This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.246-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 4.4.246-rc1
Chen Yu yu.c.chen@intel.com x86/microcode/intel: Check patch signature before saving microcode for early loading
Thomas Richter tmricht@linux.ibm.com s390/cpum_sf.c: fix file permission for cpum_sfb_size
Johannes Berg johannes.berg@intel.com mac80211: free sta in sta_info_insert_finish() on errors
Johannes Berg johannes.berg@intel.com mac80211: allow driver to prevent two stations w/ same address
Felix Fietkau nbd@nbd.name mac80211: minstrel: fix tx status processing corner case
Felix Fietkau nbd@nbd.name mac80211: minstrel: remove deferred sampling code
Max Filippov jcmvbkbc@gmail.com xtensa: disable preemption around cache alias management calls
Jan Kara jack@suse.cz ext4: fix bogus warning in ext4_update_dx_flag()
Vamshi K Sthambamkadi vamshi.k.sthambamkadi@gmail.com efivarfs: fix memory leak in efivarfs_create()
Fugang Duan fugang.duan@nxp.com tty: serial: imx: keep console clocks always on
Takashi Iwai tiwai@suse.de ALSA: mixart: Fix mutex deadlock
Takashi Sakamoto o-takashi@sakamocchi.jp ALSA: ctl: fix error path at adding user-defined element set
Daniel Axtens dja@axtens.net powerpc/uaccess-flush: fix corenet64_smp_defconfig build
Yicong Yang yangyicong@hisilicon.com libfs: fix error cast of negative value in simple_attr_write()
Nishanth Menon nm@ti.com regulator: ti-abb: Fix array out of bound read access on the first transition
Zhang Qilong zhangqilong3@huawei.com MIPS: Alchemy: Fix memleak in alchemy_clk_setup_cpu
Wu Bo wubo.oduw@gmail.com can: m_can: m_can_handle_state_change(): fix state change
Colin Ian King colin.king@canonical.com can: peak_usb: fix potential integer overflow on shift of a int
Alejandro Concepcion Rodriguez alejandro@acoro.eu can: dev: can_restart(): post buffer from the right context
Leo Yan leo.yan@linaro.org perf lock: Don't free "lock_seq_stat" if read_count isn't zero
Fabio Estevam festevam@gmail.com ARM: dts: imx50-evk: Fix the chip select 1 IOMUX
Sergey Matyukevich geomatsi@gmail.com arm: dts: imx6qdl-udoo: fix rgmii phy-mode for ksz9031 phy
Dan Carpenter dan.carpenter@oracle.com Input: adxl34x - clean up a data type in adxl34x_probe()
Paul Burton paul.burton@imgtec.com MIPS: Fix BUILD_ROLLBACK_PROLOGUE for microMIPS
Will Deacon will@kernel.org arm64: psci: Avoid printing in cpu_psci_cpu_die()
Jianqun Xu jay.xu@rock-chips.com pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
Florian Fainelli f.fainelli@gmail.com net: Have netpoll bring-up DSA management interface
Filip Moc dev@moc6.cz net: usb: qmi_wwan: Set DTR quirk for MR400
Xin Long lucien.xin@gmail.com sctp: change to hold/put transport for proto_unreach_timer
Zhang Changzhong zhangchangzhong@huawei.com qlcnic: fix error return code in qlcnic_83xx_restart_hw()
Xie He xie.he.0141@gmail.com net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
Aya Levin ayal@nvidia.com net/mlx4_core: Fix init_hca fields offset
Paul Moore paul@paul-moore.com netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
Paul Moore paul@paul-moore.com netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
Heiner Kallweit hkallweit1@gmail.com net: bridge: add missing counters to ndo_get_stats64 callback
Zhang Changzhong zhangchangzhong@huawei.com net: b44: fix error return code in b44_init_one()
Sebastian Andrzej Siewior bigeasy@linutronix.de atm: nicstar: Unmap DMA on send error
Zhang Changzhong zhangchangzhong@huawei.com ah6: fix error return code in ah6_input()
-------------
Diffstat:
Makefile | 4 +- arch/arm/boot/dts/imx50-evk.dts | 2 +- arch/arm/boot/dts/imx6qdl-udoo.dtsi | 2 +- arch/arm64/kernel/psci.c | 5 +-- arch/mips/alchemy/common/clock.c | 9 +++- arch/mips/kernel/genex.S | 3 +- arch/powerpc/kernel/ppc_ksyms.c | 4 +- arch/s390/kernel/perf_cpum_sf.c | 2 +- arch/x86/kernel/cpu/microcode/intel.c | 49 +--------------------- arch/xtensa/mm/cache.c | 14 +++++++ drivers/atm/nicstar.c | 2 + drivers/input/misc/adxl34x.c | 2 +- drivers/net/can/dev.c | 2 +- drivers/net/can/m_can/m_can.c | 4 +- drivers/net/can/usb/peak_usb/pcan_usb_core.c | 4 +- drivers/net/ethernet/broadcom/b44.c | 3 +- drivers/net/ethernet/mellanox/mlx4/fw.c | 6 +-- drivers/net/ethernet/mellanox/mlx4/fw.h | 4 +- .../net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 3 +- drivers/net/usb/qmi_wwan.c | 2 +- drivers/pinctrl/pinctrl-rockchip.c | 2 + drivers/regulator/ti-abb-regulator.c | 12 +++++- drivers/tty/serial/imx.c | 20 ++------- fs/efivarfs/super.c | 1 + fs/ext4/ext4.h | 3 +- fs/libfs.c | 6 ++- include/net/mac80211.h | 6 +++ net/bridge/br_device.c | 1 + net/core/netpoll.c | 22 ++++++++-- net/ipv6/ah6.c | 3 +- net/mac80211/debugfs.c | 1 + net/mac80211/rc80211_minstrel.c | 27 +++--------- net/mac80211/rc80211_minstrel.h | 1 - net/mac80211/sta_info.c | 32 ++++++++------ net/netlabel/netlabel_unlabeled.c | 17 +++++--- net/sctp/input.c | 4 +- net/sctp/sm_sideeffect.c | 4 +- net/sctp/transport.c | 2 +- net/x25/af_x25.c | 1 + sound/core/control.c | 2 +- sound/pci/mixart/mixart_core.c | 5 +-- tools/perf/builtin-lock.c | 2 +- 42 files changed, 149 insertions(+), 151 deletions(-)
From: Zhang Changzhong zhangchangzhong@huawei.com
[ Upstream commit a5ebcbdf34b65fcc07f38eaf2d60563b42619a59 ]
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Zhang Changzhong zhangchangzhong@huawei.com Link: https://lore.kernel.org/r/1605581105-35295-1-git-send-email-zhangchangzhong@... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/ipv6/ah6.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/ah6.c +++ b/net/ipv6/ah6.c @@ -595,7 +595,8 @@ static int ah6_input(struct xfrm_state * memcpy(auth_data, ah->auth_data, ahp->icv_trunc_len); memset(ah->auth_data, 0, ahp->icv_trunc_len);
- if (ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN)) + err = ipv6_clear_mutable_options(ip6h, hdr_len, XFRM_POLICY_IN); + if (err) goto out_free;
ip6h->priority = 0;
From: Sebastian Andrzej Siewior bigeasy@linutronix.de
[ Upstream commit 6dceaa9f56e22d0f9b4c4ad2ed9e04e315ce7fe5 ]
The `skb' is mapped for DMA in ns_send() but does not unmap DMA in case push_scqe() fails to submit the `skb'. The memory of the `skb' is released so only the DMA mapping is leaking.
Unmap the DMA mapping in case push_scqe() failed.
Fixes: 864a3ff635fa7 ("atm: [nicstar] remove virt_to_bus() and support 64-bit platforms") Cc: Chas Williams 3chas3@gmail.com Signed-off-by: Sebastian Andrzej Siewior bigeasy@linutronix.de Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/atm/nicstar.c | 2 ++ 1 file changed, 2 insertions(+)
--- a/drivers/atm/nicstar.c +++ b/drivers/atm/nicstar.c @@ -1704,6 +1704,8 @@ static int ns_send(struct atm_vcc *vcc,
if (push_scqe(card, vc, scq, &scqe, skb) != 0) { atomic_inc(&vcc->stats->tx_err); + dma_unmap_single(&card->pcidev->dev, NS_PRV_DMA(skb), skb->len, + DMA_TO_DEVICE); dev_kfree_skb_any(skb); return -EIO; }
From: Zhang Changzhong zhangchangzhong@huawei.com
[ Upstream commit 7b027c249da54f492699c43e26cba486cfd48035 ]
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.
Fixes: 39a6f4bce6b4 ("b44: replace the ssb_dma API with the generic DMA API") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Zhang Changzhong zhangchangzhong@huawei.com Reviewed-by: Michael Chan michael.chan@broadcom.com Link: https://lore.kernel.org/r/1605582131-36735-1-git-send-email-zhangchangzhong@... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/ethernet/broadcom/b44.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/broadcom/b44.c +++ b/drivers/net/ethernet/broadcom/b44.c @@ -2393,7 +2393,8 @@ static int b44_init_one(struct ssb_devic goto err_out_free_dev; }
- if (dma_set_mask_and_coherent(sdev->dma_dev, DMA_BIT_MASK(30))) { + err = dma_set_mask_and_coherent(sdev->dma_dev, DMA_BIT_MASK(30)); + if (err) { dev_err(sdev->dev, "Required 30BIT DMA mask unsupported by the system\n"); goto err_out_powerdown;
From: Heiner Kallweit hkallweit1@gmail.com
[ Upstream commit 7a30ecc9237681bb125cbd30eee92bef7e86293d ]
In br_forward.c and br_input.c fields dev->stats.tx_dropped and dev->stats.multicast are populated, but they are ignored in ndo_get_stats64.
Fixes: 28172739f0a2 ("net: fix 64 bit counters on 32 bit arches") Signed-off-by: Heiner Kallweit hkallweit1@gmail.com Link: https://lore.kernel.org/r/58ea9963-77ad-a7cf-8dfd-fc95ab95f606@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/bridge/br_device.c | 1 + 1 file changed, 1 insertion(+)
--- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -166,6 +166,7 @@ static struct rtnl_link_stats64 *br_get_ sum.rx_packets += tmp.rx_packets; }
+ netdev_stats_to_stats64(stats, &dev->stats); stats->tx_bytes = sum.tx_bytes; stats->tx_packets = sum.tx_packets; stats->rx_bytes = sum.rx_bytes;
From: Paul Moore paul@paul-moore.com
[ Upstream commit 866358ec331f8faa394995fb4b511af1db0247c8 ]
The current NetLabel code doesn't correctly keep track of the netlink dump state in some cases, in particular when multiple interfaces with large configurations are loaded. The problem manifests itself by not reporting the full configuration to userspace, even though it is loaded and active in the kernel. This patch fixes this by ensuring that the dump state is properly reset when necessary inside the netlbl_unlabel_staticlist() function.
Fixes: 8cc44579d1bd ("NetLabel: Introduce static network labels for unlabeled connections") Signed-off-by: Paul Moore paul@paul-moore.com Link: https://lore.kernel.org/r/160484450633.3752.16512718263560813473.stgit@sifl Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/netlabel/netlabel_unlabeled.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-)
--- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1185,12 +1185,13 @@ static int netlbl_unlabel_staticlist(str struct netlbl_unlhsh_walk_arg cb_arg; u32 skip_bkt = cb->args[0]; u32 skip_chain = cb->args[1]; - u32 iter_bkt; - u32 iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; + u32 skip_addr4 = cb->args[2]; + u32 iter_bkt, iter_chain, iter_addr4 = 0, iter_addr6 = 0; struct netlbl_unlhsh_iface *iface; struct list_head *iter_list; struct netlbl_af4list *addr4; #if IS_ENABLED(CONFIG_IPV6) + u32 skip_addr6 = cb->args[3]; struct netlbl_af6list *addr6; #endif
@@ -1201,7 +1202,7 @@ static int netlbl_unlabel_staticlist(str rcu_read_lock(); for (iter_bkt = skip_bkt; iter_bkt < rcu_dereference(netlbl_unlhsh)->size; - iter_bkt++, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0) { + iter_bkt++) { iter_list = &rcu_dereference(netlbl_unlhsh)->tbl[iter_bkt]; list_for_each_entry_rcu(iface, iter_list, list) { if (!iface->valid || @@ -1209,7 +1210,7 @@ static int netlbl_unlabel_staticlist(str continue; netlbl_af4list_foreach_rcu(addr4, &iface->addr4_list) { - if (iter_addr4++ < cb->args[2]) + if (iter_addr4++ < skip_addr4) continue; if (netlbl_unlabel_staticlist_gen( NLBL_UNLABEL_C_STATICLIST, @@ -1222,10 +1223,12 @@ static int netlbl_unlabel_staticlist(str goto unlabel_staticlist_return; } } + iter_addr4 = 0; + skip_addr4 = 0; #if IS_ENABLED(CONFIG_IPV6) netlbl_af6list_foreach_rcu(addr6, &iface->addr6_list) { - if (iter_addr6++ < cb->args[3]) + if (iter_addr6++ < skip_addr6) continue; if (netlbl_unlabel_staticlist_gen( NLBL_UNLABEL_C_STATICLIST, @@ -1238,8 +1241,12 @@ static int netlbl_unlabel_staticlist(str goto unlabel_staticlist_return; } } + iter_addr6 = 0; + skip_addr6 = 0; #endif /* IPv6 */ } + iter_chain = 0; + skip_chain = 0; }
unlabel_staticlist_return:
From: Paul Moore paul@paul-moore.com
[ Upstream commit 1ba86d4366e023d96df3dbe415eea7f1dc08c303 ]
Static checking revealed that a previous fix to netlbl_unlabel_staticlist() leaves a stack variable uninitialized, this patches fixes that.
Fixes: 866358ec331f ("netlabel: fix our progress tracking in netlbl_unlabel_staticlist()") Reported-by: Dan Carpenter dan.carpenter@oracle.com Signed-off-by: Paul Moore paul@paul-moore.com Reviewed-by: James Morris jamorris@linux.microsoft.com Link: https://lore.kernel.org/r/160530304068.15651.18355773009751195447.stgit@sifl Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/netlabel/netlabel_unlabeled.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -1186,7 +1186,7 @@ static int netlbl_unlabel_staticlist(str u32 skip_bkt = cb->args[0]; u32 skip_chain = cb->args[1]; u32 skip_addr4 = cb->args[2]; - u32 iter_bkt, iter_chain, iter_addr4 = 0, iter_addr6 = 0; + u32 iter_bkt, iter_chain = 0, iter_addr4 = 0, iter_addr6 = 0; struct netlbl_unlhsh_iface *iface; struct list_head *iter_list; struct netlbl_af4list *addr4;
From: Aya Levin ayal@nvidia.com
[ Upstream commit 6d9c8d15af0ef20a66a0b432cac0d08319920602 ]
Slave function read the following capabilities from the wrong offset: 1. log_mc_entry_sz 2. fs_log_entry_sz 3. log_mc_hash_sz
Fix that by adjusting these capabilities offset to match firmware layout.
Due to the wrong offset read, the following issues might occur: 1+2. Negative value reported at max_mcast_qp_attach. 3. Driver to init FW with multicast hash size of zero.
Fixes: a40ded604365 ("net/mlx4_core: Add masking for a few queries on HCA caps") Signed-off-by: Aya Levin ayal@nvidia.com Reviewed-by: Moshe Shemesh moshe@nvidia.com Reviewed-by: Eran Ben Elisha eranbe@nvidia.com Signed-off-by: Tariq Toukan tariqt@nvidia.com Link: https://lore.kernel.org/r/20201118081922.553-1-tariqt@nvidia.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/ethernet/mellanox/mlx4/fw.c | 6 +++--- drivers/net/ethernet/mellanox/mlx4/fw.h | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/net/ethernet/mellanox/mlx4/fw.c +++ b/drivers/net/ethernet/mellanox/mlx4/fw.c @@ -1711,14 +1711,14 @@ int mlx4_INIT_HCA(struct mlx4_dev *dev, #define INIT_HCA_LOG_RD_OFFSET (INIT_HCA_QPC_OFFSET + 0x77) #define INIT_HCA_MCAST_OFFSET 0x0c0 #define INIT_HCA_MC_BASE_OFFSET (INIT_HCA_MCAST_OFFSET + 0x00) -#define INIT_HCA_LOG_MC_ENTRY_SZ_OFFSET (INIT_HCA_MCAST_OFFSET + 0x12) -#define INIT_HCA_LOG_MC_HASH_SZ_OFFSET (INIT_HCA_MCAST_OFFSET + 0x16) +#define INIT_HCA_LOG_MC_ENTRY_SZ_OFFSET (INIT_HCA_MCAST_OFFSET + 0x13) +#define INIT_HCA_LOG_MC_HASH_SZ_OFFSET (INIT_HCA_MCAST_OFFSET + 0x17) #define INIT_HCA_UC_STEERING_OFFSET (INIT_HCA_MCAST_OFFSET + 0x18) #define INIT_HCA_LOG_MC_TABLE_SZ_OFFSET (INIT_HCA_MCAST_OFFSET + 0x1b) #define INIT_HCA_DEVICE_MANAGED_FLOW_STEERING_EN 0x6 #define INIT_HCA_FS_PARAM_OFFSET 0x1d0 #define INIT_HCA_FS_BASE_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x00) -#define INIT_HCA_FS_LOG_ENTRY_SZ_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x12) +#define INIT_HCA_FS_LOG_ENTRY_SZ_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x13) #define INIT_HCA_FS_A0_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x18) #define INIT_HCA_FS_LOG_TABLE_SZ_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x1b) #define INIT_HCA_FS_ETH_BITS_OFFSET (INIT_HCA_FS_PARAM_OFFSET + 0x21) --- a/drivers/net/ethernet/mellanox/mlx4/fw.h +++ b/drivers/net/ethernet/mellanox/mlx4/fw.h @@ -184,8 +184,8 @@ struct mlx4_init_hca_param { u64 cmpt_base; u64 mtt_base; u64 global_caps; - u16 log_mc_entry_sz; - u16 log_mc_hash_sz; + u8 log_mc_entry_sz; + u8 log_mc_hash_sz; u16 hca_core_clock; /* Internal Clock Frequency (in MHz) */ u8 log_num_qps; u8 log_num_srqs;
From: Xie He xie.he.0141@gmail.com
[ Upstream commit 4ee18c179e5e815fa5575e0d2db0c05795a804ee ]
The x25_disconnect function in x25_subr.c would decrease the refcount of "x25->neighbour" (struct x25_neigh) and reset this pointer to NULL.
However, the x25_rx_call_request function in af_x25.c, which is called when we receive a connection request, does not increase the refcount when it assigns the pointer.
Fix this issue by increasing the refcount of "struct x25_neigh" in x25_rx_call_request.
This patch fixes frequent kernel crashes when using AF_X25 sockets.
Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Cc: Martin Schiller ms@dev.tdt.de Signed-off-by: Xie He xie.he.0141@gmail.com Link: https://lore.kernel.org/r/20201112103506.5875-1-xie.he.0141@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/x25/af_x25.c | 1 + 1 file changed, 1 insertion(+)
--- a/net/x25/af_x25.c +++ b/net/x25/af_x25.c @@ -1047,6 +1047,7 @@ int x25_rx_call_request(struct sk_buff * makex25->lci = lci; makex25->dest_addr = dest_addr; makex25->source_addr = source_addr; + x25_neigh_hold(nb); makex25->neighbour = nb; makex25->facilities = facilities; makex25->dte_facilities= dte_facilities;
From: Zhang Changzhong zhangchangzhong@huawei.com
[ Upstream commit 3beb9be165083c2964eba1923601c3bfac0b02d4 ]
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function.
Fixes: 3ced0a88cd4c ("qlcnic: Add support to run firmware POST") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Zhang Changzhong zhangchangzhong@huawei.com Link: https://lore.kernel.org/r/1605248186-16013-1-git-send-email-zhangchangzhong@... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c +++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_init.c @@ -2255,7 +2255,8 @@ static int qlcnic_83xx_restart_hw(struct
/* Boot either flash image or firmware image from host file system */ if (qlcnic_load_fw_file == 1) { - if (qlcnic_83xx_load_fw_image_from_host(adapter)) + err = qlcnic_83xx_load_fw_image_from_host(adapter); + if (err) return err; } else { QLC_SHARED_REG_WR32(adapter, QLCNIC_FW_IMG_VALID,
From: Xin Long lucien.xin@gmail.com
[ Upstream commit 057a10fa1f73d745c8e69aa54ab147715f5630ae ]
A call trace was found in Hangbin's Codenomicon testing with debug kernel:
[ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp] [ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0 [ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0 [ 2616.191533] Call Trace: [ 2616.194265] <IRQ> [ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0 [ 2616.207336] slab_free_freelist_hook+0xeb/0x140 [ 2616.220971] kfree+0xd6/0x2c0 [ 2616.224293] rcu_do_batch+0x3bd/0xc70 [ 2616.243096] rcu_core+0x8b9/0xd00 [ 2616.256065] __do_softirq+0x23d/0xacd [ 2616.260166] irq_exit+0x236/0x2a0 [ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620 [ 2616.269138] apic_timer_interrupt+0xf/0x20 [ 2616.273711] </IRQ>
This is because it holds asoc when transport->proto_unreach_timer starts and puts asoc when the timer stops, and without holding transport the transport could be freed when the timer is still running.
So fix it by holding/putting transport instead for proto_unreach_timer in transport, just like other timers in transport.
v1->v2: - Also use sctp_transport_put() for the "out_unlock:" path in sctp_generate_proto_unreach_event(), as Marcelo noticed.
Fixes: 50b5d6ad6382 ("sctp: Fix a race between ICMP protocol unreachable and connect()") Reported-by: Hangbin Liu liuhangbin@gmail.com Signed-off-by: Xin Long lucien.xin@gmail.com Acked-by: Marcelo Ricardo Leitner marcelo.leitner@gmail.com Link: https://lore.kernel.org/r/102788809b554958b13b95d33440f5448113b8d6.160533137... Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/sctp/input.c | 4 ++-- net/sctp/sm_sideeffect.c | 4 ++-- net/sctp/transport.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-)
--- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -448,7 +448,7 @@ void sctp_icmp_proto_unreachable(struct else { if (!mod_timer(&t->proto_unreach_timer, jiffies + (HZ/20))) - sctp_association_hold(asoc); + sctp_transport_hold(t); } } else { struct net *net = sock_net(sk); @@ -457,7 +457,7 @@ void sctp_icmp_proto_unreachable(struct "encountered!\n", __func__);
if (del_timer(&t->proto_unreach_timer)) - sctp_association_put(asoc); + sctp_transport_put(t);
sctp_do_sm(net, SCTP_EVENT_T_OTHER, SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH), --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -416,7 +416,7 @@ void sctp_generate_proto_unreach_event(u /* Try again later. */ if (!mod_timer(&transport->proto_unreach_timer, jiffies + (HZ/20))) - sctp_association_hold(asoc); + sctp_transport_hold(transport); goto out_unlock; }
@@ -432,7 +432,7 @@ void sctp_generate_proto_unreach_event(u
out_unlock: bh_unlock_sock(sk); - sctp_association_put(asoc); + sctp_transport_put(transport); }
--- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -148,7 +148,7 @@ void sctp_transport_free(struct sctp_tra
/* Delete the ICMP proto unreachable timer if it's active. */ if (del_timer(&transport->proto_unreach_timer)) - sctp_association_put(transport->asoc); + sctp_transport_put(transport);
sctp_transport_put(transport); }
From: Filip Moc dev@moc6.cz
[ Upstream commit df8d85d8c69d6837817e54dcb73c84a8b5a13877 ]
LTE module MR400 embedded in TL-MR6400 v4 requires DTR to be set.
Signed-off-by: Filip Moc dev@moc6.cz Acked-by: Bjørn Mork bjorn@mork.no Link: https://lore.kernel.org/r/20201117173631.GA550981@moc6.cz Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- drivers/net/usb/qmi_wwan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/qmi_wwan.c +++ b/drivers/net/usb/qmi_wwan.c @@ -702,7 +702,7 @@ static const struct usb_device_id produc {QMI_FIXED_INTF(0x05c6, 0x9011, 4)}, {QMI_FIXED_INTF(0x05c6, 0x9021, 1)}, {QMI_FIXED_INTF(0x05c6, 0x9022, 2)}, - {QMI_FIXED_INTF(0x05c6, 0x9025, 4)}, /* Alcatel-sbell ASB TL131 TDD LTE (China Mobile) */ + {QMI_QUIRK_SET_DTR(0x05c6, 0x9025, 4)}, /* Alcatel-sbell ASB TL131 TDD LTE (China Mobile) */ {QMI_FIXED_INTF(0x05c6, 0x9026, 3)}, {QMI_FIXED_INTF(0x05c6, 0x902e, 5)}, {QMI_FIXED_INTF(0x05c6, 0x9031, 5)},
From: Florian Fainelli f.fainelli@gmail.com
[ Upstream commit 1532b9778478577152201adbafa7738b1e844868 ]
DSA network devices rely on having their DSA management interface up and running otherwise their ndo_open() will return -ENETDOWN. Without doing this it would not be possible to use DSA devices as netconsole when configured on the command line. These devices also do not utilize the upper/lower linking so the check about the netpoll device having upper is not going to be a problem.
The solution adopted here is identical to the one done for net/ipv4/ipconfig.c with 728c02089a0e ("net: ipv4: handle DSA enabled master network devices"), with the network namespace scope being restricted to that of the process configuring netpoll.
Fixes: 04ff53f96a93 ("net: dsa: Add netconsole support") Tested-by: Vladimir Oltean olteanv@gmail.com Signed-off-by: Florian Fainelli f.fainelli@gmail.com Link: https://lore.kernel.org/r/20201117035236.22658-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski kuba@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- net/core/netpoll.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-)
--- a/net/core/netpoll.c +++ b/net/core/netpoll.c @@ -28,6 +28,7 @@ #include <linux/slab.h> #include <linux/export.h> #include <linux/if_vlan.h> +#include <net/dsa.h> #include <net/tcp.h> #include <net/udp.h> #include <net/addrconf.h> @@ -661,15 +662,15 @@ EXPORT_SYMBOL_GPL(__netpoll_setup);
int netpoll_setup(struct netpoll *np) { - struct net_device *ndev = NULL; + struct net_device *ndev = NULL, *dev = NULL; + struct net *net = current->nsproxy->net_ns; struct in_device *in_dev; int err;
rtnl_lock(); - if (np->dev_name) { - struct net *net = current->nsproxy->net_ns; + if (np->dev_name) ndev = __dev_get_by_name(net, np->dev_name); - } + if (!ndev) { np_err(np, "%s doesn't exist, aborting\n", np->dev_name); err = -ENODEV; @@ -677,6 +678,19 @@ int netpoll_setup(struct netpoll *np) } dev_hold(ndev);
+ /* bring up DSA management network devices up first */ + for_each_netdev(net, dev) { + if (!netdev_uses_dsa(dev)) + continue; + + err = dev_change_flags(dev, dev->flags | IFF_UP); + if (err < 0) { + np_err(np, "%s failed to open %s\n", + np->dev_name, dev->name); + goto put; + } + } + if (netdev_master_upper_dev_get(ndev)) { np_err(np, "%s is a slave device, aborting\n", np->dev_name); err = -EBUSY;
From: Jianqun Xu jay.xu@rock-chips.com
[ Upstream commit 63fbf8013b2f6430754526ef9594f229c7219b1f ]
There need to enable pclk_gpio when do irq_create_mapping, since it will do access to gpio controller.
Signed-off-by: Jianqun Xu jay.xu@rock-chips.com Reviewed-by: Heiko Stuebner heiko@sntech.de Reviewed-by: Kever Yangkever.yang@rock-chips.com Link: https://lore.kernel.org/r/20201013063731.3618-3-jay.xu@rock-chips.com Signed-off-by: Linus Walleij linus.walleij@linaro.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/pinctrl/pinctrl-rockchip.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c index 616055b5e9967..eba400df82154 100644 --- a/drivers/pinctrl/pinctrl-rockchip.c +++ b/drivers/pinctrl/pinctrl-rockchip.c @@ -1445,7 +1445,9 @@ static int rockchip_gpio_to_irq(struct gpio_chip *gc, unsigned offset) if (!bank->domain) return -ENXIO;
+ clk_enable(bank->clk); virq = irq_create_mapping(bank->domain, offset); + clk_disable(bank->clk);
return (virq) ? : -ENXIO; }
From: Will Deacon will@kernel.org
[ Upstream commit 891deb87585017d526b67b59c15d38755b900fea ]
cpu_psci_cpu_die() is called in the context of the dying CPU, which will no longer be online or tracked by RCU. It is therefore not generally safe to call printk() if the PSCI "cpu off" request fails, so remove the pr_crit() invocation.
Cc: Qian Cai cai@redhat.com Cc: "Paul E. McKenney" paulmck@kernel.org Cc: Catalin Marinas catalin.marinas@arm.com Link: https://lore.kernel.org/r/20201106103602.9849-2-will@kernel.org Signed-off-by: Will Deacon will@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm64/kernel/psci.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/arch/arm64/kernel/psci.c b/arch/arm64/kernel/psci.c index e6ad81556575c..ae91d202b7475 100644 --- a/arch/arm64/kernel/psci.c +++ b/arch/arm64/kernel/psci.c @@ -136,7 +136,6 @@ static int cpu_psci_cpu_disable(unsigned int cpu)
static void cpu_psci_cpu_die(unsigned int cpu) { - int ret; /* * There are no known implementations of PSCI actually using the * power state field, pass a sensible default for now. @@ -144,9 +143,7 @@ static void cpu_psci_cpu_die(unsigned int cpu) u32 state = PSCI_POWER_STATE_TYPE_POWER_DOWN << PSCI_0_2_POWER_STATE_TYPE_SHIFT;
- ret = psci_ops.cpu_off(state); - - pr_crit("unable to power off CPU%u (%d)\n", cpu, ret); + psci_ops.cpu_off(state); }
static int cpu_psci_cpu_kill(unsigned int cpu)
From: Paul Burton paul.burton@imgtec.com
[ Upstream commit 1eefcbc89cf3a8e252e5aeb25825594699b47360 ]
When the kernel is built for microMIPS, branches targets need to be known to be microMIPS code in order to result in bit 0 of the PC being set. The branch target in the BUILD_ROLLBACK_PROLOGUE macro was simply the end of the macro, which may be pointing at padding rather than at code. This results in recent enough GNU linkers complaining like so:
mips-img-linux-gnu-ld: arch/mips/built-in.o: .text+0x3e3c: Unsupported branch between ISA modes. mips-img-linux-gnu-ld: final link failed: Bad value Makefile:936: recipe for target 'vmlinux' failed make: *** [vmlinux] Error 1
Fix this by changing the branch target to be the start of the appropriate handler, skipping over any padding.
Signed-off-by: Paul Burton paul.burton@imgtec.com Cc: linux-mips@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/14019/ Signed-off-by: Ralf Baechle ralf@linux-mips.org Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/kernel/genex.S | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/arch/mips/kernel/genex.S b/arch/mips/kernel/genex.S index 7ffd158de76e5..1b837d6f73deb 100644 --- a/arch/mips/kernel/genex.S +++ b/arch/mips/kernel/genex.S @@ -142,9 +142,8 @@ LEAF(__r4k_wait) PTR_LA k1, __r4k_wait ori k0, 0x1f /* 32 byte rollback region */ xori k0, 0x1f - bne k0, k1, 9f + bne k0, k1, \handler MTC0 k0, CP0_EPC -9: .set pop .endm
From: Dan Carpenter dan.carpenter@oracle.com
[ Upstream commit 33b6c39e747c552fa770eecebd1776f1f4a222b1 ]
The "revid" is used to store negative error codes so it should be an int type.
Fixes: e27c729219ad ("Input: add driver for ADXL345/346 Digital Accelerometers") Signed-off-by: Dan Carpenter dan.carpenter@oracle.com Acked-by: Michael Hennerich michael.hennerich@analog.com Link: https://lore.kernel.org/r/20201026072824.GA1620546@mwanda Signed-off-by: Dmitry Torokhov dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/input/misc/adxl34x.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/input/misc/adxl34x.c b/drivers/input/misc/adxl34x.c index 2b2d02f408bbb..2e189646d8fe2 100644 --- a/drivers/input/misc/adxl34x.c +++ b/drivers/input/misc/adxl34x.c @@ -696,7 +696,7 @@ struct adxl34x *adxl34x_probe(struct device *dev, int irq, struct input_dev *input_dev; const struct adxl34x_platform_data *pdata; int err, range, i; - unsigned char revid; + int revid;
if (!irq) { dev_err(dev, "no IRQ?\n");
From: Sergey Matyukevich geomatsi@gmail.com
[ Upstream commit 7dd8f0ba88fce98e2953267a66af74c6f4792a56 ]
Commit bcf3440c6dd7 ("net: phy: micrel: add phy-mode support for the KSZ9031 PHY") fixed micrel phy driver adding proper support for phy modes. Adapt imx6q-udoo board phy settings : explicitly set required delay configuration using "rgmii-id".
Fixes: cbd54fe0b2bc ("ARM: dts: imx6dl-udoo: Add board support based off imx6q-udoo") Signed-off-by: Sergey Matyukevich geomatsi@gmail.com Reviewed-by: Fabio Estevam festevam@gmail.com Signed-off-by: Shawn Guo shawnguo@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/imx6qdl-udoo.dtsi | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx6qdl-udoo.dtsi b/arch/arm/boot/dts/imx6qdl-udoo.dtsi index 1211da894ee99..061e6a00b2557 100644 --- a/arch/arm/boot/dts/imx6qdl-udoo.dtsi +++ b/arch/arm/boot/dts/imx6qdl-udoo.dtsi @@ -39,7 +39,7 @@ &fec { pinctrl-names = "default"; pinctrl-0 = <&pinctrl_enet>; - phy-mode = "rgmii"; + phy-mode = "rgmii-id"; status = "okay"; };
From: Fabio Estevam festevam@gmail.com
[ Upstream commit 33d0d843872c5ddbe28457a92fc6f2487315fb9f ]
The SPI chip selects are represented as:
cs-gpios = <&gpio4 11 GPIO_ACTIVE_LOW>, <&gpio4 13 GPIO_ACTIVE_LOW>;
, which means that they are used in GPIO function instead of native SPI mode.
Fix the IOMUX for the chip select 1 to use GPIO4_13 instead of the native CSPI_SSI function.
Fixes: c605cbf5e135 ("ARM: dts: imx: add device tree support for Freescale imx50evk board") Signed-off-by: Fabio Estevam festevam@gmail.com Signed-off-by: Shawn Guo shawnguo@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- arch/arm/boot/dts/imx50-evk.dts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/imx50-evk.dts b/arch/arm/boot/dts/imx50-evk.dts index 27d763c7a307d..4dbd180e72ba6 100644 --- a/arch/arm/boot/dts/imx50-evk.dts +++ b/arch/arm/boot/dts/imx50-evk.dts @@ -66,7 +66,7 @@ MX50_PAD_CSPI_MISO__CSPI_MISO 0x00 MX50_PAD_CSPI_MOSI__CSPI_MOSI 0x00 MX50_PAD_CSPI_SS0__GPIO4_11 0xc4 - MX50_PAD_ECSPI1_MOSI__CSPI_SS1 0xf4 + MX50_PAD_ECSPI1_MOSI__GPIO4_13 0x84 >; };
From: Leo Yan leo.yan@linaro.org
[ Upstream commit b0e5a05cc9e37763c7f19366d94b1a6160c755bc ]
When execute command "perf lock report", it hits failure and outputs log as follows:
perf: builtin-lock.c:623: report_lock_release_event: Assertion `!(seq->read_count < 0)' failed. Aborted
This is an imbalance issue. The locking sequence structure "lock_seq_stat" contains the reader counter and it is used to check if the locking sequence is balance or not between acquiring and releasing.
If the tool wrongly frees "lock_seq_stat" when "read_count" isn't zero, the "read_count" will be reset to zero when allocate a new structure at the next time; thus it causes the wrong counting for reader and finally results in imbalance issue.
To fix this issue, if detects "read_count" is not zero (means still have read user in the locking sequence), goto the "end" tag to skip freeing structure "lock_seq_stat".
Fixes: e4cef1f65061 ("perf lock: Fix state machine to recognize lock sequence") Signed-off-by: Leo Yan leo.yan@linaro.org Acked-by: Jiri Olsa jolsa@redhat.com Link: https://lore.kernel.org/r/20201104094229.17509-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo acme@redhat.com Signed-off-by: Sasha Levin sashal@kernel.org --- tools/perf/builtin-lock.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/perf/builtin-lock.c b/tools/perf/builtin-lock.c index de16aaed516e6..daf2dc0232450 100644 --- a/tools/perf/builtin-lock.c +++ b/tools/perf/builtin-lock.c @@ -616,7 +616,7 @@ static int report_lock_release_event(struct perf_evsel *evsel, case SEQ_STATE_READ_ACQUIRED: seq->read_count--; BUG_ON(seq->read_count < 0); - if (!seq->read_count) { + if (seq->read_count) { ls->nr_release++; goto end; }
From: Alejandro Concepcion Rodriguez alejandro@acoro.eu
[ Upstream commit a1e654070a60d5d4f7cce59c38f4ca790bb79121 ]
netif_rx() is meant to be called from interrupt contexts. can_restart() may be called by can_restart_work(), which is called from a worqueue, so it may run in process context. Use netif_rx_ni() instead.
Fixes: 39549eef3587 ("can: CAN Network device driver and Netlink interface") Co-developed-by: Loris Fauster loris.fauster@ttcontrol.com Signed-off-by: Loris Fauster loris.fauster@ttcontrol.com Signed-off-by: Alejandro Concepcion Rodriguez alejandro@acoro.eu Link: https://lore.kernel.org/r/4e84162b-fb31-3a73-fa9a-9438b4bd5234@acoro.eu [mkl: use netif_rx_ni() instead of netif_rx_any_context()] Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/dev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c index 9579dae54af29..52110017fd401 100644 --- a/drivers/net/can/dev.c +++ b/drivers/net/can/dev.c @@ -525,7 +525,7 @@ static void can_restart(struct net_device *dev) } cf->can_id |= CAN_ERR_RESTARTED;
- netif_rx(skb); + netif_rx_ni(skb);
stats->rx_packets++; stats->rx_bytes += cf->can_dlc;
From: Colin Ian King colin.king@canonical.com
[ Upstream commit 8a68cc0d690c9e5730d676b764c6f059343b842c ]
The left shift of int 32 bit integer constant 1 is evaluated using 32 bit arithmetic and then assigned to a signed 64 bit variable. In the case where time_ref->adapter->ts_used_bits is 32 or more this can lead to an oveflow. Avoid this by shifting using the BIT_ULL macro instead.
Fixes: bb4785551f64 ("can: usb: PEAK-System Technik USB adapters driver core") Signed-off-by: Colin Ian King colin.king@canonical.com Link: https://lore.kernel.org/r/20201105112427.40688-1-colin.king@canonical.com Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/usb/peak_usb/pcan_usb_core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/usb/peak_usb/pcan_usb_core.c b/drivers/net/can/usb/peak_usb/pcan_usb_core.c index 22deddb2dbf5a..7b148174eb760 100644 --- a/drivers/net/can/usb/peak_usb/pcan_usb_core.c +++ b/drivers/net/can/usb/peak_usb/pcan_usb_core.c @@ -176,7 +176,7 @@ void peak_usb_get_ts_tv(struct peak_time_ref *time_ref, u32 ts, if (time_ref->ts_dev_1 < time_ref->ts_dev_2) { /* case when event time (tsw) wraps */ if (ts < time_ref->ts_dev_1) - delta_ts = 1 << time_ref->adapter->ts_used_bits; + delta_ts = BIT_ULL(time_ref->adapter->ts_used_bits);
/* Otherwise, sync time counter (ts_dev_2) has wrapped: * handle case when event time (tsn) hasn't. @@ -188,7 +188,7 @@ void peak_usb_get_ts_tv(struct peak_time_ref *time_ref, u32 ts, * tsn ts */ } else if (time_ref->ts_dev_1 < ts) { - delta_ts = -(1 << time_ref->adapter->ts_used_bits); + delta_ts = -BIT_ULL(time_ref->adapter->ts_used_bits); }
/* add delay between last sync and event timestamps */
From: Wu Bo wubo.oduw@gmail.com
[ Upstream commit cd0d83eab2e0c26fe87a10debfedbb23901853c1 ]
m_can_handle_state_change() is called with the new_state as an argument.
In the switch statements for CAN_STATE_ERROR_ACTIVE, the comment and the following code indicate that a CAN_STATE_ERROR_WARNING is handled.
This patch fixes this problem by changing the case to CAN_STATE_ERROR_WARNING.
Signed-off-by: Wu Bo wubo.oduw@gmail.com Link: http://lore.kernel.org/r/20200129022330.21248-2-wubo.oduw@gmail.com Cc: Dan Murphy dmurphy@ti.com Fixes: e0d1f4816f2a ("can: m_can: add Bosch M_CAN controller support") Signed-off-by: Marc Kleine-Budde mkl@pengutronix.de Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/net/can/m_can/m_can.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/can/m_can/m_can.c b/drivers/net/can/m_can/m_can.c index 195f15edb32e3..0bd7e71647964 100644 --- a/drivers/net/can/m_can/m_can.c +++ b/drivers/net/can/m_can/m_can.c @@ -572,7 +572,7 @@ static int m_can_handle_state_change(struct net_device *dev, unsigned int ecr;
switch (new_state) { - case CAN_STATE_ERROR_ACTIVE: + case CAN_STATE_ERROR_WARNING: /* error warning state */ priv->can.can_stats.error_warning++; priv->can.state = CAN_STATE_ERROR_WARNING; @@ -601,7 +601,7 @@ static int m_can_handle_state_change(struct net_device *dev, __m_can_get_berr_counter(dev, &bec);
switch (new_state) { - case CAN_STATE_ERROR_ACTIVE: + case CAN_STATE_ERROR_WARNING: /* error warning state */ cf->can_id |= CAN_ERR_CRTL; cf->data[1] = (bec.txerr > bec.rxerr) ?
From: Zhang Qilong zhangqilong3@huawei.com
[ Upstream commit ac3b57adf87ad9bac7e33ca26bbbb13fae1ed62b ]
If the clk_register fails, we should free h before function returns to prevent memleak.
Fixes: 474402291a0ad ("MIPS: Alchemy: clock framework integration of onchip clocks") Reported-by: Hulk Robot hulkci@huawei.com Signed-off-by: Zhang Qilong zhangqilong3@huawei.com Signed-off-by: Thomas Bogendoerfer tsbogend@alpha.franken.de Signed-off-by: Sasha Levin sashal@kernel.org --- arch/mips/alchemy/common/clock.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/arch/mips/alchemy/common/clock.c b/arch/mips/alchemy/common/clock.c index bd34f4093cd9f..7b0dec333c964 100644 --- a/arch/mips/alchemy/common/clock.c +++ b/arch/mips/alchemy/common/clock.c @@ -151,6 +151,7 @@ static struct clk __init *alchemy_clk_setup_cpu(const char *parent_name, { struct clk_init_data id; struct clk_hw *h; + struct clk *clk;
h = kzalloc(sizeof(*h), GFP_KERNEL); if (!h) @@ -163,7 +164,13 @@ static struct clk __init *alchemy_clk_setup_cpu(const char *parent_name, id.ops = &alchemy_clkops_cpu; h->init = &id;
- return clk_register(NULL, h); + clk = clk_register(NULL, h); + if (IS_ERR(clk)) { + pr_err("failed to register clock\n"); + kfree(h); + } + + return clk; }
/* AUXPLLs ************************************************************/
From: Nishanth Menon nm@ti.com
[ Upstream commit 2ba546ebe0ce2af47833d8912ced9b4a579f13cb ]
At the start of driver initialization, we do not know what bias setting the bootloader has configured the system for and we only know for certain the very first time we do a transition.
However, since the initial value of the comparison index is -EINVAL, this negative value results in an array out of bound access on the very first transition.
Since we don't know what the setting is, we just set the bias configuration as there is nothing to compare against. This prevents the array out of bound access.
NOTE: Even though we could use a more relaxed check of "< 0" the only valid values(ignoring cosmic ray induced bitflips) are -EINVAL, 0+.
Fixes: 40b1936efebd ("regulator: Introduce TI Adaptive Body Bias(ABB) on-chip LDO driver") Link: https://lore.kernel.org/linux-mm/CA+G9fYuk4imvhyCN7D7T6PMDH6oNp6HDCRiTUKMQ6Q... Reported-by: Naresh Kamboju naresh.kamboju@linaro.org Reviewed-by: Arnd Bergmann arnd@arndb.de Signed-off-by: Nishanth Menon nm@ti.com Link: https://lore.kernel.org/r/20201118145009.10492-1-nm@ti.com Signed-off-by: Mark Brown broonie@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org --- drivers/regulator/ti-abb-regulator.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/drivers/regulator/ti-abb-regulator.c b/drivers/regulator/ti-abb-regulator.c index 6d17357b3a248..5f5f63eb8c762 100644 --- a/drivers/regulator/ti-abb-regulator.c +++ b/drivers/regulator/ti-abb-regulator.c @@ -342,8 +342,17 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel) return ret; }
- /* If data is exactly the same, then just update index, no change */ info = &abb->info[sel]; + /* + * When Linux kernel is starting up, we are'nt sure of the + * Bias configuration that bootloader has configured. + * So, we get to know the actual setting the first time + * we are asked to transition. + */ + if (abb->current_info_idx == -EINVAL) + goto just_set_abb; + + /* If data is exactly the same, then just update index, no change */ oinfo = &abb->info[abb->current_info_idx]; if (!memcmp(info, oinfo, sizeof(*info))) { dev_dbg(dev, "%s: Same data new idx=%d, old idx=%d\n", __func__, @@ -351,6 +360,7 @@ static int ti_abb_set_voltage_sel(struct regulator_dev *rdev, unsigned sel) goto out; }
+just_set_abb: ret = ti_abb_set_opp(rdev, abb, info);
out:
From: Yicong Yang yangyicong@hisilicon.com
[ Upstream commit 488dac0c9237647e9b8f788b6a342595bfa40bda ]
The attr->set() receive a value of u64, but simple_strtoll() is used for doing the conversion. It will lead to the error cast if user inputs a negative value.
Use kstrtoull() instead of simple_strtoll() to convert a string got from the user to an unsigned value. The former will return '-EINVAL' if it gets a negetive value, but the latter can't handle the situation correctly. Make 'val' unsigned long long as what kstrtoull() takes, this will eliminate the compile warning on no 64-bit architectures.
Fixes: f7b88631a897 ("fs/libfs.c: fix simple_attr_write() on 32bit machines") Signed-off-by: Yicong Yang yangyicong@hisilicon.com Signed-off-by: Andrew Morton akpm@linux-foundation.org Cc: Al Viro viro@zeniv.linux.org.uk Link: https://lkml.kernel.org/r/1605341356-11872-1-git-send-email-yangyicong@hisil... Signed-off-by: Linus Torvalds torvalds@linux-foundation.org Signed-off-by: Sasha Levin sashal@kernel.org --- fs/libfs.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/fs/libfs.c b/fs/libfs.c index a33e95f8729bf..01e9cae5b1601 100644 --- a/fs/libfs.c +++ b/fs/libfs.c @@ -827,7 +827,7 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, size_t len, loff_t *ppos) { struct simple_attr *attr; - u64 val; + unsigned long long val; size_t size; ssize_t ret;
@@ -845,7 +845,9 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, goto out;
attr->set_buf[size] = '\0'; - val = simple_strtoll(attr->set_buf, NULL, 0); + ret = kstrtoull(attr->set_buf, 0, &val); + if (ret) + goto out; ret = attr->set(attr->data, val); if (ret == 0) ret = len; /* on success, claim we got the whole input */
From: Daniel Axtens dja@axtens.net
Gunter reports problems with the corenet64_smp_defconfig:
In file included from arch/powerpc/kernel/ppc_ksyms.c:10:0: arch/powerpc/include/asm/book3s/64/kup-radix.h:11:29: error: redefinition of ‘allow_user_access’ static __always_inline void allow_user_access(void __user *to, const void __user *from, ^~~~~~~~~~~~~~~~~ In file included from arch/powerpc/include/asm/uaccess.h:12:0, from arch/powerpc/kernel/ppc_ksyms.c:8: arch/powerpc/include/asm/kup.h:12:20: note: previous definition of ‘allow_user_access’ was here static inline void allow_user_access(void __user *to, const void __user *from, ^~~~~~~~~~~~~~~~~
This is because ppc_ksyms.c imports asm/book3s/64/kup-radix.h guarded by CONFIG_PPC64, rather than CONFIG_PPC_BOOK3S_64 which it should do.
Fix it.
Reported-by: Guenter Roeck linux@roeck-us.net Signed-off-by: Daniel Axtens dja@axtens.net Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org --- arch/powerpc/kernel/ppc_ksyms.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/powerpc/kernel/ppc_ksyms.c +++ b/arch/powerpc/kernel/ppc_ksyms.c @@ -6,7 +6,7 @@ #include <asm/cacheflush.h> #include <asm/epapr_hcalls.h> #include <asm/uaccess.h> -#ifdef CONFIG_PPC64 +#ifdef CONFIG_PPC_BOOK3S_64 #include <asm/book3s/64/kup-radix.h> #endif
@@ -50,6 +50,6 @@ EXPORT_SYMBOL(current_stack_pointer);
EXPORT_SYMBOL(__arch_clear_user);
-#ifdef CONFIG_PPC64 +#ifdef CONFIG_PPC_BOOK3S_64 EXPORT_SYMBOL(do_uaccess_flush); #endif
From: Takashi Sakamoto o-takashi@sakamocchi.jp
commit 95a793c3bc75cf888e0e641d656e7d080f487d8b upstream.
When processing request to add/replace user-defined element set, check of given element identifier and decision of numeric identifier is done in "__snd_ctl_add_replace()" helper function. When the result of check is wrong, the helper function returns error code. The error code shall be returned to userspace application.
Current implementation includes bug to return zero to userspace application regardless of the result. This commit fixes the bug.
Cc: stable@vger.kernel.org Fixes: e1a7bfe38079 ("ALSA: control: Fix race between adding and removing a user element") Signed-off-by: Takashi Sakamoto o-takashi@sakamocchi.jp Link: https://lore.kernel.org/r/20201113092043.16148-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/core/control.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/core/control.c +++ b/sound/core/control.c @@ -1349,7 +1349,7 @@ static int snd_ctl_elem_add(struct snd_c
unlock: up_write(&card->controls_rwsem); - return 0; + return err; }
static int snd_ctl_elem_add_user(struct snd_ctl_file *file,
From: Takashi Iwai tiwai@suse.de
commit d21b96c8ed2aea7e6b7bf4735e1d2503cfbf4072 upstream.
The code change for switching to non-atomic mode brought the unexpected mutex deadlock in get_msg(). It converted the spinlock with the existing mutex, but there were calls with the already holding the mutex. Since the only place that needs the extra lock is the code path from snd_mixart_send_msg(), remove the mutex lock in get_msg() and apply in the caller side for fixing the mutex deadlock.
Fixes: 8d3a8b5cb57d ("ALSA: mixart: Use nonatomic PCM ops") Reported-by: Dan Carpenter dan.carpenter@oracle.com Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20201119121440.18945-1-tiwai@suse.de Signed-off-by: Takashi Iwai tiwai@suse.de Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- sound/pci/mixart/mixart_core.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-)
--- a/sound/pci/mixart/mixart_core.c +++ b/sound/pci/mixart/mixart_core.c @@ -83,7 +83,6 @@ static int get_msg(struct mixart_mgr *mg unsigned int i; #endif
- mutex_lock(&mgr->msg_lock); err = 0;
/* copy message descriptor from miXart to driver */ @@ -132,8 +131,6 @@ static int get_msg(struct mixart_mgr *mg writel_be(headptr, MIXART_MEM(mgr, MSG_OUTBOUND_FREE_HEAD));
_clean_exit: - mutex_unlock(&mgr->msg_lock); - return err; }
@@ -271,7 +268,9 @@ int snd_mixart_send_msg(struct mixart_mg resp.data = resp_data; resp.size = max_resp_size;
+ mutex_lock(&mgr->msg_lock); err = get_msg(mgr, &resp, msg_frame); + mutex_unlock(&mgr->msg_lock);
if( request->message_id != resp.message_id ) dev_err(&mgr->pci->dev, "RESPONSE ERROR!\n");
From: Fugang Duan fugang.duan@nxp.com
commit e67c139c488e84e7eae6c333231e791f0e89b3fb upstream.
For below code, there has chance to cause deadlock in SMP system: Thread 1: clk_enable_lock(); pr_info("debug message"); clk_enable_unlock();
Thread 2: imx_uart_console_write() clk_enable() clk_enable_lock();
Thread 1: Acuired clk enable_lock -> printk -> console_trylock_spinning Thread 2: console_unlock() -> imx_uart_console_write -> clk_disable -> Acquite clk enable_lock
So the patch is to keep console port clocks always on like other console drivers.
Fixes: 1cf93e0d5488 ("serial: imx: remove the uart_console() check") Acked-by: Uwe Kleine-König u.kleine-koenig@pengutronix.de Signed-off-by: Fugang Duan fugang.duan@nxp.com Link: https://lore.kernel.org/r/20201111025136.29818-1-fugang.duan@nxp.com Cc: stable stable@vger.kernel.org [fix up build warning - gregkh] Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/tty/serial/imx.c | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-)
--- a/drivers/tty/serial/imx.c +++ b/drivers/tty/serial/imx.c @@ -1628,16 +1628,6 @@ imx_console_write(struct console *co, co unsigned int ucr1; unsigned long flags = 0; int locked = 1; - int retval; - - retval = clk_enable(sport->clk_per); - if (retval) - return; - retval = clk_enable(sport->clk_ipg); - if (retval) { - clk_disable(sport->clk_per); - return; - }
if (sport->port.sysrq) locked = 0; @@ -1673,9 +1663,6 @@ imx_console_write(struct console *co, co
if (locked) spin_unlock_irqrestore(&sport->port.lock, flags); - - clk_disable(sport->clk_ipg); - clk_disable(sport->clk_per); }
/* @@ -1776,15 +1763,14 @@ imx_console_setup(struct console *co, ch
retval = uart_set_options(&sport->port, co, baud, parity, bits, flow);
- clk_disable(sport->clk_ipg); if (retval) { - clk_unprepare(sport->clk_ipg); + clk_disable_unprepare(sport->clk_ipg); goto error_console; }
- retval = clk_prepare(sport->clk_per); + retval = clk_prepare_enable(sport->clk_per); if (retval) - clk_unprepare(sport->clk_ipg); + clk_disable_unprepare(sport->clk_ipg);
error_console: return retval;
From: Vamshi K Sthambamkadi vamshi.k.sthambamkadi@gmail.com
commit fe5186cf12e30facfe261e9be6c7904a170bd822 upstream.
kmemleak report: unreferenced object 0xffff9b8915fcb000 (size 4096): comm "efivarfs.sh", pid 2360, jiffies 4294920096 (age 48.264s) hex dump (first 32 bytes): 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -............... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000cc4d897c>] kmem_cache_alloc_trace+0x155/0x4b0 [<000000007d1dfa72>] efivarfs_create+0x6e/0x1a0 [<00000000e6ee18fc>] path_openat+0xe4b/0x1120 [<000000000ad0414f>] do_filp_open+0x91/0x100 [<00000000ce93a198>] do_sys_openat2+0x20c/0x2d0 [<000000002a91be6d>] do_sys_open+0x46/0x80 [<000000000a854999>] __x64_sys_openat+0x20/0x30 [<00000000c50d89c9>] do_syscall_64+0x38/0x90 [<00000000cecd6b5f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
In efivarfs_create(), inode->i_private is setup with efivar_entry object which is never freed.
Cc: stable@vger.kernel.org Signed-off-by: Vamshi K Sthambamkadi vamshi.k.sthambamkadi@gmail.com Link: https://lore.kernel.org/r/20201023115429.GA2479@cosmos Signed-off-by: Ard Biesheuvel ardb@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/efivarfs/super.c | 1 + 1 file changed, 1 insertion(+)
--- a/fs/efivarfs/super.c +++ b/fs/efivarfs/super.c @@ -23,6 +23,7 @@ LIST_HEAD(efivarfs_list); static void efivarfs_evict_inode(struct inode *inode) { clear_inode(inode); + kfree(inode->i_private); }
static const struct super_operations efivarfs_ops = {
From: Jan Kara jack@suse.cz
commit f902b216501094495ff75834035656e8119c537f upstream.
The idea of the warning in ext4_update_dx_flag() is that we should warn when we are clearing EXT4_INODE_INDEX on a filesystem with metadata checksums enabled since after clearing the flag, checksums for internal htree nodes will become invalid. So there's no need to warn (or actually do anything) when EXT4_INODE_INDEX is not set.
Link: https://lore.kernel.org/r/20201118153032.17281-1-jack@suse.cz Fixes: 48a34311953d ("ext4: fix checksum errors with indexed dirs") Reported-by: Eric Biggers ebiggers@kernel.org Reviewed-by: Eric Biggers ebiggers@google.com Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/ext4/ext4.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h @@ -2398,7 +2398,8 @@ int ext4_insert_dentry(struct inode *dir struct ext4_filename *fname); static inline void ext4_update_dx_flag(struct inode *inode) { - if (!ext4_has_feature_dir_index(inode->i_sb)) { + if (!ext4_has_feature_dir_index(inode->i_sb) && + ext4_test_inode_flag(inode, EXT4_INODE_INDEX)) { /* ext4_iget() should have caught this... */ WARN_ON_ONCE(ext4_has_feature_metadata_csum(inode->i_sb)); ext4_clear_inode_flag(inode, EXT4_INODE_INDEX);
From: Max Filippov jcmvbkbc@gmail.com
commit 3a860d165eb5f4d7cf0bf81ef6a5b5c5e1754422 upstream.
Although cache alias management calls set up and tear down TLB entries and fast_second_level_miss is able to restore TLB entry should it be evicted they absolutely cannot preempt each other because they use the same TLBTEMP area for different purposes. Disable preemption around all cache alias management calls to enforce that.
Cc: stable@vger.kernel.org Signed-off-by: Max Filippov jcmvbkbc@gmail.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/xtensa/mm/cache.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
--- a/arch/xtensa/mm/cache.c +++ b/arch/xtensa/mm/cache.c @@ -74,8 +74,10 @@ static inline void kmap_invalidate_coher kvaddr = TLBTEMP_BASE_1 + (page_to_phys(page) & DCACHE_ALIAS_MASK);
+ preempt_disable(); __invalidate_dcache_page_alias(kvaddr, page_to_phys(page)); + preempt_enable(); } } } @@ -162,6 +164,7 @@ void flush_dcache_page(struct page *page if (!alias && !mapping) return;
+ preempt_disable(); virt = TLBTEMP_BASE_1 + (phys & DCACHE_ALIAS_MASK); __flush_invalidate_dcache_page_alias(virt, phys);
@@ -172,6 +175,7 @@ void flush_dcache_page(struct page *page
if (mapping) __invalidate_icache_page_alias(virt, phys); + preempt_enable(); }
/* There shouldn't be an entry in the cache for this page anymore. */ @@ -204,8 +208,10 @@ void local_flush_cache_page(struct vm_ar unsigned long phys = page_to_phys(pfn_to_page(pfn)); unsigned long virt = TLBTEMP_BASE_1 + (address & DCACHE_ALIAS_MASK);
+ preempt_disable(); __flush_invalidate_dcache_page_alias(virt, phys); __invalidate_icache_page_alias(virt, phys); + preempt_enable(); }
#endif @@ -231,11 +237,13 @@ update_mmu_cache(struct vm_area_struct * unsigned long phys = page_to_phys(page); unsigned long tmp;
+ preempt_disable(); tmp = TLBTEMP_BASE_1 + (phys & DCACHE_ALIAS_MASK); __flush_invalidate_dcache_page_alias(tmp, phys); tmp = TLBTEMP_BASE_1 + (addr & DCACHE_ALIAS_MASK); __flush_invalidate_dcache_page_alias(tmp, phys); __invalidate_icache_page_alias(tmp, phys); + preempt_enable();
clear_bit(PG_arch_1, &page->flags); } @@ -269,7 +277,9 @@ void copy_to_user_page(struct vm_area_st
if (alias) { unsigned long t = TLBTEMP_BASE_1 + (vaddr & DCACHE_ALIAS_MASK); + preempt_disable(); __flush_invalidate_dcache_page_alias(t, phys); + preempt_enable(); }
/* Copy data */ @@ -284,9 +294,11 @@ void copy_to_user_page(struct vm_area_st if (alias) { unsigned long t = TLBTEMP_BASE_1 + (vaddr & DCACHE_ALIAS_MASK);
+ preempt_disable(); __flush_invalidate_dcache_range((unsigned long) dst, len); if ((vma->vm_flags & VM_EXEC) != 0) __invalidate_icache_page_alias(t, phys); + preempt_enable();
} else if ((vma->vm_flags & VM_EXEC) != 0) { __flush_dcache_range((unsigned long)dst,len); @@ -308,7 +320,9 @@ extern void copy_from_user_page(struct v
if (alias) { unsigned long t = TLBTEMP_BASE_1 + (vaddr & DCACHE_ALIAS_MASK); + preempt_disable(); __flush_invalidate_dcache_page_alias(t, phys); + preempt_enable(); }
memcpy(dst, src, len);
From: Felix Fietkau nbd@nbd.name
commit 4fe40b8e1566dad04c87fbf299049a1d0d4bd58d upstream.
Deferring sampling attempts to the second stage has some bad interactions with drivers that process the rate table in hardware and use the probe flag to indicate probing packets (e.g. most mt76 drivers). On affected drivers it can lead to probing not working at all.
If the link conditions turn worse, it might not be such a good idea to do a lot of sampling for lower rates in this case.
Fix this by simply skipping the sample attempt instead of deferring it, but keep the checks that would allow it to be sampled if it was skipped too often, but only if it has less than 95% success probability.
Also ensure that IEEE80211_TX_CTL_RATE_CTRL_PROBE is set for all probing packets.
Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau nbd@nbd.name Link: https://lore.kernel.org/r/20201111183359.43528-2-nbd@nbd.name Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/mac80211/rc80211_minstrel.c | 25 ++++--------------------- net/mac80211/rc80211_minstrel.h | 1 - 2 files changed, 4 insertions(+), 22 deletions(-)
--- a/net/mac80211/rc80211_minstrel.c +++ b/net/mac80211/rc80211_minstrel.c @@ -287,12 +287,6 @@ minstrel_tx_status(void *priv, struct ie mi->r[ndx].stats.success += success; }
- if ((info->flags & IEEE80211_TX_CTL_RATE_CTRL_PROBE) && (i >= 0)) - mi->sample_packets++; - - if (mi->sample_deferred > 0) - mi->sample_deferred--; - if (time_after(jiffies, mi->last_stats_update + (mp->update_interval * HZ) / 1000)) minstrel_update_stats(mp, mi); @@ -366,7 +360,7 @@ minstrel_get_rate(void *priv, struct iee #endif
delta = (mi->total_packets * sampling_ratio / 100) - - (mi->sample_packets + mi->sample_deferred / 2); + mi->sample_packets;
/* delta < 0: no sampling required */ prev_sample = mi->prev_sample; @@ -375,7 +369,6 @@ minstrel_get_rate(void *priv, struct iee return;
if (mi->total_packets >= 10000) { - mi->sample_deferred = 0; mi->sample_packets = 0; mi->total_packets = 0; } else if (delta > mi->n_rates * 2) { @@ -400,19 +393,8 @@ minstrel_get_rate(void *priv, struct iee * rate sampling method should be used. * Respect such rates that are not sampled for 20 interations. */ - if (mrr_capable && - msr->perfect_tx_time > mr->perfect_tx_time && - msr->stats.sample_skipped < 20) { - /* Only use IEEE80211_TX_CTL_RATE_CTRL_PROBE to mark - * packets that have the sampling rate deferred to the - * second MRR stage. Increase the sample counter only - * if the deferred sample rate was actually used. - * Use the sample_deferred counter to make sure that - * the sampling is not done in large bursts */ - info->flags |= IEEE80211_TX_CTL_RATE_CTRL_PROBE; - rate++; - mi->sample_deferred++; - } else { + if (msr->perfect_tx_time < mr->perfect_tx_time || + msr->stats.sample_skipped >= 20) { if (!msr->sample_limit) return;
@@ -432,6 +414,7 @@ minstrel_get_rate(void *priv, struct iee
rate->idx = mi->r[ndx].rix; rate->count = minstrel_get_retry_count(&mi->r[ndx], info); + info->flags |= IEEE80211_TX_CTL_RATE_CTRL_PROBE; }
--- a/net/mac80211/rc80211_minstrel.h +++ b/net/mac80211/rc80211_minstrel.h @@ -105,7 +105,6 @@ struct minstrel_sta_info { u8 max_prob_rate; unsigned int total_packets; unsigned int sample_packets; - int sample_deferred;
unsigned int sample_row; unsigned int sample_column;
From: Felix Fietkau nbd@nbd.name
commit b2911a84396f72149dce310a3b64d8948212c1b3 upstream.
Some drivers fill the status rate list without setting the rate index after the final rate to -1. minstrel_ht already deals with this, but minstrel doesn't, which causes it to get stuck at the lowest rate on these drivers.
Fix this by checking the count as well.
Cc: stable@vger.kernel.org Fixes: cccf129f820e ("mac80211: add the 'minstrel' rate control algorithm") Signed-off-by: Felix Fietkau nbd@nbd.name Link: https://lore.kernel.org/r/20201111183359.43528-3-nbd@nbd.name Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/mac80211/rc80211_minstrel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mac80211/rc80211_minstrel.c +++ b/net/mac80211/rc80211_minstrel.c @@ -274,7 +274,7 @@ minstrel_tx_status(void *priv, struct ie success = !!(info->flags & IEEE80211_TX_STAT_ACK);
for (i = 0; i < IEEE80211_TX_MAX_RATES; i++) { - if (ar[i].idx < 0) + if (ar[i].idx < 0 || !ar[i].count) break;
ndx = rix_to_ndx(mi, ar[i].idx);
From: Johannes Berg johannes.berg@intel.com
commit 3110489117581a980537b6d999a3724214ba772c upstream.
Some devices or drivers cannot deal with having the same station address for different virtual interfaces, say as a client to two virtual AP interfaces. Rather than requiring each driver with a limitation like that to enforce it, add a hardware flag for it.
Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- include/net/mac80211.h | 6 ++++++ net/mac80211/debugfs.c | 1 + net/mac80211/sta_info.c | 18 ++++++++++++++++-- 3 files changed, 23 insertions(+), 2 deletions(-)
--- a/include/net/mac80211.h +++ b/include/net/mac80211.h @@ -1915,6 +1915,11 @@ struct ieee80211_txq { * @IEEE80211_HW_BEACON_TX_STATUS: The device/driver provides TX status * for sent beacons. * + * @IEEE80211_HW_NEEDS_UNIQUE_STA_ADDR: Hardware (or driver) requires that each + * station has a unique address, i.e. each station entry can be identified + * by just its MAC address; this prevents, for example, the same station + * from connecting to two virtual AP interfaces at the same time. + * * @NUM_IEEE80211_HW_FLAGS: number of hardware flags, used for sizing arrays */ enum ieee80211_hw_flags { @@ -1950,6 +1955,7 @@ enum ieee80211_hw_flags { IEEE80211_HW_TDLS_WIDER_BW, IEEE80211_HW_SUPPORTS_AMSDU_IN_AMPDU, IEEE80211_HW_BEACON_TX_STATUS, + IEEE80211_HW_NEEDS_UNIQUE_STA_ADDR,
/* keep last, obviously */ NUM_IEEE80211_HW_FLAGS --- a/net/mac80211/debugfs.c +++ b/net/mac80211/debugfs.c @@ -125,6 +125,7 @@ static const char *hw_flag_names[] = { FLAG(TDLS_WIDER_BW), FLAG(SUPPORTS_AMSDU_IN_AMPDU), FLAG(BEACON_TX_STATUS), + FLAG(NEEDS_UNIQUE_STA_ADDR), #undef FLAG };
--- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -457,6 +457,19 @@ static int sta_info_insert_check(struct is_multicast_ether_addr(sta->sta.addr))) return -EINVAL;
+ /* Strictly speaking this isn't necessary as we hold the mutex, but + * the rhashtable code can't really deal with that distinction. We + * do require the mutex for correctness though. + */ + rcu_read_lock(); + lockdep_assert_held(&sdata->local->sta_mtx); + if (ieee80211_hw_check(&sdata->local->hw, NEEDS_UNIQUE_STA_ADDR) && + ieee80211_find_sta_by_ifaddr(&sdata->local->hw, sta->addr, NULL)) { + rcu_read_unlock(); + return -ENOTUNIQ; + } + rcu_read_unlock(); + return 0; }
@@ -585,14 +598,15 @@ int sta_info_insert_rcu(struct sta_info
might_sleep();
+ mutex_lock(&local->sta_mtx); + err = sta_info_insert_check(sta); if (err) { + mutex_unlock(&local->sta_mtx); rcu_read_lock(); goto out_free; }
- mutex_lock(&local->sta_mtx); - err = sta_info_insert_finish(sta); if (err) goto out_free;
From: Johannes Berg johannes.berg@intel.com
commit 7bc40aedf24d31d8bea80e1161e996ef4299fb10 upstream.
If sta_info_insert_finish() fails, we currently keep the station around and free it only in the caller, but there's only one such caller and it always frees it immediately.
As syzbot found, another consequence of this split is that we can put things that sleep only into __cleanup_single_sta() and not in sta_info_free(), but this is the only place that requires such of sta_info_free() now.
Change this to free the station in sta_info_insert_finish(), in which case we can still sleep. This will also let us unify the cleanup code later.
Cc: stable@vger.kernel.org Fixes: dcd479e10a05 ("mac80211: always wind down STA state") Reported-by: syzbot+32c6c38c4812d22f2f0b@syzkaller.appspotmail.com Reported-by: syzbot+4c81fe92e372d26c4246@syzkaller.appspotmail.com Reported-by: syzbot+6a7fe9faf0d1d61bc24a@syzkaller.appspotmail.com Reported-by: syzbot+abed06851c5ffe010921@syzkaller.appspotmail.com Reported-by: syzbot+b7aeb9318541a1c709f1@syzkaller.appspotmail.com Reported-by: syzbot+d5a9416c6cafe53b5dd0@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/20201112112201.ee6b397b9453.I9c31d667a0ea2151441cc... Signed-off-by: Johannes Berg johannes.berg@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- net/mac80211/sta_info.c | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-)
--- a/net/mac80211/sta_info.c +++ b/net/mac80211/sta_info.c @@ -583,7 +583,7 @@ static int sta_info_insert_finish(struct out_drop_sta: local->num_sta--; synchronize_net(); - __cleanup_single_sta(sta); + cleanup_single_sta(sta); out_err: mutex_unlock(&local->sta_mtx); kfree(sinfo); @@ -602,19 +602,13 @@ int sta_info_insert_rcu(struct sta_info
err = sta_info_insert_check(sta); if (err) { + sta_info_free(local, sta); mutex_unlock(&local->sta_mtx); rcu_read_lock(); - goto out_free; + return err; }
- err = sta_info_insert_finish(sta); - if (err) - goto out_free; - - return 0; - out_free: - sta_info_free(local, sta); - return err; + return sta_info_insert_finish(sta); }
int sta_info_insert(struct sta_info *sta)
From: Thomas Richter tmricht@linux.ibm.com
commit 78d732e1f326f74f240d416af9484928303d9951 upstream.
This file is installed by the s390 CPU Measurement sampling facility device driver to export supported minimum and maximum sample buffer sizes. This file is read by lscpumf tool to display the details of the device driver capabilities. The lscpumf tool might be invoked by a non-root user. In this case it does not print anything because the file contents can not be read.
Fix this by allowing read access for all users. Reading the file contents is ok, changing the file contents is left to the root user only.
For further reference and details see: [1] https://github.com/ibm-s390-tools/s390-tools/issues/97
Fixes: 69f239ed335a ("s390/cpum_sf: Dynamically extend the sampling buffer if overflows occur") Cc: stable@vger.kernel.org # 3.14 Signed-off-by: Thomas Richter tmricht@linux.ibm.com Acked-by: Sumanth Korikkar sumanthk@linux.ibm.com Signed-off-by: Heiko Carstens hca@linux.ibm.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/s390/kernel/perf_cpum_sf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/s390/kernel/perf_cpum_sf.c +++ b/arch/s390/kernel/perf_cpum_sf.c @@ -1666,4 +1666,4 @@ out: return err; } arch_initcall(init_cpum_sampling_pmu); -core_param(cpum_sfb_size, CPUM_SF_MAX_SDB, sfb_size, 0640); +core_param(cpum_sfb_size, CPUM_SF_MAX_SDB, sfb_size, 0644);
From: Chen Yu yu.c.chen@intel.com
commit 1a371e67dc77125736cc56d3a0893f06b75855b6 upstream.
Currently, scan_microcode() leverages microcode_matches() to check if the microcode matches the CPU by comparing the family and model. However, the processor stepping and flags of the microcode signature should also be considered when saving a microcode patch for early update.
Use find_matching_signature() in scan_microcode() and get rid of the now-unused microcode_matches() which is a good cleanup in itself.
Complete the verification of the patch being saved for early loading in save_microcode_patch() directly. This needs to be done there too because save_mc_for_early() will call save_microcode_patch() too.
The second reason why this needs to be done is because the loader still tries to support, at least hypothetically, mixed-steppings systems and thus adds all patches to the cache that belong to the same CPU model albeit with different steppings.
For example:
microcode: CPU: sig=0x906ec, pf=0x2, rev=0xd6 microcode: mc_saved[0]: sig=0x906e9, pf=0x2a, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[1]: sig=0x906ea, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[2]: sig=0x906eb, pf=0x2, rev=0xd6, total size=0x19400, date = 2020-04-23 microcode: mc_saved[3]: sig=0x906ec, pf=0x22, rev=0xd6, total size=0x19000, date = 2020-04-27 microcode: mc_saved[4]: sig=0x906ed, pf=0x22, rev=0xd6, total size=0x19400, date = 2020-04-23
The patch which is being saved for early loading, however, can only be the one which fits the CPU this runs on so do the signature verification before saving.
[ bp: Do signature verification in save_microcode_patch() and rewrite commit message. ]
Fixes: ec400ddeff20 ("x86/microcode_intel_early.c: Early update ucode on Intel's CPU") Signed-off-by: Chen Yu yu.c.chen@intel.com Signed-off-by: Borislav Petkov bp@suse.de Cc: stable@vger.kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=208535 Link: https://lkml.kernel.org/r/20201113015923.13960-1-yu.c.chen@intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/cpu/microcode/intel.c | 49 +--------------------------------- 1 file changed, 2 insertions(+), 47 deletions(-)
--- a/arch/x86/kernel/cpu/microcode/intel.c +++ b/arch/x86/kernel/cpu/microcode/intel.c @@ -132,51 +132,6 @@ load_microcode(struct mc_saved_data *mc_ } }
-/* - * Given CPU signature and a microcode patch, this function finds if the - * microcode patch has matching family and model with the CPU. - */ -static enum ucode_state -matching_model_microcode(struct microcode_header_intel *mc_header, - unsigned long sig) -{ - unsigned int fam, model; - unsigned int fam_ucode, model_ucode; - struct extended_sigtable *ext_header; - unsigned long total_size = get_totalsize(mc_header); - unsigned long data_size = get_datasize(mc_header); - int ext_sigcount, i; - struct extended_signature *ext_sig; - - fam = __x86_family(sig); - model = x86_model(sig); - - fam_ucode = __x86_family(mc_header->sig); - model_ucode = x86_model(mc_header->sig); - - if (fam == fam_ucode && model == model_ucode) - return UCODE_OK; - - /* Look for ext. headers: */ - if (total_size <= data_size + MC_HEADER_SIZE) - return UCODE_NFOUND; - - ext_header = (void *) mc_header + data_size + MC_HEADER_SIZE; - ext_sig = (void *)ext_header + EXT_HEADER_SIZE; - ext_sigcount = ext_header->count; - - for (i = 0; i < ext_sigcount; i++) { - fam_ucode = __x86_family(ext_sig->sig); - model_ucode = x86_model(ext_sig->sig); - - if (fam == fam_ucode && model == model_ucode) - return UCODE_OK; - - ext_sig++; - } - return UCODE_NFOUND; -} - static int save_microcode(struct mc_saved_data *mc_saved_data, struct microcode_intel **mc_saved_src, @@ -321,8 +276,8 @@ get_matching_model_microcode(int cpu, un * the platform, we need to find and save microcode patches * with the same family and model as the BSP. */ - if (matching_model_microcode(mc_header, uci->cpu_sig.sig) != - UCODE_OK) { + if (!find_matching_signature(mc_header, uci->cpu_sig.sig, + uci->cpu_sig.pf)) { ucode_ptr += mc_size; continue; }
On Mon, 23 Nov 2020 13:21:46 +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.246-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
All tests passing for Tegra ...
Test results for stable-v4.4: 6 builds: 6 pass, 0 fail 12 boots: 12 pass, 0 fail 25 tests: 25 pass, 0 fail
Linux version: 4.4.246-rc1-g4524983a3596 Boards tested: tegra124-jetson-tk1, tegra20-ventana, tegra30-cardhu-a04
Tested-by: Jon Hunter jonathanh@nvidia.com
Jon
On Mon, Nov 23, 2020 at 01:21:46PM +0100, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
Build results: total: 165 pass: 165 fail: 0 Qemu test results: total: 328 pass: 328 fail: 0
Guenter
On 11/23/20 5:21 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.246-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan skhan@linuxfoundation.org
thanks, -- Shuah
On Mon, 23 Nov 2020 at 17:54, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
The whole patch series can be found in one patch at: https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.246-rc1... or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y and the diffstat can be found below.
thanks,
greg k-h
Results from Linaro’s test farm. No regressions on arm64, arm, x86_64, and i386.
Summary ------------------------------------------------------------------------
kernel: 4.4.246-rc1 git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git git branch: linux-4.4.y git commit: 4524983a35968dbde7b8818db1dd43d7fb215742 git describe: v4.4.245-39-g4524983a3596 Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.4.y/build/v4.4.24...
No regressions (compared to build v4.4.245)
No fixes (compared to build v4.4.245)
Ran 24777 total tests in the following environments and test suites.
Environments -------------- - arm - arm64 - i386 - juno-r2 - arm64 - mips - qemu-arm64-clang - qemu-arm64-kasan - qemu-x86_64-clang - qemu-x86_64-kasan - qemu_arm - qemu_arm64 - qemu_arm64-compat - qemu_i386 - qemu_x86_64 - qemu_x86_64-compat - sparc - x15 - arm - x86_64 - x86-kasan
Test Suites ----------- * build * libhugetlbfs * linux-log-parser * ltp-cap_bounds-tests * ltp-commands-tests * ltp-controllers-tests * ltp-cpuhotplug-tests * ltp-crypto-tests * ltp-cve-tests * ltp-dio-tests * ltp-fcntl-locktests-tests * ltp-filecaps-tests * ltp-fs-tests * ltp-fs_bind-tests * ltp-fs_perms_simple-tests * ltp-fsx-tests * ltp-hugetlb-tests * ltp-io-tests * ltp-ipc-tests * ltp-math-tests * ltp-mm-tests * ltp-nptl-tests * ltp-open-posix-tests * ltp-pty-tests * ltp-sched-tests * ltp-securebits-tests * ltp-syscalls-tests * ltp-tracing-tests * network-basic-tests * perf * v4l2-compliance * ltp-containers-tests * install-android-platform-tools-r2600 * kvm-unit-tests
Summary ------------------------------------------------------------------------
kernel: 4.4.246-rc1 git repo: https://git.linaro.org/lkft/arm64-stable-rc.git git branch: 4.4.246-rc1-hikey-20201123-865 git commit: 0860acfef9117bf9726adb90dfc46cd717fddd3b git describe: 4.4.246-rc1-hikey-20201123-865 Test details: https://qa-reports.linaro.org/lkft/linaro-hikey-stable-rc-4.4-oe/build/4.4.2...
No regressions (compared to build 4.4.245-rc1-hikey-20201120-861)
No fixes (compared to build 4.4.245-rc1-hikey-20201120-861)
Ran 1800 total tests in the following environments and test suites.
Environments -------------- - hi6220-hikey - arm64
Test Suites ----------- * build * install-android-platform-tools-r2600 * libhugetlbfs * linux-log-parser * ltp-cap_bounds-tests * ltp-commands-tests * ltp-containers-tests * ltp-cpuhotplug-tests * ltp-cve-tests * ltp-dio-tests * ltp-fcntl-locktests-tests * ltp-filecaps-tests * ltp-fs-tests * ltp-fs_bind-tests * ltp-fs_perms_simple-tests * ltp-fsx-tests * ltp-hugetlb-tests * ltp-io-tests * ltp-ipc-tests * ltp-math-tests * ltp-mm-tests * ltp-nptl-tests * ltp-pty-tests * ltp-sched-tests * ltp-securebits-tests * ltp-syscalls-tests * perf * spectre-meltdown-checker-test * v4l2-compliance
On Mon 2020-11-23 13:21:46, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.4.246 release. There are 38 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Wed, 25 Nov 2020 12:17:50 +0000. Anything received after that time might be too late.
And anything before may be too late, too. Why publish date when you release day too early, anyway? It is misleading.
Fortunately CIP testing did not find any problems.
Tested-by: Pavel Machek (CIP) pavel@denx.de
Best regards, Pavel
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Guenter Roeck -
Jon Hunter -
Naresh Kamboju -
Pavel Machek -
Shuah Khan