commit b1289d43469be46f07e4841cd3fb68594e5ba0f2 Author: Alexandre Frade Date: Fri Apr 8 20:59:59 2022 +0000 Linux 5.17.2-xanmod1 Signed-off-by: Alexandre Frade commit 0cdfdbc07bc7da15e5f9e972b1912e3c6d6995ef Merge: d541f90b599d 70a10e90d47f Author: Alexandre Frade Date: Fri Apr 8 19:47:41 2022 +0000 Merge tag 'v5.17.2' into 5.17 This is the 5.17.2 stable release commit 70a10e90d47f9b4de9808425521bc9d09fef9b30 Author: Greg Kroah-Hartman Date: Fri Apr 8 13:59:05 2022 +0200 Linux 5.17.2 Link: https://lore.kernel.org/r/20220405070407.513532867@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Fenil Jain Tested-by: Fox Chen Tested-by: Shuah Khan Tested-by: Rudi Heitbaum Tested-by: Ronald Warsow Tested-by: Guenter Roeck Tested-by: Zan Aziz Tested-by: Ronald Warsow Tested-by: Linux Kernel Functional Testing Tested-by: Jon Hunter Tested-by: Ron Economos Tested-by: Bagas Sanjaya Link: https://lore.kernel.org/r/20220406133122.897434068@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Justin M. Forbes Tested-by: Fox Chen Tested-by: Shuah Khan Tested-by: Ronald Warsow Tested-by: Florian Fainelli Tested-by: Ron Economos Tested-by: Jiri Slaby Tested-by: Linux Kernel Functional Testing Reviewed-by: Guenter Roeck Tested-by: Sebastian Dörin Tested-by: Rudi Heitbaum Tested-by: Bagas Sanjaya Signed-off-by: Greg Kroah-Hartman commit 5c6baf808f409b69ad0799a551a704177b5a7ec1 Author: Eric W. Biederman Date: Tue Mar 8 13:04:19 2022 -0600 coredump: Use the vma snapshot in fill_files_note commit 390031c942116d4733310f0684beb8db19885fe6 upstream. Matthew Wilcox reported that there is a missing mmap_lock in file_files_note that could possibly lead to a user after free. Solve this by using the existing vma snapshot for consistency and to avoid the need to take the mmap_lock anywhere in the coredump code except for dump_vma_snapshot. Update the dump_vma_snapshot to capture vm_pgoff and vm_file that are neeeded by fill_files_note. Add free_vma_snapshot to free the captured values of vm_file. Reported-by: Matthew Wilcox Link: https://lkml.kernel.org/r/20220131153740.2396974-1-willy@infradead.org Cc: stable@vger.kernel.org Fixes: a07279c9a8cd ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot") Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files") Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 6b73d7715a9899b0a54565a562db6bae39e4ff35 Author: Eric W. Biederman Date: Mon Jan 31 12:17:38 2022 -0600 coredump/elf: Pass coredump_params into fill_note_info commit 9ec7d3230717b4fe9b6c7afeb4811909c23fa1d7 upstream. Instead of individually passing cprm->siginfo and cprm->regs into fill_note_info pass all of struct coredump_params. This is preparation to allow fill_files_note to use the existing vma snapshot. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 1dabdbebca81331c9713597a18955c53a3f118b7 Author: Eric W. Biederman Date: Tue Mar 8 13:01:19 2022 -0600 coredump: Remove the WARN_ON in dump_vma_snapshot commit 49c1866348f364478a0c4d3dd13fd08bb82d3a5b upstream. The condition is impossible and to the best of my knowledge has never triggered. We are in deep trouble if that conditions happens and we walk past the end of our allocated array. So delete the WARN_ON and the code that makes it look like the kernel can handle the case of walking past the end of it's vma_meta array. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 8a7f9226e3c757c61c426ce62fb1c3fbe6c6e6bc Author: Eric W. Biederman Date: Tue Mar 8 12:55:29 2022 -0600 coredump: Snapshot the vmas in do_coredump commit 95c5436a4883841588dae86fb0b9325f47ba5ad3 upstream. Move the call of dump_vma_snapshot and kvfree(vma_meta) out of the individual coredump routines into do_coredump itself. This makes the code less error prone and easier to maintain. Make the vma snapshot available to the coredump routines in struct coredump_params. This makes it easier to change and update what is captures in the vma snapshot and will be needed for fixing fill_file_notes. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit fd2303d31b21e1b22f1f92043711e39f5a40b7a6 Author: Ulf Hansson Date: Tue Mar 1 12:53:00 2022 +0100 mmc: rtsx: Fix build errors/warnings for unused variable commit 3dd9a926ec2308e49445f22abef149fc64e9332e upstream. The struct device *dev, is no longer needed at various functions, let's therefore drop it to fix the build errors/warnings. Fixes: 7570fb41e450 ("mmc: rtsx: Let MMC core handle runtime PM") Cc: Kai-Heng Feng Reported-by: kernel test robot Signed-off-by: Ulf Hansson Link: https://lore.kernel.org/r/20220301115300.64332-1-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman commit 05dbc1a30dc7bcaa558ec785b24f06f090ebfb6c Author: Kai-Heng Feng Date: Wed Feb 16 13:54:31 2022 +0800 mmc: rtsx: Let MMC core handle runtime PM commit 7570fb41e450ba37bf9335fe3751fa9f502c30fa upstream. Since MMC core handles runtime PM reference counting, we can avoid doing redundant runtime PM work in the driver. That means the only thing commit 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") misses is to always enable runtime PM, to let its parent driver enable ASPM in the runtime idle routine. Fixes: 7499b529d97f ("mmc: rtsx: Use pm_runtime_{get,put}() to handle runtime PM") Reviewed-by: Ulf Hansson Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20220216055435.2335297-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman commit 9d73b40f979737029bac724c39648016da3f914c Author: Jens Axboe Date: Sat Apr 2 11:40:23 2022 -0600 Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()" commit 7198bfc2017644c6b92d2ecef9b8b8e0363bb5fd upstream. This reverts commit 6d35d04a9e18990040e87d2bbf72689252669d54. Both Gabriel and Borislav report that this commit casues a regression with nbd: sysfs: cannot create duplicate filename '/dev/block/43:0' Revert it before 5.18-rc1 and we'll investigage this separately in due time. Link: https://lore.kernel.org/all/YkiJTnFOt9bTv6A2@zn.tnic/ Reported-by: Gabriel L. Somlo Reported-by: Borislav Petkov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b5a000c1f4d38ae158e99f5ec8d631c68737c6b6 Author: Jackie Liu Date: Mon Mar 21 15:12:16 2022 +0800 n64cart: convert bi_disk to bi_bdev->bd_disk fix build commit b2479de38d8fc7ef13d5c78ff5ded6e5a1a4eac0 upstream. My kernel robot report below: drivers/block/n64cart.c: In function ‘n64cart_submit_bio’: drivers/block/n64cart.c:91:26: error: ‘struct bio’ has no member named ‘bi_disk’ 91 | struct device *dev = bio->bi_disk->private_data; | ^~ CC drivers/slimbus/qcom-ctrl.o CC drivers/auxdisplay/hd44780.o CC drivers/watchdog/watchdog_core.o CC drivers/nvme/host/fault_inject.o AR drivers/accessibility/braille/built-in.a make[2]: *** [scripts/Makefile.build:288: drivers/block/n64cart.o] Error 1 Fixes: 309dca309fc3 ("block: store a block_device pointer in struct bio"); Reported-by: k2ci Signed-off-by: Jackie Liu Reviewed-by: Chaitanya Kulkarni Link: https://lore.kernel.org/r/20220321071216.1549596-1-liu.yun@linux.dev Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4c46d8a04969e697c5e7e5390d3b8f690720744d Author: Paul E. McKenney Date: Thu Jan 27 09:39:15 2022 -0800 torture: Make torture.sh help message match reality commit f233673cd32a048f2eed69e56b61174c33fb740b upstream. This commit fixes a couple of typos: s/--doall/--do-all/ and s/--doallmodconfig/--do-allmodconfig/. [ paulmck: Add Fixes: supplied by Paul Menzel. ] Fixes: a115a775a8d5 ("torture: Add "make allmodconfig" to torture.sh") Reported-by: Paul Menzel Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 6cb78cf8775244f39fad7666e25ef1cce79260bd Author: Martin Varghese Date: Mon Mar 28 11:11:48 2022 +0530 openvswitch: Fixed nd target mask field in the flow dump. commit f19c44452b58a84d95e209b847f5495d91c9983a upstream. IPv6 nd target mask was not getting populated in flow dump. In the function __ovs_nla_put_key the icmp code mask field was checked instead of icmp code key field to classify the flow as neighbour discovery. ufid:bdfbe3e5-60c2-43b0-a5ff-dfcac1c37328, recirc_id(0),dp_hash(0/0), skb_priority(0/0),in_port(ovs-nm1),skb_mark(0/0),ct_state(0/0), ct_zone(0/0),ct_mark(0/0),ct_label(0/0), eth(src=00:00:00:00:00:00/00:00:00:00:00:00, dst=00:00:00:00:00:00/00:00:00:00:00:00), eth_type(0x86dd), ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no), icmpv6(type=135,code=0), nd(target=2001::2/::, sll=00:00:00:00:00:00/00:00:00:00:00:00, tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:10, bytes:860, used:0.504s, dp:ovs, actions:ovs-nm2 Fixes: e64457191a25 (openvswitch: Restructure datapath.c and flow.c) Signed-off-by: Martin Varghese Link: https://lore.kernel.org/r/20220328054148.3057-1-martinvarghesenokia@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 50afc6991422ce8143112d50f145ae2669048634 Author: Eli Cohen Date: Mon Mar 21 16:13:03 2022 +0200 vdpa/mlx5: Avoid processing works if workqueue was destroyed commit ad6dc1daaf29f97f23cc810d60ee01c0e83f4c6b upstream. If mlx5_vdpa gets unloaded while a VM is running, the workqueue will be destroyed. However, vhost might still have reference to the kick function and might attempt to push new works. This could lead to null pointer dereference. To fix this, set mvdev->wq to NULL just before destroying and verify that the workqueue is not NULL in mlx5_vdpa_kick_vq before attempting to push a new work. Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20220321141303.9586-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit bc625a29decff4fb13f387abe819bcfd1afc0d40 Author: Maciej Fijalkowski Date: Mon Mar 28 16:21:23 2022 +0200 ice: xsk: Fix indexing in ice_tx_xsk_pool() commit 1ac2524de7b366633fc336db6c94062768d0ab03 upstream. Ice driver tries to always create XDP rings array to be num_possible_cpus() sized, regardless of user's queue count setting that can be changed via ethtool -L for example. Currently, ice_tx_xsk_pool() calculates the qid by decrementing the ring->q_index by the count of XDP queues, but ring->q_index is set to 'i + vsi->alloc_txq'. When user did ethtool -L $IFACE combined 1, alloc_txq is 1, but vsi->num_xdp_txq is still num_possible_cpus(). Then, ice_tx_xsk_pool() will do OOB access and in the final result ring would not get xsk_pool pointer assigned. Then, each ice_xsk_wakeup() call will fail with error and it will not be possible to get into NAPI and do the processing from driver side. Fix this by decrementing vsi->alloc_txq instead of vsi->num_xdp_txq from ring-q_index in ice_tx_xsk_pool() so the calculation is reflected to the setting of ring->q_index. Fixes: 22bf877e528f ("ice: introduce XDP_TX fallback path") Signed-off-by: Maciej Fijalkowski Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220328142123.170157-5-maciej.fijalkowski@intel.com Signed-off-by: Greg Kroah-Hartman commit 53afc1e0173633294d781a8dff57d1e00a71031b Author: Magnus Karlsson Date: Mon Mar 28 16:21:20 2022 +0200 xsk: Do not write NULL in SW ring at allocation failure commit a95a4d9b39b0324402569ed7395aae59b8fd2b11 upstream. For the case when xp_alloc_batch() is used but the batched allocation cannot be used, there is a slow path that uses the non-batched xp_alloc(). When it fails to allocate an entry, it returns NULL. The current code wrote this NULL into the entry of the provided results array (pointer to the driver SW ring usually) and returned. This might not be what the driver expects and to make things simpler, just write successfully allocated xdp_buffs into the SW ring,. The driver might have information in there that is still important after an allocation failure. Note that at this point in time, there are no drivers using xp_alloc_batch() that could trigger this slow path. But one might get added. Fixes: 47e4075df300 ("xsk: Batched buffer allocation for the pool") Signed-off-by: Magnus Karlsson Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220328142123.170157-2-maciej.fijalkowski@intel.com Signed-off-by: Greg Kroah-Hartman commit c459241243ab28e9af1bdbd785ed69230704e1b5 Author: Guilherme G. Piccoli Date: Wed Mar 23 16:07:03 2022 -0700 docs: sysctl/kernel: add missing bit to panic_print commit a1ff1de00db21ecb956213f046b79741b64c6b65 upstream. Patch series "Some improvements on panic_print". This is a mix of a documentation fix with some additions to the "panic_print" syscall / parameter. The goal here is being able to collect all CPUs backtraces during a panic event and also to enable "panic_print" in a kdump event - details of the reasoning and design choices in the patches. This patch (of 3): Commit de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") added a new bit to the sysctl/kernel parameter "panic_print", but the documentation was added only in kernel-parameters.txt, not in the sysctl guide. Fix it here by adding bit 5 to sysctl admin-guide documentation. [rdunlap@infradead.org: fix table format warning] Link: https://lkml.kernel.org/r/20220109055635.6999-1-rdunlap@infradead.org Link: https://lkml.kernel.org/r/20211109202848.610874-1-gpiccoli@igalia.com Link: https://lkml.kernel.org/r/20211109202848.610874-2-gpiccoli@igalia.com Fixes: de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") Signed-off-by: Guilherme G. Piccoli Reviewed-by: Feng Tang Cc: Luis Chamberlain Cc: Kees Cook Cc: Iurii Zaikin Cc: Samuel Iglesias Gonsalvez Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5c73bf3382300bb52d5cfa5aebb8b0468cf5b5a4 Author: Anton Ivanov Date: Tue Feb 22 12:44:10 2022 +0000 um: Fix uml_mconsole stop/go commit 1a3a6a2a035bb6c3a7ef4c788d8fd69a7b2d6284 upstream. Moving to an EPOLL based IRQ controller broke uml_mconsole stop/go commands. This fixes it and restores stop/go functionality. Fixes: ff6a17989c08 ("Epoll based IRQ controller") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 0069f9f7d5f7d3004a79b23bff5c053e1eb2c7a7 Author: Kuldeep Singh Date: Sat Mar 26 09:53:12 2022 +0530 arm64: dts: ls1046a: Update i2c node dma properties commit eeeb4f1075d71d67083c75f69247206e9b3d9f4a upstream. Reorder dmas and dma-names properties for i2c controller node to make it compliant with bindings. Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support") Signed-off-by: Kuldeep Singh CC: soc@kernel.org Link: https://lore.kernel.org/r/20220326042313.97862-5-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit f7c25a01906c6ca47e25781aac5669953bbcd049 Author: Kuldeep Singh Date: Sat Mar 26 09:53:11 2022 +0530 arm64: dts: ls1043a: Update i2c dma properties commit aa4df840d1c5eab2bb33695efe4409b3e5526749 upstream. Reorder dmas and dma-names properties for i2c controller node to make it compliant with bindings. Fixes: 6d453cd22357 ("arm64: dts: add Freescale LS1043a SoC support") Signed-off-by: Kuldeep Singh CC: soc@kernel.org Link: https://lore.kernel.org/r/20220326042313.97862-4-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit c5732d8f84203950f3d3e58cb99039cbd871625d Author: Kuldeep Singh Date: Sat Mar 26 09:53:09 2022 +0530 ARM: dts: spear13xx: Update SPI dma properties commit 31d3687d6017c7ce6061695361598d9cda70807a upstream. Reorder dmas and dma-names property for spi controller node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-2-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 3411e96376ec493afa564962819a425193800119 Author: Kuldeep Singh Date: Sat Mar 26 09:53:10 2022 +0530 ARM: dts: spear1340: Update serial node properties commit 583d6b0062640def86f3265aa1042ecb6672516e upstream. Reorder dma and dma-names property for serial node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-3-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit cea17ae1e690db600f3b333e3d294eb864b7d4f8 Author: Leilk Liu Date: Tue Mar 15 11:24:06 2022 +0800 spi: mediatek: support tick_delay without enhance_timing commit 03b1be379dcee2e9c866c2a455a1a4a9581b3efd upstream. this patch support tick_delay bit[31:30] without enhance_timing feature. Fixes: f84d866ab43f("spi: mediatek: add tick_delay support") Signed-off-by: Leilk Liu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220315032411.2826-2-leilk.liu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0f18815bc298eb80662ef03c824c1aaea58f3369 Author: Guodong Liu Date: Wed Feb 16 11:21:24 2022 +0800 pinctrl: canonical rsel resistance selection property commit 7966c5051fc7d52425155ab30ad568d9d97f3b02 upstream. Change "mediatek,rsel_resistance_in_si_unit" to "mediatek,rsel-resistance-in-si-unit" Fixes: fb34a9ae383a ("pinctrl: mediatek: support rsel feature") Signed-off-by: Guodong Liu Link: https://lore.kernel.org/r/20220216032124.28067-4-guodong.liu@mediatek.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 2e8029bd85370ad844e8f3ef561a837d99de8ede Author: Janusz Krzysztofik Date: Mon May 4 00:06:18 2020 +0200 media: ov6650: Fix crop rectangle affected by set format commit 985d2d7a482e9b64ef9643702b066da9cbd6ae8e upstream. According to subdevice interface specification found in V4L2 API documentation, set format pad operations should not affect image geometry set in preceding image processing steps. Unfortunately, that requirement is not respected by the driver implementation of set format as it was not the case when that code was still implementing a pair of now obsolete .s_mbus_fmt() / .try_mbus_fmt() video operations before they have been merged and reused as an implementation of .set_fmt() pad operation by commit 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt"). Exclude non-compliant crop rectangle adjustments from set format try, as well as a call to .set_selection() from set format active processing path, so only frame scaling is applied as needed and crop rectangle is no longer modified. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit fc364cdc3b457ff5572f733882488b30856cb80d Author: Janusz Krzysztofik Date: Mon May 4 00:06:17 2020 +0200 media: ov6650: Add try support to selection API operations commit c74052646496ffe0bc606152e6b9653137020cbf upstream. Try requests are now only supported by format processing pad operations implemented by the driver. The driver selection API operations currently respond to them with -EINVAL. While that is correct, it constraints video device drivers to not use subdevice cropping at all while processing user requested active frame size, otherwise their set try format results might differ from active. As a consequence, we can't fix set format pad operation as not to touch crop rectangle since that would affect users not being able to set arbitrary frame sizes. Moreover, without a working set try selection support we are not able to use pad config crop rectangle as a reference while processing set try format requests. Implement missing try selection support. Moreover, as it will be now possible to maintain the pad config crop rectangle via selection API, start using it instead of the active one as a reference while processing set try format requests. is_unscaled_ok() helper, now also called from set selection operation, has been just moved up in the source file to avoid a prototype, with no functional changes. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 7dcbe574bfb3856e1824ddb5f81d3161ffbd7dda Author: Ian Rogers Date: Mon Jan 31 17:58:34 2022 -0800 perf vendor events: Update metrics for SkyLake Server commit 3bad20d7d129c3b3063658a0f83974dfe6dac5c4 upstream. Based on TMA_metrics-full.csv version 4.3 at 01.org: https://download.01.org/perfmon/ Events are updated to version 1.26: https://download.01.org/perfmon/SKX Json files generated by: https://github.com/intel/event-converter-for-linux-perf Fixes were made that allow the skx-metrics.json to successfully generate, bringing back TopdownL1 metrics. Tested: $ perf test ... 6: Parse event definition strings : Ok 7: Simple expression parser : Ok ... 9: Parse perf pmu format : Ok 10: PMU events : 10.1: PMU event table sanity : Ok 10.2: PMU event map aliases : Ok 10.3: Parsing of PMU event table metrics : Ok 10.4: Parsing of PMU event table metrics with fake PMUs : Ok ... 68: Parse and process metrics : Ok ... 88: perf stat metrics (shadow stat) test : Ok 89: perf all metricgroups test : Ok 90: perf all metrics test : Skip 91: perf all PMU test : Ok ... 90 skips due to a lack of floating point samples, which is understandable. Fixes: c4ad8fabd03f76ed ("perf vendor events: Update metrics for SkyLake Server") Reviewed-by: Kan Liang Signed-off-by: Ian Rogers Cc: Alexander Shishkin Cc: Alexandre Torgue Cc: Andi Kleen Cc: Ingo Molnar Cc: James Clark Cc: Jin Yao Cc: Jiri Olsa Cc: John Garry Cc: Mark Rutland Cc: Maxime Coquelin Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Zhengjun Xing Link: https://lore.kernel.org/r/20220201015858.1226914-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit 8870ca9b679eee30cfd95b3bc4203674a179b62f Author: Amadeusz Sławiński Date: Wed Jan 12 18:00:29 2022 +0100 ASoC: topology: Allow TLV control to be either read or write commit feb00b736af64875560f371fe7f58b0b7f239046 upstream. There is no reason to force readwrite access on TLV controls. It can be either read, write or both. This is further evidenced in code where it performs following checks: if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_READ) && !sbe->get) return -EINVAL; if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_WRITE) && !sbe->put) return -EINVAL; Fixes: 1a3232d2f61d ("ASoC: topology: Add support for TLV bytes controls") Signed-off-by: Amadeusz Sławiński Reviewed-by: Cezary Rojewski Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220112170030.569712-3-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9b3c3598c77cc9c0f576f652206437b9823aa978 Author: Zheng Bin Date: Wed Mar 23 17:25:01 2022 +0800 ASoC: SOF: Intel: Fix build error without SND_SOC_SOF_PCI_DEV commit 664d66dc0a64b32e60a5ad59a9aebb08676a612b upstream. If SND_SOC_SOF_PCI_DEV is n, bulding fails: sound/soc/sof/intel/pci-tng.o:(.data+0x1c0): undefined reference to `sof_pci_probe' sound/soc/sof/intel/pci-tng.o:(.data+0x1c8): undefined reference to `sof_pci_remove' sound/soc/sof/intel/pci-tng.o:(.data+0x1e0): undefined reference to `sof_pci_shutdown' sound/soc/sof/intel/pci-tng.o:(.data+0x290): undefined reference to `sof_pci_pm' Make SND_SOC_SOF_MERRIFIELD select SND_SOC_SOF_PCI_DEV to fix this. Fixes: 8d4ba1be3d22 ("ASoC: SOF: pci: split PCI into different drivers") Reported-by: Hulk Robot Signed-off-by: Zheng Bin Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220323092501.145879-1-zhengbin13@huawei.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a903e516f5df44b46d526b403d93e7be1a425538 Author: Eric Dumazet Date: Mon Feb 21 19:21:13 2022 -0800 net: preserve skb_end_offset() in skb_unclone_keeptruesize() commit 2b88cba55883eaafbc9b7cbff0b2c7cdba71ed01 upstream. syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issues in the blamed commits, but forgot that TCP was possibly shifting data after skb_unclone_keeptruesize() has been used, notably from tcp_retrans_try_collapse(). So we not only need to keep same skb->truesize value, we also need to make sure TCP wont fill new tailroom that pskb_expand_head() was able to get from a addr = kmalloc(...) followed by ksize(addr) Split skb_unclone_keeptruesize() into two parts: 1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned. 2) Out of line __skb_unclone_keeptruesize() for the 'slow path'. WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Modules linked in: CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa RSP: 0018:ffffc900063af268 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000 RDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003 RBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000 R10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8 R13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155 FS: 00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline] tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630 tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914 tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025 tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947 tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719 sk_backlog_rcv include/net/sock.h:1037 [inline] __release_sock+0x134/0x3b0 net/core/sock.c:2779 release_sock+0x54/0x1b0 net/core/sock.c:3311 sk_wait_data+0x177/0x450 net/core/sock.c:2821 tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457 tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572 inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c4777efa751d ("net: add and use skb_unclone_keeptruesize() helper") Fixes: 097b9146c0e2 ("net: fix up truesize of cloned skb in skb_prepare_for_shift()") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Marco Elver Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 1aea86e15de2f32b186e31d56a7029d92d743f09 Author: Zhihao Cheng Date: Mon Dec 27 11:22:42 2021 +0800 ubi: fastmap: Return error code if memory allocation fails in add_aeb() commit c3c07fc25f37c157fde041b3a0c3dfcb1590cbce upstream. Abort fastmap scanning and return error code if memory allocation fails in add_aeb(). Otherwise ubi will get wrong peb statistics information after scanning. Fixes: dbb7d2a88d2a7b ("UBI: Add fastmap core") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 6fcaefac2b5920eb869324dd9ebfb1d90ebb127c Author: Horatiu Vultur Date: Fri Feb 4 16:35:34 2022 +0100 dt-bindings: pinctrl: pinctrl-microchip-sgpio: Fix example commit a6ff90f3fbd4d902aad8777f0329cef3a2768bde upstream. The blamed commit adds support for irq, but the reqisters for irq are outside of the memory size. They are at address 0x108. Therefore update the memory size to cover all the registers used by the device. Fixes: 01a9350bdd49fb ("dt-bindings: pinctrl: pinctrl-microchip-sgpio: Add irq support") Signed-off-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220204153535.465827-2-horatiu.vultur@microchip.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 4e94de9d1825db5c04197e69aa0c9d674a4c1e89 Author: Chen-Yu Tsai Date: Wed Feb 2 23:35:28 2022 +0800 dt-bindings: pinctrl: mt8195: fix bias-pull-{up,down} checks commit c76eeb14ec4e645a23ed8d627c7e38eca048c527 upstream. When the constraints and description for bias-pull-{up,down} were added, the constraints were not indented correctly, resulting in them being parsed as part of the description. This effectively nullified their purpose. Move the constraints out of the description block, make each description part of the same associative array as the enum its describing, and reindent them correctly so they take effect. Also add "type: boolean" to the list of valid values. This corresponds to having bias-pull-{up,down} without any arguments. Fixes: 91e7edceda96 ("dt-bindings: pinctrl: mt8195: change pull up/down description") Signed-off-by: Chen-Yu Tsai Reviewed-by: Rob Herring Link: https://lore.kernel.org/r/20220202153528.707185-1-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit e3016ecd89bfbd51bbf09173d6a0a895b53da7f3 Author: Yong Wu Date: Thu Jan 13 19:10:53 2022 +0800 dt-bindings: memory: mtk-smi: Correct minItems to 2 for the gals clocks commit 996ebc0e332bfb3091395f9bd286d8349a57be62 upstream. Mute the warning from "make dtbs_check": larb@14017000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml ... larb@16010000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml larb@17010000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml If a platform's larb supports gals, there will be some larbs have one more "gals" clock while the others still only need "apb"/"smi" clocks, then the minItems for clocks and clock-names are 2. Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-4-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit ea26ba73f907ee9e2e185960a0ae8968b6a928be Author: Yong Wu Date: Thu Jan 13 19:10:52 2022 +0800 dt-bindings: memory: mtk-smi: No need mediatek,larb-id for mt8167 commit ddc3a324889686ec9b358de20fdeec0d2668c7a8 upstream. Mute the warning from "make dtbs_check": larb@14016000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml larb@15001000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml larb@16010000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml As the description of mediatek,larb-id, the property is only required when the larbid is not consecutive from its IOMMU point of view. Also, from the description of mediatek,larbs in Documentation/devicetree/bindings/iommu/mediatek,iommu.yaml, all the larbs must sort by the larb index. In mt8167, there is only one IOMMU HW and three larbs. The drivers already know its larb index from the mediatek,larbs property of IOMMU, thus no need this property. Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Acked-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-3-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit f5a5e674082904e66de11655f1febd538520b892 Author: Yong Wu Date: Thu Jan 13 19:10:51 2022 +0800 dt-bindings: memory: mtk-smi: Rename clock to clocks commit 5bf7fa48374eafe29dbb30448a0b0c083853583f upstream. The property "clock" should be rename to "clocks", and delete the "items", the minItems/maxItems should not be put under "items". Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Acked-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-2-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit 1d93e01cc84960a2b85518f6e1eb25653a7584cb Author: Martin Kepplinger Date: Tue Jan 11 14:39:37 2022 +0100 media: dt-bindings: media: hynix,hi846: add link-frequencies description commit a44b8e8c9b2615ea7cf2361cbca3c1dff8119c87 upstream. link-frequencies is required but only mentioned in the example. Add it to the description. Fixes: f3ce7200ca18 ("media: dt-bindings: media: document SK Hynix Hi-846 MIPI CSI-2 8M pixel sensor") Signed-off-by: Martin Kepplinger Reviewed-by: Laurent Pinchart Reviewed-by: Rob Herring Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 7d2880e324e62b2868bf1a8133ab37e6cb18bdd8 Author: Martin Kepplinger Date: Tue Jan 11 14:39:36 2022 +0100 media: dt-binding: media: hynix,hi846: use $defs/port-base port description commit 6492eba4fafb5a9715ecf78b7155e88f8f88909a upstream. This fixes "make dt_binding_check": Documentation/devicetree/bindings/media/i2c/hynix,hi846.example.dt.yaml: camera@20: port:endpoint: Unevaluated properties are not allowed ('link-frequencies', 'data-lanes' were unexpected) From schema: Documentation/devicetree/bindings/media/i2c/hynix,hi846.yaml [Sakari Ailus: Reword commit message] Fixes: f3ce7200ca18 ("media: dt-bindings: media: document SK Hynix Hi-846 MIPI CSI-2 8M pixel sensor") Reported-by: Geert Uytterhoeven Signed-off-by: Martin Kepplinger Reviewed-by: Laurent Pinchart Reviewed-by: Rob Herring Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f7425887d0335d786e6f11604814cf12aa77e85e Author: Miquel Raynal Date: Thu Dec 16 12:16:33 2021 +0100 dt-bindings: spi: mxic: The interrupt property is not mandatory commit 90c204d3195a795f77f5bce767e311dd1c59ca17 upstream. The interrupt property is not mandatory at all, this property should not be part of the required properties list, so move it into the optional properties list. Fixes: 326e5c8d4a87 ("dt-binding: spi: Document Macronix controller bindings") Signed-off-by: Miquel Raynal Reviewed-by: Rob Herring Reviewed-by: Mark Brown Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-8-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit c28f2bc3c1b9f2405e290a559029dfffdda8fe95 Author: Miquel Raynal Date: Thu Dec 16 12:16:28 2021 +0100 dt-bindings: mtd: nand-controller: Fix a comment in the examples commit 0e7f1b557974ce297e5e4c9d4245720fbb489886 upstream. The controller properties should be in the controller 'parent' node, while properties in the children nodes are specific to the NAND *chip*. This error was already present during the yaml conversion. Fixes: 2d472aba15ff ("mtd: nand: document the NAND controller/NAND chip DT representation") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 01d06d10c3a6d5e9695cf28f443080029e6da9e9 Author: Miquel Raynal Date: Thu Dec 16 12:16:27 2021 +0100 dt-bindings: mtd: nand-controller: Fix the reg property description commit 93f2ec9e401276fb4ea9903194a5bfcf175f9a2c upstream. The reg property of a NAND device always references the chip-selects. The ready/busy lines are described in the nand-rb property. I believe this was a harmless copy/paste error during the conversion to yaml. Fixes: 212e49693592 ("dt-bindings: mtd: Add YAML schemas for the generic NAND options") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 1c0e264df761d78cd32f0af573659f8a5964e772 Author: Kai-Heng Feng Date: Tue Jan 25 13:50:06 2022 +0800 mmc: rtsx: Use pm_runtime_{get,put}() to handle runtime PM commit 7499b529d97f752124fa62fefa1d6d44b371215a upstream. Commit 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") doesn't use pm_runtime_{get,put}() helpers when it should, so the RPM refcount keeps at zero, hence its parent driver, rtsx_pci, has to do lots of weird tricks to keep it from runtime suspending. So use those helpers at right places to properly manage runtime PM. Fixes: 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") Cc: Ricky WU Tested-by: Ricky WU Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20220125055010.1866563-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit c6399f6f2f84921feebbf985e3819b1ad851ebe5 Author: Zhang Wensheng Date: Thu Mar 10 17:32:24 2022 +0800 nbd: fix possible overflow on 'first_minor' in nbd_dev_add() commit 6d35d04a9e18990040e87d2bbf72689252669d54 upstream. When 'index' is a big numbers, it may become negative which forced to 'int'. then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Because of this, move the 'index' judgment to the front will fix it and be better. Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()") Signed-off-by: Zhang Wensheng Reviewed-by: Josef Bacik Link: https://lore.kernel.org/r/20220310093224.4002895-1-zhangwensheng5@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit ad1aba18528796e6996ece40fe35b4cd97faf4d3 Author: Hengqi Chen Date: Thu Mar 10 23:53:35 2022 +0800 bpf: Fix comment for helper bpf_current_task_under_cgroup() commit 58617014405ad5c9f94f464444f4972dabb71ca7 upstream. Fix the descriptions of the return values of helper bpf_current_task_under_cgroup(). Fixes: c6b5fb8690fa ("bpf: add documentation for eBPF helpers (42-50)") Signed-off-by: Hengqi Chen Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220310155335.1278783-1-hengqi.chen@gmail.com Signed-off-by: Greg Kroah-Hartman commit 6c4f243b58f5362e983386488b2d563764c567af Author: Namhyung Kim Date: Mon Mar 14 11:20:41 2022 -0700 bpf: Adjust BPF stack helper functions to accommodate skip > 0 commit ee2a098851bfbe8bcdd964c0121f4246f00ff41e upstream. Let's say that the caller has storage for num_elem stack frames. Then, the BPF stack helper functions walk the stack for only num_elem frames. This means that if skip > 0, one keeps only 'num_elem - skip' frames. This is because it sets init_nr in the perf_callchain_entry to the end of the buffer to save num_elem entries only. I believe it was because the perf callchain code unwound the stack frames until it reached the global max size (sysctl_perf_event_max_stack). However it now has perf_callchain_entry_ctx.max_stack to limit the iteration locally. This simplifies the code to handle init_nr in the BPF callstack entries and removes the confusion with the perf_event's __PERF_SAMPLE_CALLCHAIN_EARLY which sets init_nr to 0. Also change the comment on bpf_get_stack() in the header file to be more explicit what the return value means. Fixes: c195651e565a ("bpf: add bpf_get_stack helper") Signed-off-by: Namhyung Kim Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/30a7b5d5-6726-1cc2-eaee-8da2828a9a9c@oracle.com Link: https://lore.kernel.org/bpf/20220314182042.71025-1-namhyung@kernel.org Signed-off-by: Greg Kroah-Hartman Based-on-patch-by: Eugene Loh commit 8ed35dc115095a02ad4ac714d806aa24f26a9dfc Author: Toke Høiland-Jørgensen Date: Tue Jan 18 15:13:27 2022 +0100 libbpf: Define BTF_KIND_* constants in btf.h to avoid compilation errors commit eaa266d83a3730a15de2ceebcc89e8f6290e8cf6 upstream. The btf.h header included with libbpf contains inline helper functions to check for various BTF kinds. These helpers directly reference the BTF_KIND_* constants defined in the kernel header, and because the header file is included in user applications, this happens in the user application compile units. This presents a problem if a user application is compiled on a system with older kernel headers because the constants are not available. To avoid this, add #defines of the constants directly in btf.h before using them. Since the kernel header moved to an enum for BTF_KIND_*, the #defines can shadow the enum values without any errors, so we only need #ifndef guards for the constants that predates the conversion to enum. We group these so there's only one guard for groups of values that were added together. [0] Closes: https://github.com/libbpf/libbpf/issues/436 Fixes: 223f903e9c83 ("bpf: Rename BTF_KIND_TAG to BTF_KIND_DECL_TAG") Fixes: 5b84bd10363e ("libbpf: Add support for BTF_KIND_TAG") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Andrii Nakryiko Acked-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/bpf/20220118141327.34231-1-toke@redhat.com Signed-off-by: Greg Kroah-Hartman commit 943625571182d01e84159c68eaa162baa484c627 Author: Kuniyuki Iwashima Date: Thu Mar 17 12:08:09 2022 +0900 af_unix: Support POLLPRI for OOB. commit d9a232d435dcc966738b0f414a86f7edf4f4c8c4 upstream. The commit 314001f0bf92 ("af_unix: Add OOB support") introduced OOB for AF_UNIX, but it lacks some changes for POLLPRI. Let's add the missing piece. In the selftest, normal datagrams are sent followed by OOB data, so this commit replaces `POLLIN | POLLPRI` with just `POLLPRI` in the first test case. Fixes: 314001f0bf92 ("af_unix: Add OOB support") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9d4c859d84a14a57a78f6c262d26a7f604a9d7c8 Author: Randy Dunlap Date: Tue Mar 22 14:47:52 2022 -0700 mm/usercopy: return 1 from hardened_usercopy __setup() handler commit 05fe3c103f7e6b8b4fca8a7001dfc9ed4628085b upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off or hardened_usercopy=on but when "hardened_usercopy=foo" is used, there is no Unknown kernel command line parameter. Return 1 to indicate that the boot option has been handled. Print a warning if strtobool() returns an error on the option string, but do not mark this as in unknown command line option and do not cause init's environment to be polluted with this string. Link: https://lkml.kernel.org/r/20220222034249.14795-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: b5cb15d9372ab ("usercopy: Allow boot cmdline disabling of hardening") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Acked-by: Chris von Recklinghausen Cc: Kees Cook Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 070e4b2cdddaa394cc38672fc7b311f23f638d8a Author: Randy Dunlap Date: Tue Mar 22 14:40:31 2022 -0700 mm/memcontrol: return 1 from cgroup.memory __setup() handler commit 460a79e18842caca6fa0c415de4a3ac1e671ac50 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). The only reason that this particular __setup handler does not pollute init's environment is that the setup string contains a '.', as in "cgroup.memory". This causes init/main.c::unknown_boottoption() to consider it to be an "Unused module parameter" and ignore it. (This is for parsing of loadable module parameters any time after kernel init.) Otherwise the string "cgroup.memory=whatever" would be added to init's environment strings. Instead of relying on this '.' quirk, just return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: cgroup.memory=anything_invalid Link: https://lkml.kernel.org/r/20220222005811.10672-1-rdunlap@infradead.org Fixes: f7e1cb6ec51b0 ("mm: memcontrol: account socket memory in unified hierarchy memory controller") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Reviewed-by: Michal Koutný Cc: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f9ccec3a8dfd439a326fa5a580f4823d7f82baa9 Author: Randy Dunlap Date: Sat Mar 12 07:36:09 2022 +0100 ARM: 9187/1: JIVE: fix return value of __setup handler commit 8b2360c7157b462c4870d447d1e65d30ef31f9aa upstream. __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from jive_mtdset(). Fixes: 9db829f485c5 ("[ARM] JIVE: Initial machine support for Logitech Jive") Signed-off-by: Randy Dunlap Cc: Ben Dooks Cc: Krzysztof Kozlowski Cc: Alim Akhtar Cc: linux-arm-kernel@lists.infradead.org Cc: linux-samsung-soc@vger.kernel.org Cc: patches@armlinux.org.uk Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit aaa0d690d4ba981a6aac18ab5cf788aa809b033c Author: Randy Dunlap Date: Tue Mar 22 14:42:27 2022 -0700 mm/mmap: return 1 from stack_guard_gap __setup() handler commit e6d094936988910ce6e8197570f2753898830081 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100 Return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: stack_guard_gap=anything_invalid and 'val' and stack_guard_gap are both set to 0 due to the use of simple_strtoul(). This could be improved by using kstrtoxxx() and checking for an error. It appears that having stack_guard_gap == 0 is valid (if unexpected) since using "stack_guard_gap=0" on the kernel command line does that. Link: https://lkml.kernel.org/r/20220222005817.11087-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1be7107fbe18e ("mm: larger stack guard gap, between vmas") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 145bfd63b7acb30b19457d800ac9f6df31da651f Author: Eric Dumazet Date: Mon Feb 21 19:21:12 2022 -0800 net: add skb_set_end_offset() helper commit 763087dab97547230a6807c865a6a5ae53a59247 upstream. We have multiple places where this helper is convenient, and plan using it in the following patch. Signed-off-by: Eric Dumazet Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 89e346c881522f3551de65d2a1d3f1b2c8648904 Author: Nemanja Rakovic Date: Mon Feb 21 13:12:25 2022 +0100 mips: Enable KCSAN - take 2 commit d1ca45f93c3f95d1590d60b012cf8fcf6db633ee upstream. Replaces KASAN_SANITIZE with KCSAN_SANITIZE in boot/compressed/Makefile. Fixes: e0a8b93efa23 mips: Enable KCSAN Signed-off-by: Nemanja Rakovic Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit e559c751ad887f2235979d00a8669c913924ce44 Author: Steven Rostedt (Google) Date: Fri Mar 18 15:34:32 2022 -0400 tracing: Have type enum modifications copy the strings commit 795301d3c28996219d555023ac6863401b6076bc upstream. When an enum is used in the visible parts of a trace event that is exported to user space, the user space applications like perf and trace-cmd do not have a way to know what the value of the enum is. To solve this, at boot up (or module load) the printk formats are modified to replace the enum with their numeric value in the string output. Array fields of the event are defined by [] in the type portion of the format file so that the user space parsers can correctly parse the array into the appropriate size chunks. But in some trace events, an enum is used in defining the size of the array, which once again breaks the parsing of user space tooling. This was solved the same way as the print formats were, but it modified the type strings of the trace event. This caused crashes in some architectures because, as supposed to the print string, is a const string value. This was not detected on x86, as it appears that const strings are still writable (at least in boot up), but other architectures this is not the case, and writing to a const string will cause a kernel fault. To fix this, use kstrdup() to copy the type before modifying it. If the trace event is for the core kernel there's no need to free it because the string will be in use for the life of the machine being on line. For modules, create a link list to store all the strings being allocated for modules and when the module is removed, free them. Link: https://lore.kernel.org/all/yt9dr1706b4i.fsf@linux.ibm.com/ Link: https://lkml.kernel.org/r/20220318153432.3984b871@gandalf.local.home Tested-by: Marc Zyngier Tested-by: Sven Schnelle Reported-by: Sven Schnelle Fixes: b3bc8547d3be ("tracing: Have TRACE_DEFINE_ENUM affect trace event types as well") Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit f2141881b530738777c28bb51c62175895c8178b Author: Linus Torvalds Date: Mon Mar 28 11:37:05 2022 -0700 Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" commit 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 upstream. Halil Pasic points out [1] that the full revert of that commit (revert in bddac7c1e02b), and that a partial revert that only reverts the problematic case, but still keeps some of the cleanups is probably better.  And that partial revert [2] had already been verified by Oleksandr Natalenko to also fix the issue, I had just missed that in the long discussion. So let's reinstate the cleanups from commit aa6f8dcbab47 ("swiotlb: rework "fix info leak with DMA_FROM_DEVICE""), and effectively only revert the part that caused problems. Link: https://lore.kernel.org/all/20220328013731.017ae3e3.pasic@linux.ibm.com/ [1] Link: https://lore.kernel.org/all/20220324055732.GB12078@lst.de/ [2] Link: https://lore.kernel.org/all/4386660.LvFx2qVVIh@natalenko.name/ [3] Suggested-by: Halil Pasic Tested-by: Oleksandr Natalenko Cc: Christoph Hellwig Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 01619aa347d35ac8b79751757784ec6f507a3215 Author: Duoming Zhou Date: Mon Mar 28 21:00:14 2022 +0800 ax25: fix UAF bug in ax25_send_control() commit 5352a761308397a0e6250fdc629bb3f615b94747 upstream. There are UAF bugs in ax25_send_control(), when we call ax25_release() to deallocate ax25_dev. The possible race condition is shown below: (Thread 1) | (Thread 2) ax25_dev_device_up() //(1) | | ax25_kill_by_device() ax25_bind() //(2) | ax25_connect() | ... ax25->state = AX25_STATE_1 | ... | ax25_dev_device_down() //(3) (Thread 3) ax25_release() | ax25_dev_put() //(4) FREE | case AX25_STATE_1: | ax25_send_control() | alloc_skb() //USE | The refcount of ax25_dev increases in position (1) and (2), and decreases in position (3) and (4). The ax25_dev will be freed before dereference sites in ax25_send_control(). The following is part of the report: [ 102.297448] BUG: KASAN: use-after-free in ax25_send_control+0x33/0x210 [ 102.297448] Read of size 8 at addr ffff888009e6e408 by task ax25_close/602 [ 102.297448] Call Trace: [ 102.303751] ax25_send_control+0x33/0x210 [ 102.303751] ax25_release+0x356/0x450 [ 102.305431] __sock_release+0x6d/0x120 [ 102.305431] sock_close+0xf/0x20 [ 102.305431] __fput+0x11f/0x420 [ 102.305431] task_work_run+0x86/0xd0 [ 102.307130] get_signal+0x1075/0x1220 [ 102.308253] arch_do_signal_or_restart+0x1df/0xc00 [ 102.308253] exit_to_user_mode_prepare+0x150/0x1e0 [ 102.308253] syscall_exit_to_user_mode+0x19/0x50 [ 102.308253] do_syscall_64+0x48/0x90 [ 102.308253] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 102.308253] RIP: 0033:0x405ae7 This patch defers the free operation of ax25_dev and net_device after all corresponding dereference sites in ax25_release() to avoid UAF. Fixes: 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") Signed-off-by: Duoming Zhou Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 69c05c5a011b5efdde294109189945abc5c03d71 Author: Maxim Levitsky Date: Tue Mar 22 19:24:45 2022 +0200 KVM: x86: SVM: fix avic spec based definitions again commit 0dacc3df898e219fa774f39e5e10d686364e0a27 upstream. Due to wrong rebase, commit 4a204f7895878 ("KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255") moved avic spec #defines back to avic.c. Move them back, and while at it extend AVIC_DOORBELL_PHYSICAL_ID_MASK to 12 bits as well (it will be used in nested avic) Signed-off-by: Maxim Levitsky Message-Id: <20220322172449.235575-5-mlevitsk@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 592e05ec98cc8997c53ad73681472aef9dafec9e Author: Jiasheng Jiang Date: Thu Mar 10 11:00:41 2022 +0800 ASoC: soc-compress: Change the check for codec_dai commit ccb4214f7f2a8b75acf493f31128e464ee1a3536 upstream. It should be better to reverse the check on codec_dai and returned early in order to be easier to understand. Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Jiasheng Jiang Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a6258a18a5922085473952b81cdf29881d07953e Author: Will Deacon Date: Wed Mar 9 12:21:37 2022 +0000 arm64: mm: Drop 'const' from conditional arm64_dma_phys_limit definition commit 770093459b9b333380aa71f2c31c60b14895c1df upstream. Commit 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones") introduced different definitions for 'arm64_dma_phys_limit' depending on CONFIG_ZONE_DMA{,32} based on a late suggestion from Pasha. Sadly, this results in a build error when passing W=1: | arch/arm64/mm/init.c:90:19: error: conflicting type qualifiers for 'arm64_dma_phys_limit' Drop the 'const' for now and use '__ro_after_init' consistently. Link: https://lore.kernel.org/r/202203090241.aj7paWeX-lkp@intel.com Link: https://lore.kernel.org/r/CA+CK2bDbbx=8R=UthkMesWOST8eJMtOGJdfMRTFSwVmo0Vn0EA@mail.gmail.com Fixes: 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones") Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d3e0db54cec4f8f0fcfb8daf3d1be7f4e3871b00 Author: Wan Jiabing Date: Mon Feb 28 10:56:41 2022 +0800 docs: fix 'make htmldocs' warning in SCTP.rst commit 70868c6b8fd80db585da57a264c50a69af8fd3c3 upstream. Fix following 'make htmldocs' warnings: ./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 5e50f5d4ff31 ("security: add sctp_assoc_established hook") Signed-off-by: Wan Jiabing Reviewed-by: Xin Long Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit dabb3495831ec73f85b027aa84248129e8c4617d Author: Arınç ÜNAL Date: Tue Feb 15 11:17:24 2022 +0300 staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet commit 25e4f5220efead592c83200241e098e757d37e1f upstream. Fix pinctrl-0 items under the ethernet node to be size-1 items. Current notation would be used on specifications with non-zero cells. Fixes: 0a93c0d75809 ("staging: mt7621-dts: fix pinctrl properties for ethernet") Reported-by: Sander Vanheule Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220215081725.3463-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit a6c5d48769592f47d0aaf6ff2c1a289c130736aa Author: Saurav Kashyap Date: Tue Feb 8 01:39:46 2022 -0800 scsi: qla2xxx: Add qla2x00_async_done() for async routines commit 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 upstream. This done routine will delete the timer and check for its return value and decrease the reference count accordingly. This prevents boot hangs reported after commit 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB") was merged. Link: https://lore.kernel.org/r/20220208093946.4471-1-njavali@marvell.com Fixes: 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB") Reported-by: Ewan Milne Tested-by: Ewan D. Milne Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 66db8488b9b9e5454a9519dc5a546b83360c82ea Author: Maxime Ripard Date: Wed Feb 2 10:43:40 2022 +0100 drm/connector: Fix typo in documentation commit dca384a3bf5af1c781cfa6aec63904bdb5018c36 upstream. Commit 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444") introduced two new variables in struct drm_display_info and their documentation, but the documentation part had a typo resulting in a doc build warning. Fixes: 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444") Reported-by: Stephen Rothwell Signed-off-by: Maxime Ripard Reviewed-by: Simon Ser Link: https://patchwork.freedesktop.org/patch/msgid/20220202094340.875190-1-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit b06bacfacdcdd8df7800b48814b96554b532b77f Author: Joerg Roedel Date: Mon Mar 21 10:33:51 2022 +0100 x86/sev: Unroll string mmio with CC_ATTR_GUEST_UNROLL_STRING_IO commit 4009a4ac82dd95b8cd2b62bd30019476983f0aff upstream. The io-specific memcpy/memset functions use string mmio accesses to do their work. Under SEV, the hypervisor can't emulate these instructions because they read/write directly from/to encrypted memory. KVM will inject a page fault exception into the guest when it is asked to emulate string mmio instructions for an SEV guest: BUG: unable to handle page fault for address: ffffc90000065068 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8000100000067 P4D 8000100000067 PUD 80001000fb067 PMD 80001000fc067 PTE 80000000fed40173 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.17.0-rc7 #3 As string mmio for an SEV guest can not be supported by the hypervisor, unroll the instructions for CC_ATTR_GUEST_UNROLL_STRING_IO enabled kernels. This issue appears when kernels are launched in recent libvirt-managed SEV virtual machines, because virt-install started to add a tpm-crb device to the guest by default and proactively because, raisins: https://github.com/virt-manager/virt-manager/commit/eb58c09f488b0633ed1eea012cd311e48864401e and as that commit says, the default adding of a TPM can be disabled with "virt-install ... --tpm none". The kernel driver for tpm-crb uses memcpy_to/from_io() functions to access MMIO memory, resulting in a page-fault injected by KVM and crashing the kernel at boot. [ bp: Massage and extend commit message. ] Fixes: d8aa7eea78a1 ('x86/mm: Add Secure Encrypted Virtualization (SEV) support') Signed-off-by: Joerg Roedel Signed-off-by: Borislav Petkov Reviewed-by: Tom Lendacky Cc: Link: https://lore.kernel.org/r/20220321093351.23976-1-joro@8bytes.org Signed-off-by: Greg Kroah-Hartman commit 17145e1caae660761ce273222c71eda59c7c1e84 Author: Yang Zhong Date: Sat Jan 29 09:36:46 2022 -0800 x86/fpu/xstate: Fix the ARCH_REQ_XCOMP_PERM implementation commit 063452fd94d153d4eb38ad58f210f3d37a09cca4 upstream. ARCH_REQ_XCOMP_PERM is supposed to add the requested feature to the permission bitmap of thread_group_leader()->fpu. But the code overwrites the bitmap with the requested feature bit only rather than adding it. Fix the code to add the requested feature bit to the master bitmask. Fixes: db8268df0983 ("x86/arch_prctl: Add controls for dynamic XSTATE components") Signed-off-by: Yang Zhong Signed-off-by: Chang S. Bae Signed-off-by: Thomas Gleixner Cc: Paolo Bonzini Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220129173647.27981-2-chang.seok.bae@intel.com Signed-off-by: Greg Kroah-Hartman commit 2fea16f9009a47d29658f9049ca9587cf8fe163b Author: Lv Ruyi Date: Tue Mar 29 10:40:04 2022 +0000 proc: bootconfig: Add null pointer check commit bed5b60bf67ccd8957b8c0558fead30c4a3f5d3f upstream. kzalloc is a memory allocation function which can return NULL when some internal memory errors happen. It is safer to add null pointer check. Link: https://lkml.kernel.org/r/20220329104004.2376879-1-lv.ruyi@zte.com.cn Cc: stable@vger.kernel.org Fixes: c1a3c36017d4 ("proc: bootconfig: Add /proc/bootconfig to show boot config list") Acked-by: Masami Hiramatsu Reported-by: Zeal Robot Signed-off-by: Lv Ruyi Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit b73b30e58975bc7da2e1093bae2b0e2cebf962e2 Author: Oliver Hartkopp Date: Mon Mar 28 13:36:11 2022 +0200 can: isotp: restore accidentally removed MSG_PEEK feature [ Upstream commit e382fea8ae54f5bb62869c6b69b33993d43adeca ] In commit 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") a new check for recvmsg flags has been introduced that only checked for the flags that are handled in isotp_recvmsg() itself. This accidentally removed the MSG_PEEK feature flag which is processed later in the call chain in __skb_try_recv_from_queue(). Add MSG_PEEK to the set of valid flags to restore the feature. Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1079554254 Link: https://lore.kernel.org/all/20220328113611.3691-1-socketcan@hartkopp.net Reported-by: Derek Will Suggested-by: Derek Will Tested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 4327422df1ede40d12fe9cd541870144908bfa6c Author: Hans de Goede Date: Sat Feb 5 12:28:40 2022 +0100 platform/x86: asus-wmi: Fix regression when probing for fan curve control commit d717e4509af0380a94dbc28b61839df39f17e1eb upstream. The fan curve control patches introduced a regression for at least the TUF FX506 and possibly other TUF series laptops that do not have support for fan curve control. As part of the probing process, asus_wmi_evaluate_method_buf is called to get the factory default fan curve . The WMI management function returns 0 on certain laptops to indicate lack of fan curve control instead of ASUS_WMI_UNSUPPORTED_METHOD. This 0 is transformed to -ENODATA which results in failure when probing. Fixes: 0f0ac158d28f ("platform/x86: asus-wmi: Add support for custom fan curves") Reported-and-tested-by: Abhijeet V Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220205112840.33095-1-hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman commit 4015c654a5f33a85e592447374e264a9bc842590 Author: Prashant Malani Date: Wed Jan 26 19:02:20 2022 +0000 platform/chrome: cros_ec_typec: Check for EC device commit ffebd90532728086007038986900426544e3df4e upstream. The Type C ACPI device on older Chromebooks is not generated correctly (since their EC firmware doesn't support the new commands required). In such cases, the crafted ACPI device doesn't have an EC parent, and it is therefore not useful (it shouldn't be generated in the first place since the EC firmware doesn't support any of the Type C commands). To handle devices which use these older firmware revisions, check for the parent EC device handle, and fail the probe if it's not found. Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") Reported-by: Alyssa Ross Reviewed-by: Tzung-Bi Shih Signed-off-by: Prashant Malani Acked-by: Heikki Krogerus Reviewed-by: Alyssa Ross Tested-by: Alyssa Ross Link: https://lore.kernel.org/r/20220126190219.3095419-1-pmalani@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit 506d09ed182af34293bcfce14da42bf4753581f4 Author: Jon Hunter Date: Mon Mar 7 11:35:29 2022 +0000 spi: Fix Tegra QSPI example commit 320689a1b543ca1396b3ed43bb18045e4a7ffd79 upstream. When running dt_binding_check on the nvidia,tegra210-quad.yaml binding document the following error is reported ... nvidia,tegra210-quad.example.dt.yaml:0:0: /example-0/spi@70410000/flash@0: failed to match any schema with compatible: ['spi-nor'] Update the example in the binding document to fix the above error. Signed-off-by: Jon Hunter Fixes: 9684752e5fe3 ("dt-bindings: spi: Add Tegra Quad SPI device tree binding") Link: https://lore.kernel.org/r/20220307113529.315685-1-jonathanh@nvidia.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a745014c59bbd6b4faeb3b8bac3b44281b3026a3 Author: Anirudh Rayabharam Date: Sat Mar 12 19:41:21 2022 +0530 vhost: handle error while adding split ranges to iotlb commit 03a91c9af2c42ae14afafb829a4b7e6589ab5892 upstream. vhost_iotlb_add_range_ctx() handles the range [0, ULONG_MAX] by splitting it into two ranges and adding them separately. The return value of adding the first range to the iotlb is currently ignored. Check the return value and bail out in case of an error. Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20220312141121.4981-1-mail@anirudhrb.com Signed-off-by: Michael S. Tsirkin Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") Reviewed-by: Stefano Garzarella Signed-off-by: Greg Kroah-Hartman commit d7339f2a3938fb56b5f28d53f5345900b5fa0e74 Author: Rafael J. Wysocki Date: Tue Mar 22 17:02:05 2022 +0100 ACPI: CPPC: Avoid out of bounds access when parsing _CPC data commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream. If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then. Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC") BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/ Reported-by: kernel test robot Signed-off-by: Rafael J. Wysocki Reviewed-by: Huang Rui Signed-off-by: Greg Kroah-Hartman commit 559ea0f38b7edf50d605fa1d32599c1f09a4cb97 Author: Fangrui Song Date: Mon Mar 21 18:26:17 2022 -0700 riscv module: remove (NOLOAD) commit 60210a3d86dc57ce4a76a366e7841dda746a33f7 upstream. On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually inappropriate for .plt, .got, and .got.plt sections which are always SHT_PROGBITS. In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway and (NOLOAD) will be essentially ignored. In ld.lld, since https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to customize the output section type"), ld.lld will report a `section type mismatch` error (later changed to a warning). Just remove (NOLOAD) to fix the warning. [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The section should be marked as not loadable" on https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is outdated for ELF. Link: https://github.com/ClangBuiltLinux/linux/issues/1597 Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module") Reported-by: Nathan Chancellor Signed-off-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit 7fa8b228c3f30060b9f4b24bb9aaaf41b0ae83fe Author: Pavel Begunkov Date: Fri Mar 25 16:36:31 2022 +0000 io_uring: fix memory leak of uid in files registration commit c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8 upstream. When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid. Fixes: 08a451739a9b5 ("io_uring: allow sparse fixed file sets") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/accee442376f33ce8aaebb099d04967533efde92.1648226048.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f3d218c450e5bbc96a107a9882b9450c9421f55a Author: Jens Axboe Date: Tue Mar 22 06:57:25 2022 -0600 io_uring: bump poll refs to full 31-bits commit e2c0cb7c0cc72939b61a7efee376206725796625 upstream. The previous commit: 1bc84c40088 ("io_uring: remove poll entry from list when canceling all") removed a potential overflow condition for the poll references. They are currently limited to 20-bits, even if we have 31-bits available. The upper bit is used to mark for cancelation. Bump the poll ref space to 31-bits, making that kind of situation much harder to trigger in general. We'll separately add overflow checking and handling. Fixes: aa43477b0402 ("io_uring: poll rework") Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 484989ad2a1d333fd96dfafdae6f67b6fd2077aa Author: Jens Axboe Date: Mon Mar 21 19:03:24 2022 -0600 io_uring: remove poll entry from list when canceling all commit 61bc84c4008812d784c398cfb54118c1ba396dfc upstream. When the ring is exiting, as part of the shutdown, poll requests are removed. But io_poll_remove_all() does not remove entries when finding them, and since completions are done out-of-band, we can find and remove the same entry multiple times. We do guard the poll execution by poll ownership, but that does not exclude us from reissuing a new one once the previous removal ownership goes away. This can race with poll execution as well, where we then end up seeing req->apoll be NULL because a previous task_work requeue finished the request. Remove the poll entry when we find it and get ownership of it. This prevents multiple invocations from finding it. Fixes: aa43477b0402 ("io_uring: poll rework") Reported-by: Dylan Yudaken Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4ae431113179d72c668b61df320af0c06d1aa5c5 Author: Stefano Garzarella Date: Tue Mar 22 12:43:13 2022 +0100 virtio: use virtio_device_ready() in virtio_device_restore() commit 8d65bc9a5be3f23c5e2ab36b6b8ef40095165b18 upstream. After waking up a suspended VM, the kernel prints the following trace for virtio drivers which do not directly call virtio_device_ready() in the .restore: PM: suspend exit irq 22: nobody cared (try booting with the "irqpoll" option) Call Trace: dump_stack_lvl+0x38/0x49 dump_stack+0x10/0x12 __report_bad_irq+0x3a/0xaf note_interrupt.cold+0xb/0x60 handle_irq_event+0x71/0x80 handle_fasteoi_irq+0x95/0x1e0 __common_interrupt+0x6b/0x110 common_interrupt+0x63/0xe0 asm_common_interrupt+0x1e/0x40 ? __do_softirq+0x75/0x2f3 irq_exit_rcu+0x93/0xe0 sysvec_apic_timer_interrupt+0xac/0xd0 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch_cpu_idle+0x12/0x20 default_idle_call+0x39/0xf0 do_idle+0x1b5/0x210 cpu_startup_entry+0x20/0x30 start_secondary+0xf3/0x100 secondary_startup_64_no_verify+0xc3/0xcb handlers: [<000000008f9bac49>] vp_interrupt [<000000008f9bac49>] vp_interrupt Disabling IRQ #22 This happens because we don't invoke .enable_cbs callback in virtio_device_restore(). That callback is used by some transports (e.g. virtio-pci) to enable interrupts. Let's fix it, by calling virtio_device_ready() as we do in virtio_dev_probe(). This function calls .enable_cts callback and sets DRIVER_OK status bit. This fix also avoids setting DRIVER_OK twice for those drivers that call virtio_device_ready() in the .restore. Fixes: d50497eb4e55 ("virtio_config: introduce a new .enable_cbs method") Signed-off-by: Stefano Garzarella Link: https://lore.kernel.org/r/20220322114313.116516-1-sgarzare@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit d62708b33a8f84dd5e9f961f7fd5f707f1739570 Author: Jason Wang Date: Wed Mar 23 11:15:24 2022 +0800 Revert "virtio_pci: harden MSI-X interrupts" commit eb4cecb453a19b34d5454b49532e09e9cb0c1529 upstream. This reverts commit 9e35276a5344f74d4a3600fc4100b3dd251d5c56. Issue were reported for the drivers that are using affinity managed IRQ where manually toggling IRQ status is not expected. And we forget to enable the interrupts in the restore path as well. In the future, we will rework on the interrupt hardening. Fixes: 9e35276a5344 ("virtio_pci: harden MSI-X interrupts") Reported-by: Marc Zyngier Reported-by: Stefano Garzarella Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20220323031524.6555-2-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit caa71784e747c6ab75b5a2c126775072bf4526be Author: Jason Wang Date: Wed Mar 23 11:15:23 2022 +0800 Revert "virtio-pci: harden INTX interrupts" commit 7b79edfb862d6b1ecc66479419ae67a7db2d02e3 upstream. This reverts commit 080cd7c3ac8701081d143a15ba17dd9475313188. Since the MSI-X interrupts hardening will be reverted in the next patch. We will rework the interrupt hardening in the future. Fixes: 080cd7c3ac87 ("virtio-pci: harden INTX interrupts") Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20220323031524.6555-1-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 9c2463490b9b5a9d86d9892e0b3eba74ebe548a0 Author: Jiri Slaby Date: Mon Mar 28 10:59:28 2022 +0200 block: restore the old set_task_ioprio() behaviour wrt PF_EXITING commit 15583a563cd5a7358e975599b7de7caacd9e9ce9 upstream. PF_EXITING tasks were silently ignored before the below commits. Continue doing so. Otherwise python-psutil tests fail: ERROR: psutil.tests.test_process.TestProcess.test_zombie_process ---------------------------------------------------------------------- Traceback (most recent call last): File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/build/lib.linux-x86_64-3.9/psutil/_pslinux.py", line 1661, in wrapper return fun(self, *args, **kwargs) File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/build/lib.linux-x86_64-3.9/psutil/_pslinux.py", line 2133, in ionice_set return cext.proc_ioprio_set(self.pid, ioclass, value) ProcessLookupError: [Errno 3] No such process During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/psutil/tests/test_process.py", line 1313, in test_zombie_process succeed_or_zombie_p_exc(fun) File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/psutil/tests/test_process.py", line 1288, in succeed_or_zombie_p_exc return fun() File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/build/lib.linux-x86_64-3.9/psutil/__init__.py", line 792, in ionice return self._proc.ionice_set(ioclass, value) File "/home/abuild/rpmbuild/BUILD/psutil-5.9.0/build/lib.linux-x86_64-3.9/psutil/_pslinux.py", line 1665, in wrapper raise NoSuchProcess(self.pid, self._name) psutil.NoSuchProcess: process no longer exists (pid=2057) Cc: Christoph Hellwig Cc: Jan Kara Cc: Jens Axboe Fixes: 5fc11eebb4 (block: open code create_task_io_context in set_task_ioprio) Fixes: a957b61254 (block: fix error in handling dead task for ioprio setting) Signed-off-by: Jiri Slaby Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20220328085928.7899-1-jslaby@suse.cz Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit fbe2cc4525480ddd20c866bb5c0578071e01451a Author: Christophe JAILLET Date: Sat Mar 26 15:50:46 2022 +0100 block: Fix the maximum minor value is blk_alloc_ext_minor() commit d1868328dec5ae2cf210111025fcbc71f78dd5ca upstream. ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive. So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor(). This is an issue because in device_add_disk(), this value is used in: ddev->devt = MKDEV(disk->major, disk->first_minor); and NR_EXT_DEVT is '(1 << MINORBITS)'. So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow. Fixes: 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get") Signed-off-by: Christophe JAILLET Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/cc17199798312406b90834e433d2cefe8266823d.1648306232.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 17a703df1b81d91c07fef298852a52d05b4b228d Author: Arnd Bergmann Date: Tue Nov 30 11:16:41 2021 +0100 ARM: iop32x: offset IRQ numbers by 1 commit 9d67412f24cc3a2c05f35f7c856addb07a2960ce upstream. iop32x is one of the last platforms to use IRQ 0, and this has apparently stopped working in a 2014 cleanup without anyone noticing. This interrupt is used for the DMA engine, so most likely this has not actually worked in the past 7 years, but it's also not essential for using this board. I'm splitting out this change from my GENERIC_IRQ_MULTI_HANDLER conversion so it can be backported if anyone cares. Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq") Signed-off-by: Arnd Bergmann [ardb: take +1 offset into account in mask/unmask and init as well] Signed-off-by: Ard Biesheuvel Tested-by: Marc Zyngier Tested-by: Vladimir Murzin # ARMv7M Reviewed-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 5f9e9c223e48c264241d2f34d0bfc29e5fcb5c1b Author: Baokun Li Date: Fri Nov 5 17:30:22 2021 +0800 ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl commit 3cbf0e392f173ba0ce425968c8374a6aa3e90f2e upstream. Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain Fixes: 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev") Reported-by: Hulk Robot Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 2703a716ac245050544b64a280293c4907253cbf Author: Jiaxin Yu Date: Sat Mar 19 20:03:25 2022 +0800 ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs commit a7663c89f4193dbf717572e46e5a3251940dbdc8 upstream. Fixes the following build errors when mt6358 is configured as module: >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-rt1019-rt5682s.ko] undefined! >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-da7219-max98357.ko] undefined! Fixes: 6a8d4198ca80 ("ASoC: mediatek: mt6358: add codec driver") Signed-off-by: Jiaxin Yu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220319120325.11882-1-jiaxin.yu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit bc38dc4ca23bf72465f79bd1adbaf098aef452d7 Author: Meng Tang Date: Fri Mar 18 18:01:46 2022 +0800 ASoC: rockchip: i2s_tdm: Fixup config for SND_SOC_DAIFMT_DSP_A/B commit 2f45a4e2897793cc6ae25f5fe78b485ce7fd01d0 upstream. SND_SOC_DAIFMT_DSP_A: PCM delay 1 bit mode, L data MSB after FRM LRC SND_SOC_DAIFMT_DSP_B: PCM no delay mode, L data MSB during FRM LRC Fixes: 081068fd64140 (ASoC: rockchip: add support for i2s-tdm controller) Signed-off-by: Meng Tang Link: https://lore.kernel.org/r/20220318100146.23991-1-tangmeng@uniontech.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 29b6fa7f2291c93da36c53698218698cc0f5a7ae Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:30 2022 +0100 pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() commit 9d0f18bca3b557ae5d2128661ac06d33b3f45c0a upstream. When compile-testing on 64-bit architectures, GCC complains about the mismatch of types between the %d format specifier and value returned by ARRAY_LENGTH(). Use %zu, which is correct everywhere. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-2-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 77190d5f8e079e04df1c8fb67451ff5dc958c65b Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:31 2022 +0100 pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() commit 603501c16431c56f74eaef1ee1390f60a30c2187 upstream. The name "DS" is defined in arch/x86/um/shared/sysdep/ptrace_64.h, which results in a compiler warning when build-testing on ARCH=um. Rename this driver's "DS" macro to DSTR so avoid this collision. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-3-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit ae90ae9499d11963bb49ebc2a93e9ff1d366fa1f Author: Randy Dunlap Date: Tue Mar 29 18:20:25 2022 -0700 net: sparx5: uses, depends on BRIDGE or !BRIDGE commit f9512d654f62604664251dedd437a22fe484974a upstream. Fix build errors when BRIDGE=m and SPARX5_SWITCH=y: riscv64-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.o: in function `.L305': sparx5_switchdev.c:(.text+0xdb0): undefined reference to `br_vlan_enabled' riscv64-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.o: in function `.L283': sparx5_switchdev.c:(.text+0xee0): undefined reference to `br_vlan_enabled' Fixes: 3cfa11bac9bb ("net: sparx5: add the basic sparx5 driver") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Horatiu Vultur Cc: Lars Povlsen Cc: Steen Hegelund Cc: UNGLinuxDriver@microchip.com Cc: Paolo Abeni Link: https://lore.kernel.org/r/20220330012025.29560-1-rdunlap@infradead.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7992be234573eb1775973f9e3a91ae7313567b3d Author: Miaoqian Lin Date: Wed Jan 5 09:21:13 2022 +0000 watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function commit d055ef3a2c6919cff504ae3b710c96318d545fd2 upstream. If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Miaoqian Lin Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220105092114.23932-1-linmq006@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit e18eeb3e1af4409d8aac3b026137c61760583688 Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:46 2022 +0800 pinctrl: pinconf-generic: Print arguments for bias-pull-* commit 188e5834b930acd03ad3cf7c5e7aa24db9665a29 upstream. The bias-pull-* properties, or PIN_CONFIG_BIAS_PULL_* pin config parameters, accept optional arguments in ohms denoting the strength of the pin bias. Print these values out in debugfs as well. Fixes: eec450713e5c ("pinctrl: pinconf-generic: Add flag to print arguments") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Tested-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-2-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 375cd2536494cfbcdda84ae8b3e35bf19d0250b9 Author: Eric Dumazet Date: Mon Mar 28 18:07:04 2022 +0100 watch_queue: Free the page array when watch_queue is dismantled commit b490207017ba237d97b735b2aa66dc241ccd18f5 upstream. Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array. BUG: memory leak unreferenced object 0xffff88810d9bc140 (size 32): comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s) hex dump (first 32 bytes): 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: kmalloc_array include/linux/slab.h:621 [inline] kcalloc include/linux/slab.h:652 [inline] watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251 pipe_ioctl+0x82/0x140 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] Reported-by: syzbot+25ea042ae28f3888727a@syzkaller.appspotmail.com Fixes: c73be61cede5 ("pipe: Add general notification queue support") Signed-off-by: Eric Dumazet Signed-off-by: David Howells Cc: Jann Horn Link: https://lore.kernel.org/r/20220322004654.618274-1-eric.dumazet@gmail.com/ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 00c932b5534cd6ed86437d04244828bbda757d46 Author: Herbert Xu Date: Thu Mar 17 10:55:13 2022 +1200 crypto: arm/aes-neonbs-cbc - Select generic cbc and aes commit c8bd296cca3434b13b28b074eaeb78a23284de77 upstream. The algorithm __cbc-aes-neonbs requires a fallback so we need to select the config options for them or otherwise it will fail to register on boot-up. Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc...") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 1a0ca96ed2608aa07af3cc60aa88acbbd53370bf Author: Peter Zijlstra Date: Thu Mar 24 00:05:55 2022 +0100 crypto: x86/poly1305 - Fixup SLS commit 7ed7aa4de9421229be6d331ed52d5cd09c99f409 upstream. Due to being a perl generated asm file, it got missed by the mass convertion script. arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_init_x86_64()+0x3a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_x86_64()+0xf2: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_x86_64()+0x37: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_block()+0x6d: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: __poly1305_init_avx()+0x1e8: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx()+0xaf8: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_emit_avx()+0x99: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx2()+0x776: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x18a: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x796: missing int3 after ret arch/x86/crypto/poly1305-x86_64-cryptogams.o: warning: objtool: poly1305_blocks_avx512()+0x10bd: missing int3 after ret Fixes: f94909ceb1ed ("x86: Prepare asm files for straight-line-speculation") Signed-off-by: Peter Zijlstra (Intel) Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit b4dafd9585a6d30651ba5c85b522d629d5324a39 Author: Robin Gong Date: Mon Feb 7 09:52:06 2022 +0800 mailbox: imx: fix wakeup failure from freeze mode commit 892cb524ae8a27bf5e42f711318371acd9a9f74a upstream. Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq can't be used for wakeup source so that can't wakeup from freeze mode. Add pm_system_wakeup() to wakeup from freeze mode. Fixes: b7b2796b9b31e("mailbox: imx: ONLY IPC MU needs IRQF_NO_SUSPEND flag") Reviewed-by: Jacky Bai Reviewed-by: Peng Fan Signed-off-by: Robin Gong Signed-off-by: Peng Fan Signed-off-by: Jassi Brar Signed-off-by: Greg Kroah-Hartman commit 5e3c11144e557a9dbf9a2f6abe444689ef9d8aae Author: David Howells Date: Wed Mar 30 15:39:16 2022 +0100 rxrpc: Fix call timer start racing with call destruction commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 upstream. The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref or other lock is taken - the call can start getting destroyed at the same time a packet comes in addressed to that call. This causes the timer - which was already stopped - to get restarted. Later, the timer dispatch code may then oops if the timer got deallocated first. Fix this by trying to take a ref on the rxrpc_call struct and, if successful, passing that ref along to the timer. If the timer was already running, the ref is discarded. The timer completion routine can then pass the ref along to the call's work item when it queues it. If the timer or work item where already queued/running, the extra ref is discarded. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Reported-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Marc Dionne Tested-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005073.html Link: https://lore.kernel.org/r/164865115696.2943015.11097991776647323586.stgit@warthog.procyon.org.uk Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 4e1f670e1b440dc783dbeb881d575bca31474f73 Author: Xiaolong Huang Date: Wed Mar 30 15:22:14 2022 +0100 rxrpc: fix some null-ptr-deref bugs in server_key.c commit ff8376ade4f668130385839cef586a0990f8ef87 upstream. Some function calls are not implemented in rxrpc_no_security, there are preparse_server_key, free_preparse_server_key and destroy_server_key. When rxrpc security type is rxrpc_no_security, user can easily trigger a null-ptr-deref bug via ioctl. So judgment should be added to prevent it The crash log: user@syzkaller:~$ ./rxrpc_preparse_s [ 37.956878][T15626] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 37.957645][T15626] #PF: supervisor instruction fetch in kernel mode [ 37.958229][T15626] #PF: error_code(0x0010) - not-present page [ 37.958762][T15626] PGD 4aadf067 P4D 4aadf067 PUD 4aade067 PMD 0 [ 37.959321][T15626] Oops: 0010 [#1] PREEMPT SMP [ 37.959739][T15626] CPU: 0 PID: 15626 Comm: rxrpc_preparse_ Not tainted 5.17.0-01442-gb47d5a4f6b8d #43 [ 37.960588][T15626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 37.961474][T15626] RIP: 0010:0x0 [ 37.961787][T15626] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. [ 37.962480][T15626] RSP: 0018:ffffc9000d9abdc0 EFLAGS: 00010286 [ 37.963018][T15626] RAX: ffffffff84335200 RBX: ffff888012a1ce80 RCX: 0000000000000000 [ 37.963727][T15626] RDX: 0000000000000000 RSI: ffffffff84a736dc RDI: ffffc9000d9abe48 [ 37.964425][T15626] RBP: ffffc9000d9abe48 R08: 0000000000000000 R09: 0000000000000002 [ 37.965118][T15626] R10: 000000000000000a R11: f000000000000000 R12: ffff888013145680 [ 37.965836][T15626] R13: 0000000000000000 R14: ffffffffffffffec R15: ffff8880432aba80 [ 37.966441][T15626] FS: 00007f2177907700(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 37.966979][T15626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.967384][T15626] CR2: ffffffffffffffd6 CR3: 000000004aaf1000 CR4: 00000000000006f0 [ 37.967864][T15626] Call Trace: [ 37.968062][T15626] [ 37.968240][T15626] rxrpc_preparse_s+0x59/0x90 [ 37.968541][T15626] key_create_or_update+0x174/0x510 [ 37.968863][T15626] __x64_sys_add_key+0x139/0x1d0 [ 37.969165][T15626] do_syscall_64+0x35/0xb0 [ 37.969451][T15626] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 37.969824][T15626] RIP: 0033:0x43a1f9 Signed-off-by: Xiaolong Huang Tested-by: Xiaolong Huang Signed-off-by: David Howells Acked-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005069.html Fixes: 12da59fcab5a ("rxrpc: Hand server key parsing off to the security class") Link: https://lore.kernel.org/r/164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 3c4903cfc45e37e77185f6d63ee3fc9571a5ea23 Author: Guangbin Huang Date: Wed Mar 30 21:45:06 2022 +0800 net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware commit 7ed258f12ec5ce855f15cdfb5710361dc82fe899 upstream. When user delete vlan 0, as driver will not delete vlan 0 for hardware in function hclge_set_vlan_filter_hw(), so vlan 0 in software vlan talbe should not be deleted. Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed") Signed-off-by: Guangbin Huang Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 7c93be8639a7de45349e3b31eb45b610bad9aec4 Author: Yufeng Mo Date: Wed Mar 30 21:45:05 2022 +0800 net: hns3: fix the concurrency between functions reading debugfs commit 9c9a04212fa380d2e7d1412bb281309955c0a781 upstream. Currently, the debugfs mechanism is that all functions share a global variable to save the pointer for obtaining data. When different functions concurrently access the same file node, repeated release exceptions occur. Therefore, the granularity of the pointer for storing the obtained data is adjusted to be private for each function. Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") Signed-off-by: Yufeng Mo Signed-off-by: Guangbin Huang Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit b376ffc4beb974ebbd0eea001064ec8ff4c1de6d Author: Andrew Price Date: Tue Mar 22 19:05:51 2022 +0000 gfs2: Make sure FITRIM minlen is rounded up to fs block size commit 27ca8273fda398638ca994a207323a85b6d81190 upstream. Per fstrim(8) we must round up the minlen argument to the fs block size. The current calculation doesn't take into account devices that have a discard granularity and requested minlen less than 1 fs block, so the value can get shifted away to zero in the translation to fs blocks. The zero minlen passed to gfs2_rgrp_send_discards() then allows sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL and results in gfs2_rgrp_send_discards() returning -EIO. Make sure minlen is never < 1 fs block by taking the max of the requested minlen and the fs block size before comparing to the device's discard granularity and shifting to fs blocks. Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling") Signed-off-by: Andrew Price Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit fbb74bc00f9a2a63b646945fd179aaf7249c3a77 Author: Andreas Gruenbacher Date: Thu Mar 17 14:47:24 2022 +0100 gfs2: Fix gfs2_file_buffered_write endless loop workaround commit 46f3e0421ccb5474b5c006b0089b9dfd42534bb6 upstream. Since commit 554c577cee95b, gfs2_file_buffered_write() can accidentally return a truncated iov_iter, which might confuse callers. Fix that. Fixes: 554c577cee95b ("gfs2: Prevent endless loops in gfs2_file_buffered_write") Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit d690d148c63a1cabe7c7d9f813cc79db4eab8d12 Author: Andreas Gruenbacher Date: Fri Dec 10 14:43:36 2021 +0100 gfs2: gfs2_setattr_size error path fix commit 7336905a89f19173bf9301cd50a24421162f417c upstream. When gfs2_setattr_size() fails, it calls gfs2_rs_delete(ip, NULL) to get rid of any reservations the inode may have. Instead, it should pass in the inode's write count as the second parameter to allow gfs2_rs_delete() to figure out if the inode has any writers left. In a next step, there are two instances of gfs2_rs_delete(ip, NULL) left where we know that there can be no other users of the inode. Replace those with gfs2_rs_deltree(&ip->i_res) to avoid the unnecessary write count check. With that, gfs2_rs_delete() is only called with the inode's actual write count, so get rid of the second parameter. Fixes: a097dc7e24cb ("GFS2: Make rgrp reservations part of the gfs2_inode structure") Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit d25ea02f4bfb7420a829bbf2df461129143c49fc Author: Carlos Llamas Date: Tue Mar 29 20:18:15 2022 +0000 loop: fix ioctl calls using compat_loop_info commit f941c51eeac7ebe0f8ec30943bf78e7f60aad039 upstream. Support for cryptoloop was deleted in commit 47e9624616c8 ("block: remove support for cryptoloop and the xor transfer"), making the usage of loop_info->lo_encrypt_type obsolete. However, this member was also removed from the compat_loop_info definition and this breaks userspace ioctl calls for 32-bit binaries and CONFIG_COMPAT=y. This patch restores the compat_loop_info->lo_encrypt_type member and marks it obsolete as well as in the uapi header definitions. Fixes: 47e9624616c8 ("block: remove support for cryptoloop and the xor transfer") Signed-off-by: Carlos Llamas Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220329201815.1347500-1-cmllamas@google.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 11eaa1352d8aea974aeccebe7b0d757f4c1e4bc8 Author: Tom Rix Date: Sat Mar 26 12:42:36 2022 -0700 rtc: check if __rtc_read_time was successful commit 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf upstream. Clang static analysis reports this issue interface.c:810:8: warning: Passed-by-value struct argument contains uninitialized data now = rtc_tm_to_ktime(tm); ^~~~~~~~~~~~~~~~~~~ tm is set by a successful call to __rtc_read_time() but its return status is not checked. Check if it was successful before setting the enabled flag. Move the decl of err to function scope. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Tom Rix Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220326194236.2916310-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit de66e4f28dfd11f954966c447b4430529ed040a2 Author: Miaoqian Lin Date: Wed Mar 9 09:22:25 2022 +0000 rtc: gamecube: Fix refcount leak in gamecube_rtc_read_offset_from_sram commit 4b2dc39ca024990abe36ad5d145c4fe0c06afd34 upstream. The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. Fixes: 86559400b3ef ("rtc: gamecube: Add a RTC driver for the GameCube, Wii and Wii U") Signed-off-by: Miaoqian Lin Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220309092225.6930-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman commit 455014ca5edd6cef34a8399ed7fbf57dad26239c Author: Masahiro Yamada Date: Sat Apr 2 00:56:10 2022 +0900 modpost: restore the warning message for missing symbol versions commit bf5c0c2231bcab677e5cdfb7f73e6c79f6d8c2d4 upstream. This log message was accidentally chopped off. I was wondering why this happened, but checking the ML log, Mark precisely followed my suggestion [1]. I just used "..." because I was too lazy to type the sentence fully. Sorry for the confusion. [1]: https://lore.kernel.org/all/CAK7LNAR6bXXk9-ZzZYpTqzFqdYbQsZHmiWspu27rtsFxvfRuVA@mail.gmail.com/ Fixes: 4a6795933a89 ("kbuild: modpost: Explicitly warn about unprototyped symbols") Signed-off-by: Masahiro Yamada Acked-by: Mark Brown Reviewed-by: Nick Desaulniers Signed-off-by: Greg Kroah-Hartman commit 0fe42c4dad5d2f40de86d9f32d40430894225eb2 Author: Matthew Wilcox (Oracle) Date: Thu Mar 31 08:27:09 2022 -0400 XArray: Update the LRU list in xas_split() commit 3ed4bb77156da0bc732847c8c9df92454c1fbeea upstream. When splitting a value entry, we may need to add the new nodes to the LRU list and remove the parent node from the LRU list. The WARN_ON checks in shadow_lru_isolate() catch this oversight. This bug was latent until we stopped splitting folios in shrink_page_list() with commit 820c4e2e6f51 ("mm/vmscan: Free non-shmem folios without splitting them"). That allows the creation of large shadow entries, and subsequently when trying to page in a small page, we will split the large shadow entry in __filemap_add_folio(). Fixes: 8fc75643c5e1 ("XArray: add xas_split") Reported-by: Hugh Dickins Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 6e9b477fdc850241b1ab931ea3957cbea847b03e Author: Matthew Wilcox (Oracle) Date: Thu Feb 3 16:01:39 2022 -0500 XArray: Include bitmap.h from xarray.h commit 22f56b8e890d4e2835951b437bb6eeebfd1cb18b upstream. xas_find_chunk() calls find_next_bit(), which is defined in find.h, included from bitmap.h. Inside the kernel, this isn't a problem because bitmap.h is included from cpumask.h which is dragged in (eventually) by gfp.h. When building the test-suite, that doesn't happen, so we need to include bitmap.h explicitly. Fixes: 4ade0818cf04 ("tools: sync tools/bitmap with mother linux") Reported-by: Liam Howlett Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit bcb0ab16bf84d99b7aee3c072f47e0f9c9fcdbbb Author: Tom Rix Date: Sat Mar 19 08:31:28 2022 -0700 can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value commit fa7b514d2b2894e052b8e94c7a29feb98e90093f upstream. Clang static analysis reports this issue: | mcp251xfd-core.c:1813:7: warning: The left operand | of '&' is a garbage value | FIELD_GET(MCP251XFD_REG_DEVID_ID_MASK, dev_id), | ^ ~~~~~~ dev_id is set in a successful call to mcp251xfd_register_get_dev_id(). Though the status of calls made by mcp251xfd_register_get_dev_id() are checked and handled, their status' are not returned. So return err. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Link: https://lore.kernel.org/all/20220319153128.2164120-1-trix@redhat.com Signed-off-by: Tom Rix Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit f2ec3cd0f34f8c3f94bc21fbba14868301c9c49d Author: Pavel Skripkin Date: Sun Mar 13 13:09:03 2022 +0300 can: mcba_usb: properly check endpoint type commit 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 upstream. Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. We should check that in endpoint is actually present to prevent this warning. Found pipes are now saved to struct mcba_priv and code uses them directly instead of making pipes in place. Fail log: | usb 5-1: BOGUS urb xfer, pipe 3 != type 1 | WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | Modules linked in: | CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0 | Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 | Workqueue: usb_hub_wq hub_event | RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | ... | Call Trace: | | mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline] | mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858 | usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 | call_driver_probe drivers/base/dd.c:517 [inline] Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Reviewed-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 42a4b0dfd365c4f77f96fd1f73a64b47ae443a38 Author: Hangyu Hua Date: Fri Mar 11 16:02:08 2022 +0800 can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes original skb and can_free_echo_skb() deletes the cloned skb. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 18f13edf3424b3b61814b69d5269b2e14584800c Author: Matthew Wilcox (Oracle) Date: Mon Mar 28 19:25:11 2022 -0400 XArray: Fix xas_create_range() when multi-order entry present commit 3e3c658055c002900982513e289398a1aad4a488 upstream. If there is already an entry present that is of order >= XA_CHUNK_SHIFT when we call xas_create_range(), xas_create_range() will misinterpret that entry as a node and dereference xa_node->parent, generally leading to a crash that looks something like this: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0 RIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline] RIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725 It's deterministically reproducable once you know what the problem is, but producing it in a live kernel requires khugepaged to hit a race. While the problem has been present since xas_create_range() was introduced, I'm not aware of a way to hit it before the page cache was converted to use multi-index entries. Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") Reported-by: syzbot+0d2b0bf32ca5cfd09f2e@syzkaller.appspotmail.com Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit d277108f9ca223ed649d56024cb6728c1cde65fa Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:27 2022 -0400 wireguard: socket: ignore v6 endpoints when ipv6 is disabled commit 77fc73ac89be96ec8f39e8efa53885caa7cb3645 upstream. The previous commit fixed a memory leak on the send path in the event that IPv6 is disabled at compile time, but how did a packet even arrive there to begin with? It turns out we have previously allowed IPv6 endpoints even when IPv6 support is disabled at compile time. This is awkward and inconsistent. Instead, let's just ignore all things IPv6, the same way we do other malformed endpoints, in the case where IPv6 is disabled. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0b19bcb753dbfb74710d12bb2761ec5ed706c726 Author: Wang Hai Date: Tue Mar 29 21:31:26 2022 -0400 wireguard: socket: free skb in send6 when ipv6 is disabled commit bbbf962d9460194993ee1943a793a0a0af4a7fbf upstream. I got a memory leak report: unreferenced object 0xffff8881191fc040 (size 232): comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x84/0x3b0 [] kmem_cache_alloc_node+0x167/0x340 [] __alloc_skb+0x1db/0x200 [] wg_socket_send_buffer_to_peer+0x3d/0xc0 [] wg_packet_send_handshake_initiation+0xfa/0x110 [] wg_packet_handshake_send_worker+0x21/0x30 [] process_one_work+0x2e8/0x770 [] worker_thread+0x4a/0x4b0 [] kthread+0x120/0x160 [] ret_from_fork+0x1f/0x30 In function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_ buffer_to_peer(), the semantics of send6() is required to free skb. But when CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it to fix this bug. Signed-off-by: Wang Hai Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit fdf5fd402a7f68532208ccb16c27eb81f5f95b9c Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:24 2022 -0400 wireguard: queueing: use CFI-safe ptr_ring cleanup function commit ec59f128a9bd4255798abb1e06ac3b442f46ef68 upstream. We make too nuanced use of ptr_ring to entirely move to the skb_array wrappers, but we at least should avoid the naughty function pointer cast when cleaning up skbs. Otherwise RAP/CFI will honk at us. This patch uses the __skb_array_destroy_skb wrapper for the cleanup, rather than directly providing kfree_skb, which is what other drivers in the same situation do too. Reported-by: PaX Team Fixes: 886fcee939ad ("wireguard: receive: use ring buffer for incoming handshakes") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 113aac0632547bf19b174162ca64725034e796ca Author: Pankaj Raghav Date: Tue Mar 22 10:20:48 2022 +0100 nvme: fix the read-only state for zoned namespaces with unsupposed features commit 726be2c72efc0a64c206e854b8996ad3ab9c7507 upstream. commit 2f4c9ba23b88 ("nvme: export zoned namespaces without Zone Append support read-only") marks zoned namespaces without append support read-only. It does iso by setting NVME_NS_FORCE_RO in ns->flags in nvme_update_zone_info and checking for that flag later in nvme_update_disk_info to mark the disk as read-only. But commit 73d90386b559 ("nvme: cleanup zone information initialization") rearranged nvme_update_disk_info to be called before nvme_update_zone_info and thus not marking the disk as read-only. The call order cannot be just reverted because nvme_update_zone_info sets certain queue parameters such as zone_write_granularity that depend on the prior call to nvme_update_disk_info. Remove the call to set_disk_ro in nvme_update_disk_info. and call set_disk_ro after nvme_update_zone_info and nvme_update_disk_info to set the permission for ZNS drives correctly. The same applies to the multipath disk path. Fixes: 73d90386b559 ("nvme: cleanup zone information initialization") Signed-off-by: Pankaj Raghav Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 529a9e8fa819ed187a689fe2947cfd4f550a3045 Author: Sungup Moon Date: Mon Mar 14 20:05:45 2022 +0900 nvme: allow duplicate NSIDs for private namespaces commit 5974ea7ce0f9a5987fc8cf5e08ad6e3e70bb542e upstream. A NVMe subsystem with multiple controller can have private namespaces that use the same NSID under some conditions: "If Namespace Management, ANA Reporting, or NVM Sets are supported, the NSIDs shall be unique within the NVM subsystem. If the Namespace Management, ANA Reporting, and NVM Sets are not supported, then NSIDs: a) for shared namespace shall be unique; and b) for private namespace are not required to be unique." Reference: Section 6.1.6 NSID and Namespace Usage; NVM Express 1.4c spec. Make sure this specific setup is supported in Linux. Fixes: 9ad1927a3bc2 ("nvme: always search for namespace head") Signed-off-by: Sungup Moon [hch: refactored and fixed the controller vs subsystem based naming conflict] Signed-off-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Greg Kroah-Hartman commit 6f36551c4bc0f1560c26868736c02e7556d1781c Author: Baokun Li Date: Tue Feb 15 12:07:36 2022 +0800 ubifs: rename_whiteout: correct old_dir size computing commit 705757274599e2e064dd3054aabc74e8af31a095 upstream. When renaming the whiteout file, the old whiteout file is not deleted. Therefore, we add the old dentry size to the old dir like XFS. Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size` in check_indes. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Reported-by: Zhihao Cheng Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit fbeb2139eed65e929ce806c6468e6601ade01b1b Author: Zhihao Cheng Date: Mon Dec 27 11:22:41 2021 +0800 ubifs: Fix to add refcount once page is set private commit 3b67db8a6ca83e6ff90b756d3da0c966f61cd37b upstream. MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration: page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8 index:0xe2 pfn:0x14c12 aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:"f30e" flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0| zone=1|lastcpupid=0x1fffff) page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0) ------------[ cut here ]------------ kernel BUG at include/linux/page_ref.h:184! invalid opcode: 0000 [#1] SMP CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5 RIP: 0010:migrate_page_move_mapping+0xac3/0xe70 Call Trace: ubifs_migrate_page+0x22/0xc0 [ubifs] move_to_new_page+0xb4/0x600 migrate_pages+0x1523/0x1cc0 compact_zone+0x8c5/0x14b0 kcompactd+0x2bc/0x560 kthread+0x18c/0x1e0 ret_from_fork+0x1f/0x30 Before the time, we should make clean a concept, what does refcount means in page gotten from grab_cache_page_write_begin(). There are 2 situations: Situation 1: refcount is 3, page is created by __page_cache_alloc. TYPE_A - the write process is using this page TYPE_B - page is assigned to one certain mapping by calling __add_to_page_cache_locked() TYPE_C - page is added into pagevec list corresponding current cpu by calling lru_cache_add() Situation 2: refcount is 2, page is gotten from the mapping's tree TYPE_B - page has been assigned to one certain mapping TYPE_A - the write process is using this page (by calling page_cache_get_speculative()) Filesystem releases one refcount by calling put_page() in xxx_write_end(), the released refcount corresponds to TYPE_A (write task is using it). If there are any processes using a page, page migration process will skip the page by judging whether expected_page_refs() equals to page refcount. The BUG is caused by following process: PA(cpu 0) kcompactd(cpu 1) compact_zone ubifs_write_begin page_a = grab_cache_page_write_begin add_to_page_cache_lru lru_cache_add pagevec_add // put page into cpu 0's pagevec (refcnf = 3, for page creation process) ubifs_write_end SetPagePrivate(page_a) // doesn't increase page count ! unlock_page(page_a) put_page(page_a) // refcnt = 2 [...] PB(cpu 0) filemap_read filemap_get_pages add_to_page_cache_lru lru_cache_add __pagevec_lru_add // traverse all pages in cpu 0's pagevec __pagevec_lru_add_fn SetPageLRU(page_a) isolate_migratepages isolate_migratepages_block get_page_unless_zero(page_a) // refcnt = 3 list_add(page_a, from_list) migrate_pages(from_list) __unmap_and_move move_to_new_page ubifs_migrate_page(page_a) migrate_page_move_mapping expected_page_refs get 3 (migration[1] + mapping[1] + private[1]) release_pages put_page_testzero(page_a) // refcnt = 3 page_ref_freeze // refcnt = 0 page_ref_dec_and_test(0 - 1 = -1) page_ref_unfreeze VM_BUG_ON_PAGE(-1 != 0, page) UBIFS doesn't increase the page refcount after setting private flag, which leads to page migration task believes the page is not used by any other processes, so the page is migrated. This causes concurrent accessing on page refcount between put_page() called by other process(eg. read process calls lru_cache_add) and page_ref_unfreeze() called by migration task. Actually zhangjun has tried to fix this problem [2] by recalculating page refcnt in ubifs_migrate_page(). It's better to follow MM rules [1], because just like Kirill suggested in [2], we need to check all users of page_has_private() helper. Like f2fs does in [3], fix it by adding/deleting refcount when setting/clearing private for a page. BTW, according to [4], we set 'page->private' as 1 because ubifs just simply SetPagePrivate(). And, [5] provided a common helper to set/clear page private, ubifs can use this helper following the example of iomap, afs, btrfs, etc. Jump [6] to find a reproducer. [1] https://lore.kernel.org/lkml/2b19b3c4-2bc4-15fa-15cc-27a13e5c7af1@aol.com [2] https://www.spinics.net/lists/linux-mtd/msg04018.html [3] http://lkml.iu.edu/hypermail/linux/kernel/1903.0/03313.html [4] https://lore.kernel.org/linux-f2fs-devel/20210422154705.GO3596236@casper.infradead.org [5] https://lore.kernel.org/all/20200517214718.468-1-guoqing.jiang@cloud.ionos.com [6] https://bugzilla.kernel.org/show_bug.cgi?id=214961 Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 3b7fb89135a20587d57f8877c02e25003e9edbdf Author: Zhihao Cheng Date: Mon Dec 27 11:22:40 2021 +0800 ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() commit 4f2262a334641e05f645364d5ade1f565c85f20b upstream. Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link]. Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214785 Reported-by: Chengsong Ke Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 6262b15000a3564b5608ac135462a05e44cb08c4 Author: Zhihao Cheng Date: Mon Dec 27 11:22:39 2021 +0800 ubifs: setflags: Make dirtied_ino_d 8 bytes aligned commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream. Make 'ui->data_len' aligned with 8 bytes before it is assigned to dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr") applied, 'setflags()' only affects regular files and directories, only xattr inode, symlink inode and special inode(pipe/char_dev/block_dev) have none- zero 'ui->data_len' field, so assertion '!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space(). To avoid assertion fails in future evolution(eg. setflags can operate special inodes), it's better to make dirtied_ino_d 8 bytes aligned, after all aligned size is still zero for regular files. Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 0280853094abe778e5baaa8381f2acd8e3c6c472 Author: Zhihao Cheng Date: Mon Dec 27 11:22:38 2021 +0800 ubifs: Rectify space amount budget for mkdir/tmpfile operations commit a6dab6607d4681d227905d5198710b575dbdb519 upstream. UBIFS should make sure the flash has enough space to store dirty (Data that is newer than disk) data (in memory), space budget is exactly designed to do that. If space budget calculates less data than we need, 'make_reservation()' will do more work(return -ENOSPC if no free space lelf, sometimes we can see "cannot reserve xxx bytes in jhead xxx, error -28" in ubifs error messages) with ubifs inodes locked, which may effect other syscalls. A simple way to decide how much space do we need when make a budget: See how much space is needed by 'make_reservation()' in ubifs_jnl_xxx() function according to corresponding operation. It's better to report ENOSPC in ubifs_budget_space(), as early as we can. Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE") Fixes: 1e51764a3c2ac05 ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 52b18c0b28a58d7f83ed497abdf95c9361189f66 Author: Zhihao Cheng Date: Mon Dec 27 11:22:37 2021 +0800 ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work commit 60eb3b9c9f11206996f57cb89521824304b305ad upstream. 'ui->dirty' is not protected by 'ui_mutex' in function do_tmpfile() which may race with ubifs_write_inode[wb_workfn] to access/update 'ui->dirty', finally dirty space is released twice. open(O_TMPFILE) wb_workfn do_tmpfile ubifs_budget_space(ino_req = { .dirtied_ino = 1}) d_tmpfile // mark inode(tmpfile) dirty ubifs_jnl_update // without holding tmpfile's ui_mutex mark_inode_clean(ui) if (ui->dirty) ubifs_release_dirty_inode_budget(ui) // release first time ubifs_write_inode mutex_lock(&ui->ui_mutex) ubifs_release_dirty_inode_budget(ui) // release second time mutex_unlock(&ui->ui_mutex) ui->dirty = 0 Run generic/476 can reproduce following message easily (See reproducer in [Link]): UBIFS error (ubi0:0 pid 2578): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554 UBIFS warning (ubi0:0 pid 2578): ubifs_ro_mode [ubifs]: switched to read-only mode, error -22 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: ubifs_ro_mode+0x54/0x60 [ubifs] ubifs_assert_failed+0x4b/0x80 [ubifs] ubifs_release_budget+0x468/0x5a0 [ubifs] ubifs_release_dirty_inode_budget+0x53/0x80 [ubifs] ubifs_write_inode+0x121/0x1f0 [ubifs] ... wb_workfn+0x283/0x7b0 Fix it by holding tmpfile ubifs inode lock during ubifs_jnl_update(). Similar problem exists in whiteout renaming, but previous fix("ubifs: Rename whiteout atomically") has solved the problem. Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214765 Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 868de33a39e0e1e91ed3ce4a23a65f30144d2443 Author: Zhihao Cheng Date: Mon Dec 27 11:22:36 2021 +0800 ubifs: Rename whiteout atomically commit 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 upstream. Currently, rename whiteout has 3 steps: 1. create tmpfile(which associates old dentry to tmpfile inode) for whiteout, and store tmpfile to disk 2. link whiteout, associate whiteout inode to old dentry agagin and store old dentry, old inode, new dentry on disk 3. writeback dirty whiteout inode to disk Suddenly power-cut or error occurring(eg. ENOSPC returned by budget, memory allocation failure) during above steps may cause kinds of problems: Problem 1: ENOSPC returned by whiteout space budget (before step 2), old dentry will disappear after rename syscall, whiteout file cannot be found either. ls dir // we get file, whiteout rename(dir/file, dir/whiteout, REANME_WHITEOUT) ENOSPC = ubifs_budget_space(&wht_req) // return ls dir // empty (no file, no whiteout) Problem 2: Power-cut happens before step 3, whiteout inode with 'nlink=1' is not stored on disk, whiteout dentry(old dentry) is written on disk, whiteout file is lost on next mount (We get "dead directory entry" after executing 'ls -l' on whiteout file). Now, we use following 3 steps to finish rename whiteout: 1. create an in-mem inode with 'nlink = 1' as whiteout 2. ubifs_jnl_rename (Write on disk to finish associating old dentry to whiteout inode, associating new dentry with old inode) 3. iput(whiteout) Rely writing in-mem inode on disk by ubifs_jnl_rename() to finish rename whiteout, which avoids middle disk state caused by suddenly power-cut and error occurring. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 085062c6440d10f9955323539eb64ae914dbd6a2 Author: Zhihao Cheng Date: Mon Dec 27 11:22:35 2021 +0800 ubifs: Add missing iput if do_tmpfile() failed in rename whiteout commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream. whiteout inode should be put when do_tmpfile() failed if inode has been initialized. Otherwise we will get following warning during umount: UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930 VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Suggested-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 8b278c8dcfb565cb65eceb62a38cbf7a7c326db5 Author: Zhihao Cheng Date: Mon Dec 27 11:22:33 2021 +0800 ubifs: Fix deadlock in concurrent rename whiteout and inode writeback commit afd427048047e8efdedab30e8888044e2be5aa9c upstream. Following hung tasks: [ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132 [ 77.028820] Call Trace: [ 77.029027] schedule+0x8c/0x1b0 [ 77.029067] mutex_lock+0x50/0x60 [ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs] [ 77.029117] __writeback_single_inode+0x43c/0x570 [ 77.029128] writeback_sb_inodes+0x259/0x740 [ 77.029148] wb_writeback+0x107/0x4d0 [ 77.029163] wb_workfn+0x162/0x7b0 [ 92.390442] task:aa state:D stack: 0 pid: 1506 [ 92.390448] Call Trace: [ 92.390458] schedule+0x8c/0x1b0 [ 92.390461] wb_wait_for_completion+0x82/0xd0 [ 92.390469] __writeback_inodes_sb_nr+0xb2/0x110 [ 92.390472] writeback_inodes_sb_nr+0x14/0x20 [ 92.390476] ubifs_budget_space+0x705/0xdd0 [ubifs] [ 92.390503] do_rename.cold+0x7f/0x187 [ubifs] [ 92.390549] ubifs_rename+0x8b/0x180 [ubifs] [ 92.390571] vfs_rename+0xdb2/0x1170 [ 92.390580] do_renameat2+0x554/0x770 , are caused by concurrent rename whiteout and inode writeback processes: rename_whiteout(Thread 1) wb_workfn(Thread2) ubifs_rename do_rename lock_4_inodes (Hold ui_mutex) ubifs_budget_space make_free_space shrink_liability __writeback_inodes_sb_nr bdi_split_work_to_wbs (Queue new wb work) wb_do_writeback(wb work) __writeback_single_inode ubifs_write_inode LOCK(ui_mutex) ↑ wb_wait_for_completion (Wait wb work) <-- deadlock! Reproducer (Detail program in [Link]): 1. SYS_renameat2("/mp/dir/file", "/mp/dir/whiteout", RENAME_WHITEOUT) 2. Consume out of space before kernel(mdelay) doing budget for whiteout Fix it by doing whiteout space budget before locking ubifs inodes. BTW, it also fixes wrong goto tag 'out_release' in whiteout budget error handling path(It should at least recover dir i_size and unlock 4 ubifs inodes). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214733 Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 6d7a158a7363c1f6604aa47ae1a280a5c65123dd Author: Zhihao Cheng Date: Mon Dec 27 11:22:32 2021 +0800 ubifs: rename_whiteout: Fix double free for whiteout_ui->data commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream. 'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process: rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free! KASAN reports: ================================================================== BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70 Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 The buggy address belongs to the object at ffff88810238bed8 which belongs to the cache kmalloc-8 of size 8 ================================================================== Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode() -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit e815876cedf5bcea03df18600a23133af28ea472 Author: David Woodhouse Date: Tue Mar 29 13:11:47 2022 -0400 KVM: avoid double put_page with gfn-to-pfn cache commit 79593c086eb95eb2886f36ee6f78a1d6845e1bdf upstream. If the cache's user host virtual address becomes invalid, there is still a path from kvm_gfn_to_pfn_cache_refresh() where __release_gpc() could release the pfn but the gpc->pfn field has not been overwritten with an error value. If this happens, kvm_gfn_to_pfn_cache_unmap will call put_page again on the same page. Cc: stable@vger.kernel.org Fixes: 982ed0de4753 ("KVM: Reinstate gfn_to_pfn_cache with invalidation support") Signed-off-by: David Woodhouse Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit a6ffdebfb6a9c2ffeed902b544b96fe67498210e Author: Yi Wang Date: Wed Mar 9 19:30:25 2022 +0800 KVM: SVM: fix panic on out-of-bounds guest IRQ commit a80ced6ea514000d34bf1239d47553de0d1ee89e upstream. As guest_irq is coming from KVM_IRQFD API call, it may trigger crash in svm_update_pi_irte() due to out-of-bounds: crash> bt PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8" #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9 #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51 #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace [exception RIP: svm_update_pi_irte+227] RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086 RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001 RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8 RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200 R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001 R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm] #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm] #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm] RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020 RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0 R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0 R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0 ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on out-of-bounds guest IRQ), so we can just copy source from that to fix this. Co-developed-by: Yi Liu Signed-off-by: Yi Liu Signed-off-by: Yi Wang Message-Id: <20220309113025.44469-1-wang.yi59@zte.com.cn> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit ec840c90de34c8664413905062c0364b200ddbad Author: Li RongQing Date: Wed Mar 9 16:35:44 2022 +0800 KVM: x86: fix sending PV IPI commit c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e upstream. If apic_id is less than min, and (max - apic_id) is greater than KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but the new apic_id does not fit the bitmask. In this case __send_ipi_mask should send the IPI. This is mostly theoretical, but it can happen if the apic_ids on three iterations of the loop are for example 1, KVM_IPI_CLUSTER_SIZE, 0. Fixes: aaffcfd1e82 ("KVM: X86: Implement PV IPIs in linux guest") Signed-off-by: Li RongQing Message-Id: <1646814944-51801-1-git-send-email-lirongqing@baidu.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9b709d19bb34955de210f1fc2e71d7c9a961f3c1 Author: David Matlack Date: Thu Mar 3 18:33:27 2022 +0000 KVM: Prevent module exit until all VMs are freed commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream. Tie the lifetime the KVM module to the lifetime of each VM via kvm.users_count. This way anything that grabs a reference to the VM via kvm_get_kvm() cannot accidentally outlive the KVM module. Prior to this commit, the lifetime of the KVM module was tied to the lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU file descriptors by their respective file_operations "owner" field. This approach is insufficient because references grabbed via kvm_get_kvm() do not prevent closing any of the aforementioned file descriptors. This fixes a long standing theoretical bug in KVM that at least affects async page faults. kvm_setup_async_pf() grabs a reference via kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing prevents the VM file descriptor from being closed and the KVM module from being unloaded before this callback runs. Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out") Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations") Cc: stable@vger.kernel.org Suggested-by: Ben Gardon [ Based on a patch from Ben implemented for Google's kernel. ] Signed-off-by: David Matlack Message-Id: <20220303183328.1499189-2-dmatlack@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 5051c04d70c6e035c2c923c04fbe015a4468b08d Author: Paolo Bonzini Date: Tue Mar 29 12:56:24 2022 -0400 KVM: x86/mmu: do compare-and-exchange of gPTE via the user address commit 2a8859f373b0a86f0ece8ec8312607eacf12485d upstream. FNAME(cmpxchg_gpte) is an inefficient mess. It is at least decent if it can go through get_user_pages_fast(), but if it cannot then it tries to use memremap(); that is not just terribly slow, it is also wrong because it assumes that the VM_PFNMAP VMA is contiguous. The right way to do it would be to do the same thing as hva_to_pfn_remapped() does since commit add6a0cd1c5b ("KVM: MMU: try to fix up page faults before giving up", 2016-07-05), using follow_pte() and fixup_user_fault() to determine the correct address to use for memremap(). To do this, one could for example extract hva_to_pfn() for use outside virt/kvm/kvm_main.c. But really there is no reason to do that either, because there is already a perfectly valid address to do the cmpxchg() on, only it is a userspace address. That means doing user_access_begin()/user_access_end() and writing the code in assembly to handle exceptions correctly. Worse, the guest PTE can be 8-byte even on i686 so there is the extra complication of using cmpxchg8b to account for. But at least it is an efficient mess. (Thanks to Linus for suggesting improvement on the inline assembly). Reported-by: Qiuhao Li Reported-by: Gaoning Pan Reported-by: Yongkang Jia Reported-by: syzbot+6cde2282daa792c49ab8@syzkaller.appspotmail.com Debugged-by: Tadeusz Struk Tested-by: Maxim Levitsky Cc: stable@vger.kernel.org Fixes: bd53cb35a3e9 ("X86/KVM: Handle PFNs outside of kernel reach when touching GPTEs") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 96795bb3de6cefda762bd1db8f7d077c31c6bf36 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:40 2022 +0100 KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated commit b1e34d325397a33d97d845e312d7cf2a8b646b44 upstream. Setting non-zero values to SYNIC/STIMER MSRs activates certain features, this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. Note, it would've been better to forbid writing anything to SYNIC/STIMER MSRs, including zeroes, however, at least QEMU tries clearing HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat 'special' as writing zero there triggers an action, this also should not happen when SynIC wasn't activated. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9fa2b94443ff41cdecdff6f4d4324d83af01089a Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:39 2022 +0100 KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() commit 00b5f37189d24ac3ed46cb7f11742094778c46ce upstream. When kvm_irq_delivery_to_apic_fast() is called with APIC_DEST_SELF shorthand, 'src' must not be NULL. Crash the VM with KVM_BUG_ON() instead of crashing the host. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-3-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c08175e48f2b3af6d672938da593e481a7b13ba7 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:38 2022 +0100 KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq commit 7ec37d1cbe17d8189d9562178d8b29167fe1c31a upstream. When KVM_CAP_HYPERV_SYNIC{,2} is activated, KVM already checks for irqchip_in_kernel() so normally SynIC irqs should never be set. It is, however, possible for a misbehaving VMM to write to SYNIC/STIMER MSRs causing erroneous behavior. The immediate issue being fixed is that kvm_irq_delivery_to_apic() (kvm_irq_delivery_to_apic_fast()) crashes when called with 'irq.shorthand = APIC_DEST_SELF' and 'src == NULL'. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-2-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit f065aa576bd45b3a7478603339ea516f89769141 Author: Paul Cercueil Date: Thu Mar 31 17:42:00 2022 +0100 MIPS: crypto: Fix CRC32 code commit 41022eff9c2d21e658c7a6fcd31005bf514d28b7 upstream. Commit 67512a8cf5a7 ("MIPS: Avoid macro redefinitions") changed how the MIPS register macros were defined, in order to allow the code to compile under LLVM/Clang. The MIPS CRC32 code however wasn't updated accordingly, causing a build bug when using a MIPS32r6 toolchain without CRC support. Update the CRC32 code to use the macros correctly, to fix the build failures. Fixes: 67512a8cf5a7 ("MIPS: Avoid macro redefinitions") Cc: Signed-off-by: Paul Cercueil Reported-by: kernel test robot Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 02b9147953b1951583820570001968ffb41cc996 Author: Gwendal Grignou Date: Fri Jan 21 16:13:01 2022 -0800 platform: chrome: Split trace include file commit eabd9a3807e17e211690e6c40f1405b427b64c48 upstream. cros_ec_trace.h defined 5 tracing events, 2 for cros_ec_proto and 3 for cros_ec_sensorhub_ring. These 2 files are in different kernel modules, the traces are defined twice in the kernel which leads to problem enabling only some traces. Move sensorhub traces from cros_ec_trace.h to cros_ec_sensorhub_trace.h and enable them only in cros_ec_sensorhub kernel module. Check we can now enable any single traces: without this patch, we can only enable all sensorhub traces or none. Fixes: d453ceb6549a ("platform/chrome: sensorhub: Add trace events for sample") Signed-off-by: Gwendal Grignou Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220122001301.640337-1-gwendal@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit 021256806a669a49dd9ecf8a63b45da26014128b Author: Manish Rangankar Date: Thu Mar 10 01:26:02 2022 -0800 scsi: qla2xxx: Use correct feature type field during RFF_ID processing commit a7e05f7a1bcbe4ee055479242de46c5c16ab03b1 upstream. During SNS Register FC-4 Features (RFF_ID) the initiator driver was sending incorrect type field for NVMe supported device. Use correct feature type field. Link: https://lore.kernel.org/r/20220310092604.22950-12-njavali@marvell.com Fixes: e374f9f59281 ("scsi: qla2xxx: Migrate switch registration commands away from mailbox interface") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d8266a9748a5c35fb9ef765f4995d98b2ff80193 Author: Quinn Tran Date: Thu Mar 10 01:26:00 2022 -0800 scsi: qla2xxx: Reduce false trigger to login commit d2646eed7b19a206912f49101178cbbaa507256c upstream. While a session is in the middle of a relogin, a late RSCN can be delivered from switch. RSCN trigger fabric scan where the scan logic can trigger another session login while a login is in progress. Reduce the extra trigger to prevent multiple logins to the same session. Link: https://lore.kernel.org/r/20220310092604.22950-10-njavali@marvell.com Fixes: bee8b84686c4 ("scsi: qla2xxx: Reduce redundant ADISC command for RSCNs") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b0a42ca2111beb7682dcb19af1d45ede86edcbc8 Author: Quinn Tran Date: Thu Mar 10 01:26:01 2022 -0800 scsi: qla2xxx: Fix stuck session of PRLI reject commit f3502e2e98a92981601edc3dadf4b0f43c79836b upstream. Remove stale recovery code that prevents normal path recovery. Link: https://lore.kernel.org/r/20220310092604.22950-11-njavali@marvell.com Fixes: 1cbc0efcd9be ("scsi: qla2xxx: Fix retry for PRLI RJT with reason of BUSY") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 946b3cebd589d435b00cf695924c1509a2d07b8d Author: Quinn Tran Date: Thu Mar 10 01:25:57 2022 -0800 scsi: qla2xxx: Fix N2N inconsistent PLOGI commit c13ce47c64ea8f14e77eecb40d1e7c2ac667f898 upstream. For N2N topology, ELS Passthrough is used to send PLOGI. On failure of ELS pass through PLOGI, driver flipped over to using LLIOCB PLOGI for N2N. This is not consistent. Delete the session to restart the connection where ELS pass through PLOGI would be used consistently. Link: https://lore.kernel.org/r/20220310092604.22950-7-njavali@marvell.com Fixes: c76ae845ea83 ("scsi: qla2xxx: Add error handling for PLOGI ELS passthrough") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 67f744f73eba870ab96411d0310e831a4adc3713 Author: Arun Easi Date: Thu Mar 10 01:25:56 2022 -0800 scsi: qla2xxx: Fix crash during module load unload test commit 0972252450f90db56dd5415a20e2aec21a08d036 upstream. During purex packet handling the driver was incorrectly freeing a pre-allocated structure. Fix this by skipping that entry. System crashed with the following stack during a module unload test. Call Trace: sbitmap_init_node+0x7f/0x1e0 sbitmap_queue_init_node+0x24/0x150 blk_mq_init_bitmaps+0x3d/0xa0 blk_mq_init_tags+0x68/0x90 blk_mq_alloc_map_and_rqs+0x44/0x120 blk_mq_alloc_set_map_and_rqs+0x63/0x150 blk_mq_alloc_tag_set+0x11b/0x230 scsi_add_host_with_dma.cold+0x3f/0x245 qla2x00_probe_one+0xd5a/0x1b80 [qla2xxx] Call Trace with slub_debug and debug kernel: kasan_report_invalid_free+0x50/0x80 __kasan_slab_free+0x137/0x150 slab_free_freelist_hook+0xc6/0x190 kfree+0xe8/0x2e0 qla2x00_free_device+0x3bb/0x5d0 [qla2xxx] qla2x00_remove_one+0x668/0xcf0 [qla2xxx] Link: https://lore.kernel.org/r/20220310092604.22950-6-njavali@marvell.com Fixes: 62e9dd177732 ("scsi: qla2xxx: Change in PUREX to handle FPIN ELS requests") Cc: stable@vger.kernel.org Reported-by: Marco Patalano Tested-by: Marco Patalano Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c05f4f6485726faae08073f947368ee10439d3f0 Author: Arun Easi Date: Thu Mar 10 01:25:55 2022 -0800 scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests commit c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 upstream. At NVMe ELS request time, request structure is DMA mapped and never unmapped. Fix this by calling the unmap on ELS completion. Link: https://lore.kernel.org/r/20220310092604.22950-5-njavali@marvell.com Fixes: e84067d74301 ("scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c5462ae3c8873ce523d73e4930b1af187020a033 Author: Quinn Tran Date: Thu Mar 10 01:25:59 2022 -0800 scsi: qla2xxx: Fix laggy FC remote port session recovery commit 713b415726f100f6644971e75ebfe1edbef1a390 upstream. For session recovery, driver relies on the dpc thread to initiate certain operations. The dpc thread runs exclusively without the Mailbox interface being occupied. A recent code change for heartbeat check via mailbox cmd 0 is preventing the dpc thread from carrying out its operation. This patch allows the higher priority error recovery to run first before running the lower priority heartbeat check. Link: https://lore.kernel.org/r/20220310092604.22950-9-njavali@marvell.com Fixes: d94d8158e184 ("scsi: qla2xxx: Add heartbeat check") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 445534d787469193261a2ae2687d1a3ed0a1db43 Author: Quinn Tran Date: Thu Mar 10 01:25:58 2022 -0800 scsi: qla2xxx: Fix hang due to session stuck commit c02aada06d19a215c8291bd968a99a270e96f734 upstream. User experienced device lost. The log shows Get port data base command was queued up, failed, and requeued again. Every time it is requeued, it set the FCF_ASYNC_ACTIVE. This prevents any recovery code from occurring because driver thinks a recovery is in progress for this session. In essence, this session is hung. The reason it gets into this place is the session deletion got in front of this call due to link perturbation. Break the requeue cycle and exit. The session deletion code will trigger a session relogin. Link: https://lore.kernel.org/r/20220310092604.22950-8-njavali@marvell.com Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d3afb4e6d8f9d907386fc99381852b3725911acd Author: Quinn Tran Date: Thu Mar 10 01:25:52 2022 -0800 scsi: qla2xxx: Fix incorrect reporting of task management failure commit 58ca5999e0367d131de82a75257fbfd5aed0195d upstream. User experienced no task management error while target device is responding with error. The RSP_CODE field in the status IOCB is in little endian. Driver assumes it's big endian and it picked up erroneous data. Convert the data back to big endian as is on the wire. Link: https://lore.kernel.org/r/20220310092604.22950-2-njavali@marvell.com Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9be42d254def07294a7d5854a28dba17d644edd7 Author: Quinn Tran Date: Thu Mar 10 01:25:53 2022 -0800 scsi: qla2xxx: Fix disk failure to rediscover commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99 upstream. User experienced some of the LUN failed to get rediscovered after long cable pull test. The issue is triggered by a race condition between driver setting session online state vs starting the LUN scan process at the same time. Current code set the online state after notifying the session is available. In this case, trigger to start the LUN scan process happened before driver could set the session in online state. LUN scan ends up with failure due to the session online check was failing. Set the online state before reporting of the availability of the session. Link: https://lore.kernel.org/r/20220310092604.22950-3-njavali@marvell.com Fixes: aecf043443d3 ("scsi: qla2xxx: Fix Remote port registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit a669a22aef0ceff706b885370af74b5a60a8ac85 Author: Saurav Kashyap Date: Sun Jan 9 21:02:15 2022 -0800 scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() commit a60447e7d451df42c7bde43af53b34f10f34f469 upstream. [ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020 [ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G I --------- --- 5.14.0-29.el9.x86_64 #1 [ 12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018 [ 12.356356] Call Trace: [ 12.358821] dump_stack_lvl+0x34/0x44 [ 12.362514] check_preemption_disabled+0xd9/0xe0 [ 12.367164] qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.372481] qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx] [ 12.377617] ? _raw_spin_lock_irqsave+0x19/0x40 [ 12.384284] local_pci_probe+0x42/0x80 [ 12.390162] ? pci_match_device+0xd7/0x110 [ 12.396366] pci_device_probe+0xfd/0x1b0 [ 12.402372] really_probe+0x1e7/0x3e0 [ 12.408114] __driver_probe_device+0xfe/0x180 [ 12.414544] driver_probe_device+0x1e/0x90 [ 12.420685] __driver_attach+0xc0/0x1c0 [ 12.426536] ? __device_attach_driver+0xe0/0xe0 [ 12.433061] ? __device_attach_driver+0xe0/0xe0 [ 12.439538] bus_for_each_dev+0x78/0xc0 [ 12.445294] bus_add_driver+0x12b/0x1e0 [ 12.451021] driver_register+0x8f/0xe0 [ 12.456631] ? 0xffffffffc07bc000 [ 12.461773] qla2x00_module_init+0x1be/0x229 [qla2xxx] [ 12.468776] do_one_initcall+0x44/0x200 [ 12.474401] ? load_module+0xad3/0xba0 [ 12.479908] ? kmem_cache_alloc_trace+0x45/0x410 [ 12.486268] do_init_module+0x5c/0x280 [ 12.491730] __do_sys_init_module+0x12e/0x1b0 [ 12.497785] do_syscall_64+0x3b/0x90 [ 12.503029] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 12.509764] RIP: 0033:0x7f554f73ab2e Link: https://lore.kernel.org/r/20220110050218.3958-15-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 568b3f32107550977f8e586fa54b6ca459d53b2b Author: Joe Carnuccio Date: Sun Jan 9 21:02:17 2022 -0800 scsi: qla2xxx: Check for firmware dump already collected commit cfbafad7c6032d449a5a07f2d273acd2437bbc6a upstream. While allocating firmware dump, check if dump is already collected and do not re-allocate the buffer. Link: https://lore.kernel.org/r/20220110050218.3958-17-njavali@marvell.com Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit f59a24b7858a53aee2dc766571485d1fd751d723 Author: Joe Carnuccio Date: Sun Jan 9 21:02:16 2022 -0800 scsi: qla2xxx: Add devids and conditionals for 28xx commit 0d6a536cb1fcabb6c3e9c94871c8d0b29bb5813b upstream. This is an update to the original 28xx adapter enablement. Add a bunch of conditionals that are applicable for 28xx. Link: https://lore.kernel.org/r/20220110050218.3958-16-njavali@marvell.com Fixes: ecc89f25e225 ("scsi: qla2xxx: Add Device ID for ISP28XX") Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8bb01af851a4b7ff0e859bb8b481f9e2c2211ecf Author: Joe Carnuccio Date: Sun Jan 9 21:02:14 2022 -0800 scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters commit 4c103a802c69fca63976af6b372ccba39ed74370 upstream. 28XX adapters are capable of detecting both T10 PI tag escape values as well as IP guard. This was missed due to the adapter type missed in the corresponding macros. Fix this by adding support for 28xx in those macros. Link: https://lore.kernel.org/r/20220110050218.3958-14-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Tested-by: Martin K. Petersen Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 4ab396b40e40b6c6bc27703810f881997c9346bb Author: Quinn Tran Date: Sun Jan 9 21:02:13 2022 -0800 scsi: qla2xxx: edif: Fix clang warning commit 73825fd7a37c1a685e9e9e27c9dc91ef1f3e2971 upstream. Silence compile warning due to unaligned memory access. qla_edif.c:713:45: warning: taking address of packed member 'u' of class or structure 'auth_complete_cmd' may result in an unaligned pointer value [-Waddress-of-packed-member] fcport = qla2x00_find_fcport_by_pid(vha, &appplogiok.u.d_id); Link: https://lore.kernel.org/r/20220110050218.3958-13-njavali@marvell.com Cc: stable@vger.kernel.org Reported-by: kernel test robot Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit afd99c5603c54c57a668bb09ef6815bb9e9add2e Author: Arun Easi Date: Sun Jan 9 21:02:11 2022 -0800 scsi: qla2xxx: Fix device reconnect in loop topology commit 8ad4be3d15cf144b5834bdb00d5bbe4050938dc7 upstream. A device logout in loop topology initiates a device connection teardown which loses the FW device handle. In loop topo, the device handle is not regrabbed leading to device login failures and eventually to loss of the device. Fix this by taking the main login path that does it. Link: https://lore.kernel.org/r/20220110050218.3958-11-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e4c91d9ada2c16ce4bb4287bcaad70d2f2dd2319 Author: Nilesh Javali Date: Sun Jan 9 21:02:12 2022 -0800 scsi: qla2xxx: Fix warning for missing error code commit 14cb838d245ae0d523b2f7804af5a02c22e79f5a upstream. Fix smatch-reported warning message: drivers/scsi/qla2xxx/qla_target.c:3324 qlt_xmit_response() warn: missing error code 'res' Link: https://lore.kernel.org/r/20220110050218.3958-12-njavali@marvell.com Fixes: 4a8f71014b4d ("scsi: qla2xxx: Fix unmap of already freed sgl") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 74d13ef2436b7106d18c71253aad524372cd6be3 Author: Bikash Hazarika Date: Sun Jan 9 21:02:09 2022 -0800 scsi: qla2xxx: Fix wrong FDMI data for 64G adapter commit 1cfbbacbee2d6ea3816386a483e3c7a96e5bd657 upstream. Corrected transmission speed mask values for FC. Supported Speed: 16 32 20 Gb/s ===> Should be 64 instead of 20 Supported Speed: 16G 32G 48G ===> Should be 64G instead of 48G Link: https://lore.kernel.org/r/20220110050218.3958-9-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Bikash Hazarika Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 6c125fd5ad035777f7b471553f7ddda76e8e7136 Author: Quinn Tran Date: Sun Jan 9 21:02:06 2022 -0800 scsi: qla2xxx: Fix premature hw access after PCI error commit e35920ab7874d5e2faeb4f958a74bfa793f1ce5a upstream. After a recoverable PCI error has been detected and recovered, qla driver needs to check to see if the error condition still persist and/or wait for the OS to give the resume signal. Sep 8 22:26:03 localhost kernel: WARNING: CPU: 9 PID: 124606 at qla_tmpl.c:440 qla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx] Sep 8 22:26:03 localhost kernel: RIP: 0010:qla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx] Sep 8 22:26:03 localhost kernel: Call Trace: Sep 8 22:26:03 localhost kernel: ? qla27xx_walk_template+0xb1/0x1b0 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla27xx_execute_fwdt_template+0x12a/0x160 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla27xx_fwdump+0xa0/0x1c0 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla2xxx_pci_mmio_enabled+0xfb/0x120 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? report_mmio_enabled+0x44/0x80 Sep 8 22:26:03 localhost kernel: ? report_slot_reset+0x80/0x80 Sep 8 22:26:03 localhost kernel: ? pci_walk_bus+0x70/0x90 Sep 8 22:26:03 localhost kernel: ? aer_dev_correctable_show+0xc0/0xc0 Sep 8 22:26:03 localhost kernel: ? pcie_do_recovery+0x1bb/0x240 Sep 8 22:26:03 localhost kernel: ? aer_recover_work_func+0xaa/0xd0 Sep 8 22:26:03 localhost kernel: ? process_one_work+0x1a7/0x360 .. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-8041:22: detected PCI disconnect. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: qla27xx_fwdt_entry_t262: dump ram MB failed. Area 5h start 198013h end 198013h Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: Unable to capture FW dump Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-1015:22: cmd=0x0, waited 5221 msecs Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-680d:22: mmio enabled returning. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-d04c:22: MBX Command timeout for cmd 0, iocontrol=ffffffff jiffies=10140f2e5 mb[0-3]=[0xffff 0xffff 0xffff 0xffff] Link: https://lore.kernel.org/r/20220110050218.3958-6-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 78612f2fe8e26637476d756a44f0f05cca0d97de Author: Quinn Tran Date: Sun Jan 9 21:02:07 2022 -0800 scsi: qla2xxx: Fix scheduling while atomic commit afd438ff874ca40b74321b3fa19bd61adfd7ca0c upstream. The driver makes a call into midlayer (fc_remote_port_delete) which can put the thread to sleep. The thread that originates the call is in interrupt context. The combination of the two trigger a crash. Schedule the call in non-interrupt context where it is more safe. kernel: BUG: scheduling while atomic: swapper/7/0/0x00010000 kernel: Call Trace: kernel: kernel: dump_stack+0x66/0x81 kernel: __schedule_bug.cold.90+0x5/0x1d kernel: __schedule+0x7af/0x960 kernel: schedule+0x28/0x80 kernel: schedule_timeout+0x26d/0x3b0 kernel: wait_for_completion+0xb4/0x140 kernel: ? wake_up_q+0x70/0x70 kernel: __wait_rcu_gp+0x12c/0x160 kernel: ? sdev_evt_alloc+0xc0/0x180 [scsi_mod] kernel: synchronize_sched+0x6c/0x80 kernel: ? call_rcu_bh+0x20/0x20 kernel: ? __bpf_trace_rcu_invoke_callback+0x10/0x10 kernel: sdev_evt_alloc+0xfd/0x180 [scsi_mod] kernel: starget_for_each_device+0x85/0xb0 [scsi_mod] kernel: ? scsi_init_io+0x360/0x3d0 [scsi_mod] kernel: scsi_init_io+0x388/0x3d0 [scsi_mod] kernel: device_for_each_child+0x54/0x90 kernel: fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc] kernel: qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx] kernel: qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx] kernel: qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx] kernel: qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx] kernel: qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx] kernel: qla24xx_process_response_queue+0x306/0x400 [qla2xxx] kernel: qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx] kernel: __handle_irq_event_percpu+0x40/0x180 kernel: handle_irq_event_percpu+0x30/0x80 kernel: handle_irq_event+0x36/0x60 Link: https://lore.kernel.org/r/20220110050218.3958-7-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d8fb8da69e194e0249b3cdb746ef09ce823ae26b Author: Quinn Tran Date: Sun Jan 9 21:02:05 2022 -0800 scsi: qla2xxx: Fix warning message due to adisc being flushed commit 64f24af75b79cba3b86b0760e27e0fa904db570f upstream. Fix warning message due to adisc being flushed. Linux kernel triggered a warning message where a different error code type is not matching up with the expected type. Add additional translation of one error code type to another. WARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498 qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] CPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1 .. GPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000 NIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] LR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] Call Trace: [c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable) [c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx] [c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx] [c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx] [c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx] [c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120 [c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0 [c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100 [c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40 [c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130 [c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [ c00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180 [c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60 [c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20] [c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290 [c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0 [c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330 [c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130 [c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0 [c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278 Link: https://lore.kernel.org/r/20220110050218.3958-5-njavali@marvell.com Cc: stable@vger.kernel.org Reported-by: Abdul Haleem Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8cfb250a8ef841ce51c08ce66e1c905629c66105 Author: Quinn Tran Date: Sun Jan 9 21:02:04 2022 -0800 scsi: qla2xxx: Fix stuck session in gpdb commit 725d3a0d31a51c0debf970011e05f585e805165b upstream. Fix stuck sessions in get port database. When a thread is in the process of re-establishing a session, a flag is set to prevent multiple threads / triggers from doing the same task. This flag was left on, where any attempt to relogin was locked out. Clear this flag, if the attempt has failed. Link: https://lore.kernel.org/r/20220110050218.3958-4-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit ceda7f794f3dfe272491e93e3e93049f8be5f07b Author: Saurav Kashyap Date: Sun Jan 9 21:02:03 2022 -0800 scsi: qla2xxx: Implement ref count for SRB commit 31e6cdbe0eae37badceb5e0d4f06cf051432fd77 upstream. The timeout handler and the done function are racing. When qla2x00_async_iocb_timeout() starts to run it can be preempted by the normal response path (via the firmware?). qla24xx_async_gpsc_sp_done() releases the SRB unconditionally. When scheduling back to qla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed sp->qpair pointer: qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21. qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21 qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400. qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx] Obvious solution to this is to introduce a reference counter. One reference is taken for the normal code path (the 'good' case) and one for the timeout path. As we always race between the normal good case and the timeout/abort handler we need to serialize it. Also we cannot assume any order between the handlers. Since this is slow path we can use proper synchronization via locks. When we are able to cancel a timer (del_timer returns 1) we know there can't be any error handling in progress because the timeout handler hasn't expired yet, thus we can safely decrement the refcounter by one. If we are not able to cancel the timer, we know an abort handler is running. We have to make sure we call sp->done() in the abort handlers before calling kref_put(). Link: https://lore.kernel.org/r/20220110050218.3958-3-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Co-developed-by: Daniel Wagner Signed-off-by: Daniel Wagner Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 195f11a89c0e696540457b16ea1206e7a642cd9c Author: Daniel Wagner Date: Sun Jan 9 21:02:02 2022 -0800 scsi: qla2xxx: Refactor asynchronous command initialization commit d4523bd6fd5d3afa9f08a86038a8a92176089f5b upstream. Move common open-coded asynchronous command initializing code such as setting up the timer and the done callback into one function. This is a preparation step and allows us later on to change the low level error flow handling at a central place. Link: https://lore.kernel.org/r/20220110050218.3958-2-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Daniel Wagner Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8ef9566aae222639e254a0cdf2e5ca78f280d177 Author: Ville Syrjälä Date: Fri Mar 11 23:28:45 2022 +0200 drm/i915: Reject unsupported TMDS rates on ICL+ commit 9cddf03b2af07443bebdc73cba21acb360c079e8 upstream. ICL+ PLLs can't genenerate certain frequencies. Running the PLL algorithms through for all frequencies 25-594MHz we see a gap just above 500 MHz. Specifically 500-522.8MHZ for TC PLLs, and 500-533.2 MHz for combo PHY PLLs. Reject those frequencies hdmi_port_clock_valid() so that we properly filter out unsupported modes and/or color depths for HDMI. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5247 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220311212845.32358-1-ville.syrjala@linux.intel.com Reviewed-by: Mika Kahola (cherry picked from commit e5086cb3f3d3f94091be29eec38cf13f8a75a778) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit 8c683d4d90bea004721db09cfa1863d2aab04b91 Author: Ville Syrjälä Date: Wed Mar 9 18:49:46 2022 +0200 drm/i915: Fix PSF GV point mask when SAGV is not possible commit 3ef8b5e19ead5a79600ea55f9549658281415893 upstream. Don't just mask off all the PSF GV points when SAGV gets disabled. This should in fact cause the Pcode to reject the request since at least one PSF point must remain enabled at all times. Cc: stable@vger.kernel.org Cc: Stanislav Lisovskiy Fixes: 192fbfb76744 ("drm/i915: Implement PSF GV point support") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220309164948.10671-7-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit 0fed4ddd18f064d2359b430c6e83ee60dd1f49b1) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit df06213334740f4001b10c69ed447b8f6a6f4262 Author: Ville Syrjälä Date: Wed Mar 9 18:49:41 2022 +0200 drm/i915: Treat SAGV block time 0 as SAGV disabled commit 1937f3feb0e84089ae4065e09c871b8ab4676f01 upstream. For modern platforms the spec explicitly states that a SAGV block time of zero means that SAGV is not supported. Let's extend that to all platforms. Supposedly there should be no systems where this isn't true, and it'll allow us to: - use the same code regardless of older vs. newer platform - wm latencies already treat 0 as disabled, so this fits well with other related code - make it a bit more clear when SAGV is used vs. not - avoid overflows from adding U32_MAX with a u16 wm0 latency value which could cause us to miscalculate the SAGV watermarks on tgl+ Cc: stable@vger.kernel.org Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220309164948.10671-2-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit d8f5855b31c0523ea3b171db8dfb998830e8735d) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit ab096ec04c902d351ea1fce3acb8ef9f4a25fc51 Author: Kees Cook Date: Thu Feb 24 19:56:09 2022 -0800 drm/dp: Fix off-by-one in register cache size commit d4da1f27396fb1dde079447a3612f4f512caed07 upstream. The pcon_dsc_dpcd array holds 13 registers (0x92 through 0x9E). Fix the math to calculate the max size. Found from a -Warray-bounds build: drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_pcon_dsc_bpp_incr': drivers/gpu/drm/drm_dp_helper.c:3130:28: error: array subscript 12 is outside array bounds of 'const u8[12]' {aka 'const unsigned char[12]'} [-Werror=array-bounds] 3130 | buf = pcon_dsc_dpcd[DP_PCON_DSC_BPP_INCR - DP_PCON_DSC_ENCODER]; | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/drm_dp_helper.c:3126:39: note: while referencing 'pcon_dsc_dpcd' 3126 | int drm_dp_pcon_dsc_bpp_incr(const u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE]) | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Fixes: e2e16da398d9 ("drm/dp_helper: Add support for Configuring DSC for HDMI2.1 Pcon") Cc: stable@vger.kernel.org Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/lkml/20211214001849.GA62559@embeddedor/ Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220105173310.2420598-1-keescook@chromium.org Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20220225035610.2552144-2-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit 6890b43293d969251dbb07e0cacb0bf06643d64a Author: Anders Roxell Date: Thu Feb 24 17:22:14 2022 +0100 powerpc: Fix build errors with newer binutils commit 8667d0d64dd1f84fd41b5897fd87fa9113ae05e3 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:1190: Error: unrecognized opcode: `stbcix' {standard input}:1433: Error: unrecognized opcode: `lwzcix' {standard input}:1453: Error: unrecognized opcode: `stbcix' {standard input}:1460: Error: unrecognized opcode: `stwcix' {standard input}:1596: Error: unrecognized opcode: `stbcix' ... Rework to add assembler directives [1] around the instruction. Going through them one by one shows that the changes should be safe. Like __get_user_atomic_128_aligned() is only called in p9_hmi_special_emu(), which according to the name is specific to power9. And __raw_rm_read*() are only called in things that are powernv or book3s_hv specific. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Cc: stable@vger.kernel.org Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool [mpe: Make commit subject more descriptive] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-2-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit b9eb4847a54e21503d3d973948a43bc0846d84e7 Author: Christophe Leroy Date: Fri Dec 24 11:07:40 2021 +0000 powerpc: Add set_memory_{p/np}() and remove set_memory_attr() commit f222ab83df92acf72691a2021e1f0d99880dcdf1 upstream. set_memory_attr() was implemented by commit 4d1755b6a762 ("powerpc/mm: implement set_memory_attr()") because the set_memory_xx() couldn't be used at that time to modify memory "on the fly" as explained it the commit. But set_memory_attr() uses set_pte_at() which leads to warnings when CONFIG_DEBUG_VM is selected, because set_pte_at() is unexpected for updating existing page table entries. The check could be bypassed by using __set_pte_at() instead, as it was the case before commit c988cfd38e48 ("powerpc/32: use set_memory_attr()") but since commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") it is now possible to use set_memory_xx() functions to update page table entries "on the fly" because the update is now atomic. For DEBUG_PAGEALLOC we need to clear and set back _PAGE_PRESENT. Add set_memory_np() and set_memory_p() for that. Replace all uses of set_memory_attr() by the relevant set_memory_xx() and remove set_memory_attr(). Fixes: c988cfd38e48 ("powerpc/32: use set_memory_attr()") Cc: stable@vger.kernel.org Reported-by: Maxime Bizon Signed-off-by: Christophe Leroy Tested-by: Maxime Bizon Reviewed-by: Russell Currey Depends-on: 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/cda2b44b55c96f9ac69fa92e68c01084ec9495c5.1640344012.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit c66d34e553d4a124151a992c445c8cb292f5e9ea Author: Anders Roxell Date: Thu Feb 24 17:22:15 2022 +0100 powerpc/lib/sstep: Fix build errors with newer binutils commit 8219d31effa7be5dbc7ff915d7970672e028c701 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:10576: Error: unrecognized opcode: `stbcx.' {standard input}:10680: Error: unrecognized opcode: `lharx' {standard input}:10694: Error: unrecognized opcode: `lbarx' Rework to add assembler directives [1] around the instruction. The problem with this might be that we can trick a power6 into single-stepping through an stbcx. for instance, and it will execute that in kernel mode. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-3-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit 5e0a7755afcc57478a606147cf2dd5b64ee2efc1 Author: Anders Roxell Date: Thu Feb 24 17:22:13 2022 +0100 powerpc/lib/sstep: Fix 'sthcx' instruction commit a633cb1edddaa643fadc70abc88f89a408fa834a upstream. Looks like there been a copy paste mistake when added the instruction 'stbcx' twice and one was probably meant to be 'sthcx'. Changing to 'sthcx' from 'stbcx'. Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Reported-by: Arnd Bergmann Signed-off-by: Anders Roxell Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-1-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit 73d8082c90f17dfba57cad4ca94db5cae323f1b1 Author: Nicholas Piggin Date: Fri Mar 11 12:47:33 2022 +1000 powerpc/tm: Fix more userspace r13 corruption commit 9d71165d3934e607070c4e48458c0cf161b1baea upstream. Commit cf13435b730a ("powerpc/tm: Fix userspace r13 corruption") fixes a problem in treclaim where a SLB miss can occur on the thread_struct->ckpt_regs while SCRATCH0 is live with the saved user r13 value, clobbering it with the kernel r13 and ultimately resulting in kernel r13 being stored in ckpt_regs. There is an equivalent problem in trechkpt where the user r13 value is loaded into r13 from chkpt_regs to be recheckpointed, but a SLB miss could occur on ckpt_regs accesses after that, which will result in r13 being clobbered with a kernel value and that will get recheckpointed and then restored to user registers. The same memory page is accessed right before this critical window where a SLB miss could cause corruption, so hitting the bug requires the SLB entry be removed within a small window of instructions, which is possible if a SLB related MCE hits there. PAPR also permits the hypervisor to discard this SLB entry (because slb_shadow->persistent is only set to SLB_NUM_BOLTED) although it's not known whether any implementations would do this (KVM does not). So this is an extremely unlikely bug, only found by inspection. Fix this by also storing user r13 in a temporary location on the kernel stack and don't change the r13 register from kernel r13 until the RI=0 critical section that does not fault. The SCRATCH0 change is not strictly part of the fix, it's only used in the RI=0 section so it does not have the same problem as the previous SCRATCH0 bug. Fixes: 98ae22e15b43 ("powerpc: Add helper functions for transactional memory context switching") Cc: stable@vger.kernel.org # v3.9+ Signed-off-by: Nicholas Piggin Acked-by: Michael Neuling Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220311024733.48926-1-npiggin@gmail.com Signed-off-by: Greg Kroah-Hartman commit e3d157a4b4f4e0268c98be5b7013bf4b31234bb6 Author: Chen Jingwen Date: Wed Dec 29 11:52:26 2021 +0800 powerpc/kasan: Fix early region not updated correctly commit dd75080aa8409ce10d50fb58981c6b59bf8707d3 upstream. The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negative as shown the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here. 1. False Positive: ================================================================== BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50 Write of size 16 at addr f57f3be0 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1 Call Trace: [c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable) [c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300 [c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200 [c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0 [c80d1cc0] [c03018a4] memset+0x34/0x90 [c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50 [c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570 [c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0 [c80d1db0] [c2036580] init_sd+0xc4/0x1d0 [c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c [c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384 [c80d1ef0] [c0004b14] kernel_init+0x24/0x170 [c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64 Memory state around the buggy address: f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== 2. False Negative (with KASAN tests): ================================================================== Before fix: ok 45 - kmalloc_double_kzfree # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039 KASAN failure expected in "((volatile char *)area)[3100]", but none occurred not ok 46 - vmalloc_oob not ok 1 - kasan ================================================================== After fix: ok 1 - kasan Fixes: cbd18991e24fe ("powerpc/mm: Fix an Oops in kasan_mmu_init()") Cc: stable@vger.kernel.org # 5.4.x Signed-off-by: Chen Jingwen Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211229035226.59159-1-chenjingwen6@huawei.com Signed-off-by: Greg Kroah-Hartman commit 8cdf9e9685a21adf04cd9ae84b5508db830a1ef2 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:42 2022 +0100 KVM: x86: hyper-v: HVCALL_SEND_IPI_EX is an XMM fast hypercall commit 47d3e5cdfe607ec6883eb0faa7acf05b8cb3f92a upstream. It has been proven on practice that at least Windows Server 2019 tries using HVCALL_SEND_IPI_EX in 'XMM fast' mode when it has more than 64 vCPUs and it needs to send an IPI to a vCPU > 63. Similarly to other XMM Fast hypercalls (HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE}{,_EX}), this information is missing in TLFS as of 6.0b. Currently, KVM returns an error (HV_STATUS_INVALID_HYPERCALL_INPUT) and Windows crashes. Note, HVCALL_SEND_IPI is a 'standard' fast hypercall (not 'XMM fast') as all its parameters fit into RDX:R8 and this is handled by KVM correctly. Cc: stable@vger.kernel.org # 5.14.x: 3244867af8c0: KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req Cc: stable@vger.kernel.org # 5.14.x Fixes: d8f5537a8816 ("KVM: hyper-v: Advertise support for fast XMM hypercalls") Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-5-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e30fc87fcc0a3b9c763e554a5be2d0ae762e0813 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:41 2022 +0100 KVM: x86: hyper-v: Fix the maximum number of sparse banks for XMM fast TLB flush hypercalls commit 7321f47eada53a395fb3086d49297eebb19e8e58 upstream. When TLB flush hypercalls (HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE}_EX are issued in 'XMM fast' mode, the maximum number of allowed sparse_banks is not 'HV_HYPERCALL_MAX_XMM_REGISTERS - 1' (5) but twice as many (10) as each XMM register is 128 bit long and can hold two 64 bit long banks. Cc: stable@vger.kernel.org # 5.14.x Fixes: 5974565bc26d ("KVM: x86: kvm_hv_flush_tlb use inputs from XMM registers") Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-4-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8c3c4929e250bf7199b8cf41a0075a088edc384a Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:40 2022 +0100 KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_flush_tlb() commit 82c1ead0d678af31e5d883656c12096a0004178b upstream. 'struct kvm_hv_hcall' has all the required information already, there's no need to pass 'ex' additionally. No functional change intended. Cc: stable@vger.kernel.org # 5.14.x Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-3-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9ae38d8ba3d003b54638077b6d6030950f12739c Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:39 2022 +0100 KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_send_ipi() commit 50e523dd79f6a856d793ce5711719abe27cffbf2 upstream. 'struct kvm_hv_hcall' has all the required information already, there's no need to pass 'ex' additionally. No functional change intended. Cc: stable@vger.kernel.org # 5.14.x Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-2-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 3a87cf9ea83a541faba1df03eb44c9786efa1538 Author: Sean Christopherson Date: Sat Feb 26 00:15:20 2022 +0000 KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU commit 3354ef5a592d219364cf442c2f784ce7ad7629fd upstream. Explicitly check for present SPTEs when clearing dirty bits in the TDP MMU. This isn't strictly required for correctness, as setting the dirty bit in a defunct SPTE will not change the SPTE from !PRESENT to PRESENT. However, the guarded MMU_WARN_ON() in spte_ad_need_write_protect() would complain if anyone actually turned on KVM's MMU debugging. Fixes: a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU") Cc: Ben Gardon Signed-off-by: Sean Christopherson Reviewed-by: Ben Gardon Message-Id: <20220226001546.360188-3-seanjc@google.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8cf6f98ab1d16d5e607635a0c21c4231eb15367e Author: Sean Christopherson Date: Wed Dec 15 01:15:56 2021 +0000 KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU commit d62007edf01f5c11f75d0f4b1e538fc52a5b1982 upstream. Zap both valid and invalid roots when zapping/unmapping a gfn range, as KVM must ensure it holds no references to the freed page after returning from the unmap operation. Most notably, the TDP MMU doesn't zap invalid roots in mmu_notifier callbacks. This leads to use-after-free and other issues if the mmu_notifier runs to completion while an invalid root zapper yields as KVM fails to honor the requirement that there must be _no_ references to the page after the mmu_notifier returns. The bug is most easily reproduced by hacking KVM to cause a collision between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug exists between kvm_mmu_notifier_invalidate_range_start() and memslot updates as well. Invalidating a root ensures pages aren't accessible by the guest, and KVM won't read or write page data itself, but KVM will trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing a zap of an invalid root _after_ the mmu_notifier returns is fatal. WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm] RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm] Call Trace: kvm_set_pfn_dirty+0xa8/0xe0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] zap_gfn_range+0x1f3/0x310 [kvm] kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm] kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm] set_nx_huge_pages+0xb4/0x190 [kvm] param_attr_store+0x70/0x100 module_attr_store+0x19/0x30 kernfs_fop_write_iter+0x119/0x1b0 new_sync_write+0x11c/0x1b0 vfs_write+0x1cc/0x270 ksys_write+0x5f/0xe0 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: b7cccd397f31 ("KVM: x86/mmu: Fast invalidation for TDP MMU") Cc: stable@vger.kernel.org Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 2bccda7d377833f65d8c031203f594493e6528ff Author: Sean Christopherson Date: Wed Dec 15 01:15:55 2021 +0000 KVM: x86/mmu: Move "invalid" check out of kvm_tdp_mmu_get_root() commit 04dc4e6ce274fa729feda32aa957b27388a3870c upstream. Move the check for an invalid root out of kvm_tdp_mmu_get_root() and into the one place it actually matters, tdp_mmu_next_root(), as the other user already has an implicit validity check. A future bug fix will need to get references to invalid roots to honor mmu_notifier requests; there's no point in forcing what will be a common path to open code getting a reference to a root. No functional change intended. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit b441a8809cc2e3bb029c0578c2e3c4e5824044f6 Author: Sean Christopherson Date: Wed Dec 15 01:15:54 2021 +0000 KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook commit 83b83a02073ec8d18c77a9bbe0881d710f7a9d32 upstream. Use the common TDP MMU zap helper when handling an MMU notifier unmap event, the two flows are semantically identical. Consolidate the code in preparation for a future bug fix, as both kvm_tdp_mmu_unmap_gfn_range() and __kvm_tdp_mmu_zap_gfn_range() are guilty of not zapping SPTEs in invalid roots. No functional change intended. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 54de76154ab841ac651581f9d520ab702fda6de0 Author: Paolo Bonzini Date: Wed Feb 9 04:56:05 2022 -0500 KVM: x86: Reinitialize context if host userspace toggles EFER.LME commit d6174299365ddbbf491620c0b8c5ca1a6ef2eea5 upstream. While the guest runs, EFER.LME cannot change unless CR0.PG is clear, and therefore EFER.NX is the only bit that can affect the MMU role. However, set_efer accepts a host-initiated change to EFER.LME even with CR0.PG=1. In that case, the MMU has to be reset. Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes") Cc: stable@vger.kernel.org Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit ad0a0b0bf6fe404c3c07ac8b09074b40e8385211 Author: Suravee Suthikulpanit Date: Thu Feb 10 18:08:51 2022 -0600 KVM: SVM: Allow AVIC support on system w/ physical APIC ID > 255 commit 4a204f7895878363ca8211f50ec610408c8c70aa upstream. Expand KVM's mask for the AVIC host physical ID to the full 12 bits defined by the architecture. The number of bits consumed by hardware is model specific, e.g. early CPUs ignored bits 11:8, but there is no way for KVM to enumerate the "true" size. So, KVM must allow using all bits, else it risks rejecting completely legal x2APIC IDs on newer CPUs. This means KVM relies on hardware to not assign x2APIC IDs that exceed the "true" width of the field, but presumably hardware is smart enough to tie the width to the max x2APIC ID. KVM also relies on hardware to support at least 8 bits, as the legacy xAPIC ID is writable by software. But, those assumptions are unavoidable due to the lack of any way to enumerate the "true" width. Cc: stable@vger.kernel.org Cc: Maxim Levitsky Suggested-by: Sean Christopherson Reviewed-by: Sean Christopherson Fixes: 44a95dae1d22 ("KVM: x86: Detect and Initialize AVIC support") Signed-off-by: Suravee Suthikulpanit Message-Id: <20220211000851.185799-1-suravee.suthikulpanit@amd.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 58eb76ae93ccfdd2932088bead6cc8ccf3a8b836 Author: Matt Kramer Date: Tue Mar 22 13:48:17 2022 -0700 ALSA: hda/realtek: Add alc256-samsung-headphone fixup [ Upstream commit ef248d9bd616b04df8be25539a4dc5db4b6c56f4 ] This fixes the near-silence of the headphone jack on the ALC256-based Samsung Galaxy Book Flex Alpha (NP730QCJ). The magic verbs were found through trial and error, using known ALC298 hacks as inspiration. The fixup is auto-enabled only when the NP730QCJ is detected. It can be manually enabled using model=alc256-samsung-headphone. Signed-off-by: Matt Kramer Link: https://lore.kernel.org/r/3168355.aeNJFYEL58@linus Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 55e343e03081eb314d20a60a802ff6cde148e97c Author: Mauro Carvalho Chehab Date: Mon Mar 14 18:11:38 2022 +0100 media: atomisp: fix bad usage at error handling logic [ Upstream commit fc0b582c858ed73f94c8f3375c203ea46f1f7402 ] As warned by sparse: atomisp: drivers/staging/media/atomisp/pci/atomisp_acc.c:508 atomisp_acc_load_extensions() warn: iterator used outside loop: 'acc_fw' The acc_fw interactor is used outside the loop, at the error handling logic. On most cases, this is actually safe there, but, if atomisp_css_set_acc_parameters() has an error, an attempt to use it will pick an invalid value for acc_fw. Reported-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9b9f6227e8d0c7c46b6d9d7b8a5c4e0536049fcf Author: Miaoqian Lin Date: Wed Mar 16 01:40:57 2022 +0000 ASoC: mediatek: Fix error handling in mt8183_da7219_max98357_dev_probe [ Upstream commit 28a265a1ee11febeec5ea73a804f30dcec3181ca ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. Fix this by calling of_node_put() in error handling too. Signed-off-by: Miaoqian Lin Reviewed-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20220316014059.19292-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e07547a45e507be37f6ab0e53c850f7720f6875f Author: Ulf Hansson Date: Thu Mar 3 17:51:42 2022 +0100 mmc: host: Return an error when ->enable_sdio_irq() ops is missing [ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ] Even if the current WARN() notifies the user that something is severely wrong, we can still end up in a PANIC() when trying to invoke the missing ->enable_sdio_irq() ops. Therefore, let's also return an error code and prevent the host from being added. While at it, move the code into a separate function to prepare for subsequent changes and for further host caps validations. Signed-off-by: Ulf Hansson Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org Signed-off-by: Sasha Levin commit 0c53a5c80e6e286733381a1d9f255ba4039e2e45 Author: Steven Rostedt (Google) Date: Thu Mar 10 23:27:38 2022 -0500 tracing: Have TRACE_DEFINE_ENUM affect trace event types as well [ Upstream commit b3bc8547d3be60898818885f5bf22d0a62e2eb48 ] The macro TRACE_DEFINE_ENUM is used to convert enums in the kernel to their actual value when they are exported to user space via the trace event format file. Currently only the enums in the "print fmt" (TP_printk in the TRACE_EVENT macro) have the enums converted. But the enums can be used to denote array size: field:unsigned int fc_ineligible_rc[EXT4_FC_REASON_MAX]; offset:12; size:36; signed:0; The EXT4_FC_REASON_MAX has no meaning to userspace but it needs to know that information to know how to parse the array. Have the array indexes also be parsed as well. Link: https://lore.kernel.org/all/cover.1646922487.git.riteshh@linux.ibm.com/ Reported-by: Ritesh Harjani Tested-by: Ritesh Harjani Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 18c49e2784c650719c46a528d3ba90d17606bbbe Author: Pierre-Louis Bossart Date: Tue Mar 8 13:26:05 2022 -0600 ASoC: Intel: sof_es8336: log all quirks [ Upstream commit 9c818d849192491a8799b1cb14ca0f7aead4fb09 ] We only logged the SSP quirk, make sure the GPIO and DMIC quirks are exposed. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-16-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 811c56ff14bef932b6a55603782827d43d99d91a Author: Pierre-Louis Bossart Date: Tue Mar 8 13:26:03 2022 -0600 ASoC: Intel: Revert "ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021" [ Upstream commit 1b5283483a782f6560999d8d5965b1874d104812 ] This reverts commit ce6a70bfce21bb4edb7c0f29ecfb0522fa34ab71. The next patch will add run-time detection of the required SSP and this hard-coded quirk is not needed. Acked-by: Mauro Carvalho Chehab Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-14-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c831f4ee404c86065740bcbfc84397715f131695 Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:59 2022 -0600 ALSA: intel-dspconfig: add ES8336 support for CNL [ Upstream commit cded07a2dccd5493696a3adce175f01e413423c6 ] We're missing this check for the CNL PCI id Reported-by: Nikolai Kostrigin Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Acked-by: Takashi Iwai Link: https://lore.kernel.org/r/20220308192610.392950-10-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2196c22a5e4f7d970e1073916b64f53e468b8a35 Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:58 2022 -0600 ASoC: Intel: soc-acpi: add more ACPI HIDs for ES83x6 devices [ Upstream commit 1cedb6eabf0f2dd8285d3bb0ce1abd2369529084 ] We only saw ESSX8336 so far, but now with reports of 'ESSX8326' we need to expand to a full list. Let's reuse the 'snd_soc_acpi_codecs' structure to store the information. Note that ES8326 will need a dedicated codec driver, but the plan is to use the same machine driver for all Everest Audio devices. Reported-by: anthony tonitch Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-9-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a97c2533fcf8df7753872bbe655d90ada979b63b Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:57 2022 -0600 ALSA: intel-dsp-config: add more ACPI HIDs for ES83x6 devices [ Upstream commit de24d97fb845ffd2229811ee256438e42b5a8d12 ] We only saw ESSX8336 so far, but now with reports of 'ESSX8326' we need to expand to a full list. Let's reuse the 'snd_soc_acpi_codecs' structure to store the information. Reported-by: anthony tonitch Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Acked-by: Takashi Iwai Link: https://lore.kernel.org/r/20220308192610.392950-8-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d7af34e087e43788c0f131a8b30b7cc7344a07ef Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:54 2022 -0600 ALSA: intel-nhlt: add helper to detect SSP link mask [ Upstream commit 0c470db0399e17310ed2ba54dd1c25cfa16ce0d3 ] The NHLT information can be used to figure out which SSPs are enabled in a platform. The 'SSP' link type is too broad for machine drivers, since it can cover the Bluetooth sideband and the analog audio codec connections, so this helper exposes a parameter to filter with the device type (DEVICE_I2S refers to analog audio codec in NHLT parlance). The helper returns a mask, since more than one SSP may be used for analog audio, e.g. the NHLT spec describes the use of SSP0 for amplifiers and SSP1 for headset codec. Note that if more than one bit is set, it's impossible to determine which SSP is connected to what external component. Additional platform-specific information based on e.g. DMI quirks would still be required in the machine driver to configure the relevant dailinks. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Acked-by: Takashi Iwai Link: https://lore.kernel.org/r/20220308192610.392950-5-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 77b41dc304ae3b4bf596141cdb256ee2757c5941 Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:53 2022 -0600 ASoC: SOF: Intel: hda: retrieve DMIC number for I2S boards [ Upstream commit 92c1b7c0f780f0084f7b114be316ae4e182676e5 ] We currently extract the DMIC number only for HDaudio or SoundWire platforms. For I2S/TDM platforms, this wasn't necessary until now, but with devices with ES8336 we need to find a solution to detect dmics more reliably than with a DMI quirk. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ec872307e0d25cec92a7d44bc8997eedde019b2c Author: Anthony I Gilea Date: Fri Mar 4 14:45:32 2022 -0600 ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13" [ Upstream commit ce73ef6ec67104d1fcc4c5911d77ce83288a0998 ] HP changed the DMI identification for 2022 devices: Product Name: HP Spectre x360 Conv 13-ap0001na Product Name: 8709 This patch relaxes the DMI_MATCH criterion to work with all versions of this product. Reviewed-by: Rander Wang Signed-off-by: Anthony I Gilea Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220304204532.54675-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3c428a62c5018774c6cdd436dba202c08c86cdb1 Author: Pierre-Louis Bossart Date: Fri Mar 4 14:57:32 2022 -0600 ASoC: SOF: debug: clarify operator precedence [ Upstream commit 9188812539d1d9a13dac690c95ec657259859ba4 ] cppcheck warning: for '&' and '?'. [clarifyCalculation] char *level = flags & SOF_DBG_DUMP_OPTIONAL ? KERN_DEBUG : KERN_ERR; ^ sound/soc/sof/debug.c:398:46: style: Clarify calculation precedence Reviewed-by: Ranjani Sridharan Reviewed-by: Péter Ujfalusi Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220304205733.62233-10-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 440722ab7c7f73e4589ade43264bf7ab5f5a69bb Author: Dongliang Mu Date: Fri Feb 18 10:41:30 2022 +0100 media: hdpvr: initialize dev->worker at hdpvr_register_videodev [ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ] hdpvr_register_videodev is responsible to initialize a worker in hdpvr_device. However, the worker is only initialized at hdpvr_start_streaming other than hdpvr_register_videodev. When hdpvr_probe does not initialize its worker, the hdpvr_disconnect will encounter one WARN in flush_work.The stack trace is as follows: hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425 usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1206 [inline] device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237 bus_remove_device+0x108/0x160 drivers/base/bus.c:529 device_del+0x1fe/0x510 drivers/base/core.c:3592 usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419 usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228 Fix this by moving the initialization of dev->worker to the starting of hdpvr_register_videodev Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit abf592a68d5d2ebf17f7784ad36d82fb07b05ceb Author: Pavel Skripkin Date: Thu Jan 20 20:37:30 2022 +0100 media: Revert "media: em28xx: add missing em28xx_close_extension" [ Upstream commit fde18c3bac3f964d8333ae53b304d8fee430502b ] This reverts commit 2c98b8a3458df03abdc6945bbef67ef91d181938. Reverted patch causes problems with Hauppauge WinTV dualHD as Maximilian reported [1]. Since quick solution didn't come up let's just revert it to make this device work with upstream kernels. Link: https://lore.kernel.org/all/6a72a37b-e972-187d-0322-16336e12bdc5@elbmurf.de/ [1] Reported-by: Maximilian Böhm Tested-by: Maximilian Böhm Signed-off-by: Pavel Skripkin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 64b2e9721c74655af5a7c42fa9e417286dae6e19 Author: Hans de Goede Date: Thu Feb 3 13:33:12 2022 +0100 media: i2c: ov5648: Fix lockdep error [ Upstream commit d4cb5d3c4cee28aa89b02bc33d930a6cf75e7f79 ] ov5648_state_init() calls ov5648_state_mipi_configure() which uses __v4l2_ctrl_s_ctrl[_int64](). This means that sensor->mutex (which is also sensor->ctrls.handler.lock) must be locked before calling ov5648_state_init(). ov5648_state_mipi_configure() is also used in other places where the lock is already held so it cannot be changed itself. Note this is based on an identical (tested) fix for the ov8865 driver, this has only been compile-tested. Cc: Paul Kocialkowski Reviewed-by: Paul Kocialkowski Signed-off-by: Hans de Goede Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit 809b8cde86320698661eec677222bc5c5df76176 Author: Zheyu Ma Date: Wed Mar 2 22:33:11 2022 +0800 video: fbdev: sm712fb: Fix crash in smtcfb_write() [ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ] When the sm712fb driver writes three bytes to the framebuffer, the driver will crash: BUG: unable to handle page fault for address: ffffc90001ffffff RIP: 0010:smtcfb_write+0x454/0x5b0 Call Trace: vfs_write+0x291/0xd60 ? do_sys_openat2+0x27d/0x350 ? __fget_light+0x54/0x340 ksys_write+0xce/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fix it by removing the open-coded endianness fixup-code. Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 2437cef0b3def06c7bc237fd4c0cfd5d8ea16df7 Author: Vijendar Mukunda Date: Sat Feb 26 01:00:25 2022 +0530 ASoC: amd: vangogh: fix uninitialized symbol warning in machine driver [ Upstream commit 6f989800639a7a29ab9a02e165b04dc144dd4f2b ] Fixed below smatch static checker warning. sound/soc/amd/vangogh/acp5x-mach.c:190 acp5x_cs35l41_hw_params() error: uninitialized symbol 'ret'. Reported-by: Dan Carpenter Signed-off-by: Vijendar Mukunda Link: https://lore.kernel.org/r/20220225193054.24916-4-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 710130b87c07e76670162fe1d36e0eb898045420 Author: Vijendar Mukunda Date: Sat Feb 26 01:00:22 2022 +0530 ASoC: amd: vg: fix for pm resume callback sequence [ Upstream commit 83b713619ee1b15e09eae11a92a7f3305534223d ] The previous condition is used to cross check only the active stream status for I2S HS instance playback and capture use cases. Modified logic to invoke sequence for two i2s controller instances. This also fixes warnings reported by kernel robot: "warning: variable 'frmt_val' set but not used" "warning: variable 'reg_val' set but not used" Reported-by: kernel test robot Signed-off-by: Vijendar Mukunda Link: https://lore.kernel.org/r/20220225193054.24916-1-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8f3c2cf5d62000f606899a968df3d0479d4b1224 Author: Uwe Kleine-König Date: Mon Jul 26 22:01:58 2021 +0200 ARM: mmp: Fix failure to remove sram device [ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ] Make sure in .probe() to set driver data before the function is left to make it possible in .remove() to undo the actions done. This fixes a potential memory leak and stops returning an error code in .remove() that is ignored by the driver core anyhow. Signed-off-by: Uwe Kleine-König Reviewed-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit a51e2c5a13c01cece90bcacd6b5b47492b0946a5 Author: Richard Leitner Date: Wed Dec 1 17:11:48 2021 +0100 ARM: tegra: tamonten: Fix I2C3 pad setting [ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ] This patch fixes the tristate configuration for i2c3 function assigned to the dtf pins on the Tamonten Tegra20 SoM. Signed-off-by: Richard Leitner Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 72df12d11ec59bf5968a865714326ead414002f6 Author: Arnd Bergmann Date: Wed Feb 16 13:48:06 2022 +0100 lib/test_lockup: fix kernel pointer check for separate address spaces [ Upstream commit 5a06fcb15b43d1f7bf740c672950122331cb5655 ] test_kernel_ptr() uses access_ok() to figure out if a given address points to user space instead of kernel space. However on architectures that set CONFIG_ALTERNATE_USER_ADDRESS_SPACE, a pointer can be valid for both, and the check always fails because access_ok() returns true. Make the check for user space pointers conditional on the type of address space layout. Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit ce93c7a9ea566e209d70a011261d31407b4aec1f Author: Arnd Bergmann Date: Mon Feb 14 20:22:10 2022 +0100 uaccess: fix type mismatch warnings from access_ok() [ Upstream commit 23fc539e81295b14b50c6ccc5baeb4f3d59d822d ] On some architectures, access_ok() does not do any argument type checking, so replacing the definition with a generic one causes a few warnings for harmless issues that were never caught before. Fix the ones that I found either through my own test builds or that were reported by the 0-day bot. Reported-by: kernel test robot Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 5e712d66168c4e79ede30c844dd8ccc8d1587d65 Author: Svyatoslav Ryhel Date: Tue Feb 8 00:28:24 2022 +0300 ARM: tegra: transformer: Drop reg-shift for Tegra HS UART [ Upstream commit 79b788bfc787b60699d46b9e273b42ebe18336b3 ] When the Tegra High-Speed UART is used instead of the regular UART, the reg-shift property is implied from the compatible string and should not be explicitly listed. Signed-off-by: Svyatoslav Ryhel Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit bb0446cbe0ee812d557b743b6193d1cd33e9b80d Author: Derek Fang Date: Wed Feb 23 18:14:50 2022 +0800 ASoC: rt5682s: Fix the wrong jack type detected [ Upstream commit c07ac3ee76e5e5506bca9c03fbbb15e40ab28430 ] Some powers were changed during the jack insert detection and clk's enable/disable in CCF. If in parallel, the influence has a chance to detect the wrong jack type. We refer to the below commit of the variant codec (rt5682) to fix this issue. ASoC: rt5682: Fix deadlock on resume 1. Remove rt5682s_headset_detect in rt5682s_jd_check_handler and use jack_detect_work instead of. 2. Use dapm mutex used in CCF to protect most of jack_detect_work. Signed-off-by: Derek Fang Link: https://lore.kernel.org/r/20220223101450.4577-1-derek.fang@realtek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5a0d964168537417d15c433526f9608e60bdaa8e Author: Daniel González Cabanelas Date: Sun Feb 20 19:19:50 2022 +0100 media: cx88-mpeg: clear interrupt status register before streaming video [ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ] Some cx88 video cards may have transport stream status interrupts set to 1 from cold start, causing errors like this: cx88xx: cx88_print_irqbits: core:irq mpeg [0x100000] ts_err?* cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000 According to CX2388x datasheet, the interrupt status register should be cleared before enabling IRQs to stream video. Fix it by clearing the Transport Stream Interrupt Status register. Signed-off-by: Daniel González Cabanelas Signed-off-by: Sasha Levin commit e209e6db2e527db6a93b14c2deedf969caca78fc Author: Ming Qian Date: Mon Feb 7 14:28:43 2022 +0800 media: imx-jpeg: fix a bug of accessing array out of bounds [ Upstream commit 97558d170a1236280407e8d29a7d095d2c2ed554 ] When error occurs in parsing jpeg, the slot isn't acquired yet, it may be the default value MXC_MAX_SLOTS. If the driver access the slot using the incorrect slot number, it will access array out of bounds. The result is the driver will change num_domains, which follows slot_data in struct mxc_jpeg_dev. Then the driver won't detach the pm domain at rmmod, which will lead to kernel panic when trying to insmod again. Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit f0030a55beb8932a9ce9c38fb57d61a11f31de83 Author: Mauro Carvalho Chehab Date: Fri Dec 24 14:09:50 2021 +0100 ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021 [ Upstream commit ce6a70bfce21bb4edb7c0f29ecfb0522fa34ab71 ] Huawei D15 uses SSP_CODEC(0). Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/d560a1c76edb633c37acf04a9a82518b6233a719.1640351150.git.mchehab@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 08646da2f5d11de73c66040b9bc865e71c10290c Author: Shengjiu Wang Date: Thu Feb 10 19:19:12 2022 +0800 ASoC: soc-core: skip zero num_dai component in searching dai name [ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ] In the case like dmaengine which's not a dai but as a component, the num_dai is zero, dmaengine component has the same component_of_node as cpu dai, when cpu dai component is not ready, but dmaengine component is ready, try to get cpu dai name, the snd_soc_get_dai_name() return -EINVAL, not -EPROBE_DEFER, that cause below error: asoc-simple-card : parse error -22 asoc-simple-card: probe of failed with error -22 The sound card failed to probe. So this patch fixes the issue above by skipping the zero num_dai component in searching dai name. Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cf09d44474e49596b70f9e0c0a281e4a74c52905 Author: Richard Schleich Date: Tue Dec 21 23:48:30 2021 +0100 ARM: dts: bcm2711: Add the missing L1/L2 cache information [ Upstream commit 618682b350990f8f1bee718949c4b3858711eb58 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2711 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 5e59394ec01b01d70f439d6cefa7c8901697bbf2 Author: Jing Yao Date: Thu Nov 4 11:52:29 2021 +0000 video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit [ Upstream commit 81a998288956d09d7a7a2303d47e4d60ad55c401 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 381c1e21e40b5aad1ff86aa99beeabf1ca1d24a3 Author: Jing Yao Date: Fri Nov 5 08:20:44 2021 +0000 video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() [ Upstream commit c07a039cbb96748f54c02995bae8131cc9a73b0a ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 4397e43c537e88549e0a9d4987dc848b6ae09448 Author: Jing Yao Date: Fri Nov 5 08:13:33 2021 +0000 video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf() [ Upstream commit f63658a59c3d439c8ad7b290f8ec270980e0f384 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit e7381572f588638a15e1eb29521b1ff1161e8927 Author: Marcel Ziswiler Date: Fri Jan 28 17:00:56 2022 +0100 arm64: defconfig: build imx-sdma as a module [ Upstream commit e95622289f263662240544a9f0009b25c19e64d4 ] This avoids firmware load error and sysfs fallback reported as follows: [ 0.199448] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2 [ 0.199487] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 78da6c830dd57b6e2d4a51e63b459c91c1a780a6 Author: Abel Vesa Date: Thu Jan 27 16:10:51 2022 +0200 ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk [ Upstream commit 4cb7df64c732b2b9918424095c11660c2a8c4a33 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. Moreover, the consumer driver of the mentioned clock might gate it and leave the ECSPI2 (the true owner of that gate) hanging. So lets use the audio_mclk_post_div, which is the parent. Signed-off-by: Abel Vesa Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 90f9083c6711acc2c03d39200df7e252fcdcab65 Author: Takashi Iwai Date: Wed Feb 9 09:19:12 2022 +0100 ALSA: hda: Fix driver index handling at re-binding [ Upstream commit 69458e2c27800da7697c87ed908b65323ef3f3bd ] HD-audio driver handles the multiple instances and keeps the static index that is incremented at each probe. This becomes a problem when user tries to re-bind the device via sysfs multiple times; as the device index isn't cleared unlike rmmod case, it points to the next element at re-binding, and eventually later you can't probe any more when it reaches to SNDRV_CARDS_MAX (usually 32). This patch is an attempt to improve the handling at rebinding. Instead of a static device index, now we keep a bitmap and assigns to the first zero bit position. At the driver remove, in return, the bitmap slot is cleared again, so that it'll be available for the next probe. Reported-by: Alexander Sergeyev Link: https://lore.kernel.org/r/20220209081912.20687-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 07b8403b9f5efe610b3be724f4ba1d08c7ecc033 Author: Ard Biesheuvel Date: Sun Jan 23 20:18:33 2022 +0100 ARM: ftrace: avoid redundant loads or clobbering IP [ Upstream commit d11967870815b5ab89843980e35aab616c97c463 ] Tweak the ftrace return paths to avoid redundant loads of SP, as well as unnecessary clobbering of IP. This also fixes the inconsistency of using MOV to perform a function return, which is sub-optimal on recent micro-architectures but more importantly, does not perform an interworking return, unlike compiler generated function returns in Thumb2 builds. Let's fix this by popping PC from the stack like most ordinary code does. Signed-off-by: Ard Biesheuvel Reviewed-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 2a4be3f39f1c436f2f59902247a90d705fe76e2d Author: Tsuchiya Yuto Date: Sun Oct 17 18:23:33 2021 +0200 media: atomisp: fix dummy_ptr check to avoid duplicate active_bo [ Upstream commit 127efdbc51fe6064336c0452ce9c910b3e107cf0 ] The dummy_ptr check in hmm_init() [1] results in the following "hmm_init Failed to create sysfs" error exactly once every two times on atomisp reload by rmmod/insmod (although atomisp module loads and works fine regardless of this error): [ 140.230662] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:03.0/active_bo' [ 140.230668] CPU: 1 PID: 2502 Comm: insmod Tainted: G C OE 5.15.0-rc4-1-surface-mainline #1 b8acf6eb64994414b2e20bad312a7a2c45f748f9 [ 140.230675] Hardware name: OEMB OEMB/OEMB, BIOS 1.51116.238 03/09/2015 [ 140.230678] Call Trace: [ 140.230687] dump_stack_lvl+0x46/0x5a [ 140.230702] sysfs_warn_dup.cold+0x17/0x24 [ 140.230710] sysfs_add_file_mode_ns+0x160/0x170 [ 140.230717] internal_create_group+0x126/0x390 [ 140.230723] hmm_init+0x5c/0x70 [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230811] atomisp_pci_probe.cold+0x1136/0x148e [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230875] local_pci_probe+0x45/0x80 [ 140.230882] ? pci_match_device+0xd7/0x130 [ 140.230887] pci_device_probe+0xfa/0x1b0 [ 140.230892] really_probe+0x1f5/0x3f0 [ 140.230899] __driver_probe_device+0xfe/0x180 [ 140.230903] driver_probe_device+0x1e/0x90 [ 140.230908] __driver_attach+0xc0/0x1c0 [ 140.230912] ? __device_attach_driver+0xe0/0xe0 [ 140.230915] ? __device_attach_driver+0xe0/0xe0 [ 140.230919] bus_for_each_dev+0x89/0xd0 [ 140.230924] bus_add_driver+0x12b/0x1e0 [ 140.230929] driver_register+0x8f/0xe0 [ 140.230933] ? 0xffffffffc153f000 [ 140.230937] do_one_initcall+0x57/0x220 [ 140.230945] do_init_module+0x5c/0x260 [ 140.230952] load_module+0x24bd/0x26a0 [ 140.230962] ? __do_sys_finit_module+0xae/0x110 [ 140.230966] __do_sys_finit_module+0xae/0x110 [ 140.230972] do_syscall_64+0x5c/0x80 [ 140.230979] ? syscall_exit_to_user_mode+0x23/0x40 [ 140.230983] ? do_syscall_64+0x69/0x80 [ 140.230988] ? exc_page_fault+0x72/0x170 [ 140.230991] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 140.230997] RIP: 0033:0x7f7fd5d8718d [ 140.231003] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 140.231006] RSP: 002b:00007ffefc25f0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 140.231012] RAX: ffffffffffffffda RBX: 000055ac3edcd7f0 RCX: 00007f7fd5d8718d [ 140.231015] RDX: 0000000000000000 RSI: 000055ac3d723270 RDI: 0000000000000003 [ 140.231017] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f7fd5e52380 [ 140.231019] R10: 0000000000000003 R11: 0000000000000246 R12: 000055ac3d723270 [ 140.231021] R13: 0000000000000000 R14: 000055ac3edd06e0 R15: 0000000000000000 [ 140.231038] atomisp-isp2 0000:00:03.0: hmm_init Failed to create sysfs The problem is that dummy_ptr == 0 is a valid value. So, change the logic which checks if dummy_ptr was allocated. At this point, atomisp now gives WARN_ON() in hmm_free() [2] on atomisp reload by rmmod/insmod. Again, the check is wrong there. So, change both checks for mmgr_EXCEPTION, which is the error value when HMM allocation fails, and initialize dummy_ptr with such value. [1] added on commit d9ab83953fa7 ("media: atomisp: don't cause a warn if probe failed") [2] added on commit b83cc378dfc4 ("atomisp: clean up the hmm init/cleanup indirections") Link: https://lore.kernel.org/linux-media/20211017162337.44860-3-kitakar@gmail.com Signed-off-by: Tsuchiya Yuto Co-developed-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit dde1a2d837af538ff4733f3b6a1f3051de215855 Author: Hans de Goede Date: Sun Jan 16 22:52:04 2022 +0100 media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards [ Upstream commit 2c39a01154ea57d596470afa1d278e3be3b37f6a ] The TrekStor SurfTab duo W1 10.1 has a hw bug where turning eldo2 back on after having turned it off causes the CPLM3218 ambient-light-sensor on the front camera sensor's I2C bus to crash, hanging the bus. Add a DMI quirk table for systems on which to leave eldo2 on. Note an alternative fix is to turn off the CPLM3218 ambient-light-sensor as long as the camera sensor is being used, this is what Windows seems to do as a workaround (based on analyzing the DSDT). But that is not easy to do cleanly under Linux. Link: https://lore.kernel.org/linux-media/20220116215204.307649-10-hdegoede@redhat.com Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4071b860fc4b50d37635c8691f64fd1ff27ab24c Author: Charles Keepax Date: Thu Feb 3 11:50:25 2022 +0000 ASoC: madera: Add dependencies on MFD [ Upstream commit ec29170c724ca30305fc3a19ba2ee73ecac65509 ] The Madera CODECs use regmap_irq functions but nothing ensures that regmap_irq is built into the kernel. Add dependencies on the ASoC symbols for the relevant MFD component. There is no point in building the ASoC driver if the MFD doesn't support it and the MFD part contains the necessary dependencies to ensure everything is built into the kernel. Reported-by: Mark Brown Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220203115025.16464-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1a8c180d5f0a4bc72e82f6568b0a16f0e5d4b2bf Author: Richard Schleich Date: Sat Dec 18 21:00:09 2021 +0100 ARM: dts: bcm2837: Add the missing L1/L2 cache information [ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2837 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 28def50205efece034d328250724179451fe69eb Author: David Heidelberg Date: Sat Jan 8 18:42:28 2022 +0100 ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960 [ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ] IRQ types blindly copied from very similar APQ8064. Fixes warnings as: WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120 ... Tested-by: LogicalErzor # boot-tested on Samsung S3 Signed-off-by: David Heidelberg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz Signed-off-by: Sasha Levin commit fed32b370d86596d52be160c87da80aa56ff9839 Author: Yang Guang Date: Tue Nov 30 08:06:03 2021 +0800 video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit [ Upstream commit 24565bc4115961db7ee64fcc7ad2a7437c0d0a49 ] coccinelle report: ./drivers/video/fbdev/omap2/omapfb/displays/panel-sony-acx565akm.c: 479:9-17: WARNING: use scnprintf or sprintf Use sysfs_emit instead of scnprintf or sprintf makes more sense. Reported-by: Zeal Robot Signed-off-by: Yang Guang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit e498b504f8c81b07efab9febf8503448de4dc9cf Author: George Kennedy Date: Wed Oct 27 15:30:13 2021 -0500 video: fbdev: cirrusfb: check pixclock to avoid divide by zero [ Upstream commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379 ] Do a sanity check on pixclock value to avoid divide by zero. If the pixclock value is zero, the cirrusfb driver will round up pixclock to get the derived frequency as close to maxclock as possible. Syzkaller reported a divide error in cirrusfb_check_pixclock. divide error: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2 RIP: 0010:cirrusfb_check_var+0x6f1/0x1260 Call Trace: fb_set_var+0x398/0xf90 do_fb_ioctl+0x4b8/0x6f0 fb_ioctl+0xeb/0x130 __x64_sys_ioctl+0x19d/0x220 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: George Kennedy Reviewed-by: Geert Uytterhoeven Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 79e4862af519cf6dc081b35171d61ad03117c4de Author: Evgeny Novikov Date: Wed Aug 11 19:58:26 2021 +0300 video: fbdev: w100fb: Reset global state [ Upstream commit 8738ddcac644964ae128ccd3d80d48773c8d528e ] w100fb_probe() did not reset the global state to its initial state. This can result in invocation of iounmap() even when there was not the appropriate successful call of ioremap(). For instance, this may be the case if first probe fails after two successful ioremap() while second probe fails when first ioremap() fails. The similar issue is with w100fb_remove(). The patch fixes both bugs. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Co-developed-by: Kirill Shilimanov Signed-off-by: Kirill Shilimanov Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 41baa86b6c802cdc6ab8ff2d46c083c9be93de81 Author: Tim Gardner Date: Mon Sep 27 09:45:02 2021 -0600 video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow [ Upstream commit 37a1a2e6eeeb101285cd34e12e48a881524701aa ] Coverity complains of a possible buffer overflow. However, given the 'static' scope of nvidia_setup_i2c_bus() it looks like that can't happen after examiniing the call sites. CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 1. fixed_size_dest: You might overrun the 48-character fixed-size string chan->adapter.name by copying name without checking the length. 2. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 89 strcpy(chan->adapter.name, name); Fix this warning by using strscpy() which will silence the warning and prevent any future buffer overflows should the names used to identify the channel become much longer. Cc: Antonino Daplas Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Tim Gardner Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 18ea450ed1b60c1bb336f5efe874f61909ce7bec Author: Yong Wu Date: Mon Jan 17 08:05:02 2022 +0100 media: iommu/mediatek: Add device_link between the consumer and the larb devices [ Upstream commit 635319a4a7444ca97124d781cd96deb277ff4d40 ] MediaTek IOMMU-SMI diagram is like below. all the consumer connect with smi-larb, then connect with smi-common. M4U | smi-common | ------------- | | ... | | larb1 larb2 | | vdec venc When the consumer works, it should enable the smi-larb's power which also need enable the smi-common's power firstly. Thus, First of all, use the device link connect the consumer and the smi-larbs. then add device link between the smi-larb and smi-common. This patch adds device_link between the consumer and the larbs. When device_link_add, I add the flag DL_FLAG_STATELESS to avoid calling pm_runtime_xx to keep the original status of clocks. It can avoid two issues: 1) Display HW show fastlogo abnormally reported in [1]. At the beggining, all the clocks are enabled before entering kernel, but the clocks for display HW(always in larb0) will be gated after clk_enable and clk_disable called from device_link_add(->pm_runtime_resume) and rpm_idle. The clock operation happened before display driver probe. At that time, the display HW will be abnormal. 2) A deadlock issue reported in [2]. Use DL_FLAG_STATELESS to skip pm_runtime_xx to avoid the deadlock. Corresponding, DL_FLAG_AUTOREMOVE_CONSUMER can't be added, then device_link_removed should be added explicitly. Meanwhile, Currently we don't have a device connect with 2 larbs at the same time. Disallow this case, print the error log. [1] https://lore.kernel.org/linux-mediatek/1564213888.22908.4.camel@mhfsdcap03/ [2] https://lore.kernel.org/patchwork/patch/1086569/ Suggested-by: Tomasz Figa Signed-off-by: Yong Wu Tested-by: Frank Wunderlich # BPI-R2/MT7623 Acked-by: Joerg Roedel Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 267fe9ff962fb21c176e14677de5804270d416d4 Author: Yong Wu Date: Mon Jan 17 08:05:00 2022 +0100 media: iommu/mediatek: Return ENODEV if the device is NULL [ Upstream commit 2fb0feed51085db77606de9b9477c96894328809 ] The platform device is created at: of_platform_default_populate_init: arch_initcall_sync ->of_platform_populate ->of_platform_device_create_pdata When entering our probe, all the devices should be already created. if it is null, means NODEV. Currently we don't get the fail case. It's a minor fix, no need add fixes tags. Signed-off-by: Yong Wu Acked-by: Joerg Roedel Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5aaf351607934089afa273a00192e11ea92c0bd1 Author: Yong Wu Date: Mon Jan 17 08:04:59 2022 +0100 media: iommu/mediatek-v1: Free the existed fwspec if the master dev already has [ Upstream commit 822a2ed8c606caf6a11b1a180b8e46292bd77d71 ] When the iommu master device enters of_iommu_xlate, the ops may be NULL(iommu dev is defered), then it will initialize the fwspec here: [] (dev_iommu_fwspec_set) from [] (iommu_fwspec_init+0xbc/0xd4) [] (iommu_fwspec_init) from [] (of_iommu_xlate+0x7c/0x12c) [] (of_iommu_xlate) from [] (of_iommu_configure+0x144/0x1e8) BUT the mtk_iommu_v1.c only supports arm32, the probing flow still is a bit weird. We always expect create the fwspec internally. otherwise it will enter here and return fail. static int mtk_iommu_create_mapping(struct device *dev, struct of_phandle_args *args) { ... if (!fwspec) { .... } else if (dev_iommu_fwspec_get(dev)->ops != &mtk_iommu_ops) { >>>>>>>>>>Enter here. return fail.<<<<<<<<<<<< return -EINVAL; } ... } Thus, Free the existed fwspec if the master device already has fwspec. This issue is reported at: https://lore.kernel.org/linux-mediatek/trinity-7d9ebdc9-4849-4d93-bfb5-429dcb4ee449-1626253158870@3c-app-gmx-bs01/ Reported-by: Frank Wunderlich Tested-by: Frank Wunderlich # BPI-R2/MT7623 Signed-off-by: Yong Wu Acked-by: Joerg Roedel Acked-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e56873309b7d7e7506d9c67462e8847db6d1d7cf Author: Ranjani Sridharan Date: Fri Jan 28 15:00:17 2022 +0200 ASoC: SOF: Intel: hda: Remove link assignment limitation [ Upstream commit 2ce0d008dcc59f9c01f43277b9f9743af7b01dad ] The limitation to assign a link DMA channel for a BE iff the corresponding host DMA channel is assigned to a connected FE is only applicable if the PROCEN_FMT_QUIRK is set. So, remove it for platforms that do not enable the quirk. Complements: a792bfc1c2bc ("ASoC: SOF: Intel: hda-stream: limit PROCEN workaround") Signed-off-by: Ranjani Sridharan Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Reviewed-by: Kai Vehmanen Reviewed-by: Peter Ujfalusi Signed-off-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220128130017.28508-1-peter.ujfalusi@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4eb591c47c82a6a6ad293ed108c3cb77115fbc25 Author: Mirela Rabulea Date: Wed Jan 12 20:12:08 2022 +0100 media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers [ Upstream commit 417591a766b3c040c346044541ff949c0b2bb7b2 ] If the application queues an NV12M jpeg as output buffer, but then queues a single planar capture buffer, the kernel will crash with "Unable to handle kernel NULL pointer dereference" in mxc_jpeg_addrs, prevent this by finishing the job with error. Signed-off-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 336e6ac21d0be4ef91d71852585e8af53ca673a9 Author: Bard Liao Date: Thu Jan 20 17:21:56 2022 -0600 ASoC: SOF: Intel: match sdw version on link_slaves_found [ Upstream commit f67c0c0d3b9048d86ea6ae52e36a2b78c48f265d ] Codecs with the same part id, manufacturer id and part id, but different sdw version should be treated as different codecs. For example, rt711 and rt711-sdca are different. So, we should match sdw version as well. Reported-by: Reddy Muralidhar Reviewed-by: Ranjani Sridharan Reviewed-by: Rander Wang Signed-off-by: Bard Liao Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220120232157.199919-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d398278261f640264f1fe0e1b75bce50f8f5387a Author: Richard Fitzgerald Date: Fri Jan 21 12:04:10 2022 +0000 ASoC: cs42l42: Report full jack status when plug is detected [ Upstream commit 8d06f797f844d04a961f201f886f7f9985edc9bf ] When a plug event is detect report the full state of all status bits, don't assume that there will have been a previous unplug event to clear all the bits. Report the state of both HEADPHONE and MICROPHONE bits according to detected type, and clear all the button status bits. The current button status is already checked and reported at the end of the function. During a system suspend the jack could be unplugged and plugged, possibly changing the jack type. On resume the interrupt status will indicate a plug event - there will not be an unplug event to clear the bits. Signed-off-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20220121120412.672284-2-rf@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7594d4254d63f5bd28deaadf6fc8d4a50d3b26a8 Author: Lad Prabhakar Date: Mon Jan 10 09:47:08 2022 +0000 ASoC: sh: rz-ssi: Make the data structures available before registering the handlers [ Upstream commit 0788785c78342d422f93b1c9831c2b2b7f137937 ] Initialize the spinlock and make the data structures available before registering the interrupt handlers. Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Biju Das Link: https://lore.kernel.org/r/20220110094711.8574-3-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 93ef3fdf3b6633c58f049e5a6be755777dde4340 Author: Peiwei Hu Date: Wed Dec 29 02:15:18 2021 +0100 media: ir_toy: free before error exiting [ Upstream commit 52cdb013036391d9d87aba5b4fc49cdfc6ea4b23 ] Fix leak in error path. Signed-off-by: Peiwei Hu Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit cec06ce3930470bed10479ace64a993eaa4c9548 Author: Eugen Hristev Date: Mon Dec 13 14:49:26 2021 +0100 media: atmel: atmel-isc-base: report frame sizes as full supported range [ Upstream commit 72802a86e11c34e819fbfb38f58c5aef668f833d ] The ISC supports a full broad range of frame sizes. Until now, the subdevice was queried for possible frame sizes and these were reported to the user space. However, the ISC should not care about which frame sizes the subdev supports, as long as this frame size is supported. Thus, report a continuous range from smallest frame size up to the max resolution. Signed-off-by: Eugen Hristev Reviewed-by: Jacopo Mondi Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2abe6b4589ce173f179f69d650967a5bf8a6c89a Author: Hans Verkuil Date: Tue Dec 14 17:16:33 2021 +0100 media: staging: media: zoran: fix various V4L2 compliance errors [ Upstream commit 914941827aad5ecddf9bf3a6dee67fbec1af1fff ] This fixes several issues found with 'v4l2-compliance -s': 1) read()/write() is supported, but not reported in the capabilities 2) S_STD(G_STD()) failed: setting the same standard should just return 0. 3) G_PARM failed to set readbuffers. 4) different field values in the format vs. what v4l2_buffer reported. 5) zero the sequence number when starting streaming. 6) drop VB_USERPTR: makes no sense with dma_contig streaming. Signed-off-by: Hans Verkuil Signed-off-by: Corentin Labbe Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 20811bbe685ca3eddd34b0c750860427d7030910 Author: Corentin Labbe Date: Tue Dec 14 17:16:32 2021 +0100 media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com [ Upstream commit e3b86f4e558cea9eed71d894df2f19b10d60a207 ] On the case tmp_dcim=1, the index of buffer is miscalculated. This generate a NULL pointer dereference later. So let's fix the calcul and add a check to prevent this to reappear. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1e501ec38796f43e995731d1bcd4173cb1ccfce0 Author: Corentin Labbe Date: Tue Dec 14 17:16:26 2021 +0100 media: staging: media: zoran: move videodev alloc [ Upstream commit 82e3a496eb56da0b9f29fdc5b63cedb3289e91de ] Move some code out of zr36057_init() and create new functions for handling zr->video_dev. This permit to ease code reading and fix a zr->video_dev memory leak. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c641087d381a08363e5f14179bc6b0a23eca7c47 Author: Dongliang Mu Date: Tue Mar 22 14:38:39 2022 -0700 ntfs: add sanity check on allocation size [ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ] ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation size. It triggers one BUG in the __ntfs_malloc function. Fix this by adding sanity check on ni->attr_list_size. Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Acked-by: Anton Altaparmakov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit a9ed324426e32034c3c5de6755624db1781b3900 Author: Rohith Surabattula Date: Mon Mar 7 18:37:22 2022 +0000 Adjust cifssb maximum read size [ Upstream commit 06a466565d54a1a42168f9033a062a3f5c40e73b ] When session gets reconnected during mount then read size in super block fs context gets set to zero and after negotiate, rsize is not modified which results in incorrect read with requested bytes as zero. Fixes intermittent failure of xfstest generic/240 Note that stable requires a different version of this patch which will be sent to the stable mailing list. Signed-off-by: Rohith Surabattula Acked-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 1c39a16f99cd08382a597aca30802c9f5a1ce0a0 Author: Chao Yu Date: Wed Mar 16 18:20:00 2022 +0800 f2fs: compress: fix to print raw data size in error path of lz4 decompression [ Upstream commit d284af43f703760e261b1601378a0c13a19d5f1f ] In lz4_decompress_pages(), if size of decompressed data is not equal to expected one, we should print the size rather than size of target buffer for decompressed data, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit ec4187d45cc1c2d69fffeee5fa6aa4cb62477cfb Author: Jaegeuk Kim Date: Mon Mar 7 17:27:46 2022 -0800 f2fs: use spin_lock to avoid hang [ Upstream commit 98237fcda4a24e67b0a4498c17d5aa4ad4537bc7 ] [14696.634553] task:cat state:D stack: 0 pid:1613738 ppid:1613735 flags:0x00000004 [14696.638285] Call Trace: [14696.639038] [14696.640032] __schedule+0x302/0x930 [14696.640969] schedule+0x58/0xd0 [14696.641799] schedule_preempt_disabled+0x18/0x30 [14696.642890] __mutex_lock.constprop.0+0x2fb/0x4f0 [14696.644035] ? mod_objcg_state+0x10c/0x310 [14696.645040] ? obj_cgroup_charge+0xe1/0x170 [14696.646067] __mutex_lock_slowpath+0x13/0x20 [14696.647126] mutex_lock+0x34/0x40 [14696.648070] stat_show+0x25/0x17c0 [f2fs] [14696.649218] seq_read_iter+0x120/0x4b0 [14696.650289] ? aa_file_perm+0x12a/0x500 [14696.651357] ? lru_cache_add+0x1c/0x20 [14696.652470] seq_read+0xfd/0x140 [14696.653445] full_proxy_read+0x5c/0x80 [14696.654535] vfs_read+0xa0/0x1a0 [14696.655497] ksys_read+0x67/0xe0 [14696.656502] __x64_sys_read+0x1a/0x20 [14696.657580] do_syscall_64+0x3b/0xc0 [14696.658671] entry_SYSCALL_64_after_hwframe+0x44/0xae [14696.660068] RIP: 0033:0x7efe39df1cb2 [14696.661133] RSP: 002b:00007ffc8badd948 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [14696.662958] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007efe39df1cb2 [14696.664757] RDX: 0000000000020000 RSI: 00007efe399df000 RDI: 0000000000000003 [14696.666542] RBP: 00007efe399df000 R08: 00007efe399de010 R09: 00007efe399de010 [14696.668363] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000000 [14696.670155] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 [14696.671965] [14696.672826] task:umount state:D stack: 0 pid:1614985 ppid:1614984 flags:0x00004000 [14696.674930] Call Trace: [14696.675903] [14696.676780] __schedule+0x302/0x930 [14696.677927] schedule+0x58/0xd0 [14696.679019] schedule_preempt_disabled+0x18/0x30 [14696.680412] __mutex_lock.constprop.0+0x2fb/0x4f0 [14696.681783] ? destroy_inode+0x65/0x80 [14696.683006] __mutex_lock_slowpath+0x13/0x20 [14696.684305] mutex_lock+0x34/0x40 [14696.685442] f2fs_destroy_stats+0x1e/0x60 [f2fs] [14696.686803] f2fs_put_super+0x158/0x390 [f2fs] [14696.688238] generic_shutdown_super+0x7a/0x120 [14696.689621] kill_block_super+0x27/0x50 [14696.690894] kill_f2fs_super+0x7f/0x100 [f2fs] [14696.692311] deactivate_locked_super+0x35/0xa0 [14696.693698] deactivate_super+0x40/0x50 [14696.694985] cleanup_mnt+0x139/0x190 [14696.696209] __cleanup_mnt+0x12/0x20 [14696.697390] task_work_run+0x64/0xa0 [14696.698587] exit_to_user_mode_prepare+0x1b7/0x1c0 [14696.700053] syscall_exit_to_user_mode+0x27/0x50 [14696.701418] do_syscall_64+0x48/0xc0 [14696.702630] entry_SYSCALL_64_after_hwframe+0x44/0xae Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit d1cb11fb45ebbb1e7dfe5e9038b32ea72c184b14 Author: Josef Bacik Date: Fri Feb 18 10:03:29 2022 -0500 btrfs: do not clean up repair bio if submit fails [ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given. Reviewed-by: Boris Burkov Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 987b5df1d10355d377315a26e7fb6c72ded83c9f Author: Josef Bacik Date: Fri Feb 18 10:03:27 2022 -0500 btrfs: do not double complete bio on errors during compressed reads [ Upstream commit f9f15de85d74e7eef021af059ca53a15f041cdd8 ] I hit some weird panics while fixing up the error handling from btrfs_lookup_bio_sums(). Turns out the compression path will complete the bio we use if we set up any of the compression bios and then return an error, and then btrfs_submit_data_bio() will also call bio_endio() on the bio. Fix this by making btrfs_submit_compressed_read() responsible for calling bio_endio() on the bio if there are any errors. Currently it was only doing it if we created the compression bios, otherwise it was depending on btrfs_submit_data_bio() to do the right thing. This creates the above problem, so fix up btrfs_submit_compressed_read() to always call bio_endio() in case of an error, and then simply return from btrfs_submit_data_bio() if we had to call btrfs_submit_compressed_read(). Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 50658068dce91207a93300325d4831c3dd8f77b4 Author: Josef Bacik Date: Fri Feb 18 10:03:23 2022 -0500 btrfs: handle csum lookup errors properly on reads [ Upstream commit 1784b7d502a94b561eae58249adde5f72c26eb3c ] Currently any error we get while trying to lookup csums during reads shows up as a missing csum, and then on the read completion side we print an error saying there was a csum mismatch and we increase the device corruption count. However we could have gotten an EIO from the lookup. We could also be inside of a memory constrained container and gotten a ENOMEM while trying to do the read. In either case we don't want to make this look like a file system corruption problem, we want to make it look like the actual error it is. Capture any negative value, convert it to the appropriate blk_status_t, free the csum array if we have one and bail. Note: a possible improvement would be to make the relocation code look up the owning inode and see if it's marked as NODATASUM and set EXTENT_NODATASUM there, that way if there's corruption and there isn't a checksum when we want it we can fail here rather than later. Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 93db0c727d2401da13101a075d09bbb75488af09 Author: Josef Bacik Date: Fri Feb 18 10:03:22 2022 -0500 btrfs: make search_csum_tree return 0 if we get -EFBIG [ Upstream commit 03ddb19d2ea745228879b9334f3b550c88acb10a ] We can either fail to find a csum entry at all and return -ENOENT, or we can find a range that is close, but return -EFBIG. In essence these both mean the same thing when we are doing a lookup for a csum in an existing range, we didn't find a csum. We want to treat both of these errors the same way, complain loudly that there wasn't a csum. This currently happens anyway because we do count = search_csum_tree(); if (count <= 0) { // reloc and error handling } However it forces us to incorrectly treat EIO or ENOMEM errors as on disk corruption. Fix this by returning 0 if we get either -ENOENT or -EFBIG from btrfs_lookup_csum() so we can do proper error handling. Reviewed-by: Boris Burkov Reviewed-by: Johannes Thumshirn Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 9a19873b143c8c63db5de16285363df415c6ca42 Author: Anand Jain Date: Wed Jan 12 13:05:59 2022 +0800 btrfs: harden identification of a stale device [ Upstream commit 770c79fb65506fc7c16459855c3839429f46cb32 ] Identifying and removing the stale device from the fs_uuids list is done by btrfs_free_stale_devices(). btrfs_free_stale_devices() in turn depends on device_path_matched() to check if the device appears in more than one btrfs_device structure. The matching of the device happens by its path, the device path. However, when device mapper is in use, the dm device paths are nothing but a link to the actual block device, which leads to the device_path_matched() failing to match. Fix this by matching the dev_t as provided by lookup_bdev() instead of plain string compare of the device paths. Reported-by: Josef Bacik Signed-off-by: Anand Jain Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 0c9b7c8071a9083e3dd8f3275ec5f55f48d77a6e Author: Jaegeuk Kim Date: Fri Mar 4 09:40:05 2022 -0800 f2fs: don't get FREEZE lock in f2fs_evict_inode in frozen fs [ Upstream commit ba900534f807f0b327c92d5141c85d2313e2d55c ] Let's purge inode cache in order to avoid the below deadlock. [freeze test] shrinkder freeze_super - pwercpu_down_write(SB_FREEZE_FS) - super_cache_scan - down_read(&sb->s_umount) - prune_icache_sb - dispose_list - evict - f2fs_evict_inode thaw_super - down_write(&sb->s_umount); - __percpu_down_read(SB_FREEZE_FS) Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 5bbe11df634012d816734976eec8daca3a9d81bb Author: Chuck Lever Date: Mon Feb 14 15:30:13 2022 -0500 NFSD: Fix nfsd_breaker_owns_lease() return values [ Upstream commit 50719bf3442dd6cd05159e9c98d020b3919ce978 ] These have been incorrect since the function was introduced. A proper kerneldoc comment is added since this function, though static, is part of an external interface. Reported-by: Dai Ngo Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit c12765e3f129b144421c80d3383df885f85ee290 Author: Chao Yu Date: Fri Mar 4 09:49:13 2022 +0800 f2fs: fix to do sanity check on curseg->alloc_type [ Upstream commit f41ee8b91c00770d718be2ff4852a80017ae9ab3 ] As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215657 - Overview UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image - Reproduce tested on kernel 5.17-rc4, 5.17-rc6 1. mkdir test_crash 2. cd test_crash 3. unzip tmp2.zip 4. mkdir mnt 5. ./single_test.sh f2fs 2 - Kernel dump [ 46.434454] loop0: detected capacity change from 0 to 131072 [ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9 [ 46.738319] ================================================================================ [ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 [ 46.738475] index 231 is out of range for type 'unsigned int [2]' [ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1 [ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 46.738551] Call Trace: [ 46.738556] [ 46.738563] dump_stack_lvl+0x47/0x5c [ 46.738581] ubsan_epilogue+0x5/0x50 [ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80 [ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs] [ 46.738819] do_write_page+0xef/0x210 [f2fs] [ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs] [ 46.739038] __write_node_page+0x2b7/0x920 [f2fs] [ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs] [ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs] [ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs] [ 46.739507] deactivate_locked_super+0x60/0xc0 [ 46.739517] deactivate_super+0x70/0xb0 [ 46.739524] cleanup_mnt+0x11a/0x200 [ 46.739532] __cleanup_mnt+0x16/0x20 [ 46.739538] task_work_run+0x67/0xa0 [ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0 [ 46.739559] syscall_exit_to_user_mode+0x26/0x40 [ 46.739568] do_syscall_64+0x46/0xb0 [ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is we missed to do sanity check on curseg->alloc_type, result in out-of-bound accessing on sbi->block_count[] array, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 677c9d30e8487bee6c8e3b034070319d98f6e203 Author: Theodore Ts'o Date: Thu Mar 3 09:38:47 2022 -0500 ext4: don't BUG if someone dirty pages without asking ext4 first [ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ] [un]pin_user_pages_remote is dirtying pages without properly warning the file system in advance. A related race was noted by Jan Kara in 2018[1]; however, more recently instead of it being a very hard-to-hit race, it could be reliably triggered by process_vm_writev(2) which was discovered by Syzbot[2]. This is technically a bug in mm/gup.c, but arguably ext4 is fragile in that if some other kernel subsystem dirty pages without properly notifying the file system using page_mkwrite(), ext4 will BUG, while other file systems will not BUG (although data will still be lost). So instead of crashing with a BUG, issue a warning (since there may be potential data loss) and just mark the page as clean to avoid unprivileged denial of service attacks until the problem can be properly fixed. More discussion and background can be found in the thread starting at [2]. [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com Reported-by: Lee Jones Signed-off-by: Theodore Ts'o Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu Signed-off-by: Sasha Levin commit bb0791e28b187f2ebf53f86a7cb41f8b3e72398d Author: Valentin Schneider Date: Thu Jan 20 16:25:20 2022 +0000 sched/tracing: Report TASK_RTLOCK_WAIT tasks as TASK_UNINTERRUPTIBLE [ Upstream commit 25795ef6299f07ce3838f3253a9cb34f64efcfae ] TASK_RTLOCK_WAIT currently isn't part of TASK_REPORT, thus a task blocking on an rtlock will appear as having a task state == 0, IOW TASK_RUNNING. The actual state is saved in p->saved_state, but reading it after reading p->__state has a few issues: o that could still be TASK_RUNNING in the case of e.g. rt_spin_lock o ttwu_state_match() might have changed that to TASK_RUNNING As pointed out by Eric, adding TASK_RTLOCK_WAIT to TASK_REPORT implies exposing a new state to userspace tools which way not know what to do with them. The only information that needs to be conveyed here is that a task is waiting on an rt_mutex, which matches TASK_UNINTERRUPTIBLE - there's no need for a new state. Reported-by: Uwe Kleine-König Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steven Rostedt (Google) Link: https://lore.kernel.org/r/20220120162520.570782-3-valentin.schneider@arm.com Signed-off-by: Sasha Levin commit 803fb0e8240cc16585a5c9df76add1dfaa781773 Author: Ritesh Harjani Date: Wed Feb 16 12:32:44 2022 +0530 ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit [ Upstream commit bfdc502a4a4c058bf4cbb1df0c297761d528f54d ] In case of flex_bg feature (which is by default enabled), extents for any given inode might span across blocks from two different block group. ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the starting block group, but it fails to read it again when the extent length boundary overflows to another block group. Then in this below loop it accesses memory beyond the block group bitmap buffer_head and results into a data abort. for (i = 0; i < clen; i++) if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state) already++; This patch adds this functionality for checking block group boundary in ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different block group. w/o this patch, I was easily able to hit a data access abort using Power platform. <...> [ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters [ 74.533214] EXT4-fs (loop3): shut down requested (2) [ 74.536705] Aborting journal on device loop3-8. [ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000 [ 74.703727] Faulting instruction address: 0xc0000000007bffb8 cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060] pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0 lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0 sp: c000000015db7300 msr: 800000000280b033 dar: c00000005e980000 dsisr: 40000000 current = 0xc000000027af6880 paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01 pid = 5167, comm = mount <...> enter ? for help [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410 [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000 [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0 [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0 [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0 [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10 [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350 [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40 [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100 [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70 [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550 [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0 [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250 Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/2609bc8f66fc15870616ee416a18a3d392a209c4.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 6b19b6ee76a67d2fb27660463217ad4bac11e956 Author: Ritesh Harjani Date: Wed Feb 16 12:32:43 2022 +0530 ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb [ Upstream commit a5c0e2fdf7cea535ba03259894dc184e5a4c2800 ] ext4_mb_mark_bb() currently wrongly calculates cluster len (clen) and flex_group->free_clusters. This patch fixes that. Identified based on code review of ext4_mb_mark_bb() function. Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/a0b035d536bafa88110b74456853774b64c8ac40.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit f9d7dcaf201432f1cbc5479c2593fdb2f169172f Author: Waiman Long Date: Thu Feb 10 22:55:26 2022 -0500 locking/lockdep: Iterate lock_classes directly when reading lockdep files [ Upstream commit fb7275acd6fb988313dddd8d3d19efa70d9015ad ] When dumping lock_classes information via /proc/lockdep, we can't take the lockdep lock as the lock hold time is indeterminate. Iterating over all_lock_classes without holding lock can be dangerous as there is a slight chance that it may branch off to other lists leading to infinite loop or even access invalid memory if changes are made to all_lock_classes list in parallel. To avoid this problem, iteration of lock classes is now done directly on the lock_classes array itself. The lock_classes_in_use bitmap is checked to see if the lock class is being used. To avoid iterating the full array all the times, a new max_lock_class_idx value is added to track the maximum lock_class index that is currently being used. We can theoretically take the lockdep lock for iterating all_lock_classes when other lockdep files (lockdep_stats and lock_stat) are accessed as the lock hold time will be shorter for them. For consistency, they are also modified to iterate the lock_classes array directly. Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220211035526.1329503-2-longman@redhat.com Signed-off-by: Sasha Levin commit 781c262033c21967add4da48a858a9875f18138f Author: Mark Rutland Date: Mon Feb 7 10:19:43 2022 +0000 atomics: Fix atomic64_{read_acquire,set_release} fallbacks [ Upstream commit dc1b4df09acdca7a89806b28f235cd6d8dcd3d24 ] Arnd reports that on 32-bit architectures, the fallbacks for atomic64_read_acquire() and atomic64_set_release() are broken as they use smp_load_acquire() and smp_store_release() respectively, which do not work on types larger than the native word size. Since those contain compiletime_assert_atomic_type(), any attempt to use those fallbacks will result in a build-time error. e.g. with the following added to arch/arm/kernel/setup.c: | void test_atomic64(atomic64_t *v) | { | atomic64_set_release(v, 5); | atomic64_read_acquire(v); | } The compiler will complain as follows: | In file included from : | In function 'arch_atomic64_set_release', | inlined from 'test_atomic64' at ./include/linux/atomic/atomic-instrumented.h:669:2: | ././include/linux/compiler_types.h:346:38: error: call to '__compiletime_assert_9' declared with attribute error: Need native word sized stores/loads for atomicity. | 346 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | | ^ | ././include/linux/compiler_types.h:327:4: note: in definition of macro '__compiletime_assert' | 327 | prefix ## suffix(); \ | | ^~~~~~ | ././include/linux/compiler_types.h:346:2: note: in expansion of macro '_compiletime_assert' | 346 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | | ^~~~~~~~~~~~~~~~~~~ | ././include/linux/compiler_types.h:349:2: note: in expansion of macro 'compiletime_assert' | 349 | compiletime_assert(__native_word(t), \ | | ^~~~~~~~~~~~~~~~~~ | ./include/asm-generic/barrier.h:133:2: note: in expansion of macro 'compiletime_assert_atomic_type' | 133 | compiletime_assert_atomic_type(*p); \ | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ./include/asm-generic/barrier.h:164:55: note: in expansion of macro '__smp_store_release' | 164 | #define smp_store_release(p, v) do { kcsan_release(); __smp_store_release(p, v); } while (0) | | ^~~~~~~~~~~~~~~~~~~ | ./include/linux/atomic/atomic-arch-fallback.h:1270:2: note: in expansion of macro 'smp_store_release' | 1270 | smp_store_release(&(v)->counter, i); | | ^~~~~~~~~~~~~~~~~ | make[2]: *** [scripts/Makefile.build:288: arch/arm/kernel/setup.o] Error 1 | make[1]: *** [scripts/Makefile.build:550: arch/arm/kernel] Error 2 | make: *** [Makefile:1831: arch/arm] Error 2 Fix this by only using smp_load_acquire() and smp_store_release() for native atomic types, and otherwise falling back to the regular barriers necessary for acquire/release semantics, as we do in the more generic acquire and release fallbacks. Since the fallback templates are used to generate the atomic64_*() and atomic_*() operations, the __native_word() check is added to both. For the atomic_*() operations, which are always 32-bit, the __native_word() check is redundant but not harmful, as it is always true. For the example above this works as expected on 32-bit, e.g. for arm multi_v7_defconfig: | : | push {r4, r5} | dmb ish | pldw [r0] | mov r2, #5 | mov r3, #0 | ldrexd r4, [r0] | strexd r4, r2, [r0] | teq r4, #0 | bne 484 | ldrexd r2, [r0] | dmb ish | pop {r4, r5} | bx lr ... and also on 64-bit, e.g. for arm64 defconfig: | : | bti c | paciasp | mov x1, #0x5 | stlr x1, [x0] | ldar x0, [x0] | autiasp | ret Reported-by: Arnd Bergmann Signed-off-by: Mark Rutland Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Ard Biesheuvel Reviewed-by: Boqun Feng Link: https://lore.kernel.org/r/20220207101943.439825-1-mark.rutland@arm.com Signed-off-by: Sasha Levin commit dac1438f347d3b8cf892105c94e254f29c5764de Author: Eddie James Date: Thu Mar 17 16:14:26 2022 -0500 spi: fsi: Implement a timeout for polling status [ Upstream commit 89b35e3f28514087d3f1e28e8f5634fbfd07c554 ] The data transfer routines must poll the status register to determine when more data can be shifted in or out. If the hardware gets into a bad state, these polling loops may never exit. Prevent this by returning an error if a timeout is exceeded. Signed-off-by: Eddie James Link: https://lore.kernel.org/r/20220317211426.38940-1-eajames@linux.ibm.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 57bcc9aa20301d77cc978ac14bc502c8ee4f7517 Author: Minghao Chi Date: Tue Mar 15 02:31:38 2022 +0000 spi: tegra20: Use of_device_get_match_data() [ Upstream commit c9839acfcbe20ce43d363c2a9d0772472d9921c0 ] Use of_device_get_match_data() to simplify the code. Reported-by: Zeal Robot Signed-off-by: Minghao Chi Link: https://lore.kernel.org/r/20220315023138.2118293-1-chi.minghao@zte.com.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 340e26aadb6d2f62165f9765a8bb7dfeed33b28d Author: Chris Leech Date: Tue Feb 15 18:22:49 2022 -0800 nvme-tcp: lockdep: annotate in-kernel sockets [ Upstream commit 841aee4d75f18fdfb53935080b03de0c65e9b92c ] Put NVMe/TCP sockets in their own class to avoid some lockdep warnings. Sockets created by nvme-tcp are not exposed to user-space, and will not trigger certain code paths that the general socket API exposes. Lockdep complains about a circular dependency between the socket and filesystem locks, because setsockopt can trigger a page fault with a socket lock held, but nvme-tcp sends requests on the socket while file system locks are held. ====================================================== WARNING: possible circular locking dependency detected 5.15.0-rc3 #1 Not tainted ------------------------------------------------------ fio/1496 is trying to acquire lock: (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendpage+0x23/0x80 but task is already holding lock: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] which lock already depends on the new lock. other info that might help us debug this: chain exists of: sk_lock-AF_INET --> sb_internal --> &xfs_dir_ilock_class/5 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xfs_dir_ilock_class/5); lock(sb_internal); lock(&xfs_dir_ilock_class/5); lock(sk_lock-AF_INET); *** DEADLOCK *** 6 locks held by fio/1496: #0: (sb_writers#13){.+.+}-{0:0}, at: path_openat+0x9fc/0xa20 #1: (&inode->i_sb->s_type->i_mutex_dir_key){++++}-{3:3}, at: path_openat+0x296/0xa20 #2: (sb_internal){.+.+}-{0:0}, at: xfs_trans_alloc_icreate+0x41/0xd0 [xfs] #3: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] #4: (hctx->srcu){....}-{0:0}, at: hctx_lock+0x51/0xd0 #5: (&queue->send_mutex){+.+.}-{3:3}, at: nvme_tcp_queue_rq+0x33e/0x380 [nvme_tcp] This annotation lets lockdep analyze nvme-tcp controlled sockets independently of what the user-space sockets API does. Link: https://lore.kernel.org/linux-nvme/CAHj4cs9MDYLJ+q+2_GXUK9HxFizv2pxUryUR0toX974M040z7g@mail.gmail.com/ Signed-off-by: Chris Leech Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit ddab9f47bebc8ad9f1369874e3e4718ef7b449f2 Author: John David Anglin Date: Wed Mar 9 21:14:36 2022 +0000 parisc: Fix handling off probe non-access faults [ Upstream commit e00b0a2ab8ec019c344e53bfc76e31c18bb587b7 ] Currently, the parisc kernel does not fully support non-access TLB fault handling for probe instructions. In the fast path, we set the target register to zero if it is not a shadowed register. The slow path is not implemented, so we call do_page_fault. The architecture indicates that non-access faults should not cause a page fault from disk. This change adds to code to provide non-access fault support for probe instructions. It also modifies the handling of faults on userspace so that if the address lies in a valid VMA and the access type matches that for the VMA, the probe target register is set to one. Otherwise, the target register is set to zero. This was done to make probe instructions more useful for userspace. Probe instructions are not very useful if they set the target register to zero whenever a page is not present in memory. Nominally, the purpose of the probe instruction is determine whether read or write access to a given address is allowed. This fixes a problem in function pointer comparison noticed in the glibc testsuite (stdio-common/tst-vfprintf-user-type). The same problem is likely in glibc (_dl_lookup_address). V2 adds flush and lpa instruction support to handle_nadtlb_fault. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit ddca4b82027e2a66333dd40fab21a4beff435c7e Author: John David Anglin Date: Fri Mar 11 17:22:54 2022 +0000 parisc: Fix non-access data TLB cache flush faults [ Upstream commit f839e5f1cef36ce268950c387129b1bfefdaebc9 ] When a page is not present, we get non-access data TLB faults from the fdc and fic instructions in flush_user_dcache_range_asm and flush_user_icache_range_asm. When these occur, the cache line is not invalidated and potentially we get memory corruption. The problem was hidden by the nullification of the flush instructions. These faults also affect performance. With pa8800/pa8900 processors, there will be 32 faults per 4 KB page since the cache line is 128 bytes. There will be more faults with earlier processors. The problem is fixed by using flush_cache_pages(). It does the flush using a tmp alias mapping. The flush_cache_pages() call in flush_cache_range() flushed too large a range. V2: Remove unnecessary preempt_disable() and preempt_enable() calls. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit c7c0ec5a1dcc3eaa1e85c804c2ccf46e457788a3 Author: Dmitry Baryshkov Date: Sat Mar 5 14:02:14 2022 +0300 PM: core: keep irq flags in device_pm_check_callbacks() [ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ] The function device_pm_check_callbacks() can be called under the spin lock (in the reported case it happens from genpd_add_device() -> dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes. However this function uncoditionally uses spin_lock_irq() / spin_unlock_irq(), thus not preserving the CPU flags. Use the irqsave/irqrestore instead. The backtrace for the reference: [ 2.752010] ------------[ cut here ]------------ [ 2.756769] raw_local_irq_restore() called with IRQs enabled [ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50 [ 2.772338] Modules linked in: [ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684 [ 2.781384] Freeing initrd memory: 46024K [ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50 [ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50 [ 2.785846] sp : ffff80000805b7d0 [ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002 [ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800 [ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00 [ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff [ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7 [ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8 [ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0 [ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0 [ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 [ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000 [ 2.889774] Call trace: [ 2.892290] warn_bogus_irq_restore+0x34/0x50 [ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0 [ 2.901690] genpd_unlock_spin+0x20/0x30 [ 2.905724] genpd_add_device+0x100/0x2d0 [ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c [ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190 [ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0 [ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30 [ 2.929102] psci_dt_attach_cpu+0x24/0x90 [ 2.933230] psci_cpuidle_probe+0x2d4/0x46c [ 2.937534] platform_probe+0x68/0xe0 [ 2.941304] really_probe.part.0+0x9c/0x2fc [ 2.945605] __driver_probe_device+0x98/0x144 [ 2.950085] driver_probe_device+0x44/0x15c [ 2.954385] __device_attach_driver+0xb8/0x120 [ 2.958950] bus_for_each_drv+0x78/0xd0 [ 2.962896] __device_attach+0xd8/0x180 [ 2.966843] device_initial_probe+0x14/0x20 [ 2.971144] bus_probe_device+0x9c/0xa4 [ 2.975092] device_add+0x380/0x88c [ 2.978679] platform_device_add+0x114/0x234 [ 2.983067] platform_device_register_full+0x100/0x190 [ 2.988344] psci_idle_init+0x6c/0xb0 [ 2.992113] do_one_initcall+0x74/0x3a0 [ 2.996060] kernel_init_freeable+0x2fc/0x384 [ 3.000543] kernel_init+0x28/0x130 [ 3.004132] ret_from_fork+0x10/0x20 [ 3.007817] irq event stamp: 319826 [ 3.011404] hardirqs last enabled at (319825): [] __up_console_sem+0x78/0x84 [ 3.020332] hardirqs last disabled at (319826): [] el1_dbg+0x24/0x8c [ 3.028458] softirqs last enabled at (318312): [] _stext+0x410/0x588 [ 3.036678] softirqs last disabled at (318299): [] __irq_exit_rcu+0x158/0x174 [ 3.045607] ---[ end trace 0000000000000000 ]--- Signed-off-by: Dmitry Baryshkov Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 5a3ff7b2f3a3ef6b83019e0eb19c18e48e921862 Author: Darren Hart Date: Tue Mar 8 10:50:48 2022 -0800 ACPI/APEI: Limit printable size of BERT table data [ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ] Platforms with large BERT table data can trigger soft lockup errors while attempting to print the entire BERT table data to the console at boot: watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1] Observed on Ampere Altra systems with a single BERT record of ~250KB. The original bert driver appears to have assumed relatively small table data. Since it is impractical to reassemble large table data from interwoven console messages, and the table data is available in /sys/firmware/acpi/tables/data/BERT limit the size for tables printed to the console to 1024 (for no reason other than it seemed like a good place to kick off the discussion, would appreciate feedback from existing users in terms of what size would maintain their current usage model). Alternatively, we could make printing a CONFIG option, use the bert_disable boot arg (or something similar), or use a debug log level. However, all those solutions require extra steps or change the existing behavior for small table data. Limiting the size preserves existing behavior on existing platforms with small table data, and eliminates the soft lockups for platforms with large table data, while still making it available. Signed-off-by: Darren Hart Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 4083925bd6dc89216d156474a8076feec904e607 Author: Paolo Valente Date: Thu Nov 25 19:15:10 2021 +0100 Revert "Revert "block, bfq: honor already-setup queue merges"" [ Upstream commit 15729ff8143f8135b03988a100a19e66d7cb7ecd ] A crash [1] happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet, the reverted commit was not the one introducing the bug. In fact, it actually triggered a UAF introduced by a different commit, and now fixed by commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change"). So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") out. This commit restores it. [1] https://bugzilla.kernel.org/show_bug.cgi?id=214503 Reported-by: Holger Hoffstätte Signed-off-by: Paolo Valente Link: https://lore.kernel.org/r/20211125181510.15004-1-paolo.valente@linaro.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8b3e1cbd6d9f77c1936a808286e20b344c2cf015 Author: Paul Menzel Date: Tue Feb 8 16:21:48 2022 +0100 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 [ Upstream commit 633174a7046ec3b4572bec24ef98e6ee89bce14b ] Buidling raid6test on Ubuntu 21.10 (ppc64le) with GNU Make 4.3 shows the errors below: $ cd lib/raid6/test/ $ make :1:1: error: stray ‘\’ in program :1:2: error: stray ‘#’ in program :1:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ \ before ‘<’ token [...] The errors come from the HAS_ALTIVEC test, which fails, and the POWER optimized versions are not built. That’s also reason nobody noticed on the other architectures. GNU Make 4.3 does not remove the backslash anymore. From the 4.3 release announcment: > * WARNING: Backward-incompatibility! > Number signs (#) appearing inside a macro reference or function invocation > no longer introduce comments and should not be escaped with backslashes: > thus a call such as: > foo := $(shell echo '#') > is legal. Previously the number sign needed to be escaped, for example: > foo := $(shell echo '\#') > Now this latter will resolve to "\#". If you want to write makefiles > portable to both versions, assign the number sign to a variable: > H := \# > foo := $(shell echo '$H') > This was claimed to be fixed in 3.81, but wasn't, for some reason. > To detect this change search for 'nocomment' in the .FEATURES variable. So, do the same as commit 9564a8cf422d ("Kbuild: fix # escaping in .cmd files for future Make") and commit 929bef467771 ("bpf: Use $(pound) instead of \# in Makefiles") and define and use a $(pound) variable. Reference for the change in make: https://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57 Cc: Matt Brown Signed-off-by: Paul Menzel Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 16e614d1b0f93a7e61e2261efc14523db6469ed7 Author: Hans de Goede Date: Wed Feb 23 14:50:32 2022 +0100 ACPI / x86: Add skip i2c clients quirk for Lenovo Yoga Tablet 1050F/L [ Upstream commit 4fecb1e93e4914fc0bc1fb467ca79741f9f94abb ] The Yoga Tablet 1050F/L is a x86 ACPI tablet which ships with Android x86 as factory OS. Its DSDT contains a bunch of I2C devices which are not actually there, causing various resource conflicts (the Android x86 kernel fork ignores I2C devices described in the DSDT). Add a ACPI_QUIRK_SKIP_I2C_CLIENTS for the Nextbook Ares 8 to the acpi_quirk_skip_dmi_ids table to woraround this. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 39db8a6886b75611b75c7a79c4b6f409a4dea6f0 Author: Hans de Goede Date: Wed Feb 23 14:50:31 2022 +0100 ACPI / x86: Add skip i2c clients quirk for Nextbook Ares 8 [ Upstream commit f38312c9b569322edf4baae467568206fe46d57b ] The Nextbook Ares 8 is a x86 ACPI tablet which ships with Android x86 as factory OS. Its DSDT contains a bunch of I2C devices which are not actually there, causing various resource conflicts (the Android x86 kernel fork ignores I2C devices described in the DSDT). Add a ACPI_QUIRK_SKIP_I2C_CLIENTS for the Nextbook Ares 8 to the acpi_quirk_skip_dmi_ids table to woraround this. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 790ae2e5abe027f3c0eebabbf3a7c36766752d80 Author: Rafael J. Wysocki Date: Mon Mar 7 20:28:26 2022 +0100 ACPICA: Avoid walking the ACPI Namespace if it is not there [ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ] ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc Prevent acpi_ns_walk_namespace() from crashing when called with start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been instantiated yet and acpi_gbl_root_node is NULL. For instance, this can happen if the kernel is run with "acpi=off" in the command line. Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/ Reported-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 40b4ba0030e0b02cbacd424ebb9f4c8b0976c786 Author: Zhang Wensheng Date: Thu Mar 3 15:03:34 2022 +0800 bfq: fix use-after-free in bfq_dispatch_request [ Upstream commit ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a ] KASAN reports a use-after-free report when doing normal scsi-mq test [69832.239032] ================================================================== [69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0 [69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155 [69832.244656] [69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8 [69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [69832.249069] Workqueue: kblockd blk_mq_run_work_fn [69832.250022] Call Trace: [69832.250541] dump_stack+0x9b/0xce [69832.251232] ? bfq_dispatch_request+0x1045/0x44b0 [69832.252243] print_address_description.constprop.6+0x3e/0x60 [69832.253381] ? __cpuidle_text_end+0x5/0x5 [69832.254211] ? vprintk_func+0x6b/0x120 [69832.254994] ? bfq_dispatch_request+0x1045/0x44b0 [69832.255952] ? bfq_dispatch_request+0x1045/0x44b0 [69832.256914] kasan_report.cold.9+0x22/0x3a [69832.257753] ? bfq_dispatch_request+0x1045/0x44b0 [69832.258755] check_memory_region+0x1c1/0x1e0 [69832.260248] bfq_dispatch_request+0x1045/0x44b0 [69832.261181] ? bfq_bfqq_expire+0x2440/0x2440 [69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170 [69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100 [69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570 [69832.267147] ? __switch_to+0x5f4/0xee0 [69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.268946] __blk_mq_run_hw_queue+0xc0/0x270 [69832.269840] blk_mq_run_work_fn+0x51/0x60 [69832.278170] process_one_work+0x6d4/0xfe0 [69832.278984] worker_thread+0x91/0xc80 [69832.279726] ? __kthread_parkme+0xb0/0x110 [69832.280554] ? process_one_work+0xfe0/0xfe0 [69832.281414] kthread+0x32d/0x3f0 [69832.282082] ? kthread_park+0x170/0x170 [69832.282849] ret_from_fork+0x1f/0x30 [69832.283573] [69832.283886] Allocated by task 7725: [69832.284599] kasan_save_stack+0x19/0x40 [69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0 [69832.286350] kmem_cache_alloc_node+0x13f/0x460 [69832.287237] bfq_get_queue+0x3d4/0x1140 [69832.287993] bfq_get_bfqq_handle_split+0x103/0x510 [69832.289015] bfq_init_rq+0x337/0x2d50 [69832.289749] bfq_insert_requests+0x304/0x4e10 [69832.290634] blk_mq_sched_insert_requests+0x13e/0x390 [69832.291629] blk_mq_flush_plug_list+0x4b4/0x760 [69832.292538] blk_flush_plug_list+0x2c5/0x480 [69832.293392] io_schedule_prepare+0xb2/0xd0 [69832.294209] io_schedule_timeout+0x13/0x80 [69832.295014] wait_for_common_io.constprop.1+0x13c/0x270 [69832.296137] submit_bio_wait+0x103/0x1a0 [69832.296932] blkdev_issue_discard+0xe6/0x160 [69832.297794] blk_ioctl_discard+0x219/0x290 [69832.298614] blkdev_common_ioctl+0x50a/0x1750 [69832.304715] blkdev_ioctl+0x470/0x600 [69832.305474] block_ioctl+0xde/0x120 [69832.306232] vfs_ioctl+0x6c/0xc0 [69832.306877] __se_sys_ioctl+0x90/0xa0 [69832.307629] do_syscall_64+0x2d/0x40 [69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [69832.309382] [69832.309701] Freed by task 155: [69832.310328] kasan_save_stack+0x19/0x40 [69832.311121] kasan_set_track+0x1c/0x30 [69832.311868] kasan_set_free_info+0x1b/0x30 [69832.312699] __kasan_slab_free+0x111/0x160 [69832.313524] kmem_cache_free+0x94/0x460 [69832.314367] bfq_put_queue+0x582/0x940 [69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0 [69832.317275] bfq_bfqq_expire+0xb27/0x2440 [69832.318084] bfq_dispatch_request+0x697/0x44b0 [69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.322225] __blk_mq_run_hw_queue+0xc0/0x270 [69832.323114] blk_mq_run_work_fn+0x51/0x60 [69832.323942] process_one_work+0x6d4/0xfe0 [69832.324772] worker_thread+0x91/0xc80 [69832.325518] kthread+0x32d/0x3f0 [69832.326205] ret_from_fork+0x1f/0x30 [69832.326932] [69832.338297] The buggy address belongs to the object at ffff88802622b968 [69832.338297] which belongs to the cache bfq_queue of size 512 [69832.340766] The buggy address is located 288 bytes inside of [69832.340766] 512-byte region [ffff88802622b968, ffff88802622bb68) [69832.343091] The buggy address belongs to the page: [69832.344097] page:ffffea0000988a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802622a528 pfn:0x26228 [69832.346214] head:ffffea0000988a00 order:2 compound_mapcount:0 compound_pincount:0 [69832.347719] flags: 0x1fffff80010200(slab|head) [69832.348625] raw: 001fffff80010200 ffffea0000dbac08 ffff888017a57650 ffff8880179fe840 [69832.354972] raw: ffff88802622a528 0000000000120008 00000001ffffffff 0000000000000000 [69832.356547] page dumped because: kasan: bad access detected [69832.357652] [69832.357970] Memory state around the buggy address: [69832.358926] ffff88802622b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.360358] ffff88802622ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.361810] >ffff88802622ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.363273] ^ [69832.363975] ffff88802622bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [69832.375960] ffff88802622bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69832.377405] ================================================================== In bfq_dispatch_requestfunction, it may have function call: bfq_dispatch_request __bfq_dispatch_request bfq_select_queue bfq_bfqq_expire __bfq_bfqd_reset_in_service bfq_put_queue kmem_cache_free In this function call, in_serv_queue has beed expired and meet the conditions to free. In the function bfq_dispatch_request, the address of in_serv_queue pointing to has been released. For getting the value of idle_timer_disabled, it will get flags value from the address which in_serv_queue pointing to, then the problem of use-after-free happens; Fix the problem by check in_serv_queue == bfqd->in_service_queue, to get the value of idle_timer_disabled if in_serve_queue is equel to bfqd->in_service_queue. If the space of in_serv_queue pointing has been released, this judge will aviod use-after-free problem. And if in_serv_queue may be expired or finished, the idle_timer_disabled will be false which would not give effects to bfq_update_dispatch_stats. Reported-by: Hulk Robot Signed-off-by: Zhang Wensheng Link: https://lore.kernel.org/r/20220303070334.3020168-1-zhangwensheng5@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e47b12f9415169eceda6770fcf45802e0c8d2a66 Author: Wan Jiabing Date: Fri Feb 25 14:38:59 2022 +0800 hwrng: cavium - fix NULL but dereferenced coccicheck error [ Upstream commit e6205ad58a7ac194abfb33897585b38687d797fa ] Fix following coccicheck warning: ./drivers/char/hw_random/cavium-rng-vf.c:182:17-20: ERROR: pdev is NULL but dereferenced. Signed-off-by: Wan Jiabing Reviewed-by: Sunil Goutham Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f99a3870636c76ba183e18f18b12cdd32dfb831c Author: Akira Kawata Date: Thu Jan 27 21:40:16 2022 +0900 fs/binfmt_elf: Fix AT_PHDR for unusual ELF files [ Upstream commit 0da1d5002745cdc721bc018b582a8a9704d56c42 ] BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197921 As pointed out in the discussion of buglink, we cannot calculate AT_PHDR as the sum of load_addr and exec->e_phoff. : The AT_PHDR of ELF auxiliary vectors should point to the memory address : of program header. But binfmt_elf.c calculates this address as follows: : : NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff); : : which is wrong since e_phoff is the file offset of program header and : load_addr is the memory base address from PT_LOAD entry. : : The ld.so uses AT_PHDR as the memory address of program header. In normal : case, since the e_phoff is usually 64 and in the first PT_LOAD region, it : is the correct program header address. : : But if the address of program header isn't equal to the first PT_LOAD : address + e_phoff (e.g. Put the program header in other non-consecutive : PT_LOAD region), ld.so will try to read program header from wrong address : then crash or use incorrect program header. This is because exec->e_phoff is the offset of PHDRs in the file and the address of PHDRs in the memory may differ from it. This patch fixes the bug by calculating the address of program headers from PT_LOADs directly. Signed-off-by: Akira Kawata Reported-by: kernel test robot Acked-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220127124014.338760-2-akirakawata1@gmail.com Signed-off-by: Sasha Levin commit 1c1d2701e1b162f7b54596f97b131af539a43e9f Author: Souptick Joarder (HPE) Date: Fri Feb 18 22:03:03 2022 +0530 irqchip/nvic: Release nvic_base upon failure [ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ] smatch warning was reported as below -> smatch warnings: drivers/irqchip/irq-nvic.c:131 nvic_of_init() warn: 'nvic_base' not released on lines: 97. Release nvic_base upon failure. Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Souptick Joarder (HPE) Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com Signed-off-by: Sasha Levin commit 6d4e81bd479901e7fcea77c8b5891dfd69ba0bb1 Author: Marc Zyngier Date: Thu Feb 24 10:12:25 2022 +0000 irqchip/qcom-pdc: Fix broken locking [ Upstream commit a6aca2f460e203781dc41391913cc5b54f4bc0ce ] pdc_enable_intr() serves as a primitive to qcom_pdc_gic_{en,dis}able, and has a raw spinlock for mutual exclusion, which is uses with interruptible primitives. This means that this critical section can itself be interrupted. Should the interrupt also be a PDC interrupt, and the endpoint driver perform an irq_disable() on that interrupt, we end-up in a deadlock. Fix this by using the irqsave/irqrestore variants of the locking primitives. Signed-off-by: Marc Zyngier Reviewed-by: Maulik Shah Link: https://lore.kernel.org/r/20220224101226.88373-5-maz@kernel.org Signed-off-by: Sasha Levin commit ae07b72baede03a641b7f1dcdb33308dbdf9fe1d Author: Casey Schaufler Date: Mon Feb 28 15:45:32 2022 -0800 Fix incorrect type in assignment of ipv6 port for audit [ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ] Remove inappropriate use of ntohs() and assign the port value directly. Reported-by: kernel test robot Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit a24e05905d31c52dc6329bae8f55bcb7e5227746 Author: Chaitanya Kulkarni Date: Tue Feb 15 13:33:07 2022 -0800 loop: use sysfs_emit() in the sysfs xxx show() [ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ] sprintf does not know the PAGE_SIZE maximum of the temporary buffer used for outputting sysfs content and it's possible to overrun the PAGE_SIZE buffer length. Use a generic sysfs_emit function that knows the size of the temporary buffer and ensures that no overrun is done for offset attribute in loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks. Signed-off-by: Chaitanya Kulkarni Reviewed-by: Himanshu Madhani Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b531d4ead7990638c4d0402de1f6b3c6f4aa81be Author: Richard Haines Date: Fri Feb 25 17:54:38 2022 +0000 selinux: allow FIOCLEX and FIONCLEX with policy capability [ Upstream commit 65881e1db4e948614d9eb195b8e1197339822949 ] These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux always allows too. Furthermore, a failed FIOCLEX could result in a file descriptor being leaked to a process that should not have access to it. As this patch removes access controls, a policy capability needs to be enabled in policy to always allow these ioctls. Based-on-patch-by: Demi Marie Obenour Signed-off-by: Richard Haines [PM: subject line tweak] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 6863dccee058039cfb1eeb2eb0b1b6b88f11b166 Author: Fangrui Song Date: Fri Feb 18 00:12:09 2022 -0800 arm64: module: remove (NOLOAD) from linker script [ Upstream commit 4013e26670c590944abdab56c4fa797527b74325 ] On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually inappropriate for .plt and .text.* sections which are always SHT_PROGBITS. In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway and (NOLOAD) will be essentially ignored. In ld.lld, since https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to customize the output section type"), ld.lld will report a `section type mismatch` error. Just remove (NOLOAD) to fix the error. [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The section should be marked as not loadable" on https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is outdated for ELF. Tested-by: Nathan Chancellor Reported-by: Nathan Chancellor Signed-off-by: Fangrui Song Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20220218081209.354383-1-maskray@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit b51658a37469593c118a3477fe3deaf865dfedd6 Author: Daniel Lezcano Date: Sun Jan 30 22:02:04 2022 +0100 powercap/dtpm_cpu: Reset per_cpu variable in the release function [ Upstream commit 0aea2e4ec2a2bfa2d7e8820e37ba5b5ce04f20a5 ] The release function does not reset the per cpu variable when it is called. That will prevent creation again as the variable will be already from the previous creation. Fix it by resetting them. Signed-off-by: Daniel Lezcano Reviewed-by: Ulf Hansson Link: https://lore.kernel.org/r/20220130210210.549877-2-daniel.lezcano@linaro.org Signed-off-by: Sasha Levin commit eef89099bfb41ea739f6fc1211a26915423e3f2c Author: Christian Göttsche Date: Thu Feb 17 15:21:25 2022 +0100 selinux: use correct type for context length [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche [PM: wrapped commit description] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit c01fced8d38fbccc82787065229578006f28e020 Author: Yu Kuai Date: Sat Jan 29 09:59:24 2022 +0800 block, bfq: don't move oom_bfqq [ Upstream commit 8410f70977734f21b8ed45c37e925d311dfda2e7 ] Our test report a UAF: [ 2073.019181] ================================================================== [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5 [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Call trace: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Allocated by task 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Freed by task 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024 [ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] The buggy address belongs to the page: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 [ 2073.020411] page dumped because: kasan: bad access detected [ 2073.020412] [ 2073.020414] Memory state around the buggy address: [ 2073.020420] ffff8000ccf64000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020424] ffff8000ccf64080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020428] >ffff8000ccf64100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020430] ^ [ 2073.020434] ffff8000ccf64180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020438] ffff8000ccf64200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020439] ================================================================== The same problem exist in mainline as well. This is because oom_bfqq is moved to a non-root group, thus root_group is freed earlier. Thus fix the problem by don't move oom_bfqq. Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Acked-by: Paolo Valente Link: https://lore.kernel.org/r/20220129015924.3958918-4-yukuai3@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 8f5abddc47e31a87f524ff6af8522e2e20d93467 Author: Kai Ye Date: Fri Feb 11 17:08:18 2022 +0800 crypto: hisilicon/sec - not need to enable sm4 extra mode at HW V3 [ Upstream commit f8a2652826444d13181061840b96a5d975d5b6c6 ] It is not need to enable sm4 extra mode in at HW V3. Here is fix it. Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0e5c88cd471f9e2fbad4ddc14c86777dab5110b2 Author: Herbert Xu Date: Thu Feb 10 13:09:40 2022 +1100 crypto: xts - Add softdep on ecb [ Upstream commit dfe085d8dcd0bb1fe20cc2327e81c8064cead441 ] The xts module needs ecb to be present as it's meant to work on top of ecb. This patch adds a softdep so ecb can be included automatically into the initramfs. Reported-by: rftc Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit dcdd0d0bf877a6a022e65d2eab67bb950490e5a2 Author: Yahu Gao Date: Fri Jan 7 14:58:59 2022 +0800 block/bfq_wf2q: correct weight to ioprio [ Upstream commit bcd2be763252f3a4d5fc4d6008d4d96c601ee74b ] The return value is ioprio * BFQ_WEIGHT_CONVERSION_COEFF or 0. What we want is ioprio or 0. Correct this by changing the calculation. Signed-off-by: Yahu Gao Acked-by: Paolo Valente Link: https://lore.kernel.org/r/20220107065859.25689-1-gaoyahu19@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6a0725b9d78ff6efdc95a37e4f05072e79c63918 Author: Christoph Hellwig Date: Tue Feb 15 10:45:12 2022 +0100 memstick/mspro_block: fix handling of read-only devices [ Upstream commit 6dab421bfe06a59bf8f212a72e34673e8acf2018 ] Use set_disk_ro to propagate the read-only state to the block layer instead of checking for it in ->open and leaking a reference in case of a read-only device. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220215094514.3828912-4-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 4d8dbb61b103bd5b8c65288eec8d740601d308ba Author: Ming Lei Date: Wed Feb 16 12:45:12 2022 +0800 block: throttle split bio in case of iops limit [ Upstream commit 9f5ede3c01f9951b0ae7d68b28762ad51d9bacc8 ] Commit 111be8839817 ("block-throttle: avoid double charge") marks bio as BIO_THROTTLED unconditionally if __blk_throtl_bio() is called on this bio, then this bio won't be called into __blk_throtl_bio() any more. This way is to avoid double charge in case of bio splitting. It is reasonable for read/write throughput limit, but not reasonable for IOPS limit because block layer provides io accounting against split bio. Chunguang Xu has already observed this issue and fixed it in commit 4f1e9630afe6 ("blk-throtl: optimize IOPS throttle for large IO scenarios"). However, that patch only covers bio splitting in __blk_queue_split(), and we have other kind of bio splitting, such as bio_split() & submit_bio_noacct() and other ways. This patch tries to fix the issue in one generic way by always charging the bio for iops limit in blk_throtl_bio(). This way is reasonable: re-submission & fast-cloned bio is charged if it is submitted to same disk/queue, and BIO_THROTTLED will be cleared if bio->bi_bdev is changed. This new approach can get much more smooth/stable iops limit compared with commit 4f1e9630afe6 ("blk-throtl: optimize IOPS throttle for large IO scenarios") since that commit can't throttle current split bios actually. Also this way won't cause new double bio iops charge in blk_throtl_dispatch_work_fn() in which blk_throtl_bio() won't be called any more. Reported-by: Ning Li Acked-by: Tejun Heo Cc: Chunguang Xu Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20220216044514.2903784-7-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 33884c907e6e5a1eb97aa1fa6983c8672850931b Author: Paul E. McKenney Date: Tue Jan 4 10:34:34 2022 -0800 rcu: Mark writes to the rcu_segcblist structure's ->flags field [ Upstream commit c09929031018913b5783872a8b8cdddef4a543c7 ] KCSAN reports data races between the rcu_segcblist_clear_flags() and rcu_segcblist_set_flags() functions, though misreporting the latter as a call to rcu_segcblist_is_enabled() from call_rcu(). This commit converts the updates of this field to WRITE_ONCE(), relying on the resulting unmarked reads to continue to detect buggy concurrent writes to this field. Reported-by: Zhouyi Zhou Signed-off-by: Paul E. McKenney Cc: Frederic Weisbecker Signed-off-by: Sasha Levin commit 77e2de05e5cd61e4e691a394f126645347684cec Author: Marc Zyngier Date: Tue Feb 1 12:03:08 2022 +0000 pinctrl: npcm: Fix broken references to chip->parent_device [ Upstream commit f7e53e2255808ca3abcc8f38d18ad0823425e771 ] The npcm driver has a bunch of references to the irq_chip parent_device field, but never sets it. Fix it by fishing that reference from somewhere else, but it is obvious that these debug statements were never used. Also remove an unused field in a local data structure. Signed-off-by: Marc Zyngier Acked-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20220201120310.878267-11-maz@kernel.org Signed-off-by: Sasha Levin commit 1680a05ff9e93cdc932d9b7c684f215c3167ce42 Author: David Woodhouse Date: Tue Feb 16 15:04:34 2021 +0000 rcu: Kill rnp->ofl_seq and use only rcu_state.ofl_lock for exclusion [ Upstream commit 82980b1622d97017053c6792382469d7dc26a486 ] If we allow architectures to bring APs online in parallel, then we end up requiring rcu_cpu_starting() to be reentrant. But currently, the manipulation of rnp->ofl_seq is not thread-safe. However, rnp->ofl_seq is also fairly much pointless anyway since both rcu_cpu_starting() and rcu_report_dead() hold rcu_state.ofl_lock for fairly much the whole time that rnp->ofl_seq is set to an odd number to indicate that an operation is in progress. So drop rnp->ofl_seq completely, and use only rcu_state.ofl_lock. This has a couple of minor complexities: lockdep will complain when we take rcu_state.ofl_lock, and currently accepts the 'excuse' of having an odd value in rnp->ofl_seq. So switch it to an arch_spinlock_t to avoid that false positive complaint. Since we're killing rnp->ofl_seq of course that 'excuse' has to be changed too, so make it check for arch_spin_is_locked(rcu_state.ofl_lock). There's no arch_spin_lock_irqsave() so we have to manually save and restore local interrupts around the locking. At Paul's request based on Neeraj's analysis, make rcu_gp_init not just wait but *exclude* any CPU online/offline activity, which was fairly much true already by virtue of it holding rcu_state.ofl_lock. Signed-off-by: David Woodhouse Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 0a639f01f90dea71462320d2e477d716a2479a61 Author: Kees Cook Date: Sun Feb 6 09:08:20 2022 -0800 gcc-plugins/stackleak: Exactly match strings instead of prefixes [ Upstream commit 27e9faf415dbf94af19b9c827842435edbc1fbbc ] Since STRING_CST may not be NUL terminated, strncmp() was used for check for equality. However, this may lead to mismatches for longer section names where the start matches the tested-for string. Test for exact equality by checking for the presences of NUL termination. Cc: Alexander Popov Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit c756b8a20176f5537b2604c9d917827f1a3834bc Author: Srujana Challa Date: Tue Jan 25 23:56:22 2022 +0530 crypto: octeontx2 - CN10K CPT to RNM workaround [ Upstream commit bd9305b0cb69bfe98885a63a9e6231ae92e822e2 ] When software sets CPT_AF_CTL[RNM_REQ_EN]=1 and RNM in not producing entropy(i.e., RNM_ENTROPY_STATUS[NORMAL_CNT] < 0x40), the first cycle of the response may be lost due to a conditional clocking issue. Due to this, the subsequent random number stream will be corrupted. So, this patch adds support to ensure RNM_ENTROPY_STATUS[NORMAL_CNT] = 0x40 before writing CPT_AF_CTL[RNM_REQ_EN] = 1, as a workaround. Signed-off-by: Srujana Challa Signed-off-by: Shijith Thotton Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9c165d544540ce12718ed3099efa7acdf68d497a Author: Kai Ye Date: Sat Jan 22 17:30:42 2022 +0800 crypto: hisilicon/qm - cleanup warning in qm_vf_read_qos [ Upstream commit 05b3bade290d6c940701f97f3233c07cfe27205d ] The kernel test rebot report this warning: Uninitialized variable: ret. The code flow may return value of ret directly. This value is an uninitialized variable, here is fix it. Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c40e9e49349fbea6dde81cad954e6c9051bcd09b Author: Dave Stevenson Date: Mon Jan 24 17:01:22 2022 -0500 regulator: rpi-panel: Handle I2C errors/timing to the Atmel [ Upstream commit 5665eee7a3800430e7dc3ef6f25722476b603186 ] The Atmel is doing some things in the I2C ISR, during which period it will not respond to further commands. This is particularly true of the POWERON command. Increase delays appropriately, and retry should I2C errors be reported. Signed-off-by: Dave Stevenson Signed-off-by: Detlev Casanova Link: https://lore.kernel.org/r/20220124220129.158891-3-detlev.casanova@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cadae7c5e477aaafcba819b8e4a3d1c1a1503b62 Author: Casey Schaufler Date: Thu Jan 27 04:51:00 2022 +0000 LSM: general protection fault in legacy_parse_param [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943@syzkaller.appspotmail.com Signed-off-by: Casey Schaufler Acked-by: James Morris Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 28dfe0fc1115d884061fa54a25f434158625500a Author: Linus Torvalds Date: Tue Mar 29 23:29:18 2022 -0700 fs: fix fd table size alignment properly [ Upstream commit d888c83fcec75194a8a48ccd283953bdba7b2550 ] Jason Donenfeld reports that my commit 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") doesn't work, and the reason is an embarrassing brown-paper-bag bug. Yes, we want to align the number of fds to BITS_PER_LONG, and yes, the reason they might not be aligned is because the incoming 'max_fd' argument might not be aligned. But aligining the argument - while simple - will cause a "infinitely big" maxfd (eg NR_OPEN_MAX) to just overflow to zero. Which most definitely isn't what we want either. The obvious fix was always just to do the alignment last, but I had moved it earlier just to make the patch smaller and the code look simpler. Duh. It certainly made _me_ look simple. Fixes: 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") Reported-and-tested-by: Jason A. Donenfeld Cc: Fedor Pchelkin Cc: Alexey Khoroshilov Cc: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 05f90fe2c7e8f27d7691ae57cb604e4c156b70e6 Author: Dan Carpenter Date: Thu Mar 24 08:52:07 2022 +0300 lib/test: use after free in register_test_dev_kmod() [ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ] The "test_dev" pointer is freed but then returned to the caller. Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") Signed-off-by: Dan Carpenter Signed-off-by: Luis Chamberlain Signed-off-by: Sasha Levin commit 11f03ba4bcaba6d3a26e109ab7bd5a2b2a53bd93 Author: Linus Torvalds Date: Tue Mar 29 15:06:39 2022 -0700 fs: fd tables have to be multiples of BITS_PER_LONG [ Upstream commit 1c24a186398f59c80adb9a967486b65c1423a59d ] This has always been the rule: fdtables have several bitmaps in them, and as a result they have to be sized properly for bitmaps. We walk those bitmaps in chunks of 'unsigned long' in serveral cases, but even when we don't, we use the regular kernel bitops that are defined to work on arrays of 'unsigned long', not on some byte array. Now, the distinction between arrays of bytes and 'unsigned long' normally only really ends up being noticeable on big-endian systems, but Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps() could be called with an argument that wasn't even a multiple of BITS_PER_BYTE. And then it fails to do the proper copy even on little-endian machines. The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which didn't actually sanitize the fdtable size sufficiently, and never made sure it had the proper BITS_PER_LONG alignment. That's partly because the alignment historically came not from having to explicitly align things, but simply from previous fdtable sizes, and from count_open_files(), which counts the file descriptors by walking them one 'unsigned long' word at a time and thus naturally ends up doing sizing in the proper 'chunks of unsigned long'. But with the introduction of close_range(), we now have an external source of "this is how many files we want to have", and so sane_fdtable_size() needs to do a better job. This also adds that explicit alignment to alloc_fdtable(), although there it is mainly just for documentation at a source code level. The arithmetic we do there to pick a reasonable fdtable size already aligns the result sufficiently. In fact,clang notices that the added ALIGN() in that function doesn't actually do anything, and does not generate any extra code for it. It turns out that gcc ends up confusing itself by combining a previous constant-sized shift operation with the variable-sized shift operations in roundup_pow_of_two(). And probably due to that doesn't notice that the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't matter. Having the explicit alignment makes sense, and would actually matter on a 128-bit architecture if we ever go there. This also adds big comments above both functions about how fdtable sizes have to have that BITS_PER_LONG alignment. Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE") Reported-by: Fedor Pchelkin Reported-by: Alexey Khoroshilov Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/ Tested-and-acked-by: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 6cae86ef7554d8daa00af6b59ea9e62ebbdc2717 Author: Xiaomeng Tong Date: Mon Mar 28 11:24:31 2022 +0800 net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator [ Upstream commit 6da69b1da130e7d96766042750cd9f902e890eba ] The bug is here: return rule; The list iterator value 'rule' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element is found. To fix the bug, return 'rule' when found, otherwise return NULL. Fixes: ae7a5aff783c7 ("net: dsa: bcm_sf2: Keep copy of inserted rules") Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: Xiaomeng Tong Link: https://lore.kernel.org/r/20220328032431.22538-1-xiam0nd.tong@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 294953e64a62e8c6b58953950eec80cc9bcd5262 Author: Trond Myklebust Date: Mon Mar 28 08:36:34 2022 -0400 NFSv4/pNFS: Fix another issue with a list iterator pointing to the head [ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ] In nfs4_callback_devicenotify(), if we don't find a matching entry for the deviceid, we're left with a pointer to 'struct nfs_server' that actually points to the list of super blocks associated with our struct nfs_client. Furthermore, even if we have a valid pointer, nothing pins the super block, and so the struct nfs_server could end up getting freed while we're using it. Since all we want is a pointer to the struct pnfs_layoutdriver_type, let's skip all the iteration over super blocks, and just use APIs to find the layout driver directly. Reported-by: Xiaomeng Tong Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b24793a37d91aacad7cb9893b226a7924a89636a Author: Marcelo Ricardo Leitner Date: Thu Mar 24 16:22:10 2022 -0300 net/sched: act_ct: fix ref leak when switching zones [ Upstream commit bcb74e132a76ce0502bb33d5b65533a4ed72d159 ] When switching zones or network namespaces without doing a ct clear in between, it is now leaking a reference to the old ct entry. That's because tcf_ct_skb_nfct_cached() returns false and tcf_ct_flow_table_lookup() may simply overwrite it. The fix is to, as the ct entry is not reusable, free it already at tcf_ct_skb_nfct_cached(). Reported-by: Florian Westphal Fixes: 2f131de361f6 ("net/sched: act_ct: Fix flow table lookup after ct clear or switching zones") Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit fc4696ccacd6e32d9f12e704cd428fbe8bd4fcf6 Author: Jakub Kicinski Date: Fri Mar 25 16:27:09 2022 -0700 selftests: tls: skip cmsg_to_pipe tests with TLS=n [ Upstream commit 5c7e49be96ea24776a5b5a07c732c477294add00 ] These are negative tests, testing TLS code rejects certain operations. They won't pass without TLS enabled, pure TCP accepts those operations. Reported-by: Linux Kernel Functional Testing Fixes: d87d67fd61ef ("selftests: tls: test splicing cmsgs") Signed-off-by: Jakub Kicinski Reviewed-by: Shuah Khan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a5e4b7a11e1c879f55370abdb7b6b6b8da73d73b Author: Tom Rix Date: Sat Mar 26 09:03:06 2022 -0700 octeontx2-af: initialize action variable [ Upstream commit 33b5bc9e703383e396f275d51fc4bafa48dbae5a ] Clang static analysis reports this representative issue rvu_npc.c:898:15: warning: Assigned value is garbage or undefined req.match_id = action.match_id; ^ ~~~~~~~~~~~~~~~ The initial setting of action is conditional on if (is_mcam_entry_enabled(...)) The later check of action.op will sometimes be garbage. So initialize action. Reduce setting of *(u64 *)&action = 0x00; to *(u64 *)&action = 0; Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e7e1fff76c4c57688dc7d53a3b6212182d5628d0 Author: Zheng Yongjun Date: Sat Mar 26 08:12:39 2022 +0000 net: sparx5: switchdev: fix possible NULL pointer dereference [ Upstream commit 0906f3a3df07835e37077d8971aac65347f2ed57 ] As the possible failure of the allocation, devm_kzalloc() may return NULL pointer. Therefore, it should be better to check the 'db' in order to prevent the dereference of NULL pointer. Fixes: 10615907e9b51 ("net: sparx5: switchdev: adding frame DMA functionality") Signed-off-by: Zheng Yongjun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 671529db75e6be777bb1c76aa07c2bdd2992be6d Author: Duoming Zhou Date: Sat Mar 26 18:43:46 2022 +0800 net/x25: Fix null-ptr-deref caused by x25_disconnect [ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ] When the link layer is terminating, x25->neighbour will be set to NULL in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is shown below. (Thread 1) | (Thread 2) x25_link_terminated() | x25_recvmsg() x25_kill_by_neigh() | ... x25_disconnect() | lock_sock(sk) ... | ... x25->neighbour = NULL //(1) | ... | x25->neighbour->extended //(2) The code sets NULL to x25->neighbour in position (1) and dereferences x25->neighbour in position (2), which could cause null-ptr-deref bug. This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the sock held by lock_sock() is not NULL, because it is extracted from x25_list and uses x25_list_lock to synchronize. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Duoming Zhou Reviewed-by: Lin Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f6983bfc6347195202881f8503832cbc92bbd345 Author: Tom Rix Date: Sat Mar 26 10:20:03 2022 -0700 qlcnic: dcb: default to returning -EOPNOTSUPP [ Upstream commit 1521db37f0d42334a88e8ff28198a27d1ed5cd7b ] Clang static analysis reports this issue qlcnic_dcb.c:382:10: warning: Assigned value is garbage or undefined mbx_out = *val; ^ ~~~~ val is set in the qlcnic_dcb_query_hw_capability() wrapper. If there is no query_hw_capability op in dcp, success is returned without setting the val. For this and similar wrappers, return -EOPNOTSUPP. Fixes: 14d385b99059 ("qlcnic: dcb: Query adapter DCB capabilities.") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 05a62f47ec0410a61876b269308e301af63c862c Author: Randy Dunlap Date: Sat Mar 26 11:02:34 2022 -0700 net: sparx5: depends on PTP_1588_CLOCK_OPTIONAL [ Upstream commit 08be6b13db23f68146c600dd5adfd92e99d9ec6e ] Fix build errors when PTP_1588_CLOCK=m and SPARX5_SWTICH=y. arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ethtool.o: in function `sparx5_get_ts_info': sparx5_ethtool.c:(.text+0x146): undefined reference to `ptp_clock_index' arc-linux-ld: sparx5_ethtool.c:(.text+0x146): undefined reference to `ptp_clock_index' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o: in function `sparx5_ptp_init': sparx5_ptp.c:(.text+0xd56): undefined reference to `ptp_clock_register' arc-linux-ld: sparx5_ptp.c:(.text+0xd56): undefined reference to `ptp_clock_register' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o: in function `sparx5_ptp_deinit': sparx5_ptp.c:(.text+0xf30): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf30): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf38): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf46): undefined reference to `ptp_clock_unregister' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o:sparx5_ptp.c:(.text+0xf46): more undefined references to `ptp_clock_unregister' follow Fixes: 3cfa11bac9bb ("net: sparx5: add the basic sparx5 driver") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Horatiu Vultur Cc: UNGLinuxDriver@microchip.com Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Steen Hegelund Cc: Bjarni Jonasson Cc: Lars Povlsen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 86f23cceff4a6382456abd62959bd0956cc5c68e Author: Guangbin Huang Date: Sat Mar 26 17:51:05 2022 +0800 net: hns3: fix phy can not link up when autoneg off and reset [ Upstream commit ad0ecaef6a2c07e67ef9fe163c007f7b3dad8643 ] Currently, function hclge_mdio_read() will return 0 if during reset(the cmd state will be set to disable). If use general phy driver, the phy_state_machine() will update phy speed every second in function genphy_read_status_fixed() when PHY is set to autoneg off, no matter of link down or link up. If phy driver happens to read BMCR register during reset, phy speed will be updated to 10Mpbs as BMCR register value is 0. So it may call phy can not link up if previous speed is not 10Mpbs. To fix this problem, function hclge_mdio_read() should return -EBUSY if the cmd state is disable. So does function hclge_mdio_write(). Fixes: 1c1249380992 ("net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read") Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 74a96ae7e3064299dd03a6891116f3b8885dd987 Author: Hao Chen Date: Sat Mar 26 17:51:04 2022 +0800 net: hns3: add NULL pointer check for hns3_set/get_ringparam() [ Upstream commit 4d07c5936c2508ddd1cfd49b0a91d94cb4d1f0e8 ] When pci devices init failed and haven't reinit, priv->ring is NULL and hns3_set/get_ringparam() will access priv->ring. it causes call trace. So, add NULL pointer check for hns3_set/get_ringparam() to avoid this situation. Fixes: 5668abda0931 ("net: hns3: add support for set_ringparam") Signed-off-by: Hao Chen Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1ff44dd148f038c8ac37266773b833b3499293e3 Author: Hao Chen Date: Sat Mar 26 17:51:03 2022 +0800 net: hns3: add netdev reset check for hns3_set_tunable() [ Upstream commit f5cd60169f981ca737c9e49c446506dfafc90a35 ] When pci device reset failed, it does uninit operation and priv->ring is NULL, it causes accessing NULL pointer error. Add netdev reset check for hns3_set_tunable() to fix it. Fixes: 99f6b5fb5f63 ("net: hns3: use bounce buffer when rx page can not be reused") Signed-off-by: Hao Chen Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 81d47015a854cdc41491102109e683f7e657f54d Author: Peng Li Date: Sat Mar 26 17:51:02 2022 +0800 net: hns3: clean residual vf config after disable sriov [ Upstream commit 671cb8cbb9c9e24b681d21b1bfae991e2386ac73 ] After disable sriov, VF still has some config and info need to be cleaned, which configured by PF. This patch clean the HW config and SW struct vport->vf_info. Fixes: fa8d82e853e8 ("net: hns3: Add support of .sriov_configure in HNS3 driver") Signed-off-by: Peng Li Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit cfdb5af6d4dbbf5990f52bdc792d2df9048c7e3c Author: Hao Chen Date: Sat Mar 26 17:51:01 2022 +0800 net: hns3: add max order judgement for tx spare buffer [ Upstream commit a89cbb16995bf15582e0d1bdb922ad1a54a2fa8c ] Add max order judgement for tx spare buffer to avoid triggering call trace, print related fail information instead, when user set tx spare buf size to a large value which causes order exceeding 10. Fixes: e445f08af2b1 ("net: hns3: add support to set/get tx copybreak buf size via ethtool for hns3 driver") Signed-off-by: Hao Chen Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 08665d642838d651179a69bc811bb48fe1c7a424 Author: Hao Chen Date: Sat Mar 26 17:51:00 2022 +0800 net: hns3: fix ethtool tx copybreak buf size indicating not aligned issue [ Upstream commit 8778372118023e2258612c03573c47efef41d755 ] When use ethtoool set tx copybreak buf size to a large value which causes order exceeding 10 or memory is not enough, it causes allocating tx copybreak buffer failed and print "the active tx spare buf is 0, not enabled tx spare buffer", however, use --get-tunable parameter query tx copybreak buf size and it indicates setting value not 0. So, it's necessary to change the print value from setting value to 0. Set kinfo.tx_spare_buf_size to 0 when set tx copybreak buf size failed. Fixes: e445f08af2b1 ("net: hns3: add support to set/get tx copybreak buf size via ethtool for hns3 driver") Signed-off-by: Hao Chen Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 77166ce0a38048e2a45bab93ef93cb50fd001620 Author: Shunsuke Nakamura Date: Fri Mar 25 13:38:23 2022 +0900 libperf tests: Fix typo in perf_evlist__open() failure error messages [ Upstream commit c2eeac985657f61543e6c5a333b94f3bd18e6b9d ] This patch corrects typos in error messages. I should be "evlist", not "evsel" as the function that fails is perf_evlist__open(). Fixes: 3ce311afb5583cf3 ("libperf: Move to tools/lib/perf") Fixes: a7f3713f6bf207e6 ("libperf tests: Add test_stat_multiplexing test") Signed-off-by: Shunsuke Nakamura Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20220325043829.224045-2-nakamura.shun@fujitsu.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fc31fa11e331f1dd617ca9714eec91832c9c0591 Author: Trond Myklebust Date: Fri Mar 25 21:51:03 2022 -0400 NFS: Don't loop forever in nfs_do_recoalesce() [ Upstream commit d02d81efc7564b4d5446a02e0214a164cf00b1f3 ] If __nfs_pageio_add_request() fails to add the request, it will return with either desc->pg_error < 0, or mirror->pg_recoalesce will be set, so we are guaranteed either to exit the function altogether, or to loop. However if there is nothing left in mirror->pg_list to coalesce, we must exit, so make sure that we clear mirror->pg_recoalesce every time we loop. Reported-by: Olga Kornievskaia Fixes: 70536bf4eb07 ("NFS: Clean up reset of the mirror accounting variables") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 72b9d4598b0903562ebbff04b6fe93e4588c16a2 Author: Ido Schimmel Date: Thu Mar 24 22:05:14 2022 +0200 selftests: test_vxlan_under_vrf: Fix broken test case [ Upstream commit b50d3b46f84282d795ae3076111acb75ae1031f3 ] The purpose of the last test case is to test VXLAN encapsulation and decapsulation when the underlay lookup takes place in a non-default VRF. This is achieved by enslaving the physical device of the tunnel to a VRF. The binding of the VXLAN UDP socket to the VRF happens when the VXLAN device itself is opened, not when its physical device is opened. This was also mentioned in the cited commit ("tests that moving the underlay from a VRF to another works when down/up the VXLAN interface"), but the test did something else. Fix it by reopening the VXLAN device instead of its physical device. Before: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [FAIL] After: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [ OK ] Fixes: 03f1c26b1c56 ("test/net: Add script for VXLAN underlay in a VRF") Signed-off-by: Ido Schimmel Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220324200514.1638326-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 9352775b24c28e82d2d7364158f57112fe68f388 Author: Florian Fainelli Date: Thu Mar 24 16:24:38 2022 -0700 net: phy: broadcom: Fix brcm_fet_config_init() [ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ] A Broadcom AC201 PHY (same entry as 5241) would be flagged by the Broadcom UniMAC MDIO controller as not completing the turn around properly since the PHY expects 65 MDC clock cycles to complete a write cycle, and the MDIO controller was only sending 64 MDC clock cycles as determined by looking at a scope shot. This would make the subsequent read fail with the UniMAC MDIO controller command field having MDIO_READ_FAIL set and we would abort the brcm_fet_config_init() function and thus not probe the PHY at all. After issuing a software reset, wait for at least 1ms which is well above the 1us reset delay advertised by the datasheet and issue a dummy read to let the PHY turn around the line properly. This read specifically ignores -EIO which would be returned by MDIO controllers checking for the line being turned around. If we have a genuine reaad failure, the next read of the interrupt status register would pick it up anyway. Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support") Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit aaeb9711ed8525b7d5bd322fa91fe93902797965 Author: Jian Shen Date: Thu Mar 24 20:54:50 2022 +0800 net: hns3: refine the process when PF set VF VLAN [ Upstream commit 190cd8a72b0181c543ecada6243be3a50636941b ] Currently, when PF set VF VLAN, it sends notify mailbox to VF if VF alive. VF stop its traffic, and send request mailbox to PF, then PF updates VF VLAN. It's a bit complex. If VF is killed before sending request, PF will not set VF VLAN without any log. This patch refines the process, PF can set VF VLAN direclty, and then notify the VF. If VF is resetting at that time, the notify may be dropped, so VF should query it after reset finished. Fixes: 92f11ea177cd ("net: hns3: fix set port based VLAN issue for VF") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f58af41deeab0f45c9c80adf5f2de489ebbac3dd Author: Jian Shen Date: Thu Mar 24 20:54:49 2022 +0800 net: hns3: add vlan list lock to protect vlan list [ Upstream commit 1932a624ab88ff407d1a1d567fe581faa15dc725 ] When adding port base VLAN, vf VLAN need to remove from HW and modify the vlan state in vf VLAN list as false. If the periodicity task is freeing the same node, it may cause "use after free" error. This patch adds a vlan list lock to protect the vlan list. Fixes: c6075b193462 ("net: hns3: Record VF vlan tables") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7ad2a34201893c5f4349cc90a019668349702f41 Author: Jian Shen Date: Thu Mar 24 20:54:48 2022 +0800 net: hns3: fix port base vlan add fail when concurrent with reset [ Upstream commit c0f46de30c965d4ba208b5bf1a6d3437a7556ee2 ] Currently, Port base vlan is initiated by PF and configured to its VFs, by using command "ip link set vf vlan ". When a global reset was triggered, the hardware vlan table and the soft recorded vlan information will be cleared by PF, and restored them until VFs were ready. There is a short time window between the table had been cleared and before table restored. If configured a new port base vlan tag at this moment, driver will check the soft recorded vlan information, and find there hasn't the old tag in it, which causing a warning print. Due to the port base vlan is managed by PF, so the VFs's port base vlan restoring should be handled by PF when PF was ready. This patch fixes it. Fixes: 039ba863e8d7 ("net: hns3: optimize the filter table entries handling when resetting") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a73853ffe0078d04f0b25c33a5c2b08ea09de4b8 Author: Jian Shen Date: Thu Mar 24 20:54:47 2022 +0800 net: hns3: fix bug when PF set the duplicate MAC address for VFs [ Upstream commit ccb18f05535c96d26e2d559d402acb87700fc5a7 ] If the MAC address A is configured to vport A and then vport B. The MAC address of vport A in the hardware becomes invalid. If the address of vport A is changed to MAC address B, the driver needs to delete the MAC address A of vport A. Due to the MAC address A of vport A has become invalid in the hardware entry, so "-ENOENT" is returned. In this case, the "used_umv_size" value recorded in driver is not updated. As a result, the MAC entry status of the software is inconsistent with that of the hardware. Therefore, the driver updates the umv size even if the MAC entry cannot be found. Ensure that the software and hardware status is consistent. Fixes: ee4bcd3b7ae4 ("net: hns3: refactor the MAC address configure") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7c285ea989009f90d759b30f41e22823bed30a2b Author: Vladimir Oltean Date: Thu Mar 24 18:12:10 2022 +0200 net: enetc: report software timestamping via SO_TIMESTAMPING [ Upstream commit feb13dcb1818b775fbd9191f797be67cd605f03e ] Let user space properly determine that the enetc driver provides software timestamps. Fixes: 4caefbce06d1 ("enetc: add software timestamping") Signed-off-by: Vladimir Oltean Reviewed-by: Claudiu Manoil Link: https://lore.kernel.org/r/20220324161210.4122281-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 26911a822148bef5dcfc55e7df49cb05a18737e3 Author: Juergen Gross Date: Fri Mar 25 15:20:02 2022 +0100 xen: fix is_xen_pmu() [ Upstream commit de2ae403b4c0e79a3410e63bc448542fbb9f9bfc ] is_xen_pmu() is taking the cpu number as parameter, but it is not using it. Instead it just tests whether the Xen PMU initialization on the current cpu did succeed. As this test is done by checking a percpu pointer, preemption needs to be disabled in order to avoid switching the cpu while doing the test. While resuming from suspend() this seems not to be the case: [ 88.082751] ACPI: PM: Low-level resume complete [ 88.087933] ACPI: EC: EC started [ 88.091464] ACPI: PM: Restoring platform NVS memory [ 88.097166] xen_acpi_processor: Uploading Xen processor PM info [ 88.103850] Enabling non-boot CPUs ... [ 88.108128] installing Xen timer for CPU 1 [ 88.112763] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-sleep/7138 [ 88.122256] caller is is_xen_pmu+0x12/0x30 [ 88.126937] CPU: 0 PID: 7138 Comm: systemd-sleep Tainted: G W 5.16.13-2.fc32.qubes.x86_64 #1 [ 88.137939] Hardware name: Star Labs StarBook/StarBook, BIOS 7.97 03/21/2022 [ 88.145930] Call Trace: [ 88.148757] [ 88.151193] dump_stack_lvl+0x48/0x5e [ 88.155381] check_preemption_disabled+0xde/0xe0 [ 88.160641] is_xen_pmu+0x12/0x30 [ 88.164441] xen_smp_intr_init_pv+0x75/0x100 Fix that by replacing is_xen_pmu() by a simple boolean variable which reflects the Xen PMU initialization state on cpu 0. Modify xen_pmu_init() to return early in case it is being called for a cpu other than cpu 0 and the boolean variable not being set. Fixes: bf6dfb154d93 ("xen/PMU: PMU emulation code") Reported-by: Marek Marczykowski-Górecki Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20220325142002.31789-1-jgross@suse.com Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit f258574926c80bee35fba3ed01708eec59203761 Author: Maxime Ripard Date: Fri Mar 25 17:11:42 2022 +0100 clk: Initialize orphan req_rate [ Upstream commit 5f7e2af00807f2117650e711a58b7f0e986ce1df ] When registering a clock that doesn't have a recalc_rate implementation, and doesn't have its parent registered yet, we initialize the clk_core rate and 'req_rate' fields to 0. The rate field is later updated when the parent is registered in clk_core_reparent_orphans_nolock() using __clk_recalc_rates(), but the 'req_rate' field is never updated. This leads to an issue in clk_set_rate_range() and clk_put(), since those functions will call clk_set_rate() with the content of 'req_rate' to provide drivers with the opportunity to change the rate based on the new boundaries. In this case, we would call clk_set_rate() with a rate of 0, effectively enforcing the minimum allowed for this clock whenever we would call one of those two functions, even though the actual rate might be within range. Let's fix this by setting 'req_rate' in clk_core_reparent_orphans_nolock() with the rate field content just updated by the call to __clk_recalc_rates(). Fixes: 1c8e600440c7 ("clk: Add rate constraints to clocks") Reported-by: Dmitry Osipenko Tested-by: Dmitry Osipenko # T30 Nexus7 Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220325161144.1901695-2-maxime@cerno.tech [sboyd@kernel.org: Reword comment] Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 76feaa7d00d6bcf004b79462d10b3a74ceef4579 Author: Stefano Garzarella Date: Wed Mar 23 18:36:25 2022 +0100 vsock/virtio: enable VQs early on probe [ Upstream commit 88704454ef8b00ea91537ae0d47d9348077e0e72 ] virtio spec requires drivers to set DRIVER_OK before using VQs. This is set automatically after probe returns, but virtio-vsock driver uses VQs in the probe function to fill rx and event VQs with new buffers. Let's fix this, calling virtio_device_ready() before using VQs in the probe function. Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko") Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3c5f5d584866c1b417349aad8a06d2a4f5af6e82 Author: Stefano Garzarella Date: Wed Mar 23 18:36:24 2022 +0100 vsock/virtio: read the negotiated features before using VQs [ Upstream commit c1011c0b3a9c8d2065f425407475cbcc812540b7 ] Complete the driver configuration, reading the negotiated features, before using the VQs in the virtio_vsock_probe(). Fixes: 53efbba12cc7 ("virtio/vsock: enable SEQPACKET for transport") Suggested-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 83c80024c20d192168970a6029097f1c0b8bba40 Author: Stefano Garzarella Date: Wed Mar 23 18:36:23 2022 +0100 vsock/virtio: initialize vdev->priv before using VQs [ Upstream commit 4b5f1ad5566ada230aaa2ce861b28d1895f1ea68 ] When we fill VQs with empty buffers and kick the host, it may send an interrupt. `vdev->priv` must be initialized before this since it is used in the virtqueue callbacks. Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") Suggested-by: Michael S. Tsirkin Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e6196323dd2a0e82b6b83262438032b9e2d28b05 Author: Konrad Dybcio Date: Sat Mar 19 18:49:40 2022 +0100 clk: qcom: gcc-msm8994: Fix gpll4 width [ Upstream commit 71021db1c532c2545ae53b9ee85b37b7154f51d4 ] The gpll4 postdiv is actually a div4, so make sure that Linux is aware of this. This fixes the following error messages: mmc1: Card appears overclocked; req 200000000 Hz, actual 343999999 Hz mmc1: Card appears overclocked; req 400000000 Hz, actual 687999999 Hz Fixes: aec89f78cf01 ("clk: qcom: Add support for msm8994 global clock controller") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20220319174940.341137-1-konrad.dybcio@somainline.org Tested-by: Petr Vorel Reviewed-by: Petr Vorel Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 7738b9b4c3a0083f28acbded9fd00e1dd61ffe21 Author: Bjorn Andersson Date: Tue Mar 22 20:32:55 2022 -0700 net: stmmac: dwmac-qcom-ethqos: Enable RGMII functional clock on resume [ Upstream commit ffba2123e1714a27e9362fda57c42155dda37efc ] When the Qualcomm ethqos driver is properly described in its associated GDSC power-domain, the hardware will be powered down and loose its state between qcom_ethqos_probe() and stmmac_init_dma_engine(). The result of this is that the functional clock from the RGMII IO macro is no longer provides and the DMA software reset in dwmac4_dma_reset() will time out, due to lacking clock signal. Re-enable the functional clock, as part of the Qualcomm specific clock enablement sequence to avoid this problem. The final clock configuration will be adjusted by ethqos_fix_mac_speed() once the link is being brought up. Fixes: a7c30e62d4b8 ("net: stmmac: Add driver for Qualcomm ethqos") Signed-off-by: Bjorn Andersson Tested-and-reviewed-by: Bhupesh Sharma Link: https://lore.kernel.org/r/20220323033255.2282930-1-bjorn.andersson@linaro.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 51a258c0db86565871c5ee826676ee26805ce7a8 Author: Thomas Richter Date: Thu Mar 17 16:53:46 2022 +0100 perf stat: Fix forked applications enablement of counters [ Upstream commit d0a0a511493d269514fcbd852481cdca32c95350 ] I have run into the following issue: # perf stat -a -e new_pmu/INSTRUCTION_7/ -- mytest -c1 7 Performance counter stats for 'system wide': 0 new_pmu/INSTRUCTION_7/ 0.000366428 seconds time elapsed # The new PMU for s390 counts the execution of certain CPU instructions. The root cause is the extremely small run time of the mytest program. It just executes some assembly instructions and then exits. In above invocation the instruction is executed exactly one time (-c1 option). The PMU is expected to report this one time execution by a counter value of one, but fails to do so in some cases, not all. Debugging reveals the invocation of the child process is done *before* the counter events are installed and enabled. Tracing reveals that sometimes the child process starts and exits before the event is installed on all CPUs. The more CPUs the machine has, the more often this miscount happens. Fix this by reversing the start of the work load after the events have been installed on the specified CPUs. Now the comment also matches the code. Output after: # perf stat -a -e new_pmu/INSTRUCTION_7/ -- mytest -c1 7 Performance counter stats for 'system wide': 1 new_pmu/INSTRUCTION_7/ 0.000366428 seconds time elapsed # Now the correct result is reported rock solid all the time regardless how many CPUs are online. Reviewers notes: Jiri: Right, without -a the event has enable_on_exec so the race does not matter, but it's a problem for system wide with fork. Namhyung: Agreed. Also we may move the enable_counters() and the clock code out of the if block to be shared with the else block. Fixes: acf2892270dcc428 ("perf stat: Use perf_evlist__prepare/start_workload()") Signed-off-by: Thomas Richter Acked-by: Jiri Olsa Acked-by: Namhyung Kim Acked-by: Sumanth Korikkar Cc: Heiko Carstens Cc: Sven Schnelle Cc: Vasily Gorbik Link: https://lore.kernel.org/r/20220317155346.577384-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 739c2f07b2b37965ed2dd6f8493672aa598ce6d9 Author: Daniel Thompson Date: Fri Jan 28 14:40:55 2022 +0000 kdb: Fix the putarea helper function [ Upstream commit c1cb81429df462eca1b6ba615cddd21dd3103c46 ] Currently kdb_putarea_size() uses copy_from_kernel_nofault() to write *to* arbitrary kernel memory. This is obviously wrong and means the memory modify ('mm') command is a serious risk to debugger stability: if we poke to a bad address we'll double-fault and lose our debug session. Fix this the (very) obvious way. Note that there are two Fixes: tags because the API was renamed and this patch will only trivially backport as far as the rename (and this is probably enough). Nevertheless Christoph's rename did not introduce this problem so I wanted to record that! Fixes: fe557319aa06 ("maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault") Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Daniel Thompson Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20220128144055.207267-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit c42e690c31826bd13d72a137b253511a6d0d58f6 Author: Olga Kornievskaia Date: Thu Mar 24 10:38:42 2022 -0400 NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error [ Upstream commit 1d15d121cc2ad4d016a7dc1493132a9696f91fc5 ] There is no reason to retry the operation if a session error had occurred in such case result structure isn't filled out. Fixes: dff58530c4ca ("NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit af4d52f1756a247b5f0c432a53fd698aa032fec3 Author: Olga Kornievskaia Date: Thu Mar 24 10:22:58 2022 -0400 SUNRPC don't resend a task on an offlined transport [ Upstream commit 82ee41b85cef16b4be1f4732650012d9baaedddd ] When a task is being retried, due to an NFS error, if the assigned transport has been put offline and the task is relocatable pick a new transport. Fixes: 6f081693e7b2b ("sunrpc: remove an offlined xprt using sysfs") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 8f5efbc98f24c24faf73c0f83d64f7ccd6ed14fc Author: Pablo Neira Ayuso Date: Mon Mar 21 11:38:32 2022 +0100 netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options [ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ] Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios coming before the TCP window tracking, otherwise such connections will fail in the window check. Update tcp_options() to leave this flag in place and add a new helper function to reset the tcp window state. Based on patch from Sven Auhagen. Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") Tested-by: Sven Auhagen Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 025f7a65ae16ee19f9c3cb80bc1e2e24effdf97b Author: Phil Sutter Date: Thu Mar 24 15:02:40 2022 +0100 netfilter: egress: Report interface as outgoing [ Upstream commit d645552e9bd96671079b27015294ec7f9748fa2b ] Otherwise packets in egress chains seem like they are being received by the interface, not sent out via it. Fixes: 42df6e1d221dd ("netfilter: Introduce egress hook") Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal Signed-off-by: Sasha Levin commit 1e367d30f04b30f1b7b98baf6f1adbed52933813 Author: Ian Rogers Date: Mon Mar 21 15:33:44 2022 -0700 perf parse-events: Move slots only with topdown [ Upstream commit bc355822f0d9623b632069105d425c822d124cc8 ] If slots isn't with a topdown event then moving it is unnecessary. For example {instructions, slots} is re-ordered: $ perf stat -e '{instructions,slots}' -a sleep 1 Performance counter stats for 'system wide': 936,600,825 slots 144,440,968 instructions 1.006061423 seconds time elapsed Which can break tools expecting the command line order to match the printed order. It is necessary to move the slots event first when it appears with topdown events. Add extra checking so that the slots event is only moved in the case of there being a topdown event like: $ perf stat -e '{instructions,slots,topdown-fe-bound}' -a sleep 1 Performance counter stats for 'system wide': 2427568570 slots 300927614 instructions 551021649 topdown-fe-bound 1.001771803 seconds time elapsed Fixes: 94dbfd6781a0e87b ("perf parse-events: Architecture specific leader override") Reported-by: Kan Liang Signed-off-by: Ian Rogers Tested-by: Kan Liang Cc: Alexander Shishkin Cc: Alexandre Torgue Cc: Andi Kleen Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: John Garry Cc: Mark Rutland Cc: Maxime Coquelin Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Xing Zhengjun Link: https://lore.kernel.org/r/20220321223344.1034479-1-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 9fc76cd41d8fe29eb07d1f909418a6f59a9d2600 Author: Trond Myklebust Date: Wed Mar 16 19:10:43 2022 -0400 SUNRPC: Don't call connect() more than once on a TCP socket [ Upstream commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d ] Avoid socket state races due to repeated calls to ->connect() using the same socket. If connect() returns 0 due to the connection having completed, but we are in fact in a closing state, then we may leave the XPRT_CONNECTING flag set on the transport. Reported-by: Enrico Scholz Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit cc00a8299455b4d87131a651839d957d3972af03 Author: NeilBrown Date: Mon Mar 7 10:41:44 2022 +1100 SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC [ Upstream commit 8db55a032ac7ac1ed7b98d6b1dc980e6378c652f ] rpc tasks can be marked as RPC_TASK_SWAPPER. This causes GFP_MEMALLOC to be used for some allocations. This is needed in some cases, but not in all where it is currently provided, and in some where it isn't provided. Currently *all* tasks associated with a rpc_client on which swap is enabled get the flag and hence some GFP_MEMALLOC support. GFP_MEMALLOC is provided for ->buf_alloc() but only swap-writes need it. However xdr_alloc_bvec does not get GFP_MEMALLOC - though it often does need it. xdr_alloc_bvec is called while the XPRT_LOCK is held. If this blocks, then it blocks all other queued tasks. So this allocation needs GFP_MEMALLOC for *all* requests, not just writes, when the xprt is used for any swap writes. Similarly, if the transport is not connected, that will block all requests including swap writes, so memory allocations should get GFP_MEMALLOC if swap writes are possible. So with this patch: 1/ we ONLY set RPC_TASK_SWAPPER for swap writes. 2/ __rpc_execute() sets PF_MEMALLOC while handling any task with RPC_TASK_SWAPPER set, or when handling any task that holds the XPRT_LOCKED lock on an xprt used for swap. This removes the need for the RPC_IS_SWAPPER() test in ->buf_alloc handlers. 3/ xprt_prepare_transmit() sets PF_MEMALLOC after locking any task to a swapper xprt. __rpc_execute() will clear it. 3/ PF_MEMALLOC is set for all the connect workers. Reviewed-by: Chuck Lever (for xprtrdma parts) Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 1756ef89afd47c356b826c1ac4588b422fda89b2 Author: NeilBrown Date: Mon Mar 7 10:41:44 2022 +1100 SUNRPC/call_alloc: async tasks mustn't block waiting for memory [ Upstream commit c487216bec83b0c5a8803e5c61433d33ad7b104d ] When memory is short, new worker threads cannot be created and we depend on the minimum one rpciod thread to be able to handle everything. So it must not block waiting for memory. mempools are particularly a problem as memory can only be released back to the mempool by an async rpc task running. If all available workqueue threads are waiting on the mempool, no thread is available to return anything. rpc_malloc() can block, and this might cause deadlocks. So check RPC_IS_ASYNC(), rather than RPC_IS_SWAPPER() to determine if blocking is acceptable. Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit e411e3740e8865c0829bb0d468b34889150e86d4 Author: Pavel Skripkin Date: Sat Mar 19 22:30:00 2022 +0300 jfs: fix divide error in dbNextAG [ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ] Syzbot reported divide error in dbNextAG(). The problem was in missing validation check for malicious image. Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any validation checks, but dbNextAG() blindly use bmp->db_numag in divide expression Fix it by validating bmp->db_numag in dbMount() and return an error if image is malicious Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit 8f50fb4bb27a83f81323101b04516554491b4537 Author: German Gomez Date: Wed Mar 16 17:20:15 2022 +0000 perf test arm64: Test unwinding using fame-pointer (fp) mode [ Upstream commit cd6382d82752737e43ef3617bb9e72913d2b1d47 ] Add a shell script to check that the call-graphs generated using frame pointers (--call-graph fp) are complete and not missing leaf functions: | $ perf test 88 -v | 88: Check Arm64 callgraphs are complete in fp mode : | --- start --- | test child forked, pid 8734 | + Compiling test program (/tmp/test_program.Cz3yL)... | + Recording (PID=8749)... | + Stopping perf-record... | test_program.Cz | 728 leaf | 753 parent | 76c main | test child finished with 0 | ---- end ---- | Check Arm SPE callgraphs are complete in fp mode: Ok It's supposed to work with both unwinders: | $ make                # for libunwind (default) | $ make NO_LIBUNWIND=1 # for libdw Tester notes: Ran it on N1SDP and it passes, and it fails if b9f6fbb3b2c29736 ("perf arm64: Inject missing frames when using 'perf record --call-graph=fp'") isn't applied. Fixes: b9f6fbb3b2c29736 ("perf arm64: Inject missing frames when using 'perf record --call-graph=fp'") Suggested-by: Jiri Olsa Reviewed-by: James Clark Tested-by: James Clark Signed-off-by: German Gomez Cc: Alexandre Truong Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Link: https://lore.kernel.org/r/20220316172015.98000-1-german.gomez@arm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 9c3cc379d7d44e6edb4ef631dd6b0b6f98baff5e Author: Randy Dunlap Date: Mon Feb 28 20:18:29 2022 -0800 driver core: dd: fix return value of __setup handler [ Upstream commit f2aad54703dbe630f9d8b235eb58e8c8cc78f37d ] When "driver_async_probe=nulltty" is used on the kernel boot command line, it causes an Unknown parameter message and the string is added to init's environment strings, polluting them. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty Change the return value of the __setup function to 1 to indicate that the __setup option has been handled. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1ea61b68d0f8 ("async: Add cmdline option to specify drivers to be async probed") Cc: Feng Tang Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Reported-by: Igor Zhbanov Reviewed-by: Feng Tang Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220301041829.15137-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c5211e1740d1fccc92a9df4ecec33fd1c7262d2f Author: David Gow Date: Fri Feb 25 12:15:02 2022 +0800 firmware: google: Properly state IOMEM dependency [ Upstream commit 37fd83916da2e4cae03d350015c82a67b1b334c4 ] The Google Coreboot implementation requires IOMEM functions (memmremap, memunmap, devm_memremap), but does not specify this is its Kconfig. This results in build errors when HAS_IOMEM is not set, such as on some UML configurations: /usr/bin/ld: drivers/firmware/google/coreboot_table.o: in function `coreboot_table_probe': coreboot_table.c:(.text+0x311): undefined reference to `memremap' /usr/bin/ld: coreboot_table.c:(.text+0x34e): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/memconsole-coreboot.o: in function `memconsole_probe': memconsole-coreboot.c:(.text+0x12d): undefined reference to `memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x17e): undefined reference to `devm_memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x191): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_destroy.isra.0': vpd.c:(.text+0x300): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_init': vpd.c:(.text+0x382): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x459): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_probe': vpd.c:(.text+0x59d): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x5d3): undefined reference to `memunmap' collect2: error: ld returned 1 exit status Fixes: a28aad66da8b ("firmware: coreboot: Collapse platform drivers into bus core") Acked-By: anton ivanov Acked-By: Julius Werner Signed-off-by: David Gow Link: https://lore.kernel.org/r/20220225041502.1901806-1-davidgow@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2aeabe92085080bcb69d787c27b49e81a99fb675 Author: Randy Dunlap Date: Mon Mar 7 19:32:55 2022 -0800 kgdbts: fix return value of __setup handler [ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ] __setup() handlers should return 1 to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdbts_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite") Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f8e6e18d117e461110c849a11c6a396dcccdbd4e Author: Xiaolong Huang Date: Tue Mar 8 17:20:47 2022 +0800 virt: acrn: fix a memory leak in acrn_dev_ioctl() [ Upstream commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b ] The vm_param and cpu_regs need to be freed via kfree() before return -EINVAL error. Fixes: 9c5137aedd11 ("virt: acrn: Introduce VM management interfaces") Fixes: 2ad2aaee1bc9 ("virt: acrn: Introduce an ioctl to set vCPU registers state") Signed-off-by: Xiaolong Huang Signed-off-by: Fei Li Link: https://lore.kernel.org/r/20220308092047.1008409-1-butterflyhuangxx@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 02098ac42b7ff055ec72cd083ee1eb0a23481a19 Author: Yonghua Huang Date: Mon Feb 28 05:22:12 2022 +0300 virt: acrn: obtain pa from VMA with PFNMAP flag [ Upstream commit 8a6e85f75a83d16a71077e41f2720c691f432002 ] acrn_vm_ram_map can't pin the user pages with VM_PFNMAP flag by calling get_user_pages_fast(), the PA(physical pages) may be mapped by kernel driver and set PFNMAP flag. This patch fixes logic to setup EPT mapping for PFN mapped RAM region by checking the memory attribute before adding EPT mapping for them. Fixes: 88f537d5e8dd ("virt: acrn: Introduce EPT mapping management") Signed-off-by: Yonghua Huang Signed-off-by: Fei Li Link: https://lore.kernel.org/r/20220228022212.419406-1-yonghua.huang@intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 20d434fe7925a0187132b301f04cf1a69e3fd4f5 Author: Ilpo Järvinen Date: Mon Mar 14 11:14:32 2022 +0200 serial: 8250: fix XOFF/XON sending when DMA is used [ Upstream commit f58c252e30cf74f68b0054293adc03b5923b9f0e ] When 8250 UART is using DMA, x_char (XON/XOFF) is never sent to the wire. After this change, x_char is injected correctly. Create uart_xchar_out() helper for sending the x_char out and accounting related to it. It seems that almost every driver does these same steps with x_char. Except for 8250, however, almost all currently lack .serial_out so they cannot immediately take advantage of this new helper. The downside of this patch is that it might reintroduce the problems some devices faced with mixed DMA/non-DMA transfer which caused revert f967fc8f165f (Revert "serial: 8250_dma: don't bother DMA with small transfers"). However, the impact should be limited to cases with XON/XOFF (that didn't work with DMA capable devices to begin with so this problem is not very likely to cause a major issue, if any at all). Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine") Reported-by: Gilles Buloz Tested-by: Gilles Buloz Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220314091432.4288-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d65c2d76062012e542f765911ca8eecec36df5bb Author: Randy Dunlap Date: Tue Mar 8 19:30:18 2022 -0800 kgdboc: fix return value of __setup handler [ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdboc_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic") Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc") Cc: He Zhe Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: linux-serial@vger.kernel.org Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 679993cbb423cc5cab17f59030cca2b680e6ae22 Author: Randy Dunlap Date: Mon Mar 7 18:42:28 2022 -0800 tty: hvc: fix return value of __setup handler [ Upstream commit 53819a0d97aace1425bb042829e3446952a9e8a9 ] __setup() handlers should return 1 to indicate that the boot option has been handled or 0 to indicate that it was not handled. Add a pr_warn() message if the option value is invalid and then always return 1. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 86b40567b917 ("tty: replace strict_strtoul() with kstrtoul()") Cc: Jingoo Han Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: Michael Ellerman Cc: Julian Wiedmann Cc: Vasily Gorbik Cc: linuxppc-dev@lists.ozlabs.org Reported-by: Igor Zhbanov Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308024228.20477-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2723543c1d60278d5aef1c4ad732dbad24b84a81 Author: Dan Carpenter Date: Wed Mar 16 11:35:33 2022 +0300 clk: visconti: prevent array overflow in visconti_clk_register_gates() [ Upstream commit c5601e0720ce1a3ad895f94a5838530edde01ed3 ] This code was using -1 to represent that there was no reset function. Unfortunately, the -1 was stored in u8 so the if (clks[i].rs_id >= 0) condition was always true. This lead to an out of bounds access in visconti_clk_register_gates(). Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220316083533.GA30941@kili Acked-by: Nobuhiro Iwamatsu Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 0374913ec0c5e88d3c9bc76f486aa841b59460aa Author: Miaoqian Lin Date: Mon Mar 7 12:02:34 2022 +0000 pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe [ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon") Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 62580a40c9bef3d8a90629c64dda381344b35ffd Author: Miaoqian Lin Date: Mon Mar 7 11:51:16 2022 +0000 pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe [ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 621467ba4d2138d318df995c54c9b24b5e72907f Author: Michael Walle Date: Sat Feb 26 21:45:03 2022 +0100 pinctrl: microchip-sgpio: lock RMW access [ Upstream commit 7996c5f5ec7a20b3f6b8fae93fcf3cb8f1c01743 ] Protect any RMW access to the registers by a spinlock. Fixes: 7e5ea974e61c ("pinctrl: pinctrl-microchip-sgpio: Add pinctrl driver for Microsemi Serial GPIO") Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20220226204507.2511633-2-michael@walle.cc Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit e5314f4cf2753179dafb2c247f3d373d50d58072 Author: Horatiu Vultur Date: Fri Mar 4 15:44:32 2022 +0100 pinctrl: ocelot: Fix interrupt parsing [ Upstream commit d1f2c82f3b1f428bdc0933dde52fb93ae796d4ee ] In the blamed commit, it removes the duplicate of_node assignment in the driver. But the driver uses this before calling into of_gpio_dev_init to determine if it needs to assign an IRQ chip to the GPIO. The fixes consists in using the platform_get_irq_optional Fixes: 8a8d6bbe1d3bc7 ("pinctrl: Get rid of duplicate of_node assignment in the drivers") Signed-off-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220304144432.3397621-3-horatiu.vultur@microchip.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit afd43a88066d9f14ccdd14b47736d2e9ec11ec61 Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:51 2022 +0800 pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs [ Upstream commit 1763933d377ecb05454f8d20e3c8922480db2ac0 ] Virtual GPIOs do not have any hardware state associated with them. Any attempt to read back hardware state for these pins result in error codes. Skip dumping extra pin config information for these virtual GPIOs. Fixes: 184d8e13f9b1 ("pinctrl: mediatek: Add support for pin configuration dump via debugfs.") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-7-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 142b908187464eb409ee1bda2860a902fdc862bf Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:49 2022 +0800 pinctrl: mediatek: paris: Fix pingroup pin config state readback [ Upstream commit 54fe55fb384ade630ef20b9a8b8f3b2a89ad97f2 ] mtk_pconf_group_get(), used to read back pingroup pin config state, simply returns a set of configs saved from a previous invocation of mtk_pconf_group_set(). This is an unfiltered, unvalidated set passed in from the pinconf core, which does not match the current hardware state. Since the driver library is designed to have one pin per group, pass through mtk_pconf_group_get() to mtk_pinconf_get(), to read back the current pin config state of the only pin in the group. Also drop the assignment of pin config state to the group. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-5-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit c7af48ff8cc2c594938629f7dc914b459acda55f Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:48 2022 +0800 pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() [ Upstream commit 19bce7ce0a593c7024030a0cda9e23facea3c93d ] For mtk_pinconf_get(), the "argument" argument is typically returned by pinconf_to_config_argument(), which holds the value for a given pinconf parameter. It certainly should not have the type of "enum pin_config_param", which describes the type of the pinconf parameter itself. Change the type to u32, which matches the return type of pinconf_to_config_argument(). Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-4-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 1084b6c9ac81e57f9e19734bd100ce49cc0bb7ae Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:47 2022 +0800 pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback [ Upstream commit 3e8c6bc608480010f360c4a59578d7841726137d ] When reading back pin bias settings, if the pin is not in the corresponding bias state, the function should return -EINVAL. Fix this in the mediatek-paris pinctrl library so that the read back state is not littered with bogus a "input bias disabled" combined with "pull up" or "pull down" states. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-3-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 8bf205b67ddaab0181da543c2f9548aa6aa197f9 Author: Miaoqian Lin Date: Tue Mar 8 07:11:54 2022 +0000 pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init [ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.") Signed-off-by: Miaoqian Lin Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 898851b2a0473f6eafba6e6795f74e01d70dcc2e Author: Michael Walle Date: Wed Feb 16 13:27:27 2022 +0100 pinctrl: ocelot: fix duplicate debugfs entry [ Upstream commit 359afd90fef3ec9285432f50720c813987df4a89 ] This driver can have up to two regmaps. If the second one is registered its debugfs entry will have the same name as the first one and the following error will be printed: [ 2.242568] debugfs: Directory 'e2004064.pinctrl' with parent 'regmap' already present! Give the second regmap a name to avoid this. Fixes: 076d9e71bcf8 ("pinctrl: ocelot: convert pinctrl to regmap") Signed-off-by: Michael Walle Reviewed-by: Colin Foster Link: https://lore.kernel.org/r/20220216122727.1005041-1-michael@walle.cc Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit fa4e3ee5765138cfa69e2b5a743a3e9dd54e57a6 Author: Michael Walle Date: Wed Feb 16 09:20:20 2022 +0100 pinctrl: ocelot: fix confops resource index [ Upstream commit 94ef32970d4076b3179b801c251bf99446b62da5 ] Prior to commit ad96111e658a ("pinctrl: ocelot: combine get resource and ioremap into single call") the resource index was 1, now it is 0. But 0 is the base region for the pinctrl block. Fix it. I noticed this because there was an error that the memory region was ioremapped twice. Fixes: ad96111e658a ("pinctrl: ocelot: combine get resource and ioremap into single call") Signed-off-by: Michael Walle Reviewed-by: Colin Foster Link: https://lore.kernel.org/r/20220216082020.981797-1-michael@walle.cc Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 70c8f6186149b52273c35b6968499d0976998787 Author: Arınç ÜNAL Date: Fri Mar 11 12:03:20 2022 +0300 staging: mt7621-dts: fix GB-PC2 devicetree [ Upstream commit 5bc148649cf358d0cccf525452a4efbd4bc89a0f ] Fix the GB-PC2 devicetree. Refer to the schematics of the device for more information. GB-PC2 devicetree fixes: - Include mt7621.dtsi instead of gbpc1.dts. Add the missing definitions. - Remove gpio-leds node as the system LED is not wired to anywhere on the board and the power LED is directly wired to GND. - Remove uart3 pin group from gpio-pinmux node as it's not used as GPIO. - Use reg 7 for the external phy to be on par with Documentation/devicetree/bindings/net/dsa/mt7530.txt. - Use the status value "okay". Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC2_V1.1_schematic.pdf Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d0e2fd350c45c79a3db7dbae6ad93d566384e857 Author: Arınç ÜNAL Date: Tue Jan 25 18:39:03 2022 +0300 staging: mt7621-dts: fix pinctrl properties for ethernet [ Upstream commit 0a93c0d75809582893e82039143591b9265b520e ] Add pinctrl properties with rgmii1 & mdio pins under ethernet node which was wrongfully put under an external phy node. GMAC1 will start working with this fix. Link: https://lore.kernel.org/netdev/02ecce91-7aad-4392-c9d7-f45ca1b31e0b@arinc9.com/T/ Move GB-PC2 specific phy_external node to its own device tree. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-5-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9c21aa48ad4b617870b3058d899a4bacc7658cdf Author: Arınç ÜNAL Date: Tue Jan 25 18:39:00 2022 +0300 staging: mt7621-dts: fix formatting [ Upstream commit 7eeec44d33f6be7caca4fe9ca4e653cf315a36c1 ] Fix formatting on mt7621.dtsi. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c72db3ac4151eec55b185a93872375e2717700e0 Author: Arınç ÜNAL Date: Fri Mar 11 12:03:19 2022 +0300 staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree [ Upstream commit 6256e18686158fa49e019297f990f1c1817aabf1 ] Fix LED and pinctrl definitions on the GB-PC1 devicetree. Refer to the schematics of the device for more information. LED fixes: - Change GPIO6 LED label from system to power as GPIO6 is connected to PLED. - Add default-on default-trigger to power LED. - Change GPIO8 LED label from status to system as GPIO8 is connected to SYS_LED. - Add disk-activity default-trigger to system LED. - Switch to the color:function naming scheme. - Remove lan1 and lan2 LEDs as they don't exist. Pinctrl fixes: - Claim state_default node under pinctrl node. - Change pinctrl0 node name to state-default. - Change gpio node name to gpio-pinmux to respect Documentation/devicetree/bindings/pinctrl/ralink,rt2880-pinmux.yaml. - Sort pin groups alphabetically. Misc fixes: - Fix formatting. - Use the status value "okay". - Define hexadecimal addresses in lower case. - Make hexadecimal addresses for memory easier to read. Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC1_V1.0_Schematic.pdf Tested-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit dafe0551e2c5c7e8ee4d3a06bdb599bc2aff2087 Author: Alexey Khoroshilov Date: Tue Feb 15 13:17:04 2022 +0300 NFS: remove unneeded check in decode_devicenotify_args() [ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ] [You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.] Overflow check in not needed anymore after we switch to kmalloc_array(). Signed-off-by: Alexey Khoroshilov Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 064b229d2ad5a1ea4d5d696b40cf691cf84e3355 Author: Robin Gong Date: Mon Feb 7 09:52:07 2022 +0800 mailbox: imx: fix crash in resume on i.mx8ulp [ Upstream commit 8219efd08a0aa1d7944bdb66d84ba57549258968 ] check 'priv->clk' before 'imx_mu_read()' otherwise crash happens on i.mx8ulp, since clock not enabled. Fixes: 4f0b776ef5831 ("mailbox: imx-mailbox: support i.MX8ULP MU") Reviewed-by: Jacky Bai Signed-off-by: Robin Gong Signed-off-by: Peng Fan Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit abb7fa6f73821d7893f26791d2305d754cf76340 Author: Miaoqian Lin Date: Wed Jan 12 10:45:01 2022 +0000 clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver [ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") Signed-off-by: Miaoqian Lin Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 23f89fe005b105f0dcc55034c13eb89f9b570fac Author: Maxime Ripard Date: Fri Feb 25 15:35:23 2022 +0100 clk: Fix clk_hw_get_clk() when dev is NULL [ Upstream commit 0c1b56df451716ba207bbf59f303473643eee4fd ] Any registered clk_core structure can have a NULL pointer in its dev field. While never actually documented, this is evidenced by the wide usage of clk_register and clk_hw_register with a NULL device pointer, and the fact that the core of_clk_hw_register() function also passes a NULL device pointer. A call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that case will result in a NULL pointer derefence when it calls dev_name() on that NULL device pointer. Add a test for this case and use NULL as the dev_id if the device pointer is NULL. Fixes: 30d6f8c15d2c ("clk: add api to get clk consumer from clk_hw") Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220225143534.405820-2-maxime@cerno.tech Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit d97a7e35c229da59fea3d32753310a24fcb0ff3c Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:20 2022 +0100 clk: clps711x: Terminate clk_div_table with sentinel element [ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: 631c53478973d ("clk: Add CLPS711X clk driver") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 9f25367743121f2e9459983367be9bf22a35513c Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:19 2022 +0100 clk: hisilicon: Terminate clk_div_table with sentinel element [ Upstream commit 113b261bdf2b4fd34e7769a147a7acd0a4d9137f ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: 6c81966107dc0 ("clk: hisilicon: Add clock driver for hi3559A SoC") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20220218000922.134857-4-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit a14b7dd62ad6e8eb8896a8a712b3a763e765bd34 Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:18 2022 +0100 clk: loongson1: Terminate clk_div_table with sentinel element [ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Philippe Mathieu-Daudé Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit f6110808202cf94853c450440af5df537d456b6d Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:17 2022 +0100 clk: actions: Terminate clk_div_table with sentinel element [ Upstream commit d8a441e53e2434b1401e52dfd66b05263e442edc ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). In owl-s900.s, the { 0, 8 } element was probably meant to be just that, so this patch changes { 0, 8 } to { 0, 0 }. Fixes: d47317ca4ade1 ("clk: actions: Add S700 SoC clock support") Fixes: d85d20053e195 ("clk: actions: Add S900 SoC clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20220218000922.134857-2-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 865ff3e613f2ca49602c00f40fd99580e2dd39c6 Author: Dan Williams Date: Wed Mar 9 19:49:21 2022 -0800 nvdimm/region: Fix default alignment for small regions [ Upstream commit d9d290d7e659e9db3e4518040cc18b97f5535f4a ] In preparation for removing BLK aperture support the NVDIMM unit tests discovered that the default alignment can be set higher than the capacity of the region. Fall back to PAGE_SIZE in that case. Given this has not been seen in the wild, elide notifying -stable. Fixes: 2522afb86a8c ("libnvdimm/region: Introduce an 'align' attribute") Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/164688416128.2879318.17890707310125575258.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b9df3007b3cda4936cc50f5a7d2d30505a652828 Author: Miaoqian Lin Date: Tue Mar 8 06:45:21 2022 +0000 remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region [ Upstream commit 07a5dcc4bed9d7cae54adf5aa10ff9f037a3204b ] The device_node pointer is returned by of_parse_phandle() or of_get_child_by_name() with refcount incremented. We should use of_node_put() on it when done. This function only call of_node_put(node) when of_address_to_resource succeeds, missing error cases. Fixes: 278d744c46fd ("remoteproc: qcom: Fix potential device node leaks") Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308064522.13804-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 81655886d336f860c8a63b91ccca3bc7fbd9b682 Author: Miaoqian Lin Date: Tue Mar 8 06:31:02 2022 +0000 remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region [ Upstream commit 8f90161a66bc3d6b9fe8dde4d9028d20eae1b62a ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308063102.10049-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 251a8bdd7316ed7a5a8d038fea92a5172e6f3c93 Author: Miaoqian Lin Date: Tue Mar 8 03:12:19 2022 +0000 remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region [ Upstream commit 505b5b1616e200042999de715dbe7c1e2735cd65 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: dc160e449122 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308031219.4718-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 915a9cf822e3997587acf5fb91ebb077060b2560 Author: Jie Hai Date: Wed Feb 16 15:21:01 2022 +0800 dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma [ Upstream commit b95044b38425f563404234d96bbb20cc6360c7e1 ] Remove the loaded hisi_dma driver and reload it, the driver fails to work properly. The following error is reported in the kernel log: [ 1475.597609] hisi_dma 0000:7b:00.0: Failed to allocate MSI vectors! [ 1475.604915] hisi_dma: probe of 0000:7b:00.0 failed with error -28 As noted in "The MSI Driver Guide HOWTO"[1], the number of MSI interrupt must be a power of two. The Kunpeng DMA driver allocates 30 MSI interrupts. As a result, no space left on device is reported when the driver is reloaded and allocates interrupt vectors from the interrupt domain. This patch changes the number of interrupt vectors allocated by hisi_dma driver to 32 to avoid this problem. [1] https://www.kernel.org/doc/html/latest/PCI/msi-howto.html Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") Signed-off-by: Jie Hai Acked-by: Zhou Wang Link: https://lore.kernel.org/r/20220216072101.34473-1-haijie1@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f6ea015f961d86091e7e2090b8539357322b3021 Author: Emil Renner Berthing Date: Wed Jan 26 18:39:48 2022 +0100 clk: starfive: jh7100: Handle audio_div clock properly [ Upstream commit 73bfc8d745a98744088cb30517399222674455b1 ] It turns out the audio_div clock is a fractional divider where the lowest byte of the ctrl register is the integer part of the divider and the 2nd byte is the number of 100th added to the divider. The children of this clock is used by the audio peripherals for their sample rate clock, so round to the closest possible rate rather than always rounding down like regular dividers. Fixes: 4210be668a09 ("clk: starfive: Add JH7100 clock generator driver") Signed-off-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20220126173953.1016706-3-kernel@esmil.dk Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit fb1fb83dcefc759962a069c4bf5a32dc2b60692c Author: Emil Renner Berthing Date: Wed Jan 26 18:39:47 2022 +0100 clk: starfive: jh7100: Don't round divisor up twice [ Upstream commit 40dda3532f903107a063cd6ec1f15e10dd0eccc5 ] The problem is best illustrated by an example. Suppose a consumer wants a 4MHz clock rate from a divider with a 10MHz parent. It would then call clk_round_rate(clk, 4000000) which would call into our determine_rate() callback that correctly rounds up and finds that a divisor of 3 gives the highest possible frequency below the requested 4MHz and returns 10000000 / 3 = 3333333Hz. However the consumer would then call clk_set_rate(clk, 3333333) but since 3333333 doesn't divide 10000000 evenly our set_rate() callback would again round the divisor up and set it to 4 which results in an unnecessarily low rate of 2.5MHz. Fix it by using DIV_ROUND_CLOSEST in the set_rate() callback. Fixes: 4210be668a09 ("clk: starfive: Add JH7100 clock generator driver") Signed-off-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20220126173953.1016706-2-kernel@esmil.dk Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit f1b7467b1eef60cab6b11b0c6df7d04485c65982 Author: Taniya Das Date: Sun Feb 27 23:25:36 2022 +0530 clk: qcom: clk-rcg2: Update the frac table for pixel clock [ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ] Support the new numerator and denominator for pixel clock on SM8350 and support rgb101010, RGB888 use cases on SM8450. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org Signed-off-by: Sasha Levin commit a4e2e31971354790b0d1fa3e783452a9d135fcff Author: Taniya Das Date: Sun Feb 27 23:25:35 2022 +0530 clk: qcom: clk-rcg2: Update logic to calculate D value for RCG [ Upstream commit 58922910add18583d5273c2edcdb9fd7bf4eca02 ] The display pixel clock has a requirement on certain newer platforms to support M/N as (2/3) and the final D value calculated results in underflow errors. As the current implementation does not check for D value is within the accepted range for a given M & N value. Update the logic to calculate the final D value based on the range. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-1-tdas@codeaurora.org Signed-off-by: Sasha Levin commit 557e1d87d7939dec299692d0b7eaccf25c1de98d Author: Codrin Ciubotariu Date: Fri Mar 4 20:26:16 2022 +0200 clk: at91: sama7g5: fix parents of PDMCs' GCLK [ Upstream commit 1a944729d8635fa59638f24e8727d5ccaa0c8c19 ] Audio PLL can be used as parent by the GCLKs of PDMCs. Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5") Signed-off-by: Codrin Ciubotariu Reviewed-by: Claudiu Beznea Signed-off-by: Nicolas Ferre Link: https://lore.kernel.org/r/20220304182616.1920392-1-codrin.ciubotariu@microchip.com Signed-off-by: Sasha Levin commit 80edfcb95a3a9a1f5f01d20a1928d6e234fb6b67 Author: Dan Carpenter Date: Mon Feb 28 10:50:14 2022 +0300 clk: imx: off by one in imx_lpcg_parse_clks_from_dt() [ Upstream commit 135efc3a76d127691afaf1864e4ab627bf09d53d ] The > needs to be >= to prevent an off by one access. Fixes: d5f1e6a2bb61 ("clk: imx: imx8qxp-lpcg: add parsing clocks from device tree") Reported-by: kernel test robot Signed-off-by: Dan Carpenter Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220228075014.GD13685@kili Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit ecd599d6d0266f7fd797100d27f9a8c66a43b70a Author: Abel Vesa Date: Thu Jan 27 16:10:52 2022 +0200 clk: imx7d: Remove audio_mclk_root_clk [ Upstream commit eccac77ede3946c90143447cdc785dc16aec4b24 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. The CCGR121 belongs to ECSPI2 and it is not shared. Fixes: 8f6d8094b215b57 ("ARM: imx: add imx7d clk tree support") Reported-by: David Wolfe Signed-off-by: Abel Vesa Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/20220127141052.1900174-2-abel.vesa@nxp.com Signed-off-by: Sasha Levin commit fcc8d685e1157e9a79136ff00e22ae771ded6458 Author: Randy Dunlap Date: Mon Feb 28 14:04:53 2022 -0800 dma-debug: fix return value of __setup handlers [ Upstream commit 80e4390981618e290616dbd06ea190d4576f219d ] When valid kernel command line parameters dma_debug=off dma_debug_entries=100 are used, they are reported as Unknown parameters and added to init's environment strings, polluting it. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100", will be passed to user space. and Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100 Return 1 from these __setup handlers to indicate that the command line option has been handled. Fixes: 59d3daafa1726 ("dma-debug: add kernel command line parameters") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Joerg Roedel Cc: Christoph Hellwig Cc: Marek Szyprowski Cc: iommu@lists.linux-foundation.org Cc: Robin Murphy Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 08daef36c5c8796a7564c83a23291b30aec4b357 Author: Martin Kaiser Date: Sat Feb 26 19:14:53 2022 +0100 staging: r8188eu: fix endless loop in recv_func [ Upstream commit 1327fcf175fa63d3b7a058b8148ed7714acdc035 ] Fix an endless loop in recv_func. If pending_frame is not NULL, we're stuck in the while loop forever. We have to call rtw_alloc_recvframe each time we loop. Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") Reported-by: Pavel Skripkin Signed-off-by: Martin Kaiser Link: https://lore.kernel.org/r/20220226181457.1138035-4-martin@kaiser.cx Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9a706a01dfd7810f47f4260642a04d07ccbdce08 Author: Trond Myklebust Date: Thu Feb 24 10:59:37 2022 -0500 NFS: Return valid errors from nfs2/3_decode_dirent() [ Upstream commit 64cfca85bacde54caa64e0ab855c48734894fa37 ] Valid return values for decode_dirent() callback functions are: 0: Success -EBADCOOKIE: End of directory -EAGAIN: End of xdr_stream All errors need to map into one of those three values. Fixes: 573c4e1ef53a ("NFS: Simplify ->decode_dirent() calling sequence") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit acb04f2699a4d49e2530cd3818a081e4ad958571 Author: Jiasheng Jiang Date: Thu Feb 24 14:58:05 2022 +0800 habanalabs: Add check for pci_enable_device [ Upstream commit 9c27896ac1bb83ea5c461ce6f7089d02102a2b21 ] As the potential failure of the pci_enable_device(), it should be better to check the return value and return error if fails. Fixes: 70b2f993ea4a ("habanalabs: create common folder") Signed-off-by: Jiasheng Jiang Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 757e75cac9d072a1500486214c2cdd76b65d0934 Author: Jiasheng Jiang Date: Thu Feb 24 14:28:49 2022 +0800 iio: adc: Add check for devm_request_threaded_irq [ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value and return error if fails. Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 98e5d6053ed1efb45cbf1c72fb51f04e1b0c57f0 Author: Uwe Kleine-König Date: Tue Feb 15 17:02:36 2022 +0100 serial: 8250: Fix race condition in RTS-after-send handling [ Upstream commit dedab69fd650ea74710b2e626e63fd35584ef773 ] Set em485->active_timer = NULL isn't always enough to take out the stop timer. While there is a check that it acts in the right state (i.e. waiting for RTS-after-send to pass after sending some chars) but the following might happen: - CPU1: some chars send, shifter becomes empty, stop tx timer armed - CPU0: more chars send before RTS-after-send expired - CPU0: shifter empty irq, port lock taken - CPU1: tx timer triggers, waits for port lock - CPU0: em485->active_timer = &em485->stop_tx_timer, hrtimer_start(), releases lock() - CPU1: get lock, see em485->active_timer == &em485->stop_tx_timer, tear down RTS too early This fix bases on research done by Steffen Trumtrar. Fixes: b86f86e8e7c5 ("serial: 8250: fix potential deadlock in rs485-mode") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220215160236.344236-1-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 08cbcba92c671f7ed57de62d0acadf8267ccc712 Author: Trond Myklebust Date: Tue Feb 15 15:58:38 2022 -0500 NFS: Use of mapping_set_error() results in spurious errors [ Upstream commit 6c984083ec2453dfd3fcf98f392f34500c73e3f2 ] The use of mapping_set_error() in conjunction with calls to filemap_check_errors() is problematic because every error gets reported as either an EIO or an ENOSPC by filemap_check_errors() in functions such as filemap_write_and_wait() or filemap_write_and_wait_range(). In almost all cases, we prefer to use the more nuanced wb errors. Fixes: b8946d7bfb94 ("NFS: Revalidate the file mapping on all fatal writeback errors") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit afff243cea66255d906755a3796cb30379139427 Author: Andy Shevchenko Date: Wed Feb 23 17:12:40 2022 +0200 serial: 8250_lpss: Balance reference count for PCI DMA device [ Upstream commit 5318f70da7e82649d794fc27d8a127c22aa3566e ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 9a1870ce812e ("serial: 8250: don't use slave_id of dma_slave_config") Depends-on: a13e19cf3dc1 ("serial: 8250_lpss: split LPSS driver to separate module") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220223151240.70248-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2bab56fab147276dd2d4a625f9aaf9595e066814 Author: Andy Shevchenko Date: Tue Feb 15 12:09:20 2022 +0200 serial: 8250_mid: Balance reference count for PCI DMA device [ Upstream commit 67ec6dd0b257bd81b4e9fcac89b29da72f6265e5 ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 90b9aacf912a ("serial: 8250_pci: add Intel Tangier support") Fixes: f549e94effa1 ("serial: 8250_pci: add Intel Penwell ports") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Depends-on: d9eda9bab237 ("serial: 8250_pci: Intel MID UART support to its own driver") Link: https://lore.kernel.org/r/20220215100920.41984-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 12e4a9251a0c7c3524b00523b787e723f736edf0 Author: Rafał Miłecki Date: Fri Feb 18 18:24:59 2022 +0100 phy: phy-brcm-usb: fixup BCM4908 support [ Upstream commit 32942d33d63d27714ed16a4176e5a99547adb6e0 ] Just like every other family BCM4908 should get its own enum value. That is required to properly handle it in chipset conditional code. The real change is excluding BCM4908 from the PLL reprogramming code (see brcmusb_usb3_pll_54mhz()). I'm not sure what's the BCM4908 reference clock frequency but: 1. BCM4908 custom driver from Broadcom's SDK doesn't reprogram PLL 2. Doing that in Linux driver stopped PHY handling some USB 3.0 devices This change makes USB 3.0 PHY recognize e.g.: 1. 04e8:6860 - Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode) 2. 1058:259f - Western Digital My Passport 259F Broadcom's STB SoCs come with a set of SUN_TOP_CTRL_* registers that allow reading chip family and product ids. Such a block & register is missing on BCM4908 so this commit introduces "compatible" string specific binding. Fixes: 4b402fa8e0b7 ("phy: phy-brcm-usb: support PHY on the BCM4908") Signed-off-by: Rafał Miłecki Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20220218172459.10431-1-zajec5@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 1dd1b4cd6fa7f52be9451c60c167cde0bb1c1c48 Author: Liu Ying Date: Wed Feb 16 15:12:57 2022 +0800 phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure}) [ Upstream commit 3153fa38e38af566cf6454a03b1dbadaf6f323c0 ] According to the comment of the function phy_mipi_dphy_get_default_config(), it uses minimum D-PHY timings based on MIPI D-PHY specification. They are derived from the valid ranges specified in Section 6.9, Table 14, Page 41 of the D-PHY specification (v1.2). The table 14 explicitly mentions that the minimum T-LPX parameter is 50 nanoseconds and the minimum TA-SURE parameter is T-LPX nanoseconds. Likewise, the kernel doc of the 'lpx' and 'ta_sure' members of struct phy_configure_opts_mipi_dphy mentions that the minimum values are 50000 picoseconds and @lpx picoseconds respectively. Also, the function phy_mipi_dphy_config_validate() checks if cfg->lpx is less than 50000 picoseconds and if cfg->ta_sure is less than cfg->lpx, which hints the same minimum values. Without this patch, the function phy_mipi_dphy_get_default_config() wrongly sets cfg->lpx to 60000 picoseconds and cfg->ta_sure to 2 * cfg->lpx. So, let's correct them to 50000 picoseconds and cfg->lpx respectively. Note that I've only tested the patch with RM67191 DSI panel on i.MX8mq EVK. Help is needed to test with other i.MX8mq, Meson and Rockchip platforms, as I don't have the hardwares. Fixes: dddc97e82303 ("phy: dphy: Add configuration helpers") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Laurent Pinchart Cc: Kishon Vijay Abraham I Cc: Vinod Koul Cc: Heiko Stuebner Cc: Maxime Ripard Cc: Guido Günther Signed-off-by: Liu Ying Link: https://lore.kernel.org/r/20220216071257.1647703-1-victor.liu@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit ad1ba190bf62695b31d8b9ee472d8e59882fb1bd Author: Dirk Buchwalder Date: Thu Feb 10 18:31:00 2022 +0100 clk: qcom: ipq8074: Use floor ops for SDCC1 clock [ Upstream commit b77d8306d84f83d1da68028a68c91da9c867b6f6 ] Use floor ops on SDCC1 APPS clock in order to round down selected clock frequency and avoid overclocking SD/eMMC cards. For example, currently HS200 cards were failling tuning as they were actually being clocked at 384MHz instead of 192MHz. This caused some boards to disable 1.8V I/O and force the eMMC into the standard HS mode (50MHz) and that appeared to work despite the eMMC being overclocked to 96Mhz in that case. There was a previous commit to use floor ops on SDCC clocks, but it looks to have only covered SDCC2 clock. Fixes: 9607f6224b39 ("clk: qcom: ipq8074: add PCIE, USB and SDCC clocks") Signed-off-by: Dirk Buchwalder Signed-off-by: Robert Marko Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220210173100.505128-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit 0d986ccb8c4fcca00232767c7143e8a920eb3efb Author: Geert Uytterhoeven Date: Mon Feb 21 17:21:58 2022 +0100 pinctrl: renesas: checker: Fix miscalculation of number of states [ Upstream commit de9b861018d46af27a5edff8b6baef35c0c0ad4f ] The checker failed to validate all enum IDs in the description of a register with fixed-width register fields, due to a miscalculation of the number of described states: each register field of n bits can have "1 << n" possible states, not "1". Increase SH_PFC_MAX_ENUMS accordingly, now more enum IDs are checked (SH-Mobile AG5 has more than 4000 enum IDs defined). Fixes: 12d057bad683b1c6 ("pinctrl: sh-pfc: checker: Add check for enum ID conflicts") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/6d8a6a05564f38f9d20464c1c17f96e52740cf6a.1645460429.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 339a2739cb7e643bd3afe5f821b5c56bdfa02449 Author: Geert Uytterhoeven Date: Thu Dec 23 15:41:11 2021 +0100 pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel [ Upstream commit 9e04a0eda84fccab0ac22a33825ad53f47c968c7 ] The second video-in channel on RZ/G1C has only 12 data lanes, but the pin control driver uses the vin_data union, which is meant for 24 data lanes, thus wasting space. Fix this by using the vin_data12 union instead. This reduces kernel size by 96 bytes. Fixes: 50f3f2d73e3426ba ("pinctrl: sh-pfc: Reduce kernel size for narrow VIN channels") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/52716fa89139f6f92592633edb52804d4c5e18f0.1640269757.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit e224396bf211abfd86d81376b2f0942fbc480694 Author: Geert Uytterhoeven Date: Fri Jan 7 15:34:36 2022 +0100 clk: renesas: r8a779f0: Fix RSW2 clock divider [ Upstream commit 691419f90f7fb8a6f247b477cb539644e11431da ] According to Section 8.1.2 Figure 8.1.1 ("Block Diagram of CPG"), Note 22 ("RSW2 divider"), and Table 8.1.4d ("Lists of CPG clocks generated from CPGMA1"), the RSwitch2 and PCI Express clock is generated from PLL5 by dividing by two, followed by the RSW2 divider. As PLL5 runs at 3200 MHz, and RSW2 is fixed to 320 MHz, the RSW2 divider must be 5. Correct the parent and the fixed divider. Fixes: 24aaff6a6ce4c4de ("clk: renesas: cpg-mssr: Add support for R-Car S4-8") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/d6a406f31e6f02f892e0253f4e8a9a2f68fd652e.1641566003.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit d71b1f117dc13eb3354d446905ec74ee298e1ae3 Author: Jonathan Cameron Date: Sun Feb 6 19:03:09 2022 +0000 staging:iio:adc:ad7280a: Fix handing of device address bit reversing. [ Upstream commit f281e4ddbbc0b60f061bc18a2834e9363ba85f9f ] The bit reversal was wrong for bits 1 and 3 of the 5 bits. Result is driver failure to probe if you have more than 2 daisy-chained devices. Discovered via QEMU based device emulation. Fixes tag is for when this moved from a macro to a function, but it was broken before that. Signed-off-by: Jonathan Cameron Fixes: 065a7c0b1fec ("Staging: iio: adc: ad7280a.c: Fixed Macro argument reuse") Reviewed-by: Marcelo Schmitt Link: https://lore.kernel.org/r/20220206190328.333093-2-jic23@kernel.org Signed-off-by: Sasha Levin commit c309985a999277f1487554a7e9bd15451f7d63f2 Author: Zev Weiss Date: Thu Feb 10 16:42:03 2022 -0800 serial: 8250_aspeed_vuart: add PORT_ASPEED_VUART port type [ Upstream commit a603ca60cebff8589882427a67f870ed946b3fc8 ] Commit 54da3e381c2b ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping") fixed a bug that had, as a side-effect, prevented the 8250_aspeed_vuart driver from enabling the VUART's FIFOs. However, fixing that (and hence enabling the FIFOs) has in turn revealed what appears to be a hardware bug in the ASPEED VUART in which the host-side THRE bit doesn't get if the BMC-side receive FIFO trigger level is set to anything but one byte. This causes problems for polled-mode writes from the host -- for example, Linux kernel console writes proceed at a glacial pace (less than 100 bytes per second) because the write path waits for a 10ms timeout to expire after every character instead of being able to continue on to the next character upon seeing THRE asserted. (GRUB behaves similarly.) As a workaround, introduce a new port type for the ASPEED VUART that's identical to PORT_16550A as it had previously been using, but with UART_FCR_R_TRIG_00 instead to set the receive FIFO trigger level to one byte, which (experimentally) seems to avoid the problematic THRE behavior. Fixes: 54da3e381c2b ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping") Tested-by: Konstantin Aladyshev Reviewed-by: Andy Shevchenko Signed-off-by: Zev Weiss Link: https://lore.kernel.org/r/20220211004203.14915-1-zev@bewilderbeest.net Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e950cd7a7ed57a653b31287e34d11c7806c57677 Author: Hangyu Hua Date: Mon Feb 21 16:55:52 2022 +0800 staging: qlge: add unregister_netdev in qlge_probe [ Upstream commit 4fcc0c275e3f59cd68f977c57953783f8014ed15 ] unregister_netdev need to be called when register_netdev succeeds qlge_health_create_reporters fails. Fixes: d8827ae8e22b ("staging: qlge: deal with the case that devlink_health_reporter_create fails") Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20220221085552.93561-1-hbh25y@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0646c782086f2a6081186a9898d40ea8886b8ade Author: Hans de Goede Date: Tue Feb 8 13:43:35 2022 +0100 iio: mma8452: Fix probe failing when an i2c_device_id is used [ Upstream commit a47ac019e7e8129b93a0b991e04b2a59872e053d ] The mma8452_driver declares both of_match_table and i2c_driver.id_table match-tables, but its probe() function only checked for of matches. Add support for i2c_device_id matches. This fixes the driver not loading on some x86 tablets (e.g. the Nextbook Ares 8) where the i2c_client is instantiated by platform code using an i2c_device_id. Drop of_match_ptr() protection to avoid unused warning. Fixes: c3cdd6e48e35 ("iio: mma8452: refactor for seperating chip specific data") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220208124336.511884-1-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 22105272874ac1cf9c49daa6d16c359deeb15292 Author: Dave Jiang Date: Mon Jan 24 09:20:33 2022 -0700 dmaengine: idxd: restore traffic class defaults after wq reset [ Upstream commit ea7c8f598c323f6ebaf9ddae01fb2a981fe8c56a ] When clearing the group configurations, the driver fails to restore the default setting for DSA 1.x based devices. Add defaults in idxd_groups_clear_state() for traffic class configuration. Fixes: ade8a86b512c ("dmaengine: idxd: Set defaults for GRPCFG traffic class") Reported-by: Binuraj Ravindran Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/164304123369.824298.6952463420266592087.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 5a5576ad405c3c89fc9afb245c4dcc3e412b0aa9 Author: Robert Marko Date: Mon Dec 20 12:41:19 2021 +0100 clk: qcom: ipq8074: fix PCI-E clock oops [ Upstream commit bf8f5182b8f59309809b41c1d1730ed9ca6134b1 ] Fix PCI-E clock related kernel oops that are caused by a missing clock parent. pcie0_rchng_clk_src has num_parents set to 2 but only one parent is actually set via parent_hws, it should also have "XO" defined. This will cause the kernel to panic on a NULL pointer in clk_core_get_parent_by_index(). So, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent data. Since there is already an existing static const char * const gcc_xo_gpll0[] used to provide the same parents via parent_names convert those users to clk_parent_data as well. Without this earlycon is needed to even catch the OOPS as it will reset the board before serial is initialized with the following: [ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000 [ 0.232322] Mem abort info: [ 0.239094] ESR = 0x96000004 [ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.244908] SET = 0, FnV = 0 [ 0.250377] EA = 0, S1PTW = 0 [ 0.253236] FSC = 0x04: level 0 translation fault [ 0.256277] Data abort info: [ 0.261141] ISV = 0, ISS = 0x00000004 [ 0.264262] CM = 0, WnR = 0 [ 0.267820] [0000a00000000000] address between user and kernel address ranges [ 0.270954] Internal error: Oops: 96000004 [#1] SMP [ 0.278067] Modules linked in: [ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0 [ 0.285882] Hardware name: Xiaomi AX3600 (DT) [ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec [ 0.303067] lr : __clk_register+0x1d8/0x820 [ 0.308273] sp : ffffffc01111b7d0 [ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040 [ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800 [ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828 [ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020 [ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a [ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006 [ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000 [ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06 [ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001 [ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700 [ 0.379982] Call trace: [ 0.387091] clk_core_get_parent_by_index+0x68/0xec [ 0.389351] __clk_register+0x1d8/0x820 [ 0.394210] devm_clk_hw_register+0x5c/0xe0 [ 0.398030] devm_clk_register_regmap+0x44/0x8c [ 0.402198] qcom_cc_really_probe+0x17c/0x1d0 [ 0.406711] qcom_cc_probe+0x34/0x44 [ 0.411224] gcc_ipq8074_probe+0x18/0x30 [ 0.414869] platform_probe+0x68/0xe0 [ 0.418776] really_probe.part.0+0x9c/0x30c [ 0.422336] __driver_probe_device+0x98/0x144 [ 0.426329] driver_probe_device+0x44/0x11c [ 0.430842] __device_attach_driver+0xb4/0x120 [ 0.434836] bus_for_each_drv+0x68/0xb0 [ 0.439349] __device_attach+0xb0/0x170 [ 0.443081] device_initial_probe+0x14/0x20 [ 0.446901] bus_probe_device+0x9c/0xa4 [ 0.451067] device_add+0x35c/0x834 [ 0.454886] of_device_add+0x54/0x64 [ 0.458360] of_platform_device_create_pdata+0xc0/0x100 [ 0.462181] of_platform_bus_create+0x114/0x370 [ 0.467128] of_platform_bus_create+0x15c/0x370 [ 0.471641] of_platform_populate+0x50/0xcc [ 0.476155] of_platform_default_populate_init+0xa8/0xc8 [ 0.480324] do_one_initcall+0x50/0x1b0 [ 0.485877] kernel_init_freeable+0x234/0x29c [ 0.489436] kernel_init+0x24/0x120 [ 0.493948] ret_from_fork+0x10/0x20 [ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042) [ 0.501079] ---[ end trace 4ca7e1129da2abce ]--- Fixes: f0cfcf1a ("clk: qcom: ipq8074: Add missing clocks for pcie") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220114119.465247-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit 8fba07053f1ef7921cbc7d82c90b56ce0996e479 Author: Libin Yang Date: Wed Jan 26 09:14:51 2022 +0800 soundwire: intel: fix wrong register name in intel_shim_wake [ Upstream commit 3957db3ae3dae6f8b8168791f154567fe49e1fd7 ] When clearing the sdw wakests status, we should use SDW_SHIM_WAKESTS. Fixes: 4a17c441c7cb ("soundwire: intel: revisit SHIM programming sequences.") Signed-off-by: Libin Yang Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20220126011451.27853-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 50b65f410814a2891505ed9bdfff3486abdc8d0b Author: Luca Weiss Date: Sun Jan 30 12:45:35 2022 +0100 cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse [ Upstream commit 4a8a77abf0e2b6468ba0281e33384cbec5fb476a ] The fuse consists of 64 bits, with this statement we're supposed to get the upper 32 bits but it actually read out of bounds and got 0 instead of the desired value which lead to the "PVS bin not set." codepath being run resetting our pvs value. Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs") Signed-off-by: Luca Weiss Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 8a0fc15fe530cb9ba86deed1526459c7043de688 Author: Christophe JAILLET Date: Sun Feb 6 09:39:54 2022 +0100 misc: alcor_pci: Fix an error handling path [ Upstream commit 5b3dc949f554379edcb8ef6111aa5ecb78feb798 ] A successful ida_simple_get() should be balanced by a corresponding ida_simple_remove(). Add the missing call in the error handling path of the probe. While at it, switch to ida_alloc()/ida_free() instead to ida_simple_get()/ida_simple_remove(). The latter is deprecated and more verbose. Fixes: 4f556bc04e3c ("misc: cardreader: add new Alcor Micro Cardreader PCI driver") Reviewed-by: Oleksij Rempel Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/918a9875b7f67b7f8f123c4446452603422e8c5e.1644136776.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a789c12fe4da2083f6ff8e5cd50b62c21b458d60 Author: Christophe JAILLET Date: Sun Jan 9 22:56:10 2022 +0100 fsi: Aspeed: Fix a potential double free [ Upstream commit 83ba7e895debc529803a7a258653f2fe9bf3bf40 ] A struct device can never be devm_alloc()'ed. Here, it is embedded in "struct fsi_master", and "struct fsi_master" is embedded in "struct fsi_master_aspeed". Since "struct device" is embedded, the data structure embedding it must be released with the release function, as is already done here. So use kzalloc() instead of devm_kzalloc() when allocating "aspeed" and update all error handling branches accordingly. This prevent a potential double free(). This also fix another issue if opb_readl() fails. Instead of a direct return, it now jumps in the error handling path. Fixes: 606397d67f41 ("fsi: Add ast2600 master driver") Suggested-by: Greg KH Suggested-by: Guenter Roeck Reviewed-by: Guenter Roeck Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/2c123f8b0a40dc1a061fae982169fe030b4f47e6.1641765339.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9f09e78db583f478a7683f03c6e87d7564bb14d1 Author: Robert Hancock Date: Wed Jan 12 14:52:14 2022 -0600 pps: clients: gpio: Propagate return value from pps_gpio_probe [ Upstream commit abaca3179b41d4b3b115f27814ee36f6fb45e897 ] If the pps-gpio driver was probed prior to the GPIO device it uses, the devm_gpiod_get call returned an -EPROBE_DEFER error, but pps_gpio_probe replaced that error code with -EINVAL, causing the pps-gpio probe to fail and not be retried later. Propagate the error return value so that deferred probe works properly. Fixes: 161520451dfa (pps: new client driver using GPIO) Reviewed-by: Andy Shevchenko Acked-by: Rodolfo Giometti Signed-off-by: Robert Hancock Signed-off-by: Rodolfo Giometti Link: https://lore.kernel.org/r/20220112205214.2060954-1-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 8139e3663284f50bb2f661c41d24bea976b5b5d4 Author: Uwe Kleine-König Date: Wed Nov 10 09:49:48 2021 +0100 pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() [ Upstream commit 0401f24cd238ae200a23a13925f98de3d2c883b8 ] When a driver calls pwmchip_add() it has to be prepared to immediately get its callbacks called. So move allocation of driver data and hardware initialization before the call to pwmchip_add(). This fixes a potential NULL pointer exception and a race condition on register writes. Fixes: 841e6f90bb78 ("pwm: NXP LPC18xx PWM/SCT driver") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9189674ba34af43f6c4010dcf2f0a14c7b6120ac Author: Joel Stanley Date: Tue Dec 7 14:08:11 2021 +1030 fsi: scom: Remove retries in indirect scoms [ Upstream commit ab1b79159ad5a6dc4e4994b49737f7feb13b7155 ] In commit f72ddbe1d7b7 ("fsi: scom: Remove retries") the retries were removed from get and put scoms. That patch missed the retires in get and put indirect scom. For the same reason, remove them from the scom driver to allow the caller to decide to retry. This removes the following special case which would have caused the retry code to return early: - if ((ind_data & XSCOM_DATA_IND_COMPLETE) || (err != SCOM_PIB_BLOCKED)) - return 0; I believe this case is handled. Fixes: f72ddbe1d7b7 ("fsi: scom: Remove retries") Signed-off-by: Joel Stanley Reviewed-by: Eddie James Link: https://lore.kernel.org/r/20211207033811.518981-3-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit fa290a34c2f0944154e5ef471da0833373ca1b1f Author: Joel Stanley Date: Tue Dec 7 14:08:10 2021 +1030 fsi: scom: Fix error handling [ Upstream commit d46fddd52d11eb6a3a7ed836f9f273e9cf8cd01c ] SCOM error handling is made complex by trying to pass around two bits of information: the function return code, and a status parameter that represents the CFAM error status register. The commit f72ddbe1d7b7 ("fsi: scom: Remove retries") removed the "hidden" retries in the SCOM driver, in preference of allowing the calling code (userspace or driver) to decide how to handle a failed SCOM. However it introduced a bug by attempting to be smart about the return codes that were "errors" and which were ok to fall through to the status register parsing. We get the following errors: - EINVAL or ENXIO, for indirect scoms where the value is invalid - EINVAL, where the size or address is incorrect - EIO or ETIMEOUT, where FSI write failed (aspeed master) - EAGAIN, where the master detected a crc error (GPIO master only) - EBUSY, where the bus is disabled (GPIO master in external mode) In all of these cases we should fail the SCOM read/write and return the error. Thanks to Dan Carpenter for the detailed bug report. Fixes: f72ddbe1d7b7 ("fsi: scom: Remove retries") Link: https://lists.ozlabs.org/pipermail/linux-fsi/2021-November/000235.html Reported-by: Dan Carpenter Signed-off-by: Joel Stanley Reviewed-by: Eddie James Link: https://lore.kernel.org/r/20211207033811.518981-2-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 6dffc2035fbaada60ca8db59e0962e34f760370a Author: Jiri Slaby Date: Mon Jan 24 08:14:24 2022 +0100 mxser: fix xmit_buf leak in activate when LSR == 0xff [ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ] When LSR is 0xff in ->activate() (rather unlike), we return an error. Provided ->shutdown() is not called when ->activate() fails, nothing actually frees the buffer in this case. Fix this by properly freeing the buffer in a designated label. We jump there also from the "!info->type" if now too. Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method") Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 295a9303346b22fe95f3b4e6ba33c481181d48da Author: Michael Straube Date: Fri Jan 7 11:36:04 2022 +0100 staging: r8188eu: release_firmware is not called if allocation fails [ Upstream commit 39850edf2befe27bcb3d6c37b6ee76d2ee4df903 ] In function load_firmware() release_firmware() is not called if the allocation of pFirmware->szFwBuffer fails or if fw->size is greater than FW_8188E_SIZE. Move the call to release_firmware() to the exit label at the end of the function to fix this. Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver") Signed-off-by: Michael Straube Link: https://lore.kernel.org/r/20220107103620.15648-4-straube.linux@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bcb238d1311daeb34a5307b00f19b32408d9086e Author: Lad Prabhakar Date: Thu Dec 23 09:32:23 2021 +0000 clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3 [ Upstream commit b289cdecc7c3e25e001cde260c882e4d9a8b0772 ] As per the HW manual (Rev.1.00 Sep, 2021) PLL2 and PLL3 should be 1600 MHz, but with current multiplier and divider values this resulted to 1596 MHz. This patch updates the multiplier and divider values for PLL2 and PLL3 so that we get the exact (1600 MHz) values. Fixes: 17f0ff3d49ff1 ("clk: renesas: Add support for R9A07G044 SoC") Suggested-by: Biju Das Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20211223093223.4725-1-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit ab86020070999e758ce2e60c4348f20bf7ddba56 Author: Miaohe Lin Date: Wed Mar 23 16:07:18 2022 -0700 kernel/resource: fix kfree() of bootmem memory again [ Upstream commit 0cbcc92917c5de80f15c24d033566539ad696892 ] Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory"), we could get a resource allocated during boot via alloc_resource(). And it's required to release the resource using free_resource(). Howerver, many people use kfree directly which will result in kernel BUG. In order to fix this without fixing every call site, just leak a couple of bytes in such corner case. Link: https://lkml.kernel.org/r/20220217083619.19305-1-linmiaohe@huawei.com Fixes: ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory") Signed-off-by: Miaohe Lin Suggested-by: David Hildenbrand Cc: Dan Williams Cc: Alistair Popple Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 30ad11bff021a94aff6dab1ec9236fdfd884fbff Author: Sondhauß, Jan Date: Wed Mar 23 08:47:33 2022 +0000 drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool [ Upstream commit 2844e2434385819f674d1fb4130c308c50ba681e ] cpsw_ethtool_begin directly returns the result of pm_runtime_get_sync when successful. pm_runtime_get_sync returns -error code on failure and 0 on successful resume but also 1 when the device is already active. So the common case for cpsw_ethtool_begin is to return 1. That leads to inconsistent calls to pm_runtime_put in the call-chain so that pm_runtime_put is called one too many times and as result leaving the cpsw dev behind suspended. The suspended cpsw dev leads to an access violation later on by different parts of the cpsw driver. Fix this by calling the return-friendly pm_runtime_resume_and_get function. Fixes: d43c65b05b84 ("ethtool: runtime-resume netdev parent in ethnl_ops_begin") Signed-off-by: Jan Sondhauss Reviewed-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20220323084725.65864-1-jan.sondhauss@wago.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ec1107dc816a712ff3564c053eabb4a24395278d Author: Alexander Lobakin Date: Wed Mar 23 13:43:53 2022 +0100 ice: don't allow to run ice_send_event_to_aux() in atomic ctx [ Upstream commit 5a3156932da06f09953764de113419f254086faf ] ice_send_event_to_aux() eventually descends to mutex_lock() (-> might_sched()), so it must not be called under non-task context. However, at least two fixes have happened already for the bug splats occurred due to this function being called from atomic context. To make the emergency landings softer, bail out early when executed in non-task context emitting a warn splat only once. This way we trade some events being potentially lost for system stability and avoid any related hangs and crashes. Fixes: 348048e724a0e ("ice: Implement iidc operations") Signed-off-by: Alexander Lobakin Tested-by: Michal Kubiak Reviewed-by: Maciej Fijalkowski Acked-by: Tony Nguyen Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 59e88a50afad7469c55804e46bf2924b9130281f Author: Alexander Lobakin Date: Wed Mar 23 13:43:52 2022 +0100 ice: fix 'scheduling while atomic' on aux critical err interrupt [ Upstream commit 32d53c0aa3a7b727243473949bad2a830b908edc ] There's a kernel BUG splat on processing aux critical error interrupts in ice_misc_intr(): [ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000 ... [ 2101.060770] Call Trace: [ 2101.063229] [ 2101.065252] dump_stack+0x41/0x60 [ 2101.068587] __schedule_bug.cold.100+0x4c/0x58 [ 2101.073060] __schedule+0x6a4/0x830 [ 2101.076570] schedule+0x35/0xa0 [ 2101.079727] schedule_preempt_disabled+0xa/0x10 [ 2101.084284] __mutex_lock.isra.7+0x310/0x420 [ 2101.088580] ? ice_misc_intr+0x201/0x2e0 [ice] [ 2101.093078] ice_send_event_to_aux+0x25/0x70 [ice] [ 2101.097921] ice_misc_intr+0x220/0x2e0 [ice] [ 2101.102232] __handle_irq_event_percpu+0x40/0x180 [ 2101.106965] handle_irq_event_percpu+0x30/0x80 [ 2101.111434] handle_irq_event+0x36/0x53 [ 2101.115292] handle_edge_irq+0x82/0x190 [ 2101.119148] handle_irq+0x1c/0x30 [ 2101.122480] do_IRQ+0x49/0xd0 [ 2101.125465] common_interrupt+0xf/0xf [ 2101.129146] ... As Andrew correctly mentioned previously[0], the following call ladder happens: ice_misc_intr() <- hardirq ice_send_event_to_aux() device_lock() mutex_lock() might_sleep() might_resched() <- oops Add a new PF state bit which indicates that an aux critical error occurred and serve it in ice_service_task() in process context. The new ice_pf::oicr_err_reg is read-write in both hardirq and process contexts, but only 3 bits of non-critical data probably aren't worth explicit synchronizing (and they're even in the same byte [31:24]). [0] https://lore.kernel.org/all/YeSRUVmrdmlUXHDn@lunn.ch Fixes: 348048e724a0e ("ice: Implement iidc operations") Signed-off-by: Alexander Lobakin Tested-by: Michal Kubiak Acked-by: Tony Nguyen Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e84318b3866caf78adc962b1927cf4d9cb96ce4a Author: Miaoqian Lin Date: Mon Mar 7 07:29:47 2022 +0000 mfd: asic3: Add missing iounmap() on error asic3_mfd_probe [ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ] Add the missing iounmap() before return from asic3_mfd_probe in the error handling case. Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area") Signed-off-by: Miaoqian Lin Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 8d8cb4166a4705b9067087d459bf8369869782fa Author: Hoang Le Date: Mon Mar 21 11:22:29 2022 +0700 tipc: fix the timer expires after interval 100ms [ Upstream commit 6a7d8cff4a3301087dd139293e9bddcf63827282 ] In the timer callback function tipc_sk_timeout(), we're trying to reschedule another timeout to retransmit a setup request if destination link is congested. But we use the incorrect timeout value (msecs_to_jiffies(100)) instead of (jiffies + msecs_to_jiffies(100)), so that the timer expires immediately, it's irrelevant for original description. In this commit we correct the timeout value in sk_reset_timer() Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") Acked-by: Ying Xue Signed-off-by: Hoang Le Link: https://lore.kernel.org/r/20220321042229.314288-1-hoang.h.le@dektech.com.au Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 06db021cb7c26bac7ba18a4655ed662df51a9ddc Author: Yang Yingliang Date: Sat Mar 19 11:24:50 2022 +0800 net: wwan: qcom_bam_dmux: fix wrong pointer passed to IS_ERR() [ Upstream commit 6b3c74550224c3be24c4cf6ab8c333602b458bff ] It should check dmux->tx after calling dma_request_chan(). Fixes: 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver") Signed-off-by: Yang Yingliang Reviewed-by: Stephan Gerhold Link: https://lore.kernel.org/r/20220319032450.3288224-1-yangyingliang@huawei.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit b864d5350c18bea9369d0bdd9e7eb6f6172cc283 Author: Vladimir Oltean Date: Fri Mar 18 21:54:43 2022 +0200 net: dsa: fix panic on shutdown if multi-chip tree failed to probe [ Upstream commit 8fd36358ce82382519b50b05f437493e1e00c4a9 ] DSA probing is atypical because a tree of devices must probe all at once, so out of N switches which call dsa_tree_setup_routing_table() during probe, for (N - 1) of them, "complete" will return false and they will exit probing early. The Nth switch will set up the whole tree on their behalf. The implication is that for (N - 1) switches, the driver binds to the device successfully, without doing anything. When the driver is bound, the ->shutdown() method may run. But if the Nth switch has failed to initialize the tree, there is nothing to do for the (N - 1) driver instances, since the slave devices have not been created, etc. Moreover, dsa_switch_shutdown() expects that the calling @ds has been in fact initialized, so it jumps at dereferencing the various data structures, which is incorrect. Avoid the ensuing NULL pointer dereferences by simply checking whether the Nth switch has previously set "ds->setup = true" for the switch which is currently shutting down. The entire setup is serialized under dsa2_mutex which we already hold. Fixes: 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220318195443.275026-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f7e675bf0b7e3a0188d684746318daeebe3c500e Author: Aaron Conole Date: Fri Mar 18 08:43:19 2022 -0400 openvswitch: always update flow key after nat [ Upstream commit 60b44ca6bd7518dd38fa2719bc9240378b6172c3 ] During NAT, a tuple collision may occur. When this happens, openvswitch will make a second pass through NAT which will perform additional packet modification. This will update the skb data, but not the flow key that OVS uses. This means that future flow lookups, and packet matches will have incorrect data. This has been supported since 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack"). That commit failed to properly update the sw_flow_key attributes, since it only called the ovs_ct_nat_update_key once, rather than each time ovs_ct_nat_execute was called. As these two operations are linked, the ovs_ct_nat_execute() function should always make sure that the sw_flow_key is updated after a successful call through NAT infrastructure. Fixes: 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack") Cc: Dumitru Ceara Cc: Numan Siddique Signed-off-by: Aaron Conole Acked-by: Eelco Chaudron Link: https://lore.kernel.org/r/20220318124319.3056455-1-aconole@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7136af32eb22c4f5a92de710e918ce9d8f86951b Author: Jakub Kicinski Date: Mon Mar 21 09:59:57 2022 -0700 tcp: ensure PMTU updates are processed during fastopen [ Upstream commit ed0c99dc0f499ff8b6e75b5ae6092ab42be1ad39 ] tp->rx_opt.mss_clamp is not populated, yet, during TFO send so we rise it to the local MSS. tp->mss_cache is not updated, however: tcp_v6_connect(): tp->rx_opt.mss_clamp = IPV6_MIN_MTU - headers; tcp_connect(): tcp_connect_init(): tp->mss_cache = min(mtu, tp->rx_opt.mss_clamp) tcp_send_syn_data(): tp->rx_opt.mss_clamp = tp->advmss After recent fixes to ICMPv6 PTB handling we started dropping PMTU updates higher than tp->mss_cache. Because of the stale tp->mss_cache value PMTU updates during TFO are always dropped. Thanks to Wei for helping zero in on the problem and the fix! Fixes: c7bb4b89033b ("ipv6: tcp: drop silly ICMPv6 packet too big messages") Reported-by: Andre Nash Reported-by: Neil Spring Reviewed-by: Wei Wang Acked-by: Yuchung Cheng Acked-by: Martin KaFai Lau Signed-off-by: Jakub Kicinski Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220321165957.1769954-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f49769b462f282477ca801cf648f875b1c5b59db Author: Jeremy Linton Date: Wed Mar 9 22:53:58 2022 -0600 net: bcmgenet: Use stronger register read/writes to assure ordering [ Upstream commit 8d3ea3d402db94b61075617e71b67459a714a502 ] GCC12 appears to be much smarter about its dependency tracking and is aware that the relaxed variants are just normal loads and stores and this is causing problems like: [ 210.074549] ------------[ cut here ]------------ [ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out [ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240 [ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat] [ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110 [ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58 [ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters [ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022 [ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 210.161358] pc : dev_watchdog+0x234/0x240 [ 210.161364] lr : dev_watchdog+0x234/0x240 [ 210.161368] sp : ffff8000080a3a40 [ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20 [ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08 [ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000 [ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff [ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a [ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0 [ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c [ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000 [ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000 [ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044 [ 210.269682] Call trace: [ 210.272133] dev_watchdog+0x234/0x240 [ 210.275811] call_timer_fn+0x3c/0x15c [ 210.279489] __run_timers.part.0+0x288/0x310 [ 210.283777] run_timer_softirq+0x48/0x80 [ 210.287716] __do_softirq+0x128/0x360 [ 210.291392] __irq_exit_rcu+0x138/0x140 [ 210.295243] irq_exit_rcu+0x1c/0x30 [ 210.298745] el1_interrupt+0x38/0x54 [ 210.302334] el1h_64_irq_handler+0x18/0x24 [ 210.306445] el1h_64_irq+0x7c/0x80 [ 210.309857] arch_cpu_idle+0x18/0x2c [ 210.313445] default_idle_call+0x4c/0x140 [ 210.317470] cpuidle_idle_call+0x14c/0x1a0 [ 210.321584] do_idle+0xb0/0x100 [ 210.324737] cpu_startup_entry+0x30/0x8c [ 210.328675] secondary_start_kernel+0xe4/0x110 [ 210.333138] __secondary_switched+0x94/0x98 The assumption when these were relaxed seems to be that device memory would be mapped non reordering, and that other constructs (spinlocks/etc) would provide the barriers to assure that packet data and in memory rings/queues were ordered with respect to device register reads/writes. This itself seems a bit sketchy, but the real problem with GCC12 is that it is moving the actual reads/writes around at will as though they were independent operations when in truth they are not, but the compiler can't know that. When looking at the assembly dumps for many of these routines its possible to see very clean, but not strictly in program order operations occurring as the compiler would be free to do if these weren't actually register reads/write operations. Its possible to suppress the timeout with a liberal bit of dma_mb()'s sprinkled around but the device still seems unable to reliably send/receive data. A better plan is to use the safer readl/writel everywhere. Since this partially reverts an older commit, which notes the use of the relaxed variants for performance reasons. I would suggest that any performance problems with this commit are targeted at relaxing only the performance critical code paths after assuring proper barriers. Fixes: 69d2ea9c79898 ("net: bcmgenet: Use correct I/O accessors") Reported-by: Peter Robinson Signed-off-by: Jeremy Linton Acked-by: Peter Robinson Tested-by: Peter Robinson Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20220310045358.224350-1-jeremy.linton@arm.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 45f705fc814bb3d5bd4bee22df1d2e43da44d35a Author: Bjorn Helgaas Date: Mon Mar 21 13:34:46 2022 -0500 PCI: Avoid broken MSI on SB600 USB devices [ Upstream commit 63cd736f449445edcd7f0bcc7d84453e9beec0aa ] Some ATI SB600 USB adapters advertise MSI, but if INTx is disabled by setting PCI_COMMAND_INTX_DISABLE, MSI doesn't work either. The PCI/PCIe specs do not require software to set PCI_COMMAND_INTX_DISABLE when enabling MSI, but Linux has done that for many years. Mick reported that 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") broke these devices. Prior to 306c54d0edb6, they used INTx. Starting with 306c54d0edb6, they use MSI, and and the fact that Linux sets PCI_COMMAND_INTX_DISABLE means both INTx and MSI are disabled on these devices. Avoid this SB600 defect by disabling MSI so we use INTx as before. Fixes: 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") Link: https://lore.kernel.org/r/20220321183446.1108325-1-helgaas@kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=215690 Link: https://lore.kernel.org/all/PxIByDyBRcsbpcmVhGSNDFAoUcMmb78ctXCkw6fbpx25TGlCHvA6SJjjFkNr1FfQZMntYPTNyvEnblxzAZ8a6jP9ddLpKeCN6Chi_2FuexU=@protonmail.com/ Link: https://lore.kernel.org/r/20220314101448.90074-1-andriy.shevchenko@linux.intel.com BugLink: https://lore.kernel.org/all/20200702143045.23429-1-andriy.shevchenko@linux.intel.com/ Reported-by: Mick Lorain Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit da18b6e851a51377a4476d032dcccbe055dc2554 Author: Yafang Shao Date: Sun Mar 20 06:08:14 2022 +0000 bpftool: Fix print error when show bpf map [ Upstream commit 1824d8ea75f275a5e69e5f6bc0ffe122ea9b938c ] If there is no btf_id or frozen, it will not show the pids, but the pids don't depend on any one of them. Below is the result after this change: $ ./bpftool map show 2: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B pids systemd(1) 3: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B pids systemd(1) While before this change, the 'pids systemd(1)' can't be displayed. Fixes: 9330986c0300 ("bpf: Add bloom filter map implementation") Signed-off-by: Yafang Shao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220320060815.7716-1-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit 8facc3d9a4863e026c55ef33f7cda7f24b92652e Author: Hangbin Liu Date: Mon Mar 21 10:41:49 2022 +0800 selftests/bpf/test_lirc_mode2.sh: Exit with proper code [ Upstream commit ec80906b0fbd7be11e3e960813b977b1ffe5f8fe ] When test_lirc_mode2_user exec failed, the test report failed but still exit with 0. Fix it by exiting with an error code. Another issue is for the LIRCDEV checking. With bash -n, we need to quote the variable, or it will always be true. So if test_lirc_mode2_user was not run, just exit with skip code. Fixes: 6bdd533cee9a ("bpf: add selftest for lirc_mode2 type program") Signed-off-by: Hangbin Liu Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220321024149.157861-1-liuhangbin@gmail.com Signed-off-by: Sasha Levin commit 07c7bd2880cc1f7599a8e07431d34f67ab56545d Author: Lucas De Marchi Date: Wed Mar 16 16:45:37 2022 -0700 drm/i915: Fix renamed struct field [ Upstream commit 00f4150d27d2c01eaeffe1091fc311a7c0872c69 ] Earlier versions of commit a5b7ef27da60 ("drm/i915: Add struct to hold IP version") named "ver" as "arch" and then when it was renamed it missed the rename on MEDIA_VER_FULL() since it it's currently not used. Fixes: a5b7ef27da60 ("drm/i915: Add struct to hold IP version") Cc: José Roberto de Souza Cc: Matt Roper Signed-off-by: Lucas De Marchi Reviewed-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20220316234538.434357-1-lucas.demarchi@intel.com (cherry picked from commit b4ac33b973233dc08a56c8ef9d3c2edeab7a4370) Signed-off-by: Tvrtko Ursulin Signed-off-by: Sasha Levin commit a45dba71849a963c427637b3330e2ccf098f42d1 Author: Duoming Zhou Date: Fri Mar 18 08:54:05 2022 +0800 ax25: Fix NULL pointer dereferences in ax25 timers [ Upstream commit fc6d01ff9ef03b66d4a3a23b46fc3c3d8cf92009 ] The previous commit 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect") move ax25_disconnect into lock_sock() in order to prevent NPD bugs. But there are race conditions that may lead to null pointer dereferences in ax25_heartbeat_expiry(), ax25_t1timer_expiry(), ax25_t2timer_expiry(), ax25_t3timer_expiry() and ax25_idletimer_expiry(), when we use ax25_kill_by_device() to detach the ax25 device. One of the race conditions that cause null pointer dereferences can be shown as below: (Thread 1) | (Thread 2) ax25_connect() | ax25_std_establish_data_link() | ax25_start_t1timer() | mod_timer(&ax25->t1timer,..) | | ax25_kill_by_device() (wait a time) | ... | s->ax25_dev = NULL; //(1) ax25_t1timer_expiry() | ax25->ax25_dev->values[..] //(2)| ... ... | We set null to ax25_cb->ax25_dev in position (1) and dereference the null pointer in position (2). The corresponding fail log is shown below: =============================================================== BUG: kernel NULL pointer dereference, address: 0000000000000050 CPU: 1 PID: 0 Comm: swapper/1 Not tainted 5.17.0-rc6-00794-g45690b7d0 RIP: 0010:ax25_t1timer_expiry+0x12/0x40 ... Call Trace: call_timer_fn+0x21/0x120 __run_timers.part.0+0x1ca/0x250 run_timer_softirq+0x2c/0x60 __do_softirq+0xef/0x2f3 irq_exit_rcu+0xb6/0x100 sysvec_apic_timer_interrupt+0xa2/0xd0 ... This patch moves ax25_disconnect() before s->ax25_dev = NULL and uses del_timer_sync() to delete timers in ax25_disconnect(). If ax25_disconnect() is called by ax25_kill_by_device() or ax25->ax25_dev is NULL, the reason in ax25_disconnect() will be equal to ENETUNREACH, it will wait all timers to stop before we set null to s->ax25_dev in ax25_kill_by_device(). Fixes: 7ec02f5ac8a5 ("ax25: fix NPD bug in ax25_disconnect") Signed-off-by: Duoming Zhou Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 534156dd4ed768e30a43de0036f45dca7c54818f Author: Duoming Zhou Date: Fri Mar 18 08:54:04 2022 +0800 ax25: Fix refcount leaks caused by ax25_cb_del() [ Upstream commit 9fd75b66b8f68498454d685dc4ba13192ae069b0 ] The previous commit d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") and commit feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation") increase the refcounts of ax25_dev and net_device in ax25_bind() and decrease the matching refcounts in ax25_kill_by_device() in order to prevent UAF bugs, but there are reference count leaks. The root cause of refcount leaks is shown below: (Thread 1) | (Thread 2) ax25_bind() | ... | ax25_addr_ax25dev() | ax25_dev_hold() //(1) | ... | dev_hold_track() //(2) | ... | ax25_destroy_socket() | ax25_cb_del() | ... | hlist_del_init() //(3) | | (Thread 3) | ax25_kill_by_device() | ... | ax25_for_each(s, &ax25_list) { | if (s->ax25_dev == ax25_dev) //(4) | ... | Firstly, we use ax25_bind() to increase the refcount of ax25_dev in position (1) and increase the refcount of net_device in position (2). Then, we use ax25_cb_del() invoked by ax25_destroy_socket() to delete ax25_cb in hlist in position (3) before calling ax25_kill_by_device(). Finally, the decrements of refcounts in ax25_kill_by_device() will not be executed, because no s->ax25_dev equals to ax25_dev in position (4). This patch adds decrements of refcounts in ax25_release() and use lock_sock() to do synchronization. If refcounts decrease in ax25_release(), the decrements of refcounts in ax25_kill_by_device() will not be executed and vice versa. Fixes: d01ffb9eee4a ("ax25: add refcount in ax25_dev to avoid UAF bugs") Fixes: 87563a043cef ("ax25: fix reference count leaks of ax25_dev") Fixes: feef318c855a ("ax25: fix UAF bugs of net_device caused by rebinding operation") Reported-by: Thomas Osterried Signed-off-by: Duoming Zhou Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 895ca4ae1f72e0a0160ab162723e59c9f265ec93 Author: Michael Ellerman Date: Fri Mar 18 14:42:19 2022 +1100 powerpc/pseries: Fix use after free in remove_phb_dynamic() [ Upstream commit fe2640bd7a62f1f7c3f55fbda31084085075bc30 ] In remove_phb_dynamic() we use &phb->io_resource, after we've called device_unregister(&host_bridge->dev). But the unregister may have freed phb, because pcibios_free_controller_deferred() is the release function for the host_bridge. If there are no outstanding references when we call device_unregister() then phb will be freed out from under us. This has gone mainly unnoticed, but with slub_debug and page_poison enabled it can lead to a crash: PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr" #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc #1 [c0000000e4f075d0] oops_end at c000000000029608 #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4 #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8 #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30 Data SLB Access [380] exception frame: R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100 R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9 R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000 R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000 R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003 R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005 R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0 R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8 R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800 R30: c00000004d1d2400 R31: c00000004d1d2540 NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474 CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003 CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3 DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2 [NIP : release_resource+56] [LR : release_resource+48] #5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable) #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648 #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io] #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io] #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504 #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868 #12 [c0000000e4f07c70] new_sync_write at c00000000054339c #13 [c0000000e4f07d10] vfs_write at c000000000546624 #14 [c0000000e4f07d60] ksys_write at c0000000005469f4 #15 [c0000000e4f07db0] system_call_exception at c000000000030840 #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168 To avoid it, we can take a reference to the host_bridge->dev until we're done using phb. Then when we drop the reference the phb will be freed. Fixes: 2dd9c11b9d4d ("powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)") Reported-by: David Dai Signed-off-by: Michael Ellerman Tested-by: Sachin Sant Link: https://lore.kernel.org/r/20220318034219.1188008-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 744c365385b605744df8487d78a25af3f2354851 Author: Peter Rosin Date: Wed Mar 2 12:22:35 2022 +0100 i2c: mux: demux-pinctrl: do not deactivate a master that is not active [ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ] Attempting to rollback the activation of the current master when the current master has not been activated is bad. priv->cur_chan and priv->cur_adap are both still zeroed out and the rollback may result in attempts to revert an of changeset that has not been applied and do result in calls to both del and put the zeroed out i2c_adapter. Maybe it crashes, or whatever, but it's bad in any case. Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'") Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e8ca70951d447b47b1171ad1377d1790e43bddf3 Author: Phil Sutter Date: Wed Mar 2 22:02:55 2022 +0100 netfilter: conntrack: Add and use nf_ct_set_auto_assign_helper_warned() [ Upstream commit 31d0bb9763efad30377505f3467f958d1ebe1e3d ] The function sets the pernet boolean to avoid the spurious warning from nf_ct_lookup_helper() when assigning conntrack helpers via nftables. Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 2e67ec3594c7e89cde9d80adb609ff95a91b0fe9 Author: Lucas Tanure Date: Tue Mar 1 07:26:00 2022 +0000 i2c: meson: Fix wrong speed use from probe [ Upstream commit cb13aa16f34f794a9cee2626862af8a95f0f0ee9 ] Having meson_i2c_set_clk_div after i2c_add_adapter causes issues for client drivers that try to use the bus before the requested speed is applied. The bus can be used just after i2c_add_adapter, so move i2c_add_adapter to the final step as meson_i2c_set_clk_div needs to be called before the bus is used. Fixes: 09af1c2fa490 ("i2c: meson: set clock divider in probe instead of setting it for each transfer") Signed-off-by: Lucas Tanure Reviewed-by: Neil Armstrong Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e23e1e981247feb3c7d0236fe58aceb685f234ae Author: Petr Machata Date: Thu Mar 17 15:53:06 2022 +0100 af_netlink: Fix shift out of bounds in group mask calculation [ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ] When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts. Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups. To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/ The way to trigger this issue is e.g. through monitoring the BRVLAN group: # bridge monitor vlan & # ip link add name br type bridge Which produces the following citation: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int' Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4d54181eba4b077fb74033a7186898ad4000a7a5 Author: Yonglong Li Date: Thu Mar 17 15:09:53 2022 -0700 mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb [ Upstream commit 3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc ] Got crash when doing pressure test of mptcp: =========================================================================== dst_release: dst:ffffa06ce6e5c058 refcnt:-1 kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle kernel paging request at ffffa06ce6e5c058 PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063 Oops: 0011 [#1] SMP PTI CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014 Call Trace: ? skb_release_head_state+0x68/0x100 ? skb_release_all+0xe/0x30 ? kfree_skb+0x32/0xa0 ? mptcp_sendmsg_frag+0x57e/0x750 ? __mptcp_retrans+0x21b/0x3c0 ? __switch_to_asm+0x35/0x70 ? mptcp_worker+0x25e/0x320 ? process_one_work+0x1a7/0x360 ? worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 ? kthread+0x112/0x130 ? kthread_flush_work_fn+0x10/0x10 ? ret_from_fork+0x35/0x40 =========================================================================== In __mptcp_alloc_tx_skb skb was allocated and skb->tcp_tsorted_anchor will be initialized, in under memory pressure situation sk_wmem_schedule will return false and then kfree_skb. In this case skb->_skb_refdst is not null because_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and kfree_skb will try to release dst and cause crash. Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache") Reviewed-by: Paolo Abeni Signed-off-by: Yonglong Li Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20220317220953.426024-1-mathew.j.martineau@linux.intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2c1a824a8db01466db3da79aa50a57e04906e619 Author: Guillaume Nault Date: Thu Mar 17 13:45:09 2022 +0100 ipv4: Fix route lookups when handling ICMP redirects and PMTU updates [ Upstream commit 544b4dd568e3b09c1ab38a759d3187e7abda11a0 ] The PMTU update and ICMP redirect helper functions initialise their fl4 variable with either __build_flow_key() or build_sk_flow_key(). These initialisation functions always set ->flowi4_scope with RT_SCOPE_UNIVERSE and might set the ECN bits of ->flowi4_tos. This is not a problem when the route lookup is later done via ip_route_output_key_hash(), which properly clears the ECN bits from ->flowi4_tos and initialises ->flowi4_scope based on the RTO_ONLINK flag. However, some helpers call fib_lookup() directly, without sanitising the tos and scope fields, so the route lookup can fail and, as a result, the ICMP redirect or PMTU update aren't taken into account. Fix this by extracting the ->flowi4_tos and ->flowi4_scope sanitisation code into ip_rt_fix_tos(), then use this function in handlers that call fib_lookup() directly. Note 1: We can't sanitise ->flowi4_tos and ->flowi4_scope in a central place (like __build_flow_key() or flowi4_init_output()), because ip_route_output_key_hash() expects non-sanitised values. When called with sanitised values, it can erroneously overwrite RT_SCOPE_LINK with RT_SCOPE_UNIVERSE in ->flowi4_scope. Therefore we have to be careful to sanitise the values only for those paths that don't call ip_route_output_key_hash(). Note 2: The problem is mostly about sanitising ->flowi4_tos. Having ->flowi4_scope initialised with RT_SCOPE_UNIVERSE instead of RT_SCOPE_LINK probably wasn't really a problem: sockets with the SOCK_LOCALROUTE flag set (those that'd result in RTO_ONLINK being set) normally shouldn't receive ICMP redirects or PMTU updates. Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Guillaume Nault Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2a495ef04d5f42e6f00eb2bec1ee9075e3d5a771 Author: Dan Carpenter Date: Wed Mar 16 11:39:48 2022 +0300 RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit() [ Upstream commit 87e0eacb176f9500c2063d140c0a1d7fa51ab8a5 ] This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows. Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink") Link: https://lore.kernel.org/r/20220316083948.GC30941@kili Signed-off-by: Dan Carpenter Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 6d7be5afbb41c918d2f12f857f8c7efa50500be2 Author: Yake Yang Date: Thu Mar 17 07:15:19 2022 +0800 Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt [ Upstream commit b062a0b9c1dc1ff63094337dccfe1568d5b62023 ] Fix the following kernel oops in btmtksdio_interrrupt [ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30 That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up. The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe. The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out. When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer. Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Reviewed-by: Mark Chen Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Yake Yang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 8b69661838e59c15c9b476dea61c82a465ac2e80 Author: Niels Dossche Date: Wed Mar 16 16:33:50 2022 +0100 Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed [ Upstream commit 9fa6b4cda3b414e990f008f45f9bcecbcb54d4d1 ] hci_le_conn_failed function's documentation says that the caller must hold hdev->lock. The only callsite that does not hold that lock is hci_le_conn_failed. The other 3 callsites hold the hdev->lock very locally. The solution is to hold the lock during the call to hci_le_conn_failed. Fixes: 3c857757ef6e ("Bluetooth: Add directed advertising support through connect()") Signed-off-by: Niels Dossche Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 8a3896c30f542439d36303183dc96f65df8cc528 Author: Pavel Skripkin Date: Sun Mar 13 20:49:36 2022 +0300 Bluetooth: hci_uart: add missing NULL check in h5_enqueue [ Upstream commit 32cb08e958696908a9aad5e49a78d74f7e32fffb ] Syzbot hit general protection fault in __pm_runtime_resume(). The problem was in missing NULL check. hu->serdev can be NULL and we should not blindly pass &serdev->dev somewhere, since it will cause GPF. Reported-by: syzbot+b9bd12fbed3485a3e51f@syzkaller.appspotmail.com Fixes: d9dd833cf6d2 ("Bluetooth: hci_h5: Add runtime suspend") Signed-off-by: Pavel Skripkin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 067a7ef1e2b2d80b7b491f45774054bbbcc1732e Author: Jakub Sitnicki Date: Thu Mar 17 12:39:17 2022 +0100 selftests/bpf: Fix error reporting from sock_fields programs [ Upstream commit a4c9fe0ed4a13e25e43fcd44d9f89bc19ba8fbb7 ] The helper macro that records an error in BPF programs that exercise sock fields access has been inadvertently broken by adaptation work that happened in commit b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables"). BPF_NOEXIST flag cannot be used to update BPF_MAP_TYPE_ARRAY. The operation always fails with -EEXIST, which in turn means the error never gets recorded, and the checks for errors always pass. Revert the change in update flags. Fixes: b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables") Signed-off-by: Jakub Sitnicki Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20220317113920.1068535-2-jakub@cloudflare.com Signed-off-by: Sasha Levin commit 2d2f9dec0e5ccc30c140779cd2b72fd42b8a8298 Author: Kuniyuki Iwashima Date: Thu Mar 17 12:08:08 2022 +0900 af_unix: Fix some data-races around unix_sk(sk)->oob_skb. [ Upstream commit e82025c623e2bf04d162bafceb66a59115814479 ] Out-of-band data automatically places a "mark" showing wherein the sequence the out-of-band data would have been. If the out-of-band data implies cancelling everything sent so far, the "mark" is helpful to flush them. When the socket's read pointer reaches the "mark", the ioctl() below sets a non zero value to the arg `atmark`: The out-of-band data is queued in sk->sk_receive_queue as well as ordinary data and also saved in unix_sk(sk)->oob_skb. It can be used to test if the head of the receive queue is the out-of-band data meaning the socket is at the "mark". While testing that, unix_ioctl() reads unix_sk(sk)->oob_skb locklessly. Thus, all accesses to oob_skb need some basic protection to avoid load/store tearing which KCSAN detects when these are called concurrently: - ioctl(fd_a, SIOCATMARK, &atmark, sizeof(atmark)) - send(fd_b_connected_to_a, buf, sizeof(buf), MSG_OOB) BUG: KCSAN: data-race in unix_ioctl / unix_stream_sendmsg write to 0xffff888003d9cff0 of 8 bytes by task 175 on cpu 1: unix_stream_sendmsg (net/unix/af_unix.c:2087 net/unix/af_unix.c:2191) sock_sendmsg (net/socket.c:705 net/socket.c:725) __sys_sendto (net/socket.c:2040) __x64_sys_sendto (net/socket.c:2048) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) read to 0xffff888003d9cff0 of 8 bytes by task 176 on cpu 0: unix_ioctl (net/unix/af_unix.c:3101 (discriminator 1)) sock_do_ioctl (net/socket.c:1128) sock_ioctl (net/socket.c:1242) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:874 fs/ioctl.c:860 fs/ioctl.c:860) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) value changed: 0xffff888003da0c00 -> 0xffff888003da0d00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 176 Comm: unix_race_oob_i Not tainted 5.17.0-rc5-59529-g83dc4c2af682 #12 Hardware name: Red Hat KVM, BIOS 1.11.0-2.amzn2 04/01/2014 Fixes: 314001f0bf92 ("af_unix: Add OOB support") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 8507c6ade73cdbbbda5c3d31d67f52f2e1cf03fe Author: Sukadev Bhattiprolu Date: Wed Mar 16 18:12:31 2022 -0700 ibmvnic: fix race between xmit and reset [ Upstream commit 4219196d1f662cb10a462eb9e076633a3fc31a15 ] There is a race between reset and the transmit paths that can lead to ibmvnic_xmit() accessing an scrq after it has been freed in the reset path. It can result in a crash like: Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000016189f8 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c0080000016189f8] ibmvnic_xmit+0x60/0xb60 [ibmvnic] LR [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 Call Trace: [c008000001618f08] ibmvnic_xmit+0x570/0xb60 [ibmvnic] (unreliable) [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 [c000000000c9cfcc] sch_direct_xmit+0xec/0x330 [c000000000bfe640] __dev_xmit_skb+0x3a0/0x9d0 [c000000000c00ad4] __dev_queue_xmit+0x394/0x730 [c008000002db813c] __bond_start_xmit+0x254/0x450 [bonding] [c008000002db8378] bond_start_xmit+0x40/0xc0 [bonding] [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 [c000000000c00ca4] __dev_queue_xmit+0x564/0x730 [c000000000cf97e0] neigh_hh_output+0xd0/0x180 [c000000000cfa69c] ip_finish_output2+0x31c/0x5c0 [c000000000cfd244] __ip_queue_xmit+0x194/0x4f0 [c000000000d2a3c4] __tcp_transmit_skb+0x434/0x9b0 [c000000000d2d1e0] __tcp_retransmit_skb+0x1d0/0x6a0 [c000000000d2d984] tcp_retransmit_skb+0x34/0x130 [c000000000d310e8] tcp_retransmit_timer+0x388/0x6d0 [c000000000d315ec] tcp_write_timer_handler+0x1bc/0x330 [c000000000d317bc] tcp_write_timer+0x5c/0x200 [c000000000243270] call_timer_fn+0x50/0x1c0 [c000000000243704] __run_timers.part.0+0x324/0x460 [c000000000243894] run_timer_softirq+0x54/0xa0 [c000000000ea713c] __do_softirq+0x15c/0x3e0 [c000000000166258] __irq_exit_rcu+0x158/0x190 [c000000000166420] irq_exit+0x20/0x40 [c00000000002853c] timer_interrupt+0x14c/0x2b0 [c000000000009a00] decrementer_common_virt+0x210/0x220 --- interrupt: 900 at plpar_hcall_norets_notrace+0x18/0x2c The immediate cause of the crash is the access of tx_scrq in the following snippet during a reset, where the tx_scrq can be either NULL or an address that will soon be invalid: ibmvnic_xmit() { ... tx_scrq = adapter->tx_scrq[queue_num]; txq = netdev_get_tx_queue(netdev, queue_num); ind_bufp = &tx_scrq->ind_buf; if (test_bit(0, &adapter->resetting)) { ... } But beyond that, the call to ibmvnic_xmit() itself is not safe during a reset and the reset path attempts to avoid this by stopping the queue in ibmvnic_cleanup(). However just after the queue was stopped, an in-flight ibmvnic_complete_tx() could have restarted the queue even as the reset is progressing. Since the queue was restarted we could get a call to ibmvnic_xmit() which can then access the bad tx_scrq (or other fields). We cannot however simply have ibmvnic_complete_tx() check the ->resetting bit and skip starting the queue. This can race at the "back-end" of a good reset which just restarted the queue but has not cleared the ->resetting bit yet. If we skip restarting the queue due to ->resetting being true, the queue would remain stopped indefinitely potentially leading to transmit timeouts. IOW ->resetting is too broad for this purpose. Instead use a new flag that indicates whether or not the queues are active. Only the open/ reset paths control when the queues are active. ibmvnic_complete_tx() and others wake up the queue only if the queue is marked active. So we will have: A. reset/open thread in ibmvnic_cleanup() and __ibmvnic_open() ->resetting = true ->tx_queues_active = false disable tx queues ... ->tx_queues_active = true start tx queues B. Tx interrupt in ibmvnic_complete_tx(): if (->tx_queues_active) netif_wake_subqueue(); To ensure that ->tx_queues_active and state of the queues are consistent, we need a lock which: - must also be taken in the interrupt path (ibmvnic_complete_tx()) - shared across the multiple queues in the adapter (so they don't become serialized) Use rcu_read_lock() and have the reset thread synchronize_rcu() after updating the ->tx_queues_active state. While here, consolidate a few boolean fields in ibmvnic_adapter for better alignment. Based on discussions with Brian King and Dany Madden. Fixes: 7ed5b31f4a66 ("net/ibmvnic: prevent more than one thread from running in reset") Reported-by: Vaishnavi Bhat Signed-off-by: Sukadev Bhattiprolu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 43bfb1a40d25bf647100b5ff56b3bbe260a1f15f Author: Richard Zhu Date: Thu Feb 24 11:06:53 2022 +0800 PCI: imx6: Assert i.MX8MM CLKREQ# even if no device present [ Upstream commit 45514f78c65cc9a09437f20e180625f94f769863 ] The CLKREQ# signal is an open drain, active low signal that is driven low by the remote Endpoint device. But it might not be driven low if no Endpoint device is connected. On i.MX8MM PCIe, phy_init() may fail and system boot may hang if no Endpoint is connected to assert CLKREQ#. Handle this as on i.MX8MQ, where we explicitly assert CLKREQ# so the PHY can be initialized. Link: https://lore.kernel.org/r/1645672013-8949-1-git-send-email-hongxing.zhu@nxp.com Fixes: 178e244cb6e2 ("PCI: imx: Add the imx8mm pcie support") Signed-off-by: Richard Zhu Signed-off-by: Lorenzo Pieralisi Reviewed-by: Lucas Stach Signed-off-by: Sasha Levin commit 4a1a82dc954b3f73a2fec93d254fba5af29656fe Author: Richard Zhu Date: Thu Mar 3 14:34:35 2022 +0800 PCI: imx6: Invoke the PHY exit function after PHY power off [ Upstream commit deaf7a2c2e4b5072a743633bf37c45f34426a093 ] To balance phy->init_count, invoke the phy_exit() after phy_power_off(). Link: https://lore.kernel.org/r/1646289275-17813-1-git-send-email-hongxing.zhu@nxp.com Fixes: 178e244cb6e2 ("PCI: imx: Add the imx8mm pcie support") Signed-off-by: Richard Zhu Signed-off-by: Lorenzo Pieralisi Reviewed-by: Lucas Stach Signed-off-by: Sasha Levin commit 99d6920bee1af79cee0cb6a3cf5f61967a38dc3c Author: Hangbin Liu Date: Tue Mar 15 14:26:18 2022 +0800 bareudp: use ipv6_mod_enabled to check if IPv6 enabled [ Upstream commit e077ed58c243afc197bc2a2ba0e1ff61135e4ec2 ] bareudp_create_sock() use AF_INET6 by default if IPv6 CONFIG enabled. But if user start kernel with ipv6.disable=1, the bareudp sock will created failed, which cause the interface open failed even with ethertype ip. e.g. # ip link add bareudp1 type bareudp dstport 2 ethertype ip # ip link set bareudp1 up RTNETLINK answers: Address family not supported by protocol Fix it by using ipv6_mod_enabled() to check if IPv6 enabled. There is no need to check IS_ENABLED(CONFIG_IPV6) as ipv6_mod_enabled() will return false when CONFIG_IPV6 no enabled in include/linux/ipv6.h. Reported-by: Jianlin Shi Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Hangbin Liu Link: https://lore.kernel.org/r/20220315062618.156230-1-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 97defb77ec2939bdd41041225d3675d6645d3943 Author: Oliver Hartkopp Date: Wed Mar 16 17:42:58 2022 +0100 can: isotp: support MSG_TRUNC flag when reading from socket [ Upstream commit 42bf50a1795a1854d48717b7361dbdbce496b16b ] When providing the MSG_TRUNC flag via recvmsg() syscall the return value provides the real length of the packet or datagram, even when it was longer than the passed buffer. Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1065932671 Link: https://lore.kernel.org/all/20220316164258.54155-3-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 1866771dea68c5fd4f6f4105d7dbe845b88b002e Author: Oliver Hartkopp Date: Wed Mar 16 17:42:57 2022 +0100 can: isotp: return -EADDRNOTAVAIL when reading from unbound socket [ Upstream commit 30ffd5332e06316bd69a654c06aa033872979b7c ] When reading from an unbound can-isotp socket the syscall blocked indefinitely. As unbound sockets (without given CAN address information) do not make sense anyway we directly return -EADDRNOTAVAIL on read() analogue to the known behavior from sendmsg(). Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/349 Link: https://lore.kernel.org/all/20220316164258.54155-2-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 10cdfbc5d03c624c2329c330036e4fcaa2dbc1f4 Author: Lorenzo Bianconi Date: Thu Mar 3 09:46:41 2022 +0100 mt76: mt7921: fix mt7921_queues_acq implementation [ Upstream commit 849ee6ac9dd3efd0a57cbc98b9a9d6ae87374aff ] Fix mt7921_queues_acq implementation according to the vendor sdk. Fixes: 474a9f21e2e20 ("mt76: mt7921: add debugfs support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 0582475e53b5875f842bec9f798ab9a335f44722 Author: Pablo Neira Ayuso Date: Wed Mar 16 11:19:43 2022 +0100 netfilter: flowtable: Fix QinQ and pppoe support for inet table [ Upstream commit 0492d857636e1c52cd71594a723c4b26a7b31978 ] nf_flow_offload_inet_hook() does not check for 802.1q and PPPoE. Fetch inner ethertype from these encapsulation protocols. Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") Fixes: 4cd91f7c290f ("netfilter: flowtable: add vlan support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 02e8969618fc63c836f5a6a495d53650c50fdb62 Author: José Roberto de Souza Date: Fri Mar 11 10:51:49 2022 -0800 drm/i915/display: Do not re-enable PSR after it was marked as not reliable [ Upstream commit 278da06c03655c2bb9bc36ebdf45b90a079b3bfd ] If a error happens and sink_not_reliable is set, PSR should be disabled for good but that is not happening. It would be disabled by the function handling the PSR error but then on the next fastset it would be enabled again in _intel_psr_post_plane_update(). It would only be disabled for good in the next modeset where has_psr will be set false. v2: - release psr lock before continue Fixes: 9ce5884e5139 ("drm/i915/display: Only keep PSR enabled if there is active planes") Reported-by: Khaled Almahallawy Reported-by: Charlton Lin Cc: Jouni Högander Signed-off-by: José Roberto de Souza Reviewed-by: Jouni Högander Link: https://patchwork.freedesktop.org/patch/msgid/20220311185149.110527-2-jose.souza@intel.com (cherry picked from commit 15f26bdc81f7f03561aaea5a10d87bd6638e1459) Signed-off-by: Joonas Lahtinen Signed-off-by: Sasha Levin commit e2a194c6818d8f187f46362855e5c4bf0739c262 Author: José Roberto de Souza Date: Fri Mar 11 10:51:48 2022 -0800 drm/i915/display: Fix HPD short pulse handling for eDP [ Upstream commit 3a84fd1ed53582b31e843a152ee3219e9e4ccb8c ] Commit 13ea6db2cf24 ("drm/i915/edp: Ignore short pulse when panel powered off") completely broke short pulse handling for eDP as it is usually generated by sink when it is displaying image and there is some error or status that source needs to handle. When power panel is enabled, this state is enough to power aux transactions and VDD override is disabled, so intel_pps_have_power() is always returning false causing short pulses to be ignored. So here better naming this function that intends to check if aux lines are powered to avoid the endless cycle mentioned in the commit being fixed and fixing the check for what it is intended. v2: - renamed to intel_pps_have_panel_power_or_vdd() - fixed indentation Fixes: 13ea6db2cf24 ("drm/i915/edp: Ignore short pulse when panel powered off") Cc: Anshuman Gupta Cc: Jani Nikula Cc: Uma Shankar Cc: Ville Syrjälä Reviewed-by: Ville Syrjälä Signed-off-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20220311185149.110527-1-jose.souza@intel.com (cherry picked from commit 8f0c1c0949b609acfad62b8d5f742a3b5e7b05ab) Signed-off-by: Joonas Lahtinen Signed-off-by: Sasha Levin commit 16fc7d5e13896cc98dbbd1a2b86d175560ba11b4 Author: Nicholas Piggin Date: Tue Jan 25 00:39:29 2022 +1000 powerpc/time: Fix KVM host re-arming a timer beyond decrementer range [ Upstream commit cf74ff52e352112be78c4c4c3637a37ec36a6608 ] If the next host timer is beyond decrementer range, timer_rearm_host_dec will leave decrementer not programmed. This will not cause a problem for the host it will just set the decrementer correctly when the decrementer interrupt hits, it seems safer not to leave the next host decrementer interrupt timing able to be influenced by a guest. This code is only used in the P9 KVM paths so it's unlikely to be hit practically unless large decrementer is force disabled in the host. Fixes: 25aa145856cd ("powerpc/time: add API for KVM to re-arm the host timer/decrementer") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220124143930.3923442-2-npiggin@gmail.com Signed-off-by: Sasha Levin commit 574b6e8f60b47a4955c0c815041b9e1e2806b71b Author: Randy Dunlap Date: Sat Mar 12 22:59:36 2022 -0800 powerpc/xive: fix return value of __setup handler [ Upstream commit d64e3eab75a8e1e900c0fda2410a2df8893d8f85 ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from xive_off() and xive_store_eoi_cmdline(). Fixes: 243e25112d06 ("powerpc/xive: Native exploitation of the XIVE interrupt controller") Fixes: c21ee04f11ae ("powerpc/xive: Add a kernel parameter for StoreEOI") [lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru] Reported-by: Igor Zhbanov : Signed-off-by: Randy Dunlap Reviewed-by: Cédric Le Goater Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220313065936.4363-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit b0b86b7ba7bc4f06d38c3d6273a906e4021dffbe Author: Bob Pearson Date: Thu Mar 3 18:07:57 2022 -0600 RDMA/rxe: Fix ref error in rxe_av.c [ Upstream commit 63221acb0c63141cc7650f8eefb148337061e6db ] The commit referenced below can take a reference to the AH which is never dropped. This only happens in the UD request path. This patch optionally passes that AH back to the caller so that it can hold the reference while the AV is being accessed and then drop it. Code to do this is added to rxe_req.c. The AV is also passed to rxe_prepare in rxe_net.c as an optimization. Fixes: e2fe06c90806 ("RDMA/rxe: Lookup kernel AH from ah index in UD WQEs") Link: https://lore.kernel.org/r/20220304000808.225811-2-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1a6fc3caf626aa8612015d074e8edce8c4aaf5d8 Author: Chengguang Xu Date: Mon Mar 7 22:50:46 2022 +0800 RDMA/rxe: Change variable and function argument to proper type [ Upstream commit 7e8e611d6a0ff228577b1167335ffefb0f44d5d8 ] The type of wqe length is u32 so in order to avoid overflow and shadow casting change variable and relevant function argument to proper type. Link: https://lore.kernel.org/r/20220307145047.3235675-1-cgxu519@mykernel.net Signed-off-by: Chengguang Xu Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit bbfcdd6289ba6f00f0cd7d496946dce9f6c600ac Author: Nicholas Kazlauskas Date: Mon Feb 28 10:48:56 2022 -0500 drm/amd/display: Fix double free during GPU reset on DC streams [ Upstream commit 32685b32d825ca08c5dec826477332df886c4743 ] [Why] The issue only occurs during the GPU reset code path. We first backup the current state prior to commiting 0 streams internally from DM to DC. This state backup contains valid link encoder assignments. DC will clear the link encoder assignments as part of current state (but not the backup, since it was a copied before the commit) and free the extra stream reference it held. DC requires that the link encoder assignments remain cleared/invalid prior to commiting. Since the backup still has valid assignments we call the interface post reset to clear them. This routine also releases the extra reference that the link encoder interface held - resulting in a double free (and eventually a NULL pointer dereference). [How] We'll have to do a full DC commit anyway after GPU reset because the stream count previously went to 0. We don't need to retain the assignment that we had backed up, so just copy off of the now clean current state assignment after the reset has occcurred with the new link_enc_cfg_copy() interface. Fixes: 6d63fcc2a334 ("drm/amd/display: Reset link encoder assignments for GPU reset") Reviewed-by: Jimmy Kizito Acked-by: Alan Liu Signed-off-by: Nicholas Kazlauskas Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit cfa9c20d964714470950cc3e216d0133e9309f1a Author: Dan Carpenter Date: Fri Mar 4 10:35:04 2022 +0300 USB: storage: ums-realtek: fix error code in rts51x_read_mem() [ Upstream commit b07cabb8361dc692522538205552b1b9dab134be ] The rts51x_read_mem() function should return negative error codes. Currently if the kmalloc() fails it returns USB_STOR_TRANSPORT_ERROR (3) which is treated as success by the callers. Fixes: 065e60964e29 ("ums_realtek: do not use stack memory for DMA") Acked-by: Alan Stern Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220304073504.GA26464@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 50831782781e34a053cf3444804d51eabcf37808 Author: Niklas Söderlund Date: Tue Mar 15 11:29:48 2022 +0100 samples/bpf, xdpsock: Fix race when running for fix duration of time [ Upstream commit 8fa42d78f6354bb96ad3a079dcbef528ca9fa9e0 ] When running xdpsock for a fix duration of time before terminating using --duration=, there is a race condition that may cause xdpsock to terminate immediately. When running for a fixed duration of time the check to determine when to terminate execution is in is_benchmark_done() and is being executed in the context of the poller thread, if (opt_duration > 0) { unsigned long dt = (get_nsecs() - start_time); if (dt >= opt_duration) benchmark_done = true; } However start_time is only set after the poller thread have been created. This leaves a small window when the poller thread is starting and calls is_benchmark_done() for the first time that start_time is not yet set. In that case start_time have its initial value of 0 and the duration check fails as it do not correlate correctly for the applications start time and immediately sets benchmark_done which in turn terminates the xdpsock application. Fix this by setting start_time before creating the poller thread. Fixes: d3f11b018f6c ("samples/bpf: xdpsock: Add duration option to specify how long to run") Signed-off-by: Niklas Söderlund Signed-off-by: Simon Horman Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220315102948.466436-1-niklas.soderlund@corigine.com Signed-off-by: Sasha Levin commit ac3ecb7760c750c8e4fc09c719241d8e6e88028c Author: Wang Yufen Date: Fri Mar 4 16:11:45 2022 +0800 bpf, sockmap: Fix double uncharge the mem of sk_msg [ Upstream commit 2486ab434b2c2a14e9237296db00b1e1b7ae3273 ] If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed. tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free() The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error. This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-5-wangyufen@huawei.com Signed-off-by: Sasha Levin commit abb4caa477a5450817d2aa1198edce66450aecf8 Author: Wang Yufen Date: Fri Mar 4 16:11:44 2022 +0800 bpf, sockmap: Fix more uncharged while msg has more_data [ Upstream commit 84472b436e760ba439e1969a9e3c5ae7c86de39d ] In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict() tosend = msg->sg.size //msg->sg.size = 22220 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000 goto more_data; tosend = msg->sg.size //msg->sg.size = 11000 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc The msg->sg.size(11000) has been uncharged twice, to fix we can charge the remaining msg->sg.size before goto more data. This issue can cause the following info: WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 ? vfs_write+0x237/0x290 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-4-wangyufen@huawei.com Signed-off-by: Sasha Levin commit d0b85dfc6f01d26808e2576c6537c131b590e270 Author: Wang Yufen Date: Fri Mar 4 16:11:43 2022 +0800 bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full [ Upstream commit 9c34e38c4a870eb30b13f42f5b44f42e9d19ccb8 ] If tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc() returns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial memory has been alloced by sk_msg_alloc(), that is, msg_tx->sg.size is greater than osize after sk_msg_alloc(), memleak occurs. To fix we use sk_msg_trim() to release the allocated memory, then goto wait for memory. Other call paths of sk_msg_alloc() have the similar issue, such as tls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(), as Cong Wang suggested. This issue can cause the following info: WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 kthread+0xe6/0x110 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-3-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 03948ed6553960db62f1c33bec29e64d7c191a3f Author: Wang Yufen Date: Fri Mar 4 16:11:42 2022 +0800 bpf, sockmap: Fix memleak in sk_psock_queue_msg [ Upstream commit 938d3480b92fa5e454b7734294f12a7b75126f09 ] If tcp_bpf_sendmsg is running during a tear down operation we may enqueue data on the ingress msg queue while tear down is trying to free it. sk1 (redirect sk2) sk2 ------------------- --------------- tcp_bpf_sendmsg() tcp_bpf_send_verdict() tcp_bpf_sendmsg_redir() bpf_tcp_ingress() sock_map_close() lock_sock() lock_sock() ... blocking sk_psock_stop sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); release_sock(sk); lock_sock() sk_mem_charge() get_page() sk_psock_queue_msg() sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED); drop_sk_msg() release_sock() While drop_sk_msg(), the msg has charged memory form sk by sk_mem_charge and has sg pages need to put. To fix we use sk_msg_free() and then kfee() msg. This issue can cause the following info: WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0 Call Trace: inet_csk_destroy_sock+0x55/0x110 tcp_rcv_state_process+0xe5f/0xe90 ? sk_filter_trim_cap+0x10d/0x230 ? tcp_v4_do_rcv+0x161/0x250 tcp_v4_do_rcv+0x161/0x250 tcp_v4_rcv+0xc3a/0xce0 ip_protocol_deliver_rcu+0x3d/0x230 ip_local_deliver_finish+0x54/0x60 ip_local_deliver+0xfd/0x110 ? ip_protocol_deliver_rcu+0x230/0x230 ip_rcv+0xd6/0x100 ? ip_local_deliver+0x110/0x110 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0xa4/0x160 __napi_poll+0x29/0x1b0 net_rx_action+0x287/0x300 __do_softirq+0xff/0x2fc do_softirq+0x79/0x90 WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 9635720b7c88 ("bpf, sockmap: Fix memleak on ingress msg enqueue") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-2-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 414b4e8738484379f18d6c4e780787c80dbf8a2c Author: Yongzhi Liu Date: Fri Mar 11 09:06:01 2022 -0800 RDMA/mlx5: Fix memory leak in error flow for subscribe event routine [ Upstream commit 087f9c3f2309ed183f7e4b85ae57121d8663224d ] In case the second xa_insert() fails, the obj_event is not released. Fix the error unwind flow to free that memory to avoid a memory leak. Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") Link: https://lore.kernel.org/r/1647018361-18266-1-git-send-email-lyz_cs@pku.edu.cn Signed-off-by: Yongzhi Liu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7826a1f517e17fe47b33cd7fb2efeff2f1913d6b Author: Leon Romanovsky Date: Wed Mar 9 20:42:13 2022 +0200 Revert "RDMA/core: Fix ib_qp_usecnt_dec() called when error" [ Upstream commit 7922d3de4d270a9aedb71212fc0d5ae697ced516 ] This reverts commit 7c4a539ec38f4ce400a0f3fcb5ff6c940fcd67bb. which causes to the following error in mlx4. Destroy of kernel CQ shouldn't fail WARNING: CPU: 4 PID: 18064 at include/rdma/ib_verbs.h:3936 mlx4_ib_dealloc_xrcd+0x12e/0x1b0 [mlx4_ib] Modules linked in: bonding ib_ipoib ip_gre ipip tunnel4 geneve rdma_ucm nf_tables ib_umad mlx4_en mlx4_ib ib_uverbs mlx4_core ip6_gre gre ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay fuse [last unloaded: mlx4_core] CPU: 4 PID: 18064 Comm: ibv_xsrq_pingpo Not tainted 5.17.0-rc7_master_62c6ecb #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx4_ib_dealloc_xrcd+0x12e/0x1b0 [mlx4_ib] Code: 1e 93 08 00 40 80 fd 01 0f 87 fa f1 04 00 83 e5 01 0f 85 2b ff ff ff 48 c7 c7 20 4f b6 a0 c6 05 fd 92 08 00 01 e8 47 c9 82 e2 <0f> 0b e9 11 ff ff ff 0f b6 2d eb 92 08 00 40 80 fd 01 0f 87 b1 f1 RSP: 0018:ffff8881a4957750 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8881ac4b6800 RCX: 0000000000000000 RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed103492aedc RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8884d2e378eb R10: ffffed109a5c6f1d R11: 0000000000000001 R12: ffff888132620000 R13: ffff8881a4957a90 R14: ffff8881aa2d4000 R15: ffff8881a4957ad0 FS: 00007f0401747740(0000) GS:ffff8884d2e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f8ae036118 CR3: 000000012fe94005 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ib_dealloc_xrcd_user+0xce/0x120 [ib_core] ib_uverbs_dealloc_xrcd+0xad/0x210 [ib_uverbs] uverbs_free_xrcd+0xe8/0x190 [ib_uverbs] destroy_hw_idr_uobject+0x7a/0x130 [ib_uverbs] uverbs_destroy_uobject+0x164/0x730 [ib_uverbs] uobj_destroy+0x72/0xf0 [ib_uverbs] ib_uverbs_cmd_verbs+0x19fb/0x3110 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x856/0x1550 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 7c4a539ec38f ("RDMA/core: Fix ib_qp_usecnt_dec() called when error") Link: https://lore.kernel.org/r/74c11029adaf449b3b9228a77cc82f39e9e892c8.1646851220.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7340c3675d7ac946f4019b84cd7c64ed542dfe4c Author: Dan Carpenter Date: Mon Mar 7 15:59:28 2022 +0300 RDMA/irdma: Prevent some integer underflows [ Upstream commit 6f6dbb819dfc1a35bcb8b709b5c83a3ea8beff75 ] My static checker complains that: drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init() warn: can subtract underflow 'info->dev->hmc_fpm_misc.max_ceqs'? It appears that "info->dev->hmc_fpm_misc.max_ceqs" comes from the firmware in irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could be zero. Even if we trust the firmware, it's easy enough to change the condition just as a hardenning measure. Fixes: 3f49d6842569 ("RDMA/irdma: Implement HW Admin Queue OPs") Link: https://lore.kernel.org/r/20220307125928.GE16710@kili Signed-off-by: Dan Carpenter Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2334f49e937646bde20f3c064f1da007d073a1f4 Author: Linus Walleij Date: Tue Mar 8 16:44:25 2022 +0100 power: ab8500_chargalg: Use CLOCK_MONOTONIC [ Upstream commit c22fca40522e2be8af168f3087d87d85e404ea72 ] The HRTimer in the AB8500 charging code is using CLOCK_REALTIME to set an alarm some hours forward in time +/- 5 min for a safety timer. I have observed that this will sometimes fire sporadically early when charging a battery with the result that charging stops. As CLOCK_REALTIME can be subject to adjustments of time from sources such as NTP, this cannot be trusted and will likely for example fire events if the clock is set forward some hours by say NTP. Use CLOCK_MONOTONIC as indicated in other instances and the problem goes away. Also initialize the timer to REL mode as this is what will be used later. Fixes: 257107ae6b9b ("ab8500-chargalg: Use hrtimer") Cc: Lee Jones Suggested-by: Matti Vaittinen Signed-off-by: Linus Walleij Reviewed-by: Matti Vaittinen Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit f1694169f3674cdf7553aed06864254635679878 Author: Xin Xiong Date: Fri Mar 4 16:53:32 2022 +0800 mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init [ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ] The reference counting issue happens in several error handling paths on a refcounted object "nc->dmac". In these paths, the function simply returns the error code, forgetting to balance the reference count of "nc->dmac", increased earlier by dma_request_channel(), which may cause refcount leaks. Fix it by decrementing the refcount of specific object in those error paths. Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") Co-developed-by: Xiyu Yang Signed-off-by: Xiyu Yang Co-developed-by: Xin Tan Signed-off-by: Xin Tan Signed-off-by: Xin Xiong Reviewed-by: Claudiu Beznea Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn Signed-off-by: Sasha Levin commit 1bf0d78c8cc3cf615a6e7bf33ada70b73592f0a1 Author: Yaliang Wang Date: Thu Mar 10 19:31:16 2022 +0800 MIPS: pgalloc: fix memory leak caused by pgd_free() [ Upstream commit 2bc5bab9a763d520937e4f3fe8df51c6a1eceb97 ] pgd page is freed by generic implementation pgd_free() since commit f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()"), however, there are scenarios that the system uses more than one page as the pgd table, in such cases the generic implementation pgd_free() won't be applicable anymore. For example, when PAGE_SIZE_4KB is enabled and MIPS_VA_BITS_48 is not enabled in a 64bit system, the macro "PGD_ORDER" will be set as "1", which will cause allocating two pages as the pgd table. Well, at the same time, the generic implementation pgd_free() just free one pgd page, which will result in the memory leak. The memory leak can be easily detected by executing shell command: "while true; do ls > /dev/null; grep MemFree /proc/meminfo; done" Fixes: f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()") Signed-off-by: Yaliang Wang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 9404107dcf2766dc1a8bf0c3dcd7dbd5a35ac5c6 Author: Randy Dunlap Date: Fri Mar 11 20:20:26 2022 -0800 MIPS: RB532: fix return value of __setup handler [ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from setup_kmac(). Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().") Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system") Signed-off-by: Randy Dunlap From: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Phil Sutter Cc: Florian Fainelli Cc: Ralf Baechle Cc: Daniel Walter Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 721ab4be20d4448dd04c2cc8ed99cd4f3e45f765 Author: Miaoqian Lin Date: Wed Mar 9 09:17:10 2022 +0000 mips: cdmm: Fix refcount leak in mips_cdmm_phys_base [ Upstream commit 4528668ca331f7ce5999b7746657b46db5b3b785 ] The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. Fixes: 2121aa3e2312 ("mips: cdmm: Add mti,mips-cdmm dtb node support") Signed-off-by: Miaoqian Lin Acked-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 4ed37d611ea5d222c3ecb3549e4c2d34b8f3c335 Author: Miaoqian Lin Date: Tue Mar 8 07:02:38 2022 +0000 ath10k: Fix error handling in ath10k_setup_msa_resources [ Upstream commit 9747a78d5f758a5284751a10aee13c30d02bd5f1 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: 727fec790ead ("ath10k: Setup the msa resources before qmi init") Signed-off-by: Miaoqian Lin Reviewed-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220308070238.19295-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit b1b4345ce83e6e04c3cc055f22eaaa20bdbb60c1 Author: Oliver Hartkopp Date: Wed Mar 9 13:04:16 2022 +0100 vxcan: enable local echo for sent CAN frames [ Upstream commit 259bdba27e32368b4404f69d613b1c1014c07cbf ] The vxcan driver provides a pair of virtual CAN interfaces to exchange CAN traffic between different namespaces - analogue to veth. In opposite to the vcan driver the local sent CAN traffic on this interface is not echo'ed back but only sent to the remote peer. This is unusual and can be easily fixed by removing IFF_ECHO from the netdevice flags that are set for vxcan interfaces by default at startup. Without IFF_ECHO set on driver level, the local sent CAN frames are echo'ed in af_can.c in can_send(). This patch makes vxcan interfaces adopt the same local echo behavior and procedures as known from the vcan interfaces. Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)") Link: https://lore.kernel.org/all/20220309120416.83514-5-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 84a8ecddac421fbcb0bc8c2a9fd9c84a168543bb Author: Johannes Berg Date: Fri Mar 4 13:21:24 2022 +0200 iwlwifi: pcie: fix SW error MSI-X mapping [ Upstream commit 7b9f485091a5755f6e0a7dd3725f3b312768ecd0 ] We need to also update the IVAR location, since we've shifted the bit. Signed-off-by: Johannes Berg Fixes: 571836a02c7b ("iwlwifi: pcie: update sw error interrupt for BZ family") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220304131517.bcfb28484e50.I921df6b5134785d7eeb0c934e4a43157c582fa79@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit ea85a459c098d303e2d60d35a68a77313d42220d Author: Max Filippov Date: Tue Dec 28 01:20:20 2021 -0800 xtensa: add missing XCHAL_HAVE_WINDOWED check [ Upstream commit 8c9ab55c0fbdc76cb876140c2dad75a610bb23ef ] Add missing preprocessor conditions to secondary reset vector code. Fixes: 09af39f649da ("xtensa: use register window specific opcodes only when present") Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit b3795097173784c9985dcf374c995274d199f3ef Author: Hangyu Hua Date: Wed Feb 23 15:02:23 2022 +0800 powerpc: 8xx: fix a return value error in mpc8xx_pic_init [ Upstream commit 3fd46e551f67f4303c3276a0d6cd20baf2d192c4 ] mpc8xx_pic_init() should return -ENOMEM instead of 0 when irq_domain_add_linear() return NULL. This cause mpc8xx_pics_init to continue executing even if mpc8xx_pic_host is NULL. Fixes: cc76404feaed ("powerpc/8xx: Fix possible device node reference leak") Signed-off-by: Hangyu Hua Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220223070223.26845-1-hbh25y@gmail.com Signed-off-by: Sasha Levin commit fb28e1b227fc1d23eae4436e12316ac7fd017df1 Author: Sreekanth Reddy Date: Thu Mar 3 19:32:30 2022 +0530 scsi: mpt3sas: Fix incorrect 4GB boundary check [ Upstream commit 208cc9fe6f21112b5cc6cb87065fb8ab66e79316 ] The driver must perform its 4GB boundary check using the pool's DMA address instead of using the virtual address. Link: https://lore.kernel.org/r/20220303140230.13098-1-sreekanth.reddy@broadcom.com Fixes: d6adc251dd2f ("scsi: mpt3sas: Force PCIe scatterlist allocations to be within same 4 GB region") Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 63f4a625389efbd6e7a5dcb28ae0aa2c741b11dd Author: Jia-Ju Bai Date: Wed Mar 2 18:24:21 2022 -0800 platform/x86: huawei-wmi: check the return value of device_create_file() [ Upstream commit c91a5b1c221a58d008485cf7d02ccce73108b119 ] The function device_create_file() in huawei_wmi_battery_add() can fail, so its return value should be checked. Fixes: 355a070b09ab ("platform/x86: huawei-wmi: Add battery charging thresholds") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220303022421.313-1-baijiaju1990@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 1b1722f3deb223047c4866ff513f68c532b1e7d3 Author: Felix Maurer Date: Thu Mar 3 12:15:26 2022 +0100 selftests/bpf: Make test_lwt_ip_encap more stable and faster [ Upstream commit d23a8720327d33616f584d76c80824bfa4699be6 ] In test_lwt_ip_encap, the ingress IPv6 encap test failed from time to time. The failure occured when an IPv4 ping through the IPv6 GRE encapsulation did not receive a reply within the timeout. The IPv4 ping and the IPv6 ping in the test used different timeouts (1 sec for IPv4 and 6 sec for IPv6), probably taking into account that IPv6 might need longer to successfully complete. However, when IPv4 pings (with the short timeout) are encapsulated into the IPv6 tunnel, the delays of IPv6 apply. The actual reason for the long delays with IPv6 was that the IPv6 neighbor discovery sometimes did not complete in time. This was caused by the outgoing interface only having a tentative link local address, i.e., not having completed DAD for that lladdr. The ND was successfully retried after 1 sec but that was too late for the ping timeout. The IPv6 addresses for the test were already added with nodad. However, for the lladdrs, DAD was still performed. We now disable DAD in the test netns completely and just assume that the two lladdrs on each veth pair do not collide. This removes all the delays for IPv6 traffic in the test. Without the delays, we can now also reduce the delay of the IPv6 ping to 1 sec. This makes the whole test complete faster because we don't need to wait for the excessive timeout for each IPv6 ping that is supposed to fail. Fixes: 0fde56e4385b0 ("selftests: bpf: add test_lwt_ip_encap selftest") Signed-off-by: Felix Maurer Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/4987d549d48b4e316cd5b3936de69c8d4bc75a4f.1646305899.git.fmaurer@redhat.com Signed-off-by: Sasha Levin commit f0eaa23f1273f6303ce8bf745c0a5a2faf1b32bb Author: lic121 Date: Tue Mar 1 13:26:23 2022 +0000 libbpf: Unmap rings when umem deleted [ Upstream commit 9c6e6a80ee741adf6cb3cfd8eef7d1554f91fceb ] xsk_umem__create() does mmap for fill/comp rings, but xsk_umem__delete() doesn't do the unmap. This works fine for regular cases, because xsk_socket__delete() does unmap for the rings. But for the case that xsk_socket__create_shared() fails, umem rings are not unmapped. fill_save/comp_save are checked to determine if rings have already be unmapped by xsk. If fill_save and comp_save are NULL, it means that the rings have already been used by xsk. Then they are supposed to be unmapped by xsk_socket__delete(). Otherwise, xsk_umem__delete() does the unmap. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Cheng Li Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220301132623.GA19995@vscode.7~ Signed-off-by: Sasha Levin commit 1e702504beabeedeaebaf6cd3a442ba6aee23d69 Author: Jiasheng Jiang Date: Thu Feb 24 10:23:31 2022 +0800 mfd: mc13xxx: Add check for mc13xxx_irq_request [ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the mc13xxx_irq_request() and return error if fails. Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx") Signed-off-by: Jiasheng Jiang Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 093449bb182db885dae816d62874cccab7a4c42a Author: Michael Ellerman Date: Tue Feb 22 22:34:49 2022 +1100 powerpc/64s: Don't use DSISR for SLB faults [ Upstream commit d4679ac8ea2e5078704aa1c026db36580cc1bf9a ] Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") we use page_fault_is_write(regs->dsisr) in __bad_page_fault() to determine if the fault is for a read or write, and change the message printed accordingly. But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data Storage Interrupt Status Register) to a useful value. All ISA versions from v2.03 through v3.1 specify that the Data Segment Interrupt sets DSISR "to an undefined value". As far as I can see there's no mention of SLB faults setting DSISR in any BookIV content either. This manifests as accesses that should be a read being incorrectly reported as writes, for example, using the xmon "dump" command: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000 [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400] pc: c00000000010a300: mread+0x90/0x190 If we disassemble the PC, we see a load instruction: 0:mon> di c00000000010a300 c00000000010a300 89490000 lbz r10,0(r9) We can also see in exceptions-64s.S that the data_access_slb block doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So the value we're using to determine if the fault is a read/write is some stale value in pt_regs from a previous page fault. Rework the printing logic to separate the SLB fault case out, and only print read/write in the cases where we can determine it. The result looks like eg: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000 [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390] 0:mon> d 0 0000000000000000 [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000 [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390] Fixes: 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") Reported-by: Nageswara R Sastry Signed-off-by: Michael Ellerman Reviewed-by: Nicholas Piggin Link: https://lore.kernel.org/r/20220222113449.319193-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit cffe6b5344953727571dbf5df72d459447eae258 Author: Jakob Koschel Date: Mon Feb 28 15:24:33 2022 +0100 powerpc/sysdev: fix incorrect use to determine if list is empty [ Upstream commit fa1321b11bd01752f5be2415e74a0e1a7c378262 ] 'gtm' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 83ff9dcf375c ("powerpc/sysdev: implement FSL GTM support") Signed-off-by: Jakob Koschel Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220228142434.576226-1-jakobkoschel@gmail.com Signed-off-by: Sasha Levin commit 7379ad25949c2917559c502b2bef6a4123827f92 Author: Maciej W. Rozycki Date: Fri Mar 4 21:13:11 2022 +0000 MIPS: Sanitise Cavium switch cases in TLB handler synthesizers [ Upstream commit 6ddcba9d480b6bcced4223a729794dfa6becb7eb ] It makes no sense to fall through to `break'. Therefore reorder the switch statements so as to have the Cavium cases first, followed by the default case, which improves readability and pacifies code analysis tools. No change in semantics, assembly produced is exactly the same. Reported-by: kernel test robot Signed-off-by: Maciej W. Rozycki Fixes: bc431d2153cc ("MIPS: Fix fall-through warnings for Clang") Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit d6eb8b15b19d7c2478e39eced9ae163784e70c09 Author: Randy Dunlap Date: Fri Mar 4 08:24:27 2022 -0800 mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n [ Upstream commit 97bf0395c226907e1a9b908511a35192bf1e09bb ] Include the DECstation interrupt handler in opting out of FPU support. Fixes a linker error: mips-linux-ld: arch/mips/dec/int-handler.o: in function `fpu': (.text+0x148): undefined reference to `handle_fpe_int' Fixes: 183b40f992c8 ("MIPS: Allow FP support to be disabled") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Paul Burton Cc: Thomas Bogendoerfer Cc: Maciej W. Rozycki Cc: linux-mips@vger.kernel.org Acked-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 6f85bff46cee5df98e9c6800e2c186227b7488f0 Author: Rob Clark Date: Sat Mar 5 09:34:03 2022 -0800 drm/msm/a6xx: Fix missing ARRAY_SIZE() check [ Upstream commit cca96584b35765bf9eb5f38ca55a144ea2ba0de4 ] Fixes: f6d62d091cfd ("drm/msm/a6xx: add support for Adreno 660 GPU") Signed-off-by: Rob Clark Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220305173405.914989-1-robdclark@gmail.com Signed-off-by: Sasha Levin commit 74d539719fce07b5dfc8a74fdd916d1ae0267663 Author: Robert Hancock Date: Fri Mar 4 20:24:37 2022 -0600 net: axienet: fix RX ring refill allocation failure handling [ Upstream commit 7a7d340ba4d9351e4c8847b898a2b996727a922a ] If a memory allocation error occurred during an attempt to refill a slot in the RX ring after the packet was received, the hardware tail pointer would still have been updated to point to or past the slot which remained marked as previously completed. This would likely result in the DMA engine raising an error when it eventually tried to use that slot again. If a slot cannot be refilled, then just stop processing and do not move the tail pointer past it. On the next attempt, we should skip receiving the packet from the empty slot and just try to refill it again. This failure mode has not actually been observed, but was found as part of other driver updates. Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 54054e4ea188d99cfcdaafc255477f51b296c655 Author: Mark Tomlinson Date: Thu Aug 6 16:14:55 2020 +1200 PCI: Reduce warnings on possible RW1C corruption [ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ] For hardware that only supports 32-bit writes to PCI there is the possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited messages was introduced by fb2659230120, but rate-limiting is not the best choice here. Some devices may not show the warnings they should if another device has just produced a bunch of warnings. Also, the number of messages can be a nuisance on devices which are otherwise working fine. Change the ratelimit to a single warning per bus. This ensures no bus is 'starved' of emitting a warning and also that there isn't a continuous stream of warnings. It would be preferable to have a warning per device, but the pci_dev structure is not available here, and a lookup from devfn would be far too slow. Suggested-by: Bjorn Helgaas Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes") Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz Signed-off-by: Mark Tomlinson Signed-off-by: Bjorn Helgaas Reviewed-by: Florian Fainelli Reviewed-by: Rob Herring Acked-by: Scott Branden Signed-off-by: Sasha Levin commit a75a91a3ac514cc2c849a4bb8141e6cbf2573da5 Author: Yajun Deng Date: Thu Mar 3 10:42:32 2022 +0800 RDMA/core: Fix ib_qp_usecnt_dec() called when error [ Upstream commit 7c4a539ec38f4ce400a0f3fcb5ff6c940fcd67bb ] ib_destroy_qp() would called by ib_create_qp_user() if error, the former contains ib_qp_usecnt_dec(), but ib_qp_usecnt_inc() was not called before. So move ib_qp_usecnt_inc() into create_qp(). Fixes: d2b10794fc13 ("RDMA/core: Create clean QP creations interface for uverbs") Link: https://lore.kernel.org/r/20220303024232.2847388-1-yajun.deng@linux.dev Signed-off-by: Yajun Deng Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3fd2d8548d086e050b14e2bbe05ffc5929d9f0f3 Author: Mike Marciniszyn Date: Tue Feb 8 14:25:09 2022 -0500 IB/hfi1: Allow larger MTU without AIP [ Upstream commit b135e324d7a2e7fa0a7ef925076136e799b79f44 ] The AIP code signals the phys_mtu in the following query_port() fragment: props->phys_mtu = HFI1_CAP_IS_KSET(AIP) ? hfi1_max_mtu : ib_mtu_enum_to_int(props->max_mtu); Using the largest MTU possible should not depend on AIP. Fix by unconditionally using the hfi1_max_mtu value. Fixes: 6d72344cf6c4 ("IB/ipoib: Increase ipoib Datagram mode MTU's upper limit") Link: https://lore.kernel.org/r/1644348309-174874-1-git-send-email-mike.marciniszyn@cornelisnetworks.com Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 011ce263361608bb2a1a5cbcc0e3c53b1d7a41d7 Author: Jiasheng Jiang Date: Thu Mar 3 17:43:22 2022 +0800 power: supply: wm8350-power: Add missing free in free_charger_irq [ Upstream commit 6dee930f6f6776d1e5a7edf542c6863b47d9f078 ] In free_charger_irq(), there is no free for 'WM8350_IRQ_CHG_FAST_RDY'. Therefore, it should be better to add it in order to avoid the memory leak. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit c1e62957d33fe21165ff199a078870695a070154 Author: Jiasheng Jiang Date: Fri Mar 4 09:57:51 2022 +0800 power: supply: wm8350-power: Handle error for wm8350_register_irq [ Upstream commit b0b14b5ba11bec56fad344a4a0b2e16449cc8b94 ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid same code. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0f526a6d3e9347d94c2c0b5292a3cb3b25115019 Author: Radoslaw Biernacki Date: Tue Feb 1 20:10:32 2022 +0000 Bluetooth: Fix skb allocation in mgmt_remote_name() & mgmt_device_connected() [ Upstream commit ba17bb62ce415950753c19d16bb43b2bd3701158 ] This patch fixes skb allocation, as lack of space for ev might push skb tail beyond its end. Also introduce eir_precalc_len() that can be used instead of magic numbers for similar eir operations on skb. Fixes: cf1bce1de7eeb ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_FOUND") Fixes: e96741437ef0a ("Bluetooth: mgmt: Make use of mgmt_send_event_skb in MGMT_EV_DEVICE_CONNECTED") Signed-off-by: Angela Czubak Signed-off-by: Marek Maslanka Signed-off-by: Radoslaw Biernacki Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 21ef1c8dbb9ad98e4afe7856b9c3ef6fe0df31a0 Author: Tom Rix Date: Tue Feb 1 09:42:56 2022 -0800 Bluetooth: hci_sync: fix undefined return of hci_disconnect_all_sync() [ Upstream commit 8cd3c55c629efd91e5f2b3e89d850575c5b90d47 ] clang static analysis reports this problem hci_sync.c:4428:2: warning: Undefined or garbage value returned to caller return err; ^~~~~~~~~~ If there are no connections this function is a noop but err is never set and a false error could be reported. Return 0 as other hci_* functions do. Fixes: 182ee45da083 ("Bluetooth: hci_sync: Rework hci_suspend_notifier") Signed-off-by: Tom Rix Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit f4af43f565bbfb1d97894d6d4dcfb96900b8be93 Author: Divya Koppera Date: Fri Mar 4 15:04:16 2022 +0530 net: phy: micrel: Fix concurrent register access [ Upstream commit 4488f6b6148045424459ef1d5b153c6895ee1dbb ] Make Extended page register accessing atomic, to overcome unexpected output from register reads/writes. Fixes: 7c2dcfa295b1 ("net: phy: micrel: Add support for LAN8804 PHY") Signed-off-by: Divya Koppera Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 624666e99444ec5b50e894675cfdf2e8c2dfa33d Author: Robert Hancock Date: Thu Jan 27 11:50:13 2022 -0600 i2c: xiic: Make bus names unique [ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ] This driver is for an FPGA logic core, so there can be arbitrarily many instances of the bus on a given system. Previously all of the I2C bus names were "xiic-i2c" which caused issues with lm_sensors when trying to map human-readable names to sensor inputs because it could not properly distinguish the busses, for example. Append the platform device name to the I2C bus name so it is unique between different instances. Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") Signed-off-by: Robert Hancock Tested-by: Michal Simek Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 51b81983f94ff3785ed81484d90e0a513ef9435e Author: Mark Brown Date: Fri Feb 25 18:46:58 2022 +0000 KVM: arm64: Enable Cortex-A510 erratum 2077057 by default [ Upstream commit 4c11113c1a3d10f5b617e5d2b9acd8d1d715450f ] The recently added configuration option for Cortex A510 erratum 2077057 does not have a "default y" unlike other errata fixes. This appears to simply be an oversight since the help text suggests enabling the option if unsure and there's nothing in the commit log to suggest it is intentional. Fixes: 1dd498e5e26ad ("KVM: arm64: Workaround Cortex-A510's single-step and PAC trap errata") Signed-off-by: Mark Brown Acked-by: Catalin Marinas Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220225184658.172527-1-broonie@kernel.org Signed-off-by: Sasha Levin commit 4e2ce79413e94ae819884e07dfc311589c100e95 Author: Anssi Hannula Date: Tue Feb 22 16:14:00 2022 +0200 hv_balloon: rate-limit "Unhandled message" warning [ Upstream commit 1d7286729aa616772be334eb908e11f527e1e291 ] For a couple of times I have encountered a situation where hv_balloon: Unhandled message: type: 12447 is being flooded over 1 million times per second with various values, filling the log and consuming cycles, making debugging difficult. Add rate limiting to the message. Most other Hyper-V drivers already have similar rate limiting in their message callbacks. The cause of the floods in my case was probably fixed by 96d9d1fa5cd5 ("Drivers: hv: balloon: account for vmbus packet header in max_pkt_size"). Fixes: 9aa8b50b2b3d ("Drivers: hv: Add Hyper-V balloon driver") Signed-off-by: Anssi Hannula Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20220222141400.98160-1-anssi.hannula@bitwise.fi Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 2d88154ed14da500e5bca4b26d03aba0f1c16add Author: Sean Christopherson Date: Fri Feb 25 20:52:09 2022 +0000 KVM: SVM: Exit to userspace on ENOMEM/EFAULT GHCB errors [ Upstream commit aa9f58415a8e45598bf44befa90b9d5babe09601 ] Exit to userspace if setup_vmgexit_scratch() fails due to OOM or because copying data from guest (userspace) memory failed/faulted. The OOM scenario is clearcut, it's userspace's decision as to whether it should terminate the guest, free memory, etc... As for -EFAULT, arguably, any guest issue is a violation of the guest's contract with userspace, and thus userspace needs to decide how to proceed. E.g. userspace defines what is RAM vs. MMIO and communicates that directly to the guest, KVM is not involved in deciding what is/isn't RAM nor in communicating that information to the guest. If the scratch GPA doesn't resolve to a memslot, then the guest is not honoring the memory configuration as defined by userspace. And if userspace unmaps an hva for whatever reason, then exiting to userspace with -EFAULT is absolutely the right thing to do. KVM's ABI currently sucks and doesn't provide enough information to act on the -EFAULT, but that will hopefully be remedied in the future as there are multiple use cases, e.g. uffd and virtiofs truncation, that shouldn't require any work in KVM beyond returning -EFAULT with a small amount of metadata. KVM could define its ABI such that failure to access the scratch area is reflected into the guest, i.e. establish a contract with userspace, but that's undesirable as it limits KVM's options in the future, e.g. in the potential uffd case any failure on a uaccess needs to kick out to userspace. KVM does have several cases where it reflects these errors into the guest, e.g. kvm_pv_clock_pairing() and Hyper-V emulation, but KVM would preferably "fix" those instead of propagating the falsehood that any memory failure is the guest's fault. Lastly, returning a boolean as an "error" for that a helper that isn't named accordingly never works out well. Fixes: ad5b353240c8 ("KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure") Cc: Alper Gun Cc: Peter Gonda Signed-off-by: Sean Christopherson Message-Id: <20220225205209.3881130-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 207cd150472357da4aa29810f0a829535559f978 Author: Hou Wenlong Date: Tue Feb 8 17:34:03 2022 +0800 KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() [ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ] Per Intel's SDM on the "Instruction Set Reference", when loading segment descriptor, not-present segment check should be after all type and privilege checks. But the emulator checks it first, then #NP is triggered instead of #GP if privilege fails and segment is not present. Put not-present segment check after type and privilege checks in __load_segment_descriptor(). Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c) Reviewed-by: Sean Christopherson Signed-off-by: Hou Wenlong Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit ab6b8e71bb67ef3bb72e715f45f862b912893279 Author: Zhenzhong Duan Date: Thu Feb 10 17:45:06 2022 +0800 KVM: x86: Fix emulation in writing cr8 [ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ] In emulation of writing to cr8, one of the lowest four bits in TPR[3:0] is kept. According to Intel SDM 10.8.6.1(baremetal scenario): "APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0"; and SDM 28.3(use TPR shadow): "MOV to CR8. The instruction stores bits 3:0 of its source operand into bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are cleared."; and AMD's APM 16.6.4: "Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the current sub-priority to be used when arbitrating lowest-priority messages. This field is written with zero when TPR is written using the architectural CR8 register."; so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior as in other scenarios. This doesn't impact evaluation and delivery of pending virtual interrupts because processor does not use the processor-priority sub-class to determine which interrupts to delivery and which to inhibit. Sub-class is used by hardware to arbitrate lowest priority interrupts, but KVM just does a round-robin style delivery. Fixes: b93463aa59d6 ("KVM: Accelerated apic support") Signed-off-by: Zhenzhong Duan Reviewed-by: Sean Christopherson Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit e27256a55e6dd6d83818f70eed0e9dcd6e85e319 Author: Michael Ellerman Date: Tue Feb 15 22:28:58 2022 +1100 powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit [ Upstream commit 2863dd2db23e0407f6c50b8ba5c0e55abef894f1 ] When CONFIG_GENERIC_CPU=y (true for all our defconfigs) we pass -mcpu=powerpc64 to the compiler, even when we're building a 32-bit kernel. This happens because we have an ifdef CONFIG_PPC_BOOK3S_64/else block in the Makefile that was written before 32-bit supported GENERIC_CPU. Prior to that the else block only applied to 64-bit Book3E. The GCC man page says -mcpu=powerpc64 "[specifies] a pure ... 64-bit big endian PowerPC ... architecture machine [type], with an appropriate, generic processor model assumed for scheduling purposes." It's unclear how that interacts with -m32, which we are also passing, although obviously -m32 is taking precedence in some sense, as the 32-bit kernel only contains 32-bit instructions. This was noticed by inspection, not via any bug reports, but it does affect code generation. Comparing before/after code generation, there are some changes to instruction scheduling, and the after case (with -mcpu=powerpc64 removed) the compiler seems more keen to use r8. Fix it by making the else case only apply to Book3E 64, which excludes 32-bit. Fixes: 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220215112858.304779-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 8915146b93046f5a7064c58efb6861cd1c951591 Author: Daniel Henrique Barboza Date: Thu Feb 24 15:23:12 2022 -0300 powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() [ Upstream commit 749ed4a20657bcea66a6e082ca3dc0d228cbec80 ] Executing node_set_online() when nid = NUMA_NO_NODE results in an undefined behavior. node_set_online() will call node_set_state(), into __node_set(), into set_bit(), and since NUMA_NO_NODE is -1 we'll end up doing a negative shift operation inside arch/powerpc/include/asm/bitops.h. This potential UB was detected running a kernel with CONFIG_UBSAN. The behavior was introduced by commit 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0"), where the check for nid > 0 was removed to fix a problem that was happening with nid = 0, but the result is that now we're trying to online NUMA_NO_NODE nids as well. Checking for nid >= 0 will allow node 0 to be onlined while avoiding this UB with NUMA_NO_NODE. Fixes: 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0") Reported-by: Ping Fang Signed-off-by: Daniel Henrique Barboza Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224182312.1012527-1-danielhb413@gmail.com Signed-off-by: Sasha Levin commit 2c6b80f1aec156305252bede370805b3daa68937 Author: Xu Kuohai Date: Tue Mar 1 00:32:49 2022 -0500 libbpf: Skip forward declaration when counting duplicated type names [ Upstream commit 4226961b0019b2e1612029e8950a9e911affc995 ] Currently if a declaration appears in the BTF before the definition, the definition is dumped as a conflicting name, e.g.: $ bpftool btf dump file vmlinux format raw | grep "'unix_sock'" [81287] FWD 'unix_sock' fwd_kind=struct [89336] STRUCT 'unix_sock' size=1024 vlen=14 $ bpftool btf dump file vmlinux format c | grep "struct unix_sock" struct unix_sock; struct unix_sock___2 { <--- conflict, the "___2" is unexpected struct unix_sock___2 *unix_sk; This causes a compilation error if the dump output is used as a header file. Fix it by skipping declaration when counting duplicated type names. Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") Signed-off-by: Xu Kuohai Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220301053250.1464204-2-xukuohai@huawei.com Signed-off-by: Sasha Levin commit fe1ce680560d4f0049ffa0c687de17567421c1ec Author: Christophe JAILLET Date: Sun Nov 7 22:16:36 2021 +0100 gpu: host1x: Fix a memory leak in 'host1x_remove()' [ Upstream commit 025c6643a81564f066d8381b9e2f4603e0f8438f ] Add a missing 'host1x_channel_list_free()' call in the remove function, as already done in the error handling path of the probe function. Fixes: 8474b02531c4 ("gpu: host1x: Refactor channel allocation code") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 87098615af780763970b852e853e33f67f1518fb Author: Christophe JAILLET Date: Sun Nov 7 22:16:25 2021 +0100 gpu: host1x: Fix an error handling path in 'host1x_probe()' [ Upstream commit e5d5db1a79a5929b9ced99472f9a748a243d6a69 ] Add the missing 'host1x_bo_cache_destroy()' call in the error handling path of the probe, as already done in the remove function. In order to simplify the error handling, move the 'host1x_bo_cache_init()' call after all the devm_ function. Fixes: 1f39b1dfa53c ("drm/tegra: Implement buffer object cache") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit e65591860cf32770b480e6add2dc6dd0a8d724db Author: Stijn Tintel Date: Fri Feb 25 17:23:55 2022 +0200 libbpf: Fix BPF_MAP_TYPE_PERF_EVENT_ARRAY auto-pinning [ Upstream commit a4fbfdd7a160eccaafc093eb5b34f838b1ca0bf0 ] When a BPF map of type BPF_MAP_TYPE_PERF_EVENT_ARRAY doesn't have the max_entries parameter set, the map will be created with max_entries set to the number of available CPUs. When we try to reuse such a pinned map, map_is_reuse_compat will return false, as max_entries in the map definition differs from max_entries of the existing map, causing the following error: libbpf: couldn't reuse pinned map at '/sys/fs/bpf/m_logging': parameter mismatch Fix this by overwriting max_entries in the map definition. For this to work, we need to do this in bpf_object__create_maps, before calling bpf_object__reuse_map. Fixes: 57a00f41644f ("libbpf: Add auto-pinning of maps when loading BPF objects") Signed-off-by: Stijn Tintel Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220225152355.315204-1-stijn@linux-ipv6.be Signed-off-by: Sasha Levin commit ef3ad5faa450d5f552e41960a9ef00a011025c83 Author: Mustafa Ismail Date: Fri Feb 25 10:32:11 2022 -0600 RDMA/irdma: Remove incorrect masking of PD [ Upstream commit 17850f2b0b4b806e47cc44df94186bfc2cdd490b ] The PD id is masked with 0x7fff, while PD can be 18 bits for GEN2 HW. Remove the masking as it should not be needed and can cause incorrect PD id to be used. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Link: https://lore.kernel.org/r/20220225163211.127-4-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e48cf1c73f262d083d8f0af3e2daa1f1909eb70b Author: Mustafa Ismail Date: Fri Feb 25 10:32:10 2022 -0600 RDMA/irdma: Fix Passthrough mode in VM [ Upstream commit b200189626b5cefbaf8be9cadd7a28215e065bb9 ] Using PCI_FUNC macro in a VM, when the device is in passthrough mode does not provide the real function instance. This means that currently, devices will not probe unless the instance in the VM matches the instance in the host. Fix this by getting the pf_id from the LAN during the probe. Fixes: 8498a30e1b94 ("RDMA/irdma: Register auxiliary driver and implement private channel OPs") Link: https://lore.kernel.org/r/20220225163211.127-3-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 38826277b043e66794bf4938016a042bc087456a Author: Mustafa Ismail Date: Fri Feb 25 10:32:09 2022 -0600 RDMA/irdma: Fix netdev notifications for vlan's [ Upstream commit 6702bc14744847842a87fed21a795b6e8bab6965 ] Currently, events on vlan netdevs are being ignored. Fix this by finding the real netdev and processing the notifications for vlan netdevs. Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") Link: https://lore.kernel.org/r/20220225163211.127-2-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 8a2dea162b92c322f3e42eae0c4a74b8d20aa7a9 Author: Magnus Karlsson Date: Mon Feb 28 10:45:52 2022 +0100 xsk: Fix race at socket teardown [ Upstream commit 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 ] Fix a race in the xsk socket teardown code that can lead to a NULL pointer dereference splat. The current xsk unbind code in xsk_unbind_dev() starts by setting xs->state to XSK_UNBOUND, sets xs->dev to NULL and then waits for any NAPI processing to terminate using synchronize_net(). After that, the release code starts to tear down the socket state and free allocated memory. BUG: kernel NULL pointer dereference, address: 00000000000000c0 PGD 8000000932469067 P4D 8000000932469067 PUD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G I 5.16.0+ #2 Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015 RIP: 0010:__xsk_sendmsg+0x2c/0x690 [...] RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258 RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800 RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800 R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000 FS: 00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0 Call Trace: ? aa_sk_perm+0x43/0x1b0 xsk_sendmsg+0xf0/0x110 sock_sendmsg+0x65/0x70 __sys_sendto+0x113/0x190 ? debug_smp_processor_id+0x17/0x20 ? fpregs_assert_state_consistent+0x23/0x50 ? exit_to_user_mode_prepare+0xa5/0x1d0 __x64_sys_sendto+0x29/0x30 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae There are two problems with the current code. First, setting xs->dev to NULL before waiting for all users to stop using the socket is not correct. The entry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg() are all guarded by a test that xs->state is in the state XSK_BOUND and if not, it returns right away. But one process might have passed this test but still have not gotten to the point in which it uses xs->dev in the code. In this interim, a second process executing xsk_unbind_dev() might have set xs->dev to NULL which will lead to a crash for the first process. The solution here is just to get rid of this NULL assignment since it is not used anymore. Before commit 42fddcc7c64b ("xsk: use state member for socket synchronization"), xs->dev was the gatekeeper to admit processes into the data plane functions, but it was replaced with the state variable xs->state in the aforementioned commit. The second problem is that synchronize_net() does not wait for any process in xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that the state they rely on might be cleaned up prematurely. This can happen when the notifier gets called (at driver unload for example) as it uses xsk_unbind_dev(). Solve this by extending the RCU critical region from just the ndo_xsk_wakeup to the whole functions mentioned above, so that both the test of xs->state == XSK_BOUND and the last use of any member of xs is covered by the RCU critical section. This will guarantee that when synchronize_net() completes, there will be no processes left executing xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and state can be cleaned up safely. Note that we need to drop the RCU lock for the skb xmit path as it uses functions that might sleep. Due to this, we have to retest the xs->state after we grab the mutex that protects the skb xmit code from, among a number of things, an xsk_unbind_dev() being executed from the notifier at the same time. Fixes: 42fddcc7c64b ("xsk: use state member for socket synchronization") Reported-by: Elza Mathew Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20220228094552.10134-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit 3812013b98c1f97d8cdd8cf5586388082cd7ca1b Author: Hou Tao Date: Sat Feb 26 20:19:06 2022 +0800 bpf, arm64: Feed byte-offset into bpf line info [ Upstream commit dda7596c109fc382876118627e29db7607cde35d ] insn_to_jit_off passed to bpf_prog_fill_jited_linfo() is calculated in instruction granularity instead of bytes granularity, but BPF line info requires byte offset. bpf_prog_fill_jited_linfo() will be the last user of ctx.offset before it is freed, so convert the offset into byte-offset before calling into bpf_prog_fill_jited_linfo() in order to fix the line info dump on arm64. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Suggested-by: Daniel Borkmann Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-3-houtao1@huawei.com Signed-off-by: Sasha Levin commit 684825ba016a19921b3b6fd98d069b39481f8b65 Author: Hou Tao Date: Sat Feb 26 20:19:05 2022 +0800 bpf, arm64: Call build_prologue() first in first JIT pass [ Upstream commit 68e4f238b0e9d3670a1612ad900a6e98b2b3f7dd ] BPF line info needs ctx->offset to be the instruction offset in the whole JITed image instead of the body itself, so also call build_prologue() first in first JIT pass. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-2-houtao1@huawei.com Signed-off-by: Sasha Levin commit 26f86218b59ad5fc00c4b9d7303625acd7215eef Author: Nishanth Menon Date: Tue Sep 21 12:40:59 2021 -0500 drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt [ Upstream commit ffb5c099aaa13ab7f73c29ea6ae26bce8d7575ae ] Add MODULE_DEVICE_TABLE to the device tree table to create required aliases needed for module to be loaded with device tree based platform. Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Nishanth Menon Reviewed-by: Tomi Valkeinen Reviewed-by: Laurent Pinchart Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20210921174059.17946-1-nm@ti.com Signed-off-by: Sasha Levin commit 463f60afbec484bd2c4a0ff6e5f4db4b409f329d Author: Xiang Chen Date: Thu Feb 24 19:51:24 2022 +0800 scsi: hisi_sas: Change permission of parameter prot_mask [ Upstream commit c4e070457a93705e56ed06b3910d9e5fe56d3be3 ] Currently the permission of parameter prot_mask is 0x0, which means that the member does not appear in sysfs. Change it as other module parameters to 0444 for world-readable. [mkp: s/v3/v2/] Link: https://lore.kernel.org/r/1645703489-87194-2-git-send-email-john.garry@huawei.com Fixes: d6a9000b81be ("scsi: hisi_sas: Add support for DIF feature for v2 hw") Reported-by: Yihang Li Signed-off-by: Xiang Chen Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 609756b3b573e4b3b6f18fea0016923b6c832d26 Author: Hans de Goede Date: Sat Feb 12 17:48:16 2022 +0100 power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return [ Upstream commit f7731754fdce33dad19be746f647d6ac47c5d695 ] The datasheet says that the BQ24190_REG_POC_CHG_CONFIG bits can have a value of either 10(0x2) or 11(0x3) for OTG (5V boost regulator) mode. Sofar bq24190_vbus_is_enabled() was only checking for 10 but some BIOS-es uses 11 when enabling the regulator at boot. Make bq24190_vbus_is_enabled() also check for 11 so that it does not wrongly returns false when the bits are set to 11. Fixes: 66b6bef2c4e0 ("power: supply: bq24190_charger: Export 5V boost converter as regulator") Cc: Bastien Nocera Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit f3c99c686e098300c246e5e8a1474133e3dacb05 Author: Miaoqian Lin Date: Mon Jan 10 06:53:16 2022 +0000 drm/tegra: Fix reference leak in tegra_dsi_ganged_probe [ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add put_device() call to fix this. Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") Signed-off-by: Miaoqian Lin Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 3f5ec4d20a251f1d4053aab57c239bade473c92f Author: Zhang Yi Date: Sat Feb 12 13:05:32 2022 +0800 ext2: correct max file size computing [ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ] We need to calculate the max file size accurately if the total blocks that can address by block tree exceed the upper_limit. But this check is not correct now, it only compute the total data blocks but missing metadata blocks are needed. So in the case of "data blocks < upper_limit && total blocks > upper_limit", we will get wrong result. Fortunately, this case could not happen in reality, but it's confused and better to correct the computing. bits data blocks metadatablocks upper_limit 10 16843020 66051 2147483647 11 134480396 263171 1073741823 12 1074791436 1050627 536870911 (*) 13 8594130956 4198403 268435455 (*) 14 68736258060 16785411 134217727 (*) 15 549822930956 67125251 67108863 (*) 16 4398314962956 268468227 33554431 (*) [*] Need to calculate in depth. Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()") Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com Signed-off-by: Zhang Yi Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit aeaed9a9fe694f8b1462fb81e2d33298c929180b Author: Kees Cook Date: Thu Feb 24 19:56:10 2022 -0800 drm/dp: Fix OOB read when handling Post Cursor2 register [ Upstream commit a2151490cc6c57b368d7974ffd447a8b36ade639 ] The link_status array was not large enough to read the Adjust Request Post Cursor2 register, so remove the common helper function to avoid an OOB read, found with a -Warray-bounds build: drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_get_adjust_request_post_cursor': drivers/gpu/drm/drm_dp_helper.c:59:27: error: array subscript 10 is outside array bounds of 'const u8[6]' {aka 'const unsigned char[6]'} [-Werror=array-bounds] 59 | return link_status[r - DP_LANE0_1_STATUS]; | ~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/drm_dp_helper.c:147:51: note: while referencing 'link_status' 147 | u8 drm_dp_get_adjust_request_post_cursor(const u8 link_status[DP_LINK_STATUS_SIZE], | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Replace the only user of the helper with an open-coded fetch and decode, similar to drivers/gpu/drm/amd/display/dc/core/dc_link_dp.c. Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Fixes: 79465e0ffeb9 ("drm/dp: Add helper to get post-cursor adjustments") Signed-off-by: Kees Cook Reviewed-by: Gustavo A. R. Silva Reviewed-by: Jani Nikula Link: https://lore.kernel.org/r/20220105173507.2420910-1-keescook@chromium.org Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 8e9d30108d76aaa0407bf052faea2076b02599cd Author: MeiChia Chiu Date: Tue Feb 15 16:48:58 2022 +0800 mt76: mt7915: fix the muru tlv issue [ Upstream commit d98a72725bc96c98f68eac12e5a91ec349322c88 ] The muru enable/disable are only set after the first station connection. Without this patch, the firmware couldn't enable muru if the first connected station is non-HE type. Fixes: 16bff457dd33a ("mt76: mt7915: rework mt7915_mcu_sta_muru_tlv()") Reviewed-by: Ryder Lee Signed-off-by: MeiChia Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 58cea80539eabb42940df120120c756a71176a56 Author: Bo Jiao Date: Mon Dec 20 10:17:59 2021 +0800 mt76: mt7915: enlarge wcid size to 544 [ Upstream commit b37d0c9735bc1976f85636e06e07f1a7547d969d ] The mt7916 can support up to 544 wcid entries. This is an intermediate patch to add mt7916 support. Co-developed-by: Sujuan Chen Signed-off-by: Sujuan Chen Co-developed-by: Ryder Lee Signed-off-by: Ryder Lee Signed-off-by: Bo Jiao Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 2fd1798d0baddd5c0ef5faf52454657f04a21f5c Author: Christophe JAILLET Date: Sun Feb 13 18:07:03 2022 +0100 power: supply: sbs-charger: Don't cancel work that is not initialized [ Upstream commit de85193cff0d94d030a53656d8fcc41794807bef ] This driver can use an interrupt or polling in order get the charger's status. When using polling, a delayed work is used. However, the remove() function unconditionally call cancel_delayed_work_sync(), even if the delayed work is not used and is not initialized. In order to fix it, use devm_delayed_work_autocancel() and remove the now useless remove() function. Fixes: feb583e37f8a ("power: supply: add sbs-charger driver") Signed-off-by: Christophe JAILLET Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit fd6e4a2679ae9dd2824ca40b02f552a98e6c155d Author: Randy Dunlap Date: Tue Feb 22 13:45:33 2022 -0800 TOMOYO: fix __setup handlers return values [ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ] __setup() handlers should return 1 if the parameter is handled. Returning 0 causes the entire string to be added to init's environment strings (limited to 32 strings), unnecessarily polluting it. Using the documented strings "TOMOYO_loader=string1" and "TOMOYO_trigger=string2" causes an Unknown parameter message: Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \ TOMOYO_trigger=string2", will be passed to user space. and these strings are added to init's environment string space: Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 TOMOYO_trigger=string2 With this change, these __setup handlers act as expected, and init's environment is not polluted with these strings. Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: James Morris Cc: Kentaro Takeda Cc: tomoyo-dev-en@lists.osdn.me Cc: "Serge E. Hallyn" Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin commit cfec88b01dec455604e7b7965f5851b1402eff67 Author: Maíra Canal Date: Tue Feb 22 10:16:57 2022 -0300 drm/amd/display: Remove vupdate_int_entry definition [ Upstream commit 3679b8518cd213c25d555553ef212e233faf698c ] Remove the vupdate_int_entry definition and utilization to avoid the following warning by Clang: drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:410:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(0), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:404:2: note: previous initialization is here vupdate_int_entry(0), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:411:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(1), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:405:2: note: previous initialization is here vupdate_int_entry(1), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:412:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(2), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:406:2: note: previous initialization is here vupdate_int_entry(2), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:413:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(3), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:407:2: note: previous initialization is here vupdate_int_entry(3), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:414:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(4), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:408:2: note: previous initialization is here vupdate_int_entry(4), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:415:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(5), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:409:2: note: previous initialization is here vupdate_int_entry(5), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ 6 warnings generated. Fixes: 688f97ed3f5e ("drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1") Signed-off-by: Maíra Canal Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2b2d91e2dac29711e46659ed8a9e7cdfc1bfd2a5 Author: Aharon Landau Date: Tue Feb 15 19:55:30 2022 +0200 RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR [ Upstream commit 2f0e60d5e9f96341a0c8a01be8878cdb3b29ff20 ] When an ODP MR cache entry is empty and trying to allocate it, increment the ent->miss counter and call to queue_adjust_cache_locked() to verify the entry is balanced. Fixes: aad719dcf379 ("RDMA/mlx5: Allow MRs to be created in the cache synchronously") Link: https://lore.kernel.org/r/09503e295276dcacc92cb1d8aef1ad0961c99dc1.1644947594.git.leonro@nvidia.com Signed-off-by: Aharon Landau Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit b0cbd13db467ef03b28297d3effb6b726c0dcba8 Author: Luiz Angelo Daros de Luca Date: Fri Jan 28 03:04:58 2022 -0300 net: dsa: realtek-smi: move to subdirectory [ Upstream commit 319a70a5fea9590e9431dd57f56191996c4787f4 ] Signed-off-by: Luiz Angelo Daros de Luca Tested-by: Arınç ÜNAL Reviewed-by: Alvin Šipraga Reviewed-by: Linus Walleij Reviewed-by: Florian Fainelli Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4b92c450c4e80681b2f9f83b2f73c998ad11fb84 Author: Luiz Angelo Daros de Luca Date: Fri Jan 28 03:04:57 2022 -0300 net: dsa: realtek-smi: fix kdoc warnings [ Upstream commit 0f0c6da03ba37739901ca5db4361c1ef1ae9463f ] Removed kdoc mark for incomplete struct description. Added a return description for rtl8366rb_drop_untagged. Signed-off-by: Luiz Angelo Daros de Luca Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9b6521ead7b905549bd0e346834d6db224ed5ab2 Author: Deren Wu Date: Wed Feb 9 09:40:27 2022 +0800 mt76: mt7921s: fix missing fc type/sub-type for 802.11 pkts [ Upstream commit 355c060d5f38a784822d544e969121a273bcf545 ] For non-mmio devices, should set fc values to proper txwi config Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Tested-by: Sean Wang Co-developed-by: Leon Yen Signed-off-by: Leon Yen Signed-off-by: Deren Wu Acked-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 14e91a84027f0b525a510952a9cd53f4d2e44d2c Author: Lorenzo Bianconi Date: Sun Feb 6 19:53:23 2022 +0100 mt76: fix endianness errors in reverse_frag0_hdr_trans [ Upstream commit d0c0cefb87e283b5000121989f3c10c9915a2787 ] Fix ht ctl field size in mt{7615,7915,7921}_reverse_frag0_hdr_trans. Fix the following endianness warnings in mt{7615,7915,7921}_reverse_frag0_hdr_trans: drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:29: warning: cast to restricted __le32 drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:29: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:29: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:27: warning: incorrect type in assignment (different base types) drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:27: expected restricted __le16 [usertype] frame_control drivers/net/wireless/mediatek/mt76/mt7915/mac.c:417:27: got unsigned long drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:24: warning: cast to restricted __le32 drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:24: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:24: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:22: warning: incorrect type in assignment (different base types) drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:22: expected restricted __le16 [usertype] seq_ctrl drivers/net/wireless/mediatek/mt76/mt7915/mac.c:418:22: got unsigned long drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:20: warning: cast to restricted __le32 drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:20: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:20: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:18: warning: incorrect type in assignment (different base types) drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:18: expected restricted __le32 [usertype] qos_ctrl drivers/net/wireless/mediatek/mt76/mt7915/mac.c:419:18: got unsigned long drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:19: warning: cast to restricted __le32 drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:19: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:19: warning: restricted __le32 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:17: warning: incorrect type in assignment (different base types) drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:17: expected restricted __le32 [usertype] ht_ctrl drivers/net/wireless/mediatek/mt76/mt7915/mac.c:420:17: got unsigned long drivers/net/wireless/mediatek/mt76/mt7915/mac.c:448:25: warning: restricted __be16 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:448:38: warning: restricted __be16 degrades to integer drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1450:23: warning: incorrect type in assignment (different base types) drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1450:23: expected unsigned int [usertype] *cur_info drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1450:23: got restricted __le32 * drivers/net/wireless/mediatek/mt76/mt7915/mac.c:1451:34: warning: cast to restricted __le32 Fixes: dc5399a50b45f ("mt76: reverse the first fragmented frame to 802.11") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 43b1ffbb112fc259894f4408d5a63c59244eb348 Author: Lorenzo Bianconi Date: Tue Jan 11 16:10:05 2022 +0100 mt76: do not always copy ethhdr in reverse_frag0_hdr_trans [ Upstream commit eea7437e80216ac29a87b417896ce75656816b56 ] Do not always copy ethernet header in mt{7615,7915,7921}_reverse_frag0_hdr_trans and use a pointer instead. Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 16cd02e0951b520bef324adb9a35afcc92501caf Author: Damien Le Moal Date: Sun Feb 20 12:17:55 2022 +0900 scsi: pm8001: Fix abort all task initialization [ Upstream commit 7f12845c8389855dbcc67baa068b6832dc4a396e ] In pm80xx_send_abort_all(), the n_elem field of the ccb used is not initialized to 0. This missing initialization sometimes lead to the task completion path seeing the ccb with a non-zero n_elem resulting in the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(), causing a crash such as: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Call Trace: [ 197.765127] [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051] [ 197.844236] [ 197.848397] asm_common_interrupt+0x1e/0x40 Avoid this issue by always initializing the ccb n_elem field to 0 in pm8001_send_abort_all(), pm8001_send_read_log() and pm80xx_send_abort_all(). Link: https://lore.kernel.org/r/20220220031810.738362-17-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bb942d7bc74b2230de34d59ef70540e7cb93ba4a Author: Damien Le Moal Date: Sun Feb 20 12:17:54 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command completion handling [ Upstream commit 1d6736c3e162061dc811c76e605f35ef3234bffa ] NCQ NON DATA is an NCQ command with the DMA_NONE DMA direction and so a register-device-to-host-FIS response is expected for it. However, for an IO_SUCCESS case, mpi_sata_completion() expects a set-device-bits-FIS for any ata task with an use_ncq field true, which includes NCQ NON DATA commands. Fix this to correctly treat NCQ NON DATA commands as non-data by also testing for the DMA_NONE DMA direction. Link: https://lore.kernel.org/r/20220220031810.738362-16-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 0a87b4f6679b334eecb45e249bc9769fc5be85b1 Author: Damien Le Moal Date: Sun Feb 20 12:17:53 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command task initialization [ Upstream commit aa028141ab0bc62c44a84d42f09db35d82df82a2 ] In the pm8001_chip_sata_req() and pm80xx_chip_sata_req() functions, all tasks with a DMA direction of DMA_NONE (no data transfer) are initialized using the ATAP value 0x04. However, NCQ NON DATA commands, while being DMA_NONE commands are NCQ commands and need to be initialized using the value 0x07 for ATAP, similarly to other NCQ commands. Make sure that NCQ NON DATA command tasks are initialized similarly to other NCQ commands by also testing the task "use_ncq" field in addition to the DMA direction. While at it, reorganize the code into a chain of if - else if - else to avoid useless affectations and debug messages. Link: https://lore.kernel.org/r/20220220031810.738362-15-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 70a5ad749ecc3b963ff08ad05b0ce20c5e0d4bda Author: Damien Le Moal Date: Sun Feb 20 12:17:50 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req() [ Upstream commit fd6d0e376211d7ed759db96b0fbd9a1cee67d462 ] Make sure that the __le32 fields of struct sata_cmd are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, fix some code identation and add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-12-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 64e6823a93a07236d4eff2c4f0a41d64864bd960 Author: Damien Le Moal Date: Sun Feb 20 12:17:49 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req() [ Upstream commit 970404cc5744b1033b6ee601be4ef0e2d1fbcf72 ] Make sure that the __le32 fields of struct ssp_ini_io_start_req are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-11-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 666c9baa979e1b6ffcf31b51caf8547446c197c6 Author: Damien Le Moal Date: Sun Feb 20 12:17:48 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update() [ Upstream commit f8b12dfb476dad38ce755aaf5e2df46f06f1822e ] All fields of the kek_mgmt_req structure have the type __le32. So make sure to use cpu_to_le32() to initialize them. This suppresses the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] new_curidx_ksop got int Link: https://lore.kernel.org/r/20220220031810.738362-10-damien.lemoal@opensource.wdc.com Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 644b7b70633ea1d748242136c8dca04872ccdd7d Author: Damien Le Moal Date: Sun Feb 20 12:17:47 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config() [ Upstream commit ca374f5d92b8ae778f6a37dd3e7ed809bbf7a953 ] All fields of the SASProtocolTimerConfig structure have the __le32 type. As such, use cpu_to_le32() to initialize them. This change suppresses many sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [usertype] pageCode got int Note that the check to limit the value of the STP_IDLE_TMO field is removed as this field is initialized using the fixed (and small) value defined by the STP_IDLE_TIME macro. The pm8001_dbg() calls printing the values of the SASProtocolTimerConfig structure fileds are changed to use le32_to_cpu() to present the values in human readable form. Link: https://lore.kernel.org/r/20220220031810.738362-9-damien.lemoal@opensource.wdc.com Fixes: a6cb3d012b98 ("[SCSI] pm80xx: thermal, sas controller config and error handling update") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1ad54126ce1213cc53c605b274897929f8bb88f3 Author: Damien Le Moal Date: Sun Feb 20 12:17:46 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config() [ Upstream commit bb225b12dbcc82d53d637d10b8d70b64494f8c16 ] The fields of the set_ctrl_cfg_req structure have the __le32 type, so use cpu_to_le32() to assign them. This removes the sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 got unsigned int Link: https://lore.kernel.org/r/20220220031810.738362-8-damien.lemoal@opensource.wdc.com Fixes: 842784e0d15b ("pm80xx: Update For Thermal Page Code") Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9d98ec6da3adea161ec70dc33a9cfe649940574c Author: Damien Le Moal Date: Sun Feb 20 12:17:45 2022 +0900 scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() [ Upstream commit cd2268a180117aa8ebb23e090ba204324b2d0e93 ] The ds_ads_m field of struct ssp_ini_tm_start_req has the type __le32. Assigning a value to it should thus use cpu_to_le32(). This fixes the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] ds_ads_m got int Link: https://lore.kernel.org/r/20220220031810.738362-7-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4f2564ef2996e11fd7286719d6f863e0e93912cd Author: Damien Le Moal Date: Sun Feb 20 12:17:43 2022 +0900 scsi: pm8001: Fix command initialization in pm80XX_send_read_log() [ Upstream commit 1a37b6738b58d86f6b144b3fc754ace0f2e0166d ] Since the sata_cmd struct is zeroed out before its fields are initialized, there is no need for using "|=" to initialize the ncqtag_atap_dir_m field. Using a standard assignment removes the sparse warning: warning: invalid assignment: |= Also, since the ncqtag_atap_dir_m field has type __le32, use cpu_to_le32() to generate the assigned value. Link: https://lore.kernel.org/r/20220220031810.738362-5-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 1c6c6c3a35f55d19954ac944eb55f7388af5f4d0 Author: Bart Van Assche Date: Fri Feb 18 11:50:49 2022 -0800 scsi: fnic: Fix a tracing statement [ Upstream commit 3032ed77a28913203a4fe0ab8f05752331af79b3 ] Report both the command flags and command state instead of only the command state. Link: https://lore.kernel.org/r/20220218195117.25689-22-bvanassche@acm.org Fixes: 4d7007b49d52 ("[SCSI] fnic: Fnic Trace Utility") Cc: Hiral Patel Reviewed-by: Hannes Reinecke Reviewed-by: Himanshu Madhani Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit eaec1238afff277a8e71b488ec6e6f016ee34c80 Author: Abhishek Sahu Date: Thu Feb 17 17:51:07 2022 +0530 vfio/pci: wake-up devices around reset functions [ Upstream commit 26a17b12d7f3dd8a7aa45a290e5b46e9cc775ddf ] If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For reset-related functionalities, vfio driver uses PCI reset API's. These API's internally change the PCI power state back to D0 first if the device power state is non-D0. This state change to D0 will happen without the involvement of vfio driver. Let's consider the following example: 1. The device is in D3hot. 2. User invokes VFIO_DEVICE_RESET ioctl. 3. pci_try_reset_function() will be called which internally invokes pci_dev_save_and_disable(). 4. pci_set_power_state(dev, PCI_D0) will be called first. 5. pci_save_state() will happen then. Now, for the devices which has NoSoftRst-, the pci_set_power_state() can trigger soft reset and the original PCI config state will be lost at step (4) and this state cannot be restored again. This original PCI state can include any setting which is performed by SBIOS or host linux kernel (for example LTR, ASPM L1 substates, etc.). When this soft reset will be triggered, then all these settings will be reset, and the device state saved at step (5) will also have this setting cleared so it cannot be restored. Since the vfio driver only exposes limited PCI capabilities to its user, so the vfio driver user also won't have the option to save and restore these capabilities state either and these original settings will be permanently lost. For pci_reset_bus() also, we can have the above situation. The other functions/devices can be in D3hot and the reset will change the power state of all devices to D0 without the involvement of vfio driver. So, before calling any reset-related API's, we need to make sure that the device state is D0. This is mainly to preserve the state around soft reset. For vfio_pci_core_disable(), we use __pci_reset_function_locked() which internally can use pci_pm_reset() for the function reset. pci_pm_reset() requires the device power state to be in D0, otherwise it returns error. This patch changes the device power state to D0 by invoking vfio_pci_set_power_state() explicitly before calling any reset related API's. Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition") Signed-off-by: Abhishek Sahu Link: https://lore.kernel.org/r/20220217122107.22434-3-abhsahu@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit c8a1f8bd586ee31020614b8d48b702ece3e2ae44 Author: Abhishek Sahu Date: Thu Feb 17 17:51:06 2022 +0530 vfio/pci: fix memory leak during D3hot to D0 transition [ Upstream commit eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991 ] If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For saving the PCI state locally, pci_store_saved_state() is being used and the pci_load_and_free_saved_state() will free the allocated memory. But for reset related IOCTLs, vfio driver calls PCI reset-related API's which will internally change the PCI power state back to D0. So, when the guest resumes, then it will get the current state as D0 and it will skip the call to vfio_pci_set_power_state() for changing the power state to D0 explicitly. In this case, the memory pointed by 'pm_save' will never be freed. In a malicious sequence, the state changing to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be run in a loop and it can cause an OOM situation. This patch frees the earlier allocated memory first before overwriting 'pm_save' to prevent the mentioned memory leak. Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition") Signed-off-by: Abhishek Sahu Link: https://lore.kernel.org/r/20220217122107.22434-2-abhsahu@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 29cabf372b31ec4ae8a9740b800243891cef705c Author: Aashish Sharma Date: Fri Feb 11 12:15:38 2022 +0000 dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS [ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ] Explicitly convert unsigned int in the right of the conditional expression to int to match the left side operand and the return type, fixing the following compiler warning: drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned type in conditional expression [-Wsign-compare] Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") Signed-off-by: Aashish Sharma Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 958b5990153934ba68436305f53f48ed87a1ae9a Author: Nemanja Rakovic Date: Mon Jan 31 11:17:09 2022 +0100 mips: Enable KCSAN [ Upstream commit e0a8b93efa2382d370be44bf289157de7e5dacb4 ] This patch enables KCSAN for the 64-bit version. Updated rules for the incompatible compilation units (vdso, boot/compressed). Signed-off-by: Nemanja Rakovic Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit f051deb65d4f37d240a921901d014441ed82f344 Author: Rameshkumar Sundaram Date: Wed Feb 16 14:02:34 2022 +0530 ath11k: Invalidate cached reo ring entry before accessing it [ Upstream commit f2180ccb52b5fd0876291ad2df37e2898cac18cf ] REO2SW ring descriptor is currently allocated in cacheable memory. While reaping reo ring entries on second trial after updating head pointer, first entry is not invalidated before accessing it. This results in host reaping and using cached descriptor which is already overwritten in memory by DMA device (HW). Since the contents of descriptor(buffer id, peer info and other information bits) are outdated host throws errors like below while parsing corresponding MSDU's and drops them. [347712.048904] ath11k_pci 0004:01:00.0: msdu_done bit in attention is not set [349173.355503] ath11k_pci 0004:01:00.0: frame rx with invalid buf_id 962 Move the try_again: label above ath11k_hal_srng_access_begin() so that first entry will be invalidated and prefetched. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Fixes: 6452f0a3d565 ("ath11k: allocate dst ring descriptors from cacheable memory") Signed-off-by: Rameshkumar Sundaram Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1645000354-32558-1-git-send-email-quic_ramess@quicinc.com Signed-off-by: Sasha Levin commit d90e0213661c91e649b4e59e7ccf2a8210ff8c58 Author: Alexander Lobakin Date: Fri Feb 18 13:50:33 2022 -0800 i40e: remove dead stores on XSK hotpath [ Upstream commit 7e1b54d07751edcbf23c7211508abf5667b490ee ] The 'if (ntu == rx_ring->count)' block in i40e_alloc_rx_buffers_zc() was previously residing in the loop, but after introducing the batched interface it is used only to wrap-around the NTU descriptor, thus no more need to assign 'xdp'. 'cleaned_count' in i40e_clean_rx_irq_zc() was previously being incremented in the loop, but after commit f12738b6ec06 ("i40e: remove unnecessary cleaned_count updates") it gets assigned only once after it, so the initialization can be dropped. Fixes: 6aab0bb0c5cd ("i40e: Use the xsk batched rx allocation interface") Fixes: f12738b6ec06 ("i40e: remove unnecessary cleaned_count updates") Signed-off-by: Alexander Lobakin Acked-by: Maciej Fijalkowski Tested-by: George Kuruvinakunnel Signed-off-by: Tony Nguyen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 22efb1063406387de09d45f4dbe24add583d2557 Author: Dmitry Baryshkov Date: Sat Feb 12 01:40:02 2022 +0300 drm/msm/dp: fix panel bridge attachment [ Upstream commit 4d793a02c4967ab14d4ae5e86a51ee02ed78921a ] In commit 8a3b4c17f863 ("drm/msm/dp: employ bridge mechanism for display enable and disable") the DP driver received a drm_bridge instance, which is always attached to the encoder as a root bridge. However it conflicts with the panel_bridge support for eDP panels. The panel bridge attaches to the encoder before the "dp" bridge (DP driver's drm_bridge instance created in msm_dp_bridge_init()) has a chance to do so. Change panel bridge attachment to come after the "dp" bridge attachment (and to use it as a previous bridge). Fixes: 8a3b4c17f863 ("drm/msm/dp: employ bridge mechanism for display enable and disable") Cc: Kuogee Hsieh Signed-off-by: Dmitry Baryshkov Tested-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/20220211224006.1797846-2-dmitry.baryshkov@linaro.org [db: fixed commit message according to Stephen's suggestions] Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit ec3f7e96adaee8252014ab5fde91ee6d8b869c61 Author: Dmitry Baryshkov Date: Thu Feb 17 06:53:54 2022 +0300 drm/msm/dpu: remove msm_dp cached in dpu_encoder_virt [ Upstream commit b78f30a5c8a396ca31a905982c8cd955cd35807e ] Stop caching msm_dp instance in dpu_encoder_virt since it's not used now. Fixes: 8a3b4c17f863 ("drm/msm/dp: employ bridge mechanism for display enable and disable") Reviewed-by: Abhinav Kumar Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220217035358.465904-4-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit c7459ed60399253cf01fed0c8a21dd803a6963e2 Author: Dmitry Baryshkov Date: Thu Feb 17 06:53:52 2022 +0300 drm/msm/dpu: fix dp audio condition [ Upstream commit 1e0505a5a7a2fea243f8e6d7e13fcde65f9e41bc ] DP audio enablement code which is comparing intf_type, DRM_MODE_ENCODER_TMDS (= 2) with DRM_MODE_CONNECTOR_DisplayPort (= 10). Which would never succeed. Fix it to check for DRM_MODE_ENCODER_TMDS. Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") Reviewed-by: Abhinav Kumar Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220217035358.465904-2-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 3c94c92b8cc020925b81a504f90673abc2992106 Author: Dmitry Baryshkov Date: Sat Jan 22 00:06:14 2022 +0300 drm/msm/dpu: add DSPP blocks teardown [ Upstream commit d5c5e78f217172e87d8fb2c3418dd8b58b4adfcb ] Add missing calls to dpu_hw_dspp_destroy() to free resources allocated for DSPP hardware blocks. Fixes: e47616df008b ("drm/msm/dpu: add support for color processing blocks in dpu driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Stephen Boyd Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20220121210618.3482550-3-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 1d975020471c796464aaefd20f896eaabcfb91e2 Author: Dmitry Baryshkov Date: Thu Feb 17 03:08:37 2022 +0300 drm/msm/dsi/phy: fix 7nm v4.0 settings for C-PHY mode [ Upstream commit bb07af2ed2a47dc6c4d0681f275bb27d4f845465 ] The dsi_7nm_phy_enable() disagrees with downstream for glbl_str_swi_cal_sel_ctrl and glbl_hstx_str_ctrl_0 values. Update programmed settings to match downstream driver. To remove the possibility for such errors in future drop less_than_1500_mhz assignment and specify settings explicitly. Fixes: 5ac178381d26 ("drm/msm/dsi: support CPHY mode for 7nm pll/phy") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20220217000837.435340-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit be2aa1ab72205542379e06eac0d35d9d9ab44435 Author: Marijn Suijten Date: Sat Sep 11 15:19:20 2021 +0200 drm/msm/dsi: Use "ref" fw clock instead of global name for VCO parent [ Upstream commit 3a3ee71bd8e14c5e852c71f317eebfda8f88dff0 ] All DSI PHY/PLL drivers were referencing their VCO parent clock by a global name, most of which don't exist or have been renamed. These clock drivers seem to function fine without that except the 14nm driver for sdm6xx [1]. At the same time all DTs provide a "ref" clock as per the requirements of dsi-phy-common.yaml, but the clock is never used. This patchset puts that clock to use without relying on a global clock name, so that all dependencies are explicitly defined in DT (the firmware) in the end. Note that this patch intentionally breaks older firmware (DT) that relies on the clock to be found globally instead. The only affected platform is msm8974 [2] for whose dsi_phy_28nm a .name="xo" fallback is left in place to accommodate a more graceful transition period. All other platforms had the "ref" clock added to their phy node since its inception, or in a followup patch some time after. These patches wrongly assumed that the "ref" clock was actively used and have hence been listed as "Fixes:" below. Furthermore apq8064 was providing the wrong 19.2MHz cxo instead of 27MHz pxo clock, which has been addressed in [3]. It is expected that both [2] and [3] are applied to the tree well in advance of this patch such that any actual breakage is extremely unlikely, but might still occur if kernel upgrades are performed without the DT to match. After some time the fallback for msm8974 can be removed again as well. [1]: https://lore.kernel.org/linux-arm-msm/386db1a6-a1cd-3c7d-a88e-dc83f8a1be96@somainline.org/ [2]: https://lore.kernel.org/linux-arm-msm/20210830175739.143401-1-marijn.suijten@somainline.org/ [3]: https://lore.kernel.org/linux-arm-msm/20210829203027.276143-2-marijn.suijten@somainline.org/ Fixes: 79e51645a1dd ("arm64: dts: qcom: msm8916: Set 'xo_board' as ref clock of the DSI PHY") Fixes: 6969d1d9c615 ("ARM: dts: qcom-apq8064: Set 'cxo_board' as ref clock of the DSI PHY") Fixes: 0c0e72705a33 ("arm64: dts: sdm845: Set 'bi_tcxo' as ref clock of the DSI PHYs") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20210911131922.387964-2-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 0340c56a2bfb68af39eb0c32a49cf010a68ed3f0 Author: Kuogee Hsieh Date: Mon Jan 24 15:17:54 2022 -0800 drm/msm/dp: always add fail-safe mode into connector mode list [ Upstream commit d4aca422539c441a7f3fec749287b36de37d9b6b ] Some of DP link compliant test expects to return fail-safe mode if prefer detailed timing mode can not be supported by mainlink's lane and rate after link training. Therefore add fail-safe mode into connector mode list as backup mode. This patch fixes test case 4.2.2.1. Changes in v2: -- add Fixes text string Fixes: 4b85d405cfe9 ( "drm/msm/dp: reduce link rate if failed at link training 1") Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1643066274-25814-1-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 0cba8ad286c64f05a06ad844cf25598daa925783 Author: Kuogee Hsieh Date: Tue Jan 18 10:47:28 2022 -0800 drm/msm/dp: stop link training after link training 2 failed [ Upstream commit 9051d629dbf7a998a40f7eac65a9512b01bc3bb8 ] Each DP link training contains link training 1 followed by link training 2. There is maximum of 5 retries of DP link training before declared link training failed. It is required to stop link training at end of link training 2 if it is failed so that next link training 1 can start freshly. This patch fixes link compliance test case 4.3.1.13 (Source Device Link Training EQ Fallback Test). Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Fixes: 2e0adc765d88 ("drm/msm/dp: do not end dp link training until video is ready") Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-5-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 104074ebc0c3f358dd1ee944fbcde92c6e5a21dd Author: Kuogee Hsieh Date: Tue Jan 18 10:47:26 2022 -0800 drm/msm/dp: populate connector of struct dp_panel [ Upstream commit 5e602f5156910c7b19661699896cb6e3fb94fab9 ] DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose and expect DP source return correct checksum. During drm edid read, correct edid checksum is calculated and stored at connector::real_edid_checksum. The problem is struct dp_panel::connector never be assigned, instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid so we'll try to use the connectors real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned. Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps() Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp Changes in V4: -- add more details to commit text Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Fixes: 7948fe12d47 ("drm/msm/dp: return correct edid checksum after corrupted edid checksum read") Signee-off-by: Kuogee Hsieh Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-3-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 3795c424ffcbb101bfefe78ca25a96558adedcb6 Author: Kuogee Hsieh Date: Tue Jan 18 10:47:25 2022 -0800 drm/msm/dp: do not initialize phy until plugin interrupt received [ Upstream commit 989ebe7bc4463002c210db0010c8475797a9098f ] Current DP drivers have regulators, clocks, irq and phy are grouped together within a function and executed not in a symmetric manner. This increase difficulty of code maintenance and limited code scalability. This patch divides the driver life cycle of operation into four states, resume (including booting up), dongle plugin, dongle unplugged and suspend. Regulators, core clocks and irq are grouped together and enabled at resume (or booting up) so that the DP controller is armed and ready to receive HPD plugin interrupts. HPD plugin interrupt is generated when a dongle plugs into DUT (device under test). Once HPD plugin interrupt is received, DP controller will initialize phy so that dpcd read/write will function and following link training can be proceeded successfully. DP phy will be disabled after main link is teared down at end of unplugged HPD interrupt handle triggered by dongle unplugged out of DUT. Finally regulators, code clocks and irq are disabled at corresponding suspension. Changes in V2: -- removed unnecessary dp_ctrl NULL check -- removed unnecessary phy init_count and power_count DRM_DEBUG_DP logs -- remove flip parameter out of dp_ctrl_irq_enable() -- add fixes tag Changes in V3: -- call dp_display_host_phy_init() instead of dp_ctrl_phy_init() at dp_display_host_init() for eDP Changes in V4: -- rewording commit text to match this commit changes Changes in V5: -- rebase on top of msm-next branch Changes in V6: -- delete flip variable Changes in V7: -- dp_ctrl_irq_enable/disabe() merged into dp_ctrl_reset_irq_ctrl() Changes in V8: -- add more detail comment regrading dp phy at dp_display_host_init() Changes in V9: -- remove set phy_initialized to false when -ECONNRESET detected Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Changes in v12: -- move dp_display_host_phy_exit() after dp_display_host_deinit() Changes in v13: -- do not execute phy_init until plugged_in interrupt for edp, same as DP. Changes in v14: -- remove redundant dp->core_initialized = false form dp_pm_suspend. Changes in v15: -- remove core_initialized flag check at both host_init and host_deinit Changes in v16: -- remove dp_display_host_phy_exit core_initialized=false at dp_pm_suspend Changes in v17: -- remove core_initialized checking before execute attention_cb() Changes in v18: -- remove core_initialized checking at dp_pm_suspend Fixes: 8ede2ecc3e5e ("drm/msm/dp: Add DP compliance tests on Snapdragon Chipsets") Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-2-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit ba140938a0b1a404f99652da747af55e7dff41ac Author: Amit Kumar Mahapatra Date: Wed Feb 9 11:04:27 2022 +0530 mtd: rawnand: pl353: Set the nand chip node as the flash node [ Upstream commit a1fe2ace2c39dcdc7c053705459a73b7598b1e4f ] In devicetree the flash information is embedded within nand chip node, so during nand chip initialization the nand chip node should be passed to nand_set_flash_node() api, instead of nand controller node. Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") Signed-off-by: Amit Kumar Mahapatra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220209053427.27676-1-amit.kumar-mahapatra@xilinx.com Signed-off-by: Sasha Levin commit cb3313eca1289fdf14a926bec67a56473314c28d Author: Dan Carpenter Date: Mon Aug 16 21:39:30 2021 +0300 iwlwifi: mvm: Fix an error code in iwl_mvm_up() [ Upstream commit 583d18336abdfb1b355270289ff8f6a2608ba905 ] Return -ENODEV instead of success on this error path. Fixes: dd36a507c806 ("iwlwifi: mvm: look for the first supported channel when add/remove phy ctxt") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20210816183930.GA2068@kili Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 509ec085b0d35eea10dd19809c609d8164c62b6c Author: Colin Ian King Date: Tue Sep 7 11:46:58 2021 +0100 iwlwifi: Fix -EIO error code that is never returned [ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ] Currently the error -EIO is being assinged to variable ret when the READY_BIT is not set but the function iwlagn_mac_start returns 0 rather than ret. Fix this by returning ret instead of 0. Addresses-Coverity: ("Unused value") Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit a82a8fe66d872cb7327a5d7757f9c01f6da95494 Author: Dan Carpenter Date: Thu Jan 6 10:18:25 2022 +0300 iwlwifi: mvm: fix off by one in iwl_mvm_stat_iterator_all_macs() [ Upstream commit f1cbb0a8ca9db80c086009c88c71464ac50f50a2 ] Change the comparison from ">" to ">=" to avoid accessing one element beyond the end of the ->per_mac_stats[] array. Fixes: 6324c173ff4a ("iwlwifi: mvm: add support for statistics update version 15") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220106071825.GA5836@kili Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit ea6720f2b3165d7bb482740a8efd6e884c9ade62 Author: Mukesh Sisodiya Date: Fri Feb 4 12:25:01 2022 +0200 iwlwifi: yoyo: Avoid using dram data if allocation failed [ Upstream commit e2d53d10ef666859517360e711fd7761e7e984ce ] The config set TLV setting depend on dram allocation and if allocation failed the data used in config set tlv should not set this. Adding the check if dram fragment is available or not. Signed-off-by: Mukesh Sisodiya Fixes: 1a5daead217c ("iwlwifi: yoyo: support for ROM usniffer") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220204122220.44835d181528.I3e78ba29c13bbeada017fcb2a620f3552c1dfa30@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 12a4b0563e5c298ebe179633cd2a3444a3a4a810 Author: Rotem Saado Date: Sat Jan 29 13:16:21 2022 +0200 iwlwifi: yoyo: remove DBGI_SRAM address reset writing [ Upstream commit ce014c9861544bb4e789323d0d8956a5ad262e25 ] Due to preg protection we cannot write to this register while FW is running (when FW in Halt it is ok). since we have some cases that we need to dump this region while FW is running remove this writing from DRV. FW will do this writing. Signed-off-by: Rotem Saado Fixes: 89639e06d0f3 ("iwlwifi: yoyo: support for new DBGI_SRAM region") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.209f3078bc74.I463530bd2f40daedb39f6d9df987bb7cee209033@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 6f792a0d9a8a6c53f0000d7aef370aff46e9ee7a Author: Johannes Berg Date: Sat Jan 29 13:16:16 2022 +0200 iwlwifi: mvm: align locking in D3 test debugfs [ Upstream commit 59e1221f470c2e5d2f2d4c95153edd577a7071c5 ] Since commit a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") we're not only holding the RTNL when going in and out of suspend, but also the wiphy->mtx. Add that to the D3 test debugfs in iwlwifi since it's required for various calls to mac80211. Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") Signed-off-by: Johannes Berg Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.fcec0204e162.Ib73bf787ab4d83581de20eb89b1f8dbfcaaad0e3@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 9f099444cee715080f0275882c08e23adaafe55f Author: Luca Coelho Date: Sat Jan 29 13:16:15 2022 +0200 iwlwifi: mvm: don't iterate unadded vifs when handling FW SMPS req [ Upstream commit 8a265d1a619c16400406c9d598411850ee104aed ] We may not have all the interfaces added to the driver when we get the THERMAL_DUAL_CHAIN_REQUEST notification from the FW, so instead of iterating all vifs to update SMPS, iterate only the ones that are already assigned. The interfaces that were not assigned yet, will be updated accordingly when we start using them. Signed-off-by: Luca Coelho Fixes: 2a7ce54ccc23 ("iwlwifi: mvm: honour firmware SMPS requests") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.9416aade2ba0.I0b71142f89e3f158aa058a1dfb2517c8c1fa3726@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 765707a53847d20e6f91d781e5d95470c335d83d Author: Takashi Iwai Date: Fri Jan 21 12:40:24 2022 +0100 iwlwifi: mvm: Don't call iwl_mvm_sta_from_mac80211() with NULL sta [ Upstream commit 30d17c12b0895e15ce22ebc1f52a4ff02df6dbc6 ] The recent fix for NULL sta in iwl_mvm_get_tx_rate() still has a call of iwl_mvm_sta_from_mac80211() that may be called with NULL sta. Although this practically only points to the address and the actual access doesn't happen due to the conditional evaluation at a later point, it looks a bit flaky. This patch drops the temporary variable above and evaluates iwm_mvm_sta_from_mac80211() directly for avoiding confusions. Fixes: d599f714b73e ("iwlwifi: mvm: don't crash on invalid rate w/o STA") Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20220121114024.10454-1-tiwai@suse.de Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 9ee41edf96ad7cc234177659bb6cd8d853fadb80 Author: Geliang Tang Date: Thu Feb 17 19:03:11 2022 -0800 selftests: mptcp: add csum mib check for mptcp_connect [ Upstream commit 24720d7452df2dff2e539d9dff28904e25bb1c6d ] This patch added the data checksum error mib counters check for the script mptcp_connect.sh when the data checksum is enabled. In do_transfer(), got the mib counters twice, before and after running the mptcp_connect commands. The latter minus the former is the actual number of the data checksum mib counter. The output looks like this: ns1 MPTCP -> ns2 (dead:beef:1::2:10007) MPTCP (duration 86ms) [ OK ] ns1 MPTCP -> ns2 (10.0.2.1:10008 ) MPTCP (duration 66ms) [ FAIL ] server got 1 data checksum error[s] Fixes: 94d66ba1d8e48 ("selftests: mptcp: enable checksum in mptcp_connect.sh") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/255 Signed-off-by: Geliang Tang Signed-off-by: Mat Martineau Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b786abe7c67c6ef71410c8e23292b3091d616ad1 Author: Tong Zhang Date: Fri Feb 11 23:11:11 2022 -0800 dax: make sure inodes are flushed before destroy cache [ Upstream commit a7e8de822e0b1979f08767c751f6c8a9c1d4ad86 ] A bug can be triggered by following command $ modprobe nd_pmem && modprobe -r nd_pmem [ 10.060014] BUG dax_cache (Not tainted): Objects remaining in dax_cache on __kmem_cache_shutdown() [ 10.060938] Slab 0x0000000085b729ac objects=9 used=1 fp=0x000000004f5ae469 flags=0x200000000010200(slab|head|node) [ 10.062433] Call Trace: [ 10.062673] dump_stack_lvl+0x34/0x44 [ 10.062865] slab_err+0x90/0xd0 [ 10.063619] __kmem_cache_shutdown+0x13b/0x2f0 [ 10.063848] kmem_cache_destroy+0x4a/0x110 [ 10.064058] __x64_sys_delete_module+0x265/0x300 This is caused by dax_fs_exit() not flushing inodes before destroy cache. To fix this issue, call rcu_barrier() before destroy cache. Signed-off-by: Tong Zhang Reviewed-by: Ira Weiny Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220212071111.148575-1-ztong0001@gmail.com Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 49f2dab77a5e1354f5da6ccdc9346a8212697be2 Author: Dan Williams Date: Wed Feb 16 16:25:11 2022 -0800 cxl/port: Hold port reference until decoder release [ Upstream commit 74be98774dfbc5b8b795db726bd772e735d2edd4 ] KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida. BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core] Read of size 8 at addr ffff888119270908 by task kworker/35:2/379 CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events kobject_delayed_cleanup Call Trace: dump_stack_lvl+0x59/0x73 print_address_description.constprop.0+0x1f/0x150 ? to_cxl_port+0x18/0x90 [cxl_core] kasan_report.cold+0x83/0xdf ? to_cxl_port+0x18/0x90 [cxl_core] to_cxl_port+0x18/0x90 [cxl_core] cxl_decoder_release+0x2a/0x60 [cxl_core] device_release+0x5f/0x100 kobject_cleanup+0x80/0x1c0 The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent. Fixes: 40ba17afdfab ("cxl/acpi: Introduce cxl_decoder objects") Reported-by: Ben Widawsky Tested-by: Ben Widawsky Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/164505751190.4175768.13324905271463416712.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 6d9b1aa339d8283996b599bb67ffffdb736ad9d0 Author: Dan Williams Date: Sun Jan 23 16:29:21 2022 -0800 cxl/core/port: Rename bus.c to port.c [ Upstream commit 0ff0af18216436d0151af4e410400c7a19ca9437 ] Given it is dominated by port infrastructure, and will only acquire more, rename bus.c to port.c. Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/164298416136.3018233.15442880970000855425.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 84274488ef587700568bbe4f932fad41d72ebe9b Author: Håkon Bugge Date: Wed Feb 9 16:39:35 2022 +0100 IB/cma: Allow XRC INI QPs to set their local ACK timeout [ Upstream commit 748663c8ccf6b2e5a800de19127c2cc1c4423fd2 ] XRC INI QPs should be able to adjust their local ACK timeout. Fixes: 2c1619edef61 ("IB/cma: Define option to set ack timeout and pack tos_set") Link: https://lore.kernel.org/r/1644421175-31943-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Suggested-by: Avneesh Pant Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c3d665699e872061bdcd014fb462188d66b94b57 Author: Andrii Nakryiko Date: Wed Feb 16 23:39:58 2022 -0800 libbpf: Fix memleak in libbpf_netlink_recv() [ Upstream commit 1b8c924a05934d2e758ec7da7bd217ef8ebd80ce ] Ensure that libbpf_netlink_recv() frees dynamically allocated buffer in all code paths. Fixes: 9c3de619e13e ("libbpf: Use dynamically allocated buffer when receiving netlink messages") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/bpf/20220217073958.276959-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 0da0a33b87d1a0715bd5e18c3b77e8dafe8319a7 Author: Jiri Olsa Date: Wed Feb 16 10:21:02 2022 +0100 bpftool: Fix pretty print dump for maps without BTF loaded [ Upstream commit f76d8507d23834f7e56b0fe95c82605e7d7e0efe ] The commit e5043894b21f ("bpftool: Use libbpf_get_error() to check error") fails to dump map without BTF loaded in pretty mode (-p option). Fixing this by making sure get_map_kv_btf won't fail in case there's no BTF available for the map. Fixes: e5043894b21f ("bpftool: Use libbpf_get_error() to check error") Suggested-by: Andrii Nakryiko Signed-off-by: Jiri Olsa Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220216092102.125448-1-jolsa@kernel.org Signed-off-by: Sasha Levin commit e96a17a3c909f788fb1064bc9d9542c8b2d09093 Author: Roman Li Date: Thu Dec 23 17:39:57 2021 -0500 drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug [ Upstream commit 128f8ed5902a287a6bb4afe0ffdae8a80b2a64ec ] [Why] When display topology changed on DSC hub we add all crtcs with dsc support to atomic state. Refer to patch:"drm/amd/display: Trigger modesets on MST DSC connectors" However the original implementation may skip crtc if the topology change caused by unplug. That potentially could lead to no-lightup or corruption on DSC hub after unplug event on one of the connectors. [How] Update add_affected_mst_dsc_crtcs() to use old connector state if new connector state has no crtc (undergoes modeset due to unplug) Fixes: 44be939ff7ac58 ("drm/amd/display: Trigger modesets on MST DSC connectors") Reviewed-by: Hersen Wu Acked-by: Jasdeep Dhillon Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d13c90e636cd363bc5b01f4694c408f28d772f9a Author: Yiqing Yao Date: Mon Jan 24 16:11:20 2022 +0800 drm/amd/pm: enable pm sysfs write for one VF mode [ Upstream commit e610941c45bad75aa839af015c27d236ab6749e5 ] [why] pm sysfs should be writable in one VF mode as is in passthrough [how] do not remove write access on pm sysfs if device is in one VF mode Fixes: 11c9cc95f818 ("amdgpu/pm: Make sysfs pm attributes as read-only for VFs") Signed-off-by: Yiqing Yao Reviewed-by: Monk Liu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e8b42ba320f5fde6eee1c3fb99939ed48e27d899 Author: Yinjun Zhang Date: Tue Feb 8 00:00:25 2022 +0800 bpftool: Fix the error when lookup in no-btf maps [ Upstream commit edc21dc909c6c133a2727f063eadd7907af51f94 ] When reworking btf__get_from_id() in commit a19f93cfafdf the error handling when calling bpf_btf_get_fd_by_id() changed. Before the rework if bpf_btf_get_fd_by_id() failed the error would not be propagated to callers of btf__get_from_id(), after the rework it is. This lead to a change in behavior in print_key_value() that now prints an error when trying to lookup keys in maps with no btf available. Fix this by following the way used in dumping maps to allow to look up keys in no-btf maps, by which it decides whether and where to get the btf info according to the btf value type. Fixes: a19f93cfafdf ("libbpf: Add internal helper to load BTF data by FD") Signed-off-by: Yinjun Zhang Signed-off-by: Simon Horman Signed-off-by: Andrii Nakryiko Reviewed-by: Niklas Söderlund Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/1644249625-22479-1-git-send-email-yinjun.zhang@corigine.com Signed-off-by: Sasha Levin commit 40dd2b2d0d148710597625cce079c1a4bee094e7 Author: Martin Povišer Date: Fri Feb 4 10:59:14 2022 +0100 i2c: pasemi: Drop I2C classes from platform driver variant [ Upstream commit 19e138e43a0820bb4dbf8fb5c7691f82e9221f2b ] Drop I2C device-probing classes from platform variant of the PASemi controller as it is only used on platforms where I2C devices should be instantiated in devicetree. (The I2C_CLASS_DEPRECATED flag is not raised as up to this point no devices relied on the old behavior.) Fixes: d88ae2932df0 ("i2c: pasemi: Add Apple platform driver") Signed-off-by: Martin Povišer Reviewed-by: Sven Peter Acked-by: Hector Martin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit b7c5c620087f4fa8cd176fa7f8b79d88920273ff Author: Wen Gong Date: Wed Feb 9 01:08:16 2022 -0500 ath11k: fix uninitialized rate_idx in ath11k_dp_tx_update_txcompl() [ Upstream commit 8c4c567fa291e4805d5116f1333b2ed83877032b ] The rate_idx which passed to ath11k_debugfs_sta_add_tx_stats() by ath11k_dp_tx_update_txcompl() is not initialized, add initialization for it. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2 Fixes: 1b8bb94c0612 ("ath11k: report tx bitrate for iw wlan station dump") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220209060816.423-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit db1c47d299298a7c52ccb201905d6be979fd7507 Author: Pin-Yen Lin Date: Thu Feb 10 18:38:27 2022 +0800 drm/bridge: anx7625: Fix overflow issue on reading EDID [ Upstream commit d5c6f647aec9ed524aedd04a3aec5ebc21d39007 ] The length of EDID block can be longer than 256 bytes, so we should use `int` instead of `u8` for the `edid_pos` variable. Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP") Signed-off-by: Pin-Yen Lin Reviewed-by: Jernej Skrabec Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220210103827.402436-1-treapking@chromium.org Signed-off-by: Sasha Levin commit 1de0860a10e016c32283556323b18f4411a53fb4 Author: Jiasheng Jiang Date: Thu Jan 6 10:43:02 2022 +0800 iommu/ipmmu-vmsa: Check for error num after setting mask [ Upstream commit 1fdbbfd5099f797a4dac05e7ef0192ba4a9c39b4 ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: 1c894225bf5b ("iommu/ipmmu-vmsa: IPMMU device is 40-bit bus master") Signed-off-by: Jiasheng Jiang Reviewed-by: Nikita Yushchenko Link: https://lore.kernel.org/r/20220106024302.2574180-1-jiasheng@iscas.ac.cn Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 904e163aac62195b407740d3058abd5431f6d6b9 Author: Dmitry Torokhov Date: Mon Jan 17 23:26:18 2022 -0800 HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports [ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ] Internally kernel prepends all report buffers, for both numbered and unnumbered reports, with report ID, therefore to properly handle unnumbered reports we should prepend it ourselves. For the same reason we should skip the first byte of the buffer when calling i2c_hid_set_or_send_report() which then will take care of properly formatting the transfer buffer based on its separate report ID argument along with report payload. [jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin] Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks") Signed-off-by: Dmitry Torokhov Tested-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit c32f6b6196b6efc1c68990dfeaac36fb8eb3b8e1 Author: Miaoqian Lin Date: Mon Jan 24 13:13:46 2022 +0000 power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init [ Upstream commit 6a4760463dbc6b603690938c468839985189ce0a ] kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). Fixes: 8c0984e5a753 ("power: move power supply drivers to power/supply") Signed-off-by: Miaoqian Lin Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit dc69beab5b7baa106d8a195d2c690f7970a81eb5 Author: Toke Høiland-Jørgensen Date: Sat Feb 12 00:48:19 2022 +0100 libbpf: Use dynamically allocated buffer when receiving netlink messages [ Upstream commit 9c3de619e13ee6693ec5ac74f50b7aa89056a70e ] When receiving netlink messages, libbpf was using a statically allocated stack buffer of 4k bytes. This happened to work fine on systems with a 4k page size, but on systems with larger page sizes it can lead to truncated messages. The user-visible impact of this was that libbpf would insist no XDP program was attached to some interfaces because that bit of the netlink message got chopped off. Fix this by switching to a dynamically allocated buffer; we borrow the approach from iproute2 of using recvmsg() with MSG_PEEK|MSG_TRUNC to get the actual size of the pending message before receiving it, adjusting the buffer as necessary. While we're at it, also add retries on interrupted system calls around the recvmsg() call. v2: - Move peek logic to libbpf_netlink_recv(), don't double free on ENOMEM. Fixes: 8bbb77b7c7a2 ("libbpf: Add various netlink helpers") Reported-by: Zhiqian Guan Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Andrii Nakryiko Acked-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/bpf/20220211234819.612288-1-toke@redhat.com Signed-off-by: Sasha Levin commit 7416cbe41329eee689411edfc028fb8d00c7a8f2 Author: Andrii Nakryiko Date: Fri Feb 11 12:52:35 2022 -0800 libbpf: Fix libbpf.map inheritance chain for LIBBPF_0.7.0 [ Upstream commit d130e954a002b901391037c33b9ae11bae5aaa91 ] Ensure that LIBBPF_0.7.0 inherits everything from LIBBPF_0.6.0. Fixes: dbdd2c7f8cec ("libbpf: Add API to get/set log_level at per-program level") Signed-off-by: Andrii Nakryiko Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220211205235.2089104-1-andrii@kernel.org Signed-off-by: Sasha Levin commit e3964cde51da406b1128ef0f738fa6227daa52fe Author: Linus Walleij Date: Sat Jan 29 01:49:16 2022 +0100 power: supply: ab8500: Swap max and overvoltage [ Upstream commit d662a7df36e1edc65eaf166ec1c8527ce9d088ea ] We should terminate charging when we reach the voltage_max_design_uv not overvoltage_limit_uv, this is an abuse of that struct member. The overvoltage limit is actually not configurable on the AB8500, it is fixed to 4.75 V so drop a comment about that in the code. Fixes: 2a5f41830aad ("power: supply: ab8500: Standardize voltages") Signed-off-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 0ef004d1fae53c5d9fce03b463c4ce1f306e2779 Author: Neil Armstrong Date: Fri Feb 4 15:33:37 2022 +0100 drm/bridge: dw-hdmi: use safe format when first in bridge chain [ Upstream commit 1528038385c0a706aac9ac165eeb24044fef6825 ] When the dw-hdmi bridge is in first place of the bridge chain, this means there is no way to select an input format of the dw-hdmi HW component. Since introduction of display-connector, negotiation was broken since the dw-hdmi negotiation code only worked when the dw-hdmi bridge was in last position of the bridge chain or behind another bridge also supporting input & output format negotiation. Commit 7cd70656d128 ("drm/bridge: display-connector: implement bus fmts callbacks") was introduced to make negotiation work again by making display-connector act as a pass-through concerning input & output format negotiation. But in the case where the dw-hdmi is single in the bridge chain, for example on Renesas SoCs, with the display-connector bridge the dw-hdmi is no more single, breaking output format. Reported-by: Biju Das Bisected-by: Kieran Bingham Tested-by: Kieran Bingham Fixes: 6c3c719936da ("drm/bridge: synopsys: dw-hdmi: add bus format negociation") Signed-off-by: Neil Armstrong [narmstrong: add proper fixes commit] Reviewed-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220204143337.89221-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit d9fb80ad781e28b332df8c10b0511e9ca856e55d Author: Dan Carpenter Date: Thu Feb 3 11:25:32 2022 +0300 rtw88: fix use after free in rtw_hw_scan_update_probe_req() [ Upstream commit a954f29aea5d2cf58feedf83235edf3367229a37 ] This code needs to use skb_queue_walk_safe() instead of skb_queue_walk() because it frees the list iterator. Fixes: d95984b5580d ("rtw88: fix memory overrun and memory leak during hw_scan") Signed-off-by: Dan Carpenter Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220203082532.GA25151@kili Signed-off-by: Sasha Levin commit daad99303c6d773a13ecf92b91a52c053a6a9831 Author: Andrii Nakryiko Date: Tue Feb 8 22:39:09 2022 -0800 libbpf: Fix compilation warning due to mismatched printf format [ Upstream commit dc37dc617fabfb1c3a16d49f5d8cc20e9e3608ca ] On ppc64le architecture __s64 is long int and requires %ld. Cast to ssize_t and use %zd to avoid architecture-specific specifiers. Fixes: 4172843ed4a3 ("libbpf: Fix signedness bug in btf_dump_array_data()") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220209063909.1268319-1-andrii@kernel.org Signed-off-by: Sasha Levin commit e6fa83a0c1969f071331fd26fd141d90cfbb0e40 Author: Po Liu Date: Wed Feb 9 20:33:01 2022 +0800 net:enetc: allocate CBD ring data memory using DMA coherent methods [ Upstream commit b3a723dbc94a6e38f67669d03b521edd766ad895 ] To replace the dma_map_single() stream DMA mapping with DMA coherent method dma_alloc_coherent() which is more simple. dma_map_single() found by Tim Gardner not proper. Suggested by Claudiu Manoil and Jakub Kicinski to use dma_alloc_coherent(). Discussion at: https://lore.kernel.org/netdev/AM9PR04MB8397F300DECD3C44D2EBD07796BD9@AM9PR04MB8397.eurprd04.prod.outlook.com/t/ Fixes: 888ae5a3952ba ("net: enetc: add tc flower psfp offload driver") cc: Claudiu Manoil Reported-by: Tim Gardner Signed-off-by: Po Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 23587481ef1ba41b71b0f83e903dbbd95123670f Author: Tianyu Lan Date: Tue Feb 8 09:26:52 2022 -0500 Netvsc: Call hv_unmap_memory() in the netvsc_device_remove() [ Upstream commit b539324f6fe798bdb186e4e91eafb37dd851db2a ] netvsc_device_remove() calls vunmap() inside which should not be called in the interrupt context. Current code calls hv_unmap_memory() in the free_netvsc_device() which is rcu callback and maybe called in the interrupt context. This will trigger BUG_ON(in_interrupt()) in the vunmap(). Fix it via moving hv_unmap_memory() to netvsc_device_ remove(). Fixes: 846da38de0e8 ("net: netvsc: Add Isolation VM support for netvsc driver") Signed-off-by: Tianyu Lan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 074773148ebacdeca107a449abe608b1117d6434 Author: Jonathan Cameron Date: Tue Feb 1 15:34:37 2022 +0000 cxl/regs: Fix size of CXL Capability Header Register [ Upstream commit 74b0fe80409733055971bbfaf33c80a33fddeeb3 ] In CXL 2.0, 8.2.5.1 CXL Capability Header Register: this register is given as 32 bits. 8.2.3 which covers the CXL 2.0 Component registers, including the CXL Capability Header Register states that access restrictions specified in Section 8.2.2 apply. 8.2.2 includes: * A 32 bit register shall be accessed as a 4 Byte quantity. ... If these rules are not followed, the behavior is undefined. Discovered during review of CXL QEMU emulation. Alex Bennée pointed out there was a comment saying that 4 byte registers must be read with a 4 byte read, but 8 byte reads were being emulated. https://lore.kernel.org/qemu-devel/87bkzyd3c7.fsf@linaro.org/ Fixing that, led to this code failing. Whilst a given hardware implementation 'might' work with an 8 byte read, it should not be relied upon. The QEMU emulation v5 will return 0 and log the wrong access width. The code moved, so one fixes tag for where this will directly apply and also a reference to the earlier introduction of the code for backports. Fixes: 0f06157e0135 ("cxl/core: Move register mapping infrastructure") Fixes: 08422378c4ad ("cxl/pci: Add HDM decoder capabilities") Signed-off-by: Jonathan Cameron Cc: Alex Bennée Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/20220201153437.2873-1-Jonathan.Cameron@huawei.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 7d52930fc83bd70fbb59294fe5f912e3e4ffdcf3 Author: Dan Williams Date: Sun Jan 23 16:31:56 2022 -0800 tools/testing/cxl: Fix root port to host bridge assignment [ Upstream commit a4a0ce242fcd7022349212c4e2f795762e6ff050 ] Mocked root-ports are meant to be round-robin assigned to host-bridges. Fixes: 67dcdd4d3b83 ("tools/testing/cxl: Introduce a mocked-up CXL port hierarchy") Link: https://lore.kernel.org/r/164298431629.3018233.14004377108116384485.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 13b49a3e8479efda537ff920bb2e78a8fe8d044b Author: Dan Williams Date: Sun Jan 23 16:29:42 2022 -0800 cxl/core: Fix cxl_probe_component_regs() error message [ Upstream commit d621bc2e7282f9955033a6359877fd4ac4be60e1 ] Fix a '\n' vs '/n' typo. Fixes: 08422378c4ad ("cxl/pci: Add HDM decoder capabilities") Acked-by: Ben Widawsky Link: https://lore.kernel.org/r/164298418268.3018233.17790073375430834911.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit e9eb8f04560f78675dc4eb9a2766a0fbd550a558 Author: Ilya Leoshkevich Date: Wed Feb 9 03:17:40 2022 +0100 libbpf: Fix riscv register names [ Upstream commit 5c101153bfd67387ba159b7864176217a40757da ] riscv registers are accessed via struct user_regs_struct, not struct pt_regs. The program counter member in this struct is called pc, not epc. The frame pointer is called s0, not fp. Fixes: 3cc31d794097 ("libbpf: Normalize PT_REGS_xxx() macro definitions") Signed-off-by: Ilya Leoshkevich Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220209021745.2215452-6-iii@linux.ibm.com Signed-off-by: Sasha Levin commit f72bf5a0281182841f6717336356af21db6dfbe5 Author: Dan Carpenter Date: Tue Feb 8 10:15:52 2022 +0300 libbpf: Fix signedness bug in btf_dump_array_data() [ Upstream commit 4172843ed4a38f97084032f74f07b2037b5da3a6 ] The btf__resolve_size() function returns negative error codes so "elem_size" must be signed for the error handling to work. Fixes: 920d16af9b42 ("libbpf: BTF dumper support for typed data") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220208071552.GB10495@kili Signed-off-by: Sasha Levin commit 07655520b52e5bdf28bcb7c16829a1cb30212f3e Author: Xiao Yang Date: Wed Dec 29 11:44:38 2021 +0800 RDMA/rxe: Check the last packet by RXE_END_MASK [ Upstream commit b1377cc37f6bebd57ce8747b7e16163a475af295 ] It's wrong to check the last packet by RXE_COMP_MASK because the flag is to indicate if responder needs to generate a completion. Fixes: 9fcd67d1772c ("IB/rxe: increment msn only when completing a request") Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20211229034438.1854908-1-yangx.jy@fujitsu.com Signed-off-by: Xiao Yang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 1a0e004c32d0b10f3a962161599d236a97a4c9fd Author: Pali Rohár Date: Mon Jan 10 02:50:09 2022 +0100 PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge [ Upstream commit 735f5ae49e1b44742cc63ca9b5c1ffde3e94ba91 ] The emulated bridge returns incorrect value for PCI_EXP_RTSTA register during readout in advk_pci_bridge_emul_pcie_conf_read() function: the correct bit is BIT(16), but we are setting BIT(23), because the code does *value = (isr0 & PCIE_MSG_PM_PME_MASK) << 16 where PCIE_MSG_PM_PME_MASK is BIT(7). The code should probably have been something like *value = (!!(isr0 & PCIE_MSG_PM_PME_MASK)) << 16, but we are better of using an if() and using the proper macro for this bit. Link: https://lore.kernel.org/r/20220110015018.26359-15-kabel@kernel.org Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 6504a12db05b7e79f17e289a13568bea5fd671ce Author: Pali Rohár Date: Mon Jan 10 02:49:57 2022 +0100 PCI: aardvark: Fix reading MSI interrupt number [ Upstream commit 805dfc18dd3d4dd97a987d4406593b5a225b1253 ] In advk_pcie_handle_msi() it is expected that when bit i in the W1C register PCIE_MSI_STATUS_REG is cleared, the PCIE_MSI_PAYLOAD_REG is updated to contain the MSI number corresponding to index i. Experiments show that this is not so, and instead PCIE_MSI_PAYLOAD_REG always contains the number of the last received MSI, overall. Do not read PCIE_MSI_PAYLOAD_REG register for determining MSI interrupt number. Since Aardvark already forbids more than 32 interrupts and uses own allocated hwirq numbers, the msi_idx already corresponds to the received MSI number. Link: https://lore.kernel.org/r/20220110015018.26359-3-kabel@kernel.org Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 6f34538876bfd7669ca4f0740e38c4b57283083d Author: Luben Tuikov Date: Thu Feb 3 19:05:20 2022 -0500 drm/amdgpu: Don't offset by 2 in FRU EEPROM [ Upstream commit 3f3a24a0a3a58677d2b4f3c442d7a1be05afb123 ] Read buffers no longer expose the I2C address, and so we don't need to offset by two when we get the read data. Cc: Alex Deucher Cc: Kent Russell Cc: Andrey Grodzovsky Fixes: bd607166af7fe3 ("drm/amdgpu: Enable reading FRU chip via I2C v3") Signed-off-by: Luben Tuikov Acked-by: Harish Kasiviswanathan Reviewed-by: Kent Russell Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d46833eadcc3993f933786e7c0c9f4d1586e1a03 Author: Corinna Vinschen Date: Wed Jan 19 15:52:59 2022 +0100 igb: refactor XDP registration [ Upstream commit e62ad74aa534404b3ee7e250b114a3536ac56987 ] On changing the RX ring parameters igb uses a hack to avoid a warning when calling xdp_rxq_info_reg via igb_setup_rx_resources. It just clears the struct xdp_rxq_info content. Instead, change this to unregister if we're already registered. Align code to the igc code. Fixes: 9cbc948b5a20c ("igb: add XDP support") Signed-off-by: Corinna Vinschen Acked-by: Vinicius Costa Gomes Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 65aebcf1e05bd97d2e7ffcdff36efea1757c9450 Author: Corinna Vinschen Date: Wed Jan 19 15:52:58 2022 +0100 igc: avoid kernel warning when changing RX ring parameters [ Upstream commit 453307b569a0d41bddd07f26bf41b784cd82a4c9 ] Calling ethtool changing the RX ring parameters like this: $ ethtool -G eth0 rx 1024 on igc triggers kernel warnings like this: [ 225.198467] ------------[ cut here ]------------ [ 225.198473] Missing unregister, handled but fix driver [ 225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168 xdp_rxq_info_reg+0x79/0xd0 [...] [ 225.198601] Call Trace: [ 225.198604] [ 225.198609] igc_setup_rx_resources+0x3f/0xe0 [igc] [ 225.198617] igc_ethtool_set_ringparam+0x30e/0x450 [igc] [ 225.198626] ethnl_set_rings+0x18a/0x250 [ 225.198631] genl_family_rcv_msg_doit+0xca/0x110 [ 225.198637] genl_rcv_msg+0xce/0x1c0 [ 225.198640] ? rings_prepare_data+0x60/0x60 [ 225.198644] ? genl_get_cmd+0xd0/0xd0 [ 225.198647] netlink_rcv_skb+0x4e/0xf0 [ 225.198652] genl_rcv+0x24/0x40 [ 225.198655] netlink_unicast+0x20e/0x330 [ 225.198659] netlink_sendmsg+0x23f/0x480 [ 225.198663] sock_sendmsg+0x5b/0x60 [ 225.198667] __sys_sendto+0xf0/0x160 [ 225.198671] ? handle_mm_fault+0xb2/0x280 [ 225.198676] ? do_user_addr_fault+0x1eb/0x690 [ 225.198680] __x64_sys_sendto+0x20/0x30 [ 225.198683] do_syscall_64+0x38/0x90 [ 225.198687] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 225.198693] RIP: 0033:0x7f7ae38ac3aa igc_ethtool_set_ringparam() copies the igc_ring structure but neglects to reset the xdp_rxq_info member before calling igc_setup_rx_resources(). This in turn calls xdp_rxq_info_reg() with an already registered xdp_rxq_info. Make sure to unregister the xdp_rxq_info structure first in igc_setup_rx_resources. Fixes: 73f1071c1d29 ("igc: Add support for XDP_TX action") Reported-by: Lennert Buytenhek Signed-off-by: Corinna Vinschen Acked-by: Vinicius Costa Gomes Tested-by: Dvora Fuxbrumer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 2b6a4a320e5f0fe91662983838baeca6a7200b81 Author: Naveen N. Rao Date: Fri Feb 4 17:05:19 2022 +0530 selftests/bpf: Use "__se_" prefix on architectures without syscall wrapper [ Upstream commit 046b841ea7c528931e7d2e74d5e668aa6c94c1fc ] On architectures that don't use a syscall wrapper, sys_* function names are set as an alias of __se_sys_* functions. Due to this, there is no BTF associated with sys_* function names. This results in some of the test progs failing to load. Set the SYS_PREFIX to "__se_" to fix this issue. Fixes: 38261f369fb905 ("selftests/bpf: Fix probe_user test failure with clang build kernel") Signed-off-by: Naveen N. Rao Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/013d632aacd3e41290445c0025db6a7055ec6e18.1643973917.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit cb72bf6d402491d9f0aa9c4c82efc2af483f5101 Author: Kenta Tada Date: Mon Jan 24 23:16:20 2022 +0900 selftests/bpf: Extract syscall wrapper [ Upstream commit 78a2054156dd6265619b230cc5372b74f9ba5233 ] Extract the helper to set up SYS_PREFIX for fentry and kprobe selftests that use __x86_sys_* attach functions. Suggested-by: Andrii Nakryiko Signed-off-by: Kenta Tada Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220124141622.4378-2-Kenta.Tada@sony.com Signed-off-by: Sasha Levin commit e21e302605e76e0a5b52a611468b685d34deb2bd Author: Mark Brown Date: Wed Feb 2 14:34:04 2022 +0000 mtd: mchp48l640: Add SPI ID table [ Upstream commit 69a6d06878f05d63673b0dcdc3c3ef1af2996d46 ] Currently autoloading for SPI devices does not use the DT ID table, it uses SPI modalises. Supporting OF modalises is going to be difficult if not impractical, an attempt was made but has been reverted, so ensure that module autoloading works for this driver by adding an id_table listing the SPI IDs for everything. Fixes: 96c8395e2166 ("spi: Revert modalias changes") Signed-off-by: Mark Brown Reviewed-by: Michael Walle Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220202143404.16070-4-broonie@kernel.org Signed-off-by: Sasha Levin commit d05cd4413741283ff299c067d33c2d90633fc68c Author: Mark Brown Date: Wed Feb 2 14:34:03 2022 +0000 mtd: mchp23k256: Add SPI ID table [ Upstream commit bc7ee2e34b219da6813c17a1680dd20766648883 ] Currently autoloading for SPI devices does not use the DT ID table, it uses SPI modalises. Supporting OF modalises is going to be difficult if not impractical, an attempt was made but has been reverted, so ensure that module autoloading works for this driver by adding an id_table listing the SPI IDs for everything. Fixes: 96c8395e2166 ("spi: Revert modalias changes") Signed-off-by: Mark Brown Reviewed-by: Michael Walle Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220202143404.16070-3-broonie@kernel.org Signed-off-by: Sasha Levin commit 24c8914db6f57e105afd8d2bdf47c40068675400 Author: Christophe JAILLET Date: Fri Aug 20 20:43:33 2021 +0200 i2c: bcm2835: Fix the error handling in 'bcm2835_i2c_probe()' [ Upstream commit b205f5850263632b6897d8f0bfaeeea4955f8663 ] Some resource should be released if an error occurs in 'bcm2835_i2c_probe()'. Add an error handling path and the needed 'clk_disable_unprepare()' and 'clk_rate_exclusive_put()' calls. While at it, rework the bottom of the function to use this newly added error handling path and have an explicit and more standard "return 0;" at the end of the normal path. Fixes: bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF") Signed-off-by: Christophe JAILLET [wsa: rebased] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 662ff765470ad0d11a1153d6d8e99d69a98e60b4 Author: Pavel Skripkin Date: Sun Feb 6 21:05:16 2022 +0300 net: asix: add proper error handling of usb read errors [ Upstream commit 920a9fa27e7805499cfe78491b36fed2322c02ec ] Syzbot once again hit uninit value in asix driver. The problem still the same -- asix_read_cmd() reads less bytes, than was requested by caller. Since all read requests are performed via asix_read_cmd() let's catch usb related error there and add __must_check notation to be sure all callers actually check return value. So, this patch adds sanity check inside asix_read_cmd(), that simply checks if bytes read are not less, than was requested and adds missing error handling of asix_read_cmd() all across the driver code. Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter") Reported-and-tested-by: syzbot+6ca9f7867b77c2d316ac@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Tested-by: Oleksij Rempel Reviewed-by: Greg Kroah-Hartman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6586273ef57fb9714a75ba5029b6b77f42efa9fb Author: Christophe Leroy Date: Mon Dec 20 16:38:02 2021 +0000 livepatch: Fix build failure on 32 bits processors [ Upstream commit 2f293651eca3eacaeb56747dede31edace7329d2 ] Trying to build livepatch on powerpc/32 results in: kernel/livepatch/core.c: In function 'klp_resolve_symbols': kernel/livepatch/core.c:221:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c:221:21: error: assignment to 'Elf32_Sym *' {aka 'struct elf32_sym *'} from incompatible pointer type 'Elf64_Sym *' {aka 'struct elf64_sym *'} [-Werror=incompatible-pointer-types] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c: In function 'klp_apply_section_relocs': kernel/livepatch/core.c:312:35: error: passing argument 1 of 'klp_resolve_symbols' from incompatible pointer type [-Werror=incompatible-pointer-types] 312 | ret = klp_resolve_symbols(sechdrs, strtab, symndx, sec, sec_objname); | ^~~~~~~ | | | Elf32_Shdr * {aka struct elf32_shdr *} kernel/livepatch/core.c:193:44: note: expected 'Elf64_Shdr *' {aka 'struct elf64_shdr *'} but argument is of type 'Elf32_Shdr *' {aka 'struct elf32_shdr *'} 193 | static int klp_resolve_symbols(Elf64_Shdr *sechdrs, const char *strtab, | ~~~~~~~~~~~~^~~~~~~ Fix it by using the right types instead of forcing 64 bits types. Fixes: 7c8e2bdd5f0d ("livepatch: Apply vmlinux-specific KLP relocations early") Signed-off-by: Christophe Leroy Acked-by: Petr Mladek Acked-by: Joe Lawrence Acked-by: Miroslav Benes Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/5288e11b018a762ea3351cc8fb2d4f15093a4457.1640017960.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 4c4c2471e1378c5b51df6989e85624d4fe49e970 Author: Thomas Bracht Laumann Jespersen Date: Mon Jan 31 12:20:28 2022 +0100 scripts/dtc: Call pkg-config POSIXly correct [ Upstream commit a8b309ce9760943486e0585285e0125588a31650 ] Running with POSIXLY_CORRECT=1 in the environment the scripts/dtc build fails, because pkg-config doesn't output anything when the flags come after the arguments. Fixes: 067c650c456e ("dtc: Use pkg-config to locate libyaml") Signed-off-by: Thomas Bracht Laumann Jespersen Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220131112028.7907-1-t@laumann.xyz Signed-off-by: Sasha Levin commit 0e3637e146769c8b493bdfcd0af27554c3016620 Author: Johannes Berg Date: Wed Feb 2 10:49:34 2022 +0200 mac80211: limit bandwidth in HE capabilities [ Upstream commit 1f2c104448477512fcf7296df54bfbc3a6f9a765 ] If we're limiting bandwidth for some reason such as regulatory restrictions, then advertise that limitation just like we do for VHT today, so the AP is aware we cannot use the higher BW it might be using. Fixes: 41cbb0f5a295 ("mac80211: add support for HE") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220202104617.70c8e3e7ee76.If317630de69ff1146bec7d47f5b83038695eb71d@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 796d5666f6422ddadc938fb888044fcc16f2dbe3 Author: Yonghong Song Date: Thu Feb 3 11:17:27 2022 -0800 bpf: Fix a btf decl_tag bug when tagging a function [ Upstream commit d7e7b42f4f956f2c68ad8cda87d750093dbba737 ] syzbot reported a btf decl_tag bug with stack trace below: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline] RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910 ... Call Trace: btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198 btf_check_all_types kernel/bpf/btf.c:4239 [inline] btf_parse_type_sec kernel/bpf/btf.c:4280 [inline] btf_parse kernel/bpf/btf.c:4513 [inline] btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047 bpf_btf_load kernel/bpf/syscall.c:4039 [inline] __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline] __se_sys_bpf kernel/bpf/syscall.c:4736 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The kasan error is triggered with an illegal BTF like below: type 0: void type 1: int type 2: decl_tag to func type 3 type 3: func to func_proto type 8 The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range. Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence handled properly in kernel. But func type doesn't have 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error. To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to accessing func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement 'resolve' callback func type properly. The 'resolve' callback will be also called in btf_check_all_types() for func types. Fixes: b5ea834dde6b ("bpf: Support for new btf kind BTF_KIND_TAG") Reported-by: syzbot+53619be9444215e785ed@syzkaller.appspotmail.com Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20220203191727.741862-1-yhs@fb.com Signed-off-by: Sasha Levin commit 3e4015af1a248a8b7fa6cc491795a0dcc38147ec Author: Tobias Waldekranz Date: Thu Feb 3 11:16:55 2022 +0100 net: dsa: mv88e6xxx: Enable port policy support on 6097 [ Upstream commit 585d42bb57bb358d48906660a8de273b078810b1 ] This chip has support for the same per-port policy actions found in later versions of LinkStreet devices. Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy") Signed-off-by: Tobias Waldekranz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c49eafe6249f844c26f9866886cc6719d81762df Author: Miroslav Lichvar Date: Wed Feb 2 10:33:55 2022 +0100 ptp: unregister virtual clocks when unregistering physical clock. [ Upstream commit bfcbb76b0f595ea9ede9f7a218086fef85242f10 ] When unregistering a physical clock which has some virtual clocks, unregister the virtual clocks with it. This fixes the following oops, which can be triggered by unloading a driver providing a PTP clock when it has enabled virtual clocks: BUG: unable to handle page fault for address: ffffffffc04fc4d8 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ptp_vclock_read+0x31/0xb0 Call Trace: timecounter_read+0xf/0x50 ptp_vclock_refresh+0x2c/0x50 ? ptp_clock_release+0x40/0x40 ptp_aux_kworker+0x17/0x30 kthread_worker_fn+0x9b/0x240 ? kthread_should_park+0x30/0x30 kthread+0xe2/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion") Signed-off-by: Miroslav Lichvar Acked-by: Richard Cochran Cc: Yangbo Lu Cc: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0c048b80d28ca43f72c9c92c0d577d6572275e13 Author: MeiChia Chiu Date: Thu Jan 27 21:32:26 2022 +0800 mt76: mt7915: fix the nss setting in bitrates [ Upstream commit c41d2a075206fcbdc89695b874a6ac06160b4f1a ] without this change, the fixed MCS only supports 1 Nss. Fixes: 70fd1333cd32f ("mt76: mt7915: rework .set_bitrate_mask() to support more options") Reviewed-by: Ryder Lee Signed-off-by: MeiChia Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit aec8848242a3e54eb40016278733728d41fd8d61 Author: Peter Chiu Date: Wed Jan 26 10:05:29 2022 +0800 mt76: mt7915: fix mcs_map in mt7915_mcu_set_sta_he_mcs() [ Upstream commit ade25ca7950bc8930356d98ec89aa41560a9dab5 ] Should use peer's bandwidth instead of chandef->width to get correct mcs_map. Fixes: 76be6c076c077 ("mt76: mt7915: add .set_bitrate_mask() callback") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit b301043384c5c2447357952be9a536c2026d8ad0 Author: Lorenzo Bianconi Date: Mon Jan 24 21:03:44 2022 +0100 mt76: mt7921s: fix a possible memory leak in mt7921_load_patch [ Upstream commit 11005b18f453aa192d035d410c11d07edcba5a45 ] Always release fw data at the end of mt7921_load_patch routine. Fixes: 78b217580c509 ("mt76: mt7921s: fix bus hang with wrong privilege") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit b334a245ff1d76b1e97af8cea648ea6798b9eb87 Author: Lorenzo Bianconi Date: Mon Jan 24 20:36:52 2022 +0100 mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta [ Upstream commit a43736cd12d82913102eb49cb56787a5553e028f ] Free allocated skb in mt7915_mcu_add_sta routine in case of failures. Fixes: 89bbd3730f382 ("mt76: mt7915: rework starec TLV tags") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5c2ef67f48372a25c04be5598a7ccd69d741515c Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:58 2022 +0100 mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update [ Upstream commit 6a6f457ed5fdf6777536c20644a9e42128a50ec2 ] Check sta_rates pointer value in mt7615_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 8295d129e53746bd5ffdaf6829c6e6471d52d110 Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:57 2022 +0100 mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update [ Upstream commit fc8e2c707ce11c8ec2e992885b0d53a5e04031ac ] Check sta_rates pointer value in mt7603_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: c8846e1015022 ("mt76: add driver for MT7603E and MT7628/7688") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 110c4be3fc8d9d7f28bb83e1dfc212625fd71074 Author: Sean Wang Date: Fri Jan 7 15:30:03 2022 +0800 mt76: mt7921e: fix possible probe failure after reboot [ Upstream commit 602cc0c9618a819ab00ea3c9400742a0ca318380 ] It doesn't guarantee the mt7921e gets started with ASPM L0 after each machine reboot on every platform. If mt7921e gets started with not ASPM L0, it would be possible that the driver encounters time to time failure in mt7921_pci_probe, like a weird chip identifier is read [ 215.514503] mt7921e 0000:05:00.0: ASIC revision: feed0000 [ 216.604741] mt7921e: probe of 0000:05:00.0 failed with error -110 or failing to init hardware because the driver is not allowed to access the register until the device is in ASPM L0 state. So, we call __mt7921e_mcu_drv_pmctrl in early mt7921_pci_probe to force the device to bring back to the L0 state for we can safely access registers in any case. In the patch, we move all functions from dma.c to pci.c and register mt76 bus operation earilier, that is the __mt7921e_mcu_drv_pmctrl depends on. Fixes: bf3747ae2e25 ("mt76: mt7921: enable aspm by default") Reported-by: Kai-Chuan Hsieh Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 0c151aa574d716ce1096edf0c471473ec657d31a Author: Leon Yen Date: Fri Jan 7 03:50:10 2022 +0800 mt76: mt7921s: fix mt7921s_mcu_[fw|drv]_pmctrl [ Upstream commit b12deb5e86fa36dc6f3aa3321f5da27addec4f1f ] According to the firmware behavior (even the oldest one in linux-firmware) If the firmware is downloaded, MT7921S must rely on the additional mailbox mechanism that resides in firmware to check if the device is the right state for mt7921s_mcu_[fw|drv]_pmctrl. Otherwise, we still apply the old way for that. That is a necessary patch before we enable runtime pm for mt7921s as default. Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Leon Yen Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6b84089d6baa1ff09a6c5813617d35ba37415a6a Author: Peter Chiu Date: Thu Jan 6 14:20:57 2022 +0800 mt76: mt7921: fix ht mcs in mt7921_mac_add_txs_skb() [ Upstream commit b1fe07ed21024f64719315ba0f3a5676d8b36db6 ] The mcs value of HT mode reported by mt7921_mac_add_txs_skb() has already been converted to the expected format. Fixes: 970ab80ef9f63 ("mt76: mt7921: report tx rate directly from tx status") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit c72c4690aee8134acc4c04a27b2db11d14680a11 Author: Peter Chiu Date: Thu Jan 6 14:20:56 2022 +0800 mt76: mt7915: fix ht mcs in mt7915_mac_add_txs_skb() [ Upstream commit d8e4e8d148fb68858d6a997d88a87a2c615629ce ] The mcs value of HT mode reported by mt7915_mac_add_txs_skb() has already been converted to the expected format. Fixes: 9908d98ae72cd ("mt76: mt7915: report tx rate directly from tx status") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit db0d4b78f3f627ea483b13948f965007cc5f4ccd Author: Lorenzo Bianconi Date: Thu Dec 30 21:47:06 2021 +0100 mt76: mt7615: fix a leftover race in runtime-pm [ Upstream commit 42ce8d3b623162f3248db50a38359f294e6b06fd ] Fix a possible race in mt7615_pm_power_save_work() if rx/tx napi schedules ps_work and we are currently accessing device register on a different cpu. Fixes: db928f1ab9789 ("mt76: mt7663: rely on mt76_connac_pm_ref/mt76_connac_pm_unref in tx/rx napi") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 299d5320d48482d2937d5cecf5678d118847faf5 Author: Lorenzo Bianconi Date: Thu Dec 30 21:47:05 2021 +0100 mt76: mt7921: fix a leftover race in runtime-pm [ Upstream commit 591cdccebdd4d02eb46d400dea911136400cc567 ] Fix a possible race in mt7921_pm_power_save_work() if rx/tx napi schedules ps_work and we are currently accessing device register on a different cpu. Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 7769c1899d157ee1c9f49a7215804b509a526d1a Author: Lorenzo Bianconi Date: Fri Dec 31 12:36:02 2021 +0100 mt76: mt7921: do not always disable fw runtime-pm [ Upstream commit b44eeb8cbdf2b88f2844f11e4f263b0abed5b5b0 ] After commit 'd430dffbe9dd ("mt76: mt7921: fix a possible race enabling/disabling runtime-pm")', runtime-pm is always disabled in the fw even if the user requests to enable it toggling debugfs node since mt7921_pm_interface_iter routine will use pm->enable to configure the fw. Fix the issue moving enable variable configuration before running mt7921_pm_interface_iter routine. Fixes: d430dffbe9dd ("mt76: mt7921: fix a possible race enabling/disabling runtime-pm") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit fb1d7f3b116bd7e2eb1d5c4ea4babc9a418a7d83 Author: Sean Wang Date: Fri Dec 24 16:33:56 2021 +0800 mt76: mt7921: set EDCA parameters with the MCU CE command [ Upstream commit 66ca1a7b2d5503f561b751abdd6ec6fa96343eb6 ] The command MCU_EXT_CMD_EDCA_UPDATE is not fully supported by the MT7921 firmware, so we apply CE command MCU_CE_CMD_SET_EDCA_PARAMS instead which is supported even in the oldest firmware to properly set up EDCA parameters for each AC. Fixes: 1c099ab44727 ("mt76: mt7921: add MCU support") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4c6456bf3181c57eb32ba97bc91d6339c3f569a9 Author: Sean Wang Date: Fri Dec 24 16:33:55 2021 +0800 mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error [ Upstream commit bf9727a27442a50c75b7d99a5088330c578b2a42 ] Fixed an MCU_CE_CMD_SET_ROC definition error that occurred from a previous refactor work. Fixes: d0e274af2f2e4 ("mt76: mt76_connac: create mcu library") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 71a8b19982f5292d1650aebe581ba6d799a056a7 Author: Lorenzo Bianconi Date: Wed Dec 22 17:06:36 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv [ Upstream commit abdb8bc94be4cf68aa71c9a8ee0bad9b3e6f52d3 ] Similar to mt7915_mcu_wtbl_generic_tlv, rely on vif->bss_conf.aid for aid in sta mode and not on sta->aid. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5922dbab07147befc56d1899b2db322e7be56fce Author: Lorenzo Bianconi Date: Wed Dec 22 12:52:17 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode [ Upstream commit a56b1b0f145ef2d6bb9312dedf3ab8558ef50a5b ] mac80211 provides aid in vif->bss_conf.aid for sta mode and not in sta->aid. Fix mt7915_mcu_wtbl_generic_tlv routine using proper value for aid in sta mode. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 61d29dca367c4b3ed6cc4fcccd10f90d3e5ae52c Author: Lorenzo Bianconi Date: Sun Dec 19 18:40:06 2021 +0100 mt76: connac: fix sta_rec_wtbl tag len [ Upstream commit 74c337ec0905d99111fc63a15f2e0784b9ed5503 ] Similar to mt7915 driver, fix tag len error for sta_rec_wtbl, which causes fw parsing error for the tags placed behind it. Fixes: d0e274af2f2e4 ("mt76: mt76_connac: create mcu library") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit ff3f17791f0fc87b1505ed81d74e2314d39dfe58 Author: Athira Rajeev Date: Wed Feb 2 09:48:37 2022 +0530 powerpc/perf: Don't use perf_hw_context for trace IMC PMU [ Upstream commit 0198322379c25215b2778482bf1221743a76e2b5 ] Trace IMC (In-Memory collection counters) in powerpc is useful for application level profiling. For trace_imc, presently task context (task_ctx_nr) is set to perf_hw_context. But perf_hw_context should only be used for CPU PMU. See commit 26657848502b ("perf/core: Verify we have a single perf_hw_context PMU"). So for trace_imc, even though it is per thread PMU, it is preferred to use sw_context in order to be able to do application level monitoring. Hence change the task_ctx_nr to use perf_sw_context. Fixes: 012ae244845f ("powerpc/perf: Trace imc PMU functions") Signed-off-by: Athira Rajeev Reviewed-by: Madhavan Srinivasan [mpe: Update subject & incorporate notes into change log, reflow comment] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220202041837.65968-1-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit bbbf7dba0fee7f45fe3f342aa8103cbc8dde53b1 Author: Fabiano Rosas Date: Tue Jan 25 12:57:32 2022 -0300 KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init [ Upstream commit 69ab6ac380a00244575de02c406dcb9491bf3368 ] The return of the function is being shadowed by the call to kvmppc_uvmem_init. Fixes: ca9f4942670c ("KVM: PPC: Book3S HV: Support for running secure guests") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125155735.1018683-2-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit 714865b25696314afb15fe384c4c320619e746cf Author: Maxim Kiselev Date: Fri Jan 21 12:14:47 2022 +0300 powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch [ Upstream commit 5ebb74749202a25da4b3cc2eb15470225a05527c ] On board rev A, the network interface labels for the switch ports written on the front panel are different than on rev B and later. This patch fixes network interface names for the switch ports according to labels that are written on the front panel of the board rev B. They start from ETH3 and end at ETH10. This patch also introduces a separate device tree for rev A. The main device tree is supposed to cover rev B and later. Fixes: e69eb0824d8c ("powerpc: dts: t1040rdb: add ports for Seville Ethernet switch") Signed-off-by: Maxim Kiselev Reviewed-by: Maxim Kochetkov Reviewed-by: Vladimir Oltean Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220121091447.3412907-1-bigunclemax@gmail.com Signed-off-by: Sasha Levin commit 0c0411b99e634ecd6ca05993dd7a686828750484 Author: Jiasheng Jiang Date: Thu Dec 30 10:29:26 2021 +0800 ray_cs: Check ioremap return value [ Upstream commit 7e4760713391ee46dc913194b33ae234389a174e ] As the possible failure of the ioremap(), the 'local->sram' and other two could be NULL. Therefore it should be better to check it in order to avoid the later dev_dbg. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jiasheng Jiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211230022926.1846757-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit ec595a1f8cbae5b1a71dbe8b570c9f9f173bb41d Author: Miaoqian Lin Date: Thu Jan 20 10:46:54 2022 +0000 power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe [ Upstream commit ba18dad0fb880cd29aa97b6b75560ef14d1061ba ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: f7a388d6cd1c ("power: reset: Add a driver for the Gemini poweroff") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 946d9be522dcaec6d02e652ebb027a5d901eac17 Author: Alexander Lobakin Date: Wed Dec 8 15:07:02 2021 +0100 ixgbe: respect metadata on XSK Rx to skb [ Upstream commit f322a620be69e95594eda89502b478aa7dbf6ec2 ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match ixgbe_construct_skb(). Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 7689483cf089be1521cc7a8367cbe0f7aca4776a Author: Alexander Lobakin Date: Wed Dec 8 15:07:01 2021 +0100 ixgbe: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit 8f405221a73a53234486c185d8ef647377a53cc6 ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, ixgbe_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e2225fccce7d65a152887d0b49622d56cb0851c2 Author: Alexander Lobakin Date: Wed Dec 8 15:07:00 2021 +0100 ixgbe: pass bi->xdp to ixgbe_construct_skb_zc() directly [ Upstream commit 1fbdaa13386804a31eefd3db3c5fe00e80ce9bc3 ] To not dereference bi->xdp each time in ixgbe_construct_skb_zc(), pass bi->xdp as an argument instead of bi. We can also call xsk_buff_free() outside of the function as well as assign bi->xdp to NULL, which seems to make it closer to its name. Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit f0252b99631e4acaf8cd533713f5eb95a7cc70a4 Author: Alexander Lobakin Date: Wed Dec 8 15:06:59 2021 +0100 igc: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit f9e61d365bafdee40fe2586fc6be490c3e824dad ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, igc_construct_skb_zc() currently allocates and reserves additional `xdp->data_meta - xdp->data_hard_start`, which is about XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only (+ meta) to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Also, net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match igc_construct_skb(). Fixes: fc9df2a0b520 ("igc: Enable RX via AF_XDP zero-copy") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Nechama Kraus Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit c6e90d582b2d66be616e0e1f9d9f011f1bb029f0 Author: Alexander Lobakin Date: Wed Dec 8 15:06:58 2021 +0100 ice: respect metadata on XSK Rx to skb [ Upstream commit 45a34ca68070e34e09d5bf4309f7f1f286a27fc7 ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match ice_construct_skb(). Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit dad74ceef47ff578c1103b9c6369ae1156b63050 Author: Alexander Lobakin Date: Wed Dec 8 15:06:57 2021 +0100 ice: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit dc44572d195e10ec41a03e09b3b5addab4af5cea ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, ice_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b0a197e4221bb2d67302402353452b45ec75e409 Author: Alexander Lobakin Date: Wed Dec 8 15:06:55 2021 +0100 i40e: respect metadata on XSK Rx to skb [ Upstream commit 6dba29537c0f639b482bd8f8bbd50ab4ae74b48d ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match i40e_construct_skb(). Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit a831a61524a24a06f3b768b57c1a931964a623ae Author: Alexander Lobakin Date: Wed Dec 8 15:06:54 2021 +0100 i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit bc97f9c6f988b31b728eb47a94ca825401dbeffe ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, i40e_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Acked-by: Jesper Dangaard Brouer Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit ff809d6367355c3fbf3de8aec832969872c01a5c Author: Christophe JAILLET Date: Sat Jan 29 16:06:24 2022 +0100 drm/bridge: lt9611: Fix an error handling path in lt9611_probe() [ Upstream commit 9987151a90567785beebcbd5c8ac58d05f254137 ] If lt9611_audio_init() fails, some resources still need to be released before returning an error code. Add the missing goto the error handling path. Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge") Signed-off-by: Christophe JAILLET Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/9c20eb74d42f6d4128e58e3e46aa320482472b77.1643468761.git.christophe.jaillet@wanadoo.fr Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit ec5da191bfcd5fd22b95459b623694f66c1cc10b Author: Po-Hao Huang Date: Fri Jan 21 15:08:13 2022 +0800 rtw88: fix memory overrun and memory leak during hw_scan [ Upstream commit d95984b5580dcb8b1c0036577c52b609990a1dab ] Previously we allocated less memory than actual required, overwrite to the buffer causes the mm module to complaint and raise access violation faults. Along with potential memory leaks when returned early. Fix these by passing the correct size and proper deinit flow. Fixes: 10d162b2ed39 ("rtw88: 8822c: add ieee80211_ops::hw_scan") Signed-off-by: Po-Hao Huang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220121070813.9656-4-pkshih@realtek.com Signed-off-by: Sasha Levin commit 2dbd48fd5d19d37616455631bf76869c88f8598b Author: Po-Hao Huang Date: Fri Jan 21 15:08:12 2022 +0800 rtw88: fix idle mode flow for hw scan [ Upstream commit c17f27167b4cb4988ae035fb8dce0c314e9de155 ] Upon hw scan completion, idle mode is not re-entered. This might increase power consumption under no link mode. Fix this by adding the re-enter flow. We need another work for this since enter_ips waits for c2h_work to finish, which might lead to deadlock if caller is in the same work. Fixes: 10d162b2ed39 ("rtw88: 8822c: add ieee80211_ops::hw_scan") Signed-off-by: Po-Hao Huang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220121070813.9656-3-pkshih@realtek.com Signed-off-by: Sasha Levin commit 487e8f68ae101bdfa708aacab58c3598e04ce9bd Author: Muhammad Usama Anjum Date: Fri Jan 21 15:08:11 2022 +0800 rtw88: check for validity before using a pointer [ Upstream commit a12f809968dbf46ce2a6bc94463db8d431bb75fc ] ieee80211_probereq_get() can return NULL. Pointer skb should be checked for validty before use. If it is not valid, list of skbs needs to be freed. Fixes: 10d162b2ed39 ("rtw88: 8822c: add ieee80211_ops::hw_scan") Signed-off-by: Muhammad Usama Anjum Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220121070813.9656-2-pkshih@realtek.com Signed-off-by: Sasha Levin commit e1b5ddc06f1e27b49163b5e6c68b139774b088d0 Author: Gerhard Engleder Date: Sun Jan 30 10:54:22 2022 +0100 selftests/net: timestamping: Fix bind_phc check [ Upstream commit 678dfd5280341d877ca646499bfdc82a3d8b4356 ] timestamping checks socket options during initialisation. For the field bind_phc of the socket option SO_TIMESTAMPING it expects the value -1 if PHC is not bound. Actually the value of bind_phc is 0 if PHC is not bound. This results in the following output: SIOCSHWTSTAMP: tx_type 0 requested, got 0; rx_filter 0 requested, got 0 SO_TIMESTAMP 0 SO_TIMESTAMPNS 0 SO_TIMESTAMPING flags 0, bind phc 0 not expected, flags 0, bind phc -1 This is fixed by setting default value and expected value of bind_phc to 0. Fixes: 2214d7032479 ("selftests/net: timestamping: support binding PHC") Signed-off-by: Gerhard Engleder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ed45ce503ca932b06cce2bf5ea142b5b63b6f2ff Author: Fabiano Rosas Date: Tue Jan 25 18:56:52 2022 -0300 KVM: PPC: Fix vmx/vsx mixup in mmio emulation [ Upstream commit b99234b918c6e36b9aa0a5b2981e86b6bd11f8e2 ] The MMIO emulation code for vector instructions is duplicated between VSX and VMX. When emulating VMX we should check the VMX copy size instead of the VSX one. Fixes: acc9eb9305fe ("KVM: PPC: Reimplement LOAD_VMX/STORE_VMX instruction ...") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125215655.1026224-3-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit 16ad5b3013ac41803ac1b4e8c842d2e64a9f8d5e Author: Maor Gottlieb Date: Tue Jan 18 09:35:02 2022 +0200 RDMA/core: Set MR type in ib_reg_user_mr [ Upstream commit 32a88d16615c2be295571c29273c4ac94cb75309 ] Add missing assignment of MR type to IB_MR_TYPE_USER. Fixes: 33006bd4f37f ("IB/core: Introduce ib_reg_user_mr") Link: https://lore.kernel.org/r/be2e91bcd6e52dc36be289ae92f30d3a5cc6dcb1.1642491047.git.leonro@nvidia.com Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 3a3d93349c61e597bf7c8bb0f05ed11fa55a102e Author: Wen Gong Date: Tue Jan 18 22:42:11 2022 -0500 ath11k: set WMI_PEER_40MHZ while peer assoc for 6 GHz [ Upstream commit 1cb747192de2edb7e55920af8c458e4792908486 ] When station connect to AP of 6 GHz with 40 MHz bandwidth, the TX is always stay 20 MHz, it is because the flag WMI_PEER_40MHZ is not set while peer assoc. Add the flag if remote peer is 40 MHz bandwidth. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2 Fixes: c3a7d7eb4c98 ("ath11k: add 6 GHz params in peer assoc command") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220119034211.28622-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit 5abf2b761b998063f5e2bae93fd4ab10e2a80f10 Author: Pavel Skripkin Date: Wed Jan 19 10:52:37 2022 +0200 ath9k_htc: fix uninit value bugs [ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ] Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com Signed-off-by: Sasha Levin commit 675274a87a61777488a72f1299e3f332ce1e4101 Author: Hangbin Liu Date: Tue Jan 25 16:17:11 2022 +0800 selftests/bpf/test_xdp_redirect_multi: use temp netns for testing [ Upstream commit cec74489a8dee93053340ec88ea938ff4008c3c0 ] Use temp netns instead of hard code name for testing in case the netns already exists. Remove the hard code interface index when creating the veth interfaces. Because when the system loads some virtual interface modules, e.g. tunnels. the ifindex of 2 will be used and the cmd will fail. As the netns has not created if checking environment failed. Trap the clean up function after checking env. Fixes: 8955c1a32987 ("selftests/bpf/xdp_redirect_multi: Limit the tests in netns") Signed-off-by: Hangbin Liu Acked-by: William Tu Link: https://lore.kernel.org/r/20220125081717.1260849-2-liuhangbin@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 1503899b2bceed6fb747943ba3ed266d78716384 Author: Robert Hancock Date: Tue Jan 25 10:54:08 2022 -0600 net: phy: at803x: move page selection fix to config_init [ Upstream commit 4f3a00c7f5b2cfe4e127fd3fe49b55e1b318c01f ] The fix to select the copper page on AR8031 was being done in the probe function rather than config_init, so it would not be redone after resume from suspend. Move this to config_init so it is always redone when needed. Fixes: c329e5afb42f ("net: phy: at803x: select correct page on config init") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 341fb81e86db42ed17eac3507d180c737c2e3e5e Author: Tom Rix Date: Mon Jan 24 12:18:12 2022 -0800 drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function [ Upstream commit 430e6a0212b2a0eb1de5e9d47a016fa79edf3978 ] clang static analysis reports this represenative problem amdgpu_smu.c:144:18: warning: The left operand of '*' is a garbage value return clk_freq * 100; ~~~~~~~~ ^ If there is no get_dpm_ultimate_freq function, smu_get_dpm_freq_range returns success without setting the output min,max parameters. So return an -ENOTSUPP error. Fixes: e5ef784b1e17 ("drm/amd/powerplay: revise calling chain on retrieving frequency range") Signed-off-by: Tom Rix Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 639b3b9def0a6a3f316a195d705d14113236e89c Author: Zhou Qingyang Date: Tue Jan 25 00:57:29 2022 +0800 drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes() [ Upstream commit 588a70177df3b1777484267584ef38ab2ca899a2 ] In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode() is assigned to mode and is passed to drm_mode_probed_add() directly after that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and there is a dereference of it in list_add_tail() without recoveries, which could lead to NULL pointer dereference on failure of amdgpu_dm_create_common_mode(). Fix this by adding a NULL check of mode. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm") Signed-off-by: Zhou Qingyang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a28b7b6a0c827ce672edcdb5b2b5916b0beebe03 Author: Nicholas Kazlauskas Date: Mon Jan 24 13:50:49 2022 -0500 drm/amd/display: Call dc_stream_release for remove link enc assignment [ Upstream commit f2bde8349c35d01d7c50456ea06a5c7d5e0e5ed0 ] [Why] A porting error resulted in the stream assignment for the link being retained without being released - a memory leak. [How] Fix the porting error by adding back the dc_stream_release() intended as part of the original patch. Fixes: 0bb245558584 ("drm/amd/display: retain/release at proper places in link_enc assignment") Signed-off-by: Nicholas Kazlauskas Reviewed-by: Harry Wentland Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ff4b32f60c5cf11e9cbd0427b29c8461788b3da8 Author: Zhou Qingyang Date: Tue Jan 25 00:58:55 2022 +0800 drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() [ Upstream commit 2343bcdb4747d4f418a4daf2e898b94f86c24a59 ] In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly passed to memcpy(), which could lead to undefined behavior on failure of kmalloc(). Fix this bug by using kmemdup() instead of kmalloc()+memcpy(). This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"") Signed-off-by: Zhou Qingyang Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220124165856.57022-1-zhou1615@umn.edu Signed-off-by: Sasha Levin commit 851bad5837cb25daef32de210ff6a9d596c26d3c Author: Luiz Augusto von Dentz Date: Tue Jan 25 10:53:05 2022 -0800 Bluetooth: hci_event: Fix HCI_EV_VENDOR max_len [ Upstream commit 314d8cd2787418c5ac6b02035c344644f47b292b ] HCI_EV_VENDOR is in fact variable length since it acts as metaevent where a vendor can implement their own event sets. In addition to it this makes use of bt_dev_warn_ratelimited to supress the amount of logging in case the event has more data than expected. Fixes: 3e54c5890c87 ("Bluetooth: hci_event: Use of a function table to handle HCI event") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e1f2a4dd8d433eec393d09273a78a3d3551339cf Author: Tobias Waldekranz Date: Mon Jan 24 22:09:44 2022 +0100 net: dsa: Avoid cross-chip syncing of VLAN filtering [ Upstream commit 108dc8741c203e9d6ce4e973367f1bac20c7192b ] Changes to VLAN filtering are not applicable to cross-chip notifications. On a system like this: .-----. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-' '-1-2-' '-1-2-' Before this change, upon sw1p1 leaving a bridge, a call to dsa_port_vlan_filtering would also be made to sw2p1 and sw3p1. In this scenario: .---------. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-3-4-' '-1-2-' '-1-2-' When sw1p4 would leave a bridge, dsa_port_vlan_filtering would be called for sw2 and sw3 with a non-existing port - leading to array out-of-bounds accesses and crashes on mv88e6xxx. Fixes: d371b7c92d19 ("net: dsa: Unset vlan_filtering when ports leave the bridge") Signed-off-by: Tobias Waldekranz Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1217bfe1fa4239a303d032b34fa992cd8e6cd61c Author: Tobias Waldekranz Date: Mon Jan 24 22:09:43 2022 +0100 net: dsa: Move VLAN filtering syncing out of dsa_switch_bridge_leave [ Upstream commit 381a730182f1d174e1950cd4e63e885b1c302051 ] Most of dsa_switch_bridge_leave was, in fact, dealing with the syncing of VLAN filtering for switches on which that is a global setting. Separate the two phases to prepare for the cross-chip related bugfix in the following commit. Signed-off-by: Tobias Waldekranz Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b1a7046c275c47323dc98526d7ebd27e54049c6b Author: Brett Creeley Date: Mon Jan 24 10:53:04 2022 -0800 ionic: Correctly print AQ errors if completions aren't received [ Upstream commit bc43ed4f35abfdb1d52311110d49b545fccce975 ] Recent changes went into the driver to allow flexibility when printing error messages. Unfortunately this had the unexpected consequence of printing confusing messages like the following: IONIC_CMD_RX_FILTER_ADD (31) failed: IONIC_RC_SUCCESS (-6) In cases like this the completion of the admin queue command never completes, so the completion status is 0, hence IONIC_RC_SUCCESS is printed even though the command clearly failed. For example, this could happen when the driver tries to add a filter and at the same time the FW goes through a reset, so the AQ command never completes. Fix this by forcing the FW completion status to IONIC_RC_ERROR in cases where we never get the completion. Fixes: 8c9d956ab6fb ("ionic: allow adminq requests to override default error message") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 391fd5fbca8ee10c0e9eaeb14bfb32fc24b2f9b8 Author: Shannon Nelson Date: Mon Jan 24 10:53:03 2022 -0800 ionic: fix up printing of timeout error [ Upstream commit 4cc787bd88be6974f3362fa49fd8c5609bd039b8 ] Make sure we print the TIMEOUT string if we had a timeout error, rather than printing the wrong status. Fixes: 8c9d956ab6fb ("ionic: allow adminq requests to override default error message") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a82fed5cc2b24964eceaa789471b30e6233b634e Author: Brett Creeley Date: Mon Jan 24 10:53:00 2022 -0800 ionic: Don't send reset commands if FW isn't running [ Upstream commit b8fd0271dad00b953caaabe73474788d3d19e252 ] It's possible the FW is already shutting down while the driver is being removed and/or when the driver is going through reset. This can cause unexpected/unnecessary errors to be printed: eth0: DEV_CMD IONIC_CMD_PORT_RESET (12) error, IONIC_RC_ERROR (29) failed eth1: DEV_CMD IONIC_CMD_RESET (3) error, IONIC_RC_ERROR (29) failed Fix this by checking the FW status register before issuing the reset commands. Also, since err may not be assigned in ionic_port_reset(), assign it a default value of 0, and remove an unnecessary log message. Fixes: fbfb8031533c ("ionic: Add hardware init and device commands") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6d78cf636ee46088e30954dfb784a6882e14d7ce Author: Shannon Nelson Date: Mon Jan 24 10:52:58 2022 -0800 ionic: start watchdog after all is setup [ Upstream commit 9ad2939a1525962a79a2fd974ec7e3a71455b964 ] The watchdog expects the lif to fully exist when it goes off, so lets not start the watchdog until all is ready in case there is some quirky time dialation that makes probe take multiple seconds. Fixes: 089406bc5ad6 ("ionic: add a watchdog timer to monitor heartbeat") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f81cc470cca8884338512f6c26fd3a242d8e54f7 Author: Shannon Nelson Date: Mon Jan 24 10:52:57 2022 -0800 ionic: fix type complaint in ionic_dev_cmd_clean() [ Upstream commit bc0bf9de6f48268f4ee59e57fb42ac751be3ecda ] Sparse seems to have gotten a little more picky lately and we need to revisit this bit of code to make sparse happy. warning: incorrect type in initializer (different address spaces) expected union ionic_dev_cmd_regs *regs got union ionic_dev_cmd_regs [noderef] __iomem *dev_cmd_regs warning: incorrect type in argument 2 (different address spaces) expected void [noderef] __iomem * got unsigned int * warning: incorrect type in argument 1 (different address spaces) expected void volatile [noderef] __iomem * got union ionic_dev_cmd * Fixes: d701ec326a31 ("ionic: clean up sparse complaints") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d677c9052e79f578d69f7d258b1a1bb71408e10f Author: Maxime Ripard Date: Thu Jan 20 16:16:12 2022 +0100 drm/edid: Split deep color modes between RGB and YUV444 [ Upstream commit 4adc33f36d80489339f1b43dfeee96bb9ea8e459 ] The current code assumes that the RGB444 and YUV444 formats are the same, but the HDMI 2.0 specification states that: The three DC_XXbit bits above only indicate support for RGB 4:4:4 at that pixel size. Support for YCBCR 4:4:4 in Deep Color modes is indicated with the DC_Y444 bit. If DC_Y444 is set, then YCBCR 4:4:4 is supported for all modes indicated by the DC_XXbit flags. So if we have YUV444 support and any DC_XXbit flag set but the DC_Y444 flag isn't, we'll assume that we support that deep colour mode for YUV444 which breaks the specification. In order to fix this, let's split the edid_hdmi_dc_modes field in struct drm_display_info into two fields, one for RGB444 and one for YUV444. Suggested-by: Ville Syrjälä Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") Signed-off-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-4-maxime@cerno.tech Signed-off-by: Sasha Levin commit 776af0628a5c2186f7d14a04b87885f8dd688ddb Author: Maxime Ripard Date: Thu Jan 20 16:16:11 2022 +0100 drm/edid: Don't clear formats if using deep color [ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ] The current code, when parsing the EDID Deep Color depths, that the YUV422 cannot be used, referring to the HDMI 1.3 Specification. This specification, in its section 6.2.4, indeed states: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is not permitted for any Deep Color mode. This indeed can be interpreted like the code does, but the HDMI 1.4 specification further clarifies that statement in its section 6.2.4: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is also 36-bit mode but does not require the further use of the Deep Color modes described in section 6.5.2 and 6.5.3. This means that, even though YUV422 can be used with 12 bit per color, it shouldn't be treated as a deep color mode. This is also broken with YUV444 if it's supported by the display, but DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear color_formats of the YUV444 support set previously in drm_parse_cea_ext(), but will not set it back. Since the formats supported are already setup properly in drm_parse_cea_ext(), let's just remove the code modifying the formats in drm_parse_hdmi_deep_color_info() Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") Signed-off-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech Signed-off-by: Sasha Levin commit 49e53274845bbf8ea2ec7a906303327397c63d54 Author: Magnus Karlsson Date: Fri Jan 21 13:35:08 2022 +0100 selftests, xsk: Fix rx_full stats test [ Upstream commit b4ec6a19231224f6b08dc54ea07da4c4090e8ee3 ] Fix the rx_full stats test so that it correctly reports pass even when the fill ring is not full of buffers. Fixes: 872a1184dbf2 ("selftests: xsk: Put the same buffer only once in the fill ring") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Tested-by: Maciej Fijalkowski Acked-by: Maciej Fijalkowski Link: https://lore.kernel.org/bpf/20220121123508.12759-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit 4b2eed1d1ee8f26a4844c17c5032a11ae680b113 Author: Dario Binacchi Date: Tue Jan 18 10:54:32 2022 +0100 mtd: rawnand: gpmi: fix controller timings setting [ Upstream commit 2970bf5a32f079e1e9197411db4fe9faccb1503a ] Set the controller registers according to the real clock rate. The controller registers configuration (setup, hold, timeout, ... cycles) depends on the clock rate of the GPMI. Using the real rate instead of the ideal one, avoids that this inaccuracy (required_rate - real_rate) affects the registers setting. This patch has been tested on two custom boards with i.MX28 and i.MX6 SOCs: - i.MX28: required rate 100MHz, real rate 99.3MHz - i.MX6 required rate 100MHz, real rate 99MHz Fixes: b1206122069a ("mtd: rawnand: gpmi: use core timings instead of an empirical derivation") Co-developed-by: Michael Trimarchi Signed-off-by: Michael Trimarchi Signed-off-by: Dario Binacchi Tested-by: Sascha Hauer Reviewed-by: Sascha Hauer Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220118095434.35081-3-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit a9788acda5c705ff52f69a726da00109951eb1d9 Author: Jiasheng Jiang Date: Wed Jan 5 00:26:58 2022 +0800 mtd: onenand: Check for error irq [ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ] For the possible failure of the platform_get_irq(), the returned irq could be error number and will finally cause the failure of the request_irq(). Consider that platform_get_irq() can now in certain cases return -EPROBE_DEFER, and the consequences of letting request_irq() effectively convert that into -EINVAL, even at probe time rather than later on. So it might be better to check just now. Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support") Signed-off-by: Jiasheng Jiang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 43f3937325ee61233d37d25acc6ed56a56a8dfc2 Author: Sean Wang Date: Wed Jan 12 15:39:17 2022 +0800 Bluetooth: btmtksdio: mask out interrupt status [ Upstream commit db3f1f9b5d88d8d7f9eaa486f71784dd319285ff ] Currently, there is a loop in btmtksdio_txrx_work() which iteratively executes until the variable int_status is zero. But the variable int_status should be masked out with the actual interrupt sources (MTK_REG_CHISR bit 0-15) before we check the loop condition. Otherwise, RX_PKT_LEN (MTK_REG_CHISR bit 16-31) which is read-only and unclearable would cause the loop to get stuck on some chipsets like MT7663s. Fixes: 26270bc189ea ("Bluetooth: btmtksdio: move interrupt service to work") Signed-off-by: Sean Wang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit d02375eca312b8957224645311cb589bcd2ad999 Author: Mark Chen Date: Wed Jan 12 15:39:14 2022 +0800 Bluetooth: mt7921s: fix btmtksdio_[drv|fw]_pmctrl() [ Upstream commit 01ecc177b7d7ba055b79645e60e89385736ef2fc ] According to the firmware behavior (even the oldest one in linux-firmware) If the firmware is downloaded, MT7921S must rely on the additional mailbox mechanism that resides in firmware to check if the device is the right state for btmtksdio_mcu_[drv|fw]_pmctrl(). Otherwise, we still apply the old way for that. That is a necessary patch before we enable runtime pm for mt7921s as default. Fixes: c603bf1f94d0 ("Bluetooth: btmtksdio: add MT7921s Bluetooth support") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Mark Chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e41432428bb99aa265f5e58077e9de8a7d37014e Author: Mark Chen Date: Wed Jan 12 15:39:12 2022 +0800 Bluetooth: btmtksdio: refactor btmtksdio_runtime_[suspend|resume]() [ Upstream commit c7e301d7c85544607ccc52ca5f26d20c59485342 ] Refactor btmtksdio_runtime_[suspend|resume]() to create the common funcitons btmtksdio_[fw|drv]_pmctrl() shared with btmtksdio_[open|close]() to avoid the redundant code as well. This is also a prerequisite patch for the incoming patches. Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Mark Chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 323fe673d92d43bbc34f958d222b401335a0e2c3 Author: Mark Chen Date: Wed Jan 12 15:39:13 2022 +0800 Bluetooth: mt7921s: fix bus hang with wrong privilege [ Upstream commit 752aea58489fd42f5c54dc50cb098d19e486ae61 ] According to chip hw flow, mt7921s need to re-acquire privilege again before normal running. Otherwise, the bus may be stuck in an abnormal status. Fixes: c603bf1f94d0 ("Bluetooth: btmtksdio: add MT7921s Bluetooth support") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Mark Chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c20594254ebaa4048564cac30254c0f7391acdbd Author: Mark Chen Date: Wed Jan 12 15:39:11 2022 +0800 Bluetooth: mt7921s: fix firmware coredump retrieve [ Upstream commit 2fc967cc0dadad6735448cfbcbc77fe0ea30203d ] According to the MCU firmware behavior, as the driver is aware of the notification of the interrupt source FW_MAILBOX_INT that shows the MCU completed delivered a core dump piece to the host, the driver must acknowledge the MCU with the register PH2DSM0R bit PH2DSM0R_DRIVER_OWN to notify the MCU to handle the next core dump piece. Fixes: db57b625912a ("Bluetooth: btmtksdio: add support of processing firmware coredump and log") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Mark Chen Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c6049161291737242d5a008bd8ebe0409b175a43 Author: Pavel Skripkin Date: Thu Jan 13 16:27:04 2022 +0300 Bluetooth: hci_serdev: call init_rwsem() before p->open() [ Upstream commit 9d7cbe2b9cf5f650067df4f402fdd799d4bbb4e1 ] kvartet reported, that hci_uart_tx_wakeup() uses uninitialized rwsem. The problem was in wrong place for percpu_init_rwsem() call. hci_uart_proto::open() may register a timer whose callback may call hci_uart_tx_wakeup(). There is a chance, that hci_uart_register_device() thread won't be fast enough to call percpu_init_rwsem(). Fix it my moving percpu_init_rwsem() call before p->open(). INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 2 PID: 18524 Comm: syz-executor.5 Not tainted 5.16.0-rc6 #9 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 assign_lock_key kernel/locking/lockdep.c:951 [inline] register_lock_class+0x148d/0x1950 kernel/locking/lockdep.c:1263 __lock_acquire+0x106/0x57e0 kernel/locking/lockdep.c:4906 lock_acquire kernel/locking/lockdep.c:5637 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5602 percpu_down_read_trylock include/linux/percpu-rwsem.h:92 [inline] hci_uart_tx_wakeup+0x12e/0x490 drivers/bluetooth/hci_ldisc.c:124 h5_timed_event+0x32f/0x6a0 drivers/bluetooth/hci_h5.c:188 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 Fixes: d73e17281665 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops") Reported-by: Yiru Xu Signed-off-by: Pavel Skripkin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit 1d71c002b761b1112c5308b6ef8974dc75ff9611 Author: Tedd Ho-Jeong An Date: Thu Jan 20 11:44:18 2022 -0800 Bluetooth: btintel: Fix WBS setting for Intel legacy ROM products [ Upstream commit 55235304c2560d4a94ccfff2a47ea927b4114064 ] This patch adds the flag to identify the Intel legacy ROM products that don't support WBS like WP and StP. Fixes: 3df4dfbec0f29 ("Bluetooth: btintel: Move hci quirks to setup routine") Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit fb70014b898eb1b093a452659777acb7ecabb71b Author: Felix Maurer Date: Tue Jan 18 16:11:56 2022 +0100 selftests: bpf: Fix bind on used port [ Upstream commit 8c0be0631d81e48f77d0ebf0534c86e32bef5f89 ] The bind_perm BPF selftest failed when port 111/tcp was already in use during the test. To fix this, the test now runs in its own network name space. To use unshare, it is necessary to reorder the includes. The style of the includes is adapted to be consistent with the other prog_tests. v2: Replace deprecated CHECK macro with ASSERT_OK Fixes: 8259fdeb30326 ("selftests/bpf: Verify that rebinding to port < 1024 from BPF works") Signed-off-by: Felix Maurer Signed-off-by: Andrii Nakryiko Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/551ee65533bb987a43f93d88eaf2368b416ccd32.1642518457.git.fmaurer@redhat.com Signed-off-by: Sasha Levin commit e2f679add74fe0dc032f64b6b6d3c1e99615d6e2 Author: Jani Nikula Date: Thu Jan 20 11:48:56 2022 +0200 drm/locking: fix drm_modeset_acquire_ctx kernel-doc [ Upstream commit 6f043b5969a4d6d385ca429388ded37e30e0d179 ] The stack_depot member was added without kernel-doc, leading to below warning. Fix it. ./include/drm/drm_modeset_lock.h:74: warning: Function parameter or member 'stack_depot' not described in 'drm_modeset_acquire_ctx' Reported-by: Stephen Rothwell Fixes: cd06ab2fd48f ("drm/locking: add backtrace for locking contended locks without backoff") Signed-off-by: Jani Nikula Reviewed-by: Daniel Vetter Tested-by: Stephen Rothwell Link: https://patchwork.freedesktop.org/patch/msgid/20220120094856.3004147-1-jani.nikula@intel.com Signed-off-by: Sasha Levin commit f6d1fd0abaacce95fdccfc19fc2175d8d9b37bfb Author: José Expósito Date: Sat Jan 8 17:58:12 2022 +0100 drm/selftests/test-drm_dp_mst_helper: Fix memory leak in sideband_msg_req_encode_decode [ Upstream commit ba3a5ddcf1e5df31f2291006d5297ca62035584f ] Avoid leaking the "out" variable if it is not possible to allocate the "txmsg" variable. Fixes: 09234b88ef55 ("drm/selftests/test-drm_dp_mst_helper: Move 'sideband_msg_req_encode_decode' onto the heap") Addresses-Coverity-ID: 1475685 ("Resource leak") Signed-off-by: José Expósito Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220108165812.46797-1-jose.exposito89@gmail.com Signed-off-by: Sasha Levin commit 0481baa2318cb1ab13277715da6cdbb657807b3f Author: Kumar Kartikeya Dwivedi Date: Fri Jan 14 22:09:44 2022 +0530 bpf: Fix UAF due to race between btf_try_get_module and load_module [ Upstream commit 18688de203b47e5d8d9d0953385bf30b5949324f ] While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior. Fixes: 541c3bad8dc5 ("bpf: Support BPF ksym variables in kernel modules") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20220114163953.1455836-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 9e9b4a269f84d3230f2af84ff42322db676440d9 Author: Pavel Skripkin Date: Thu Dec 30 17:26:49 2021 +0300 udmabuf: validate ubuf->pagecount [ Upstream commit 2b6dd600dd72573c23ea180b5b0b2f1813405882 ] Syzbot has reported GPF in sg_alloc_append_table_from_pages(). The problem was in ubuf->pages == ZERO_PTR. ubuf->pagecount is calculated from arguments passed from user-space. If user creates udmabuf with list.size == 0 then ubuf->pagecount will be also equal to zero; it causes kmalloc_array() to return ZERO_PTR. Fix it by validating ubuf->pagecount before passing it to kmalloc_array(). Fixes: fbb0de795078 ("Add udmabuf misc device") Reported-and-tested-by: syzbot+2c56b725ec547fa9cb29@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Link: http://patchwork.freedesktop.org/patch/msgid/20211230142649.23022-1-paskripkin@gmail.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit dd817263ac5df907eb83d28d8a14a000ce52aa14 Author: Dan Carpenter Date: Wed Jan 12 10:15:11 2022 +0200 ath11k: fix error code in ath11k_qmi_assign_target_mem_chunk() [ Upstream commit c9b41832dc080fa59bad597de94865b3ea2d5bab ] The "ret" vairable is not set at this point. It could be uninitialized or zero. The correct thing to return is -ENODEV. Fixes: 6ac04bdc5edb ("ath11k: Use reserved host DDR addresses from DT for PCI devices") Signed-off-by: Dan Carpenter Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220111071445.GA11243@kili Signed-off-by: Sasha Levin commit 2c14ace87557834a3890a6d614910748fdc858b8 Author: Wei Fu Date: Sat Jan 8 16:40:08 2022 +0800 bpftool: Only set obj->skeleton on complete success [ Upstream commit 0991f6a38f576aa9a5e34713e23c998a3310d4d0 ] After `bpftool gen skeleton`, the ${bpf_app}.skel.h will provide that ${bpf_app_name}__open helper to load bpf. If there is some error like ENOMEM, the ${bpf_app_name}__open will rollback(free) the allocated object, including `bpf_object_skeleton`. Since the ${bpf_app_name}__create_skeleton set the obj->skeleton first and not rollback it when error, it will cause double-free in ${bpf_app_name}__destory at ${bpf_app_name}__open. Therefore, we should set the obj->skeleton before return 0; Fixes: 5dc7a8b21144 ("bpftool, selftests/bpf: Embed object file inside skeleton") Signed-off-by: Wei Fu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220108084008.1053111-1-fuweid89@gmail.com Signed-off-by: Sasha Levin commit 31e124e77dc2dad3dfd9eb16088345460cfdfe15 Author: Yafang Shao Date: Sat Jan 8 13:47:39 2022 +0000 libbpf: Fix possible NULL pointer dereference when destroying skeleton [ Upstream commit a32ea51a3f17ce6524c9fc19d311e708331c8b5f ] When I checked the code in skeleton header file generated with my own bpf prog, I found there may be possible NULL pointer dereference when destroying skeleton. Then I checked the in-tree bpf progs, finding that is a common issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for example. Below is the generated code in xdp_redirect_cpu__create_skeleton(): xdp_redirect_cpu__create_skeleton struct bpf_object_skeleton *s; s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); if (!s) goto error; ... error: bpf_object__destroy_skeleton(s); return -ENOMEM; After goto error, the NULL 's' will be deferenced in bpf_object__destroy_skeleton(). We can simply fix this issue by just adding a NULL check in bpf_object__destroy_skeleton(). Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support") Signed-off-by: Yafang Shao Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220108134739.32541-1-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit debc1bf7e93d9e682d811c1a5631969baa463808 Author: Mauricio Vásquez Date: Fri Jan 7 10:26:20 2022 -0500 bpftool: Fix error check when calling hashmap__new() [ Upstream commit 622a5b582cc27d3deedc38fcef68da2972e8e58d ] hashmap__new() encodes errors with ERR_PTR(), hence it's not valid to check the returned pointer against NULL and IS_ERR() has to be used instead. libbpf_get_error() can't be used in this case as hashmap__new() is not part of the public libbpf API and it'll continue using ERR_PTR() after libbpf 1.0. Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects") Fixes: 2828d0d75b73 ("bpftool: Switch to libbpf's hashmap for programs/maps in BTF listing") Fixes: d6699f8e0f83 ("bpftool: Switch to libbpf's hashmap for PIDs/names references") Signed-off-by: Mauricio Vásquez Signed-off-by: Andrii Nakryiko Reviewed-by: Quentin Monnet Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220107152620.192327-2-mauricio@kinvolk.io Signed-off-by: Sasha Levin commit 96586f17a9dfe03bdb69e2648220f0fa5f7d04dd Author: Jiasheng Jiang Date: Thu Jan 6 11:03:26 2022 +0800 drm/panfrost: Check for error num after setting mask [ Upstream commit 44ab30b056149bd59dd7989a593dd25ead6007fd ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Signed-off-by: Jiasheng Jiang [Steve: fix Fixes: line] Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220106030326.2620942-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 400705c50bbf184794c885d1efad7fe9ccf1471a Author: Wen Gong Date: Tue Jan 11 16:42:52 2022 +0200 ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 [ Upstream commit 212ad7cb7d7592669c067125949e0a8e31ce6a0b ] Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") is to fix firmware crash by changing the WMI command sequence, but actually skip all the peer delete operation, then it lead commit 58595c9874c6 ("ath11k: Fixing dangling pointer issue upon peer delete failure") not take effect, and then happened a use-after-free warning from KASAN. because the peer->sta is not set to NULL and then used later. Change to only skip the WMI_PEER_DELETE_CMDID for QCA6390/WCN6855. log of user-after-free: [ 534.888665] BUG: KASAN: use-after-free in ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888696] Read of size 8 at addr ffff8881396bb1b8 by task rtcwake/2860 [ 534.888705] CPU: 4 PID: 2860 Comm: rtcwake Kdump: loaded Tainted: G W 5.15.0-wt-ath+ #523 [ 534.888712] Hardware name: Intel(R) Client Systems NUC8i7HVK/NUC8i7HVB, BIOS HNKBLi70.86A.0067.2021.0528.1339 05/28/2021 [ 534.888716] Call Trace: [ 534.888720] [ 534.888726] dump_stack_lvl+0x57/0x7d [ 534.888736] print_address_description.constprop.0+0x1f/0x170 [ 534.888745] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888771] kasan_report.cold+0x83/0xdf [ 534.888783] ? ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888810] ath11k_dp_rx_update_peer_stats+0x912/0xc10 [ath11k] [ 534.888840] ath11k_dp_rx_process_mon_status+0x529/0xa70 [ath11k] [ 534.888874] ? ath11k_dp_rx_mon_status_bufs_replenish+0x3f0/0x3f0 [ath11k] [ 534.888897] ? check_prev_add+0x20f0/0x20f0 [ 534.888922] ? __lock_acquire+0xb72/0x1870 [ 534.888937] ? find_held_lock+0x33/0x110 [ 534.888954] ath11k_dp_rx_process_mon_rings+0x297/0x520 [ath11k] [ 534.888981] ? rcu_read_unlock+0x40/0x40 [ 534.888990] ? ath11k_dp_rx_pdev_alloc+0xd90/0xd90 [ath11k] [ 534.889026] ath11k_dp_service_mon_ring+0x67/0xe0 [ath11k] [ 534.889053] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889075] call_timer_fn+0x167/0x4a0 [ 534.889084] ? add_timer_on+0x3b0/0x3b0 [ 534.889103] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889117] __run_timers.part.0+0x539/0x8b0 [ 534.889123] ? ath11k_dp_rx_process_mon_rings+0x520/0x520 [ath11k] [ 534.889157] ? call_timer_fn+0x4a0/0x4a0 [ 534.889164] ? mark_lock_irq+0x1c30/0x1c30 [ 534.889173] ? clockevents_program_event+0xdd/0x280 [ 534.889189] ? mark_held_locks+0xa5/0xe0 [ 534.889203] run_timer_softirq+0x97/0x180 [ 534.889213] __do_softirq+0x276/0x86a [ 534.889230] __irq_exit_rcu+0x11c/0x180 [ 534.889238] irq_exit_rcu+0x5/0x20 [ 534.889244] sysvec_apic_timer_interrupt+0x8e/0xc0 [ 534.889251] [ 534.889254] [ 534.889259] asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 534.889265] RIP: 0010:_raw_spin_unlock_irqrestore+0x38/0x70 [ 534.889271] Code: 74 24 10 e8 ea c2 bf fd 48 89 ef e8 12 53 c0 fd 81 e3 00 02 00 00 75 25 9c 58 f6 c4 02 75 2d 48 85 db 74 01 fb bf 01 00 00 00 13 a7 b5 fd 65 8b 05 cc d9 9c 5e 85 c0 74 0a 5b 5d c3 e8 a0 ee [ 534.889276] RSP: 0018:ffffc90002e5f880 EFLAGS: 00000206 [ 534.889284] RAX: 0000000000000006 RBX: 0000000000000200 RCX: ffffffff9f256f10 [ 534.889289] RDX: 0000000000000000 RSI: ffffffffa1c6e420 RDI: 0000000000000001 [ 534.889293] RBP: ffff8881095e6200 R08: 0000000000000001 R09: ffffffffa40d2b8f [ 534.889298] R10: fffffbfff481a571 R11: 0000000000000001 R12: ffff8881095e6e68 [ 534.889302] R13: ffffc90002e5f908 R14: 0000000000000246 R15: 0000000000000000 [ 534.889316] ? mark_lock+0xd0/0x14a0 [ 534.889332] klist_next+0x1d4/0x450 [ 534.889340] ? dpm_wait_for_subordinate+0x2d0/0x2d0 [ 534.889350] device_for_each_child+0xa8/0x140 [ 534.889360] ? device_remove_class_symlinks+0x1b0/0x1b0 [ 534.889370] ? __lock_release+0x4bd/0x9f0 [ 534.889378] ? dpm_suspend+0x26b/0x3f0 [ 534.889390] dpm_wait_for_subordinate+0x82/0x2d0 [ 534.889400] ? dpm_for_each_dev+0xa0/0xa0 [ 534.889410] ? dpm_suspend+0x233/0x3f0 [ 534.889427] __device_suspend+0xd4/0x10c0 [ 534.889440] ? wait_for_completion_io+0x270/0x270 [ 534.889456] ? async_suspend_late+0xe0/0xe0 [ 534.889463] ? async_schedule_node_domain+0x468/0x640 [ 534.889482] dpm_suspend+0x25a/0x3f0 [ 534.889491] ? dpm_suspend_end+0x1a0/0x1a0 [ 534.889497] ? ktime_get+0x214/0x2f0 [ 534.889502] ? lockdep_hardirqs_on+0x79/0x100 [ 534.889509] ? recalibrate_cpu_khz+0x10/0x10 [ 534.889516] ? ktime_get+0x119/0x2f0 [ 534.889528] dpm_suspend_start+0xab/0xc0 [ 534.889538] suspend_devices_and_enter+0x1ca/0x350 [ 534.889546] ? suspend_enter+0x850/0x850 [ 534.889566] enter_state+0x27c/0x3d7 [ 534.889575] pm_suspend.cold+0x42/0x189 [ 534.889583] state_store+0xab/0x160 [ 534.889595] ? sysfs_file_ops+0x160/0x160 [ 534.889601] kernfs_fop_write_iter+0x2b5/0x450 [ 534.889615] new_sync_write+0x36a/0x600 [ 534.889625] ? new_sync_read+0x600/0x600 [ 534.889639] ? rcu_read_unlock+0x40/0x40 [ 534.889668] vfs_write+0x619/0x910 [ 534.889681] ksys_write+0xf4/0x1d0 [ 534.889689] ? __ia32_sys_read+0xa0/0xa0 [ 534.889699] ? lockdep_hardirqs_on_prepare.part.0+0x18c/0x370 [ 534.889707] ? syscall_enter_from_user_mode+0x1d/0x50 [ 534.889719] do_syscall_64+0x3b/0x90 [ 534.889725] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 534.889731] RIP: 0033:0x7f0b9bc931e7 [ 534.889736] Code: 64 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24 [ 534.889741] RSP: 002b:00007ffd9d34cc88 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 534.889749] RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f0b9bc931e7 [ 534.889753] RDX: 0000000000000004 RSI: 0000561cd023c5f0 RDI: 0000000000000004 [ 534.889757] RBP: 0000561cd023c5f0 R08: 0000000000000000 R09: 0000000000000004 [ 534.889761] R10: 0000561ccef842a6 R11: 0000000000000246 R12: 0000000000000004 [ 534.889765] R13: 0000561cd0239590 R14: 00007f0b9bd6f4a0 R15: 00007f0b9bd6e8a0 [ 534.889789] [ 534.889796] Allocated by task 2711: [ 534.889800] kasan_save_stack+0x1b/0x40 [ 534.889805] __kasan_kmalloc+0x7c/0x90 [ 534.889810] sta_info_alloc+0x98/0x1ef0 [mac80211] [ 534.889874] ieee80211_prep_connection+0x30b/0x11e0 [mac80211] [ 534.889950] ieee80211_mgd_auth+0x529/0xe00 [mac80211] [ 534.890024] cfg80211_mlme_auth+0x332/0x6f0 [cfg80211] [ 534.890090] nl80211_authenticate+0x839/0xcf0 [cfg80211] [ 534.890147] genl_family_rcv_msg_doit+0x1f4/0x2f0 [ 534.890154] genl_rcv_msg+0x280/0x500 [ 534.890160] netlink_rcv_skb+0x11c/0x340 [ 534.890165] genl_rcv+0x1f/0x30 [ 534.890170] netlink_unicast+0x42b/0x700 [ 534.890176] netlink_sendmsg+0x71b/0xc60 [ 534.890181] sock_sendmsg+0xdf/0x110 [ 534.890187] ____sys_sendmsg+0x5c0/0x850 [ 534.890192] ___sys_sendmsg+0xe4/0x160 [ 534.890197] __sys_sendmsg+0xb2/0x140 [ 534.890202] do_syscall_64+0x3b/0x90 [ 534.890207] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 534.890215] Freed by task 2825: [ 534.890218] kasan_save_stack+0x1b/0x40 [ 534.890223] kasan_set_track+0x1c/0x30 [ 534.890227] kasan_set_free_info+0x20/0x30 [ 534.890232] __kasan_slab_free+0xce/0x100 [ 534.890237] slab_free_freelist_hook+0xf0/0x1a0 [ 534.890242] kfree+0xe5/0x370 [ 534.890248] __sta_info_flush+0x333/0x4b0 [mac80211] [ 534.890308] ieee80211_set_disassoc+0x324/0xd20 [mac80211] [ 534.890382] ieee80211_mgd_deauth+0x537/0xee0 [mac80211] [ 534.890472] cfg80211_mlme_deauth+0x349/0x810 [cfg80211] [ 534.890526] cfg80211_mlme_down+0x1ce/0x270 [cfg80211] [ 534.890578] cfg80211_disconnect+0x4f5/0x7b0 [cfg80211] [ 534.890631] cfg80211_leave+0x24/0x40 [cfg80211] [ 534.890677] wiphy_suspend+0x23d/0x2f0 [cfg80211] [ 534.890723] dpm_run_callback+0xf4/0x1b0 [ 534.890728] __device_suspend+0x648/0x10c0 [ 534.890733] async_suspend+0x16/0xe0 [ 534.890737] async_run_entry_fn+0x90/0x4f0 [ 534.890741] process_one_work+0x866/0x1490 [ 534.890747] worker_thread+0x596/0x1010 [ 534.890751] kthread+0x35d/0x420 [ 534.890756] ret_from_fork+0x22/0x30 [ 534.890763] The buggy address belongs to the object at ffff8881396ba000 which belongs to the cache kmalloc-8k of size 8192 [ 534.890767] The buggy address is located 4536 bytes inside of 8192-byte region [ffff8881396ba000, ffff8881396bc000) [ 534.890772] The buggy address belongs to the page: [ 534.890775] page:ffffea0004e5ae00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1396b8 [ 534.890780] head:ffffea0004e5ae00 order:3 compound_mapcount:0 compound_pincount:0 [ 534.890784] flags: 0x200000000010200(slab|head|node=0|zone=2) [ 534.890791] raw: 0200000000010200 ffffea000562be08 ffffea0004b04c08 ffff88810004e340 [ 534.890795] raw: 0000000000000000 0000000000010001 00000001ffffffff 0000000000000000 [ 534.890798] page dumped because: kasan: bad access detected [ 534.890804] Memory state around the buggy address: [ 534.890807] ffff8881396bb080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890811] ffff8881396bb100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890814] >ffff8881396bb180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890817] ^ [ 534.890821] ffff8881396bb200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890824] ffff8881396bb280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 534.890827] ================================================================== [ 534.890830] Disabling lock debugging due to kernel taint Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-01720.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 Fixes: b4a0f54156ac ("ath11k: move peer delete after vdev stop of station for QCA6390 and WCN6855") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211222070431.29595-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit e5d6d748f8764824a40ea938b696cdcb9a758ef8 Author: Dan Carpenter Date: Tue Jan 11 10:23:19 2022 +0300 Bluetooth: hci_sync: unlock on error in hci_inquiry_result_with_rssi_evt() [ Upstream commit c07ba878ca199a6089cdb323bf526adbeeb4201f ] Add unlocks to two error paths in hci_inquiry_result_with_rssi_evt(). Fixes: fee645033e2c ("Bluetooth: hci_event: Use skb_pull_data when processing inquiry results") Signed-off-by: Dan Carpenter Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 9549ac189454a588d90989b061b064a5b75f88a6 Author: Jiasheng Jiang Date: Mon Jan 10 09:38:07 2022 +0800 drm/v3d/v3d_drv: Check for error num after setting mask [ Upstream commit 4a39156166b90465da0f9a33b3442d63b5651bec ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Also, we can create a variable for the mask to solve the alignment issue. Fixes: 334dd38a3878 ("drm/v3d: Set dma_mask as well as coherent_dma_mask") Signed-off-by: Jiasheng Jiang Reviewed-by: Melissa Wen Signed-off-by: Melissa Wen Link: https://patchwork.freedesktop.org/patch/msgid/20220110013807.4105270-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit cea55ac79feb3e5f1be5bb10fb3be7b897153414 Author: Wen Gong Date: Mon Jan 10 16:24:13 2022 +0200 ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern [ Upstream commit e3fb3d4418fce5484dfe7995fcd94c18b10a431a ] In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for the new->pattern, and currently the new->pattern and new->mask is same with the old, then the memcpy of new->pattern will also overwrite the old->pattern, because the header format of new->pattern is 802.11, its length is larger than the old->pattern which is 802.3. Then the operation of "Copy frame body" will copy a mistake value because the body memory has been overwrite when memcpy the new->pattern. Assign another empty value to new_pattern to avoid the overwrite issue. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Fixes: fa3440fa2fa1 ("ath10k: convert wow pattern from 802.3 to 802.11") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211222031347.25463-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit 7d51cb010b20d70b16dc6e4341bf29d6c5b32564 Author: Yang Yingliang Date: Mon Jan 10 16:24:13 2022 +0200 ath11k: add missing of_node_put() to avoid leak [ Upstream commit 3d38faef0de1756994b3d95e47b2302842f729e2 ] The node pointer is returned by of_find_node_by_type() or of_parse_phandle() with refcount incremented. Calling of_node_put() to aovid the refcount leak. Fixes: 6ac04bdc5edb ("ath11k: Use reserved host DDR addresses from DT for PCI devices") Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211221114003.335557-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 76201f3738e5e8263636cd2833c0df35bfc16186 Author: Jagan Teki Date: Sun Jan 9 22:59:49 2022 +0530 drm: bridge: adv7511: Fix ADV7535 HPD enablement [ Upstream commit 3dbc84a595d17f64f14fcea00120d31e33e98880 ] Existing HPD enablement logic is not compatible with ADV7535 bridge, thus any runtime plug-in of HDMI cable is not working on these bridge designs. Unlike other ADV7511 family of bridges, the ADV7535 require HPD_OVERRIDE bit to set and reset for proper handling of HPD functionality. Fix it. Fixes: 8501fe4b14a3 ("drm: bridge: adv7511: Add support for ADV7535") Signed-off-by: Jagan Teki Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220109172949.168167-1-jagan@amarulasolutions.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 7b32cff290378c8bf3398e06675dd39a655c9cf3 Author: Miaoqian Lin Date: Wed Jan 5 10:48:26 2022 +0000 drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe [ Upstream commit b146e343a9e05605b491b1bf4a2b62a39d5638d8 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 44cfc6233447 ("drm/bridge: Add NWL MIPI DSI host controller support") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104826.1418-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit f1a22a077197867ed185d0321273c26dc19b664d Author: Miaoqian Lin Date: Wed Jan 5 10:41:09 2022 +0000 drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe [ Upstream commit 96211b7c56b109a52768e6cc5e23a1f79316eca0 ] If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Add missing pm_runtime_disable() for __dw_mipi_dsi_probe. Fixes: 46fc51546d44 ("drm/bridge/synopsys: Add MIPI DSI host controller bridge") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104113.31415-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 26d36a321c62adc69568e355724431805cc114d2 Author: Miaoqian Lin Date: Mon Dec 27 09:25:22 2021 +0000 drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev [ Upstream commit 7c442e76c06cb1bef16a6c523487438175584eea ] rc_dev is allocated by rc_allocate_device(), and doesn't assigned to ctx->rc_dev before calling rc_free_device(ctx->rc_dev). So it should call rc_free_device(rc_dev); Fixes: e25f1f7c94e1 ("drm/bridge/sii8620: add remote control support") Signed-off-by: Miaoqian Lin Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20211227092522.21755-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit a840164ab46c5bd644e559dc31bf107feffe6d26 Author: Martin Blumenstingl Date: Fri Dec 31 00:55:15 2021 +0100 drm/meson: Fix error handling when afbcd.ops->init fails [ Upstream commit fa747d75f65d1b1cbc3f4691fa67b695e8a399c8 ] When afbcd.ops->init fails we need to free the struct drm_device. Also all errors which come after afbcd.ops->init was successful need to exit the AFBCD, just like meson_drv_unbind() does. Fixes: d1b5e41e13a7e9 ("drm/meson: Add AFBCD module driver") Signed-off-by: Martin Blumenstingl Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211230235515.1627522-3-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 04f2292b8b2f5fb4dd700f78ee3875d63bbeac9f Author: Martin Blumenstingl Date: Fri Dec 31 00:55:14 2021 +0100 drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops [ Upstream commit 04b8a5d9cfd171f65df75f444b5617a372649edd ] Use this to simplify the driver shutdown. It will also come handy when fixing the error handling in meson_drv_bind_master(). Signed-off-by: Martin Blumenstingl Fixes: d1b5e41e13a7e9 ("drm/meson: Add AFBCD module driver") Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211230235515.1627522-2-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit ed5b65fd3a72c1c813f516f3d75ee19dcaf57bb5 Author: Christophe JAILLET Date: Wed Dec 29 09:58:44 2021 +0100 drm/bridge: sn65dsi83: Fix an error handling path in sn65dsi83_probe() [ Upstream commit 6edf615618b8259f16eeb1df98f0ba0d2312c22e ] sn65dsi83_parse_dt() takes a reference on 'ctx->host_node' that must be released in the error handling path of this function and of the probe. This is only done in the remove function up to now. Fixes: ceb515ba29ba ("drm/bridge: ti-sn65dsi83: Add TI SN65DSI83 and SN65DSI84 driver") Signed-off-by: Christophe JAILLET Reviewed-by: Laurent Pinchart Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/4bc21aed4b60d3d5ac4b28d8b07a6fdd8da6a536.1640768126.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit b8a37388540d67dba6e304eb9f3b6b9b88a450bc Author: Andre Przywara Date: Thu Mar 17 18:30:41 2022 +0000 ARM: configs: multi_v5_defconfig: re-enable DRM_PANEL and FB_xxx [ Upstream commit 9c44d0805f949c56121b4ae6949fb064537bf198 ] Commit 91185d55b32e ("drm: Remove DRM_KMS_FB_HELPER Kconfig option") led to de-selection of CONFIG_FB, which was a prerequisite for BACKLIGHT_CLASS_DEVICE, which CONFIG_DRM_PANEL_SIMPLE depended on. Explicitly set CONFIG_FB, to bring DRM_PANEL_SIMPLE, DRM_PANEL_EDP, FB_IMX and FB_ATMEL back into the generated .config. This also adds some new FB related features like fonts and the framebuffer console. See also commit 8c1768967e27 ("ARM: config: mutli v7: Reenable FB dependency"), which solved the same problem for multi_v7_defconfig. This relies on [1], to fix a broken Kconfig dependency. [1] https://lore.kernel.org/dri-devel/20220315084559.23510-1-tzimmermann@suse.de/raw Fixes: 91185d55b32e ("drm: Remove DRM_KMS_FB_HELPER Kconfig option") Signed-off-by: Andre Przywara Link: https://lore.kernel.org/r/20220317183043.948432-4-andre.przywara@arm.com' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 2c3cdb867eff71bd4751175135ea3a8cc96e0511 Author: Andre Przywara Date: Thu Mar 17 18:30:40 2022 +0000 ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS [ Upstream commit f5eb04d7a0e419d61f784de3ced708259ddb71d7 ] Commit 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") introduced CONFIG_MEDIA_PLATFORM_SUPPORT, to allow more fine grained control over the inclusion of certain Kconfig files. multi_v5_defconfig was selecting some drivers described in drivers/media/platform/Kconfig, which now wasn't included anymore. Explicitly set the new symbol in multi_v5_defconfig to bring those drivers back. This enables some new V4L2 and VIDEOBUF2 features, but as modules only. Fixes: 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") Signed-off-by: Andre Przywara Link: https://lore.kernel.org/r/20220317183043.948432-3-andre.przywara@arm.com' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 2bd8c27ae91a83c403fa3c427622873ce6eb7ec9 Author: Meng Tang Date: Wed Mar 16 17:13:03 2022 +0800 ASoC: amd: Fix reference to PCM buffer address [ Upstream commit 54e1bf9f6177a3ffbd920474f4481a25361163aa ] PCM buffers might be allocated dynamically when the buffer preallocation failed or a larger buffer is requested, and it's not guaranteed that substream->dma_buffer points to the actually used buffer. The driver needs to refer to substream->runtime->dma_addr instead for the buffer address. Fixes: cab396d8b22c1 ("ASoC: amd: add ACP5x pcm dma driver ops") Signed-off-by: Meng Tang Link: https://lore.kernel.org/r/20220316091303.9745-1-tangmeng@uniontech.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f8e89d84ea83c51ba3ba97ff154f7aa679326760 Author: Miaoqian Lin Date: Wed Mar 16 08:36:31 2022 +0000 ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data [ Upstream commit 9531a631379169d57756b2411178c6238655df88 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This is similar to commit 64b92de9603f ("ASoC: wcd9335: fix a leaked reference by adding missing of_node_put") Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316083631.14103-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c652f8f0875b569f8afa80b8cf9762828fd6187b Author: Miaoqian Lin Date: Wed Mar 16 08:46:15 2022 +0000 ASoC: mediatek: mt8195: Fix error handling in mt8195_mt6359_rt1019_rt5682_dev_probe [ Upstream commit c4b7174fe5bb875a09a78674a14a1589d1a672f3 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: 082482a50227 ("ASoC: mediatek: mt8195: release device_node after snd_soc_register_card") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316084623.24238-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5e6c67316919ab0ce781a53264cdab8aab5546a3 Author: Miaoqian Lin Date: Wed Mar 16 04:19:24 2022 +0000 ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe [ Upstream commit 9ebd62d60edcd4d9c75485e5ccd0b79581ad3c49 ] In the error handling path, the clk_prepare_enable() function call should be balanced by a corresponding 'clk_disable_unprepare()' call , as already done in the remove function. Fixes: de66b3455023 ("ASoC: codecs: msm8916-wcd-analog: add MBHC support") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316041924.17560-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f43ad5dc43240289f4cf13c16cc506f4f7087931 Author: Miaoqian Lin Date: Wed Mar 16 11:15:30 2022 +0000 ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe [ Upstream commit 740dc3e846537c3743da98bf106f376023fd085c ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: fdbcb3cba54b ("ASoC: atmel: machine driver for at91sam9x5-wm8731 boards") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220316111530.4551-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5c1834aac759ddfd0f17c9f38db1b30adc8eb4e8 Author: zhangqilong Date: Tue Mar 15 10:54:15 2022 +0800 ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume [ Upstream commit cc5d8ac95663a5813c696008bc524b794d471215 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes:081068fd64140 ("ASoC: rockchip: add support for i2s-tdm controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20220315025415.2593762-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 27a0a95b8add281d534c3ee41b8973b6affd8407 Author: Daniel Bristot de Oliveira Date: Wed Mar 2 20:01:38 2022 +0100 rtla/osnoise: Fix osnoise hist stop tracing message [ Upstream commit 7d38c35167c58153e8b5bea839616d00e90564b9 ] rtla osnoise hist is printing the following message when hitting stop tracing: printf("rtla timelat hit stop tracing\n"); which is obviosly wrong. s/timerlat/osnoise/ fixing the printf. Link: https://lkml.kernel.org/r/2b8f090556fe37b81d183b74ce271421f131c77b.1646247211.git.bristot@kernel.org Fixes: 829a6c0b5698 ("rtla/osnoise: Add the hist mode") Cc: Daniel Bristot de Oliveira Cc: Clark Williams Cc: Juri Lelli Cc: Jonathan Corbet Signed-off-by: Daniel Bristot de Oliveira Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit ddea8cdeb2ecf68a0a3a4265842f7e60ea84e796 Author: Jiasheng Jiang Date: Tue Mar 8 15:14:15 2022 +0800 mmc: davinci_mmc: Handle error for clk_enable [ Upstream commit 09e7af76db02c74f2a339b3cb2d95460fa2ddbe4 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: bbce5802afc5 ("davinci: mmc: updates to suspend/resume implementation") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220308071415.1093393-1-jiasheng@iscas.ac.cn Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 6798c3e19fad8b3c2031cdb3b627aee1098af8d3 Author: Miaoqian Lin Date: Mon Mar 7 08:45:22 2022 +0000 ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe [ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ] Fix the missing clk_disable_unprepare() before return from msm8916_wcd_digital_probe in the error handling case. Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6cdecf2d9790c2e4dd9c02ce9a9ae316f130ab6b Author: Kai Vehmanen Date: Thu Mar 10 11:16:47 2022 -0600 ASoC: SOF: Intel: enable DMI L1 for playback streams [ Upstream commit a174e72e2355b9025205b4b6727bf43047eac6c6 ] Add back logic to mark all playback streams as L1 compatible. Fixes: 246dd4287dfb ("ASoC: SOF: Intel: make DMI L1 selection more robust") Reviewed-by: Ranjani Sridharan Reviewed-by: Péter Ujfalusi Signed-off-by: Kai Vehmanen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220310171651.249385-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7417e2e3f93f6dca2117bf6814b0c0d3498f56eb Author: Wang Wensheng Date: Thu Mar 10 09:19:02 2022 +0000 ASoC: imx-es8328: Fix error return code in imx_es8328_probe() [ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") Signed-off-by: Wang Wensheng Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 19d0b2a63e9f1206aefb8dc2e0facc5cd4b9b9d0 Author: Shengjiu Wang Date: Thu Mar 10 10:37:43 2022 +0800 ASoC: fsl_spdif: Disable TX clock when stop [ Upstream commit 6ddf611219ba8f7c8fa0d26b39710a641e7d37a5 ] The TX clock source may be changed in next case, need to disable it when stop, otherwise the TX may not work after changing the clock source, error log is: aplay: pcm_write:2058: write error: Input/output error Fixes: a2388a498ad2 ("ASoC: fsl: Add S/PDIF CPU DAI driver") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1646879863-27711-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8d880226c86f37624e2a5f3c6d92ac0ec3375f96 Author: Miaoqian Lin Date: Tue Mar 8 02:01:44 2022 +0000 ASoC: mxs: Fix error handling in mxs_sgtl5000_probe [ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ] This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. For example, when codec_np is NULL, saif_np[0] and saif_np[1] are not NULL, it will cause leaks. of_node_put() will check if the node pointer is NULL, so we can call it directly to release the refcount of regular pointers. Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 17141f17b55d3ee218ec6f19d489d1c578e7ce4c Author: Codrin Ciubotariu Date: Mon Mar 7 14:21:57 2022 +0200 ASoC: dmaengine: do not use a NULL prepare_slave_config() callback [ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ] Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config() callback might not be set. Check if this callback is set before using it. Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config") Signed-off-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b4a3766e8c3cac7a4d65dcac1953999d18496908 Author: Miaoqian Lin Date: Mon Mar 7 09:01:30 2022 +0000 ASoC: rk817: Fix missing clk_disable_unprepare() in rk817_platform_probe [ Upstream commit a6b44a2518a08348bd0f0401e4d2b99233bbabc2 ] Fix the missing clk_disable_unprepare() before return from rk817_platform_probe() in the error handling case. Fixes: 0d6a04da9b25 ("ASoC: Add Rockchip rk817 audio CODEC support") Signed-off-by: Miaoqian Lin Tested-by: Chris Morgan Link: https://lore.kernel.org/r/20220307090146.4104-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1765787ec02e824f4f5e672cf269280a5da09d2f Author: Miaoqian Lin Date: Tue Mar 8 01:52:22 2022 +0000 ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe [ Upstream commit e45ac7831ff3e2934d58cce319c17c8ec763c95c ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. Fix this by calling of_node_put() in error handling too. Fixes: 4e28491a7a19 ("ASoC: mediatek: mt8192-mt6359: fix device_node leak") Signed-off-by: Miaoqian Lin Reviewed-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20220308015224.23585-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b2521cd5c579b8b757af520cd591c3214d36c433 Author: Miaoqian Lin Date: Tue Mar 8 02:33:23 2022 +0000 ASoC: SOF: Add missing of_node_put() in imx8m_probe [ Upstream commit 5575f7f49134c7386a684335c9007737c606d3b5 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: afb93d716533 ("ASoC: SOF: imx: Add i.MX8M HW support") Signed-off-by: Miaoqian Lin Reviewed-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220308023325.31702-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 575354cf9304148f096a3178e2f01038b5df9eaa Author: Miaoqian Lin Date: Mon Mar 7 08:35:52 2022 +0000 ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe [ Upstream commit f725d20579807a68afbe5dba69e78b8fa05f5ef0 ] Fix the missing clk_disable_unprepare() before return from rockchip_i2s_probe() in the error handling case. Fixes: 01605ad12875 ("ASoC: rockchip-i2s: enable "hclk" for rockchip I2S controller") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307083553.26009-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8fa969cd8485031294f91fc7184399000cae6355 Author: Miaoqian Lin Date: Tue Mar 8 01:39:48 2022 +0000 ASoC: atmel: Fix error handling in snd_proto_probe [ Upstream commit b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. Fix this by calling of_node_put() in error handling too. Fixes: a45f8853a5f9 ("ASoC: Add driver for PROTO Audio CODEC (with a WM8731)") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220308013949.20323-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dac04e6911785bb09c9decf5c1f8dce5930dfdbf Author: Hans Verkuil Date: Sun Mar 6 12:29:11 2022 +0100 ivtv: fix incorrect device_caps for ivtvfb [ Upstream commit 25e94139218c0293b4375233c14f2256d7dcfaa8 ] The VIDIOC_G_FBUF and related overlay ioctls no longer worked (-ENOTTY was returned). The root cause was the introduction of the caps field in ivtv-driver.h. While loading the ivtvfb module would update the video_device device_caps field with V4L2_CAP_VIDEO_OUTPUT_OVERLAY it would not update that caps field, and that's what the overlay ioctls would look at. It's a bad idea to keep information in two places, so drop the caps field and only use vdev.device_caps. Signed-off-by: Hans Verkuil Reported-by: Martin Dauskardt Fixes: 2161536516ed (media: media/pci: set device_caps in struct video_device) Signed-off-by: Sasha Levin commit 0fe6ac436c4335bff384556cd80cdbe75240e253 Author: Jakob Koschel Date: Mon Feb 28 15:26:26 2022 +0100 media: saa7134: fix incorrect use to determine if list is empty [ Upstream commit 9f1f4b642451d35667a4dc6a9c0a89d954b530a3 ] 'dev' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 79dd0c69f05f ("V4L: 925: saa7134 alsa is now a standalone module") Signed-off-by: Jakob Koschel Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 58ab4c59f5cf6070133514063b4832c8f9ca45f8 Author: Miaoqian Lin Date: Mon Mar 7 12:38:12 2022 +0000 video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of [ Upstream commit a58c22cfbbf62fefca090334bbd35fd132e92a23 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") Signed-off-by: Miaoqian Lin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 18c3113e3ab0d601924f71567459a032db1a86d1 Author: Jiasheng Jiang Date: Wed Mar 2 14:28:44 2022 +0800 ASoC: fsi: Add check for clk_enable [ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0698dafe1bf4933307277b06cc38a7eb883f43b0 Author: Jiasheng Jiang Date: Fri Mar 4 10:38:21 2022 +0800 ASoC: wm8350: Handle error for wm8350_register_irq [ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid the same code. Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4793a02deb31b71b3984abc67bf1011a03c13b18 Author: Miaoqian Lin Date: Mon Mar 7 12:45:39 2022 +0000 ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe [ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 54ad962ca8817bad9adaf7091185f1e6e5ac333f Author: Lucas Tanure Date: Thu Mar 3 17:30:41 2022 +0000 ASoC: cs35l41: Fix max number of TX channels [ Upstream commit 16639d39bdf577168d3fe34315917a94365c8d19 ] This device only has 4 TX channels. Fixes: fe1024d50477b ("ASoC: cs35l41: Combine adjacent register writes") Signed-off-by: Lucas Tanure Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220303173059.269657-3-tanureal@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 8bfbc247f3bb6378e1f8db8a39b599fdd343c345 Author: David Rhodes Date: Thu Mar 3 17:30:40 2022 +0000 ASoC: cs35l41: Fix GPIO2 configuration [ Upstream commit 03a7895ee701e873c88c06bdb830ff40adb2be73 ] Fix GPIO2 polarity and direction configuration Fixes: fe1024d50477b ("ASoC: cs35l41: Combine adjacent register writes") Signed-off-by: David Rhodes Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220303173059.269657-2-tanureal@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 79d17521953d0a16f4df91be59a543a54d1d8c4a Author: Jiasheng Jiang Date: Fri Jan 14 07:28:40 2022 +0100 media: vidtv: Check for null return of vzalloc [ Upstream commit e6a21a14106d9718aa4f8e115b1e474888eeba44 ] As the possible failure of the vzalloc(), e->encoder_buf might be NULL. Therefore, it should be better to check it in order to guarantee the success of the initialization. If fails, we need to free not only 'e' but also 'e->name'. Also, if the allocation for ctx fails, we need to free 'e->encoder_buf' else. Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f66e6fd1488d26229f11d86616de1b658c70fa8a Author: Dafna Hirschfeld Date: Tue Jan 25 09:02:11 2022 +0100 media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED [ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ] If the callback 'start_streaming' fails, then all queued buffers in the driver should be returned with state 'VB2_BUF_STATE_QUEUED'. Currently, they are returned with 'VB2_BUF_STATE_ERROR' which is wrong. Fix this. This also fixes the warning: [ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6 [ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14 [ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT) [ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common] [ 65.592395] sp : ffff800012bc3ad0 [ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8 [ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612 [ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0 [ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff [ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78 [ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce [ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228 [ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78 [ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880 [ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0 [ 65.598940] Call trace: [ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common] [ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2] [ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2] [ 65.601103] v4l_streamon+0x3c/0x50 [videodev] [ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev] [ 65.601977] video_usercopy+0x320/0x828 [videodev] [ 65.602419] video_ioctl2+0x3c/0x58 [videodev] [ 65.602830] v4l2_ioctl+0x60/0x90 [videodev] [ 65.603227] __arm64_sys_ioctl+0xa8/0xe0 [ 65.603576] invoke_syscall+0x54/0x118 [ 65.603911] el0_svc_common.constprop.3+0x84/0x100 [ 65.604332] do_el0_svc+0x34/0xa0 [ 65.604625] el0_svc+0x1c/0x50 [ 65.604897] el0t_64_sync_handler+0x88/0xb0 [ 65.605264] el0t_64_sync+0x16c/0x170 [ 65.605587] ---[ end trace 578e0ba07742170d ]--- Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails") Signed-off-by: Dafna Hirschfeld Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1df09885f8a02a59421a498cb06daa26cc9c66c7 Author: Randy Dunlap Date: Fri Mar 4 22:40:36 2022 -0800 m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined [ Upstream commit e6e1e7b19fa132d23d09c465942aab4c110d3da9 ] When CONFIG_MCF_EDMA is set (due to COMPILE_TEST, not due to CONFIG_M5441x), coldfire/device.c has compile errors due to missing MCFEDMA_* symbols. In the .config file that was provided, CONFIG_M5206=y, not CONFIG_M5441x, so is not included in coldfire/device.c. Only build the MCF_EDMA code in coldfire/device.c if the MCFEDMA_* hardware macros are defined. Fixes these build errors: ../arch/m68k/coldfire/device.c:512:35: error: 'MCFEDMA_BASE' undeclared here (not in a function); did you mean 'MCFDMA_BASE1'? 512 | .start = MCFEDMA_BASE, ../arch/m68k/coldfire/device.c:513:50: error: 'MCFEDMA_SIZE' undeclared here (not in a function) 513 | .end = MCFEDMA_BASE + MCFEDMA_SIZE - 1, ../arch/m68k/coldfire/device.c:517:35: error: 'MCFEDMA_IRQ_INTR0' undeclared here (not in a function) 517 | .start = MCFEDMA_IRQ_INTR0, ../arch/m68k/coldfire/device.c:523:35: error: 'MCFEDMA_IRQ_INTR16' undeclared here (not in a function) 523 | .start = MCFEDMA_IRQ_INTR16, ../arch/m68k/coldfire/device.c:529:35: error: 'MCFEDMA_IRQ_INTR56' undeclared here (not in a function) 529 | .start = MCFEDMA_IRQ_INTR56, ../arch/m68k/coldfire/device.c:535:35: error: 'MCFEDMA_IRQ_ERR' undeclared here (not in a function) 535 | .start = MCFEDMA_IRQ_ERR, Fixes: d7e9d01ac292 ("m68k: add ColdFire mcf5441x eDMA platform support") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Link: lore.kernel.org/r/202203030252.P752DK46-lkp@intel.com Cc: Angelo Dureghello Cc: Greg Ungerer Cc: Greg Ungerer Cc: Geert Uytterhoeven Cc: linux-m68k@lists.linux-m68k.org Cc: uclinux-dev@uclinux.org Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit d0a138ac5d5508e09088216ee4cd2143532236bf Author: Rob Herring Date: Fri Mar 4 14:25:58 2022 -0600 arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly [ Upstream commit 37cbd3c522869247ed4525b5042ff4c6a276c813 ] A label reference without brackets is a path string, not a phandle as intended. Add the missing brackets. Fixes: a5002c41c383 ("arm64: dts: rockchip: add WiFi module support for Firefly-RK3399") Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220304202559.317749-1-robh@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 39d2c4a33dc1b4402cec68a3c8f82c6588b6edce Author: Takashi Sakamoto Date: Fri Mar 4 21:56:47 2022 +0900 ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction [ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ] AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") while 'deferrable' flag can be uninitialized for non-control/notify AV/C transactions. UBSAN reports it: kernel: ================================================================================ kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 kernel: load of value 158 is not a valid value for type '_Bool' kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 kernel: Call Trace: kernel: kernel: show_stack+0x52/0x58 kernel: dump_stack_lvl+0x4a/0x5f kernel: dump_stack+0x10/0x12 kernel: ubsan_epilogue+0x9/0x45 kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] kernel: fcp_response+0x28/0x30 [snd_firewire_lib] kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] kernel: tasklet_action_common.constprop.0+0xea/0xf0 kernel: tasklet_action+0x22/0x30 kernel: __do_softirq+0xd9/0x2e3 kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 kernel: do_softirq+0x75/0xa0 kernel: kernel: kernel: __local_bh_enable_ip+0x50/0x60 kernel: irq_forced_thread_fn+0x7e/0x90 kernel: irq_thread+0xba/0x190 kernel: ? irq_thread_fn+0x60/0x60 kernel: kthread+0x11e/0x140 kernel: ? irq_thread_check_affinity+0xf0/0xf0 kernel: ? set_kthread_struct+0x50/0x50 kernel: ret_from_fork+0x22/0x30 kernel: kernel: ================================================================================ This commit fixes the bug. The bug has no disadvantage for the non- control/notify AV/C transactions since the flag has an effect for AV/C response with INTERIM (0x0f) status which is not used for the transactions in AV/C general specification. Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 3d163f4667d14e7a8d03ed31b6e30dcbb8fb8ab9 Author: Jia-Ju Bai Date: Fri Feb 25 05:25:52 2022 -0800 memory: emif: check the pointer temp in get_device_details() [ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ] The pointer temp is allocated by devm_kzalloc(), so it should be checked for error handling. Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver") Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 9003e8daf551483f05306ee866e044632e0c8a82 Author: Jiasheng Jiang Date: Thu Feb 24 10:54:44 2022 +0800 memory: emif: Add check for setup_interrupts [ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the setup_interrupts() and return error if fails. Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 449932367d2de0f5e9e916516768f95b7d8954cd Author: Daniel Scally Date: Wed Mar 2 22:24:48 2022 +0000 media: i2c: Fix pixel array positions in ov8865 [ Upstream commit 3d1e4228c9dd5c945a5cb621749f358766ee5777 ] The ov8865's datasheet gives the pixel array as 3296x2528, and the active portion as the centre 3264x2448. This makes for a top offset of 40 and a left offset of 16, not 32 and 80. Fixes: acd25e220921 ("media: i2c: Add .get_selection() support to ov8865") Reported-by: Jean-Michel Hautbois Signed-off-by: Daniel Scally Reviewed-by: Kieran Bingham Reviewed-by: Paul Kocialkowski Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit f69a75cb8a98c6c487d620442c68595726a69f60 Author: Jiasheng Jiang Date: Fri Oct 15 08:13:53 2021 +0000 ASoC: soc-compress: prevent the potentially use of null pointer [ Upstream commit de2c6f98817fa5decb9b7d3b3a8a3ab864c10588 ] There is one call trace that snd_soc_register_card() ->snd_soc_bind_card()->soc_init_pcm_runtime() ->snd_soc_dai_compress_new()->snd_soc_new_compress(). In the trace the 'codec_dai' transfers from card->dai_link, and we can see from the snd_soc_add_pcm_runtime() in snd_soc_bind_card() that, if value of card->dai_link->num_codecs is 0, then 'codec_dai' could be null pointer caused by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'. And snd_soc_register_card() is called by various platforms. Therefore, it is better to add the check in the case of misusing. And because 'cpu_dai' has already checked in soc_init_pcm_runtime(), there is no need to check again. Adding the check as follow, then if 'codec_dai' is null, snd_soc_new_compress() will not pass through the check 'if (playback + capture != 1)', avoiding the leftover use of 'codec_dai'. Fixes: 467fece ("ASoC: soc-dai: move snd_soc_dai_stream_valid() to soc-dai.c") Signed-off-by: Jiasheng Jiang Reported-by: kernel test robot Reported-by: Dan Carpenter Link: https://lore.kernel.org/r/1634285633-529368-1-git-send-email-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit cabd6051d913ae473a9d00f17cbdffc1255f025d Author: Jiasheng Jiang Date: Tue Mar 1 16:47:42 2022 +0800 ASoC: dwc-i2s: Handle errors for clk_enable [ Upstream commit 45ea97d74313bae681328b0c36fa348036777644 ] As the potential failure of the clk_enable(), it should be better to check it, as same as clk_prepare_enable(). Fixes: c9afc1834e81 ("ASoC: dwc: Disallow building designware_pcm as a module") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301084742.3751939-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 63c71e5e677fb20f2e2f1d1014bd4a7ffde78a9b Author: Jiasheng Jiang Date: Tue Mar 1 17:06:37 2022 +0800 ASoC: atmel_ssc_dai: Handle errors for clk_enable [ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fals. Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b89a9bcf88c036f14a41cce2050c3469716bc5af Author: Jiasheng Jiang Date: Tue Mar 1 16:17:17 2022 +0800 ASoC: mxs-saif: Handle errors for clk_enable [ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ] As the potential failure of the clk_enable(), it should be better to check it, like mxs_saif_trigger(). Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c2b7f61f52908168a73c1ce7a7fb7cfe09692bba Author: Randy Dunlap Date: Mon Feb 28 14:05:56 2022 -0800 printk: fix return value of printk.devkmsg __setup handler [ Upstream commit b665eae7a788c5e2bc10f9ac3c0137aa0ad1fc97 ] If an invalid option value is used with "printk.devkmsg=", it is silently ignored. If a valid option value is used, it is honored but the wrong return value (0) is used, indicating that the command line option had an error and was not handled. This string is not added to init's environment strings due to init/main.c::unknown_bootoption() checking for a '.' in the boot option string and then considering that string to be an "Unused module parameter". Print a warning message if a bad option string is used. Always return 1 from the __setup handler to indicate that the command line option has been handled. Fixes: 750afe7babd1 ("printk: add kernel parameter to control writes to /dev/kmsg") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Borislav Petkov Cc: Andrew Morton Cc: Petr Mladek Cc: Sergey Senozhatsky Cc: Steven Rostedt Cc: John Ogness Reviewed-by: John Ogness Reviewed-by: Sergey Senozhatsky Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220228220556.23484-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit 36fcb82d0022b3e9368f3d52ea051391b728a0fb Author: Frank Wunderlich Date: Tue Mar 1 16:24:18 2022 +0100 arm64: dts: broadcom: Fix sata nodename [ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ] After converting ahci-platform txt binding to yaml nodename is reported as not matching the standard: arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml: ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$' Fix it to match binding. Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2") Signed-off-by: Frank Wunderlich Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 5638ac0f46a5d559cad79d20b5d8b683ecdc6efd Author: Kuldeep Singh Date: Mon Feb 28 16:39:03 2022 +0530 arm64: dts: ns2: Fix spi-cpol and spi-cpha property [ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ] Broadcom ns2 platform has spi-cpol and spi-cpho properties set incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are of flag or boolean type and not integer type. Fix the values. Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2) Signed-off-by: Kuldeep Singh CC: Ray Jui CC: Scott Branden CC: Florian Fainelli Signed-off-by: Sasha Levin commit dedcf2fc2534a8bdeec648f9c4d7dc34923c744c Author: Jiasheng Jiang Date: Mon Feb 28 10:28:39 2022 +0800 ALSA: spi: Add check for clk_enable() [ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b1aa6c8d4ad8ee0146644cc97b5b3181b070d5b1 Author: Jiasheng Jiang Date: Mon Feb 28 11:15:40 2022 +0800 ASoC: ti: davinci-i2s: Add check for clk_enable() [ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP") Signed-off-by: Jiasheng Jiang Acked-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e5d3019047228640338e676da81b516c24adc6fa Author: Aswath Govindraju Date: Fri Feb 11 13:20:55 2022 +0530 mmc: sdhci_am654: Fix the driver data of AM64 SoC [ Upstream commit 3b7340f1c89cc488e4df0b033bf7ae502ebbf5b2 ] The MMCSD IPs used in AM64 are the same as the ones used in J721E. Therefore, fix this by using the driver data from J721E for AM64 too, for both 8 and 4 bit instances. Fixes: 754b7f2f7d2a ("mmc: sdhci_am654: Add Support for TI's AM64 SoC") Signed-off-by: Aswath Govindraju Link: https://lore.kernel.org/r/20220211075056.26179-1-a-govindraju@ti.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit ba5c444b60d2c6aff36370823e27e1241bb9a574 Author: Chun-Jie Chen Date: Sun Jan 30 09:21:01 2022 +0800 soc: mediatek: pm-domains: Add wakeup capacity support in power domain [ Upstream commit ac0ca395543af061f7ad77afcda0afb323d82468 ] Due to some power domain needs to keep on for wakeup in system suspend, so add GENPD_FLAG_ACTIVE_WAKEUP support in Mediatek power domain driver. Fixes: 59b644b01cf4 ("soc: mediatek: Add MediaTek SCPSYS power domains") Signed-off-by: Chun-Jie Chen Reviewed-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220130012104.5292-3-chun-jie.chen@mediatek.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit a6b40f6630331afc793c93ccfa45500613c923ac Author: Jia-Ju Bai Date: Fri Feb 25 05:16:45 2022 -0800 ASoC: acp: check the return value of devm_kzalloc() in acp_legacy_dai_links_create() [ Upstream commit 431f9a77a4a62694ce90742d1f4c5abe1b8b6612 ] The function devm_kzalloc() in acp_legacy_dai_links_create() can fail, so its return value should be checked. Fixes: d4c750f2c7d4 ("ASoC: amd: acp: Add generic machine driver support for ACP cards") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225131645.27556-1-baijiaju1990@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5c0f8cbeecd5e7ffb9ef6bb7f3534ac6ca5370fc Author: Jia-Ju Bai Date: Fri Feb 25 05:10:30 2022 -0800 ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() [ Upstream commit 4d06f92f38b799295ae22c98be7a20cac3e2a1a7 ] The function devm_kzalloc() in rt5663_parse_dp() can fail, so its return value should be checked. Fixes: 457c25efc592 ("ASoC: rt5663: Add the function of impedance sensing") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225131030.27248-1-baijiaju1990@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1188d8b12956eb03dab387d379971c13920907dc Author: Arnd Bergmann Date: Tue Feb 15 15:37:37 2022 +0100 uaccess: fix nios2 and microblaze get_user_8() [ Upstream commit a97b693c3712f040c5802f32b2d685352e08cefa ] These two architectures implement 8-byte get_user() through a memcpy() into a four-byte variable, which won't fit. Use a temporary 64-bit variable instead here, and use a double cast the way that risc-v and openrisc do to avoid compile-time warnings. Fixes: 6a090e97972d ("arch/microblaze: support get_user() of size 8 bytes") Fixes: 5ccc6af5e88e ("nios2: Memory management") Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit cae6a6bd99561f9994088eea3343fb672a663123 Author: Christophe Leroy Date: Thu Feb 17 09:49:59 2022 +0100 vsprintf: Fix %pK with kptr_restrict == 0 [ Upstream commit 84842911322fc6a02a03ab9e728a48c691fe3efd ] Although kptr_restrict is set to 0 and the kernel is booted with no_hash_pointers parameter, the content of /proc/vmallocinfo is lacking the real addresses. / # cat /proc/vmallocinfo 0x(ptrval)-0x(ptrval) 8192 load_module+0xc0c/0x2c0c pages=1 vmalloc 0x(ptrval)-0x(ptrval) 12288 start_kernel+0x4e0/0x690 pages=2 vmalloc 0x(ptrval)-0x(ptrval) 12288 start_kernel+0x4e0/0x690 pages=2 vmalloc 0x(ptrval)-0x(ptrval) 8192 _mpic_map_mmio.constprop.0+0x20/0x44 phys=0x80041000 ioremap 0x(ptrval)-0x(ptrval) 12288 _mpic_map_mmio.constprop.0+0x20/0x44 phys=0x80041000 ioremap ... According to the documentation for /proc/sys/kernel/, %pK is equivalent to %p when kptr_restrict is set to 0. Fixes: 5ead723a20e0 ("lib/vsprintf: no_hash_pointers prints all addresses as unhashed") Signed-off-by: Christophe Leroy Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/107476128e59bff11a309b5bf7579a1753a41aca.1645087605.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 2372410d4dd82ea03171485f60088b74a45e3891 Author: Muhammad Usama Anjum Date: Fri Jan 21 19:51:53 2022 +0500 selftests/lkdtm: Add UBSAN config [ Upstream commit 1900be289b598b2c553b3add13e491c0bb8a8550 ] UBSAN_BOUNDS and UBSAN_TRAP depend on UBSAN config option. merge_config.sh script generates following warnings if parent config doesn't have UBSAN config already enabled and UBSAN_BOUNDS/UBSAN_TRAP config options don't get added to the parent config. Value requested for CONFIG_UBSAN_BOUNDS not in final .config Requested value: CONFIG_UBSAN_BOUNDS=y Actual value: Value requested for CONFIG_UBSAN_TRAP not in final .config Requested value: CONFIG_UBSAN_TRAP=y Actual value: Fix this by including UBSAN config. Fixes: c75be56e35b2 ("lkdtm/bugs: Add ARRAY_BOUNDS to selftests") Signed-off-by: Muhammad Usama Anjum Acked-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit ce99e83551b1ba020dc6be8a96594068abf3e530 Author: Muhammad Usama Anjum Date: Wed Jan 19 15:15:31 2022 +0500 selftests: vm: remove dependecy from internal kernel macros [ Upstream commit 681696862bc1823595c05960a83766d1aa965c17 ] The defination of swap() is used from kernel's internal header when this test is built in source tree. The build fails when this test is built out of source tree as defination of swap() isn't found. Selftests shouldn't depend on kernel's internal header files. They can only depend on uapi header files. Add the defination of swap() to fix the build error: gcc -Wall -I/linux_mainline2/build/usr/include -no-pie userfaultfd.c -lrt -lpthread -o /linux_mainline2/build/kselftest/vm/userfaultfd userfaultfd.c: In function ‘userfaultfd_stress’: userfaultfd.c:1530:3: warning: implicit declaration of function ‘swap’; did you mean ‘swab’? [-Wimplicit-function-declaration] 1530 | swap(area_src, area_dst); | ^~~~ | swab /usr/bin/ld: /tmp/cclUUH7V.o: in function `userfaultfd_stress': userfaultfd.c:(.text+0x4d64): undefined reference to `swap' /usr/bin/ld: userfaultfd.c:(.text+0x4d82): undefined reference to `swap' collect2: error: ld returned 1 exit status Fixes: 2c769ed7137a ("tools/testing/selftests/vm/userfaultfd.c: use swap() to make code cleaner") Signed-off-by: Muhammad Usama Anjum Reviewed-by: Alistair Popple Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 90fe229ecbe2c65f0a511266692994fa981d9fea Author: Mirela Rabulea Date: Mon Nov 1 21:52:51 2021 +0200 media: ov5640: Fix set format, v4l2_mbus_pixelcode not updated [ Upstream commit e738f5dd67eb8098d75345908a5e73782d0569a5 ] In ov5640_set_fmt, pending_fmt_change will always be false, because the sensor format is saved before comparing it with the previous format: fmt = &sensor->fmt;... *fmt = *mbus_fmt;... if (mbus_fmt->code != sensor->fmt.code) sensor->pending_fmt_change = true; This causes the sensor to capture with the previous pixelcode. Also, changes might happen even for V4L2_SUBDEV_FORMAT_TRY, so fix that. Basically, revert back to the state before commit 071154499193 ("media: ov5640: Fix set format regression") as it was more clear, and then update format even when pixelcode does not change, as resolution might change. Fixes: 071154499193 ("media: ov5640: Fix set format regression") Fixes: 6949d864776e ("media: ov5640: do not change mode if format or frame interval is unchanged") Fixes: fb98e29ff1ea5 ("media: ov5640: fix mode change regression") Signed-off-by: Mirela Rabulea Reviewed-by: Jacopo Mondi Acked-by: Hugues Fruchet Tested-by: Hugues Fruchet Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit f886e72afb31dcfd0500f79c0c74ca574c61f80e Author: Jernej Skrabec Date: Tue Feb 22 19:03:28 2022 +0100 media: hantro: sunxi: Fix VP9 steps [ Upstream commit 17e83a0a1e134401616120b6976f65234e7ccc45 ] It turns out that postproc on Allwinner H6 needs width and height to be multiple of 32. Fixes: 86790a4fdf4b ("media: hantro: Add support for Allwinner H6") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 2d6c05d4ac09f2740ae618aa47ae90c5a4c864fa Author: Nicolas Dufresne Date: Fri Feb 18 13:42:07 2022 -0500 media: v4l2-core: Initialize h264 scaling matrix [ Upstream commit 0f6146d476fc99862899e70f2554ee77b444b7b9 ] In the final H264 API, it is not required to set scaling matrix if they are not present in the bitstream. A flag was added in order to let the driver know. The downside is that it leaves the default control value to 0, which isn't valid. As per the spec (see formulas 7-8/7-9), when the scaling matrix are absent from the bitstream, flat values of 16 should be used. This improves this control semantic in a way that the control value are always valid. Drivers can then use the scaling_matrix control values without having to check its presence. Same method was employed for MPEG2_QUANTISATION. This fixes issues with MTK VCODEC H264 decoder when using GStreamer. GStreamer does not set this control if its not present in the bitstream. As MTK VDCODEC was using the initialized to 0 values, the frames ended up completely gray. Fixes: 54889c51b833d236 ("media: uapi: h264: Rename and clarify PPS_FLAG_SCALING_MATRIX_PRESENT") Signed-off-by: Nicolas Dufresne Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 56a659041140308d9a6409d1992cd56bc5e62f78 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:12 2022 +0000 ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put [ Upstream commit 4b0bec6088588a120d33db85b1f0d9f096d1df71 ] wcd934x_rx_hph_mode_put currently returns zero eventhough it changes the value. Fix this, so that change notifications are sent correctly. Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-10-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5ddc03f321a7ac4b8419aca673b39861ec760779 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:11 2022 +0000 ASoC: codecs: wcd934x: fix kcontrol max values [ Upstream commit 61163c3e7480106804269182e24db05244866493 ] set "HPH Type" Kcontrol max value of WCD_MBHC_HPH_STEREO instead of UINT_MAX. set "HPHL/R Impedance" Kcontrols max value to INT_MAX instead of UINT_MAX as max field is integer type. Without this patch amixer for these controls will show -1 as max value to userspace. Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-9-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a54642a38da658143820fecdd86283cbd2735c59 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:10 2022 +0000 ASoC: codecs: wcd938x: fix kcontrol max values [ Upstream commit b0217519236924f77a8382b4004e43ef8fd0dcbb ] set "HPH Type" Kcontrol max value of WCD_MBHC_HPH_STEREO instead of UINT_MAX. set "HPHL/R Impedance" Kcontrols max value to INT_MAX instead of UINT_MAX as max field is integer type. Without this patch amixer for these controls will show -1 as max value to userspace. Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-8-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d09aee1b1da196be11ed86dd4897f228f2487613 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:09 2022 +0000 ASoC: codecs: wc938x: fix accessing array out of bounds for enum type [ Upstream commit cc587b7c8fbbe128f6bd0dad025a0caea5e6d164 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fix this by using enumerated items instead of integers. Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-7-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c0099bbf8bc85d30c4cf38220fca3c8d4253fa7f Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:07 2022 +0000 ASoC: codecs: va-macro: fix accessing array out of bounds for enum type [ Upstream commit 0ea5eff7c6063a8f124188424f8e4c6727f35051 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fixes: 908e6b1df26e ("ASoC: codecs: lpass-va-macro: Add support to VA Macro") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-5-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit aed43e92e4b9187029903880d5db608f7fa1c53c Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:05 2022 +0000 ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type [ Upstream commit bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fixes: 4f692926f562 ("ASoC: codecs: lpass-rx-macro: add dapm widgets and route") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-3-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6aa8ef9535dbd561293406608ebe791627b10196 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:04 2022 +0000 ASoC: codecs: rx-macro: fix accessing compander for aux [ Upstream commit 42c709c4e1ce4c136891530646c9abd5dff3524f ] AUX interpolator does not have compander, so check before accessing compander data for this. Without this checkan array of out bounds access will be made in comp_enabled[] array. Fixes: 4f692926f562 ("ASoC: codecs: lpass-rx-macro: add dapm widgets and route") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f77b2123d2c20be8557d3661c0a236f7c96799a2 Author: Keerthy Date: Thu Feb 3 18:56:47 2022 +0530 arm64: dts: ti: k3-j721s2-mcu-wakeup: Fix the interrupt-parent for wkup_gpioX instances [ Upstream commit 223d9ac45efb9311e7b2b0494c3ed25c701c6a5d ] The interrupt-parent for wkup_gpioX instances are wrongly assigned as main_gpio_intr instead of wkup_gpio_intr. Fix it. Fixes: b8545f9d3a54 ("arm64: dts: ti: Add initial support for J721S2 SoC") Signed-off-by: Keerthy Signed-off-by: Aswath Govindraju Signed-off-by: Nishanth Menon Reviewed-by: Kishon Vijay Abraham I Link: https://lore.kernel.org/r/20220203132647.11314-1-a-govindraju@ti.com Signed-off-by: Sasha Levin commit 3624fda281732cfdebfc65105e95041679a041fc Author: Jernej Skrabec Date: Mon Feb 14 20:08:39 2022 +0100 media: cedrus: h264: Fix neighbour info buffer size [ Upstream commit fecd363ae2d5042553370b0adf60c47e35c34a83 ] According to BSP library source, H264 neighbour info buffer size needs to be 32 kiB for H6. This is similar to H265 decoding, which also needs double buffer size in comparison to older Cedrus core generations. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Issue was discovered using iommu and cross checked with BSP library source. Fixes: 6eb9b758e307 ("media: cedrus: Add H264 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 67fabbf89a92107ce8172b1fd4525e7523e929be Author: Jernej Skrabec Date: Sat Feb 12 08:42:41 2022 +0100 media: cedrus: H265: Fix neighbour info buffer size [ Upstream commit ee8b887329c78971967506f3ac79b9302c9f83c1 ] Neighbour info buffer size needs to be 794 kiB in H6. This is actually already indirectly mentioned in the comment, but smaller size is used nevertheless. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Bug was discovered using iommu, which reported access error when trying to play H265 video. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 948ad5e5624487079c24cb5c81c74ddd02832440 Author: Dan Carpenter Date: Wed Feb 2 20:52:01 2022 +0300 media: usb: go7007: s2250-board: fix leak in probe() [ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ] Call i2c_unregister_device(audio) on this error path. Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 86f88bad9f1750944c912175102074d7b37253b8 Author: Yunfei Dong Date: Fri Jan 28 11:23:30 2022 +0800 media: uapi: Init VP9 stateless decode params [ Upstream commit f15799b7b796dfaea63a86913246202d64762941 ] Init some of VP9 frame decode params to default value. Fixes: b88dbe38dca8 ("media: uapi: Add VP9 stateless decoder controls") Signed-off-by: Yunfei Dong Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit d96dd287ca21c5b494bdb55555b33a6afec807cb Author: Dongliang Mu Date: Sat Jan 22 15:44:59 2022 +0800 media: em28xx: initialize refcount before kref_get [ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ] The commit 47677e51e2a4("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 1381f1a629a090c251965edb56f849ad648414a4 Author: Zhou Qingyang Date: Mon Jan 24 18:20:01 2022 +0100 media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats() [ Upstream commit abd77889851d2ead0d0c9c4d29f1808801477b00 ] In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to ctx->active_fmt and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of devm_kzalloc(). Fix this bug by adding a NULL check of ctx->active_fmt. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers") Signed-off-by: Zhou Qingyang Reviewed-by: Pratyush Yadav Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5f276c3bfe03b40f2984a0f9bf69efd076f71858 Author: Tom Rix Date: Thu Aug 12 19:01:46 2021 +0200 media: video/hdmi: handle short reads of hdmi info frame. [ Upstream commit 4a92fc6e55da5b87cecb572275deaff6ac9dd27e ] Calling hdmi_infoframe_unpack() with static sizeof(buffer) skips all the size checking done later in hdmi_infoframe_unpack(). A better value is the amount of data read into buffer. Fixes: 480b8b3e42c3 ("video/hdmi: Pass buffer size to infoframe unpack functions") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 512cb273e1523d7624765dea8161ee79e1fe712e Author: Neil Armstrong Date: Thu Jun 3 10:42:15 2021 +0200 media: mexon-ge2d: fixup frames size in registers [ Upstream commit 79e8c421a099bfbcebe59740153e55aa0442ced6 ] The CLIP, SRC & DST registers are coded to take the pixel/line start & end, starting from 0. Thus the end should be the width/height minus 1. It can be an issue with clipping and rotation, where it will add spurious lines from uninitialized or unwanted data with a shift in the result. Fixes: 59a635327ca7 ("media: meson: Add M2M driver for the Amlogic GE2D Accelerator Unit") Signed-off-by: Neil Armstrong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c0ced04f35107da730882fbcdeb5a0d4dcc428ad Author: Marek Vasut Date: Sun Feb 6 23:11:23 2022 +0100 ARM: dts: imx: Add missing LVDS decoder on M53Menlo [ Upstream commit 0c6f71176ea43d6f4003a4d57f7bb518c5ad6145 ] The M53Menlo display unit uses an LVDS-to-DPI bridge, TI DS90CF364A. Describe this bridge in DT, otherwise the DT incorrectly describes DPI panel attached directly to LVDS source. Fixes: 716be61d1869 ("ARM: dts: imx53: Add Menlosystems M53 board") Signed-off-by: Marek Vasut Cc: Shawn Guo Cc: Fabio Estevam Cc: NXP Linux Team Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit ecc3080d042bc349ad13bb8b4f7b36e354e1a2d1 Author: Manivannan Sadhasivam Date: Tue Feb 8 23:22:21 2022 +0530 ARM: dts: qcom: sdx55: Fix the address used for PCIe EP local addr space [ Upstream commit c8a8f755170719dde7964d5172a145dd27e107ec ] Fix the address range used for mapping the PCIe host memory in the DDR. Fixes: e6b69813283f ("ARM: dts: qcom: sdx55: Add support for PCIe EP") Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220208175222.415762-1-manivannan.sadhasivam@linaro.org Signed-off-by: Sasha Levin commit fc624fa3a68333a8c87d368d5b8135d117add6d4 Author: Andy Shevchenko Date: Thu Jan 27 20:12:32 2022 +0200 vsprintf: Fix potential unaligned access [ Upstream commit d75b26f880f60ead301e79ba0f4a635c5a60767f ] The %p4cc specifier in some cases might get an unaligned pointer. Due to this we need to make copy to local variable once to avoid potential crashes on some architectures due to improper access. Fixes: af612e43de6d ("lib/vsprintf: Add support for printing V4L2 and DRM fourccs") Cc: Sakari Ailus Signed-off-by: Andy Shevchenko Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220127181233.72910-1-andriy.shevchenko@linux.intel.com Signed-off-by: Sasha Levin commit 14b91b5575171c3f0f7165224e547f4276b3b8d7 Author: Olivier Moysan Date: Mon Jan 24 16:35:25 2022 +0100 ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 [ Upstream commit ee2aacb6f3a901a95b1dd68964b69c92cdbbf213 ] Replace sai2a-2 node name by sai2a-sleep-2, to avoid name duplication. Fixes: 1a9a9d226f0f ("ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15") Signed-off-by: Olivier Moysan Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit c211e8803bdffd67b92230043747d4d6c95e05ec Author: Paul Kocialkowski Date: Sat Feb 5 19:53:24 2022 +0100 ARM: dts: sun8i: v3s: Move the csi1 block to follow address order [ Upstream commit c4af51698c4fb4fc683f2ac67f482cdf9ba2cd13 ] The csi1 block node was mistakenly added before the gic node, although its address comes after the gic's. Move the node to its correct position. Fixes: 90e048101fa1 ("ARM: dts: sun8i: V3/V3s/S3/S3L: add CSI1 device node") Signed-off-by: Paul Kocialkowski Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220205185429.2278860-2-paul.kocialkowski@bootlin.com Signed-off-by: Sasha Levin commit c09f1248b13fa956f27229655be05bc5d6fe4fa2 Author: Stephan Gerhold Date: Wed Dec 1 14:05:02 2021 +0100 cpuidle: qcom-spm: Check if any CPU is managed by SPM [ Upstream commit 0ee30ace67e425ab83a1673bf51f50b577328cf9 ] At the moment, the "qcom-spm-cpuidle" platform device is always created, even if none of the CPUs is actually managed by the SPM. On non-qcom platforms this will result in infinite probe-deferral due to the failing qcom_scm_is_available() call. To avoid this, look through the CPU DT nodes and check if there is actually any CPU managed by a SPM (as indicated by the qcom,saw property). It should also be available because e.g. MSM8916 has qcom,saw defined but it's typically not enabled with ARM64/PSCI firmwares. This is needed in preparation of a follow-up change that calls qcom_scm_set_warm_boot_addr() a single time before registering any cpuidle drivers. Otherwise this call might be made even on devices that have this driver enabled but actually make use of PSCI. Fixes: 60f3692b5f0b ("cpuidle: qcom_spm: Detach state machine from main SPM handling") Reported-by: Marek Szyprowski Link: https://lore.kernel.org/r/86e3e09f-a8d7-3dff-3fc6-ddd7d30c5d78@samsung.com/ Signed-off-by: Stephan Gerhold Tested-by: Marek Szyprowski Acked-by: Daniel Lezcano Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211201130505.257379-2-stephan@gerhold.net Signed-off-by: Sasha Levin commit 03e01cdcbb9059664b2f5a4639aea6a0b1642d84 Author: Miaoqian Lin Date: Fri Jan 14 06:28:40 2022 +0000 soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe [ Upstream commit c3d66a164c726cc3b072232d3b6d87575d194084 ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: cdd5de500b2c ("soc: ti: Add wkup_m3_ipc driver") Signed-off-by: Miaoqian Lin Signed-off-by: Nishanth Menon Acked-by: Dave Gerlach Link: https://lore.kernel.org/r/20220114062840.16620-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit e8bf862410a600d53d09d3ba745d3c1e9b621994 Author: Christophe JAILLET Date: Thu Dec 23 17:23:00 2021 +0100 firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined [ Upstream commit 043cfff99a18933fda2fb2e163daee73cc07910b ] Remove an extra ";" which breaks compilation. Fixes: 53bf2b0e4e4c ("firmware: ti_sci: Add support for getting resource with subtype") Signed-off-by: Christophe JAILLET Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/e6c3cb793e1a6a2a0ae2528d5a5650dfe6a4b6ff.1640276505.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 5da67c9f539e0d8335bebbf8feaff08c2bdcd515 Author: Baruch Siach Date: Thu Jan 20 20:43:41 2022 +0200 arm64: dts: qcom: ipq6018: fix usb reference period [ Upstream commit d1c10ab1494f09eb12fa6e58fc78bb28d44922ae ] Reference clock period for rate of 24MHz is 41ns (0x29). Link: https://lore.kernel.org/r/1965fc315525b8ab26cf9f71f939c24d@codeaurora.org Link: https://lore.kernel.org/r/a1932eba-564c-fe32-f220-53aa75250105@seco.com Fixes: 20bb9e3dd2e4 ("arm64: dts: qcom: ipq6018: add usb3 DT description") Reported-by: Kathiravan T Signed-off-by: Baruch Siach Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/4f4df55cf44cd0fd7d773aca171d4f48662fb1a5.1642704221.git.baruch@tkos.co.il Signed-off-by: Sasha Levin commit bbfd796da314e865753afbe2793c556e0267a78f Author: Petr Vorel Date: Fri Jan 14 00:33:55 2022 +0100 arm64: dts: qcom: msm8994: Provide missing "xo_board" and "sleep_clk" to GCC [ Upstream commit 4dd1ad6192748523878463a285346db408b34a02 ] This is needed due changes in commit 0519d1d0bf33 ("clk: qcom: gcc-msm8994: Modernize the driver"), which removed struct clk_fixed_factor. Preparation for next commit for enabling SD/eMMC. Inspired by 2c2f64ae36d9. This is required for both msm8994-huawei-angler (sdhc1 will be enabled in next commit) and msm8992-lg-bullhead (where actually fixes sdhc1 - tested on bullhead rev 1.01). Fixes: 0519d1d0bf33 ("clk: qcom: gcc-msm8994: Modernize the driver") Signed-off-by: Petr Vorel Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220113233358.17972-4-petr.vorel@gmail.com Signed-off-by: Sasha Levin commit 52121c02d3becca4f35bb65eab948a706fe778dc Author: Maulik Shah Date: Sun Jan 9 22:55:01 2022 +0530 arm64: dts: qcom: sm8450: Update cpuidle states parameters [ Upstream commit 6574702b0d394d2acc9ff808c4a79df8b9999173 ] This change updates/corrects below cpuidle parameters 1. entry-latency, exit-latency and residency for various idle states. 2. arm,psci-suspend-param which is same for CLUSTER_SLEEP_0/1 states. 3. Add CLUSTER_SLEEP_1 in CLUSTER_PD. Cc: devicetree@vger.kernel.org Fixes: 5188049c9b36 ("arm64: dts: qcom: Add base SM8450 DTSI") Signed-off-by: Maulik Shah Reviewed-by: Ulf Hansson [bjorn: Split domain-idle-states, per Ulf's request] Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-5-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit 98550f17f7d0737ad0d7854e0985fd435cb7834e Author: Maulik Shah Date: Sun Jan 9 22:55:00 2022 +0530 arm64: dts: qcom: sm8350: Correct TCS configuration for apps rsc [ Upstream commit a131255e4ad1ef8d4873ecba21561ba272b2547a ] Correct the TCS config by updating the number of TCSes for each type. Cc: devicetree@vger.kernel.org Fixes: b7e8f433a673 ("arm64: dts: qcom: Add basic devicetree support for SM8350 SoC") Signed-off-by: Maulik Shah Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-4-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit faa529c149f04db99104056dd4d6d9bd09e477af Author: Maulik Shah Date: Sun Jan 9 22:54:58 2022 +0530 arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc [ Upstream commit 17ac8af678b6da6a8f1df7da8ebf2c5198741827 ] Correct the TCS config by updating the number of TCSes for each type. Cc: devicetree@vger.kernel.org Fixes: d8cf9372b654 ("arm64: dts: qcom: sm8150: Add apps shared nodes") Signed-off-by: Maulik Shah Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-2-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit 03f124076b2fba95903f1f5f78959f7efbd2d679 Author: Rafał Miłecki Date: Wed Dec 29 11:23:14 2021 +0100 arm64: dts: broadcom: bcm4908: use proper TWD binding [ Upstream commit 33826e9c6ba76b265d4e26cb95493fa27ed78974 ] Block at is a TWD that contains timers, watchdog and reset. Actual timers happen to be at block beginning but they only span across the first 0x28 registers. It means the old block description was incorrect (size 0x3c). Drop timers binding for now and use documented TWD binding. Timers should be properly documented and defined as TWD subnode. Fixes: 2961f69f151c ("arm64: dts: broadcom: add BCM4908 and Asus GT-AC5300 early DTS files") Signed-off-by: Rafał Miłecki Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit b6a049a69e33587e3650fed17b79c948e63bf3b8 Author: Petr Vorel Date: Fri Dec 31 22:36:35 2021 +0100 arm64: dts: qcom: msm8916-j5: Fix typo [ Upstream commit 1f87900493845c0a0d731496150e915649209f1c ] Fixes: bd943653b10d ("arm64: dts: qcom: Add device tree for Samsung J5 2015 (samsung-j5)") Signed-off-by: Petr Vorel Reviewed-by: Stephan Gerhold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211231213635.116324-1-petr.vorel@gmail.com Signed-off-by: Sasha Levin commit aa156aba43dc797c839a5ea91556ecf5a99aca30 Author: Dmitry Baryshkov Date: Wed Dec 15 02:14:48 2021 +0300 arm64: dts: qcom: sm8250: fix PCIe bindings to follow schema [ Upstream commit d60507200485bc778bf6a5556271d784ab09d913 ] Replace (unused) enable-gpio binding with schema-defined wake-gpios. The GPIO line is still unused, but at least we'd follow the defined schema. While we are at it, change perst-gpio property to follow the preferred naming schema (perst-gpios). Fixes: 13e948a36db7 ("arm64: dts: qcom: sm8250: Commonize PCIe pins") Cc: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211214231448.2044987-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 37a503bfe7619deedba51aae69cc73501af2fbcc Author: David Heidelberg Date: Mon Dec 13 20:51:04 2021 +0100 arm64: dts: qcom: sdm845: fix microphone bias properties and values [ Upstream commit 625c24460dbbc3b6c9a148c0a30f0830893fc909 ] replace millivolt with correct microvolt and adjust value to the minimal value allowed by documentation. Found with `make qcom/sdm845-oneplus-fajita.dtb`. Fixes: arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias2-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias3-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias4-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-millivolt', 'qcom,micbias2-millivolt', 'qcom,micbias3-millivolt', 'qcom,micbias4-millivolt' do not match any of the regexes: '^.*@[0-9a-f]+$', 'pinctrl-[0-9]+' Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes") Signed-off-by: David Heidelberg Tested-by: Steev Klimaszewski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211213195105.114596-1-david@ixit.cz Signed-off-by: Sasha Levin commit 86835564efbce6e099666a550528dfee5755dacd Author: Daniel Thompson Date: Thu Jan 27 17:35:54 2022 +0000 soc: qcom: aoss: remove spurious IRQF_ONESHOT flags [ Upstream commit 8030cb9a55688c1339edd284d9d6ce5f9fc75160 ] Quoting the header comments, IRQF_ONESHOT is "Used by threaded interrupts which need to keep the irq line disabled until the threaded handler has been run.". When applied to an interrupt that doesn't request a threaded irq then IRQF_ONESHOT has a lesser known (undocumented?) side effect, which it to disable the forced threading of the irq. For "normal" kernels (without forced threading) then, if there is no thread_fn, then IRQF_ONESHOT is a nop. In this case disabling forced threading is not appropriate for this driver because it calls wake_up_all() and this API cannot be called from no-thread interrupt handlers on PREEMPT_RT systems (deadlock risk, triggers sleeping-while-atomic warnings). Fix this by removing IRQF_ONESHOT. Fixes: 2209481409b7 ("soc: qcom: Add AOSS QMP driver") Signed-off-by: Daniel Thompson [bjorn: Added Fixes tag] Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220127173554.158111-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit 863bf0d2d794de665f7d3dfa5241c55300fad591 Author: Miaoqian Lin Date: Sat Jan 8 09:59:31 2022 +0000 soc: qcom: aoss: Fix missing put_device call in qmp_get [ Upstream commit 4b41a9d0fe3db5f91078a380f62f0572c3ecf2dd ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling paths. Fixes: 8c75d585b931 ("soc: qcom: aoss: Expose send for generic usecase") Signed-off-by: Miaoqian Lin Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220108095931.21527-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit f3106d49b8d649d551c56cae07ac7b189a23e077 Author: Miaoqian Lin Date: Fri Jan 7 07:31:26 2022 +0000 soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem [ Upstream commit 0ff027027e05a866491bbb53494f0e2a61354c85 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 01f937ffc468 ("soc: qcom: ocmem: don't return NULL in of_get_ocmem") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220107073126.2335-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 31b5124d742969ea8bf7a1360596f548ca23e770 Author: Jiasheng Jiang Date: Fri Dec 31 17:44:19 2021 +0800 soc: qcom: rpmpd: Check for null return of devm_kcalloc [ Upstream commit 5a811126d38f9767a20cc271b34db7c8efc5a46c ] Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.". Fixes: bbe3a66c3f5a ("soc: qcom: rpmpd: Add a Power domain driver to model corners") Signed-off-by: Jiasheng Jiang Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211231094419.1941054-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit f6ef6d4ddf848f2ddfe3b1307dbf85d80cf649f7 Author: Pavel Kubelun Date: Mon Dec 20 18:03:52 2021 +0100 ARM: dts: qcom: ipq4019: fix sleep clock [ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ] It seems like sleep_clk was copied from ipq806x. Fix ipq40xx sleep_clk to the value QSDK defines. Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d Link: https://patchwork.kernel.org/comment/22721613/ Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC") Suggested-by: Bjorn Andersson (clock-output-names) Signed-off-by: Pavel Kubelun Signed-off-by: Christian Lamparter (removed clock rename) Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com Signed-off-by: Sasha Levin commit 88d707f40576e5aa87d765d193ad4f64c7a2a8e0 Author: Marijn Suijten Date: Wed Dec 8 09:34:21 2021 +0100 firmware: qcom: scm: Remove reassignment to desc following initializer [ Upstream commit 7823e5aa5d1dd9ed5849923c165eb8f29ad23c54 ] Member assignments to qcom_scm_desc were moved into struct initializers in 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") including the case in qcom_scm_iommu_secure_ptbl_init, except that the - now duplicate - assignment to desc was left in place. While not harmful, remove this unnecessary extra reassignment. Fixes: 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Alex Elder Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211208083423.22037-2-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 0c92621fe5b9ec87abc5b867a9a85ab1568ae27c Author: Douglas Anderson Date: Tue Jan 25 14:44:18 2022 -0800 arm64: dts: qcom: sc7280: Fix gmu unit address [ Upstream commit 142a4d995c6adb6bf5b22166f51b525e83c96661 ] When processing sc7280 device trees, I can see: Warning (simple_bus_reg): /soc@0/gmu@3d69000: simple-bus unit address format error, expected "3d6a000" There's a clear typo in the node name. Fix it. Fixes: 96c471970b7b ("arm64: dts: qcom: sc7280: Add gpu support") Signed-off-by: Douglas Anderson Reviewed-by: Stephen Boyd Reviewed-by: Matthias Kaehlcke Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220125144316.v2.1.I19f60014e9be4b9dda4d66b5d56ef3d9600b6e10@changeid Signed-off-by: Sasha Levin commit 3749b7ad4d43bbb6b31046f008f4de2c12ff9839 Author: Randy Dunlap Date: Sat Jan 29 00:02:59 2022 -0800 ASoC: max98927: add missing header file [ Upstream commit bb45f689fa62110c263c86070bfcb9ecbb6e1e23 ] Add a header file that provides the missing function prototypes and macro to fix these build errors (seen on arch/alpha/): ../sound/soc/codecs/max98927.c: In function 'max98927_i2c_probe': ../sound/soc/codecs/max98927.c:902:19: error: implicit declaration of function 'devm_gpiod_get_optional'; did you mean 'devm_regulator_get_optional'? [-Werror=implicit-function-declaration] 902 | = devm_gpiod_get_optional(&i2c->dev, "reset", GPIOD_OUT_HIGH); | ^~~~~~~~~~~~~~~~~~~~~~~ ../sound/soc/codecs/max98927.c:902:63: error: 'GPIOD_OUT_HIGH' undeclared (first use in this function); did you mean 'GPIOF_INIT_HIGH'? 902 | = devm_gpiod_get_optional(&i2c->dev, "reset", GPIOD_OUT_HIGH); | ^~~~~~~~~~~~~~ ../sound/soc/codecs/max98927.c:909:17: error: implicit declaration of function 'gpiod_set_value_cansleep'; did you mean 'gpio_set_value_cansleep'? [-Werror=implicit-function-declaration] 909 | gpiod_set_value_cansleep(max98927->reset_gpio, 0); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 4d67dc1998f1 ("ASoC: max98927: Handle reset gpio when probing i2c") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Alejandro Tafalla Cc: Mark Brown Cc: Liam Girdwood Cc: Takashi Iwai Cc: alsa-devel@alsa-project.org Link: https://lore.kernel.org/r/20220129080259.19964-1-rdunlap@infradead.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 129c34d7e365c02a9aeec9ea01019d209e694775 Author: Zev Weiss Date: Tue Jan 4 16:37:18 2022 -0800 ARM: dts: Fix OpenBMC flash layout label addresses [ Upstream commit e011df3579ac980d840db8e8c3b9431f88ebddab ] We've ended up with some inconsistencies between the addresses in the DT node labels and the actual offsets of the partitions; this brings them back in sync. Signed-off-by: Zev Weiss Fixes: 529022738c8e ("ARM: dts: Add OpenBMC flash layout") Fixes: 8dec60e7b8d0 ("ARM: dts: aspeed: Grow u-boot partition 64MiB OpenBMC flash layout") Reviewed-by: Lei YU Link: https://lore.kernel.org/r/20220105003718.19888-1-zev@bewilderbeest.net Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit a9e1c8d2e0f91d845c2b38e2cd0b90ff9550ea74 Author: Dan Carpenter Date: Thu Sep 16 16:29:19 2021 +0300 video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() [ Upstream commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 ] This code has two bugs: 1) "cnt" is 255 but the size of the buffer is 256 so the last byte is not used. 2) If we try to print more than 255 characters then "cnt" will be negative and that will trigger a WARN() in snprintf(). The fix for this is to use scnprintf() instead of snprintf(). We can re-write this code to be cleaner: 1) Rename "offset" to "off" because that's shorter. 2) Get rid of the "cnt" variable and just use "size - off" directly. 3) Get rid of the "read" variable and just increment "off" directly. Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Dan Carpenter Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit c19c5424ec7a04097949bdad9b7b6ad470c612d6 Author: Dan Carpenter Date: Fri Dec 3 12:58:08 2021 +0300 video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() [ Upstream commit fee5c1e4b789e41719af9fee0e2dd397cd31988f ] If "sinfo->config" is not found, then return -ENODEV. Don't return success. Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") Signed-off-by: Dan Carpenter Acked-by: Nicolas Ferre Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 9280ef235b05e8f19f8bc6d547b992f0a0ef398d Author: Wang Hai Date: Thu Oct 14 21:22:31 2021 +0800 video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() [ Upstream commit 1791f487f877a9e83d81c8677bd3e7b259e7cb27 ] I got a null-ptr-deref report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:fb_destroy_modelist+0x38/0x100 ... Call Trace: ufx_usb_probe.cold+0x2b5/0xac1 [smscufx] usb_probe_interface+0x1aa/0x3c0 [usbcore] really_probe+0x167/0x460 ... ret_from_fork+0x1f/0x30 If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will be called to destroy modelist in the error handling path. But modelist has not been initialized yet, so it will result in null-ptr-deref. Initialize modelist before calling fb_alloc_cmap() to fix this bug. Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Thomas Zimmermann Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 3a26a60807b6baa0d1f833f90fceaa8693cf66ac Author: YueHaibing Date: Thu Dec 9 17:01:13 2021 +0800 video: fbdev: controlfb: Fix COMPILE_TEST build [ Upstream commit 567e44fb51b4f909ae58038a7301352eecea8426 ] If PPC_BOOK3S, PPC_PMAC and PPC32 is n, COMPILE_TEST build fails: drivers/video/fbdev/controlfb.c:70:0: error: "pgprot_cached_wthru" redefined [-Werror] #define pgprot_cached_wthru(prot) (prot) In file included from ./arch/powerpc/include/asm/pgtable.h:20:0, from ./include/linux/pgtable.h:6, from ./include/linux/mm.h:33, from drivers/video/fbdev/controlfb.c:37: ./arch/powerpc/include/asm/nohash/pgtable.h:243:0: note: this is the location of the previous definition #define pgprot_cached_wthru(prot) (__pgprot((pgprot_val(prot) & ~_PAGE_CACHE_CTL) | \ Fixes: a07a63b0e24d ("video: fbdev: controlfb: add COMPILE_TEST support") Signed-off-by: YueHaibing Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 323bc0cd892e003829e1b95a47285385eeb69fa0 Author: Z. Liu Date: Sun Dec 19 02:00:35 2021 +0800 video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen [ Upstream commit 62d89a7d49afe46e6b9bbe9e23b004ad848dbde4 ] Start from commit 11be60bd66d54 "matroxfb: add Matrox MGA-G200eW board support", when maxvram is 0x800000, monitor become black w/ error message said: "The current input timing is not supported by the monitor display. Please change your input timing to 1920x1080@60Hz ...". Fixes: 11be60bd66d5 ("matroxfb: add Matrox MGA-G200eW board support") Signed-off-by: Z. Liu Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit a07ff4eeaf0696182cd54b8135da5d1cdeba761c Author: Jammy Huang Date: Tue Jan 25 07:44:07 2022 +0100 media: aspeed: Correct value for h-total-pixels [ Upstream commit 4b732a0016853eaff35944f900b0db66f3914374 ] Previous reg-field, 0x98[11:0], stands for the period of the detected hsync signal. Use the correct reg, 0xa0, to get h-total in pixels. Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") Signed-off-by: Jammy Huang Reviewed-by: Joel Stanley Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d183fe68360791638f53c129015d618130ca4f89 Author: Bingbu Cao Date: Thu Jan 13 01:18:48 2022 +0100 media: ov2740: identify module after subdev initialisation [ Upstream commit 54ade663d4bb606e23dbc4e0d49e2e9837dbb33f ] The module identifying will try to get the sub device data which will be ready after sub device initialisation, so if try to use the subdev data to deference the client will cause NULL pointer dereference, this patch move the module identification after v4l2_i2c_subdev_init() to fix this issue, it also fixes duplicate module idendification. Fixes: ada2c4f54d0a ("media: ov2740: support device probe in non-zero ACPI D state") Signed-off-by: Bingbu Cao Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5b3b0b7d6e2f5f87513c8d21213ce6245b21183b Author: Sakari Ailus Date: Mon Jan 10 17:16:51 2022 +0100 media: ov5648: Don't pack controls struct [ Upstream commit edd4fbff5378a8103470304809195dc8f4b1d42a ] Don't pack the driver specific struct containing control pointers. This lead to potential alignment issues when working with the pointers. Reported-by: kernel test robot Fixes: e43ccb0a045f ("media: i2c: Add support for the OV5648 image sensor") Reviewed-by: Paul Kocialkowski Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e745922a4018b7f2529d5ff128979d333d18cbcf Author: Sakari Ailus Date: Mon Jan 10 15:53:12 2022 +0100 media: v4l: Avoid unaligned access warnings when printing 4cc modifiers [ Upstream commit 24bb30c8c894ec7213ad810b46e2a6a4c12136c1 ] Pointers V4L2 pixelformat and dataformat fields in a few packed structs are directly passed to printk family of functions. This could result in an unaligned access albeit no such possibility appears to exist at the moment i.e. this clang warning appears to be a false positive. Address the warning by copying the pixelformat or dataformat value to a local variable first. Reported-by: kernel test robot Fixes: e927e1e0f0dd ("v4l: ioctl: Use %p4cc printk modifier to print FourCC codes") Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bd938c06c4968008027a58bdae5bdf6e4687d795 Author: Janusz Krzysztofik Date: Mon May 4 00:06:16 2020 +0200 media: ov6650: Fix set format try processing path [ Upstream commit 1f6f1e959a85ee999fbc86f4b094827f63194c7f ] According to subdevice interface specification found in V4L2 API documentation, set format pad operations should not affect image geometry set in preceding image processing steps. Unfortunately, that requirement is not respected by the driver implementation of set format as it was not the case when that code was still implementing a pair of now obsolete .s_mbus_fmt() / .try_mbus_fmt() video operations before they have been merged and reused as an implementation of .set_fmt() pad operation by commit 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt"). In case of set format active processing path the issue can be fixed easily by excluding a call to set active selection from that path. That will effectively limit frame size processing to optimal frame scaling against active crop rectangle without touching it. Users can just call set active selection themselves to obtain desired frame size. However, set format try processing path needs more work. First of all, the driver should be extended with set try selection support. Lack of it constraints video device drivers to not use subdevice cropping at all while processing user requested active frame size, otherwise their set try format results might differ from active. Next, set format try processing path should use pad config crop rectangle as a reference, not the active one as it does now. That issue can be resolved easily as soon as set try selection support is added to the driver so pad config crop rectangle can be maintained by users via selection API. Last, set format try processing path should give the same results as active in respect to active vs. pad config crop rectangle geometry. Both rectangles should be either not touched by set format (that's what we are going to achieve) or modified the same way, otherwise users won't be able to obtain equal results from both paths while iterating through set format and set selection operations in order to obtain desired frame size. We can't begin with modifying set format pad operation as not to touch crop rectangle since that depends on availability of set try selection for symmetry. Neither can we begin with adding set try selection since that in turn depends on equal handling of active and pad config crop rectangles by set format. We can either implement all required modifications in a single patch, or begin with fixing current set format try processing path to appropriately handle pad config crop rectangle. This patch implements the latter approach as believed to be more readable. Move crop rectangle adjustments code from a helper (the former implementation of .s_fmt(), now called from set format active processing path) to the body of set format pad operation function where it can be also used for processing try requests for symmetry with active ones. As the helper no longer processes frame geometry, only frame format and half scaling, simplify its API accordingly and update its users. Moreover, extract code that applies crop rectangle hardware limits (now a part of .set_selection() operation which is called from set format active processing path) to a new helper and call that helper from set format try processing path as well for symmetry with active. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 353d7db4a39319019488dc772835d7c74aa5fef8 Author: Chen-Yu Tsai Date: Fri Jan 7 10:34:49 2022 +0100 media: hantro: Fix overfill bottom register field name [ Upstream commit 89d78e0133e71ba324fb67ca776223fba4353418 ] The Hantro H1 hardware can crop off pixels from the right and bottom of the source frame. These are controlled with the H1_REG_IN_IMG_CTRL_OVRFLB and H1_REG_IN_IMG_CTRL_OVRFLR in the H1_REG_IN_IMG_CTRL register. The ChromeOS kernel driver that this was based on incorrectly added the _D4 suffix H1_REG_IN_IMG_CTRL_OVRFLB. This field crops the bottom of the input frame, and the number is _not_ divided by 4. [1] Correct the name to avoid confusion when crop support with the selection API is added. [1] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/ \ heads/chromeos-4.19/drivers/staging/media/hantro/hantro_h1_vp8_enc.c#377 Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") Fixes: a29add8c9bb2 ("media: rockchip/vpu: rename from rockchip to hantro") Signed-off-by: Chen-Yu Tsai Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 879ab4096ebf996e97a768b8fd8acae4a736cce7 Author: Jiasheng Jiang Date: Thu Jan 13 07:59:28 2022 +0100 media: meson: vdec: potential dereference of null pointer [ Upstream commit c8c80c996182239ff9b05eda4db50184cf3b2e99 ] As the possible failure of the kzalloc(), the 'new_ts' could be NULL pointer. Therefore, it should be better to check it in order to avoid the dereference of the NULL pointer. Also, the caller esparser_queue() needs to deal with the return value of the amvdec_add_ts(). Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance") Signed-off-by: Jiasheng Jiang Suggested-by: Neil Armstrong Reviewed-by: Neil Armstrong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6cb49f4ece0c1a9bfc413ea6d27b239f7e028d41 Author: Miaoqian Lin Date: Wed Jan 12 12:05:54 2022 +0100 media: coda: Fix missing put_device() call in coda_get_vdoa_data [ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format") Signed-off-by: Miaoqian Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3bba11801647202c40a1e9a4edf819970da1d4c4 Author: Dmitry Osipenko Date: Wed Dec 22 07:32:15 2021 +0300 memory: tegra20-emc: Correct memory device mask [ Upstream commit 9ff684342ee7d3ea2755c6e9b60bc43085baa3ad ] Memory chip select is swapped when we read mode register, correct it. We didn't have devices that use a single LPDDR chip and both chips are always identical, hence this change is just a minor improvement. Fixes: 131dd9a436d8 ("memory: tegra20-emc: Support matching timings by LPDDR2 configuration") Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20211222043215.28237-2-digetx@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit aba0a907c004f93a57e70181576b30458a9191b8 Author: Robert Hancock Date: Thu Jan 20 13:58:30 2022 -0600 ASoC: simple-card-utils: Set sysclk on all components [ Upstream commit ce2f7b8d4290c22e462e465d1da38a1c113ae66a ] If an mclk-fs value was provided in the device tree configuration, the calculated MCLK was fed into the downstream codec DAI and CPU DAI, however set_sysclk was not being called on the platform device. Some platform devices such as the Xilinx Audio Formatter need to know the MCLK as well. Call snd_soc_component_set_sysclk on each component in the stream to set the proper sysclk value in addition to the existing call of snd_soc_dai_set_sysclk on the codec DAI and CPU DAI. This may end up resulting in redundant calls if one of the snd_soc_dai_set_sysclk calls ends up calling snd_soc_component_set_sysclk itself, but that isn't expected to cause any significant harm. Fixes: f48dcbb6d47d ("ASoC: simple-card-utils: share asoc_simple_hw_param()") Signed-off-by: Robert Hancock Reviewed-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20220120195832.1742271-5-robert.hancock@calian.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2091de10a1ffc3b76a527e90d5399d15fca0a8ce Author: Robert Hancock Date: Thu Jan 20 13:58:27 2022 -0600 ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting [ Upstream commit 1c5091fbe7e0d0804158200b7feac5123f7b4fbd ] This driver did not set the MM2S Fs Multiplier Register to the proper value for playback streams. This needs to be set to the sample rate to MCLK multiplier, or random stream underflows can occur on the downstream I2S transmitter. Store the sysclk value provided via the set_sysclk callback and use that in conjunction with the sample rate in the hw_params callback to calculate the proper value to set for this register. Fixes: 6f6c3c36f091 ("ASoC: xlnx: add pcm formatter platform driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220120195832.1742271-2-robert.hancock@calian.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0e46a690428925ec7daf946891f0becd4d178e35 Author: Jiasheng Jiang Date: Sat Jan 22 01:10:31 2022 +0800 ASoC: codecs: Check for error pointer after calling devm_regmap_init_mmio [ Upstream commit aa505ecccf2ae7546e0e262d574e18a9241f3005 ] Since the potential failure of the devm_regmap_init_mmio(), it will return error pointer and be assigned to the regmap. Then the error pointer will be dereferenced. For example rx->regmap will be used in rx_macro_mclk_enable(). Therefore, it should be better to check it. Fixes: af3d54b99764 ("ASoC: codecs: lpass-rx-macro: add support for lpass rx macro") Fixes: c39667ddcfc5 ("ASoC: codecs: lpass-tx-macro: add support for lpass tx macro") Fixes: 809bcbcecebf ("ASoC: codecs: lpass-wsa-macro: Add support to WSA Macro") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220121171031.2826198-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6420c93b08ace40f2b27926952245509c41fc4c1 Author: Lad Prabhakar Date: Mon Jan 10 09:47:07 2022 +0000 ASoC: sh: rz-ssi: Drop calling rz_ssi_pio_recv() recursively [ Upstream commit 6570f991582e32b7992601d0497c61962a2c5dcc ] Instead of recursively calling rz_ssi_pio_recv() use a while loop to read the samples from RX fifo. This also fixes an issue where the return value of rz_ssi_pio_recv() was ignored when called recursively. Fixes: 03e786bd4341 ("ASoC: sh: Add RZ/G2L SSIF-2 driver") Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Biju Das Link: https://lore.kernel.org/r/20220110094711.8574-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1dacd9c19d4e8d81d58bd2bd5fdab451ccced990 Author: Eugen Hristev Date: Mon Dec 13 14:49:23 2021 +0100 media: atmel: atmel-sama7g5-isc: fix ispck leftover [ Upstream commit 1b52ce99e9f2dcda868a1a7026bfb58d04bd6bc8 ] The ispck is not used for sama7g5 variant of the ISC. Calls to ispck have to be removed also from module insert/removal. Fixes: d7f26849ed7c ("media: atmel: fix the ispck initialization") Signed-off-by: Eugen Hristev Reviewed-by: Jacopo Mondi Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 506769d5a3beffc9b6dfbe060d473d988c0cb60c Author: Ondrej Zary Date: Sat Dec 25 22:58:44 2021 +0100 media: bttv: fix WARNING regression on tunerless devices [ Upstream commit ef058cc8b7193d15a771272359c7454839ae74ee ] Commit 2161536516ed ("media: media/pci: set device_caps in struct video_device") introduced a regression: V4L2_CAP_TUNER is always present in device_caps, even when the device has no tuner. This causes a warning: WARNING: CPU: 0 PID: 249 at drivers/media/v4l2-core/v4l2-ioctl.c:1102 v4l_querycap+0xa0/0xb0 [videodev] Fixes: 2161536516ed ("media: media/pci: set device_caps in struct video_device") Signed-off-by: Ondrej Zary Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit efac3af1b53e6a793fe258b1204526f0e581c901 Author: Martin Kepplinger Date: Thu Dec 16 10:03:36 2021 +0100 media: imx: imx8mq-mipi_csi2: fix system resume [ Upstream commit f0c2ba1ed4ad868331d8c6ea9119669a729b01a9 ] during system resume, interconnect bandwidth would currently be requested even though the device is runtime suspended. This leaves the system in an unbalanced state. Fix that by only doing that in runtimem pm and splitting up runtime and system suspend to be a more readable: imx8mq_mipi_csi_pm_*() does the generic things called from system- and runtime functions that each do specific things on top. Fixes: f33fd8d77dd0 ("media: imx: add a driver for i.MX8MQ mipi csi rx phy and controller") Signed-off-by: Martin Kepplinger Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ec51f0ac79e0d5a01c30171f06068756ecef4630 Author: Martin Kepplinger Date: Thu Dec 16 10:03:35 2021 +0100 media: imx: imx8mq-mipi-csi2: remove wrong irq config write operation [ Upstream commit 59c2b6d51803ad6b7af28f2a60a843b24374e692 ] The place where this register writel() that masks one interrupt is placed does not guarantee that the device is powered so that's not allowed. Moreover imx8mq_mipi_csi_start_stream() masks the interrupt anyway so the write is not even needed. Remove it as this is a mistake that slipped in with the driver. Fixes: f33fd8d77dd0 ("media: imx: add a driver for i.MX8MQ mipi csi rx phy and controller") Signed-off-by: Martin Kepplinger Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0aeb244eb2fddbbc34f2227cf3fd85c86e111c9a Author: Jiasheng Jiang Date: Wed Dec 15 06:21:57 2021 +0100 media: mtk-vcodec: potential dereference of null pointer [ Upstream commit e25a89f743b18c029bfbe5e1663ae0c7190912b0 ] The return value of devm_kzalloc() needs to be checked. To avoid use of null pointer in case of thefailure of alloc. Fixes: 46233e91fa24 ("media: mtk-vcodec: move firmware implementations into their own files") Signed-off-by: Jiasheng Jiang Reviewed-by: Tzung-Bi Shih Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3c6ec01525254e4489c6e60df2a8c48ee81f6f78 Author: Chen-Yu Tsai Date: Thu Dec 9 17:38:03 2021 +0100 media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls [ Upstream commit 8310ca94075e784bbb06593cd6c068ee6b6e4ca6 ] DST_QUEUE_OFF_BASE is applied to offset/mem_offset on MMAP capture buffers only for the VIDIOC_QUERYBUF ioctl, while the userspace fields (including offset/mem_offset) are filled in for VIDIOC_{QUERY,PREPARE,Q,DQ}BUF ioctls. This leads to differences in the values presented to userspace. If userspace attempts to mmap the capture buffer directly using values from DQBUF, it will fail. Move the code that applies the magic offset into a helper, and call that helper from all four ioctl entry points. [hverkuil: drop unnecessary '= 0' in v4l2_m2m_querybuf() for ret] Fixes: 7f98639def42 ("V4L/DVB: add memory-to-memory device helper framework for videobuf") Fixes: 908a0d7c588e ("[media] v4l: mem2mem: port to videobuf2") Signed-off-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d4d111e26c8da4d16e2f05bb97c0a63007ce06bc Author: Laurent Pinchart Date: Fri Jun 25 04:26:35 2021 +0200 media: staging: media: imx: imx7-mipi-csis: Make subdev name unique [ Upstream commit 5be7f8c91d25089be847a71b336c13b5bb0db772 ] When multiple CSIS instances are present in a single graph, they are currently all named "imx7-mipi-csis.0", which breaks the entity name uniqueness requirement. Fix it by using the device name to create the subdev name. Fixes: 7807063b862b ("media: staging/imx7: add MIPI CSI-2 receiver subdev for i.MX7") Signed-off-by: Laurent Pinchart Reviewed-by: Rui Miguel Silva Reviewed-by: Sakari Ailus Reviewed-by: Jerome Brunet Tested-by: Jerome Brunet # On i.MX8MP Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a5e400961ef0038f71d226405a73321233395ca3 Author: Jonathan Marek Date: Wed Dec 22 01:37:45 2021 +0100 media: camss: vfe-170: fix "VFE halt timeout" error [ Upstream commit 1ce8c48b06f249a9739e36c5d56883f6f49ce047 ] This function waits for halt_complete but doesn't do anything to cause it to complete, and always hits the "VFE halt timeout" error. Just delete this code for now. Fixes: 7319cdf189bb ("media: camss: Add support for VFE hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit bffe9effd00abfae3ff1b28c5550b35d3acc11ae Author: Jonathan Marek Date: Wed Dec 22 01:37:41 2021 +0100 media: camss: csid-170: set the right HALT_CMD when disabled [ Upstream commit ee780cd7be3b5608550bafe7d5f113db2140e99b ] Use the "HALT_CMD_RESUME_AT_FRAME_BOUNDARY" define instead of a "1" which is otherwise confusing, and add a "HALT_CMD_HALT_AT_FRAME_BOUNDARY" which is set when disabling. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8dc396eb0f88825390ff170e726509dadb432796 Author: Jonathan Marek Date: Wed Dec 22 01:37:38 2021 +0100 media: camss: csid-170: don't enable unused irqs [ Upstream commit a6da362491e409de0978d733441e59db6584d69f ] csid_isr() only checks for the reset irq, so enabling any other irqs doesn't make sense. The "RDI irq" comment is also wrong, the register should be CSID_CSI2_RDIN_IRQ_MASK. Without this fix there may be an excessive amount of irqs. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3e7ffb131106d494c346d8abc3aafb26225cc157 Author: Jonathan Marek Date: Wed Dec 22 01:37:37 2021 +0100 media: camss: csid-170: fix non-10bit formats [ Upstream commit 14d510e040f85ff05734fd6db8bae44b47886464 ] Use the decode_format/data_type from the "format" struct instead of a hardcoded 10-bit format. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d72dfffe7fcbd345083c43e1e70c464626c24db2 Author: Corentin Labbe Date: Tue Dec 14 17:16:29 2021 +0100 media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size [ Upstream commit 241f5b67fb48def58643f279dfb8468bdd54b443 ] vb2_dma_contig_set_max_seg_size need to have a size in parameter and not a DMA_BIT_MASK(). While fixing this issue, also fix error handling of all DMA size setting. Reported-by: kernel test robot Fixes: d4ae3689226e5 ("media: zoran: device support only 32bit DMA address") Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 597756073769ebc912fcb5aa0dbfad220484d033 Author: Sam Protsenko Date: Fri Jan 14 22:37:57 2022 +0200 pinctrl: samsung: Remove EINT handler for Exynos850 ALIVE and CMGP gpios [ Upstream commit 96f79935015cf3d7ca6fabf63cd13b8af45a7713 ] GPIO_ALIVE and GPIO_CMGP blocks in Exynos850 SoC don't have EINT capabilities (like EINT_SVC register), and there are no corresponding interrupts wired to GIC. Instead those blocks have wake-up interrupts for each pin. The ".eint_gpio_init" callbacks were specified by mistake for these blocks, when porting pinctrl code from downstream kernel. That leads to error messages like this: samsung-pinctrl 11850000.pinctrl: irq number not available Remove ".eint_gpio_init" for pinctrl_alive and pinctrl_gpmc to fix this error. This change doesn't affect proper interrupt handling for related pins, as all those pins are handled in ".eint_wkup_init". Fixes: cdd3d945dcec ("pinctrl: samsung: Add Exynos850 SoC specific data") Signed-off-by: Sam Protsenko Link: https://lore.kernel.org/r/20220114203757.4860-1-semen.protsenko@linaro.org Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 45b334190cfa8c5330031a8f3742dbd23d6076a7 Author: Peng Liu Date: Tue Mar 22 14:48:19 2022 -0700 kunit: make kunit_test_timeout compatible with comment [ Upstream commit bdd015f7b71b92c2e4ecabac689642cc72553e04 ] In function kunit_test_timeout, it is declared "300 * MSEC_PER_SEC" represent 5min. However, it is wrong when dealing with arm64 whose default HZ = 250, or some other situations. Use msecs_to_jiffies to fix this, and kunit_test_timeout will work as desired. Link: https://lkml.kernel.org/r/20220309083753.1561921-3-liupeng256@huawei.com Fixes: 5f3e06208920 ("kunit: test: add support for test abort") Signed-off-by: Peng Liu Reviewed-by: Marco Elver Reviewed-by: Daniel Latypov Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Wang Kefeng Cc: David Gow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d11c95216fab1813c29c965f6fbbcadab89164a9 Author: David Hildenbrand Date: Tue Mar 22 14:47:09 2022 -0700 drivers/base/memory: add memory block to memory group after registration succeeded [ Upstream commit 7ea0d2d79da09d1f7d71c96a9c9bc1b5229360b5 ] If register_memory() fails, we freed the memory block but already added the memory block to the group list, not good. Let's defer adding the block to the memory group to after registering the memory block device. We do handle it properly during unregister_memory(), but that's not called when the registration fails. Link: https://lkml.kernel.org/r/20220128144540.153902-1-david@redhat.com Fixes: 028fc57a1c36 ("drivers/base/memory: introduce "memory groups" to logically group memory blocks") Signed-off-by: David Hildenbrand Reviewed-by: Oscar Salvador Acked-by: Michal Hocko Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 8c88b263c9a2ed13e5bc71477fb2323ce394ca0f Author: Guillaume Tucker Date: Tue Mar 22 14:41:44 2022 -0700 selftests, x86: fix how check_cc.sh is being invoked [ Upstream commit ef696f93ed9778d570bd5ac58414421cdd4f1aab ] The $(CC) variable used in Makefiles could contain several arguments such as "ccache gcc". These need to be passed as a single string to check_cc.sh, otherwise only the first argument will be used as the compiler command. Without quotes, the $(CC) variable is passed as distinct arguments which causes the script to fail to build trivial programs. Fix this by adding quotes around $(CC) when calling check_cc.sh to pass the whole string as a single argument to the script even if it has several words such as "ccache gcc". Link: https://lkml.kernel.org/r/d0d460d7be0107a69e3c52477761a6fe694c1840.1646991629.git.guillaume.tucker@collabora.com Fixes: e9886ace222e ("selftests, x86: Rework x86 target architecture detection") Signed-off-by: Guillaume Tucker Tested-by: "kernelci.org bot" Reviewed-by: Guenter Roeck Cc: Shuah Khan Cc: Borislav Petkov Cc: Dave Hansen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit dd9ccff8c8980bf9ea7f25e83eeb28154f902920 Author: Shyam Prasad N Date: Tue Feb 15 13:55:40 2022 +0000 cifs: use a different reconnect helper for non-cifsd threads [ Upstream commit dca65818c80cf06e0f08ba2cf94060a5236e73c2 ] The cifs_demultiplexer_thread should only call cifs_reconnect. If any other thread wants to trigger a reconnect, they can do so by updating the server tcpStatus to CifsNeedReconnect. The last patch attempted to use the same helper function for both types of threads, but that causes other issues with lock dependencies. This patch creates a new helper for non-cifsd threads, that will indicate to cifsd that the server needs reconnect. Fixes: 2a05137a0575 ("cifs: mark sessions for reconnection in helper function") Signed-off-by: Shyam Prasad N Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 9fa8e3e691b344348651d8b1f52666be70138724 Author: Fengnan Chang Date: Fri Mar 18 09:23:04 2022 +0800 f2fs: fix compressed file start atomic write may cause data corruption [ Upstream commit 9b56adcf525522e9ffa52471260298d91fc1d395 ] When compressed file has blocks, f2fs_ioc_start_atomic_write will succeed, but compressed flag will be remained in inode. If write partial compreseed cluster and commit atomic write will cause data corruption. This is the reproduction process: Step 1: create a compressed file ,write 64K data , call fsync(), then the blocks are write as compressed cluster. Step2: iotcl(F2FS_IOC_START_ATOMIC_WRITE) --- this should be fail, but not. write page 0 and page 3. iotcl(F2FS_IOC_COMMIT_ATOMIC_WRITE) -- page 0 and 3 write as normal file, Step3: drop cache. read page 0-4 -- Since page 0 has a valid block address, read as non-compressed cluster, page 1 and 2 will be filled with compressed data or zero. The root cause is, after commit 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster"), in step 2, f2fs_write_begin() only set target page dirty, and in f2fs_commit_inmem_pages(), we will write partial raw pages into compressed cluster, result in corrupting compressed cluster layout. Fixes: 4c8ff7095bef ("f2fs: support data compression") Fixes: 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Fengnan Chang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 31000f7ad64afbf36cf3a0ae3d17b521b8390d8a Author: Dongliang Mu Date: Tue Mar 15 21:28:14 2022 +0800 fs: erofs: add sanity check for kobject in erofs_unregister_sysfs [ Upstream commit a942da24abc5839c11a8fc2a4b7cb268ea94ba54 ] Syzkaller hit 'WARNING: kobject bug in erofs_unregister_sysfs'. This bug is triggered by injecting fault in kobject_init_and_add of erofs_unregister_sysfs. Fix this by adding sanity check for kobject in erofs_unregister_sysfs Note that I've tested the patch and the crash does not occur any more. Link: https://lore.kernel.org/r/20220315132814.12332-1-dzm91@hust.edu.cn Signed-off-by: Dongliang Mu Fixes: 168e9a76200c ("erofs: add sysfs interface") Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit b6fe2ba6c344da83ea74be98864ef672791d8d1b Author: Matthew Wilcox (Oracle) Date: Wed Feb 9 20:21:22 2022 +0000 iomap: Fix iomap_invalidatepage tracepoint [ Upstream commit 1241ebeca3f94b417751cb3ff62454cefdac75bc ] This tracepoint is defined to take an offset in the file, not an offset in the folio. Fixes: 1ac994525b9d ("iomap: Remove pgoff from tracepoints") Signed-off-by: Matthew Wilcox (Oracle) Tested-by: Damien Le Moal Acked-by: Damien Le Moal Tested-by: Mike Marshall # orangefs Tested-by: David Howells # afs Signed-off-by: Sasha Levin commit 783ab5b8e289ebf4b3404ea94de90e63a5c1354e Author: Filipe Manana Date: Thu Feb 17 12:12:07 2022 +0000 btrfs: fix unexpected error path when reflinking an inline extent [ Upstream commit 1f4613cdbe7739ce291554b316bff8e551383389 ] When reflinking an inline extent, we assert that its file offset is 0 and that its uncompressed length is not greater than the sector size. We then return an error if one of those conditions is not satisfied. However we use a return statement, which results in returning from btrfs_clone() without freeing the path and buffer that were allocated before, as well as not clearing the flag BTRFS_INODE_NO_DELALLOC_FLUSH for the destination inode. Fix that by jumping to the 'out' label instead, and also add a WARN_ON() for each condition so that in case assertions are disabled, we get to known which of the unexpected conditions triggered the error. Fixes: a61e1e0df9f321 ("Btrfs: simplify inline extent handling when doing reflinks") Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 06f6c6fc8355fe9f1c1ef2077200f2d4c23a2176 Author: Chao Yu Date: Thu Jan 27 13:44:49 2022 +0800 f2fs: fix to avoid potential deadlock [ Upstream commit 344150999b7fc88502a65bbb147a47503eca2033 ] Quoted from Jing Xia's report, there is a potential deadlock may happen between kworker and checkpoint as below: [T:writeback] [T:checkpoint] - wb_writeback - blk_start_plug bio contains NodeA was plugged in writeback threads - do_writepages -- sync write inodeB, inc wb_sync_req[DATA] - f2fs_write_data_pages - f2fs_write_single_data_page -- write last dirty page - f2fs_do_write_data_page - set_page_writeback -- clear page dirty flag and PAGECACHE_TAG_DIRTY tag in radix tree - f2fs_outplace_write_data - f2fs_update_data_blkaddr - f2fs_wait_on_page_writeback -- wait NodeA to writeback here - inode_dec_dirty_pages - writeback_sb_inodes - writeback_single_inode - do_writepages - f2fs_write_data_pages -- skip writepages due to wb_sync_req[DATA] - wbc->pages_skipped += get_dirty_pages() -- PAGECACHE_TAG_DIRTY is not set but get_dirty_pages() returns one - requeue_inode -- requeue inode to wb->b_dirty queue due to non-zero.pages_skipped - blk_finish_plug Let's try to avoid deadlock condition by forcing unplugging previous bio via blk_finish_plug(current->plug) once we'v skipped writeback in writepages() due to valid sbi->wb_sync_req[DATA/NODE]. Fixes: 687de7f1010c ("f2fs: avoid IO split due to mixed WB_SYNC_ALL and WB_SYNC_NONE") Signed-off-by: Zhiguo Niu Signed-off-by: Jing Xia Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit feedbfeb225c034043fd8a873d4cc44141d88c56 Author: Valentin Schneider Date: Thu Jan 27 15:40:59 2022 +0000 sched/rt: Plug rt_mutex_setprio() vs push_rt_task() race [ Upstream commit 49bef33e4b87b743495627a529029156c6e09530 ] John reported that push_rt_task() can end up invoking find_lowest_rq(rq->curr) when curr is not an RT task (in this case a CFS one), which causes mayhem down convert_prio(). This can happen when current gets demoted to e.g. CFS when releasing an rt_mutex, and the local CPU gets hit with an rto_push_work irqwork before getting the chance to reschedule. Exactly who triggers this work isn't entirely clear to me - switched_from_rt() only invokes rt_queue_pull_task() if there are no RT tasks on the local RQ, which means the local CPU can't be in the rto_mask. My current suspected sequence is something along the lines of the below, with the demoted task being current. mark_wakeup_next_waiter() rt_mutex_adjust_prio() rt_mutex_setprio() // deboost originally-CFS task check_class_changed() switched_from_rt() // Only rt_queue_pull_task() if !rq->rt.rt_nr_running switched_to_fair() // Sets need_resched __balance_callbacks() // if pull_rt_task(), tell_cpu_to_push() can't select local CPU per the above raw_spin_rq_unlock(rq) // need_resched is set, so task_woken_rt() can't // invoke push_rt_tasks(). Best I can come up with is // local CPU has rt_nr_migratory >= 2 after the demotion, so stays // in the rto_mask, and then: push_rt_task() // breakage follows here as rq->curr is CFS Move an existing check to check rq->curr vs the next pushable task's priority before getting anywhere near find_lowest_rq(). While at it, add an explicit sched_class of rq->curr check prior to invoking find_lowest_rq(rq->curr). Align the DL logic to also reschedule regardless of next_task's migratability. Fixes: a7c81556ec4d ("sched: Fix migrate_disable() vs rt/dl balancing") Reported-by: John Keeping Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Tested-by: John Keeping Link: https://lore.kernel.org/r/20220127154059.974729-1-valentin.schneider@arm.com Signed-off-by: Sasha Levin commit ccd5b65aeea993b742f31893b868b5eaf08fbeec Author: Chengming Zhou Date: Sun Feb 20 13:14:24 2022 +0800 sched/cpuacct: Fix charge percpu cpuusage [ Upstream commit 248cc9993d1cc12b8e9ed716cc3fc09f6c3517dd ] The cpuacct_account_field() is always called by the current task itself, so it's ok to use __this_cpu_add() to charge the tick time. But cpuacct_charge() maybe called by update_curr() in load_balance() on a random CPU, different from the CPU on which the task is running. So __this_cpu_add() will charge that cputime to a random incorrect CPU. Fixes: 73e6aafd9ea8 ("sched/cpuacct: Simplify the cpuacct code") Reported-by: Minye Zhu Signed-off-by: Chengming Zhou Signed-off-by: Peter Zijlstra (Intel) Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20220220051426.5274-1-zhouchengming@bytedance.com Signed-off-by: Sasha Levin commit 252b3ef9ec600dcfdce0c91a32cac2ec0e56ef74 Author: Amir Goldstein Date: Thu Feb 24 18:17:05 2022 +0200 nfsd: more robust allocation failure handling in nfsd_file_cache_init [ Upstream commit 4d2eeafecd6c83b4444db3dc0ada201c89b1aa44 ] The nfsd file cache table can be pretty large and its allocation may require as many as 80 contigious pages. Employ the same fix that was employed for similar issue that was reported for the reply cache hash table allocation several years ago by commit 8f97514b423a ("nfsd: more robust allocation failure handling in nfsd_reply_cache_init"). Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd") Link: https://lore.kernel.org/linux-nfs/e3cdaeec85a6cfec980e87fc294327c0381c1778.camel@kernel.org/ Suggested-by: Jeff Layton Signed-off-by: Amir Goldstein Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Tested-by: Amir Goldstein Signed-off-by: Sasha Levin commit e0c4acb75ec6afeb93656b9cd4ef6d89400f2190 Author: Lukas Czerner Date: Tue Feb 1 14:13:45 2022 +0100 ext4: fix remount with 'abort' option [ Upstream commit e3952fcce1aad934f1322843b564ff86256444b2 ] After commit 6e47a3cc68fc ("ext4: get rid of super block and sbi from handle_mount_ops()") the 'abort' options stopped working. This is because we're using ctx_set_mount_flags() helper that's expecting an argument with the approp