1. 08 Sep, 2020 3 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: coalesce multiple notifications into one skbuff · 67cc570e
      Pablo Neira Ayuso authored
      On x86_64, each notification results in one skbuff allocation which
      consumes at least 768 bytes due to the skbuff overhead.
      
      This patch coalesces several notifications into one single skbuff, so
      each notification consumes at least ~211 bytes, that ~3.5 times less
      memory consumption. As a result, this is reducing the chances to exhaust
      the netlink socket receive buffer.
      
      Rule of thumb is that each notification batch only contains netlink
      messages whose report flag is the same, nfnetlink_send() requires this
      to do appropriate delivery to userspace, either via unicast (echo
      mode) or multicast (monitor mode).
      
      The skbuff control buffer is used to annotate the report flag for later
      handling at the new coalescing routine.
      
      The batch skbuff notification size is NLMSG_GOODSIZE, using a larger
      skbuff would allow for more socket receiver buffer savings (to amortize
      the cost of the skbuff even more), however, going over that size might
      break userspace applications, so let's be conservative and stick to
      NLMSG_GOODSIZE.
      Reported-by: default avatarPhil Sutter <phil@nwl.cc>
      Acked-by: default avatarPhil Sutter <phil@nwl.cc>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      67cc570e
    • Will McVicker's avatar
      netfilter: ctnetlink: add a range check for l3/l4 protonum · 1cc5ef91
      Will McVicker authored
      The indexes to the nf_nat_l[34]protos arrays come from userspace. So
      check the tuple's family, e.g. l3num, when creating the conntrack in
      order to prevent an OOB memory access during setup.  Here is an example
      kernel panic on 4.14.180 when userspace passes in an index greater than
      NFPROTO_NUMPROTO.
      
      Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
      Modules linked in:...
      Process poc (pid: 5614, stack limit = 0x00000000a3933121)
      CPU: 4 PID: 5614 Comm: poc Tainted: G S      W  O    4.14.180-g051355490483
      Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM
      task: 000000002a3dfffe task.stack: 00000000a3933121
      pc : __cfi_check_fail+0x1c/0x24
      lr : __cfi_check_fail+0x1c/0x24
      ...
      Call trace:
      __cfi_check_fail+0x1c/0x24
      name_to_dev_t+0x0/0x468
      nfnetlink_parse_nat_setup+0x234/0x258
      ctnetlink_parse_nat_setup+0x4c/0x228
      ctnetlink_new_conntrack+0x590/0xc40
      nfnetlink_rcv_msg+0x31c/0x4d4
      netlink_rcv_skb+0x100/0x184
      nfnetlink_rcv+0xf4/0x180
      netlink_unicast+0x360/0x770
      netlink_sendmsg+0x5a0/0x6a4
      ___sys_sendmsg+0x314/0x46c
      SyS_sendmsg+0xb4/0x108
      el0_svc_naked+0x34/0x38
      
      This crash is not happening since 5.4+, however, ctnetlink still
      allows for creating entries with unsupported layer 3 protocol number.
      
      Fixes: c1d10adb ("[NETFILTER]: Add ctnetlink port for nf_conntrack")
      Signed-off-by: default avatarWill McVicker <willmcvicker@google.com>
      [pablo@netfilter.org: rebased original patch on top of nf.git]
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1cc5ef91
    • Dexuan Cui's avatar
      hv_netvsc: Fix hibernation for mlx5 VF driver · 19162fd4
      Dexuan Cui authored
      mlx5_suspend()/resume() keep the network interface, so during hibernation
      netvsc_unregister_vf() and netvsc_register_vf() are not called, and hence
      netvsc_resume() should call netvsc_vf_changed() to switch the data path
      back to the VF after hibernation. Note: after we close and re-open the
      vmbus channel of the netvsc NIC in netvsc_suspend() and netvsc_resume(),
      the data path is implicitly switched to the netvsc NIC. Similarly,
      netvsc_suspend() should not call netvsc_unregister_vf(), otherwise the VF
      can no longer be used after hibernation.
      
      For mlx4, since the VF network interafce is explicitly destroyed and
      re-created during hibernation (see mlx4_suspend()/resume()), hv_netvsc
      already explicitly switches the data path from and to the VF automatically
      via netvsc_register_vf() and netvsc_unregister_vf(), so mlx4 doesn't need
      this fix. Note: mlx4 can still work with the fix because in
      netvsc_suspend()/resume() ndev_ctx->vf_netdev is NULL for mlx4.
      
      Fixes: 0efeea5f ("hv_netvsc: Add the support of hibernation")
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      19162fd4
  2. 07 Sep, 2020 7 commits
    • Taehee Yoo's avatar
      Revert "netns: don't disable BHs when locking "nsid_lock"" · e1f469cd
      Taehee Yoo authored
      This reverts commit 8d7e5dee.
      
      To protect netns id, the nsid_lock is used when netns id is being
      allocated and removed by peernet2id_alloc() and unhash_nsid().
      The nsid_lock can be used in BH context but only spin_lock() is used
      in this code.
      Using spin_lock() instead of spin_lock_bh() can result in a deadlock in
      the following scenario reported by the lockdep.
      In order to avoid a deadlock, the spin_lock_bh() should be used instead
      of spin_lock() to acquire nsid_lock.
      
      Test commands:
          ip netns del nst
          ip netns add nst
          ip link add veth1 type veth peer name veth2
          ip link set veth1 netns nst
          ip netns exec nst ip link add name br1 type bridge vlan_filtering 1
          ip netns exec nst ip link set dev br1 up
          ip netns exec nst ip link set dev veth1 master br1
          ip netns exec nst ip link set dev veth1 up
          ip netns exec nst ip link add macvlan0 link br1 up type macvlan
      
      Splat looks like:
      [   33.615860][  T607] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
      [   33.617194][  T607] 5.9.0-rc1+ #665 Not tainted
      [ ... ]
      [   33.670615][  T607] Chain exists of:
      [   33.670615][  T607]   &mc->mca_lock --> &bridge_netdev_addr_lock_key --> &net->nsid_lock
      [   33.670615][  T607]
      [   33.673118][  T607]  Possible interrupt unsafe locking scenario:
      [   33.673118][  T607]
      [   33.674599][  T607]        CPU0                    CPU1
      [   33.675557][  T607]        ----                    ----
      [   33.676516][  T607]   lock(&net->nsid_lock);
      [   33.677306][  T607]                                local_irq_disable();
      [   33.678517][  T607]                                lock(&mc->mca_lock);
      [   33.679725][  T607]                                lock(&bridge_netdev_addr_lock_key);
      [   33.681166][  T607]   <Interrupt>
      [   33.681791][  T607]     lock(&mc->mca_lock);
      [   33.682579][  T607]
      [   33.682579][  T607]  *** DEADLOCK ***
      [ ... ]
      [   33.922046][  T607] stack backtrace:
      [   33.922999][  T607] CPU: 3 PID: 607 Comm: ip Not tainted 5.9.0-rc1+ #665
      [   33.924099][  T607] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      [   33.925714][  T607] Call Trace:
      [   33.926238][  T607]  dump_stack+0x78/0xab
      [   33.926905][  T607]  check_irq_usage+0x70b/0x720
      [   33.927708][  T607]  ? iterate_chain_key+0x60/0x60
      [   33.928507][  T607]  ? check_path+0x22/0x40
      [   33.929201][  T607]  ? check_noncircular+0xcf/0x180
      [   33.930024][  T607]  ? __lock_acquire+0x1952/0x1f20
      [   33.930860][  T607]  __lock_acquire+0x1952/0x1f20
      [   33.931667][  T607]  lock_acquire+0xaf/0x3a0
      [   33.932366][  T607]  ? peernet2id_alloc+0x3a/0x170
      [   33.933147][  T607]  ? br_port_fill_attrs+0x54c/0x6b0 [bridge]
      [   33.934140][  T607]  ? br_port_fill_attrs+0x5de/0x6b0 [bridge]
      [   33.935113][  T607]  ? kvm_sched_clock_read+0x14/0x30
      [   33.935974][  T607]  _raw_spin_lock+0x30/0x70
      [   33.936728][  T607]  ? peernet2id_alloc+0x3a/0x170
      [   33.937523][  T607]  peernet2id_alloc+0x3a/0x170
      [   33.938313][  T607]  rtnl_fill_ifinfo+0xb5e/0x1400
      [   33.939091][  T607]  rtmsg_ifinfo_build_skb+0x8a/0xf0
      [   33.939953][  T607]  rtmsg_ifinfo_event.part.39+0x17/0x50
      [   33.940863][  T607]  rtmsg_ifinfo+0x1f/0x30
      [   33.941571][  T607]  __dev_notify_flags+0xa5/0xf0
      [   33.942376][  T607]  ? __irq_work_queue_local+0x49/0x50
      [   33.943249][  T607]  ? irq_work_queue+0x1d/0x30
      [   33.943993][  T607]  ? __dev_set_promiscuity+0x7b/0x1a0
      [   33.944878][  T607]  __dev_set_promiscuity+0x7b/0x1a0
      [   33.945758][  T607]  dev_set_promiscuity+0x1e/0x50
      [   33.946582][  T607]  br_port_set_promisc+0x1f/0x40 [bridge]
      [   33.947487][  T607]  br_manage_promisc+0x8b/0xe0 [bridge]
      [   33.948388][  T607]  __dev_set_promiscuity+0x123/0x1a0
      [   33.949244][  T607]  __dev_set_rx_mode+0x68/0x90
      [   33.950021][  T607]  dev_uc_add+0x50/0x60
      [   33.950720][  T607]  macvlan_open+0x18e/0x1f0 [macvlan]
      [   33.951601][  T607]  __dev_open+0xd6/0x170
      [   33.952269][  T607]  __dev_change_flags+0x181/0x1d0
      [   33.953056][  T607]  rtnl_configure_link+0x2f/0xa0
      [   33.953884][  T607]  __rtnl_newlink+0x6b9/0x8e0
      [   33.954665][  T607]  ? __lock_acquire+0x95d/0x1f20
      [   33.955450][  T607]  ? lock_acquire+0xaf/0x3a0
      [   33.956193][  T607]  ? is_bpf_text_address+0x5/0xe0
      [   33.956999][  T607]  rtnl_newlink+0x47/0x70
      Acked-by: default avatarGuillaume Nault <gnault@redhat.com>
      Fixes: 8d7e5dee ("netns: don't disable BHs when locking "nsid_lock"")
      Reported-by: syzbot+3f960c64a104eaa2c813@syzkaller.appspotmail.com
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e1f469cd
    • Jakub Kicinski's avatar
      ibmvnic: add missing parenthesis in do_reset() · 8ae4dff8
      Jakub Kicinski authored
      Indentation and logic clearly show that this code is missing
      parenthesis.
      
      Fixes: 9f134573 ("ibmvnic fix NULL tx_pools and rx_tools issue at do_reset")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      8ae4dff8
    • Randy Dunlap's avatar
      netdevice.h: fix xdp_state kernel-doc warning · ffa59b0b
      Randy Dunlap authored
      Fix kernel-doc warning in <linux/netdevice.h>:
      
      ../include/linux/netdevice.h:2158: warning: Function parameter or member 'xdp_state' not described in 'net_device'
      
      Fixes: 7f0a8382 ("bpf, xdp: Maintain info on attached XDP BPF programs in net_device")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Andrii Nakryiko <andriin@fb.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ffa59b0b
    • Randy Dunlap's avatar
      netdevice.h: fix proto_down_reason kernel-doc warning · eb02d39a
      Randy Dunlap authored
      Fix kernel-doc warning in <linux/netdevice.h>:
      
      ../include/linux/netdevice.h:2158: warning: Function parameter or member 'proto_down_reason' not described in 'net_device'
      
      Fixes: 829eb208 ("rtnetlink: add support for protodown reason")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      eb02d39a
    • Jakub Kicinski's avatar
      Merge branch 'bnxt_en-Two-bug-fixes' · 72bbee2a
      Jakub Kicinski authored
      Michael Chan says:
      
      ====================
      bnxt_en: Two bug fixes.
      
      The first patch fixes AER recovery by reducing the time from several
      minutes to a more reasonable 20 - 30 seconds.  The second patch fixes
      a possible NULL pointer crash during firmware reset.
      ====================
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      72bbee2a
    • Vasundhara Volam's avatar
      bnxt_en: Fix NULL ptr dereference crash in bnxt_fw_reset_task() · b16939b5
      Vasundhara Volam authored
      bnxt_fw_reset_task() which runs from a workqueue can race with
      bnxt_remove_one().  For example, if firmware reset and VF FLR are
      happening at about the same time.
      
      bnxt_remove_one() already cancels the workqueue and waits for it
      to finish, but we need to do this earlier before the devlink
      reporters are destroyed.  This will guarantee that
      the devlink reporters will always be valid when bnxt_fw_reset_task()
      is still running.
      
      Fixes: b148bb23 ("bnxt_en: Fix possible crash in bnxt_fw_reset_task().")
      Reviewed-by: default avatarEdwin Peer <edwin.peer@broadcom.com>
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b16939b5
    • Vasundhara Volam's avatar
      bnxt_en: Avoid sending firmware messages when AER error is detected. · b340dc68
      Vasundhara Volam authored
      When the driver goes through PCIe AER reset in error state, all
      firmware messages will timeout because the PCIe bus is no longer
      accessible.  This can lead to AER reset taking many minutes to
      complete as each firmware command takes time to timeout.
      
      Define a new macro BNXT_NO_FW_ACCESS() to skip these firmware messages
      when either firmware is in fatal error state or when
      pci_channel_offline() is true.  It now takes a more reasonable 20 to
      30 seconds to complete AER recovery.
      
      Fixes: b4fff207 ("bnxt_en: Do not send firmware messages if firmware is in error state.")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      b340dc68
  3. 06 Sep, 2020 2 commits
  4. 05 Sep, 2020 7 commits
  5. 04 Sep, 2020 21 commits
    • Linus Torvalds's avatar
      Merge tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · c70672d8
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix GENERIC_LOCKBREAK dependency on PREEMPTION in Kconfig broken
         because of a typo
      
       - Update defconfigs
      
      * tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig
      c70672d8
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 09274aed
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Fix the loading of modules built with binutils-2.35. This version
         produces writable and executable .text.ftrace_trampoline section
         which is rejected by the kernel.
      
       - Remove the exporting of cpu_logical_map() as the Tegra driver has now
         been fixed and no longer uses this function.
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/module: set trampoline section flags regardless of CONFIG_DYNAMIC_FTRACE
        arm64: Remove exporting cpu_logical_map symbol
      09274aed
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 16bf121b
      Linus Torvalds authored
      Pull MIPS fixes from Thomas Bogendoerfer:
       "A few MIPS fixes:
      
         - fallthrough fallout fix
      
         - BMIPS fixes
      
         - MSA fix to avoid leaking MSA register contents
      
         - Loongson perf and cpu feature fix
      
         - SNI interrupt fix"
      
      * tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: SNI: Fix SCSI interrupt
        MIPS: add missing MSACSR and upper MSA initialization
        MIPS: perf: Fix wrong check condition of Loongson event IDs
        mips/oprofile: Fix fallthrough placement
        MIPS: Loongson64: Remove unnecessary inclusion of boot_param.h
        MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
        MIPS: mm: BMIPS5000 has inclusive physical caches
        MIPS: Loongson64: Do not override watch and ejtag feature
      16bf121b
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.9-2' of... · 41bef91c
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - fix documents
      
       - fix warning in 'make localmodconfig'
      
      * tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig: remove redundant assignment prompt = prompt
        kbuild: Documentation: clean up makefiles.rst
        kconfig: streamline_config.pl: check defined(ENV variable) before using it
        Documentation/llvm: Improve formatting of commands, variables, and arguments
      41bef91c
    • Linus Torvalds's avatar
      Merge tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f162626a
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix reference counting in the operating performance points (OPP)
        framework and address a few intel_pstate driver issues, mostly related
        to switching driver operation modes and similar with hardware-managed
        P-states (HWP) enabled.
      
        Specifics:
      
         - Fix reference counting of operating performance points (OPP) tables
           (Viresh Kumar).
      
         - Address intel_pstate driver interface issues, mostly related to
           switching operation modes and handling CPU offline and online and
           system-wide suspend/resume with hardware-managed P-states (HWP)
           enabled (Rafael Wysocki).
      
         - Fix the maximum frequency computation in the intel_pstate driver
           with turbo P-states disabled by the platform firmware and HWP
           enabled (Francisco Jerez)"
      
      * tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
        opp: Don't drop reference for an OPP table that was never parsed
      f162626a
    • Linus Torvalds's avatar
      Merge tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d824e080
      Linus Torvalds authored
      Pull libata fixes from Jens Axboe:
      
       - improve Sandisks ATA_HORKAGE on NCQ (Tejun)
      
       - link printk cleanup (Xu)
      
      * tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
        ata: ahci: use ata_link_info() instead of ata_link_printk()
      d824e080
    • Linus Torvalds's avatar
      Merge tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block · 8075fc3b
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A bit larger than usual this week, mostly due to the NVMe fixes
        arriving late for -rc3 and hence didn't make last weeks pull request.
      
         - NVMe:
              - instance leak and io boundary fixes from Keith
              - fc locking fix from Christophe
              - various tcp/rdma reset during traffic fixes from Sagi
              - pci use-after-free fix from Tong
              - tcp target null deref fix from Ziye
      
         - Locking fix for partition removal (Christoph)
      
         - Ensure bdi->io_pages is always set (me)
      
         - Fixup for hd struct reference (Ming)
      
         - Fix for zero length bvecs (Ming)
      
         - Two small blk-iocost fixes (Tejun)"
      
      * tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        block: allow for_each_bvec to support zero len bvec
        blk-stat: make q->stats->lock irqsafe
        blk-iocost: ioc_pd_free() shouldn't assume irq disabled
        block: fix locking in bdev_del_partition
        block: release disk reference in hd_struct_free_work
        block: ensure bdi->io_pages is always initialized
        nvme-pci: cancel nvme device request before disabling
        nvme: only use power of two io boundaries
        nvme: fix controller instance leak
        nvmet-fc: Fix a missed _irqsave version of spin_lock in 'nvmet_fc_fod_op_done()'
        nvme: Fix NULL dereference for pci nvme controllers
        nvme-rdma: fix reset hang if controller died in the middle of a reset
        nvme-rdma: fix timeout handler
        nvme-rdma: serialize controller teardown sequences
        nvme-tcp: fix reset hang if controller died in the middle of a reset
        nvme-tcp: fix timeout handler
        nvme-tcp: serialize controller teardown sequences
        nvme: have nvme_wait_freeze_timeout return if it timed out
        nvme-fabrics: don't check state NVME_CTRL_NEW for request acceptance
        nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu
      8075fc3b
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d849ca48
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - EAGAIN with O_NONBLOCK retry fix
      
       - Two small fixes for registered files (Jiufei)
      
      * tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        io_uring: no read/write-retry on -EAGAIN error and O_NONBLOCK marked file
        io_uring: set table->files[i] to NULL when io_sqe_file_register failed
        io_uring: fix removing the wrong file in __io_sqe_files_update()
      d849ca48
    • Linus Torvalds's avatar
      Merge tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux · 2fb54791
      Linus Torvalds authored
      Pull thermal fixes from Daniel Lezcano:
      
       - Fix bogus thermal shutdowns for omap4430 where bogus values resulting
         from an incorrect ADC conversion are too high and fire an emergency
         shutdown (Tony Lindgren)
      
       - Don't suppress negative temp for qcom spmi as they are valid and
         userspace needs them (Veera Vegivada)
      
       - Fix use-after-free in thermal_zone_device_unregister reported by
         Kasan (Dmitry Osipenko)
      
      * tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux:
        thermal: core: Fix use-after-free in thermal_zone_device_unregister()
        thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
        thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
      2fb54791
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · e2dacf6c
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "A couple of core fixes and odd driver fixes for dmaengine subsystem:
      
        Core:
         - drop ACPI CSRT table reference after using it
         - fix of_dma_router_xlate() error handling
      
        Drivers fixes in idxd, at_hdmac, pl330, dw-edma and jz478"
      
      * tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
        dmaengine: ti: k3-udma: Update rchan_oes_offset for am654 SYSFW ABI 3.0
        drivers/dma/dma-jz4780: Fix race condition between probe and irq handler
        dmaengine: dw-edma: Fix scatter-gather address calculation
        dmaengine: ti: k3-udma: Fix the TR initialization for prep_slave_sg
        dmaengine: pl330: Fix burst length if burst size is smaller than bus width
        dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate()
        dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()
        dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate()
        dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
        dmaengine: idxd: reset states after device disable or reset
        dmaengine: acpi: Put the CSRT table after using it
      e2dacf6c
    • Linus Torvalds's avatar
      Merge tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 86edf52e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small changes, nothing intrusive:
      
         - remaining tasklet API conversions, now all sound stuff have been
           converted
      
         - a few HD-audio and USB-audio quirks and minor fixes
      
         - FireWire Tascam and Digi00xx fixes
      
         - drop a kernel WARNING from PCM OSS for syzkaller"
      
      * tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (29 commits)
        ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen
        ALSA: hda: use consistent HDAudio spelling in comments/docs
        ALSA: hda: add dev_dbg log when driver is not selected
        ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled
        ALSA: hda: hdmi - add Rocketlake support
        ALSA: ua101: convert tasklets to use new tasklet_setup() API
        ALSA: usb-audio: convert tasklets to use new tasklet_setup() API
        ASoC: txx9: convert tasklets to use new tasklet_setup() API
        ASoC: siu: convert tasklets to use new tasklet_setup() API
        ASoC: fsl_esai: convert tasklets to use new tasklet_setup() API
        ALSA: hdsp: convert tasklets to use new tasklet_setup() API
        ALSA: riptide: convert tasklets to use new tasklet_setup() API
        ALSA: pci/asihpi: convert tasklets to use new tasklet_setup() API
        ALSA: firewire: convert tasklets to use new tasklet_setup() API
        ALSA: core: convert tasklets to use new tasklet_setup() API
        ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
        ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO
        ALSA: hda/hdmi: always check pin power status in i915 pin fixup
        ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A
        ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2
        ...
      86edf52e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm · cf85f5de
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Not much going on this week, nouveau has a display hw bug workaround,
        amdgpu has some PM fixes and CIK regression fixes, one single radeon
        PLL fix, and a couple of i915 display fixes.
      
        amdgpu:
         - Fix for 32bit systems
         - SW CTF fix
         - Update for Sienna Cichlid
         - CIK bug fixes
      
        radeon:
         - PLL fix
      
        i915:
         - Clang build warning fix
         - HDCP fixes
      
        nouveau:
         - display fixes"
      
      * tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau/kms/nv50-gp1xx: add WAR for EVO push buffer HW bug
        drm/nouveau/kms/nv50-gp1xx: disable notifies again after core update
        drm/nouveau/kms/nv50-: add some whitespace before debug message
        drm/nouveau/kms/gv100-: Include correct push header in crcc37d.c
        drm/radeon: Prefer lower feedback dividers
        drm/amdgpu: Fix bug in reporting voltage for CIK
        drm/amdgpu: Specify get_argument function for ci_smu_funcs
        drm/amd/pm: enable MP0 DPM for sienna_cichlid
        drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting
        drm/amd/pm: fix is_dpm_running() run error on 32bit system
        drm/i915: Clear the repeater bit on HDCP disable
        drm/i915: Fix sha_text population code
        drm/i915/display: Ensure that ret is always initialized in icl_combo_phy_verify_state
      cf85f5de
    • Or Cohen's avatar
      net/packet: fix overflow in tpacket_rcv · acf69c94
      Or Cohen authored
      Using tp_reserve to calculate netoff can overflow as
      tp_reserve is unsigned int and netoff is unsigned short.
      
      This may lead to macoff receving a smaller value then
      sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
      is set, an out-of-bounds write will occur when
      calling virtio_net_hdr_from_skb.
      
      The bug is fixed by converting netoff to unsigned int
      and checking if it exceeds USHRT_MAX.
      
      This addresses CVE-2020-14386
      
      Fixes: 8913336a ("packet: add PACKET_RESERVE sockopt")
      Signed-off-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      acf69c94
    • Linus Torvalds's avatar
      Merge branch 'simplify-do_wp_page' · b25d1dc9
      Linus Torvalds authored
      Merge emailed patches from Peter Xu:
       "This is a small series that I picked up from Linus's suggestion to
        simplify cow handling (and also make it more strict) by checking
        against page refcounts rather than mapcounts.
      
        This makes uffd-wp work again (verified by running upmapsort)"
      
      Note: this is horrendously bad timing, and making this kind of
      fundamental vm change after -rc3 is not at all how things should work.
      The saving grace is that it really is a a nice simplification:
      
       8 files changed, 29 insertions(+), 120 deletions(-)
      
      The reason for the bad timing is that it turns out that commit
      17839856 ("gup: document and work around 'COW can break either way'
      issue" broke not just UFFD functionality (as Peter noticed), but Mikulas
      Patocka also reports that it caused issues for strace when running in a
      DAX environment with ext4 on a persistent memory setup.
      
      And we can't just revert that commit without re-introducing the original
      issue that is a potential security hole, so making COW stricter (and in
      the process much simpler) is a step to then undoing the forced COW that
      broke other uses.
      
      Link: https://lore.kernel.org/lkml/alpine.LRH.2.02.2009031328040.6929@file01.intranet.prod.int.rdu2.redhat.com/
      
      * emailed patches from Peter Xu <peterx@redhat.com>:
        mm: Add PGREUSE counter
        mm/gup: Remove enfornced COW mechanism
        mm/ksm: Remove reuse_ksm_page()
        mm: do_wp_page() simplification
      b25d1dc9
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-cpufreq' · f7ce2c3a
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
      f7ce2c3a
    • Peter Xu's avatar
      mm: Add PGREUSE counter · 798a6b87
      Peter Xu authored
      This accounts for wp_page_reuse() case, where we reused a page for COW.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      798a6b87
    • Peter Xu's avatar
      mm/gup: Remove enfornced COW mechanism · a308c71b
      Peter Xu authored
      With the more strict (but greatly simplified) page reuse logic in
      do_wp_page(), we can safely go back to the world where cow is not
      enforced with writes.
      
      This essentially reverts commit 17839856 ("gup: document and work
      around 'COW can break either way' issue").  There are some context
      differences due to some changes later on around it:
      
        2170ecfa ("drm/i915: convert get_user_pages() --> pin_user_pages()", 2020-06-03)
        376a34ef ("mm/gup: refactor and de-duplicate gup_fast() code", 2020-06-03)
      
      Some lines moved back and forth with those, but this revert patch should
      have striped out and covered all the enforced cow bits anyways.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a308c71b
    • Peter Xu's avatar
      mm/ksm: Remove reuse_ksm_page() · 1a0cf263
      Peter Xu authored
      Remove the function as the last reference has gone away with the do_wp_page()
      changes.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1a0cf263
    • Linus Torvalds's avatar
      mm: do_wp_page() simplification · 09854ba9
      Linus Torvalds authored
      How about we just make sure we're the only possible valid user fo the
      page before we bother to reuse it?
      
      Simplify, simplify, simplify.
      
      And get rid of the nasty serialization on the page lock at the same time.
      
      [peterx: add subject prefix]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      09854ba9
    • Leon Romanovsky's avatar
      gcov: Disable gcov build with GCC 10 · cfc905f1
      Leon Romanovsky authored
      GCOV built with GCC 10 doesn't initialize n_function variable.  This
      produces different kernel panics as was seen by Colin in Ubuntu and me
      in FC 32.
      
      As a workaround, let's disable GCOV build for broken GCC 10 version.
      
      Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1891288
      Link: https://lore.kernel.org/lkml/20200827133932.3338519-1-leon@kernel.org
      Link: https://lore.kernel.org/lkml/CAHk-=whbijeSdSvx-Xcr0DPMj0BiwhJ+uiNnDSVZcr_h_kg7UA@mail.gmail.com/
      Cc: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cfc905f1
    • Barret Rhoden's avatar
      init: fix error check in clean_path() · 7b81ce7c
      Barret Rhoden authored
      init_stat() returns 0 on success, same as vfs_lstat().  When it replaced
      vfs_lstat(), the '!' was dropped.
      
      Fixes: 716308a5 ("init: add an init_stat helper")
      Signed-off-by: default avatarBarret Rhoden <brho@google.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7b81ce7c