commit f7900c53e1eb6e613e3eee84bcded55584489568 Author: Greg Kroah-Hartman Date: Sat May 2 08:51:05 2020 +0200 Linux 5.6.9 commit 30f98bd1177299e3898d4217c112e489c76b545b Author: Olivier Moysan Date: Wed Mar 18 15:41:23 2020 +0100 ASoC: stm32: spdifrx: fix regmap status check commit a168dae5ea14283e8992d5282237bb0d6a3e1c06 upstream. Release resources when exiting on error. Fixes: 1a5c0b28fc56 ("ASoC: stm32: spdifrx: manage identification registers") Signed-off-by: Olivier Moysan Link: https://lore.kernel.org/r/20200318144125.9163-2-olivier.moysan@st.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9de05285055de4588b83df1c853bdc99855ee573 Author: Pierre-Louis Bossart Date: Mon Mar 9 14:27:43 2020 -0500 ASoC: soc-core: disable route checks for legacy devices commit a22ae72b86a4f754e8d25fbf9ea5a8f77365e531 upstream. v5.4 changes in soc-core tightened the checks on soc_dapm_add_routes, which results in the ASoC card probe failing. Introduce a flag to be set in machine drivers to prevent the probe from stopping in case of incomplete topologies or missing routes. This flag is for backwards compatibility only and shall not be used for newer machine drivers. Example with an HDaudio card with a bad topology: [ 236.177898] skl_hda_dsp_generic skl_hda_dsp_generic: ASoC: Failed to add route iDisp1_out -> direct -> iDisp1 Tx [ 236.177902] skl_hda_dsp_generic skl_hda_dsp_generic: snd_soc_bind_card: snd_soc_dapm_add_routes failed: -19 with the disable_route_checks set: [ 64.031657] skl_hda_dsp_generic skl_hda_dsp_generic: ASoC: Failed to add route iDisp1_out -> direct -> iDisp1 Tx [ 64.031661] skl_hda_dsp_generic skl_hda_dsp_generic: snd_soc_bind_card: disable_route_checks set, ignoring errors on add_routes Fixes: daa480bde6b3a9 ("ASoC: soc-core: tidyup for snd_soc_dapm_add_routes()") Signed-off-by: Pierre-Louis Bossart Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20200309192744.18380-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a6e96b27a7b8b0fd05d4eb9546c5d092d18fef75 Author: Stephan Gerhold Date: Tue Feb 18 11:38:24 2020 +0100 ASoC: soc-pcm: fix regression in soc_new_pcm() commit a4877a6fb2bd2e356a5eaacd86d6b6d69ff84e69 upstream. Commit af4bac11531f ("ASoC: soc-pcm: crash in snd_soc_dapm_new_dai") swapped the SNDRV_PCM_STREAM_* parameter in the snd_soc_dai_stream_valid(cpu_dai, ...) checks. But that works only for codec2codec links. For normal links it breaks registration of playback/capture-only PCM devices. E.g. on qcom/apq8016_sbc there is usually one playback-only and one capture-only PCM device, but they disappeared after the commit. The codec2codec case was added in commit a342031cdd08 ("ASoC: create pcm for codec2codec links as well") as an extra check (e.g. `playback = playback && cpu_playback->channels_min`). We should be able to simplify the code by checking directly for the correct stream type in the loop. This also fixes the regression because we check for PLAYBACK for both codec and cpu dai again when codec2codec is not used. Fixes: af4bac11531f ("ASoC: soc-pcm: crash in snd_soc_dapm_new_dai") Signed-off-by: Stephan Gerhold Tested-by: Jerome Brunet Reviewed-by: Jerome Brunet Cc: Jerome Brunet Cc: Sameer Pujar Link: https://lore.kernel.org/r/20200218103824.26708-1-stephan@gerhold.net Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 09b73f54dc09106c4586dfa279ba12a3397224fa Author: Ritesh Harjani Date: Mon Mar 16 15:00:38 2020 +0530 ext4: check for non-zero journal inum in ext4_calculate_overhead commit f1eec3b0d0a849996ebee733b053efa71803dad5 upstream. While calculating overhead for internal journal, also check that j_inum shouldn't be 0. Otherwise we get below error with xfstests generic/050 with external journal (XXX_LOGDEV config) enabled. It could be simply reproduced with loop device with an external journal and marking blockdev as RO before mounting. [ 3337.146838] EXT4-fs error (device pmem1p2): ext4_get_journal_inode:4634: comm mount: inode #0: comm mount: iget: illegal inode # ------------[ cut here ]------------ generic_make_request: Trying to write to read-only block-device pmem1p2 (partno 2) WARNING: CPU: 107 PID: 115347 at block/blk-core.c:788 generic_make_request_checks+0x6b4/0x7d0 CPU: 107 PID: 115347 Comm: mount Tainted: G L --------- -t - 4.18.0-167.el8.ppc64le #1 NIP: c0000000006f6d44 LR: c0000000006f6d40 CTR: 0000000030041dd4 <...> NIP [c0000000006f6d44] generic_make_request_checks+0x6b4/0x7d0 LR [c0000000006f6d40] generic_make_request_checks+0x6b0/0x7d0 <...> Call Trace: generic_make_request_checks+0x6b0/0x7d0 (unreliable) generic_make_request+0x3c/0x420 submit_bio+0xd8/0x200 submit_bh_wbc+0x1e8/0x250 __sync_dirty_buffer+0xd0/0x210 ext4_commit_super+0x310/0x420 [ext4] __ext4_error+0xa4/0x1e0 [ext4] __ext4_iget+0x388/0xe10 [ext4] ext4_get_journal_inode+0x40/0x150 [ext4] ext4_calculate_overhead+0x5a8/0x610 [ext4] ext4_fill_super+0x3188/0x3260 [ext4] mount_bdev+0x778/0x8f0 ext4_mount+0x28/0x50 [ext4] mount_fs+0x74/0x230 vfs_kern_mount.part.6+0x6c/0x250 do_mount+0x2fc/0x1280 sys_mount+0x158/0x180 system_call+0x5c/0x70 EXT4-fs (pmem1p2): no journal found EXT4-fs (pmem1p2): can't get journal size EXT4-fs (pmem1p2): mounted filesystem without journal. Opts: dax,norecovery Fixes: 3c816ded78bb ("ext4: use journal inode to determine journal overhead") Reported-by: Harish Sriram Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20200316093038.25485-1-riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit 0f054066f8a5dff2ddca545295014412a4d0f484 Author: Yuval Basson Date: Sun Mar 29 20:32:49 2020 +0300 qed: Fix use after free in qed_chain_free commit 8063f761cd7c17fc1d0018728936e0c33a25388a upstream. The qed_chain data structure was modified in commit 1a4a69751f4d ("qed: Chain support for external PBL") to support receiving an external pbl (due to iWARP FW requirements). The pages pointed to by the pbl are allocated in qed_chain_alloc and their virtual address are stored in an virtual addresses array to enable accessing and freeing the data. The physical addresses however weren't stored and were accessed directly from the external-pbl during free. Destroy-qp flow, leads to freeing the external pbl before the chain is freed, when the chain is freed it tries accessing the already freed external pbl, leading to a use-after-free. Therefore we need to store the physical addresses in additional to the virtual addresses in a new data structure. Fixes: 1a4a69751f4d ("qed: Chain support for external PBL") Signed-off-by: Michal Kalderon Signed-off-by: Yuval Bason Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9779f8d5c092ab4f83c695954990ac251b754296 Author: Eric Dumazet Date: Tue Mar 24 19:23:21 2020 -0700 net: use indirect call wrappers for skb_copy_datagram_iter() commit 29f3490ba9d2399d3d1b20c4aa74592d92bd4e11 upstream. TCP recvmsg() calls skb_copy_datagram_iter(), which calls an indirect function (cb pointing to simple_copy_to_iter()) for every MSS (fragment) present in the skb. CONFIG_RETPOLINE=y forces a very expensive operation that we can avoid thanks to indirect call wrappers. This patch gives a 13% increase of performance on a single flow, if the bottleneck is the thread reading the TCP socket. Fixes: 950fcaecd5cc ("datagram: consolidate datagram copy to iter helpers") Signed-off-by: Eric Dumazet Acked-by: Paolo Abeni Acked-by: Willem de Bruijn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit da8825243bf76ac1cf4bf9bb9be919e8c37e816f Author: Ayush Sawal Date: Mon Mar 30 20:48:52 2020 +0530 Crypto: chelsio - Fixes a hang issue during driver registration commit ad59ddd02de26271b89564962e74d689f1a30b49 upstream. This issue occurs only when multiadapters are present. Hang happens because assign_chcr_device returns u_ctx pointer of adapter which is not yet initialized as for this adapter cxgb_up is not been called yet. The last_dev pointer is used to determine u_ctx pointer and it is initialized two times in chcr_uld_add in chcr_dev_add respectively. The fix here is don't initialize the last_dev pointer during chcr_uld_add. Only assign to value to it when the adapter's initialization is completed i.e in chcr_dev_add. Fixes: fef4912b66d62 ("crypto: chelsio - Handle PCI shutdown event"). Signed-off-by: Ayush Sawal Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ba8eb38f67f5892423afa9ee7529a44a7130698a Author: Yuval Basson Date: Wed Mar 25 22:50:43 2020 +0200 qed: Fix race condition between scheduling and destroying the slowpath workqueue commit 3b85720d3fd72e6ef4de252cd2f67548eb645eb4 upstream. Calling queue_delayed_work concurrently with destroy_workqueue might race to an unexpected outcome - scheduled task after wq is destroyed or other resources (like ptt_pool) are freed (yields NULL pointer dereference). cancel_delayed_work prevents the race by cancelling the timer triggered for scheduling a new task. Fixes: 59ccf86fe ("qed: Add driver infrastucture for handling mfw requests") Signed-off-by: Denis Bolotin Signed-off-by: Michal Kalderon Signed-off-by: Yuval Basson Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cb07b0e9289dee3a8acb3beccc6068a4dd4e8205 Author: Hoang Le Date: Thu Mar 26 09:50:29 2020 +0700 tipc: Add a missing case of TIPC_DIRECT_MSG type commit 8b1e5b0a99f04bda2d6c85ecfe5e68a356c10914 upstream. In the commit f73b12812a3d ("tipc: improve throughput between nodes in netns"), we're missing a check to handle TIPC_DIRECT_MSG type, it's still using old sending mechanism for this message type. So, throughput improvement is not significant as expected. Besides that, when sending a large message with that type, we're also handle wrong receiving queue, it should be enqueued in socket receiving instead of multicast messages. Fix this by adding the missing case for TIPC_DIRECT_MSG. Fixes: f73b12812a3d ("tipc: improve throughput between nodes in netns") Reported-by: Tuong Lien Signed-off-by: Hoang Le Acked-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit eea5bf6e750ac6d06cb56e78ff868e0a5eae1c3b Author: Eugene Syromiatnikov Date: Tue Mar 24 05:19:20 2020 +0100 taprio: do not use BIT() in TCA_TAPRIO_ATTR_FLAG_* definitions commit 673040c3a82a7564423e09c791e242a846591e30 upstream. BIT() macro definition is internal to the Linux kernel and is not to be used in UAPI headers; replace its usage with the _BITUL() macro that is already used elsewhere in the header. Fixes: 9c66d1564676 ("taprio: Add support for hardware offloading") Signed-off-by: Eugene Syromiatnikov Acked-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9cee63443d89cc71b4a1ea574cf259b508d132b6 Author: Jesper Dangaard Brouer Date: Fri Mar 13 14:25:19 2020 +0100 sfc: fix XDP-redirect in this driver commit 86e85bf6981c0c265c427d6bfe9e2a0111797444 upstream. XDP-redirect is broken in this driver sfc. XDP_REDIRECT requires tailroom for skb_shared_info when creating an SKB based on the redirected xdp_frame (both in cpumap and veth). The fix requires some initial explaining. The driver uses RX page-split when possible. It reserves the top 64 bytes in the RX-page for storing dma_addr (struct efx_rx_page_state). It also have the XDP recommended headroom of XDP_PACKET_HEADROOM (256 bytes). As it doesn't reserve any tailroom, it can still fit two standard MTU (1500) frames into one page. The sizeof struct skb_shared_info in 320 bytes. Thus drivers like ixgbe and i40e, reduce their XDP headroom to 192 bytes, which allows them to fit two frames with max 1536 bytes into a 4K page (192+1536+320=2048). The fix is to reduce this drivers headroom to 128 bytes and add the 320 bytes tailroom. This account for reserved top 64 bytes in the page, and still fit two frame in a page for normal MTUs. We must never go below 128 bytes of headroom for XDP, as one cacheline is for xdp_frame area and next cacheline is reserved for metadata area. Fixes: eb9a36be7f3e ("sfc: perform XDP processing on received packets") Signed-off-by: Jesper Dangaard Brouer Acked-by: Edward Cree Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2009b204b6fcbec5b4087c522367dffaaf77923f Author: Sascha Hauer Date: Fri Apr 17 11:28:53 2020 +0200 hwmon: (jc42) Fix name to have no illegal characters [ Upstream commit c843b382e61b5f28a3d917712c69a344f632387c ] The jc42 driver passes I2C client's name as hwmon device name. In case of device tree probed devices this ends up being part of the compatible string, "jc-42.4-temp". This name contains hyphens and the hwmon core doesn't like this: jc42 2-0018: hwmon: 'jc-42.4-temp' is not a valid name attribute, please fix This changes the name to "jc42" which doesn't have any illegal characters. Signed-off-by: Sascha Hauer Link: https://lore.kernel.org/r/20200417092853.31206-1-s.hauer@pengutronix.de Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit e74eadb8af4fc41221cb20a1b18718d90b0194a6 Author: Marc Zyngier Date: Mon Apr 6 08:52:07 2020 +0100 irqchip/meson-gpio: Fix HARDIRQ-safe -> HARDIRQ-unsafe lock order [ Upstream commit 0a66d6f90cf7d704c6a0f663f7058099eb8c97b0 ] Running a lockedp-enabled kernel on a vim3l board (Amlogic SM1) leads to the following splat: [ 13.557138] WARNING: HARDIRQ-safe -> HARDIRQ-unsafe lock order detected [ 13.587485] ip/456 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: [ 13.625922] ffff000059908cf0 (&irq_desc_lock_class){-.-.}-{2:2}, at: __setup_irq+0xf8/0x8d8 [ 13.632273] which would create a new lock dependency: [ 13.637272] (&irq_desc_lock_class){-.-.}-{2:2} -> (&ctl->lock){+.+.}-{2:2} [ 13.644209] [ 13.644209] but this new dependency connects a HARDIRQ-irq-safe lock: [ 13.654122] (&irq_desc_lock_class){-.-.}-{2:2} [ 13.654125] [ 13.654125] ... which became HARDIRQ-irq-safe at: [ 13.664759] lock_acquire+0xec/0x368 [ 13.666926] _raw_spin_lock+0x60/0x88 [ 13.669979] handle_fasteoi_irq+0x30/0x178 [ 13.674082] generic_handle_irq+0x38/0x50 [ 13.678098] __handle_domain_irq+0x6c/0xc8 [ 13.682209] gic_handle_irq+0x5c/0xb0 [ 13.685872] el1_irq+0xd0/0x180 [ 13.689010] arch_cpu_idle+0x40/0x220 [ 13.692732] default_idle_call+0x54/0x60 [ 13.696677] do_idle+0x23c/0x2e8 [ 13.699903] cpu_startup_entry+0x30/0x50 [ 13.703852] rest_init+0x1e0/0x2b4 [ 13.707301] arch_call_rest_init+0x18/0x24 [ 13.711449] start_kernel+0x4ec/0x51c [ 13.715167] [ 13.715167] to a HARDIRQ-irq-unsafe lock: [ 13.722426] (&ctl->lock){+.+.}-{2:2} [ 13.722430] [ 13.722430] ... which became HARDIRQ-irq-unsafe at: [ 13.732319] ... [ 13.732324] lock_acquire+0xec/0x368 [ 13.735985] _raw_spin_lock+0x60/0x88 [ 13.739452] meson_gpio_irq_domain_alloc+0xcc/0x290 [ 13.744392] irq_domain_alloc_irqs_hierarchy+0x24/0x60 [ 13.749586] __irq_domain_alloc_irqs+0x160/0x2f0 [ 13.754254] irq_create_fwspec_mapping+0x118/0x320 [ 13.759073] irq_create_of_mapping+0x78/0xa0 [ 13.763360] of_irq_get+0x6c/0x80 [ 13.766701] of_mdiobus_register_phy+0x10c/0x238 [of_mdio] [ 13.772227] of_mdiobus_register+0x158/0x380 [of_mdio] [ 13.777388] mdio_mux_init+0x180/0x2e8 [mdio_mux] [ 13.782128] g12a_mdio_mux_probe+0x290/0x398 [mdio_mux_meson_g12a] [ 13.788349] platform_drv_probe+0x5c/0xb0 [ 13.792379] really_probe+0xe4/0x448 [ 13.795979] driver_probe_device+0xe8/0x140 [ 13.800189] __device_attach_driver+0x94/0x120 [ 13.804639] bus_for_each_drv+0x84/0xd8 [ 13.808474] __device_attach+0xe4/0x168 [ 13.812361] device_initial_probe+0x1c/0x28 [ 13.816592] bus_probe_device+0xa4/0xb0 [ 13.820430] deferred_probe_work_func+0xa8/0x100 [ 13.825064] process_one_work+0x264/0x688 [ 13.829088] worker_thread+0x4c/0x458 [ 13.832768] kthread+0x154/0x158 [ 13.836018] ret_from_fork+0x10/0x18 [ 13.839612] [ 13.839612] other info that might help us debug this: [ 13.839612] [ 13.850354] Possible interrupt unsafe locking scenario: [ 13.850354] [ 13.855720] CPU0 CPU1 [ 13.858774] ---- ---- [ 13.863242] lock(&ctl->lock); [ 13.866330] local_irq_disable(); [ 13.872233] lock(&irq_desc_lock_class); [ 13.878705] lock(&ctl->lock); [ 13.884297] [ 13.886857] lock(&irq_desc_lock_class); [ 13.891014] [ 13.891014] *** DEADLOCK *** The issue can occur when CPU1 is doing something like irq_set_type() and CPU0 performing an interrupt allocation, for example. Taking an interrupt (like the one being reconfigured) would lead to a deadlock. A solution to this is: - Reorder the locking so that meson_gpio_irq_update_bits takes the lock itself at all times, instead of relying on the caller to lock or not, hence making the RMW sequence atomic, - Rework the critical section in meson_gpio_irq_request_channel to only cover the allocation itself, and let the gpio_irq_sel_pin callback deal with its own locking if required, - Take the private spin-lock with interrupts disabled at all times Reviewed-by: Jerome Brunet Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit ad1251808bcb23c26f1d7c44e74f76d27195e38c Author: John Garry Date: Thu Apr 16 19:18:51 2020 +0800 blk-mq: Put driver tag in blk_mq_dispatch_rq_list() when no budget [ Upstream commit 5fe56de799ad03e92d794c7936bf363922b571df ] If in blk_mq_dispatch_rq_list() we find no budget, then we break of the dispatch loop, but the request may keep the driver tag, evaulated in 'nxt' in the previous loop iteration. Fix by putting the driver tag for that request. Reviewed-by: Ming Lei Signed-off-by: John Garry Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 610e19cce076dc17434974176b23b36487bc4b3a Author: Marc Zyngier Date: Fri Apr 10 11:13:26 2020 +0100 irqchip/gic-v4.1: Add support for VPENDBASER's Dirty+Valid signaling [ Upstream commit 96806229ca033f85310bc5c203410189f8a1d2ee ] When a vPE is made resident, the GIC starts parsing the virtual pending table to deliver pending interrupts. This takes place asynchronously, and can at times take a long while. Long enough that the vcpu enters the guest and hits WFI before any interrupt has been signaled yet. The vcpu then exits, blocks, and now gets a doorbell. Rince, repeat. In order to avoid the above, a (optional on GICv4, mandatory on v4.1) feature allows the GIC to feedback to the hypervisor whether it is done parsing the VPT by clearing the GICR_VPENDBASER.Dirty bit. The hypervisor can then wait until the GIC is ready before actually running the vPE. Plug the detection code as well as polling on vPE schedule. While at it, tidy-up the kernel message that displays the GICv4 optional features. Reviewed-by: Zenghui Yu Signed-off-by: Marc Zyngier Signed-off-by: Sasha Levin commit 5844e6d238007d7a039a8492e93d09e10a33a845 Author: Theodore Ts'o Date: Mon Apr 13 23:33:05 2020 -0400 ext4: convert BUG_ON's to WARN_ON's in mballoc.c [ Upstream commit 907ea529fc4c3296701d2bfc8b831dd2a8121a34 ] If the in-core buddy bitmap gets corrupted (or out of sync with the block bitmap), issue a WARN_ON and try to recover. In most cases this involves skipping trying to allocate out of a particular block group. We can end up declaring the file system corrupted, which is fair, since the file system probably should be checked before we proceed any further. Link: https://lore.kernel.org/r/20200414035649.293164-1-tytso@mit.edu Google-Bug-Id: 34811296 Google-Bug-Id: 34639169 Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit ed3767ff9c736acecdb3ee3deda33983f3f0a133 Author: Theodore Ts'o Date: Mon Apr 13 22:30:52 2020 -0400 ext4: increase wait time needed before reuse of deleted inode numbers [ Upstream commit a17a9d935dc4a50acefaf319d58030f1da7f115a ] Current wait times have proven to be too short to protect against inode reuses that lead to metadata inconsistencies. Now that we will retry the inode allocation if we can't find any recently deleted inodes, it's a lot safer to increase the recently deleted time from 5 seconds to a minute. Link: https://lore.kernel.org/r/20200414023925.273867-1-tytso@mit.edu Google-Bug-Id: 36602237 Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 19f4195b6708d2851c46edd411d9ca5c921dd29e Author: yangerkun Date: Wed Feb 26 12:10:02 2020 +0800 ext4: use matching invalidatepage in ext4_writepage [ Upstream commit c2a559bc0e7ed5a715ad6b947025b33cb7c05ea7 ] Run generic/388 with journal data mode sometimes may trigger the warning in ext4_invalidatepage. Actually, we should use the matching invalidatepage in ext4_writepage. Signed-off-by: yangerkun Signed-off-by: Theodore Ts'o Reviewed-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20200226041002.13914-1-yangerkun@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 4e579d7f93ae4d5b74c83e5c72a12dd8fdf6f3bf Author: Fangrui Song Date: Tue Apr 14 09:32:55 2020 -0700 arm64: Delete the space separator in __emit_inst [ Upstream commit c9a4ef66450145a356a626c833d3d7b1668b3ded ] In assembly, many instances of __emit_inst(x) expand to a directive. In a few places __emit_inst(x) is used as an assembler macro argument. For example, in arch/arm64/kvm/hyp/entry.S ALTERNATIVE(nop, SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN) expands to the following by the C preprocessor: alternative_insn nop, .inst (0xd500401f | ((0) << 16 | (4) << 5) | ((!!1) << 8)), 4, 1 Both comma and space are separators, with an exception that content inside a pair of parentheses/quotes is not split, so the clang integrated assembler splits the arguments to: nop, .inst, (0xd500401f | ((0) << 16 | (4) << 5) | ((!!1) << 8)), 4, 1 GNU as preprocesses the input with do_scrub_chars(). Its arm64 backend (along with many other non-x86 backends) sees: alternative_insn nop,.inst(0xd500401f|((0)<<16|(4)<<5)|((!!1)<<8)),4,1 # .inst(...) is parsed as one argument while its x86 backend sees: alternative_insn nop,.inst (0xd500401f|((0)<<16|(4)<<5)|((!!1)<<8)),4,1 # The extra space before '(' makes the whole .inst (...) parsed as two arguments The non-x86 backend's behavior is considered unintentional (https://sourceware.org/bugzilla/show_bug.cgi?id=25750). So drop the space separator inside `.inst (...)` to make the clang integrated assembler work. Suggested-by: Ilie Halip Signed-off-by: Fangrui Song Reviewed-by: Mark Rutland Link: https://github.com/ClangBuiltLinux/linux/issues/939 Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit cb0986223caa3f2cc9dd8be3b556fd6f03d94f05 Author: Borislav Petkov Date: Fri Mar 27 22:43:34 2020 +0100 sched/vtime: Work around an unitialized variable warning [ Upstream commit e0d648f9d883ec1efab261af158d73aa30e9dd12 ] Work around this warning: kernel/sched/cputime.c: In function ‘kcpustat_field’: kernel/sched/cputime.c:1007:6: warning: ‘val’ may be used uninitialized in this function [-Wmaybe-uninitialized] because GCC can't see that val is used only when err is 0. Acked-by: Peter Zijlstra Signed-off-by: Borislav Petkov Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20200327214334.GF8015@zn.tnic Signed-off-by: Sasha Levin commit 7cc55e70cbe6bbbbf492805cd0af3c5fc3683cf5 Author: Peter Xu Date: Fri Apr 3 18:35:17 2020 -0400 sched/isolation: Allow "isolcpus=" to skip unknown sub-parameters [ Upstream commit 3662daf023500dc084fa3b96f68a6f46179ddc73 ] The "isolcpus=" parameter allows sub-parameters before the cpulist is specified, and if the parser detects an unknown sub-parameters the whole parameter will be ignored. This design is incompatible with itself when new sub-parameters are added. An older kernel will not recognize the new sub-parameter and will invalidate the whole parameter so the CPU isolation will not take effect. It emits a warning: isolcpus: Error, unknown flag The better and compatible way is to allow "isolcpus=" to skip unknown sub-parameters, so that even if new sub-parameters are added an older kernel will still be able to behave as usual even if with the new sub-parameter specified on the command line. Ideally this should have been there when the first sub-parameter for "isolcpus=" was introduced. Suggested-by: Thomas Gleixner Signed-off-by: Peter Xu Signed-off-by: Thomas Gleixner Link: https://lkml.kernel.org/r/20200403223517.406353-1-peterx@redhat.com Signed-off-by: Sasha Levin commit 45c2e2170b9224eb5a89680ffb57f2d8542d1d2e Author: Tamizh chelvam Date: Sat Mar 28 19:23:24 2020 +0530 mac80211: fix channel switch trigger from unknown mesh peer [ Upstream commit 93e2d04a1888668183f3fb48666e90b9b31d29e6 ] Previously mesh channel switch happens if beacon contains CSA IE without checking the mesh peer info. Due to that channel switch happens even if the beacon is not from its own mesh peer. Fixing that by checking if the CSA originated from the same mesh network before proceeding for channel switch. Signed-off-by: Tamizh chelvam Link: https://lore.kernel.org/r/1585403604-29274-1-git-send-email-tamizhr@codeaurora.org Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 9d9b30025ead617fa7d8d90b097ae9734e928f6f Author: Atsushi Nemoto Date: Tue Apr 14 10:12:34 2020 +0900 net: stmmac: socfpga: Allow all RGMII modes [ Upstream commit a7a0d6269652846671312b29992143f56e2866b8 ] Allow all the RGMII modes to be used. (Not only "rgmii", "rgmii-id" but "rgmii-txid", "rgmii-rxid") Signed-off-by: Atsushi Nemoto Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 298cb996bb1bab2c34bd83574bfaddf041db5030 Author: Hui Wang Date: Tue Apr 14 22:27:25 2020 +0800 ALSA: hda: call runtime_allow() for all hda controllers [ Upstream commit 9a6418487b566503c772cb6e7d3d44e652b019b0 ] Before the pci_driver->probe() is called, the pci subsystem calls runtime_forbid() and runtime_get_sync() on this pci dev, so only call runtime_put_autosuspend() is not enough to enable the runtime_pm on this device. For controllers with vgaswitcheroo feature, the pci/quirks.c will call runtime_allow() for this dev, then the controllers could enter rt_idle/suspend/resume, but for non-vgaswitcheroo controllers like Intel hda controllers, the runtime_pm is not enabled because the runtime_allow() is not called. Since it is no harm calling runtime_allow() twice, here let hda driver call runtime_allow() for all controllers. Then the runtime_pm is enabled on all controllers after the put_autosuspend() is called. Signed-off-by: Hui Wang Link: https://lore.kernel.org/r/20200414142725.6020-1-hui.wang@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e89104a0c6186fc4134350db489848cc69f47f1f Author: Juergen Gross Date: Thu Mar 26 09:03:58 2020 +0100 xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status [ Upstream commit 6b51fd3f65a22e3d1471b18a1d56247e246edd46 ] xenbus_map_ring_valloc() maps a ring page and returns the status of the used grant (0 meaning success). There are Xen hypervisors which might return the value 1 for the status of a failed grant mapping due to a bug. Some callers of xenbus_map_ring_valloc() test for errors by testing the returned status to be less than zero, resulting in no error detected and crashing later due to a not available ring page. Set the return value of xenbus_map_ring_valloc() to GNTST_general_error in case the grant status reported by Xen is greater than zero. This is part of XSA-316. Signed-off-by: Juergen Gross Reviewed-by: Wei Liu Link: https://lore.kernel.org/r/20200326080358.1018-1-jgross@suse.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit 87aadc5721aeae0ebed8fee716c77036efb8acc3 Author: Josh Poimboeuf Date: Wed Apr 1 13:23:26 2020 -0500 objtool: Support Clang non-section symbols in ORC dump [ Upstream commit 8782e7cab51b6bf01a5a86471dd82228af1ac185 ] Historically, the relocation symbols for ORC entries have only been section symbols: .text+0: sp:sp+8 bp:(und) type:call end:0 However, the Clang assembler is aggressive about stripping section symbols. In that case we will need to use function symbols: freezing_slow_path+0: sp:sp+8 bp:(und) type:call end:0 In preparation for the generation of such entries in "objtool orc generate", add support for reading them in "objtool orc dump". Signed-off-by: Josh Poimboeuf Signed-off-by: Borislav Petkov Reviewed-by: Miroslav Benes Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/b811b5eb1a42602c3b523576dc5efab9ad1c174d.1585761021.git.jpoimboe@redhat.com Signed-off-by: Sasha Levin commit 99b6aff1b4799f7a6111d5f0b5c6fc87414af80a Author: Josh Poimboeuf Date: Wed Apr 1 13:23:25 2020 -0500 objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings [ Upstream commit bd841d6154f5f41f8a32d3c1b0bc229e326e640a ] CONFIG_UBSAN_TRAP causes GCC to emit a UD2 whenever it encounters an unreachable code path. This includes __builtin_unreachable(). Because the BUG() macro uses __builtin_unreachable() after it emits its own UD2, this results in a double UD2. In this case objtool rightfully detects that the second UD2 is unreachable: init/main.o: warning: objtool: repair_env_string()+0x1c8: unreachable instruction We weren't able to figure out a way to get rid of the double UD2s, so just silence the warning. Reported-by: Randy Dunlap Signed-off-by: Josh Poimboeuf Signed-off-by: Borislav Petkov Reviewed-by: Kees Cook Reviewed-by: Miroslav Benes Acked-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/6653ad73c6b59c049211bd7c11ed3809c20ee9f5.1585761021.git.jpoimboe@redhat.com Signed-off-by: Sasha Levin commit 0e268da76acb3dabfd4c0fcd922f84530ce8d983 Author: Bodo Stroesser Date: Thu Apr 9 12:10:26 2020 +0200 scsi: target: tcmu: reset_ring should reset TCMU_DEV_BIT_BROKEN [ Upstream commit 066f79a5fd6d1b9a5cc57b5cd445b3e4bb68a5b2 ] In case command ring buffer becomes inconsistent, tcmu sets device flag TCMU_DEV_BIT_BROKEN. If the bit is set, tcmu rejects new commands from LIO core with TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE, and no longer processes completions from the ring. The reset_ring attribute can be used to completely clean up the command ring, so after reset_ring the ring no longer is inconsistent. Therefore reset_ring also should reset bit TCMU_DEV_BIT_BROKEN to allow normal processing. Link: https://lore.kernel.org/r/20200409101026.17872-1-bstroesser@ts.fujitsu.com Acked-by: Mike Christie Signed-off-by: Bodo Stroesser Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d31d19b972b1c7404df9fb45eef28dd404c46afb Author: Bodo Stroesser Date: Wed Apr 8 15:26:10 2020 +0200 scsi: target: fix PR IN / READ FULL STATUS for FC [ Upstream commit 8fed04eb79a74cbf471dfaa755900a51b37273ab ] Creation of the response to READ FULL STATUS fails for FC based reservations. Reason is the too high loop limit (< 24) in fc_get_pr_transport_id(). The string representation of FC WWPN is 23 chars long only ("11:22:33:44:55:66:77:88"). So when i is 23, the loop body is executed a last time for the ending '\0' of the string and thus hex2bin() reports an error. Link: https://lore.kernel.org/r/20200408132610.14623-3-bstroesser@ts.fujitsu.com Signed-off-by: Bodo Stroesser Reviewed-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 24b484739f2b0b6d5f73a40e8f4ab4cc6a116d1c Author: Evan Quan Date: Fri Apr 10 15:38:44 2020 +0800 drm/amdgpu: fix wrong vram lost counter increment V2 [ Upstream commit 028cfb2444b94d4f394a6fa4ca46182481236e91 ] Vram lost counter is wrongly increased by two during baco reset. V2: assumed vram lost for mode1 reset on all ASICs Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 999fe8f3a46559349d143e7a59390a4229459d98 Author: Roy Spliet Date: Mon Apr 13 10:20:34 2020 +0200 ALSA: hda: Explicitly permit using autosuspend if runtime PM is supported [ Upstream commit 3ba21113bd33d49f3c300a23fc08cf114c434995 ] This fixes runtime PM not working after a suspend-to-RAM cycle at least for the codec-less HDA device found on NVIDIA GPUs. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043 Signed-off-by: Roy Spliet Link: https://lore.kernel.org/r/20200413082034.25166-7-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 079630266c255cd9fcc3f4341d6417f89d60d31d Author: Takashi Iwai Date: Mon Apr 13 10:20:32 2020 +0200 ALSA: hda: Keep the controller initialization even if no codecs found [ Upstream commit 9479e75fca370a5220784f7596bf598c4dad0b9b ] Currently, when the HD-audio controller driver doesn't detect any codecs, it tries to abort the probe. But this abort happens at the delayed probe, i.e. the primary probe call already returned success, hence the driver is never unbound until user does so explicitly. As a result, it may leave the HD-audio device in the running state without the runtime PM. More badly, if the device is a HD-audio bus that is tied with a GPU, GPU cannot reach to the full power down and consumes unnecessarily much power. This patch changes the logic after no-codec situation; it continues probing without the further codec initialization but keep the controller driver running normally. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043 Tested-by: Roy Spliet Link: https://lore.kernel.org/r/20200413082034.25166-5-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 40a821061c01649494e7b5d36011f3136ad16de2 Author: Takashi Iwai Date: Mon Apr 13 10:20:31 2020 +0200 ALSA: hda: Release resources at error in delayed probe [ Upstream commit 2393e7555b531a534152ffe7bfd1862cacedaacb ] snd-hda-intel driver handles the most of its probe task in the delayed work (either via workqueue or via firmware loader). When an error happens in the later delayed probe, we can't deregister the device itself because the probe callback already returned success and the device was bound. So, for now, we set hda->init_failed flag and make the rest untouched until the device gets really unbound. However, this leaves the device up running, keeping the resources without any use that prevents other operations. In this patch, we release the resources at first when a probe error happens in the delayed probe stage, but keeps the top-level object, so that the PM and other ops can still refer to the object itself. Also for simplicity, snd_hda_intel object is allocated via devm, so that we can get rid of the explicit kfree calls. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207043 Link: https://lore.kernel.org/r/20200413082034.25166-4-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit c3c6875dd2f633fec0105ed609548a35cf679012 Author: Darrick J. Wong Date: Sun Apr 12 13:11:11 2020 -0700 xfs: fix partially uninitialized structure in xfs_reflink_remap_extent [ Upstream commit c142932c29e533ee892f87b44d8abc5719edceec ] In the reflink extent remap function, it turns out that uirec (the block mapping corresponding only to the part of the passed-in mapping that got unmapped) was not fully initialized. Specifically, br_state was not being copied from the passed-in struct to the uirec. This could lead to unpredictable results such as the reflinked mapping being marked unwritten in the destination file. Signed-off-by: Darrick J. Wong Reviewed-by: Brian Foster Signed-off-by: Sasha Levin commit 45b438c14e88397fdc19277b051e732167c2d1e4 Author: David Howells Date: Wed Apr 1 23:32:12 2020 +0100 afs: Fix length of dump of bad YFSFetchStatus record [ Upstream commit 3efe55b09a92a59ed8214db801683cf13c9742c4 ] Fix the length of the dump of a bad YFSFetchStatus record. The function was copied from the AFS version, but the YFS variant contains bigger fields and extra information, so expand the dump to match. Signed-off-by: David Howells Signed-off-by: Sasha Levin commit f632bd49aa2956e3353af9a03878977af772156d Author: Zhiqiang Liu Date: Mon Mar 30 10:18:33 2020 +0800 signal: check sig before setting info in kill_pid_usb_asyncio [ Upstream commit eaec2b0bd30690575c581eebffae64bfb7f684ac ] In kill_pid_usb_asyncio, if signal is not valid, we do not need to set info struct. Signed-off-by: Zhiqiang Liu Acked-by: Christian Brauner Link: https://lore.kernel.org/r/f525fd08-1cf7-fb09-d20c-4359145eb940@huawei.com Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin commit b9a04de7bc7b4d9ed21df82a0a40e8931b900c86 Author: Olaf Hering Date: Tue Apr 7 19:27:39 2020 +0200 x86: hyperv: report value of misc_features [ Upstream commit 97d9f1c43bedd400301d6f1eff54d46e8c636e47 ] A few kernel features depend on ms_hyperv.misc_features, but unlike its siblings ->features and ->hints, the value was never reported during boot. Signed-off-by: Olaf Hering Link: https://lore.kernel.org/r/20200407172739.31371-1-olaf@aepfle.de Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 250b1951e6bf006f90ff34e8f89c6ded9884be09 Author: Martin Fuzzey Date: Thu Apr 2 15:51:27 2020 +0200 net: fec: set GPR bit on suspend by DT configuration. [ Upstream commit da722186f6549d752ea5b5fbc18111833c81a133 ] On some SoCs, such as the i.MX6, it is necessary to set a bit in the SoC level GPR register before suspending for wake on lan to work. The fec platform callback sleep_mode_enable was intended to allow this but the platform implementation was NAK'd back in 2015 [1] This means that, currently, wake on lan is broken on mainline for the i.MX6 at least. So implement the required bit setting in the fec driver by itself by adding a new optional DT property indicating the GPR register and adding the offset and bit information to the driver. [1] https://www.spinics.net/lists/netdev/msg310922.html Signed-off-by: Martin Fuzzey Signed-off-by: Fugang Duan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 34f47fbf3f91ec8c5e318dc9be2ac9f03963251e Author: Jeremy Cline Date: Sat Apr 4 01:14:30 2020 -0400 libbpf: Initialize *nl_pid so gcc 10 is happy [ Upstream commit 4734b0fefbbf98f8c119eb8344efa19dac82cd2c ] Builds of Fedora's kernel-tools package started to fail with "may be used uninitialized" warnings for nl_pid in bpf_set_link_xdp_fd() and bpf_get_link_xdp_info() on the s390 architecture. Although libbpf_netlink_open() always returns a negative number when it does not set *nl_pid, the compiler does not determine this and thus believes the variable might be used uninitialized. Assuage gcc's fears by explicitly initializing nl_pid. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1807781 Signed-off-by: Jeremy Cline Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200404051430.698058-1-jcline@redhat.com Signed-off-by: Sasha Levin commit 133f34d362fb302430e061a5c53307a8a0168634 Author: Eric Biggers Date: Tue Mar 10 08:57:27 2020 -0700 xfs: clear PF_MEMALLOC before exiting xfsaild thread commit 10a98cb16d80be3595fdb165fad898bb28b8b6d2 upstream. Leaving PF_MEMALLOC set when exiting a kthread causes it to remain set during do_exit(). That can confuse things. In particular, if BSD process accounting is enabled, then do_exit() writes data to an accounting file. If that file has FS_SYNC_FL set, then this write occurs synchronously and can misbehave if PF_MEMALLOC is set. For example, if the accounting file is located on an XFS filesystem, then a WARN_ON_ONCE() in iomap_do_writepage() is triggered and the data doesn't get written when it should. Or if the accounting file is located on an ext4 filesystem without a journal, then a WARN_ON_ONCE() in ext4_write_inode() is triggered and the inode doesn't get written. Fix this in xfsaild() by using the helper functions to save and restore PF_MEMALLOC. This can be reproduced as follows in the kvm-xfstests test appliance modified to add the 'acct' Debian package, and with kvm-xfstests's recommended kconfig modified to add CONFIG_BSD_PROCESS_ACCT=y: mkfs.xfs -f /dev/vdb mount /vdb touch /vdb/file chattr +S /vdb/file accton /vdb/file mkfs.xfs -f /dev/vdc mount /vdc umount /vdc It causes: WARNING: CPU: 1 PID: 336 at fs/iomap/buffered-io.c:1534 CPU: 1 PID: 336 Comm: xfsaild/vdc Not tainted 5.6.0-rc5 #3 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191223_100556-anatol 04/01/2014 RIP: 0010:iomap_do_writepage+0x16b/0x1f0 fs/iomap/buffered-io.c:1534 [...] Call Trace: write_cache_pages+0x189/0x4d0 mm/page-writeback.c:2238 iomap_writepages+0x1c/0x33 fs/iomap/buffered-io.c:1642 xfs_vm_writepages+0x65/0x90 fs/xfs/xfs_aops.c:578 do_writepages+0x41/0xe0 mm/page-writeback.c:2344 __filemap_fdatawrite_range+0xd2/0x120 mm/filemap.c:421 file_write_and_wait_range+0x71/0xc0 mm/filemap.c:760 xfs_file_fsync+0x7a/0x2b0 fs/xfs/xfs_file.c:114 generic_write_sync include/linux/fs.h:2867 [inline] xfs_file_buffered_aio_write+0x379/0x3b0 fs/xfs/xfs_file.c:691 call_write_iter include/linux/fs.h:1901 [inline] new_sync_write+0x130/0x1d0 fs/read_write.c:483 __kernel_write+0x54/0xe0 fs/read_write.c:515 do_acct_process+0x122/0x170 kernel/acct.c:522 slow_acct_process kernel/acct.c:581 [inline] acct_process+0x1d4/0x27c kernel/acct.c:607 do_exit+0x83d/0xbc0 kernel/exit.c:791 kthread+0xf1/0x140 kernel/kthread.c:257 ret_from_fork+0x27/0x50 arch/x86/entry/entry_64.S:352 This bug was originally reported by syzbot at https://lore.kernel.org/r/0000000000000e7156059f751d7b@google.com. Reported-by: syzbot+1f9dc49e8de2582d90c2@syzkaller.appspotmail.com Signed-off-by: Eric Biggers Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit a7074b9699046ad1ede92bc6e5a559571b8818e0 Author: Yang Shi Date: Mon Apr 20 18:14:17 2020 -0700 mm: shmem: disable interrupt when acquiring info->lock in userfaultfd_copy path commit 94b7cc01da5a3cc4f3da5e0ff492ef008bb555d6 upstream. Syzbot reported the below lockdep splat: WARNING: possible irq lock inversion dependency detected 5.6.0-rc7-syzkaller #0 Not tainted -------------------------------------------------------- syz-executor.0/10317 just changed the state of lock: ffff888021d16568 (&(&info->lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:338 [inline] ffff888021d16568 (&(&info->lock)->rlock){+.+.}, at: shmem_mfill_atomic_pte+0x1012/0x21c0 mm/shmem.c:2407 but this lock was taken by another, SOFTIRQ-safe lock in the past: (&(&xa->xa_lock)->rlock#5){..-.} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&(&info->lock)->rlock); local_irq_disable(); lock(&(&xa->xa_lock)->rlock#5); lock(&(&info->lock)->rlock); lock(&(&xa->xa_lock)->rlock#5); *** DEADLOCK *** The full report is quite lengthy, please see: https://lore.kernel.org/linux-mm/alpine.LSU.2.11.2004152007370.13597@eggly.anvils/T/#m813b412c5f78e25ca8c6c7734886ed4de43f241d It is because CPU 0 held info->lock with IRQ enabled in userfaultfd_copy path, then CPU 1 is splitting a THP which held xa_lock and info->lock in IRQ disabled context at the same time. If softirq comes in to acquire xa_lock, the deadlock would be triggered. The fix is to acquire/release info->lock with *_irq version instead of plain spin_{lock,unlock} to make it softirq safe. Fixes: 4c27fe4c4c84 ("userfaultfd: shmem: add shmem_mcopy_atomic_pte for userfaultfd support") Reported-by: syzbot+e27980339d305f2dbfd9@syzkaller.appspotmail.com Signed-off-by: Yang Shi Signed-off-by: Andrew Morton Tested-by: syzbot+e27980339d305f2dbfd9@syzkaller.appspotmail.com Acked-by: Hugh Dickins Cc: Andrea Arcangeli Link: http://lkml.kernel.org/r/1587061357-122619-1-git-send-email-yang.shi@linux.alibaba.com Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d55e35e871d5a60eaf14cc6ac6c3ae72f98bcf18 Author: Stanislav Fomichev Date: Tue Apr 21 17:37:53 2020 -0700 selftests/bpf: Fix a couple of broken test_btf cases commit e1cebd841b0aa1ceda771706d54a0501986a3c88 upstream. Commit 51c39bb1d5d1 ("bpf: Introduce function-by-function verification") introduced function linkage flag and changed the error message from "vlen != 0" to "Invalid func linkage" and broke some fake BPF programs. Adjust the test accordingly. AFACT, the programs don't really need any arguments and only look at BTF for maps, so let's drop the args altogether. Before: BTF raw test[103] (func (Non zero vlen)): do_test_raw:3703:FAIL expected err_str:vlen != 0 magic: 0xeb9f version: 1 flags: 0x0 hdr_len: 24 type_off: 0 type_len: 72 str_off: 72 str_len: 10 btf_total_size: 106 [1] INT (anon) size=4 bits_offset=0 nr_bits=32 encoding=SIGNED [2] INT (anon) size=4 bits_offset=0 nr_bits=32 encoding=(none) [3] FUNC_PROTO (anon) return=0 args=(1 a, 2 b) [4] FUNC func type_id=3 Invalid func linkage BTF libbpf test[1] (test_btf_haskv.o): libbpf: load bpf program failed: Invalid argument libbpf: -- BEGIN DUMP LOG --- libbpf: Validating test_long_fname_2() func#1... Arg#0 type PTR in test_long_fname_2() is not supported yet. processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 libbpf: -- END LOG -- libbpf: failed to load program 'dummy_tracepoint' libbpf: failed to load object 'test_btf_haskv.o' do_test_file:4201:FAIL bpf_object__load: -4007 BTF libbpf test[2] (test_btf_newkv.o): libbpf: load bpf program failed: Invalid argument libbpf: -- BEGIN DUMP LOG --- libbpf: Validating test_long_fname_2() func#1... Arg#0 type PTR in test_long_fname_2() is not supported yet. processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 libbpf: -- END LOG -- libbpf: failed to load program 'dummy_tracepoint' libbpf: failed to load object 'test_btf_newkv.o' do_test_file:4201:FAIL bpf_object__load: -4007 BTF libbpf test[3] (test_btf_nokv.o): libbpf: load bpf program failed: Invalid argument libbpf: -- BEGIN DUMP LOG --- libbpf: Validating test_long_fname_2() func#1... Arg#0 type PTR in test_long_fname_2() is not supported yet. processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 libbpf: -- END LOG -- libbpf: failed to load program 'dummy_tracepoint' libbpf: failed to load object 'test_btf_nokv.o' do_test_file:4201:FAIL bpf_object__load: -4007 Fixes: 51c39bb1d5d1 ("bpf: Introduce function-by-function verification") Signed-off-by: Stanislav Fomichev Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200422003753.124921-1-sdf@google.com Signed-off-by: Greg Kroah-Hartman commit cbde2870a193d0a458f30350355694cf45f510b4 Author: Toke Høiland-Jørgensen Date: Fri Apr 24 15:34:27 2020 +0200 bpf: Propagate expected_attach_type when verifying freplace programs commit 03f87c0b45b177ba5f6b4a9bbe9f95e4aba31026 upstream. For some program types, the verifier relies on the expected_attach_type of the program being verified in the verification process. However, for freplace programs, the attach type was not propagated along with the verifier ops, so the expected_attach_type would always be zero for freplace programs. This in turn caused the verifier to sometimes make the wrong call for freplace programs. For all existing uses of expected_attach_type for this purpose, the result of this was only false negatives (i.e., freplace functions would be rejected by the verifier even though they were valid programs for the target they were replacing). However, should a false positive be introduced, this can lead to out-of-bounds accesses and/or crashes. The fix introduced in this patch is to propagate the expected_attach_type to the freplace program during verification, and reset it after that is done. Fixes: be8704ff07d2 ("bpf: Introduce dynamic program extensions") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/158773526726.293902.13257293296560360508.stgit@toke.dk Signed-off-by: Greg Kroah-Hartman commit e9e3f1d113f2c091b723ade73e63255c99f9eec5 Author: Wang YanQing Date: Thu Apr 23 13:06:37 2020 +0800 bpf, x86_32: Fix logic error in BPF_LDX zero-extension commit 5ca1ca01fae1e90f8d010eb1d83374f28dc11ee6 upstream. When verifier_zext is true, we don't need to emit code for zero-extension. Fixes: 836256bf5f37 ("x32: bpf: eliminate zero extension code-gen") Signed-off-by: Wang YanQing Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200423050637.GA4029@udknight Signed-off-by: Greg Kroah-Hartman commit 75d96eb218cd2f4e1b1a2d5dfaa5cd0a6bb02eaf Author: Luke Nelson Date: Wed Apr 22 10:36:30 2020 -0700 bpf, x86_32: Fix clobbering of dst for BPF_JSET commit 50fe7ebb6475711c15b3397467e6424e20026d94 upstream. The current JIT clobbers the destination register for BPF_JSET BPF_X and BPF_K by using "and" and "or" instructions. This is fine when the destination register is a temporary loaded from a register stored on the stack but not otherwise. This patch fixes the problem (for both BPF_K and BPF_X) by always loading the destination register into temporaries since BPF_JSET should not modify the destination register. This bug may not be currently triggerable as BPF_REG_AX is the only register not stored on the stack and the verifier uses it in a limited way. Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32") Signed-off-by: Xi Wang Signed-off-by: Luke Nelson Signed-off-by: Alexei Starovoitov Acked-by: Wang YanQing Link: https://lore.kernel.org/bpf/20200422173630.8351-2-luke.r.nels@gmail.com Signed-off-by: Greg Kroah-Hartman commit fb54076dbf5a643c33dc5071562202682b057251 Author: Luke Nelson Date: Wed Apr 22 10:36:29 2020 -0700 bpf, x86_32: Fix incorrect encoding in BPF_LDX zero-extension commit 5fa9a98fb10380e48a398998cd36a85e4ef711d6 upstream. The current JIT uses the following sequence to zero-extend into the upper 32 bits of the destination register for BPF_LDX BPF_{B,H,W}, when the destination register is not on the stack: EMIT3(0xC7, add_1reg(0xC0, dst_hi), 0); The problem is that C7 /0 encodes a MOV instruction that requires a 4-byte immediate; the current code emits only 1 byte of the immediate. This means that the first 3 bytes of the next instruction will be treated as the rest of the immediate, breaking the stream of instructions. This patch fixes the problem by instead emitting "xor dst_hi,dst_hi" to clear the upper 32 bits. This fixes the problem and is more efficient than using MOV to load a zero immediate. This bug may not be currently triggerable as BPF_REG_AX is the only register not stored on the stack and the verifier uses it in a limited way, and the verifier implements a zero-extension optimization. But the JIT should avoid emitting incorrect encodings regardless. Fixes: 03f5781be2c7b ("bpf, x86_32: add eBPF JIT compiler for ia32") Signed-off-by: Xi Wang Signed-off-by: Luke Nelson Signed-off-by: Alexei Starovoitov Reviewed-by: H. Peter Anvin (Intel) Acked-by: Wang YanQing Link: https://lore.kernel.org/bpf/20200422173630.8351-1-luke.r.nels@gmail.com Signed-off-by: Greg Kroah-Hartman commit bc0cd5b4ff91004f71e0057956277a429c8cdd77 Author: Luke Nelson Date: Sat Apr 18 16:26:53 2020 -0700 bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B commit aee194b14dd2b2bde6252b3acf57d36dccfc743a upstream. This patch fixes an encoding bug in emit_stx for BPF_B when the source register is BPF_REG_FP. The current implementation for BPF_STX BPF_B in emit_stx saves one REX byte when the operands can be encoded using Mod-R/M alone. The lower 8 bits of registers %rax, %rbx, %rcx, and %rdx can be accessed without using a REX prefix via %al, %bl, %cl, and %dl, respectively. Other registers, (e.g., %rsi, %rdi, %rbp, %rsp) require a REX prefix to use their 8-bit equivalents (%sil, %dil, %bpl, %spl). The current code checks if the source for BPF_STX BPF_B is BPF_REG_1 or BPF_REG_2 (which map to %rdi and %rsi), in which case it emits the required REX prefix. However, it misses the case when the source is BPF_REG_FP (mapped to %rbp). The result is that BPF_STX BPF_B with BPF_REG_FP as the source operand will read from register %ch instead of the correct %bpl. This patch fixes the problem by fixing and refactoring the check on which registers need the extra REX byte. Since no BPF registers map to %rsp, there is no need to handle %spl. Fixes: 622582786c9e0 ("net: filter: x86: internal BPF JIT") Signed-off-by: Xi Wang Signed-off-by: Luke Nelson Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200418232655.23870-1-luke.r.nels@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7cc3a7ff2658e8aadfa4656e09d7df153acf4a95 Author: Jann Horn Date: Fri Apr 17 02:00:07 2020 +0200 bpf: Fix handling of XADD on BTF memory commit 8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf upstream. check_xadd() can cause check_ptr_to_btf_access() to be executed with atype==BPF_READ and value_regno==-1 (meaning "just check whether the access is okay, don't tell me what type it will result in"). Handle that case properly and skip writing type information, instead of indexing into the registers at index -1 and writing into out-of-bounds memory. Note that at least at the moment, you can't actually write through a BTF pointer, so check_xadd() will reject the program after calling check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the verifier has already corrupted memory. This patch assumes that BTF pointers are not available in unprivileged programs. Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF") Signed-off-by: Jann Horn Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com Signed-off-by: Greg Kroah-Hartman commit 2538b3dd43a00c9c169317916054deb7b2c2f381 Author: Vitor Massaru Iha Date: Tue Apr 21 21:48:44 2020 -0300 um: ensure `make ARCH=um mrproper` removes arch/$(SUBARCH)/include/generated/ commit 63ec90f18204f2fe072df108de8a021b28b1b173 upstream. In this workflow: $ make ARCH=um defconfig && make ARCH=um -j8 [snip] $ make ARCH=um mrproper [snip] $ make ARCH=um defconfig O=./build_um && make ARCH=um -j8 O=./build_um [snip] CC scripts/mod/empty.o In file included from ../include/linux/types.h:6, from ../include/linux/mod_devicetable.h:12, from ../scripts/mod/devicetable-offsets.c:3: ../include/uapi/linux/types.h:5:10: fatal error: asm/types.h: No such file or directory 5 | #include | ^~~~~~~~~~~~~ compilation terminated. make[2]: *** [../scripts/Makefile.build:100: scripts/mod/devicetable-offsets.s] Error 1 make[2]: *** Waiting for unfinished jobs.... make[1]: *** [/home/iha/sdb/opensource/lkmp/linux-kselftest.git/Makefile:1140: prepare0] Error 2 make[1]: Leaving directory '/home/iha/sdb/opensource/lkmp/linux-kselftest.git/build_um' make: *** [Makefile:180: sub-make] Error 2 The cause of the error was because arch/$(SUBARCH)/include/generated files weren't properly cleaned by `make ARCH=um mrproper`. Fixes: a788b2ed81ab ("kbuild: check arch/$(SRCARCH)/include/generated before out-of-tree build") Reported-by: Theodore Ts'o Suggested-by: Masahiro Yamada Signed-off-by: Vitor Massaru Iha Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Link: https://groups.google.com/forum/#!msg/kunit-dev/QmA27YEgEgI/hvS1kiz2CwAJ Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit d1fb2365b01cd98b0eae28c65cf9f8a6d9d301c2 Author: Waiman Long Date: Tue Apr 21 09:07:55 2020 -0400 blk-iocost: Fix error on iocost_ioc_vrate_adj commit d6c8e949a35d6906d6c03a50e9a9cdf4e494528a upstream. Systemtap 4.2 is unable to correctly interpret the "u32 (*missed_ppm)[2]" argument of the iocost_ioc_vrate_adj trace entry defined in include/trace/events/iocost.h leading to the following error: /tmp/stapAcz0G0/stap_c89c58b83cea1724e26395efa9ed4939_6321_aux_6.c:78:8: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token , u32[]* __tracepoint_arg_missed_ppm That argument type is indeed rather complex and hard to read. Looking at block/blk-iocost.c. It is just a 2-entry u32 array. By simplifying the argument to a simple "u32 *missed_ppm" and adjusting the trace entry accordingly, the compilation error was gone. Fixes: 7caa47151ab2 ("blkcg: implement blk-iocost") Acked-by: Steven Rostedt (VMware) Acked-by: Tejun Heo Signed-off-by: Waiman Long Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit be554983e707523a89c0c50761c36a80ecca2446 Author: Kai-Heng Feng Date: Tue Apr 21 16:21:55 2020 +0800 PM: sleep: core: Switch back to async_schedule_dev() commit 09beebd8f93b3c8bf894e342f0a203a5c612478c upstream. Commit 8b9ec6b73277 ("PM core: Use new async_schedule_dev command") introduced a new function for better performance. However commit f2a424f6c613 ("PM / core: Introduce dpm_async_fn() helper") went back to the non-optimized version, async_schedule(). So switch back to the sync_schedule_dev() to improve performance Fixes: f2a424f6c613 ("PM / core: Introduce dpm_async_fn() helper") Signed-off-by: Kai-Heng Feng Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit ae24815d7ae13e5bbe998ca23e146bb3322f2d58 Author: Hillf Danton Date: Sat Apr 18 16:28:32 2020 +0800 netfilter: nat: fix error handling upon registering inet hook commit b4faef1739dd1f3b3981b8bf173a2266ea86b1eb upstream. A case of warning was reported by syzbot. ------------[ cut here ]------------ WARNING: CPU: 0 PID: 19934 at net/netfilter/nf_nat_core.c:1106 nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106 Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 19934 Comm: syz-executor.5 Not tainted 5.6.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 panic+0x2e3/0x75c kernel/panic.c:221 __warn.cold+0x2f/0x35 kernel/panic.c:582 report_bug+0x27b/0x2f0 lib/bug.c:195 fixup_bug arch/x86/kernel/traps.c:175 [inline] fixup_bug arch/x86/kernel/traps.c:170 [inline] do_error_trap+0x12b/0x220 arch/x86/kernel/traps.c:267 do_invalid_op+0x32/0x40 arch/x86/kernel/traps.c:286 invalid_op+0x23/0x30 arch/x86/entry/entry_64.S:1027 RIP: 0010:nf_nat_unregister_fn+0x532/0x5c0 net/netfilter/nf_nat_core.c:1106 Code: ff df 48 c1 ea 03 80 3c 02 00 75 75 48 8b 44 24 10 4c 89 ef 48 c7 00 00 00 00 00 e8 e8 f8 53 fb e9 4d fe ff ff e8 ee 9c 16 fb <0f> 0b e9 41 fe ff ff e8 e2 45 54 fb e9 b5 fd ff ff 48 8b 7c 24 20 RSP: 0018:ffffc90005487208 EFLAGS: 00010246 RAX: 0000000000040000 RBX: 0000000000000004 RCX: ffffc9001444a000 RDX: 0000000000040000 RSI: ffffffff865c94a2 RDI: 0000000000000005 RBP: ffff88808b5cf000 R08: ffff8880a2620140 R09: fffffbfff14bcd79 R10: ffffc90005487208 R11: fffffbfff14bcd78 R12: 0000000000000000 R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000 nf_nat_ipv6_unregister_fn net/netfilter/nf_nat_proto.c:1017 [inline] nf_nat_inet_register_fn net/netfilter/nf_nat_proto.c:1038 [inline] nf_nat_inet_register_fn+0xfc/0x140 net/netfilter/nf_nat_proto.c:1023 nf_tables_register_hook net/netfilter/nf_tables_api.c:224 [inline] nf_tables_addchain.constprop.0+0x82e/0x13c0 net/netfilter/nf_tables_api.c:1981 nf_tables_newchain+0xf68/0x16a0 net/netfilter/nf_tables_api.c:2235 nfnetlink_rcv_batch+0x83a/0x1610 net/netfilter/nfnetlink.c:433 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline] nfnetlink_rcv+0x3af/0x420 net/netfilter/nfnetlink.c:561 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6bf/0x7e0 net/socket.c:2362 ___sys_sendmsg+0x100/0x170 net/socket.c:2416 __sys_sendmsg+0xec/0x1b0 net/socket.c:2449 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 and to quiesce it, unregister NFPROTO_IPV6 hook instead of NFPROTO_INET in case of failing to register NFPROTO_IPV4 hook. Reported-by: syzbot Fixes: d164385ec572 ("netfilter: nat: add inet family nat support") Cc: Florian Westphal Cc: Stefano Brivio Signed-off-by: Hillf Danton Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit d0bccfb1c871012ce88cc164eb4c8a87dd62c442 Author: Ian Rogers Date: Fri Apr 17 11:28:42 2020 -0700 perf/core: fix parent pid/tid in task exit events commit f3bed55e850926614b9898fe982f66d2541a36a5 upstream. Current logic yields the child task as the parent. Before: $ perf record bash -c "perf list > /dev/null" $ perf script -D |grep 'FORK\|EXIT' 4387036190981094 0x5a70 [0x30]: PERF_RECORD_FORK(10472:10472):(10470:10470) 4387036606207580 0xf050 [0x30]: PERF_RECORD_EXIT(10472:10472):(10472:10472) 4387036607103839 0x17150 [0x30]: PERF_RECORD_EXIT(10470:10470):(10470:10470) ^ Note the repeated values here -------------------/ After: 383281514043 0x9d8 [0x30]: PERF_RECORD_FORK(2268:2268):(2266:2266) 383442003996 0x2180 [0x30]: PERF_RECORD_EXIT(2268:2268):(2266:2266) 383451297778 0xb70 [0x30]: PERF_RECORD_EXIT(2266:2266):(2265:2265) Fixes: 94d5d1b2d891 ("perf_counter: Report the cloning task as parent on perf_counter_fork()") Reported-by: KP Singh Signed-off-by: Ian Rogers Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20200417182842.12522-1-irogers@google.com Signed-off-by: Greg Kroah-Hartman commit 5ec78aa305cacac96db7bc332bfbadb69000478c Author: Quentin Perret Date: Thu Apr 16 09:59:56 2020 +0100 sched/core: Fix reset-on-fork from RT with uclamp commit eaf5a92ebde5bca3bb2565616115bd6d579486cd upstream. uclamp_fork() resets the uclamp values to their default when the reset-on-fork flag is set. It also checks whether the task has a RT policy, and sets its uclamp.min to 1024 accordingly. However, during reset-on-fork, the task's policy is lowered to SCHED_NORMAL right after, hence leading to an erroneous uclamp.min setting for the new task if it was forked from RT. Fix this by removing the unnecessary check on rt_task() in uclamp_fork() as this doesn't make sense if the reset-on-fork flag is set. Fixes: 1a00d999971c ("sched/uclamp: Set default clamps for RT tasks") Reported-by: Chitti Babu Theegala Signed-off-by: Quentin Perret Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Patrick Bellasi Reviewed-by: Dietmar Eggemann Link: https://lkml.kernel.org/r/20200416085956.217587-1-qperret@google.com Signed-off-by: Greg Kroah-Hartman commit d525817f44bd4688503c8076952c0595be57e21c Author: Niklas Schnelle Date: Thu Apr 9 09:46:20 2020 +0200 net/mlx5: Fix failing fw tracer allocation on s390 commit a019b36123aec9700b21ae0724710f62928a8bc1 upstream. On s390 FORCE_MAX_ZONEORDER is 9 instead of 11, thus a larger kzalloc() allocation as done for the firmware tracer will always fail. Looking at mlx5_fw_tracer_save_trace(), it is actually the driver itself that copies the debug data into the trace array and there is no need for the allocation to be contiguous in physical memory. We can therefor use kvzalloc() instead of kzalloc() and get rid of the large contiguous allcoation. Fixes: f53aaa31cce7 ("net/mlx5: FW tracer, implement tracer logic") Signed-off-by: Niklas Schnelle Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit b928c91096389f61dda73f4f5d80d5b8338f8a9c Author: Arnd Bergmann Date: Wed Apr 8 17:54:29 2020 +0200 remoteproc: mtk_scp: use dma_addr_t for DMA API commit c2781e4d9bc6d925dfc1ff833dfdaf12b69679de upstream. dma_addr_t and phys_addr_t are distinct types and must not be mixed, as both the values and the size of the type may be different depending on what the remote device uses. In this driver the compiler warns when the two types are different: drivers/remoteproc/mtk_scp.c: In function 'scp_map_memory_region': drivers/remoteproc/mtk_scp.c:454:9: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types] 454 | &scp->phys_addr, GFP_KERNEL); | ^~~~~~~~~~~~~~~ | | | phys_addr_t * {aka unsigned int *} In file included from drivers/remoteproc/mtk_scp.c:7: include/linux/dma-mapping.h:642:15: note: expected 'dma_addr_t *' {aka 'long long unsigned int *'} but argument is of type 'phys_addr_t *' {aka 'unsigned int *'} 642 | dma_addr_t *dma_handle, gfp_t gfp) Change the phys_addr member to be typed and named according to how it is allocated. Fixes: 63c13d61eafe ("remoteproc/mediatek: add SCP support for mt8183") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20200408155450.2186471-1-arnd@arndb.de Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit caba3bc8170e50960051dce5cde2397c6ca35446 Author: Niklas Schnelle Date: Thu Apr 16 13:44:30 2020 +0200 s390/pci: do not set affinity for floating irqs commit 86dbf32da150339ca81509fa2eb84c814b55258b upstream. with the introduction of CPU directed interrupts the kernel parameter pci=force_floating was introduced to fall back to the previous behavior using floating irqs. However we were still setting the affinity in that case, both in __irq_alloc_descs() and via the irq_set_affinity callback in struct irq_chip. For the former only set the affinity in the directed case. The latter is explicitly set in zpci_directed_irq_init() so we can just leave it unset for the floating case. Fixes: e979ce7bced2 ("s390/pci: provide support for CPU directed interrupts") Co-developed-by: Alexander Schmidt Signed-off-by: Alexander Schmidt Signed-off-by: Niklas Schnelle Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit f732e693b0dddc2b6982616de2a775e4b5011295 Author: Toke Høiland-Jørgensen Date: Thu Apr 16 10:31:20 2020 +0200 cpumap: Avoid warning when CONFIG_DEBUG_PER_CPU_MAPS is enabled commit bc23d0e3f717ced21fbfacab3ab887d55e5ba367 upstream. When the kernel is built with CONFIG_DEBUG_PER_CPU_MAPS, the cpumap code can trigger a spurious warning if CONFIG_CPUMASK_OFFSTACK is also set. This happens because in this configuration, NR_CPUS can be larger than nr_cpumask_bits, so the initial check in cpu_map_alloc() is not sufficient to guard against hitting the warning in cpumask_check(). Fix this by explicitly checking the supplied key against the nr_cpumask_bits variable before calling cpu_possible(). Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") Reported-by: Xiumei Mu Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Alexei Starovoitov Tested-by: Xiumei Mu Acked-by: Jesper Dangaard Brouer Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20200416083120.453718-1-toke@redhat.com Signed-off-by: Greg Kroah-Hartman commit 45b777107880e92f533d4abb85ad04afe97a874a Author: Nicolas Saenz Julienne Date: Wed Apr 15 16:42:33 2020 +0200 ARM: dts: bcm283x: Disable dsi0 node commit 90444b958461a5f8fc299ece0fe17eab15cba1e1 upstream. Since its inception the module was meant to be disabled by default, but the original commit failed to add the relevant property. Fixes: 4aba4cf82054 ("ARM: dts: bcm2835: Add the DSI module nodes and clocks") Signed-off-by: Nicolas Saenz Julienne Reviewed-by: Eric Anholt Signed-off-by: Florian Fainelli Signed-off-by: Greg Kroah-Hartman commit 4d8c9f21ff9186660531dea55a1bc681ced6525f Author: Bjorn Helgaas Date: Thu Apr 9 12:43:45 2020 -0500 PCI: Move Apex Edge TPU class quirk to fix BAR assignment commit 0a8f41023e8a3c100b3dc458ed2da651bf961ead upstream. Some Google Apex Edge TPU devices have a class code of 0 (PCI_CLASS_NOT_DEFINED). This prevents the PCI core from assigning resources for the Apex BARs because __dev_sort_resources() ignores classless devices, host bridges, and IOAPICs. On x86, firmware typically assigns those resources, so this was not a problem. But on some architectures, firmware does *not* assign BARs, and since the PCI core didn't do it either, the Apex device didn't work correctly: apex 0000:01:00.0: can't enable device: BAR 0 [mem 0x00000000-0x00003fff 64bit pref] not claimed apex 0000:01:00.0: error enabling PCI device f390d08d8b87 ("staging: gasket: apex: fixup undefined PCI class") added a quirk to fix the class code, but it was in the apex driver, and if the driver was built as a module, it was too late to help. Move the quirk to the PCI core, where it will always run early enough that the PCI core will assign resources if necessary. Link: https://lore.kernel.org/r/CAEzXK1r0Er039iERnc2KJ4jn7ySNUOG9H=Ha8TD8XroVqiZjgg@mail.gmail.com Fixes: f390d08d8b87 ("staging: gasket: apex: fixup undefined PCI class") Reported-by: Luís Mendes Debugged-by: Luís Mendes Tested-by: Luis Mendes Signed-off-by: Bjorn Helgaas Cc: Todd Poynor Signed-off-by: Greg Kroah-Hartman commit 283e581c93e2bf70456102f612268a5e57dbc016 Author: Raymond Pang Date: Fri Mar 27 17:11:48 2020 +0800 PCI: Add ACS quirk for Zhaoxin Root/Downstream Ports commit 299bd044a6f332b4a6c8f708575c27cad70a35c1 upstream. Many Zhaoxin Root Ports and Switch Downstream Ports do provide ACS-like capability but have no ACS Capability Structure. Peer-to-Peer transactions could be blocked between these ports, so add quirk so devices behind them could be assigned to different IOMMU group. Link: https://lore.kernel.org/r/20200327091148.5190-4-RaymondPang-oc@zhaoxin.com Signed-off-by: Raymond Pang Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit 1db302420b7f63b98edea7f90ca5a9cd1ee64cb0 Author: Raymond Pang Date: Fri Mar 27 17:11:47 2020 +0800 PCI: Add ACS quirk for Zhaoxin multi-function devices commit 0325837c51cb7c9a5bd3e354ac0c0cda0667d50e upstream. Some Zhaoxin endpoints are implemented as multi-function devices without an ACS capability, but they actually don't support peer-to-peer transactions. Add ACS quirks to declare DMA isolation. Link: https://lore.kernel.org/r/20200327091148.5190-3-RaymondPang-oc@zhaoxin.com Signed-off-by: Raymond Pang Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit f7505d3113423a1b90c24aa3dea05f1b58be1d59 Author: Raymond Pang Date: Fri Mar 27 17:11:46 2020 +0800 PCI: Add Zhaoxin Vendor ID commit 3375590623e4a132b19a8740512f4deb95728933 upstream. Add Zhaoxin Vendor ID to pci_ids.h Link: https://lore.kernel.org/r/20200327091148.5190-2-RaymondPang-oc@zhaoxin.com Signed-off-by: Raymond Pang Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit c8962892b3b4b0239c0fe9e7c3be9590e91a3b47 Author: Kai-Heng Feng Date: Fri Dec 20 03:20:06 2019 +0800 PCI: Avoid ASMedia XHCI USB PME# from D0 defect commit 2880325bda8d53566dcb9725abc929eec871608e upstream. The ASMedia USB XHCI Controller claims to support generating PME# while in D0: 01:00.0 USB controller: ASMedia Technology Inc. Device 2142 (prog-if 30 [XHCI]) Subsystem: SUNIX Co., Ltd. Device 312b Capabilities: [78] Power Management version 3 Flags: PMEClk- DSI- D1- D2- AuxCurrent=55mA PME(D0+,D1-,D2-,D3hot-,D3cold-) Status: D0 NoSoftRst+ PME-Enable+ DSel=0 DScale=0 PME- However PME# only gets asserted when plugging USB 2.0 or USB 1.1 devices, but not for USB 3.0 devices. Remove PCI_PM_CAP_PME_D0 to avoid using PME under D0. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205919 Link: https://lore.kernel.org/r/20191219192006.16270-1-kai.heng.feng@canonical.com Signed-off-by: Kai-Heng Feng Signed-off-by: Bjorn Helgaas Signed-off-by: Greg Kroah-Hartman commit dcb0084c270eea89fb2775040bdd31d101fb344e Author: Zhu Yanjun Date: Wed Apr 8 14:51:52 2020 +0800 net/mlx5e: Get the latest values from counters in switchdev mode commit dcdf4ce0ff4ba206fc362e149c8ae81d6a2f849c upstream. In the switchdev mode, when running "cat /sys/class/net/NIC/statistics/tx_packets", the ppcnt register is accessed to get the latest values. But currently this command can not get the correct values from ppcnt. From firmware manual, before getting the 802_3 counters, the 802_3 data layout should be set to the ppcnt register. When the command "cat /sys/class/net/NIC/statistics/tx_packets" is run, before updating 802_3 data layout with ppcnt register, the monitor counters are tested. The test result will decide the 802_3 data layout is updated or not. Actually the monitor counters do not support to monitor rx/tx stats of 802_3 in switchdev mode. So the rx/tx counters change will not trigger monitor counters. So the 802_3 data layout will not be updated in ppcnt register. Finally this command can not get the latest values from ppcnt register with 802_3 data layout. Fixes: 5c7e8bbb0257 ("net/mlx5e: Use monitor counters for update stats") Signed-off-by: Zhu Yanjun Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 7058126738f3173afbe3b05daf3cc6589b77370e Author: Maxim Mikityanskiy Date: Tue Feb 11 16:02:35 2020 +0200 net/mlx5e: Don't trigger IRQ multiple times on XSK wakeup to avoid WQ overruns commit e7e0004abdd6f83ae4be5613b29ed396beff576c upstream. XSK wakeup function triggers NAPI by posting a NOP WQE to a special XSK ICOSQ. When the application floods the driver with wakeup requests by calling sendto() in a certain pattern that ends up in mlx5e_trigger_irq, the XSK ICOSQ may overflow. Multiple NOPs are not required and won't accelerate the process, so avoid posting a second NOP if there is one already on the way. This way we also avoid increasing the queue size (which might not help anyway). Fixes: db05815b36cb ("net/mlx5e: Add XSK zero-copy support") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 191e675bc9615e5f29874707c7d7080640a948be Author: Chuck Lever Date: Tue Mar 31 17:02:33 2020 -0400 svcrdma: Fix leak of svc_rdma_recv_ctxt objects commit 23cf1ee1f1869966b75518c59b5cbda4c6c92450 upstream. Utilize the xpo_release_rqst transport method to ensure that each rqstp's svc_rdma_recv_ctxt object is released even when the server cannot return a Reply for that rqstp. Without this fix, each RPC whose Reply cannot be sent leaks one svc_rdma_recv_ctxt. This is a 2.5KB structure, a 4KB DMA-mapped Receive buffer, and any pages that might be part of the Reply message. The leak is infrequent unless the network fabric is unreliable or Kerberos is in use, as GSS sequence window overruns, which result in connection loss, are more common on fast transports. Fixes: 3a88092ee319 ("svcrdma: Preserve Receive buffer until svc_rdma_sendto") Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 6e55153ab2e304a622d1a8f8bccb224b9c3ea22c Author: Chuck Lever Date: Mon Mar 30 14:27:37 2020 -0400 svcrdma: Fix trace point use-after-free race commit e28b4fc652c1830796a4d3e09565f30c20f9a2cf upstream. I hit this while testing nfsd-5.7 with kernel memory debugging enabled on my server: Mar 30 13:21:45 klimt kernel: BUG: unable to handle page fault for address: ffff8887e6c279a8 Mar 30 13:21:45 klimt kernel: #PF: supervisor read access in kernel mode Mar 30 13:21:45 klimt kernel: #PF: error_code(0x0000) - not-present page Mar 30 13:21:45 klimt kernel: PGD 3601067 P4D 3601067 PUD 87c519067 PMD 87c3e2067 PTE 800ffff8193d8060 Mar 30 13:21:45 klimt kernel: Oops: 0000 [#1] SMP DEBUG_PAGEALLOC PTI Mar 30 13:21:45 klimt kernel: CPU: 2 PID: 1933 Comm: nfsd Not tainted 5.6.0-rc6-00040-g881e87a3c6f9 #1591 Mar 30 13:21:45 klimt kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 Mar 30 13:21:45 klimt kernel: RIP: 0010:svc_rdma_post_chunk_ctxt+0xab/0x284 [rpcrdma] Mar 30 13:21:45 klimt kernel: Code: c1 83 34 02 00 00 29 d0 85 c0 7e 72 48 8b bb a0 02 00 00 48 8d 54 24 08 4c 89 e6 48 8b 07 48 8b 40 20 e8 5a 5c 2b e1 41 89 c6 <8b> 45 20 89 44 24 04 8b 05 02 e9 01 00 85 c0 7e 33 e9 5e 01 00 00 Mar 30 13:21:45 klimt kernel: RSP: 0018:ffffc90000dfbdd8 EFLAGS: 00010286 Mar 30 13:21:45 klimt kernel: RAX: 0000000000000000 RBX: ffff8887db8db400 RCX: 0000000000000030 Mar 30 13:21:45 klimt kernel: RDX: 0000000000000040 RSI: 0000000000000000 RDI: 0000000000000246 Mar 30 13:21:45 klimt kernel: RBP: ffff8887e6c27988 R08: 0000000000000000 R09: 0000000000000004 Mar 30 13:21:45 klimt kernel: R10: ffffc90000dfbdd8 R11: 00c068ef00000000 R12: ffff8887eb4e4a80 Mar 30 13:21:45 klimt kernel: R13: ffff8887db8db634 R14: 0000000000000000 R15: ffff8887fc931000 Mar 30 13:21:45 klimt kernel: FS: 0000000000000000(0000) GS:ffff88885bd00000(0000) knlGS:0000000000000000 Mar 30 13:21:45 klimt kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 CR3: 000000081b72e002 CR4: 00000000001606e0 Mar 30 13:21:45 klimt kernel: Call Trace: Mar 30 13:21:45 klimt kernel: ? svc_rdma_vec_to_sg+0x7f/0x7f [rpcrdma] Mar 30 13:21:45 klimt kernel: svc_rdma_send_write_chunk+0x59/0xce [rpcrdma] Mar 30 13:21:45 klimt kernel: svc_rdma_sendto+0xf9/0x3ae [rpcrdma] Mar 30 13:21:45 klimt kernel: ? nfsd_destroy+0x51/0x51 [nfsd] Mar 30 13:21:45 klimt kernel: svc_send+0x105/0x1e3 [sunrpc] Mar 30 13:21:45 klimt kernel: nfsd+0xf2/0x149 [nfsd] Mar 30 13:21:45 klimt kernel: kthread+0xf6/0xfb Mar 30 13:21:45 klimt kernel: ? kthread_queue_delayed_work+0x74/0x74 Mar 30 13:21:45 klimt kernel: ret_from_fork+0x3a/0x50 Mar 30 13:21:45 klimt kernel: Modules linked in: ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue ib_umad ib_ipoib mlx4_ib sb_edac x86_pkg_temp_thermal iTCO_wdt iTCO_vendor_support coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel glue_helper crypto_simd cryptd pcspkr rpcrdma i2c_i801 rdma_ucm lpc_ich mfd_core ib_iser rdma_cm iw_cm ib_cm mei_me raid0 libiscsi mei sg scsi_transport_iscsi ioatdma wmi ipmi_si ipmi_devintf ipmi_msghandler acpi_power_meter nfsd nfs_acl lockd auth_rpcgss grace sunrpc ip_tables xfs libcrc32c mlx4_en sd_mod sr_mod cdrom mlx4_core crc32c_intel igb nvme i2c_algo_bit ahci i2c_core libahci nvme_core dca libata t10_pi qedr dm_mirror dm_region_hash dm_log dm_mod dax qede qed crc8 ib_uverbs ib_core Mar 30 13:21:45 klimt kernel: CR2: ffff8887e6c279a8 Mar 30 13:21:45 klimt kernel: ---[ end trace 87971d2ad3429424 ]--- It's absolutely not safe to use resources pointed to by the @send_wr argument of ib_post_send() _after_ that function returns. Those resources are typically freed by the Send completion handler, which can run before ib_post_send() returns. Thus the trace points currently around ib_post_send() in the server's RPC/RDMA transport are a hazard, even when they are disabled. Rearrange them so that they touch the Work Request only _before_ ib_post_send() is invoked. Fixes: bd2abef33394 ("svcrdma: Trace key RDMA API events") Fixes: 4201c7464753 ("svcrdma: Introduce svc_rdma_send_ctxt") Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit 50f381e5568e24db5afd8d8a56f4d39e79c5e28b Author: Brian Foster Date: Sun Apr 12 13:11:10 2020 -0700 xfs: acquire superblock freeze protection on eofblocks scans commit 4b674b9ac852937af1f8c62f730c325fb6eadcdb upstream. The filesystem freeze sequence in XFS waits on any background eofblocks or cowblocks scans to complete before the filesystem is quiesced. At this point, the freezer has already stopped the transaction subsystem, however, which means a truncate or cowblock cancellation in progress is likely blocked in transaction allocation. This results in a deadlock between freeze and the associated scanner. Fix this problem by holding superblock write protection across calls into the block reapers. Since protection for background scans is acquired from the workqueue task context, trylock to avoid a similar deadlock between freeze and blocking on the write lock. Fixes: d6b636ebb1c9f ("xfs: halt auto-reclamation activities while rebuilding rmap") Reported-by: Paul Furtado Signed-off-by: Brian Foster Reviewed-by: Chandan Rajendra Reviewed-by: Christoph Hellwig Reviewed-by: Allison Collins Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Greg Kroah-Hartman commit acd9fe793f814b7450efc0bfc07aead684b40044 Author: Tuong Lien Date: Wed Apr 15 18:34:49 2020 +0700 tipc: fix incorrect increasing of link window commit edadedf1c5b4e4404192a0a4c3c0c05e3b7672ab upstream. In commit 16ad3f4022bb ("tipc: introduce variable window congestion control"), we allow link window to change with the congestion avoidance algorithm. However, there is a bug that during the slow-start if packet retransmission occurs, the link will enter the fast-recovery phase, set its window to the 'ssthresh' which is never less than 300, so the link window suddenly increases to that limit instead of decreasing. Consequently, two issues have been observed: - For broadcast-link: it can leave a gap between the link queues that a new packet will be inserted and sent before the previous ones, i.e. not in-order. - For unicast: the algorithm does not work as expected, the link window jumps to the slow-start threshold whereas packet retransmission occurs. This commit fixes the issues by avoiding such the link window increase, but still decreasing if the 'ssthresh' is lowered. Fixes: 16ad3f4022bb ("tipc: introduce variable window congestion control") Acked-by: Jon Maloy Signed-off-by: Tuong Lien Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ef5f2b52f65e5d9031b9cdd2e4daff7c174ae8f Author: Jason Gunthorpe Date: Tue Apr 14 12:27:08 2020 -0300 net/cxgb4: Check the return from t4_query_params properly commit c799fca8baf18d1bbbbad6c3b736eefbde8bdb90 upstream. Positive return values are also failures that don't set val, although this probably can't happen. Fixes gcc 10 warning: drivers/net/ethernet/chelsio/cxgb4/t4_hw.c: In function ‘t4_phy_fw_ver’: drivers/net/ethernet/chelsio/cxgb4/t4_hw.c:3747:14: warning: ‘val’ may be used uninitialized in this function [-Wmaybe-uninitialized] 3747 | *phy_fw_ver = val; Fixes: 01b6961410b7 ("cxgb4: Add PHY firmware support for T420-BT cards") Signed-off-by: Jason Gunthorpe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c9a6fec95586631510b33035678a4ce57c22ece Author: Ard Biesheuvel Date: Thu Apr 9 15:04:34 2020 +0200 efi/x86: Don't remap text<->rodata gap read-only for mixed mode commit f6103162008dfd37567f240b50e5e1ea7cf2e00c upstream. Commit d9e3d2c4f10320 ("efi/x86: Don't map the entire kernel text RW for mixed mode") updated the code that creates the 1:1 memory mapping to use read-only attributes for the 1:1 alias of the kernel's text and rodata sections, to protect it from inadvertent modification. However, it failed to take into account that the unused gap between text and rodata is given to the page allocator for general use. If the vmap'ed stack happens to be allocated from this region, any by-ref output arguments passed to EFI runtime services that are allocated on the stack (such as the 'datasize' argument taken by GetVariable() when invoked from efivar_entry_size()) will be referenced via a read-only mapping, resulting in a page fault if the EFI code tries to write to it: BUG: unable to handle page fault for address: 00000000386aae88 #PF: supervisor write access in kernel mode #PF: error_code(0x0003) - permissions violation PGD fd61063 P4D fd61063 PUD fd62063 PMD 386000e1 Oops: 0003 [#1] SMP PTI CPU: 2 PID: 255 Comm: systemd-sysv-ge Not tainted 5.6.0-rc4-default+ #22 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0008:0x3eaeed95 Code: ... <89> 03 be 05 00 00 80 a1 74 63 b1 3e 83 c0 48 e8 44 d2 ff ff eb 05 RSP: 0018:000000000fd73fa0 EFLAGS: 00010002 RAX: 0000000000000001 RBX: 00000000386aae88 RCX: 000000003e9f1120 RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000001 RBP: 000000000fd73fd8 R08: 00000000386aae88 R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc0f040220000 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f21160ac940(0000) GS:ffff9cf23d500000(0000) knlGS:0000000000000000 CS: 0008 DS: 0018 ES: 0018 CR0: 0000000080050033 CR2: 00000000386aae88 CR3: 000000000fd6c004 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: Modules linked in: CR2: 00000000386aae88 ---[ end trace a8bfbd202e712834 ]--- Let's fix this by remapping text and rodata individually, and leave the gaps mapped read-write. Fixes: d9e3d2c4f10320 ("efi/x86: Don't map the entire kernel text RW for mixed mode") Reported-by: Jiri Slaby Tested-by: Jiri Slaby Signed-off-by: Ard Biesheuvel Signed-off-by: Ingo Molnar Link: https://lore.kernel.org/r/20200409130434.6736-10-ardb@kernel.org Signed-off-by: Greg Kroah-Hartman commit 2648315067b0700c862bc2cbf4338aeccd385698 Author: Pablo Neira Ayuso Date: Tue Apr 7 14:10:38 2020 +0200 netfilter: nf_tables: reintroduce the NFT_SET_CONCAT flag commit ef516e8625ddea90b3a0313f3a0b0baa83db7ac2 upstream. Stefano originally proposed to introduce this flag, users hit EOPNOTSUPP in new binaries with old kernels when defining a set with ranges in a concatenation. Fixes: f3a2181e16f1 ("netfilter: nf_tables: Support for sets with multiple ranged fields") Reviewed-by: Stefano Brivio Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit 6865c1a8a169a28f53987cc13f1ec1572c685144 Author: David Howells Date: Mon Apr 13 13:57:14 2020 +0100 rxrpc: Fix DATA Tx to disable nofrag for UDP on AF_INET6 socket commit 0e631eee17dcea576ab922fa70e4fdbd596ee452 upstream. Fix the DATA packet transmission to disable nofrag for UDPv4 on an AF_INET6 socket as well as UDPv6 when trying to transmit fragmentably. Without this, packets filled to the normal size used by the kernel AFS client of 1412 bytes be rejected by udp_sendmsg() with EMSGSIZE immediately. The ->sk_error_report() notification hook is called, but rxrpc doesn't generate a trace for it. This is a temporary fix; a more permanent solution needs to involve changing the size of the packets being filled in accordance with the MTU, which isn't currently done in AF_RXRPC. The reason for not doing so was that, barring the last packet in an rx jumbo packet, jumbos can only be assembled out of 1412-byte packets - and the plan was to construct jumbos on the fly at transmission time. Also, there's no point turning on IPV6_MTU_DISCOVER, since IPv6 has to engage in this anyway since fragmentation is only done by the sender. We can then condense the switch-statement in rxrpc_send_data_packet(). Fixes: 75b54cb57ca3 ("rxrpc: Add IPv6 support") Signed-off-by: David Howells Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e99be292f041a022b99bd75a95f46bd016fc9c46 Author: Guenter Roeck Date: Wed Apr 8 20:37:30 2020 -0700 hwmon: (drivetemp) Return -ENODATA for invalid temperatures commit ed08ebb7124e90a99420bb913d602907d377d03d upstream. Holger Hoffstätte observed that Samsung 850 Pro may return invalid temperatures for a short period of time after resume. Return -ENODATA to userspace if this is observed. Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Reported-by: Holger Hoffstätte Cc: Holger Hoffstätte Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit f4025026992d374fbfbceaedb9ed23a6e8637931 Author: Arnd Bergmann Date: Wed Apr 8 20:53:51 2020 +0200 rtw88: avoid unused function warnings commit 7dc7c41607d192ff660ba4ea82d517745c1d7523 upstream. The rtw88 driver defines emtpy functions with multiple indirections but gets one of these wrong: drivers/net/wireless/realtek/rtw88/pci.c:1347:12: error: 'rtw_pci_resume' defined but not used [-Werror=unused-function] 1347 | static int rtw_pci_resume(struct device *dev) | ^~~~~~~~~~~~~~ drivers/net/wireless/realtek/rtw88/pci.c:1342:12: error: 'rtw_pci_suspend' defined but not used [-Werror=unused-function] 1342 | static int rtw_pci_suspend(struct device *dev) Better simplify it to rely on the conditional reference in SIMPLE_DEV_PM_OPS(), and mark the functions as __maybe_unused to avoid warning about it. I'm not sure if these are needed at all given that the functions don't do anything, but they were only recently added. Fixes: 44bc17f7f5b3 ("rtw88: support wowlan feature for 8822c") Signed-off-by: Arnd Bergmann Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200408185413.218643-1-arnd@arndb.de Signed-off-by: Greg Kroah-Hartman commit 3e3d0b243a859dcd1cabd2143b36637f025df501 Author: Arnd Bergmann Date: Wed Apr 8 17:53:43 2020 +0200 clk: asm9260: fix __clk_hw_register_fixed_rate_with_accuracy typo commit 924ed1f5c181132897c5928af7f3afd28792889c upstream. The __clk_hw_register_fixed_rate_with_accuracy() function (with two '_') does not exist, and apparently never did: drivers/clk/clk-asm9260.c: In function 'asm9260_acc_init': drivers/clk/clk-asm9260.c:279:7: error: implicit declaration of function '__clk_hw_register_fixed_rate_with_accuracy'; did you mean 'clk_hw_register_fixed_rate_with_accuracy'? [-Werror=implicit-function-declaration] 279 | hw = __clk_hw_register_fixed_rate_with_accuracy(NULL, NULL, pll_clk, | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | clk_hw_register_fixed_rate_with_accuracy drivers/clk/clk-asm9260.c:279:5: error: assignment to 'struct clk_hw *' from 'int' makes pointer from integer without a cast [-Werror=int-conversion] 279 | hw = __clk_hw_register_fixed_rate_with_accuracy(NULL, NULL, pll_clk, | ^ From what I can tell, __clk_hw_register_fixed_rate() is the correct API here, so use that instead. Fixes: 728e3096741a ("clk: asm9260: Use parent accuracy in fixed rate clk") Signed-off-by: Arnd Bergmann Link: https://lkml.kernel.org/r/20200408155402.2138446-1-arnd@arndb.de Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 9d183dc3c43964335dcc44021d26ed68c6eb7b23 Author: Ann T Ropea Date: Tue Apr 7 01:55:21 2020 +0200 hwmon: (drivetemp) Use drivetemp's true module name in Kconfig section commit 6bdf8f3efe867c5893e27431a555e41f54ed7f9a upstream. The addition of the support for reading the temperature of ATA drives as per commit 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") lists in the respective Kconfig section the name of the module to be optionally built as "satatemp". However, building the kernel modules with "CONFIG_SENSORS_DRIVETEMP=m", does not generate a file named "satatemp.ko". Instead, the rest of the original commit uses the term "drivetemp" and a file named "drivetemp.ko" ends up in the kernel's modules directory. This file has the right ingredients: $ strings /path/to/drivetemp.ko | grep ^description description=Hard drive temperature monitor and modprobing it produces the expected result: # drivetemp is not loaded $ sensors -u drivetemp-scsi-4-0 Specified sensor(s) not found! $ sudo modprobe drivetemp $ sensors -u drivetemp-scsi-4-0 drivetemp-scsi-4-0 Adapter: SCSI adapter temp1: temp1_input: 35.000 temp1_max: 60.000 temp1_min: 0.000 temp1_crit: 70.000 temp1_lcrit: -40.000 temp1_lowest: 20.000 temp1_highest: 36.000 Fix Kconfig by referring to the true name of the module. Fixes: 5b46903d8bf3 ("hwmon: Driver for disk and solid state drives with temperature sensors") Signed-off-by: Ann T Ropea Link: https://lore.kernel.org/r/20200406235521.185309-1-bedhanger@gmx.de Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit ae451d34d008db55ef7463ef7ffd3f6cce9808d2 Author: Wolfram Sang Date: Fri Mar 27 23:28:26 2020 +0100 i2c: altera: use proper variable to hold errno commit edb2c9dd3948738ef030c32b948543e84f4d3f81 upstream. device_property_read_u32() returns errno or 0, so we should use the integer variable 'ret' and not the u32 'val' to hold the retval. Fixes: 0560ad576268 ("i2c: altera: Add Altera I2C Controller driver") Signed-off-by: Wolfram Sang Reviewed-by: Thor Thayer Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit b0fe9e7c2520bdf14bde0f0c17d30f52d5cb24e4 Author: Rafał Miłecki Date: Fri Mar 27 14:03:07 2020 +0100 brcmfmac: add stub for monitor interface xmit commit 5bf8e6096c7390f8f2c4d5394b5e49823adb004e upstream. According to the struct net_device_ops documentation .ndo_start_xmit is "Required; cannot be NULL.". Missing it may crash kernel easily: [ 341.216709] Unable to handle kernel NULL pointer dereference at virtual address 00000000 [ 341.224836] pgd = 26088755 [ 341.227544] [00000000] *pgd=00000000 [ 341.231135] Internal error: Oops: 80000007 [#1] SMP ARM [ 341.236367] Modules linked in: pppoe ppp_async iptable_nat brcmfmac xt_state xt_nat xt_conntrack xt_REDIRECT xt_MASQU [ 341.304689] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.24 #0 [ 341.310621] Hardware name: BCM5301X [ 341.314116] PC is at 0x0 [ 341.316664] LR is at dev_hard_start_xmit+0x8c/0x11c [ 341.321546] pc : [<00000000>] lr : [] psr: 60000113 [ 341.327821] sp : c0801c30 ip : c610cf00 fp : c08048e4 [ 341.333051] r10: c073a63a r9 : c08044dc r8 : c6c04e00 [ 341.338283] r7 : 00000000 r6 : c60f5000 r5 : 00000000 r4 : c6a9c3c0 [ 341.344820] r3 : 00000000 r2 : bf25a13c r1 : c60f5000 r0 : c6a9c3c0 [ 341.351358] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment none [ 341.358504] Control: 10c5387d Table: 0611c04a DAC: 00000051 [ 341.364257] Process swapper/0 (pid: 0, stack limit = 0xc68ed0ca) [ 341.370271] Stack: (0xc0801c30 to 0xc0802000) [ 341.374633] 1c20: c6e7d480 c0802d00 c60f5050 c0801c6c [ 341.382825] 1c40: c60f5000 c6a9c3c0 c6f90000 c6f9005c c6c04e00 c60f5000 00000000 c6f9005c [ 341.391015] 1c60: 00000000 c04a033c 00f90200 00000010 c6a9c3c0 c6a9c3c0 c6f90000 00000000 [ 341.399205] 1c80: 00000000 00000000 00000000 c046a7ac c6f9005c 00000001 fffffff4 00000000 [ 341.407395] 1ca0: c6f90200 00000000 c60f5000 c0479550 00000000 c6f90200 c6a9c3c0 16000000 [ 341.415586] 1cc0: 0000001c 6f4ad52f c6197040 b6df9387 36000000 c0520404 c073a80c c6a9c3c0 [ 341.423777] 1ce0: 00000000 c6d643c0 c6a9c3c0 c0800024 00000001 00000001 c6d643c8 c6a9c3c0 [ 341.431967] 1d00: c081b9c0 c7abca80 c610c840 c081b9c0 0000001c 00400000 c6bc5e6c c0522fb4 [ 341.440157] 1d20: c6d64400 00000004 c6bc5e0a 00000000 c60f5000 c7abca80 c081b9c0 c0522f54 [ 341.448348] 1d40: c6a9c3c0 c7abca80 c0803e48 c0549c94 c610c828 0000000a c0801d74 00000003 [ 341.456538] 1d60: c6ec8f0a 00000000 c60f5000 c7abca80 c081b9c0 c0548520 0000000a 00000000 [ 341.464728] 1d80: 00000000 003a0000 00000000 00000000 00000000 00000000 00000000 00000000 [ 341.472919] 1da0: 000002ff 00000000 00000000 16000000 00000000 00000000 00000000 00000000 [ 341.481110] 1dc0: 00000000 0000008f 00000000 00000000 00000000 2d132a69 c6bc5e40 00000000 [ 341.489300] 1de0: c6bc5e40 c6a9c3c0 00000000 c6ec8e50 00000001 c054b070 00000001 00000000 [ 341.497490] 1e00: c0807200 c6bc5e00 00000000 ffffe000 00000100 c054aea4 00000000 00000000 [ 341.505681] 1e20: 00000122 00400000 c0802d00 c0172e80 6f56a70e ffffffff 6f56a70e c7eb9cc0 [ 341.513871] 1e40: c7eb82c0 00000000 c0801e60 c017309c 00000000 00000000 07780000 c07382c0 [ 341.522061] 1e60: 00000000 c7eb9cc0 c0739cc0 c0803f74 c0801e70 c0801e70 c0801ea4 c013d380 [ 341.530253] 1e80: 00000000 000000a0 00000001 c0802084 c0802080 40000001 ffffe000 00000100 [ 341.538443] 1ea0: c0802080 c01021e8 c8803100 10c5387d 00000000 c07341f0 c0739880 0000000a [ 341.546633] 1ec0: c0734180 00001017 c0802d00 c062aa98 00200002 c062aa60 c8803100 c073984c [ 341.554823] 1ee0: 00000000 00000001 00000000 c7810000 c8803100 10c5387d 00000000 c011c188 [ 341.563014] 1f00: c073984c c015f0f8 c0804244 c0815ae4 c880210c c8802100 c0801f40 c037c584 [ 341.571204] 1f20: c01035f8 60000013 ffffffff c0801f74 c080afd4 c0800000 10c5387d c0101a8c [ 341.579395] 1f40: 00000000 004ac9dc c7eba4b4 c010ee60 ffffe000 c0803e68 c0803ea8 00000001 [ 341.587587] 1f60: c080afd4 c062ca20 10c5387d 00000000 00000000 c0801f90 c01035f4 c01035f8 [ 341.595776] 1f80: 60000013 ffffffff 00000051 00000000 ffffe000 c013ff50 000000ce c0803e40 [ 341.603967] 1fa0: c082216c 00000000 00000001 c072ba38 10c5387d c0140214 c0822184 c0700df8 [ 341.612157] 1fc0: ffffffff ffffffff 00000000 c070058c c072ba38 2d162e71 00000000 c0700330 [ 341.620348] 1fe0: 00000051 10c0387d 000000ff 00a521d0 413fc090 00000000 00000000 00000000 [ 341.628558] [] (dev_hard_start_xmit) from [] (sch_direct_xmit+0xe4/0x2bc) [ 341.637106] [] (sch_direct_xmit) from [] (__dev_queue_xmit+0x6a4/0x72c) [ 341.645481] [] (__dev_queue_xmit) from [] (ip6_finish_output2+0x18c/0x434) [ 341.654112] [] (ip6_finish_output2) from [] (ip6_output+0x5c/0xd0) [ 341.662053] [] (ip6_output) from [] (mld_sendpack+0x1a0/0x1a8) [ 341.669640] [] (mld_sendpack) from [] (mld_ifc_timer_expire+0x1cc/0x2e4) [ 341.678111] [] (mld_ifc_timer_expire) from [] (call_timer_fn.constprop.3+0x24/0x98) [ 341.687527] [] (call_timer_fn.constprop.3) from [] (run_timer_softirq+0x1a8/0x1e4) [ 341.696860] [] (run_timer_softirq) from [] (__do_softirq+0x120/0x2b0) [ 341.705066] [] (__do_softirq) from [] (irq_exit+0x78/0x84) [ 341.712317] [] (irq_exit) from [] (__handle_domain_irq+0x60/0xb4) [ 341.720179] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90) [ 341.728549] [] (gic_handle_irq) from [] (__irq_svc+0x6c/0x90) Fixes: 20f2c5fa3af0 ("brcmfmac: add initial support for monitor mode") Signed-off-by: Rafał Miłecki Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200327130307.26477-1-zajec5@gmail.com Signed-off-by: Greg Kroah-Hartman commit 3bbd5b9cf3f03722d7d138916db43ab092435bd6 Author: Jann Horn Date: Fri Apr 17 02:00:06 2020 +0200 bpf: Forbid XADD on spilled pointers for unprivileged users commit 6e7e63cbb023976d828cdb22422606bf77baa8a9 upstream. When check_xadd() verifies an XADD operation on a pointer to a stack slot containing a spilled pointer, check_stack_read() verifies that the read, which is part of XADD, is valid. However, since the placeholder value -1 is passed as `value_regno`, check_stack_read() can only return a binary decision and can't return the type of the value that was read. The intent here is to verify whether the value read from the stack slot may be used as a SCALAR_VALUE; but since check_stack_read() doesn't check the type, and the type information is lost when check_stack_read() returns, this is not enforced, and a malicious user can abuse XADD to leak spilled kernel pointers. Fix it by letting check_stack_read() verify that the value is usable as a SCALAR_VALUE if no type information is passed to the caller. To be able to use __is_pointer_value() in check_stack_read(), move it up. Fix up the expected unprivileged error message for a BPF selftest that, until now, assumed that unprivileged users can use XADD on stack-spilled pointers. This also gives us a test for the behavior introduced in this patch for free. In theory, this could also be fixed by forbidding XADD on stack spills entirely, since XADD is a locked operation (for operations on memory with concurrency) and there can't be any concurrency on the BPF stack; but Alexei has said that he wants to keep XADD on stack slots working to avoid changes to the test suite [1]. The following BPF program demonstrates how to leak a BPF map pointer as an unprivileged user using this bug: // r7 = map_pointer BPF_LD_MAP_FD(BPF_REG_7, small_map), // r8 = launder(map_pointer) BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_7, -8), BPF_MOV64_IMM(BPF_REG_1, 0), ((struct bpf_insn) { .code = BPF_STX | BPF_DW | BPF_XADD, .dst_reg = BPF_REG_FP, .src_reg = BPF_REG_1, .off = -8 }), BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_FP, -8), // store r8 into map BPF_MOV64_REG(BPF_REG_ARG1, BPF_REG_7), BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP), BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -4), BPF_ST_MEM(BPF_W, BPF_REG_ARG2, 0, 0), BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN() [1] https://lore.kernel.org/bpf/20200416211116.qxqcza5vo2ddnkdq@ast-mbp.dhcp.thefacebook.com/ Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)") Signed-off-by: Jann Horn Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200417000007.10734-1-jannh@google.com Signed-off-by: Greg Kroah-Hartman commit 0970b33246ea116576479281ed98fe87aba3e5d5 Author: Aaro Koskinen Date: Wed Mar 25 23:21:49 2020 +0200 ARM: dts: OMAP3: disable RNG on N950/N9 commit 07bdc492cff6f555538df95e9812fe72e16d154a upstream. Like on N900, we cannot access RNG directly on N950/N9. Mark it disabled in the DTS to allow kernel to boot. Fixes: 308607e5545f ("ARM: dts: Configure omap3 rng") Signed-off-by: Aaro Koskinen Signed-off-by: Tony Lindgren Signed-off-by: Greg Kroah-Hartman commit e29e8c6ed0d988524621f770300854b0da1700d3 Author: Vasily Averin Date: Fri Mar 27 07:50:40 2020 +0300 nfsd: memory corruption in nfsd4_lock() commit e1e8399eee72e9d5246d4d1bcacd793debe34dd3 upstream. New struct nfsd4_blocked_lock allocated in find_or_allocate_block() does not initialized nbl_list and nbl_lru. If conflock allocation fails rollback can call list_del_init() access uninitialized fields and corrupt memory. v2: just initialize nbl_list and nbl_lru right after nbl allocation. Fixes: 76d348fadff5 ("nfsd: have nfsd4_lock use blocking locks for v4.1+ lock") Signed-off-by: Vasily Averin Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Greg Kroah-Hartman commit af4223354de5d09a4f79c7d755fb734fd2c9245c Author: Arnd Bergmann Date: Wed Apr 8 17:52:15 2020 +0200 drivers: soc: xilinx: fix firmware driver Kconfig dependency commit d0384eedcde21276ac51f57c641f875605024b32 upstream. The firmware driver is optional, but the power driver depends on it, which needs to be reflected in Kconfig to avoid link errors: aarch64-linux-ld: drivers/soc/xilinx/zynqmp_power.o: in function `zynqmp_pm_isr': zynqmp_power.c:(.text+0x284): undefined reference to `zynqmp_pm_invoke_fn' The firmware driver can probably be allowed for compile-testing as well, so it's best to drop the dependency on the ZYNQ platform here and allow building as long as the firmware code is built-in. Fixes: ab272643d723 ("drivers: soc: xilinx: Add ZynqMP PM driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20200408155224.2070880-1-arnd@arndb.de Signed-off-by: Michal Simek Signed-off-by: Greg Kroah-Hartman commit 291b46b4f0602b6a2b439bec713c6d73700c21cd Author: Shengjiu Wang Date: Tue Apr 21 19:28:45 2020 +0800 ASoC: wm8960: Fix wrong clock after suspend & resume commit 1e060a453c8604311fb45ae2f84f67ed673329b4 upstream. After suspend & resume, wm8960_hw_params may be called when bias_level is not SND_SOC_BIAS_ON, then wm8960_configure_clocking is not called. But if sample rate is changed at that time, then the output clock rate will be not correct. So judgement of bias_level is SND_SOC_BIAS_ON in wm8960_hw_params is not necessary and it causes above issue. Fixes: 3176bf2d7ccd ("ASoC: wm8960: update pll and clock setting function") Signed-off-by: Shengjiu Wang Acked-by: Charles Keepax Link: https://lore.kernel.org/r/1587468525-27514-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit bc8f4560a993c5aecd27b6004570fb8e4451117b Author: Jerome Brunet Date: Mon Apr 20 13:45:10 2020 +0200 ASoC: meson: axg-card: fix codec-to-codec link setup commit 1164284270779e1865cc2046a2a01b58a1e858a9 upstream. Since the addition of commit 9b5db059366a ("ASoC: soc-pcm: dpcm: Only allow playback/capture if supported"), meson-axg cards which have codec-to-codec links fail to init and Oops: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000128 Internal error: Oops: 96000044 [#1] PREEMPT SMP CPU: 3 PID: 1582 Comm: arecord Not tainted 5.7.0-rc1 pc : invalidate_paths_ep+0x30/0xe0 lr : snd_soc_dapm_dai_get_connected_widgets+0x170/0x1a8 Call trace: invalidate_paths_ep+0x30/0xe0 snd_soc_dapm_dai_get_connected_widgets+0x170/0x1a8 dpcm_path_get+0x38/0xd0 dpcm_fe_dai_open+0x70/0x920 snd_pcm_open_substream+0x564/0x840 snd_pcm_open+0xfc/0x228 snd_pcm_capture_open+0x4c/0x78 snd_open+0xac/0x1a8 ... While initiliazing the links, ASoC treats the codec-to-codec links of this card type as a DPCM backend. This error eventually leads to the Oops. Most of the card driver code is shared between DPCM backends and codec-to-codec links. The property "no_pcm" marking DCPM BE was left set on codec-to-codec links, leading to this problem. This commit fixes that. Fixes: 0a8f1117a680 ("ASoC: meson: axg-card: add basic codec-to-codec link support") Signed-off-by: Jerome Brunet Link: https://lore.kernel.org/r/20200420114511.450560-2-jbrunet@baylibre.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1d44d967775e5086b32faa9d408a43a7f3fb3b7f Author: Philipp Puschmann Date: Tue Apr 14 13:27:54 2020 +0200 ASoC: tas571x: disable regulators on failed probe commit 9df8ba7c63073508e5aa677dade48fcab6a6773e upstream. If probe fails after enabling the regulators regulator_put is called for each supply without having them disabled before. This produces some warnings like WARNING: CPU: 0 PID: 90 at drivers/regulator/core.c:2044 _regulator_put.part.0+0x154/0x15c [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [] (show_stack) from [] (__warn+0xd0/0xf4) [] (__warn) from [] (warn_slowpath_fmt+0x64/0xc4) [] (warn_slowpath_fmt) from [] (_regulator_put.part.0+0x154/0x15c) [] (_regulator_put.part.0) from [] (regulator_put+0x28/0x38) [] (regulator_put) from [] (regulator_bulk_free+0x28/0x38) [] (regulator_bulk_free) from [] (release_nodes+0x1d0/0x22c) [] (release_nodes) from [] (really_probe+0x108/0x34c) [] (really_probe) from [] (driver_probe_device+0xb8/0x16c) [] (driver_probe_device) from [] (device_driver_attach+0x58/0x60) [] (device_driver_attach) from [] (__driver_attach+0x58/0xcc) [] (__driver_attach) from [] (bus_for_each_dev+0x78/0xc0) [] (bus_for_each_dev) from [] (bus_add_driver+0x188/0x1e0) [] (bus_add_driver) from [] (driver_register+0x74/0x108) [] (driver_register) from [] (i2c_register_driver+0x3c/0x88) [] (i2c_register_driver) from [] (do_one_initcall+0x58/0x250) [] (do_one_initcall) from [] (do_init_module+0x60/0x244) [] (do_init_module) from [] (load_module+0x2180/0x2540) [] (load_module) from [] (sys_finit_module+0xd0/0xe8) [] (sys_finit_module) from [] (__sys_trace_return+0x0/0x20) Fixes: 3fd6e7d9a146 (ASoC: tas571x: New driver for TI TAS571x power amplifiers) Signed-off-by: Philipp Puschmann Link: https://lore.kernel.org/r/20200414112754.3365406-1-p.puschmann@pironex.de Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 04ec4ff84107c1cc160387864e390a11fe384fb9 Author: Krzysztof Kozlowski Date: Mon Apr 13 14:45:48 2020 +0200 ASoC: samsung: s3c24xx-i2s: Fix build after removal of DAI suspend/resume commit ec21bdc6dd16d74b3674ef1fd12ae8e4e7418603 upstream. Commit 450312b640f9 ("ASoC: soc-core: remove DAI suspend/resume") removed the DAI side suspend/resume hooks and switched entirely to component suspend/resume. However the Samsung SoC s3c-i2s-v2 driver was not updated. Move the suspend/resume hooks from s3c-i2s-v2.c to s3c2412-i2s.c while changing dai to component which allows to keep the struct snd_soc_component_driver const. This fixes build errors: sound/soc/samsung/s3c-i2s-v2.c: In function ‘s3c_i2sv2_register_component’: sound/soc/samsung/s3c-i2s-v2.c:730:9: error: ‘struct snd_soc_dai_driver’ has no member named ‘suspend’ dai_drv->suspend = s3c2412_i2s_suspend; Reported-by: Arnd Bergmann Fixes: 450312b640f9 ("ASoC: soc-core: remove DAI suspend/resume") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20200413124548.28197-1-krzk@kernel.org Signed-off-by: Mark Brown commit 413168615cb288749d5833ccf2b34290867e6fdb Author: Chris Rorvick Date: Fri Apr 17 09:45:58 2020 +0200 iwlwifi: actually check allocated conf_tlv pointer commit a176e114ace4cca7df0e34b4bd90c301cdc6d653 upstream. Commit 71bc0334a637 ("iwlwifi: check allocated pointer when allocating conf_tlvs") attempted to fix a typoe introduced by commit 17b809c9b22e ("iwlwifi: dbg: move debug data to a struct") but does not implement the check correctly. Fixes: 71bc0334a637 ("iwlwifi: check allocated pointer when allocating conf_tlvs") Tweeted-by: @grsecurity Signed-off-by: Chris Rorvick Signed-off-by: Sedat Dilek Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200417074558.12316-1-sedat.dilek@gmail.com Signed-off-by: Greg Kroah-Hartman commit 992f755d2468e19438bf81578ebc8bee48c4aff3 Author: Stephan Gerhold Date: Wed Apr 15 17:00:50 2020 +0200 ASoC: q6dsp6: q6afe-dai: add missing channels to MI2S DAIs commit 0c824ec094b5cda766c80d88c2036e28c24a4cb1 upstream. For some reason, the MI2S DAIs do not have channels_min/max defined. This means that snd_soc_dai_stream_valid() returns false, i.e. the DAIs have neither valid playback nor capture stream. It's quite surprising that this ever worked correctly, but in 5.7-rc1 this is now failing badly: :) Commit 0e9cf4c452ad ("ASoC: pcm: check if cpu-dai supports a given stream") introduced a check for snd_soc_dai_stream_valid() before calling hw_params(), which means that the q6i2s_hw_params() function was never called, eventually resulting in: qcom-q6afe aprsvc:q6afe:4:4: no line is assigned ... even though "qcom,sd-lines" is set in the device tree. Commit 9b5db059366a ("ASoC: soc-pcm: dpcm: Only allow playback/capture if supported") now even avoids creating PCM devices if the stream is not supported, which means that it is failing even earlier with e.g.: Primary MI2S: ASoC: no backend playback stream Avoid all that trouble by adding channels_min/max for the MI2S DAIs. Fixes: 24c4cbcfac09 ("ASoC: qdsp6: q6afe: Add q6afe dai driver") Signed-off-by: Stephan Gerhold Reviewed-by: Srinivas Kandagatla Cc: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200415150050.616392-1-stephan@gerhold.net Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 69675393dfb77a360d628bea8567cfc44032e87d Author: Philipp Rudo Date: Mon Apr 6 14:47:48 2020 +0200 s390/ftrace: fix potential crashes when switching tracers commit 8ebf6da9db1b2a20bb86cc1bee2552e894d03308 upstream. Switching tracers include instruction patching. To prevent that a instruction is patched while it's read the instruction patching is done in stop_machine 'context'. This also means that any function called during stop_machine must not be traced. Thus add 'notrace' to all functions called within stop_machine. Fixes: 1ec2772e0c3c ("s390/diag: add a statistic for diagnose calls") Fixes: 38f2c691a4b3 ("s390: improve wait logic of stop_machine") Fixes: 4ecf0a43e729 ("processor: get rid of cpu_relax_yield") Signed-off-by: Philipp Rudo Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 04f1f4e826e580232e76fc5b2774da89e3f9c5fe Author: Syed Nayyar Waris Date: Mon Mar 16 18:19:30 2020 +0530 counter: 104-quad-8: Add lock guards - generic interface commit fc069262261c43ed11d639dadcf982e79bfe652b upstream. Add lock protection from race conditions to 104-quad-8 counter driver generic interface code changes. Mutex calls used for protection. Fixes: f1d8a071d45b ("counter: 104-quad-8: Add Generic Counter interface support") Signed-off-by: Syed Nayyar Waris Signed-off-by: William Breathitt Gray Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit c35f275f666c768ca2c33d776a851d5bfbb44cfd Author: Al Viro Date: Mon Apr 27 10:26:22 2020 -0400 propagate_one(): mnt_set_mountpoint() needs mount_lock commit b0d3869ce9eeacbb1bbd541909beeef4126426d5 upstream. ... to protect the modification of mp->m_count done by it. Most of the places that modify that thing also have namespace_lock held, but not all of them can do so, so we really need mount_lock here. Kudos to Piotr Krysiuk , who'd spotted a related bug in pivot_root(2) (fixed unnoticed in 5.3); search for other similar turds has caught out this one. Cc: stable@kernel.org Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 80c212dbb298de5805e68fcdecfa877a159c9cc1 Author: Lorenzo Bianconi Date: Fri Mar 13 18:54:42 2020 +0100 iio: imu: st_lsm6dsx: specify slave odr in slv_odr commit 76551a3c3df151750a842b003c6899e9c62e0fd2 upstream. Introduce slv_odr in ext_info data structure in order to distinguish between sensor hub trigger (accel sensor) odr and i2c slave odr and properly compute samples in FIFO pattern Fixes: e485e2a2cfd6 ("iio: imu: st_lsm6dsx: enable sensor-hub support for lsm6dsm") Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit f01916c8c4562767bce63648426533dd36bf861d Author: Lorenzo Bianconi Date: Fri Mar 13 18:54:41 2020 +0100 iio: imu: st_lsm6dsx: fix read misalignment on untagged FIFO commit 7762902c89c4c78d32ec562f1ada44d02039104b upstream. st_lsm6dsx suffers of a read misalignment on untagged FIFO when all 3 supported sensors (accel, gyro and ext device) are running at different ODRs (the use-case is reported in the LSM6DSM Application Note at pag 100). Fix the issue taking into account decimation factor reading the FIFO pattern. Fixes: e485e2a2cfd6 ("iio: imu: st_lsm6dsx: enable sensor-hub support for lsm6dsm") Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit e64cec32a666b2937a8e80c5f717a9b5aa2df1fb Author: YueHaibing Date: Tue Mar 10 22:16:54 2020 +0800 iio:ad7797: Use correct attribute_group commit 28535877ac5b2b84f0d394fd67a5ec71c0c48b10 upstream. It should use ad7797_attribute_group in ad7797_info, according to commit ("iio:ad7793: Add support for the ad7796 and ad7797"). Scale is fixed for the ad7796 and not programmable, hence should not have the scale_available attribute. Fixes: fd1a8b912841 ("iio:ad7793: Add support for the ad7796 and ad7797") Signed-off-by: YueHaibing Reviewed-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 16a885f51358b734b2cf925a870a56768490bf63 Author: David Howells Date: Fri Apr 24 11:21:14 2020 +0100 afs: Fix to actually set AFS_SERVER_FL_HAVE_EPOCH commit 69cf3978f3ada4e54beae4ad44868b5627864884 upstream. AFS keeps track of the epoch value from the rxrpc protocol to note (a) when a fileserver appears to have restarted and (b) when different endpoints of a fileserver do not appear to be associated with the same fileserver (ie. all probes back from a fileserver from all of its interfaces should carry the same epoch). However, the AFS_SERVER_FL_HAVE_EPOCH flag that indicates that we've received the server's epoch is never set, though it is used. Fix this to set the flag when we first receive an epoch value from a probe sent to the filesystem client from the fileserver. Fixes: 3bf0fb6f33dd ("afs: Probe multiple fileservers simultaneously") Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 8da14df1ab1a8660b58ac257b6d53dee862031ba Author: David Howells Date: Thu Apr 16 18:17:13 2020 +0100 afs: Make record checking use TASK_UNINTERRUPTIBLE when appropriate commit c4bfda16d1b40d1c5941c61b5aa336bdd2d9904a upstream. When an operation is meant to be done uninterruptibly (such as FS.StoreData), we should not be allowing volume and server record checking to be interrupted. Fixes: d2ddc776a458 ("afs: Overhaul volume and server record caching and fileserver rotation") Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 28b572020d8422dc63a5d61df2bfb18fb23f0b56 Author: Cristian Birsan Date: Fri Apr 10 15:14:52 2020 +0300 usb: gadget: udc: atmel: Fix vbus disconnect handling commit 12b94da411f9c6d950beb067d913024fd5617a61 upstream. A DMA transfer can be in progress while vbus is lost due to a cable disconnect. For endpoints that use DMA, this condition can lead to peripheral hang. The patch ensures that endpoints are disabled before the clocks are stopped to prevent this issue. Fixes: a64ef71ddc13 ("usb: gadget: atmel_usba_udc: condition clocks to vbus state") Signed-off-by: Cristian Birsan Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 93935e0bc2ba26c3ec86bfaf5afe995c070b4205 Author: Nathan Chancellor Date: Sat Mar 28 18:12:46 2020 -0700 usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete commit 09b04abb70f096333bef6bc95fa600b662e7ee13 upstream. When building with Clang + -Wtautological-pointer-compare: drivers/usb/gadget/udc/bdc/bdc_ep.c:543:28: warning: comparison of address of 'req->queue' equal to a null pointer is always false [-Wtautological-pointer-compare] if (req == NULL || &req->queue == NULL || &req->usb_req == NULL) ~~~~~^~~~~ ~~~~ drivers/usb/gadget/udc/bdc/bdc_ep.c:543:51: warning: comparison of address of 'req->usb_req' equal to a null pointer is always false [-Wtautological-pointer-compare] if (req == NULL || &req->queue == NULL || &req->usb_req == NULL) ~~~~~^~~~~~~ ~~~~ 2 warnings generated. As it notes, these statements will always evaluate to false so remove them. Fixes: efed421a94e6 ("usb: gadget: Add UDC driver for Broadcom USB3.0 device controller IP BDC") Link: https://github.com/ClangBuiltLinux/linux/issues/749 Signed-off-by: Nathan Chancellor Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 03f852d8070fe6fc78ca912aa61140affca086dd Author: Masahiro Yamada Date: Tue Apr 21 12:35:28 2020 +0900 kbuild: fix DT binding schema rule again to avoid needless rebuilds commit 3d4b2238684ac919394eba7fb51bb7eeeec6ab57 upstream. Since commit 7a0496056064 ("kbuild: fix DT binding schema rule to detect command line changes"), this rule is every time re-run even if you change nothing. cmd_dtc takes one additional parameter to pass to the -O option of dtc. We need to pass 'yaml' to if_changed_rule. Otherwise, cmd-check invoked from if_changed_rule is false positive. Fixes: 7a0496056064 ("kbuild: fix DT binding schema rule to detect command line changes") Signed-off-by: Masahiro Yamada Signed-off-by: Greg Kroah-Hartman commit 9258c67c82dd52895fe45512eb7c286210fde7ab Author: Nicolas Saenz Julienne Date: Thu Mar 26 14:44:13 2020 +0100 ARM: dts: bcm283x: Add cells encoding format to firmware bus commit be08d278eb09210fefbad4c9b27d7843f1c096b2 upstream. With the introduction of 55c7c0621078 ("ARM: dts: bcm283x: Fix vc4's firmware bus DMA limitations") the firmware bus has to comply with /soc's DMA limitations. Ultimately linking both buses to a same dma-ranges property. The patch (and author) missed the fact that a bus' #address-cells and #size-cells properties are not inherited, but set to a fixed value which, in this case, doesn't match /soc's. This, although not breaking Linux's DMA mapping functionality, generates ugly dtc warnings. Fix the issue by adding the correct address and size cells properties under the firmware bus. Fixes: 55c7c0621078 ("ARM: dts: bcm283x: Fix vc4's firmware bus DMA limitations") Signed-off-by: Nicolas Saenz Julienne Link: https://lore.kernel.org/r/20200326134413.12298-1-nsaenzjulienne@suse.de Signed-off-by: Greg Kroah-Hartman commit 458c10b219f6902e7c3063ec26001395c9c7f6e0 Author: Thinh Nguyen Date: Fri Jan 31 16:25:50 2020 -0800 usb: dwc3: gadget: Do link recovery for SS and SSP commit d0550cd20e52558ecf6847a0f96ebd5d944c17e4 upstream. The controller always supports link recovery for device in SS and SSP. Remove the speed limit check. Also, when the device is in RESUME or RESET state, it means the controller received the resume/reset request. The driver must send the link recovery to acknowledge the request. They are valid states for the driver to send link recovery. Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") Fixes: ee5cd41c9117 ("usb: dwc3: Update speed checks for SuperSpeedPlus") Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 36750800a4b65fad016051a4c95bbe9e17985f70 Author: Olivier Moysan Date: Fri Apr 17 16:21:22 2020 +0200 ASoC: stm32: sai: fix sai probe commit e2bcb65782f91390952e849e21b82ed7cb05697f upstream. pcm config must be set before snd_dmaengine_pcm_register() call. Fixes: 0d6defc7e0e4 ("ASoC: stm32: sai: manage rebind issue") Signed-off-by: Olivier Moysan Link: https://lore.kernel.org/r/20200417142122.10212-1-olivier.moysan@st.com Signed-off-by: Mark Brown Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 3e295cf681d34198632578bd62a2538817264714 Author: Sergey Senozhatsky Date: Tue Mar 3 20:30:02 2020 +0900 printk: queue wake_up_klogd irq_work only if per-CPU areas are ready commit ab6f762f0f53162d41497708b33c9a3236d3609e upstream. printk_deferred(), similarly to printk_safe/printk_nmi, does not immediately attempt to print a new message on the consoles, avoiding calls into non-reentrant kernel paths, e.g. scheduler or timekeeping, which potentially can deadlock the system. Those printk() flavors, instead, rely on per-CPU flush irq_work to print messages from safer contexts. For same reasons (recursive scheduler or timekeeping calls) printk() uses per-CPU irq_work in order to wake up user space syslog/kmsg readers. However, only printk_safe/printk_nmi do make sure that per-CPU areas have been initialised and that it's safe to modify per-CPU irq_work. This means that, for instance, should printk_deferred() be invoked "too early", that is before per-CPU areas are initialised, printk_deferred() will perform illegal per-CPU access. Lech Perczak [0] reports that after commit 1b710b1b10ef ("char/random: silence a lockdep splat with printk()") user-space syslog/kmsg readers are not able to read new kernel messages. The reason is printk_deferred() being called too early (as was pointed out by Petr and John). Fix printk_deferred() and do not queue per-CPU irq_work before per-CPU areas are initialized. Link: https://lore.kernel.org/lkml/aa0732c6-5c4e-8a8b-a1c1-75ebe3dca05b@camlintechnologies.com/ Reported-by: Lech Perczak Signed-off-by: Sergey Senozhatsky Tested-by: Jann Horn Reviewed-by: Petr Mladek Cc: Greg Kroah-Hartman Cc: Theodore Ts'o Cc: John Ogness Signed-off-by: Linus Torvalds Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e127fd7943cd6f2f8b25a8025de856c4450f6dcf Author: Richard Weinberger Date: Sun Jan 19 22:52:33 2020 +0100 ubifs: Fix ubifs_tnc_lookup() usage in do_kill_orphans() commit 4ab25ac8b2b5514151d5f91cf9514df08dd26938 upstream. Orphans are allowed to point to deleted inodes. So -ENOENT is not a fatal error. Reported-by: Кочетков Максим Reported-and-tested-by: "Christian Berger" Tested-by: Karl Olsen Tested-by: Jef Driesen Fixes: ee1438ce5dc4 ("ubifs: Check link count of inodes when killing orphans.") Signed-off-by: Richard Weinberger Cc: Christian Eggers Signed-off-by: Greg Kroah-Hartman