forked from torvalds/linux
Update 5.10.x+fslc up to v5.10.60 #418
Merged
commit 9898cb2 upstream. The ADS7950 requires that CS is deasserted after each SPI word. Before commit e2540da ("iio: adc: ti-ads7950: use SPI_CS_WORD to reduce CPU usage") the driver used a message with one spi transfer per channel where each but the last one had .cs_change set to enforce a CS toggle. This was wrongly translated into a message with a single transfer and .cs_change set which results in a CS toggle after each word but the last which corrupts the first adc conversion of all readouts after the first readout. Fixes: e2540da ("iio: adc: ti-ads7950: use SPI_CS_WORD to reduce CPU usage") Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de> Reviewed-by: David Lechner <david@lechnology.com> Tested-by: David Lechner <david@lechnology.com> Cc: <Stable@vger.kernel.org> Link: https://lore.kernel.org/r/20210709101110.1814294-1-u.kleine-koenig@pengutronix.de Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7e77ef8 upstream. Set reset pin direction to output as the reset pin needs to be an active low output pin. Co-developed-by: Hannu Hartikainen <hannu@hrtk.in> Signed-off-by: Hannu Hartikainen <hannu@hrtk.in> Signed-off-by: Antti Keränen <detegr@rbx.email> Reviewed-by: Nuno Sá <nuno.sa@analog.com> Fixes: ecb010d ("iio: imu: adis: Refactor adis_initial_startup") Link: https://lore.kernel.org/r/20210708095425.13295-1-detegr@rbx.email Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 84edec8 upstream. The datasheets have the following note for the conversion time specification: "This parameter is specified by design and/or characterization and it is not tested in production." Parts have been seen that require more time to do 14-bit conversions for the relative humidity channel. The result is ENXIO due to the address phase of a transfer not getting an ACK. Delay an additional 1 ms per conversion to allow for additional margin. Fixes: 4839367 ("iio: humidity: add HDC100x support") Signed-off-by: Chris Lesiak <chris.lesiak@licor.com> Acked-by: Matt Ranostay <matt.ranostay@konsulko.com> Link: https://lore.kernel.org/r/20210614141820.2034827-1-chris.lesiak@licor.com Cc: <Stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5afc154 upstream. Currently the for-loop that scans for the optimal adc_period iterates through all the possible adc_period levels because the exit logic in the loop is inverted. I believe the comparison should be swapped and the continue replaced with a break to exit the loop at the correct point. Addresses-Coverity: ("Continue has no effect") Fixes: e08e19c ("iio:adc: add iio driver for Palmas (twl6035/7) gpadc") Signed-off-by: Colin Ian King <colin.king@canonical.com> Link: https://lore.kernel.org/r/20210730071651.17394-1-colin.king@canonical.com Cc: <stable@vger.kernel.org> Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8b5d953 upstream. PCM buffers might be allocated dynamically when the buffer preallocation failed or a larger buffer is requested, and it's not guaranteed that substream->dma_buffer points to the actually used buffer. The driver needs to refer to substream->runtime->dma_addr instead for the buffer address. Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20210731084331.32225-1-tiwai@suse.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 42bc62c upstream. PCM buffers might be allocated dynamically when the buffer preallocation failed or a larger buffer is requested, and it's not guaranteed that substream->dma_buffer points to the actually used buffer. The driver needs to refer to substream->runtime->dma_addr instead for the buffer address. Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20210728112353.6675-4-tiwai@suse.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 827f316 upstream. Along with the transition to the managed PCM buffers, the driver now accepts the dynamically allocated buffer, while it still kept the reference to the old preallocated buffer address. This patch corrects to the right reference via runtime->dma_addr. (Although this might have been already buggy before the cleanup with the managed buffer, let's put Fixes tag to point that; it's a corner case, after all.) Fixes: d55894b ("ASoC: uniphier: Use managed buffer allocation") Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20210728112353.6675-5-tiwai@suse.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2c39ca6 upstream. The tlv320aic31xx driver relies on regcache_sync() to restore the register contents after going to _BIAS_OFF, for example during system suspend. This does not work for the jack detection configuration since that is configured via the same register that status is read back from so the register is volatile and not cached. This can also cause issues during init if the jack detection ends up getting set up before the CODEC is initially brought out of _BIAS_OFF, we will reset the CODEC and resync the cache as part of that process. Fix this by explicitly reapplying the jack detection configuration after resyncing the register cache during power on. This issue was found by an engineer working off-list on a product kernel, I just wrote up the upstream fix. Signed-off-by: Mark Brown <broonie@kernel.org> Link: https://lore.kernel.org/r/20210723180200.25105-1-broonie@kernel.org Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2e6b836 upstream. PCM buffers might be allocated dynamically when the buffer preallocation failed or a larger buffer is requested, and it's not guaranteed that substream->dma_buffer points to the actually used buffer. The address should be retrieved from runtime->dma_addr, instead of substream->dma_buffer (and shouldn't use virt_to_phys). Also, remove the line overriding runtime->dma_area superfluously, which was already set up at the PCM buffer allocation. Cc: Cezary Rojewski <cezary.rojewski@intel.com> Cc: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Cc: <stable@vger.kernel.org> Signed-off-by: Takashi Iwai <tiwai@suse.de> Link: https://lore.kernel.org/r/20210728112353.6675-3-tiwai@suse.de Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 86ff25e upstream. If an i2c driver happens to not provide the full amount of data that a user asks for, it is possible that some uninitialized data could be sent to userspace. While all in-kernel drivers look to be safe, just be sure by initializing the buffer to zero before it is passed to the i2c driver so that any future drivers will not have this issue. Also properly copy the amount of data received to the userspace buffer, as pointed out by Dan Carpenter. Reported-by: Eric Dumazet <edumazet@google.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Wolfram Sang <wsa@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
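The two changes described in the commit above (zero the buffer, copy out only what was received), as an added user-space model; this is not the kernel's i2c-dev code. `short_recv`, `alloc_stale`, the `STALE` marker and the 4-byte short read are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STALE 0xAA  /* constructed marker standing in for leftover heap contents */

/* Hypothetical bus driver: delivers at most 4 bytes, whatever was requested. */
static int short_recv(unsigned char *buf, size_t count)
{
    size_t got = count < 4 ? count : 4;

    memset(buf, 0x11, got);             /* constructed "device data" */
    return (int)got;
}

/* Models an allocation that is not zeroed: the memory keeps old contents. */
static unsigned char *alloc_stale(size_t n)
{
    unsigned char *p = malloc(n);

    if (p)
        memset(p, STALE, n);
    return p;
}

/* Before: unzeroed buffer, and the full requested count is copied out. */
int read_before(unsigned char *user, size_t count)
{
    unsigned char *tmp;
    int ret;

    if (count == 0)
        return 0;
    tmp = alloc_stale(count);
    if (!tmp)
        return -1;
    ret = short_recv(tmp, count);
    if (ret >= 0)
        memcpy(user, tmp, count);       /* includes bytes the driver never wrote */
    free(tmp);
    return ret;
}

/* After: zeroed buffer, and only the bytes actually received are copied. */
int read_after(unsigned char *user, size_t count)
{
    unsigned char *tmp;
    int ret;

    if (count == 0)
        return 0;
    tmp = calloc(1, count);
    if (!tmp)
        return -1;
    ret = short_recv(tmp, count);
    if (ret > 0)
        memcpy(user, tmp, (size_t)ret);
    free(tmp);
    return ret;
}

/* Runs one read into a cleared caller buffer and counts stale bytes in it. */
size_t stale_bytes_seen(int fixed, size_t count)
{
    unsigned char user[64] = {0};
    size_t i, n = 0;

    if (count > sizeof(user))
        count = sizeof(user);
    if (fixed)
        read_after(user, count);
    else
        read_before(user, count);
    for (i = 0; i < count; i++)
        if (user[i] == STALE)
            n++;
    return n;
}

int main(void)
{
    printf("before: %zu stale bytes reached the caller\n", stale_bytes_seen(0, 16));
    printf("after:  %zu stale bytes reached the caller\n", stale_bytes_seen(1, 16));
    return 0;
}
```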
commit 7d3fc01 upstream. We used to follow the rule earlier that the create SD context always be a multiple of 8. However, with the change: cifs: refactor create_sd_buf() and avoid corrupting the buffer ...we recompute the length, and we failed that rule. Fixing that with this change. Cc: <stable@vger.kernel.org> # v5.10+ Signed-off-by: Shyam Prasad N <sprasad@microsoft.com> Signed-off-by: Steve French <stfrench@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…rash commit 9977d88 upstream. The phba->poll_list is traversed in case of an error in lpfc_sli4_hba_setup(), so it must be initialized earlier in case the error path is taken. [ 490.030738] lpfc 0000:65:00.0: 0:1413 Failed to init iocb list. [ 490.036661] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 [ 490.044485] PGD 0 P4D 0 [ 490.047027] Oops: 0000 [#1] SMP PTI [ 490.050518] CPU: 0 PID: 7 Comm: kworker/0:1 Kdump: loaded Tainted: G I --------- - - 4.18. [ 490.060511] Hardware name: Dell Inc. PowerEdge R440/0WKGTH, BIOS 1.4.8 05/22/2018 [ 490.067994] Workqueue: events work_for_cpu_fn [ 490.072371] RIP: 0010:lpfc_sli4_cleanup_poll_list+0x20/0xb0 [lpfc] [ 490.078546] Code: cf e9 04 f7 fe ff 0f 1f 40 00 0f 1f 44 00 00 41 57 49 89 ff 41 56 41 55 41 54 4d 8d a79 [ 490.097291] RSP: 0018:ffffbd1a463dbcc8 EFLAGS: 00010246 [ 490.102518] RAX: 0000000000008200 RBX: ffff945cdb8c0000 RCX: 0000000000000000 [ 490.109649] RDX: 0000000000018200 RSI: ffff9468d0e16818 RDI: 0000000000000000 [ 490.116783] RBP: ffff945cdb8c1740 R08: 00000000000015c5 R09: 0000000000000042 [ 490.123915] R10: 0000000000000000 R11: ffffbd1a463dbab0 R12: ffff945cdb8c25c0 [ 490.131049] R13: 00000000fffffff4 R14: 0000000000001800 R15: ffff945cdb8c0000 [ 490.138182] FS: 0000000000000000(0000) GS:ffff9468d0e00000(0000) knlGS:0000000000000000 [ 490.146267] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 490.152013] CR2: 0000000000000000 CR3: 000000042ca10002 CR4: 00000000007706f0 [ 490.159146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 490.166277] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 490.173409] PKRU: 55555554 [ 490.176123] Call Trace: [ 490.178598] lpfc_sli4_queue_destroy+0x7f/0x3c0 [lpfc] [ 490.183745] lpfc_sli4_hba_setup+0x1bc7/0x23e0 [lpfc] [ 490.188797] ? kernfs_activate+0x63/0x80 [ 490.192721] ? kernfs_add_one+0xe7/0x130 [ 490.196647] ? __kernfs_create_file+0x80/0xb0 [ 490.201020] ? lpfc_pci_probe_one_s4.isra.48+0x46f/0x9e0 [lpfc] [ 490.206944] lpfc_pci_probe_one_s4.isra.48+0x46f/0x9e0 [lpfc] [ 490.212697] lpfc_pci_probe_one+0x179/0xb70 [lpfc] [ 490.217492] local_pci_probe+0x41/0x90 [ 490.221246] work_for_cpu_fn+0x16/0x20 [ 490.224994] process_one_work+0x1a7/0x360 [ 490.229009] ? create_worker+0x1a0/0x1a0 [ 490.232933] worker_thread+0x1cf/0x390 [ 490.236687] ? create_worker+0x1a0/0x1a0 [ 490.240612] kthread+0x116/0x130 [ 490.243846] ? kthread_flush_work_fn+0x10/0x10 [ 490.248293] ret_from_fork+0x35/0x40 [ 490.251869] Modules linked in: lpfc(+) xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4i [ 490.332609] CR2: 0000000000000000 Link: https://lore.kernel.org/r/20210809150947.18104-1-emilne@redhat.com Fixes: 93a4d6f ("scsi: lpfc: Add registration for CPU Offline/Online events") Cc: stable@vger.kernel.org Reviewed-by: James Smart <jsmart2021@gmail.com> Signed-off-by: Ewan D. Milne <emilne@redhat.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b4d8a58 upstream. The desired behavior is to set the caller's filter count to thread's. This value is reported via /proc, so this fixes the inaccurate count exposed to userspace; it is not used for reference counting, etc. Signed-off-by: Hsuan-Chi Kuo <hsuanchikuo@gmail.com> Link: https://lore.kernel.org/r/20210304233708.420597-1-hsuanchikuo@gmail.com Co-developed-by: Wiktor Garbacz <wiktorg@google.com> Signed-off-by: Wiktor Garbacz <wiktorg@google.com> Link: https://lore.kernel.org/lkml/20210810125158.329849-1-wiktorg@google.com Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Fixes: c818c03 ("seccomp: Report number of loaded filters in /proc/$pid/status") Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…ases commit acc68b8 upstream. The CPSW switchdev driver inherited fix from commit 9421c90 ("net: ethernet: ti: cpsw: fix min eth packet size") which changes min TX packet size to 64bytes (VLAN_ETH_ZLEN, excluding ETH_FCS). It was done to fix HW packet drop issue when packets are sent from Host to the port with PVID and un-tagging enabled. Unfortunately this breaks some other non-switch specific use-cases, like: - [1] CPSW port as DSA CPU port with DSA-tag applied at the end of the packet - [2] Some industrial protocols, which expects min TX packet size 60Bytes (excluding FCS). Fix it by configuring min TX packet size depending on driver mode - 60Bytes (ETH_ZLEN) for multi mac (dual-mac) mode - 64Bytes (VLAN_ETH_ZLEN) for switch mode and update it during driver mode change and annotate with READ_ONCE()/WRITE_ONCE() as it can be read by napi while writing. [1] https://lore.kernel.org/netdev/20210531124051.GA15218@cephalopod/ [2] https://e2e.ti.com/support/arm/sitara_arm/f/791/t/701669 Cc: stable@vger.kernel.org Fixes: ed3525e ("net: ethernet: ti: introduce cpsw switchdev based driver part 1 - dual-emac") Reported-by: Ben Hutchings <ben.hutchings@essensium.com> Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…itch commit 3a715e8 upstream. FPU_STATUS register contains FP exception flags bits which are updated by core as side-effect of FP instructions but can also be manually wiggled such as by glibc C99 functions fe{raise,clear,test}except() etc. To effect the update, the programming model requires OR'ing FWE bit (31). This bit is write-only and RAZ, meaning it is effectively auto-cleared after write and thus needs to be set every time: which is how glibc implements this. However there's another usecase of FPU_STATUS update, at the time of Linux task switch when incoming task value needs to be programmed into the register. This was added as part of f45ba2b ("ARCv2: fpu: preserve userspace fpu state") which missed OR'ing FWE bit, meaning the new value is effectively not being written at all. This patch remedies that. Interestingly, this snafu was not caught in interim glibc testing as the race window which relies on a specific exception bit to be set/clear is really small, especially when it involves context switch. Fortunately this was caught by glibc's math/test-fenv-tls test which repeatedly set/clear exception flags in a big loop, concurrently in main program and also in a thread. Fixes: foss-for-synopsys-dwc-arc-processors#54 Fixes: f45ba2b ("ARCv2: fpu: preserve userspace fpu state") Cc: stable@vger.kernel.org #5.6+ Signed-off-by: Vineet Gupta <vgupta@synopsys.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit bf2ba43 upstream. Function ceph_check_delayed_caps() is called from the mdsc->delayed_work workqueue and it can be kept looping for quite some time if caps keep being added back to the mdsc->cap_delay_list. This may result in the watchdog tainting the kernel with the softlockup flag. This patch breaks this loop if the caps have been recently added (i.e. during the loop execution). Any new caps added to the list will be handled in the next run. Also, allow schedule_delayed() callers to explicitly set the delay value instead of defaulting to 5s, so we can ensure that it runs soon afterward if it looks like there is more work. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/46284 Signed-off-by: Luis Henriques <lhenriques@suse.de> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b93dfa6 upstream. Fix the NFIT parsing code to treat a 0 index in a SPA Range Structure as a special case and not match Region Mapping Structures that use 0 to indicate that they are not mapped. Without this fix some platform BIOS descriptions of "virtual disk" ranges do not result in the pmem driver attaching to the range. Details: In addition to typical persistent memory ranges, the ACPI NFIT may also convey "virtual" ranges. These ranges are indicated by a UUID in the SPA Range Structure of UUID_VOLATILE_VIRTUAL_DISK, UUID_VOLATILE_VIRTUAL_CD, UUID_PERSISTENT_VIRTUAL_DISK, or UUID_PERSISTENT_VIRTUAL_CD. The critical difference between virtual ranges and UUID_PERSISTENT_MEMORY, is that virtual do not support associations with Region Mapping Structures. For this reason the "index" value of virtual SPA Range Structures is allowed to be 0. If a platform BIOS decides to represent NVDIMMs with disconnected "Region Mapping Structures" (range-index == 0), the kernel may falsely associate them with standalone ranges where the "SPA Range Structure Index" is also zero. When this happens the driver may falsely require labels where "virtual disks" are expected to be label-less. I.e. "label-less" is where the namespace-range == region-range and the pmem driver attaches with no user action to create a namespace. Cc: Jacek Zloch <jacek.zloch@intel.com> Cc: Lukasz Sobieraj <lukasz.sobieraj@intel.com> Cc: "Lee, Chun-Yi" <jlee@suse.com> Cc: <stable@vger.kernel.org> Fixes: c2f32ac ("acpi, nfit: treat virtual ramdisk SPA as pmem region") Reported-by: Krzysztof Rusocki <krzysztof.rusocki@intel.com> Reported-by: Damian Bassa <damian.bassa@intel.com> Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Link: https://lore.kernel.org/r/162870796589.2521182.1240403310175570220.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d9cee9f upstream. There are a few scenarios where init_active_labels() can return without registering deactivate_labels() to run when the region is disabled. In particular label error injection creates scenarios where a DIMM is disabled, but labels on other DIMMs in the region become activated. Arrange for init_active_labels() to always register deactivate_labels(). Reported-by: Krzysztof Kensicki <krzysztof.kensicki@intel.com> Cc: <stable@vger.kernel.org> Fixes: bf9bccc ("libnvdimm: pmem label sets and namespace instantiation.") Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Link: https://lore.kernel.org/r/162766356450.3223041.1183118139023841447.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams <dan.j.williams@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c90f626 upstream. Reviewed-by: Dmytro Laktyushkin <Dmytro.Laktyushkin@amd.com> Acked-by: Anson Jacob <Anson.Jacob@amd.com> Signed-off-by: Eric Bernstein <eric.bernstein@amd.com> Cc: stable@vger.kernel.org Tested-by: Daniel Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0cde63a upstream. Replace GFP_KERNEL with GFP_ATOMIC as amdgpu_dm_irq_schedule_work can't sleep. BUG: sleeping function called from invalid context at include/linux/sched/mm.h:196 in_atomic(): 1, irqs_disabled(): 1, non_block: 0, pid: 253, name: kworker/6:1H CPU: 6 PID: 253 Comm: kworker/6:1H Tainted: G W OE 5.11.0-promotion_2021_06_07-18_36_28_prelim_revert_retrain #8 Hardware name: System manufacturer System Product Name/PRIME X570-PRO, BIOS 3405 02/01/2021 Workqueue: events_highpri dm_irq_work_func [amdgpu] Call Trace: <IRQ> dump_stack+0x5e/0x74 ___might_sleep.cold+0x87/0x98 __might_sleep+0x4b/0x80 kmem_cache_alloc_trace+0x390/0x4f0 amdgpu_dm_irq_handler+0x171/0x230 [amdgpu] amdgpu_irq_dispatch+0xc0/0x1e0 [amdgpu] amdgpu_ih_process+0x81/0x100 [amdgpu] amdgpu_irq_handler+0x26/0xa0 [amdgpu] __handle_irq_event_percpu+0x49/0x190 ? __hrtimer_get_next_event+0x4d/0x80 handle_irq_event_percpu+0x33/0x80 handle_irq_event+0x33/0x60 handle_edge_irq+0x82/0x190 asm_call_irq_on_stack+0x12/0x20 </IRQ> common_interrupt+0xbb/0x140 asm_common_interrupt+0x1e/0x40 RIP: 0010:amdgpu_device_rreg.part.0+0x44/0xf0 [amdgpu] Code: 53 48 89 fb 4c 3b af c8 08 00 00 73 6d 83 e2 02 75 0d f6 87 40 62 01 00 10 0f 85 83 00 00 00 4c 03 ab d0 08 00 00 45 8b 6d 00 <8b> 05 3e b6 52 00 85 c0 7e 62 48 8b 43 08 0f b7 70 3e 65 8b 05 e3 RSP: 0018:ffffae7740fff9e8 EFLAGS: 00000286 RAX: ffffffffc05ee610 RBX: ffff8aaf8f620000 RCX: 0000000000000006 RDX: 0000000000000000 RSI: 0000000000005430 RDI: ffff8aaf8f620000 RBP: ffffae7740fffa08 R08: 0000000000000001 R09: 000000000000000a R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000005430 R13: 0000000071000000 R14: 0000000000000001 R15: 0000000000005430 ? amdgpu_cgs_write_register+0x20/0x20 [amdgpu] amdgpu_device_rreg+0x17/0x20 [amdgpu] amdgpu_cgs_read_register+0x14/0x20 [amdgpu] dm_read_reg_func+0x38/0xb0 [amdgpu] generic_reg_wait+0x80/0x160 [amdgpu] dce_aux_transfer_raw+0x324/0x7c0 [amdgpu] dc_link_aux_transfer_raw+0x43/0x50 [amdgpu] dm_dp_aux_transfer+0x87/0x110 [amdgpu] drm_dp_dpcd_access+0x72/0x110 [drm_kms_helper] drm_dp_dpcd_read+0xb7/0xf0 [drm_kms_helper] drm_dp_get_one_sb_msg+0x349/0x480 [drm_kms_helper] drm_dp_mst_hpd_irq+0xc5/0xe40 [drm_kms_helper] ? drm_dp_mst_hpd_irq+0xc5/0xe40 [drm_kms_helper] dm_handle_hpd_rx_irq+0x184/0x1a0 [amdgpu] ? dm_handle_hpd_rx_irq+0x184/0x1a0 [amdgpu] handle_hpd_rx_irq+0x195/0x240 [amdgpu] ? __switch_to_asm+0x42/0x70 ? __switch_to+0x131/0x450 dm_irq_work_func+0x19/0x20 [amdgpu] process_one_work+0x209/0x400 worker_thread+0x4d/0x3e0 ? cancel_delayed_work+0xa0/0xa0 kthread+0x124/0x160 ? kthread_park+0x90/0x90 ret_from_fork+0x22/0x30 Reviewed-by: Aurabindo Jayamohanan Pillai <Aurabindo.Pillai@amd.com> Acked-by: Anson Jacob <Anson.Jacob@amd.com> Signed-off-by: Anson Jacob <Anson.Jacob@amd.com> Cc: stable@vger.kernel.org Tested-by: Daniel Wheeler <daniel.wheeler@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 202ead5 upstream. If the platform uses BOCO, don't use BACO in runtime suspend. We could end up executing the BACO path if the platform supports both. Bug: https://gitlab.freedesktop.org/drm/amd/-/issues/1669 Reviewed-by: Evan Quan <evan.quan@amd.com> Signed-off-by: Alex Deucher <alexander.deucher@amd.com> Cc: stable@vger.kernel.org Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit e9faf53 ] Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE, MAC802154_HWSIM_EDGE_ATTR_ENDPOINT_ID and MAC802154_HWSIM_EDGE_ATTR_LQI must be present to fix GPF. Fixes: f25da51 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Acked-by: Alexander Aring <aahringo@redhat.com> Link: https://lore.kernel.org/r/20210705131321.217111-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 889d0e7 ] Both MAC802154_HWSIM_ATTR_RADIO_ID and MAC802154_HWSIM_ATTR_RADIO_EDGE must be present to fix GPF. Fixes: f25da51 ("ieee802154: hwsim: add replacement for fakelb") Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Acked-by: Alexander Aring <aahringo@redhat.com> Link: https://lore.kernel.org/r/20210707155633.1486603-1-mudongliangabcd@gmail.com Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
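The presence checks that the two hwsim commits above call for, as an added user-space model; this is not the driver's code and does not use the kernel netlink API. The TLV layout, the numeric attribute values, and the names `parse`, `set_edge_lqi`, `put_attr` and `demo` are assumptions made for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-in numbering for this example, not the kernel's UAPI values. */
enum { ATTR_RADIO_ID = 1, ATTR_RADIO_EDGE = 2, ATTR_MAX = 2 };
enum { EDGE_ATTR_ENDPOINT_ID = 1, EDGE_ATTR_LQI = 2, EDGE_ATTR_MAX = 2 };

struct attr { uint16_t len; uint16_t type; };   /* len covers header + payload */
#define HDR sizeof(struct attr)
#define ALIGN4(n) (((size_t)(n) + 3u) & ~(size_t)3u)

static uint16_t attr_len(const uint8_t *p)
{
    struct attr a;

    memcpy(&a, p, HDR);
    return a.len;
}

/* Index attributes by type; a type that never appears leaves tb[type] NULL. */
static int parse(const uint8_t *buf, size_t len, const uint8_t **tb, int max)
{
    size_t off = 0;
    int i;

    for (i = 0; i <= max; i++)
        tb[i] = NULL;
    while (off + HDR <= len) {
        struct attr a;

        memcpy(&a, buf + off, HDR);
        if (a.len < HDR || a.len > len - off)
            return -EINVAL;             /* truncated or malformed attribute */
        if (a.type <= max)
            tb[a.type] = buf + off;
        off += ALIGN4(a.len);
    }
    return 0;
}

/* Every required attribute is checked for presence and size before use. */
int set_edge_lqi(const uint8_t *msg, size_t len, uint32_t *radio,
                 uint32_t *endpoint, uint8_t *lqi)
{
    const uint8_t *tb[ATTR_MAX + 1], *etb[EDGE_ATTR_MAX + 1], *edge;

    if (parse(msg, len, tb, ATTR_MAX))
        return -EINVAL;
    if (!tb[ATTR_RADIO_ID] || !tb[ATTR_RADIO_EDGE])
        return -EINVAL;                 /* otherwise NULL is dereferenced below */
    edge = tb[ATTR_RADIO_EDGE];
    if (parse(edge + HDR, attr_len(edge) - HDR, etb, EDGE_ATTR_MAX))
        return -EINVAL;
    if (!etb[EDGE_ATTR_ENDPOINT_ID] || !etb[EDGE_ATTR_LQI])
        return -EINVAL;                 /* nested attributes need the same check */
    if (attr_len(tb[ATTR_RADIO_ID]) < HDR + 4 ||
        attr_len(etb[EDGE_ATTR_ENDPOINT_ID]) < HDR + 4 ||
        attr_len(etb[EDGE_ATTR_LQI]) < HDR + 1)
        return -EINVAL;
    memcpy(radio, tb[ATTR_RADIO_ID] + HDR, 4);
    memcpy(endpoint, etb[EDGE_ATTR_ENDPOINT_ID] + HDR, 4);
    *lqi = etb[EDGE_ATTR_LQI][HDR];
    return 0;
}

static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
                       const void *data, uint16_t dlen)
{
    struct attr a = { (uint16_t)(HDR + dlen), type };

    memcpy(buf + off, &a, HDR);
    memcpy(buf + off + HDR, data, dlen);
    return off + ALIGN4(a.len);
}

/* Builds a constructed message, optionally omitting attributes, and runs the
 * handler. Returns the parsed LQI (200) on success or a negative errno. */
int demo(int with_radio_id, int with_edge, int with_lqi)
{
    uint8_t edge[32] = {0}, msg[64] = {0}, lqi = 200, out_lqi = 0;
    uint32_t radio = 7, ep = 3, out_radio = 0, out_ep = 0;
    size_t elen = 0, mlen = 0;
    int rc;

    elen = put_attr(edge, elen, EDGE_ATTR_ENDPOINT_ID, &ep, 4);
    if (with_lqi)
        elen = put_attr(edge, elen, EDGE_ATTR_LQI, &lqi, 1);
    if (with_radio_id)
        mlen = put_attr(msg, mlen, ATTR_RADIO_ID, &radio, 4);
    if (with_edge)
        mlen = put_attr(msg, mlen, ATTR_RADIO_EDGE, edge, (uint16_t)elen);
    rc = set_edge_lqi(msg, mlen, &out_radio, &out_ep, &out_lqi);
    return rc ? rc : out_lqi;
}

int main(void)
{
    printf("complete: %d, no radio id: %d, no edge: %d, no lqi: %d\n",
           demo(1, 1, 1), demo(0, 1, 1), demo(1, 0, 1), demo(1, 1, 0));
    return 0;
}
```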
[ Upstream commit 798a315 ] Some pins don't support the PUPD register; if it fails and falls back to the bias_set_combo case, it will call mtk_pinconf_bias_set_pupd_r1_r0() to modify the PUPD pin again. Since the general bias sets are either PU/PD or PULLSEL/PULLEN, try bias_set or bias_set_rev1 for the other fallback case. If the pin supports neither PU/PD nor PULLSEL/PULLEN, it will return -ENOTSUPP. Fixes: 81bd157 ("pinctrl: mediatek: Fix fallback call path") Signed-off-by: Hsin-Yi Wang <hsinyi@chromium.org> Reviewed-by: Chen-Yu Tsai <wenst@chromium.org> Reviewed-by: Zhiyong Tao <zhiyong.tao@mediatek.com> Link: https://lore.kernel.org/r/20210701080955.2660294-1-hsinyi@chromium.org Signed-off-by: Linus Walleij <linus.walleij@linaro.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ee86f68 ] The ADC volume is a signed 8-bit number with range -97 to +12, with -97 being mute. Use a SOC_SINGLE_S8_TLV() to define this and fix the DECLARE_TLV_DB_SCALE() to have the correct start and mute flag. Fixes: 2c394ca ("ASoC: Add support for CS42L42 codec") Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Link: https://lore.kernel.org/r/20210729170929.6589-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 64324ba ] The driver has no support for left-justified protocol so it should not have been allowing this to be passed to cs42l42_set_dai_fmt(). Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 2c394ca ("ASoC: Add support for CS42L42 codec") Link: https://lore.kernel.org/r/20210729170929.6589-2-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 973b393 ] Checking that two values don't have common bits makes no sense, strict equality is meant. Fixes: f3b433e ("ASoC: SOF: Implement Probe IPC API") Reviewed-by: Ranjani Sridharan <ranjani.sridharan@linux.intel.com> Signed-off-by: Guennadi Liakhovetski <guennadi.liakhovetski@linux.intel.com> Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com> Link: https://lore.kernel.org/r/20210802151749.15417-1-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 30615bd ] The underlying register field has inverted sense (0 = enabled) so the control definition must be marked as inverted. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 2c394ca ("ASoC: Add support for CS42L42 codec") Link: https://lore.kernel.org/r/20210803160834.9005-1-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8b353bb ] The driver was defining two ALSA controls that both change the same register field for the wind noise filter corner frequency. The filter response has two corners, at different frequencies, and the duplicate controls most likely were an attempt to be able to set the value using either of the frequencies. However, having two controls changing the same field can be problematic and it is unnecessary. Both frequencies are related to each other so setting one implies exactly what the other would be. Removing a control affects user-side code, but there is currently no known use of the removed control so it would be best to remove it now before it becomes a problem. Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com> Fixes: 2c394ca ("ASoC: Add support for CS42L42 codec") Link: https://lore.kernel.org/r/20210803160834.9005-2-rf@opensource.cirrus.com Signed-off-by: Mark Brown <broonie@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 38ea9de ] kfree_skb_list() should be added when err is not equal to zero in nf_br_ip_fragment(). v2: keep this aligned with IPv6. v3: modify iter.frag_list to iter.frag. Fixes: 3c171f4 ("netfilter: bridge: add connection tracking system") Signed-off-by: Yajun Deng <yajun.deng@linux.dev> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
commit da181dc upstream. The specification (PCIe r5.0, sec 6.1.4.5) states: For MSI-X, a function is permitted to cache Address and Data values from unmasked MSI-X Table entries. However, anytime software unmasks a currently masked MSI-X Table entry either by clearing its Mask bit or by clearing the Function Mask bit, the function must update any Address or Data values that it cached from that entry. If software changes the Address or Data value of an entry while the entry is unmasked, the result is undefined. The Linux kernel's MSI-X support never enforced that the entry is masked before the entry is modified hence the Fixes tag refers to a commit in: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Enforce the entry to be masked across the update. There is no point in enforcing this to be handled at all possible call sites as this is just pointless code duplication and the common update function is the obvious place to enforce this. Fixes: f036d4e ("[PATCH] ia32 Message Signalled Interrupt support") Reported-by: Kevin Tian <kevin.tian@intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.462096385@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b9255a7 upstream. Nothing enforces the posted writes to be visible when the function returns. Flush them even if the flush might be redundant when the entry is masked already as the unmask will flush as well. This is either setup or a rare affinity change event so the extra flush is not the end of the world. While this is more a theoretical issue especially the logic in the X86 specific msi_set_affinity() function relies on the assumption that the update has reached the hardware when the function returns. Again, as this never has been enforced the Fixes tag refers to a commit in: git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git Fixes: f036d4e ("[PATCH] ia32 Message Signalled Interrupt support") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Acked-by: Bjorn Helgaas <bhelgaas@google.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.515188147@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 361fd37 upstream. msi_mask_irq() takes a mask and a flags argument. The mask argument is used to mask out bits from the cached mask and the flags argument to set bits. Some places invoke it with a flags argument which sets bits which are not used by the device, i.e. when the device supports up to 8 vectors a full unmask in some places sets the mask to 0xFFFFFF00. While devices probably do not care, it's still bad practice. Fixes: 7ba1930 ("PCI MSI: Unmask MSI if setup failed") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.568173099@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 689e6b5 upstream. The comments about preserving the cached state in pci_msi[x]_shutdown() are misleading as the MSI descriptors are freed right after those functions return. So there is nothing to restore. Preparatory change. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.621609423@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d28d4ad upstream. No point in using the raw write function from shutdown. Preparatory change to introduce proper serialization for the msi_desc::masked cache. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.674391354@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 77e89af upstream. Multi-MSI uses a single MSI descriptor and there is a single mask register when the device supports per vector masking. To avoid reading back the mask register the value is cached in the MSI descriptor and updates are done by clearing and setting bits in the cache and writing it to the device. But nothing protects msi_desc::masked and the mask register from being modified concurrently on two different CPUs for two different Linux interrupts which belong to the same multi-MSI descriptor. Add a lock to struct device and protect any operation on the mask and the mask register with it. This makes the update of msi_desc::masked unconditional, but there is no place which requires a modification of the hardware register without updating the masked cache. msi_mask_irq() is now an empty wrapper which will be cleaned up in follow up changes. The problem goes way back to the initial support of multi-MSI, but picking the commit which introduced the mask cache is a valid cut off point (2.6.30). Fixes: f2440d9 ("PCI MSI: Refactor interrupt masking code") Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Tested-by: Marc Zyngier <maz@kernel.org> Reviewed-by: Marc Zyngier <maz@kernel.org> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20210729222542.726833414@linutronix.de Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
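A user-space model of the two MSI mask problems described in the commit messages above (bits set outside the supported vector range, and the unserialized read-modify-write of the cached mask). This is an added example, not code from the kernel or from this pull request; every name in it (msi_model, model_*) is an assumption made for illustration.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed user-space model; these names are not kernel symbols. */
struct msi_model {
    unsigned int multi_cap;  /* log2 of the vectors the device supports */
    uint32_t masked;         /* cached copy of the mask register */
    uint32_t hw_mask;        /* stand-in for the device's mask register */
    atomic_flag lock;        /* serializes cache and register updates */
};

void model_init(struct msi_model *d, unsigned int multi_cap)
{
    d->multi_cap = multi_cap;
    d->masked = d->hw_mask = 0;
    atomic_flag_clear(&d->lock);
}

static void model_lock(atomic_flag *l)
{
    while (atomic_flag_test_and_set_explicit(l, memory_order_acquire))
        ;  /* spin until the holder releases */
}

static void model_unlock(atomic_flag *l)
{
    atomic_flag_clear_explicit(l, memory_order_release);
}

/* Bits that correspond to vectors the device actually implements. */
uint32_t model_multi_mask(const struct msi_model *d)
{
    if (d->multi_cap >= 5)           /* 32 vectors: never shift by >= 32 */
        return 0xffffffffu;
    return (1u << (1u << d->multi_cap)) - 1;
}

/* Locked read-modify-write: cache and register change as one unit. */
void model_update_mask(struct msi_model *d, uint32_t clear, uint32_t set)
{
    model_lock(&d->lock);
    d->masked &= ~clear;
    d->masked |= set;
    d->hw_mask = d->masked;          /* "write to the device" */
    model_unlock(&d->lock);
}

void model_mask_all(struct msi_model *d)
{
    model_update_mask(d, 0, model_multi_mask(d));
}

void model_unmask_vector(struct msi_model *d, unsigned int vec)
{
    model_update_mask(d, 1u << vec, 0);
}

/* Call pattern the commit message criticizes: sets every unused bit. */
void model_unmask_all_legacy(struct msi_model *d)
{
    uint32_t m = model_multi_mask(d);
    model_update_mask(d, m, ~m);
}

/* Corrected pattern: clear the supported bits, set nothing. */
void model_unmask_all(struct msi_model *d)
{
    model_update_mask(d, model_multi_mask(d), 0);
}

/* Replays the unlocked update from two CPUs, interleaved by hand. */
uint32_t model_lost_update(struct msi_model *d)
{
    uint32_t cpu_a = d->masked;      /* CPU A reads the cache */
    uint32_t cpu_b = d->masked;      /* CPU B reads the same value */
    cpu_a &= ~(1u << 0);             /* A unmasks vector 0 */
    d->masked = d->hw_mask = cpu_a;
    cpu_b &= ~(1u << 1);             /* B unmasks vector 1 */
    d->masked = d->hw_mask = cpu_b;  /* overwrites A's update */
    return d->hw_mask;
}

int main(void)
{
    struct msi_model d;

    model_init(&d, 3);               /* 8 vectors */
    model_mask_all(&d);
    printf("interleaved, no lock: 0x%08x\n", (unsigned)model_lost_update(&d));

    model_init(&d, 3);
    model_mask_all(&d);
    model_unmask_vector(&d, 0);
    model_unmask_vector(&d, 1);
    printf("serialized updates:   0x%08x\n", (unsigned)d.hw_mask);

    model_unmask_all_legacy(&d);
    printf("legacy full unmask:   0x%08x\n", (unsigned)d.masked);
    return 0;
}
```

In the interleaved replay vector 0 stays masked even though CPU A unmasked it, which is the lost update the per-device lock prevents.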
commit 8241461 upstream. Running an SMP kernel on an UP platform not prepared for it, I encountered the following OOPS:

  BUG: Kernel NULL pointer dereference on read at 0x00000034
  Faulting instruction address: 0xc0a04110
  Oops: Kernel access of bad area, sig: 11 [#1]
  BE PAGE_SIZE=4K SMP NR_CPUS=2 CMPCPRO
  Modules linked in:
  CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.13.0-pmac-00001-g230fedfaad21 #5234
  NIP: c0a04110 LR: c0a040d8 CTR: c0a04084
  REGS: e100dda0 TRAP: 0300 Not tainted (5.13.0-pmac-00001-g230fedfaad21)
  MSR: 00009032 <EE,ME,IR,DR,RI> CR: 84000284 XER: 00000000
  DAR: 00000034 DSISR: 20000000
  GPR00: c0006bd4 e100de60 c1033320 00000000 00000000 c0942274 00000000 00000000
  GPR08: 00000000 00000000 00000001 00000063 00000007 00000000 c0006f30 00000000
  GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000005
  GPR24: c0c67d74 c0c67f1c c0c60000 c0c67d70 c0c0c558 1efdf000 c0c00020 00000000
  NIP [c0a04110] topology_init+0x8c/0x138
  LR [c0a040d8] topology_init+0x54/0x138
  Call Trace:
  [e100de60] [80808080] 0x80808080 (unreliable)
  [e100de90] [c0006bd4] do_one_initcall+0x48/0x1bc
  [e100def0] [c0a0150c] kernel_init_freeable+0x1c8/0x278
  [e100df20] [c0006f44] kernel_init+0x14/0x10c
  [e100df30] [c00190fc] ret_from_kernel_thread+0x14/0x1c
  Instruction dump:
  7c692e70 7d290194 7c035040 7c7f1b78 5529103a 546706fe 5468103a 39400001
  7c641b78 40800054 80c690b4 7fb9402e <81060034> 7fbeea14 2c080000 7fa3eb78
  ---[ end trace b246ffbc6bbbb6fb ]---

Fix it by checking smp_ops before using it, as already done in several other places in the arch/powerpc/kernel/smp.c
Fixes: 39f8756 ("powerpc/smp: Move ppc_md.cpu_die() to smp_ops.cpu_offline_self()") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu> Signed-off-by: Michael Ellerman <mpe@ellerman.id.au> Link: https://lore.kernel.org/r/75287841cbb8740edd44880fe60be66d489160d9.1628097995.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c32ac11 upstream. On arm64, the stub only moves the kernel image around in memory if needed, which is typically only for KASLR, given that relocatable kernels (which is the default) can run from any 64k aligned address, which is also the minimum alignment communicated to EFI via the PE/COFF header. Unfortunately, some loaders appear to ignore this header, and load the kernel at some arbitrary offset in memory. We can deal with this, but let's check for this condition anyway, so non-compliant code can be spotted and fixed. Cc: <stable@vger.kernel.org> # v5.10+ Signed-off-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7b9cae0 upstream. Use the secondary_exec_controls_get() accessor in vmx_has_waitpkg() to effectively get the controls for the current VMCS, as opposed to using vmx->secondary_exec_controls, which is the cached value of KVM's desired controls for vmcs01 and truly not reflective of any particular VMCS. While the waitpkg control is not dynamic, i.e. vmcs01 will always hold the same waitpkg configuration as vmx->secondary_exec_controls, the same does not hold true for vmcs02 if the L1 VMM hides the feature from L2. If L1 hides the feature _and_ does not intercept MSR_IA32_UMWAIT_CONTROL, L2 could incorrectly read/write L1's virtual MSR instead of taking a #GP. Fixes: 6e3ba4a ("KVM: vmx: Emulate MSR IA32_UMWAIT_CONTROL") Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson <seanjc@google.com> Message-Id: <20210810171952.2758100-2-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 18712c1 upstream. Use vmx_need_pf_intercept() when determining if L0 wants to handle a #PF in L2 or if the VM-Exit should be forwarded to L1. The current logic fails to account for the case where #PF is intercepted to handle guest.MAXPHYADDR < host.MAXPHYADDR and ends up reflecting all #PFs into L1. At best, L1 will complain and inject the #PF back into L2. At worst, L1 will eat the unexpected fault and cause L2 to hang on infinite page faults. Note, while the bug was technically introduced by the commit that added support for the MAXPHYADDR madness, the shame is all on commit a0c1343 ("KVM: VMX: introduce vmx_need_pf_intercept"). Fixes: 1dbf5d6 ("KVM: VMX: Add guest physical address check in EPT violation and misconfig") Cc: stable@vger.kernel.org Cc: Peter Shier <pshier@google.com> Cc: Oliver Upton <oupton@google.com> Cc: Jim Mattson <jmattson@google.com> Signed-off-by: Sean Christopherson <seanjc@google.com> Message-Id: <20210812045615.3167686-1-seanjc@google.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 02f840f upstream. Factor out the code to create / release a struct vboxsf_handle into 2 new helper functions. This is a preparation patch for adding atomic_open support. Fixes: 0fd1695 ("fs: Add VirtualBox guest shared folder (vboxsf) support") Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 52dfd86 upstream. Opening a new file is done in 2 steps on regular filesystems:
1. Call the create inode-op on the parent-dir to create an inode to hold the meta-data related to the file.
2. Call the open file-op to get a handle for the file.
vboxsf however does not really use disk-backed inodes because it is based on passing through file-related system-calls through to the hypervisor. So both steps translate to an open(2) call being passed through to the hypervisor. With the handle returned by the first call immediately being closed again. Making 2 open calls for a single open(..., O_CREATE, ...) call has 2 problems:
a) It is not really efficient.
b) It actually breaks some apps.
An example of b) is doing a git clone inside a vboxsf mount. When git clone tries to create a tempfile to store the pak files which it is downloading the following happens:
1. vboxsf_dir_mkfile() gets called with a mode of 0444 and succeeds.
2. vboxsf_file_open() gets called with file->f_flags containing O_RDWR. When the host is a Linux machine this fails because doing an open(..., O_RDWR) on a file which exists and has mode 0444 results in an -EPERM error.
Other network-filesystems and fuse avoid the problem of needing to pass 2 open() calls to the other side by using the atomic_open directory-inode op. This commit fixes git clone not working inside a vboxsf mount, by adding support for the atomic_open directory-inode op. As an added bonus this should also make opening new files faster. The atomic_open implementation is modelled after the atomic_open implementations from the 9p and fuse code.
Fixes: 0fd1695 ("fs: Add VirtualBox guest shared folder (vboxsf) support") Reported-by: Ludovic Pouzenc <bugreports@pouzenc.fr> Signed-off-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a6862e6 upstream. Turn some comments into lockdep asserts. Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…p_snap_realm commit df2c0cb upstream. They both say that the snap_rwsem must be held for write, but I don't see any real reason for it, and it's not currently always called that way. The lookup is just walking the rbtree, so holding it for read should be fine there. The "get" is bumping the refcount and (possibly) removing it from the empty list. I see no need to hold the snap_rwsem for write for that. Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8434ffe upstream. There is a race in ceph_put_snap_realm. The change to the nref and the spinlock acquisition are not done atomically, so you could decrement nref, and before you take the spinlock, the nref is incremented again. At that point, you end up putting it on the empty list when it shouldn't be there. Eventually __cleanup_empty_realms runs and frees it when it's still in-use. Fix this by protecting the 1->0 transition with atomic_dec_and_lock, and just drop the spinlock if we can get the rwsem. Because these objects can also undergo a 0->1 refcount transition, we must protect that change as well with the spinlock. Increment locklessly unless the value is at 0, in which case we take the spinlock, increment and then take it off the empty list if it did the 0->1 transition. With these changes, I'm removing the dout() messages from these functions, as well as in __put_snap_realm. They've always been racy, and it's better to not print values that may be misleading. Cc: stable@vger.kernel.org URL: https://tracker.ceph.com/issues/46419 Reported-by: Mark Nelson <mnelson@redhat.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Luis Henriques <lhenriques@suse.de> Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
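The race and the fix described in the commit message above, replayed deterministically in user space. This is an added example, not the ceph code; the names (realm_model, racy_*, fixed_*) are assumptions, the "empty list" is reduced to a flag, and the destroy path taken when the rwsem is available is left out.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a refcounted object that is parked on an
 * "empty" list when its count reaches 0 and freed from there later. */
struct realm_model {
    atomic_int nref;
    bool on_empty_list;              /* protected by empty_lock */
};

static atomic_flag empty_lock = ATOMIC_FLAG_INIT;

static void lock_empty(void)   { while (atomic_flag_test_and_set(&empty_lock)) ; }
static void unlock_empty(void) { atomic_flag_clear(&empty_lock); }

/* Racy scheme: the decrement and the list insertion are separate steps. */
bool racy_put_dec(struct realm_model *r)      /* step 1: true on 1->0 */
{
    return atomic_fetch_sub(&r->nref, 1) == 1;
}

void racy_put_park(struct realm_model *r)     /* step 2: runs later */
{
    lock_empty();
    r->on_empty_list = true;
    unlock_empty();
}

void racy_get(struct realm_model *r)
{
    if (atomic_fetch_add(&r->nref, 1) == 0) {
        lock_empty();
        r->on_empty_list = false;
        unlock_empty();
    }
}

/* Fixed scheme: lockless unless the count would cross 0. */
static bool dec_unless_last(atomic_int *v)
{
    int old = atomic_load(v);
    while (old > 1)
        if (atomic_compare_exchange_weak(v, &old, old - 1))
            return true;
    return false;
}

static bool inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);
    while (old != 0)
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    return false;
}

void fixed_put(struct realm_model *r)
{
    if (dec_unless_last(&r->nref))
        return;                      /* not the last reference */
    lock_empty();                    /* 1->0 happens under the lock */
    if (atomic_fetch_sub(&r->nref, 1) == 1)
        r->on_empty_list = true;
    unlock_empty();
}

void fixed_get(struct realm_model *r)
{
    if (inc_not_zero(&r->nref))
        return;
    lock_empty();                    /* 0->1 happens under the lock */
    if (atomic_fetch_add(&r->nref, 1) == 0)
        r->on_empty_list = false;
    unlock_empty();
}

/* True if an in-use realm ends up parked for cleanup. */
bool replay_racy(void)
{
    struct realm_model r = { .on_empty_list = false };
    atomic_init(&r.nref, 1);
    bool last = racy_put_dec(&r);    /* CPU A: 1 -> 0, lock not taken yet */
    racy_get(&r);                    /* CPU B: 0 -> 1, nothing to unpark */
    if (last)
        racy_put_park(&r);           /* CPU A: parks a realm B now holds */
    return r.on_empty_list && atomic_load(&r.nref) > 0;
}

/* True if park and unpark each happen together with the count change. */
bool replay_fixed(void)
{
    struct realm_model r = { .on_empty_list = false };
    atomic_init(&r.nref, 1);
    fixed_put(&r);
    bool parked = r.on_empty_list;
    fixed_get(&r);
    return parked && !r.on_empty_list && atomic_load(&r.nref) == 1;
}

int main(void)
{
    printf("racy scheme parks an in-use realm: %d\n", replay_racy());
    printf("fixed scheme keeps list and count consistent: %d\n", replay_fixed());
    return 0;
}
```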
commit 8483788 upstream. A recent change in LLVM causes module_{c,d}tor sections to appear when CONFIG_K{A,C}SAN are enabled, which results in orphan section warnings because these are not handled anywhere:

  ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_ctor) is being placed in '.text.asan.module_ctor'
  ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.asan.module_dtor) is being placed in '.text.asan.module_dtor'
  ld.lld: warning: arch/x86/pci/built-in.a(legacy.o):(.text.tsan.module_ctor) is being placed in '.text.tsan.module_ctor'

Fangrui explains: "the function asan.module_ctor has the SHF_GNU_RETAIN flag, so it is in a separate section even with -fno-function-sections (default)". Place them in the TEXT_TEXT section so that these technologies continue to work with the newer compiler versions. All of the KASAN and KCSAN KUnit tests continue to pass after this change.
Cc: stable@vger.kernel.org Link: ClangBuiltLinux#1432 Link: llvm/llvm-project@7b78956 Signed-off-by: Nathan Chancellor <nathan@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Reviewed-by: Fangrui Song <maskray@google.com> Acked-by: Marco Elver <elver@google.com> Signed-off-by: Kees Cook <keescook@chromium.org> Link: https://lore.kernel.org/r/20210731023107.1932981-1-nathan@kernel.org [nc: Resolve conflict due to lack of cf68fff] Signed-off-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
…2021-3653) commit 0f923e0 upstream.
* Invert the mask of bits that we pick from L2 in nested_vmcb02_prepare_control
* Invert and explicitly use VIRQ related bits bitmask in svm_clear_vintr
This fixes a security issue that allowed a malicious L1 to run L2 with AVIC enabled, which allowed the L2 to exploit the uninitialized and enabled AVIC to read/write the host physical memory at some offsets.
Fixes: 3d6368e ("KVM: SVM: Add VMRUN handler") Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
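The "invert the mask" change described in the commit message above, shown as a deny-list merge next to an allow-list merge, with a check that reports which guest-supplied bits survive each one. This is an added example, not the KVM code; the CTL_* names and bit positions are constructed for illustration and are not taken from the kernel headers.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed control-word layout for this example only. */
#define CTL_TPR           0x0000000fu  /* guest-owned: priority field */
#define CTL_IRQ_INJECT    0x00000100u  /* guest-owned: pending virtual IRQ */
#define CTL_GIF           0x00000200u  /* host-owned */
#define CTL_INTR_MASKING  0x01000000u  /* host-owned */
#define CTL_ACCEL_ENABLE  0x80000000u  /* feature the host never set up */

#define HOST_OWNED   (CTL_GIF | CTL_INTR_MASKING)
#define GUEST_OWNED  (CTL_TPR | CTL_IRQ_INJECT)

typedef uint32_t (*merge_fn)(uint32_t from_guest, uint32_t from_host);

/* Deny-list shape: accept every guest bit except the host-owned ones.
 * Any bit nobody thought about passes straight through. */
uint32_t merge_denylist(uint32_t from_guest, uint32_t from_host)
{
    return (from_guest & ~HOST_OWNED) | (from_host & HOST_OWNED);
}

/* Allow-list shape: accept only the bits the guest is known to own. */
uint32_t merge_allowlist(uint32_t from_guest, uint32_t from_host)
{
    return (from_guest & GUEST_OWNED) | (from_host & HOST_OWNED);
}

/* Regression check: feed each single bit as guest input and collect the
 * ones that reach the merged word without being guest-owned. */
uint32_t leaked_bits(merge_fn merge)
{
    uint32_t leaked = 0;

    for (int i = 0; i < 32; i++) {
        uint32_t bit = 1u << i;

        if ((merge(bit, 0) & bit) && !(GUEST_OWNED & bit))
            leaked |= bit;
    }
    return leaked;
}

int main(void)
{
    uint32_t guest = CTL_ACCEL_ENABLE | 0x5u;  /* constructed guest input */
    uint32_t host = CTL_GIF;

    printf("deny-list merge:  0x%08x (leaks 0x%08x)\n",
           (unsigned)merge_denylist(guest, host),
           (unsigned)leaked_bits(merge_denylist));
    printf("allow-list merge: 0x%08x (leaks 0x%08x)\n",
           (unsigned)merge_allowlist(guest, host),
           (unsigned)leaked_bits(merge_allowlist));
    return 0;
}
```

A check like leaked_bits() is useful as a unit test next to any code that merges a control word from a less trusted source, since it fails as soon as a new bit is defined without being classified.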
commit c7dfa40 upstream. If L1 disables VMLOAD/VMSAVE intercepts, and doesn't enable Virtual VMLOAD/VMSAVE (currently not supported for the nested hypervisor), then VMLOAD/VMSAVE must operate on the L1 physical memory, which is only possible by making L0 intercept these instructions. Failure to do so allowed the nested guest to run VMLOAD/VMSAVE unintercepted, and thus read/write portions of the host physical memory. Fixes: 89c8a49 ("KVM: SVM: Enable Virtual VMLOAD VMSAVE feature") Suggested-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
… port The ksz8795 and ksz9477 drivers differ in the way they count ports. For ksz8795, ksz_device::port_cnt does not include the host port whereas for ksz9477 it does. This inconsistency was fixed in Linux 5.11 by a series of changes, but remains in 5.10-stable. When probing, the common code treats a port device node with an address >= dev->port_cnt as a fatal error. As a minimal fix, change it to compare against dev->mib_port_cnt. This is the length of the dev->ports array that the port number will be used to index, and always includes the host port. Cc: Woojung Huh <woojung.huh@microchip.com> Cc: Microchip Linux Driver Support <UNGLinuxDriver@microchip.com> Cc: Michael Grzeschik <m.grzeschik@pengutronix.de> Cc: Marek Vasut <marex@denx.de> Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ef3b02a upstream. ksz8795 has never actually enabled PVID tag insertion, and it also programmed the PVID incorrectly. To fix this:
* Allow tag insertion to be controlled per ingress port. On most chips, set bit 2 in Global Control 19. On KSZ88x3 this control flag doesn't exist.
* When adding a PVID:
  - Set the appropriate register bits to enable tag insertion on egress at every other port if this was the packet's ingress port.
  - Mask *out* the VID from the default tag, before or-ing in the new PVID.
* When removing a PVID:
  - Clear the same control bits to disable tag insertion.
  - Don't update the default tag. This wasn't doing anything useful.
Fixes: e66f840 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver") Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backport to 5.10:
  - Drop the KSZ88x3 cases as those chips are not supported here
  - Handle VID ranges in ksz8795_port_vlan_del()]
Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8f4f58f upstream. The switches supported by ksz8795 only have a per-port flag for Tag Removal. This means it is not possible to support both tagged and untagged VLANs on the same port. Reject attempts to add a VLAN that requires the flag to be changed, unless there are no VLANs currently configured. VID 0 is excluded from this check since it is untagged regardless of the state of the flag. On the CPU port we could support tagged and untagged VLANs at the same time. This will be enabled by a later patch. Fixes: e66f840 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver") Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backport to 5.10: - This configuration has to be detected and rejected in the port_vlan_prepare operation - ksz8795_port_vlan_add() has to check again to decide whether to change the Tag Removal flag, so put the common condition in a separate function - Handle VID ranges] Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af01754 upstream. When a VLAN is deleted from a port, the flags in struct switchdev_obj_port_vlan are always 0. ksz8_port_vlan_del() copies the BRIDGE_VLAN_INFO_UNTAGGED flag to the port's Tag Removal flag, and therefore always clears it. In case there are multiple VLANs configured as untagged on this port - which seems useless, but is allowed - deleting one of them changes the remaining VLANs to be tagged. It's only ever necessary to change this flag when a VLAN is added to the port, so leave it unchanged in ksz8_port_vlan_del(). Fixes: e66f840 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver") Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backport to 5.10: adjust context] Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9130c2d upstream. On the CPU port, we can support both tagged and untagged VLANs at the same time by doing any necessary untagging in software rather than hardware. To enable that, keep the CPU port's Remove Tag flag cleared and set the dsa_switch::untag_bridge_pvid flag. Fixes: e66f840 ("net: dsa: ksz: Add Microchip KSZ8795 DSA driver") Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: David S. Miller <davem@davemloft.net> [bwh: Backport to 5.10: adjust context] Signed-off-by: Ben Hutchings <ben.hutchings@mind.be> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20210816125434.948010115@linuxfoundation.org Link: https://lore.kernel.org/r/20210816171400.936235973@linuxfoundation.org Tested-by: Fox Chen <foxhlchen@gmail.com> Tested-by: Shuah Khan <skhan@linuxfoundation.org> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Hulk Robot <hulkrobot@huawei.com> Tested-by: Pavel Machek (CIP) <pavel@denx.de> Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Tested-by: Guenter Roeck <linux@roeck-us.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This is the 5.10.60 stable release Signed-off-by: Andrey Zhizhikin <andrey.zhizhikin@leica-geosystems.com>
zandrey added a commit to zandrey/meta-freescale that referenced this pull request Sep 20, 2021
Kernel repository has been upgraded up to v5.10.60 from stable korg. Following upstream commits are included in this version: ---- 2c5bd949b1df Linux 5.10.60 3a24e121304a net: dsa: microchip: ksz8795: Use software untagging on CPU port 1e78179d75fb net: dsa: microchip: ksz8795: Fix VLAN untagged flag change on deletion 5033d5e23155 net: dsa: microchip: ksz8795: Reject unsupported VLAN configuration 60c007b52779 net: dsa: microchip: ksz8795: Fix PVID tag insertion f365d53c8687 net: dsa: microchip: Fix probing KSZ87xx switch with DT node for host port 3dc5666baf2a KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) c0883f693187 KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) b5f05bdfda28 vmlinux.lds.h: Handle clang's module.{c,d}tor sections 2fe07584a623 ceph: take snap_empty_lock atomically with snaprealm refcount change a23aced54c2c ceph: clean up locking annotation for ceph_get_snap_realm and __lookup_snap_realm b0efc93271ca ceph: add some lockdep assertions around snaprealm handling dcdb587ac470 vboxsf: Add support for the atomic_open directory-inode op 7cd14c1a7fed vboxsf: Add vboxsf_[create|release]_sf_handle() helpers 433f0b31ebec KVM: nVMX: Use vmx_need_pf_intercept() when deciding if L0 wants a #PF 0ab67e3dfc4d KVM: VMX: Use current VMCS to query WAITPKG support for MSR emulation 4a948c579ed6 efi/libstub: arm64: Double check image alignment at entry fc7da433fa16 powerpc/smp: Fix OOPS in topology_init() 312730cd15e0 PCI/MSI: Protect msi_desc::masked for multi-MSI 724d0a985086 PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() 923368751866 PCI/MSI: Correct misleading comments e42fb8e6161e PCI/MSI: Do not set invalid bits in MSI mask 042e03c9cdab PCI/MSI: Enforce MSI[X] entry updates to be visible 0b2509d7a90c PCI/MSI: Enforce that MSI-X table entry is masked for update aa8092c1d1f1 PCI/MSI: Mask all unused MSI-X entries 7e90e81a4b59 PCI/MSI: Enable and mask MSI-X early 2d2c66848027 genirq/timings: Prevent 
potential array overflow in __irq_timings_store() 355754194b48 genirq/msi: Ensure deactivation on teardown f0736bed18fb x86/resctrl: Fix default monitoring groups reporting 25216ed97da8 x86/ioapic: Force affinity setup before startup 19fb5dabedca x86/msi: Force affinity setup before startup 4e52a4fe6f44 genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP 2a28b52306f2 x86/tools: Fix objdump version check again 4acc0d987141 powerpc/kprobes: Fix kprobe Oops happens in booke 015e2c900b5d efi/libstub: arm64: Relax 2M alignment again for relocatable kernels feb4a01d3ece efi/libstub: arm64: Force Image reallocation if BSS was not reserved afcb84e6cf8c arm64: efi: kaslr: Fix occasional random alloc (and boot) failure e0ee8d9c31b5 nbd: Aovid double completion of a request f5cefe9a52a6 vsock/virtio: avoid potential deadlock when vsock device remove dff830e5e723 xen/events: Fix race in set_evtchn_to_irq 65395b053d03 drm/i915: Only access SFC_DONE when media domain is not fused off 4344440d91b3 net: igmp: increase size of mr_ifc_count 696afe28dc51 tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets 8976606ca347 net: linkwatch: fix failure to restore device state across suspend/resume 4c2af90119ea net: bridge: fix memleak in br_add_if() f333a5ca71c3 net: bridge: fix flags interpretation for extern learn fdb entries e3b949b86d09 net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry 1cad01aca1fa net: dsa: sja1105: fix broken backpressure in .port_fdb_dump 56cc3408ff2a net: dsa: lantiq: fix broken backpressure in .port_fdb_dump f7720b35cd32 net: dsa: lan9303: fix broken backpressure in .port_fdb_dump 24e1b7dbb174 net: igmp: fix data-race in igmp_ifc_timer_expire() 69b13167a636 net: Fix memory leak in ieee802154_raw_deliver dbfaf7a6a23a net: dsa: microchip: ksz8795: Fix VLAN filtering ccc1fe82c878 net: dsa: microchip: Fix ksz_read64() 558092b8ed31 drm/meson: fix colour distortion from HDR set during vendor u-boot 6e1886465dea 
net/mlx5: Fix return value from tracer initialization 303ba011f5e1 net/mlx5: Synchronize correct IRQ when destroying CQ 00a0c11ddd72 bareudp: Fix invalid read beyond skb's linear data 30b1fc47f765 psample: Add a fwd declaration for skbuff b3f0b170842c iavf: Set RSS LUT and key in reset handle path a6192bae12e4 ice: don't remove netdev->dev_addr from uc sync list bae5b521feaa ice: Prevent probing virtual functions 059238c52c61 net: sched: act_mirred: Reset ct info when mirror/redirect skb f15f7716b047 net/smc: fix wait on already cleared link 51f4965d775e ppp: Fix generating ifname when empty IFLA_IFNAME is specified 046579c9fc28 net: phy: micrel: Fix link detection on ksz87xx switch" e95620c3bdff bpf: Fix integer overflow involving bucket_size 1960c3ac5268 libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT a3e9a3e22844 platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables 53ebbfdd0e37 net: mvvp2: fix short frame size on s390 784320edb6c5 net: dsa: mt7530: add the missing RxUnicast MIB counter 20a80319028c ASoC: cs42l42: Fix LRCLK frame start edge 750503aecf4e pinctrl: tigerlake: Fix GPIO mapping for newer version of software be49d5437d1a netfilter: nf_conntrack_bridge: Fix memory leak when error aa6b17bfefbc ASoC: cs42l42: Remove duplicate control for WNF filter frequency b268f9f6b73f ASoC: cs42l42: Fix inversion of ADC Notch Switch control 2386a8cde18e ASoC: SOF: Intel: hda-ipc: fix reply size checking 0e47f99e8680 ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J 576939671f74 ASoC: cs42l42: Correct definition of ADC Volume control a21963c35f16 pinctrl: mediatek: Fix fallback behavior for bias_set_combo 27188a938291 ieee802154: hwsim: fix GPF in hwsim_new_edge_nl 528f17c02db9 ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi 95de3592f87e drm/amdgpu: don't enable baco on boco platforms in runpm bd80d11a516c drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work ae311a7418f1 drm/amd/display: Remove invalid assert for ODM + MPC 
case c2351e5faa3e libnvdimm/region: Fix label activation vs errors 366de90ccfa2 ACPI: NFIT: Fix support for virtual SPA ranges f3fcf9d1b759 ceph: reduce contention in ceph_check_delayed_caps() ca6dea44bd8c ARC: fp: set FPU_STATUS.FWE to enable FPU_STATUS update on context switch 4716a2145bbf net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases 561d13128bb8 seccomp: Fix setting loaded filter count during TSYNC 54916988a0fb scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash 3db5cb922800 cifs: create sd context must be a multiple of 8 d1398e3715b1 i2c: dev: zero out array used for i2c reads from userspace b8bceace43dd ASoC: intel: atom: Fix reference to PCM buffer address 261613ef340b ASoC: tlv320aic31xx: Fix jack detection after suspend 7e5a7fa68b27 ASoC: uniphier: Fix reference to PCM buffer address 209eb62b45fe ASoC: xilinx: Fix reference to PCM buffer address c419c4c91b30 ASoC: amd: Fix reference to PCM buffer address 0c9adae11701 iio: adc: Fix incorrect exit of for-loop 632279e5057c iio: humidity: hdc100x: Add margin to the conversion time 45de224b1332 iio: adis: set GPIO reset pin direction d0532ed064d1 iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels ---- Link: https://lore.kernel.org/r/20210813150522.623322501@linuxfoundation.org # v5.10.59 Link: https://lore.kernel.org/r/20210816125434.948010115@linuxfoundation.org # v5.10.60 Link: https://lore.kernel.org/r/20210816171400.936235973@linuxfoundation.org # v5.10.60 Link: Freescale/linux-fslc#418 Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
zandrey
added a commit
to zandrey/meta-freescale
that referenced
this pull request
Sep 20, 2021
Kernel repository has been upgraded up to v5.10.60 from stable korg. Following upstream commits are included in this version: ---- 2c5bd949b1df Linux 5.10.60 3a24e121304a net: dsa: microchip: ksz8795: Use software untagging on CPU port 1e78179d75fb net: dsa: microchip: ksz8795: Fix VLAN untagged flag change on deletion 5033d5e23155 net: dsa: microchip: ksz8795: Reject unsupported VLAN configuration 60c007b52779 net: dsa: microchip: ksz8795: Fix PVID tag insertion f365d53c8687 net: dsa: microchip: Fix probing KSZ87xx switch with DT node for host port 3dc5666baf2a KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) c0883f693187 KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) b5f05bdfda28 vmlinux.lds.h: Handle clang's module.{c,d}tor sections 2fe07584a623 ceph: take snap_empty_lock atomically with snaprealm refcount change a23aced54c2c ceph: clean up locking annotation for ceph_get_snap_realm and __lookup_snap_realm b0efc93271ca ceph: add some lockdep assertions around snaprealm handling dcdb587ac470 vboxsf: Add support for the atomic_open directory-inode op 7cd14c1a7fed vboxsf: Add vboxsf_[create|release]_sf_handle() helpers 433f0b31ebec KVM: nVMX: Use vmx_need_pf_intercept() when deciding if L0 wants a #PF 0ab67e3dfc4d KVM: VMX: Use current VMCS to query WAITPKG support for MSR emulation 4a948c579ed6 efi/libstub: arm64: Double check image alignment at entry fc7da433fa16 powerpc/smp: Fix OOPS in topology_init() 312730cd15e0 PCI/MSI: Protect msi_desc::masked for multi-MSI 724d0a985086 PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() 923368751866 PCI/MSI: Correct misleading comments e42fb8e6161e PCI/MSI: Do not set invalid bits in MSI mask 042e03c9cdab PCI/MSI: Enforce MSI[X] entry updates to be visible 0b2509d7a90c PCI/MSI: Enforce that MSI-X table entry is masked for update aa8092c1d1f1 PCI/MSI: Mask all unused MSI-X entries 7e90e81a4b59 PCI/MSI: Enable and mask MSI-X early 2d2c66848027 genirq/timings: Prevent 
potential array overflow in __irq_timings_store()
355754194b48 genirq/msi: Ensure deactivation on teardown
f0736bed18fb x86/resctrl: Fix default monitoring groups reporting
25216ed97da8 x86/ioapic: Force affinity setup before startup
19fb5dabedca x86/msi: Force affinity setup before startup
4e52a4fe6f44 genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP
2a28b52306f2 x86/tools: Fix objdump version check again
4acc0d987141 powerpc/kprobes: Fix kprobe Oops happens in booke
015e2c900b5d efi/libstub: arm64: Relax 2M alignment again for relocatable kernels
feb4a01d3ece efi/libstub: arm64: Force Image reallocation if BSS was not reserved
afcb84e6cf8c arm64: efi: kaslr: Fix occasional random alloc (and boot) failure
e0ee8d9c31b5 nbd: Aovid double completion of a request
f5cefe9a52a6 vsock/virtio: avoid potential deadlock when vsock device remove
dff830e5e723 xen/events: Fix race in set_evtchn_to_irq
65395b053d03 drm/i915: Only access SFC_DONE when media domain is not fused off
4344440d91b3 net: igmp: increase size of mr_ifc_count
696afe28dc51 tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
8976606ca347 net: linkwatch: fix failure to restore device state across suspend/resume
4c2af90119ea net: bridge: fix memleak in br_add_if()
f333a5ca71c3 net: bridge: fix flags interpretation for extern learn fdb entries
e3b949b86d09 net: bridge: validate the NUD_PERMANENT bit when adding an extern_learn FDB entry
1cad01aca1fa net: dsa: sja1105: fix broken backpressure in .port_fdb_dump
56cc3408ff2a net: dsa: lantiq: fix broken backpressure in .port_fdb_dump
f7720b35cd32 net: dsa: lan9303: fix broken backpressure in .port_fdb_dump
24e1b7dbb174 net: igmp: fix data-race in igmp_ifc_timer_expire()
69b13167a636 net: Fix memory leak in ieee802154_raw_deliver
dbfaf7a6a23a net: dsa: microchip: ksz8795: Fix VLAN filtering
ccc1fe82c878 net: dsa: microchip: Fix ksz_read64()
558092b8ed31 drm/meson: fix colour distortion from HDR set during vendor u-boot
6e1886465dea net/mlx5: Fix return value from tracer initialization
303ba011f5e1 net/mlx5: Synchronize correct IRQ when destroying CQ
00a0c11ddd72 bareudp: Fix invalid read beyond skb's linear data
30b1fc47f765 psample: Add a fwd declaration for skbuff
b3f0b170842c iavf: Set RSS LUT and key in reset handle path
a6192bae12e4 ice: don't remove netdev->dev_addr from uc sync list
bae5b521feaa ice: Prevent probing virtual functions
059238c52c61 net: sched: act_mirred: Reset ct info when mirror/redirect skb
f15f7716b047 net/smc: fix wait on already cleared link
51f4965d775e ppp: Fix generating ifname when empty IFLA_IFNAME is specified
046579c9fc28 net: phy: micrel: Fix link detection on ksz87xx switch"
e95620c3bdff bpf: Fix integer overflow involving bucket_size
1960c3ac5268 libbpf: Fix probe for BPF_PROG_TYPE_CGROUP_SOCKOPT
a3e9a3e22844 platform/x86: pcengines-apuv2: Add missing terminating entries to gpio-lookup tables
53ebbfdd0e37 net: mvvp2: fix short frame size on s390
784320edb6c5 net: dsa: mt7530: add the missing RxUnicast MIB counter
20a80319028c ASoC: cs42l42: Fix LRCLK frame start edge
750503aecf4e pinctrl: tigerlake: Fix GPIO mapping for newer version of software
be49d5437d1a netfilter: nf_conntrack_bridge: Fix memory leak when error
aa6b17bfefbc ASoC: cs42l42: Remove duplicate control for WNF filter frequency
b268f9f6b73f ASoC: cs42l42: Fix inversion of ADC Notch Switch control
2386a8cde18e ASoC: SOF: Intel: hda-ipc: fix reply size checking
0e47f99e8680 ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
576939671f74 ASoC: cs42l42: Correct definition of ADC Volume control
a21963c35f16 pinctrl: mediatek: Fix fallback behavior for bias_set_combo
27188a938291 ieee802154: hwsim: fix GPF in hwsim_new_edge_nl
528f17c02db9 ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi
95de3592f87e drm/amdgpu: don't enable baco on boco platforms in runpm
bd80d11a516c drm/amd/display: use GFP_ATOMIC in amdgpu_dm_irq_schedule_work
ae311a7418f1 drm/amd/display: Remove invalid assert for ODM + MPC case
c2351e5faa3e libnvdimm/region: Fix label activation vs errors
366de90ccfa2 ACPI: NFIT: Fix support for virtual SPA ranges
f3fcf9d1b759 ceph: reduce contention in ceph_check_delayed_caps()
ca6dea44bd8c ARC: fp: set FPU_STATUS.FWE to enable FPU_STATUS update on context switch
4716a2145bbf net: ethernet: ti: cpsw: fix min eth packet size for non-switch use-cases
561d13128bb8 seccomp: Fix setting loaded filter count during TSYNC
54916988a0fb scsi: lpfc: Move initialization of phba->poll_list earlier to avoid crash
3db5cb922800 cifs: create sd context must be a multiple of 8
d1398e3715b1 i2c: dev: zero out array used for i2c reads from userspace
b8bceace43dd ASoC: intel: atom: Fix reference to PCM buffer address
261613ef340b ASoC: tlv320aic31xx: Fix jack detection after suspend
7e5a7fa68b27 ASoC: uniphier: Fix reference to PCM buffer address
209eb62b45fe ASoC: xilinx: Fix reference to PCM buffer address
c419c4c91b30 ASoC: amd: Fix reference to PCM buffer address
0c9adae11701 iio: adc: Fix incorrect exit of for-loop
632279e5057c iio: humidity: hdc100x: Add margin to the conversion time
45de224b1332 iio: adis: set GPIO reset pin direction
d0532ed064d1 iio: adc: ti-ads7950: Ensure CS is deasserted after reading channels
----

Link: https://lore.kernel.org/r/20210813150522.623322501@linuxfoundation.org # v5.10.59
Link: https://lore.kernel.org/r/20210816125434.948010115@linuxfoundation.org # v5.10.60
Link: https://lore.kernel.org/r/20210816171400.936235973@linuxfoundation.org # v5.10.60
Link: Freescale/linux-fslc#418
Signed-off-by: Andrey Zhizhikin <andrey.z@gmail.com>
zandrey added a commit to zandrey/meta-freescale that referenced this pull request Sep 20, 2021
LeBlue pushed a commit to LeBlue/linux-fslc that referenced this pull request Jan 20, 2022
commit 7c0ea59 upstream.

running openvswitch on kernels built with KASAN, it's possible to see the following splat while testing fragmentation of IPv4 packets:

 BUG: KASAN: stack-out-of-bounds in ip_do_fragment+0x1b03/0x1f60
 Read of size 1 at addr ffff888112fc713c by task handler2/1367

 CPU: 0 PID: 1367 Comm: handler2 Not tainted 5.12.0-rc6+ Freescale#418
 Hardware name: Red Hat KVM, BIOS 1.11.1-4.module+el8.1.0+4066+0f1aadab 04/01/2014
 Call Trace:
  dump_stack+0x92/0xc1
  print_address_description.constprop.7+0x1a/0x150
  kasan_report.cold.13+0x7f/0x111
  ip_do_fragment+0x1b03/0x1f60
  ovs_fragment+0x5bf/0x840 [openvswitch]
  do_execute_actions+0x1bd5/0x2400 [openvswitch]
  ovs_execute_actions+0xc8/0x3d0 [openvswitch]
  ovs_packet_cmd_execute+0xa39/0x1150 [openvswitch]
  genl_family_rcv_msg_doit.isra.15+0x227/0x2d0
  genl_rcv_msg+0x287/0x490
  netlink_rcv_skb+0x120/0x380
  genl_rcv+0x24/0x40
  netlink_unicast+0x439/0x630
  netlink_sendmsg+0x719/0xbf0
  sock_sendmsg+0xe2/0x110
  ____sys_sendmsg+0x5ba/0x890
  ___sys_sendmsg+0xe9/0x160
  __sys_sendmsg+0xd3/0x170
  do_syscall_64+0x33/0x40
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7f957079db07
 Code: c3 66 90 41 54 41 89 d4 55 48 89 f5 53 89 fb 48 83 ec 10 e8 eb ec ff ff 44 89 e2 48 89 ee 89 df 41 89 c0 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 35 44 89 c7 48 89 44 24 08 e8 24 ed ff ff 48
 RSP: 002b:00007f956ce35a50 EFLAGS: 00000293 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 0000000000000019 RCX: 00007f957079db07
 RDX: 0000000000000000 RSI: 00007f956ce35ae0 RDI: 0000000000000019
 RBP: 00007f956ce35ae0 R08: 0000000000000000 R09: 00007f9558006730
 R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
 R13: 00007f956ce37308 R14: 00007f956ce35f80 R15: 00007f956ce35ae0

 The buggy address belongs to the page:
 page:00000000af2a1d93 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x112fc7
 flags: 0x17ffffc0000000()
 raw: 0017ffffc0000000 0000000000000000 dead000000000122 0000000000000000
 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 addr ffff888112fc713c is located in stack of task handler2/1367 at offset 180 in frame:
  ovs_fragment+0x0/0x840 [openvswitch]

 this frame has 2 objects:
  [32, 144) 'ovs_dst'
  [192, 424) 'ovs_rt'

 Memory state around the buggy address:
  ffff888112fc7000: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7080: 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00
 >ffff888112fc7100: 00 00 00 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00
                                         ^
  ffff888112fc7180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff888112fc7200: 00 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00

for IPv4 packets, ovs_fragment() uses a temporary struct dst_entry. Then, in the following call graph:

  ip_do_fragment()
    ip_skb_dst_mtu()
      ip_dst_mtu_maybe_forward()
        ip_mtu_locked()

the pointer to struct dst_entry is used as pointer to struct rtable: this turns the access to struct members like rt_mtu_locked into an OOB read in the stack. Fix this changing the temporary variable used for IPv4 packets in ovs_fragment(), similarly to what is done for IPv6 few lines below.

Fixes: d52e5a7 ("ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmt")
Cc: <stable@vger.kernel.org>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
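Added example (not part of the commit message above or of the kernel sources): a small C triage helper that takes the frame layout, the offset and the marked shadow row from the KASAN report in that commit message and works out where the 1-byte read landed. All function and variable names are hypothetical, and the values are constructed from the report text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed from the KASAN report quoted above; all names are hypothetical. */
struct frame_obj { unsigned start, end; const char *name; };  /* [start, end) */
static const struct frame_obj ovs_frame[] = { {32, 144, "ovs_dst"}, {192, 424, "ovs_rt"} };
#define NOBJ (sizeof(ovs_frame) / sizeof(ovs_frame[0]))

/* Shadow row marked '>' in the report: each shadow byte describes 8 bytes. */
static const uint64_t row_base = 0xffff888112fc7100ULL;
static const uint8_t row_shadow[16] = {
    0x00, 0x00, 0x00, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
    0xf2, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Index of the object that contains frame offset off, or -1 (redzone). */
static int obj_containing(const struct frame_obj *o, size_t n, unsigned off)
{
    for (size_t i = 0; i < n; i++)
        if (off >= o[i].start && off < o[i].end)
            return (int)i;
    return -1;
}

/* Index of the nearest object ending at or before off, or -1 if none. */
static int obj_overrun(const struct frame_obj *o, size_t n, unsigned off)
{
    int best = -1;
    for (size_t i = 0; i < n; i++)
        if (o[i].end <= off && (best < 0 || o[i].end > o[best].end))
            best = (int)i;
    return best;
}

/* Shadow byte for addr; addr must lie in the 128 bytes the row covers. */
static uint8_t shadow_at(uint64_t base, const uint8_t *row, uint64_t addr)
{
    return row[(addr - base) / 8];
}

int main(void)
{
    unsigned off = 180;  /* "at offset 180 in frame" */
    int prev = obj_overrun(ovs_frame, NOBJ, off);
    printf("containing object index: %d (-1 means redzone)\n",
           obj_containing(ovs_frame, NOBJ, off));
    if (prev >= 0)
        printf("byte %u of %s, which is only %u bytes long\n",
               off - ovs_frame[prev].start, ovs_frame[prev].name,
               ovs_frame[prev].end - ovs_frame[prev].start);
    printf("shadow byte: 0x%02x (0xf2 is KASAN's stack mid-redzone marker)\n",
           (unsigned)shadow_at(row_base, row_shadow, 0xffff888112fc713cULL));
    return 0;
}
```

For this report the read is at byte 148 of the 112-byte ovs_dst, 36 bytes past its end in the redzone before ovs_rt. That matches a struct dst_entry on the stack being accessed through a pointer to the larger struct rtable.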
Automatic merge performed, no conflicts reported.
Kernel has been built for both aarch64 (defconfig) and arm32 (imx_v6_v7_defconfig).
-- andrey