1. 12 Feb, 2019 40 commits
    • Paul Elder's avatar
      usb: gadget: musb: fix short isoc packets with inventra dma · bc416257
      Paul Elder authored
      commit c418fd6c upstream.
      
      Handling short packets (length < max packet size) in the Inventra DMA
      engine in the MUSB driver causes the MUSB DMA controller to hang. An
      example of a problem that is caused by this problem is when streaming
      video out of a UVC gadget, only the first video frame is transferred.
      
      For short packets (mode-0 or mode-1 DMA), MUSB_TXCSR_TXPKTRDY must be
      set manually by the driver. This was previously done in musb_g_tx
      (musb_gadget.c), but incorrectly (all csr flags were cleared, and only
      MUSB_TXCSR_MODE and MUSB_TXCSR_TXPKTRDY were set). Fixing that problem
      allows some requests to be transferred correctly, but multiple requests
      were often put together in one USB packet, and caused problems if the
      packet size was not a multiple of 4. Instead, set MUSB_TXCSR_TXPKTRDY
      in dma_controller_irq (musbhsdma.c), just like host mode transfers.
      
      This topic was originally tackled by Nicolas Boichat [0] [1] and is
      discussed further at [2] as part of his GSoC project [3].
      
      [0] https://groups.google.com/forum/?hl=en#!topic/beagleboard-gsoc/k8Azwfp75CU
      [1] https://gitorious.org/beagleboard-usbsniffer/beagleboard-usbsniffer-kernel/commit/b0be3b6cc195ba732189b04f1d43ec843c3e54c9?p=beagleboard-usbsniffer:beagleboard-usbsniffer-kernel.git;a=patch;h=b0be3b6cc195ba732189b04f1d43ec843c3e54c9
      [2] http://beagleboard-usbsniffer.blogspot.com/2010/07/musb-isochronous-transfers-fixed.html
      [3] http://elinux.org/BeagleBoard/GSoC/USBSniffer
      
      Fixes: 550a7375 ("USB: Add MUSB and TUSB support")
      Signed-off-by: default avatarPaul Elder <paul.elder@ideasonboard.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc416257
    • Gustavo A. R. Silva's avatar
      usb: gadget: udc: net2272: Fix bitwise and boolean operations · 77541a0b
      Gustavo A. R. Silva authored
      commit 07c69f11 upstream.
      
      (!x & y) strikes again.
      
      Fix bitwise and boolean operations by enclosing the expression:
      
      	intcsr & (1 << NET2272_PCI_IRQ)
      
      in parentheses, before applying the boolean operator '!'.
      
      Notice that this code has been there since 2011. So, it would
      be helpful if someone can double-check this.
      
      This issue was detected with the help of Coccinelle.
      
      Fixes: ceb80363 ("USB: net2272: driver for PLX NET2272 USB device controller")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77541a0b
    • Tejas Joglekar's avatar
      usb: dwc3: gadget: Handle 0 xfer length for OUT EP · 19bc535e
      Tejas Joglekar authored
      commit 1e19cdc8 upstream.
      
      For OUT endpoints, zero-length transfers require MaxPacketSize buffer as
      per the DWC_usb3 programming guide 3.30a section 4.2.3.3.
      
      This patch fixes this by explicitly checking zero length
      transfer to correctly pad up to MaxPacketSize.
      
      Fixes: c6267a51 ("usb: dwc3: gadget: align transfers to wMaxPacketSize")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarTejas Joglekar <joglekar@synopsys.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19bc535e
    • Bin Liu's avatar
      usb: phy: am335x: fix race condition in _probe · a8438c38
      Bin Liu authored
      commit a53469a6 upstream.
      
      power off the phy should be done before populate the phy. Otherwise,
      am335x_init() could be called by the phy owner to power on the phy first,
      then am335x_phy_probe() turns off the phy again without the caller knowing
      it.
      
      Fixes: 2fc711d7 ("usb: phy: am335x: Enable USB remote wakeup using PHY wakeup")
      Cc: stable@vger.kernel.org # v3.18+
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8438c38
    • Marc Zyngier's avatar
      irqchip/gic-v3-its: Plug allocation race for devices sharing a DevID · 8459f1d6
      Marc Zyngier authored
      commit 9791ec7d upstream.
      
      On systems or VMs where multiple devices share a single DevID
      (because they sit behind a PCI bridge, or because the HW is
      broken in funky ways), we reuse the save its_device structure
      in order to reflect this.
      
      It turns out that there is a distinct lack of locking when looking
      up the its_device, and two device being probed concurrently can result
      in double allocations. That's obviously not nice.
      
      A solution for this is to have a per-ITS mutex that serializes device
      allocation.
      
      A similar issue exists on the freeing side, which can run concurrently
      with the allocation. On top of now taking the appropriate lock, we
      also make sure that a shared device is never freed, as we have no way
      to currently track the life cycle of such object.
      Reported-by: default avatarZheng Xiang <zhengxiang9@huawei.com>
      Tested-by: default avatarZheng Xiang <zhengxiang9@huawei.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8459f1d6
    • Thomas Gleixner's avatar
      futex: Handle early deadlock return correctly · ee73954d
      Thomas Gleixner authored
      commit 1a1fb985 upstream.
      
      commit 56222b21 ("futex: Drop hb->lock before enqueueing on the
      rtmutex") changed the locking rules in the futex code so that the hash
      bucket lock is not longer held while the waiter is enqueued into the
      rtmutex wait list. This made the lock and the unlock path symmetric, but
      unfortunately the possible early exit from __rt_mutex_proxy_start() due to
      a detected deadlock was not updated accordingly. That allows a concurrent
      unlocker to observe inconsitent state which triggers the warning in the
      unlock path.
      
      futex_lock_pi()                         futex_unlock_pi()
        lock(hb->lock)
        queue(hb_waiter)				lock(hb->lock)
        lock(rtmutex->wait_lock)
        unlock(hb->lock)
                                              // acquired hb->lock
                                              hb_waiter = futex_top_waiter()
                                              lock(rtmutex->wait_lock)
        __rt_mutex_proxy_start()
           ---> fail
                remove(rtmutex_waiter);
           ---> returns -EDEADLOCK
        unlock(rtmutex->wait_lock)
                                              // acquired wait_lock
                                              wake_futex_pi()
                                              rt_mutex_next_owner()
      					  --> returns NULL
                                                --> WARN
      
        lock(hb->lock)
        unqueue(hb_waiter)
      
      The problem is caused by the remove(rtmutex_waiter) in the failure case of
      __rt_mutex_proxy_start() as this lets the unlocker observe a waiter in the
      hash bucket but no waiter on the rtmutex, i.e. inconsistent state.
      
      The original commit handles this correctly for the other early return cases
      (timeout, signal) by delaying the removal of the rtmutex waiter until the
      returning task reacquired the hash bucket lock.
      
      Treat the failure case of __rt_mutex_proxy_start() in the same way and let
      the existing cleanup code handle the eventual handover of the rtmutex
      gracefully. The regular rt_mutex_proxy_start() gains the rtmutex waiter
      removal for the failure case, so that the other callsites are still
      operating correctly.
      
      Add proper comments to the code so all these details are fully documented.
      
      Thanks to Peter for helping with the analysis and writing the really
      valuable code comments.
      
      Fixes: 56222b21 ("futex: Drop hb->lock before enqueueing on the rtmutex")
      Reported-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Co-developed-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Cc: linux-s390@vger.kernel.org
      Cc: Stefan Liebler <stli@linux.ibm.com>
      Cc: Sebastian Sewior <bigeasy@linutronix.de>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/alpine.DEB.2.21.1901292311410.1950@nanos.tec.linutronix.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ee73954d
    • Leonid Iziumtsev's avatar
      dmaengine: imx-dma: fix wrong callback invoke · 4a9e4bcd
      Leonid Iziumtsev authored
      commit 341198ed upstream.
      
      Once the "ld_queue" list is not empty, next descriptor will migrate
      into "ld_active" list. The "desc" variable will be overwritten
      during that transition. And later the dmaengine_desc_get_callback_invoke()
      will use it as an argument. As result we invoke wrong callback.
      
      That behaviour was in place since:
      commit fcaaba6c ("dmaengine: imx-dma: fix callback path in tasklet").
      But after commit 4cd13c21 ("softirq: Let ksoftirqd do its job")
      things got worse, since possible delay between tasklet_schedule()
      from DMA irq handler and actual tasklet function execution got bigger.
      And that gave more time for new DMA request to be submitted and
      to be put into "ld_queue" list.
      
      It has been noticed that DMA issue is causing problems for "mxc-mmc"
      driver. While stressing the system with heavy network traffic and
      writing/reading to/from sd card simultaneously the timeout may happen:
      
      10013000.sdhci: mxcmci_watchdog: read time out (status = 0x30004900)
      
      That often lead to file system corruption.
      Signed-off-by: default avatarLeonid Iziumtsev <leonid.iziumtsev@gmail.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4a9e4bcd
    • Lukas Wunner's avatar
      dmaengine: bcm2835: Fix abort of transactions · 84c1d562
      Lukas Wunner authored
      commit 9e528c79 upstream.
      
      There are multiple issues with bcm2835_dma_abort() (which is called on
      termination of a transaction):
      
      * The algorithm to abort the transaction first pauses the channel by
        clearing the ACTIVE flag in the CS register, then waits for the PAUSED
        flag to clear.  Page 49 of the spec documents the latter as follows:
      
        "Indicates if the DMA is currently paused and not transferring data.
         This will occur if the active bit has been cleared [...]"
         https://www.raspberrypi.org/app/uploads/2012/02/BCM2835-ARM-Peripherals.pdf
      
        So the function is entering an infinite loop because it is waiting for
        PAUSED to clear which is always set due to the function having cleared
        the ACTIVE flag.  The only thing that's saving it from itself is the
        upper bound of 10000 loop iterations.
      
        The code comment says that the intention is to "wait for any current
        AXI transfer to complete", so the author probably wanted to check the
        WAITING_FOR_OUTSTANDING_WRITES flag instead.  Amend the function
        accordingly.
      
      * The CS register is only read at the beginning of the function.  It
        needs to be read again after pausing the channel and before checking
        for outstanding writes, otherwise writes which were issued between
        the register read at the beginning of the function and pausing the
        channel may not be waited for.
      
      * The function seeks to abort the transfer by writing 0 to the NEXTCONBK
        register and setting the ABORT and ACTIVE flags.  Thereby, the 0 in
        NEXTCONBK is sought to be loaded into the CONBLK_AD register.  However
        experimentation has shown this approach to not work:  The CONBLK_AD
        register remains the same as before and the CS register contains
        0x00000030 (PAUSED | DREQ_STOPS_DMA).  In other words, the control
        block is not aborted but merely paused and it will be resumed once the
        next DMA transaction is started.  That is absolutely not the desired
        behavior.
      
        A simpler approach is to set the channel's RESET flag instead.  This
        reliably zeroes the NEXTCONBK as well as the CS register.  It requires
        less code and only a single MMIO write.  This is also what popular
        user space DMA drivers do, e.g.:
        https://github.com/metachris/RPIO/blob/master/source/c_pwm/pwm.c
      
        Note that the spec is contradictory whether the NEXTCONBK register
        is writeable at all.  On the one hand, page 41 claims:
      
        "The value loaded into the NEXTCONBK register can be overwritten so
        that the linked list of Control Block data structures can be
        dynamically altered. However it is only safe to do this when the DMA
        is paused."
      
        On the other hand, page 40 specifies:
      
        "Only three registers in each channel's register set are directly
        writeable (CS, CONBLK_AD and DEBUG). The other registers (TI,
        SOURCE_AD, DEST_AD, TXFR_LEN, STRIDE & NEXTCONBK), are automatically
        loaded from a Control Block data structure held in external memory."
      
      Fixes: 96286b57 ("dmaengine: Add support for BCM2835")
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Cc: stable@vger.kernel.org # v3.14+
      Cc: Frank Pavlic <f.pavlic@kunbus.de>
      Cc: Martin Sperl <kernel@martin.sperl.org>
      Cc: Florian Meier <florian.meier@koalo.de>
      Cc: Clive Messer <clive.m.messer@gmail.com>
      Cc: Matthias Reichl <hias@horus.com>
      Tested-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Acked-by: default avatarFlorian Kauer <florian.kauer@koalo.de>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      84c1d562
    • Lukas Wunner's avatar
      dmaengine: bcm2835: Fix interrupt race on RT · 916eb6bd
      Lukas Wunner authored
      commit f7da7782 upstream.
      
      If IRQ handlers are threaded (either because CONFIG_PREEMPT_RT_BASE is
      enabled or "threadirqs" was passed on the command line) and if system
      load is sufficiently high that wakeup latency of IRQ threads degrades,
      SPI DMA transactions on the BCM2835 occasionally break like this:
      
      ks8851 spi0.0: SPI transfer timed out
      bcm2835-dma 3f007000.dma: DMA transfer could not be terminated
      ks8851 spi0.0 eth2: ks8851_rdfifo: spi_sync() failed
      
      The root cause is an assumption made by the DMA driver which is
      documented in a code comment in bcm2835_dma_terminate_all():
      
      /*
       * Stop DMA activity: we assume the callback will not be called
       * after bcm_dma_abort() returns (even if it does, it will see
       * c->desc is NULL and exit.)
       */
      
      That assumption falls apart if the IRQ handler bcm2835_dma_callback() is
      threaded: A client may terminate a descriptor and issue a new one
      before the IRQ handler had a chance to run. In fact the IRQ handler may
      miss an *arbitrary* number of descriptors. The result is the following
      race condition:
      
      1. A descriptor finishes, its interrupt is deferred to the IRQ thread.
      2. A client calls dma_terminate_async() which sets channel->desc = NULL.
      3. The client issues a new descriptor. Because channel->desc is NULL,
         bcm2835_dma_issue_pending() immediately starts the descriptor.
      4. Finally the IRQ thread runs and writes BCM2835_DMA_INT to the CS
         register to acknowledge the interrupt. This clears the ACTIVE flag,
         so the newly issued descriptor is paused in the middle of the
         transaction. Because channel->desc is not NULL, the IRQ thread
         finalizes the descriptor and tries to start the next one.
      
      I see two possible solutions: The first is to call synchronize_irq()
      in bcm2835_dma_issue_pending() to wait until the IRQ thread has
      finished before issuing a new descriptor. The downside of this approach
      is unnecessary latency if clients desire rapidly terminating and
      re-issuing descriptors and don't have any use for an IRQ callback.
      (The SPI TX DMA channel is a case in point.)
      
      A better alternative is to make the IRQ thread recognize that it has
      missed descriptors and avoid finalizing the newly issued descriptor.
      So first of all, set the ACTIVE flag when acknowledging the interrupt.
      This keeps a newly issued descriptor running.
      
      If the descriptor was finished, the channel remains idle despite the
      ACTIVE flag being set. However the ACTIVE flag can then no longer be
      used to check whether the channel is idle, so instead check whether
      the register containing the current control block address is zero
      and finalize the current descriptor only if so.
      
      That way, there is no impact on latency and throughput if the client
      doesn't care for the interrupt: Only minimal additional overhead is
      introduced for non-cyclic descriptors as one further MMIO read is
      necessary per interrupt to check for idleness of the channel. Cyclic
      descriptors are sped up slightly by removing one MMIO write per
      interrupt.
      
      Fixes: 96286b57 ("dmaengine: Add support for BCM2835")
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Cc: stable@vger.kernel.org # v3.14+
      Cc: Frank Pavlic <f.pavlic@kunbus.de>
      Cc: Martin Sperl <kernel@martin.sperl.org>
      Cc: Florian Meier <florian.meier@koalo.de>
      Cc: Clive Messer <clive.m.messer@gmail.com>
      Cc: Matthias Reichl <hias@horus.com>
      Tested-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Acked-by: default avatarFlorian Kauer <florian.kauer@koalo.de>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      916eb6bd
    • Vladis Dronov's avatar
      HID: debug: fix the ring buffer implementation · c70374ce
      Vladis Dronov authored
      commit 13054abb upstream.
      
      Ring buffer implementation in hid_debug_event() and hid_debug_events_read()
      is strange allowing lost or corrupted data. After commit 717adfda
      ("HID: debug: check length before copy_to_user()") it is possible to enter
      an infinite loop in hid_debug_events_read() by providing 0 as count, this
      locks up a system. Fix this by rewriting the ring buffer implementation
      with kfifo and simplify the code.
      
      This fixes CVE-2019-3819.
      
      v2: fix an execution logic and add a comment
      v3: use __set_current_state() instead of set_current_state()
      
      Link: https://bugzilla.redhat.com/show_bug.cgi?id=1669187
      Cc: stable@vger.kernel.org # v4.18+
      Fixes: cd667ce2 ("HID: use debugfs for events/reports dumping")
      Fixes: 717adfda ("HID: debug: check length before copy_to_user()")
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Reviewed-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c70374ce
    • Miklos Szeredi's avatar
      fuse: handle zero sized retrieve correctly · 6ccc9e11
      Miklos Szeredi authored
      commit 97e1532e upstream.
      
      Dereferencing req->page_descs[0] will Oops if req->max_pages is zero.
      
      Reported-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
      Tested-by: syzbot+c1e36d30ee3416289cc0@syzkaller.appspotmail.com
      Fixes: b2430d75 ("fuse: add per-page descriptor <offset, length> to fuse_req")
      Cc: <stable@vger.kernel.org> # v3.9
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ccc9e11
    • Miklos Szeredi's avatar
      fuse: decrement NR_WRITEBACK_TEMP on the right page · f99027ab
      Miklos Szeredi authored
      commit a2ebba82 upstream.
      
      NR_WRITEBACK_TEMP is accounted on the temporary page in the request, not
      the page cache page.
      
      Fixes: 8b284dc4 ("fuse: writepages: handle same page rewrites")
      Cc: <stable@vger.kernel.org> # v3.13
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f99027ab
    • Jann Horn's avatar
      fuse: call pipe_buf_release() under pipe lock · 48be0eb0
      Jann Horn authored
      commit 9509941e upstream.
      
      Some of the pipe_buf_release() handlers seem to assume that the pipe is
      locked - in particular, anon_pipe_buf_release() accesses pipe->tmp_page
      without taking any extra locks. From a glance through the callers of
      pipe_buf_release(), it looks like FUSE is the only one that calls
      pipe_buf_release() without having the pipe locked.
      
      This bug should only lead to a memory leak, nothing terrible.
      
      Fixes: dd3bb14f ("fuse: support splice() writing to fuse device")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48be0eb0
    • Jeremy Soller's avatar
      ALSA: hda/realtek - Headset microphone support for System76 darp5 · a57ab2e7
      Jeremy Soller authored
      commit 89e3a568 upstream.
      
      On the System76 Darter Pro (darp5), there is a headset microphone
      input attached to 0x1a that does not have a jack detect.  In order to
      get it working, the pin configuration needs to be set correctly, and
      the ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC fixup needs to be applied.
      This is similar to the MIC_NO_PRESENCE fixups for some Dell laptops,
      except we have a separate microphone jack that is already configured
      correctly.
      Signed-off-by: default avatarJeremy Soller <jeremy@system76.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a57ab2e7
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Use a common helper for hp pin reference · 7cb46877
      Takashi Iwai authored
      commit 35a39f98 upstream.
      
      Replace the open-codes in many places with a new common helper for
      performing the same thing: referring to the primary headphone pin.
      
      This eventually fixes the potentially missing headphone pin on some
      weird devices, too.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cb46877
    • Kailang Yang's avatar
      ALSA: hda/realtek - Fix lose hp_pins for disable auto mute · 65c9a628
      Kailang Yang authored
      commit d561aa0a upstream.
      
      When auto_mute = no or spec->suppress_auto_mute = 1, cfg->hp_pins will
      lose value.
      
      Add this patch to find hp_pins value.
      I add fixed for ALC282 ALC225 ALC256 ALC294 and alc_default_init()
      alc_default_shutup().
      Signed-off-by: default avatarKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65c9a628
    • Takashi Iwai's avatar
      ALSA: hda - Serialize codec registrations · 7fd6d819
      Takashi Iwai authored
      commit 305a0ade upstream.
      
      In the current code, the codec registration may happen both at the
      codec bind time and the end of the controller probe time.  In a rare
      occasion, they race with each other, leading to Oops due to the still
      uninitialized card device.
      
      This patch introduces a simple flag to prevent the codec registration
      at the codec bind time as long as the controller probe is going on.
      The controller probe invokes snd_card_register() that does the whole
      registration task, and we don't need to register each piece
      beforehand.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fd6d819
    • Udo Eberhardt's avatar
      ALSA: usb-audio: Add support for new T+A USB DAC · 2a0aba55
      Udo Eberhardt authored
      commit 3bff2407 upstream.
      
      This patch adds the T+A VID to the generic check in order to enable
      native DSD support for T+A devices. This works with the new T+A USB
      DAC model SD3100HV and will also work with future devices which
      support the XMOS/Thesycon style DSD format.
      Signed-off-by: default avatarUdo Eberhardt <udo.eberhardt@thesycon.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2a0aba55
    • Charles Keepax's avatar
      ALSA: compress: Fix stop handling on compressed capture streams · 93e7d510
      Charles Keepax authored
      commit 4f2ab5e1 upstream.
      
      It is normal user behaviour to start, stop, then start a stream
      again without closing it. Currently this works for compressed
      playback streams but not capture ones.
      
      The states on a compressed capture stream go directly from OPEN to
      PREPARED, unlike a playback stream which moves to SETUP and waits
      for a write of data before moving to PREPARED. Currently however,
      when a stop is sent the state is set to SETUP for both types of
      streams. This leaves a capture stream in the situation where a new
      start can't be sent as that requires the state to be PREPARED and
      a new set_params can't be sent as that requires the state to be
      OPEN. The only option being to close the stream, and then reopen.
      
      Correct this issues by allowing snd_compr_drain_notify to set the
      state depending on the stream direction, as we already do in
      set_params.
      
      Fixes: 49bb6402 ("ALSA: compress_core: Add support for capture streams")
      Signed-off-by: default avatarCharles Keepax <ckeepax@opensource.cirrus.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93e7d510
    • Brian Foster's avatar
      xfs: eof trim writeback mapping as soon as it is cached · 1f78052b
      Brian Foster authored
      commit aa6ee4ab upstream.
      
      The cached writeback mapping is EOF trimmed to try and avoid races
      between post-eof block management and writeback that result in
      sending cached data to a stale location. The cached mapping is
      currently trimmed on the validation check, which leaves a race
      window between the time the mapping is cached and when it is trimmed
      against the current inode size.
      
      For example, if a new mapping is cached by delalloc conversion on a
      blocksize == page size fs, we could cycle various locks, perform
      memory allocations, etc.  in the writeback codepath before the
      associated mapping is eventually trimmed to i_size. This leaves
      enough time for a post-eof truncate and file append before the
      cached mapping is trimmed. The former event essentially invalidates
      a range of the cached mapping and the latter bumps the inode size
      such the trim on the next writepage event won't trim all of the
      invalid blocks. fstest generic/464 reproduces this scenario
      occasionally and causes a lost writeback and stale delalloc blocks
      warning on inode inactivation.
      
      To work around this problem, trim the cached writeback mapping as
      soon as it is cached in addition to on subsequent validation checks.
      This is a minor tweak to tighten the race window as much as possible
      until a proper invalidation mechanism is available.
      
      Fixes: 40214d12 ("xfs: trim writepage mapping to within eof")
      Cc: <stable@vger.kernel.org> # v4.14+
      Signed-off-by: default avatarBrian Foster <bfoster@redhat.com>
      Reviewed-by: default avatarAllison Henderson <allison.henderson@oracle.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f78052b
    • Raed Salem's avatar
      net/mlx5e: FPGA, fix Innova IPsec TX offload data path performance · 1f1eb00c
      Raed Salem authored
      [ Upstream commit 82eaa1fa ]
      
      At Innova IPsec TX offload data path a special software parser metadata
      is used to pass some packet attributes to the hardware, this metadata
      is passed using the Ethernet control segment of a WQE (a HW descriptor)
      header.
      
      The cited commit might nullify this header, hence the metadata is lost,
      this caused a significant performance drop during hw offloading
      operation.
      
      Fix by restoring the metadata at the Ethernet control segment in case
      it was nullified.
      
      Fixes: 37fdffb2 ("net/mlx5: WQ, fixes for fragmented WQ buffers API")
      Signed-off-by: default avatarRaed Salem <raeds@mellanox.com>
      Reviewed-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f1eb00c
    • Toshiaki Makita's avatar
      virtio_net: Account for tx bytes and packets on sending xdp_frames · 9143e1dc
      Toshiaki Makita authored
      [ Upstream commit 546f2897 ]
      
      Previously virtnet_xdp_xmit() did not account for device tx counters,
      which caused confusions.
      To be consistent with SKBs, account them on freeing xdp_frames.
      Reported-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9143e1dc
    • Dan Carpenter's avatar
      skge: potential memory corruption in skge_get_regs() · c8ba1f79
      Dan Carpenter authored
      [ Upstream commit 294c149a ]
      
      The "p" buffer is 0x4000 bytes long.  B3_RI_WTO_R1 is 0x190.  The value
      of "regs->len" is in the 1-0x4000 range.  The bug here is that
      "regs->len - B3_RI_WTO_R1" can be a negative value which would lead to
      memory corruption and an abrupt crash.
      
      Fixes: c3f8be96 ("[PATCH] skge: expand ethtool debug register dump")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8ba1f79
    • Greg Kroah-Hartman's avatar
      sctp: walk the list of asoc safely · 7c236130
      Greg Kroah-Hartman authored
      [ Upstream commit ba59fb02 ]
      
      In sctp_sendmesg(), when walking the list of endpoint associations, the
      association can be dropped from the list, making the list corrupt.
      Properly handle this by using list_for_each_entry_safe()
      
      Fixes: 49102805 ("sctp: add support for snd flag SCTP_SENDALL process in sendmsg")
      Reported-by: default avatarSecunia Research <vuln@secunia.com>
      Tested-by: default avatarSecunia Research <vuln@secunia.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c236130
    • Xin Long's avatar
      sctp: check and update stream->out_curr when allocating stream_out · 7cd4e833
      Xin Long authored
      [ Upstream commit cfe4bd7a ]
      
      Now when using stream reconfig to add out streams, stream->out
      will get re-allocated, and all old streams' information will
      be copied to the new ones and the old ones will be freed.
      
      So without stream->out_curr updated, next time when trying to
      send from stream->out_curr stream, a panic would be caused.
      
      This patch is to check and update stream->out_curr when
      allocating stream_out.
      
      v1->v2:
        - define fa_index() to get elem index from stream->out_curr.
      v2->v3:
        - repost with no change.
      
      Fixes: 5bbbbe32 ("sctp: introduce stream scheduler foundations")
      Reported-by: default avatarYing Xu <yinxu@redhat.com>
      Reported-by: syzbot+e33a3a138267ca119c7d@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cd4e833
    • Eric Dumazet's avatar
      rxrpc: bad unlock balance in rxrpc_recvmsg · 21b8697e
      Eric Dumazet authored
      [ Upstream commit 6dce3c20 ]
      
      When either "goto wait_interrupted;" or "goto wait_error;"
      paths are taken, socket lock has already been released.
      
      This patch fixes following syzbot splat :
      
      WARNING: bad unlock balance detected!
      5.0.0-rc4+ #59 Not tainted
      -------------------------------------
      syz-executor223/8256 is trying to release lock (sk_lock-AF_RXRPC) at:
      [<ffffffff86651353>] rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
      but there are no more locks to release!
      
      other info that might help us debug this:
      1 lock held by syz-executor223/8256:
       #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: spin_lock_bh include/linux/spinlock.h:334 [inline]
       #0: 00000000fa9ed0f4 (slock-AF_RXRPC){+...}, at: release_sock+0x20/0x1c0 net/core/sock.c:2798
      
      stack backtrace:
      CPU: 1 PID: 8256 Comm: syz-executor223 Not tainted 5.0.0-rc4+ #59
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_unlock_imbalance_bug kernel/locking/lockdep.c:3391 [inline]
       print_unlock_imbalance_bug.cold+0x114/0x123 kernel/locking/lockdep.c:3368
       __lock_release kernel/locking/lockdep.c:3601 [inline]
       lock_release+0x67e/0xa00 kernel/locking/lockdep.c:3860
       sock_release_ownership include/net/sock.h:1471 [inline]
       release_sock+0x183/0x1c0 net/core/sock.c:2808
       rxrpc_recvmsg+0x6d3/0x3099 net/rxrpc/recvmsg.c:598
       sock_recvmsg_nosec net/socket.c:794 [inline]
       sock_recvmsg net/socket.c:801 [inline]
       sock_recvmsg+0xd0/0x110 net/socket.c:797
       __sys_recvfrom+0x1ff/0x350 net/socket.c:1845
       __do_sys_recvfrom net/socket.c:1863 [inline]
       __se_sys_recvfrom net/socket.c:1859 [inline]
       __x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:1859
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446379
      Code: e8 2c b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 09 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fe5da89fd98 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
      RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446379
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
      R13: 0000000000000000 R14: 0000000000000000 R15: 20c49ba5e353f7cf
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: David Howells <dhowells@redhat.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21b8697e
    • Russell King's avatar
      Revert "net: phy: marvell: avoid pause mode on SGMII-to-Copper for 88e151x" · 7c1a5ce6
      Russell King authored
      [ Upstream commit c14f07c6 ]
      
      This reverts commit 6623c0fb.
      
      The original diagnosis was incorrect: it appears that the NIC had
      PHY polling mode enabled, which meant that it overwrote the PHYs
      advertisement register during negotiation.
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Tested-by: default avatarYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7c1a5ce6
    • Eric Dumazet's avatar
      rds: fix refcount bug in rds_sock_addref · f2f054c4
      Eric Dumazet authored
      [ Upstream commit 6fa19f56 ]
      
      syzbot was able to catch a bug in rds [1]
      
      The issue here is that the socket might be found in a hash table
      but that its refcount has already be set to 0 by another cpu.
      
      We need to use refcount_inc_not_zero() to be safe here.
      
      [1]
      
      refcount_t: increment on 0; use-after-free.
      WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked lib/refcount.c:153 [inline]
      WARNING: CPU: 1 PID: 23129 at lib/refcount.c:153 refcount_inc_checked+0x61/0x70 lib/refcount.c:151
      Kernel panic - not syncing: panic_on_warn set ...
      CPU: 1 PID: 23129 Comm: syz-executor3 Not tainted 5.0.0-rc4+ #53
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
       panic+0x2cb/0x65c kernel/panic.c:214
       __warn.cold+0x20/0x48 kernel/panic.c:571
       report_bug+0x263/0x2b0 lib/bug.c:186
       fixup_bug arch/x86/kernel/traps.c:178 [inline]
       fixup_bug arch/x86/kernel/traps.c:173 [inline]
       do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
       do_invalid_op+0x37/0x50 arch/x86/kernel/traps.c:290
       invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
      RIP: 0010:refcount_inc_checked lib/refcount.c:153 [inline]
      RIP: 0010:refcount_inc_checked+0x61/0x70 lib/refcount.c:151
      Code: 1d 51 63 c8 06 31 ff 89 de e8 eb 1b f2 fd 84 db 75 dd e8 a2 1a f2 fd 48 c7 c7 60 9f 81 88 c6 05 31 63 c8 06 01 e8 af 65 bb fd <0f> 0b eb c1 90 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 54 49
      RSP: 0018:ffff8880a0cbf1e8 EFLAGS: 00010282
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90006113000
      RDX: 000000000001047d RSI: ffffffff81685776 RDI: 0000000000000005
      RBP: ffff8880a0cbf1f8 R08: ffff888097c9e100 R09: ffffed1015ce5021
      R10: ffffed1015ce5020 R11: ffff8880ae728107 R12: ffff8880723c20c0
      R13: ffff8880723c24b0 R14: dffffc0000000000 R15: ffffed1014197e64
       sock_hold include/net/sock.h:647 [inline]
       rds_sock_addref+0x19/0x20 net/rds/af_rds.c:675
       rds_find_bound+0x97c/0x1080 net/rds/bind.c:82
       rds_recv_incoming+0x3be/0x1430 net/rds/recv.c:362
       rds_loop_xmit+0xf3/0x2a0 net/rds/loop.c:96
       rds_send_xmit+0x1355/0x2a10 net/rds/send.c:355
       rds_sendmsg+0x323c/0x44e0 net/rds/send.c:1368
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg+0xdd/0x130 net/socket.c:631
       __sys_sendto+0x387/0x5f0 net/socket.c:1788
       __do_sys_sendto net/socket.c:1800 [inline]
       __se_sys_sendto net/socket.c:1796 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
       do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x458089
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc266df8c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000458089
      RDX: 0000000000000000 RSI: 00000000204b3fff RDI: 0000000000000005
      RBP: 000000000073bf00 R08: 00000000202b4000 R09: 0000000000000010
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fc266df96d4
      R13: 00000000004c56e4 R14: 00000000004d94a8 R15: 00000000ffffffff
      
      Fixes: cc4dfb7f ("rds: fix two RCU related problems")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
      Cc: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Cc: rds-devel@oss.oracle.com
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2f054c4
    • Florian Fainelli's avatar
      net: systemport: Fix WoL with password after deep sleep · 2c24ed77
      Florian Fainelli authored
      [ Upstream commit 8dfb8d2c ]
      
      Broadcom STB chips support a deep sleep mode where all register
      contents are lost. Because we were stashing the MagicPacket password
      into some of these registers a suspend into that deep sleep then a
      resumption would not lead to being able to wake-up from MagicPacket with
      password again.
      
      Fix this by keeping a software copy of the password and program it
      during suspend.
      
      Fixes: 83e82f4c ("net: systemport: add Wake-on-LAN support")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2c24ed77
    • Cong Wang's avatar
      net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames · b72ea6ec
      Cong Wang authored
      [ Upstream commit e8c8b53c ]
      
      When an ethernet frame is padded to meet the minimum ethernet frame
      size, the padding octets are not covered by the hardware checksum.
      Fortunately the padding octets are usually zero's, which don't affect
      checksum. However, we have a switch which pads non-zero octets, this
      causes kernel hardware checksum fault repeatedly.
      
      Prior to:
      commit '88078d98 ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE ...")'
      skb checksum was forced to be CHECKSUM_NONE when padding is detected.
      After it, we need to keep skb->csum updated, like what we do for RXFCS.
      However, fixing up CHECKSUM_COMPLETE requires to verify and parse IP
      headers, it is not worthy the effort as the packets are so small that
      CHECKSUM_COMPLETE can't save anything.
      
      Fixes: 88078d98 ("net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends"),
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Tariq Toukan <tariqt@mellanox.com>
      Cc: Nikola Ciprich <nikola.ciprich@linuxbox.cz>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b72ea6ec
    • Rundong Ge's avatar
      net: dsa: slave: Don't propagate flag changes on down slave interfaces · 8104a5e7
      Rundong Ge authored
      [ Upstream commit 17ab4f61 ]
      
      The unbalance of master's promiscuity or allmulti will happen after ifdown
      and ifup a slave interface which is in a bridge.
      
      When we ifdown a slave interface , both the 'dsa_slave_close' and
      'dsa_slave_change_rx_flags' will clear the master's flags. The flags
      of master will be decrease twice.
      In the other hand, if we ifup the slave interface again, since the
      slave's flags were cleared the 'dsa_slave_open' won't set the master's
      flag, only 'dsa_slave_change_rx_flags' that triggered by 'br_add_if'
      will set the master's flags. The flags of master is increase once.
      
      Only propagating flag changes when a slave interface is up makes
      sure this does not happen. The 'vlan_dev_change_rx_flags' had the
      same problem and was fixed, and changes here follows that fix.
      
      Fixes: 91da11f8 ("net: Distributed Switch Architecture protocol support")
      Signed-off-by: default avatarRundong Ge <rdong.ge@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8104a5e7
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Fix counting of ATU violations · 27a2fa00
      Andrew Lunn authored
      [ Upstream commit 75c05a74 ]
      
      The ATU port vector contains a bit per port of the switch. The code
      wrongly used it as a port number, and incremented a port counter. This
      resulted in the wrong interfaces counter being incremented, and
      potentially going off the end of the array of ports.
      
      Fix this by using the source port ID for the violation, which really
      is a port number.
      Reported-by: default avatarChris Healy <Chris.Healy@zii.aero>
      Tested-by: default avatarChris Healy <Chris.Healy@zii.aero>
      Fixes: 65f60e45 ("net: dsa: mv88e6xxx: Keep ATU/VTU violation statistics")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27a2fa00
    • Dan Carpenter's avatar
      net: dsa: Fix NULL checking in dsa_slave_set_eee() · c8dfab5c
      Dan Carpenter authored
      [ Upstream commit 00670cb8 ]
      
      This function can't succeed if dp->pl is NULL.  It will Oops inside the
      call to return phylink_ethtool_get_eee(dp->pl, e);
      
      Fixes: 1be52e97 ("dsa: slave: eee: Allow ports to use phylink")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: default avatarVivien Didelot <vivien.didelot@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8dfab5c
    • Marc Zyngier's avatar
      net: dsa: Fix lockdep false positive splat · 98cedccb
      Marc Zyngier authored
      [ Upstream commit c8101f77 ]
      
      Creating a macvtap on a DSA-backed interface results in the following
      splat when lockdep is enabled:
      
      [   19.638080] IPv6: ADDRCONF(NETDEV_CHANGE): lan0: link becomes ready
      [   23.041198] device lan0 entered promiscuous mode
      [   23.043445] device eth0 entered promiscuous mode
      [   23.049255]
      [   23.049557] ============================================
      [   23.055021] WARNING: possible recursive locking detected
      [   23.060490] 5.0.0-rc3-00013-g56c857a1b8d3 #118 Not tainted
      [   23.066132] --------------------------------------------
      [   23.071598] ip/2861 is trying to acquire lock:
      [   23.076171] 00000000f61990cb (_xmit_ETHER){+...}, at: dev_set_rx_mode+0x1c/0x38
      [   23.083693]
      [   23.083693] but task is already holding lock:
      [   23.089696] 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.096774]
      [   23.096774] other info that might help us debug this:
      [   23.103494]  Possible unsafe locking scenario:
      [   23.103494]
      [   23.109584]        CPU0
      [   23.112093]        ----
      [   23.114601]   lock(_xmit_ETHER);
      [   23.117917]   lock(_xmit_ETHER);
      [   23.121233]
      [   23.121233]  *** DEADLOCK ***
      [   23.121233]
      [   23.127325]  May be due to missing lock nesting notation
      [   23.127325]
      [   23.134315] 2 locks held by ip/2861:
      [   23.137987]  #0: 000000003b766c72 (rtnl_mutex){+.+.}, at: rtnetlink_rcv_msg+0x338/0x4e0
      [   23.146231]  #1: 00000000ecf0c3b4 (_xmit_ETHER){+...}, at: dev_uc_add+0x24/0x70
      [   23.153757]
      [   23.153757] stack backtrace:
      [   23.158243] CPU: 0 PID: 2861 Comm: ip Not tainted 5.0.0-rc3-00013-g56c857a1b8d3 #118
      [   23.166212] Hardware name: Globalscale Marvell ESPRESSOBin Board (DT)
      [   23.172843] Call trace:
      [   23.175358]  dump_backtrace+0x0/0x188
      [   23.179116]  show_stack+0x14/0x20
      [   23.182524]  dump_stack+0xb4/0xec
      [   23.185928]  __lock_acquire+0x123c/0x1860
      [   23.190048]  lock_acquire+0xc8/0x248
      [   23.193724]  _raw_spin_lock_bh+0x40/0x58
      [   23.197755]  dev_set_rx_mode+0x1c/0x38
      [   23.201607]  dev_set_promiscuity+0x3c/0x50
      [   23.205820]  dsa_slave_change_rx_flags+0x5c/0x70
      [   23.210567]  __dev_set_promiscuity+0x148/0x1e0
      [   23.215136]  __dev_set_rx_mode+0x74/0x98
      [   23.219167]  dev_uc_add+0x54/0x70
      [   23.222575]  macvlan_open+0x170/0x1d0
      [   23.226336]  __dev_open+0xe0/0x160
      [   23.229830]  __dev_change_flags+0x16c/0x1b8
      [   23.234132]  dev_change_flags+0x20/0x60
      [   23.238074]  do_setlink+0x2d0/0xc50
      [   23.241658]  __rtnl_newlink+0x5f8/0x6e8
      [   23.245601]  rtnl_newlink+0x50/0x78
      [   23.249184]  rtnetlink_rcv_msg+0x360/0x4e0
      [   23.253397]  netlink_rcv_skb+0xe8/0x130
      [   23.257338]  rtnetlink_rcv+0x14/0x20
      [   23.261012]  netlink_unicast+0x190/0x210
      [   23.265043]  netlink_sendmsg+0x288/0x350
      [   23.269075]  sock_sendmsg+0x18/0x30
      [   23.272659]  ___sys_sendmsg+0x29c/0x2c8
      [   23.276602]  __sys_sendmsg+0x60/0xb8
      [   23.280276]  __arm64_sys_sendmsg+0x1c/0x28
      [   23.284488]  el0_svc_common+0xd8/0x138
      [   23.288340]  el0_svc_handler+0x24/0x80
      [   23.292192]  el0_svc+0x8/0xc
      
      This looks fairly harmless (no actual deadlock occurs), and is
      fixed in a similar way to c6894dec ("bridge: fix lockdep
      addr_list_lock false positive splat") by putting the addr_list_lock
      in its own lockdep class.
      Signed-off-by: default avatarMarc Zyngier <marc.zyngier@arm.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      98cedccb
    • Sebastian Andrzej Siewior's avatar
      net: dp83640: expire old TX-skb · 8e1428c9
      Sebastian Andrzej Siewior authored
      [ Upstream commit 53bc8d2a ]
      
      During sendmsg() a cloned skb is saved via dp83640_txtstamp() in
      ->tx_queue. After the NIC sends this packet, the PHY will reply with a
      timestamp for that TX packet. If the cable is pulled at the right time I
      don't see that packet. It might gets flushed as part of queue shutdown
      on NIC's side.
      Once the link is up again then after the next sendmsg() we enqueue
      another skb in dp83640_txtstamp() and have two on the list. Then the PHY
      will send a reply and decode_txts() attaches it to the first skb on the
      list.
      No crash occurs since refcounting works but we are one packet behind.
      linuxptp/ptp4l usually closes the socket and opens a new one (in such a
      timeout case) so those "stale" replies never get there. However it does
      not resume normal operation anymore.
      
      Purge old skbs in decode_txts().
      
      Fixes: cb646e2b ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: Kurt Kanzenbach's avatarKurt Kanzenbach <kurt@linutronix.de>
      Acked-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e1428c9
    • Bart Van Assche's avatar
      lib/test_rhashtable: Make test_insert_dup() allocate its hash table dynamically · 81733c64
      Bart Van Assche authored
      [ Upstream commit fc42a689 ]
      
      The test_insert_dup() function from lib/test_rhashtable.c passes a
      pointer to a stack object to rhltable_init(). Allocate the hash table
      dynamically to avoid that the following is reported with object
      debugging enabled:
      
      ODEBUG: object (ptrval) is on stack (ptrval), but NOT annotated.
      WARNING: CPU: 0 PID: 1 at lib/debugobjects.c:368 __debug_object_init+0x312/0x480
      Modules linked in:
      EIP: __debug_object_init+0x312/0x480
      Call Trace:
       ? debug_object_init+0x1a/0x20
       ? __init_work+0x16/0x30
       ? rhashtable_init+0x1e1/0x460
       ? sched_clock_cpu+0x57/0xe0
       ? rhltable_init+0xb/0x20
       ? test_insert_dup+0x32/0x20f
       ? trace_hardirqs_on+0x38/0xf0
       ? ida_dump+0x10/0x10
       ? jhash+0x130/0x130
       ? my_hashfn+0x30/0x30
       ? test_rht_init+0x6aa/0xab4
       ? ida_dump+0x10/0x10
       ? test_rhltable+0xc5c/0xc5c
       ? do_one_initcall+0x67/0x28e
       ? trace_hardirqs_off+0x22/0xe0
       ? restore_all_kernel+0xf/0x70
       ? trace_hardirqs_on_thunk+0xc/0x10
       ? restore_all_kernel+0xf/0x70
       ? kernel_init_freeable+0x142/0x213
       ? rest_init+0x230/0x230
       ? kernel_init+0x10/0x110
       ? schedule_tail_wrapper+0x9/0xc
       ? ret_from_fork+0x19/0x24
      
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      81733c64
    • Govindarajulu Varadarajan's avatar
      enic: fix checksum validation for IPv6 · cedc42f5
      Govindarajulu Varadarajan authored
      [ Upstream commit 7596175e ]
      
      In case of IPv6 pkts, ipv4_csum_ok is 0. Because of this, driver does
      not set skb->ip_summed. So IPv6 rx checksum is not offloaded.
      Signed-off-by: default avatarGovindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cedc42f5
    • Eric Dumazet's avatar
      dccp: fool proof ccid_hc_[rt]x_parse_options() · 15ed55e3
      Eric Dumazet authored
      [ Upstream commit 9b1f19d8 ]
      
      Similarly to commit 276bdb82 ("dccp: check ccid before dereferencing")
      it is wise to test for a NULL ccid.
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.0.0-rc3+ #37
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
      RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
      Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
      kobject: 'loop5' (0000000080f78fc1): kobject_uevent_env
      RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
      RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
      RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
      R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
      R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f0defa33518 CR3: 000000008db5e000 CR4: 00000000001406e0
      kobject: 'loop5' (0000000080f78fc1): fill_kobj_path: path = '/devices/virtual/block/loop5'
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       dccp_rcv_state_process+0x2b6/0x1af6 net/dccp/input.c:654
       dccp_v4_do_rcv+0x100/0x190 net/dccp/ipv4.c:688
       sk_backlog_rcv include/net/sock.h:936 [inline]
       __sk_receive_skb+0x3a9/0xea0 net/core/sock.c:473
       dccp_v4_rcv+0x10cb/0x1f80 net/dccp/ipv4.c:880
       ip_protocol_deliver_rcu+0xb6/0xa20 net/ipv4/ip_input.c:208
       ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_local_deliver+0x1f0/0x740 net/ipv4/ip_input.c:255
       dst_input include/net/dst.h:450 [inline]
       ip_rcv_finish+0x1f4/0x2f0 net/ipv4/ip_input.c:414
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_rcv+0xed/0x620 net/ipv4/ip_input.c:524
       __netif_receive_skb_one_core+0x160/0x210 net/core/dev.c:4973
       __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5083
       process_backlog+0x206/0x750 net/core/dev.c:5923
       napi_poll net/core/dev.c:6346 [inline]
       net_rx_action+0x76d/0x1930 net/core/dev.c:6412
       __do_softirq+0x30b/0xb11 kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:654 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:646
       smpboot_thread_fn+0x6ab/0xa10 kernel/smpboot.c:164
       kthread+0x357/0x430 kernel/kthread.c:246
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      Modules linked in:
      ---[ end trace 58a0ba03bea2c376 ]---
      RIP: 0010:ccid_hc_tx_parse_options net/dccp/ccid.h:205 [inline]
      RIP: 0010:dccp_parse_options+0x8d9/0x12b0 net/dccp/options.c:233
      Code: c5 0f b6 75 b3 80 38 00 0f 85 d6 08 00 00 48 b9 00 00 00 00 00 fc ff df 48 8b 45 b8 4c 8b b8 f8 07 00 00 4c 89 f8 48 c1 e8 03 <80> 3c 08 00 0f 85 95 08 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b
      RSP: 0018:ffff8880a94df0b8 EFLAGS: 00010246
      RAX: 0000000000000000 RBX: ffff8880858ac723 RCX: dffffc0000000000
      RDX: 0000000000000100 RSI: 0000000000000007 RDI: 0000000000000001
      RBP: ffff8880a94df140 R08: 0000000000000001 R09: ffff888061b83a80
      R10: ffffed100c370752 R11: ffff888061b83a97 R12: 0000000000000026
      R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff8880ae700000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f0defa33518 CR3: 0000000009871000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15ed55e3
    • Eduardo Valentin's avatar
      thermal: hwmon: inline helpers when CONFIG_THERMAL_HWMON is not set · 56ea9164
      Eduardo Valentin authored
      commit 03334ba8 upstream.
      
      Avoid warnings like this:
      thermal_hwmon.h:29:1: warning: ‘thermal_remove_hwmon_sysfs’ defined but not used [-Wunused-function]
       thermal_remove_hwmon_sysfs(struct thermal_zone_device *tz)
      
      Fixes: 0dd88793 ("thermal: hwmon: move hwmon support to single file")
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarEduardo Valentin <edubezval@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56ea9164
    • Eric Sandeen's avatar
      xfs: fix inverted return from xfs_btree_sblock_verify_crc · 0c802cba
      Eric Sandeen authored
      commit 7d048df4 upstream.
      
      xfs_btree_sblock_verify_crc is a bool so should not be returning
      a failaddr_t; worse, if xfs_log_check_lsn fails it returns
      __this_address which looks like a boolean true (i.e. success)
      to the caller.
      
      (interestingly xfs_btree_lblock_verify_crc doesn't have the issue)
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: default avatarLuis Chamberlain <mcgrof@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0c802cba