1. 07 Sep, 2020 1 commit
    • Hoang Huu Le's avatar
      tipc: fix a deadlock when flushing scheduled work · d966ddcc
      Hoang Huu Le authored
      In the commit fdeba99b
      ("tipc: fix use-after-free in tipc_bcast_get_mode"), we're trying
      to make sure the tipc_net_finalize_work work item finished if it
      enqueued. But calling flush_scheduled_work() is not just affecting
      above work item but either any scheduled work. This has turned out
      to be overkill and caused to deadlock as syzbot reported:
      
      ======================================================
      WARNING: possible circular locking dependency detected
      5.9.0-rc2-next-20200828-syzkaller #0 Not tainted
      ------------------------------------------------------
      kworker/u4:6/349 is trying to acquire lock:
      ffff8880aa063d38 ((wq_completion)events){+.+.}-{0:0}, at: flush_workqueue+0xe1/0x13e0 kernel/workqueue.c:2777
      
      but task is already holding lock:
      ffffffff8a879430 (pernet_ops_rwsem){++++}-{3:3}, at: cleanup_net+0x9b/0xb10 net/core/net_namespace.c:565
      
      [...]
       Possible unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        lock(pernet_ops_rwsem);
                                     lock(&sb->s_type->i_mutex_key#13);
                                     lock(pernet_ops_rwsem);
        lock((wq_completion)events);
      
       *** DEADLOCK ***
      [...]
      
      v1:
      To fix the original issue, we replace above calling by introducing
      a bit flag. When a namespace cleaned-up, bit flag is set to zero and:
      - tipc_net_finalize functionial just does return immediately.
      - tipc_net_finalize_work does not enqueue into the scheduled work queue.
      
      v2:
      Use cancel_work_sync() helper to make sure ONLY the
      tipc_net_finalize_work() stopped before releasing bcbase object.
      
      Reported-by: syzbot+d5aa7e0385f6a5d0f4fd@syzkaller.appspotmail.com
      Fixes: fdeba99b ("tipc: fix use-after-free in tipc_bcast_get_mode")
      Acked-by: default avatarJon Maloy <jmaloy@redhat.com>
      Signed-off-by: default avatarHoang Huu Le <hoang.h.le@dektech.com.au>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d966ddcc
  2. 06 Sep, 2020 5 commits
    • Christophe JAILLET's avatar
      enic: switch from 'pci_' to 'dma_' API · 02a20d4f
      Christophe JAILLET authored
      The wrappers in include/linux/pci-dma-compat.h should go away.
      
      The patch has been generated with the coccinelle script below and has been
      hand modified to replace GFP_ with a correct flag.
      It has been compile tested.
      
      When memory is allocated in 'vnic_dev_classifier()', 'vnic_dev_fw_info()',
      'vnic_dev_notify_set()' and 'vnic_dev_stats_dump()' (vnic_dev.c) GFP_ATOMIC
      must be used because its callers take a spinlock before calling these
      functions.
      
      When memory is allocated in '__enic_set_rsskey()' and 'enic_set_rsscpu()'
      GFP_ATOMIC must be used because they can be called with a spinlock.
      The call chain is:
        enic_reset                         <-- takes 'enic->enic_api_lock'
          --> enic_set_rss_nic_cfg
            --> enic_set_rsskey
              --> __enic_set_rsskey        <-- uses dma_alloc_coherent
            --> enic_set_rsscpu            <-- uses dma_alloc_coherent
      
      When memory is allocated in 'vnic_dev_init_prov2()' GFP_ATOMIC must be used
      because a spinlock is hidden in the ENIC_DEVCMD_PROXY_BY_INDEX macro, when
      this function is called in 'enic_set_port_profile()'.
      
      When memory is allocated in 'vnic_dev_alloc_desc_ring()' GFP_KERNEL can be
      used because it is only called from 5 functions ('vnic_dev_init_devcmd2()',
      'vnic_cq_alloc()', 'vnic_rq_alloc()', 'vnic_wq_alloc()' and
      'enic_wq_devcmd2_alloc()'.
      
        'vnic_dev_init_devcmd2()': already uses GFP_KERNEL and no lock is taken
           in the between.
        'enic_wq_devcmd2_alloc()': is called from ' vnic_dev_init_devcmd2()'
           which already uses GFP_KERNEL and no lock is taken in the between.
        'vnic_cq_alloc()', 'vnic_rq_alloc()', 'vnic_wq_alloc()': are called
           from 'enic_alloc_vnic_resources()'
      'enic_alloc_vnic_resources()' has only 2 call chains:
      
        1) enic_probe
            --> enic_dev_init
              --> enic_alloc_vnic_resources
      'enic_probe()' is a probe function and no lock is taken in the between
      
        2) enic_set_ringparam
            --> enic_alloc_vnic_resources
      'enic_set_ringparam()' is a .set_ringparam function (see struct
      ethtool_ops). It seems to only take a mutex and no spinlock.
      
      So all paths are safe to use GFP_KERNEL.
      
      @@
      @@
      -    PCI_DMA_BIDIRECTIONAL
      +    DMA_BIDIRECTIONAL
      
      @@
      @@
      -    PCI_DMA_TODEVICE
      +    DMA_TO_DEVICE
      
      @@
      @@
      -    PCI_DMA_FROMDEVICE
      +    DMA_FROM_DEVICE
      
      @@
      @@
      -    PCI_DMA_NONE
      +    DMA_NONE
      
      @@
      expression e1, e2, e3;
      @@
      -    pci_alloc_consistent(e1, e2, e3)
      +    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
      
      @@
      expression e1, e2, e3;
      @@
      -    pci_zalloc_consistent(e1, e2, e3)
      +    dma_alloc_coherent(&e1->dev, e2, e3, GFP_)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_free_consistent(e1, e2, e3, e4)
      +    dma_free_coherent(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_map_single(e1, e2, e3, e4)
      +    dma_map_single(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_unmap_single(e1, e2, e3, e4)
      +    dma_unmap_single(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4, e5;
      @@
      -    pci_map_page(e1, e2, e3, e4, e5)
      +    dma_map_page(&e1->dev, e2, e3, e4, e5)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_unmap_page(e1, e2, e3, e4)
      +    dma_unmap_page(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_map_sg(e1, e2, e3, e4)
      +    dma_map_sg(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_unmap_sg(e1, e2, e3, e4)
      +    dma_unmap_sg(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_dma_sync_single_for_cpu(e1, e2, e3, e4)
      +    dma_sync_single_for_cpu(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_dma_sync_single_for_device(e1, e2, e3, e4)
      +    dma_sync_single_for_device(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_dma_sync_sg_for_cpu(e1, e2, e3, e4)
      +    dma_sync_sg_for_cpu(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2, e3, e4;
      @@
      -    pci_dma_sync_sg_for_device(e1, e2, e3, e4)
      +    dma_sync_sg_for_device(&e1->dev, e2, e3, e4)
      
      @@
      expression e1, e2;
      @@
      -    pci_dma_mapping_error(e1, e2)
      +    dma_mapping_error(&e1->dev, e2)
      
      @@
      expression e1, e2;
      @@
      -    pci_set_dma_mask(e1, e2)
      +    dma_set_mask(&e1->dev, e2)
      
      @@
      expression e1, e2;
      @@
      -    pci_set_consistent_dma_mask(e1, e2)
      +    dma_set_coherent_mask(&e1->dev, e2)
      Signed-off-by: default avatarChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      02a20d4f
    • Linus Walleij's avatar
      net: gemini: Clean up phy registration · 3e813d61
      Linus Walleij authored
      It's nice if the phy is online before we register the netdev
      so try to do that first.
      
      Stop trying to do "second tried" to register the phy, it
      works perfectly fine the first time.
      
      Stop remvoving the phy in uninit. Remove it when the
      driver is remove():d, symmetric to where it is added, in
      probe().
      Suggested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reported-by: default avatarDavid Miller <davem@davemloft.net>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      3e813d61
    • Jonathan Neuschäfer's avatar
      ee1a4c84
    • Linus Walleij's avatar
      net: dsa: rtl8366rb: Support setting MTU · 5f4a8ef3
      Linus Walleij authored
      This implements the missing MTU setting for the RTL8366RB
      switch.
      
      Apart from supporting jumboframes, this rids us of annoying
      boot messages like this:
      realtek-smi switch: nonfatal error -95 setting MTU on port 0
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5f4a8ef3
    • Wang Hai's avatar
      net/packet: Remove unused macro BLOCK_PRIV · 383e3f3e
      Wang Hai authored
      BLOCK_PRIV is never used after it was introduced.
      So better to remove it.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      383e3f3e
  3. 05 Sep, 2020 14 commits
  4. 04 Sep, 2020 20 commits
    • Linus Torvalds's avatar
      Merge tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux · c70672d8
      Linus Torvalds authored
      Pull s390 fixes from Vasily Gorbik:
      
       - Fix GENERIC_LOCKBREAK dependency on PREEMPTION in Kconfig broken
         because of a typo
      
       - Update defconfigs
      
      * tag 's390-5.9-5' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
        s390: update defconfigs
        s390: fix GENERIC_LOCKBREAK dependency typo in Kconfig
      c70672d8
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 09274aed
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Fix the loading of modules built with binutils-2.35. This version
         produces writable and executable .text.ftrace_trampoline section
         which is rejected by the kernel.
      
       - Remove the exporting of cpu_logical_map() as the Tegra driver has now
         been fixed and no longer uses this function.
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64/module: set trampoline section flags regardless of CONFIG_DYNAMIC_FTRACE
        arm64: Remove exporting cpu_logical_map symbol
      09274aed
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 16bf121b
      Linus Torvalds authored
      Pull MIPS fixes from Thomas Bogendoerfer:
       "A few MIPS fixes:
      
         - fallthrough fallout fix
      
         - BMIPS fixes
      
         - MSA fix to avoid leaking MSA register contents
      
         - Loongson perf and cpu feature fix
      
         - SNI interrupt fix"
      
      * tag 'mips_fixes_5.9_1' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: SNI: Fix SCSI interrupt
        MIPS: add missing MSACSR and upper MSA initialization
        MIPS: perf: Fix wrong check condition of Loongson event IDs
        mips/oprofile: Fix fallthrough placement
        MIPS: Loongson64: Remove unnecessary inclusion of boot_param.h
        MIPS: BMIPS: Also call bmips_cpu_setup() for secondary cores
        MIPS: mm: BMIPS5000 has inclusive physical caches
        MIPS: Loongson64: Do not override watch and ejtag feature
      16bf121b
    • Linus Torvalds's avatar
      Merge tag 'kbuild-fixes-v5.9-2' of... · 41bef91c
      Linus Torvalds authored
      Merge tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
      
      Pull Kbuild fixes from Masahiro Yamada:
      
       - fix documents
      
       - fix warning in 'make localmodconfig'
      
      * tag 'kbuild-fixes-v5.9-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kconfig: remove redundant assignment prompt = prompt
        kbuild: Documentation: clean up makefiles.rst
        kconfig: streamline_config.pl: check defined(ENV variable) before using it
        Documentation/llvm: Improve formatting of commands, variables, and arguments
      41bef91c
    • Linus Torvalds's avatar
      Merge tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · f162626a
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix reference counting in the operating performance points (OPP)
        framework and address a few intel_pstate driver issues, mostly related
        to switching driver operation modes and similar with hardware-managed
        P-states (HWP) enabled.
      
        Specifics:
      
         - Fix reference counting of operating performance points (OPP) tables
           (Viresh Kumar).
      
         - Address intel_pstate driver interface issues, mostly related to
           switching operation modes and handling CPU offline and online and
           system-wide suspend/resume with hardware-managed P-states (HWP)
           enabled (Rafael Wysocki).
      
         - Fix the maximum frequency computation in the intel_pstate driver
           with turbo P-states disabled by the platform firmware and HWP
           enabled (Francisco Jerez)"
      
      * tag 'pm-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
        opp: Don't drop reference for an OPP table that was never parsed
      f162626a
    • Linus Torvalds's avatar
      Merge tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d824e080
      Linus Torvalds authored
      Pull libata fixes from Jens Axboe:
      
       - improve Sandisks ATA_HORKAGE on NCQ (Tejun)
      
       - link printk cleanup (Xu)
      
      * tag 'libata-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        libata: implement ATA_HORKAGE_MAX_TRIM_128M and apply to Sandisks
        ata: ahci: use ata_link_info() instead of ata_link_printk()
      d824e080
    • Linus Torvalds's avatar
      Merge tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block · 8075fc3b
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A bit larger than usual this week, mostly due to the NVMe fixes
        arriving late for -rc3 and hence didn't make last weeks pull request.
      
         - NVMe:
              - instance leak and io boundary fixes from Keith
              - fc locking fix from Christophe
              - various tcp/rdma reset during traffic fixes from Sagi
              - pci use-after-free fix from Tong
              - tcp target null deref fix from Ziye
      
         - Locking fix for partition removal (Christoph)
      
         - Ensure bdi->io_pages is always set (me)
      
         - Fixup for hd struct reference (Ming)
      
         - Fix for zero length bvecs (Ming)
      
         - Two small blk-iocost fixes (Tejun)"
      
      * tag 'block-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        block: allow for_each_bvec to support zero len bvec
        blk-stat: make q->stats->lock irqsafe
        blk-iocost: ioc_pd_free() shouldn't assume irq disabled
        block: fix locking in bdev_del_partition
        block: release disk reference in hd_struct_free_work
        block: ensure bdi->io_pages is always initialized
        nvme-pci: cancel nvme device request before disabling
        nvme: only use power of two io boundaries
        nvme: fix controller instance leak
        nvmet-fc: Fix a missed _irqsave version of spin_lock in 'nvmet_fc_fod_op_done()'
        nvme: Fix NULL dereference for pci nvme controllers
        nvme-rdma: fix reset hang if controller died in the middle of a reset
        nvme-rdma: fix timeout handler
        nvme-rdma: serialize controller teardown sequences
        nvme-tcp: fix reset hang if controller died in the middle of a reset
        nvme-tcp: fix timeout handler
        nvme-tcp: serialize controller teardown sequences
        nvme: have nvme_wait_freeze_timeout return if it timed out
        nvme-fabrics: don't check state NVME_CTRL_NEW for request acceptance
        nvmet-tcp: Fix NULL dereference when a connect data comes in h2cdata pdu
      8075fc3b
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block · d849ca48
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - EAGAIN with O_NONBLOCK retry fix
      
       - Two small fixes for registered files (Jiufei)
      
      * tag 'io_uring-5.9-2020-09-04' of git://git.kernel.dk/linux-block:
        io_uring: no read/write-retry on -EAGAIN error and O_NONBLOCK marked file
        io_uring: set table->files[i] to NULL when io_sqe_file_register failed
        io_uring: fix removing the wrong file in __io_sqe_files_update()
      d849ca48
    • Linus Torvalds's avatar
      Merge tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux · 2fb54791
      Linus Torvalds authored
      Pull thermal fixes from Daniel Lezcano:
      
       - Fix bogus thermal shutdowns for omap4430 where bogus values resulting
         from an incorrect ADC conversion are too high and fire an emergency
         shutdown (Tony Lindgren)
      
       - Don't suppress negative temp for qcom spmi as they are valid and
         userspace needs them (Veera Vegivada)
      
       - Fix use-after-free in thermal_zone_device_unregister reported by
         Kasan (Dmitry Osipenko)
      
      * tag 'thermal-v5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux:
        thermal: core: Fix use-after-free in thermal_zone_device_unregister()
        thermal: qcom-spmi-temp-alarm: Don't suppress negative temp
        thermal: ti-soc-thermal: Fix bogus thermal shutdowns for omap4430
      2fb54791
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine · e2dacf6c
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "A couple of core fixes and odd driver fixes for dmaengine subsystem:
      
        Core:
         - drop ACPI CSRT table reference after using it
         - fix of_dma_router_xlate() error handling
      
        Drivers fixes in idxd, at_hdmac, pl330, dw-edma and jz478"
      
      * tag 'dmaengine-fix-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/vkoul/dmaengine:
        dmaengine: ti: k3-udma: Update rchan_oes_offset for am654 SYSFW ABI 3.0
        drivers/dma/dma-jz4780: Fix race condition between probe and irq handler
        dmaengine: dw-edma: Fix scatter-gather address calculation
        dmaengine: ti: k3-udma: Fix the TR initialization for prep_slave_sg
        dmaengine: pl330: Fix burst length if burst size is smaller than bus width
        dmaengine: at_hdmac: add missing kfree() call in at_dma_xlate()
        dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()
        dmaengine: at_hdmac: check return value of of_find_device_by_node() in at_dma_xlate()
        dmaengine: of-dma: Fix of_dma_router_xlate's of_dma_xlate handling
        dmaengine: idxd: reset states after device disable or reset
        dmaengine: acpi: Put the CSRT table after using it
      e2dacf6c
    • Linus Torvalds's avatar
      Merge tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 86edf52e
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A collection of small changes, nothing intrusive:
      
         - remaining tasklet API conversions, now all sound stuff have been
           converted
      
         - a few HD-audio and USB-audio quirks and minor fixes
      
         - FireWire Tascam and Digi00xx fixes
      
         - drop a kernel WARNING from PCM OSS for syzkaller"
      
      * tag 'sound-5.9-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (29 commits)
        ALSA: hda/realtek - Improved routing for Thinkpad X1 7th/8th Gen
        ALSA: hda: use consistent HDAudio spelling in comments/docs
        ALSA: hda: add dev_dbg log when driver is not selected
        ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled
        ALSA: hda: hdmi - add Rocketlake support
        ALSA: ua101: convert tasklets to use new tasklet_setup() API
        ALSA: usb-audio: convert tasklets to use new tasklet_setup() API
        ASoC: txx9: convert tasklets to use new tasklet_setup() API
        ASoC: siu: convert tasklets to use new tasklet_setup() API
        ASoC: fsl_esai: convert tasklets to use new tasklet_setup() API
        ALSA: hdsp: convert tasklets to use new tasklet_setup() API
        ALSA: riptide: convert tasklets to use new tasklet_setup() API
        ALSA: pci/asihpi: convert tasklets to use new tasklet_setup() API
        ALSA: firewire: convert tasklets to use new tasklet_setup() API
        ALSA: core: convert tasklets to use new tasklet_setup() API
        ALSA: pcm: oss: Remove superfluous WARN_ON() for mulaw sanity check
        ALSA: hda - Fix silent audio output and corrupted input on MSI X570-A PRO
        ALSA: hda/hdmi: always check pin power status in i915 pin fixup
        ALSA: hda/realtek: Add quirk for Samsung Galaxy Book Ion NT950XCJ-X716A
        ALSA: usb-audio: Add basic capture support for Pioneer DJ DJM-250MK2
        ...
      86edf52e
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm · cf85f5de
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Not much going on this week, nouveau has a display hw bug workaround,
        amdgpu has some PM fixes and CIK regression fixes, one single radeon
        PLL fix, and a couple of i915 display fixes.
      
        amdgpu:
         - Fix for 32bit systems
         - SW CTF fix
         - Update for Sienna Cichlid
         - CIK bug fixes
      
        radeon:
         - PLL fix
      
        i915:
         - Clang build warning fix
         - HDCP fixes
      
        nouveau:
         - display fixes"
      
      * tag 'drm-fixes-2020-09-04' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau/kms/nv50-gp1xx: add WAR for EVO push buffer HW bug
        drm/nouveau/kms/nv50-gp1xx: disable notifies again after core update
        drm/nouveau/kms/nv50-: add some whitespace before debug message
        drm/nouveau/kms/gv100-: Include correct push header in crcc37d.c
        drm/radeon: Prefer lower feedback dividers
        drm/amdgpu: Fix bug in reporting voltage for CIK
        drm/amdgpu: Specify get_argument function for ci_smu_funcs
        drm/amd/pm: enable MP0 DPM for sienna_cichlid
        drm/amd/pm: avoid false alarm due to confusing softwareshutdowntemp setting
        drm/amd/pm: fix is_dpm_running() run error on 32bit system
        drm/i915: Clear the repeater bit on HDCP disable
        drm/i915: Fix sha_text population code
        drm/i915/display: Ensure that ret is always initialized in icl_combo_phy_verify_state
      cf85f5de
    • Or Cohen's avatar
      net/packet: fix overflow in tpacket_rcv · acf69c94
      Or Cohen authored
      Using tp_reserve to calculate netoff can overflow as
      tp_reserve is unsigned int and netoff is unsigned short.
      
      This may lead to macoff receving a smaller value then
      sizeof(struct virtio_net_hdr), and if po->has_vnet_hdr
      is set, an out-of-bounds write will occur when
      calling virtio_net_hdr_from_skb.
      
      The bug is fixed by converting netoff to unsigned int
      and checking if it exceeds USHRT_MAX.
      
      This addresses CVE-2020-14386
      
      Fixes: 8913336a ("packet: add PACKET_RESERVE sockopt")
      Signed-off-by: default avatarOr Cohen <orcohen@paloaltonetworks.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      acf69c94
    • Linus Torvalds's avatar
      Merge branch 'simplify-do_wp_page' · b25d1dc9
      Linus Torvalds authored
      Merge emailed patches from Peter Xu:
       "This is a small series that I picked up from Linus's suggestion to
        simplify cow handling (and also make it more strict) by checking
        against page refcounts rather than mapcounts.
      
        This makes uffd-wp work again (verified by running upmapsort)"
      
      Note: this is horrendously bad timing, and making this kind of
      fundamental vm change after -rc3 is not at all how things should work.
      The saving grace is that it really is a a nice simplification:
      
       8 files changed, 29 insertions(+), 120 deletions(-)
      
      The reason for the bad timing is that it turns out that commit
      17839856 ("gup: document and work around 'COW can break either way'
      issue" broke not just UFFD functionality (as Peter noticed), but Mikulas
      Patocka also reports that it caused issues for strace when running in a
      DAX environment with ext4 on a persistent memory setup.
      
      And we can't just revert that commit without re-introducing the original
      issue that is a potential security hole, so making COW stricter (and in
      the process much simpler) is a step to then undoing the forced COW that
      broke other uses.
      
      Link: https://lore.kernel.org/lkml/alpine.LRH.2.02.2009031328040.6929@file01.intranet.prod.int.rdu2.redhat.com/
      
      * emailed patches from Peter Xu <peterx@redhat.com>:
        mm: Add PGREUSE counter
        mm/gup: Remove enfornced COW mechanism
        mm/ksm: Remove reuse_ksm_page()
        mm: do_wp_page() simplification
      b25d1dc9
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-cpufreq' · f7ce2c3a
      Rafael J. Wysocki authored
      * pm-cpufreq:
        cpufreq: intel_pstate: Fix intel_pstate_get_hwp_max() for turbo disabled
        cpufreq: intel_pstate: Free memory only when turning off
        cpufreq: intel_pstate: Add ->offline and ->online callbacks
        cpufreq: intel_pstate: Tweak the EPP sysfs interface
        cpufreq: intel_pstate: Update cached EPP in the active mode
        cpufreq: intel_pstate: Refuse to turn off with HWP enabled
      f7ce2c3a
    • Peter Xu's avatar
      mm: Add PGREUSE counter · 798a6b87
      Peter Xu authored
      This accounts for wp_page_reuse() case, where we reused a page for COW.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      798a6b87
    • Peter Xu's avatar
      mm/gup: Remove enfornced COW mechanism · a308c71b
      Peter Xu authored
      With the more strict (but greatly simplified) page reuse logic in
      do_wp_page(), we can safely go back to the world where cow is not
      enforced with writes.
      
      This essentially reverts commit 17839856 ("gup: document and work
      around 'COW can break either way' issue").  There are some context
      differences due to some changes later on around it:
      
        2170ecfa ("drm/i915: convert get_user_pages() --> pin_user_pages()", 2020-06-03)
        376a34ef ("mm/gup: refactor and de-duplicate gup_fast() code", 2020-06-03)
      
      Some lines moved back and forth with those, but this revert patch should
      have striped out and covered all the enforced cow bits anyways.
      Suggested-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      a308c71b
    • Peter Xu's avatar
      mm/ksm: Remove reuse_ksm_page() · 1a0cf263
      Peter Xu authored
      Remove the function as the last reference has gone away with the do_wp_page()
      changes.
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1a0cf263
    • Linus Torvalds's avatar
      mm: do_wp_page() simplification · 09854ba9
      Linus Torvalds authored
      How about we just make sure we're the only possible valid user fo the
      page before we bother to reuse it?
      
      Simplify, simplify, simplify.
      
      And get rid of the nasty serialization on the page lock at the same time.
      
      [peterx: add subject prefix]
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      09854ba9
    • Leon Romanovsky's avatar
      gcov: Disable gcov build with GCC 10 · cfc905f1
      Leon Romanovsky authored
      GCOV built with GCC 10 doesn't initialize n_function variable.  This
      produces different kernel panics as was seen by Colin in Ubuntu and me
      in FC 32.
      
      As a workaround, let's disable GCOV build for broken GCC 10 version.
      
      Link: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1891288
      Link: https://lore.kernel.org/lkml/20200827133932.3338519-1-leon@kernel.org
      Link: https://lore.kernel.org/lkml/CAHk-=whbijeSdSvx-Xcr0DPMj0BiwhJ+uiNnDSVZcr_h_kg7UA@mail.gmail.com/
      Cc: Colin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@nvidia.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cfc905f1