commit d811d29517d1ea05bc159579231652d3ca1c2a01 Author: Greg Kroah-Hartman Date: Wed Jul 22 09:33:18 2020 +0200 Linux 5.4.53 commit e6c19fa5b6c6444d4b16a2cbff0fba7d4924354c Author: Andy Shevchenko Date: Fri Jun 5 16:40:36 2020 +0300 gpio: pca953x: disable regmap locking for automatic address incrementing commit ec3decd21380081e3b5de4ba8d85d90a95f201a0 upstream. It's a repetition of the commit aa58a21ae378 ("gpio: pca953x: disable regmap locking") which states the following: This driver uses its own locking but regmap silently uses a mutex for all operations too. Add the option to disable locking to the regmap config struct. Fixes: bcf41dc480b1 ("gpio: pca953x: fix handling of automatic address incrementing") Cc: Uwe Kleine-König Signed-off-by: Andy Shevchenko Reviewed-by: Uwe Kleine-König Signed-off-by: Bartosz Golaszewski Signed-off-by: Greg Kroah-Hartman commit 411c8026754111c2ef8ce9a7edabb0730fdfc390 Author: Colin Xu Date: Mon Jun 1 11:06:38 2020 +0800 drm/i915/gvt: Fix two CFL MMIO handling caused by regression. commit fccd0f7cf4d532674d727c7f204f038456675dee upstream. D_CFL was incorrectly removed for: GAMT_CHKN_BIT_REG GEN9_CTX_PREEMPT_REG V2: Update commit message. V3: Rebase and split Fixes and mis-handled MMIO. Fixes: 43226e6fe798 (drm/i915/gvt: replaced register address with name) Reviewed-by: Zhenyu Wang Signed-off-by: Colin Xu Signed-off-by: Zhenyu Wang Link: http://patchwork.freedesktop.org/patch/msgid/20200601030638.16002-1-colin.xu@intel.com Signed-off-by: Greg Kroah-Hartman commit 517708c47c660c9683c3f38cba67f2a644254943 Author: Lu Baolu Date: Tue Jun 23 07:13:40 2020 +0800 iommu/vt-d: Make Intel SVM code 64-bit only commit 9486727f5981a5ec5c0b699fb1777451bd6786e4 upstream. Current Intel SVM is designed by setting the pgd_t of the processor page table to FLPTR field of the PASID entry. The first level translation only supports 4 and 5 level paging structures, hence it's infeasible for the IOMMU to share a processor's page table when it's running in 32-bit mode. Let's disable 32bit support for now and claim support only when all the missing pieces are ready in the future. Fixes: 1c4f88b7f1f92 ("iommu/vt-d: Shared virtual address in scalable mode") Suggested-by: Joerg Roedel Signed-off-by: Lu Baolu Link: https://lore.kernel.org/r/20200622231345.29722-2-baolu.lu@linux.intel.com Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 41389f739a5ef2adf4ce50cff38dbcfe7f2d96df Author: Shannon Nelson Date: Tue Jun 16 08:06:26 2020 -0700 ionic: export features for vlans to use commit ef7232da6bcd4294cbb2d424bc35885721570f01 upstream. Set up vlan_features for use by any vlans above us. Fixes: beead698b173 ("ionic: Add the basic NDO callbacks for netdev support") Signed-off-by: Shannon Nelson Acked-by: Jonathan Toppins Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5d7e2852d7e600d2f0ed9e5fd2b688c8726d0f47 Author: Lingling Xu Date: Tue Jun 2 16:24:15 2020 +0800 spi: sprd: switch the sequence of setting WDG_LOAD_LOW and _HIGH commit 8bdd79dae1ff5397351b95e249abcae126572617 upstream. The watchdog counter consists of WDG_LOAD_LOW and WDG_LOAD_HIGH, which would be loaded to watchdog counter once writing WDG_LOAD_LOW. Fixes: ac1775012058 ("spi: sprd: Add the support of restarting the system") Signed-off-by: Lingling Xu Signed-off-by: Chunyan Zhang Link: https://lore.kernel.org/r/20200602082415.5848-1-zhang.lyra@gmail.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1245a1e0e1c3cf5e62eb34e4536c997233359b45 Author: David Howells Date: Wed Jun 17 22:50:33 2020 +0100 rxrpc: Fix trace string commit aadf9dcef9d4cd68c73a4ab934f93319c4becc47 upstream. The trace symbol printer (__print_symbolic()) ignores symbols that map to an empty string and prints the hex value instead. Fix the symbol for rxrpc_cong_no_change to " -" instead of "" to avoid this. Fixes: b54a134a7de4 ("rxrpc: Fix handling of enums-to-string translation in tracing") Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 07253d24cda3fb46c7e42f561b409bbc9d37dd80 Author: Ilya Dryomov Date: Tue Jun 9 11:57:56 2020 +0200 libceph: don't omit recovery_deletes in target_copy() commit 2f3fead62144002557f322c2a7c15e1255df0653 upstream. Currently target_copy() is used only for sending linger pings, so this doesn't come up, but generally omitting recovery_deletes can result in unneeded resends (force_resend in calc_target()). Fixes: ae78dd8139ce ("libceph: make RECOVERY_DELETES feature create a new interval") Signed-off-by: Ilya Dryomov Reviewed-by: Jeff Layton Signed-off-by: Greg Kroah-Hartman commit d2ccad3c9ce947664160e47ee80fa8e779f26e2e Author: Ming Lei Date: Sat Jan 11 20:57:43 2020 +0800 block: fix get_max_segment_size() overflow on 32bit arch commit 4a2f704eb2d831a2d73d7f4cdd54f45c49c3c353 upstream. Commit 429120f3df2d starts to take account of segment's start dma address when computing max segment size, and data type of 'unsigned long' is used to do that. However, the segment mask may be 0xffffffff, so the figured out segment size may be overflowed in case of zero physical address on 32bit arch. Fix the issue by returning queue_max_segment_size() directly when that happens. Fixes: 429120f3df2d ("block: fix splitting segments on boundary masks") Reported-by: Guenter Roeck Tested-by: Guenter Roeck Cc: Christoph Hellwig Tested-by: Steven Rostedt (VMware) Signed-off-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 310d75f274d54871a3d6e1dc3b18c519491a0e6c Author: Ming Lei Date: Sun Dec 29 10:32:30 2019 +0800 block: fix splitting segments on boundary masks commit 429120f3df2dba2bf3a4a19f4212a53ecefc7102 upstream. We ran into a problem with a mpt3sas based controller, where we would see random (and hard to reproduce) file corruption). The issue seemed specific to this controller, but wasn't specific to the file system. After a lot of debugging, we find out that it's caused by segments spanning a 4G memory boundary. This shouldn't happen, as the default setting for segment boundary masks is 4G. Turns out there are two issues in get_max_segment_size(): 1) The default segment boundary mask is bypassed 2) The segment start address isn't taken into account when checking segment boundary limit Fix these two issues by removing the bypass of the segment boundary check even if the mask is set to the default value, and taking into account the actual start address of the request when checking if a segment needs splitting. Cc: stable@vger.kernel.org # v5.1+ Reviewed-by: Chris Mason Tested-by: Chris Mason Fixes: dcebd755926b ("block: use bio_for_each_bvec() to compute multi-page bvec count") Signed-off-by: Ming Lei Signed-off-by: Greg Kroah-Hartman Dropped const on the page pointer, ppc page_to_phys() doesn't mark the page as const... Signed-off-by: Jens Axboe commit f2e57ed2f3f855127dd22f145f134aa339e955ac Author: Chris Wilson Date: Sat Jul 11 21:32:36 2020 +0100 drm/i915/gt: Ignore irq enabling on the virtual engines commit 858f1299fd6f7518ddef19ddd304c8398ac79fa5 upstream. We do not use the virtual engines for interrupts (they have physical components), but we do use them to decouple the fence signaling during submission. Currently, when we submit a completed request, we try to enable the interrupt handler for the virtual engine, but we never disarm it. A quick fix is then to mark the irq as enabled, and it will then remain enabled -- and this prevents us from waking the device and never letting it sleep again. Fixes: f8db4d051b5e ("drm/i915: Initialise breadcrumb lists on the virtual engine") Signed-off-by: Chris Wilson Cc: Mika Kuoppala Cc: Tvrtko Ursulin Cc: # v5.5+ Reviewed-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20200711203236.12330-1-chris@chris-wilson.co.uk (cherry picked from commit 4fe6abb8f51355224808ab02a9febf65d184c40b) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit 64a17e1da02ae459cb30c2ea58ee7ce0730a8d4f Author: Xiaojie Yuan Date: Tue Jul 14 15:47:31 2020 +0800 drm/amdgpu/sdma5: fix wptr overwritten in ->get_wptr() commit 05051496b2622e4d12e2036b35165969aa502f89 upstream. "u64 *wptr" points to the the wptr value in write back buffer and "*wptr = (*wptr) >> 2;" results in the value being overwritten each time when ->get_wptr() is called. umr uses /sys/kernel/debug/dri/0/amdgpu_ring_sdma0 to get rptr/wptr and decode ring content and it is affected by this issue. fix and simplify the logic similar as sdma_v4_0_ring_get_wptr(). v2: fix for sdma5.2 as well v3: drop sdma 5.2 changes for 5.8 and stable Suggested-by: Le Ma Signed-off-by: Xiaojie Yuan Reviewed-by: Christian König Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 9f8d3d2f79ba189ecc122d214d32396e5737963b Author: Thomas Gleixner Date: Fri Jul 17 18:00:02 2020 +0200 genirq/affinity: Handle affinity setting on inactive interrupts correctly commit baedb87d1b53532f81b4bd0387f83b05d4f7eb9a upstream. Setting interrupt affinity on inactive interrupts is inconsistent when hierarchical irq domains are enabled. The core code should just store the affinity and not call into the irq chip driver for inactive interrupts because the chip drivers may not be in a state to handle such requests. X86 has a hacky workaround for that but all other irq chips have not which causes problems e.g. on GIC V3 ITS. Instead of adding more ugly hacks all over the place, solve the problem in the core code. If the affinity is set on an inactive interrupt then: - Store it in the irq descriptors affinity mask - Update the effective affinity to reflect that so user space has a consistent view - Don't call into the irq chip driver This is the core equivalent of the X86 workaround and works correctly because the affinity setting is established in the irq chip when the interrupt is activated later on. Note, that this is only effective when hierarchical irq domains are enabled by the architecture. Doing it unconditionally would break legacy irq chip implementations. For hierarchial irq domains this works correctly as none of the drivers can have a dependency on affinity setting in inactive state by design. Remove the X86 workaround as it is not longer required. Fixes: 02edee152d6e ("x86/apic/vector: Ignore set_affinity call for inactive interrupts") Reported-by: Ali Saidi Signed-off-by: Thomas Gleixner Tested-by: Ali Saidi Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200529015501.15771-1-alisaidi@amazon.com Link: https://lkml.kernel.org/r/877dv2rv25.fsf@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit 6aae92ed2c42a94c578fd478cfee0573dab3506b Author: Vincent Guittot Date: Fri Jul 10 17:24:26 2020 +0200 sched/fair: handle case of task_h_load() returning 0 commit 01cfcde9c26d8555f0e6e9aea9d6049f87683998 upstream. task_h_load() can return 0 in some situations like running stress-ng mmapfork, which forks thousands of threads, in a sched group on a 224 cores system. The load balance doesn't handle this correctly because env->imbalance never decreases and it will stop pulling tasks only after reaching loop_max, which can be equal to the number of running tasks of the cfs. Make sure that imbalance will be decreased by at least 1. misfit task is the other feature that doesn't handle correctly such situation although it's probably more difficult to face the problem because of the smaller number of CPUs and running tasks on heterogenous system. We can't simply ensure that task_h_load() returns at least one because it would imply to handle underflow in other places. Signed-off-by: Vincent Guittot Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Valentin Schneider Reviewed-by: Dietmar Eggemann Tested-by: Dietmar Eggemann Cc: # v4.4+ Link: https://lkml.kernel.org/r/20200710152426.16981-1-vincent.guittot@linaro.org Signed-off-by: Greg Kroah-Hartman commit b5b774918816fdbef285ce5280b6a5c80670d40c Author: Mathieu Desnoyers Date: Mon Jul 6 16:49:10 2020 -0400 sched: Fix unreliable rseq cpu_id for new tasks commit ce3614daabea8a2d01c1dd17ae41d1ec5e5ae7db upstream. While integrating rseq into glibc and replacing glibc's sched_getcpu implementation with rseq, glibc's tests discovered an issue with incorrect __rseq_abi.cpu_id field value right after the first time a newly created process issues sched_setaffinity. For the records, it triggers after building glibc and running tests, and then issuing: for x in {1..2000} ; do posix/tst-affinity-static & done and shows up as: error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 2, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 error: Unexpected CPU 138, expected 0 This is caused by the scheduler invoking __set_task_cpu() directly from sched_fork() and wake_up_new_task(), thus bypassing rseq_migrate() which is done by set_task_cpu(). Add the missing rseq_migrate() to both functions. The only other direct use of __set_task_cpu() is done by init_idle(), which does not involve a user-space task. Based on my testing with the glibc test-case, just adding rseq_migrate() to wake_up_new_task() is sufficient to fix the observed issue. Also add it to sched_fork() to keep things consistent. The reason why this never triggered so far with the rseq/basic_test selftest is unclear. The current use of sched_getcpu(3) does not typically require it to be always accurate. However, use of the __rseq_abi.cpu_id field within rseq critical sections requires it to be accurate. If it is not accurate, it can cause corruption in the per-cpu data targeted by rseq critical sections in user-space. Reported-By: Florian Weimer Signed-off-by: Mathieu Desnoyers Signed-off-by: Peter Zijlstra (Intel) Tested-By: Florian Weimer Cc: stable@vger.kernel.org # v4.18+ Link: https://lkml.kernel.org/r/20200707201505.2632-1-mathieu.desnoyers@efficios.com Signed-off-by: Greg Kroah-Hartman commit 5c2450ac7c7a835bb41e2a1bcce241dd2c97b60b Author: Will Deacon Date: Fri Jul 3 12:08:42 2020 +0100 arm64: compat: Ensure upper 32 bits of x0 are zero on syscall return commit 15956689a0e60aa0c795174f3c310b60d8794235 upstream. Although we zero the upper bits of x0 on entry to the kernel from an AArch32 task, we do not clear them on the exception return path and can therefore expose 64-bit sign extended syscall return values to userspace via interfaces such as the 'perf_regs' ABI, which deal exclusively with 64-bit registers. Explicitly clear the upper 32 bits of x0 on return from a compat system call. Cc: Cc: Mark Rutland Cc: Keno Fischer Cc: Luis Machado Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit ed766e740cc97e62e7270fcdc11ce48f7238423a Author: Will Deacon Date: Thu Jul 2 21:16:20 2020 +0100 arm64: ptrace: Consistently use pseudo-singlestep exceptions commit ac2081cdc4d99c57f219c1a6171526e0fa0a6fff upstream. Although the arm64 single-step state machine can be fast-forwarded in cases where we wish to generate a SIGTRAP without actually executing an instruction, this has two major limitations outside of simply skipping an instruction due to emulation. 1. Stepping out of a ptrace signal stop into a signal handler where SIGTRAP is blocked. Fast-forwarding the stepping state machine in this case will result in a forced SIGTRAP, with the handler reset to SIG_DFL. 2. The hardware implicitly fast-forwards the state machine when executing an SVC instruction for issuing a system call. This can interact badly with subsequent ptrace stops signalled during the execution of the system call (e.g. SYSCALL_EXIT or seccomp traps), as they may corrupt the stepping state by updating the PSTATE for the tracee. Resolve both of these issues by injecting a pseudo-singlestep exception on entry to a signal handler and also on return to userspace following a system call. Cc: Cc: Mark Rutland Tested-by: Luis Machado Reported-by: Keno Fischer Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit bdb71132992bad7960f154f72905134cb90c6248 Author: Will Deacon Date: Thu Feb 13 12:06:26 2020 +0000 arm64: ptrace: Override SPSR.SS when single-stepping is enabled commit 3a5a4366cecc25daa300b9a9174f7fdd352b9068 upstream. Luis reports that, when reverse debugging with GDB, single-step does not function as expected on arm64: | I've noticed, under very specific conditions, that a PTRACE_SINGLESTEP | request by GDB won't execute the underlying instruction. As a consequence, | the PC doesn't move, but we return a SIGTRAP just like we would for a | regular successful PTRACE_SINGLESTEP request. The underlying problem is that when the CPU register state is restored as part of a reverse step, the SPSR.SS bit is cleared and so the hardware single-step state can transition to the "active-pending" state, causing an unexpected step exception to be taken immediately if a step operation is attempted. In hindsight, we probably shouldn't have exposed SPSR.SS in the pstate accessible by the GPR regset, but it's a bit late for that now. Instead, simply prevent userspace from configuring the bit to a value which is inconsistent with the TIF_SINGLESTEP state for the task being traced. Cc: Cc: Mark Rutland Cc: Keno Fischer Link: https://lore.kernel.org/r/1eed6d69-d53d-9657-1fc9-c089be07f98c@linaro.org Reported-by: Luis Machado Tested-by: Luis Machado Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d3b7bacd1115400b94482dfc7efffc175c29b831 Author: Finley Xiao Date: Fri Jun 19 17:08:25 2020 +0800 thermal/drivers/cpufreq_cooling: Fix wrong frequency converted from power commit 371a3bc79c11b707d7a1b7a2c938dc3cc042fffb upstream. The function cpu_power_to_freq is used to find a frequency and set the cooling device to consume at most the power to be converted. For example, if the power to be converted is 80mW, and the em table is as follow. struct em_cap_state table[] = { /* KHz mW */ { 1008000, 36, 0 }, { 1200000, 49, 0 }, { 1296000, 59, 0 }, { 1416000, 72, 0 }, { 1512000, 86, 0 }, }; The target frequency should be 1416000KHz, not 1512000KHz. Fixes: 349d39dc5739 ("thermal: cpu_cooling: merge frequency and power tables") Cc: # v4.13+ Signed-off-by: Finley Xiao Acked-by: Viresh Kumar Reviewed-by: Amit Kucheria Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200619090825.32747-1-finley.xiao@rock-chips.com Signed-off-by: Viresh Kumar Signed-off-by: Greg Kroah-Hartman commit 025cec59aa176dec04ddf8588c511cfbbb0c0c6f Author: Alex Hung Date: Mon Jun 15 16:39:57 2020 -0600 thermal: int3403_thermal: Downgrade error message commit f3d7fb38976b1b0a8462ba1c7cbd404ddfaad086 upstream. Downgrade "Unsupported event" message from dev_err to dev_dbg to avoid flooding with this message on some platforms. Cc: stable@vger.kernel.org # v5.4+ Suggested-by: Zhang Rui Signed-off-by: Alex Hung [ rzhang: fix typo in changelog ] Signed-off-by: Zhang Rui Link: https://lore.kernel.org/r/20200615223957.183153-1-alex.hung@canonical.com Signed-off-by: Greg Kroah-Hartman commit 0ab6b541c6f86541e3c4c4c14ac6a5fcae4b48eb Author: Michał Mirosław Date: Wed Jun 24 13:35:41 2020 +0200 misc: atmel-ssc: lock with mutex instead of spinlock commit b037d60a3b1d1227609fd858fa34321f41829911 upstream. Uninterruptible context is not needed in the driver and causes lockdep warning because of mutex taken in of_alias_get_id(). Convert the lock to mutex to avoid the issue. Cc: stable@vger.kernel.org Fixes: 099343c64e16 ("ARM: at91: atmel-ssc: add device tree support") Signed-off-by: Michał Mirosław Link: https://lore.kernel.org/r/50f0d7fa107f318296afb49477c3571e4d6978c5.1592998403.git.mirq-linux@rere.qmqm.pl Signed-off-by: Greg Kroah-Hartman commit 746930d17d14a6f9876039ed3840ff8f0af76854 Author: Robin Gong Date: Tue Jun 30 00:59:58 2020 +0800 dmaengine: fsl-edma-common: correct DSIZE_32BYTE commit e142087b15960a4e1e5932942e5abae1f49d2318 upstream. Correct EDMA_TCD_ATTR_DSIZE_32BYTE define since it's broken by the below: '0x0005 --> BIT(3) | BIT(0))' Fixes: 4d6d3a90e4ac ("dmaengine: fsl-edma: fix macros") Signed-off-by: Robin Gong Tested-by: Angelo Dureghello Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/1593449998-32091-1-git-send-email-yibin.gong@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 5f3fcbf5b57f0995e710f988bd931dbbda9ee54c Author: Krzysztof Kozlowski Date: Thu Jun 11 15:21:05 2020 +0200 dmaengine: mcf-edma: Fix NULL pointer exception in mcf_edma_tx_handler commit 8995aa3d164ddd9200e6abcf25c449cf5298c858 upstream. On Toradex Colibri VF50 (Vybrid VF5xx) with fsl-edma driver NULL pointer exception happens occasionally on serial output initiated by login timeout. This was reproduced only if kernel was built with significant debugging options and EDMA driver is used with serial console. Issue looks like a race condition between interrupt handler fsl_edma_tx_handler() (called as a result of fsl_edma_xfer_desc()) and terminating the transfer with fsl_edma_terminate_all(). The fsl_edma_tx_handler() handles interrupt for a transfer with already freed edesc and idle==true. The mcf-edma driver shares design and lot of code with fsl-edma. It looks like being affected by same problem. Fix this pattern the same way as fix for fsl-edma driver. Fixes: e7a3ff92eaf1 ("dmaengine: fsl-edma: add ColdFire mcf5441x edma support") Cc: Signed-off-by: Krzysztof Kozlowski Reviewed-by: Robin Gong Link: https://lore.kernel.org/r/1591881665-25592-1-git-send-email-krzk@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 9464956544be4e19d19b345a46503accf3e7f324 Author: Krzysztof Kozlowski Date: Thu Jun 11 14:17:41 2020 +0200 dmaengine: fsl-edma: Fix NULL pointer exception in fsl_edma_tx_handler commit f5e5677c420346b4e9788051c2e4d750996c428c upstream. NULL pointer exception happens occasionally on serial output initiated by login timeout. This was reproduced only if kernel was built with significant debugging options and EDMA driver is used with serial console. col-vf50 login: root Password: Login timed out after 60 seconds. Unable to handle kernel NULL pointer dereference at virtual address 00000044 Internal error: Oops: 5 [#1] ARM CPU: 0 PID: 157 Comm: login Not tainted 5.7.0-next-20200610-dirty #4 Hardware name: Freescale Vybrid VF5xx/VF6xx (Device Tree) (fsl_edma_tx_handler) from [<8016eb10>] (__handle_irq_event_percpu+0x64/0x304) (__handle_irq_event_percpu) from [<8016eddc>] (handle_irq_event_percpu+0x2c/0x7c) (handle_irq_event_percpu) from [<8016ee64>] (handle_irq_event+0x38/0x5c) (handle_irq_event) from [<801729e4>] (handle_fasteoi_irq+0xa4/0x160) (handle_fasteoi_irq) from [<8016ddcc>] (generic_handle_irq+0x34/0x44) (generic_handle_irq) from [<8016e40c>] (__handle_domain_irq+0x54/0xa8) (__handle_domain_irq) from [<80508bc8>] (gic_handle_irq+0x4c/0x80) (gic_handle_irq) from [<80100af0>] (__irq_svc+0x70/0x98) Exception stack(0x8459fe80 to 0x8459fec8) fe80: 72286b00 e3359f64 00000001 0000412d a0070013 85c98840 85c98840 a0070013 fea0: 8054e0d4 00000000 00000002 00000000 00000002 8459fed0 8081fbe8 8081fbec fec0: 60070013 ffffffff (__irq_svc) from [<8081fbec>] (_raw_spin_unlock_irqrestore+0x30/0x58) (_raw_spin_unlock_irqrestore) from [<8056cb48>] (uart_flush_buffer+0x88/0xf8) (uart_flush_buffer) from [<80554e60>] (tty_ldisc_hangup+0x38/0x1ac) (tty_ldisc_hangup) from [<8054c7f4>] (__tty_hangup+0x158/0x2bc) (__tty_hangup) from [<80557b90>] (disassociate_ctty.part.1+0x30/0x23c) (disassociate_ctty.part.1) from [<8011fc18>] (do_exit+0x580/0xba0) (do_exit) from [<801214f8>] (do_group_exit+0x3c/0xb4) (do_group_exit) from [<80121580>] (__wake_up_parent+0x0/0x14) Issue looks like race condition between interrupt handler fsl_edma_tx_handler() (called as result of fsl_edma_xfer_desc()) and terminating the transfer with fsl_edma_terminate_all(). The fsl_edma_tx_handler() handles interrupt for a transfer with already freed edesc and idle==true. Fixes: d6be34fbd39b ("dma: Add Freescale eDMA engine driver support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Robin Gong Cc: Link: https://lore.kernel.org/r/1591877861-28156-2-git-send-email-krzk@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 8fd0d85368054814c7a53f499ab612bedee8afe1 Author: Alexander Shishkin Date: Mon Jul 6 19:13:39 2020 +0300 intel_th: Fix a NULL dereference when hub driver is not loaded commit e78e1fdb282726beaf88aa75943682217e6ded0e upstream. Connecting master to an output port when GTH driver module is not loaded triggers a NULL dereference: > RIP: 0010:intel_th_set_output+0x35/0x70 [intel_th] > Call Trace: > ? sth_stm_link+0x12/0x20 [intel_th_sth] > stm_source_link_store+0x164/0x270 [stm_core] > dev_attr_store+0x17/0x30 > sysfs_kf_write+0x3e/0x50 > kernfs_fop_write+0xda/0x1b0 > __vfs_write+0x1b/0x40 > vfs_write+0xb9/0x1a0 > ksys_write+0x67/0xe0 > __x64_sys_write+0x1a/0x20 > do_syscall_64+0x57/0x1d0 > entry_SYSCALL_64_after_hwframe+0x44/0xa9 Make sure the module in question is loaded and return an error if not. Signed-off-by: Alexander Shishkin Fixes: 39f4034693b7c ("intel_th: Add driver infrastructure for Intel(R) Trace Hub devices") Reviewed-by: Andy Shevchenko Reported-by: Ammy Yi Tested-by: Ammy Yi Cc: stable@vger.kernel.org # v4.4 Link: https://lore.kernel.org/r/20200706161339.55468-5-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 55d7092cc8f5cb0bcb8f91afece687cb9c55227c Author: Alexander Shishkin Date: Mon Jul 6 19:13:38 2020 +0300 intel_th: pci: Add Emmitsburg PCH support commit fd73d74a32bfaaf259441322cc5a1c83caaa94f2 upstream. This adds support for the Trace Hub in Emmitsburg PCH. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-4-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 905f20f4946ab04974d55777583eab417fac4182 Author: Alexander Shishkin Date: Mon Jul 6 19:13:37 2020 +0300 intel_th: pci: Add Tiger Lake PCH-H support commit 6227585dc7b6a5405fc08dc322f98cb95e2f0eb4 upstream. This adds support for the Trace Hub in Tiger Lake PCH-H. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-3-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 5c698cc5b6f43d943f2f944e7b41c331800bd71c Author: Alexander Shishkin Date: Mon Jul 6 19:13:36 2020 +0300 intel_th: pci: Add Jasper Lake CPU support commit 203c1f615052921901b7a8fbe2005d8ea6add076 upstream. This adds support for the Trace Hub in Jasper Lake CPU. Signed-off-by: Alexander Shishkin Reviewed-by: Andy Shevchenko Cc: stable@vger.kernel.org # v4.14+ Link: https://lore.kernel.org/r/20200706161339.55468-2-alexander.shishkin@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit c5ce2060f487754f3d1eee36bda5743be22352dd Author: Satheesh Rajendran Date: Fri Jun 19 12:31:13 2020 +0530 powerpc/pseries/svm: Fix incorrect check for shared_lppaca_size commit b710d27bf72068b15b2f0305d825988183e2ff28 upstream. Early secure guest boot hits the below crash while booting with vcpus numbers aligned with page boundary for PAGE size of 64k and LPPACA size of 1k i.e 64, 128 etc. Partition configured for 64 cpus. CPU maps initialized for 1 thread per core ------------[ cut here ]------------ kernel BUG at arch/powerpc/kernel/paca.c:89! Oops: Exception in kernel mode, sig: 5 [#1] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries This is due to the BUG_ON() for shared_lppaca_total_size equal to shared_lppaca_size. Instead the code should only BUG_ON() if we have exceeded the total_size, which indicates we've overflowed the array. Fixes: bd104e6db6f0 ("powerpc/pseries/svm: Use shared memory for LPPACA structures") Cc: stable@vger.kernel.org # v5.4+ Signed-off-by: Satheesh Rajendran Reviewed-by: Laurent Dufour Reviewed-by: Thiago Jung Bauermann [mpe: Reword change log to clarify we're fixing not removing the check] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200619070113.16696-1-sathnaga@linux.vnet.ibm.com Signed-off-by: Greg Kroah-Hartman commit 93d1e96b98b24489844749cf679e3047964c4cc0 Author: Aneesh Kumar K.V Date: Sun Jul 12 18:50:47 2020 +0530 powerpc/book3s64/pkeys: Fix pkey_access_permitted() for execute disable pkey commit 192b6a780598976feb7321ff007754f8511a4129 upstream. Even if the IAMR value denies execute access, the current code returns true from pkey_access_permitted() for an execute permission check, if the AMR read pkey bit is cleared. This results in repeated page fault loop with a test like below: #define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include #ifdef SYS_pkey_mprotect #undef SYS_pkey_mprotect #endif #ifdef SYS_pkey_alloc #undef SYS_pkey_alloc #endif #ifdef SYS_pkey_free #undef SYS_pkey_free #endif #undef PKEY_DISABLE_EXECUTE #define PKEY_DISABLE_EXECUTE 0x4 #define SYS_pkey_mprotect 386 #define SYS_pkey_alloc 384 #define SYS_pkey_free 385 #define PPC_INST_NOP 0x60000000 #define PPC_INST_BLR 0x4e800020 #define PROT_RWX (PROT_READ | PROT_WRITE | PROT_EXEC) static int sys_pkey_mprotect(void *addr, size_t len, int prot, int pkey) { return syscall(SYS_pkey_mprotect, addr, len, prot, pkey); } static int sys_pkey_alloc(unsigned long flags, unsigned long access_rights) { return syscall(SYS_pkey_alloc, flags, access_rights); } static int sys_pkey_free(int pkey) { return syscall(SYS_pkey_free, pkey); } static void do_execute(void *region) { /* jump to region */ asm volatile( "mtctr %0;" "bctrl" : : "r"(region) : "ctr", "lr"); } static void do_protect(void *region) { size_t pgsize; int i, pkey; pgsize = getpagesize(); pkey = sys_pkey_alloc(0, PKEY_DISABLE_EXECUTE); assert (pkey > 0); /* perform mprotect */ assert(!sys_pkey_mprotect(region, pgsize, PROT_RWX, pkey)); do_execute(region); /* free pkey */ assert(!sys_pkey_free(pkey)); } int main(int argc, char **argv) { size_t pgsize, numinsns; unsigned int *region; int i; /* allocate memory region to protect */ pgsize = getpagesize(); region = memalign(pgsize, pgsize); assert(region != NULL); assert(!mprotect(region, pgsize, PROT_RWX)); /* fill page with NOPs with a BLR at the end */ numinsns = pgsize / sizeof(region[0]); for (i = 0; i < numinsns - 1; i++) region[i] = PPC_INST_NOP; region[i] = PPC_INST_BLR; do_protect(region); return EXIT_SUCCESS; } The fix is to only check the IAMR for an execute check, the AMR value is not relevant. Fixes: f2407ef3ba22 ("powerpc: helper to validate key-access permissions of a pte") Cc: stable@vger.kernel.org # v4.16+ Reported-by: Sandipan Das Signed-off-by: Aneesh Kumar K.V [mpe: Add detail to change log, tweak wording & formatting] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200712132047.1038594-1-aneesh.kumar@linux.ibm.com Signed-off-by: Greg Kroah-Hartman commit d6a76f8eee215c1f674fff394dccd43d72ed3fce Author: Vishwas M Date: Tue Jul 7 19:57:47 2020 +0530 hwmon: (emc2103) fix unable to change fan pwm1_enable attribute commit 14b0e83dc4f1e52b94acaeb85a18fd7fdd46d2dc upstream. This patch fixes a bug which does not let FAN mode to be changed from sysfs(pwm1_enable). i.e pwm1_enable can not be set to 3, it will always remain at 0. This is caused because the device driver handles the result of "read_u8_from_i2c(client, REG_FAN_CONF1, &conf_reg)" incorrectly. The driver thinks an error has occurred if the (result != 0). This has been fixed by changing the condition to (result < 0). Signed-off-by: Vishwas M Link: https://lore.kernel.org/r/20200707142747.118414-1-vishwas.reddy.vr@gmail.com Fixes: 9df7305b5a86 ("hwmon: Add driver for SMSC EMC2103 temperature monitor and fan controller") Cc: stable@vger.kernel.org Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 9125d5762590bb99d65b0f3f1c37c0585a576e67 Author: Andreas Schwab Date: Mon Jul 6 14:32:26 2020 +0200 riscv: use 16KB kernel stack on 64-bit commit 0cac21b02ba5f3095fd2dcc77c26a25a0b2432ed upstream. With the current 8KB stack size there are frequent overflows in a 64-bit configuration. We may split IRQ stacks off in the future, but this fixes a number of issues right now. Signed-off-by: Andreas Schwab Reviewed-by: Anup Patel [Palmer: mention irqstack in the commit text] Fixes: 7db91e57a0ac ("RISC-V: Task implementation") Cc: stable@vger.kernel.org Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit c28501385945f55444b4bc560e5827b6e45d6d16 Author: Frederic Weisbecker Date: Fri Jul 17 16:05:40 2020 +0200 timer: Fix wheel index calculation on last level commit e2a71bdea81690b6ef11f4368261ec6f5b6891aa upstream. When an expiration delta falls into the last level of the wheel, that delta has be compared against the maximum possible delay and reduced to fit in if necessary. However instead of comparing the delta against the maximum, the code compares the actual expiry against the maximum. Then instead of fixing the delta to fit in, it sets the maximum delta as the expiry value. This can result in various undesired outcomes, the worst possible one being a timer expiring 15 days ahead to fire immediately. Fixes: 500462a9de65 ("timers: Switch to a non-cascading wheel") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20200717140551.29076-2-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit 6c2388e2a12b7d9c37b83187e4f499d0596bdf93 Author: Frederic Weisbecker Date: Fri Jul 3 03:06:57 2020 +0200 timer: Prevent base->clk from moving backward commit 30c66fc30ee7a98c4f3adf5fb7e213b61884474f upstream. When a timer is enqueued with a negative delta (ie: expiry is below base->clk), it gets added to the wheel as expiring now (base->clk). Yet the value that gets stored in base->next_expiry, while calling trigger_dyntick_cpu(), is the initial timer->expires value. The resulting state becomes: base->next_expiry < base->clk On the next timer enqueue, forward_timer_base() may accidentally rewind base->clk. As a possible outcome, timers may expire way too early, the worst case being that the highest wheel levels get spuriously processed again. To prevent from that, make sure that base->next_expiry doesn't get below base->clk. Fixes: a683f390b93f ("timers: Forward the wheel clock whenever possible") Signed-off-by: Frederic Weisbecker Signed-off-by: Thomas Gleixner Reviewed-by: Anna-Maria Behnsen Tested-by: Juri Lelli Cc: stable@vger.kernel.org Link: https://lkml.kernel.org/r/20200703010657.2302-1-frederic@kernel.org Signed-off-by: Greg Kroah-Hartman commit e9506de7b305634d5c6d7bdf4edf1ff1f3a9937d Author: Chandrakanth Patil Date: Wed Jul 15 17:31:53 2020 +0530 scsi: megaraid_sas: Remove undefined ENABLE_IRQ_POLL macro commit 07d3f04550023395bbf34b99ec7e00fc50d9859f upstream. As the ENABLE_IRQ_POLL macro is undefined, the check for ENABLE_IRQ_POLL macro in ISR will always be false. This leads to irq polling being non-functional. Remove ENABLE_IRQ_POLL check from ISR. Link: https://lore.kernel.org/r/20200715120153.20512-1-chandrakanth.patil@broadcom.com Fixes: a6ffd5bf6819 ("scsi: megaraid_sas: Call disable_irq from process IRQ") Cc: # v5.3+ Signed-off-by: Chandrakanth Patil Signed-off-by: Kashyap Desai Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit acd3901a62f61fa52dfaef5656f20f3dd7e3751c Author: Esben Haabendal Date: Wed Jul 1 16:56:58 2020 +0200 uio_pdrv_genirq: fix use without device tree and no interrupt commit bf12fdf0ab728ca8e5933aac46dd972c0dd0421e upstream. While e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no interrupt") added support for using uio_pdrv_genirq for devices without interrupt for device tree platforms, the removal of uio_pdrv in 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") broke the support for non device tree platforms. This change fixes this, so that uio_pdrv_genirq can be used without interrupt on all platforms. This still leaves the support that uio_pdrv had for custom interrupt handler lacking, as uio_pdrv_genirq does not handle it (yet). Fixes: 26dac3c49d56 ("uio: Remove uio_pdrv and use uio_pdrv_genirq instead") Signed-off-by: Esben Haabendal Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200701145659.3978-3-esben@geanix.com Signed-off-by: Greg Kroah-Hartman commit 17268122ba5e503548a9e174f177c1b41399cc17 Author: Esben Haabendal Date: Wed Jul 1 16:56:57 2020 +0200 uio_pdrv_genirq: Remove warning when irq is not specified commit 324ac45f25e634eca6346953ae531e8da3e0c73d upstream. Since e3a3c3a20555 ("UIO: fix uio_pdrv_genirq with device tree but no interrupt"), the uio_pdrv_genirq has supported use without interrupt, so the change in 7723f4c5ecdb ("driver core: platform: Add an error message to") added false warnings for those cases. Fixes: 7723f4c5ecdb ("driver core: platform: Add an error message to platform_get_irq*()") Signed-off-by: Esben Haabendal Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200701145659.3978-2-esben@geanix.com Signed-off-by: Greg Kroah-Hartman commit 97f1aecb80e9716c7b0f9163e5953d7976331fc3 Author: Dave Wang Date: Wed Jul 8 22:25:03 2020 -0700 Input: elan_i2c - add more hardware ID for Lenovo laptops commit a50ca29523b18baea548bdf5df9b4b923c2bb4f6 upstream. This adds more hardware IDs for Elan touchpads found in various Lenovo laptops. Signed-off-by: Dave Wang Link: https://lore.kernel.org/r/000201d5a8bd$9fead3f0$dfc07bd0$@emc.com.tw Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 1fb81fe5e18081d971e985ecb8dce0bf36cdd969 Author: David Pedersen Date: Mon Jul 6 18:48:51 2020 -0700 Input: i8042 - add Lenovo XiaoXin Air 12 to i8042 nomux list commit 17d51429da722cd8fc77a365a112f008abf4f8b3 upstream. This fixes two finger trackpad scroll on the Lenovo XiaoXin Air 12. Without nomux, the trackpad behaves as if only one finger is present and moves the cursor when trying to scroll. Signed-off-by: David Pedersen Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200625133754.291325-1-limero1337@gmail.com Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 62dd03054918ff7ad7e8c0a4197e1b61d033be4c Author: Alexander Usyskin Date: Mon Jun 29 01:53:59 2020 +0300 mei: bus: don't clean driver pointer commit e852c2c251ed9c23ae6e3efebc5ec49adb504207 upstream. It's not needed to set driver to NULL in mei_cl_device_remove() which is bus_type remove() handler as this is done anyway in __device_release_driver(). Actually this is causing an endless loop in driver_detach() on ubuntu patched kernel, while removing (rmmod) the mei_hdcp module. The reason list_empty(&drv->p->klist_devices.k_list) is always not-empty. as the check is always true in __device_release_driver() if (dev->driver != drv) return; The non upstream patch is causing this behavior, titled: 'vfio -- release device lock before userspace requests' Nevertheless the fix is correct also for the upstream. Link: https://patchwork.ozlabs.org/project/ubuntu-kernel/patch/20180912085046.3401-2-apw@canonical.com/ Cc: Cc: Andy Whitcroft Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Link: https://lore.kernel.org/r/20200628225359.2185929-1-tomas.winkler@intel.com Signed-off-by: Greg Kroah-Hartman commit 72648019cd52488716891c2cbb096ad1023ab83e Author: Wade Mealing Date: Wed Jun 17 13:49:47 2020 +0200 Revert "zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()" commit 853eab68afc80f59f36bbdeb715e5c88c501e680 upstream. Turns out that the permissions for 0400 really are what we want here, otherwise any user can read from this file. [fixed formatting, added changelog, and made attribute static - gregkh] Reported-by: Wade Mealing Cc: stable Fixes: f40609d1591f ("zram: convert remaining CLASS_ATTR() to CLASS_ATTR_RO()") Link: https://bugzilla.redhat.com/show_bug.cgi?id=1847832 Reviewed-by: Steffen Maier Acked-by: Minchan Kim Link: https://lore.kernel.org/r/20200617114946.GA2131650@kroah.com Signed-off-by: Greg Kroah-Hartman commit 4dd2ad6867040ad1c52e9774595fb0dc6d69d010 Author: Chirantan Ekbote Date: Tue Jul 14 19:26:39 2020 +0900 fuse: Fix parameter for FS_IOC_{GET,SET}FLAGS commit 31070f6ccec09f3bd4f1e28cd1e592fa4f3ba0b6 upstream. The ioctl encoding for this parameter is a long but the documentation says it should be an int and the kernel drivers expect it to be an int. If the fuse driver treats this as a long it might end up scribbling over the stack of a userspace process that only allocated enough space for an int. This was previously discussed in [1] and a patch for fuse was proposed in [2]. From what I can tell the patch in [2] was nacked in favor of adding new, "fixed" ioctls and using those from userspace. However there is still no "fixed" version of these ioctls and the fact is that it's sometimes infeasible to change all userspace to use the new one. Handling the ioctls specially in the fuse driver seems like the most pragmatic way for fuse servers to support them without causing crashes in userspace applications that call them. [1]: https://lore.kernel.org/linux-fsdevel/20131126200559.GH20559@hall.aurel32.net/T/ [2]: https://sourceforge.net/p/fuse/mailman/message/31771759/ Signed-off-by: Chirantan Ekbote Fixes: 59efec7b9039 ("fuse: implement ioctl support") Cc: Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit e8f32a9f5aebfb3763a69b3bda4ccdfee62b2809 Author: Miklos Szeredi Date: Tue Jul 14 14:45:41 2020 +0200 fuse: use ->reconfigure() instead of ->remount_fs() commit 0189a2d367f49729622fdafaef5da73161591859 upstream. s_op->remount_fs() is only called from legacy_reconfigure(), which is not used after being converted to the new API. Convert to using ->reconfigure(). This restores the previous behavior of syncing the filesystem and rejecting MS_MANDLOCK on remount. Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") Cc: # v5.4 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit f96ce4be463a852348155e1662a94965a7a70244 Author: Miklos Szeredi Date: Tue Jul 14 14:45:41 2020 +0200 fuse: ignore 'data' argument of mount(..., MS_REMOUNT) commit e8b20a474cf2c42698d1942f939ff2128819f151 upstream. The command mount -o remount -o unknownoption /mnt/fuse succeeds on kernel versions prior to v5.4 and fails on kernel version at or after. This is because fuse_parse_param() rejects any unrecognised options in case of FS_CONTEXT_FOR_RECONFIGURE, just as for FS_CONTEXT_FOR_MOUNT. This causes a regression in case the fuse filesystem is in fstab, since remount sends all options found there to the kernel; even ones that are meant for the initial mount and are consumed by the userspace fuse server. Fix this by ignoring mount options, just as fuse_remount_fs() did prior to the conversion to the new API. Reported-by: Stefan Priebe Fixes: c30da2e981a7 ("fuse: convert to use the new mount API") Cc: # v5.4 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 09b696bd214915ca72a5d0925690580292bde00c Author: Amir Goldstein Date: Thu Jun 18 18:43:53 2020 +0300 ovl: fix unneeded call to ovl_change_flags() commit 81a33c1ee941c3bb9ffc6bac8f676be13351344e upstream. The check if user has changed the overlay file was wrong, causing unneeded call to ovl_change_flags() including taking f_lock on every file access. Fixes: d989903058a8 ("ovl: do not generate duplicate fsnotify events for "fake" path") Cc: # v4.19+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 93f75b0f0d3b1cbd9503170674f0a65370247c27 Author: Amir Goldstein Date: Wed Jun 17 09:57:11 2020 +0300 ovl: relax WARN_ON() when decoding lower directory file handle commit 124c2de2c0aee96271e4ddab190083d8aa7aa71a upstream. Decoding a lower directory file handle to overlay path with cold inode/dentry cache may go as follows: 1. Decode real lower file handle to lower dir path 2. Check if lower dir is indexed (was copied up) 3. If indexed, get the upper dir path from index 4. Lookup upper dir path in overlay 5. If overlay path found, verify that overlay lower is the lower dir from step 1 On failure to verify step 5 above, user will get an ESTALE error and a WARN_ON will be printed. A mismatch in step 5 could be a result of lower directory that was renamed while overlay was offline, after that lower directory has been copied up and indexed. This is a scripted reproducer based on xfstest overlay/052: # Create lower subdir create_dirs create_test_files $lower/lowertestdir/subdir mount_dirs # Copy up lower dir and encode lower subdir file handle touch $SCRATCH_MNT/lowertestdir test_file_handles $SCRATCH_MNT/lowertestdir/subdir -p -o $tmp.fhandle # Rename lower dir offline unmount_dirs mv $lower/lowertestdir $lower/lowertestdir.new/ mount_dirs # Attempt to decode lower subdir file handle test_file_handles $SCRATCH_MNT -p -i $tmp.fhandle Since this WARN_ON() can be triggered by user we need to relax it. Fixes: 4b91c30a5a19 ("ovl: lookup connected ancestor of dir in inode cache") Cc: # v4.16+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 6270654c7de9a4e5da6f4ec87dcd72136c8f11ca Author: youngjun Date: Tue Jun 16 17:30:43 2020 +0900 ovl: inode reference leak in ovl_is_inuse true case. commit 24f14009b8f1754ec2ae4c168940c01259b0f88a upstream. When "ovl_is_inuse" true case, trap inode reference not put. plus adding the comment explaining sequence of ovl_is_inuse after ovl_setup_trap. Fixes: 0be0bfd2de9d ("ovl: fix regression caused by overlapping layers detection") Cc: # v4.19+ Reviewed-by: Amir Goldstein Signed-off-by: youngjun Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 4996065307c82dd5f8c773ed8e08e6185de961f4 Author: Amir Goldstein Date: Wed Jul 8 16:16:13 2020 +0300 ovl: fix regression with re-formatted lower squashfs commit a888db310195400f050b89c47673f0f8babfbb41 upstream. Commit 9df085f3c9a2 ("ovl: relax requirement for non null uuid of lower fs") relaxed the requirement for non null uuid with single lower layer to allow enabling index and nfs_export features with single lower squashfs. Fabian reported a regression in a setup when overlay re-uses an existing upper layer and re-formats the lower squashfs image. Because squashfs has no uuid, the origin xattr in upper layer are decoded from the new lower layer where they may resolve to a wrong origin file and user may get an ESTALE or EIO error on lookup. To avoid the reported regression while still allowing the new features with single lower squashfs, do not allow decoding origin with lower null uuid unless user opted-in to one of the new features that require following the lower inode of non-dir upper (index, xino, metacopy). Reported-by: Fabian Link: https://lore.kernel.org/linux-unionfs/32532923.JtPX5UtSzP@fgdesktop/ Fixes: 9df085f3c9a2 ("ovl: relax requirement for non null uuid of lower fs") Cc: stable@vger.kernel.org # v4.20+ Signed-off-by: Amir Goldstein Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 2cd065b916811dc197b0d0069cec2f64f7203af0 Author: Chuhong Yuan Date: Thu Jul 9 21:56:08 2020 +0800 serial: mxs-auart: add missed iounmap() in probe failure and remove commit d8edf8eb5f6e921fe6389f96d2cd05862730a6ff upstream. This driver calls ioremap() in probe, but it misses calling iounmap() in probe's error handler and remove. Add the missed calls to fix it. Fixes: 47d37d6f94cc ("serial: Add auart driver for i.MX23/28") Signed-off-by: Chuhong Yuan Cc: stable Link: https://lore.kernel.org/r/20200709135608.68290-1-hslester96@gmail.com Signed-off-by: Greg Kroah-Hartman commit 752641ba871a10af28b5bc0e7061d3e6c821ed2e Author: Alexander Lobakin Date: Tue Jun 23 11:09:33 2020 +0000 virtio: virtio_console: add missing MODULE_DEVICE_TABLE() for rproc serial commit 897c44f0bae574c5fb318c759b060bebf9dd6013 upstream. rproc_serial_id_table lacks an exposure to module devicetable, so when remoteproc firmware requests VIRTIO_ID_RPROC_SERIAL, no uevent is generated and no module autoloading occurs. Add missing MODULE_DEVICE_TABLE() annotation and move the existing one for VIRTIO_ID_CONSOLE right to the table itself. Fixes: 1b6370463e88 ("virtio_console: Add support for remoteproc serial") Cc: # v3.8+ Signed-off-by: Alexander Lobakin Reviewed-by: Amit Shah Link: https://lore.kernel.org/r/x7C_CbeJtoGMy258nwAXASYz3xgFMFpyzmUvOyZzRnQrgWCREBjaqBOpAUS7ol4NnZYvSVwmTsCG0Ohyfvta-ygw6HMHcoeKK0C3QFiAO_Q=@pm.me Signed-off-by: Greg Kroah-Hartman commit 8f4c040f45b924753775ae5ee4abeee19bbc46d3 Author: Jan Kiszka Date: Thu Jun 18 10:11:40 2020 +0200 Revert "tty: xilinx_uartps: Fix missing id assignment to the console" commit 76ed2e105796710cf5b8a4ba43c81eceed948b70 upstream. This reverts commit 2ae11c46d5fdc46cb396e35911c713d271056d35. It turned out to break the ultra96-rev1, e.g., which uses uart1 as serial0 (and stdout-path = "serial0:115200n8"). Fixes: 2ae11c46d5fd ("tty: xilinx_uartps: Fix missing id assignment to the console") Cc: stable Signed-off-by: Jan Kiszka Reviewed-by: Michal Simek Tested-by: Michal Simek Link: https://lore.kernel.org/r/f4092727-d8f5-5f91-2c9f-76643aace993@siemens.com Signed-off-by: Greg Kroah-Hartman commit 1bc2c30d861cbed4d896c92a479a5c16bd1bd191 Author: Hans de Goede Date: Thu Jul 9 14:08:52 2020 +0200 virt: vbox: Fix guest capabilities mask check commit 59d1d2e8e1e7c50d2657d5e4812b53f71f507968 upstream. Check the passed in capabilities against VMMDEV_GUEST_CAPABILITIES_MASK instead of against VMMDEV_EVENT_VALID_EVENT_MASK. This tightens the allowed mask from 0x7ff to 0x7. Fixes: 0ba002bc4393 ("virt: Add vboxguest driver for Virtual Box Guest integration") Cc: stable@vger.kernel.org Acked-by: Arnd Bergmann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20200709120858.63928-3-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 78d85ca8300e8076acb5549ac8abfa49f6c64c07 Author: Hans de Goede Date: Thu Jul 9 14:08:51 2020 +0200 virt: vbox: Fix VBGL_IOCTL_VMMDEV_REQUEST_BIG and _LOG req numbers to match upstream commit f794db6841e5480208f0c3a3ac1df445a96b079e upstream. Until this commit the mainline kernel version (this version) of the vboxguest module contained a bug where it defined VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG using _IOC(_IOC_READ | _IOC_WRITE, 'V', ...) instead of _IO(V, ...) as the out of tree VirtualBox upstream version does. Since the VirtualBox userspace bits are always built against VirtualBox upstream's headers, this means that so far the mainline kernel version of the vboxguest module has been failing these 2 ioctls with -ENOTTY. I guess that VBGL_IOCTL_VMMDEV_REQUEST_BIG is never used causing us to not hit that one and sofar the vboxguest driver has failed to actually log any log messages passed it through VBGL_IOCTL_LOG. This commit changes the VBGL_IOCTL_VMMDEV_REQUEST_BIG and VBGL_IOCTL_LOG defines to match the out of tree VirtualBox upstream vboxguest version, while keeping compatibility with the old wrong request defines so as to not break the kernel ABI in case someone has been using the old request defines. Fixes: f6ddd094f579 ("virt: Add vboxguest driver for Virtual Box Guest integration UAPI") Cc: stable@vger.kernel.org Acked-by: Arnd Bergmann Reviewed-by: Arnd Bergmann Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20200709120858.63928-2-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit cc894ec456c1b8b306a777016f955f9f71324ac3 Author: AceLan Kao Date: Tue Jul 7 16:15:53 2020 +0800 USB: serial: option: add Quectel EG95 LTE modem commit da6902e5b6dbca9081e3d377f9802d4fd0c5ea59 upstream. Add support for Quectel Wireless Solutions Co., Ltd. EG95 LTE modem T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0195 Rev=03.18 S: Manufacturer=Android S: Product=Android C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) Signed-off-by: AceLan Kao Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 4eaf06c9bd35bad9d553ce0ede8f44bb78928c9b Author: Jörgen Storvist Date: Tue Jun 23 00:13:59 2020 +0200 USB: serial: option: add GosunCn GM500 series commit 08d4ef5cc9203a113702f24725f6cf4db476c958 upstream. Add USB IDs for GosunCn GM500 series cellular modules. RNDIS config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 12 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1404 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option MBIM config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1405 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim I: If#=0x4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim ECM config: usb-devices T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 13 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=305a ProdID=1406 Rev=03.18 S: Manufacturer=Android S: Product=Android S: SerialNumber= C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option I: If#=0x3 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether I: If#=0x4 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether Signed-off-by: Jörgen Storvist Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit dcc1df3cdb04146f19d48cd7686dc9b534f51314 Author: Igor Moura Date: Tue Jun 23 05:11:11 2020 -0300 USB: serial: ch341: add new Product ID for CH340 commit 5d0136f8e79f8287e6a36780601f0ce797cf11c2 upstream. Add PID for CH340 that's found on some ESP8266 dev boards made by LilyGO. The specific device that contains such serial converter can be seen here: https://github.com/LilyGO/LILYGO-T-OI. Apparently, it's a regular CH340, but I've confirmed with others that also bought this board that the PID found on this device (0x7522) differs from other devices with the "same" converter (0x7523). Simply adding its PID to the driver and rebuilding it made it work as expected. Signed-off-by: Igor Moura Cc: stable@vger.kernel.org Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit dff0a4f024fc15efaedb0ed3c7ea02a8fc60e55b Author: James Hilliard Date: Tue Jun 16 16:04:03 2020 -0600 USB: serial: cypress_m8: enable Simply Automated UPB PIM commit 5c45d04c5081c1830d674f4d22d4400ea2083afe upstream. This is a UPB (Universal Powerline Bus) PIM (Powerline Interface Module) which allows for controlling multiple UPB compatible devices from Linux using the standard serial interface. Based on vendor application source code there are two different models of USB based PIM devices in addition to a number of RS232 based PIM's. The vendor UPB application source contains the following USB ID's: #define USB_PCS_VENDOR_ID 0x04b4 #define USB_PCS_PIM_PRODUCT_ID 0x5500 #define USB_SAI_VENDOR_ID 0x17dd #define USB_SAI_PIM_PRODUCT_ID 0x5500 The first set of ID's correspond to the PIM variant sold by Powerline Control Systems while the second corresponds to the Simply Automated Incorporated PIM. As the product ID for both of these match the default cypress HID->COM RS232 product ID it assumed that they both use an internal variant of this HID->COM RS232 converter hardware. However as the vendor ID for the Simply Automated variant is different we need to also add it to the cypress_M8 driver so that it is properly detected. Signed-off-by: James Hilliard Link: https://lore.kernel.org/r/20200616220403.1807003-1-james.hilliard1@gmail.com Cc: stable@vger.kernel.org [ johan: amend VID define entry ] Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 18059e953e1f5e61de6ce0c9add40e5332bc3434 Author: Johan Hovold Date: Wed Jul 15 11:02:45 2020 +0200 USB: serial: iuu_phoenix: fix memory corruption commit e7b931bee739e8a77ae216e613d3b99342b6dec0 upstream. The driver would happily overwrite its write buffer with user data in 256 byte increments due to a removed buffer-space sanity check. Fixes: 5fcf62b0f1f2 ("tty: iuu_phoenix: fix locking.") Cc: stable # 2.6.31 Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 72596d0b2acd9a60afa8f36696a9bb13e2e02ae3 Author: Zhang Qiang Date: Mon Jul 6 13:14:55 2020 +0800 usb: gadget: function: fix missing spinlock in f_uac1_legacy commit 8778eb0927ddcd3f431805c37b78fa56481aeed9 upstream. Add a missing spinlock protection for play_queue, because the play_queue may be destroyed when the "playback_work" work func and "f_audio_out_ep_complete" callback func operate this paly_queue at the same time. Fixes: c6994e6f067cf ("USB: gadget: add USB Audio Gadget driver") Cc: stable Signed-off-by: Zhang Qiang Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 01512075a387fbad5423ce8f866ee7c51eb0a9a3 Author: Peter Chen Date: Tue Jul 7 14:06:01 2020 +0800 usb: chipidea: core: add wakeup support for extcon commit 876d4e1e8298ad1f94d9e9392fc90486755437b4 upstream. If wakeup event occurred by extcon event, it needs to call ci_irq again since the first ci_irq calling at extcon notifier only wakes up controller, but do noop for event handling, it causes the extcon use case can't work well from low power mode. Cc: Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") Reported-by: Philippe Schenker Tested-by: Philippe Schenker Signed-off-by: Peter Chen Link: https://lore.kernel.org/r/20200707060601.31907-2-peter.chen@kernel.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 3dd890afedbff90a917a5f1177c2b50b3d47c452 Author: Minas Harutyunyan Date: Sat May 30 11:41:50 2020 +0400 usb: dwc2: Fix shutdown callback in platform commit 4fdf228cdf6925af45a2066d403821e0977bfddb upstream. To avoid lot of interrupts from dwc2 core, which can be asserted in specific conditions need to disable interrupts on HW level instead of disable IRQs on Kernel level, because of IRQ can be shared between drivers. Cc: stable@vger.kernel.org Fixes: a40a00318c7fc ("usb: dwc2: add shutdown callback to platform variant") Tested-by: Frank Mori Hess Reviewed-by: Alan Stern Reviewed-by: Doug Anderson Reviewed-by: Frank Mori Hess Signed-off-by: Minas Harutyunyan Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 4f0addeba0c09002a01a6a2478da5298b99f172e Author: Tom Rix Date: Wed Jul 8 06:12:43 2020 -0700 USB: c67x00: fix use after free in c67x00_giveback_urb commit 211f08347355cba1f769bbf3355816a12b3ddd55 upstream. clang static analysis flags this error c67x00-sched.c:489:55: warning: Use of memory after it is freed [unix.Malloc] usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status); ^~~~~~~~~~~~ Problem happens in this block of code c67x00_release_urb(c67x00, urb); usb_hcd_unlink_urb_from_ep(c67x00_hcd_to_hcd(c67x00), urb); spin_unlock(&c67x00->lock); usb_hcd_giveback_urb(c67x00_hcd_to_hcd(c67x00), urb, urbp->status); In the call to c67x00_release_urb has this freeing of urbp urbp = urb->hcpriv; urb->hcpriv = NULL; list_del(&urbp->hep_node); kfree(urbp); And so urbp is freed before usb_hcd_giveback_urb uses it as its 3rd parameter. Since all is required is the status, pass the status directly as is done in c64x00_urb_dequeue Fixes: e9b29ffc519b ("USB: add Cypress c67x00 OTG controller HCD driver") Signed-off-by: Tom Rix Cc: stable Link: https://lore.kernel.org/r/20200708131243.24336-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit bd422c7fb477b15e0c55059c552d02ea7212aa4e Author: Kailang Yang Date: Thu Jul 16 15:21:59 2020 +0800 ALSA: hda/realtek - Enable Speaker for ASUS UX563 commit 158ae2f5e6fead30be1f0c203037f5556871513b upstream. ASUS UX563 speaker can't output. Add quirk to link suitable model will enable it. This model also could enable headset Mic. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/96dee3ab01a04c28a7b44061e88009dd@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 63d318f05e679706f882669c8f7f07cde3d0fd62 Author: Kailang Yang Date: Thu Jul 16 14:42:33 2020 +0800 ALSA: hda/realtek - Enable Speaker for ASUS UX533 and UX534 commit 473fbe13fd6f9082e413aea37e624ecbce5463cc upstream. ASUS UX533 and UX534 speaker still can't output. End User feedback speaker didn't have output. Add this COEF value will enable it. Fixes: 4e051106730d ("ALSA: hda/realtek: Enable audio jacks of ASUS UX533FD with ALC294") Cc: Signed-off-by: Kailang Yang Link: https://lore.kernel.org/r/80334402a93b48e385f8f4841b59ae09@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e7bafe0c94cc61c699de2cd87cd1ba8946cc565d Author: Jian-Hong Pan Date: Mon Jul 13 14:04:22 2020 +0800 ALSA: hda/realtek: Enable headset mic of Acer TravelMate B311R-31 with ALC256 commit f50a121d2f32bccc1d6b94df925a1ce44ea7eff7 upstream. The Acer TravelMate B311R-31 laptop's audio (1025:1430) with ALC256 cannot detect the headset microphone until ALC256_FIXUP_ACER_MIC_NO_PRESENCE quirk maps the NID 0x19 as the headset mic pin. Signed-off-by: Jian-Hong Pan Cc: Link: https://lore.kernel.org/r/20200713060421.62435-1-jian-hong@endlessm.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4181b271908aa38e6d47250ec58a8240581aea37 Author: Armas Spann Date: Sat Jul 11 13:05:57 2020 +0200 ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G14(G401) series with ALC289 commit ff53664daff2a65f4bf2479ac56dfb3e908deff0 upstream. This patch adds support for headset mic to the ASUS ROG Zephyrus G14(GA401) notebook series by adding the corresponding vendor/pci_device id, as well as adding a new fixup for the used realtek ALC289. The fixup stets the correct pin to get the headset mic correctly recognized on audio-jack. Signed-off-by: Armas Spann Cc: Link: https://lore.kernel.org/r/20200711110557.18681-1-zappel@retarded.farm Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 246b9693026a4f1a3c5d8db69c06e8a7ebd277c7 Author: Kailang Yang Date: Fri Jul 10 15:31:11 2020 +0800 ALSA: hda/realtek - change to suitable link model for ASUS platform commit ef9ddb9dc4f8b1da3b975918cd1fd98ec055b918 upstream. ASUS platform couldn't need to use Headset Mode model. It changes to the suitable model. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/d05bcff170784ec7bb35023407148161@realtek.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 71319db6f3b19f4df89ad3c9e4d6bb66dd8dc29f Author: Takashi Iwai Date: Fri Jul 10 18:06:56 2020 +0200 ALSA: usb-audio: Fix race against the error recovery URB submission commit 9b7e5208a941e2e491a83eb5fa83d889e888fa2f upstream. USB MIDI driver has an error recovery mechanism to resubmit the URB in the delayed timer handler, and this may race with the standard start / stop operations. Although both start and stop operations themselves don't race with each other due to the umidi->mutex protection, but this isn't applied to the timer handler. For fixing this potential race, the following changes are applied: - Since the timer handler can't use the mutex, we apply the umidi->disc_lock protection at each input stream URB submission; this also needs to change the GFP flag to GFP_ATOMIC - Add a check of the URB refcount and skip if already submitted - Move the timer cancel call at disconnection to the beginning of the procedure; this assures the in-flight timer handler is gone properly before killing all pending URBs Reported-by: syzbot+0f4ecfe6a2c322c81728@syzkaller.appspotmail.com Reported-by: syzbot+5f1d24c49c1d2c427497@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/20200710160656.16819-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 25fd7ee3baebb59d896cd54a846c62ac7ca9a391 Author: Takashi Iwai Date: Fri Jul 10 15:59:59 2020 +0200 ALSA: line6: Sync the pending work cancel at disconnection commit 68359a1ad8447c99732ebeab8c169bfed543667a upstream. Recently syzkaller reported a UAF in LINE6 driver, and it's likely because we call cancel_delayed_work() at the disconnect callback instead of cancel_delayed_work_sync(). Let's use the correct one instead. Reported-by: syzbot+145012a46658ac00fc9e@syzkaller.appspotmail.com Suggested-by: Alan Stern Cc: Link: https://lore.kernel.org/r/s5hlfjr4gio.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 91a6d4049c587c5e3c384f3df11a20456bb87f30 Author: Takashi Iwai Date: Fri Jul 10 15:33:51 2020 +0200 ALSA: line6: Perform sanity check for each URB creation commit 6e8a914ad619042c5f25a4feb663357c4170fd8d upstream. LINE6 drivers create stream URBs with a fixed pipe without checking its validity, and this may lead to a kernel WARNING at the submission when a malformed USB descriptor is passed. For avoiding the kernel warning, perform the similar sanity checks for each pipe type at creating a URB. Reported-by: syzbot+c190f6858a04ea7fbc52@syzkaller.appspotmail.com Cc: Link: https://lore.kernel.org/r/s5hv9iv4hq8.wl-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 212425802dc6eab1b9fafe6dd040cefd0b2827ac Author: James Hilliard Date: Tue Jun 23 13:24:15 2020 -0600 HID: quirks: Ignore Simply Automated UPB PIM commit 1ee1369b46de1083238fced60ff718f59de4b8aa upstream. As this is a cypress HID->COM RS232 style device that is handled by the cypress_M8 driver we also need to add it to the ignore list in hid-quirks. Cc: stable Signed-off-by: James Hilliard Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit c0188ab5bc314086956c318d5112ce89444f6b8e Author: Sebastian Parschauer Date: Tue Jun 9 12:00:53 2020 +0200 HID: quirks: Always poll Obins Anne Pro 2 keyboard commit ca28aff0e1dc7dce9e12a7fd9276b7118ce5e73a upstream. The Obins Anne Pro 2 keyboard (04d9:a293) disconnects after a few minutes of inactivity when using it wired and typing does not result in any input events any more. This is a common firmware flaw. So add the ALWAYS_POLL quirk for this device. GitHub user Dietrich Moerman (dietrichm) tested the quirk and requested my help in my project https://github.com/sriemer/fix-linux-mouse issue 22 to provide this patch. Link: https://www.reddit.com/r/AnnePro/comments/gruzcb/anne_pro_2_linux_cant_type_after_inactivity/ Signed-off-by: Sebastian Parschauer Cc: stable@vger.kernel.org # v4.16+ Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit e93ab4628452e0869c24204ac495e558b4163149 Author: Dmitry Torokhov Date: Sun May 24 16:51:34 2020 -0700 HID: magicmouse: do not set up autorepeat commit 6363d2065cd399cf9d6dc9d08c437f8658831100 upstream. Neither the trackpad, nor the mouse want input core to generate autorepeat events for their buttons, so let's reset the bit (as hid-input sets it for these devices based on the usage vendor code). Cc: stable@vger.kernel.org Reported-by: Yariv Tested-by: Yariv Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit bc94605df1f9c792c2b6f0a7b9bd31a91da9b5cb Author: Maciej S. Szmigiero Date: Sun Jul 5 19:34:57 2020 +0200 HID: logitech-hidpp: avoid repeated "multiplier = " log messages commit e13762abf38ead29071407f32b9dcec38f21dc34 upstream. These messages appear each time the mouse wakes from sleep, in my case (Logitech M705), every minute or so. Let's downgrade them to the "debug" level so they don't fill the kernel log by default. While we are at it, let's make clear that this is a wheel multiplier (and not, for example, XY movement multiplier). Fixes: 4435ff2f09a2 ("HID: logitech: Enable high-resolution scrolling on Logitech mice") Cc: stable@vger.kernel.org Signed-off-by: Maciej S. Szmigiero Reviewed-by: Harry Cutts Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 7c4e6cfd922cc2649300274a8e20cf709e18cf0a Author: Saravana Kannan Date: Mon May 11 16:13:34 2020 +0100 slimbus: core: Fix mismatch in of_node_get/put commit 01360857486c0e4435dea3aa2f78b47213b7cf6a upstream. Adding missing corresponding of_node_put Fixes: 7588a511bdb4 ("slimbus: core: add support to device tree helper") Signed-off-by: Saravana Kannan [Srini: added fixes tag, removed NULL check and updated log] Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200511151334.362-3-srinivas.kandagatla@linaro.org Signed-off-by: Greg Kroah-Hartman commit 93b57bf835d2c80ef87d2af5061627ca897c6b87 Author: Vinod Koul Date: Wed May 13 12:24:20 2020 +0530 clk: qcom: gcc: Add missing UFS clocks for SM8150 commit 37c72e4cae37f0dace1abb3711ede7fbc6d0862a upstream. Add the missing ufs card and ufs phy clocks for SM8150. They were missed in earlier addition of clock driver. Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150") Signed-off-by: Vinod Koul Link: https://lkml.kernel.org/r/20200513065420.32735-2-vkoul@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit cb7b7928310f45f2771046f11ec3c54b122b6ac8 Author: Vinod Koul Date: Wed May 13 12:24:19 2020 +0530 clk: qcom: gcc: Add GPU and NPU clocks for SM8150 commit f73a4230d5bbc8fc7e1a2479ac997f786111c7bb upstream. Add the GPU and NPU clocks for SM8150. They were missed in earlier addition of clock driver. Fixes: 2a1d7eb854bb ("clk: qcom: gcc: Add global clock controller driver for SM8150") Signed-off-by: Vinod Koul Link: https://lkml.kernel.org/r/20200513065420.32735-1-vkoul@kernel.org Signed-off-by: Stephen Boyd Signed-off-by: Greg Kroah-Hartman commit cc490ea23f33b89f2d636cf45421efad333f94ec Author: Miquel Raynal Date: Tue May 19 15:00:11 2020 +0200 mtd: rawnand: oxnas: Release all devices in the _remove() path commit 0a5f45e57e35d0840bedb816974ce2e63406cd8b upstream. oxnans_nand_remove() should release all MTD devices and clean all NAND devices, not only the first one registered. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-39-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit f8a2658d0fd7b8fd75980eb7457886f71aa1097d Author: Miquel Raynal Date: Tue May 19 15:00:10 2020 +0200 mtd: rawnand: oxnas: Unregister all devices on error commit b60391eb17b2956ff2fc4c348e5a464da21ff9cb upstream. On error, the oxnas probe path just frees the device which failed and aborts the probe, leaving unreleased resources. Fix this situation by calling mtd_device_unregister()/nand_cleanup() on these. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-38-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 4682749ce329c0d51f050d2faca19788f8225341 Author: Miquel Raynal Date: Tue May 19 15:00:08 2020 +0200 mtd: rawnand: oxnas: Keep track of registered devices commit 383fc3f613e7eac9f2e3c13b6f9fb8c1f39cb9d5 upstream. All initialized and registered devices should be listed somewhere so that we can unregister/free them in the _remove() path. This patch is not a fix per-se but is needed to apply three other fixes coming right after, explaining the Fixes/Cc: stable tags. Fixes: 668592492409 ("mtd: nand: Add OX820 NAND Support") Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200519130035.1883-36-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 8463054e3d4ed0486fbbb639562a87888d9de945 Author: Álvaro Fernández Rojas Date: Fri May 22 14:15:21 2020 +0200 mtd: rawnand: brcmnand: fix CS0 layout commit 3d3fb3c5be9ce07fa85d8f67fb3922e4613b955b upstream. Only v3.3-v5.0 have a different CS0 layout. Controllers before v3.3 use the same layout for every CS. Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller") Signed-off-by: Álvaro Fernández Rojas Acked-by: Florian Fainelli Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200522121524.4161539-3-noltari@gmail.com Signed-off-by: Greg Kroah-Hartman commit ee73c81e386dfc51ba021d66324ef67a5a8fe73b Author: Álvaro Fernández Rojas Date: Tue May 12 10:24:51 2020 +0200 mtd: rawnand: brcmnand: correctly verify erased pages commit dcb351c03f2fa6a599de1061b174167e03ee312b upstream. The current code checks that the whole OOB area is erased. This is a problem when JFFS2 cleanmarkers are added to the OOB, since it will fail due to the usable OOB bytes not being 0xff. Correct this by only checking that data and ECC bytes aren't 0xff. Fixes: 02b88eea9f9c ("mtd: brcmnand: Add check for erased page bitflips") Signed-off-by: Álvaro Fernández Rojas Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20200512082451.771212-1-noltari@gmail.com Signed-off-by: Greg Kroah-Hartman commit e9f5e16f3228938dad4752f557158940d4e8029a Author: Miquel Raynal Date: Tue Apr 28 11:42:55 2020 +0200 mtd: rawnand: timings: Fix default tR_max and tCCS_min timings commit 4d8ec041d9c454029f6cd90622f6d81eb61e781c upstream. tR and tCCS are currently wrongly expressed in femtoseconds, while we expect these values to be expressed in picoseconds. Set right hardcoded values. Fixes: 6a943386ee36 mtd: rawnand: add default values for dynamic timings Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200428094302.14624-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit f1ad0fc9de60d2cf2824089e1bc101dabf71eb58 Author: Miquel Raynal Date: Fri Apr 24 18:44:59 2020 +0200 mtd: rawnand: marvell: Fix probe error path commit c525b7af96714f72e316c70781570a4a3e1c2856 upstream. Ensure all chips are deregistered and cleaned in case of error during the probe. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-5-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit be953ad71ce977b10ee3a4de994823e3f90f24d2 Author: Miquel Raynal Date: Fri Apr 24 18:44:58 2020 +0200 mtd: rawnand: marvell: Use nand_cleanup() when the device is not yet registered commit 7a0c18fb5c71c6ac7d4662a145e4227dcd4a36a3 upstream. Do not call nand_release() while the MTD device has not been registered, use nand_cleanup() instead. Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-4-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 5f59ce425f78aad43fc9d02d3379ce5e3a1c5843 Author: Miquel Raynal Date: Fri Apr 24 18:44:56 2020 +0200 mtd: rawnand: marvell: Fix the condition on a return code commit c27075772d1f1c8aaf276db9943b35adda8a8b65 upstream. In a previous fix, I changed the condition on which the timeout of an IRQ is reached from: if (!ret) into: if (ret && !pending) While having a non-zero return code is usual in the Linux kernel, here ret comes from a wait_for_completion_timeout() which returns 0 when the waiting period is too long. Hence, the revised condition should be: if (!ret && !pending) The faulty patch did not produce any error because of the !pending condition so this change is finally purely cosmetic and does not change the actual driver behavior. Fixes: cafb56dd741e ("mtd: rawnand: marvell: prevent timeouts on a loaded machine") Signed-off-by: Miquel Raynal Reviewed-by: Boris Brezillon Link: https://lore.kernel.org/linux-mtd/20200424164501.26719-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit eec70178983fcd08536ae748c803af0107799a33 Author: Aharon Landau Date: Mon Apr 27 18:46:36 2020 +0300 RDMA/mlx5: Verify that QP is created with RQ or SQ commit 0eacc574aae7300bf46c10c7116c3ba5825505b7 upstream. RAW packet QP and underlay QP must be created with either RQ or SQ, check that. Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") Link: https://lore.kernel.org/r/20200427154636.381474-37-leon@kernel.org Signed-off-by: Aharon Landau Reviewed-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 6b1aaceb0dab5394fea9b3c0ef9648147f7a8a18 Author: Maulik Shah Date: Sun Apr 12 20:20:04 2020 +0530 soc: qcom: rpmh-rsc: Allow using free WAKE TCS for active request commit 38427e5a47bf83299da930bd474c6cb2632ad810 upstream. When there are more than one WAKE TCS available and there is no dedicated ACTIVE TCS available, invalidating all WAKE TCSes and waiting for current transfer to complete in first WAKE TCS blocks using another free WAKE TCS to complete current request. Remove rpmh_rsc_invalidate() to happen from tcs_write() when WAKE TCSes is re-purposed to be used for Active mode. Clear only currently used WAKE TCS's register configuration. Fixes: 2de4b8d33eab (drivers: qcom: rpmh-rsc: allow active requests from wake TCS) Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-7-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit e65ee5ad89038f242358f27c16a5ef04a1c439e9 Author: Raju P.L.S.S.S.N Date: Sun Apr 12 20:20:03 2020 +0530 soc: qcom: rpmh-rsc: Clear active mode configuration for wake TCS commit 15b3bf61b8d48f8e0ccd9d7f1bcb468b543da396 upstream. For RSCs that have sleep & wake TCS but no dedicated active TCS, wake TCS can be re-purposed to send active requests. Once the active requests are sent and response is received, the active mode configuration needs to be cleared so that controller can use wake TCS for sending wake requests. Introduce enable_tcs_irq() to enable completion IRQ for repurposed TCSes. Fixes: 2de4b8d33eab (drivers: qcom: rpmh-rsc: allow active requests from wake TCS) Signed-off-by: Raju P.L.S.S.S.N [mkshah: call enable_tcs_irq() within drv->lock, update commit message] Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-6-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 9e56b18ca5a3311e7cddfe3ff6efdc0aae3547d2 Author: Maulik Shah Date: Sun Apr 12 20:20:01 2020 +0530 soc: qcom: rpmh: Invalidate SLEEP and WAKE TCSes before flushing new data commit f5ac95f9ca2f439179a5baf48e1c0f22f83d936e upstream. TCSes have previously programmed data when rpmh_flush() is called. This can cause old data to trigger along with newly flushed. Fix this by cleaning SLEEP and WAKE TCSes before new data is flushed. With this there is no need to invoke rpmh_rsc_invalidate() call from rpmh_invalidate(). Simplify rpmh_invalidate() by moving invalidate_batch() inside. Fixes: 600513dfeef3 ("drivers: qcom: rpmh: cache sleep/wake state requests") Signed-off-by: Maulik Shah Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-4-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 9edb7370f893192df5fc0cc56f983899dd22db87 Author: Maulik Shah Date: Sun Apr 12 20:20:00 2020 +0530 soc: qcom: rpmh: Update dirty flag only when data changes commit bb7000677a1b287206c8d4327c62442fa3050a8f upstream. Currently rpmh ctrlr dirty flag is set for all cases regardless of data is really changed or not. Add changes to update dirty flag when data is changed to newer values. Update dirty flag everytime when data in batch cache is updated since rpmh_flush() may get invoked from any CPU instead of only last CPU going to low power mode. Also move dirty flag updates to happen from within cache_lock and remove unnecessary INIT_LIST_HEAD() call and a default case from switch. Fixes: 600513dfeef3 ("drivers: qcom: rpmh: cache sleep/wake state requests") Signed-off-by: Maulik Shah Reviewed-by: Srinivas Rao L Reviewed-by: Evan Green Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1586703004-13674-3-git-send-email-mkshah@codeaurora.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 033f56f7d3d62cdbdb9f0874602181bb6d24348f Author: Jin Yao Date: Thu Apr 9 15:07:55 2020 +0800 perf stat: Zero all the 'ena' and 'run' array slot stats for interval mode commit 0e0bf1ea1147fcf74eab19c2d3c853cc3740a72f upstream. As the code comments in perf_stat_process_counter() say, we calculate counter's data every interval, and the display code shows ps->res_stats avg value. We need to zero the stats for interval mode. But the current code only zeros the res_stats[0], it doesn't zero the res_stats[1] and res_stats[2], which are for ena and run of counter. This patch zeros the whole res_stats[] for interval mode. Fixes: 51fd2df1e882 ("perf stat: Fix interval output values") Signed-off-by: Jin Yao Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jin Yao Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20200409070755.17261-1-yao.jin@linux.intel.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit c2e29cac6d89642e1090e10a706a8945f64e7855 Author: Bjorn Helgaas Date: Tue Apr 7 18:23:15 2020 -0500 PCI/PM: Call .bridge_d3() hook only if non-NULL commit c3aaf086701d05a82c8156ee8620af41e5a7d6fe upstream. 26ad34d510a8 ("PCI / ACPI: Whitelist D3 for more PCIe hotplug ports") added the struct pci_platform_pm_ops.bridge_d3() function pointer and platform_pci_bridge_d3() to use it. The .bridge_d3() op is implemented by acpi_pci_platform_pm, but not by mid_pci_platform_pm. We don't expect platform_pci_bridge_d3() to be called on Intel MID platforms, but nothing in the code itself would prevent that. Check the .bridge_d3() pointer for NULL before calling it. Fixes: 26ad34d510a8 ("PCI / ACPI: Whitelist D3 for more PCIe hotplug ports") Signed-off-by: Bjorn Helgaas Reviewed-by: Mika Westerberg Signed-off-by: Greg Kroah-Hartman commit d950d2e79f0fe7bbdbe7949e3a740e5dabf67532 Author: Tomer Tayar Date: Wed Apr 1 19:30:29 2020 +0300 habanalabs: Align protection bits configuration of all TPCs commit 79c823c57e69d9e584a5ee4ee6406eb3854393ae upstream. Align the protection bits configuration of all TPC cores to be as of TPC core 0. Fixes: a513f9a7eca5 ("habanalabs: make tpc registers secured") Signed-off-by: Tomer Tayar Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Greg Kroah-Hartman commit d79e57db45444a4ea9b334fde3fc581fa4846058 Author: John Johansen Date: Mon Mar 30 23:37:54 2020 -0700 apparmor: ensure that dfa state tables have entries commit c27c6bd2c4d6b6bb779f9b722d5607993e1d5e5c upstream. Currently it is possible to specify a state machine table with 0 length, this is not valid as optional tables are specified by not defining the table as present. Further this allows by-passing the base tables range check against the next/check tables. Fixes: d901d6a298dc ("apparmor: dfa split verification of table headers") Reported-by: Mike Salvatore Signed-off-by: John Johansen Signed-off-by: Greg Kroah-Hartman commit b7d9b78ab9015b691461bf99d4ef052813570c72 Author: Srinivas Kandagatla Date: Thu Mar 19 12:14:18 2020 +0000 soc: qcom: socinfo: add missing soc_id sysfs entry commit 27a344139c186889d742764d3c2a62b395949cef upstream. Looks like SoC ID is not exported to sysfs for some reason. This patch adds it! This is mostly used by userspace libraries like Snapdragon Neural Processing Engine (SNPE) SDK for checking supported SoC info. Fixes: efb448d0a3fc ("soc: qcom: Add socinfo driver") Reviewed-by: Stephen Boyd Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20200319121418.5180-1-srinivas.kandagatla@linaro.org Signed-off-by: Bjorn Andersson Signed-off-by: Greg Kroah-Hartman commit 8eeebe37c64e25b224d87dfe74d15ba00cec5504 Author: Sean Wang Date: Sun Mar 8 14:34:37 2020 +0800 arm: dts: mt7623: add phy-mode property for gmac2 commit ff5b89c2858f28006f9f9c0a88c55a679488192c upstream. Add phy-mode property required by phylink on gmac2 Fixes: b8fc9f30821e ("net: ethernet: mediatek: Add basic PHYLINK support") Signed-off-by: Sean Wang Link: https://lore.kernel.org/r/70e3eff31ecd500ed4862d9de28325a4dbd15105.1583648927.git.sean.wang@mediatek.com Signed-off-by: Matthias Brugger Signed-off-by: Greg Kroah-Hartman commit 742b79562142a6bb5dcab3e847caf5aa6471f996 Author: Kevin Buettner Date: Sat Jul 18 00:20:03 2020 -0700 copy_xstate_to_kernel: Fix typo which caused GDB regression commit 5714ee50bb4375bd586858ad800b1d9772847452 upstream. This fixes a regression encountered while running the gdb.base/corefile.exp test in GDB's test suite. In my testing, the typo prevented the sw_reserved field of struct fxregs_state from being output to the kernel XSAVES area. Thus the correct mask corresponding to XCR0 was not present in the core file for GDB to interrogate, resulting in the following behavior: [kev@f32-1 gdb]$ ./gdb -q testsuite/outputs/gdb.base/corefile/corefile testsuite/outputs/gdb.base/corefile/corefile.core Reading symbols from testsuite/outputs/gdb.base/corefile/corefile... [New LWP 232880] warning: Unexpected size of section `.reg-xstate/232880' in core file. With the typo fixed, the test works again as expected. Signed-off-by: Kevin Buettner Fixes: 9e4636545933 ("copy_xstate_to_kernel(): don't leave parts of destination uninitialized") Cc: Al Viro Cc: Dave Airlie Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 319c3c7980c7bf89287e39e3a4c799ea9e96af8b Author: Douglas Anderson Date: Wed Jul 15 16:46:15 2020 -0700 regmap: debugfs: Don't sleep while atomic for fast_io regmaps [ Upstream commit 299632e54b2e692d2830af84be51172480dc1e26 ] If a regmap has "fast_io" set then its lock function uses a spinlock. That doesn't work so well with the functions: * regmap_cache_only_write_file() * regmap_cache_bypass_write_file() Both of the above functions have the pattern: 1. Lock the regmap. 2. Call: debugfs_write_file_bool() copy_from_user() __might_fault() __might_sleep() Let's reorder things a bit so that we do all of our sleepable functions before we grab the lock. Fixes: d3dc5430d68f ("regmap: debugfs: Allow writes to cache state settings") Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20200715164611.1.I35b3533e8a80efde0cec1cc70f71e1e74b2fa0da@changeid Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f62d7f91afa21066404aae3031517c8c4310a9b6 Author: Wei Yongjun Date: Wed Jul 15 23:28:38 2020 +0100 keys: asymmetric: fix error return code in software_key_query() [ Upstream commit 6cbba1f9114a8134cff9138c79add15012fd52b9 ] Fix to return negative error code -ENOMEM from kmalloc() error handling case instead of 0, as done elsewhere in this function. Fixes: f1774cb8956a ("X.509: parse public key parameters from x509 for akcipher") Signed-off-by: Wei Yongjun Signed-off-by: David Howells Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit c5acd9395d4158ed320b4d27aa6afe8faf093d94 Author: Krzysztof Kozlowski Date: Mon Jun 29 10:16:29 2020 +0200 arm64: dts: spcfpga: Align GIC, NAND and UART nodenames with dtschema [ Upstream commit 681a5c71fb829fc2193e3bb524af41525477f5c3 ] Fix dtschema validator warnings like: intc@fffc1000: $nodename:0: 'intc@fffc1000' does not match '^interrupt-controller(@[0-9a-f,]+)*$' Fixes: 78cd6a9d8e15 ("arm64: dts: Add base stratix 10 dtsi") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit 2e224b5d314941509dd0219408d9bd692bf15e64 Author: Krzysztof Kozlowski Date: Fri Jun 26 10:06:02 2020 +0200 ARM: dts: socfpga: Align L2 cache-controller nodename with dtschema [ Upstream commit d7adfe5ffed9faa05f8926223086b101e14f700d ] Fix dtschema validator warnings like: l2-cache@fffff000: $nodename:0: 'l2-cache@fffff000' does not match '^(cache-controller|cpu)(@[0-9a-f,]+)*$' Fixes: 475dc86d08de ("arm: dts: socfpga: Add a base DTSI for Altera's Arria10 SOC") Signed-off-by: Krzysztof Kozlowski Signed-off-by: Dinh Nguyen Signed-off-by: Sasha Levin commit c8a4452da9f4b09c28d904f70247b097d4c14932 Author: Colin Ian King Date: Wed Jul 15 17:26:04 2020 +0100 xprtrdma: fix incorrect header size calculations [ Upstream commit 912288442cb2f431bf3c8cb097a5de83bc6dbac1 ] Currently the header size calculations are using an assignment operator instead of a += operator when accumulating the header size leading to incorrect sizes. Fix this by using the correct operator. Addresses-Coverity: ("Unused value") Fixes: 302d3deb2068 ("xprtrdma: Prevent inline overflow") Signed-off-by: Colin Ian King Reviewed-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit a75a8aabb2f44d22a03585de221a31499e06b736 Author: Enric Balletbo i Serra Date: Tue Jul 7 12:34:12 2020 +0200 Revert "thermal: mediatek: fix register index error" [ Upstream commit a8f62f183021be389561570ab5f8c701a5e70298 ] This reverts commit eb9aecd90d1a39601e91cd08b90d5fee51d321a6 The above patch is supposed to fix a register index error on mt2701. It is not clear if the problem solved is a hang or just an invalid value returned, my guess is the second. The patch introduces, though, a new hang on MT8173 device making them unusable. So, seems reasonable, revert the patch because introduces a worst issue. The reason I send a revert instead of trying to fix the issue for MT8173 is because the information needed to fix the issue is in the datasheet and is not public. So I am not really able to fix it. Fixes the following bug when CONFIG_MTK_THERMAL is set on MT8173 devices. [ 2.222488] Unable to handle kernel paging request at virtual address ffff8000125f5001 [ 2.230421] Mem abort info: [ 2.233207] ESR = 0x96000021 [ 2.236261] EC = 0x25: DABT (current EL), IL = 32 bits [ 2.241571] SET = 0, FnV = 0 [ 2.244623] EA = 0, S1PTW = 0 [ 2.247762] Data abort info: [ 2.250640] ISV = 0, ISS = 0x00000021 [ 2.254473] CM = 0, WnR = 0 [ 2.257544] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041850000 [ 2.264251] [ffff8000125f5001] pgd=000000013ffff003, pud=000000013fffe003, pmd=000000013fff9003, pte=006800001100b707 [ 2.274867] Internal error: Oops: 96000021 [#1] PREEMPT SMP [ 2.280432] Modules linked in: [ 2.283483] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.7.0-rc6+ #162 [ 2.289914] Hardware name: Google Elm (DT) [ 2.294003] pstate: 20000005 (nzCv daif -PAN -UAO) [ 2.298792] pc : mtk_read_temp+0xb8/0x1c8 [ 2.302793] lr : mtk_read_temp+0x7c/0x1c8 [ 2.306794] sp : ffff80001003b930 [ 2.310100] x29: ffff80001003b930 x28: 0000000000000000 [ 2.315404] x27: 0000000000000002 x26: ffff0000f9550b10 [ 2.320709] x25: ffff0000f9550a80 x24: 0000000000000090 [ 2.326014] x23: ffff80001003ba24 x22: 00000000610344c0 [ 2.331318] x21: 0000000000002710 x20: 00000000000001f4 [ 2.336622] x19: 0000000000030d40 x18: ffff800011742ec0 [ 2.341926] x17: 0000000000000001 x16: 0000000000000001 [ 2.347230] x15: ffffffffffffffff x14: ffffff0000000000 [ 2.352535] x13: ffffffffffffffff x12: 0000000000000028 [ 2.357839] x11: 0000000000000003 x10: ffff800011295ec8 [ 2.363143] x9 : 000000000000291b x8 : 0000000000000002 [ 2.368447] x7 : 00000000000000a8 x6 : 0000000000000004 [ 2.373751] x5 : 0000000000000000 x4 : ffff800011295cb0 [ 2.379055] x3 : 0000000000000002 x2 : ffff8000125f5001 [ 2.384359] x1 : 0000000000000001 x0 : ffff0000f9550a80 [ 2.389665] Call trace: [ 2.392105] mtk_read_temp+0xb8/0x1c8 [ 2.395760] of_thermal_get_temp+0x2c/0x40 [ 2.399849] thermal_zone_get_temp+0x78/0x160 [ 2.404198] thermal_zone_device_update.part.0+0x3c/0x1f8 [ 2.409589] thermal_zone_device_update+0x34/0x48 [ 2.414286] of_thermal_set_mode+0x58/0x88 [ 2.418375] thermal_zone_of_sensor_register+0x1a8/0x1d8 [ 2.423679] devm_thermal_zone_of_sensor_register+0x64/0xb0 [ 2.429242] mtk_thermal_probe+0x690/0x7d0 [ 2.433333] platform_drv_probe+0x5c/0xb0 [ 2.437335] really_probe+0xe4/0x448 [ 2.440901] driver_probe_device+0xe8/0x140 [ 2.445077] device_driver_attach+0x7c/0x88 [ 2.449252] __driver_attach+0xac/0x178 [ 2.453082] bus_for_each_dev+0x78/0xc8 [ 2.456909] driver_attach+0x2c/0x38 [ 2.460476] bus_add_driver+0x14c/0x230 [ 2.464304] driver_register+0x6c/0x128 [ 2.468131] __platform_driver_register+0x50/0x60 [ 2.472831] mtk_thermal_driver_init+0x24/0x30 [ 2.477268] do_one_initcall+0x50/0x298 [ 2.481098] kernel_init_freeable+0x1ec/0x264 [ 2.485450] kernel_init+0x1c/0x110 [ 2.488931] ret_from_fork+0x10/0x1c [ 2.492502] Code: f9401081 f9400402 b8a67821 8b010042 (b9400042) [ 2.498599] ---[ end trace e43e3105ed27dc99 ]--- [ 2.503367] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b [ 2.511020] SMP: stopping secondary CPUs [ 2.514941] Kernel Offset: disabled [ 2.518421] CPU features: 0x090002,25006005 [ 2.522595] Memory Limit: none [ 2.525644] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b ]-- Cc: Michael Kao Fixes: eb9aecd90d1a ("thermal: mediatek: fix register index error") Signed-off-by: Enric Balletbo i Serra Reviewed-by: Matthias Brugger Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/20200707103412.1010823-1-enric.balletbo@collabora.com Signed-off-by: Sasha Levin commit cc3188b3bab25391eb345dfd5f2b3e8715bef93c Author: dillon min Date: Tue Jul 14 14:35:07 2020 +0800 ARM: dts: Fix dcan driver probe failed on am437x platform [ Upstream commit 2a4117df9b436a0e4c79d211284ab2097bcd00dc ] Got following d_can probe errors with kernel 5.8-rc1 on am437x [ 10.730822] CAN device driver interface Starting Wait for Network to be Configured... [ OK ] Reached target Network. [ 10.787363] c_can_platform 481cc000.can: probe failed [ 10.792484] c_can_platform: probe of 481cc000.can failed with error -2 [ 10.799457] c_can_platform 481d0000.can: probe failed [ 10.804617] c_can_platform: probe of 481d0000.can failed with error -2 actually, Tony has fixed this issue on am335x with the patch [3] Since am437x has the same clock structure with am335x [1][2], so reuse the code from Tony Lindgren's patch [3] to fix it. [1]: https://www.ti.com/lit/pdf/spruh73 Chapter-23, Figure 23-1. DCAN Integration [2]: https://www.ti.com/lit/pdf/spruhl7 Chapter-25, Figure 25-1. DCAN Integration [3]: commit 516f1117d0fb ("ARM: dts: Configure osc clock for d_can on am335x") Fixes: 1a5cd7c23cc5 ("bus: ti-sysc: Enable all clocks directly during init to read revision") Signed-off-by: dillon min [tony@atomide.com: aligned commit message a bit for readability] Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 408ef501b894e94581c62e4d9aea18589786ddbb Author: Vasily Averin Date: Thu Jun 25 12:39:51 2020 +0300 fuse: don't ignore errors from fuse_writepages_fill() [ Upstream commit 7779b047a57f6824a43d0e1f70de2741b7426b9d ] fuse_writepages() ignores some errors taken from fuse_writepages_fill() I believe it is a bug: if .writepages is called with WB_SYNC_ALL it should either guarantee that all data was successfully saved or return error. Fixes: 26d614df1da9 ("fuse: Implement writepages callback") Signed-off-by: Vasily Averin Signed-off-by: Miklos Szeredi Signed-off-by: Sasha Levin commit 9b810684b1da7bda726e55bdc2a48af223dc5f83 Author: Anna Schumaker Date: Wed Jul 8 10:33:40 2020 -0400 NFS: Fix interrupted slots by sending a solo SEQUENCE operation [ Upstream commit 913fadc5b105c3619d9e8d0fe8899ff1593cc737 ] We used to do this before 3453d5708b33, but this was changed to better handle the NFS4ERR_SEQ_MISORDERED error code. This commit fixed the slot re-use case when the server doesn't receive the interrupted operation, but if the server does receive the operation then it could still end up replying to the client with mis-matched operations from the reply cache. We can fix this by sending a SEQUENCE to the server while recovering from a SEQ_MISORDERED error when we detect that we are in an interrupted slot situation. Fixes: 3453d5708b33 (NFSv4.1: Avoid false retries when RPC calls are interrupted) Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit dc92d84b371fea777937b168e442b7bbb89b9b8f Author: Eddie James Date: Thu Jul 9 14:57:05 2020 -0500 clk: AST2600: Add mux for EMMC clock [ Upstream commit c2407ab3bd55064d459bc822efd1c134e852798c ] The EMMC clock can be derived from either the HPLL or the MPLL. Register a clock mux so that the rate is calculated correctly based upon the parent. Signed-off-by: Eddie James Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20200709195706.12741-2-eajames@linux.ibm.com Acked-by: Joel Stanley Fixes: d3d04f6c330a ("clk: Add support for AST2600 SoC") Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 0392f18139aa97bbb9d2035a4e2898ef52d9d8df Author: Nathan Chancellor Date: Wed Jul 1 13:11:29 2020 -0700 clk: mvebu: ARMADA_AP_CPU_CLK needs to select ARMADA_AP_CP_HELPER [ Upstream commit 8e3709d7e3a67e2d3f42bd1fc2052353a5678944 ] When building arm32 allmodconfig: ld.lld: error: undefined symbol: ap_cp_unique_name >>> referenced by ap-cpu-clk.c >>> clk/mvebu/ap-cpu-clk.o:(ap_cpu_clock_probe) in archive drivers/built-in.a ap_cp_unique_name is only compiled into the kernel image when CONFIG_ARMADA_AP_CP_HELPER is selected (as it is not user selectable). However, CONFIG_ARMADA_AP_CPU_CLK does not select it. This has been a problem since the driver was added to the kernel but it was not built before commit c318ea261749 ("cpufreq: ap806: fix cpufreq driver needs ap cpu clk") so it was never noticed. Fixes: f756e362d938 ("clk: mvebu: add CPU clock driver for Armada 7K/8K") Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20200701201128.2448427-1-natechancellor@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 36e6ac265fc05d113b38b46e0d06fee446f92403 Author: Dan Carpenter Date: Thu Jul 9 13:29:36 2020 +0300 staging: comedi: verify array index is correct before using it [ Upstream commit ef75e14a6c935eec82abac07ab68e388514e39bc ] This code reads from the array before verifying that "trig" is a valid index. If the index is wildly out of bounds then reading from an invalid address could lead to an Oops. Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions") Signed-off-by: Dan Carpenter Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/20200709102936.GA20875@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 62013d49bcf6be22dfed33e4e5bb94a3612c95ed Author: Michał Mirosław Date: Thu May 28 20:35:54 2020 +0200 usb: gadget: udc: atmel: fix uninitialized read in debug printk [ Upstream commit 30517ffeb3bff842e1355cbc32f1959d9dbb5414 ] Fixed commit moved the assignment of 'req', but did not update a reference in the DBG() call. Use the argument as it was renamed. Fixes: 5fb694f96e7c ("usb: gadget: udc: atmel: fix possible oops when unloading module") Signed-off-by: Michał Mirosław Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit e435865c783f5058670cca4b4fe8ae307596b3d7 Author: Marc Kleine-Budde Date: Mon Jul 6 16:34:34 2020 +0200 spi: spi-sun6i: sun6i_spi_transfer_one(): fix setting of clock rate [ Upstream commit ed7815db70d17b1741883f2da8e1d80bc2efe517 ] A SPI transfer defines the _maximum_ speed of the SPI transfer. However the driver doesn't take into account that the clock divider is always rounded down (due to integer arithmetics). This results in a too high clock rate for the SPI transfer. E.g.: with a mclk_rate of 24 MHz and a SPI transfer speed of 10 MHz, the original code calculates a reg of "0", which results in a effective divider of "2" and a 12 MHz clock for the SPI transfer. This patch fixes the issue by using DIV_ROUND_UP() instead of a plain integer division. While there simplify the divider calculation for the CDR1 case, use order_base_2() instead of two ilog2() calculations. Fixes: 3558fe900e8a ("spi: sunxi: Add Allwinner A31 SPI controller driver") Signed-off-by: Marc Kleine-Budde Acked-by: Maxime Ripard Link: https://lore.kernel.org/r/20200706143443.9855-2-mkl@pengutronix.de Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f979982feb0388ecb1f99760a68903c9d20714cf Author: Peter Ujfalusi Date: Wed Jul 1 13:12:25 2020 +0300 dmaengine: dmatest: stop completed threads when running without set channel [ Upstream commit fd17d1abce426b4224a916a242b57be94272771b ] The completed threads were not cleared and consequent run would result threads accumulating: echo 800000 > /sys/module/dmatest/parameters/test_buf_size echo 2000 > /sys/module/dmatest/parameters/timeout echo 50 > /sys/module/dmatest/parameters/iterations echo 1 > /sys/module/dmatest/parameters/max_channels echo "" > /sys/module/dmatest/parameters/channel [ 237.507265] dmatest: Added 1 threads using dma1chan2 echo 1 > /sys/module/dmatest/parameters/run [ 244.713360] dmatest: Started 1 threads using dma1chan2 [ 246.117680] dmatest: dma1chan2-copy0: summary 50 tests, 0 failures 2437.47 iops 977623 KB/s (0) echo 1 > /sys/module/dmatest/parameters/run [ 292.381471] dmatest: No channels configured, continue with any [ 292.389307] dmatest: Added 1 threads using dma1chan3 [ 292.394302] dmatest: Started 1 threads using dma1chan2 [ 292.399454] dmatest: Started 1 threads using dma1chan3 [ 293.800835] dmatest: dma1chan3-copy0: summary 50 tests, 0 failures 2624.53 iops 975014 KB/s (0) echo 1 > /sys/module/dmatest/parameters/run [ 307.301429] dmatest: No channels configured, continue with any [ 307.309212] dmatest: Added 1 threads using dma1chan4 [ 307.314197] dmatest: Started 1 threads using dma1chan2 [ 307.319343] dmatest: Started 1 threads using dma1chan3 [ 307.324492] dmatest: Started 1 threads using dma1chan4 [ 308.730773] dmatest: dma1chan4-copy0: summary 50 tests, 0 failures 2390.28 iops 965436 KB/s (0) Fixes: 6b41030fdc79 ("dmaengine: dmatest: Restore default for channel") Reported-by: Grygorii Strashko Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200701101225.8607-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit e6b46f01d9951bce04ec87b8df92ee8bb48802cb Author: Andy Shevchenko Date: Sun Jul 5 14:56:20 2020 +0300 dmaengine: dw: Initialize channel before each transfer [ Upstream commit 99ba8b9b0d9780e9937eb1d488d120e9e5c2533d ] In some cases DMA can be used only with a consumer which does runtime power management and on the platforms, that have DMA auto power gating logic (see comments in the drivers/acpi/acpi_lpss.c), may result in DMA losing its context. Simple mitigation of this issue is to initialize channel each time the consumer initiates a transfer. Fixes: cfdf5b6cc598 ("dw_dmac: add support for Lynxpoint DMA controllers") Reported-by: Tsuchiya Yuto Signed-off-by: Andy Shevchenko Acked-by: Viresh Kumar BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=206403 Link: https://lore.kernel.org/r/20200705115620.51929-1-andriy.shevchenko@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit a6fe5dde5343d429271f8ac5bf17875e6bc3463c Author: Christophe JAILLET Date: Sun May 17 11:59:53 2020 +0200 iio: adc: ad7780: Fix a resource handling path in 'ad7780_probe()' [ Upstream commit b0536f9826a5ed3328d527b4fc1686867a9f3041 ] If 'ad7780_init_gpios()' fails, we must not release some resources that have not been allocated yet. Return directly instead. Fixes: 5bb30e7daf00 ("staging: iio: ad7780: move regulator to after GPIO init") Fixes: 9085daa4abcc ("staging: iio: ad7780: add gain & filter gpio support") Signed-off-by: Christophe JAILLET Acked-by: Renato Lui Geh Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 28be430bbf13084539c59feb12e8f0d33b044f99 Author: Tony Lindgren Date: Thu Jul 2 13:57:14 2020 -0700 bus: ti-sysc: Do not disable on suspend for no-idle [ Upstream commit a55de412228cc5a2b4bf8d2a09849898102633e2 ] If we have "ti,no-idle" specified for a module we must not disable the the module on suspend to keep things backwards compatible. Fixes: 386cb76681ca ("bus: ti-sysc: Handle missed no-idle property in addition to no-idle-on-init") Reported-by: Grygorii Strashko Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 47ba42786d14d1b3ff0b3a0e631e45db7475aa3d Author: Tony Lindgren Date: Thu Jul 2 10:41:02 2020 -0700 bus: ti-sysc: Fix sleeping function called from invalid context for RTC quirk [ Upstream commit afe6f1eeb08f85e57f0a02b71efb5a0839606aac ] With CONFIG_DEBUG_ATOMIC_SLEEP enabled we can see the following with RTC probe: BUG: sleeping function called from invalid context at drivers/bus/ti-sysc.c:1736 ... (sysc_quirk_rtc) from [] (sysc_write_sysconfig+0x1c/0x60) (sysc_write_sysconfig) from [] (sysc_enable_module+0x11c/0x274) (sysc_enable_module) from [] (sysc_probe+0xe9c/0x1380) (sysc_probe) from [] (platform_drv_probe+0x48/0x98) Fixes: e8639e1c986a ("bus: ti-sysc: Handle module unlock quirk needed for some RTC") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 5a23897f7a411f32d531ac52cfbf46e39f137e87 Author: Tony Lindgren Date: Thu Jul 2 10:44:20 2020 -0700 bus: ti-sysc: Fix wakeirq sleeping function called from invalid context [ Upstream commit 9f9113925018d500a95df539014d9ff11ac2c02d ] With CONFIG_DEBUG_ATOMIC_SLEEP enabled we can see the following with wakeirqs and serial console idled: BUG: sleeping function called from invalid context at drivers/bus/ti-sysc.c:242 ... (sysc_wait_softreset) from [] (sysc_enable_module+0x48/0x274) (sysc_enable_module) from [] (sysc_runtime_resume+0x19c/0x1d8) (sysc_runtime_resume) from [] (sysc_child_runtime_resume+0x58/0x84) (sysc_child_runtime_resume) from [] (__rpm_callback+0x30/0x12c) (__rpm_callback) from [] (rpm_callback+0x20/0x80) (rpm_callback) from [] (rpm_resume+0x638/0x7fc) (rpm_resume) from [] (__pm_runtime_resume+0x60/0x9c) (__pm_runtime_resume) from [] (handle_threaded_wake_irq+0x24/0x60) (handle_threaded_wake_irq) from [] (irq_thread_fn+0x1c/0x78) (irq_thread_fn) from [] (irq_thread+0x140/0x26c) We have __pm_runtime_resume() call the sysc_runtime_resume() with spinlock held and interrupts disabled. Fixes: d46f9fbec719 ("bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit") Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit b2c7d6ce2d5e0ec37f09a7c0f329d4684c5a8783 Author: Neil Armstrong Date: Thu Jun 18 15:27:37 2020 +0200 arm64: dts: meson-gxl-s805x: reduce initial Mali450 core frequency [ Upstream commit b2037dafcf082cd24b88ae9283af628235df36e1 ] When starting at 744MHz, the Mali 450 core crashes on S805X based boards: lima d00c0000.gpu: IRQ ppmmu3 not found lima d00c0000.gpu: IRQ ppmmu4 not found lima d00c0000.gpu: IRQ ppmmu5 not found lima d00c0000.gpu: IRQ ppmmu6 not found lima d00c0000.gpu: IRQ ppmmu7 not found Internal error: synchronous external abort: 96000210 [#1] PREEMPT SMP Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.7.2+ #492 Hardware name: Libre Computer AML-S805X-AC (DT) pstate: 40000005 (nZcv daif -PAN -UAO) pc : lima_gp_init+0x28/0x188 ... Call trace: lima_gp_init+0x28/0x188 lima_device_init+0x334/0x534 lima_pdev_probe+0xa4/0xe4 ... Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b Reverting to a safer 666Mhz frequency on the S805X that doesn't use the GP0 PLL makes it more stable. Fixes: fd47716479f5 ("ARM64: dts: add S805X based P241 board") Fixes: 0449b8e371ac ("arm64: dts: meson: add libretech aml-s805x-ac board") Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Link: https://lore.kernel.org/r/20200618132737.14243-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit cbd8c92a8d51f91bcf3f01963535ee913ccf609e Author: Jerome Brunet Date: Wed Jun 17 14:53:46 2020 +0200 arm64: dts: meson: add missing gxl rng clock [ Upstream commit 95ca6f06dd4827ff63be5154120c7a8511cd9a41 ] The peripheral clock of the RNG is missing for gxl while it is present for gxbb. Fixes: 1b3f6d148692 ("ARM64: dts: meson-gx: add clock CLKID_RNG0 to hwrng node") Signed-off-by: Jerome Brunet Signed-off-by: Kevin Hilman Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20200617125346.1163527-1-jbrunet@baylibre.com Signed-off-by: Sasha Levin commit 1d08f59081e59cadbf9189faa2aa6ff3c71e4ec1 Author: Colin Ian King Date: Thu Jun 25 13:44:28 2020 +0100 phy: sun4i-usb: fix dereference of pointer phy0 before it is null checked [ Upstream commit 38b1927e5bf9bcad4a2e33189ef1c5569f9599ba ] Currently pointer phy0 is being dereferenced via the assignment of phy on the call to phy_get_drvdata before phy0 is null checked, this can lead to a null pointer dereference. Fix this by performing the null check on phy0 before the call to phy_get_drvdata. Also replace the phy0 == NULL check with the more usual !phy0 idiom. Addresses-Coverity: ("Dereference before null check") Fixes: e6f32efb1b12 ("phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20200625124428.83564-1-colin.king@canonical.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 684a5568df11e4206a30857390e4824ac829264d Author: Yoshihiro Shimoda Date: Thu Jun 18 21:07:33 2020 +0900 dmaengine: sh: usb-dmac: set tx_result parameters [ Upstream commit 466257d9968ac79575831250b039dc07566c7b13 ] A client driver (renesas_usbhs) assumed that dmaengine_tx_status() could return the residue even if the transfer was completed. However, this was not correct usage [1] and this caused to break getting the residue after the commit 24461d9792c2 ("dmaengine: virt-dma: Fix access after free in vchan_complete()") actually. So, this is possible to get wrong received size if the usb controller gets a short packet. For example, g_zero driver causes "bad OUT byte" errors. To use the tx_result from the renesas_usbhs driver when the transfer is completed, set the tx_result parameters. Notes that the renesas_usbhs driver needs to update for it. [1] https://lore.kernel.org/dmaengine/20200616165550.GP2324254@vkoul-mobl/ Reported-by: Hien Dang Fixes: 24461d9792c2 ("dmaengine: virt-dma: Fix access after free in vchan_complete()") Signed-off-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/1592482053-19433-1-git-send-email-yoshihiro.shimoda.uh@renesas.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f5c6ebd5146eb9bea0da8856d96174be87da8459 Author: Pierre-Louis Bossart Date: Wed Jun 17 11:35:36 2020 -0500 soundwire: intel: fix memory leak with devm_kasprintf [ Upstream commit bf6d6e68d2028a2d82f4c106f50ec75cc1e6ef89 ] The dais are allocated with devm_kcalloc() but their name isn't resourced managed and never freed. Fix by also using devm_ for the dai names as well. Fixes: c46302ec554c5 ('soundwire: intel: Add audio DAI ops') Signed-off-by: Pierre-Louis Bossart Reviewed-by: Daniel Baluta Reviewed-by: Kai Vehmanen Reviewed-by: Rander Wang Reviewed-by: Guennadi Liakhovetski Reviewed-by: Bard Liao Link: https://lore.kernel.org/r/20200617163536.17401-1-pierre-louis.bossart@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 7005a4885a29602ca4fc85ea12d31640a5b6b528 Author: Jonathan Cameron Date: Sun May 17 18:29:57 2020 +0100 iio:health:afe4404 Fix timestamp alignment and prevent data leak. [ Upstream commit f88ecccac4be348bbcc6d056bdbc622a8955c04d ] One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 40 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 87aec56e27ef ("iio: health: Add driver for the TI AFE4404 heart monitor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Andrew F. Davis Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit ba3788d243cfa624e8b19afaa67abb33e0e54882 Author: Christoffer Nielsen Date: Fri Jun 19 13:48:22 2020 +0200 ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Flight S [ Upstream commit 73094608b8e214952444fb104651704c98a37aeb ] Similar to the Kingston HyperX AMP, the Kingston HyperX Cloud Alpha S (0951:0x16ea) uses two interfaces, but only the second interface contains the capture stream. This patch delays the registration until the second interface appears. Signed-off-by: Christoffer Nielsen Cc: Link: https://lore.kernel.org/r/CAOtG2YHOM3zy+ed9KS-J4HkZo_QGzcUG9MigSp4e4_-13r6B=Q@mail.gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1510d8ab7bc94ff04d51c31922c9782a78c6392b Author: Tony Lindgren Date: Sun May 31 12:37:54 2020 -0700 bus: ti-sysc: Use optional clocks on for enable and wait for softreset bit [ Upstream commit d46f9fbec71997420e4fb83c04d9affdf423f879 ] Some modules reset automatically when idled, and when re-enabled, we must wait for the automatic OCP softreset to complete. And if optional clocks are configured, we need to keep the clocks on while waiting for the reset to complete. Let's fix the issue by moving the OCP softreset code to a separate function sysc_wait_softreset(), and call it also from sysc_enable_module() with the optional clocks enabled. This is based on what we're already doing for legacy platform data booting in _enable_sysc(). Fixes: 7324a7a0d5e2 ("bus: ti-sysc: Implement display subsystem reset quirk") Reported-by: Faiz Abbas Cc: Laurent Pinchart Cc: Tomi Valkeinen Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 7637bba4c621017424c03a6ea52aec7460fbdbd0 Author: Paul Menzel Date: Fri May 22 14:22:28 2020 +0200 ACPI: video: Use native backlight on Acer TravelMate 5735Z [ Upstream commit c41c36e900a337b4132b12ccabc97f5578248b44 ] Currently, changing the brightness of the internal display of the Acer TravelMate 5735Z does not work. Pressing the function keys or changing the slider, GNOME Shell 3.36.2 displays the OSD (five steps), but the brightness does not change. The Acer TravelMate 5735Z shipped with Windows 7 and as such does not trigger our "win8 ready" heuristic for preferring the native backlight interface. Still ACPI backlight control doesn't work on this model, where as the native (intel_video) backlight interface does work by adding `acpi_backlight=native` or `acpi_backlight=none` to Linux’ command line. So, add a quirk to force using native backlight control on this model. Link: https://bugzilla.kernel.org/show_bug.cgi?id=207835 Reviewed-by: Hans de Goede Signed-off-by: Paul Menzel Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0a330aa202c936eaf5ea16470396b1936e154015 Author: Stephan Gerhold Date: Sat Apr 25 13:06:31 2020 -0700 Input: mms114 - add extra compatible for mms345l [ Upstream commit 7842087b0196d674ed877d768de8f2a34d7fdc53 ] MMS345L is another first generation touch screen from Melfas, which uses mostly the same registers as MMS152. However, there is some garbage printed during initialization. Apparently MMS345L does not have the MMS152_COMPAT_GROUP register that is read+printed during initialization. TSP FW Rev: bootloader 0x6 / core 0x26 / config 0x26, Compat group: \x06 On earlier kernel versions the compat group was actually printed as an ASCII control character, seems like it gets escaped now. But we probably shouldn't print something from a random register. Add a separate "melfas,mms345l" compatible that avoids reading from the MMS152_COMPAT_GROUP register. This might also help in case there is some other device-specific quirk in the future. Signed-off-by: Stephan Gerhold Reviewed-by: Andi Shyti Link: https://lore.kernel.org/r/20200423102431.2715-1-stephan@gerhold.net Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 75ff2767e85c0bd50524856fb7da1e1f07c52dbd Author: Gregor Pintar Date: Mon Apr 20 23:40:30 2020 +0200 ALSA: usb-audio: Add quirk for Focusrite Scarlett 2i2 [ Upstream commit 6f4ea2074ddf689ac6f892afa58515032dabf2e4 ] Force it to use asynchronous playback. Same quirk has already been added for Focusrite Scarlett Solo (2nd gen) with a commit 46f5710f0b88 ("ALSA: usb-audio: Add quirk for Focusrite Scarlett Solo"). This also seems to prevent regular clicks when playing at 44100Hz on Scarlett 2i2 (2nd gen). I did not notice any side effects. Moved both quirks to snd_usb_audioformat_attributes_quirk() as suggested. Signed-off-by: Gregor Pintar Reviewed-by: Alexander Tsoy Link: https://lore.kernel.org/r/20200420214030.2361-1-grpintar@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 695fcb612bf1e8c6c61d6b372b0ea6c5d7514ec0 Author: Emmanuel Pescosta Date: Sat Apr 4 17:38:43 2020 +0200 ALSA: usb-audio: Add registration quirk for Kingston HyperX Cloud Alpha S [ Upstream commit fd60e0683e8e9107e09cd2e4798f3e27e85d2705 ] Similar to the Kingston HyperX AMP, the Kingston HyperX Cloud Alpha S (0951:16d8) uses two interfaces, but only the second interface contains the capture stream. This patch delays the registration until the second interface appears. Signed-off-by: Emmanuel Pescosta Link: https://lore.kernel.org/r/20200404153843.9288-1-emmanuelpescosta099@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 18f2cbb28730a31571e91128ea1bbc85774a0e89 Author: Hans de Goede Date: Tue Mar 31 14:36:23 2020 +0200 ACPI: video: Use native backlight on Acer Aspire 5783z [ Upstream commit 1c8fbc1f9bfb804ef2f0d4ee9397ab800e33f23a ] The Acer Aspire 5783z shipped with Windows 7 and as such does not trigger our "win8 ready" heuristic for prefering the native backlight interface. Still ACPI backlight control doesn't work on this model, where as the native (intel_video) backlight interface does work. Add a quirk to force using native backlight control on this model. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit dc1e4db658a6597a377397d4ce6f34cbbaa031b5 Author: Takashi Iwai Date: Wed Mar 25 11:33:19 2020 +0100 ALSA: usb-audio: Rewrite registration quirk handling [ Upstream commit d8695bc5b1fe88305396b1f788d3b5f218e28a30 ] A slight refactoring of the registration quirk code. Now it uses the table lookup for easy additions in future. Also the return type was changed to bool, and got a few more comments. Link: https://lore.kernel.org/r/20200325103322.2508-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 592b179fa1492b53554a405924db0669c00548be Author: Haibo Chen Date: Wed Feb 19 16:22:40 2020 +0800 mmc: sdhci: do not enable card detect interrupt for gpio cd type [ Upstream commit e65bb38824711559844ba932132f417bc5a355e2 ] Except SDHCI_QUIRK_BROKEN_CARD_DETECTION and MMC_CAP_NONREMOVABLE, we also do not need to handle controller native card detect interrupt for gpio cd type. If we wrong enabled the card detect interrupt for gpio case, it will cause a lot of unexpected card detect interrupts during data transfer which should not happen. Signed-off-by: Haibo Chen Acked-by: Adrian Hunter Reviewed-by: Linus Walleij Link: https://lore.kernel.org/r/1582100563-20555-2-git-send-email-haibo.chen@nxp.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit e60b02922876b4db2856c1c7e72f87b57e183ae8 Author: Neil Armstrong Date: Fri Feb 21 10:15:30 2020 +0100 doc: dt: bindings: usb: dwc3: Update entries for disabling SS instances in park mode [ Upstream commit 3d157c28d2289edf0439e8308e8de3a06acaaf0e ] This patch updates the documentation with the information related to the quirks that needs to be added for disabling all SuperSpeed XHCI instances in park mode. Cc: Dongjin Kim Cc: Jianxin Pan Cc: Thinh Nguyen Cc: Jun Li Reported-by: Tim Signed-off-by: Neil Armstrong Acked-by: Rob Herring Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 54100aa32f66ca6307e8789561e65b144ad9b0c9 Author: Chris Wulff Date: Sat Mar 14 12:54:49 2020 -0400 ALSA: usb-audio: Create a registration quirk for Kingston HyperX Amp (0951:16d8) [ Upstream commit 55f7326170d9e83e2d828591938e1101982a679c ] Create a quirk that allows special processing and/or skipping the call to snd_card_register. For HyperX AMP, which uses two interfaces, but only has a capture stream in the second, this allows the capture stream to merge with the first PCM. Signed-off-by: Chris Wulff Link: https://lore.kernel.org/r/20200314165449.4086-3-crwulff@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 35aef79e81a14ecc280374911344ab02016fd286 Author: Sergei A. Trusov Date: Thu Mar 5 19:53:06 2020 -0800 Input: goodix - fix touch coordinates on Cube I15-TC [ Upstream commit 1dd5ddc125b4625c3beb8e644ae872445d739bbc ] The touchscreen on the Cube I15-TC don't match the default display, with 0,0 touches being reported when touching at the top-right of the screen. Add a quirk to invert the x coordinate. Reported-and-tested-by: Arkadiy Signed-off-by: Sergei A. Trusov Reviewed-by: Bastien Nocera Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 9c16b5e8b5d94931cadc2dcd17a9204f273fca6d Author: Alexander Tsoy Date: Sat Feb 29 18:18:15 2020 +0300 ALSA: usb-audio: Add support for MOTU MicroBook IIc [ Upstream commit 2edb84e3047b93da2f2b234219cdc304df042d9e ] MicroBook IIc operates in UAC2 mode by default. This patch addresses several issues with it: - MicroBook II and IIc shares the same USB ID. We can distinguish them by interface class. - MaxPacketsOnly attribute is erroneously set in endpoint descriptors. As a result this card produces noise with all sample rates other than 96 KHz. This also causes issues like IOMMU page faults and other problems with host controller. - Sample rate changes takes more than 2 seconds for this device. Clock validity request returns false during that period, so the clock validity quirk is required. Signed-off-by: Alexander Tsoy Link: https://lore.kernel.org/r/20200229151815.14199-1-alexander@tsoy.me Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d70a6425a6e2a3d515bce9334e79cd32417a1572 Author: Tony Lindgren Date: Tue Mar 3 09:31:00 2020 -0800 bus: ti-sysc: Detect EDMA and set quirk flags for tptc [ Upstream commit 25bfaaa73c7d26a6e897559c510d7daff5e9d22d ] In order to probe EDMA with ti-sysc interconnect target module and with device tree data, we need to properly detect EDMA and set the flags for SYSC_QUIRK_SWSUP_SIDLE | SYSC_QUIRK_SWSUP_MSTANDBY for tptc. We have these flags currently set for am4 and dra7, but not for am335x. Let's set them for all the SoCs as the tptc module should behave the same for all of them. It's likely that am335x was never tested to idle EDMA tptc. Cc: Peter Ujfalusi Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit d09e12709acd7dddfaddfb37d75215effbe425cf Author: Neil Armstrong Date: Fri Feb 21 10:15:32 2020 +0100 arm64: dts: g12-common: add parkmode_disable_ss_quirk on DWC3 controller [ Upstream commit a81bcfb6ac20cdd2e8dec3da14c8bbe1d18f6321 ] When high load on the DWC3 SuperSpeed port, the controller crashes with: [ 221.141621] xhci-hcd xhci-hcd.0.auto: xHCI host not responding to stop endpoint command. [ 221.157631] xhci-hcd xhci-hcd.0.auto: Host halt failed, -110 [ 221.157635] xhci-hcd xhci-hcd.0.auto: xHCI host controller not responding, assume dead [ 221.159901] xhci-hcd xhci-hcd.0.auto: xHCI host not responding to stop endpoint command. [ 221.159961] hub 2-1.1:1.0: hub_ext_port_status failed (err = -22) [ 221.160076] xhci-hcd xhci-hcd.0.auto: HC died; cleaning up [ 221.165946] usb 2-1.1-port1: cannot reset (err = -22) Setting the parkmode_disable_ss_quirk quirk fixes the issue. Reported-by: Tim Signed-off-by: Neil Armstrong Signed-off-by: Kevin Hilman Cc: Jianxin Pan CC: Dongjin Kim Link: https://lore.kernel.org/r/20200221091532.8142-4-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit 234021eaddcb860d6705a51b5f7fa631c05d644d Author: Tony Lindgren Date: Mon Feb 24 12:58:03 2020 -0800 bus: ti-sysc: Detect display subsystem related devices [ Upstream commit 77dfece2e6d8bedb6ecd4d61379ae3dc52f389bd ] In order to prepare probing display subsystem (DSS) with ti-sysc interconnect target module driver and device tree data, let's detect DSS related modules. We need to also add reset quirk handling for DSS, but until that's done, let's just enable the optional clock quirks for DSS and omap4 HDMI. The rest is just naming of modules if CONFIG_DEBUG is set. Cc: Jyri Sarha Cc: Laurent Pinchart Cc: Tomi Valkeinen Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit e7e98dd42aaec713e1208b853bfaed35a73bb0a1 Author: Tony Lindgren Date: Mon Feb 24 12:58:03 2020 -0800 bus: ti-sysc: Handle module unlock quirk needed for some RTC [ Upstream commit e8639e1c986a8a9d0f94549170f6db579376c3ae ] The RTC modules on am3 and am4 need quirk handling to unlock and lock them for reset so let's add the quirk handling based on what we already have for legacy platform data. In later patches we will simply drop the RTC related platform data and the old quirk handling. Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit e2c37939a79525c6db47a1590eb73882b8577752 Author: Tony Lindgren Date: Mon Feb 24 12:58:03 2020 -0800 bus: ti-sysc: Consider non-existing registers too when matching quirks [ Upstream commit 590e15c76f1231329d1543570a54058dba2e4ff6 ] We are currently setting -1 for non-existing sysconfig related registers for quirks, but setting -ENODEV elsewhere. And for matching the quirks, we're now just ignoring the non-existing registers. This will cause issues with misdetecting DSS registers as the hardware revision numbers can have duplicates. To avoid this, let's standardize on using -ENODEV also for the quirks instead of -1. That way we can always just test for a match without adding any more complicated logic. Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit f7280837df83461eafcb6f6afc96e4e5fabbb8b3 Author: Tony Lindgren Date: Mon Feb 24 12:58:03 2020 -0800 bus: ti-sysc: Rename clk related quirks to pre_reset and post_reset quirks [ Upstream commit e64c021fd92467e34b9d970a651bcaa8f326f3f2 ] The clk_disable_quirk and clk_enable_quirk should really be called pre_reset_quirk and post_reset_quirk to avoid confusion like we had with hdq1w reset. Let's also rename the related functions so the code is easier to follow. Note that we also have reset_done_quirk that is needed in some cases after checking the separate register for reset done bit. Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 69fbdbb4fa0cbaf95b7f464d62f34cb4c3b2cab9 Author: Diego Elio Pettenò Date: Sun Feb 23 19:11:44 2020 +0000 scsi: sr: remove references to BLK_DEV_SR_VENDOR, leave it enabled [ Upstream commit 679b2ec8e060ca7a90441aff5e7d384720a41b76 ] This kernel configuration is basically enabling/disabling sr driver quirks detection. While these quirks are for fairly rare devices (very old CD burners, and a glucometer), the additional detection of these models is a very minimal amount of code. The logic behind the quirks is always built into the sr driver. This also removes the config from all the defconfig files that are enabling this already. Link: https://lore.kernel.org/r/20200223191144.726-1-flameeyes@flameeyes.com Reviewed-by: Jens Axboe Signed-off-by: Diego Elio Pettenò Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 23a609417361875d72c0cc3399fe7b20428681b8 Author: Andrey Lebedev Date: Wed Feb 19 20:08:55 2020 +0200 drm/sun4i: tcon: Separate quirks for tcon0 and tcon1 on A20 [ Upstream commit cd0ecabdc953397ed0378022b3b90e0c0871c2eb ] Timing controllers on A20 are not equivalent: tcon0 on A20 supports LVDS output and tcon1 does not. Separate the capabilities by introducing independent set of quirks for each of the tcons. Signed-off-by: Andrey Lebedev Signed-off-by: Maxime Ripard Link: https://patchwork.freedesktop.org/patch/msgid/20200219180858.4806-3-andrey.lebedev@gmail.com Signed-off-by: Sasha Levin commit de6d9aa5f7c1ea9010dea942e65faa2a7c5feebb Author: Claudiu Beznea Date: Mon Jan 20 14:10:08 2020 +0200 ARM: at91: pm: add quirk for sam9x60's ulp1 [ Upstream commit bb1a0e87e1c54cd884e9b92b1cec06b186edc7a0 ] On SAM9X60 2 nop operations has to be introduced after setting WAITMODE bit in CKGR_MOR. Signed-off-by: Claudiu Beznea Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/1579522208-19523-9-git-send-email-claudiu.beznea@microchip.com Signed-off-by: Sasha Levin commit 4301497fdc684067ca451a34a9b082d34f7e3273 Author: Hans de Goede Date: Fri Jan 31 13:46:25 2020 +0100 HID: quirks: Remove ITE 8595 entry from hid_have_special_driver [ Upstream commit 3045696d0ce663d67c95dcb8206d3de57f6841ec ] The ITE 8595 chip used in various 2-in-1 keyboard docks works fine with the hid-generic driver (minus the RF_KILL key) and also keeps working fine when swapping drivers, so there is no need to have it in the hid_have_special_driver list. Note the other 2 USB ids in hid-ite.c were never added to hid_have_special_driver. Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 1c96af59a9042101226d96115a30f49ae9c1d979 Author: Linus Walleij Date: Tue Dec 17 15:39:52 2019 +0100 mmc: mmci: Support any block sizes for ux500v2 and qcom variant [ Upstream commit 2253ed4b36dc876d1598c4dab5587e537ec68c34 ] For the ux500v2 variant of the PL18x block, any block sizes are supported. This is necessary to support some SDIO transfers. This also affects the QCOM MMCI variant and the ST micro variant. For Ux500 an additional quirk only allowing DMA on blocks that are a power of two is needed. This might be a bug in the DMA engine (DMA40) or the MMCI or in the interconnect, but the most likely is the MMCI, as transfers of these sizes work fine for other devices using the same DMA engine. DMA works fine also with SDIO as long as the blocksize is a power of 2. This patch has proven necessary for enabling SDIO for WLAN on PostmarketOS-based Ux500 platforms. What we managed to test in practice is Broadcom WiFi over SDIO on the Ux500 based Samsung GT-I8190 and GT-S7710. This WiFi chip, BCM4334 works fine after the patch. Before this patch: brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4334-sdio for chip BCM4334/3 mmci-pl18x 80118000.sdi1_per2: unsupported block size (60 bytes) brcmfmac: brcmf_sdiod_ramrw: membytes transfer failed brcmfmac: brcmf_sdio_download_code_file: error -22 on writing 434236 membytes at 0x00000000 brcmfmac: brcmf_sdio_download_firmware: dongle image file download failed After this patch: brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4334/3 wl0: Nov 21 2012 00:21:28 version 6.10.58.813 (B2) FWID 01-0 Bringing up networks, discovering networks with "iw dev wlan0 scan" and connecting works fine from this point. This patch is inspired by Ulf Hansson's patch http://www.spinics.net/lists/linux-mmc/msg12160.html As the DMA engines on these platforms may now get block sizes they were not used to before, make sure to also respect if the DMA engine says "no" to a transfer. Make a drive-by fix for datactrl_blocksz, misspelled. Cc: Ludovic Barre Cc: Brian Masney Cc: Stephan Gerhold Cc: Niklas Cassel Cc: Russell King Signed-off-by: Ulf Hansson Signed-off-by: Srinivas Kandagatla Signed-off-by: Linus Walleij Tested-by: Stephan Gerhold Link: https://lore.kernel.org/r/20191217143952.2885-1-linus.walleij@linaro.org Signed-off-by: Sasha Levin commit cf911ee9f49dfff5404473e3d155248f02e5e87e Author: Suman Anna Date: Thu Dec 12 15:05:41 2019 +0200 ARM: OMAP2+: use separate IOMMU pdata to fix DRA7 IPU1 boot [ Upstream commit 4601832f40501efc3c2fd264a5a69bd1ac17d520 ] The IPU1 MMU has been using common IOMMU pdata quirks defined and used by all IPU IOMMU devices on OMAP4 and beyond. Separate out the pdata for IPU1 MMU with the additional .set_pwrdm_constraint ops plugged in, so that the IPU1 power domain can be restricted to ON state during the boot and active period of the IPU1 remote processor. This eliminates the pre-conditions for the IPU1 boot issue as described in commit afe518400bdb ("iommu/omap: fix boot issue on remoteprocs with AMMU/Unicache"). NOTE: 1. RET is not a valid target power domain state on DRA7 platforms, and IPU power domain is normally programmed for OFF. The IPU1 still fails to boot though, and an unclearable l3_noc error is thrown currently on 4.14 kernel without this fix. This behavior is slightly different from previous 4.9 LTS kernel. 2. The fix is currently applied only to IPU1 on DRA7xx SoC, as the other affected processors on OMAP4/OMAP5/DRA7 are in domains that are not entering RET. IPU2 on DRA7 is in CORE power domain which is only programmed for ON power state. The fix can be easily scaled if these domains do hit RET in the future. 3. The issue was not seen on current DRA7 platforms if any of the DSP remote processors were booted and using one of the GPTimers 5, 6, 7 or 8 on previous 4.9 LTS kernel. This was due to the errata fix for i874 implemented in commit 1cbabcb9807e ("ARM: DRA7: clockdomain: Implement timer workaround for errata i874") which keeps the IPU1 power domain from entering RET when the timers are active. But the timer workaround did not make any difference on 4.14 kernel, and an l3_noc error was seen still without this fix. Signed-off-by: Suman Anna Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 3ea583b09537a2702a07899249eba5f47e160ba0 Author: Suman Anna Date: Thu Dec 12 15:05:39 2019 +0200 ARM: OMAP2+: Add workaround for DRA7 DSP MStandby errata i879 [ Upstream commit 2f14101a1d760db72393910d481fbf7768c44530 ] Errata Title: i879: DSP MStandby requires CD_EMU in SW_WKUP Description: The DSP requires the internal emulation clock to be actively toggling in order to successfully enter a low power mode via execution of the IDLE instruction and PRCM MStandby/Idle handshake. This assumes that other prerequisites and software sequence are followed. Workaround: The emulation clock to the DSP is free-running anytime CCS is connected via JTAG debugger to the DSP subsystem or when the CD_EMU clock domain is set in SW_WKUP mode. The CD_EMU domain can be set in SW_WKUP mode via the CM_EMU_CLKSTCTRL [1:0]CLKTRCTRL field. Implementation: This patch implements this workaround by denying the HW_AUTO mode for the EMU clockdomain during the power-up of any DSP processor and re-enabling the HW_AUTO mode during the shutdown of the last DSP processor (actually done during the enabling and disabling of the respective DSP MDMA MMUs). Reference counting has to be used to manage the independent sequencing between the multiple DSP processors. This switching is done at runtime rather than a static clockdomain flags value to meet the target power domain state for the EMU power domain during suspend. Note that the DSP MStandby behavior is not consistent across all boards prior to this fix. Please see commit 45f871eec6c0 ("ARM: OMAP2+: Extend DRA7 IPU1 MMU pdata quirks to DSP MDMA MMUs") for details. Signed-off-by: Suman Anna Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 8d158e3453ebc0b2fa5bb5bff9e3f545ec9e7546 Author: Tero Kristo Date: Thu Dec 12 15:05:38 2019 +0200 ARM: OMAP4+: remove pdata quirks for omap4+ iommus [ Upstream commit e4c4b540e1e6c21ff8b987e92b2bd170ee006a94 ] IOMMU driver will be using ti-sysc bus driver for power management control going forward, and the pdata quirks are not needed for anything anymore. Signed-off-by: Tero Kristo Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 370cc95c00aefdcdfb5b63ccc904e2aaaf12f90e Author: Russell King Date: Wed Nov 20 11:42:47 2019 +0000 net: sfp: add some quirks for GPON modules [ Upstream commit b0eae33b2583dceb36224619f9fd85e6140ae594 ] Marc Micalizzi reports that Huawei MA5671A and Alcatel/Lucent G-010S-P modules are capable of 2500base-X, but incorrectly report their capabilities in the EEPROM. It seems rather common that GPON modules mis-report. Let's fix these modules by adding some quirks. Signed-off-by: Russell King Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 17918c99abc1b499ba146b5a36ad02bc64ca6a7d Author: Russell King Date: Wed Nov 20 11:42:42 2019 +0000 net: sfp: add support for module quirks [ Upstream commit b34bb2cb5b62c7397c28fcc335e8047a687eada4 ] Add support for applying module quirks to the list of supported ethtool link modes. Signed-off-by: Russell King Reviewed-by: Andrew Lunn Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 11a6ff1df31eed59905c13e30c1d588ca3477fd8 Author: Sasha Levin Date: Fri Jul 17 13:01:26 2020 -0400 Revert "usb/xhci-plat: Set PM runtime as active on resume" This reverts commit 57a1cd87efb9279ab58aae2e5c41920150e31873. Eugeniu Rosca writes: On Thu, Jul 09, 2020 at 09:00:23AM +0200, Eugeniu Rosca wrote: >After integrating v4.14.186 commit 5410d158ca2a50 ("usb/ehci-platform: >Set PM runtime as active on resume") into downstream v4.14.x, we started >to consistently experience below panic [1] on every second s2ram of >R-Car H3 Salvator-X Renesas reference board. > >After some investigations, we concluded the following: > - the issue does not exist in vanilla v5.8-rc4+ > - [bisecting shows that] the panic on v4.14.186 is caused by the lack > of v5.6-rc1 commit 987351e1ea7772 ("phy: core: Add consumer device > link support"). Getting evidence for that is easy. Reverting > 987351e1ea7772 in vanilla leads to a similar backtrace [2]. > >Questions: > - Backporting 987351e1ea7772 ("phy: core: Add consumer device > link support") to v4.14.187 looks challenging enough, so probably not > worth it. Anybody to contradict this? > - Assuming no plans to backport the missing mainline commit to v4.14.x, > should the following three v4.14.186 commits be reverted on v4.14.x? > * baef809ea497a4 ("usb/ohci-platform: Fix a warning when hibernating") > * 9f33eff4958885 ("usb/xhci-plat: Set PM runtime as active on resume") > * 5410d158ca2a50 ("usb/ehci-platform: Set PM runtime as active on resume") Signed-off-by: Sasha Levin commit 4cf55dcd4fa40e1c0c2883b8e306a55de9c2f00d Author: Sasha Levin Date: Fri Jul 17 13:01:10 2020 -0400 Revert "usb/ehci-platform: Set PM runtime as active on resume" This reverts commit 335d720bb4bd9d2808cae5af6f3c636c87f19596. Eugeniu Rosca writes: On Thu, Jul 09, 2020 at 09:00:23AM +0200, Eugeniu Rosca wrote: >After integrating v4.14.186 commit 5410d158ca2a50 ("usb/ehci-platform: >Set PM runtime as active on resume") into downstream v4.14.x, we started >to consistently experience below panic [1] on every second s2ram of >R-Car H3 Salvator-X Renesas reference board. > >After some investigations, we concluded the following: > - the issue does not exist in vanilla v5.8-rc4+ > - [bisecting shows that] the panic on v4.14.186 is caused by the lack > of v5.6-rc1 commit 987351e1ea7772 ("phy: core: Add consumer device > link support"). Getting evidence for that is easy. Reverting > 987351e1ea7772 in vanilla leads to a similar backtrace [2]. > >Questions: > - Backporting 987351e1ea7772 ("phy: core: Add consumer device > link support") to v4.14.187 looks challenging enough, so probably not > worth it. Anybody to contradict this? > - Assuming no plans to backport the missing mainline commit to v4.14.x, > should the following three v4.14.186 commits be reverted on v4.14.x? > * baef809ea497a4 ("usb/ohci-platform: Fix a warning when hibernating") > * 9f33eff4958885 ("usb/xhci-plat: Set PM runtime as active on resume") > * 5410d158ca2a50 ("usb/ehci-platform: Set PM runtime as active on resume") Signed-off-by: Sasha Levin commit add6b48ad376a8db6736b96a985877c2ca2e470a Author: Sasha Levin Date: Fri Jul 17 13:00:47 2020 -0400 Revert "usb/ohci-platform: Fix a warning when hibernating" This reverts commit fbf719e5da126c6b391ea7b1f38d4493582d8aaf. Eugeniu Rosca writes: On Thu, Jul 09, 2020 at 09:00:23AM +0200, Eugeniu Rosca wrote: >After integrating v4.14.186 commit 5410d158ca2a50 ("usb/ehci-platform: >Set PM runtime as active on resume") into downstream v4.14.x, we started >to consistently experience below panic [1] on every second s2ram of >R-Car H3 Salvator-X Renesas reference board. > >After some investigations, we concluded the following: > - the issue does not exist in vanilla v5.8-rc4+ > - [bisecting shows that] the panic on v4.14.186 is caused by the lack > of v5.6-rc1 commit 987351e1ea7772 ("phy: core: Add consumer device > link support"). Getting evidence for that is easy. Reverting > 987351e1ea7772 in vanilla leads to a similar backtrace [2]. > >Questions: > - Backporting 987351e1ea7772 ("phy: core: Add consumer device > link support") to v4.14.187 looks challenging enough, so probably not > worth it. Anybody to contradict this? > - Assuming no plans to backport the missing mainline commit to v4.14.x, > should the following three v4.14.186 commits be reverted on v4.14.x? > * baef809ea497a4 ("usb/ohci-platform: Fix a warning when hibernating") > * 9f33eff4958885 ("usb/xhci-plat: Set PM runtime as active on resume") > * 5410d158ca2a50 ("usb/ehci-platform: Set PM runtime as active on resume") Signed-off-by: Sasha Levin commit 267516d7009e44e1f10be7d8a229194cf7d62021 Author: Sascha Hauer Date: Wed Jun 24 09:00:45 2020 +0200 net: ethernet: mvneta: Add back interface mode validation [ Upstream commit 41c2b6b4f0f807803bb49f65835d136941a70f85 ] When writing the serdes configuration register was moved to mvneta_config_interface() the whole code block was removed from mvneta_port_power_up() in the assumption that its only purpose was to write the serdes configuration register. As mentioned by Russell King its purpose was also to check for valid interface modes early so that later in the driver we do not have to care for unexpected interface modes. Add back the test to let the driver bail out early on unhandled interface modes. Fixes: b4748553f53f ("net: ethernet: mvneta: Fix Serdes configuration for SoCs without comphy") Signed-off-by: Sascha Hauer Reviewed-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit beee39d71e873e3ce7267c07fc108b98bcbf8010 Author: Sascha Hauer Date: Wed Jun 24 09:00:44 2020 +0200 net: ethernet: mvneta: Do not error out in non serdes modes [ Upstream commit d3d239dcb8aae6d7b10642d292b404e57604f7ea ] In mvneta_config_interface() the RGMII modes are catched by the default case which is an error return. The RGMII modes are valid modes for the driver, so instead of returning an error add a break statement to return successfully. This avoids this warning for non comphy SoCs which use RGMII, like SolidRun Clearfog: WARNING: CPU: 0 PID: 268 at drivers/net/ethernet/marvell/mvneta.c:3512 mvneta_start_dev+0x220/0x23c Fixes: b4748553f53f ("net: ethernet: mvneta: Fix Serdes configuration for SoCs without comphy") Signed-off-by: Sascha Hauer Reviewed-by: Russell King Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 131ab7a0cdb85fd35d482f37787c823fb305b1c5 Author: Sasha Levin Date: Fri Jul 17 11:05:03 2020 -0400 net: macb: call pm_runtime_put_sync on failure path [ Upstream commit 0eaf228d574bd82a9aed73e3953bfb81721f4227 ] Call pm_runtime_put_sync() on failure path of at91ether_open. Fixes: e6a41c23df0d ("net: macb: ensure interface is not suspended on at91rm9200") Signed-off-by: Claudiu Beznea Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fefc7580af391a0508133217ff723d46702eb2ea Author: Florian Fainelli Date: Fri Jun 19 11:47:46 2020 -0700 of: of_mdio: Correct loop scanning logic [ Upstream commit 5a8d7f126c97d04d893f5e5be2b286437a0d01b0 ] Commit 209c65b61d94 ("drivers/of/of_mdio.c:fix of_mdiobus_register()") introduced a break of the loop on the premise that a successful registration should exit the loop. The premise is correct but not to code, because rc && rc != -ENODEV is just a special error condition, that means we would exit the loop even with rc == -ENODEV which is absolutely not correct since this is the error code to indicate to the MDIO bus layer that scanning should continue. Fix this by explicitly checking for rc = 0 as the only valid condition to break out of the loop. Fixes: 209c65b61d94 ("drivers/of/of_mdio.c:fix of_mdiobus_register()") Reviewed-by: Andrew Lunn Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3f2f3edcc075c427655b1e5f140737e06b9e059c Author: Florian Fainelli Date: Wed Jun 17 20:42:44 2020 -0700 net: dsa: bcm_sf2: Fix node reference count [ Upstream commit 8dbe4c5d5e40fe140221024f7b16bec9f310bf70 ] of_find_node_by_name() will do an of_node_put() on the "from" argument. With CONFIG_OF_DYNAMIC enabled which checks for device_node reference counts, we would be getting a warning like this: [ 6.347230] refcount_t: increment on 0; use-after-free. [ 6.352498] WARNING: CPU: 3 PID: 77 at lib/refcount.c:156 refcount_inc_checked+0x38/0x44 [ 6.360601] Modules linked in: [ 6.363661] CPU: 3 PID: 77 Comm: kworker/3:1 Tainted: G W 5.4.46-gb78b3e9956e6 #13 [ 6.372546] Hardware name: BCM97278SV (DT) [ 6.376649] Workqueue: events deferred_probe_work_func [ 6.381796] pstate: 60000005 (nZCv daif -PAN -UAO) [ 6.386595] pc : refcount_inc_checked+0x38/0x44 [ 6.391133] lr : refcount_inc_checked+0x38/0x44 ... [ 6.478791] Call trace: [ 6.481243] refcount_inc_checked+0x38/0x44 [ 6.485433] kobject_get+0x3c/0x4c [ 6.488840] of_node_get+0x24/0x34 [ 6.492247] of_irq_find_parent+0x3c/0xe0 [ 6.496263] of_irq_parse_one+0xe4/0x1d0 [ 6.500191] irq_of_parse_and_map+0x44/0x84 [ 6.504381] bcm_sf2_sw_probe+0x22c/0x844 [ 6.508397] platform_drv_probe+0x58/0xa8 [ 6.512413] really_probe+0x238/0x3fc [ 6.516081] driver_probe_device+0x11c/0x12c [ 6.520358] __device_attach_driver+0xa8/0x100 [ 6.524808] bus_for_each_drv+0xb4/0xd0 [ 6.528650] __device_attach+0xd0/0x164 [ 6.532493] device_initial_probe+0x24/0x30 [ 6.536682] bus_probe_device+0x38/0x98 [ 6.540524] deferred_probe_work_func+0xa8/0xd4 [ 6.545061] process_one_work+0x178/0x288 [ 6.549078] process_scheduled_works+0x44/0x48 [ 6.553529] worker_thread+0x218/0x270 [ 6.557285] kthread+0xdc/0xe4 [ 6.560344] ret_from_fork+0x10/0x18 [ 6.563925] ---[ end trace 68f65caf69bb152a ]--- Fix this by adding a of_node_get() to increment the reference count prior to the call. Fixes: afa3b592953b ("net: dsa: bcm_sf2: Ensure correct sub-node is parsed") Signed-off-by: Florian Fainelli Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cb2801017057ccb4153490f9f36bc561f9cb86b6 Author: Krzysztof Kozlowski Date: Mon Jun 22 13:05:41 2020 +0200 spi: spi-fsl-dspi: Fix lockup if device is shutdown during SPI transfer [ Upstream commit 3c525b69e8c1a9a6944e976603c7a1a713e728f9 ] During shutdown, the driver should unregister the SPI controller and stop the hardware. Otherwise the dspi_transfer_one_message() could wait on completion infinitely. Additionally, calling spi_unregister_controller() first in device shutdown reverse-matches the probe function, where SPI controller is registered at the end. Fixes: dc234825997e ("spi: spi-fsl-dspi: Adding shutdown hook") Reported-by: Vladimir Oltean Signed-off-by: Krzysztof Kozlowski Tested-by: Vladimir Oltean Reviewed-by: Vladimir Oltean Cc: Link: https://lore.kernel.org/r/20200622110543.5035-2-krzk@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit baf22f66c9cf3fa9aff0d7eb78725f8cbfa51c6b Author: Jonathan Cameron Date: Sun May 17 18:29:56 2020 +0100 iio:health:afe4403 Fix timestamp alignment and prevent data leak. commit 3f9c6d38797e9903937b007a341dad0c251765d6 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses a 32 byte array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data with alignment explicitly requested. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: eec96d1e2d31 ("iio: health: Add driver for the TI AFE4403 heart monitor") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Andrew F. Davis Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 5f8fe8ab446310c0dddb21bb6603aea11d11cfa8 Author: Jonathan Cameron Date: Sun Jun 7 16:53:57 2020 +0100 iio:pressure:ms5611 Fix buffer element alignment commit 8db4afe163bbdd93dca6fcefbb831ef12ecc6b4d upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. Here there is no data leak possibility so use an explicit structure on the stack to ensure alignment and nice readable fashion. The forced alignment of ts isn't strictly necessary in this driver as the padding will be correct anyway (there isn't any). However it is probably less fragile to have it there and it acts as documentation of the requirement. Fixes: 713bbb4efb9dc ("iio: pressure: ms5611: Add triggered buffer support") Reported-by: Lars-Peter Clausen Signed-off-by: Jonathan Cameron Acked-by: Tomasz Duszynski Cc: Signed-off-by: Greg Kroah-Hartman commit 5a6378911f221b615a55f70070fe742b1900e388 Author: Jonathan Cameron Date: Sun Jun 7 16:53:53 2020 +0100 iio:humidity:hts221 Fix alignment and data leak issues commit 5c49056ad9f3c786f7716da2dd47e4488fc6bd25 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Explicit alignment of ts needed to ensure consistent padding on all architectures (particularly x86_32 with it's 4 byte alignment of s64) Fixes: e4a70e3e7d84 ("iio: humidity: add support to hts221 rh/temp combo device") Reported-by: Lars-Peter Clausen Acked-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 74953efffb3ddb749e95a67ef1fab76067765284 Author: Navid Emamdoost Date: Thu Jun 4 21:44:44 2020 -0500 iio: pressure: zpa2326: handle pm_runtime_get_sync failure commit d88de040e1df38414fc1e4380be9d0e997ab4d58 upstream. Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count. Call pm_runtime_put if pm_runtime_get_sync fails. Signed-off-by: Navid Emamdoost Fixes: 03b262f2bbf4 ("iio:pressure: initial zpa2326 barometer support") Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 4ecff6ee264f6bc07fc43a1d3132dcc08214092b Author: Chuhong Yuan Date: Thu May 28 14:41:21 2020 +0800 iio: mma8452: Add missed iio_device_unregister() call in mma8452_probe() commit d7369ae1f4d7cffa7574d15e1f787dcca184c49d upstream. The function iio_device_register() was called in mma8452_probe(). But the function iio_device_unregister() was not called after a call of the function mma8452_set_freefall_mode() failed. Thus add the missed function call for one error case. Fixes: 1a965d405fc6 ("drivers:iio:accel:mma8452: added cleanup provision in case of failure.") Signed-off-by: Chuhong Yuan Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit b4172e024d48fe6b6323fd0b16b64087742fb3d4 Author: Matt Ranostay Date: Tue Jun 9 06:01:16 2020 +0300 iio: core: add missing IIO_MOD_H2/ETHANOL string identifiers commit 25f02d3242ab4d16d0cee2dec0d89cedb3747fa9 upstream. Add missing strings to iio_modifier_names[] for proper modification of channels. Fixes: b170f7d48443d (iio: Add modifiers for ethanol and H2 gases) Signed-off-by: Matt Ranostay Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit ead750685280f60a24c3ca954aa89abfbffadff0 Author: Dinghao Liu Date: Tue May 26 18:47:17 2020 +0800 iio: magnetometer: ak8974: Fix runtime PM imbalance on error commit 0187294d227dfc42889e1da8f8ce1e44fc25f147 upstream. When devm_regmap_init_i2c() returns an error code, a pairing runtime PM usage counter decrement is needed to keep the counter balanced. For error paths after ak8974_set_power(), ak8974_detect() and ak8974_reset(), things are the same. However, When iio_triggered_buffer_setup() returns an error code, there will be two PM usgae counter decrements. Signed-off-by: Dinghao Liu Fixes: 7c94a8b2ee8c ("iio: magn: add a driver for AK8974") Reviewed-by: Linus Walleij Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 0b16921edc616051f7be911571bac31cb9a2c198 Author: Jonathan Cameron Date: Sun Jun 7 16:53:52 2020 +0100 iio:humidity:hdc100x Fix alignment and data leak issues commit ea5e7a7bb6205d24371373cd80325db1bc15eded upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak apart from previous readings. Fixes: 16bf793f86b2 ("iio: humidity: hdc100x: add triggered buffer support for HDC100X") Reported-by: Lars-Peter Clausen Acked-by: Matt Ranostay Cc: Alison Schofield Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 7cc8cad2bef94917a3d0b133afeb9626852385c9 Author: Jonathan Cameron Date: Sun Jun 7 16:53:49 2020 +0100 iio:magnetometer:ak8974: Fix alignment and data leak issues commit 838e00b13bfd4cac8b24df25bfc58e2eb99bcc70 upstream. One of a class of bugs pointed out by Lars in a recent review. iio_push_to_buffers_with_timestamp assumes the buffer used is aligned to the size of the timestamp (8 bytes). This is not guaranteed in this driver which uses an array of smaller elements on the stack. As Lars also noted this anti pattern can involve a leak of data to userspace and that indeed can happen here. We close both issues by moving to a suitable structure in the iio_priv() data. This data is allocated with kzalloc so no data can leak appart from previous readings. Fixes: 7c94a8b2ee8cf ("iio: magn: add a driver for AK8974") Reported-by: Lars-Peter Clausen Reviewed-by: Linus Walleij Signed-off-by: Jonathan Cameron Cc: Signed-off-by: Greg Kroah-Hartman commit 4c7924060fe0623aeee5edd1d1fff1d82a4c08b7 Author: Ard Biesheuvel Date: Thu Jul 9 15:59:53 2020 +0300 arm64/alternatives: don't patch up internal branches [ Upstream commit 5679b28142193a62f6af93249c0477be9f0c669b ] Commit f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") moved the alternatives replacement sequences into subsections, in order to keep the as close as possible to the code that they replace. Unfortunately, this broke the logic in branch_insn_requires_update, which assumed that any branch into kernel executable code was a branch that required updating, which is no longer the case now that the code sequences that are patched in are in the same section as the patch site itself. So the only way to discriminate branches that require updating and ones that don't is to check whether the branch targets the replacement sequence itself, and so we can drop the call to kernel_text_address() entirely. Fixes: f7b93d42945c ("arm64/alternatives: use subsections for replacement sequences") Reported-by: Alexandru Elisei Signed-off-by: Ard Biesheuvel Tested-by: Alexandru Elisei Link: https://lore.kernel.org/r/20200709125953.30918-1-ardb@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 77a181fba1e58139f5b7939ff5a429ed56eee24d Author: Andy Shevchenko Date: Thu Jul 2 13:15:27 2020 +0300 i2c: eg20t: Load module automatically if ID matches [ Upstream commit 5f90786b31fb7d1e199a8999d46c4e3aea672e11 ] The driver can't be loaded automatically because it misses module alias to be provided. Add corresponding MODULE_DEVICE_TABLE() call to the driver. Signed-off-by: Andy Shevchenko Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 27874115b0597439947d9626132b6c7a13547e1b Author: Bob Peterson Date: Thu Jun 25 13:30:18 2020 -0500 gfs2: read-only mounts should grab the sd_freeze_gl glock [ Upstream commit b780cc615ba4795a7ef0e93b19424828a5ad456a ] Before this patch, only read-write mounts would grab the freeze glock in read-only mode, as part of gfs2_make_fs_rw. So the freeze glock was never initialized. That meant requests to freeze, which request the glock in EX, were granted without any state transition. That meant you could mount a gfs2 file system, which is currently frozen on a different cluster node, in read-only mode. This patch makes read-only mounts lock the freeze glock in SH mode, which will block for file systems that are frozen on another node. Signed-off-by: Bob Peterson Signed-off-by: Sasha Levin commit 827139ad9db5d1f04d79892448c49904e1666d05 Author: Vasily Averin Date: Sat Jun 13 17:18:33 2020 +0300 tpm_tis: extra chip->ops check on error path in tpm_tis_core_init [ Upstream commit ccf6fb858e17a8f8a914a1c6444d277cfedfeae6 ] Found by smatch: drivers/char/tpm/tpm_tis_core.c:1088 tpm_tis_core_init() warn: variable dereferenced before check 'chip->ops' (see line 979) 'chip->ops' is assigned in the beginning of function in tpmm_chip_alloc->tpm_chip_alloc and is used before first possible goto to error path. Signed-off-by: Vasily Averin Reviewed-by: Jerry Snitselaar Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit a8f13826f9c69ca7f0c34fba5d1ff2382e38aae4 Author: Ard Biesheuvel Date: Tue Jun 30 10:19:21 2020 +0200 arm64/alternatives: use subsections for replacement sequences [ Upstream commit f7b93d42945cc71e1346dd5ae07c59061d56745e ] When building very large kernels, the logic that emits replacement sequences for alternatives fails when relative branches are present in the code that is emitted into the .altinstr_replacement section and patched in at the original site and fixed up. The reason is that the linker will insert veneers if relative branches go out of range, and due to the relative distance of the .altinstr_replacement from the .text section where its branch targets usually live, veneers may be emitted at the end of the .altinstr_replacement section, with the relative branches in the sequence pointed at the veneers instead of the actual target. The alternatives patching logic will attempt to fix up the branch to point to its original target, which will be the veneer in this case, but given that the patch site is likely to be far away as well, it will be out of range and so patching will fail. There are other cases where these veneers are problematic, e.g., when the target of the branch is in .text while the patch site is in .init.text, in which case putting the replacement sequence inside .text may not help either. So let's use subsections to emit the replacement code as closely as possible to the patch site, to ensure that veneers are only likely to be emitted if they are required at the patch site as well, in which case they will be in range for the replacement sequence both before and after it is transported to the patch site. This will prevent alternative sequences in non-init code from being released from memory after boot, but this is tolerable given that the entire section is only 512 KB on an allyesconfig build (which weighs in at 500+ MB for the entire Image). Also, note that modules today carry the replacement sequences in non-init sections as well, and any of those that target init code will be emitted into init sections after this change. This fixes an early crash when booting an allyesconfig kernel on a system where any of the alternatives sequences containing relative branches are activated at boot (e.g., ARM64_HAS_PAN on TX2) Signed-off-by: Ard Biesheuvel Cc: Suzuki K Poulose Cc: James Morse Cc: Andre Przywara Cc: Dave P Martin Link: https://lore.kernel.org/r/20200630081921.13443-1-ardb@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 91e81d2262e76fd7885c3fdc9e4917096a6b7178 Author: Ronnie Sahlberg Date: Thu Jul 2 10:55:41 2020 +1000 cifs: prevent truncation from long to int in wait_for_free_credits [ Upstream commit 19e888678bac8c82206eb915eaf72741b2a2615c ] The wait_event_... defines evaluate to long so we should not assign it an int as this may truncate the value. Reported-by: Marshall Midden Signed-off-by: Ronnie Sahlberg Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 43046f786714f75aa833c7c8e4ae649099979d94 Author: Kangmin Park Date: Thu Jun 25 22:51:58 2020 +0900 dt-bindings: mailbox: zynqmp_ipi: fix unit address [ Upstream commit 35b9c0fdb9f666628ecda02b1fc44306933a2d97 ] Fix unit address to match the first address specified in the reg property of the node in example. Signed-off-by: Kangmin Park Link: https://lore.kernel.org/r/20200625135158.5861-1-l4stpr0gr4m@gmail.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit ea9d6016b1a4fe9ca64c1dff97025023208c9dbc Author: Angelo Dureghello Date: Wed Jun 17 09:53:41 2020 +0300 m68k: mm: fix node memblock init [ Upstream commit c43e55796dd4d13f4855971a4d7970ce2cd94db4 ] After pulling 5.7.0 (linux-next merge), mcf5441x mmu boot was hanging silently. memblock_add() seems not appropriate, since using MAX_NUMNODES as node id, while memblock_add_node() sets up memory for node id 0. Signed-off-by: Angelo Dureghello Signed-off-by: Mike Rapoport Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit 560dbf34dec8c791fc178cffe96ede2dc45cc3c5 Author: Mike Rapoport Date: Wed Jun 17 09:53:40 2020 +0300 m68k: nommu: register start of the memory with memblock [ Upstream commit d63bd8c81d8ab64db506ffde569cc8ff197516e2 ] The m68k nommu setup code didn't register the beginning of the physical memory with memblock because it was anyway occupied by the kernel. However, commit fa3354e4ea39 ("mm: free_area_init: use maximal zone PFNs rather than zone sizes") changed zones initialization to use memblock.memory to detect the zone extents and this caused inconsistency between zone PFNs and the actual PFNs: BUG: Bad page state in process swapper pfn:20165 page:41fe0ca0 refcount:0 mapcount:1 mapping:00000000 index:0x0 flags: 0x0() raw: 00000000 00000100 00000122 00000000 00000000 00000000 00000000 00000000 page dumped because: nonzero mapcount CPU: 0 PID: 1 Comm: swapper Not tainted 5.8.0-rc1-00001-g3a38f8a60c65-dirty #1 Stack from 404c9ebc: 404c9ebc 4029ab28 4029ab28 40088470 41fe0ca0 40299e21 40299df1 404ba2a4 00020165 00000000 41fd2c10 402c7ba0 41fd2c04 40088504 41fe0ca0 40299e21 00000000 40088a12 41fe0ca0 41fe0ca4 0000020a 00000000 00000001 402ca000 00000000 41fe0ca0 41fd2c10 41fd2c10 00000000 00000000 402b2388 00000001 400a0934 40091056 404c9f44 404c9f44 40088db4 402c7ba0 00000001 41fd2c04 41fe0ca0 41fd2000 41fe0ca0 40089e02 4026ecf4 40089e4e 41fe0ca0 ffffffff Call Trace: [<40088470>] 0x40088470 [<40088504>] 0x40088504 [<40088a12>] 0x40088a12 [<402ca000>] 0x402ca000 [<400a0934>] 0x400a0934 Adjust the memory registration with memblock to include the beginning of the physical memory and make sure that the area occupied by the kernel is marked as reserved. Signed-off-by: Mike Rapoport Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit c3adbd37c05451b68137876cee8831c715902f8b Author: Hou Tao Date: Tue Apr 28 09:54:56 2020 +0800 blk-mq-debugfs: update blk_queue_flag_name[] accordingly for new flags [ Upstream commit bfe373f608cf81b7626dfeb904001b0e867c5110 ] Else there may be magic numbers in /sys/kernel/debug/block/*/state. Signed-off-by: Hou Tao Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9025a5589c035a7328c920ed4e190c0c2f5d017d Author: Anson Huang Date: Thu Mar 26 22:29:05 2020 +0800 thermal/drivers: imx: Fix missing of_node_put() at probe time [ Upstream commit b45fd13be340e4ed0a2a9673ba299eb2a71ba829 ] After finishing using cpu node got from of_get_cpu_node(), of_node_put() needs to be called. Signed-off-by: Anson Huang Signed-off-by: Daniel Lezcano Link: https://lore.kernel.org/r/1585232945-23368-1-git-send-email-Anson.Huang@nxp.com Signed-off-by: Sasha Levin commit c4db485dd3f2378b4923503aed995f7816e265b7 Author: Petteri Aimonen Date: Tue Jun 16 11:12:57 2020 +0200 x86/fpu: Reset MXCSR to default in kernel_fpu_begin() [ Upstream commit 7ad816762f9bf89e940e618ea40c43138b479e10 ] Previously, kernel floating point code would run with the MXCSR control register value last set by userland code by the thread that was active on the CPU core just before kernel call. This could affect calculation results if rounding mode was changed, or a crash if a FPU/SIMD exception was unmasked. Restore MXCSR to the kernel's default value. [ bp: Carve out from a bigger patch by Petteri, add feature check, add FNINIT call too (amluto). ] Signed-off-by: Petteri Aimonen Signed-off-by: Borislav Petkov Link: https://bugzilla.kernel.org/show_bug.cgi?id=207979 Link: https://lkml.kernel.org/r/20200624114646.28953-2-bp@alien8.de Signed-off-by: Sasha Levin commit d2bfb9eb439c5c5f48b1c07652d8508d8c351576 Author: Navid Emamdoost Date: Mon Jun 15 00:49:28 2020 -0500 drm/exynos: fix ref count leak in mic_pre_enable [ Upstream commit d4f5a095daf0d25f0b385e1ef26338608433a4c5 ] in mic_pre_enable, pm_runtime_get_sync is called which increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit f886b67c6b28d79a5c7b2e081e760662898813ae Author: Marek Szyprowski Date: Mon Jun 1 17:06:30 2020 +0900 drm/exynos: Properly propagate return value in drm_iommu_attach_device() [ Upstream commit b9c633882de4601015625f9136f248e9abca8a7a ] Propagate the proper error codes from the called functions instead of unconditionally returning 0. Reported-by: kbuild test robot Signed-off-by: Marek Szyprowski Merge conflict so merged it manually. Signed-off-by: Inki Dae Signed-off-by: Sasha Levin commit 0885be75f1be7fb7646ae5be0f3ab84b32d47125 Author: Krishna Manikandan Date: Thu May 28 14:04:28 2020 +0530 drm/msm/dpu: allow initialization of encoder locks during encoder init [ Upstream commit 2e7ec6b5297157efabb50e5f82adc628cf90296c ] In the current implementation, mutex initialization for encoder mutex locks are done during encoder setup. This can lead to scenarios where the lock is used before it is initialized. Move mutex_init to dpu_encoder_init to avoid this. Signed-off-by: Krishna Manikandan Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 5d6891a5a627c346e11200ed5f15ed325dfead26 Author: Bernard Zhao Date: Fri Jun 12 09:23:49 2020 +0800 drm/msm: fix potential memleak in error branch [ Upstream commit 177d3819633cd520e3f95df541a04644aab4c657 ] In function msm_submitqueue_create, the queue is a local variable, in return -EINVAL branch, queue didn`t add to ctx`s list yet, and also didn`t kfree, this maybe bring in potential memleak. Signed-off-by: Bernard Zhao [trivial commit msg fixup] Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit f608a77e0cc940ffa74f758ae797d50d68d88d30 Author: Marc Zyngier Date: Mon Jul 6 17:38:01 2020 +0100 arm64: arch_timer: Disable the compat vdso for cores affected by ARM64_WORKAROUND_1418040 commit 4b661d6133c5d3a7c9aca0b4ee5a78c7766eff3f upstream. ARM64_WORKAROUND_1418040 requires that AArch32 EL0 accesses to the virtual counter register are trapped and emulated by the kernel. This makes the vdso pretty pointless, and in some cases livelock prone. Provide a workaround entry that limits the vdso to 64bit tasks. Signed-off-by: Marc Zyngier Acked-by: Mark Rutland Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200706163802.1836732-4-maz@kernel.org Signed-off-by: Will Deacon Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 86e3c7c70c63a3c9e722bf771255b0498e392745 Author: Marc Zyngier Date: Mon Jul 6 17:38:00 2020 +0100 arm64: arch_timer: Allow an workaround descriptor to disable compat vdso commit c1fbec4ac0d701f350a581941d35643d5a9cd184 upstream. As we are about to disable the vdso for compat tasks in some circumstances, let's allow a workaround descriptor to express exactly that. Signed-off-by: Marc Zyngier Acked-by: Mark Rutland Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200706163802.1836732-3-maz@kernel.org Signed-off-by: Will Deacon Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 71d65a3fc62888505bcaff5eaabf8ffc6b6d7be2 Author: Marc Zyngier Date: Mon Jul 6 17:37:59 2020 +0100 arm64: Introduce a way to disable the 32bit vdso commit 97884ca8c2925d14c32188e865069f21378b4b4f upstream. [this is a redesign rather than a backport] We have a class of errata (grouped under the ARM64_WORKAROUND_1418040 banner) that force the trapping of counter access from 32bit EL0. We would normally disable the whole vdso for such defect, except that it would disable it for 64bit userspace as well, which is a shame. Instead, add a new vdso_clock_mode, which signals that the vdso isn't usable for compat tasks. This gets checked in the new vdso_clocksource_ok() helper, now provided for the 32bit vdso. Signed-off-by: Marc Zyngier Acked-by: Mark Rutland Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200706163802.1836732-2-maz@kernel.org Signed-off-by: Will Deacon Signed-off-by: Marc Zyngier Signed-off-by: Greg Kroah-Hartman commit 36d60eba862d6842d6da4d3792b3cf1cde1c22b2 Author: Willem de Bruijn Date: Wed Jul 1 16:00:06 2020 -0400 ip: Fix SO_MARK in RST, ACK and ICMP packets [ Upstream commit 0da7536fb47f51df89ccfcb1fa09f249d9accec5 ] When no full socket is available, skbs are sent over a per-netns control socket. Its sk_mark is temporarily adjusted to match that of the real (request or timewait) socket or to reflect an incoming skb, so that the outgoing skb inherits this in __ip_make_skb. Introduction of the socket cookie mark field broke this. Now the skb is set through the cookie and cork: # init sockc.mark from sk_mark or cmsg ip_append_data ip_setup_cork # convert sockc.mark to cork mark ip_push_pending_frames ip_finish_skb __ip_make_skb # set skb->mark to cork mark But I missed these special control sockets. Update all callers of __ip(6)_make_skb that were originally missed. For IPv6, the same two icmp(v6) paths are affected. The third case is not, as commit 92e55f412cff ("tcp: don't annotate mark on control socket from tcp_v6_send_response()") replaced the ctl_sk->sk_mark with passing the mark field directly as a function argument. That commit predates the commit that introduced the bug. Fixes: c6af0c227a22 ("ip: support SO_MARK cmsg") Signed-off-by: Willem de Bruijn Reported-by: Martin KaFai Lau Reviewed-by: Martin KaFai Lau Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 38b122c0af04e8ab77dbbc387e126de7a8738aa4 Author: Cong Wang Date: Thu Jul 9 16:28:44 2020 -0700 cgroup: Fix sock_cgroup_data on big-endian. [ Upstream commit 14b032b8f8fce03a546dcf365454bec8c4a58d7d ] In order for no_refcnt and is_data to be the lowest order two bits in the 'val' we have to pad out the bitfield of the u8. Fixes: ad0f75e5f57c ("cgroup: fix cgroup_sk_alloc() for sk_clone_lock()") Reported-by: Guenter Roeck Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 94886c86e833dbc8995202b6c6aaff592b7abd24 Author: Cong Wang Date: Thu Jul 2 11:52:56 2020 -0700 cgroup: fix cgroup_sk_alloc() for sk_clone_lock() [ Upstream commit ad0f75e5f57ccbceec13274e1e242f2b5a6397ed ] When we clone a socket in sk_clone_lock(), its sk_cgrp_data is copied, so the cgroup refcnt must be taken too. And, unlike the sk_alloc() path, sock_update_netprioidx() is not called here. Therefore, it is safe and necessary to grab the cgroup refcnt even when cgroup_sk_alloc is disabled. sk_clone_lock() is in BH context anyway, the in_interrupt() would terminate this function if called there. And for sk_alloc() skcd->val is always zero. So it's safe to factor out the code to make it more readable. The global variable 'cgroup_sk_alloc_disabled' is used to determine whether to take these reference counts. It is impossible to make the reference counting correct unless we save this bit of information in skcd->val. So, add a new bit there to record whether the socket has already taken the reference counts. This obviously relies on kmalloc() to align cgroup pointers to at least 4 bytes, ARCH_KMALLOC_MINALIGN is certainly larger than that. This bug seems to be introduced since the beginning, commit d979a39d7242 ("cgroup: duplicate cgroup reference when cloning sockets") tried to fix it but not compeletely. It seems not easy to trigger until the recent commit 090e28b229af ("netprio_cgroup: Fix unlimited memory leak of v2 cgroups") was merged. Fixes: bd1060a1d671 ("sock, cgroup: add sock->sk_cgroup") Reported-by: Cameron Berkenpas Reported-by: Peter Geis Reported-by: Lu Fengqi Reported-by: Daniël Sonck Reported-by: Zhang Qiang Tested-by: Cameron Berkenpas Tested-by: Peter Geis Tested-by: Thomas Lamprecht Cc: Daniel Borkmann Cc: Zefan Li Cc: Tejun Heo Cc: Roman Gushchin Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 171644727abfdd0afb1a1fd88fbc653979780e0b Author: Eric Dumazet Date: Wed Jul 1 18:39:33 2020 -0700 tcp: md5: allow changing MD5 keys in all socket states [ Upstream commit 1ca0fafd73c5268e8fc4b997094b8bb2bfe8deea ] This essentially reverts commit 721230326891 ("tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets") Mathieu reported that many vendors BGP implementations can actually switch TCP MD5 on established flows. Quoting Mathieu : Here is a list of a few network vendors along with their behavior with respect to TCP MD5: - Cisco: Allows for password to be changed, but within the hold-down timer (~180 seconds). - Juniper: When password is initially set on active connection it will reset, but after that any subsequent password changes no network resets. - Nokia: No notes on if they flap the tcp connection or not. - Ericsson/RedBack: Allows for 2 password (old/new) to co-exist until both sides are ok with new passwords. - Meta-Switch: Expects the password to be set before a connection is attempted, but no further info on whether they reset the TCP connection on a change. - Avaya: Disable the neighbor, then set password, then re-enable. - Zebos: Would normally allow the change when socket connected. We can revert my prior change because commit 9424e2e7ad93 ("tcp: md5: fix potential overestimation of TCP option space") removed the leak of 4 kernel bytes to the wire that was the main reason for my patch. While doing my investigations, I found a bug when a MD5 key is changed, leading to these commits that stable teams want to consider before backporting this revert : Commit 6a2febec338d ("tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()") Commit e6ced831ef11 ("tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers") Fixes: 721230326891 "tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets" Signed-off-by: Eric Dumazet Reported-by: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8ee263bd11afe0b5504367bc7ac3cbd2cb2299d3 Author: Eric Dumazet Date: Wed Jul 1 11:43:04 2020 -0700 tcp: md5: refine tcp_md5_do_add()/tcp_md5_hash_key() barriers [ Upstream commit e6ced831ef11a2a06e8d00aad9d4fc05b610bf38 ] My prior fix went a bit too far, according to Herbert and Mathieu. Since we accept that concurrent TCP MD5 lookups might see inconsistent keys, we can use READ_ONCE()/WRITE_ONCE() instead of smp_rmb()/smp_wmb() Clearing all key->key[] is needed to avoid possible KMSAN reports, if key->keylen is increased. Since tcp_md5_do_add() is not fast path, using __GFP_ZERO to clear all struct tcp_md5sig_key is simpler. data_race() was added in linux-5.8 and will prevent KCSAN reports, this can safely be removed in stable backports, if data_race() is not yet backported. v2: use data_race() both in tcp_md5_hash_key() and tcp_md5_do_add() Fixes: 6a2febec338d ("tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()") Signed-off-by: Eric Dumazet Cc: Mathieu Desnoyers Cc: Herbert Xu Cc: Marco Elver Reviewed-by: Mathieu Desnoyers Acked-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 30d015f5ecd9ce5706ad18a4a0649f364e3e6f7b Author: Toke Høiland-Jørgensen Date: Tue Jul 7 13:03:25 2020 +0200 vlan: consolidate VLAN parsing code and limit max parsing depth [ Upstream commit 469aceddfa3ed16e17ee30533fae45e90f62efd8 ] Toshiaki pointed out that we now have two very similar functions to extract the L3 protocol number in the presence of VLAN tags. And Daniel pointed out that the unbounded parsing loop makes it possible for maliciously crafted packets to loop through potentially hundreds of tags. Fix both of these issues by consolidating the two parsing functions and limiting the VLAN tag parsing to a max depth of 8 tags. As part of this, switch over __vlan_get_protocol() to use skb_header_pointer() instead of pskb_may_pull(), to avoid the possible side effects of the latter and keep the skb pointer 'const' through all the parsing functions. v2: - Use limit of 8 tags instead of 32 (matching XMIT_RECURSION_LIMIT) Reported-by: Toshiaki Makita Reported-by: Daniel Borkmann Fixes: d7bf2ebebc2b ("sched: consistently handle layer3 header accesses in the presence of VLANs") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f40c3a8438fc03a1a340a374ed24504894d0d7ad Author: Eric Dumazet Date: Wed Jul 1 12:41:23 2020 -0700 tcp: md5: do not send silly options in SYNCOOKIES [ Upstream commit e114e1e8ac9d31f25b9dd873bab5d80c1fc482ca ] Whenever cookie_init_timestamp() has been used to encode ECN,SACK,WSCALE options, we can not remove the TS option in the SYNACK. Otherwise, tcp_synack_options() will still advertize options like WSCALE that we can not deduce later when receiving the packet from the client to complete 3WHS. Note that modern linux TCP stacks wont use MD5+TS+SACK in a SYN packet, but we can not know for sure that all TCP stacks have the same logic. Before the fix a tcpdump would exhibit this wrong exchange : 10:12:15.464591 IP C > S: Flags [S], seq 4202415601, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 456965269 ecr 0,nop,wscale 8], length 0 10:12:15.464602 IP S > C: Flags [S.], seq 253516766, ack 4202415602, win 65535, options [nop,nop,md5 valid,mss 1400,nop,nop,sackOK,nop,wscale 8], length 0 10:12:15.464611 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 valid], length 0 10:12:15.464678 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options [nop,nop,md5 valid], length 12 10:12:15.464685 IP S > C: Flags [.], ack 13, win 65535, options [nop,nop,md5 valid], length 0 After this patch the exchange looks saner : 11:59:59.882990 IP C > S: Flags [S], seq 517075944, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508483 ecr 0,nop,wscale 8], length 0 11:59:59.883002 IP S > C: Flags [S.], seq 1902939253, ack 517075945, win 65535, options [nop,nop,md5 valid,mss 1400,sackOK,TS val 1751508479 ecr 1751508483,nop,wscale 8], length 0 11:59:59.883012 IP C > S: Flags [.], ack 1, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 0 11:59:59.883114 IP C > S: Flags [P.], seq 1:13, ack 1, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508479], length 12 11:59:59.883122 IP S > C: Flags [.], ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508483 ecr 1751508483], length 0 11:59:59.883152 IP S > C: Flags [P.], seq 1:13, ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508483], length 12 11:59:59.883170 IP C > S: Flags [.], ack 13, win 256, options [nop,nop,md5 valid,nop,nop,TS val 1751508484 ecr 1751508484], length 0 Of course, no SACK block will ever be added later, but nothing should break. Technically, we could remove the 4 nops included in MD5+TS options, but again some stacks could break seeing not conventional alignment. Fixes: 4957faade11b ("TCPCT part 1g: Responder Cookie => Initiator") Signed-off-by: Eric Dumazet Cc: Florian Westphal Cc: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1c8bad567b5d4cd0b20744f7c011aabea0bf28b1 Author: Eric Dumazet Date: Tue Jun 30 16:41:01 2020 -0700 tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key() [ Upstream commit 6a2febec338df7e7699a52d00b2e1207dcf65b28 ] MD5 keys are read with RCU protection, and tcp_md5_do_add() might update in-place a prior key. Normally, typical RCU updates would allocate a new piece of memory. In this case only key->key and key->keylen might be updated, and we do not care if an incoming packet could see the old key, the new one, or some intermediate value, since changing the key on a live flow is known to be problematic anyway. We only want to make sure that in the case key->keylen is changed, cpus in tcp_md5_hash_key() wont try to use uninitialized data, or crash because key->keylen was read twice to feed sg_init_one() and ahash_request_set_crypt() Fixes: 9ea88a153001 ("tcp: md5: check md5 signature without socket lock") Signed-off-by: Eric Dumazet Cc: Mathieu Desnoyers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f52293aefe18516fafe3a3569914c2499419d501 Author: Christoph Paasch Date: Wed Jul 8 16:18:34 2020 -0700 tcp: make sure listeners don't initialize congestion-control state [ Upstream commit ce69e563b325f620863830c246a8698ccea52048 ] syzkaller found its way into setsockopt with TCP_CONGESTION "cdg". tcp_cdg_init() does a kcalloc to store the gradients. As sk_clone_lock just copies all the memory, the allocated pointer will be copied as well, if the app called setsockopt(..., TCP_CONGESTION) on the listener. If now the socket will be destroyed before the congestion-control has properly been initialized (through a call to tcp_init_transfer), we will end up freeing memory that does not belong to that particular socket, opening the door to a double-free: [ 11.413102] ================================================================== [ 11.414181] BUG: KASAN: double-free or invalid-free in tcp_cleanup_congestion_control+0x58/0xd0 [ 11.415329] [ 11.415560] CPU: 3 PID: 4884 Comm: syz-executor.5 Not tainted 5.8.0-rc2 #80 [ 11.416544] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 [ 11.418148] Call Trace: [ 11.418534] [ 11.418834] dump_stack+0x7d/0xb0 [ 11.419297] print_address_description.constprop.0+0x1a/0x210 [ 11.422079] kasan_report_invalid_free+0x51/0x80 [ 11.423433] __kasan_slab_free+0x15e/0x170 [ 11.424761] kfree+0x8c/0x230 [ 11.425157] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.425872] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.426493] inet_csk_destroy_sock+0x153/0x2c0 [ 11.427093] tcp_v4_syn_recv_sock+0xb29/0x1100 [ 11.427731] tcp_get_cookie_sock+0xc3/0x4a0 [ 11.429457] cookie_v4_check+0x13d0/0x2500 [ 11.433189] tcp_v4_do_rcv+0x60e/0x780 [ 11.433727] tcp_v4_rcv+0x2869/0x2e10 [ 11.437143] ip_protocol_deliver_rcu+0x23/0x190 [ 11.437810] ip_local_deliver+0x294/0x350 [ 11.439566] __netif_receive_skb_one_core+0x15d/0x1a0 [ 11.441995] process_backlog+0x1b1/0x6b0 [ 11.443148] net_rx_action+0x37e/0xc40 [ 11.445361] __do_softirq+0x18c/0x61a [ 11.445881] asm_call_on_stack+0x12/0x20 [ 11.446409] [ 11.446716] do_softirq_own_stack+0x34/0x40 [ 11.447259] do_softirq.part.0+0x26/0x30 [ 11.447827] __local_bh_enable_ip+0x46/0x50 [ 11.448406] ip_finish_output2+0x60f/0x1bc0 [ 11.450109] __ip_queue_xmit+0x71c/0x1b60 [ 11.451861] __tcp_transmit_skb+0x1727/0x3bb0 [ 11.453789] tcp_rcv_state_process+0x3070/0x4d3a [ 11.456810] tcp_v4_do_rcv+0x2ad/0x780 [ 11.457995] __release_sock+0x14b/0x2c0 [ 11.458529] release_sock+0x4a/0x170 [ 11.459005] __inet_stream_connect+0x467/0xc80 [ 11.461435] inet_stream_connect+0x4e/0xa0 [ 11.462043] __sys_connect+0x204/0x270 [ 11.465515] __x64_sys_connect+0x6a/0xb0 [ 11.466088] do_syscall_64+0x3e/0x70 [ 11.466617] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.467341] RIP: 0033:0x7f56046dc469 [ 11.467844] Code: Bad RIP value. [ 11.468282] RSP: 002b:00007f5604dccdd8 EFLAGS: 00000246 ORIG_RAX: 000000000000002a [ 11.469326] RAX: ffffffffffffffda RBX: 000000000068bf00 RCX: 00007f56046dc469 [ 11.470379] RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000004 [ 11.471311] RBP: 00000000ffffffff R08: 0000000000000000 R09: 0000000000000000 [ 11.472286] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 [ 11.473341] R13: 000000000041427c R14: 00007f5604dcd5c0 R15: 0000000000000003 [ 11.474321] [ 11.474527] Allocated by task 4884: [ 11.475031] save_stack+0x1b/0x40 [ 11.475548] __kasan_kmalloc.constprop.0+0xc2/0xd0 [ 11.476182] tcp_cdg_init+0xf0/0x150 [ 11.476744] tcp_init_congestion_control+0x9b/0x3a0 [ 11.477435] tcp_set_congestion_control+0x270/0x32f [ 11.478088] do_tcp_setsockopt.isra.0+0x521/0x1a00 [ 11.478744] __sys_setsockopt+0xff/0x1e0 [ 11.479259] __x64_sys_setsockopt+0xb5/0x150 [ 11.479895] do_syscall_64+0x3e/0x70 [ 11.480395] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 11.481097] [ 11.481321] Freed by task 4872: [ 11.481783] save_stack+0x1b/0x40 [ 11.482230] __kasan_slab_free+0x12c/0x170 [ 11.482839] kfree+0x8c/0x230 [ 11.483240] tcp_cleanup_congestion_control+0x58/0xd0 [ 11.483948] tcp_v4_destroy_sock+0x57/0x5a0 [ 11.484502] inet_csk_destroy_sock+0x153/0x2c0 [ 11.485144] tcp_close+0x932/0xfe0 [ 11.485642] inet_release+0xc1/0x1c0 [ 11.486131] __sock_release+0xc0/0x270 [ 11.486697] sock_close+0xc/0x10 [ 11.487145] __fput+0x277/0x780 [ 11.487632] task_work_run+0xeb/0x180 [ 11.488118] __prepare_exit_to_usermode+0x15a/0x160 [ 11.488834] do_syscall_64+0x4a/0x70 [ 11.489326] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Wei Wang fixed a part of these CDG-malloc issues with commit c12014440750 ("tcp: memset ca_priv data to 0 properly"). This patch here fixes the listener-scenario: We make sure that listeners setting the congestion-control through setsockopt won't initialize it (thus CDG never allocates on listeners). For those who use AF_UNSPEC to reuse a socket, tcp_disconnect() is changed to cleanup afterwards. (The issue can be reproduced at least down to v4.4.x.) Cc: Wei Wang Cc: Eric Dumazet Fixes: 2b0a8c9eee81 ("tcp: add CDG congestion control") Signed-off-by: Christoph Paasch Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7eec9f33122339883a99fa403e9444bad2065db5 Author: Eric Dumazet Date: Tue Jun 30 13:51:28 2020 -0700 tcp: fix SO_RCVLOWAT possible hangs under high mem pressure [ Upstream commit ba3bb0e76ccd464bb66665a1941fabe55dadb3ba ] Whenever tcp_try_rmem_schedule() returns an error, we are under trouble and should make sure to wakeup readers so that they can drain socket queues and eventually make room. Fixes: 03f45c883c6f ("tcp: avoid extra wakeups for SO_RCVLOWAT users") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9b7fd81cf9b6ca322cffc6aff4be0f2d54e9689a Author: Toke Høiland-Jørgensen Date: Fri Jul 3 22:26:43 2020 +0200 sched: consistently handle layer3 header accesses in the presence of VLANs [ Upstream commit d7bf2ebebc2bd61ab95e2a8e33541ef282f303d4 ] There are a couple of places in net/sched/ that check skb->protocol and act on the value there. However, in the presence of VLAN tags, the value stored in skb->protocol can be inconsistent based on whether VLAN acceleration is enabled. The commit quoted in the Fixes tag below fixed the users of skb->protocol to use a helper that will always see the VLAN ethertype. However, most of the callers don't actually handle the VLAN ethertype, but expect to find the IP header type in the protocol field. This means that things like changing the ECN field, or parsing diffserv values, stops working if there's a VLAN tag, or if there are multiple nested VLAN tags (QinQ). To fix this, change the helper to take an argument that indicates whether the caller wants to skip the VLAN tags or not. When skipping VLAN tags, we make sure to skip all of them, so behaviour is consistent even in QinQ mode. To make the helper usable from the ECN code, move it to if_vlan.h instead of pkt_sched.h. v3: - Remove empty lines - Move vlan variable definitions inside loop in skb_protocol() - Also use skb_protocol() helper in IP{,6}_ECN_decapsulate() and bpf_skb_ecn_set_ce() v2: - Use eth_type_vlan() helper in skb_protocol() - Also fix code that reads skb->protocol directly - Change a couple of 'if/else if' statements to switch constructs to avoid calling the helper twice Reported-by: Ilya Ponetayev Fixes: d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aafe9dd13f429ddf806bcb08890d3d08a603fe6f Author: AceLan Kao Date: Tue Jul 7 16:14:45 2020 +0800 net: usb: qmi_wwan: add support for Quectel EG95 LTE modem [ Upstream commit f815dd5cf48b905eeecf0a2b990e9b7ab048b4f1 ] Add support for Quectel Wireless Solutions Co., Ltd. EG95 LTE modem T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 5 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=2c7c ProdID=0195 Rev=03.18 S: Manufacturer=Android S: Product=Android C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) Signed-off-by: AceLan Kao Acked-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit edbde451bf3fddd17cd7fdb43fa668112f7b1440 Author: Cong Wang Date: Wed Jul 8 20:13:59 2020 -0700 net_sched: fix a memory leak in atm_tc_init() [ Upstream commit 306381aec7c2b5a658eebca008c8a1b666536cba ] When tcf_block_get() fails inside atm_tc_init(), atm_tc_put() is called to release the qdisc p->link.q. But the flow->ref prevents it to do so, as the flow->ref is still zero. Fix this by moving the p->link.ref initialization before tcf_block_get(). Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure") Reported-and-tested-by: syzbot+d411cff6ab29cc2c311b@syzkaller.appspotmail.com Cc: Jamal Hadi Salim Cc: Jiri Pirko Signed-off-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d55dad8b1d893fae0c4e778abf2ace048bcbad86 Author: Codrin Ciubotariu Date: Thu Jul 2 12:44:50 2020 +0300 net: dsa: microchip: set the correct number of ports [ Upstream commit af199a1a9cb02ec0194804bd46c174b6db262075 ] The number of ports is incorrectly set to the maximum available for a DSA switch. Even if the extra ports are not used, this causes some functions to be called later, like port_disable() and port_stp_state_set(). If the driver doesn't check the port index, it will end up modifying unknown registers. Fixes: b987e98e50ab ("dsa: add DSA switch driver for Microchip KSZ9477") Signed-off-by: Codrin Ciubotariu Reviewed-by: Andrew Lunn Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 64d7822126462e6284fa067402e5b82633e3342f Author: Martin Varghese Date: Sun Jul 5 14:23:49 2020 +0530 net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb [ Upstream commit 394de110a73395de2ca4516b0de435e91b11b604 ] The packets from tunnel devices (eg bareudp) may have only metadata in the dst pointer of skb. Hence a pointer check of neigh_lookup is needed in dst_neigh_lookup_skb Kernel crashes when packets from bareudp device is processed in the kernel neighbour subsytem. [ 133.384484] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 133.385240] #PF: supervisor instruction fetch in kernel mode [ 133.385828] #PF: error_code(0x0010) - not-present page [ 133.386603] PGD 0 P4D 0 [ 133.386875] Oops: 0010 [#1] SMP PTI [ 133.387275] CPU: 0 PID: 5045 Comm: ping Tainted: G W 5.8.0-rc2+ #15 [ 133.388052] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 133.391076] RIP: 0010:0x0 [ 133.392401] Code: Bad RIP value. [ 133.394029] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246 [ 133.396656] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00 [ 133.399018] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400 [ 133.399685] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000 [ 133.400350] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400 [ 133.401010] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003 [ 133.401667] FS: 00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000 [ 133.402412] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 133.402948] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0 [ 133.403611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 133.404270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 133.404933] Call Trace: [ 133.405169] [ 133.405367] __neigh_update+0x5a4/0x8f0 [ 133.405734] arp_process+0x294/0x820 [ 133.406076] ? __netif_receive_skb_core+0x866/0xe70 [ 133.406557] arp_rcv+0x129/0x1c0 [ 133.406882] __netif_receive_skb_one_core+0x95/0xb0 [ 133.407340] process_backlog+0xa7/0x150 [ 133.407705] net_rx_action+0x2af/0x420 [ 133.408457] __do_softirq+0xda/0x2a8 [ 133.408813] asm_call_on_stack+0x12/0x20 [ 133.409290] [ 133.409519] do_softirq_own_stack+0x39/0x50 [ 133.410036] do_softirq+0x50/0x60 [ 133.410401] __local_bh_enable_ip+0x50/0x60 [ 133.410871] ip_finish_output2+0x195/0x530 [ 133.411288] ip_output+0x72/0xf0 [ 133.411673] ? __ip_finish_output+0x1f0/0x1f0 [ 133.412122] ip_send_skb+0x15/0x40 [ 133.412471] raw_sendmsg+0x853/0xab0 [ 133.412855] ? insert_pfn+0xfe/0x270 [ 133.413827] ? vvar_fault+0xec/0x190 [ 133.414772] sock_sendmsg+0x57/0x80 [ 133.415685] __sys_sendto+0xdc/0x160 [ 133.416605] ? syscall_trace_enter+0x1d4/0x2b0 [ 133.417679] ? __audit_syscall_exit+0x1d9/0x280 [ 133.418753] ? __prepare_exit_to_usermode+0x5d/0x1a0 [ 133.419819] __x64_sys_sendto+0x24/0x30 [ 133.420848] do_syscall_64+0x4d/0x90 [ 133.421768] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 133.422833] RIP: 0033:0x7fe013689c03 [ 133.423749] Code: Bad RIP value. [ 133.424624] RSP: 002b:00007ffc7288f418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c [ 133.425940] RAX: ffffffffffffffda RBX: 000056151fc63720 RCX: 00007fe013689c03 [ 133.427225] RDX: 0000000000000040 RSI: 000056151fc63720 RDI: 0000000000000003 [ 133.428481] RBP: 00007ffc72890b30 R08: 000056151fc60500 R09: 0000000000000010 [ 133.429757] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040 [ 133.431041] R13: 000056151fc636e0 R14: 000056151fc616bc R15: 0000000000000080 [ 133.432481] Modules linked in: mpls_iptunnel act_mirred act_tunnel_key cls_flower sch_ingress veth mpls_router ip_tunnel bareudp ip6_udp_tunnel udp_tunnel macsec udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc xt_MASQUERADE iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc ebtable_filter ebtables overlay ip6table_filter ip6_tables iptable_filter sunrpc ext4 mbcache jbd2 pcspkr i2c_piix4 virtio_balloon joydev ip_tables xfs libcrc32c ata_generic qxl pata_acpi drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ata_piix libata virtio_net net_failover virtio_console failover virtio_blk i2c_core virtio_pci virtio_ring serio_raw floppy virtio dm_mirror dm_region_hash dm_log dm_mod [ 133.444045] CR2: 0000000000000000 [ 133.445082] ---[ end trace f4aeee1958fd1638 ]--- [ 133.446236] RIP: 0010:0x0 [ 133.447180] Code: Bad RIP value. [ 133.448152] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246 [ 133.449363] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00 [ 133.450835] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400 [ 133.452237] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000 [ 133.453722] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400 [ 133.455149] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003 [ 133.456520] FS: 00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000 [ 133.458046] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 133.459342] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0 [ 133.460782] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 133.462240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 133.463697] Kernel panic - not syncing: Fatal exception in interrupt [ 133.465226] Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 133.467025] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]--- Fixes: aaa0c23cb901 ("Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug") Signed-off-by: Martin Varghese Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a70a667736ede10bbb28121a4ea20eeadbb2af13 Author: Eric Dumazet Date: Sat Jun 27 13:31:50 2020 -0700 llc: make sure applications use ARPHRD_ETHER [ Upstream commit a9b1110162357689a34992d5c925852948e5b9fd ] syzbot was to trigger a bug by tricking AF_LLC with non sensible addr->sllc_arphrd It seems clear LLC requires an Ethernet device. Back in commit abf9d537fea2 ("llc: add support for SO_BINDTODEVICE") Octavian Purdila added possibility for application to use a zero value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause regressions on existing applications. BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline] BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline] BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline] BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline] BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline] BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813 Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27 CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x197/0x210 lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506 kasan_report+0x12/0x20 mm/kasan/common.c:639 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 __read_once_size include/linux/compiler.h:199 [inline] list_empty include/linux/list.h:268 [inline] waitqueue_active include/linux/wait.h:126 [inline] wq_has_sleeper include/linux/wait.h:160 [inline] skwq_has_sleeper include/net/sock.h:2092 [inline] sock_def_write_space+0x642/0x670 net/core/sock.c:2813 sock_wfree+0x1e1/0x260 net/core/sock.c:1958 skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652 skb_release_all+0x16/0x60 net/core/skbuff.c:663 __kfree_skb net/core/skbuff.c:679 [inline] consume_skb net/core/skbuff.c:838 [inline] consume_skb+0xfb/0x410 net/core/skbuff.c:832 __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967 dev_kfree_skb_any include/linux/netdevice.h:3650 [inline] e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963 e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline] e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796 napi_poll net/core/dev.c:6532 [inline] net_rx_action+0x508/0x1120 net/core/dev.c:6600 __do_softirq+0x262/0x98c kernel/softirq.c:292 run_ksoftirqd kernel/softirq.c:603 [inline] run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595 smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Allocated by task 8247: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] __kasan_kmalloc mm/kasan/common.c:513 [inline] __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521 slab_post_alloc_hook mm/slab.h:584 [inline] slab_alloc mm/slab.c:3320 [inline] kmem_cache_alloc+0x121/0x710 mm/slab.c:3484 sock_alloc_inode+0x1c/0x1d0 net/socket.c:240 alloc_inode+0x68/0x1e0 fs/inode.c:230 new_inode_pseudo+0x19/0xf0 fs/inode.c:919 sock_alloc+0x41/0x270 net/socket.c:560 __sock_create+0xc2/0x730 net/socket.c:1384 sock_create net/socket.c:1471 [inline] __sys_socket+0x103/0x220 net/socket.c:1513 __do_sys_socket net/socket.c:1522 [inline] __se_sys_socket net/socket.c:1520 [inline] __ia32_sys_socket+0x73/0xb0 net/socket.c:1520 do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline] do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408 entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139 Freed by task 17: save_stack+0x23/0x90 mm/kasan/common.c:72 set_track mm/kasan/common.c:80 [inline] kasan_set_free_info mm/kasan/common.c:335 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474 kasan_slab_free+0xe/0x10 mm/kasan/common.c:483 __cache_free mm/slab.c:3426 [inline] kmem_cache_free+0x86/0x320 mm/slab.c:3694 sock_free_inode+0x20/0x30 net/socket.c:261 i_callback+0x44/0x80 fs/inode.c:219 __rcu_reclaim kernel/rcu/rcu.h:222 [inline] rcu_do_batch kernel/rcu/tree.c:2183 [inline] rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408 rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417 __do_softirq+0x262/0x98c kernel/softirq.c:292 The buggy address belongs to the object at ffff88801e0b4000 which belongs to the cache sock_inode_cache of size 1152 The buggy address is located 120 bytes inside of 1152-byte region [ffff88801e0b4000, ffff88801e0b4480) The buggy address belongs to the page: page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40 raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb Fixes: abf9d537fea2 ("llc: add support for SO_BINDTODEVICE") Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 73e42f4d2d13478d17534b855d776c7c3236dff7 Author: Xin Long Date: Tue Jul 7 02:02:32 2020 +0800 l2tp: remove skb_dst_set() from l2tp_xmit_skb() [ Upstream commit 27d53323664c549b5bb2dfaaf6f7ad6e0376a64e ] In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set skb's dst. However, it will eventually call inet6_csk_xmit() or ip_queue_xmit() where skb's dst will be overwritten by: skb_dst_set_noref(skb, dst); without releasing the old dst in skb. Then it causes dst/dev refcnt leak: unregister_netdevice: waiting for eth0 to become free. Usage count = 1 This can be reproduced by simply running: # modprobe l2tp_eth && modprobe l2tp_ip # sh ./tools/testing/selftests/net/l2tp.sh So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst should be dropped. This patch is to fix it by removing skb_dst_set() from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core(). Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core") Reported-by: Hangbin Liu Signed-off-by: Xin Long Acked-by: James Chapman Tested-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f8646548ee4677fb51597dee16647640c276176d Author: David Ahern Date: Tue Jul 7 07:39:24 2020 -0600 ipv6: Fix use of anycast address with loopback [ Upstream commit aea23c323d89836bcdcee67e49def997ffca043b ] Thomas reported a regression with IPv6 and anycast using the following reproducer: echo 1 > /proc/sys/net/ipv6/conf/all/forwarding ip -6 a add fc12::1/16 dev lo sleep 2 echo "pinging lo" ping6 -c 2 fc12:: The conversion of addrconf_f6i_alloc to use ip6_route_info_create missed the use of fib6_is_reject which checks addresses added to the loopback interface and sets the REJECT flag as needed. Update fib6_is_reject for loopback checks to handle RTF_ANYCAST addresses. Fixes: c7a1ce397ada ("ipv6: Change addrconf_f6i_alloc to use ip6_route_info_create") Reported-by: thomas.gambier@nexedi.com Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 75270f8196666c5bf4aeecacc08d114765931bee Author: David Ahern Date: Mon Jul 6 11:45:07 2020 -0600 ipv6: fib6_select_path can not use out path for nexthop objects [ Upstream commit 34fe5a1cf95c3f114068fc16d919c9cf4b00e428 ] Brian reported a crash in IPv6 code when using rpfilter with a setup running FRR and external nexthop objects. The root cause of the crash is fib6_select_path setting fib6_nh in the result to NULL because of an improper check for nexthop objects. More specifically, rpfilter invokes ip6_route_lookup with flowi6_oif set causing fib6_select_path to be called with have_oif_match set. fib6_select_path has early check on have_oif_match and jumps to the out label which presumes a builtin fib6_nh. This path is invalid for nexthop objects; for external nexthops fib6_select_path needs to just return if the fib6_nh has already been set in the result otherwise it returns after the call to nexthop_path_fib6_result. Update the check on have_oif_match to not bail on external nexthops. Update selftests for this problem. Fixes: f88d8ea67fbd ("ipv6: Plumb support for nexthop object in a fib6_info") Reported-by: Brian Rak Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1418b60e998b2c329e205a30ce85a4dfb9a40f68 Author: Sabrina Dubroca Date: Fri Jul 3 17:00:32 2020 +0200 ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg [ Upstream commit 5eff06902394425c722f0a44d9545909a8800f79 ] IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to incomplete IPsec ACQUIRE messages being sent to userspace. Currently, both raw sockets and IPv6 ping sockets set those fields. Expected output of "ip xfrm monitor": acquire proto esp sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4 policy src 10.0.2.15/32 dst 8.8.8.8/32 Currently with ping sockets: acquire proto esp sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4 policy src 10.0.2.15/32 dst 8.8.8.8/32 The Libreswan test suite found this problem after Fedora changed the value for the sysctl net.ipv4.ping_group_range. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Reported-by: Paul Wouters Tested-by: Paul Wouters Signed-off-by: Sabrina Dubroca Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7b42410d3556fe45a225ced1e7d7e1c88545e147 Author: Sean Tranchetti Date: Tue Jun 30 11:50:17 2020 -0600 genetlink: remove genl_bind [ Upstream commit 1e82a62fec613844da9e558f3493540a5b7a7b67 ] A potential deadlock can occur during registering or unregistering a new generic netlink family between the main nl_table_lock and the cb_lock where each thread wants the lock held by the other, as demonstrated below. 1) Thread 1 is performing a netlink_bind() operation on a socket. As part of this call, it will call netlink_lock_table(), incrementing the nl_table_users count to 1. 2) Thread 2 is registering (or unregistering) a genl_family via the genl_(un)register_family() API. The cb_lock semaphore will be taken for writing. 3) Thread 1 will call genl_bind() as part of the bind operation to handle subscribing to GENL multicast groups at the request of the user. It will attempt to take the cb_lock semaphore for reading, but it will fail and be scheduled away, waiting for Thread 2 to finish the write. 4) Thread 2 will call netlink_table_grab() during the (un)registration call. However, as Thread 1 has incremented nl_table_users, it will not be able to proceed, and both threads will be stuck waiting for the other. genl_bind() is a noop, unless a genl_family implements the mcast_bind() function to handle setting up family-specific multicast operations. Since no one in-tree uses this functionality as Cong pointed out, simply removing the genl_bind() function will remove the possibility for deadlock, as there is no attempt by Thread 1 above to take the cb_lock semaphore. Fixes: c380d9a7afff ("genetlink: pass multicast bind/unbind to families") Suggested-by: Cong Wang Acked-by: Johannes Berg Reported-by: kernel test robot Signed-off-by: Sean Tranchetti Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit aef7a9e21aa6fcc11b8e14330e12857d0059716c Author: Linus Lüssing Date: Sun Jul 5 21:10:17 2020 +0200 bridge: mcast: Fix MLD2 Report IPv6 payload length check [ Upstream commit 5fc6266af7b427243da24f3443a50cd4584aac06 ] Commit e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") introduced a bug in the IPv6 header payload length check which would potentially lead to rejecting a valid MLD2 Report: The check needs to take into account the 2 bytes for the "Number of Sources" field in the "Multicast Address Record" before reading it. And not the size of a pointer to this field. Fixes: e57f61858b7c ("net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling") Acked-by: Nikolay Aleksandrov Signed-off-by: Linus Lüssing Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 587ccf092e28b8130ee30a19da0e37a62fd9594b Author: Taehee Yoo Date: Thu Jul 2 17:08:18 2020 +0000 net: rmnet: fix lower interface leak commit 2a762e9e8cd1cf1242e4269a2244666ed02eecd1 upstream. There are two types of the lower interface of rmnet that are VND and BRIDGE. Each lower interface can have only one type either VND or BRIDGE. But, there is a case, which uses both lower interface types. Due to this unexpected behavior, lower interface leak occurs. Test commands: ip link add dummy0 type dummy ip link add dummy1 type dummy ip link add rmnet0 link dummy0 type rmnet mux_id 1 ip link set dummy1 master rmnet0 ip link add rmnet1 link dummy1 type rmnet mux_id 2 ip link del rmnet0 The dummy1 was attached as BRIDGE interface of rmnet0. Then, it also was attached as VND interface of rmnet1. This is unexpected behavior and there is no code for handling this case. So that below splat occurs when the rmnet0 interface is deleted. Splat looks like: [ 53.254112][ C1] WARNING: CPU: 1 PID: 1192 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0 [ 53.254117][ C1] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nfx [ 53.254182][ C1] CPU: 1 PID: 1192 Comm: ip Not tainted 5.8.0-rc1+ #620 [ 53.254188][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006 [ 53.254192][ C1] RIP: 0010:rollback_registered_many+0x986/0xcf0 [ 53.254200][ C1] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 0f 0b e5 [ 53.254205][ C1] RSP: 0018:ffff888050a5f2e0 EFLAGS: 00010287 [ 53.254214][ C1] RAX: ffff88805756d658 RBX: ffff88804d99c000 RCX: ffffffff8329d323 [ 53.254219][ C1] RDX: 1ffffffff0be6410 RSI: 0000000000000008 RDI: ffffffff85f32080 [ 53.254223][ C1] RBP: dffffc0000000000 R08: fffffbfff0be6411 R09: fffffbfff0be6411 [ 53.254228][ C1] R10: ffffffff85f32087 R11: 0000000000000001 R12: ffff888050a5f480 [ 53.254233][ C1] R13: ffff88804d99c0b8 R14: ffff888050a5f400 R15: ffff8880548ebe40 [ 53.254238][ C1] FS: 00007f6b86b370c0(0000) GS:ffff88806c200000(0000) knlGS:0000000000000000 [ 53.254243][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 53.254248][ C1] CR2: 0000562c62438758 CR3: 000000003f600005 CR4: 00000000000606e0 [ 53.254253][ C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 53.254257][ C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 53.254261][ C1] Call Trace: [ 53.254266][ C1] ? lockdep_hardirqs_on_prepare+0x379/0x540 [ 53.254270][ C1] ? netif_set_real_num_tx_queues+0x780/0x780 [ 53.254275][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] [ 53.254279][ C1] ? __kasan_slab_free+0x126/0x150 [ 53.254283][ C1] ? kfree+0xdc/0x320 [ 53.254288][ C1] ? rmnet_unregister_real_device+0x56/0x90 [rmnet] [ 53.254293][ C1] unregister_netdevice_many.part.135+0x13/0x1b0 [ 53.254297][ C1] rtnl_delete_link+0xbc/0x100 [ 53.254301][ C1] ? rtnl_af_register+0xc0/0xc0 [ 53.254305][ C1] rtnl_dellink+0x2dc/0x840 [ 53.254309][ C1] ? find_held_lock+0x39/0x1d0 [ 53.254314][ C1] ? valid_fdb_dump_strict+0x620/0x620 [ 53.254318][ C1] ? rtnetlink_rcv_msg+0x457/0x890 [ 53.254322][ C1] ? lock_contended+0xd20/0xd20 [ 53.254326][ C1] rtnetlink_rcv_msg+0x4a8/0x890 [ ... ] [ 73.813696][ T1192] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1 Fixes: 037f9cdf72fb ("net: rmnet: use upper/lower device infrastructure") Signed-off-by: Taehee Yoo Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d06c17fcd7c03ba1e038795645be75d0ea16743e Author: Dmitry Bogdanov Date: Wed Jul 8 17:17:10 2020 +0300 net: atlantic: fix ip dst and ipv6 address filters commit a42e6aee7f47a8a68d09923c720fc8f605a04207 upstream. This patch fixes ip dst and ipv6 address filters. There were 2 mistakes in the code, which led to the issue: * invalid register was used for ipv4 dst address; * incorrect write order of dwords for ipv6 addresses. Fixes: 23e7a718a49b ("net: aquantia: add rx-flow filter definitions") Signed-off-by: Dmitry Bogdanov Signed-off-by: Mark Starovoytov Signed-off-by: Alexander Lobakin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit de93c1c104ac45a881117688146dacd8af2cc582 Author: YueHaibing Date: Wed Nov 13 17:55:50 2019 +0800 crypto: atmel - Fix build error of CRYPTO_AUTHENC commit aee1f9f3c30e1e20e7f74729ced61eac7d74ca68 upstream. If CRYPTO_DEV_ATMEL_AUTHENC is m, CRYPTO_DEV_ATMEL_SHA is m, but CRYPTO_DEV_ATMEL_AES is y, building will fail: drivers/crypto/atmel-aes.o: In function `atmel_aes_authenc_init_tfm': atmel-aes.c:(.text+0x670): undefined reference to `atmel_sha_authenc_get_reqsize' atmel-aes.c:(.text+0x67a): undefined reference to `atmel_sha_authenc_spawn' drivers/crypto/atmel-aes.o: In function `atmel_aes_authenc_setkey': atmel-aes.c:(.text+0x7e5): undefined reference to `atmel_sha_authenc_setkey' Make CRYPTO_DEV_ATMEL_AUTHENC depend on CRYPTO_DEV_ATMEL_AES, and select CRYPTO_DEV_ATMEL_SHA and CRYPTO_AUTHENC for it under there. Reported-by: Hulk Robot Suggested-by: Herbert Xu Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to...") Signed-off-by: YueHaibing Reviewed-by: Tudor Ambarus Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1f21bb70d7b1876a7745a0e3c0129844b0e48666 Author: Tudor Ambarus Date: Fri Nov 1 16:40:37 2019 +0000 crypto: atmel - Fix selection of CRYPTO_AUTHENC commit d158367682cd822aca811971e988be6a8d8f679f upstream. The following error is raised when CONFIG_CRYPTO_DEV_ATMEL_AES=y and CONFIG_CRYPTO_DEV_ATMEL_AUTHENC=m: drivers/crypto/atmel-aes.o: In function `atmel_aes_authenc_setkey': atmel-aes.c:(.text+0x9bc): undefined reference to `crypto_authenc_extractkeys' Makefile:1094: recipe for target 'vmlinux' failed Fix it by moving the selection of CRYPTO_AUTHENC under config CRYPTO_DEV_ATMEL_AES. Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to...") Signed-off-by: Tudor Ambarus Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman