1. 03 Sep, 2020 4 commits
    • Necip Fazil Yildiran's avatar
      net: qrtr: fix usage of idr in port assignment to socket · 8a794b35
      Necip Fazil Yildiran authored
      [ Upstream commit 8dfddfb7 ]
      
      Passing large uint32 sockaddr_qrtr.port numbers for port allocation
      triggers a warning within idr_alloc() since the port number is cast
      to int, and thus interpreted as a negative number. This leads to
      the rejection of such valid port numbers in qrtr_port_assign() as
      idr_alloc() fails.
      
      To avoid the problem, switch to idr_alloc_u32() instead.
      
      Fixes: bdabad3e ("net: Add Qualcomm IPC router")
      Reported-by: syzbot+f31428628ef672716ea8@syzkaller.appspotmail.com
      Signed-off-by: default avatarNecip Fazil Yildiran <necip@google.com>
      Reviewed-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a794b35
    • Miaohe Lin's avatar
      net: Fix potential wrong skb->protocol in skb_vlan_untag() · ad270a5a
      Miaohe Lin authored
      [ Upstream commit 55eff0eb ]
      
      We may access the two bytes after vlan_hdr in vlan_set_encap_proto(). So
      we should pull VLAN_HLEN + sizeof(unsigned short) in skb_vlan_untag() or
      we may access the wrong data.
      
      Fixes: 0d5501c1 ("net: Always untag vlan-tagged traffic on input.")
      Signed-off-by: default avatarMiaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ad270a5a
    • Mark Tomlinson's avatar
      gre6: Fix reception with IP6_TNL_F_RCV_DSCP_COPY · c3f242a6
      Mark Tomlinson authored
      [ Upstream commit 272502fc ]
      
      When receiving an IPv4 packet inside an IPv6 GRE packet, and the
      IP6_TNL_F_RCV_DSCP_COPY flag is set on the tunnel, the IPv4 header would
      get corrupted. This is due to the common ip6_tnl_rcv() function assuming
      that the inner header is always IPv6. This patch checks the tunnel
      protocol for IPv4 inner packets, but still defaults to IPv6.
      
      Fixes: 308edfdf ("gre6: Cleanup GREv6 receive path, call common GRE functions")
      Signed-off-by: default avatarMark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c3f242a6
    • Michael Ellerman's avatar
      powerpc/64s: Don't init FSCR_DSCR in __init_FSCR() · f81b1d34
      Michael Ellerman authored
      commit 0828137e upstream.
      
      __init_FSCR() was added originally in commit 2468dcf6 ("powerpc:
      Add support for context switching the TAR register") (Feb 2013), and
      only set FSCR_TAR.
      
      At that point FSCR (Facility Status and Control Register) was not
      context switched, so the setting was permanent after boot.
      
      Later we added initialisation of FSCR_DSCR to __init_FSCR(), in commit
      54c9b225 ("powerpc: Set DSCR bit in FSCR setup") (Mar 2013), again
      that was permanent after boot.
      
      Then commit 2517617e ("powerpc: Fix context switch DSCR on
      POWER8") (Aug 2013) added a limited context switch of FSCR, just the
      FSCR_DSCR bit was context switched based on thread.dscr_inherit. That
      commit said "This clears the H/FSCR DSCR bit initially", but it
      didn't, it left the initialisation of FSCR_DSCR in __init_FSCR().
      However the initial context switch from init_task to pid 1 would clear
      FSCR_DSCR because thread.dscr_inherit was 0.
      
      That commit also introduced the requirement that FSCR_DSCR be clear
      for user processes, so that we can take the facility unavailable
      interrupt in order to manage dscr_inherit.
      
      Then in commit 152d523e ("powerpc: Create context switch helpers
      save_sprs() and restore_sprs()") (Dec 2015) FSCR was added to
      thread_struct. However it still wasn't fully context switched, we just
      took the existing value and set FSCR_DSCR if the new thread had
      dscr_inherit set. FSCR was still initialised at boot to FSCR_DSCR |
      FSCR_TAR, but that value was not propagated into the thread_struct, so
      the initial context switch set FSCR_DSCR back to 0.
      
      Finally commit b57bd2de ("powerpc: Improve FSCR init and context
      switching") (Jun 2016) added a full context switch of the FSCR, and
      added an initialisation of init_task.thread.fscr to FSCR_TAR |
      FSCR_EBB, but omitted FSCR_DSCR.
      
      The end result is that swapper runs with FSCR_DSCR set because of the
      initialisation in __init_FSCR(), but no other processes do, they use
      the value from init_task.thread.fscr.
      
      Having FSCR_DSCR set for swapper allows it to access SPR 3 from
      userspace, but swapper never runs userspace, so it has no useful
      effect. It's also confusing to have the value initialised in two
      places to two different values.
      
      So remove FSCR_DSCR from __init_FSCR(), this at least gets us to the
      point where there's a single value of FSCR, even if it's still set in
      two places.
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Tested-by: default avatarAlistair Popple <alistair@popple.id.au>
      Link: https://lore.kernel.org/r/20200527145843.2761782-1-mpe@ellerman.id.au
      Cc: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f81b1d34
  2. 26 Aug, 2020 36 commits
    • Greg Kroah-Hartman's avatar
      f6d5cb9e
    • Will Deacon's avatar
      KVM: arm64: Only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is not set · 0f090712
      Will Deacon authored
      commit b5331379 upstream.
      
      When an MMU notifier call results in unmapping a range that spans multiple
      PGDs, we end up calling into cond_resched_lock() when crossing a PGD boundary,
      since this avoids running into RCU stalls during VM teardown. Unfortunately,
      if the VM is destroyed as a result of OOM, then blocking is not permitted
      and the call to the scheduler triggers the following BUG():
      
       | BUG: sleeping function called from invalid context at arch/arm64/kvm/mmu.c:394
       | in_atomic(): 1, irqs_disabled(): 0, non_block: 1, pid: 36, name: oom_reaper
       | INFO: lockdep is turned off.
       | CPU: 3 PID: 36 Comm: oom_reaper Not tainted 5.8.0 #1
       | Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
       | Call trace:
       |  dump_backtrace+0x0/0x284
       |  show_stack+0x1c/0x28
       |  dump_stack+0xf0/0x1a4
       |  ___might_sleep+0x2bc/0x2cc
       |  unmap_stage2_range+0x160/0x1ac
       |  kvm_unmap_hva_range+0x1a0/0x1c8
       |  kvm_mmu_notifier_invalidate_range_start+0x8c/0xf8
       |  __mmu_notifier_invalidate_range_start+0x218/0x31c
       |  mmu_notifier_invalidate_range_start_nonblock+0x78/0xb0
       |  __oom_reap_task_mm+0x128/0x268
       |  oom_reap_task+0xac/0x298
       |  oom_reaper+0x178/0x17c
       |  kthread+0x1e4/0x1fc
       |  ret_from_fork+0x10/0x30
      
      Use the new 'flags' argument to kvm_unmap_hva_range() to ensure that we
      only reschedule if MMU_NOTIFIER_RANGE_BLOCKABLE is set in the notifier
      flags.
      
      Cc: <stable@vger.kernel.org>
      Fixes: 8b3405e3 ("kvm: arm/arm64: Fix locking for kvm_free_stage2_pgd")
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Message-Id: <20200811102725.7121-3-will@kernel.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [will: Backport to 4.19; use 'blockable' instead of non-existent MMU_NOTIFIER_RANGE_BLOCKABLE flag]
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f090712
    • Will Deacon's avatar
      KVM: Pass MMU notifier range flags to kvm_unmap_hva_range() · a53dc164
      Will Deacon authored
      commit fdfe7cbd upstream.
      
      The 'flags' field of 'struct mmu_notifier_range' is used to indicate
      whether invalidate_range_{start,end}() are permitted to block. In the
      case of kvm_mmu_notifier_invalidate_range_start(), this field is not
      forwarded on to the architecture-specific implementation of
      kvm_unmap_hva_range() and therefore the backend cannot sensibly decide
      whether or not to block.
      
      Add an extra 'flags' parameter to kvm_unmap_hva_range() so that
      architectures are aware as to whether or not they are permitted to block.
      
      Cc: <stable@vger.kernel.org>
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Message-Id: <20200811102725.7121-2-will@kernel.org>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      [will: Backport to 4.19; use 'blockable' instead of non-existent range flags]
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a53dc164
    • Stephen Boyd's avatar
      clk: Evict unregistered clks from parent caches · 903c6bd9
      Stephen Boyd authored
      commit bdcf1dc2 upstream.
      
      We leave a dangling pointer in each clk_core::parents array that has an
      unregistered clk as a potential parent when that clk_core pointer is
      freed by clk{_hw}_unregister(). It is impossible for the true parent of
      a clk to be set with clk_set_parent() once the dangling pointer is left
      in the cache because we compare parent pointers in
      clk_fetch_parent_index() instead of checking for a matching clk name or
      clk_hw pointer.
      
      Before commit ede77858 ("clk: Remove global clk traversal on fetch
      parent index"), we would check clk_hw pointers, which has a higher
      chance of being the same between registration and unregistration, but it
      can still be allocated and freed by the clk provider. In fact, this has
      been a long standing problem since commit da0f0b2c ("clk: Correct
      lookup logic in clk_fetch_parent_index()") where we stopped trying to
      compare clk names and skipped over entries in the cache that weren't
      NULL.
      
      There are good (performance) reasons to not do the global tree lookup in
      cases where the cache holds dangling pointers to parents that have been
      unregistered. Let's take the performance hit on the uncommon
      registration path instead. Loop through all the clk_core::parents arrays
      when a clk is unregistered and set the entry to NULL when the parent
      cache entry and clk being unregistered are the same pointer. This will
      fix this problem and avoid the overhead for the "normal" case.
      
      Based on a patch by Bjorn Andersson.
      
      Fixes: da0f0b2c ("clk: Correct lookup logic in clk_fetch_parent_index()")
      Reviewed-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Tested-by: default avatarSai Prakash Ranjan <saiprakash.ranjan@codeaurora.org>
      Signed-off-by: default avatarStephen Boyd <sboyd@kernel.org>
      Link: https://lkml.kernel.org/r/20190828181959.204401-1-sboyd@kernel.orgTested-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      903c6bd9
    • Juergen Gross's avatar
      xen: don't reschedule in preemption off sections · da1754a2
      Juergen Gross authored
      For support of long running hypercalls xen_maybe_preempt_hcall() is
      calling cond_resched() in case a hypercall marked as preemptible has
      been interrupted.
      
      Normally this is no problem, as only hypercalls done via some ioctl()s
      are marked to be preemptible. In rare cases when during such a
      preemptible hypercall an interrupt occurs and any softirq action is
      started from irq_exit(), a further hypercall issued by the softirq
      handler will be regarded to be preemptible, too. This might lead to
      rescheduling in spite of the softirq handler potentially having set
      preempt_disable(), leading to splats like:
      
      BUG: sleeping function called from invalid context at drivers/xen/preempt.c:37
      in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 20775, name: xl
      INFO: lockdep is turned off.
      CPU: 1 PID: 20775 Comm: xl Tainted: G D W 5.4.46-1_prgmr_debug.el7.x86_64 #1
      Call Trace:
      <IRQ>
      dump_stack+0x8f/0xd0
      ___might_sleep.cold.76+0xb2/0x103
      xen_maybe_preempt_hcall+0x48/0x70
      xen_do_hypervisor_callback+0x37/0x40
      RIP: e030:xen_hypercall_xen_version+0xa/0x20
      Code: ...
      RSP: e02b:ffffc900400dcc30 EFLAGS: 00000246
      RAX: 000000000004000d RBX: 0000000000000200 RCX: ffffffff8100122a
      RDX: ffff88812e788000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffffffff83ee3ad0 R08: 0000000000000001 R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000246 R12: ffff8881824aa0b0
      R13: 0000000865496000 R14: 0000000865496000 R15: ffff88815d040000
      ? xen_hypercall_xen_version+0xa/0x20
      ? xen_force_evtchn_callback+0x9/0x10
      ? check_events+0x12/0x20
      ? xen_restore_fl_direct+0x1f/0x20
      ? _raw_spin_unlock_irqrestore+0x53/0x60
      ? debug_dma_sync_single_for_cpu+0x91/0xc0
      ? _raw_spin_unlock_irqrestore+0x53/0x60
      ? xen_swiotlb_sync_single_for_cpu+0x3d/0x140
      ? mlx4_en_process_rx_cq+0x6b6/0x1110 [mlx4_en]
      ? mlx4_en_poll_rx_cq+0x64/0x100 [mlx4_en]
      ? net_rx_action+0x151/0x4a0
      ? __do_softirq+0xed/0x55b
      ? irq_exit+0xea/0x100
      ? xen_evtchn_do_upcall+0x2c/0x40
      ? xen_do_hypervisor_callback+0x29/0x40
      </IRQ>
      ? xen_hypercall_domctl+0xa/0x20
      ? xen_hypercall_domctl+0x8/0x20
      ? privcmd_ioctl+0x221/0x990 [xen_privcmd]
      ? do_vfs_ioctl+0xa5/0x6f0
      ? ksys_ioctl+0x60/0x90
      ? trace_hardirqs_off_thunk+0x1a/0x20
      ? __x64_sys_ioctl+0x16/0x20
      ? do_syscall_64+0x62/0x250
      ? entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fix that by testing preempt_count() before calling cond_resched().
      
      In kernel 5.8 this can't happen any more due to the entry code rework
      (more than 100 patches, so not a candidate for backporting).
      
      The issue was introduced in kernel 4.3, so this patch should go into
      all stable kernels in [4.3 ... 5.7].
      Reported-by: default avatarSarah Newman <srn@prgmr.com>
      Fixes: 0fa2f5cb ("sched/preempt, xen: Use need_resched() instead of should_resched()")
      Cc: Sarah Newman <srn@prgmr.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Tested-by: default avatarChris Brannon <cmb@prgmr.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da1754a2
    • Peter Xu's avatar
      mm/hugetlb: fix calculation of adjust_range_if_pmd_sharing_possible · 734654ae
      Peter Xu authored
      commit 75802ca6 upstream.
      
      This is found by code observation only.
      
      Firstly, the worst case scenario should assume the whole range was covered
      by pmd sharing.  The old algorithm might not work as expected for ranges
      like (1g-2m, 1g+2m), where the adjusted range should be (0, 1g+2m) but the
      expected range should be (0, 2g).
      
      Since at it, remove the loop since it should not be required.  With that,
      the new code should be faster too when the invalidating range is huge.
      
      Mike said:
      
      : With range (1g-2m, 1g+2m) within a vma (0, 2g) the existing code will only
      : adjust to (0, 1g+2m) which is incorrect.
      :
      : We should cc stable.  The original reason for adjusting the range was to
      : prevent data corruption (getting wrong page).  Since the range is not
      : always adjusted correctly, the potential for corruption still exists.
      :
      : However, I am fairly confident that adjust_range_if_pmd_sharing_possible
      : is only gong to be called in two cases:
      :
      : 1) for a single page
      : 2) for range == entire vma
      :
      : In those cases, the current code should produce the correct results.
      :
      : To be safe, let's just cc stable.
      
      Fixes: 017b1660 ("mm: migration: fix migration of huge PMD shared pages")
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20200730201636.74778-1-peterx@redhat.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      734654ae
    • Al Viro's avatar
      do_epoll_ctl(): clean the failure exits up a bit · dcb6e6ef
      Al Viro authored
      commit 52c47969 upstream.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dcb6e6ef
    • Marc Zyngier's avatar
      epoll: Keep a reference on files added to the check list · 4957d564
      Marc Zyngier authored
      commit a9ed4a65 upstream.
      
      When adding a new fd to an epoll, and that this new fd is an
      epoll fd itself, we recursively scan the fds attached to it
      to detect cycles, and add non-epool files to a "check list"
      that gets subsequently parsed.
      
      However, this check list isn't completely safe when deletions
      can happen concurrently. To sidestep the issue, make sure that
      a struct file placed on the check list sees its f_count increased,
      ensuring that a concurrent deletion won't result in the file
      disapearing from under our feet.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4957d564
    • Li Heng's avatar
      efi: add missed destroy_workqueue when efisubsys_init fails · 2ff3c97b
      Li Heng authored
      commit 98086df8 upstream.
      
      destroy_workqueue() should be called to destroy efi_rts_wq
      when efisubsys_init() init resources fails.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarLi Heng <liheng40@huawei.com>
      Link: https://lore.kernel.org/r/1595229738-10087-1-git-send-email-liheng40@huawei.comSigned-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ff3c97b
    • Vasant Hegde's avatar
      powerpc/pseries: Do not initiate shutdown when system is running on UPS · fa80b284
      Vasant Hegde authored
      commit 90a9b102 upstream.
      
      As per PAPR we have to look for both EPOW sensor value and event
      modifier to identify the type of event and take appropriate action.
      
      In LoPAPR v1.1 section 10.2.2 includes table 136 "EPOW Action Codes":
      
        SYSTEM_SHUTDOWN 3
      
        The system must be shut down. An EPOW-aware OS logs the EPOW error
        log information, then schedules the system to be shut down to begin
        after an OS defined delay internal (default is 10 minutes.)
      
      Then in section 10.3.2.2.8 there is table 146 "Platform Event Log
      Format, Version 6, EPOW Section", which includes the "EPOW Event
      Modifier":
      
        For EPOW sensor value = 3
        0x01 = Normal system shutdown with no additional delay
        0x02 = Loss of utility power, system is running on UPS/Battery
        0x03 = Loss of system critical functions, system should be shutdown
        0x04 = Ambient temperature too high
        All other values = reserved
      
      We have a user space tool (rtas_errd) on LPAR to monitor for
      EPOW_SHUTDOWN_ON_UPS. Once it gets an event it initiates shutdown
      after predefined time. It also starts monitoring for any new EPOW
      events. If it receives "Power restored" event before predefined time
      it will cancel the shutdown. Otherwise after predefined time it will
      shutdown the system.
      
      Commit 79872e35 ("powerpc/pseries: All events of
      EPOW_SYSTEM_SHUTDOWN must initiate shutdown") changed our handling of
      the "on UPS/Battery" case, to immediately shutdown the system. This
      breaks existing setups that rely on the userspace tool to delay
      shutdown and let the system run on the UPS.
      
      Fixes: 79872e35 ("powerpc/pseries: All events of EPOW_SYSTEM_SHUTDOWN must initiate shutdown")
      Cc: stable@vger.kernel.org # v4.0+
      Signed-off-by: default avatarVasant Hegde <hegdevasant@linux.vnet.ibm.com>
      [mpe: Massage change log and add PAPR references]
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20200820061844.306460-1-hegdevasant@linux.vnet.ibm.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa80b284
    • Tom Rix's avatar
      net: dsa: b53: check for timeout · 405ef1b4
      Tom Rix authored
      [ Upstream commit 774d977a ]
      
      clang static analysis reports this problem
      
      b53_common.c:1583:13: warning: The left expression of the compound
        assignment is an uninitialized value. The computed value will
        also be garbage
              ent.port &= ~BIT(port);
              ~~~~~~~~ ^
      
      ent is set by a successful call to b53_arl_read().  Unsuccessful
      calls are caught by an switch statement handling specific returns.
      b32_arl_read() calls b53_arl_op_wait() which fails with the
      unhandled -ETIMEDOUT.
      
      So add -ETIMEDOUT to the switch statement.  Because
      b53_arl_op_wait() already prints out a message, do not add another
      one.
      
      Fixes: 1da6df85 ("net: dsa: b53: Implement ARL add/del/dump operations")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      405ef1b4
    • Haiyang Zhang's avatar
      hv_netvsc: Fix the queue_mapping in netvsc_vf_xmit() · 1bf1ca93
      Haiyang Zhang authored
      [ Upstream commit c3d897e0 ]
      
      netvsc_vf_xmit() / dev_queue_xmit() will call VF NIC’s ndo_select_queue
      or netdev_pick_tx() again. They will use skb_get_rx_queue() to get the
      queue number, so the “skb->queue_mapping - 1” will be used. This may
      cause the last queue of VF not been used.
      
      Use skb_record_rx_queue() here, so that the skb_get_rx_queue() called
      later will get the correct queue number, and VF will be able to use
      all queues.
      
      Fixes: b3bf5666 ("hv_netvsc: defer queue selection to VF")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1bf1ca93
    • Wang Hai's avatar
      net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() · 391d0ad1
      Wang Hai authored
      [ Upstream commit cf96d977 ]
      
      Replace alloc_etherdev_mq with devm_alloc_etherdev_mqs. In this way,
      when probe fails, netdev can be freed automatically.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      391d0ad1
    • Shay Agroskin's avatar
      net: ena: Prevent reset after device destruction · 676f44ce
      Shay Agroskin authored
      [ Upstream commit 63d4a4c1 ]
      
      The reset work is scheduled by the timer routine whenever it
      detects that a device reset is required (e.g. when a keep_alive signal
      is missing).
      When releasing device resources in ena_destroy_device() the driver
      cancels the scheduling of the timer routine without destroying the reset
      work explicitly.
      
      This creates the following bug:
          The driver is suspended and the ena_suspend() function is called
      	-> This function calls ena_destroy_device() to free the net device
      	   resources
      	    -> The driver waits for the timer routine to finish
      	    its execution and then cancels it, thus preventing from it
      	    to be called again.
      
          If, in its final execution, the timer routine schedules a reset,
          the reset routine might be called afterwards,and a redundant call to
          ena_restore_device() would be made.
      
      By changing the reset routine we allow it to read the device's state
      accurately.
      This is achieved by checking whether ENA_FLAG_TRIGGER_RESET flag is set
      before resetting the device and making both the destruction function and
      the flag check are under rtnl lock.
      The ENA_FLAG_TRIGGER_RESET is cleared at the end of the destruction
      routine. Also surround the flag check with 'likely' because
      we expect that the reset routine would be called only when
      ENA_FLAG_TRIGGER_RESET flag is set.
      
      The destruction of the timer and reset services in __ena_shutoff() have to
      stay, even though the timer routine is destroyed in ena_destroy_device().
      This is to avoid a case in which the reset routine is scheduled after
      free_netdev() in __ena_shutoff(), which would create an access to freed
      memory in adapter->flags.
      
      Fixes: 8c5c7abd ("net: ena: add power management ops to the ENA driver")
      Signed-off-by: default avatarShay Agroskin <shayagr@amazon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      676f44ce
    • Jiri Wiesner's avatar
      bonding: fix active-backup failover for current ARP slave · ae405ea9
      Jiri Wiesner authored
      [ Upstream commit 0410d071 ]
      
      When the ARP monitor is used for link detection, ARP replies are
      validated for all slaves (arp_validate=3) and fail_over_mac is set to
      active, two slaves of an active-backup bond may get stuck in a state
      where both of them are active and pass packets that they receive to
      the bond. This state makes IPv6 duplicate address detection fail. The
      state is reached thus:
      1. The current active slave goes down because the ARP target
         is not reachable.
      2. The current ARP slave is chosen and made active.
      3. A new slave is enslaved. This new slave becomes the current active
         slave and can reach the ARP target.
      As a result, the current ARP slave stays active after the enslave
      action has finished and the log is littered with "PROBE BAD" messages:
      > bond0: PROBE: c_arp ens10 && cas ens11 BAD
      The workaround is to remove the slave with "going back" status from
      the bond and re-enslave it. This issue was encountered when DPDK PMD
      interfaces were being enslaved to an active-backup bond.
      
      I would be possible to fix the issue in bond_enslave() or
      bond_change_active_slave() but the ARP monitor was fixed instead to
      keep most of the actions changing the current ARP slave in the ARP
      monitor code. The current ARP slave is set as inactive and backup
      during the commit phase. A new state, BOND_LINK_FAIL, has been
      introduced for slaves in the context of the ARP monitor. This allows
      administrators to see how slaves are rotated for sending ARP requests
      and attempts are made to find a new active slave.
      
      Fixes: b2220cad ("bonding: refactor ARP active-backup monitor")
      Signed-off-by: default avatarJiri Wiesner <jwiesner@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ae405ea9
    • David Howells's avatar
      afs: Fix NULL deref in afs_dynroot_depopulate() · d676b22e
      David Howells authored
      [ Upstream commit 5e0b17b0 ]
      
      If an error occurs during the construction of an afs superblock, it's
      possible that an error occurs after a superblock is created, but before
      we've created the root dentry.  If the superblock has a dynamic root
      (ie.  what's normally mounted on /afs), the afs_kill_super() will call
      afs_dynroot_depopulate() to unpin any created dentries - but this will
      oops if the root hasn't been created yet.
      
      Fix this by skipping that bit of code if there is no root dentry.
      
      This leads to an oops looking like:
      
      	general protection fault, ...
      	KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
      	...
      	RIP: 0010:afs_dynroot_depopulate+0x25f/0x529 fs/afs/dynroot.c:385
      	...
      	Call Trace:
      	 afs_kill_super+0x13b/0x180 fs/afs/super.c:535
      	 deactivate_locked_super+0x94/0x160 fs/super.c:335
      	 afs_get_tree+0x1124/0x1460 fs/afs/super.c:598
      	 vfs_get_tree+0x89/0x2f0 fs/super.c:1547
      	 do_new_mount fs/namespace.c:2875 [inline]
      	 path_mount+0x1387/0x2070 fs/namespace.c:3192
      	 do_mount fs/namespace.c:3205 [inline]
      	 __do_sys_mount fs/namespace.c:3413 [inline]
      	 __se_sys_mount fs/namespace.c:3390 [inline]
      	 __x64_sys_mount+0x27f/0x300 fs/namespace.c:3390
      	 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
      	 entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      which is oopsing on this line:
      
      	inode_lock(root->d_inode);
      
      presumably because sb->s_root was NULL.
      
      Fixes: 0da0b7fd ("afs: Display manually added cells in dynamic root mount")
      Reported-by: syzbot+c1eff8205244ae7e11a6@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d676b22e
    • Selvin Xavier's avatar
      RDMA/bnxt_re: Do not add user qps to flushlist · f0e3b33f
      Selvin Xavier authored
      [ Upstream commit a812f2d6 ]
      
      Driver shall add only the kernel qps to the flush list for clean up.
      During async error events from the HW, driver is adding qps to this list
      without checking if the qp is kernel qp or not.
      
      Add a check to avoid user qp addition to the flush list.
      
      Fixes: 942c9b6c ("RDMA/bnxt_re: Avoid Hard lockup during error CQE processing")
      Fixes: c50866e2 ("bnxt_re: fix the regression due to changes in alloc_pbl")
      Link: https://lore.kernel.org/r/1596689148-4023-1-git-send-email-selvin.xavier@broadcom.comSigned-off-by: default avatarSelvin Xavier <selvin.xavier@broadcom.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@nvidia.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f0e3b33f
    • Randy Dunlap's avatar
      Fix build error when CONFIG_ACPI is not set/enabled: · 32d8e2b4
      Randy Dunlap authored
      [ Upstream commit ee87e155 ]
      
      ../arch/x86/pci/xen.c: In function ‘pci_xen_init’:
      ../arch/x86/pci/xen.c:410:2: error: implicit declaration of function ‘acpi_noirq_set’; did you mean ‘acpi_irq_get’? [-Werror=implicit-function-declaration]
        acpi_noirq_set();
      
      Fixes: 88e9ca16 ("xen/pci: Use acpi_noirq_set() helper to avoid #ifdef")
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Bjorn Helgaas <bhelgaas@google.com>
      Cc: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Cc: xen-devel@lists.xenproject.org
      Cc: linux-pci@vger.kernel.org
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      32d8e2b4
    • Juergen Gross's avatar
      efi: avoid error message when booting under Xen · 1eb3a9ed
      Juergen Gross authored
      [ Upstream commit 6163a985 ]
      
      efifb_probe() will issue an error message in case the kernel is booted
      as Xen dom0 from UEFI as EFI_MEMMAP won't be set in this case. Avoid
      that message by calling efi_mem_desc_lookup() only if EFI_MEMMAP is set.
      
      Fixes: 38ac0287 ("fbdev/efifb: Honour UEFI memory map attributes when mapping the FB")
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Acked-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Acked-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1eb3a9ed
    • Masahiro Yamada's avatar
      kconfig: qconf: fix signal connection to invalid slots · a2152780
      Masahiro Yamada authored
      [ Upstream commit d85de339 ]
      
      If you right-click in the ConfigList window, you will see the following
      messages in the console:
      
      QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:888
      QObject::connect:  (sender name:   'config')
      QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:897
      QObject::connect:  (sender name:   'config')
      QObject::connect: No such slot QAction::setOn(bool) in scripts/kconfig/qconf.cc:906
      QObject::connect:  (sender name:   'config')
      
      Right, there is no such slot in QAction. I think this is a typo of
      setChecked.
      
      Due to this bug, when you toggled the menu "Option->Show Name/Range/Data"
      the state of the context menu was not previously updated. Fix this.
      
      Fixes: d5d973c3 ("Port xconfig to Qt5 - Put back some of the old implementation(part 2)")
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a2152780
    • Masahiro Yamada's avatar
      kconfig: qconf: do not limit the pop-up menu to the first row · f0a40332
      Masahiro Yamada authored
      [ Upstream commit fa8de0a3 ]
      
      If you right-click the first row in the option tree, the pop-up menu
      shows up, but if you right-click the second row or below, the event
      is ignored due to the following check:
      
        if (e->y() <= header()->geometry().bottom()) {
      
      Perhaps, the intention was to show the pop-menu only when the tree
      header was right-clicked, but this handler is not called in that case.
      
      Since the origin of e->y() starts from the bottom of the header,
      this check is odd.
      
      Going forward, you can right-click anywhere in the tree to get the
      pop-up menu.
      Signed-off-by: default avatarMasahiro Yamada <masahiroy@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f0a40332
    • Jim Mattson's avatar
      kvm: x86: Toggling CR4.PKE does not load PDPTEs in PAE mode · e9701d5d
      Jim Mattson authored
      [ Upstream commit cb957adb ]
      
      See the SDM, volume 3, section 4.4.1:
      
      If PAE paging would be in use following an execution of MOV to CR0 or
      MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
      CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
      the PDPTEs are loaded from the address in CR3.
      
      Fixes: b9baba86 ("KVM, pkeys: expose CPUID/CR4 to guest")
      Cc: Huaitong Han <huaitong.han@intel.com>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Reviewed-by: default avatarPeter Shier <pshier@google.com>
      Reviewed-by: default avatarOliver Upton <oupton@google.com>
      Message-Id: <20200817181655.3716509-1-jmattson@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e9701d5d
    • Jim Mattson's avatar
      kvm: x86: Toggling CR4.SMAP does not load PDPTEs in PAE mode · ec877b0e
      Jim Mattson authored
      [ Upstream commit 427890af ]
      
      See the SDM, volume 3, section 4.4.1:
      
      If PAE paging would be in use following an execution of MOV to CR0 or
      MOV to CR4 (see Section 4.1.1) and the instruction is modifying any of
      CR0.CD, CR0.NW, CR0.PG, CR4.PAE, CR4.PGE, CR4.PSE, or CR4.SMEP; then
      the PDPTEs are loaded from the address in CR3.
      
      Fixes: 0be0226f ("KVM: MMU: fix SMAP virtualization")
      Cc: Xiao Guangrong <guangrong.xiao@linux.intel.com>
      Signed-off-by: default avatarJim Mattson <jmattson@google.com>
      Reviewed-by: default avatarPeter Shier <pshier@google.com>
      Reviewed-by: default avatarOliver Upton <oupton@google.com>
      Message-Id: <20200817181655.3716509-2-jmattson@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ec877b0e
    • Alex Williamson's avatar
      vfio/type1: Add proper error unwind for vfio_iommu_replay() · d200964e
      Alex Williamson authored
      [ Upstream commit aae7a75a ]
      
      The vfio_iommu_replay() function does not currently unwind on error,
      yet it does pin pages, perform IOMMU mapping, and modify the vfio_dma
      structure to indicate IOMMU mapping.  The IOMMU mappings are torn down
      when the domain is destroyed, but the other actions go on to cause
      trouble later.  For example, the iommu->domain_list can be empty if we
      only have a non-IOMMU backed mdev attached.  We don't currently check
      if the list is empty before getting the first entry in the list, which
      leads to a bogus domain pointer.  If a vfio_dma entry is erroneously
      marked as iommu_mapped, we'll attempt to use that bogus pointer to
      retrieve the existing physical page addresses.
      
      This is the scenario that uncovered this issue, attempting to hot-add
      a vfio-pci device to a container with an existing mdev device and DMA
      mappings, one of which could not be pinned, causing a failure adding
      the new group to the existing container and setting the conditions
      for a subsequent attempt to explode.
      
      To resolve this, we can first check if the domain_list is empty so
      that we can reject replay of a bogus domain, should we ever encounter
      this inconsistent state again in the future.  The real fix though is
      to add the necessary unwind support, which means cleaning up the
      current pinning if an IOMMU mapping fails, then walking back through
      the r-b tree of DMA entries, reading from the IOMMU which ranges are
      mapped, and unmapping and unpinning those ranges.  To be able to do
      this, we also defer marking the DMA entry as IOMMU mapped until all
      entries are processed, in order to allow the unwind to know the
      disposition of each entry.
      
      Fixes: a54eb550 ("vfio iommu type1: Add support for mediated devices")
      Reported-by: default avatarZhiyi Guo <zhguo@redhat.com>
      Tested-by: default avatarZhiyi Guo <zhguo@redhat.com>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d200964e
    • Dinghao Liu's avatar
      ASoC: intel: Fix memleak in sst_media_open · 6b2dd0c0
      Dinghao Liu authored
      [ Upstream commit 062fa09f ]
      
      When power_up_sst() fails, stream needs to be freed
      just like when try_module_get() fails. However, current
      code is returning directly and ends up leaking memory.
      
      Fixes: 0121327c ("ASoC: Intel: mfld-pcm: add control for powering up/down dsp")
      Signed-off-by: default avatarDinghao Liu <dinghao.liu@zju.edu.cn>
      Acked-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://lore.kernel.org/r/20200813084112.26205-1-dinghao.liu@zju.edu.cnSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6b2dd0c0
    • Srinivas Kandagatla's avatar
      ASoC: msm8916-wcd-analog: fix register Interrupt offset · bd79b3b9
      Srinivas Kandagatla authored
      [ Upstream commit ff69c97e ]
      
      For some reason interrupt set and clear register offsets are
      not set correctly.
      This patch corrects them!
      
      Fixes: 585e881e ("ASoC: codecs: Add msm8916-wcd analog codec")
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Tested-by: default avatarStephan Gerhold <stephan@gerhold.net>
      Reviewed-by: default avatarStephan Gerhold <stephan@gerhold.net>
      Link: https://lore.kernel.org/r/20200811103452.20448-1-srinivas.kandagatla@linaro.orgSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bd79b3b9
    • Heiko Carstens's avatar
      s390/ptrace: fix storage key handling · c5599b90
      Heiko Carstens authored
      [ Upstream commit fd78c594 ]
      
      The key member of the runtime instrumentation control block contains
      only the access key, not the complete storage key. Therefore the value
      must be shifted by four bits. Since existing user space does not
      necessarily query and set the access key correctly, just ignore the
      user space provided key and use the correct one.
      Note: this is only relevant for debugging purposes in case somebody
      compiles a kernel with a default storage access key set to a value not
      equal to zero.
      
      Fixes: 262832bc ("s390/ptrace: add runtime instrumention register get/set")
      Reported-by: default avatarClaudio Imbrenda <imbrenda@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c5599b90
    • Heiko Carstens's avatar
      s390/runtime_instrumentation: fix storage key handling · 5a5120b1
      Heiko Carstens authored
      [ Upstream commit 9eaba29c ]
      
      The key member of the runtime instrumentation control block contains
      only the access key, not the complete storage key. Therefore the value
      must be shifted by four bits.
      Note: this is only relevant for debugging purposes in case somebody
      compiles a kernel with a default storage access key set to a value not
      equal to zero.
      
      Fixes: e4b8b3f3 ("s390: add support for runtime instrumentation")
      Reported-by: default avatarClaudio Imbrenda <imbrenda@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5a5120b1
    • Cong Wang's avatar
      bonding: fix a potential double-unregister · 8dcf1889
      Cong Wang authored
      [ Upstream commit 83270702 ]
      
      When we tear down a network namespace, we unregister all
      the netdevices within it. So we may queue a slave device
      and a bonding device together in the same unregister queue.
      
      If the only slave device is non-ethernet, it would
      automatically unregister the bonding device as well. Thus,
      we may end up unregistering the bonding device twice.
      
      Workaround this special case by checking reg_state.
      
      Fixes: 9b5e383c ("net: Introduce unregister_netdevice_many()")
      Reported-by: syzbot+af23e7f3e0a7e10c8b67@syzkaller.appspotmail.com
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8dcf1889
    • Jarod Wilson's avatar
      bonding: show saner speed for broadcast mode · a74506f2
      Jarod Wilson authored
      [ Upstream commit 4ca0d9ac ]
      
      Broadcast mode bonds transmit a copy of all traffic simultaneously out of
      all interfaces, so the "speed" of the bond isn't really the aggregate of
      all interfaces, but rather, the speed of the slowest active interface.
      
      Also, the type of the speed field is u32, not unsigned long, so adjust
      that accordingly, as required to make min() function here without
      complaining about mismatching types.
      
      Fixes: bb5b052f ("bond: add support to read speed and duplex via ethtool")
      CC: Jay Vosburgh <j.vosburgh@gmail.com>
      CC: Veaceslav Falico <vfalico@gmail.com>
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netdev@vger.kernel.org
      Acked-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a74506f2
    • Fugang Duan's avatar
      net: fec: correct the error path for regulator disable in probe · 99728347
      Fugang Duan authored
      [ Upstream commit c6165cf0 ]
      
      Correct the error path for regulator disable.
      
      Fixes: 9269e556 ("net: fec: add phy-reset-gpios PROBE_DEFER check")
      Signed-off-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      99728347
    • Grzegorz Szczurek's avatar
      i40e: Fix crash during removing i40e driver · 46858b2f
      Grzegorz Szczurek authored
      [ Upstream commit 5b6d4a7f ]
      
      Fix the reason of crashing system by add waiting time to finish reset
      recovery process before starting remove driver procedure.
      Now VSI is releasing if VSI is not in reset recovery mode.
      Without this fix it was possible to start remove driver if other
      processing command need reset recovery procedure which resulted in
      null pointer dereference. VSI used by the ethtool process has been
      cleared by remove driver process.
      
      [ 6731.508665] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [ 6731.508668] #PF: supervisor read access in kernel mode
      [ 6731.508670] #PF: error_code(0x0000) - not-present page
      [ 6731.508671] PGD 0 P4D 0
      [ 6731.508674] Oops: 0000 [#1] SMP PTI
      [ 6731.508679] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0021.032120170601 03/21/2017
      [ 6731.508694] RIP: 0010:i40e_down+0x252/0x310 [i40e]
      [ 6731.508696] Code: c7 78 de fa c0 e8 61 02 3a c1 66 83 bb f6 0c 00 00 00 0f 84 bf 00 00 00 45 31 e4 45 31 ff eb 03 41 89 c7 48 8b 83 98 0c 00 00 <4a> 8b 3c 20 e8 a5 79 02 00 48 83 bb d0 0c 00 00 00 74 10 48 8b 83
      [ 6731.508698] RSP: 0018:ffffb75ac7b3faf0 EFLAGS: 00010246
      [ 6731.508700] RAX: 0000000000000000 RBX: ffff9c9874bd5000 RCX: 0000000000000007
      [ 6731.508701] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff9c987f4d9780
      [ 6731.508703] RBP: ffffb75ac7b3fb30 R08: 0000000000005b60 R09: 0000000000000004
      [ 6731.508704] R10: ffffb75ac64fbd90 R11: 0000000000000001 R12: 0000000000000000
      [ 6731.508706] R13: ffff9c97a08e0000 R14: ffff9c97a08e0a68 R15: 0000000000000000
      [ 6731.508708] FS:  00007f2617cd2740(0000) GS:ffff9c987f4c0000(0000) knlGS:0000000000000000
      [ 6731.508710] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 6731.508711] CR2: 0000000000000000 CR3: 0000001e765c4006 CR4: 00000000003606e0
      [ 6731.508713] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 6731.508714] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 6731.508715] Call Trace:
      [ 6731.508734]  i40e_vsi_close+0x84/0x90 [i40e]
      [ 6731.508742]  i40e_quiesce_vsi.part.98+0x3c/0x40 [i40e]
      [ 6731.508749]  i40e_pf_quiesce_all_vsi+0x55/0x60 [i40e]
      [ 6731.508757]  i40e_prep_for_reset+0x59/0x130 [i40e]
      [ 6731.508765]  i40e_reconfig_rss_queues+0x5a/0x120 [i40e]
      [ 6731.508774]  i40e_set_channels+0xda/0x170 [i40e]
      [ 6731.508778]  ethtool_set_channels+0xe9/0x150
      [ 6731.508781]  dev_ethtool+0x1b94/0x2920
      [ 6731.508805]  dev_ioctl+0xc2/0x590
      [ 6731.508811]  sock_do_ioctl+0xae/0x150
      [ 6731.508813]  sock_ioctl+0x34f/0x3c0
      [ 6731.508821]  ksys_ioctl+0x98/0xb0
      [ 6731.508828]  __x64_sys_ioctl+0x1a/0x20
      [ 6731.508831]  do_syscall_64+0x57/0x1c0
      [ 6731.508835]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 4b816446 ("i40e: Add common function for finding VSI by type")
      Signed-off-by: default avatarGrzegorz Szczurek <grzegorzx.szczurek@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      46858b2f
    • Przemyslaw Patynowski's avatar
      i40e: Set RX_ONLY mode for unicast promiscuous on VLAN · 04efb368
      Przemyslaw Patynowski authored
      [ Upstream commit 4bd5e02a ]
      
      Trusted VF with unicast promiscuous mode set, could listen to TX
      traffic of other VFs.
      Set unicast promiscuous mode to RX traffic, if VSI has port VLAN
      configured. Rename misleading I40E_AQC_SET_VSI_PROMISC_TX bit to
      I40E_AQC_SET_VSI_PROMISC_RX_ONLY. Aligned unicast promiscuous with
      VLAN to the one without VLAN.
      
      Fixes: 6c41a760 ("i40e: Add promiscuous on VLAN support")
      Fixes: 3b120089 ("i40e: When in promisc mode apply promisc mode to Tx Traffic as well")
      Signed-off-by: default avatarPrzemyslaw Patynowski <przemyslawx.patynowski@intel.com>
      Signed-off-by: default avatarAleksandr Loktionov <aleksandr.loktionov@intel.com>
      Signed-off-by: default avatarArkadiusz Kubalewski <arkadiusz.kubalewski@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarTony Nguyen <anthony.l.nguyen@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      04efb368
    • Srinivas Kandagatla's avatar
      ASoC: q6routing: add dummy register read/write function · b9d4cab6
      Srinivas Kandagatla authored
      [ Upstream commit 796a58fe ]
      
      Most of the DAPM widgets for DSP ASoC components reuse reg field
      of the widgets for its internal calculations, however these are not
      real registers. So read/writes to these numbers are not really
      valid. However ASoC core will read these registers to get default
      state during startup.
      
      With recent changes to ASoC core, every register read/write
      failures are reported very verbosely. Prior to this fails to reads
      are totally ignored, so we never saw any error messages.
      
      To fix this add dummy read/write function to return default value.
      
      Fixes: e3a33673 ("ASoC: qdsp6: q6routing: Add q6routing driver")
      Reported-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Link: https://lore.kernel.org/r/20200811120205.21805-2-srinivas.kandagatla@linaro.orgSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b9d4cab6
    • Jan Kara's avatar
      ext4: don't allow overlapping system zones · 1373f884
      Jan Kara authored
      [ Upstream commit bf9a379d ]
      
      Currently, add_system_zone() just silently merges two added system zones
      that overlap. However the overlap should not happen and it generally
      suggests that some unrelated metadata overlap which indicates the fs is
      corrupted. We should have caught such problems earlier (e.g. in
      ext4_check_descriptors()) but add this check as another line of defense.
      In later patch we also use this for stricter checking of journal inode
      extent tree.
      Reviewed-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20200728130437.7804-3-jack@suse.czSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1373f884
    • Eric Sandeen's avatar
      ext4: fix potential negative array index in do_split() · b3ddf6ba
      Eric Sandeen authored
      [ Upstream commit 5872331b ]
      
      If for any reason a directory passed to do_split() does not have enough
      active entries to exceed half the size of the block, we can end up
      iterating over all "count" entries without finding a split point.
      
      In this case, count == move, and split will be zero, and we will
      attempt a negative index into map[].
      
      Guard against this by detecting this case, and falling back to
      split-to-half-of-count instead; in this case we will still have
      plenty of space (> half blocksize) in each split block.
      
      Fixes: ef2b02d3 ("ext34: ensure do_split leaves enough free space in both blocks")
      Signed-off-by: default avatarEric Sandeen <sandeen@redhat.com>
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/f53e246b-647c-64bb-16ec-135383c70ad7@redhat.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b3ddf6ba