commit 5117c0a56aeeb3ab18fb91bd611e739fec3df9c0 Author: Greg Kroah-Hartman Date: Sun Jun 7 13:16:49 2020 +0200 Linux 5.6.17 commit 5438830ea8bc7e4d3bc606844d4f2f77d6e62ad7 Author: Dan Carpenter Date: Wed May 27 21:48:30 2020 +0300 airo: Fix read overflows sending packets commit 11e7a91994c29da96d847f676be023da6a2c1359 upstream. The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from skb->data even when skb->len is less than ETH_ZLEN so it leads to a read overflow. The fix is to pad skb->data to at least ETH_ZLEN bytes. Cc: Reported-by: Hu Jiahui Signed-off-by: Dan Carpenter Reviewed-by: Eric Dumazet Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda Signed-off-by: Greg Kroah-Hartman commit 897b7c720803aacf7c94a0054648210d7c737f06 Author: DENG Qingfang Date: Wed May 13 23:37:17 2020 +0800 net: dsa: mt7530: set CPU port to fallback mode commit 38152ea37d8bdaffa22603e0a5b5b86cfa8714c9 upstream. Currently, setting a bridge's self PVID to other value and deleting the default VID 1 renders untagged ports of that VLAN unable to talk to the CPU port: bridge vlan add dev br0 vid 2 pvid untagged self bridge vlan del dev br0 vid 1 self bridge vlan add dev sw0p0 vid 2 pvid untagged bridge vlan del dev sw0p0 vid 1 # br0 cannot send untagged frames out of sw0p0 anymore That is because the CPU port is set to security mode and its PVID is still 1, and untagged frames are dropped due to VLAN member violation. Set the CPU port to fallback mode so untagged frames can pass through. Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530") Signed-off-by: DENG Qingfang Reviewed-by: Florian Fainelli Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f9e1486e320b831fa5501414d403dad06e97a68e Author: Sakari Ailus Date: Wed Apr 15 17:40:09 2020 +0200 media: staging: ipu3-imgu: Move alignment attribute to field commit 8c038effd893920facedf18c2c0976cec4a33408 upstream. Move the alignment attribute of struct ipu3_uapi_awb_fr_config_s to the field in struct ipu3_uapi_4a_config, the other location where the struct is used. Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment") Reported-by: Tomasz Figa Tested-by: Bingbu Cao Cc: stable@vger.kernel.org # for v5.3 and up Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 75d1f73c2dcc00685169acecebe20a62fb6364c8 Author: Sakari Ailus Date: Wed Apr 15 17:34:05 2020 +0200 media: Revert "staging: imgu: Address a compiler warning on alignment" commit 81d1adeb52c97fbe097e8c94e36c3eb702cdb110 upstream. This reverts commit c9d52c114a9fcc61c30512c7f810247a9f2812af. The patch being reverted changed the memory layout of struct ipu3_uapi_acc_param. Revert it, and address the compiler warning issues in further patches. Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment") Reported-by: Tomasz Figa Tested-by: Bingbu Cao Cc: stable@vger.kernel.org # for v5.3 and up Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 5a8c9efd035ba8f1043de05cbdcc0bb79e516301 Author: Jérôme Pouiller Date: Mon May 11 18:19:02 2020 +0200 mmc: fix compilation of user API commit 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 upstream. The definitions of MMC_IOC_CMD and of MMC_IOC_MULTI_CMD rely on MMC_BLOCK_MAJOR: #define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd) #define MMC_IOC_MULTI_CMD _IOWR(MMC_BLOCK_MAJOR, 1, struct mmc_ioc_multi_cmd) However, MMC_BLOCK_MAJOR is defined in linux/major.h and linux/mmc/ioctl.h did not include it. Signed-off-by: Jérôme Pouiller Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200511161902.191405-1-Jerome.Pouiller@silabs.com Signed-off-by: Ulf Hansson Signed-off-by: Greg Kroah-Hartman commit ea6fe1d79ad03792f6f62804274d9c5ca9fa8391 Author: Daniel Axtens Date: Thu Jun 4 16:51:27 2020 -0700 kernel/relay.c: handle alloc_percpu returning NULL in relay_open commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream. alloc_percpu() may return NULL, which means chan->buf may be set to NULL. In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an invalid pointer: BUG: Unable to handle kernel data access at 0x7dae0000 Faulting instruction address: 0xc0000000003f3fec ... NIP relay_open+0x29c/0x600 LR relay_open+0x270/0x600 Call Trace: relay_open+0x264/0x600 (unreliable) __blk_trace_setup+0x254/0x600 blk_trace_setup+0x68/0xa0 sg_ioctl+0x7bc/0x2e80 do_vfs_ioctl+0x13c/0x1300 ksys_ioctl+0x94/0x130 sys_ioctl+0x48/0xb0 system_call+0x5c/0x68 Check if alloc_percpu returns NULL. This was found by syzkaller both on x86 and powerpc, and the reproducer it found on powerpc is capable of hitting the issue as an unprivileged user. Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com Signed-off-by: Daniel Axtens Signed-off-by: Andrew Morton Reviewed-by: Michael Ellerman Reviewed-by: Andrew Donnellan Acked-by: David Rientjes Cc: Akash Goel Cc: Andrew Donnellan Cc: Guenter Roeck Cc: Salvatore Bonaccorso Cc: [4.10+] Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1b6cffbf78e56d165d5b0c46c364ba77e416978b Author: Herbert Xu Date: Fri Apr 10 16:09:42 2020 +1000 crypto: api - Fix use-after-free and race in crypto_spawn_alg commit 6603523bf5e432c7c8490fb500793bb15d4e5f61 upstream. There are two problems in crypto_spawn_alg. First of all it may return spawn->alg even if spawn->dead is set. This results in a double-free as detected by syzbot. Secondly the setting of the DYING flag is racy because we hold the read-lock instead of the write-lock. We should instead call crypto_shoot_alg in a safe manner by gaining a refcount, dropping the lock, and then releasing the refcount. This patch fixes both problems. Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg") Fixes: 73669cc55646 ("crypto: api - Fix race condition in...") Cc: Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 9a9a8a25f2071f8abe7f94842dd754f27a74953d Author: Matthew Garrett Date: Wed Mar 18 16:07:48 2020 -0700 mt76: mt76x02u: Add support for newer versions of the XBox One wifi adapter commit b2934279c3e9719145ff4090d4ab951e340df17e upstream. The current version has a new USB ID and reports as an 0x7632 device. Adding the IDs results in it working out of the box. Signed-off-by: Matthew Garrett Signed-off-by: Felix Fietkau Signed-off-by: Greg Kroah-Hartman commit a8f56c58a4285fff89795ae3dc8b1b831082d062 Author: Giuseppe Marco Randazzo Date: Mon Apr 6 00:06:59 2020 +0200 p54usb: add AirVasT USB stick device-id commit 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 upstream. This patch adds the AirVasT USB wireless devices 124a:4026 to the list of supported devices. It's using the ISL3886 usb firmware. Without this modification, the wiki adapter is not recognized. Cc: Signed-off-by: Giuseppe Marco Randazzo Signed-off-by: Christian Lamparter [formatted, reworded] Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200405220659.45621-1-chunkeey@gmail.com Signed-off-by: Greg Kroah-Hartman commit a052bb6c199dae36e68aefee2b7c01ef94007840 Author: Julian Sax Date: Tue May 5 17:10:42 2020 +0200 HID: i2c-hid: add Schneider SCL142ALM to descriptor override commit 6507ef10660efdfee93f0f3b9fac24b5e4d83e56 upstream. This device uses the SIPODEV SP1064 touchpad, which does not supply descriptors, so it has to be added to the override list. Cc: stable@vger.kernel.org Signed-off-by: Julian Sax Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit a903ee0f5165aff1c8d0082442c82994759489b1 Author: Benjamin Tissoires Date: Tue May 26 17:07:17 2020 +0200 HID: multitouch: enable multi-input as a quirk for some devices commit 40d5bb87377a599d0405af765290f28aaa6abb1e upstream. Two touchpad/trackstick combos are currently not behaving properly. They define a mouse emulation collection, as per Win8 requirements, but also define a separate mouse collection for the trackstick. The way the kernel currently treat the collections is that it merges both in one device. However, given that the first mouse collection already defines X,Y and left, right buttons, when mapping the events from the second mouse collection, hid-multitouch sees that these events are already mapped, and simply ignores them. To be able to report events from the tracktick, add a new quirked class for it, and manually add the 2 devices we know about. Link: https://bugzilla.kernel.org/show_bug.cgi?id=207235 Cc: stable@vger.kernel.org Tested-by: Kai-Heng Feng Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit fb1186d9ea96c948e11001bc31f693b961934101 Author: Scott Shumate Date: Wed May 13 13:39:26 2020 -0500 HID: sony: Fix for broken buttons on DS3 USB dongles commit e72455b898ac678667c5674668186b4670d87d11 upstream. Fix for non-working buttons on knock-off USB dongles for Sony controllers. These USB dongles are used to connect older Sony DA/DS1/DS2 controllers via USB and are common on Amazon, AliExpress, etc. Without the patch, the square, X, and circle buttons do not function. These dongles used to work prior to kernel 4.10 but removing the global DS3 report fixup in commit e19a267b9987 ("HID: sony: DS3 comply to Linux gamepad spec") exposed the problem. Many people reported the problem on the Ubuntu forums and are working around the problem by falling back to the 4.9 hid-sony driver. The problem stems from these dongles incorrectly reporting their button count as 13 instead of 16. This patch fixes up the report descriptor by changing the button report count to 16 and removing 3 padding bits. Cc: stable@vger.kernel.org Fixes: e19a267b9987 ("HID: sony: DS3 comply to Linux gamepad spec") Signed-off-by: Scott Shumate Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 008c216f317bde31c3fd6fa9a4bc283814139e90 Author: Fan Yang Date: Thu Jun 4 18:22:07 2020 +0800 mm: Fix mremap not considering huge pmd devmap commit 5bfea2d9b17f1034a68147a8b03b9789af5700f9 upstream. The original code in mm/mremap.c checks huge pmd by: if (is_swap_pmd(*old_pmd) || pmd_trans_huge(*old_pmd)) { However, a DAX mapped nvdimm is mapped as huge page (by default) but it is not transparent huge page (_PAGE_PSE | PAGE_DEVMAP). This commit changes the condition to include the case. This addresses CVE-2020-10757. Fixes: 5c7fb56e5e3f ("mm, dax: dax-pmd vs thp-pmd vs hugetlbfs-pmd") Cc: Reported-by: Fan Yang Signed-off-by: Fan Yang Tested-by: Fan Yang Tested-by: Dan Williams Reviewed-by: Dan Williams Acked-by: Kirill A. Shutemov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b2146e81aff1a7345b75e4faf9a08551d4c39127 Author: Dinghao Liu Date: Sat May 23 16:08:20 2020 +0800 net: smsc911x: Fix runtime PM imbalance on error [ Upstream commit 539d39ad0c61b35f69565a037d7586deaf6d6166 ] Remove runtime PM usage counter decrement when the increment function has not been called to keep the counter balanced. Signed-off-by: Dinghao Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4e1fa0e4d8567f2c5fbbaa9fb835cf4e58a1e3fa Author: Tiezhu Yang Date: Fri May 22 19:03:21 2020 +0800 net: Fix return value about devm_platform_ioremap_resource() [ Upstream commit ef24d6c3d6965158dfe23ae961d87e9a343e18a2 ] When call function devm_platform_ioremap_resource(), we should use IS_ERR() to check the return value and return PTR_ERR() if failed. Signed-off-by: Tiezhu Yang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 481e9ce5c82a50e3fd4e0e5b25f049a57c5c5a9e Author: Amit Cohen Date: Thu May 21 15:11:45 2020 +0300 selftests: mlxsw: qos_mc_aware: Specify arping timeout as an integer [ Upstream commit 46ca11177ed593f39d534f8d2c74ec5344e90c11 ] Starting from iputils s20190709 (used in Fedora 31), arping does not support timeout being specified as a decimal: $ arping -c 1 -I swp1 -b 192.0.2.66 -q -w 0.1 arping: invalid argument: '0.1' Previously, such timeouts were rounded to an integer. Fix this by specifying the timeout as an integer. Fixes: a5ee171d087e ("selftests: mlxsw: qos_mc_aware: Add a test for UC awareness") Signed-off-by: Amit Cohen Reviewed-by: Petr Machata Signed-off-by: Ido Schimmel Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3eb22b4641cdcfbc0eecbe7a3221c325031677dc Author: Jonathan McDowell Date: Thu May 21 12:49:34 2020 +0100 net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x [ Upstream commit a96ac8a0045e3cbe3e5af6d1b3c78c6c2065dec5 ] The ipq806x_gmac_probe() function enables the PTP clock but not the appropriate interface clocks. This means that if the bootloader hasn't done so attempting to bring up the interface will fail with an error like: [ 59.028131] ipq806x-gmac-dwmac 37600000.ethernet: Failed to reset the dma [ 59.028196] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_hw_setup: DMA engine initialization failed [ 59.034056] ipq806x-gmac-dwmac 37600000.ethernet eth1: stmmac_open: Hw setup failed This patch, a slightly cleaned up version of one posted by Sergey Sergeev in: https://forum.openwrt.org/t/support-for-mikrotik-rb3011uias-rm/4064/257 correctly enables the clock; we have already configured the source just before this. Tested on a MikroTik RB3011. Signed-off-by: Jonathan McDowell Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2195f2d34b171d8a24081ec81de22169dc2cb57a Author: Valentin Longchamp Date: Wed May 20 17:53:50 2020 +0200 net/ethernet/freescale: rework quiesce/activate for ucc_geth [ Upstream commit 79dde73cf9bcf1dd317a2667f78b758e9fe139ed ] ugeth_quiesce/activate are used to halt the controller when there is a link change that requires to reconfigure the mac. The previous implementation called netif_device_detach(). This however causes the initial activation of the netdevice to fail precisely because it's detached. For details, see [1]. A possible workaround was the revert of commit net: linkwatch: add check for netdevice being present to linkwatch_do_dev However, the check introduced in the above commit is correct and shall be kept. The netif_device_detach() is thus replaced with netif_tx_stop_all_queues() that prevents any tranmission. This allows to perform mac config change required by the link change, without detaching the corresponding netdevice and thus not preventing its initial activation. [1] https://lists.openwall.net/netdev/2020/01/08/201 Signed-off-by: Valentin Longchamp Acked-by: Matteo Ghidoni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2d3832450a6bc656f830cddc07e18bf131580d26 Author: Wei Yongjun Date: Wed May 20 11:41:15 2020 +0800 net: ethernet: ti: fix some return value check of cpsw_ale_create() [ Upstream commit 3469660d1b15ccfdf7b33295c306b6298ca730aa ] cpsw_ale_create() can return both NULL and PTR_ERR(), but all of the caller only check NULL for error handling. This patch convert it to only return PTR_ERR() in all error cases, and the caller using IS_ERR() instead of NULL test. Fixes: 4b41d3436796 ("net: ethernet: ti: cpsw: allow untagged traffic on host port") Reported-by: Hulk Robot Signed-off-by: Wei Yongjun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dc93a4fb8ff2ae87f56ef816a1c7ca100723249f Author: Chaitanya Kulkarni Date: Wed May 20 16:01:51 2020 -0700 null_blk: return error for invalid zone size [ Upstream commit e274832590211c4b1b1e807ca66fad8b5bb8b328 ] In null_init_zone_dev() check if the zone size is larger than device capacity, return error if needed. This also fixes the following oops :- null_blk: changed the number of conventional zones to 4294967295 BUG: kernel NULL pointer dereference, address: 0000000000000010 PGD 7d76c5067 P4D 7d76c5067 PUD 7d240c067 PMD 0 Oops: 0002 [#1] SMP NOPTI CPU: 4 PID: 5508 Comm: nullbtests.sh Tainted: G OE 5.7.0-rc4lblk-fnext0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e4 RIP: 0010:null_init_zoned_dev+0x17a/0x27f [null_blk] RSP: 0018:ffffc90007007e00 EFLAGS: 00010246 RAX: 0000000000000020 RBX: ffff8887fb3f3c00 RCX: 0000000000000007 RDX: 0000000000000000 RSI: ffff8887ca09d688 RDI: ffff888810fea510 RBP: 0000000000000010 R08: ffff8887ca09d688 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8887c26e8000 R13: ffffffffa05e9390 R14: 0000000000000000 R15: 0000000000000001 FS: 00007fcb5256f740(0000) GS:ffff888810e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 000000081e8fe000 CR4: 00000000003406e0 Call Trace: null_add_dev+0x534/0x71b [null_blk] nullb_device_power_store.cold.41+0x8/0x2e [null_blk] configfs_write_file+0xe6/0x150 vfs_write+0xba/0x1e0 ksys_write+0x5f/0xe0 do_syscall_64+0x60/0x250 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x7fcb51c71840 Signed-off-by: Chaitanya Kulkarni Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit fce90e2b4c37bd8229a2e66730425df3edf29114 Author: Jason A. Donenfeld Date: Tue May 19 22:49:27 2020 -0600 wireguard: selftests: use newer iproute2 for gcc-10 [ Upstream commit ee3c1aa3f34b7842c1557cfe5d8c3f7b8c692de8 ] gcc-10 switched to defaulting to -fno-common, which broke iproute2-5.4. This was fixed in iproute-5.6, so switch to that. Because we're after a stable testing surface, we generally don't like to bump these unnecessarily, but in this case, being able to actually build is a basic necessity. Signed-off-by: Jason A. Donenfeld Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9ee1f45062aa4f326c17cd9af033c030dc4d918f Author: Kefeng Wang Date: Thu May 14 19:53:35 2020 +0800 riscv: Fix print_vm_layout build error if NOMMU [ Upstream commit 8fa3cdff05f009855a6a99a7d77a41004009bbab ] arch/riscv/mm/init.c: In function ‘print_vm_layout’: arch/riscv/mm/init.c:68:37: error: ‘FIXADDR_START’ undeclared (first use in this function); arch/riscv/mm/init.c:69:20: error: ‘FIXADDR_TOP’ undeclared arch/riscv/mm/init.c:70:37: error: ‘PCI_IO_START’ undeclared arch/riscv/mm/init.c:71:20: error: ‘PCI_IO_END’ undeclared arch/riscv/mm/init.c:72:38: error: ‘VMEMMAP_START’ undeclared arch/riscv/mm/init.c:73:20: error: ‘VMEMMAP_END’ undeclared (first use in this function); Reported-by: Hulk Robot Signed-off-by: Kefeng Wang Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit f5db7276340cbdfbaf84fba2116996b669e6dc82 Author: Vladimir Stempen Date: Tue Apr 28 13:04:35 2020 -0400 drm/amd/display: DP training to set properly SCRAMBLING_DISABLE [ Upstream commit b6ef55ccba7ed00fc10e3e6f619c8f886162427f ] [Why] DP training sequence to set SCRAMBLING_DISABLE bit properly based on training pattern - per DP Spec. [How] Update dpcd_pattern.v1_4.SCRAMBLING_DISABLE with 1 for TPS1, TPS2, TPS3, but not for TPS4. Signed-off-by: Vladimir Stempen Reviewed-by: Wenjing Liu Acked-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 072b178cfb53d8260c565db84a9ce20deaf9c335 Author: Xiaoguang Wang Date: Wed May 20 21:24:35 2020 +0800 io_uring: reset -EBUSY error when io sq thread is waken up [ Upstream commit d4ae271dfaae2a5f41c015f2f20d62a1deeec734 ] In io_sq_thread(), currently if we get an -EBUSY error and go to sleep, we will won't clear it again, which will result in io_sq_thread() will never have a chance to submit sqes again. Below test program test.c can reveal this bug: int main(int argc, char *argv[]) { struct io_uring ring; int i, fd, ret; struct io_uring_sqe *sqe; struct io_uring_cqe *cqe; struct iovec *iovecs; void *buf; struct io_uring_params p; if (argc < 2) { printf("%s: file\n", argv[0]); return 1; } memset(&p, 0, sizeof(p)); p.flags = IORING_SETUP_SQPOLL; ret = io_uring_queue_init_params(4, &ring, &p); if (ret < 0) { fprintf(stderr, "queue_init: %s\n", strerror(-ret)); return 1; } fd = open(argv[1], O_RDONLY | O_DIRECT); if (fd < 0) { perror("open"); return 1; } iovecs = calloc(10, sizeof(struct iovec)); for (i = 0; i < 10; i++) { if (posix_memalign(&buf, 4096, 4096)) return 1; iovecs[i].iov_base = buf; iovecs[i].iov_len = 4096; } ret = io_uring_register_files(&ring, &fd, 1); if (ret < 0) { fprintf(stderr, "%s: register %d\n", __FUNCTION__, ret); return ret; } for (i = 0; i < 10; i++) { sqe = io_uring_get_sqe(&ring); if (!sqe) break; io_uring_prep_readv(sqe, 0, &iovecs[i], 1, 0); sqe->flags |= IOSQE_FIXED_FILE; ret = io_uring_submit(&ring); sleep(1); printf("submit %d\n", i); } for (i = 0; i < 10; i++) { io_uring_wait_cqe(&ring, &cqe); printf("receive: %d\n", i); if (cqe->res != 4096) { fprintf(stderr, "ret=%d, wanted 4096\n", cqe->res); ret = 1; } io_uring_cqe_seen(&ring, cqe); } close(fd); io_uring_queue_exit(&ring); return 0; } sudo ./test testfile above command will hang on the tenth request, to fix this bug, when io sq_thread is waken up, we reset the variable 'ret' to be zero. Suggested-by: Jens Axboe Signed-off-by: Xiaoguang Wang Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit f57b5dd4694da1ad4604ae70cb10cc52c852bf52 Author: Gerald Schaefer Date: Wed May 6 13:04:07 2020 +0200 s390/mm: fix set_huge_pte_at() for empty ptes [ Upstream commit ac8372f3b4e41015549b331a4f350224661e7fc6 ] On s390, the layout of normal and large ptes (i.e. pmds/puds) differs. Therefore, set_huge_pte_at() does a conversion from a normal pte to the corresponding large pmd/pud. So, when converting an empty pte, this should result in an empty pmd/pud, which would return true for pmd/pud_none(). However, after conversion we also mark the pmd/pud as large, and therefore present. For empty ptes, this will result in an empty pmd/pud that is also marked as large, and pmd/pud_none() would not return true. There is currently no issue with this behaviour, as set_huge_pte_at() does not seem to be called for empty ptes. It would be valid though, so let's fix this by not marking empty ptes as large in set_huge_pte_at(). This was found by testing a patch from from Anshuman Khandual, which is currently discussed on LKML ("mm/debug: Add more arch page table helper tests"). Signed-off-by: Gerald Schaefer Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 195c164547953ede4994b23cb913f9e1849649fc Author: Jan Schmidt Date: Fri May 8 04:06:28 2020 +1000 drm/edid: Add Oculus Rift S to non-desktop list [ Upstream commit 5a3f610877e9d08968ea7237551049581f02b163 ] Add a quirk for the Oculus Rift S OVR0012 display so it shows up as a non-desktop display. Signed-off-by: Jan Schmidt Signed-off-by: Dave Airlie Link: https://patchwork.freedesktop.org/patch/msgid/20200507180628.740936-1-jan@centricular.com Signed-off-by: Sasha Levin commit 68a61d5acc8ba9caa632f31cf1cc1879e948671a Author: Jeremy Kerr Date: Tue May 19 09:05:58 2020 +0800 net: bmac: Fix read of MAC address from ROM [ Upstream commit ef01cee2ee1b369c57a936166483d40942bcc3e3 ] In bmac_get_station_address, We're reading two bytes at a time from ROM, but we do that six times, resulting in 12 bytes of read & writes. This means we will write off the end of the six-byte destination buffer. This change fixes the for-loop to only read/write six bytes. Based on a proposed fix from Finn Thain . Signed-off-by: Jeremy Kerr Reported-by: Stan Johnson Tested-by: Stan Johnson Reported-by: Finn Thain Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 86941e3bef305ed0631c8320aa114d120c440261 Author: Nathan Chancellor Date: Wed Apr 8 13:53:23 2020 -0700 x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables [ Upstream commit d7110a26e5905ec2fe3fc88bc6a538901accb72b ] When building with Clang + -Wtautological-compare and CONFIG_CPUMASK_OFFSTACK unset: arch/x86/mm/mmio-mod.c:375:6: warning: comparison of array 'downed_cpus' equal to a null pointer is always false [-Wtautological-pointer-compare] if (downed_cpus == NULL && ^~~~~~~~~~~ ~~~~ arch/x86/mm/mmio-mod.c:405:6: warning: comparison of array 'downed_cpus' equal to a null pointer is always false [-Wtautological-pointer-compare] if (downed_cpus == NULL || cpumask_weight(downed_cpus) == 0) ^~~~~~~~~~~ ~~~~ 2 warnings generated. Commit f7e30f01a9e2 ("cpumask: Add helper cpumask_available()") added cpumask_available() to fix warnings of this nature. Use that here so that clang does not warn regardless of CONFIG_CPUMASK_OFFSTACK's value. Reported-by: Sedat Dilek Signed-off-by: Nathan Chancellor Signed-off-by: Borislav Petkov Reviewed-by: Nick Desaulniers Acked-by: Steven Rostedt (VMware) Link: https://github.com/ClangBuiltLinux/linux/issues/982 Link: https://lkml.kernel.org/r/20200408205323.44490-1-natechancellor@gmail.com Signed-off-by: Sasha Levin commit cf8ca068f20128dddf0e81d1ecb05fcd960ed59d Author: Leon Romanovsky Date: Sun May 17 14:53:40 2020 +0300 net: phy: propagate an error back to the callers of phy_sfp_probe [ Upstream commit e3f2d5579c0b8ad9d1fb6a5813cee38a86386e05 ] The compilation warning below reveals that the errors returned from the sfp_bus_add_upstream() call are not propagated to the callers. Fix it by returning "ret". 14:37:51 drivers/net/phy/phy_device.c: In function 'phy_sfp_probe': 14:37:51 drivers/net/phy/phy_device.c:1236:6: warning: variable 'ret' set but not used [-Wunused-but-set-variable] 14:37:51 1236 | int ret; 14:37:51 | ^~~ Fixes: 298e54fa810e ("net: phy: add core phylib sfp support") Signed-off-by: Leon Romanovsky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a04fbca67f33e7d76dcb4779e54b8184f7329c9d Author: Pavel Begunkov Date: Sun May 17 14:02:12 2020 +0300 io_uring: fix FORCE_ASYNC req preparation [ Upstream commit bd2ab18a1d6267446eae1b47dd839050452bdf7f ] As for other not inlined requests, alloc req->io for FORCE_ASYNC reqs, so they can be prepared properly. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e22e5e5e7f41134adb05afe46f7f134a4519fb46 Author: Pavel Begunkov Date: Sun May 17 14:02:11 2020 +0300 io_uring: don't prepare DRAIN reqs twice [ Upstream commit 650b548129b60b0d23508351800108196f4aa89f ] If req->io is not NULL, it's already prepared. Don't do it again, it's dangerous. Signed-off-by: Pavel Begunkov Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 566f16e2d62fb3817529a05147ef46046ecffe6a Author: Jens Axboe Date: Sun May 17 09:20:00 2020 -0600 io_uring: initialize ctx->sqo_wait earlier [ Upstream commit 583863ed918136412ddf14de2e12534f17cfdc6f ] Ensure that ctx->sqo_wait is initialized as soon as the ctx is allocated, instead of deferring it to the offload setup. This fixes a syzbot reported lockdep complaint, which is really due to trying to wake_up on an uninitialized wait queue: RSP: 002b:00007fffb1fb9aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441319 RDX: 0000000000000001 RSI: 0000000020000140 RDI: 000000000000047b RBP: 0000000000010475 R08: 0000000000000001 R09: 00000000004002c8 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402260 R13: 00000000004022f0 R14: 0000000000000000 R15: 0000000000000000 INFO: trying to register non-static key. the code is fine but needs lockdep annotation. turning off the locking correctness validator. CPU: 1 PID: 7090 Comm: syz-executor222 Not tainted 5.7.0-rc1-next-20200415-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 assign_lock_key kernel/locking/lockdep.c:913 [inline] register_lock_class+0x1664/0x1760 kernel/locking/lockdep.c:1225 __lock_acquire+0x104/0x4c50 kernel/locking/lockdep.c:4234 lock_acquire+0x1f2/0x8f0 kernel/locking/lockdep.c:4934 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] _raw_spin_lock_irqsave+0x8c/0xbf kernel/locking/spinlock.c:159 __wake_up_common_lock+0xb4/0x130 kernel/sched/wait.c:122 io_cqring_ev_posted+0xa5/0x1e0 fs/io_uring.c:1160 io_poll_remove_all fs/io_uring.c:4357 [inline] io_ring_ctx_wait_and_kill+0x2bc/0x5a0 fs/io_uring.c:7305 io_uring_create fs/io_uring.c:7843 [inline] io_uring_setup+0x115e/0x22b0 fs/io_uring.c:7870 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x441319 Code: e8 5c ae 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 bb 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fffb1fb9aa8 EFLAGS: 00000246 ORIG_RAX: 00000000000001a9 Reported-by: syzbot+8c91f5d054e998721c57@syzkaller.appspotmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 7ca1ef4626ce86ca1b2d093e255d5bd0c5a11f42 Author: Atsushi Nemoto Date: Fri May 8 22:12:48 2020 +0900 i2c: altera: Fix race between xfer_msg and isr thread [ Upstream commit 5d4c7977499a736f3f80826bdc9744344ad55589 ] Use a mutex to protect access to idev->msg_len, idev->buf, etc. which are modified by both altr_i2c_xfer_msg() and altr_i2c_isr(). This is the minimal fix for easy backporting. A cleanup to remove the spinlock will be added later. Signed-off-by: Atsushi Nemoto Acked-by: Thor Thayer [wsa: updated commit message] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 9a05a7b37fb1a8dc3b56ea79a512f530fededc6b Author: Peter Ujfalusi Date: Tue May 12 16:45:31 2020 +0300 dmaengine: ti: k3-udma: Fix TR mode flags for slave_sg and memcpy [ Upstream commit be4054b8b6671ebc977eb7774b8e889d2d05d3e3 ] cppi5_tr_csf_set() clears previously set Configuration Specific Flags. Setting the EOP flag clears the SUPR_EVT flag for the last TR which is not desirable as we do not want to have events from the TR. Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20200512134531.5742-1-peter.ujfalusi@ti.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ded1fa1f5b7d1486f8d02b79c9d773332b2951f4 Author: Vitaly Kuznetsov Date: Tue May 12 18:01:53 2020 +0200 x86/hyperv: Properly suspend/resume reenlightenment notifications [ Upstream commit 38dce4195f0daefb566279fd9fd51e1fbd62ae1b ] Errors during hibernation with reenlightenment notifications enabled were reported: [ 51.730435] PM: hibernation entry [ 51.737435] PM: Syncing filesystems ... ... [ 54.102216] Disabling non-boot CPUs ... [ 54.106633] smpboot: CPU 1 is now offline [ 54.110006] unchecked MSR access error: WRMSR to 0x40000106 (tried to write 0x47c72780000100ee) at rIP: 0xffffffff90062f24 native_write_msr+0x4/0x20) [ 54.110006] Call Trace: [ 54.110006] hv_cpu_die+0xd9/0xf0 ... Normally, hv_cpu_die() just reassigns reenlightenment notifications to some other CPU when the CPU receiving them goes offline. Upon hibernation, there is no other CPU which is still online so cpumask_any_but(cpu_online_mask) returns >= nr_cpu_ids and using it as hv_vp_index index is incorrect. Disable the feature when cpumask_any_but() fails. Also, as we now disable reenlightenment notifications upon hibernation we need to restore them on resume. Check if hv_reenlightenment_cb was previously set and restore from hv_resume(). Signed-off-by: Vitaly Kuznetsov Reviewed-by: Dexuan Cui Reviewed-by: Tianyu Lan Link: https://lore.kernel.org/r/20200512160153.134467-1-vkuznets@redhat.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 98b034fecfc32a2abe27bf1d88ea5b9f4591c64f Author: Dave Young Date: Sun Apr 12 10:49:27 2020 +0800 efi/earlycon: Fix early printk for wider fonts [ Upstream commit 8f592ada59b321d248391bae175cd78a12972223 ] When I play with terminus fonts I noticed the efi early printk does not work because the earlycon code assumes font width is 8. Here add the code to adapt with larger fonts. Tested with all kinds of kernel built-in fonts on my laptop. Also tested with a local draft patch for 14x28 !bold terminus font. Signed-off-by: Dave Young Link: https://lore.kernel.org/r/20200412024927.GA6884@dhcp-128-65.nay.redhat.com Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit be1c731c666bf0f076fd7ba22d03e8c10ba18fab Author: Can Guo Date: Tue May 5 21:55:35 2020 -0700 scsi: pm: Balance pm_only counter of request queue during system resume [ Upstream commit 05d18ae1cc8a0308b12f37b4ab94afce3535fac9 ] During system resume, scsi_resume_device() decreases a request queue's pm_only counter if the scsi device was quiesced before. But after that, if the scsi device's RPM status is RPM_SUSPENDED, the pm_only counter is still held (non-zero). Current SCSI resume hook only sets the RPM status of the scsi_device and its request queue to RPM_ACTIVE, but leaves the pm_only counter unchanged. This may make the request queue's pm_only counter remain non-zero after resume hook returns, hence those who are waiting on the mq_freeze_wq would never be woken up. Fix this by calling blk_post_runtime_resume() if a sdev's RPM status was RPM_SUSPENDED. (struct request_queue)0xFFFFFF815B69E938 pm_only = (counter = 2), rpm_status = 0, dev = 0xFFFFFF815B0511A0, ((struct device)0xFFFFFF815B0511A0)).power is_suspended = FALSE, runtime_status = RPM_ACTIVE, (struct scsi_device)0xffffff815b051000 request_queue = 0xFFFFFF815B69E938, sdev_state = SDEV_RUNNING, quiesced_by = 0x0, B::v.f_/task_0xFFFFFF810C246940 -000|__switch_to(prev = 0xFFFFFF810C246940, next = 0xFFFFFF80A49357C0) -001|context_switch(inline) -001|__schedule(?) -002|schedule() -003|blk_queue_enter(q = 0xFFFFFF815B69E938, flags = 0) -004|generic_make_request(?) -005|submit_bio(bio = 0xFFFFFF80A8195B80) Link: https://lore.kernel.org/r/1588740936-28846-1-git-send-email-cang@codeaurora.org Reviewed-by: Bart Van Assche Signed-off-by: Can Guo Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aa98514b3cc2681769ed307b92eeabec3e07aa72 Author: Madhuparna Bhowmik Date: Thu Apr 30 21:32:05 2020 +0530 evm: Fix RCU list related warnings [ Upstream commit 770f60586d2af0590be263f55fd079226313922c ] This patch fixes the following warning and few other instances of traversal of evm_config_xattrnames list: [ 32.848432] ============================= [ 32.848707] WARNING: suspicious RCU usage [ 32.848966] 5.7.0-rc1-00006-ga8d5875ce5f0b #1 Not tainted [ 32.849308] ----------------------------- [ 32.849567] security/integrity/evm/evm_main.c:231 RCU-list traversed in non-reader section!! Since entries are only added to the list and never deleted, use list_for_each_entry_lockless() instead of list_for_each_entry_rcu for traversing the list. Also, add a relevant comment in evm_secfs.c to indicate this fact. Reported-by: kernel test robot Suggested-by: Paul E. McKenney Signed-off-by: Madhuparna Bhowmik Acked-by: Paul E. McKenney (RCU viewpoint) Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit b3482a7a86eb9e3ba9a10bac282478e9a04804fa Author: Heinrich Schuchardt Date: Sun Apr 26 21:49:46 2020 +0200 efi/libstub: Avoid returning uninitialized data from setup_graphics() [ Upstream commit 081d5150845ba3fa49151a2f55d3cc03b0987509 ] Currently, setup_graphics() ignores the return value of efi_setup_gop(). As AllocatePool() does not zero out memory, the screen information table will contain uninitialized data in this case. We should free the screen information table if efi_setup_gop() returns an error code. Signed-off-by: Heinrich Schuchardt Link: https://lore.kernel.org/r/20200426194946.112768-1-xypron.glpk@gmx.de Signed-off-by: Ard Biesheuvel Signed-off-by: Sasha Levin commit 46f4a75fb5034c8d80a5388fe3bb46a8ed05df5b Author: Vineet Gupta Date: Tue Apr 14 11:41:51 2020 -0700 ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT [ Upstream commit 799587d5731db9dcdafaac4002463aa7d9cd6cf7 ] Elide invalid configuration EZNPS + ARCv2, triggered by a make allyesconfig build. Granted the root cause is in source code (asm/barrier.h) where we check for ARCv2 before PLAT_EZNPS, but it is better to avoid such combinations at onset rather then baking subtle nuances into code. Reported-by: kbuild test robot Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 1b7e8a989cdc08b04ce5f435bdb93f58ca35edc2 Author: Eugeniy Paltsev Date: Thu Apr 2 20:54:28 2020 +0300 ARC: Fix ICCM & DCCM runtime size checks [ Upstream commit 43900edf67d7ef3ac8909854d75b8a1fba2d570c ] As of today the ICCM and DCCM size checks are incorrectly using mismatched units (KiB checked against bytes). The CONFIG_ARC_DCCM_SZ and CONFIG_ARC_ICCM_SZ are in KiB, but the size calculated in runtime and stored in cpu->dccm.sz and cpu->iccm.sz is in bytes. Fix that. Reported-by: Paul Greco Signed-off-by: Eugeniy Paltsev Signed-off-by: Vineet Gupta Signed-off-by: Sasha Levin commit 9cf5d5444c78c14bb9f90dd21cef361ee14ba64b Author: Tejun Heo Date: Thu Apr 9 14:55:35 2020 -0400 Revert "cgroup: Add memory barriers to plug cgroup_rstat_updated() race window" [ Upstream commit d8ef4b38cb69d907f9b0e889c44d05fc0f890977 ] This reverts commit 9a9e97b2f1f2 ("cgroup: Add memory barriers to plug cgroup_rstat_updated() race window"). The commit was added in anticipation of memcg rstat conversion which needed synchronous accounting for the event counters (e.g. oom kill count). However, the conversion didn't get merged due to percpu memory overhead concern which couldn't be addressed at the time. Unfortunately, the patch's addition of smp_mb() to cgroup_rstat_updated() meant that every scheduling event now had to go through an additional full barrier and Mel Gorman noticed it as 1% regression in netperf UDP_STREAM test. There's no need to have this barrier in tree now and even if we need synchronous accounting in the future, the right thing to do is separating that out to a separate function so that hot paths which don't care about synchronous behavior don't have to pay the overhead of the full barrier. Let's revert. Signed-off-by: Tejun Heo Reported-by: Mel Gorman Link: http://lkml.kernel.org/r/20200409154413.GK3818@techsingularity.net Cc: v4.18+ Signed-off-by: Sasha Levin commit 2df9b670ad1a2120f54982e1b1dfd17a6ce3cc0c Author: Andy Lutomirski Date: Fri May 8 17:25:32 2020 -0700 x86/syscalls: Revert "x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long" [ Upstream commit 700d3a5a664df267f01ec8887fd2d8ff98f67e7f ] Revert 45e29d119e99 ("x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long") and add a comment to discourage someone else from making the same mistake again. It turns out that some user code fails to compile if __X32_SYSCALL_BIT is unsigned long. See, for example [1] below. [ bp: Massage and do the same thing in the respective tools/ header. ] Fixes: 45e29d119e99 ("x86/syscalls: Make __X32_SYSCALL_BIT be unsigned long") Reported-by: Thorsten Glaser Signed-off-by: Andy Lutomirski Signed-off-by: Borislav Petkov Cc: stable@kernel.org Link: [1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=954294 Link: https://lkml.kernel.org/r/92e55442b744a5951fdc9cfee10badd0a5f7f828.1588983892.git.luto@kernel.org Signed-off-by: Sasha Levin