Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-18282

The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code.

CVE
#vulnerability#web#ios#mac#google#linux#red_hat#git#oracle

commit b260a0862e3a9fccdac23ec3b783911b098c1c74 Author: Greg Kroah-Hartman Date: Sun Nov 10 11:35:00 2019 +0100 Linux 5.3.10 commit dce5debe6d834649a7dcd1668c42a19ada0497fe Author: Roger Quadros Date: Thu Aug 22 16:40:28 2019 +0300 usb: gadget: udc: core: Fix segfault if udc_bind_to_driver() for pending driver fails commit 163be6ff7739b12ff300d77897d340f661821da2 upstream. If a gadget driver is in the pending drivers list, a UDC becomes available and udc_bind_to_driver() fails, then it gets deleted from the pending list. i.e. list_del(&driver->pending) in check_pending_gadget_drivers(). Then if that gadget driver is unregistered, usb_gadget_unregister_driver() does a list_del(&driver->pending) again thus causing a page fault as that list entry has been poisoned by the previous list_del(). Fix this by using list_del_init() instead of list_del() in check_pending_gadget_drivers(). Test case: - Make sure no UDC is available - modprobe g_mass_storage file=wrongfile - Load UDC driver so it becomes available lun0: unable to open backing file: wrongfile - modprobe -r g_mass_storage [ 60.900431] Unable to handle kernel paging request at virtual address dead000000000108 [ 60.908346] Mem abort info: [ 60.911145] ESR = 0x96000044 [ 60.914227] Exception class = DABT (current EL), IL = 32 bits [ 60.920162] SET = 0, FnV = 0 [ 60.923217] EA = 0, S1PTW = 0 [ 60.926354] Data abort info: [ 60.929228] ISV = 0, ISS = 0x00000044 [ 60.933058] CM = 0, WnR = 1 [ 60.936011] [dead000000000108] address between user and kernel address ranges [ 60.943136] Internal error: Oops: 96000044 [#1] PREEMPT SMP [ 60.948691] Modules linked in: g_mass_storage(-) usb_f_mass_storage libcomposite xhci_plat_hcd xhci_hcd usbcore ti_am335x_adc kfifo_buf omap_rng cdns3 rng_core udc_core crc32_ce xfrm_user crct10dif_ce snd_so6 [ 60.993995] Process modprobe (pid: 834, stack limit = 0x00000000c2aebc69) [ 61.000765] CPU: 0 PID: 834 Comm: modprobe Not tainted 4.19.59-01963-g065f42a60499 #92 [ 61.008658] Hardware name: Texas Instruments SoC (DT) [ 61.014472] pstate: 60000005 (nZCv daif -PAN -UAO) [ 61.019253] pc : usb_gadget_unregister_driver+0x7c/0x108 [udc_core] [ 61.025503] lr : usb_gadget_unregister_driver+0x30/0x108 [udc_core] [ 61.031750] sp : ffff00001338fda0 [ 61.035049] x29: ffff00001338fda0 x28: ffff800846d40000 [ 61.040346] x27: 0000000000000000 x26: 0000000000000000 [ 61.045642] x25: 0000000056000000 x24: 0000000000000800 [ 61.050938] x23: ffff000008d7b0d0 x22: ffff0000088b07c8 [ 61.056234] x21: ffff000001100000 x20: ffff000002020260 [ 61.061530] x19: ffff0000010ffd28 x18: 0000000000000000 [ 61.066825] x17: 0000000000000000 x16: 0000000000000000 [ 61.072121] x15: 0000000000000000 x14: 0000000000000000 [ 61.077417] x13: ffff000000000000 x12: ffffffffffffffff [ 61.082712] x11: 0000000000000030 x10: 7f7f7f7f7f7f7f7f [ 61.088008] x9 : fefefefefefefeff x8 : 0000000000000000 [ 61.093304] x7 : ffffffffffffffff x6 : 000000000000ffff [ 61.098599] x5 : 8080000000000000 x4 : 0000000000000000 [ 61.103895] x3 : ffff000001100020 x2 : ffff800846d40000 [ 61.109190] x1 : dead000000000100 x0 : dead000000000200 [ 61.114486] Call trace: [ 61.116922] usb_gadget_unregister_driver+0x7c/0x108 [udc_core] [ 61.122828] usb_composite_unregister+0x10/0x18 [libcomposite] [ 61.128643] msg_cleanup+0x18/0xfce0 [g_mass_storage] [ 61.133682] __arm64_sys_delete_module+0x17c/0x1f0 [ 61.138458] el0_svc_common+0x90/0x158 [ 61.142192] el0_svc_handler+0x2c/0x80 [ 61.145926] el0_svc+0x8/0xc [ 61.148794] Code: eb03003f d10be033 54ffff21 a94d0281 (f9000420) [ 61.154869] —[ end trace afb22e9b637bd9a7 ]— Segmentation fault Acked-by: Alan Stern Signed-off-by: Roger Quadros Signed-off-by: Felipe Balbi Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 2c10f833cf3d85107bb6e6491b15038824a3aaa2 Author: Suman Anna Date: Thu Aug 8 09:39:28 2019 -0500 arm64: dts: ti: k3-am65-main: Fix gic-its node unit-address commit 389ce1a7c5279ebfb682fab220b4021b2bd49c8b upstream. The gic-its node unit-address has an additional zero compared to the actual reg value. Fix it. Fixes: ea47eed33a3f (“arm64: dts: ti: Add Support for AM654 SoC”) Reported-by: Robert Tivy Signed-off-by: Suman Anna Signed-off-by: Tero Kristo Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 06b1280fc7cfbf235d6a60066f4a819eb478ab94 Author: Peter Ujfalusi Date: Thu Sep 19 10:16:52 2019 +0300 ASoC: pcm3168a: The codec does not support S32_LE commit 7b2db65b59c30d58c129d3c8b2101feca686155a upstream. 24 bits is supported in all modes and 16 bit only when the codec is slave and the DAI is set to RIGHT_J. Remove the unsupported sample format. Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Mathieu Poirier Signed-off-by: Greg Kroah-Hartman commit 879d09bffe4f227d84ab0a6c65d54dafb2ac9260 Author: Desnes A. Nunes do Rosario Date: Thu Oct 3 18:10:10 2019 -0300 selftests/powerpc: Fix compile error on tlbie_test due to newer gcc commit 5b216ea1c40cf06eead15054c70e238c9bd4729e upstream. Newer versions of GCC (>= 9) demand that the size of the string to be copied must be explicitly smaller than the size of the destination. Thus, the NULL char has to be taken into account on strncpy. This will avoid the following compiling error: tlbie_test.c: In function 'main’: tlbie_test.c:639:4: error: ‘strncpy’ specified bound 100 equals destination size strncpy(logdir, optarg, LOGDIR_NAME_SIZE); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ cc1: all warnings being treated as errors Signed-off-by: Desnes A. Nunes do Rosario Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sandipan Das Signed-off-by: Greg Kroah-Hartman commit c3dbb311ced791d87be8e3738f3ff3f023e0229e Author: Aneesh Kumar K.V Date: Tue Sep 24 09:22:54 2019 +0530 selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue commit 93cad5f789951eaa27c3392b15294b4e51253944 upstream. Signed-off-by: Aneesh Kumar K.V [mpe: Some minor fixes to make it build] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sandipan Das Signed-off-by: Greg Kroah-Hartman commit 6f71cc3d4490b2b8acb91472e5c0406cc1a0f365 Author: Pavel Shilovsky Date: Tue Oct 22 08:41:42 2019 -0700 CIFS: Fix retry mid list corruption on reconnects commit abe57073d08c13b95a46ccf48cc9dc957d5c6fdb upstream. When the client hits reconnect it iterates over the mid pending queue marking entries for retry and moving them to a temporary list to issue callbacks later without holding GlobalMid_Lock. In the same time there is no guarantee that mids can’t be removed from the temporary list or even freed completely by another thread. It may cause a temporary list corruption: [ 430.454897] list_del corruption. prev->next should be ffff98d3a8f316c0, but was 2e885cb266355469 [ 430.464668] ------------[ cut here ]------------ [ 430.466569] kernel BUG at lib/list_debug.c:51! [ 430.468476] invalid opcode: 0000 [#1] SMP PTI [ 430.470286] CPU: 0 PID: 13267 Comm: cifsd Kdump: loaded Not tainted 5.4.0-rc3+ #19 [ 430.473472] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 [ 430.475872] RIP: 0010:__list_del_entry_valid.cold+0x31/0x55 … [ 430.510426] Call Trace: [ 430.511500] cifs_reconnect+0x25e/0x610 [cifs] [ 430.513350] cifs_readv_from_socket+0x220/0x250 [cifs] [ 430.515464] cifs_read_from_socket+0x4a/0x70 [cifs] [ 430.517452] ? try_to_wake_up+0x212/0x650 [ 430.519122] ? cifs_small_buf_get+0x16/0x30 [cifs] [ 430.521086] ? allocate_buffers+0x66/0x120 [cifs] [ 430.523019] cifs_demultiplex_thread+0xdc/0xc30 [cifs] [ 430.525116] kthread+0xfb/0x130 [ 430.526421] ? cifs_handle_standard+0x190/0x190 [cifs] [ 430.528514] ? kthread_park+0x90/0x90 [ 430.530019] ret_from_fork+0x35/0x40 Fix this by obtaining extra references for mids being retried and marking them as MID_DELETED which indicates that such a mid has been dequeued from the pending list. Also move mid cleanup logic from DeleteMidQEntry to _cifs_mid_q_entry_release which is called when the last reference to a particular mid is put. This allows to avoid any use-after-free of response buffers. The patch needs to be backported to stable kernels. A stable tag is not mentioned below because the patch doesn’t apply cleanly to any actively maintained stable kernel. Reviewed-by: Ronnie Sahlberg Reviewed-and-tested-by: David Wysochanski Signed-off-by: Pavel Shilovsky Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 036fb5dc7c9e4c1fd75be4ff95861c7b74168ebb Author: Jan Kiszka Date: Wed Sep 4 08:42:30 2019 +0200 platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table commit ad0d315b4d4e7138f43acf03308192ec00e9614d upstream. The SIMATIC IPC227E uses the PMC clock for on-board components and gets stuck during boot if the clock is disabled. Therefore, add this device to the critical systems list. Fixes: 648e921888ad (“clk: x86: Stop marking clocks as CLK_IS_CRITICAL”) Signed-off-by: Jan Kiszka Signed-off-by: Andy Shevchenko Signed-off-by: Greg Kroah-Hartman commit 76b4d8952ff119a143c25159bbf58417f2b548b4 Author: Eric Dumazet Date: Tue Oct 22 07:57:46 2019 -0700 net/flow_dissector: switch to siphash commit 55667441c84fa5e0911a0aac44fb059c15ba6da2 upstream. UDP IPv6 packets auto flowlabels are using a 32bit secret (static u32 hashrnd in net/core/flow_dissector.c) and apply jhash() over fields known by the receivers. Attackers can easily infer the 32bit secret and use this information to identify a device and/or user, since this 32bit secret is only set at boot time. Really, using jhash() to generate cookies sent on the wire is a serious security concern. Trying to change the rol32(hash, 16) in ip6_make_flowlabel() would be a dead end. Trying to periodically change the secret (like in sch_sfq.c) could change paths taken in the network for long lived flows. Let’s switch to siphash, as we did in commit df453700e8d8 (“inet: switch IP ID generator to siphash”) Using a cryptographically strong pseudo random function will solve this privacy issue and more generally remove other weak points in the stack. Packet schedulers using skb_get_hash_perturb() benefit from this change. Fixes: b56774163f99 (“ipv6: Enable auto flow labels by default”) Fixes: 42240901f7c4 (“ipv6: Implement different admin modes for automatic flow labels”) Fixes: 67800f9b1f4e (“ipv6: Call skb_get_hash_flowi6 to get skb->hash in ip6_make_flowlabel”) Fixes: cb1ce2ef387b (“ipv6: Implement automatic flow label generation on transmit”) Signed-off-by: Eric Dumazet Reported-by: Jonathan Berger Reported-by: Amit Klein Reported-by: Benny Pinkas Cc: Tom Herbert Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cf65d6a7511cef6075f7cba344b23a6b6dc9c160 Author: Doug Berger Date: Wed Oct 16 16:06:32 2019 -0700 net: bcmgenet: reset 40nm EPHY on energy detect [ Upstream commit 25382b991d252aed961cd434176240f9de6bb15f ] The EPHY integrated into the 40nm Set-Top Box devices can falsely detect energy when connected to a disabled peer interface. When the peer interface is enabled the EPHY will detect and report the link as active, but on occasion may get into a state where it is not able to exchange data with the connected GENET MAC. This issue has not been observed when the link parameters are auto-negotiated; however, it has been observed with a manually configured link. It has been empirically determined that issuing a soft reset to the EPHY when energy is detected prevents it from getting into this bad state. Fixes: 1c1008c793fa (“net: bcmgenet: add main driver file”) Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 94573758bdf26b5d10dd0303af84fa45f33f61aa Author: Doug Berger Date: Wed Oct 16 16:06:30 2019 -0700 net: phy: bcm7xxx: define soft_reset for 40nm EPHY [ Upstream commit fe586b823372a9f43f90e2c6aa0573992ce7ccb7 ] The internal 40nm EPHYs use a “Workaround for putting the PHY in IDDQ mode.” These PHYs require a soft reset to restore functionality after they are powered back up. This commit defines the soft_reset function to use genphy_soft_reset during phy_init_hw to accommodate this. Fixes: 6e2d85ec0559 (“net: phy: Stop with excessive soft reset”) Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 85ccbc41331748e170289bc6bf9188c81c8eba71 Author: Jakub Kicinski Date: Fri Oct 18 09:16:58 2019 -0700 net: netem: correct the parent’s backlog when corrupted packet was dropped [ Upstream commit e0ad032e144731a5928f2d75e91c2064ba1a764c ] If packet corruption failed we jump to finish_segs and return NET_XMIT_SUCCESS. Seeing success will make the parent qdisc increment its backlog, that’s incorrect - we need to return NET_XMIT_DROP. Fixes: 6071bd1aa13e (“netem: Segment GSO packets on enqueue”) Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8c684b3736b05a11080309b9802331070ce5cdb2 Author: Kazutoshi Noguchi Date: Mon Oct 21 00:03:07 2019 +0900 r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 [ Upstream commit b3060531979422d5bb18d80226f978910284dc70 ] This device is sold as 'ThinkPad USB-C Dock Gen 2 (40AS)'. Chipset is RTL8153 and works with r8152. Without this, the generic cdc_ether grabs the device, and the device jam connected networks up when the machine suspends. Signed-off-by: Kazutoshi Noguchi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1bee33cd43ae3d447f2cbfadda6fa0da8dddb3fc Author: Andrew Lunn Date: Thu Oct 17 21:29:26 2019 +0200 net: usb: lan78xx: Connect PHY before registering MAC [ Upstream commit 38b4fe320119859c11b1dc06f6b4987a16344fa1 ] As soon as the netdev is registers, the kernel can start using the interface. If the driver connects the MAC to the PHY after the netdev is registered, there is a race condition where the interface can be opened without having the PHY connected. Change the order to close this race condition. Fixes: 92571a1aae40 (“lan78xx: Connect phy early”) Reported-by: Daniel Wagner Signed-off-by: Andrew Lunn Tested-by: Daniel Wagner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d6be9052efc56048811f702f2e16de130e20cfe6 Author: Eric Dumazet Date: Fri Oct 18 15:20:05 2019 -0700 net: reorder ‘struct net’ fields to avoid false sharing [ Upstream commit 2a06b8982f8f2f40d03a3daf634676386bd84dbc ] Intel test robot reported a ~7% regression on TCP_CRR tests that they bisected to the cited commit. Indeed, every time a new TCP socket is created or deleted, the atomic counter net->count is touched (via get_net(net) and put_net(net) calls) So cpus might have to reload a contended cache line in net_hash_mix(net) calls. We need to reorder ‘struct net’ fields to move @hash_mix in a read mostly cache line. We move in the first cache line fields that can be dirtied often. We probably will have to address in a followup patch the __randomize_layout that was added in linux-4.13, since this might break our placement choices. Fixes: 355b98553789 ("netns: provide pure entropy for net_hash_mix()") Signed-off-by: Eric Dumazet Reported-by: kernel test robot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 52d1c8d880841e90702d6c7aec391f0fc8916949 Author: Jakub Kicinski Date: Fri Oct 18 09:16:57 2019 -0700 net: netem: fix error path for corrupted GSO frames [ Upstream commit a7fa12d15855904aff1716e1fc723c03ba38c5cc ] To corrupt a GSO frame we first perform segmentation. We then proceed using the first segment instead of the full GSO skb and requeue the rest of the segments as separate packets. If there are any issues with processing the first segment we still want to process the rest, therefore we jump to the finish_segs label. Commit 177b8007463c (“net: netem: fix backlog accounting for corrupted GSO frames”) started using the pointer to the first segment in the "rest of segments processing", but as mentioned above the first segment may had already been freed at this point. Backlog corrections for parent qdiscs have to be adjusted. Fixes: 177b8007463c (“net: netem: fix backlog accounting for corrupted GSO frames”) Reported-by: kbuild test robot Reported-by: Dan Carpenter Reported-by: Ben Hutchings Signed-off-by: Jakub Kicinski Reviewed-by: Simon Horman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ff24f2c20d56ebde3d6f03e2a5598513447cf3ba Author: Yonglong Liu Date: Fri Oct 18 11:42:59 2019 +0800 net: hns3: fix mis-counting IRQ vector numbers issue [ Upstream commit 580a05f9d4ada3bfb689140d0efec1efdb8a48da ] Currently, the num_msi_left means the vector numbers of NIC, but if the PF supported RoCE, it contains the vector numbers of NIC and RoCE(Not expected). This may cause interrupts lost in some case, because of the NIC module used the vector resources which belongs to RoCE. This patch adds a new variable num_nic_msi to store the vector numbers of NIC, and adjust the default TQP numbers and rss_size according to the value of num_nic_msi. Fixes: 46a3df9f9718 (“net: hns3: Add HNS3 Acceleration Engine & Compatibility Layer Support”) Signed-off-by: Yonglong Liu Signed-off-by: Huazhong Tan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 95753984d8751580180ab0f06e6d3c2d0512da15 Author: Eric Dumazet Date: Wed Oct 16 18:00:56 2019 -0700 net: ensure correct skb->tstamp in various fragmenters [ Upstream commit 9669fffc1415bb0c30e5d2ec98a8e1c3a418cb9c ] Thomas found that some forwarded packets would be stuck in FQ packet scheduler because their skb->tstamp contained timestamps far in the future. We thought we addressed this point in commit 8203e2d844d3 (“net: clear skb->tstamp in forwarding paths”) but there is still an issue when/if a packet needs to be fragmented. In order to meet EDT requirements, we have to make sure all fragments get the original skb->tstamp. Note that this original skb->tstamp should be zero in forwarding path, but might have a non zero value in output path if user decided so. Fixes: fb420d5d91c1 (“tcp/fq: move back to CLOCK_MONOTONIC”) Signed-off-by: Eric Dumazet Reported-by: Thomas Bartschies Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 96ed7673dcb92986956af16d877fb43dc98202c0 Author: Vivien Didelot Date: Fri Oct 18 17:02:46 2019 -0400 net: dsa: fix switch tree list [ Upstream commit 50c7d2ba9de20f60a2d527ad6928209ef67e4cdd ] If there are multiple switch trees on the device, only the last one will be listed, because the arguments of list_add_tail are swapped. Fixes: 83c0afaec7b7 (“net: dsa: Add new binding implementation”) Signed-off-by: Vivien Didelot Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 952f311789b0312217ee4da592534918cc7003c4 Author: Florian Fainelli Date: Sat Oct 5 15:05:18 2019 -0700 net: dsa: b53: Do not clear existing mirrored port mask [ Upstream commit c763ac436b668d7417f0979430ec0312ede4093d ] Clearing the existing bitmask of mirrored ports essentially prevents us from capturing more than one port at any given time. This is clearly wrong, do not clear the bitmask prior to setting up the new port. Reported-by: Hubert Feurstein Fixes: ed3af5fd08eb (“net: dsa: b53: Add support for port mirroring”) Signed-off-by: Florian Fainelli Reviewed-by: Vivien Didelot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 834b3cdd0785bb008b458f53e367ffbee617f937 Author: Doug Berger Date: Wed Oct 16 16:06:29 2019 -0700 net: bcmgenet: don’t set phydev->link from MAC [ Upstream commit 7de48402faa32298c3551ea32c76ccb4f9d3025d ] When commit 28b2e0d2cd13 ("net: phy: remove parameter new_link from phy_mac_interrupt()") removed the new_link parameter it set the phydev->link state from the MAC before invoking phy_mac_interrupt(). However, once commit 88d6272acaaa (“net: phy: avoid unneeded MDIO reads in genphy_read_status”) was added this initialization prevents the proper determination of the connection parameters by the function genphy_read_status(). This commit removes that initialization to restore the proper functionality. Fixes: 88d6272acaaa (“net: phy: avoid unneeded MDIO reads in genphy_read_status”) Signed-off-by: Doug Berger Acked-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dc9df3fc9d80347ba36f7a0fdaa7fca9636cbdb6 Author: Eric Dumazet Date: Sat Oct 19 09:26:37 2019 -0700 ipv4: fix IPSKB_FRAG_PMTU handling with fragmentation [ Upstream commit e7a409c3f46cb0dbc7bfd4f6f9421d53e92614a5 ] This patch removes the iph field from the state structure, which is not properly initialized. Instead, add a new field to make the “do we want to set DF” be the state bit and move the code to set the DF flag from ip_frag_next(). Joint work with Pablo and Linus. Fixes: 19c3401a917b (“net: ipv4: place control buffer handling away from fragmentation iterators”) Reported-by: Patrick Schönthaler Signed-off-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso Signed-off-by: Linus Torvalds Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 372a4ffae4c3ea164a0ef57ca02b7e75b5b24011 Author: Maxim Mikityanskiy Date: Mon Sep 16 14:54:20 2019 +0300 net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget [ Upstream commit 9df86bdb6746d7fcfc2fda715f7a7c3d0ddb2654 ] When CQE compression is enabled, compressed CQEs use the following structure: a title is followed by one or many blocks, each containing 8 mini CQEs (except the last, which may contain fewer mini CQEs). Due to NAPI budget restriction, a complete structure is not always parsed in one NAPI run, and some blocks with mini CQEs may be deferred to the next NAPI poll call - we have the mlx5e_decompress_cqes_cont call in the beginning of mlx5e_poll_rx_cq. However, if the budget is extremely low, some blocks may be left even after that, but the code that follows the mlx5e_decompress_cqes_cont call doesn’t check it and assumes that a new CQE begins, which may not be the case. In such cases, random memory corruptions occur. An extremely low NAPI budget of 8 is used when busy_poll or busy_read is active. This commit adds a check to make sure that the previous compressed CQE has been completely parsed after mlx5e_decompress_cqes_cont, otherwise it prevents a new CQE from being fetched in the middle of a compressed CQE. This commit fixes random crashes in __build_skb, __page_pool_put_page and other not-related-directly places, that used to happen when both CQE compression and busy_poll/busy_read were enabled. Fixes: 7219ab34f184 (“net/mlx5e: CQE compression”) Signed-off-by: Maxim Mikityanskiy Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 8135afc2cecc434c0fc3eee0d85446def2389d71 Author: Aya Levin Date: Wed Oct 2 16:53:21 2019 +0300 net/mlx5e: Fix ethtool self test: link speed [ Upstream commit 534e7366f41b0c689b01af4375aefcd1462adedf ] Ethtool self test contains a test for link speed. This test reads the PTYS register and determines whether the current speed is valid or not. Change current implementation to use the function mlx5e_port_linkspeed() that does the same check and fails when speed is invalid. This code redundancy lead to a bug when mlx5e_port_linkspeed() was updated with expended speeds and the self test was not. Fixes: 2c81bfd5ae56 (“net/mlx5e: Move port speed code from en_ethtool.c to en/port.c”) Signed-off-by: Aya Levin Reviewed-by: Moshe Shemesh Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit e0f21506f2933f81b456afed92f74ce6d86f9955 Author: Heiner Kallweit Date: Fri Nov 1 00:10:21 2019 +0100 r8169: fix wrong PHY ID issue with RTL8168dp [ Upstream commit 62bdc8fd1c21d4263ebd18bec57f82532d09249f ] As reported in [0] at least one RTL8168dp version has problems establishing a link. This chip version has an integrated RTL8211b PHY, however the chip seems to report a wrong PHY ID, resulting in a wrong PHY driver (for Generic Realtek PHY) being loaded. Work around this issue by adding a hook to r8168dp_2_mdio_read() for returning the correct PHY ID. [0] https://bbs.archlinux.org/viewtopic.php?id=246508 Fixes: 242cd9b5866a (“r8169: use phy_resume/phy_suspend”) Signed-off-by: Heiner Kallweit Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0e22b9051704c12e9daffc01d40389b044549226 Author: Jiri Pirko Date: Wed Oct 30 11:04:22 2019 +0200 mlxsw: core: Unpublish devlink parameters during reload [ Upstream commit b7265a0df82c1716bf788096217083ed65a8bb14 ] The devlink parameter “acl_region_rehash_interval” is a runtime parameter whose value is stored in a dynamically allocated memory. While reloading the driver, this memory is freed and then allocated again. A use-after-free might happen if during this time frame someone tries to retrieve its value. Since commit 070c63f20f6c (“net: devlink: allow to change namespaces during reload”) the use-after-free can be reliably triggered when reloading the driver into a namespace, as after freeing the memory (via reload_down() callback) all the parameters are notified. Fix this by unpublishing and then re-publishing the parameters during reload. Fixes: 98bbf70c1c41 (“mlxsw: spectrum: add “acl_region_rehash_interval” devlink param”) Fixes: 7c62cfb8c574 (“devlink: publish params only after driver init is done”) Signed-off-by: Jiri Pirko Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 551486fb7909e4f4507e750d3ec2ca7a05919f62 Author: Parav Pandit Date: Thu Sep 19 15:58:14 2019 -0500 net/mlx5: Fix rtable reference leak [ Upstream commit 2347cee83b2bd868bde2d283db0fac89f22be4e0 ] If the rt entry gateway family is not AF_INET for multipath device, rtable reference is leaked. Hence, fix it by releasing the reference. Fixes: 5fb091e8130b (“net/mlx5e: Use hint to resolve route when in HW multipath mode”) Fixes: e32ee6c78efa (“net/mlx5e: Support tunnel encap over tagged Ethernet”) Signed-off-by: Parav Pandit Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 50028b8eeb62a0f94e38085e3f5cfa490ca84c5c Author: Ursula Braun Date: Tue Oct 29 12:41:26 2019 +0100 net/smc: fix refcounting for non-blocking connect() [ Upstream commit 301428ea3708188dc4a243e6e6b46c03b46a0fbc ] If a nonblocking socket is immediately closed after connect(), the connect worker may not have started. This results in a refcount problem, since sock_hold() is called from the connect worker. This patch moves the sock_hold in front of the connect worker scheduling. Reported-by: [email protected] Fixes: 50717a37db03 (“net/smc: nonblocking connect rework”) Reviewed-by: Karsten Graul Signed-off-by: Ursula Braun Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 46c02b3641fa7e21a0c9022757280fc05baff9e3 Author: Roi Dayan Date: Wed Sep 11 14:44:50 2019 +0300 net/mlx5: Fix flow counter list auto bits struct [ Upstream commit 6dfef396ea13873ae9066ee2e0ad6ee364031fe2 ] The union should contain the extended dest and counter list. Remove the resevered 0x40 bits which is redundant. This change doesn’t break any functionally. Everything works today because the code in fs_cmd.c is using the correct structs if extended dest or the basic dest. Fixes: 1b115498598f (“net/mlx5: Introduce extended destination fields”) Signed-off-by: Roi Dayan Reviewed-by: Mark Bloch Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 3001dbfa21bc4f365bf6063a8df30888ffff4dcf Author: Aya Levin Date: Wed Oct 23 12:57:54 2019 +0300 net/mlx5e: Initialize on stack link modes bitmap [ Upstream commit 926b37f76fb0a22fe93c8873c819fd167180e85c ] Initialize link modes bitmap on stack before using it, otherwise the outcome of ethtool set link ksettings might have unexpected values. Fixes: 4b95840a6ced (“net/mlx5e: Fix matching of speed to PRM link modes”) Signed-off-by: Aya Levin Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit ee50c8f5dbb4d1068d1d28b10355da3e0e4036e4 Author: Dmytro Linkin Date: Thu Aug 29 15:24:27 2019 +0000 net/mlx5e: Remove incorrect match criteria assignment line [ Upstream commit 752d3dc06d6936d5a357a18b6b51d91c7e134e88 ] Driver have function, which enable match criteria for misc parameters in dependence of eswitch capabilities. Fixes: 4f5d1beadc10 (“Merge branch ‘mlx5-next’ of git://git.kernel.org/pub/scm/linux/kernel/git/mellanox/linux”) Signed-off-by: Dmytro Linkin Reviewed-by: Jianbo Liu Reviewed-by: Roi Dayan Reviewed-by: Saeed Mahameed Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 11686ceb20a8996baf750f13b49f3746a6596e2c Author: Dmytro Linkin Date: Wed Sep 4 12:32:49 2019 +0000 net/mlx5e: Determine source port properly for vlan push action [ Upstream commit d5dbcc4e87bc8444bd2f1ca4b8f787e1e5677ec2 ] Termination tables are used for vlan push actions on uplink ports. To support RoCE dual port the source port value was placed in a register. Fix the code to use an API method returning the source port according to the FW capabilities. Fixes: 10caabdaad5a (“net/mlx5e: Use termination table for VLAN push actions”) Signed-off-by: Dmytro Linkin Reviewed-by: Jianbo Liu Reviewed-by: Oz Shlomo Reviewed-by: Roi Dayan Signed-off-by: Saeed Mahameed Signed-off-by: Greg Kroah-Hartman commit 72bf7480108788a9aa60f80255c9fcf3b0a4a266 Author: David Howells Date: Thu Oct 31 12:13:46 2019 +0000 rxrpc: Fix handling of last subpacket of jumbo packet [ Upstream commit f9c32435ab7221d1d6cb35738fa85a2da012b23e ] When rxrpc_recvmsg_data() sets the return value to 1 because it’s drained all the data for the last packet, it checks the last-packet flag on the whole packet - but this is wrong, since the last-packet flag is only set on the final subpacket of the last jumbo packet. This means that a call that receives its last packet in a jumbo packet won’t complete properly. Fix this by having rxrpc_locate_data() determine the last-packet state of the subpacket it’s looking at and passing that back to the caller rather than having the caller look in the packet header. The caller then needs to cache this in the rxrpc_call struct as rxrpc_locate_data() isn’t then called again for this packet. Fixes: 248f219cb8bc (“rxrpc: Rewrite the data and ack handling code”) Fixes: e2de6c404898 (“rxrpc: Use info in skbuff instead of reparsing a jumbo packet”) Signed-off-by: David Howells Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e869fb5b5147b9351d38f2da1eb61426b4b97be6 Author: Florian Fainelli Date: Thu Oct 31 15:42:26 2019 -0700 net: phylink: Fix phylink_dbg() macro [ Upstream commit 9d68db5092c5fac99fccfdeab3f04df0b27d1762 ] The phylink_dbg() macro does not follow dynamic debug or defined(DEBUG) and as a result, it spams the kernel log since a PR_DEBUG level is currently used. Fix it to be defined appropriately whether CONFIG_DYNAMIC_DEBUG or defined(DEBUG) are set. Fixes: 17091180b152 (“net: phylink: Add phylink_{printk, err, warn, info, dbg} macros”) Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f74e13b5814ab952d61a8682e785c195b6bda569 Author: Takeshi Misawa Date: Sat Oct 19 15:34:43 2019 +0900 keys: Fix memory leak in copy_net_ns [ Upstream commit 82ecff655e7968151b0047f1b5de03b249e5c1c4 ] If copy_net_ns() failed after net_alloc(), net->key_domain is leaked. Fix this, by freeing key_domain in error path. syzbot report: BUG: memory leak unreferenced object 0xffff8881175007e0 (size 32): comm "syz-executor902", pid 7069, jiffies 4294944350 (age 28.400s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 … 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 … backtrace: [<00000000a83ed741>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline] [<00000000a83ed741>] slab_post_alloc_hook mm/slab.h:439 [inline] [<00000000a83ed741>] slab_alloc mm/slab.c:3326 [inline] [<00000000a83ed741>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 [<0000000059fc92b9>] kmalloc include/linux/slab.h:547 [inline] [<0000000059fc92b9>] kzalloc include/linux/slab.h:742 [inline] [<0000000059fc92b9>] net_alloc net/core/net_namespace.c:398 [inline] [<0000000059fc92b9>] copy_net_ns+0xb2/0x220 net/core/net_namespace.c:445 [<00000000a9d74bbc>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:103 [<000000008047d645>] unshare_nsproxy_namespaces+0x7f/0x100 kernel/nsproxy.c:202 [<000000005993ea6e>] ksys_unshare+0x236/0x490 kernel/fork.c:2674 [<0000000019417e75>] __do_sys_unshare kernel/fork.c:2742 [inline] [<0000000019417e75>] __se_sys_unshare kernel/fork.c:2740 [inline] [<0000000019417e75>] __x64_sys_unshare+0x16/0x20 kernel/fork.c:2740 [<00000000f4c5f2c8>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296 [<0000000038550184>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 syzbot also reported other leak in copy_net_ns -> setup_net. This problem is already fixed by cf47a0b882a4e5f6b34c7949d7b293e9287f1972. Fixes: 9b242610514f (“keys: Network namespace domain tag”) Reported-and-tested-by: [email protected] Signed-off-by: Takeshi Misawa Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ee49b7f3a466bc4c57913e419cf419b4f0edb5fd Author: Ursula Braun Date: Wed Oct 23 15:44:06 2019 +0200 net/smc: keep vlan_id for SMC-R in smc_listen_work() [ Upstream commit ca5f8d2dd5229ccacdd5cfde1ce4d32b0810e454 ] Creating of an SMC-R connection with vlan-id fails, because smc_listen_work() determines the vlan_id of the connection, saves it in struct smc_init_info ini, but clears the ini area again if SMC-D is not applicable. This patch just resets the ISM device before investigating SMC-R availability. Fixes: bc36d2fc93eb (“net/smc: consolidate function parameters”) Signed-off-by: Ursula Braun Signed-off-by: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 129eb19f82d8d1f8afdb5cb39818641809e25507 Author: Ursula Braun Date: Wed Oct 23 15:44:05 2019 +0200 net/smc: fix closing of fallback SMC sockets [ Upstream commit f536dffc0b79738c3104af999318279dccbaa261 ] For SMC sockets forced to fallback to TCP, the file is propagated from the outer SMC to the internal TCP socket. When closing the SMC socket, the internal TCP socket file pointer must be restored to the original NULL value, otherwise memory leaks may show up (found with CONFIG_DEBUG_KMEMLEAK). The internal TCP socket is released in smc_clcsock_release(), which calls __sock_release() function in net/socket.c. This calls the needed iput(SOCK_INODE(sock)) only, if the file pointer has been reset to the original NULL-value. Fixes: 07603b230895 (“net/smc: propagate file from SMC to TCP socket”) Signed-off-by: Ursula Braun Signed-off-by: Karsten Graul Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1c67660f6fb9200f6ee413b7a1b458acf03fbb39 Author: Paolo Abeni Date: Sat Oct 26 11:53:40 2019 +0200 selftests: fib_tests: add more tests for metric update [ Upstream commit 37de3b354150450ba12275397155e68113e99901 ] This patch adds two more tests to ipv4_addr_metric_test() to explicitly cover the scenarios fixed by the previous patch. Suggested-by: David Ahern Signed-off-by: Paolo Abeni Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 5c39c22dcd0e7099629dc893f4b452392516a7d2 Author: Paolo Abeni Date: Sat Oct 26 11:53:39 2019 +0200 ipv4: fix route update on metric change. [ Upstream commit 0b834ba00ab5337e938c727e216e1f5249794717 ] Since commit af4d768ad28c (“net/ipv4: Add support for specifying metric of connected routes”), when updating an IP address with a different metric, the associated connected route is updated, too. Still, the mentioned commit doesn’t handle properly some corner cases: $ ip addr add dev eth0 192.168.1.0/24 $ ip addr add dev eth0 192.168.2.1/32 peer 192.168.2.2 $ ip addr add dev eth0 192.168.3.1/24 $ ip addr change dev eth0 192.168.1.0/24 metric 10 $ ip addr change dev eth0 192.168.2.1/32 peer 192.168.2.2 metric 10 $ ip addr change dev eth0 192.168.3.1/24 metric 10 $ ip -4 route 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.0 192.168.2.2 dev eth0 proto kernel scope link src 192.168.2.1 192.168.3.0/24 dev eth0 proto kernel scope link src 192.168.2.1 metric 10 Only the last route is correctly updated. The problem is the current test in fib_modify_prefix_metric(): if (!(dev->flags & IFF_UP) || ifa->ifa_flags & (IFA_F_SECONDARY | IFA_F_NOPREFIXROUTE) || ipv4_is_zeronet(prefix) || prefix == ifa->ifa_local || ifa->ifa_prefixlen == 32) Which should be the logical ‘not’ of the pre-existing test in fib_add_ifaddr(): if (!ipv4_is_zeronet(prefix) && !(ifa->ifa_flags & IFA_F_SECONDARY) && (prefix != addr || ifa->ifa_prefixlen < 32)) To properly negate the original expression, we need to change the last logical ‘or’ to a logical 'and’. Fixes: af4d768ad28c (“net/ipv4: Add support for specifying metric of connected routes”) Reported-and-suggested-by: Beniamino Galvani Signed-off-by: Paolo Abeni Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 2608538f82ea21bce0f66d4155549eb2c3689471 Author: Eric Dumazet Date: Wed Oct 23 22:44:52 2019 -0700 net: add READ_ONCE() annotation in __skb_wait_for_more_packets() [ Upstream commit 7c422d0ce97552dde4a97e6290de70ec6efb0fc6 ] __skb_wait_for_more_packets() can be called while other cpus can feed packets to the socket receive queue. KCSAN reported : BUG: KCSAN: data-race in __skb_wait_for_more_packets / __udp_enqueue_schedule_skb write to 0xffff888102e40b58 of 8 bytes by interrupt on cpu 0: __skb_insert include/linux/skbuff.h:1852 [inline] __skb_queue_before include/linux/skbuff.h:1958 [inline] __skb_queue_tail include/linux/skbuff.h:1991 [inline] __udp_enqueue_schedule_skb+0x2d7/0x410 net/ipv4/udp.c:1470 __udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline] udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057 udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074 udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233 __udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300 udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:442 [inline] ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 read to 0xffff888102e40b58 of 8 bytes by task 13035 on cpu 1: __skb_wait_for_more_packets+0xfa/0x320 net/core/datagram.c:100 __skb_recv_udp+0x374/0x500 net/ipv4/udp.c:1683 udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 __do_sys_recvmmsg net/socket.c:2703 [inline] __se_sys_recvmmsg net/socket.c:2696 [inline] __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 13035 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ddd19f01faaa00776f9ce7fd9ffc6dfae5db7442 Author: Eric Dumazet Date: Wed Oct 23 22:44:51 2019 -0700 net: use skb_queue_empty_lockless() in busy poll contexts [ Upstream commit 3f926af3f4d688e2e11e7f8ed04e277a14d4d4a4 ] Busy polling usually runs without locks. Let’s use skb_queue_empty_lockless() instead of skb_queue_empty() Also uses READ_ONCE() in __skb_try_recv_datagram() to address a similar potential problem. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9fcb07822f7df2d9dd0d461d1ddd571ce3119959 Author: Eric Dumazet Date: Wed Oct 23 22:44:50 2019 -0700 net: use skb_queue_empty_lockless() in poll() handlers [ Upstream commit 3ef7cf57c72f32f61e97f8fa401bc39ea1f1a5d4 ] Many poll() handlers are lockless. Using skb_queue_empty_lockless() instead of skb_queue_empty() is more appropriate. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cac7057f3642dd04889fc27ca0ba63f6d79bde75 Author: Eric Dumazet Date: Wed Oct 23 22:44:49 2019 -0700 udp: use skb_queue_empty_lockless() [ Upstream commit 137a0dbe3426fd7bcfe3f8117b36a87b3590e4eb ] syzbot reported a data-race [1]. We should use skb_queue_empty_lockless() to document that we are not ensuring a mutual exclusion and silence KCSAN. [1] BUG: KCSAN: data-race in __skb_recv_udp / __udp_enqueue_schedule_skb write to 0xffff888122474b50 of 8 bytes by interrupt on cpu 0: __skb_insert include/linux/skbuff.h:1852 [inline] __skb_queue_before include/linux/skbuff.h:1958 [inline] __skb_queue_tail include/linux/skbuff.h:1991 [inline] __udp_enqueue_schedule_skb+0x2c1/0x410 net/ipv4/udp.c:1470 __udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline] udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057 udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074 udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233 __udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300 udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:442 [inline] ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 read to 0xffff888122474b50 of 8 bytes by task 8921 on cpu 1: skb_queue_empty include/linux/skbuff.h:1494 [inline] __skb_recv_udp+0x18d/0x500 net/ipv4/udp.c:1653 udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 __do_sys_recvmmsg net/socket.c:2703 [inline] __se_sys_recvmmsg net/socket.c:2696 [inline] __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 8921 Comm: syz-executor.4 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit c7dba6a99aec3956f5c5b2c6a4cd1bf5fdc36a5e Author: Eric Dumazet Date: Wed Oct 23 22:44:48 2019 -0700 net: add skb_queue_empty_lockless() [ Upstream commit d7d16a89350ab263484c0aa2b523dd3a234e4a80 ] Some paths call skb_queue_empty() without holding the queue lock. We must use a barrier in order to not let the compiler do strange things, and avoid KCSAN splats. Adding a barrier in skb_queue_empty() might be overkill, I prefer adding a new helper to clearly identify points where the callers might be lockless. This might help us finding real bugs. The corresponding WRITE_ONCE() should add zero cost for current compilers. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 71e92518a9cea75a2e0d6dd8d74684bce9e4b231 Author: Xin Long Date: Tue Oct 29 01:24:32 2019 +0800 vxlan: check tun_info options_len properly [ Upstream commit eadf52cf1852196a1363044dcda22fa5d7f296f7 ] This patch is to improve the tun_info options_len by dropping the skb when TUNNEL_VXLAN_OPT is set but options_len is less than vxlan_metadata. This can void a potential out-of-bounds access on ip_tun_info. Fixes: ee122c79d422 (“vxlan: Flow based tunneling”) Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cebdf3fb370d7a213e87f7138217681a13278735 Author: Eric Dumazet Date: Thu Oct 24 11:43:31 2019 -0700 udp: fix data-race in udp_set_dev_scratch() [ Upstream commit a793183caa9afae907a0d7ddd2ffd57329369bf5 ] KCSAN reported a data-race in udp_set_dev_scratch() [1] The issue here is that we must not write over skb fields if skb is shared. A similar issue has been fixed in commit 89c22d8c3b27 (“net: Fix skb csum races when peeking”) While we are at it, use a helper only dealing with udp_skb_scratch(skb)->csum_unnecessary, as this allows udp_set_dev_scratch() to be called once and thus inlined. [1] BUG: KCSAN: data-race in udp_set_dev_scratch / udpv6_recvmsg write to 0xffff888120278317 of 1 bytes by task 10411 on cpu 1: udp_set_dev_scratch+0xea/0x200 net/ipv4/udp.c:1308 __first_packet_length+0x147/0x420 net/ipv4/udp.c:1556 first_packet_length+0x68/0x2a0 net/ipv4/udp.c:1579 udp_poll+0xea/0x110 net/ipv4/udp.c:2720 sock_poll+0xed/0x250 net/socket.c:1256 vfs_poll include/linux/poll.h:90 [inline] do_select+0x7d0/0x1020 fs/select.c:534 core_sys_select+0x381/0x550 fs/select.c:677 do_pselect.constprop.0+0x11d/0x160 fs/select.c:759 __do_sys_pselect6 fs/select.c:784 [inline] __se_sys_pselect6 fs/select.c:769 [inline] __x64_sys_pselect6+0x12e/0x170 fs/select.c:769 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 read to 0xffff888120278317 of 1 bytes by task 10413 on cpu 0: udp_skb_csum_unnecessary include/net/udp.h:358 [inline] udpv6_recvmsg+0x43e/0xe90 net/ipv6/udp.c:310 inet6_recvmsg+0xbb/0x240 net/ipv6/af_inet6.c:592 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 __do_sys_recvmmsg net/socket.c:2703 [inline] __se_sys_recvmmsg net/socket.c:2696 [inline] __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 10413 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 2276f58ac589 (“udp: use a separate rx queue for packet reception”) Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Paolo Abeni Reviewed-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0a3b174d51c4314bbbdf197fe04a5fbde079d460 Author: Wei Wang Date: Thu Oct 31 16:24:36 2019 -0700 selftests: net: reuseport_dualstack: fix uninitalized parameter [ Upstream commit d64479a3e3f9924074ca7b50bd72fa5211dca9c1 ] This test reports EINVAL for getsockopt(SOL_SOCKET, SO_DOMAIN) occasionally due to the uninitialized length parameter. Initialize it to fix this, and also use int for “test_family” to comply with the API standard. Fixes: d6a61f80b871 (“soreuseport: test mixed v4/v6 sockets”) Reported-by: Maciej Żenczykowski Signed-off-by: Eric Dumazet Signed-off-by: Wei Wang Cc: Craig Gallek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 46c2e4f232b1af8e9e98c9ad9f19a558d7c88335 Author: zhanglin Date: Sat Oct 26 15:54:16 2019 +0800 net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() [ Upstream commit 5ff223e86f5addbfae26419cbb5d61d98f6fbf7d ] memset() the structure ethtool_wolinfo that has padded bytes but the padded bytes have not been zeroed out. Signed-off-by: zhanglin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 820a44df2058d7aa41340dd30a55c4b13a64d08c Author: Daniel Wagner Date: Fri Oct 25 10:04:13 2019 +0200 net: usb: lan78xx: Disable interrupts before calling generic_handle_irq() [ Upstream commit 0a29ac5bd3a988dc151c8d26910dec2557421f64 ] lan78xx_status() will run with interrupts enabled due to the change in ed194d136769 (“usb: core: remove local_irq_save() around ->complete() handler”). generic_handle_irq() expects to be run with IRQs disabled. [ 4.886203] 000: irq 79 handler irq_default_primary_handler+0x0/0x8 enabled interrupts [ 4.886243] 000: WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:152 __handle_irq_event_percpu+0x154/0x168 [ 4.896294] 000: Modules linked in: [ 4.896301] 000: CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.3.6 #39 [ 4.896310] 000: Hardware name: Raspberry Pi 3 Model B+ (DT) [ 4.896315] 000: pstate: 60000005 (nZCv daif -PAN -UAO) [ 4.896321] 000: pc : __handle_irq_event_percpu+0x154/0x168 [ 4.896331] 000: lr : __handle_irq_event_percpu+0x154/0x168 [ 4.896339] 000: sp : ffff000010003cc0 [ 4.896346] 000: x29: ffff000010003cc0 x28: 0000000000000060 [ 4.896355] 000: x27: ffff000011021980 x26: ffff00001189c72b [ 4.896364] 000: x25: ffff000011702bc0 x24: ffff800036d6e400 [ 4.896373] 000: x23: 000000000000004f x22: ffff000010003d64 [ 4.896381] 000: x21: 0000000000000000 x20: 0000000000000002 [ 4.896390] 000: x19: ffff8000371c8480 x18: 0000000000000060 [ 4.896398] 000: x17: 0000000000000000 x16: 00000000000000eb [ 4.896406] 000: x15: ffff000011712d18 x14: 7265746e69206465 [ 4.896414] 000: x13: ffff000010003ba0 x12: ffff000011712df0 [ 4.896422] 000: x11: 0000000000000001 x10: ffff000011712e08 [ 4.896430] 000: x9 : 0000000000000001 x8 : 000000000003c920 [ 4.896437] 000: x7 : ffff0000118cc410 x6 : ffff0000118c7f00 [ 4.896445] 000: x5 : 000000000003c920 x4 : 0000000000004510 [ 4.896453] 000: x3 : ffff000011712dc8 x2 : 0000000000000000 [ 4.896461] 000: x1 : 73a3f67df94c1500 x0 : 0000000000000000 [ 4.896466] 000: Call trace: [ 4.896471] 000: __handle_irq_event_percpu+0x154/0x168 [ 4.896481] 000: handle_irq_event_percpu+0x50/0xb0 [ 4.896489] 000: handle_irq_event+0x40/0x98 [ 4.896497] 000: handle_simple_irq+0xa4/0xf0 [ 4.896505] 000: generic_handle_irq+0x24/0x38 [ 4.896513] 000: intr_complete+0xb0/0xe0 [ 4.896525] 000: __usb_hcd_giveback_urb+0x58/0xd8 [ 4.896533] 000: usb_giveback_urb_bh+0xd0/0x170 [ 4.896539] 000: tasklet_action_common.isra.0+0x9c/0x128 [ 4.896549] 000: tasklet_hi_action+0x24/0x30 [ 4.896556] 000: __do_softirq+0x120/0x23c [ 4.896564] 000: irq_exit+0xb8/0xd8 [ 4.896571] 000: __handle_domain_irq+0x64/0xb8 [ 4.896579] 000: bcm2836_arm_irqchip_handle_irq+0x60/0xc0 [ 4.896586] 000: el1_irq+0xb8/0x140 [ 4.896592] 000: arch_cpu_idle+0x10/0x18 [ 4.896601] 000: do_idle+0x200/0x280 [ 4.896608] 000: cpu_startup_entry+0x20/0x28 [ 4.896615] 000: rest_init+0xb4/0xc0 [ 4.896623] 000: arch_call_rest_init+0xc/0x14 [ 4.896632] 000: start_kernel+0x454/0x480 Fixes: ed194d136769 (“usb: core: remove local_irq_save() around ->complete() handler”) Cc: Woojung Huh Cc: Marc Zyngier Cc: Andrew Lunn Cc: Stefan Wahren Cc: Jisheng Zhang Cc: Sebastian Andrzej Siewior Cc: Thomas Gleixner Cc: David Miller Signed-off-by: Daniel Wagner Tested-by: Stefan Wahren Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8de771b80ce8b519e10464b7406852c315671400 Author: Nikolay Aleksandrov Date: Tue Oct 29 13:59:32 2019 +0200 net: rtnetlink: fix a typo fbd -> fdb [ Upstream commit 8b73018fe44521c1cf59d7bac53624c87d3f10e2 ] A simple typo fix in the nl error message (fbd -> fdb). CC: David Ahern Fixes: 8c6e137fbc7f (“rtnetlink: Update rtnl_fdb_dump for strict data checking”) Signed-off-by: Nikolay Aleksandrov Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f10bbdd2c539f7b47086d2f79703de04f889eb81 Author: Guillaume Nault Date: Wed Oct 23 18:39:04 2019 +0200 netns: fix GFP flags in rtnl_net_notifyid() [ Upstream commit d4e4fdf9e4a27c87edb79b1478955075be141f67 ] In rtnl_net_notifyid(), we certainly can’t pass a null GFP flag to rtnl_notify(). A GFP_KERNEL flag would be fine in most circumstances, but there are a few paths calling rtnl_net_notifyid() from atomic context or from RCU critical sections. The later also precludes the use of gfp_any() as it wouldn’t detect the RCU case. Also, the nlmsg_new() call is wrong too, as it uses GFP_KERNEL unconditionally. Therefore, we need to pass the GFP flags as parameter and propagate it through function calls until the proper flags can be determined. In most cases, GFP_KERNEL is fine. The exceptions are: * openvswitch: ovs_vport_cmd_get() and ovs_vport_cmd_dump() indirectly call rtnl_net_notifyid() from RCU critical section, * rtnetlink: rtmsg_ifinfo_build_skb() already receives GFP flags as parameter. Also, in ovs_vport_cmd_build_info(), let’s change the GFP flags used by nlmsg_new(). The function is allowed to sleep, so better make the flags consistent with the ones used in the following ovs_vport_cmd_fill_info() call. Found by code inspection. Fixes: 9a9634545c70 (“netns: notify netns id events”) Signed-off-by: Guillaume Nault Acked-by: Nicolas Dichtel Acked-by: Pravin B Shelar Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 02ccce8bb95c5a9c0fcf886790dd98d910ecb064 Author: Eran Ben Elisha Date: Sun Oct 27 16:39:15 2019 +0200 net/mlx4_core: Dynamically set guaranteed amount of counters per VF [ Upstream commit e19868efea0c103f23b4b7e986fd0a703822111f ] Prior to this patch, the amount of counters guaranteed per VF in the resource tracker was MLX4_VF_COUNTERS_PER_PORT * MLX4_MAX_PORTS. It was set regardless if the VF was single or dual port. This caused several VFs to have no guaranteed counters although the system could satisfy their request. The fix is to dynamically guarantee counters, based on each VF specification. Fixes: 9de92c60beaa (“net/mlx4_core: Adjust counter grant policy in the resource tracker”) Signed-off-by: Eran Ben Elisha Signed-off-by: Jack Morgenstein Signed-off-by: Tariq Toukan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 65e1500e4908a97a01e9e13e22de58d9e9cee63b Author: Jiangfeng Xiao Date: Mon Oct 28 13:09:46 2019 +0800 net: hisilicon: Fix ping latency when deal with high throughput [ Upstream commit e56bd641ca61beb92b135298d5046905f920b734 ] This is due to error in over budget processing. When dealing with high throughput, the used buffers that exceeds the budget is not cleaned up. In addition, it takes a lot of cycles to clean up the used buffer, and then the buffer where the valid data is located can take effect. Signed-off-by: Jiangfeng Xiao Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 311e6005a46384bc82e2ef50c118c5dc24198e43 Author: Tejun Heo Date: Thu Oct 24 13:50:27 2019 -0700 net: fix sk_page_frag() recursion from memory reclaim [ Upstream commit 20eb4f29b60286e0d6dc01d9c260b4bd383c58fb ] sk_page_frag() optimizes skb_frag allocations by using per-task skb_frag cache when it knows it’s the only user. The condition is determined by seeing whether the socket allocation mask allows blocking - if the allocation may block, it obviously owns the task’s context and ergo exclusively owns current->task_frag. Unfortunately, this misses recursion through memory reclaim path. Please take a look at the following backtrace. [2] RIP: 0010:tcp_sendmsg_locked+0xccf/0xe10 … tcp_sendmsg+0x27/0x40 sock_sendmsg+0x30/0x40 sock_xmit.isra.24+0xa1/0x170 [nbd] nbd_send_cmd+0x1d2/0x690 [nbd] nbd_queue_rq+0x1b5/0x3b0 [nbd] __blk_mq_try_issue_directly+0x108/0x1b0 blk_mq_request_issue_directly+0xbd/0xe0 blk_mq_try_issue_list_directly+0x41/0xb0 blk_mq_sched_insert_requests+0xa2/0xe0 blk_mq_flush_plug_list+0x205/0x2a0 blk_flush_plug_list+0xc3/0xf0 [1] blk_finish_plug+0x21/0x2e _xfs_buf_ioapply+0x313/0x460 __xfs_buf_submit+0x67/0x220 xfs_buf_read_map+0x113/0x1a0 xfs_trans_read_buf_map+0xbf/0x330 xfs_btree_read_buf_block.constprop.42+0x95/0xd0 xfs_btree_lookup_get_block+0x95/0x170 xfs_btree_lookup+0xcc/0x470 xfs_bmap_del_extent_real+0x254/0x9a0 __xfs_bunmapi+0x45c/0xab0 xfs_bunmapi+0x15/0x30 xfs_itruncate_extents_flags+0xca/0x250 xfs_free_eofblocks+0x181/0x1e0 xfs_fs_destroy_inode+0xa8/0x1b0 destroy_inode+0x38/0x70 dispose_list+0x35/0x50 prune_icache_sb+0x52/0x70 super_cache_scan+0x120/0x1a0 do_shrink_slab+0x120/0x290 shrink_slab+0x216/0x2b0 shrink_node+0x1b6/0x4a0 do_try_to_free_pages+0xc6/0x370 try_to_free_mem_cgroup_pages+0xe3/0x1e0 try_charge+0x29e/0x790 mem_cgroup_charge_skmem+0x6a/0x100 __sk_mem_raise_allocated+0x18e/0x390 __sk_mem_schedule+0x2a/0x40 [0] tcp_sendmsg_locked+0x8eb/0xe10 tcp_sendmsg+0x27/0x40 sock_sendmsg+0x30/0x40 ___sys_sendmsg+0x26d/0x2b0 __sys_sendmsg+0x57/0xa0 do_syscall_64+0x42/0x100 entry_SYSCALL_64_after_hwframe+0x44/0xa9 In [0], tcp_send_msg_locked() was using current->page_frag when it called sk_wmem_schedule(). It already calculated how many bytes can be fit into current->page_frag. Due to memory pressure, sk_wmem_schedule() called into memory reclaim path which called into xfs and then IO issue path. Because the filesystem in question is backed by nbd, the control goes back into the tcp layer - back into tcp_sendmsg_locked(). nbd sets sk_allocation to (GFP_NOIO | __GFP_MEMALLOC) which makes sense - it’s in the process of freeing memory and wants to be able to, e.g., drop clean pages to make forward progress. However, this confused sk_page_frag() called from [2]. Because it only tests whether the allocation allows blocking which it does, it now thinks current->page_frag can be used again although it already was being used in [0]. After [2] used current->page_frag, the offset would be increased by the used amount. When the control returns to [0], current->page_frag’s offset is increased and the previously calculated number of bytes now may overrun the end of allocated memory leading to silent memory corruptions. Fix it by adding gfpflags_normal_context() which tests sleepable && !reclaim and use it to determine whether to use current->task_frag. v2: Eric didn’t like gfp flags being tested twice. Introduce a new helper gfpflags_normal_context() and combine the two tests. Signed-off-by: Tejun Heo Cc: Josef Bacik Cc: Eric Dumazet Cc: [email protected] Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 60e80e60541c6998dbb1fcc7b318bafdf41cf0ae Author: Benjamin Herrenschmidt Date: Fri Oct 25 13:47:24 2019 +1100 net: ethernet: ftgmac100: Fix DMA coherency issue with SW checksum [ Upstream commit 88824e3bf29a2fcacfd9ebbfe03063649f0f3254 ] We are calling the checksum helper after the dma_map_single() call to map the packet. This is incorrect as the checksumming code will touch the packet from the CPU. This means the cache won’t be properly flushes (or the bounce buffering will leave us with the unmodified packet to DMA). This moves the calculation of the checksum & vlan tags to before the DMA mapping. This also has the side effect of fixing another bug: If the checksum helper fails, we goto “drop” to drop the packet, which will not unmap the DMA mapping. Signed-off-by: Benjamin Herrenschmidt Fixes: 05690d633f30 (“ftgmac100: Upgrade to NETIF_F_HW_CSUM”) Reviewed-by: Vijay Khemka Tested-by: Vijay Khemka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit efa7057bc4871763cf17501dba33179463790d6a Author: Florian Fainelli Date: Thu Oct 31 15:54:05 2019 -0700 net: dsa: bcm_sf2: Fix IMP setup for port different than 8 [ Upstream commit 5fc0f21246e50afdf318b5a3a941f7f4f57b8947 ] Since it became possible for the DSA core to use a CPU port different than 8, our bcm_sf2_imp_setup() function was broken because it assumes that registers are applicable to port 8. In particular, the port’s MAC is going to stay disabled, so make sure we clear the RX_DIS and TX_DIS bits if we are not configured for port 8. Fixes: 9f91484f6fcc (“net: dsa: make “label” property optional for dsa2”) Signed-off-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4e568f6e7575947291e039c5504265c6112ff1a8 Author: Eric Dumazet Date: Tue Oct 29 10:54:44 2019 -0700 net: annotate lockless accesses to sk->sk_napi_id [ Upstream commit ee8d153d46a3b98c064ee15c0c0a3bbf1450e5a1 ] We already annotated most accesses to sk->sk_napi_id We missed sk_mark_napi_id() and sk_mark_napi_id_once() which might be called without socket lock held in UDP stack. KCSAN reported : BUG: KCSAN: data-race in udpv6_queue_rcv_one_skb / udpv6_queue_rcv_one_skb write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 0: sk_mark_napi_id include/net/busy_poll.h:125 [inline] __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline] udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672 udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689 udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832 __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913 udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015 ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409 ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459 dst_input include/net/dst.h:442 [inline] ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 napi_poll net/core/dev.c:6392 [inline] net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 write to 0xffff888121c6d108 of 4 bytes by interrupt on cpu 1: sk_mark_napi_id include/net/busy_poll.h:125 [inline] __udpv6_queue_rcv_skb net/ipv6/udp.c:571 [inline] udpv6_queue_rcv_one_skb+0x70c/0xb40 net/ipv6/udp.c:672 udpv6_queue_rcv_skb+0xb5/0x400 net/ipv6/udp.c:689 udp6_unicast_rcv_skb.isra.0+0xd7/0x180 net/ipv6/udp.c:832 __udp6_lib_rcv+0x69c/0x1770 net/ipv6/udp.c:913 udpv6_rcv+0x2b/0x40 net/ipv6/udp.c:1015 ip6_protocol_deliver_rcu+0x22a/0xbe0 net/ipv6/ip6_input.c:409 ip6_input_finish+0x30/0x50 net/ipv6/ip6_input.c:450 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip6_input+0x177/0x190 net/ipv6/ip6_input.c:459 dst_input include/net/dst.h:442 [inline] ip6_rcv_finish+0x110/0x140 net/ipv6/ip6_input.c:76 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ipv6_rcv+0x1a1/0x1b0 net/ipv6/ip6_input.c:284 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 10890 Comm: syz-executor.0 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: e68b6e50fa35 (“udp: enable busy polling for all sockets”) Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 597f5ff2e37aa1487dd1150787aabe2186151770 Author: Eric Dumazet Date: Wed Oct 30 13:00:04 2019 -0700 net: annotate accesses to sk->sk_incoming_cpu [ Upstream commit 7170a977743b72cf3eb46ef6ef89885dc7ad3621 ] This socket field can be read and written by concurrent cpus. Use READ_ONCE() and WRITE_ONCE() annotations to document this, and avoid some compiler 'optimizations’. KCSAN reported : BUG: KCSAN: data-race in tcp_v4_rcv / tcp_v4_rcv write to 0xffff88812220763c of 4 bytes by interrupt on cpu 0: sk_incoming_cpu_update include/net/sock.h:953 [inline] tcp_v4_rcv+0x1b3c/0x1bb0 net/ipv4/tcp_ipv4.c:1934 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:442 [inline] ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 napi_poll net/core/dev.c:6392 [inline] net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 __do_softirq+0x115/0x33f kernel/softirq.c:292 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082 do_softirq.part.0+0x6b/0x80 kernel/softirq.c:337 do_softirq kernel/softirq.c:329 [inline] __local_bh_enable_ip+0x76/0x80 kernel/softirq.c:189 read to 0xffff88812220763c of 4 bytes by interrupt on cpu 1: sk_incoming_cpu_update include/net/sock.h:952 [inline] tcp_v4_rcv+0x181a/0x1bb0 net/ipv4/tcp_ipv4.c:1934 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:442 [inline] ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 napi_poll net/core/dev.c:6392 [inline] net_rx_action+0x3ae/0xa90 net/core/dev.c:6460 __do_softirq+0x115/0x33f kernel/softirq.c:292 run_ksoftirqd+0x46/0x60 kernel/softirq.c:603 smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 40e068f53a10a25013dc3f0396cee893ba72c068 Author: Eric Dumazet Date: Fri Nov 1 10:32:19 2019 -0700 inet: stop leaking jiffies on the wire [ Upstream commit a904a0693c189691eeee64f6c6b188bd7dc244e9 ] Historically linux tried to stick to RFC 791, 1122, 2003 for IPv4 ID field generation. RFC 6864 made clear that no matter how hard we try, we can not ensure unicity of IP ID within maximum lifetime for all datagrams with a given source address/destination address/protocol tuple. Linux uses a per socket inet generator (inet_id), initialized at connection startup with a XOR of ‘jiffies’ and other fields that appear clear on the wire. Thiemo Nagel pointed that this strategy is a privacy concern as this provides 16 bits of entropy to fingerprint devices. Let’s switch to a random starting point, this is just as good as far as RFC 6864 is concerned and does not leak anything critical. Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”) Signed-off-by: Eric Dumazet Reported-by: Thiemo Nagel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d72b88fe4645c6bace1b8223573163aa046e5491 Author: Xin Long Date: Mon Oct 28 23:19:35 2019 +0800 erspan: fix the tun_info options_len check for erspan [ Upstream commit 2eb8d6d2910cfe3dc67dc056f26f3dd9c63d47cd ] The check for !md doens’t really work for ip_tunnel_info_opts(info) which only does info + 1. Also to avoid out-of-bounds access on info, it should ensure options_len is not less than erspan_metadata in both erspan_xmit() and ip6erspan_tunnel_xmit(). Fixes: 1a66a836da (“gre: add collect_md mode to ERSPAN tunnel”) Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e39bc4391b0ecfcc8a96feadc1c0017e1b01cb6a Author: Eric Dumazet Date: Mon Nov 4 07:57:55 2019 -0800 dccp: do not leak jiffies on the wire [ Upstream commit 3d1e5039f5f87a8731202ceca08764ee7cb010d3 ] For some reason I missed the case of DCCP passive flows in my previous patch. Fixes: a904a0693c18 (“inet: stop leaking jiffies on the wire”) Signed-off-by: Eric Dumazet Reported-by: Thiemo Nagel Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0d683933920dcc888a96752c628233a82baa4dd0 Author: Raju Rangoju Date: Wed Oct 23 23:03:55 2019 +0530 cxgb4: request the TX CIDX updates to status page [ Upstream commit 7c3bebc3d8688b84795c11848c314a2fbfe045e0 ] For adapters which support the SGE Doorbell Queue Timer facility, we configured the Ethernet TX Queues to send CIDX Updates to the Associated Ethernet RX Response Queue with CPL_SGE_EGR_UPDATE messages to allow us to respond more quickly to the CIDX Updates. But, this was adding load to PCIe Link RX bandwidth and, potentially, resulting in higher CPU Interrupt load. This patch requests the HW to deliver the CIDX updates to the TX queue status page rather than generating an ingress queue message (as an interrupt). With this patch, the load on RX bandwidth is reduced and a substantial improvement in BW is noticed at lower IO sizes. Fixes: d429005fdf2c (“cxgb4/cxgb4vf: Add support for SGE doorbell queue timer”) Signed-off-by: Raju Rangoju Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7e3c49ad1da9ebd761c6c6654743088f2fef9aab Author: Vishal Kulkarni Date: Wed Oct 30 20:17:57 2019 +0530 cxgb4: fix panic when attaching to ULD fail [ Upstream commit fc89cc358fb64e2429aeae0f37906126636507ec ] Release resources when attaching to ULD fail. Otherwise, data mismatch is seen between LLD and ULD later on, which lead to kernel panic when accessing resources that should not even exist in the first place. Fixes: 94cdb8bb993a (“cxgb4: Add support for dynamic allocation of resources for ULD”) Signed-off-by: Shahjada Abul Husain Signed-off-by: Vishal Kulkarni Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0776cc4bf978d16a3c4b562d1cff5a20777e3329 Author: Josef Bacik Date: Mon Oct 21 15:56:28 2019 -0400 nbd: handle racing with error’ed out commands [ Upstream commit 7ce23e8e0a9cd38338fc8316ac5772666b565ca9 ] We hit the following warning in production print_req_error: I/O error, dev nbd0, sector 7213934408 flags 80700 ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 25 PID: 32407 at lib/refcount.c:190 refcount_sub_and_test_checked+0x53/0x60 Workqueue: knbd-recv recv_work [nbd] RIP: 0010:refcount_sub_and_test_checked+0x53/0x60 Call Trace: blk_mq_free_request+0xb7/0xf0 blk_mq_complete_request+0x62/0xf0 recv_work+0x29/0xa1 [nbd] process_one_work+0x1f5/0x3f0 worker_thread+0x2d/0x3d0 ? rescuer_thread+0x340/0x340 kthread+0x111/0x130 ? kthread_create_on_node+0x60/0x60 ret_from_fork+0x1f/0x30 —[ end trace b079c3c67f98bb7c ]— This was preceded by us timing out everything and shutting down the sockets for the device. The problem is we had a request in the queue at the same time, so we completed the request twice. This can actually happen in a lot of cases, we fail to get a ref on our config, we only have one connection and just error out the command, etc. Fix this by checking cmd->status in nbd_read_stat. We only change this under the cmd->lock, so we are safe to check this here and see if we’ve already error’ed this command out, which would indicate that we’ve completed it as well. Reviewed-by: Mike Christie Signed-off-by: Josef Bacik Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 51c7037bf2765959768c261f5aae9118f8746ff7 Author: Josef Bacik Date: Mon Oct 21 15:56:27 2019 -0400 nbd: protect cmd->status with cmd->lock [ Upstream commit de6346ecbc8f5591ebd6c44ac164e8b8671d71d7 ] We already do this for the most part, except in timeout and clear_req. For the timeout case we take the lock after we grab a ref on the config, but that isn’t really necessary because we’re safe to touch the cmd at this point, so just move the order around. For the clear_req cause this is initiated by the user, so again is safe. Reviewed-by: Mike Christie Signed-off-by: Josef Bacik Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 91980c14b46d23fd2e99bf052ca93ab10bb0ef79 Author: Alan Mikhak Date: Thu Oct 24 09:11:43 2019 -0700 irqchip/sifive-plic: Skip contexts except supervisor in plic_init() [ Upstream commit 41860cc447045c811ce6d5a92f93a065a691fe8e ] Modify plic_init() to skip .dts interrupt contexts other than supervisor external interrupt. The .dts entry for plic may specify multiple interrupt contexts. For example, it may assign two entries IRQ_M_EXT and IRQ_S_EXT, in that order, to the same interrupt controller. This patch modifies plic_init() to skip the IRQ_M_EXT context since IRQ_S_EXT is currently the only supported context. If IRQ_M_EXT is not skipped, plic_init() will report “handler already present for context” when it comes across the IRQ_S_EXT context in the next iteration of its loop. Without this patch, .dts would have to be edited to replace the value of IRQ_M_EXT with -1 for it to be skipped. Signed-off-by: Alan Mikhak Signed-off-by: Marc Zyngier Reviewed-by: Christoph Hellwig Acked-by: Paul Walmsley # arch/riscv Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 65660617526fb406e0e36a959a2e672a527b1f70 Author: Dave Wysochanski Date: Wed Oct 23 05:02:33 2019 -0400 cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs [ Upstream commit d46b0da7a33dd8c99d969834f682267a45444ab3 ] There’s a deadlock that is possible and can easily be seen with a test where multiple readers open/read/close of the same file and a disruption occurs causing reconnect. The deadlock is due a reader thread inside cifs_strict_readv calling down_read and obtaining lock_sem, and then after reconnect inside cifs_reopen_file calling down_read a second time. If in between the two down_read calls, a down_write comes from another process, deadlock occurs. CPU0 CPU1 ---- ---- cifs_strict_readv() down_read(&cifsi->lock_sem); _cifsFileInfo_put OR cifs_new_fileinfo down_write(&cifsi->lock_sem); cifs_reopen_file() down_read(&cifsi->lock_sem); Fix the above by changing all down_write(lock_sem) calls to down_write_trylock(lock_sem)/msleep() loop, which in turn makes the second down_read call benign since it will never block behind the writer while holding lock_sem. Signed-off-by: Dave Wysochanski Suggested-by: Ronnie Sahlberg Reviewed–by: Ronnie Sahlberg Reviewed-by: Pavel Shilovsky Signed-off-by: Sasha Levin commit 41b4bc28cae68869d518308e788fcaca79e3c870 Author: Alain Volmat Date: Tue Oct 15 15:11:58 2019 +0200 i2c: stm32f7: remove warning when compiling with W=1 [ Upstream commit 348e46fbb4cdb2aead79aee1fd8bb25ec5fd25db ] Remove the following warning: drivers/i2c/busses/i2c-stm32f7.c:315: warning: cannot understand function prototype: 'struct stm32f7_i2c_spec i2c_specs[] = Replace a comment starting with /** by simply /* to avoid having it interpreted as a kernel-doc comment. Fixes: aeb068c57214 (“i2c: i2c-stm32f7: add driver”) Signed-off-by: Alain Volmat Reviewed-by: Pierre-Yves MORDRET Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 5e5b7f894b855d8265ad175a88db4f1f454e9b03 Author: Fabrice Gasnier Date: Tue Oct 1 10:51:09 2019 +0200 i2c: stm32f7: fix a race in slave mode with arbitration loss irq [ Upstream commit 6d6b0d0d5afc8c4c84b08261260ba11dfa5206f2 ] When in slave mode, an arbitration loss (ARLO) may be detected before the slave had a chance to detect the stop condition (STOPF in ISR). This is seen when two master + slave adapters switch their roles. It provokes the i2c bus to be stuck, busy as SCL line is stretched. - the I2C_SLAVE_STOP event is never generated due to STOPF flag is set but don’t generate an irq (race with ARLO irq, STOPIE is masked). STOPF flag remains set until next master xfer (e.g. when STOPIE irq get unmasked). In this case, completion is generated too early: immediately upon new transfer request (then it doesn’t send all data). - Some data get stuck in TXDR register. As a consequence, the controller stretches the SCL line: the bus gets busy until a future master transfer triggers the bus busy / recovery mechanism (this can take time… and may never happen at all) So choice is to let the STOPF being detected by the slave isr handler, to properly handle this stop condition. E.g. don’t mask IRQs in error handler, when the slave is running. Fixes: 60d609f30de2 (“i2c: i2c-stm32f7: Add slave support”) Signed-off-by: Fabrice Gasnier Reviewed-by: Pierre-Yves MORDRET Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 8b3153fb1a64764bf5b7a25fd02735a91648693a Author: Fabrice Gasnier Date: Mon Sep 30 17:28:01 2019 +0200 i2c: stm32f7: fix first byte to send in slave mode [ Upstream commit 02e64276c6dbcc4c5f39844f33d18180832a58f3 ] The slave-interface documentation [1] states “the bus driver should transmit the first byte” upon I2C_SLAVE_READ_REQUESTED slave event: - 'val’: backend returns first byte to be sent The driver currently ignores the 1st byte to send on this event. [1] https://www.kernel.org/doc/Documentation/i2c/slave-interface Fixes: 60d609f30de2 (“i2c: i2c-stm32f7: Add slave support”) Signed-off-by: Fabrice Gasnier Reviewed-by: Pierre-Yves MORDRET Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 9a41a6084fd35f3f0efbb4f12796e21733a816b2 Author: Fabien Parent Date: Fri Oct 18 19:32:13 2019 +0200 i2c: mt65xx: fix NULL ptr dereference [ Upstream commit 62931ac2f9015ea38d80494ec37658ab3df6a6d7 ] Since commit abf4923e97c3 (“i2c: mediatek: disable zero-length transfers for mt8183”), there is a NULL pointer dereference for all the SoCs that don’t have any quirk. mtk_i2c_functionality is not checking that the quirks pointer is not NULL before starting to use it. This commit add a call to i2c_check_quirks which will check whether the quirks pointer is set, and if so will check if the IP has the NO_ZERO_LEN quirk. Fixes: abf4923e97c3 (“i2c: mediatek: disable zero-length transfers for mt8183”) Signed-off-by: Fabien Parent Reviewed-by: Cengiz Can Reviewed-by: Hsin-Yi Wang Tested-by: Ulrich Hecht Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit ccd8be0369111c0a0169f984ef3c06d45a9de4f7 Author: Zenghui Yu Date: Wed Oct 23 03:46:26 2019 +0000 irqchip/gic-v3-its: Use the exact ITSList for VMOVP [ Upstream commit 8424312516e5d9baeeb0a95d0e4523579b7aa395 ] On a system without Single VMOVP support (say GITS_TYPER.VMOVP == 0), we will map vPEs only on ITSs that will actually control interrupts for the given VM. And when moving a vPE, the VMOVP command will be issued only for those ITSs. But when issuing VMOVPs we seemed fail to present the exact ITSList to ITSs who are actually included in the synchronization operation. The its_list_map we’re currently using includes all ITSs in the system, even though some of them don’t have the corresponding vPE mapping at all. Introduce get_its_list() to get the per-VM its_list_map, to indicate which ITSs have vPE mappings for the given VM, and use this map as the expected ITSList when building VMOVP. This is hopefully a performance gain not to do some synchronization with those unsuspecting ITSs. And initialize the whole command descriptor to zero at beginning, since the seq_num and its_list should be RES0 when GITS_TYPER.VMOVP == 1. Signed-off-by: Zenghui Yu Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 1523261b166877fe831f975dbcf695069e6668cf Author: Jonas Gorski Date: Tue Oct 22 21:11:00 2019 +0200 MIPS: bmips: mark exception vectors as char arrays [ Upstream commit e4f5cb1a9b27c0f94ef4f5a0178a3fde2d3d0e9e ] The vectors span more than one byte, so mark them as arrays. Fixes the following build error when building when using GCC 8.3: In file included from ./include/linux/string.h:19, from ./include/linux/bitmap.h:9, from ./include/linux/cpumask.h:12, from ./arch/mips/include/asm/processor.h:15, from ./arch/mips/include/asm/thread_info.h:16, from ./include/linux/thread_info.h:38, from ./include/asm-generic/preempt.h:5, from ./arch/mips/include/generated/asm/preempt.h:1, from ./include/linux/preempt.h:81, from ./include/linux/spinlock.h:51, from ./include/linux/mmzone.h:8, from ./include/linux/bootmem.h:8, from arch/mips/bcm63xx/prom.c:10: arch/mips/bcm63xx/prom.c: In function 'prom_init’: ./arch/mips/include/asm/string.h:162:11: error: ‘__builtin_memcpy’ forming offset [2, 32] is out of the bounds [0, 1] of object ‘bmips_smp_movevec’ with type ‘char’ [-Werror=array-bounds] __ret = __builtin_memcpy((dst), (src), __len); \ ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ arch/mips/bcm63xx/prom.c:97:3: note: in expansion of macro ‘memcpy’ memcpy((void *)0xa0000200, &bmips_smp_movevec, 0x20); ^~~~~~ In file included from arch/mips/bcm63xx/prom.c:14: ./arch/mips/include/asm/bmips.h:80:13: note: ‘bmips_smp_movevec’ declared here extern char bmips_smp_movevec; Fixes: 18a1eef92dcd (“MIPS: BMIPS: Introduce bmips.h”) Signed-off-by: Jonas Gorski Reviewed-by: Florian Fainelli Signed-off-by: Paul Burton Cc: [email protected] Cc: Ralf Baechle Cc: James Hogan Signed-off-by: Sasha Levin commit eec2a09f89ffe4285a783775b9c967601c993cd0 Author: Navid Emamdoost Date: Fri Oct 4 13:58:43 2019 -0500 of: unittest: fix memory leak in unittest_data_add [ Upstream commit e13de8fe0d6a51341671bbe384826d527afe8d44 ] In unittest_data_add, a copy buffer is created via kmemdup. This buffer is leaked if of_fdt_unflatten_tree fails. The release for the unittest_data buffer is added. Fixes: b951f9dc7f25 (“Enabling OF selftest to run without machine’s devicetree”) Signed-off-by: Navid Emamdoost Reviewed-by: Frank Rowand Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit dd45d60ecaf78d26a1af4ac3d20afd1cfc18d65f Author: Pan Xiuli Date: Tue Oct 22 14:44:02 2019 -0500 ALSA: hda: Add Tigerlake/Jasperlake PCI ID [ Upstream commit 4750c212174892d26645cdf5ad73fb0e9d594ed3 ] Add HD Audio Device PCI ID for the Intel Tigerlake and Jasperlake platform. Signed-off-by: Pan Xiuli Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit e2ef00292a59c2a280704fa063410d9d158b2c6c Author: Vitaly Kuznetsov Date: Tue Oct 8 20:08:08 2019 +0200 selftests: kvm: fix sync_regs_test with newer gccs [ Upstream commit ef4059809890f732c69cc1726d3a9a108a832a2f ] Commit 204c91eff798a (“KVM: selftests: do not blindly clobber registers in guest asm”) was intended to make test more gcc-proof, however, the result is exactly the opposite: on newer gccs (e.g. 8.2.1) the test breaks with ==== Test Assertion Failure ==== x86_64/sync_regs_test.c:168: run->s.regs.regs.rbx == 0xBAD1DEA + 1 pid=14170 tid=14170 - Invalid argument 1 0x00000000004015b3: main at sync_regs_test.c:166 (discriminator 6) 2 0x00007f413fb66412: ?? ??:0 3 0x000000000040191d: _start at ??:? rbx sync regs value incorrect 0x1. Apparently, compile is still free to play games with registers even when they have variables attached. Re-write guest code with ‘asm volatile’ by embedding ucall there and making sure rbx is preserved. Fixes: 204c91eff798a (“KVM: selftests: do not blindly clobber registers in guest asm”) Signed-off-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit ad9b4e9bd03a37be0c22011b96d9d7aac2711996 Author: Vitaly Kuznetsov Date: Tue Oct 8 21:43:36 2019 +0200 selftests: kvm: vmx_set_nested_state_test: don’t check for VMX support twice [ Upstream commit 700c17d9cec8712f4091692488fb63e2680f7a5d ] vmx_set_nested_state_test() checks if VMX is supported twice: in the very beginning (and skips the whole test if it’s not) and before doing test_vmx_nested_state(). One should be enough. Signed-off-by: Vitaly Kuznetsov Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 4fc9dedf726756ddcc74e7648c6c54ada6b5de75 Author: afzal mohammed Date: Mon Oct 21 06:06:14 2019 +0100 ARM: 8926/1: v7m: remove register save to stack before svc [ Upstream commit 2ecb287998a47cc0a766f6071f63bc185f338540 ] r0-r3 & r12 registers are saved & restored, before & after svc respectively. Intention was to preserve those registers across thread to handler mode switch. On v7-M, hardware saves the register context upon exception in AAPCS complaint way. Restoring r0-r3 & r12 is done from stack location where hardware saves it, not from the location on stack where these registers were saved. To clarify, on stm32f429 discovery board: 1. before svc, sp - 0x90009ff8 2. r0-r3,r12 saved to 0x90009ff8 - 0x9000a00b 3. upon svc, h/w decrements sp by 32 & pushes registers onto stack 4. after svc, sp - 0x90009fd8 5. r0-r3,r12 restored from 0x90009fd8 - 0x90009feb Above means r0-r3,r12 is not restored from the location where they are saved, but since hardware pushes the registers onto stack, the registers are restored correctly. Note that during register saving to stack (step 2), it goes past 0x9000a000. And it seems, based on objdump, there are global symbols residing there, and it perhaps can cause issues on a non-XIP Kernel (on XIP, data section is setup later). Based on the analysis above, manually saving registers onto stack is at best no-op and at worst can cause data section corruption. Hence remove storing of registers onto stack before svc. Fixes: b70cd406d7fe (“ARM: 8671/1: V7M: Preserve registers across switch from Thread to Handler mode”) Signed-off-by: afzal mohammed Acked-by: Vladimir Murzin Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 23f5932abd1c8f3066007d92192debb202b512aa Author: Mihail Atanassov Date: Thu Oct 10 10:30:07 2019 +0000 drm/komeda: Don’t flush inactive pipes [ Upstream commit b88639b8e3808c948169af390bd7e84e909bde8d ] HW doesn’t allow flushing inactive pipes and raises an MERR interrupt if you try to do so. Stop triggering the MERR interrupt in the middle of a commit by calling drm_atomic_helper_commit_planes with the ACTIVE_ONLY flag. Reviewed-by: James Qian Wang (Arm Technology China) Signed-off-by: Mihail Atanassov Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Signed-off-by: Sasha Levin commit 10066e6c21dd4dc8231c8bdd1ca464b49322bb75 Author: Jae Hyun Yoo Date: Wed Oct 9 14:20:34 2019 -0700 i2c: aspeed: fix master pending state handling [ Upstream commit 1f0d9cbeec9bb0a1c2013342836f2c9754d6502b ] In case of master pending state, it should not trigger a master command, otherwise data could be corrupted because this H/W shares the same data buffer for slave and master operations. It also means that H/W command queue handling is unreliable because of the buffer sharing issue. To fix this issue, it clears command queue if a master command is queued in pending state to use S/W solution instead of H/W command queue handling. Also, it refines restarting mechanism of the pending master command. Fixes: 2e57b7cebb98 (“i2c: aspeed: Add multi-master use case support”) Signed-off-by: Jae Hyun Yoo Reviewed-by: Brendan Higgins Acked-by: Joel Stanley Tested-by: Tao Ren Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit b649bffa248785e70f3a2890c683260032df3667 Author: Stefan Wahren Date: Sun Oct 13 12:53:23 2019 +0200 ARM: dts: bcm2837-rpi-cm3: Avoid leds-gpio probing issue [ Upstream commit 626c45d223e22090511acbfb481e0ece1de1356d ] bcm2835-rpi.dtsi defines the behavior of the ACT LED, which is available on all Raspberry Pi boards. But there is no driver for this particual GPIO on CM3 in mainline yet, so this node was left incomplete without the actual GPIO definition. Since commit 025bf37725f1 ("gpio: Fix return value mismatch of function gpiod_get_from_of_node()") this causing probe issues of the leds-gpio driver for users of the CM3 dtsi file. leds-gpio: probe of leds failed with error -2 Until we have the necessary GPIO driver hide the ACT node for CM3 to avoid this. Reported-by: Fredrik Yhlen Signed-off-by: Stefan Wahren Fixes: a54fe8a6cf66 (“ARM: dts: add Raspberry Pi Compute Module 3 and IO board”) Cc: Linus Walleij Cc: Krzysztof Kozlowski Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit e3d2a341b2de3c4a43e39dcbb01b7af20f0e13f4 Author: Zhengjun Xing Date: Fri Oct 18 09:20:34 2019 +0800 tracing: Fix “gfp_t” format for synthetic events [ Upstream commit 9fa8c9c647be624e91b09ecffa7cd97ee0600b40 ] In the format of synthetic events, the “gfp_t” is shown as "signed:1", but in fact the “gfp_t” is "unsigned", should be shown as "signed:0". The issue can be reproduced by the following commands: echo ‘memlatency u64 lat; unsigned int order; gfp_t gfp_flags; int migratetype’ > /sys/kernel/debug/tracing/synthetic_events cat /sys/kernel/debug/tracing/events/synthetic/memlatency/format name: memlatency ID: 2233 format: field:unsigned short common_type; offset:0; size:2; signed:0; field:unsigned char common_flags; offset:2; size:1; signed:0; field:unsigned char common_preempt_count; offset:3; size:1; signed:0; field:int common_pid; offset:4; size:4; signed:1; field:u64 lat; offset:8; size:8; signed:0; field:unsigned int order; offset:16; size:4; signed:0; field:gfp_t gfp_flags; offset:24; size:4; signed:1; field:int migratetype; offset:32; size:4; signed:1; print fmt: "lat=%llu, order=%u, gfp_flags=%x, migratetype=%d", REC->lat, REC->order, REC->gfp_flags, REC->migratetype Link: http://lkml.kernel.org/r/[email protected] Reviewed-by: Tom Zanussi Signed-off-by: Zhengjun Xing Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit c5641f4def8f3d220882876244edc32d9bf9548b Author: Dragos Tarcatu Date: Fri Oct 18 07:38:06 2019 -0500 ASoC: SOF: control: return true when kcontrol values change [ Upstream commit 95a32c98055f664f9b3f34c41e153d4dcedd0eff ] All the kcontrol put() functions are currently returning 0 when successful. This does not go well with alsamixer as it does not seem to get notified on SND_CTL_EVENT_MASK_VALUE callbacks when values change for (some of) the sof kcontrols. This patch fixes that by returning true for volume, switch and enum type kcontrols when values do change in put(). Signed-off-by: Dragos Tarcatu Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f88ba13ccb8353b0e2b674fa53813868ba096339 Author: Chuhong Yuan Date: Thu Oct 17 10:50:44 2019 +0800 ASoC: Intel: sof-rt5682: add a check for devm_clk_get [ Upstream commit e5f0d490fb718254a884453e47fcd48493cd67ea ] sof_audio_probe misses a check for devm_clk_get and may cause problems. Add a check for it to fix the bug. Signed-off-by: Chuhong Yuan Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bcd9343a509f1809b914e212340e6439b6de4765 Author: Don Brace Date: Mon Oct 14 13:03:58 2019 -0500 scsi: hpsa: add missing hunks in reset-patch [ Upstream commit 134993456c28c2ae14bd953236eb0742fe23d577 ] Correct returning from reset before outstanding commands are completed for the device. Link: https://lore.kernel.org/r/157107623870.17997.11208813089704833029.stgit@brunhilda Reviewed-by: Scott Benesh Reviewed-by: Kevin Barnett Signed-off-by: Don Brace Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 3a80b5bb594a61858e1d490d47ec10ea231e047b Author: Bodo Stroesser Date: Mon Oct 14 20:29:04 2019 +0200 scsi: target: core: Do not overwrite CDB byte 1 [ Upstream commit 27e84243cb63601a10e366afe3e2d05bb03c1cb5 ] passthrough_parse_cdb() - used by TCMU and PSCSI - attepts to reset the LUN field of SCSI-2 CDBs (bits 5,6,7 of byte 1). The current code is wrong as for newer commands not having the LUN field it overwrites relevant command bits (e.g. for SECURITY PROTOCOL IN / OUT). We think this code was unnecessary from the beginning or at least it is no longer useful. So we remove it entirely. Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Bodo Stroesser Reviewed-by: Bart Van Assche Reviewed-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 22c5930a37fefb72dd303e581d0115af241a5ec4 Author: Christian König Date: Wed Sep 18 19:42:14 2019 +0200 drm/amdgpu: fix error handling in amdgpu_bo_list_create [ Upstream commit de51a5019ff32960218da8fd899fa3f361b031e9 ] We need to drop normal and userptr BOs separately. Signed-off-by: Christian König Acked-by: Huang Rui Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 378915d2d793049d0e7f1cd1bab607a0dbc3bdb6 Author: Christian König Date: Thu Sep 19 10:38:57 2019 +0200 drm/amdgpu: fix potential VM faults [ Upstream commit 3122051edc7c27cc08534be730f4c7c180919b8a ] When we allocate new page tables under memory pressure we should not evict old ones. Signed-off-by: Christian König Acked-by: Alex Deucher Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 95f02a3411045300cc439f310e073c71d605dcaa Author: Peter Ujfalusi Date: Fri Aug 30 13:22:02 2019 +0300 ARM: davinci: dm365: Fix McBSP dma_slave_map entry [ Upstream commit 564b6bb9d42d31fc80c006658cf38940a9b99616 ] dm365 have only single McBSP, so the device name is without .0 Fixes: 0c750e1fe481d (“ARM: davinci: dm365: Add dma_slave_map to edma”) Signed-off-by: Peter Ujfalusi Signed-off-by: Sekhar Nori Signed-off-by: Sasha Levin commit a1f53246bff5f733b6f446a7f6905c6d0328de1b Author: Yunfeng Ye Date: Wed Oct 16 16:38:45 2019 +0800 perf kmem: Fix memory leak in compact_gfp_flags() [ Upstream commit 1abecfcaa7bba21c9985e0136fa49836164dd8fd ] The memory @orig_flags is allocated by strdup(), it is freed on the normal path, but leak to free on the error path. Fix this by adding free(orig_flags) on the error path. Fixes: 0e11115644b3 (“perf kmem: Print gfp flags in human readable string”) Signed-off-by: Yunfeng Ye Cc: Alexander Shishkin Cc: Feilong Lin Cc: Hu Shiyuan Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit ae4399c1afde926fe98878b1b5bc7041e696966d Author: Colin Ian King Date: Sun Oct 13 23:00:16 2019 +0100 8250-men-mcb: fix error checking when get_num_ports returns -ENODEV [ Upstream commit f50b6805dbb993152025ec04dea094c40cc93a0c ] The current checking for failure on the number of ports fails when -ENODEV is returned from the call to get_num_ports. Fix this by making num_ports and loop counter i signed rather than unsigned ints. Also add check for num_ports being less than zero to check for -ve error returns. Addresses-Coverity: (“Unsigned compared against 0”) Fixes: e2fea54e4592 (“8250-men-mcb: add support for 16z025 and 16z057”) Signed-off-by: Colin Ian King Reviewed-by: Michael Moese Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8a5bedff6833aa88a36ccba49b0039a76077a6d9 Author: Yunfeng Ye Date: Tue Oct 15 10:54:14 2019 +0800 perf c2c: Fix memory leak in build_cl_output() [ Upstream commit ae199c580da1754a2b051321eeb76d6dacd8707b ] There is a memory leak problem in the failure paths of build_cl_output(), so fix it. Signed-off-by: Yunfeng Ye Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Feilong Lin Cc: Hu Shiyuan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit c5096a9ae68b79fb4a8bed4779ba3309e0c9d48f Author: Yunfeng Ye Date: Tue Oct 15 16:30:08 2019 +0800 perf tools: Fix resource leak of closedir() on the error paths [ Upstream commit 6080728ff8e9c9116e52e6f840152356ac2fea56 ] Both build_mem_topology() and rm_rf_depth_pat() have resource leaks of closedir() on the error paths. Fix this by calling closedir() before function returns. Fixes: e2091cedd51b (“perf tools: Add MEM_TOPOLOGY feature to perf data file”) Fixes: cdb6b0235f17 (“perf tools: Add pattern name checking to rm_rf”) Signed-off-by: Yunfeng Ye Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Alexei Starovoitov Cc: Alexey Budankov Cc: Andi Kleen Cc: Daniel Borkmann Cc: Feilong Lin Cc: Hu Shiyuan Cc: Igor Lubashev Cc: Kan Liang Cc: Mark Rutland Cc: Martin KaFai Lau Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Song Liu Cc: Yonghong Song Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 54008ab5c124b91bf52bfe7c3ae4258d8634ce53 Author: Anson Huang Date: Tue Oct 8 08:55:44 2019 +0800 arm64: dts: imx8mm: Use correct clock for usdhc’s ipg clk [ Upstream commit a6a40d5688f2264afd40574ee1c92e5f824b34ba ] On i.MX8MM, usdhc’s ipg clock is from IMX8MM_CLK_IPG_ROOT, assign it explicitly instead of using IMX8MM_CLK_DUMMY. Fixes: a05ea40eb384 (“arm64: dts: imx: Add i.mx8mm dtsi support”) Signed-off-by: Anson Huang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit c1a2c2bcacd14b9c289a06d2ae03a05b1985f650 Author: Anson Huang Date: Tue Oct 8 08:55:43 2019 +0800 arm64: dts: imx8mq: Use correct clock for usdhc’s ipg clk [ Upstream commit b0759297f2c8dda455ff78a1d1ac95e261300ae3 ] On i.MX8MQ, usdhc’s ipg clock is from IMX8MQ_CLK_IPG_ROOT, assign it explicitly instead of using IMX8MQ_CLK_DUMMY. Fixes: 748f908cc882 (“arm64: add basic DTS for i.MX8MQ”) Signed-off-by: Anson Huang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit ccb67164c295b5e9219444ef079c6ee9ca3ecb68 Author: Anson Huang Date: Mon Oct 7 08:43:42 2019 +0800 ARM: dts: imx7s: Correct GPT’s ipg clock source [ Upstream commit 252b9e21bcf46b0d16f733f2e42b21fdc60addee ] i.MX7S/D’s GPT ipg clock should be from GPT clock root and controlled by CCM’s GPT CCGR, using correct clock source for GPT ipg clock instead of IMX7D_CLK_DUMMY. Fixes: 3ef79ca6bd1d (“ARM: dts: imx7d: use imx7s.dtsi as base device tree”) Signed-off-by: Anson Huang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 4525ea414490b8d043c212d4cf49590cba28dba1 Author: Andrey Smirnov Date: Thu Oct 3 22:41:15 2019 -0700 ARM: dts: vf610-zii-scu4-aib: Specify ‘i2c-mux-idle-disconnect’ [ Upstream commit 71936a6d18c33c63b4e9e0359fb987306cbe9fae ] Specify ‘i2c-mux-idle-disconnect’ for both I2C switches present on the board, since both are connected to the same parent bus and all of their children have the same I2C address. Fixes: ca4b4d373fcc (“ARM: dts: vf610: Add ZII SCU4 AIB board”) Signed-off-by: Andrey Smirnov Cc: Shawn Guo Cc: Chris Healy Cc: Cory Tusar Cc: Jeff White Cc: Rick Ramstetter Cc: Lucas Stach Cc: Fabio Estevam Cc: [email protected] Cc: [email protected] Cc: [email protected] Tested-by: Chris Healy Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit aa33539e01e4b166759838f1e3d2783485288af4 Author: Adam Ford Date: Tue Oct 1 19:20:29 2019 -0500 ARM: dts: imx6q-logicpd: Re-Enable SNVS power key [ Upstream commit 52f4d4043d1edc4e9e66ec79cae3e32cfe0e44d6 ] A previous patch disabled the SNVS power key by default which breaks the ability for the imx6q-logicpd board to wake from sleep. This patch re-enables this feature for this board. Fixes: 770856f0da5d (“ARM: dts: imx6qdl: Enable SNVS power key according to board design”) Signed-off-by: Adam Ford Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit fc92ae9dcf896268f1cea95dec8f181b48f9f01e Author: Ran Wang Date: Tue Sep 17 15:33:56 2019 +0800 arm64: dts: lx2160a: Correct CPU core idle state name [ Upstream commit 07159f67c77134dfdfdbdf3d8f657f5890de5b7f ] lx2160a support PW15 but not PW20, correct name to avoid confusing. Signed-off-by: Ran Wang Fixes: 00c5ce8ac023 (“arm64: dts: lx2160a: add cpu idle support”) Acked-by: Li Yang Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 998395dbea1c64dd3d61f7aebe14808292f505c2 Author: Vivek Unune Date: Sat Sep 28 23:22:30 2019 -0400 arm64: dts: rockchip: Fix usb-c on Hugsun X99 TV Box [ Upstream commit 389206e806d892d36de0df6e7b07721432957801 ] Fix usb-c on X99 TV Box. Tested with armbian w/ kernel 5.3 Signed-off-by: Vivek Unune Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit fd635e09c657a142f645a69215f098630cf2ed7f Author: Soeren Moch Date: Fri Oct 4 22:32:13 2019 +0200 arm64: dts: rockchip: fix RockPro64 sdmmc settings [ Upstream commit 5234c14531152702a9f3e575cb552b7e9cea9f94 ] According to the RockPro64 schematic [1] the rk3399 sdmmc controller is connected to a microSD (TF card) slot. Remove the cap-mmc-highspeed property of the sdmmc controller, since no mmc card can be connected here. [1] http://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf Fixes: e4f3fb490967 (“arm64: dts: rockchip: add initial dts support for Rockpro64”) Signed-off-by: Soeren Moch Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 76498b719da8e4a61711858cce8284a8f6d3b770 Author: Vladimir Murzin Date: Thu Oct 10 10:12:20 2019 +0100 ARM: 8914/1: NOMMU: Fix exc_ret for XIP [ Upstream commit 4c0742f65b4ee466546fd24b71b56516cacd4613 ] It was reported that 72cd4064fcca “NOMMU: Toggle only bits in EXC_RETURN we are really care of” breaks NOMMU+XIP combination. It happens because saved EXC_RETURN gets overwritten when data section is relocated. The fix is to propagate EXC_RETURN via register and let relocation code to commit that value into memory. Fixes: 72cd4064fcca (“ARM: 8830/1: NOMMU: Toggle only bits in EXC_RETURN we are really care of”) Reported-by: afzal mohammed Tested-by: afzal mohammed Signed-off-by: Vladimir Murzin Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 0a389a03a6e6ca982b2ddef2f2c0af6da8488a17 Author: Masahiro Yamada Date: Wed Oct 2 11:28:02 2019 +0100 ARM: 8908/1: add __always_inline to functions called from __get_user_check() [ Upstream commit 851140ab0d083c78e5723a8b1cbd258f567a7aff ] KernelCI reports that bcm2835_defconfig is no longer booting since commit ac7c3e4ff401 (“compiler: enable CONFIG_OPTIMIZE_INLINING forcibly”) (https://lkml.org/lkml/2019/9/26/825). I also received a regression report from Nicolas Saenz Julienne (https://lkml.org/lkml/2019/9/27/263). This problem has cropped up on bcm2835_defconfig because it enables CONFIG_CC_OPTIMIZE_FOR_SIZE. The compiler tends to prefer not inlining functions with -Os. I was able to reproduce it with other boards and defconfig files by manually enabling CONFIG_CC_OPTIMIZE_FOR_SIZE. The __get_user_check() specifically uses r0, r1, r2 registers. So, uaccess_save_and_enable() and uaccess_restore() must be inlined. Otherwise, those register assignments would be entirely dropped, according to my analysis of the disassembly. Prior to commit 9012d011660e (“compiler: allow all arches to enable CONFIG_OPTIMIZE_INLINING”), the ‘inline’ marker was always enough for inlining functions, except on x86. Since that commit, all architectures can enable CONFIG_OPTIMIZE_INLINING. So, __always_inline is now the only guaranteed way of forcible inlining. I added __always_inline to 4 functions in the call-graph from the __get_user_check() macro. Fixes: 9012d011660e (“compiler: allow all arches to enable CONFIG_OPTIMIZE_INLINING”) Reported-by: “kernelci.org bot” Reported-by: Nicolas Saenz Julienne Signed-off-by: Masahiro Yamada Tested-by: Nicolas Saenz Julienne Signed-off-by: Russell King Signed-off-by: Sasha Levin commit 99bc1059efc4bbef05549c026b7ba404d5165b31 Author: Thomas Bogendoerfer Date: Wed Oct 9 17:11:28 2019 +0200 scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE [ Upstream commit 8cbf0c173aa096dda526d1ccd66fc751c31da346 ] When building a kernel with SCSI_SNI_53C710 enabled, Kconfig warns: WARNING: unmet direct dependencies detected for 53C700_LE_ON_BE Depends on [n]: SCSI_LOWLEVEL [=y] && SCSI [=y] && SCSI_LASI700 [=n] Selected by [y]: - SCSI_SNI_53C710 [=y] && SCSI_LOWLEVEL [=y] && SNI_RM [=y] && SCSI [=y] Add the missing depends SCSI_SNI_53C710 to 53C700_LE_ON_BE to fix it. Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Thomas Bogendoerfer Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 57f28b1c5691939908c69dc6d8166abae1843035 Author: Thomas Bogendoerfer Date: Wed Oct 9 17:11:18 2019 +0200 scsi: sni_53c710: fix compilation error [ Upstream commit 0ee6211408a8e939428f662833c7301394125b80 ] Drop out memory dev_printk() with wrong device pointer argument. [mkp: typo] Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Thomas Bogendoerfer Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2dbbc94651f8cb5a9d5d22c6f6bc4d575b0c015f Author: Hannes Reinecke Date: Mon Oct 7 15:57:01 2019 +0200 scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions [ Upstream commit b6ce6fb121a655aefe41dccc077141c102145a37 ] Some arrays are not capable of returning RTPG data during state transitioning, but rather return an ‘LUN not accessible, asymmetric access state transition’ sense code. In these cases we can set the state to ‘transitioning’ directly and don’t need to evaluate the RTPG data (which we won’t have anyway). Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Laurence Oberman Reviewed-by: Ewan D. Milne Reviewed-by: Bart Van Assche Signed-off-by: Hannes Reinecke Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8669ff2e8537e4eaf0427737c4e95b51daf904fe Author: Allen Pais Date: Wed Sep 18 22:06:58 2019 +0530 scsi: qla2xxx: fix a potential NULL pointer dereference [ Upstream commit 35a79a63517981a8aea395497c548776347deda8 ] alloc_workqueue is not checked for errors and as a result a potential NULL dereference could occur. Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Allen Pais Reviewed-by: Martin Wilck Acked-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 87c9d62f8631befbf01ff7ac6230e4cfbbbbe9fb Author: Russell King Date: Sat Aug 31 17:01:58 2019 +0100 ARM: mm: fix alignment handler faults under memory pressure [ Upstream commit 67e15fa5b487adb9b78a92789eeff2d6ec8f5cee ] When the system has high memory pressure, the page containing the instruction may be paged out. Using probe_kernel_address() means that if the page is swapped out, the resulting page fault will not be handled because page faults are disabled by this function. Use get_user() to read the instruction instead. Reported-by: Jing Xiangfeng Fixes: b255188f90e2 (“ARM: fix scheduling while atomic warning in alignment handling code”) Signed-off-by: Russell King Signed-off-by: Sasha Levin commit ecf4056e38e9170250ebf455241e84446ff0ff59 Author: Tony Lindgren Date: Wed Oct 9 15:11:27 2019 -0700 ARM: dts: Use level interrupt for omap4 & 5 wlcore [ Upstream commit 087a2b7ec973f6f30f6e7b72cb50b6f7734ffdd2 ] Commit 572cf7d7b07d (“ARM: dts: Improve omap l4per idling with wlcore edge sensitive interrupt”) changed wlcore interrupts to use edge interrupt based on what’s specified in the wl1835mod.pdf data sheet. However, there are still cases where we can have lost interrupts as described in omap_gpio_unidle(). And using a level interrupt instead of edge interrupt helps as we avoid the check for untriggered GPIO interrupts in omap_gpio_unidle(). And with commit e6818d29ea15 (“gpio: gpio-omap: configure edge detection for level IRQs for idle wakeup”) GPIOs idle just fine with level interrupts. Let’s change omap4 and 5 wlcore users back to using level interrupt instead of edge interrupt. Let’s not change the others as I’ve only seen this on omap4 and 5, probably because the other SoCs don’t have l4per idle independent of the CPUs. Fixes: 572cf7d7b07d (“ARM: dts: Improve omap l4per idling with wlcore edge sensitive interrupt”) Depends-on: e6818d29ea15 (“gpio: gpio-omap: configure edge detection for level IRQs for idle wakeup”) Cc: Anders Roxell Cc: Eyal Reizer Cc: Guy Mishol Cc: John Stultz Cc: Ulf Hansson Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 87a2ed28b6866e31d116e5b5b6dd139df7f48d31 Author: Daniel Baluta Date: Wed Oct 9 18:36:15 2019 +0300 ASoC: simple_card_utils.h: Fix potential multiple redefinition error [ Upstream commit af6219590b541418d3192e9bfa03989834ca0e78 ] asoc_simple_debug_info and asoc_simple_debug_dai must be static otherwise we might a compilation error if the compiler decides not to inline the given function. Fixes: 0580dde59438686d ("ASoC: simple-card-utils: add asoc_simple_debug_info()") Signed-off-by: Daniel Baluta Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c39b20e705fab14ed3cb70683c1ad5f463415db4 Author: Srinivas Kandagatla Date: Wed Oct 9 12:19:44 2019 +0100 ASoC: msm8916-wcd-digital: add missing MIX2 path for RX1/2 [ Upstream commit bcab05880f9306e94531b0009c627421db110a74 ] This patch adds missing MIX2 path on RX1/2 which take IIR1 and IIR2 as inputs. Without this patch sound card fails to intialize with below warning: ASoC: no sink widget found for RX1 MIX2 INP1 ASoC: Failed to add route IIR1 -> IIR1 -> RX1 MIX2 INP1 ASoC: no sink widget found for RX2 MIX2 INP1 ASoC: Failed to add route IIR1 -> IIR1 -> RX2 MIX2 INP1 ASoC: no sink widget found for RX1 MIX2 INP1 ASoC: Failed to add route IIR2 -> IIR2 -> RX1 MIX2 INP1 ASoC: no sink widget found for RX2 MIX2 INP1 ASoC: Failed to add route IIR2 -> IIR2 -> RX2 MIX2 INP1 Reported-by: Stephan Gerhold Signed-off-by: Srinivas Kandagatla Tested-by: Stephan Gerhold Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 416dbd0ea88e52bb52f8d52fbe03a7f03f3bf8b0 Author: Andrey Smirnov Date: Thu Oct 3 18:45:48 2019 -0700 ARM: dts: am3874-iceboard: Fix ‘i2c-mux-idle-disconnect’ usage [ Upstream commit 647c8977e111c0a62c93a489ebc4b045c833fdb4 ] According to Documentation/devicetree/bindings/i2c/i2c-mux-pca954x.txt, i2c-mux-idle-disconnect is a property of a parent node since it pertains to the mux/switch as a whole, so move it there and drop all of the concurrences in child nodes. Fixes: d031773169df (“ARM: dts: Adds device tree file for McGill’s IceBoard, based on TI AM3874”) Signed-off-by: Andrey Smirnov Cc: Benoît Cousson Cc: Tony Lindgren Cc: Graeme Smecher Cc: [email protected] Cc: [email protected] Cc: [email protected] Tested-by: Graeme Smecher Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit 4fb71c247367c61f7a87cdbd7ae05087200ff509 Author: Lucas Stach Date: Fri Sep 6 19:06:01 2019 +0200 arm64: dts: zii-ultra: fix ARM regulator states [ Upstream commit 21094ba5c1f4b15df096e8f6247a50b6ab57c869 ] The GPIO controlled regulator for the ARM power supply is supplying the higher voltage when the GPIO is driven high. This is opposite to the similar regulator setup on the EVK board and is impacting stability of the board as the ARM domain has been supplied with a too low voltage when to faster OPPs are in use. Fixes: 4a13b3bec3b4 (arm64: dts: imx: add Zii Ultra board support) Signed-off-by: Lucas Stach Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit b1b0e35ae28128ad119282de80811e6f6daae42a Author: Amelie Delaunay Date: Fri Oct 4 14:23:42 2019 +0200 pinctrl: stmfx: fix null pointer on remove [ Upstream commit 2fd215b8fdbe4d3a609adbe3a323696393cb1e53 ] dev_get_platdata(&pdev->dev) returns a pointer on struct stmfx_pinctrl, not on struct stmfx (platform_set_drvdata(pdev, pctl); in probe). Pointer on struct stmfx is stored in driver data of pdev parent (in probe: struct stmfx *stmfx = dev_get_drvdata(pdev->dev.parent);). Fixes: 1490d9f841b1 (“pinctrl: Add STMFX GPIO expander Pinctrl/GPIO driver”) Signed-off-by: Amelie Delaunay Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 19583b2f5a271f8d30a7aa6d5df920470ec203db Author: Dan Carpenter Date: Thu Sep 26 11:14:26 2019 +0300 pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable() [ Upstream commit 39b65fbb813089e366b376bd8acc300b6fd646dc ] The pinctrl->functions[] array has pinctrl->num_functions elements and the pinctrl->groups[] array is the same way. These are set in ns2_pinmux_probe(). So the > comparisons should be >= so that we don’t read one element beyond the end of the array. Fixes: b5aa1006e4a9 (“pinctrl: ns2: add pinmux driver support for Broadcom NS2 SoC”) Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20190926081426.GB2332@mwanda Acked-by: Scott Branden Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 640e6c2045281c3d8c2f721382d76679d90f0b16 Author: Soeren Moch Date: Thu Oct 3 23:50:35 2019 +0200 arm64: dts: rockchip: fix RockPro64 sdhci settings [ Upstream commit 2558b3b1b11a1b32b336be2dd0aabfa6d35ddcb5 ] The RockPro64 schematics [1], [2] show that the rk3399 EMMC_STRB pin is connected to the RESET pin instead of the DATA_STROBE pin of the eMMC module. So the data strobe cannot be used for its intended purpose on this board, and so the HS400 eMMC mode is not functional. Limit the controller to HS200. [1] http://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf [2] http://files.pine64.org/doc/rock64/PINE64_eMMC_Module_20170719.pdf Fixes: e4f3fb490967 (“arm64: dts: rockchip: add initial dts support for Rockpro64”) Signed-off-by: Soeren Moch Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit e48451ef7ae4f16930882fb3a8a041f185557100 Author: Soeren Moch Date: Thu Oct 3 23:50:34 2019 +0200 arm64: dts: rockchip: fix RockPro64 vdd-log regulator settings [ Upstream commit 0990c5e7573098117c69651821647c228483e31b ] The RockPro64 schematic [1] page 18 states a min voltage of 0.8V and a max voltage of 1.4V for the VDD_LOG pwm regulator. However, there is an additional note that the pwm parameter needs to be modified. From the schematics a voltage range of 0.8V to 1.7V can be calculated. Additional voltage measurements on the board show that this fix indeed leads to the correct voltage, while without this fix the voltage was set too high. [1] http://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf Fixes: e4f3fb490967 (“arm64: dts: rockchip: add initial dts support for Rockpro64”) Signed-off-by: Soeren Moch Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit f2c10703d9f937ee15b88b62264449bfa82bef59 Author: Adam Ford Date: Fri Aug 16 17:58:12 2019 -0500 ARM: dts: logicpd-torpedo-som: Remove twl_keypad [ Upstream commit 6b512b0ee091edcb8e46218894e4c917d919d3dc ] The TWL4030 used on the Logit PD Torpedo SOM does not have the keypad pins routed. This patch disables the twl_keypad driver to remove some splat during boot: twl4030_keypad 48070000.i2c:twl@48:keypad: missing or malformed property linux,keymap: -22 twl4030_keypad 48070000.i2c:twl@48:keypad: Failed to build keymap twl4030_keypad: probe of 48070000.i2c:twl@48:keypad failed with error -22 Signed-off-by: Adam Ford [[email protected]: removed error time stamps] Signed-off-by: Tony Lindgren Signed-off-by: Sasha Levin commit d442ad86b07f1ec590cbfc27b01fb0e9e0d4cb57 Author: Hugh Cole-Baker Date: Sat Sep 21 14:14:57 2019 +0100 arm64: dts: rockchip: fix Rockpro64 RK808 interrupt line [ Upstream commit deea9f5fc32040fd6f6132f2260ba410fb5cf98c ] Fix the pinctrl and interrupt specifier for RK808 to use GPIO3_B2. On the Rockpro64 schematic [1] page 16, it shows GPIO3_B2 used for the interrupt line PMIC_INT_L from the RK808, and there’s a note which translates as: "PMU termination GPIO1_C5 changed to this". Tested by setting an RTC wakealarm and checking /proc/interrupts counters. Without this patch, neither the rockchip_gpio_irq counter for the RK808, nor the RTC alarm counter increment when the alarm time is reached. With this patch, both interrupt counters increment by 1 as expected. [1] http://files.pine64.org/doc/rockpro64/rockpro64_v21-SCH.pdf Fixes: e4f3fb490967 (“arm64: dts: rockchip: add initial dts support for Rockpro64”) Signed-off-by: Hugh Cole-Baker Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit aebb7feb7bfcc1be45a8f10bb74b6ff3c938b532 Author: Robin Murphy Date: Wed Oct 2 16:30:37 2019 +0100 ASoc: rockchip: i2s: Fix RPM imbalance [ Upstream commit b1e620e7d32f5aad5353cc3cfc13ed99fea65d3a ] If rockchip_pcm_platform_register() fails, e.g. upon deferring to wait for an absent DMA channel, we return without disabling RPM, which makes subsequent re-probe attempts scream with errors about the unbalanced enable. Don’t do that. Fixes: ebb75c0bdba2 (“ASoC: rockchip: i2s: Adjust devm usage”) Signed-off-by: Robin Murphy Link: https://lore.kernel.org/r/bcb12a849a05437fb18372bc7536c649b94bdf07.1570029862.git.robin.murphy@arm.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 52977cc79d03be4ecbcfdab396504f30d300aa78 Author: Stuart Henderson Date: Wed Oct 2 09:42:40 2019 +0100 ASoC: wm_adsp: Don’t generate kcontrols without READ flags [ Upstream commit 3ae7359c0e39f42a96284d6798fc669acff38140 ] User space always expects to be able to read ALSA controls, so ensure no kcontrols are generated without an appropriate READ flag. In the case of a read of such a control zeros will be returned. Signed-off-by: Stuart Henderson Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dddc4339ebc5f6042cc174345d1954f6a2b1bd13 Author: Yizhuo Date: Sun Sep 29 10:09:57 2019 -0700 regulator: pfuze100-regulator: Variable “val” in pfuze100_regulator_probe() could be uninitialized [ Upstream commit 1252b283141f03c3dffd139292c862cae10e174d ] In function pfuze100_regulator_probe(), variable “val” could be initialized if regmap_read() fails. However, “val” is used to decide the control flow later in the if statement, which is potentially unsafe. Signed-off-by: Yizhuo Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 723d952c4ec1b3458bf2689b86e6402e1be1f04b Author: Jaska Uimonen Date: Fri Sep 27 15:14:05 2019 -0500 ASoC: intel: bytcr_rt5651: add null check to support_button_press [ Upstream commit 2bdf194e2030fce4f2e91300817338353414ab3b ] When removing sof module the support_button_press function will oops because hp_jack pointer is not checked for NULL. So add a check to fix this. Signed-off-by: Jaska Uimonen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 878b8cf18badccd46a21d2319d460f14f9cc1b6d Author: Jaska Uimonen Date: Fri Sep 27 15:14:08 2019 -0500 ASoC: intel: sof_rt5682: add remove function to disable jack [ Upstream commit 6ba5041c23c1062d4e8287b2b76a1181538c6df1 ] When removing sof module the rt5682 jack handler will oops if jack detection is not disabled. So add remove function, which disables the jack detection. Signed-off-by: Jaska Uimonen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ba704b50379ee8358179385c81facc28d96f117e Author: Jaska Uimonen Date: Fri Sep 27 15:14:07 2019 -0500 ASoC: rt5682: add NULL handler to set_jack function [ Upstream commit a315e76fc544f09daf619530a7b2f85865e6b25e ] Implement NULL handler in set_jack function to disable irq’s. Signed-off-by: Jaska Uimonen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fd5a1e812980ea20530c4943bebb6fb2dcdbb0f8 Author: Ranjani Sridharan Date: Fri Sep 27 15:05:38 2019 -0500 ASoC: SOF: Intel: hda: Disable DMI L1 entry during capture [ Upstream commit 43b2ab9009b13bfff47fcc1893de9244b39bdd54 ] There is a known issue on some Intel platforms which causes pause/release to run into xrun’s during capture usecases. The suggested workaround to address the issue is to disable the entry of lower power L1 state in the physical DMI link when there is a capture stream open. Signed-off-by: Ranjani Sridharan Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1049202aee8a3f7dbce63ff03178f75a20931c5c Author: Liam Girdwood Date: Fri Sep 27 15:05:36 2019 -0500 ASoC: SOF: Intel: initialise and verify FW crash dump data. [ Upstream commit ff2be865633e6fa523cd2db3b73197d795dec991 ] FW mailbox offset was not set before use and HDR size was not validated. Fix this. Signed-off-by: Liam Girdwood Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 93c7b11d528743cde1e74a922e1286f371ada393 Author: Kai Vehmanen Date: Fri Sep 27 15:05:35 2019 -0500 ASoC: SOF: Intel: hda: fix warnings during FW load [ Upstream commit 4ff5f6439fe69624e8f7d559915e9b54a6477684 ] The “snd_pcm_substream” handle was not initialized properly in hda-loader.c for firmware load. When the HDA DMAs were used to load the firmware, the interrupts related to firmware load also triggered calls to snd_sof_pcm_period_elapsed() on a non-existent ALSA PCM stream. This caused runtime kernel warnings from pcm_lib.c:snd_pcm_period_elapsed(). Signed-off-by: Kai Vehmanen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0d7eaf15bcca6077c4d2a12a19564762368a27f6 Author: Keyon Jie Date: Fri Sep 27 15:05:27 2019 -0500 ASoC: SOF: topology: fix parse fail issue for byte/bool tuple types [ Upstream commit 2e305a074061121220a2828f97a57d315cf8efba ] We are using sof_parse_word_tokens() to parse tokens with bool/byte/short/word tuple types, here add the missing check, to fix the parsing failure at byte/bool tuple types. Signed-off-by: Keyon Jie Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 635c4447c6192e2f454436f7dc66387f6e083dd1 Author: Pierre-Louis Bossart Date: Fri Sep 27 15:05:26 2019 -0500 ASoC: SOF: loader: fix kernel oops on firmware boot failure [ Upstream commit 798614885a0e1b867ceb0197c30c2d82575c73b0 ] When we fail to boot the firmware, we encounter a kernel oops in hda_dsp_get_registers(), which is called conditionally in hda_dsp_dump() when the sdev_>boot_complete flag is set. Setting this flag _after_ dumping the data fixes the issue and does not change the programming flow. Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8e84c2f5ac71550de5f1bce5bdc83ac9c9ca561f Author: Andy Shevchenko Date: Mon Sep 16 17:47:51 2019 +0300 pinctrl: intel: Allocate IRQ chip dynamic [ Upstream commit 57ff2df1b952c7934d7b0e1d3a2ec403ec76edec ] Keeping the IRQ chip definition static shares it with multiple instances of the GPIO chip in the system. This is bad and now we get this warning from GPIO library: “detected irqchip that is shared with multiple gpiochips: please fix the driver.” Hence, move the IRQ chip definition from being driver static into the struct intel_pinctrl. So a unique IRQ chip is used for each GPIO chip instance. Fixes: ee1a6ca43dba (“pinctrl: intel: Add Intel Broxton pin controller support”) Depends-on: 5ff56b015e85 (“pinctrl: intel: Disable GPIO pin interrupts in suspend”) Reported-by: Federico Ricchiuto Suggested-by: Mika Westerberg Signed-off-by: Andy Shevchenko Signed-off-by: Mika Westerberg Signed-off-by: Sasha Levin commit 25bab2a67b0a143c168ef2d3df2f212a31b601c8 Author: Axel Lin Date: Sun Sep 29 17:58:48 2019 +0800 regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone [ Upstream commit f64db548799e0330897c3203680c2ee795ade518 ] ti_abb_wait_txdone() may return -ETIMEDOUT when ti_abb_check_txdone() returns true in the latest iteration of the while loop because the timeout value is abb->settling_time + 1. Similarly, ti_abb_clear_all_txdone() may return -ETIMEDOUT when ti_abb_check_txdone() returns false in the latest iteration of the while loop. Fix it. Signed-off-by: Axel Lin Acked-by: Nishanth Menon Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8257fd24d14ec3d739c697d3e1a63c08ba74075e Author: Rayagonda Kokatanur Date: Mon Sep 9 14:05:27 2019 +0530 arm64: dts: Fix gpio to pinmux mapping [ Upstream commit 965f6603e3335a953f4f876792074cb36bf65f7f ] There are total of 151 non-secure gpio (0-150) and four pins of pinmux (91, 92, 93 and 94) are not mapped to any gpio pin, hence update same in DT. Fixes: 8aa428cc1e2e (“arm64: dts: Add pinctrl DT nodes for Stingray SOC”) Signed-off-by: Rayagonda Kokatanur Reviewed-by: Ray Jui Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 9bd52a4d7232cde9710c0c3b4af2aca4588a7aba Author: Jernej Skrabec Date: Sun Sep 29 10:52:59 2019 +0200 arm64: dts: allwinner: a64: sopine-baseboard: Add PHY regulator delay [ Upstream commit ccdf3aaa27ded6db9a93eed3ca7468bb2353b8fe ] It turns out that sopine-baseboard needs same fix as pine64-plus for ethernet PHY. Here too Realtek ethernet PHY chip needs additional power on delay to properly initialize. Datasheet mentions that chip needs 30 ms to be properly powered on and that it needs some more time to be initialized. Fix that by adding 100ms ramp delay to regulator responsible for powering PHY. Note that issue was found out and fix tested on pine64-lts, but it’s basically the same as sopine-baseboard, only layout and connectors differ. Fixes: bdfe4cebea11 (“arm64: allwinner: a64: add Ethernet PHY regulator for several boards”) Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit e6faa6886f73e6af1b2083a3e32dcb32773a4588 Author: Vasily Khoruzhick Date: Tue Aug 6 07:01:35 2019 -0700 arm64: dts: allwinner: a64: Drop PMU node [ Upstream commit ed3e9406bcbc32f84dc4aa4cb4767852e5ab086c ] Looks like PMU in A64 is broken, it generates no interrupts at all and as result ‘perf top’ shows no events. Tested on Pine64-LTS. Fixes: 34a97fcc71c2 (“arm64: dts: allwinner: a64: Add PMU node”) Cc: Harald Geyer Cc: Jared D. McNeill Signed-off-by: Vasily Khoruzhick Reviewed-by: Emmanuel Vadot Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 98d7f13298f1d3441f23bf1fd1f0dd2de6db9304 Author: Jernej Skrabec Date: Mon Sep 9 20:42:35 2019 +0200 arm64: dts: allwinner: a64: pine64-plus: Add PHY regulator delay [ Upstream commit 2511366797fa6ab4a404b4b000ef7cd262aaafe8 ] Depending on kernel and bootloader configuration, it’s possible that Realtek ethernet PHY isn’t powered on properly. According to the datasheet, it needs 30ms to power up and then some more time before it can be used. Fix that by adding 100ms ramp delay to regulator responsible for powering PHY. Fixes: 94dcfdc77fc5 (“arm64: allwinner: pine64-plus: Enable dwmac-sun8i”) Suggested-by: Ondrej Jirman Signed-off-by: Jernej Skrabec Signed-off-by: Maxime Ripard Signed-off-by: Sasha Levin commit 77be7f80ade39795d660fff9765b61179a01d746 Author: Dan Carpenter Date: Wed Sep 25 14:06:24 2019 +0300 ASoC: topology: Fix a signedness bug in soc_tplg_dapm_widget_create() [ Upstream commit 752c938a5c14b8cbf0ed3ffbfa637fb166255c3f ] The “template.id” variable is an enum and in this context GCC will treat it as an unsigned int so it can never be less than zero. Fixes: 8a9782346dcc (“ASoC: topology: Add topology core”) Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20190925110624.GR3264@mwanda Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1f2eeb1735f8edf6639a38c9cf94b564dcd6a0ea Author: Marco Felsch Date: Tue Sep 17 14:42:42 2019 +0200 regulator: da9062: fix suspend_enable/disable preparation [ Upstream commit a72865f057820ea9f57597915da4b651d65eb92f ] Currently the suspend reg_field maps to the pmic voltage selection bits and is used during suspend_enabe/disable() and during get_mode(). This seems to be wrong for both use cases. Use case one (suspend_enabe/disable): Those callbacks are used to mark a regulator device as enabled/disabled during suspend. Marking the regulator enabled during suspend is done by the LDOx_CONF/BUCKx_CONF bit within the LDOx_CONT/BUCKx_CONT registers. Setting this bit tells the DA9062 PMIC state machine to keep the regulator on in POWERDOWN mode and switch to suspend voltage. Use case two (get_mode): The get_mode callback is used to retrieve the active mode state. Since the regulator-setting-A is used for the active state and regulator-setting-B for the suspend state there is no need to check which regulator setting is active. Fixes: 4068e5182ada (“regulator: da9062: DA9062 regulator driver”) Signed-off-by: Marco Felsch Reviewed-by: Adam Thomson Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2a19b8e4a07ec796a7632969d32b9f79a284e087 Author: Sylwester Nawrocki Date: Fri Sep 20 15:02:10 2019 +0200 ASoC: wm8994: Do not register inapplicable controls for WM1811 [ Upstream commit ca2347190adb5e4eece73a2b16e96e651c46246b ] In case of WM1811 device there are currently being registered controls referring to registers not existing on that device. It has been noticed when getting values of "AIF1ADC2 Volume", “AIF1DAC2 Volume” controls was failing during ALSA state restoring at boot time: “amixer: Mixer hw:0 load error: Device or resource busy” Reading some registers through I2C was failing with EBUSY error and indeed these registers were not available according to the datasheet. To fix this controls not available on WM1811 are moved to a separate array and registered only for WM8994 and WM8958. There are some further differences between WM8994 and WM1811, e.g. registers 603h, 604h, 605h, which are not covered in this patch. Acked-by: Charles Keepax Acked-by: Krzysztof Kozlowski Signed-off-by: Sylwester Nawrocki Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b0c42336049954e9a3ac82f43033c8b13103ac60 Author: Sylwester Nawrocki Date: Fri Sep 20 15:02:11 2019 +0200 ASoC: samsung: arndale: Add missing OF node dereferencing [ Upstream commit fb629fa2587d0c150792d87e3053664bfc8dc78c ] Ensure there is no OF node references kept when the driver is removed/unbound. Reviewed-by: Charles Keepax Signed-off-by: Sylwester Nawrocki Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 60b66c206adb19771b66860561d299ca5d6a14aa Author: Marco Felsch Date: Tue Sep 17 17:40:20 2019 +0200 regulator: of: fix suspend-min/max-voltage parsing [ Upstream commit 131cb1210d4b58acb0695707dad2eb90dcb50a2a ] Currently the regulator-suspend-min/max-microvolt must be within the root regulator node but the dt-bindings specifies it as subnode properties for the regulator-state-[mem/disk/standby] node. The only DT using this bindings currently is the at91-sama5d2_xplained.dts and this DT uses it correctly. I don’t know if it isn’t tested but it can’t work without this fix. Fixes: f7efad10b5c4 (“regulator: add PM suspend and resume hooks”) Signed-off-by: Marco Felsch Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Mark Brown Signed-off-by: Sasha Levin

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907