commit 73be23491df081be0311e65c7744c9f1ec6ad412 Author: Greg Kroah-Hartman Date: Fri Apr 8 14:06:58 2022 +0200 Linux 5.16.19 Link: https://lore.kernel.org/r/20220405070354.155796697@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Jon Hunter Tested-by: Jon Hunter Tested-by: Ron Economos Tested-by: Linux Kernel Functional Testing Tested-by: Fox Chen Tested-by: Bagas Sanjaya Link: https://lore.kernel.org/r/20220406133109.570377390@linuxfoundation.org Tested-by: Jon Hunter Tested-by: Shuah Khan Tested-by: Florian Fainelli Tested-by: Fox Chen Tested-by: Linux Kernel Functional Testing Tested-by: Bagas Sanjaya Tested-by: Ron Economos Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit acce682b0ae435f26f8b8e64148b76518a2970db Author: Marc Zyngier Date: Mon Mar 21 10:48:42 2022 +0000 PCI: xgene: Revert "PCI: xgene: Use inbound resources for setup" commit 1874b6d7ab1bdc900e8398026350313ac29caddb upstream. Commit 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") killed PCIe on my XGene-1 box (a Mustang board). The machine itself is still alive, but half of its storage (over NVMe) is gone, and the NVMe driver just times out. Note that this machine boots with a device tree provided by the UEFI firmware (2016 vintage), which could well be non conformant with the spec, hence the breakage. With the patch reverted, the box boots 5.17-rc8 with flying colors. Link: https://lore.kernel.org/all/Yf2wTLjmcRj+AbDv@xps13.dannf Link: https://lore.kernel.org/r/20220321104843.949645-2-maz@kernel.org Fixes: 6dce5aa59e0b ("PCI: xgene: Use inbound resources for setup") Signed-off-by: Marc Zyngier Signed-off-by: Lorenzo Pieralisi Cc: stable@vger.kernel.org Cc: Rob Herring Cc: Toan Le Cc: Lorenzo Pieralisi Cc: Krzysztof Wilczyński Cc: Bjorn Helgaas Cc: Stéphane Graber Cc: dann frazier [dannf: minor context adjustment] Signed-off-by: dann frazier Signed-off-by: Greg Kroah-Hartman commit c8015981eaa5bd8901a145c8d1253592a5619d2b Author: Eric W. Biederman Date: Tue Mar 8 13:04:19 2022 -0600 coredump: Use the vma snapshot in fill_files_note commit 390031c942116d4733310f0684beb8db19885fe6 upstream. Matthew Wilcox reported that there is a missing mmap_lock in file_files_note that could possibly lead to a user after free. Solve this by using the existing vma snapshot for consistency and to avoid the need to take the mmap_lock anywhere in the coredump code except for dump_vma_snapshot. Update the dump_vma_snapshot to capture vm_pgoff and vm_file that are neeeded by fill_files_note. Add free_vma_snapshot to free the captured values of vm_file. Reported-by: Matthew Wilcox Link: https://lkml.kernel.org/r/20220131153740.2396974-1-willy@infradead.org Cc: stable@vger.kernel.org Fixes: a07279c9a8cd ("binfmt_elf, binfmt_elf_fdpic: use a VMA list snapshot") Fixes: 2aa362c49c31 ("coredump: extend core dump note section to contain file names of mapped files") Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 76dadd51249fc4ec41ffafcd3fa6a083e86f2b45 Author: Eric W. Biederman Date: Mon Jan 31 12:17:38 2022 -0600 coredump/elf: Pass coredump_params into fill_note_info commit 9ec7d3230717b4fe9b6c7afeb4811909c23fa1d7 upstream. Instead of individually passing cprm->siginfo and cprm->regs into fill_note_info pass all of struct coredump_params. This is preparation to allow fill_files_note to use the existing vma snapshot. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit fea73e1a48018fac124629f953d60d0b4d90d1eb Author: Eric W. Biederman Date: Tue Mar 8 13:01:19 2022 -0600 coredump: Remove the WARN_ON in dump_vma_snapshot commit 49c1866348f364478a0c4d3dd13fd08bb82d3a5b upstream. The condition is impossible and to the best of my knowledge has never triggered. We are in deep trouble if that conditions happens and we walk past the end of our allocated array. So delete the WARN_ON and the code that makes it look like the kernel can handle the case of walking past the end of it's vma_meta array. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 45bdff9c94adfeaf4c7d416286ea1313b2bfb3e8 Author: Eric W. Biederman Date: Tue Mar 8 12:55:29 2022 -0600 coredump: Snapshot the vmas in do_coredump commit 95c5436a4883841588dae86fb0b9325f47ba5ad3 upstream. Move the call of dump_vma_snapshot and kvfree(vma_meta) out of the individual coredump routines into do_coredump itself. This makes the code less error prone and easier to maintain. Make the vma snapshot available to the coredump routines in struct coredump_params. This makes it easier to change and update what is captures in the vma snapshot and will be needed for fixing fill_file_notes. Reviewed-by: Jann Horn Reviewed-by: Kees Cook Signed-off-by: "Eric W. Biederman" Signed-off-by: Greg Kroah-Hartman commit 9a611c57530050dc359a83177c2f97678b1f961e Author: Paolo Bonzini Date: Tue Mar 29 12:56:24 2022 -0400 KVM: x86/mmu: do compare-and-exchange of gPTE via the user address commit 2a8859f373b0a86f0ece8ec8312607eacf12485d upstream. FNAME(cmpxchg_gpte) is an inefficient mess. It is at least decent if it can go through get_user_pages_fast(), but if it cannot then it tries to use memremap(); that is not just terribly slow, it is also wrong because it assumes that the VM_PFNMAP VMA is contiguous. The right way to do it would be to do the same thing as hva_to_pfn_remapped() does since commit add6a0cd1c5b ("KVM: MMU: try to fix up page faults before giving up", 2016-07-05), using follow_pte() and fixup_user_fault() to determine the correct address to use for memremap(). To do this, one could for example extract hva_to_pfn() for use outside virt/kvm/kvm_main.c. But really there is no reason to do that either, because there is already a perfectly valid address to do the cmpxchg() on, only it is a userspace address. That means doing user_access_begin()/user_access_end() and writing the code in assembly to handle exceptions correctly. Worse, the guest PTE can be 8-byte even on i686 so there is the extra complication of using cmpxchg8b to account for. But at least it is an efficient mess. (Thanks to Linus for suggesting improvement on the inline assembly). Reported-by: Qiuhao Li Reported-by: Gaoning Pan Reported-by: Yongkang Jia Reported-by: syzbot+6cde2282daa792c49ab8@syzkaller.appspotmail.com Debugged-by: Tadeusz Struk Tested-by: Maxim Levitsky Cc: stable@vger.kernel.org Fixes: bd53cb35a3e9 ("X86/KVM: Handle PFNs outside of kernel reach when touching GPTEs") Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 99a0c17db205e6fdca25441dda586d58d1993cdb Author: Ulf Hansson Date: Tue Mar 1 12:53:00 2022 +0100 mmc: rtsx: Fix build errors/warnings for unused variable commit 3dd9a926ec2308e49445f22abef149fc64e9332e upstream. The struct device *dev, is no longer needed at various functions, let's therefore drop it to fix the build errors/warnings. Fixes: 7570fb41e450 ("mmc: rtsx: Let MMC core handle runtime PM") Cc: Kai-Heng Feng Reported-by: kernel test robot Signed-off-by: Ulf Hansson Link: https://lore.kernel.org/r/20220301115300.64332-1-ulf.hansson@linaro.org Signed-off-by: Greg Kroah-Hartman commit 1016d5af150630b8f9e0680d045b0a4cdf67cc62 Author: Kai-Heng Feng Date: Wed Feb 16 13:54:31 2022 +0800 mmc: rtsx: Let MMC core handle runtime PM commit 7570fb41e450ba37bf9335fe3751fa9f502c30fa upstream. Since MMC core handles runtime PM reference counting, we can avoid doing redundant runtime PM work in the driver. That means the only thing commit 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") misses is to always enable runtime PM, to let its parent driver enable ASPM in the runtime idle routine. Fixes: 7499b529d97f ("mmc: rtsx: Use pm_runtime_{get,put}() to handle runtime PM") Reviewed-by: Ulf Hansson Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20220216055435.2335297-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman commit 24781c1b691c60c42748c669973d567a90573337 Author: Jens Axboe Date: Sat Apr 2 11:40:23 2022 -0600 Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()" commit 7198bfc2017644c6b92d2ecef9b8b8e0363bb5fd upstream. This reverts commit 6d35d04a9e18990040e87d2bbf72689252669d54. Both Gabriel and Borislav report that this commit casues a regression with nbd: sysfs: cannot create duplicate filename '/dev/block/43:0' Revert it before 5.18-rc1 and we'll investigage this separately in due time. Link: https://lore.kernel.org/all/YkiJTnFOt9bTv6A2@zn.tnic/ Reported-by: Gabriel L. Somlo Reported-by: Borislav Petkov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4e89152183268c3ac770c7c30cfbc3bb14fb1b92 Author: Jackie Liu Date: Mon Mar 21 15:12:16 2022 +0800 n64cart: convert bi_disk to bi_bdev->bd_disk fix build commit b2479de38d8fc7ef13d5c78ff5ded6e5a1a4eac0 upstream. My kernel robot report below: drivers/block/n64cart.c: In function ‘n64cart_submit_bio’: drivers/block/n64cart.c:91:26: error: ‘struct bio’ has no member named ‘bi_disk’ 91 | struct device *dev = bio->bi_disk->private_data; | ^~ CC drivers/slimbus/qcom-ctrl.o CC drivers/auxdisplay/hd44780.o CC drivers/watchdog/watchdog_core.o CC drivers/nvme/host/fault_inject.o AR drivers/accessibility/braille/built-in.a make[2]: *** [scripts/Makefile.build:288: drivers/block/n64cart.o] Error 1 Fixes: 309dca309fc3 ("block: store a block_device pointer in struct bio"); Reported-by: k2ci Signed-off-by: Jackie Liu Reviewed-by: Chaitanya Kulkarni Link: https://lore.kernel.org/r/20220321071216.1549596-1-liu.yun@linux.dev Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 4ea7e8a97df10c1962c29518e82fe84d1a8d1eca Author: Paul E. McKenney Date: Thu Jan 27 09:39:15 2022 -0800 torture: Make torture.sh help message match reality commit f233673cd32a048f2eed69e56b61174c33fb740b upstream. This commit fixes a couple of typos: s/--doall/--do-all/ and s/--doallmodconfig/--do-allmodconfig/. [ paulmck: Add Fixes: supplied by Paul Menzel. ] Fixes: a115a775a8d5 ("torture: Add "make allmodconfig" to torture.sh") Reported-by: Paul Menzel Signed-off-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 49dcbfe455fcd36701d329e492b693effb6ca68c Author: Martin Varghese Date: Mon Mar 28 11:11:48 2022 +0530 openvswitch: Fixed nd target mask field in the flow dump. commit f19c44452b58a84d95e209b847f5495d91c9983a upstream. IPv6 nd target mask was not getting populated in flow dump. In the function __ovs_nla_put_key the icmp code mask field was checked instead of icmp code key field to classify the flow as neighbour discovery. ufid:bdfbe3e5-60c2-43b0-a5ff-dfcac1c37328, recirc_id(0),dp_hash(0/0), skb_priority(0/0),in_port(ovs-nm1),skb_mark(0/0),ct_state(0/0), ct_zone(0/0),ct_mark(0/0),ct_label(0/0), eth(src=00:00:00:00:00:00/00:00:00:00:00:00, dst=00:00:00:00:00:00/00:00:00:00:00:00), eth_type(0x86dd), ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no), icmpv6(type=135,code=0), nd(target=2001::2/::, sll=00:00:00:00:00:00/00:00:00:00:00:00, tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:10, bytes:860, used:0.504s, dp:ovs, actions:ovs-nm2 Fixes: e64457191a25 (openvswitch: Restructure datapath.c and flow.c) Signed-off-by: Martin Varghese Link: https://lore.kernel.org/r/20220328054148.3057-1-martinvarghesenokia@gmail.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 973789b0dd990a5abf642e24e85a155af01cc09c Author: Eli Cohen Date: Mon Mar 21 16:13:03 2022 +0200 vdpa/mlx5: Avoid processing works if workqueue was destroyed commit ad6dc1daaf29f97f23cc810d60ee01c0e83f4c6b upstream. If mlx5_vdpa gets unloaded while a VM is running, the workqueue will be destroyed. However, vhost might still have reference to the kick function and might attempt to push new works. This could lead to null pointer dereference. To fix this, set mvdev->wq to NULL just before destroying and verify that the workqueue is not NULL in mlx5_vdpa_kick_vq before attempting to push a new work. Fixes: 5262912ef3cf ("vdpa/mlx5: Add support for control VQ and MAC setting") Signed-off-by: Eli Cohen Link: https://lore.kernel.org/r/20220321141303.9586-1-elic@nvidia.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 4c6f219dcee86a067b4317963c7f2cc373ff6897 Author: Maciej Fijalkowski Date: Mon Mar 28 16:21:23 2022 +0200 ice: xsk: Fix indexing in ice_tx_xsk_pool() commit 1ac2524de7b366633fc336db6c94062768d0ab03 upstream. Ice driver tries to always create XDP rings array to be num_possible_cpus() sized, regardless of user's queue count setting that can be changed via ethtool -L for example. Currently, ice_tx_xsk_pool() calculates the qid by decrementing the ring->q_index by the count of XDP queues, but ring->q_index is set to 'i + vsi->alloc_txq'. When user did ethtool -L $IFACE combined 1, alloc_txq is 1, but vsi->num_xdp_txq is still num_possible_cpus(). Then, ice_tx_xsk_pool() will do OOB access and in the final result ring would not get xsk_pool pointer assigned. Then, each ice_xsk_wakeup() call will fail with error and it will not be possible to get into NAPI and do the processing from driver side. Fix this by decrementing vsi->alloc_txq instead of vsi->num_xdp_txq from ring-q_index in ice_tx_xsk_pool() so the calculation is reflected to the setting of ring->q_index. Fixes: 22bf877e528f ("ice: introduce XDP_TX fallback path") Signed-off-by: Maciej Fijalkowski Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220328142123.170157-5-maciej.fijalkowski@intel.com Signed-off-by: Greg Kroah-Hartman commit 607a6b6c4007ce4995f3a3ecff402da0b11d936c Author: Magnus Karlsson Date: Mon Mar 28 16:21:20 2022 +0200 xsk: Do not write NULL in SW ring at allocation failure commit a95a4d9b39b0324402569ed7395aae59b8fd2b11 upstream. For the case when xp_alloc_batch() is used but the batched allocation cannot be used, there is a slow path that uses the non-batched xp_alloc(). When it fails to allocate an entry, it returns NULL. The current code wrote this NULL into the entry of the provided results array (pointer to the driver SW ring usually) and returned. This might not be what the driver expects and to make things simpler, just write successfully allocated xdp_buffs into the SW ring,. The driver might have information in there that is still important after an allocation failure. Note that at this point in time, there are no drivers using xp_alloc_batch() that could trigger this slow path. But one might get added. Fixes: 47e4075df300 ("xsk: Batched buffer allocation for the pool") Signed-off-by: Magnus Karlsson Signed-off-by: Alexei Starovoitov Link: https://lore.kernel.org/bpf/20220328142123.170157-2-maciej.fijalkowski@intel.com Signed-off-by: Greg Kroah-Hartman commit 9eff62b7b8ae0e322897aa54f23b615f90d99084 Author: Guilherme G. Piccoli Date: Wed Mar 23 16:07:03 2022 -0700 docs: sysctl/kernel: add missing bit to panic_print commit a1ff1de00db21ecb956213f046b79741b64c6b65 upstream. Patch series "Some improvements on panic_print". This is a mix of a documentation fix with some additions to the "panic_print" syscall / parameter. The goal here is being able to collect all CPUs backtraces during a panic event and also to enable "panic_print" in a kdump event - details of the reasoning and design choices in the patches. This patch (of 3): Commit de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") added a new bit to the sysctl/kernel parameter "panic_print", but the documentation was added only in kernel-parameters.txt, not in the sysctl guide. Fix it here by adding bit 5 to sysctl admin-guide documentation. [rdunlap@infradead.org: fix table format warning] Link: https://lkml.kernel.org/r/20220109055635.6999-1-rdunlap@infradead.org Link: https://lkml.kernel.org/r/20211109202848.610874-1-gpiccoli@igalia.com Link: https://lkml.kernel.org/r/20211109202848.610874-2-gpiccoli@igalia.com Fixes: de6da1e8bcf0 ("panic: add an option to replay all the printk message in buffer") Signed-off-by: Guilherme G. Piccoli Reviewed-by: Feng Tang Cc: Luis Chamberlain Cc: Kees Cook Cc: Iurii Zaikin Cc: Samuel Iglesias Gonsalvez Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 99d371638a5dbf6cdb877e34bc86e0d1338d3308 Author: Anton Ivanov Date: Tue Feb 22 12:44:10 2022 +0000 um: Fix uml_mconsole stop/go commit 1a3a6a2a035bb6c3a7ef4c788d8fd69a7b2d6284 upstream. Moving to an EPOLL based IRQ controller broke uml_mconsole stop/go commands. This fixes it and restores stop/go functionality. Fixes: ff6a17989c08 ("Epoll based IRQ controller") Signed-off-by: Anton Ivanov Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 7d933bb27a13fbe74dc3dfe4b2c04ec20e9764a4 Author: Kuldeep Singh Date: Sat Mar 26 09:53:12 2022 +0530 arm64: dts: ls1046a: Update i2c node dma properties commit eeeb4f1075d71d67083c75f69247206e9b3d9f4a upstream. Reorder dmas and dma-names properties for i2c controller node to make it compliant with bindings. Fixes: 8126d88162a5 ("arm64: dts: add QorIQ LS1046A SoC support") Signed-off-by: Kuldeep Singh CC: soc@kernel.org Link: https://lore.kernel.org/r/20220326042313.97862-5-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit 93b22d99869eb4060c2b80a9270de08f220e25e2 Author: Kuldeep Singh Date: Sat Mar 26 09:53:11 2022 +0530 arm64: dts: ls1043a: Update i2c dma properties commit aa4df840d1c5eab2bb33695efe4409b3e5526749 upstream. Reorder dmas and dma-names properties for i2c controller node to make it compliant with bindings. Fixes: 6d453cd22357 ("arm64: dts: add Freescale LS1043a SoC support") Signed-off-by: Kuldeep Singh CC: soc@kernel.org Link: https://lore.kernel.org/r/20220326042313.97862-4-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit ff19c77c86cdca08fe4fab0134dd5e43b715669a Author: Kuldeep Singh Date: Sat Mar 26 09:53:09 2022 +0530 ARM: dts: spear13xx: Update SPI dma properties commit 31d3687d6017c7ce6061695361598d9cda70807a upstream. Reorder dmas and dma-names property for spi controller node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-2-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit fb4e21153be1a70977b91951218a9c6114b65e18 Author: Kuldeep Singh Date: Sat Mar 26 09:53:10 2022 +0530 ARM: dts: spear1340: Update serial node properties commit 583d6b0062640def86f3265aa1042ecb6672516e upstream. Reorder dma and dma-names property for serial node to make it compliant with bindings. Fixes: 6e8887f60f60 ("ARM: SPEAr13xx: Pass generic DW DMAC platform data from DT") Signed-off-by: Kuldeep Singh Acked-by: Viresh Kumar Link: https://lore.kernel.org/r/20220326042313.97862-3-singh.kuldeep87k@gmail.com' Signed-off-by: Arnd Bergmann Signed-off-by: Greg Kroah-Hartman commit cac80d02947da3aebab5e4efa0f2743ea9c66bd4 Author: Leilk Liu Date: Tue Mar 15 11:24:06 2022 +0800 spi: mediatek: support tick_delay without enhance_timing commit 03b1be379dcee2e9c866c2a455a1a4a9581b3efd upstream. this patch support tick_delay bit[31:30] without enhance_timing feature. Fixes: f84d866ab43f("spi: mediatek: add tick_delay support") Signed-off-by: Leilk Liu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220315032411.2826-2-leilk.liu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 921e6298919a875c7f9b732121bd630668a97ac5 Author: Guodong Liu Date: Wed Feb 16 11:21:24 2022 +0800 pinctrl: canonical rsel resistance selection property commit 7966c5051fc7d52425155ab30ad568d9d97f3b02 upstream. Change "mediatek,rsel_resistance_in_si_unit" to "mediatek,rsel-resistance-in-si-unit" Fixes: fb34a9ae383a ("pinctrl: mediatek: support rsel feature") Signed-off-by: Guodong Liu Link: https://lore.kernel.org/r/20220216032124.28067-4-guodong.liu@mediatek.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 14a60be75c72d2c7d94fe2a1c0776928df262e00 Author: Janusz Krzysztofik Date: Mon May 4 00:06:18 2020 +0200 media: ov6650: Fix crop rectangle affected by set format commit 985d2d7a482e9b64ef9643702b066da9cbd6ae8e upstream. According to subdevice interface specification found in V4L2 API documentation, set format pad operations should not affect image geometry set in preceding image processing steps. Unfortunately, that requirement is not respected by the driver implementation of set format as it was not the case when that code was still implementing a pair of now obsolete .s_mbus_fmt() / .try_mbus_fmt() video operations before they have been merged and reused as an implementation of .set_fmt() pad operation by commit 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt"). Exclude non-compliant crop rectangle adjustments from set format try, as well as a call to .set_selection() from set format active processing path, so only frame scaling is applied as needed and crop rectangle is no longer modified. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c1f8b28b83c19a3e55d5d484c2412bd30214f232 Author: Janusz Krzysztofik Date: Mon May 4 00:06:17 2020 +0200 media: ov6650: Add try support to selection API operations commit c74052646496ffe0bc606152e6b9653137020cbf upstream. Try requests are now only supported by format processing pad operations implemented by the driver. The driver selection API operations currently respond to them with -EINVAL. While that is correct, it constraints video device drivers to not use subdevice cropping at all while processing user requested active frame size, otherwise their set try format results might differ from active. As a consequence, we can't fix set format pad operation as not to touch crop rectangle since that would affect users not being able to set arbitrary frame sizes. Moreover, without a working set try selection support we are not able to use pad config crop rectangle as a reference while processing set try format requests. Implement missing try selection support. Moreover, as it will be now possible to maintain the pad config crop rectangle via selection API, start using it instead of the active one as a reference while processing set try format requests. is_unscaled_ok() helper, now also called from set selection operation, has been just moved up in the source file to avoid a prototype, with no functional changes. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 7fdc67c5ff65d4145740b6191290bccc4aa02a53 Author: Ian Rogers Date: Mon Jan 31 17:58:34 2022 -0800 perf vendor events: Update metrics for SkyLake Server commit 3bad20d7d129c3b3063658a0f83974dfe6dac5c4 upstream. Based on TMA_metrics-full.csv version 4.3 at 01.org: https://download.01.org/perfmon/ Events are updated to version 1.26: https://download.01.org/perfmon/SKX Json files generated by: https://github.com/intel/event-converter-for-linux-perf Fixes were made that allow the skx-metrics.json to successfully generate, bringing back TopdownL1 metrics. Tested: $ perf test ... 6: Parse event definition strings : Ok 7: Simple expression parser : Ok ... 9: Parse perf pmu format : Ok 10: PMU events : 10.1: PMU event table sanity : Ok 10.2: PMU event map aliases : Ok 10.3: Parsing of PMU event table metrics : Ok 10.4: Parsing of PMU event table metrics with fake PMUs : Ok ... 68: Parse and process metrics : Ok ... 88: perf stat metrics (shadow stat) test : Ok 89: perf all metricgroups test : Ok 90: perf all metrics test : Skip 91: perf all PMU test : Ok ... 90 skips due to a lack of floating point samples, which is understandable. Fixes: c4ad8fabd03f76ed ("perf vendor events: Update metrics for SkyLake Server") Reviewed-by: Kan Liang Signed-off-by: Ian Rogers Cc: Alexander Shishkin Cc: Alexandre Torgue Cc: Andi Kleen Cc: Ingo Molnar Cc: James Clark Cc: Jin Yao Cc: Jiri Olsa Cc: John Garry Cc: Mark Rutland Cc: Maxime Coquelin Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Zhengjun Xing Link: https://lore.kernel.org/r/20220201015858.1226914-3-irogers@google.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit c5680779671c9561a9c19c42c8218badfb7b4609 Author: Amadeusz Sławiński Date: Wed Jan 12 18:00:29 2022 +0100 ASoC: topology: Allow TLV control to be either read or write commit feb00b736af64875560f371fe7f58b0b7f239046 upstream. There is no reason to force readwrite access on TLV controls. It can be either read, write or both. This is further evidenced in code where it performs following checks: if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_READ) && !sbe->get) return -EINVAL; if ((k->access & SNDRV_CTL_ELEM_ACCESS_TLV_WRITE) && !sbe->put) return -EINVAL; Fixes: 1a3232d2f61d ("ASoC: topology: Add support for TLV bytes controls") Signed-off-by: Amadeusz Sławiński Reviewed-by: Cezary Rojewski Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220112170030.569712-3-amadeuszx.slawinski@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit a911af09c9b016e45bbbaac35f72b5e53361325c Author: Zheng Bin Date: Wed Mar 23 17:25:01 2022 +0800 ASoC: SOF: Intel: Fix build error without SND_SOC_SOF_PCI_DEV commit 664d66dc0a64b32e60a5ad59a9aebb08676a612b upstream. If SND_SOC_SOF_PCI_DEV is n, bulding fails: sound/soc/sof/intel/pci-tng.o:(.data+0x1c0): undefined reference to `sof_pci_probe' sound/soc/sof/intel/pci-tng.o:(.data+0x1c8): undefined reference to `sof_pci_remove' sound/soc/sof/intel/pci-tng.o:(.data+0x1e0): undefined reference to `sof_pci_shutdown' sound/soc/sof/intel/pci-tng.o:(.data+0x290): undefined reference to `sof_pci_pm' Make SND_SOC_SOF_MERRIFIELD select SND_SOC_SOF_PCI_DEV to fix this. Fixes: 8d4ba1be3d22 ("ASoC: SOF: pci: split PCI into different drivers") Reported-by: Hulk Robot Signed-off-by: Zheng Bin Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220323092501.145879-1-zhengbin13@huawei.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9c7f45822b38ab3f9a0adfa22257549892359d06 Author: Zhihao Cheng Date: Mon Dec 27 11:22:42 2021 +0800 ubi: fastmap: Return error code if memory allocation fails in add_aeb() commit c3c07fc25f37c157fde041b3a0c3dfcb1590cbce upstream. Abort fastmap scanning and return error code if memory allocation fails in add_aeb(). Otherwise ubi will get wrong peb statistics information after scanning. Fixes: dbb7d2a88d2a7b ("UBI: Add fastmap core") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 5a859a3ad871708541ab5ea4234f27ef51206ced Author: Horatiu Vultur Date: Fri Feb 4 16:35:34 2022 +0100 dt-bindings: pinctrl: pinctrl-microchip-sgpio: Fix example commit a6ff90f3fbd4d902aad8777f0329cef3a2768bde upstream. The blamed commit adds support for irq, but the reqisters for irq are outside of the memory size. They are at address 0x108. Therefore update the memory size to cover all the registers used by the device. Fixes: 01a9350bdd49fb ("dt-bindings: pinctrl: pinctrl-microchip-sgpio: Add irq support") Signed-off-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220204153535.465827-2-horatiu.vultur@microchip.com Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit a31daf75e69e0aaddc0a1da149e448c9dda3e19e Author: Yong Wu Date: Thu Jan 13 19:10:53 2022 +0800 dt-bindings: memory: mtk-smi: Correct minItems to 2 for the gals clocks commit 996ebc0e332bfb3091395f9bd286d8349a57be62 upstream. Mute the warning from "make dtbs_check": larb@14017000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml ... larb@16010000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml larb@17010000: clock-names: ['apb', 'smi'] is too short arch/arm64/boot/dts/mediatek/mt8183-evb.dt.yaml arch/arm64/boot/dts/mediatek/mt8183-kukui-jacuzzi-burnet.dt.yaml If a platform's larb supports gals, there will be some larbs have one more "gals" clock while the others still only need "apb"/"smi" clocks, then the minItems for clocks and clock-names are 2. Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-4-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit 1e338970b5ad0ba41073009065b1b0cba9d43377 Author: Yong Wu Date: Thu Jan 13 19:10:52 2022 +0800 dt-bindings: memory: mtk-smi: No need mediatek,larb-id for mt8167 commit ddc3a324889686ec9b358de20fdeec0d2668c7a8 upstream. Mute the warning from "make dtbs_check": larb@14016000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml larb@15001000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml larb@16010000: 'mediatek,larb-id' is a required property arch/arm64/boot/dts/mediatek/mt8167-pumpkin.dt.yaml As the description of mediatek,larb-id, the property is only required when the larbid is not consecutive from its IOMMU point of view. Also, from the description of mediatek,larbs in Documentation/devicetree/bindings/iommu/mediatek,iommu.yaml, all the larbs must sort by the larb index. In mt8167, there is only one IOMMU HW and three larbs. The drivers already know its larb index from the mediatek,larbs property of IOMMU, thus no need this property. Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Acked-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-3-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit a707203a7b6cd0693f1190477373f95a2974989f Author: Yong Wu Date: Thu Jan 13 19:10:51 2022 +0800 dt-bindings: memory: mtk-smi: Rename clock to clocks commit 5bf7fa48374eafe29dbb30448a0b0c083853583f upstream. The property "clock" should be rename to "clocks", and delete the "items", the minItems/maxItems should not be put under "items". Fixes: 27bb0e42855a ("dt-bindings: memory: mediatek: Convert SMI to DT schema") Signed-off-by: Yong Wu Acked-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220113111057.29918-2-yong.wu@mediatek.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Greg Kroah-Hartman commit b9ec5cf33753ec9b59de93e349ab6607d0d03363 Author: Martin Kepplinger Date: Tue Jan 11 14:39:37 2022 +0100 media: dt-bindings: media: hynix,hi846: add link-frequencies description commit a44b8e8c9b2615ea7cf2361cbca3c1dff8119c87 upstream. link-frequencies is required but only mentioned in the example. Add it to the description. Fixes: f3ce7200ca18 ("media: dt-bindings: media: document SK Hynix Hi-846 MIPI CSI-2 8M pixel sensor") Signed-off-by: Martin Kepplinger Reviewed-by: Laurent Pinchart Reviewed-by: Rob Herring Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 9699d0c0dcf9b76ad226beaf5a1486589b4d1305 Author: Martin Kepplinger Date: Tue Jan 11 14:39:36 2022 +0100 media: dt-binding: media: hynix,hi846: use $defs/port-base port description commit 6492eba4fafb5a9715ecf78b7155e88f8f88909a upstream. This fixes "make dt_binding_check": Documentation/devicetree/bindings/media/i2c/hynix,hi846.example.dt.yaml: camera@20: port:endpoint: Unevaluated properties are not allowed ('link-frequencies', 'data-lanes' were unexpected) From schema: Documentation/devicetree/bindings/media/i2c/hynix,hi846.yaml [Sakari Ailus: Reword commit message] Fixes: f3ce7200ca18 ("media: dt-bindings: media: document SK Hynix Hi-846 MIPI CSI-2 8M pixel sensor") Reported-by: Geert Uytterhoeven Signed-off-by: Martin Kepplinger Reviewed-by: Laurent Pinchart Reviewed-by: Rob Herring Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit aceda125f9c4a3c48163ae4c1ee1503cff78cc9d Author: Miquel Raynal Date: Thu Dec 16 12:16:33 2021 +0100 dt-bindings: spi: mxic: The interrupt property is not mandatory commit 90c204d3195a795f77f5bce767e311dd1c59ca17 upstream. The interrupt property is not mandatory at all, this property should not be part of the required properties list, so move it into the optional properties list. Fixes: 326e5c8d4a87 ("dt-binding: spi: Document Macronix controller bindings") Signed-off-by: Miquel Raynal Reviewed-by: Rob Herring Reviewed-by: Mark Brown Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-8-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit b5bff318e99bd91fc37b222b7cc9e1ce5fdc3117 Author: Miquel Raynal Date: Thu Dec 16 12:16:28 2021 +0100 dt-bindings: mtd: nand-controller: Fix a comment in the examples commit 0e7f1b557974ce297e5e4c9d4245720fbb489886 upstream. The controller properties should be in the controller 'parent' node, while properties in the children nodes are specific to the NAND *chip*. This error was already present during the yaml conversion. Fixes: 2d472aba15ff ("mtd: nand: document the NAND controller/NAND chip DT representation") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-3-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit cd4d51a68560617b6b003dbc51365fd735194c33 Author: Miquel Raynal Date: Thu Dec 16 12:16:27 2021 +0100 dt-bindings: mtd: nand-controller: Fix the reg property description commit 93f2ec9e401276fb4ea9903194a5bfcf175f9a2c upstream. The reg property of a NAND device always references the chip-selects. The ready/busy lines are described in the nand-rb property. I believe this was a harmless copy/paste error during the conversion to yaml. Fixes: 212e49693592 ("dt-bindings: mtd: Add YAML schemas for the generic NAND options") Signed-off-by: Miquel Raynal Acked-by: Rob Herring Link: https://lore.kernel.org/linux-mtd/20211216111654.238086-2-miquel.raynal@bootlin.com Signed-off-by: Greg Kroah-Hartman commit 24b8b217185d4db23bd684d31f70efc293775028 Author: Kai-Heng Feng Date: Tue Jan 25 13:50:06 2022 +0800 mmc: rtsx: Use pm_runtime_{get,put}() to handle runtime PM commit 7499b529d97f752124fa62fefa1d6d44b371215a upstream. Commit 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") doesn't use pm_runtime_{get,put}() helpers when it should, so the RPM refcount keeps at zero, hence its parent driver, rtsx_pci, has to do lots of weird tricks to keep it from runtime suspending. So use those helpers at right places to properly manage runtime PM. Fixes: 5b4258f6721f ("misc: rtsx: rts5249 support runtime PM") Cc: Ricky WU Tested-by: Ricky WU Signed-off-by: Kai-Heng Feng Link: https://lore.kernel.org/r/20220125055010.1866563-1-kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit d42740aab3ea29578d11a042bb50ded12ad3aa8a Author: Zhang Wensheng Date: Thu Mar 10 17:32:24 2022 +0800 nbd: fix possible overflow on 'first_minor' in nbd_dev_add() commit 6d35d04a9e18990040e87d2bbf72689252669d54 upstream. When 'index' is a big numbers, it may become negative which forced to 'int'. then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Because of this, move the 'index' judgment to the front will fix it and be better. Fixes: b0d9111a2d53 ("nbd: use an idr to keep track of nbd devices") Fixes: 940c264984fd ("nbd: fix possible overflow for 'first_minor' in nbd_dev_add()") Signed-off-by: Zhang Wensheng Reviewed-by: Josef Bacik Link: https://lore.kernel.org/r/20220310093224.4002895-1-zhangwensheng5@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 7e11d8a32855313970dbc8302332f910a018853e Author: Hengqi Chen Date: Thu Mar 10 23:53:35 2022 +0800 bpf: Fix comment for helper bpf_current_task_under_cgroup() commit 58617014405ad5c9f94f464444f4972dabb71ca7 upstream. Fix the descriptions of the return values of helper bpf_current_task_under_cgroup(). Fixes: c6b5fb8690fa ("bpf: add documentation for eBPF helpers (42-50)") Signed-off-by: Hengqi Chen Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220310155335.1278783-1-hengqi.chen@gmail.com Signed-off-by: Greg Kroah-Hartman commit e750f78c4ed7cefbcefb9769b3b9e08033db39da Author: Namhyung Kim Date: Mon Mar 14 11:20:41 2022 -0700 bpf: Adjust BPF stack helper functions to accommodate skip > 0 commit ee2a098851bfbe8bcdd964c0121f4246f00ff41e upstream. Let's say that the caller has storage for num_elem stack frames. Then, the BPF stack helper functions walk the stack for only num_elem frames. This means that if skip > 0, one keeps only 'num_elem - skip' frames. This is because it sets init_nr in the perf_callchain_entry to the end of the buffer to save num_elem entries only. I believe it was because the perf callchain code unwound the stack frames until it reached the global max size (sysctl_perf_event_max_stack). However it now has perf_callchain_entry_ctx.max_stack to limit the iteration locally. This simplifies the code to handle init_nr in the BPF callstack entries and removes the confusion with the perf_event's __PERF_SAMPLE_CALLCHAIN_EARLY which sets init_nr to 0. Also change the comment on bpf_get_stack() in the header file to be more explicit what the return value means. Fixes: c195651e565a ("bpf: add bpf_get_stack helper") Signed-off-by: Namhyung Kim Signed-off-by: Alexei Starovoitov Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/30a7b5d5-6726-1cc2-eaee-8da2828a9a9c@oracle.com Link: https://lore.kernel.org/bpf/20220314182042.71025-1-namhyung@kernel.org Signed-off-by: Greg Kroah-Hartman Based-on-patch-by: Eugene Loh commit ceb93b21ca92a572057537319354721a506c9d48 Author: Toke Høiland-Jørgensen Date: Tue Jan 18 15:13:27 2022 +0100 libbpf: Define BTF_KIND_* constants in btf.h to avoid compilation errors commit eaa266d83a3730a15de2ceebcc89e8f6290e8cf6 upstream. The btf.h header included with libbpf contains inline helper functions to check for various BTF kinds. These helpers directly reference the BTF_KIND_* constants defined in the kernel header, and because the header file is included in user applications, this happens in the user application compile units. This presents a problem if a user application is compiled on a system with older kernel headers because the constants are not available. To avoid this, add #defines of the constants directly in btf.h before using them. Since the kernel header moved to an enum for BTF_KIND_*, the #defines can shadow the enum values without any errors, so we only need #ifndef guards for the constants that predates the conversion to enum. We group these so there's only one guard for groups of values that were added together. [0] Closes: https://github.com/libbpf/libbpf/issues/436 Fixes: 223f903e9c83 ("bpf: Rename BTF_KIND_TAG to BTF_KIND_DECL_TAG") Fixes: 5b84bd10363e ("libbpf: Add support for BTF_KIND_TAG") Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Andrii Nakryiko Acked-by: Arnaldo Carvalho de Melo Link: https://lore.kernel.org/bpf/20220118141327.34231-1-toke@redhat.com Signed-off-by: Greg Kroah-Hartman commit 4ce70fa5510e20a44d844bd9b56095a15d0b818d Author: Kuniyuki Iwashima Date: Thu Mar 17 12:08:09 2022 +0900 af_unix: Support POLLPRI for OOB. commit d9a232d435dcc966738b0f414a86f7edf4f4c8c4 upstream. The commit 314001f0bf92 ("af_unix: Add OOB support") introduced OOB for AF_UNIX, but it lacks some changes for POLLPRI. Let's add the missing piece. In the selftest, normal datagrams are sent followed by OOB data, so this commit replaces `POLLIN | POLLPRI` with just `POLLPRI` in the first test case. Fixes: 314001f0bf92 ("af_unix: Add OOB support") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8d0eaf440743252ce97cd0966417c43c0a28ee46 Author: Randy Dunlap Date: Tue Mar 22 14:47:52 2022 -0700 mm/usercopy: return 1 from hardened_usercopy __setup() handler commit 05fe3c103f7e6b8b4fca8a7001dfc9ed4628085b upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 hardened_usercopy=off or hardened_usercopy=on but when "hardened_usercopy=foo" is used, there is no Unknown kernel command line parameter. Return 1 to indicate that the boot option has been handled. Print a warning if strtobool() returns an error on the option string, but do not mark this as in unknown command line option and do not cause init's environment to be polluted with this string. Link: https://lkml.kernel.org/r/20220222034249.14795-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: b5cb15d9372ab ("usercopy: Allow boot cmdline disabling of hardening") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Acked-by: Chris von Recklinghausen Cc: Kees Cook Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c9adfbbf2d6edb40609b862f2be78ac6188dd001 Author: Randy Dunlap Date: Tue Mar 22 14:40:31 2022 -0700 mm/memcontrol: return 1 from cgroup.memory __setup() handler commit 460a79e18842caca6fa0c415de4a3ac1e671ac50 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). The only reason that this particular __setup handler does not pollute init's environment is that the setup string contains a '.', as in "cgroup.memory". This causes init/main.c::unknown_boottoption() to consider it to be an "Unused module parameter" and ignore it. (This is for parsing of loadable module parameters any time after kernel init.) Otherwise the string "cgroup.memory=whatever" would be added to init's environment strings. Instead of relying on this '.' quirk, just return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: cgroup.memory=anything_invalid Link: https://lkml.kernel.org/r/20220222005811.10672-1-rdunlap@infradead.org Fixes: f7e1cb6ec51b0 ("mm: memcontrol: account socket memory in unified hierarchy memory controller") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Reviewed-by: Michal Koutný Cc: Johannes Weiner Cc: Michal Hocko Cc: Vladimir Davydov Cc: Roman Gushchin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2b7ecf0bac542a17c3b989f2fa734180ba8cfca6 Author: Randy Dunlap Date: Sat Mar 12 07:36:09 2022 +0100 ARM: 9187/1: JIVE: fix return value of __setup handler commit 8b2360c7157b462c4870d447d1e65d30ef31f9aa upstream. __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from jive_mtdset(). Fixes: 9db829f485c5 ("[ARM] JIVE: Initial machine support for Logitech Jive") Signed-off-by: Randy Dunlap Cc: Ben Dooks Cc: Krzysztof Kozlowski Cc: Alim Akhtar Cc: linux-arm-kernel@lists.infradead.org Cc: linux-samsung-soc@vger.kernel.org Cc: patches@armlinux.org.uk Signed-off-by: Russell King (Oracle) Signed-off-by: Greg Kroah-Hartman commit 82656b259721b3ecec87c72d11d7a7ddaa79b435 Author: Randy Dunlap Date: Tue Mar 22 14:42:27 2022 -0700 mm/mmap: return 1 from stack_guard_gap __setup() handler commit e6d094936988910ce6e8197570f2753898830081 upstream. __setup() handlers should return 1 if the command line option is handled and 0 if not (or maybe never return 0; it just pollutes init's environment). This prevents: Unknown kernel command line parameters \ "BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100", will be \ passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 stack_guard_gap=100 Return 1 to indicate that the boot option has been handled. Note that there is no warning message if someone enters: stack_guard_gap=anything_invalid and 'val' and stack_guard_gap are both set to 0 due to the use of simple_strtoul(). This could be improved by using kstrtoxxx() and checking for an error. It appears that having stack_guard_gap == 0 is valid (if unexpected) since using "stack_guard_gap=0" on the kernel command line does that. Link: https://lkml.kernel.org/r/20220222005817.11087-1-rdunlap@infradead.org Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1be7107fbe18e ("mm: larger stack guard gap, between vmas") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a9a6d30264327d8ff7f23da33e7a77ffb793fa3f Author: Eric Dumazet Date: Mon Feb 21 19:21:13 2022 -0800 net: preserve skb_end_offset() in skb_unclone_keeptruesize() commit 2b88cba55883eaafbc9b7cbff0b2c7cdba71ed01 upstream. syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issues in the blamed commits, but forgot that TCP was possibly shifting data after skb_unclone_keeptruesize() has been used, notably from tcp_retrans_try_collapse(). So we not only need to keep same skb->truesize value, we also need to make sure TCP wont fill new tailroom that pskb_expand_head() was able to get from a addr = kmalloc(...) followed by ksize(addr) Split skb_unclone_keeptruesize() into two parts: 1) Inline skb_unclone_keeptruesize() for the common case, when skb is not cloned. 2) Out of line __skb_unclone_keeptruesize() for the 'slow path'. WARNING: CPU: 1 PID: 6490 at net/core/skbuff.c:5295 skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Modules linked in: CPU: 1 PID: 6490 Comm: syz-executor161 Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:skb_try_coalesce+0x1235/0x1560 net/core/skbuff.c:5295 Code: bf 01 00 00 00 0f b7 c0 89 c6 89 44 24 20 e8 62 24 4e fa 8b 44 24 20 83 e8 01 0f 85 e5 f0 ff ff e9 87 f4 ff ff e8 cb 20 4e fa <0f> 0b e9 06 f9 ff ff e8 af b2 95 fa e9 69 f0 ff ff e8 95 b2 95 fa RSP: 0018:ffffc900063af268 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 00000000ffffffd5 RCX: 0000000000000000 RDX: ffff88806fc05700 RSI: ffffffff872abd55 RDI: 0000000000000003 RBP: ffff88806e675500 R08: 00000000ffffffd5 R09: 0000000000000000 R10: ffffffff872ab659 R11: 0000000000000000 R12: ffff88806dd554e8 R13: ffff88806dd9bac0 R14: ffff88806dd9a2c0 R15: 0000000000000155 FS: 00007f18014f9700(0000) GS:ffff8880b9c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020002000 CR3: 000000006be7a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: tcp_try_coalesce net/ipv4/tcp_input.c:4651 [inline] tcp_try_coalesce+0x393/0x920 net/ipv4/tcp_input.c:4630 tcp_queue_rcv+0x8a/0x6e0 net/ipv4/tcp_input.c:4914 tcp_data_queue+0x11fd/0x4bb0 net/ipv4/tcp_input.c:5025 tcp_rcv_established+0x81e/0x1ff0 net/ipv4/tcp_input.c:5947 tcp_v4_do_rcv+0x65e/0x980 net/ipv4/tcp_ipv4.c:1719 sk_backlog_rcv include/net/sock.h:1037 [inline] __release_sock+0x134/0x3b0 net/core/sock.c:2779 release_sock+0x54/0x1b0 net/core/sock.c:3311 sk_wait_data+0x177/0x450 net/core/sock.c:2821 tcp_recvmsg_locked+0xe28/0x1fd0 net/ipv4/tcp.c:2457 tcp_recvmsg+0x137/0x610 net/ipv4/tcp.c:2572 inet_recvmsg+0x11b/0x5e0 net/ipv4/af_inet.c:850 sock_recvmsg_nosec net/socket.c:948 [inline] sock_recvmsg net/socket.c:966 [inline] sock_recvmsg net/socket.c:962 [inline] ____sys_recvmsg+0x2c4/0x600 net/socket.c:2632 ___sys_recvmsg+0x127/0x200 net/socket.c:2674 __sys_recvmsg+0xe2/0x1a0 net/socket.c:2704 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c4777efa751d ("net: add and use skb_unclone_keeptruesize() helper") Fixes: 097b9146c0e2 ("net: fix up truesize of cloned skb in skb_prepare_for_shift()") Reported-by: syzbot Signed-off-by: Eric Dumazet Cc: Marco Elver Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit f68f5782d77643764fd28771f3d3d5f80be7c107 Author: Eric Dumazet Date: Mon Feb 21 19:21:12 2022 -0800 net: add skb_set_end_offset() helper commit 763087dab97547230a6807c865a6a5ae53a59247 upstream. We have multiple places where this helper is convenient, and plan using it in the following patch. Signed-off-by: Eric Dumazet Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 01c2017cd32ad88f7a07275e6abd686dd075443a Author: Steven Rostedt (Google) Date: Fri Mar 18 15:34:32 2022 -0400 tracing: Have type enum modifications copy the strings commit 795301d3c28996219d555023ac6863401b6076bc upstream. When an enum is used in the visible parts of a trace event that is exported to user space, the user space applications like perf and trace-cmd do not have a way to know what the value of the enum is. To solve this, at boot up (or module load) the printk formats are modified to replace the enum with their numeric value in the string output. Array fields of the event are defined by [] in the type portion of the format file so that the user space parsers can correctly parse the array into the appropriate size chunks. But in some trace events, an enum is used in defining the size of the array, which once again breaks the parsing of user space tooling. This was solved the same way as the print formats were, but it modified the type strings of the trace event. This caused crashes in some architectures because, as supposed to the print string, is a const string value. This was not detected on x86, as it appears that const strings are still writable (at least in boot up), but other architectures this is not the case, and writing to a const string will cause a kernel fault. To fix this, use kstrdup() to copy the type before modifying it. If the trace event is for the core kernel there's no need to free it because the string will be in use for the life of the machine being on line. For modules, create a link list to store all the strings being allocated for modules and when the module is removed, free them. Link: https://lore.kernel.org/all/yt9dr1706b4i.fsf@linux.ibm.com/ Link: https://lkml.kernel.org/r/20220318153432.3984b871@gandalf.local.home Tested-by: Marc Zyngier Tested-by: Sven Schnelle Reported-by: Sven Schnelle Fixes: b3bc8547d3be ("tracing: Have TRACE_DEFINE_ENUM affect trace event types as well") Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit dcead36b19d999d687cd9c99b7f37520d9102b57 Author: Linus Torvalds Date: Mon Mar 28 11:37:05 2022 -0700 Reinstate some of "swiotlb: rework "fix info leak with DMA_FROM_DEVICE"" commit 901c7280ca0d5e2b4a8929fbe0bfb007ac2a6544 upstream. Halil Pasic points out [1] that the full revert of that commit (revert in bddac7c1e02b), and that a partial revert that only reverts the problematic case, but still keeps some of the cleanups is probably better.  And that partial revert [2] had already been verified by Oleksandr Natalenko to also fix the issue, I had just missed that in the long discussion. So let's reinstate the cleanups from commit aa6f8dcbab47 ("swiotlb: rework "fix info leak with DMA_FROM_DEVICE""), and effectively only revert the part that caused problems. Link: https://lore.kernel.org/all/20220328013731.017ae3e3.pasic@linux.ibm.com/ [1] Link: https://lore.kernel.org/all/20220324055732.GB12078@lst.de/ [2] Link: https://lore.kernel.org/all/4386660.LvFx2qVVIh@natalenko.name/ [3] Suggested-by: Halil Pasic Tested-by: Oleksandr Natalenko Cc: Christoph Hellwig Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 38f26d59c0c33e90b5ea4af00b21d207ce04b9f0 Author: Jiasheng Jiang Date: Thu Mar 10 11:00:41 2022 +0800 ASoC: soc-compress: Change the check for codec_dai commit ccb4214f7f2a8b75acf493f31128e464ee1a3536 upstream. It should be better to reverse the check on codec_dai and returned early in order to be easier to understand. Fixes: de2c6f98817f ("ASoC: soc-compress: prevent the potentially use of null pointer") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Jiasheng Jiang Reviewed-by: Charles Keepax Link: https://lore.kernel.org/r/20220310030041.1556323-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 7662205b8f36dd51c171f22062a6da9e211c7408 Author: Will Deacon Date: Wed Mar 9 12:21:37 2022 +0000 arm64: mm: Drop 'const' from conditional arm64_dma_phys_limit definition commit 770093459b9b333380aa71f2c31c60b14895c1df upstream. Commit 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones") introduced different definitions for 'arm64_dma_phys_limit' depending on CONFIG_ZONE_DMA{,32} based on a late suggestion from Pasha. Sadly, this results in a build error when passing W=1: | arch/arm64/mm/init.c:90:19: error: conflicting type qualifiers for 'arm64_dma_phys_limit' Drop the 'const' for now and use '__ro_after_init' consistently. Link: https://lore.kernel.org/r/202203090241.aj7paWeX-lkp@intel.com Link: https://lore.kernel.org/r/CA+CK2bDbbx=8R=UthkMesWOST8eJMtOGJdfMRTFSwVmo0Vn0EA@mail.gmail.com Fixes: 031495635b46 ("arm64: Do not defer reserve_crashkernel() for platforms with no DMA memory zones") Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 4c69932ed1e42135e3027f22ed7aadf9b8bdf0cf Author: Wan Jiabing Date: Mon Feb 28 10:56:41 2022 +0800 docs: fix 'make htmldocs' warning in SCTP.rst commit 70868c6b8fd80db585da57a264c50a69af8fd3c3 upstream. Fix following 'make htmldocs' warnings: ./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:123: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ./Documentation/security/SCTP.rst:273: WARNING: Title underline too short. security_sctp_assoc_established() ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 5e50f5d4ff31 ("security: add sctp_assoc_established hook") Signed-off-by: Wan Jiabing Reviewed-by: Xin Long Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit c64f94fef5c18d78abcd51f08b7f194993b2ef1b Author: Arınç ÜNAL Date: Tue Feb 15 11:17:24 2022 +0300 staging: mt7621-dts: fix pinctrl-0 items to be size-1 items on ethernet commit 25e4f5220efead592c83200241e098e757d37e1f upstream. Fix pinctrl-0 items under the ethernet node to be size-1 items. Current notation would be used on specifications with non-zero cells. Fixes: 0a93c0d75809 ("staging: mt7621-dts: fix pinctrl properties for ethernet") Reported-by: Sander Vanheule Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220215081725.3463-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit f227f444d7b8d56bb3d7087691cdb7347267d0ef Author: Saurav Kashyap Date: Tue Feb 8 01:39:46 2022 -0800 scsi: qla2xxx: Add qla2x00_async_done() for async routines commit 49b729f58e7a98a006a8a0c1dcca8a1a4f58d2a8 upstream. This done routine will delete the timer and check for its return value and decrease the reference count accordingly. This prevents boot hangs reported after commit 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB") was merged. Link: https://lore.kernel.org/r/20220208093946.4471-1-njavali@marvell.com Fixes: 31e6cdbe0eae ("scsi: qla2xxx: Implement ref count for SRB") Reported-by: Ewan Milne Tested-by: Ewan D. Milne Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 6925a5a98d21aa0143d8a1c8e6ba954cd2227cb7 Author: Maxime Ripard Date: Wed Feb 2 10:43:40 2022 +0100 drm/connector: Fix typo in documentation commit dca384a3bf5af1c781cfa6aec63904bdb5018c36 upstream. Commit 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444") introduced two new variables in struct drm_display_info and their documentation, but the documentation part had a typo resulting in a doc build warning. Fixes: 4adc33f36d80 ("drm/edid: Split deep color modes between RGB and YUV444") Reported-by: Stephen Rothwell Signed-off-by: Maxime Ripard Reviewed-by: Simon Ser Link: https://patchwork.freedesktop.org/patch/msgid/20220202094340.875190-1-maxime@cerno.tech Signed-off-by: Greg Kroah-Hartman commit fe61765d8642370d892cb681560e4d317c75bed2 Author: Lv Ruyi Date: Tue Mar 29 10:40:04 2022 +0000 proc: bootconfig: Add null pointer check commit bed5b60bf67ccd8957b8c0558fead30c4a3f5d3f upstream. kzalloc is a memory allocation function which can return NULL when some internal memory errors happen. It is safer to add null pointer check. Link: https://lkml.kernel.org/r/20220329104004.2376879-1-lv.ruyi@zte.com.cn Cc: stable@vger.kernel.org Fixes: c1a3c36017d4 ("proc: bootconfig: Add /proc/bootconfig to show boot config list") Acked-by: Masami Hiramatsu Reported-by: Zeal Robot Signed-off-by: Lv Ruyi Signed-off-by: Steven Rostedt (Google) Signed-off-by: Greg Kroah-Hartman commit 8473e4929218e5df852712010217305e745401e2 Author: Oliver Hartkopp Date: Mon Mar 28 13:36:11 2022 +0200 can: isotp: restore accidentally removed MSG_PEEK feature [ Upstream commit e382fea8ae54f5bb62869c6b69b33993d43adeca ] In commit 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") a new check for recvmsg flags has been introduced that only checked for the flags that are handled in isotp_recvmsg() itself. This accidentally removed the MSG_PEEK feature flag which is processed later in the call chain in __skb_try_recv_from_queue(). Add MSG_PEEK to the set of valid flags to restore the feature. Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1079554254 Link: https://lore.kernel.org/all/20220328113611.3691-1-socketcan@hartkopp.net Reported-by: Derek Will Suggested-by: Derek Will Tested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2ea464a6162d395d277a3167f0949f8bdf00cfdc Author: Prashant Malani Date: Wed Jan 26 19:02:20 2022 +0000 platform/chrome: cros_ec_typec: Check for EC device commit ffebd90532728086007038986900426544e3df4e upstream. The Type C ACPI device on older Chromebooks is not generated correctly (since their EC firmware doesn't support the new commands required). In such cases, the crafted ACPI device doesn't have an EC parent, and it is therefore not useful (it shouldn't be generated in the first place since the EC firmware doesn't support any of the Type C commands). To handle devices which use these older firmware revisions, check for the parent EC device handle, and fail the probe if it's not found. Fixes: fdc6b21e2444 ("platform/chrome: Add Type C connector class driver") Reported-by: Alyssa Ross Reviewed-by: Tzung-Bi Shih Signed-off-by: Prashant Malani Acked-by: Heikki Krogerus Reviewed-by: Alyssa Ross Tested-by: Alyssa Ross Link: https://lore.kernel.org/r/20220126190219.3095419-1-pmalani@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit be7f1448a2c7c7741827f6c42ced81a724fd1970 Author: Jon Hunter Date: Mon Mar 7 11:35:29 2022 +0000 spi: Fix Tegra QSPI example commit 320689a1b543ca1396b3ed43bb18045e4a7ffd79 upstream. When running dt_binding_check on the nvidia,tegra210-quad.yaml binding document the following error is reported ... nvidia,tegra210-quad.example.dt.yaml:0:0: /example-0/spi@70410000/flash@0: failed to match any schema with compatible: ['spi-nor'] Update the example in the binding document to fix the above error. Signed-off-by: Jon Hunter Fixes: 9684752e5fe3 ("dt-bindings: spi: Add Tegra Quad SPI device tree binding") Link: https://lore.kernel.org/r/20220307113529.315685-1-jonathanh@nvidia.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0fc1ae15b9daec00434cc75fa1f87d5847b787fc Author: Anirudh Rayabharam Date: Sat Mar 12 19:41:21 2022 +0530 vhost: handle error while adding split ranges to iotlb commit 03a91c9af2c42ae14afafb829a4b7e6589ab5892 upstream. vhost_iotlb_add_range_ctx() handles the range [0, ULONG_MAX] by splitting it into two ranges and adding them separately. The return value of adding the first range to the iotlb is currently ignored. Check the return value and bail out in case of an error. Signed-off-by: Anirudh Rayabharam Link: https://lore.kernel.org/r/20220312141121.4981-1-mail@anirudhrb.com Signed-off-by: Michael S. Tsirkin Fixes: e2ae38cf3d91 ("vhost: fix hung thread due to erroneous iotlb entries") Reviewed-by: Stefano Garzarella Signed-off-by: Greg Kroah-Hartman commit b80b19b32a432c9eee1cd200ef7aaddf608f54d1 Author: Rafael J. Wysocki Date: Tue Mar 22 17:02:05 2022 +0100 ACPI: CPPC: Avoid out of bounds access when parsing _CPC data commit 40d8abf364bcab23bc715a9221a3c8623956257b upstream. If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then. Fixes: 337aadff8e45 ("ACPI: Introduce CPU performance controls using CPPC") BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/ Reported-by: kernel test robot Signed-off-by: Rafael J. Wysocki Reviewed-by: Huang Rui Signed-off-by: Greg Kroah-Hartman commit d64ac4ae0ea0c82f009bf48398a88764b4bce41c Author: Fangrui Song Date: Mon Mar 21 18:26:17 2022 -0700 riscv module: remove (NOLOAD) commit 60210a3d86dc57ce4a76a366e7841dda746a33f7 upstream. On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually inappropriate for .plt, .got, and .got.plt sections which are always SHT_PROGBITS. In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway and (NOLOAD) will be essentially ignored. In ld.lld, since https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to customize the output section type"), ld.lld will report a `section type mismatch` error (later changed to a warning). Just remove (NOLOAD) to fix the warning. [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The section should be marked as not loadable" on https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is outdated for ELF. Link: https://github.com/ClangBuiltLinux/linux/issues/1597 Fixes: ab1ef68e5401 ("RISC-V: Add sections of PLT and GOT for kernel module") Reported-by: Nathan Chancellor Signed-off-by: Fangrui Song Signed-off-by: Palmer Dabbelt Signed-off-by: Greg Kroah-Hartman commit d6d7a517e81accf6ed22d55684baea763d2dbe43 Author: Pavel Begunkov Date: Fri Mar 25 16:36:31 2022 +0000 io_uring: fix memory leak of uid in files registration commit c86d18f4aa93e0e66cda0e55827cd03eea6bc5f8 upstream. When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid. Fixes: 08a451739a9b5 ("io_uring: allow sparse fixed file sets") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/accee442376f33ce8aaebb099d04967533efde92.1648226048.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 94e9f5da39ee5f8ea31be1585de31c54f10dedce Author: Stefano Garzarella Date: Tue Mar 22 12:43:13 2022 +0100 virtio: use virtio_device_ready() in virtio_device_restore() commit 8d65bc9a5be3f23c5e2ab36b6b8ef40095165b18 upstream. After waking up a suspended VM, the kernel prints the following trace for virtio drivers which do not directly call virtio_device_ready() in the .restore: PM: suspend exit irq 22: nobody cared (try booting with the "irqpoll" option) Call Trace: dump_stack_lvl+0x38/0x49 dump_stack+0x10/0x12 __report_bad_irq+0x3a/0xaf note_interrupt.cold+0xb/0x60 handle_irq_event+0x71/0x80 handle_fasteoi_irq+0x95/0x1e0 __common_interrupt+0x6b/0x110 common_interrupt+0x63/0xe0 asm_common_interrupt+0x1e/0x40 ? __do_softirq+0x75/0x2f3 irq_exit_rcu+0x93/0xe0 sysvec_apic_timer_interrupt+0xac/0xd0 asm_sysvec_apic_timer_interrupt+0x12/0x20 arch_cpu_idle+0x12/0x20 default_idle_call+0x39/0xf0 do_idle+0x1b5/0x210 cpu_startup_entry+0x20/0x30 start_secondary+0xf3/0x100 secondary_startup_64_no_verify+0xc3/0xcb handlers: [<000000008f9bac49>] vp_interrupt [<000000008f9bac49>] vp_interrupt Disabling IRQ #22 This happens because we don't invoke .enable_cbs callback in virtio_device_restore(). That callback is used by some transports (e.g. virtio-pci) to enable interrupts. Let's fix it, by calling virtio_device_ready() as we do in virtio_dev_probe(). This function calls .enable_cts callback and sets DRIVER_OK status bit. This fix also avoids setting DRIVER_OK twice for those drivers that call virtio_device_ready() in the .restore. Fixes: d50497eb4e55 ("virtio_config: introduce a new .enable_cbs method") Signed-off-by: Stefano Garzarella Link: https://lore.kernel.org/r/20220322114313.116516-1-sgarzare@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit fc4a91afef240f5c6016a45d38a78ccaa0519c83 Author: Jason Wang Date: Wed Mar 23 11:15:24 2022 +0800 Revert "virtio_pci: harden MSI-X interrupts" commit eb4cecb453a19b34d5454b49532e09e9cb0c1529 upstream. This reverts commit 9e35276a5344f74d4a3600fc4100b3dd251d5c56. Issue were reported for the drivers that are using affinity managed IRQ where manually toggling IRQ status is not expected. And we forget to enable the interrupts in the restore path as well. In the future, we will rework on the interrupt hardening. Fixes: 9e35276a5344 ("virtio_pci: harden MSI-X interrupts") Reported-by: Marc Zyngier Reported-by: Stefano Garzarella Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20220323031524.6555-2-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 1f74d671ffebd38a0267642a73aafeef969d3aa0 Author: Jason Wang Date: Wed Mar 23 11:15:23 2022 +0800 Revert "virtio-pci: harden INTX interrupts" commit 7b79edfb862d6b1ecc66479419ae67a7db2d02e3 upstream. This reverts commit 080cd7c3ac8701081d143a15ba17dd9475313188. Since the MSI-X interrupts hardening will be reverted in the next patch. We will rework the interrupt hardening in the future. Fixes: 080cd7c3ac87 ("virtio-pci: harden INTX interrupts") Signed-off-by: Jason Wang Link: https://lore.kernel.org/r/20220323031524.6555-1-jasowang@redhat.com Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 0f8cf8f5ccbad25ed6828875b222dbab29d5c272 Author: Christophe JAILLET Date: Sat Mar 26 15:50:46 2022 +0100 block: Fix the maximum minor value is blk_alloc_ext_minor() commit d1868328dec5ae2cf210111025fcbc71f78dd5ca upstream. ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive. So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor(). This is an issue because in device_add_disk(), this value is used in: ddev->devt = MKDEV(disk->major, disk->first_minor); and NR_EXT_DEVT is '(1 << MINORBITS)'. So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow. Fixes: 22ae8ce8b892 ("block: simplify bdev/disk lookup in blkdev_get") Signed-off-by: Christophe JAILLET Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/cc17199798312406b90834e433d2cefe8266823d.1648306232.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 85a794409211756676224dcc27197bb38a5961ea Author: Arnd Bergmann Date: Tue Nov 30 11:16:41 2021 +0100 ARM: iop32x: offset IRQ numbers by 1 commit 9d67412f24cc3a2c05f35f7c856addb07a2960ce upstream. iop32x is one of the last platforms to use IRQ 0, and this has apparently stopped working in a 2014 cleanup without anyone noticing. This interrupt is used for the DMA engine, so most likely this has not actually worked in the past 7 years, but it's also not essential for using this board. I'm splitting out this change from my GENERIC_IRQ_MULTI_HANDLER conversion so it can be backported if anyone cares. Fixes: a71b092a9c68 ("ARM: Convert handle_IRQ to use __handle_domain_irq") Signed-off-by: Arnd Bergmann [ardb: take +1 offset into account in mask/unmask and init as well] Signed-off-by: Ard Biesheuvel Tested-by: Marc Zyngier Tested-by: Vladimir Murzin # ARMv7M Reviewed-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit c32fe764191b8ae8b128588beb96e3718d9179d8 Author: Baokun Li Date: Fri Nov 5 17:30:22 2021 +0800 ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl commit 3cbf0e392f173ba0ce425968c8374a6aa3e90f2e upstream. Hulk Robot reported a KASAN report about use-after-free: ================================================================== BUG: KASAN: use-after-free in __list_del_entry_valid+0x13d/0x160 Read of size 8 at addr ffff888035e37d98 by task ubiattach/1385 [...] Call Trace: klist_dec_and_del+0xa7/0x4a0 klist_put+0xc7/0x1a0 device_del+0x4d4/0xed0 cdev_device_del+0x1a/0x80 ubi_attach_mtd_dev+0x2951/0x34b0 [ubi] ctrl_cdev_ioctl+0x286/0x2f0 [ubi] Allocated by task 1414: device_add+0x60a/0x18b0 cdev_device_add+0x103/0x170 ubi_create_volume+0x1118/0x1a10 [ubi] ubi_cdev_ioctl+0xb7f/0x1ba0 [ubi] Freed by task 1385: cdev_device_del+0x1a/0x80 ubi_remove_volume+0x438/0x6c0 [ubi] ubi_cdev_ioctl+0xbf4/0x1ba0 [ubi] [...] ================================================================== The lock held by ctrl_cdev_ioctl is ubi_devices_mutex, but the lock held by ubi_cdev_ioctl is ubi->device_mutex. Therefore, the two locks can be concurrent. ctrl_cdev_ioctl contains two operations: ubi_attach and ubi_detach. ubi_detach is bug-free because it uses reference counting to prevent concurrency. However, uif_init and uif_close in ubi_attach may race with ubi_cdev_ioctl. uif_init will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_add_volume // sysfs exist kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume cdev_del // double free cdev_device_del And uif_close will race with ubi_cdev_ioctl as in the following stack. cpu1 cpu2 cpu3 _______________________|________________________|______________________ ctrl_cdev_ioctl ubi_attach_mtd_dev uif_init ubi_cdev_ioctl ubi_create_volume cdev_device_add ubi_debugfs_init_dev //error goto out_uif; uif_close kill_volumes ubi_cdev_ioctl ubi_remove_volume cdev_device_del // first free ubi_free_volume // double free The cause of this problem is that commit 714fb87e8bc0 make device "available" before it becomes accessible via sysfs. Therefore, we roll back the modification. We will fix the race condition between ubi device creation and udev by removing ubi_get_device in vol_attribute_show and dev_attribute_show.This avoids accessing uninitialized ubi_devices[ubi_num]. ubi_get_device is used to prevent devices from being deleted during sysfs execution. However, now kernfs ensures that devices will not be deleted before all reference counting are released. The key process is shown in the following stack. device_del device_remove_attrs device_remove_groups sysfs_remove_groups sysfs_remove_group remove_files kernfs_remove_by_name kernfs_remove_by_name_ns __kernfs_remove kernfs_drain Fixes: 714fb87e8bc0 ("ubi: Fix race condition between ubi device creation and udev") Reported-by: Hulk Robot Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 7172f8d079b9602b18b6c9fe632e828564dd5b23 Author: Jiaxin Yu Date: Sat Mar 19 20:03:25 2022 +0800 ASoC: mediatek: mt6358: add missing EXPORT_SYMBOLs commit a7663c89f4193dbf717572e46e5a3251940dbdc8 upstream. Fixes the following build errors when mt6358 is configured as module: >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-rt1019-rt5682s.ko] undefined! >> ERROR: modpost: "mt6358_set_mtkaif_protocol" >> [sound/soc/mediatek/mt8186/mt8186-mt6366-da7219-max98357.ko] undefined! Fixes: 6a8d4198ca80 ("ASoC: mediatek: mt6358: add codec driver") Signed-off-by: Jiaxin Yu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220319120325.11882-1-jiaxin.yu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9979cb3312a57f55f7093a2b450f310d7b20c883 Author: Meng Tang Date: Fri Mar 18 18:01:46 2022 +0800 ASoC: rockchip: i2s_tdm: Fixup config for SND_SOC_DAIFMT_DSP_A/B commit 2f45a4e2897793cc6ae25f5fe78b485ce7fd01d0 upstream. SND_SOC_DAIFMT_DSP_A: PCM delay 1 bit mode, L data MSB after FRM LRC SND_SOC_DAIFMT_DSP_B: PCM no delay mode, L data MSB during FRM LRC Fixes: 081068fd64140 (ASoC: rockchip: add support for i2s-tdm controller) Signed-off-by: Meng Tang Link: https://lore.kernel.org/r/20220318100146.23991-1-tangmeng@uniontech.com Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit ade0418df536750dc91ef087bb46dcde28be5532 Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:30 2022 +0100 pinctrl: nuvoton: npcm7xx: Use %zu printk format for ARRAY_SIZE() commit 9d0f18bca3b557ae5d2128661ac06d33b3f45c0a upstream. When compile-testing on 64-bit architectures, GCC complains about the mismatch of types between the %d format specifier and value returned by ARRAY_LENGTH(). Use %zu, which is correct everywhere. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-2-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit f5c7227edda12ec4fffb4009683a29cc65558cf2 Author: Jonathan Neuschäfer Date: Sat Feb 5 16:53:31 2022 +0100 pinctrl: nuvoton: npcm7xx: Rename DS() macro to DSTR() commit 603501c16431c56f74eaef1ee1390f60a30c2187 upstream. The name "DS" is defined in arch/x86/um/shared/sysdep/ptrace_64.h, which results in a compiler warning when build-testing on ARCH=um. Rename this driver's "DS" macro to DSTR so avoid this collision. Reported-by: kernel test robot Fixes: 3b588e43ee5c7 ("pinctrl: nuvoton: add NPCM7xx pinctrl and GPIO driver") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220205155332.1308899-3-j.neuschaefer@gmx.net Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 1974068dc399a682064e7848672531f99005be0a Author: Randy Dunlap Date: Tue Mar 29 18:20:25 2022 -0700 net: sparx5: uses, depends on BRIDGE or !BRIDGE commit f9512d654f62604664251dedd437a22fe484974a upstream. Fix build errors when BRIDGE=m and SPARX5_SWITCH=y: riscv64-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.o: in function `.L305': sparx5_switchdev.c:(.text+0xdb0): undefined reference to `br_vlan_enabled' riscv64-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_switchdev.o: in function `.L283': sparx5_switchdev.c:(.text+0xee0): undefined reference to `br_vlan_enabled' Fixes: 3cfa11bac9bb ("net: sparx5: add the basic sparx5 driver") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Horatiu Vultur Cc: Lars Povlsen Cc: Steen Hegelund Cc: UNGLinuxDriver@microchip.com Cc: Paolo Abeni Link: https://lore.kernel.org/r/20220330012025.29560-1-rdunlap@infradead.org Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit cc09e3ed2b4640cd39d17552bf7c8fd314984938 Author: Miaoqian Lin Date: Wed Jan 5 09:21:13 2022 +0000 watchdog: rti-wdt: Add missing pm_runtime_disable() in probe function commit d055ef3a2c6919cff504ae3b710c96318d545fd2 upstream. If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Fixes: 2d63908bdbfb ("watchdog: Add K3 RTI watchdog support") Signed-off-by: Miaoqian Lin Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20220105092114.23932-1-linmq006@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 99863703d24ee437c7d568731766ea3f6b1640fe Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:46 2022 +0800 pinctrl: pinconf-generic: Print arguments for bias-pull-* commit 188e5834b930acd03ad3cf7c5e7aa24db9665a29 upstream. The bias-pull-* properties, or PIN_CONFIG_BIAS_PULL_* pin config parameters, accept optional arguments in ohms denoting the strength of the pin bias. Print these values out in debugfs as well. Fixes: eec450713e5c ("pinctrl: pinconf-generic: Add flag to print arguments") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Tested-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-2-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 3963a5d1ff75585bddf0c3a918566a6be09d7520 Author: Eric Dumazet Date: Mon Mar 28 18:07:04 2022 +0100 watch_queue: Free the page array when watch_queue is dismantled commit b490207017ba237d97b735b2aa66dc241ccd18f5 upstream. Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array. BUG: memory leak unreferenced object 0xffff88810d9bc140 (size 32): comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s) hex dump (first 32 bytes): 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: kmalloc_array include/linux/slab.h:621 [inline] kcalloc include/linux/slab.h:652 [inline] watch_queue_set_size+0x12f/0x2e0 kernel/watch_queue.c:251 pipe_ioctl+0x82/0x140 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0xfc/0x140 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] Reported-by: syzbot+25ea042ae28f3888727a@syzkaller.appspotmail.com Fixes: c73be61cede5 ("pipe: Add general notification queue support") Signed-off-by: Eric Dumazet Signed-off-by: David Howells Cc: Jann Horn Link: https://lore.kernel.org/r/20220322004654.618274-1-eric.dumazet@gmail.com/ Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a7510e7c37108f760d9c6b44111ddef6716f4e3d Author: Herbert Xu Date: Thu Mar 17 10:55:13 2022 +1200 crypto: arm/aes-neonbs-cbc - Select generic cbc and aes commit c8bd296cca3434b13b28b074eaeb78a23284de77 upstream. The algorithm __cbc-aes-neonbs requires a fallback so we need to select the config options for them or otherwise it will fail to register on boot-up. Fixes: 00b99ad2bac2 ("crypto: arm/aes-neonbs - Use generic cbc...") Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit a66314e41f7a4ba476a9fc2bc232faa37317c123 Author: Robin Gong Date: Mon Feb 7 09:52:06 2022 +0800 mailbox: imx: fix wakeup failure from freeze mode commit 892cb524ae8a27bf5e42f711318371acd9a9f74a upstream. Since IRQF_NO_SUSPEND used for imx mailbox driver, that means this irq can't be used for wakeup source so that can't wakeup from freeze mode. Add pm_system_wakeup() to wakeup from freeze mode. Fixes: b7b2796b9b31e("mailbox: imx: ONLY IPC MU needs IRQF_NO_SUSPEND flag") Reviewed-by: Jacky Bai Reviewed-by: Peng Fan Signed-off-by: Robin Gong Signed-off-by: Peng Fan Signed-off-by: Jassi Brar Signed-off-by: Greg Kroah-Hartman commit 54df5a37f1d951ed27fd47bf9b15a42279582110 Author: David Howells Date: Wed Mar 30 15:39:16 2022 +0100 rxrpc: Fix call timer start racing with call destruction commit 4a7f62f91933c8ae5308f9127fd8ea48188b6bc3 upstream. The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref or other lock is taken - the call can start getting destroyed at the same time a packet comes in addressed to that call. This causes the timer - which was already stopped - to get restarted. Later, the timer dispatch code may then oops if the timer got deallocated first. Fix this by trying to take a ref on the rxrpc_call struct and, if successful, passing that ref along to the timer. If the timer was already running, the ref is discarded. The timer completion routine can then pass the ref along to the call's work item when it queues it. If the timer or work item where already queued/running, the extra ref is discarded. Fixes: a158bdd3247b ("rxrpc: Fix call timeouts") Reported-by: Marc Dionne Signed-off-by: David Howells Reviewed-by: Marc Dionne Tested-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005073.html Link: https://lore.kernel.org/r/164865115696.2943015.11097991776647323586.stgit@warthog.procyon.org.uk Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit c3c415ae0c82da1349d85b8c9b18e6480aa6a230 Author: Xiaolong Huang Date: Wed Mar 30 15:22:14 2022 +0100 rxrpc: fix some null-ptr-deref bugs in server_key.c commit ff8376ade4f668130385839cef586a0990f8ef87 upstream. Some function calls are not implemented in rxrpc_no_security, there are preparse_server_key, free_preparse_server_key and destroy_server_key. When rxrpc security type is rxrpc_no_security, user can easily trigger a null-ptr-deref bug via ioctl. So judgment should be added to prevent it The crash log: user@syzkaller:~$ ./rxrpc_preparse_s [ 37.956878][T15626] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 37.957645][T15626] #PF: supervisor instruction fetch in kernel mode [ 37.958229][T15626] #PF: error_code(0x0010) - not-present page [ 37.958762][T15626] PGD 4aadf067 P4D 4aadf067 PUD 4aade067 PMD 0 [ 37.959321][T15626] Oops: 0010 [#1] PREEMPT SMP [ 37.959739][T15626] CPU: 0 PID: 15626 Comm: rxrpc_preparse_ Not tainted 5.17.0-01442-gb47d5a4f6b8d #43 [ 37.960588][T15626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 [ 37.961474][T15626] RIP: 0010:0x0 [ 37.961787][T15626] Code: Unable to access opcode bytes at RIP 0xffffffffffffffd6. [ 37.962480][T15626] RSP: 0018:ffffc9000d9abdc0 EFLAGS: 00010286 [ 37.963018][T15626] RAX: ffffffff84335200 RBX: ffff888012a1ce80 RCX: 0000000000000000 [ 37.963727][T15626] RDX: 0000000000000000 RSI: ffffffff84a736dc RDI: ffffc9000d9abe48 [ 37.964425][T15626] RBP: ffffc9000d9abe48 R08: 0000000000000000 R09: 0000000000000002 [ 37.965118][T15626] R10: 000000000000000a R11: f000000000000000 R12: ffff888013145680 [ 37.965836][T15626] R13: 0000000000000000 R14: ffffffffffffffec R15: ffff8880432aba80 [ 37.966441][T15626] FS: 00007f2177907700(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000 [ 37.966979][T15626] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.967384][T15626] CR2: ffffffffffffffd6 CR3: 000000004aaf1000 CR4: 00000000000006f0 [ 37.967864][T15626] Call Trace: [ 37.968062][T15626] [ 37.968240][T15626] rxrpc_preparse_s+0x59/0x90 [ 37.968541][T15626] key_create_or_update+0x174/0x510 [ 37.968863][T15626] __x64_sys_add_key+0x139/0x1d0 [ 37.969165][T15626] do_syscall_64+0x35/0xb0 [ 37.969451][T15626] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 37.969824][T15626] RIP: 0033:0x43a1f9 Signed-off-by: Xiaolong Huang Tested-by: Xiaolong Huang Signed-off-by: David Howells Acked-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: http://lists.infradead.org/pipermail/linux-afs/2022-March/005069.html Fixes: 12da59fcab5a ("rxrpc: Hand server key parsing off to the security class") Link: https://lore.kernel.org/r/164865013439.2941502.8966285221215590921.stgit@warthog.procyon.org.uk Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit b95f792a33e5074c53aae392b92b9c3c2c274edd Author: Guangbin Huang Date: Wed Mar 30 21:45:06 2022 +0800 net: hns3: fix software vlan talbe of vlan 0 inconsistent with hardware commit 7ed258f12ec5ce855f15cdfb5710361dc82fe899 upstream. When user delete vlan 0, as driver will not delete vlan 0 for hardware in function hclge_set_vlan_filter_hw(), so vlan 0 in software vlan talbe should not be deleted. Fixes: fe4144d47eef ("net: hns3: sync VLAN filter entries when kill VLAN ID failed") Signed-off-by: Guangbin Huang Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 776c76d1f3ffad3b8fee883b1c50b4d0a934f6b1 Author: Yufeng Mo Date: Wed Mar 30 21:45:05 2022 +0800 net: hns3: fix the concurrency between functions reading debugfs commit 9c9a04212fa380d2e7d1412bb281309955c0a781 upstream. Currently, the debugfs mechanism is that all functions share a global variable to save the pointer for obtaining data. When different functions concurrently access the same file node, repeated release exceptions occur. Therefore, the granularity of the pointer for storing the obtained data is adjusted to be private for each function. Fixes: 5e69ea7ee2a6 ("net: hns3: refactor the debugfs process") Signed-off-by: Yufeng Mo Signed-off-by: Guangbin Huang Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit a4d49dc9c9c38d1075e639064d296b6577eaf74d Author: Andrew Price Date: Tue Mar 22 19:05:51 2022 +0000 gfs2: Make sure FITRIM minlen is rounded up to fs block size commit 27ca8273fda398638ca994a207323a85b6d81190 upstream. Per fstrim(8) we must round up the minlen argument to the fs block size. The current calculation doesn't take into account devices that have a discard granularity and requested minlen less than 1 fs block, so the value can get shifted away to zero in the translation to fs blocks. The zero minlen passed to gfs2_rgrp_send_discards() then allows sb_issue_discard() to be called with nr_sects == 0 which returns -EINVAL and results in gfs2_rgrp_send_discards() returning -EIO. Make sure minlen is never < 1 fs block by taking the max of the requested minlen and the fs block size before comparing to the device's discard granularity and shifting to fs blocks. Fixes: 076f0faa764ab ("GFS2: Fix FITRIM argument handling") Signed-off-by: Andrew Price Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit 6a5e6d01a6e9e2c9ce86ce540ee5ea22fa5c8304 Author: Andreas Gruenbacher Date: Thu Mar 17 14:47:24 2022 +0100 gfs2: Fix gfs2_file_buffered_write endless loop workaround commit 46f3e0421ccb5474b5c006b0089b9dfd42534bb6 upstream. Since commit 554c577cee95b, gfs2_file_buffered_write() can accidentally return a truncated iov_iter, which might confuse callers. Fix that. Fixes: 554c577cee95b ("gfs2: Prevent endless loops in gfs2_file_buffered_write") Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit e9600f5c513021eed019397070d90973e44ad96f Author: Andreas Gruenbacher Date: Fri Dec 10 14:43:36 2021 +0100 gfs2: gfs2_setattr_size error path fix commit 7336905a89f19173bf9301cd50a24421162f417c upstream. When gfs2_setattr_size() fails, it calls gfs2_rs_delete(ip, NULL) to get rid of any reservations the inode may have. Instead, it should pass in the inode's write count as the second parameter to allow gfs2_rs_delete() to figure out if the inode has any writers left. In a next step, there are two instances of gfs2_rs_delete(ip, NULL) left where we know that there can be no other users of the inode. Replace those with gfs2_rs_deltree(&ip->i_res) to avoid the unnecessary write count check. With that, gfs2_rs_delete() is only called with the inode's actual write count, so get rid of the second parameter. Fixes: a097dc7e24cb ("GFS2: Make rgrp reservations part of the gfs2_inode structure") Signed-off-by: Andreas Gruenbacher Signed-off-by: Greg Kroah-Hartman commit fa86484dfc9fd133be8710ddbdae699c30fbe604 Author: Carlos Llamas Date: Tue Mar 29 20:18:15 2022 +0000 loop: fix ioctl calls using compat_loop_info commit f941c51eeac7ebe0f8ec30943bf78e7f60aad039 upstream. Support for cryptoloop was deleted in commit 47e9624616c8 ("block: remove support for cryptoloop and the xor transfer"), making the usage of loop_info->lo_encrypt_type obsolete. However, this member was also removed from the compat_loop_info definition and this breaks userspace ioctl calls for 32-bit binaries and CONFIG_COMPAT=y. This patch restores the compat_loop_info->lo_encrypt_type member and marks it obsolete as well as in the uapi header definitions. Fixes: 47e9624616c8 ("block: remove support for cryptoloop and the xor transfer") Signed-off-by: Carlos Llamas Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220329201815.1347500-1-cmllamas@google.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 77dbaa6624b25731e77e9ec946188d258f3aa7f0 Author: Tom Rix Date: Sat Mar 26 12:42:36 2022 -0700 rtc: check if __rtc_read_time was successful commit 915593a7a663b2ad08b895a5f3ba8b19d89d4ebf upstream. Clang static analysis reports this issue interface.c:810:8: warning: Passed-by-value struct argument contains uninitialized data now = rtc_tm_to_ktime(tm); ^~~~~~~~~~~~~~~~~~~ tm is set by a successful call to __rtc_read_time() but its return status is not checked. Check if it was successful before setting the enabled flag. Move the decl of err to function scope. Fixes: 2b2f5ff00f63 ("rtc: interface: ignore expired timers when enqueuing new timers") Signed-off-by: Tom Rix Signed-off-by: Alexandre Belloni Link: https://lore.kernel.org/r/20220326194236.2916310-1-trix@redhat.com Signed-off-by: Greg Kroah-Hartman commit 929b5daafacc5085de4c5db1f3c4917f7bba86d3 Author: Masahiro Yamada Date: Sat Apr 2 00:56:10 2022 +0900 modpost: restore the warning message for missing symbol versions commit bf5c0c2231bcab677e5cdfb7f73e6c79f6d8c2d4 upstream. This log message was accidentally chopped off. I was wondering why this happened, but checking the ML log, Mark precisely followed my suggestion [1]. I just used "..." because I was too lazy to type the sentence fully. Sorry for the confusion. [1]: https://lore.kernel.org/all/CAK7LNAR6bXXk9-ZzZYpTqzFqdYbQsZHmiWspu27rtsFxvfRuVA@mail.gmail.com/ Fixes: 4a6795933a89 ("kbuild: modpost: Explicitly warn about unprototyped symbols") Signed-off-by: Masahiro Yamada Acked-by: Mark Brown Reviewed-by: Nick Desaulniers Signed-off-by: Greg Kroah-Hartman commit 9ba1807a64cd1e51bc6eca264b8796878633f8c7 Author: Matthew Wilcox (Oracle) Date: Thu Mar 31 08:27:09 2022 -0400 XArray: Update the LRU list in xas_split() commit 3ed4bb77156da0bc732847c8c9df92454c1fbeea upstream. When splitting a value entry, we may need to add the new nodes to the LRU list and remove the parent node from the LRU list. The WARN_ON checks in shadow_lru_isolate() catch this oversight. This bug was latent until we stopped splitting folios in shrink_page_list() with commit 820c4e2e6f51 ("mm/vmscan: Free non-shmem folios without splitting them"). That allows the creation of large shadow entries, and subsequently when trying to page in a small page, we will split the large shadow entry in __filemap_add_folio(). Fixes: 8fc75643c5e1 ("XArray: add xas_split") Reported-by: Hugh Dickins Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit 1ba3f87134ad63a19f6aa59786dd64a779e155e9 Author: Tom Rix Date: Sat Mar 19 08:31:28 2022 -0700 can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value commit fa7b514d2b2894e052b8e94c7a29feb98e90093f upstream. Clang static analysis reports this issue: | mcp251xfd-core.c:1813:7: warning: The left operand | of '&' is a garbage value | FIELD_GET(MCP251XFD_REG_DEVID_ID_MASK, dev_id), | ^ ~~~~~~ dev_id is set in a successful call to mcp251xfd_register_get_dev_id(). Though the status of calls made by mcp251xfd_register_get_dev_id() are checked and handled, their status' are not returned. So return err. Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN") Link: https://lore.kernel.org/all/20220319153128.2164120-1-trix@redhat.com Signed-off-by: Tom Rix Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 88272b4a37913bdf6f339162a7920bd8e9b49de2 Author: Pavel Skripkin Date: Sun Mar 13 13:09:03 2022 +0300 can: mcba_usb: properly check endpoint type commit 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 upstream. Syzbot reported warning in usb_submit_urb() which is caused by wrong endpoint type. We should check that in endpoint is actually present to prevent this warning. Found pipes are now saved to struct mcba_priv and code uses them directly instead of making pipes in place. Fail log: | usb 5-1: BOGUS urb xfer, pipe 3 != type 1 | WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | Modules linked in: | CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0 | Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 | Workqueue: usb_hub_wq hub_event | RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502 | ... | Call Trace: | | mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline] | mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858 | usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396 | call_driver_probe drivers/base/dd.c:517 [inline] Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Reviewed-by: Vincent Mailhol Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit f913412848defa326a155c47d026267624472190 Author: Hangyu Hua Date: Fri Mar 11 16:02:08 2022 +0800 can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174 upstream. There is no need to call dev_kfree_skb() when usb_submit_urb() fails because can_put_echo_skb() deletes original skb and can_free_echo_skb() deletes the cloned skb. Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer") Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com Signed-off-by: Hangyu Hua Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 29968329b926d238e3107ec071a250397555d264 Author: Matthew Wilcox (Oracle) Date: Mon Mar 28 19:25:11 2022 -0400 XArray: Fix xas_create_range() when multi-order entry present commit 3e3c658055c002900982513e289398a1aad4a488 upstream. If there is already an entry present that is of order >= XA_CHUNK_SHIFT when we call xas_create_range(), xas_create_range() will misinterpret that entry as a node and dereference xa_node->parent, generally leading to a crash that looks something like this: general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 0 PID: 32 Comm: khugepaged Not tainted 5.17.0-rc8-syzkaller-00003-g56e337f2cf13 #0 RIP: 0010:xa_parent_locked include/linux/xarray.h:1207 [inline] RIP: 0010:xas_create_range+0x2d9/0x6e0 lib/xarray.c:725 It's deterministically reproducable once you know what the problem is, but producing it in a live kernel requires khugepaged to hit a race. While the problem has been present since xas_create_range() was introduced, I'm not aware of a way to hit it before the page cache was converted to use multi-index entries. Fixes: 6b24ca4a1a8d ("mm: Use multi-index entries in the page cache") Reported-by: syzbot+0d2b0bf32ca5cfd09f2e@syzkaller.appspotmail.com Signed-off-by: Matthew Wilcox (Oracle) Signed-off-by: Greg Kroah-Hartman commit efde4c0cf7fdbaa27c11740b0ced2e84f73779d8 Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:27 2022 -0400 wireguard: socket: ignore v6 endpoints when ipv6 is disabled commit 77fc73ac89be96ec8f39e8efa53885caa7cb3645 upstream. The previous commit fixed a memory leak on the send path in the event that IPv6 is disabled at compile time, but how did a packet even arrive there to begin with? It turns out we have previously allowed IPv6 endpoints even when IPv6 support is disabled at compile time. This is awkward and inconsistent. Instead, let's just ignore all things IPv6, the same way we do other malformed endpoints, in the case where IPv6 is disabled. Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit ebcc492f4ba14bae54b898f1016a37b4282558d1 Author: Wang Hai Date: Tue Mar 29 21:31:26 2022 -0400 wireguard: socket: free skb in send6 when ipv6 is disabled commit bbbf962d9460194993ee1943a793a0a0af4a7fbf upstream. I got a memory leak report: unreferenced object 0xffff8881191fc040 (size 232): comm "kworker/u17:0", pid 23193, jiffies 4295238848 (age 3464.870s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] slab_post_alloc_hook+0x84/0x3b0 [] kmem_cache_alloc_node+0x167/0x340 [] __alloc_skb+0x1db/0x200 [] wg_socket_send_buffer_to_peer+0x3d/0xc0 [] wg_packet_send_handshake_initiation+0xfa/0x110 [] wg_packet_handshake_send_worker+0x21/0x30 [] process_one_work+0x2e8/0x770 [] worker_thread+0x4a/0x4b0 [] kthread+0x120/0x160 [] ret_from_fork+0x1f/0x30 In function wg_socket_send_buffer_as_reply_to_skb() or wg_socket_send_ buffer_to_peer(), the semantics of send6() is required to free skb. But when CONFIG_IPV6 is disable, kfree_skb() is missing. This patch adds it to fix this bug. Signed-off-by: Wang Hai Fixes: e7096c131e51 ("net: WireGuard secure network tunnel") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 76abd1562e7c43cd6cf0a2bc23edf732329a145a Author: Jason A. Donenfeld Date: Tue Mar 29 21:31:24 2022 -0400 wireguard: queueing: use CFI-safe ptr_ring cleanup function commit ec59f128a9bd4255798abb1e06ac3b442f46ef68 upstream. We make too nuanced use of ptr_ring to entirely move to the skb_array wrappers, but we at least should avoid the naughty function pointer cast when cleaning up skbs. Otherwise RAP/CFI will honk at us. This patch uses the __skb_array_destroy_skb wrapper for the cleanup, rather than directly providing kfree_skb, which is what other drivers in the same situation do too. Reported-by: PaX Team Fixes: 886fcee939ad ("wireguard: receive: use ring buffer for incoming handshakes") Signed-off-by: Jason A. Donenfeld Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 5a2f97d29740e4953771a32558b1d4c13b3effa0 Author: Pankaj Raghav Date: Tue Mar 22 10:20:48 2022 +0100 nvme: fix the read-only state for zoned namespaces with unsupposed features commit 726be2c72efc0a64c206e854b8996ad3ab9c7507 upstream. commit 2f4c9ba23b88 ("nvme: export zoned namespaces without Zone Append support read-only") marks zoned namespaces without append support read-only. It does iso by setting NVME_NS_FORCE_RO in ns->flags in nvme_update_zone_info and checking for that flag later in nvme_update_disk_info to mark the disk as read-only. But commit 73d90386b559 ("nvme: cleanup zone information initialization") rearranged nvme_update_disk_info to be called before nvme_update_zone_info and thus not marking the disk as read-only. The call order cannot be just reverted because nvme_update_zone_info sets certain queue parameters such as zone_write_granularity that depend on the prior call to nvme_update_disk_info. Remove the call to set_disk_ro in nvme_update_disk_info. and call set_disk_ro after nvme_update_zone_info and nvme_update_disk_info to set the permission for ZNS drives correctly. The same applies to the multipath disk path. Fixes: 73d90386b559 ("nvme: cleanup zone information initialization") Signed-off-by: Pankaj Raghav Signed-off-by: Christoph Hellwig Signed-off-by: Greg Kroah-Hartman commit 1e2f5b031bfa437626292ed78b289ebdc2399516 Author: Sungup Moon Date: Mon Mar 14 20:05:45 2022 +0900 nvme: allow duplicate NSIDs for private namespaces commit 5974ea7ce0f9a5987fc8cf5e08ad6e3e70bb542e upstream. A NVMe subsystem with multiple controller can have private namespaces that use the same NSID under some conditions: "If Namespace Management, ANA Reporting, or NVM Sets are supported, the NSIDs shall be unique within the NVM subsystem. If the Namespace Management, ANA Reporting, and NVM Sets are not supported, then NSIDs: a) for shared namespace shall be unique; and b) for private namespace are not required to be unique." Reference: Section 6.1.6 NSID and Namespace Usage; NVM Express 1.4c spec. Make sure this specific setup is supported in Linux. Fixes: 9ad1927a3bc2 ("nvme: always search for namespace head") Signed-off-by: Sungup Moon [hch: refactored and fixed the controller vs subsystem based naming conflict] Signed-off-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Signed-off-by: Greg Kroah-Hartman commit 0fbc51fb42ecc040118d4cfe85c6b7d1a127d471 Author: Baokun Li Date: Tue Feb 15 12:07:36 2022 +0800 ubifs: rename_whiteout: correct old_dir size computing commit 705757274599e2e064dd3054aabc74e8af31a095 upstream. When renaming the whiteout file, the old whiteout file is not deleted. Therefore, we add the old dentry size to the old dir like XFS. Otherwise, an error may be reported due to `fscki->calc_sz != fscki->size` in check_indes. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Reported-by: Zhihao Cheng Signed-off-by: Baokun Li Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 5aaa2c0f0052b02c4a982993d4c5bb68fb7cbe22 Author: Zhihao Cheng Date: Mon Dec 27 11:22:41 2021 +0800 ubifs: Fix to add refcount once page is set private commit 3b67db8a6ca83e6ff90b756d3da0c966f61cd37b upstream. MM defined the rule [1] very clearly that once page was set with PG_private flag, we should increment the refcount in that page, also main flows like pageout(), migrate_page() will assume there is one additional page reference count if page_has_private() returns true. Otherwise, we may get a BUG in page migration: page:0000000080d05b9d refcount:-1 mapcount:0 mapping:000000005f4d82a8 index:0xe2 pfn:0x14c12 aops:ubifs_file_address_operations [ubifs] ino:8f1 dentry name:"f30e" flags: 0x1fffff80002405(locked|uptodate|owner_priv_1|private|node=0| zone=1|lastcpupid=0x1fffff) page dumped because: VM_BUG_ON_PAGE(page_count(page) != 0) ------------[ cut here ]------------ kernel BUG at include/linux/page_ref.h:184! invalid opcode: 0000 [#1] SMP CPU: 3 PID: 38 Comm: kcompactd0 Not tainted 5.15.0-rc5 RIP: 0010:migrate_page_move_mapping+0xac3/0xe70 Call Trace: ubifs_migrate_page+0x22/0xc0 [ubifs] move_to_new_page+0xb4/0x600 migrate_pages+0x1523/0x1cc0 compact_zone+0x8c5/0x14b0 kcompactd+0x2bc/0x560 kthread+0x18c/0x1e0 ret_from_fork+0x1f/0x30 Before the time, we should make clean a concept, what does refcount means in page gotten from grab_cache_page_write_begin(). There are 2 situations: Situation 1: refcount is 3, page is created by __page_cache_alloc. TYPE_A - the write process is using this page TYPE_B - page is assigned to one certain mapping by calling __add_to_page_cache_locked() TYPE_C - page is added into pagevec list corresponding current cpu by calling lru_cache_add() Situation 2: refcount is 2, page is gotten from the mapping's tree TYPE_B - page has been assigned to one certain mapping TYPE_A - the write process is using this page (by calling page_cache_get_speculative()) Filesystem releases one refcount by calling put_page() in xxx_write_end(), the released refcount corresponds to TYPE_A (write task is using it). If there are any processes using a page, page migration process will skip the page by judging whether expected_page_refs() equals to page refcount. The BUG is caused by following process: PA(cpu 0) kcompactd(cpu 1) compact_zone ubifs_write_begin page_a = grab_cache_page_write_begin add_to_page_cache_lru lru_cache_add pagevec_add // put page into cpu 0's pagevec (refcnf = 3, for page creation process) ubifs_write_end SetPagePrivate(page_a) // doesn't increase page count ! unlock_page(page_a) put_page(page_a) // refcnt = 2 [...] PB(cpu 0) filemap_read filemap_get_pages add_to_page_cache_lru lru_cache_add __pagevec_lru_add // traverse all pages in cpu 0's pagevec __pagevec_lru_add_fn SetPageLRU(page_a) isolate_migratepages isolate_migratepages_block get_page_unless_zero(page_a) // refcnt = 3 list_add(page_a, from_list) migrate_pages(from_list) __unmap_and_move move_to_new_page ubifs_migrate_page(page_a) migrate_page_move_mapping expected_page_refs get 3 (migration[1] + mapping[1] + private[1]) release_pages put_page_testzero(page_a) // refcnt = 3 page_ref_freeze // refcnt = 0 page_ref_dec_and_test(0 - 1 = -1) page_ref_unfreeze VM_BUG_ON_PAGE(-1 != 0, page) UBIFS doesn't increase the page refcount after setting private flag, which leads to page migration task believes the page is not used by any other processes, so the page is migrated. This causes concurrent accessing on page refcount between put_page() called by other process(eg. read process calls lru_cache_add) and page_ref_unfreeze() called by migration task. Actually zhangjun has tried to fix this problem [2] by recalculating page refcnt in ubifs_migrate_page(). It's better to follow MM rules [1], because just like Kirill suggested in [2], we need to check all users of page_has_private() helper. Like f2fs does in [3], fix it by adding/deleting refcount when setting/clearing private for a page. BTW, according to [4], we set 'page->private' as 1 because ubifs just simply SetPagePrivate(). And, [5] provided a common helper to set/clear page private, ubifs can use this helper following the example of iomap, afs, btrfs, etc. Jump [6] to find a reproducer. [1] https://lore.kernel.org/lkml/2b19b3c4-2bc4-15fa-15cc-27a13e5c7af1@aol.com [2] https://www.spinics.net/lists/linux-mtd/msg04018.html [3] http://lkml.iu.edu/hypermail/linux/kernel/1903.0/03313.html [4] https://lore.kernel.org/linux-f2fs-devel/20210422154705.GO3596236@casper.infradead.org [5] https://lore.kernel.org/all/20200517214718.468-1-guoqing.jiang@cloud.ionos.com [6] https://bugzilla.kernel.org/show_bug.cgi?id=214961 Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit e09fa5318d51f522e1af4fbaf8f74999355980c8 Author: Zhihao Cheng Date: Mon Dec 27 11:22:40 2021 +0800 ubifs: Fix read out-of-bounds in ubifs_wbuf_write_nolock() commit 4f2262a334641e05f645364d5ade1f565c85f20b upstream. Function ubifs_wbuf_write_nolock() may access buf out of bounds in following process: ubifs_wbuf_write_nolock(): aligned_len = ALIGN(len, 8); // Assume len = 4089, aligned_len = 4096 if (aligned_len <= wbuf->avail) ... // Not satisfy if (wbuf->used) { ubifs_leb_write() // Fill some data in avail wbuf len -= wbuf->avail; // len is still not 8-bytes aligned aligned_len -= wbuf->avail; } n = aligned_len >> c->max_write_shift; if (n) { n <<= c->max_write_shift; err = ubifs_leb_write(c, wbuf->lnum, buf + written, wbuf->offs, n); // n > len, read out of bounds less than 8(n-len) bytes } , which can be catched by KASAN: ========================================================= BUG: KASAN: slab-out-of-bounds in ecc_sw_hamming_calculate+0x1dc/0x7d0 Read of size 4 at addr ffff888105594ff8 by task kworker/u8:4/128 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: kasan_report.cold+0x81/0x165 nand_write_page_swecc+0xa9/0x160 ubifs_leb_write+0xf2/0x1b0 [ubifs] ubifs_wbuf_write_nolock+0x421/0x12c0 [ubifs] write_head+0xdc/0x1c0 [ubifs] ubifs_jnl_write_inode+0x627/0x960 [ubifs] wb_workfn+0x8af/0xb80 Function ubifs_wbuf_write_nolock() accepts that parameter 'len' is not 8 bytes aligned, the 'len' represents the true length of buf (which is allocated in 'ubifs_jnl_xxx', eg. ubifs_jnl_write_inode), so ubifs_wbuf_write_nolock() must handle the length read from 'buf' carefully to write leb safely. Fetch a reproducer in [Link]. Fixes: 1e51764a3c2ac0 ("UBIFS: add new flash file system") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214785 Reported-by: Chengsong Ke Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 560774cc5857b45307ccf71f062d82e4dc5dc595 Author: Zhihao Cheng Date: Mon Dec 27 11:22:39 2021 +0800 ubifs: setflags: Make dirtied_ino_d 8 bytes aligned commit 1b83ec057db16b4d0697dc21ef7a9743b6041f72 upstream. Make 'ui->data_len' aligned with 8 bytes before it is assigned to dirtied_ino_d. Since 8871d84c8f8b0c6b("ubifs: convert to fileattr") applied, 'setflags()' only affects regular files and directories, only xattr inode, symlink inode and special inode(pipe/char_dev/block_dev) have none- zero 'ui->data_len' field, so assertion '!(req->dirtied_ino_d & 7)' cannot fail in ubifs_budget_space(). To avoid assertion fails in future evolution(eg. setflags can operate special inodes), it's better to make dirtied_ino_d 8 bytes aligned, after all aligned size is still zero for regular files. Fixes: 1e51764a3c2ac05a ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit de407bf5e452a6553348e34e9ddcdbcf9790f79c Author: Zhihao Cheng Date: Mon Dec 27 11:22:38 2021 +0800 ubifs: Rectify space amount budget for mkdir/tmpfile operations commit a6dab6607d4681d227905d5198710b575dbdb519 upstream. UBIFS should make sure the flash has enough space to store dirty (Data that is newer than disk) data (in memory), space budget is exactly designed to do that. If space budget calculates less data than we need, 'make_reservation()' will do more work(return -ENOSPC if no free space lelf, sometimes we can see "cannot reserve xxx bytes in jhead xxx, error -28" in ubifs error messages) with ubifs inodes locked, which may effect other syscalls. A simple way to decide how much space do we need when make a budget: See how much space is needed by 'make_reservation()' in ubifs_jnl_xxx() function according to corresponding operation. It's better to report ENOSPC in ubifs_budget_space(), as early as we can. Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE") Fixes: 1e51764a3c2ac05 ("UBIFS: add new flash file system") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit f3bdd3b7415fe4e3337bc34a2842cf1adba5c378 Author: Zhihao Cheng Date: Mon Dec 27 11:22:37 2021 +0800 ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work commit 60eb3b9c9f11206996f57cb89521824304b305ad upstream. 'ui->dirty' is not protected by 'ui_mutex' in function do_tmpfile() which may race with ubifs_write_inode[wb_workfn] to access/update 'ui->dirty', finally dirty space is released twice. open(O_TMPFILE) wb_workfn do_tmpfile ubifs_budget_space(ino_req = { .dirtied_ino = 1}) d_tmpfile // mark inode(tmpfile) dirty ubifs_jnl_update // without holding tmpfile's ui_mutex mark_inode_clean(ui) if (ui->dirty) ubifs_release_dirty_inode_budget(ui) // release first time ubifs_write_inode mutex_lock(&ui->ui_mutex) ubifs_release_dirty_inode_budget(ui) // release second time mutex_unlock(&ui->ui_mutex) ui->dirty = 0 Run generic/476 can reproduce following message easily (See reproducer in [Link]): UBIFS error (ubi0:0 pid 2578): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554 UBIFS warning (ubi0:0 pid 2578): ubifs_ro_mode [ubifs]: switched to read-only mode, error -22 Workqueue: writeback wb_workfn (flush-ubifs_0_0) Call Trace: ubifs_ro_mode+0x54/0x60 [ubifs] ubifs_assert_failed+0x4b/0x80 [ubifs] ubifs_release_budget+0x468/0x5a0 [ubifs] ubifs_release_dirty_inode_budget+0x53/0x80 [ubifs] ubifs_write_inode+0x121/0x1f0 [ubifs] ... wb_workfn+0x283/0x7b0 Fix it by holding tmpfile ubifs inode lock during ubifs_jnl_update(). Similar problem exists in whiteout renaming, but previous fix("ubifs: Rename whiteout atomically") has solved the problem. Fixes: 474b93704f32163 ("ubifs: Implement O_TMPFILE") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214765 Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 17495eb2f7f08113b50aba298c2c1a045824c4f7 Author: Zhihao Cheng Date: Mon Dec 27 11:22:36 2021 +0800 ubifs: Rename whiteout atomically commit 278d9a243635f26c05ad95dcf9c5a593b9e04dc6 upstream. Currently, rename whiteout has 3 steps: 1. create tmpfile(which associates old dentry to tmpfile inode) for whiteout, and store tmpfile to disk 2. link whiteout, associate whiteout inode to old dentry agagin and store old dentry, old inode, new dentry on disk 3. writeback dirty whiteout inode to disk Suddenly power-cut or error occurring(eg. ENOSPC returned by budget, memory allocation failure) during above steps may cause kinds of problems: Problem 1: ENOSPC returned by whiteout space budget (before step 2), old dentry will disappear after rename syscall, whiteout file cannot be found either. ls dir // we get file, whiteout rename(dir/file, dir/whiteout, REANME_WHITEOUT) ENOSPC = ubifs_budget_space(&wht_req) // return ls dir // empty (no file, no whiteout) Problem 2: Power-cut happens before step 3, whiteout inode with 'nlink=1' is not stored on disk, whiteout dentry(old dentry) is written on disk, whiteout file is lost on next mount (We get "dead directory entry" after executing 'ls -l' on whiteout file). Now, we use following 3 steps to finish rename whiteout: 1. create an in-mem inode with 'nlink = 1' as whiteout 2. ubifs_jnl_rename (Write on disk to finish associating old dentry to whiteout inode, associating new dentry with old inode) 3. iput(whiteout) Rely writing in-mem inode on disk by ubifs_jnl_rename() to finish rename whiteout, which avoids middle disk state caused by suddenly power-cut and error occurring. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit b0ef56eae05da2b62977874bbcf00abea7d1ca92 Author: Zhihao Cheng Date: Mon Dec 27 11:22:35 2021 +0800 ubifs: Add missing iput if do_tmpfile() failed in rename whiteout commit 716b4573026bcbfa7b58ed19fe15554bac66b082 upstream. whiteout inode should be put when do_tmpfile() failed if inode has been initialized. Otherwise we will get following warning during umount: UBIFS error (ubi0:0 pid 1494): ubifs_assert_failed [ubifs]: UBIFS assert failed: c->bi.dd_growth == 0, in fs/ubifs/super.c:1930 VFS: Busy inodes after unmount of ubifs. Self-destruct in 5 seconds. Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Suggested-by: Sascha Hauer Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit 70e9090acc32348cedc5def0cd6d5c126efc97b9 Author: Zhihao Cheng Date: Mon Dec 27 11:22:33 2021 +0800 ubifs: Fix deadlock in concurrent rename whiteout and inode writeback commit afd427048047e8efdedab30e8888044e2be5aa9c upstream. Following hung tasks: [ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132 [ 77.028820] Call Trace: [ 77.029027] schedule+0x8c/0x1b0 [ 77.029067] mutex_lock+0x50/0x60 [ 77.029074] ubifs_write_inode+0x68/0x1f0 [ubifs] [ 77.029117] __writeback_single_inode+0x43c/0x570 [ 77.029128] writeback_sb_inodes+0x259/0x740 [ 77.029148] wb_writeback+0x107/0x4d0 [ 77.029163] wb_workfn+0x162/0x7b0 [ 92.390442] task:aa state:D stack: 0 pid: 1506 [ 92.390448] Call Trace: [ 92.390458] schedule+0x8c/0x1b0 [ 92.390461] wb_wait_for_completion+0x82/0xd0 [ 92.390469] __writeback_inodes_sb_nr+0xb2/0x110 [ 92.390472] writeback_inodes_sb_nr+0x14/0x20 [ 92.390476] ubifs_budget_space+0x705/0xdd0 [ubifs] [ 92.390503] do_rename.cold+0x7f/0x187 [ubifs] [ 92.390549] ubifs_rename+0x8b/0x180 [ubifs] [ 92.390571] vfs_rename+0xdb2/0x1170 [ 92.390580] do_renameat2+0x554/0x770 , are caused by concurrent rename whiteout and inode writeback processes: rename_whiteout(Thread 1) wb_workfn(Thread2) ubifs_rename do_rename lock_4_inodes (Hold ui_mutex) ubifs_budget_space make_free_space shrink_liability __writeback_inodes_sb_nr bdi_split_work_to_wbs (Queue new wb work) wb_do_writeback(wb work) __writeback_single_inode ubifs_write_inode LOCK(ui_mutex) ↑ wb_wait_for_completion (Wait wb work) <-- deadlock! Reproducer (Detail program in [Link]): 1. SYS_renameat2("/mp/dir/file", "/mp/dir/whiteout", RENAME_WHITEOUT) 2. Consume out of space before kernel(mdelay) doing budget for whiteout Fix it by doing whiteout space budget before locking ubifs inodes. BTW, it also fixes wrong goto tag 'out_release' in whiteout budget error handling path(It should at least recover dir i_size and unlock 4 ubifs inodes). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Link: https://bugzilla.kernel.org/show_bug.cgi?id=214733 Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit b9a937f096e608b3368c1abc920d4d640ba2c94f Author: Zhihao Cheng Date: Mon Dec 27 11:22:32 2021 +0800 ubifs: rename_whiteout: Fix double free for whiteout_ui->data commit 40a8f0d5e7b3999f096570edab71c345da812e3e upstream. 'whiteout_ui->data' will be freed twice if space budget fail for rename whiteout operation as following process: rename_whiteout dev = kmalloc whiteout_ui->data = dev kfree(whiteout_ui->data) // Free first time iput(whiteout) ubifs_free_inode kfree(ui->data) // Double free! KASAN reports: ================================================================== BUG: KASAN: double-free or invalid-free in ubifs_free_inode+0x4f/0x70 Call Trace: kfree+0x117/0x490 ubifs_free_inode+0x4f/0x70 [ubifs] i_callback+0x30/0x60 rcu_do_batch+0x366/0xac0 __do_softirq+0x133/0x57f Allocated by task 1506: kmem_cache_alloc_trace+0x3c2/0x7a0 do_rename+0x9b7/0x1150 [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 Freed by task 1506: kfree+0x117/0x490 do_rename.cold+0x53/0x8a [ubifs] ubifs_rename+0x106/0x1f0 [ubifs] do_syscall_64+0x35/0x80 The buggy address belongs to the object at ffff88810238bed8 which belongs to the cache kmalloc-8 of size 8 ================================================================== Let ubifs_free_inode() free 'whiteout_ui->data'. BTW, delete unused assignment 'whiteout_ui->data_len = 0', process 'ubifs_evict_inode() -> ubifs_jnl_delete_inode() -> ubifs_jnl_write_inode()' doesn't need it (because 'inc_nlink(whiteout)' won't be excuted by 'goto out_release', and the nlink of whiteout inode is 0). Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT") Signed-off-by: Zhihao Cheng Signed-off-by: Richard Weinberger Signed-off-by: Greg Kroah-Hartman commit e4d153d53d9648513481eb4ef8c212e7f1f8173d Author: Yi Wang Date: Wed Mar 9 19:30:25 2022 +0800 KVM: SVM: fix panic on out-of-bounds guest IRQ commit a80ced6ea514000d34bf1239d47553de0d1ee89e upstream. As guest_irq is coming from KVM_IRQFD API call, it may trigger crash in svm_update_pi_irte() due to out-of-bounds: crash> bt PID: 22218 TASK: ffff951a6ad74980 CPU: 73 COMMAND: "vcpu8" #0 [ffffb1ba6707fa40] machine_kexec at ffffffff8565b397 #1 [ffffb1ba6707fa90] __crash_kexec at ffffffff85788a6d #2 [ffffb1ba6707fb58] crash_kexec at ffffffff8578995d #3 [ffffb1ba6707fb70] oops_end at ffffffff85623c0d #4 [ffffb1ba6707fb90] no_context at ffffffff856692c9 #5 [ffffb1ba6707fbf8] exc_page_fault at ffffffff85f95b51 #6 [ffffb1ba6707fc50] asm_exc_page_fault at ffffffff86000ace [exception RIP: svm_update_pi_irte+227] RIP: ffffffffc0761b53 RSP: ffffb1ba6707fd08 RFLAGS: 00010086 RAX: ffffb1ba6707fd78 RBX: ffffb1ba66d91000 RCX: 0000000000000001 RDX: 00003c803f63f1c0 RSI: 000000000000019a RDI: ffffb1ba66db2ab8 RBP: 000000000000019a R8: 0000000000000040 R9: ffff94ca41b82200 R10: ffffffffffffffcf R11: 0000000000000001 R12: 0000000000000001 R13: 0000000000000001 R14: ffffffffffffffcf R15: 000000000000005f ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffb1ba6707fdb8] kvm_irq_routing_update at ffffffffc09f19a1 [kvm] #8 [ffffb1ba6707fde0] kvm_set_irq_routing at ffffffffc09f2133 [kvm] #9 [ffffb1ba6707fe18] kvm_vm_ioctl at ffffffffc09ef544 [kvm] RIP: 00007f143c36488b RSP: 00007f143a4e04b8 RFLAGS: 00000246 RAX: ffffffffffffffda RBX: 00007f05780041d0 RCX: 00007f143c36488b RDX: 00007f05780041d0 RSI: 000000004008ae6a RDI: 0000000000000020 RBP: 00000000000004e8 R8: 0000000000000008 R9: 00007f05780041e0 R10: 00007f0578004560 R11: 0000000000000246 R12: 00000000000004e0 R13: 000000000000001a R14: 00007f1424001c60 R15: 00007f0578003bc0 ORIG_RAX: 0000000000000010 CS: 0033 SS: 002b Vmx have been fix this in commit 3a8b0677fc61 (KVM: VMX: Do not BUG() on out-of-bounds guest IRQ), so we can just copy source from that to fix this. Co-developed-by: Yi Liu Signed-off-by: Yi Liu Signed-off-by: Yi Wang Message-Id: <20220309113025.44469-1-wang.yi59@zte.com.cn> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit de3af9b26d34c6dfb3affca80f4e8a927cac5411 Author: Li RongQing Date: Wed Mar 9 16:35:44 2022 +0800 KVM: x86: fix sending PV IPI commit c15e0ae42c8e5a61e9aca8aac920517cf7b3e94e upstream. If apic_id is less than min, and (max - apic_id) is greater than KVM_IPI_CLUSTER_SIZE, then the third check condition is satisfied but the new apic_id does not fit the bitmask. In this case __send_ipi_mask should send the IPI. This is mostly theoretical, but it can happen if the apic_ids on three iterations of the loop are for example 1, KVM_IPI_CLUSTER_SIZE, 0. Fixes: aaffcfd1e82 ("KVM: X86: Implement PV IPIs in linux guest") Signed-off-by: Li RongQing Message-Id: <1646814944-51801-1-git-send-email-lirongqing@baidu.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 2ec90e21f1c0cd2b71014c96474e003b029c457f Author: David Matlack Date: Thu Mar 3 18:33:27 2022 +0000 KVM: Prevent module exit until all VMs are freed commit 5f6de5cbebee925a612856fce6f9182bb3eee0db upstream. Tie the lifetime the KVM module to the lifetime of each VM via kvm.users_count. This way anything that grabs a reference to the VM via kvm_get_kvm() cannot accidentally outlive the KVM module. Prior to this commit, the lifetime of the KVM module was tied to the lifetime of /dev/kvm file descriptors, VM file descriptors, and vCPU file descriptors by their respective file_operations "owner" field. This approach is insufficient because references grabbed via kvm_get_kvm() do not prevent closing any of the aforementioned file descriptors. This fixes a long standing theoretical bug in KVM that at least affects async page faults. kvm_setup_async_pf() grabs a reference via kvm_get_kvm(), and drops it in an asynchronous work callback. Nothing prevents the VM file descriptor from being closed and the KVM module from being unloaded before this callback runs. Fixes: af585b921e5d ("KVM: Halt vcpu if page it tries to access is swapped out") Fixes: 3d3aab1b973b ("KVM: set owner of cpu and vm file operations") Cc: stable@vger.kernel.org Suggested-by: Ben Gardon [ Based on a patch from Ben implemented for Google's kernel. ] Signed-off-by: David Matlack Message-Id: <20220303183328.1499189-2-dmatlack@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit e094afbdadc1e479295a50296c69d3f898761c58 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:40 2022 +0100 KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated commit b1e34d325397a33d97d845e312d7cf2a8b646b44 upstream. Setting non-zero values to SYNIC/STIMER MSRs activates certain features, this should not happen when KVM_CAP_HYPERV_SYNIC{,2} was not activated. Note, it would've been better to forbid writing anything to SYNIC/STIMER MSRs, including zeroes, however, at least QEMU tries clearing HV_X64_MSR_STIMER0_CONFIG without SynIC. HV_X64_MSR_EOM MSR is somewhat 'special' as writing zero there triggers an action, this also should not happen when SynIC wasn't activated. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-4-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 9e38128f8bd1d4f2244d8a393bc5dc204a99a541 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:39 2022 +0100 KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() commit 00b5f37189d24ac3ed46cb7f11742094778c46ce upstream. When kvm_irq_delivery_to_apic_fast() is called with APIC_DEST_SELF shorthand, 'src' must not be NULL. Crash the VM with KVM_BUG_ON() instead of crashing the host. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-3-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6e3cd49aed556ea1784558001aee7c156a93cbc4 Author: Vitaly Kuznetsov Date: Fri Mar 25 14:21:38 2022 +0100 KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq commit 7ec37d1cbe17d8189d9562178d8b29167fe1c31a upstream. When KVM_CAP_HYPERV_SYNIC{,2} is activated, KVM already checks for irqchip_in_kernel() so normally SynIC irqs should never be set. It is, however, possible for a misbehaving VMM to write to SYNIC/STIMER MSRs causing erroneous behavior. The immediate issue being fixed is that kvm_irq_delivery_to_apic() (kvm_irq_delivery_to_apic_fast()) crashes when called with 'irq.shorthand = APIC_DEST_SELF' and 'src == NULL'. Signed-off-by: Vitaly Kuznetsov Message-Id: <20220325132140.25650-2-vkuznets@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 33ccdb74dffeb15e60e7ba1fed4cf30b4b041fde Author: Paul Cercueil Date: Thu Mar 31 17:42:00 2022 +0100 MIPS: crypto: Fix CRC32 code commit 41022eff9c2d21e658c7a6fcd31005bf514d28b7 upstream. Commit 67512a8cf5a7 ("MIPS: Avoid macro redefinitions") changed how the MIPS register macros were defined, in order to allow the code to compile under LLVM/Clang. The MIPS CRC32 code however wasn't updated accordingly, causing a build bug when using a MIPS32r6 toolchain without CRC support. Update the CRC32 code to use the macros correctly, to fix the build failures. Fixes: 67512a8cf5a7 ("MIPS: Avoid macro redefinitions") Cc: Signed-off-by: Paul Cercueil Reported-by: kernel test robot Signed-off-by: Thomas Bogendoerfer Signed-off-by: Greg Kroah-Hartman commit 0ea93956203b8dafc2e84f5283a1bba3f9313fd0 Author: Gwendal Grignou Date: Fri Jan 21 16:13:01 2022 -0800 platform: chrome: Split trace include file commit eabd9a3807e17e211690e6c40f1405b427b64c48 upstream. cros_ec_trace.h defined 5 tracing events, 2 for cros_ec_proto and 3 for cros_ec_sensorhub_ring. These 2 files are in different kernel modules, the traces are defined twice in the kernel which leads to problem enabling only some traces. Move sensorhub traces from cros_ec_trace.h to cros_ec_sensorhub_trace.h and enable them only in cros_ec_sensorhub kernel module. Check we can now enable any single traces: without this patch, we can only enable all sensorhub traces or none. Fixes: d453ceb6549a ("platform/chrome: sensorhub: Add trace events for sample") Signed-off-by: Gwendal Grignou Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20220122001301.640337-1-gwendal@chromium.org Signed-off-by: Benson Leung Signed-off-by: Greg Kroah-Hartman commit 5f731907905ffc8b21a2976bea9452d2a2391b67 Author: Manish Rangankar Date: Thu Mar 10 01:26:02 2022 -0800 scsi: qla2xxx: Use correct feature type field during RFF_ID processing commit a7e05f7a1bcbe4ee055479242de46c5c16ab03b1 upstream. During SNS Register FC-4 Features (RFF_ID) the initiator driver was sending incorrect type field for NVMe supported device. Use correct feature type field. Link: https://lore.kernel.org/r/20220310092604.22950-12-njavali@marvell.com Fixes: e374f9f59281 ("scsi: qla2xxx: Migrate switch registration commands away from mailbox interface") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Manish Rangankar Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 7e811bc213ebf46c51c8738237397ca8d1bdde38 Author: Quinn Tran Date: Thu Mar 10 01:26:00 2022 -0800 scsi: qla2xxx: Reduce false trigger to login commit d2646eed7b19a206912f49101178cbbaa507256c upstream. While a session is in the middle of a relogin, a late RSCN can be delivered from switch. RSCN trigger fabric scan where the scan logic can trigger another session login while a login is in progress. Reduce the extra trigger to prevent multiple logins to the same session. Link: https://lore.kernel.org/r/20220310092604.22950-10-njavali@marvell.com Fixes: bee8b84686c4 ("scsi: qla2xxx: Reduce redundant ADISC command for RSCNs") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 48e5bb73e609062df1620a49defa044d5067a92e Author: Quinn Tran Date: Thu Mar 10 01:26:01 2022 -0800 scsi: qla2xxx: Fix stuck session of PRLI reject commit f3502e2e98a92981601edc3dadf4b0f43c79836b upstream. Remove stale recovery code that prevents normal path recovery. Link: https://lore.kernel.org/r/20220310092604.22950-11-njavali@marvell.com Fixes: 1cbc0efcd9be ("scsi: qla2xxx: Fix retry for PRLI RJT with reason of BUSY") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 608594661edf0e39cafec0e92c45edd3c4c4273e Author: Quinn Tran Date: Thu Mar 10 01:25:57 2022 -0800 scsi: qla2xxx: Fix N2N inconsistent PLOGI commit c13ce47c64ea8f14e77eecb40d1e7c2ac667f898 upstream. For N2N topology, ELS Passthrough is used to send PLOGI. On failure of ELS pass through PLOGI, driver flipped over to using LLIOCB PLOGI for N2N. This is not consistent. Delete the session to restart the connection where ELS pass through PLOGI would be used consistently. Link: https://lore.kernel.org/r/20220310092604.22950-7-njavali@marvell.com Fixes: c76ae845ea83 ("scsi: qla2xxx: Add error handling for PLOGI ELS passthrough") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 213e57b42537f1a2e5395caa9d7189854133ed12 Author: Arun Easi Date: Thu Mar 10 01:25:56 2022 -0800 scsi: qla2xxx: Fix crash during module load unload test commit 0972252450f90db56dd5415a20e2aec21a08d036 upstream. During purex packet handling the driver was incorrectly freeing a pre-allocated structure. Fix this by skipping that entry. System crashed with the following stack during a module unload test. Call Trace: sbitmap_init_node+0x7f/0x1e0 sbitmap_queue_init_node+0x24/0x150 blk_mq_init_bitmaps+0x3d/0xa0 blk_mq_init_tags+0x68/0x90 blk_mq_alloc_map_and_rqs+0x44/0x120 blk_mq_alloc_set_map_and_rqs+0x63/0x150 blk_mq_alloc_tag_set+0x11b/0x230 scsi_add_host_with_dma.cold+0x3f/0x245 qla2x00_probe_one+0xd5a/0x1b80 [qla2xxx] Call Trace with slub_debug and debug kernel: kasan_report_invalid_free+0x50/0x80 __kasan_slab_free+0x137/0x150 slab_free_freelist_hook+0xc6/0x190 kfree+0xe8/0x2e0 qla2x00_free_device+0x3bb/0x5d0 [qla2xxx] qla2x00_remove_one+0x668/0xcf0 [qla2xxx] Link: https://lore.kernel.org/r/20220310092604.22950-6-njavali@marvell.com Fixes: 62e9dd177732 ("scsi: qla2xxx: Change in PUREX to handle FPIN ELS requests") Cc: stable@vger.kernel.org Reported-by: Marco Patalano Tested-by: Marco Patalano Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 9765319079131d6a6019caec661825808c6405f1 Author: Arun Easi Date: Thu Mar 10 01:25:55 2022 -0800 scsi: qla2xxx: Fix missed DMA unmap for NVMe ls requests commit c85ab7d9e27a80e48d5b7d7fb2fe2b0fdb2de523 upstream. At NVMe ELS request time, request structure is DMA mapped and never unmapped. Fix this by calling the unmap on ELS completion. Link: https://lore.kernel.org/r/20220310092604.22950-5-njavali@marvell.com Fixes: e84067d74301 ("scsi: qla2xxx: Add FC-NVMe F/W initialization and transport registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 42bc54f1923adcc99582307a21181db2829131ec Author: Quinn Tran Date: Thu Mar 10 01:25:59 2022 -0800 scsi: qla2xxx: Fix laggy FC remote port session recovery commit 713b415726f100f6644971e75ebfe1edbef1a390 upstream. For session recovery, driver relies on the dpc thread to initiate certain operations. The dpc thread runs exclusively without the Mailbox interface being occupied. A recent code change for heartbeat check via mailbox cmd 0 is preventing the dpc thread from carrying out its operation. This patch allows the higher priority error recovery to run first before running the lower priority heartbeat check. Link: https://lore.kernel.org/r/20220310092604.22950-9-njavali@marvell.com Fixes: d94d8158e184 ("scsi: qla2xxx: Add heartbeat check") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit cce5e0137927a7bcad77a68885c39911fdbeb1f7 Author: Quinn Tran Date: Thu Mar 10 01:25:58 2022 -0800 scsi: qla2xxx: Fix hang due to session stuck commit c02aada06d19a215c8291bd968a99a270e96f734 upstream. User experienced device lost. The log shows Get port data base command was queued up, failed, and requeued again. Every time it is requeued, it set the FCF_ASYNC_ACTIVE. This prevents any recovery code from occurring because driver thinks a recovery is in progress for this session. In essence, this session is hung. The reason it gets into this place is the session deletion got in front of this call due to link perturbation. Break the requeue cycle and exit. The session deletion code will trigger a session relogin. Link: https://lore.kernel.org/r/20220310092604.22950-8-njavali@marvell.com Fixes: 726b85487067 ("qla2xxx: Add framework for async fabric discovery") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 33acb100341a27e457238bf50ab1351f0ef5fdf5 Author: Quinn Tran Date: Thu Mar 10 01:25:52 2022 -0800 scsi: qla2xxx: Fix incorrect reporting of task management failure commit 58ca5999e0367d131de82a75257fbfd5aed0195d upstream. User experienced no task management error while target device is responding with error. The RSP_CODE field in the status IOCB is in little endian. Driver assumes it's big endian and it picked up erroneous data. Convert the data back to big endian as is on the wire. Link: https://lore.kernel.org/r/20220310092604.22950-2-njavali@marvell.com Fixes: faef62d13463 ("[SCSI] qla2xxx: Fix Task Management command asynchronous handling") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 22ba449506d72a89216e1dfef8fea4b0e591dcca Author: Quinn Tran Date: Thu Mar 10 01:25:53 2022 -0800 scsi: qla2xxx: Fix disk failure to rediscover commit 6a45c8e137d4e2c72eecf1ac7cf64f2fdfcead99 upstream. User experienced some of the LUN failed to get rediscovered after long cable pull test. The issue is triggered by a race condition between driver setting session online state vs starting the LUN scan process at the same time. Current code set the online state after notifying the session is available. In this case, trigger to start the LUN scan process happened before driver could set the session in online state. LUN scan ends up with failure due to the session online check was failing. Set the online state before reporting of the availability of the session. Link: https://lore.kernel.org/r/20220310092604.22950-3-njavali@marvell.com Fixes: aecf043443d3 ("scsi: qla2xxx: Fix Remote port registration") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 1ab81d82fb1db7ec4be4b0d04563513e6d4bcdd5 Author: Saurav Kashyap Date: Sun Jan 9 21:02:15 2022 -0800 scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair() commit a60447e7d451df42c7bde43af53b34f10f34f469 upstream. [ 12.323788] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-udevd/1020 [ 12.332297] caller is qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.338417] CPU: 7 PID: 1020 Comm: systemd-udevd Tainted: G I --------- --- 5.14.0-29.el9.x86_64 #1 [ 12.348827] Hardware name: Dell Inc. PowerEdge R610/0F0XJ6, BIOS 6.6.0 05/22/2018 [ 12.356356] Call Trace: [ 12.358821] dump_stack_lvl+0x34/0x44 [ 12.362514] check_preemption_disabled+0xd9/0xe0 [ 12.367164] qla2xxx_create_qpair+0x32a/0x5d0 [qla2xxx] [ 12.372481] qla2x00_probe_one+0xa3a/0x1b80 [qla2xxx] [ 12.377617] ? _raw_spin_lock_irqsave+0x19/0x40 [ 12.384284] local_pci_probe+0x42/0x80 [ 12.390162] ? pci_match_device+0xd7/0x110 [ 12.396366] pci_device_probe+0xfd/0x1b0 [ 12.402372] really_probe+0x1e7/0x3e0 [ 12.408114] __driver_probe_device+0xfe/0x180 [ 12.414544] driver_probe_device+0x1e/0x90 [ 12.420685] __driver_attach+0xc0/0x1c0 [ 12.426536] ? __device_attach_driver+0xe0/0xe0 [ 12.433061] ? __device_attach_driver+0xe0/0xe0 [ 12.439538] bus_for_each_dev+0x78/0xc0 [ 12.445294] bus_add_driver+0x12b/0x1e0 [ 12.451021] driver_register+0x8f/0xe0 [ 12.456631] ? 0xffffffffc07bc000 [ 12.461773] qla2x00_module_init+0x1be/0x229 [qla2xxx] [ 12.468776] do_one_initcall+0x44/0x200 [ 12.474401] ? load_module+0xad3/0xba0 [ 12.479908] ? kmem_cache_alloc_trace+0x45/0x410 [ 12.486268] do_init_module+0x5c/0x280 [ 12.491730] __do_sys_init_module+0x12e/0x1b0 [ 12.497785] do_syscall_64+0x3b/0x90 [ 12.503029] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 12.509764] RIP: 0033:0x7f554f73ab2e Link: https://lore.kernel.org/r/20220110050218.3958-15-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 05d5f802d52218f09b84e7ac9cbe227002e17109 Author: Joe Carnuccio Date: Sun Jan 9 21:02:17 2022 -0800 scsi: qla2xxx: Check for firmware dump already collected commit cfbafad7c6032d449a5a07f2d273acd2437bbc6a upstream. While allocating firmware dump, check if dump is already collected and do not re-allocate the buffer. Link: https://lore.kernel.org/r/20220110050218.3958-17-njavali@marvell.com Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8cb0121e0d9d8d8279457953ac25636ea038497a Author: Joe Carnuccio Date: Sun Jan 9 21:02:16 2022 -0800 scsi: qla2xxx: Add devids and conditionals for 28xx commit 0d6a536cb1fcabb6c3e9c94871c8d0b29bb5813b upstream. This is an update to the original 28xx adapter enablement. Add a bunch of conditionals that are applicable for 28xx. Link: https://lore.kernel.org/r/20220110050218.3958-16-njavali@marvell.com Fixes: ecc89f25e225 ("scsi: qla2xxx: Add Device ID for ISP28XX") Cc: stable@vger.kernel.org Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit f61eabc70031f6317b56dfb9ada3354746cc2643 Author: Joe Carnuccio Date: Sun Jan 9 21:02:14 2022 -0800 scsi: qla2xxx: Fix T10 PI tag escape and IP guard options for 28XX adapters commit 4c103a802c69fca63976af6b372ccba39ed74370 upstream. 28XX adapters are capable of detecting both T10 PI tag escape values as well as IP guard. This was missed due to the adapter type missed in the corresponding macros. Fix this by adding support for 28xx in those macros. Link: https://lore.kernel.org/r/20220110050218.3958-14-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Tested-by: Martin K. Petersen Signed-off-by: Joe Carnuccio Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit de62a60bd09c1fd38a896325d740cfe647cd982b Author: Quinn Tran Date: Sun Jan 9 21:02:13 2022 -0800 scsi: qla2xxx: edif: Fix clang warning commit 73825fd7a37c1a685e9e9e27c9dc91ef1f3e2971 upstream. Silence compile warning due to unaligned memory access. qla_edif.c:713:45: warning: taking address of packed member 'u' of class or structure 'auth_complete_cmd' may result in an unaligned pointer value [-Waddress-of-packed-member] fcport = qla2x00_find_fcport_by_pid(vha, &appplogiok.u.d_id); Link: https://lore.kernel.org/r/20220110050218.3958-13-njavali@marvell.com Cc: stable@vger.kernel.org Reported-by: kernel test robot Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit ef84aeac59e42be5b33700ed99d50303c75f5c14 Author: Arun Easi Date: Sun Jan 9 21:02:11 2022 -0800 scsi: qla2xxx: Fix device reconnect in loop topology commit 8ad4be3d15cf144b5834bdb00d5bbe4050938dc7 upstream. A device logout in loop topology initiates a device connection teardown which loses the FW device handle. In loop topo, the device handle is not regrabbed leading to device login failures and eventually to loss of the device. Fix this by taking the main login path that does it. Link: https://lore.kernel.org/r/20220110050218.3958-11-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit c6e69e51bc5a2aeffb9e4b3f3b02cfc2281c4d1a Author: Nilesh Javali Date: Sun Jan 9 21:02:12 2022 -0800 scsi: qla2xxx: Fix warning for missing error code commit 14cb838d245ae0d523b2f7804af5a02c22e79f5a upstream. Fix smatch-reported warning message: drivers/scsi/qla2xxx/qla_target.c:3324 qlt_xmit_response() warn: missing error code 'res' Link: https://lore.kernel.org/r/20220110050218.3958-12-njavali@marvell.com Fixes: 4a8f71014b4d ("scsi: qla2xxx: Fix unmap of already freed sgl") Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 8c9dbad5ba92f26560ec911ad471d7adb43d5941 Author: Bikash Hazarika Date: Sun Jan 9 21:02:09 2022 -0800 scsi: qla2xxx: Fix wrong FDMI data for 64G adapter commit 1cfbbacbee2d6ea3816386a483e3c7a96e5bd657 upstream. Corrected transmission speed mask values for FC. Supported Speed: 16 32 20 Gb/s ===> Should be 64 instead of 20 Supported Speed: 16G 32G 48G ===> Should be 64G instead of 48G Link: https://lore.kernel.org/r/20220110050218.3958-9-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Bikash Hazarika Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d7994dff9071555a959a168f9184dd9abae68a6b Author: Quinn Tran Date: Sun Jan 9 21:02:06 2022 -0800 scsi: qla2xxx: Fix premature hw access after PCI error commit e35920ab7874d5e2faeb4f958a74bfa793f1ce5a upstream. After a recoverable PCI error has been detected and recovered, qla driver needs to check to see if the error condition still persist and/or wait for the OS to give the resume signal. Sep 8 22:26:03 localhost kernel: WARNING: CPU: 9 PID: 124606 at qla_tmpl.c:440 qla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx] Sep 8 22:26:03 localhost kernel: RIP: 0010:qla27xx_fwdt_entry_t266+0x55/0x60 [qla2xxx] Sep 8 22:26:03 localhost kernel: Call Trace: Sep 8 22:26:03 localhost kernel: ? qla27xx_walk_template+0xb1/0x1b0 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla27xx_execute_fwdt_template+0x12a/0x160 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla27xx_fwdump+0xa0/0x1c0 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? qla2xxx_pci_mmio_enabled+0xfb/0x120 [qla2xxx] Sep 8 22:26:03 localhost kernel: ? report_mmio_enabled+0x44/0x80 Sep 8 22:26:03 localhost kernel: ? report_slot_reset+0x80/0x80 Sep 8 22:26:03 localhost kernel: ? pci_walk_bus+0x70/0x90 Sep 8 22:26:03 localhost kernel: ? aer_dev_correctable_show+0xc0/0xc0 Sep 8 22:26:03 localhost kernel: ? pcie_do_recovery+0x1bb/0x240 Sep 8 22:26:03 localhost kernel: ? aer_recover_work_func+0xaa/0xd0 Sep 8 22:26:03 localhost kernel: ? process_one_work+0x1a7/0x360 .. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-8041:22: detected PCI disconnect. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: qla27xx_fwdt_entry_t262: dump ram MB failed. Area 5h start 198013h end 198013h Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-107ff:22: Unable to capture FW dump Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-1015:22: cmd=0x0, waited 5221 msecs Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-680d:22: mmio enabled returning. Sep 8 22:26:03 localhost kernel: qla2xxx [0000:42:00.2]-d04c:22: MBX Command timeout for cmd 0, iocontrol=ffffffff jiffies=10140f2e5 mb[0-3]=[0xffff 0xffff 0xffff 0xffff] Link: https://lore.kernel.org/r/20220110050218.3958-6-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 78225d6a2a4ffdb2250ce2b7691a9e68a3f86912 Author: Quinn Tran Date: Sun Jan 9 21:02:07 2022 -0800 scsi: qla2xxx: Fix scheduling while atomic commit afd438ff874ca40b74321b3fa19bd61adfd7ca0c upstream. The driver makes a call into midlayer (fc_remote_port_delete) which can put the thread to sleep. The thread that originates the call is in interrupt context. The combination of the two trigger a crash. Schedule the call in non-interrupt context where it is more safe. kernel: BUG: scheduling while atomic: swapper/7/0/0x00010000 kernel: Call Trace: kernel: kernel: dump_stack+0x66/0x81 kernel: __schedule_bug.cold.90+0x5/0x1d kernel: __schedule+0x7af/0x960 kernel: schedule+0x28/0x80 kernel: schedule_timeout+0x26d/0x3b0 kernel: wait_for_completion+0xb4/0x140 kernel: ? wake_up_q+0x70/0x70 kernel: __wait_rcu_gp+0x12c/0x160 kernel: ? sdev_evt_alloc+0xc0/0x180 [scsi_mod] kernel: synchronize_sched+0x6c/0x80 kernel: ? call_rcu_bh+0x20/0x20 kernel: ? __bpf_trace_rcu_invoke_callback+0x10/0x10 kernel: sdev_evt_alloc+0xfd/0x180 [scsi_mod] kernel: starget_for_each_device+0x85/0xb0 [scsi_mod] kernel: ? scsi_init_io+0x360/0x3d0 [scsi_mod] kernel: scsi_init_io+0x388/0x3d0 [scsi_mod] kernel: device_for_each_child+0x54/0x90 kernel: fc_remote_port_delete+0x70/0xe0 [scsi_transport_fc] kernel: qla2x00_schedule_rport_del+0x62/0xf0 [qla2xxx] kernel: qla2x00_mark_device_lost+0x9c/0xd0 [qla2xxx] kernel: qla24xx_handle_plogi_done_event+0x55f/0x570 [qla2xxx] kernel: qla2x00_async_login_sp_done+0xd2/0x100 [qla2xxx] kernel: qla24xx_logio_entry+0x13a/0x3c0 [qla2xxx] kernel: qla24xx_process_response_queue+0x306/0x400 [qla2xxx] kernel: qla24xx_msix_rsp_q+0x3f/0xb0 [qla2xxx] kernel: __handle_irq_event_percpu+0x40/0x180 kernel: handle_irq_event_percpu+0x30/0x80 kernel: handle_irq_event+0x36/0x60 Link: https://lore.kernel.org/r/20220110050218.3958-7-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit b13baf97ddbc1a7e7536168383bc0d84c2204b03 Author: Quinn Tran Date: Sun Jan 9 21:02:05 2022 -0800 scsi: qla2xxx: Fix warning message due to adisc being flushed commit 64f24af75b79cba3b86b0760e27e0fa904db570f upstream. Fix warning message due to adisc being flushed. Linux kernel triggered a warning message where a different error code type is not matching up with the expected type. Add additional translation of one error code type to another. WARNING: CPU: 2 PID: 1131623 at drivers/scsi/qla2xxx/qla_init.c:498 qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] CPU: 2 PID: 1131623 Comm: drmgr Not tainted 5.13.0-rc1-autotest #1 .. GPR28: c000000aaa9c8890 c0080000079ab678 c00000140a104800 c00000002bd19000 NIP [c00800000790857c] qla2x00_async_adisc_sp_done+0x294/0x2b0 [qla2xxx] LR [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] Call Trace: [c00000001cdc3620] [c008000007908578] qla2x00_async_adisc_sp_done+0x290/0x2b0 [qla2xxx] (unreliable) [c00000001cdc3710] [c0080000078f3080] __qla2x00_abort_all_cmds+0x1b8/0x580 [qla2xxx] [c00000001cdc3840] [c0080000078f589c] qla2x00_abort_all_cmds+0x34/0xd0 [qla2xxx] [c00000001cdc3880] [c0080000079153d8] qla2x00_abort_isp_cleanup+0x3f0/0x570 [qla2xxx] [c00000001cdc3920] [c0080000078fb7e8] qla2x00_remove_one+0x3d0/0x480 [qla2xxx] [c00000001cdc39b0] [c00000000071c274] pci_device_remove+0x64/0x120 [c00000001cdc39f0] [c0000000007fb818] device_release_driver_internal+0x168/0x2a0 [c00000001cdc3a30] [c00000000070e304] pci_stop_bus_device+0xb4/0x100 [c00000001cdc3a70] [c00000000070e4f0] pci_stop_and_remove_bus_device+0x20/0x40 [c00000001cdc3aa0] [c000000000073940] pci_hp_remove_devices+0x90/0x130 [c00000001cdc3b30] [c0080000070704d0] disable_slot+0x38/0x90 [rpaphp] [ c00000001cdc3b60] [c00000000073eb4c] power_write_file+0xcc/0x180 [c00000001cdc3be0] [c0000000007354bc] pci_slot_attr_store+0x3c/0x60 [c00000001cdc3c00] [c00000000055f820] sysfs_kf_write+0x60/0x80 [c00000001cdc3c20] [c00000000055df10] kernfs_fop_write_iter+0x1a0/0x290 [c00000001cdc3c70] [c000000000447c4c] new_sync_write+0x14c/0x1d0 [c00000001cdc3d10] [c00000000044b134] vfs_write+0x224/0x330 [c00000001cdc3d60] [c00000000044b3f4] ksys_write+0x74/0x130 [c00000001cdc3db0] [c00000000002df70] system_call_exception+0x150/0x2d0 [c00000001cdc3e10] [c00000000000d45c] system_call_common+0xec/0x278 Link: https://lore.kernel.org/r/20220110050218.3958-5-njavali@marvell.com Cc: stable@vger.kernel.org Reported-by: Abdul Haleem Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 62f336e8e150bcb92ee0882206d869dca263901c Author: Quinn Tran Date: Sun Jan 9 21:02:04 2022 -0800 scsi: qla2xxx: Fix stuck session in gpdb commit 725d3a0d31a51c0debf970011e05f585e805165b upstream. Fix stuck sessions in get port database. When a thread is in the process of re-establishing a session, a flag is set to prevent multiple threads / triggers from doing the same task. This flag was left on, where any attempt to relogin was locked out. Clear this flag, if the attempt has failed. Link: https://lore.kernel.org/r/20220110050218.3958-4-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Quinn Tran Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit e140723f78ff418c8df7d990e102e07b65c87d4a Author: Saurav Kashyap Date: Sun Jan 9 21:02:03 2022 -0800 scsi: qla2xxx: Implement ref count for SRB commit 31e6cdbe0eae37badceb5e0d4f06cf051432fd77 upstream. The timeout handler and the done function are racing. When qla2x00_async_iocb_timeout() starts to run it can be preempted by the normal response path (via the firmware?). qla24xx_async_gpsc_sp_done() releases the SRB unconditionally. When scheduling back to qla2x00_async_iocb_timeout() qla24xx_async_abort_cmd() will access an freed sp->qpair pointer: qla2xxx [0000:83:00.0]-2871:0: Async-gpsc timeout - hdl=63d portid=234500 50:06:0e:80:08:77:b6:21. qla2xxx [0000:83:00.0]-2853:0: Async done-gpsc res 0, WWPN 50:06:0e:80:08:77:b6:21 qla2xxx [0000:83:00.0]-2854:0: Async-gpsc OUT WWPN 20:45:00:27:f8:75:33:00 speeds=2c00 speed=0400. qla2xxx [0000:83:00.0]-28d8:0: qla24xx_handle_gpsc_event 50:06:0e:80:08:77:b6:21 DS 7 LS 6 rc 0 login 1|1 rscn 1|0 lid 5 BUG: unable to handle kernel NULL pointer dereference at 0000000000000004 IP: qla24xx_async_abort_cmd+0x1b/0x1c0 [qla2xxx] Obvious solution to this is to introduce a reference counter. One reference is taken for the normal code path (the 'good' case) and one for the timeout path. As we always race between the normal good case and the timeout/abort handler we need to serialize it. Also we cannot assume any order between the handlers. Since this is slow path we can use proper synchronization via locks. When we are able to cancel a timer (del_timer returns 1) we know there can't be any error handling in progress because the timeout handler hasn't expired yet, thus we can safely decrement the refcounter by one. If we are not able to cancel the timer, we know an abort handler is running. We have to make sure we call sp->done() in the abort handlers before calling kref_put(). Link: https://lore.kernel.org/r/20220110050218.3958-3-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Co-developed-by: Daniel Wagner Signed-off-by: Daniel Wagner Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit d8e59f830331da47d2776bc32499eaae57ffa054 Author: Daniel Wagner Date: Sun Jan 9 21:02:02 2022 -0800 scsi: qla2xxx: Refactor asynchronous command initialization commit d4523bd6fd5d3afa9f08a86038a8a92176089f5b upstream. Move common open-coded asynchronous command initializing code such as setting up the timer and the done callback into one function. This is a preparation step and allows us later on to change the low level error flow handling at a central place. Link: https://lore.kernel.org/r/20220110050218.3958-2-njavali@marvell.com Cc: stable@vger.kernel.org Reviewed-by: Himanshu Madhani Signed-off-by: Daniel Wagner Signed-off-by: Saurav Kashyap Signed-off-by: Nilesh Javali Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 0feee60cbeca144e434c35f714f8582824a8d051 Author: Ville Syrjälä Date: Fri Mar 11 23:28:45 2022 +0200 drm/i915: Reject unsupported TMDS rates on ICL+ commit 9cddf03b2af07443bebdc73cba21acb360c079e8 upstream. ICL+ PLLs can't genenerate certain frequencies. Running the PLL algorithms through for all frequencies 25-594MHz we see a gap just above 500 MHz. Specifically 500-522.8MHZ for TC PLLs, and 500-533.2 MHz for combo PHY PLLs. Reject those frequencies hdmi_port_clock_valid() so that we properly filter out unsupported modes and/or color depths for HDMI. Cc: stable@vger.kernel.org Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/5247 Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220311212845.32358-1-ville.syrjala@linux.intel.com Reviewed-by: Mika Kahola (cherry picked from commit e5086cb3f3d3f94091be29eec38cf13f8a75a778) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit 17b793605d6dff3e1120410a31149ba47dbfab89 Author: Ville Syrjälä Date: Wed Mar 9 18:49:46 2022 +0200 drm/i915: Fix PSF GV point mask when SAGV is not possible commit 3ef8b5e19ead5a79600ea55f9549658281415893 upstream. Don't just mask off all the PSF GV points when SAGV gets disabled. This should in fact cause the Pcode to reject the request since at least one PSF point must remain enabled at all times. Cc: stable@vger.kernel.org Cc: Stanislav Lisovskiy Fixes: 192fbfb76744 ("drm/i915: Implement PSF GV point support") Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220309164948.10671-7-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit 0fed4ddd18f064d2359b430c6e83ee60dd1f49b1) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit 1714c5d649ec267b1f98426fe98fa43478b557ff Author: Ville Syrjälä Date: Wed Mar 9 18:49:41 2022 +0200 drm/i915: Treat SAGV block time 0 as SAGV disabled commit 1937f3feb0e84089ae4065e09c871b8ab4676f01 upstream. For modern platforms the spec explicitly states that a SAGV block time of zero means that SAGV is not supported. Let's extend that to all platforms. Supposedly there should be no systems where this isn't true, and it'll allow us to: - use the same code regardless of older vs. newer platform - wm latencies already treat 0 as disabled, so this fits well with other related code - make it a bit more clear when SAGV is used vs. not - avoid overflows from adding U32_MAX with a u16 wm0 latency value which could cause us to miscalculate the SAGV watermarks on tgl+ Cc: stable@vger.kernel.org Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220309164948.10671-2-ville.syrjala@linux.intel.com Reviewed-by: Stanislav Lisovskiy (cherry picked from commit d8f5855b31c0523ea3b171db8dfb998830e8735d) Signed-off-by: Tvrtko Ursulin Signed-off-by: Greg Kroah-Hartman commit e504041c01d95a761d69803352a6a6689f6f9229 Author: Kees Cook Date: Thu Feb 24 19:56:09 2022 -0800 drm/dp: Fix off-by-one in register cache size commit d4da1f27396fb1dde079447a3612f4f512caed07 upstream. The pcon_dsc_dpcd array holds 13 registers (0x92 through 0x9E). Fix the math to calculate the max size. Found from a -Warray-bounds build: drivers/gpu/drm/drm_dp_helper.c: In function 'drm_dp_pcon_dsc_bpp_incr': drivers/gpu/drm/drm_dp_helper.c:3130:28: error: array subscript 12 is outside array bounds of 'const u8[12]' {aka 'const unsigned char[12]'} [-Werror=array-bounds] 3130 | buf = pcon_dsc_dpcd[DP_PCON_DSC_BPP_INCR - DP_PCON_DSC_ENCODER]; | ~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/drm_dp_helper.c:3126:39: note: while referencing 'pcon_dsc_dpcd' 3126 | int drm_dp_pcon_dsc_bpp_incr(const u8 pcon_dsc_dpcd[DP_PCON_DSC_ENCODER_CAP_SIZE]) | ~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: Thomas Zimmermann Cc: David Airlie Cc: dri-devel@lists.freedesktop.org Fixes: e2e16da398d9 ("drm/dp_helper: Add support for Configuring DSC for HDMI2.1 Pcon") Cc: stable@vger.kernel.org Reviewed-by: Gustavo A. R. Silva Link: https://lore.kernel.org/lkml/20211214001849.GA62559@embeddedor/ Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220105173310.2420598-1-keescook@chromium.org Signed-off-by: Thierry Reding Link: https://patchwork.freedesktop.org/patch/msgid/20220225035610.2552144-2-keescook@chromium.org Signed-off-by: Greg Kroah-Hartman commit e20c750229f2832be86dbaa63fcf9673fc743699 Author: Anders Roxell Date: Thu Feb 24 17:22:14 2022 +0100 powerpc: Fix build errors with newer binutils commit 8667d0d64dd1f84fd41b5897fd87fa9113ae05e3 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:1190: Error: unrecognized opcode: `stbcix' {standard input}:1433: Error: unrecognized opcode: `lwzcix' {standard input}:1453: Error: unrecognized opcode: `stbcix' {standard input}:1460: Error: unrecognized opcode: `stwcix' {standard input}:1596: Error: unrecognized opcode: `stbcix' ... Rework to add assembler directives [1] around the instruction. Going through them one by one shows that the changes should be safe. Like __get_user_atomic_128_aligned() is only called in p9_hmi_special_emu(), which according to the name is specific to power9. And __raw_rm_read*() are only called in things that are powernv or book3s_hv specific. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Cc: stable@vger.kernel.org Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool [mpe: Make commit subject more descriptive] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-2-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit 29a9e30a806858dd4e524c537634700ceb0130e1 Author: Christophe Leroy Date: Fri Dec 24 11:07:40 2021 +0000 powerpc: Add set_memory_{p/np}() and remove set_memory_attr() commit f222ab83df92acf72691a2021e1f0d99880dcdf1 upstream. set_memory_attr() was implemented by commit 4d1755b6a762 ("powerpc/mm: implement set_memory_attr()") because the set_memory_xx() couldn't be used at that time to modify memory "on the fly" as explained it the commit. But set_memory_attr() uses set_pte_at() which leads to warnings when CONFIG_DEBUG_VM is selected, because set_pte_at() is unexpected for updating existing page table entries. The check could be bypassed by using __set_pte_at() instead, as it was the case before commit c988cfd38e48 ("powerpc/32: use set_memory_attr()") but since commit 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") it is now possible to use set_memory_xx() functions to update page table entries "on the fly" because the update is now atomic. For DEBUG_PAGEALLOC we need to clear and set back _PAGE_PRESENT. Add set_memory_np() and set_memory_p() for that. Replace all uses of set_memory_attr() by the relevant set_memory_xx() and remove set_memory_attr(). Fixes: c988cfd38e48 ("powerpc/32: use set_memory_attr()") Cc: stable@vger.kernel.org Reported-by: Maxime Bizon Signed-off-by: Christophe Leroy Tested-by: Maxime Bizon Reviewed-by: Russell Currey Depends-on: 9f7853d7609d ("powerpc/mm: Fix set_memory_*() against concurrent accesses") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/cda2b44b55c96f9ac69fa92e68c01084ec9495c5.1640344012.git.christophe.leroy@csgroup.eu Signed-off-by: Greg Kroah-Hartman commit 08bbf945603f093da181c6f2f3250b08eda3068e Author: Anders Roxell Date: Thu Feb 24 17:22:15 2022 +0100 powerpc/lib/sstep: Fix build errors with newer binutils commit 8219d31effa7be5dbc7ff915d7970672e028c701 upstream. Building tinyconfig with gcc (Debian 11.2.0-16) and assembler (Debian 2.37.90.20220207) the following build error shows up: {standard input}: Assembler messages: {standard input}:10576: Error: unrecognized opcode: `stbcx.' {standard input}:10680: Error: unrecognized opcode: `lharx' {standard input}:10694: Error: unrecognized opcode: `lbarx' Rework to add assembler directives [1] around the instruction. The problem with this might be that we can trick a power6 into single-stepping through an stbcx. for instance, and it will execute that in kernel mode. [1] https://sourceware.org/binutils/docs/as/PowerPC_002dPseudo.html#PowerPC_002dPseudo Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Co-developed-by: Arnd Bergmann Signed-off-by: Arnd Bergmann Signed-off-by: Anders Roxell Reviewed-by: Segher Boessenkool Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-3-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit d44804ff8ed64e2a1dbcd98a729e430c654e67be Author: Anders Roxell Date: Thu Feb 24 17:22:13 2022 +0100 powerpc/lib/sstep: Fix 'sthcx' instruction commit a633cb1edddaa643fadc70abc88f89a408fa834a upstream. Looks like there been a copy paste mistake when added the instruction 'stbcx' twice and one was probably meant to be 'sthcx'. Changing to 'sthcx' from 'stbcx'. Fixes: 350779a29f11 ("powerpc: Handle most loads and stores in instruction emulation code") Cc: stable@vger.kernel.org # v4.14+ Reported-by: Arnd Bergmann Signed-off-by: Anders Roxell Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224162215.3406642-1-anders.roxell@linaro.org Signed-off-by: Greg Kroah-Hartman commit de56beace6648065d404cd9835aa7d30e3df519d Author: Chen Jingwen Date: Wed Dec 29 11:52:26 2021 +0800 powerpc/kasan: Fix early region not updated correctly commit dd75080aa8409ce10d50fb58981c6b59bf8707d3 upstream. The shadow's page table is not updated when PTE_RPN_SHIFT is 24 and PAGE_SHIFT is 12. It not only causes false positives but also false negative as shown the following text. Fix it by bringing the logic of kasan_early_shadow_page_entry here. 1. False Positive: ================================================================== BUG: KASAN: vmalloc-out-of-bounds in pcpu_alloc+0x508/0xa50 Write of size 16 at addr f57f3be0 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.15.0-12267-gdebe436e77c7 #1 Call Trace: [c80d1c20] [c07fe7b8] dump_stack_lvl+0x4c/0x6c (unreliable) [c80d1c40] [c02ff668] print_address_description.constprop.0+0x88/0x300 [c80d1c70] [c02ff45c] kasan_report+0x1ec/0x200 [c80d1cb0] [c0300b20] kasan_check_range+0x160/0x2f0 [c80d1cc0] [c03018a4] memset+0x34/0x90 [c80d1ce0] [c0280108] pcpu_alloc+0x508/0xa50 [c80d1d40] [c02fd7bc] __kmem_cache_create+0xfc/0x570 [c80d1d70] [c0283d64] kmem_cache_create_usercopy+0x274/0x3e0 [c80d1db0] [c2036580] init_sd+0xc4/0x1d0 [c80d1de0] [c00044a0] do_one_initcall+0xc0/0x33c [c80d1eb0] [c2001624] kernel_init_freeable+0x2c8/0x384 [c80d1ef0] [c0004b14] kernel_init+0x24/0x170 [c80d1f10] [c001b26c] ret_from_kernel_thread+0x5c/0x64 Memory state around the buggy address: f57f3a80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3b00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 >f57f3b80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f57f3c00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f57f3c80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== 2. False Negative (with KASAN tests): ================================================================== Before fix: ok 45 - kmalloc_double_kzfree # vmalloc_oob: EXPECTATION FAILED at lib/test_kasan.c:1039 KASAN failure expected in "((volatile char *)area)[3100]", but none occurred not ok 46 - vmalloc_oob not ok 1 - kasan ================================================================== After fix: ok 1 - kasan Fixes: cbd18991e24fe ("powerpc/mm: Fix an Oops in kasan_mmu_init()") Cc: stable@vger.kernel.org # 5.4.x Signed-off-by: Chen Jingwen Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20211229035226.59159-1-chenjingwen6@huawei.com Signed-off-by: Greg Kroah-Hartman commit 5950a25345f40b4f5f8896dff1df809259b73567 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:42 2022 +0100 KVM: x86: hyper-v: HVCALL_SEND_IPI_EX is an XMM fast hypercall commit 47d3e5cdfe607ec6883eb0faa7acf05b8cb3f92a upstream. It has been proven on practice that at least Windows Server 2019 tries using HVCALL_SEND_IPI_EX in 'XMM fast' mode when it has more than 64 vCPUs and it needs to send an IPI to a vCPU > 63. Similarly to other XMM Fast hypercalls (HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE}{,_EX}), this information is missing in TLFS as of 6.0b. Currently, KVM returns an error (HV_STATUS_INVALID_HYPERCALL_INPUT) and Windows crashes. Note, HVCALL_SEND_IPI is a 'standard' fast hypercall (not 'XMM fast') as all its parameters fit into RDX:R8 and this is handled by KVM correctly. Cc: stable@vger.kernel.org # 5.14.x: 3244867af8c0: KVM: x86: Ignore sparse banks size for an "all CPUs", non-sparse IPI req Cc: stable@vger.kernel.org # 5.14.x Fixes: d8f5537a8816 ("KVM: hyper-v: Advertise support for fast XMM hypercalls") Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-5-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c97284f3ad2c98b40311ac0a2fbd3fb24893d3b1 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:41 2022 +0100 KVM: x86: hyper-v: Fix the maximum number of sparse banks for XMM fast TLB flush hypercalls commit 7321f47eada53a395fb3086d49297eebb19e8e58 upstream. When TLB flush hypercalls (HVCALL_FLUSH_VIRTUAL_ADDRESS_{LIST,SPACE}_EX are issued in 'XMM fast' mode, the maximum number of allowed sparse_banks is not 'HV_HYPERCALL_MAX_XMM_REGISTERS - 1' (5) but twice as many (10) as each XMM register is 128 bit long and can hold two 64 bit long banks. Cc: stable@vger.kernel.org # 5.14.x Fixes: 5974565bc26d ("KVM: x86: kvm_hv_flush_tlb use inputs from XMM registers") Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-4-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 8724eb988486713e8dcd92efeb7802f8c40dbb31 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:40 2022 +0100 KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_flush_tlb() commit 82c1ead0d678af31e5d883656c12096a0004178b upstream. 'struct kvm_hv_hcall' has all the required information already, there's no need to pass 'ex' additionally. No functional change intended. Cc: stable@vger.kernel.org # 5.14.x Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-3-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 2871c85e74973bd7d5e9fc3791c9d9ade770c5f5 Author: Vitaly Kuznetsov Date: Tue Feb 22 16:46:39 2022 +0100 KVM: x86: hyper-v: Drop redundant 'ex' parameter from kvm_hv_send_ipi() commit 50e523dd79f6a856d793ce5711719abe27cffbf2 upstream. 'struct kvm_hv_hcall' has all the required information already, there's no need to pass 'ex' additionally. No functional change intended. Cc: stable@vger.kernel.org # 5.14.x Signed-off-by: Vitaly Kuznetsov Message-Id: <20220222154642.684285-2-vkuznets@redhat.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c252274fffcfb3bc2d585965cb3a6054e55823da Author: Sean Christopherson Date: Sat Feb 26 00:15:20 2022 +0000 KVM: x86/mmu: Check for present SPTE when clearing dirty bit in TDP MMU commit 3354ef5a592d219364cf442c2f784ce7ad7629fd upstream. Explicitly check for present SPTEs when clearing dirty bits in the TDP MMU. This isn't strictly required for correctness, as setting the dirty bit in a defunct SPTE will not change the SPTE from !PRESENT to PRESENT. However, the guarded MMU_WARN_ON() in spte_ad_need_write_protect() would complain if anyone actually turned on KVM's MMU debugging. Fixes: a6a0b05da9f3 ("kvm: x86/mmu: Support dirty logging for the TDP MMU") Cc: Ben Gardon Signed-off-by: Sean Christopherson Reviewed-by: Ben Gardon Message-Id: <20220226001546.360188-3-seanjc@google.com> Cc: stable@vger.kernel.org Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 0c8a8da182d4333d9bbb9131d765145568c847b2 Author: Sean Christopherson Date: Wed Dec 15 01:15:56 2021 +0000 KVM: x86/mmu: Zap _all_ roots when unmapping gfn range in TDP MMU commit d62007edf01f5c11f75d0f4b1e538fc52a5b1982 upstream. Zap both valid and invalid roots when zapping/unmapping a gfn range, as KVM must ensure it holds no references to the freed page after returning from the unmap operation. Most notably, the TDP MMU doesn't zap invalid roots in mmu_notifier callbacks. This leads to use-after-free and other issues if the mmu_notifier runs to completion while an invalid root zapper yields as KVM fails to honor the requirement that there must be _no_ references to the page after the mmu_notifier returns. The bug is most easily reproduced by hacking KVM to cause a collision between set_nx_huge_pages() and kvm_mmu_notifier_release(), but the bug exists between kvm_mmu_notifier_invalidate_range_start() and memslot updates as well. Invalidating a root ensures pages aren't accessible by the guest, and KVM won't read or write page data itself, but KVM will trigger e.g. kvm_set_pfn_dirty() when zapping SPTEs, and thus completing a zap of an invalid root _after_ the mmu_notifier returns is fatal. WARNING: CPU: 24 PID: 1496 at arch/x86/kvm/../../../virt/kvm/kvm_main.c:173 [kvm] RIP: 0010:kvm_is_zone_device_pfn+0x96/0xa0 [kvm] Call Trace: kvm_set_pfn_dirty+0xa8/0xe0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] __handle_changed_spte+0x2ab/0x5e0 [kvm] zap_gfn_range+0x1f3/0x310 [kvm] kvm_tdp_mmu_zap_invalidated_roots+0x50/0x90 [kvm] kvm_mmu_zap_all_fast+0x177/0x1a0 [kvm] set_nx_huge_pages+0xb4/0x190 [kvm] param_attr_store+0x70/0x100 module_attr_store+0x19/0x30 kernfs_fop_write_iter+0x119/0x1b0 new_sync_write+0x11c/0x1b0 vfs_write+0x1cc/0x270 ksys_write+0x5f/0xe0 do_syscall_64+0x38/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: b7cccd397f31 ("KVM: x86/mmu: Fast invalidation for TDP MMU") Cc: stable@vger.kernel.org Cc: Ben Gardon Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-4-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 5d6e8b7d52d425b688692c6a84e5872af5d80a72 Author: Sean Christopherson Date: Wed Dec 15 01:15:55 2021 +0000 KVM: x86/mmu: Move "invalid" check out of kvm_tdp_mmu_get_root() commit 04dc4e6ce274fa729feda32aa957b27388a3870c upstream. Move the check for an invalid root out of kvm_tdp_mmu_get_root() and into the one place it actually matters, tdp_mmu_next_root(), as the other user already has an implicit validity check. A future bug fix will need to get references to invalid roots to honor mmu_notifier requests; there's no point in forcing what will be a common path to open code getting a reference to a root. No functional change intended. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-3-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 1623434d4773341ef4a8247ff17377da1e1cc6cf Author: Sean Christopherson Date: Wed Dec 15 01:15:54 2021 +0000 KVM: x86/mmu: Use common TDP MMU zap helper for MMU notifier unmap hook commit 83b83a02073ec8d18c77a9bbe0881d710f7a9d32 upstream. Use the common TDP MMU zap helper when handling an MMU notifier unmap event, the two flows are semantically identical. Consolidate the code in preparation for a future bug fix, as both kvm_tdp_mmu_unmap_gfn_range() and __kvm_tdp_mmu_zap_gfn_range() are guilty of not zapping SPTEs in invalid roots. No functional change intended. Cc: stable@vger.kernel.org Signed-off-by: Sean Christopherson Message-Id: <20211215011557.399940-2-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit f8a4f764ded680e225901938dff78a2ecba60290 Author: Paolo Bonzini Date: Wed Feb 9 04:56:05 2022 -0500 KVM: x86: Reinitialize context if host userspace toggles EFER.LME commit d6174299365ddbbf491620c0b8c5ca1a6ef2eea5 upstream. While the guest runs, EFER.LME cannot change unless CR0.PG is clear, and therefore EFER.NX is the only bit that can affect the MMU role. However, set_efer accepts a host-initiated change to EFER.LME even with CR0.PG=1. In that case, the MMU has to be reset. Fixes: 11988499e62b ("KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes") Cc: stable@vger.kernel.org Reviewed-by: Sean Christopherson Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit 6f2a22571fbbbf0264a2577ee7d6b923fca8b8bd Author: Matt Kramer Date: Tue Mar 22 13:48:17 2022 -0700 ALSA: hda/realtek: Add alc256-samsung-headphone fixup [ Upstream commit ef248d9bd616b04df8be25539a4dc5db4b6c56f4 ] This fixes the near-silence of the headphone jack on the ALC256-based Samsung Galaxy Book Flex Alpha (NP730QCJ). The magic verbs were found through trial and error, using known ALC298 hacks as inspiration. The fixup is auto-enabled only when the NP730QCJ is detected. It can be manually enabled using model=alc256-samsung-headphone. Signed-off-by: Matt Kramer Link: https://lore.kernel.org/r/3168355.aeNJFYEL58@linus Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit f3ded4a93eea7e008f1eb4e3ca98679396b351ad Author: Mauro Carvalho Chehab Date: Mon Mar 14 18:11:38 2022 +0100 media: atomisp: fix bad usage at error handling logic [ Upstream commit fc0b582c858ed73f94c8f3375c203ea46f1f7402 ] As warned by sparse: atomisp: drivers/staging/media/atomisp/pci/atomisp_acc.c:508 atomisp_acc_load_extensions() warn: iterator used outside loop: 'acc_fw' The acc_fw interactor is used outside the loop, at the error handling logic. On most cases, this is actually safe there, but, if atomisp_css_set_acc_parameters() has an error, an attempt to use it will pick an invalid value for acc_fw. Reported-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b6283cc505cfc7f23c9d6e062a948e0455e35270 Author: Ulf Hansson Date: Thu Mar 3 17:51:42 2022 +0100 mmc: host: Return an error when ->enable_sdio_irq() ops is missing [ Upstream commit d6c9219ca1139b74541b2a98cee47a3426d754a9 ] Even if the current WARN() notifies the user that something is severely wrong, we can still end up in a PANIC() when trying to invoke the missing ->enable_sdio_irq() ops. Therefore, let's also return an error code and prevent the host from being added. While at it, move the code into a separate function to prepare for subsequent changes and for further host caps validations. Signed-off-by: Ulf Hansson Link: https://lore.kernel.org/r/20220303165142.129745-1-ulf.hansson@linaro.org Signed-off-by: Sasha Levin commit 55defdf935fab9f2989a197aae1042c082d9a343 Author: Steven Rostedt (Google) Date: Thu Mar 10 23:27:38 2022 -0500 tracing: Have TRACE_DEFINE_ENUM affect trace event types as well [ Upstream commit b3bc8547d3be60898818885f5bf22d0a62e2eb48 ] The macro TRACE_DEFINE_ENUM is used to convert enums in the kernel to their actual value when they are exported to user space via the trace event format file. Currently only the enums in the "print fmt" (TP_printk in the TRACE_EVENT macro) have the enums converted. But the enums can be used to denote array size: field:unsigned int fc_ineligible_rc[EXT4_FC_REASON_MAX]; offset:12; size:36; signed:0; The EXT4_FC_REASON_MAX has no meaning to userspace but it needs to know that information to know how to parse the array. Have the array indexes also be parsed as well. Link: https://lore.kernel.org/all/cover.1646922487.git.riteshh@linux.ibm.com/ Reported-by: Ritesh Harjani Tested-by: Ritesh Harjani Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit b4cef68ea516548d3443fcdfac396f666a05aa1e Author: Pierre-Louis Bossart Date: Tue Mar 8 13:26:05 2022 -0600 ASoC: Intel: sof_es8336: log all quirks [ Upstream commit 9c818d849192491a8799b1cb14ca0f7aead4fb09 ] We only logged the SSP quirk, make sure the GPIO and DMIC quirks are exposed. Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-16-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ff881306b0b4efc0b4612af3fe403217a11ed91d Author: Pierre-Louis Bossart Date: Tue Mar 8 13:26:03 2022 -0600 ASoC: Intel: Revert "ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021" [ Upstream commit 1b5283483a782f6560999d8d5965b1874d104812 ] This reverts commit ce6a70bfce21bb4edb7c0f29ecfb0522fa34ab71. The next patch will add run-time detection of the required SSP and this hard-coded quirk is not needed. Acked-by: Mauro Carvalho Chehab Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-14-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0fb7cc67852f5631afe5f9daf75dac822c744086 Author: Pierre-Louis Bossart Date: Tue Mar 8 13:25:58 2022 -0600 ASoC: Intel: soc-acpi: add more ACPI HIDs for ES83x6 devices [ Upstream commit 1cedb6eabf0f2dd8285d3bb0ce1abd2369529084 ] We only saw ESSX8336 so far, but now with reports of 'ESSX8326' we need to expand to a full list. Let's reuse the 'snd_soc_acpi_codecs' structure to store the information. Note that ES8326 will need a dedicated codec driver, but the plan is to use the same machine driver for all Everest Audio devices. Reported-by: anthony tonitch Signed-off-by: Pierre-Louis Bossart Reviewed-by: Bard Liao Reviewed-by: Péter Ujfalusi Link: https://lore.kernel.org/r/20220308192610.392950-9-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1fa132fb8adc4c843aa8906fcf2be6294bfcbcb3 Author: Anthony I Gilea Date: Fri Mar 4 14:45:32 2022 -0600 ASoC: Intel: sof_sdw: fix quirks for 2022 HP Spectre x360 13" [ Upstream commit ce73ef6ec67104d1fcc4c5911d77ce83288a0998 ] HP changed the DMI identification for 2022 devices: Product Name: HP Spectre x360 Conv 13-ap0001na Product Name: 8709 This patch relaxes the DMI_MATCH criterion to work with all versions of this product. Reviewed-by: Rander Wang Signed-off-by: Anthony I Gilea Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220304204532.54675-4-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9abf4402e0bf5acdea102ce8082a2b90483c4c2e Author: Dongliang Mu Date: Fri Feb 18 10:41:30 2022 +0100 media: hdpvr: initialize dev->worker at hdpvr_register_videodev [ Upstream commit 07922937e9a580825f9965c46fd15e23ba5754b6 ] hdpvr_register_videodev is responsible to initialize a worker in hdpvr_device. However, the worker is only initialized at hdpvr_start_streaming other than hdpvr_register_videodev. When hdpvr_probe does not initialize its worker, the hdpvr_disconnect will encounter one WARN in flush_work.The stack trace is as follows: hdpvr_disconnect+0xb8/0xf2 drivers/media/usb/hdpvr/hdpvr-core.c:425 usb_unbind_interface+0xbf/0x3a0 drivers/usb/core/driver.c:458 __device_release_driver drivers/base/dd.c:1206 [inline] device_release_driver_internal+0x22a/0x230 drivers/base/dd.c:1237 bus_remove_device+0x108/0x160 drivers/base/bus.c:529 device_del+0x1fe/0x510 drivers/base/core.c:3592 usb_disable_device+0xd1/0x1d0 drivers/usb/core/message.c:1419 usb_disconnect+0x109/0x330 drivers/usb/core/hub.c:2228 Fix this by moving the initialization of dev->worker to the starting of hdpvr_register_videodev Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e7fb5ec627792a50380ce6bba76b08f8283fea7e Author: Pavel Skripkin Date: Thu Jan 20 20:37:30 2022 +0100 media: Revert "media: em28xx: add missing em28xx_close_extension" [ Upstream commit fde18c3bac3f964d8333ae53b304d8fee430502b ] This reverts commit 2c98b8a3458df03abdc6945bbef67ef91d181938. Reverted patch causes problems with Hauppauge WinTV dualHD as Maximilian reported [1]. Since quick solution didn't come up let's just revert it to make this device work with upstream kernels. Link: https://lore.kernel.org/all/6a72a37b-e972-187d-0322-16336e12bdc5@elbmurf.de/ [1] Reported-by: Maximilian Böhm Tested-by: Maximilian Böhm Signed-off-by: Pavel Skripkin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e859dbd315a13dbdcd601278b53928d106953bc0 Author: Hans de Goede Date: Thu Feb 3 13:33:12 2022 +0100 media: i2c: ov5648: Fix lockdep error [ Upstream commit d4cb5d3c4cee28aa89b02bc33d930a6cf75e7f79 ] ov5648_state_init() calls ov5648_state_mipi_configure() which uses __v4l2_ctrl_s_ctrl[_int64](). This means that sensor->mutex (which is also sensor->ctrls.handler.lock) must be locked before calling ov5648_state_init(). ov5648_state_mipi_configure() is also used in other places where the lock is already held so it cannot be changed itself. Note this is based on an identical (tested) fix for the ov8865 driver, this has only been compile-tested. Cc: Paul Kocialkowski Reviewed-by: Paul Kocialkowski Signed-off-by: Hans de Goede Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit aeb635b49530b7d19e140949753409f759ba99be Author: Zheyu Ma Date: Wed Mar 2 22:33:11 2022 +0800 video: fbdev: sm712fb: Fix crash in smtcfb_write() [ Upstream commit 4f01d09b2bbfbcb47b3eb305560a7f4857a32260 ] When the sm712fb driver writes three bytes to the framebuffer, the driver will crash: BUG: unable to handle page fault for address: ffffc90001ffffff RIP: 0010:smtcfb_write+0x454/0x5b0 Call Trace: vfs_write+0x291/0xd60 ? do_sys_openat2+0x27d/0x350 ? __fget_light+0x54/0x340 ksys_write+0xce/0x190 do_syscall_64+0x43/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fix it by removing the open-coded endianness fixup-code. Signed-off-by: Zheyu Ma Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 1c709e8b71edc7f4929bfe3e263ed5664dac52ba Author: Vijendar Mukunda Date: Sat Feb 26 01:00:25 2022 +0530 ASoC: amd: vangogh: fix uninitialized symbol warning in machine driver [ Upstream commit 6f989800639a7a29ab9a02e165b04dc144dd4f2b ] Fixed below smatch static checker warning. sound/soc/amd/vangogh/acp5x-mach.c:190 acp5x_cs35l41_hw_params() error: uninitialized symbol 'ret'. Reported-by: Dan Carpenter Signed-off-by: Vijendar Mukunda Link: https://lore.kernel.org/r/20220225193054.24916-4-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d134139567645ccd5d65617c0ae725f76e4ce64b Author: Vijendar Mukunda Date: Sat Feb 26 01:00:22 2022 +0530 ASoC: amd: vg: fix for pm resume callback sequence [ Upstream commit 83b713619ee1b15e09eae11a92a7f3305534223d ] The previous condition is used to cross check only the active stream status for I2S HS instance playback and capture use cases. Modified logic to invoke sequence for two i2s controller instances. This also fixes warnings reported by kernel robot: "warning: variable 'frmt_val' set but not used" "warning: variable 'reg_val' set but not used" Reported-by: kernel test robot Signed-off-by: Vijendar Mukunda Link: https://lore.kernel.org/r/20220225193054.24916-1-Vijendar.Mukunda@amd.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 56f25cad7d3e3a55612d9596551ad436f8647317 Author: Uwe Kleine-König Date: Mon Jul 26 22:01:58 2021 +0200 ARM: mmp: Fix failure to remove sram device [ Upstream commit 4036b29a146b2749af3bb213b003eb69f3e5ecc4 ] Make sure in .probe() to set driver data before the function is left to make it possible in .remove() to undo the actions done. This fixes a potential memory leak and stops returning an error code in .remove() that is ignored by the driver core anyhow. Signed-off-by: Uwe Kleine-König Reviewed-by: Greg Kroah-Hartman Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit bebb06d4b16f5da61304af91b26853b88416f4c4 Author: Richard Leitner Date: Wed Dec 1 17:11:48 2021 +0100 ARM: tegra: tamonten: Fix I2C3 pad setting [ Upstream commit 0092c25b541a5422d7e71892a13c55ee91abc34b ] This patch fixes the tristate configuration for i2c3 function assigned to the dtf pins on the Tamonten Tegra20 SoM. Signed-off-by: Richard Leitner Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit b1228b0c42b6f430dc556d7f9d171e1e006af32b Author: Arnd Bergmann Date: Wed Feb 16 13:48:06 2022 +0100 lib/test_lockup: fix kernel pointer check for separate address spaces [ Upstream commit 5a06fcb15b43d1f7bf740c672950122331cb5655 ] test_kernel_ptr() uses access_ok() to figure out if a given address points to user space instead of kernel space. However on architectures that set CONFIG_ALTERNATE_USER_ADDRESS_SPACE, a pointer can be valid for both, and the check always fails because access_ok() returns true. Make the check for user space pointers conditional on the type of address space layout. Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 8a75574a75496093df9dcdb1c19491e3320af041 Author: Arnd Bergmann Date: Mon Feb 14 20:22:10 2022 +0100 uaccess: fix type mismatch warnings from access_ok() [ Upstream commit 23fc539e81295b14b50c6ccc5baeb4f3d59d822d ] On some architectures, access_ok() does not do any argument type checking, so replacing the definition with a generic one causes a few warnings for harmless issues that were never caught before. Fix the ones that I found either through my own test builds or that were reported by the 0-day bot. Reported-by: kernel test robot Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 6865b5a7c5c033fa78ff6c0ac3b32a2108505000 Author: Derek Fang Date: Wed Feb 23 18:14:50 2022 +0800 ASoC: rt5682s: Fix the wrong jack type detected [ Upstream commit c07ac3ee76e5e5506bca9c03fbbb15e40ab28430 ] Some powers were changed during the jack insert detection and clk's enable/disable in CCF. If in parallel, the influence has a chance to detect the wrong jack type. We refer to the below commit of the variant codec (rt5682) to fix this issue. ASoC: rt5682: Fix deadlock on resume 1. Remove rt5682s_headset_detect in rt5682s_jd_check_handler and use jack_detect_work instead of. 2. Use dapm mutex used in CCF to protect most of jack_detect_work. Signed-off-by: Derek Fang Link: https://lore.kernel.org/r/20220223101450.4577-1-derek.fang@realtek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e25b48204dce34fbe26c8a37aad20936d5711b3e Author: Daniel González Cabanelas Date: Sun Feb 20 19:19:50 2022 +0100 media: cx88-mpeg: clear interrupt status register before streaming video [ Upstream commit 56cb61f70e547e1b0cdfe6ff5a1f1ce6242e6d96 ] Some cx88 video cards may have transport stream status interrupts set to 1 from cold start, causing errors like this: cx88xx: cx88_print_irqbits: core:irq mpeg [0x100000] ts_err?* cx8802: cx8802_mpeg_irq: mpeg:general errors: 0x00100000 According to CX2388x datasheet, the interrupt status register should be cleared before enabling IRQs to stream video. Fix it by clearing the Transport Stream Interrupt Status register. Signed-off-by: Daniel González Cabanelas Signed-off-by: Sasha Levin commit 20c8b90430c5d6c4a3936eaa7c35aac670581487 Author: Ming Qian Date: Mon Feb 7 14:28:43 2022 +0800 media: imx-jpeg: fix a bug of accessing array out of bounds [ Upstream commit 97558d170a1236280407e8d29a7d095d2c2ed554 ] When error occurs in parsing jpeg, the slot isn't acquired yet, it may be the default value MXC_MAX_SLOTS. If the driver access the slot using the incorrect slot number, it will access array out of bounds. The result is the driver will change num_domains, which follows slot_data in struct mxc_jpeg_dev. Then the driver won't detach the pm domain at rmmod, which will lead to kernel panic when trying to insmod again. Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 3509825520a4867e8192f1be50580c415ab4b5fc Author: Mauro Carvalho Chehab Date: Fri Dec 24 14:09:50 2021 +0100 ASoC: Intel: sof_es8336: add quirk for Huawei D15 2021 [ Upstream commit ce6a70bfce21bb4edb7c0f29ecfb0522fa34ab71 ] Huawei D15 uses SSP_CODEC(0). Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/d560a1c76edb633c37acf04a9a82518b6233a719.1640351150.git.mchehab@kernel.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0fb750b0fca76ce1532cb5c359279a68a668a636 Author: Shengjiu Wang Date: Thu Feb 10 19:19:12 2022 +0800 ASoC: soc-core: skip zero num_dai component in searching dai name [ Upstream commit f7d344a2bd5ec81fbd1ce76928fd059e57ec9bea ] In the case like dmaengine which's not a dai but as a component, the num_dai is zero, dmaengine component has the same component_of_node as cpu dai, when cpu dai component is not ready, but dmaengine component is ready, try to get cpu dai name, the snd_soc_get_dai_name() return -EINVAL, not -EPROBE_DEFER, that cause below error: asoc-simple-card : parse error -22 asoc-simple-card: probe of failed with error -22 The sound card failed to probe. So this patch fixes the issue above by skipping the zero num_dai component in searching dai name. Signed-off-by: Shengjiu Wang Link: https://lore.kernel.org/r/1644491952-7457-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 81e014a9084ac55ebef9f6a88a53fc8e96b10ae1 Author: Richard Schleich Date: Tue Dec 21 23:48:30 2021 +0100 ARM: dts: bcm2711: Add the missing L1/L2 cache information [ Upstream commit 618682b350990f8f1bee718949c4b3858711eb58 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2711 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 1e79a536e6e4f120ae710cb6df2d5934ffab1386 Author: Jing Yao Date: Thu Nov 4 11:52:29 2021 +0000 video: fbdev: udlfb: replace snprintf in show functions with sysfs_emit [ Upstream commit 81a998288956d09d7a7a2303d47e4d60ad55c401 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit b3e7f4fff89a3a30c40ce54ee77cb07ccf7febb4 Author: Jing Yao Date: Fri Nov 5 08:20:44 2021 +0000 video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf() [ Upstream commit c07a039cbb96748f54c02995bae8131cc9a73b0a ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit dd189d40ee51b9036a1c2ae5c715bac28edaa3c1 Author: Jing Yao Date: Fri Nov 5 08:13:33 2021 +0000 video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf() [ Upstream commit f63658a59c3d439c8ad7b290f8ec270980e0f384 ] Use sysfs_emit instead of scnprintf, snprintf or sprintf. Reported-by: Zeal Robot Signed-off-by: Jing Yao Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 9cf7472ca149002d96c30328d774b479ec22ce1c Author: Marcel Ziswiler Date: Fri Jan 28 17:00:56 2022 +0100 arm64: defconfig: build imx-sdma as a module [ Upstream commit e95622289f263662240544a9f0009b25c19e64d4 ] This avoids firmware load error and sysfs fallback reported as follows: [ 0.199448] imx-sdma 302c0000.dma-controller: Direct firmware load for imx/sdma/sdma-imx7d.bin failed with error -2 [ 0.199487] imx-sdma 302c0000.dma-controller: Falling back to sysfs fallback for: imx/sdma/sdma-imx7d.bin Signed-off-by: Marcel Ziswiler Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit c17ecf86816dd2f55dcad206ce67b6e53e42717a Author: Abel Vesa Date: Thu Jan 27 16:10:51 2022 +0200 ARM: dts: imx7: Use audio_mclk_post_div instead audio_mclk_root_clk [ Upstream commit 4cb7df64c732b2b9918424095c11660c2a8c4a33 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. Moreover, the consumer driver of the mentioned clock might gate it and leave the ECSPI2 (the true owner of that gate) hanging. So lets use the audio_mclk_post_div, which is the parent. Signed-off-by: Abel Vesa Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 8550b212e8d2b3e58e36a133aa5a9716a454c15d Author: Takashi Iwai Date: Wed Feb 9 09:19:12 2022 +0100 ALSA: hda: Fix driver index handling at re-binding [ Upstream commit 69458e2c27800da7697c87ed908b65323ef3f3bd ] HD-audio driver handles the multiple instances and keeps the static index that is incremented at each probe. This becomes a problem when user tries to re-bind the device via sysfs multiple times; as the device index isn't cleared unlike rmmod case, it points to the next element at re-binding, and eventually later you can't probe any more when it reaches to SNDRV_CARDS_MAX (usually 32). This patch is an attempt to improve the handling at rebinding. Instead of a static device index, now we keep a bitmap and assigns to the first zero bit position. At the driver remove, in return, the bitmap slot is cleared again, so that it'll be available for the next probe. Reported-by: Alexander Sergeyev Link: https://lore.kernel.org/r/20220209081912.20687-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 059449add003c4836dda5edae4d28d7f132daf90 Author: Ard Biesheuvel Date: Sun Jan 23 20:18:33 2022 +0100 ARM: ftrace: avoid redundant loads or clobbering IP [ Upstream commit d11967870815b5ab89843980e35aab616c97c463 ] Tweak the ftrace return paths to avoid redundant loads of SP, as well as unnecessary clobbering of IP. This also fixes the inconsistency of using MOV to perform a function return, which is sub-optimal on recent micro-architectures but more importantly, does not perform an interworking return, unlike compiler generated function returns in Thumb2 builds. Let's fix this by popping PC from the stack like most ordinary code does. Signed-off-by: Ard Biesheuvel Reviewed-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit edaa87390aab4d9452730540243c2f0ef06d5fc9 Author: Tsuchiya Yuto Date: Sun Oct 17 18:23:33 2021 +0200 media: atomisp: fix dummy_ptr check to avoid duplicate active_bo [ Upstream commit 127efdbc51fe6064336c0452ce9c910b3e107cf0 ] The dummy_ptr check in hmm_init() [1] results in the following "hmm_init Failed to create sysfs" error exactly once every two times on atomisp reload by rmmod/insmod (although atomisp module loads and works fine regardless of this error): [ 140.230662] sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:03.0/active_bo' [ 140.230668] CPU: 1 PID: 2502 Comm: insmod Tainted: G C OE 5.15.0-rc4-1-surface-mainline #1 b8acf6eb64994414b2e20bad312a7a2c45f748f9 [ 140.230675] Hardware name: OEMB OEMB/OEMB, BIOS 1.51116.238 03/09/2015 [ 140.230678] Call Trace: [ 140.230687] dump_stack_lvl+0x46/0x5a [ 140.230702] sysfs_warn_dup.cold+0x17/0x24 [ 140.230710] sysfs_add_file_mode_ns+0x160/0x170 [ 140.230717] internal_create_group+0x126/0x390 [ 140.230723] hmm_init+0x5c/0x70 [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230811] atomisp_pci_probe.cold+0x1136/0x148e [atomisp 7a6a680bf400629363d2a6f58fd10e7299678b99] [ 140.230875] local_pci_probe+0x45/0x80 [ 140.230882] ? pci_match_device+0xd7/0x130 [ 140.230887] pci_device_probe+0xfa/0x1b0 [ 140.230892] really_probe+0x1f5/0x3f0 [ 140.230899] __driver_probe_device+0xfe/0x180 [ 140.230903] driver_probe_device+0x1e/0x90 [ 140.230908] __driver_attach+0xc0/0x1c0 [ 140.230912] ? __device_attach_driver+0xe0/0xe0 [ 140.230915] ? __device_attach_driver+0xe0/0xe0 [ 140.230919] bus_for_each_dev+0x89/0xd0 [ 140.230924] bus_add_driver+0x12b/0x1e0 [ 140.230929] driver_register+0x8f/0xe0 [ 140.230933] ? 0xffffffffc153f000 [ 140.230937] do_one_initcall+0x57/0x220 [ 140.230945] do_init_module+0x5c/0x260 [ 140.230952] load_module+0x24bd/0x26a0 [ 140.230962] ? __do_sys_finit_module+0xae/0x110 [ 140.230966] __do_sys_finit_module+0xae/0x110 [ 140.230972] do_syscall_64+0x5c/0x80 [ 140.230979] ? syscall_exit_to_user_mode+0x23/0x40 [ 140.230983] ? do_syscall_64+0x69/0x80 [ 140.230988] ? exc_page_fault+0x72/0x170 [ 140.230991] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 140.230997] RIP: 0033:0x7f7fd5d8718d [ 140.231003] Code: b4 0c 00 0f 05 eb a9 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d b3 6c 0c 00 f7 d8 64 89 01 48 [ 140.231006] RSP: 002b:00007ffefc25f0e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 140.231012] RAX: ffffffffffffffda RBX: 000055ac3edcd7f0 RCX: 00007f7fd5d8718d [ 140.231015] RDX: 0000000000000000 RSI: 000055ac3d723270 RDI: 0000000000000003 [ 140.231017] RBP: 0000000000000000 R08: 0000000000000000 R09: 00007f7fd5e52380 [ 140.231019] R10: 0000000000000003 R11: 0000000000000246 R12: 000055ac3d723270 [ 140.231021] R13: 0000000000000000 R14: 000055ac3edd06e0 R15: 0000000000000000 [ 140.231038] atomisp-isp2 0000:00:03.0: hmm_init Failed to create sysfs The problem is that dummy_ptr == 0 is a valid value. So, change the logic which checks if dummy_ptr was allocated. At this point, atomisp now gives WARN_ON() in hmm_free() [2] on atomisp reload by rmmod/insmod. Again, the check is wrong there. So, change both checks for mmgr_EXCEPTION, which is the error value when HMM allocation fails, and initialize dummy_ptr with such value. [1] added on commit d9ab83953fa7 ("media: atomisp: don't cause a warn if probe failed") [2] added on commit b83cc378dfc4 ("atomisp: clean up the hmm init/cleanup indirections") Link: https://lore.kernel.org/linux-media/20211017162337.44860-3-kitakar@gmail.com Signed-off-by: Tsuchiya Yuto Co-developed-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 45c5943ef78148b5a10c3290c3572c02a95bc0a1 Author: Hans de Goede Date: Sun Jan 16 22:52:04 2022 +0100 media: atomisp_gmin_platform: Add DMI quirk to not turn AXP ELDO2 regulator off on some boards [ Upstream commit 2c39a01154ea57d596470afa1d278e3be3b37f6a ] The TrekStor SurfTab duo W1 10.1 has a hw bug where turning eldo2 back on after having turned it off causes the CPLM3218 ambient-light-sensor on the front camera sensor's I2C bus to crash, hanging the bus. Add a DMI quirk table for systems on which to leave eldo2 on. Note an alternative fix is to turn off the CPLM3218 ambient-light-sensor as long as the camera sensor is being used, this is what Windows seems to do as a workaround (based on analyzing the DSDT). But that is not easy to do cleanly under Linux. Link: https://lore.kernel.org/linux-media/20220116215204.307649-10-hdegoede@redhat.com Signed-off-by: Hans de Goede Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit dfc9bafe5ec4a86f350a7c4bdbf03275a3968dd1 Author: Charles Keepax Date: Thu Feb 3 11:50:25 2022 +0000 ASoC: madera: Add dependencies on MFD [ Upstream commit ec29170c724ca30305fc3a19ba2ee73ecac65509 ] The Madera CODECs use regmap_irq functions but nothing ensures that regmap_irq is built into the kernel. Add dependencies on the ASoC symbols for the relevant MFD component. There is no point in building the ASoC driver if the MFD doesn't support it and the MFD part contains the necessary dependencies to ensure everything is built into the kernel. Reported-by: Mark Brown Signed-off-by: Charles Keepax Link: https://lore.kernel.org/r/20220203115025.16464-1-ckeepax@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit fbd93018756f5304d66895be207718a376579f2b Author: Richard Schleich Date: Sat Dec 18 21:00:09 2021 +0100 ARM: dts: bcm2837: Add the missing L1/L2 cache information [ Upstream commit bdf8762da268d2a34abf517c36528413906e9cd5 ] This patch fixes the kernel warning "cacheinfo: Unable to detect cache hierarchy for CPU 0" for the bcm2837 on newer kernel versions. Signed-off-by: Richard Schleich Tested-by: Stefan Wahren [florian: Align and remove comments matching property values] Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 8feb97b64b34b5a67eb52d36e20976e89a4c8a3f Author: David Heidelberg Date: Sat Jan 8 18:42:28 2022 +0100 ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960 [ Upstream commit 6f7e221e7a5cfc3299616543fce42b36e631497b ] IRQ types blindly copied from very similar APQ8064. Fixes warnings as: WARNING: CPU: 0 PID: 1 at drivers/irqchip/irq-gic.c:1080 gic_irq_domain_translate+0x118/0x120 ... Tested-by: LogicalErzor # boot-tested on Samsung S3 Signed-off-by: David Heidelberg Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220108174229.60384-1-david@ixit.cz Signed-off-by: Sasha Levin commit b50ebeec90d348ddc91afe5133595f4251f98fd4 Author: Yang Guang Date: Tue Nov 30 08:06:03 2021 +0800 video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit [ Upstream commit 24565bc4115961db7ee64fcc7ad2a7437c0d0a49 ] coccinelle report: ./drivers/video/fbdev/omap2/omapfb/displays/panel-sony-acx565akm.c: 479:9-17: WARNING: use scnprintf or sprintf Use sysfs_emit instead of scnprintf or sprintf makes more sense. Reported-by: Zeal Robot Signed-off-by: Yang Guang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 45800c42ef000f417270bcfc08630e42486fca99 Author: George Kennedy Date: Wed Oct 27 15:30:13 2021 -0500 video: fbdev: cirrusfb: check pixclock to avoid divide by zero [ Upstream commit 5c6f402bdcf9e7239c6bc7087eda71ac99b31379 ] Do a sanity check on pixclock value to avoid divide by zero. If the pixclock value is zero, the cirrusfb driver will round up pixclock to get the derived frequency as close to maxclock as possible. Syzkaller reported a divide error in cirrusfb_check_pixclock. divide error: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 14938 Comm: cirrusfb_test Not tainted 5.15.0-rc6 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2 RIP: 0010:cirrusfb_check_var+0x6f1/0x1260 Call Trace: fb_set_var+0x398/0xf90 do_fb_ioctl+0x4b8/0x6f0 fb_ioctl+0xeb/0x130 __x64_sys_ioctl+0x19d/0x220 do_syscall_64+0x3a/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Signed-off-by: George Kennedy Reviewed-by: Geert Uytterhoeven Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit a478566d6c34f5061f9c8d1df6a5492387aa98f2 Author: Evgeny Novikov Date: Wed Aug 11 19:58:26 2021 +0300 video: fbdev: w100fb: Reset global state [ Upstream commit 8738ddcac644964ae128ccd3d80d48773c8d528e ] w100fb_probe() did not reset the global state to its initial state. This can result in invocation of iounmap() even when there was not the appropriate successful call of ioremap(). For instance, this may be the case if first probe fails after two successful ioremap() while second probe fails when first ioremap() fails. The similar issue is with w100fb_remove(). The patch fixes both bugs. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Evgeny Novikov Co-developed-by: Kirill Shilimanov Signed-off-by: Kirill Shilimanov Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 6a5226e544ac043bb2d8dc1bfe8920d02282f7cd Author: Tim Gardner Date: Mon Sep 27 09:45:02 2021 -0600 video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow [ Upstream commit 37a1a2e6eeeb101285cd34e12e48a881524701aa ] Coverity complains of a possible buffer overflow. However, given the 'static' scope of nvidia_setup_i2c_bus() it looks like that can't happen after examiniing the call sites. CID 19036 (#1 of 1): Copy into fixed size buffer (STRING_OVERFLOW) 1. fixed_size_dest: You might overrun the 48-character fixed-size string chan->adapter.name by copying name without checking the length. 2. parameter_as_source: Note: This defect has an elevated risk because the source argument is a parameter of the current function. 89 strcpy(chan->adapter.name, name); Fix this warning by using strscpy() which will silence the warning and prevent any future buffer overflows should the names used to identify the channel become much longer. Cc: Antonino Daplas Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Tim Gardner Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit b7bf68272b6ae7c469854e2e054db1db1d158999 Author: Yong Wu Date: Mon Jan 17 08:05:02 2022 +0100 media: iommu/mediatek: Add device_link between the consumer and the larb devices [ Upstream commit 635319a4a7444ca97124d781cd96deb277ff4d40 ] MediaTek IOMMU-SMI diagram is like below. all the consumer connect with smi-larb, then connect with smi-common. M4U | smi-common | ------------- | | ... | | larb1 larb2 | | vdec venc When the consumer works, it should enable the smi-larb's power which also need enable the smi-common's power firstly. Thus, First of all, use the device link connect the consumer and the smi-larbs. then add device link between the smi-larb and smi-common. This patch adds device_link between the consumer and the larbs. When device_link_add, I add the flag DL_FLAG_STATELESS to avoid calling pm_runtime_xx to keep the original status of clocks. It can avoid two issues: 1) Display HW show fastlogo abnormally reported in [1]. At the beggining, all the clocks are enabled before entering kernel, but the clocks for display HW(always in larb0) will be gated after clk_enable and clk_disable called from device_link_add(->pm_runtime_resume) and rpm_idle. The clock operation happened before display driver probe. At that time, the display HW will be abnormal. 2) A deadlock issue reported in [2]. Use DL_FLAG_STATELESS to skip pm_runtime_xx to avoid the deadlock. Corresponding, DL_FLAG_AUTOREMOVE_CONSUMER can't be added, then device_link_removed should be added explicitly. Meanwhile, Currently we don't have a device connect with 2 larbs at the same time. Disallow this case, print the error log. [1] https://lore.kernel.org/linux-mediatek/1564213888.22908.4.camel@mhfsdcap03/ [2] https://lore.kernel.org/patchwork/patch/1086569/ Suggested-by: Tomasz Figa Signed-off-by: Yong Wu Tested-by: Frank Wunderlich # BPI-R2/MT7623 Acked-by: Joerg Roedel Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 088d690ba04fd15cb34812165453cdb76698a321 Author: Yong Wu Date: Mon Jan 17 08:05:00 2022 +0100 media: iommu/mediatek: Return ENODEV if the device is NULL [ Upstream commit 2fb0feed51085db77606de9b9477c96894328809 ] The platform device is created at: of_platform_default_populate_init: arch_initcall_sync ->of_platform_populate ->of_platform_device_create_pdata When entering our probe, all the devices should be already created. if it is null, means NODEV. Currently we don't get the fail case. It's a minor fix, no need add fixes tags. Signed-off-by: Yong Wu Acked-by: Joerg Roedel Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 4fd01753ae2c8ddb6b533789e3c4f66ed2019e12 Author: Yong Wu Date: Mon Jan 17 08:04:59 2022 +0100 media: iommu/mediatek-v1: Free the existed fwspec if the master dev already has [ Upstream commit 822a2ed8c606caf6a11b1a180b8e46292bd77d71 ] When the iommu master device enters of_iommu_xlate, the ops may be NULL(iommu dev is defered), then it will initialize the fwspec here: [] (dev_iommu_fwspec_set) from [] (iommu_fwspec_init+0xbc/0xd4) [] (iommu_fwspec_init) from [] (of_iommu_xlate+0x7c/0x12c) [] (of_iommu_xlate) from [] (of_iommu_configure+0x144/0x1e8) BUT the mtk_iommu_v1.c only supports arm32, the probing flow still is a bit weird. We always expect create the fwspec internally. otherwise it will enter here and return fail. static int mtk_iommu_create_mapping(struct device *dev, struct of_phandle_args *args) { ... if (!fwspec) { .... } else if (dev_iommu_fwspec_get(dev)->ops != &mtk_iommu_ops) { >>>>>>>>>>Enter here. return fail.<<<<<<<<<<<< return -EINVAL; } ... } Thus, Free the existed fwspec if the master device already has fwspec. This issue is reported at: https://lore.kernel.org/linux-mediatek/trinity-7d9ebdc9-4849-4d93-bfb5-429dcb4ee449-1626253158870@3c-app-gmx-bs01/ Reported-by: Frank Wunderlich Tested-by: Frank Wunderlich # BPI-R2/MT7623 Signed-off-by: Yong Wu Acked-by: Joerg Roedel Acked-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8d075ede7d24f19dc817c5bd517a53f0524f9031 Author: Mirela Rabulea Date: Wed Jan 12 20:12:08 2022 +0100 media: imx-jpeg: Prevent decoding NV12M jpegs into single-planar buffers [ Upstream commit 417591a766b3c040c346044541ff949c0b2bb7b2 ] If the application queues an NV12M jpeg as output buffer, but then queues a single planar capture buffer, the kernel will crash with "Unable to handle kernel NULL pointer dereference" in mxc_jpeg_addrs, prevent this by finishing the job with error. Signed-off-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 08c110af43940d5cd43bbbce41fb8a41ec656f75 Author: Bard Liao Date: Thu Jan 20 17:21:56 2022 -0600 ASoC: SOF: Intel: match sdw version on link_slaves_found [ Upstream commit f67c0c0d3b9048d86ea6ae52e36a2b78c48f265d ] Codecs with the same part id, manufacturer id and part id, but different sdw version should be treated as different codecs. For example, rt711 and rt711-sdca are different. So, we should match sdw version as well. Reported-by: Reddy Muralidhar Reviewed-by: Ranjani Sridharan Reviewed-by: Rander Wang Signed-off-by: Bard Liao Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220120232157.199919-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d7f3afcbb527b2270a1d3b2a00e7573e0a34ddc7 Author: Richard Fitzgerald Date: Fri Jan 21 12:04:10 2022 +0000 ASoC: cs42l42: Report full jack status when plug is detected [ Upstream commit 8d06f797f844d04a961f201f886f7f9985edc9bf ] When a plug event is detect report the full state of all status bits, don't assume that there will have been a previous unplug event to clear all the bits. Report the state of both HEADPHONE and MICROPHONE bits according to detected type, and clear all the button status bits. The current button status is already checked and reported at the end of the function. During a system suspend the jack could be unplugged and plugged, possibly changing the jack type. On resume the interrupt status will indicate a plug event - there will not be an unplug event to clear the bits. Signed-off-by: Richard Fitzgerald Link: https://lore.kernel.org/r/20220121120412.672284-2-rf@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 35739b7e0b712648d337666310bd6152e5233566 Author: Lad Prabhakar Date: Mon Jan 10 09:47:08 2022 +0000 ASoC: sh: rz-ssi: Make the data structures available before registering the handlers [ Upstream commit 0788785c78342d422f93b1c9831c2b2b7f137937 ] Initialize the spinlock and make the data structures available before registering the interrupt handlers. Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Biju Das Link: https://lore.kernel.org/r/20220110094711.8574-3-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 382e0f6958ef34eb093127b6d74c12f3b8fd0904 Author: Peiwei Hu Date: Wed Dec 29 02:15:18 2021 +0100 media: ir_toy: free before error exiting [ Upstream commit 52cdb013036391d9d87aba5b4fc49cdfc6ea4b23 ] Fix leak in error path. Signed-off-by: Peiwei Hu Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9ef8bf414cd8eb047df7a0a51177fd17729583fb Author: Eugen Hristev Date: Mon Dec 13 14:49:26 2021 +0100 media: atmel: atmel-isc-base: report frame sizes as full supported range [ Upstream commit 72802a86e11c34e819fbfb38f58c5aef668f833d ] The ISC supports a full broad range of frame sizes. Until now, the subdevice was queried for possible frame sizes and these were reported to the user space. However, the ISC should not care about which frame sizes the subdev supports, as long as this frame size is supported. Thus, report a continuous range from smallest frame size up to the max resolution. Signed-off-by: Eugen Hristev Reviewed-by: Jacopo Mondi Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 42ebde369e8c9740da1e6580537dd9f67a1f37af Author: Hans Verkuil Date: Tue Dec 14 17:16:33 2021 +0100 media: staging: media: zoran: fix various V4L2 compliance errors [ Upstream commit 914941827aad5ecddf9bf3a6dee67fbec1af1fff ] This fixes several issues found with 'v4l2-compliance -s': 1) read()/write() is supported, but not reported in the capabilities 2) S_STD(G_STD()) failed: setting the same standard should just return 0. 3) G_PARM failed to set readbuffers. 4) different field values in the format vs. what v4l2_buffer reported. 5) zero the sequence number when starting streaming. 6) drop VB_USERPTR: makes no sense with dma_contig streaming. Signed-off-by: Hans Verkuil Signed-off-by: Corentin Labbe Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 20db2ed1e2f9fcd417fa67853e5154f0c2537d6c Author: Corentin Labbe Date: Tue Dec 14 17:16:32 2021 +0100 media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com [ Upstream commit e3b86f4e558cea9eed71d894df2f19b10d60a207 ] On the case tmp_dcim=1, the index of buffer is miscalculated. This generate a NULL pointer dereference later. So let's fix the calcul and add a check to prevent this to reappear. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c1ba65100a359fe28cfe37e09e10c99f247cbf1e Author: Corentin Labbe Date: Tue Dec 14 17:16:26 2021 +0100 media: staging: media: zoran: move videodev alloc [ Upstream commit 82e3a496eb56da0b9f29fdc5b63cedb3289e91de ] Move some code out of zr36057_init() and create new functions for handling zr->video_dev. This permit to ease code reading and fix a zr->video_dev memory leak. Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 115fae2c1566eacc5ad2055f72521354612e72c3 Author: Dongliang Mu Date: Tue Mar 22 14:38:39 2022 -0700 ntfs: add sanity check on allocation size [ Upstream commit 714fbf2647b1a33d914edd695d4da92029c7e7c0 ] ntfs_read_inode_mount invokes ntfs_malloc_nofs with zero allocation size. It triggers one BUG in the __ntfs_malloc function. Fix this by adding sanity check on ni->attr_list_size. Link: https://lkml.kernel.org/r/20220120094914.47736-1-dzm91@hust.edu.cn Reported-by: syzbot+3c765c5248797356edaa@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Acked-by: Anton Altaparmakov Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 5a4fc2cb68c73baf1f03f5fefdb14e1bc5545b15 Author: Rohith Surabattula Date: Mon Mar 7 18:37:22 2022 +0000 Adjust cifssb maximum read size [ Upstream commit 06a466565d54a1a42168f9033a062a3f5c40e73b ] When session gets reconnected during mount then read size in super block fs context gets set to zero and after negotiate, rsize is not modified which results in incorrect read with requested bytes as zero. Fixes intermittent failure of xfstest generic/240 Note that stable requires a different version of this patch which will be sent to the stable mailing list. Signed-off-by: Rohith Surabattula Acked-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 160179bbf9db60f79872cf4a503403f07e6043c9 Author: Chao Yu Date: Wed Mar 16 18:20:00 2022 +0800 f2fs: compress: fix to print raw data size in error path of lz4 decompression [ Upstream commit d284af43f703760e261b1601378a0c13a19d5f1f ] In lz4_decompress_pages(), if size of decompressed data is not equal to expected one, we should print the size rather than size of target buffer for decompressed data, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 738886004bd2885ac2db0bc63b4874aa471ca87e Author: Jaegeuk Kim Date: Mon Mar 7 17:27:46 2022 -0800 f2fs: use spin_lock to avoid hang [ Upstream commit 98237fcda4a24e67b0a4498c17d5aa4ad4537bc7 ] [14696.634553] task:cat state:D stack: 0 pid:1613738 ppid:1613735 flags:0x00000004 [14696.638285] Call Trace: [14696.639038] [14696.640032] __schedule+0x302/0x930 [14696.640969] schedule+0x58/0xd0 [14696.641799] schedule_preempt_disabled+0x18/0x30 [14696.642890] __mutex_lock.constprop.0+0x2fb/0x4f0 [14696.644035] ? mod_objcg_state+0x10c/0x310 [14696.645040] ? obj_cgroup_charge+0xe1/0x170 [14696.646067] __mutex_lock_slowpath+0x13/0x20 [14696.647126] mutex_lock+0x34/0x40 [14696.648070] stat_show+0x25/0x17c0 [f2fs] [14696.649218] seq_read_iter+0x120/0x4b0 [14696.650289] ? aa_file_perm+0x12a/0x500 [14696.651357] ? lru_cache_add+0x1c/0x20 [14696.652470] seq_read+0xfd/0x140 [14696.653445] full_proxy_read+0x5c/0x80 [14696.654535] vfs_read+0xa0/0x1a0 [14696.655497] ksys_read+0x67/0xe0 [14696.656502] __x64_sys_read+0x1a/0x20 [14696.657580] do_syscall_64+0x3b/0xc0 [14696.658671] entry_SYSCALL_64_after_hwframe+0x44/0xae [14696.660068] RIP: 0033:0x7efe39df1cb2 [14696.661133] RSP: 002b:00007ffc8badd948 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [14696.662958] RAX: ffffffffffffffda RBX: 0000000000020000 RCX: 00007efe39df1cb2 [14696.664757] RDX: 0000000000020000 RSI: 00007efe399df000 RDI: 0000000000000003 [14696.666542] RBP: 00007efe399df000 R08: 00007efe399de010 R09: 00007efe399de010 [14696.668363] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000000000 [14696.670155] R13: 0000000000000003 R14: 0000000000020000 R15: 0000000000020000 [14696.671965] [14696.672826] task:umount state:D stack: 0 pid:1614985 ppid:1614984 flags:0x00004000 [14696.674930] Call Trace: [14696.675903] [14696.676780] __schedule+0x302/0x930 [14696.677927] schedule+0x58/0xd0 [14696.679019] schedule_preempt_disabled+0x18/0x30 [14696.680412] __mutex_lock.constprop.0+0x2fb/0x4f0 [14696.681783] ? destroy_inode+0x65/0x80 [14696.683006] __mutex_lock_slowpath+0x13/0x20 [14696.684305] mutex_lock+0x34/0x40 [14696.685442] f2fs_destroy_stats+0x1e/0x60 [f2fs] [14696.686803] f2fs_put_super+0x158/0x390 [f2fs] [14696.688238] generic_shutdown_super+0x7a/0x120 [14696.689621] kill_block_super+0x27/0x50 [14696.690894] kill_f2fs_super+0x7f/0x100 [f2fs] [14696.692311] deactivate_locked_super+0x35/0xa0 [14696.693698] deactivate_super+0x40/0x50 [14696.694985] cleanup_mnt+0x139/0x190 [14696.696209] __cleanup_mnt+0x12/0x20 [14696.697390] task_work_run+0x64/0xa0 [14696.698587] exit_to_user_mode_prepare+0x1b7/0x1c0 [14696.700053] syscall_exit_to_user_mode+0x27/0x50 [14696.701418] do_syscall_64+0x48/0xc0 [14696.702630] entry_SYSCALL_64_after_hwframe+0x44/0xae Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit e76c78c48902dae6fa612749f59162bca0a79e0b Author: Josef Bacik Date: Fri Feb 18 10:03:29 2022 -0500 btrfs: do not clean up repair bio if submit fails [ Upstream commit 8cbc3001a3264d998d6b6db3e23f935c158abd4d ] The submit helper will always run bio_endio() on the bio if it fails to submit, so cleaning up the bio just leads to a variety of use-after-free and NULL pointer dereference bugs because we race with the endio function that is cleaning up the bio. Instead just return BLK_STS_OK as the repair function has to continue to process the rest of the pages, and the endio for the repair bio will do the appropriate cleanup for the page that it was given. Reviewed-by: Boris Burkov Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 4a4ceb2b990771c374d85d496a1a45255dde48e3 Author: Josef Bacik Date: Fri Feb 18 10:03:27 2022 -0500 btrfs: do not double complete bio on errors during compressed reads [ Upstream commit f9f15de85d74e7eef021af059ca53a15f041cdd8 ] I hit some weird panics while fixing up the error handling from btrfs_lookup_bio_sums(). Turns out the compression path will complete the bio we use if we set up any of the compression bios and then return an error, and then btrfs_submit_data_bio() will also call bio_endio() on the bio. Fix this by making btrfs_submit_compressed_read() responsible for calling bio_endio() on the bio if there are any errors. Currently it was only doing it if we created the compression bios, otherwise it was depending on btrfs_submit_data_bio() to do the right thing. This creates the above problem, so fix up btrfs_submit_compressed_read() to always call bio_endio() in case of an error, and then simply return from btrfs_submit_data_bio() if we had to call btrfs_submit_compressed_read(). Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit f181b2e060929da91c01e2068179774ab8fa18fc Author: Josef Bacik Date: Fri Feb 18 10:03:23 2022 -0500 btrfs: handle csum lookup errors properly on reads [ Upstream commit 1784b7d502a94b561eae58249adde5f72c26eb3c ] Currently any error we get while trying to lookup csums during reads shows up as a missing csum, and then on the read completion side we print an error saying there was a csum mismatch and we increase the device corruption count. However we could have gotten an EIO from the lookup. We could also be inside of a memory constrained container and gotten a ENOMEM while trying to do the read. In either case we don't want to make this look like a file system corruption problem, we want to make it look like the actual error it is. Capture any negative value, convert it to the appropriate blk_status_t, free the csum array if we have one and bail. Note: a possible improvement would be to make the relocation code look up the owning inode and see if it's marked as NODATASUM and set EXTENT_NODATASUM there, that way if there's corruption and there isn't a checksum when we want it we can fail here rather than later. Signed-off-by: Josef Bacik Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 3c40052e3fde325cbe9dac4f52a229d74a5f3b8a Author: Josef Bacik Date: Fri Feb 18 10:03:22 2022 -0500 btrfs: make search_csum_tree return 0 if we get -EFBIG [ Upstream commit 03ddb19d2ea745228879b9334f3b550c88acb10a ] We can either fail to find a csum entry at all and return -ENOENT, or we can find a range that is close, but return -EFBIG. In essence these both mean the same thing when we are doing a lookup for a csum in an existing range, we didn't find a csum. We want to treat both of these errors the same way, complain loudly that there wasn't a csum. This currently happens anyway because we do count = search_csum_tree(); if (count <= 0) { // reloc and error handling } However it forces us to incorrectly treat EIO or ENOMEM errors as on disk corruption. Fix this by returning 0 if we get either -ENOENT or -EFBIG from btrfs_lookup_csum() so we can do proper error handling. Reviewed-by: Boris Burkov Reviewed-by: Johannes Thumshirn Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 0cfccb13cb877b5872b42f46f4453ad916b9fc48 Author: Anand Jain Date: Wed Jan 12 13:05:59 2022 +0800 btrfs: harden identification of a stale device [ Upstream commit 770c79fb65506fc7c16459855c3839429f46cb32 ] Identifying and removing the stale device from the fs_uuids list is done by btrfs_free_stale_devices(). btrfs_free_stale_devices() in turn depends on device_path_matched() to check if the device appears in more than one btrfs_device structure. The matching of the device happens by its path, the device path. However, when device mapper is in use, the dm device paths are nothing but a link to the actual block device, which leads to the device_path_matched() failing to match. Fix this by matching the dev_t as provided by lookup_bdev() instead of plain string compare of the device paths. Reported-by: Josef Bacik Signed-off-by: Anand Jain Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit c9ad16d72a9958cb70291da3f9742bd48cdf7223 Author: Jaegeuk Kim Date: Fri Mar 4 09:40:05 2022 -0800 f2fs: don't get FREEZE lock in f2fs_evict_inode in frozen fs [ Upstream commit ba900534f807f0b327c92d5141c85d2313e2d55c ] Let's purge inode cache in order to avoid the below deadlock. [freeze test] shrinkder freeze_super - pwercpu_down_write(SB_FREEZE_FS) - super_cache_scan - down_read(&sb->s_umount) - prune_icache_sb - dispose_list - evict - f2fs_evict_inode thaw_super - down_write(&sb->s_umount); - __percpu_down_read(SB_FREEZE_FS) Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 69fbace881bb495cacba7d6a39bf2fef39822432 Author: Chuck Lever Date: Mon Feb 14 15:30:13 2022 -0500 NFSD: Fix nfsd_breaker_owns_lease() return values [ Upstream commit 50719bf3442dd6cd05159e9c98d020b3919ce978 ] These have been incorrect since the function was introduced. A proper kerneldoc comment is added since this function, though static, is part of an external interface. Reported-by: Dai Ngo Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 0748a0f7dcb9d9dddc80302d73ebcecef6782ef0 Author: Chao Yu Date: Fri Mar 4 09:49:13 2022 +0800 f2fs: fix to do sanity check on curseg->alloc_type [ Upstream commit f41ee8b91c00770d718be2ff4852a80017ae9ab3 ] As Wenqing Liu reported in bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=215657 - Overview UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 when mount and operate a corrupted image - Reproduce tested on kernel 5.17-rc4, 5.17-rc6 1. mkdir test_crash 2. cd test_crash 3. unzip tmp2.zip 4. mkdir mnt 5. ./single_test.sh f2fs 2 - Kernel dump [ 46.434454] loop0: detected capacity change from 0 to 131072 [ 46.529839] F2FS-fs (loop0): Mounted with checkpoint version = 7548c2d9 [ 46.738319] ================================================================================ [ 46.738412] UBSAN: array-index-out-of-bounds in fs/f2fs/segment.c:3460:2 [ 46.738475] index 231 is out of range for type 'unsigned int [2]' [ 46.738539] CPU: 2 PID: 939 Comm: umount Not tainted 5.17.0-rc6 #1 [ 46.738547] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 46.738551] Call Trace: [ 46.738556] [ 46.738563] dump_stack_lvl+0x47/0x5c [ 46.738581] ubsan_epilogue+0x5/0x50 [ 46.738592] __ubsan_handle_out_of_bounds+0x68/0x80 [ 46.738604] f2fs_allocate_data_block+0xdff/0xe60 [f2fs] [ 46.738819] do_write_page+0xef/0x210 [f2fs] [ 46.738934] f2fs_do_write_node_page+0x3f/0x80 [f2fs] [ 46.739038] __write_node_page+0x2b7/0x920 [f2fs] [ 46.739162] f2fs_sync_node_pages+0x943/0xb00 [f2fs] [ 46.739293] f2fs_write_checkpoint+0x7bb/0x1030 [f2fs] [ 46.739405] kill_f2fs_super+0x125/0x150 [f2fs] [ 46.739507] deactivate_locked_super+0x60/0xc0 [ 46.739517] deactivate_super+0x70/0xb0 [ 46.739524] cleanup_mnt+0x11a/0x200 [ 46.739532] __cleanup_mnt+0x16/0x20 [ 46.739538] task_work_run+0x67/0xa0 [ 46.739547] exit_to_user_mode_prepare+0x18c/0x1a0 [ 46.739559] syscall_exit_to_user_mode+0x26/0x40 [ 46.739568] do_syscall_64+0x46/0xb0 [ 46.739584] entry_SYSCALL_64_after_hwframe+0x44/0xae The root cause is we missed to do sanity check on curseg->alloc_type, result in out-of-bound accessing on sbi->block_count[] array, fix it. Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 343117559ef41e992e326f7a92da1a8f254dfa8c Author: Theodore Ts'o Date: Thu Mar 3 09:38:47 2022 -0500 ext4: don't BUG if someone dirty pages without asking ext4 first [ Upstream commit cc5095747edfb054ca2068d01af20be3fcc3634f ] [un]pin_user_pages_remote is dirtying pages without properly warning the file system in advance. A related race was noted by Jan Kara in 2018[1]; however, more recently instead of it being a very hard-to-hit race, it could be reliably triggered by process_vm_writev(2) which was discovered by Syzbot[2]. This is technically a bug in mm/gup.c, but arguably ext4 is fragile in that if some other kernel subsystem dirty pages without properly notifying the file system using page_mkwrite(), ext4 will BUG, while other file systems will not BUG (although data will still be lost). So instead of crashing with a BUG, issue a warning (since there may be potential data loss) and just mark the page as clean to avoid unprivileged denial of service attacks until the problem can be properly fixed. More discussion and background can be found in the thread starting at [2]. [1] https://lore.kernel.org/linux-mm/20180103100430.GE4911@quack2.suse.cz [2] https://lore.kernel.org/r/Yg0m6IjcNmfaSokM@google.com Reported-by: syzbot+d59332e2db681cf18f0318a06e994ebbb529a8db@syzkaller.appspotmail.com Reported-by: Lee Jones Signed-off-by: Theodore Ts'o Link: https://lore.kernel.org/r/YiDS9wVfq4mM2jGK@mit.edu Signed-off-by: Sasha Levin commit 1efabe24346fb34fb7b4489aa66cbe71900abfea Author: Valentin Schneider Date: Thu Jan 20 16:25:20 2022 +0000 sched/tracing: Report TASK_RTLOCK_WAIT tasks as TASK_UNINTERRUPTIBLE [ Upstream commit 25795ef6299f07ce3838f3253a9cb34f64efcfae ] TASK_RTLOCK_WAIT currently isn't part of TASK_REPORT, thus a task blocking on an rtlock will appear as having a task state == 0, IOW TASK_RUNNING. The actual state is saved in p->saved_state, but reading it after reading p->__state has a few issues: o that could still be TASK_RUNNING in the case of e.g. rt_spin_lock o ttwu_state_match() might have changed that to TASK_RUNNING As pointed out by Eric, adding TASK_RTLOCK_WAIT to TASK_REPORT implies exposing a new state to userspace tools which way not know what to do with them. The only information that needs to be conveyed here is that a task is waiting on an rt_mutex, which matches TASK_UNINTERRUPTIBLE - there's no need for a new state. Reported-by: Uwe Kleine-König Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Steven Rostedt (Google) Link: https://lore.kernel.org/r/20220120162520.570782-3-valentin.schneider@arm.com Signed-off-by: Sasha Levin commit b07eedd0222e9548ffc568ec429bb1f61d21a39c Author: Ritesh Harjani Date: Wed Feb 16 12:32:44 2022 +0530 ext4: fix ext4_mb_mark_bb() with flex_bg with fast_commit [ Upstream commit bfdc502a4a4c058bf4cbb1df0c297761d528f54d ] In case of flex_bg feature (which is by default enabled), extents for any given inode might span across blocks from two different block group. ext4_mb_mark_bb() only reads the buffer_head of block bitmap once for the starting block group, but it fails to read it again when the extent length boundary overflows to another block group. Then in this below loop it accesses memory beyond the block group bitmap buffer_head and results into a data abort. for (i = 0; i < clen; i++) if (!mb_test_bit(blkoff + i, bitmap_bh->b_data) == !state) already++; This patch adds this functionality for checking block group boundary in ext4_mb_mark_bb() and update the buffer_head(bitmap_bh) for every different block group. w/o this patch, I was easily able to hit a data access abort using Power platform. <...> [ 74.327662] EXT4-fs error (device loop3): ext4_mb_generate_buddy:1141: group 11, block bitmap and bg descriptor inconsistent: 21248 vs 23294 free clusters [ 74.533214] EXT4-fs (loop3): shut down requested (2) [ 74.536705] Aborting journal on device loop3-8. [ 74.702705] BUG: Unable to handle kernel data access on read at 0xc00000005e980000 [ 74.703727] Faulting instruction address: 0xc0000000007bffb8 cpu 0xd: Vector: 300 (Data Access) at [c000000015db7060] pc: c0000000007bffb8: ext4_mb_mark_bb+0x198/0x5a0 lr: c0000000007bfeec: ext4_mb_mark_bb+0xcc/0x5a0 sp: c000000015db7300 msr: 800000000280b033 dar: c00000005e980000 dsisr: 40000000 current = 0xc000000027af6880 paca = 0xc00000003ffd5200 irqmask: 0x03 irq_happened: 0x01 pid = 5167, comm = mount <...> enter ? for help [c000000015db7380] c000000000782708 ext4_ext_clear_bb+0x378/0x410 [c000000015db7400] c000000000813f14 ext4_fc_replay+0x1794/0x2000 [c000000015db7580] c000000000833f7c do_one_pass+0xe9c/0x12a0 [c000000015db7710] c000000000834504 jbd2_journal_recover+0x184/0x2d0 [c000000015db77c0] c000000000841398 jbd2_journal_load+0x188/0x4a0 [c000000015db7880] c000000000804de8 ext4_fill_super+0x2638/0x3e10 [c000000015db7a40] c0000000005f8404 get_tree_bdev+0x2b4/0x350 [c000000015db7ae0] c0000000007ef058 ext4_get_tree+0x28/0x40 [c000000015db7b00] c0000000005f6344 vfs_get_tree+0x44/0x100 [c000000015db7b70] c00000000063c408 path_mount+0xdd8/0xe70 [c000000015db7c40] c00000000063c8f0 sys_mount+0x450/0x550 [c000000015db7d50] c000000000035770 system_call_exception+0x4a0/0x4e0 [c000000015db7e10] c00000000000c74c system_call_common+0xec/0x250 Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/2609bc8f66fc15870616ee416a18a3d392a209c4.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit c270fdcc53ec2bc171a1d85a13cfc184535f7ec7 Author: Ritesh Harjani Date: Wed Feb 16 12:32:43 2022 +0530 ext4: correct cluster len and clusters changed accounting in ext4_mb_mark_bb [ Upstream commit a5c0e2fdf7cea535ba03259894dc184e5a4c2800 ] ext4_mb_mark_bb() currently wrongly calculates cluster len (clen) and flex_group->free_clusters. This patch fixes that. Identified based on code review of ext4_mb_mark_bb() function. Signed-off-by: Ritesh Harjani Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/a0b035d536bafa88110b74456853774b64c8ac40.1644992609.git.riteshh@linux.ibm.com Signed-off-by: Theodore Ts'o Signed-off-by: Sasha Levin commit 5092c6707bf15360b3b493d32f6d930519bfd1cc Author: Waiman Long Date: Thu Feb 10 22:55:26 2022 -0500 locking/lockdep: Iterate lock_classes directly when reading lockdep files [ Upstream commit fb7275acd6fb988313dddd8d3d19efa70d9015ad ] When dumping lock_classes information via /proc/lockdep, we can't take the lockdep lock as the lock hold time is indeterminate. Iterating over all_lock_classes without holding lock can be dangerous as there is a slight chance that it may branch off to other lists leading to infinite loop or even access invalid memory if changes are made to all_lock_classes list in parallel. To avoid this problem, iteration of lock classes is now done directly on the lock_classes array itself. The lock_classes_in_use bitmap is checked to see if the lock class is being used. To avoid iterating the full array all the times, a new max_lock_class_idx value is added to track the maximum lock_class index that is currently being used. We can theoretically take the lockdep lock for iterating all_lock_classes when other lockdep files (lockdep_stats and lock_stat) are accessed as the lock hold time will be shorter for them. For consistency, they are also modified to iterate the lock_classes array directly. Signed-off-by: Waiman Long Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220211035526.1329503-2-longman@redhat.com Signed-off-by: Sasha Levin commit f2542b33a69b5ea220b1d064c4275c37e2f00eb0 Author: Mark Rutland Date: Mon Feb 7 10:19:43 2022 +0000 atomics: Fix atomic64_{read_acquire,set_release} fallbacks [ Upstream commit dc1b4df09acdca7a89806b28f235cd6d8dcd3d24 ] Arnd reports that on 32-bit architectures, the fallbacks for atomic64_read_acquire() and atomic64_set_release() are broken as they use smp_load_acquire() and smp_store_release() respectively, which do not work on types larger than the native word size. Since those contain compiletime_assert_atomic_type(), any attempt to use those fallbacks will result in a build-time error. e.g. with the following added to arch/arm/kernel/setup.c: | void test_atomic64(atomic64_t *v) | { | atomic64_set_release(v, 5); | atomic64_read_acquire(v); | } The compiler will complain as follows: | In file included from : | In function 'arch_atomic64_set_release', | inlined from 'test_atomic64' at ./include/linux/atomic/atomic-instrumented.h:669:2: | ././include/linux/compiler_types.h:346:38: error: call to '__compiletime_assert_9' declared with attribute error: Need native word sized stores/loads for atomicity. | 346 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | | ^ | ././include/linux/compiler_types.h:327:4: note: in definition of macro '__compiletime_assert' | 327 | prefix ## suffix(); \ | | ^~~~~~ | ././include/linux/compiler_types.h:346:2: note: in expansion of macro '_compiletime_assert' | 346 | _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__) | | ^~~~~~~~~~~~~~~~~~~ | ././include/linux/compiler_types.h:349:2: note: in expansion of macro 'compiletime_assert' | 349 | compiletime_assert(__native_word(t), \ | | ^~~~~~~~~~~~~~~~~~ | ./include/asm-generic/barrier.h:133:2: note: in expansion of macro 'compiletime_assert_atomic_type' | 133 | compiletime_assert_atomic_type(*p); \ | | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | ./include/asm-generic/barrier.h:164:55: note: in expansion of macro '__smp_store_release' | 164 | #define smp_store_release(p, v) do { kcsan_release(); __smp_store_release(p, v); } while (0) | | ^~~~~~~~~~~~~~~~~~~ | ./include/linux/atomic/atomic-arch-fallback.h:1270:2: note: in expansion of macro 'smp_store_release' | 1270 | smp_store_release(&(v)->counter, i); | | ^~~~~~~~~~~~~~~~~ | make[2]: *** [scripts/Makefile.build:288: arch/arm/kernel/setup.o] Error 1 | make[1]: *** [scripts/Makefile.build:550: arch/arm/kernel] Error 2 | make: *** [Makefile:1831: arch/arm] Error 2 Fix this by only using smp_load_acquire() and smp_store_release() for native atomic types, and otherwise falling back to the regular barriers necessary for acquire/release semantics, as we do in the more generic acquire and release fallbacks. Since the fallback templates are used to generate the atomic64_*() and atomic_*() operations, the __native_word() check is added to both. For the atomic_*() operations, which are always 32-bit, the __native_word() check is redundant but not harmful, as it is always true. For the example above this works as expected on 32-bit, e.g. for arm multi_v7_defconfig: | : | push {r4, r5} | dmb ish | pldw [r0] | mov r2, #5 | mov r3, #0 | ldrexd r4, [r0] | strexd r4, r2, [r0] | teq r4, #0 | bne 484 | ldrexd r2, [r0] | dmb ish | pop {r4, r5} | bx lr ... and also on 64-bit, e.g. for arm64 defconfig: | : | bti c | paciasp | mov x1, #0x5 | stlr x1, [x0] | ldar x0, [x0] | autiasp | ret Reported-by: Arnd Bergmann Signed-off-by: Mark Rutland Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Ard Biesheuvel Reviewed-by: Boqun Feng Link: https://lore.kernel.org/r/20220207101943.439825-1-mark.rutland@arm.com Signed-off-by: Sasha Levin commit d4982ceb137e6ecd2b466a6de639790a148cf19a Author: Eddie James Date: Thu Mar 17 16:14:26 2022 -0500 spi: fsi: Implement a timeout for polling status [ Upstream commit 89b35e3f28514087d3f1e28e8f5634fbfd07c554 ] The data transfer routines must poll the status register to determine when more data can be shifted in or out. If the hardware gets into a bad state, these polling loops may never exit. Prevent this by returning an error if a timeout is exceeded. Signed-off-by: Eddie James Link: https://lore.kernel.org/r/20220317211426.38940-1-eajames@linux.ibm.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4420aaf9455efd149f1d40ad21a085a1a0dd9a66 Author: Minghao Chi Date: Tue Mar 15 02:31:38 2022 +0000 spi: tegra20: Use of_device_get_match_data() [ Upstream commit c9839acfcbe20ce43d363c2a9d0772472d9921c0 ] Use of_device_get_match_data() to simplify the code. Reported-by: Zeal Robot Signed-off-by: Minghao Chi Link: https://lore.kernel.org/r/20220315023138.2118293-1-chi.minghao@zte.com.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c8ceb1658fa926da23dffa416755cc03cbb8d462 Author: Chris Leech Date: Tue Feb 15 18:22:49 2022 -0800 nvme-tcp: lockdep: annotate in-kernel sockets [ Upstream commit 841aee4d75f18fdfb53935080b03de0c65e9b92c ] Put NVMe/TCP sockets in their own class to avoid some lockdep warnings. Sockets created by nvme-tcp are not exposed to user-space, and will not trigger certain code paths that the general socket API exposes. Lockdep complains about a circular dependency between the socket and filesystem locks, because setsockopt can trigger a page fault with a socket lock held, but nvme-tcp sends requests on the socket while file system locks are held. ====================================================== WARNING: possible circular locking dependency detected 5.15.0-rc3 #1 Not tainted ------------------------------------------------------ fio/1496 is trying to acquire lock: (sk_lock-AF_INET){+.+.}-{0:0}, at: tcp_sendpage+0x23/0x80 but task is already holding lock: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] which lock already depends on the new lock. other info that might help us debug this: chain exists of: sk_lock-AF_INET --> sb_internal --> &xfs_dir_ilock_class/5 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(&xfs_dir_ilock_class/5); lock(sb_internal); lock(&xfs_dir_ilock_class/5); lock(sk_lock-AF_INET); *** DEADLOCK *** 6 locks held by fio/1496: #0: (sb_writers#13){.+.+}-{0:0}, at: path_openat+0x9fc/0xa20 #1: (&inode->i_sb->s_type->i_mutex_dir_key){++++}-{3:3}, at: path_openat+0x296/0xa20 #2: (sb_internal){.+.+}-{0:0}, at: xfs_trans_alloc_icreate+0x41/0xd0 [xfs] #3: (&xfs_dir_ilock_class/5){+.+.}-{3:3}, at: xfs_ilock+0xcf/0x290 [xfs] #4: (hctx->srcu){....}-{0:0}, at: hctx_lock+0x51/0xd0 #5: (&queue->send_mutex){+.+.}-{3:3}, at: nvme_tcp_queue_rq+0x33e/0x380 [nvme_tcp] This annotation lets lockdep analyze nvme-tcp controlled sockets independently of what the user-space sockets API does. Link: https://lore.kernel.org/linux-nvme/CAHj4cs9MDYLJ+q+2_GXUK9HxFizv2pxUryUR0toX974M040z7g@mail.gmail.com/ Signed-off-by: Chris Leech Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 3a354b5a1db54284b94bb768077c760a8b938ec1 Author: John David Anglin Date: Wed Mar 9 21:14:36 2022 +0000 parisc: Fix handling off probe non-access faults [ Upstream commit e00b0a2ab8ec019c344e53bfc76e31c18bb587b7 ] Currently, the parisc kernel does not fully support non-access TLB fault handling for probe instructions. In the fast path, we set the target register to zero if it is not a shadowed register. The slow path is not implemented, so we call do_page_fault. The architecture indicates that non-access faults should not cause a page fault from disk. This change adds to code to provide non-access fault support for probe instructions. It also modifies the handling of faults on userspace so that if the address lies in a valid VMA and the access type matches that for the VMA, the probe target register is set to one. Otherwise, the target register is set to zero. This was done to make probe instructions more useful for userspace. Probe instructions are not very useful if they set the target register to zero whenever a page is not present in memory. Nominally, the purpose of the probe instruction is determine whether read or write access to a given address is allowed. This fixes a problem in function pointer comparison noticed in the glibc testsuite (stdio-common/tst-vfprintf-user-type). The same problem is likely in glibc (_dl_lookup_address). V2 adds flush and lpa instruction support to handle_nadtlb_fault. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit b3d6adb3a49d82e4e557c5fc16f50c9ff731da5d Author: John David Anglin Date: Fri Mar 11 17:22:54 2022 +0000 parisc: Fix non-access data TLB cache flush faults [ Upstream commit f839e5f1cef36ce268950c387129b1bfefdaebc9 ] When a page is not present, we get non-access data TLB faults from the fdc and fic instructions in flush_user_dcache_range_asm and flush_user_icache_range_asm. When these occur, the cache line is not invalidated and potentially we get memory corruption. The problem was hidden by the nullification of the flush instructions. These faults also affect performance. With pa8800/pa8900 processors, there will be 32 faults per 4 KB page since the cache line is 128 bytes. There will be more faults with earlier processors. The problem is fixed by using flush_cache_pages(). It does the flush using a tmp alias mapping. The flush_cache_pages() call in flush_cache_range() flushed too large a range. V2: Remove unnecessary preempt_disable() and preempt_enable() calls. Signed-off-by: John David Anglin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 2add538e57a2825c61d639260386f385c75e4166 Author: Dmitry Baryshkov Date: Sat Mar 5 14:02:14 2022 +0300 PM: core: keep irq flags in device_pm_check_callbacks() [ Upstream commit 524bb1da785a7ae43dd413cd392b5071c6c367f8 ] The function device_pm_check_callbacks() can be called under the spin lock (in the reported case it happens from genpd_add_device() -> dev_pm_domain_set(), when the genpd uses spinlocks rather than mutexes. However this function uncoditionally uses spin_lock_irq() / spin_unlock_irq(), thus not preserving the CPU flags. Use the irqsave/irqrestore instead. The backtrace for the reference: [ 2.752010] ------------[ cut here ]------------ [ 2.756769] raw_local_irq_restore() called with IRQs enabled [ 2.762596] WARNING: CPU: 4 PID: 1 at kernel/locking/irqflag-debug.c:10 warn_bogus_irq_restore+0x34/0x50 [ 2.772338] Modules linked in: [ 2.775487] CPU: 4 PID: 1 Comm: swapper/0 Tainted: G S 5.17.0-rc6-00384-ge330d0d82eff-dirty #684 [ 2.781384] Freeing initrd memory: 46024K [ 2.785839] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 2.785841] pc : warn_bogus_irq_restore+0x34/0x50 [ 2.785844] lr : warn_bogus_irq_restore+0x34/0x50 [ 2.785846] sp : ffff80000805b7d0 [ 2.785847] x29: ffff80000805b7d0 x28: 0000000000000000 x27: 0000000000000002 [ 2.785850] x26: ffffd40e80930b18 x25: ffff7ee2329192b8 x24: ffff7edfc9f60800 [ 2.785853] x23: ffffd40e80930b18 x22: ffffd40e80930d30 x21: ffff7edfc0dffa00 [ 2.785856] x20: ffff7edfc09e3768 x19: 0000000000000000 x18: ffffffffffffffff [ 2.845775] x17: 6572206f74206465 x16: 6c696166203a3030 x15: ffff80008805b4f7 [ 2.853108] x14: 0000000000000000 x13: ffffd40e809550b0 x12: 00000000000003d8 [ 2.860441] x11: 0000000000000148 x10: ffffd40e809550b0 x9 : ffffd40e809550b0 [ 2.867774] x8 : 00000000ffffefff x7 : ffffd40e809ad0b0 x6 : ffffd40e809ad0b0 [ 2.875107] x5 : 000000000000bff4 x4 : 0000000000000000 x3 : 0000000000000000 [ 2.882440] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff7edfc03a8000 [ 2.889774] Call trace: [ 2.892290] warn_bogus_irq_restore+0x34/0x50 [ 2.896770] _raw_spin_unlock_irqrestore+0x94/0xa0 [ 2.901690] genpd_unlock_spin+0x20/0x30 [ 2.905724] genpd_add_device+0x100/0x2d0 [ 2.909850] __genpd_dev_pm_attach+0xa8/0x23c [ 2.914329] genpd_dev_pm_attach_by_id+0xc4/0x190 [ 2.919167] genpd_dev_pm_attach_by_name+0x3c/0xd0 [ 2.924086] dev_pm_domain_attach_by_name+0x24/0x30 [ 2.929102] psci_dt_attach_cpu+0x24/0x90 [ 2.933230] psci_cpuidle_probe+0x2d4/0x46c [ 2.937534] platform_probe+0x68/0xe0 [ 2.941304] really_probe.part.0+0x9c/0x2fc [ 2.945605] __driver_probe_device+0x98/0x144 [ 2.950085] driver_probe_device+0x44/0x15c [ 2.954385] __device_attach_driver+0xb8/0x120 [ 2.958950] bus_for_each_drv+0x78/0xd0 [ 2.962896] __device_attach+0xd8/0x180 [ 2.966843] device_initial_probe+0x14/0x20 [ 2.971144] bus_probe_device+0x9c/0xa4 [ 2.975092] device_add+0x380/0x88c [ 2.978679] platform_device_add+0x114/0x234 [ 2.983067] platform_device_register_full+0x100/0x190 [ 2.988344] psci_idle_init+0x6c/0xb0 [ 2.992113] do_one_initcall+0x74/0x3a0 [ 2.996060] kernel_init_freeable+0x2fc/0x384 [ 3.000543] kernel_init+0x28/0x130 [ 3.004132] ret_from_fork+0x10/0x20 [ 3.007817] irq event stamp: 319826 [ 3.011404] hardirqs last enabled at (319825): [] __up_console_sem+0x78/0x84 [ 3.020332] hardirqs last disabled at (319826): [] el1_dbg+0x24/0x8c [ 3.028458] softirqs last enabled at (318312): [] _stext+0x410/0x588 [ 3.036678] softirqs last disabled at (318299): [] __irq_exit_rcu+0x158/0x174 [ 3.045607] ---[ end trace 0000000000000000 ]--- Signed-off-by: Dmitry Baryshkov Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 0e840465cbb041414b6d9539f083715825de4344 Author: Darren Hart Date: Tue Mar 8 10:50:48 2022 -0800 ACPI/APEI: Limit printable size of BERT table data [ Upstream commit 3f8dec116210ca649163574ed5f8df1e3b837d07 ] Platforms with large BERT table data can trigger soft lockup errors while attempting to print the entire BERT table data to the console at boot: watchdog: BUG: soft lockup - CPU#160 stuck for 23s! [swapper/0:1] Observed on Ampere Altra systems with a single BERT record of ~250KB. The original bert driver appears to have assumed relatively small table data. Since it is impractical to reassemble large table data from interwoven console messages, and the table data is available in /sys/firmware/acpi/tables/data/BERT limit the size for tables printed to the console to 1024 (for no reason other than it seemed like a good place to kick off the discussion, would appreciate feedback from existing users in terms of what size would maintain their current usage model). Alternatively, we could make printing a CONFIG option, use the bert_disable boot arg (or something similar), or use a debug log level. However, all those solutions require extra steps or change the existing behavior for small table data. Limiting the size preserves existing behavior on existing platforms with small table data, and eliminates the soft lockups for platforms with large table data, while still making it available. Signed-off-by: Darren Hart Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit abc2129e646af7b43025d90a071f83043f1ae76c Author: Paolo Valente Date: Thu Nov 25 19:15:10 2021 +0100 Revert "Revert "block, bfq: honor already-setup queue merges"" [ Upstream commit 15729ff8143f8135b03988a100a19e66d7cb7ecd ] A crash [1] happened to be triggered in conjunction with commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges"). The latter was then reverted by commit ebc69e897e17 ("Revert "block, bfq: honor already-setup queue merges""). Yet, the reverted commit was not the one introducing the bug. In fact, it actually triggered a UAF introduced by a different commit, and now fixed by commit d29bd41428cf ("block, bfq: reset last_bfqq_created on group change"). So, there is no point in keeping commit 2d52c58b9c9b ("block, bfq: honor already-setup queue merges") out. This commit restores it. [1] https://bugzilla.kernel.org/show_bug.cgi?id=214503 Reported-by: Holger Hoffstätte Signed-off-by: Paolo Valente Link: https://lore.kernel.org/r/20211125181510.15004-1-paolo.valente@linaro.org Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit e8b18f5730c8a15764433d6ba2f51a677480e240 Author: Paul Menzel Date: Tue Feb 8 16:21:48 2022 +0100 lib/raid6/test/Makefile: Use $(pound) instead of \# for Make 4.3 [ Upstream commit 633174a7046ec3b4572bec24ef98e6ee89bce14b ] Buidling raid6test on Ubuntu 21.10 (ppc64le) with GNU Make 4.3 shows the errors below: $ cd lib/raid6/test/ $ make :1:1: error: stray ‘\’ in program :1:2: error: stray ‘#’ in program :1:11: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ \ before ‘<’ token [...] The errors come from the HAS_ALTIVEC test, which fails, and the POWER optimized versions are not built. That’s also reason nobody noticed on the other architectures. GNU Make 4.3 does not remove the backslash anymore. From the 4.3 release announcment: > * WARNING: Backward-incompatibility! > Number signs (#) appearing inside a macro reference or function invocation > no longer introduce comments and should not be escaped with backslashes: > thus a call such as: > foo := $(shell echo '#') > is legal. Previously the number sign needed to be escaped, for example: > foo := $(shell echo '\#') > Now this latter will resolve to "\#". If you want to write makefiles > portable to both versions, assign the number sign to a variable: > H := \# > foo := $(shell echo '$H') > This was claimed to be fixed in 3.81, but wasn't, for some reason. > To detect this change search for 'nocomment' in the .FEATURES variable. So, do the same as commit 9564a8cf422d ("Kbuild: fix # escaping in .cmd files for future Make") and commit 929bef467771 ("bpf: Use $(pound) instead of \# in Makefiles") and define and use a $(pound) variable. Reference for the change in make: https://git.savannah.gnu.org/cgit/make.git/commit/?id=c6966b323811c37acedff05b57 Cc: Matt Brown Signed-off-by: Paul Menzel Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 3440f2cfcb6f62d5375a91e44ce26c402fda1301 Author: Rafael J. Wysocki Date: Mon Mar 7 20:28:26 2022 +0100 ACPICA: Avoid walking the ACPI Namespace if it is not there [ Upstream commit 0c9992315e738e7d6e927ef36839a466b080dba6 ] ACPICA commit b1c3656ef4950098e530be68d4b589584f06cddc Prevent acpi_ns_walk_namespace() from crashing when called with start_node equal to ACPI_ROOT_OBJECT if the Namespace has not been instantiated yet and acpi_gbl_root_node is NULL. For instance, this can happen if the kernel is run with "acpi=off" in the command line. Link: https://github.com/acpica/acpica/commit/b1c3656ef4950098e530be68d4b589584f06cddc Link: https://lore.kernel.org/linux-acpi/CAJZ5v0hJWW_vZ3wwajE7xT38aWjY7cZyvqMJpXHzUL98-SiCVQ@mail.gmail.com/ Reported-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 5687958bf18f84384d809f521210d0f5deed03b0 Author: Zhang Wensheng Date: Thu Mar 3 15:03:34 2022 +0800 bfq: fix use-after-free in bfq_dispatch_request [ Upstream commit ab552fcb17cc9e4afe0e4ac4df95fc7b30e8490a ] KASAN reports a use-after-free report when doing normal scsi-mq test [69832.239032] ================================================================== [69832.241810] BUG: KASAN: use-after-free in bfq_dispatch_request+0x1045/0x44b0 [69832.243267] Read of size 8 at addr ffff88802622ba88 by task kworker/3:1H/155 [69832.244656] [69832.245007] CPU: 3 PID: 155 Comm: kworker/3:1H Not tainted 5.10.0-10295-g576c6382529e #8 [69832.246626] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014 [69832.249069] Workqueue: kblockd blk_mq_run_work_fn [69832.250022] Call Trace: [69832.250541] dump_stack+0x9b/0xce [69832.251232] ? bfq_dispatch_request+0x1045/0x44b0 [69832.252243] print_address_description.constprop.6+0x3e/0x60 [69832.253381] ? __cpuidle_text_end+0x5/0x5 [69832.254211] ? vprintk_func+0x6b/0x120 [69832.254994] ? bfq_dispatch_request+0x1045/0x44b0 [69832.255952] ? bfq_dispatch_request+0x1045/0x44b0 [69832.256914] kasan_report.cold.9+0x22/0x3a [69832.257753] ? bfq_dispatch_request+0x1045/0x44b0 [69832.258755] check_memory_region+0x1c1/0x1e0 [69832.260248] bfq_dispatch_request+0x1045/0x44b0 [69832.261181] ? bfq_bfqq_expire+0x2440/0x2440 [69832.262032] ? blk_mq_delay_run_hw_queues+0xf9/0x170 [69832.263022] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.264011] ? blk_mq_sched_request_inserted+0x100/0x100 [69832.265101] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.266206] ? blk_mq_do_dispatch_ctx+0x570/0x570 [69832.267147] ? __switch_to+0x5f4/0xee0 [69832.267898] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.268946] __blk_mq_run_hw_queue+0xc0/0x270 [69832.269840] blk_mq_run_work_fn+0x51/0x60 [69832.278170] process_one_work+0x6d4/0xfe0 [69832.278984] worker_thread+0x91/0xc80 [69832.279726] ? __kthread_parkme+0xb0/0x110 [69832.280554] ? process_one_work+0xfe0/0xfe0 [69832.281414] kthread+0x32d/0x3f0 [69832.282082] ? kthread_park+0x170/0x170 [69832.282849] ret_from_fork+0x1f/0x30 [69832.283573] [69832.283886] Allocated by task 7725: [69832.284599] kasan_save_stack+0x19/0x40 [69832.285385] __kasan_kmalloc.constprop.2+0xc1/0xd0 [69832.286350] kmem_cache_alloc_node+0x13f/0x460 [69832.287237] bfq_get_queue+0x3d4/0x1140 [69832.287993] bfq_get_bfqq_handle_split+0x103/0x510 [69832.289015] bfq_init_rq+0x337/0x2d50 [69832.289749] bfq_insert_requests+0x304/0x4e10 [69832.290634] blk_mq_sched_insert_requests+0x13e/0x390 [69832.291629] blk_mq_flush_plug_list+0x4b4/0x760 [69832.292538] blk_flush_plug_list+0x2c5/0x480 [69832.293392] io_schedule_prepare+0xb2/0xd0 [69832.294209] io_schedule_timeout+0x13/0x80 [69832.295014] wait_for_common_io.constprop.1+0x13c/0x270 [69832.296137] submit_bio_wait+0x103/0x1a0 [69832.296932] blkdev_issue_discard+0xe6/0x160 [69832.297794] blk_ioctl_discard+0x219/0x290 [69832.298614] blkdev_common_ioctl+0x50a/0x1750 [69832.304715] blkdev_ioctl+0x470/0x600 [69832.305474] block_ioctl+0xde/0x120 [69832.306232] vfs_ioctl+0x6c/0xc0 [69832.306877] __se_sys_ioctl+0x90/0xa0 [69832.307629] do_syscall_64+0x2d/0x40 [69832.308362] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [69832.309382] [69832.309701] Freed by task 155: [69832.310328] kasan_save_stack+0x19/0x40 [69832.311121] kasan_set_track+0x1c/0x30 [69832.311868] kasan_set_free_info+0x1b/0x30 [69832.312699] __kasan_slab_free+0x111/0x160 [69832.313524] kmem_cache_free+0x94/0x460 [69832.314367] bfq_put_queue+0x582/0x940 [69832.315112] __bfq_bfqd_reset_in_service+0x166/0x1d0 [69832.317275] bfq_bfqq_expire+0xb27/0x2440 [69832.318084] bfq_dispatch_request+0x697/0x44b0 [69832.318991] __blk_mq_do_dispatch_sched+0x52f/0x830 [69832.319984] __blk_mq_sched_dispatch_requests+0x398/0x4f0 [69832.321087] blk_mq_sched_dispatch_requests+0xdf/0x140 [69832.322225] __blk_mq_run_hw_queue+0xc0/0x270 [69832.323114] blk_mq_run_work_fn+0x51/0x60 [69832.323942] process_one_work+0x6d4/0xfe0 [69832.324772] worker_thread+0x91/0xc80 [69832.325518] kthread+0x32d/0x3f0 [69832.326205] ret_from_fork+0x1f/0x30 [69832.326932] [69832.338297] The buggy address belongs to the object at ffff88802622b968 [69832.338297] which belongs to the cache bfq_queue of size 512 [69832.340766] The buggy address is located 288 bytes inside of [69832.340766] 512-byte region [ffff88802622b968, ffff88802622bb68) [69832.343091] The buggy address belongs to the page: [69832.344097] page:ffffea0000988a00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88802622a528 pfn:0x26228 [69832.346214] head:ffffea0000988a00 order:2 compound_mapcount:0 compound_pincount:0 [69832.347719] flags: 0x1fffff80010200(slab|head) [69832.348625] raw: 001fffff80010200 ffffea0000dbac08 ffff888017a57650 ffff8880179fe840 [69832.354972] raw: ffff88802622a528 0000000000120008 00000001ffffffff 0000000000000000 [69832.356547] page dumped because: kasan: bad access detected [69832.357652] [69832.357970] Memory state around the buggy address: [69832.358926] ffff88802622b980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.360358] ffff88802622ba00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.361810] >ffff88802622ba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [69832.363273] ^ [69832.363975] ffff88802622bb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc [69832.375960] ffff88802622bb80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [69832.377405] ================================================================== In bfq_dispatch_requestfunction, it may have function call: bfq_dispatch_request __bfq_dispatch_request bfq_select_queue bfq_bfqq_expire __bfq_bfqd_reset_in_service bfq_put_queue kmem_cache_free In this function call, in_serv_queue has beed expired and meet the conditions to free. In the function bfq_dispatch_request, the address of in_serv_queue pointing to has been released. For getting the value of idle_timer_disabled, it will get flags value from the address which in_serv_queue pointing to, then the problem of use-after-free happens; Fix the problem by check in_serv_queue == bfqd->in_service_queue, to get the value of idle_timer_disabled if in_serve_queue is equel to bfqd->in_service_queue. If the space of in_serv_queue pointing has been released, this judge will aviod use-after-free problem. And if in_serv_queue may be expired or finished, the idle_timer_disabled will be false which would not give effects to bfq_update_dispatch_stats. Reported-by: Hulk Robot Signed-off-by: Zhang Wensheng Link: https://lore.kernel.org/r/20220303070334.3020168-1-zhangwensheng5@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 95c37542c86f060e0e02c724c20afa32bcf89dea Author: Akira Kawata Date: Thu Jan 27 21:40:16 2022 +0900 fs/binfmt_elf: Fix AT_PHDR for unusual ELF files [ Upstream commit 0da1d5002745cdc721bc018b582a8a9704d56c42 ] BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=197921 As pointed out in the discussion of buglink, we cannot calculate AT_PHDR as the sum of load_addr and exec->e_phoff. : The AT_PHDR of ELF auxiliary vectors should point to the memory address : of program header. But binfmt_elf.c calculates this address as follows: : : NEW_AUX_ENT(AT_PHDR, load_addr + exec->e_phoff); : : which is wrong since e_phoff is the file offset of program header and : load_addr is the memory base address from PT_LOAD entry. : : The ld.so uses AT_PHDR as the memory address of program header. In normal : case, since the e_phoff is usually 64 and in the first PT_LOAD region, it : is the correct program header address. : : But if the address of program header isn't equal to the first PT_LOAD : address + e_phoff (e.g. Put the program header in other non-consecutive : PT_LOAD region), ld.so will try to read program header from wrong address : then crash or use incorrect program header. This is because exec->e_phoff is the offset of PHDRs in the file and the address of PHDRs in the memory may differ from it. This patch fixes the bug by calculating the address of program headers from PT_LOADs directly. Signed-off-by: Akira Kawata Reported-by: kernel test robot Acked-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220127124014.338760-2-akirakawata1@gmail.com Signed-off-by: Sasha Levin commit 02728ea149b9330221b1e43d972cd8121ba8c32b Author: Souptick Joarder (HPE) Date: Fri Feb 18 22:03:03 2022 +0530 irqchip/nvic: Release nvic_base upon failure [ Upstream commit e414c25e3399b2b3d7337dc47abccab5c71b7c8f ] smatch warning was reported as below -> smatch warnings: drivers/irqchip/irq-nvic.c:131 nvic_of_init() warn: 'nvic_base' not released on lines: 97. Release nvic_base upon failure. Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Souptick Joarder (HPE) Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220218163303.33344-1-jrdr.linux@gmail.com Signed-off-by: Sasha Levin commit 4272ecc4ffb4c3c5500404e2d0985f8266a6c513 Author: Marc Zyngier Date: Thu Feb 24 10:12:25 2022 +0000 irqchip/qcom-pdc: Fix broken locking [ Upstream commit a6aca2f460e203781dc41391913cc5b54f4bc0ce ] pdc_enable_intr() serves as a primitive to qcom_pdc_gic_{en,dis}able, and has a raw spinlock for mutual exclusion, which is uses with interruptible primitives. This means that this critical section can itself be interrupted. Should the interrupt also be a PDC interrupt, and the endpoint driver perform an irq_disable() on that interrupt, we end-up in a deadlock. Fix this by using the irqsave/irqrestore variants of the locking primitives. Signed-off-by: Marc Zyngier Reviewed-by: Maulik Shah Link: https://lore.kernel.org/r/20220224101226.88373-5-maz@kernel.org Signed-off-by: Sasha Levin commit d182b6d1e630bfaaf911754ef73eb7b4586ea80f Author: Casey Schaufler Date: Mon Feb 28 15:45:32 2022 -0800 Fix incorrect type in assignment of ipv6 port for audit [ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ] Remove inappropriate use of ntohs() and assign the port value directly. Reported-by: kernel test robot Signed-off-by: Casey Schaufler Signed-off-by: Sasha Levin commit 134f76bad2d887a9072e79bb1725256ca4778f53 Author: Chaitanya Kulkarni Date: Tue Feb 15 13:33:07 2022 -0800 loop: use sysfs_emit() in the sysfs xxx show() [ Upstream commit b27824d31f09ea7b4a6ba2c1b18bd328df3e8bed ] sprintf does not know the PAGE_SIZE maximum of the temporary buffer used for outputting sysfs content and it's possible to overrun the PAGE_SIZE buffer length. Use a generic sysfs_emit function that knows the size of the temporary buffer and ensures that no overrun is done for offset attribute in loop_attr_[offset|sizelimit|autoclear|partscan|dio]_show() callbacks. Signed-off-by: Chaitanya Kulkarni Reviewed-by: Himanshu Madhani Link: https://lore.kernel.org/r/20220215213310.7264-2-kch@nvidia.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit b2ec24277169ea5b68d6c25f9885afe5b711ff5a Author: Richard Haines Date: Fri Feb 25 17:54:38 2022 +0000 selinux: allow FIOCLEX and FIONCLEX with policy capability [ Upstream commit 65881e1db4e948614d9eb195b8e1197339822949 ] These ioctls are equivalent to fcntl(fd, F_SETFD, flags), which SELinux always allows too. Furthermore, a failed FIOCLEX could result in a file descriptor being leaked to a process that should not have access to it. As this patch removes access controls, a policy capability needs to be enabled in policy to always allow these ioctls. Based-on-patch-by: Demi Marie Obenour Signed-off-by: Richard Haines [PM: subject line tweak] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 3a17a2dcd409d1a41104fd188e0dba5f9a12ad9c Author: Fangrui Song Date: Fri Feb 18 00:12:09 2022 -0800 arm64: module: remove (NOLOAD) from linker script [ Upstream commit 4013e26670c590944abdab56c4fa797527b74325 ] On ELF, (NOLOAD) sets the section type to SHT_NOBITS[1]. It is conceptually inappropriate for .plt and .text.* sections which are always SHT_PROGBITS. In GNU ld, if PLT entries are needed, .plt will be SHT_PROGBITS anyway and (NOLOAD) will be essentially ignored. In ld.lld, since https://reviews.llvm.org/D118840 ("[ELF] Support (TYPE=) to customize the output section type"), ld.lld will report a `section type mismatch` error. Just remove (NOLOAD) to fix the error. [1] https://lld.llvm.org/ELF/linker_script.html As of today, "The section should be marked as not loadable" on https://sourceware.org/binutils/docs/ld/Output-Section-Type.html is outdated for ELF. Tested-by: Nathan Chancellor Reported-by: Nathan Chancellor Signed-off-by: Fangrui Song Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20220218081209.354383-1-maskray@google.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 3c6eaaf3d381b87151561c43d712883fc047841a Author: Daniel Lezcano Date: Sun Jan 30 22:02:04 2022 +0100 powercap/dtpm_cpu: Reset per_cpu variable in the release function [ Upstream commit 0aea2e4ec2a2bfa2d7e8820e37ba5b5ce04f20a5 ] The release function does not reset the per cpu variable when it is called. That will prevent creation again as the variable will be already from the previous creation. Fix it by resetting them. Signed-off-by: Daniel Lezcano Reviewed-by: Ulf Hansson Link: https://lore.kernel.org/r/20220130210210.549877-2-daniel.lezcano@linaro.org Signed-off-by: Sasha Levin commit 63ff236354f45182ce69783f6cda738f16b016fc Author: Christian Göttsche Date: Thu Feb 17 15:21:25 2022 +0100 selinux: use correct type for context length [ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ] security_sid_to_context() expects a pointer to an u32 as the address where to store the length of the computed context. Reported by sparse: security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4 (different signedness) security/selinux/xfrm.c:359:39: expected unsigned int [usertype] *scontext_len security/selinux/xfrm.c:359:39: got int * Signed-off-by: Christian Göttsche [PM: wrapped commit description] Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit 87fdfe8589d43e471dffb4c60f75eeb6f37afc4c Author: Yu Kuai Date: Sat Jan 29 09:59:24 2022 +0800 block, bfq: don't move oom_bfqq [ Upstream commit 8410f70977734f21b8ed45c37e925d311dfda2e7 ] Our test report a UAF: [ 2073.019181] ================================================================== [ 2073.019188] BUG: KASAN: use-after-free in __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019191] Write of size 8 at addr ffff8000ccf64128 by task rmmod/72584 [ 2073.019192] [ 2073.019196] CPU: 0 PID: 72584 Comm: rmmod Kdump: loaded Not tainted 4.19.90-yk #5 [ 2073.019198] Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015 [ 2073.019200] Call trace: [ 2073.019203] dump_backtrace+0x0/0x310 [ 2073.019206] show_stack+0x28/0x38 [ 2073.019210] dump_stack+0xec/0x15c [ 2073.019216] print_address_description+0x68/0x2d0 [ 2073.019220] kasan_report+0x238/0x2f0 [ 2073.019224] __asan_store8+0x88/0xb0 [ 2073.019229] __bfq_put_async_bfqq+0xa0/0x168 [ 2073.019233] bfq_put_async_queues+0xbc/0x208 [ 2073.019236] bfq_pd_offline+0x178/0x238 [ 2073.019240] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019244] bfq_exit_queue+0x128/0x178 [ 2073.019249] blk_mq_exit_sched+0x12c/0x160 [ 2073.019252] elevator_exit+0xc8/0xd0 [ 2073.019256] blk_exit_queue+0x50/0x88 [ 2073.019259] blk_cleanup_queue+0x228/0x3d8 [ 2073.019267] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019274] null_exit+0x90/0x114 [null_blk] [ 2073.019278] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019282] el0_svc_common+0xc8/0x320 [ 2073.019287] el0_svc_handler+0xf8/0x160 [ 2073.019290] el0_svc+0x10/0x218 [ 2073.019291] [ 2073.019294] Allocated by task 14163: [ 2073.019301] kasan_kmalloc+0xe0/0x190 [ 2073.019305] kmem_cache_alloc_node_trace+0x1cc/0x418 [ 2073.019308] bfq_pd_alloc+0x54/0x118 [ 2073.019313] blkcg_activate_policy+0x250/0x460 [ 2073.019317] bfq_create_group_hierarchy+0x38/0x110 [ 2073.019321] bfq_init_queue+0x6d0/0x948 [ 2073.019325] blk_mq_init_sched+0x1d8/0x390 [ 2073.019330] elevator_switch_mq+0x88/0x170 [ 2073.019334] elevator_switch+0x140/0x270 [ 2073.019338] elv_iosched_store+0x1a4/0x2a0 [ 2073.019342] queue_attr_store+0x90/0xe0 [ 2073.019348] sysfs_kf_write+0xa8/0xe8 [ 2073.019351] kernfs_fop_write+0x1f8/0x378 [ 2073.019359] __vfs_write+0xe0/0x360 [ 2073.019363] vfs_write+0xf0/0x270 [ 2073.019367] ksys_write+0xdc/0x1b8 [ 2073.019371] __arm64_sys_write+0x50/0x60 [ 2073.019375] el0_svc_common+0xc8/0x320 [ 2073.019380] el0_svc_handler+0xf8/0x160 [ 2073.019383] el0_svc+0x10/0x218 [ 2073.019385] [ 2073.019387] Freed by task 72584: [ 2073.019391] __kasan_slab_free+0x120/0x228 [ 2073.019394] kasan_slab_free+0x10/0x18 [ 2073.019397] kfree+0x94/0x368 [ 2073.019400] bfqg_put+0x64/0xb0 [ 2073.019404] bfqg_and_blkg_put+0x90/0xb0 [ 2073.019408] bfq_put_queue+0x220/0x228 [ 2073.019413] __bfq_put_async_bfqq+0x98/0x168 [ 2073.019416] bfq_put_async_queues+0xbc/0x208 [ 2073.019420] bfq_pd_offline+0x178/0x238 [ 2073.019424] blkcg_deactivate_policy+0x1f0/0x420 [ 2073.019429] bfq_exit_queue+0x128/0x178 [ 2073.019433] blk_mq_exit_sched+0x12c/0x160 [ 2073.019437] elevator_exit+0xc8/0xd0 [ 2073.019440] blk_exit_queue+0x50/0x88 [ 2073.019443] blk_cleanup_queue+0x228/0x3d8 [ 2073.019451] null_del_dev+0xfc/0x1e0 [null_blk] [ 2073.019459] null_exit+0x90/0x114 [null_blk] [ 2073.019462] __arm64_sys_delete_module+0x358/0x5a0 [ 2073.019467] el0_svc_common+0xc8/0x320 [ 2073.019471] el0_svc_handler+0xf8/0x160 [ 2073.019474] el0_svc+0x10/0x218 [ 2073.019475] [ 2073.019479] The buggy address belongs to the object at ffff8000ccf63f00 which belongs to the cache kmalloc-1024 of size 1024 [ 2073.019484] The buggy address is located 552 bytes inside of 1024-byte region [ffff8000ccf63f00, ffff8000ccf64300) [ 2073.019486] The buggy address belongs to the page: [ 2073.019492] page:ffff7e000333d800 count:1 mapcount:0 mapping:ffff8000c0003a00 index:0x0 compound_mapcount: 0 [ 2073.020123] flags: 0x7ffff0000008100(slab|head) [ 2073.020403] raw: 07ffff0000008100 ffff7e0003334c08 ffff7e00001f5a08 ffff8000c0003a00 [ 2073.020409] raw: 0000000000000000 00000000001c001c 00000001ffffffff 0000000000000000 [ 2073.020411] page dumped because: kasan: bad access detected [ 2073.020412] [ 2073.020414] Memory state around the buggy address: [ 2073.020420] ffff8000ccf64000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020424] ffff8000ccf64080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020428] >ffff8000ccf64100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020430] ^ [ 2073.020434] ffff8000ccf64180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020438] ffff8000ccf64200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 2073.020439] ================================================================== The same problem exist in mainline as well. This is because oom_bfqq is moved to a non-root group, thus root_group is freed earlier. Thus fix the problem by don't move oom_bfqq. Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Acked-by: Paolo Valente Link: https://lore.kernel.org/r/20220129015924.3958918-4-yukuai3@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit a8820e841670c8a626b211507d25ffafd6882e44 Author: Kai Ye Date: Fri Feb 11 17:08:18 2022 +0800 crypto: hisilicon/sec - not need to enable sm4 extra mode at HW V3 [ Upstream commit f8a2652826444d13181061840b96a5d975d5b6c6 ] It is not need to enable sm4 extra mode in at HW V3. Here is fix it. Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 12f5e354998f7da910b0c8dfc67dd49a96844fef Author: Herbert Xu Date: Thu Feb 10 13:09:40 2022 +1100 crypto: xts - Add softdep on ecb [ Upstream commit dfe085d8dcd0bb1fe20cc2327e81c8064cead441 ] The xts module needs ecb to be present as it's meant to work on top of ecb. This patch adds a softdep so ecb can be included automatically into the initramfs. Reported-by: rftc Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b909cc120d8a101950339a2b7dce32e420e3545c Author: Yahu Gao Date: Fri Jan 7 14:58:59 2022 +0800 block/bfq_wf2q: correct weight to ioprio [ Upstream commit bcd2be763252f3a4d5fc4d6008d4d96c601ee74b ] The return value is ioprio * BFQ_WEIGHT_CONVERSION_COEFF or 0. What we want is ioprio or 0. Correct this by changing the calculation. Signed-off-by: Yahu Gao Acked-by: Paolo Valente Link: https://lore.kernel.org/r/20220107065859.25689-1-gaoyahu19@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 057b53c4f87690d626203acef8b63d52a9bf2f43 Author: Christoph Hellwig Date: Tue Feb 15 10:45:12 2022 +0100 memstick/mspro_block: fix handling of read-only devices [ Upstream commit 6dab421bfe06a59bf8f212a72e34673e8acf2018 ] Use set_disk_ro to propagate the read-only state to the block layer instead of checking for it in ->open and leaking a reference in case of a read-only device. Signed-off-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220215094514.3828912-4-hch@lst.de Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 7d6cebd25a0b0e4e9161537f15cf094c2ced82c5 Author: Ming Lei Date: Wed Feb 16 12:45:12 2022 +0800 block: throttle split bio in case of iops limit [ Upstream commit 9f5ede3c01f9951b0ae7d68b28762ad51d9bacc8 ] Commit 111be8839817 ("block-throttle: avoid double charge") marks bio as BIO_THROTTLED unconditionally if __blk_throtl_bio() is called on this bio, then this bio won't be called into __blk_throtl_bio() any more. This way is to avoid double charge in case of bio splitting. It is reasonable for read/write throughput limit, but not reasonable for IOPS limit because block layer provides io accounting against split bio. Chunguang Xu has already observed this issue and fixed it in commit 4f1e9630afe6 ("blk-throtl: optimize IOPS throttle for large IO scenarios"). However, that patch only covers bio splitting in __blk_queue_split(), and we have other kind of bio splitting, such as bio_split() & submit_bio_noacct() and other ways. This patch tries to fix the issue in one generic way by always charging the bio for iops limit in blk_throtl_bio(). This way is reasonable: re-submission & fast-cloned bio is charged if it is submitted to same disk/queue, and BIO_THROTTLED will be cleared if bio->bi_bdev is changed. This new approach can get much more smooth/stable iops limit compared with commit 4f1e9630afe6 ("blk-throtl: optimize IOPS throttle for large IO scenarios") since that commit can't throttle current split bios actually. Also this way won't cause new double bio iops charge in blk_throtl_dispatch_work_fn() in which blk_throtl_bio() won't be called any more. Reported-by: Ning Li Acked-by: Tejun Heo Cc: Chunguang Xu Signed-off-by: Ming Lei Link: https://lore.kernel.org/r/20220216044514.2903784-7-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit c72882e57ad4ae07b2d4bcb9aaa4132714208760 Author: Paul E. McKenney Date: Tue Jan 4 10:34:34 2022 -0800 rcu: Mark writes to the rcu_segcblist structure's ->flags field [ Upstream commit c09929031018913b5783872a8b8cdddef4a543c7 ] KCSAN reports data races between the rcu_segcblist_clear_flags() and rcu_segcblist_set_flags() functions, though misreporting the latter as a call to rcu_segcblist_is_enabled() from call_rcu(). This commit converts the updates of this field to WRITE_ONCE(), relying on the resulting unmarked reads to continue to detect buggy concurrent writes to this field. Reported-by: Zhouyi Zhou Signed-off-by: Paul E. McKenney Cc: Frederic Weisbecker Signed-off-by: Sasha Levin commit 1320b4d314de0e5e50a715e3877be1df756b6c32 Author: Marc Zyngier Date: Tue Feb 1 12:03:08 2022 +0000 pinctrl: npcm: Fix broken references to chip->parent_device [ Upstream commit f7e53e2255808ca3abcc8f38d18ad0823425e771 ] The npcm driver has a bunch of references to the irq_chip parent_device field, but never sets it. Fix it by fishing that reference from somewhere else, but it is obvious that these debug statements were never used. Also remove an unused field in a local data structure. Signed-off-by: Marc Zyngier Acked-by: Bartosz Golaszewski Link: https://lore.kernel.org/r/20220201120310.878267-11-maz@kernel.org Signed-off-by: Sasha Levin commit 7e7a4f32b4efb8bad2df73e87ffa914b85cbc966 Author: David Woodhouse Date: Tue Feb 16 15:04:34 2021 +0000 rcu: Kill rnp->ofl_seq and use only rcu_state.ofl_lock for exclusion [ Upstream commit 82980b1622d97017053c6792382469d7dc26a486 ] If we allow architectures to bring APs online in parallel, then we end up requiring rcu_cpu_starting() to be reentrant. But currently, the manipulation of rnp->ofl_seq is not thread-safe. However, rnp->ofl_seq is also fairly much pointless anyway since both rcu_cpu_starting() and rcu_report_dead() hold rcu_state.ofl_lock for fairly much the whole time that rnp->ofl_seq is set to an odd number to indicate that an operation is in progress. So drop rnp->ofl_seq completely, and use only rcu_state.ofl_lock. This has a couple of minor complexities: lockdep will complain when we take rcu_state.ofl_lock, and currently accepts the 'excuse' of having an odd value in rnp->ofl_seq. So switch it to an arch_spinlock_t to avoid that false positive complaint. Since we're killing rnp->ofl_seq of course that 'excuse' has to be changed too, so make it check for arch_spin_is_locked(rcu_state.ofl_lock). There's no arch_spin_lock_irqsave() so we have to manually save and restore local interrupts around the locking. At Paul's request based on Neeraj's analysis, make rcu_gp_init not just wait but *exclude* any CPU online/offline activity, which was fairly much true already by virtue of it holding rcu_state.ofl_lock. Signed-off-by: David Woodhouse Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 59a1131272663ebfcb58b80b926c1aad6fd6d75b Author: Kees Cook Date: Sun Feb 6 09:08:20 2022 -0800 gcc-plugins/stackleak: Exactly match strings instead of prefixes [ Upstream commit 27e9faf415dbf94af19b9c827842435edbc1fbbc ] Since STRING_CST may not be NUL terminated, strncmp() was used for check for equality. However, this may lead to mismatches for longer section names where the start matches the tested-for string. Test for exact equality by checking for the presences of NUL termination. Cc: Alexander Popov Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 8ff4b3bf5990487a2954fe7897c9f49467cedfc1 Author: Kai Ye Date: Sat Jan 22 17:30:42 2022 +0800 crypto: hisilicon/qm - cleanup warning in qm_vf_read_qos [ Upstream commit 05b3bade290d6c940701f97f3233c07cfe27205d ] The kernel test rebot report this warning: Uninitialized variable: ret. The code flow may return value of ret directly. This value is an uninitialized variable, here is fix it. Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 373c90c664dc6c26f72f7f5684f853973c319593 Author: Dave Stevenson Date: Mon Jan 24 17:01:22 2022 -0500 regulator: rpi-panel: Handle I2C errors/timing to the Atmel [ Upstream commit 5665eee7a3800430e7dc3ef6f25722476b603186 ] The Atmel is doing some things in the I2C ISR, during which period it will not respond to further commands. This is particularly true of the POWERON command. Increase delays appropriately, and retry should I2C errors be reported. Signed-off-by: Dave Stevenson Signed-off-by: Detlev Casanova Link: https://lore.kernel.org/r/20220124220129.158891-3-detlev.casanova@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 00fc07fa0b4a004711b6e1a944f0d2e46f7093b7 Author: Casey Schaufler Date: Thu Jan 27 04:51:00 2022 +0000 LSM: general protection fault in legacy_parse_param [ Upstream commit ecff30575b5ad0eda149aadad247b7f75411fd47 ] The usual LSM hook "bail on fail" scheme doesn't work for cases where a security module may return an error code indicating that it does not recognize an input. In this particular case Smack sees a mount option that it recognizes, and returns 0. A call to a BPF hook follows, which returns -ENOPARAM, which confuses the caller because Smack has processed its data. The SELinux hook incorrectly returns 1 on success. There was a time when this was correct, however the current expectation is that it return 0 on success. This is repaired. Reported-by: syzbot+d1e3b1d92d25abf97943@syzkaller.appspotmail.com Signed-off-by: Casey Schaufler Acked-by: James Morris Signed-off-by: Paul Moore Signed-off-by: Sasha Levin commit afc46998a32e7670fe77321e33f10e31e980d56f Author: Linus Torvalds Date: Tue Mar 29 23:29:18 2022 -0700 fs: fix fd table size alignment properly [ Upstream commit d888c83fcec75194a8a48ccd283953bdba7b2550 ] Jason Donenfeld reports that my commit 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") doesn't work, and the reason is an embarrassing brown-paper-bag bug. Yes, we want to align the number of fds to BITS_PER_LONG, and yes, the reason they might not be aligned is because the incoming 'max_fd' argument might not be aligned. But aligining the argument - while simple - will cause a "infinitely big" maxfd (eg NR_OPEN_MAX) to just overflow to zero. Which most definitely isn't what we want either. The obvious fix was always just to do the alignment last, but I had moved it earlier just to make the patch smaller and the code look simpler. Duh. It certainly made _me_ look simple. Fixes: 1c24a186398f ("fs: fd tables have to be multiples of BITS_PER_LONG") Reported-and-tested-by: Jason A. Donenfeld Cc: Fedor Pchelkin Cc: Alexey Khoroshilov Cc: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 0d26d371130d0edd59e9db0cf8142d460953d402 Author: Dan Carpenter Date: Thu Mar 24 08:52:07 2022 +0300 lib/test: use after free in register_test_dev_kmod() [ Upstream commit dc0ce6cc4b133f5f2beb8b47dacae13a7d283c2c ] The "test_dev" pointer is freed but then returned to the caller. Fixes: d9c6a72d6fa2 ("kmod: add test driver to stress test the module loader") Signed-off-by: Dan Carpenter Signed-off-by: Luis Chamberlain Signed-off-by: Sasha Levin commit 2ee9660213b7aee78b7a6bd7c91b3cbcfc965d2e Author: Linus Torvalds Date: Tue Mar 29 15:06:39 2022 -0700 fs: fd tables have to be multiples of BITS_PER_LONG [ Upstream commit 1c24a186398f59c80adb9a967486b65c1423a59d ] This has always been the rule: fdtables have several bitmaps in them, and as a result they have to be sized properly for bitmaps. We walk those bitmaps in chunks of 'unsigned long' in serveral cases, but even when we don't, we use the regular kernel bitops that are defined to work on arrays of 'unsigned long', not on some byte array. Now, the distinction between arrays of bytes and 'unsigned long' normally only really ends up being noticeable on big-endian systems, but Fedor Pchelkin and Alexey Khoroshilov reported that copy_fd_bitmaps() could be called with an argument that wasn't even a multiple of BITS_PER_BYTE. And then it fails to do the proper copy even on little-endian machines. The bug wasn't in copy_fd_bitmap(), but in sane_fdtable_size(), which didn't actually sanitize the fdtable size sufficiently, and never made sure it had the proper BITS_PER_LONG alignment. That's partly because the alignment historically came not from having to explicitly align things, but simply from previous fdtable sizes, and from count_open_files(), which counts the file descriptors by walking them one 'unsigned long' word at a time and thus naturally ends up doing sizing in the proper 'chunks of unsigned long'. But with the introduction of close_range(), we now have an external source of "this is how many files we want to have", and so sane_fdtable_size() needs to do a better job. This also adds that explicit alignment to alloc_fdtable(), although there it is mainly just for documentation at a source code level. The arithmetic we do there to pick a reasonable fdtable size already aligns the result sufficiently. In fact,clang notices that the added ALIGN() in that function doesn't actually do anything, and does not generate any extra code for it. It turns out that gcc ends up confusing itself by combining a previous constant-sized shift operation with the variable-sized shift operations in roundup_pow_of_two(). And probably due to that doesn't notice that the ALIGN() is a no-op. But that's a (tiny) gcc misfeature that doesn't matter. Having the explicit alignment makes sense, and would actually matter on a 128-bit architecture if we ever go there. This also adds big comments above both functions about how fdtable sizes have to have that BITS_PER_LONG alignment. Fixes: 60997c3d45d9 ("close_range: add CLOSE_RANGE_UNSHARE") Reported-by: Fedor Pchelkin Reported-by: Alexey Khoroshilov Link: https://lore.kernel.org/all/20220326114009.1690-1-aissur0002@gmail.com/ Tested-and-acked-by: Christian Brauner Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 965efd33c4e22c66bbd5753f272e492264b7b2ac Author: Xiaomeng Tong Date: Mon Mar 28 11:24:31 2022 +0800 net: dsa: bcm_sf2_cfp: fix an incorrect NULL check on list iterator [ Upstream commit 6da69b1da130e7d96766042750cd9f902e890eba ] The bug is here: return rule; The list iterator value 'rule' will *always* be set and non-NULL by list_for_each_entry(), so it is incorrect to assume that the iterator value will be NULL if the list is empty or no element is found. To fix the bug, return 'rule' when found, otherwise return NULL. Fixes: ae7a5aff783c7 ("net: dsa: bcm_sf2: Keep copy of inserted rules") Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Signed-off-by: Xiaomeng Tong Link: https://lore.kernel.org/r/20220328032431.22538-1-xiam0nd.tong@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 7bb1b01c8143407bfa6d0098b61fc2af8688dba7 Author: Trond Myklebust Date: Mon Mar 28 08:36:34 2022 -0400 NFSv4/pNFS: Fix another issue with a list iterator pointing to the head [ Upstream commit 7c9d845f0612e5bcd23456a2ec43be8ac43458f1 ] In nfs4_callback_devicenotify(), if we don't find a matching entry for the deviceid, we're left with a pointer to 'struct nfs_server' that actually points to the list of super blocks associated with our struct nfs_client. Furthermore, even if we have a valid pointer, nothing pins the super block, and so the struct nfs_server could end up getting freed while we're using it. Since all we want is a pointer to the struct pnfs_layoutdriver_type, let's skip all the iteration over super blocks, and just use APIs to find the layout driver directly. Reported-by: Xiaomeng Tong Fixes: 1be5683b03a7 ("pnfs: CB_NOTIFY_DEVICEID") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 4bb42d73def9411e5cad885b9811987d72431df1 Author: Marcelo Ricardo Leitner Date: Thu Mar 24 16:22:10 2022 -0300 net/sched: act_ct: fix ref leak when switching zones [ Upstream commit bcb74e132a76ce0502bb33d5b65533a4ed72d159 ] When switching zones or network namespaces without doing a ct clear in between, it is now leaking a reference to the old ct entry. That's because tcf_ct_skb_nfct_cached() returns false and tcf_ct_flow_table_lookup() may simply overwrite it. The fix is to, as the ct entry is not reusable, free it already at tcf_ct_skb_nfct_cached(). Reported-by: Florian Westphal Fixes: 2f131de361f6 ("net/sched: act_ct: Fix flow table lookup after ct clear or switching zones") Signed-off-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bdd85776abe4946ca728d2fc7b3f12b660bbf4c5 Author: Florian Westphal Date: Fri Jan 7 05:03:26 2022 +0100 net: prefer nf_ct_put instead of nf_conntrack_put [ Upstream commit 408bdcfce8dfd6902f75fbcd3b99d8b24b506597 ] Its the same as nf_conntrack_put(), but without the need for an indirect call. The downside is a module dependency on nf_conntrack, but all of these already depend on conntrack anyway. Cc: Paul Blakey Cc: dev@openvswitch.org Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 1c95a962e3a5679970c50e83bc34754216cdb647 Author: Jakub Kicinski Date: Fri Mar 25 16:27:09 2022 -0700 selftests: tls: skip cmsg_to_pipe tests with TLS=n [ Upstream commit 5c7e49be96ea24776a5b5a07c732c477294add00 ] These are negative tests, testing TLS code rejects certain operations. They won't pass without TLS enabled, pure TCP accepts those operations. Reported-by: Linux Kernel Functional Testing Fixes: d87d67fd61ef ("selftests: tls: test splicing cmsgs") Signed-off-by: Jakub Kicinski Reviewed-by: Shuah Khan Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 31d34a7872f2a3589cf6d48820dba6eb01a90659 Author: Tom Rix Date: Sat Mar 26 09:03:06 2022 -0700 octeontx2-af: initialize action variable [ Upstream commit 33b5bc9e703383e396f275d51fc4bafa48dbae5a ] Clang static analysis reports this representative issue rvu_npc.c:898:15: warning: Assigned value is garbage or undefined req.match_id = action.match_id; ^ ~~~~~~~~~~~~~~~ The initial setting of action is conditional on if (is_mcam_entry_enabled(...)) The later check of action.op will sometimes be garbage. So initialize action. Reduce setting of *(u64 *)&action = 0x00; to *(u64 *)&action = 0; Fixes: 967db3529eca ("octeontx2-af: add support for multicast/promisc packet replication feature") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit c346791877e6ce923bb21e34b30c6f99326aa5a8 Author: Zheng Yongjun Date: Sat Mar 26 08:12:39 2022 +0000 net: sparx5: switchdev: fix possible NULL pointer dereference [ Upstream commit 0906f3a3df07835e37077d8971aac65347f2ed57 ] As the possible failure of the allocation, devm_kzalloc() may return NULL pointer. Therefore, it should be better to check the 'db' in order to prevent the dereference of NULL pointer. Fixes: 10615907e9b51 ("net: sparx5: switchdev: adding frame DMA functionality") Signed-off-by: Zheng Yongjun Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4a279d7ee1c65411b4055ecd428b8aa2b1711c1f Author: Duoming Zhou Date: Sat Mar 26 18:43:46 2022 +0800 net/x25: Fix null-ptr-deref caused by x25_disconnect [ Upstream commit 7781607938c8371d4c2b243527430241c62e39c2 ] When the link layer is terminating, x25->neighbour will be set to NULL in x25_disconnect(). As a result, it could cause null-ptr-deref bugs in x25_sendmsg(),x25_recvmsg() and x25_connect(). One of the bugs is shown below. (Thread 1) | (Thread 2) x25_link_terminated() | x25_recvmsg() x25_kill_by_neigh() | ... x25_disconnect() | lock_sock(sk) ... | ... x25->neighbour = NULL //(1) | ... | x25->neighbour->extended //(2) The code sets NULL to x25->neighbour in position (1) and dereferences x25->neighbour in position (2), which could cause null-ptr-deref bug. This patch adds lock_sock() in x25_kill_by_neigh() in order to synchronize with x25_sendmsg(), x25_recvmsg() and x25_connect(). What`s more, the sock held by lock_sock() is not NULL, because it is extracted from x25_list and uses x25_list_lock to synchronize. Fixes: 4becb7ee5b3d ("net/x25: Fix x25_neigh refcnt leak when x25 disconnect") Signed-off-by: Duoming Zhou Reviewed-by: Lin Ma Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f24e010072bf057a30b3de73e93aae476ab25b5f Author: Tom Rix Date: Sat Mar 26 10:20:03 2022 -0700 qlcnic: dcb: default to returning -EOPNOTSUPP [ Upstream commit 1521db37f0d42334a88e8ff28198a27d1ed5cd7b ] Clang static analysis reports this issue qlcnic_dcb.c:382:10: warning: Assigned value is garbage or undefined mbx_out = *val; ^ ~~~~ val is set in the qlcnic_dcb_query_hw_capability() wrapper. If there is no query_hw_capability op in dcp, success is returned without setting the val. For this and similar wrappers, return -EOPNOTSUPP. Fixes: 14d385b99059 ("qlcnic: dcb: Query adapter DCB capabilities.") Signed-off-by: Tom Rix Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 0aff322b951db2c5abd23ccf40c05741aa3fd248 Author: Randy Dunlap Date: Sat Mar 26 11:02:34 2022 -0700 net: sparx5: depends on PTP_1588_CLOCK_OPTIONAL [ Upstream commit 08be6b13db23f68146c600dd5adfd92e99d9ec6e ] Fix build errors when PTP_1588_CLOCK=m and SPARX5_SWTICH=y. arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ethtool.o: in function `sparx5_get_ts_info': sparx5_ethtool.c:(.text+0x146): undefined reference to `ptp_clock_index' arc-linux-ld: sparx5_ethtool.c:(.text+0x146): undefined reference to `ptp_clock_index' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o: in function `sparx5_ptp_init': sparx5_ptp.c:(.text+0xd56): undefined reference to `ptp_clock_register' arc-linux-ld: sparx5_ptp.c:(.text+0xd56): undefined reference to `ptp_clock_register' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o: in function `sparx5_ptp_deinit': sparx5_ptp.c:(.text+0xf30): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf30): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf38): undefined reference to `ptp_clock_unregister' arc-linux-ld: sparx5_ptp.c:(.text+0xf46): undefined reference to `ptp_clock_unregister' arc-linux-ld: drivers/net/ethernet/microchip/sparx5/sparx5_ptp.o:sparx5_ptp.c:(.text+0xf46): more undefined references to `ptp_clock_unregister' follow Fixes: 3cfa11bac9bb ("net: sparx5: add the basic sparx5 driver") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Horatiu Vultur Cc: UNGLinuxDriver@microchip.com Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Steen Hegelund Cc: Bjarni Jonasson Cc: Lars Povlsen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4cc7643feeba4054982ba2b4054df287d81cad4c Author: Peng Li Date: Sat Mar 26 17:51:02 2022 +0800 net: hns3: clean residual vf config after disable sriov [ Upstream commit 671cb8cbb9c9e24b681d21b1bfae991e2386ac73 ] After disable sriov, VF still has some config and info need to be cleaned, which configured by PF. This patch clean the HW config and SW struct vport->vf_info. Fixes: fa8d82e853e8 ("net: hns3: Add support of .sriov_configure in HNS3 driver") Signed-off-by: Peng Li Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6d12ce1468e18033e77d46a4f5c97522c2c90aa5 Author: Trond Myklebust Date: Fri Mar 25 21:51:03 2022 -0400 NFS: Don't loop forever in nfs_do_recoalesce() [ Upstream commit d02d81efc7564b4d5446a02e0214a164cf00b1f3 ] If __nfs_pageio_add_request() fails to add the request, it will return with either desc->pg_error < 0, or mirror->pg_recoalesce will be set, so we are guaranteed either to exit the function altogether, or to loop. However if there is nothing left in mirror->pg_list to coalesce, we must exit, so make sure that we clear mirror->pg_recoalesce every time we loop. Reported-by: Olga Kornievskaia Fixes: 70536bf4eb07 ("NFS: Clean up reset of the mirror accounting variables") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit f1b21d17ba19131c1af32cd1dbcb8b0e34f281eb Author: Ido Schimmel Date: Thu Mar 24 22:05:14 2022 +0200 selftests: test_vxlan_under_vrf: Fix broken test case [ Upstream commit b50d3b46f84282d795ae3076111acb75ae1031f3 ] The purpose of the last test case is to test VXLAN encapsulation and decapsulation when the underlay lookup takes place in a non-default VRF. This is achieved by enslaving the physical device of the tunnel to a VRF. The binding of the VXLAN UDP socket to the VRF happens when the VXLAN device itself is opened, not when its physical device is opened. This was also mentioned in the cited commit ("tests that moving the underlay from a VRF to another works when down/up the VXLAN interface"), but the test did something else. Fix it by reopening the VXLAN device instead of its physical device. Before: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [FAIL] After: # ./test_vxlan_under_vrf.sh Checking HV connectivity [ OK ] Check VM connectivity through VXLAN (underlay in the default VRF) [ OK ] Check VM connectivity through VXLAN (underlay in a VRF) [ OK ] Fixes: 03f1c26b1c56 ("test/net: Add script for VXLAN underlay in a VRF") Signed-off-by: Ido Schimmel Reviewed-by: David Ahern Link: https://lore.kernel.org/r/20220324200514.1638326-1-idosch@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 440454c0c147b7a66bd0344f93431781d3a193e5 Author: Florian Fainelli Date: Thu Mar 24 16:24:38 2022 -0700 net: phy: broadcom: Fix brcm_fet_config_init() [ Upstream commit bf8bfc4336f7a34e48b3bbd19b1542bf085bdc3d ] A Broadcom AC201 PHY (same entry as 5241) would be flagged by the Broadcom UniMAC MDIO controller as not completing the turn around properly since the PHY expects 65 MDC clock cycles to complete a write cycle, and the MDIO controller was only sending 64 MDC clock cycles as determined by looking at a scope shot. This would make the subsequent read fail with the UniMAC MDIO controller command field having MDIO_READ_FAIL set and we would abort the brcm_fet_config_init() function and thus not probe the PHY at all. After issuing a software reset, wait for at least 1ms which is well above the 1us reset delay advertised by the datasheet and issue a dummy read to let the PHY turn around the line properly. This read specifically ignores -EIO which would be returned by MDIO controllers checking for the line being turned around. If we have a genuine reaad failure, the next read of the interrupt status register would pick it up anyway. Fixes: d7a2ed9248a3 ("broadcom: Add AC131 phy support") Signed-off-by: Florian Fainelli Link: https://lore.kernel.org/r/20220324232438.1156812-1-f.fainelli@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a5e03875c953e197bd378959cb1e59ace81e6660 Author: Jian Shen Date: Thu Mar 24 20:54:50 2022 +0800 net: hns3: refine the process when PF set VF VLAN [ Upstream commit 190cd8a72b0181c543ecada6243be3a50636941b ] Currently, when PF set VF VLAN, it sends notify mailbox to VF if VF alive. VF stop its traffic, and send request mailbox to PF, then PF updates VF VLAN. It's a bit complex. If VF is killed before sending request, PF will not set VF VLAN without any log. This patch refines the process, PF can set VF VLAN direclty, and then notify the VF. If VF is resetting at that time, the notify may be dropped, so VF should query it after reset finished. Fixes: 92f11ea177cd ("net: hns3: fix set port based VLAN issue for VF") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 863f4215b42d5449d53d15ec29e893d354adfb15 Author: Yufeng Mo Date: Wed Nov 24 09:06:52 2021 +0800 net: hns3: format the output of the MAC address [ Upstream commit 4f331fda35f1695af8ddd8180edc948880def74b ] Printing the whole MAC addresse may bring security risks. Therefore, the MAC address is partially encrypted to improve security. Signed-off-by: Yufeng Mo Signed-off-by: Guangbin Huang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 09e383ca97e798f9954189b741af54b5c51e7a97 Author: Jian Shen Date: Thu Mar 24 20:54:49 2022 +0800 net: hns3: add vlan list lock to protect vlan list [ Upstream commit 1932a624ab88ff407d1a1d567fe581faa15dc725 ] When adding port base VLAN, vf VLAN need to remove from HW and modify the vlan state in vf VLAN list as false. If the periodicity task is freeing the same node, it may cause "use after free" error. This patch adds a vlan list lock to protect the vlan list. Fixes: c6075b193462 ("net: hns3: Record VF vlan tables") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0f049f16ec5f11d5c69ac02d2495013d938070c4 Author: Jian Shen Date: Thu Mar 24 20:54:48 2022 +0800 net: hns3: fix port base vlan add fail when concurrent with reset [ Upstream commit c0f46de30c965d4ba208b5bf1a6d3437a7556ee2 ] Currently, Port base vlan is initiated by PF and configured to its VFs, by using command "ip link set vf vlan ". When a global reset was triggered, the hardware vlan table and the soft recorded vlan information will be cleared by PF, and restored them until VFs were ready. There is a short time window between the table had been cleared and before table restored. If configured a new port base vlan tag at this moment, driver will check the soft recorded vlan information, and find there hasn't the old tag in it, which causing a warning print. Due to the port base vlan is managed by PF, so the VFs's port base vlan restoring should be handled by PF when PF was ready. This patch fixes it. Fixes: 039ba863e8d7 ("net: hns3: optimize the filter table entries handling when resetting") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a889f1eb70889841ff8838744548f53b46c74955 Author: Jian Shen Date: Thu Mar 24 20:54:47 2022 +0800 net: hns3: fix bug when PF set the duplicate MAC address for VFs [ Upstream commit ccb18f05535c96d26e2d559d402acb87700fc5a7 ] If the MAC address A is configured to vport A and then vport B. The MAC address of vport A in the hardware becomes invalid. If the address of vport A is changed to MAC address B, the driver needs to delete the MAC address A of vport A. Due to the MAC address A of vport A has become invalid in the hardware entry, so "-ENOENT" is returned. In this case, the "used_umv_size" value recorded in driver is not updated. As a result, the MAC entry status of the software is inconsistent with that of the hardware. Therefore, the driver updates the umv size even if the MAC entry cannot be found. Ensure that the software and hardware status is consistent. Fixes: ee4bcd3b7ae4 ("net: hns3: refactor the MAC address configure") Signed-off-by: Jian Shen Signed-off-by: Guangbin Huang Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 66bbdb5b29b91520eb123872af28aceb44d9c48c Author: Vladimir Oltean Date: Thu Mar 24 18:12:10 2022 +0200 net: enetc: report software timestamping via SO_TIMESTAMPING [ Upstream commit feb13dcb1818b775fbd9191f797be67cd605f03e ] Let user space properly determine that the enetc driver provides software timestamps. Fixes: 4caefbce06d1 ("enetc: add software timestamping") Signed-off-by: Vladimir Oltean Reviewed-by: Claudiu Manoil Link: https://lore.kernel.org/r/20220324161210.4122281-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 980bc42812c0a4788aee4b519bc911bfb911c23c Author: Juergen Gross Date: Fri Mar 25 15:20:02 2022 +0100 xen: fix is_xen_pmu() [ Upstream commit de2ae403b4c0e79a3410e63bc448542fbb9f9bfc ] is_xen_pmu() is taking the cpu number as parameter, but it is not using it. Instead it just tests whether the Xen PMU initialization on the current cpu did succeed. As this test is done by checking a percpu pointer, preemption needs to be disabled in order to avoid switching the cpu while doing the test. While resuming from suspend() this seems not to be the case: [ 88.082751] ACPI: PM: Low-level resume complete [ 88.087933] ACPI: EC: EC started [ 88.091464] ACPI: PM: Restoring platform NVS memory [ 88.097166] xen_acpi_processor: Uploading Xen processor PM info [ 88.103850] Enabling non-boot CPUs ... [ 88.108128] installing Xen timer for CPU 1 [ 88.112763] BUG: using smp_processor_id() in preemptible [00000000] code: systemd-sleep/7138 [ 88.122256] caller is is_xen_pmu+0x12/0x30 [ 88.126937] CPU: 0 PID: 7138 Comm: systemd-sleep Tainted: G W 5.16.13-2.fc32.qubes.x86_64 #1 [ 88.137939] Hardware name: Star Labs StarBook/StarBook, BIOS 7.97 03/21/2022 [ 88.145930] Call Trace: [ 88.148757] [ 88.151193] dump_stack_lvl+0x48/0x5e [ 88.155381] check_preemption_disabled+0xde/0xe0 [ 88.160641] is_xen_pmu+0x12/0x30 [ 88.164441] xen_smp_intr_init_pv+0x75/0x100 Fix that by replacing is_xen_pmu() by a simple boolean variable which reflects the Xen PMU initialization state on cpu 0. Modify xen_pmu_init() to return early in case it is being called for a cpu other than cpu 0 and the boolean variable not being set. Fixes: bf6dfb154d93 ("xen/PMU: PMU emulation code") Reported-by: Marek Marczykowski-Górecki Signed-off-by: Juergen Gross Reviewed-by: Boris Ostrovsky Link: https://lore.kernel.org/r/20220325142002.31789-1-jgross@suse.com Signed-off-by: Boris Ostrovsky Signed-off-by: Sasha Levin commit a7e290fb0ab129eced884224733730d7c2adeaa0 Author: Maxime Ripard Date: Fri Mar 25 17:11:42 2022 +0100 clk: Initialize orphan req_rate [ Upstream commit 5f7e2af00807f2117650e711a58b7f0e986ce1df ] When registering a clock that doesn't have a recalc_rate implementation, and doesn't have its parent registered yet, we initialize the clk_core rate and 'req_rate' fields to 0. The rate field is later updated when the parent is registered in clk_core_reparent_orphans_nolock() using __clk_recalc_rates(), but the 'req_rate' field is never updated. This leads to an issue in clk_set_rate_range() and clk_put(), since those functions will call clk_set_rate() with the content of 'req_rate' to provide drivers with the opportunity to change the rate based on the new boundaries. In this case, we would call clk_set_rate() with a rate of 0, effectively enforcing the minimum allowed for this clock whenever we would call one of those two functions, even though the actual rate might be within range. Let's fix this by setting 'req_rate' in clk_core_reparent_orphans_nolock() with the rate field content just updated by the call to __clk_recalc_rates(). Fixes: 1c8e600440c7 ("clk: Add rate constraints to clocks") Reported-by: Dmitry Osipenko Tested-by: Dmitry Osipenko # T30 Nexus7 Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220325161144.1901695-2-maxime@cerno.tech [sboyd@kernel.org: Reword comment] Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 4c7bd3f98e9426d2f94163aaccf11e5fc25a3a4f Author: Stefano Garzarella Date: Wed Mar 23 18:36:25 2022 +0100 vsock/virtio: enable VQs early on probe [ Upstream commit 88704454ef8b00ea91537ae0d47d9348077e0e72 ] virtio spec requires drivers to set DRIVER_OK before using VQs. This is set automatically after probe returns, but virtio-vsock driver uses VQs in the probe function to fill rx and event VQs with new buffers. Let's fix this, calling virtio_device_ready() before using VQs in the probe function. Fixes: 0ea9e1d3a9e3 ("VSOCK: Introduce virtio_transport.ko") Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e8443ac700985a5af75d88af8d5f4b43c3da72b4 Author: Stefano Garzarella Date: Wed Mar 23 18:36:24 2022 +0100 vsock/virtio: read the negotiated features before using VQs [ Upstream commit c1011c0b3a9c8d2065f425407475cbcc812540b7 ] Complete the driver configuration, reading the negotiated features, before using the VQs in the virtio_vsock_probe(). Fixes: 53efbba12cc7 ("virtio/vsock: enable SEQPACKET for transport") Suggested-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 27cb7d136224a81904ead19d9da2c82357bcc9a9 Author: Stefano Garzarella Date: Wed Mar 23 18:36:23 2022 +0100 vsock/virtio: initialize vdev->priv before using VQs [ Upstream commit 4b5f1ad5566ada230aaa2ce861b28d1895f1ea68 ] When we fill VQs with empty buffers and kick the host, it may send an interrupt. `vdev->priv` must be initialized before this since it is used in the virtqueue callbacks. Fixes: 0deab087b16a ("vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock") Suggested-by: Michael S. Tsirkin Signed-off-by: Stefano Garzarella Acked-by: Michael S. Tsirkin Reviewed-by: Stefan Hajnoczi Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d8fc5a901ca274ff1550cfea3fddf73997ba28dc Author: Konrad Dybcio Date: Sat Mar 19 18:49:40 2022 +0100 clk: qcom: gcc-msm8994: Fix gpll4 width [ Upstream commit 71021db1c532c2545ae53b9ee85b37b7154f51d4 ] The gpll4 postdiv is actually a div4, so make sure that Linux is aware of this. This fixes the following error messages: mmc1: Card appears overclocked; req 200000000 Hz, actual 343999999 Hz mmc1: Card appears overclocked; req 400000000 Hz, actual 687999999 Hz Fixes: aec89f78cf01 ("clk: qcom: Add support for msm8994 global clock controller") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20220319174940.341137-1-konrad.dybcio@somainline.org Tested-by: Petr Vorel Reviewed-by: Petr Vorel Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 41b84c380eb85269f16eddae4a2680c2deaf7cc0 Author: Thomas Richter Date: Thu Mar 17 16:53:46 2022 +0100 perf stat: Fix forked applications enablement of counters [ Upstream commit d0a0a511493d269514fcbd852481cdca32c95350 ] I have run into the following issue: # perf stat -a -e new_pmu/INSTRUCTION_7/ -- mytest -c1 7 Performance counter stats for 'system wide': 0 new_pmu/INSTRUCTION_7/ 0.000366428 seconds time elapsed # The new PMU for s390 counts the execution of certain CPU instructions. The root cause is the extremely small run time of the mytest program. It just executes some assembly instructions and then exits. In above invocation the instruction is executed exactly one time (-c1 option). The PMU is expected to report this one time execution by a counter value of one, but fails to do so in some cases, not all. Debugging reveals the invocation of the child process is done *before* the counter events are installed and enabled. Tracing reveals that sometimes the child process starts and exits before the event is installed on all CPUs. The more CPUs the machine has, the more often this miscount happens. Fix this by reversing the start of the work load after the events have been installed on the specified CPUs. Now the comment also matches the code. Output after: # perf stat -a -e new_pmu/INSTRUCTION_7/ -- mytest -c1 7 Performance counter stats for 'system wide': 1 new_pmu/INSTRUCTION_7/ 0.000366428 seconds time elapsed # Now the correct result is reported rock solid all the time regardless how many CPUs are online. Reviewers notes: Jiri: Right, without -a the event has enable_on_exec so the race does not matter, but it's a problem for system wide with fork. Namhyung: Agreed. Also we may move the enable_counters() and the clock code out of the if block to be shared with the else block. Fixes: acf2892270dcc428 ("perf stat: Use perf_evlist__prepare/start_workload()") Signed-off-by: Thomas Richter Acked-by: Jiri Olsa Acked-by: Namhyung Kim Acked-by: Sumanth Korikkar Cc: Heiko Carstens Cc: Sven Schnelle Cc: Vasily Gorbik Link: https://lore.kernel.org/r/20220317155346.577384-1-tmricht@linux.ibm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 943f6f52b75ce39a13b131b590ddfbd272b293c6 Author: Daniel Thompson Date: Fri Jan 28 14:40:55 2022 +0000 kdb: Fix the putarea helper function [ Upstream commit c1cb81429df462eca1b6ba615cddd21dd3103c46 ] Currently kdb_putarea_size() uses copy_from_kernel_nofault() to write *to* arbitrary kernel memory. This is obviously wrong and means the memory modify ('mm') command is a serious risk to debugger stability: if we poke to a bad address we'll double-fault and lose our debug session. Fix this the (very) obvious way. Note that there are two Fixes: tags because the API was renamed and this patch will only trivially backport as far as the rename (and this is probably enough). Nevertheless Christoph's rename did not introduce this problem so I wanted to record that! Fixes: fe557319aa06 ("maccess: rename probe_kernel_{read,write} to copy_{from,to}_kernel_nofault") Fixes: 5d5314d6795f ("kdb: core for kgdb back end (1 of 2)") Signed-off-by: Daniel Thompson Reviewed-by: Douglas Anderson Link: https://lore.kernel.org/r/20220128144055.207267-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit 8d98a56f357779b8054c00b84084fe6d9eb26202 Author: Olga Kornievskaia Date: Thu Mar 24 10:38:42 2022 -0400 NFSv4.1: don't retry BIND_CONN_TO_SESSION on session error [ Upstream commit 1d15d121cc2ad4d016a7dc1493132a9696f91fc5 ] There is no reason to retry the operation if a session error had occurred in such case result structure isn't filled out. Fixes: dff58530c4ca ("NFSv4.1: fix handling of backchannel binding in BIND_CONN_TO_SESSION") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit fd12bebaf69fe26aa644a9b3fab1ab676a2f9c0e Author: Olga Kornievskaia Date: Thu Mar 24 10:22:58 2022 -0400 SUNRPC don't resend a task on an offlined transport [ Upstream commit 82ee41b85cef16b4be1f4732650012d9baaedddd ] When a task is being retried, due to an NFS error, if the assigned transport has been put offline and the task is relocatable pick a new transport. Fixes: 6f081693e7b2b ("sunrpc: remove an offlined xprt using sysfs") Signed-off-by: Olga Kornievskaia Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 85aa76a3deb60fa104336644b45d74c43948c108 Author: Pablo Neira Ayuso Date: Mon Mar 21 11:38:32 2022 +0100 netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options [ Upstream commit f2dd495a8d589371289981d5ed33e6873df94ecc ] Do not reset IP_CT_TCP_FLAG_BE_LIBERAL flag in out-of-sync scenarios coming before the TCP window tracking, otherwise such connections will fail in the window check. Update tcp_options() to leave this flag in place and add a new helper function to reset the tcp window state. Based on patch from Sven Auhagen. Fixes: c4832c7bbc3f ("netfilter: nf_ct_tcp: improve out-of-sync situation in TCP tracking") Tested-by: Sven Auhagen Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit efd489886c09709a88150471fe10398b28c9e7d3 Author: Phil Sutter Date: Thu Mar 24 15:02:40 2022 +0100 netfilter: egress: Report interface as outgoing [ Upstream commit d645552e9bd96671079b27015294ec7f9748fa2b ] Otherwise packets in egress chains seem like they are being received by the interface, not sent out via it. Fixes: 42df6e1d221dd ("netfilter: Introduce egress hook") Signed-off-by: Phil Sutter Signed-off-by: Florian Westphal Signed-off-by: Sasha Levin commit fd5c282939fabddbdcce9161681fa3dfb3fda806 Author: Trond Myklebust Date: Wed Mar 16 19:10:43 2022 -0400 SUNRPC: Don't call connect() more than once on a TCP socket [ Upstream commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d ] Avoid socket state races due to repeated calls to ->connect() using the same socket. If connect() returns 0 due to the connection having completed, but we are in fact in a closing state, then we may leave the XPRT_CONNECTING flag set on the transport. Reported-by: Enrico Scholz Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 451f785029cbdf29b0a34d3bc3b6f0767aa09001 Author: NeilBrown Date: Mon Mar 7 10:41:44 2022 +1100 SUNRPC: improve 'swap' handling: scheduling and PF_MEMALLOC [ Upstream commit 8db55a032ac7ac1ed7b98d6b1dc980e6378c652f ] rpc tasks can be marked as RPC_TASK_SWAPPER. This causes GFP_MEMALLOC to be used for some allocations. This is needed in some cases, but not in all where it is currently provided, and in some where it isn't provided. Currently *all* tasks associated with a rpc_client on which swap is enabled get the flag and hence some GFP_MEMALLOC support. GFP_MEMALLOC is provided for ->buf_alloc() but only swap-writes need it. However xdr_alloc_bvec does not get GFP_MEMALLOC - though it often does need it. xdr_alloc_bvec is called while the XPRT_LOCK is held. If this blocks, then it blocks all other queued tasks. So this allocation needs GFP_MEMALLOC for *all* requests, not just writes, when the xprt is used for any swap writes. Similarly, if the transport is not connected, that will block all requests including swap writes, so memory allocations should get GFP_MEMALLOC if swap writes are possible. So with this patch: 1/ we ONLY set RPC_TASK_SWAPPER for swap writes. 2/ __rpc_execute() sets PF_MEMALLOC while handling any task with RPC_TASK_SWAPPER set, or when handling any task that holds the XPRT_LOCKED lock on an xprt used for swap. This removes the need for the RPC_IS_SWAPPER() test in ->buf_alloc handlers. 3/ xprt_prepare_transmit() sets PF_MEMALLOC after locking any task to a swapper xprt. __rpc_execute() will clear it. 3/ PF_MEMALLOC is set for all the connect workers. Reviewed-by: Chuck Lever (for xprtrdma parts) Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit aaac30e80b9f1c49c3c6357a58c233e486384171 Author: NeilBrown Date: Mon Mar 7 10:41:44 2022 +1100 SUNRPC/call_alloc: async tasks mustn't block waiting for memory [ Upstream commit c487216bec83b0c5a8803e5c61433d33ad7b104d ] When memory is short, new worker threads cannot be created and we depend on the minimum one rpciod thread to be able to handle everything. So it must not block waiting for memory. mempools are particularly a problem as memory can only be released back to the mempool by an async rpc task running. If all available workqueue threads are waiting on the mempool, no thread is available to return anything. rpc_malloc() can block, and this might cause deadlocks. So check RPC_IS_ASYNC(), rather than RPC_IS_SWAPPER() to determine if blocking is acceptable. Signed-off-by: NeilBrown Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit f57d9aee874dcee01ac0e48e8f3e5a0ad6500cd7 Author: Pavel Skripkin Date: Sat Mar 19 22:30:00 2022 +0300 jfs: fix divide error in dbNextAG [ Upstream commit 2cc7cc01c15f57d056318c33705647f87dcd4aab ] Syzbot reported divide error in dbNextAG(). The problem was in missing validation check for malicious image. Syzbot crafted an image with bmp->db_numag equal to 0. There wasn't any validation checks, but dbNextAG() blindly use bmp->db_numag in divide expression Fix it by validating bmp->db_numag in dbMount() and return an error if image is malicious Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+46f5c25af73eb8330eb6@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit 27ddc8815e232ae913329fe700111d85df4cf6bc Author: Randy Dunlap Date: Mon Feb 28 20:18:29 2022 -0800 driver core: dd: fix return value of __setup handler [ Upstream commit f2aad54703dbe630f9d8b235eb58e8c8cc78f37d ] When "driver_async_probe=nulltty" is used on the kernel boot command line, it causes an Unknown parameter message and the string is added to init's environment strings, polluting them. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc6 driver_async_probe=nulltty Change the return value of the __setup function to 1 to indicate that the __setup option has been handled. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1ea61b68d0f8 ("async: Add cmdline option to specify drivers to be async probed") Cc: Feng Tang Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Reported-by: Igor Zhbanov Reviewed-by: Feng Tang Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220301041829.15137-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2958ed8d722d0740536ea2b42c6e4e052860bcdb Author: David Gow Date: Fri Feb 25 12:15:02 2022 +0800 firmware: google: Properly state IOMEM dependency [ Upstream commit 37fd83916da2e4cae03d350015c82a67b1b334c4 ] The Google Coreboot implementation requires IOMEM functions (memmremap, memunmap, devm_memremap), but does not specify this is its Kconfig. This results in build errors when HAS_IOMEM is not set, such as on some UML configurations: /usr/bin/ld: drivers/firmware/google/coreboot_table.o: in function `coreboot_table_probe': coreboot_table.c:(.text+0x311): undefined reference to `memremap' /usr/bin/ld: coreboot_table.c:(.text+0x34e): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/memconsole-coreboot.o: in function `memconsole_probe': memconsole-coreboot.c:(.text+0x12d): undefined reference to `memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x17e): undefined reference to `devm_memremap' /usr/bin/ld: memconsole-coreboot.c:(.text+0x191): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_destroy.isra.0': vpd.c:(.text+0x300): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_section_init': vpd.c:(.text+0x382): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x459): undefined reference to `memunmap' /usr/bin/ld: drivers/firmware/google/vpd.o: in function `vpd_probe': vpd.c:(.text+0x59d): undefined reference to `memremap' /usr/bin/ld: vpd.c:(.text+0x5d3): undefined reference to `memunmap' collect2: error: ld returned 1 exit status Fixes: a28aad66da8b ("firmware: coreboot: Collapse platform drivers into bus core") Acked-By: anton ivanov Acked-By: Julius Werner Signed-off-by: David Gow Link: https://lore.kernel.org/r/20220225041502.1901806-1-davidgow@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 001b43f5a282e297bdb4cd09c78dc8e2598f38ba Author: Randy Dunlap Date: Mon Mar 7 19:32:55 2022 -0800 kgdbts: fix return value of __setup handler [ Upstream commit 96c9e802c64014a7716865332d732cc9c7f24593 ] __setup() handlers should return 1 to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdbts_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: e8d31c204e36 ("kgdb: add kgdb internal test suite") Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: Arnd Bergmann Cc: Greg Kroah-Hartman Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308033255.22118-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ee827d86ee73583c0f0b65db877467d9b5551aa4 Author: Xiaolong Huang Date: Tue Mar 8 17:20:47 2022 +0800 virt: acrn: fix a memory leak in acrn_dev_ioctl() [ Upstream commit ecd1735f14d6ac868ae5d8b7a2bf193fa11f388b ] The vm_param and cpu_regs need to be freed via kfree() before return -EINVAL error. Fixes: 9c5137aedd11 ("virt: acrn: Introduce VM management interfaces") Fixes: 2ad2aaee1bc9 ("virt: acrn: Introduce an ioctl to set vCPU registers state") Signed-off-by: Xiaolong Huang Signed-off-by: Fei Li Link: https://lore.kernel.org/r/20220308092047.1008409-1-butterflyhuangxx@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 149d5fb7e0124c3763e92edd1fde19417f4d2d09 Author: Yonghua Huang Date: Mon Feb 28 05:22:12 2022 +0300 virt: acrn: obtain pa from VMA with PFNMAP flag [ Upstream commit 8a6e85f75a83d16a71077e41f2720c691f432002 ] acrn_vm_ram_map can't pin the user pages with VM_PFNMAP flag by calling get_user_pages_fast(), the PA(physical pages) may be mapped by kernel driver and set PFNMAP flag. This patch fixes logic to setup EPT mapping for PFN mapped RAM region by checking the memory attribute before adding EPT mapping for them. Fixes: 88f537d5e8dd ("virt: acrn: Introduce EPT mapping management") Signed-off-by: Yonghua Huang Signed-off-by: Fei Li Link: https://lore.kernel.org/r/20220228022212.419406-1-yonghua.huang@intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 231ba7c0715db042f9fc0bc1019522c7be6103fe Author: Ilpo Järvinen Date: Mon Mar 14 11:14:32 2022 +0200 serial: 8250: fix XOFF/XON sending when DMA is used [ Upstream commit f58c252e30cf74f68b0054293adc03b5923b9f0e ] When 8250 UART is using DMA, x_char (XON/XOFF) is never sent to the wire. After this change, x_char is injected correctly. Create uart_xchar_out() helper for sending the x_char out and accounting related to it. It seems that almost every driver does these same steps with x_char. Except for 8250, however, almost all currently lack .serial_out so they cannot immediately take advantage of this new helper. The downside of this patch is that it might reintroduce the problems some devices faced with mixed DMA/non-DMA transfer which caused revert f967fc8f165f (Revert "serial: 8250_dma: don't bother DMA with small transfers"). However, the impact should be limited to cases with XON/XOFF (that didn't work with DMA capable devices to begin with so this problem is not very likely to cause a major issue, if any at all). Fixes: 9ee4b83e51f74 ("serial: 8250: Add support for dmaengine") Reported-by: Gilles Buloz Tested-by: Gilles Buloz Reviewed-by: Andy Shevchenko Signed-off-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20220314091432.4288-2-ilpo.jarvinen@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9010154beae2a685c7d1045f08da69f48fce9f47 Author: Randy Dunlap Date: Tue Mar 8 19:30:18 2022 -0800 kgdboc: fix return value of __setup handler [ Upstream commit ab818c7aa7544bf8d2dd4bdf68878b17a02eb332 ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. So return 1 from kgdboc_option_setup(). Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts=", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc7 kgdboc=kbd kgdbts= Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 1bd54d851f50 ("kgdboc: Passing ekgdboc to command line causes panic") Fixes: f2d937f3bf00 ("consoles: polling support, kgdboc") Cc: He Zhe Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: kgdb-bugreport@lists.sourceforge.net Cc: Jason Wessel Cc: Daniel Thompson Cc: Douglas Anderson Cc: linux-serial@vger.kernel.org Reported-by: Igor Zhbanov Reviewed-by: Douglas Anderson Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220309033018.17936-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7952a2f8b18c874c8b1f618bb93e7623cb8f3e5d Author: Randy Dunlap Date: Mon Mar 7 18:42:28 2022 -0800 tty: hvc: fix return value of __setup handler [ Upstream commit 53819a0d97aace1425bb042829e3446952a9e8a9 ] __setup() handlers should return 1 to indicate that the boot option has been handled or 0 to indicate that it was not handled. Add a pr_warn() message if the option value is invalid and then always return 1. Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Fixes: 86b40567b917 ("tty: replace strict_strtoul() with kstrtoul()") Cc: Jingoo Han Cc: Greg Kroah-Hartman Cc: Jiri Slaby Cc: Michael Ellerman Cc: Julian Wiedmann Cc: Vasily Gorbik Cc: linuxppc-dev@lists.ozlabs.org Reported-by: Igor Zhbanov Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20220308024228.20477-1-rdunlap@infradead.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5ffff45bbea8e14271f5095d5940364f5faf4aab Author: Miaoqian Lin Date: Mon Mar 7 12:02:34 2022 +0000 pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe [ Upstream commit 89388f8730699c259f8090ec435fb43569efe4ac ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: 1e747e59cc4d ("pinctrl: rockchip: base regmap supplied by a syscon") Fixes: 14dee8677e19 ("pinctrl: rockchip: let pmu registers be supplied by a syscon") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307120234.28657-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9511c6018cd772668def8b034bc67269847e591a Author: Miaoqian Lin Date: Mon Mar 7 11:51:16 2022 +0000 pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe [ Upstream commit c09ac191b1f97cfa06f394dbfd7a5db07986cefc ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 32e67eee670e ("pinctrl: nomadik: Allow prcm_base to be extracted from Device Tree") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307115116.25316-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 91fd2cd49528b30dd036d8efd6bccbffab33f5d1 Author: Michael Walle Date: Sat Feb 26 21:45:03 2022 +0100 pinctrl: microchip-sgpio: lock RMW access [ Upstream commit 7996c5f5ec7a20b3f6b8fae93fcf3cb8f1c01743 ] Protect any RMW access to the registers by a spinlock. Fixes: 7e5ea974e61c ("pinctrl: pinctrl-microchip-sgpio: Add pinctrl driver for Microsemi Serial GPIO") Signed-off-by: Michael Walle Link: https://lore.kernel.org/r/20220226204507.2511633-2-michael@walle.cc Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 45a291ef12b60845e598a5f567f9302c644d5d4b Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:51 2022 +0800 pinctrl: mediatek: paris: Skip custom extra pin config dump for virtual GPIOs [ Upstream commit 1763933d377ecb05454f8d20e3c8922480db2ac0 ] Virtual GPIOs do not have any hardware state associated with them. Any attempt to read back hardware state for these pins result in error codes. Skip dumping extra pin config information for these virtual GPIOs. Fixes: 184d8e13f9b1 ("pinctrl: mediatek: Add support for pin configuration dump via debugfs.") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-7-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 43f1481142b38b6f161f905ca5bac56aaf6f4975 Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:49 2022 +0800 pinctrl: mediatek: paris: Fix pingroup pin config state readback [ Upstream commit 54fe55fb384ade630ef20b9a8b8f3b2a89ad97f2 ] mtk_pconf_group_get(), used to read back pingroup pin config state, simply returns a set of configs saved from a previous invocation of mtk_pconf_group_set(). This is an unfiltered, unvalidated set passed in from the pinconf core, which does not match the current hardware state. Since the driver library is designed to have one pin per group, pass through mtk_pconf_group_get() to mtk_pinconf_get(), to read back the current pin config state of the only pin in the group. Also drop the assignment of pin config state to the group. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-5-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 34b37a081a37cca1afd164b94a015ea6e71b26a7 Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:48 2022 +0800 pinctrl: mediatek: paris: Fix "argument" argument type for mtk_pinconf_get() [ Upstream commit 19bce7ce0a593c7024030a0cda9e23facea3c93d ] For mtk_pinconf_get(), the "argument" argument is typically returned by pinconf_to_config_argument(), which holds the value for a given pinconf parameter. It certainly should not have the type of "enum pin_config_param", which describes the type of the pinconf parameter itself. Change the type to u32, which matches the return type of pinconf_to_config_argument(). Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-4-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 00a5f2c779c70c87b0aa215046d8d2f51acda4ff Author: Chen-Yu Tsai Date: Tue Mar 8 18:09:47 2022 +0800 pinctrl: mediatek: paris: Fix PIN_CONFIG_BIAS_* readback [ Upstream commit 3e8c6bc608480010f360c4a59578d7841726137d ] When reading back pin bias settings, if the pin is not in the corresponding bias state, the function should return -EINVAL. Fix this in the mediatek-paris pinctrl library so that the read back state is not littered with bogus a "input bias disabled" combined with "pull up" or "pull down" states. Fixes: 805250982bb5 ("pinctrl: mediatek: add pinctrl-paris that implements the vendor dt-bindings") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308100956.2750295-3-wenst@chromium.org Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 160df5c599c564f65da53667c82bc766fbf68101 Author: Miaoqian Lin Date: Tue Mar 8 07:11:54 2022 +0000 pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init [ Upstream commit dab4df9ca919f59e5b9dd84385eaf34d4f20dbb0 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: a6df410d420a ("pinctrl: mediatek: Add Pinctrl/GPIO driver for mt8135.") Signed-off-by: Miaoqian Lin Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220308071155.21114-1-linmq006@gmail.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 6075954e0e2e1fd93b943afa16c0b95c312831a1 Author: Arınç ÜNAL Date: Fri Mar 11 12:03:20 2022 +0300 staging: mt7621-dts: fix GB-PC2 devicetree [ Upstream commit 5bc148649cf358d0cccf525452a4efbd4bc89a0f ] Fix the GB-PC2 devicetree. Refer to the schematics of the device for more information. GB-PC2 devicetree fixes: - Include mt7621.dtsi instead of gbpc1.dts. Add the missing definitions. - Remove gpio-leds node as the system LED is not wired to anywhere on the board and the power LED is directly wired to GND. - Remove uart3 pin group from gpio-pinmux node as it's not used as GPIO. - Use reg 7 for the external phy to be on par with Documentation/devicetree/bindings/net/dsa/mt7530.txt. - Use the status value "okay". Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC2_V1.1_schematic.pdf Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit cdc18fd0de0cf1fd55045f2fb018d62cfd7b9a42 Author: Arınç ÜNAL Date: Tue Jan 25 18:39:03 2022 +0300 staging: mt7621-dts: fix pinctrl properties for ethernet [ Upstream commit 0a93c0d75809582893e82039143591b9265b520e ] Add pinctrl properties with rgmii1 & mdio pins under ethernet node which was wrongfully put under an external phy node. GMAC1 will start working with this fix. Link: https://lore.kernel.org/netdev/02ecce91-7aad-4392-c9d7-f45ca1b31e0b@arinc9.com/T/ Move GB-PC2 specific phy_external node to its own device tree. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-5-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d9b08f90c50dc435fbbb65b1fc0fc02acc6ca0bb Author: Arınç ÜNAL Date: Tue Jan 25 18:39:00 2022 +0300 staging: mt7621-dts: fix formatting [ Upstream commit 7eeec44d33f6be7caca4fe9ca4e653cf315a36c1 ] Fix formatting on mt7621.dtsi. Reviewed-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220125153903.1469-2-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit d9b0da5fdd611a2fd4f2a62046d93f6a5750093d Author: Arınç ÜNAL Date: Fri Mar 11 12:03:19 2022 +0300 staging: mt7621-dts: fix LEDs and pinctrl on GB-PC1 devicetree [ Upstream commit 6256e18686158fa49e019297f990f1c1817aabf1 ] Fix LED and pinctrl definitions on the GB-PC1 devicetree. Refer to the schematics of the device for more information. LED fixes: - Change GPIO6 LED label from system to power as GPIO6 is connected to PLED. - Add default-on default-trigger to power LED. - Change GPIO8 LED label from status to system as GPIO8 is connected to SYS_LED. - Add disk-activity default-trigger to system LED. - Switch to the color:function naming scheme. - Remove lan1 and lan2 LEDs as they don't exist. Pinctrl fixes: - Claim state_default node under pinctrl node. - Change pinctrl0 node name to state-default. - Change gpio node name to gpio-pinmux to respect Documentation/devicetree/bindings/pinctrl/ralink,rt2880-pinmux.yaml. - Sort pin groups alphabetically. Misc fixes: - Fix formatting. - Use the status value "okay". - Define hexadecimal addresses in lower case. - Make hexadecimal addresses for memory easier to read. Link: https://github.com/ngiger/GnuBee_Docs/blob/master/GB-PCx/Documents/GB-PC1_V1.0_Schematic.pdf Tested-by: Sergio Paracuellos Signed-off-by: Arınç ÜNAL Link: https://lore.kernel.org/r/20220311090320.3068-1-arinc.unal@arinc9.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e53f2f987435aa8ff208f3ef7a6e90862c8cb71b Author: Alexey Khoroshilov Date: Tue Feb 15 13:17:04 2022 +0300 NFS: remove unneeded check in decode_devicenotify_args() [ Upstream commit cb8fac6d2727f79f211e745b16c9abbf4d8be652 ] [You don't often get email from khoroshilov@ispras.ru. Learn why this is important at http://aka.ms/LearnAboutSenderIdentification.] Overflow check in not needed anymore after we switch to kmalloc_array(). Signed-off-by: Alexey Khoroshilov Fixes: a4f743a6bb20 ("NFSv4.1: Convert open-coded array allocation calls to kmalloc_array()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit cc204a1f812fcd3de5355ef0c3bd9d1f4419b492 Author: Robin Gong Date: Mon Feb 7 09:52:07 2022 +0800 mailbox: imx: fix crash in resume on i.mx8ulp [ Upstream commit 8219efd08a0aa1d7944bdb66d84ba57549258968 ] check 'priv->clk' before 'imx_mu_read()' otherwise crash happens on i.mx8ulp, since clock not enabled. Fixes: 4f0b776ef5831 ("mailbox: imx-mailbox: support i.MX8ULP MU") Reviewed-by: Jacky Bai Signed-off-by: Robin Gong Signed-off-by: Peng Fan Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit 4ba672ab730557ce349a99c804099e663f065316 Author: Miaoqian Lin Date: Wed Jan 12 10:45:01 2022 +0000 clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver [ Upstream commit 6d6ef58c2470da85a99119f74d34216c8074b9f0 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 2db04f16b589 ("clk: tegra: Add EMC clock driver") Signed-off-by: Miaoqian Lin Acked-by: Thierry Reding Link: https://lore.kernel.org/r/20220112104501.30655-1-linmq006@gmail.com Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit d183f20cf5a7b546d4108e796b98210ceb317579 Author: Maxime Ripard Date: Fri Feb 25 15:35:23 2022 +0100 clk: Fix clk_hw_get_clk() when dev is NULL [ Upstream commit 0c1b56df451716ba207bbf59f303473643eee4fd ] Any registered clk_core structure can have a NULL pointer in its dev field. While never actually documented, this is evidenced by the wide usage of clk_register and clk_hw_register with a NULL device pointer, and the fact that the core of_clk_hw_register() function also passes a NULL device pointer. A call to clk_hw_get_clk() on a clk_hw struct whose clk_core is in that case will result in a NULL pointer derefence when it calls dev_name() on that NULL device pointer. Add a test for this case and use NULL as the dev_id if the device pointer is NULL. Fixes: 30d6f8c15d2c ("clk: add api to get clk consumer from clk_hw") Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220225143534.405820-2-maxime@cerno.tech Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 40ed7940fd6fa9f5eeb6603dd31138b419eb976c Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:20 2022 +0100 clk: clps711x: Terminate clk_div_table with sentinel element [ Upstream commit 8bed4ed5aa3431085d9d27afc35d684856460eda ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: 631c53478973d ("clk: Add CLPS711X clk driver") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20220218000922.134857-5-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit b2df0d1979433ee8858a5265b1eafc9f0efc1fd7 Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:19 2022 +0100 clk: hisilicon: Terminate clk_div_table with sentinel element [ Upstream commit 113b261bdf2b4fd34e7769a147a7acd0a4d9137f ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: 6c81966107dc0 ("clk: hisilicon: Add clock driver for hi3559A SoC") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20220218000922.134857-4-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c49b72aa1ae25ce92f9cbccf2c97f8eccfd53a3c Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:18 2022 +0100 clk: loongson1: Terminate clk_div_table with sentinel element [ Upstream commit 3eb00f89162e80083dfcaa842468b510462cfeaa ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). Fixes: b4626a7f4892 ("CLK: Add Loongson1C clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Philippe Mathieu-Daudé Link: https://lore.kernel.org/r/20220218000922.134857-3-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 139844478aa99776793de7970502d10c29cb7306 Author: Jonathan Neuschäfer Date: Fri Feb 18 01:09:17 2022 +0100 clk: actions: Terminate clk_div_table with sentinel element [ Upstream commit d8a441e53e2434b1401e52dfd66b05263e442edc ] In order that the end of a clk_div_table can be detected, it must be terminated with a sentinel element (.div = 0). In owl-s900.s, the { 0, 8 } element was probably meant to be just that, so this patch changes { 0, 8 } to { 0, 0 }. Fixes: d47317ca4ade1 ("clk: actions: Add S700 SoC clock support") Fixes: d85d20053e195 ("clk: actions: Add S900 SoC clock support") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20220218000922.134857-2-j.neuschaefer@gmx.net Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 3c627a37f1bdcc0c66bd3a7776a6199a7b2fd719 Author: Dan Williams Date: Wed Mar 9 19:49:21 2022 -0800 nvdimm/region: Fix default alignment for small regions [ Upstream commit d9d290d7e659e9db3e4518040cc18b97f5535f4a ] In preparation for removing BLK aperture support the NVDIMM unit tests discovered that the default alignment can be set higher than the capacity of the region. Fall back to PAGE_SIZE in that case. Given this has not been seen in the wild, elide notifying -stable. Fixes: 2522afb86a8c ("libnvdimm/region: Introduce an 'align' attribute") Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/164688416128.2879318.17890707310125575258.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit a7d988735e757e111f9722de7cf1b40a84a48b1f Author: Miaoqian Lin Date: Tue Mar 8 06:45:21 2022 +0000 remoteproc: qcom_q6v5_mss: Fix some leaks in q6v5_alloc_memory_region [ Upstream commit 07a5dcc4bed9d7cae54adf5aa10ff9f037a3204b ] The device_node pointer is returned by of_parse_phandle() or of_get_child_by_name() with refcount incremented. We should use of_node_put() on it when done. This function only call of_node_put(node) when of_address_to_resource succeeds, missing error cases. Fixes: 278d744c46fd ("remoteproc: qcom: Fix potential device node leaks") Fixes: 051fb70fd4ea ("remoteproc: qcom: Driver for the self-authenticating Hexagon v5") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308064522.13804-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 83b4946cf173699f926199ee7dd633c9b28f4396 Author: Miaoqian Lin Date: Tue Mar 8 06:31:02 2022 +0000 remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region [ Upstream commit 8f90161a66bc3d6b9fe8dde4d9028d20eae1b62a ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308063102.10049-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 7844467f992354b83726502fed00c61e679ef97c Author: Miaoqian Lin Date: Tue Mar 8 03:12:19 2022 +0000 remoteproc: qcom: Fix missing of_node_put in adsp_alloc_memory_region [ Upstream commit 505b5b1616e200042999de715dbe7c1e2735cd65 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: dc160e449122 ("remoteproc: qcom: Introduce Non-PAS ADSP PIL driver") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220308031219.4718-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 76e4ba4715862e88457cdb12b3c168c542959cf7 Author: Jie Hai Date: Wed Feb 16 15:21:01 2022 +0800 dmaengine: hisi_dma: fix MSI allocate fail when reload hisi_dma [ Upstream commit b95044b38425f563404234d96bbb20cc6360c7e1 ] Remove the loaded hisi_dma driver and reload it, the driver fails to work properly. The following error is reported in the kernel log: [ 1475.597609] hisi_dma 0000:7b:00.0: Failed to allocate MSI vectors! [ 1475.604915] hisi_dma: probe of 0000:7b:00.0 failed with error -28 As noted in "The MSI Driver Guide HOWTO"[1], the number of MSI interrupt must be a power of two. The Kunpeng DMA driver allocates 30 MSI interrupts. As a result, no space left on device is reported when the driver is reloaded and allocates interrupt vectors from the interrupt domain. This patch changes the number of interrupt vectors allocated by hisi_dma driver to 32 to avoid this problem. [1] https://www.kernel.org/doc/html/latest/PCI/msi-howto.html Fixes: e9f08b65250d ("dmaengine: hisilicon: Add Kunpeng DMA engine support") Signed-off-by: Jie Hai Acked-by: Zhou Wang Link: https://lore.kernel.org/r/20220216072101.34473-1-haijie1@huawei.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit dd4498aafebb36a1380fa40e042428c6dc0f188d Author: Taniya Das Date: Sun Feb 27 23:25:36 2022 +0530 clk: qcom: clk-rcg2: Update the frac table for pixel clock [ Upstream commit b527358cb4cd58a8279c9062b0786f1fab628fdc ] Support the new numerator and denominator for pixel clock on SM8350 and support rgb101010, RGB888 use cases on SM8450. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-2-tdas@codeaurora.org Signed-off-by: Sasha Levin commit 96888f0dcf351e758b9df57e015a48427ca709c1 Author: Taniya Das Date: Sun Feb 27 23:25:35 2022 +0530 clk: qcom: clk-rcg2: Update logic to calculate D value for RCG [ Upstream commit 58922910add18583d5273c2edcdb9fd7bf4eca02 ] The display pixel clock has a requirement on certain newer platforms to support M/N as (2/3) and the final D value calculated results in underflow errors. As the current implementation does not check for D value is within the accepted range for a given M & N value. Update the logic to calculate the final D value based on the range. Fixes: 99cbd064b059f ("clk: qcom: Support display RCG clocks") Signed-off-by: Taniya Das Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220227175536.3131-1-tdas@codeaurora.org Signed-off-by: Sasha Levin commit 173ded0b55e1bb8f732a4d5820b99a17cae48613 Author: Codrin Ciubotariu Date: Fri Mar 4 20:26:16 2022 +0200 clk: at91: sama7g5: fix parents of PDMCs' GCLK [ Upstream commit 1a944729d8635fa59638f24e8727d5ccaa0c8c19 ] Audio PLL can be used as parent by the GCLKs of PDMCs. Fixes: cb783bbbcf54 ("clk: at91: sama7g5: add clock support for sama7g5") Signed-off-by: Codrin Ciubotariu Reviewed-by: Claudiu Beznea Signed-off-by: Nicolas Ferre Link: https://lore.kernel.org/r/20220304182616.1920392-1-codrin.ciubotariu@microchip.com Signed-off-by: Sasha Levin commit 629367efdebe4464593d823642964cd6f2934d2b Author: Dan Carpenter Date: Mon Feb 28 10:50:14 2022 +0300 clk: imx: off by one in imx_lpcg_parse_clks_from_dt() [ Upstream commit 135efc3a76d127691afaf1864e4ab627bf09d53d ] The > needs to be >= to prevent an off by one access. Fixes: d5f1e6a2bb61 ("clk: imx: imx8qxp-lpcg: add parsing clocks from device tree") Reported-by: kernel test robot Signed-off-by: Dan Carpenter Reviewed-by: Abel Vesa Link: https://lore.kernel.org/r/20220228075014.GD13685@kili Signed-off-by: Abel Vesa Signed-off-by: Sasha Levin commit 27082e4eefcc838cb33facefa6207f716ba8824a Author: Abel Vesa Date: Thu Jan 27 16:10:52 2022 +0200 clk: imx7d: Remove audio_mclk_root_clk [ Upstream commit eccac77ede3946c90143447cdc785dc16aec4b24 ] The audio_mclk_root_clk was added as a gate with the CCGR121 (0x4790), but according to the reference manual, there is no such gate. The CCGR121 belongs to ECSPI2 and it is not shared. Fixes: 8f6d8094b215b57 ("ARM: imx: add imx7d clk tree support") Reported-by: David Wolfe Signed-off-by: Abel Vesa Reviewed-by: Peng Fan Link: https://lore.kernel.org/r/20220127141052.1900174-2-abel.vesa@nxp.com Signed-off-by: Sasha Levin commit b3f66f25374a089993c36a9c5cc3793fdda688af Author: Randy Dunlap Date: Mon Feb 28 14:04:53 2022 -0800 dma-debug: fix return value of __setup handlers [ Upstream commit 80e4390981618e290616dbd06ea190d4576f219d ] When valid kernel command line parameters dma_debug=off dma_debug_entries=100 are used, they are reported as Unknown parameters and added to init's environment strings, polluting it. Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100", will be passed to user space. and Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 dma_debug=off dma_debug_entries=100 Return 1 from these __setup handlers to indicate that the command line option has been handled. Fixes: 59d3daafa1726 ("dma-debug: add kernel command line parameters") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Joerg Roedel Cc: Christoph Hellwig Cc: Marek Szyprowski Cc: iommu@lists.linux-foundation.org Cc: Robin Murphy Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 5e9b767c6cd44707cd118cd1ef3a3870bbb19c1d Author: Martin Kaiser Date: Sat Feb 26 19:14:53 2022 +0100 staging: r8188eu: fix endless loop in recv_func [ Upstream commit 1327fcf175fa63d3b7a058b8148ed7714acdc035 ] Fix an endless loop in recv_func. If pending_frame is not NULL, we're stuck in the while loop forever. We have to call rtw_alloc_recvframe each time we loop. Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") Reported-by: Pavel Skripkin Signed-off-by: Martin Kaiser Link: https://lore.kernel.org/r/20220226181457.1138035-4-martin@kaiser.cx Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 960a7932326b2a992e8726e9b3b02f23afe1ff64 Author: Trond Myklebust Date: Thu Feb 24 10:59:37 2022 -0500 NFS: Return valid errors from nfs2/3_decode_dirent() [ Upstream commit 64cfca85bacde54caa64e0ab855c48734894fa37 ] Valid return values for decode_dirent() callback functions are: 0: Success -EBADCOOKIE: End of directory -EAGAIN: End of xdr_stream All errors need to map into one of those three values. Fixes: 573c4e1ef53a ("NFS: Simplify ->decode_dirent() calling sequence") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 04655dd1d8ac375f607b2716fd12b33d2c1037b3 Author: Jiasheng Jiang Date: Thu Feb 24 14:58:05 2022 +0800 habanalabs: Add check for pci_enable_device [ Upstream commit 9c27896ac1bb83ea5c461ce6f7089d02102a2b21 ] As the potential failure of the pci_enable_device(), it should be better to check the return value and return error if fails. Fixes: 70b2f993ea4a ("habanalabs: create common folder") Signed-off-by: Jiasheng Jiang Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 20b9e1b67b140c03dfe473e3319d4c44ec81abcc Author: Jiasheng Jiang Date: Thu Feb 24 14:28:49 2022 +0800 iio: adc: Add check for devm_request_threaded_irq [ Upstream commit b30537a4cedcacf0ade2f33ebb7610178ed1e7d7 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value and return error if fails. Fixes: fa659a40b80b ("iio: adc: twl6030-gpadc: Use devm_* API family") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224062849.3280966-1-jiasheng@iscas.ac.cn Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit bd041541a7d2553afee3c7c2e5a7b905b65d8271 Author: Uwe Kleine-König Date: Tue Feb 15 17:02:36 2022 +0100 serial: 8250: Fix race condition in RTS-after-send handling [ Upstream commit dedab69fd650ea74710b2e626e63fd35584ef773 ] Set em485->active_timer = NULL isn't always enough to take out the stop timer. While there is a check that it acts in the right state (i.e. waiting for RTS-after-send to pass after sending some chars) but the following might happen: - CPU1: some chars send, shifter becomes empty, stop tx timer armed - CPU0: more chars send before RTS-after-send expired - CPU0: shifter empty irq, port lock taken - CPU1: tx timer triggers, waits for port lock - CPU0: em485->active_timer = &em485->stop_tx_timer, hrtimer_start(), releases lock() - CPU1: get lock, see em485->active_timer == &em485->stop_tx_timer, tear down RTS too early This fix bases on research done by Steffen Trumtrar. Fixes: b86f86e8e7c5 ("serial: 8250: fix potential deadlock in rs485-mode") Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20220215160236.344236-1-u.kleine-koenig@pengutronix.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 187e87216b8c02de0ab43ec6d48136ab81083366 Author: Trond Myklebust Date: Tue Feb 15 15:58:38 2022 -0500 NFS: Use of mapping_set_error() results in spurious errors [ Upstream commit 6c984083ec2453dfd3fcf98f392f34500c73e3f2 ] The use of mapping_set_error() in conjunction with calls to filemap_check_errors() is problematic because every error gets reported as either an EIO or an ENOSPC by filemap_check_errors() in functions such as filemap_write_and_wait() or filemap_write_and_wait_range(). In almost all cases, we prefer to use the more nuanced wb errors. Fixes: b8946d7bfb94 ("NFS: Revalidate the file mapping on all fatal writeback errors") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 864d4a5dd5a3baa02f374c38aba8e895198c296a Author: Andy Shevchenko Date: Wed Feb 23 17:12:40 2022 +0200 serial: 8250_lpss: Balance reference count for PCI DMA device [ Upstream commit 5318f70da7e82649d794fc27d8a127c22aa3566e ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 9a1870ce812e ("serial: 8250: don't use slave_id of dma_slave_config") Depends-on: a13e19cf3dc1 ("serial: 8250_lpss: split LPSS driver to separate module") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Link: https://lore.kernel.org/r/20220223151240.70248-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 22a2fdfc47058956f5f064e5a9c9c8e83c3112a8 Author: Andy Shevchenko Date: Tue Feb 15 12:09:20 2022 +0200 serial: 8250_mid: Balance reference count for PCI DMA device [ Upstream commit 67ec6dd0b257bd81b4e9fcac89b29da72f6265e5 ] The pci_get_slot() increases its reference count, the caller must decrement the reference count by calling pci_dev_put(). Fixes: 90b9aacf912a ("serial: 8250_pci: add Intel Tangier support") Fixes: f549e94effa1 ("serial: 8250_pci: add Intel Penwell ports") Reported-by: Qing Wang Signed-off-by: Andy Shevchenko Depends-on: d9eda9bab237 ("serial: 8250_pci: Intel MID UART support to its own driver") Link: https://lore.kernel.org/r/20220215100920.41984-1-andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 770efebcb4722a165e746f10dceec62de16b480f Author: Rafał Miłecki Date: Fri Feb 18 18:24:59 2022 +0100 phy: phy-brcm-usb: fixup BCM4908 support [ Upstream commit 32942d33d63d27714ed16a4176e5a99547adb6e0 ] Just like every other family BCM4908 should get its own enum value. That is required to properly handle it in chipset conditional code. The real change is excluding BCM4908 from the PLL reprogramming code (see brcmusb_usb3_pll_54mhz()). I'm not sure what's the BCM4908 reference clock frequency but: 1. BCM4908 custom driver from Broadcom's SDK doesn't reprogram PLL 2. Doing that in Linux driver stopped PHY handling some USB 3.0 devices This change makes USB 3.0 PHY recognize e.g.: 1. 04e8:6860 - Samsung Electronics Co., Ltd Galaxy series, misc. (MTP mode) 2. 1058:259f - Western Digital My Passport 259F Broadcom's STB SoCs come with a set of SUN_TOP_CTRL_* registers that allow reading chip family and product ids. Such a block & register is missing on BCM4908 so this commit introduces "compatible" string specific binding. Fixes: 4b402fa8e0b7 ("phy: phy-brcm-usb: support PHY on the BCM4908") Signed-off-by: Rafał Miłecki Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20220218172459.10431-1-zajec5@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4d21de3c0334365d5c66baa015af934756c3fcc0 Author: Liu Ying Date: Wed Feb 16 15:12:57 2022 +0800 phy: dphy: Correct lpx parameter and its derivatives(ta_{get,go,sure}) [ Upstream commit 3153fa38e38af566cf6454a03b1dbadaf6f323c0 ] According to the comment of the function phy_mipi_dphy_get_default_config(), it uses minimum D-PHY timings based on MIPI D-PHY specification. They are derived from the valid ranges specified in Section 6.9, Table 14, Page 41 of the D-PHY specification (v1.2). The table 14 explicitly mentions that the minimum T-LPX parameter is 50 nanoseconds and the minimum TA-SURE parameter is T-LPX nanoseconds. Likewise, the kernel doc of the 'lpx' and 'ta_sure' members of struct phy_configure_opts_mipi_dphy mentions that the minimum values are 50000 picoseconds and @lpx picoseconds respectively. Also, the function phy_mipi_dphy_config_validate() checks if cfg->lpx is less than 50000 picoseconds and if cfg->ta_sure is less than cfg->lpx, which hints the same minimum values. Without this patch, the function phy_mipi_dphy_get_default_config() wrongly sets cfg->lpx to 60000 picoseconds and cfg->ta_sure to 2 * cfg->lpx. So, let's correct them to 50000 picoseconds and cfg->lpx respectively. Note that I've only tested the patch with RM67191 DSI panel on i.MX8mq EVK. Help is needed to test with other i.MX8mq, Meson and Rockchip platforms, as I don't have the hardwares. Fixes: dddc97e82303 ("phy: dphy: Add configuration helpers") Cc: Andrzej Hajda Cc: Neil Armstrong Cc: Laurent Pinchart Cc: Kishon Vijay Abraham I Cc: Vinod Koul Cc: Heiko Stuebner Cc: Maxime Ripard Cc: Guido Günther Signed-off-by: Liu Ying Link: https://lore.kernel.org/r/20220216071257.1647703-1-victor.liu@nxp.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 4dbb53a032b1dc06180c6482405754de04d7f081 Author: Dirk Buchwalder Date: Thu Feb 10 18:31:00 2022 +0100 clk: qcom: ipq8074: Use floor ops for SDCC1 clock [ Upstream commit b77d8306d84f83d1da68028a68c91da9c867b6f6 ] Use floor ops on SDCC1 APPS clock in order to round down selected clock frequency and avoid overclocking SD/eMMC cards. For example, currently HS200 cards were failling tuning as they were actually being clocked at 384MHz instead of 192MHz. This caused some boards to disable 1.8V I/O and force the eMMC into the standard HS mode (50MHz) and that appeared to work despite the eMMC being overclocked to 96Mhz in that case. There was a previous commit to use floor ops on SDCC clocks, but it looks to have only covered SDCC2 clock. Fixes: 9607f6224b39 ("clk: qcom: ipq8074: add PCIE, USB and SDCC clocks") Signed-off-by: Dirk Buchwalder Signed-off-by: Robert Marko Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220210173100.505128-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit 56979cb79ced13474a0027a47112bc988b146696 Author: Geert Uytterhoeven Date: Mon Feb 21 17:21:58 2022 +0100 pinctrl: renesas: checker: Fix miscalculation of number of states [ Upstream commit de9b861018d46af27a5edff8b6baef35c0c0ad4f ] The checker failed to validate all enum IDs in the description of a register with fixed-width register fields, due to a miscalculation of the number of described states: each register field of n bits can have "1 << n" possible states, not "1". Increase SH_PFC_MAX_ENUMS accordingly, now more enum IDs are checked (SH-Mobile AG5 has more than 4000 enum IDs defined). Fixes: 12d057bad683b1c6 ("pinctrl: sh-pfc: checker: Add check for enum ID conflicts") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/6d8a6a05564f38f9d20464c1c17f96e52740cf6a.1645460429.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 615d909beee38a40fc2e81089b59bbc5d964b7e1 Author: Geert Uytterhoeven Date: Thu Dec 23 15:41:11 2021 +0100 pinctrl: renesas: r8a77470: Reduce size for narrow VIN1 channel [ Upstream commit 9e04a0eda84fccab0ac22a33825ad53f47c968c7 ] The second video-in channel on RZ/G1C has only 12 data lanes, but the pin control driver uses the vin_data union, which is meant for 24 data lanes, thus wasting space. Fix this by using the vin_data12 union instead. This reduces kernel size by 96 bytes. Fixes: 50f3f2d73e3426ba ("pinctrl: sh-pfc: Reduce kernel size for narrow VIN channels") Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/52716fa89139f6f92592633edb52804d4c5e18f0.1640269757.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 0b1ce4373bad863df0b188db22d968b32cf90b04 Author: Jonathan Cameron Date: Sun Feb 6 19:03:09 2022 +0000 staging:iio:adc:ad7280a: Fix handing of device address bit reversing. [ Upstream commit f281e4ddbbc0b60f061bc18a2834e9363ba85f9f ] The bit reversal was wrong for bits 1 and 3 of the 5 bits. Result is driver failure to probe if you have more than 2 daisy-chained devices. Discovered via QEMU based device emulation. Fixes tag is for when this moved from a macro to a function, but it was broken before that. Signed-off-by: Jonathan Cameron Fixes: 065a7c0b1fec ("Staging: iio: adc: ad7280a.c: Fixed Macro argument reuse") Reviewed-by: Marcelo Schmitt Link: https://lore.kernel.org/r/20220206190328.333093-2-jic23@kernel.org Signed-off-by: Sasha Levin commit f7f33fd5dfd2718eb5eadda2a52790c4201611fa Author: Zev Weiss Date: Thu Feb 10 16:42:03 2022 -0800 serial: 8250_aspeed_vuart: add PORT_ASPEED_VUART port type [ Upstream commit a603ca60cebff8589882427a67f870ed946b3fc8 ] Commit 54da3e381c2b ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping") fixed a bug that had, as a side-effect, prevented the 8250_aspeed_vuart driver from enabling the VUART's FIFOs. However, fixing that (and hence enabling the FIFOs) has in turn revealed what appears to be a hardware bug in the ASPEED VUART in which the host-side THRE bit doesn't get if the BMC-side receive FIFO trigger level is set to anything but one byte. This causes problems for polled-mode writes from the host -- for example, Linux kernel console writes proceed at a glacial pace (less than 100 bytes per second) because the write path waits for a 10ms timeout to expire after every character instead of being able to continue on to the next character upon seeing THRE asserted. (GRUB behaves similarly.) As a workaround, introduce a new port type for the ASPEED VUART that's identical to PORT_16550A as it had previously been using, but with UART_FCR_R_TRIG_00 instead to set the receive FIFO trigger level to one byte, which (experimentally) seems to avoid the problematic THRE behavior. Fixes: 54da3e381c2b ("serial: 8250_aspeed_vuart: use UPF_IOREMAP to set up register mapping") Tested-by: Konstantin Aladyshev Reviewed-by: Andy Shevchenko Signed-off-by: Zev Weiss Link: https://lore.kernel.org/r/20220211004203.14915-1-zev@bewilderbeest.net Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f0ee56ab97ce7bac731bb2f34349a4c94e21151d Author: Hangyu Hua Date: Mon Feb 21 16:55:52 2022 +0800 staging: qlge: add unregister_netdev in qlge_probe [ Upstream commit 4fcc0c275e3f59cd68f977c57953783f8014ed15 ] unregister_netdev need to be called when register_netdev succeeds qlge_health_create_reporters fails. Fixes: d8827ae8e22b ("staging: qlge: deal with the case that devlink_health_reporter_create fails") Signed-off-by: Hangyu Hua Link: https://lore.kernel.org/r/20220221085552.93561-1-hbh25y@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 04b00d0970480d34c4d8b5cf540a41579415c9a1 Author: Hans de Goede Date: Tue Feb 8 13:43:35 2022 +0100 iio: mma8452: Fix probe failing when an i2c_device_id is used [ Upstream commit a47ac019e7e8129b93a0b991e04b2a59872e053d ] The mma8452_driver declares both of_match_table and i2c_driver.id_table match-tables, but its probe() function only checked for of matches. Add support for i2c_device_id matches. This fixes the driver not loading on some x86 tablets (e.g. the Nextbook Ares 8) where the i2c_client is instantiated by platform code using an i2c_device_id. Drop of_match_ptr() protection to avoid unused warning. Fixes: c3cdd6e48e35 ("iio: mma8452: refactor for seperating chip specific data") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20220208124336.511884-1-hdegoede@redhat.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 467eea9a3d4cd1713b3451490e7c6258685e3b4c Author: Dave Jiang Date: Mon Jan 24 09:20:33 2022 -0700 dmaengine: idxd: restore traffic class defaults after wq reset [ Upstream commit ea7c8f598c323f6ebaf9ddae01fb2a981fe8c56a ] When clearing the group configurations, the driver fails to restore the default setting for DSA 1.x based devices. Add defaults in idxd_groups_clear_state() for traffic class configuration. Fixes: ade8a86b512c ("dmaengine: idxd: Set defaults for GRPCFG traffic class") Reported-by: Binuraj Ravindran Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/164304123369.824298.6952463420266592087.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 35c87dd5c5503faadddc9a5873f881c2e6426d23 Author: Dave Jiang Date: Tue Dec 14 13:23:09 2021 -0700 dmaengine: idxd: change bandwidth token to read buffers [ Upstream commit 7ed6f1b85fb613e5e44ef3e14d73f2dc96860935 ] DSA spec v1.2 has changed the term of "bandwidth tokens" to "read buffers" in order to make the concept clearer. Deprecate bandwidth token naming in the driver and convert to read buffers in order to match with the spec and reduce confusion when reading the spec. Signed-off-by: Dave Jiang Link: https://lore.kernel.org/r/163951338932.2988321.6162640806935567317.stgit@djiang5-desk3.ch.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d02b3d4a8c525068bc5cfb4341e0023d8eb82ace Author: Robert Marko Date: Mon Dec 20 12:41:19 2021 +0100 clk: qcom: ipq8074: fix PCI-E clock oops [ Upstream commit bf8f5182b8f59309809b41c1d1730ed9ca6134b1 ] Fix PCI-E clock related kernel oops that are caused by a missing clock parent. pcie0_rchng_clk_src has num_parents set to 2 but only one parent is actually set via parent_hws, it should also have "XO" defined. This will cause the kernel to panic on a NULL pointer in clk_core_get_parent_by_index(). So, to fix this utilize clk_parent_data to provide gcc_xo_gpll0 parent data. Since there is already an existing static const char * const gcc_xo_gpll0[] used to provide the same parents via parent_names convert those users to clk_parent_data as well. Without this earlycon is needed to even catch the OOPS as it will reset the board before serial is initialized with the following: [ 0.232279] Unable to handle kernel paging request at virtual address 0000a00000000000 [ 0.232322] Mem abort info: [ 0.239094] ESR = 0x96000004 [ 0.241778] EC = 0x25: DABT (current EL), IL = 32 bits [ 0.244908] SET = 0, FnV = 0 [ 0.250377] EA = 0, S1PTW = 0 [ 0.253236] FSC = 0x04: level 0 translation fault [ 0.256277] Data abort info: [ 0.261141] ISV = 0, ISS = 0x00000004 [ 0.264262] CM = 0, WnR = 0 [ 0.267820] [0000a00000000000] address between user and kernel address ranges [ 0.270954] Internal error: Oops: 96000004 [#1] SMP [ 0.278067] Modules linked in: [ 0.282751] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.10 #0 [ 0.285882] Hardware name: Xiaomi AX3600 (DT) [ 0.292043] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 0.296299] pc : clk_core_get_parent_by_index+0x68/0xec [ 0.303067] lr : __clk_register+0x1d8/0x820 [ 0.308273] sp : ffffffc01111b7d0 [ 0.312438] x29: ffffffc01111b7d0 x28: 0000000000000000 x27: 0000000000000040 [ 0.315919] x26: 0000000000000002 x25: 0000000000000000 x24: ffffff8000308800 [ 0.323037] x23: ffffff8000308850 x22: ffffff8000308880 x21: ffffff8000308828 [ 0.330155] x20: 0000000000000028 x19: ffffff8000309700 x18: 0000000000000020 [ 0.337272] x17: 000000005cc86990 x16: 0000000000000004 x15: ffffff80001d9d0a [ 0.344391] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000006 [ 0.351508] x11: 0000000000000003 x10: 0101010101010101 x9 : 0000000000000000 [ 0.358626] x8 : 7f7f7f7f7f7f7f7f x7 : 6468626f5e626266 x6 : 17000a3a403c1b06 [ 0.365744] x5 : 061b3c403a0a0017 x4 : 0000000000000000 x3 : 0000000000000001 [ 0.372863] x2 : 0000a00000000000 x1 : 0000000000000001 x0 : ffffff8000309700 [ 0.379982] Call trace: [ 0.387091] clk_core_get_parent_by_index+0x68/0xec [ 0.389351] __clk_register+0x1d8/0x820 [ 0.394210] devm_clk_hw_register+0x5c/0xe0 [ 0.398030] devm_clk_register_regmap+0x44/0x8c [ 0.402198] qcom_cc_really_probe+0x17c/0x1d0 [ 0.406711] qcom_cc_probe+0x34/0x44 [ 0.411224] gcc_ipq8074_probe+0x18/0x30 [ 0.414869] platform_probe+0x68/0xe0 [ 0.418776] really_probe.part.0+0x9c/0x30c [ 0.422336] __driver_probe_device+0x98/0x144 [ 0.426329] driver_probe_device+0x44/0x11c [ 0.430842] __device_attach_driver+0xb4/0x120 [ 0.434836] bus_for_each_drv+0x68/0xb0 [ 0.439349] __device_attach+0xb0/0x170 [ 0.443081] device_initial_probe+0x14/0x20 [ 0.446901] bus_probe_device+0x9c/0xa4 [ 0.451067] device_add+0x35c/0x834 [ 0.454886] of_device_add+0x54/0x64 [ 0.458360] of_platform_device_create_pdata+0xc0/0x100 [ 0.462181] of_platform_bus_create+0x114/0x370 [ 0.467128] of_platform_bus_create+0x15c/0x370 [ 0.471641] of_platform_populate+0x50/0xcc [ 0.476155] of_platform_default_populate_init+0xa8/0xc8 [ 0.480324] do_one_initcall+0x50/0x1b0 [ 0.485877] kernel_init_freeable+0x234/0x29c [ 0.489436] kernel_init+0x24/0x120 [ 0.493948] ret_from_fork+0x10/0x20 [ 0.497253] Code: d50323bf d65f03c0 f94002a2 b4000302 (f9400042) [ 0.501079] ---[ end trace 4ca7e1129da2abce ]--- Fixes: f0cfcf1a ("clk: qcom: ipq8074: Add missing clocks for pcie") Signed-off-by: Robert Marko Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220114119.465247-1-robimarko@gmail.com Signed-off-by: Sasha Levin commit 31b94103bb7c21d1413d6b170b0753e56ab57ce5 Author: Libin Yang Date: Wed Jan 26 09:14:51 2022 +0800 soundwire: intel: fix wrong register name in intel_shim_wake [ Upstream commit 3957db3ae3dae6f8b8168791f154567fe49e1fd7 ] When clearing the sdw wakests status, we should use SDW_SHIM_WAKESTS. Fixes: 4a17c441c7cb ("soundwire: intel: revisit SHIM programming sequences.") Signed-off-by: Libin Yang Reviewed-by: Pierre-Louis Bossart Reviewed-by: Rander Wang Signed-off-by: Bard Liao Link: https://lore.kernel.org/r/20220126011451.27853-1-yung-chuan.liao@linux.intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 22b1ea0421d486b8a7e49cad4a2f3c18f6305300 Author: Luca Weiss Date: Sun Jan 30 12:45:35 2022 +0100 cpufreq: qcom-cpufreq-nvmem: fix reading of PVS Valid fuse [ Upstream commit 4a8a77abf0e2b6468ba0281e33384cbec5fb476a ] The fuse consists of 64 bits, with this statement we're supposed to get the upper 32 bits but it actually read out of bounds and got 0 instead of the desired value which lead to the "PVS bin not set." codepath being run resetting our pvs value. Fixes: a8811ec764f9 ("cpufreq: qcom: Add support for krait based socs") Signed-off-by: Luca Weiss Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit 4066c612f842903fdb7cc8b75331c3c1a87cdf85 Author: Christophe JAILLET Date: Sun Feb 6 09:39:54 2022 +0100 misc: alcor_pci: Fix an error handling path [ Upstream commit 5b3dc949f554379edcb8ef6111aa5ecb78feb798 ] A successful ida_simple_get() should be balanced by a corresponding ida_simple_remove(). Add the missing call in the error handling path of the probe. While at it, switch to ida_alloc()/ida_free() instead to ida_simple_get()/ida_simple_remove(). The latter is deprecated and more verbose. Fixes: 4f556bc04e3c ("misc: cardreader: add new Alcor Micro Cardreader PCI driver") Reviewed-by: Oleksij Rempel Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/918a9875b7f67b7f8f123c4446452603422e8c5e.1644136776.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b5596995211c3241c1c68e1240a58c86597be8ed Author: Christophe JAILLET Date: Sun Jan 9 22:56:10 2022 +0100 fsi: Aspeed: Fix a potential double free [ Upstream commit 83ba7e895debc529803a7a258653f2fe9bf3bf40 ] A struct device can never be devm_alloc()'ed. Here, it is embedded in "struct fsi_master", and "struct fsi_master" is embedded in "struct fsi_master_aspeed". Since "struct device" is embedded, the data structure embedding it must be released with the release function, as is already done here. So use kzalloc() instead of devm_kzalloc() when allocating "aspeed" and update all error handling branches accordingly. This prevent a potential double free(). This also fix another issue if opb_readl() fails. Instead of a direct return, it now jumps in the error handling path. Fixes: 606397d67f41 ("fsi: Add ast2600 master driver") Suggested-by: Greg KH Suggested-by: Guenter Roeck Reviewed-by: Guenter Roeck Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/2c123f8b0a40dc1a061fae982169fe030b4f47e6.1641765339.git.christophe.jaillet@wanadoo.fr Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 03358bca86d56db9679e72818ab06e610e313187 Author: Robert Hancock Date: Wed Jan 12 14:52:14 2022 -0600 pps: clients: gpio: Propagate return value from pps_gpio_probe [ Upstream commit abaca3179b41d4b3b115f27814ee36f6fb45e897 ] If the pps-gpio driver was probed prior to the GPIO device it uses, the devm_gpiod_get call returned an -EPROBE_DEFER error, but pps_gpio_probe replaced that error code with -EINVAL, causing the pps-gpio probe to fail and not be retried later. Propagate the error return value so that deferred probe works properly. Fixes: 161520451dfa (pps: new client driver using GPIO) Reviewed-by: Andy Shevchenko Acked-by: Rodolfo Giometti Signed-off-by: Robert Hancock Signed-off-by: Rodolfo Giometti Link: https://lore.kernel.org/r/20220112205214.2060954-1-robert.hancock@calian.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b7571c72572f17fc3c57f368e2f4e946535e41c6 Author: Uwe Kleine-König Date: Wed Nov 10 09:49:48 2021 +0100 pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add() [ Upstream commit 0401f24cd238ae200a23a13925f98de3d2c883b8 ] When a driver calls pwmchip_add() it has to be prepared to immediately get its callbacks called. So move allocation of driver data and hardware initialization before the call to pwmchip_add(). This fixes a potential NULL pointer exception and a race condition on register writes. Fixes: 841e6f90bb78 ("pwm: NXP LPC18xx PWM/SCT driver") Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9cd5e110c2caba6eea6b59c5802faa6b1cb00a22 Author: Joel Stanley Date: Tue Dec 7 14:08:11 2021 +1030 fsi: scom: Remove retries in indirect scoms [ Upstream commit ab1b79159ad5a6dc4e4994b49737f7feb13b7155 ] In commit f72ddbe1d7b7 ("fsi: scom: Remove retries") the retries were removed from get and put scoms. That patch missed the retires in get and put indirect scom. For the same reason, remove them from the scom driver to allow the caller to decide to retry. This removes the following special case which would have caused the retry code to return early: - if ((ind_data & XSCOM_DATA_IND_COMPLETE) || (err != SCOM_PIB_BLOCKED)) - return 0; I believe this case is handled. Fixes: f72ddbe1d7b7 ("fsi: scom: Remove retries") Signed-off-by: Joel Stanley Reviewed-by: Eddie James Link: https://lore.kernel.org/r/20211207033811.518981-3-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 8f3a0311add1eb17e422b8fe14f9173214b473c5 Author: Joel Stanley Date: Tue Dec 7 14:08:10 2021 +1030 fsi: scom: Fix error handling [ Upstream commit d46fddd52d11eb6a3a7ed836f9f273e9cf8cd01c ] SCOM error handling is made complex by trying to pass around two bits of information: the function return code, and a status parameter that represents the CFAM error status register. The commit f72ddbe1d7b7 ("fsi: scom: Remove retries") removed the "hidden" retries in the SCOM driver, in preference of allowing the calling code (userspace or driver) to decide how to handle a failed SCOM. However it introduced a bug by attempting to be smart about the return codes that were "errors" and which were ok to fall through to the status register parsing. We get the following errors: - EINVAL or ENXIO, for indirect scoms where the value is invalid - EINVAL, where the size or address is incorrect - EIO or ETIMEOUT, where FSI write failed (aspeed master) - EAGAIN, where the master detected a crc error (GPIO master only) - EBUSY, where the bus is disabled (GPIO master in external mode) In all of these cases we should fail the SCOM read/write and return the error. Thanks to Dan Carpenter for the detailed bug report. Fixes: f72ddbe1d7b7 ("fsi: scom: Remove retries") Link: https://lists.ozlabs.org/pipermail/linux-fsi/2021-November/000235.html Reported-by: Dan Carpenter Signed-off-by: Joel Stanley Reviewed-by: Eddie James Link: https://lore.kernel.org/r/20211207033811.518981-2-joel@jms.id.au Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 6c9041b2f90c0eace73106f22350e1d2c98f5edc Author: Jiri Slaby Date: Mon Jan 24 08:14:24 2022 +0100 mxser: fix xmit_buf leak in activate when LSR == 0xff [ Upstream commit cd3a4907ee334b40d7aa880c7ab310b154fd5cd4 ] When LSR is 0xff in ->activate() (rather unlike), we return an error. Provided ->shutdown() is not called when ->activate() fails, nothing actually frees the buffer in this case. Fix this by properly freeing the buffer in a designated label. We jump there also from the "!info->type" if now too. Fixes: 6769140d3047 ("tty: mxser: use the tty_port_open method") Signed-off-by: Jiri Slaby Link: https://lore.kernel.org/r/20220124071430.14907-6-jslaby@suse.cz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit f3c006d3a4440a749bd3c38dd2c57442b005542a Author: Michael Straube Date: Fri Jan 7 11:36:04 2022 +0100 staging: r8188eu: release_firmware is not called if allocation fails [ Upstream commit 39850edf2befe27bcb3d6c37b6ee76d2ee4df903 ] In function load_firmware() release_firmware() is not called if the allocation of pFirmware->szFwBuffer fails or if fw->size is greater than FW_8188E_SIZE. Move the call to release_firmware() to the exit label at the end of the function to fix this. Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver") Signed-off-by: Michael Straube Link: https://lore.kernel.org/r/20220107103620.15648-4-straube.linux@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 58cfaad888b81ee5b6e23a6b2dda876cdcfb0bc8 Author: Phillip Potter Date: Mon Nov 29 00:20:39 2021 +0000 staging: r8188eu: convert DBG_88E_LEVEL call in hal/rtl8188e_hal_init.c [ Upstream commit 5ec394d58bdba731c2a33645be7018e71f72f287 ] Convert DBG_88E_LEVEL macro call in hal/rtl8188e_hal_init.c to plain dev_dbg call, as although the information is potentially useful, we should be exposing it using standard kernel debugging functionality. Signed-off-by: Phillip Potter Link: https://lore.kernel.org/r/20211129002041.865-6-phil@philpotter.co.uk Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 40cf07dcf413bc462a81e640911ccce91cc8cd8f Author: Lad Prabhakar Date: Thu Dec 23 09:32:23 2021 +0000 clk: renesas: r9a07g044: Update multiplier and divider values for PLL2/3 [ Upstream commit b289cdecc7c3e25e001cde260c882e4d9a8b0772 ] As per the HW manual (Rev.1.00 Sep, 2021) PLL2 and PLL3 should be 1600 MHz, but with current multiplier and divider values this resulted to 1596 MHz. This patch updates the multiplier and divider values for PLL2 and PLL3 so that we get the exact (1600 MHz) values. Fixes: 17f0ff3d49ff1 ("clk: renesas: Add support for R9A07G044 SoC") Suggested-by: Biju Das Signed-off-by: Lad Prabhakar Link: https://lore.kernel.org/r/20211223093223.4725-1-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit d7faa04a44a0c37ac3d222fa8e0bdcbfcee9c0c8 Author: Miaohe Lin Date: Wed Mar 23 16:07:18 2022 -0700 kernel/resource: fix kfree() of bootmem memory again [ Upstream commit 0cbcc92917c5de80f15c24d033566539ad696892 ] Since commit ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory"), we could get a resource allocated during boot via alloc_resource(). And it's required to release the resource using free_resource(). Howerver, many people use kfree directly which will result in kernel BUG. In order to fix this without fixing every call site, just leak a couple of bytes in such corner case. Link: https://lkml.kernel.org/r/20220217083619.19305-1-linmiaohe@huawei.com Fixes: ebff7d8f270d ("mem hotunplug: fix kfree() of bootmem memory") Signed-off-by: Miaohe Lin Suggested-by: David Hildenbrand Cc: Dan Williams Cc: Alistair Popple Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 459080fab12b23c0526026e5cedbf3fabb5457cc Author: Sondhauß, Jan Date: Wed Mar 23 08:47:33 2022 +0000 drivers: ethernet: cpsw: fix panic when interrupt coaleceing is set via ethtool [ Upstream commit 2844e2434385819f674d1fb4130c308c50ba681e ] cpsw_ethtool_begin directly returns the result of pm_runtime_get_sync when successful. pm_runtime_get_sync returns -error code on failure and 0 on successful resume but also 1 when the device is already active. So the common case for cpsw_ethtool_begin is to return 1. That leads to inconsistent calls to pm_runtime_put in the call-chain so that pm_runtime_put is called one too many times and as result leaving the cpsw dev behind suspended. The suspended cpsw dev leads to an access violation later on by different parts of the cpsw driver. Fix this by calling the return-friendly pm_runtime_resume_and_get function. Fixes: d43c65b05b84 ("ethtool: runtime-resume netdev parent in ethnl_ops_begin") Signed-off-by: Jan Sondhauss Reviewed-by: Vignesh Raghavendra Link: https://lore.kernel.org/r/20220323084725.65864-1-jan.sondhauss@wago.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 494218cd99e90cc21102053c2110969e84d14184 Author: Alexander Lobakin Date: Wed Mar 23 13:43:53 2022 +0100 ice: don't allow to run ice_send_event_to_aux() in atomic ctx [ Upstream commit 5a3156932da06f09953764de113419f254086faf ] ice_send_event_to_aux() eventually descends to mutex_lock() (-> might_sched()), so it must not be called under non-task context. However, at least two fixes have happened already for the bug splats occurred due to this function being called from atomic context. To make the emergency landings softer, bail out early when executed in non-task context emitting a warn splat only once. This way we trade some events being potentially lost for system stability and avoid any related hangs and crashes. Fixes: 348048e724a0e ("ice: Implement iidc operations") Signed-off-by: Alexander Lobakin Tested-by: Michal Kubiak Reviewed-by: Maciej Fijalkowski Acked-by: Tony Nguyen Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 24d7ac8426306ae7ccea7f7dd612a7368fe7201d Author: Alexander Lobakin Date: Wed Mar 23 13:43:52 2022 +0100 ice: fix 'scheduling while atomic' on aux critical err interrupt [ Upstream commit 32d53c0aa3a7b727243473949bad2a830b908edc ] There's a kernel BUG splat on processing aux critical error interrupts in ice_misc_intr(): [ 2100.917085] BUG: scheduling while atomic: swapper/15/0/0x00010000 ... [ 2101.060770] Call Trace: [ 2101.063229] [ 2101.065252] dump_stack+0x41/0x60 [ 2101.068587] __schedule_bug.cold.100+0x4c/0x58 [ 2101.073060] __schedule+0x6a4/0x830 [ 2101.076570] schedule+0x35/0xa0 [ 2101.079727] schedule_preempt_disabled+0xa/0x10 [ 2101.084284] __mutex_lock.isra.7+0x310/0x420 [ 2101.088580] ? ice_misc_intr+0x201/0x2e0 [ice] [ 2101.093078] ice_send_event_to_aux+0x25/0x70 [ice] [ 2101.097921] ice_misc_intr+0x220/0x2e0 [ice] [ 2101.102232] __handle_irq_event_percpu+0x40/0x180 [ 2101.106965] handle_irq_event_percpu+0x30/0x80 [ 2101.111434] handle_irq_event+0x36/0x53 [ 2101.115292] handle_edge_irq+0x82/0x190 [ 2101.119148] handle_irq+0x1c/0x30 [ 2101.122480] do_IRQ+0x49/0xd0 [ 2101.125465] common_interrupt+0xf/0xf [ 2101.129146] ... As Andrew correctly mentioned previously[0], the following call ladder happens: ice_misc_intr() <- hardirq ice_send_event_to_aux() device_lock() mutex_lock() might_sleep() might_resched() <- oops Add a new PF state bit which indicates that an aux critical error occurred and serve it in ice_service_task() in process context. The new ice_pf::oicr_err_reg is read-write in both hardirq and process contexts, but only 3 bits of non-critical data probably aren't worth explicit synchronizing (and they're even in the same byte [31:24]). [0] https://lore.kernel.org/all/YeSRUVmrdmlUXHDn@lunn.ch Fixes: 348048e724a0e ("ice: Implement iidc operations") Signed-off-by: Alexander Lobakin Tested-by: Michal Kubiak Acked-by: Tony Nguyen Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 0bf5c123f9cd77b25ba0d6217d62d8be2051c1cc Author: Miaoqian Lin Date: Mon Mar 7 07:29:47 2022 +0000 mfd: asic3: Add missing iounmap() on error asic3_mfd_probe [ Upstream commit e84ee1a75f944a0fe3c277aaa10c426603d2b0bc ] Add the missing iounmap() before return from asic3_mfd_probe in the error handling case. Fixes: 64e8867ba809 ("mfd: tmio_mmc hardware abstraction for CNF area") Signed-off-by: Miaoqian Lin Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220307072947.5369-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit b58fa5cf636f66cd3d955b351f15c0e5d9445250 Author: Hoang Le Date: Mon Mar 21 11:22:29 2022 +0700 tipc: fix the timer expires after interval 100ms [ Upstream commit 6a7d8cff4a3301087dd139293e9bddcf63827282 ] In the timer callback function tipc_sk_timeout(), we're trying to reschedule another timeout to retransmit a setup request if destination link is congested. But we use the incorrect timeout value (msecs_to_jiffies(100)) instead of (jiffies + msecs_to_jiffies(100)), so that the timer expires immediately, it's irrelevant for original description. In this commit we correct the timeout value in sk_reset_timer() Fixes: 6787927475e5 ("tipc: buffer overflow handling in listener socket") Acked-by: Ying Xue Signed-off-by: Hoang Le Link: https://lore.kernel.org/r/20220321042229.314288-1-hoang.h.le@dektech.com.au Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit b6e668ff43ebd87ccc8a19e5481345c428672295 Author: Vladimir Oltean Date: Fri Mar 18 21:54:43 2022 +0200 net: dsa: fix panic on shutdown if multi-chip tree failed to probe [ Upstream commit 8fd36358ce82382519b50b05f437493e1e00c4a9 ] DSA probing is atypical because a tree of devices must probe all at once, so out of N switches which call dsa_tree_setup_routing_table() during probe, for (N - 1) of them, "complete" will return false and they will exit probing early. The Nth switch will set up the whole tree on their behalf. The implication is that for (N - 1) switches, the driver binds to the device successfully, without doing anything. When the driver is bound, the ->shutdown() method may run. But if the Nth switch has failed to initialize the tree, there is nothing to do for the (N - 1) driver instances, since the slave devices have not been created, etc. Moreover, dsa_switch_shutdown() expects that the calling @ds has been in fact initialized, so it jumps at dereferencing the various data structures, which is incorrect. Avoid the ensuing NULL pointer dereferences by simply checking whether the Nth switch has previously set "ds->setup = true" for the switch which is currently shutting down. The entire setup is serialized under dsa2_mutex which we already hold. Fixes: 0650bf52b31f ("net: dsa: be compatible with masters which unregister on shutdown") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20220318195443.275026-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a04bcdb8a33f932397f17856f4a900b4a07a64bd Author: Aaron Conole Date: Fri Mar 18 08:43:19 2022 -0400 openvswitch: always update flow key after nat [ Upstream commit 60b44ca6bd7518dd38fa2719bc9240378b6172c3 ] During NAT, a tuple collision may occur. When this happens, openvswitch will make a second pass through NAT which will perform additional packet modification. This will update the skb data, but not the flow key that OVS uses. This means that future flow lookups, and packet matches will have incorrect data. This has been supported since 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack"). That commit failed to properly update the sw_flow_key attributes, since it only called the ovs_ct_nat_update_key once, rather than each time ovs_ct_nat_execute was called. As these two operations are linked, the ovs_ct_nat_execute() function should always make sure that the sw_flow_key is updated after a successful call through NAT infrastructure. Fixes: 5d50aa83e2c8 ("openvswitch: support asymmetric conntrack") Cc: Dumitru Ceara Cc: Numan Siddique Signed-off-by: Aaron Conole Acked-by: Eelco Chaudron Link: https://lore.kernel.org/r/20220318124319.3056455-1-aconole@redhat.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit fcdacebb81908a943b50f05817af662144527ab7 Author: Jakub Kicinski Date: Mon Mar 21 09:59:57 2022 -0700 tcp: ensure PMTU updates are processed during fastopen [ Upstream commit ed0c99dc0f499ff8b6e75b5ae6092ab42be1ad39 ] tp->rx_opt.mss_clamp is not populated, yet, during TFO send so we rise it to the local MSS. tp->mss_cache is not updated, however: tcp_v6_connect(): tp->rx_opt.mss_clamp = IPV6_MIN_MTU - headers; tcp_connect(): tcp_connect_init(): tp->mss_cache = min(mtu, tp->rx_opt.mss_clamp) tcp_send_syn_data(): tp->rx_opt.mss_clamp = tp->advmss After recent fixes to ICMPv6 PTB handling we started dropping PMTU updates higher than tp->mss_cache. Because of the stale tp->mss_cache value PMTU updates during TFO are always dropped. Thanks to Wei for helping zero in on the problem and the fix! Fixes: c7bb4b89033b ("ipv6: tcp: drop silly ICMPv6 packet too big messages") Reported-by: Andre Nash Reported-by: Neil Spring Reviewed-by: Wei Wang Acked-by: Yuchung Cheng Acked-by: Martin KaFai Lau Signed-off-by: Jakub Kicinski Reviewed-by: Eric Dumazet Link: https://lore.kernel.org/r/20220321165957.1769954-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 1d717816189fd68f9e089cf89ed1f7327d2c2e71 Author: Jeremy Linton Date: Wed Mar 9 22:53:58 2022 -0600 net: bcmgenet: Use stronger register read/writes to assure ordering [ Upstream commit 8d3ea3d402db94b61075617e71b67459a714a502 ] GCC12 appears to be much smarter about its dependency tracking and is aware that the relaxed variants are just normal loads and stores and this is causing problems like: [ 210.074549] ------------[ cut here ]------------ [ 210.079223] NETDEV WATCHDOG: enabcm6e4ei0 (bcmgenet): transmit queue 1 timed out [ 210.086717] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:529 dev_watchdog+0x234/0x240 [ 210.095044] Modules linked in: genet(E) nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat] [ 210.146561] ACPI CPPC: PCC check channel failed for ss: 0. ret=-110 [ 210.146927] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G E 5.17.0-rc7G12+ #58 [ 210.153226] CPPC Cpufreq:cppc_scale_freq_workfn: failed to read perf counters [ 210.161349] Hardware name: Raspberry Pi Foundation Raspberry Pi 4 Model B/Raspberry Pi 4 Model B, BIOS EDK2-DEV 02/08/2022 [ 210.161353] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 210.161358] pc : dev_watchdog+0x234/0x240 [ 210.161364] lr : dev_watchdog+0x234/0x240 [ 210.161368] sp : ffff8000080a3a40 [ 210.161370] x29: ffff8000080a3a40 x28: ffffcd425af87000 x27: ffff8000080a3b20 [ 210.205150] x26: ffffcd425aa00000 x25: 0000000000000001 x24: ffffcd425af8ec08 [ 210.212321] x23: 0000000000000100 x22: ffffcd425af87000 x21: ffff55b142688000 [ 210.219491] x20: 0000000000000001 x19: ffff55b1426884c8 x18: ffffffffffffffff [ 210.226661] x17: 64656d6974203120 x16: 0000000000000001 x15: 6d736e617274203a [ 210.233831] x14: 2974656e65676d63 x13: ffffcd4259c300d8 x12: ffffcd425b07d5f0 [ 210.241001] x11: 00000000ffffffff x10: ffffcd425b07d5f0 x9 : ffffcd4258bdad9c [ 210.248171] x8 : 00000000ffffdfff x7 : 000000000000003f x6 : 0000000000000000 [ 210.255341] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000001000 [ 210.262511] x2 : 0000000000001000 x1 : 0000000000000005 x0 : 0000000000000044 [ 210.269682] Call trace: [ 210.272133] dev_watchdog+0x234/0x240 [ 210.275811] call_timer_fn+0x3c/0x15c [ 210.279489] __run_timers.part.0+0x288/0x310 [ 210.283777] run_timer_softirq+0x48/0x80 [ 210.287716] __do_softirq+0x128/0x360 [ 210.291392] __irq_exit_rcu+0x138/0x140 [ 210.295243] irq_exit_rcu+0x1c/0x30 [ 210.298745] el1_interrupt+0x38/0x54 [ 210.302334] el1h_64_irq_handler+0x18/0x24 [ 210.306445] el1h_64_irq+0x7c/0x80 [ 210.309857] arch_cpu_idle+0x18/0x2c [ 210.313445] default_idle_call+0x4c/0x140 [ 210.317470] cpuidle_idle_call+0x14c/0x1a0 [ 210.321584] do_idle+0xb0/0x100 [ 210.324737] cpu_startup_entry+0x30/0x8c [ 210.328675] secondary_start_kernel+0xe4/0x110 [ 210.333138] __secondary_switched+0x94/0x98 The assumption when these were relaxed seems to be that device memory would be mapped non reordering, and that other constructs (spinlocks/etc) would provide the barriers to assure that packet data and in memory rings/queues were ordered with respect to device register reads/writes. This itself seems a bit sketchy, but the real problem with GCC12 is that it is moving the actual reads/writes around at will as though they were independent operations when in truth they are not, but the compiler can't know that. When looking at the assembly dumps for many of these routines its possible to see very clean, but not strictly in program order operations occurring as the compiler would be free to do if these weren't actually register reads/write operations. Its possible to suppress the timeout with a liberal bit of dma_mb()'s sprinkled around but the device still seems unable to reliably send/receive data. A better plan is to use the safer readl/writel everywhere. Since this partially reverts an older commit, which notes the use of the relaxed variants for performance reasons. I would suggest that any performance problems with this commit are targeted at relaxing only the performance critical code paths after assuring proper barriers. Fixes: 69d2ea9c79898 ("net: bcmgenet: Use correct I/O accessors") Reported-by: Peter Robinson Signed-off-by: Jeremy Linton Acked-by: Peter Robinson Tested-by: Peter Robinson Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/20220310045358.224350-1-jeremy.linton@arm.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit dae84466c716ee053ca657950ba5ea255b0d8b14 Author: Bjorn Helgaas Date: Mon Mar 21 13:34:46 2022 -0500 PCI: Avoid broken MSI on SB600 USB devices [ Upstream commit 63cd736f449445edcd7f0bcc7d84453e9beec0aa ] Some ATI SB600 USB adapters advertise MSI, but if INTx is disabled by setting PCI_COMMAND_INTX_DISABLE, MSI doesn't work either. The PCI/PCIe specs do not require software to set PCI_COMMAND_INTX_DISABLE when enabling MSI, but Linux has done that for many years. Mick reported that 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") broke these devices. Prior to 306c54d0edb6, they used INTx. Starting with 306c54d0edb6, they use MSI, and and the fact that Linux sets PCI_COMMAND_INTX_DISABLE means both INTx and MSI are disabled on these devices. Avoid this SB600 defect by disabling MSI so we use INTx as before. Fixes: 306c54d0edb6 ("usb: hcd: Try MSI interrupts on PCI devices") Link: https://lore.kernel.org/r/20220321183446.1108325-1-helgaas@kernel.org Link: https://bugzilla.kernel.org/show_bug.cgi?id=215690 Link: https://lore.kernel.org/all/PxIByDyBRcsbpcmVhGSNDFAoUcMmb78ctXCkw6fbpx25TGlCHvA6SJjjFkNr1FfQZMntYPTNyvEnblxzAZ8a6jP9ddLpKeCN6Chi_2FuexU=@protonmail.com/ Link: https://lore.kernel.org/r/20220314101448.90074-1-andriy.shevchenko@linux.intel.com BugLink: https://lore.kernel.org/all/20200702143045.23429-1-andriy.shevchenko@linux.intel.com/ Reported-by: Mick Lorain Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit 7da646d7f743cac32176ab8d6acd4bb1978590d6 Author: Yafang Shao Date: Sun Mar 20 06:08:14 2022 +0000 bpftool: Fix print error when show bpf map [ Upstream commit 1824d8ea75f275a5e69e5f6bc0ffe122ea9b938c ] If there is no btf_id or frozen, it will not show the pids, but the pids don't depend on any one of them. Below is the result after this change: $ ./bpftool map show 2: lpm_trie flags 0x1 key 8B value 8B max_entries 1 memlock 4096B pids systemd(1) 3: lpm_trie flags 0x1 key 20B value 8B max_entries 1 memlock 4096B pids systemd(1) While before this change, the 'pids systemd(1)' can't be displayed. Fixes: 9330986c0300 ("bpf: Add bloom filter map implementation") Signed-off-by: Yafang Shao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220320060815.7716-1-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit 4fb6d7e4fbb018d3bb5bbca4037478de995de254 Author: Hangbin Liu Date: Mon Mar 21 10:41:49 2022 +0800 selftests/bpf/test_lirc_mode2.sh: Exit with proper code [ Upstream commit ec80906b0fbd7be11e3e960813b977b1ffe5f8fe ] When test_lirc_mode2_user exec failed, the test report failed but still exit with 0. Fix it by exiting with an error code. Another issue is for the LIRCDEV checking. With bash -n, we need to quote the variable, or it will always be true. So if test_lirc_mode2_user was not run, just exit with skip code. Fixes: 6bdd533cee9a ("bpf: add selftest for lirc_mode2 type program") Signed-off-by: Hangbin Liu Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220321024149.157861-1-liuhangbin@gmail.com Signed-off-by: Sasha Levin commit 403f9e0bc5535a0a5184d1352fa3a70e6ffacb6f Author: Michael Ellerman Date: Fri Mar 18 14:42:19 2022 +1100 powerpc/pseries: Fix use after free in remove_phb_dynamic() [ Upstream commit fe2640bd7a62f1f7c3f55fbda31084085075bc30 ] In remove_phb_dynamic() we use &phb->io_resource, after we've called device_unregister(&host_bridge->dev). But the unregister may have freed phb, because pcibios_free_controller_deferred() is the release function for the host_bridge. If there are no outstanding references when we call device_unregister() then phb will be freed out from under us. This has gone mainly unnoticed, but with slub_debug and page_poison enabled it can lead to a crash: PID: 7574 TASK: c0000000d492cb80 CPU: 13 COMMAND: "drmgr" #0 [c0000000e4f075a0] crash_kexec at c00000000027d7dc #1 [c0000000e4f075d0] oops_end at c000000000029608 #2 [c0000000e4f07650] __bad_page_fault at c0000000000904b4 #3 [c0000000e4f076c0] do_bad_slb_fault at c00000000009a5a8 #4 [c0000000e4f076f0] data_access_slb_common_virt at c000000000008b30 Data SLB Access [380] exception frame: R0: c000000000167250 R1: c0000000e4f07a00 R2: c000000002a46100 R3: c000000002b39ce8 R4: 00000000000000c0 R5: 00000000000000a9 R6: 3894674d000000c0 R7: 0000000000000000 R8: 00000000000000ff R9: 0000000000000100 R10: 6b6b6b6b6b6b6b6b R11: 0000000000008000 R12: c00000000023da80 R13: c0000009ffd38b00 R14: 0000000000000000 R15: 000000011c87f0f0 R16: 0000000000000006 R17: 0000000000000003 R18: 0000000000000002 R19: 0000000000000004 R20: 0000000000000005 R21: 000000011c87ede8 R22: 000000011c87c5a8 R23: 000000011c87d3a0 R24: 0000000000000000 R25: 0000000000000001 R26: c0000000e4f07cc8 R27: c00000004d1cc400 R28: c0080000031d00e8 R29: c00000004d23d800 R30: c00000004d1d2400 R31: c00000004d1d2540 NIP: c000000000167258 MSR: 8000000000009033 OR3: c000000000e9f474 CTR: 0000000000000000 LR: c000000000167250 XER: 0000000020040003 CCR: 0000000024088420 MQ: 0000000000000000 DAR: 6b6b6b6b6b6b6ba3 DSISR: c0000000e4f07920 Syscall Result: fffffffffffffff2 [NIP : release_resource+56] [LR : release_resource+48] #5 [c0000000e4f07a00] release_resource at c000000000167258 (unreliable) #6 [c0000000e4f07a30] remove_phb_dynamic at c000000000105648 #7 [c0000000e4f07ab0] dlpar_remove_slot at c0080000031a09e8 [rpadlpar_io] #8 [c0000000e4f07b50] remove_slot_store at c0080000031a0b9c [rpadlpar_io] #9 [c0000000e4f07be0] kobj_attr_store at c000000000817d8c #10 [c0000000e4f07c00] sysfs_kf_write at c00000000063e504 #11 [c0000000e4f07c20] kernfs_fop_write_iter at c00000000063d868 #12 [c0000000e4f07c70] new_sync_write at c00000000054339c #13 [c0000000e4f07d10] vfs_write at c000000000546624 #14 [c0000000e4f07d60] ksys_write at c0000000005469f4 #15 [c0000000e4f07db0] system_call_exception at c000000000030840 #16 [c0000000e4f07e10] system_call_vectored_common at c00000000000c168 To avoid it, we can take a reference to the host_bridge->dev until we're done using phb. Then when we drop the reference the phb will be freed. Fixes: 2dd9c11b9d4d ("powerpc/pseries: use pci_host_bridge.release_fn() to kfree(phb)") Reported-by: David Dai Signed-off-by: Michael Ellerman Tested-by: Sachin Sant Link: https://lore.kernel.org/r/20220318034219.1188008-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit a1537a708a981918302af68f1689bcdc65c85cdf Author: Peter Rosin Date: Wed Mar 2 12:22:35 2022 +0100 i2c: mux: demux-pinctrl: do not deactivate a master that is not active [ Upstream commit 1a22aabf20adf89cb216f566913196128766f25b ] Attempting to rollback the activation of the current master when the current master has not been activated is bad. priv->cur_chan and priv->cur_adap are both still zeroed out and the rollback may result in attempts to revert an of changeset that has not been applied and do result in calls to both del and put the zeroed out i2c_adapter. Maybe it crashes, or whatever, but it's bad in any case. Fixes: e9d1a0a41d44 ("i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()'") Signed-off-by: Peter Rosin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit bbfc3df91204ec3a1e56c26c6ad3a046e1e37d0e Author: Phil Sutter Date: Wed Mar 2 22:02:55 2022 +0100 netfilter: conntrack: Add and use nf_ct_set_auto_assign_helper_warned() [ Upstream commit 31d0bb9763efad30377505f3467f958d1ebe1e3d ] The function sets the pernet boolean to avoid the spurious warning from nf_ct_lookup_helper() when assigning conntrack helpers via nftables. Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") Signed-off-by: Phil Sutter Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit a92cc431975bab516f42adabc8acd577bbd05517 Author: Lucas Tanure Date: Tue Mar 1 07:26:00 2022 +0000 i2c: meson: Fix wrong speed use from probe [ Upstream commit cb13aa16f34f794a9cee2626862af8a95f0f0ee9 ] Having meson_i2c_set_clk_div after i2c_add_adapter causes issues for client drivers that try to use the bus before the requested speed is applied. The bus can be used just after i2c_add_adapter, so move i2c_add_adapter to the final step as meson_i2c_set_clk_div needs to be called before the bus is used. Fixes: 09af1c2fa490 ("i2c: meson: set clock divider in probe instead of setting it for each transfer") Signed-off-by: Lucas Tanure Reviewed-by: Neil Armstrong Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit e8aaf3134bc5e943048eefe9f2ddaabf41d92b1a Author: Petr Machata Date: Thu Mar 17 15:53:06 2022 +0100 af_netlink: Fix shift out of bounds in group mask calculation [ Upstream commit 0caf6d9922192dd1afa8dc2131abfb4df1443b9f ] When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds shift attempts. Which bits end up being set in such case is implementation defined, but it's either going to be a wrong non-zero value, or zero, which is at least not misleading. Make the latter choice deterministic by always setting to 0 for higher-numbered multicast groups. To get information about membership in groups >= 32, userspace is expected to use nl_pktinfo control messages[0], which are enabled by NETLINK_PKTINFO socket option. [0] https://lwn.net/Articles/147608/ The way to trigger this issue is e.g. through monitoring the BRVLAN group: # bridge monitor vlan & # ip link add name br type bridge Which produces the following citation: UBSAN: shift-out-of-bounds in net/netlink/af_netlink.c:162:19 shift exponent 32 is too large for 32-bit type 'int' Fixes: f7fa9b10edbb ("[NETLINK]: Support dynamic number of multicast groups per netlink family") Signed-off-by: Petr Machata Reviewed-by: Ido Schimmel Link: https://lore.kernel.org/r/2bef6aabf201d1fc16cca139a744700cff9dcb04.1647527635.git.petrm@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 752add6f5ce5305e55d8bda4ac8d69be3a09f14d Author: Yonglong Li Date: Thu Mar 17 15:09:53 2022 -0700 mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb [ Upstream commit 3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc ] Got crash when doing pressure test of mptcp: =========================================================================== dst_release: dst:ffffa06ce6e5c058 refcnt:-1 kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle kernel paging request at ffffa06ce6e5c058 PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063 Oops: 0011 [#1] SMP PTI CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014 Call Trace: ? skb_release_head_state+0x68/0x100 ? skb_release_all+0xe/0x30 ? kfree_skb+0x32/0xa0 ? mptcp_sendmsg_frag+0x57e/0x750 ? __mptcp_retrans+0x21b/0x3c0 ? __switch_to_asm+0x35/0x70 ? mptcp_worker+0x25e/0x320 ? process_one_work+0x1a7/0x360 ? worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 ? kthread+0x112/0x130 ? kthread_flush_work_fn+0x10/0x10 ? ret_from_fork+0x35/0x40 =========================================================================== In __mptcp_alloc_tx_skb skb was allocated and skb->tcp_tsorted_anchor will be initialized, in under memory pressure situation sk_wmem_schedule will return false and then kfree_skb. In this case skb->_skb_refdst is not null because_skb_refdst and tcp_tsorted_anchor are stored in the same mem, and kfree_skb will try to release dst and cause crash. Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache") Reviewed-by: Paolo Abeni Signed-off-by: Yonglong Li Signed-off-by: Mat Martineau Link: https://lore.kernel.org/r/20220317220953.426024-1-mathew.j.martineau@linux.intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 48ab2897521cf53e1a09015a70f24a5fe9c32dd2 Author: Guillaume Nault Date: Thu Mar 17 13:45:09 2022 +0100 ipv4: Fix route lookups when handling ICMP redirects and PMTU updates [ Upstream commit 544b4dd568e3b09c1ab38a759d3187e7abda11a0 ] The PMTU update and ICMP redirect helper functions initialise their fl4 variable with either __build_flow_key() or build_sk_flow_key(). These initialisation functions always set ->flowi4_scope with RT_SCOPE_UNIVERSE and might set the ECN bits of ->flowi4_tos. This is not a problem when the route lookup is later done via ip_route_output_key_hash(), which properly clears the ECN bits from ->flowi4_tos and initialises ->flowi4_scope based on the RTO_ONLINK flag. However, some helpers call fib_lookup() directly, without sanitising the tos and scope fields, so the route lookup can fail and, as a result, the ICMP redirect or PMTU update aren't taken into account. Fix this by extracting the ->flowi4_tos and ->flowi4_scope sanitisation code into ip_rt_fix_tos(), then use this function in handlers that call fib_lookup() directly. Note 1: We can't sanitise ->flowi4_tos and ->flowi4_scope in a central place (like __build_flow_key() or flowi4_init_output()), because ip_route_output_key_hash() expects non-sanitised values. When called with sanitised values, it can erroneously overwrite RT_SCOPE_LINK with RT_SCOPE_UNIVERSE in ->flowi4_scope. Therefore we have to be careful to sanitise the values only for those paths that don't call ip_route_output_key_hash(). Note 2: The problem is mostly about sanitising ->flowi4_tos. Having ->flowi4_scope initialised with RT_SCOPE_UNIVERSE instead of RT_SCOPE_LINK probably wasn't really a problem: sockets with the SOCK_LOCALROUTE flag set (those that'd result in RTO_ONLINK being set) normally shouldn't receive ICMP redirects or PMTU updates. Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") Signed-off-by: Guillaume Nault Reviewed-by: David Ahern Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f6dd8669b8299a3a536cd92a7069152a7704da1d Author: Dan Carpenter Date: Wed Mar 16 11:39:48 2022 +0300 RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit() [ Upstream commit 87e0eacb176f9500c2063d140c0a1d7fa51ab8a5 ] This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows. Fixes: 3c3c1f141639 ("RDMA/nldev: Allow optional-counter status configuration through RDMA netlink") Link: https://lore.kernel.org/r/20220316083948.GC30941@kili Signed-off-by: Dan Carpenter Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4d3d1f2c35a19988d3c5f0ee86038b525e830840 Author: Yake Yang Date: Thu Mar 17 07:15:19 2022 +0800 Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt [ Upstream commit b062a0b9c1dc1ff63094337dccfe1568d5b62023 ] Fix the following kernel oops in btmtksdio_interrrupt [ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30 That happened because hdev->power_on is already called before sdio_set_drvdata which btmtksdio_interrupt handler relies on is not properly set up. The details are shown as the below: hci_register_dev would run queue_work(hdev->req_workqueue, &hdev->power_on) as WQ_HIGHPRI workqueue_struct to complete the power-on sequeunce and thus hci_power_on may run before sdio_set_drvdata is done in btmtksdio_probe. The hci_dev_do_open in hci_power_on would initialize the device and enable the interrupt and thus it is possible that btmtksdio_interrupt is being called right before sdio_set_drvdata is filled out. When btmtksdio_interrupt is being called and sdio_set_drvdata is not filled , the kernel oops is going to happen because btmtksdio_interrupt access an uninitialized pointer. Fixes: 9aebfd4a2200 ("Bluetooth: mediatek: add support for MediaTek MT7663S and MT7668S SDIO devices") Reviewed-by: Mark Chen Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Yake Yang Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit c1f3339e43db025d3662d62af93e86bd4a867139 Author: Niels Dossche Date: Wed Mar 16 16:33:50 2022 +0100 Bluetooth: call hci_le_conn_failed with hdev lock in hci_le_conn_failed [ Upstream commit 9fa6b4cda3b414e990f008f45f9bcecbcb54d4d1 ] hci_le_conn_failed function's documentation says that the caller must hold hdev->lock. The only callsite that does not hold that lock is hci_le_conn_failed. The other 3 callsites hold the hdev->lock very locally. The solution is to hold the lock during the call to hci_le_conn_failed. Fixes: 3c857757ef6e ("Bluetooth: Add directed advertising support through connect()") Signed-off-by: Niels Dossche Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit e6b6c904c0f88588b6a3ace20e4c0d61eab124f8 Author: Pavel Skripkin Date: Sun Mar 13 20:49:36 2022 +0300 Bluetooth: hci_uart: add missing NULL check in h5_enqueue [ Upstream commit 32cb08e958696908a9aad5e49a78d74f7e32fffb ] Syzbot hit general protection fault in __pm_runtime_resume(). The problem was in missing NULL check. hu->serdev can be NULL and we should not blindly pass &serdev->dev somewhere, since it will cause GPF. Reported-by: syzbot+b9bd12fbed3485a3e51f@syzkaller.appspotmail.com Fixes: d9dd833cf6d2 ("Bluetooth: hci_h5: Add runtime suspend") Signed-off-by: Pavel Skripkin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit bef0f3083c07ff257e65d0caf85adb5e98bd614f Author: Jakub Sitnicki Date: Thu Mar 17 12:39:17 2022 +0100 selftests/bpf: Fix error reporting from sock_fields programs [ Upstream commit a4c9fe0ed4a13e25e43fcd44d9f89bc19ba8fbb7 ] The helper macro that records an error in BPF programs that exercise sock fields access has been inadvertently broken by adaptation work that happened in commit b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables"). BPF_NOEXIST flag cannot be used to update BPF_MAP_TYPE_ARRAY. The operation always fails with -EEXIST, which in turn means the error never gets recorded, and the checks for errors always pass. Revert the change in update flags. Fixes: b18c1f0aa477 ("bpf: selftest: Adapt sock_fields test to use skel and global variables") Signed-off-by: Jakub Sitnicki Signed-off-by: Daniel Borkmann Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20220317113920.1068535-2-jakub@cloudflare.com Signed-off-by: Sasha Levin commit 2ab6cd7f1b027b11416fe8145f63d68e72bd576c Author: Kuniyuki Iwashima Date: Thu Mar 17 12:08:08 2022 +0900 af_unix: Fix some data-races around unix_sk(sk)->oob_skb. [ Upstream commit e82025c623e2bf04d162bafceb66a59115814479 ] Out-of-band data automatically places a "mark" showing wherein the sequence the out-of-band data would have been. If the out-of-band data implies cancelling everything sent so far, the "mark" is helpful to flush them. When the socket's read pointer reaches the "mark", the ioctl() below sets a non zero value to the arg `atmark`: The out-of-band data is queued in sk->sk_receive_queue as well as ordinary data and also saved in unix_sk(sk)->oob_skb. It can be used to test if the head of the receive queue is the out-of-band data meaning the socket is at the "mark". While testing that, unix_ioctl() reads unix_sk(sk)->oob_skb locklessly. Thus, all accesses to oob_skb need some basic protection to avoid load/store tearing which KCSAN detects when these are called concurrently: - ioctl(fd_a, SIOCATMARK, &atmark, sizeof(atmark)) - send(fd_b_connected_to_a, buf, sizeof(buf), MSG_OOB) BUG: KCSAN: data-race in unix_ioctl / unix_stream_sendmsg write to 0xffff888003d9cff0 of 8 bytes by task 175 on cpu 1: unix_stream_sendmsg (net/unix/af_unix.c:2087 net/unix/af_unix.c:2191) sock_sendmsg (net/socket.c:705 net/socket.c:725) __sys_sendto (net/socket.c:2040) __x64_sys_sendto (net/socket.c:2048) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) read to 0xffff888003d9cff0 of 8 bytes by task 176 on cpu 0: unix_ioctl (net/unix/af_unix.c:3101 (discriminator 1)) sock_do_ioctl (net/socket.c:1128) sock_ioctl (net/socket.c:1242) __x64_sys_ioctl (fs/ioctl.c:52 fs/ioctl.c:874 fs/ioctl.c:860 fs/ioctl.c:860) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:113) value changed: 0xffff888003da0c00 -> 0xffff888003da0d00 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 176 Comm: unix_race_oob_i Not tainted 5.17.0-rc5-59529-g83dc4c2af682 #12 Hardware name: Red Hat KVM, BIOS 1.11.0-2.amzn2 04/01/2014 Fixes: 314001f0bf92 ("af_unix: Add OOB support") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 475f9cce98b63bc145b4efa66fa51175d4cb345f Author: Sukadev Bhattiprolu Date: Wed Mar 16 18:12:31 2022 -0700 ibmvnic: fix race between xmit and reset [ Upstream commit 4219196d1f662cb10a462eb9e076633a3fc31a15 ] There is a race between reset and the transmit paths that can lead to ibmvnic_xmit() accessing an scrq after it has been freed in the reset path. It can result in a crash like: Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000016189f8 Oops: Kernel access of bad area, sig: 11 [#1] ... NIP [c0080000016189f8] ibmvnic_xmit+0x60/0xb60 [ibmvnic] LR [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 Call Trace: [c008000001618f08] ibmvnic_xmit+0x570/0xb60 [ibmvnic] (unreliable) [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 [c000000000c9cfcc] sch_direct_xmit+0xec/0x330 [c000000000bfe640] __dev_xmit_skb+0x3a0/0x9d0 [c000000000c00ad4] __dev_queue_xmit+0x394/0x730 [c008000002db813c] __bond_start_xmit+0x254/0x450 [bonding] [c008000002db8378] bond_start_xmit+0x40/0xc0 [bonding] [c000000000c0046c] dev_hard_start_xmit+0x11c/0x280 [c000000000c00ca4] __dev_queue_xmit+0x564/0x730 [c000000000cf97e0] neigh_hh_output+0xd0/0x180 [c000000000cfa69c] ip_finish_output2+0x31c/0x5c0 [c000000000cfd244] __ip_queue_xmit+0x194/0x4f0 [c000000000d2a3c4] __tcp_transmit_skb+0x434/0x9b0 [c000000000d2d1e0] __tcp_retransmit_skb+0x1d0/0x6a0 [c000000000d2d984] tcp_retransmit_skb+0x34/0x130 [c000000000d310e8] tcp_retransmit_timer+0x388/0x6d0 [c000000000d315ec] tcp_write_timer_handler+0x1bc/0x330 [c000000000d317bc] tcp_write_timer+0x5c/0x200 [c000000000243270] call_timer_fn+0x50/0x1c0 [c000000000243704] __run_timers.part.0+0x324/0x460 [c000000000243894] run_timer_softirq+0x54/0xa0 [c000000000ea713c] __do_softirq+0x15c/0x3e0 [c000000000166258] __irq_exit_rcu+0x158/0x190 [c000000000166420] irq_exit+0x20/0x40 [c00000000002853c] timer_interrupt+0x14c/0x2b0 [c000000000009a00] decrementer_common_virt+0x210/0x220 --- interrupt: 900 at plpar_hcall_norets_notrace+0x18/0x2c The immediate cause of the crash is the access of tx_scrq in the following snippet during a reset, where the tx_scrq can be either NULL or an address that will soon be invalid: ibmvnic_xmit() { ... tx_scrq = adapter->tx_scrq[queue_num]; txq = netdev_get_tx_queue(netdev, queue_num); ind_bufp = &tx_scrq->ind_buf; if (test_bit(0, &adapter->resetting)) { ... } But beyond that, the call to ibmvnic_xmit() itself is not safe during a reset and the reset path attempts to avoid this by stopping the queue in ibmvnic_cleanup(). However just after the queue was stopped, an in-flight ibmvnic_complete_tx() could have restarted the queue even as the reset is progressing. Since the queue was restarted we could get a call to ibmvnic_xmit() which can then access the bad tx_scrq (or other fields). We cannot however simply have ibmvnic_complete_tx() check the ->resetting bit and skip starting the queue. This can race at the "back-end" of a good reset which just restarted the queue but has not cleared the ->resetting bit yet. If we skip restarting the queue due to ->resetting being true, the queue would remain stopped indefinitely potentially leading to transmit timeouts. IOW ->resetting is too broad for this purpose. Instead use a new flag that indicates whether or not the queues are active. Only the open/ reset paths control when the queues are active. ibmvnic_complete_tx() and others wake up the queue only if the queue is marked active. So we will have: A. reset/open thread in ibmvnic_cleanup() and __ibmvnic_open() ->resetting = true ->tx_queues_active = false disable tx queues ... ->tx_queues_active = true start tx queues B. Tx interrupt in ibmvnic_complete_tx(): if (->tx_queues_active) netif_wake_subqueue(); To ensure that ->tx_queues_active and state of the queues are consistent, we need a lock which: - must also be taken in the interrupt path (ibmvnic_complete_tx()) - shared across the multiple queues in the adapter (so they don't become serialized) Use rcu_read_lock() and have the reset thread synchronize_rcu() after updating the ->tx_queues_active state. While here, consolidate a few boolean fields in ibmvnic_adapter for better alignment. Based on discussions with Brian King and Dany Madden. Fixes: 7ed5b31f4a66 ("net/ibmvnic: prevent more than one thread from running in reset") Reported-by: Vaishnavi Bhat Signed-off-by: Sukadev Bhattiprolu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit f5738b4af71ef7baedb54e806a906e6d158a9915 Author: Hangbin Liu Date: Tue Mar 15 14:26:18 2022 +0800 bareudp: use ipv6_mod_enabled to check if IPv6 enabled [ Upstream commit e077ed58c243afc197bc2a2ba0e1ff61135e4ec2 ] bareudp_create_sock() use AF_INET6 by default if IPv6 CONFIG enabled. But if user start kernel with ipv6.disable=1, the bareudp sock will created failed, which cause the interface open failed even with ethertype ip. e.g. # ip link add bareudp1 type bareudp dstport 2 ethertype ip # ip link set bareudp1 up RTNETLINK answers: Address family not supported by protocol Fix it by using ipv6_mod_enabled() to check if IPv6 enabled. There is no need to check IS_ENABLED(CONFIG_IPV6) as ipv6_mod_enabled() will return false when CONFIG_IPV6 no enabled in include/linux/ipv6.h. Reported-by: Jianlin Shi Fixes: 571912c69f0e ("net: UDP tunnel encapsulation module for tunnelling different protocols like MPLS, IP, NSH etc.") Signed-off-by: Hangbin Liu Link: https://lore.kernel.org/r/20220315062618.156230-1-liuhangbin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e9b9b992bc29d35634fc05c2aefbc060f17a45de Author: Oliver Hartkopp Date: Wed Mar 16 17:42:58 2022 +0100 can: isotp: support MSG_TRUNC flag when reading from socket [ Upstream commit 42bf50a1795a1854d48717b7361dbdbce496b16b ] When providing the MSG_TRUNC flag via recvmsg() syscall the return value provides the real length of the packet or datagram, even when it was longer than the passed buffer. Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/347#issuecomment-1065932671 Link: https://lore.kernel.org/all/20220316164258.54155-3-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit f55ffb5a533271c27ca1112db6222a25129c0151 Author: Oliver Hartkopp Date: Wed Mar 16 17:42:57 2022 +0100 can: isotp: return -EADDRNOTAVAIL when reading from unbound socket [ Upstream commit 30ffd5332e06316bd69a654c06aa033872979b7c ] When reading from an unbound can-isotp socket the syscall blocked indefinitely. As unbound sockets (without given CAN address information) do not make sense anyway we directly return -EADDRNOTAVAIL on read() analogue to the known behavior from sendmsg(). Fixes: e057dd3fc20f ("can: add ISO 15765-2:2016 transport protocol") Link: https://github.com/linux-can/can-utils/issues/349 Link: https://lore.kernel.org/all/20220316164258.54155-2-socketcan@hartkopp.net Suggested-by: Derek Will Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 7d6c538cf5a4666ac5f2eaf3f683d97cdb2b60f3 Author: Lorenzo Bianconi Date: Thu Mar 3 09:46:41 2022 +0100 mt76: mt7921: fix mt7921_queues_acq implementation [ Upstream commit 849ee6ac9dd3efd0a57cbc98b9a9d6ae87374aff ] Fix mt7921_queues_acq implementation according to the vendor sdk. Fixes: 474a9f21e2e20 ("mt76: mt7921: add debugfs support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 9519482c849e1da6698d830d7bfd3e836b8cd9dd Author: Pablo Neira Ayuso Date: Wed Mar 16 11:19:43 2022 +0100 netfilter: flowtable: Fix QinQ and pppoe support for inet table [ Upstream commit 0492d857636e1c52cd71594a723c4b26a7b31978 ] nf_flow_offload_inet_hook() does not check for 802.1q and PPPoE. Fetch inner ethertype from these encapsulation protocols. Fixes: 72efd585f714 ("netfilter: flowtable: add pppoe support") Fixes: 4cd91f7c290f ("netfilter: flowtable: add vlan support") Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit d658d369ad644469d80498153bb8d7adb832a25d Author: José Roberto de Souza Date: Fri Mar 11 10:51:49 2022 -0800 drm/i915/display: Do not re-enable PSR after it was marked as not reliable [ Upstream commit 278da06c03655c2bb9bc36ebdf45b90a079b3bfd ] If a error happens and sink_not_reliable is set, PSR should be disabled for good but that is not happening. It would be disabled by the function handling the PSR error but then on the next fastset it would be enabled again in _intel_psr_post_plane_update(). It would only be disabled for good in the next modeset where has_psr will be set false. v2: - release psr lock before continue Fixes: 9ce5884e5139 ("drm/i915/display: Only keep PSR enabled if there is active planes") Reported-by: Khaled Almahallawy Reported-by: Charlton Lin Cc: Jouni Högander Signed-off-by: José Roberto de Souza Reviewed-by: Jouni Högander Link: https://patchwork.freedesktop.org/patch/msgid/20220311185149.110527-2-jose.souza@intel.com (cherry picked from commit 15f26bdc81f7f03561aaea5a10d87bd6638e1459) Signed-off-by: Joonas Lahtinen Signed-off-by: Sasha Levin commit 9759a3547526cd1ff4b4a49703c7ed16d3921420 Author: José Roberto de Souza Date: Fri Mar 11 10:51:48 2022 -0800 drm/i915/display: Fix HPD short pulse handling for eDP [ Upstream commit 3a84fd1ed53582b31e843a152ee3219e9e4ccb8c ] Commit 13ea6db2cf24 ("drm/i915/edp: Ignore short pulse when panel powered off") completely broke short pulse handling for eDP as it is usually generated by sink when it is displaying image and there is some error or status that source needs to handle. When power panel is enabled, this state is enough to power aux transactions and VDD override is disabled, so intel_pps_have_power() is always returning false causing short pulses to be ignored. So here better naming this function that intends to check if aux lines are powered to avoid the endless cycle mentioned in the commit being fixed and fixing the check for what it is intended. v2: - renamed to intel_pps_have_panel_power_or_vdd() - fixed indentation Fixes: 13ea6db2cf24 ("drm/i915/edp: Ignore short pulse when panel powered off") Cc: Anshuman Gupta Cc: Jani Nikula Cc: Uma Shankar Cc: Ville Syrjälä Reviewed-by: Ville Syrjälä Signed-off-by: José Roberto de Souza Link: https://patchwork.freedesktop.org/patch/msgid/20220311185149.110527-1-jose.souza@intel.com (cherry picked from commit 8f0c1c0949b609acfad62b8d5f742a3b5e7b05ab) Signed-off-by: Joonas Lahtinen Signed-off-by: Sasha Levin commit ff11dd4b9a7d83e3b0b5ed62e800d4455148b669 Author: Bob Pearson Date: Thu Mar 3 18:07:57 2022 -0600 RDMA/rxe: Fix ref error in rxe_av.c [ Upstream commit 63221acb0c63141cc7650f8eefb148337061e6db ] The commit referenced below can take a reference to the AH which is never dropped. This only happens in the UD request path. This patch optionally passes that AH back to the caller so that it can hold the reference while the AV is being accessed and then drop it. Code to do this is added to rxe_req.c. The AV is also passed to rxe_prepare in rxe_net.c as an optimization. Fixes: e2fe06c90806 ("RDMA/rxe: Lookup kernel AH from ah index in UD WQEs") Link: https://lore.kernel.org/r/20220304000808.225811-2-rpearsonhpe@gmail.com Signed-off-by: Bob Pearson Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4bf26b79a1d8a73e271a31aeb8c6193d07f60b44 Author: Chengguang Xu Date: Mon Mar 7 22:50:46 2022 +0800 RDMA/rxe: Change variable and function argument to proper type [ Upstream commit 7e8e611d6a0ff228577b1167335ffefb0f44d5d8 ] The type of wqe length is u32 so in order to avoid overflow and shadow casting change variable and relevant function argument to proper type. Link: https://lore.kernel.org/r/20220307145047.3235675-1-cgxu519@mykernel.net Signed-off-by: Chengguang Xu Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit b955ba243a74bfc16bbed6e2aa2835da3b930a66 Author: Dan Carpenter Date: Fri Mar 4 10:35:04 2022 +0300 USB: storage: ums-realtek: fix error code in rts51x_read_mem() [ Upstream commit b07cabb8361dc692522538205552b1b9dab134be ] The rts51x_read_mem() function should return negative error codes. Currently if the kmalloc() fails it returns USB_STOR_TRANSPORT_ERROR (3) which is treated as success by the callers. Fixes: 065e60964e29 ("ums_realtek: do not use stack memory for DMA") Acked-by: Alan Stern Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20220304073504.GA26464@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit be75121e4594bf13b32ff35a9145495a83be44cf Author: Niklas Söderlund Date: Tue Mar 15 11:29:48 2022 +0100 samples/bpf, xdpsock: Fix race when running for fix duration of time [ Upstream commit 8fa42d78f6354bb96ad3a079dcbef528ca9fa9e0 ] When running xdpsock for a fix duration of time before terminating using --duration=, there is a race condition that may cause xdpsock to terminate immediately. When running for a fixed duration of time the check to determine when to terminate execution is in is_benchmark_done() and is being executed in the context of the poller thread, if (opt_duration > 0) { unsigned long dt = (get_nsecs() - start_time); if (dt >= opt_duration) benchmark_done = true; } However start_time is only set after the poller thread have been created. This leaves a small window when the poller thread is starting and calls is_benchmark_done() for the first time that start_time is not yet set. In that case start_time have its initial value of 0 and the duration check fails as it do not correlate correctly for the applications start time and immediately sets benchmark_done which in turn terminates the xdpsock application. Fix this by setting start_time before creating the poller thread. Fixes: d3f11b018f6c ("samples/bpf: xdpsock: Add duration option to specify how long to run") Signed-off-by: Niklas Söderlund Signed-off-by: Simon Horman Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220315102948.466436-1-niklas.soderlund@corigine.com Signed-off-by: Sasha Levin commit 223f3c51ab163852dd4819d357dcf33039929434 Author: Wang Yufen Date: Fri Mar 4 16:11:45 2022 +0800 bpf, sockmap: Fix double uncharge the mem of sk_msg [ Upstream commit 2486ab434b2c2a14e9237296db00b1e1b7ae3273 ] If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed. tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free() The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would then trigger the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the side effect of throwing an error up to user space. This would be a slight change in behavior from user side but would look the same as an error if the redirect on the socket threw an error. This issue can cause the following info: WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-5-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 87d532d41ef937e16f61b3d2094f3a2ac49be365 Author: Wang Yufen Date: Fri Mar 4 16:11:44 2022 +0800 bpf, sockmap: Fix more uncharged while msg has more_data [ Upstream commit 84472b436e760ba439e1969a9e3c5ae7c86de39d ] In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict() tosend = msg->sg.size //msg->sg.size = 22220 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000 goto more_data; tosend = msg->sg.size //msg->sg.size = 11000 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(11000) to sk->sk_forward_alloc The msg->sg.size(11000) has been uncharged twice, to fix we can charge the remaining msg->sg.size before goto more data. This issue can cause the following info: WARNING: CPU: 0 PID: 9860 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 ? vfs_write+0x237/0x290 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-4-wangyufen@huawei.com Signed-off-by: Sasha Levin commit f677328f05f52d535cbdc15cb04476db49477eb4 Author: Wang Yufen Date: Fri Mar 4 16:11:43 2022 +0800 bpf, sockmap: Fix memleak in tcp_bpf_sendmsg while sk msg is full [ Upstream commit 9c34e38c4a870eb30b13f42f5b44f42e9d19ccb8 ] If tcp_bpf_sendmsg() is running while sk msg is full. When sk_msg_alloc() returns -ENOMEM error, tcp_bpf_sendmsg() goes to wait_for_memory. If partial memory has been alloced by sk_msg_alloc(), that is, msg_tx->sg.size is greater than osize after sk_msg_alloc(), memleak occurs. To fix we use sk_msg_trim() to release the allocated memory, then goto wait for memory. Other call paths of sk_msg_alloc() have the similar issue, such as tls_sw_sendmsg(), so handle sk_msg_trim logic inside sk_msg_alloc(), as Cong Wang suggested. This issue can cause the following info: WARNING: CPU: 3 PID: 7950 at net/core/stream.c:208 sk_stream_kill_queues+0xd4/0x1a0 Call Trace: inet_csk_destroy_sock+0x55/0x110 __tcp_close+0x279/0x470 tcp_close+0x1f/0x60 inet_release+0x3f/0x80 __sock_release+0x3d/0xb0 sock_close+0x11/0x20 __fput+0x92/0x250 task_work_run+0x6a/0xa0 do_exit+0x33b/0xb60 do_group_exit+0x2f/0xa0 get_signal+0xb6/0x950 arch_do_signal_or_restart+0xac/0x2a0 exit_to_user_mode_prepare+0xa9/0x200 syscall_exit_to_user_mode+0x12/0x30 do_syscall_64+0x46/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae WARNING: CPU: 3 PID: 2094 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 kthread+0xe6/0x110 ret_from_fork+0x22/0x30 Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-3-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 4dd2e947d3be13a4de3b3028859b9a6497266bcf Author: Wang Yufen Date: Fri Mar 4 16:11:42 2022 +0800 bpf, sockmap: Fix memleak in sk_psock_queue_msg [ Upstream commit 938d3480b92fa5e454b7734294f12a7b75126f09 ] If tcp_bpf_sendmsg is running during a tear down operation we may enqueue data on the ingress msg queue while tear down is trying to free it. sk1 (redirect sk2) sk2 ------------------- --------------- tcp_bpf_sendmsg() tcp_bpf_send_verdict() tcp_bpf_sendmsg_redir() bpf_tcp_ingress() sock_map_close() lock_sock() lock_sock() ... blocking sk_psock_stop sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); release_sock(sk); lock_sock() sk_mem_charge() get_page() sk_psock_queue_msg() sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED); drop_sk_msg() release_sock() While drop_sk_msg(), the msg has charged memory form sk by sk_mem_charge and has sg pages need to put. To fix we use sk_msg_free() and then kfee() msg. This issue can cause the following info: WARNING: CPU: 0 PID: 9202 at net/core/stream.c:205 sk_stream_kill_queues+0xc8/0xe0 Call Trace: inet_csk_destroy_sock+0x55/0x110 tcp_rcv_state_process+0xe5f/0xe90 ? sk_filter_trim_cap+0x10d/0x230 ? tcp_v4_do_rcv+0x161/0x250 tcp_v4_do_rcv+0x161/0x250 tcp_v4_rcv+0xc3a/0xce0 ip_protocol_deliver_rcu+0x3d/0x230 ip_local_deliver_finish+0x54/0x60 ip_local_deliver+0xfd/0x110 ? ip_protocol_deliver_rcu+0x230/0x230 ip_rcv+0xd6/0x100 ? ip_local_deliver+0x110/0x110 __netif_receive_skb_one_core+0x85/0xa0 process_backlog+0xa4/0x160 __napi_poll+0x29/0x1b0 net_rx_action+0x287/0x300 __do_softirq+0xff/0x2fc do_softirq+0x79/0x90 WARNING: CPU: 0 PID: 531 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x175/0x1b0 Call Trace: __sk_destruct+0x24/0x1f0 sk_psock_destroy+0x19b/0x1c0 process_one_work+0x1b3/0x3c0 ? process_one_work+0x3c0/0x3c0 worker_thread+0x30/0x350 ? process_one_work+0x3c0/0x3c0 kthread+0xe6/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 9635720b7c88 ("bpf, sockmap: Fix memleak on ingress msg enqueue") Signed-off-by: Wang Yufen Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20220304081145.2037182-2-wangyufen@huawei.com Signed-off-by: Sasha Levin commit d66498507801fd9a20307a15a0814a0a016c3cde Author: Yongzhi Liu Date: Fri Mar 11 09:06:01 2022 -0800 RDMA/mlx5: Fix memory leak in error flow for subscribe event routine [ Upstream commit 087f9c3f2309ed183f7e4b85ae57121d8663224d ] In case the second xa_insert() fails, the obj_event is not released. Fix the error unwind flow to free that memory to avoid a memory leak. Fixes: 759738537142 ("IB/mlx5: Enable subscription for device events over DEVX") Link: https://lore.kernel.org/r/1647018361-18266-1-git-send-email-lyz_cs@pku.edu.cn Signed-off-by: Yongzhi Liu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit eed4e3e752c2f8dfa290d3cd872e2945d30b46e7 Author: Leon Romanovsky Date: Wed Mar 9 20:42:13 2022 +0200 Revert "RDMA/core: Fix ib_qp_usecnt_dec() called when error" [ Upstream commit 7922d3de4d270a9aedb71212fc0d5ae697ced516 ] This reverts commit 7c4a539ec38f4ce400a0f3fcb5ff6c940fcd67bb. which causes to the following error in mlx4. Destroy of kernel CQ shouldn't fail WARNING: CPU: 4 PID: 18064 at include/rdma/ib_verbs.h:3936 mlx4_ib_dealloc_xrcd+0x12e/0x1b0 [mlx4_ib] Modules linked in: bonding ib_ipoib ip_gre ipip tunnel4 geneve rdma_ucm nf_tables ib_umad mlx4_en mlx4_ib ib_uverbs mlx4_core ip6_gre gre ip6_tunnel tunnel6 iptable_raw openvswitch nsh rpcrdma ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter overlay fuse [last unloaded: mlx4_core] CPU: 4 PID: 18064 Comm: ibv_xsrq_pingpo Not tainted 5.17.0-rc7_master_62c6ecb #1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx4_ib_dealloc_xrcd+0x12e/0x1b0 [mlx4_ib] Code: 1e 93 08 00 40 80 fd 01 0f 87 fa f1 04 00 83 e5 01 0f 85 2b ff ff ff 48 c7 c7 20 4f b6 a0 c6 05 fd 92 08 00 01 e8 47 c9 82 e2 <0f> 0b e9 11 ff ff ff 0f b6 2d eb 92 08 00 40 80 fd 01 0f 87 b1 f1 RSP: 0018:ffff8881a4957750 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff8881ac4b6800 RCX: 0000000000000000 RDX: 0000000000000027 RSI: 0000000000000004 RDI: ffffed103492aedc RBP: 0000000000000000 R08: 0000000000000001 R09: ffff8884d2e378eb R10: ffffed109a5c6f1d R11: 0000000000000001 R12: ffff888132620000 R13: ffff8881a4957a90 R14: ffff8881aa2d4000 R15: ffff8881a4957ad0 FS: 00007f0401747740(0000) GS:ffff8884d2e00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055f8ae036118 CR3: 000000012fe94005 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ib_dealloc_xrcd_user+0xce/0x120 [ib_core] ib_uverbs_dealloc_xrcd+0xad/0x210 [ib_uverbs] uverbs_free_xrcd+0xe8/0x190 [ib_uverbs] destroy_hw_idr_uobject+0x7a/0x130 [ib_uverbs] uverbs_destroy_uobject+0x164/0x730 [ib_uverbs] uobj_destroy+0x72/0xf0 [ib_uverbs] ib_uverbs_cmd_verbs+0x19fb/0x3110 [ib_uverbs] ib_uverbs_ioctl+0x169/0x260 [ib_uverbs] __x64_sys_ioctl+0x856/0x1550 do_syscall_64+0x3d/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: 7c4a539ec38f ("RDMA/core: Fix ib_qp_usecnt_dec() called when error") Link: https://lore.kernel.org/r/74c11029adaf449b3b9228a77cc82f39e9e892c8.1646851220.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f21056f15bbeacab7b4b87af232f5599d1f2bff1 Author: Dan Carpenter Date: Mon Mar 7 15:59:28 2022 +0300 RDMA/irdma: Prevent some integer underflows [ Upstream commit 6f6dbb819dfc1a35bcb8b709b5c83a3ea8beff75 ] My static checker complains that: drivers/infiniband/hw/irdma/ctrl.c:3605 irdma_sc_ceq_init() warn: can subtract underflow 'info->dev->hmc_fpm_misc.max_ceqs'? It appears that "info->dev->hmc_fpm_misc.max_ceqs" comes from the firmware in irdma_sc_parse_fpm_query_buf() so, yes, there is a chance that it could be zero. Even if we trust the firmware, it's easy enough to change the condition just as a hardenning measure. Fixes: 3f49d6842569 ("RDMA/irdma: Implement HW Admin Queue OPs") Link: https://lore.kernel.org/r/20220307125928.GE16710@kili Signed-off-by: Dan Carpenter Acked-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit e0bd5424aa8016c2a6a9001070cda184bff08b3e Author: Linus Walleij Date: Tue Mar 8 16:44:25 2022 +0100 power: ab8500_chargalg: Use CLOCK_MONOTONIC [ Upstream commit c22fca40522e2be8af168f3087d87d85e404ea72 ] The HRTimer in the AB8500 charging code is using CLOCK_REALTIME to set an alarm some hours forward in time +/- 5 min for a safety timer. I have observed that this will sometimes fire sporadically early when charging a battery with the result that charging stops. As CLOCK_REALTIME can be subject to adjustments of time from sources such as NTP, this cannot be trusted and will likely for example fire events if the clock is set forward some hours by say NTP. Use CLOCK_MONOTONIC as indicated in other instances and the problem goes away. Also initialize the timer to REL mode as this is what will be used later. Fixes: 257107ae6b9b ("ab8500-chargalg: Use hrtimer") Cc: Lee Jones Suggested-by: Matti Vaittinen Signed-off-by: Linus Walleij Reviewed-by: Matti Vaittinen Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 8baea2b96fa90af8d0f937caf4cf2105ee094d93 Author: Xin Xiong Date: Fri Mar 4 16:53:32 2022 +0800 mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init [ Upstream commit fecbd4a317c95d73c849648c406bcf1b6a0ec1cf ] The reference counting issue happens in several error handling paths on a refcounted object "nc->dmac". In these paths, the function simply returns the error code, forgetting to balance the reference count of "nc->dmac", increased earlier by dma_request_channel(), which may cause refcount leaks. Fix it by decrementing the refcount of specific object in those error paths. Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver") Co-developed-by: Xiyu Yang Signed-off-by: Xiyu Yang Co-developed-by: Xin Tan Signed-off-by: Xin Tan Signed-off-by: Xin Xiong Reviewed-by: Claudiu Beznea Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220304085330.3610-1-xiongx18@fudan.edu.cn Signed-off-by: Sasha Levin commit 5a8501d34b261906e4c76ec9da679f2cb4d309ed Author: Yaliang Wang Date: Thu Mar 10 19:31:16 2022 +0800 MIPS: pgalloc: fix memory leak caused by pgd_free() [ Upstream commit 2bc5bab9a763d520937e4f3fe8df51c6a1eceb97 ] pgd page is freed by generic implementation pgd_free() since commit f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()"), however, there are scenarios that the system uses more than one page as the pgd table, in such cases the generic implementation pgd_free() won't be applicable anymore. For example, when PAGE_SIZE_4KB is enabled and MIPS_VA_BITS_48 is not enabled in a 64bit system, the macro "PGD_ORDER" will be set as "1", which will cause allocating two pages as the pgd table. Well, at the same time, the generic implementation pgd_free() just free one pgd page, which will result in the memory leak. The memory leak can be easily detected by executing shell command: "while true; do ls > /dev/null; grep MemFree /proc/meminfo; done" Fixes: f9cb654cb550 ("asm-generic: pgalloc: provide generic pgd_free()") Signed-off-by: Yaliang Wang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 33014306020d97f6dc028a37050038ed9abe10da Author: Randy Dunlap Date: Fri Mar 11 20:20:26 2022 -0800 MIPS: RB532: fix return value of __setup handler [ Upstream commit 8755d57ba1ff910666572fab9e32890e8cc6ed3b ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) argument or environment strings. Also, error return codes don't mean anything to obsolete_checksetup() -- only non-zero (usually 1) or zero. So return 1 from setup_kmac(). Fixes: 9e21c7e40b7e ("MIPS: RB532: Replace parse_mac_addr() with mac_pton().") Fixes: 73b4390fb234 ("[MIPS] Routerboard 532: Support for base system") Signed-off-by: Randy Dunlap From: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Thomas Bogendoerfer Cc: linux-mips@vger.kernel.org Cc: "David S. Miller" Cc: Jakub Kicinski Cc: Phil Sutter Cc: Florian Fainelli Cc: Ralf Baechle Cc: Daniel Walter Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 4680c2ac9aabda82acd23ebbd1f900fb6a889cd3 Author: Miaoqian Lin Date: Wed Mar 9 09:17:10 2022 +0000 mips: cdmm: Fix refcount leak in mips_cdmm_phys_base [ Upstream commit 4528668ca331f7ce5999b7746657b46db5b3b785 ] The of_find_compatible_node() function returns a node pointer with refcount incremented, We should use of_node_put() on it when done Add the missing of_node_put() to release the refcount. Fixes: 2121aa3e2312 ("mips: cdmm: Add mti,mips-cdmm dtb node support") Signed-off-by: Miaoqian Lin Acked-by: Serge Semin Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 74b1d41e1b6410eed5c76d00eedb262036e9eff5 Author: Miaoqian Lin Date: Tue Mar 8 07:02:38 2022 +0000 ath10k: Fix error handling in ath10k_setup_msa_resources [ Upstream commit 9747a78d5f758a5284751a10aee13c30d02bd5f1 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: 727fec790ead ("ath10k: Setup the msa resources before qmi init") Signed-off-by: Miaoqian Lin Reviewed-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220308070238.19295-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit babb99d9ee0a663245dbf43fe07712ce91251e15 Author: Oliver Hartkopp Date: Wed Mar 9 13:04:16 2022 +0100 vxcan: enable local echo for sent CAN frames [ Upstream commit 259bdba27e32368b4404f69d613b1c1014c07cbf ] The vxcan driver provides a pair of virtual CAN interfaces to exchange CAN traffic between different namespaces - analogue to veth. In opposite to the vcan driver the local sent CAN traffic on this interface is not echo'ed back but only sent to the remote peer. This is unusual and can be easily fixed by removing IFF_ECHO from the netdevice flags that are set for vxcan interfaces by default at startup. Without IFF_ECHO set on driver level, the local sent CAN frames are echo'ed in af_can.c in can_send(). This patch makes vxcan interfaces adopt the same local echo behavior and procedures as known from the vcan interfaces. Fixes: a8f820a380a2 ("can: add Virtual CAN Tunnel driver (vxcan)") Link: https://lore.kernel.org/all/20220309120416.83514-5-socketcan@hartkopp.net Signed-off-by: Oliver Hartkopp Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e91645e719955da1eec12ad8b38665d8481b8a1b Author: Johannes Berg Date: Fri Mar 4 13:21:24 2022 +0200 iwlwifi: pcie: fix SW error MSI-X mapping [ Upstream commit 7b9f485091a5755f6e0a7dd3725f3b312768ecd0 ] We need to also update the IVAR location, since we've shifted the bit. Signed-off-by: Johannes Berg Fixes: 571836a02c7b ("iwlwifi: pcie: update sw error interrupt for BZ family") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220304131517.bcfb28484e50.I921df6b5134785d7eeb0c934e4a43157c582fa79@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 3cd3a7c3b72e39a281e3a262910a92ed65e6ce2c Author: Max Filippov Date: Tue Dec 28 01:20:20 2021 -0800 xtensa: add missing XCHAL_HAVE_WINDOWED check [ Upstream commit 8c9ab55c0fbdc76cb876140c2dad75a610bb23ef ] Add missing preprocessor conditions to secondary reset vector code. Fixes: 09af39f649da ("xtensa: use register window specific opcodes only when present") Signed-off-by: Max Filippov Signed-off-by: Sasha Levin commit 48f4f19937f46b5f141dd1e22253d0158c22d6c6 Author: Hangyu Hua Date: Wed Feb 23 15:02:23 2022 +0800 powerpc: 8xx: fix a return value error in mpc8xx_pic_init [ Upstream commit 3fd46e551f67f4303c3276a0d6cd20baf2d192c4 ] mpc8xx_pic_init() should return -ENOMEM instead of 0 when irq_domain_add_linear() return NULL. This cause mpc8xx_pics_init to continue executing even if mpc8xx_pic_host is NULL. Fixes: cc76404feaed ("powerpc/8xx: Fix possible device node reference leak") Signed-off-by: Hangyu Hua Reviewed-by: Christophe Leroy Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220223070223.26845-1-hbh25y@gmail.com Signed-off-by: Sasha Levin commit dddc212182008ca3d6b1f6212c3a440012eb8f61 Author: Sreekanth Reddy Date: Thu Mar 3 19:32:30 2022 +0530 scsi: mpt3sas: Fix incorrect 4GB boundary check [ Upstream commit 208cc9fe6f21112b5cc6cb87065fb8ab66e79316 ] The driver must perform its 4GB boundary check using the pool's DMA address instead of using the virtual address. Link: https://lore.kernel.org/r/20220303140230.13098-1-sreekanth.reddy@broadcom.com Fixes: d6adc251dd2f ("scsi: mpt3sas: Force PCIe scatterlist allocations to be within same 4 GB region") Signed-off-by: Sreekanth Reddy Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 366e1e6d0f801e0e9bf554d101ce899a7004c243 Author: Jia-Ju Bai Date: Wed Mar 2 18:24:21 2022 -0800 platform/x86: huawei-wmi: check the return value of device_create_file() [ Upstream commit c91a5b1c221a58d008485cf7d02ccce73108b119 ] The function device_create_file() in huawei_wmi_battery_add() can fail, so its return value should be checked. Fixes: 355a070b09ab ("platform/x86: huawei-wmi: Add battery charging thresholds") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220303022421.313-1-baijiaju1990@gmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 1f8f9b3ae27da29cf7dea575d06f71a44db45875 Author: Felix Maurer Date: Thu Mar 3 12:15:26 2022 +0100 selftests/bpf: Make test_lwt_ip_encap more stable and faster [ Upstream commit d23a8720327d33616f584d76c80824bfa4699be6 ] In test_lwt_ip_encap, the ingress IPv6 encap test failed from time to time. The failure occured when an IPv4 ping through the IPv6 GRE encapsulation did not receive a reply within the timeout. The IPv4 ping and the IPv6 ping in the test used different timeouts (1 sec for IPv4 and 6 sec for IPv6), probably taking into account that IPv6 might need longer to successfully complete. However, when IPv4 pings (with the short timeout) are encapsulated into the IPv6 tunnel, the delays of IPv6 apply. The actual reason for the long delays with IPv6 was that the IPv6 neighbor discovery sometimes did not complete in time. This was caused by the outgoing interface only having a tentative link local address, i.e., not having completed DAD for that lladdr. The ND was successfully retried after 1 sec but that was too late for the ping timeout. The IPv6 addresses for the test were already added with nodad. However, for the lladdrs, DAD was still performed. We now disable DAD in the test netns completely and just assume that the two lladdrs on each veth pair do not collide. This removes all the delays for IPv6 traffic in the test. Without the delays, we can now also reduce the delay of the IPv6 ping to 1 sec. This makes the whole test complete faster because we don't need to wait for the excessive timeout for each IPv6 ping that is supposed to fail. Fixes: 0fde56e4385b0 ("selftests: bpf: add test_lwt_ip_encap selftest") Signed-off-by: Felix Maurer Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/4987d549d48b4e316cd5b3936de69c8d4bc75a4f.1646305899.git.fmaurer@redhat.com Signed-off-by: Sasha Levin commit 6007b82332e3a7dbb5057444c1e1b6f6bf381f68 Author: lic121 Date: Tue Mar 1 13:26:23 2022 +0000 libbpf: Unmap rings when umem deleted [ Upstream commit 9c6e6a80ee741adf6cb3cfd8eef7d1554f91fceb ] xsk_umem__create() does mmap for fill/comp rings, but xsk_umem__delete() doesn't do the unmap. This works fine for regular cases, because xsk_socket__delete() does unmap for the rings. But for the case that xsk_socket__create_shared() fails, umem rings are not unmapped. fill_save/comp_save are checked to determine if rings have already be unmapped by xsk. If fill_save and comp_save are NULL, it means that the rings have already been used by xsk. Then they are supposed to be unmapped by xsk_socket__delete(). Otherwise, xsk_umem__delete() does the unmap. Fixes: 2f6324a3937f ("libbpf: Support shared umems between queues and devices") Signed-off-by: Cheng Li Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220301132623.GA19995@vscode.7~ Signed-off-by: Sasha Levin commit 7327ecc92175e6dccc540f366f34d5bd27ac004b Author: Jiasheng Jiang Date: Thu Feb 24 10:23:31 2022 +0800 mfd: mc13xxx: Add check for mc13xxx_irq_request [ Upstream commit e477e51a41cb5d6034f3c5ea85a71ad4613996b9 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the mc13xxx_irq_request() and return error if fails. Fixes: 8e00593557c3 ("mfd: Add mc13892 support to mc13xxx") Signed-off-by: Jiasheng Jiang Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220224022331.3208275-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit a3dae36d632b2cf6eb20314273e512a96cb43c9a Author: Michael Ellerman Date: Tue Feb 22 22:34:49 2022 +1100 powerpc/64s: Don't use DSISR for SLB faults [ Upstream commit d4679ac8ea2e5078704aa1c026db36580cc1bf9a ] Since commit 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") we use page_fault_is_write(regs->dsisr) in __bad_page_fault() to determine if the fault is for a read or write, and change the message printed accordingly. But SLB faults, aka Data Segment Interrupts, don't set DSISR (Data Storage Interrupt Status Register) to a useful value. All ISA versions from v2.03 through v3.1 specify that the Data Segment Interrupt sets DSISR "to an undefined value". As far as I can see there's no mention of SLB faults setting DSISR in any BookIV content either. This manifests as accesses that should be a read being incorrectly reported as writes, for example, using the xmon "dump" command: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [359526.415354][ C6] BUG: Unable to handle kernel data access on write at 0x5deadbeef0000000 [359526.415611][ C6] Faulting instruction address: 0xc00000000010a300 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf400] pc: c00000000010a300: mread+0x90/0x190 If we disassemble the PC, we see a load instruction: 0:mon> di c00000000010a300 c00000000010a300 89490000 lbz r10,0(r9) We can also see in exceptions-64s.S that the data_access_slb block doesn't set IDSISR=1, which means it doesn't load DSISR into pt_regs. So the value we're using to determine if the fault is a read/write is some stale value in pt_regs from a previous page fault. Rework the printing logic to separate the SLB fault case out, and only print read/write in the cases where we can determine it. The result looks like eg: 0:mon> d 0x5deadbeef0000000 5deadbeef0000000 [ 721.779525][ C6] BUG: Unable to handle kernel data access at 0x5deadbeef0000000 [ 721.779697][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390] 0:mon> d 0 0000000000000000 [ 742.793242][ C6] BUG: Kernel NULL pointer dereference at 0x00000000 [ 742.793316][ C6] Faulting instruction address: 0xc00000000014cbe0 cpu 0x6: Vector: 380 (Data SLB Access) at [c00000000ffbf390] Fixes: 46ddcb3950a2 ("powerpc/mm: Show if a bad page fault on data is read or write.") Reported-by: Nageswara R Sastry Signed-off-by: Michael Ellerman Reviewed-by: Nicholas Piggin Link: https://lore.kernel.org/r/20220222113449.319193-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit cee19678f0754e30eca994da3fd46b43017271ab Author: Jakob Koschel Date: Mon Feb 28 15:24:33 2022 +0100 powerpc/sysdev: fix incorrect use to determine if list is empty [ Upstream commit fa1321b11bd01752f5be2415e74a0e1a7c378262 ] 'gtm' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 83ff9dcf375c ("powerpc/sysdev: implement FSL GTM support") Signed-off-by: Jakob Koschel Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220228142434.576226-1-jakobkoschel@gmail.com Signed-off-by: Sasha Levin commit b2eb97a285af4d921d5d5f57a5f8fe5c4659142c Author: Maciej W. Rozycki Date: Fri Mar 4 21:13:11 2022 +0000 MIPS: Sanitise Cavium switch cases in TLB handler synthesizers [ Upstream commit 6ddcba9d480b6bcced4223a729794dfa6becb7eb ] It makes no sense to fall through to `break'. Therefore reorder the switch statements so as to have the Cavium cases first, followed by the default case, which improves readability and pacifies code analysis tools. No change in semantics, assembly produced is exactly the same. Reported-by: kernel test robot Signed-off-by: Maciej W. Rozycki Fixes: bc431d2153cc ("MIPS: Fix fall-through warnings for Clang") Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit ba088f6e3e538050b4e0f1bbb350ec4f1db7eb73 Author: Randy Dunlap Date: Fri Mar 4 08:24:27 2022 -0800 mips: DEC: honor CONFIG_MIPS_FP_SUPPORT=n [ Upstream commit 97bf0395c226907e1a9b908511a35192bf1e09bb ] Include the DECstation interrupt handler in opting out of FPU support. Fixes a linker error: mips-linux-ld: arch/mips/dec/int-handler.o: in function `fpu': (.text+0x148): undefined reference to `handle_fpe_int' Fixes: 183b40f992c8 ("MIPS: Allow FP support to be disabled") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Paul Burton Cc: Thomas Bogendoerfer Cc: Maciej W. Rozycki Cc: linux-mips@vger.kernel.org Acked-by: Maciej W. Rozycki Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit a1da4b2a250a1f6056430b4b5c148a965e988bdd Author: Rob Clark Date: Sat Mar 5 09:34:03 2022 -0800 drm/msm/a6xx: Fix missing ARRAY_SIZE() check [ Upstream commit cca96584b35765bf9eb5f38ca55a144ea2ba0de4 ] Fixes: f6d62d091cfd ("drm/msm/a6xx: add support for Adreno 660 GPU") Signed-off-by: Rob Clark Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220305173405.914989-1-robdclark@gmail.com Signed-off-by: Sasha Levin commit 27e1a417e26588b9675c82642e89eaaa843aafac Author: Robert Hancock Date: Fri Mar 4 20:24:37 2022 -0600 net: axienet: fix RX ring refill allocation failure handling [ Upstream commit 7a7d340ba4d9351e4c8847b898a2b996727a922a ] If a memory allocation error occurred during an attempt to refill a slot in the RX ring after the packet was received, the hardware tail pointer would still have been updated to point to or past the slot which remained marked as previously completed. This would likely result in the DMA engine raising an error when it eventually tried to use that slot again. If a slot cannot be refilled, then just stop processing and do not move the tail pointer past it. On the next attempt, we should skip receiving the packet from the empty slot and just try to refill it again. This failure mode has not actually been observed, but was found as part of other driver updates. Fixes: 8a3b7a252dca ("drivers/net/ethernet/xilinx: added Xilinx AXI Ethernet driver") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2167b75ad88fe3e97a8d326e7252ac6a05530a23 Author: Mark Tomlinson Date: Thu Aug 6 16:14:55 2020 +1200 PCI: Reduce warnings on possible RW1C corruption [ Upstream commit 92c45b63ce22c8898aa41806e8d6692bcd577510 ] For hardware that only supports 32-bit writes to PCI there is the possibility of clearing RW1C (write-one-to-clear) bits. A rate-limited messages was introduced by fb2659230120, but rate-limiting is not the best choice here. Some devices may not show the warnings they should if another device has just produced a bunch of warnings. Also, the number of messages can be a nuisance on devices which are otherwise working fine. Change the ratelimit to a single warning per bus. This ensures no bus is 'starved' of emitting a warning and also that there isn't a continuous stream of warnings. It would be preferable to have a warning per device, but the pci_dev structure is not available here, and a lookup from devfn would be far too slow. Suggested-by: Bjorn Helgaas Fixes: fb2659230120 ("PCI: Warn on possible RW1C corruption for sub-32 bit config writes") Link: https://lore.kernel.org/r/20200806041455.11070-1-mark.tomlinson@alliedtelesis.co.nz Signed-off-by: Mark Tomlinson Signed-off-by: Bjorn Helgaas Reviewed-by: Florian Fainelli Reviewed-by: Rob Herring Acked-by: Scott Branden Signed-off-by: Sasha Levin commit c62452bd75f59b13019d3f4ce508a30949fb6375 Author: Yajun Deng Date: Thu Mar 3 10:42:32 2022 +0800 RDMA/core: Fix ib_qp_usecnt_dec() called when error [ Upstream commit 7c4a539ec38f4ce400a0f3fcb5ff6c940fcd67bb ] ib_destroy_qp() would called by ib_create_qp_user() if error, the former contains ib_qp_usecnt_dec(), but ib_qp_usecnt_inc() was not called before. So move ib_qp_usecnt_inc() into create_qp(). Fixes: d2b10794fc13 ("RDMA/core: Create clean QP creations interface for uverbs") Link: https://lore.kernel.org/r/20220303024232.2847388-1-yajun.deng@linux.dev Signed-off-by: Yajun Deng Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 832ce8456bb69ad183b3355cc93d8a01d35bde1d Author: Mike Marciniszyn Date: Tue Feb 8 14:25:09 2022 -0500 IB/hfi1: Allow larger MTU without AIP [ Upstream commit b135e324d7a2e7fa0a7ef925076136e799b79f44 ] The AIP code signals the phys_mtu in the following query_port() fragment: props->phys_mtu = HFI1_CAP_IS_KSET(AIP) ? hfi1_max_mtu : ib_mtu_enum_to_int(props->max_mtu); Using the largest MTU possible should not depend on AIP. Fix by unconditionally using the hfi1_max_mtu value. Fixes: 6d72344cf6c4 ("IB/ipoib: Increase ipoib Datagram mode MTU's upper limit") Link: https://lore.kernel.org/r/1644348309-174874-1-git-send-email-mike.marciniszyn@cornelisnetworks.com Reviewed-by: Dennis Dalessandro Signed-off-by: Mike Marciniszyn Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit ae07ec8110ba83295c88bff7e85835cc2f6cc4ea Author: Jiasheng Jiang Date: Thu Mar 3 17:43:22 2022 +0800 power: supply: wm8350-power: Add missing free in free_charger_irq [ Upstream commit 6dee930f6f6776d1e5a7edf542c6863b47d9f078 ] In free_charger_irq(), there is no free for 'WM8350_IRQ_CHG_FAST_RDY'. Therefore, it should be better to add it in order to avoid the memory leak. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 7b07a86852e7754f6b28b8a904119da6c3a6c49b Author: Jiasheng Jiang Date: Fri Mar 4 09:57:51 2022 +0800 power: supply: wm8350-power: Handle error for wm8350_register_irq [ Upstream commit b0b14b5ba11bec56fad344a4a0b2e16449cc8b94 ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid same code. Fixes: 14431aa0c5a4 ("power_supply: Add support for WM8350 PMU") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 4a536a7d22a54029d4ce7ad928c34f509d30c5e2 Author: Divya Koppera Date: Fri Mar 4 15:04:16 2022 +0530 net: phy: micrel: Fix concurrent register access [ Upstream commit 4488f6b6148045424459ef1d5b153c6895ee1dbb ] Make Extended page register accessing atomic, to overcome unexpected output from register reads/writes. Fixes: 7c2dcfa295b1 ("net: phy: micrel: Add support for LAN8804 PHY") Signed-off-by: Divya Koppera Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d3d28d9b54b416b6636d3a22f5c814de90601c19 Author: Robert Hancock Date: Thu Jan 27 11:50:13 2022 -0600 i2c: xiic: Make bus names unique [ Upstream commit 1d366c2f9df8279df2adbb60471f86fc40a1c39e ] This driver is for an FPGA logic core, so there can be arbitrarily many instances of the bus on a given system. Previously all of the I2C bus names were "xiic-i2c" which caused issues with lm_sensors when trying to map human-readable names to sensor inputs because it could not properly distinguish the busses, for example. Append the platform device name to the I2C bus name so it is unique between different instances. Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface") Signed-off-by: Robert Hancock Tested-by: Michal Simek Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 0378416e6481c3d8a3984cafa910efd4fe6a42e8 Author: Mark Brown Date: Fri Feb 25 18:46:58 2022 +0000 KVM: arm64: Enable Cortex-A510 erratum 2077057 by default [ Upstream commit 4c11113c1a3d10f5b617e5d2b9acd8d1d715450f ] The recently added configuration option for Cortex A510 erratum 2077057 does not have a "default y" unlike other errata fixes. This appears to simply be an oversight since the help text suggests enabling the option if unsure and there's nothing in the commit log to suggest it is intentional. Fixes: 1dd498e5e26ad ("KVM: arm64: Workaround Cortex-A510's single-step and PAC trap errata") Signed-off-by: Mark Brown Acked-by: Catalin Marinas Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20220225184658.172527-1-broonie@kernel.org Signed-off-by: Sasha Levin commit 1edf7f641568908a7b4d31ac6bed55e9974ed10a Author: Anssi Hannula Date: Tue Feb 22 16:14:00 2022 +0200 hv_balloon: rate-limit "Unhandled message" warning [ Upstream commit 1d7286729aa616772be334eb908e11f527e1e291 ] For a couple of times I have encountered a situation where hv_balloon: Unhandled message: type: 12447 is being flooded over 1 million times per second with various values, filling the log and consuming cycles, making debugging difficult. Add rate limiting to the message. Most other Hyper-V drivers already have similar rate limiting in their message callbacks. The cause of the floods in my case was probably fixed by 96d9d1fa5cd5 ("Drivers: hv: balloon: account for vmbus packet header in max_pkt_size"). Fixes: 9aa8b50b2b3d ("Drivers: hv: Add Hyper-V balloon driver") Signed-off-by: Anssi Hannula Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20220222141400.98160-1-anssi.hannula@bitwise.fi Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 455098b912448c0f718f3adf5aa65286ef8651d9 Author: Sean Christopherson Date: Fri Feb 25 20:52:09 2022 +0000 KVM: SVM: Exit to userspace on ENOMEM/EFAULT GHCB errors [ Upstream commit aa9f58415a8e45598bf44befa90b9d5babe09601 ] Exit to userspace if setup_vmgexit_scratch() fails due to OOM or because copying data from guest (userspace) memory failed/faulted. The OOM scenario is clearcut, it's userspace's decision as to whether it should terminate the guest, free memory, etc... As for -EFAULT, arguably, any guest issue is a violation of the guest's contract with userspace, and thus userspace needs to decide how to proceed. E.g. userspace defines what is RAM vs. MMIO and communicates that directly to the guest, KVM is not involved in deciding what is/isn't RAM nor in communicating that information to the guest. If the scratch GPA doesn't resolve to a memslot, then the guest is not honoring the memory configuration as defined by userspace. And if userspace unmaps an hva for whatever reason, then exiting to userspace with -EFAULT is absolutely the right thing to do. KVM's ABI currently sucks and doesn't provide enough information to act on the -EFAULT, but that will hopefully be remedied in the future as there are multiple use cases, e.g. uffd and virtiofs truncation, that shouldn't require any work in KVM beyond returning -EFAULT with a small amount of metadata. KVM could define its ABI such that failure to access the scratch area is reflected into the guest, i.e. establish a contract with userspace, but that's undesirable as it limits KVM's options in the future, e.g. in the potential uffd case any failure on a uaccess needs to kick out to userspace. KVM does have several cases where it reflects these errors into the guest, e.g. kvm_pv_clock_pairing() and Hyper-V emulation, but KVM would preferably "fix" those instead of propagating the falsehood that any memory failure is the guest's fault. Lastly, returning a boolean as an "error" for that a helper that isn't named accordingly never works out well. Fixes: ad5b353240c8 ("KVM: SVM: Do not terminate SEV-ES guests on GHCB validation failure") Cc: Alper Gun Cc: Peter Gonda Signed-off-by: Sean Christopherson Message-Id: <20220225205209.3881130-1-seanjc@google.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit f0a6128ce7ef1631c934a3e490588a90aa5758f7 Author: Hou Wenlong Date: Tue Feb 8 17:34:03 2022 +0800 KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor() [ Upstream commit ca85f002258fdac3762c57d12d5e6e401b6a41af ] Per Intel's SDM on the "Instruction Set Reference", when loading segment descriptor, not-present segment check should be after all type and privilege checks. But the emulator checks it first, then #NP is triggered instead of #GP if privilege fails and segment is not present. Put not-present segment check after type and privilege checks in __load_segment_descriptor(). Fixes: 38ba30ba51a00 (KVM: x86 emulator: Emulate task switch in emulator.c) Reviewed-by: Sean Christopherson Signed-off-by: Hou Wenlong Message-Id: <52573c01d369f506cadcf7233812427cf7db81a7.1644292363.git.houwenlong.hwl@antgroup.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit c219590190731235afe9d2fde1b75738b7269200 Author: Zhenzhong Duan Date: Thu Feb 10 17:45:06 2022 +0800 KVM: x86: Fix emulation in writing cr8 [ Upstream commit f66af9f222f08d5b11ea41c1bd6c07a0f12daa07 ] In emulation of writing to cr8, one of the lowest four bits in TPR[3:0] is kept. According to Intel SDM 10.8.6.1(baremetal scenario): "APIC.TPR[bits 7:4] = CR8[bits 3:0], APIC.TPR[bits 3:0] = 0"; and SDM 28.3(use TPR shadow): "MOV to CR8. The instruction stores bits 3:0 of its source operand into bits 7:4 of VTPR; the remainder of VTPR (bits 3:0 and bits 31:8) are cleared."; and AMD's APM 16.6.4: "Task Priority Sub-class (TPS)-Bits 3 : 0. The TPS field indicates the current sub-priority to be used when arbitrating lowest-priority messages. This field is written with zero when TPR is written using the architectural CR8 register."; so in KVM emulated scenario, clear TPR[3:0] to make a consistent behavior as in other scenarios. This doesn't impact evaluation and delivery of pending virtual interrupts because processor does not use the processor-priority sub-class to determine which interrupts to delivery and which to inhibit. Sub-class is used by hardware to arbitrate lowest priority interrupts, but KVM just does a round-robin style delivery. Fixes: b93463aa59d6 ("KVM: Accelerated apic support") Signed-off-by: Zhenzhong Duan Reviewed-by: Sean Christopherson Message-Id: <20220210094506.20181-1-zhenzhong.duan@intel.com> Signed-off-by: Paolo Bonzini Signed-off-by: Sasha Levin commit 27c742ca76e72775441eee4f846c799bc07cde36 Author: Michael Ellerman Date: Tue Feb 15 22:28:58 2022 +1100 powerpc/Makefile: Don't pass -mcpu=powerpc64 when building 32-bit [ Upstream commit 2863dd2db23e0407f6c50b8ba5c0e55abef894f1 ] When CONFIG_GENERIC_CPU=y (true for all our defconfigs) we pass -mcpu=powerpc64 to the compiler, even when we're building a 32-bit kernel. This happens because we have an ifdef CONFIG_PPC_BOOK3S_64/else block in the Makefile that was written before 32-bit supported GENERIC_CPU. Prior to that the else block only applied to 64-bit Book3E. The GCC man page says -mcpu=powerpc64 "[specifies] a pure ... 64-bit big endian PowerPC ... architecture machine [type], with an appropriate, generic processor model assumed for scheduling purposes." It's unclear how that interacts with -m32, which we are also passing, although obviously -m32 is taking precedence in some sense, as the 32-bit kernel only contains 32-bit instructions. This was noticed by inspection, not via any bug reports, but it does affect code generation. Comparing before/after code generation, there are some changes to instruction scheduling, and the after case (with -mcpu=powerpc64 removed) the compiler seems more keen to use r8. Fix it by making the else case only apply to Book3E 64, which excludes 32-bit. Fixes: 0e00a8c9fd92 ("powerpc: Allow CPU selection also on PPC32") Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220215112858.304779-1-mpe@ellerman.id.au Signed-off-by: Sasha Levin commit 6c0a5f94940b8e3c07aacfe0f8cfce68f8fa4a9e Author: Daniel Henrique Barboza Date: Thu Feb 24 15:23:12 2022 -0300 powerpc/mm/numa: skip NUMA_NO_NODE onlining in parse_numa_properties() [ Upstream commit 749ed4a20657bcea66a6e082ca3dc0d228cbec80 ] Executing node_set_online() when nid = NUMA_NO_NODE results in an undefined behavior. node_set_online() will call node_set_state(), into __node_set(), into set_bit(), and since NUMA_NO_NODE is -1 we'll end up doing a negative shift operation inside arch/powerpc/include/asm/bitops.h. This potential UB was detected running a kernel with CONFIG_UBSAN. The behavior was introduced by commit 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0"), where the check for nid > 0 was removed to fix a problem that was happening with nid = 0, but the result is that now we're trying to online NUMA_NO_NODE nids as well. Checking for nid >= 0 will allow node 0 to be onlined while avoiding this UB with NUMA_NO_NODE. Fixes: 10f78fd0dabb ("powerpc/numa: Fix a regression on memoryless node 0") Reported-by: Ping Fang Signed-off-by: Daniel Henrique Barboza Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220224182312.1012527-1-danielhb413@gmail.com Signed-off-by: Sasha Levin commit 346eb815e8593106dc1453168222d3b3c2e8e39d Author: Xu Kuohai Date: Tue Mar 1 00:32:49 2022 -0500 libbpf: Skip forward declaration when counting duplicated type names [ Upstream commit 4226961b0019b2e1612029e8950a9e911affc995 ] Currently if a declaration appears in the BTF before the definition, the definition is dumped as a conflicting name, e.g.: $ bpftool btf dump file vmlinux format raw | grep "'unix_sock'" [81287] FWD 'unix_sock' fwd_kind=struct [89336] STRUCT 'unix_sock' size=1024 vlen=14 $ bpftool btf dump file vmlinux format c | grep "struct unix_sock" struct unix_sock; struct unix_sock___2 { <--- conflict, the "___2" is unexpected struct unix_sock___2 *unix_sk; This causes a compilation error if the dump output is used as a header file. Fix it by skipping declaration when counting duplicated type names. Fixes: 351131b51c7a ("libbpf: add btf_dump API for BTF-to-C conversion") Signed-off-by: Xu Kuohai Signed-off-by: Daniel Borkmann Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220301053250.1464204-2-xukuohai@huawei.com Signed-off-by: Sasha Levin commit 5124a344983e1b9670dae7add0e4d00d589aabcd Author: Christophe JAILLET Date: Sun Nov 7 22:16:36 2021 +0100 gpu: host1x: Fix a memory leak in 'host1x_remove()' [ Upstream commit 025c6643a81564f066d8381b9e2f4603e0f8438f ] Add a missing 'host1x_channel_list_free()' call in the remove function, as already done in the error handling path of the probe function. Fixes: 8474b02531c4 ("gpu: host1x: Refactor channel allocation code") Signed-off-by: Christophe JAILLET Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit feb3cf936cbf17972adc1c80932a3860932047a1 Author: Mustafa Ismail Date: Fri Feb 25 10:32:11 2022 -0600 RDMA/irdma: Remove incorrect masking of PD [ Upstream commit 17850f2b0b4b806e47cc44df94186bfc2cdd490b ] The PD id is masked with 0x7fff, while PD can be 18 bits for GEN2 HW. Remove the masking as it should not be needed and can cause incorrect PD id to be used. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Link: https://lore.kernel.org/r/20220225163211.127-4-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 66cea3fa9ff09e2da7e6136a38df27c1db53b491 Author: Mustafa Ismail Date: Fri Feb 25 10:32:10 2022 -0600 RDMA/irdma: Fix Passthrough mode in VM [ Upstream commit b200189626b5cefbaf8be9cadd7a28215e065bb9 ] Using PCI_FUNC macro in a VM, when the device is in passthrough mode does not provide the real function instance. This means that currently, devices will not probe unless the instance in the VM matches the instance in the host. Fix this by getting the pf_id from the LAN during the probe. Fixes: 8498a30e1b94 ("RDMA/irdma: Register auxiliary driver and implement private channel OPs") Link: https://lore.kernel.org/r/20220225163211.127-3-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 38194777aea70ac04f5a001e9cc94f1338a88fe4 Author: Mustafa Ismail Date: Fri Feb 25 10:32:09 2022 -0600 RDMA/irdma: Fix netdev notifications for vlan's [ Upstream commit 6702bc14744847842a87fed21a795b6e8bab6965 ] Currently, events on vlan netdevs are being ignored. Fix this by finding the real netdev and processing the notifications for vlan netdevs. Fixes: 915cc7ac0f8e ("RDMA/irdma: Add miscellaneous utility definitions") Link: https://lore.kernel.org/r/20220225163211.127-2-shiraz.saleem@intel.com Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d1579253ffce39986e7a6ab757ac93b2680a665f Author: Magnus Karlsson Date: Mon Feb 28 10:45:52 2022 +0100 xsk: Fix race at socket teardown [ Upstream commit 18b1ab7aa76bde181bdb1ab19a87fa9523c32f21 ] Fix a race in the xsk socket teardown code that can lead to a NULL pointer dereference splat. The current xsk unbind code in xsk_unbind_dev() starts by setting xs->state to XSK_UNBOUND, sets xs->dev to NULL and then waits for any NAPI processing to terminate using synchronize_net(). After that, the release code starts to tear down the socket state and free allocated memory. BUG: kernel NULL pointer dereference, address: 00000000000000c0 PGD 8000000932469067 P4D 8000000932469067 PUD 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 25 PID: 69132 Comm: grpcpp_sync_ser Tainted: G I 5.16.0+ #2 Hardware name: Dell Inc. PowerEdge R730/0599V5, BIOS 1.2.10 03/09/2015 RIP: 0010:__xsk_sendmsg+0x2c/0x690 [...] RSP: 0018:ffffa2348bd13d50 EFLAGS: 00010246 RAX: 0000000000000000 RBX: 0000000000000040 RCX: ffff8d5fc632d258 RDX: 0000000000400000 RSI: ffffa2348bd13e10 RDI: ffff8d5fc5489800 RBP: ffffa2348bd13db0 R08: 0000000000000000 R09: 00007ffffffff000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8d5fc5489800 R13: ffff8d5fcb0f5140 R14: ffff8d5fcb0f5140 R15: 0000000000000000 FS: 00007f991cff9400(0000) GS:ffff8d6f1f700000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000000000c0 CR3: 0000000114888005 CR4: 00000000001706e0 Call Trace: ? aa_sk_perm+0x43/0x1b0 xsk_sendmsg+0xf0/0x110 sock_sendmsg+0x65/0x70 __sys_sendto+0x113/0x190 ? debug_smp_processor_id+0x17/0x20 ? fpregs_assert_state_consistent+0x23/0x50 ? exit_to_user_mode_prepare+0xa5/0x1d0 __x64_sys_sendto+0x29/0x30 do_syscall_64+0x3b/0xc0 entry_SYSCALL_64_after_hwframe+0x44/0xae There are two problems with the current code. First, setting xs->dev to NULL before waiting for all users to stop using the socket is not correct. The entry to the data plane functions xsk_poll(), xsk_sendmsg(), and xsk_recvmsg() are all guarded by a test that xs->state is in the state XSK_BOUND and if not, it returns right away. But one process might have passed this test but still have not gotten to the point in which it uses xs->dev in the code. In this interim, a second process executing xsk_unbind_dev() might have set xs->dev to NULL which will lead to a crash for the first process. The solution here is just to get rid of this NULL assignment since it is not used anymore. Before commit 42fddcc7c64b ("xsk: use state member for socket synchronization"), xs->dev was the gatekeeper to admit processes into the data plane functions, but it was replaced with the state variable xs->state in the aforementioned commit. The second problem is that synchronize_net() does not wait for any process in xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() to complete, which means that the state they rely on might be cleaned up prematurely. This can happen when the notifier gets called (at driver unload for example) as it uses xsk_unbind_dev(). Solve this by extending the RCU critical region from just the ndo_xsk_wakeup to the whole functions mentioned above, so that both the test of xs->state == XSK_BOUND and the last use of any member of xs is covered by the RCU critical section. This will guarantee that when synchronize_net() completes, there will be no processes left executing xsk_poll(), xsk_sendmsg(), or xsk_recvmsg() and state can be cleaned up safely. Note that we need to drop the RCU lock for the skb xmit path as it uses functions that might sleep. Due to this, we have to retest the xs->state after we grab the mutex that protects the skb xmit code from, among a number of things, an xsk_unbind_dev() being executed from the notifier at the same time. Fixes: 42fddcc7c64b ("xsk: use state member for socket synchronization") Reported-by: Elza Mathew Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20220228094552.10134-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit b7abdabadd8d787a0a1d2d1d05eff59b1eafea2c Author: Hou Tao Date: Sat Feb 26 20:19:06 2022 +0800 bpf, arm64: Feed byte-offset into bpf line info [ Upstream commit dda7596c109fc382876118627e29db7607cde35d ] insn_to_jit_off passed to bpf_prog_fill_jited_linfo() is calculated in instruction granularity instead of bytes granularity, but BPF line info requires byte offset. bpf_prog_fill_jited_linfo() will be the last user of ctx.offset before it is freed, so convert the offset into byte-offset before calling into bpf_prog_fill_jited_linfo() in order to fix the line info dump on arm64. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Suggested-by: Daniel Borkmann Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-3-houtao1@huawei.com Signed-off-by: Sasha Levin commit bde52f3c0c60b835e16bcbcce4c55e3cf9a0884f Author: Hou Tao Date: Sat Feb 26 20:19:05 2022 +0800 bpf, arm64: Call build_prologue() first in first JIT pass [ Upstream commit 68e4f238b0e9d3670a1612ad900a6e98b2b3f7dd ] BPF line info needs ctx->offset to be the instruction offset in the whole JITed image instead of the body itself, so also call build_prologue() first in first JIT pass. Fixes: 37ab566c178d ("bpf: arm64: Enable arm64 jit to provide bpf_line_info") Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220226121906.5709-2-houtao1@huawei.com Signed-off-by: Sasha Levin commit eb5624f274b10b8b253560be21ea782d10e671d6 Author: Nishanth Menon Date: Tue Sep 21 12:40:59 2021 -0500 drm/bridge: cdns-dsi: Make sure to to create proper aliases for dt [ Upstream commit ffb5c099aaa13ab7f73c29ea6ae26bce8d7575ae ] Add MODULE_DEVICE_TABLE to the device tree table to create required aliases needed for module to be loaded with device tree based platform. Fixes: e19233955d9e ("drm/bridge: Add Cadence DSI driver") Signed-off-by: Nishanth Menon Reviewed-by: Tomi Valkeinen Reviewed-by: Laurent Pinchart Signed-off-by: Tomi Valkeinen Link: https://patchwork.freedesktop.org/patch/msgid/20210921174059.17946-1-nm@ti.com Signed-off-by: Sasha Levin commit 4cad7db4064e00093ace88b7be2cafd0a91673b3 Author: Xiang Chen Date: Thu Feb 24 19:51:24 2022 +0800 scsi: hisi_sas: Change permission of parameter prot_mask [ Upstream commit c4e070457a93705e56ed06b3910d9e5fe56d3be3 ] Currently the permission of parameter prot_mask is 0x0, which means that the member does not appear in sysfs. Change it as other module parameters to 0444 for world-readable. [mkp: s/v3/v2/] Link: https://lore.kernel.org/r/1645703489-87194-2-git-send-email-john.garry@huawei.com Fixes: d6a9000b81be ("scsi: hisi_sas: Add support for DIF feature for v2 hw") Reported-by: Yihang Li Signed-off-by: Xiang Chen Signed-off-by: John Garry Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 15f87b50750d92d0c6639d2f510330d5f183e4da Author: Hans de Goede Date: Sat Feb 12 17:48:16 2022 +0100 power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return [ Upstream commit f7731754fdce33dad19be746f647d6ac47c5d695 ] The datasheet says that the BQ24190_REG_POC_CHG_CONFIG bits can have a value of either 10(0x2) or 11(0x3) for OTG (5V boost regulator) mode. Sofar bq24190_vbus_is_enabled() was only checking for 10 but some BIOS-es uses 11 when enabling the regulator at boot. Make bq24190_vbus_is_enabled() also check for 11 so that it does not wrongly returns false when the bits are set to 11. Fixes: 66b6bef2c4e0 ("power: supply: bq24190_charger: Export 5V boost converter as regulator") Cc: Bastien Nocera Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit cd78b74031cbc94133965f1017deb822657fc1a6 Author: Miaoqian Lin Date: Mon Jan 10 06:53:16 2022 +0000 drm/tegra: Fix reference leak in tegra_dsi_ganged_probe [ Upstream commit 221e3638feb8bc42143833c9a704fa89b6c366bb ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add put_device() call to fix this. Fixes: e94236cde4d5 ("drm/tegra: dsi: Add ganged mode support") Signed-off-by: Miaoqian Lin Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9b30cc5d313b64b56ce6da7cfe30366c291a0d82 Author: Zhang Yi Date: Sat Feb 12 13:05:32 2022 +0800 ext2: correct max file size computing [ Upstream commit 50b3a818991074177a56c87124c7a7bdf5fa4f67 ] We need to calculate the max file size accurately if the total blocks that can address by block tree exceed the upper_limit. But this check is not correct now, it only compute the total data blocks but missing metadata blocks are needed. So in the case of "data blocks < upper_limit && total blocks > upper_limit", we will get wrong result. Fortunately, this case could not happen in reality, but it's confused and better to correct the computing. bits data blocks metadatablocks upper_limit 10 16843020 66051 2147483647 11 134480396 263171 1073741823 12 1074791436 1050627 536870911 (*) 13 8594130956 4198403 268435455 (*) 14 68736258060 16785411 134217727 (*) 15 549822930956 67125251 67108863 (*) 16 4398314962956 268468227 33554431 (*) [*] Need to calculate in depth. Fixes: 1c2d14212b15 ("ext2: Fix underflow in ext2_max_size()") Link: https://lore.kernel.org/r/20220212050532.179055-1-yi.zhang@huawei.com Signed-off-by: Zhang Yi Signed-off-by: Jan Kara Signed-off-by: Sasha Levin commit 24a46253365cbb7c095970d182b51c5478871c75 Author: MeiChia Chiu Date: Tue Feb 15 16:48:58 2022 +0800 mt76: mt7915: fix the muru tlv issue [ Upstream commit d98a72725bc96c98f68eac12e5a91ec349322c88 ] The muru enable/disable are only set after the first station connection. Without this patch, the firmware couldn't enable muru if the first connected station is non-HE type. Fixes: 16bff457dd33a ("mt76: mt7915: rework mt7915_mcu_sta_muru_tlv()") Reviewed-by: Ryder Lee Signed-off-by: MeiChia Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 37ceb7e6fbcf608661af10308de272bbad4e0366 Author: Christophe JAILLET Date: Sun Feb 13 18:07:03 2022 +0100 power: supply: sbs-charger: Don't cancel work that is not initialized [ Upstream commit de85193cff0d94d030a53656d8fcc41794807bef ] This driver can use an interrupt or polling in order get the charger's status. When using polling, a delayed work is used. However, the remove() function unconditionally call cancel_delayed_work_sync(), even if the delayed work is not used and is not initialized. In order to fix it, use devm_delayed_work_autocancel() and remove the now useless remove() function. Fixes: feb583e37f8a ("power: supply: add sbs-charger driver") Signed-off-by: Christophe JAILLET Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 5879eb57587aef69d72514c83be782b56f140fd1 Author: Randy Dunlap Date: Tue Feb 22 13:45:33 2022 -0800 TOMOYO: fix __setup handlers return values [ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ] __setup() handlers should return 1 if the parameter is handled. Returning 0 causes the entire string to be added to init's environment strings (limited to 32 strings), unnecessarily polluting it. Using the documented strings "TOMOYO_loader=string1" and "TOMOYO_trigger=string2" causes an Unknown parameter message: Unknown kernel command line parameters "BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \ TOMOYO_trigger=string2", will be passed to user space. and these strings are added to init's environment string space: Run /sbin/init as init process with arguments: /sbin/init with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 TOMOYO_trigger=string2 With this change, these __setup handlers act as expected, and init's environment is not polluted with these strings. Fixes: 0e4ae0e0dec63 ("TOMOYO: Make several options configurable.") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: James Morris Cc: Kentaro Takeda Cc: tomoyo-dev-en@lists.osdn.me Cc: "Serge E. Hallyn" Signed-off-by: Tetsuo Handa Signed-off-by: Sasha Levin commit 67193fa433b402850c525091db00a15862d455d0 Author: Maíra Canal Date: Tue Feb 22 10:16:57 2022 -0300 drm/amd/display: Remove vupdate_int_entry definition [ Upstream commit 3679b8518cd213c25d555553ef212e233faf698c ] Remove the vupdate_int_entry definition and utilization to avoid the following warning by Clang: drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:410:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(0), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:404:2: note: previous initialization is here vupdate_int_entry(0), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:411:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(1), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:405:2: note: previous initialization is here vupdate_int_entry(1), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:412:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(2), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:406:2: note: previous initialization is here vupdate_int_entry(2), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:413:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(3), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:407:2: note: previous initialization is here vupdate_int_entry(3), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:414:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(4), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:408:2: note: previous initialization is here vupdate_int_entry(4), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:415:2: warning: initializer overrides prior initialization of this subobject [-Winitializer-overrides] vupdate_no_lock_int_entry(5), ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:280:39: note: expanded from macro 'vupdate_no_lock_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:409:2: note: previous initialization is here vupdate_int_entry(5), ^~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/amd/amdgpu/../display/dc/irq/dcn21/irq_service_dcn21.c:269:39: note: expanded from macro 'vupdate_int_entry' [DC_IRQ_SOURCE_VUPDATE1 + reg_num] = {\ ^~ 6 warnings generated. Fixes: 688f97ed3f5e ("drm/amd/display: Add vupdate_no_lock interrupts for DCN2.1") Signed-off-by: Maíra Canal Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 8bb42130f90cbaf777da534e73e727b913bff908 Author: Aharon Landau Date: Tue Feb 15 19:55:30 2022 +0200 RDMA/mlx5: Fix the flow of a miss in the allocation of a cache ODP MR [ Upstream commit 2f0e60d5e9f96341a0c8a01be8878cdb3b29ff20 ] When an ODP MR cache entry is empty and trying to allocate it, increment the ent->miss counter and call to queue_adjust_cache_locked() to verify the entry is balanced. Fixes: aad719dcf379 ("RDMA/mlx5: Allow MRs to be created in the cache synchronously") Link: https://lore.kernel.org/r/09503e295276dcacc92cb1d8aef1ad0961c99dc1.1644947594.git.leonro@nvidia.com Signed-off-by: Aharon Landau Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit eb65e64dd4aa1884d86bb8c767b5db166c5190f0 Author: Luiz Angelo Daros de Luca Date: Fri Jan 28 03:04:58 2022 -0300 net: dsa: realtek-smi: move to subdirectory [ Upstream commit 319a70a5fea9590e9431dd57f56191996c4787f4 ] Signed-off-by: Luiz Angelo Daros de Luca Tested-by: Arınç ÜNAL Reviewed-by: Alvin Šipraga Reviewed-by: Linus Walleij Reviewed-by: Florian Fainelli Reviewed-by: Vladimir Oltean Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4ab39ef318079a9ac2be2e35d13222ed2e174bf3 Author: Luiz Angelo Daros de Luca Date: Fri Jan 28 03:04:57 2022 -0300 net: dsa: realtek-smi: fix kdoc warnings [ Upstream commit 0f0c6da03ba37739901ca5db4361c1ef1ae9463f ] Removed kdoc mark for incomplete struct description. Added a return description for rtl8366rb_drop_untagged. Signed-off-by: Luiz Angelo Daros de Luca Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b1a693e58106bf3e1730dafb646cc8ac4573b636 Author: Deren Wu Date: Wed Feb 9 09:40:27 2022 +0800 mt76: mt7921s: fix missing fc type/sub-type for 802.11 pkts [ Upstream commit 355c060d5f38a784822d544e969121a273bcf545 ] For non-mmio devices, should set fc values to proper txwi config Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Tested-by: Sean Wang Co-developed-by: Leon Yen Signed-off-by: Leon Yen Signed-off-by: Deren Wu Acked-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 326d894adf89f3c707b7784becbe241830daaab6 Author: Damien Le Moal Date: Sun Feb 20 12:17:55 2022 +0900 scsi: pm8001: Fix abort all task initialization [ Upstream commit 7f12845c8389855dbcc67baa068b6832dc4a396e ] In pm80xx_send_abort_all(), the n_elem field of the ccb used is not initialized to 0. This missing initialization sometimes lead to the task completion path seeing the ccb with a non-zero n_elem resulting in the execution of invalid dma_unmap_sg() calls in pm8001_ccb_task_free(), causing a crash such as: [ 197.676341] RIP: 0010:iommu_dma_unmap_sg+0x6d/0x280 [ 197.700204] RSP: 0018:ffff889bbcf89c88 EFLAGS: 00010012 [ 197.705485] RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff83d0bda0 [ 197.712687] RDX: 0000000000000002 RSI: 0000000000000000 RDI: ffff88810dffc0d0 [ 197.719887] RBP: 0000000000000000 R08: 0000000000000000 R09: ffff8881c790098b [ 197.727089] R10: ffffed1038f20131 R11: 0000000000000001 R12: 0000000000000000 [ 197.734296] R13: ffff88810dffc0d0 R14: 0000000000000010 R15: 0000000000000000 [ 197.741493] FS: 0000000000000000(0000) GS:ffff889bbcf80000(0000) knlGS:0000000000000000 [ 197.749659] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 197.755459] CR2: 00007f16c1b42734 CR3: 0000000004814000 CR4: 0000000000350ee0 [ 197.762656] Call Trace: [ 197.765127] [ 197.767162] pm8001_ccb_task_free+0x5f1/0x820 [pm80xx] [ 197.772364] ? do_raw_spin_unlock+0x54/0x220 [ 197.776680] pm8001_mpi_task_abort_resp+0x2ce/0x4f0 [pm80xx] [ 197.782406] process_oq+0xe85/0x7890 [pm80xx] [ 197.786817] ? lock_acquire+0x194/0x490 [ 197.790697] ? handle_irq_event+0x10e/0x1b0 [ 197.794920] ? mpi_sata_completion+0x2d70/0x2d70 [pm80xx] [ 197.800378] ? __wake_up_bit+0x100/0x100 [ 197.804340] ? lock_is_held_type+0x98/0x110 [ 197.808565] pm80xx_chip_isr+0x94/0x130 [pm80xx] [ 197.813243] tasklet_action_common.constprop.0+0x24b/0x2f0 [ 197.818785] __do_softirq+0x1b5/0x82d [ 197.822485] ? do_raw_spin_unlock+0x54/0x220 [ 197.826799] __irq_exit_rcu+0x17e/0x1e0 [ 197.830678] irq_exit_rcu+0xa/0x20 [ 197.834114] common_interrupt+0x78/0x90 [ 197.840051] [ 197.844236] [ 197.848397] asm_common_interrupt+0x1e/0x40 Avoid this issue by always initializing the ccb n_elem field to 0 in pm8001_send_abort_all(), pm8001_send_read_log() and pm80xx_send_abort_all(). Link: https://lore.kernel.org/r/20220220031810.738362-17-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4c3ce4a13af474c1aab4a1f33bfa489618eec33d Author: Damien Le Moal Date: Sun Feb 20 12:17:54 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command completion handling [ Upstream commit 1d6736c3e162061dc811c76e605f35ef3234bffa ] NCQ NON DATA is an NCQ command with the DMA_NONE DMA direction and so a register-device-to-host-FIS response is expected for it. However, for an IO_SUCCESS case, mpi_sata_completion() expects a set-device-bits-FIS for any ata task with an use_ncq field true, which includes NCQ NON DATA commands. Fix this to correctly treat NCQ NON DATA commands as non-data by also testing for the DMA_NONE DMA direction. Link: https://lore.kernel.org/r/20220220031810.738362-16-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 2879647beddfda36954d21955a0451a40ec53300 Author: Damien Le Moal Date: Sun Feb 20 12:17:53 2022 +0900 scsi: pm8001: Fix NCQ NON DATA command task initialization [ Upstream commit aa028141ab0bc62c44a84d42f09db35d82df82a2 ] In the pm8001_chip_sata_req() and pm80xx_chip_sata_req() functions, all tasks with a DMA direction of DMA_NONE (no data transfer) are initialized using the ATAP value 0x04. However, NCQ NON DATA commands, while being DMA_NONE commands are NCQ commands and need to be initialized using the value 0x07 for ATAP, similarly to other NCQ commands. Make sure that NCQ NON DATA command tasks are initialized similarly to other NCQ commands by also testing the task "use_ncq" field in addition to the DMA direction. While at it, reorganize the code into a chain of if - else if - else to avoid useless affectations and debug messages. Link: https://lore.kernel.org/r/20220220031810.738362-15-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a572a94948f60d64cd27fc567d549b4ec59a148a Author: Damien Le Moal Date: Sun Feb 20 12:17:50 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_sata_req() [ Upstream commit fd6d0e376211d7ed759db96b0fbd9a1cee67d462 ] Make sure that the __le32 fields of struct sata_cmd are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, fix some code identation and add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-12-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4f65665c60eeb9eaf558f3f1ac2e32c4a7853983 Author: Damien Le Moal Date: Sun Feb 20 12:17:49 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_chip_ssp_io_req() [ Upstream commit 970404cc5744b1033b6ee601be4ef0e2d1fbcf72 ] Make sure that the __le32 fields of struct ssp_ini_io_start_req are manipulated after applying the correct endian conversion. That is, use cpu_to_le32() for assigning values and le32_to_cpu() for consulting a field value. In particular, make sure that the calculations for the 4G boundary check are done using CPU endianness and *not* little endian values. With these fixes, many sparse warnings are removed. While at it, add blank lines after variable declarations and in some other places to make this code more readable. Link: https://lore.kernel.org/r/20220220031810.738362-11-damien.lemoal@opensource.wdc.com Fixes: 0ecdf00ba6e5 ("[SCSI] pm80xx: 4G boundary fix.") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8bc597987a579f36cfe3bff83bbeedfdeb698fe0 Author: Damien Le Moal Date: Sun Feb 20 12:17:48 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_encrypt_update() [ Upstream commit f8b12dfb476dad38ce755aaf5e2df46f06f1822e ] All fields of the kek_mgmt_req structure have the type __le32. So make sure to use cpu_to_le32() to initialize them. This suppresses the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] new_curidx_ksop got int Link: https://lore.kernel.org/r/20220220031810.738362-10-damien.lemoal@opensource.wdc.com Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit a0381df41c3f68b193229ad15e94f7db9b8d1642 Author: Damien Le Moal Date: Sun Feb 20 12:17:47 2022 +0900 scsi: pm8001: Fix le32 values handling in pm80xx_set_sas_protocol_timer_config() [ Upstream commit ca374f5d92b8ae778f6a37dd3e7ed809bbf7a953 ] All fields of the SASProtocolTimerConfig structure have the __le32 type. As such, use cpu_to_le32() to initialize them. This change suppresses many sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [usertype] pageCode got int Note that the check to limit the value of the STP_IDLE_TMO field is removed as this field is initialized using the fixed (and small) value defined by the STP_IDLE_TIME macro. The pm8001_dbg() calls printing the values of the SASProtocolTimerConfig structure fileds are changed to use le32_to_cpu() to present the values in human readable form. Link: https://lore.kernel.org/r/20220220031810.738362-9-damien.lemoal@opensource.wdc.com Fixes: a6cb3d012b98 ("[SCSI] pm80xx: thermal, sas controller config and error handling update") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 39fa721599410d548371bf7c2ca36e8addb5c5d5 Author: Damien Le Moal Date: Sun Feb 20 12:17:46 2022 +0900 scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config() [ Upstream commit bb225b12dbcc82d53d637d10b8d70b64494f8c16 ] The fields of the set_ctrl_cfg_req structure have the __le32 type, so use cpu_to_le32() to assign them. This removes the sparse warnings: warning: incorrect type in assignment (different base types) expected restricted __le32 got unsigned int Link: https://lore.kernel.org/r/20220220031810.738362-8-damien.lemoal@opensource.wdc.com Fixes: 842784e0d15b ("pm80xx: Update For Thermal Page Code") Fixes: f5860992db55 ("[SCSI] pm80xx: Added SPCv/ve specific hardware functionalities and relevant changes in common files") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9b5226185db43cf40a81b946dca63aef4dfd5a92 Author: Damien Le Moal Date: Sun Feb 20 12:17:45 2022 +0900 scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req() [ Upstream commit cd2268a180117aa8ebb23e090ba204324b2d0e93 ] The ds_ads_m field of struct ssp_ini_tm_start_req has the type __le32. Assigning a value to it should thus use cpu_to_le32(). This fixes the sparse warning: warning: incorrect type in assignment (different base types) expected restricted __le32 [addressable] [assigned] [usertype] ds_ads_m got int Link: https://lore.kernel.org/r/20220220031810.738362-7-damien.lemoal@opensource.wdc.com Fixes: dbf9bfe61571 ("[SCSI] pm8001: add SAS/SATA HBA driver") Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit b3193ed94d694742e5bc59742e9b6e90e4084260 Author: Damien Le Moal Date: Sun Feb 20 12:17:43 2022 +0900 scsi: pm8001: Fix command initialization in pm80XX_send_read_log() [ Upstream commit 1a37b6738b58d86f6b144b3fc754ace0f2e0166d ] Since the sata_cmd struct is zeroed out before its fields are initialized, there is no need for using "|=" to initialize the ncqtag_atap_dir_m field. Using a standard assignment removes the sparse warning: warning: invalid assignment: |= Also, since the ncqtag_atap_dir_m field has type __le32, use cpu_to_le32() to generate the assigned value. Link: https://lore.kernel.org/r/20220220031810.738362-5-damien.lemoal@opensource.wdc.com Fixes: c6b9ef5779c3 ("[SCSI] pm80xx: NCQ error handling changes") Reviewed-by: John Garry Reviewed-by: Jack Wang Signed-off-by: Damien Le Moal Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 6eb3868b5b2e1014d5b721388008a3f18ea46030 Author: Bart Van Assche Date: Fri Feb 18 11:50:49 2022 -0800 scsi: fnic: Fix a tracing statement [ Upstream commit 3032ed77a28913203a4fe0ab8f05752331af79b3 ] Report both the command flags and command state instead of only the command state. Link: https://lore.kernel.org/r/20220218195117.25689-22-bvanassche@acm.org Fixes: 4d7007b49d52 ("[SCSI] fnic: Fnic Trace Utility") Cc: Hiral Patel Reviewed-by: Hannes Reinecke Reviewed-by: Himanshu Madhani Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 82b4afbccfa12e29e64417fe197734e9bcd71091 Author: Abhishek Sahu Date: Thu Feb 17 17:51:07 2022 +0530 vfio/pci: wake-up devices around reset functions [ Upstream commit 26a17b12d7f3dd8a7aa45a290e5b46e9cc775ddf ] If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For reset-related functionalities, vfio driver uses PCI reset API's. These API's internally change the PCI power state back to D0 first if the device power state is non-D0. This state change to D0 will happen without the involvement of vfio driver. Let's consider the following example: 1. The device is in D3hot. 2. User invokes VFIO_DEVICE_RESET ioctl. 3. pci_try_reset_function() will be called which internally invokes pci_dev_save_and_disable(). 4. pci_set_power_state(dev, PCI_D0) will be called first. 5. pci_save_state() will happen then. Now, for the devices which has NoSoftRst-, the pci_set_power_state() can trigger soft reset and the original PCI config state will be lost at step (4) and this state cannot be restored again. This original PCI state can include any setting which is performed by SBIOS or host linux kernel (for example LTR, ASPM L1 substates, etc.). When this soft reset will be triggered, then all these settings will be reset, and the device state saved at step (5) will also have this setting cleared so it cannot be restored. Since the vfio driver only exposes limited PCI capabilities to its user, so the vfio driver user also won't have the option to save and restore these capabilities state either and these original settings will be permanently lost. For pci_reset_bus() also, we can have the above situation. The other functions/devices can be in D3hot and the reset will change the power state of all devices to D0 without the involvement of vfio driver. So, before calling any reset-related API's, we need to make sure that the device state is D0. This is mainly to preserve the state around soft reset. For vfio_pci_core_disable(), we use __pci_reset_function_locked() which internally can use pci_pm_reset() for the function reset. pci_pm_reset() requires the device power state to be in D0, otherwise it returns error. This patch changes the device power state to D0 by invoking vfio_pci_set_power_state() explicitly before calling any reset related API's. Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition") Signed-off-by: Abhishek Sahu Link: https://lore.kernel.org/r/20220217122107.22434-3-abhsahu@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 26ddd196e9eb264da8e1bdc4df8a94d62581c8b5 Author: Abhishek Sahu Date: Thu Feb 17 17:51:06 2022 +0530 vfio/pci: fix memory leak during D3hot to D0 transition [ Upstream commit eadf88ecf6ac7d6a9f47a76c6055d9a1987a8991 ] If 'vfio_pci_core_device::needs_pm_restore' is set (PCI device does not have No_Soft_Reset bit set in its PMCSR config register), then the current PCI state will be saved locally in 'vfio_pci_core_device::pm_save' during D0->D3hot transition and same will be restored back during D3hot->D0 transition. For saving the PCI state locally, pci_store_saved_state() is being used and the pci_load_and_free_saved_state() will free the allocated memory. But for reset related IOCTLs, vfio driver calls PCI reset-related API's which will internally change the PCI power state back to D0. So, when the guest resumes, then it will get the current state as D0 and it will skip the call to vfio_pci_set_power_state() for changing the power state to D0 explicitly. In this case, the memory pointed by 'pm_save' will never be freed. In a malicious sequence, the state changing to D3hot followed by VFIO_DEVICE_RESET/VFIO_DEVICE_PCI_HOT_RESET can be run in a loop and it can cause an OOM situation. This patch frees the earlier allocated memory first before overwriting 'pm_save' to prevent the mentioned memory leak. Fixes: 51ef3a004b1e ("vfio/pci: Restore device state on PM transition") Signed-off-by: Abhishek Sahu Link: https://lore.kernel.org/r/20220217122107.22434-2-abhsahu@nvidia.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 24bbb15b40a20b1dc49fbe91338710b29fad0158 Author: Aashish Sharma Date: Fri Feb 11 12:15:38 2022 +0000 dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS [ Upstream commit 6fc51504388c1a1a53db8faafe9fff78fccc7c87 ] Explicitly convert unsigned int in the right of the conditional expression to int to match the left side operand and the return type, fixing the following compiler warning: drivers/md/dm-crypt.c:2593:43: warning: signed and unsigned type in conditional expression [-Wsign-compare] Fixes: c538f6ec9f56 ("dm crypt: add ability to use keys from the kernel key retention service") Signed-off-by: Aashish Sharma Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 2b908375a70aec1c4c3be4f69779b7590fbb4634 Author: Rameshkumar Sundaram Date: Wed Feb 16 14:02:34 2022 +0530 ath11k: Invalidate cached reo ring entry before accessing it [ Upstream commit f2180ccb52b5fd0876291ad2df37e2898cac18cf ] REO2SW ring descriptor is currently allocated in cacheable memory. While reaping reo ring entries on second trial after updating head pointer, first entry is not invalidated before accessing it. This results in host reaping and using cached descriptor which is already overwritten in memory by DMA device (HW). Since the contents of descriptor(buffer id, peer info and other information bits) are outdated host throws errors like below while parsing corresponding MSDU's and drops them. [347712.048904] ath11k_pci 0004:01:00.0: msdu_done bit in attention is not set [349173.355503] ath11k_pci 0004:01:00.0: frame rx with invalid buf_id 962 Move the try_again: label above ath11k_hal_srng_access_begin() so that first entry will be invalidated and prefetched. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Fixes: 6452f0a3d565 ("ath11k: allocate dst ring descriptors from cacheable memory") Signed-off-by: Rameshkumar Sundaram Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1645000354-32558-1-git-send-email-quic_ramess@quicinc.com Signed-off-by: Sasha Levin commit 8adb14be6d2548d2cd680e4c48d3935d624f2de6 Author: P Praneesh Date: Fri Nov 12 11:02:18 2021 +0200 ath11k: avoid active pdev check for each msdu [ Upstream commit c4d12cb37ea2e6c2b70880350d7bf1bbbd825c6c ] The Active Pdev and CAC check are done for each msdu in ath11k_dp_rx_process_received_packets which is a overhead. To avoid this overhead, collect all msdus in a per mac msdu list and pass to function. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.4.0.1.r2-00012-QCAHKSWPL_SILICONZ-1 Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.4.0.1-01695-QCAHKSWPL_SILICONZ-1 Co-developed-by: Sriram R Signed-off-by: Sriram R Signed-off-by: Jouni Malinen Signed-off-by: P Praneesh Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1630560820-21905-6-git-send-email-ppranees@codeaurora.org Signed-off-by: Sasha Levin commit cf584e960c6ed3d81819ce6eedf2fb2a2fe2e52c Author: Alexander Lobakin Date: Fri Feb 18 13:50:33 2022 -0800 i40e: remove dead stores on XSK hotpath [ Upstream commit 7e1b54d07751edcbf23c7211508abf5667b490ee ] The 'if (ntu == rx_ring->count)' block in i40e_alloc_rx_buffers_zc() was previously residing in the loop, but after introducing the batched interface it is used only to wrap-around the NTU descriptor, thus no more need to assign 'xdp'. 'cleaned_count' in i40e_clean_rx_irq_zc() was previously being incremented in the loop, but after commit f12738b6ec06 ("i40e: remove unnecessary cleaned_count updates") it gets assigned only once after it, so the initialization can be dropped. Fixes: 6aab0bb0c5cd ("i40e: Use the xsk batched rx allocation interface") Fixes: f12738b6ec06 ("i40e: remove unnecessary cleaned_count updates") Signed-off-by: Alexander Lobakin Acked-by: Maciej Fijalkowski Tested-by: George Kuruvinakunnel Signed-off-by: Tony Nguyen Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 53a52e8932ab53fb34d684d9fab88ecd95e8bdef Author: Dmitry Baryshkov Date: Thu Feb 17 06:53:52 2022 +0300 drm/msm/dpu: fix dp audio condition [ Upstream commit 1e0505a5a7a2fea243f8e6d7e13fcde65f9e41bc ] DP audio enablement code which is comparing intf_type, DRM_MODE_ENCODER_TMDS (= 2) with DRM_MODE_CONNECTOR_DisplayPort (= 10). Which would never succeed. Fix it to check for DRM_MODE_ENCODER_TMDS. Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM") Reviewed-by: Abhinav Kumar Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220217035358.465904-2-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 5c26101b5ec6770116aefaaf4b3fa0e19eb224f6 Author: Dmitry Baryshkov Date: Sat Jan 22 00:06:14 2022 +0300 drm/msm/dpu: add DSPP blocks teardown [ Upstream commit d5c5e78f217172e87d8fb2c3418dd8b58b4adfcb ] Add missing calls to dpu_hw_dspp_destroy() to free resources allocated for DSPP hardware blocks. Fixes: e47616df008b ("drm/msm/dpu: add support for color processing blocks in dpu driver") Signed-off-by: Dmitry Baryshkov Reviewed-by: Stephen Boyd Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20220121210618.3482550-3-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 195b4dbf7335c0fb8966f9ead960e3566007f040 Author: Dmitry Baryshkov Date: Thu Feb 17 03:08:37 2022 +0300 drm/msm/dsi/phy: fix 7nm v4.0 settings for C-PHY mode [ Upstream commit bb07af2ed2a47dc6c4d0681f275bb27d4f845465 ] The dsi_7nm_phy_enable() disagrees with downstream for glbl_str_swi_cal_sel_ctrl and glbl_hstx_str_ctrl_0 values. Update programmed settings to match downstream driver. To remove the possibility for such errors in future drop less_than_1500_mhz assignment and specify settings explicitly. Fixes: 5ac178381d26 ("drm/msm/dsi: support CPHY mode for 7nm pll/phy") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Link: https://lore.kernel.org/r/20220217000837.435340-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit f955ab8046a99b4da9ddc5c55b3ed80de1503df5 Author: Marijn Suijten Date: Sat Sep 11 15:19:20 2021 +0200 drm/msm/dsi: Use "ref" fw clock instead of global name for VCO parent [ Upstream commit 3a3ee71bd8e14c5e852c71f317eebfda8f88dff0 ] All DSI PHY/PLL drivers were referencing their VCO parent clock by a global name, most of which don't exist or have been renamed. These clock drivers seem to function fine without that except the 14nm driver for sdm6xx [1]. At the same time all DTs provide a "ref" clock as per the requirements of dsi-phy-common.yaml, but the clock is never used. This patchset puts that clock to use without relying on a global clock name, so that all dependencies are explicitly defined in DT (the firmware) in the end. Note that this patch intentionally breaks older firmware (DT) that relies on the clock to be found globally instead. The only affected platform is msm8974 [2] for whose dsi_phy_28nm a .name="xo" fallback is left in place to accommodate a more graceful transition period. All other platforms had the "ref" clock added to their phy node since its inception, or in a followup patch some time after. These patches wrongly assumed that the "ref" clock was actively used and have hence been listed as "Fixes:" below. Furthermore apq8064 was providing the wrong 19.2MHz cxo instead of 27MHz pxo clock, which has been addressed in [3]. It is expected that both [2] and [3] are applied to the tree well in advance of this patch such that any actual breakage is extremely unlikely, but might still occur if kernel upgrades are performed without the DT to match. After some time the fallback for msm8974 can be removed again as well. [1]: https://lore.kernel.org/linux-arm-msm/386db1a6-a1cd-3c7d-a88e-dc83f8a1be96@somainline.org/ [2]: https://lore.kernel.org/linux-arm-msm/20210830175739.143401-1-marijn.suijten@somainline.org/ [3]: https://lore.kernel.org/linux-arm-msm/20210829203027.276143-2-marijn.suijten@somainline.org/ Fixes: 79e51645a1dd ("arm64: dts: qcom: msm8916: Set 'xo_board' as ref clock of the DSI PHY") Fixes: 6969d1d9c615 ("ARM: dts: qcom-apq8064: Set 'cxo_board' as ref clock of the DSI PHY") Fixes: 0c0e72705a33 ("arm64: dts: sdm845: Set 'bi_tcxo' as ref clock of the DSI PHYs") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20210911131922.387964-2-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 73850aa94ea748b7c848f8b3425e95922e647347 Author: Kuogee Hsieh Date: Mon Jan 24 15:17:54 2022 -0800 drm/msm/dp: always add fail-safe mode into connector mode list [ Upstream commit d4aca422539c441a7f3fec749287b36de37d9b6b ] Some of DP link compliant test expects to return fail-safe mode if prefer detailed timing mode can not be supported by mainlink's lane and rate after link training. Therefore add fail-safe mode into connector mode list as backup mode. This patch fixes test case 4.2.2.1. Changes in v2: -- add Fixes text string Fixes: 4b85d405cfe9 ( "drm/msm/dp: reduce link rate if failed at link training 1") Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1643066274-25814-1-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 65d62819aa0998eb3435ebc7df741846b1dae549 Author: Kuogee Hsieh Date: Tue Jan 18 10:47:28 2022 -0800 drm/msm/dp: stop link training after link training 2 failed [ Upstream commit 9051d629dbf7a998a40f7eac65a9512b01bc3bb8 ] Each DP link training contains link training 1 followed by link training 2. There is maximum of 5 retries of DP link training before declared link training failed. It is required to stop link training at end of link training 2 if it is failed so that next link training 1 can start freshly. This patch fixes link compliance test case 4.3.1.13 (Source Device Link Training EQ Fallback Test). Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Fixes: 2e0adc765d88 ("drm/msm/dp: do not end dp link training until video is ready") Signed-off-by: Kuogee Hsieh Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-5-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit fbba600f432a360b42452fee79d1fb35d3aa8aeb Author: Kuogee Hsieh Date: Tue Jan 18 10:47:26 2022 -0800 drm/msm/dp: populate connector of struct dp_panel [ Upstream commit 5e602f5156910c7b19661699896cb6e3fb94fab9 ] DP CTS test case 4.2.2.6 has valid edid with bad checksum on purpose and expect DP source return correct checksum. During drm edid read, correct edid checksum is calculated and stored at connector::real_edid_checksum. The problem is struct dp_panel::connector never be assigned, instead the connector is stored in struct msm_dp::connector. When we run compliance testing test case 4.2.2.6 dp_panel_handle_sink_request() won't have a valid edid set in struct dp_panel::edid so we'll try to use the connectors real_edid_checksum and hit a NULL pointer dereference error because the connector pointer is never assigned. Changes in V2: -- populate panel connector at msm_dp_modeset_init() instead of at dp_panel_read_sink_caps() Changes in V3: -- remove unhelpful kernel crash trace commit text -- remove renaming dp_display parameter to dp Changes in V4: -- add more details to commit text Changes in v10: -- group into one series Changes in v11: -- drop drm/msm/dp: dp_link_parse_sink_count() return immediately if aux read Fixes: 7948fe12d47 ("drm/msm/dp: return correct edid checksum after corrupted edid checksum read") Signee-off-by: Kuogee Hsieh Reviewed-by: Bjorn Andersson Reviewed-by: Stephen Boyd Link: https://lore.kernel.org/r/1642531648-8448-3-git-send-email-quic_khsieh@quicinc.com Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit cdd79e4ddf19641a39550bd67ccb2babf4df6db2 Author: Amit Kumar Mahapatra Date: Wed Feb 9 11:04:27 2022 +0530 mtd: rawnand: pl353: Set the nand chip node as the flash node [ Upstream commit a1fe2ace2c39dcdc7c053705459a73b7598b1e4f ] In devicetree the flash information is embedded within nand chip node, so during nand chip initialization the nand chip node should be passed to nand_set_flash_node() api, instead of nand controller node. Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller") Signed-off-by: Amit Kumar Mahapatra Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220209053427.27676-1-amit.kumar-mahapatra@xilinx.com Signed-off-by: Sasha Levin commit df43a5b519558de55db822afe66e8aab61f6bad0 Author: Dan Carpenter Date: Mon Aug 16 21:39:30 2021 +0300 iwlwifi: mvm: Fix an error code in iwl_mvm_up() [ Upstream commit 583d18336abdfb1b355270289ff8f6a2608ba905 ] Return -ENODEV instead of success on this error path. Fixes: dd36a507c806 ("iwlwifi: mvm: look for the first supported channel when add/remove phy ctxt") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/20210816183930.GA2068@kili Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 22ed8cee319f54d98c6ffc37d7d9711cdd0fd817 Author: Colin Ian King Date: Tue Sep 7 11:46:58 2021 +0100 iwlwifi: Fix -EIO error code that is never returned [ Upstream commit c305c94bdc18e45b5ad1db54da4269f8cbfdff6b ] Currently the error -EIO is being assinged to variable ret when the READY_BIT is not set but the function iwlagn_mac_start returns 0 rather than ret. Fix this by returning ret instead of 0. Addresses-Coverity: ("Unused value") Fixes: 7335613ae27a ("iwlwifi: move all mac80211 related functions to one place") Signed-off-by: Colin Ian King Link: https://lore.kernel.org/r/20210907104658.14706-1-colin.king@canonical.com Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 15345b59dc761a0c5647d93ca789a340c463ad15 Author: Mukesh Sisodiya Date: Fri Feb 4 12:25:01 2022 +0200 iwlwifi: yoyo: Avoid using dram data if allocation failed [ Upstream commit e2d53d10ef666859517360e711fd7761e7e984ce ] The config set TLV setting depend on dram allocation and if allocation failed the data used in config set tlv should not set this. Adding the check if dram fragment is available or not. Signed-off-by: Mukesh Sisodiya Fixes: 1a5daead217c ("iwlwifi: yoyo: support for ROM usniffer") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220204122220.44835d181528.I3e78ba29c13bbeada017fcb2a620f3552c1dfa30@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 43ec5e56e6f3b5e31271f651522b56235b99c6af Author: Rotem Saado Date: Sat Jan 29 13:16:21 2022 +0200 iwlwifi: yoyo: remove DBGI_SRAM address reset writing [ Upstream commit ce014c9861544bb4e789323d0d8956a5ad262e25 ] Due to preg protection we cannot write to this register while FW is running (when FW in Halt it is ok). since we have some cases that we need to dump this region while FW is running remove this writing from DRV. FW will do this writing. Signed-off-by: Rotem Saado Fixes: 89639e06d0f3 ("iwlwifi: yoyo: support for new DBGI_SRAM region") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.209f3078bc74.I463530bd2f40daedb39f6d9df987bb7cee209033@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit b5cdbe2c3c51fe84f3745fbc08b80a8b73578e73 Author: Johannes Berg Date: Sat Jan 29 13:16:16 2022 +0200 iwlwifi: mvm: align locking in D3 test debugfs [ Upstream commit 59e1221f470c2e5d2f2d4c95153edd577a7071c5 ] Since commit a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") we're not only holding the RTNL when going in and out of suspend, but also the wiphy->mtx. Add that to the D3 test debugfs in iwlwifi since it's required for various calls to mac80211. Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") Signed-off-by: Johannes Berg Fixes: a05829a7222e ("cfg80211: avoid holding the RTNL when calling the driver") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.fcec0204e162.Ib73bf787ab4d83581de20eb89b1f8dbfcaaad0e3@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit 68fdc688b55ac240f733044531e4f12192775732 Author: Luca Coelho Date: Sat Jan 29 13:16:15 2022 +0200 iwlwifi: mvm: don't iterate unadded vifs when handling FW SMPS req [ Upstream commit 8a265d1a619c16400406c9d598411850ee104aed ] We may not have all the interfaces added to the driver when we get the THERMAL_DUAL_CHAIN_REQUEST notification from the FW, so instead of iterating all vifs to update SMPS, iterate only the ones that are already assigned. The interfaces that were not assigned yet, will be updated accordingly when we start using them. Signed-off-by: Luca Coelho Fixes: 2a7ce54ccc23 ("iwlwifi: mvm: honour firmware SMPS requests") Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220129105618.9416aade2ba0.I0b71142f89e3f158aa058a1dfb2517c8c1fa3726@changeid Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit de29913ffe00842815aec57d6229c61818914336 Author: Takashi Iwai Date: Fri Jan 21 12:40:24 2022 +0100 iwlwifi: mvm: Don't call iwl_mvm_sta_from_mac80211() with NULL sta [ Upstream commit 30d17c12b0895e15ce22ebc1f52a4ff02df6dbc6 ] The recent fix for NULL sta in iwl_mvm_get_tx_rate() still has a call of iwl_mvm_sta_from_mac80211() that may be called with NULL sta. Although this practically only points to the address and the actual access doesn't happen due to the conditional evaluation at a later point, it looks a bit flaky. This patch drops the temporary variable above and evaluates iwm_mvm_sta_from_mac80211() directly for avoiding confusions. Fixes: d599f714b73e ("iwlwifi: mvm: don't crash on invalid rate w/o STA") Signed-off-by: Takashi Iwai Link: https://lore.kernel.org/r/20220121114024.10454-1-tiwai@suse.de Signed-off-by: Luca Coelho Signed-off-by: Sasha Levin commit cb0db98193a045d9575a10a869178c6f75befe81 Author: Geliang Tang Date: Thu Feb 17 19:03:11 2022 -0800 selftests: mptcp: add csum mib check for mptcp_connect [ Upstream commit 24720d7452df2dff2e539d9dff28904e25bb1c6d ] This patch added the data checksum error mib counters check for the script mptcp_connect.sh when the data checksum is enabled. In do_transfer(), got the mib counters twice, before and after running the mptcp_connect commands. The latter minus the former is the actual number of the data checksum mib counter. The output looks like this: ns1 MPTCP -> ns2 (dead:beef:1::2:10007) MPTCP (duration 86ms) [ OK ] ns1 MPTCP -> ns2 (10.0.2.1:10008 ) MPTCP (duration 66ms) [ FAIL ] server got 1 data checksum error[s] Fixes: 94d66ba1d8e48 ("selftests: mptcp: enable checksum in mptcp_connect.sh") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/255 Signed-off-by: Geliang Tang Signed-off-by: Mat Martineau Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f2a1e0eb70c2d954176c07d75d28742bde30e9f3 Author: Tong Zhang Date: Fri Feb 11 23:11:11 2022 -0800 dax: make sure inodes are flushed before destroy cache [ Upstream commit a7e8de822e0b1979f08767c751f6c8a9c1d4ad86 ] A bug can be triggered by following command $ modprobe nd_pmem && modprobe -r nd_pmem [ 10.060014] BUG dax_cache (Not tainted): Objects remaining in dax_cache on __kmem_cache_shutdown() [ 10.060938] Slab 0x0000000085b729ac objects=9 used=1 fp=0x000000004f5ae469 flags=0x200000000010200(slab|head|node) [ 10.062433] Call Trace: [ 10.062673] dump_stack_lvl+0x34/0x44 [ 10.062865] slab_err+0x90/0xd0 [ 10.063619] __kmem_cache_shutdown+0x13b/0x2f0 [ 10.063848] kmem_cache_destroy+0x4a/0x110 [ 10.064058] __x64_sys_delete_module+0x265/0x300 This is caused by dax_fs_exit() not flushing inodes before destroy cache. To fix this issue, call rcu_barrier() before destroy cache. Signed-off-by: Tong Zhang Reviewed-by: Ira Weiny Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20220212071111.148575-1-ztong0001@gmail.com Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit b0022ca445d5fc4d0c89d15dcd0f855977b22c1d Author: Dan Williams Date: Wed Feb 16 16:25:11 2022 -0800 cxl/port: Hold port reference until decoder release [ Upstream commit 74be98774dfbc5b8b795db726bd772e735d2edd4 ] KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida. BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core] Read of size 8 at addr ffff888119270908 by task kworker/35:2/379 CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 Workqueue: events kobject_delayed_cleanup Call Trace: dump_stack_lvl+0x59/0x73 print_address_description.constprop.0+0x1f/0x150 ? to_cxl_port+0x18/0x90 [cxl_core] kasan_report.cold+0x83/0xdf ? to_cxl_port+0x18/0x90 [cxl_core] to_cxl_port+0x18/0x90 [cxl_core] cxl_decoder_release+0x2a/0x60 [cxl_core] device_release+0x5f/0x100 kobject_cleanup+0x80/0x1c0 The device core only guarantees parent lifetime until all children are unregistered. If a child needs a parent to complete its ->release() callback that child needs to hold a reference to extend the lifetime of the parent. Fixes: 40ba17afdfab ("cxl/acpi: Introduce cxl_decoder objects") Reported-by: Ben Widawsky Tested-by: Ben Widawsky Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/164505751190.4175768.13324905271463416712.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit e3c409aa40a845bf063d594380d98be8c550d95b Author: Håkon Bugge Date: Wed Feb 9 16:39:35 2022 +0100 IB/cma: Allow XRC INI QPs to set their local ACK timeout [ Upstream commit 748663c8ccf6b2e5a800de19127c2cc1c4423fd2 ] XRC INI QPs should be able to adjust their local ACK timeout. Fixes: 2c1619edef61 ("IB/cma: Define option to set ack timeout and pack tos_set") Link: https://lore.kernel.org/r/1644421175-31943-1-git-send-email-haakon.bugge@oracle.com Signed-off-by: Håkon Bugge Suggested-by: Avneesh Pant Reviewed-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 7cedd22f1a8db371b0937bad0ec1c3020d8ebf51 Author: Andrii Nakryiko Date: Wed Feb 16 23:39:58 2022 -0800 libbpf: Fix memleak in libbpf_netlink_recv() [ Upstream commit 1b8c924a05934d2e758ec7da7bd217ef8ebd80ce ] Ensure that libbpf_netlink_recv() frees dynamically allocated buffer in all code paths. Fixes: 9c3de619e13e ("libbpf: Use dynamically allocated buffer when receiving netlink messages") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/bpf/20220217073958.276959-1-andrii@kernel.org Signed-off-by: Sasha Levin commit e9bbd9504bfaf70d8a299fc243931b93ae9fc933 Author: Roman Li Date: Thu Dec 23 17:39:57 2021 -0500 drm/amd/display: Add affected crtcs to atomic state for dsc mst unplug [ Upstream commit 128f8ed5902a287a6bb4afe0ffdae8a80b2a64ec ] [Why] When display topology changed on DSC hub we add all crtcs with dsc support to atomic state. Refer to patch:"drm/amd/display: Trigger modesets on MST DSC connectors" However the original implementation may skip crtc if the topology change caused by unplug. That potentially could lead to no-lightup or corruption on DSC hub after unplug event on one of the connectors. [How] Update add_affected_mst_dsc_crtcs() to use old connector state if new connector state has no crtc (undergoes modeset due to unplug) Fixes: 44be939ff7ac58 ("drm/amd/display: Trigger modesets on MST DSC connectors") Reviewed-by: Hersen Wu Acked-by: Jasdeep Dhillon Signed-off-by: Roman Li Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6e0be3da2e9d2749aa7df921fb88e72d33684a2c Author: Yiqing Yao Date: Mon Jan 24 16:11:20 2022 +0800 drm/amd/pm: enable pm sysfs write for one VF mode [ Upstream commit e610941c45bad75aa839af015c27d236ab6749e5 ] [why] pm sysfs should be writable in one VF mode as is in passthrough [how] do not remove write access on pm sysfs if device is in one VF mode Fixes: 11c9cc95f818 ("amdgpu/pm: Make sysfs pm attributes as read-only for VFs") Signed-off-by: Yiqing Yao Reviewed-by: Monk Liu Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b28cac8a30f1823d4871f5211e2e60b12322530a Author: Yinjun Zhang Date: Tue Feb 8 00:00:25 2022 +0800 bpftool: Fix the error when lookup in no-btf maps [ Upstream commit edc21dc909c6c133a2727f063eadd7907af51f94 ] When reworking btf__get_from_id() in commit a19f93cfafdf the error handling when calling bpf_btf_get_fd_by_id() changed. Before the rework if bpf_btf_get_fd_by_id() failed the error would not be propagated to callers of btf__get_from_id(), after the rework it is. This lead to a change in behavior in print_key_value() that now prints an error when trying to lookup keys in maps with no btf available. Fix this by following the way used in dumping maps to allow to look up keys in no-btf maps, by which it decides whether and where to get the btf info according to the btf value type. Fixes: a19f93cfafdf ("libbpf: Add internal helper to load BTF data by FD") Signed-off-by: Yinjun Zhang Signed-off-by: Simon Horman Signed-off-by: Andrii Nakryiko Reviewed-by: Niklas Söderlund Acked-by: Jiri Olsa Link: https://lore.kernel.org/bpf/1644249625-22479-1-git-send-email-yinjun.zhang@corigine.com Signed-off-by: Sasha Levin commit 7d6831008d82b22909befce68a9fdd803a97160d Author: Martin Povišer Date: Fri Feb 4 10:59:14 2022 +0100 i2c: pasemi: Drop I2C classes from platform driver variant [ Upstream commit 19e138e43a0820bb4dbf8fb5c7691f82e9221f2b ] Drop I2C device-probing classes from platform variant of the PASemi controller as it is only used on platforms where I2C devices should be instantiated in devicetree. (The I2C_CLASS_DEPRECATED flag is not raised as up to this point no devices relied on the old behavior.) Fixes: d88ae2932df0 ("i2c: pasemi: Add Apple platform driver") Signed-off-by: Martin Povišer Reviewed-by: Sven Peter Acked-by: Hector Martin Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f0d5d938d51af4eb08d9d8684fd9903425a0a87d Author: Pin-Yen Lin Date: Thu Feb 10 18:38:27 2022 +0800 drm/bridge: anx7625: Fix overflow issue on reading EDID [ Upstream commit d5c6f647aec9ed524aedd04a3aec5ebc21d39007 ] The length of EDID block can be longer than 256 bytes, so we should use `int` instead of `u8` for the `edid_pos` variable. Fixes: 8bdfc5dae4e3 ("drm/bridge: anx7625: Add anx7625 MIPI DSI/DPI to DP") Signed-off-by: Pin-Yen Lin Reviewed-by: Jernej Skrabec Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220210103827.402436-1-treapking@chromium.org Signed-off-by: Sasha Levin commit dfabf75a4a715524e118ee0c42c1246e565ae886 Author: Jiasheng Jiang Date: Thu Jan 6 10:43:02 2022 +0800 iommu/ipmmu-vmsa: Check for error num after setting mask [ Upstream commit 1fdbbfd5099f797a4dac05e7ef0192ba4a9c39b4 ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: 1c894225bf5b ("iommu/ipmmu-vmsa: IPMMU device is 40-bit bus master") Signed-off-by: Jiasheng Jiang Reviewed-by: Nikita Yushchenko Link: https://lore.kernel.org/r/20220106024302.2574180-1-jiasheng@iscas.ac.cn Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6100d0290868c956b155887fde186ca92d8a55a1 Author: Dmitry Torokhov Date: Mon Jan 17 23:26:18 2022 -0800 HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports [ Upstream commit a5e5e03e94764148a01757b2fa4737d3445c13a6 ] Internally kernel prepends all report buffers, for both numbered and unnumbered reports, with report ID, therefore to properly handle unnumbered reports we should prepend it ourselves. For the same reason we should skip the first byte of the buffer when calling i2c_hid_set_or_send_report() which then will take care of properly formatting the transfer buffer based on its separate report ID argument along with report payload. [jkosina@suse.cz: finalize trimmed sentence in changelog as spotted by Benjamin] Fixes: 9b5a9ae88573 ("HID: i2c-hid: implement ll_driver transport-layer callbacks") Signed-off-by: Dmitry Torokhov Tested-by: Benjamin Tissoires Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 261041097ab3470f1120b7733cbf472712304d1e Author: Miaoqian Lin Date: Mon Jan 24 13:13:46 2022 +0000 power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init [ Upstream commit 6a4760463dbc6b603690938c468839985189ce0a ] kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). Fixes: 8c0984e5a753 ("power: move power supply drivers to power/supply") Signed-off-by: Miaoqian Lin Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 723644ebfdb2ef7dccdaf4f1b05be9186fdba6b1 Author: Toke Høiland-Jørgensen Date: Sat Feb 12 00:48:19 2022 +0100 libbpf: Use dynamically allocated buffer when receiving netlink messages [ Upstream commit 9c3de619e13ee6693ec5ac74f50b7aa89056a70e ] When receiving netlink messages, libbpf was using a statically allocated stack buffer of 4k bytes. This happened to work fine on systems with a 4k page size, but on systems with larger page sizes it can lead to truncated messages. The user-visible impact of this was that libbpf would insist no XDP program was attached to some interfaces because that bit of the netlink message got chopped off. Fix this by switching to a dynamically allocated buffer; we borrow the approach from iproute2 of using recvmsg() with MSG_PEEK|MSG_TRUNC to get the actual size of the pending message before receiving it, adjusting the buffer as necessary. While we're at it, also add retries on interrupted system calls around the recvmsg() call. v2: - Move peek logic to libbpf_netlink_recv(), don't double free on ENOMEM. Fixes: 8bbb77b7c7a2 ("libbpf: Add various netlink helpers") Reported-by: Zhiqian Guan Signed-off-by: Toke Høiland-Jørgensen Signed-off-by: Andrii Nakryiko Acked-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/bpf/20220211234819.612288-1-toke@redhat.com Signed-off-by: Sasha Levin commit 7b69ae8b03983d16809131a7df027c52ba7b936c Author: Neil Armstrong Date: Fri Feb 4 15:33:37 2022 +0100 drm/bridge: dw-hdmi: use safe format when first in bridge chain [ Upstream commit 1528038385c0a706aac9ac165eeb24044fef6825 ] When the dw-hdmi bridge is in first place of the bridge chain, this means there is no way to select an input format of the dw-hdmi HW component. Since introduction of display-connector, negotiation was broken since the dw-hdmi negotiation code only worked when the dw-hdmi bridge was in last position of the bridge chain or behind another bridge also supporting input & output format negotiation. Commit 7cd70656d128 ("drm/bridge: display-connector: implement bus fmts callbacks") was introduced to make negotiation work again by making display-connector act as a pass-through concerning input & output format negotiation. But in the case where the dw-hdmi is single in the bridge chain, for example on Renesas SoCs, with the display-connector bridge the dw-hdmi is no more single, breaking output format. Reported-by: Biju Das Bisected-by: Kieran Bingham Tested-by: Kieran Bingham Fixes: 6c3c719936da ("drm/bridge: synopsys: dw-hdmi: add bus format negociation") Signed-off-by: Neil Armstrong [narmstrong: add proper fixes commit] Reviewed-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220204143337.89221-1-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit e696ed9f7d7796efa27f4b5404cd57fb6f49ed96 Author: Andrii Nakryiko Date: Tue Feb 8 22:39:09 2022 -0800 libbpf: Fix compilation warning due to mismatched printf format [ Upstream commit dc37dc617fabfb1c3a16d49f5d8cc20e9e3608ca ] On ppc64le architecture __s64 is long int and requires %ld. Cast to ssize_t and use %zd to avoid architecture-specific specifiers. Fixes: 4172843ed4a3 ("libbpf: Fix signedness bug in btf_dump_array_data()") Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20220209063909.1268319-1-andrii@kernel.org Signed-off-by: Sasha Levin commit 75bc32198e060ce5e4cca6973f7c4b6bb317923a Author: Po Liu Date: Wed Feb 9 20:33:01 2022 +0800 net:enetc: allocate CBD ring data memory using DMA coherent methods [ Upstream commit b3a723dbc94a6e38f67669d03b521edd766ad895 ] To replace the dma_map_single() stream DMA mapping with DMA coherent method dma_alloc_coherent() which is more simple. dma_map_single() found by Tim Gardner not proper. Suggested by Claudiu Manoil and Jakub Kicinski to use dma_alloc_coherent(). Discussion at: https://lore.kernel.org/netdev/AM9PR04MB8397F300DECD3C44D2EBD07796BD9@AM9PR04MB8397.eurprd04.prod.outlook.com/t/ Fixes: 888ae5a3952ba ("net: enetc: add tc flower psfp offload driver") cc: Claudiu Manoil Reported-by: Tim Gardner Signed-off-by: Po Liu Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 05171ee9095562ad6f026c50763df0316c5364e0 Author: Jonathan Cameron Date: Tue Feb 1 15:34:37 2022 +0000 cxl/regs: Fix size of CXL Capability Header Register [ Upstream commit 74b0fe80409733055971bbfaf33c80a33fddeeb3 ] In CXL 2.0, 8.2.5.1 CXL Capability Header Register: this register is given as 32 bits. 8.2.3 which covers the CXL 2.0 Component registers, including the CXL Capability Header Register states that access restrictions specified in Section 8.2.2 apply. 8.2.2 includes: * A 32 bit register shall be accessed as a 4 Byte quantity. ... If these rules are not followed, the behavior is undefined. Discovered during review of CXL QEMU emulation. Alex Bennée pointed out there was a comment saying that 4 byte registers must be read with a 4 byte read, but 8 byte reads were being emulated. https://lore.kernel.org/qemu-devel/87bkzyd3c7.fsf@linaro.org/ Fixing that, led to this code failing. Whilst a given hardware implementation 'might' work with an 8 byte read, it should not be relied upon. The QEMU emulation v5 will return 0 and log the wrong access width. The code moved, so one fixes tag for where this will directly apply and also a reference to the earlier introduction of the code for backports. Fixes: 0f06157e0135 ("cxl/core: Move register mapping infrastructure") Fixes: 08422378c4ad ("cxl/pci: Add HDM decoder capabilities") Signed-off-by: Jonathan Cameron Cc: Alex Bennée Reviewed-by: Ben Widawsky Link: https://lore.kernel.org/r/20220201153437.2873-1-Jonathan.Cameron@huawei.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 0b315513d26a12dce6dbee81866d44fbadf80594 Author: Dan Williams Date: Sun Jan 23 16:31:56 2022 -0800 tools/testing/cxl: Fix root port to host bridge assignment [ Upstream commit a4a0ce242fcd7022349212c4e2f795762e6ff050 ] Mocked root-ports are meant to be round-robin assigned to host-bridges. Fixes: 67dcdd4d3b83 ("tools/testing/cxl: Introduce a mocked-up CXL port hierarchy") Link: https://lore.kernel.org/r/164298431629.3018233.14004377108116384485.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit 52fbd8266709e941db55e5a620450a832ea0ed06 Author: Dan Williams Date: Sun Jan 23 16:29:42 2022 -0800 cxl/core: Fix cxl_probe_component_regs() error message [ Upstream commit d621bc2e7282f9955033a6359877fd4ac4be60e1 ] Fix a '\n' vs '/n' typo. Fixes: 08422378c4ad ("cxl/pci: Add HDM decoder capabilities") Acked-by: Ben Widawsky Link: https://lore.kernel.org/r/164298418268.3018233.17790073375430834911.stgit@dwillia2-desk3.amr.corp.intel.com Signed-off-by: Dan Williams Signed-off-by: Sasha Levin commit db930b62d03fa22dd0432f5303e10314d7794b7c Author: Dan Carpenter Date: Tue Feb 8 10:15:52 2022 +0300 libbpf: Fix signedness bug in btf_dump_array_data() [ Upstream commit 4172843ed4a38f97084032f74f07b2037b5da3a6 ] The btf__resolve_size() function returns negative error codes so "elem_size" must be signed for the error handling to work. Fixes: 920d16af9b42 ("libbpf: BTF dumper support for typed data") Signed-off-by: Dan Carpenter Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20220208071552.GB10495@kili Signed-off-by: Sasha Levin commit 1269b6b51b176c86ba78b4ca800c4b9e3dcec9bb Author: Xiao Yang Date: Wed Dec 29 11:44:38 2021 +0800 RDMA/rxe: Check the last packet by RXE_END_MASK [ Upstream commit b1377cc37f6bebd57ce8747b7e16163a475af295 ] It's wrong to check the last packet by RXE_COMP_MASK because the flag is to indicate if responder needs to generate a completion. Fixes: 9fcd67d1772c ("IB/rxe: increment msn only when completing a request") Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20211229034438.1854908-1-yangx.jy@fujitsu.com Signed-off-by: Xiao Yang Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit aae926f8c2ec01bae3efb47550aa686516516a4d Author: Pali Rohár Date: Mon Jan 10 02:50:09 2022 +0100 PCI: aardvark: Fix reading PCI_EXP_RTSTA_PME bit on emulated bridge [ Upstream commit 735f5ae49e1b44742cc63ca9b5c1ffde3e94ba91 ] The emulated bridge returns incorrect value for PCI_EXP_RTSTA register during readout in advk_pci_bridge_emul_pcie_conf_read() function: the correct bit is BIT(16), but we are setting BIT(23), because the code does *value = (isr0 & PCIE_MSG_PM_PME_MASK) << 16 where PCIE_MSG_PM_PME_MASK is BIT(7). The code should probably have been something like *value = (!!(isr0 & PCIE_MSG_PM_PME_MASK)) << 16, but we are better of using an if() and using the proper macro for this bit. Link: https://lore.kernel.org/r/20220110015018.26359-15-kabel@kernel.org Fixes: 8a3ebd8de328 ("PCI: aardvark: Implement emulated root PCI bridge config space") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 538fa11fc43024b40d5957676ca4f12877c645ed Author: Pali Rohár Date: Mon Jan 10 02:49:57 2022 +0100 PCI: aardvark: Fix reading MSI interrupt number [ Upstream commit 805dfc18dd3d4dd97a987d4406593b5a225b1253 ] In advk_pcie_handle_msi() it is expected that when bit i in the W1C register PCIE_MSI_STATUS_REG is cleared, the PCIE_MSI_PAYLOAD_REG is updated to contain the MSI number corresponding to index i. Experiments show that this is not so, and instead PCIE_MSI_PAYLOAD_REG always contains the number of the last received MSI, overall. Do not read PCIE_MSI_PAYLOAD_REG register for determining MSI interrupt number. Since Aardvark already forbids more than 32 interrupts and uses own allocated hwirq numbers, the msi_idx already corresponds to the received MSI number. Link: https://lore.kernel.org/r/20220110015018.26359-3-kabel@kernel.org Fixes: 8c39d710363c ("PCI: aardvark: Add Aardvark PCI host controller driver") Signed-off-by: Pali Rohár Signed-off-by: Marek Behún Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 408db8ec1fa6b7f5ca786c9b99a87c2fda885b40 Author: Corinna Vinschen Date: Wed Jan 19 15:52:59 2022 +0100 igb: refactor XDP registration [ Upstream commit e62ad74aa534404b3ee7e250b114a3536ac56987 ] On changing the RX ring parameters igb uses a hack to avoid a warning when calling xdp_rxq_info_reg via igb_setup_rx_resources. It just clears the struct xdp_rxq_info content. Instead, change this to unregister if we're already registered. Align code to the igc code. Fixes: 9cbc948b5a20c ("igb: add XDP support") Signed-off-by: Corinna Vinschen Acked-by: Vinicius Costa Gomes Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 3ddb49af08094ebee250b461172ee7b8e27a35d3 Author: Corinna Vinschen Date: Wed Jan 19 15:52:58 2022 +0100 igc: avoid kernel warning when changing RX ring parameters [ Upstream commit 453307b569a0d41bddd07f26bf41b784cd82a4c9 ] Calling ethtool changing the RX ring parameters like this: $ ethtool -G eth0 rx 1024 on igc triggers kernel warnings like this: [ 225.198467] ------------[ cut here ]------------ [ 225.198473] Missing unregister, handled but fix driver [ 225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168 xdp_rxq_info_reg+0x79/0xd0 [...] [ 225.198601] Call Trace: [ 225.198604] [ 225.198609] igc_setup_rx_resources+0x3f/0xe0 [igc] [ 225.198617] igc_ethtool_set_ringparam+0x30e/0x450 [igc] [ 225.198626] ethnl_set_rings+0x18a/0x250 [ 225.198631] genl_family_rcv_msg_doit+0xca/0x110 [ 225.198637] genl_rcv_msg+0xce/0x1c0 [ 225.198640] ? rings_prepare_data+0x60/0x60 [ 225.198644] ? genl_get_cmd+0xd0/0xd0 [ 225.198647] netlink_rcv_skb+0x4e/0xf0 [ 225.198652] genl_rcv+0x24/0x40 [ 225.198655] netlink_unicast+0x20e/0x330 [ 225.198659] netlink_sendmsg+0x23f/0x480 [ 225.198663] sock_sendmsg+0x5b/0x60 [ 225.198667] __sys_sendto+0xf0/0x160 [ 225.198671] ? handle_mm_fault+0xb2/0x280 [ 225.198676] ? do_user_addr_fault+0x1eb/0x690 [ 225.198680] __x64_sys_sendto+0x20/0x30 [ 225.198683] do_syscall_64+0x38/0x90 [ 225.198687] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 225.198693] RIP: 0033:0x7f7ae38ac3aa igc_ethtool_set_ringparam() copies the igc_ring structure but neglects to reset the xdp_rxq_info member before calling igc_setup_rx_resources(). This in turn calls xdp_rxq_info_reg() with an already registered xdp_rxq_info. Make sure to unregister the xdp_rxq_info structure first in igc_setup_rx_resources. Fixes: 73f1071c1d29 ("igc: Add support for XDP_TX action") Reported-by: Lennert Buytenhek Signed-off-by: Corinna Vinschen Acked-by: Vinicius Costa Gomes Tested-by: Dvora Fuxbrumer Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 3026ac17733b9232e8d204587c893823a4f9a36c Author: Naveen N. Rao Date: Fri Feb 4 17:05:19 2022 +0530 selftests/bpf: Use "__se_" prefix on architectures without syscall wrapper [ Upstream commit 046b841ea7c528931e7d2e74d5e668aa6c94c1fc ] On architectures that don't use a syscall wrapper, sys_* function names are set as an alias of __se_sys_* functions. Due to this, there is no BTF associated with sys_* function names. This results in some of the test progs failing to load. Set the SYS_PREFIX to "__se_" to fix this issue. Fixes: 38261f369fb905 ("selftests/bpf: Fix probe_user test failure with clang build kernel") Signed-off-by: Naveen N. Rao Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/013d632aacd3e41290445c0025db6a7055ec6e18.1643973917.git.naveen.n.rao@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 73e6b7759220c543c99c56cd740569835a0df8e6 Author: Kenta Tada Date: Mon Jan 24 23:16:20 2022 +0900 selftests/bpf: Extract syscall wrapper [ Upstream commit 78a2054156dd6265619b230cc5372b74f9ba5233 ] Extract the helper to set up SYS_PREFIX for fentry and kprobe selftests that use __x86_sys_* attach functions. Suggested-by: Andrii Nakryiko Signed-off-by: Kenta Tada Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220124141622.4378-2-Kenta.Tada@sony.com Signed-off-by: Sasha Levin commit 4c9ca11e44f52cbe6508bd41f95fe3db26c75376 Author: Mark Brown Date: Wed Feb 2 14:34:04 2022 +0000 mtd: mchp48l640: Add SPI ID table [ Upstream commit 69a6d06878f05d63673b0dcdc3c3ef1af2996d46 ] Currently autoloading for SPI devices does not use the DT ID table, it uses SPI modalises. Supporting OF modalises is going to be difficult if not impractical, an attempt was made but has been reverted, so ensure that module autoloading works for this driver by adding an id_table listing the SPI IDs for everything. Fixes: 96c8395e2166 ("spi: Revert modalias changes") Signed-off-by: Mark Brown Reviewed-by: Michael Walle Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220202143404.16070-4-broonie@kernel.org Signed-off-by: Sasha Levin commit 5b8f6d94c8f5f9950cd8cd80bc78de0e8cfa61b3 Author: Mark Brown Date: Wed Feb 2 14:34:03 2022 +0000 mtd: mchp23k256: Add SPI ID table [ Upstream commit bc7ee2e34b219da6813c17a1680dd20766648883 ] Currently autoloading for SPI devices does not use the DT ID table, it uses SPI modalises. Supporting OF modalises is going to be difficult if not impractical, an attempt was made but has been reverted, so ensure that module autoloading works for this driver by adding an id_table listing the SPI IDs for everything. Fixes: 96c8395e2166 ("spi: Revert modalias changes") Signed-off-by: Mark Brown Reviewed-by: Michael Walle Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220202143404.16070-3-broonie@kernel.org Signed-off-by: Sasha Levin commit c7df23a54d6da79b2d4189468ce87cc1d42d2453 Author: Christophe JAILLET Date: Fri Aug 20 20:43:33 2021 +0200 i2c: bcm2835: Fix the error handling in 'bcm2835_i2c_probe()' [ Upstream commit b205f5850263632b6897d8f0bfaeeea4955f8663 ] Some resource should be released if an error occurs in 'bcm2835_i2c_probe()'. Add an error handling path and the needed 'clk_disable_unprepare()' and 'clk_rate_exclusive_put()' calls. While at it, rework the bottom of the function to use this newly added error handling path and have an explicit and more standard "return 0;" at the end of the normal path. Fixes: bebff81fb8b9 ("i2c: bcm2835: Model Divider in CCF") Signed-off-by: Christophe JAILLET [wsa: rebased] Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit dbad8b608dda87a625523bfbed8e7e96a3010537 Author: Lad Prabhakar Date: Tue Dec 21 17:53:20 2021 +0000 i2c: bcm2835: Use platform_get_irq() to get the interrupt [ Upstream commit c3b2f911ac11892b672df7829becf28d3a830073 ] platform_get_resource(pdev, IORESOURCE_IRQ, ..) relies on static allocation of IRQ resources in DT core code, this causes an issue when using hierarchical interrupt domains using "interrupts" property in the node as this bypasses the hierarchical setup and messes up the irq chaining. In preparation for removal of static setup of IRQ resource from DT core code use platform_get_irq(). Signed-off-by: Lad Prabhakar Reviewed-by: Florian Fainelli Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 9ea8d2fca8fea3b17005b4dc02f8ef15f7a2fb97 Author: Pavel Skripkin Date: Sun Feb 6 21:05:16 2022 +0300 net: asix: add proper error handling of usb read errors [ Upstream commit 920a9fa27e7805499cfe78491b36fed2322c02ec ] Syzbot once again hit uninit value in asix driver. The problem still the same -- asix_read_cmd() reads less bytes, than was requested by caller. Since all read requests are performed via asix_read_cmd() let's catch usb related error there and add __must_check notation to be sure all callers actually check return value. So, this patch adds sanity check inside asix_read_cmd(), that simply checks if bytes read are not less, than was requested and adds missing error handling of asix_read_cmd() all across the driver code. Fixes: d9fe64e51114 ("net: asix: Add in_pm parameter") Reported-and-tested-by: syzbot+6ca9f7867b77c2d316ac@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Tested-by: Oleksij Rempel Reviewed-by: Greg Kroah-Hartman Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3203b13ab934bf97f3e4f068f6937e666a3d75cc Author: Christophe Leroy Date: Mon Dec 20 16:38:02 2021 +0000 livepatch: Fix build failure on 32 bits processors [ Upstream commit 2f293651eca3eacaeb56747dede31edace7329d2 ] Trying to build livepatch on powerpc/32 results in: kernel/livepatch/core.c: In function 'klp_resolve_symbols': kernel/livepatch/core.c:221:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c:221:21: error: assignment to 'Elf32_Sym *' {aka 'struct elf32_sym *'} from incompatible pointer type 'Elf64_Sym *' {aka 'struct elf64_sym *'} [-Werror=incompatible-pointer-types] 221 | sym = (Elf64_Sym *)sechdrs[symndx].sh_addr + ELF_R_SYM(relas[i].r_info); | ^ kernel/livepatch/core.c: In function 'klp_apply_section_relocs': kernel/livepatch/core.c:312:35: error: passing argument 1 of 'klp_resolve_symbols' from incompatible pointer type [-Werror=incompatible-pointer-types] 312 | ret = klp_resolve_symbols(sechdrs, strtab, symndx, sec, sec_objname); | ^~~~~~~ | | | Elf32_Shdr * {aka struct elf32_shdr *} kernel/livepatch/core.c:193:44: note: expected 'Elf64_Shdr *' {aka 'struct elf64_shdr *'} but argument is of type 'Elf32_Shdr *' {aka 'struct elf32_shdr *'} 193 | static int klp_resolve_symbols(Elf64_Shdr *sechdrs, const char *strtab, | ~~~~~~~~~~~~^~~~~~~ Fix it by using the right types instead of forcing 64 bits types. Fixes: 7c8e2bdd5f0d ("livepatch: Apply vmlinux-specific KLP relocations early") Signed-off-by: Christophe Leroy Acked-by: Petr Mladek Acked-by: Joe Lawrence Acked-by: Miroslav Benes Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/5288e11b018a762ea3351cc8fb2d4f15093a4457.1640017960.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 15ab376fc350dafd8a83e287c1e8b013cf017ada Author: Thomas Bracht Laumann Jespersen Date: Mon Jan 31 12:20:28 2022 +0100 scripts/dtc: Call pkg-config POSIXly correct [ Upstream commit a8b309ce9760943486e0585285e0125588a31650 ] Running with POSIXLY_CORRECT=1 in the environment the scripts/dtc build fails, because pkg-config doesn't output anything when the flags come after the arguments. Fixes: 067c650c456e ("dtc: Use pkg-config to locate libyaml") Signed-off-by: Thomas Bracht Laumann Jespersen Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220131112028.7907-1-t@laumann.xyz Signed-off-by: Sasha Levin commit 36fb65a150bd55f1a001c041ab5eeab2216e08b0 Author: Johannes Berg Date: Wed Feb 2 10:49:34 2022 +0200 mac80211: limit bandwidth in HE capabilities [ Upstream commit 1f2c104448477512fcf7296df54bfbc3a6f9a765 ] If we're limiting bandwidth for some reason such as regulatory restrictions, then advertise that limitation just like we do for VHT today, so the AP is aware we cannot use the higher BW it might be using. Fixes: 41cbb0f5a295 ("mac80211: add support for HE") Signed-off-by: Johannes Berg Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20220202104617.70c8e3e7ee76.If317630de69ff1146bec7d47f5b83038695eb71d@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 89970f74c5fe6766ec1323c820054cf9532d5f43 Author: Ilan Peer Date: Mon Nov 29 15:32:44 2021 +0200 mac80211: Remove a couple of obsolete TODO [ Upstream commit cee04f3c3a00ffd2a2a6ed1028e0ab58a3a28d25 ] The HE capability IE is an extension IE so remove an irrelevant comments. Signed-off-by: Ilan Peer Signed-off-by: Luca Coelho Link: https://lore.kernel.org/r/iwlwifi.20211129152938.550b95b5fca7.Ia31395e880172aefcc0a8c70ed060f84b94bdb83@changeid Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit a3bcd2110c087bc62e90fddd4a93237b049d6e68 Author: Yonghong Song Date: Thu Feb 3 11:17:27 2022 -0800 bpf: Fix a btf decl_tag bug when tagging a function [ Upstream commit d7e7b42f4f956f2c68ad8cda87d750093dbba737 ] syzbot reported a btf decl_tag bug with stack trace below: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 3592 Comm: syz-executor914 Not tainted 5.16.0-syzkaller-11424-gb7892f7d5cb2 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:btf_type_vlen include/linux/btf.h:231 [inline] RIP: 0010:btf_decl_tag_resolve+0x83e/0xaa0 kernel/bpf/btf.c:3910 ... Call Trace: btf_resolve+0x251/0x1020 kernel/bpf/btf.c:4198 btf_check_all_types kernel/bpf/btf.c:4239 [inline] btf_parse_type_sec kernel/bpf/btf.c:4280 [inline] btf_parse kernel/bpf/btf.c:4513 [inline] btf_new_fd+0x19fe/0x2370 kernel/bpf/btf.c:6047 bpf_btf_load kernel/bpf/syscall.c:4039 [inline] __sys_bpf+0x1cbb/0x5970 kernel/bpf/syscall.c:4679 __do_sys_bpf kernel/bpf/syscall.c:4738 [inline] __se_sys_bpf kernel/bpf/syscall.c:4736 [inline] __x64_sys_bpf+0x75/0xb0 kernel/bpf/syscall.c:4736 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The kasan error is triggered with an illegal BTF like below: type 0: void type 1: int type 2: decl_tag to func type 3 type 3: func to func_proto type 8 The total number of types is 4 and the type 3 is illegal since its func_proto type is out of range. Currently, the target type of decl_tag can be struct/union, var or func. Both struct/union and var implemented their own 'resolve' callback functions and hence handled properly in kernel. But func type doesn't have 'resolve' callback function. When btf_decl_tag_resolve() tries to check func type, it tries to get vlen of its func_proto type, which triggered the above kasan error. To fix the issue, btf_decl_tag_resolve() needs to do btf_func_check() before trying to accessing func_proto type. In the current implementation, func type is checked with btf_func_check() in the main checking function btf_check_all_types(). To fix the above kasan issue, let us implement 'resolve' callback func type properly. The 'resolve' callback will be also called in btf_check_all_types() for func types. Fixes: b5ea834dde6b ("bpf: Support for new btf kind BTF_KIND_TAG") Reported-by: syzbot+53619be9444215e785ed@syzkaller.appspotmail.com Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20220203191727.741862-1-yhs@fb.com Signed-off-by: Sasha Levin commit 7d276fc566986294901965dab003174512787398 Author: Tobias Waldekranz Date: Thu Feb 3 11:16:55 2022 +0100 net: dsa: mv88e6xxx: Enable port policy support on 6097 [ Upstream commit 585d42bb57bb358d48906660a8de273b078810b1 ] This chip has support for the same per-port policy actions found in later versions of LinkStreet devices. Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy") Signed-off-by: Tobias Waldekranz Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9c796a57cbb5daf124a665689f0b2bc9262e0ced Author: Miroslav Lichvar Date: Wed Feb 2 10:33:55 2022 +0100 ptp: unregister virtual clocks when unregistering physical clock. [ Upstream commit bfcbb76b0f595ea9ede9f7a218086fef85242f10 ] When unregistering a physical clock which has some virtual clocks, unregister the virtual clocks with it. This fixes the following oops, which can be triggered by unloading a driver providing a PTP clock when it has enabled virtual clocks: BUG: unable to handle page fault for address: ffffffffc04fc4d8 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ptp_vclock_read+0x31/0xb0 Call Trace: timecounter_read+0xf/0x50 ptp_vclock_refresh+0x2c/0x50 ? ptp_clock_release+0x40/0x40 ptp_aux_kworker+0x17/0x30 kthread_worker_fn+0x9b/0x240 ? kthread_should_park+0x30/0x30 kthread+0xe2/0x110 ? kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x22/0x30 Fixes: 73f37068d540 ("ptp: support ptp physical/virtual clocks conversion") Signed-off-by: Miroslav Lichvar Acked-by: Richard Cochran Cc: Yangbo Lu Cc: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7bd520ccc34b444873551cab0580adb975960e65 Author: MeiChia Chiu Date: Thu Jan 27 21:32:26 2022 +0800 mt76: mt7915: fix the nss setting in bitrates [ Upstream commit c41d2a075206fcbdc89695b874a6ac06160b4f1a ] without this change, the fixed MCS only supports 1 Nss. Fixes: 70fd1333cd32f ("mt76: mt7915: rework .set_bitrate_mask() to support more options") Reviewed-by: Ryder Lee Signed-off-by: MeiChia Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 1d0221e88dcef40fb329dbdc5689d766cd237ee5 Author: Peter Chiu Date: Wed Jan 26 10:05:29 2022 +0800 mt76: mt7915: fix mcs_map in mt7915_mcu_set_sta_he_mcs() [ Upstream commit ade25ca7950bc8930356d98ec89aa41560a9dab5 ] Should use peer's bandwidth instead of chandef->width to get correct mcs_map. Fixes: 76be6c076c077 ("mt76: mt7915: add .set_bitrate_mask() callback") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit daf02c7e3c3dc82ffa925999597bd455cf799551 Author: Lorenzo Bianconi Date: Mon Jan 24 20:36:52 2022 +0100 mt76: mt7915: fix possible memory leak in mt7915_mcu_add_sta [ Upstream commit a43736cd12d82913102eb49cb56787a5553e028f ] Free allocated skb in mt7915_mcu_add_sta routine in case of failures. Fixes: 89bbd3730f382 ("mt76: mt7915: rework starec TLV tags") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4dae8fc559f47539cb9a72941b0dcf1190320e30 Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:58 2022 +0100 mt76: mt7615: check sta_rates pointer in mt7615_sta_rate_tbl_update [ Upstream commit 6a6f457ed5fdf6777536c20644a9e42128a50ec2 ] Check sta_rates pointer value in mt7615_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: 04b8e65922f63 ("mt76: add mac80211 driver for MT7615 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit f8ae1204e6ec571acf44e32b169eeb2c0bef89c7 Author: Lorenzo Bianconi Date: Sat Jan 22 15:58:57 2022 +0100 mt76: mt7603: check sta_rates pointer in mt7603_sta_rate_tbl_update [ Upstream commit fc8e2c707ce11c8ec2e992885b0d53a5e04031ac ] Check sta_rates pointer value in mt7603_sta_rate_tbl_update routine since minstrel_ht_update_rates can fail allocating rates array. Fixes: c8846e1015022 ("mt76: add driver for MT7603E and MT7628/7688") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit a6708b96a640fa6ab4145f1c0269a3f7b15ef440 Author: Sean Wang Date: Fri Jan 7 15:30:03 2022 +0800 mt76: mt7921e: fix possible probe failure after reboot [ Upstream commit 602cc0c9618a819ab00ea3c9400742a0ca318380 ] It doesn't guarantee the mt7921e gets started with ASPM L0 after each machine reboot on every platform. If mt7921e gets started with not ASPM L0, it would be possible that the driver encounters time to time failure in mt7921_pci_probe, like a weird chip identifier is read [ 215.514503] mt7921e 0000:05:00.0: ASIC revision: feed0000 [ 216.604741] mt7921e: probe of 0000:05:00.0 failed with error -110 or failing to init hardware because the driver is not allowed to access the register until the device is in ASPM L0 state. So, we call __mt7921e_mcu_drv_pmctrl in early mt7921_pci_probe to force the device to bring back to the L0 state for we can safely access registers in any case. In the patch, we move all functions from dma.c to pci.c and register mt76 bus operation earilier, that is the __mt7921e_mcu_drv_pmctrl depends on. Fixes: bf3747ae2e25 ("mt76: mt7921: enable aspm by default") Reported-by: Kai-Chuan Hsieh Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit f9131399b83ea4e3ab3b3088aa68133de420524f Author: Leon Yen Date: Fri Jan 7 03:50:10 2022 +0800 mt76: mt7921s: fix mt7921s_mcu_[fw|drv]_pmctrl [ Upstream commit b12deb5e86fa36dc6f3aa3321f5da27addec4f1f ] According to the firmware behavior (even the oldest one in linux-firmware) If the firmware is downloaded, MT7921S must rely on the additional mailbox mechanism that resides in firmware to check if the device is the right state for mt7921s_mcu_[fw|drv]_pmctrl. Otherwise, we still apply the old way for that. That is a necessary patch before we enable runtime pm for mt7921s as default. Fixes: 48fab5bbef40 ("mt76: mt7921: introduce mt7921s support") Co-developed-by: Sean Wang Signed-off-by: Sean Wang Signed-off-by: Leon Yen Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit b26151b7868b5080de00db1614d942bbdda59961 Author: Peter Chiu Date: Thu Jan 6 14:20:57 2022 +0800 mt76: mt7921: fix ht mcs in mt7921_mac_add_txs_skb() [ Upstream commit b1fe07ed21024f64719315ba0f3a5676d8b36db6 ] The mcs value of HT mode reported by mt7921_mac_add_txs_skb() has already been converted to the expected format. Fixes: 970ab80ef9f63 ("mt76: mt7921: report tx rate directly from tx status") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 4e86f6d14ba830a8c5915229869bd004ca19c779 Author: Peter Chiu Date: Thu Jan 6 14:20:56 2022 +0800 mt76: mt7915: fix ht mcs in mt7915_mac_add_txs_skb() [ Upstream commit d8e4e8d148fb68858d6a997d88a87a2c615629ce ] The mcs value of HT mode reported by mt7915_mac_add_txs_skb() has already been converted to the expected format. Fixes: 9908d98ae72cd ("mt76: mt7915: report tx rate directly from tx status") Signed-off-by: Peter Chiu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5a80bb2fd51fcd0bdb2c5ec17b4ea99f85386f3d Author: Lorenzo Bianconi Date: Thu Dec 30 21:47:06 2021 +0100 mt76: mt7615: fix a leftover race in runtime-pm [ Upstream commit 42ce8d3b623162f3248db50a38359f294e6b06fd ] Fix a possible race in mt7615_pm_power_save_work() if rx/tx napi schedules ps_work and we are currently accessing device register on a different cpu. Fixes: db928f1ab9789 ("mt76: mt7663: rely on mt76_connac_pm_ref/mt76_connac_pm_unref in tx/rx napi") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 82b581f7b1ec0549431be603c7ebdd990af4201b Author: Lorenzo Bianconi Date: Thu Dec 30 21:47:05 2021 +0100 mt76: mt7921: fix a leftover race in runtime-pm [ Upstream commit 591cdccebdd4d02eb46d400dea911136400cc567 ] Fix a possible race in mt7921_pm_power_save_work() if rx/tx napi schedules ps_work and we are currently accessing device register on a different cpu. Fixes: 1d8efc741df8 ("mt76: mt7921: introduce Runtime PM support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 26b5f12470ce65e4859df95d7b78bf77f2b87318 Author: Lorenzo Bianconi Date: Fri Dec 31 12:36:02 2021 +0100 mt76: mt7921: do not always disable fw runtime-pm [ Upstream commit b44eeb8cbdf2b88f2844f11e4f263b0abed5b5b0 ] After commit 'd430dffbe9dd ("mt76: mt7921: fix a possible race enabling/disabling runtime-pm")', runtime-pm is always disabled in the fw even if the user requests to enable it toggling debugfs node since mt7921_pm_interface_iter routine will use pm->enable to configure the fw. Fix the issue moving enable variable configuration before running mt7921_pm_interface_iter routine. Fixes: d430dffbe9dd ("mt76: mt7921: fix a possible race enabling/disabling runtime-pm") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 64ed8b9b2ed172e5c9b5d7ffbd189ec2b34eb374 Author: Sean Wang Date: Fri Dec 24 16:33:56 2021 +0800 mt76: mt7921: set EDCA parameters with the MCU CE command [ Upstream commit 66ca1a7b2d5503f561b751abdd6ec6fa96343eb6 ] The command MCU_EXT_CMD_EDCA_UPDATE is not fully supported by the MT7921 firmware, so we apply CE command MCU_CE_CMD_SET_EDCA_PARAMS instead which is supported even in the oldest firmware to properly set up EDCA parameters for each AC. Fixes: 1c099ab44727 ("mt76: mt7921: add MCU support") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 3773af2d5679a2965da06df336900ab7a69cb49c Author: Sean Wang Date: Fri Dec 24 16:33:55 2021 +0800 mt76: mt76_connac: fix MCU_CE_CMD_SET_ROC definition error [ Upstream commit bf9727a27442a50c75b7d99a5088330c578b2a42 ] Fixed an MCU_CE_CMD_SET_ROC definition error that occurred from a previous refactor work. Fixes: d0e274af2f2e4 ("mt76: mt76_connac: create mcu library") Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 32ba2da1626c30df70ea8759dc989b35896c1d97 Author: Lorenzo Bianconi Date: Wed Dec 22 17:06:36 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_sta_basic_tlv [ Upstream commit abdb8bc94be4cf68aa71c9a8ee0bad9b3e6f52d3 ] Similar to mt7915_mcu_wtbl_generic_tlv, rely on vif->bss_conf.aid for aid in sta mode and not on sta->aid. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 9da08143c62001ad52e7860b8c48a19516e363fc Author: Lorenzo Bianconi Date: Wed Dec 22 12:52:17 2021 +0100 mt76: mt7915: use proper aid value in mt7915_mcu_wtbl_generic_tlv in sta mode [ Upstream commit a56b1b0f145ef2d6bb9312dedf3ab8558ef50a5b ] mac80211 provides aid in vif->bss_conf.aid for sta mode and not in sta->aid. Fix mt7915_mcu_wtbl_generic_tlv routine using proper value for aid in sta mode. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 5748252cf822b1db5b404bac4c46fb88814c3cd1 Author: Lorenzo Bianconi Date: Sun Dec 19 18:40:06 2021 +0100 mt76: connac: fix sta_rec_wtbl tag len [ Upstream commit 74c337ec0905d99111fc63a15f2e0784b9ed5503 ] Similar to mt7915 driver, fix tag len error for sta_rec_wtbl, which causes fw parsing error for the tags placed behind it. Fixes: d0e274af2f2e4 ("mt76: mt76_connac: create mcu library") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 833e110f9707729c355f0c2775012f7046660c3f Author: Athira Rajeev Date: Wed Feb 2 09:48:37 2022 +0530 powerpc/perf: Don't use perf_hw_context for trace IMC PMU [ Upstream commit 0198322379c25215b2778482bf1221743a76e2b5 ] Trace IMC (In-Memory collection counters) in powerpc is useful for application level profiling. For trace_imc, presently task context (task_ctx_nr) is set to perf_hw_context. But perf_hw_context should only be used for CPU PMU. See commit 26657848502b ("perf/core: Verify we have a single perf_hw_context PMU"). So for trace_imc, even though it is per thread PMU, it is preferred to use sw_context in order to be able to do application level monitoring. Hence change the task_ctx_nr to use perf_sw_context. Fixes: 012ae244845f ("powerpc/perf: Trace imc PMU functions") Signed-off-by: Athira Rajeev Reviewed-by: Madhavan Srinivasan [mpe: Update subject & incorporate notes into change log, reflow comment] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220202041837.65968-1-atrajeev@linux.vnet.ibm.com Signed-off-by: Sasha Levin commit 182d3a791246c4c8d1988bf68b6a7100b8b4fe7f Author: Fabiano Rosas Date: Tue Jan 25 12:57:32 2022 -0300 KVM: PPC: Book3S HV: Check return value of kvmppc_radix_init [ Upstream commit 69ab6ac380a00244575de02c406dcb9491bf3368 ] The return of the function is being shadowed by the call to kvmppc_uvmem_init. Fixes: ca9f4942670c ("KVM: PPC: Book3S HV: Support for running secure guests") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125155735.1018683-2-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit e3e84a5ac13e30676643312759eb56f0e805e348 Author: Maxim Kiselev Date: Fri Jan 21 12:14:47 2022 +0300 powerpc: dts: t1040rdb: fix ports names for Seville Ethernet switch [ Upstream commit 5ebb74749202a25da4b3cc2eb15470225a05527c ] On board rev A, the network interface labels for the switch ports written on the front panel are different than on rev B and later. This patch fixes network interface names for the switch ports according to labels that are written on the front panel of the board rev B. They start from ETH3 and end at ETH10. This patch also introduces a separate device tree for rev A. The main device tree is supposed to cover rev B and later. Fixes: e69eb0824d8c ("powerpc: dts: t1040rdb: add ports for Seville Ethernet switch") Signed-off-by: Maxim Kiselev Reviewed-by: Maxim Kochetkov Reviewed-by: Vladimir Oltean Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220121091447.3412907-1-bigunclemax@gmail.com Signed-off-by: Sasha Levin commit cf61f850bf28a6d00971a1a10dd2e71fbfdb5e8a Author: Jiasheng Jiang Date: Thu Dec 30 10:29:26 2021 +0800 ray_cs: Check ioremap return value [ Upstream commit 7e4760713391ee46dc913194b33ae234389a174e ] As the possible failure of the ioremap(), the 'local->sram' and other two could be NULL. Therefore it should be better to check it in order to avoid the later dev_dbg. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Jiasheng Jiang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211230022926.1846757-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit f675761c5bffac0c7c1ea06cd7f02228c32b00f5 Author: Miaoqian Lin Date: Thu Jan 20 10:46:54 2022 +0000 power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe [ Upstream commit ba18dad0fb880cd29aa97b6b75560ef14d1061ba ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: f7a388d6cd1c ("power: reset: Add a driver for the Gemini poweroff") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 413b1212afaf0b8679c6d67d011d80732d31c6f3 Author: Alexander Lobakin Date: Wed Dec 8 15:07:02 2021 +0100 ixgbe: respect metadata on XSK Rx to skb [ Upstream commit f322a620be69e95594eda89502b478aa7dbf6ec2 ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match ixgbe_construct_skb(). Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e1bb730184a8dbccc6ba2050b80d2610034d44a7 Author: Alexander Lobakin Date: Wed Dec 8 15:07:01 2021 +0100 ixgbe: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit 8f405221a73a53234486c185d8ef647377a53cc6 ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, ixgbe_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: d0bcacd0a130 ("ixgbe: add AF_XDP zero-copy Rx support") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit cb239ef882f2bb609ac904475d950ed6e35603db Author: Alexander Lobakin Date: Wed Dec 8 15:07:00 2021 +0100 ixgbe: pass bi->xdp to ixgbe_construct_skb_zc() directly [ Upstream commit 1fbdaa13386804a31eefd3db3c5fe00e80ce9bc3 ] To not dereference bi->xdp each time in ixgbe_construct_skb_zc(), pass bi->xdp as an argument instead of bi. We can also call xsk_buff_free() outside of the function as well as assign bi->xdp to NULL, which seems to make it closer to its name. Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Tested-by: Sandeep Penigalapati Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e01777c273f83046385e6694be85046b64a28eaa Author: Alexander Lobakin Date: Wed Dec 8 15:06:59 2021 +0100 igc: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit f9e61d365bafdee40fe2586fc6be490c3e824dad ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, igc_construct_skb_zc() currently allocates and reserves additional `xdp->data_meta - xdp->data_hard_start`, which is about XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only (+ meta) to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Also, net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match igc_construct_skb(). Fixes: fc9df2a0b520 ("igc: Enable RX via AF_XDP zero-copy") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Nechama Kraus Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e473fd21df6e69caf30659c59d86cded083ac26e Author: Alexander Lobakin Date: Wed Dec 8 15:06:58 2021 +0100 ice: respect metadata on XSK Rx to skb [ Upstream commit 45a34ca68070e34e09d5bf4309f7f1f286a27fc7 ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match ice_construct_skb(). Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit cc27e71cdf668231054ec0623ac503849c2f1f93 Author: Alexander Lobakin Date: Wed Dec 8 15:06:57 2021 +0100 ice: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit dc44572d195e10ec41a03e09b3b5addab4af5cea ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, ice_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: 2d4238f55697 ("ice: Add support for AF_XDP") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 9821302eec591ef3a52f9941fc0a90a780c684a7 Author: Alexander Lobakin Date: Wed Dec 8 15:06:55 2021 +0100 i40e: respect metadata on XSK Rx to skb [ Upstream commit 6dba29537c0f639b482bd8f8bbd50ab4ae74b48d ] For now, if the XDP prog returns XDP_PASS on XSK, the metadata will be lost as it doesn't get copied to the skb. Copy it along with the frame headers. Account its size on skb allocation, and when copying just treat it as a part of the frame and do a pull after to "move" it to the "reserved" zone. net_prefetch() xdp->data_meta and align the copy size to speed-up memcpy() a little and better match i40e_construct_skb(). Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Suggested-by: Jesper Dangaard Brouer Suggested-by: Maciej Fijalkowski Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit f54e5c9d401662fe10b5476883f4a65e0f0a1cd3 Author: Alexander Lobakin Date: Wed Dec 8 15:06:54 2021 +0100 i40e: don't reserve excessive XDP_PACKET_HEADROOM on XSK Rx to skb [ Upstream commit bc97f9c6f988b31b728eb47a94ca825401dbeffe ] {__,}napi_alloc_skb() allocates and reserves additional NET_SKB_PAD + NET_IP_ALIGN for any skb. OTOH, i40e_construct_skb_zc() currently allocates and reserves additional `xdp->data - xdp->data_hard_start`, which is XDP_PACKET_HEADROOM for XSK frames. There's no need for that at all as the frame is post-XDP and will go only to the networking stack core. Pass the size of the actual data only to __napi_alloc_skb() and don't reserve anything. This will give enough headroom for stack processing. Fixes: 0a714186d3c0 ("i40e: add AF_XDP zero-copy Rx support") Signed-off-by: Alexander Lobakin Reviewed-by: Michal Swiatkowski Acked-by: Jesper Dangaard Brouer Tested-by: Kiran Bhandare Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 20e81143b4303e337141058762d9ae1365cb68ed Author: Gerhard Engleder Date: Sun Jan 30 10:54:22 2022 +0100 selftests/net: timestamping: Fix bind_phc check [ Upstream commit 678dfd5280341d877ca646499bfdc82a3d8b4356 ] timestamping checks socket options during initialisation. For the field bind_phc of the socket option SO_TIMESTAMPING it expects the value -1 if PHC is not bound. Actually the value of bind_phc is 0 if PHC is not bound. This results in the following output: SIOCSHWTSTAMP: tx_type 0 requested, got 0; rx_filter 0 requested, got 0 SO_TIMESTAMP 0 SO_TIMESTAMPNS 0 SO_TIMESTAMPING flags 0, bind phc 0 not expected, flags 0, bind phc -1 This is fixed by setting default value and expected value of bind_phc to 0. Fixes: 2214d7032479 ("selftests/net: timestamping: support binding PHC") Signed-off-by: Gerhard Engleder Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 43862572a201c39f60543fd8933d61853fc80261 Author: Fabiano Rosas Date: Tue Jan 25 18:56:52 2022 -0300 KVM: PPC: Fix vmx/vsx mixup in mmio emulation [ Upstream commit b99234b918c6e36b9aa0a5b2981e86b6bd11f8e2 ] The MMIO emulation code for vector instructions is duplicated between VSX and VMX. When emulating VMX we should check the VMX copy size instead of the VSX one. Fixes: acc9eb9305fe ("KVM: PPC: Reimplement LOAD_VMX/STORE_VMX instruction ...") Signed-off-by: Fabiano Rosas Reviewed-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220125215655.1026224-3-farosas@linux.ibm.com Signed-off-by: Sasha Levin commit 7f63c7215c9e48e44e0351066990fb53fd4f6e58 Author: Maor Gottlieb Date: Tue Jan 18 09:35:02 2022 +0200 RDMA/core: Set MR type in ib_reg_user_mr [ Upstream commit 32a88d16615c2be295571c29273c4ac94cb75309 ] Add missing assignment of MR type to IB_MR_TYPE_USER. Fixes: 33006bd4f37f ("IB/core: Introduce ib_reg_user_mr") Link: https://lore.kernel.org/r/be2e91bcd6e52dc36be289ae92f30d3a5cc6dcb1.1642491047.git.leonro@nvidia.com Signed-off-by: Maor Gottlieb Signed-off-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c08db032ddb7ee23a5a7e25d1a4a08529d48dd8b Author: Wen Gong Date: Tue Jan 18 22:42:11 2022 -0500 ath11k: set WMI_PEER_40MHZ while peer assoc for 6 GHz [ Upstream commit 1cb747192de2edb7e55920af8c458e4792908486 ] When station connect to AP of 6 GHz with 40 MHz bandwidth, the TX is always stay 20 MHz, it is because the flag WMI_PEER_40MHZ is not set while peer assoc. Add the flag if remote peer is 40 MHz bandwidth. Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03003-QCAHSPSWPL_V1_V2_SILICONZ_LITE-2 Fixes: c3a7d7eb4c98 ("ath11k: add 6 GHz params in peer assoc command") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220119034211.28622-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit 7da6169b6ebb75816b57be3beb829afa74f3b4b6 Author: Pavel Skripkin Date: Wed Jan 19 10:52:37 2022 +0200 ath9k_htc: fix uninit value bugs [ Upstream commit d1e0df1c57bd30871dd1c855742a7c346dbca853 ] Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero whole array to make KMSAN happy Fail logs: BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 4-7 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 BUG: KMSAN: kernel-usb-infoleak in usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 usb_submit_urb+0x6c1/0x2aa0 drivers/usb/core/urb.c:430 hif_usb_send_regout drivers/net/wireless/ath/ath9k/hif_usb.c:127 [inline] hif_usb_send+0x5f0/0x16f0 drivers/net/wireless/ath/ath9k/hif_usb.c:479 htc_issue_send drivers/net/wireless/ath/ath9k/htc_hst.c:34 [inline] htc_connect_service+0x143e/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:275 ... Uninit was created at: slab_post_alloc_hook mm/slab.h:524 [inline] slab_alloc_node mm/slub.c:3251 [inline] __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 kmalloc_reserve net/core/skbuff.c:354 [inline] __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 alloc_skb include/linux/skbuff.h:1126 [inline] htc_connect_service+0x1029/0x1960 drivers/net/wireless/ath/ath9k/htc_hst.c:258 ... Bytes 16-17 of 18 are uninitialized Memory access of size 18 starts at ffff888027377e00 Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") Reported-by: syzbot+f83a1df1ed4f67e8d8ad@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220115122733.11160-1-paskripkin@gmail.com Signed-off-by: Sasha Levin commit 3161dd44d4b93bef22a64951f90e47f8e57a7af1 Author: Hangbin Liu Date: Tue Jan 25 16:17:11 2022 +0800 selftests/bpf/test_xdp_redirect_multi: use temp netns for testing [ Upstream commit cec74489a8dee93053340ec88ea938ff4008c3c0 ] Use temp netns instead of hard code name for testing in case the netns already exists. Remove the hard code interface index when creating the veth interfaces. Because when the system loads some virtual interface modules, e.g. tunnels. the ifindex of 2 will be used and the cmd will fail. As the netns has not created if checking environment failed. Trap the clean up function after checking env. Fixes: 8955c1a32987 ("selftests/bpf/xdp_redirect_multi: Limit the tests in netns") Signed-off-by: Hangbin Liu Acked-by: William Tu Link: https://lore.kernel.org/r/20220125081717.1260849-2-liuhangbin@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit f18a459c31dc6c3d8b468b6b17a51eeb8f5df3a4 Author: Robert Hancock Date: Tue Jan 25 10:54:08 2022 -0600 net: phy: at803x: move page selection fix to config_init [ Upstream commit 4f3a00c7f5b2cfe4e127fd3fe49b55e1b318c01f ] The fix to select the copper page on AR8031 was being done in the probe function rather than config_init, so it would not be redone after resume from suspend. Move this to config_init so it is always redone when needed. Fixes: c329e5afb42f ("net: phy: at803x: select correct page on config init") Signed-off-by: Robert Hancock Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 427a6f88253e7d7e721e15fed4a0b927c13d6a60 Author: Tom Rix Date: Mon Jan 24 12:18:12 2022 -0800 drm/amd/pm: return -ENOTSUPP if there is no get_dpm_ultimate_freq function [ Upstream commit 430e6a0212b2a0eb1de5e9d47a016fa79edf3978 ] clang static analysis reports this represenative problem amdgpu_smu.c:144:18: warning: The left operand of '*' is a garbage value return clk_freq * 100; ~~~~~~~~ ^ If there is no get_dpm_ultimate_freq function, smu_get_dpm_freq_range returns success without setting the output min,max parameters. So return an -ENOTSUPP error. Fixes: e5ef784b1e17 ("drm/amd/powerplay: revise calling chain on retrieving frequency range") Signed-off-by: Tom Rix Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f4eaa999fec78dec2a9c2d797438e05cbffb125b Author: Zhou Qingyang Date: Tue Jan 25 00:57:29 2022 +0800 drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes() [ Upstream commit 588a70177df3b1777484267584ef38ab2ca899a2 ] In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode() is assigned to mode and is passed to drm_mode_probed_add() directly after that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and there is a dereference of it in list_add_tail() without recoveries, which could lead to NULL pointer dereference on failure of amdgpu_dm_create_common_mode(). Fix this by adding a NULL check of mode. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: e7b07ceef2a6 ("drm/amd/display: Merge amdgpu_dm_types and amdgpu_dm") Signed-off-by: Zhou Qingyang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 837fd4a8b63b17193d5fa7feb07f3aa4f6eab27e Author: Zhou Qingyang Date: Tue Jan 25 00:58:55 2022 +0800 drm/nouveau/acr: Fix undefined behavior in nvkm_acr_hsfw_load_bl() [ Upstream commit 2343bcdb4747d4f418a4daf2e898b94f86c24a59 ] In nvkm_acr_hsfw_load_bl(), the return value of kmalloc() is directly passed to memcpy(), which could lead to undefined behavior on failure of kmalloc(). Fix this bug by using kmemdup() instead of kmalloc()+memcpy(). This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: 22dcda45a3d1 ("drm/nouveau/acr: implement new subdev to replace "secure boot"") Signed-off-by: Zhou Qingyang Reviewed-by: Lyude Paul Signed-off-by: Lyude Paul Link: https://patchwork.freedesktop.org/patch/msgid/20220124165856.57022-1-zhou1615@umn.edu Signed-off-by: Sasha Levin commit 36cb41f9117e7bc9bc294e9d20403817e35c1cf5 Author: Brett Creeley Date: Mon Jan 24 10:53:04 2022 -0800 ionic: Correctly print AQ errors if completions aren't received [ Upstream commit bc43ed4f35abfdb1d52311110d49b545fccce975 ] Recent changes went into the driver to allow flexibility when printing error messages. Unfortunately this had the unexpected consequence of printing confusing messages like the following: IONIC_CMD_RX_FILTER_ADD (31) failed: IONIC_RC_SUCCESS (-6) In cases like this the completion of the admin queue command never completes, so the completion status is 0, hence IONIC_RC_SUCCESS is printed even though the command clearly failed. For example, this could happen when the driver tries to add a filter and at the same time the FW goes through a reset, so the AQ command never completes. Fix this by forcing the FW completion status to IONIC_RC_ERROR in cases where we never get the completion. Fixes: 8c9d956ab6fb ("ionic: allow adminq requests to override default error message") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 648c10c7065fdc58fee14bbf12f37163a262b560 Author: Shannon Nelson Date: Mon Jan 24 10:53:03 2022 -0800 ionic: fix up printing of timeout error [ Upstream commit 4cc787bd88be6974f3362fa49fd8c5609bd039b8 ] Make sure we print the TIMEOUT string if we had a timeout error, rather than printing the wrong status. Fixes: 8c9d956ab6fb ("ionic: allow adminq requests to override default error message") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit dd7c960c3527661cc92ea1bb47613602238b9ac5 Author: Brett Creeley Date: Mon Jan 24 10:53:00 2022 -0800 ionic: Don't send reset commands if FW isn't running [ Upstream commit b8fd0271dad00b953caaabe73474788d3d19e252 ] It's possible the FW is already shutting down while the driver is being removed and/or when the driver is going through reset. This can cause unexpected/unnecessary errors to be printed: eth0: DEV_CMD IONIC_CMD_PORT_RESET (12) error, IONIC_RC_ERROR (29) failed eth1: DEV_CMD IONIC_CMD_RESET (3) error, IONIC_RC_ERROR (29) failed Fix this by checking the FW status register before issuing the reset commands. Also, since err may not be assigned in ionic_port_reset(), assign it a default value of 0, and remove an unnecessary log message. Fixes: fbfb8031533c ("ionic: Add hardware init and device commands") Signed-off-by: Brett Creeley Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9ac0406855eb304b83bca4cdca0ab268786d7d7f Author: Shannon Nelson Date: Mon Jan 24 10:52:58 2022 -0800 ionic: start watchdog after all is setup [ Upstream commit 9ad2939a1525962a79a2fd974ec7e3a71455b964 ] The watchdog expects the lif to fully exist when it goes off, so lets not start the watchdog until all is ready in case there is some quirky time dialation that makes probe take multiple seconds. Fixes: 089406bc5ad6 ("ionic: add a watchdog timer to monitor heartbeat") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6af03dc0e19da3c0782310603d421b65922e5c88 Author: Shannon Nelson Date: Mon Jan 24 10:52:57 2022 -0800 ionic: fix type complaint in ionic_dev_cmd_clean() [ Upstream commit bc0bf9de6f48268f4ee59e57fb42ac751be3ecda ] Sparse seems to have gotten a little more picky lately and we need to revisit this bit of code to make sparse happy. warning: incorrect type in initializer (different address spaces) expected union ionic_dev_cmd_regs *regs got union ionic_dev_cmd_regs [noderef] __iomem *dev_cmd_regs warning: incorrect type in argument 2 (different address spaces) expected void [noderef] __iomem * got unsigned int * warning: incorrect type in argument 1 (different address spaces) expected void volatile [noderef] __iomem * got union ionic_dev_cmd * Fixes: d701ec326a31 ("ionic: clean up sparse complaints") Signed-off-by: Shannon Nelson Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2e16b1f7e8bbf6421bcf14280ed67dc22c34a59d Author: Maxime Ripard Date: Thu Jan 20 16:16:12 2022 +0100 drm/edid: Split deep color modes between RGB and YUV444 [ Upstream commit 4adc33f36d80489339f1b43dfeee96bb9ea8e459 ] The current code assumes that the RGB444 and YUV444 formats are the same, but the HDMI 2.0 specification states that: The three DC_XXbit bits above only indicate support for RGB 4:4:4 at that pixel size. Support for YCBCR 4:4:4 in Deep Color modes is indicated with the DC_Y444 bit. If DC_Y444 is set, then YCBCR 4:4:4 is supported for all modes indicated by the DC_XXbit flags. So if we have YUV444 support and any DC_XXbit flag set but the DC_Y444 flag isn't, we'll assume that we support that deep colour mode for YUV444 which breaks the specification. In order to fix this, let's split the edid_hdmi_dc_modes field in struct drm_display_info into two fields, one for RGB444 and one for YUV444. Suggested-by: Ville Syrjälä Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") Signed-off-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-4-maxime@cerno.tech Signed-off-by: Sasha Levin commit b2e326889b80ef200b10d582e8dbee0b5691f3c4 Author: Maxime Ripard Date: Thu Jan 20 16:16:11 2022 +0100 drm/edid: Don't clear formats if using deep color [ Upstream commit 75478b3b393bcbdca4e6da76fe3a9f1a4133ec5d ] The current code, when parsing the EDID Deep Color depths, that the YUV422 cannot be used, referring to the HDMI 1.3 Specification. This specification, in its section 6.2.4, indeed states: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is not permitted for any Deep Color mode. This indeed can be interpreted like the code does, but the HDMI 1.4 specification further clarifies that statement in its section 6.2.4: For each supported Deep Color mode, RGB 4:4:4 shall be supported and optionally YCBCR 4:4:4 may be supported. YCBCR 4:2:2 is also 36-bit mode but does not require the further use of the Deep Color modes described in section 6.5.2 and 6.5.3. This means that, even though YUV422 can be used with 12 bit per color, it shouldn't be treated as a deep color mode. This is also broken with YUV444 if it's supported by the display, but DRM_EDID_HDMI_DC_Y444 isn't set. In such a case, the code will clear color_formats of the YUV444 support set previously in drm_parse_cea_ext(), but will not set it back. Since the formats supported are already setup properly in drm_parse_cea_ext(), let's just remove the code modifying the formats in drm_parse_hdmi_deep_color_info() Fixes: d0c94692e0a3 ("drm/edid: Parse and handle HDMI deep color modes.") Signed-off-by: Maxime Ripard Reviewed-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20220120151625.594595-3-maxime@cerno.tech Signed-off-by: Sasha Levin commit f9b6368fa354b511bbc8df777f4441dd882b1395 Author: Magnus Karlsson Date: Fri Jan 21 13:35:08 2022 +0100 selftests, xsk: Fix rx_full stats test [ Upstream commit b4ec6a19231224f6b08dc54ea07da4c4090e8ee3 ] Fix the rx_full stats test so that it correctly reports pass even when the fill ring is not full of buffers. Fixes: 872a1184dbf2 ("selftests: xsk: Put the same buffer only once in the fill ring") Signed-off-by: Magnus Karlsson Signed-off-by: Daniel Borkmann Tested-by: Maciej Fijalkowski Acked-by: Maciej Fijalkowski Link: https://lore.kernel.org/bpf/20220121123508.12759-1-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin commit 99229e173fa53a0df0aaca400056c03c4507bc3a Author: Dario Binacchi Date: Tue Jan 18 10:54:32 2022 +0100 mtd: rawnand: gpmi: fix controller timings setting [ Upstream commit 2970bf5a32f079e1e9197411db4fe9faccb1503a ] Set the controller registers according to the real clock rate. The controller registers configuration (setup, hold, timeout, ... cycles) depends on the clock rate of the GPMI. Using the real rate instead of the ideal one, avoids that this inaccuracy (required_rate - real_rate) affects the registers setting. This patch has been tested on two custom boards with i.MX28 and i.MX6 SOCs: - i.MX28: required rate 100MHz, real rate 99.3MHz - i.MX6 required rate 100MHz, real rate 99MHz Fixes: b1206122069a ("mtd: rawnand: gpmi: use core timings instead of an empirical derivation") Co-developed-by: Michael Trimarchi Signed-off-by: Michael Trimarchi Signed-off-by: Dario Binacchi Tested-by: Sascha Hauer Reviewed-by: Sascha Hauer Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220118095434.35081-3-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit 29568323bfbc5187f319427170b948e75df705be Author: Jiasheng Jiang Date: Wed Jan 5 00:26:58 2022 +0800 mtd: onenand: Check for error irq [ Upstream commit 3e68f331c8c759c0daa31cc92c3449b23119a215 ] For the possible failure of the platform_get_irq(), the returned irq could be error number and will finally cause the failure of the request_irq(). Consider that platform_get_irq() can now in certain cases return -EPROBE_DEFER, and the consequences of letting request_irq() effectively convert that into -EINVAL, even at probe time rather than later on. So it might be better to check just now. Fixes: 2c22120fbd01 ("MTD: OneNAND: interrupt based wait support") Signed-off-by: Jiasheng Jiang Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20220104162658.1988142-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 24608d8489cb3622f5ca968fb7996d193e4f9f81 Author: Pavel Skripkin Date: Thu Jan 13 16:27:04 2022 +0300 Bluetooth: hci_serdev: call init_rwsem() before p->open() [ Upstream commit 9d7cbe2b9cf5f650067df4f402fdd799d4bbb4e1 ] kvartet reported, that hci_uart_tx_wakeup() uses uninitialized rwsem. The problem was in wrong place for percpu_init_rwsem() call. hci_uart_proto::open() may register a timer whose callback may call hci_uart_tx_wakeup(). There is a chance, that hci_uart_register_device() thread won't be fast enough to call percpu_init_rwsem(). Fix it my moving percpu_init_rwsem() call before p->open(). INFO: trying to register non-static key. The code is fine but needs lockdep annotation, or maybe you didn't initialize this object before use? turning off the locking correctness validator. CPU: 2 PID: 18524 Comm: syz-executor.5 Not tainted 5.16.0-rc6 #9 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 assign_lock_key kernel/locking/lockdep.c:951 [inline] register_lock_class+0x148d/0x1950 kernel/locking/lockdep.c:1263 __lock_acquire+0x106/0x57e0 kernel/locking/lockdep.c:4906 lock_acquire kernel/locking/lockdep.c:5637 [inline] lock_acquire+0x1ab/0x520 kernel/locking/lockdep.c:5602 percpu_down_read_trylock include/linux/percpu-rwsem.h:92 [inline] hci_uart_tx_wakeup+0x12e/0x490 drivers/bluetooth/hci_ldisc.c:124 h5_timed_event+0x32f/0x6a0 drivers/bluetooth/hci_h5.c:188 call_timer_fn+0x1a5/0x6b0 kernel/time/timer.c:1421 Fixes: d73e17281665 ("Bluetooth: hci_serdev: Init hci_uart proto_lock to avoid oops") Reported-by: Yiru Xu Signed-off-by: Pavel Skripkin Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit bf6a0bdc1ac1a4b28d3076543eeb4a3776d3f4e9 Author: Tedd Ho-Jeong An Date: Thu Jan 20 11:44:18 2022 -0800 Bluetooth: btintel: Fix WBS setting for Intel legacy ROM products [ Upstream commit 55235304c2560d4a94ccfff2a47ea927b4114064 ] This patch adds the flag to identify the Intel legacy ROM products that don't support WBS like WP and StP. Fixes: 3df4dfbec0f29 ("Bluetooth: btintel: Move hci quirks to setup routine") Signed-off-by: Tedd Ho-Jeong An Signed-off-by: Marcel Holtmann Signed-off-by: Sasha Levin commit af6b7f41d794edf73ae49b0886d7c9a67094516a Author: Felix Maurer Date: Tue Jan 18 16:11:56 2022 +0100 selftests: bpf: Fix bind on used port [ Upstream commit 8c0be0631d81e48f77d0ebf0534c86e32bef5f89 ] The bind_perm BPF selftest failed when port 111/tcp was already in use during the test. To fix this, the test now runs in its own network name space. To use unshare, it is necessary to reorder the includes. The style of the includes is adapted to be consistent with the other prog_tests. v2: Replace deprecated CHECK macro with ASSERT_OK Fixes: 8259fdeb30326 ("selftests/bpf: Verify that rebinding to port < 1024 from BPF works") Signed-off-by: Felix Maurer Signed-off-by: Andrii Nakryiko Reviewed-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/551ee65533bb987a43f93d88eaf2368b416ccd32.1642518457.git.fmaurer@redhat.com Signed-off-by: Sasha Levin commit 15a0b313d4e05603b7b3b593817b17f299c0b1f6 Author: Jani Nikula Date: Thu Jan 20 11:48:56 2022 +0200 drm/locking: fix drm_modeset_acquire_ctx kernel-doc [ Upstream commit 6f043b5969a4d6d385ca429388ded37e30e0d179 ] The stack_depot member was added without kernel-doc, leading to below warning. Fix it. ./include/drm/drm_modeset_lock.h:74: warning: Function parameter or member 'stack_depot' not described in 'drm_modeset_acquire_ctx' Reported-by: Stephen Rothwell Fixes: cd06ab2fd48f ("drm/locking: add backtrace for locking contended locks without backoff") Signed-off-by: Jani Nikula Reviewed-by: Daniel Vetter Tested-by: Stephen Rothwell Link: https://patchwork.freedesktop.org/patch/msgid/20220120094856.3004147-1-jani.nikula@intel.com Signed-off-by: Sasha Levin commit 3ee7db7ea79bd318614a5ce5bcbbab4b7976ff98 Author: José Expósito Date: Sat Jan 8 17:58:12 2022 +0100 drm/selftests/test-drm_dp_mst_helper: Fix memory leak in sideband_msg_req_encode_decode [ Upstream commit ba3a5ddcf1e5df31f2291006d5297ca62035584f ] Avoid leaking the "out" variable if it is not possible to allocate the "txmsg" variable. Fixes: 09234b88ef55 ("drm/selftests/test-drm_dp_mst_helper: Move 'sideband_msg_req_encode_decode' onto the heap") Addresses-Coverity-ID: 1475685 ("Resource leak") Signed-off-by: José Expósito Signed-off-by: Daniel Vetter Link: https://patchwork.freedesktop.org/patch/msgid/20220108165812.46797-1-jose.exposito89@gmail.com Signed-off-by: Sasha Levin commit d7fccf264b1a785525b366a5b7f8113c756187ad Author: Kumar Kartikeya Dwivedi Date: Fri Jan 14 22:09:44 2022 +0530 bpf: Fix UAF due to race between btf_try_get_module and load_module [ Upstream commit 18688de203b47e5d8d9d0953385bf30b5949324f ] While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall is happening in parallel. Currently, BTF parsing happens from MODULE_STATE_COMING notifier callback. At this point, the module initcalls have not been invoked. The notifier callback parses and prepares the module BTF, allocates an ID, which publishes it to userspace, and then adds it to the btf_modules list allowing the kernel to invoke btf_try_get_module for the BTF. However, at this point, the module has not been fully initialized (i.e. its initcalls have not finished). The code in module.c can still fail and free the module, without caring for other users. However, nothing stops btf_try_get_module from succeeding between the state transition from MODULE_STATE_COMING to MODULE_STATE_LIVE. This leads to a use-after-free issue when BPF program loads successfully in the state transition, load_module's do_init_module call fails and frees the module, and BPF program fd on close calls module_put for the freed module. Future patch has test case to verify we don't regress in this area in future. There are multiple points after prepare_coming_module (in load_module) where failure can occur and module loading can return error. We illustrate and test for the race using the last point where it can practically occur (in module __init function). An illustration of the race: CPU 0 CPU 1 load_module notifier_call(MODULE_STATE_COMING) btf_parse_module btf_alloc_id // Published to userspace list_add(&btf_mod->list, btf_modules) mod->init(...) ... ^ bpf_check | check_pseudo_btf_id | btf_try_get_module | returns true | ... ... | module __init in progress return prog_fd | ... ... V if (ret < 0) free_module(mod) ... close(prog_fd) ... bpf_prog_free_deferred module_put(used_btf.mod) // use-after-free We fix this issue by setting a flag BTF_MODULE_F_LIVE, from the notifier callback when MODULE_STATE_LIVE state is reached for the module, so that we return NULL from btf_try_get_module for modules that are not fully formed. Since try_module_get already checks that module is not in MODULE_STATE_GOING state, and that is the only transition a live module can make before being removed from btf_modules list, this is enough to close the race and prevent the bug. A later selftest patch crafts the race condition artifically to verify that it has been fixed, and that verifier fails to load program (with ENXIO). Lastly, a couple of comments: 1. Even if this race didn't exist, it seems more appropriate to only access resources (ksyms and kfuncs) of a fully formed module which has been initialized completely. 2. This patch was born out of need for synchronization against module initcall for the next patch, so it is needed for correctness even without the aforementioned race condition. The BTF resources initialized by module initcall are set up once and then only looked up, so just waiting until the initcall has finished ensures correct behavior. Fixes: 541c3bad8dc5 ("bpf: Support BPF ksym variables in kernel modules") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20220114163953.1455836-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit a3728d32fc61eb0fe283cb8ff60b2c8f751e2202 Author: Pavel Skripkin Date: Thu Dec 30 17:26:49 2021 +0300 udmabuf: validate ubuf->pagecount [ Upstream commit 2b6dd600dd72573c23ea180b5b0b2f1813405882 ] Syzbot has reported GPF in sg_alloc_append_table_from_pages(). The problem was in ubuf->pages == ZERO_PTR. ubuf->pagecount is calculated from arguments passed from user-space. If user creates udmabuf with list.size == 0 then ubuf->pagecount will be also equal to zero; it causes kmalloc_array() to return ZERO_PTR. Fix it by validating ubuf->pagecount before passing it to kmalloc_array(). Fixes: fbb0de795078 ("Add udmabuf misc device") Reported-and-tested-by: syzbot+2c56b725ec547fa9cb29@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Link: http://patchwork.freedesktop.org/patch/msgid/20211230142649.23022-1-paskripkin@gmail.com Signed-off-by: Gerd Hoffmann Signed-off-by: Sasha Levin commit 0b59c4918a69baee73ce544c3421ee53a9485f71 Author: Wei Fu Date: Sat Jan 8 16:40:08 2022 +0800 bpftool: Only set obj->skeleton on complete success [ Upstream commit 0991f6a38f576aa9a5e34713e23c998a3310d4d0 ] After `bpftool gen skeleton`, the ${bpf_app}.skel.h will provide that ${bpf_app_name}__open helper to load bpf. If there is some error like ENOMEM, the ${bpf_app_name}__open will rollback(free) the allocated object, including `bpf_object_skeleton`. Since the ${bpf_app_name}__create_skeleton set the obj->skeleton first and not rollback it when error, it will cause double-free in ${bpf_app_name}__destory at ${bpf_app_name}__open. Therefore, we should set the obj->skeleton before return 0; Fixes: 5dc7a8b21144 ("bpftool, selftests/bpf: Embed object file inside skeleton") Signed-off-by: Wei Fu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220108084008.1053111-1-fuweid89@gmail.com Signed-off-by: Sasha Levin commit 650f1a4e01f1edbb168b557bcdb9218d48e58b03 Author: Yafang Shao Date: Sat Jan 8 13:47:39 2022 +0000 libbpf: Fix possible NULL pointer dereference when destroying skeleton [ Upstream commit a32ea51a3f17ce6524c9fc19d311e708331c8b5f ] When I checked the code in skeleton header file generated with my own bpf prog, I found there may be possible NULL pointer dereference when destroying skeleton. Then I checked the in-tree bpf progs, finding that is a common issue. Let's take the generated samples/bpf/xdp_redirect_cpu.skel.h for example. Below is the generated code in xdp_redirect_cpu__create_skeleton(): xdp_redirect_cpu__create_skeleton struct bpf_object_skeleton *s; s = (struct bpf_object_skeleton *)calloc(1, sizeof(*s)); if (!s) goto error; ... error: bpf_object__destroy_skeleton(s); return -ENOMEM; After goto error, the NULL 's' will be deferenced in bpf_object__destroy_skeleton(). We can simply fix this issue by just adding a NULL check in bpf_object__destroy_skeleton(). Fixes: d66562fba1ce ("libbpf: Add BPF object skeleton support") Signed-off-by: Yafang Shao Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20220108134739.32541-1-laoar.shao@gmail.com Signed-off-by: Sasha Levin commit 861bccf3bb9fd6479f3d8ed23017b214d944cdd9 Author: Mauricio Vásquez Date: Fri Jan 7 10:26:20 2022 -0500 bpftool: Fix error check when calling hashmap__new() [ Upstream commit 622a5b582cc27d3deedc38fcef68da2972e8e58d ] hashmap__new() encodes errors with ERR_PTR(), hence it's not valid to check the returned pointer against NULL and IS_ERR() has to be used instead. libbpf_get_error() can't be used in this case as hashmap__new() is not part of the public libbpf API and it'll continue using ERR_PTR() after libbpf 1.0. Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects") Fixes: 2828d0d75b73 ("bpftool: Switch to libbpf's hashmap for programs/maps in BTF listing") Fixes: d6699f8e0f83 ("bpftool: Switch to libbpf's hashmap for PIDs/names references") Signed-off-by: Mauricio Vásquez Signed-off-by: Andrii Nakryiko Reviewed-by: Quentin Monnet Acked-by: Song Liu Link: https://lore.kernel.org/bpf/20220107152620.192327-2-mauricio@kinvolk.io Signed-off-by: Sasha Levin commit f86631de2ed85809bbcc755f4a732c35160eea35 Author: Jiasheng Jiang Date: Thu Jan 6 11:03:26 2022 +0800 drm/panfrost: Check for error num after setting mask [ Upstream commit 44ab30b056149bd59dd7989a593dd25ead6007fd ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Fixes: f3ba91228e8e ("drm/panfrost: Add initial panfrost driver") Signed-off-by: Jiasheng Jiang [Steve: fix Fixes: line] Reviewed-by: Steven Price Signed-off-by: Steven Price Link: https://patchwork.freedesktop.org/patch/msgid/20220106030326.2620942-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 58a8c42abcaa7b1cd4a32824947198c1c95440da Author: Jiasheng Jiang Date: Mon Jan 10 09:38:07 2022 +0800 drm/v3d/v3d_drv: Check for error num after setting mask [ Upstream commit 4a39156166b90465da0f9a33b3442d63b5651bec ] Because of the possible failure of the dma_supported(), the dma_set_mask_and_coherent() may return error num. Therefore, it should be better to check it and return the error if fails. Also, we can create a variable for the mask to solve the alignment issue. Fixes: 334dd38a3878 ("drm/v3d: Set dma_mask as well as coherent_dma_mask") Signed-off-by: Jiasheng Jiang Reviewed-by: Melissa Wen Signed-off-by: Melissa Wen Link: https://patchwork.freedesktop.org/patch/msgid/20220110013807.4105270-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit bd56a6d045ad7394aff1d81ecc828cfb83cb0699 Author: Wen Gong Date: Mon Jan 10 16:24:13 2022 +0200 ath10k: fix memory overwrite of the WoWLAN wakeup packet pattern [ Upstream commit e3fb3d4418fce5484dfe7995fcd94c18b10a431a ] In function ath10k_wow_convert_8023_to_80211(), it will do memcpy for the new->pattern, and currently the new->pattern and new->mask is same with the old, then the memcpy of new->pattern will also overwrite the old->pattern, because the header format of new->pattern is 802.11, its length is larger than the old->pattern which is 802.3. Then the operation of "Copy frame body" will copy a mistake value because the body memory has been overwrite when memcpy the new->pattern. Assign another empty value to new_pattern to avoid the overwrite issue. Tested-on: QCA6174 hw3.2 SDIO WLAN.RMH.4.4.1-00049 Fixes: fa3440fa2fa1 ("ath10k: convert wow pattern from 802.3 to 802.11") Signed-off-by: Wen Gong Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211222031347.25463-1-quic_wgong@quicinc.com Signed-off-by: Sasha Levin commit 01c69900e54168e6f61a8769c70c9b605efc6658 Author: Jagan Teki Date: Sun Jan 9 22:59:49 2022 +0530 drm: bridge: adv7511: Fix ADV7535 HPD enablement [ Upstream commit 3dbc84a595d17f64f14fcea00120d31e33e98880 ] Existing HPD enablement logic is not compatible with ADV7535 bridge, thus any runtime plug-in of HDMI cable is not working on these bridge designs. Unlike other ADV7511 family of bridges, the ADV7535 require HPD_OVERRIDE bit to set and reset for proper handling of HPD functionality. Fix it. Fixes: 8501fe4b14a3 ("drm: bridge: adv7511: Add support for ADV7535") Signed-off-by: Jagan Teki Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220109172949.168167-1-jagan@amarulasolutions.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 7debe80d8a84a7c4c93aefbcb0d6430fc0c039e7 Author: Miaoqian Lin Date: Wed Jan 5 10:48:26 2022 +0000 drm/bridge: nwl-dsi: Fix PM disable depth imbalance in nwl_dsi_probe [ Upstream commit b146e343a9e05605b491b1bf4a2b62a39d5638d8 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 44cfc6233447 ("drm/bridge: Add NWL MIPI DSI host controller support") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104826.1418-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 9172c711bd8833b1ebe5a818290a4a63f5340c6f Author: Miaoqian Lin Date: Wed Jan 5 10:41:09 2022 +0000 drm/bridge: Add missing pm_runtime_disable() in __dw_mipi_dsi_probe [ Upstream commit 96211b7c56b109a52768e6cc5e23a1f79316eca0 ] If the probe fails, we should use pm_runtime_disable() to balance pm_runtime_enable(). Add missing pm_runtime_disable() for __dw_mipi_dsi_probe. Fixes: 46fc51546d44 ("drm/bridge/synopsys: Add MIPI DSI host controller bridge") Signed-off-by: Miaoqian Lin Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20220105104113.31415-1-linmq006@gmail.com Reviewed-by: Robert Foss Signed-off-by: Sasha Levin commit 5274b9079343bd249578f02082736c35614f2ca8 Author: Miaoqian Lin Date: Mon Dec 27 09:25:22 2021 +0000 drm/bridge: Fix free wrong object in sii8620_init_rcp_input_dev [ Upstream commit 7c442e76c06cb1bef16a6c523487438175584eea ] rc_dev is allocated by rc_allocate_device(), and doesn't assigned to ctx->rc_dev before calling rc_free_device(ctx->rc_dev). So it should call rc_free_device(rc_dev); Fixes: e25f1f7c94e1 ("drm/bridge/sii8620: add remote control support") Signed-off-by: Miaoqian Lin Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20211227092522.21755-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit c03d7c890eefdd43c89c9e1e21cee2e27052df94 Author: Martin Blumenstingl Date: Fri Dec 31 00:55:15 2021 +0100 drm/meson: Fix error handling when afbcd.ops->init fails [ Upstream commit fa747d75f65d1b1cbc3f4691fa67b695e8a399c8 ] When afbcd.ops->init fails we need to free the struct drm_device. Also all errors which come after afbcd.ops->init was successful need to exit the AFBCD, just like meson_drv_unbind() does. Fixes: d1b5e41e13a7e9 ("drm/meson: Add AFBCD module driver") Signed-off-by: Martin Blumenstingl Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211230235515.1627522-3-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 7e88f6d40f5875212f9d9ee8ba19147159908d4a Author: Neil Armstrong Date: Wed Oct 20 14:39:44 2021 +0200 drm/meson: split out encoder from meson_dw_hdmi [ Upstream commit e67f6037ae1be34b2b686bab72caa41d57714534 ] This moves all the non-DW-HDMI code where it should be: an encoder in the drm/meson core driver. The bridge functions are copied as-is, except: - the encoder init uses the simple kms helper - the mode_set has been moved to atomic_enable() - debug prints are converted to dev_debg() For now the bridge attach flags is 0, DRM_BRIDGE_ATTACH_NO_CONNECTOR will be handled later. The meson dw-hdmi glue is slightly fixed to live without the encoder in the same driver. Signed-off-by: Neil Armstrong Acked-by: Sam Ravnborg Acked-by: Martin Blumenstingl [narmstrong: fixed warning because missing meson_encoder_hdmi.h include] Link: https://patchwork.freedesktop.org/patch/msgid/20211020123947.2585572-4-narmstrong@baylibre.com Signed-off-by: Sasha Levin commit a69bace3401f165d736283b963bf528f50b7f42e Author: Martin Blumenstingl Date: Fri Dec 31 00:55:14 2021 +0100 drm/meson: osd_afbcd: Add an exit callback to struct meson_afbcd_ops [ Upstream commit 04b8a5d9cfd171f65df75f444b5617a372649edd ] Use this to simplify the driver shutdown. It will also come handy when fixing the error handling in meson_drv_bind_master(). Signed-off-by: Martin Blumenstingl Fixes: d1b5e41e13a7e9 ("drm/meson: Add AFBCD module driver") Acked-by: Neil Armstrong Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20211230235515.1627522-2-martin.blumenstingl@googlemail.com Signed-off-by: Sasha Levin commit 9cf0755c156099b7a11fd7d1a90d9c8f17161c13 Author: Andre Przywara Date: Thu Mar 17 18:30:41 2022 +0000 ARM: configs: multi_v5_defconfig: re-enable DRM_PANEL and FB_xxx [ Upstream commit 9c44d0805f949c56121b4ae6949fb064537bf198 ] Commit 91185d55b32e ("drm: Remove DRM_KMS_FB_HELPER Kconfig option") led to de-selection of CONFIG_FB, which was a prerequisite for BACKLIGHT_CLASS_DEVICE, which CONFIG_DRM_PANEL_SIMPLE depended on. Explicitly set CONFIG_FB, to bring DRM_PANEL_SIMPLE, DRM_PANEL_EDP, FB_IMX and FB_ATMEL back into the generated .config. This also adds some new FB related features like fonts and the framebuffer console. See also commit 8c1768967e27 ("ARM: config: mutli v7: Reenable FB dependency"), which solved the same problem for multi_v7_defconfig. This relies on [1], to fix a broken Kconfig dependency. [1] https://lore.kernel.org/dri-devel/20220315084559.23510-1-tzimmermann@suse.de/raw Fixes: 91185d55b32e ("drm: Remove DRM_KMS_FB_HELPER Kconfig option") Signed-off-by: Andre Przywara Link: https://lore.kernel.org/r/20220317183043.948432-4-andre.przywara@arm.com' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 034117cac318345189f93b14dbabb115f982344a Author: Andre Przywara Date: Thu Mar 17 18:30:40 2022 +0000 ARM: configs: multi_v5_defconfig: re-enable CONFIG_V4L_PLATFORM_DRIVERS [ Upstream commit f5eb04d7a0e419d61f784de3ced708259ddb71d7 ] Commit 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") introduced CONFIG_MEDIA_PLATFORM_SUPPORT, to allow more fine grained control over the inclusion of certain Kconfig files. multi_v5_defconfig was selecting some drivers described in drivers/media/platform/Kconfig, which now wasn't included anymore. Explicitly set the new symbol in multi_v5_defconfig to bring those drivers back. This enables some new V4L2 and VIDEOBUF2 features, but as modules only. Fixes: 06b93644f4d1 ("media: Kconfig: add an option to filter in/out platform drivers") Signed-off-by: Andre Przywara Link: https://lore.kernel.org/r/20220317183043.948432-3-andre.przywara@arm.com' Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 177fb68c577bead1629411a61d586fb6bef69557 Author: Meng Tang Date: Wed Mar 16 17:13:03 2022 +0800 ASoC: amd: Fix reference to PCM buffer address [ Upstream commit 54e1bf9f6177a3ffbd920474f4481a25361163aa ] PCM buffers might be allocated dynamically when the buffer preallocation failed or a larger buffer is requested, and it's not guaranteed that substream->dma_buffer points to the actually used buffer. The driver needs to refer to substream->runtime->dma_addr instead for the buffer address. Fixes: cab396d8b22c1 ("ASoC: amd: add ACP5x pcm dma driver ops") Signed-off-by: Meng Tang Link: https://lore.kernel.org/r/20220316091303.9745-1-tangmeng@uniontech.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f3793eeb7b94a5eeed6f5c7a44bce403c6681a12 Author: Miaoqian Lin Date: Wed Mar 16 08:36:31 2022 +0000 ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data [ Upstream commit 9531a631379169d57756b2411178c6238655df88 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This is similar to commit 64b92de9603f ("ASoC: wcd9335: fix a leaked reference by adding missing of_node_put") Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316083631.14103-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 37dec3bc01e6d2bf6f586241cb371919b37ca1bc Author: Miaoqian Lin Date: Wed Mar 16 04:19:24 2022 +0000 ASoC: msm8916-wcd-analog: Fix error handling in pm8916_wcd_analog_spmi_probe [ Upstream commit 9ebd62d60edcd4d9c75485e5ccd0b79581ad3c49 ] In the error handling path, the clk_prepare_enable() function call should be balanced by a corresponding 'clk_disable_unprepare()' call , as already done in the remove function. Fixes: de66b3455023 ("ASoC: codecs: msm8916-wcd-analog: add MBHC support") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220316041924.17560-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 14228225091a0854b1de23e5b4fe8bdeeca9683b Author: Miaoqian Lin Date: Wed Mar 16 11:15:30 2022 +0000 ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe [ Upstream commit 740dc3e846537c3743da98bf106f376023fd085c ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error path. Fixes: fdbcb3cba54b ("ASoC: atmel: machine driver for at91sam9x5-wm8731 boards") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220316111530.4551-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4e5510219111607b1f1875ab3c3f0485ba3c381c Author: zhangqilong Date: Tue Mar 15 10:54:15 2022 +0800 ASoC: rockchip: Fix PM usage reference of rockchip_i2s_tdm_resume [ Upstream commit cc5d8ac95663a5813c696008bc524b794d471215 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with pm_runtime_resume_and_get to keep usage counter balanced. Fixes:081068fd64140 ("ASoC: rockchip: add support for i2s-tdm controller") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20220315025415.2593762-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 92e34984703b934175c9727d99454c248f81d60c Author: Jiasheng Jiang Date: Tue Mar 8 15:14:15 2022 +0800 mmc: davinci_mmc: Handle error for clk_enable [ Upstream commit 09e7af76db02c74f2a339b3cb2d95460fa2ddbe4 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: bbce5802afc5 ("davinci: mmc: updates to suspend/resume implementation") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220308071415.1093393-1-jiasheng@iscas.ac.cn Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 7a8dc27b7cac3bf0ef35a15429eab330c3d898b1 Author: Miaoqian Lin Date: Mon Mar 7 08:45:22 2022 +0000 ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe [ Upstream commit 375a347da4889f64d86e1ab7f4e6702b6e9bf299 ] Fix the missing clk_disable_unprepare() before return from msm8916_wcd_digital_probe in the error handling case. Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307084523.28687-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2d7f81dc8c0762136f3a148277abc88983636ed6 Author: Kai Vehmanen Date: Thu Mar 10 11:16:47 2022 -0600 ASoC: SOF: Intel: enable DMI L1 for playback streams [ Upstream commit a174e72e2355b9025205b4b6727bf43047eac6c6 ] Add back logic to mark all playback streams as L1 compatible. Fixes: 246dd4287dfb ("ASoC: SOF: Intel: make DMI L1 selection more robust") Reviewed-by: Ranjani Sridharan Reviewed-by: Péter Ujfalusi Signed-off-by: Kai Vehmanen Signed-off-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20220310171651.249385-2-pierre-louis.bossart@linux.intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dc9e910499dbd5f6158b8df8bcd470ce86715e87 Author: Wang Wensheng Date: Thu Mar 10 09:19:02 2022 +0000 ASoC: imx-es8328: Fix error return code in imx_es8328_probe() [ Upstream commit 3b891513f95cba3944e72c1139ea706d04f3781b ] Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 7e7292dba215 ("ASoC: fsl: add imx-es8328 machine driver") Signed-off-by: Wang Wensheng Link: https://lore.kernel.org/r/20220310091902.129299-1-wangwensheng4@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9f498ab25e24101615aa3e00de013221566881a5 Author: Shengjiu Wang Date: Thu Mar 10 10:37:43 2022 +0800 ASoC: fsl_spdif: Disable TX clock when stop [ Upstream commit 6ddf611219ba8f7c8fa0d26b39710a641e7d37a5 ] The TX clock source may be changed in next case, need to disable it when stop, otherwise the TX may not work after changing the clock source, error log is: aplay: pcm_write:2058: write error: Input/output error Fixes: a2388a498ad2 ("ASoC: fsl: Add S/PDIF CPU DAI driver") Signed-off-by: Shengjiu Wang Reviewed-by: Fabio Estevam Link: https://lore.kernel.org/r/1646879863-27711-1-git-send-email-shengjiu.wang@nxp.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d2923b48d99fe663cb93d8b481c93299fcd68656 Author: Miaoqian Lin Date: Tue Mar 8 02:01:44 2022 +0000 ASoC: mxs: Fix error handling in mxs_sgtl5000_probe [ Upstream commit 6ae0a4d8fec551ec581d620f0eb1fe31f755551c ] This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. For example, when codec_np is NULL, saif_np[0] and saif_np[1] are not NULL, it will cause leaks. of_node_put() will check if the node pointer is NULL, so we can call it directly to release the refcount of regular pointers. Fixes: e968194b45c4 ("ASoC: mxs: add device tree support for mxs-sgtl5000") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220308020146.26496-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3cbe0872818c6943517261f79e7be1594733621f Author: Codrin Ciubotariu Date: Mon Mar 7 14:21:57 2022 +0200 ASoC: dmaengine: do not use a NULL prepare_slave_config() callback [ Upstream commit 9a1e13440a4f2e7566fd4c5eae6a53e6400e08a4 ] Even if struct snd_dmaengine_pcm_config is used, prepare_slave_config() callback might not be set. Check if this callback is set before using it. Fixes: fa654e085300 ("ASoC: dmaengine-pcm: Provide default config") Signed-off-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307122202.2251639-2-codrin.ciubotariu@microchip.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7a752cb8e75979c0c0eb98e92f5887364007b41e Author: Miaoqian Lin Date: Mon Mar 7 09:01:30 2022 +0000 ASoC: rk817: Fix missing clk_disable_unprepare() in rk817_platform_probe [ Upstream commit a6b44a2518a08348bd0f0401e4d2b99233bbabc2 ] Fix the missing clk_disable_unprepare() before return from rk817_platform_probe() in the error handling case. Fixes: 0d6a04da9b25 ("ASoC: Add Rockchip rk817 audio CODEC support") Signed-off-by: Miaoqian Lin Tested-by: Chris Morgan Link: https://lore.kernel.org/r/20220307090146.4104-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d5a38629f1aaf397fd471b27e49d55289ddc0656 Author: Miaoqian Lin Date: Tue Mar 8 01:52:22 2022 +0000 ASoC: mediatek: mt8192-mt6359: Fix error handling in mt8192_mt6359_dev_probe [ Upstream commit e45ac7831ff3e2934d58cce319c17c8ec763c95c ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. Fix this by calling of_node_put() in error handling too. Fixes: 4e28491a7a19 ("ASoC: mediatek: mt8192-mt6359: fix device_node leak") Signed-off-by: Miaoqian Lin Reviewed-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20220308015224.23585-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0ae3df7d07cb4b985d653448d46da46ee61a3933 Author: Tzung-Bi Shih Date: Mon Dec 27 14:21:53 2021 +0800 ASoC: mediatek: use of_device_get_match_data() [ Upstream commit 3667a037e50a31555276a7989435126e501f0f15 ] Uses of_device_get_match_data() helper to clean some boilerplate code. Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20211227062153.3887447-1-tzungbi@google.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e5ca0a59871f35e661f95d24c88ba329d0797539 Author: Miaoqian Lin Date: Tue Mar 8 02:33:23 2022 +0000 ASoC: SOF: Add missing of_node_put() in imx8m_probe [ Upstream commit 5575f7f49134c7386a684335c9007737c606d3b5 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: afb93d716533 ("ASoC: SOF: imx: Add i.MX8M HW support") Signed-off-by: Miaoqian Lin Reviewed-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220308023325.31702-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4f19cdbb3c33703cfadecc56dbb85e4b9f71a58f Author: Miaoqian Lin Date: Mon Mar 7 08:35:52 2022 +0000 ASoC: rockchip: i2s: Fix missing clk_disable_unprepare() in rockchip_i2s_probe [ Upstream commit f725d20579807a68afbe5dba69e78b8fa05f5ef0 ] Fix the missing clk_disable_unprepare() before return from rockchip_i2s_probe() in the error handling case. Fixes: 01605ad12875 ("ASoC: rockchip-i2s: enable "hclk" for rockchip I2S controller") Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20220307083553.26009-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0f517480d5888cd54487c5662ce4da95b30ad798 Author: Miaoqian Lin Date: Tue Mar 8 01:39:48 2022 +0000 ASoC: atmel: Fix error handling in snd_proto_probe [ Upstream commit b0bfaf0544d08d093d6211d7ef8816fb0b5b6c75 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. This function only calls of_node_put() in the regular path. And it will cause refcount leak in error paths. Fix this by calling of_node_put() in error handling too. Fixes: a45f8853a5f9 ("ASoC: Add driver for PROTO Audio CODEC (with a WM8731)") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220308013949.20323-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit aee4c256883694e730a032dd2c360282bf5d17ab Author: Hans Verkuil Date: Sun Mar 6 12:29:11 2022 +0100 ivtv: fix incorrect device_caps for ivtvfb [ Upstream commit 25e94139218c0293b4375233c14f2256d7dcfaa8 ] The VIDIOC_G_FBUF and related overlay ioctls no longer worked (-ENOTTY was returned). The root cause was the introduction of the caps field in ivtv-driver.h. While loading the ivtvfb module would update the video_device device_caps field with V4L2_CAP_VIDEO_OUTPUT_OVERLAY it would not update that caps field, and that's what the overlay ioctls would look at. It's a bad idea to keep information in two places, so drop the caps field and only use vdev.device_caps. Signed-off-by: Hans Verkuil Reported-by: Martin Dauskardt Fixes: 2161536516ed (media: media/pci: set device_caps in struct video_device) Signed-off-by: Sasha Levin commit a489073bfe225f2789aab1f4c38a6be8cfb39428 Author: Jakob Koschel Date: Mon Feb 28 15:26:26 2022 +0100 media: saa7134: fix incorrect use to determine if list is empty [ Upstream commit 9f1f4b642451d35667a4dc6a9c0a89d954b530a3 ] 'dev' will *always* be set by list_for_each_entry(). It is incorrect to assume that the iterator value will be NULL if the list is empty. Instead of checking the pointer it should be checked if the list is empty. Fixes: 79dd0c69f05f ("V4L: 925: saa7134 alsa is now a standalone module") Signed-off-by: Jakob Koschel Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit bea378bba9cec045424bdb0c396251c17a5f789a Author: Miaoqian Lin Date: Mon Mar 7 12:38:12 2022 +0000 video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of [ Upstream commit a58c22cfbbf62fefca090334bbd35fd132e92a23 ] The device_node pointer is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb") Signed-off-by: Miaoqian Lin Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 077b90a45c32b496e00d66c06a0c0b73cfbe19a9 Author: Jiasheng Jiang Date: Wed Mar 2 14:28:44 2022 +0800 ASoC: fsi: Add check for clk_enable [ Upstream commit 405afed8a728f23cfaa02f75bbc8bdd6b7322123 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: ab6f6d85210c ("ASoC: fsi: add master clock control functions") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220302062844.46869-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f38fde9314f9d4d9ef9d4822a131d9bdd08f3fdd Author: Jiasheng Jiang Date: Fri Mar 4 10:38:21 2022 +0800 ASoC: wm8350: Handle error for wm8350_register_irq [ Upstream commit db0350da8084ad549bca16cc0486c11cc70a1f9b ] As the potential failure of the wm8350_register_irq(), it should be better to check it and return error if fails. Also, use 'free_' in order to avoid the same code. Fixes: a6ba2b2dabb5 ("ASoC: Implement WM8350 headphone jack detection") Signed-off-by: Jiasheng Jiang Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220304023821.391936-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 32e6ceb05f36432811753852c674a301f944a24b Author: Miaoqian Lin Date: Mon Mar 7 12:45:39 2022 +0000 ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe [ Upstream commit f590797fa3c1bccdd19e55441592a23b46aef449 ] This node pointer is returned by of_parse_phandle() with refcount incremented in this function. Calling of_node_put() to avoid the refcount leak. Fixes: 531f67e41dcd ("ASoC: at91sam9g20ek-wm8731: convert to dt support") Signed-off-by: Miaoqian Lin Reviewed-by: Codrin Ciubotariu Link: https://lore.kernel.org/r/20220307124539.1743-1-linmq006@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b2ba2927bb73c5741c6af09a6b6d266eb56cba1d Author: Lucas Tanure Date: Thu Mar 3 17:30:41 2022 +0000 ASoC: cs35l41: Fix max number of TX channels [ Upstream commit 16639d39bdf577168d3fe34315917a94365c8d19 ] This device only has 4 TX channels. Fixes: fe1024d50477b ("ASoC: cs35l41: Combine adjacent register writes") Signed-off-by: Lucas Tanure Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220303173059.269657-3-tanureal@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit d36f4e666b5701b4a9658459290b5866df459308 Author: David Rhodes Date: Thu Mar 3 17:30:40 2022 +0000 ASoC: cs35l41: Fix GPIO2 configuration [ Upstream commit 03a7895ee701e873c88c06bdb830ff40adb2be73 ] Fix GPIO2 polarity and direction configuration Fixes: fe1024d50477b ("ASoC: cs35l41: Combine adjacent register writes") Signed-off-by: David Rhodes Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20220303173059.269657-2-tanureal@opensource.cirrus.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit dd18f929458762f07b969d24d46e1d0a0d94c908 Author: Jiasheng Jiang Date: Fri Jan 14 07:28:40 2022 +0100 media: vidtv: Check for null return of vzalloc [ Upstream commit e6a21a14106d9718aa4f8e115b1e474888eeba44 ] As the possible failure of the vzalloc(), e->encoder_buf might be NULL. Therefore, it should be better to check it in order to guarantee the success of the initialization. If fails, we need to free not only 'e' but also 'e->name'. Also, if the allocation for ctx fails, we need to free 'e->encoder_buf' else. Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2874122ca4ca74adec72d6d6bf8828228ec20f15 Author: Dafna Hirschfeld Date: Tue Jan 25 09:02:11 2022 +0100 media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED [ Upstream commit fbe04b49a54e31f4321d632270207f0e6304cd16 ] If the callback 'start_streaming' fails, then all queued buffers in the driver should be returned with state 'VB2_BUF_STATE_QUEUED'. Currently, they are returned with 'VB2_BUF_STATE_ERROR' which is wrong. Fix this. This also fixes the warning: [ 65.583633] WARNING: CPU: 5 PID: 593 at drivers/media/common/videobuf2/videobuf2-core.c:1612 vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.585027] Modules linked in: snd_usb_audio snd_hwdep snd_usbmidi_lib snd_rawmidi snd_soc_hdmi_codec dw_hdmi_i2s_audio saa7115 stk1160 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_common videodev mc crct10dif_ce panfrost snd_soc_simple_card snd_soc_audio_graph_card snd_soc_spdif_tx snd_soc_simple_card_utils gpu_sched phy_rockchip_pcie snd_soc_rockchip_i2s rockchipdrm analogix_dp dw_mipi_dsi dw_hdmi cec drm_kms_helper drm rtc_rk808 rockchip_saradc industrialio_triggered_buffer kfifo_buf rockchip_thermal pcie_rockchip_host ip_tables x_tables ipv6 [ 65.589383] CPU: 5 PID: 593 Comm: v4l2src0:src Tainted: G W 5.16.0-rc4-62408-g32447129cb30-dirty #14 [ 65.590293] Hardware name: Radxa ROCK Pi 4B (DT) [ 65.590696] pstate: 80000005 (Nzcv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 65.591304] pc : vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.591850] lr : vb2_start_streaming+0x6c/0x160 [videobuf2_common] [ 65.592395] sp : ffff800012bc3ad0 [ 65.592685] x29: ffff800012bc3ad0 x28: 0000000000000000 x27: ffff800012bc3cd8 [ 65.593312] x26: 0000000000000000 x25: ffff00000d8a7800 x24: 0000000040045612 [ 65.593938] x23: ffff800011323000 x22: ffff800012bc3cd8 x21: ffff00000908a8b0 [ 65.594562] x20: ffff00000908a8c8 x19: 00000000fffffff4 x18: ffffffffffffffff [ 65.595188] x17: 000000040044ffff x16: 00400034b5503510 x15: ffff800011323f78 [ 65.595813] x14: ffff000013163886 x13: ffff000013163885 x12: 00000000000002ce [ 65.596439] x11: 0000000000000028 x10: 0000000000000001 x9 : 0000000000000228 [ 65.597064] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : fefefeff726c5e78 [ 65.597690] x5 : ffff800012bc3990 x4 : 0000000000000000 x3 : ffff000009a34880 [ 65.598315] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000007cd99f0 [ 65.598940] Call trace: [ 65.599155] vb2_start_streaming+0xd4/0x160 [videobuf2_common] [ 65.599672] vb2_core_streamon+0x17c/0x1a8 [videobuf2_common] [ 65.600179] vb2_streamon+0x54/0x88 [videobuf2_v4l2] [ 65.600619] vb2_ioctl_streamon+0x54/0x60 [videobuf2_v4l2] [ 65.601103] v4l_streamon+0x3c/0x50 [videodev] [ 65.601521] __video_do_ioctl+0x1a4/0x428 [videodev] [ 65.601977] video_usercopy+0x320/0x828 [videodev] [ 65.602419] video_ioctl2+0x3c/0x58 [videodev] [ 65.602830] v4l2_ioctl+0x60/0x90 [videodev] [ 65.603227] __arm64_sys_ioctl+0xa8/0xe0 [ 65.603576] invoke_syscall+0x54/0x118 [ 65.603911] el0_svc_common.constprop.3+0x84/0x100 [ 65.604332] do_el0_svc+0x34/0xa0 [ 65.604625] el0_svc+0x1c/0x50 [ 65.604897] el0t_64_sync_handler+0x88/0xb0 [ 65.605264] el0t_64_sync+0x16c/0x170 [ 65.605587] ---[ end trace 578e0ba07742170d ]--- Fixes: 8ac456495a33d ("[media] stk1160: Stop device and unqueue buffers when start_streaming() fails") Signed-off-by: Dafna Hirschfeld Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 39417ad6de7e96bcd596247fbcaea00d3f3e3c11 Author: Randy Dunlap Date: Fri Mar 4 22:40:36 2022 -0800 m68k: coldfire/device.c: only build for MCF_EDMA when h/w macros are defined [ Upstream commit e6e1e7b19fa132d23d09c465942aab4c110d3da9 ] When CONFIG_MCF_EDMA is set (due to COMPILE_TEST, not due to CONFIG_M5441x), coldfire/device.c has compile errors due to missing MCFEDMA_* symbols. In the .config file that was provided, CONFIG_M5206=y, not CONFIG_M5441x, so is not included in coldfire/device.c. Only build the MCF_EDMA code in coldfire/device.c if the MCFEDMA_* hardware macros are defined. Fixes these build errors: ../arch/m68k/coldfire/device.c:512:35: error: 'MCFEDMA_BASE' undeclared here (not in a function); did you mean 'MCFDMA_BASE1'? 512 | .start = MCFEDMA_BASE, ../arch/m68k/coldfire/device.c:513:50: error: 'MCFEDMA_SIZE' undeclared here (not in a function) 513 | .end = MCFEDMA_BASE + MCFEDMA_SIZE - 1, ../arch/m68k/coldfire/device.c:517:35: error: 'MCFEDMA_IRQ_INTR0' undeclared here (not in a function) 517 | .start = MCFEDMA_IRQ_INTR0, ../arch/m68k/coldfire/device.c:523:35: error: 'MCFEDMA_IRQ_INTR16' undeclared here (not in a function) 523 | .start = MCFEDMA_IRQ_INTR16, ../arch/m68k/coldfire/device.c:529:35: error: 'MCFEDMA_IRQ_INTR56' undeclared here (not in a function) 529 | .start = MCFEDMA_IRQ_INTR56, ../arch/m68k/coldfire/device.c:535:35: error: 'MCFEDMA_IRQ_ERR' undeclared here (not in a function) 535 | .start = MCFEDMA_IRQ_ERR, Fixes: d7e9d01ac292 ("m68k: add ColdFire mcf5441x eDMA platform support") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Link: lore.kernel.org/r/202203030252.P752DK46-lkp@intel.com Cc: Angelo Dureghello Cc: Greg Ungerer Cc: Greg Ungerer Cc: Geert Uytterhoeven Cc: linux-m68k@lists.linux-m68k.org Cc: uclinux-dev@uclinux.org Signed-off-by: Greg Ungerer Signed-off-by: Sasha Levin commit b214c69a5c49a260be2dea13c313fea18fab3be7 Author: Rob Herring Date: Fri Mar 4 14:25:58 2022 -0600 arm64: dts: rockchip: Fix SDIO regulator supply properties on rk3399-firefly [ Upstream commit 37cbd3c522869247ed4525b5042ff4c6a276c813 ] A label reference without brackets is a path string, not a phandle as intended. Add the missing brackets. Fixes: a5002c41c383 ("arm64: dts: rockchip: add WiFi module support for Firefly-RK3399") Signed-off-by: Rob Herring Link: https://lore.kernel.org/r/20220304202559.317749-1-robh@kernel.org Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit d07e4bbaff6fbba6f70c04b092ea7d9afcdf392e Author: Takashi Sakamoto Date: Fri Mar 4 21:56:47 2022 +0900 ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction [ Upstream commit bf0cd60b7e33cf221fbe1114e4acb2c828b0af0d ] AV/C deferred transaction was supported at a commit 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") while 'deferrable' flag can be uninitialized for non-control/notify AV/C transactions. UBSAN reports it: kernel: ================================================================================ kernel: UBSAN: invalid-load in /build/linux-aa0B4d/linux-5.15.0/sound/firewire/fcp.c:363:9 kernel: load of value 158 is not a valid value for type '_Bool' kernel: CPU: 3 PID: 182227 Comm: irq/35-firewire Tainted: P OE 5.15.0-18-generic #18-Ubuntu kernel: Hardware name: Gigabyte Technology Co., Ltd. AX370-Gaming 5/AX370-Gaming 5, BIOS F42b 08/01/2019 kernel: Call Trace: kernel: kernel: show_stack+0x52/0x58 kernel: dump_stack_lvl+0x4a/0x5f kernel: dump_stack+0x10/0x12 kernel: ubsan_epilogue+0x9/0x45 kernel: __ubsan_handle_load_invalid_value.cold+0x44/0x49 kernel: fcp_response.part.0.cold+0x1a/0x2b [snd_firewire_lib] kernel: fcp_response+0x28/0x30 [snd_firewire_lib] kernel: fw_core_handle_request+0x230/0x3d0 [firewire_core] kernel: handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? handle_ar_packet+0x1d9/0x200 [firewire_ohci] kernel: ? transmit_complete_callback+0x9f/0x120 [firewire_core] kernel: ar_context_tasklet+0xa8/0x2e0 [firewire_ohci] kernel: tasklet_action_common.constprop.0+0xea/0xf0 kernel: tasklet_action+0x22/0x30 kernel: __do_softirq+0xd9/0x2e3 kernel: ? irq_finalize_oneshot.part.0+0xf0/0xf0 kernel: do_softirq+0x75/0xa0 kernel: kernel: kernel: __local_bh_enable_ip+0x50/0x60 kernel: irq_forced_thread_fn+0x7e/0x90 kernel: irq_thread+0xba/0x190 kernel: ? irq_thread_fn+0x60/0x60 kernel: kthread+0x11e/0x140 kernel: ? irq_thread_check_affinity+0xf0/0xf0 kernel: ? set_kthread_struct+0x50/0x50 kernel: ret_from_fork+0x22/0x30 kernel: kernel: ================================================================================ This commit fixes the bug. The bug has no disadvantage for the non- control/notify AV/C transactions since the flag has an effect for AV/C response with INTERIM (0x0f) status which is not used for the transactions in AV/C general specification. Fixes: 00a7bb81c20f ("ALSA: firewire-lib: Add support for deferred transaction") Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/20220304125647.78430-1-o-takashi@sakamocchi.jp Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5403a3885a782f3114266ef2200c77b3aa82fad8 Author: Jia-Ju Bai Date: Fri Feb 25 05:25:52 2022 -0800 memory: emif: check the pointer temp in get_device_details() [ Upstream commit 5b5ab1bfa1898c6d52936a57c25c5ceba2cb2f87 ] The pointer temp is allocated by devm_kzalloc(), so it should be checked for error handling. Fixes: 7ec944538dde ("memory: emif: add basic infrastructure for EMIF driver") Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225132552.27894-1-baijiaju1990@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit e7d2e6e13ec1f54fd9628af8672c86c36e0b2599 Author: Jiasheng Jiang Date: Thu Feb 24 10:54:44 2022 +0800 memory: emif: Add check for setup_interrupts [ Upstream commit fd7bd80b46373887b390852f490f21b07e209498 ] As the potential failure of the devm_request_threaded_irq(), it should be better to check the return value of the setup_interrupts() and return error if fails. Fixes: 68b4aee35d1f ("memory: emif: add interrupt and temperature handling") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220224025444.3256530-1-jiasheng@iscas.ac.cn Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 08af6da684b44097ea09f1d74d5858b837ed203b Author: Jiasheng Jiang Date: Fri Oct 15 08:13:53 2021 +0000 ASoC: soc-compress: prevent the potentially use of null pointer [ Upstream commit de2c6f98817fa5decb9b7d3b3a8a3ab864c10588 ] There is one call trace that snd_soc_register_card() ->snd_soc_bind_card()->soc_init_pcm_runtime() ->snd_soc_dai_compress_new()->snd_soc_new_compress(). In the trace the 'codec_dai' transfers from card->dai_link, and we can see from the snd_soc_add_pcm_runtime() in snd_soc_bind_card() that, if value of card->dai_link->num_codecs is 0, then 'codec_dai' could be null pointer caused by index out of bound in 'asoc_rtd_to_codec(rtd, 0)'. And snd_soc_register_card() is called by various platforms. Therefore, it is better to add the check in the case of misusing. And because 'cpu_dai' has already checked in soc_init_pcm_runtime(), there is no need to check again. Adding the check as follow, then if 'codec_dai' is null, snd_soc_new_compress() will not pass through the check 'if (playback + capture != 1)', avoiding the leftover use of 'codec_dai'. Fixes: 467fece ("ASoC: soc-dai: move snd_soc_dai_stream_valid() to soc-dai.c") Signed-off-by: Jiasheng Jiang Reported-by: kernel test robot Reported-by: Dan Carpenter Link: https://lore.kernel.org/r/1634285633-529368-1-git-send-email-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit ad7d2aeb799b7409fc6957d87828c0c2b3c6fa88 Author: Jiasheng Jiang Date: Tue Mar 1 16:47:42 2022 +0800 ASoC: dwc-i2s: Handle errors for clk_enable [ Upstream commit 45ea97d74313bae681328b0c36fa348036777644 ] As the potential failure of the clk_enable(), it should be better to check it, as same as clk_prepare_enable(). Fixes: c9afc1834e81 ("ASoC: dwc: Disallow building designware_pcm as a module") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301084742.3751939-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4e71d824e6dc6852a4a6288feaeb46c638048ec2 Author: Jiasheng Jiang Date: Tue Mar 1 17:06:37 2022 +0800 ASoC: atmel_ssc_dai: Handle errors for clk_enable [ Upstream commit f9e2ca0640e59d19af0ff285ee5591ed39069b09 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fals. Fixes: cbaadf0f90d6 ("ASoC: atmel_ssc_dai: refactor the startup and shutdown") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301090637.3776558-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9e563574f9ecf361e0ee5fed40b2048c0cf3e600 Author: Jiasheng Jiang Date: Tue Mar 1 16:17:17 2022 +0800 ASoC: mxs-saif: Handle errors for clk_enable [ Upstream commit 2ecf362d220317debf5da376e0390e9f7a3f7b29 ] As the potential failure of the clk_enable(), it should be better to check it, like mxs_saif_trigger(). Fixes: d0ba4c014934 ("ASoC: mxs-saif: set a base clock rate for EXTMASTER mode work") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220301081717.3727190-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3fcdb9921cd84bd9282555c1643fdd2c848cf23b Author: Randy Dunlap Date: Mon Feb 28 14:05:56 2022 -0800 printk: fix return value of printk.devkmsg __setup handler [ Upstream commit b665eae7a788c5e2bc10f9ac3c0137aa0ad1fc97 ] If an invalid option value is used with "printk.devkmsg=", it is silently ignored. If a valid option value is used, it is honored but the wrong return value (0) is used, indicating that the command line option had an error and was not handled. This string is not added to init's environment strings due to init/main.c::unknown_bootoption() checking for a '.' in the boot option string and then considering that string to be an "Unused module parameter". Print a warning message if a bad option string is used. Always return 1 from the __setup handler to indicate that the command line option has been handled. Fixes: 750afe7babd1 ("printk: add kernel parameter to control writes to /dev/kmsg") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Cc: Borislav Petkov Cc: Andrew Morton Cc: Petr Mladek Cc: Sergey Senozhatsky Cc: Steven Rostedt Cc: John Ogness Reviewed-by: John Ogness Reviewed-by: Sergey Senozhatsky Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220228220556.23484-1-rdunlap@infradead.org Signed-off-by: Sasha Levin commit f3bca343c2021e542d6165879c3c9cbc94d5a0b8 Author: Frank Wunderlich Date: Tue Mar 1 16:24:18 2022 +0100 arm64: dts: broadcom: Fix sata nodename [ Upstream commit 55927cb44db43a57699fa652e2437a91620385dc ] After converting ahci-platform txt binding to yaml nodename is reported as not matching the standard: arch/arm64/boot/dts/broadcom/northstar2/ns2-svk.dt.yaml: ahci@663f2000: $nodename:0: 'ahci@663f2000' does not match '^sata(@.*)?$' Fix it to match binding. Fixes: ac9aae00f0fc ("arm64: dts: Add SATA3 AHCI and SATA3 PHY DT nodes for NS2") Signed-off-by: Frank Wunderlich Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit a4733c0048714f077fe313e32e3f8b46837e3dbb Author: Kuldeep Singh Date: Mon Feb 28 16:39:03 2022 +0530 arm64: dts: ns2: Fix spi-cpol and spi-cpha property [ Upstream commit c953c764e505428f59ffe6afb1c73b89b5b1ac35 ] Broadcom ns2 platform has spi-cpol and spi-cpho properties set incorrectly. As per spi-slave-peripheral-prop.yaml, these properties are of flag or boolean type and not integer type. Fix the values. Fixes: d69dbd9f41a7c (arm64: dts: Add ARM PL022 SPI DT nodes for NS2) Signed-off-by: Kuldeep Singh CC: Ray Jui CC: Scott Branden CC: Florian Fainelli Signed-off-by: Sasha Levin commit 2adfc7431a51e24cbb8e723a4855693dba122488 Author: Jiasheng Jiang Date: Mon Feb 28 10:28:39 2022 +0800 ALSA: spi: Add check for clk_enable() [ Upstream commit ca1697eb09208f0168d94b88b72f57505339cbe5 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 3568459a5113 ("ALSA: at73c213: manage SSC clock") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220228022839.3547266-1-jiasheng@iscas.ac.cn Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 95427ae5cd3c761e85a73557d552b0c37983d13c Author: Jiasheng Jiang Date: Mon Feb 28 11:15:40 2022 +0800 ASoC: ti: davinci-i2s: Add check for clk_enable() [ Upstream commit ed7c9fef11931fc5d32a83d68017ff390bf5c280 ] As the potential failure of the clk_enable(), it should be better to check it and return error if fails. Fixes: 5f9a50c3e55e ("ASoC: Davinci: McBSP: add device tree support for McBSP") Signed-off-by: Jiasheng Jiang Acked-by: Peter Ujfalusi Link: https://lore.kernel.org/r/20220228031540.3571959-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0340f9bf4c69bbdc7fc9ce91d4941946bb618ca1 Author: Aswath Govindraju Date: Fri Feb 11 13:20:55 2022 +0530 mmc: sdhci_am654: Fix the driver data of AM64 SoC [ Upstream commit 3b7340f1c89cc488e4df0b033bf7ae502ebbf5b2 ] The MMCSD IPs used in AM64 are the same as the ones used in J721E. Therefore, fix this by using the driver data from J721E for AM64 too, for both 8 and 4 bit instances. Fixes: 754b7f2f7d2a ("mmc: sdhci_am654: Add Support for TI's AM64 SoC") Signed-off-by: Aswath Govindraju Link: https://lore.kernel.org/r/20220211075056.26179-1-a-govindraju@ti.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 7f069deeb62d4fb38892f7c1afbfd99057da44f7 Author: Chun-Jie Chen Date: Sun Jan 30 09:21:01 2022 +0800 soc: mediatek: pm-domains: Add wakeup capacity support in power domain [ Upstream commit ac0ca395543af061f7ad77afcda0afb323d82468 ] Due to some power domain needs to keep on for wakeup in system suspend, so add GENPD_FLAG_ACTIVE_WAKEUP support in Mediatek power domain driver. Fixes: 59b644b01cf4 ("soc: mediatek: Add MediaTek SCPSYS power domains") Signed-off-by: Chun-Jie Chen Reviewed-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20220130012104.5292-3-chun-jie.chen@mediatek.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit df116784b10506bcdefebfcc936ea5f9dc935da3 Author: Jia-Ju Bai Date: Fri Feb 25 05:16:45 2022 -0800 ASoC: acp: check the return value of devm_kzalloc() in acp_legacy_dai_links_create() [ Upstream commit 431f9a77a4a62694ce90742d1f4c5abe1b8b6612 ] The function devm_kzalloc() in acp_legacy_dai_links_create() can fail, so its return value should be checked. Fixes: d4c750f2c7d4 ("ASoC: amd: acp: Add generic machine driver support for ACP cards") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225131645.27556-1-baijiaju1990@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7b8c273415c0305abf84f5bc0aa9977b7198e91d Author: Jia-Ju Bai Date: Fri Feb 25 05:10:30 2022 -0800 ASoC: rt5663: check the return value of devm_kzalloc() in rt5663_parse_dp() [ Upstream commit 4d06f92f38b799295ae22c98be7a20cac3e2a1a7 ] The function devm_kzalloc() in rt5663_parse_dp() can fail, so its return value should be checked. Fixes: 457c25efc592 ("ASoC: rt5663: Add the function of impedance sensing") Reported-by: TOTE Robot Signed-off-by: Jia-Ju Bai Link: https://lore.kernel.org/r/20220225131030.27248-1-baijiaju1990@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3363c0fb2886aa3c76705938762b0448b3c37146 Author: Arnd Bergmann Date: Tue Feb 15 15:37:37 2022 +0100 uaccess: fix nios2 and microblaze get_user_8() [ Upstream commit a97b693c3712f040c5802f32b2d685352e08cefa ] These two architectures implement 8-byte get_user() through a memcpy() into a four-byte variable, which won't fit. Use a temporary 64-bit variable instead here, and use a double cast the way that risc-v and openrisc do to avoid compile-time warnings. Fixes: 6a090e97972d ("arch/microblaze: support get_user() of size 8 bytes") Fixes: 5ccc6af5e88e ("nios2: Memory management") Reviewed-by: Christoph Hellwig Acked-by: Dinh Nguyen Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 63a368bf69caafecf69d95295a0f0f529e49a406 Author: Christophe Leroy Date: Thu Feb 17 09:49:59 2022 +0100 vsprintf: Fix %pK with kptr_restrict == 0 [ Upstream commit 84842911322fc6a02a03ab9e728a48c691fe3efd ] Although kptr_restrict is set to 0 and the kernel is booted with no_hash_pointers parameter, the content of /proc/vmallocinfo is lacking the real addresses. / # cat /proc/vmallocinfo 0x(ptrval)-0x(ptrval) 8192 load_module+0xc0c/0x2c0c pages=1 vmalloc 0x(ptrval)-0x(ptrval) 12288 start_kernel+0x4e0/0x690 pages=2 vmalloc 0x(ptrval)-0x(ptrval) 12288 start_kernel+0x4e0/0x690 pages=2 vmalloc 0x(ptrval)-0x(ptrval) 8192 _mpic_map_mmio.constprop.0+0x20/0x44 phys=0x80041000 ioremap 0x(ptrval)-0x(ptrval) 12288 _mpic_map_mmio.constprop.0+0x20/0x44 phys=0x80041000 ioremap ... According to the documentation for /proc/sys/kernel/, %pK is equivalent to %p when kptr_restrict is set to 0. Fixes: 5ead723a20e0 ("lib/vsprintf: no_hash_pointers prints all addresses as unhashed") Signed-off-by: Christophe Leroy Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/107476128e59bff11a309b5bf7579a1753a41aca.1645087605.git.christophe.leroy@csgroup.eu Signed-off-by: Sasha Levin commit 7a8bc51565b55e563dff2cbe2a3740e68ceb80ae Author: Muhammad Usama Anjum Date: Fri Jan 21 19:51:53 2022 +0500 selftests/lkdtm: Add UBSAN config [ Upstream commit 1900be289b598b2c553b3add13e491c0bb8a8550 ] UBSAN_BOUNDS and UBSAN_TRAP depend on UBSAN config option. merge_config.sh script generates following warnings if parent config doesn't have UBSAN config already enabled and UBSAN_BOUNDS/UBSAN_TRAP config options don't get added to the parent config. Value requested for CONFIG_UBSAN_BOUNDS not in final .config Requested value: CONFIG_UBSAN_BOUNDS=y Actual value: Value requested for CONFIG_UBSAN_TRAP not in final .config Requested value: CONFIG_UBSAN_TRAP=y Actual value: Fix this by including UBSAN config. Fixes: c75be56e35b2 ("lkdtm/bugs: Add ARRAY_BOUNDS to selftests") Signed-off-by: Muhammad Usama Anjum Acked-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit c3ba2637fd7d1b6dad9e245d1fb8b81e1dfc77df Author: Mirela Rabulea Date: Mon Nov 1 21:52:51 2021 +0200 media: ov5640: Fix set format, v4l2_mbus_pixelcode not updated [ Upstream commit e738f5dd67eb8098d75345908a5e73782d0569a5 ] In ov5640_set_fmt, pending_fmt_change will always be false, because the sensor format is saved before comparing it with the previous format: fmt = &sensor->fmt;... *fmt = *mbus_fmt;... if (mbus_fmt->code != sensor->fmt.code) sensor->pending_fmt_change = true; This causes the sensor to capture with the previous pixelcode. Also, changes might happen even for V4L2_SUBDEV_FORMAT_TRY, so fix that. Basically, revert back to the state before commit 071154499193 ("media: ov5640: Fix set format regression") as it was more clear, and then update format even when pixelcode does not change, as resolution might change. Fixes: 071154499193 ("media: ov5640: Fix set format regression") Fixes: 6949d864776e ("media: ov5640: do not change mode if format or frame interval is unchanged") Fixes: fb98e29ff1ea5 ("media: ov5640: fix mode change regression") Signed-off-by: Mirela Rabulea Reviewed-by: Jacopo Mondi Acked-by: Hugues Fruchet Tested-by: Hugues Fruchet Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit f6ce8604b7f61740ea1d8e64e3560073a68406ed Author: Nicolas Dufresne Date: Fri Feb 18 13:42:07 2022 -0500 media: v4l2-core: Initialize h264 scaling matrix [ Upstream commit 0f6146d476fc99862899e70f2554ee77b444b7b9 ] In the final H264 API, it is not required to set scaling matrix if they are not present in the bitstream. A flag was added in order to let the driver know. The downside is that it leaves the default control value to 0, which isn't valid. As per the spec (see formulas 7-8/7-9), when the scaling matrix are absent from the bitstream, flat values of 16 should be used. This improves this control semantic in a way that the control value are always valid. Drivers can then use the scaling_matrix control values without having to check its presence. Same method was employed for MPEG2_QUANTISATION. This fixes issues with MTK VCODEC H264 decoder when using GStreamer. GStreamer does not set this control if its not present in the bitstream. As MTK VDCODEC was using the initialized to 0 values, the frames ended up completely gray. Fixes: 54889c51b833d236 ("media: uapi: h264: Rename and clarify PPS_FLAG_SCALING_MATRIX_PRESENT") Signed-off-by: Nicolas Dufresne Tested-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 80ba0bc740d7a63ca2e1184eed90fbb4e9c2622f Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:12 2022 +0000 ASoC: codecs: wcd934x: fix return value of wcd934x_rx_hph_mode_put [ Upstream commit 4b0bec6088588a120d33db85b1f0d9f096d1df71 ] wcd934x_rx_hph_mode_put currently returns zero eventhough it changes the value. Fix this, so that change notifications are sent correctly. Fixes: 1cde8b822332 ("ASoC: wcd934x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-10-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 033e3041ce7c6c8f042e321b7cf0285a8da15b42 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:11 2022 +0000 ASoC: codecs: wcd934x: fix kcontrol max values [ Upstream commit 61163c3e7480106804269182e24db05244866493 ] set "HPH Type" Kcontrol max value of WCD_MBHC_HPH_STEREO instead of UINT_MAX. set "HPHL/R Impedance" Kcontrols max value to INT_MAX instead of UINT_MAX as max field is integer type. Without this patch amixer for these controls will show -1 as max value to userspace. Fixes: 9fb9b1690f0b ("ASoC: codecs: wcd934x: add mbhc support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-9-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 34ce9535f88c549979d86b306ed06e580e4492e1 Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:10 2022 +0000 ASoC: codecs: wcd938x: fix kcontrol max values [ Upstream commit b0217519236924f77a8382b4004e43ef8fd0dcbb ] set "HPH Type" Kcontrol max value of WCD_MBHC_HPH_STEREO instead of UINT_MAX. set "HPHL/R Impedance" Kcontrols max value to INT_MAX instead of UINT_MAX as max field is integer type. Without this patch amixer for these controls will show -1 as max value to userspace. Fixes: bcee7ed09b8e ("ASoC: codecs: wcd938x: add Multi Button Headset Control support") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-8-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f03c0c94186d5876857132d97e28f20cdc100bdc Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:09 2022 +0000 ASoC: codecs: wc938x: fix accessing array out of bounds for enum type [ Upstream commit cc587b7c8fbbe128f6bd0dad025a0caea5e6d164 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fix this by using enumerated items instead of integers. Fixes: e8ba1e05bdc0 ("ASoC: codecs: wcd938x: add basic controls") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-7-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4a799972a283ab4ec031041304d7e2d34e1a16eb Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:07 2022 +0000 ASoC: codecs: va-macro: fix accessing array out of bounds for enum type [ Upstream commit 0ea5eff7c6063a8f124188424f8e4c6727f35051 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fixes: 908e6b1df26e ("ASoC: codecs: lpass-va-macro: Add support to VA Macro") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-5-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7e3629e256d1cabf801d00050550ade4d036cafe Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:05 2022 +0000 ASoC: codecs: rx-macro: fix accessing array out of bounds for enum type [ Upstream commit bcfe5f76cc4051ea3f9eb5d2c8ea621641f290a5 ] Accessing enums using integer would result in array out of bounds access on platforms like aarch64 where sizeof(long) is 8 compared to enum size which is 4 bytes. Fixes: 4f692926f562 ("ASoC: codecs: lpass-rx-macro: add dapm widgets and route") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-3-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 87a2b44cb3005d30c3a72234d1e47b03ae3bb29a Author: Srinivas Kandagatla Date: Tue Feb 22 18:32:04 2022 +0000 ASoC: codecs: rx-macro: fix accessing compander for aux [ Upstream commit 42c709c4e1ce4c136891530646c9abd5dff3524f ] AUX interpolator does not have compander, so check before accessing compander data for this. Without this checkan array of out bounds access will be made in comp_enabled[] array. Fixes: 4f692926f562 ("ASoC: codecs: lpass-rx-macro: add dapm widgets and route") Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20220222183212.11580-2-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c67e5c05188bd1eb1fdbd4f775fb944294c58967 Author: Jernej Skrabec Date: Mon Feb 14 20:08:39 2022 +0100 media: cedrus: h264: Fix neighbour info buffer size [ Upstream commit fecd363ae2d5042553370b0adf60c47e35c34a83 ] According to BSP library source, H264 neighbour info buffer size needs to be 32 kiB for H6. This is similar to H265 decoding, which also needs double buffer size in comparison to older Cedrus core generations. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Issue was discovered using iommu and cross checked with BSP library source. Fixes: 6eb9b758e307 ("media: cedrus: Add H264 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit cb27d0232cb001470225f965c2eb505f1aa1dabb Author: Jernej Skrabec Date: Sat Feb 12 08:42:41 2022 +0100 media: cedrus: H265: Fix neighbour info buffer size [ Upstream commit ee8b887329c78971967506f3ac79b9302c9f83c1 ] Neighbour info buffer size needs to be 794 kiB in H6. This is actually already indirectly mentioned in the comment, but smaller size is used nevertheless. Increase buffer size to cover H6 needs. Since increase is not that big in absolute numbers, it doesn't make sense to complicate logic for older generations. Bug was discovered using iommu, which reported access error when trying to play H265 video. Fixes: 86caab29da78 ("media: cedrus: Add HEVC/H.265 decoding support") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit b5470f3efa530b10296257bb578ce4b1769e9a04 Author: Dan Carpenter Date: Wed Feb 2 20:52:01 2022 +0300 media: usb: go7007: s2250-board: fix leak in probe() [ Upstream commit 67e4550ecd6164bfbdff54c169e5bbf9ccfaf14d ] Call i2c_unregister_device(audio) on this error path. Fixes: d3b2ccd9e307 ("[media] s2250: convert to the control framework") Signed-off-by: Dan Carpenter Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 37f808a9e734e9036f7aa42ba4864fc6e91d2572 Author: Dongliang Mu Date: Sat Jan 22 15:44:59 2022 +0800 media: em28xx: initialize refcount before kref_get [ Upstream commit c08eadca1bdfa099e20a32f8fa4b52b2f672236d ] The commit 47677e51e2a4("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") adds kref_get to many init functions (e.g., em28xx_audio_init). However, kref_init is called too late in em28xx_usb_probe, since em28xx_init_dev before will invoke those init functions and call kref_get function. Then refcount bug occurs in my local syzkaller instance. Fix it by moving kref_init before em28xx_init_dev. This issue occurs not only in dev but also dev->dev_next. Fixes: 47677e51e2a4 ("[media] em28xx: Only deallocate struct em28xx after finishing all extensions") Reported-by: syzkaller Signed-off-by: Dongliang Mu Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 91e2805579ab0783eed53acc2bf9fb553e939004 Author: Zhou Qingyang Date: Mon Jan 24 18:20:01 2022 +0100 media: ti-vpe: cal: Fix a NULL pointer dereference in cal_ctx_v4l2_init_formats() [ Upstream commit abd77889851d2ead0d0c9c4d29f1808801477b00 ] In cal_ctx_v4l2_init_formats(), devm_kzalloc() is assigned to ctx->active_fmt and there is a dereference of it after that, which could lead to NULL pointer dereference on failure of devm_kzalloc(). Fix this bug by adding a NULL check of ctx->active_fmt. This bug was found by a static analyzer. Builds with 'make allyesconfig' show no new warnings, and our static analyzer no longer warns about this code. Fixes: 7168155002cf ("media: ti-vpe: cal: Move format handling to cal.c and expose helpers") Signed-off-by: Zhou Qingyang Reviewed-by: Pratyush Yadav Signed-off-by: Laurent Pinchart Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit e66594954d168b61049af5a763091deb00e16ef1 Author: Tom Rix Date: Thu Aug 12 19:01:46 2021 +0200 media: video/hdmi: handle short reads of hdmi info frame. [ Upstream commit 4a92fc6e55da5b87cecb572275deaff6ac9dd27e ] Calling hdmi_infoframe_unpack() with static sizeof(buffer) skips all the size checking done later in hdmi_infoframe_unpack(). A better value is the amount of data read into buffer. Fixes: 480b8b3e42c3 ("video/hdmi: Pass buffer size to infoframe unpack functions") Signed-off-by: Tom Rix Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7ed1bd0a9d2dde442183e84cce0acfb83ca8c881 Author: Neil Armstrong Date: Thu Jun 3 10:42:15 2021 +0200 media: mexon-ge2d: fixup frames size in registers [ Upstream commit 79e8c421a099bfbcebe59740153e55aa0442ced6 ] The CLIP, SRC & DST registers are coded to take the pixel/line start & end, starting from 0. Thus the end should be the width/height minus 1. It can be an issue with clipping and rotation, where it will add spurious lines from uninitialized or unwanted data with a shift in the result. Fixes: 59a635327ca7 ("media: meson: Add M2M driver for the Amlogic GE2D Accelerator Unit") Signed-off-by: Neil Armstrong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5176d48dde2b8abe84ea0b8f5286381541f9bd2e Author: Marek Vasut Date: Sun Feb 6 23:11:23 2022 +0100 ARM: dts: imx: Add missing LVDS decoder on M53Menlo [ Upstream commit 0c6f71176ea43d6f4003a4d57f7bb518c5ad6145 ] The M53Menlo display unit uses an LVDS-to-DPI bridge, TI DS90CF364A. Describe this bridge in DT, otherwise the DT incorrectly describes DPI panel attached directly to LVDS source. Fixes: 716be61d1869 ("ARM: dts: imx53: Add Menlosystems M53 board") Signed-off-by: Marek Vasut Cc: Shawn Guo Cc: Fabio Estevam Cc: NXP Linux Team Signed-off-by: Shawn Guo Signed-off-by: Sasha Levin commit 88b5779c17f52860a0ae0d8aae4449d7d08a1646 Author: Andy Shevchenko Date: Thu Jan 27 20:12:32 2022 +0200 vsprintf: Fix potential unaligned access [ Upstream commit d75b26f880f60ead301e79ba0f4a635c5a60767f ] The %p4cc specifier in some cases might get an unaligned pointer. Due to this we need to make copy to local variable once to avoid potential crashes on some architectures due to improper access. Fixes: af612e43de6d ("lib/vsprintf: Add support for printing V4L2 and DRM fourccs") Cc: Sakari Ailus Signed-off-by: Andy Shevchenko Reviewed-by: Petr Mladek Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20220127181233.72910-1-andriy.shevchenko@linux.intel.com Signed-off-by: Sasha Levin commit 808caebf0bc63b180a9b45613afbbaab08a236e2 Author: Olivier Moysan Date: Mon Jan 24 16:35:25 2022 +0100 ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 [ Upstream commit ee2aacb6f3a901a95b1dd68964b69c92cdbbf213 ] Replace sai2a-2 node name by sai2a-sleep-2, to avoid name duplication. Fixes: 1a9a9d226f0f ("ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15") Signed-off-by: Olivier Moysan Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 710a17e955f81c283f6203870c3805f0cea6f42c Author: Paul Kocialkowski Date: Sat Feb 5 19:53:24 2022 +0100 ARM: dts: sun8i: v3s: Move the csi1 block to follow address order [ Upstream commit c4af51698c4fb4fc683f2ac67f482cdf9ba2cd13 ] The csi1 block node was mistakenly added before the gic node, although its address comes after the gic's. Move the node to its correct position. Fixes: 90e048101fa1 ("ARM: dts: sun8i: V3/V3s/S3/S3L: add CSI1 device node") Signed-off-by: Paul Kocialkowski Signed-off-by: Maxime Ripard Link: https://lore.kernel.org/r/20220205185429.2278860-2-paul.kocialkowski@bootlin.com Signed-off-by: Sasha Levin commit e2f23d2191cd6076deee57b3087daaf3dc95e053 Author: Stephan Gerhold Date: Wed Dec 1 14:05:02 2021 +0100 cpuidle: qcom-spm: Check if any CPU is managed by SPM [ Upstream commit 0ee30ace67e425ab83a1673bf51f50b577328cf9 ] At the moment, the "qcom-spm-cpuidle" platform device is always created, even if none of the CPUs is actually managed by the SPM. On non-qcom platforms this will result in infinite probe-deferral due to the failing qcom_scm_is_available() call. To avoid this, look through the CPU DT nodes and check if there is actually any CPU managed by a SPM (as indicated by the qcom,saw property). It should also be available because e.g. MSM8916 has qcom,saw defined but it's typically not enabled with ARM64/PSCI firmwares. This is needed in preparation of a follow-up change that calls qcom_scm_set_warm_boot_addr() a single time before registering any cpuidle drivers. Otherwise this call might be made even on devices that have this driver enabled but actually make use of PSCI. Fixes: 60f3692b5f0b ("cpuidle: qcom_spm: Detach state machine from main SPM handling") Reported-by: Marek Szyprowski Link: https://lore.kernel.org/r/86e3e09f-a8d7-3dff-3fc6-ddd7d30c5d78@samsung.com/ Signed-off-by: Stephan Gerhold Tested-by: Marek Szyprowski Acked-by: Daniel Lezcano Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211201130505.257379-2-stephan@gerhold.net Signed-off-by: Sasha Levin commit 768473311a4ee57137ede9bcc7a4b35a15dd3cb6 Author: Miaoqian Lin Date: Fri Jan 14 06:28:40 2022 +0000 soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe [ Upstream commit c3d66a164c726cc3b072232d3b6d87575d194084 ] platform_get_irq() returns negative error number instead 0 on failure. And the doc of platform_get_irq() provides a usage example: int irq = platform_get_irq(pdev, 0); if (irq < 0) return irq; Fix the check of return value to catch errors correctly. Fixes: cdd5de500b2c ("soc: ti: Add wkup_m3_ipc driver") Signed-off-by: Miaoqian Lin Signed-off-by: Nishanth Menon Acked-by: Dave Gerlach Link: https://lore.kernel.org/r/20220114062840.16620-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit c53aefa790cd101094b965c793cbf00d7ee9dd54 Author: Christophe JAILLET Date: Thu Dec 23 17:23:00 2021 +0100 firmware: ti_sci: Fix compilation failure when CONFIG_TI_SCI_PROTOCOL is not defined [ Upstream commit 043cfff99a18933fda2fb2e163daee73cc07910b ] Remove an extra ";" which breaks compilation. Fixes: 53bf2b0e4e4c ("firmware: ti_sci: Add support for getting resource with subtype") Signed-off-by: Christophe JAILLET Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/e6c3cb793e1a6a2a0ae2528d5a5650dfe6a4b6ff.1640276505.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 6d0901558601f4e140adc4c44a324d4417f88ba6 Author: Baruch Siach Date: Thu Jan 20 20:43:41 2022 +0200 arm64: dts: qcom: ipq6018: fix usb reference period [ Upstream commit d1c10ab1494f09eb12fa6e58fc78bb28d44922ae ] Reference clock period for rate of 24MHz is 41ns (0x29). Link: https://lore.kernel.org/r/1965fc315525b8ab26cf9f71f939c24d@codeaurora.org Link: https://lore.kernel.org/r/a1932eba-564c-fe32-f220-53aa75250105@seco.com Fixes: 20bb9e3dd2e4 ("arm64: dts: qcom: ipq6018: add usb3 DT description") Reported-by: Kathiravan T Signed-off-by: Baruch Siach Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/4f4df55cf44cd0fd7d773aca171d4f48662fb1a5.1642704221.git.baruch@tkos.co.il Signed-off-by: Sasha Levin commit 472bb29c9999c0a8d009caf26056727ce9b53222 Author: Petr Vorel Date: Fri Jan 14 00:33:55 2022 +0100 arm64: dts: qcom: msm8994: Provide missing "xo_board" and "sleep_clk" to GCC [ Upstream commit 4dd1ad6192748523878463a285346db408b34a02 ] This is needed due changes in commit 0519d1d0bf33 ("clk: qcom: gcc-msm8994: Modernize the driver"), which removed struct clk_fixed_factor. Preparation for next commit for enabling SD/eMMC. Inspired by 2c2f64ae36d9. This is required for both msm8994-huawei-angler (sdhc1 will be enabled in next commit) and msm8992-lg-bullhead (where actually fixes sdhc1 - tested on bullhead rev 1.01). Fixes: 0519d1d0bf33 ("clk: qcom: gcc-msm8994: Modernize the driver") Signed-off-by: Petr Vorel Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220113233358.17972-4-petr.vorel@gmail.com Signed-off-by: Sasha Levin commit 3226045e0863bbb47ea6d17b3222ee20edbc08b1 Author: Maulik Shah Date: Sun Jan 9 22:55:00 2022 +0530 arm64: dts: qcom: sm8350: Correct TCS configuration for apps rsc [ Upstream commit a131255e4ad1ef8d4873ecba21561ba272b2547a ] Correct the TCS config by updating the number of TCSes for each type. Cc: devicetree@vger.kernel.org Fixes: b7e8f433a673 ("arm64: dts: qcom: Add basic devicetree support for SM8350 SoC") Signed-off-by: Maulik Shah Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-4-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit d1e40e2732dc52a768348b8b8c93bcda0bdbec83 Author: Maulik Shah Date: Sun Jan 9 22:54:58 2022 +0530 arm64: dts: qcom: sm8150: Correct TCS configuration for apps rsc [ Upstream commit 17ac8af678b6da6a8f1df7da8ebf2c5198741827 ] Correct the TCS config by updating the number of TCSes for each type. Cc: devicetree@vger.kernel.org Fixes: d8cf9372b654 ("arm64: dts: qcom: sm8150: Add apps shared nodes") Signed-off-by: Maulik Shah Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/1641749107-31979-2-git-send-email-quic_mkshah@quicinc.com Signed-off-by: Sasha Levin commit bdfc6ff99a6befa3d8bf8fce37d24f268b96de2c Author: Rafał Miłecki Date: Wed Dec 29 11:23:14 2021 +0100 arm64: dts: broadcom: bcm4908: use proper TWD binding [ Upstream commit 33826e9c6ba76b265d4e26cb95493fa27ed78974 ] Block at is a TWD that contains timers, watchdog and reset. Actual timers happen to be at block beginning but they only span across the first 0x28 registers. It means the old block description was incorrect (size 0x3c). Drop timers binding for now and use documented TWD binding. Timers should be properly documented and defined as TWD subnode. Fixes: 2961f69f151c ("arm64: dts: broadcom: add BCM4908 and Asus GT-AC5300 early DTS files") Signed-off-by: Rafał Miłecki Signed-off-by: Florian Fainelli Signed-off-by: Sasha Levin commit 07ccb527ad78cf0019d4cfbe45345d9a02ff4581 Author: Dmitry Baryshkov Date: Wed Dec 15 02:14:48 2021 +0300 arm64: dts: qcom: sm8250: fix PCIe bindings to follow schema [ Upstream commit d60507200485bc778bf6a5556271d784ab09d913 ] Replace (unused) enable-gpio binding with schema-defined wake-gpios. The GPIO line is still unused, but at least we'd follow the defined schema. While we are at it, change perst-gpio property to follow the preferred naming schema (perst-gpios). Fixes: 13e948a36db7 ("arm64: dts: qcom: sm8250: Commonize PCIe pins") Cc: Konrad Dybcio Signed-off-by: Dmitry Baryshkov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211214231448.2044987-1-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit d7bd4ca047be23e3a74a7ba14641a40bcf438b94 Author: David Heidelberg Date: Mon Dec 13 20:51:04 2021 +0100 arm64: dts: qcom: sdm845: fix microphone bias properties and values [ Upstream commit 625c24460dbbc3b6c9a148c0a30f0830893fc909 ] replace millivolt with correct microvolt and adjust value to the minimal value allowed by documentation. Found with `make qcom/sdm845-oneplus-fajita.dtb`. Fixes: arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias2-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias3-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias4-microvolt' is a required property From schema: Documentation/devicetree/bindings/sound/qcom,wcd934x.yaml arch/arm64/boot/dts/qcom/sdm845-oneplus-fajita.dt.yaml: codec@1: 'qcom,micbias1-millivolt', 'qcom,micbias2-millivolt', 'qcom,micbias3-millivolt', 'qcom,micbias4-millivolt' do not match any of the regexes: '^.*@[0-9a-f]+$', 'pinctrl-[0-9]+' Fixes: 27ca1de07dc3 ("arm64: dts: qcom: sdm845: add slimbus nodes") Signed-off-by: David Heidelberg Tested-by: Steev Klimaszewski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211213195105.114596-1-david@ixit.cz Signed-off-by: Sasha Levin commit fd9a79835d65d0e7eca945fce8dec05076140a5e Author: Daniel Thompson Date: Thu Jan 27 17:35:54 2022 +0000 soc: qcom: aoss: remove spurious IRQF_ONESHOT flags [ Upstream commit 8030cb9a55688c1339edd284d9d6ce5f9fc75160 ] Quoting the header comments, IRQF_ONESHOT is "Used by threaded interrupts which need to keep the irq line disabled until the threaded handler has been run.". When applied to an interrupt that doesn't request a threaded irq then IRQF_ONESHOT has a lesser known (undocumented?) side effect, which it to disable the forced threading of the irq. For "normal" kernels (without forced threading) then, if there is no thread_fn, then IRQF_ONESHOT is a nop. In this case disabling forced threading is not appropriate for this driver because it calls wake_up_all() and this API cannot be called from no-thread interrupt handlers on PREEMPT_RT systems (deadlock risk, triggers sleeping-while-atomic warnings). Fix this by removing IRQF_ONESHOT. Fixes: 2209481409b7 ("soc: qcom: Add AOSS QMP driver") Signed-off-by: Daniel Thompson [bjorn: Added Fixes tag] Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220127173554.158111-1-daniel.thompson@linaro.org Signed-off-by: Sasha Levin commit 2ee39164a701782bb88cf4a564dc7d8cb43c9bff Author: Miaoqian Lin Date: Sat Jan 8 09:59:31 2022 +0000 soc: qcom: aoss: Fix missing put_device call in qmp_get [ Upstream commit 4b41a9d0fe3db5f91078a380f62f0572c3ecf2dd ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling paths. Fixes: 8c75d585b931 ("soc: qcom: aoss: Expose send for generic usecase") Signed-off-by: Miaoqian Lin Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220108095931.21527-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 447499ab94356d9e57b223b8b10aed836dbd54f8 Author: Miaoqian Lin Date: Fri Jan 7 07:31:26 2022 +0000 soc: qcom: ocmem: Fix missing put_device() call in of_get_ocmem [ Upstream commit 0ff027027e05a866491bbb53494f0e2a61354c85 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: 01f937ffc468 ("soc: qcom: ocmem: don't return NULL in of_get_ocmem") Signed-off-by: Miaoqian Lin Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220107073126.2335-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 84b89fa877ad576e9ee8130f412cfd592f274508 Author: Jiasheng Jiang Date: Fri Dec 31 17:44:19 2021 +0800 soc: qcom: rpmpd: Check for null return of devm_kcalloc [ Upstream commit 5a811126d38f9767a20cc271b34db7c8efc5a46c ] Because of the possible failure of the allocation, data->domains might be NULL pointer and will cause the dereference of the NULL pointer later. Therefore, it might be better to check it and directly return -ENOMEM without releasing data manually if fails, because the comment of the devm_kmalloc() says "Memory allocated with this function is automatically freed on driver detach.". Fixes: bbe3a66c3f5a ("soc: qcom: rpmpd: Add a Power domain driver to model corners") Signed-off-by: Jiasheng Jiang Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211231094419.1941054-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit e561e1f6411e5b606508aa386d730e14f47f833c Author: Pavel Kubelun Date: Mon Dec 20 18:03:52 2021 +0100 ARM: dts: qcom: ipq4019: fix sleep clock [ Upstream commit 3d7e7980993d2c1ae42d3d314040fc2de6a9c45f ] It seems like sleep_clk was copied from ipq806x. Fix ipq40xx sleep_clk to the value QSDK defines. Link: https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-msm/commit/?id=d92ec59973484acc86dd24b67f10f8911b4b4b7d Link: https://patchwork.kernel.org/comment/22721613/ Fixes: bec6ba4cdf2a ("qcom: ipq4019: Add basic board/dts support for IPQ4019 SoC") Suggested-by: Bjorn Andersson (clock-output-names) Signed-off-by: Pavel Kubelun Signed-off-by: Christian Lamparter (removed clock rename) Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211220170352.34591-1-chunkeey@gmail.com Signed-off-by: Sasha Levin commit 36166c395c3de1740e9ab7be8d2035bf03632e7d Author: Marijn Suijten Date: Wed Dec 8 09:34:21 2021 +0100 firmware: qcom: scm: Remove reassignment to desc following initializer [ Upstream commit 7823e5aa5d1dd9ed5849923c165eb8f29ad23c54 ] Member assignments to qcom_scm_desc were moved into struct initializers in 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") including the case in qcom_scm_iommu_secure_ptbl_init, except that the - now duplicate - assignment to desc was left in place. While not harmful, remove this unnecessary extra reassignment. Fixes: 57d3b816718c ("firmware: qcom_scm: Remove thin wrappers") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Alex Elder Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20211208083423.22037-2-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit f26269c8ac92c4abbe06c90667d98d45c5c72d07 Author: Douglas Anderson Date: Tue Jan 25 14:44:18 2022 -0800 arm64: dts: qcom: sc7280: Fix gmu unit address [ Upstream commit 142a4d995c6adb6bf5b22166f51b525e83c96661 ] When processing sc7280 device trees, I can see: Warning (simple_bus_reg): /soc@0/gmu@3d69000: simple-bus unit address format error, expected "3d6a000" There's a clear typo in the node name. Fix it. Fixes: 96c471970b7b ("arm64: dts: qcom: sc7280: Add gpu support") Signed-off-by: Douglas Anderson Reviewed-by: Stephen Boyd Reviewed-by: Matthias Kaehlcke Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220125144316.v2.1.I19f60014e9be4b9dda4d66b5d56ef3d9600b6e10@changeid Signed-off-by: Sasha Levin commit 722d3fdc090ce4252c7e140250e656d83cab0ce7 Author: Randy Dunlap Date: Sat Jan 29 00:02:59 2022 -0800 ASoC: max98927: add missing header file [ Upstream commit bb45f689fa62110c263c86070bfcb9ecbb6e1e23 ] Add a header file that provides the missing function prototypes and macro to fix these build errors (seen on arch/alpha/): ../sound/soc/codecs/max98927.c: In function 'max98927_i2c_probe': ../sound/soc/codecs/max98927.c:902:19: error: implicit declaration of function 'devm_gpiod_get_optional'; did you mean 'devm_regulator_get_optional'? [-Werror=implicit-function-declaration] 902 | = devm_gpiod_get_optional(&i2c->dev, "reset", GPIOD_OUT_HIGH); | ^~~~~~~~~~~~~~~~~~~~~~~ ../sound/soc/codecs/max98927.c:902:63: error: 'GPIOD_OUT_HIGH' undeclared (first use in this function); did you mean 'GPIOF_INIT_HIGH'? 902 | = devm_gpiod_get_optional(&i2c->dev, "reset", GPIOD_OUT_HIGH); | ^~~~~~~~~~~~~~ ../sound/soc/codecs/max98927.c:909:17: error: implicit declaration of function 'gpiod_set_value_cansleep'; did you mean 'gpio_set_value_cansleep'? [-Werror=implicit-function-declaration] 909 | gpiod_set_value_cansleep(max98927->reset_gpio, 0); | ^~~~~~~~~~~~~~~~~~~~~~~~ Fixes: 4d67dc1998f1 ("ASoC: max98927: Handle reset gpio when probing i2c") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Alejandro Tafalla Cc: Mark Brown Cc: Liam Girdwood Cc: Takashi Iwai Cc: alsa-devel@alsa-project.org Link: https://lore.kernel.org/r/20220129080259.19964-1-rdunlap@infradead.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c6002691f47daf80ee2cfd8d0259a3cf25f9e67c Author: Zev Weiss Date: Tue Jan 4 16:37:18 2022 -0800 ARM: dts: Fix OpenBMC flash layout label addresses [ Upstream commit e011df3579ac980d840db8e8c3b9431f88ebddab ] We've ended up with some inconsistencies between the addresses in the DT node labels and the actual offsets of the partitions; this brings them back in sync. Signed-off-by: Zev Weiss Fixes: 529022738c8e ("ARM: dts: Add OpenBMC flash layout") Fixes: 8dec60e7b8d0 ("ARM: dts: aspeed: Grow u-boot partition 64MiB OpenBMC flash layout") Reviewed-by: Lei YU Link: https://lore.kernel.org/r/20220105003718.19888-1-zev@bewilderbeest.net Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 6bc73f4fa891e81896162749d07d269580a2aa0f Author: Dan Carpenter Date: Thu Sep 16 16:29:19 2021 +0300 video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name() [ Upstream commit 78482af095abd9f4f29f1aa3fe575d25c6ae3028 ] This code has two bugs: 1) "cnt" is 255 but the size of the buffer is 256 so the last byte is not used. 2) If we try to print more than 255 characters then "cnt" will be negative and that will trigger a WARN() in snprintf(). The fix for this is to use scnprintf() instead of snprintf(). We can re-write this code to be cleaner: 1) Rename "offset" to "off" because that's shorter. 2) Get rid of the "cnt" variable and just use "size - off" directly. 3) Get rid of the "read" variable and just increment "off" directly. Fixes: 96fe6a2109db ("fbdev: Add VESA Coordinated Video Timings (CVT) support") Signed-off-by: Dan Carpenter Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit bcef1fe26ac5bc84bb8f15a826dae627cc12736f Author: Dan Carpenter Date: Fri Dec 3 12:58:08 2021 +0300 video: fbdev: atmel_lcdfb: fix an error code in atmel_lcdfb_probe() [ Upstream commit fee5c1e4b789e41719af9fee0e2dd397cd31988f ] If "sinfo->config" is not found, then return -ENODEV. Don't return success. Fixes: b985172b328a ("video: atmel_lcdfb: add device tree suport") Signed-off-by: Dan Carpenter Acked-by: Nicolas Ferre Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit d396c651e2b508b6179bb678cc029f3becbf5170 Author: Wang Hai Date: Thu Oct 14 21:22:31 2021 +0800 video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() [ Upstream commit 1791f487f877a9e83d81c8677bd3e7b259e7cb27 ] I got a null-ptr-deref report: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:fb_destroy_modelist+0x38/0x100 ... Call Trace: ufx_usb_probe.cold+0x2b5/0xac1 [smscufx] usb_probe_interface+0x1aa/0x3c0 [usbcore] really_probe+0x167/0x460 ... ret_from_fork+0x1f/0x30 If fb_alloc_cmap() fails in ufx_usb_probe(), fb_destroy_modelist() will be called to destroy modelist in the error handling path. But modelist has not been initialized yet, so it will result in null-ptr-deref. Initialize modelist before calling fb_alloc_cmap() to fix this bug. Fixes: 3c8a63e22a08 ("Add support for SMSC UFX6000/7000 USB display adapters") Reported-by: Hulk Robot Signed-off-by: Wang Hai Acked-by: Thomas Zimmermann Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 546fba26b9054286ea24bf969e7e58e6e01280e8 Author: YueHaibing Date: Thu Dec 9 17:01:13 2021 +0800 video: fbdev: controlfb: Fix COMPILE_TEST build [ Upstream commit 567e44fb51b4f909ae58038a7301352eecea8426 ] If PPC_BOOK3S, PPC_PMAC and PPC32 is n, COMPILE_TEST build fails: drivers/video/fbdev/controlfb.c:70:0: error: "pgprot_cached_wthru" redefined [-Werror] #define pgprot_cached_wthru(prot) (prot) In file included from ./arch/powerpc/include/asm/pgtable.h:20:0, from ./include/linux/pgtable.h:6, from ./include/linux/mm.h:33, from drivers/video/fbdev/controlfb.c:37: ./arch/powerpc/include/asm/nohash/pgtable.h:243:0: note: this is the location of the previous definition #define pgprot_cached_wthru(prot) (__pgprot((pgprot_val(prot) & ~_PAGE_CACHE_CTL) | \ Fixes: a07a63b0e24d ("video: fbdev: controlfb: add COMPILE_TEST support") Signed-off-by: YueHaibing Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 0e73b4065cad92a409a398fd82ea76a46202029c Author: Z. Liu Date: Sun Dec 19 02:00:35 2021 +0800 video: fbdev: matroxfb: set maxvram of vbG200eW to the same as vbG200 to avoid black screen [ Upstream commit 62d89a7d49afe46e6b9bbe9e23b004ad848dbde4 ] Start from commit 11be60bd66d54 "matroxfb: add Matrox MGA-G200eW board support", when maxvram is 0x800000, monitor become black w/ error message said: "The current input timing is not supported by the monitor display. Please change your input timing to 1920x1080@60Hz ...". Fixes: 11be60bd66d5 ("matroxfb: add Matrox MGA-G200eW board support") Signed-off-by: Z. Liu Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 26ee497132e269896da859da37641d095622f450 Author: Jammy Huang Date: Tue Jan 25 07:44:07 2022 +0100 media: aspeed: Correct value for h-total-pixels [ Upstream commit 4b732a0016853eaff35944f900b0db66f3914374 ] Previous reg-field, 0x98[11:0], stands for the period of the detected hsync signal. Use the correct reg, 0xa0, to get h-total in pixels. Fixes: d2b4387f3bdf ("media: platform: Add Aspeed Video Engine driver") Signed-off-by: Jammy Huang Reviewed-by: Joel Stanley Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0526147bb21083e7891b69b30c8d2847036cfa03 Author: Sakari Ailus Date: Mon Jan 10 17:16:51 2022 +0100 media: ov5648: Don't pack controls struct [ Upstream commit edd4fbff5378a8103470304809195dc8f4b1d42a ] Don't pack the driver specific struct containing control pointers. This lead to potential alignment issues when working with the pointers. Reported-by: kernel test robot Fixes: e43ccb0a045f ("media: i2c: Add support for the OV5648 image sensor") Reviewed-by: Paul Kocialkowski Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d3d7847bd7c052d02fabc37ab29c8ddeb184af5c Author: Sakari Ailus Date: Mon Jan 10 15:53:12 2022 +0100 media: v4l: Avoid unaligned access warnings when printing 4cc modifiers [ Upstream commit 24bb30c8c894ec7213ad810b46e2a6a4c12136c1 ] Pointers V4L2 pixelformat and dataformat fields in a few packed structs are directly passed to printk family of functions. This could result in an unaligned access albeit no such possibility appears to exist at the moment i.e. this clang warning appears to be a false positive. Address the warning by copying the pixelformat or dataformat value to a local variable first. Reported-by: kernel test robot Fixes: e927e1e0f0dd ("v4l: ioctl: Use %p4cc printk modifier to print FourCC codes") Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ca1cba08a2f1c289c6dabf88dfc4b83611f89bcb Author: Janusz Krzysztofik Date: Mon May 4 00:06:16 2020 +0200 media: ov6650: Fix set format try processing path [ Upstream commit 1f6f1e959a85ee999fbc86f4b094827f63194c7f ] According to subdevice interface specification found in V4L2 API documentation, set format pad operations should not affect image geometry set in preceding image processing steps. Unfortunately, that requirement is not respected by the driver implementation of set format as it was not the case when that code was still implementing a pair of now obsolete .s_mbus_fmt() / .try_mbus_fmt() video operations before they have been merged and reused as an implementation of .set_fmt() pad operation by commit 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt"). In case of set format active processing path the issue can be fixed easily by excluding a call to set active selection from that path. That will effectively limit frame size processing to optimal frame scaling against active crop rectangle without touching it. Users can just call set active selection themselves to obtain desired frame size. However, set format try processing path needs more work. First of all, the driver should be extended with set try selection support. Lack of it constraints video device drivers to not use subdevice cropping at all while processing user requested active frame size, otherwise their set try format results might differ from active. Next, set format try processing path should use pad config crop rectangle as a reference, not the active one as it does now. That issue can be resolved easily as soon as set try selection support is added to the driver so pad config crop rectangle can be maintained by users via selection API. Last, set format try processing path should give the same results as active in respect to active vs. pad config crop rectangle geometry. Both rectangles should be either not touched by set format (that's what we are going to achieve) or modified the same way, otherwise users won't be able to obtain equal results from both paths while iterating through set format and set selection operations in order to obtain desired frame size. We can't begin with modifying set format pad operation as not to touch crop rectangle since that depends on availability of set try selection for symmetry. Neither can we begin with adding set try selection since that in turn depends on equal handling of active and pad config crop rectangles by set format. We can either implement all required modifications in a single patch, or begin with fixing current set format try processing path to appropriately handle pad config crop rectangle. This patch implements the latter approach as believed to be more readable. Move crop rectangle adjustments code from a helper (the former implementation of .s_fmt(), now called from set format active processing path) to the body of set format pad operation function where it can be also used for processing try requests for symmetry with active ones. As the helper no longer processes frame geometry, only frame format and half scaling, simplify its API accordingly and update its users. Moreover, extract code that applies crop rectangle hardware limits (now a part of .set_selection() operation which is called from set format active processing path) to a new helper and call that helper from set format try processing path as well for symmetry with active. [Sakari Ailus: Rebase on subdev state patches] Fixes: 717fd5b4907a ("[media] v4l2: replace try_mbus_fmt by set_fmt") Signed-off-by: Janusz Krzysztofik Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a920a08d13824c440211910a58bcefaf30005567 Author: Chen-Yu Tsai Date: Fri Jan 7 10:34:49 2022 +0100 media: hantro: Fix overfill bottom register field name [ Upstream commit 89d78e0133e71ba324fb67ca776223fba4353418 ] The Hantro H1 hardware can crop off pixels from the right and bottom of the source frame. These are controlled with the H1_REG_IN_IMG_CTRL_OVRFLB and H1_REG_IN_IMG_CTRL_OVRFLR in the H1_REG_IN_IMG_CTRL register. The ChromeOS kernel driver that this was based on incorrectly added the _D4 suffix H1_REG_IN_IMG_CTRL_OVRFLB. This field crops the bottom of the input frame, and the number is _not_ divided by 4. [1] Correct the name to avoid confusion when crop support with the selection API is added. [1] https://chromium.googlesource.com/chromiumos/third_party/kernel/+/refs/ \ heads/chromeos-4.19/drivers/staging/media/hantro/hantro_h1_vp8_enc.c#377 Fixes: 775fec69008d ("media: add Rockchip VPU JPEG encoder driver") Fixes: a29add8c9bb2 ("media: rockchip/vpu: rename from rockchip to hantro") Signed-off-by: Chen-Yu Tsai Reviewed-by: Ezequiel Garcia Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c316e6a49745b09025eed102e30cc1e9ba2910b2 Author: Jiasheng Jiang Date: Thu Jan 13 07:59:28 2022 +0100 media: meson: vdec: potential dereference of null pointer [ Upstream commit c8c80c996182239ff9b05eda4db50184cf3b2e99 ] As the possible failure of the kzalloc(), the 'new_ts' could be NULL pointer. Therefore, it should be better to check it in order to avoid the dereference of the NULL pointer. Also, the caller esparser_queue() needs to deal with the return value of the amvdec_add_ts(). Fixes: 876f123b8956 ("media: meson: vdec: bring up to compliance") Signed-off-by: Jiasheng Jiang Suggested-by: Neil Armstrong Reviewed-by: Neil Armstrong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 56ef536ce39c92d43a77f42b644d17143505aba3 Author: Miaoqian Lin Date: Wed Jan 12 12:05:54 2022 +0100 media: coda: Fix missing put_device() call in coda_get_vdoa_data [ Upstream commit ca85d271531a1e1c86f24b892f57b7d0a3ddb5a6 ] The reference taken by 'of_find_device_by_node()' must be released when not needed anymore. Add the corresponding 'put_device()' in the error handling path. Fixes: e7f3c5481035 ("[media] coda: use VDOA for un-tiling custom macroblock format") Signed-off-by: Miaoqian Lin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2230ed44f59fd0be765aab9f418b54921491d951 Author: Dmitry Osipenko Date: Wed Dec 22 07:32:15 2021 +0300 memory: tegra20-emc: Correct memory device mask [ Upstream commit 9ff684342ee7d3ea2755c6e9b60bc43085baa3ad ] Memory chip select is swapped when we read mode register, correct it. We didn't have devices that use a single LPDDR chip and both chips are always identical, hence this change is just a minor improvement. Fixes: 131dd9a436d8 ("memory: tegra20-emc: Support matching timings by LPDDR2 configuration") Signed-off-by: Dmitry Osipenko Link: https://lore.kernel.org/r/20211222043215.28237-2-digetx@gmail.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 64a6dcbe0831a82556a8969b8539c1691b9d1676 Author: Robert Hancock Date: Thu Jan 20 13:58:30 2022 -0600 ASoC: simple-card-utils: Set sysclk on all components [ Upstream commit ce2f7b8d4290c22e462e465d1da38a1c113ae66a ] If an mclk-fs value was provided in the device tree configuration, the calculated MCLK was fed into the downstream codec DAI and CPU DAI, however set_sysclk was not being called on the platform device. Some platform devices such as the Xilinx Audio Formatter need to know the MCLK as well. Call snd_soc_component_set_sysclk on each component in the stream to set the proper sysclk value in addition to the existing call of snd_soc_dai_set_sysclk on the codec DAI and CPU DAI. This may end up resulting in redundant calls if one of the snd_soc_dai_set_sysclk calls ends up calling snd_soc_component_set_sysclk itself, but that isn't expected to cause any significant harm. Fixes: f48dcbb6d47d ("ASoC: simple-card-utils: share asoc_simple_hw_param()") Signed-off-by: Robert Hancock Reviewed-by: Kuninori Morimoto Link: https://lore.kernel.org/r/20220120195832.1742271-5-robert.hancock@calian.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 915f0bf118248e527f721f0c39e17eb6845a7820 Author: Robert Hancock Date: Thu Jan 20 13:58:27 2022 -0600 ASoC: xilinx: xlnx_formatter_pcm: Handle sysclk setting [ Upstream commit 1c5091fbe7e0d0804158200b7feac5123f7b4fbd ] This driver did not set the MM2S Fs Multiplier Register to the proper value for playback streams. This needs to be set to the sample rate to MCLK multiplier, or random stream underflows can occur on the downstream I2S transmitter. Store the sysclk value provided via the set_sysclk callback and use that in conjunction with the sample rate in the hw_params callback to calculate the proper value to set for this register. Fixes: 6f6c3c36f091 ("ASoC: xlnx: add pcm formatter platform driver") Signed-off-by: Robert Hancock Link: https://lore.kernel.org/r/20220120195832.1742271-2-robert.hancock@calian.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a84d5e5b55805b9074483e682daa8379684c107f Author: Jiasheng Jiang Date: Sat Jan 22 01:10:31 2022 +0800 ASoC: codecs: Check for error pointer after calling devm_regmap_init_mmio [ Upstream commit aa505ecccf2ae7546e0e262d574e18a9241f3005 ] Since the potential failure of the devm_regmap_init_mmio(), it will return error pointer and be assigned to the regmap. Then the error pointer will be dereferenced. For example rx->regmap will be used in rx_macro_mclk_enable(). Therefore, it should be better to check it. Fixes: af3d54b99764 ("ASoC: codecs: lpass-rx-macro: add support for lpass rx macro") Fixes: c39667ddcfc5 ("ASoC: codecs: lpass-tx-macro: add support for lpass tx macro") Fixes: 809bcbcecebf ("ASoC: codecs: lpass-wsa-macro: Add support to WSA Macro") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220121171031.2826198-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7fe48c07395785607cd28a6bb9210a367c07df2c Author: Lad Prabhakar Date: Mon Jan 10 09:47:07 2022 +0000 ASoC: sh: rz-ssi: Drop calling rz_ssi_pio_recv() recursively [ Upstream commit 6570f991582e32b7992601d0497c61962a2c5dcc ] Instead of recursively calling rz_ssi_pio_recv() use a while loop to read the samples from RX fifo. This also fixes an issue where the return value of rz_ssi_pio_recv() was ignored when called recursively. Fixes: 03e786bd4341 ("ASoC: sh: Add RZ/G2L SSIF-2 driver") Reported-by: Pavel Machek Signed-off-by: Lad Prabhakar Reviewed-by: Biju Das Link: https://lore.kernel.org/r/20220110094711.8574-2-prabhakar.mahadev-lad.rj@bp.renesas.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9fc93d0802a00585340e390ecea93492d1cc7f0d Author: Eugen Hristev Date: Mon Dec 13 14:49:23 2021 +0100 media: atmel: atmel-sama7g5-isc: fix ispck leftover [ Upstream commit 1b52ce99e9f2dcda868a1a7026bfb58d04bd6bc8 ] The ispck is not used for sama7g5 variant of the ISC. Calls to ispck have to be removed also from module insert/removal. Fixes: d7f26849ed7c ("media: atmel: fix the ispck initialization") Signed-off-by: Eugen Hristev Reviewed-by: Jacopo Mondi Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a80c71879123decd36a1e73a3c4533fb58b67206 Author: Ondrej Zary Date: Sat Dec 25 22:58:44 2021 +0100 media: bttv: fix WARNING regression on tunerless devices [ Upstream commit ef058cc8b7193d15a771272359c7454839ae74ee ] Commit 2161536516ed ("media: media/pci: set device_caps in struct video_device") introduced a regression: V4L2_CAP_TUNER is always present in device_caps, even when the device has no tuner. This causes a warning: WARNING: CPU: 0 PID: 249 at drivers/media/v4l2-core/v4l2-ioctl.c:1102 v4l_querycap+0xa0/0xb0 [videodev] Fixes: 2161536516ed ("media: media/pci: set device_caps in struct video_device") Signed-off-by: Ondrej Zary Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2f5ecf5edb6892464c25de1405b266c8f6fea1ed Author: Martin Kepplinger Date: Thu Dec 16 10:03:36 2021 +0100 media: imx: imx8mq-mipi_csi2: fix system resume [ Upstream commit f0c2ba1ed4ad868331d8c6ea9119669a729b01a9 ] during system resume, interconnect bandwidth would currently be requested even though the device is runtime suspended. This leaves the system in an unbalanced state. Fix that by only doing that in runtimem pm and splitting up runtime and system suspend to be a more readable: imx8mq_mipi_csi_pm_*() does the generic things called from system- and runtime functions that each do specific things on top. Fixes: f33fd8d77dd0 ("media: imx: add a driver for i.MX8MQ mipi csi rx phy and controller") Signed-off-by: Martin Kepplinger Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f86721483437281e39dd556f51d8583736e2448e Author: Martin Kepplinger Date: Thu Dec 16 10:03:35 2021 +0100 media: imx: imx8mq-mipi-csi2: remove wrong irq config write operation [ Upstream commit 59c2b6d51803ad6b7af28f2a60a843b24374e692 ] The place where this register writel() that masks one interrupt is placed does not guarantee that the device is powered so that's not allowed. Moreover imx8mq_mipi_csi_start_stream() masks the interrupt anyway so the write is not even needed. Remove it as this is a mistake that slipped in with the driver. Fixes: f33fd8d77dd0 ("media: imx: add a driver for i.MX8MQ mipi csi rx phy and controller") Signed-off-by: Martin Kepplinger Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit cbdabb48be7b76d2a61a3554745243e37d81599e Author: Jiasheng Jiang Date: Wed Dec 15 06:21:57 2021 +0100 media: mtk-vcodec: potential dereference of null pointer [ Upstream commit e25a89f743b18c029bfbe5e1663ae0c7190912b0 ] The return value of devm_kzalloc() needs to be checked. To avoid use of null pointer in case of thefailure of alloc. Fixes: 46233e91fa24 ("media: mtk-vcodec: move firmware implementations into their own files") Signed-off-by: Jiasheng Jiang Reviewed-by: Tzung-Bi Shih Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2a5fd6b402049521f657966a42c4277f083a63c0 Author: Chen-Yu Tsai Date: Thu Dec 9 17:38:03 2021 +0100 media: v4l2-mem2mem: Apply DST_QUEUE_OFF_BASE on MMAP buffers across ioctls [ Upstream commit 8310ca94075e784bbb06593cd6c068ee6b6e4ca6 ] DST_QUEUE_OFF_BASE is applied to offset/mem_offset on MMAP capture buffers only for the VIDIOC_QUERYBUF ioctl, while the userspace fields (including offset/mem_offset) are filled in for VIDIOC_{QUERY,PREPARE,Q,DQ}BUF ioctls. This leads to differences in the values presented to userspace. If userspace attempts to mmap the capture buffer directly using values from DQBUF, it will fail. Move the code that applies the magic offset into a helper, and call that helper from all four ioctl entry points. [hverkuil: drop unnecessary '= 0' in v4l2_m2m_querybuf() for ret] Fixes: 7f98639def42 ("V4L/DVB: add memory-to-memory device helper framework for videobuf") Fixes: 908a0d7c588e ("[media] v4l: mem2mem: port to videobuf2") Signed-off-by: Chen-Yu Tsai Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7ad00365f22c7557e6e41105895399ee695a2103 Author: Laurent Pinchart Date: Fri Jun 25 04:26:35 2021 +0200 media: staging: media: imx: imx7-mipi-csis: Make subdev name unique [ Upstream commit 5be7f8c91d25089be847a71b336c13b5bb0db772 ] When multiple CSIS instances are present in a single graph, they are currently all named "imx7-mipi-csis.0", which breaks the entity name uniqueness requirement. Fix it by using the device name to create the subdev name. Fixes: 7807063b862b ("media: staging/imx7: add MIPI CSI-2 receiver subdev for i.MX7") Signed-off-by: Laurent Pinchart Reviewed-by: Rui Miguel Silva Reviewed-by: Sakari Ailus Reviewed-by: Jerome Brunet Tested-by: Jerome Brunet # On i.MX8MP Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 31dd7ea96fec0a76fde7249464b33796d867c302 Author: Jonathan Marek Date: Wed Dec 22 01:37:45 2021 +0100 media: camss: vfe-170: fix "VFE halt timeout" error [ Upstream commit 1ce8c48b06f249a9739e36c5d56883f6f49ce047 ] This function waits for halt_complete but doesn't do anything to cause it to complete, and always hits the "VFE halt timeout" error. Just delete this code for now. Fixes: 7319cdf189bb ("media: camss: Add support for VFE hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit d7339f78c5d453f8490907cc0eb97ee4e9365bb6 Author: Jonathan Marek Date: Wed Dec 22 01:37:41 2021 +0100 media: camss: csid-170: set the right HALT_CMD when disabled [ Upstream commit ee780cd7be3b5608550bafe7d5f113db2140e99b ] Use the "HALT_CMD_RESUME_AT_FRAME_BOUNDARY" define instead of a "1" which is otherwise confusing, and add a "HALT_CMD_HALT_AT_FRAME_BOUNDARY" which is set when disabling. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 8c1b7620c119ebc258f33fa32233431f31505aed Author: Jonathan Marek Date: Wed Dec 22 01:37:38 2021 +0100 media: camss: csid-170: don't enable unused irqs [ Upstream commit a6da362491e409de0978d733441e59db6584d69f ] csid_isr() only checks for the reset irq, so enabling any other irqs doesn't make sense. The "RDI irq" comment is also wrong, the register should be CSID_CSI2_RDIN_IRQ_MASK. Without this fix there may be an excessive amount of irqs. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 7a2e50fca3b8d16c134a2379bc69d774e8174332 Author: Jonathan Marek Date: Wed Dec 22 01:37:37 2021 +0100 media: camss: csid-170: fix non-10bit formats [ Upstream commit 14d510e040f85ff05734fd6db8bae44b47886464 ] Use the decode_format/data_type from the "format" struct instead of a hardcoded 10-bit format. Fixes: eebe6d00e9bf ("media: camss: Add support for CSID hardware version Titan 170") Signed-off-by: Jonathan Marek Reviewed-by: Robert Foss Tested-by: Julian Grahsl Tested-by: Bryan O'Donoghue Signed-off-by: Bryan O'Donoghue Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit a0287f8e5c7092c393454f44c6a0a583dd37e7bd Author: Corentin Labbe Date: Tue Dec 14 17:16:29 2021 +0100 media: staging: media: zoran: fix usage of vb2_dma_contig_set_max_seg_size [ Upstream commit 241f5b67fb48def58643f279dfb8468bdd54b443 ] vb2_dma_contig_set_max_seg_size need to have a size in parameter and not a DMA_BIT_MASK(). While fixing this issue, also fix error handling of all DMA size setting. Reported-by: kernel test robot Fixes: d4ae3689226e5 ("media: zoran: device support only 32bit DMA address") Signed-off-by: Corentin Labbe Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 040afed9768b7776cf45e82dc841127e25147428 Author: Sam Protsenko Date: Fri Jan 14 22:37:57 2022 +0200 pinctrl: samsung: Remove EINT handler for Exynos850 ALIVE and CMGP gpios [ Upstream commit 96f79935015cf3d7ca6fabf63cd13b8af45a7713 ] GPIO_ALIVE and GPIO_CMGP blocks in Exynos850 SoC don't have EINT capabilities (like EINT_SVC register), and there are no corresponding interrupts wired to GIC. Instead those blocks have wake-up interrupts for each pin. The ".eint_gpio_init" callbacks were specified by mistake for these blocks, when porting pinctrl code from downstream kernel. That leads to error messages like this: samsung-pinctrl 11850000.pinctrl: irq number not available Remove ".eint_gpio_init" for pinctrl_alive and pinctrl_gpmc to fix this error. This change doesn't affect proper interrupt handling for related pins, as all those pins are handled in ".eint_wkup_init". Fixes: cdd3d945dcec ("pinctrl: samsung: Add Exynos850 SoC specific data") Signed-off-by: Sam Protsenko Link: https://lore.kernel.org/r/20220114203757.4860-1-semen.protsenko@linaro.org Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit ad7769973f1590ba880556d8f5cbc12f8af412b0 Author: Peng Liu Date: Tue Mar 22 14:48:19 2022 -0700 kunit: make kunit_test_timeout compatible with comment [ Upstream commit bdd015f7b71b92c2e4ecabac689642cc72553e04 ] In function kunit_test_timeout, it is declared "300 * MSEC_PER_SEC" represent 5min. However, it is wrong when dealing with arm64 whose default HZ = 250, or some other situations. Use msecs_to_jiffies to fix this, and kunit_test_timeout will work as desired. Link: https://lkml.kernel.org/r/20220309083753.1561921-3-liupeng256@huawei.com Fixes: 5f3e06208920 ("kunit: test: add support for test abort") Signed-off-by: Peng Liu Reviewed-by: Marco Elver Reviewed-by: Daniel Latypov Reviewed-by: Brendan Higgins Tested-by: Brendan Higgins Cc: Alexander Potapenko Cc: Dmitry Vyukov Cc: Wang Kefeng Cc: David Gow Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d1a2c0aefa9cb001bf35bb62ce628a34a41e1fdb Author: David Hildenbrand Date: Tue Mar 22 14:47:09 2022 -0700 drivers/base/memory: add memory block to memory group after registration succeeded [ Upstream commit 7ea0d2d79da09d1f7d71c96a9c9bc1b5229360b5 ] If register_memory() fails, we freed the memory block but already added the memory block to the group list, not good. Let's defer adding the block to the memory group to after registering the memory block device. We do handle it properly during unregister_memory(), but that's not called when the registration fails. Link: https://lkml.kernel.org/r/20220128144540.153902-1-david@redhat.com Fixes: 028fc57a1c36 ("drivers/base/memory: introduce "memory groups" to logically group memory blocks") Signed-off-by: David Hildenbrand Reviewed-by: Oscar Salvador Acked-by: Michal Hocko Cc: Greg Kroah-Hartman Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit d9da87226dcd0c6b267d131d6add96858e6f64d4 Author: Guillaume Tucker Date: Tue Mar 22 14:41:44 2022 -0700 selftests, x86: fix how check_cc.sh is being invoked [ Upstream commit ef696f93ed9778d570bd5ac58414421cdd4f1aab ] The $(CC) variable used in Makefiles could contain several arguments such as "ccache gcc". These need to be passed as a single string to check_cc.sh, otherwise only the first argument will be used as the compiler command. Without quotes, the $(CC) variable is passed as distinct arguments which causes the script to fail to build trivial programs. Fix this by adding quotes around $(CC) when calling check_cc.sh to pass the whole string as a single argument to the script even if it has several words such as "ccache gcc". Link: https://lkml.kernel.org/r/d0d460d7be0107a69e3c52477761a6fe694c1840.1646991629.git.guillaume.tucker@collabora.com Fixes: e9886ace222e ("selftests, x86: Rework x86 target architecture detection") Signed-off-by: Guillaume Tucker Tested-by: "kernelci.org bot" Reviewed-by: Guenter Roeck Cc: Shuah Khan Cc: Borislav Petkov Cc: Dave Hansen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 89b1c23591e0a86e7b82e013ca6ca62ffebf8a1c Author: Fengnan Chang Date: Fri Mar 18 09:23:04 2022 +0800 f2fs: fix compressed file start atomic write may cause data corruption [ Upstream commit 9b56adcf525522e9ffa52471260298d91fc1d395 ] When compressed file has blocks, f2fs_ioc_start_atomic_write will succeed, but compressed flag will be remained in inode. If write partial compreseed cluster and commit atomic write will cause data corruption. This is the reproduction process: Step 1: create a compressed file ,write 64K data , call fsync(), then the blocks are write as compressed cluster. Step2: iotcl(F2FS_IOC_START_ATOMIC_WRITE) --- this should be fail, but not. write page 0 and page 3. iotcl(F2FS_IOC_COMMIT_ATOMIC_WRITE) -- page 0 and 3 write as normal file, Step3: drop cache. read page 0-4 -- Since page 0 has a valid block address, read as non-compressed cluster, page 1 and 2 will be filled with compressed data or zero. The root cause is, after commit 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster"), in step 2, f2fs_write_begin() only set target page dirty, and in f2fs_commit_inmem_pages(), we will write partial raw pages into compressed cluster, result in corrupting compressed cluster layout. Fixes: 4c8ff7095bef ("f2fs: support data compression") Fixes: 7eab7a696827 ("f2fs: compress: remove unneeded read when rewrite whole cluster") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Fengnan Chang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit b5ae7c468e4ec644e6b6a06fc43fa3a39397bae4 Author: Filipe Manana Date: Thu Feb 17 12:12:07 2022 +0000 btrfs: fix unexpected error path when reflinking an inline extent [ Upstream commit 1f4613cdbe7739ce291554b316bff8e551383389 ] When reflinking an inline extent, we assert that its file offset is 0 and that its uncompressed length is not greater than the sector size. We then return an error if one of those conditions is not satisfied. However we use a return statement, which results in returning from btrfs_clone() without freeing the path and buffer that were allocated before, as well as not clearing the flag BTRFS_INODE_NO_DELALLOC_FLUSH for the destination inode. Fix that by jumping to the 'out' label instead, and also add a WARN_ON() for each condition so that in case assertions are disabled, we get to known which of the unexpected conditions triggered the error. Fixes: a61e1e0df9f321 ("Btrfs: simplify inline extent handling when doing reflinks") Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 1789bd98815ffeedf4141035901a02ac1b80b952 Author: Chao Yu Date: Thu Jan 27 13:44:49 2022 +0800 f2fs: fix to avoid potential deadlock [ Upstream commit 344150999b7fc88502a65bbb147a47503eca2033 ] Quoted from Jing Xia's report, there is a potential deadlock may happen between kworker and checkpoint as below: [T:writeback] [T:checkpoint] - wb_writeback - blk_start_plug bio contains NodeA was plugged in writeback threads - do_writepages -- sync write inodeB, inc wb_sync_req[DATA] - f2fs_write_data_pages - f2fs_write_single_data_page -- write last dirty page - f2fs_do_write_data_page - set_page_writeback -- clear page dirty flag and PAGECACHE_TAG_DIRTY tag in radix tree - f2fs_outplace_write_data - f2fs_update_data_blkaddr - f2fs_wait_on_page_writeback -- wait NodeA to writeback here - inode_dec_dirty_pages - writeback_sb_inodes - writeback_single_inode - do_writepages - f2fs_write_data_pages -- skip writepages due to wb_sync_req[DATA] - wbc->pages_skipped += get_dirty_pages() -- PAGECACHE_TAG_DIRTY is not set but get_dirty_pages() returns one - requeue_inode -- requeue inode to wb->b_dirty queue due to non-zero.pages_skipped - blk_finish_plug Let's try to avoid deadlock condition by forcing unplugging previous bio via blk_finish_plug(current->plug) once we'v skipped writeback in writepages() due to valid sbi->wb_sync_req[DATA/NODE]. Fixes: 687de7f1010c ("f2fs: avoid IO split due to mixed WB_SYNC_ALL and WB_SYNC_NONE") Signed-off-by: Zhiguo Niu Signed-off-by: Jing Xia Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit eae729e0f9ffcb1e5b152fd1af613cffd9cd4717 Author: Valentin Schneider Date: Thu Jan 27 15:40:59 2022 +0000 sched/rt: Plug rt_mutex_setprio() vs push_rt_task() race [ Upstream commit 49bef33e4b87b743495627a529029156c6e09530 ] John reported that push_rt_task() can end up invoking find_lowest_rq(rq->curr) when curr is not an RT task (in this case a CFS one), which causes mayhem down convert_prio(). This can happen when current gets demoted to e.g. CFS when releasing an rt_mutex, and the local CPU gets hit with an rto_push_work irqwork before getting the chance to reschedule. Exactly who triggers this work isn't entirely clear to me - switched_from_rt() only invokes rt_queue_pull_task() if there are no RT tasks on the local RQ, which means the local CPU can't be in the rto_mask. My current suspected sequence is something along the lines of the below, with the demoted task being current. mark_wakeup_next_waiter() rt_mutex_adjust_prio() rt_mutex_setprio() // deboost originally-CFS task check_class_changed() switched_from_rt() // Only rt_queue_pull_task() if !rq->rt.rt_nr_running switched_to_fair() // Sets need_resched __balance_callbacks() // if pull_rt_task(), tell_cpu_to_push() can't select local CPU per the above raw_spin_rq_unlock(rq) // need_resched is set, so task_woken_rt() can't // invoke push_rt_tasks(). Best I can come up with is // local CPU has rt_nr_migratory >= 2 after the demotion, so stays // in the rto_mask, and then: push_rt_task() // breakage follows here as rq->curr is CFS Move an existing check to check rq->curr vs the next pushable task's priority before getting anywhere near find_lowest_rq(). While at it, add an explicit sched_class of rq->curr check prior to invoking find_lowest_rq(rq->curr). Align the DL logic to also reschedule regardless of next_task's migratability. Fixes: a7c81556ec4d ("sched: Fix migrate_disable() vs rt/dl balancing") Reported-by: John Keeping Signed-off-by: Valentin Schneider Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Dietmar Eggemann Tested-by: John Keeping Link: https://lore.kernel.org/r/20220127154059.974729-1-valentin.schneider@arm.com Signed-off-by: Sasha Levin commit cd7b6e5080dcd433997c64d5391fba67673ff87f Author: Chengming Zhou Date: Sun Feb 20 13:14:24 2022 +0800 sched/cpuacct: Fix charge percpu cpuusage [ Upstream commit 248cc9993d1cc12b8e9ed716cc3fc09f6c3517dd ] The cpuacct_account_field() is always called by the current task itself, so it's ok to use __this_cpu_add() to charge the tick time. But cpuacct_charge() maybe called by update_curr() in load_balance() on a random CPU, different from the CPU on which the task is running. So __this_cpu_add() will charge that cputime to a random incorrect CPU. Fixes: 73e6aafd9ea8 ("sched/cpuacct: Simplify the cpuacct code") Reported-by: Minye Zhu Signed-off-by: Chengming Zhou Signed-off-by: Peter Zijlstra (Intel) Acked-by: Tejun Heo Link: https://lore.kernel.org/r/20220220051426.5274-1-zhouchengming@bytedance.com Signed-off-by: Sasha Levin commit a0fe04fa612034d5a5d74e4171e26aaff6c08c44 Author: Amir Goldstein Date: Thu Feb 24 18:17:05 2022 +0200 nfsd: more robust allocation failure handling in nfsd_file_cache_init [ Upstream commit 4d2eeafecd6c83b4444db3dc0ada201c89b1aa44 ] The nfsd file cache table can be pretty large and its allocation may require as many as 80 contigious pages. Employ the same fix that was employed for similar issue that was reported for the reply cache hash table allocation several years ago by commit 8f97514b423a ("nfsd: more robust allocation failure handling in nfsd_reply_cache_init"). Fixes: 65294c1f2c5e ("nfsd: add a new struct file caching facility to nfsd") Link: https://lore.kernel.org/linux-nfs/e3cdaeec85a6cfec980e87fc294327c0381c1778.camel@kernel.org/ Suggested-by: Jeff Layton Signed-off-by: Amir Goldstein Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Tested-by: Amir Goldstein Signed-off-by: Sasha Levin commit aa80bf73e3b3fb7026d343c77b3ddc849e26a095 Author: Jaegeuk Kim Date: Fri Feb 11 18:56:46 2022 -0800 f2fs: fix missing free nid in f2fs_handle_failed_inode [ Upstream commit 2fef99b8372c1ae3d8445ab570e888b5a358dbe9 ] This patch fixes xfstests/generic/475 failure. [ 293.680694] F2FS-fs (dm-1): May loss orphan inode, run fsck to fix. [ 293.685358] Buffer I/O error on dev dm-1, logical block 8388592, async page read [ 293.691527] Buffer I/O error on dev dm-1, logical block 8388592, async page read [ 293.691764] sh (7615): drop_caches: 3 [ 293.691819] sh (7616): drop_caches: 3 [ 293.694017] Buffer I/O error on dev dm-1, logical block 1, async page read [ 293.695659] sh (7618): drop_caches: 3 [ 293.696979] sh (7617): drop_caches: 3 [ 293.700290] sh (7623): drop_caches: 3 [ 293.708621] sh (7626): drop_caches: 3 [ 293.711386] sh (7628): drop_caches: 3 [ 293.711825] sh (7627): drop_caches: 3 [ 293.716738] sh (7630): drop_caches: 3 [ 293.719613] sh (7632): drop_caches: 3 [ 293.720971] sh (7633): drop_caches: 3 [ 293.727741] sh (7634): drop_caches: 3 [ 293.730783] sh (7636): drop_caches: 3 [ 293.732681] sh (7635): drop_caches: 3 [ 293.732988] sh (7637): drop_caches: 3 [ 293.738836] sh (7639): drop_caches: 3 [ 293.740568] sh (7641): drop_caches: 3 [ 293.743053] sh (7640): drop_caches: 3 [ 293.821889] ------------[ cut here ]------------ [ 293.824654] kernel BUG at fs/f2fs/node.c:3334! [ 293.826226] invalid opcode: 0000 [#1] PREEMPT SMP PTI [ 293.828713] CPU: 0 PID: 7653 Comm: umount Tainted: G OE 5.17.0-rc1-custom #1 [ 293.830946] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 [ 293.832526] RIP: 0010:f2fs_destroy_node_manager+0x33f/0x350 [f2fs] [ 293.833905] Code: e8 d6 3d f9 f9 48 8b 45 d0 65 48 2b 04 25 28 00 00 00 75 1a 48 81 c4 28 03 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b [ 293.837783] RSP: 0018:ffffb04ec31e7a20 EFLAGS: 00010202 [ 293.839062] RAX: 0000000000000001 RBX: ffff9df947db2eb8 RCX: 0000000080aa0072 [ 293.840666] RDX: 0000000000000000 RSI: ffffe86c0432a140 RDI: ffffffffc0b72a21 [ 293.842261] RBP: ffffb04ec31e7d70 R08: ffff9df94ca85780 R09: 0000000080aa0072 [ 293.843909] R10: ffff9df94ca85700 R11: ffff9df94e1ccf58 R12: ffff9df947db2e00 [ 293.845594] R13: ffff9df947db2ed0 R14: ffff9df947db2eb8 R15: ffff9df947db2eb8 [ 293.847855] FS: 00007f5a97379800(0000) GS:ffff9dfa77c00000(0000) knlGS:0000000000000000 [ 293.850647] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 293.852940] CR2: 00007f5a97528730 CR3: 000000010bc76005 CR4: 0000000000370ef0 [ 293.854680] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 293.856423] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 293.858380] Call Trace: [ 293.859302] [ 293.860311] ? ttwu_do_wakeup+0x1c/0x170 [ 293.861800] ? ttwu_do_activate+0x6d/0xb0 [ 293.863057] ? _raw_spin_unlock_irqrestore+0x29/0x40 [ 293.864411] ? try_to_wake_up+0x9d/0x5e0 [ 293.865618] ? debug_smp_processor_id+0x17/0x20 [ 293.866934] ? debug_smp_processor_id+0x17/0x20 [ 293.868223] ? free_unref_page+0xbf/0x120 [ 293.869470] ? __free_slab+0xcb/0x1c0 [ 293.870614] ? preempt_count_add+0x7a/0xc0 [ 293.871811] ? __slab_free+0xa0/0x2d0 [ 293.872918] ? __wake_up_common_lock+0x8a/0xc0 [ 293.874186] ? __slab_free+0xa0/0x2d0 [ 293.875305] ? free_inode_nonrcu+0x20/0x20 [ 293.876466] ? free_inode_nonrcu+0x20/0x20 [ 293.877650] ? debug_smp_processor_id+0x17/0x20 [ 293.878949] ? call_rcu+0x11a/0x240 [ 293.880060] ? f2fs_destroy_stats+0x59/0x60 [f2fs] [ 293.881437] ? kfree+0x1fe/0x230 [ 293.882674] f2fs_put_super+0x160/0x390 [f2fs] [ 293.883978] generic_shutdown_super+0x7a/0x120 [ 293.885274] kill_block_super+0x27/0x50 [ 293.886496] kill_f2fs_super+0x7f/0x100 [f2fs] [ 293.887806] deactivate_locked_super+0x35/0xa0 [ 293.889271] deactivate_super+0x40/0x50 [ 293.890513] cleanup_mnt+0x139/0x190 [ 293.891689] __cleanup_mnt+0x12/0x20 [ 293.892850] task_work_run+0x64/0xa0 [ 293.894035] exit_to_user_mode_prepare+0x1b7/0x1c0 [ 293.895409] syscall_exit_to_user_mode+0x27/0x50 [ 293.896872] do_syscall_64+0x48/0xc0 [ 293.898090] entry_SYSCALL_64_after_hwframe+0x44/0xae [ 293.899517] RIP: 0033:0x7f5a975cd25b Fixes: 7735730d39d7 ("f2fs: fix to propagate error from __get_meta_page()") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 87c0a005cfdccc2f081f792570a4e49164be03b8 Author: Mel Gorman Date: Tue Feb 8 09:43:33 2022 +0000 sched/fair: Improve consistency of allowed NUMA balance calculations [ Upstream commit 2cfb7a1b031b0e816af7a6ee0c6ab83b0acdf05a ] There are inconsistencies when determining if a NUMA imbalance is allowed that should be corrected. o allow_numa_imbalance changes types and is not always examining the destination group so both the type should be corrected as well as the naming. o find_idlest_group uses the sched_domain's weight instead of the group weight which is different to find_busiest_group o find_busiest_group uses the source group instead of the destination which is different to task_numa_find_cpu o Both find_idlest_group and find_busiest_group should account for the number of running tasks if a move was allowed to be consistent with task_numa_find_cpu Fixes: 7d2b5dd0bcc4 ("sched/numa: Allow a floating imbalance between NUMA nodes") Signed-off-by: Mel Gorman Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Gautham R. Shenoy Link: https://lore.kernel.org/r/20220208094334.16379-2-mgorman@techsingularity.net Signed-off-by: Sasha Levin commit b87eaeb7ad7abc4cd8b0d23ff16e78262df1db41 Author: Adrian Hunter Date: Mon Jan 31 09:24:52 2022 +0200 perf/x86/intel/pt: Fix address filter config for 32-bit kernel [ Upstream commit e5524bf1047eb3b3f3f33b5f59897ba67b3ade87 ] Change from shifting 'unsigned long' to 'u64' to prevent the config bits being lost on a 32-bit kernel. Fixes: eadf48cab4b6b0 ("perf/x86/intel/pt: Add support for address range filtering in PT") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220131072453.2839535-5-adrian.hunter@intel.com Signed-off-by: Sasha Levin commit 9ae9401e663a075ddd10995b5e3f5df533288388 Author: Adrian Hunter Date: Mon Jan 31 09:24:51 2022 +0200 perf/core: Fix address filter parser for multiple filters [ Upstream commit d680ff24e9e14444c63945b43a37ede7cd6958f9 ] Reset appropriate variables in the parser loop between parsing separate filters, so that they do not interfere with parsing the next filter. Fixes: 375637bc524952 ("perf/core: Introduce address range filtering") Signed-off-by: Adrian Hunter Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220131072453.2839535-4-adrian.hunter@intel.com Signed-off-by: Sasha Levin commit b0d539fe52226668332c0d7ba1d5966cc6593a03 Author: Mathieu Desnoyers Date: Thu Jan 27 10:27:20 2022 -0500 rseq: Remove broken uapi field layout on 32-bit little endian [ Upstream commit bfdf4e6208051ed7165b2e92035b4bf11f43eb63 ] The rseq rseq_cs.ptr.{ptr32,padding} uapi endianness handling is entirely wrong on 32-bit little endian: a preprocessor logic mistake wrongly uses the big endian field layout on 32-bit little endian architectures. Fortunately, those ptr32 accessors were never used within the kernel, and only meant as a convenience for user-space. Remove those and replace the whole rseq_cs union by a __u64 type, as this is the only thing really needed to express the ABI. Document how 32-bit architectures are meant to interact with this field. Fixes: ec9c82e03a74 ("rseq: uapi: Declare rseq_cs field as union, update includes") Signed-off-by: Mathieu Desnoyers Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20220127152720.25898-1-mathieu.desnoyers@efficios.com Signed-off-by: Sasha Levin commit 11385426f1d69dca3e3209fb11de1fba0f599928 Author: Qais Yousef Date: Thu Dec 16 22:53:20 2021 +0000 sched/uclamp: Fix iowait boost escaping uclamp restriction [ Upstream commit d37aee9018e68b0d356195caefbb651910e0bbfa ] iowait_boost signal is applied independently of util and doesn't take into account uclamp settings of the rq. An io heavy task that is capped by uclamp_max could still request higher frequency because sugov_iowait_apply() doesn't clamp the boost via uclamp_rq_util_with() like effective_cpu_util() does. Make sure that iowait_boost honours uclamp requests by calling uclamp_rq_util_with() when applying the boost. Fixes: 982d9cdc22c9 ("sched/cpufreq, sched/uclamp: Add clamps for FAIR and RT tasks") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Acked-by: Rafael J. Wysocki Link: https://lore.kernel.org/r/20211216225320.2957053-3-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 65b0a8457b67582b38b232b6e9b0a593b081d955 Author: Qais Yousef Date: Thu Oct 28 12:50:05 2021 +0100 sched/core: Export pelt_thermal_tp [ Upstream commit 77cf151b7bbdfa3577b3c3f3a5e267a6c60a263b ] We can't use this tracepoint in modules without having the symbol exported first, fix that. Fixes: 765047932f15 ("sched/pelt: Add support to track thermal pressure") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20211028115005.873539-1-qais.yousef@arm.com Signed-off-by: Sasha Levin commit aa9d617c344f7ea02a2121e38b83e0b4ebea3d0d Author: Bharata B Rao Date: Tue Jan 18 10:35:15 2022 +0530 sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa [ Upstream commit 28c988c3ec29db74a1dda631b18785958d57df4f ] The older format of /proc/pid/sched printed home node info which required the mempolicy and task lock around mpol_get(). However the format has changed since then and there is no need for sched_show_numa() any more to have mempolicy argument, asssociated mpol_get/put and task_lock/unlock. Remove them. Fixes: 397f2378f1361 ("sched/numa: Fix numa balancing stats in /proc/pid/sched") Signed-off-by: Bharata B Rao Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Srikar Dronamraju Acked-by: Mel Gorman Link: https://lore.kernel.org/r/20220118050515.2973-1-bharata@amd.com Signed-off-by: Sasha Levin commit b459d92905b2d005ad6dcb1af3137e2218bee0b6 Author: Chao Yu Date: Tue Jan 18 11:48:02 2022 +0800 f2fs: fix to enable ATGC correctly via gc_idle sysfs interface [ Upstream commit 7d19e3dab0002e527052b0aaf986e8c32e5537bf ] It needs to assign sbi->gc_mode with GC_IDLE_AT rather than GC_AT when user tries to enable ATGC via gc_idle sysfs interface, fix it. Fixes: 093749e296e2 ("f2fs: support age threshold based garbage collection") Cc: Zhipeng Tan Signed-off-by: Jicheng Shao Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7e8c9b0df07a77f0d072603b8ced2677e30e1893 Author: David Howells Date: Mon Mar 21 11:18:54 2022 +0000 watch_queue: Actually free the watch [ Upstream commit 3d8dcf278b1ee1eff1e90be848fa2237db4c07a7 ] free_watch() does everything barring actually freeing the watch object. Fix this by adding the missing kfree. kmemleak produces a report something like the following. Note that as an address can be seen in the first word, the watch would appear to have gone through call_rcu(). BUG: memory leak unreferenced object 0xffff88810ce4a200 (size 96): comm "syz-executor352", pid 3605, jiffies 4294947473 (age 13.720s) hex dump (first 32 bytes): e0 82 48 0d 81 88 ff ff 00 00 00 00 00 00 00 00 ..H............. 80 a2 e4 0c 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc include/linux/slab.h:581 [inline] [] kzalloc include/linux/slab.h:714 [inline] [] keyctl_watch_key+0xec/0x2e0 security/keys/keyctl.c:1800 [] __do_sys_keyctl+0x3c4/0x490 security/keys/keyctl.c:2016 [] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [] entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-and-tested-by: syzbot+6e2de48f06cdb2884bfc@syzkaller.appspotmail.com Signed-off-by: David Howells Signed-off-by: Sasha Levin commit 112a2f9b0a8457794095a0450598f150724ec456 Author: David Howells Date: Mon Mar 21 08:11:52 2022 +0000 watch_queue: Fix NULL dereference in error cleanup [ Upstream commit a635415a064e77bcfbf43da413fd9dfe0bbed9cb ] In watch_queue_set_size(), the error cleanup code doesn't take account of the fact that __free_page() can't handle a NULL pointer when trying to free up buffer pages that did get allocated. Fix this by only calling __free_page() on the pages actually allocated. Without the fix, this can lead to something like the following: BUG: KASAN: null-ptr-deref in __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 Read of size 4 at addr 0000000000000034 by task syz-executor168/3599 ... Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 __kasan_report mm/kasan/report.c:446 [inline] kasan_report.cold+0x66/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 instrument_atomic_read include/linux/instrumented.h:71 [inline] atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline] page_ref_count include/linux/page_ref.h:67 [inline] put_page_testzero include/linux/mm.h:717 [inline] __free_pages+0x1f/0x1b0 mm/page_alloc.c:5473 watch_queue_set_size+0x499/0x630 kernel/watch_queue.c:275 pipe_ioctl+0xac/0x2b0 fs/pipe.c:632 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:874 [inline] __se_sys_ioctl fs/ioctl.c:860 [inline] __x64_sys_ioctl+0x193/0x200 fs/ioctl.c:860 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Fixes: c73be61cede5 ("pipe: Add general notification queue support") Reported-and-tested-by: syzbot+d55757faa9b80590767b@syzkaller.appspotmail.com Signed-off-by: David Howells Reviewed-by: Fabio M. De Francesco Signed-off-by: Sasha Levin commit c418517bb12d6467725441e47b6ba38f3df44d82 Author: Jens Axboe Date: Fri Mar 18 11:28:13 2022 -0600 io_uring: terminate manual loop iterator loop correctly for non-vecs [ Upstream commit 5e929367468c8f97cd1ffb0417316cecfebef94b ] The fix for not advancing the iterator if we're using fixed buffers is broken in that it can hit a condition where we don't terminate the loop. This results in io-wq looping forever, asking to read (or write) 0 bytes for every subsequent loop. Reported-by: Joel Jaeschke Link: https://github.com/axboe/liburing/issues/549 Fixes: 16c8d2df7ec0 ("io_uring: ensure symmetry in handling iter types in loop_rw_iter()") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit ded168c80f857381d3b1b4eef813ef47fcc7403b Author: Jens Axboe Date: Mon Mar 14 17:26:19 2022 -0600 io_uring: don't check unrelated req->open.how in accept request [ Upstream commit adf3a9e9f556613197583a1884f0de40a8bb6fb9 ] Looks like a victim of too much copy/paste, we should not be looking at req->open.how in accept. The point is to check CLOEXEC and error out, which we don't invalid direct descriptors on exec. Hence any attempt to get a direct descriptor with CLOEXEC is invalid. No harm is done here, as req->open.how.flags overlaps with req->accept.flags, but it's very confusing and might change if either of those command structs are modified. Fixes: aaa4db12ef7b ("io_uring: accept directly into fixed file table") Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 5aedc51cd53c2a6a2646b881faa69d262e4ace3d Author: Randy Dunlap Date: Thu Mar 17 08:39:39 2022 -0700 clocksource: acpi_pm: fix return value of __setup handler [ Upstream commit 6a861abceecb68497dd82a324fee45a5332dcece ] __setup() handlers should return 1 to obsolete_checksetup() in init/main.c to indicate that the boot option has been handled. A return of 0 causes the boot option/value to be listed as an Unknown kernel parameter and added to init's (limited) environment strings. The __setup() handler interface isn't meant to handle negative return values -- they are non-zero, so they mean "handled" (like a return value of 1 does), but that's just a quirk. So return 1 from parse_pmtmr(). Also print a warning message if kstrtouint() returns an error. Fixes: 6b148507d3d0 ("pmtmr: allow command line override of ioport") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 2a3ef2bef158f3bf4a37d4ab0d7f8f786d13ee5e Author: Brandon Wyman Date: Thu Mar 17 23:21:23 2022 +0000 hwmon: (pmbus) Add Vin unit off handling [ Upstream commit a5436af598779219b375c1977555c82def1c35d0 ] If there is an input undervoltage fault, reported in STATUS_INPUT command response, there is quite likely a "Unit Off For Insufficient Input Voltage" condition as well. Add a constant for bit 3 of STATUS_INPUT. Update the Vin limit attributes to include both bits in the mask for clearing faults. If an input undervoltage fault occurs, causing a unit off for insufficient input voltage, but the unit is off bit is not cleared, the STATUS_WORD will not be updated to clear the input fault condition. Including the unit is off bit (bit 3) allows for the input fault condition to completely clear. Signed-off-by: Brandon Wyman Link: https://lore.kernel.org/r/20220317232123.2103592-1-bjwyman@gmail.com Fixes: b4ce237b7f7d3 ("hwmon: (pmbus) Introduce infrastructure to detect sensors and limit registers") [groeck: Dropped unnecessary ()] Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit dd64f2c5db39d4d42e81a96bb9cc81cd2c070e8e Author: Miaoqian Lin Date: Mon Mar 7 11:07:24 2022 +0000 hwrng: nomadik - Change clk_disable to clk_disable_unprepare [ Upstream commit 7f0f1f3ef62ed7a40e30aff28115bd94c4211d1d ] The corresponding API for clk_prepare_enable is clk_disable_unprepare, other than clk_disable_unprepare. Fix this by changing clk_disable to clk_disable_unprepare. Fixes: beca35d05cc2 ("hwrng: nomadik - use clk_prepare_enable()") Signed-off-by: Miaoqian Lin Reviewed-by: Linus Walleij Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 25c358efee5153dfd240d4e0d3169d5bebe9cacd Author: Jianglei Nie Date: Thu Mar 3 10:23:37 2022 +0800 crypto: ccree - Fix use after free in cc_cipher_exit() [ Upstream commit 3d950c34074ed74d2713c3856ba01264523289e6 ] kfree_sensitive(ctx_p->user.key) will free the ctx_p->user.key. But ctx_p->user.key is still used in the next line, which will lead to a use after free. We can call kfree_sensitive() after dev_dbg() to avoid the uaf. Fixes: 63ee04c8b491 ("crypto: ccree - add skcipher support") Signed-off-by: Jianglei Nie Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6c7189f766bcbe45bee50c5f7d07a93f8e65cae5 Author: Dāvis Mosāns Date: Mon Feb 28 05:15:45 2022 +0200 crypto: ccp - ccp_dmaengine_unregister release dma channels [ Upstream commit 54cce8ecb9254f971b40a72911c6da403720a2d2 ] ccp_dmaengine_register adds dma_chan->device_node to dma_dev->channels list but ccp_dmaengine_unregister didn't remove them. That can cause crashes in various dmaengine methods that tries to use dma_dev->channels Fixes: 58ea8abf4904 ("crypto: ccp - Register the CCP as a DMA...") Signed-off-by: Dāvis Mosāns Acked-by: John Allen Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 471dcf1833fd7ce6e067108a606aba0e4d6567d5 Author: Randy Dunlap Date: Sat Mar 5 18:46:20 2022 -0800 ACPI: APEI: fix return value of __setup handlers [ Upstream commit f3303ff649dbf7dcdc6a6e1a922235b12b3028f4 ] __setup() handlers should return 1 to indicate that the boot option has been handled. Returning 0 causes a boot option to be listed in the Unknown kernel command line parameters and also added to init's arg list (if no '=' sign) or environment list (if of the form 'a=b'). Unknown kernel command line parameters "erst_disable bert_disable hest_disable BOOT_IMAGE=/boot/bzImage-517rc6", will be passed to user space. Run /sbin/init as init process with arguments: /sbin/init erst_disable bert_disable hest_disable with environment: HOME=/ TERM=linux BOOT_IMAGE=/boot/bzImage-517rc6 Fixes: a3e2acc5e37b ("ACPI / APEI: Add Boot Error Record Table (BERT) support") Fixes: a08f82d08053 ("ACPI, APEI, Error Record Serialization Table (ERST) support") Fixes: 9dc966641677 ("ACPI, APEI, HEST table parsing") Signed-off-by: Randy Dunlap Reported-by: Igor Zhbanov Link: lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru Reviewed-by: "Huang, Ying" Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 6316281f0478cc92696b21614409f8c68a2fdcfc Author: Dave Kleikamp Date: Wed Jan 26 14:32:43 2022 -0600 KEYS: trusted: Avoid calling null function trusted_key_exit [ Upstream commit c5d1ed846e15090bc90dfdaafc07eac066e070bb ] If one loads and unloads the trusted module, trusted_key_exit can be NULL. Call it through static_call_cond() to avoid a kernel trap. Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") Signed-off-by: Dave Kleikamp Cc: Sumit Garg Cc: James Bottomley Cc: Jarkko Sakkinen Cc: Mimi Zohar Cc: David Howells Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-integrity@vger.kernel.org Cc: keyrings@vger.kernel.org Cc: linux-security-module@vger.kernel.org Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit d543d28928da698ae07f668ccb4e315bd9c5cce5 Author: Andreas Rammhold Date: Wed Dec 1 10:59:00 2021 +0100 KEYS: trusted: Fix trusted key backends when building as module [ Upstream commit 969a26446bcd142faedfe8c6f41cd7668596c1fa ] Before this commit the kernel could end up with no trusted key sources even though both of the currently supported backends (TPM and TEE) were compiled as modules. This manifested in the trusted key type not being registered at all. When checking if a CONFIG_… preprocessor variable is defined we only test for the builtin (=y) case and not the module (=m) case. By using the IS_REACHABLE() macro we do test for both cases. Fixes: 5d0682be3189 ("KEYS: trusted: Add generic trusted keys framework") Reviewed-by: Jarkko Sakkinen Reviewed-by: Ahmad Fatoum Reviewed-by: Sumit Garg Signed-off-by: Andreas Rammhold Tested-by: Ahmad Fatoum Signed-off-by: Ahmad Fatoum Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit cdf805717b28ff8c587121c4e0590d7fdb63bc23 Author: Mark Rutland Date: Thu Feb 24 18:10:28 2022 +0000 arm64: prevent instrumentation of bp hardening callbacks [ Upstream commit 614c0b9fee711dd89b1dd65c88ba83612a373fdc ] We may call arm64_apply_bp_hardening() early during entry (e.g. in el0_ia()) before it is safe to run instrumented code. Unfortunately this may result in running instrumented code in two cases: * The hardening callbacks called by arm64_apply_bp_hardening() are not marked as `noinstr`, and have been observed to be instrumented when compiled with either GCC or LLVM. * Since arm64_apply_bp_hardening() itself is only marked as `inline` rather than `__always_inline`, it is possible that the compiler decides to place it out-of-line, whereupon it may be instrumented. For example, with defconfig built with clang 13.0.0, call_hvc_arch_workaround_1() is compiled as: | : | d503233f paciasp | f81f0ffe str x30, [sp, #-16]! | 320183e0 mov w0, #0x80008000 | d503201f nop | d4000002 hvc #0x0 | f84107fe ldr x30, [sp], #16 | d50323bf autiasp | d65f03c0 ret ... but when CONFIG_FTRACE=y and CONFIG_KCOV=y this is compiled as: | : | d503245f bti c | d503201f nop | d503201f nop | d503233f paciasp | a9bf7bfd stp x29, x30, [sp, #-16]! | 910003fd mov x29, sp | 94000000 bl 0 <__sanitizer_cov_trace_pc> | 320183e0 mov w0, #0x80008000 | d503201f nop | d4000002 hvc #0x0 | a8c17bfd ldp x29, x30, [sp], #16 | d50323bf autiasp | d65f03c0 ret ... with a patchable function entry registered with ftrace, and a direct call to __sanitizer_cov_trace_pc(). Neither of these are safe early during entry sequences. This patch avoids the unsafe instrumentation by marking arm64_apply_bp_hardening() as `__always_inline` and by marking the hardening functions as `noinstr`. This avoids the potential for instrumentation, and causes clang to consistently generate the function as with the defconfig sample. Note: in the defconfig compilation, when CONFIG_SVE=y, x30 is spilled to the stack without being placed in a frame record, which will result in a missing entry if call_hvc_arch_workaround_1() is backtraced. Similar is true of qcom_link_stack_sanitisation(), where inline asm spills the LR to a GPR prior to corrupting it. This is not a significant issue presently as we will only backtrace here if an exception is taken, and in such cases we may omit entries for other reasons today. The relevant hardening functions were introduced in commits: ec82b567a74fbdff ("arm64: Implement branch predictor hardening for Falkor") b092201e00206141 ("arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support") ... and these were subsequently moved in commit: d4647f0a2ad71110 ("arm64: Rewrite Spectre-v2 mitigation code") The arm64_apply_bp_hardening() function was introduced in commit: 0f15adbb2861ce6f ("arm64: Add skeleton to harden the branch predictor against aliasing attacks") ... and was subsequently moved and reworked in commit: 6279017e807708a0 ("KVM: arm64: Move BP hardening helpers into spectre.h") Fixes: ec82b567a74fbdff ("arm64: Implement branch predictor hardening for Falkor") Fixes: b092201e00206141 ("arm64: Add ARM_SMCCC_ARCH_WORKAROUND_1 BP hardening support") Fixes: d4647f0a2ad71110 ("arm64: Rewrite Spectre-v2 mitigation code") Fixes: 0f15adbb2861ce6f ("arm64: Add skeleton to harden the branch predictor against aliasing attacks") Fixes: 6279017e807708a0 ("KVM: arm64: Move BP hardening helpers into spectre.h") Signed-off-by: Mark Rutland Cc: Ard Biesheuvel Cc: Catalin Marinas Cc: James Morse Cc: Marc Zyngier Cc: Mark Brown Cc: Will Deacon Acked-by: Marc Zyngier Reviewed-by: Mark Brown Link: https://lore.kernel.org/r/20220224181028.512873-1-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 94ef872d7a07643cb856c1efe1675a2f138d77c6 Author: Guillaume Ranquet Date: Mon Mar 7 18:26:56 2022 +0100 clocksource/drivers/timer-of: Check return value of of_iomap in timer_of_base_init() [ Upstream commit 4467b8bad2401794fb89a0268c8c8257180bf60f ] of_base->base can either be iomapped using of_io_request_and_map() or of_iomap() depending whether or not an of_base->name has been set. Thus check of_base->base against NULL as of_iomap() does not return a PTR_ERR() in case of error. Fixes: 9aea417afa6b ("clocksource/drivers/timer-of: Don't request the resource by name") Signed-off-by: Guillaume Ranquet Link: https://lore.kernel.org/r/20220307172656.4836-1-granquet@baylibre.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 406592e2edfaafd305d282eb37c4142964c1e8f6 Author: Claudiu Beznea Date: Fri Mar 4 15:35:57 2022 +0200 clocksource/drivers/timer-microchip-pit64b: Use notrace [ Upstream commit ff10ee97cb203262e88d9c8bc87369cbd4004a0c ] Use notrace for mchp_pit64b_sched_read_clk() to avoid recursive call of prepare_ftrace_return() when issuing: echo function_graph > /sys/kernel/debug/tracing/current_tracer Fixes: 625022a5f160 ("clocksource/drivers/timer-microchip-pit64b: Add Microchip PIT64B support") Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20220304133601.2404086-3-claudiu.beznea@microchip.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit ff37c4784dedb5b815bb2f8a0de23e4a5f51371f Author: Krzysztof Kozlowski Date: Sun Feb 20 11:38:15 2022 +0100 clocksource/drivers/exynos_mct: Handle DTS with higher number of interrupts [ Upstream commit ab8da93dc06d82f464c47ab30e6c75190702f369 ] The driver statically defines maximum number of interrupts it can handle, however it does not respect that limit when configuring them. When provided with a DTS with more interrupts than assumed, the driver will overwrite static array mct_irqs leading to silent memory corruption. Validate the interrupts coming from DTS to avoid this. This does not change the fact that such DTS might not boot at all, because it is simply incompatible, however at least some warning will be printed. Fixes: 36ba5d527e95 ("ARM: EXYNOS: add device tree support for MCT controller driver") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Alim Akhtar Link: https://lore.kernel.org/r/20220220103815.135380-1-krzysztof.kozlowski@canonical.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit a2270b06baf5799685cf0f554def1e6679732fc6 Author: Marek Szyprowski Date: Mon Nov 1 21:35:30 2021 +0200 clocksource/drivers/exynos_mct: Refactor resources allocation [ Upstream commit 7cd925a8823d16de5614d3f0aabea9948747accd ] Move interrupts allocation from exynos4_timer_resources() into separate function together with the interrupt number parsing code from mct_init_dt(), so the code for managing interrupts is kept together. While touching exynos4_timer_resources() function, move of_iomap() to it. No functional changes. Signed-off-by: Marek Szyprowski Reviewed-by: Chanwoo Choi Tested-by: Chanwoo Choi Reviewed-by: Krzysztof Kozlowski Signed-off-by: Sam Protsenko Link: https://lore.kernel.org/r/20211101193531.15078-2-semen.protsenko@linaro.org Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit d95da112c29f62d44f4cc52f75c558727954d0dd Author: Drew Fustini Date: Thu Feb 3 21:35:05 2022 -0800 clocksource/drivers/timer-ti-dm: Fix regression from errata i940 fix [ Upstream commit bceaae3bac0ce27c549bb050336d8d08abc2ee54 ] The existing fix for errata i940 causes a conflict for IPU2 which is using timer 3 and 4. From arch/arm/boot/dts/dra7-ipu-dsp-common.dtsi: &ipu2 { mboxes = <&mailbox6 &mbox_ipu2_ipc3x>; ti,timers = <&timer3>; ti,watchdog-timers = <&timer4>, <&timer9>; }; The conflict was noticed when booting mainline on the BeagleBoard X15 which has a TI AM5728 SoC: remoteproc remoteproc1: 55020000.ipu is available remoteproc remoteproc1: powering up 55020000.ipu remoteproc remoteproc1: Booting fw image dra7-ipu2-fw.xem4 omap-rproc 55020000.ipu: could not get timer platform device omap-rproc 55020000.ipu: omap_rproc_enable_timers failed: -19 remoteproc remoteproc1: can't start rproc 55020000.ipu: -19 This change modifies the errata fix to instead use timer 15 and 16 which resolves the timer conflict. It does not appear to introduce any latency regression. Results from cyclictest with original errata fix using dmtimer 3 and 4: # cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0 policy: fifo: loadavg: 0.02 0.03 0.05 T: 0 ( 1449) P:80 I:200 C: 800368 Min: 0 Act: 32 Avg: 22 Max: 128 T: 1 ( 1450) P:80 I:200 C: 800301 Min: 0 Act: 12 Avg: 23 Max: 70 The results after the change to dmtimer 15 and 16: # cyclictest --mlockall --smp --priority=80 --interval=200 --distance=0 policy: fifo: loadavg: 0.36 0.19 0.07 T: 0 ( 1711) P:80 I:200 C: 759599 Min: 0 Act: 6 Avg: 22 Max: 108 T: 1 ( 1712) P:80 I:200 C: 759539 Min: 0 Act: 19 Avg: 23 Max: 79 Fixes: 25de4ce5ed02 ("clocksource/drivers/timer-ti-dm: Handle dra7 timer wrap errata i940") Link: https://lore.kernel.org/linux-omap/YfWsG0p6to3IJuvE@x1/ Suggested-by: Suman Anna Reviewed-by: Tony Lindgren Signed-off-by: Drew Fustini Link: https://lore.kernel.org/r/20220204053503.1409162-1-dfustini@baylibre.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit f6b3a28e4bc12728fdaee4ee18c510455190ba07 Author: Petr Vorel Date: Wed Feb 23 16:11:15 2022 +0100 crypto: vmx - add missing dependencies [ Upstream commit 647d41d3952d726d4ae49e853a9eff68ebad3b3f ] vmx-crypto module depends on CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS, thus add them. These dependencies are likely to be enabled, but if CRYPTO_DEV_VMX=y && !CRYPTO_MANAGER_DISABLE_TESTS and either of CRYPTO_AES, CRYPTO_CBC, CRYPTO_CTR or CRYPTO_XTS is built as module or disabled, alg_test() from crypto/testmgr.c complains during boot about failing to allocate the generic fallback implementations (2 == ENOENT): [ 0.540953] Failed to allocate xts(aes) fallback: -2 [ 0.541014] alg: skcipher: failed to allocate transform for p8_aes_xts: -2 [ 0.541120] alg: self-tests for p8_aes_xts (xts(aes)) failed (rc=-2) [ 0.544440] Failed to allocate ctr(aes) fallback: -2 [ 0.544497] alg: skcipher: failed to allocate transform for p8_aes_ctr: -2 [ 0.544603] alg: self-tests for p8_aes_ctr (ctr(aes)) failed (rc=-2) [ 0.547992] Failed to allocate cbc(aes) fallback: -2 [ 0.548052] alg: skcipher: failed to allocate transform for p8_aes_cbc: -2 [ 0.548156] alg: self-tests for p8_aes_cbc (cbc(aes)) failed (rc=-2) [ 0.550745] Failed to allocate transformation for 'aes': -2 [ 0.550801] alg: cipher: Failed to load transform for p8_aes: -2 [ 0.550892] alg: self-tests for p8_aes (aes) failed (rc=-2) Fixes: c07f5d3da643 ("crypto: vmx - Adding support for XTS") Fixes: d2e3ae6f3aba ("crypto: vmx - Enabling VMX module for PPC64") Suggested-by: Nicolai Stange Signed-off-by: Petr Vorel Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0fb90cfad5784aac24a8011c77ef79278392c95b Author: Corentin Labbe Date: Mon Feb 21 12:08:32 2022 +0000 crypto: gemini - call finalize with bh disabled [ Upstream commit 7f22421103c5a7f9a1726f0ed125274c38174ddb ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: 46c5338db7bd45b2 ("crypto: sl3516 - Add sl3516 crypto engine") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9fdd78e44a33c6ec694294f30d737715b961d021 Author: Corentin Labbe Date: Mon Feb 21 12:08:31 2022 +0000 crypto: amlogic - call finalize with bh disabled [ Upstream commit dba633342994ce47d347bcf5522ba28301247b79 ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator for amlogic GXL") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 86dd989a507d79576b40a5e908c2b326ec61db4d Author: Corentin Labbe Date: Mon Feb 21 12:08:30 2022 +0000 crypto: sun8i-ce - call finalize with bh disabled [ Upstream commit f75a749b6d78aeae2ce90e14fcc4b7b3ba46126d ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c5e24990503040001503c74f2003e610895c05de Author: Corentin Labbe Date: Mon Feb 21 12:08:29 2022 +0000 crypto: sun8i-ss - call finalize with bh disabled [ Upstream commit b169b3766242b6f3336e24a6c8ee1522978b57a7 ] Doing ipsec produces a spinlock recursion warning. This is due to not disabling BH during crypto completion function. Fixes: f08fcced6d00 ("crypto: allwinner - Add sun8i-ss cryptographic offloader") Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 51517a22dc4dfb6f68f83e582c85b3a7084a15c6 Author: Claudiu Beznea Date: Mon Feb 21 09:59:23 2022 +0200 hwrng: atmel - disable trng on failure path [ Upstream commit a223ea9f89ab960eb254ba78429efd42eaf845eb ] Call atmel_trng_disable() on failure path of probe. Fixes: a1fa98d8116f ("hwrng: atmel - disable TRNG during suspend") Signed-off-by: Claudiu Beznea Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit a81bda2340bdec165600103647330467c3b6be0d Author: Jiasheng Jiang Date: Wed Mar 2 17:20:51 2022 +0800 spi: spi-zynqmp-gqspi: Handle error for dma_set_mask [ Upstream commit 13262fc26c1837c51a5131dbbdd67a2387f8bfc7 ] As the potential failure of the dma_set_mask(), it should be better to check it and return error if fails. Fixes: 126bdb606fd2 ("spi: spi-zynqmp-gqspi: return -ENOMEM if dma_map_single fails") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20220302092051.121343-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 101bf7d153c9522e35e998d26d0caf8cb36ceff7 Author: Randy Dunlap Date: Mon Feb 28 14:05:44 2022 -0800 PM: suspend: fix return value of __setup handler [ Upstream commit 7a64ca17e4dd50d5f910769167f3553902777844 ] If an invalid option is given for "test_suspend=