From: Luo Meng luomeng12@huawei.com
[ Upstream commit 16238415eb9886328a89fe7a3cb0b88c7335fe16 ]
When the sum of fl->fl_start and l->l_len overflows, UBSAN shows the following warning:
UBSAN: Undefined behaviour in fs/locks.c:482:29 signed integer overflow: 2 + 9223372036854775806 cannot be represented in type 'long long int' Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0xe4/0x14e lib/dump_stack.c:118 ubsan_epilogue+0xe/0x81 lib/ubsan.c:161 handle_overflow+0x193/0x1e2 lib/ubsan.c:192 flock64_to_posix_lock fs/locks.c:482 [inline] flock_to_posix_lock+0x595/0x690 fs/locks.c:515 fcntl_setlk+0xf3/0xa90 fs/locks.c:2262 do_fcntl+0x456/0xf60 fs/fcntl.c:387 __do_sys_fcntl fs/fcntl.c:483 [inline] __se_sys_fcntl fs/fcntl.c:468 [inline] __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:468 do_syscall_64+0xc8/0x5a0 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fix it by parenthesizing 'l->l_len - 1'.
Signed-off-by: Luo Meng luomeng12@huawei.com Signed-off-by: Jeff Layton jlayton@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/locks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/locks.c b/fs/locks.c index 8252647c6084f..edae232dfc864 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -471,7 +471,7 @@ static int flock64_to_posix_lock(struct file *filp, struct file_lock *fl, if (l->l_len > 0) { if (l->l_len - 1 > OFFSET_MAX - fl->fl_start) return -EOVERFLOW; - fl->fl_end = fl->fl_start + l->l_len - 1; + fl->fl_end = fl->fl_start + (l->l_len - 1);
} else if (l->l_len < 0) { if (fl->fl_start + l->l_len < 0)
From: Arnd Bergmann arnd@arndb.de
[ Upstream commit d9594e0409651a237903a13c9718df889f43d43b ]
clang warns about additions on NULL pointers being undefined in C:
security/tomoyo/securityfs_if.c:226:59: warning: arithmetic on a null pointer treated as a cast from integer to pointer is a GNU extension [-Wnull-pointer-arithmetic] securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key,
Change the code to instead use a cast through uintptr_t to avoid the warning.
Signed-off-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Tetsuo Handa penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Sasha Levin sashal@kernel.org --- security/tomoyo/securityfs_if.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/tomoyo/securityfs_if.c b/security/tomoyo/securityfs_if.c index 06ab41b1ff286..7590dee59f02f 100644 --- a/security/tomoyo/securityfs_if.c +++ b/security/tomoyo/securityfs_if.c @@ -130,8 +130,8 @@ static const struct file_operations tomoyo_self_operations = { */ static int tomoyo_open(struct inode *inode, struct file *file) { - const int key = ((u8 *) file_inode(file)->i_private) - - ((u8 *) NULL); + const u8 key = (uintptr_t) file_inode(file)->i_private; + return tomoyo_open_control(key, file); }
@@ -222,7 +222,7 @@ static const struct file_operations tomoyo_operations = { static void __init tomoyo_create_entry(const char *name, const umode_t mode, struct dentry *parent, const u8 key) { - securityfs_create_file(name, mode, parent, ((u8 *) NULL) + key, + securityfs_create_file(name, mode, parent, (void *) (uintptr_t) key, &tomoyo_operations); }
From: Zhang Qilong zhangqilong3@huawei.com
[ Upstream commit 383e8a823014532ffd81c787ef9009f1c2bd3b79 ]
pm_runtime_get_sync() will increment pm usage counter even when it returns an error code. We should call put operation in error handling paths of omap_aes_hw_init.
Signed-off-by: Zhang Qilong zhangqilong3@huawei.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/crypto/omap-aes.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/crypto/omap-aes.c b/drivers/crypto/omap-aes.c index fe32dd95ae4ff..717cde167873a 100644 --- a/drivers/crypto/omap-aes.c +++ b/drivers/crypto/omap-aes.c @@ -251,6 +251,7 @@ static int omap_aes_hw_init(struct omap_aes_dev *dd)
err = pm_runtime_get_sync(dd->dev); if (err < 0) { + pm_runtime_put_noidle(dd->dev); dev_err(dd->dev, "failed to get sync: %d\n", err); return err; }
From: Randy Dunlap rdunlap@infradead.org
[ Upstream commit 9364a2cf567187c0a075942c22d1f434c758de5d ]
Fix build errors when CONFIG_NET is not enabled. E.g. (trimmed):
ld: drivers/staging/wimax/op-msg.o: in function `wimax_msg_alloc': op-msg.c:(.text+0xa9): undefined reference to `__alloc_skb' ld: op-msg.c:(.text+0xcc): undefined reference to `genlmsg_put' ld: op-msg.c:(.text+0xfc): undefined reference to `nla_put' ld: op-msg.c:(.text+0x168): undefined reference to `kfree_skb' ld: drivers/staging/wimax/op-msg.o: in function `wimax_msg_data_len': op-msg.c:(.text+0x1ba): undefined reference to `nla_find' ld: drivers/staging/wimax/op-msg.o: in function `wimax_msg_send': op-msg.c:(.text+0x311): undefined reference to `init_net' ld: op-msg.c:(.text+0x326): undefined reference to `netlink_broadcast' ld: drivers/staging/wimax/stack.o: in function `__wimax_state_change': stack.c:(.text+0x433): undefined reference to `netif_carrier_off' ld: stack.c:(.text+0x46b): undefined reference to `netif_carrier_on' ld: stack.c:(.text+0x478): undefined reference to `netif_tx_wake_queue' ld: drivers/staging/wimax/stack.o: in function `wimax_subsys_exit': stack.c:(.exit.text+0xe): undefined reference to `genl_unregister_family' ld: drivers/staging/wimax/stack.o: in function `wimax_subsys_init': stack.c:(.init.text+0x1a): undefined reference to `genl_register_family'
Cc: Greg Kroah-Hartman gregkh@linuxfoundation.org Cc: Jakub Kicinski kuba@kernel.org Cc: Arnd Bergmann arnd@arndb.de Cc: netdev@vger.kernel.org Acked-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Randy Dunlap rdunlap@infradead.org Link: https://lore.kernel.org/r/20201102072456.20303-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/wimax/Kconfig | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/wimax/Kconfig b/net/wimax/Kconfig index e4d97ab476d58..945bdf4738eb6 100644 --- a/net/wimax/Kconfig +++ b/net/wimax/Kconfig @@ -4,6 +4,7 @@
menuconfig WIMAX tristate "WiMAX Wireless Broadband support" + depends on NET depends on RFKILL || !RFKILL help
From: akshatzen akshatzen@google.com
[ Upstream commit 48cd6b38eb4f2874f091c4776ea1c26e7e4f967e ]
In function check_fw_ready() we busy wait using udelay. The CPU is not released and we see need_resched failures.
Busy waiting is not necessary since we are in process context and we can sleep instead. Replace udelay with msleep of 20 ms intervals while waiting for firmware to become ready.
It has been verified that check_fw_ready is not being used in interrupt context anywhere, hence it is safe to make this change.
Link: https://lore.kernel.org/r/20201102165528.26510-4-Viswas.G@microchip.com.com Acked-by: Jack Wang jinpu.wang@cloud.ionos.com Signed-off-by: akshatzen akshatzen@google.com Signed-off-by: Viswas G Viswas.G@microchip.com Signed-off-by: Ruksar Devadi Ruksar.devadi@microchip.com Signed-off-by: Radha Ramachandran radha@google.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/scsi/pm8001/pm80xx_hwi.c | 21 +++++++++++---------- drivers/scsi/pm8001/pm80xx_hwi.h | 6 ++++++ 2 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/pm8001/pm80xx_hwi.c b/drivers/scsi/pm8001/pm80xx_hwi.c index df5f0bc295875..50e0890ddc678 100644 --- a/drivers/scsi/pm8001/pm80xx_hwi.c +++ b/drivers/scsi/pm8001/pm80xx_hwi.c @@ -692,6 +692,7 @@ static int mpi_init_check(struct pm8001_hba_info *pm8001_ha)
/** * check_fw_ready - The LLDD check if the FW is ready, if not, return error. + * This function sleeps hence it must not be used in atomic context. * @pm8001_ha: our hba card information */ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha) @@ -702,16 +703,16 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha) int ret = 0;
/* reset / PCIe ready */ - max_wait_time = max_wait_count = 100 * 1000; /* 100 milli sec */ + max_wait_time = max_wait_count = 5; /* 100 milli sec */ do { - udelay(1); + msleep(FW_READY_INTERVAL); value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1); } while ((value == 0xFFFFFFFF) && (--max_wait_count));
/* check ila status */ - max_wait_time = max_wait_count = 1000 * 1000; /* 1000 milli sec */ + max_wait_time = max_wait_count = 50; /* 1000 milli sec */ do { - udelay(1); + msleep(FW_READY_INTERVAL); value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1); } while (((value & SCRATCH_PAD_ILA_READY) != SCRATCH_PAD_ILA_READY) && (--max_wait_count)); @@ -724,9 +725,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha) }
/* check RAAE status */ - max_wait_time = max_wait_count = 1800 * 1000; /* 1800 milli sec */ + max_wait_time = max_wait_count = 90; /* 1800 milli sec */ do { - udelay(1); + msleep(FW_READY_INTERVAL); value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1); } while (((value & SCRATCH_PAD_RAAE_READY) != SCRATCH_PAD_RAAE_READY) && (--max_wait_count)); @@ -739,9 +740,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha) }
/* check iop0 status */ - max_wait_time = max_wait_count = 600 * 1000; /* 600 milli sec */ + max_wait_time = max_wait_count = 30; /* 600 milli sec */ do { - udelay(1); + msleep(FW_READY_INTERVAL); value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1); } while (((value & SCRATCH_PAD_IOP0_READY) != SCRATCH_PAD_IOP0_READY) && (--max_wait_count)); @@ -757,9 +758,9 @@ static int check_fw_ready(struct pm8001_hba_info *pm8001_ha) if ((pm8001_ha->chip_id != chip_8008) && (pm8001_ha->chip_id != chip_8009)) { /* 200 milli sec */ - max_wait_time = max_wait_count = 200 * 1000; + max_wait_time = max_wait_count = 10; do { - udelay(1); + msleep(FW_READY_INTERVAL); value = pm8001_cr32(pm8001_ha, 0, MSGU_SCRATCH_PAD_1); } while (((value & SCRATCH_PAD_IOP1_READY) != SCRATCH_PAD_IOP1_READY) && (--max_wait_count)); diff --git a/drivers/scsi/pm8001/pm80xx_hwi.h b/drivers/scsi/pm8001/pm80xx_hwi.h index 411b414a9a0ef..85cdd6d9348a6 100644 --- a/drivers/scsi/pm8001/pm80xx_hwi.h +++ b/drivers/scsi/pm8001/pm80xx_hwi.h @@ -1534,3 +1534,9 @@ typedef struct SASProtocolTimerConfig SASProtocolTimerConfig_t;
#define MEMBASE_II_SHIFT_REGISTER 0x1010 #endif + +/** + * As we know sleep (1~20) ms may result in sleep longer than ~20 ms, hence we + * choose 20 ms interval. + */ +#define FW_READY_INTERVAL 20
From: yuuzheng yuuzheng@google.com
[ Upstream commit 1f889b58716a5f5e3e4fe0e6742c1a4472f29ac1 ]
A use-after-free or null-pointer error occurs when the 251-byte response data is copied from IOMB buffer to response message buffer in function pm8001_mpi_get_nvmd_resp().
After sending the command get_nvmd_data(), the caller begins to sleep by calling wait_for_complete() and waits for the wake-up from calling complete() in pm8001_mpi_get_nvmd_resp(). Due to unexpected events (e.g., interrupt), if response buffer gets freed before memcpy(), a use-after-free error will occur. To fix this, the complete() should be called after memcpy().
Link: https://lore.kernel.org/r/20201102165528.26510-5-Viswas.G@microchip.com.com Acked-by: Jack Wang jinpu.wang@cloud.ionos.com Signed-off-by: yuuzheng yuuzheng@google.com Signed-off-by: Viswas G Viswas.G@microchip.com Signed-off-by: Ruksar Devadi Ruksar.devadi@microchip.com Signed-off-by: Radha Ramachandran radha@google.com Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/scsi/pm8001/pm8001_hwi.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/drivers/scsi/pm8001/pm8001_hwi.c b/drivers/scsi/pm8001/pm8001_hwi.c index f374abfb7f1f8..44a4630fdb2f8 100644 --- a/drivers/scsi/pm8001/pm8001_hwi.c +++ b/drivers/scsi/pm8001/pm8001_hwi.c @@ -3196,10 +3196,15 @@ pm8001_mpi_get_nvmd_resp(struct pm8001_hba_info *pm8001_ha, void *piomb) pm8001_ha->memoryMap.region[NVMD].virt_ptr, fw_control_context->len); kfree(ccb->fw_control_context); + /* To avoid race condition, complete should be + * called after the message is copied to + * fw_control_context->usrAddr + */ + complete(pm8001_ha->nvmd_completion); + PM8001_MSG_DBG(pm8001_ha, pm8001_printk("Set nvm data complete!\n")); ccb->task = NULL; ccb->ccb_tag = 0xFFFFFFFF; pm8001_tag_free(pm8001_ha, tag); - complete(pm8001_ha->nvmd_completion); }
int pm8001_mpi_local_phy_ctl(struct pm8001_hba_info *pm8001_ha, void *piomb)
From: Zhang Qilong zhangqilong3@huawei.com
[ Upstream commit 071dc1787a2f8bb636f864c1f306280deea3b1d5 ]
The 'EPERM' cannot appear in the previous path, we should use '-EPERM' to check it. For example:
Call trace: ->rtl8192_rx_isr ->usb_submit_urb ->usb_hcd_submit_urb ->rh_urb_enqueue ->rh_queue_status ->usb_hcd_link_urb_to_ep
Signed-off-by: Zhang Qilong zhangqilong3@huawei.com Link: https://lore.kernel.org/r/20201028122648.47959-1-zhangqilong3@huawei.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/staging/rtl8192u/r8192U_core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/staging/rtl8192u/r8192U_core.c b/drivers/staging/rtl8192u/r8192U_core.c index fa4c47c7d2166..f5e53df9d49db 100644 --- a/drivers/staging/rtl8192u/r8192U_core.c +++ b/drivers/staging/rtl8192u/r8192U_core.c @@ -970,7 +970,7 @@ static void rtl8192_rx_isr(struct urb *urb) urb->context = skb; skb_queue_tail(&priv->rx_queue, skb); err = usb_submit_urb(urb, GFP_ATOMIC); - if (err && err != EPERM) + if (err && err != -EPERM) netdev_err(dev, "can not submit rxurb, err is %x, URB status is %x\n", err, urb->status);
From: Qinglang Miao miaoqinglang@huawei.com
[ Upstream commit 5a5aa912f687204d50455d0db36f94dd8de601c2 ]
Add the missing iounmap() of gpch->regs before return from ar7_gpio_init() in the error handling case.
Signed-off-by: Qinglang Miao miaoqinglang@huawei.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/ar7/gpio.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/mips/ar7/gpio.c b/arch/mips/ar7/gpio.c index ed5b3d297caf3..83316b5587776 100644 --- a/arch/mips/ar7/gpio.c +++ b/arch/mips/ar7/gpio.c @@ -331,6 +331,7 @@ int __init ar7_gpio_init(void) if (ret) { printk(KERN_ERR "%s: failed to add gpiochip\n", gpch->chip.label); + iounmap(gpch->regs); return ret; } printk(KERN_INFO "%s: registered %d GPIOs\n",
From: "Paul E. McKenney" paulmck@kernel.org
[ Upstream commit 6b74fa0a776e3715d385b23d29db469179c825b0 ]
If an locktorture torture-test run is given a bad kvm.sh argument, the test will complain to the console, which is good. What is bad is that from the user's perspective, it will just hang for the time specified by the --duration argument. This commit therefore forces an immediate kernel shutdown if a lock_torture_init()-time error occurs, thus avoiding the appearance of a hang. It also forces a console splat in this case to clearly indicate the presence of an error.
Signed-off-by: Paul E. McKenney paulmck@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- kernel/locking/locktorture.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/kernel/locking/locktorture.c b/kernel/locking/locktorture.c index b0e41c312c15f..176a2a059ead4 100644 --- a/kernel/locking/locktorture.c +++ b/kernel/locking/locktorture.c @@ -38,6 +38,7 @@ #include <linux/slab.h> #include <linux/percpu-rwsem.h> #include <linux/torture.h> +#include <linux/reboot.h>
MODULE_LICENSE("GPL"); MODULE_AUTHOR("Paul E. McKenney paulmck@us.ibm.com"); @@ -987,6 +988,10 @@ static int __init lock_torture_init(void) unwind: torture_init_end(); lock_torture_cleanup(); + if (shutdown_secs) { + WARN_ON(!IS_MODULE(CONFIG_LOCK_TORTURE_TEST)); + kernel_power_off(); + } return firsterr; }
From: "Paul E. McKenney" paulmck@kernel.org
[ Upstream commit 4994684ce10924a0302567c315c91b0a64eeef46 ]
If an rcutorture torture-test run is given a bad kvm.sh argument, the test will complain to the console, which is good. What is bad is that from the user's perspective, it will just hang for the time specified by the --duration argument. This commit therefore forces an immediate kernel shutdown if a rcu_torture_init()-time error occurs, thus avoiding the appearance of a hang. It also forces a console splat in this case to clearly indicate the presence of an error.
Signed-off-by: Paul E. McKenney paulmck@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- kernel/rcu/rcutorture.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/kernel/rcu/rcutorture.c b/kernel/rcu/rcutorture.c index 5393bbcf3c1ad..1e3c28e9bf0de 100644 --- a/kernel/rcu/rcutorture.c +++ b/kernel/rcu/rcutorture.c @@ -1902,6 +1902,10 @@ rcu_torture_init(void) unwind: torture_init_end(); rcu_torture_cleanup(); + if (shutdown_secs) { + WARN_ON(!IS_MODULE(CONFIG_RCU_TORTURE_TEST)); + kernel_power_off(); + } return firsterr; }
From: Qinglang Miao miaoqinglang@huawei.com
[ Upstream commit f2e66f212a9de04afc2caa5ec79057c0ac75c728 ]
Add the missing platform_driver_unregister() before return from panel_simple_init in the error handling case when failed to register panel_simple_dsi_driver with CONFIG_DRM_MIPI_DSI enabled.
Signed-off-by: Qinglang Miao miaoqinglang@huawei.com Signed-off-by: Sam Ravnborg sam@ravnborg.org Link: https://patchwork.freedesktop.org/patch/msgid/20201031011856.137307-1-miaoqi... Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/gpu/drm/panel/panel-simple.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c index 57f32d1bb3127..05ca6c8a660e4 100644 --- a/drivers/gpu/drm/panel/panel-simple.c +++ b/drivers/gpu/drm/panel/panel-simple.c @@ -1990,8 +1990,10 @@ static int __init panel_simple_init(void)
if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) { err = mipi_dsi_driver_register(&panel_simple_dsi_driver); - if (err < 0) + if (err < 0) { + platform_driver_unregister(&panel_simple_platform_driver); return err; + } }
return 0;
From: Ole Bjørn Midtbø omidtbo@cisco.com
[ Upstream commit cca342d98bef68151a80b024f7bf5f388d1fbdea ]
A different wait queue was used when removing ctrl_wait than when adding it. This effectively made the remove operation without locking compared to other operations on the wait queue ctrl_wait was part of. This caused issues like below where dead000000000100 is LIST_POISON1 and dead000000000200 is LIST_POISON2.
list_add corruption. next->prev should be prev (ffffffc1b0a33a08), \ but was dead000000000200. (next=ffffffc03ac77de0). ------------[ cut here ]------------ CPU: 3 PID: 2138 Comm: bluetoothd Tainted: G O 4.4.238+ #9 ... ---[ end trace 0adc2158f0646eac ]--- Call trace: [<ffffffc000443f78>] __list_add+0x38/0xb0 [<ffffffc0000f0d04>] add_wait_queue+0x4c/0x68 [<ffffffc00020eecc>] __pollwait+0xec/0x100 [<ffffffc000d1556c>] bt_sock_poll+0x74/0x200 [<ffffffc000bdb8a8>] sock_poll+0x110/0x128 [<ffffffc000210378>] do_sys_poll+0x220/0x480 [<ffffffc0002106f0>] SyS_poll+0x80/0x138 [<ffffffc00008510c>] __sys_trace_return+0x0/0x4
Unable to handle kernel paging request at virtual address dead000000000100 ... CPU: 4 PID: 5387 Comm: kworker/u15:3 Tainted: G W O 4.4.238+ #9 ... Call trace: [<ffffffc0000f079c>] __wake_up_common+0x7c/0xa8 [<ffffffc0000f0818>] __wake_up+0x50/0x70 [<ffffffc000be11b0>] sock_def_wakeup+0x58/0x60 [<ffffffc000de5e10>] l2cap_sock_teardown_cb+0x200/0x224 [<ffffffc000d3f2ac>] l2cap_chan_del+0xa4/0x298 [<ffffffc000d45ea0>] l2cap_conn_del+0x118/0x198 [<ffffffc000d45f8c>] l2cap_disconn_cfm+0x6c/0x78 [<ffffffc000d29934>] hci_event_packet+0x564/0x2e30 [<ffffffc000d19b0c>] hci_rx_work+0x10c/0x360 [<ffffffc0000c2218>] process_one_work+0x268/0x460 [<ffffffc0000c2678>] worker_thread+0x268/0x480 [<ffffffc0000c94e0>] kthread+0x118/0x128 [<ffffffc000085070>] ret_from_fork+0x10/0x20 ---[ end trace 0adc2158f0646ead ]---
Signed-off-by: Ole Bjørn Midtbø omidtbo@cisco.com Signed-off-by: Marcel Holtmann marcel@holtmann.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/bluetooth/hidp/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/bluetooth/hidp/core.c b/net/bluetooth/hidp/core.c index 552e00b07196e..9ec37c6c8c4aa 100644 --- a/net/bluetooth/hidp/core.c +++ b/net/bluetooth/hidp/core.c @@ -1282,7 +1282,7 @@ static int hidp_session_thread(void *arg)
/* cleanup runtime environment */ remove_wait_queue(sk_sleep(session->intr_sock->sk), &intr_wait); - remove_wait_queue(sk_sleep(session->intr_sock->sk), &ctrl_wait); + remove_wait_queue(sk_sleep(session->ctrl_sock->sk), &ctrl_wait); wake_up_interruptible(&session->report_queue); hidp_del_timer(session);
From: Alexander Lobakin alobakin@pm.me
[ Upstream commit 8be33ecfc1ffd2da20cc29e957e4cb6eb99310cb ]
Similar to commit fda55eca5a33f ("net: introduce skb_transport_header_was_set()"), avoid resetting transport offsets that were already set by GRO layer. This not only mirrors the behavior of __netif_receive_skb_core(), but also makes sense when it comes to UDP GSO fraglists forwarding: transport offset of such skbs is set only once by GRO receive callback and remains untouched and correct up to the xmitting driver in 1:1 case, but becomes junk after untagging in ingress VLAN case and breaks UDP GSO offload. This does not happen after this change, and all types of forwarding of UDP GSO fraglists work as expected.
Since v1 [1]: - keep the code 1:1 with __netif_receive_skb_core() (Jakub).
[1] https://lore.kernel.org/netdev/zYurwsZRN7BkqSoikWQLVqHyxz18h4LhHU4NFa2Vw@cp4...
Signed-off-by: Alexander Lobakin alobakin@pm.me Link: https://lore.kernel.org/r/7JgIkgEztzt0W6ZtC9V9Cnk5qfkrUFYcpN871syCi8@cp4-web... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/core/skbuff.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a4c4234976862..f38ed5b9f5bf7 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4607,7 +4607,8 @@ struct sk_buff *skb_vlan_untag(struct sk_buff *skb) goto err_free;
skb_reset_network_header(skb); - skb_reset_transport_header(skb); + if (!skb_transport_header_was_set(skb)) + skb_reset_transport_header(skb); skb_reset_mac_len(skb);
return skb;
From: Necip Fazil Yildiran fazilyildiran@gmail.com
[ Upstream commit 09a48cbcd7af9203296938044f1100bb113ce01a ]
When BCM47XX_SSB is enabled and SSB_PCIHOST is disabled, it results in the following Kbuild warning:
WARNING: unmet direct dependencies detected for SSB_B43_PCI_BRIDGE Depends on [n]: SSB [=y] && SSB_PCIHOST [=n] Selected by [y]: - BCM47XX_SSB [=y] && BCM47XX [=y] && PCI [=y]
The reason is that BCM47XX_SSB selects SSB_B43_PCI_BRIDGE without depending on or selecting SSB_PCIHOST while SSB_B43_PCI_BRIDGE depends on SSB_PCIHOST. This can also fail building the kernel as demonstrated in a bug report.
Honor the kconfig dependency to remove unmet direct dependency warnings and avoid any potential build failures.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=210051 Signed-off-by: Necip Fazil Yildiran fazilyildiran@gmail.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/bcm47xx/Kconfig | 1 + 1 file changed, 1 insertion(+)
diff --git a/arch/mips/bcm47xx/Kconfig b/arch/mips/bcm47xx/Kconfig index e970fd9cf7693..83b80ffe803a0 100644 --- a/arch/mips/bcm47xx/Kconfig +++ b/arch/mips/bcm47xx/Kconfig @@ -8,6 +8,7 @@ config BCM47XX_SSB select SSB_DRIVER_MIPS select SSB_DRIVER_EXTIF select SSB_EMBEDDED + select SSB_PCIHOST if PCI select SSB_B43_PCI_BRIDGE if PCI select SSB_DRIVER_PCICORE if PCI select SSB_PCICORE_HOSTMODE if PCI
From: Dinghao Liu dinghao.liu@zju.edu.cn
[ Upstream commit 751341b4d7841e2b76e78eec382c2e119165497f ]
When dbBackSplit() fails, mp should be released to prevent memleak. It's the same when dbJoin() fails.
Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn Signed-off-by: Dave Kleikamp dave.kleikamp@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- fs/jfs/jfs_dmap.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c index 2d514c7affc2a..fa14a01950853 100644 --- a/fs/jfs/jfs_dmap.c +++ b/fs/jfs/jfs_dmap.c @@ -2562,15 +2562,19 @@ dbAdjCtl(struct bmap * bmp, s64 blkno, int newval, int alloc, int level) */ if (oldval == NOFREE) { rc = dbBackSplit((dmtree_t *) dcp, leafno); - if (rc) + if (rc) { + release_metapage(mp); return rc; + } oldval = dcp->stree[ti]; } dbSplit((dmtree_t *) dcp, leafno, dcp->budmin, newval); } else { rc = dbJoin((dmtree_t *) dcp, leafno, newval); - if (rc) + if (rc) { + release_metapage(mp); return rc; + } }
/* check if the root of the current dmap control page changed due
From: Evgeny Novikov novikov@ispras.ru
[ Upstream commit af0321a5be3e5647441eb6b79355beaa592df97a ]
zr364xx_start_readpipe() can fail but callers do not care about that. This can result in various negative consequences. The patch adds missed error handling.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov novikov@ispras.ru Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/zr364xx/zr364xx.c | 31 ++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-)
diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c index c5513f55e64e0..8c8c4c9858507 100644 --- a/drivers/media/usb/zr364xx/zr364xx.c +++ b/drivers/media/usb/zr364xx/zr364xx.c @@ -1357,6 +1357,7 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) { struct zr364xx_pipeinfo *pipe = cam->pipe; unsigned long i; + int err;
DBG("board init: %p\n", cam); memset(pipe, 0, sizeof(*pipe)); @@ -1390,9 +1391,8 @@ static int zr364xx_board_init(struct zr364xx_camera *cam)
if (i == 0) { printk(KERN_INFO KBUILD_MODNAME ": out of memory. Aborting\n"); - kfree(cam->pipe->transfer_buffer); - cam->pipe->transfer_buffer = NULL; - return -ENOMEM; + err = -ENOMEM; + goto err_free; } else cam->buffer.dwFrames = i;
@@ -1407,9 +1407,17 @@ static int zr364xx_board_init(struct zr364xx_camera *cam) /*** end create system buffers ***/
/* start read pipe */ - zr364xx_start_readpipe(cam); + err = zr364xx_start_readpipe(cam); + if (err) + goto err_free; + DBG(": board initialized\n"); return 0; + +err_free: + kfree(cam->pipe->transfer_buffer); + cam->pipe->transfer_buffer = NULL; + return err; }
static int zr364xx_probe(struct usb_interface *intf, @@ -1608,10 +1616,19 @@ static int zr364xx_resume(struct usb_interface *intf) if (!cam->was_streaming) return 0;
- zr364xx_start_readpipe(cam); + res = zr364xx_start_readpipe(cam); + if (res) + return res; + res = zr364xx_prepare(cam); - if (!res) - zr364xx_start_acquire(cam); + if (res) + goto err_prepare; + + zr364xx_start_acquire(cam); + return 0; + +err_prepare: + zr364xx_stop_readpipe(cam); return res; } #endif
From: Hans Verkuil hverkuil-cisco@xs4all.nl
[ Upstream commit e91c255733d9bbb4978a372f44fb5ed689ccdbd1 ]
If a CEC device node is unregistered, then it should be marked as unregistered before waking up any filehandles that are waiting for an event.
This ensures that there is no race condition where an application can call CEC_DQEVENT and have the ioctl return 0 instead of ENODEV.
Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/staging/media/cec/cec-core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/staging/media/cec/cec-core.c b/drivers/staging/media/cec/cec-core.c index b0137e247dc9a..bb189f753c3ac 100644 --- a/drivers/staging/media/cec/cec-core.c +++ b/drivers/staging/media/cec/cec-core.c @@ -183,12 +183,12 @@ static void cec_devnode_unregister(struct cec_devnode *devnode) mutex_unlock(&devnode->lock); return; } + devnode->registered = false; + devnode->unregistered = true;
list_for_each_entry(fh, &devnode->fhs, list) wake_up_interruptible(&fh->wait);
- devnode->registered = false; - devnode->unregistered = true; mutex_unlock(&devnode->lock);
device_del(&devnode->dev);
From: Evgeny Novikov novikov@ispras.ru
[ Upstream commit 6651dba2bd838f34cf5a1e84229aaa579b1a94fe ]
isif_probe() invokes iounmap() on error handling paths, but it does not reset the global state. So, later it can invoke iounmap() even when ioremap() fails. This is the case also for isif_remove(). The patch resets the global state after invoking iounmap() to avoid this.
Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Evgeny Novikov novikov@ispras.ru Signed-off-by: Hans Verkuil hverkuil-cisco@xs4all.nl Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/platform/davinci/isif.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/drivers/media/platform/davinci/isif.c b/drivers/media/platform/davinci/isif.c index b51b875c5a612..3507aa867ba12 100644 --- a/drivers/media/platform/davinci/isif.c +++ b/drivers/media/platform/davinci/isif.c @@ -1090,10 +1090,14 @@ static int isif_probe(struct platform_device *pdev) release_mem_region(res->start, resource_size(res)); i--; fail_nobase_res: - if (isif_cfg.base_addr) + if (isif_cfg.base_addr) { iounmap(isif_cfg.base_addr); - if (isif_cfg.linear_tbl0_addr) + isif_cfg.base_addr = NULL; + } + if (isif_cfg.linear_tbl0_addr) { iounmap(isif_cfg.linear_tbl0_addr); + isif_cfg.linear_tbl0_addr = NULL; + }
while (i >= 0) { res = platform_get_resource(pdev, IORESOURCE_MEM, i); @@ -1111,8 +1115,11 @@ static int isif_remove(struct platform_device *pdev) int i = 0;
iounmap(isif_cfg.base_addr); + isif_cfg.base_addr = NULL; iounmap(isif_cfg.linear_tbl0_addr); + isif_cfg.linear_tbl0_addr = NULL; iounmap(isif_cfg.linear_tbl1_addr); + isif_cfg.linear_tbl1_addr = NULL; while (i < 3) { res = platform_get_resource(pdev, IORESOURCE_MEM, i); if (res)
From: Dinghao Liu dinghao.liu@zju.edu.cn
[ Upstream commit 167faadfcf9339088910e9e85a1b711fcbbef8e9 ]
When device_create() fails, dvbdev and dvbdevfops should be freed just like when dvb_register_media_device() fails.
Signed-off-by: Dinghao Liu dinghao.liu@zju.edu.cn Signed-off-by: Sean Young sean@mess.org Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/dvb-core/dvbdev.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/media/dvb-core/dvbdev.c b/drivers/media/dvb-core/dvbdev.c index a1cc1c1e53182..ffd01d54edca8 100644 --- a/drivers/media/dvb-core/dvbdev.c +++ b/drivers/media/dvb-core/dvbdev.c @@ -515,6 +515,9 @@ int dvb_register_device(struct dvb_adapter *adap, struct dvb_device **pdvbdev, if (IS_ERR(clsdev)) { printk(KERN_ERR "%s: failed to create device dvb%d.%s%d (%ld)\n", __func__, adap->num, dnames[type], id, PTR_ERR(clsdev)); + dvb_media_device_free(dvbdev); + kfree(dvbdevfops); + kfree(dvbdev); return PTR_ERR(clsdev); } dprintk(KERN_DEBUG "DVB: register adapter%d/%s%d @ minor: %i (0x%02x)\n",
From: Krzysztof Kozlowski krzk@kernel.org
[ Upstream commit ade8e9d3fb9232ddfb87a4bc641b35b988d9757b ]
Printing kernel pointers is discouraged because they might leak kernel memory layout. This fixes smatch warning:
drivers/mmc/host/tmio_mmc.c:177 tmio_mmc_probe() warn: argument 3 to %08lx specifier is cast from pointer
Reported-by: kernel test robot lkp@intel.com Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Krzysztof Kozlowski krzk@kernel.org Link: https://lore.kernel.org/r/20201116164252.44078-1-krzk@kernel.org Signed-off-by: Ulf Hansson ulf.hansson@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/mmc/host/tmio_mmc.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/mmc/host/tmio_mmc.c b/drivers/mmc/host/tmio_mmc.c index e897e7fc3b14c..052093db7d159 100644 --- a/drivers/mmc/host/tmio_mmc.c +++ b/drivers/mmc/host/tmio_mmc.c @@ -109,8 +109,7 @@ static int tmio_mmc_probe(struct platform_device *pdev) if (ret) goto host_remove;
- pr_info("%s at 0x%08lx irq %d\n", mmc_hostname(host->mmc), - (unsigned long)host->ctl, irq); + pr_info("%s at 0x%p irq %d\n", mmc_hostname(host->mmc), host->ctl, irq);
return 0;
From: Youling Tang tangyouling@loongson.cn
[ Upstream commit 3c5902d270edb6ccc3049acfe5d3e96653c87dcd ]
If the clk_register fails, we should free hw before function returns to prevent memleak.
Signed-off-by: Youling Tang tangyouling@loongson.cn Signed-off-by: Tony Lindgren tony@atomide.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/mach-omap2/clkt2xxx_virt_prcm_set.c | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/arch/arm/mach-omap2/clkt2xxx_virt_prcm_set.c b/arch/arm/mach-omap2/clkt2xxx_virt_prcm_set.c index b64d717bfab6c..45fa2a87d5715 100644 --- a/arch/arm/mach-omap2/clkt2xxx_virt_prcm_set.c +++ b/arch/arm/mach-omap2/clkt2xxx_virt_prcm_set.c @@ -247,6 +247,12 @@ void omap2xxx_clkt_vps_init(void) hw->hw.init = &init;
clk = clk_register(NULL, &hw->hw); + if (IS_ERR(clk)) { + printk(KERN_ERR "Failed to register clock\n"); + kfree(hw); + return; + } + clkdev_create(clk, "cpufreq_ck", NULL); return; cleanup:
From: Takashi Iwai tiwai@suse.de
[ Upstream commit 4974b7950929e4a28d4eaee48e4ad07f168ac132 ]
The PCM trigger callback is atomic, hence we must not call a function like usb_set_interface() there. Calling it from there would lead to a kernel Oops.
Fix it by moving the usb_set_interface() call to set_sync_endpoint().
Also, apply the snd_usb_set_interface_quirk() for consistency, too.
Tested-by: Keith Milner kamilner@superlative.org Tested-by: Dylan Robinson dylan_robinson@motu.com Link: https://lore.kernel.org/r/20201123085347.19667-3-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/usb/pcm.c | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/sound/usb/pcm.c b/sound/usb/pcm.c index 95d02e25a3133..77c704847e4ac 100644 --- a/sound/usb/pcm.c +++ b/sound/usb/pcm.c @@ -242,21 +242,6 @@ static int start_endpoints(struct snd_usb_substream *subs) !test_and_set_bit(SUBSTREAM_FLAG_SYNC_EP_STARTED, &subs->flags)) { struct snd_usb_endpoint *ep = subs->sync_endpoint;
- if (subs->data_endpoint->iface != subs->sync_endpoint->iface || - subs->data_endpoint->altsetting != subs->sync_endpoint->altsetting) { - err = usb_set_interface(subs->dev, - subs->sync_endpoint->iface, - subs->sync_endpoint->altsetting); - if (err < 0) { - clear_bit(SUBSTREAM_FLAG_SYNC_EP_STARTED, &subs->flags); - dev_err(&subs->dev->dev, - "%d:%d: cannot set interface (%d)\n", - subs->sync_endpoint->iface, - subs->sync_endpoint->altsetting, err); - return -EIO; - } - } - dev_dbg(&subs->dev->dev, "Starting sync EP @%p\n", ep);
ep->sync_slave = subs->data_endpoint; @@ -499,6 +484,19 @@ static int set_sync_endpoint(struct snd_usb_substream *subs,
subs->data_endpoint->sync_master = subs->sync_endpoint;
+ if (subs->data_endpoint->iface != subs->sync_endpoint->iface || + subs->data_endpoint->altsetting != subs->sync_endpoint->altsetting) { + err = usb_set_interface(subs->dev, + subs->sync_endpoint->iface, + subs->sync_endpoint->altsetting); + if (err < 0) + return err; + dev_dbg(&dev->dev, "setting usb interface %d:%d\n", + subs->sync_endpoint->iface, + subs->sync_endpoint->altsetting); + snd_usb_set_interface_quirk(dev); + } + return 0; }
From: David Howells dhowells@redhat.com
[ Upstream commit d2ae4e918218f543214fbd906db68a6c580efbbb ]
Don't let someone reading a service-side rxrpc-type key get access to the session key that was exchanged with the client. The server application will, at some point, need to be able to read the information in the ticket, but this probably shouldn't include the key material.
Signed-off-by: David Howells dhowells@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- include/keys/rxrpc-type.h | 1 + net/rxrpc/key.c | 8 ++++++-- 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/include/keys/rxrpc-type.h b/include/keys/rxrpc-type.h index 5de0673f333b7..865629c5484f5 100644 --- a/include/keys/rxrpc-type.h +++ b/include/keys/rxrpc-type.h @@ -88,6 +88,7 @@ struct rxk5_key { */ struct rxrpc_key_token { u16 security_index; /* RxRPC header security index */ + bool no_leak_key; /* Don't copy the key to userspace */ struct rxrpc_key_token *next; /* the next token in the list */ union { struct rxkad_key *kad; diff --git a/net/rxrpc/key.c b/net/rxrpc/key.c index fa475b02bdceb..beb30cca5a4b9 100644 --- a/net/rxrpc/key.c +++ b/net/rxrpc/key.c @@ -1071,7 +1071,8 @@ static long rxrpc_read(const struct key *key, case RXRPC_SECURITY_RXKAD: toksize += 8 * 4; /* viceid, kvno, key*2, begin, * end, primary, tktlen */ - toksize += RND(token->kad->ticket_len); + if (!token->no_leak_key) + toksize += RND(token->kad->ticket_len); break;
case RXRPC_SECURITY_RXK5: @@ -1180,7 +1181,10 @@ static long rxrpc_read(const struct key *key, ENCODE(token->kad->start); ENCODE(token->kad->expiry); ENCODE(token->kad->primary_flag); - ENCODE_DATA(token->kad->ticket_len, token->kad->ticket); + if (token->no_leak_key) + ENCODE(0); + else + ENCODE_DATA(token->kad->ticket_len, token->kad->ticket); break;
case RXRPC_SECURITY_RXK5:
From: Finn Thain fthain@telegraphics.com.au
[ Upstream commit 03fe6a640a05c5dc04b6bcdddfb981d015e84ed4 ]
It is possible that bus_reset_cleanup() or .eh_abort_handler could be invoked during NCR5380_queuecommand(). If that takes place before the new command is enqueued and after the ST-DMA "lock" has been acquired, the ST-DMA "lock" will be released again. This will result in a lost DMA interrupt and a command timeout. Fix this by excluding EH and interrupt handlers while the new command is enqueued.
Link: https://lore.kernel.org/r/af25163257796b50bb99d4ede4025cea55787b8f.160584719... Tested-by: Michael Schmitz schmitzmic@gmail.com Reviewed-by: Michael Schmitz schmitzmic@gmail.com Signed-off-by: Finn Thain fthain@telegraphics.com.au Signed-off-by: Martin K. Petersen martin.petersen@oracle.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/scsi/NCR5380.c | 9 ++++++--- drivers/scsi/atari_scsi.c | 10 +++------- 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c index 27270631c70c2..c689b0e8ce4c9 100644 --- a/drivers/scsi/NCR5380.c +++ b/drivers/scsi/NCR5380.c @@ -659,11 +659,14 @@ static int NCR5380_queue_command(struct Scsi_Host *instance,
cmd->result = 0;
- if (!NCR5380_acquire_dma_irq(instance)) - return SCSI_MLQUEUE_HOST_BUSY; - spin_lock_irqsave(&hostdata->lock, flags);
+ if (!NCR5380_acquire_dma_irq(instance)) { + spin_unlock_irqrestore(&hostdata->lock, flags); + + return SCSI_MLQUEUE_HOST_BUSY; + } + /* * Insert the cmd into the issue queue. Note that REQUEST SENSE * commands are added to the head of the queue since any command will diff --git a/drivers/scsi/atari_scsi.c b/drivers/scsi/atari_scsi.c index 9dc4b689f94b0..de06ce9f18810 100644 --- a/drivers/scsi/atari_scsi.c +++ b/drivers/scsi/atari_scsi.c @@ -411,15 +411,11 @@ static int falcon_get_lock(struct Scsi_Host *instance) if (IS_A_TT()) return 1;
- if (stdma_is_locked_by(scsi_falcon_intr) && - instance->hostt->can_queue > 1) + if (stdma_is_locked_by(scsi_falcon_intr)) return 1;
- if (in_interrupt()) - return stdma_try_lock(scsi_falcon_intr, instance); - - stdma_lock(scsi_falcon_intr, instance); - return 1; + /* stdma_lock() may sleep which means it can't be used here */ + return stdma_try_lock(scsi_falcon_intr, instance); }
#ifndef MODULE
From: Zhen Lei thunder.leizhen@huawei.com
[ Upstream commit 30ea026e33c6dda48849d9fe0d15c1d280a92d53 ]
1. Change node name to match '^serial(@[0-9a-f,]+)*$' 2. Change clock-names to "baudclk", "apb_pclk". Both of them use the same clock.
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Signed-off-by: Wei Xu xuwei5@hisilicon.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/hip01.dtsi | 24 ++++++++++++------------ arch/arm/boot/dts/hip04-d01.dts | 2 +- arch/arm/boot/dts/hip04.dtsi | 6 +++--- 3 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/arch/arm/boot/dts/hip01.dtsi b/arch/arm/boot/dts/hip01.dtsi index 4e9562f806a21..85e201ab216b9 100644 --- a/arch/arm/boot/dts/hip01.dtsi +++ b/arch/arm/boot/dts/hip01.dtsi @@ -46,41 +46,41 @@ amba { compatible = "simple-bus"; ranges;
- uart0: uart@10001000 { + uart0: serial@10001000 { compatible = "snps,dw-apb-uart"; reg = <0x10001000 0x1000>; - clocks = <&hisi_refclk144mhz>; - clock-names = "apb_pclk"; + clocks = <&hisi_refclk144mhz>, <&hisi_refclk144mhz>; + clock-names = "baudclk", "apb_pclk"; reg-shift = <2>; interrupts = <0 32 4>; status = "disabled"; };
- uart1: uart@10002000 { + uart1: serial@10002000 { compatible = "snps,dw-apb-uart"; reg = <0x10002000 0x1000>; - clocks = <&hisi_refclk144mhz>; - clock-names = "apb_pclk"; + clocks = <&hisi_refclk144mhz>, <&hisi_refclk144mhz>; + clock-names = "baudclk", "apb_pclk"; reg-shift = <2>; interrupts = <0 33 4>; status = "disabled"; };
- uart2: uart@10003000 { + uart2: serial@10003000 { compatible = "snps,dw-apb-uart"; reg = <0x10003000 0x1000>; - clocks = <&hisi_refclk144mhz>; - clock-names = "apb_pclk"; + clocks = <&hisi_refclk144mhz>, <&hisi_refclk144mhz>; + clock-names = "baudclk", "apb_pclk"; reg-shift = <2>; interrupts = <0 34 4>; status = "disabled"; };
- uart3: uart@10006000 { + uart3: serial@10006000 { compatible = "snps,dw-apb-uart"; reg = <0x10006000 0x1000>; - clocks = <&hisi_refclk144mhz>; - clock-names = "apb_pclk"; + clocks = <&hisi_refclk144mhz>, <&hisi_refclk144mhz>; + clock-names = "baudclk", "apb_pclk"; reg-shift = <2>; interrupts = <0 4 4>; status = "disabled"; diff --git a/arch/arm/boot/dts/hip04-d01.dts b/arch/arm/boot/dts/hip04-d01.dts index 40a9e33c2654e..9b2499635dc76 100644 --- a/arch/arm/boot/dts/hip04-d01.dts +++ b/arch/arm/boot/dts/hip04-d01.dts @@ -25,7 +25,7 @@ memory@00000000,10000000 { };
soc { - uart0: uart@4007000 { + uart0: serial@4007000 { status = "ok"; }; }; diff --git a/arch/arm/boot/dts/hip04.dtsi b/arch/arm/boot/dts/hip04.dtsi index 44044f2751151..9593a78ccf067 100644 --- a/arch/arm/boot/dts/hip04.dtsi +++ b/arch/arm/boot/dts/hip04.dtsi @@ -253,12 +253,12 @@ arm-pmu { <0 79 4>; };
- uart0: uart@4007000 { + uart0: serial@4007000 { compatible = "snps,dw-apb-uart"; reg = <0x4007000 0x1000>; interrupts = <0 381 4>; - clocks = <&clk_168m>; - clock-names = "uartclk"; + clocks = <&clk_168m>, <&clk_168m>; + clock-names = "baudclk", "apb_pclk"; reg-shift = <2>; status = "disabled"; };
From: Zhen Lei thunder.leizhen@huawei.com
[ Upstream commit 64f5b52554a1de47a53972a47b9b58d8d66ee5aa ]
1. Change node name to match '^usb(@.*)?'
These errors are detected by generic-ehci.yaml and generic-ohci.yaml.
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Signed-off-by: Wei Xu xuwei5@hisilicon.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/hisi-x5hd2.dtsi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm/boot/dts/hisi-x5hd2.dtsi b/arch/arm/boot/dts/hisi-x5hd2.dtsi index fdcc23d203e5d..62cee3bdc64cf 100644 --- a/arch/arm/boot/dts/hisi-x5hd2.dtsi +++ b/arch/arm/boot/dts/hisi-x5hd2.dtsi @@ -451,14 +451,14 @@ gmac1: ethernet@1841000 { status = "disabled"; };
- usb0: ehci@1890000 { + usb0: usb@1890000 { compatible = "generic-ehci"; reg = <0x1890000 0x1000>; interrupts = <0 66 4>; clocks = <&clock HIX5HD2_USB_CLK>; };
- usb1: ohci@1880000 { + usb1: usb@1880000 { compatible = "generic-ohci"; reg = <0x1880000 0x1000>; interrupts = <0 67 4>;
From: Zhen Lei thunder.leizhen@huawei.com
[ Upstream commit 8e9e8dd7ce093344a89792deaeb6caedde636dcf ]
Change bus node name from "amba" to "amba-bus" to match '^([a-z][a-z0-9\-]+-bus|bus|soc|axi|ahb|apb)(@[0-9a-f]+)?$'
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Signed-off-by: Wei Xu xuwei5@hisilicon.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/hi3620-hi4511.dts | 2 +- arch/arm/boot/dts/hi3620.dtsi | 2 +- arch/arm/boot/dts/hip01.dtsi | 2 +- arch/arm/boot/dts/hisi-x5hd2.dtsi | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/arch/arm/boot/dts/hi3620-hi4511.dts b/arch/arm/boot/dts/hi3620-hi4511.dts index a579fbf13b5f5..a672c4e4babbd 100644 --- a/arch/arm/boot/dts/hi3620-hi4511.dts +++ b/arch/arm/boot/dts/hi3620-hi4511.dts @@ -25,7 +25,7 @@ memory { reg = <0x40000000 0x20000000>; };
- amba { + amba-bus { dual_timer0: dual_timer@800000 { status = "ok"; }; diff --git a/arch/arm/boot/dts/hi3620.dtsi b/arch/arm/boot/dts/hi3620.dtsi index c85d07e6db612..319ac80612200 100644 --- a/arch/arm/boot/dts/hi3620.dtsi +++ b/arch/arm/boot/dts/hi3620.dtsi @@ -64,7 +64,7 @@ cpu@3 { }; };
- amba { + amba-bus {
#address-cells = <1>; #size-cells = <1>; diff --git a/arch/arm/boot/dts/hip01.dtsi b/arch/arm/boot/dts/hip01.dtsi index 85e201ab216b9..7c11b6e9b779c 100644 --- a/arch/arm/boot/dts/hip01.dtsi +++ b/arch/arm/boot/dts/hip01.dtsi @@ -40,7 +40,7 @@ soc { interrupt-parent = <&gic>; ranges = <0 0x10000000 0x20000000>;
- amba { + amba-bus { #address-cells = <1>; #size-cells = <1>; compatible = "simple-bus"; diff --git a/arch/arm/boot/dts/hisi-x5hd2.dtsi b/arch/arm/boot/dts/hisi-x5hd2.dtsi index 62cee3bdc64cf..d1414bdd9a172 100644 --- a/arch/arm/boot/dts/hisi-x5hd2.dtsi +++ b/arch/arm/boot/dts/hisi-x5hd2.dtsi @@ -31,7 +31,7 @@ soc { interrupt-parent = <&gic>; ranges = <0 0xf8000000 0x8000000>;
- amba { + amba-bus { #address-cells = <1>; #size-cells = <1>; compatible = "simple-bus";
From: Zhen Lei thunder.leizhen@huawei.com
[ Upstream commit 4c246408f0bdbc4100c95a5dad9e0688b4a3cfd0 ]
1. Change clock-names to "sspclk", "apb_pclk". Both of them use the same clock.
Signed-off-by: Zhen Lei thunder.leizhen@huawei.com Signed-off-by: Wei Xu xuwei5@hisilicon.com Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/hi3519.dtsi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/arm/boot/dts/hi3519.dtsi b/arch/arm/boot/dts/hi3519.dtsi index 5729ecfcdc8bf..723c451d1420e 100644 --- a/arch/arm/boot/dts/hi3519.dtsi +++ b/arch/arm/boot/dts/hi3519.dtsi @@ -140,8 +140,8 @@ spi_bus0: spi@12120000 { compatible = "arm,pl022", "arm,primecell"; reg = <0x12120000 0x1000>; interrupts = <GIC_SPI 9 IRQ_TYPE_LEVEL_HIGH>; - clocks = <&crg HI3519_SPI0_CLK>; - clock-names = "apb_pclk"; + clocks = <&crg HI3519_SPI0_CLK>, <&crg HI3519_SPI0_CLK>; + clock-names = "sspclk", "apb_pclk"; num-cs = <1>; #address-cells = <1>; #size-cells = <0>; @@ -152,8 +152,8 @@ spi_bus1: spi@12121000 { compatible = "arm,pl022", "arm,primecell"; reg = <0x12121000 0x1000>; interrupts = <GIC_SPI 10 IRQ_TYPE_LEVEL_HIGH>; - clocks = <&crg HI3519_SPI1_CLK>; - clock-names = "apb_pclk"; + clocks = <&crg HI3519_SPI1_CLK>, <&crg HI3519_SPI1_CLK>; + clock-names = "sspclk", "apb_pclk"; num-cs = <1>; #address-cells = <1>; #size-cells = <0>; @@ -164,8 +164,8 @@ spi_bus2: spi@12122000 { compatible = "arm,pl022", "arm,primecell"; reg = <0x12122000 0x1000>; interrupts = <GIC_SPI 11 IRQ_TYPE_LEVEL_HIGH>; - clocks = <&crg HI3519_SPI2_CLK>; - clock-names = "apb_pclk"; + clocks = <&crg HI3519_SPI2_CLK>, <&crg HI3519_SPI2_CLK>; + clock-names = "sspclk", "apb_pclk"; num-cs = <1>; #address-cells = <1>; #size-cells = <0>;
From: Andy Lutomirski luto@kernel.org
[ Upstream commit 716572b0003ef67a4889bd7d85baf5099c5a0248 ]
Setting GS to 1, 2, or 3 causes a nonsensical part of the IRET microcode to change GS back to zero on a return from kernel mode to user mode. The result is that these tests fail randomly depending on when interrupts happen. Detect when this happens and let the test pass.
Signed-off-by: Andy Lutomirski luto@kernel.org Signed-off-by: Borislav Petkov bp@suse.de Link: https://lkml.kernel.org/r/7567fd44a1d60a9424f25b19a998f12149993b0d.160434659... Signed-off-by: Sasha Levin sashal@kernel.org --- tools/testing/selftests/x86/fsgsbase.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/x86/fsgsbase.c b/tools/testing/selftests/x86/fsgsbase.c index f249e042b3b51..026cd644360f6 100644 --- a/tools/testing/selftests/x86/fsgsbase.c +++ b/tools/testing/selftests/x86/fsgsbase.c @@ -318,8 +318,8 @@ static void set_gs_and_switch_to(unsigned long local, local = read_base(GS);
/* - * Signal delivery seems to mess up weird selectors. Put it - * back. + * Signal delivery is quite likely to change a selector + * of 1, 2, or 3 back to 0 due to IRET being defective. */ asm volatile ("mov %0, %%gs" : : "rm" (force_sel)); } else { @@ -337,6 +337,14 @@ static void set_gs_and_switch_to(unsigned long local, if (base == local && sel_pre_sched == sel_post_sched) { printf("[OK]\tGS/BASE remained 0x%hx/0x%lx\n", sel_pre_sched, local); + } else if (base == local && sel_pre_sched >= 1 && sel_pre_sched <= 3 && + sel_post_sched == 0) { + /* + * IRET is misdesigned and will squash selectors 1, 2, or 3 + * to zero. Don't fail the test just because this happened. + */ + printf("[OK]\tGS/BASE changed from 0x%hx/0x%lx to 0x%hx/0x%lx because IRET is defective\n", + sel_pre_sched, local, sel_post_sched, base); } else { nerrs++; printf("[FAIL]\tGS/BASE changed from 0x%hx/0x%lx to 0x%hx/0x%lx\n",
From: Dmitry Safonov dima@arista.com
[ Upstream commit 01c195de620bb6c3ecda0dbf295fe685d8232e10 ]
bindex can be out of BA window (64): tid 0 seq 2983, start_seq 2915, bindex 68, index 39 tid 0 seq 2984, start_seq 2915, bindex 69, index 40 tid 0 seq 2985, start_seq 2915, bindex 70, index 41 tid 0 seq 2986, start_seq 2915, bindex 71, index 42 tid 0 seq 2879, start_seq 2915, bindex 4060, index 63 tid 0 seq 2854, start_seq 2915, bindex 4035, index 38 tid 0 seq 2795, start_seq 2915, bindex 3976, index 43 tid 0 seq 2989, start_seq 2924, bindex 65, index 45 tid 0 seq 2992, start_seq 2924, bindex 68, index 48 tid 0 seq 2993, start_seq 2924, bindex 69, index 49 tid 0 seq 2994, start_seq 2924, bindex 70, index 50 tid 0 seq 2997, start_seq 2924, bindex 73, index 53 tid 0 seq 2795, start_seq 2941, bindex 3950, index 43 tid 0 seq 2921, start_seq 2941, bindex 4076, index 41 tid 0 seq 2929, start_seq 2941, bindex 4084, index 49 tid 0 seq 3011, start_seq 2946, bindex 65, index 3 tid 0 seq 3012, start_seq 2946, bindex 66, index 4 tid 0 seq 3013, start_seq 2946, bindex 67, index 5
In result isset() will try to dereference something on the stack, causing panics: BUG: unable to handle page fault for address: ffffa742800ed01f #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 6a4e9067 P4D 6a4e9067 PUD 6a4ec067 PMD 6a4ed067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 0 Comm: swapper/1 Kdump: loaded Not tainted 5.8.5-arch1-1-kdump #1 Hardware name: Apple Inc. MacBookAir3,1/Mac-942452F5819B1C1B, BIOS MBA31.88Z.0061.B07.1201241641 01/24/12 RIP: 0010:brcms_c_ampdu_dotxstatus+0x343/0x9f0 [brcmsmac] Code: 54 24 20 66 81 e2 ff 0f 41 83 e4 07 89 d1 0f b7 d2 66 c1 e9 03 0f b7 c9 4c 8d 5c 0c 48 49 8b 4d 10 48 8b 79 68 41 57 44 89 e1 <41> 0f b6 33 41 d3 e0 48 c7 c1 38 e0 ea c0 48 83 c7 10 44 21 c6 4c RSP: 0018:ffffa742800ecdd0 EFLAGS: 00010207 RAX: 0000000000000019 RBX: 000000000000000b RCX: 0000000000000006 RDX: 0000000000000ffe RSI: 0000000000000004 RDI: ffff8fc6ad776800 RBP: ffff8fc6855acb00 R08: 0000000000000001 R09: 00000000000005d9 R10: 00000000fffffffe R11: ffffa742800ed01f R12: 0000000000000006 R13: ffff8fc68d75a000 R14: 00000000000005db R15: 0000000000000019 FS: 0000000000000000(0000) GS:ffff8fc6aad00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffa742800ed01f CR3: 000000002480a000 CR4: 00000000000406e0 Call Trace: <IRQ> brcms_c_dpc+0xb46/0x1020 [brcmsmac] ? wlc_intstatus+0xc8/0x180 [brcmsmac] ? __raise_softirq_irqoff+0x1a/0x80 brcms_dpc+0x37/0xd0 [brcmsmac] tasklet_action_common.constprop.0+0x51/0xb0 __do_softirq+0xff/0x340 ? handle_level_irq+0x1a0/0x1a0 asm_call_on_stack+0x12/0x20 </IRQ> do_softirq_own_stack+0x5f/0x80 irq_exit_rcu+0xcb/0x120 common_interrupt+0xd1/0x200 asm_common_interrupt+0x1e/0x40 RIP: 0010:cpuidle_enter_state+0xb3/0x420
Check if the block is within BA window and only then check block's status. Otherwise as Behan wrote: "When I came back to Dublin I was courtmartialed in my absence and sentenced to death in my absence, so I said they could shoot me in my absence."
Also reported: https://bbs.archlinux.org/viewtopic.php?id=258428 https://lore.kernel.org/linux-wireless/87tuwgi92n.fsf@yujinakao.com/
Reported-by: Yuji Nakao contact@yujinakao.com Signed-off-by: Dmitry Safonov dima@arista.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Link: https://lore.kernel.org/r/20201116030635.645811-1-dima@arista.com Signed-off-by: Sasha Levin sashal@kernel.org --- .../net/wireless/broadcom/brcm80211/brcmsmac/ampdu.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/ampdu.c b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/ampdu.c index fa391e4eb0989..44f65b8bff9e0 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmsmac/ampdu.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmsmac/ampdu.c @@ -953,14 +953,19 @@ brcms_c_ampdu_dotxstatus_complete(struct ampdu_info *ampdu, struct scb *scb, index = TX_SEQ_TO_INDEX(seq); ack_recd = false; if (ba_recd) { + int block_acked; + bindex = MODSUB_POW2(seq, start_seq, SEQNUM_MAX); + if (bindex < AMPDU_TX_BA_MAX_WSIZE) + block_acked = isset(bitmap, bindex); + else + block_acked = 0; brcms_dbg_ht(wlc->hw->d11core, "tid %d seq %d, start_seq %d, bindex %d set %d, index %d\n", tid, seq, start_seq, bindex, - isset(bitmap, bindex), index); + block_acked, index); /* if acked then clear bit and free packet */ - if ((bindex < AMPDU_TX_BA_MAX_WSIZE) - && isset(bitmap, bindex)) { + if (block_acked) { ini->txretry[index] = 0;
/*
From: Nicolin Chen nicoleotsuka@gmail.com
[ Upstream commit d5f583bf8654c231b781096bc1a186065cda72b3 ]
This is used to protect potential race condition at use_count. since probes of client drivers, calling attach_dev(), may run concurrently.
Signed-off-by: Nicolin Chen nicoleotsuka@gmail.com Tested-by: Dmitry Osipenko digetx@gmail.com Reviewed-by: Dmitry Osipenko digetx@gmail.com Acked-by: Thierry Reding treding@nvidia.com Link: https://lore.kernel.org/r/20201125101013.14953-3-nicoleotsuka@gmail.com Signed-off-by: Will Deacon will@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/iommu/tegra-smmu.c | 34 +++++++++++++++++++++------------- 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/drivers/iommu/tegra-smmu.c b/drivers/iommu/tegra-smmu.c index 04cec050e42bf..ae796342717a6 100644 --- a/drivers/iommu/tegra-smmu.c +++ b/drivers/iommu/tegra-smmu.c @@ -241,26 +241,19 @@ static int tegra_smmu_alloc_asid(struct tegra_smmu *smmu, unsigned int *idp) { unsigned long id;
- mutex_lock(&smmu->lock); - id = find_first_zero_bit(smmu->asids, smmu->soc->num_asids); - if (id >= smmu->soc->num_asids) { - mutex_unlock(&smmu->lock); + if (id >= smmu->soc->num_asids) return -ENOSPC; - }
set_bit(id, smmu->asids); *idp = id;
- mutex_unlock(&smmu->lock); return 0; }
static void tegra_smmu_free_asid(struct tegra_smmu *smmu, unsigned int id) { - mutex_lock(&smmu->lock); clear_bit(id, smmu->asids); - mutex_unlock(&smmu->lock); }
static bool tegra_smmu_capable(enum iommu_cap cap) @@ -395,17 +388,21 @@ static int tegra_smmu_as_prepare(struct tegra_smmu *smmu, struct tegra_smmu_as *as) { u32 value; - int err; + int err = 0; + + mutex_lock(&smmu->lock);
if (as->use_count > 0) { as->use_count++; - return 0; + goto unlock; }
as->pd_dma = dma_map_page(smmu->dev, as->pd, 0, SMMU_SIZE_PD, DMA_TO_DEVICE); - if (dma_mapping_error(smmu->dev, as->pd_dma)) - return -ENOMEM; + if (dma_mapping_error(smmu->dev, as->pd_dma)) { + err = -ENOMEM; + goto unlock; + }
/* We can't handle 64-bit DMA addresses */ if (!smmu_dma_addr_valid(smmu, as->pd_dma)) { @@ -428,24 +425,35 @@ static int tegra_smmu_as_prepare(struct tegra_smmu *smmu, as->smmu = smmu; as->use_count++;
+ mutex_unlock(&smmu->lock); + return 0;
err_unmap: dma_unmap_page(smmu->dev, as->pd_dma, SMMU_SIZE_PD, DMA_TO_DEVICE); +unlock: + mutex_unlock(&smmu->lock); + return err; }
static void tegra_smmu_as_unprepare(struct tegra_smmu *smmu, struct tegra_smmu_as *as) { - if (--as->use_count > 0) + mutex_lock(&smmu->lock); + + if (--as->use_count > 0) { + mutex_unlock(&smmu->lock); return; + }
tegra_smmu_free_asid(smmu, as->id);
dma_unmap_page(smmu->dev, as->pd_dma, SMMU_SIZE_PD, DMA_TO_DEVICE);
as->smmu = NULL; + + mutex_unlock(&smmu->lock); }
static int tegra_smmu_attach_dev(struct iommu_domain *domain,
From: Thara Gopinath thara.gopinath@linaro.org
[ Upstream commit 1148a9654b5a69611d33e14719251c6ec20f5f2c ]
Partial hash was being copied into the final result buffer without the entire message block processed. Depending on how the end user processes this result buffer, errors vary from result buffer corruption to result buffer poisoing. Fix this issue by ensuring that only the final hash value is copied into the result buffer.
Reviewed-by: Bjorn Andersson bjorn.andersson@linaro.org Signed-off-by: Thara Gopinath thara.gopinath@linaro.org Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/crypto/qce/sha.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c index 47e114ac09d01..5502a89c4b01e 100644 --- a/drivers/crypto/qce/sha.c +++ b/drivers/crypto/qce/sha.c @@ -55,7 +55,7 @@ static void qce_ahash_done(void *data) dma_unmap_sg(qce->dev, &rctx->result_sg, 1, DMA_FROM_DEVICE);
memcpy(rctx->digest, result->auth_iv, digestsize); - if (req->result) + if (req->result && rctx->last_blk) memcpy(req->result, result->auth_iv, digestsize);
rctx->byte_count[0] = cpu_to_be32(result->auth_byte_count[0]);
From: Mauro Carvalho Chehab mchehab+huawei@kernel.org
[ Upstream commit d0ac1a26ed5943127cb0156148735f5f52a07075 ]
As reported on: https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.ke...
if gp8psk_usb_in_op() returns an error, the status var is not initialized. Yet, this var is used later on, in order to identify: - if the device was already started; - if firmware has loaded; - if the LNBf was powered on.
Using status = 0 seems to ensure that everything will be properly powered up.
So, instead of the proposed solution, let's just set status = 0.
Reported-by: syzbot syzkaller@googlegroups.com Reported-by: Willem de Bruijn willemb@google.com Signed-off-by: Mauro Carvalho Chehab mchehab+huawei@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/media/usb/dvb-usb/gp8psk.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/media/usb/dvb-usb/gp8psk.c b/drivers/media/usb/dvb-usb/gp8psk.c index 993bb7a72985f..170a177653c9f 100644 --- a/drivers/media/usb/dvb-usb/gp8psk.c +++ b/drivers/media/usb/dvb-usb/gp8psk.c @@ -186,7 +186,7 @@ static int gp8psk_load_bcm4500fw(struct dvb_usb_device *d)
static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff) { - u8 status, buf; + u8 status = 0, buf; int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
if (onoff) {
From: Martin Schiller ms@dev.tdt.de
[ Upstream commit 62480b992ba3fb1d7260b11293aed9d6557831c7 ]
1. DTE interface changes immediately to LAPB_STATE_1 and start sending SABM(E).
2. DCE interface sends N2-times DM and changes to LAPB_STATE_1 afterwards if there is no response in the meantime.
Signed-off-by: Martin Schiller ms@dev.tdt.de Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- net/lapb/lapb_timer.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/net/lapb/lapb_timer.c b/net/lapb/lapb_timer.c index 355cc3b6fa4d3..3d99205f003da 100644 --- a/net/lapb/lapb_timer.c +++ b/net/lapb/lapb_timer.c @@ -92,11 +92,18 @@ static void lapb_t1timer_expiry(unsigned long param) switch (lapb->state) {
/* - * If we are a DCE, keep going DM .. DM .. DM + * If we are a DCE, send DM up to N2 times, then switch to + * STATE_1 and send SABM(E). */ case LAPB_STATE_0: - if (lapb->mode & LAPB_DCE) + if (lapb->mode & LAPB_DCE && + lapb->n2count != lapb->n2) { + lapb->n2count++; lapb_send_control(lapb, LAPB_DM, LAPB_POLLOFF, LAPB_RESPONSE); + } else { + lapb->state = LAPB_STATE_1; + lapb_establish_data_link(lapb); + } break;
/*
From: Gabriele Paoloni gabriele.paoloni@intel.com
[ Upstream commit 3a866b16fd2360a9c4ebf71cfbf7ebfe968c1409 ]
Right now for LMCE, if no_way_out is set, mce_panic() is called regardless of mca_cfg.tolerant. This is not correct as, if mca_cfg.tolerant = 3, the code should never panic.
Add that check.
[ bp: use local ptr 'cfg'. ]
Signed-off-by: Gabriele Paoloni gabriele.paoloni@intel.com Signed-off-by: Borislav Petkov bp@suse.de Reviewed-by: Tony Luck tony.luck@intel.com Link: https://lkml.kernel.org/r/20201127161819.3106432-4-gabriele.paoloni@intel.co... Signed-off-by: Sasha Levin sashal@kernel.org --- arch/x86/kernel/cpu/mcheck/mce.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c index 07188a0124922..c0e85ad111de8 100644 --- a/arch/x86/kernel/cpu/mcheck/mce.c +++ b/arch/x86/kernel/cpu/mcheck/mce.c @@ -1182,7 +1182,7 @@ void do_machine_check(struct pt_regs *regs, long error_code) * to see it will clear it. */ if (lmce) { - if (no_way_out) + if (no_way_out && cfg->tolerant < 3) mce_panic("Fatal local machine check", &m, msg); } else { order = mce_start(&no_way_out);
From: Jinyang He hejinyang@loongson.cn
[ Upstream commit c0aac3a51cb6364bed367ee3e1a96ed414f386b4 ]
Most platforms do not need to do synci instruction operations when synci_step is 0. But for example, the synci implementation on Loongson64 platform has some changes. On the one hand, it ensures that the memory access instructions have been completed. On the other hand, it guarantees that all prefetch instructions need to be fetched again. And its address information is useless. Thus, only one synci operation is required when synci_step is 0 on Loongson64 platform. I guess that some other platforms have similar implementations on synci, so add judgment conditions in `while` to ensure that at least all platforms perform synci operations once. For those platforms that do not need synci, they just do one more operation similar to nop.
Signed-off-by: Jinyang He hejinyang@loongson.cn Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/kernel/relocate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/mips/kernel/relocate.c b/arch/mips/kernel/relocate.c index 1958910b75c07..f759aae1e1f3d 100644 --- a/arch/mips/kernel/relocate.c +++ b/arch/mips/kernel/relocate.c @@ -52,7 +52,7 @@ static void __init sync_icache(void *kbase, unsigned long kernel_length) : "r" (kbase));
kbase += step; - } while (kbase < kend); + } while (step && kbase < kend);
/* Completion barrier */ __sync();
From: Zhang Xiaohui ruc_zhangxiaohui@163.com
[ Upstream commit 5c455c5ab332773464d02ba17015acdca198f03d ]
mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy().
Signed-off-by: Zhang Xiaohui ruc_zhangxiaohui@163.com Signed-off-by: Kalle Valo kvalo@codeaurora.org Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/marvell/mwifiex/join.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c index b89596c18b41a..313b5d9fd08ed 100644 --- a/drivers/net/wireless/marvell/mwifiex/join.c +++ b/drivers/net/wireless/marvell/mwifiex/join.c @@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+ if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN) + req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN; memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
From: Anant Thazhemadam anant.thazhemadam@gmail.com
[ Upstream commit 31dcb6c30a26d32650ce134820f27de3c675a45a ]
A kernel-infoleak was reported by syzbot, which was caused because dbells was left uninitialized. Using kzalloc() instead of kmalloc() fixes this issue.
Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com Signed-off-by: Anant Thazhemadam anant.thazhemadam@gmail.com Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.co... Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/misc/vmw_vmci/vmci_context.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/misc/vmw_vmci/vmci_context.c b/drivers/misc/vmw_vmci/vmci_context.c index b9da2c6cc9818..0bdfa90ea6cda 100644 --- a/drivers/misc/vmw_vmci/vmci_context.c +++ b/drivers/misc/vmw_vmci/vmci_context.c @@ -750,7 +750,7 @@ static int vmci_ctx_get_chkpt_doorbells(struct vmci_ctx *context, return VMCI_ERROR_MORE_DATA; }
- dbells = kmalloc(data_size, GFP_ATOMIC); + dbells = kzalloc(data_size, GFP_ATOMIC); if (!dbells) return VMCI_ERROR_NO_MEM;
From: Johannes Berg johannes.berg@intel.com
[ Upstream commit 152fdc0f698896708f9d7889a4ba4da6944b74f7 ]
If we get an error, no longer consider the firmware to be in IWL_TRANS_FW_ALIVE state.
Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201209231352.a9d01e79c1c7.Ib2deb076b392f... Signed-off-by: Luca Coelho luciano.coelho@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h index 0296124a7f9cf..360554727a817 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h +++ b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h @@ -1238,8 +1238,10 @@ static inline void iwl_trans_fw_error(struct iwl_trans *trans) return;
/* prevent double restarts due to the same erroneous FW */ - if (!test_and_set_bit(STATUS_FW_ERROR, &trans->status)) + if (!test_and_set_bit(STATUS_FW_ERROR, &trans->status)) { iwl_op_mode_nic_error(trans->op_mode); + trans->state = IWL_TRANS_NO_FW; + } }
/*****************************************************
From: Johannes Berg johannes.berg@intel.com
[ Upstream commit b2ed841ed070ccbe908016537f429a3a8f0221bf ]
Start tracking not just if the firmware is dead or alive, but also if it's starting.
Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201209231352.33e50d40b688.I8bbd41af7aa5e... Signed-off-by: Luca Coelho luciano.coelho@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/wireless/intel/iwlwifi/iwl-trans.h | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h index 360554727a817..b1cc2b9f82ab6 100644 --- a/drivers/net/wireless/intel/iwlwifi/iwl-trans.h +++ b/drivers/net/wireless/intel/iwlwifi/iwl-trans.h @@ -681,12 +681,14 @@ struct iwl_trans_ops { /** * enum iwl_trans_state - state of the transport layer * - * @IWL_TRANS_NO_FW: no fw has sent an alive response - * @IWL_TRANS_FW_ALIVE: a fw has sent an alive response + * @IWL_TRANS_NO_FW: firmware wasn't started yet, or crashed + * @IWL_TRANS_FW_STARTED: FW was started, but not alive yet + * @IWL_TRANS_FW_ALIVE: FW has sent an alive response */ enum iwl_trans_state { - IWL_TRANS_NO_FW = 0, - IWL_TRANS_FW_ALIVE = 1, + IWL_TRANS_NO_FW, + IWL_TRANS_FW_STARTED, + IWL_TRANS_FW_ALIVE, };
/** @@ -909,12 +911,18 @@ static inline int iwl_trans_start_fw(struct iwl_trans *trans, const struct fw_img *fw, bool run_in_rfkill) { + int ret; + might_sleep();
WARN_ON_ONCE(!trans->rx_mpdu_cmd);
clear_bit(STATUS_FW_ERROR, &trans->status); - return trans->ops->start_fw(trans, fw, run_in_rfkill); + ret = trans->ops->start_fw(trans, fw, run_in_rfkill); + if (ret == 0) + trans->state = IWL_TRANS_FW_STARTED; + + return ret; }
static inline int iwl_trans_update_sf(struct iwl_trans *trans,
From: Avraham Stern avraham.stern@intel.com
[ Upstream commit c837cbad40d949feaff86734d637c7602ae0b56b ]
Accept a scan request with the duration set even if the driver does not support setting the scan dwell. The duration can be used as a hint to the driver, but the driver may use its internal logic for setting the scan dwell.
Signed-off-by: Avraham Stern avraham.stern@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201129172929.9491a12f9226.Ia9c5b24fcefc5... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/wireless/nl80211.c | 6 ------ 1 file changed, 6 deletions(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c index 5bd89f536720d..4820f36807ed7 100644 --- a/net/wireless/nl80211.c +++ b/net/wireless/nl80211.c @@ -6681,12 +6681,6 @@ static int nl80211_trigger_scan(struct sk_buff *skb, struct genl_info *info) }
if (info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]) { - if (!wiphy_ext_feature_isset(wiphy, - NL80211_EXT_FEATURE_SET_SCAN_DWELL)) { - err = -EOPNOTSUPP; - goto out_free; - } - request->duration = nla_get_u16(info->attrs[NL80211_ATTR_MEASUREMENT_DURATION]); request->duration_mandatory =
From: Ilan Peer ilan.peer@intel.com
[ Upstream commit beee246951571cc5452176f3dbfe9aa5a10ba2b9 ]
When custom regulatory was set, only the channels setting was updated, but the regulatory domain was not saved. Fix it by saving it.
Signed-off-by: Ilan Peer ilan.peer@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201129172929.290fa5c5568a.Ic5732aa64de6e... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/wireless/reg.c | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/net/wireless/reg.c b/net/wireless/reg.c index 04da31c52d092..2e115c2a43e90 100644 --- a/net/wireless/reg.c +++ b/net/wireless/reg.c @@ -1793,6 +1793,7 @@ static void handle_band_custom(struct wiphy *wiphy, void wiphy_apply_custom_regulatory(struct wiphy *wiphy, const struct ieee80211_regdomain *regd) { + const struct ieee80211_regdomain *new_regd, *tmp; enum nl80211_band band; unsigned int bands_set = 0;
@@ -1812,6 +1813,13 @@ void wiphy_apply_custom_regulatory(struct wiphy *wiphy, * on your device's supported bands. */ WARN_ON(!bands_set); + new_regd = reg_copy_regd(regd); + if (IS_ERR(new_regd)) + return; + + tmp = get_wiphy_regdom(wiphy); + rcu_assign_pointer(wiphy->regd, new_regd); + rcu_free_regdom(tmp); } EXPORT_SYMBOL(wiphy_apply_custom_regulatory);
From: Johannes Berg johannes.berg@intel.com
[ Upstream commit 3660944a37ce73890292571f44f04891834f9044 ]
If the AP advertises a band switch during CSA, we will not have the right information to continue working with it, since it will likely (have to) change its capabilities and we don't track any capability changes at all. Additionally, we store e.g. supported rates per band, and that information would become invalid.
Since this is a fringe scenario, just disconnect explicitly.
Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201129172929.0e2327107c06.I461adb07704e0... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/mlme.c | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 58b80270e58c2..7b9c02d5590c0 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -1178,6 +1178,17 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, if (res) return;
+ if (sdata->vif.bss_conf.chandef.chan->band != + csa_ie.chandef.chan->band) { + sdata_info(sdata, + "AP %pM switches to different band (%d MHz, width:%d, CF1/2: %d/%d MHz), disconnecting\n", + ifmgd->associated->bssid, + csa_ie.chandef.chan->center_freq, + csa_ie.chandef.width, csa_ie.chandef.center_freq1, + csa_ie.chandef.center_freq2); + goto lock_and_drop_connection; + } + if (!cfg80211_chandef_usable(local->hw.wiphy, &csa_ie.chandef, IEEE80211_CHAN_DISABLED)) { sdata_info(sdata, @@ -1186,9 +1197,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, csa_ie.chandef.chan->center_freq, csa_ie.chandef.width, csa_ie.chandef.center_freq1, csa_ie.chandef.center_freq2); - ieee80211_queue_work(&local->hw, - &ifmgd->csa_connection_drop_work); - return; + goto lock_and_drop_connection; }
if (cfg80211_chandef_identical(&csa_ie.chandef, @@ -1278,6 +1287,9 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, TU_TO_EXP_TIME((csa_ie.count - 1) * cbss->beacon_interval)); return; + lock_and_drop_connection: + mutex_lock(&local->mtx); + mutex_lock(&local->chanctx_mtx); drop_connection: /* * This is just so that the disconnect flow will know that
From: Ilan Peer ilan.peer@intel.com
[ Upstream commit bbf31e88df2f5da20ce613c340ce508d732046b3 ]
When calculating the minimal channel width for channel context, the current operation Rx channel width of a station was used and not the overall channel width capability of the station, i.e., both for Tx and Rx.
Fix ieee80211_get_sta_bw() to use the maximal channel width the station is capable. While at it make the function static.
Signed-off-by: Ilan Peer ilan.peer@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201206145305.4387040b99a0.I74bcf19238f75... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/chan.c | 10 ++++++---- net/mac80211/ieee80211_i.h | 1 - 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index a0d901d8992ea..48b60b53ff3ff 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -190,11 +190,13 @@ ieee80211_find_reservation_chanctx(struct ieee80211_local *local, return NULL; }
-enum nl80211_chan_width ieee80211_get_sta_bw(struct ieee80211_sta *sta) +static enum nl80211_chan_width ieee80211_get_sta_bw(struct sta_info *sta) { - switch (sta->bandwidth) { + enum ieee80211_sta_rx_bandwidth width = ieee80211_sta_cap_rx_bw(sta); + + switch (width) { case IEEE80211_STA_RX_BW_20: - if (sta->ht_cap.ht_supported) + if (sta->sta.ht_cap.ht_supported) return NL80211_CHAN_WIDTH_20; else return NL80211_CHAN_WIDTH_20_NOHT; @@ -231,7 +233,7 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata) !(sta->sdata->bss && sta->sdata->bss == sdata->bss)) continue;
- max_bw = max(max_bw, ieee80211_get_sta_bw(&sta->sta)); + max_bw = max(max_bw, ieee80211_get_sta_bw(sta)); } rcu_read_unlock();
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h index 0b0de3030e0dc..15d9a61d20116 100644 --- a/net/mac80211/ieee80211_i.h +++ b/net/mac80211/ieee80211_i.h @@ -2102,7 +2102,6 @@ int ieee80211_check_combinations(struct ieee80211_sub_if_data *sdata, enum ieee80211_chanctx_mode chanmode, u8 radar_detect); int ieee80211_max_num_channels(struct ieee80211_local *local); -enum nl80211_chan_width ieee80211_get_sta_bw(struct ieee80211_sta *sta); void ieee80211_recalc_chanctx_chantype(struct ieee80211_local *local, struct ieee80211_chanctx *ctx);
From: Emmanuel Grumbach emmanuel.grumbach@intel.com
[ Upstream commit 189a164d0fc6c59a22c4486d641d0a0a0d33387a ]
I hit a bug in which we started a CSA with an action frame, but the AP changed its mind and didn't change the beacon. The CSA wasn't cancelled and we lost the connection.
The beacons were ignored because they never changed: they never contained any CSA IE. Because they never changed, the CRC of the beacon didn't change either which made us ignore the beacons instead of processing them.
Now what happens is: 1) beacon has CRC X and it is valid. No CSA IE in the beacon 2) as long as beacon's CRC X, don't process their IEs 3) rx action frame with CSA 4) invalidate the beacon's CRC 5) rx beacon, CRC is still X, but now it is invalid 6) process the beacon, detect there is no CSA IE 7) abort CSA
Signed-off-by: Emmanuel Grumbach emmanuel.grumbach@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201206145305.83470b8407e6.I739b907598001... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/mlme.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c index 7b9c02d5590c0..cebaf9a1a9ef4 100644 --- a/net/mac80211/mlme.c +++ b/net/mac80211/mlme.c @@ -1264,6 +1264,7 @@ ieee80211_sta_process_chanswitch(struct ieee80211_sub_if_data *sdata, sdata->csa_chandef = csa_ie.chandef; sdata->csa_block_tx = csa_ie.mode; ifmgd->csa_ignored_same_chan = false; + ifmgd->beacon_crc_valid = false;
if (sdata->csa_block_tx) ieee80211_stop_vif_queues(local, sdata,
From: Ilan Peer ilan.peer@intel.com
[ Upstream commit 44b72ca8163b8cf94384a11fdec716f5478411bf ]
A channel change or a channel bandwidth change can impact the rate control logic. However, the rate control logic was not updated before/after such a change, which might result in unexpected behavior.
Fix this by updating the stations rate control logic when the corresponding channel context changes.
Signed-off-by: Ilan Peer ilan.peer@intel.com Signed-off-by: Luca Coelho luciano.coelho@intel.com Link: https://lore.kernel.org/r/iwlwifi.20201206145305.600d967fe3c9.I48305f25cfcc9... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Sasha Levin sashal@kernel.org --- net/mac80211/chan.c | 61 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+)
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c index 48b60b53ff3ff..0d06330aa9321 100644 --- a/net/mac80211/chan.c +++ b/net/mac80211/chan.c @@ -8,6 +8,7 @@ #include <net/cfg80211.h> #include "ieee80211_i.h" #include "driver-ops.h" +#include "rate.h"
static int ieee80211_chanctx_num_assigned(struct ieee80211_local *local, struct ieee80211_chanctx *ctx) @@ -339,10 +340,42 @@ void ieee80211_recalc_chanctx_min_def(struct ieee80211_local *local, drv_change_chanctx(local, ctx, IEEE80211_CHANCTX_CHANGE_MIN_WIDTH); }
+static void ieee80211_chan_bw_change(struct ieee80211_local *local, + struct ieee80211_chanctx *ctx) +{ + struct sta_info *sta; + struct ieee80211_supported_band *sband = + local->hw.wiphy->bands[ctx->conf.def.chan->band]; + + rcu_read_lock(); + list_for_each_entry_rcu(sta, &local->sta_list, + list) { + enum ieee80211_sta_rx_bandwidth new_sta_bw; + + if (!ieee80211_sdata_running(sta->sdata)) + continue; + + if (rcu_access_pointer(sta->sdata->vif.chanctx_conf) != + &ctx->conf) + continue; + + new_sta_bw = ieee80211_sta_cur_vht_bw(sta); + if (new_sta_bw == sta->sta.bandwidth) + continue; + + sta->sta.bandwidth = new_sta_bw; + rate_control_rate_update(local, sband, sta, + IEEE80211_RC_BW_CHANGED); + } + rcu_read_unlock(); +} + static void ieee80211_change_chanctx(struct ieee80211_local *local, struct ieee80211_chanctx *ctx, const struct cfg80211_chan_def *chandef) { + enum nl80211_chan_width width; + if (cfg80211_chandef_identical(&ctx->conf.def, chandef)) { ieee80211_recalc_chanctx_min_def(local, ctx); return; @@ -350,7 +383,25 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local,
WARN_ON(!cfg80211_chandef_compatible(&ctx->conf.def, chandef));
+ width = ctx->conf.def.width; ctx->conf.def = *chandef; + + /* expected to handle only 20/40/80/160 channel widths */ + switch (chandef->width) { + case NL80211_CHAN_WIDTH_20_NOHT: + case NL80211_CHAN_WIDTH_20: + case NL80211_CHAN_WIDTH_40: + case NL80211_CHAN_WIDTH_80: + case NL80211_CHAN_WIDTH_80P80: + case NL80211_CHAN_WIDTH_160: + break; + default: + WARN_ON(1); + } + + if (chandef->width < width) + ieee80211_chan_bw_change(local, ctx); + drv_change_chanctx(local, ctx, IEEE80211_CHANCTX_CHANGE_WIDTH); ieee80211_recalc_chanctx_min_def(local, ctx);
@@ -358,6 +409,9 @@ static void ieee80211_change_chanctx(struct ieee80211_local *local, local->_oper_chandef = *chandef; ieee80211_hw_config(local, 0); } + + if (chandef->width > width) + ieee80211_chan_bw_change(local, ctx); }
static struct ieee80211_chanctx * @@ -1040,8 +1094,14 @@ ieee80211_vif_use_reserved_reassign(struct ieee80211_sub_if_data *sdata) if (WARN_ON(!chandef)) return -EINVAL;
+ if (old_ctx->conf.def.width > new_ctx->conf.def.width) + ieee80211_chan_bw_change(local, new_ctx); + ieee80211_change_chanctx(local, new_ctx, chandef);
+ if (old_ctx->conf.def.width < new_ctx->conf.def.width) + ieee80211_chan_bw_change(local, new_ctx); + vif_chsw[0].vif = &sdata->vif; vif_chsw[0].old_ctx = &old_ctx->conf; vif_chsw[0].new_ctx = &new_ctx->conf; @@ -1434,6 +1494,7 @@ static int ieee80211_vif_use_reserved_switch(struct ieee80211_local *local) ieee80211_recalc_smps_chanctx(local, ctx); ieee80211_recalc_radar_chanctx(local, ctx); ieee80211_recalc_chanctx_min_def(local, ctx); + ieee80211_chan_bw_change(local, ctx);
list_for_each_entry_safe(sdata, sdata_tmp, &ctx->reserved_vifs, reserved_chanctx_list) {
From: Kai Vehmanen kai.vehmanen@linux.intel.com
[ Upstream commit 46c3bbd9827952f92e250fa6ee30a797a4c4e17e ]
The check for infoframe transmit status in hdmi_infoframe_uptodate() makes the assumption that packet buffer index is set to zero.
Align code with specification and explicitly set the index before AC_VERB_GET_HDMI_DIP_XMIT. The packet index setting affects both DIP-Data and DIP-XmitCtrl verbs.
There are no known cases where the old implementation has caused driver to work incorrectly. This change is purely based on code review against the specification (HDA spec rev1.0a).
Signed-off-by: Kai Vehmanen kai.vehmanen@linux.intel.com Link: https://lore.kernel.org/r/20201211131613.3271407-1-kai.vehmanen@linux.intel.... Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Sasha Levin sashal@kernel.org --- sound/pci/hda/patch_hdmi.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/hda/patch_hdmi.c b/sound/pci/hda/patch_hdmi.c index ba0c3a381933e..53eb05d0722b0 100644 --- a/sound/pci/hda/patch_hdmi.c +++ b/sound/pci/hda/patch_hdmi.c @@ -610,11 +610,11 @@ static bool hdmi_infoframe_uptodate(struct hda_codec *codec, hda_nid_t pin_nid, u8 val; int i;
+ hdmi_set_dip_index(codec, pin_nid, 0x0, 0x0); if (snd_hda_codec_read(codec, pin_nid, 0, AC_VERB_GET_HDMI_DIP_XMIT, 0) != AC_DIPXMIT_BEST) return false;
- hdmi_set_dip_index(codec, pin_nid, 0x0, 0x0); for (i = 0; i < size; i++) { val = snd_hda_codec_read(codec, pin_nid, 0, AC_VERB_GET_HDMI_DIP_DATA, 0);
From: Bjorn Helgaas bhelgaas@google.com
[ Upstream commit 059983790a4c963d92943e55a61fca55be427d55 ]
Add function 1 DMA alias quirk for Marvell 88SS9215 PCIe SSD Controller.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=42679#c135 Link: https://lore.kernel.org/r/20201110220516.697934-1-helgaas@kernel.org Reported-by: John Smith LK7S2ED64JHGLKj75shg9klejHWG49h5hk@protonmail.com Signed-off-by: Bjorn Helgaas bhelgaas@google.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/pci/quirks.c | 3 +++ 1 file changed, 3 insertions(+)
diff --git a/drivers/pci/quirks.c b/drivers/pci/quirks.c index 1fdb1ef5eaaeb..0ebf7500e171e 100644 --- a/drivers/pci/quirks.c +++ b/drivers/pci/quirks.c @@ -3911,6 +3911,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9182, /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c46 */ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x91a0, quirk_dma_func1_alias); +/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c135 */ +DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9215, + quirk_dma_func1_alias); /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c127 */ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9220, quirk_dma_func1_alias);
linux-stable-mirror@lists.linaro.org
-
Sasha Levin