commit 66534fe2b9400003b0f49cc94686a162132b64e7 Author: Greg Kroah-Hartman Date: Thu Sep 3 11:29:52 2020 +0200 Linux 5.8.6 Tested-by: Shuah Khan Tested-by: Linux Kernel Functional Testing Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit e54835be930d27f9e9db9ffdbb4a4d9785d06e18 Author: Hector Martin Date: Sun Aug 16 17:44:31 2020 +0900 ALSA: usb-audio: Update documentation comment for MS2109 quirk commit 74a2a7de81a2ef20732ec02087314e92692a7a1b upstream. As the recent fix addressed the channel swap problem more properly, update the comment as well. Fixes: 1b7ecc241a67 ("ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109") Signed-off-by: Hector Martin Link: https://lore.kernel.org/r/20200816084431.102151-1-marcan@marcan.st Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit a34b7526320e5559de993ec7174eefc28a7505cc Author: Dan Carpenter Date: Wed Aug 26 14:33:30 2020 +0300 dma-pool: Fix an uninitialized variable bug in atomic_pool_expand() commit 892fc9f6835ecf075efac20789b012c5c9997fcc upstream. The "page" pointer can be used with out being initialized. Fixes: d7e673ec2c8e ("dma-pool: Only allocate from CMA when in same memory zone") Signed-off-by: Dan Carpenter Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit f880d69b28101a050a2cd1290f9e4191434da1b4 Author: Roland Scheidegger Date: Fri Aug 7 22:04:33 2020 +0200 drm/vmwgfx/ldu: Use drm_mode_config_reset commit 981243371a5d832af5bc572071172e955d02fe88 upstream. Same problem as in stdu, same fix. Fixes: 51f644b40b4b ("drm/atomic-helper: reset vblank on crtc reset") Acked-by: Charmaine Lee Reviewed-by: Zack Rusin Signed-off-by: Roland Scheidegger Signed-off-by: Greg Kroah-Hartman commit 01736d379ece194f04ef5ae1ac7f438b9acfb50e Author: Roland Scheidegger Date: Fri Aug 7 22:03:42 2020 +0200 drm/vmwgfx/sou: Use drm_mode_config_reset commit 1338441cf166e2ef789af5915b961d4e13a4ec31 upstream. Same problem as in stdu, same fix. Fixes: 51f644b40b4b ("drm/atomic-helper: reset vblank on crtc reset") Acked-by: Charmaine Lee Reviewed-by: Zack Rusin Signed-off-by: Roland Scheidegger Signed-off-by: Greg Kroah-Hartman commit 4ba591d72a7033cdc20afcdbc3f3d130e5d80e8b Author: Daniel Vetter Date: Thu Aug 6 17:42:27 2020 +0200 drm/vmwgfx/stdu: Use drm_mode_config_reset commit 68745d1edf1700a668c15ecbed466d18f14c7e9b upstream. When converting to atomic the state reset was done by directly calling the functions, and before the modeset object was fully initialized. This means the various ->dev pointers weren't set up. After commit 51f644b40b4b794b28b982fdd5d0dd8ee63f9272 Author: Daniel Vetter Date: Fri Jun 12 18:00:49 2020 +0200 drm/atomic-helper: reset vblank on crtc reset this started to oops because now we're trying to derefence drm_crtc->dev. Fix this up by entirely switching over to drm_mode_config_reset, called once everything is set up. Fixes: 51f644b40b4b ("drm/atomic-helper: reset vblank on crtc reset") Reported-by: Tetsuo Handa Cc: Tetsuo Handa Signed-off-by: Daniel Vetter Tested-by: Roland Scheidegger Signed-off-by: Roland Scheidegger Signed-off-by: Greg Kroah-Hartman commit 7947e0ba4ccaf4ee364c52d32014d4c782a0a67c Author: Peilin Ye Date: Wed Jul 29 07:37:12 2020 -0400 HID: hiddev: Fix slab-out-of-bounds write in hiddev_ioctl_usage() commit 25a097f5204675550afb879ee18238ca917cba7a upstream. `uref->usage_index` is not always being properly checked, causing hiddev_ioctl_usage() to go out of bounds under some cases. Fix it. Reported-by: syzbot+34ee1b45d88571c2fa8b@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=f2aebe90b8c56806b050a20b36f51ed6acabe802 Reviewed-by: Dan Carpenter Signed-off-by: Peilin Ye Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 9d960a74b43aaa127608ee5927218aaeadca7d61 Author: Qian Cai Date: Fri Aug 14 17:31:34 2020 -0700 mm/page_counter: fix various data races at memsw commit 6e4bd50f3888fa8fea8bc66a0ad4ad5f1c862961 upstream. Commit 3e32cb2e0a12 ("mm: memcontrol: lockless page counters") could had memcg->memsw->watermark and memcg->memsw->failcnt been accessed concurrently as reported by KCSAN, BUG: KCSAN: data-race in page_counter_try_charge / page_counter_try_charge read to 0xffff8fb18c4cd190 of 8 bytes by task 1081 on cpu 59: page_counter_try_charge+0x4d/0x150 mm/page_counter.c:138 try_charge+0x131/0xd50 mm/memcontrol.c:2405 __memcg_kmem_charge_memcg+0x58/0x140 __memcg_kmem_charge+0xcc/0x280 __alloc_pages_nodemask+0x1e1/0x450 alloc_pages_current+0xa6/0x120 pte_alloc_one+0x17/0xd0 __pte_alloc+0x3a/0x1f0 copy_p4d_range+0xc36/0x1990 copy_page_range+0x21d/0x360 dup_mmap+0x5f5/0x7a0 dup_mm+0xa2/0x240 copy_process+0x1b3f/0x3460 _do_fork+0xaa/0xa20 __x64_sys_clone+0x13b/0x170 do_syscall_64+0x91/0xb47 entry_SYSCALL_64_after_hwframe+0x49/0xbe write to 0xffff8fb18c4cd190 of 8 bytes by task 1153 on cpu 120: page_counter_try_charge+0x5b/0x150 mm/page_counter.c:139 try_charge+0x131/0xd50 mm/memcontrol.c:2405 mem_cgroup_try_charge+0x159/0x460 mem_cgroup_try_charge_delay+0x3d/0xa0 wp_page_copy+0x14d/0x930 do_wp_page+0x107/0x7b0 __handle_mm_fault+0xce6/0xd40 handle_mm_fault+0xfc/0x2f0 do_page_fault+0x263/0x6f9 page_fault+0x34/0x40 BUG: KCSAN: data-race in page_counter_try_charge / page_counter_try_charge write to 0xffff88809bbf2158 of 8 bytes by task 11782 on cpu 0: page_counter_try_charge+0x100/0x170 mm/page_counter.c:129 try_charge+0x185/0xbf0 mm/memcontrol.c:2405 __memcg_kmem_charge_memcg+0x4a/0xe0 mm/memcontrol.c:2837 __memcg_kmem_charge+0xcf/0x1b0 mm/memcontrol.c:2877 __alloc_pages_nodemask+0x26c/0x310 mm/page_alloc.c:4780 read to 0xffff88809bbf2158 of 8 bytes by task 11814 on cpu 1: page_counter_try_charge+0xef/0x170 mm/page_counter.c:129 try_charge+0x185/0xbf0 mm/memcontrol.c:2405 __memcg_kmem_charge_memcg+0x4a/0xe0 mm/memcontrol.c:2837 __memcg_kmem_charge+0xcf/0x1b0 mm/memcontrol.c:2877 __alloc_pages_nodemask+0x26c/0x310 mm/page_alloc.c:4780 Since watermark could be compared or set to garbage due to a data race which would change the code logic, fix it by adding a pair of READ_ONCE() and WRITE_ONCE() in those places. The "failcnt" counter is tolerant of some degree of inaccuracy and is only used to report stats, a data race will not be harmful, thus mark it as an intentional data race using the data_race() macro. Fixes: 3e32cb2e0a12 ("mm: memcontrol: lockless page counters") Reported-by: syzbot+f36cfe60b1006a94f9dc@syzkaller.appspotmail.com Signed-off-by: Qian Cai Signed-off-by: Andrew Morton Acked-by: Michal Hocko Cc: David Hildenbrand Cc: Tetsuo Handa Cc: Marco Elver Cc: Dmitry Vyukov Cc: Johannes Weiner Link: http://lkml.kernel.org/r/1581519682-23594-1-git-send-email-cai@lca.pw Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b65258eb82ccbb1486d0b9bba0e565524cc11cb1 Author: Tetsuo Handa Date: Thu Jul 30 19:47:14 2020 +0900 fbmem: pull fbcon_update_vcs() out of fb_set_var() [ Upstream commit d88ca7e1a27eb2df056bbf37ddef62e1c73d37ea ] syzbot is reporting OOB read bug in vc_do_resize() [1] caused by memcpy() based on outdated old_{rows,row_size} values, for resize_screen() can recurse into vc_do_resize() which changes vc->vc_{cols,rows} that outdates old_{rows,row_size} values which were saved before calling resize_screen(). Daniel Vetter explained that resize_screen() should not recurse into fbcon_update_vcs() path due to FBINFO_MISC_USEREVENT being still set when calling resize_screen(). Instead of masking FBINFO_MISC_USEREVENT before calling fbcon_update_vcs(), we can remove FBINFO_MISC_USEREVENT by calling fbcon_update_vcs() only if fb_set_var() returned 0. This change assumes that it is harmless to call fbcon_update_vcs() when fb_set_var() returned 0 without reaching fb_notifier_call_chain(). [1] https://syzkaller.appspot.com/bug?id=c70c88cfd16dcf6e1d3c7f0ab8648b3144b5b25e Reported-and-tested-by: syzbot Suggested-by: Daniel Vetter Signed-off-by: Tetsuo Handa Reported-by: kernel test robot for missing #include Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/075b7e37-3278-cd7d-31ab-c5073cfa8e92@i-love.sakura.ne.jp Signed-off-by: Sasha Levin commit d88c0bef707013aa59d500ae99284ae736e16b2e Author: Daniel Vetter Date: Fri Jun 12 18:00:49 2020 +0200 drm/atomic-helper: reset vblank on crtc reset [ Upstream commit 51f644b40b4b794b28b982fdd5d0dd8ee63f9272 ] Only when vblanks are supported ofc. Some drivers do this already, but most unfortunately missed it. This opens up bugs after driver load, before the crtc is enabled for the first time. syzbot spotted this when loading vkms as a secondary output. Given how many drivers are buggy it's best to solve this once and for all in shared helper code. Aside from moving the few existing calls to drm_crtc_vblank_reset into helpers (i915 doesn't use helpers, so keeps its own) I think the regression risk is minimal: atomic helpers already rely on drivers calling drm_crtc_vblank_on/off correctly in their hooks when they support vblanks. And driver that's failing to handle vblanks after this is missing those calls already, and vblanks could only work by accident when enabling a CRTC for the first time right after boot. Big thanks to Tetsuo for helping track down what's going wrong here. There's only a few drivers which already had the necessary call and needed some updating: - komeda, atmel and tidss also needed to be changed to call __drm_atomic_helper_crtc_reset() intead of open coding it - tegra and msm even had it in the same place already, just code motion, and malidp already uses __drm_atomic_helper_crtc_reset(). - Laurent noticed that rcar-du and omap open-code their crtc reset and hence would actually be broken by this patch now. So fix them up by reusing the helpers, which brings the drm_crtc_vblank_reset() back. Only call left is in i915, which doesn't use drm_mode_config_reset, but has its own fastboot infrastructure. So that's the only case where we actually want this in the driver still. I've also reviewed all other drivers which set up vblank support with drm_vblank_init. After the previous patch fixing mxsfb all atomic drivers do call drm_crtc_vblank_on/off as they should, the remaining drivers are either legacy kms or legacy dri1 drivers, so not affected by this change to atomic helpers. v2: Use the drm_dev_has_vblank() helper. v3: Laurent pointed out that omap and rcar-du used drm_crtc_vblank_off instead of drm_crtc_vblank_reset. Adjust them too. v4: Laurent noticed that rcar-du and omap open-code their crtc reset and hence would actually be broken by this patch now. So fix them up by reusing the helpers, which brings the drm_crtc_vblank_reset() back. v5: also mention rcar-du and ompadrm in the proper commit message above (Laurent). Reviewed-by: Laurent Pinchart Acked-by: Maxime Ripard Cc: Laurent Pinchart Reviewed-by: Boris Brezillon Acked-by: Liviu Dudau Acked-by: Thierry Reding Link: https://syzkaller.appspot.com/bug?id=0ba17d70d062b2595e1f061231474800f076c7cb Reported-by: Tetsuo Handa Reported-by: syzbot+0871b14ca2e2fb64f6e3@syzkaller.appspotmail.com Cc: Tetsuo Handa Cc: "James (Qian) Wang" Cc: Liviu Dudau Cc: Mihail Atanassov Cc: Brian Starkey Cc: Sam Ravnborg Cc: Boris Brezillon Cc: Nicolas Ferre Cc: Alexandre Belloni Cc: Ludovic Desroches Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: Thierry Reding Cc: Jonathan Hunter Cc: Jyri Sarha Cc: Tomi Valkeinen Cc: Rob Clark Cc: Sean Paul Cc: Brian Masney Cc: Emil Velikov Cc: zhengbin Cc: Thomas Gleixner Cc: linux-tegra@vger.kernel.org Cc: Kieran Bingham Cc: linux-arm-kernel@lists.infradead.org Cc: linux-renesas-soc@vger.kernel.org Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20200612160056.2082681-1-daniel.vetter@ffwll.ch Signed-off-by: Sasha Levin commit e93fd7a49023c16ae6da90ff8605be5d384bb81c Author: Jens Axboe Date: Wed Aug 26 10:36:20 2020 -0600 io_uring: make offset == -1 consistent with preadv2/pwritev2 [ Upstream commit 0fef948363f62494d779cf9dc3c0a86ea1e5f7cd ] The man page for io_uring generally claims were consistent with what preadv2 and pwritev2 accept, but turns out there's a slight discrepancy in how offset == -1 is handled for pipes/streams. preadv doesn't allow it, but preadv2 does. This currently causes io_uring to return -EINVAL if that is attempted, but we should allow that as documented. This change makes us consistent with preadv2/pwritev2 for just passing in a NULL ppos for streams if the offset is -1. Cc: stable@vger.kernel.org # v5.7+ Reported-by: Benedikt Ames Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 9ab83e1c4a31601a0006f8d26353012dc8876a92 Author: Jens Axboe Date: Tue Aug 25 12:27:50 2020 -0600 io_uring: don't use poll handler if file can't be nonblocking read/written [ Upstream commit 9dab14b81807a40dab8e464ec87043935c562c2c ] There's no point in using the poll handler if we can't do a nonblocking IO attempt of the operation, since we'll need to go async anyway. In fact this is actively harmful, as reading from eg pipes won't return 0 to indicate EOF. Cc: stable@vger.kernel.org # v5.7+ Reported-by: Benedikt Ames Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b7e397bcba0a0f8cc7aee8c8d9b5aa9a82c4fbe7 Author: Jens Axboe Date: Sun Aug 23 11:00:37 2020 -0600 io_uring: don't recurse on tsk->sighand->siglock with signalfd [ Upstream commit fd7d6de2241453fc7d042336d366a939a25bc5a9 ] If an application is doing reads on signalfd, and we arm the poll handler because there's no data available, then the wakeup can recurse on the tasks sighand->siglock as the signal delivery from task_work_add() will use TWA_SIGNAL and that attempts to lock it again. We can detect the signalfd case pretty easily by comparing the poll->head wait_queue_head_t with the target task signalfd wait queue. Just use normal task wakeup for this case. Cc: stable@vger.kernel.org # v5.7+ Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b727b92fd33b7d09b986cfb043d71a47ae362633 Author: Badhri Jagan Sridharan Date: Mon Aug 17 11:46:01 2020 -0700 usb: typec: tcpm: Fix Fix source hard reset response for TDA 2.3.1.1 and TDA 2.3.1.2 failures commit 23e26d0577535f5ffe4ff8ed6d06e009553c0bca upstream. The patch addresses the compliance test failures while running TDA 2.3.1.1 and TDA 2.3.1.2 of the "PD Communications Engine USB PD Compliance MOI" test plan published in https://www.usb.org/usbc. For a product to be Type-C compliant, it's expected that these tests are run on usb.org certified Type-C compliance tester as mentioned in https://www.usb.org/usbc. While the purpose of TDA 2.3.1.1 and TDA 2.3.1.2 is to verify that the static and dynamic electrical capabilities of a Source meet the requirements for each PDO offered, while doing so, the tests also monitor that the timing of the VBUS waveform versus the messages meets the requirements for Hard Reset defined in PROT-PROC-HR-TSTR as mentioned in step 11 of TDA.2.3.1.1 and step 15 of TDA.2.3.1.2. TDB.2.2.13.1: PROT-PROC-HR-TSTR Procedure and Checks for Tester Originated Hard Reset Purpose: To perform the appropriate protocol checks relating to any circumstance in which the Hard Reset signal is sent by the Tester. UUT is behaving as source: The Tester sends a Hard Reset signal. 1. Check VBUS stays within present valid voltage range for tPSHardReset min (25ms) after last bit of Hard Reset signal. [PROT_PROC_HR_TSTR_1] 2. Check that VBUS starts to fall below present valid voltage range by tPSHardReset max (35ms). [PROT_PROC_HR_TSTR_2] 3. Check that VBUS reaches vSafe0V within tSafe0v max (650 ms). [PROT_PROC_HR_TSTR_3] 4. Check that VBUS starts rising to vSafe5V after a delay of tSrcRecover (0.66s - 1s) from reaching vSafe0V. [PROT_PROC_HR_TSTR_4] 5. Check that VBUS reaches vSafe5V within tSrcTurnOn max (275ms) of rising above vSafe0v max (0.8V). [PROT_PROC_HR_TSTR_5] Power Delivery Compliance Plan 139 6. Check that Source Capabilities are finished sending within tFirstSourceCap max (250ms) of VBUS reaching vSafe5v min. [PROT_PROC_HR_TSTR_6]. This is in line with 7.1.5 Response to Hard Resets of the USB Power Delivery Specification Revision 3.0, Version 1.2, "Hard Reset Signaling indicates a communication failure has occurred and the Source Shall stop driving VCONN, Shall remove Rp from the VCONN pin and Shall drive VBUS to vSafe0V as shown in Figure 7-9. The USB connection May reset during a Hard Reset since the VBUS voltage will be less than vSafe5V for an extended period of time. After establishing the vSafe0V voltage condition on VBUS, the Source Shall wait tSrcRecover before re-applying VCONN and restoring VBUS to vSafe5V. A Source Shall conform to the VCONN timing as specified in [USB Type-C 1.3]." With the above guidelines from the spec in mind, TCPM does not turn off VCONN while entering SRC_HARD_RESET_VBUS_OFF. The patch makes TCPM turn off VCONN while entering SRC_HARD_RESET_VBUS_OFF and turn it back on while entering SRC_HARD_RESET_VBUS_ON along with vbus instead of having VCONN on through hardreset. Also, the spec clearly states that "After establishing the vSafe0V voltage condition on VBUS", the Source Shall wait tSrcRecover before re-applying VCONN and restoring VBUS to vSafe5V. TCPM does not conform to this requirement. If the TCPC driver calls tcpm_vbus_change with vbus off signal, TCPM right away enters SRC_HARD_RESET_VBUS_ON without waiting for tSrcRecover. For TCPC's which are buggy/does not call tcpm_vbus_change, TCPM assumes that the vsafe0v is instantaneous as TCPM only waits tSrcRecover instead of waiting for tSafe0v + tSrcRecover. This patch also fixes this behavior by making sure that TCPM waits for tSrcRecover before transitioning into SRC_HARD_RESET_VBUS_ON when tcpm_vbus_change is called by TCPC. When TCPC does not call tcpm_vbus_change, TCPM assumes the worst case i.e. tSafe0v + tSrcRecover before transitioning into SRC_HARD_RESET_VBUS_ON. Signed-off-by: Badhri Jagan Sridharan Reviewed-by: Guenter Roeck Reviewed-by: Heikki Krogerus Cc: stable Link: https://lore.kernel.org/r/20200817184601.1899929-1-badhri@google.com Signed-off-by: Greg Kroah-Hartman commit d597f82cc262cd67d49a3e8337ff8ff7ae07cc13 Author: Hans de Goede Date: Sun Aug 9 16:19:04 2020 +0200 usb: typec: ucsi: Hold con->lock for the entire duration of ucsi_register_port() commit bed97b30968ba354035a020989df0623e52b5536 upstream. Commit 081da1325d35 ("usb: typec: ucsi: displayport: Fix a potential race during registration") made the ucsi code hold con->lock in ucsi_register_displayport(). But we really don't want any interactions with the connector to run before the port-registration process is fully complete. This commit moves the taking of con->lock from ucsi_register_displayport() into ucsi_register_port() to achieve this. Cc: stable@vger.kernel.org Fixes: 081da1325d35 ("usb: typec: ucsi: displayport: Fix a potential race during registration") Signed-off-by: Hans de Goede Acked-by: Heikki Krogerus Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200809141904.4317-5-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 3c4cd68799f8d2e43c37b1b5707e1d281d193dae Author: Hans de Goede Date: Sun Aug 9 16:19:03 2020 +0200 usb: typec: ucsi: Rework ppm_lock handling commit 25794e3079d2a98547b6bf5764ef0240aa89b798 upstream. The ppm_lock really only needs to be hold during 2 functions: ucsi_reset_ppm() and ucsi_run_command(). Push the taking of the lock down into these 2 functions, renaming ucsi_run_command() to ucsi_send_command() which was an existing wrapper already taking the lock for its callers. This simplifies things for the callers and removes the difference between ucsi_send_command() and ucsi_run_command() which has led to various locking bugs in the past. Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Acked-by: Heikki Krogerus Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200809141904.4317-4-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 84e29c7cf5913311b72b663d93c3fac03626efd0 Author: Hans de Goede Date: Sun Aug 9 16:19:02 2020 +0200 usb: typec: ucsi: Fix 2 unlocked ucsi_run_command calls commit 7e90057f125c8c852940b848e06e7a72f050fc6f upstream. Fix 2 unlocked ucsi_run_command calls: 1. ucsi_handle_connector_change() contains one ucsi_send_command() call, which takes the ppm_lock for it; and one ucsi_run_command() call which relies on the caller have taking the ppm_lock. ucsi_handle_connector_change() does not take the lock, so the second (ucsi_run_command) calls should also be ucsi_send_command(). 2. ucsi_get_pdos() gets called from ucsi_handle_connector_change() which does not hold the ppm_lock, so it also must use ucsi_send_command(). This commit also adds a WARN_ON(!mutex_is_locked(&ucsi->ppm_lock)); to ucsi_run_command() to avoid similar problems getting re-introduced in the future. Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Acked-by: Heikki Krogerus Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200809141904.4317-3-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 4b59dabd317089f9c7addbc529bd49a45b246a77 Author: Hans de Goede Date: Sun Aug 9 16:19:01 2020 +0200 usb: typec: ucsi: Fix AB BA lock inversion commit 0ff0705a2ef2929e9326c95df48bdbebb0dafaad upstream. Lockdep reports an AB BA lock inversion between ucsi_init() and ucsi_handle_connector_change(): AB order: 1. ucsi_init takes ucsi->ppm_lock (it runs with that locked for the duration of the function) 2. usci_init eventually end up calling ucsi_register_displayport, which takes ucsi_connector->lock BA order: 1. ucsi_handle_connector_change work is started, takes ucsi_connector->lock 2. ucsi_handle_connector_change calls ucsi_send_command which takes ucsi->ppm_lock The ppm_lock really only needs to be hold during 2 functions: ucsi_reset_ppm() and ucsi_run_command(). This commit fixes the AB BA lock inversion by making ucsi_init drop the ucsi->ppm_lock before it starts registering ports; and replacing any ucsi_run_command() calls after this point with ucsi_send_command() (which is a wrapper around run_command taking the lock while handling the command). Some of the replacing of ucsi_run_command with ucsi_send_command in the helpers used during port registration also fixes a number of code paths after registration which call ucsi_run_command() without holding the ppm_lock: 1. ucsi_altmode_update_active() call in ucsi/displayport.c 2. ucsi_register_altmodes() call from ucsi_handle_connector_change() (through ucsi_partner_change()) Cc: stable@vger.kernel.org Signed-off-by: Hans de Goede Acked-by: Heikki Krogerus Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20200809141904.4317-2-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 53965c79c2dbdc898ffc7fdbab37e920594f5e14 Author: Bastien Nocera Date: Tue Aug 18 13:04:45 2020 +0200 USB: Fix device driver race commit d5643d2249b279077427b2c2b2ffae9b70c95b0b upstream. When a new device with a specialised device driver is plugged in, the new driver will be modprobe()'d but the driver core will attach the "generic" driver to the device. After that, nothing will trigger a reprobe when the modprobe()'d device driver has finished initialising, as the device has the "generic" driver attached to it. Trigger a reprobe ourselves when new specialised drivers get registered. Fixes: 88b7381a939d ("USB: Select better matching USB drivers when available") Signed-off-by: Bastien Nocera Cc: stable Acked-by: Alan Stern Link: https://lore.kernel.org/r/20200818110445.509668-3-hadess@hadess.net Signed-off-by: Greg Kroah-Hartman commit a18d5d456c009d69bd032fc96f4751d58e6ccc3a Author: Bastien Nocera Date: Tue Aug 18 13:04:43 2020 +0200 USB: Also match device drivers using the ->match vfunc commit adb6e6ac20eedcf1dce19dc75b224e63c0828ea1 upstream. We only ever used the ID table matching before, but we should also support open-coded match functions. Fixes: 88b7381a939de ("USB: Select better matching USB drivers when available") Signed-off-by: Bastien Nocera Cc: stable Acked-by: Alan Stern Link: https://lore.kernel.org/r/20200818110445.509668-1-hadess@hadess.net Signed-off-by: Greg Kroah-Hartman commit 0ca26ffe3c1f381f95a0c0bbb5e8241d8c7183cc Author: Alan Stern Date: Wed Aug 26 10:32:29 2020 -0400 usb: storage: Add unusual_uas entry for Sony PSZ drives commit 20934c0de13b49a072fb1e0ca79fe0fe0e40eae5 upstream. The PSZ-HA* family of USB disk drives from Sony can't handle the REPORT OPCODES command when using the UAS protocol. This patch adds an appropriate quirks entry. Reported-and-tested-by: Till Dörges Signed-off-by: Alan Stern CC: Link: https://lore.kernel.org/r/20200826143229.GB400430@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit fad19f628f5311feb71c3fd24165f9361496d970 Author: Tom Rix Date: Sat Aug 1 08:21:54 2020 -0700 USB: cdc-acm: rework notification_buffer resizing commit f4b9d8a582f738c24ebeabce5cc15f4b8159d74e upstream. Clang static analysis reports this error cdc-acm.c:409:3: warning: Use of memory after it is freed acm_process_notification(acm, (unsigned char *)dr); There are three problems, the first one is that dr is not reset The variable dr is set with if (acm->nb_index) dr = (struct usb_cdc_notification *)acm->notification_buffer; But if the notification_buffer is too small it is resized with if (acm->nb_size) { kfree(acm->notification_buffer); acm->nb_size = 0; } alloc_size = roundup_pow_of_two(expected_size); /* * kmalloc ensures a valid notification_buffer after a * use of kfree in case the previous allocation was too * small. Final freeing is done on disconnect. */ acm->notification_buffer = kmalloc(alloc_size, GFP_ATOMIC); dr should point to the new acm->notification_buffer. The second problem is any data in the notification_buffer is lost when the pointer is freed. In the normal case, the current data is accumulated in the notification_buffer here. memcpy(&acm->notification_buffer[acm->nb_index], urb->transfer_buffer, copy_size); When a resize happens, anything before notification_buffer[acm->nb_index] is garbage. The third problem is the acm->nb_index is not reset on a resizing buffer error. So switch resizing to using krealloc and reassign dr and reset nb_index. Fixes: ea2583529cd1 ("cdc-acm: reassemble fragmented notifications") Signed-off-by: Tom Rix Cc: stable Acked-by: Oliver Neukum Link: https://lore.kernel.org/r/20200801152154.20683-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit afb4204860164592cdc11e0fe89c5e314715bd98 Author: Thinh Nguyen Date: Thu Aug 6 19:46:35 2020 -0700 usb: dwc3: gadget: Handle ZLP for sg requests commit bc9a2e226ea95e1699f7590845554de095308b75 upstream. Currently dwc3 doesn't handle usb_request->zero for SG requests. This change checks and prepares extra TRBs for the ZLP for SG requests. Cc: # v4.5+ Fixes: 04c03d10e507 ("usb: dwc3: gadget: handle request->zero") Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 8301e3aa1c8d34ddcb4011710352604aa6fa1a06 Author: Thinh Nguyen Date: Thu Aug 6 19:46:29 2020 -0700 usb: dwc3: gadget: Fix handling ZLP commit d2ee3ff79e6a3d4105e684021017d100524dc560 upstream. The usb_request->zero doesn't apply for isoc. Also, if we prepare a 0-length (ZLP) TRB for the OUT direction, we need to prepare an extra TRB to pad up to the MPS alignment. Use the same bounce buffer for the ZLP TRB and the extra pad TRB. Cc: # v4.5+ Fixes: d6e5a549cc4d ("usb: dwc3: simplify ZLP handling") Fixes: 04c03d10e507 ("usb: dwc3: gadget: handle request->zero") Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit d884a90cec5ace7ca767788ca574e68f9af2998a Author: Thinh Nguyen Date: Thu Aug 6 19:46:23 2020 -0700 usb: dwc3: gadget: Don't setup more than requested commit 5d187c0454ef4c5e046a81af36882d4d515922ec upstream. The SG list may be set up with entry size more than the requested length. Check the usb_request->length and make sure that we don't setup the TRBs to send/receive more than requested. This case may occur when the SG entry is allocated up to a certain minimum size, but the request length is less than that. It can also occur when the request is reused for a different request length. Cc: # v4.18+ Fixes: a31e63b608ff ("usb: dwc3: gadget: Correct handling of scattergather lists") Signed-off-by: Thinh Nguyen Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit 3b9953fe57234e19f0ca333c5ff05b22e38790e2 Author: Andy Shevchenko Date: Wed Aug 26 22:21:19 2020 +0300 USB: gadget: u_f: Unbreak offset calculation in VLAs commit bfd08d06d978d0304eb6f7855b548aa2cd1c5486 upstream. Inadvertently the commit b1cd1b65afba ("USB: gadget: u_f: add overflow checks to VLA macros") makes VLA macros to always return 0 due to different scope of two variables of the same name. Obviously we need to have only one. Fixes: b1cd1b65afba ("USB: gadget: u_f: add overflow checks to VLA macros") Reported-by: Marek Szyprowski Tested-by: Marek Szyprowski Signed-off-by: Andy Shevchenko Cc: Brooke Basile Cc: stable Link: https://lore.kernel.org/r/20200826192119.56450-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit ae6a5394d9fbe118bc95cfe376d6a9d91d7547e8 Author: Brooke Basile Date: Tue Aug 25 09:07:27 2020 -0400 USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb() commit 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 upstream. Some values extracted by ncm_unwrap_ntb() could possibly lead to several different out of bounds reads of memory. Specifically the values passed to netdev_alloc_skb_ip_align() need to be checked so that memory is not overflowed. Resolve this by applying bounds checking to a number of different indexes and lengths of the structure parsing logic. Reported-by: Ilja Van Sprundel Signed-off-by: Brooke Basile Acked-by: Felipe Balbi Cc: stable Signed-off-by: Greg Kroah-Hartman commit 480e17846d321f922c22d1d6d418d270c3d89ba4 Author: Brooke Basile Date: Tue Aug 25 09:05:08 2020 -0400 USB: gadget: u_f: add overflow checks to VLA macros commit b1cd1b65afba95971fa457dfdb2c941c60d38c5b upstream. size can potentially hold an overflowed value if its assigned expression is left unchecked, leading to a smaller than needed allocation when vla_group_size() is used by callers to allocate memory. To fix this, add a test for saturation before declaring variables and an overflow check to (n) * sizeof(type). If the expression results in overflow, vla_group_size() will return SIZE_MAX. Reported-by: Ilja Van Sprundel Suggested-by: Kees Cook Signed-off-by: Brooke Basile Acked-by: Felipe Balbi Cc: stable Signed-off-by: Greg Kroah-Hartman commit ec5c2663d533b583b31d2723ef87d70ab41494e9 Author: Tang Bin Date: Wed Aug 26 22:49:31 2020 +0800 usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe() commit 1d4169834628d18b2392a2da92b7fbf5e8e2ce89 upstream. If the function platform_get_irq() failed, the negative value returned will not be detected here. So fix error handling in exynos_ohci_probe(). And when get irq failed, the function platform_get_irq() logs an error message, so remove redundant message here. Fixes: 62194244cf87 ("USB: Add Samsung Exynos OHCI diver") Signed-off-by: Zhang Shengju Cc: stable Signed-off-by: Tang Bin Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20200826144931.1828-1-tangbin@cmss.chinamobile.com Signed-off-by: Greg Kroah-Hartman commit 27cf2e50545a30c354755d6935c87210d94f2f44 Author: Cyril Roelandt Date: Tue Aug 25 23:22:31 2020 +0200 USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge commit 9aa37788e7ebb3f489fb4b71ce07adadd444264a upstream. This device does not support UAS properly and a similar entry already exists in drivers/usb/storage/unusual_uas.h. Without this patch, storage_probe() defers the handling of this device to UAS, which cannot handle it either. Tested-by: Brice Goglin Fixes: bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron SATA enclosure") Acked-by: Alan Stern CC: Signed-off-by: Cyril Roelandt Link: https://lore.kernel.org/r/20200825212231.46309-1-tipecaml@gmail.com Signed-off-by: Greg Kroah-Hartman commit 7eb94ea0e8e9fc9062b0e6d4d131dac2b23a9799 Author: Alan Stern Date: Wed Aug 26 15:46:24 2020 -0400 USB: quirks: Ignore duplicate endpoint on Sound Devices MixPre-D commit 068834a2773b6a12805105cfadbb3d4229fc6e0a upstream. The Sound Devices MixPre-D audio card suffers from the same defect as the Sound Devices USBPre2: an endpoint shared between a normal audio interface and a vendor-specific interface, in violation of the USB spec. Since the USB core now treats duplicated endpoints as bugs and ignores them, the audio endpoint isn't available and the card can't be used for audio capture. Along the same lines as commit bdd1b147b802 ("USB: quirks: blacklist duplicate ep on Sound Devices USBPre2"), this patch adds a quirks entry saying to ignore ep5in for interface 1, leaving it available for use with standard audio interface 2. Reported-and-tested-by: Jean-Christophe Barnoud Signed-off-by: Alan Stern CC: Fixes: 3e4f8e21c4f2 ("USB: core: fix check for duplicate endpoints") Link: https://lore.kernel.org/r/20200826194624.GA412633@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit 155288e45c8d406b707504cd2707b2cb3992f44b Author: Kai-Heng Feng Date: Fri Jul 31 13:16:20 2020 +0800 USB: quirks: Add no-lpm quirk for another Raydium touchscreen commit 5967116e8358899ebaa22702d09b0af57fef23e1 upstream. There's another Raydium touchscreen needs the no-lpm quirk: [ 1.339149] usb 1-9: New USB device found, idVendor=2386, idProduct=350e, bcdDevice= 0.00 [ 1.339150] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0 [ 1.339151] usb 1-9: Product: Raydium Touch System [ 1.339152] usb 1-9: Manufacturer: Raydium Corporation ... [ 6.450497] usb 1-9: can't set config #1, error -110 BugLink: https://bugs.launchpad.net/bugs/1889446 Signed-off-by: Kai-Heng Feng Cc: stable Link: https://lore.kernel.org/r/20200731051622.28643-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman commit 2b9be3af1037c4b470d9ae3f5a200472ed44ba09 Author: Thinh Nguyen Date: Tue Aug 18 19:27:47 2020 -0700 usb: uas: Add quirk for PNY Pro Elite commit 9a469bc9f32dd33c7aac5744669d21a023a719cd upstream. PNY Pro Elite USB 3.1 Gen 2 device (SSD) doesn't respond to ATA_12 pass-through command (i.e. it just hangs). If it doesn't support this command, it should respond properly to the host. Let's just add a quirk to be able to move forward with other operations. Cc: stable@vger.kernel.org Signed-off-by: Thinh Nguyen Link: https://lore.kernel.org/r/2b0585228b003eedcc82db84697b31477df152e0.1597803605.git.thinhn@synopsys.com Signed-off-by: Greg Kroah-Hartman commit 495f2f1b53d7ae8e5a2d4fa311bc1587e4e46caa Author: Alan Stern Date: Mon Aug 10 14:29:54 2020 -0400 USB: yurex: Fix bad gfp argument commit f176ede3a3bde5b398a6777a7f9ff091baa2d3ff upstream. The syzbot fuzzer identified a bug in the yurex driver: It passes GFP_KERNEL as a memory-allocation flag to usb_submit_urb() at a time when its state is TASK_INTERRUPTIBLE, not TASK_RUNNING: do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000370c7c68>] prepare_to_wait+0xb1/0x2a0 kernel/sched/wait.c:247 WARNING: CPU: 1 PID: 340 at kernel/sched/core.c:7253 __might_sleep+0x135/0x190 kernel/sched/core.c:7253 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 340 Comm: syz-executor677 Not tainted 5.8.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xf6/0x16e lib/dump_stack.c:118 panic+0x2aa/0x6e1 kernel/panic.c:231 __warn.cold+0x20/0x50 kernel/panic.c:600 report_bug+0x1bd/0x210 lib/bug.c:198 handle_bug+0x41/0x80 arch/x86/kernel/traps.c:234 exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254 asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536 RIP: 0010:__might_sleep+0x135/0x190 kernel/sched/core.c:7253 Code: 65 48 8b 1c 25 40 ef 01 00 48 8d 7b 10 48 89 fe 48 c1 ee 03 80 3c 06 00 75 2b 48 8b 73 10 48 c7 c7 e0 9e 06 86 e8 ed 12 f6 ff <0f> 0b e9 46 ff ff ff e8 1f b2 4b 00 e9 29 ff ff ff e8 15 b2 4b 00 RSP: 0018:ffff8881cdb77a28 EFLAGS: 00010282 RAX: 0000000000000000 RBX: ffff8881c6458000 RCX: 0000000000000000 RDX: ffff8881c6458000 RSI: ffffffff8129ec93 RDI: ffffed1039b6ef37 RBP: ffffffff86fdade2 R08: 0000000000000001 R09: ffff8881db32f54f R10: 0000000000000000 R11: 0000000030343354 R12: 00000000000001f2 R13: 0000000000000000 R14: 0000000000000068 R15: ffffffff83c1b1aa slab_pre_alloc_hook.constprop.0+0xea/0x200 mm/slab.h:498 slab_alloc_node mm/slub.c:2816 [inline] slab_alloc mm/slub.c:2900 [inline] kmem_cache_alloc_trace+0x46/0x220 mm/slub.c:2917 kmalloc include/linux/slab.h:554 [inline] dummy_urb_enqueue+0x7a/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1251 usb_hcd_submit_urb+0x2b2/0x22d0 drivers/usb/core/hcd.c:1547 usb_submit_urb+0xb4e/0x13e0 drivers/usb/core/urb.c:570 yurex_write+0x3ea/0x820 drivers/usb/misc/yurex.c:495 This patch changes the call to use GFP_ATOMIC instead of GFP_KERNEL. Reported-and-tested-by: syzbot+c2c3302f9c601a4b1be2@syzkaller.appspotmail.com Signed-off-by: Alan Stern CC: Link: https://lore.kernel.org/r/20200810182954.GB307778@rowland.harvard.edu Signed-off-by: Greg Kroah-Hartman commit ccc9838fed80f04e45a2c317e4a2dacdf2f1e3c2 Author: Evan Quan Date: Tue Aug 25 10:35:11 2020 +0800 drm/amd/pm: correct the thermal alert temperature limit settings commit 28e628645333b7e581c4a7b04d958e4804ea10fe upstream. Do the maths in celsius degree. This can fix the issues caused by the changes below: drm/amd/pm: correct Vega20 swctf limit setting drm/amd/pm: correct Vega12 swctf limit setting drm/amd/pm: correct Vega10 swctf limit setting Signed-off-by: Evan Quan Reviewed-by: Kenneth Feng Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 56ab34c44e851f9316dc3d3e7eb36bce65e09e90 Author: Evan Quan Date: Fri Aug 21 12:21:30 2020 +0800 drm/amd/pm: correct Vega20 swctf limit setting commit 9b51c4b2ba31396f3894ccc7df8bdf067243e9f5 upstream. Correct the Vega20 thermal swctf limit. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 520e40dcea831f72dea4962add16ff72688aa3b2 Author: Evan Quan Date: Fri Aug 21 12:18:58 2020 +0800 drm/amd/pm: correct Vega12 swctf limit setting commit e0ffd340249699ad27a6c91abdfa3e89f7823941 upstream. Correct the Vega12 thermal swctf limit. Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit b46df9eab0cd73b7d15499f50f516c3074ad4889 Author: Evan Quan Date: Fri Aug 21 12:05:03 2020 +0800 drm/amd/pm: correct Vega10 swctf limit setting commit b05d71b51078fc428c6b72582126d9d75d3c1f4c upstream. Correct the Vega10 thermal swctf limit. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1267 Signed-off-by: Evan Quan Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 686a7f065cd8e529bd059d4d9446318401b6b9c8 Author: Nicholas Kazlauskas Date: Fri Aug 14 11:49:13 2020 -0400 drm/amd/powerplay: Fix hardmins not being sent to SMU for RV commit e2bf3723db563457c0abe4eaeedac25bbbbd1d76 upstream. [Why] DC uses these to raise the voltage as needed for higher dispclk/dppclk and to ensure that we have enough bandwidth to drive the displays. There's a bug preventing these from actuially sending messages since it's checking the actual clock (which is 0) instead of the incoming clock (which shouldn't be 0) when deciding to send the hardmin. [How] Check the clocks != 0 instead of the actual clocks. Fixes: 9ed9203c3ee7 ("drm/amd/powerplay: rv dal-pplib interface refactor powerplay part") Signed-off-by: Nicholas Kazlauskas Reviewed-by: Alex Deucher Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit cd9c79f79dd49e6e464f70c25198e6626f35a66e Author: Jiansong Chen Date: Mon Aug 24 18:44:09 2020 +0800 drm/amdgpu/gfx10: refine mgcg setting commit de7a1b0b8753e1b0000084f0e339ffab295d27ef upstream. 1. enable ENABLE_CGTS_LEGACY to fix specviewperf11 random hang. 2. remove obsolete RLC_CGTT_SCLK_OVERRIDE workaround. Signed-off-by: Jiansong Chen Reviewed-by: Hawking Zhang Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 54dc92e1900895401135ffbc95586dae30309a14 Author: Alexander Monakov Date: Tue Aug 4 23:13:13 2020 +0300 drm/amd/display: use correct scale for actual_brightness commit 69d9f4278d0f9d24607645f10e5ac5c59c77a4ac upstream. Documentation for sysfs backlight level interface requires that values in both 'brightness' and 'actual_brightness' files are interpreted to be in range from 0 to the value given in the 'max_brightness' file. With amdgpu, max_brightness gives 255, and values written by the user into 'brightness' are internally rescaled to a wider range. However, reading from 'actual_brightness' gives the raw register value without inverse rescaling. This causes issues for various userspace tools such as PowerTop and systemd that expect the value to be in the correct range. Introduce a helper to retrieve internal backlight range. Use it to reimplement 'convert_brightness' as 'convert_brightness_from_user' and introduce 'convert_brightness_to_user'. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=203905 Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1242 Cc: Alex Deucher Cc: Nicholas Kazlauskas Reviewed-by: Alex Deucher Signed-off-by: Alexander Monakov Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 83ac5203949345ddc000582b7b61c849551e1e5d Author: Alex Deucher Date: Tue Aug 25 11:43:45 2020 -0400 drm/amdgpu: Fix buffer overflow in INFO ioctl commit b5b97cab55eb71daba3283c8b1d2cce456d511a1 upstream. The values for "se_num" and "sh_num" come from the user in the ioctl. They can be in the 0-255 range but if they're more than AMDGPU_GFX_MAX_SE (4) or AMDGPU_GFX_MAX_SH_PER_SE (2) then it results in an out of bounds read. Reported-by: Dan Carpenter Acked-by: Dan Carpenter Signed-off-by: Alex Deucher Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 5f5bd9002bb1fc5d317c2d158f0ffef8ae01250d Author: Daniel Vetter Date: Fri Aug 14 11:38:42 2020 +0200 drm/modeset-lock: Take the modeset BKL for legacy drivers commit 77ef38574beb3e0b414db48e9c0f04633df68ba6 upstream. This fell off in the conversion in commit 9bcaa3fe58ab7559e71df798bcff6e0795158695 Author: Michal Orzel Date: Tue Apr 28 19:10:04 2020 +0200 drm: Replace drm_modeset_lock/unlock_all with DRM_MODESET_LOCK_ALL_* helpers but it's caught by the drm_warn_on_modeset_not_all_locked() that the legacy modeset code uses. Since this is the bkl and it's unclear what's all protected, play it safe and grab it again for legacy drivers. Unfortunately this means we need to sprinkle a few more #includes around. Also we need to add the drm_device as a parameter to the _END macro. Finally remove the mute_lock() from setcrtc, since that's now done by the macro. Cc: Alex Deucher References: https://gitlab.freedesktop.org/drm/amd/-/issues/1224 Fixes: 9bcaa3fe58ab ("drm: Replace drm_modeset_lock/unlock_all with DRM_MODESET_LOCK_ALL_* helpers") Cc: Michal Orzel Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Cc: # v5.8+ Signed-off-by: Daniel Vetter Reviewed-by: Alex Deucher Signed-off-by: Alex Deucher Link: https://patchwork.freedesktop.org/patch/msgid/20200814093842.3048472-1-daniel.vetter@ffwll.ch Signed-off-by: Greg Kroah-Hartman commit 057423349c34d3e721a5f90197db3c0a6fe5b2fc Author: Bhawanpreet Lakha Date: Fri Aug 14 13:01:40 2020 -0400 drm/dp_mst: Don't return error code when crtc is null commit 88fee1c9007a38c19f2c558dc0ab1ddb4c323dc5 upstream. [Why] In certain cases the crtc can be NULL and returning -EINVAL causes atomic check to fail when it shouln't. This leads to valid configurations failing because atomic check fails. [How] Don't early return if crtc is null Signed-off-by: Bhawanpreet Lakha Reviewed-by: Lyude Paul [added stable cc] Signed-off-by: Lyude Paul Fixes: 8ec046716ca8 ("drm/dp_mst: Add helper to trigger modeset on affected DSC MST CRTCs") Cc: # v5.6+ Link: https://patchwork.freedesktop.org/patch/msgid/20200814170140.24917-1-Bhawanpreet.Lakha@amd.com Signed-off-by: Greg Kroah-Hartman commit dd36e041bd5186a024cfe8d45fc151ad75b551be Author: Christian Gmeiner Date: Sun Aug 23 21:09:22 2020 +0200 drm/etnaviv: fix external abort seen on GC600 rev 0x19 commit 2c5bf028ef34745e7b3fe768f9c9355ecc7df101 upstream. It looks like that this GPU core triggers an abort when reading VIVS_HI_CHIP_PRODUCT_ID and/or VIVS_HI_CHIP_ECO_ID. I looked at different versions of Vivante's kernel driver and did not found anything about this issue or what feature flag can be used. So go the simplest route and do not read these two registers on the affected GPU core. Signed-off-by: Christian Gmeiner Reported-by: Josua Mayer Fixes: 815e45bbd4d3 ("drm/etnaviv: determine product, customer and eco id") Cc: stable@vger.kernel.org Tested-by: Josua Mayer Signed-off-by: Lucas Stach Signed-off-by: Greg Kroah-Hartman commit 74e1bbfb842a00f9b99e65ca7ca6a3a82ac875f8 Author: Mika Kuoppala Date: Mon Aug 17 22:59:26 2020 +0300 drm/i915: Fix cmd parser desc matching with masks commit e5f10d6385cda083037915c12b130887c8831d2b upstream. Our variety of defined gpu commands have the actual command id field and possibly length and flags applied. We did start to apply the mask during initialization of the cmd descriptors but forgot to also apply it on comparisons. Fix comparisons in order to properly deny access with associated commands. v2: fix lri with correct mask (Chris) References: 926abff21a8f ("drm/i915/cmdparser: Ignore Length operands during command matching") Reported-by: Nicolai Stange Cc: stable@vger.kernel.org # v5.4+ Cc: Miroslav Benes Cc: Takashi Iwai Cc: Tyler Hicks Cc: Jon Bloomfield Cc: Chris Wilson Signed-off-by: Mika Kuoppala Reviewed-by: Chris Wilson Link: https://patchwork.freedesktop.org/patch/msgid/20200817195926.12671-1-mika.kuoppala@linux.intel.com (cherry picked from commit 3b4efa148da36f158cce3f662e831af2834b8e0f) Signed-off-by: Jani Nikula Signed-off-by: Greg Kroah-Hartman commit f07523a5b09ad92d4b9aa75f834bd61b15a9ae24 Author: Ashok Raj Date: Wed Aug 26 21:12:10 2020 -0700 x86/hotplug: Silence APIC only after all interrupts are migrated commit 52d6b926aabc47643cd910c85edb262b7f44c168 upstream. There is a race when taking a CPU offline. Current code looks like this: native_cpu_disable() { ... apic_soft_disable(); /* * Any existing set bits for pending interrupt to * this CPU are preserved and will be sent via IPI * to another CPU by fixup_irqs(). */ cpu_disable_common(); { .... /* * Race window happens here. Once local APIC has been * disabled any new interrupts from the device to * the old CPU are lost */ fixup_irqs(); // Too late to capture anything in IRR. ... } } The fix is to disable the APIC *after* cpu_disable_common(). Testing was done with a USB NIC that provided a source of frequent interrupts. A script migrated interrupts to a specific CPU and then took that CPU offline. Fixes: 60dcaad5736f ("x86/hotplug: Silence APIC and NMI when CPU is dead") Reported-by: Evan Green Signed-off-by: Ashok Raj Signed-off-by: Thomas Gleixner Tested-by: Mathias Nyman Tested-by: Evan Green Reviewed-by: Evan Green Cc: stable@vger.kernel.org Link: https://lore.kernel.org/lkml/875zdarr4h.fsf@nanos.tec.linutronix.de/ Link: https://lore.kernel.org/r/1598501530-45821-1-git-send-email-ashok.raj@intel.com Signed-off-by: Greg Kroah-Hartman commit bbf423c28efcde2beec2b187806eda0041cb0582 Author: Thomas Gleixner Date: Wed Aug 26 22:21:44 2020 +0200 x86/irq: Unbreak interrupt affinity setting commit e027fffff799cdd70400c5485b1a54f482255985 upstream. Several people reported that 5.8 broke the interrupt affinity setting mechanism. The consolidation of the entry code reused the regular exception entry code for device interrupts and changed the way how the vector number is conveyed from ptregs->orig_ax to a function argument. The low level entry uses the hardware error code slot to push the vector number onto the stack which is retrieved from there into a function argument and the slot on stack is set to -1. The reason for setting it to -1 is that the error code slot is at the position where pt_regs::orig_ax is. A positive value in pt_regs::orig_ax indicates that the entry came via a syscall. If it's not set to a negative value then a signal delivery on return to userspace would try to restart a syscall. But there are other places which rely on pt_regs::orig_ax being a valid indicator for syscall entry. But setting pt_regs::orig_ax to -1 has a nasty side effect vs. the interrupt affinity setting mechanism, which was overlooked when this change was made. Moving interrupts on x86 happens in several steps. A new vector on a different CPU is allocated and the relevant interrupt source is reprogrammed to that. But that's racy and there might be an interrupt already in flight to the old vector. So the old vector is preserved until the first interrupt arrives on the new vector and the new target CPU. Once that happens the old vector is cleaned up, but this cleanup still depends on the vector number being stored in pt_regs::orig_ax, which is now -1. That -1 makes the check for cleanup: pt_regs::orig_ax == new_vector always false. As a consequence the interrupt is moved once, but then it cannot be moved anymore because the cleanup of the old vector never happens. There would be several ways to convey the vector information to that place in the guts of the interrupt handling, but on deeper inspection it turned out that this check is pointless and a leftover from the old affinity model of X86 which supported multi-CPU affinities. Under this model it was possible that an interrupt had an old and a new vector on the same CPU, so the vector match was required. Under the new model the effective affinity of an interrupt is always a single CPU from the requested affinity mask. If the affinity mask changes then either the interrupt stays on the CPU and on the same vector when that CPU is still in the new affinity mask or it is moved to a different CPU, but it is never moved to a different vector on the same CPU. Ergo the cleanup check for the matching vector number is not required and can be removed which makes the dependency on pt_regs:orig_ax go away. The remaining check for new_cpu == smp_processsor_id() is completely sufficient. If it matches then the interrupt was successfully migrated and the cleanup can proceed. For paranoia sake add a warning into the vector assignment code to validate that the assumption of never moving to a different vector on the same CPU holds. Fixes: 633260fa143 ("x86/irq: Convey vector as argument and not in ptregs") Reported-by: Alex bykov Reported-by: Avi Kivity Reported-by: Alexander Graf Signed-off-by: Thomas Gleixner Tested-by: Alexander Graf Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/87wo1ltaxz.fsf@nanos.tec.linutronix.de Signed-off-by: Greg Kroah-Hartman commit 66e1e9bda0224ad84b18cc81cc8d7fb8f898f26a Author: qiuguorui1 Date: Thu Aug 20 11:16:29 2020 +0800 irqchip/stm32-exti: Avoid losing interrupts due to clearing pending bits by mistake commit e579076ac0a3bebb440fab101aef3c42c9f4c709 upstream. In the current code, when the eoi callback of the exti clears the pending bit of the current interrupt, it will first read the values of fpr and rpr, then logically OR the corresponding bit of the interrupt number, and finally write back to fpr and rpr. We found through experiments that if two exti interrupts, we call them int1/int2, arrive almost at the same time. in our scenario, the time difference is 30 microseconds, assuming int1 is triggered first. there will be an extreme scenario: both int's pending bit are set to 1, the irq handle of int1 is executed first, and eoi handle is then executed, at this moment, all pending bits are cleared, but the int 2 has not finally been reported to the cpu yet, which eventually lost int2. According to stm32's TRM description about rpr and fpr: Writing a 1 to this bit will trigger a rising edge event on event x, Writing 0 has no effect. Therefore, when clearing the pending bit, we only need to clear the pending bit of the irq. Fixes: 927abfc4461e7 ("irqchip/stm32: Add stm32mp1 support with hierarchy domain") Signed-off-by: qiuguorui1 Signed-off-by: Marc Zyngier Cc: stable@vger.kernel.org # v4.18+ Link: https://lore.kernel.org/r/20200820031629.15582-1-qiuguorui1@huawei.com Signed-off-by: Greg Kroah-Hartman commit a1b116511aa8e7331cc373504922b879e961c0b3 Author: Thomas Gleixner Date: Sun Aug 30 19:07:53 2020 +0200 genirq/matrix: Deal with the sillyness of for_each_cpu() on UP commit 784a0830377d0761834e385975bc46861fea9fa0 upstream. Most of the CPU mask operations behave the same way, but for_each_cpu() and it's variants ignore the cpumask argument and claim that CPU0 is always in the mask. This is historical, inconsistent and annoying behaviour. The matrix allocator uses for_each_cpu() and can be called on UP with an empty cpumask. The calling code does not expect that this succeeds but until commit e027fffff799 ("x86/irq: Unbreak interrupt affinity setting") this went unnoticed. That commit added a WARN_ON() to catch cases which move an interrupt from one vector to another on the same CPU. The warning triggers on UP. Add a check for the cpumask being empty to prevent this. Fixes: 2f75d9e1c905 ("genirq: Implement bitmap matrix allocator") Reported-by: kernel test robot Signed-off-by: Thomas Gleixner Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 8cb3561d084ef532cd13d4f1f9077a900ff9f740 Author: M. Vefa Bicakci Date: Mon Aug 10 19:00:17 2020 +0300 usbip: Implement a match function to fix usbip commit 7a2f2974f26542b4e7b9b4321edb3cbbf3eeb91a upstream. Commit 88b7381a939d ("USB: Select better matching USB drivers when available") introduced the use of a "match" function to select a non-generic/better driver for a particular USB device. This unfortunately breaks the operation of usbip in general, as reported in the kernel bugzilla with bug 208267 (linked below). Upon inspecting the aforementioned commit, one can observe that the original code in the usb_device_match function used to return 1 unconditionally, but the aforementioned commit makes the usb_device_match function use identifier tables and "match" virtual functions, if either of them are available. Hence, this commit implements a match function for usbip that unconditionally returns true to ensure that usbip is functional again. This change has been verified to restore usbip functionality, with a v5.7.y kernel on an up-to-date version of Qubes OS 4.0, which uses usbip to redirect USB devices between VMs. Thanks to Jonathan Dieter for the effort in bisecting this issue down to the aforementioned commit. Fixes: 88b7381a939d ("USB: Select better matching USB drivers when available") Link: https://bugzilla.kernel.org/show_bug.cgi?id=208267 Link: https://bugzilla.redhat.com/show_bug.cgi?id=1856443 Link: https://github.com/QubesOS/qubes-issues/issues/5905 Signed-off-by: M. Vefa Bicakci Cc: # 5.7 Cc: Valentina Manea Cc: Alan Stern Reviewed-by: Bastien Nocera Reviewed-by: Shuah Khan Link: https://lore.kernel.org/r/20200810160017.46002-1-m.v.b@runbox.com Signed-off-by: Greg Kroah-Hartman commit 3c491c44194253789d568549fac3b34dccdbcecd Author: Herbert Xu Date: Thu Aug 27 17:14:36 2020 +1000 crypto: af_alg - Work around empty control messages without MSG_MORE commit c195d66a8a75c60515819b101975f38b7ec6577f upstream. The iwd daemon uses libell which sets up the skcipher operation with two separate control messages. As the first control message is sent without MSG_MORE, it is interpreted as an empty request. While libell should be fixed to use MSG_MORE where appropriate, this patch works around the bug in the kernel so that existing binaries continue to work. We will print a warning however. A separate issue is that the new kernel code no longer allows the control message to be sent twice within the same request. This restriction is obviously incompatible with what iwd was doing (first setting an IV and then sending the real control message). This patch changes the kernel so that this is explicitly allowed. Reported-by: Caleb Jorden Fixes: f3c802a1f300 ("crypto: algif_aead - Only wake up when...") Cc: Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1d35dfde2a7d9a0627b1e9465e8e4305478fb945 Author: Heikki Krogerus Date: Fri Aug 21 13:53:42 2020 +0300 device property: Fix the secondary firmware node handling in set_primary_fwnode() commit c15e1bdda4365a5f17cdadf22bf1c1df13884a9e upstream. When the primary firmware node pointer is removed from a device (set to NULL) the secondary firmware node pointer, when it exists, is made the primary node for the device. However, the secondary firmware node pointer of the original primary firmware node is never cleared (set to NULL). To avoid situation where the secondary firmware node pointer is pointing to a non-existing object, clearing it properly when the primary node is removed from a device in set_primary_fwnode(). Fixes: 97badf873ab6 ("device property: Make it possible to use secondary firmware nodes") Cc: All applicable Signed-off-by: Heikki Krogerus Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 9a9cc8c9b1c715317c5fc18ac695751577bdf250 Author: Alexey Kardashevskiy Date: Tue Jun 2 12:56:12 2020 +1000 powerpc/perf: Fix crashes with generic_compat_pmu & BHRB commit b460b512417ae9c8b51a3bdcc09020cd6c60ff69 upstream. The bhrb_filter_map ("The Branch History Rolling Buffer") callback is only defined in raw CPUs' power_pmu structs. The "architected" CPUs use generic_compat_pmu, which does not have this callback, and crashes occur if a user tries to enable branch stack for an event. This add a NULL pointer check for bhrb_filter_map() which behaves as if the callback returned an error. This does not add the same check for config_bhrb() as the only caller checks for cpuhw->bhrb_users which remains zero if bhrb_filter_map==0. Fixes: be80e758d0c2 ("powerpc/perf: Add generic compat mode pmu driver") Cc: stable@vger.kernel.org # v5.2+ Signed-off-by: Alexey Kardashevskiy Reviewed-by: Madhavan Srinivasan Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200602025612.62707-1-aik@ozlabs.ru Signed-off-by: Greg Kroah-Hartman commit bdae016706948df7fed1afdc096a655a99dfaac3 Author: Christophe Leroy Date: Thu Aug 27 18:30:27 2020 +0000 powerpc/32s: Disable VMAP stack which CONFIG_ADB_PMU commit 4a133eb351ccc275683ad49305d0b04dde903733 upstream. low_sleep_handler() can't restore the context from virtual stack because the stack can hardly be accessed with MMU OFF. For now, disable VMAP stack when CONFIG_ADB_PMU is selected. Fixes: cd08f109e262 ("powerpc/32s: Enable CONFIG_VMAP_STACK") Cc: stable@vger.kernel.org # v5.6+ Reported-by: Giuseppe Sacco Signed-off-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/ec96c15bfa1a7415ab604ee1c98cd45779c08be0.1598553015.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 3b555853d736825fac9b4023dac7eaec99f54c9a Author: Rafael J. Wysocki Date: Mon Aug 24 19:35:31 2020 +0200 PM: sleep: core: Fix the handling of pending runtime resume requests commit e3eb6e8fba65094328b8dca635d00de74ba75b45 upstream. It has been reported that system-wide suspend may be aborted in the absence of any wakeup events due to unforseen interactions of it with the runtume PM framework. One failing scenario is when there are multiple devices sharing an ACPI power resource and runtime-resume needs to be carried out for one of them during system-wide suspend (for example, because it needs to be reconfigured before the whole system goes to sleep). In that case, the runtime-resume of that device involves turning the ACPI power resource "on" which in turn causes runtime-resume requests to be queued up for all of the other devices sharing it. Those requests go to the runtime PM workqueue which is frozen during system-wide suspend, so they are not actually taken care of until the resume of the whole system, but the pm_runtime_barrier() call in __device_suspend() sees them and triggers system wakeup events for them which then cause the system-wide suspend to be aborted if wakeup source objects are in active use. Of course, the logic that leads to triggering those wakeup events is questionable in the first place, because clearly there are cases in which a pending runtime resume request for a device is not connected to any real wakeup events in any way (like the one above). Moreover, it is racy, because the device may be resuming already by the time the pm_runtime_barrier() runs and so if the driver doesn't take care of signaling the wakeup event as appropriate, it will be lost. However, if the driver does take care of that, the extra pm_wakeup_event() call in the core is redundant. Accordingly, drop the conditional pm_wakeup_event() call fron __device_suspend() and make the latter call pm_runtime_barrier() alone. Also modify the comment next to that call to reflect the new code and extend it to mention the need to avoid unwanted interactions between runtime PM and system-wide device suspend callbacks. Fixes: 1e2ef05bb8cf8 ("PM: Limit race conditions between runtime PM and system sleep (v2)") Signed-off-by: Rafael J. Wysocki Acked-by: Alan Stern Reported-by: Utkarsh H Patel Tested-by: Utkarsh H Patel Tested-by: Pengfei Xu Cc: All applicable Signed-off-by: Greg Kroah-Hartman commit 17d66e62805872ef4d58af2901df077fadafba64 Author: Frank van der Linden Date: Thu Aug 27 23:40:12 2020 +0000 arm64: vdso32: make vdso32 install conditional commit 5d28ba5f8a0cfa3a874fa96c33731b8fcd141b3a upstream. vdso32 should only be installed if CONFIG_COMPAT_VDSO is enabled, since it's not even supposed to be compiled otherwise, and arm64 builds without a 32bit crosscompiler will fail. Fixes: 8d75785a8142 ("ARM64: vdso32: Install vdso32 from vdso_install") Signed-off-by: Frank van der Linden Cc: stable@vger.kernel.org [5.4+] Link: https://lore.kernel.org/r/20200827234012.19757-1-fllinden@amazon.com Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit d36a6712d9f10f558428e50c826b7c4b51c64295 Author: James Morse Date: Fri Aug 21 15:07:07 2020 +0100 KVM: arm64: Set HCR_EL2.PTW to prevent AT taking synchronous exception commit 71a7f8cb1ca4ca7214a700b1243626759b6c11d4 upstream. AT instructions do a translation table walk and return the result, or the fault in PAR_EL1. KVM uses these to find the IPA when the value is not provided by the CPU in HPFAR_EL1. If a translation table walk causes an external abort it is taken as an exception, even if it was due to an AT instruction. (DDI0487F.a's D5.2.11 "Synchronous faults generated by address translation instructions") While we previously made KVM resilient to exceptions taken due to AT instructions, the device access causes mismatched attributes, and may occur speculatively. Prevent this, by forbidding a walk through memory described as device at stage2. Now such AT instructions will report a stage2 fault. Such a fault will cause KVM to restart the guest. If the AT instructions always walk the page tables, but guest execution uses the translation cached in the TLB, the guest can't make forward progress until the TLB entry is evicted. This isn't a problem, as since commit 5dcd0fdbb492 ("KVM: arm64: Defer guest entry when an asynchronous exception is pending"), KVM will return to the host to process IRQs allowing the rest of the system to keep running. Cc: stable@vger.kernel.org # Reviewed-by: Marc Zyngier Signed-off-by: Catalin Marinas Signed-off-by: Greg Kroah-Hartman commit 13f35a2c0fd5c6a4fcd8903542b053bcc914fcf5 Author: Pavel Begunkov Date: Sun Aug 23 20:33:10 2020 +0300 io-wq: fix hang after cancelling pending hashed work commit 204361a77f4018627addd4a06877448f088ddfc0 upstream. Don't forget to update wqe->hash_tail after cancelling a pending work item, if it was hashed. Cc: stable@vger.kernel.org # 5.7+ Reported-by: Dmitry Shulyak Fixes: 86f3cd1b589a1 ("io-wq: handle hashed writes in chains") Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 96d020ddff6adff267a6900bcfcd46a8993f5152 Author: Ding Hui Date: Fri Aug 21 12:15:49 2020 +0300 xhci: Always restore EP_SOFT_CLEAR_TOGGLE even if ep reset failed commit f1ec7ae6c9f8c016db320e204cb519a1da1581b8 upstream. Some device drivers call libusb_clear_halt when target ep queue is not empty. (eg. spice client connected to qemu for usb redir) Before commit f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset"), that works well. But now, we got the error log: EP not empty, refuse reset xhci_endpoint_reset failed and left ep_state's EP_SOFT_CLEAR_TOGGLE bit still set So all the subsequent urb sumbits to the ep will fail with the warn log: Can't enqueue URB while manually clearing toggle We need to clear ep_state EP_SOFT_CLEAR_TOGGLE bit after xhci_endpoint_reset, even if it failed. Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset") Cc: stable # v4.17+ Signed-off-by: Ding Hui Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200821091549.20556-4-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 7d31eaa7e295106233b725aaf97d3ca62a228632 Author: Kai-Heng Feng Date: Fri Aug 21 12:15:48 2020 +0300 xhci: Do warm-reset when both CAS and XDEV_RESUME are set commit 904df64a5f4d5ebd670801d869ca0a6d6a6e8df6 upstream. Sometimes re-plugging a USB device during system sleep renders the device useless: [ 173.418345] xhci_hcd 0000:00:14.0: Get port status 2-4 read: 0x14203e2, return 0x10262 ... [ 176.496485] usb 2-4: Waited 2000ms for CONNECT [ 176.496781] usb usb2-port4: status 0000.0262 after resume, -19 [ 176.497103] usb 2-4: can't resume, status -19 [ 176.497438] usb usb2-port4: logical disconnect Because PLS equals to XDEV_RESUME, xHCI driver reports U3 to usbcore, despite of CAS bit is flagged. So proritize CAS over XDEV_RESUME to let usbcore handle warm-reset for the port. Cc: stable Signed-off-by: Kai-Heng Feng Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200821091549.20556-3-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 50a7c735bc0ab7f604fcb68b8c50955788315175 Author: Li Jun Date: Fri Aug 21 12:15:47 2020 +0300 usb: host: xhci: fix ep context print mismatch in debugfs commit 0077b1b2c8d9ad5f7a08b62fb8524cdb9938388f upstream. dci is 0 based and xhci_get_ep_ctx() will do ep index increment to get the ep context. [rename dci to ep_index -Mathias] Cc: stable # v4.15+ Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") Signed-off-by: Li Jun Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20200821091549.20556-2-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 55c0eeabceb7720a5438b501e2c85c05ca684bc9 Author: JC Kuo Date: Tue Aug 11 17:25:53 2020 +0800 usb: host: xhci-tegra: fix tegra_xusb_get_phy() commit d54343a87732726b04ac5af873916b5ed4f52932 upstream. tegra_xusb_get_phy() should take input argument "name". Signed-off-by: JC Kuo Cc: stable Link: https://lore.kernel.org/r/20200811092553.657762-1-jckuo@nvidia.com Signed-off-by: Greg Kroah-Hartman commit c08e590b07e4e2b7a86cb6b7b45e4ac8c9e804e6 Author: JC Kuo Date: Tue Aug 11 17:31:43 2020 +0800 usb: host: xhci-tegra: otg usb2/usb3 port init commit 316a2868bc269be8c6e69ccc3a1f902a3f518eb9 upstream. tegra_xusb_init_usb_phy() should initialize "otg_usb2_port" and "otg_usb3_port" with -EINVAL because "0" is a valid value represents usb2 port 0 or usb3 port 0. Signed-off-by: JC Kuo Cc: stable Link: https://lore.kernel.org/r/20200811093143.699541-1-jckuo@nvidia.com Signed-off-by: Greg Kroah-Hartman commit 68adec4646bf187d76d8d07dc3ee3b0fbd5e0150 Author: Vinod Koul Date: Tue Aug 18 12:47:39 2020 +0530 usb: renesas-xhci: remove version check commit d66a57be2f9a315fc10d0f524f670fec903e0fb4 upstream. Some devices in wild are reporting bunch of firmware versions, so remove the check for versions in driver Reported by: Anastasios Vacharakis Reported by: Glen Journeay Fixes: 2478be82de44 ("usb: renesas-xhci: Add ROM loader for uPD720201") Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=208911 Signed-off-by: Vinod Koul Cc: stable Link: https://lore.kernel.org/r/20200818071739.789720-1-vkoul@kernel.org Signed-off-by: Greg Kroah-Hartman commit 2b32323f966d252e7615b2afe05f338bd22c82f9 Author: Thomas Gleixner Date: Tue Aug 25 17:22:58 2020 +0200 XEN uses irqdesc::irq_data_common::handler_data to store a per interrupt XEN data pointer which contains XEN specific information. commit c330fb1ddc0a922f044989492b7fcca77ee1db46 upstream. handler data is meant for interrupt handlers and not for storing irq chip specific information as some devices require handler data to store internal per interrupt information, e.g. pinctrl/GPIO chained interrupt handlers. This obviously creates a conflict of interests and crashes the machine because the XEN pointer is overwritten by the driver pointer. As the XEN data is not handler specific it should be stored in irqdesc::irq_data::chip_data instead. A simple sed s/irq_[sg]et_handler_data/irq_[sg]et_chip_data/ cures that. Cc: stable@vger.kernel.org Reported-by: Roman Shaposhnik Signed-off-by: Thomas Gleixner Tested-by: Roman Shaposhnik Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/87lfi2yckt.fsf@nanos.tec.linutronix.de Signed-off-by: Juergen Gross Signed-off-by: Greg Kroah-Hartman commit 05ae7cf354b79c007942ff5703d48827dc32fd17 Author: Jan Kara Date: Fri May 29 16:08:58 2020 +0200 writeback: Fix sync livelock due to b_dirty_time processing commit f9cae926f35e8230330f28c7b743ad088611a8de upstream. When we are processing writeback for sync(2), move_expired_inodes() didn't set any inode expiry value (older_than_this). This can result in writeback never completing if there's steady stream of inodes added to b_dirty_time list as writeback rechecks dirty lists after each writeback round whether there's more work to be done. Fix the problem by using sync(2) start time is inode expiry value when processing b_dirty_time list similarly as for ordinarily dirtied inodes. This requires some refactoring of older_than_this handling which simplifies the code noticeably as a bonus. Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option") CC: stable@vger.kernel.org Reviewed-by: Christoph Hellwig Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit d74c235bd59f00a5236d3537fbffe769f61f2fb4 Author: Jan Kara Date: Fri May 29 15:05:22 2020 +0200 writeback: Avoid skipping inode writeback commit 5afced3bf28100d81fb2fe7e98918632a08feaf5 upstream. Inode's i_io_list list head is used to attach inode to several different lists - wb->{b_dirty, b_dirty_time, b_io, b_more_io}. When flush worker prepares a list of inodes to writeback e.g. for sync(2), it moves inodes to b_io list. Thus it is critical for sync(2) data integrity guarantees that inode is not requeued to any other writeback list when inode is queued for processing by flush worker. That's the reason why writeback_single_inode() does not touch i_io_list (unless the inode is completely clean) and why __mark_inode_dirty() does not touch i_io_list if I_SYNC flag is set. However there are two flaws in the current logic: 1) When inode has only I_DIRTY_TIME set but it is already queued in b_io list due to sync(2), concurrent __mark_inode_dirty(inode, I_DIRTY_SYNC) can still move inode back to b_dirty list resulting in skipping writeback of inode time stamps during sync(2). 2) When inode is on b_dirty_time list and writeback_single_inode() races with __mark_inode_dirty() like: writeback_single_inode() __mark_inode_dirty(inode, I_DIRTY_PAGES) inode->i_state |= I_SYNC __writeback_single_inode() inode->i_state |= I_DIRTY_PAGES; if (inode->i_state & I_SYNC) bail if (!(inode->i_state & I_DIRTY_ALL)) - not true so nothing done We end up with I_DIRTY_PAGES inode on b_dirty_time list and thus standard background writeback will not writeback this inode leading to possible dirty throttling stalls etc. (thanks to Martijn Coenen for this analysis). Fix these problems by tracking whether inode is queued in b_io or b_more_io lists in a new I_SYNC_QUEUED flag. When this flag is set, we know flush worker has queued inode and we should not touch i_io_list. On the other hand we also know that once flush worker is done with the inode it will requeue the inode to appropriate dirty list. When I_SYNC_QUEUED is not set, __mark_inode_dirty() can (and must) move inode to appropriate dirty list. Reported-by: Martijn Coenen Reviewed-by: Martijn Coenen Tested-by: Martijn Coenen Reviewed-by: Christoph Hellwig Fixes: 0ae45f63d4ef ("vfs: add support for a lazytime mount option") CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit dd71dd1dc12fcd2a0839fe4ad8a0669b190cbbbc Author: Jan Kara Date: Wed Jun 10 17:36:03 2020 +0200 writeback: Protect inode->i_io_list with inode->i_lock commit b35250c0816c7cf7d0a8de92f5fafb6a7508a708 upstream. Currently, operations on inode->i_io_list are protected by wb->list_lock. In the following patches we'll need to maintain consistency between inode->i_state and inode->i_io_list so change the code so that inode->i_lock protects also all inode's i_io_list handling. Reviewed-by: Martijn Coenen Reviewed-by: Christoph Hellwig CC: stable@vger.kernel.org # Prerequisite for "writeback: Avoid skipping inode writeback" Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 1506fdcde864b57d7761656a5d8a7142c829f3b8 Author: Jens Axboe Date: Wed Aug 26 18:58:26 2020 -0600 io_uring: clear req->result on IOPOLL re-issue commit 56450c20fe10d4d93f58019109aa4e06fc0b9206 upstream. Make sure we clear req->result, which was set to -EAGAIN for retry purposes, when moving it to the reissue list. Otherwise we can end up retrying a request more than once, which leads to weird results in the io-wq handling (and other spots). Cc: stable@vger.kernel.org Reported-by: Andres Freund Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 116790cfa0b8b8ae801d282166059691b33c965a Author: Sergey Senozhatsky Date: Mon Aug 17 11:26:46 2020 +0900 serial: 8250: change lock order in serial8250_do_startup() commit 205d300aea75623e1ae4aa43e0d265ab9cf195fd upstream. We have a number of "uart.port->desc.lock vs desc.lock->uart.port" lockdep reports coming from 8250 driver; this causes a bit of trouble to people, so let's fix it. The problem is reverse lock order in two different call paths: chain #1: serial8250_do_startup() spin_lock_irqsave(&port->lock); disable_irq_nosync(port->irq); raw_spin_lock_irqsave(&desc->lock) chain #2: __report_bad_irq() raw_spin_lock_irqsave(&desc->lock) for_each_action_of_desc() printk() spin_lock_irqsave(&port->lock); Fix this by changing the order of locks in serial8250_do_startup(): do disable_irq_nosync() first, which grabs desc->lock, and grab uart->port after that, so that chain #1 and chain #2 have same lock order. Full lockdep splat: ====================================================== WARNING: possible circular locking dependency detected 5.4.39 #55 Not tainted ====================================================== swapper/0/0 is trying to acquire lock: ffffffffab65b6c0 (console_owner){-...}, at: console_lock_spinning_enable+0x31/0x57 but task is already holding lock: ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (&irq_desc_lock_class){-.-.}: _raw_spin_lock_irqsave+0x61/0x8d __irq_get_desc_lock+0x65/0x89 __disable_irq_nosync+0x3b/0x93 serial8250_do_startup+0x451/0x75c uart_startup+0x1b4/0x2ff uart_port_activate+0x73/0xa0 tty_port_open+0xae/0x10a uart_open+0x1b/0x26 tty_open+0x24d/0x3a0 chrdev_open+0xd5/0x1cc do_dentry_open+0x299/0x3c8 path_openat+0x434/0x1100 do_filp_open+0x9b/0x10a do_sys_open+0x15f/0x3d7 kernel_init_freeable+0x157/0x1dd kernel_init+0xe/0x105 ret_from_fork+0x27/0x50 -> #1 (&port_lock_key){-.-.}: _raw_spin_lock_irqsave+0x61/0x8d serial8250_console_write+0xa7/0x2a0 console_unlock+0x3b7/0x528 vprintk_emit+0x111/0x17f printk+0x59/0x73 register_console+0x336/0x3a4 uart_add_one_port+0x51b/0x5be serial8250_register_8250_port+0x454/0x55e dw8250_probe+0x4dc/0x5b9 platform_drv_probe+0x67/0x8b really_probe+0x14a/0x422 driver_probe_device+0x66/0x130 device_driver_attach+0x42/0x5b __driver_attach+0xca/0x139 bus_for_each_dev+0x97/0xc9 bus_add_driver+0x12b/0x228 driver_register+0x64/0xed do_one_initcall+0x20c/0x4a6 do_initcall_level+0xb5/0xc5 do_basic_setup+0x4c/0x58 kernel_init_freeable+0x13f/0x1dd kernel_init+0xe/0x105 ret_from_fork+0x27/0x50 -> #0 (console_owner){-...}: __lock_acquire+0x118d/0x2714 lock_acquire+0x203/0x258 console_lock_spinning_enable+0x51/0x57 console_unlock+0x25d/0x528 vprintk_emit+0x111/0x17f printk+0x59/0x73 __report_bad_irq+0xa3/0xba note_interrupt+0x19a/0x1d6 handle_irq_event_percpu+0x57/0x79 handle_irq_event+0x36/0x55 handle_fasteoi_irq+0xc2/0x18a do_IRQ+0xb3/0x157 ret_from_intr+0x0/0x1d cpuidle_enter_state+0x12f/0x1fd cpuidle_enter+0x2e/0x3d do_idle+0x1ce/0x2ce cpu_startup_entry+0x1d/0x1f start_kernel+0x406/0x46a secondary_startup_64+0xa4/0xb0 other info that might help us debug this: Chain exists of: console_owner --> &port_lock_key --> &irq_desc_lock_class Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&irq_desc_lock_class); lock(&port_lock_key); lock(&irq_desc_lock_class); lock(console_owner); *** DEADLOCK *** 2 locks held by swapper/0/0: #0: ffff88810a8e34c0 (&irq_desc_lock_class){-.-.}, at: __report_bad_irq+0x5b/0xba #1: ffffffffab65b5c0 (console_lock){+.+.}, at: console_trylock_spinning+0x20/0x181 stack backtrace: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.39 #55 Hardware name: XXXXXX Call Trace: dump_stack+0xbf/0x133 ? print_circular_bug+0xd6/0xe9 check_noncircular+0x1b9/0x1c3 __lock_acquire+0x118d/0x2714 lock_acquire+0x203/0x258 ? console_lock_spinning_enable+0x31/0x57 console_lock_spinning_enable+0x51/0x57 ? console_lock_spinning_enable+0x31/0x57 console_unlock+0x25d/0x528 ? console_trylock+0x18/0x4e vprintk_emit+0x111/0x17f ? lock_acquire+0x203/0x258 printk+0x59/0x73 __report_bad_irq+0xa3/0xba note_interrupt+0x19a/0x1d6 handle_irq_event_percpu+0x57/0x79 handle_irq_event+0x36/0x55 handle_fasteoi_irq+0xc2/0x18a do_IRQ+0xb3/0x157 common_interrupt+0xf/0xf Signed-off-by: Sergey Senozhatsky Fixes: 768aec0b5bcc ("serial: 8250: fix shared interrupts issues with SMP and RT kernels") Reported-by: Guenter Roeck Reported-by: Raul Rangel BugLink: https://bugs.chromium.org/p/chromium/issues/detail?id=1114800 Link: https://lore.kernel.org/lkml/CAHQZ30BnfX+gxjPm1DUd5psOTqbyDh4EJE=2=VAMW_VDafctkA@mail.gmail.com/T/#u Reviewed-by: Andy Shevchenko Reviewed-by: Guenter Roeck Tested-by: Guenter Roeck Cc: stable Link: https://lore.kernel.org/r/20200817022646.1484638-1-sergey.senozhatsky@gmail.com Signed-off-by: Greg Kroah-Hartman commit 89171ef86bdc70ef4352c8b25a4b625b6e41ccbf Author: Valmer Huhn Date: Thu Aug 13 12:52:55 2020 -0400 serial: 8250_exar: Fix number of ports for Commtech PCIe cards commit c6b9e95dde7b54e6a53c47241201ab5a4035c320 upstream. The following in 8250_exar.c line 589 is used to determine the number of ports for each Exar board: nr_ports = board->num_ports ? board->num_ports : pcidev->device & 0x0f; If the number of ports a card has is not explicitly specified, it defaults to the rightmost 4 bits of the PCI device ID. This is prone to error since not all PCI device IDs contain a number which corresponds to the number of ports that card provides. This particular case involves COMMTECH_4222PCIE, COMMTECH_4224PCIE and COMMTECH_4228PCIE cards with device IDs 0x0022, 0x0020 and 0x0021. Currently the multiport cards receive 2, 0 and 1 port instead of 2, 4 and 8 ports respectively. To fix this, each Commtech Fastcom PCIe card is given a struct where the number of ports is explicitly specified. This ensures 'board->num_ports' is used instead of the default 'pcidev->device & 0x0f'. Fixes: d0aeaa83f0b0 ("serial: exar: split out the exar code from 8250_pci") Signed-off-by: Valmer Huhn Tested-by: Valmer Huhn Cc: stable Link: https://lore.kernel.org/r/20200813165255.GC345440@icarus.concurrent-rt.com Signed-off-by: Greg Kroah-Hartman commit 0a60539b4cd9b51fe4ba0cdefa73dd582bbf15a2 Author: Holger Assmann Date: Thu Aug 13 17:27:57 2020 +0200 serial: stm32: avoid kernel warning on absence of optional IRQ commit fdf16d78941b4f380753053d229955baddd00712 upstream. stm32_init_port() of the stm32-usart may trigger a warning in platform_get_irq() when the device tree specifies no wakeup interrupt. The wakeup interrupt is usually a board-specific GPIO and the driver functions correctly in its absence. The mainline stm32mp151.dtsi does not specify it, so all mainline device trees trigger an unnecessary kernel warning. Use of platform_get_irq_optional() avoids this. Fixes: 2c58e56096dd ("serial: stm32: fix the get_irq error case") Signed-off-by: Holger Assmann Cc: stable Link: https://lore.kernel.org/r/20200813152757.32751-1-h.assmann@pengutronix.de Signed-off-by: Greg Kroah-Hartman commit df26430356bf86fd852ecbfff1496ee735576351 Author: Lukas Wunner Date: Thu Aug 13 12:59:54 2020 +0200 serial: pl011: Don't leak amba_ports entry on driver register error commit 89efbe70b27dd325d8a8c177743a26b885f7faec upstream. pl011_probe() calls pl011_setup_port() to reserve an amba_ports[] entry, then calls pl011_register_port() to register the uart driver with the tty layer. If registration of the uart driver fails, the amba_ports[] entry is not released. If this happens 14 times (value of UART_NR macro), then all amba_ports[] entries will have been leaked and driver probing is no longer possible. (To be fair, that can only happen if the DeviceTree doesn't contain alias IDs since they cause the same entry to be used for a given port.) Fix it. Fixes: ef2889f7ffee ("serial: pl011: Move uart_register_driver call to device") Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org # v3.15+ Cc: Tushar Behera Link: https://lore.kernel.org/r/138f8c15afb2f184d8102583f8301575566064a6.1597316167.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman commit 6648c599db7fb2ed928a224157d3ab55c1914262 Author: Lukas Wunner Date: Thu Aug 13 12:52:40 2020 +0200 serial: pl011: Fix oops on -EPROBE_DEFER commit 27afac93e3bd7fa89749cf11da5d86ac9cde4dba upstream. If probing of a pl011 gets deferred until after free_initmem(), an oops ensues because pl011_console_match() is called which has been freed. Fix by removing the __init attribute from the function and those it calls. Commit 10879ae5f12e ("serial: pl011: add console matching function") introduced pl011_console_match() not just for early consoles but regular preferred consoles, such as those added by acpi_parse_spcr(). Regular consoles may be registered after free_initmem() for various reasons, one being deferred probing, another being dynamic enablement of serial ports using a DeviceTree overlay. Thus, pl011_console_match() must not be declared __init and the functions it calls mustn't either. Stack trace for posterity: Unable to handle kernel paging request at virtual address 80c38b58 Internal error: Oops: 8000000d [#1] PREEMPT SMP ARM PC is at pl011_console_match+0x0/0xfc LR is at register_console+0x150/0x468 [<80187004>] (register_console) [<805a8184>] (uart_add_one_port) [<805b2b68>] (pl011_register_port) [<805b3ce4>] (pl011_probe) [<80569214>] (amba_probe) [<805ca088>] (really_probe) [<805ca2ec>] (driver_probe_device) [<805ca5b0>] (__device_attach_driver) [<805c8060>] (bus_for_each_drv) [<805c9dfc>] (__device_attach) [<805ca630>] (device_initial_probe) [<805c90a8>] (bus_probe_device) [<805c95a8>] (deferred_probe_work_func) Fixes: 10879ae5f12e ("serial: pl011: add console matching function") Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org # v4.10+ Cc: Aleksey Makarov Cc: Peter Hurley Cc: Russell King Cc: Christopher Covington Link: https://lore.kernel.org/r/f827ff09da55b8c57d316a1b008a137677b58921.1597315557.git.lukas@wunner.de Signed-off-by: Greg Kroah-Hartman commit e3f8041d24340eaf84a9489d3d26e72a5b5e0eb3 Author: Tamseel Shams Date: Mon Aug 10 08:30:21 2020 +0530 serial: samsung: Removes the IRQ not found warning commit 8c6c378b0cbe0c9f1390986b5f8ffb5f6ff7593b upstream. In few older Samsung SoCs like s3c2410, s3c2412 and s3c2440, UART IP is having 2 interrupt lines. However, in other SoCs like s3c6400, s5pv210, exynos5433, and exynos4210 UART is having only 1 interrupt line. Due to this, "platform_get_irq(platdev, 1)" call in the driver gives the following false-positive error: "IRQ index 1 not found" on newer SoC's. This patch adds the condition to check for Tx interrupt only for the those SoC's which have 2 interrupt lines. Tested-by: Alim Akhtar Tested-by: Marek Szyprowski Reviewed-by: Krzysztof Kozlowski Reviewed-by: Alim Akhtar Signed-off-by: Tamseel Shams Cc: stable Link: https://lore.kernel.org/r/20200810030021.45348-1-m.shams@samsung.com Signed-off-by: Greg Kroah-Hartman commit edc8a4eb10cfe97b4a9abf8ea095a9594fd38ad3 Author: George Kennedy Date: Fri Jul 31 12:33:12 2020 -0400 vt_ioctl: change VT_RESIZEX ioctl to check for error return from vc_resize() commit bc5269ca765057a1b762e79a1cfd267cd7bf1c46 upstream. vc_resize() can return with an error after failure. Change VT_RESIZEX ioctl to save struct vc_data values that are modified and restore the original values in case of error. Signed-off-by: George Kennedy Cc: stable Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/1596213192-6635-2-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman commit 2392eea66e66604c520190344addca938dcc51ed Author: Tetsuo Handa Date: Wed Jul 29 23:57:01 2020 +0900 vt: defer kfree() of vc_screenbuf in vc_do_resize() commit f8d1653daec02315e06d30246cff4af72e76e54e upstream. syzbot is reporting UAF bug in set_origin() from vc_do_resize() [1], for vc_do_resize() calls kfree(vc->vc_screenbuf) before calling set_origin(). Unfortunately, in set_origin(), vc->vc_sw->con_set_origin() might access vc->vc_pos when scroll is involved in order to manipulate cursor, but vc->vc_pos refers already released vc->vc_screenbuf until vc->vc_pos gets updated based on the result of vc->vc_sw->con_set_origin(). Preserving old buffer and tolerating outdated vc members until set_origin() completes would be easier than preventing vc->vc_sw->con_set_origin() from accessing outdated vc members. [1] https://syzkaller.appspot.com/bug?id=6649da2081e2ebdc65c0642c214b27fe91099db3 Reported-by: syzbot Signed-off-by: Tetsuo Handa Cc: stable Link: https://lore.kernel.org/r/1596034621-4714-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Greg Kroah-Hartman commit e863ac5f53dce11b659df2f0b6f4ced92050a06e Author: Evgeny Novikov Date: Wed Aug 5 12:06:43 2020 +0300 USB: lvtest: return proper error code in probe commit 531412492ce93ea29b9ca3b4eb5e3ed771f851dd upstream. lvs_rh_probe() can return some nonnegative value from usb_control_msg() when it is less than "USB_DT_HUB_NONVAR_SIZE + 2" that is considered as a failure. Make lvs_rh_probe() return -EINVAL in this case. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Cc: stable Link: https://lore.kernel.org/r/20200805090643.3432-1-novikov@ispras.ru Signed-off-by: Greg Kroah-Hartman commit 34cf1aff169dc6dedad8d79da7bf1b4de2773dbc Author: George Kennedy Date: Fri Jul 31 12:33:11 2020 -0400 fbcon: prevent user font height or width change from causing potential out-of-bounds access commit 39b3cffb8cf3111738ea993e2757ab382253d86a upstream. Add a check to fbcon_resize() to ensure that a possible change to user font height or user font width will not allow a font data out-of-bounds access. NOTE: must use original charcount in calculation as font charcount can change and cannot be used to determine the font data allocated size. Signed-off-by: George Kennedy Cc: stable Reported-by: syzbot+38a3699c7eaf165b97a6@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/1596213192-6635-1-git-send-email-george.kennedy@oracle.com Signed-off-by: Greg Kroah-Hartman commit bb77dd02ba169cf10a36de65e9828ea834ec8bbc Author: Boris Burkov Date: Tue Aug 18 11:00:05 2020 -0700 btrfs: detect nocow for swap after snapshot delete commit a84d5d429f9eb56f81b388609841ed993f0ddfca upstream. can_nocow_extent and btrfs_cross_ref_exist both rely on a heuristic for detecting a must cow condition which is not exactly accurate, but saves unnecessary tree traversal. The incorrect assumption is that if the extent was created in a generation smaller than the last snapshot generation, it must be referenced by that snapshot. That is true, except the snapshot could have since been deleted, without affecting the last snapshot generation. The original patch claimed a performance win from this check, but it also leads to a bug where you are unable to use a swapfile if you ever snapshotted the subvolume it's in. Make the check slower and more strict for the swapon case, without modifying the general cow checks as a compromise. Turning swap on does not seem to be a particularly performance sensitive operation, so incurring a possibly unnecessary btrfs_search_slot seems worthwhile for the added usability. Note: Until the snapshot is competely cleaned after deletion, check_committed_refs will still cause the logic to think that cow is necessary, so the user must until 'btrfs subvolu sync' finished before activating the swapfile swapon. CC: stable@vger.kernel.org # 5.4+ Suggested-by: Omar Sandoval Signed-off-by: Boris Burkov Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit b40d12b7da66943d14fa6dacb19fce84b107b4d1 Author: Filipe Manana Date: Fri Aug 14 11:04:09 2020 +0100 btrfs: fix space cache memory leak after transaction abort commit bbc37d6e475eee8ffa2156ec813efc6bbb43c06d upstream. If a transaction aborts it can cause a memory leak of the pages array of a block group's io_ctl structure. The following steps explain how that can happen: 1) Transaction N is committing, currently in state TRANS_STATE_UNBLOCKED and it's about to start writing out dirty extent buffers; 2) Transaction N + 1 already started and another task, task A, just called btrfs_commit_transaction() on it; 3) Block group B was dirtied (extents allocated from it) by transaction N + 1, so when task A calls btrfs_start_dirty_block_groups(), at the very beginning of the transaction commit, it starts writeback for the block group's space cache by calling btrfs_write_out_cache(), which allocates the pages array for the block group's io_ctl with a call to io_ctl_init(). Block group A is added to the io_list of transaction N + 1 by btrfs_start_dirty_block_groups(); 4) While transaction N's commit is writing out the extent buffers, it gets an IO error and aborts transaction N, also setting the file system to RO mode; 5) Task A has already returned from btrfs_start_dirty_block_groups(), is at btrfs_commit_transaction() and has set transaction N + 1 state to TRANS_STATE_COMMIT_START. Immediately after that it checks that the filesystem was turned to RO mode, due to transaction N's abort, and jumps to the "cleanup_transaction" label. After that we end up at btrfs_cleanup_one_transaction() which calls btrfs_cleanup_dirty_bgs(). That helper finds block group B in the transaction's io_list but it never releases the pages array of the block group's io_ctl, resulting in a memory leak. In fact at the point when we are at btrfs_cleanup_dirty_bgs(), the pages array points to pages that were already released by us at __btrfs_write_out_cache() through the call to io_ctl_drop_pages(). We end up freeing the pages array only after waiting for the ordered extent to complete through btrfs_wait_cache_io(), which calls io_ctl_free() to do that. But in the transaction abort case we don't wait for the space cache's ordered extent to complete through a call to btrfs_wait_cache_io(), so that's why we end up with a memory leak - we wait for the ordered extent to complete indirectly by shutting down the work queues and waiting for any jobs in them to complete before returning from close_ctree(). We can solve the leak simply by freeing the pages array right after releasing the pages (with the call to io_ctl_drop_pages()) at __btrfs_write_out_cache(), since we will never use it anymore after that and the pages array points to already released pages at that point, which is currently not a problem since no one will use it after that, but not a good practice anyway since it can easily lead to use-after-free issues. So fix this by freeing the pages array right after releasing the pages at __btrfs_write_out_cache(). This issue can often be reproduced with test case generic/475 from fstests and kmemleak can detect it and reports it with the following trace: unreferenced object 0xffff9bbf009fa600 (size 512): comm "fsstress", pid 38807, jiffies 4298504428 (age 22.028s) hex dump (first 32 bytes): 00 a0 7c 4d 3d ed ff ff 40 a0 7c 4d 3d ed ff ff ..|M=...@.|M=... 80 a0 7c 4d 3d ed ff ff c0 a0 7c 4d 3d ed ff ff ..|M=.....|M=... backtrace: [<00000000f4b5cfe2>] __kmalloc+0x1a8/0x3e0 [<0000000028665e7f>] io_ctl_init+0xa7/0x120 [btrfs] [<00000000a1f95b2d>] __btrfs_write_out_cache+0x86/0x4a0 [btrfs] [<00000000207ea1b0>] btrfs_write_out_cache+0x7f/0xf0 [btrfs] [<00000000af21f534>] btrfs_start_dirty_block_groups+0x27b/0x580 [btrfs] [<00000000c3c23d44>] btrfs_commit_transaction+0xa6f/0xe70 [btrfs] [<000000009588930c>] create_subvol+0x581/0x9a0 [btrfs] [<000000009ef2fd7f>] btrfs_mksubvol+0x3fb/0x4a0 [btrfs] [<00000000474e5187>] __btrfs_ioctl_snap_create+0x119/0x1a0 [btrfs] [<00000000708ee349>] btrfs_ioctl_snap_create_v2+0xb0/0xf0 [btrfs] [<00000000ea60106f>] btrfs_ioctl+0x12c/0x3130 [btrfs] [<000000005c923d6d>] __x64_sys_ioctl+0x83/0xb0 [<0000000043ace2c9>] do_syscall_64+0x33/0x80 [<00000000904efbce>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 CC: stable@vger.kernel.org # 4.9+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit c7e8c6f46869c813b1e4ae0562e88f61b4140353 Author: Josef Bacik Date: Mon Aug 10 17:31:16 2020 -0400 btrfs: check the right error variable in btrfs_del_dir_entries_in_log commit fb2fecbad50964b9f27a3b182e74e437b40753ef upstream. With my new locking code dbench is so much faster that I tripped over a transaction abort from ENOSPC. This turned out to be because btrfs_del_dir_entries_in_log was checking for ret == -ENOSPC, but this function sets err on error, and returns err. So instead of properly marking the inode as needing a full commit, we were returning -ENOSPC and aborting in __btrfs_unlink_inode. Fix this by checking the proper variable so that we return the correct thing in the case of ENOSPC. The ENOENT needs to be checked, because btrfs_lookup_dir_item_index() can return -ENOENT if the dir item isn't in the tree log (which would happen if we hadn't fsync'ed this guy). We actually handle that case in __btrfs_unlink_inode, so it's an expected error to get back. Fixes: 4a500fd178c8 ("Btrfs: Metadata ENOSPC handling for tree log") CC: stable@vger.kernel.org # 4.4+ Reviewed-by: Filipe Manana Signed-off-by: Josef Bacik Reviewed-by: David Sterba [ add note and comment about ENOENT ] Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit 204ed5f3f628166d4eea59e87c8197d68bb62096 Author: Marcos Paulo de Souza Date: Mon Aug 3 16:55:01 2020 -0300 btrfs: reset compression level for lzo on remount commit 282dd7d7718444679b046b769d872b188818ca35 upstream. Currently a user can set mount "-o compress" which will set the compression algorithm to zlib, and use the default compress level for zlib (3): relatime,compress=zlib:3,space_cache If the user remounts the fs using "-o compress=lzo", then the old compress_level is used: relatime,compress=lzo:3,space_cache But lzo does not expose any tunable compression level. The same happens if we set any compress argument with different level, also with zstd. Fix this by resetting the compress_level when compress=lzo is specified. With the fix applied, lzo is shown without compress level: relatime,compress=lzo,space_cache CC: stable@vger.kernel.org # 4.4+ Signed-off-by: Marcos Paulo de Souza Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit b4cbbc1305f0cb0a70adb47d026619fad3f4d9cb Author: Ming Lei Date: Mon Aug 17 18:01:15 2020 +0800 blk-mq: order adding requests to hctx->dispatch and checking SCHED_RESTART commit d7d8535f377e9ba87edbf7fbbd634ac942f3f54f upstream. SCHED_RESTART code path is relied to re-run queue for dispatch requests in hctx->dispatch. Meantime the SCHED_RSTART flag is checked when adding requests to hctx->dispatch. memory barriers have to be used for ordering the following two pair of OPs: 1) adding requests to hctx->dispatch and checking SCHED_RESTART in blk_mq_dispatch_rq_list() 2) clearing SCHED_RESTART and checking if there is request in hctx->dispatch in blk_mq_sched_restart(). Without the added memory barrier, either: 1) blk_mq_sched_restart() may miss requests added to hctx->dispatch meantime blk_mq_dispatch_rq_list() observes SCHED_RESTART, and not run queue in dispatch side or 2) blk_mq_dispatch_rq_list still sees SCHED_RESTART, and not run queue in dispatch side, meantime checking if there is request in hctx->dispatch from blk_mq_sched_restart() is missed. IO hang in ltp/fs_fill test is reported by kernel test robot: https://lkml.org/lkml/2020/7/26/77 Turns out it is caused by the above out-of-order OPs. And the IO hang can't be observed any more after applying this patch. Fixes: bd166ef183c2 ("blk-mq-sched: add framework for MQ capable IO schedulers") Reported-by: kernel test robot Signed-off-by: Ming Lei Reviewed-by: Christoph Hellwig Cc: Bart Van Assche Cc: Christoph Hellwig Cc: David Jeffery Cc: Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 649b6c86ccf7a7c0c82846fd71accb4c2f3ea69c Author: Hans de Goede Date: Tue Aug 11 15:39:58 2020 +0200 HID: i2c-hid: Always sleep 60ms after I2C_HID_PWR_ON commands commit eef4016243e94c438f177ca8226876eb873b9c75 upstream. Before this commit i2c_hid_parse() consists of the following steps: 1. Send power on cmd 2. usleep_range(1000, 5000) 3. Send reset cmd 4. Wait for reset to complete (device interrupt, or msleep(100)) 5. Send power on cmd 6. Try to read HID descriptor Notice how there is an usleep_range(1000, 5000) after the first power-on command, but not after the second power-on command. Testing has shown that at least on the BMAX Y13 laptop's i2c-hid touchpad, not having a delay after the second power-on command causes the HID descriptor to read as all zeros. In case we hit this on other devices too, the descriptor being all zeros can be recognized by the following message being logged many, many times: hid-generic 0018:0911:5288.0002: unknown main item tag 0x0 At the same time as the BMAX Y13's touchpad issue was debugged, Kai-Heng was working on debugging some issues with Goodix i2c-hid touchpads. It turns out that these need a delay after a PWR_ON command too, otherwise they stop working after a suspend/resume cycle. According to Goodix a delay of minimal 60ms is needed. Having multiple cases where we need a delay after sending the power-on command, seems to indicate that we should always sleep after the power-on command. This commit fixes the mentioned issues by moving the existing 1ms sleep to the i2c_hid_set_power() function and changing it to a 60ms sleep. Cc: stable@vger.kernel.org BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208247 Reported-by: Kai-Heng Feng Reported-and-tested-by: Andrea Borgia Signed-off-by: Hans de Goede Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 7aaaf975dd4c2c80aaa0859898c6a92517ec2aee Author: Ming Lei Date: Mon Aug 17 18:01:30 2020 +0800 block: loop: set discard granularity and alignment for block device backed loop commit bcb21c8cc9947286211327d663ace69f07d37a76 upstream. In case of block device backend, if the backend supports write zeros, the loop device will set queue flag of QUEUE_FLAG_DISCARD. However, limits.discard_granularity isn't setup, and this way is wrong, see the following description in Documentation/ABI/testing/sysfs-block: A discard_granularity of 0 means that the device does not support discard functionality. Especially 9b15d109a6b2 ("block: improve discard bio alignment in __blkdev_issue_discard()") starts to take q->limits.discard_granularity for computing max discard sectors. And zero discard granularity may cause kernel oops, or fail discard request even though the loop queue claims discard support via QUEUE_FLAG_DISCARD. Fix the issue by setup discard granularity and alignment. Fixes: c52abf563049 ("loop: Better discard support for block devices") Signed-off-by: Ming Lei Reviewed-by: Christoph Hellwig Acked-by: Coly Li Cc: Hannes Reinecke Cc: Xiao Ni Cc: Martin K. Petersen Cc: Evan Green Cc: Gwendal Grignou Cc: Chaitanya Kulkarni Cc: Andrzej Pietrasiewicz Cc: Christoph Hellwig Cc: Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7b85140f7060b623caaf1512cd7eb96392c90f44 Author: Keith Busch Date: Thu Aug 6 14:58:37 2020 -0700 block: fix get_max_io_size() commit e4b469c66f3cbb81c2e94d31123d7bcdf3c1dabd upstream. A previous commit aligning splits to physical block sizes inadvertently modified one return case such that that it now returns 0 length splits when the number of sectors doesn't exceed the physical offset. This later hits a BUG in bio_split(). Restore the previous working behavior. Fixes: 9cc5169cd478b ("block: Improve physical block alignment of split bios") Reported-by: Eric Deal Signed-off-by: Keith Busch Cc: Bart Van Assche Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 8245d79338b7c86d36323e760d820f0ef63d3369 Author: Tim Harvey Date: Thu Aug 27 10:20:24 2020 -0700 hwmon: (gsc-hwmon) Scale temperature to millidegrees commit c1ae18d313e24bc7833e1749dd36dba5d47f259c upstream. The GSC registers report temperature in decidegrees celcius so we need to scale it to represent the hwmon sysfs API of millidegrees. Cc: stable@vger.kernel.org Fixes: 3bce5377ef66 ("hwmon: Add Gateworks System Controller support") Signed-off-by: Tim Harvey Link: https://lore.kernel.org/r/1598548824-16898-1-git-send-email-tharvey@gateworks.com Signed-off-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit faf428a8d81c8d8eb7b884c7c7b14e3b66431b87 Author: Marc Zyngier Date: Fri Jul 31 18:38:24 2020 +0100 arm64: Allow booting of late CPUs affected by erratum 1418040 [ Upstream commit bf87bb0881d0f59181fe3bbcf29c609f36483ff8 ] As we can now switch from a system that isn't affected by 1418040 to a system that globally is affected, let's allow affected CPUs to come in at a later time. Signed-off-by: Marc Zyngier Tested-by: Sai Prakash Ranjan Reviewed-by: Stephen Boyd Reviewed-by: Suzuki K Poulose Acked-by: Will Deacon Link: https://lore.kernel.org/r/20200731173824.107480-3-maz@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit e028fa961a3acf7b4a5b774ac1ae403fa3f93405 Author: Marc Zyngier Date: Fri Jul 31 18:38:23 2020 +0100 arm64: Move handling of erratum 1418040 into C code [ Upstream commit d49f7d7376d0c0daf8680984a37bd07581ac7d38 ] Instead of dealing with erratum 1418040 on each entry and exit, let's move the handling to __switch_to() instead, which has several advantages: - It can be applied when it matters (switching between 32 and 64 bit tasks). - It is written in C (yay!) - It can rely on static keys rather than alternatives Signed-off-by: Marc Zyngier Tested-by: Sai Prakash Ranjan Reviewed-by: Stephen Boyd Acked-by: Will Deacon Link: https://lore.kernel.org/r/20200731173824.107480-2-maz@kernel.org Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit 736d8a6a73be34333e6df0849c8d0efe41ea6ac1 Author: Yauheni Kaliuta Date: Thu Aug 20 14:58:43 2020 +0300 bpf: selftests: global_funcs: Check err_str before strstr [ Upstream commit c210773d6c6f595f5922d56b7391fe343bc7310e ] The error path in libbpf.c:load_program() has calls to pr_warn() which ends up for global_funcs tests to test_global_funcs.c:libbpf_debug_print(). For the tests with no struct test_def::err_str initialized with a string, it causes call of strstr() with NULL as the second argument and it segfaults. Fix it by calling strstr() only for non-NULL err_str. Signed-off-by: Yauheni Kaliuta Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200820115843.39454-1-yauheni.kaliuta@redhat.com Signed-off-by: Sasha Levin commit d5a4d2f25d77133364a1a25d053818981e4bca44 Author: Toke Høiland-Jørgensen Date: Wed Aug 19 13:05:34 2020 +0200 libbpf: Fix map index used in error message [ Upstream commit 1e891e513e16c145cc9b45b1fdb8bf4a4f2f9557 ] The error message emitted by bpf_object__init_user_btf_maps() was using the wrong section ID. Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20200819110534.9058-1-toke@redhat.com Signed-off-by: Sasha Levin commit 1c20c32e8a2a58909adb72aaf9c0be87c9ead0c4 Author: Athira Rajeev Date: Thu Aug 6 08:46:32 2020 -0400 powerpc/perf: Fix soft lockups due to missed interrupt accounting [ Upstream commit 17899eaf88d689529b866371344c8f269ba79b5f ] Performance monitor interrupt handler checks if any counter has overflown and calls record_and_restart() in core-book3s which invokes perf_event_overflow() to record the sample information. Apart from creating sample, perf_event_overflow() also does the interrupt and period checks via perf_event_account_interrupt(). Currently we record information only if the SIAR (Sampled Instruction Address Register) valid bit is set (using siar_valid() check) and hence the interrupt check. But it is possible that we do sampling for some events that are not generating valid SIAR, and hence there is no chance to disable the event if interrupts are more than max_samples_per_tick. This leads to soft lockup. Fix this by adding perf_event_account_interrupt() in the invalid SIAR code path for a sampling event. ie if SIAR is invalid, just do interrupt check and don't record the sample information. Reported-by: Alexey Kardashevskiy Signed-off-by: Athira Rajeev Tested-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/1596717992-7321-1-git-send-email-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit d3499d206c5d8e6fc428f78538a477f54e4c640e Author: brookxu Date: Mon Aug 17 15:36:15 2020 +0800 ext4: limit the length of per-inode prealloc list [ Upstream commit 27bc446e2def38db3244a6eb4bb1d6312936610a ] In the scenario of writing sparse files, the per-inode prealloc list may be very long, resulting in high overhead for ext4_mb_use_preallocated(). To circumvent this problem, we limit the maximum length of per-inode prealloc list to 512 and allow users to modify it. After patching, we observed that the sys ratio of cpu has dropped, and the system throughput has increased significantly. We created a process to write the sparse file, and the running time of the process on the fixed kernel was significantly reduced, as follows: Running time on unfixed kernel: [root@TENCENT64 ~]# time taskset 0x01 ./sparse /data1/sparce.dat real 0m2.051s user 0m0.008s sys 0m2.026s Running time on fixed kernel: [root@TENCENT64 ~]# time taskset 0x01 ./sparse /data1/sparce.dat real 0m0.471s user 0m0.004s sys 0m0.395s Signed-off-by: Chunguang Xu Link: https://lore.kernel.org/r/d7a98178-056b-6db5-6bce-4ead23f4a257@gmail.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 61aacc3594c904947f3e1f7adf77d6b37c597d92 Author: Yonghong Song Date: Tue Aug 18 15:23:10 2020 -0700 bpf: Avoid visit same object multiple times [ Upstream commit e60572b8d4c39572be6857d1ec91fdf979f8775f ] Currently when traversing all tasks, the next tid is always increased by one. This may result in visiting the same task multiple times in a pid namespace. This patch fixed the issue by seting the next tid as pid_nr_ns(pid, ns) + 1, similar to funciton next_tgid(). Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Cc: Rik van Riel Link: https://lore.kernel.org/bpf/20200818222310.2181500-1-yhs@fb.com Signed-off-by: Sasha Levin commit 2d9018e5e6e21ecb611175460fabfcad774c3b40 Author: Yonghong Song Date: Tue Aug 18 15:23:09 2020 -0700 bpf: Fix a rcu_sched stall issue with bpf task/task_file iterator [ Upstream commit e679654a704e5bd676ea6446fa7b764cbabf168a ] In our production system, we observed rcu stalls when 'bpftool prog` is running. rcu: INFO: rcu_sched self-detected stall on CPU rcu: \x097-....: (20999 ticks this GP) idle=302/1/0x4000000000000000 softirq=1508852/1508852 fqs=4913 \x09(t=21031 jiffies g=2534773 q=179750) NMI backtrace for cpu 7 CPU: 7 PID: 184195 Comm: bpftool Kdump: loaded Tainted: G W 5.8.0-00004-g68bfc7f8c1b4 #6 Hardware name: Quanta Twin Lakes MP/Twin Lakes Passive MP, BIOS F09_3A17 05/03/2019 Call Trace: dump_stack+0x57/0x70 nmi_cpu_backtrace.cold+0x14/0x53 ? lapic_can_unplug_cpu.cold+0x39/0x39 nmi_trigger_cpumask_backtrace+0xb7/0xc7 rcu_dump_cpu_stacks+0xa2/0xd0 rcu_sched_clock_irq.cold+0x1ff/0x3d9 ? tick_nohz_handler+0x100/0x100 update_process_times+0x5b/0x90 tick_sched_timer+0x5e/0xf0 __hrtimer_run_queues+0x12a/0x2a0 hrtimer_interrupt+0x10e/0x280 __sysvec_apic_timer_interrupt+0x51/0xe0 asm_call_on_stack+0xf/0x20 sysvec_apic_timer_interrupt+0x6f/0x80 asm_sysvec_apic_timer_interrupt+0x12/0x20 RIP: 0010:task_file_seq_get_next+0x71/0x220 Code: 00 00 8b 53 1c 49 8b 7d 00 89 d6 48 8b 47 20 44 8b 18 41 39 d3 76 75 48 8b 4f 20 8b 01 39 d0 76 61 41 89 d1 49 39 c1 48 19 c0 <48> 8b 49 08 21 d0 48 8d 04 c1 4c 8b 08 4d 85 c9 74 46 49 8b 41 38 RSP: 0018:ffffc90006223e10 EFLAGS: 00000297 RAX: ffffffffffffffff RBX: ffff888f0d172388 RCX: ffff888c8c07c1c0 RDX: 00000000000f017b RSI: 00000000000f017b RDI: ffff888c254702c0 RBP: ffffc90006223e68 R08: ffff888be2a1c140 R09: 00000000000f017b R10: 0000000000000002 R11: 0000000000100000 R12: ffff888f23c24118 R13: ffffc90006223e60 R14: ffffffff828509a0 R15: 00000000ffffffff task_file_seq_next+0x52/0xa0 bpf_seq_read+0xb9/0x320 vfs_read+0x9d/0x180 ksys_read+0x5f/0xe0 do_syscall_64+0x38/0x60 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7f8815f4f76e Code: c0 e9 f6 fe ff ff 55 48 8d 3d 76 70 0a 00 48 89 e5 e8 36 06 02 00 66 0f 1f 44 00 00 64 8b 04 25 18 00 00 00 85 c0 75 14 0f 05 <48> 3d 00 f0 ff ff 77 52 c3 66 0f 1f 84 00 00 00 00 00 55 48 89 e5 RSP: 002b:00007fff8f9df578 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 RAX: ffffffffffffffda RBX: 000000000170b9c0 RCX: 00007f8815f4f76e RDX: 0000000000001000 RSI: 00007fff8f9df5b0 RDI: 0000000000000007 RBP: 00007fff8f9e05f0 R08: 0000000000000049 R09: 0000000000000010 R10: 00007f881601fa40 R11: 0000000000000246 R12: 00007fff8f9e05a8 R13: 00007fff8f9e05a8 R14: 0000000001917f90 R15: 000000000000e22e Note that `bpftool prog` actually calls a task_file bpf iterator program to establish an association between prog/map/link/btf anon files and processes. In the case where the above rcu stall occured, we had a process having 1587 tasks and each task having roughly 81305 files. This implied 129 million bpf prog invocations. Unfortunwtely none of these files are prog/map/link/btf files so bpf iterator/prog needs to traverse all these files and not able to return to user space since there are no seq_file buffer overflow. This patch fixed the issue in bpf_seq_read() to limit the number of visited objects. If the maximum number of visited objects is reached, no more objects will be visited in the current syscall. If there is nothing written in the seq_file buffer, -EAGAIN will return to the user so user can try again. The maximum number of visited objects is set at 1 million. In our Intel Xeon D-2191 2.3GHZ 18-core server, bpf_seq_read() visiting 1 million files takes around 0.18 seconds. We did not use cond_resched() since for some iterators, e.g., netlink iterator, where rcu read_lock critical section spans between consecutive seq_ops->next(), which makes impossible to do cond_resched() in the key while loop of function bpf_seq_read(). Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Cc: Paul E. McKenney Link: https://lore.kernel.org/bpf/20200818222309.2181348-1-yhs@fb.com Signed-off-by: Sasha Levin commit 3636ca3d046f436e44ce5e8b8e3a4b82cdb5dd19 Author: Huang Rui Date: Tue Aug 11 13:54:56 2020 +0800 drm/amdkfd: fix the wrong sdma instance query for renoir [ Upstream commit 34174b89bfa495bed9cddcc504fb38feca90fab7 ] Renoir only has one sdma instance, it will get failed once query the sdma1 registers. So use switch-case instead of static register array. Signed-off-by: Huang Rui Reviewed-by: Alex Deucher Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit eb9f5a5bf4022d93dea362f7c4c12177fa8fe664 Author: Guchun Chen Date: Thu Aug 13 14:35:35 2020 +0800 drm/amdgpu: fix NULL pointer access issue when unloading driver [ Upstream commit 1a68d96f81b8e7eb2a121fbf9abf9e5974e58832 ] When unloading driver by "modprobe -r amdgpu", one NULL pointer dereference bug occurs in ras debugfs releasing. The cause is the duplicated debugfs_remove, as drm debugfs_root dir has been cleaned up already by drm_minor_unregister. BUG: kernel NULL pointer dereference, address: 00000000000000a0 PGD 0 P4D 0 Oops: 0002 [#1] SMP PTI CPU: 11 PID: 1526 Comm: modprobe Tainted: G OE 5.6.0-guchchen #1 Hardware name: System manufacturer System Product Name/TUF Z370-PLUS GAMING II, BIOS 0411 09/21/2018 RIP: 0010:down_write+0x15/0x40 Code: eb de e8 7e 17 72 ff cc cc cc cc cc cc cc cc cc cc cc cc cc cc 0f 1f 44 00 00 53 48 89 fb e8 92 d8 ff ff 31 c0 ba 01 00 00 00 48 0f b1 13 75 0f 65 48 8b 04 25 c0 8b 01 00 48 89 43 08 5b c3 RSP: 0018:ffffb1590386fcd0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 00000000000000a0 RCX: 0000000000000000 RDX: 0000000000000001 RSI: ffffffff85b2fcc2 RDI: 00000000000000a0 RBP: ffffb1590386fd30 R08: ffffffff85b2fcc2 R09: 000000000002b3c0 R10: ffff97a330618c40 R11: 00000000000005f6 R12: ffff97a3481beb40 R13: 00000000000000a0 R14: ffff97a3481beb40 R15: 0000000000000000 FS: 00007fb11a717540(0000) GS:ffff97a376cc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000a0 CR3: 00000004066d6006 CR4: 00000000003606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: simple_recursive_removal+0x63/0x370 ? debugfs_remove+0x60/0x60 debugfs_remove+0x40/0x60 amdgpu_ras_fini+0x82/0x230 [amdgpu] ? __kernfs_remove.part.17+0x101/0x1f0 ? kernfs_name_hash+0x12/0x80 amdgpu_device_fini+0x1c0/0x580 [amdgpu] amdgpu_driver_unload_kms+0x3e/0x70 [amdgpu] amdgpu_pci_remove+0x36/0x60 [amdgpu] pci_device_remove+0x3b/0xb0 device_release_driver_internal+0xe5/0x1c0 driver_detach+0x46/0x90 bus_remove_driver+0x58/0xd0 pci_unregister_driver+0x29/0x90 amdgpu_exit+0x11/0x25 [amdgpu] __x64_sys_delete_module+0x13d/0x210 do_syscall_64+0x5f/0x250 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Signed-off-by: Guchun Chen Reviewed-by: Tao Zhou Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 833e41f79c7768d21d3ba4c82959ffc4b91ac4c0 Author: Sumera Priyadarsini Date: Wed Aug 19 00:22:41 2020 +0530 net: gianfar: Add of_node_put() before goto statement [ Upstream commit 989e4da042ca4a56bbaca9223d1a93639ad11e17 ] Every iteration of for_each_available_child_of_node() decrements reference count of the previous node, however when control is transferred from the middle of the loop, as in the case of a return or break or goto, there is no decrement thus ultimately resulting in a memory leak. Fix a potential memory leak in gianfar.c by inserting of_node_put() before the goto statement. Issue found with Coccinelle. Signed-off-by: Sumera Priyadarsini Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a8f90da8480cce708adb1b7b243e714cb089cffd Author: Alvin Šipraga Date: Tue Aug 18 10:51:34 2020 +0200 macvlan: validate setting of multiple remote source MAC addresses [ Upstream commit 8b61fba503904acae24aeb2bd5569b4d6544d48f ] Remote source MAC addresses can be set on a 'source mode' macvlan interface via the IFLA_MACVLAN_MACADDR_DATA attribute. This commit tightens the validation of these MAC addresses to match the validation already performed when setting or adding a single MAC address via the IFLA_MACVLAN_MACADDR attribute. iproute2 uses IFLA_MACVLAN_MACADDR_DATA for its 'macvlan macaddr set' command, and IFLA_MACVLAN_MACADDR for its 'macvlan macaddr add' command, which demonstrates the inconsistent behaviour that this commit addresses: # ip link add link eth0 name macvlan0 type macvlan mode source # ip link set link dev macvlan0 type macvlan macaddr add 01:00:00:00:00:00 RTNETLINK answers: Cannot assign requested address # ip link set link dev macvlan0 type macvlan macaddr set 01:00:00:00:00:00 # ip -d link show macvlan0 5: macvlan0@eth0: mtu 1500 ... link/ether 2e:ac:fd:2d:69:f8 brd ff:ff:ff:ff:ff:ff promiscuity 0 macvlan mode source remotes (1) 01:00:00:00:00:00 numtxqueues 1 ... With this change, the 'set' command will (rightly) fail in the same way as the 'add' command. Signed-off-by: Alvin Šipraga Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cd8e4a8c7416fcbbabdcb6ef045958e03c8c8e1c Author: Saurav Kashyap Date: Thu Aug 6 04:10:13 2020 -0700 Revert "scsi: qla2xxx: Fix crash on qla2x00_mailbox_command" [ Upstream commit de7e6194301ad31c4ce95395eb678e51a1b907e5 ] FCoE adapter initialization failed for ISP8021 with the following patch applied. In addition, reproduction of the issue the patch originally tried to address has been unsuccessful. This reverts commit 3cb182b3fa8b7a61f05c671525494697cba39c6a. Link: https://lore.kernel.org/r/20200806111014.28434-11-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a36de930485f894b7be8418436891c00df8b555b Author: Quinn Tran Date: Thu Aug 6 04:10:12 2020 -0700 scsi: qla2xxx: Fix null pointer access during disconnect from subsystem [ Upstream commit 83949613fac61e8e37eadf8275bf072342302f4e ] NVMEAsync command is being submitted to QLA while the same NVMe controller is in the middle of reset. The reset path has deleted the association and freed aen_op->fcp_req.private. Add a check for this private pointer before issuing the command. ... 6 [ffffb656ca11fce0] page_fault at ffffffff8c00114e [exception RIP: qla_nvme_post_cmd+394] RIP: ffffffffc0d012ba RSP: ffffb656ca11fd98 RFLAGS: 00010206 RAX: ffff8fb039eda228 RBX: ffff8fb039eda200 RCX: 00000000000da161 RDX: ffffffffc0d4d0f0 RSI: ffffffffc0d26c9b RDI: ffff8fb039eda220 RBP: 0000000000000013 R8: ffff8fb47ff6aa80 R9: 0000000000000002 R10: 0000000000000000 R11: ffffb656ca11fdc8 R12: ffff8fb27d04a3b0 R13: ffff8fc46dd98a58 R14: 0000000000000000 R15: ffff8fc4540f0000 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 7 [ffffb656ca11fe08] nvme_fc_start_fcp_op at ffffffffc0241568 [nvme_fc] 8 [ffffb656ca11fe50] nvme_fc_submit_async_event at ffffffffc0241901 [nvme_fc] 9 [ffffb656ca11fe68] nvme_async_event_work at ffffffffc014543d [nvme_core] 10 [ffffb656ca11fe98] process_one_work at ffffffff8b6cd437 11 [ffffb656ca11fed8] worker_thread at ffffffff8b6cdcef 12 [ffffb656ca11ff10] kthread at ffffffff8b6d3402 13 [ffffb656ca11ff50] ret_from_fork at ffffffff8c000255 -- PID: 37824 TASK: ffff8fb033063d80 CPU: 20 COMMAND: "kworker/u97:451" 0 [ffffb656ce1abc28] __schedule at ffffffff8be629e3 1 [ffffb656ce1abcc8] schedule at ffffffff8be62fe8 2 [ffffb656ce1abcd0] schedule_timeout at ffffffff8be671ed 3 [ffffb656ce1abd70] wait_for_completion at ffffffff8be639cf 4 [ffffb656ce1abdd0] flush_work at ffffffff8b6ce2d5 5 [ffffb656ce1abe70] nvme_stop_ctrl at ffffffffc0144900 [nvme_core] 6 [ffffb656ce1abe80] nvme_fc_reset_ctrl_work at ffffffffc0243445 [nvme_fc] 7 [ffffb656ce1abe98] process_one_work at ffffffff8b6cd437 8 [ffffb656ce1abed8] worker_thread at ffffffff8b6cdb50 9 [ffffb656ce1abf10] kthread at ffffffff8b6d3402 10 [ffffb656ce1abf50] ret_from_fork at ffffffff8c000255 Link: https://lore.kernel.org/r/20200806111014.28434-10-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aa6373e5f9d6f33b391d0d7d6367b87104d5cef5 Author: Saurav Kashyap Date: Thu Aug 6 04:10:11 2020 -0700 scsi: qla2xxx: Check if FW supports MQ before enabling [ Upstream commit dffa11453313a115157b19021cc2e27ea98e624c ] OS boot during Boot from SAN was stuck at dracut emergency shell after enabling NVMe driver parameter. For non-MQ support the driver was enabling MQ. Add a check to confirm if FW supports MQ. Link: https://lore.kernel.org/r/20200806111014.28434-9-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3d2419958fc5afe874bdac28504250f42d0631d3 Author: Quinn Tran Date: Thu Aug 6 04:10:07 2020 -0700 scsi: qla2xxx: Fix login timeout [ Upstream commit abb31aeaa9b20680b0620b23fea5475ea4591e31 ] Multipath errors were seen during failback due to login timeout. The remote device sent LOGO, the local host tore down the session and did relogin. The RSCN arrived indicates remote device is going through failover after which the relogin is in a 20s timeout phase. At this point the driver is stuck in the relogin process. Add a fix to delete the session as part of abort/flush the login. Link: https://lore.kernel.org/r/20200806111014.28434-5-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit eb34d23c94734f762624fbd9f98903feeb7fd771 Author: Quinn Tran Date: Thu Aug 6 04:10:06 2020 -0700 scsi: qla2xxx: Indicate correct supported speeds for Mezz card [ Upstream commit 4709272f6327cc4a8ee1dc55771bcf9718346980 ] Correct the supported speeds for 16G Mezz card. Link: https://lore.kernel.org/r/20200806111014.28434-4-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 580ffb7fd6213b0dccc0439a56f7f60e64a77604 Author: Quinn Tran Date: Thu Aug 6 04:10:05 2020 -0700 scsi: qla2xxx: Flush I/O on zone disable [ Upstream commit a117579d0205b5a0592a3a98493e2b875e4da236 ] Perform implicit logout to flush I/O on zone disable. Link: https://lore.kernel.org/r/20200806111014.28434-3-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2626e3b023ffcffedc655bf588398a47b2ac789e Author: Quinn Tran Date: Thu Aug 6 04:10:04 2020 -0700 scsi: qla2xxx: Flush all sessions on zone disable [ Upstream commit 10ae30ba664822f62de169a61628e31c999c7cc8 ] On Zone Disable, certain switches would ignore all commands. This causes timeout for both switch scan command and abort of that command. On detection of this condition, all sessions will be shutdown. Link: https://lore.kernel.org/r/20200806111014.28434-2-njavali@marvell.com Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 018360efe867a9e3282009c5f55ab21907443e92 Author: Douglas Gilbert Date: Thu Aug 13 11:57:38 2020 -0400 scsi: scsi_debug: Fix scp is NULL errors [ Upstream commit 223f91b48079227f914657f07d2d686f7b60aa26 ] John Garry reported 'sdebug_q_cmd_complete: scp is NULL' failures that were mainly seen on aarch64 machines (e.g. RPi 4 with four A72 CPUs). The problem was tracked down to a missing critical section on a "short circuit" path. Namely, the time to process the current command so far has already exceeded the requested command duration (i.e. the number of nanoseconds in the ndelay parameter). The random=1 parameter setting was pivotal in finding this error. The failure scenario involved first taking that "short circuit" path (due to a very short command duration) and then taking the more likely hrtimer_start() path (due to a longer command duration). With random=1 each command's duration is taken from the uniformly distributed [0..ndelay) interval. The fio utility also helped by reliably generating the error scenario at about once per minute on a RPi 4 (64 bit OS). Link: https://lore.kernel.org/r/20200813155738.109298-1-dgilbert@interlog.com Reported-by: John Garry Reviewed-by: Lee Duncan Signed-off-by: Douglas Gilbert Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 56f13789a05ad60a584c99efa0075eae30a81c77 Author: Stanley Chu Date: Tue Aug 11 16:18:58 2020 +0200 scsi: ufs: Clean up completed request without interrupt notification [ Upstream commit b10178ee7fa88b68a9e8adc06534d2605cb0ec23 ] If somehow no interrupt notification is raised for a completed request and its doorbell bit is cleared by host, UFS driver needs to cleanup its outstanding bit in ufshcd_abort(). Otherwise, system may behave abnormally in the following scenario: After ufshcd_abort() returns, this request will be requeued by SCSI layer with its outstanding bit set. Any future completed request will trigger ufshcd_transfer_req_compl() to handle all "completed outstanding bits". At this time the "abnormal outstanding bit" will be detected and the "requeued request" will be chosen to execute request post-processing flow. This is wrong because this request is still "alive". Link: https://lore.kernel.org/r/20200811141859.27399-2-huobean@gmail.com Reviewed-by: Can Guo Acked-by: Avri Altman Signed-off-by: Stanley Chu Signed-off-by: Bean Huo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 91be3977cc3404a55441925b1f6659ac07ce4e42 Author: Adrian Hunter Date: Tue Aug 11 16:39:36 2020 +0300 scsi: ufs: Improve interrupt handling for shared interrupts [ Upstream commit 127d5f7c4b653b8be5eb3b2c7bbe13728f9003ff ] For shared interrupts, the interrupt status might be zero, so check that first. Link: https://lore.kernel.org/r/20200811133936.19171-2-adrian.hunter@intel.com Reviewed-by: Avri Altman Signed-off-by: Adrian Hunter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 33cf91947c845c74f78c8890c8419778ecbff488 Author: Stanley Chu Date: Sun Aug 9 13:07:34 2020 +0800 scsi: ufs: Fix possible infinite loop in ufshcd_hold [ Upstream commit 93b6c5db06028a3b55122bbb74d0715dd8ca4ae0 ] In ufshcd_suspend(), after clk-gating is suspended and link is set as Hibern8 state, ufshcd_hold() is still possibly invoked before ufshcd_suspend() returns. For example, MediaTek's suspend vops may issue UIC commands which would call ufshcd_hold() during the command issuing flow. Now if UFSHCD_CAP_HIBERN8_WITH_CLK_GATING capability is enabled, then ufshcd_hold() may enter infinite loops because there is no clk-ungating work scheduled or pending. In this case, ufshcd_hold() shall just bypass, and keep the link as Hibern8 state. Link: https://lore.kernel.org/r/20200809050734.18740-1-stanley.chu@mediatek.com Reviewed-by: Avri Altman Co-developed-by: Andy Teng Signed-off-by: Andy Teng Signed-off-by: Stanley Chu Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4ef551cd2f8b8c997a63dde466641445c701f66c Author: Mike Christie Date: Fri Aug 7 15:23:33 2020 -0500 scsi: fcoe: Fix I/O path allocation [ Upstream commit fa39ab5184d64563cd36f2fb5f0d3fbad83a432c ] ixgbe_fcoe_ddp_setup() can be called from the main I/O path and is called with a spin_lock held, so we have to use GFP_ATOMIC allocation instead of GFP_KERNEL. Link: https://lore.kernel.org/r/1596831813-9839-1-git-send-email-michael.christie@oracle.com cc: Hannes Reinecke Reviewed-by: Lee Duncan Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 5dd18770d9193429094feff9356b0a43164c6ac8 Author: David Ahern Date: Mon Aug 17 09:43:33 2020 -0600 selftests: disable rp_filter for icmp_redirect.sh [ Upstream commit bcf7ddb0186d366f761f86196b480ea6dd2dc18c ] h1 is initially configured to reach h2 via r1 rather than the more direct path through r2. If rp_filter is set and inherited for r2, forwarding fails since the source address of h1 is reachable from eth0 vs the packet coming to it via r1 and eth1. Since rp_filter setting affects the test, explicitly reset it. Signed-off-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8e6025686c8a00d08c710938488aa1618d570252 Author: Tom Yan Date: Tue Aug 18 01:20:11 2020 +0800 ALSA: usb-audio: ignore broken processing/extension unit [ Upstream commit d8d0db7bb358ef65d60726a61bfcd08eccff0bc0 ] Some devices have broken extension unit where getting current value doesn't work. Attempt that once when creating mixer control for it. If it fails, just ignore it, so that it won't cripple the device entirely (and/or make the error floods). Signed-off-by: Tom Yan Link: https://lore.kernel.org/r/5f3abc52.1c69fb81.9cf2.fe91@mx.google.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ee4dd74d08725c1abc9052e6e900c3105e9e7edc Author: Sylwester Nawrocki Date: Fri Jul 31 19:38:34 2020 +0200 ASoC: wm8994: Avoid attempts to read unreadable registers [ Upstream commit f082bb59b72039a2326ec1a44496899fb8aa6d0e ] The driver supports WM1811, WM8994, WM8958 devices but according to documentation and the regmap definitions the WM8958_DSP2_* registers are only available on WM8958. In current code these registers are being accessed as if they were available on all the three chips. When starting playback on WM1811 CODEC multiple errors like: "wm8994-codec wm8994-codec: ASoC: error at soc_component_read_no_lock on wm8994-codec: -5" can be seen, which is caused by attempts to read an unavailable WM8958_DSP2_PROGRAM register. The issue has been uncovered by recent commit "e2329ee ASoC: soc-component: add soc_component_err()". This patch adds a check in wm8958_aif_ev() callback so the DSP2 handling is only done for WM8958. Signed-off-by: Sylwester Nawrocki Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20200731173834.23832-1-s.nawrocki@samsung.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 42f9f777f953a276bdc74cd75ede984399436594 Author: Vineeth Vijayan Date: Thu Jun 18 16:42:45 2020 +0200 s390/cio: add cond_resched() in the slow_eval_known_fn() loop [ Upstream commit 0b8eb2ee9da1e8c9b8082f404f3948aa82a057b2 ] The scanning through subchannels during the time of an event could take significant amount of time in case of platforms with lots of known subchannels. This might result in higher scheduling latencies for other tasks especially on systems with a single CPU. Add cond_resched() call, as the loop in slow_eval_known_fn() can be executed for a longer duration. Reviewed-by: Peter Oberparleiter Signed-off-by: Vineeth Vijayan Signed-off-by: Heiko Carstens Signed-off-by: Sasha Levin commit f3637a82e1f8fc280afd80252e05ffc01a9120c0 Author: Mike Pozulp Date: Sun Aug 16 21:32:17 2020 -0700 ALSA: hda/realtek: Add model alc298-samsung-headphone [ Upstream commit 23dc958689449be85e39351a8c809c3d344b155b ] The very quiet and distorted headphone output bug that afflicted my Samsung Notebook 9 is appearing in many other Samsung laptops. Expose the quirk which fixed my laptop as a model so other users can try it. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=207423 Signed-off-by: Mike Pozulp Link: https://lore.kernel.org/r/20200817043219.458889-1-pozulp.kernel@gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit effc2c1250cf46be3925bc437090c402833d98ae Author: Xie He Date: Thu Aug 13 11:17:04 2020 -0700 drivers/net/wan/hdlc_x25: Added needed_headroom and a skb->len check [ Upstream commit 77b981c82c1df7c7ad32a046f17f007450b46954 ] 1. Added a skb->len check This driver expects upper layers to include a pseudo header of 1 byte when passing down a skb for transmission. This driver will read this 1-byte header. This patch added a skb->len check before reading the header to make sure the header exists. 2. Added needed_headroom and set hard_header_len to 0 When this driver transmits data, first this driver will remove a pseudo header of 1 byte, then the lapb module will prepend the LAPB header of 2 or 3 bytes. So the value of needed_headroom in this driver should be 3 - 1. Because this driver has no header_ops, according to the logic of af_packet.c, the value of hard_header_len should be 0. Reason of setting needed_headroom and hard_header_len at this place: This driver is written using the API of the hdlc module, the hdlc module enables this driver (the protocol driver) to run on any hardware that has a driver (the hardware driver) written using the API of the hdlc module. Two other hdlc protocol drivers - hdlc_ppp and hdlc_raw_eth, also set things like hard_header_len at this place. In hdlc_ppp, it sets hard_header_len after attach_hdlc_protocol and before setting dev->type. In hdlc_raw_eth, it sets hard_header_len by calling ether_setup after attach_hdlc_protocol and after memcpy the settings. 3. Reset needed_headroom when detaching protocols (in hdlc.c) When detaching a protocol from a hardware device, the hdlc module will reset various parameters of the device (including hard_header_len) to the default values. We add needed_headroom here so that needed_headroom will also be reset. Cc: Willem de Bruijn Cc: Martin Schiller Cc: Andrew Hendry Signed-off-by: Xie He Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1ca28e0d9e49cfc292ed7e4dbe720ceba252e30e Author: Nicolas Saenz Julienne Date: Fri Aug 14 12:26:23 2020 +0200 dma-pool: Only allocate from CMA when in same memory zone [ Upstream commit d7e673ec2c8e0ea39c4c70fc490d67d7fbda869d ] There is no guarantee to CMA's placement, so allocating a zone specific atomic pool from CMA might return memory from a completely different memory zone. To get around this double check CMA's placement before allocating from it. Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 47184b9ddf184cc9a77cf441943a0fe9b7afa575 Author: Christoph Hellwig Date: Fri Aug 14 12:26:24 2020 +0200 dma-pool: fix coherent pool allocations for IOMMU mappings [ Upstream commit 9420139f516d7fbc248ce17f35275cb005ed98ea ] When allocating coherent pool memory for an IOMMU mapping we don't care about the DMA mask. Move the guess for the initial GFP mask into the dma_direct_alloc_pages and pass dma_coherent_ok as a function pointer argument so that it doesn't get applied to the IOMMU case. Signed-off-by: Christoph Hellwig Tested-by: Amit Pundir Signed-off-by: Sasha Levin commit b960e50d61722b3bb7b7e4157ffafb7586e0ef6a Author: Oleksij Rempel Date: Fri Aug 7 12:52:00 2020 +0200 can: j1939: transport: j1939_xtp_rx_dat_one(): compare own packets to detect corruptions [ Upstream commit e052d0540298bfe0f6cbbecdc7e2ea9b859575b2 ] Since the stack relays on receiving own packets, it was overwriting own transmit buffer from received packets. At least theoretically, the received echo buffer can be corrupt or changed and the session partner can request to resend previous data. In this case we will re-send bad data. With this patch we will stop to overwrite own TX buffer and use it for sanity checking. Signed-off-by: Oleksij Rempel Link: https://lore.kernel.org/r/20200807105200.26441-6-o.rempel@pengutronix.de Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit da9c02c50991299d96b61cfc07af3cbe386c5668 Author: Andrii Nakryiko Date: Thu Aug 13 13:49:43 2020 -0700 selftests/bpf: Correct various core_reloc 64-bit assumptions [ Upstream commit 5705d705832f74395c5465ce93192688f543006a ] Ensure that types are memory layout- and field alignment-compatible regardless of 32/64-bitness mix of libbpf and BPF architecture. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200813204945.1020225-8-andriin@fb.com Signed-off-by: Sasha Levin commit 751799b3b2ef690273e919a0f3348c0db7c61f96 Author: Andrii Nakryiko Date: Thu Aug 13 13:49:41 2020 -0700 selftests/bpf: Fix btf_dump test cases on 32-bit arches [ Upstream commit eed7818adf03e874994b966aa33bc00204dd275a ] Fix btf_dump test cases by hard-coding BPF's pointer size of 8 bytes for cases where it's impossible to deterimne the pointer size (no long type in BTF). In cases where it's known, validate libbpf correctly determines it as 8. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200813204945.1020225-6-andriin@fb.com Signed-off-by: Sasha Levin commit daca0c13cb123dcbd51d8fcbb1f07cd79d676faf Author: Andrii Nakryiko Date: Thu Aug 13 13:49:38 2020 -0700 selftest/bpf: Fix compilation warnings in 32-bit mode [ Upstream commit 9028bbcc3e12510cac13a9554f1a1e39667a4387 ] Fix compilation warnings emitted when compiling selftests for 32-bit platform (x86 in my case). Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200813204945.1020225-3-andriin@fb.com Signed-off-by: Sasha Levin commit 50bc5a55666eac57d703117a0fa081bac480f138 Author: Andrii Nakryiko Date: Thu Aug 13 13:49:37 2020 -0700 tools/bpftool: Fix compilation warnings in 32-bit mode [ Upstream commit 09f44b753a7d120becc80213c3459183c8acd26b ] Fix few compilation warnings in bpftool when compiling in 32-bit mode. Abstract away u64 to pointer conversion into a helper function. Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20200813204945.1020225-2-andriin@fb.com Signed-off-by: Sasha Levin commit b97071cc83f8ec4e6b899e07720fb0e9be478b87 Author: Toke Høiland-Jørgensen Date: Thu Aug 13 16:29:05 2020 +0200 libbpf: Prevent overriding errno when logging errors [ Upstream commit 23ab656be263813acc3c20623757d3cd1496d9e1 ] Turns out there were a few more instances where libbpf didn't save the errno before writing an error message, causing errno to be overridden by the printf() return and the error disappearing if logging is enabled. Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200813142905.160381-1-toke@redhat.com Signed-off-by: Sasha Levin commit e3a5fa63a2e5b9a785d5ef1d4bdfc48965d3027e Author: Florian Westphal Date: Mon Aug 10 13:52:15 2020 +0200 netfilter: avoid ipv6 -> nf_defrag_ipv6 module dependency [ Upstream commit 2404b73c3f1a5f15726c6ecd226b56f6f992767f ] nf_ct_frag6_gather is part of nf_defrag_ipv6.ko, not ipv6 core. The current use of the netfilter ipv6 stub indirections causes a module dependency between ipv6 and nf_defrag_ipv6. This prevents nf_defrag_ipv6 module from being removed because ipv6 can't be unloaded. Remove the indirection and always use a direct call. This creates a depency from nf_conntrack_bridge to nf_defrag_ipv6 instead: modinfo nf_conntrack depends: nf_conntrack,nf_defrag_ipv6,bridge .. and nf_conntrack already depends on nf_defrag_ipv6 anyway. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 810b3c8b656a7ef46dc8ca044ddd967d23a7ddc5 Author: Jianlin Lv Date: Mon Aug 10 23:39:40 2020 +0800 selftests/bpf: Fix segmentation fault in test_progs [ Upstream commit 0390c429dbed4068bd2cd8dded937d9a5ec24cd2 ] test_progs reports the segmentation fault as below: $ sudo ./test_progs -t mmap --verbose test_mmap:PASS:skel_open_and_load 0 nsec [...] test_mmap:PASS:adv_mmap1 0 nsec test_mmap:PASS:adv_mmap2 0 nsec test_mmap:PASS:adv_mmap3 0 nsec test_mmap:PASS:adv_mmap4 0 nsec Segmentation fault This issue was triggered because mmap() and munmap() used inconsistent length parameters; mmap() creates a new mapping of 3 * page_size, but the length parameter set in the subsequent re-map and munmap() functions is 4 * page_size; this leads to the destruction of the process space. To fix this issue, first create 4 pages of anonymous mapping, then do all the mmap() with MAP_FIXED. Another issue is that when unmap the second page fails, the length parameter to delete tmp1 mappings should be 4 * page_size. Signed-off-by: Jianlin Lv Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20200810153940.125508-1-Jianlin.Lv@arm.com Signed-off-by: Sasha Levin commit 4a5e1c465e84275f265ccbe6fdced67f73ce0c94 Author: Anthony Koo Date: Wed Jul 29 17:43:10 2020 -0400 drm/amd/display: Switch to immediate mode for updating infopackets [ Upstream commit abba907c7a20032c2d504fd5afe3af7d440a09d0 ] [Why] Using FRAME_UPDATE will result in infopacket to be potentially updated one frame late. In commit stream scenarios for previously active stream, some stale infopacket data from previous config might be erroneously sent out on initial frame after stream is re-enabled. [How] Switch to using IMMEDIATE_UPDATE mode Signed-off-by: Anthony Koo Reviewed-by: Ashley Thomas Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 04e7daa61fd7bc2555243ef9ed3d050311e6cbb4 Author: Anthony Koo Date: Wed Jul 29 17:33:27 2020 -0400 drm/amd/display: Fix LFC multiplier changing erratically [ Upstream commit e4ed4dbbc8383d42a197da8fe7ca6434b0f14def ] [Why] 1. There is a calculation that is using frame_time_in_us instead of last_render_time_in_us to calculate whether choosing an LFC multiplier would cause the inserted frame duration to be outside of range. 2. We do not handle unsigned integer subtraction correctly and it underflows to a really large value, which causes some logic errors. [How] 1. Fix logic to calculate 'within range' using last_render_time_in_us 2. Split out delta_from_mid_point_delta_in_us calculation to ensure we don't underflow and wrap around Signed-off-by: Anthony Koo Reviewed-by: Aric Cyr Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 757460fe235155690e7de6142b8740718852f655 Author: Evan Quan Date: Fri Aug 7 17:01:47 2020 +0800 drm/amd/powerplay: correct UVD/VCE PG state on custom pptable uploading [ Upstream commit 2c5b8080d810d98e3e59617680218499b17c84a1 ] The UVD/VCE PG state is managed by UVD and VCE IP. It's error-prone to assume the bootup state in SMU based on the dpm status. Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit eb7eaabb7fb9c77ca35d132126f60019567705f9 Author: Evan Quan Date: Fri Aug 7 15:03:40 2020 +0800 drm/amd/powerplay: correct Vega20 cached smu feature state [ Upstream commit 266d81d9eed30f4994d76a2b237c63ece062eefe ] Correct the cached smu feature state on pp_features sysfs setting. Signed-off-by: Evan Quan Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 5a2bc176c13d020b429f495d46d0dbb865da084f Author: Alain Volmat Date: Mon Aug 10 09:12:38 2020 +0200 spi: stm32: always perform registers configuration prior to transfer [ Upstream commit 60ccb3515fc61a0124c70aa37317f75b67560024 ] SPI registers content may have been lost upon suspend/resume sequence. So, always compute and apply the necessary configuration in stm32_spi_transfer_one_setup routine. Signed-off-by: Alain Volmat Link: https://lore.kernel.org/r/1597043558-29668-6-git-send-email-alain.volmat@st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit accab06770476221101e781925ae1d9c5260d495 Author: Amelie Delaunay Date: Mon Aug 10 09:12:36 2020 +0200 spi: stm32: fix stm32_spi_prepare_mbr in case of odd clk_rate [ Upstream commit 9cc61973bf9385b19ff5dda4a2a7e265fcba85e4 ] Fix spi->clk_rate when it is odd to the nearest lowest even value because minimum SPI divider is 2. Signed-off-by: Amelie Delaunay Signed-off-by: Alain Volmat Link: https://lore.kernel.org/r/1597043558-29668-4-git-send-email-alain.volmat@st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0e92f6b422dbf8e82e08f60f16cd1197318769e6 Author: Amelie Delaunay Date: Mon Aug 10 09:12:35 2020 +0200 spi: stm32: fix fifo threshold level in case of short transfer [ Upstream commit 3373e9004acc0603242622b4378c64bc01d21b5f ] When transfer is shorter than half of the fifo, set the data packet size up to transfer size instead of up to half of the fifo. Check also that threshold is set at least to 1 data frame. Signed-off-by: Amelie Delaunay Signed-off-by: Alain Volmat Link: https://lore.kernel.org/r/1597043558-29668-3-git-send-email-alain.volmat@st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 87fb6c0331bc1823af332df2fdad3224312838b9 Author: Antonio Borneo Date: Mon Aug 10 09:12:34 2020 +0200 spi: stm32h7: fix race condition at end of transfer [ Upstream commit 135dd873d3c76d812ae64c668adef3f2c59ed27f ] The caller of stm32_spi_transfer_one(), spi_transfer_one_message(), is waiting for us to call spi_finalize_current_transfer() and will eventually schedule a new transfer, if available. We should guarantee that the spi controller is really available before calling spi_finalize_current_transfer(). Move the call to spi_finalize_current_transfer() _after_ the call to stm32_spi_disable(). Signed-off-by: Antonio Borneo Signed-off-by: Alain Volmat Link: https://lore.kernel.org/r/1597043558-29668-2-git-send-email-alain.volmat@st.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c13fd34bc60730b0ac731344af0f3b8c60b13135 Author: Xianting Tian Date: Fri Jul 31 12:10:25 2020 -0400 fs: prevent BUG_ON in submit_bh_wbc() [ Upstream commit 377254b2cd2252c7c3151b113cbdf93a7736c2e9 ] If a device is hot-removed --- for example, when a physical device is unplugged from pcie slot or a nbd device's network is shutdown --- this can result in a BUG_ON() crash in submit_bh_wbc(). This is because the when the block device dies, the buffer heads will have their Buffer_Mapped flag get cleared, leading to the crash in submit_bh_wbc. We had attempted to work around this problem in commit a17712c8 ("ext4: check superblock mapped prior to committing"). Unfortunately, it's still possible to hit the BUG_ON(!buffer_mapped(bh)) if the device dies between when the work-around check in ext4_commit_super() and when submit_bh_wbh() is finally called: Code path: ext4_commit_super judge if 'buffer_mapped(sbh)' is false, return <== commit a17712c8 lock_buffer(sbh) ... unlock_buffer(sbh) __sync_dirty_buffer(sbh,... lock_buffer(sbh) judge if 'buffer_mapped(sbh))' is false, return <== added by this patch submit_bh(...,sbh) submit_bh_wbc(...,sbh,...) [100722.966497] kernel BUG at fs/buffer.c:3095! <== BUG_ON(!buffer_mapped(bh))' in submit_bh_wbc() [100722.966503] invalid opcode: 0000 [#1] SMP [100722.966566] task: ffff8817e15a9e40 task.stack: ffffc90024744000 [100722.966574] RIP: 0010:submit_bh_wbc+0x180/0x190 [100722.966575] RSP: 0018:ffffc90024747a90 EFLAGS: 00010246 [100722.966576] RAX: 0000000000620005 RBX: ffff8818a80603a8 RCX: 0000000000000000 [100722.966576] RDX: ffff8818a80603a8 RSI: 0000000000020800 RDI: 0000000000000001 [100722.966577] RBP: ffffc90024747ac0 R08: 0000000000000000 R09: ffff88207f94170d [100722.966578] R10: 00000000000437c8 R11: 0000000000000001 R12: 0000000000020800 [100722.966578] R13: 0000000000000001 R14: 000000000bf9a438 R15: ffff88195f333000 [100722.966580] FS: 00007fa2eee27700(0000) GS:ffff88203d840000(0000) knlGS:0000000000000000 [100722.966580] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [100722.966581] CR2: 0000000000f0b008 CR3: 000000201a622003 CR4: 00000000007606e0 [100722.966582] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [100722.966583] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [100722.966583] PKRU: 55555554 [100722.966583] Call Trace: [100722.966588] __sync_dirty_buffer+0x6e/0xd0 [100722.966614] ext4_commit_super+0x1d8/0x290 [ext4] [100722.966626] __ext4_std_error+0x78/0x100 [ext4] [100722.966635] ? __ext4_journal_get_write_access+0xca/0x120 [ext4] [100722.966646] ext4_reserve_inode_write+0x58/0xb0 [ext4] [100722.966655] ? ext4_dirty_inode+0x48/0x70 [ext4] [100722.966663] ext4_mark_inode_dirty+0x53/0x1e0 [ext4] [100722.966671] ? __ext4_journal_start_sb+0x6d/0xf0 [ext4] [100722.966679] ext4_dirty_inode+0x48/0x70 [ext4] [100722.966682] __mark_inode_dirty+0x17f/0x350 [100722.966686] generic_update_time+0x87/0xd0 [100722.966687] touch_atime+0xa9/0xd0 [100722.966690] generic_file_read_iter+0xa09/0xcd0 [100722.966694] ? page_cache_tree_insert+0xb0/0xb0 [100722.966704] ext4_file_read_iter+0x4a/0x100 [ext4] [100722.966707] ? __inode_security_revalidate+0x4f/0x60 [100722.966709] __vfs_read+0xec/0x160 [100722.966711] vfs_read+0x8c/0x130 [100722.966712] SyS_pread64+0x87/0xb0 [100722.966716] do_syscall_64+0x67/0x1b0 [100722.966719] entry_SYSCALL64_slow_path+0x25/0x25 To address this, add the check of 'buffer_mapped(bh)' to __sync_dirty_buffer(). This also has the benefit of fixing this for other file systems. With this addition, we can drop the workaround in ext4_commit_supper(). [ Commit description rewritten by tytso. ] Signed-off-by: Xianting Tian Link: https://lore.kernel.org/r/1596211825-8750-1-git-send-email-xianting_tian@126.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit e3e46eaa2f33b9e2d8906a9c52be02b48774de55 Author: Jan Kara Date: Tue Jul 28 15:04:37 2020 +0200 ext4: correctly restore system zone info when remount fails [ Upstream commit 0f5bde1db174f6c471f0bd27198575719dabe3e5 ] When remounting filesystem fails late during remount handling and block_validity mount option is also changed during the remount, we fail to restore system zone information to a state matching the mount option. This is mostly harmless, just the block validity checking will not match the situation described by the mount option. Make sure these two are always consistent. Reported-by: Lukas Czerner Reviewed-by: Lukas Czerner Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20200728130437.7804-7-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 6c30edde8a3a710c20b5689a921425a479501cb5 Author: Jan Kara Date: Tue Jul 28 15:04:32 2020 +0200 ext4: handle error of ext4_setup_system_zone() on remount [ Upstream commit d176b1f62f242ab259ff665a26fbac69db1aecba ] ext4_setup_system_zone() can fail. Handle the failure in ext4_remount(). Reviewed-by: Lukas Czerner Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20200728130437.7804-2-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit c27ed2e8d7f85bb93e3449a99dc618354a68f086 Author: Lukas Czerner Date: Thu Jul 23 17:05:26 2020 +0200 ext4: handle option set by mount flags correctly [ Upstream commit f25391ebb475d3ffb3aa61bb90e3594c841749ef ] Currently there is a problem with mount options that can be both set by vfs using mount flags or by a string parsing in ext4. i_version/iversion options gets lost after remount, for example $ mount -o i_version /dev/pmem0 /mnt $ grep pmem0 /proc/self/mountinfo | grep i_version 310 95 259:0 / /mnt rw,relatime shared:163 - ext4 /dev/pmem0 rw,seclabel,i_version $ mount -o remount,ro /mnt $ grep pmem0 /proc/self/mountinfo | grep i_version nolazytime gets ignored by ext4 on remount, for example $ mount -o lazytime /dev/pmem0 /mnt $ grep pmem0 /proc/self/mountinfo | grep lazytime 310 95 259:0 / /mnt rw,relatime shared:163 - ext4 /dev/pmem0 rw,lazytime,seclabel $ mount -o remount,nolazytime /mnt $ grep pmem0 /proc/self/mountinfo | grep lazytime 310 95 259:0 / /mnt rw,relatime shared:163 - ext4 /dev/pmem0 rw,lazytime,seclabel Fix it by applying the SB_LAZYTIME and SB_I_VERSION flags from *flags to s_flags before we parse the option and use the resulting state of the same flags in *flags at the end of successful remount. Signed-off-by: Lukas Czerner Reviewed-by: Ritesh Harjani Link: https://lore.kernel.org/r/20200723150526.19931-1-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 5482fa036756b586b0fd95e22f7709e42d111bde Author: zhangyi (F) Date: Sat Jun 20 10:54:26 2020 +0800 jbd2: abort journal if free a async write error metadata buffer [ Upstream commit c044f3d8360d2ecf831ba2cc9f08cf9fb2c699fb ] If we free a metadata buffer which has been failed to async write out in the background, the jbd2 checkpoint procedure will not detect this failure in jbd2_log_do_checkpoint(), so it may lead to filesystem inconsistency after cleanup journal tail. This patch abort the journal if free a buffer has write_io_error flag to prevent potential further inconsistency. Signed-off-by: zhangyi (F) Link: https://lore.kernel.org/r/20200620025427.1756360-5-yi.zhang@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 1ca3e7d0cc006fd35c876d0525c634d3ae5d8fc8 Author: zhangyi (F) Date: Sat Jun 20 10:54:23 2020 +0800 ext4: abort the filesystem if failed to async write metadata buffer [ Upstream commit bc71726c725767205757821df364acff87f92ac5 ] There is a risk of filesystem inconsistency if we failed to async write back metadata buffer in the background. Because of current buffer's end io procedure is handled by end_buffer_async_write() in the block layer, and it only clear the buffer's uptodate flag and mark the write_io_error flag, so ext4 cannot detect such failure immediately. In most cases of getting metadata buffer (e.g. ext4_read_inode_bitmap()), although the buffer's data is actually uptodate, it may still read data from disk because the buffer's uptodate flag has been cleared. Finally, it may lead to on-disk filesystem inconsistency if reading old data from the disk successfully and write them out again. This patch detect bdev mapping->wb_err when getting journal's write access and mark the filesystem error if bdev's mapping->wb_err was increased, this could prevent further writing and potential inconsistency. Signed-off-by: zhangyi (F) Suggested-by: Jan Kara Link: https://lore.kernel.org/r/20200620025427.1756360-2-yi.zhang@huawei.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit c8bf676fff3e217f77c92ac3ac2aeb89f33e9de1 Author: Xin He Date: Wed Jul 22 13:18:51 2020 +0800 drm/virtio: fix memory leak in virtio_gpu_cleanup_object() [ Upstream commit 836b194d65782aaec4485a07d2aab52d3f698505 ] Before setting shmem->pages to NULL, kfree() should be called. Signed-off-by: Xin He Reviewed-by: Qi Liu Link: http://patchwork.freedesktop.org/patch/msgid/20200722051851.72662-1-hexin.op@bytedance.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit f2fb15e7e037989ba559677c31c8443fa73b0f79 Author: Alex Zhuravlev Date: Fri Jun 19 22:08:56 2020 -0400 ext4: skip non-loaded groups at cr=0/1 when scanning for good groups [ Upstream commit c1d2c7d47e15482bb23cda83a5021e60f624a09c ] cr=0 is supposed to be an optimization to save CPU cycles, but if buddy data (in memory) is not initialized then all this makes no sense as we have to do sync IO taking a lot of cycles. Also, at cr=0 mballoc doesn't choose any available chunk. cr=1 also skips groups using heuristic based on avg. fragment size. It's more useful to skip such groups and switch to cr=2 where groups will be scanned for available chunks. However, we always read the first block group in a flex_bg so metadata blocks will get read into the first flex_bg if possible. Using sparse image and dm-slow virtual device of 120TB was simulated, then the image was formatted and filled using debugfs to mark ~85% of available space as busy. mount process w/o the patch couldn't complete in half an hour (according to vmstat it would take ~10-11 hours). With the patch applied mount took ~20 seconds. Lustre-bug-id: https://jira.whamcloud.com/browse/LU-12988 Signed-off-by: Alex Zhuravlev Reviewed-by: Andreas Dilger Reviewed-by: Artem Blagodarenko Signed-off-by: Sasha Levin commit a245fa7062a65ebce580c2bdff17c1053468dcc3 Author: Lukas Czerner Date: Fri Jul 17 11:06:05 2020 +0200 ext4: handle read only external journal device [ Upstream commit 273108fa5015eeffc4bacfa5ce272af3434b96e4 ] Ext4 uses blkdev_get_by_dev() to get the block_device for journal device which does check to see if the read-only block device was opened read-only. As a result ext4 will hapily proceed mounting the file system with external journal on read-only device. This is bad as we would not be able to use the journal leading to errors later on. Instead of simply failing to mount file system in this case, treat it in a similar way we treat internal journal on read-only device. Allow to mount with -o noload in read-only mode. This can be reproduced easily like this: mke2fs -F -O journal_dev $JOURNAL_DEV 100M mkfs.$FSTYPE -F -J device=$JOURNAL_DEV $FS_DEV blockdev --setro $JOURNAL_DEV mount $FS_DEV $MNT touch $MNT/file umount $MNT leading to error like this [ 1307.318713] ------------[ cut here ]------------ [ 1307.323362] generic_make_request: Trying to write to read-only block-device dm-2 (partno 0) [ 1307.331741] WARNING: CPU: 36 PID: 3224 at block/blk-core.c:855 generic_make_request_checks+0x2c3/0x580 [ 1307.341041] Modules linked in: ext4 mbcache jbd2 rfkill intel_rapl_msr intel_rapl_common isst_if_commd [ 1307.419445] CPU: 36 PID: 3224 Comm: jbd2/dm-2 Tainted: G W I 5.8.0-rc5 #2 [ 1307.427359] Hardware name: Dell Inc. PowerEdge R740/01KPX8, BIOS 2.3.10 08/15/2019 [ 1307.434932] RIP: 0010:generic_make_request_checks+0x2c3/0x580 [ 1307.440676] Code: 94 03 00 00 48 89 df 48 8d 74 24 08 c6 05 cf 2b 18 01 01 e8 7f a4 ff ff 48 c7 c7 50e [ 1307.459420] RSP: 0018:ffffc0d70eb5fb48 EFLAGS: 00010286 [ 1307.464646] RAX: 0000000000000000 RBX: ffff9b33b2978300 RCX: 0000000000000000 [ 1307.471780] RDX: ffff9b33e12a81e0 RSI: ffff9b33e1298000 RDI: ffff9b33e1298000 [ 1307.478913] RBP: ffff9b7b9679e0c0 R08: 0000000000000837 R09: 0000000000000024 [ 1307.486044] R10: 0000000000000000 R11: ffffc0d70eb5f9f0 R12: 0000000000000400 [ 1307.493177] R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 [ 1307.500308] FS: 0000000000000000(0000) GS:ffff9b33e1280000(0000) knlGS:0000000000000000 [ 1307.508396] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1307.514142] CR2: 000055eaf4109000 CR3: 0000003dee40a006 CR4: 00000000007606e0 [ 1307.521273] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1307.528407] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 1307.535538] PKRU: 55555554 [ 1307.538250] Call Trace: [ 1307.540708] generic_make_request+0x30/0x340 [ 1307.544985] submit_bio+0x43/0x190 [ 1307.548393] ? bio_add_page+0x62/0x90 [ 1307.552068] submit_bh_wbc+0x16a/0x190 [ 1307.555833] jbd2_write_superblock+0xec/0x200 [jbd2] [ 1307.560803] jbd2_journal_update_sb_log_tail+0x65/0xc0 [jbd2] [ 1307.566557] jbd2_journal_commit_transaction+0x2ae/0x1860 [jbd2] [ 1307.572566] ? check_preempt_curr+0x7a/0x90 [ 1307.576756] ? update_curr+0xe1/0x1d0 [ 1307.580421] ? account_entity_dequeue+0x7b/0xb0 [ 1307.584955] ? newidle_balance+0x231/0x3d0 [ 1307.589056] ? __switch_to_asm+0x42/0x70 [ 1307.592986] ? __switch_to_asm+0x36/0x70 [ 1307.596918] ? lock_timer_base+0x67/0x80 [ 1307.600851] kjournald2+0xbd/0x270 [jbd2] [ 1307.604873] ? finish_wait+0x80/0x80 [ 1307.608460] ? commit_timeout+0x10/0x10 [jbd2] [ 1307.612915] kthread+0x114/0x130 [ 1307.616152] ? kthread_park+0x80/0x80 [ 1307.619816] ret_from_fork+0x22/0x30 [ 1307.623400] ---[ end trace 27490236265b1630 ]--- Signed-off-by: Lukas Czerner Reviewed-by: Andreas Dilger Link: https://lore.kernel.org/r/20200717090605.2612-1-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit d558851e5ff443b020245b7a1a455c55accf740b Author: Jan Kara Date: Fri Jul 10 16:07:59 2020 +0200 ext4: don't BUG on inconsistent journal feature [ Upstream commit 11215630aada28307ba555a43138db6ac54fa825 ] A customer has reported a BUG_ON in ext4_clear_journal_err() hitting during an LTP testing. Either this has been caused by a test setup issue where the filesystem was being overwritten while LTP was mounting it or the journal replay has overwritten the superblock with invalid data. In either case it is preferable we don't take the machine down with a BUG_ON. So handle the situation of unexpectedly missing has_journal feature more gracefully. We issue warning and fail the mount in the cases where the race window is narrow and the failed check is most likely a programming error. In cases where fs corruption is more likely, we do full ext4_error() handling before failing mount / remount. Reviewed-by: Lukas Czerner Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20200710140759.18031-1-jack@suse.cz Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 55be43c8b123b14fcffaa81a7d9a0a4bda28022a Author: Lukas Czerner Date: Wed Jun 17 11:25:49 2020 +0200 jbd2: make sure jh have b_transaction set in refile/unfile_buffer [ Upstream commit 24dc9864914eb5813173cfa53313fcd02e4aea7d ] Callers of __jbd2_journal_unfile_buffer() and __jbd2_journal_refile_buffer() assume that the b_transaction is set. In fact if it's not, we can end up with journal_head refcounting errors leading to crash much later that might be very hard to track down. Add asserts to make sure that is the case. We also make sure that b_next_transaction is NULL in __jbd2_journal_unfile_buffer() since the callers expect that as well and we should not get into that stage in this state anyway, leading to problems later on if we do. Tested with fstests. Signed-off-by: Lukas Czerner Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20200617092549.6712-1-lczerner@redhat.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 9b04463ab4753797df4d7d8433c35955edfd505f Author: Tobias Schramm Date: Tue Aug 4 21:51:36 2020 +0200 spi: stm32: clear only asserted irq flags on interrupt [ Upstream commit ae1ba50f1e706dfd7ce402ac52c1f1f10becad68 ] Previously the stm32h7 interrupt thread cleared all non-masked interrupts. If an interrupt was to occur during the handling of another interrupt its flag would be unset, resulting in a lost interrupt. This patches fixes the issue by clearing only the currently set interrupt flags. Signed-off-by: Tobias Schramm Link: https://lore.kernel.org/r/20200804195136.1485392-1-t.schramm@manjaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a5d6a17faf199bd5dafe6f3572576ac153c02a27 Author: Michael Ellerman Date: Fri Aug 21 20:49:10 2020 +1000 video: fbdev: controlfb: Fix build for COMPILE_TEST=y && PPC_PMAC=n [ Upstream commit 4d618b9f3fcab84e9ec28c180de46fb2c929d096 ] The build is currently broken, if COMPILE_TEST=y and PPC_PMAC=n: linux/drivers/video/fbdev/controlfb.c: In function ‘control_set_hardware’: linux/drivers/video/fbdev/controlfb.c:276:2: error: implicit declaration of function ‘btext_update_display’ 276 | btext_update_display(p->frame_buffer_phys + CTRLFB_OFF, | ^~~~~~~~~~~~~~~~~~~~ Fix it by including btext.h whenever CONFIG_BOOTX_TEXT is enabled. Fixes: a07a63b0e24d ("video: fbdev: controlfb: add COMPILE_TEST support") Signed-off-by: Michael Ellerman Acked-by: Bartlomiej Zolnierkiewicz Link: https://lore.kernel.org/r/20200821104910.3363818-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 7fee32de555b68dd6173e7fc0ecc6b5b8d7089d8 Author: Christophe JAILLET Date: Fri Aug 14 07:55:01 2020 +0200 usb: gadget: f_tcm: Fix some resource leaks in some error paths [ Upstream commit 07c8434150f4eb0b65cae288721c8af1080fde17 ] If a memory allocation fails within a 'usb_ep_alloc_request()' call, the already allocated memory must be released. Fix a mix-up in the code and free the correct requests. Fixes: c52661d60f63 ("usb-gadget: Initial merge of target module for UASP + BOT") Signed-off-by: Christophe JAILLET Signed-off-by: Felipe Balbi Signed-off-by: Sasha Levin commit 2813786a5b89cfed62a1c754b184ff455e16c4b8 Author: Jason Wang Date: Thu Jul 23 17:12:54 2020 +0800 vdpa: ifcvf: free config irq in ifcvf_free_irq() [ Upstream commit 2b9f28d5e8efad34f472542315911c5ee9a65b6c ] We don't free config irq in ifcvf_free_irq() which will trigger a BUG() in pci core since we try to free the vectors that has an action. Fixing this by recording the config irq in ifcvf_hw structure and free it in ifcvf_free_irq(). Fixes: e7991f376a4d ("ifcvf: implement config interrupt in IFCVF") Cc: Zhu Lingshan Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20200723091254.20617-2-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Zhu Lingshan Fixes: e7991f376a4d ("ifcvf: implement config interrupt in IFCVF") Cc: Zhu Lingshan <lingshan.zhu@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Sasha Levin commit 5bd342db2db7cdd5ffaad8c6ee23c5ee38ca076c Author: Jason Wang Date: Thu Jul 23 17:12:53 2020 +0800 vdpa: ifcvf: return err when fail to request config irq [ Upstream commit 9f4ce5d72b8e7a1f750598407c99f9e39dfb12fc ] We ignore the err of requesting config interrupt, fix this. Fixes: e7991f376a4d ("ifcvf: implement config interrupt in IFCVF") Cc: Zhu Lingshan Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20200723091254.20617-1-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Reviewed-by: Zhu Lingshan Fixes: e7991f376a4d ("ifcvf: implement config interrupt in IFCVF") Cc: Zhu Lingshan <lingshan.zhu@intel.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Tested-by: Maxime Coquelin Signed-off-by: Sasha Levin commit b9080a8d8237182f129f7fe81d466b0f4e5b39c9 Author: Wolfram Sang Date: Mon Aug 17 14:19:30 2020 +0200 i2c: rcar: in slave mode, clear NACK earlier [ Upstream commit 914a7b3563b8fb92f976619bbd0fa3a4a708baae ] Currently, a NACK in slave mode is set/cleared when SCL is held low by the IP core right before the bit is about to be pushed out. This is too late for clearing and then a NACK from the previous byte is still used for the current one. Now, let's clear the NACK right after we detected the STOP condition following the NACK. Fixes: de20d1857dd6 ("i2c: rcar: add slave support") Signed-off-by: Wolfram Sang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f24ffc31709b0da51dc84cdbedad4cc6f17052c2 Author: Andy Shevchenko Date: Fri Aug 21 20:03:33 2020 +0300 i2c: core: Don't fail PRP0001 enumeration when no ID table exist [ Upstream commit e3cb82c6d6f6c27ab754e13ae29bdd6b949982e2 ] When commit c64ffff7a9d1 ("i2c: core: Allow empty id_table in ACPI case as well") fixed the enumeration of I²C devices on ACPI enabled platforms when driver has no ID table, it missed the PRP0001 support. i2c_device_match() and i2c_acpi_match_device() differently match driver against given device. Use acpi_driver_match_device(), that is used in the former, in i2c_device_probe() and don't fail PRP0001 enumeration when no ID table exist. Fixes: c64ffff7a9d1 ("i2c: core: Allow empty id_table in ACPI case as well") BugLink: https://stackoverflow.com/q/63519678/2511795 Signed-off-by: Andy Shevchenko Reviewed-by: Mika Westerberg Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit a416b1e870b15a93c492951cc2ee1e1aa06759cd Author: Lucas Stach Date: Mon Aug 24 12:55:37 2020 +0200 drm/etnaviv: always start/stop scheduler in timeout processing [ Upstream commit 50248a3ec0f5e5debd18033eb2a29f0b793a7000 ] The drm scheduler currently expects that the stop/start sequence is always executed in the timeout handling, as the job at the head of the hardware execution list is always removed from the ring mirror before the driver function is called and only inserted back into the list when starting the scheduler. This adds some unnecessary overhead if the timeout handler determines that the GPU is still executing jobs normally and just wished to extend the timeout, but a better solution requires a major rearchitecture of the scheduler, which is not applicable as a fix. Fixes: 135517d3565b ("drm/scheduler: Avoid accessing freed bad job.") Signed-off-by: Lucas Stach Tested-by: Russell King Signed-off-by: Sasha Levin commit 87789f561e39588bafefd6892c9ffccfb6b80b24 Author: Dan Carpenter Date: Mon Aug 3 17:36:36 2020 +0300 habanalabs: Fix memory corruption in debugfs [ Upstream commit eeec23cd325ad4d83927b8ee162693579cf3813f ] This has to be a long instead of a u32 because we write a long value. On 64 bit systems, this will cause memory corruption. Fixes: c216477363a3 ("habanalabs: add debugfs support") Signed-off-by: Dan Carpenter Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 6f43d2f469bf0f0dcd6c1ad3cb4bf03bce8982cd Author: Hou Pu Date: Fri Aug 21 04:34:42 2020 -0400 null_blk: fix passing of REQ_FUA flag in null_handle_rq [ Upstream commit 2d62e6b038e729c3e4bfbfcfbd44800ef0883680 ] REQ_FUA should be checked using rq->cmd_flags instead of req_op(). Fixes: deb78b419dfda ("nullb: emulate cache") Signed-off-by: Hou Pu Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e05f3c879aa898cfa757ec94775fb8dba8a1493f Author: Martin Wilck Date: Thu Aug 6 15:19:31 2020 +0200 nvme: multipath: round-robin: fix single non-optimized path case [ Upstream commit 93eb0381e13d249a18ed4aae203291ff977e7ffb ] If there's only one usable, non-optimized path, nvme_round_robin_path() returns NULL, which is wrong. Fix it by falling back to "old", like in the single optimized path case. Also, if the active path isn't changed, there's no need to re-assign the pointer. Fixes: 3f6e3246db0e ("nvme-multipath: fix logic for non-optimized paths") Signed-off-by: Martin Wilck Signed-off-by: Martin George Reviewed-by: Keith Busch Signed-off-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit afb511ebb78adcd6db8b89d88874b9f9df4ec961 Author: Tianjia Zhang Date: Sun Aug 2 19:15:45 2020 +0800 nvme-fc: Fix wrong return value in __nvme_fc_init_request() [ Upstream commit f34448cd0dc697723fb5f4118f8431d9233b370d ] On an error exit path, a negative error code should be returned instead of a positive return value. Fixes: e399441de9115 ("nvme-fabrics: Add host support for FC transport") Cc: James Smart Signed-off-by: Tianjia Zhang Reviewed-by: Chaitanya Kulkarni Reviewed-by: Christoph Hellwig Signed-off-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 227064b2ca9e62270ed445665ae849c73f0dfb2c Author: Sagi Grimberg Date: Thu Jul 30 11:51:00 2020 -0700 nvmet: fix a memory leak [ Upstream commit 382fee1a8b623e2546a3e15e80517389e0e0673e ] We forgot to free new_model_number Fixes: 013b7ebe5a0d ("nvmet: make ctrl model configurable") Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sagi Grimberg Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 614b266f69fe52409b89854ff1ea68146bf13817 Author: Yufen Yu Date: Mon Aug 10 22:21:16 2020 -0400 blkcg: fix memleak for iolatency [ Upstream commit 27029b4b18aa5d3b060f0bf2c26dae254132cfce ] Normally, blkcg_iolatency_exit() will free related memory in iolatency when cleanup queue. But if blk_throtl_init() return error and queue init fail, blkcg_iolatency_exit() will not do that for us. Then it cause memory leak. Fixes: d70675121546 ("block: introduce blk-iolatency io controller") Signed-off-by: Yufen Yu Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b5ce818355a832da2c01add29208135f1b136e84 Author: Ming Lei Date: Tue Aug 18 17:07:28 2020 +0800 blk-mq: insert request not through ->queue_rq into sw/scheduler queue [ Upstream commit db03f88fae8a2c8007caafa70287798817df2875 ] c616cbee97ae ("blk-mq: punt failed direct issue to dispatch list") supposed to add request which has been through ->queue_rq() to the hw queue dispatch list, however it adds request running out of budget or driver tag to hw queue too. This way basically bypasses request merge, and causes too many request dispatched to LLD, and system% is unnecessary increased. Fixes this issue by adding request not through ->queue_rq into sw/scheduler queue, and this way is safe because no ->queue_rq is called on this request yet. High %system can be observed on Azure storvsc device, and even soft lock is observed. This patch reduces %system during heavy sequential IO, meantime decreases soft lockup risk. Fixes: c616cbee97ae ("blk-mq: punt failed direct issue to dispatch list") Signed-off-by: Ming Lei Cc: Christoph Hellwig Cc: Bart Van Assche Cc: Mike Snitzer Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 3cea38246ad47a2cd95628d0c24936138313fec8 Author: Jason Baron Date: Fri Aug 21 12:20:14 2020 -0400 hwmon: (nct7904) Correct divide by 0 [ Upstream commit 8aebbbb2d573d0b4afc08b90ac7d73dba2d9da97 ] We hit a kernel panic due to a divide by 0 in nct7904_read_fan() for the hwmon_fan_min case. Extend the check to hwmon_fan_input case as well for safety. [ 1656.545650] divide error: 0000 [#1] SMP PTI [ 1656.545779] CPU: 12 PID: 18010 Comm: sensors Not tainted 5.4.47 #1 [ 1656.546065] RIP: 0010:nct7904_read+0x1e9/0x510 [nct7904] ... [ 1656.546549] RAX: 0000000000149970 RBX: ffffbd6b86bcbe08 RCX: 0000000000000000 ... [ 1656.547548] Call Trace: [ 1656.547665] hwmon_attr_show+0x32/0xd0 [hwmon] [ 1656.547783] dev_attr_show+0x18/0x50 [ 1656.547898] sysfs_kf_seq_show+0x99/0x120 [ 1656.548013] seq_read+0xd8/0x3e0 [ 1656.548127] vfs_read+0x89/0x130 [ 1656.548234] ksys_read+0x7d/0xb0 [ 1656.548342] do_syscall_64+0x48/0x110 [ 1656.548451] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: d65a5102a99f5 ("hwmon: (nct7904) Convert to use new hwmon registration API") Signed-off-by: Jason Baron Link: https://lore.kernel.org/r/1598026814-2604-1-git-send-email-jbaron@akamai.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 4346396a717d85ac7409bf253a4c13f58dd5f9be Author: Dmitry Monakhov Date: Tue Aug 11 06:43:40 2020 +0000 bfq: fix blkio cgroup leakage v4 [ Upstream commit 2de791ab4918969d8108f15238a701968375f235 ] Changes from v1: - update commit description with proper ref-accounting justification commit db37a34c563b ("block, bfq: get a ref to a group when adding it to a service tree") introduce leak forbfq_group and blkcg_gq objects because of get/put imbalance. In fact whole idea of original commit is wrong because bfq_group entity can not dissapear under us because it is referenced by child bfq_queue's entities from here: -> bfq_init_entity() ->bfqg_and_blkg_get(bfqg); ->entity->parent = bfqg->my_entity -> bfq_put_queue(bfqq) FINAL_PUT ->bfqg_and_blkg_put(bfqq_group(bfqq)) ->kmem_cache_free(bfq_pool, bfqq); So parent entity can not disappear while child entity is in tree, and child entities already has proper protection. This patch revert commit db37a34c563b ("block, bfq: get a ref to a group when adding it to a service tree") bfq_group leak trace caused by bad commit: -> blkg_alloc -> bfq_pq_alloc -> bfqg_get (+1) ->bfq_activate_bfqq ->bfq_activate_requeue_entity -> __bfq_activate_entity ->bfq_get_entity ->bfqg_and_blkg_get (+1) <==== : Note1 ->bfq_del_bfqq_busy ->bfq_deactivate_entity+0x53/0xc0 [bfq] ->__bfq_deactivate_entity+0x1b8/0x210 [bfq] -> bfq_forget_entity(is_in_service = true) entity->on_st_or_in_serv = false <=== :Note2 if (is_in_service) return; ==> do not touch reference -> blkcg_css_offline -> blkcg_destroy_blkgs -> blkg_destroy -> bfq_pd_offline -> __bfq_deactivate_entity if (!entity->on_st_or_in_serv) /* true, because (Note2) return false; -> bfq_pd_free -> bfqg_put() (-1, byt bfqg->ref == 2) because of (Note2) So bfq_group and blkcg_gq will leak forever, see test-case below. ##TESTCASE_BEGIN: #!/bin/bash max_iters=${1:-100} #prep cgroup mounts mount -t tmpfs cgroup_root /sys/fs/cgroup mkdir /sys/fs/cgroup/blkio mount -t cgroup -o blkio none /sys/fs/cgroup/blkio # Prepare blkdev grep blkio /proc/cgroups truncate -s 1M img losetup /dev/loop0 img echo bfq > /sys/block/loop0/queue/scheduler grep blkio /proc/cgroups for ((i=0;i /sys/fs/cgroup/blkio/a/cgroup.procs dd if=/dev/loop0 bs=4k count=1 of=/dev/null iflag=direct 2> /dev/null echo 0 > /sys/fs/cgroup/blkio/cgroup.procs rmdir /sys/fs/cgroup/blkio/a grep blkio /proc/cgroups done ##TESTCASE_END: Fixes: db37a34c563b ("block, bfq: get a ref to a group when adding it to a service tree") Tested-by: Oleksandr Natalenko Signed-off-by: Dmitry Monakhov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 700d01d85ebbbb16c14ed5b1d829232c5b5dd3f6 Author: Matthew Wilcox (Oracle) Date: Mon Aug 17 20:52:06 2020 +0100 block: Fix page_is_mergeable() for compound pages [ Upstream commit d81665198b83e55a28339d1f3e4890ed8a434556 ] If we pass in an offset which is larger than PAGE_SIZE, then page_is_mergeable() thinks it's not mergeable with the previous bio_vec, leading to a large number of bio_vecs being used. Use a slightly more obvious test that the two pages are compatible with each other. Fixes: 52d52d1c98a9 ("block: only allow contiguous page structs in a bio_vec") Signed-off-by: Matthew Wilcox (Oracle) Reviewed-by: Ming Lei Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 103942e19ae4454ed07f23323999d6df1fd9e742 Author: Rob Clark Date: Wed Aug 12 17:03:09 2020 -0700 drm/msm/adreno: fix updating ring fence [ Upstream commit f228af11dfa1d1616bc67f3a4119ab77c36181f1 ] We need to set it to the most recent completed fence, not the most recent submitted. Otherwise we have races where we think we can retire submits that the GPU is not finished with, if the GPU doesn't manage to overwrite the seqno before we look at it. This can show up with hang recovery if one of the submits after the crashing submit also hangs after it is replayed. Fixes: f97decac5f4c ("drm/msm: Support multiple ringbuffers") Signed-off-by: Rob Clark Reviewed-by: Jordan Crouse Signed-off-by: Rob Clark Signed-off-by: Sasha Levin commit 58794696d3d81f26d137b7c7b11dde478a475e73 Author: Ming Lei Date: Mon Aug 17 17:52:40 2020 +0800 block: virtio_blk: fix handling single range discard request [ Upstream commit af822aa68fbdf0a480a17462ed70232998127453 ] 1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") starts to support multi-range discard for virtio-blk. However, the virtio-blk disk may report max discard segment as 1, at least that is exactly what qemu is doing. So far, block layer switches to normal request merge if max discard segment limit is 1, and multiple bios can be merged to single segment. This way may cause memory corruption in virtblk_setup_discard_write_zeroes(). Fix the issue by handling single max discard segment in straightforward way. Fixes: 1f23816b8eb8 ("virtio_blk: add discard and write zeroes support") Signed-off-by: Ming Lei Reviewed-by: Christoph Hellwig Cc: Changpeng Liu Cc: Daniel Verkamp Cc: Michael S. Tsirkin Cc: Stefan Hajnoczi Cc: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b31d83181f99c7faa4b048285f71cc0c0933fe61 Author: Ming Lei Date: Mon Aug 17 17:52:39 2020 +0800 block: respect queue limit of max discard segment [ Upstream commit 943b40c832beb71115e38a1c4d99b640b5342738 ] When queue_max_discard_segments(q) is 1, blk_discard_mergable() will return false for discard request, then normal request merge is applied. However, only queue_max_segments() is checked, so max discard segment limit isn't respected. Check max discard segment limit in the request merge code for fixing the issue. Discard request failure of virtio_blk is fixed. Fixes: 69840466086d ("block: fix the DISCARD request merge") Signed-off-by: Ming Lei Reviewed-by: Christoph Hellwig Cc: Stefano Garzarella Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e2655c17ee2e5118cd41e394c3c4dc8e07caaee8 Author: J. Bruce Fields Date: Wed Aug 5 15:10:11 2020 -0400 nfsd: fix oops on mixed NFSv4/NFSv3 client access [ Upstream commit 34b09af4f54e6485e28f138ccad159611a240cc1 ] If an NFSv2/v3 client breaks an NFSv4 client's delegation, it will hit a NULL dereference in nfsd_breaker_owns_lease(). Easily reproduceable with for example mount -overs=4.2 server:/export /mnt/ sleep 1h Fixes: 28df3d1539de50 ("nfsd: clients don't need to break their own delegations") BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208807 Signed-off-by: J. Bruce Fields Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit ccba36760ca36365ffee5c44d7a2208169700568 Author: Alexander Tsoy Date: Sat Aug 15 03:21:03 2020 +0300 ALSA: usb-audio: Add capture support for Saffire 6 (USB 1.1) [ Upstream commit 470757f5b3a46bd85741bb0d8c1fd3f21048a2af ] Capture and playback endpoints on Saffire 6 (USB 1.1) resides on the same interface. This was not supported by the composite quirk back in the day when initial support for this device was added, thus only playback was enabled until now. Fixes: 11e424e88bd4 ("ALSA: usb-audio: Add support for Focusrite Saffire 6 USB") Signed-off-by: Alexander Tsoy Cc: Link: https://lore.kernel.org/r/20200815002103.29247-1-alexander@tsoy.me Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit be85585a0617403d42693b5d02b4470c9b549a4f Author: Rafael J. Wysocki Date: Tue Jul 28 19:09:32 2020 +0200 cpufreq: intel_pstate: Fix EPP setting via sysfs in active mode [ Upstream commit de002c55cadfc2f6cdf0ed427526f6085d240238 ] Because intel_pstate_set_energy_pref_index() reads and writes the MSR_HWP_REQUEST register without using the cached value of it used by intel_pstate_hwp_boost_up() and intel_pstate_hwp_boost_down(), those functions may overwrite the value written by it and so the EPP value set via sysfs may be lost. To avoid that, make intel_pstate_set_energy_pref_index() take the cached value of MSR_HWP_REQUEST just like the other two routines mentioned above and update it with the new EPP value coming from user space in addition to updating the MSR. Note that the MSR itself still needs to be updated too in case hwp_boost is unset or the boosting mechanism is not active at the EPP change time. Fixes: e0efd5be63e8 ("cpufreq: intel_pstate: Add HWP boost utility and sched util hooks") Reported-by: Francisco Jerez Cc: 4.18+ # 4.18+: 3da97d4db8ee cpufreq: intel_pstate: Rearrange ... Signed-off-by: Rafael J. Wysocki Reviewed-by: Francisco Jerez Signed-off-by: Sasha Levin commit ce9d78bce0efc601675894adc6ad80b32d57a9a4 Author: Chanwoo Choi Date: Mon Jul 27 11:32:31 2020 +0900 PM / devfreq: Fix the wrong end with semicolon [ Upstream commit 27a69714450f5c9288cec2b20f1ae4f7ad34dacf ] Fix the wrong grammar at the end of code line by using semicolon. Cc: stable vger.kernel.org Fixes: 490a421bc575 ("PM / devfreq: Add debugfs support with devfreq_summary file") Signed-off-by: Chanwoo Choi Signed-off-by: Sasha Levin commit 6eacb4639e22145edc8c12b19a27ea9cce61bf6b Author: Ansuel Smith Date: Mon Jun 15 23:06:00 2020 +0200 PCI: qcom: Add missing reset for ipq806x [ Upstream commit ee367e2cdd2202b5714982739e684543cd2cee0e ] Add missing ext reset used by ipq8064 SoC in PCIe qcom driver. Link: https://lore.kernel.org/r/20200615210608.21469-5-ansuelsmth@gmail.com Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") Signed-off-by: Sham Muthayyan Signed-off-by: Ansuel Smith Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Reviewed-by: Philipp Zabel Acked-by: Stanimir Varbanov Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Sasha Levin commit e78ff09ed4c39e052044fde06204f8bff3bc40d1 Author: Abhishek Sahu Date: Mon Jun 15 23:05:59 2020 +0200 PCI: qcom: Change duplicate PCI reset to phy reset [ Upstream commit dd58318c019f10bc94db36df66af6c55d4c0cbba ] The deinit issues reset_control_assert for PCI twice and does not contain phy reset. Link: https://lore.kernel.org/r/20200615210608.21469-4-ansuelsmth@gmail.com Signed-off-by: Abhishek Sahu Signed-off-by: Ansuel Smith Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Acked-by: Stanimir Varbanov Signed-off-by: Sasha Levin commit ff381a46439a69a926ad1beb80475b6cdbea42a7 Author: Ansuel Smith Date: Mon Jun 15 23:05:57 2020 +0200 PCI: qcom: Add missing ipq806x clocks in PCIe driver [ Upstream commit 8b6f0330b5f9a7543356bfa9e76d580f03aa2c1e ] Aux and Ref clk are missing in PCIe qcom driver. Add support for this optional clks for ipq8064/apq8064 SoC. Link: https://lore.kernel.org/r/20200615210608.21469-2-ansuelsmth@gmail.com Fixes: 82a823833f4e ("PCI: qcom: Add Qualcomm PCIe controller driver") Signed-off-by: Sham Muthayyan Signed-off-by: Ansuel Smith Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Acked-by: Stanimir Varbanov Signed-off-by: Sasha Levin commit 0b91c538cedbce2a8dc1ef912af08e90266504ae Author: Tonghao Zhang Date: Thu Aug 27 14:19:52 2020 +0800 net: openvswitch: introduce common code for flushing flows [ Upstream commit 1f3a090b9033f69de380c03db3ea1a1015c850cf ] To avoid some issues, for example RCU usage warning and double free, we should flush the flows under ovs_lock. This patch refactors table_instance_destroy and introduces table_instance_flow_flush which can be invoked by __dp_destroy or ovs_flow_tbl_flush. Fixes: 50b0e61b32ee ("net: openvswitch: fix possible memleak on destroy flow-table") Reported-by: Johan Knöös Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2020-August/050489.html Signed-off-by: Tonghao Zhang Reviewed-by: Cong Wang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2a80aa3a41d4cca4332d7a04475b725a98e64cf1 Author: Kefeng Wang Date: Mon Jul 27 23:29:38 2020 +0800 arm64: Fix __cpu_logical_map undefined issue [ Upstream commit eaecca9e7710281be7c31d892c9f447eafd7ddd9 ] The __cpu_logical_map undefined issue occued when the new tegra194-cpufreq drvier building as a module. ERROR: modpost: "__cpu_logical_map" [drivers/cpufreq/tegra194-cpufreq.ko] undefined! The driver using cpu_logical_map() macro which will expand to __cpu_logical_map, we can't access it in a drvier. Let's turn cpu_logical_map() into a C wrapper and export it to fix the build issue. Also create a function set_cpu_logical_map(cpu, hwid) when assign a value to cpu_logical_map(cpu). Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Catalin Marinas Signed-off-by: Sasha Levin commit d91fe6fa0d84d5147c2f451a11c36ea618ba578c Author: Andrey Konovalov Date: Thu Aug 6 23:25:01 2020 -0700 efi: provide empty efi_enter_virtual_mode implementation [ Upstream commit 2c547f9da0539ad1f7ef7f08c8c82036d61b011a ] When CONFIG_EFI is not enabled, we might get an undefined reference to efi_enter_virtual_mode() error, if this efi_enabled() call isn't inlined into start_kernel(). This happens in particular, if start_kernel() is annodated with __no_sanitize_address. Reported-by: kernel test robot Signed-off-by: Andrey Konovalov Signed-off-by: Andrew Morton Acked-by: Ard Biesheuvel Cc: Alexander Potapenko Cc: Andrey Ryabinin Cc: Catalin Marinas Cc: Dmitry Vyukov Cc: Elena Petrova Cc: Marco Elver Cc: Vincenzo Frascino Cc: Walter Wu Link: http://lkml.kernel.org/r/6514652d3a32d3ed33d6eb5c91d0af63bf0d1a0c.1596544734.git.andreyknvl@google.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 14e6b3725ff07cc165ec1b4ec63cf70dc2795882 Author: Randy Dunlap Date: Mon Jul 27 22:55:45 2020 -0700 pinctrl: mediatek: fix build for tristate changes [ Upstream commit 047cd9a6bd8a2a73e8d92eb97a1b50c7bcd59279 ] Export mtk_is_virt_gpio() for the case when CONFIG_PINCTRL_MTK=y CONFIG_PINCTRL_MTK_V2=y CONFIG_PINCTRL_MTK_MOORE=y CONFIG_PINCTRL_MTK_PARIS=m to fix this build error: ERROR: modpost: "mtk_is_virt_gpio" [drivers/pinctrl/mediatek/pinctrl-paris.ko] undefined! Signed-off-by: Randy Dunlap Cc: Sean Wang Cc: linux-mediatek@lists.infradead.org Link: https://lore.kernel.org/r/d15827a3-d0c8-e231-9f61-8507b3d7be3a@infradead.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 08074471105fefd8adf4014f5cb3e4a44ccd0962 Author: Hanks Chen Date: Thu Jul 23 19:19:53 2020 +0800 pinctrl: mediatek: avoid virtual gpio trying to set reg [ Upstream commit edd546465002621665a3a275abe908a30efdce5b ] for virtual gpios, they should not do reg setting and should behave as expected for eint function. Signed-off-by: Mars Cheng Signed-off-by: Hanks Chen Acked-by: Sean Wang Link: https://lore.kernel.org/r/1595503197-15246-4-git-send-email-hanks.chen@mediatek.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit f02889decdc2ebcacb1e51e00829db835e8133d1 Author: Nicolas Saenz Julienne Date: Tue Jul 21 13:23:02 2020 +0200 brcmfmac: Set timeout value when configuring power save [ Upstream commit 3dc05ffb04436020f63138186dbc4f37bd938552 ] Set the timeout value as per cfg80211's set_power_mgmt() request. If the requested value value is left undefined we set it to 2 seconds, the maximum supported value. Signed-off-by: Nicolas Saenz Julienne Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200721112302.22718-1-nsaenzjulienne@suse.de Signed-off-by: Sasha Levin commit 1bbd2c5daed796a411f2f9bc33699013aff8726a Author: Manish Narani Date: Wed Jul 15 00:42:33 2020 +0530 mmc: sdhci-of-arasan: fix timings allocation code [ Upstream commit 88e1d0b175ec0bfa775c8629eae2a728726e2c6a ] The initial code that was adding delays was doing a cast over undefined memory. This meant that the delays would be all gibberish. This change, allocates all delays on the stack, and assigns them from the ZynqMP & Versal macros/phase-list. And then finally copies them over the common iclk_phase & oclk_phase variables. Signed-off-by: Manish Narani Link: https://lore.kernel.org/r/1594753953-62980-1-git-send-email-manish.narani@xilinx.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit b082d42f1c1733d057b859a26791176c200f36eb Author: Changming Liu Date: Sat Jul 11 00:30:18 2020 -0400 USB: sisusbvga: Fix a potential UB casued by left shifting a negative value [ Upstream commit 2b53a19284f537168fb506f2f40d7fda40a01162 ] The char buffer buf, receives data directly from user space, so its content might be negative and its elements are left shifted to form an unsigned integer. Since left shifting a negative value is undefined behavior, thus change the char to u8 to elimintate this UB. Signed-off-by: Changming Liu Link: https://lore.kernel.org/r/20200711043018.928-1-charley.ashbringer@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7278a1b0a17fdc0f05379bdf055498d51998d61b Author: Sasha Levin Date: Thu Aug 27 18:40:23 2020 -0400 dmaengine: idxd: fix PCI_MSI build errors [ Upstream commit d6a7bb869dd8a516901591136a9a895fd829d6c6 ] Fix build errors when CONFIG_PCI_MSI is not enabled by making the driver depend on PCI_MSI: ld: drivers/dma/idxd/device.o: in function `idxd_mask_msix_vector': device.c:(.text+0x26f): undefined reference to `pci_msi_mask_irq' ld: drivers/dma/idxd/device.o: in function `idxd_unmask_msix_vector': device.c:(.text+0x2af): undefined reference to `pci_msi_unmask_irq' Signed-off-by: Randy Dunlap Cc: Dave Jiang Cc: dmaengine@vger.kernel.org Cc: Vinod Koul Link: https://lore.kernel.org/r/9dee3f46-70d9-ea75-10cb-5527ab297d1d@infradead.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 2757d46ff9cd8d5c203583f3078e5d232df5fe99 Author: Arnd Bergmann Date: Mon Jul 6 15:22:46 2020 +0200 powerpc/spufs: add CONFIG_COREDUMP dependency [ Upstream commit b648a5132ca3237a0f1ce5d871fff342b0efcf8a ] The kernel test robot pointed out a slightly different error message after recent commit 5456ffdee666 ("powerpc/spufs: simplify spufs core dumping") to spufs for a configuration that never worked: powerpc64-linux-ld: arch/powerpc/platforms/cell/spufs/file.o: in function `.spufs_proxydma_info_dump': >> file.c:(.text+0x4c68): undefined reference to `.dump_emit' powerpc64-linux-ld: arch/powerpc/platforms/cell/spufs/file.o: in function `.spufs_dma_info_dump': file.c:(.text+0x4d70): undefined reference to `.dump_emit' powerpc64-linux-ld: arch/powerpc/platforms/cell/spufs/file.o: in function `.spufs_wbox_info_dump': file.c:(.text+0x4df4): undefined reference to `.dump_emit' Add a Kconfig dependency to prevent this from happening again. Reported-by: kernel test robot Signed-off-by: Arnd Bergmann Acked-by: Jeremy Kerr Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200706132302.3885935-1-arnd@arndb.de Signed-off-by: Sasha Levin commit 34f379956e9d7d497fc744b4a896a61ed65be2f5 Author: David Brazdil Date: Thu Jun 25 14:14:06 2020 +0100 KVM: arm64: Fix symbol dependency in __hyp_call_panic_nvhe [ Upstream commit b38b298aa4397e2dc74a89b4dd3eac9e59b64c96 ] __hyp_call_panic_nvhe contains inline assembly which did not declare its dependency on the __hyp_panic_string symbol. The static-declared string has previously been kept alive because of a use in __hyp_call_panic_vhe. Fix this in preparation for separating the source files between VHE and nVHE when the two users land in two different compilation units. The static variable otherwise gets dropped when compiling the nVHE source file, causing an undefined symbol linker error later. Signed-off-by: David Brazdil Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20200625131420.71444-2-dbrazdil@google.com Signed-off-by: Sasha Levin commit 22c3762014e2c9e9d6c108d9fb054d2fce7204fd Author: Qingqing Zhuo Date: Thu Jun 18 13:46:18 2020 -0400 drm/amd/display: fix compilation error on allmodconfig [ Upstream commit 8c823e4ff67c78659ab403d63d071103416f49eb ] when compiled with allmodconfig option, there are error messages as below: ERROR: modpost: "mod_color_is_table_init" [drivers/gpu/drm/amd/amdgpu/amdgpu.ko] undefined! ERROR: modpost: "mod_color_get_table" [drivers/gpu/drm/amd/amdgpu/amdgpu.ko] undefined! ERROR: modpost: "mod_color_set_table_init_state" [drivers/gpu/drm/amd/amdgpu/amdgpu.ko] undefined! To fix the issue, this commits removes CONFIG_DRM_AMD_DC_DCN guard in color/makefile. Signed-off-by: Qingqing Zhuo CC: Lewis Huang CC: Aric Cyr CC: Alexander Deucher CC: Harry Wentland CC: Nicholas Kazlauskas CC: Bhawanpreet Lakha CC: Stephen Rothwell Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ad18857f595804bca35e49bd763daecda0604274 Author: Lewis Huang Date: Wed May 20 18:03:05 2020 +0800 drm/amd/display: change global buffer to local buffer [ Upstream commit 8ae5b155928c9183c2f37b5c4eec21037d958699 ] [Why] Multi-adapter calculate regamma table at the same time. Two thread used the same global variable cause race condition. [How] Change global buffer to local buffer Signed-off-by: Lewis Huang Reviewed-by: Aric Cyr Acked-by: Qingqing Zhuo Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a539e86e839617a3d06cf428339468776d355ed1 Author: Andrey Konovalov Date: Fri Jun 12 15:53:48 2020 +0200 media: i2c: imx290: fix reset GPIO pin handling [ Upstream commit 3909a92d7df622b41b9ceeeea694e641cad7667b ] According to https://www.kernel.org/doc/Documentation/gpio/consumer.txt, - all of the gpiod_set_value_xxx() functions operate with the *logical* value. So in imx290_power_on() the reset signal should be cleared (de-asserted) with gpiod_set_value_cansleep(imx290->rst_gpio, 0), and in imx290_power_off() the value of 1 must be used to apply/assert the reset to the sensor. In the device tree the reset pin is described as GPIO_ACTIVE_LOW, and gpiod_set_value_xxx() functions take this into account, - when devm_gpiod_get_optional() is called with GPIOD_ASIS, the GPIO is not initialized, and the direction must be set later; using a GPIO without setting its direction first is illegal and will result in undefined behavior. Fix this by using GPIOD_OUT_HIGH instead of GPIOD_ASIS (this asserts the reset signal to the sensor initially). Signed-off-by: Andrey Konovalov Reviewed-by: Manivannan Sadhasivam Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 22dcf9b459e49635b2560989e7b6109c57963222 Author: Evgeny Novikov Date: Thu Jul 23 19:04:53 2020 +0200 media: davinci: vpif_capture: fix potential double free [ Upstream commit 602649eadaa0c977e362e641f51ec306bc1d365d ] In case of errors vpif_probe_complete() releases memory for vpif_obj.sd and unregisters the V4L2 device. But then this is done again by vpif_probe() itself. The patch removes the cleaning from vpif_probe_complete(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f2231eeadd1b0642630b8522e475d1009b9592cf Author: Mike Kravetz Date: Tue Aug 11 18:31:35 2020 -0700 hugetlbfs: prevent filesystem stacking of hugetlbfs [ Upstream commit 15568299b7d9988063afce60731df605ab236e2a ] syzbot found issues with having hugetlbfs on a union/overlay as reported in [1]. Due to the limitations (no write) and special functionality of hugetlbfs, it does not work well in filesystem stacking. There are no know use cases for hugetlbfs stacking. Rather than making modifications to get hugetlbfs working in such environments, simply prevent stacking. [1] https://lore.kernel.org/linux-mm/000000000000b4684e05a2968ca6@google.com/ Reported-by: syzbot+d6ec23007e951dadf3de@syzkaller.appspotmail.com Suggested-by: Amir Goldstein Signed-off-by: Mike Kravetz Signed-off-by: Andrew Morton Acked-by: Miklos Szeredi Cc: Al Viro Cc: Matthew Wilcox Cc: Colin Walters Link: http://lkml.kernel.org/r/80f869aa-810d-ef6c-8888-b46cee135907@oracle.com Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a11488640c6f9e7b8509819849f92fb752bab24a Author: Jason Baron Date: Thu Jul 16 14:25:11 2020 -0400 EDAC/ie31200: Fallback if host bridge device is already initialized [ Upstream commit 709ed1bcef12398ac1a35c149f3e582db04456c2 ] The Intel uncore driver may claim some of the pci ids from ie31200 which means that the ie31200 edac driver will not initialize them as part of pci_register_driver(). Let's add a fallback for this case to 'pci_get_device()' to get a reference on the device such that it can still be configured. This is similar in approach to other edac drivers. Signed-off-by: Jason Baron Cc: Borislav Petkov Cc: Mauro Carvalho Chehab Cc: linux-edac Signed-off-by: Tony Luck Link: https://lore.kernel.org/r/1594923911-10885-1-git-send-email-jbaron@akamai.com Signed-off-by: Sasha Levin commit 3e93d48ee60e3755820bdc6c4b9f882311d54158 Author: Jarkko Nikula Date: Thu Jun 18 16:42:40 2020 +0300 i2c: i801: Add support for Intel Tiger Lake PCH-H [ Upstream commit f46efbcad97bfb2caded0397eccce7c71402868c ] Add SMBus PCI ID on Intel Tiger Lake PCH-H. Signed-off-by: Jarkko Nikula Reviewed-by: Jean Delvare Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e805b1ffc9be0bc0043fcd91219a53493f93dd69 Author: Javed Hasan Date: Wed Jul 29 01:18:24 2020 -0700 scsi: fcoe: Memory leak fix in fcoe_sysfs_fcf_del() [ Upstream commit e95b4789ff4380733006836d28e554dc296b2298 ] In fcoe_sysfs_fcf_del(), we first deleted the fcf from the list and then freed it if ctlr_dev was not NULL. This was causing a memory leak. Free the fcf even if ctlr_dev is NULL. Link: https://lore.kernel.org/r/20200729081824.30996-3-jhasan@marvell.com Reviewed-by: Girish Basrur Reviewed-by: Santosh Vernekar Reviewed-by: Saurav Kashyap Reviewed-by: Shyam Sundar Signed-off-by: Javed Hasan Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3bd5dad493e53ef1574e7c4fcecd787a95fa7aba Author: Xiubo Li Date: Mon Jul 6 08:51:35 2020 -0400 ceph: do not access the kiocb after aio requests [ Upstream commit d1d9655052606fd9078e896668ec90191372d513 ] In aio case, if the completion comes very fast just before the ceph_read_iter() returns to fs/aio.c, the kiocb will be freed in the completion callback, then if ceph_read_iter() access again we will potentially hit the use-after-free bug. [ jlayton: initialize direct_lock early, and use it everywhere ] URL: https://tracker.ceph.com/issues/45649 Signed-off-by: Xiubo Li Signed-off-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit e9c34e71a043ff59a05ac626c475539beb0ee3be Author: Xiubo Li Date: Wed Jul 1 01:52:48 2020 -0400 ceph: fix potential mdsc use-after-free crash [ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ] Make sure the delayed work stopped before releasing the resources. cancel_delayed_work_sync() will only guarantee that the work finishes executing if the work is already in the ->worklist. That means after the cancel_delayed_work_sync() returns, it will leave the work requeued if it was rearmed at the end. That can lead to a use after free once the work struct is freed. Fix it by flushing the delayed work instead of trying to cancel it, and ensure that the work doesn't rearm if the mdsc is stopping. URL: https://tracker.ceph.com/issues/46293 Signed-off-by: Xiubo Li Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin commit 8ceddd70a6821601cbcb0486e1c337b7ef32cf2d Author: Pablo Neira Ayuso Date: Sun Aug 2 03:05:25 2020 +0200 netfilter: nf_tables: report EEXIST on overlaps [ Upstream commit 77a92189ecfd061616ad531d386639aab7baaad9 ] Replace EBUSY by EEXIST in the following cases: - If the user adds a chain with a different configuration such as different type, hook and priority. - If the user adds a non-base chain that clashes with an existing basechain. - If the user adds a { key : value } mapping element and the key exists but the value differs. - If the device already belongs to an existing flowtable. User describe that this error reporting is confusing: - https://bugzilla.netfilter.org/show_bug.cgi?id=1176 - https://bugzilla.netfilter.org/show_bug.cgi?id=1413 Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 71e86271b49bb8e2ee5a74a6115746b03402d9d7 Author: Jing Xiangfeng Date: Mon Jun 15 16:12:26 2020 +0800 scsi: iscsi: Do not put host in iscsi_set_flashnode_param() [ Upstream commit 68e12e5f61354eb42cfffbc20a693153fc39738e ] If scsi_host_lookup() fails we will jump to put_host which may cause a panic. Jump to exit_set_fnode instead. Link: https://lore.kernel.org/r/20200615081226.183068-1-jingxiangfeng@huawei.com Reviewed-by: Mike Christie Signed-off-by: Jing Xiangfeng Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b83f035a0fcc2b426fe94328cf6ff3b1c493a162 Author: Nikolay Borisov Date: Wed Jun 3 08:55:46 2020 +0300 btrfs: make btrfs_qgroup_check_reserved_leak take btrfs_inode [ Upstream commit cfdd45921571eb24073e0737fa0bd44b4218f914 ] vfs_inode is used only for the inode number everything else requires btrfs_inode. Signed-off-by: Nikolay Borisov Reviewed-by: David Sterba [ use btrfs_ino ] Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 3b616321576e13c59f0aafce7b9a7484fbe23fe7 Author: Qu Wenruo Date: Wed Jun 10 09:04:42 2020 +0800 btrfs: file: reserve qgroup space after the hole punch range is locked [ Upstream commit a7f8b1c2ac21bf081b41264c9cfd6260dffa6246 ] The incoming qgroup reserved space timing will move the data reservation to ordered extent completely. However in btrfs_punch_hole_lock_range() will call btrfs_invalidate_page(), which will clear QGROUP_RESERVED bit for the range. In current stage it's OK, but if we're making ordered extents handle the reserved space, then btrfs_punch_hole_lock_range() can clear the QGROUP_RESERVED bit before we submit ordered extent, leading to qgroup reserved space leakage. So here change the timing to make reserve data space after btrfs_punch_hole_lock_range(). The new timing is fine for either current code or the new code. Reviewed-by: Josef Bacik Signed-off-by: Qu Wenruo Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 4754db363cfd5e642ac6fbb204c6ec1902f82998 Author: Chris Wilson Date: Sat Jul 25 19:51:10 2020 +0100 locking/lockdep: Fix overflow in presentation of average lock-time [ Upstream commit a7ef9b28aa8d72a1656fa6f0a01bbd1493886317 ] Though the number of lock-acquisitions is tracked as unsigned long, this is passed as the divisor to div_s64() which interprets it as a s32, giving nonsense values with more than 2 billion acquisitons. E.g. acquisitions holdtime-min holdtime-max holdtime-total holdtime-avg ------------------------------------------------------------------------- 2350439395 0.07 353.38 649647067.36 0.-32 Signed-off-by: Chris Wilson Signed-off-by: Ingo Molnar Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20200725185110.11588-1-chris@chris-wilson.co.uk Signed-off-by: Sasha Levin commit e95673aa1263d42ba855aa56fd59948c6077640a Author: Aditya Pakki Date: Sat Jun 13 20:22:23 2020 -0500 drm/nouveau: Fix reference count leak in nouveau_connector_detect [ Upstream commit 990a1162986e8eff7ca18cc5a0e03b4304392ae2 ] nouveau_connector_detect() calls pm_runtime_get_sync and in turn increments the reference count. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit 62f9a8747340749003da70f0bc942147861233ee Author: Aditya Pakki Date: Sat Jun 13 20:29:18 2020 -0500 drm/nouveau: fix reference count leak in nv50_disp_atomic_commit [ Upstream commit a2cdf39536b0d21fb06113f5e16692513d7bcb9c ] nv50_disp_atomic_commit() calls calls pm_runtime_get_sync and in turn increments the reference count. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit 84708092d685c1eec7149cbee402b5b6f9459d96 Author: Aditya Pakki Date: Sat Jun 13 20:33:42 2020 -0500 drm/nouveau/drm/noveau: fix reference count leak in nouveau_fbcon_open [ Upstream commit bfad51c7633325b5d4b32444efe04329d53297b2 ] nouveau_fbcon_open() calls calls pm_runtime_get_sync() that increments the reference count. In case of failure, decrement the ref count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Ben Skeggs Signed-off-by: Sasha Levin commit 02465b9d38c9b7ecca92fc67b3c15982e82e9e5e Author: Li Guifu Date: Fri Jul 24 09:38:11 2020 +0800 f2fs: fix use-after-free issue [ Upstream commit 99c787cfd2bd04926f1f553b30bd7dcea2caaba1 ] During umount, f2fs_put_super() unregisters procfs entries after f2fs_destroy_segment_manager(), it may cause use-after-free issue when umount races with procfs accessing, fix it by relocating f2fs_unregister_sysfs(). [Chao Yu: change commit title/message a bit] Signed-off-by: Li Guifu Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit f9bd216ca5bbfcf7ec0769d92de934dec76cdea9 Author: Ikjoon Jang Date: Tue Jul 21 14:54:09 2020 +0800 HID: quirks: add NOGET quirk for Logitech GROUP [ Upstream commit 68f775ddd2a6f513e225f9a565b054ab48fef142 ] Add HID_QUIRK_NOGET for Logitech GROUP device. Logitech GROUP is a compound with camera and audio. When the HID interface in an audio device is requested to get specific report id, all following control transfers are stalled and never be restored back. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=203419 Signed-off-by: Ikjoon Jang Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit acae5555c9c13d18d8c2d192c4f788c6baaeb92a Author: Pierre-Louis Bossart Date: Fri Jul 17 16:13:33 2020 -0500 ASoC: Intel: sof_sdw_rt711: remove properties in card remove [ Upstream commit cf0418cd06ce42fcf35beb33e315b5a77e596926 ] The rt711 jack detection properties are set from the machine drivers during the card probe, as done in other ASoC examples. KASAN reports a use-after-free error when unbinding drivers due to a confusing sequence between the ACPI core, the device core and the SoundWire device cleanups. Rather than fixing this sequence, follow the recommendation to have the same caller add and remove properties, add an explicit device_remove_properties() in the card .remove() callback. In future patches the use of device_add/remove_properties will be replaced by a direct handling of a swnode, but the sequence will remain the same. Signed-off-by: Bard Liao Signed-off-by: Pierre-Louis Bossart Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20200717211337.31956-3-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 72db989557d993793c01ba84eb98f3cbf2a7f4cf Author: Hans Verkuil Date: Fri Jun 26 12:44:26 2020 +0200 cec-api: prevent leaking memory through hole in structure [ Upstream commit 6c42227c3467549ddc65efe99c869021d2f4a570 ] Fix this smatch warning: drivers/media/cec/core/cec-api.c:156 cec_adap_g_log_addrs() warn: check that 'log_addrs' doesn't leak information (struct has a hole after 'features') Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 41399a7d4f5031abd6a436b836ba3b56765101b7 Author: Dmitry Osipenko Date: Mon Jun 29 06:18:40 2020 +0300 gpu: host1x: Put gather's BO on pinning error [ Upstream commit fd323e9ef0a19112c0c85b85afc4848c0518174b ] This patch fixes gather's BO refcounting on a pinning error. Gather's BO won't be leaked now if something goes wrong. Signed-off-by: Dmitry Osipenko Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 4afc97f8ad5f145b1689c36f54ca9fa51987c5a2 Author: Kaige Li Date: Fri Jul 17 10:51:32 2020 +0800 ALSA: hda: Add support for Loongson 7A1000 controller [ Upstream commit 61eee4a7fc406f94e441778c3cecbbed30373c89 ] Add the new PCI ID 0x0014 0x7a07 to support Loongson 7A1000 controller. Signed-off-by: Kaige Li Link: https://lore.kernel.org/r/1594954292-1703-2-git-send-email-likaige@loongson.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 674772bf76c96e3d8bfdd227d0e6ebee909faca8 Author: Peng Fan Date: Tue Jul 14 20:30:18 2020 +0800 mips/vdso: Fix resource leaks in genvdso.c [ Upstream commit a859647b4e6bfeb192284d27d24b6a0c914cae1d ] Close "fd" before the return of map_vdso() and close "out_file" in main(). Signed-off-by: Peng Fan Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 90019585a6061ba1fc99974548f7be8b809ac25d Author: Reto Schneider Date: Mon Jun 22 15:21:12 2020 +0200 rtlwifi: rtl8192cu: Prevent leaking urb [ Upstream commit 03128643eb5453a798db5770952c73dc64fcaf00 ] If usb_submit_urb fails the allocated urb should be unanchored and released. Signed-off-by: Reto Schneider Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200622132113.14508-3-code@reto-schneider.ch Signed-off-by: Sasha Levin commit d5d5a10574f87bd040da3e875a27b951bf5012ad Author: Yangbo Lu Date: Fri May 22 09:30:52 2020 +0800 ARM: dts: ls1021a: output PPS signal on FIPER2 [ Upstream commit 5656bb3857c4904d1dec6e1b8f876c1c0337274e ] The timer fixed interval period pulse generator register is used to generate periodic pulses. The down count register loads the value programmed in the fixed period interval (FIPER). At every tick of the timer accumulator overflow, the counter decrements by the value of TMR_CTRL[TCLK_PERIOD]. It generates a pulse when the down counter value reaches zero. It reloads the down counter in the cycle following a pulse. To use the TMR_FIPER register to generate desired periodic pulses. The value should programmed is, desired_period - tclk_period Current tmr-fiper2 value is to generate 100us periodic pulses. (But the value should have been 99995, not 99990. The tclk_period is 5.) This patch is to generate 1 second periodic pulses with value 999999995 programmed which is more desired by user. Signed-off-by: Yangbo Lu Acked-by: Richard Cochran Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 24a3bc57b9370d8ba70ccd026ef29d222dab52f1 Author: Qiushi Wu Date: Wed May 27 21:13:22 2020 -0500 PCI: Fix pci_create_slot() reference count leak [ Upstream commit 8a94644b440eef5a7b9c104ac8aa7a7f413e35e5 ] kobject_init_and_add() takes a reference even when it fails. If it returns an error, kobject_put() must be called to clean up the memory associated with the object. When kobject_init_and_add() fails, call kobject_put() instead of kfree(). b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject") fixed a similar problem. Link: https://lore.kernel.org/r/20200528021322.1984-1-wu000273@umn.edu Signed-off-by: Qiushi Wu Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 19aa529aabea451c25281dd53c689b864a6075c4 Author: Aditya Pakki Date: Sat Jun 13 22:05:18 2020 -0500 omapfb: fix multiple reference count leaks due to pm_runtime_get_sync [ Upstream commit 78c2ce9bde70be5be7e3615a2ae7024ed8173087 ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Signed-off-by: Aditya Pakki Cc: kjlu@umn.edu Cc: wu000273@umn.edu Cc: Allison Randal Cc: Thomas Gleixner Cc: Enrico Weigelt cc: "Andrew F. Davis" Cc: Tomi Valkeinen Cc: Alexios Zavras Cc: Greg Kroah-Hartman Cc: YueHaibing Signed-off-by: Bartlomiej Zolnierkiewicz Link: https://patchwork.freedesktop.org/patch/msgid/20200614030528.128064-1-pakki001@umn.edu Signed-off-by: Sasha Levin commit fcd0ea8ff7f8fa3f608a705b8a2f51ff8fc9b1ae Author: Jiaxun Yang Date: Fri Jul 10 14:30:17 2020 +0800 MIPS: KVM: Limit Trap-and-Emulate to MIPS32R2 only [ Upstream commit 01edc5e76ecfecf9a79eec2658f6146ef47bc816 ] After tons of fixes to get Trap-and-Emulate build on Loongson64, I've got panic on host machine when trying to run a VM. I found that it can never work on 64bit systems. Revewing the code, it looks like R6 can't supportrd by TE as well. Signed-off-by: Jiaxun Yang Message-Id: <20200710063047.154611-3-jiaxun.yang@flygoat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 7fafbbefb75802d1c179a0522565bf04e60f0966 Author: Chao Yu Date: Mon Jul 6 18:23:36 2020 +0800 f2fs: fix error path in do_recover_data() [ Upstream commit 9627a7b31f3c4ff8bc8f3be3683983ffe6eaebe6 ] - don't panic kernel if f2fs_get_node_page() fails in f2fs_recover_inline_data() or f2fs_recover_inline_xattr(); - return error number of f2fs_truncate_blocks() to f2fs_recover_inline_data()'s caller; Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 26bf496cd1b68f338bebda625ff266b5338a4ec8 Author: Dehe Gu Date: Fri Jul 3 17:51:29 2020 +0800 f2fs: remove write attribute of main_blkaddr sysfs node [ Upstream commit ffcde4b29a5f20ddca6fe559b48f345818bf1d91 ] Fuzzing main_blkaddr sysfs node will corrupt this field's value, causing kernel panic, remove its write attribute to avoid potential security risk. [Chao Yu: add description] Signed-off-by: Dehe Gu Signed-off-by: Daiyue Zhang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit c06a07ab8a3d6c443d14edff00f56610c7df31b9 Author: Desnes A. Nunes do Rosario Date: Fri Jun 26 13:47:37 2020 -0300 selftests/powerpc: Purge extra count_pmc() calls of ebb selftests [ Upstream commit 3337bf41e0dd70b4064cdf60acdfcdc2d050066c ] An extra count on ebb_state.stats.pmc_count[PMC_INDEX(pmc)] is being per- formed when count_pmc() is used to reset PMCs on a few selftests. This extra pmc_count can occasionally invalidate results, such as the ones from cycles_test shown hereafter. The ebb_check_count() failed with an above the upper limit error due to the extra value on ebb_state.stats.pmc_count. Furthermore, this extra count is also indicated by extra PMC1 trace_log on the output of the cycle test (as well as on pmc56_overflow_test): ========== ... [21]: counter = 8 [22]: register SPRN_MMCR0 = 0x0000000080000080 [23]: register SPRN_PMC1 = 0x0000000080000004 [24]: counter = 9 [25]: register SPRN_MMCR0 = 0x0000000080000080 [26]: register SPRN_PMC1 = 0x0000000080000004 [27]: counter = 10 [28]: register SPRN_MMCR0 = 0x0000000080000080 [29]: register SPRN_PMC1 = 0x0000000080000004 >> [30]: register SPRN_PMC1 = 0x000000004000051e PMC1 count (0x280000546) above upper limit 0x2800003e8 (+0x15e) [FAIL] Test FAILED on line 52 failure: cycles ========== Signed-off-by: Desnes A. Nunes do Rosario Tested-by: Sachin Sant Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200626164737.21943-1-desnesn@linux.ibm.com Signed-off-by: Sasha Levin commit cca4669a976868962fb8ae096c35633810bab328 Author: Mike Christie Date: Wed Jul 1 20:43:18 2020 -0500 scsi: target: Fix xcopy sess release leak [ Upstream commit 3c006c7d23aac928279f7cbe83bbac4361255d53 ] transport_init_session can allocate memory via percpu_ref_init, and target_xcopy_release_pt never frees it. This adds a transport_uninit_session function to handle cleanup of resources allocated in the init function. Link: https://lore.kernel.org/r/1593654203-12442-3-git-send-email-michael.christie@oracle.com Signed-off-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bce0f660a06ad2e25b14a18a17bbe6ef0af6f79d Author: Dave Chinner Date: Mon Jun 29 14:48:45 2020 -0700 xfs: Don't allow logging of XFS_ISTALE inodes [ Upstream commit 96355d5a1f0ee6dcc182c37db4894ec0c29f1692 ] In tracking down a problem in this patchset, I discovered we are reclaiming dirty stale inodes. This wasn't discovered until inodes were always attached to the cluster buffer and then the rcu callback that freed inodes was assert failing because the inode still had an active pointer to the cluster buffer after it had been reclaimed. Debugging the issue indicated that this was a pre-existing issue resulting from the way the inodes are handled in xfs_inactive_ifree. When we free a cluster buffer from xfs_ifree_cluster, all the inodes in cache are marked XFS_ISTALE. Those that are clean have nothing else done to them and so eventually get cleaned up by background reclaim. i.e. it is assumed we'll never dirty/relog an inode marked XFS_ISTALE. On journal commit dirty stale inodes as are handled by both buffer and inode log items to run though xfs_istale_done() and removed from the AIL (buffer log item commit) or the log item will simply unpin it because the buffer log item will clean it. What happens to any specific inode is entirely dependent on which log item wins the commit race, but the result is the same - stale inodes are clean, not attached to the cluster buffer, and not in the AIL. Hence inode reclaim can just free these inodes without further care. However, if the stale inode is relogged, it gets dirtied again and relogged into the CIL. Most of the time this isn't an issue, because relogging simply changes the inode's location in the current checkpoint. Problems arise, however, when the CIL checkpoints between two transactions in the xfs_inactive_ifree() deferops processing. This results in the XFS_ISTALE inode being redirtied and inserted into the CIL without any of the other stale cluster buffer infrastructure being in place. Hence on journal commit, it simply gets unpinned, so it remains dirty in memory. Everything in inode writeback avoids XFS_ISTALE inodes so it can't be written back, and it is not tracked in the AIL so there's not even a trigger to attempt to clean the inode. Hence the inode just sits dirty in memory until inode reclaim comes along, sees that it is XFS_ISTALE, and goes to reclaim it. This reclaiming of a dirty inode caused use after free, list corruptions and other nasty issues later in this patchset. Hence this patch addresses a violation of the "never log XFS_ISTALE inodes" caused by the deferops processing rolling a transaction and relogging a stale inode in xfs_inactive_free. It also adds a bunch of asserts to catch this problem in debug kernels so that we don't reintroduce this problem in future. Reproducer for this issue was generic/558 on a v4 filesystem. Signed-off-by: Dave Chinner Reviewed-by: Brian Foster Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Sasha Levin commit 2b5055b3aa5b557c5f6cc478354eb9205ca01158 Author: Dick Kennedy Date: Tue Jun 30 14:49:54 2020 -0700 scsi: lpfc: Fix shost refcount mismatch when deleting vport [ Upstream commit 03dbfe0668e6692917ac278883e0586cd7f7d753 ] When vports are deleted, it is observed that there is memory/kthread leakage as the vport isn't fully being released. There is a shost reference taken in scsi_add_host_dma that is not released during scsi_remove_host. It was noticed that other drivers resolve this by doing a scsi_host_put after calling scsi_remove_host. The vport_delete routine is taking two references one that corresponds to an access to the scsi_host in the vport_delete routine and another that is released after the adapter mailbox command completes that destroys the VPI that corresponds to the vport. Remove one of the references taken such that the second reference that is put will complete the missing scsi_add_host_dma reference and the shost will be terminated. Link: https://lore.kernel.org/r/20200630215001.70793-8-jsmart2021@gmail.com Signed-off-by: Dick Kennedy Signed-off-by: James Smart Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 04cde704f3295047ac7d2e2859b5bf5075e3c76a Author: Alex Deucher Date: Wed Jun 17 14:43:08 2020 -0400 drm/amdgpu/pm: fix ref count leak when pm_runtime_get_sync fails [ Upstream commit 66429300e1bd9cdfbe96cfc475e4964db2a36921 ] The call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 4e302836dc790a64fc4e9136db63c72a9cde252d Author: Alex Deucher Date: Wed Jun 17 14:52:07 2020 -0400 drm/amdkfd: fix ref count leak when pm_runtime_get_sync fails [ Upstream commit 1c1ada37af6ee6fb9cfc8da6a56cc83208cd8d6f ] The call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Reviewed-by: Rajneesh Bhardwaj Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2e91283fdb45ffefec70112db98f5bb5619125e1 Author: Alex Deucher Date: Wed Jun 17 14:50:02 2020 -0400 drm/amdgpu/fence: fix ref count leak when pm_runtime_get_sync fails [ Upstream commit e520d3e0d2818aafcdf9d8b60916754d8fedc366 ] The call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Reviewed-by: Felix Kuehling Acked-by: Rajneesh Bhardwaj Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e4fdcdb7837c14bf03a8fca2b2e7d3c4ff246d8c Author: Navid Emamdoost Date: Sun Jun 14 02:05:28 2020 -0500 drm/amdgpu/display: fix ref count leak when pm_runtime_get_sync fails [ Upstream commit f79f94765f8c39db0b7dec1d335ab046aac03f20 ] The call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b86657e328b601a5b98f8c4c21d108d356dbceee Author: Navid Emamdoost Date: Sun Jun 14 02:09:44 2020 -0500 drm/amdgpu: fix ref count leak in amdgpu_display_crtc_set_config [ Upstream commit e008fa6fb41544b63973a529b704ef342f47cc65 ] in amdgpu_display_crtc_set_config, the call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit c04caca229c44ce250f90fd7a7da33eb64ac2a70 Author: Navid Emamdoost Date: Sun Jun 14 02:14:50 2020 -0500 drm/amd/display: fix ref count leak in amdgpu_drm_ioctl [ Upstream commit 5509ac65f2fe5aa3c0003237ec629ca55024307c ] in amdgpu_drm_ioctl the call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8b73bed1e9640fe01e0077e948c6f040ecd2367f Author: Navid Emamdoost Date: Sun Jun 14 02:12:29 2020 -0500 drm/amdgpu: fix ref count leak in amdgpu_driver_open_kms [ Upstream commit 9ba8923cbbe11564dd1bf9f3602add9a9cfbb5c6 ] in amdgpu_driver_open_kms the call to pm_runtime_get_sync increments the counter even in case of failure, leading to incorrect ref count. In case of failure, decrement the ref count before returning. Signed-off-by: Navid Emamdoost Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit bedae9feaca99326fa33c74b4ed647bcbca41ca1 Author: Aditya Pakki Date: Sat Jun 13 20:55:39 2020 -0500 drm/radeon: fix multiple reference count leak [ Upstream commit 6f2e8acdb48ed166b65d47837c31b177460491ec ] On calling pm_runtime_get_sync() the reference count of the device is incremented. In case of failure, decrement the reference count before returning the error. Signed-off-by: Aditya Pakki Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d312f436dd10bfa2e8fba256fdcb7b1592230b9a Author: Qiushi Wu Date: Sat Jun 13 14:32:26 2020 -0500 drm/amdkfd: Fix reference count leaks. [ Upstream commit 20eca0123a35305e38b344d571cf32768854168c ] kobject_init_and_add() takes reference even when it fails. If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Signed-off-by: Qiushi Wu Reviewed-by: Felix Kuehling Signed-off-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b7850ba6edf0036596828ce540a8a376ea067aba Author: Gwendal Grignou Date: Tue Jun 30 00:52:03 2020 -0700 platform/chrome: cros_ec_sensorhub: Fix EC timestamp overflow [ Upstream commit e48bc01ed5adec203676c735365373b31c3c7600 ] EC is using 32 bit timestamps (us), and before converting it to 64bit they were not casted, so it would overflow every 4s. Regular overflow every ~70 minutes was not taken into account either. Signed-off-by: Gwendal Grignou Signed-off-by: Enric Balletbo i Serra Signed-off-by: Sasha Levin commit c71c249310b535e91b0991489f08a469b678838a Author: Robin Murphy Date: Tue Jun 2 14:08:18 2020 +0100 iommu/iova: Don't BUG on invalid PFNs [ Upstream commit d3e3d2be688b4b5864538de61e750721a311e4fc ] Unlike the other instances which represent a complete loss of consistency within the rcache mechanism itself, or a fundamental and obvious misconfiguration by an IOMMU driver, the BUG_ON() in iova_magazine_free_pfns() can be provoked at more or less any time in a "spooky action-at-a-distance" manner by any old device driver passing nonsense to dma_unmap_*() which then propagates through to queue_iova(). Not only is this well outside the IOVA layer's control, it's also nowhere near fatal enough to justify panicking anyway - all that really achieves is to make debugging the offending driver more difficult. Let's simply WARN and otherwise ignore bogus PFNs. Reported-by: Prakash Gupta Signed-off-by: Robin Murphy Reviewed-by: Prakash Gupta Link: https://lore.kernel.org/r/acbd2d092b42738a03a21b417ce64e27f8c91c86.1591103298.git.robin.murphy@arm.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 8bcd6545f0b409e86b7b9b51ae1a51e037816a7d Author: Andy Shevchenko Date: Thu Jun 25 16:10:36 2020 +0300 mfd: intel-lpss: Add Intel Tiger Lake PCH-H PCI IDs [ Upstream commit bb7fcad48d3804d814b97c785514e2d1657e157f ] Intel Tiger Lake PCH-H has the same LPSS than Intel Broxton. Add the new IDs to the list of supported devices. Signed-off-by: Andy Shevchenko Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit d7570375e9f2265c5b792bc9b8cd90ca0fb56d8a Author: Bodo Stroesser Date: Mon Jun 29 11:37:56 2020 +0200 scsi: target: tcmu: Fix crash on ARM during cmd completion [ Upstream commit 5a0c256d96f020e4771f6fd5524b80f89a2d3132 ] If tcmu_handle_completions() has to process a padding shorter than sizeof(struct tcmu_cmd_entry), the current call to tcmu_flush_dcache_range() with sizeof(struct tcmu_cmd_entry) as length param is wrong and causes crashes on e.g. ARM, because tcmu_flush_dcache_range() in this case calls flush_dcache_page(vmalloc_to_page(start)); with start being an invalid address above the end of the vmalloc'ed area. The fix is to use the minimum of remaining ring space and sizeof(struct tcmu_cmd_entry) as the length param. The patch was tested on kernel 4.19.118. See https://bugzilla.kernel.org/show_bug.cgi?id=208045#c10 Link: https://lore.kernel.org/r/20200629093756.8947-1-bstroesser@ts.fujitsu.com Tested-by: JiangYu Acked-by: Mike Christie Signed-off-by: Bodo Stroesser Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4b0badbe3c9166f9f5eb815f9934c7affc9a3c73 Author: Evgeny Novikov Date: Tue Jun 23 17:12:30 2020 +0300 staging: rts5208: fix memleaks on error handling paths in probe [ Upstream commit 11507bf9a8832741db69efd32bf09a2ab26426bf ] rtsx_probe() allocates host, but does not free it on error handling paths. The patch adds missed scsi_host_put(). Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Link: https://lore.kernel.org/r/20200623141230.7258-1-novikov@ispras.ru Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 46381f4d0c1a7d9bf97b2235b3a2a5e7e6393ce9 Author: Luis Chamberlain Date: Fri Jun 19 20:47:29 2020 +0000 blktrace: ensure our debugfs dir exists [ Upstream commit b431ef837e3374da0db8ff6683170359aaa0859c ] We make an assumption that a debugfs directory exists, but since this can fail ensure it exists before allowing blktrace setup to complete. Otherwise we end up stuffing blktrace files on the debugfs root directory. In the worst case scenario this *in theory* can create an eventual panic *iff* in the future a similarly named file is created prior on the debugfs root directory. This theoretical crash can happen due to a recursive removal followed by a specific dentry removal. This doesn't fix any known crash, however I have seen the files go into the main debugfs root directory in cases where the debugfs directory was not created due to other internal bugs with blktrace now fixed. blktrace is also completely useless without this directory, so this ensures to userspace we only setup blktrace if the kernel can stuff files where they are supposed to go into. debugfs directory creations typically aren't checked for, and we have maintainers doing sweep removals of these checks, but since we need this check to ensure proper userspace blktrace functionality we make sure to annotate the justification for the check. Signed-off-by: Luis Chamberlain Reviewed-by: Christoph Hellwig Reviewed-by: Bart Van Assche Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2145297ac316df0211f0509d6e3cc913f30332bf Author: Alexander Popov Date: Wed Jun 24 15:33:26 2020 +0300 gcc-plugins/stackleak: Don't instrument itself [ Upstream commit 005e696df65d0ff90468ecf38a50aa584dc82421 ] There is no need to try instrumenting functions in kernel/stackleak.c. Otherwise that can cause issues if the cleanup pass of stackleak gcc plugin is disabled. Signed-off-by: Alexander Popov Link: https://lore.kernel.org/r/20200624123330.83226-2-alex.popov@linux.com Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 27a22e3c16450c3018da8254c544de4cd69c4bd9 Author: Jia-Ju Bai Date: Sat May 30 16:42:08 2020 +0200 media: pci: ttpci: av7110: fix possible buffer overflow caused by bad DMA value in debiirq() [ Upstream commit 6499a0db9b0f1e903d52f8244eacc1d4be00eea2 ] The value av7110->debi_virt is stored in DMA memory, and it is assigned to data, and thus data[0] can be modified at any time by malicious hardware. In this case, "if (data[0] < 2)" can be passed, but then data[0] can be changed into a large number, which may cause buffer overflow when the code "av7110->ci_slot[data[0]]" is used. To fix this possible bug, data[0] is assigned to a local variable, which replaces the use of data[0]. Signed-off-by: Jia-Ju Bai Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d75f8e2c9d6a622ff36f2a27e8f29530493f072a Author: Alexey Kardashevskiy Date: Fri Jun 12 14:33:03 2020 +1000 powerpc/xive: Ignore kmemleak false positives [ Upstream commit f0993c839e95dd6c7f054a1015e693c87e33e4fb ] xive_native_provision_pages() allocates memory and passes the pointer to OPAL so kmemleak cannot find the pointer usage in the kernel memory and produces a false positive report (below) (even if the kernel did scan OPAL memory, it is unable to deal with __pa() addresses anyway). This silences the warning. unreferenced object 0xc000200350c40000 (size 65536): comm "qemu-system-ppc", pid 2725, jiffies 4294946414 (age 70776.530s) hex dump (first 32 bytes): 02 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 ....P........... 01 00 08 07 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000081ff046c>] xive_native_alloc_vp_block+0x120/0x250 [<00000000d555d524>] kvmppc_xive_compute_vp_id+0x248/0x350 [kvm] [<00000000d69b9c9f>] kvmppc_xive_connect_vcpu+0xc0/0x520 [kvm] [<000000006acbc81c>] kvm_arch_vcpu_ioctl+0x308/0x580 [kvm] [<0000000089c69580>] kvm_vcpu_ioctl+0x19c/0xae0 [kvm] [<00000000902ae91e>] ksys_ioctl+0x184/0x1b0 [<00000000f3e68bd7>] sys_ioctl+0x48/0xb0 [<0000000001b2c127>] system_call_exception+0x124/0x1f0 [<00000000d2b2ee40>] system_call_common+0xe8/0x214 Signed-off-by: Alexey Kardashevskiy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20200612043303.84894-1-aik@ozlabs.ru Signed-off-by: Sasha Levin commit 970f32a284295522c8531eec9948f19dc7c31103 Author: Stephan Gerhold Date: Fri Jun 5 20:59:15 2020 +0200 arm64: dts: qcom: msm8916: Pull down PDM GPIOs during sleep [ Upstream commit e2ee9edc282961783d519c760bbaa20fed4dec38 ] The original qcom kernel changed the PDM GPIOs to be pull-down during sleep at some point. Reportedly this was done because there was some "leakage at PDM outputs during sleep": https://source.codeaurora.org/quic/la/kernel/msm-3.10/commit/?id=0f87e08c1cd3e6484a6f7fb3e74e37340bdcdee0 I cannot say how effective this is, but everything seems to work fine with this change so let's apply the same to mainline just to be sure. Cc: Srinivas Kandagatla Signed-off-by: Stephan Gerhold Link: https://lore.kernel.org/r/20200605185916.318494-3-stephan@gerhold.net Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 6a5bd8b333b8f96ce9a6bfa185d72b9b9141abf8 Author: Andy Shevchenko Date: Mon Jun 15 19:10:32 2020 +0300 mfd: intel-lpss: Add Intel Emmitsburg PCH PCI IDs [ Upstream commit 3ea2e4eab64cefa06055bb0541fcdedad4b48565 ] Intel Emmitsburg PCH has the same LPSS than Intel Ice Lake. Add the new IDs to the list of supported devices. Signed-off-by: Andy Shevchenko Signed-off-by: Lee Jones Signed-off-by: Sasha Levin commit dd80a7201ed7c62a6f4fae8806f2c5f570f5afa6 Author: Qiushi Wu Date: Sat Jun 13 15:44:19 2020 -0500 ASoC: tegra: Fix reference count leaks. [ Upstream commit deca195383a6085be62cb453079e03e04d618d6e ] Calling pm_runtime_get_sync increments the counter even in case of failure, causing incorrect ref count if pm_runtime_put is not called in error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails. Signed-off-by: Qiushi Wu Reviewed-by: Jon Hunter Link: https://lore.kernel.org/r/20200613204422.24484-1-wu000273@umn.edu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d5581a8e323cb3daef929d5d4ffa380f1f395c77 Author: Qiushi Wu Date: Sat Jun 13 22:33:43 2020 -0500 ASoC: img-parallel-out: Fix a reference count leak [ Upstream commit 6b9fbb073636906eee9fe4d4c05a4f445b9e2a23 ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Signed-off-by: Qiushi Wu Link: https://lore.kernel.org/r/20200614033344.1814-1-wu000273@umn.edu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c340a3b9da14cb1632ca86365cf904c4b6320e5a Author: Qiushi Wu Date: Sat Jun 13 22:37:48 2020 -0500 ASoC: img: Fix a reference count leak in img_i2s_in_set_fmt [ Upstream commit c4c59b95b7f7d4cef5071b151be2dadb33f3287b ] pm_runtime_get_sync() increments the runtime PM usage counter even when it returns an error code, causing incorrect ref count if pm_runtime_put_noidle() is not called in error handling paths. Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. Signed-off-by: Qiushi Wu Link: https://lore.kernel.org/r/20200614033749.2975-1-wu000273@umn.edu Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7d60c776063193296c4ef33ddc03ce224d405645 Author: Zhenzhong Duan Date: Wed Jun 10 14:58:46 2020 +0800 EDAC/mc: Call edac_inc_ue_error() before panic [ Upstream commit e9ff6636d3f97a764487999754c0bfee9d2c231e ] By calling edac_inc_ue_error() before panic, we get a correct UE error count for core dump analysis. Signed-off-by: Zhenzhong Duan Signed-off-by: Tony Luck Link: https://lore.kernel.org/r/20200610065846.3626-2-zhenzhong.duan@gmail.com Signed-off-by: Sasha Levin commit ec24c53a4d0cc41d8d1cd25866ad1d0fa9aa4a7d Author: Guchun Chen Date: Tue Jun 2 13:46:22 2020 +0800 drm/amdgpu: fix RAS memory leak in error case [ Upstream commit 5e91160ac0b5cfbbaeb62cbff8b069262095f744 ] RAS context memory needs to freed in failure case. Signed-off-by: Guchun Chen Reviewed-by: Tao Zhou Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9cc4449aae8cdcf80618dc74d387dd56f565d75a Author: Kai-Heng Feng Date: Tue Aug 11 17:53:34 2020 +0800 ALSA: hda/hdmi: Use force connectivity quirk on another HP desktop [ Upstream commit d96f27c80b65437a7b572647ecb4717ec9a50c98 ] There's another HP desktop has buggy BIOS which flags the Port Connectivity bit as no connection. Apply force connectivity quirk to enable DP/HDMI audio. Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200811095336.32396-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3d41fe81e6469b5b77f3fd4e24d61e6fe82232a0 Author: Kai-Heng Feng Date: Fri Aug 7 16:05:12 2020 +0800 ALSA: hda/realtek: Fix pin default on Intel NUC 8 Rugged [ Upstream commit e2d2fded6bdf3f7bb40718a208140dba8b4ec574 ] The jack on Intel NUC 8 Rugged rear panel doesn't work. The spec [1] states that the jack supports both headphone and microphone, so override a Pin Complex which has both Amp-In and Amp-Out to make the jack work. Node 0x1b fits the requirement, and user confirmed the jack now works with new pin config. [1] https://www.intel.com/content/dam/support/us/en/documents/mini-pcs/NUC8CCH_TechProdSpec.pdf BugLink: https://bugs.launchpad.net/bugs/1875199 Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200807080514.15293-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 9a87d126b6624023457bdd43c2c5a9823e549bcd Author: Randy Dunlap Date: Wed Aug 5 19:19:26 2020 -0700 ALSA: pci: delete repeated words in comments [ Upstream commit c7fabbc51352f50cc58242a6dc3b9c1a3599849b ] Drop duplicated words in sound/pci/. {and, the, at} Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20200806021926.32418-1-rdunlap@infradead.org Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ed2cdce0991225e80a6de3e440fcb329335ce4d0 Author: Kai-Heng Feng Date: Tue Aug 4 23:58:34 2020 +0800 ALSA: hda/hdmi: Add quirk to force connectivity [ Upstream commit cd72c317a0a11f64225b9a3f1fe503bb8c7327b5 ] HDMI on some platforms doesn't enable audio support because its Port Connectivity [31:30] is set to AC_JACK_PORT_NONE: Node 0x05 [Pin Complex] wcaps 0x40778d: 8-Channels Digital Amp-Out CP Amp-Out caps: ofs=0x00, nsteps=0x00, stepsize=0x00, mute=1 Amp-Out vals: [0x00 0x00] Pincap 0x0b000094: OUT Detect HBR HDMI DP Pin Default 0x58560010: [N/A] Digital Out at Int HDMI Conn = Digital, Color = Unknown DefAssociation = 0x1, Sequence = 0x0 Pin-ctls: 0x40: OUT Unsolicited: tag=00, enabled=0 Power states: D0 D3 EPSS Power: setting=D0, actual=D0 Devices: 0 Connection: 3 0x02 0x03* 0x04 For now, use a quirk to force connectivity based on SSID. If there are more platforms affected by the same issue, we can eye for a more generic solution. Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20200804155836.16252-1-kai.heng.feng@canonical.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit d4dadf0c5a074e322ac16785c3cc98e77ca079e8 Author: Kai Vehmanen Date: Tue Jul 14 16:28:04 2020 +0300 ASoC: intel/skl/hda - fix probe regression on systems without i915 [ Upstream commit ffc6d45d96f07a32700cb6b7be2d3459e63c255a ] Starting in commit cbc7a6b5a87a ("ASoC: soc-card: add snd_soc_card_add_dai_link()"), error value from ASoc add_dai_link() is no longer ignored. The generic HDA machine driver relied on the old semantics to disable i915 HDMI/DP audio codec at runtime. If no display codec was present, add_dai_link() returned an error, but this was ignored and rest of the card was successfully probed. Fix the problem by changing the machine driver add_dai_link() to not return an error in this case. Fixes: cbc7a6b5a87a ("ASoC: soc-card: add snd_soc_card_add_dai_link()") Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Reviewed-by: Guennadi Liakhovetski BugLink: https://github.com/thesofproject/linux/issues/2261 Link: https://lore.kernel.org/r/20200714132804.3638221-1-kai.vehmanen@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bd331906c61bd364f56ba9336a7ff85c6858b1da Author: Hugh Dickins Date: Thu Aug 6 23:26:25 2020 -0700 khugepaged: khugepaged_test_exit() check mmget_still_valid() [ Upstream commit bbe98f9cadff58cdd6a4acaeba0efa8565dabe65 ] Move collapse_huge_page()'s mmget_still_valid() check into khugepaged_test_exit() itself. collapse_huge_page() is used for anon THP only, and earned its mmget_still_valid() check because it inserts a huge pmd entry in place of the page table's pmd entry; whereas collapse_file()'s retract_page_tables() or collapse_pte_mapped_thp() merely clears the page table's pmd entry. But core dumping without mmap lock must have been as open to mistaking a racily cleared pmd entry for a page table at physical page 0, as exit_mmap() was. And we certainly have no interest in mapping as a THP once dumping core. Fixes: 59ea6d06cfa9 ("coredump: fix race condition between collapse_huge_page() and core dumping") Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Cc: Andrea Arcangeli Cc: Song Liu Cc: Mike Kravetz Cc: Kirill A. Shutemov Cc: [4.8+] Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2008021217020.27773@eggly.anvils Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin