1. 22 Jun, 2020 40 commits
    • YuanJunQing's avatar
      MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() · dfb3dbf0
      YuanJunQing authored
      [ Upstream commit 31e1b3ef ]
      
      Register "a1" is unsaved in this function,
       when CONFIG_TRACE_IRQFLAGS is enabled,
       the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
       and this may change register "a1".
       The changed register "a1" as argument will be send
       to do_fpe() and do_msa_fpe().
      Signed-off-by: default avatarYuanJunQing <yuanjunqing66@163.com>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfb3dbf0
    • Jiaxun Yang's avatar
      PCI: Don't disable decoding when mmio_always_on is set · 40a94a1a
      Jiaxun Yang authored
      [ Upstream commit b6caa1d8 ]
      
      Don't disable MEM/IO decoding when a device have both non_compliant_bars
      and mmio_always_on.
      
      That would allow us quirk devices with junk in BARs but can't disable
      their decoding.
      Signed-off-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Acked-by: default avatarBjorn Helgaas <helgaas@kernel.org>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      40a94a1a
    • Alexander Sverdlin's avatar
      macvlan: Skip loopback packets in RX handler · 133b3d24
      Alexander Sverdlin authored
      [ Upstream commit 81f3dc93 ]
      
      Ignore loopback-originatig packets soon enough and don't try to process L2
      header where it doesn't exist. The very similar br_handle_frame() in bridge
      code performs exactly the same check.
      
      This is an example of such ICMPv6 packet:
      
      skb len=96 headroom=40 headlen=96 tailroom=56
      mac=(40,0) net=(40,40) trans=80
      shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
      csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
      hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
      dev name=etha01.212 feat=0x0x0000000040005000
      skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
      skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
      skb headroom: 00000020: 02 40 43 80 00 00 86 dd
      skb linear:   00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
      skb linear:   00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
      skb linear:   00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
      skb linear:   00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
      skb linear:   00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
      skb linear:   00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
      skb tailroom: 00000000: ...
      skb tailroom: 00000010: ...
      skb tailroom: 00000020: ...
      skb tailroom: 00000030: ...
      
      Call Trace, how it happens exactly:
       ...
       macvlan_handle_frame+0x321/0x425 [macvlan]
       ? macvlan_forward_source+0x110/0x110 [macvlan]
       __netif_receive_skb_core+0x545/0xda0
       ? enqueue_task_fair+0xe5/0x8e0
       ? __netif_receive_skb_one_core+0x36/0x70
       __netif_receive_skb_one_core+0x36/0x70
       process_backlog+0x97/0x140
       net_rx_action+0x1eb/0x350
       ? __hrtimer_run_queues+0x136/0x2e0
       __do_softirq+0xe3/0x383
       do_softirq_own_stack+0x2a/0x40
       </IRQ>
       do_softirq.part.4+0x4e/0x50
       netif_rx_ni+0x60/0xd0
       dev_loopback_xmit+0x83/0xf0
       ip6_finish_output2+0x575/0x590 [ipv6]
       ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
       ? __ip6_make_skb+0x38d/0x680 [ipv6]
       ? ip6_output+0x6c/0x140 [ipv6]
       ip6_output+0x6c/0x140 [ipv6]
       ip6_send_skb+0x1e/0x60 [ipv6]
       rawv6_sendmsg+0xc4b/0xe10 [ipv6]
       ? proc_put_long+0xd0/0xd0
       ? rw_copy_check_uvector+0x4e/0x110
       ? sock_sendmsg+0x36/0x40
       sock_sendmsg+0x36/0x40
       ___sys_sendmsg+0x2b6/0x2d0
       ? proc_dointvec+0x23/0x30
       ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
       ? dev_forward_change+0x130/0x130 [ipv6]
       ? _raw_spin_unlock+0x12/0x30
       ? proc_sys_call_handler.isra.14+0x9f/0x110
       ? __call_rcu+0x213/0x510
       ? get_max_files+0x10/0x10
       ? trace_hardirqs_on+0x2c/0xe0
       ? __sys_sendmsg+0x63/0xa0
       __sys_sendmsg+0x63/0xa0
       do_syscall_64+0x6c/0x1e0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      133b3d24
    • Qu Wenruo's avatar
      btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup · 4ab61600
      Qu Wenruo authored
      [ Upstream commit cbab8ade ]
      
      [BUG]
      For the following operation, qgroup is guaranteed to be screwed up due
      to snapshot adding to a new qgroup:
      
        # mkfs.btrfs -f $dev
        # mount $dev $mnt
        # btrfs qgroup en $mnt
        # btrfs subv create $mnt/src
        # xfs_io -f -c "pwrite 0 1m" $mnt/src/file
        # sync
        # btrfs qgroup create 1/0 $mnt/src
        # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot
        # btrfs qgroup show -prce $mnt/src
        qgroupid         rfer         excl     max_rfer     max_excl parent  child
        --------         ----         ----     --------     -------- ------  -----
        0/5          16.00KiB     16.00KiB         none         none ---     ---
        0/257         1.02MiB     16.00KiB         none         none ---     ---
        0/258         1.02MiB     16.00KiB         none         none 1/0     ---
        1/0             0.00B        0.00B         none         none ---     0/258
      	        ^^^^^^^^^^^^^^^^^^^^
      
      [CAUSE]
      The problem is in btrfs_qgroup_inherit(), we don't have good enough
      check to determine if the new relation would break the existing
      accounting.
      
      Unlike btrfs_add_qgroup_relation(), which has proper check to determine
      if we can do quick update without a rescan, in btrfs_qgroup_inherit() we
      can even assign a snapshot to multiple qgroups.
      
      [FIX]
      Fix it by manually marking qgroup inconsistent for snapshot inheritance.
      
      For subvolume creation, since all its extents are exclusively owned, we
      don't need to rescan.
      
      In theory, we should call relation check like quick_update_accounting()
      when doing qgroup inheritance and inform user about qgroup accounting
      inconsistency.
      
      But we don't have good mechanism to relay that back to the user in the
      snapshot creation context, thus we can only silently mark the qgroup
      inconsistent.
      
      Anyway, user shouldn't use qgroup inheritance during snapshot creation,
      and should add qgroup relationship after snapshot creation by 'btrfs
      qgroup assign', which has a much better UI to inform user about qgroup
      inconsistent and kick in rescan automatically.
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4ab61600
    • Finn Thain's avatar
      m68k: mac: Don't call via_flush_cache() on Mac IIfx · 7736adec
      Finn Thain authored
      [ Upstream commit bcc44f6b ]
      
      There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
      This avoids a boot crash which appeared in v5.4.
      
      printk: console [ttyS0] enabled
      printk: bootconsole [debug0] disabled
      printk: bootconsole [debug0] disabled
      Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
      pid_max: default: 32768 minimum: 301
      Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      devtmpfs: initialized
      random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
      clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
      futex hash table entries: 256 (order: -1, 3072 bytes, linear)
      NET: Registered protocol family 16
      Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
      BAD KERNEL BUSERR
      Oops: 00000000
      Modules linked in:
      PC: [<00008a6a>] via_flush_cache+0x12/0x2c
      SR: 2700  SP: 01c1fe3c  a2: 01c24000
      d0: 00001119    d1: 0000000c    d2: 00012000    d3: 0000000f
      d4: 01c06840    d5: 00033b92    a0: 00000000    a1: 00000000
      Process swapper (pid: 1, task=01c24000)
      Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
      baddr=00008a6e dibuf=0000004e ver=f
      Stack from 01c1fec4:
              01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
              01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
              00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
              00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
              004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
              0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
      Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
       [<00010080>] fix_dnrm+0x2/0x18
       [<0000792e>] cache_push+0x46/0x5a
       [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
       [<00040000>] switched_to_dl+0x76/0xd0
       [<004a545e>] dma_atomic_pool_init+0x4e/0x188
       [<00040000>] switched_to_dl+0x76/0xd0
       [<00033b92>] parse_args+0x0/0x370
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<000021e2>] do_one_initcall+0x34/0x1be
       [<00033b92>] parse_args+0x0/0x370
       [<0038507a>] strcpy+0x0/0x1e
       [<000021ae>] do_one_initcall+0x0/0x1be
       [<00020002>] do_proc_dointvec_conv+0x54/0x74
       [<0049f938>] kernel_init_freeable+0x126/0x190
       [<0049f94c>] kernel_init_freeable+0x13a/0x190
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<00041798>] complete+0x0/0x3c
       [<000b9b0c>] kfree+0x0/0x20a
       [<0038df98>] schedule+0x0/0xd0
       [<0038d604>] kernel_init+0x0/0xda
       [<0038d610>] kernel_init+0xc/0xda
       [<0038d604>] kernel_init+0x0/0xda
       [<00002d38>] ret_from_kernel_thread+0xc/0x14
      Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
      Disabling lock debugging due to kernel taint
      Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Thanks to Stan Johnson for capturing the console log and running git
      bisect.
      
      Git bisect said commit 8e3a68fb ("dma-mapping: make
      dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
      know why. Perhaps mach_l2_flush first became reachable with that commit.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-and-tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Cc: Joshua Thompson <funaho@jurai.org>
      Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.auSigned-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7736adec
    • Arvind Sankar's avatar
      x86/mm: Stop printing BRK addresses · 7fe5e915
      Arvind Sankar authored
      [ Upstream commit 67d631b7 ]
      
      This currently leaks kernel physical addresses into userspace.
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarDave Hansen <dave.hansen@intel.com>
      Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fe5e915
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix multi-instance · 06bd7d87
      Nicolas Toromanoff authored
      [ Upstream commit 10b89c43 ]
      
      Ensure CRC algorithm is registered only once in crypto framework when
      there are several instances of CRC devices.
      
      Update the CRC device list management to avoid that only the first CRC
      instance is used.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      06bd7d87
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix run-time self test issue. · a94c7a08
      Nicolas Toromanoff authored
      [ Upstream commit a8cc3128 ]
      
      Fix wrong crc32 initialisation value:
      "alg: shash: stm32_crc32 test failed (wrong result) on test vector 0,
      cfg="init+update+final aligned buffer"
      cra_name="crc32c" expects an init value of 0XFFFFFFFF,
      cra_name="crc32" expects an init value of 0.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a94c7a08
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix ext4 chksum BUG_ON() · b5528bda
      Nicolas Toromanoff authored
      [ Upstream commit 49c2c082 ]
      
      Allow use of crc_update without prior call to crc_init.
      And change (and fix) driver to use CRC device even on unaligned buffers.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5528bda
    • Serge Semin's avatar
      mips: Add udelay lpj numbers adjustment · 240934c2
      Serge Semin authored
      [ Upstream commit ed26aacf ]
      
      Loops-per-jiffies is a special number which represents a number of
      noop-loop cycles per CPU-scheduler quantum - jiffies. As you
      understand aside from CPU-specific implementation it depends on
      the CPU frequency. So when a platform has the CPU frequency fixed,
      we have no problem and the current udelay interface will work
      just fine. But as soon as CPU-freq driver is enabled and the cores
      frequency changes, we'll end up with distorted udelay's. In order
      to fix this we have to accordinly adjust the per-CPU udelay_val
      (the same as the global loops_per_jiffy) number. This can be done
      in the CPU-freq transition event handler. We subscribe to that event
      in the MIPS arch time-inititalization method.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Reviewed-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      240934c2
    • Serge Semin's avatar
      mips: MAAR: Use more precise address mask · 909b50e8
      Serge Semin authored
      [ Upstream commit bbb5946e ]
      
      Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR
      pair register address field either takes [12:31] bits for non-XPA systems
      and [12:55] otherwise. In any case the current address mask is just
      wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits
      of physical address value. This shall cover the 64-bits architecture and
      systems with XPA enabled, and won't cause any problem for non-XPA 32-bit
      systems, since address values exceeding the architecture specific MAAR
      mask will be just truncated with setting zeros in the unsupported upper
      bits.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      909b50e8
    • Arvind Sankar's avatar
      x86/boot: Correct relocation destination on old linkers · 9b7dbeed
      Arvind Sankar authored
      [ Upstream commit 5214028d ]
      
      For the 32-bit kernel, as described in
      
        6d92bc9d ("x86/build: Build compressed x86 kernels as PIE"),
      
      pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the
      startup code does not perform relocation, any reloc entry with R_386_32
      will remain as 0 in the executing code.
      
      Commit
      
        974f221c ("x86/boot: Move compressed kernel to the end of the
                       decompression buffer")
      
      added a new symbol _end but did not mark it hidden, which doesn't give
      the correct offset on older linkers. This causes the compressed kernel
      to be copied beyond the end of the decompression buffer, rather than
      flush against it. This region of memory may be reserved or already
      allocated for other purposes by the bootloader.
      
      Mark _end as hidden to fix. This changes the relocation from R_386_32 to
      R_386_RELATIVE even on the pre-2.26 binutils.
      
      For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
      built as PIE if the linker supports -z noreloc-overflow, which implies
      binutils-2.27+, but for consistency, mark _end as hidden here too.
      
      The below illustrates the before/after impact of the patch using
      binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
      
        Disassembly before patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 00 00 00          sub    $0x0,%eax
                                4f: R_386_32    _end
        Disassembly after patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 f0 76 00          sub    $0x76f000,%eax
                                4f: R_386_RELATIVE      *ABS*
      
      Dump from extract_kernel before patch:
      	early console in extract_kernel
      	input_data: 0x0207c098 <--- this is at output + init_size
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Dump from extract_kernel after patch:
      	early console in extract_kernel
      	input_data: 0x0190d098 <--- this is at output + init_size - _end
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Fixes: 974f221c ("x86/boot: Move compressed kernel to the end of the decompression buffer")
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b7dbeed
    • Pali Rohár's avatar
      mwifiex: Fix memory corruption in dump_station · be2ce127
      Pali Rohár authored
      [ Upstream commit 3aa42bae ]
      
      The mwifiex_cfg80211_dump_station() uses static variable for iterating
      over a linked list of all associated stations (when the driver is in UAP
      role). This has a race condition if .dump_station is called in parallel
      for multiple interfaces. This corruption can be triggered by registering
      multiple SSIDs and calling, in parallel for multiple interfaces
          iw dev <iface> station dump
      
      [16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
      ...
      [16750.899173] Call trace:
      [16750.901696]  mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
      [16750.907824]  nl80211_dump_station+0xbc/0x278 [cfg80211]
      [16750.913160]  netlink_dump+0xe8/0x320
      [16750.916827]  netlink_recvmsg+0x1b4/0x338
      [16750.920861]  ____sys_recvmsg+0x7c/0x2b0
      [16750.924801]  ___sys_recvmsg+0x70/0x98
      [16750.928564]  __sys_recvmsg+0x58/0xa0
      [16750.932238]  __arm64_sys_recvmsg+0x28/0x30
      [16750.936453]  el0_svc_common.constprop.3+0x90/0x158
      [16750.941378]  do_el0_svc+0x74/0x90
      [16750.944784]  el0_sync_handler+0x12c/0x1a8
      [16750.948903]  el0_sync+0x114/0x140
      [16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
      [16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
      
      This patch drops the use of the static iterator, and instead every time
      the function is called iterates to the idx-th position of the
      linked-list.
      
      It would be better to convert the code not to use linked list for
      associated stations storage (since the chip has a limited number of
      associated stations anyway - it could just be an array). Such a change
      may be proposed in the future. In the meantime this patch can backported
      into stable kernels in this simple form.
      
      Fixes: 8baca1a3 ("mwifiex: dump station support in uap mode")
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Acked-by: default avatarGanapathi Bhat <ganapathi.bhat@nxp.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      be2ce127
    • Dan Carpenter's avatar
      rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() · 2048a786
      Dan Carpenter authored
      [ Upstream commit beb12813 ]
      
      Seven years ago we tried to fix a leak but actually introduced a double
      free instead.  It was an understandable mistake because the code was a
      bit confusing and the free was done in the wrong place.  The "skb"
      pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
      The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
      and I've cleaned the code up a bit to hopefully make it more clear.
      
      Fixes: 36ef0b47 ("rtlwifi: usb: add missing freeing of skbuff")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200513093951.GD347693@mwandaSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2048a786
    • Erez Shitrit's avatar
      net/mlx5e: IPoIB, Drop multicast packets that this interface sent · dfca13aa
      Erez Shitrit authored
      [ Upstream commit 8b46d424 ]
      
      After enabled loopback packets for IPoIB, we need to drop these packets
      that this HCA has replicated and came back to the same interface that
      sent them.
      
      Fixes: 4c6c615e ("net/mlx5e: IPoIB, Add PKEY child interface nic profile")
      Signed-off-by: default avatarErez Shitrit <erezsh@mellanox.com>
      Reviewed-by: default avatarAlex Vesker <valex@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfca13aa
    • Jesper Dangaard Brouer's avatar
      veth: Adjust hard_start offset on redirect XDP frames · b6c90a7d
      Jesper Dangaard Brouer authored
      [ Upstream commit 5c857225 ]
      
      When native XDP redirect into a veth device, the frame arrives in the
      xdp_frame structure. It is then processed in veth_xdp_rcv_one(),
      which can run a new XDP bpf_prog on the packet. Doing so requires
      converting xdp_frame to xdp_buff, but the tricky part is that
      xdp_frame memory area is located in the top (data_hard_start) memory
      area that xdp_buff will point into.
      
      The current code tried to protect the xdp_frame area, by assigning
      xdp_buff.data_hard_start past this memory. This results in 32 bytes
      less headroom to expand into via BPF-helper bpf_xdp_adjust_head().
      
      This protect step is actually not needed, because BPF-helper
      bpf_xdp_adjust_head() already reserve this area, and don't allow
      BPF-prog to expand into it. Thus, it is safe to point data_hard_start
      directly at xdp_frame memory area.
      
      Fixes: 9fc8d518 ("veth: Handle xdp_frames in xdp napi ring")
      Reported-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarToshiaki Makita <toshiaki.makita1@gmail.com>
      Acked-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/bpf/158945338331.97035.5923525383710752178.stgit@firesoulSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      b6c90a7d
    • Guoqing Jiang's avatar
      md: don't flush workqueue unconditionally in md_open · 868b8e43
      Guoqing Jiang authored
      [ Upstream commit f6766ff6 ]
      
      We need to check mddev->del_work before flush workqueu since the purpose
      of flush is to ensure the previous md is disappeared. Otherwise the similar
      deadlock appeared if LOCKDEP is enabled, it is due to md_open holds the
      bdev->bd_mutex before flush workqueue.
      
      kernel: [  154.522645] ======================================================
      kernel: [  154.522647] WARNING: possible circular locking dependency detected
      kernel: [  154.522650] 5.6.0-rc7-lp151.27-default #25 Tainted: G           O
      kernel: [  154.522651] ------------------------------------------------------
      kernel: [  154.522653] mdadm/2482 is trying to acquire lock:
      kernel: [  154.522655] ffff888078529128 ((wq_completion)md_misc){+.+.}, at: flush_workqueue+0x84/0x4b0
      kernel: [  154.522673]
      kernel: [  154.522673] but task is already holding lock:
      kernel: [  154.522675] ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
      kernel: [  154.522691]
      kernel: [  154.522691] which lock already depends on the new lock.
      kernel: [  154.522691]
      kernel: [  154.522694]
      kernel: [  154.522694] the existing dependency chain (in reverse order) is:
      kernel: [  154.522696]
      kernel: [  154.522696] -> #4 (&bdev->bd_mutex){+.+.}:
      kernel: [  154.522704]        __mutex_lock+0x87/0x950
      kernel: [  154.522706]        __blkdev_get+0x79/0x590
      kernel: [  154.522708]        blkdev_get+0x65/0x140
      kernel: [  154.522709]        blkdev_get_by_dev+0x2f/0x40
      kernel: [  154.522716]        lock_rdev+0x3d/0x90 [md_mod]
      kernel: [  154.522719]        md_import_device+0xd6/0x1b0 [md_mod]
      kernel: [  154.522723]        new_dev_store+0x15e/0x210 [md_mod]
      kernel: [  154.522728]        md_attr_store+0x7a/0xc0 [md_mod]
      kernel: [  154.522732]        kernfs_fop_write+0x117/0x1b0
      kernel: [  154.522735]        vfs_write+0xad/0x1a0
      kernel: [  154.522737]        ksys_write+0xa4/0xe0
      kernel: [  154.522745]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522748]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522749]
      kernel: [  154.522749] -> #3 (&mddev->reconfig_mutex){+.+.}:
      kernel: [  154.522752]        __mutex_lock+0x87/0x950
      kernel: [  154.522756]        new_dev_store+0xc9/0x210 [md_mod]
      kernel: [  154.522759]        md_attr_store+0x7a/0xc0 [md_mod]
      kernel: [  154.522761]        kernfs_fop_write+0x117/0x1b0
      kernel: [  154.522763]        vfs_write+0xad/0x1a0
      kernel: [  154.522765]        ksys_write+0xa4/0xe0
      kernel: [  154.522767]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522769]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522770]
      kernel: [  154.522770] -> #2 (kn->count#253){++++}:
      kernel: [  154.522775]        __kernfs_remove+0x253/0x2c0
      kernel: [  154.522778]        kernfs_remove+0x1f/0x30
      kernel: [  154.522780]        kobject_del+0x28/0x60
      kernel: [  154.522783]        mddev_delayed_delete+0x24/0x30 [md_mod]
      kernel: [  154.522786]        process_one_work+0x2a7/0x5f0
      kernel: [  154.522788]        worker_thread+0x2d/0x3d0
      kernel: [  154.522793]        kthread+0x117/0x130
      kernel: [  154.522795]        ret_from_fork+0x3a/0x50
      kernel: [  154.522796]
      kernel: [  154.522796] -> #1 ((work_completion)(&mddev->del_work)){+.+.}:
      kernel: [  154.522800]        process_one_work+0x27e/0x5f0
      kernel: [  154.522802]        worker_thread+0x2d/0x3d0
      kernel: [  154.522804]        kthread+0x117/0x130
      kernel: [  154.522806]        ret_from_fork+0x3a/0x50
      kernel: [  154.522807]
      kernel: [  154.522807] -> #0 ((wq_completion)md_misc){+.+.}:
      kernel: [  154.522813]        __lock_acquire+0x1392/0x1690
      kernel: [  154.522816]        lock_acquire+0xb4/0x1a0
      kernel: [  154.522818]        flush_workqueue+0xab/0x4b0
      kernel: [  154.522821]        md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522823]        __blkdev_get+0xea/0x590
      kernel: [  154.522825]        blkdev_get+0x65/0x140
      kernel: [  154.522828]        do_dentry_open+0x1d1/0x380
      kernel: [  154.522831]        path_openat+0x567/0xcc0
      kernel: [  154.522834]        do_filp_open+0x9b/0x110
      kernel: [  154.522836]        do_sys_openat2+0x201/0x2a0
      kernel: [  154.522838]        do_sys_open+0x57/0x80
      kernel: [  154.522840]        do_syscall_64+0x64/0x2b0
      kernel: [  154.522842]        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522844]
      kernel: [  154.522844] other info that might help us debug this:
      kernel: [  154.522844]
      kernel: [  154.522846] Chain exists of:
      kernel: [  154.522846]   (wq_completion)md_misc --> &mddev->reconfig_mutex --> &bdev->bd_mutex
      kernel: [  154.522846]
      kernel: [  154.522850]  Possible unsafe locking scenario:
      kernel: [  154.522850]
      kernel: [  154.522852]        CPU0                    CPU1
      kernel: [  154.522853]        ----                    ----
      kernel: [  154.522854]   lock(&bdev->bd_mutex);
      kernel: [  154.522856]                                lock(&mddev->reconfig_mutex);
      kernel: [  154.522858]                                lock(&bdev->bd_mutex);
      kernel: [  154.522860]   lock((wq_completion)md_misc);
      kernel: [  154.522861]
      kernel: [  154.522861]  *** DEADLOCK ***
      kernel: [  154.522861]
      kernel: [  154.522864] 1 lock held by mdadm/2482:
      kernel: [  154.522865]  #0: ffff88804efa9338 (&bdev->bd_mutex){+.+.}, at: __blkdev_get+0x79/0x590
      kernel: [  154.522868]
      kernel: [  154.522868] stack backtrace:
      kernel: [  154.522873] CPU: 1 PID: 2482 Comm: mdadm Tainted: G           O      5.6.0-rc7-lp151.27-default #25
      kernel: [  154.522875] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      kernel: [  154.522878] Call Trace:
      kernel: [  154.522881]  dump_stack+0x8f/0xcb
      kernel: [  154.522884]  check_noncircular+0x194/0x1b0
      kernel: [  154.522888]  ? __lock_acquire+0x1392/0x1690
      kernel: [  154.522890]  __lock_acquire+0x1392/0x1690
      kernel: [  154.522893]  lock_acquire+0xb4/0x1a0
      kernel: [  154.522895]  ? flush_workqueue+0x84/0x4b0
      kernel: [  154.522898]  flush_workqueue+0xab/0x4b0
      kernel: [  154.522900]  ? flush_workqueue+0x84/0x4b0
      kernel: [  154.522905]  ? md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522908]  md_open+0xb6/0xc0 [md_mod]
      kernel: [  154.522910]  __blkdev_get+0xea/0x590
      kernel: [  154.522912]  ? bd_acquire+0xc0/0xc0
      kernel: [  154.522914]  blkdev_get+0x65/0x140
      kernel: [  154.522916]  ? bd_acquire+0xc0/0xc0
      kernel: [  154.522918]  do_dentry_open+0x1d1/0x380
      kernel: [  154.522921]  path_openat+0x567/0xcc0
      kernel: [  154.522923]  ? __lock_acquire+0x380/0x1690
      kernel: [  154.522926]  do_filp_open+0x9b/0x110
      kernel: [  154.522929]  ? __alloc_fd+0xe5/0x1f0
      kernel: [  154.522935]  ? kmem_cache_alloc+0x28c/0x630
      kernel: [  154.522939]  ? do_sys_openat2+0x201/0x2a0
      kernel: [  154.522941]  do_sys_openat2+0x201/0x2a0
      kernel: [  154.522944]  do_sys_open+0x57/0x80
      kernel: [  154.522946]  do_syscall_64+0x64/0x2b0
      kernel: [  154.522948]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      kernel: [  154.522951] RIP: 0033:0x7f98d279d9ae
      
      And md_alloc also flushed the same workqueue, but the thing is different
      here. Because all the paths call md_alloc don't hold bdev->bd_mutex, and
      the flush is necessary to avoid race condition, so leave it as it is.
      Signed-off-by: default avatarGuoqing Jiang <guoqing.jiang@cloud.ionos.com>
      Signed-off-by: default avatarSong Liu <songliubraving@fb.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      868b8e43
    • Ryder Lee's avatar
      mt76: avoid rx reorder buffer overflow · 13964369
      Ryder Lee authored
      [ Upstream commit 7c4f744d ]
      
      Enlarge slot to support 11ax 256 BA (256 MPDUs in an AMPDU)
      Signed-off-by: default avatarChih-Min Chen <chih-min.chen@mediatek.com>
      Signed-off-by: default avatarRyder Lee <ryder.lee@mediatek.com>
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      13964369
    • Bhupesh Sharma's avatar
      net: qed*: Reduce RX and TX default ring count when running inside kdump kernel · 35fde8a6
      Bhupesh Sharma authored
      [ Upstream commit 73e03097 ]
      
      Normally kdump kernel(s) run under severe memory constraint with the
      basic idea being to save the crashdump vmcore reliably when the primary
      kernel panics/hangs.
      
      Currently the qed* ethernet driver ends up consuming a lot of memory in
      the kdump kernel, leading to kdump kernel panic when one tries to save
      the vmcore via ssh/nfs (thus utilizing the services of the underlying
      qed* network interfaces).
      
      An example OOM message log seen in the kdump kernel can be seen here
      [1], with crashkernel size reservation of 512M.
      
      Using tools like memstrack (see [2]), we can track the modules taking up
      the bulk of memory in the kdump kernel and organize the memory usage
      output as per 'highest allocator first'. An example log for the OOM case
      indicates that the qed* modules end up allocating approximately 216M
      memory, which is a large part of the total crashkernel size:
      
       dracut-pre-pivot[676]: ======== Report format module_summary: ========
       dracut-pre-pivot[676]: Module qed using 149.6MB (2394 pages), peak allocation 149.6MB (2394 pages)
       dracut-pre-pivot[676]: Module qede using 65.3MB (1045 pages), peak allocation 65.3MB (1045 pages)
      
      This patch reduces the default RX and TX ring count from 1024 to 64
      when running inside kdump kernel, which leads to a significant memory
      saving.
      
      An example log with the patch applied shows the reduced memory
      allocation in the kdump kernel:
       dracut-pre-pivot[674]: ======== Report format module_summary: ========
       dracut-pre-pivot[674]: Module qed using 141.8MB (2268 pages), peak allocation 141.8MB (2268 pages)
       <..snip..>
      [dracut-pre-pivot[674]: Module qede using 4.8MB (76 pages), peak allocation 4.9MB (78 pages)
      
      Tested crashdump vmcore save via ssh/nfs protocol using underlying qed*
      network interface after applying this patch.
      
      [1] OOM log:
      ------------
      
       kworker/0:6: page allocation failure: order:6,
       mode:0x60c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
       kworker/0:6 cpuset=/ mems_allowed=0
       CPU: 0 PID: 145 Comm: kworker/0:6 Not tainted 4.18.0-109.el8.aarch64 #1
       Hardware name: To be filled by O.E.M. Saber/Saber, BIOS 0ACKL025
       01/18/2019
       Workqueue: events work_for_cpu_fn
       Call trace:
        dump_backtrace+0x0/0x188
        show_stack+0x24/0x30
        dump_stack+0x90/0xb4
        warn_alloc+0xf4/0x178
        __alloc_pages_nodemask+0xcac/0xd58
        alloc_pages_current+0x8c/0xf8
        kmalloc_order_trace+0x38/0x108
        qed_iov_alloc+0x40/0x248 [qed]
        qed_resc_alloc+0x224/0x518 [qed]
        qed_slowpath_start+0x254/0x928 [qed]
         __qede_probe+0xf8/0x5e0 [qede]
        qede_probe+0x68/0xd8 [qede]
        local_pci_probe+0x44/0xa8
        work_for_cpu_fn+0x20/0x30
        process_one_work+0x1ac/0x3e8
        worker_thread+0x44/0x448
        kthread+0x130/0x138
        ret_from_fork+0x10/0x18
        Cannot start slowpath
        qede: probe of 0000:05:00.1 failed with error -12
      
      [2]. Memstrack tool: https://github.com/ryncsn/memstrack
      
      Cc: kexec@lists.infradead.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Ariel Elior <aelior@marvell.com>
      Cc: GR-everest-linux-l2@marvell.com
      Cc: Manish Chopra <manishc@marvell.com>
      Cc: David S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBhupesh Sharma <bhsharma@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      35fde8a6
    • Christophe JAILLET's avatar
      wcn36xx: Fix error handling path in 'wcn36xx_probe()' · ef93244e
      Christophe JAILLET authored
      [ Upstream commit a86308fc ]
      
      In case of error, 'qcom_wcnss_open_channel()' must be undone by a call to
      'rpmsg_destroy_ept()', as already done in the remove function.
      
      Fixes: 5052de8d ("soc: qcom: smd: Transition client drivers from smd to rpmsg")
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200507043619.200051-1-christophe.jaillet@wanadoo.frSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef93244e
    • Rakesh Pillai's avatar
      ath10k: Remove msdu from idr when management pkt send fails · 2bc8b181
      Rakesh Pillai authored
      [ Upstream commit c730c477 ]
      
      Currently when the sending of any management pkt
      via wmi command fails, the packet is being unmapped
      freed in the error handling. But the idr entry added,
      which is used to track these packet is not getting removed.
      
      Hence, during unload, in wmi cleanup, all the entries
      in IDR are removed and the corresponding buffer is
      attempted to be freed. This can cause a situation where
      one packet is attempted to be freed twice.
      
      Fix this error by rmeoving the msdu from the idr
      list when the sending of a management packet over
      wmi fails.
      
      Tested HW: WCN3990
      Tested FW: WLAN.HL.3.1-01040-QCAHLSWMTPLZ-1
      
      Fixes: 1807da49 ("ath10k: wmi: add management tx by reference support over wmi")
      Signed-off-by: default avatarRakesh Pillai <pillair@codeaurora.org>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/1588667015-25490-1-git-send-email-pillair@codeaurora.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bc8b181
    • Christoph Hellwig's avatar
      nvme: refine the Qemu Identify CNS quirk · 15757cfd
      Christoph Hellwig authored
      [ Upstream commit b9a5c3d4 ]
      
      Add a helper to check if we can use Identify CNS values > 1, and refine
      the Qemu quirk to not apply to reported versions larger than 1.1, as the
      Qemu implementation had been fixed by then.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <kbusch@kernel.org>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      15757cfd
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and... · a323c77b
      Hans de Goede authored
      platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types
      
      [ Upstream commit 1fac39fd ]
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
      reporting SW_TABLET_MODE = 1 to userspace on laptops.
      
      Some devices with a detachable keyboard and using the intel-vbnt (INT33D6)
      interface to report if they are in tablet mode (keyboard detached) or not,
      report 32 / "Detachable" as chassis-type, e.g. the HP Pavilion X2 series.
      
      Other devices with a detachable keyboard and using the intel-vbnt (INT33D6)
      interface to report SW_TABLET_MODE, report 8 / "Portable" as chassis-type.
      The Dell Venue 11 Pro 7130 is an example of this.
      
      Extend the DMI chassis-type check to also accept Portables and Detachables
      so that the intel-vbtn driver will report SW_TABLET_MODE on these devices.
      
      Note the chassis-type check was originally added to avoid a false-positive
      tablet-mode report on the Dell XPS 9360 laptop. To the best of my knowledge
      that laptop is using a chassis-type of 9 / "Laptop", so after this commit
      we still ignore the tablet-switch for that chassis-type.
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarMario Limonciello <Mario.limonciello@dell.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a323c77b
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not there · eeb28a17
      Hans de Goede authored
      [ Upstream commit 990fbb48 ]
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a DMI chassis-type check to avoid accidentally
      reporting SW_TABLET_MODE = 1 to userspace on laptops (specifically on the
      Dell XPS 9360), to avoid e.g. userspace ignoring touchpad events because
      userspace thought the device was in tablet-mode.
      
      But if we are not getting the initial status of the switch because the
      device does not have a tablet mode, then we really should not advertise
      the presence of a tablet-mode switch to userspace at all, as userspace may
      use the mere presence of this switch for certain heuristics.
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      eeb28a17
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Split keymap into buttons and switches parts · acb3848d
      Hans de Goede authored
      [ Upstream commit f6ba5249 ]
      
      Split the sparse keymap into 2 separate keymaps, a buttons and a switches
      keymap and combine the 2 to a single map again in intel_vbtn_input_setup().
      
      This is a preparation patch for not telling userspace that we have switches
      when we do not have them (and for doing the same for the buttons).
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      acb3848d
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Use acpi_evaluate_integer() · e8ffc604
      Hans de Goede authored
      [ Upstream commit 18937875 ]
      
      Use acpi_evaluate_integer() instead of open-coding it.
      
      This is a preparation patch for adding a intel_vbtn_has_switches()
      helper function.
      
      Fixes: de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode switch on 2-in-1's")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e8ffc604
    • Brian Foster's avatar
      xfs: fix duplicate verification from xfs_qm_dqflush() · edd94827
      Brian Foster authored
      [ Upstream commit 629dcb38 ]
      
      The pre-flush dquot verification in xfs_qm_dqflush() duplicates the
      read verifier by checking the dquot in the on-disk buffer. Instead,
      verify the in-core variant before it is flushed to the buffer.
      
      Fixes: 7224fa48 ("xfs: add full xfs_dqblk verifier")
      Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
      Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarAllison Collins <allison.henderson@oracle.com>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      edd94827
    • Brian Foster's avatar
      xfs: reset buffer write failure state on successful completion · cc9485cd
      Brian Foster authored
      [ Upstream commit b6983e80 ]
      
      The buffer write failure flag is intended to control the internal
      write retry that XFS has historically implemented to help mitigate
      the severity of transient I/O errors. The flag is set when a buffer
      is resubmitted from the I/O completion path due to a previous
      failure. It is checked on subsequent I/O completions to skip the
      internal retry and fall through to the higher level configurable
      error handling mechanism. The flag is cleared in the synchronous and
      delwri submission paths and also checked in various places to log
      write failure messages.
      
      There are a couple minor problems with the current usage of this
      flag. One is that we issue an internal retry after every submission
      from xfsaild due to how delwri submission clears the flag. This
      results in double the expected or configured number of write
      attempts when under sustained failures. Another more subtle issue is
      that the flag is never cleared on successful I/O completion. This
      can cause xfs_wait_buftarg() to suggest that dirty buffers are being
      thrown away due to the existence of the flag, when the reality is
      that the flag might still be set because the write succeeded on the
      retry.
      
      Clear the write failure flag on successful I/O completion to address
      both of these problems. This means that the internal retry attempt
      occurs once since the last time a buffer write failed and that
      various other contexts only see the flag set when the immediately
      previous write attempt has failed.
      Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarAllison Collins <allison.henderson@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cc9485cd
    • Daniel Thompson's avatar
      kgdb: Fix spurious true from in_dbg_master() · 875e9418
      Daniel Thompson authored
      [ Upstream commit 3fec4aec ]
      
      Currently there is a small window where a badly timed migration could
      cause in_dbg_master() to spuriously return true. Specifically if we
      migrate to a new core after reading the processor id and the previous
      core takes a breakpoint then we will evaluate true if we read
      kgdb_active before we get the IPI to bring us to halt.
      
      Fix this by checking irqs_disabled() first. Interrupts are always
      disabled when we are executing the kgdb trap so this is an acceptable
      prerequisite. This also allows us to replace raw_smp_processor_id()
      with smp_processor_id() since the short circuit logic will prevent
      warnings from PREEMPT_DEBUG.
      
      Fixes: dcc78711 ("kgdb: core changes to support kdb")
      Suggested-by: default avatarWill Deacon <will@kernel.org>
      Link: https://lore.kernel.org/r/20200506164223.2875760-1-daniel.thompson@linaro.orgReviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      875e9418
    • Serge Semin's avatar
      mips: cm: Fix an invalid error code of INTVN_*_ERR · d31ac331
      Serge Semin authored
      [ Upstream commit 8a0efb8b ]
      
      Commit 3885c2b4 ("MIPS: CM: Add support for reporting CM cache
      errors") adds cm2_causes[] array with map of error type ID and
      pointers to the short description string. There is a mistake in
      the table, since according to MIPS32 manual CM2_ERROR_TYPE = {17,18}
      correspond to INTVN_WR_ERR and INTVN_RD_ERR, while the table
      claims they have {0x17,0x18} codes. This is obviously hex-dec
      copy-paste bug. Moreover codes {0x18 - 0x1a} indicate L2 ECC errors.
      
      Fixes: 3885c2b4 ("MIPS: CM: Add support for reporting CM cache errors")
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: linux-pm@vger.kernel.org
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d31ac331
    • Jiaxun Yang's avatar
      MIPS: Truncate link address into 32bit for 32bit kernel · 7ac70ff8
      Jiaxun Yang authored
      [ Upstream commit ff487d41 ]
      
      LLD failed to link vmlinux with 64bit load address for 32bit ELF
      while bfd will strip 64bit address into 32bit silently.
      To fix LLD build, we should truncate load address provided by platform
      into 32bit for 32bit kernel.
      Signed-off-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Link: https://github.com/ClangBuiltLinux/linux/issues/786
      Link: https://sourceware.org/bugzilla/show_bug.cgi?id=25784Reviewed-by: default avatarFangrui Song <maskray@google.com>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Tested-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Cc: Maciej W. Rozycki <macro@linux-mips.org>
      Tested-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7ac70ff8
    • Devulapally Shiva Krishna's avatar
      Crypto/chcr: fix for ccm(aes) failed test · 6d0f96ad
      Devulapally Shiva Krishna authored
      [ Upstream commit 10b0c75d ]
      
      The ccm(aes) test fails when req->assoclen > ~240bytes.
      
      The problem is the value assigned to auth_offset is wrong.
      As auth_offset is unsigned char, it can take max value as 255.
      So fix it by making it unsigned int.
      Signed-off-by: default avatarAyush Sawal <ayush.sawal@chelsio.com>
      Signed-off-by: default avatarDevulapally Shiva Krishna <shiva@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d0f96ad
    • Darrick J. Wong's avatar
      xfs: clean up the error handling in xfs_swap_extents · c69572fd
      Darrick J. Wong authored
      [ Upstream commit 8bc3b5e4 ]
      
      Make sure we release resources properly if we cannot clean out the COW
      extents in preparation for an extent swap.
      
      Fixes: 96987eea ("xfs: cancel COW blocks before swapext")
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c69572fd
    • Jeremy Kerr's avatar
      powerpc/spufs: fix copy_to_user while atomic · a8696209
      Jeremy Kerr authored
      [ Upstream commit 88413a6b ]
      
      Currently, we may perform a copy_to_user (through
      simple_read_from_buffer()) while holding a context's register_lock,
      while accessing the context save area.
      
      This change uses a temporary buffer for the context save area data,
      which we then pass to simple_read_from_buffer.
      
      Includes changes from Christoph Hellwig <hch@lst.de>.
      
      Fixes: bf1ab978 ("[POWERPC] coredump: Add SPU elf notes to coredump.")
      Signed-off-by: default avatarJeremy Kerr <jk@ozlabs.org>
      Reviewed-by: default avatarArnd Bergmann <arnd@arndb.de>
      [hch: renamed to function to avoid ___-prefixes]
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a8696209
    • Yunjian Wang's avatar
      net: allwinner: Fix use correct return type for ndo_start_xmit() · 1ac03c4b
      Yunjian Wang authored
      [ Upstream commit 09f6c44a ]
      
      The method ndo_start_xmit() returns a value of type netdev_tx_t. Fix
      the ndo function to use the correct type. And emac_start_xmit() can
      leak one skb if 'channel' == 3.
      Signed-off-by: default avatarYunjian Wang <wangyunjian@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ac03c4b
    • Dan Carpenter's avatar
      media: cec: silence shift wrapping warning in __cec_s_log_addrs() · 26311fa9
      Dan Carpenter authored
      [ Upstream commit 3b5af317 ]
      
      The log_addrs->log_addr_type[i] value is a u8 which is controlled by
      the user and comes from the ioctl.  If it's over 31 then that results in
      undefined behavior (shift wrapping) and that leads to a Smatch static
      checker warning.  We already cap the value later so we can silence the
      warning just by re-ordering the existing checks.
      
      I think the UBSan checker will also catch this bug at runtime and
      generate a warning.  But otherwise the bug is harmless.
      
      Fixes: 9881fe0c ("[media] cec: add HDMI CEC framework (adapter)")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      26311fa9
    • Wei Yongjun's avatar
      net: lpc-enet: fix error return code in lpc_mii_init() · b0687a01
      Wei Yongjun authored
      [ Upstream commit 88ec7cb2 ]
      
      Fix to return a negative error code from the error handling
      case instead of 0, as done elsewhere in this function.
      
      Fixes: b7370112 ("lpc32xx: Added ethernet driver")
      Signed-off-by: default avatarWei Yongjun <weiyongjun1@huawei.com>
      Acked-by: default avatarVladimir Zapolskiy <vz@mleia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b0687a01
    • Shaokun Zhang's avatar
      drivers/perf: hisi: Fix typo in events attribute array · 9b33fbf9
      Shaokun Zhang authored
      [ Upstream commit 88562f06 ]
      
      Fix up one typo: wr_dr_64b -> wr_ddr_64b.
      
      Fixes: 2bab3cf9 ("perf: hisi: Add support for HiSilicon SoC HHA PMU driver")
      Signed-off-by: default avatarShaokun Zhang <zhangshaokun@hisilicon.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Link: https://lore.kernel.org/r/1587643530-34357-1-git-send-email-zhangshaokun@hisilicon.comSigned-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b33fbf9
    • Peter Zijlstra's avatar
      sched/core: Fix illegal RCU from offline CPUs · 373491f1
      Peter Zijlstra authored
      [ Upstream commit bf2c59fc ]
      
      In the CPU-offline process, it calls mmdrop() after idle entry and the
      subsequent call to cpuhp_report_idle_dead(). Once execution passes the
      call to rcu_report_dead(), RCU is ignoring the CPU, which results in
      lockdep complaining when mmdrop() uses RCU from either memcg or
      debugobjects below.
      
      Fix it by cleaning up the active_mm state from BP instead. Every arch
      which has CONFIG_HOTPLUG_CPU should have already called idle_task_exit()
      from AP. The only exception is parisc because it switches them to
      &init_mm unconditionally (see smp_boot_one_cpu() and smp_cpu_init()),
      but the patch will still work there because it calls mmgrab(&init_mm) in
      smp_cpu_init() and then should call mmdrop(&init_mm) in finish_cpu().
      
        WARNING: suspicious RCU usage
        -----------------------------
        kernel/workqueue.c:710 RCU or wq_pool_mutex should be held!
      
        other info that might help us debug this:
      
        RCU used illegally from offline CPU!
        Call Trace:
         dump_stack+0xf4/0x164 (unreliable)
         lockdep_rcu_suspicious+0x140/0x164
         get_work_pool+0x110/0x150
         __queue_work+0x1bc/0xca0
         queue_work_on+0x114/0x120
         css_release+0x9c/0xc0
         percpu_ref_put_many+0x204/0x230
         free_pcp_prepare+0x264/0x570
         free_unref_page+0x38/0xf0
         __mmdrop+0x21c/0x2c0
         idle_task_exit+0x170/0x1b0
         pnv_smp_cpu_kill_self+0x38/0x2e0
         cpu_die+0x48/0x64
         arch_cpu_idle_dead+0x30/0x50
         do_idle+0x2f4/0x470
         cpu_startup_entry+0x38/0x40
         start_secondary+0x7a8/0xa80
         start_secondary_resume+0x10/0x14
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc)
      Link: https://lkml.kernel.org/r/20200401214033.8448-1-cai@lca.pwSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      373491f1
    • Jann Horn's avatar
      exit: Move preemption fixup up, move blocking operations down · fb020dcd
      Jann Horn authored
      [ Upstream commit 586b58ca ]
      
      With CONFIG_DEBUG_ATOMIC_SLEEP=y and CONFIG_CGROUPS=y, kernel oopses in
      non-preemptible context look untidy; after the main oops, the kernel prints
      a "sleeping function called from invalid context" report because
      exit_signals() -> cgroup_threadgroup_change_begin() -> percpu_down_read()
      can sleep, and that happens before the preempt_count_set(PREEMPT_ENABLED)
      fixup.
      
      It looks like the same thing applies to profile_task_exit() and
      kcov_task_exit().
      
      Fix it by moving the preemption fixup up and the calls to
      profile_task_exit() and kcov_task_exit() down.
      
      Fixes: 1dc0fffc ("sched/core: Robustify preemption leak checks")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Link: https://lkml.kernel.org/r/20200305220657.46800-1-jannh@google.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      fb020dcd