in probe() [ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ] This code should clean up if sm501_init_dev() fails. Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") Signed-off-by: Dan Carpenter Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit d5a8eeea37d34c5bec2150dfbe25cf0fef38256a Author: Thomas Gleixner Date: Tue Sep 29 22:25:10 2020 +0200 net: enic: Cure the enic api locking trainwreck [ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ] enic_dev_wait() has a BUG_ON(in_interrupt()). Chasing the callers of enic_dev_wait() revealed the gems of enic_reset() and enic_tx_hang_reset() which are both invoked through work queues in order to be able to call rtnl_lock(). So far so good. After locking rtnl both functions acquire enic::enic_api_lock which serializes against the (ab)use from infiniband. This is where the trainwreck starts. enic::enic_api_lock is a spin_lock() which implicitly disables preemption, but both functions invoke a ton of functions under that lock which can sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it can't detect the preempt disabled condition. This clearly has never been tested with any of the mandatory debug options for 7+ years, which would have caught that for sure. Cure it by adding a enic_api_busy member to struct enic, which is modified and evaluated with enic::enic_api_lock held. If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true, it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to become false. It would be smarter to wait for a completion of that busy period, but enic_api_devcmd_proxy_by_index() is called with other spin locks held which obviously can't sleep. Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and with proper debugging enabled the problem would have been caught from the debug checks in schedule_timeout(). Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware") Signed-off-by: Thomas Gleixner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c87bee5457d17622277e6ba7581bdb23f5372d81 Author: Colin Ian King Date: Fri Sep 25 14:22:24 2020 +0100 qtnfmac: fix resource leaks on unsupported iftype error return path [ Upstream commit 63f6982075d890d7563e2469643f05a37d193f01 ] Currently if an unsupported iftype is detected the error return path does not free the cmd_skb leading to a resource leak. Fix this by free'ing cmd_skb. Addresses-Coverity: ("Resource leak") Fixes: 805b28c05c8e ("qtnfmac: prepare for AP_VLAN interface type support") Signed-off-by: Colin Ian King Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200925132224.21638-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 9fccdf49813ea8aac9475772264f248f21deb214 Author: Dmitry Torokhov Date: Fri Sep 25 16:35:52 2020 -0700 HID: hid-input: fix stylus battery reporting [ Upstream commit 505f394fa239cecb76d916aa858f87ed7ea7fde4 ] With commit 4f3882177240 hid-input started clearing of "ignored" usages to avoid using garbage that might have been left in them. However "battery strength" usages should not be ignored, as we do want to use them. Fixes: 4f3882177240 ("HID: hid-input: clear unmapped usages") Reported-by: Kenneth Albanowski Tested-by: Kenneth Albanowski Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit d996dee5ff9c0db537fa189f8487544311d85e74 Author: Eric Dumazet Date: Thu Sep 24 11:36:19 2020 -0700 quota: clear padding in v2r1_mem2diskdqb() [ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ] Freshly allocated memory contains garbage, better make sure to init all struct v2r1_disk_dqblk fields to avoid KMSAN report: BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x21c/0x280 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285 qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394 v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 ext4_write_dquot fs/ext4/super.c:5934 [inline] ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 mark_dquot_dirty fs/quota/dquot.c:347 [inline] mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 do_tmpfile fs/namei.c:3316 [inline] path_openat+0x4035/0x6a90 fs/namei.c:3359 do_filp_open+0x2b8/0x710 fs/namei.c:3395 do_sys_openat2+0xa88/0x1140 fs/open.c:1168 do_sys_open fs/open.c:1184 [inline] __do_compat_sys_openat fs/open.c:1242 [inline] __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c RIP: 0023:0xf7ff4549 Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127 RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000 RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline] kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126 kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80 slab_alloc_node mm/slub.c:2907 [inline] slab_alloc mm/slub.c:2916 [inline] __kmalloc+0x2bb/0x4b0 mm/slub.c:3982 kmalloc include/linux/slab.h:559 [inline] getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52 qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378 v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 ext4_write_dquot fs/ext4/super.c:5934 [inline] ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 mark_dquot_dirty fs/quota/dquot.c:347 [inline] mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 do_tmpfile fs/namei.c:3316 [inline] path_openat+0x4035/0x6a90 fs/namei.c:3359 do_filp_open+0x2b8/0x710 fs/namei.c:3395 do_sys_openat2+0xa88/0x1140 fs/open.c:1168 do_sys_open fs/open.c:1184 [inline] __do_compat_sys_openat fs/open.c:1242 [inline] __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 entry_SYSENTER_compat_after_hwframe+0x4d/0x5c Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits") Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com Signed-off-by: Eric Dumazet Cc: Jan Kara Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 285b405b3a4a4b753cbf9bc8cab13581fcd44c9c Author: Nathan Chancellor Date: Fri Jul 24 23:03:54 2020 -0700 usb: dwc2: Fix parameter type in function pointer prototype [ Upstream commit 362b9398c962c9ec563653444e15ef9032ef3a90 ] When booting up on a Raspberry Pi 4 with Control Flow Integrity checking enabled, the following warning/panic happens: [ 1.626435] CFI failure (target: dwc2_set_bcm_params+0x0/0x4): [ 1.632408] WARNING: CPU: 0 PID: 32 at kernel/cfi.c:30 __cfi_check_fail+0x54/0x5c [ 1.640021] Modules linked in: [ 1.643137] CPU: 0 PID: 32 Comm: kworker/0:1 Not tainted 5.8.0-rc6-next-20200724-00051-g89ba619726de #1 [ 1.652693] Hardware name: Raspberry Pi 4 Model B Rev 1.2 (DT) [ 1.658637] Workqueue: events deferred_probe_work_func [ 1.663870] pstate: 60000005 (nZCv daif -PAN -UAO BTYPE=--) [ 1.669542] pc : __cfi_check_fail+0x54/0x5c [ 1.673798] lr : __cfi_check_fail+0x54/0x5c [ 1.678050] sp : ffff8000102bbaa0 [ 1.681419] x29: ffff8000102bbaa0 x28: ffffab09e21c7000 [ 1.686829] x27: 0000000000000402 x26: ffff0000f6e7c228 [ 1.692238] x25: 00000000fb7cdb0d x24: 0000000000000005 [ 1.697647] x23: ffffab09e2515000 x22: ffffab09e069a000 [ 1.703055] x21: 4c550309df1cf4c1 x20: ffffab09e2433c60 [ 1.708462] x19: ffffab09e160dc50 x18: ffff0000f6e8cc78 [ 1.713870] x17: 0000000000000041 x16: ffffab09e0bce6f8 [ 1.719278] x15: ffffab09e1c819b7 x14: 0000000000000003 [ 1.724686] x13: 00000000ffffefff x12: 0000000000000000 [ 1.730094] x11: 0000000000000000 x10: 00000000ffffffff [ 1.735501] x9 : c932f7abfc4bc600 x8 : c932f7abfc4bc600 [ 1.740910] x7 : 077207610770075f x6 : ffff0000f6c38f00 [ 1.746317] x5 : 0000000000000000 x4 : 0000000000000000 [ 1.751723] x3 : 0000000000000000 x2 : 0000000000000000 [ 1.757129] x1 : ffff8000102bb7d8 x0 : 0000000000000032 [ 1.762539] Call trace: [ 1.765030] __cfi_check_fail+0x54/0x5c [ 1.768938] __cfi_check+0x5fa6c/0x66afc [ 1.772932] dwc2_init_params+0xd74/0xd78 [ 1.777012] dwc2_driver_probe+0x484/0x6ec [ 1.781180] platform_drv_probe+0xb4/0x100 [ 1.785350] really_probe+0x228/0x63c [ 1.789076] driver_probe_device+0x80/0xc0 [ 1.793247] __device_attach_driver+0x114/0x160 [ 1.797857] bus_for_each_drv+0xa8/0x128 [ 1.801851] __device_attach.llvm.14901095709067289134+0xc0/0x170 [ 1.808050] bus_probe_device+0x44/0x100 [ 1.812044] deferred_probe_work_func+0x78/0xb8 [ 1.816656] process_one_work+0x204/0x3c4 [ 1.820736] worker_thread+0x2f0/0x4c4 [ 1.824552] kthread+0x174/0x184 [ 1.827837] ret_from_fork+0x10/0x18 CFI validates that all indirect calls go to a function with the same exact function pointer prototype. In this case, dwc2_set_bcm_params is the target, which has a parameter of type 'struct dwc2_hsotg *', but it is being implicitly cast to have a parameter of type 'void *' because that is the set_params function pointer prototype. Make the function pointer protoype match the definitions so that there is no more violation. Fixes: 7de1debcd2de ("usb: dwc2: Remove platform static params") Link: https://github.com/ClangBuiltLinux/linux/issues/1107 Signed-off-by: Nathan Chancellor Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 00b83a8f598187f5de072b5fe11d01eb4b87c4e5 Author: Takashi Iwai Date: Tue Sep 22 10:38:56 2020 +0200 ALSA: seq: oss: Avoid mutex lock for a long-time ioctl [ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ] Recently we applied a fix to cover the whole OSS sequencer ioctls with the mutex for dealing with the possible races. This works fine in general, but in theory, this may lead to unexpectedly long stall if an ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future timestamp was queued. For fixing such a potential stall, this patch changes the mutex lock applied conditionally excluding such an ioctl command. Also, change the mutex_lock() with the interruptible version for user to allow escaping from the big-hammer mutex. Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") Suggested-by: Pavel Machek Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 4f86b0d9563a8c42ae7679d560d0c9100a051864 Author: Souptick Joarder Date: Sun Sep 20 08:21:35 2020 +0530 misc: mic: scif: Fix error handling path [ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ] Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it will call pin_user_pages_fast() to map nr_pages. However, pin_user_pages_fast() might fail with a return value -ERRNO. The return value is stored in pinned_pages->nr_pages. which in turn is passed to unpin_user_pages(), which expects pinned_pages->nr_pages >=0, else disaster. Fix this by assigning pinned_pages->nr_pages to 0 if pin_user_pages_fast() returns -ERRNO. Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration") Cc: John Hubbard Cc: Ira Weiny Cc: Dan Carpenter Reviewed-by: John Hubbard Signed-off-by: Souptick Joarder Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cb25d1885d2ef15d97313b13c62a8e65b8e093ea Author: Dan Carpenter Date: Fri Sep 18 17:27:32 2020 +0300 ath6kl: wmi: prevent a shift wrapping bug in ath6kl_wmi_delete_pstream_cmd() [ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ] The "tsid" is a user controlled u8 which comes from debugfs. Values more than 15 are invalid because "active_tsids" is a 16 bit variable. If the value of "tsid" is more than 31 then that leads to a shift wrapping bug. Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda Signed-off-by: Sasha Levin commit a3cce32a69a27b963120cbaee44211fd5d3c2d4e Author: Thomas Preston Date: Fri Aug 28 22:32:26 2020 +0100 pinctrl: mcp23s08: Fix mcp23x17 precious range [ Upstream commit b9b7fb29433b906635231d0a111224efa009198c ] On page 23 of the datasheet [0] it says "The register remains unchanged until the interrupt is cleared via a read of INTCAP or GPIO." Include INTCAPA and INTCAPB registers in precious range, so that they aren't accidentally cleared when we read via debugfs. [0] https://ww1.microchip.com/downloads/en/DeviceDoc/20001952C.pdf Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") Signed-off-by: Thomas Preston Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20200828213226.1734264-3-thomas.preston@codethink.co.uk Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 5aa9c3a05662cbe8786d899fac01c1e0b6157969 Author: Thomas Preston Date: Fri Aug 28 22:32:25 2020 +0100 pinctrl: mcp23s08: Fix mcp23x17_regmap initialiser [ Upstream commit b445f6237744df5e8d4f56f8733b2108c611220a ] The mcp23x17_regmap is initialised with structs named "mcp23x16". However, the mcp23s08 driver doesn't support the MCP23016 device yet, so this appears to be a typo. Fixes: 8f38910ba4f6 ("pinctrl: mcp23s08: switch to regmap caching") Signed-off-by: Thomas Preston Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20200828213226.1734264-2-thomas.preston@codethink.co.uk Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 8ef9b6440f890fc60f0616aab90fd7c465ce81bd Author: Dan Carpenter Date: Mon Aug 24 11:57:35 2020 +0300 HID: roccat: add bounds checking in kone_sysfs_write_settings() [ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ] This code doesn't check if "settings->startup_profile" is within bounds and that could result in an out of bounds array access. What the code does do is it checks if the settings can be written to the firmware, so it's possible that the firmware has a bounds check? It's safer and easier to verify when the bounds checking is done in the kernel. Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse") Signed-off-by: Dan Carpenter Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit b1d39ad83acf90f48dc2265951542c670a115f9d Author: Tom Rix Date: Wed Aug 5 07:52:08 2020 -0700 video: fbdev: sis: fix null ptr dereference [ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ] Clang static analysis reports this representative error init.c:2501:18: warning: Array access (from variable 'queuedata') results in a null pointer dereference templ |= ((queuedata[i] & 0xc0) << 3); This is the problem block of code if(ModeNo > 0x13) { ... if(SiS_Pr->ChipType == SIS_730) { queuedata = &FQBQData730[0]; } else { queuedata = &FQBQData[0]; } } else { } queuedata is not set in the else block Reviewing the old code, the arrays FQBQData730 and FQBQData were used directly. So hoist the setting of queuedata out of the if-else block. Fixes: 544393fe584d ("[PATCH] sisfb update") Signed-off-by: Tom Rix Cc: Thomas Winischhofer Cc: Andrew Morton Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com Signed-off-by: Sasha Levin commit cba6da8adcc0867ac3957fd1c726783c9385922c Author: Colin Ian King Date: Thu Jul 23 18:02:27 2020 +0100 video: fbdev: vga16fb: fix setting of pixclock because a pass-by-value error [ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ] The pixclock is being set locally because it is being passed as a pass-by-value argument rather than pass-by-reference, so the computed pixclock is never being set in var->pixclock. Fix this by passing by reference. [This dates back to 2002, I found the offending commit from the git history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ] Addresses-Coverity: ("Unused value") Signed-off-by: Colin Ian King Cc: Daniel Vetter Cc: Jani Nikula [b.zolnierkie: minor patch summary fixup] [b.zolnierkie: removed "Fixes:" tag (not in upstream tree)] Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com Signed-off-by: Sasha Levin commit 84949ad704f6861f1da23a7e604877c20bac0cdf Author: Souptick Joarder Date: Wed Sep 2 02:51:11 2020 +0530 drivers/virt/fsl_hypervisor: Fix error handling path [ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ] First, when memory allocation for sg_list_unaligned failed, there is a bug of calling put_pages() as we haven't pinned any pages. Second, if get_user_pages_fast() failed we should unpin num_pinned pages. This will address both. As part of these changes, minor update in documentation. Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") Signed-off-by: Souptick Joarder Reviewed-by: Dan Carpenter Reviewed-by: John Hubbard Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit de01ce3e40e5b1eab1cead0c90b73c166cacce6a Author: Hans de Goede Date: Thu Sep 3 13:23:24 2020 +0200 pwm: lpss: Add range limit check for the base_unit register value [ Upstream commit ef9f60daab309558c8bb3e086a9a11ee40bd6061 ] When the user requests a high enough period ns value, then the calculations in pwm_lpss_prepare() might result in a base_unit value of 0. But according to the data-sheet the way the PWM controller works is that each input clock-cycle the base_unit gets added to a N bit counter and that counter overflowing determines the PWM output frequency. Adding 0 to the counter is a no-op. The data-sheet even explicitly states that writing 0 to the base_unit bits will result in the PWM outputting a continuous 0 signal. When the user requestes a low enough period ns value, then the calculations in pwm_lpss_prepare() might result in a base_unit value which is bigger then base_unit_range - 1. Currently the codes for this deals with this by applying a mask: base_unit &= (base_unit_range - 1); But this means that we let the value overflow the range, we throw away the higher bits and store whatever value is left in the lower bits into the register leading to a random output frequency, rather then clamping the output frequency to the highest frequency which the hardware can do. This commit fixes both issues by clamping the base_unit value to be between 1 and (base_unit_range - 1). Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") Reviewed-by: Andy Shevchenko Acked-by: Thierry Reding Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-5-hdegoede@redhat.com Signed-off-by: Sasha Levin commit d6ccde2f65c317cd45aa9cee4147750d093b4f9b Author: Hans de Goede Date: Thu Sep 3 13:23:23 2020 +0200 pwm: lpss: Fix off by one error in base_unit math in pwm_lpss_prepare() [ Upstream commit 181f4d2f44463fe09fe4df02e03095cb87151c29 ] According to the data-sheet the way the PWM controller works is that each input clock-cycle the base_unit gets added to a N bit counter and that counter overflowing determines the PWM output frequency. So assuming e.g. a 16 bit counter this means that if base_unit is set to 1, after 65535 input clock-cycles the counter has been increased from 0 to 65535 and it will overflow on the next cycle, so it will overflow after every 65536 clock cycles and thus the calculations done in pwm_lpss_prepare() should use 65536 and not 65535. This commit fixes this. Note this also aligns the calculations in pwm_lpss_prepare() with those in pwm_lpss_get_state(). Note this effectively reverts commit 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit"). The next patch in this series really fixes the potential overflow of the base_unit value. Fixes: 684309e5043e ("pwm: lpss: Avoid potential overflow of base_unit") Reviewed-by: Andy Shevchenko Acked-by: Uwe Kleine-König Acked-by: Thierry Reding Signed-off-by: Hans de Goede Link: https://patchwork.freedesktop.org/patch/msgid/20200903112337.4113-4-hdegoede@redhat.com Signed-off-by: Sasha Levin commit 0fb15ffe75d2f0bd9529513008bd0fb62e1211bd Author: Artem Savkov Date: Wed Sep 2 14:00:45 2020 +0200 pty: do tty_flip_buffer_push without port->lock in pty_write [ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ] b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" puts tty_flip_buffer_push under port->lock introducing the following possible circular locking dependency: [30129.876566] ====================================================== [30129.876566] WARNING: possible circular locking dependency detected [30129.876567] 5.9.0-rc2+ #3 Tainted: G S W [30129.876568] ------------------------------------------------------ [30129.876568] sysrq.sh/1222 is trying to acquire lock: [30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90 [30129.876572] but task is already holding lock: [30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca [30129.876576] which lock already depends on the new lock. [30129.876577] the existing dependency chain (in reverse order) is: [30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}: [30129.876581] _raw_spin_lock+0x30/0x70 [30129.876581] __queue_work+0x1a3/0x10f0 [30129.876582] queue_work_on+0x78/0x80 [30129.876582] pty_write+0x165/0x1e0 [30129.876583] n_tty_write+0x47f/0xf00 [30129.876583] tty_write+0x3d6/0x8d0 [30129.876584] vfs_write+0x1a8/0x650 [30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}: [30129.876590] _raw_spin_lock_irqsave+0x3b/0x80 [30129.876591] tty_port_tty_get+0x1d/0xb0 [30129.876592] tty_port_default_wakeup+0xb/0x30 [30129.876592] serial8250_tx_chars+0x3d6/0x970 [30129.876593] serial8250_handle_irq.part.12+0x216/0x380 [30129.876593] serial8250_default_handle_irq+0x82/0xe0 [30129.876594] serial8250_interrupt+0xdd/0x1b0 [30129.876595] __handle_irq_event_percpu+0xfc/0x850 [30129.876602] -> #1 (&port->lock){-.-.}-{2:2}: [30129.876605] _raw_spin_lock_irqsave+0x3b/0x80 [30129.876605] serial8250_console_write+0x12d/0x900 [30129.876606] console_unlock+0x679/0xa90 [30129.876606] register_console+0x371/0x6e0 [30129.876607] univ8250_console_init+0x24/0x27 [30129.876607] console_init+0x2f9/0x45e [30129.876609] -> #0 (console_owner){....}-{0:0}: [30129.876611] __lock_acquire+0x2f70/0x4e90 [30129.876612] lock_acquire+0x1ac/0xad0 [30129.876612] console_unlock+0x460/0xa90 [30129.876613] vprintk_emit+0x130/0x420 [30129.876613] printk+0x9f/0xc5 [30129.876614] show_pwq+0x154/0x618 [30129.876615] show_workqueue_state.cold.55+0x193/0x6ca [30129.876615] __handle_sysrq+0x244/0x460 [30129.876616] write_sysrq_trigger+0x48/0x4a [30129.876616] proc_reg_write+0x1a6/0x240 [30129.876617] vfs_write+0x1a8/0x650 [30129.876619] other info that might help us debug this: [30129.876620] Chain exists of: [30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1 [30129.876625] Possible unsafe locking scenario: [30129.876626] CPU0 CPU1 [30129.876626] ---- ---- [30129.876627] lock(&pool->lock/1); [30129.876628] lock(&port->lock#2); [30129.876630] lock(&pool->lock/1); [30129.876631] lock(console_owner); [30129.876633] *** DEADLOCK *** [30129.876634] 5 locks held by sysrq.sh/1222: [30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650 [30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460 [30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0 [30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca [30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420 [30129.876648] stack backtrace: [30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3 [30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 [30129.876650] Call Trace: [30129.876650] dump_stack+0x9d/0xe0 [30129.876651] check_noncircular+0x34f/0x410 [30129.876653] __lock_acquire+0x2f70/0x4e90 [30129.876656] lock_acquire+0x1ac/0xad0 [30129.876658] console_unlock+0x460/0xa90 [30129.876660] vprintk_emit+0x130/0x420 [30129.876660] printk+0x9f/0xc5 [30129.876661] show_pwq+0x154/0x618 [30129.876662] show_workqueue_state.cold.55+0x193/0x6ca [30129.876664] __handle_sysrq+0x244/0x460 [30129.876665] write_sysrq_trigger+0x48/0x4a [30129.876665] proc_reg_write+0x1a6/0x240 [30129.876666] vfs_write+0x1a8/0x650 It looks like the commit was aimed to protect tty_insert_flip_string and there is no need for tty_flip_buffer_push to be under this lock. Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag") Signed-off-by: Artem Savkov Acked-by: Jiri Slaby Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 171408e8ed00ab6e2761e9af78737ecd31a46e1f Author: Tyrel Datwyler Date: Thu Aug 20 18:46:38 2020 -0500 tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() [ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ] The code currently NULLs tty->driver_data in hvcs_close() with the intent of informing the next call to hvcs_open() that device needs to be reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from tty->driver_data which was previoulsy NULLed by hvcs_close() and our call to tty_port_put(&hvcsd->port) doesn't actually do anything since &hvcsd->port ends up translating to NULL by chance. This has the side effect that when hvcs_remove() is called we have one too many port references preventing hvcs_destuct_port() from ever being called. This also prevents us from reusing the /dev/hvcsX node in a future hvcs_probe() and we can eventually run out of /dev/hvcsX devices. Fix this by waiting to NULL tty->driver_data in hvcs_cleanup(). Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install") Signed-off-by: Tyrel Datwyler Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ee042abcf6398bf6948872f93e45c2d9abf0c675 Author: Tong Zhang Date: Fri Aug 28 08:39:50 2020 -0400 tty: serial: earlycon dependency [ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ] parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON should automatically select SERIAL_CORE, otherwise will result in symbol not found error during linking if SERIAL_CORE is not configured as builtin Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon") Signed-off-by: Tong Zhang Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2b8c7395d275caa8bd2bcda282ba889c727095dc Author: Alex Dewar Date: Tue Aug 25 17:45:18 2020 +0100 VMCI: check return value of get_user_pages_fast() for errors [ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ] In a couple of places in qp_host_get_user_memory(), get_user_pages_fast() is called without properly checking for errors. If e.g. -EFAULT is returned, this negative value will then be passed on to qp_release_pages(), which expects a u64 as input. Fix this by only calling qp_release_pages() when we have a positive number returned. Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") Signed-off-by: Alex Dewar Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6630474d70c0c3cb80ad480b4bf0c813dbc4e9db Author: dinghao.liu@zju.edu.cn Date: Thu Aug 20 14:38:17 2020 +0800 backlight: sky81452-backlight: Fix refcount imbalance on error [ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ] When of_property_read_u32_array() returns an error code, a pairing refcount decrement is needed to keep np's refcount balanced. Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver") Signed-off-by: Dinghao Liu Reviewed-by: Daniel Thompson Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit ca27f1e37747814d27c530285da7e84161da5ede Author: Tianjia Zhang Date: Sun Aug 2 19:15:31 2020 +0800 scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() [ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ] On an error exit path, a negative error code should be returned instead of a positive return value. Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix") Cc: Praveen Madhavan Signed-off-by: Tianjia Zhang Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 17b50b33f64f3895d58fb496360428684f5c105d Author: Christophe JAILLET Date: Sun Aug 2 12:15:27 2020 +0200 scsi: qla4xxx: Fix an error handling path in 'qla4xxx_get_host_stats()' [ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()'. Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") Signed-off-by: Christophe JAILLET Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0a36614ebcaf4266be449fd003ee59f68c77f92b Author: Tom Rix Date: Wed Aug 5 13:59:11 2020 -0700 drm/gma500: fix error check [ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ] Reviewing this block of code in cdv_intel_dp_init() ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ... cdv_intel_edp_panel_vdd_off(gma_encoder); if (ret == 0) { /* if this fails, presume the device is a ghost */ DRM_INFO("failed to retrieve link info, disabling eDP\n"); drm_encoder_cleanup(encoder); cdv_intel_dp_destroy(connector); goto err_priv; } else { The (ret == 0) is not strict enough. cdv_intel_dp_aux_native_read() returns > 0 on success otherwise it is failure. So change to <= Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") Signed-off-by: Tom Rix Signed-off-by: Patrik Jakobsson Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com Signed-off-by: Sasha Levin commit b14731f6054cf1a6778115b17ff91944ec4b30fb Author: Christophe JAILLET Date: Sun Aug 9 11:29:06 2020 +0200 mwifiex: Do not use GFP_KERNEL in atomic context [ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ] A possible call chain is as follow: mwifiex_sdio_interrupt (sdio.c) --> mwifiex_main_process (main.c) --> mwifiex_process_cmdresp (cmdevt.c) --> mwifiex_process_sta_cmdresp (sta_cmdresp.c) --> mwifiex_ret_802_11_scan (scan.c) --> mwifiex_parse_single_response_buf (scan.c) 'mwifiex_sdio_interrupt()' is an interrupt function. Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC. So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in 'mwifiex_parse_single_response_buf()'. Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API") or Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly") Signed-off-by: Christophe JAILLET Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 2990874f58dbf7324c984634c2c63592e1b34c4f Author: Tom Rix Date: Sun Aug 2 09:18:04 2020 -0700 brcmfmac: check ndev pointer [ Upstream commit 9c9f015bc9f8839831c7ba0a6d731a3853c464e2 ] Clang static analysis reports this error brcmfmac/core.c:490:4: warning: Dereference of null pointer (*ifp)->ndev->stats.rx_errors++; ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In this block of code if (ret || !(*ifp) || !(*ifp)->ndev) { if (ret != -ENODATA && *ifp) (*ifp)->ndev->stats.rx_errors++; brcmu_pkt_buf_free_skb(skb); return -ENODATA; } (*ifp)->ndev being NULL is caught as an error But then it is used to report the error. So add a check before using it. Fixes: 91b632803ee4 ("brcmfmac: Use net_device_stats from struct net_device") Signed-off-by: Tom Rix Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200802161804.6126-1-trix@redhat.com Signed-off-by: Sasha Levin commit 1525c46a8510cf049059e6c2b84d810ba18bfac0 Author: Rohit kumar Date: Fri Aug 14 16:23:02 2020 +0530 ASoC: qcom: lpass-cpu: fix concurrency issue [ Upstream commit 753a6e17942f6f425ca622e1610625998312ad89 ] i2sctl register value is set to 0 during hw_free(). This impacts any ongoing concurrent session on the same i2s port. As trigger() stop already resets enable bit to 0, there is no need of explicit hw_free. Removing it to fix the issue. Fixes: 80beab8e1d86 ("ASoC: qcom: Add LPASS CPU DAI driver") Signed-off-by: Rohit kumar Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/1597402388-14112-7-git-send-email-rohitkr@codeaurora.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 320354942cf0e20ecfaefb9311c0c38ff0cf7bc4 Author: Rohit kumar Date: Fri Aug 14 16:23:00 2020 +0530 ASoC: qcom: lpass-platform: fix memory leak [ Upstream commit 5fd188215d4eb52703600d8986b22311099a5940 ] lpass_pcm_data is never freed. Free it in close ops to avoid memory leak. Fixes: 022d00ee0b55 ("ASoC: lpass-platform: Fix broken pcm data usage") Signed-off-by: Rohit kumar Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/1597402388-14112-5-git-send-email-rohitkr@codeaurora.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 61afd9570c08e89410578f832986ceaa7f31dfe3 Author: Bryan O'Donoghue Date: Sun Aug 2 01:48:24 2020 +0100 wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 [ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ] Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here. This patch fixes the data-rate declared in the 5GHz table. Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 hardware") Signed-off-by: Bryan O'Donoghue Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit c602739b70f1e73ba680aa401e839cc5817347ce Author: Dan Carpenter Date: Thu Aug 13 17:12:53 2020 +0300 ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() [ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ] The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks it as untrusted so we have to check it before using it as an array offset. This is similar to a bug that syzkaller found in commit e4ff08a4d727 ("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is probably a real issue. Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda Signed-off-by: Sasha Levin commit 3dd51af5f967795f90a4b27a1483ea9c1528575d Author: Dan Carpenter Date: Thu Aug 13 17:13:15 2020 +0300 ath6kl: prevent potential array overflow in ath6kl_add_new_sta() [ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ] The value for "aid" comes from skb->data so Smatch marks it as untrusted. If it's invalid then it can result in an out of bounds array access in ath6kl_add_new_sta(). Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda Signed-off-by: Sasha Levin commit cd27019bc149f20f12ebec943c2b4c775745a5a0 Author: Samuel Holland Date: Sat Aug 1 11:29:56 2020 -0500 Bluetooth: hci_uart: Cancel init work before unregistering [ Upstream commit 3b799254cf6f481460719023d7a18f46651e5e7f ] If hci_uart_tty_close() or hci_uart_unregister_device() is called while hu->init_ready is scheduled, hci_register_dev() could be called after the hci_uart is torn down. Avoid this by ensuring the work is complete or canceled before checking the HCI_UART_REGISTERED flag. Fixes: 9f2aee848fe6 ("Bluetooth: Add delayed init sequence support for UART controllers") Signed-off-by: Samuel Holland Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 685de75751f14ba3b9d787c14b3508ae0ffc812e Author: Venkateswara Naralasetty Date: Mon Jun 15 20:29:03 2020 +0300 ath10k: provide survey info as accumulated data [ Upstream commit 720e5c03e5cb26d33d97f55192b791bb48478aa5 ] It is expected that the returned counters by .get_survey are monotonic increasing. But the data from ath10k gets reset to zero regularly. Channel active/busy time are then showing incorrect values (less than previous or sometimes zero) for the currently active channel during successive survey dump commands. example: $ iw dev wlan0 survey dump Survey data from wlan0 frequency: 5180 MHz [in use] channel active time: 54995 ms channel busy time: 432 ms channel receive time: 0 ms channel transmit time: 59 ms ... $ iw dev wlan0 survey dump Survey data from wlan0 frequency: 5180 MHz [in use] channel active time: 32592 ms channel busy time: 254 ms channel receive time: 0 ms channel transmit time: 0 ms ... The correct way to handle this is to use the non-clearing WMI_BSS_SURVEY_REQ_TYPE_READ wmi_bss_survey_req_type. The firmware will then accumulate the survey data and handle wrap arounds. Tested-on: QCA9984 hw1.0 10.4-3.5.3-00057 Tested-on: QCA988X hw2.0 10.2.4-1.0-00047 Tested-on: QCA9888 hw2.0 10.4-3.9.0.2-00024 Tested-on: QCA4019 hw1.0 10.4-3.6-00140 Fixes: fa7937e3d5c2 ("ath10k: update bss channel survey information") Signed-off-by: Venkateswara Naralasetty Tested-by: Markus Theil Tested-by: John Deere <24601deerej@gmail.com> [sven@narfation.org: adjust commit message] Signed-off-by: Sven Eckelmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1592232686-28712-1-git-send-email-kvalo@codeaurora.org Signed-off-by: Sasha Levin commit 167c3b1f9793a1fb23e75e693f078420850306d4 Author: Michał Mirosław Date: Sat Sep 26 23:32:41 2020 +0200 regulator: resolve supply after creating regulator [ Upstream commit aea6cb99703e17019e025aa71643b4d3e0a24413 ] When creating a new regulator its supply cannot create the sysfs link because the device is not yet published. Remove early supply resolving since it will be done later anyway. This makes the following error disappear and the symlinks get created instead. DCDC_REG1: supplied by VSYS VSYS: could not add device link regulator.3 err -2 Note: It doesn't fix the problem for bypassed regulators, though. Fixes: 45389c47526d ("regulator: core: Add early supply resolution for regulators") Signed-off-by: Michał Mirosław Link: https://lore.kernel.org/r/ba09e0a8617ffeeb25cb4affffe6f3149319cef8.1601155770.git.mirq-linux@rere.qmqm.pl Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0cb5c9607f1642e0c29d1cff72fef6ed9a8efe9c Author: Qiushi Wu Date: Sun Jun 14 04:56:05 2020 +0200 media: ti-vpe: Fix a missing check and reference count leak [ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. And also, when the call of function vpe_runtime_get() failed, we won't call vpe_runtime_put(). Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails inside vpe_runtime_get(). Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver") Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a4c597c385c474e07c672afa8b4406f10b595539 Author: Qiushi Wu Date: Sun Jun 14 04:31:22 2020 +0200 media: s5p-mfc: Fix a reference count leak [ Upstream commit 78741ce98c2e36188e2343434406b0e0bc50b0e7 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Fixes: c5086f130a77 ("[media] s5p-mfc: Use clock gating only on MFC v5 hardware") Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 47aa0f3cf46c5b0087461317f3870aca162cb137 Author: Qiushi Wu Date: Sun Jun 14 01:19:44 2020 +0200 media: platform: fcp: Fix a reference count leak. [ Upstream commit 63e36a381d92a9cded97e90d481ee22566557dd1 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Fixes: 6eaafbdb668b ("[media] v4l: rcar-fcp: Keep the coding style consistent") Signed-off-by: Qiushi Wu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a44cbb02d34964a9482956e0c8071e10c7133e61 Author: Tom Rix Date: Sun Aug 30 18:30:43 2020 +0200 media: tc358743: initialize variable [ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ] clang static analysis flags this error tc358743.c:1468:9: warning: Branch condition evaluates to a garbage value return handled ? IRQ_HANDLED : IRQ_NONE; ^~~~~~~ handled should be initialized to false. Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7221d0a05449e469067552eb9e80443a354320ad Author: Dinghao Liu Date: Wed Aug 26 11:26:04 2020 +0200 media: mx2_emmaprp: Fix memleak in emmaprp_probe [ Upstream commit 21d387b8d372f859d9e87fdcc7c3b4a432737f4d ] When platform_get_irq() fails, we should release vfd and unregister pcdev->v4l2_dev just like the subsequent error paths. Fixes: d4e192cc44914 ("media: mx2_emmaprp: Check for platform_get_irq() error") Signed-off-by: Dinghao Liu Reviewed-by: Fabio Estevam Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c5da13f02748d20aa5d00cac3172183def38e956 Author: Xiaoliang Pang Date: Mon Sep 14 11:00:51 2020 +0800 cypto: mediatek - fix leaks in mtk_desc_ring_alloc [ Upstream commit 228d284aac61283cde508a925d666f854b57af63 ] In the init loop, if an error occurs in function 'dma_alloc_coherent', then goto the err_cleanup section, after run i--, in the array ring, the struct mtk_ring with index i will not be released, causing memory leaks Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") Cc: Ryder Lee Signed-off-by: Xiaoliang Pang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 65119594438d73e049a9df2f3041ce8174f97944 Author: Tero Kristo Date: Mon Sep 7 10:56:24 2020 +0300 crypto: omap-sham - fix digcnt register handling with export/import [ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ] Running export/import for hashes in peculiar order (mostly done by openssl) can mess up the internal book keeping of the OMAP SHA core. Fix by forcibly writing the correct DIGCNT back to hardware. This issue was noticed while transitioning to openssl 1.1 support. Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support") Signed-off-by: Tero Kristo Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4e439ef0f8c1ff2a9699aa5fded4943e975891cb Author: Dinghao Liu Date: Mon Aug 24 08:53:52 2020 +0200 media: omap3isp: Fix memleak in isp_probe [ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ] When devm_ioremap_resource() fails, isp should be freed just like other error paths in isp_probe. Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two") Signed-off-by: Dinghao Liu Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 068e68ba26d7d460e26b58cc9a061cd1641277b3 Author: Laurent Pinchart Date: Sun Jun 7 04:05:49 2020 +0200 media: uvcvideo: Set media controller entity functions [ Upstream commit d6834b4b58d110814aaf3469e7fd87d34ae5ae81 ] The media controller core prints a warning when an entity is registered without a function being set. This affects the uvcvideo driver, as the warning was added without first addressing the issue in existing drivers. The problem is harmless, but unnecessarily worries users. Fix it by mapping UVC entity types to MC entity functions as accurately as possible using the existing functions. Fixes: b50bde4e476d ("[media] v4l2-subdev: use MEDIA_ENT_T_UNKNOWN for new subdevs") Signed-off-by: Laurent Pinchart Reviewed-by: Kieran Bingham Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d5ef7f49970177c3bda598cc32b6d65659c53a7d Author: Tom Rix Date: Sun Jul 19 17:34:47 2020 +0200 media: m5mols: Check function pointer in m5mols_sensor_power [ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ] clang static analysis reports this error m5mols_core.c:767:4: warning: Called function pointer is null (null dereference) [core.CallAndMessage] info->set_power(&client->dev, 0); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ In other places, the set_power ptr is checked. So add a check. Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") Signed-off-by: Tom Rix Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d23e4a88cea104dc9dbd5708e651f43faed67359 Author: Sylwester Nawrocki Date: Mon Aug 10 17:32:39 2020 +0200 media: Revert "media: exynos4-is: Add missed check for pinctrl_lookup_state()" [ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ] The "idle" pinctrl state is optional as documented in the DT binding. The change introduced by the commit being reverted makes that pinctrl state mandatory and breaks initialization of the whole media driver, since the "idle" state is not specified in any mainline dts. This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") to fix the regression. Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") Signed-off-by: Sylwester Nawrocki Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c338147e5ba67e3e094a243306fe278aba9c6d47 Author: Tom Rix Date: Sat Aug 22 23:15:47 2020 +0200 media: tuner-simple: fix regression in simple_set_radio_freq [ Upstream commit 505bfc2a142f12ce7bc7a878b44abc3496f2e747 ] clang static analysis reports this problem tuner-simple.c:714:13: warning: Assigned value is garbage or undefined buffer[1] = buffer[3]; ^ ~~~~~~~~~ In simple_set_radio_freq buffer[3] used to be done in-function with a switch of tuner type, now done by a call to simple_radio_bandswitch which has this case case TUNER_TENA_9533_DI: case TUNER_YMEC_TVF_5533MF: tuner_dbg("This tuner doesn't ... return 0; which does not set buffer[3]. In the old logic, this case would have returned 0 from simple_set_radio_freq. Recover this old behavior by returning an error for this codition. Since the old simple_set_radio_freq behavior returned a 0, do the same. Fixes: c7a9f3aa1e1b ("V4L/DVB (7129): tuner-simple: move device-specific code into three separate functions") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2a609fa96a98e88df048fe3eedaf77d8296af246 Author: Christophe JAILLET Date: Sun Aug 2 16:56:48 2020 +0200 crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call [ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ] Update the size used in 'dma_free_coherent()' in order to match the one used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'. Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs") Signed-off-by: Christophe JAILLET Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit bf65f0c0cafb40c41ca37bdaab6e3b36ecbbd934 Author: Tianjia Zhang Date: Sun Aug 2 19:15:32 2020 +0800 crypto: mediatek - Fix wrong return value in mtk_desc_ring_alloc() [ Upstream commit 8cbde6c6a6d2b1599ff90f932304aab7e32fce89 ] In case of memory allocation failure, a negative error code should be returned. Fixes: 785e5c616c849 ("crypto: mediatek - Add crypto driver support for some MediaTek chips") Cc: Ryder Lee Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9751cc18971d1c3e1103a823b5324cb8312058a4 Author: Herbert Xu Date: Fri Jul 31 17:03:27 2020 +1000 crypto: algif_skcipher - EBUSY on aio should be an error [ Upstream commit 2a05b029c1ee045b886ebf9efef9985ca23450de ] I removed the MAY_BACKLOG flag on the aio path a while ago but the error check still incorrectly interpreted EBUSY as success. This may cause the submitter to wait for a request that will never complete. Fixes: dad419970637 ("crypto: algif_skcipher - Do not set...") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4495d432d3bf58ecefa4ad60536d0bfc9d1a7400 Author: Mark Salter Date: Tue Sep 15 16:41:09 2020 -0400 drivers/perf: xgene_pmu: Fix uninitialized resource struct [ Upstream commit a76b8236edcf5b785d044b930f9e14ad02b4a484 ] This splat was reported on newer Fedora kernels booting on certain X-gene based machines: xgene-pmu APMC0D83:00: X-Gene PMU version 3 Unable to handle kernel read from unreadable memory at virtual \ address 0000000000004006 ... Call trace: string+0x50/0x100 vsnprintf+0x160/0x750 devm_kvasprintf+0x5c/0xb4 devm_kasprintf+0x54/0x60 __devm_ioremap_resource+0xdc/0x1a0 devm_ioremap_resource+0x14/0x20 acpi_get_pmu_hw_inf.isra.0+0x84/0x15c acpi_pmu_dev_add+0xbc/0x21c acpi_ns_walk_namespace+0x16c/0x1e4 acpi_walk_namespace+0xb4/0xfc xgene_pmu_probe_pmu_dev+0x7c/0xe0 xgene_pmu_probe.part.0+0x2c0/0x310 xgene_pmu_probe+0x54/0x64 platform_drv_probe+0x60/0xb4 really_probe+0xe8/0x4a0 driver_probe_device+0xe4/0x100 device_driver_attach+0xcc/0xd4 __driver_attach+0xb0/0x17c bus_for_each_dev+0x6c/0xb0 driver_attach+0x30/0x40 bus_add_driver+0x154/0x250 driver_register+0x84/0x140 __platform_driver_register+0x54/0x60 xgene_pmu_driver_init+0x28/0x34 do_one_initcall+0x40/0x204 do_initcalls+0x104/0x144 kernel_init_freeable+0x198/0x210 kernel_init+0x20/0x12c ret_from_fork+0x10/0x18 Code: 91000400 110004e1 eb08009f 540000c0 (38646846) ---[ end trace f08c10566496a703 ]--- This is due to use of an uninitialized local resource struct in the xgene pmu driver. The thunderx2_pmu driver avoids this by using the resource list constructed by acpi_dev_get_resources() rather than using a callback from that function. The callback in the xgene driver didn't fully initialize the resource. So get rid of the callback and search the resource list as done by thunderx2. Fixes: 832c927d119b ("perf: xgene: Add APM X-Gene SoC Performance Monitoring Unit driver") Signed-off-by: Mark Salter Link: https://lore.kernel.org/r/20200915204110.326138-1-msalter@redhat.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit f3eabd796e000ebbd6f0041a15e17d73667ee337 Author: Arvind Sankar Date: Mon Sep 7 17:39:19 2020 -0400 x86/fpu: Allow multiple bits in clearcpuid= parameter [ Upstream commit 0a4bb5e5507a585532cc413125b921c8546fc39f ] Commit 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") changed clearcpuid parsing from __setup() to cmdline_find_option(). While the __setup() function would have been called for each clearcpuid= parameter on the command line, cmdline_find_option() will only return the last one, so the change effectively made it impossible to disable more than one bit. Allow a comma-separated list of bit numbers as the argument for clearcpuid to allow multiple bits to be disabled again. Log the bits being disabled for informational purposes. Also fix the check on the return value of cmdline_find_option(). It returns -1 when the option is not found, so testing as a boolean is incorrect. Fixes: 0c2a3913d6f5 ("x86/fpu: Parse clearcpuid= as early XSAVE argument") Signed-off-by: Arvind Sankar Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20200907213919.2423441-1-nivedita@alum.mit.edu Signed-off-by: Sasha Levin commit 4024c42c6bfc3cc9ab7b18060ae16d69d4a842f9 Author: Dinghao Liu Date: Wed Aug 26 20:14:37 2020 +0800 EDAC/i5100: Fix error handling order in i5100_init_one() [ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ] When pci_get_device_func() fails, the driver doesn't need to execute pci_dev_put(). mci should still be freed, though, to prevent a memory leak. When pci_enable_device() fails, the error injection PCI device "einj" doesn't need to be disabled either. [ bp: Massage commit message, rename label to "bail_mc_free". ] Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0") Signed-off-by: Dinghao Liu Signed-off-by: Borislav Petkov Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn Signed-off-by: Sasha Levin commit 0c1171ba3b01baf04d451535925ed7cc3d0a6b7f Author: Herbert Xu Date: Fri Jul 31 17:03:50 2020 +1000 crypto: algif_aead - Do not set MAY_BACKLOG on the async path commit cbdad1f246dd98e6c9c32a6e5212337f542aa7e0 upstream. The async path cannot use MAY_BACKLOG because it is not meant to block, which is what MAY_BACKLOG does. On the other hand, both the sync and async paths can make use of MAY_SLEEP. Fixes: 83094e5e9e49 ("crypto: af_alg - add async support to...") Cc: Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit d0f7036b12840c55882f680df584d855f599f017 Author: Roberto Sassu Date: Fri Sep 4 11:23:28 2020 +0200 ima: Don't ignore errors from crypto_shash_update() commit 60386b854008adc951c470067f90a2d85b5d520f upstream. Errors returned by crypto_shash_update() are not checked in ima_calc_boot_aggregate_tfm() and thus can be overwritten at the next iteration of the loop. This patch adds a check after calling crypto_shash_update() and returns immediately if the result is not zero. Cc: stable@vger.kernel.org Fixes: 3323eec921efd ("integrity: IMA as an integrity service provider") Signed-off-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Greg Kroah-Hartman commit 47925a53057a93261db01e23ad950c80d0179c6c Author: Suravee Suthikulpanit Date: Sat Oct 3 23:27:07 2020 +0000 KVM: SVM: Initialize prev_ga_tag before use commit f6426ab9c957e97418ac5b0466538792767b1738 upstream. The function amd_ir_set_vcpu_affinity makes use of the parameter struct amd_iommu_pi_data.prev_ga_tag to determine if it should delete struct amd_iommu_pi_data from a list when not running in AVIC mode. However, prev_ga_tag is initialized only when AVIC is enabled. The non-zero uninitialized value can cause unintended code path, which ends up making use of the struct vcpu_svm.ir_list and ir_list_lock without being initialized (since they are intended only for the AVIC case). This triggers NULL pointer dereference bug in the function vm_ir_list_del with the following call trace: svm_update_pi_irte+0x3c2/0x550 [kvm_amd] ? proc_create_single_data+0x41/0x50 kvm_arch_irq_bypass_add_producer+0x40/0x60 [kvm] __connect+0x5f/0xb0 [irqbypass] irq_bypass_register_producer+0xf8/0x120 [irqbypass] vfio_msi_set_vector_signal+0x1de/0x2d0 [vfio_pci] vfio_msi_set_block+0x77/0xe0 [vfio_pci] vfio_pci_set_msi_trigger+0x25c/0x2f0 [vfio_pci] vfio_pci_set_irqs_ioctl+0x88/0xb0 [vfio_pci] vfio_pci_ioctl+0x2ea/0xed0 [vfio_pci] ? alloc_file_pseudo+0xa5/0x100 vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] ? vfio_device_fops_unl_ioctl+0x26/0x30 [vfio] __x64_sys_ioctl+0x96/0xd0 do_syscall_64+0x37/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Therefore, initialize prev_ga_tag to zero before use. This should be safe because ga_tag value 0 is invalid (see function avic_vm_init). Fixes: dfa20099e26e ("KVM: SVM: Refactor AVIC vcpu initialization into avic_init_vcpu()") Signed-off-by: Suravee Suthikulpanit Message-Id: <20201003232707.4662-1-suravee.suthikulpanit@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3f73efb3f97c02450c06f65b79be3e2900b2792c Author: Sean Christopherson Date: Wed Sep 23 11:37:28 2020 -0700 KVM: x86/mmu: Commit zap of remaining invalid pages when recovering lpages commit e89505698c9f70125651060547da4ff5046124fc upstream. Call kvm_mmu_commit_zap_page() after exiting the "prepare zap" loop in kvm_recover_nx_lpages() to finish zapping pages in the unlikely event that the loop exited due to lpage_disallowed_mmu_pages being empty. Because the recovery thread drops mmu_lock() when rescheduling, it's possible that lpage_disallowed_mmu_pages could be emptied by a different thread without to_zap reaching zero despite to_zap being derived from the number of disallowed lpages. Fixes: 1aa9b9572b105 ("kvm: x86: mmu: Recovery of shattered NX large pages") Cc: Junaid Shahid Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20200923183735.584-2-sean.j.christopherson@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 665ec6970ea5d9ec385b22248f2dddee59632166 Author: Shyam Prasad N Date: Thu Oct 15 10:41:31 2020 -0700 cifs: Return the error from crypt_message when enc/dec key not found. commit 0bd294b55a5de442370c29fa53bab17aef3ff318 upstream. In crypt_message, when smb2_get_enc_key returns error, we need to return the error back to the caller. If not, we end up processing the message further, causing a kernel oops due to unwarranted access of memory. Call Trace: smb3_receive_transform+0x120/0x870 [cifs] cifs_demultiplex_thread+0xb53/0xc20 [cifs] ? cifs_handle_standard+0x190/0x190 [cifs] kthread+0x116/0x130 ? kthread_park+0x80/0x80 ret_from_fork+0x1f/0x30 Signed-off-by: Shyam Prasad N Reviewed-by: Pavel Shilovsky Reviewed-by: Ronnie Sahlberg CC: Stable Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 0395d8d0cf596f5159e131dc80e35da03c5c5aa2 Author: Dan Carpenter Date: Wed Sep 16 23:18:21 2020 +0300 cifs: remove bogus debug code commit d367cb960ce88914898cbfa43645c2e43ede9465 upstream. The "end" pointer is either NULL or it points to the next byte to parse. If there isn't a next byte then dereferencing "end" is an off-by-one out of bounds error. And, of course, if it's NULL that leads to an Oops. Printing "*end" doesn't seem very useful so let's delete this code. Also for the last debug statement, I noticed that it should be printing "sequence_end" instead of "end" so fix that as well. Reported-by: Dominik Maier Signed-off-by: Dan Carpenter Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit e1b8b57623521b7f4974476a20bd6ff971fde6c4 Author: Eric Dumazet Date: Thu Oct 15 11:42:00 2020 -0700 icmp: randomize the global rate limiter [ Upstream commit b38e7819cae946e2edf869e604af1e65a5d241c5 ] Keyu Man reported that the ICMP rate limiter could be used by attackers to get useful signal. Details will be provided in an upcoming academic publication. Our solution is to add some noise, so that the attackers no longer can get help from the predictable token bucket limiter. Fixes: 4cdf507d5452 ("icmp: add a global rate limitation") Signed-off-by: Eric Dumazet Reported-by: Keyu Man Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit c042da4b2987e42e4365134edb9106c5ee1dc10c Author: Neal Cardwell Date: Thu Oct 22 10:33:31 2020 -0400 tcp: fix to update snd_wl1 in bulk receiver fast path [ Upstream commit 18ded910b589839e38a51623a179837ab4cc3789 ] In the header prediction fast path for a bulk data receiver, if no data is newly acknowledged then we do not call tcp_ack() and do not call tcp_ack_update_window(). This means that a bulk receiver that receives large amounts of data can have the incoming sequence numbers wrap, so that the check in tcp_may_update_window fails: after(ack_seq, tp->snd_wl1) If the incoming receive windows are zero in this state, and then the connection that was a bulk data receiver later wants to send data, that connection can find itself persistently rejecting the window updates in incoming ACKs. This means the connection can persistently fail to discover that the receive window has opened, which in turn means that the connection is unable to send anything, and the connection's sending process can get permanently "stuck". The fix is to update snd_wl1 in the header prediction fast path for a bulk data receiver, so that it keeps up and does not see wrapping problems. This fix is based on a very nice and thorough analysis and diagnosis by Apollon Oikonomopoulos (see link below). This is a stable candidate but there is no Fixes tag here since the bug predates current git history. Just for fun: looks like the bug dates back to when header prediction was added in Linux v2.1.8 in Nov 1996. In that version tcp_rcv_established() was added, and the code only updates snd_wl1 in tcp_ack(), and in the new "Bulk data transfer: receiver" code path it does not call tcp_ack(). This fix seems to apply cleanly at least as far back as v3.2. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Neal Cardwell Reported-by: Apollon Oikonomopoulos Tested-by: Apollon Oikonomopoulos Link: https://www.spinics.net/lists/netdev/msg692430.html Acked-by: Soheil Hassas Yeganeh Acked-by: Yuchung Cheng Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20201022143331.1887495-1-ncardwell.kernel@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 8ac1b0a94a722f35bfaefb86382def18a66142e9 Author: Defang Bo Date: Mon Oct 19 19:38:58 2020 +0800 nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() [ Upstream commit 280e3ebdafb863b3cb50d5842f056267e15bf40c ] Check that the NFC_ATTR_FIRMWARE_NAME attributes are provided by the netlink client prior to accessing them.This prevents potential unhandled NULL pointer dereference exceptions which can be triggered by malicious user-mode programs, if they omit one or both of these attributes. Similar to commit a0323b979f81 ("nfc: Ensure presence of required attributes in the activate_target handler"). Fixes: 9674da8759df ("NFC: Add firmware upload netlink command") Signed-off-by: Defang Bo Link: https://lore.kernel.org/r/1603107538-4744-1-git-send-email-bodefang@126.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 712777b2bc9b2b5c66ef33774ac6d05ef8bb0321 Author: Xie He Date: Mon Oct 19 23:34:20 2020 -0700 net: hdlc_raw_eth: Clear the IFF_TX_SKB_SHARING flag after calling ether_setup [ Upstream commit 5fce1e43e2d5bf2f7e3224d7b99b1c65ab2c26e2 ] This driver calls ether_setup to set up the network device. The ether_setup function would add the IFF_TX_SKB_SHARING flag to the device. This flag indicates that it is safe to transmit shared skbs to the device. However, this is not true. This driver may pad the frame (in eth_tx) before transmission, so the skb may be modified. Fixes: 550fd08c2ceb ("net: Audit drivers to identify those needing IFF_TX_SKB_SHARING cleared") Cc: Neil Horman Cc: Krzysztof Halasa Signed-off-by: Xie He Link: https://lore.kernel.org/r/20201020063420.187497-1-xie.he.0141@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 63881790add61f0dfe0a54193e7ba16c00ae0680 Author: Xie He Date: Mon Oct 19 18:31:52 2020 -0700 net: hdlc: In hdlc_rcv, check to make sure dev is an HDLC device [ Upstream commit 01c4ceae0a38a0bdbfea6896f41efcd985a9c064 ] The hdlc_rcv function is used as hdlc_packet_type.func to process any skb received in the kernel with skb->protocol == htons(ETH_P_HDLC). The purpose of this function is to provide second-stage processing for skbs not assigned a "real" L3 skb->protocol value in the first stage. This function assumes the device from which the skb is received is an HDLC device (a device created by this module). It assumes that netdev_priv(dev) returns a pointer to "struct hdlc_device". However, it is possible that some driver in the kernel (not necessarily in our control) submits a received skb with skb->protocol == htons(ETH_P_HDLC), from a non-HDLC device. In this case, the skb would still be received by hdlc_rcv. This will cause problems. hdlc_rcv should be able to recognize and drop invalid skbs. It should first make sure "dev" is actually an HDLC device, before starting its processing. This patch adds this check to hdlc_rcv. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Cc: Krzysztof Halasa Signed-off-by: Xie He Link: https://lore.kernel.org/r/20201020013152.89259-1-xie.he.0141@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 8ae01b6ed7e07c3a3a0655a8185e20d09324147e Author: Dan Carpenter Date: Wed Oct 7 10:49:28 2020 +0300 ALSA: bebob: potential info leak in hwdep_read() commit b41c15f4e1c1f1657da15c482fa837c1b7384452 upstream. The "count" variable needs to be capped on every path so that we don't copy too much information to the user. Fixes: 618eabeae711 ("ALSA: bebob: Add hwdep interface") Signed-off-by: Dan Carpenter Acked-by: Takashi Sakamoto Cc: Link: https://lore.kernel.org/r/20201007074928.GA2529578@mwanda Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d4c49b6733c3125c3cc71617399d22f5b8ff962f Author: Todd Kjos Date: Fri Oct 9 16:24:55 2020 -0700 binder: fix UAF when releasing todo list commit f3277cbfba763cd2826396521b9296de67cf1bbc upstream. When releasing a thread todo list when tearing down a binder_proc, the following race was possible which could result in a use-after-free: 1. Thread 1: enter binder_release_work from binder_thread_release 2. Thread 2: binder_update_ref_for_handle() -> binder_dec_node_ilocked() 3. Thread 2: dec nodeA --> 0 (will free node) 4. Thread 1: ACQ inner_proc_lock 5. Thread 2: block on inner_proc_lock 6. Thread 1: dequeue work (BINDER_WORK_NODE, part of nodeA) 7. Thread 1: REL inner_proc_lock 8. Thread 2: ACQ inner_proc_lock 9. Thread 2: todo list cleanup, but work was already dequeued 10. Thread 2: free node 11. Thread 2: REL inner_proc_lock 12. Thread 1: deref w->type (UAF) The problem was that for a BINDER_WORK_NODE, the binder_work element must not be accessed after releasing the inner_proc_lock while processing the todo list elements since another thread might be handling a deref on the node containing the binder_work element leading to the node being freed. Signed-off-by: Todd Kjos Link: https://lore.kernel.org/r/20201009232455.4054810-1-tkjos@google.com Cc: # 4.14, 4.19, 5.4, 5.8 Signed-off-by: Greg Kroah-Hartman commit 7ed96d96bfe93d1c8fe1d387105aa27c5791ba65 Author: Heiner Kallweit Date: Thu Oct 1 09:23:02 2020 +0200 r8169: fix data corruption issue on RTL8402 [ Upstream commit ef9da46ddef071e1bbb943afbbe9b38771855554 ] Petr reported that after resume from suspend RTL8402 partially truncates incoming packets, and re-initializing register RxConfig before the actual chip re-initialization sequence is needed to avoid the issue. Reported-by: Petr Tesarik Proposed-by: Petr Tesarik Tested-by: Petr Tesarik Signed-off-by: Heiner Kallweit Signed-off-by: Greg Kroah-Hartman commit af4ccfdb43df537daedd43b3272f45a51c21c4a2 Author: Maciej Żenczykowski Date: Wed Sep 23 13:18:15 2020 -0700 net/ipv4: always honour route mtu during forwarding [ Upstream commit 02a1b175b0e92d9e0fa5df3957ade8d733ceb6a0 ] Documentation/networking/ip-sysctl.txt:46 says: ip_forward_use_pmtu - BOOLEAN By default we don't trust protocol path MTUs while forwarding because they could be easily forged and can lead to unwanted fragmentation by the router. You only need to enable this if you have user-space software which tries to discover path mtus by itself and depends on the kernel honoring this information. This is normally not the case. Default: 0 (disabled) Possible values: 0 - disabled 1 - enabled Which makes it pretty clear that setting it to 1 is a potential security/safety/DoS issue, and yet it is entirely reasonable to want forwarded traffic to honour explicitly administrator configured route mtus (instead of defaulting to device mtu). Indeed, I can't think of a single reason why you wouldn't want to. Since you configured a route mtu you probably know better... It is pretty common to have a higher device mtu to allow receiving large (jumbo) frames, while having some routes via that interface (potentially including the default route to the internet) specify a lower mtu. Note that ipv6 forwarding uses device mtu unless the route is locked (in which case it will use the route mtu). This approach is not usable for IPv4 where an 'mtu lock' on a route also has the side effect of disabling TCP path mtu discovery via disabling the IPv4 DF (don't frag) bit on all outgoing frames. I'm not aware of a way to lock a route from an IPv6 RA, so that also potentially seems wrong. Signed-off-by: Maciej Żenczykowski Cc: Eric Dumazet Cc: Willem de Bruijn Cc: Lorenzo Colitti Cc: Sunmeet Gill (Sunny) Cc: Vinay Paradkar Cc: Tyler Wear Cc: David Ahern Reviewed-by: Eric Dumazet Signed-off-by: Greg Kroah-Hartman commit cdc27eb1f52fe17857496df266da248cdb158d3f Author: Cong Wang Date: Wed Oct 7 21:12:50 2020 -0700 tipc: fix the skb_unshare() in tipc_buf_append() [ Upstream commit ed42989eab57d619667d7e87dfbd8fe207db54fe ] skb_unshare() drops a reference count on the old skb unconditionally, so in the failure case, we end up freeing the skb twice here. And because the skb is allocated in fclone and cloned by caller tipc_msg_reassemble(), the consequence is actually freeing the original skb too, thus triggered the UAF by syzbot. Fix this by replacing this skb_unshare() with skb_cloned()+skb_copy(). Fixes: ff48b6222e65 ("tipc: use skb_unshare() instead in tipc_buf_append()") Reported-and-tested-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com Cc: Jon Maloy Cc: Ying Xue Signed-off-by: Cong Wang Reviewed-by: Xin Long Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 732016c026b7f63badde10a2c2dc13fcdb8f394f Author: Wilken Gottwalt Date: Thu Oct 8 09:21:38 2020 +0200 net: usb: qmi_wwan: add Cellient MPL200 card [ Upstream commit 28802e7c0c9954218d1830f7507edc9d49b03a00 ] Add usb ids of the Cellient MPL200 card. Signed-off-by: Wilken Gottwalt Acked-by: Bjørn Mork Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit b09bf8410dcf78cd61e1e52a95e7fb3d97677241 Author: Jonathan Lemon Date: Thu Oct 8 11:45:26 2020 -0700 mlx4: handle non-napi callers to napi_poll [ Upstream commit b2b8a92733b288128feb57ffa694758cf475106c ] netcons calls napi_poll with a budget of 0 to transmit packets. Handle this by: - skipping RX processing - do not try to recycle TX packets to the RX cache Signed-off-by: Jonathan Lemon Reviewed-by: Tariq Toukan Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f6b47285c4a47f9d8ad9a29161f0df2fdd40e432 Author: David Ahern Date: Fri Oct 9 11:01:01 2020 -0700 ipv4: Restore flowi4_oif update before call to xfrm_lookup_route [ Upstream commit 874fb9e2ca949b443cc419a4f2227cafd4381d39 ] Tobias reported regressions in IPsec tests following the patch referenced by the Fixes tag below. The root cause is dropping the reset of the flowi4_oif after the fib_lookup. Apparently it is needed for xfrm cases, so restore the oif update to ip_route_output_flow right before the call to xfrm_lookup_route. Fixes: 2fbc6e89b2f1 ("ipv4: Update exception handling for multipath routes via same device") Reported-by: Tobias Brunner Signed-off-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit cc8a5643ede8837bd851bb679b087ff0fa715395 Author: David Wilder Date: Tue Oct 13 16:20:14 2020 -0700 ibmveth: Identify ingress large send packets. [ Upstream commit 413f142cc05cb03f2d1ea83388e40c1ddc0d74e9 ] Ingress large send packets are identified by either: The IBMVETH_RXQ_LRG_PKT flag in the receive buffer or with a -1 placed in the ip header checksum. The method used depends on firmware version. Frame geometry and sufficient header validation is performed by the hypervisor eliminating the need for further header checks here. Fixes: 7b5967389f5a ("ibmveth: set correct gso_size and gso_type") Signed-off-by: David Wilder Reviewed-by: Thomas Falcon Reviewed-by: Cristobal Forno Reviewed-by: Pradeep Satyanarayana Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit acf6efa6502d1e7c0b1a03b36eb8bfa01e940521 Author: David Wilder Date: Tue Oct 13 16:20:13 2020 -0700 ibmveth: Switch order of ibmveth_helper calls. [ Upstream commit 5ce9ad815a296374ca21f43f3b1ab5083d202ee1 ] ibmveth_rx_csum_helper() must be called after ibmveth_rx_mss_helper() as ibmveth_rx_csum_helper() may alter ip and tcp checksum values. Fixes: 66aa0678efc2 ("ibmveth: Support to enable LSO/CSO for Trunk VEA.") Signed-off-by: David Wilder Reviewed-by: Thomas Falcon Reviewed-by: Cristobal Forno Reviewed-by: Pradeep Satyanarayana Acked-by: Willem de Bruijn Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman