commit 0c245c5fe93f0e9769de4a8b31f129b2759bf802 Author: Greg Kroah-Hartman Date: Wed Feb 3 23:28:52 2021 +0100 Linux 5.10.13 Tested-by: Pavel Machek (CIP) Tested-by: Jon Hunter Tested-by: Linux Kernel Functional Testing Tested-by: Shuah Khan Tested-by: Guenter Roeck Link: https://lore.kernel.org/r/20210202132957.692094111@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman commit 55d900415b81680bcd5f93be51f26ebfc51ac6fb Author: Alexander Popov Date: Mon Feb 1 11:47:19 2021 +0300 vsock: fix the race conditions in multi-transport support commit c518adafa39f37858697ac9309c6cf1805581446 upstream. There are multiple similar bugs implicitly introduced by the commit c0cfa2d8a788fcf4 ("vsock: add multi-transports support") and commit 6a2c0962105ae8ce ("vsock: prevent transport modules unloading"). The bug pattern: [1] vsock_sock.transport pointer is copied to a local variable, [2] lock_sock() is called, [3] the local variable is used. VSOCK multi-transport support introduced the race condition: vsock_sock.transport value may change between [1] and [2]. Let's copy vsock_sock.transport pointer to local variables after the lock_sock() call. Fixes: c0cfa2d8a788fcf4 ("vsock: add multi-transports support") Signed-off-by: Alexander Popov Reviewed-by: Stefano Garzarella Reviewed-by: Jorgen Hansen Link: https://lore.kernel.org/r/20210201084719.2257066-1-alex.popov@linux.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit a9cd144eb74505420ce73047bed2bd5dca572d50 Author: Pengcheng Yang Date: Sun Jan 24 13:07:14 2021 +0800 tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN commit 62d9f1a6945ba69c125e548e72a36d203b30596e upstream. Upon receiving a cumulative ACK that changes the congestion state from Disorder to Open, the TLP timer is not set. If the sender is app-limited, it can only wait for the RTO timer to expire and retransmit. The reason for this is that the TLP timer is set before the congestion state changes in tcp_ack(), so we delay the time point of calling tcp_set_xmit_timer() until after tcp_fastretrans_alert() returns and remove the FLAG_SET_XMIT_TIMER from ack_flag when the RACK reorder timer is set. This commit has two additional benefits: 1) Make sure to reset RTO according to RFC6298 when receiving ACK, to avoid spurious RTO caused by RTO timer early expires. 2) Reduce the xmit timer reschedule once per ACK when the RACK reorder timer is set. Fixes: df92c8394e6e ("tcp: fix xmit timer to only be reset if data ACKed/SACKed") Link: https://lore.kernel.org/netdev/1611311242-6675-1-git-send-email-yangpc@wangsu.com Signed-off-by: Pengcheng Yang Acked-by: Neal Cardwell Acked-by: Yuchung Cheng Cc: Eric Dumazet Link: https://lore.kernel.org/r/1611464834-23030-1-git-send-email-yangpc@wangsu.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 011c3d9427da318472d1e6f7de518cc288039927 Author: Enke Chen Date: Fri Jan 22 11:13:06 2021 -0800 tcp: make TCP_USER_TIMEOUT accurate for zero window probes commit 344db93ae3ee69fc137bd6ed89a8ff1bf5b0db08 upstream. The TCP_USER_TIMEOUT is checked by the 0-window probe timer. As the timer has backoff with a max interval of about two minutes, the actual timeout for TCP_USER_TIMEOUT can be off by up to two minutes. In this patch the TCP_USER_TIMEOUT is made more accurate by taking it into account when computing the timer value for the 0-window probes. This patch is similar to and builds on top of the one that made TCP_USER_TIMEOUT accurate for RTOs in commit b701a99e431d ("tcp: Add tcp_clamp_rto_to_user_timeout() helper to improve accuracy"). Fixes: 9721e709fa68 ("tcp: simplify window probe aborting on USER_TIMEOUT") Signed-off-by: Enke Chen Reviewed-by: Neal Cardwell Signed-off-by: Eric Dumazet Link: https://lore.kernel.org/r/20210122191306.GA99540@localhost.localdomain Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit bcc83b43e1edde77fba694a6e8ca21290f610fb6 Author: Ivan Vecera Date: Mon Jan 25 08:44:16 2021 +0100 team: protect features update by RCU to avoid deadlock commit f0947d0d21b219e03940b9be6628a43445c0de7a upstream. Function __team_compute_features() is protected by team->lock mutex when it is called from team_compute_features() used when features of an underlying device is changed. This causes a deadlock when NETDEV_FEAT_CHANGE notifier for underlying device is fired due to change propagated from team driver (e.g. MTU change). It's because callbacks like team_change_mtu() or team_vlan_rx_{add,del}_vid() protect their port list traversal by team->lock mutex. Example (r8169 case where this driver disables TSO for certain MTU values): ... [ 6391.348202] __mutex_lock.isra.6+0x2d0/0x4a0 [ 6391.358602] team_device_event+0x9d/0x160 [team] [ 6391.363756] notifier_call_chain+0x47/0x70 [ 6391.368329] netdev_update_features+0x56/0x60 [ 6391.373207] rtl8169_change_mtu+0x14/0x50 [r8169] [ 6391.378457] dev_set_mtu_ext+0xe1/0x1d0 [ 6391.387022] dev_set_mtu+0x52/0x90 [ 6391.390820] team_change_mtu+0x64/0xf0 [team] [ 6391.395683] dev_set_mtu_ext+0xe1/0x1d0 [ 6391.399963] do_setlink+0x231/0xf50 ... In fact team_compute_features() called from team_device_event() does not need to be protected by team->lock mutex and rcu_read_lock() is sufficient there for port list traversal. Fixes: 3d249d4ca7d0 ("net: introduce ethernet teaming device") Cc: Saeed Mahameed Signed-off-by: Ivan Vecera Reviewed-by: Cong Wang Reviewed-by: Jiri Pirko Link: https://lore.kernel.org/r/20210125074416.4056484-1-ivecera@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 01de4bc09d384aeed17d22483700563ea3e0735a Author: Enzo Matsumiya Date: Mon Jan 18 15:49:22 2021 -0300 scsi: qla2xxx: Fix description for parameter ql2xenforce_iocb_limit commit aa2c24e7f415e9c13635cee22ff4e15a80215551 upstream. Parameter ql2xenforce_iocb_limit is enabled by default. Link: https://lore.kernel.org/r/20210118184922.23793-1-ematsumiya@suse.de Fixes: 89c72f4245a8 ("scsi: qla2xxx: Add IOCB resource tracking") Reviewed-by: Daniel Wagner Reviewed-by: Himanshu Madhani Signed-off-by: Enzo Matsumiya Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 1e3a8d94dd6b7e7571c276aeaa89bf643905f079 Author: Dan Carpenter Date: Wed Jan 20 12:59:13 2021 +0300 ASoC: topology: Fix memory corruption in soc_tplg_denum_create_values() commit 543466ef3571069b8eb13a8ff7c7cfc8d8a75c43 upstream. The allocation uses sizeof(u32) when it should use sizeof(unsigned long) so it leads to memory corruption later in the function when the data is initialized. Fixes: 5aebe7c7f9c2 ("ASoC: topology: fix endianness issues") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/YAf+8QZoOv+ct526@mwanda Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 4a97f42a6690ea8b81c4b17bc422934dfd505821 Author: Amadeusz Sławiński Date: Wed Jan 20 16:28:42 2021 +0100 ASoC: topology: Properly unregister DAI on removal commit fc4cb1e15f0c66f2e37314349dc4a82bd946fbb1 upstream. DAIs need to be removed when topology unload function is called (usually done when component is being removed). We can't do this when device is being removed, as structures we operate on when removing DAI can already be freed. Fixes: 6ae4902f2f34 ("ASoC: soc-topology: use devm_snd_soc_register_dai()") Signed-off-by: Amadeusz Sławiński Tested-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210120152846.1703655-2-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 52a2895f122db866ae4a98767c97ec5f807cad0e Author: Tzung-Bi Shih Date: Wed Jan 20 17:22:36 2021 +0800 ASoC: mediatek: mt8183-mt6358: ignore TDM DAI link by default commit 5ac154443e686b06242aa49de30a12b74ea9ca98 upstream. hdmi-codec is an optional property. Ignore to bind TDM DAI link if the property isn't specified. Fixes: f2024dc55fcb ("ASoC: mediatek: mt8183: use hdmi-codec") Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20210120092237.1553938-2-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 8cd91442d9a25195c7d72574ae3203d959707f7b Author: Tzung-Bi Shih Date: Wed Jan 20 17:22:37 2021 +0800 ASoC: mediatek: mt8183-da7219: ignore TDM DAI link by default commit 4d36ed8eb0f749c9e781e0d3b041a7adeedcdaa9 upstream. hdmi-codec is an optional property. Ignore to bind TDM DAI link if the property isn't specified. Fixes: 5bdbe9771177 ("ASoC: mediatek: mt8183-da7219: use hdmi-codec") Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20210120092237.1553938-3-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 5a48918811c82aa9693b216bd3065aa0762ed222 Author: Pan Bian Date: Thu Jan 21 07:37:45 2021 -0800 NFC: fix possible resource leak commit d8f923c3ab96dbbb4e3c22d1afc1dc1d3b195cd8 upstream. Put the device to avoid resource leak on path that the polling flag is invalid. Fixes: a831b9132065 ("NFC: Do not return EBUSY when stopping a poll that's already stopped") Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/20210121153745.122184-1-bianpan2016@163.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit e10a1aad5f7cc969a78424c8b28cafdbb9299c8f Author: Pan Bian Date: Thu Jan 21 07:27:48 2021 -0800 NFC: fix resource leak when target index is invalid commit 3a30537cee233fb7da302491b28c832247d89bbe upstream. Goto to the label put_dev instead of the label error to fix potential resource leak on path that the target index is invalid. Fixes: c4fbb6515a4d ("NFC: The core part should generate the target index") Signed-off-by: Pan Bian Link: https://lore.kernel.org/r/20210121152748.98409-1-bianpan2016@163.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 2e83a57a23a6c08308baebec660d1fdd82b3a4ea Author: Takeshi Misawa Date: Thu Jan 28 10:48:36 2021 +0000 rxrpc: Fix memory leak in rxrpc_lookup_local commit b8323f7288abd71794cd7b11a4c0a38b8637c8b5 upstream. Commit 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") Then release ref in __rxrpc_put_peer and rxrpc_put_peer_locked. struct rxrpc_peer *rxrpc_alloc_peer(struct rxrpc_local *local, gfp_t gfp) - peer->local = local; + peer->local = rxrpc_get_local(local); rxrpc_discard_prealloc also need ref release in discarding. syzbot report: BUG: memory leak unreferenced object 0xffff8881080ddc00 (size 256): comm "syz-executor339", pid 8462, jiffies 4294942238 (age 12.350s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 0a 00 00 00 00 c0 00 08 81 88 ff ff ................ backtrace: [<000000002b6e495f>] kmalloc include/linux/slab.h:552 [inline] [<000000002b6e495f>] kzalloc include/linux/slab.h:682 [inline] [<000000002b6e495f>] rxrpc_alloc_local net/rxrpc/local_object.c:79 [inline] [<000000002b6e495f>] rxrpc_lookup_local+0x1c1/0x760 net/rxrpc/local_object.c:244 [<000000006b43a77b>] rxrpc_bind+0x174/0x240 net/rxrpc/af_rxrpc.c:149 [<00000000fd447a55>] afs_open_socket+0xdb/0x200 fs/afs/rxrpc.c:64 [<000000007fd8867c>] afs_net_init+0x2b4/0x340 fs/afs/main.c:126 [<0000000063d80ec1>] ops_init+0x4e/0x190 net/core/net_namespace.c:152 [<00000000073c5efa>] setup_net+0xde/0x2d0 net/core/net_namespace.c:342 [<00000000a6744d5b>] copy_net_ns+0x19f/0x3e0 net/core/net_namespace.c:483 [<0000000017d3aec3>] create_new_namespaces+0x199/0x4f0 kernel/nsproxy.c:110 [<00000000186271ef>] unshare_nsproxy_namespaces+0x9b/0x120 kernel/nsproxy.c:226 [<000000002de7bac4>] ksys_unshare+0x2fe/0x5c0 kernel/fork.c:2957 [<00000000349b12ba>] __do_sys_unshare kernel/fork.c:3025 [inline] [<00000000349b12ba>] __se_sys_unshare kernel/fork.c:3023 [inline] [<00000000349b12ba>] __x64_sys_unshare+0x12/0x20 kernel/fork.c:3023 [<000000006d178ef7>] do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 [<00000000637076d4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 9ebeddef58c4 ("rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record") Signed-off-by: Takeshi Misawa Reported-and-tested-by: syzbot+305326672fed51b205f7@syzkaller.appspotmail.com Signed-off-by: David Howells Link: https://lore.kernel.org/r/161183091692.3506637.3206605651502458810.stgit@warthog.procyon.org.uk Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 99bacbcd5621375be617d5166886785ff45a002b Author: Danielle Ratson Date: Thu Jan 28 16:48:19 2021 +0200 selftests: forwarding: Specify interface when invoking mausezahn [ Upstream commit 11df27f7fdf02cc2bb354358ad482e1fdd690589 ] Specify the interface through which packets should be transmitted so that the test will pass regardless of the libnet version against which mausezahn is linked. Fixes: cab14d1087d9 ("selftests: Add version of router_multipath.sh using nexthop objects") Fixes: 3d578d879517 ("selftests: forwarding: Test IPv4 weighted nexthops") Signed-off-by: Danielle Ratson Signed-off-by: Ido Schimmel Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit c9e668a196db3a286263c09ef420cec740686e4b Author: Daniel Wagner Date: Wed Jan 27 11:30:33 2021 +0100 nvme-multipath: Early exit if no path is available [ Upstream commit d1bcf006a9d3d63c1bcb65a993cb13756954cd9c ] nvme_round_robin_path() should test if the return ns pointer is valid. nvme_next_ns() will return a NULL pointer if there is no path left. Fixes: 75c10e732724 ("nvme-multipath: round-robin I/O policy") Signed-off-by: Daniel Wagner Reviewed-by: Hannes Reinecke Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit cf7ed01e02c02fc696566509096073894b2fe24f Author: Lu Baolu Date: Tue Jan 19 12:35:00 2021 +0800 iommu/vt-d: Correctly check addr alignment in qi_flush_dev_iotlb_pasid() [ Upstream commit 494b3688bb11a21af12e92a344a1313486693d47 ] An incorrect address mask is being used in the qi_flush_dev_iotlb_pasid() to check the address alignment. This leads to a lot of spurious kernel warnings: [ 485.837093] DMAR: Invalidate non-aligned address 7f76f47f9000, order 0 [ 485.837098] DMAR: Invalidate non-aligned address 7f76f47f9000, order 0 [ 492.494145] qi_flush_dev_iotlb_pasid: 5734 callbacks suppressed [ 492.494147] DMAR: Invalidate non-aligned address 7f7728800000, order 11 [ 492.508965] DMAR: Invalidate non-aligned address 7f7728800000, order 11 Fix it by checking the alignment in right way. Fixes: 288d08e780088 ("iommu/vt-d: Handle non-page aligned address") Reported-and-tested-by: Guo Kaijie Signed-off-by: Lu Baolu Cc: Liu Yi L Link: https://lore.kernel.org/r/20210119043500.1539596-1-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 974b6289e8dac1cdd700c73b555a54cade760feb Author: Suravee Suthikulpanit Date: Wed Jan 20 07:50:02 2021 -0600 iommu/amd: Use IVHD EFR for early initialization of IOMMU features [ Upstream commit a44092e326d403c7878018ba532369f84d31dbfa ] IOMMU Extended Feature Register (EFR) is used to communicate the supported features for each IOMMU to the IOMMU driver. This is normally read from the PCI MMIO register offset 0x30, and used by the iommu_feature() helper function. However, there are certain scenarios where the information is needed prior to PCI initialization, and the iommu_feature() function is used prematurely w/o warning. This has caused incorrect initialization of IOMMU. This is the case for the commit 6d39bdee238f ("iommu/amd: Enforce 4k mapping for certain IOMMU data structures") Since, the EFR is also available in the IVHD header, and is available to the driver prior to PCI initialization. Therefore, default to using the IVHD EFR instead. Fixes: 6d39bdee238f ("iommu/amd: Enforce 4k mapping for certain IOMMU data structures") Signed-off-by: Suravee Suthikulpanit Tested-by: Brijesh Singh Reviewed-by: Robert Richter Link: https://lore.kernel.org/r/20210120135002.2682-1-suravee.suthikulpanit@amd.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 57e2393f5de0368b2e89a69d39cc9c3f1e1043cd Author: Yong Wu Date: Tue Jan 19 18:52:03 2021 +0800 of/device: Update dma_range_map only when dev has valid dma-ranges [ Upstream commit 89c7cb1608ac3c7ecc19436469f35ed12da97e1d ] The commit e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset") always update dma_range_map even though it was already set, like in the sunxi_mbus driver. the issue is reported at [1]. This patch avoid this(Updating it only when dev has valid dma-ranges). Meanwhile, dma_range_map contains the devices' dma_ranges information, This patch moves dma_range_map before of_iommu_configure. The iommu driver may need to know the dma_address requirements of its iommu consumer devices. [1] https://lore.kernel.org/linux-arm-kernel/5c7946f3-b56e-da00-a750-be097c7ceb32@arm.com/ CC: Frank Rowand Fixes: e0d072782c73 ("dma-mapping: introduce DMA range map, supplanting dma_pfn_offset"), Suggested-by: Robin Murphy Signed-off-by: Yong Wu Signed-off-by: Paul Kocialkowski Reviewed-by: Rob Herring Reviewed-by: Robin Murphy Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20210119105203.15530-1-yong.wu@mediatek.com Signed-off-by: Sasha Levin commit aa8604fe63d1441eb49ead16d7e87ee03e4b1ece Author: Moritz Fischer Date: Thu Jan 21 17:24:19 2021 -0800 ACPI/IORT: Do not blindly trust DMA masks from firmware [ Upstream commit a1df829ead5877d4a1061e976a50e2e665a16f24 ] Address issue observed on real world system with suboptimal IORT table where DMA masks of PCI devices would get set to 0 as result. iort_dma_setup() would query the root complex'/named component IORT entry for a DMA mask, and use that over the one the device has been configured with earlier. Ideally we want to use the minimum mask of what the IORT contains for the root complex and what the device was configured with. Fixes: 5ac65e8c8941 ("ACPI/IORT: Support address size limit for root complexes") Signed-off-by: Moritz Fischer Reviewed-by: Robin Murphy Acked-by: Lorenzo Pieralisi Link: https://lore.kernel.org/r/20210122012419.95010-1-mdf@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit f3d8e20e11ae6979c3234bfeb0973aa87b5f034e Author: Dan Carpenter Date: Thu Jan 21 09:08:05 2021 +0300 can: dev: prevent potential information leak in can_fill_info() [ Upstream commit b552766c872f5b0d90323b24e4c9e8fa67486dd5 ] The "bec" struct isn't necessarily always initialized. For example, the mcp251xfd_get_berr_counter() function doesn't initialize anything if the interface is down. Fixes: 52c793f24054 ("can: netlink support for bus-error reporting and counters") Link: https://lore.kernel.org/r/YAkaRdRJncsJO8Ve@mwanda Signed-off-by: Dan Carpenter Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 17dbec01beb9fc5cb96cf44f5d07d558a350aced Author: Paul Blakey Date: Mon Jan 25 17:31:26 2021 +0200 net/mlx5: CT: Fix incorrect removal of tuple_nat_node from nat rhashtable [ Upstream commit e2194a1744e8594e82a861687808c1adca419b85 ] If a non nat tuple entry is inserted just to the regular tuples rhashtable (ct_tuples_ht) and not to natted tuples rhashtable (ct_nat_tuples_ht). Commit bc562be9674b ("net/mlx5e: CT: Save ct entries tuples in hashtables") mixed up the return labels and names sot that on cleanup or failure we still try to remove for the natted tuples rhashtable. Fix that by correctly checking if a natted tuples insertion before removing it. While here make it more readable. Fixes: bc562be9674b ("net/mlx5e: CT: Save ct entries tuples in hashtables") Reviewed-by: Roi Dayan Signed-off-by: Paul Blakey Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit f5430661f2f718e36181e47e4b15654b615d9d39 Author: Maxim Mikityanskiy Date: Fri Dec 11 16:05:01 2020 +0200 net/mlx5e: Revert parameters on errors when changing MTU and LRO state without reset [ Upstream commit 8355060f5ec381abda77659f91f56302203df535 ] Sometimes, channel params are changed without recreating the channels. It happens in two basic cases: when the channels are closed, and when the parameter being changed doesn't affect how channels are configured. Such changes invoke a hardware command that might fail. The whole operation should be reverted in such cases, but the code that restores the parameters' values in the driver was missing. This commit adds this handling. Fixes: 2e20a151205b ("net/mlx5e: Fail safe mtu and lro setting") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit f24b493eba502547cabd246d119dcc664464ae65 Author: Maxim Mikityanskiy Date: Thu Jan 14 12:34:01 2021 +0200 net/mlx5e: Revert parameters on errors when changing trust state without reset [ Upstream commit 912c9b5fcca1ab65b806c19dd3b3cb12d73c6fe2 ] Trust state may be changed without recreating the channels. It happens when the channels are closed, and when channel parameters (min inline mode) stay the same after changing the trust state. Changing the trust state is a hardware command that may fail. The current code didn't restore the channel parameters to their old values if an error happened and the channels were closed. This commit adds handling for this case. Fixes: 6e0504c69811 ("net/mlx5e: Change inline mode correctly when changing trust state") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 890f413ae5241baaf8176d63c2078d8462b2876c Author: Maxim Mikityanskiy Date: Fri Dec 11 12:56:56 2020 +0200 net/mlx5e: Correctly handle changing the number of queues when the interface is down [ Upstream commit 57ac4a31c48377a3e675b2a731ceacbefefcd34d ] This commit addresses two issues related to changing the number of queues when the channels are closed: 1. Missing call to mlx5e_num_channels_changed to update real_num_tx_queues when the number of TCs is changed. 2. When mlx5e_num_channels_changed returns an error, the channel parameters must be reverted. Two Fixes: tags correspond to the first commits where these two issues were introduced. Fixes: 3909a12e7913 ("net/mlx5e: Fix configuration of XPS cpumasks and netdev queues in corner cases") Fixes: fa3748775b92 ("net/mlx5e: Handle errors from netif_set_real_num_{tx,rx}_queues") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit e1e71f1eb74c388f7f66ac4320657692726d98ae Author: Paul Blakey Date: Thu Jan 21 10:06:45 2021 +0200 net/mlx5e: Fix CT rule + encap slow path offload and deletion [ Upstream commit 89e394675818bde8e30e135611c506455fa03fb7 ] Currently, if a neighbour isn't valid when offloading tunnel encap rules, we offload the original match and replace the original action with "goto slow path" action. For this we use a temporary flow attribute based on the original flow attribute and then change the action. Flow flags, which among those is the CT flag, are still shared for the slow path rule offload, so we end up parsing this flow as a CT + goto slow path rule. Besides being unnecessary, CT action offload saves extra information in the passed flow attribute, such as created ct_flow and mod_hdr, which is lost onces the temporary flow attribute is freed. When a neigh is updated and is valid, we offload the original CT rule with original CT action, which again creates a ct_flow and mod_hdr and saves it in the flow's original attribute. Then we delete the slow path rule with a temporary flow attribute based on original updated flow attribute, and we free the relevant ct_flow and mod_hdr. Then when tc deletes this flow, we try to free the ct_flow and mod_hdr on the flow's attribute again. To fix the issue, skip all furture proccesing (CT/Sample/Split rules) in offload/unoffload of slow path rules. Call trace: [ 758.850525] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000218 [ 758.952987] Internal error: Oops: 96000005 [#1] PREEMPT SMP [ 758.964170] Modules linked in: act_csum(E) act_pedit(E) act_tunnel_key(E) act_ct(E) nf_flow_table(E) xt_nat(E) ip6table_filter(E) ip6table_nat(E) xt_comment(E) ip6_tables(E) xt_conntrack(E) xt_MASQUERADE(E) nf_conntrack_netlink(E) xt_addrtype(E) iptable_filter(E) iptable_nat(E) bpfilter(E) br_netfilter(E) bridge(E) stp(E) llc(E) xfrm_user(E) overlay(E) act_mirred(E) act_skbedit(E) rdma_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_umad(OE) esp6_offload(E) esp6(E) esp4_offload(E) esp4(E) xfrm_algo(E) mlx5_ib(OE) ib_uverbs(OE) geneve(E) ip6_udp_tunnel(E) udp_tunnel(E) nfnetlink_cttimeout(E) nfnetlink(E) mlx5_core(OE) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_conncount(E) nf_nat(E) mlxfw(OE) psample(E) nf_conntrack(E) nf_defrag_ipv4(E) vfio_mdev(E) mdev(E) ib_core(OE) mlx_compat(OE) crct10dif_ce(E) uio_pdrv_genirq(E) uio(E) i2c_mlx(E) mlxbf_pmc(E) sbsa_gwdt(E) mlxbf_gige(E) gpio_mlxbf2(E) mlxbf_pka(E) mlx_trio(E) mlx_bootctl(E) bluefield_edac(E) knem(O) [ 758.964225] ip_tables(E) mlxbf_tmfifo(E) ipv6(E) crc_ccitt(E) nf_defrag_ipv6(E) [ 759.154186] CPU: 5 PID: 122 Comm: kworker/u16:1 Tainted: G OE 5.4.60-mlnx.52.gde81e85 #1 [ 759.172870] Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.5.0-2-gc1b5d64 Jan 4 2021 [ 759.195466] Workqueue: mlx5e mlx5e_rep_neigh_update [mlx5_core] [ 759.207344] pstate: a0000005 (NzCv daif -PAN -UAO) [ 759.217003] pc : mlx5_del_flow_rules+0x5c/0x160 [mlx5_core] [ 759.228229] lr : mlx5_del_flow_rules+0x34/0x160 [mlx5_core] [ 759.405858] Call trace: [ 759.410804] mlx5_del_flow_rules+0x5c/0x160 [mlx5_core] [ 759.421337] __mlx5_eswitch_del_rule.isra.43+0x5c/0x1c8 [mlx5_core] [ 759.433963] mlx5_eswitch_del_offloaded_rule_ct+0x34/0x40 [mlx5_core] [ 759.446942] mlx5_tc_rule_delete_ct+0x68/0x74 [mlx5_core] [ 759.457821] mlx5_tc_ct_delete_flow+0x160/0x21c [mlx5_core] [ 759.469051] mlx5e_tc_unoffload_fdb_rules+0x158/0x168 [mlx5_core] [ 759.481325] mlx5e_tc_encap_flows_del+0x140/0x26c [mlx5_core] [ 759.492901] mlx5e_rep_update_flows+0x11c/0x1ec [mlx5_core] [ 759.504127] mlx5e_rep_neigh_update+0x160/0x200 [mlx5_core] [ 759.515314] process_one_work+0x178/0x400 [ 759.523350] worker_thread+0x58/0x3e8 [ 759.530685] kthread+0x100/0x12c [ 759.537152] ret_from_fork+0x10/0x18 [ 759.544320] Code: 97ffef55 51000673 3100067f 54ffff41 (b9421ab3) [ 759.556548] ---[ end trace fab818bb1085832d ]--- Fixes: 4c3844d9e97e ("net/mlx5e: CT: Introduce connection tracking") Signed-off-by: Paul Blakey Reviewed-by: Roi Dayan Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit bf1864854ab24c207008c64431e738dc07a1f6c1 Author: Maor Dickman Date: Sun Jan 24 17:21:25 2021 +0200 net/mlx5e: Disable hw-tc-offload when MLX5_CLS_ACT config is disabled [ Upstream commit 156878d0e697187c7d207ee6c22afe50b7f3678c ] The cited commit introduce new CONFIG_MLX5_CLS_ACT kconfig variable to control compilation of TC hardware offloads implementation. When this configuration is disabled the driver is still wrongly reports in ethtool that hw-tc-offload is supported. Fixed by reporting hw-tc-offload is supported only when CONFIG_MLX5_CLS_ACT is enabled. Fixes: d956873f908c ("net/mlx5e: Introduce kconfig var for TC support") Signed-off-by: Maor Dickman Reviewed-by: Vlad Buslov Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 1a06120d6ff292e2ed09bc1867737fd566fbc3d9 Author: Daniel Jurgens Date: Fri Jan 22 23:13:53 2021 +0200 net/mlx5: Maintain separate page trees for ECPF and PF functions [ Upstream commit 0aa128475d33d2d0095947eeab6b3e4d22dbd578 ] Pages for the host PF and ECPF were stored in the same tree, so the ECPF pages were being freed along with the host PF's when the host driver unloaded. Combine the function ID and ECPF flag to use as an index into the x-array containing the trees to get a different tree for the host PF and ECPF. Fixes: c6168161f693 ("net/mlx5: Add support for release all pages event") Signed-off-by: Daniel Jurgens Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 034bd75f619f28f727f6555933bef7e0910b1ca8 Author: Maor Dickman Date: Tue Jan 19 17:21:38 2021 +0200 net/mlx5e: Reduce tc unsupported key print level [ Upstream commit 48470a90a42a64dd2f70743a149894a292b356e0 ] "Unsupported key used:" appears in kernel log when flows with unsupported key are used, arp fields for example. OpenVSwitch was changed to match on arp fields by default that caused this warning to appear in kernel log for every arp rule, which can be a lot. Fix by lowering print level from warning to debug. Fixes: e3a2b7ed018e ("net/mlx5e: Support offload cls_flower with drop action") Signed-off-by: Maor Dickman Reviewed-by: Roi Dayan Reviewed-by: Saeed Mahameed Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit a1b500010f097172f5a4d3a878a1fa6dec27d541 Author: Pan Bian Date: Wed Jan 20 20:58:30 2021 -0800 net/mlx5e: free page before return [ Upstream commit 258ed19f075fbc834fe5d69d8b54983fc11e0d4a ] Instead of directly return, goto the error handling label to free allocated page. Fixes: 5f29458b77d5 ("net/mlx5e: Support dump callback in TX reporter") Signed-off-by: Pan Bian Reviewed-by: Leon Romanovsky Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 2778913fb080dec00a244faacd2be3f5e7a1e83c Author: Parav Pandit Date: Tue Jan 12 16:13:22 2021 +0200 net/mlx5e: E-switch, Fix rate calculation for overflow [ Upstream commit 1fe3e3166b35240615ab7f8276af2bbf2e51f559 ] rate_bytes_ps is a 64-bit field. It passed as 32-bit field to apply_police_params(). Due to this when police rate is higher than 4Gbps, 32-bit calculation ignores the carry. This results in incorrect rate configurationn the device. Fix it by performing 64-bit calculation. Fixes: fcb64c0f5640 ("net/mlx5: E-Switch, add ingress rate support") Signed-off-by: Parav Pandit Reviewed-by: Eli Cohen Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit d62665cac6038ffcde794afeed4c1992c690afd6 Author: Roi Dayan Date: Tue Jan 12 14:04:29 2021 +0200 net/mlx5: Fix memory leak on flow table creation error flow [ Upstream commit 487c6ef81eb98d0a43cb08be91b1fcc9b4250626 ] When we create the ft object we also init rhltable in ft->fgs_hash. So in error flow before kfree of ft we need to destroy that rhltable. Fixes: 693c6883bbc4 ("net/mlx5: Add hash table for flow groups in flow table") Signed-off-by: Roi Dayan Reviewed-by: Maor Dickman Signed-off-by: Saeed Mahameed Signed-off-by: Sasha Levin commit 4c919b215bb38f63d05bc0eb3701b5392e29e1bb Author: Corinna Vinschen Date: Tue Nov 17 20:50:40 2020 +0100 igc: fix link speed advertising [ Upstream commit 329a3678ec69962aa67c91397efbd46d36635f91 ] Link speed advertising in igc has two problems: - When setting the advertisement via ethtool, the link speed is converted to the legacy 32 bit representation for the intel PHY code. This inadvertently drops ETHTOOL_LINK_MODE_2500baseT_Full_BIT (being beyond bit 31). As a result, any call to `ethtool -s ...' drops the 2500Mbit/s link speed from the PHY settings. Only reloading the driver alleviates that problem. Fix this by converting the ETHTOOL_LINK_MODE_2500baseT_Full_BIT to the Intel PHY ADVERTISE_2500_FULL bit explicitly. - Rather than checking the actual PHY setting, the .get_link_ksettings function always fills link_modes.advertising with all link speeds the device is capable of. Fix this by checking the PHY autoneg_advertised settings and report only the actually advertised speeds up to ethtool. Fixes: 8c5ad0dae93c ("igc: Add ethtool support") Signed-off-by: Corinna Vinschen Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit d11a1402ec1610638bddcb1ab29b1481ed154b59 Author: Stefan Assmann Date: Mon Nov 30 14:12:57 2020 +0100 i40e: acquire VSI pointer only after VF is initialized [ Upstream commit 67a3c6b3cc40bb217c3ff947a55053151a00fea0 ] This change simplifies the VF initialization check and also minimizes the delay between acquiring the VSI pointer and using it. As known by the commit being fixed, there is a risk of the VSI pointer getting changed. Therefore minimize the delay between getting and using the pointer. Fixes: 9889707b06ac ("i40e: Fix crash caused by stress setting of VF MAC addresses") Signed-off-by: Stefan Assmann Reviewed-by: Jacob Keller Tested-by: Konrad Jankowski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b2a76ea0479ead146dd77f32feaac469182ebd94 Author: Brett Creeley Date: Thu Jan 21 10:38:06 2021 -0800 ice: Fix MSI-X vector fallback logic [ Upstream commit f3fe97f64384fa4073d9dc0278c4b351c92e295c ] The current MSI-X enablement logic tries to enable best-case MSI-X vectors and if that fails we only support a bare-minimum set. This includes a single MSI-X for 1 Tx and 1 Rx queue and a single MSI-X for the OICR interrupt. Unfortunately, the driver fails to load when we don't get as many MSI-X as requested for a couple reasons. First, the code to allocate MSI-X in the driver tries to allocate num_online_cpus() MSI-X for LAN traffic without caring about the number of MSI-X actually enabled/requested from the kernel for LAN traffic. So, when calling ice_get_res() for the PF VSI, it returns failure because the number of available vectors is less than requested. Fix this by not allowing the PF VSI to allocation more than pf->num_lan_msix MSI-X vectors and pf->num_lan_msix Rx/Tx queues. Limiting the number of queues is done because we don't want more than 1 Tx/Rx queue per interrupt due to performance conerns. Second, the driver assigns pf->num_lan_msix = 2, to account for LAN traffic and the OICR. However, pf->num_lan_msix is only meant for LAN MSI-X. This is causing a failure when the PF VSI tries to allocate/reserve the minimum pf->num_lan_msix because the OICR MSI-X has already been reserved, so there may not be enough MSI-X vectors left. Fix this by setting pf->num_lan_msix = 1 for the failure case. Then the ICE_MIN_MSIX accounts for the LAN MSI-X and the OICR MSI-X needed for the failure case. Update the related defines used in ice_ena_msix_range() to align with the above behavior and remove the unused RDMA defines because RDMA is currently not supported. Also, remove the now incorrect comment. Fixes: 152b978a1f90 ("ice: Rework ice_ena_msix_range") Signed-off-by: Brett Creeley Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 04cd96db6f888cf8a79c8163c136eb30400ce206 Author: Brett Creeley Date: Thu Jan 21 10:38:05 2021 -0800 ice: Don't allow more channels than LAN MSI-X available [ Upstream commit 943b881e35829403da638fcb34a959125deafef3 ] Currently users could create more channels than LAN MSI-X available. This is happening because there is no check against pf->num_lan_msix when checking the max allowed channels and will cause performance issues if multiple Tx and Rx queues are tied to a single MSI-X. Fix this by not allowing more channels than LAN MSI-X available in pf->num_lan_msix. Fixes: 87324e747fde ("ice: Implement ethtool ops for channels") Signed-off-by: Brett Creeley Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 55717a10a6b837355bf0dc3346346782f9302869 Author: Nick Nunley Date: Fri Nov 20 16:38:33 2020 -0800 ice: update dev_addr in ice_set_mac_address even if HW filter exists [ Upstream commit 13ed5e8a9b9ccd140a79e80283f69d724c9bb2be ] Fix the driver to copy the MAC address configured in ndo_set_mac_address into dev_addr, even if the MAC filter already exists in HW. In some situations (e.g. bonding) the netdev's dev_addr could have been modified outside of the driver, with no change to the HW filter, so the driver cannot assume that they match. Fixes: 757976ab16be ("ice: Fix check for removing/adding mac filters") Signed-off-by: Nick Nunley Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 35c50e69af15e1cbcfbbca4ba7c0f8ed7fb8566c Author: Nick Nunley Date: Fri Nov 20 16:38:31 2020 -0800 ice: Implement flow for IPv6 next header (extension header) [ Upstream commit 1b0b0b581b945ee27beb70e8199270a22dd5a2f6 ] This patch is based on a similar change to i40e by Slawomir Laba: "i40e: Implement flow for IPv6 next header (extension header)". When a packet contains an IPv6 header with next header which is an extension header and not a protocol one, the kernel function skb_transport_header called with such sk_buff will return a pointer to the extension header and not to the TCP one. The above explained call caused a problem with packet processing for skb with encapsulation for tunnel with ICE_TX_CTX_EIPT_IPV6. The extension header was not skipped at all. The ipv6_skip_exthdr function does check if next header of the IPV6 header is an extension header and doesn't modify the l4_proto pointer if it points to a protocol header value so its safe to omit the comparison of exthdr and l4.hdr pointers. The ipv6_skip_exthdr can return value -1. This means that the skipping process failed and there is something wrong with the packet so it will be dropped. Fixes: a4e82a81f573 ("ice: Add support for tunnel offloads") Signed-off-by: Nick Nunley Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit bdcd8b9d8249490e5099d1993ad30ffe82f93018 Author: Henry Tieman Date: Fri Nov 20 16:38:30 2020 -0800 ice: fix FDir IPv6 flexbyte [ Upstream commit 29e2d9eb82647654abff150ff02fa1e07362214f ] The packet classifier would occasionally misrecognize an IPv6 training packet when the next protocol field was 0. The correct value for unspecified protocol is IPPROTO_NONE. Fixes: 165d80d6adab ("ice: Support IPv6 Flow Director filters") Signed-off-by: Henry Tieman Reviewed-by: Paul Menzel Tested-by: Tony Brelinski Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 1c3b27b05a43745a9dfbb4f4b6a5f9d39f319f20 Author: Johannes Berg Date: Fri Jan 22 17:11:16 2021 +0100 mac80211: pause TX while changing interface type [ Upstream commit 054c9939b4800a91475d8d89905827bf9e1ad97a ] syzbot reported a crash that happened when changing the interface type around a lot, and while it might have been easy to fix just the symptom there, a little deeper investigation found that really the reason is that we allowed packets to be transmitted while in the middle of changing the interface type. Disallow TX by stopping the queues while changing the type. Fixes: 34d4bc4d41d2 ("mac80211: support runtime interface type changes") Reported-by: syzbot+d7a3b15976bf7de2238a@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20210122171115.b321f98f4d4f.I6997841933c17b093535c31d29355be3c0c39628@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit a59a7b96dc13e277cb1c3b4f1ce6ea8ae3b4275a Author: Johannes Berg Date: Fri Jan 15 13:05:58 2021 +0200 iwlwifi: pcie: reschedule in long-running memory reads [ Upstream commit 3d372c4edfd4dffb7dea71c6b096fb414782b776 ] If we spin for a long time in memory reads that (for some reason in hardware) take a long time, then we'll eventually get messages such as watchdog: BUG: soft lockup - CPU#2 stuck for 24s! [kworker/2:2:272] This is because the reading really does take a very long time, and we don't schedule, so we're hogging the CPU with this task, at least if CONFIG_PREEMPT is not set, e.g. with CONFIG_PREEMPT_VOLUNTARY=y. Previously I misinterpreted the situation and thought that this was only going to happen if we had interrupts disabled, and then fixed this (which is good anyway, however), but that didn't always help; looking at it again now I realized that the spin unlock will only reschedule if CONFIG_PREEMPT is used. In order to avoid this issue, change the code to cond_resched() if we've been spinning for too long here. Signed-off-by: Johannes Berg Fixes: 04516706bb99 ("iwlwifi: pcie: limit memory read spin time") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130253.217a9d6a6a12.If964cb582ab0aaa94e81c4ff3b279eaafda0fd3f@changeid Signed-off-by: Sasha Levin commit bcb9c4009618d37eaf881324ce5ac36b81a8d024 Author: Johannes Berg Date: Fri Jan 15 13:05:57 2021 +0200 iwlwifi: pcie: use jiffies for memory read spin time limit [ Upstream commit 6701317476bbfb1f341aa935ddf75eb73af784f9 ] There's no reason to use ktime_get() since we don't need any better precision than jiffies, and since we no longer disable interrupts around this code (when grabbing NIC access), jiffies will work fine. Use jiffies instead of ktime_get(). This cleanup is preparation for the following patch "iwlwifi: pcie: reschedule in long-running memory reads". The code gets simpler with the weird clock use etc. removed before we add cond_resched(). Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130253.621c948b1fad.I3ee9f4bc4e74a0c9125d42fb7c35cd80df4698a1@changeid Signed-off-by: Sasha Levin commit 05bb42538d90b7f08241ec1e58dc84e4f93be7d5 Author: Johannes Berg Date: Fri Jan 15 13:05:54 2021 +0200 iwlwifi: pcie: set LTR on more devices [ Upstream commit ed0022da8bd9a3ba1c0e1497457be28d52afa7e1 ] To avoid completion timeouts during device boot, set up the LTR timeouts on more devices - similar to what we had before for AX210. This also corrects the AX210 workaround to be done only on discrete (non-integrated) devices, otherwise the registers have no effect. Signed-off-by: Johannes Berg Fixes: edb625208d84 ("iwlwifi: pcie: set LTR to avoid completion timeout") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130252.fb819e19530b.I0396f82922db66426f52fbb70d32a29c8fd66951@changeid Signed-off-by: Sasha Levin commit 92044488a8d366a08114490d803c5e3353e60801 Author: Johannes Berg Date: Fri Jan 15 13:05:51 2021 +0200 iwlwifi: pnvm: don't try to load after failures [ Upstream commit 82a08d0cd7b503be426fb856a0fb73c9c976aae1 ] If loading the PNVM file failed on the first try during the interface up, the file is unlikely to show up later, and we already don't try to reload it if it changes, so just don't try loading it again and again. This also fixes some issues where we may try to load it at resume time, which may not be possible yet. Signed-off-by: Johannes Berg Fixes: 6972592850c0 ("iwlwifi: read and parse PNVM file") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130252.5ac6828a0bbe.I7d308358b21d3c0c84b1086999dbc7267f86e219@changeid Signed-off-by: Sasha Levin commit fb1e501d8a69dc593bfbd4e9781326dbfa0c1fd0 Author: Johannes Berg Date: Fri Jan 15 13:05:50 2021 +0200 iwlwifi: pnvm: don't skip everything when not reloading [ Upstream commit 1c58bed4b7f7551239b9005ad0a9a6566a3d9fbe ] Even if we don't reload the file from disk, we still need to trigger the PNVM load flow with the device; fix that. Signed-off-by: Johannes Berg Fixes: 6972592850c0 ("iwlwifi: read and parse PNVM file") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130252.85ef56c4ef8c.I3b853ce041a0755d45e448035bef1837995d191b@changeid Signed-off-by: Sasha Levin commit c00b0b65b3b3b41d053418d903e21fce045f6020 Author: Johannes Berg Date: Fri Jan 15 13:05:49 2021 +0200 iwlwifi: pcie: avoid potential PNVM leaks [ Upstream commit 34b9434cd0d425330a0467e767f8d047ef62964d ] If we erroneously try to set the PNVM data again after it has already been set, we could leak the old DMA memory. Avoid that and warn, we shouldn't be doing this. Signed-off-by: Johannes Berg Fixes: 6972592850c0 ("iwlwifi: read and parse PNVM file") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210115130252.929c2d680429.I086b9490e6c005f3bcaa881b617e9f61908160f3@changeid Signed-off-by: Sasha Levin commit fd8c453d53f8220c8f1b4bd61a6be7b53d4af847 Author: Stephan Gerhold Date: Mon Jan 25 11:44:42 2021 +0100 ASoC: qcom: lpass: Fix out-of-bounds DAI ID lookup [ Upstream commit 70041000450d0a071bf9931d634c8e2820340236 ] The "dai_id" given into LPAIF_INTFDMA_REG(...) is already the real DAI ID, not an index into v->dai_driver. Looking it up again seems entirely redundant. For IPQ806x (and SC7180 since commit 09a4f6f5d21c ("ASoC: dt-bindings: lpass: Fix and common up lpass dai ids") this is now often an out-of-bounds read because the indexes in the "dai_driver" array no longer match the actual DAI ID. Cc: Srinivasa Rao Mandadapu Cc: Srinivas Kandagatla Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver") Signed-off-by: Stephan Gerhold Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210125104442.135899-1-stephan@gerhold.net Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b030ba7f129498c7cb62eb6e657ff83183eaa29e Author: Pierre-Louis Bossart Date: Thu Jan 21 18:57:24 2021 -0600 ASoC: SOF: Intel: soundwire: fix select/depend unmet dependencies [ Upstream commit bd9038faa9d7f162b47e1577e35ec5eac39f9d90 ] The LKP bot reports the following issue: WARNING: unmet direct dependencies detected for SOUNDWIRE_INTEL Depends on [m]: SOUNDWIRE [=m] && ACPI [=y] && SND_SOC [=y] Selected by [y]: - SND_SOC_SOF_INTEL_SOUNDWIRE [=y] && SOUND [=y] && !UML && SND [=y] && SND_SOC [=y] && SND_SOC_SOF_TOPLEVEL [=y] && SND_SOC_SOF_INTEL_TOPLEVEL [=y] && SND_SOC_SOF_INTEL_PCI [=y] This comes from having tristates being configured independently, when in practice the CONFIG_SOUNDWIRE needs to be aligned with the SOF choices: when the SOF code is compiled as built-in, the CONFIG_SOUNDWIRE also needs to be 'y'. The easiest fix is to replace the 'depends' with a 'select' and have a single user selection to activate SoundWire on Intel platforms. This still allows regmap to be compiled independently as a module. This is just a temporary fix, the select/depend usage will be revisited and the SOF Kconfig re-organized, as suggested by Arnd Bergman. Reported-by: kernel test robot Fixes: a115ab9b8b93e ('ASoC: SOF: Intel: add build support for SoundWire') Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20210122005725.94163-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d46c0d64dbcdba0181505977193cc05c2a87d7ea Author: Trond Myklebust Date: Thu Jan 21 13:51:50 2021 -0500 pNFS/NFSv4: Update the layout barrier when we schedule a layoutreturn [ Upstream commit 1bcf34fdac5f8c2fcd16796495db75744612ca27 ] When we're scheduling a layoutreturn, we need to ignore any further incoming layouts with sequence ids that are going to be affected by the layout return. Fixes: 44ea8dfce021 ("NFS/pnfs: Reference the layout cred in pnfs_prepare_layoutreturn()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit dba0d4b1508bdd981dca1cc5611e172c527787ba Author: Trond Myklebust Date: Thu Jan 21 16:34:37 2021 -0500 pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() [ Upstream commit 814b84971388cd5fb182f2e914265b3827758455 ] If the server returns a new stateid that does not match the one in our cache, then pnfs_layout_process() will leak the layout segments returned by pnfs_mark_layout_stateid_invalid(). Fixes: 9888d837f3cf ("pNFS: Force a retry of LAYOUTGET if the stateid doesn't match our cache") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit ae02c0008c2794bc00b1adc3954249c27df3bf09 Author: Nicholas Piggin Date: Sat Jan 23 16:12:44 2021 +1000 powerpc/64s: prevent recursive replay_soft_interrupts causing superfluous interrupt [ Upstream commit 4025c784c573cab7e3f84746cc82b8033923ec62 ] When an asynchronous interrupt calls irq_exit, it checks for softirqs that may have been created, and runs them. Running softirqs enables local irqs, which can replay pending interrupts causing recursion in replay_soft_interrupts. This abridged trace shows how this can occur: ! NIP replay_soft_interrupts LR interrupt_exit_kernel_prepare Call Trace: interrupt_exit_kernel_prepare (unreliable) interrupt_return --- interrupt: ea0 at __rb_reserve_next NIP __rb_reserve_next LR __rb_reserve_next Call Trace: ring_buffer_lock_reserve trace_function function_trace_call ftrace_call __do_softirq irq_exit timer_interrupt ! replay_soft_interrupts interrupt_exit_kernel_prepare interrupt_return --- interrupt: ea0 at arch_local_irq_restore This can not be prevented easily, because softirqs must not block hard irqs, so it has to be dealt with. The recursion is bounded by design in the softirq code because softirq replay disables softirqs and loops around again to check for new softirqs created while it ran, so that's not a problem. However it does mess up interrupt replay state, causing superfluous interrupts when the second replay_soft_interrupts clears a pending interrupt, leaving it still set in the first call in the 'happened' local variable. Fix this by not caching a copy of irqs_happened across interrupt handler calls. Fixes: 3282a3da25bd ("powerpc/64: Implement soft interrupt replay in C") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20210123061244.2076145-1-npiggin@gmail.com Signed-off-by: Sasha Levin commit 5f78c6ce1f6fa7ab1bd81860f4655cd9f5d5d28a Author: Ricardo Ribalda Date: Thu Jan 21 18:16:43 2021 +0100 ASoC: Intel: Skylake: skl-topology: Fix OOPs ib skl_tplg_complete [ Upstream commit c1c3ba1f78354a20222d291ed6fedd17b7a74fd7 ] If dobj->control is not initialized we end up in an OOPs during skl_tplg_complete: [ 26.553358] BUG: kernel NULL pointer dereference, address: 0000000000000078 [ 26.561151] #PF: supervisor read access in kernel mode [ 26.566897] #PF: error_code(0x0000) - not-present page [ 26.572642] PGD 0 P4D 0 [ 26.575479] Oops: 0000 [#1] PREEMPT SMP PTI [ 26.580158] CPU: 2 PID: 2082 Comm: udevd Tainted: G C 5.4.81 #4 [ 26.588232] Hardware name: HP Soraka/Soraka, BIOS Google_Soraka.10431.106.0 12/03/2019 [ 26.597082] RIP: 0010:skl_tplg_complete+0x70/0x144 [snd_soc_skl] Fixes: 2d744ecf2b98 ("ASoC: Intel: Skylake: Automatic DMIC format configuration according to information from NHL") Signed-off-by: Ricardo Ribalda Reviewed-by: Cezary Rojewski Tested-by: Lukasz Majczak Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20210121171644.131059-1-ribalda@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cea3d7cd951adf26f31305f2e6fac0b4cd405af5 Author: Pan Bian Date: Wed Jan 20 00:26:35 2021 -0800 spi: altera: Fix memory leak on error path [ Upstream commit 55a8b42e8645a6dab88674a30cb6ed328e660680 ] Release master that have been previously allocated if the number of chipselect is invalid. Fixes: 8e04187c1bc7 ("spi: altera: add SPI core parameters support via platform data.") Signed-off-by: Pan Bian Reviewed-by: Tom Rix Link: https://lore.kernel.org/r/20210120082635.49304-1-bianpan2016@163.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2bfc7e605aafb8bed2bd1812f66385f3f0ee7941 Author: Srinivas Kandagatla Date: Tue Jan 19 17:47:00 2021 +0000 ASoC: qcom: lpass-ipq806x: fix bitwidth regmap field [ Upstream commit 1e066a23e76f90c9c39c189fe0dbf7c6e3dd5044 ] BIT_WIDTH field in I2S_CTL register is two bits wide, however recent regmap field conversion patch trimmed it down to one bit. Fix this by correcting the bit range! Fixes: b5022a36d28f ("ASoC: qcom: lpass: Use regmap_field for i2sctl and dmactl registers") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210119174700.32639-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 02e5a1ee97a1eca93cd09f60ffd9a2ab398b484f Author: Srinivas Kandagatla Date: Tue Jan 19 17:15:27 2021 +0000 ASoC: qcom: Fix broken support to MI2S TERTIARY and QUATERNARY [ Upstream commit cd3484f7f1386071b1af159023917ed12c182d39 ] lpass hdmi support patch totally removed support for MI2S TERTIARY and QUATERNARY. One of the major issue was spotted with the design of having separate SoC specific header files for the common lpass driver. This design is prone to break as an when new SoC header is added as the common DAI ids of other SoCs will be overwritten by the new ones. Having a common header qcom,lpass.h should fix the issue and any new DAI ids should be added to the common header. With this change lpass also needs a new of_xlate function to resolve dai name. Fixes: 7cb37b7bd0d3 ("ASoC: qcom: Add support for lpass hdmi driver") Reported-by: Jun Nie Reported-by: Stephan Gerhold Tested-by: Srinivasa Rao Signed-off-by: Srinivas Kandagatla Tested-by: Stephan Gerhold Link: https://lore.kernel.org/r/20210119171527.32145-3-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c74d671e7154374bbd9997bc3b02accc4484b41b Author: Srinivasa Rao Mandadapu Date: Thu Dec 17 13:38:33 2020 +0530 ASoC: qcom: Fix incorrect volatile registers [ Upstream commit 315fbe4cef98ee5fb6085bc54c7f25eb06466c70 ] MI2S and DMA control registers are not volatile, so remove these from volatile registers list. Registers reset state check by reading non volatile registers makes no use, so remove error check from cpu and platform trigger callbacks. Initialized map variable two times in lpass platform trigger API, so remove redundant initialization. Fixes commit b1824968221cc ("ASoC: qcom: Fix enabling BCLK and LRCLK in LPAIF invalid state") Signed-off-by: V Sujith Kumar Reddy Signed-off-by: Srinivasa Rao Mandadapu Link: https://lore.kernel.org/r/1608192514-29695-2-git-send-email-srivasam@codeaurora.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 52178bea2cf5af1fb149ed4abfdbba4282362698 Author: Srinivas Kandagatla Date: Tue Jan 19 17:15:26 2021 +0000 ASoC: dt-bindings: lpass: Fix and common up lpass dai ids [ Upstream commit 09a4f6f5d21cb1f2633f4e8b893336b60eee9a01 ] Existing header file design of having separate SoC specific header files for the common lpass driver has mutiple issues. This design is prone to break as an when new SoC header is added as the common DAI ids of other SoCs will be overwritten by the new ones. One of them surfaced by recent patch that adds support to sc7180, this one totally broke LPASS drivers on other Qualcomm SoCs. Before this gets worst, fix this by having a common header qcom,lpass.h. This should fix the issue and any new DAI ids should be added to the common header. This will be more sustainable then the existing design! Fixes: 12fbfc4cabec6595 ("ASoC: Add sc7180-lpass binding header hdmi define") Reported-by: Jun Nie Reported-by: Stephan Gerhold Tested-by: Srinivasa Rao Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20210119171527.32145-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 571a2dd89818d0d9ef4ad3eff45dba5ba56601de Author: Kamal Heib Date: Thu Jan 14 21:14:23 2021 +0200 RDMA/cxgb4: Fix the reported max_recv_sge value [ Upstream commit a372173bf314d374da4dd1155549d8ca7fc44709 ] The max_recv_sge value is wrongly reported when calling query_qp, This is happening due to a typo when assigning the max_recv_sge value, the value of sq_max_sges was assigned instead of rq_max_sges. Fixes: 3e5c02c9ef9a ("iw_cxgb4: Support query_qp() verb") Link: https://lore.kernel.org/r/20210114191423.423529-1-kamalheib1@gmail.com Signed-off-by: Kamal Heib Reviewed-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0fade2af3eae6f88bf4f3ce6ae6edc177d6849cf Author: Randy Dunlap Date: Fri Jan 15 19:32:59 2021 -0800 firmware: imx: select SOC_BUS to fix firmware build [ Upstream commit 82c082784e03a9a9c043345f9bc04bc8254cf6da ] Fix build error in firmware/imx/ selecting SOC_BUS. riscv32-linux-ld: drivers/firmware/imx/imx-scu-soc.o: in function `.L9': imx-scu-soc.c:(.text+0x1b0): undefined reference to `soc_device_register' Fixes: edbee095fafb ("firmware: imx: add SCU firmware driver support") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Atish Patra Cc: Palmer Dabbelt Cc: Ard Biesheuvel Cc: Anson Huang Cc: Daniel Baluta Reviewed-by: Dong Aisheng Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit bd10eba71351a6a02db692048e7c3e83a59cf3ea Author: Jacky Bai Date: Fri Jan 15 09:18:05 2021 +0800 arm64: dts: imx8mp: Correct the gpio ranges of gpio3 [ Upstream commit b764eb65e1c932f0500b30fcc06417cd9bc3e583 ] On i.MX8MP, The GPIO3's secondary gpio-ranges's 'gpio controller offset' cell value should be 26, so correct it. Signed-off-by: Jacky Bai Fixes: 6d9b8d20431f ("arm64: dts: freescale: Add i.MX8MP dtsi support") Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 50c701d94f648a616d6056439b4d70fd7aa446a6 Author: Russell King Date: Thu Jan 14 10:53:06 2021 +0000 ARM: dts: imx6qdl-sr-som: fix some cubox-i platforms [ Upstream commit 2cc0bfc9c12784188482a8f3d751d44af45b0d97 ] The PHY address bit 2 is configured by the LED pin. Attaching a LED to this pin is not sufficient to guarantee this configuration pin is correctly read. This leads to some platforms having their PHY at address 0 and others at address 4. If there is no phy-handle specified, the FEC driver will scan the PHY bus for a PHY and use that. Consequently, adding the DT configuration of the PHY and the phy properties to the FEC driver broke some boards. Fix this by removing the phy-handle property, and listing two PHY entries for both possible PHY addresses, so that the DT configuration for the PHY can be found by the PHY driver. Fixes: 86b08bd5b994 ("ARM: dts: imx6-sr-som: add ethernet PHY configuration") Reported-by: Christoph Mattheis Signed-off-by: Russell King Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit fd59c86ac9b067b7416f0447b48e5d25a14cc38a Author: Marco Felsch Date: Tue Jan 5 10:24:07 2021 +0100 ARM: dts: imx6qdl-kontron-samx6i: fix i2c_lcd/cam default status [ Upstream commit 70b6ff4c549a62b59b286445f66cfec6c5327ac8 ] Fix typo so the gpio i2c busses are really disabled. Fixes: 2125212785c9 ("ARM: dts: imx6qdl-kontron-samx6i: add Kontron SMARC SoM Support") Signed-off-by: Marco Felsch Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit d871650a7d0651caaad35c7b84e97ee7399441b9 Author: Arnd Bergmann Date: Wed Dec 30 16:17:51 2020 +0100 ARM: imx: fix imx8m dependencies [ Upstream commit 097530bf8cd469ef7b3d52ef00cafb64b33bacb1 ] Selecting ARM_GIC_V3 on non-CP15 processors leads to build failures like arch/arm/include/asm/arch_gicv3.h: In function 'write_ICC_AP1R3_EL1': arch/arm/include/asm/arch_gicv3.h:36:40: error: 'c12' undeclared (first use in this function) 36 | #define __ICC_AP1Rx(x) __ACCESS_CP15(c12, 0, c9, x) | ^~~ Add a dependency to only enable the gic driver when building for at an ARMv7 target, which is the closes approximation to the ARMv8 processor that is actually in this chip. Fixes: fc40200ebf82 ("soc: imx: increase build coverage for imx8m soc driver") Signed-off-by: Arnd Bergmann Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 9f87dd2fe3f2b779a11422967c530e6448b7a60d Author: Michael Walle Date: Tue Dec 15 22:26:22 2020 +0100 arm64: dts: ls1028a: fix the offset of the reset register [ Upstream commit 1653e3d470629d25c64cd8a2f84adb20a9348b0c ] The offset of the reset request register is 0, the absolute address is 0x1e60000. Boards without PSCI support will fail to perform a reset: [ 26.734700] reboot: Restarting system [ 27.743259] Unable to restart system [ 27.746845] Reboot failed -- System halted Fixes: 8897f3255c9c ("arm64: dts: Add support for NXP LS1028A SoC") Signed-off-by: Michael Walle Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 6daa52884c3fd8f534b7ebfd784111cea69daa9d Author: Visa Hankala Date: Wed Dec 30 16:15:53 2020 +0000 xfrm: Fix wraparound in xfrm_policy_addr_delta() [ Upstream commit da64ae2d35d3673233f0403b035d4c6acbf71965 ] Use three-way comparison for address components to avoid integer wraparound in the result of xfrm_policy_addr_delta(). This ensures that the search trees are built and traversed correctly. Treat IPv4 and IPv6 similarly by returning 0 when prefixlen == 0. Prefix /0 has only one equivalence class. Fixes: 9cf545ebd591d ("xfrm: policy: store inexact policies in a tree ordered by destination address") Signed-off-by: Visa Hankala Acked-by: Florian Westphal Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 8ea899803bb5c9d3cfb60d75d0c40f68f8227abe Author: Po-Hsu Lin Date: Wed Dec 30 17:52:04 2020 +0800 selftests: xfrm: fix test return value override issue in xfrm_policy.sh [ Upstream commit f6e9ceb7a7fc321a31a9dde93a99b7b4b016a3b3 ] When running this xfrm_policy.sh test script, even with some cases marked as FAIL, the overall test result will still be PASS: $ sudo ./xfrm_policy.sh PASS: policy before exception matches FAIL: expected ping to .254 to fail (exceptions) PASS: direct policy matches (exceptions) PASS: policy matches (exceptions) FAIL: expected ping to .254 to fail (exceptions and block policies) PASS: direct policy matches (exceptions and block policies) PASS: policy matches (exceptions and block policies) FAIL: expected ping to .254 to fail (exceptions and block policies after hresh changes) PASS: direct policy matches (exceptions and block policies after hresh changes) PASS: policy matches (exceptions and block policies after hresh changes) FAIL: expected ping to .254 to fail (exceptions and block policies after hthresh change in ns3) PASS: direct policy matches (exceptions and block policies after hthresh change in ns3) PASS: policy matches (exceptions and block policies after hthresh change in ns3) FAIL: expected ping to .254 to fail (exceptions and block policies after htresh change to normal) PASS: direct policy matches (exceptions and block policies after htresh change to normal) PASS: policy matches (exceptions and block policies after htresh change to normal) PASS: policies with repeated htresh change $ echo $? 0 This is because the $lret in check_xfrm() is not a local variable. Therefore when a test failed in check_exceptions(), the non-zero $lret will later get reset to 0 when the next test calls check_xfrm(). With this fix, the final return value will be 1. Make it easier for testers to spot this failure. Fixes: 39aa6928d462d0 ("xfrm: policy: fix netlink/pf_key policy lookups") Signed-off-by: Po-Hsu Lin Acked-by: Florian Westphal Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit 2f7ecc841daac6394bdd9b3bea69a87c25226c50 Author: Eyal Birger Date: Wed Dec 23 17:00:46 2020 +0200 xfrm: fix disable_xfrm sysctl when used on xfrm interfaces [ Upstream commit 9f8550e4bd9d78a8436c2061ad2530215f875376 ] The disable_xfrm flag signals that xfrm should not be performed during routing towards a device before reaching device xmit. For xfrm interfaces this is usually desired as they perform the outbound policy lookup as part of their xmit using their if_id. Before this change enabling this flag on xfrm interfaces prevented them from xmitting as xfrm_lookup_with_ifid() would not perform a policy lookup in case the original dst had the DST_NOXFRM flag. This optimization is incorrect when the lookup is done by the xfrm interface xmit logic. Fix by performing policy lookup when invoked by xfrmi as if_id != 0. Similarly it's unlikely for the 'no policy exists on net' check to yield any performance benefits when invoked from xfrmi. Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces") Signed-off-by: Eyal Birger Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit f632d34091e645266fb435240cda3dada8464d1b Author: Shmulik Ladkani Date: Mon Dec 14 15:38:32 2020 +0200 xfrm: Fix oops in xfrm_replay_advance_bmp [ Upstream commit 56ce7c25ae1525d83cf80a880cf506ead1914250 ] When setting xfrm replay_window to values higher than 32, a rare page-fault occurs in xfrm_replay_advance_bmp: BUG: unable to handle page fault for address: ffff8af350ad7920 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD ad001067 P4D ad001067 PUD 0 Oops: 0002 [#1] SMP PTI CPU: 3 PID: 30 Comm: ksoftirqd/3 Kdump: loaded Not tainted 5.4.52-050452-generic #202007160732 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 RIP: 0010:xfrm_replay_advance_bmp+0xbb/0x130 RSP: 0018:ffffa1304013ba40 EFLAGS: 00010206 RAX: 000000000000010d RBX: 0000000000000002 RCX: 00000000ffffff4b RDX: 0000000000000018 RSI: 00000000004c234c RDI: 00000000ffb3dbff RBP: ffffa1304013ba50 R08: ffff8af330ad7920 R09: 0000000007fffffa R10: 0000000000000800 R11: 0000000000000010 R12: ffff8af29d6258c0 R13: ffff8af28b95c700 R14: 0000000000000000 R15: ffff8af29d6258fc FS: 0000000000000000(0000) GS:ffff8af339ac0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff8af350ad7920 CR3: 0000000015ee4000 CR4: 00000000001406e0 Call Trace: xfrm_input+0x4e5/0xa10 xfrm4_rcv_encap+0xb5/0xe0 xfrm4_udp_encap_rcv+0x140/0x1c0 Analysis revealed offending code is when accessing: replay_esn->bmp[nr] |= (1U << bitnr); with 'nr' being 0x07fffffa. This happened in an SMP system when reordering of packets was present; A packet arrived with a "too old" sequence number (outside the window, i.e 'diff > replay_window'), and therefore the following calculation: bitnr = replay_esn->replay_window - (diff - pos); yields a negative result, but since bitnr is u32 we get a large unsigned quantity (in crash dump above: 0xffffff4b seen in ecx). This was supposed to be protected by xfrm_input()'s former call to: if (x->repl->check(x, skb, seq)) { However, the state's spinlock x->lock is *released* after '->check()' is performed, and gets re-acquired before '->advance()' - which gives a chance for a different core to update the xfrm state, e.g. by advancing 'replay_esn->seq' when it encounters more packets - leading to a 'diff > replay_window' situation when original core continues to xfrm_replay_advance_bmp(). An attempt to fix this issue was suggested in commit bcf66bf54aab ("xfrm: Perform a replay check after return from async codepaths"), by calling 'x->repl->recheck()' after lock is re-acquired, but fix applied only to asyncronous crypto algorithms. Augment the fix, by *always* calling 'recheck()' - irrespective if we're using async crypto. Fixes: 0ebea8ef3559 ("[IPSEC]: Move state lock into x->type->input") Signed-off-by: Shmulik Ladkani Signed-off-by: Steffen Klassert Signed-off-by: Sasha Levin commit f39005edf513d63a37bb8a0853d1dd7dd075cf31 Author: Maxim Mikityanskiy Date: Tue Jan 26 21:59:07 2021 +0200 Revert "block: simplify set_init_blocksize" to regain lost performance commit 8dc932d3e8afb65e12eba7495f046c83884c49bf upstream. The cited commit introduced a serious regression with SATA write speed, as found by bisecting. This patch reverts this commit, which restores write speed back to the values observed before this commit. The performance tests were done on a Helios4 NAS (2nd batch) with 4 HDDs (WD8003FFBX) using dd (bs=1M count=2000). "Direct" is a test with a single HDD, the rest are different RAID levels built over the first partitions of 4 HDDs. Test results are in MB/s, R is read, W is write. | Direct | RAID0 | RAID10 f2 | RAID10 n2 | RAID6 ----------------+--------+-------+-----------+-----------+-------- 9011495c9466 | R:256 | R:313 | R:276 | R:313 | R:323 (before faulty) | W:254 | W:253 | W:195 | W:204 | W:117 ----------------+--------+-------+-----------+-----------+-------- 5ff9f19231a0 | R:257 | R:398 | R:312 | R:344 | R:391 (faulty commit) | W:154 | W:122 | W:67.7 | W:66.6 | W:67.2 ----------------+--------+-------+-----------+-----------+-------- 5.10.10 | R:256 | R:401 | R:312 | R:356 | R:375 unpatched | W:149 | W:123 | W:64 | W:64.1 | W:61.5 ----------------+--------+-------+-----------+-----------+-------- 5.10.10 | R:255 | R:396 | R:312 | R:340 | R:393 patched | W:247 | W:274 | W:220 | W:225 | W:121 Applying this patch doesn't hurt read performance, while improves the write speed by 1.5x - 3.5x (more impact on RAID tests). The write speed is restored back to the state before the faulty commit, and even a bit higher in RAID tests (which aren't HDD-bound on this device) - that is likely related to other optimizations done between the faulty commit and 5.10.10 which also improved the read speed. Signed-off-by: Maxim Mikityanskiy Fixes: 5ff9f19231a0 ("block: simplify set_init_blocksize") Cc: Christoph Hellwig Cc: Jens Axboe Acked-by: Christoph Hellwig Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 34b0c04c884cbcb327535e55279708e5ca5b96ed Author: Parav Pandit Date: Sun Jan 17 11:26:33 2021 +0200 Revert "RDMA/mlx5: Fix devlink deadlock on net namespace deletion" commit de641d74fb00f5b32f054ee154e31fb037e0db88 upstream. This reverts commit fbdd0049d98d44914fc57d4b91f867f4996c787b. Due to commit in fixes tag, netdevice events were received only in one net namespace of mlx5_core_dev. Due to this when netdevice events arrive in net namespace other than net namespace of mlx5_core_dev, they are missed. This results in empty GID table due to RDMA device being detached from its net device. Hence, revert back to receive netdevice events in all net namespaces to restore back RDMA functionality in non init_net net namespace. The deadlock will have to be addressed in another patch. Fixes: fbdd0049d98d ("RDMA/mlx5: Fix devlink deadlock on net namespace deletion") Link: https://lore.kernel.org/r/20210117092633.10690-1-leon@kernel.org Signed-off-by: Parav Pandit Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 28adabf8cdd23e5749b9711476095322b1da2d8c Author: Pablo Neira Ayuso Date: Sat Jan 16 19:20:15 2021 +0100 netfilter: nft_dynset: add timeout extension to template commit 0c5b7a501e7400869ee905b4f7af3d6717802bcb upstream. Otherwise, the newly create element shows no timeout when listing the ruleset. If the set definition does not specify a default timeout, then the set element only shows the expiration time, but not the timeout. This is a problem when restoring a stateful ruleset listing since it skips the timeout policy entirely. Fixes: 22fe54d5fefc ("netfilter: nf_tables: add support for dynamic set updates") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit fec7ae28d90572fdb61e0e032dcef604679e212d Author: Rob Herring Date: Mon Jan 25 20:39:05 2021 -0600 ARM: zImage: atags_to_fdt: Fix node names on added root nodes commit 30596ae0547dbda469d31a2678d9072fb0a3fa27 upstream. Commit 7536c7e03e74 ("of/fdt: Remove redundant kbasename function call") exposed a bug creating DT nodes in the ATAGS to DT fixup code. Non-existent nodes would mistaken get created with a leading '/'. The problem was fdt_path_offset() takes a full path while creating a node with fdt_add_subnode() takes just the basename. Since this we only add root child nodes, we can just skip over the '/'. Fixes: 7536c7e03e74 ("of/fdt: Remove redundant kbasename function call") Reported-by: Chris Packham Cc: Qi Zheng Cc: Russell King Signed-off-by: Rob Herring Tested-by: Chris Packham Link: https://lore.kernel.org/r/20210126023905.1631161-1-robh@kernel.org Signed-off-by: Greg Kroah-Hartman commit 69da790360f3e373c26050508654cb59985f7896 Author: Max Krummenacher Date: Mon Jan 11 16:17:04 2021 +0100 ARM: imx: build suspend-imx6.S with arm instruction set commit a88afa46b86ff461c89cc33fc3a45267fff053e8 upstream. When the kernel is configured to use the Thumb-2 instruction set "suspend-to-memory" fails to resume. Observed on a Colibri iMX6ULL (i.MX 6ULL) and Apalis iMX6 (i.MX 6Q). It looks like the CPU resumes unconditionally in ARM instruction mode and then chokes on the presented Thumb-2 code it should execute. Fix this by using the arm instruction set for all code in suspend-imx6.S. Signed-off-by: Max Krummenacher Fixes: df595746fa69 ("ARM: imx: add suspend in ocram support for i.mx6q") Acked-by: Oleksandr Suvorov Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit d095985e1ce1bff50ebae8e528fe9174b375e8ad Author: Dmitry Baryshkov Date: Sat Jan 9 04:33:14 2021 +0300 clk: qcom: gcc-sm250: Use floor ops for sdcc clks commit fd2383093593b23f8814a879093b746e502fe3cf upstream. Followup to the commits 5e4b7e82d497 ("clk: qcom: gcc-sdm845: Use floor ops for sdcc clks") and 6d37a8d19283 ("clk: qcom: gcc-sc7180: Use floor ops for sdcc clks"). Use floor ops for sdcc clocks on sm8250. Signed-off-by: Dmitry Baryshkov Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") Link: https://lore.kernel.org/r/20210109013314.3443134-1-dmitry.baryshkov@linaro.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit cee27fcc8ccf918464beafc87c70014a9fd1a0b3 Author: Arnd Bergmann Date: Sun Jan 3 14:54:53 2021 +0100 clk: mmp2: fix build without CONFIG_PM commit c361c5a6c559d1e0a2717abe9162a71aa602954f upstream. pm_clk_suspend()/pm_clk_resume() are defined as NULL pointers rather than empty inline stubs without CONFIG_PM: drivers/clk/mmp/clk-audio.c:402:16: error: called object type 'void *' is not a function or function pointer pm_clk_suspend(dev); drivers/clk/mmp/clk-audio.c:411:15: error: called object type 'void *' is not a function or function pointer pm_clk_resume(dev); I tried redefining the helper functions, but that caused additional problems. This is the simple solution of replacing the __maybe_unused trick with an #ifdef. Fixes: 725262d29139 ("clk: mmp2: Add audio clock controller driver") Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20210103135503.3668784-1-arnd@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit c143ab5556797e746a8913b782135b2bae3a744d Author: Arnd Bergmann Date: Wed Dec 30 16:52:25 2020 +0100 clk: imx: fix Kconfig warning for i.MX SCU clk commit 73f6b7ed9835ad9f953aebd60dd720aabc487b81 upstream. A previous patch introduced a harmless randconfig warning: WARNING: unmet direct dependencies detected for MXC_CLK_SCU Depends on [n]: COMMON_CLK [=y] && ARCH_MXC [=n] && IMX_SCU [=y] && HAVE_ARM_SMCCC [=y] Selected by [m]: - CLK_IMX8QXP [=m] && COMMON_CLK [=y] && (ARCH_MXC [=n] && ARM64 [=y] || COMPILE_TEST [=y]) && IMX_SCU [=y] && HAVE_ARM_SMCCC [=y] Since the symbol is now hidden and only selected by other symbols, just remove the dependencies and require the other drivers to get it right. Fixes: 6247e31b7530 ("clk: imx: scu: fix MXC_CLK_SCU module build break") Reported-by: Anders Roxell Signed-off-by: Arnd Bergmann Link: https://lore.kernel.org/r/20201230155244.981757-1-arnd@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit 20786fdd2fb0c648e8c4895d3839d57b1d78375f Author: Ming Lei Date: Sun Dec 27 19:34:58 2020 +0800 blk-mq: test QUEUE_FLAG_HCTX_ACTIVE for sbitmap_shared in hctx_may_queue commit 2569063c7140c65a0d0ad075e95ddfbcda9ba3c0 upstream. In case of blk_mq_is_sbitmap_shared(), we should test QUEUE_FLAG_HCTX_ACTIVE against q->queue_flags instead of BLK_MQ_S_TAG_ACTIVE. So fix it. Cc: John Garry Cc: Kashyap Desai Fixes: f1b49fdc1c64 ("blk-mq: Record active_queues_shared_sbitmap per tag_set for when using shared sbitmap") Signed-off-by: Ming Lei Reviewed-by: John Garry Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7d6e01e275604c997a08a3fe2ddfab3ddbaa5488 Author: Roger Pau Monne Date: Tue Jan 19 11:57:27 2021 +0100 xen-blkfront: allow discard-* nodes to be optional commit 0549cd67b01016b579047bce045b386202a8bcfc upstream. This is inline with the specification described in blkif.h: * discard-granularity: should be set to the physical block size if node is not present. * discard-alignment, discard-secure: should be set to 0 if node not present. This was detected as QEMU would only create the discard-granularity node but not discard-alignment, and thus the setup done in blkfront_setup_discard would fail. Fix blkfront_setup_discard to not fail on missing nodes, and also fix blkif_set_queue_limits to set the discard granularity to the physical block size if none is specified in xenbus. Fixes: ed30bf317c5ce ('xen-blkfront: Handle discard requests.') Reported-by: Arthur Borsboom Signed-off-by: Roger Pau Monné Reviewed-by: Juergen Gross Tested-By: Arthur Borsboom Link: https://lore.kernel.org/r/20210119105727.95173-1-roger.pau@citrix.com Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit a164789b86c61924bf77d4b97f9cc89d4b6f2352 Author: Rouven Czerwinski Date: Tue Jan 5 11:28:44 2021 +0100 tee: optee: replace might_sleep with cond_resched commit dcb3b06d9c34f33a249f65c08805461fb0c4325b upstream. might_sleep() is a debugging aid and triggers rescheduling only for certain kernel configurations. Replace with an explicit check and reschedule to work for all kernel configurations. Fixes the following trace: [ 572.945146] rcu: INFO: rcu_sched self-detected stall on CPU [ 572.949275] rcu: 0-....: (2099 ticks this GP) idle=572/1/0x40000002 softirq=7412/7412 fqs=974 [ 572.957964] (t=2100 jiffies g=10393 q=21) [ 572.962054] NMI backtrace for cpu 0 [ 572.965540] CPU: 0 PID: 165 Comm: xtest Not tainted 5.8.7 #1 [ 572.971188] Hardware name: STM32 (Device Tree Support) [ 572.976354] [] (unwind_backtrace) from [] (show_stack+0x10/0x14) [ 572.984080] [] (show_stack) from [] (dump_stack+0xc4/0xd8) [ 572.991300] [] (dump_stack) from [] (nmi_cpu_backtrace+0x90/0xc4) [ 572.999130] [] (nmi_cpu_backtrace) from [] (nmi_trigger_cpumask_backtrace+0xec/0x130) [ 573.008706] [] (nmi_trigger_cpumask_backtrace) from [] (rcu_dump_cpu_stacks+0xe8/0x110) [ 573.018453] [] (rcu_dump_cpu_stacks) from [] (rcu_sched_clock_irq+0x7fc/0xa88) [ 573.027416] [] (rcu_sched_clock_irq) from [] (update_process_times+0x30/0x8c) [ 573.036291] [] (update_process_times) from [] (tick_sched_timer+0x4c/0xa8) [ 573.044905] [] (tick_sched_timer) from [] (__hrtimer_run_queues+0x174/0x358) [ 573.053696] [] (__hrtimer_run_queues) from [] (hrtimer_interrupt+0x118/0x2bc) [ 573.062573] [] (hrtimer_interrupt) from [] (arch_timer_handler_virt+0x28/0x30) [ 573.071536] [] (arch_timer_handler_virt) from [] (handle_percpu_devid_irq+0x8c/0x240) [ 573.081109] [] (handle_percpu_devid_irq) from [] (generic_handle_irq+0x34/0x44) [ 573.090156] [] (generic_handle_irq) from [] (__handle_domain_irq+0x5c/0xb0) [ 573.098857] [] (__handle_domain_irq) from [] (gic_handle_irq+0x4c/0x90) [ 573.107209] [] (gic_handle_irq) from [] (__irq_svc+0x6c/0x90) [ 573.114682] Exception stack(0xd90dfcf8 to 0xd90dfd40) [ 573.119732] fce0: ffff0004 00000000 [ 573.127917] fd00: 00000000 00000000 00000000 00000000 00000000 00000000 d93493cc ffff0000 [ 573.136098] fd20: d2bc39c0 be926998 d90dfd58 d90dfd48 c09f3384 c01151f0 400d0013 ffffffff [ 573.144281] [] (__irq_svc) from [] (__arm_smccc_smc+0x10/0x20) [ 573.151854] [] (__arm_smccc_smc) from [] (optee_smccc_smc+0x3c/0x44) [ 573.159948] [] (optee_smccc_smc) from [] (optee_do_call_with_arg+0xb8/0x154) [ 573.168735] [] (optee_do_call_with_arg) from [] (optee_invoke_func+0x110/0x190) [ 573.177786] [] (optee_invoke_func) from [] (tee_ioctl+0x10b8/0x11c0) [ 573.185879] [] (tee_ioctl) from [] (ksys_ioctl+0xe0/0xa4c) [ 573.193101] [] (ksys_ioctl) from [] (ret_fast_syscall+0x0/0x54) [ 573.200750] Exception stack(0xd90dffa8 to 0xd90dfff0) [ 573.205803] ffa0: be926bf4 be926a78 00000003 8010a403 be926908 004e3cf8 [ 573.213987] ffc0: be926bf4 be926a78 00000000 00000036 be926908 be926918 be9269b0 bffdf0f8 [ 573.222162] ffe0: b6d76fb0 be9268fc b6d66621 b6c7e0d8 seen on STM32 DK2 with CONFIG_PREEMPT_NONE. Fixes: 9f02b8f61f29 ("tee: optee: add might_sleep for RPC requests") Signed-off-by: Rouven Czerwinski Tested-by: Sumit Garg [jw: added fixes tag + small adjustments in the code] Signed-off-by: Jens Wiklander Signed-off-by: Greg Kroah-Hartman commit d1fd90bf5554d5196c2c2f026db5d14fe282f2e5 Author: Quentin Perret Date: Fri Jan 8 16:53:49 2021 +0000 KVM: Documentation: Fix spec for KVM_CAP_ENABLE_CAP_VM commit a10f373ad3c760dd40b41e2f69a800ee7b8da15e upstream. The documentation classifies KVM_ENABLE_CAP with KVM_CAP_ENABLE_CAP_VM as a vcpu ioctl, which is incorrect. Fix it by specifying it as a VM ioctl. Fixes: e5d83c74a580 ("kvm: make KVM_CAP_ENABLE_CAP_VM architecture agnostic") Signed-off-by: Quentin Perret Message-Id: <20210108165349.747359-1-qperret@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c48f69093e5e36201ca3a3178e591d0f02ae54de Author: Justin Iurman Date: Thu Jan 21 23:00:44 2021 +0100 uapi: fix big endian definition of ipv6_rpl_sr_hdr commit 07d46d93c9acdfe0614071d73c415dd5f745cc6e upstream. Following RFC 6554 [1], the current order of fields is wrong for big endian definition. Indeed, here is how the header looks like: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Next Header | Hdr Ext Len | Routing Type | Segments Left | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | CmprI | CmprE | Pad | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ This patch reorders fields so that big endian definition is now correct. [1] https://tools.ietf.org/html/rfc6554#section-3 Fixes: cfa933d938d8 ("include: uapi: linux: add rpl sr header definition") Signed-off-by: Justin Iurman Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 921f48afdd3a7a3178c7a26fcb080277443a93cf Author: Pan Bian Date: Thu Jan 21 17:56:40 2021 -0800 drm/i915/selftest: Fix potential memory leak commit 3d480fe1befa0ef434f5c25199e7d45c26870555 upstream. Object out is not released on path that no VMA instance found. The root cause is jumping to an unexpected label on the error path. Fixes: a47e788c2310 ("drm/i915/selftests: Exercise CS TLB invalidation") Signed-off-by: Pan Bian Reviewed-by: Chris Wilson Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20210122015640.16002-1-bianpan2016@163.com (cherry picked from commit 2b015017d5cb01477a79ca184ac25c247d664568) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 7306177c9ed33008376b7d41e39601c308e7a40e Author: Umesh Nerlige Ramappa Date: Thu Jan 21 16:19:35 2021 +0000 drm/i915: Check for all subplatform bits commit 8f6d08c9af284d74276da6681348e4673f13caea upstream. Current code is checking only 2 bits in the subplatform, but actually 3 bits are allocated for the field. Check all 3 bits. Fixes: 805446c8347c ("drm/i915: Introduce concept of a sub-platform") Cc: Tvrtko Ursulin Signed-off-by: Umesh Nerlige Ramappa Reviewed-by: Tvrtko Ursulin Signed-off-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20210121161936.746591-1-tvrtko.ursulin@linux.intel.com (cherry picked from commit 27b695ee1af9bb36605e67055874ec081306ac28) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit e4d2a196fdc5f7eeab21d3d6a27566f3dc1f4d60 Author: Bastian Beranek Date: Thu Jan 21 15:27:36 2021 +0100 drm/nouveau/dispnv50: Restore pushing of all data. commit fd55b61ebd31449549e14c33574825d64de2b29b upstream. Commit f844eb485eb056ad3b67e49f95cbc6c685a73db4 introduced a regression for NV50, which lead to visual artifacts, tearing and eventual crashes. In the changes of f844eb485eb056ad3b67e49f95cbc6c685a73db4 only the first line was correctly translated to the new NVIDIA header macros: - PUSH_NVSQ(push, NV827C, 0x0110, 0, - 0x0114, 0); + PUSH_MTHD(push, NV827C, SET_PROCESSING, + NVDEF(NV827C, SET_PROCESSING, USE_GAIN_OFS, DISABLE)); The lower part ("0x0114, 0") was probably omitted by accident. This patch restores the push of the missing data and fixes the regression. Signed-off-by: Bastian Beranek Fixes: f844eb485eb05 ("drm/nouveau/kms/nv50-: use NVIDIA's headers for wndw image_set()") Link: https://gitlab.freedesktop.org/drm/nouveau/-/issues/14 Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit e50b0cb7da81619dbe32753b62ea2472c949316f Author: Dom Cobley Date: Thu Jan 21 11:57:59 2021 +0100 drm/vc4: Correct POS1_SCL for hvs5 commit f6b57101a6b31277a4bde1d8028c46e898bd2ff2 upstream. Fixes failure with 4096x1080 resolutions [ 284.315379] WARNING: CPU: 1 PID: 901 at drivers/gpu/drm/vc4/vc4_plane.c:981 vc4_plane_mode_set+0x1374/0x13c4 [ 284.315385] Modules linked in: ir_rc5_decoder rpivid_hevc(C) bcm2835_codec(C) bcm2835_isp(C) bcm2835_mmal_vchiq(C) bcm2835_gpiomem v4l2_mem2mem videobuf2_dma_contig videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc cdc_acm xpad ir_rc6_decoder rc_rc6_mce gpio_ir_recv fuse [ 284.315509] CPU: 1 PID: 901 Comm: kodi.bin Tainted: G C 5.10.7 #1 [ 284.315514] Hardware name: BCM2711 [ 284.315518] Backtrace: [ 284.315533] [] (dump_backtrace) from [] (show_stack+0x20/0x24) [ 284.315540] r7:ffffffff r6:00000000 r5:68000013 r4:c18ecf1c [ 284.315549] [] (show_stack) from [] (dump_stack+0xc4/0xf0) [ 284.315558] [] (dump_stack) from [] (__warn+0xfc/0x158) [ 284.315564] r9:00000000 r8:00000009 r7:000003d5 r6:00000009 r5:c08cc7dc r4:c0fd09b8 [ 284.315572] [] (__warn) from [] (warn_slowpath_fmt+0x74/0xe4) [ 284.315577] r7:c08cc7dc r6:000003d5 r5:c0fd09b8 r4:00000000 [ 284.315584] [] (warn_slowpath_fmt) from [] (vc4_plane_mode_set+0x1374/0x13c4) [ 284.315589] r8:00000000 r7:00000000 r6:00001000 r5:c404c600 r4:c2e34600 [ 284.315596] [] (vc4_plane_mode_set) from [] (vc4_plane_atomic_check+0x40/0x1c0) [ 284.315601] r10:00000001 r9:c2e34600 r8:c0e67068 r7:c0fc44e0 r6:c2ce3640 r5:c3d636c0 [ 284.315605] r4:c2e34600 [ 284.315614] [] (vc4_plane_atomic_check) from [] (drm_atomic_helper_check_planes+0xec/0x1ec) [ 284.315620] r9:c2e34600 r8:c0e67068 r7:c0fc44e0 r6:c2ce3640 r5:c3d636c0 r4:00000006 [ 284.315627] [] (drm_atomic_helper_check_planes) from [] (drm_atomic_helper_check+0x54/0x9c) [ 284.315633] r9:c2e35400 r8:00000006 r7:00000000 r6:c2ba7800 r5:c3d636c0 r4:00000000 [ 284.315641] [] (drm_atomic_helper_check) from [] (vc4_atomic_check+0x25c/0x454) [ 284.315645] r7:00000000 r6:c2ba7800 r5:00000001 r4:c3d636c0 [ 284.315652] [] (vc4_atomic_check) from [] (drm_atomic_check_only+0x5cc/0x7e0) [ 284.315658] r10:c404c6c8 r9:ffffffff r8:c472c480 r7:00000003 r6:c3d636c0 r5:00000000 [ 284.315662] r4:0000003c r3:c08b7a4c [ 284.315670] [] (drm_atomic_check_only) from [] (drm_mode_atomic_ioctl+0x758/0xa7c) [ 284.315675] r10:c3d46000 r9:c3d636c0 r8:c2ce8a70 r7:027e3a54 r6:00000043 r5:c1fbb800 [ 284.315679] r4:0281a858 [ 284.315688] [] (drm_mode_atomic_ioctl) from [] (drm_ioctl_kernel+0xc4/0x108) [ 284.315693] r10:c03864bc r9:c1fbb800 r8:c3d47e64 r7:c089b308 r6:00000002 r5:c2ba7800 [ 284.315697] r4:00000000 [ 284.315705] [] (drm_ioctl_kernel) from [] (drm_ioctl+0x1e8/0x3a0) [ 284.315711] r9:c1fbb800 r8:000000bc r7:c3d47e64 r6:00000038 r5:c0e59570 r4:00000038 [ 284.315719] [] (drm_ioctl) from [] (sys_ioctl+0x35c/0x914) [ 284.315724] r10:c2d08200 r9:00000000 r8:c36fa300 r7:befdd870 r6:c03864bc r5:c36fa301 [ 284.315728] r4:c03864bc [ 284.315735] [] (sys_ioctl) from [] (ret_fast_syscall+0x0/0x28) [ 284.315739] Exception stack(0xc3d47fa8 to 0xc3d47ff0) [ 284.315745] 7fa0: 027eb750 befdd870 00000000 c03864bc befdd870 00000000 [ 284.315750] 7fc0: 027eb750 befdd870 c03864bc 00000036 027e3948 0281a640 0281a850 027e3a50 [ 284.315756] 7fe0: b4b64100 befdd844 b4b5ba2c b49c994c [ 284.315762] r10:00000036 r9:c3d46000 r8:c0200204 r7:00000036 r6:c03864bc r5:befdd870 [ 284.315765] r4:027eb750 Fixes: c54619b0bfb3 ("drm/vc4: Add support for the BCM2711 HVS5") Signed-off-by: Dom Cobley Signed-off-by: Maxime Ripard Reviewed-by: Dave Stevenson Tested-By: Lucas Nussbaum Tested-By: Ryutaroh Matsumoto Link: https://patchwork.freedesktop.org/patch/msgid/20210121105759.1262699-2-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit 21e3ad805486e911607b26906ac1e801ff490825 Author: Dom Cobley Date: Thu Jan 21 11:57:58 2021 +0100 drm/vc4: Correct lbm size and calculation commit 78e5330329ee206d6aa4593a90320fd837f7966e upstream. LBM base address is measured in units of pixels per cycle. That is 4 for 2711 (hvs5) and 2 for 2708. We are wasting 75% of lbm by indexing without the scaling. But we were also using too high a size for the lbm resulting in partial corruption (right hand side) of vertically scaled images, usually at 4K or lower resolutions with more layers. The physical RAM of LBM on 2711 is 8 * 1920 * 16 * 12-bit (pixels are stored 12-bits per component regardless of format). The LBM address indexes work in units of pixels per clock, so for 4 pixels per clock that means we have 32 * 1920 = 60K Fixes: c54619b0bfb3 ("drm/vc4: Add support for the BCM2711 HVS5") Signed-off-by: Dom Cobley Signed-off-by: Maxime Ripard Reviewed-by: Dave Stevenson Tested-By: Lucas Nussbaum Tested-By: Ryutaroh Matsumoto Link: https://patchwork.freedesktop.org/patch/msgid/20210121105759.1262699-1-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit 112821f254b6f2d4a0f8e6a39f93cf0db62f95fb Author: Karol Herbst Date: Mon Jan 18 18:16:06 2021 +0100 drm/nouveau/svm: fail NOUVEAU_SVM_INIT ioctl on unsupported devices commit dcd602cc5fe2803bf532d407cde24ba0b7808ff3 upstream. Fixes a crash when trying to create a channel on e.g. Turing GPUs when NOUVEAU_SVM_INIT was called before. Fixes: eeaf06ac1a558 ("drm/nouveau/svm: initial support for shared virtual memory") Signed-off-by: Karol Herbst Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 1310c7a48279e39ed3b178281232efa9aeccab06 Author: Marco Felsch Date: Wed Dec 2 19:05:58 2020 +0100 ARM: dts: imx6qdl-kontron-samx6i: fix pwms for lcd-backlight commit 6337c2353a069b6f1276dc35421e421ef6c1ead9 upstream. The pwms property have to specify the no-/inverted flag since commit fa28d8212ede ("ARM: dts: imx: default to #pwm-cells = <3> in the SoC dtsi files"). Fixes: fa28d8212ede ("ARM: dts: imx: default to #pwm-cells = <3> in the SoC dtsi files") Signed-off-by: Marco Felsch Reviewed-by: Uwe Kleine-König Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit 99bb37ab284caf3c70139b059546b31b5be731b1 Author: Maxim Mikityanskiy Date: Wed Nov 25 13:52:36 2020 +0200 net/mlx5e: Fix IPSEC stats commit 45c9a30835d84009dfe711f5c8836720767c286e upstream. When IPSEC offload isn't active, the number of stats is not zero, but the strings are not filled, leading to exposing stats with empty names. Fix this by using the same condition for NUM_STATS and FILL_STRS. Fixes: 0aab3e1b04ae ("net/mlx5e: IPSec, Expose IPsec HW stat only for supporting HW") Signed-off-by: Maxim Mikityanskiy Reviewed-by: Raed Salem Reviewed-by: Tariq Toukan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 37ef64511f31323f591310fce734979ae11e6a38 Author: Tvrtko Ursulin Date: Mon Jan 18 10:07:24 2021 +0000 drm/i915/pmu: Don't grab wakeref when enabling events commit 171a8e99828144050015672016dd63494c6d200a upstream. Chris found a CI report which points out calling intel_runtime_pm_get from inside i915_pmu_enable hook is not allowed since it can be invoked from hard irq context. This is something we knew but forgot, so lets fix it once again. We do this by syncing the internal book keeping with hardware rc6 counter on driver load. v2: * Always sync on parking and fully sync on init. Signed-off-by: Tvrtko Ursulin Fixes: f4e9894b6952 ("drm/i915/pmu: Correct the rc6 offset upon enabling") Cc: Chris Wilson Reviewed-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20201214094349.3563876-1-tvrtko.ursulin@linux.intel.com (cherry picked from commit dbe13ae1d6abaab417edf3c37601c6a56594a4cd) Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20210118100724.465555-1-chris@chris-wilson.co.uk Signed-off-by: Greg Kroah-Hartman commit 520d05a77b2866eb4cb9e548e1d8c8abcfe60ec5 Author: Chris Wilson Date: Sun Jan 17 09:30:15 2021 +0000 drm/i915/gt: Clear CACHE_MODE prior to clearing residuals commit ef99a60ffd9b918354e038bc5e61f007ff7e901d upstream. Since we do a bare context switch with no restore, the clear residual kernel runs on dirty state, and we must be careful to avoid executing with bad state from context registers inherited from a malicious client. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2955 Fixes: 09aa9e45863e ("drm/i915/gt: Restore clear-residual mitigations for Ivybridge, Baytrail") Testcase: igt/gem_ctx_isolation # ivb,vlv Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Akeem G Abodunrin Reviewed-by: Akeem G Abodunrin Link: https://patchwork.freedesktop.org/patch/msgid/20210117093015.29143-1-chris@chris-wilson.co.uk (cherry picked from commit ace44e13e577c2ae59980e9a6ff5ca253b1cf831) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 800ca7687c87368817b5985b9093363351969363 Author: Matti Gottlieb Date: Fri Jan 22 14:52:40 2021 +0200 iwlwifi: Fix IWL_SUBDEVICE_NO_160 macro to use the correct bit. commit 4886460c4d1576e85b12601b8b328278a483df86 upstream. The bit that indicates if the device supports 160MHZ is bit #9. The macro checks bit #8. Fix IWL_SUBDEVICE_NO_160 macro to use the correct bit. Signed-off-by: Matti Gottlieb Fixes: d6f2134a3831 ("iwlwifi: add mac/rf types and 160MHz to the device tables") Signed-off-by: Luca Coelho Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/iwlwifi.20210122144849.bddbf9b57a75.I16e09e2b1404b16bfff70852a5a654aa468579e2@changeid Signed-off-by: Greg Kroah-Hartman commit 621f05288c3da4055aa93b240f8aa68063db2df3 Author: Lorenzo Bianconi Date: Thu Jan 14 18:10:52 2021 +0100 mt7601u: fix rx buffer refcounting commit d24c790577ef01bfa01da2b131313a38c843a634 upstream. Fix the following crash due to erroneous page refcounting: [ 32.445919] BUG: Bad page state in process swapper/1 pfn:11f65a [ 32.447409] page:00000000938f0632 refcount:0 mapcount:-128 mapping:0000000000000000 index:0x0 pfn:0x11f65a [ 32.449605] flags: 0x8000000000000000() [ 32.450421] raw: 8000000000000000 ffffffff825b0148 ffffea00045ae988 0000000000000000 [ 32.451795] raw: 0000000000000000 0000000000000001 00000000ffffff7f 0000000000000000 [ 32.452999] page dumped because: nonzero mapcount [ 32.453888] Modules linked in: [ 32.454492] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.11.0-rc2+ #1976 [ 32.455695] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-1.fc33 04/01/2014 [ 32.457157] Call Trace: [ 32.457636] [ 32.457993] dump_stack+0x77/0x97 [ 32.458576] bad_page.cold+0x65/0x96 [ 32.459198] get_page_from_freelist+0x46a/0x11f0 [ 32.460008] __alloc_pages_nodemask+0x10a/0x2b0 [ 32.460794] mt7601u_rx_tasklet+0x651/0x720 [ 32.461505] tasklet_action_common.constprop.0+0x6b/0xd0 [ 32.462343] __do_softirq+0x152/0x46c [ 32.462928] asm_call_irq_on_stack+0x12/0x20 [ 32.463610] [ 32.463953] do_softirq_own_stack+0x5b/0x70 [ 32.464582] irq_exit_rcu+0x9f/0xe0 [ 32.465028] common_interrupt+0xae/0x1a0 [ 32.465536] asm_common_interrupt+0x1e/0x40 [ 32.466071] RIP: 0010:default_idle+0x18/0x20 [ 32.468981] RSP: 0018:ffffc90000077f00 EFLAGS: 00000246 [ 32.469648] RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000 [ 32.470550] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff81aac3dd [ 32.471463] RBP: ffff88810022ab00 R08: 0000000000000001 R09: 0000000000000001 [ 32.472335] R10: 0000000000000046 R11: 0000000000005aa0 R12: 0000000000000000 [ 32.473235] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 [ 32.474139] ? default_idle_call+0x4d/0x200 [ 32.474681] default_idle_call+0x74/0x200 [ 32.475192] do_idle+0x1d5/0x250 [ 32.475612] cpu_startup_entry+0x19/0x20 [ 32.476114] secondary_startup_64_no_verify+0xb0/0xbb [ 32.476765] Disabling lock debugging due to kernel taint Fixes: c869f77d6abb ("add mt7601u driver") Co-developed-by: Felix Fietkau Signed-off-by: Felix Fietkau Signed-off-by: Lorenzo Bianconi Acked-by: Jakub Kicinski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/62b2380c8c2091834cfad05e1059b55f945bd114.1610643952.git.lorenzo@kernel.org Signed-off-by: Greg Kroah-Hartman commit cfe3425c5acd0adcc701631b0125c41b6597fa31 Author: Lorenzo Bianconi Date: Thu Jan 14 18:26:47 2021 +0100 mt76: mt7663s: fix rx buffer refcounting commit 952de419b6179ad1424f512d52ec7122662fdf63 upstream. Similar to mt7601u driver, fix erroneous rx page refcounting Fixes: a66cbdd6573d ("mt76: mt7615: introduce mt7663s support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/dca19c9d445156201bc41f7cbb6e894bbc9a678c.1610644945.git.lorenzo@kernel.org Signed-off-by: Greg Kroah-Hartman commit 083274407a8e08b39fcd3093143a36f863350433 Author: Lorenzo Bianconi Date: Sun Jan 17 22:46:01 2021 +0100 mt7601u: fix kernel crash unplugging the device commit 0acb20a5438c36e0cf2b8bf255f314b59fcca6ef upstream. The following crash log can occur unplugging the usb dongle since, after the urb poison in mt7601u_free_tx_queue(), usb_submit_urb() will always fail resulting in a skb kfree while the skb has been already queued. Fix the issue enqueuing the skb only if usb_submit_urb() succeed. Hardware name: Hewlett-Packard 500-539ng/2B2C, BIOS 80.06 04/01/2015 Workqueue: usb_hub_wq hub_event RIP: 0010:skb_trim+0x2c/0x30 RSP: 0000:ffffb4c88005bba8 EFLAGS: 00010206 RAX: 000000004ad483ee RBX: ffff9a236625dee0 RCX: 000000000000662f RDX: 000000000000000c RSI: 0000000000000000 RDI: ffff9a2343179300 RBP: ffff9a2343179300 R08: 0000000000000001 R09: 0000000000000000 R10: ffff9a23748f7840 R11: 0000000000000001 R12: ffff9a236625e4d4 R13: ffff9a236625dee0 R14: 0000000000001080 R15: 0000000000000008 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fd410a34ef8 CR3: 00000001416ee001 CR4: 00000000001706f0 Call Trace: mt7601u_tx_status+0x3e/0xa0 [mt7601u] mt7601u_dma_cleanup+0xca/0x110 [mt7601u] mt7601u_cleanup+0x22/0x30 [mt7601u] mt7601u_disconnect+0x22/0x60 [mt7601u] usb_unbind_interface+0x8a/0x270 ? kernfs_find_ns+0x35/0xd0 __device_release_driver+0x17a/0x230 device_release_driver+0x24/0x30 bus_remove_device+0xdb/0x140 device_del+0x18b/0x430 ? kobject_put+0x98/0x1d0 usb_disable_device+0xc6/0x1f0 usb_disconnect.cold+0x7e/0x20a hub_event+0xbf3/0x1870 process_one_work+0x1b6/0x350 worker_thread+0x53/0x3e0 ? process_one_work+0x350/0x350 kthread+0x11b/0x140 ? __kthread_bind_mask+0x60/0x60 ret_from_fork+0x22/0x30 Fixes: 23377c200b2eb ("mt7601u: fix possible memory leak when the device is disconnected") Signed-off-by: Lorenzo Bianconi Acked-by: Jakub Kicinski Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/3b85219f669a63a8ced1f43686de05915a580489.1610919247.git.lorenzo@kernel.org Signed-off-by: Greg Kroah-Hartman commit b04c1c534b66539ee9b474bdf896ead401a9c19a Author: Bharat Gooty Date: Tue Jan 19 11:04:44 2021 +0530 arm64: dts: broadcom: Fix USB DMA address translation for Stingray commit da8ee66f56071aef0b5b0de41d2c2a97fa30c8a1 upstream. Add a non-empty dma-ranges so that DMA address translation happens. Fixes: 2013a4b684b6 ("arm64: dts: broadcom: clear the warnings caused by empty dma-ranges") Signed-off-by: Bharat Gooty Signed-off-by: Rayagonda Kokatanur Reviewed-by: Arnd Bergmann Acked-by: Ray Jui Signed-off-by: Florian Fainelli Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 736924801c1d0e784af2a7336b4dd92fc6d2bd82 Author: Andrea Righi Date: Wed Nov 25 16:18:22 2020 +0100 leds: trigger: fix potential deadlock with libata commit 27af8e2c90fba242460b01fa020e6e19ed68c495 upstream. We have the following potential deadlock condition: ======================================================== WARNING: possible irq lock inversion dependency detected 5.10.0-rc2+ #25 Not tainted -------------------------------------------------------- swapper/3/0 just changed the state of lock: ffff8880063bd618 (&host->lock){-...}-{2:2}, at: ata_bmdma_interrupt+0x27/0x200 but this lock took another, HARDIRQ-READ-unsafe lock in the past: (&trig->leddev_list_lock){.+.?}-{2:2} and interrupts could create inverse lock ordering between them. other info that might help us debug this: Possible interrupt unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&trig->leddev_list_lock); local_irq_disable(); lock(&host->lock); lock(&trig->leddev_list_lock); lock(&host->lock); *** DEADLOCK *** no locks held by swapper/3/0. the shortest dependencies between 2nd lock and 1st lock: -> (&trig->leddev_list_lock){.+.?}-{2:2} ops: 46 { HARDIRQ-ON-R at: lock_acquire+0x15f/0x420 _raw_read_lock+0x42/0x90 led_trigger_event+0x2b/0x70 rfkill_global_led_trigger_worker+0x94/0xb0 process_one_work+0x240/0x560 worker_thread+0x58/0x3d0 kthread+0x151/0x170 ret_from_fork+0x1f/0x30 IN-SOFTIRQ-R at: lock_acquire+0x15f/0x420 _raw_read_lock+0x42/0x90 led_trigger_event+0x2b/0x70 kbd_bh+0x9e/0xc0 tasklet_action_common.constprop.0+0xe9/0x100 tasklet_action+0x22/0x30 __do_softirq+0xcc/0x46d run_ksoftirqd+0x3f/0x70 smpboot_thread_fn+0x116/0x1f0 kthread+0x151/0x170 ret_from_fork+0x1f/0x30 SOFTIRQ-ON-R at: lock_acquire+0x15f/0x420 _raw_read_lock+0x42/0x90 led_trigger_event+0x2b/0x70 rfkill_global_led_trigger_worker+0x94/0xb0 process_one_work+0x240/0x560 worker_thread+0x58/0x3d0 kthread+0x151/0x170 ret_from_fork+0x1f/0x30 INITIAL READ USE at: lock_acquire+0x15f/0x420 _raw_read_lock+0x42/0x90 led_trigger_event+0x2b/0x70 rfkill_global_led_trigger_worker+0x94/0xb0 process_one_work+0x240/0x560 worker_thread+0x58/0x3d0 kthread+0x151/0x170 ret_from_fork+0x1f/0x30 } ... key at: [] __key.0+0x0/0x10 ... acquired at: _raw_read_lock+0x42/0x90 led_trigger_blink_oneshot+0x3b/0x90 ledtrig_disk_activity+0x3c/0xa0 ata_qc_complete+0x26/0x450 ata_do_link_abort+0xa3/0xe0 ata_port_freeze+0x2e/0x40 ata_hsm_qc_complete+0x94/0xa0 ata_sff_hsm_move+0x177/0x7a0 ata_sff_pio_task+0xc7/0x1b0 process_one_work+0x240/0x560 worker_thread+0x58/0x3d0 kthread+0x151/0x170 ret_from_fork+0x1f/0x30 -> (&host->lock){-...}-{2:2} ops: 69 { IN-HARDIRQ-W at: lock_acquire+0x15f/0x420 _raw_spin_lock_irqsave+0x52/0xa0 ata_bmdma_interrupt+0x27/0x200 __handle_irq_event_percpu+0xd5/0x2b0 handle_irq_event+0x57/0xb0 handle_edge_irq+0x8c/0x230 asm_call_irq_on_stack+0xf/0x20 common_interrupt+0x100/0x1c0 asm_common_interrupt+0x1e/0x40 native_safe_halt+0xe/0x10 arch_cpu_idle+0x15/0x20 default_idle_call+0x59/0x1c0 do_idle+0x22c/0x2c0 cpu_startup_entry+0x20/0x30 start_secondary+0x11d/0x150 secondary_startup_64_no_verify+0xa6/0xab INITIAL USE at: lock_acquire+0x15f/0x420 _raw_spin_lock_irqsave+0x52/0xa0 ata_dev_init+0x54/0xe0 ata_link_init+0x8b/0xd0 ata_port_alloc+0x1f1/0x210 ata_host_alloc+0xf1/0x130 ata_host_alloc_pinfo+0x14/0xb0 ata_pci_sff_prepare_host+0x41/0xa0 ata_pci_bmdma_prepare_host+0x14/0x30 piix_init_one+0x21f/0x600 local_pci_probe+0x48/0x80 pci_device_probe+0x105/0x1c0 really_probe+0x221/0x490 driver_probe_device+0xe9/0x160 device_driver_attach+0xb2/0xc0 __driver_attach+0x91/0x150 bus_for_each_dev+0x81/0xc0 driver_attach+0x1e/0x20 bus_add_driver+0x138/0x1f0 driver_register+0x91/0xf0 __pci_register_driver+0x73/0x80 piix_init+0x1e/0x2e do_one_initcall+0x5f/0x2d0 kernel_init_freeable+0x26f/0x2cf kernel_init+0xe/0x113 ret_from_fork+0x1f/0x30 } ... key at: [] __key.6+0x0/0x10 ... acquired at: __lock_acquire+0x9da/0x2370 lock_acquire+0x15f/0x420 _raw_spin_lock_irqsave+0x52/0xa0 ata_bmdma_interrupt+0x27/0x200 __handle_irq_event_percpu+0xd5/0x2b0 handle_irq_event+0x57/0xb0 handle_edge_irq+0x8c/0x230 asm_call_irq_on_stack+0xf/0x20 common_interrupt+0x100/0x1c0 asm_common_interrupt+0x1e/0x40 native_safe_halt+0xe/0x10 arch_cpu_idle+0x15/0x20 default_idle_call+0x59/0x1c0 do_idle+0x22c/0x2c0 cpu_startup_entry+0x20/0x30 start_secondary+0x11d/0x150 secondary_startup_64_no_verify+0xa6/0xab This lockdep splat is reported after: commit e918188611f0 ("locking: More accurate annotations for read_lock()") To clarify: - read-locks are recursive only in interrupt context (when in_interrupt() returns true) - after acquiring host->lock in CPU1, another cpu (i.e. CPU2) may call write_lock(&trig->leddev_list_lock) that would be blocked by CPU0 that holds trig->leddev_list_lock in read-mode - when CPU1 (ata_ac_complete()) tries to read-lock trig->leddev_list_lock, it would be blocked by the write-lock waiter on CPU2 (because we are not in interrupt context, so the read-lock is not recursive) - at this point if an interrupt happens on CPU0 and ata_bmdma_interrupt() is executed it will try to acquire host->lock, that is held by CPU1, that is currently blocked by CPU2, so: * CPU0 blocked by CPU1 * CPU1 blocked by CPU2 * CPU2 blocked by CPU0 *** DEADLOCK *** The deadlock scenario is better represented by the following schema (thanks to Boqun Feng for the schema and the detailed explanation of the deadlock condition): CPU 0: CPU 1: CPU 2: ----- ----- ----- led_trigger_event(): read_lock(&trig->leddev_list_lock); ata_hsm_qc_complete(): spin_lock_irqsave(&host->lock); write_lock(&trig->leddev_list_lock); ata_port_freeze(): ata_do_link_abort(): ata_qc_complete(): ledtrig_disk_activity(): led_trigger_blink_oneshot(): read_lock(&trig->leddev_list_lock); // ^ not in in_interrupt() context, so could get blocked by CPU 2 ata_bmdma_interrupt(): spin_lock_irqsave(&host->lock); Fix by using read_lock_irqsave/irqrestore() in led_trigger_event(), so that no interrupt can happen in between, preventing the deadlock condition. Apply the same change to led_trigger_blink_setup() as well, since the same deadlock scenario can also happen in power_supply_update_bat_leds() -> led_trigger_blink() -> led_trigger_blink_setup() (workqueue context), and potentially prevent other similar usages. Link: https://lore.kernel.org/lkml/20201101092614.GB3989@xps-13-7390/ Fixes: eb25cb9956cc ("leds: convert IDE trigger to common disk trigger") Signed-off-by: Andrea Righi Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman commit 5f3d54c00f1f2682cee9c590c22655b0330ffd18 Author: David Woodhouse Date: Tue Jan 26 17:01:49 2021 +0000 xen: Fix XenStore initialisation for XS_LOCAL commit 5f46400f7a6a4fad635d5a79e2aa5a04a30ffea1 upstream. In commit 3499ba8198ca ("xen: Fix event channel callback via INTX/GSI") I reworked the triggering of xenbus_probe(). I tried to simplify things by taking out the workqueue based startup triggered from wake_waiting(); the somewhat poorly named xenbus IRQ handler. I missed the fact that in the XS_LOCAL case (Dom0 starting its own xenstored or xenstore-stubdom, which happens after the kernel is booted completely), that IRQ-based trigger is still actually needed. So... put it back, except more cleanly. By just spawning a xenbus_probe thread which waits on xb_waitq and runs the probe the first time it gets woken, just as the workqueue-based hack did. This is actually a nicer approach for *all* the back ends with different interrupt methods, and we can switch them all over to that without the complex conditions for when to trigger it. But not in -rc6. This is the minimal fix for the regression, although it's a step in the right direction instead of doing a partial revert and actually putting the workqueue back. It's also simpler than the workqueue. Fixes: 3499ba8198ca ("xen: Fix event channel callback via INTX/GSI") Reported-by: Juergen Gross Signed-off-by: David Woodhouse Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/4c9af052a6e0f6485d1de43f2c38b1461996db99.camel@infradead.org Signed-off-by: Juergen Gross Cc: Salvatore Bonaccorso Cc: Jason Andryuk Signed-off-by: Greg Kroah-Hartman commit bc79ff0b1a19d1652beebdc93a5a92c0518b3787 Author: Pavel Begunkov Date: Tue Jan 26 23:35:10 2021 +0000 io_uring: fix wqe->lock/completion_lock deadlock commit 907d1df30a51cc1a1d25414a00cde0494b83df7b upstream. Joseph reports following deadlock: CPU0: ... io_kill_linked_timeout // &ctx->completion_lock io_commit_cqring __io_queue_deferred __io_queue_async_work io_wq_enqueue io_wqe_enqueue // &wqe->lock CPU1: ... __io_uring_files_cancel io_wq_cancel_cb io_wqe_cancel_pending_work // &wqe->lock io_cancel_task_cb // &ctx->completion_lock Only __io_queue_deferred() calls queue_async_work() while holding ctx->completion_lock, enqueue drained requests via io_req_task_queue() instead. Cc: stable@vger.kernel.org # 5.9+ Reported-by: Joseph Qi Tested-by: Joseph Qi Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 256a0040c6c9f6d342044897e33f280426a4e315 Author: Marc Zyngier Date: Thu Jan 21 12:08:15 2021 +0000 KVM: Forbid the use of tagged userspace addresses for memslots commit 139bc8a6146d92822c866cf2fd410159c56b3648 upstream. The use of a tagged address could be pretty confusing for the whole memslot infrastructure as well as the MMU notifiers. Forbid it altogether, as it never quite worked the first place. Cc: stable@vger.kernel.org Reported-by: Rick Edgecombe Reviewed-by: Catalin Marinas Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit e895a39a2bcdbb1d602316f3fb416aa93818805a Author: Jay Zhou Date: Mon Jan 18 16:47:20 2021 +0800 KVM: x86: get smi pending status correctly commit 1f7becf1b7e21794fc9d460765fe09679bc9b9e0 upstream. The injection process of smi has two steps: Qemu KVM Step1: cpu->interrupt_request &= \ ~CPU_INTERRUPT_SMI; kvm_vcpu_ioctl(cpu, KVM_SMI) call kvm_vcpu_ioctl_smi() and kvm_make_request(KVM_REQ_SMI, vcpu); Step2: kvm_vcpu_ioctl(cpu, KVM_RUN, 0) call process_smi() if kvm_check_request(KVM_REQ_SMI, vcpu) is true, mark vcpu->arch.smi_pending = true; The vcpu->arch.smi_pending will be set true in step2, unfortunately if vcpu paused between step1 and step2, the kvm_run->immediate_exit will be set and vcpu has to exit to Qemu immediately during step2 before mark vcpu->arch.smi_pending true. During VM migration, Qemu will get the smi pending status from KVM using KVM_GET_VCPU_EVENTS ioctl at the downtime, then the smi pending status will be lost. Signed-off-by: Jay Zhou Signed-off-by: Shengen Zhuang Message-Id: <20210118084720.1585-1-jianjay.zhou@huawei.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 427adbb3be8a0dd790bd892207b166cf27515185 Author: Maxim Levitsky Date: Thu Jan 14 22:54:47 2021 +0200 KVM: nVMX: Sync unsync'd vmcs02 state to vmcs12 on migration commit d51e1d3f6b4236e0352407d8a63f5c5f71ce193d upstream. Even when we are outside the nested guest, some vmcs02 fields may not be in sync vs vmcs12. This is intentional, even across nested VM-exit, because the sync can be delayed until the nested hypervisor performs a VMCLEAR or a VMREAD/VMWRITE that affects those rarely accessed fields. However, during KVM_GET_NESTED_STATE, the vmcs12 has to be up to date to be able to restore it. To fix that, call copy_vmcs02_to_vmcs12_rare() before the vmcs12 contents are copied to userspace. Fixes: 7952d769c29ca ("KVM: nVMX: Sync rarely accessed guest fields only when needed") Reviewed-by: Sean Christopherson Signed-off-by: Maxim Levitsky Message-Id: <20210114205449.8715-2-mlevitsk@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit cffcb5e0fe2c994f0aa5d01b3c16e3f8a59350aa Author: Paolo Bonzini Date: Fri Jan 8 11:43:08 2021 -0500 KVM: x86: allow KVM_REQ_GET_NESTED_STATE_PAGES outside guest mode for VMX commit 9a78e15802a87de2b08dfd1bd88e855201d2c8fa upstream. VMX also uses KVM_REQ_GET_NESTED_STATE_PAGES for the Hyper-V eVMCS, which may need to be loaded outside guest mode. Therefore we cannot WARN in that case. However, that part of nested_get_vmcs12_pages is _not_ needed at vmentry time. Split it out of KVM_REQ_GET_NESTED_STATE_PAGES handling, so that both vmentry and migration (and in the latter case, independent of is_guest_mode) do the parts that are needed. Cc: # 5.10.x: f2c7ef3ba: KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES Cc: # 5.10.x Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0faceb7d6dda6f370ff1fa0464d7180f7e5cb417 Author: Maxim Levitsky Date: Thu Jan 7 11:38:51 2021 +0200 KVM: nSVM: cancel KVM_REQ_GET_NESTED_STATE_PAGES on nested vmexit commit f2c7ef3ba9556d62a7e2bb23b563c6510007d55c upstream. It is possible to exit the nested guest mode, entered by svm_set_nested_state prior to first vm entry to it (e.g due to pending event) if the nested run was not pending during the migration. In this case we must not switch to the nested msr permission bitmap. Also add a warning to catch similar cases in the future. Fixes: a7d5c7ce41ac1 ("KVM: nSVM: delay MSR permission processing to first nested VM run") Signed-off-by: Maxim Levitsky Message-Id: <20210107093854.882483-2-mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit dca38d7f33bf1cbc9c480224c36a5e6babe1c5f5 Author: Marc Zyngier Date: Thu Jan 21 10:56:36 2021 +0000 KVM: arm64: Filter out v8.1+ events on v8.0 HW commit 9529aaa056edc76b3a41df616c71117ebe11e049 upstream. When running on v8.0 HW, make sure we don't try to advertise events in the 0x4000-0x403f range. Cc: stable@vger.kernel.org Fixes: 88865beca9062 ("KVM: arm64: Mask out filtered events in PCMEID{0,1}_EL1") Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20210121105636.1478491-1-maz@kernel.org Signed-off-by: Greg Kroah-Hartman commit a519d980445679c14b50a5a522f8576dff7b7fa7 Author: Like Xu Date: Mon Jan 18 10:58:00 2021 +0800 KVM: x86/pmu: Fix UBSAN shift-out-of-bounds warning in intel_pmu_refresh() commit e61ab2a320c3dfd6209efe18a575979e07470597 upstream. Since we know vPMU will not work properly when (1) the guest bit_width(s) of the [gp|fixed] counters are greater than the host ones, or (2) guest requested architectural events exceeds the range supported by the host, so we can setup a smaller left shift value and refresh the guest cpuid entry, thus fixing the following UBSAN shift-out-of-bounds warning: shift exponent 197 is too large for 64-bit type 'long long unsigned int' Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 intel_pmu_refresh.cold+0x75/0x99 arch/x86/kvm/vmx/pmu_intel.c:348 kvm_vcpu_after_set_cpuid+0x65a/0xf80 arch/x86/kvm/cpuid.c:177 kvm_vcpu_ioctl_set_cpuid2+0x160/0x440 arch/x86/kvm/cpuid.c:308 kvm_arch_vcpu_ioctl+0x11b6/0x2d70 arch/x86/kvm/x86.c:4709 kvm_vcpu_ioctl+0x7b9/0xdb0 arch/x86/kvm/../../../virt/kvm/kvm_main.c:3386 vfs_ioctl fs/ioctl.c:48 [inline] __do_sys_ioctl fs/ioctl.c:753 [inline] __se_sys_ioctl fs/ioctl.c:739 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:739 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syzbot+ae488dc136a4cc6ba32b@syzkaller.appspotmail.com Signed-off-by: Like Xu Message-Id: <20210118025800.34620-1-like.xu@linux.intel.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0517693dcc41eeb88a486fa2de9f593d728abe57 Author: Like Xu Date: Wed Dec 30 16:19:16 2020 +0800 KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] commit 98dd2f108e448988d91e296173e773b06fb978b8 upstream. The HW_REF_CPU_CYCLES event on the fixed counter 2 is pseudo-encoded as 0x0300 in the intel_perfmon_event_map[]. Correct its usage. Fixes: 62079d8a4312 ("KVM: PMU: add proper support for fixed counter 2") Signed-off-by: Like Xu Message-Id: <20201230081916.63417-1-like.xu@linux.intel.com> Reviewed-by: Sean Christopherson Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 2175bf57dc9522c58d93dcd474758434a3f05c57 Author: Josef Bacik Date: Fri Jan 15 16:26:17 2021 -0500 btrfs: fix possible free space tree corruption with online conversion commit 2f96e40212d435b328459ba6b3956395eed8fa9f upstream. While running btrfs/011 in a loop I would often ASSERT() while trying to add a new free space entry that already existed, or get an EEXIST while adding a new block to the extent tree, which is another indication of double allocation. This occurs because when we do the free space tree population, we create the new root and then populate the tree and commit the transaction. The problem is when you create a new root, the root node and commit root node are the same. During this initial transaction commit we will run all of the delayed refs that were paused during the free space tree generation, and thus begin to cache block groups. While caching block groups the caching thread will be reading from the main root for the free space tree, so as we make allocations we'll be changing the free space tree, which can cause us to add the same range twice which results in either the ASSERT(ret != -EEXIST); in __btrfs_add_free_space, or in a variety of different errors when running delayed refs because of a double allocation. Fix this by marking the fs_info as unsafe to load the free space tree, and fall back on the old slow method. We could be smarter than this, for example caching the block group while we're populating the free space tree, but since this is a serious problem I've opted for the simplest solution. CC: stable@vger.kernel.org # 4.9+ Fixes: a5ed91828518 ("Btrfs: implement the free space B-tree") Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit f343bf1aaf5517683d77be1f78da0d7117770464 Author: Su Yue Date: Thu Jan 21 19:39:10 2021 +0800 btrfs: fix lockdep warning due to seqcount_mutex on 32bit arch commit c41ec4529d3448df8998950d7bada757a1b321cf upstream. This effectively reverts commit d5c8238849e7 ("btrfs: convert data_seqcount to seqcount_mutex_t"). While running fstests on 32 bits test box, many tests failed because of warnings in dmesg. One of those warnings (btrfs/003): [66.441317] WARNING: CPU: 6 PID: 9251 at include/linux/seqlock.h:279 btrfs_remove_chunk+0x58b/0x7b0 [btrfs] [66.441446] CPU: 6 PID: 9251 Comm: btrfs Tainted: G O 5.11.0-rc4-custom+ #5 [66.441449] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ArchLinux 1.14.0-1 04/01/2014 [66.441451] EIP: btrfs_remove_chunk+0x58b/0x7b0 [btrfs] [66.441472] EAX: 00000000 EBX: 00000001 ECX: c576070c EDX: c6b15803 [66.441475] ESI: 10000000 EDI: 00000000 EBP: c56fbcfc ESP: c56fbc70 [66.441477] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00010246 [66.441481] CR0: 80050033 CR2: 05c8da20 CR3: 04b20000 CR4: 00350ed0 [66.441485] Call Trace: [66.441510] btrfs_relocate_chunk+0xb1/0x100 [btrfs] [66.441529] ? btrfs_lookup_block_group+0x17/0x20 [btrfs] [66.441562] btrfs_balance+0x8ed/0x13b0 [btrfs] [66.441586] ? btrfs_ioctl_balance+0x333/0x3c0 [btrfs] [66.441619] ? __this_cpu_preempt_check+0xf/0x11 [66.441643] btrfs_ioctl_balance+0x333/0x3c0 [btrfs] [66.441664] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [66.441683] btrfs_ioctl+0x414/0x2ae0 [btrfs] [66.441700] ? __lock_acquire+0x35f/0x2650 [66.441717] ? lockdep_hardirqs_on+0x87/0x120 [66.441720] ? lockdep_hardirqs_on_prepare+0xd0/0x1e0 [66.441724] ? call_rcu+0x2d3/0x530 [66.441731] ? __might_fault+0x41/0x90 [66.441736] ? kvm_sched_clock_read+0x15/0x50 [66.441740] ? sched_clock+0x8/0x10 [66.441745] ? sched_clock_cpu+0x13/0x180 [66.441750] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [66.441750] ? btrfs_ioctl_get_supported_features+0x30/0x30 [btrfs] [66.441768] __ia32_sys_ioctl+0x165/0x8a0 [66.441773] ? __this_cpu_preempt_check+0xf/0x11 [66.441785] ? __might_fault+0x89/0x90 [66.441791] __do_fast_syscall_32+0x54/0x80 [66.441796] do_fast_syscall_32+0x32/0x70 [66.441801] do_SYSENTER_32+0x15/0x20 [66.441805] entry_SYSENTER_32+0x9f/0xf2 [66.441808] EIP: 0xab7b5549 [66.441814] EAX: ffffffda EBX: 00000003 ECX: c4009420 EDX: bfa91f5c [66.441816] ESI: 00000003 EDI: 00000001 EBP: 00000000 ESP: bfa91e98 [66.441818] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000292 [66.441833] irq event stamp: 42579 [66.441835] hardirqs last enabled at (42585): [] console_unlock+0x495/0x590 [66.441838] hardirqs last disabled at (42590): [] console_unlock+0x405/0x590 [66.441840] softirqs last enabled at (41698): [] call_on_stack+0x1c/0x60 [66.441843] softirqs last disabled at (41681): [] call_on_stack+0x1c/0x60 ======================================================================== btrfs_remove_chunk+0x58b/0x7b0: __seqprop_mutex_assert at linux/./include/linux/seqlock.h:279 (inlined by) btrfs_device_set_bytes_used at linux/fs/btrfs/volumes.h:212 (inlined by) btrfs_remove_chunk at linux/fs/btrfs/volumes.c:2994 ======================================================================== The warning is produced by lockdep_assert_held() in __seqprop_mutex_assert() if CONFIG_LOCKDEP is enabled. And "olumes.c:2994 is btrfs_device_set_bytes_used() with mutex lock fs_info->chunk_mutex held already. After adding some debug prints, the cause was found that many __alloc_device() are called with NULL @fs_info (during scanning ioctl). Inside the function, btrfs_device_data_ordered_init() is expanded to seqcount_mutex_init(). In this scenario, its second parameter info->chunk_mutex is &NULL->chunk_mutex which equals to offsetof(struct btrfs_fs_info, chunk_mutex) unexpectedly. Thus, seqcount_mutex_init() is called in wrong way. And later btrfs_device_get/set helpers trigger lockdep warnings. The device and filesystem object lifetimes are different and we'd have to synchronize initialization of the btrfs_device::data_seqcount with the fs_info, possibly using some additional synchronization. It would still not prevent concurrent access to the seqcount lock when it's used for read and initialization. Commit d5c8238849e7 ("btrfs: convert data_seqcount to seqcount_mutex_t") does not mention a particular problem being fixed so revert should not cause any harm and we'll get the lockdep warning fixed. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=210139 Reported-by: Erhard F Fixes: d5c8238849e7 ("btrfs: convert data_seqcount to seqcount_mutex_t") CC: stable@vger.kernel.org # 5.10 CC: Davidlohr Bueso Signed-off-by: Su Yue Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 767c8777ce9cbccf8887bbe92d123bf6308285eb Author: Claudiu Beznea Date: Fri Jan 22 14:21:34 2021 +0200 drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] commit 680896556805d3ad3fa47f6002b87b3041a45ac2 upstream. of_match_node() calls __of_match_node() which loops though the entries of matches array. It stops when condition: (matches->name[0] || matches->type[0] || matches->compatible[0]) is false. Thus, add a null entry at the end of at91_soc_allowed_list[] array. Fixes: caab13b49604 ("drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs") Cc: stable@vger.kernel.org #4.12+ Signed-off-by: Claudiu Beznea Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 6975f470ca5dc1f4215b51caf19708f0ff1134c3 Author: Sudeep Holla Date: Fri Dec 11 13:58:46 2020 +0000 drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs commit caab13b4960416b9fee83169a758eb0f31e65109 upstream. Since at91_soc_init is called unconditionally from atmel_soc_device_init, we get the following warning on all non AT91 SoCs: " AT91: Could not find identification node" Fix the same by filtering with allowed AT91 SoC list. Cc: Nicolas Ferre Cc: Alexandre Belloni Cc: Ludovic Desroches Cc: stable@vger.kernel.org #4.12+ Signed-off-by: Sudeep Holla Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20201211135846.1334322-1-sudeep.holla@arm.com Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 326644a0ede089e6b1d92fcbe89a77e637cefcab Author: Herbert Xu Date: Wed Jan 20 16:40:45 2021 +1100 crypto: marvel/cesa - Fix tdma descriptor on 64-bit commit 4f6543f28bb05433d87b6de6c21e9c14c35ecf33 upstream. The patch that added src_dma/dst_dma to struct mv_cesa_tdma_desc is broken on 64-bit systems as the size of the descriptor has been changed. This patch fixes it by using u32 instead of dma_addr_t. Fixes: e62291c1d9f4 ("crypto: marvell/cesa - Fix sparse warnings") Cc: Reported-by: Sven Auhagen Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit c6da541644970a78bf5b1cf26b276471607c9840 Author: Lukas Wunner Date: Thu Dec 31 06:10:32 2020 +0100 efi/apple-properties: Reinstate support for boolean properties commit 355845b738e76445c8522802552146d96cb4afa7 upstream. Since commit 4466bf82821b ("efi/apple-properties: use PROPERTY_ENTRY_U8_ARRAY_LEN"), my MacBook Pro issues a -ENODATA error when trying to assign EFI properties to the discrete GPU: pci 0000:01:00.0: assigning 56 device properties pci 0000:01:00.0: error -61 assigning properties That's because some of the properties have no value. They're booleans whose presence can be checked by drivers, e.g. "use-backlight-blanking". Commit 6e98503dba64 ("efi/apple-properties: Remove redundant attribute initialization from unmarshal_key_value_pairs()") employed a trick to store such booleans as u8 arrays (which is the data type used for all other EFI properties on Macs): It cleared the property_entry's "is_array" flag, thereby denoting that the value is stored inline in the property_entry. Commit 4466bf82821b erroneously removed that trick. It was probably a little fragile to begin with. Reinstate support for boolean properties by explicitly invoking the PROPERTY_ENTRY_BOOL() initializer for properties with zero-length value. Fixes: 4466bf82821b ("efi/apple-properties: use PROPERTY_ENTRY_U8_ARRAY_LEN") Cc: Reviewed-by: Andy Shevchenko Signed-off-by: Lukas Wunner Link: https://lore.kernel.org/r/be958bda75331a011d53c696d1deec8dccd06fd2.1609388549.git.lukas@wunner.de Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman commit 4c973f75074af1422c7f0ef1a3781b60594f64c8 Author: Nick Desaulniers Date: Tue Jan 12 11:46:24 2021 -0800 x86/entry: Emit a symbol for register restoring thunk commit 5e6dca82bcaa49348f9e5fcb48df4881f6d6c4ae upstream. Arnd found a randconfig that produces the warning: arch/x86/entry/thunk_64.o: warning: objtool: missing symbol for insn at offset 0x3e when building with LLVM_IAS=1 (Clang's integrated assembler). Josh notes: With the LLVM assembler not generating section symbols, objtool has no way to reference this code when it generates ORC unwinder entries, because this code is outside of any ELF function. The limitation now being imposed by objtool is that all code must be contained in an ELF symbol. And .L symbols don't create such symbols. So basically, you can use an .L symbol *inside* a function or a code segment, you just can't use the .L symbol to contain the code using a SYM_*_START/END annotation pair. Fangrui notes that this optimization is helpful for reducing image size when compiling with -ffunction-sections and -fdata-sections. I have observed on the order of tens of thousands of symbols for the kernel images built with those flags. A patch has been authored against GNU binutils to match this behavior of not generating unused section symbols ([1]), so this will also become a problem for users of GNU binutils once they upgrade to 2.36. Omit the .L prefix on a label so that the assembler will emit an entry into the symbol table for the label, with STB_LOCAL binding. This enables objtool to generate proper unwind info here with LLVM_IAS=1 or GNU binutils 2.36+. [ bp: Massage commit message. ] Reported-by: Arnd Bergmann Suggested-by: Josh Poimboeuf Suggested-by: Borislav Petkov Suggested-by: Mark Brown Signed-off-by: Nick Desaulniers Signed-off-by: Borislav Petkov Acked-by: Peter Zijlstra (Intel) Acked-by: Josh Poimboeuf Link: https://lkml.kernel.org/r/20210112194625.4181814-1-ndesaulniers@google.com Link: https://github.com/ClangBuiltLinux/linux/issues/1209 Link: https://reviews.llvm.org/D93783 Link: https://sourceware.org/binutils/docs/as/Symbol-Names.html Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=d1bcae833b32f1408485ce69f844dcd7ded093a8 [1] Cc: Chris Clayton Signed-off-by: Greg Kroah-Hartman commit c95981ecd9858a4c5da9f6095dbb5f02ef3befec Author: Laurent Badel Date: Fri Jan 22 17:19:41 2021 +0100 PM: hibernate: flush swap writer after marking commit fef9c8d28e28a808274a18fbd8cc2685817fd62a upstream. Flush the swap writer after, not before, marking the files, to ensure the signature is properly written. Fixes: 6f612af57821 ("PM / Hibernate: Group swap ops") Signed-off-by: Laurent Badel Cc: All applicable Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit e6e9ded8ffa495f3191e90cc945a03e6059d0827 Author: Tony Krowiak Date: Tue Dec 22 20:15:53 2020 -0500 s390/vfio-ap: No need to disable IRQ after queue reset commit 6c12a6384e0c0b96debd88b24028e58f2ebd417b upstream. The queues assigned to a matrix mediated device are currently reset when: * The VFIO_DEVICE_RESET ioctl is invoked * The mdev fd is closed by userspace (QEMU) * The mdev is removed from sysfs. Immediately after the reset of a queue, a call is made to disable interrupts for the queue. This is entirely unnecessary because the reset of a queue disables interrupts, so this will be removed. Furthermore, vfio_ap_irq_disable() does an unconditional PQAP/AQIC which can result in a specification exception (when the corresponding facility is not available), so this is actually a bugfix. Signed-off-by: Tony Krowiak [pasic@linux.ibm.com: minor rework before merging] Signed-off-by: Halil Pasic Fixes: ec89b55e3bce ("s390: ap: implement PAPQ AQIC interception in kernel") Cc: Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 9218a6b031a163a8b7372d8f137a46205f2d97f6 Author: Janosch Frank Date: Wed Jan 13 11:56:26 2021 -0500 s390: uv: Fix sysfs max number of VCPUs reporting commit e82080e1f456467cc185fe65ee69fe9f9bd0b576 upstream. The number reported by the query is N-1 and I think people reading the sysfs file would expect N instead. For users creating VMs there's no actual difference because KVM's limit is currently below the UV's limit. Signed-off-by: Janosch Frank Fixes: a0f60f8431999 ("s390/protvirt: Add sysfs firmware interface for Ultravisor information") Cc: stable@vger.kernel.org Reviewed-by: Claudio Imbrenda Acked-by: Cornelia Huck Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 6c6bd9dd1c8d45db80614b24a0667950ffdb9714 Author: Giacinto Cifelli Date: Wed Jan 20 05:56:50 2021 +0100 net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family commit 7e0e63d09516e96994c879f07c5a3c3269d7015e upstream. Bus 003 Device 009: ID 1e2d:006f Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 239 Miscellaneous Device bDeviceSubClass 2 ? bDeviceProtocol 1 Interface Association bMaxPacketSize0 64 idVendor 0x1e2d idProduct 0x006f bcdDevice 0.00 iManufacturer 3 Cinterion Wireless Modules iProduct 2 PLSx3 iSerial 4 fa3c1419 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 303 bNumInterfaces 9 bConfigurationValue 1 iConfiguration 1 Cinterion Configuration bmAttributes 0xe0 Self Powered Remote Wakeup MaxPower 500mA Interface Association: bLength 8 bDescriptorType 11 bFirstInterface 0 bInterfaceCount 2 bFunctionClass 2 Communications bFunctionSubClass 2 Abstract (modem) bFunctionProtocol 1 AT-commands (v.25ter) iFunction 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 1 CDC Union: bMasterInterface 0 bSlaveInterface 1 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 5 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 Unused bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x82 EP 2 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x01 EP 1 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Interface Association: bLength 8 bDescriptorType 11 bFirstInterface 2 bInterfaceCount 2 bFunctionClass 2 Communications bFunctionSubClass 2 Abstract (modem) bFunctionProtocol 1 AT-commands (v.25ter) iFunction 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 2 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 3 CDC Union: bMasterInterface 2 bSlaveInterface 3 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x83 EP 3 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 5 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 3 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 Unused bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x84 EP 4 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x02 EP 2 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Interface Association: bLength 8 bDescriptorType 11 bFirstInterface 4 bInterfaceCount 2 bFunctionClass 2 Communications bFunctionSubClass 2 Abstract (modem) bFunctionProtocol 1 AT-commands (v.25ter) iFunction 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 4 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 5 CDC Union: bMasterInterface 4 bSlaveInterface 5 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x85 EP 5 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 5 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 5 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 Unused bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x86 EP 6 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x03 EP 3 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Interface Association: bLength 8 bDescriptorType 11 bFirstInterface 6 bInterfaceCount 2 bFunctionClass 2 Communications bFunctionSubClass 2 Abstract (modem) bFunctionProtocol 1 AT-commands (v.25ter) iFunction 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 6 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 2 Communications bInterfaceSubClass 2 Abstract (modem) bInterfaceProtocol 1 AT-commands (v.25ter) iInterface 0 CDC Header: bcdCDC 1.10 CDC ACM: bmCapabilities 0x02 line coding and serial state CDC Call Management: bmCapabilities 0x03 call management use DataInterface bDataInterface 7 CDC Union: bMasterInterface 6 bSlaveInterface 7 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x87 EP 7 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 5 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 7 bAlternateSetting 0 bNumEndpoints 2 bInterfaceClass 10 CDC Data bInterfaceSubClass 0 Unused bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x88 EP 8 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x04 EP 4 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 8 bAlternateSetting 0 bNumEndpoints 3 bInterfaceClass 255 Vendor Specific Class bInterfaceSubClass 255 Vendor Specific Subclass bInterfaceProtocol 255 Vendor Specific Protocol iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x89 EP 9 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0040 1x 64 bytes bInterval 5 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x8a EP 10 IN bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x05 EP 5 OUT bmAttributes 2 Transfer Type Bulk Synch Type None Usage Type Data wMaxPacketSize 0x0200 1x 512 bytes bInterval 0 Device Qualifier (for other device speed): bLength 10 bDescriptorType 6 bcdUSB 2.00 bDeviceClass 239 Miscellaneous Device bDeviceSubClass 2 ? bDeviceProtocol 1 Interface Association bMaxPacketSize0 64 bNumConfigurations 1 Device Status: 0x0000 (Bus Powered) Cc: stable@vger.kernel.org Signed-off-by: Giacinto Cifelli Acked-by: Bjørn Mork Link: https://lore.kernel.org/r/20210120045650.10855-1-gciofono@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1a39162bac95bfd8730120a9b79f12b5b41e265c Author: Coly Li Date: Thu Jan 28 18:48:47 2021 +0800 bcache: only check feature sets when sb->version >= BCACHE_SB_VERSION_CDEV_WITH_FEATURES commit 0df28cad06eb41cc36bfea69d9c882fb567fd0d6 upstream. For super block version < BCACHE_SB_VERSION_CDEV_WITH_FEATURES, it doesn't make sense to check the feature sets. This patch checks super block version in bch_has_feature_* routines, if the version doesn't have feature sets yet, returns 0 (false) to the caller. Fixes: 5342fd425502 ("bcache: set bcache device into read-only mode for BCH_FEATURE_INCOMPAT_OBSO_LARGE_BUCKET") Fixes: ffa470327572 ("bcache: add bucket_size_hi into struct cache_sb_disk for large bucket") Cc: stable@vger.kernel.org # 5.9+ Reported-and-tested-by: Bockholdt Arne Signed-off-by: Coly Li Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit cc11bd18d4a31abd419f502aded67da1c73e2678 Author: Lyude Paul Date: Mon Jan 18 20:54:12 2021 -0500 drivers/nouveau/kms/nv50-: Reject format modifiers for cursor planes commit 7c6d659868c77da9b518f32348160340dcdfa008 upstream. Nvidia hardware doesn't actually support using tiling formats with the cursor plane, only linear is allowed. In the future, we should write a testcase for this. Fixes: c586f30bf74c ("drm/nouveau/kms: Add format mod prop to base/ovly/nvdisp") Cc: James Jones Cc: Martin Peres Cc: Jeremy Cline Cc: Simon Ser Cc: # v5.8+ Signed-off-by: Lyude Paul Reviewed-by: Simon Ser Reviewed-by: James Jones Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 29d35b73ead4e41aa0d1a954c9bfbdce659ec5d6 Author: Chris Wilson Date: Mon Jan 25 12:50:33 2021 +0000 drm/i915/gt: Always try to reserve GGTT address 0x0 commit 489140b5ba2e7cc4b853c29e0591895ddb462a82 upstream. Since writing to address 0 is a very common mistake, let's try to avoid putting anything sensitive there. References: https://gitlab.freedesktop.org/drm/intel/-/issues/2989 Signed-off-by: Chris Wilson Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20210125125033.23656-1-chris@chris-wilson.co.uk Cc: stable@vger.kernel.org (cherry picked from commit 56b429cc584c6ed8b895d8d8540959655db1ff73) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit aa39818d92564ff2a52a40685e363439b9833959 Author: Chris Wilson Date: Thu Jan 21 23:28:07 2021 +0000 drm/i915: Always flush the active worker before returning from the wait commit f6e98a1809faa02f40e0d089d6cfc1aa372a34c0 upstream. The first thing the active retirement worker does is decrement the i915_active count. The first thing we do during i915_active_wait is try to increment the i915_active count, but only if already active [non-zero]. The wait may see that the retirement is already started and so marked the i915_active as idle, and skip waiting for the retirement handler. However, the caller of i915_active_wait may immediately free the i915_active upon returning (e.g. i915_vma_destroy) so we must not return before the concurrent access from the worker is completed. We must always flush the worker. Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/2473 Fixes: 274cbf20fd10 ("drm/i915: Push the i915_active.retire into a worker") Signed-off-by: Chris Wilson Cc: Matthew Auld Cc: Tvrtko Ursulin Cc: # v5.5+ Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20210121232807.16618-1-chris@chris-wilson.co.uk (cherry picked from commit 977a372e972cb42799746c284035a33c64ebace9) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 5ebb1cbe463f85c32f7bb584b661930ec3edb685 Author: Lyude Paul Date: Mon Jan 18 20:54:14 2021 -0500 drm/nouveau/kms/gk104-gp1xx: Fix > 64x64 cursors commit ba839b7598440a5d78550a115bac21b08d57cc32 upstream. While we do handle the additional cursor sizes introduced in NVE4, it looks like we accidentally broke this when converting over to use Nvidia's display headers. Since we now use NVVAL in dispnv50/head907d.c in order to format the value for the cursor layout and NVD9 only had one byte reserved vs. the 2 bytes reserved in later generations, we end up accidentally stripping the second bit in the cursor layout format parameter - causing us to set the wrong cursor size. This fixes that by adding our own curs_set hook for 917d which uses the NV917D headers. Cc: Martin Peres Cc: Jeremy Cline Cc: Simon Ser Cc: # v5.9+ Signed-off-by: Lyude Paul Fixes: ed0b86a90bf9 ("drm/nouveau/kms/nv50-: use NVIDIA's headers for core head_curs_set()") Signed-off-by: Ben Skeggs Signed-off-by: Greg Kroah-Hartman commit 0634449e9977c74c4bb32564ea3faf925d60039f Author: Alex Deucher Date: Thu Jan 28 13:28:59 2021 -0500 Revert "drm/amdgpu/swsmu: drop set_fan_speed_percent (v2)" commit a119f87b86bcdf14a18ce39a899e97a1e9160f7f upstream. On some boards the rpm interface apparently does not work at all leading to the fan not spinning or spinning at strange speeds. Revert this for now to fix 5.10, 5.11. The follow on patch fixes this properly for 5.12. This reverts commit 8d6e65adc25e23fabbc5293b6cd320195c708dca. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1408 Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 39714b66a8b15a4953f75afdd1c457990b20d0a8 Author: Jaroslav Kysela Date: Wed Jan 20 15:42:11 2021 +0100 ASoC: AMD Renoir - refine DMI entries for some Lenovo products commit 40caffd66ca9ad1baa2d5541232675160bc6c772 upstream. Apparently, the DMI board name LNVNB161216 is also used also for products with the digital microphones connected to the AMD's audio bridge. Refine the DMI table - use product name identifiers extracted from https://bugzilla.redhat.com/show_bug.cgi?id=1892115 . The report for Lenovo Yoga Slim 7 14ARE05 (82A2) is in buglink. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211299 Cc: Signed-off-by: Jaroslav Kysela Cc: Mark Brown Link: https://lore.kernel.org/r/20210120144211.817937-1-perex@perex.cz Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit b444b86e37b296a8ed18479d5b17df9b84cd26a8 Author: Juergen Gross Date: Mon Jan 25 14:42:07 2021 +0100 x86/xen: avoid warning in Xen pv guest with CONFIG_AMD_MEM_ENCRYPT enabled commit 2e92493637a09547734f92c62a2471f6f0cb9a2c upstream. When booting a kernel which has been built with CONFIG_AMD_MEM_ENCRYPT enabled as a Xen pv guest a warning is issued for each processor: [ 5.964347] ------------[ cut here ]------------ [ 5.968314] WARNING: CPU: 0 PID: 1 at /home/gross/linux/head/arch/x86/xen/enlighten_pv.c:660 get_trap_addr+0x59/0x90 [ 5.972321] Modules linked in: [ 5.976313] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 5.11.0-rc5-default #75 [ 5.980313] Hardware name: Dell Inc. OptiPlex 9020/0PC5F7, BIOS A05 12/05/2013 [ 5.984313] RIP: e030:get_trap_addr+0x59/0x90 [ 5.988313] Code: 42 10 83 f0 01 85 f6 74 04 84 c0 75 1d b8 01 00 00 00 c3 48 3d 00 80 83 82 72 08 48 3d 20 81 83 82 72 0c b8 01 00 00 00 eb db <0f> 0b 31 c0 c3 48 2d 00 80 83 82 48 ba 72 1c c7 71 1c c7 71 1c 48 [ 5.992313] RSP: e02b:ffffc90040033d38 EFLAGS: 00010202 [ 5.996313] RAX: 0000000000000001 RBX: ffffffff82a141d0 RCX: ffffffff8222ec38 [ 6.000312] RDX: ffffffff8222ec38 RSI: 0000000000000005 RDI: ffffc90040033d40 [ 6.004313] RBP: ffff8881003984a0 R08: 0000000000000007 R09: ffff888100398000 [ 6.008312] R10: 0000000000000007 R11: ffffc90040246000 R12: ffff8884082182a8 [ 6.012313] R13: 0000000000000100 R14: 000000000000001d R15: ffff8881003982d0 [ 6.016316] FS: 0000000000000000(0000) GS:ffff888408200000(0000) knlGS:0000000000000000 [ 6.020313] CS: e030 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 6.024313] CR2: ffffc900020ef000 CR3: 000000000220a000 CR4: 0000000000050660 [ 6.028314] Call Trace: [ 6.032313] cvt_gate_to_trap.part.7+0x3f/0x90 [ 6.036313] ? asm_exc_double_fault+0x30/0x30 [ 6.040313] xen_convert_trap_info+0x87/0xd0 [ 6.044313] xen_pv_cpu_up+0x17a/0x450 [ 6.048313] bringup_cpu+0x2b/0xc0 [ 6.052313] ? cpus_read_trylock+0x50/0x50 [ 6.056313] cpuhp_invoke_callback+0x80/0x4c0 [ 6.060313] _cpu_up+0xa7/0x140 [ 6.064313] cpu_up+0x98/0xd0 [ 6.068313] bringup_nonboot_cpus+0x4f/0x60 [ 6.072313] smp_init+0x26/0x79 [ 6.076313] kernel_init_freeable+0x103/0x258 [ 6.080313] ? rest_init+0xd0/0xd0 [ 6.084313] kernel_init+0xa/0x110 [ 6.088313] ret_from_fork+0x1f/0x30 [ 6.092313] ---[ end trace be9ecf17dceeb4f3 ]--- Reason is that there is no Xen pv trap entry for X86_TRAP_VC. Fix that by adding a generic trap handler for unknown traps and wire all unknown bare metal handlers to this generic handler, which will just crash the system in case such a trap will ever happen. Fixes: 0786138c78e793 ("x86/sev-es: Add a Runtime #VC Exception Handler") Cc: # v5.10 Signed-off-by: Juergen Gross Reviewed-by: Andrew Cooper Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit d16c5dfe93ef12bd571a6c478a7ab6ea57925839 Author: Johannes Berg Date: Thu Jan 21 17:16:22 2021 +0100 wext: fix NULL-ptr-dereference with cfg80211's lack of commit() commit 5122565188bae59d507d90a9a9fd2fd6107f4439 upstream. Since cfg80211 doesn't implement commit, we never really cared about that code there (and it's configured out w/o CONFIG_WIRELESS_EXT). After all, since it has no commit, it shouldn't return -EIWCOMMIT to indicate commit is needed. However, EIWCOMMIT is actually an alias for EINPROGRESS, which _can_ happen if e.g. we try to change the frequency but we're already in the process of connecting to some network, and drivers could return that value (or even cfg80211 itself might). This then causes us to crash because dev->wireless_handlers is NULL but we try to check dev->wireless_handlers->standard[0]. Fix this by also checking dev->wireless_handlers. Also simplify the code a little bit. Cc: stable@vger.kernel.org Reported-by: syzbot+444248c79e117bc99f46@syzkaller.appspotmail.com Reported-by: syzbot+8b2a88a09653d4084179@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20210121171621.2076e4a37d5a.I5d9c72220fe7bb133fb718751da0180a57ecba4e@changeid Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 442278e4928ee2ce0cfae1064612e1f0b580d43a Author: Koen Vandeputte Date: Thu Jan 7 10:19:06 2021 +0100 ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming commit 5a22747b76ca2384057d8e783265404439d31d7f upstream. 2 regulator descriptions carry identical naming. This leads to following boot warning: [ 0.173138] debugfs: Directory 'vdd1p8' with parent 'regulator' already present! Fix this by renaming the one used for audio. Fixes: 5051bff33102 ("ARM: dts: imx: ventana: add LTC3676 PMIC support") Signed-off-by: Tim Harvey Signed-off-by: Koen Vandeputte Cc: stable@vger.kernel.org # v4.11 Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit a9079d8d3b02f30aca58db15590e14f3570798f7 Author: Linus Walleij Date: Sun Dec 13 23:55:17 2020 +0100 ARM: dts: ux500: Reserve memory carveouts commit 8a996b2d8a03beae3cb6adfc12673778c192085d upstream. The Ux500 platforms have some memory carveouts set aside for communicating with the modem and for the initial secure software (ISSW). These areas are protected by the memory controller and will result in an external abort if accessed like common read/write memory. On the legacy boot loaders, these were set aside by using cmdline arguments such as this: mem=96M@0 mem_mtrace=15M@96M mem_mshared=1M@111M mem_modem=16M@112M mali.mali_mem=32M@128M mem=96M@160M hwmem=127M@256M mem_issw=1M@383M mem_ram_console=1M@384M mem=638M@385M Reserve the relevant areas in the device tree instead. The "mali", "hwmem", "mem_ram_console" and the trailing 1MB at the end of the memory reservations in the list are not relevant for the upstream kernel as these are nowadays replaced with upstream technologies such as CMA. The modem and ISSW reservations are necessary. This was manifested in a bug that surfaced in response to commit 7fef431be9c9 ("mm/page_alloc: place pages to tail in __free_pages_core()") which changes the behaviour of memory allocations in such a way that the platform will sooner run into these dangerous areas, with "Unhandled fault: imprecise external abort (0xc06) at 0xb6fd83dc" or similar: the real reason turns out to be that the PTE is pointing right into one of the reserved memory areas. We were just lucky until now. We need to augment the DB8500 and DB8520 SoCs similarly and also create a new include for the DB9500 used in the Snowball since this does not have a modem and thus does not need the modem memory reservation, albeit it needs the ISSW reservation. Signed-off-by: Linus Walleij Cc: stable@vger.kernel.org Cc: David Hildenbrand Link: https://lore.kernel.org/r/20201213225517.3838501-1-linus.walleij@linaro.org' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 14e3388f2f95449ec868b2ce5263ae5d18e87b3b Author: Soeren Moch Date: Tue Dec 22 16:59:08 2020 +0100 ARM: dts: tbs2910: rename MMC node aliases commit fd25c883667b61f845a4188b6be110bb45de0bac upstream. to be consistent with kernel versions up to v5.9 (mmc aliases not used here). usdhc1 is not wired up on this board and therefore cannot be used. Start mmc aliases with usdhc2. Signed-off-by: Soeren Moch Cc: stable@vger.kernel.org # 5.10.x Signed-off-by: Shawn Guo Signed-off-by: Greg Kroah-Hartman commit b3b75f8cd187cb3d17f4930a817a425b6bb1a418 Author: Sean Young Date: Sun Dec 20 13:29:54 2020 +0100 media: rc: ensure that uevent can be read directly after rc device register commit 896111dc4bcf887b835b3ef54f48b450d4692a1d upstream. There is a race condition where if the /sys/class/rc0/uevent file is read before rc_dev->registered is set to true, -ENODEV will be returned. Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1901089 Cc: stable@vger.kernel.org Fixes: a2e2d73fa281 ("media: rc: do not access device via sysfs after rc_unregister_device()") Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ce9e154a8bcb620a5e6affaf1d6815f5ee0207b3 Author: Matthias Reichl Date: Sat Jan 9 21:10:55 2021 +0100 media: rc: ite-cir: fix min_timeout calculation commit e1def45b5291278590bc3033cc518bf5c964a18d upstream. Commit 528222d853f92 ("media: rc: harmonize infrared durations to microseconds") missed to switch the min_timeout calculation from ns to us. This resulted in a minimum timeout of 1.2 seconds instead of 1.2ms, leading to large delays and long key repeats. Fix this by applying proper ns->us conversion. Cc: stable@vger.kernel.org Fixes: 528222d853f92 ("media: rc: harmonize infrared durations to microseconds") Signed-off-by: Matthias Reichl Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 8429fee291434b3519fa074a15fa979fc63dbee1 Author: Matthias Reichl Date: Tue Jan 5 10:30:23 2021 +0100 media: rc: fix timeout handling after switch to microsecond durations commit 06b831588b639ad9d94e4789b0250562228722c2 upstream. Commit 528222d853f92 ("media: rc: harmonize infrared durations to microseconds") missed to switch some timeout calculations from nanoseconds to microseconds. This resulted in spurious key_up+key_down events at the last scancode if the rc device uses a long timeout (eg 100ms on nuvoton-cir) as the device timeout wasn't properly accounted for in the keyup timeout calculation. Fix this by applying the proper conversion functions. Cc: stable@vger.kernel.org Fixes: 528222d853f92 ("media: rc: harmonize infrared durations to microseconds") Signed-off-by: Matthias Reichl Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 4b5a88b3f45cd0f7a7025c53a4b448f4bab88c00 Author: Ricardo Ribalda Date: Thu Jan 14 14:03:16 2021 +0100 media: hantro: Fix reset_raw_fmt initialization commit e081863ab48d9b2eee9e899cbd05752a2a30308d upstream. raw_fmt->height in never initialized. But width in initialized twice. Fixes: 88d06362d1d05 ("media: hantro: Refactor for V4L2 API spec compliancy") Signed-off-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Cc: Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit ae584fbbb6589b8b65becbdc1f66b5276430cfcb Author: Jernej Skrabec Date: Wed Dec 23 12:06:59 2020 +0100 media: cedrus: Fix H264 decoding commit 73bc0b0c2a96b31199da0ce6c3d04be81ef73bb9 upstream. During H264 API overhaul subtle bug was introduced Cedrus driver. Progressive references have both, top and bottom reference flags set. Cedrus reference list expects only bottom reference flag and only when interlaced frames are decoded. However, due to a bug in Cedrus check, exclusivity is not tested and that flag is set also for progressive references. That causes "jumpy" background with many videos. Fix that by checking that only bottom reference flag is set in control and nothing else. Tested-by: Andre Heider Fixes: cfc8c3ed533e ("media: cedrus: h264: Properly configure reference field") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Cc: Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit e76b40d8e9ad2d6ef6c39f8360344fce8d35aae2 Author: Yannick Fertre Date: Fri Jan 15 15:31:44 2021 +0100 media: cec: add stm32 driver commit eaf18a4165141f04dd26f0c48a7e53438e5a3ea2 upstream. Missing stm32 directory to Makefile. Signed-off-by: Yannick Fertre Signed-off-by: Hans Verkuil Fixes: 4be5e8648b0c ("media: move CEC platform drivers to a separate directory") Cc: Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6141f82fd5ee0959a3e81ceb37c8af8816cfa31c Author: Helge Deller Date: Tue Jan 26 20:16:21 2021 +0100 parisc: Enable -mlong-calls gcc option by default when !CONFIG_MODULES commit 00e35f2b0e8acb88d4e1aa96ff0490e3bfe46580 upstream. When building a kernel without module support, the CONFIG_MLONGCALL option needs to be enabled in order to reach symbols which are outside of a 22-bit branch. This patch changes the autodetection in the Kconfig script to always enable CONFIG_MLONGCALL when modules are disabled and uses a far call to preempt_schedule_irq() in intr_do_preempt() to reach the symbol in all cases. Signed-off-by: Helge Deller Reported-by: kernel test robot Cc: stable@vger.kernel.org # v5.6+ Signed-off-by: Greg Kroah-Hartman commit d56e3b6a6b148161805773f52f3921861317542f Author: Takashi Iwai Date: Tue Jan 26 17:56:03 2021 +0100 ALSA: hda/via: Apply the workaround generically for Clevo machines commit 4961167bf7482944ca09a6f71263b9e47f949851 upstream. We've got another report indicating a similar problem wrt the power-saving behavior with VIA codec on Clevo machines. Let's apply the existing workaround generically to all Clevo devices with VIA codecs to cover all in once. BugLink: https://bugzilla.opensuse.org/show_bug.cgi?id=1181330 Cc: Link: https://lore.kernel.org/r/20210126165603.11683-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit eacb5d4e6b647a2e42969027b6f5a8087d1fd267 Author: Jian-Hong Pan Date: Fri Jan 22 13:47:06 2021 +0800 ALSA: hda/realtek: Enable headset of ASUS B1400CEPE with ALC256 commit 5de3b9430221b11a5e1fc2f5687af80777c8392a upstream. ASUS B1400CEPE laptop's headset audio is not enabled until ALC256_FIXUP_ASUS_HPE quirk is applied. Here is the original pin node values: 0x12 0x40000000 0x13 0x411111f0 0x14 0x90170110 0x18 0x411111f0 0x19 0x411111f0 0x1a 0x411111f0 0x1b 0x411111f0 0x1d 0x40461b45 0x1e 0x411111f0 0x21 0x04211020 Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20210122054705.48804-1-jhp@endlessos.org Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit aa9a6dc6261109d72787d0b4c5bc27238ffabdbf Author: Baoquan He Date: Fri Jan 22 15:42:14 2021 +0800 kernel: kexec: remove the lock operation of system_transition_mutex commit 56c91a18432b631ca18438841fd1831ef756cabf upstream. Function kernel_kexec() is called with lock system_transition_mutex held in reboot system call. While inside kernel_kexec(), it will acquire system_transition_mutex agin. This will lead to dead lock. The dead lock should be easily triggered, it hasn't caused any failure report just because the feature 'kexec jump' is almost not used by anyone as far as I know. An inquiry can be made about who is using 'kexec jump' and where it's used. Before that, let's simply remove the lock operation inside CONFIG_KEXEC_JUMP ifdeffery scope. Fixes: 55f2503c3b69 ("PM / reboot: Eliminate race between reboot and suspend") Signed-off-by: Baoquan He Reported-by: Dan Carpenter Reviewed-by: Pingfan Liu Cc: 4.19+ # 4.19+ Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 2aa7eab3e7f0fd6188baf10bb922cb864cd93ca0 Author: Rafael J. Wysocki Date: Thu Jan 14 19:34:22 2021 +0100 ACPI: thermal: Do not call acpi_thermal_check() directly commit 81b704d3e4674e09781d331df73d76675d5ad8cb upstream. Calling acpi_thermal_check() from acpi_thermal_notify() directly is problematic if _TMP triggers Notify () on the thermal zone for which it has been evaluated (which happens on some systems), because it causes a new acpi_thermal_notify() invocation to be queued up every time and if that takes place too often, an indefinite number of pending work items may accumulate in kacpi_notify_wq over time. Besides, it is not really useful to queue up a new invocation of acpi_thermal_check() if one of them is pending already. For these reasons, rework acpi_thermal_notify() to queue up a thermal check instead of calling acpi_thermal_check() directly and only allow one thermal check to be pending at a time. Moreover, only allow one acpi_thermal_check_fn() instance at a time to run thermal_zone_device_update() for one thermal zone and make it return early if it sees other instances running for the same thermal zone. While at it, fold acpi_thermal_check() into acpi_thermal_check_fn(), as it is only called from there after the other changes made here. [This issue appears to have been exposed by commit 6d25be5782e4 ("sched/core, workqueues: Distangle worker accounting from rq lock"), but it is unclear why it was not visible earlier.] BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208877 Reported-by: Stephen Berman Diagnosed-by: Sebastian Andrzej Siewior Signed-off-by: Rafael J. Wysocki Reviewed-by: Sebastian Andrzej Siewior Tested-by: Stephen Berman Cc: All applicable Signed-off-by: Greg Kroah-Hartman commit d6f80e01fade80c472671138114a87559d73335b Author: Kai-Heng Feng Date: Fri Jan 22 20:53:02 2021 +0800 ACPI: sysfs: Prefer "compatible" modalias commit 36af2d5c4433fb40ee2af912c4ac0a30991aecfc upstream. Commit 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present") may create two "MODALIAS=" in one uevent file if specific conditions are met. This breaks systemd-udevd, which assumes each "key" in one uevent file to be unique. The internal implementation of systemd-udevd overwrites the first MODALIAS with the second one, so its kmod rule doesn't load the driver for the first MODALIAS. So if both the ACPI modalias and the OF modalias are present, use the latter to ensure that there will be only one MODALIAS. Link: https://github.com/systemd/systemd/pull/18163 Suggested-by: Mika Westerberg Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present") Signed-off-by: Kai-Heng Feng Reviewed-by: Mika Westerberg Reviewed-by: Greg Kroah-Hartman Cc: 4.1+ # 4.1+ [ rjw: Subject and changelog edits ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 8fe07159fc53d8103da4ca9899be782ec478692f Author: Linus Torvalds Date: Fri Jan 29 12:28:20 2021 -0800 tty: avoid using vfs_iocb_iter_write() for redirected console writes commit a9cbbb80e3e7dd38ceac166e0698f161862a18ae upstream. It turns out that the vfs_iocb_iter_{read,write}() functions are entirely broken, and don't actually use the passed-in file pointer for IO - only for the preparatory work (permission checking and for the write_iter function lookup). That worked fine for overlayfs, which always builds the new iocb with the same file pointer that it passes in, but in the general case it ends up doing nonsensical things (and could cause an iterator call that doesn't even match the passed-in file pointer). This subtly broke the tty conversion to write_iter in commit 9bb48c82aced ("tty: implement write_iter"), because the console redirection didn't actually end up redirecting anything, since the passed-in file pointer was basically ignored, and the actual write was done with the original non-redirected console tty after all. The main visible effect of this is that the console messages were no longer logged to /var/log/boot.log during graphical boot. Fix the issue by simply not using the vfs write "helper" function at all, and just redirecting the write entirely internally to the tty layer. Do the target writability permission checks when actually registering the target tty with TIOCCONS instead of at write time. Fixes: 9bb48c82aced ("tty: implement write_iter") Reported-and-tested-by: Hans de Goede Cc: Greg Kroah-Hartman Cc: stable@kernel.org Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 41f6f4a3143506ea1499cda2f14a16a2f82118a8 Author: Josef Bacik Date: Mon Jan 25 12:21:02 2021 -0500 nbd: freeze the queue while we're adding connections commit b98e762e3d71e893b221f871825dc64694cfb258 upstream. When setting up a device, we can krealloc the config->socks array to add new sockets to the configuration. However if we happen to get a IO request in at this point even though we aren't setup we could hit a UAF, as we deref config->socks without any locking, assuming that the configuration was setup already and that ->socks is safe to access it as we have a reference on the configuration. But there's nothing really preventing IO from occurring at this point of the device setup, we don't want to incur the overhead of a lock to access ->socks when it will never change while the device is running. To fix this UAF scenario simply freeze the queue if we are adding sockets. This will protect us from this particular case without adding any additional overhead for the normal running case. Cc: stable@vger.kernel.org Signed-off-by: Josef Bacik Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 51f58c4882ec7be6a439f8c0185ab9cc53111a7f Author: Eric Dumazet Date: Mon Jan 25 07:09:49 2021 -0800 iwlwifi: provide gso_type to GSO packets commit 81a86e1bd8e7060ebba1718b284d54f1238e9bf9 upstream. net/core/tso.c got recent support for USO, and this broke iwlfifi because the driver implemented a limited form of GSO. Providing ->gso_type allows for skb_is_gso_tcp() to provide a correct result. Fixes: 3d5b459ba0e3 ("net: tso: add UDP segmentation support") Signed-off-by: Eric Dumazet Reported-by: Ben Greear Tested-by: Ben Greear Cc: Luca Coelho Cc: Johannes Berg Link: https://bugzilla.kernel.org/show_bug.cgi?id=209913 Link: https://lore.kernel.org/r/20210125150949.619309-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski Cc: Robert Hancock Signed-off-by: Greg Kroah-Hartman