commit d6a980a0da6cacb523bb1e069b1780ae1c3086a7 Author: Greg Kroah-Hartman Date: Sat Dec 31 13:33:12 2022 +0100 Linux 6.1.2 Link: https://lore.kernel.org/r/20221228144330.180012208@linuxfoundation.org Tested-by: Justin M. Forbes Tested-by: Florian Fainelli Tested-by: Slade Watkins Tested-by: Ron Economos Tested-by: Thierry Reding Tested-by: Bagas Sanjaya Tested-by: Linux Kernel Functional Testing Tested-by: Ronald Warsow Tested-by: Shuah Khan Tested-by: Rudi Heitbaum Link: https://lore.kernel.org/r/20221230094107.317705320@linuxfoundation.org Tested-by: Rudi Heitbaum Tested-by: Ronald Warsow Tested-by: Thierry Reding Tested-by: Slade Watkins Tested-by: Florian Fainelli Tested-by: Guenter Roeck Tested-by: Bagas Sanjaya Tested-by: Linux Kernel Functional Testing Tested-by: Ron Economos Signed-off-by: Greg Kroah-Hartman commit 5f3d8993e095ac7e456558cfd37f93b445832a84 Author: Steven Price Date: Thu Nov 10 11:45:48 2022 +0000 pwm: tegra: Fix 32 bit build [ Upstream commit dd1f1da4ada5d8ac774c2ebe97230637820b3323 ] The value of NSEC_PER_SEC << PWM_DUTY_WIDTH doesn't fix within a 32 bit integer causing a build warning/error (and the value truncated): drivers/pwm/pwm-tegra.c: In function ‘tegra_pwm_config’: drivers/pwm/pwm-tegra.c:148:53: error: result of ‘1000000000 << 8’ requires 39 bits to represent, but ‘long int’ only has 32 bits [-Werror=shift-overflow=] 148 | required_clk_rate = DIV_ROUND_UP_ULL(NSEC_PER_SEC << PWM_DUTY_WIDTH, | ^~ Explicitly cast to a u64 to ensure the correct result. Fixes: cfcb68817fb3 ("pwm: tegra: Improve required rate calculation") Signed-off-by: Steven Price Reviewed-by: Uwe Kleine-König Reviewed-by: Jon Hunter Signed-off-by: Sasha Levin commit 70c6f7025014d51280edf6761a8715fdccfb76a5 Author: Christophe JAILLET Date: Sun Nov 20 14:01:43 2022 +0100 mfd: qcom_rpm: Use devm_of_platform_populate() to simplify code [ Upstream commit e48dee96046246980d476714b3f6684d45f29c13 ] Use devm_of_platform_populate() instead of hand-writing it. This simplifies the code. Signed-off-by: Christophe JAILLET Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/fd997dc92b9cee219e9c55e22959a94f4bbf570b.1668949256.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 5c692f1ed39d2143bfb7234c3866987bc4d2d506 Author: Martin Leung Date: Thu Nov 3 11:35:44 2022 -0400 drm/amd/display: revert Disable DRR actions during state commit commit 6f8816261db9251f2635533572f95ab8e530266c upstream. why and how: causes unstable on certain surface format/mpo transitions This reverts commit de020e5fa9ebc6fc32e82ae6ccb0282451ed937c Reviewed-by: Wesley Chalmers Acked-by: Tom Chung Signed-off-by: Martin Leung Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Greg Kroah-Hartman commit e970e4ee3fc2c5164474641150a6109b413ee754 Author: Lin Ma Date: Mon Nov 28 16:21:59 2022 +0000 media: dvbdev: fix refcnt bug commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream. Previous commit initialize the dvbdev->ref before the template copy, which will overwrite the reference and cause refcnt bug. refcount_t: addition on 0; use-after-free. WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0 ... RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25 RSP: 0000:ffffc900000678d0 EFLAGS: 00010282 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_add include/linux/refcount.h:199 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] kref_get include/linux/kref.h:45 [inline] dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline] dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517 ... Just place the kref_init at correct position. Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") Signed-off-by: Lin Ma Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 539479d00c51b1101176f8c2fac6013b1419899c Author: Lin Ma Date: Mon Nov 28 08:39:03 2022 +0000 media: dvbdev: fix build warning due to comments commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream. Previous commit that introduces reference counter does not add proper comments, which will lead to warning when building htmldocs. Fix them. Reported-by: "Stephen Rothwell" Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF") Signed-off-by: Lin Ma Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 882056ef338495e6b3a49843915c3d81842254fa Author: Gaosheng Cui Date: Wed Dec 14 16:01:17 2022 +0800 net: stmmac: fix errno when create_singlethread_workqueue() fails commit 2cb815cfc78b137ee38bcd65e7c955d6cc2cc250 upstream. We should set the return value to -ENOMEM explicitly when create_singlethread_workqueue() fails in stmmac_dvr_probe(), otherwise we'll lose the error value. Fixes: a137f3f27f92 ("net: stmmac: fix possible memory leak in stmmac_dvr_probe()") Signed-off-by: Gaosheng Cui Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/20221214080117.3514615-1-cuigaosheng1@huawei.com Signed-off-by: Paolo Abeni Signed-off-by: Greg Kroah-Hartman commit 69c2ad94fd0b5217a28ce20bba84f2063d383e94 Author: Pavel Begunkov Date: Wed Nov 23 11:33:42 2022 +0000 io_uring: remove iopoll spinlock commit 2dac1a159216b39ced8d78dba590c5d2f4249586 upstream. This reverts commit 2ccc92f4effcfa1c51c4fcf1e34d769099d3cad4 io_req_complete_post() should now behave well even in case of IOPOLL, we can remove completion_lock locking. Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/7e171c8b530656b14a671c59100ca260e46e7f2a.1669203009.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 9b5d3f21f1aba54064f8f56694d09ee8d91daec3 Author: Pavel Begunkov Date: Fri Dec 2 17:47:22 2022 +0000 io_uring: protect cq_timeouts with timeout_lock commit ea011ee10231f5fa6cbb415007048ca0bb948baf upstream. Read cq_timeouts in io_flush_timeouts() only after taking the timeout_lock, as it's protected by it. There are many places where we also grab ->completion_lock, but for instance io_timeout_fn() doesn't and still modifies cq_timeouts. Cc: stable@vger.kernel.org Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/9c79544dd6cf5c4018cb1bab99cf481a93ea46ef.1670002973.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f9ef51a7055cb1abd4b58d2a8fcb87db0a58ccf2 Author: Pavel Begunkov Date: Mon Dec 19 15:11:40 2022 +0000 io_uring/net: fix cleanup after recycle commit 6c3e8955d4bd9811a6e1761eea412a14fb51a2e6 upstream. Don't access io_async_msghdr io_netmsg_recycle(), it may be reallocated. Cc: stable@vger.kernel.org Fixes: 9bb66906f23e5 ("io_uring: support multishot in recvmsg") Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/9e326f4ad4046ddadf15bf34bf3fa58c6372f6b5.1671461985.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b87006265a1649e96e77f454e7dc47c22333635a Author: Jens Axboe Date: Mon Dec 19 07:28:26 2022 -0700 io_uring/net: ensure compat import handlers clear free_iov commit 990a4de57e44f4f4cfc33c90d2ec5d285b7c8342 upstream. If we're not allocating the vectors because the count is below UIO_FASTIOV, we still do need to properly clear ->free_iov to prevent an erronous free of on-stack data. Reported-by: Jiri Slaby Fixes: 4c17a496a7a0 ("io_uring/net: fix cleanup double free free_iov init") Cc: stable@vger.kernel.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit e2c22a38fe299c4ed58aa4606fd435048c662a3a Author: Pavel Begunkov Date: Wed Dec 7 03:53:27 2022 +0000 io_uring: improve io_double_lock_ctx fail handling commit 4c979eaefa4356d385b7c7d2877dc04d7fe88969 upstream. msg_ring will fail the request if it can't lock rings, instead punt it to io-wq as was originally intended. Cc: stable@vger.kernel.org Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/4697f05afcc37df5c8f89e2fe6d9c7c19f0241f9.1670384893.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit f6a5cada4ff62dd13b92ef7d6964307fcbdf6779 Author: Pavel Begunkov Date: Wed Dec 7 03:53:26 2022 +0000 io_uring: dont remove file from msg_ring reqs commit ef0ec1ad03119b8b46b035dad42bca7d6da7c2e5 upstream. We should not be messing with req->file outside of core paths. Clearing it makes msg_ring non reentrant, i.e. luckily io_msg_send_fd() fails the request on failed io_double_lock_ctx() but clearly was originally intended to do retries instead. Cc: stable@vger.kernel.org Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/e5ac9edadb574fe33f6d727cb8f14ce68262a684.1670384893.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 16225abb3cbc0d810c589541f5b9ca88003f5128 Author: Pavel Begunkov Date: Wed Nov 23 11:33:36 2022 +0000 io_uring: add completion locking for iopoll commit 2ccc92f4effcfa1c51c4fcf1e34d769099d3cad4 upstream. There are pieces of code that may allow iopoll to race filling cqes, temporarily add spinlocking around posting events. Cc: stable@vger.kernel.org Signed-off-by: Pavel Begunkov Link: https://lore.kernel.org/r/84d86b5c117feda075471c5c9e65208e0dccf5d0.1669203009.git.asml.silence@gmail.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 3a6ee45e3ceb60818c5fa4acd3c258bb124452a8 Author: Stefan Metzmacher Date: Thu Oct 27 20:34:45 2022 +0200 io_uring/net: introduce IORING_SEND_ZC_REPORT_USAGE flag commit e307e6698165ca6508ed42c69cb1be76c8eb6a3c upstream. It might be useful for applications to detect if a zero copy transfer with SEND[MSG]_ZC was actually possible or not. The application can fallback to plain SEND[MSG] in order to avoid the overhead of two cqes per request. Or it can generate a log message that could indicate to an administrator that no zero copy was possible and could explain degraded performance. Cc: stable@vger.kernel.org # 6.1 Link: https://lore.kernel.org/io-uring/fb6a7599-8a9b-15e5-9b64-6cd9d01c6ff4@gmail.com/T/#m2b0d9df94ce43b0e69e6c089bdff0ce6babbdfaa Signed-off-by: Stefan Metzmacher Reviewed-by: Pavel Begunkov Link: https://lore.kernel.org/r/8945b01756d902f5d5b0667f20b957ad3f742e5e.1666895626.git.metze@samba.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 215f9437dda09531bcb80605298a24219f01cec5 Author: Tejun Heo Date: Sat Dec 10 08:33:10 2022 -1000 blk-iolatency: Fix memory leak on add_disk() failures commit 813e693023ba10da9e75067780f8378465bf27cc upstream. When a gendisk is successfully initialized but add_disk() fails such as when a loop device has invalid number of minor device numbers specified, blkcg_init_disk() is called during init and then blkcg_exit_disk() during error handling. Unfortunately, iolatency gets initialized in the former but doesn't get cleaned up in the latter. This is because, in non-error cases, the cleanup is performed by del_gendisk() calling rq_qos_exit(), the assumption being that rq_qos policies, iolatency being one of them, can only be activated once the disk is fully registered and visible. That assumption is true for wbt and iocost, but not so for iolatency as it gets initialized before add_disk() is called. It is desirable to lazy-init rq_qos policies because they are optional features and add to hot path overhead once initialized - each IO has to walk all the registered rq_qos policies. So, we want to switch iolatency to lazy init too. However, that's a bigger change. As a fix for the immediate problem, let's just add an extra call to rq_qos_exit() in blkcg_exit_disk(). This is safe because duplicate calls to rq_qos_exit() become noop's. Signed-off-by: Tejun Heo Reported-by: darklight2357@icloud.com Cc: Josef Bacik Cc: Linus Torvalds Fixes: d70675121546 ("block: introduce blk-iolatency io controller") Cc: stable@vger.kernel.org # v4.19+ Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/Y5TQ5gm3O4HXrXR3@slm.duckdns.org Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 05382ed9142cf8a8a3fb662224477eecc415778b Author: Arun Easi Date: Tue Nov 29 01:26:34 2022 -0800 scsi: qla2xxx: Fix crash when I/O abort times out commit 68ad83188d782b2ecef2e41ac245d27e0710fe8e upstream. While performing CPU hotplug, a crash with the following stack was seen: Call Trace: qla24xx_process_response_queue+0x42a/0x970 [qla2xxx] qla2x00_start_nvme_mq+0x3a2/0x4b0 [qla2xxx] qla_nvme_post_cmd+0x166/0x240 [qla2xxx] nvme_fc_start_fcp_op.part.0+0x119/0x2e0 [nvme_fc] blk_mq_dispatch_rq_list+0x17b/0x610 __blk_mq_sched_dispatch_requests+0xb0/0x140 blk_mq_sched_dispatch_requests+0x30/0x60 __blk_mq_run_hw_queue+0x35/0x90 __blk_mq_delay_run_hw_queue+0x161/0x180 blk_execute_rq+0xbe/0x160 __nvme_submit_sync_cmd+0x16f/0x220 [nvme_core] nvmf_connect_admin_queue+0x11a/0x170 [nvme_fabrics] nvme_fc_create_association.cold+0x50/0x3dc [nvme_fc] nvme_fc_connect_ctrl_work+0x19/0x30 [nvme_fc] process_one_work+0x1e8/0x3c0 On abort timeout, completion was called without checking if the I/O was already completed. Verify that I/O and abort request are indeed outstanding before attempting completion. Fixes: 71c80b75ce8f ("scsi: qla2xxx: Do command completion on abort timeout") Reported-by: Marco Patalano Tested-by: Marco Patalano Cc: stable@vger.kernel.org Signed-off-by: Arun Easi Signed-off-by: Nilesh Javali Link: https://lore.kernel.org/r/20221129092634.15347-1-njavali@marvell.com Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 5cfb9a60ed2d5afed6500078ac3a25fd4d71c1aa Author: David Hildenbrand Date: Mon Oct 31 16:25:24 2022 +0100 mm/gup: disallow FOLL_FORCE|FOLL_WRITE on hugetlb mappings commit f347454d034184b4f0a2caf6e14daf7848cea01c upstream. hugetlb does not support fake write-faults (write faults without write permissions). However, we are currently able to trigger a FAULT_FLAG_WRITE fault on a VMA without VM_WRITE. If we'd ever want to support FOLL_FORCE|FOLL_WRITE, we'd have to teach hugetlb to: (1) Leave the page mapped R/O after the fake write-fault, like maybe_mkwrite() does. (2) Allow writing to an exclusive anon page that's mapped R/O when FOLL_FORCE is set, like can_follow_write_pte(). E.g., __follow_hugetlb_must_fault() needs adjustment. For now, it's not clear if that added complexity is really required. History tolds us that FOLL_FORCE is dangerous and that we better limit its use to a bare minimum. -------------------------------------------------------------------------- #include #include #include #include #include #include #include #include int main(int argc, char **argv) { char *map; int mem_fd; map = mmap(NULL, 2 * 1024 * 1024u, PROT_READ, MAP_PRIVATE|MAP_ANON|MAP_HUGETLB|MAP_HUGE_2MB, -1, 0); if (map == MAP_FAILED) { fprintf(stderr, "mmap() failed: %d\n", errno); return 1; } mem_fd = open("/proc/self/mem", O_RDWR); if (mem_fd < 0) { fprintf(stderr, "open(/proc/self/mem) failed: %d\n", errno); return 1; } if (pwrite(mem_fd, "0", 1, (uintptr_t) map) == 1) { fprintf(stderr, "write() succeeded, which is unexpected\n"); return 1; } printf("write() failed as expected: %d\n", errno); return 0; } -------------------------------------------------------------------------- Fortunately, we have a sanity check in hugetlb_wp() in place ever since commit 1d8d14641fd9 ("mm/hugetlb: support write-faults in shared mappings"), that bails out instead of silently mapping a page writable in a !PROT_WRITE VMA. Consequently, above reproducer triggers a warning, similar to the one reported by szsbot: ------------[ cut here ]------------ WARNING: CPU: 1 PID: 3612 at mm/hugetlb.c:5313 hugetlb_wp+0x20a/0x1af0 mm/hugetlb.c:5313 Modules linked in: CPU: 1 PID: 3612 Comm: syz-executor250 Not tainted 6.1.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/11/2022 RIP: 0010:hugetlb_wp+0x20a/0x1af0 mm/hugetlb.c:5313 Code: ea 03 80 3c 02 00 0f 85 31 14 00 00 49 8b 5f 20 31 ff 48 89 dd 83 e5 02 48 89 ee e8 70 ab b7 ff 48 85 ed 75 5b e8 76 ae b7 ff <0f> 0b 41 bd 40 00 00 00 e8 69 ae b7 ff 48 b8 00 00 00 00 00 fc ff RSP: 0018:ffffc90003caf620 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 0000000008640070 RCX: 0000000000000000 RDX: ffff88807b963a80 RSI: ffffffff81c4ed2a RDI: 0000000000000007 RBP: 0000000000000000 R08: 0000000000000007 R09: 0000000000000000 R10: 0000000000000000 R11: 000000000008c07e R12: ffff888023805800 R13: 0000000000000000 R14: ffffffff91217f38 R15: ffff88801d4b0360 FS: 0000555555bba300(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fff7a47a1b8 CR3: 000000002378d000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: hugetlb_no_page mm/hugetlb.c:5755 [inline] hugetlb_fault+0x19cc/0x2060 mm/hugetlb.c:5874 follow_hugetlb_page+0x3f3/0x1850 mm/hugetlb.c:6301 __get_user_pages+0x2cb/0xf10 mm/gup.c:1202 __get_user_pages_locked mm/gup.c:1434 [inline] __get_user_pages_remote+0x18f/0x830 mm/gup.c:2187 get_user_pages_remote+0x84/0xc0 mm/gup.c:2260 __access_remote_vm+0x287/0x6b0 mm/memory.c:5517 ptrace_access_vm+0x181/0x1d0 kernel/ptrace.c:61 generic_ptrace_pokedata kernel/ptrace.c:1323 [inline] ptrace_request+0xb46/0x10c0 kernel/ptrace.c:1046 arch_ptrace+0x36/0x510 arch/x86/kernel/ptrace.c:828 __do_sys_ptrace kernel/ptrace.c:1296 [inline] __se_sys_ptrace kernel/ptrace.c:1269 [inline] __x64_sys_ptrace+0x178/0x2a0 kernel/ptrace.c:1269 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] So let's silence that warning by teaching GUP code that FOLL_FORCE -- so far -- does not apply to hugetlb. Note that FOLL_FORCE for read-access seems to be working as expected. The assumption is that this has been broken forever, only ever since above commit, we actually detect the wrong handling and WARN_ON_ONCE(). I assume this has been broken at least since 2014, when mm/gup.c came to life. I failed to come up with a suitable Fixes tag quickly. Link: https://lkml.kernel.org/r/20221031152524.173644-1-david@redhat.com Fixes: 1d8d14641fd9 ("mm/hugetlb: support write-faults in shared mappings") Signed-off-by: David Hildenbrand Reported-by: Cc: Mike Kravetz Cc: Peter Xu Cc: John Hubbard Cc: Jason Gunthorpe Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 1baf3370e2dc5e6bd1368348736189457dab2a27 Author: Filipe Manana Date: Mon Nov 28 15:07:30 2022 +0000 btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range commit 162d053e15fe985f754ef495a96eb3db970c43ed upstream. If we get -ENOMEM while dropping file extent items in a given range, at btrfs_drop_extents(), due to failure to allocate memory when attempting to increment the reference count for an extent or drop the reference count, we handle it with a BUG_ON(). This is excessive, instead we can simply abort the transaction and return the error to the caller. In fact most callers of btrfs_drop_extents(), directly or indirectly, already abort the transaction if btrfs_drop_extents() returns any error. Also, we already have error paths at btrfs_drop_extents() that may return -ENOMEM and in those cases we abort the transaction, like for example anything that changes the b+tree may return -ENOMEM due to a failure to allocate a new extent buffer when COWing an existing extent buffer, such as a call to btrfs_duplicate_item() for example. So replace the BUG_ON() calls with proper logic to abort the transaction and return the error. Reported-by: syzbot+0b1fb6b0108c27419f9f@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-btrfs/00000000000089773e05ee4b9cb4@google.com/ CC: stable@vger.kernel.org # 5.4+ Reviewed-by: Josef Bacik Signed-off-by: Filipe Manana Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit ac551b1f500b99ab05fb7ade8ba61fd61f3cfbe7 Author: Chen Zhongjin Date: Mon Nov 28 11:33:05 2022 +0100 ovl: fix use inode directly in rcu-walk mode commit 672e4268b2863d7e4978dfed29552b31c2f9bd4e upstream. ovl_dentry_revalidate_common() can be called in rcu-walk mode. As document said, "in rcu-walk mode, d_parent and d_inode should not be used without care". Check inode here to protect access under rcu-walk mode. Fixes: bccece1ead36 ("ovl: allow remote upper") Reported-and-tested-by: syzbot+a4055c78774bbf3498bb@syzkaller.appspotmail.com Signed-off-by: Chen Zhongjin Cc: # v5.7 Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit a609bfc1e644a8467cb31945ed1488374ebdc013 Author: Tetsuo Handa Date: Tue Dec 6 07:10:31 2022 +0900 fbdev: fbcon: release buffer when fbcon_do_set_font() failed commit 3c3bfb8586f848317ceba5d777e11204ba3e5758 upstream. syzbot is reporting memory leak at fbcon_do_set_font() [1], for commit a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") missed that the buffer might be newly allocated by fbcon_set_font(). Link: https://syzkaller.appspot.com/bug?extid=25bdb7b1703639abd498 [1] Reported-by: syzbot Signed-off-by: Tetsuo Handa Tested-by: syzbot Fixes: a5a923038d70 ("fbdev: fbcon: Properly revert changes when vc_resize() failed") CC: stable@vger.kernel.org # 5.15+ Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 9c9e8be758c628e8a3104b6a0940b3510a17b4e2 Author: Liam Howlett Date: Mon Dec 19 16:20:15 2022 +0000 maple_tree: fix mas_spanning_rebalance() on insufficient data commit 0abb964aae3da746ea2fd4301599a6fa26da58db upstream. Mike Rapoport contacted me off-list with a regression in running criu. Periodic tests fail with an RCU stall during execution. Although rare, it is possible to hit this with other uses so this patch should be backported to fix the regression. This patchset adds the fix and a test case to the maple tree test suite. This patch (of 2): An insufficient node was causing an out-of-bounds access on the node in mas_leaf_max_gap(). The cause was the faulty detection of the new node being a root node when overwriting many entries at the end of the tree. Fix the detection of a new root and ensure there is sufficient data prior to entering the spanning rebalance loop. Link: https://lkml.kernel.org/r/20221219161922.2708732-1-Liam.Howlett@oracle.com Link: https://lkml.kernel.org/r/20221219161922.2708732-2-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett Reported-by: Mike Rapoport Tested-by: Mike Rapoport Cc: Andrei Vagin Cc: Mike Rapoport Cc: Muhammad Usama Anjum Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 8034a1ad67b8346da0eb7b9fd6a9c894ea4cf80e Author: Liam Howlett Date: Mon Dec 19 16:20:15 2022 +0000 test_maple_tree: add test for mas_spanning_rebalance() on insufficient data commit c5651b31f51584bd1199b3a552c8211a8523d6e1 upstream. Add a test to the maple tree test suite for the spanning rebalance insufficient node issue does not go undetected again. Link: https://lkml.kernel.org/r/20221219161922.2708732-3-Liam.Howlett@oracle.com Fixes: 54a611b60590 ("Maple Tree: add new data structure") Signed-off-by: Liam R. Howlett Cc: Andrei Vagin Cc: Mike Rapoport Cc: Muhammad Usama Anjum Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b7334223cc7e7f9409e03dda142bb3a97e78b1f9 Author: Rickard x Andersson Date: Tue Dec 20 11:23:18 2022 +0100 gcov: add support for checksum field commit e96b95c2b7a63a454b6498e2df67aac14d046d13 upstream. In GCC version 12.1 a checksum field was added. This patch fixes a kernel crash occurring during boot when using gcov-kernel with GCC version 12.2. The crash occurred on a system running on i.MX6SX. Link: https://lkml.kernel.org/r/20221220102318.3418501-1-rickaran@axis.com Fixes: 977ef30a7d88 ("gcov: support GCC 12.1 and newer compilers") Signed-off-by: Rickard x Andersson Reviewed-by: Peter Oberparleiter Tested-by: Peter Oberparleiter Reviewed-by: Martin Liska Cc: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 55b3c66a0d441cd37154ae95e44d0b82ccfd580e Author: Yuan Can Date: Mon Oct 31 12:04:43 2022 +0000 floppy: Fix memory leak in do_floppy_init() commit f8ace2e304c5dd8a7328db9cd2b8a4b1b98d83ec upstream. A memory leak was reported when floppy_alloc_disk() failed in do_floppy_init(). unreferenced object 0xffff888115ed25a0 (size 8): comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s) hex dump (first 8 bytes): 00 ac 67 5b 81 88 ff ff ..g[.... backtrace: [<000000007f457abb>] __kmalloc_node+0x4c/0xc0 [<00000000a87bfa9e>] blk_mq_realloc_tag_set_tags.part.0+0x6f/0x180 [<000000006f02e8b1>] blk_mq_alloc_tag_set+0x573/0x1130 [<0000000066007fd7>] 0xffffffffc06b8b08 [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0 [<00000000e26d04ee>] do_init_module+0x1a4/0x680 [<000000001bb22407>] load_module+0x6249/0x7110 [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200 [<000000007bddca46>] do_syscall_64+0x35/0x80 [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810fc30540 (size 32): comm "modprobe", pid 727, jiffies 4295051278 (age 25.529s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000007f457abb>] __kmalloc_node+0x4c/0xc0 [<000000006b91eab4>] blk_mq_alloc_tag_set+0x393/0x1130 [<0000000066007fd7>] 0xffffffffc06b8b08 [<0000000081f5ac40>] do_one_initcall+0xd0/0x4f0 [<00000000e26d04ee>] do_init_module+0x1a4/0x680 [<000000001bb22407>] load_module+0x6249/0x7110 [<00000000ad31ac4d>] __do_sys_finit_module+0x140/0x200 [<000000007bddca46>] do_syscall_64+0x35/0x80 [<00000000b5afec39>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 If the floppy_alloc_disk() failed, disks of current drive will not be set, thus the lastest allocated set->tag cannot be freed in the error handling path. A simple call graph shown as below: floppy_module_init() floppy_init() do_floppy_init() for (drive = 0; drive < N_DRIVE; drive++) blk_mq_alloc_tag_set() blk_mq_alloc_tag_set_tags() blk_mq_realloc_tag_set_tags() # set->tag allocated floppy_alloc_disk() blk_mq_alloc_disk() # error occurred, disks failed to allocated ->out_put_disk: for (drive = 0; drive < N_DRIVE; drive++) if (!disks[drive][0]) # the last disks is not set and loop break break; blk_mq_free_tag_set() # the latest allocated set->tag leaked Fix this problem by free the set->tag of current drive before jump to error handling path. Cc: stable@vger.kernel.org Fixes: 302cfee15029 ("floppy: use a separate gendisk for each media format") Signed-off-by: Yuan Can [efremov: added stable list, changed title] Signed-off-by: Denis Efremov Signed-off-by: Greg Kroah-Hartman commit d01f65ac191e3fa5b4e34b08b113afe1e2d69a7c Author: Christophe Leroy Date: Wed Dec 14 14:41:33 2022 +0100 spi: fsl_spi: Don't change speed while chipselect is active commit 3b553e0041a65e499fa4e25ee146f01f4ec4e617 upstream. Commit c9bfcb315104 ("spi_mpc83xx: much improved driver") made modifications to the driver to not perform speed changes while chipselect is active. But those changes where lost with the convertion to tranfer_one. Previous implementation was allowing speed changes during message transfer when cs_change flag was set. At the time being, core SPI does not provide any feature to change speed while chipselect is off, so do not allow any speed change during message transfer, and perform the transfer setup in prepare_message in order to set correct speed while chipselect is still off. Reported-by: Herve Codina Fixes: 64ca1a034f00 ("spi: fsl_spi: Convert to transfer_one") Cc: stable@vger.kernel.org Signed-off-by: Christophe Leroy Tested-by: Herve Codina Reviewed-by: Herve Codina Link: https://lore.kernel.org/r/8aab84c51aa330cf91f4b43782a1c483e150a4e3.1671025244.git.christophe.leroy@csgroup.eu Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 9e977e2642a154dab6240f8d15fdbf4b86323ff6 Author: Johan Hovold Date: Thu Dec 15 11:46:46 2022 +0100 regulator: core: fix deadlock on regulator enable commit cb3543cff90a4448ed560ac86c98033ad5fecda9 upstream. When updating the operating mode as part of regulator enable, the caller has already locked the regulator tree and drms_uA_update() must not try to do the same in order not to trigger a deadlock. The lock inversion is reported by lockdep as: ====================================================== WARNING: possible circular locking dependency detected 6.1.0-next-20221215 #142 Not tainted ------------------------------------------------------ udevd/154 is trying to acquire lock: ffffc11f123d7e50 (regulator_list_mutex){+.+.}-{3:3}, at: regulator_lock_dependent+0x54/0x280 but task is already holding lock: ffff80000e4c36e8 (regulator_ww_class_acquire){+.+.}-{0:0}, at: regulator_enable+0x34/0x80 which lock already depends on the new lock. ... Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(regulator_ww_class_acquire); lock(regulator_list_mutex); lock(regulator_ww_class_acquire); lock(regulator_list_mutex); *** DEADLOCK *** just before probe of a Qualcomm UFS controller (occasionally) deadlocks when enabling one of its regulators. Fixes: 9243a195be7a ("regulator: core: Change voltage setting path") Fixes: f8702f9e4aa7 ("regulator: core: Use ww_mutex for regulators locking") Cc: stable@vger.kernel.org # 5.0 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221215104646.19818-1-johan+linaro@kernel.org Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 1665c3aa251f8bf8db1ba52092652ba41b5cba53 Author: Rasmus Villemoes Date: Fri Nov 18 13:32:08 2022 +0100 iio: addac: ad74413r: fix integer promotion bug in ad74413_get_input_current_offset() commit 980389d06d08442fad0139874bff455c76125e47 upstream. The constant AD74413R_ADC_RESULT_MAX is defined via GENMASK, so its type is "unsigned long". Hence in the expression voltage_offset * AD74413R_ADC_RESULT_MAX, voltage_offset is first promoted to unsigned long, and since it may be negative, that results in a garbage value. For example, when range is AD74413R_ADC_RANGE_5V_BI_DIR, voltage_offset is -2500 and voltage_range is 5000, so the RHS of this assignment is, depending on sizeof(long), either 826225UL or 3689348814709142UL, which after truncation to int then results in either 826225 or 1972216214 being the output from in_currentX_offset. Casting to int avoids that promotion and results in the correct -32767 output. Signed-off-by: Rasmus Villemoes Fixes: fea251b6a5db (iio: addac: add AD74413R driver) Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20221118123209.1658420-1-linux@rasmusvillemoes.dk Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit d04481ee5e15b88e57514fa11eac77f53f7f0a24 Author: Rasmus Villemoes Date: Tue Nov 15 14:23:23 2022 +0100 iio: adc128s052: add proper .data members in adc128_of_match table commit e2af60f5900c6ade53477b494ffb54690eee11f5 upstream. Prior to commit bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280"), the driver unconditionally used spi_get_device_id() to get the index into the adc128_config array. However, with that commit, OF-based boards now incorrectly treat all supported sensors as if they are an adc128s052, because all the .data members of the adc128_of_match table are implicitly 0. Our board, which has an adc122s021, thus exposes 8 channels whereas it really only has two. Fixes: bd5d54e4d49d ("iio: adc128s052: add ACPI _HID AANT1280") Signed-off-by: Rasmus Villemoes Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/20221115132324.1078169-1-linux@rasmusvillemoes.dk Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 49cfd1f61f445e34dc7dbe98ac2c261e07c6bf19 Author: Nuno Sá Date: Tue Sep 20 13:28:07 2022 +0200 iio: adc: ad_sigma_delta: do not use internal iio_dev lock commit 20228a1d5a55e7db0c6720840f2c7d2b48c55f69 upstream. Drop 'mlock' usage by making use of iio_device_claim_direct_mode(). This change actually makes sure we cannot do a single conversion while buffering is enable. Note there was a potential race in the previous code since we were only acquiring the lock after checking if the bus is enabled. Fixes: af3008485ea0 ("iio:adc: Add common code for ADI Sigma Delta devices") Signed-off-by: Nuno Sá Reviewed-by: Miquel Raynal Cc: #No rush as race is very old. Link: https://lore.kernel.org/r/20220920112821.975359-2-nuno.sa@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit a154b1c139fbf6a49762159be81d425d41ceec87 Author: Zeng Heng Date: Tue Nov 15 10:37:12 2022 +0800 iio: fix memory leak in iio_device_register_eventset() commit 86fdd15e10e404e70ecb2a3bff24d70356d42b36 upstream. When iio_device_register_sysfs_group() returns failed, iio_device_register_eventset() needs to free attrs array. Otherwise, kmemleak would scan & report memory leak as below: unreferenced object 0xffff88810a1cc3c0 (size 32): comm "100-i2c-vcnl302", pid 728, jiffies 4295052307 (age 156.027s) backtrace: __kmalloc+0x46/0x1b0 iio_device_register_eventset at drivers/iio/industrialio-event.c:541 __iio_device_register at drivers/iio/industrialio-core.c:1959 __devm_iio_device_register at drivers/iio/industrialio-core.c:2040 Fixes: 32f171724e5c ("iio: core: rework iio device group creation") Signed-off-by: Zeng Heng Link: https://lore.kernel.org/r/20221115023712.3726854-1-zengheng4@huawei.com Cc: Signed-off-by: Jonathan Cameron Signed-off-by: Greg Kroah-Hartman commit 02ed209aa6f1b5a58a2fef3dbf84132d0bc663c8 Author: Roberto Sassu Date: Thu Nov 10 10:46:35 2022 +0100 reiserfs: Add missing calls to reiserfs_security_free() commit 572302af1258459e124437b8f3369357447afac7 upstream. Commit 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation") defined reiserfs_security_free() to free the name and value of a security xattr allocated by the active LSM through security_old_inode_init_security(). However, this function is not called in the reiserfs code. Thus, add a call to reiserfs_security_free() whenever reiserfs_security_init() is called, and initialize value to NULL, to avoid to call kfree() on an uninitialized pointer. Finally, remove the kfree() for the xattr name, as it is not allocated anymore. Fixes: 57fe60df6241 ("reiserfs: add atomic addition of selinux attributes during inode creation") Cc: stable@vger.kernel.org Cc: Jeff Mahoney Cc: Tetsuo Handa Reported-by: Mimi Zohar Reported-by: Tetsuo Handa Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 21ca0bfa11bbb9a9207f5d2104f47d3d71b4616e Author: Nathan Chancellor Date: Wed Dec 14 16:26:03 2022 -0700 security: Restrict CONFIG_ZERO_CALL_USED_REGS to gcc or clang > 15.0.6 commit d6a9fb87e9d18f3394a9845546bbe868efdccfd2 upstream. A bad bug in clang's implementation of -fzero-call-used-regs can result in NULL pointer dereferences (see the links above the check for more information). Restrict CONFIG_CC_HAS_ZERO_CALL_USED_REGS to either a supported GCC version or a clang newer than 15.0.6, which will catch both a theoretical 15.0.7 and the upcoming 16.0.0, which will both have the bug fixed. Cc: stable@vger.kernel.org # v5.15+ Signed-off-by: Nathan Chancellor Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221214232602.4118147-1-nathan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 967fc34f297e40fd2e068cf6b0c3eb4916228539 Author: Schspa Shi Date: Thu Dec 1 11:33:10 2022 +0800 9p: set req refcount to zero to avoid uninitialized usage commit 26273ade77f54716e30dfd40ac6e85ceb54ac0f9 upstream. When a new request is allocated, the refcount will be zero if it is reused, but if the request is newly allocated from slab, it is not fully initialized before being added to idr. If the p9_read_work got a response before the refcount initiated. It will use a uninitialized req, which will result in a bad request data struct. Here is the logs from syzbot. Corrupted memory at 0xffff88807eade00b [ 0xff 0x07 0x00 0x00 0x00 0x00 0x00 0x00 . . . . . . . . ] (in kfence-#110): p9_fcall_fini net/9p/client.c:248 [inline] p9_req_put net/9p/client.c:396 [inline] p9_req_put+0x208/0x250 net/9p/client.c:390 p9_client_walk+0x247/0x540 net/9p/client.c:1165 clone_fid fs/9p/fid.h:21 [inline] v9fs_fid_xattr_set+0xe4/0x2b0 fs/9p/xattr.c:118 v9fs_xattr_set fs/9p/xattr.c:100 [inline] v9fs_xattr_handler_set+0x6f/0x120 fs/9p/xattr.c:159 __vfs_setxattr+0x119/0x180 fs/xattr.c:182 __vfs_setxattr_noperm+0x129/0x5f0 fs/xattr.c:216 __vfs_setxattr_locked+0x1d3/0x260 fs/xattr.c:277 vfs_setxattr+0x143/0x340 fs/xattr.c:309 setxattr+0x146/0x160 fs/xattr.c:617 path_setxattr+0x197/0x1c0 fs/xattr.c:636 __do_sys_setxattr fs/xattr.c:652 [inline] __se_sys_setxattr fs/xattr.c:648 [inline] __ia32_sys_setxattr+0xc0/0x160 fs/xattr.c:648 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203 entry_SYSENTER_compat_after_hwframe+0x70/0x82 Below is a similar scenario, the scenario in the syzbot log looks more complicated than this one, but this patch can fix it. T21124 p9_read_work ======================== second trans ================================= p9_client_walk p9_client_rpc p9_client_prepare_req p9_tag_alloc req = kmem_cache_alloc(p9_req_cache, GFP_NOFS); tag = idr_alloc << preempted >> req->tc.tag = tag; /* req->[refcount/tag] == uninitialized */ m->rreq = p9_tag_lookup(m->client, m->rc.tag); /* increments uninitalized refcount */ refcount_set(&req->refcount, 2); /* cb drops one ref */ p9_client_cb(req) /* reader thread drops its ref: request is incorrectly freed */ p9_req_put(req) /* use after free and ref underflow */ p9_req_put(req) To fix it, we can initialize the refcount to zero before add to idr. Link: https://lkml.kernel.org/r/20221201033310.18589-1-schspa@gmail.com Cc: stable@vger.kernel.org # 6.0+ due to 6cda12864cb0 ("9p: Drop kref usage") Fixes: 728356dedeff ("9p: Add refcount to p9_req_t") Reported-by: syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com Signed-off-by: Schspa Shi Reviewed-by: Christian Schoenebeck Signed-off-by: Dominique Martinet Signed-off-by: Greg Kroah-Hartman commit 1f572877e0ea466aeec4dd65e6c89838de1ba715 Author: Isaac J. Manjarres Date: Thu Dec 8 13:29:01 2022 -0800 loop: Fix the max_loop commandline argument treatment when it is set to 0 commit 85c50197716c60fe57f411339c579462e563ac57 upstream. Currently, the max_loop commandline argument can be used to specify how many loop block devices are created at init time. If it is not specified on the commandline, CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block devices will be created. The max_loop commandline argument can be used to override the value of CONFIG_BLK_DEV_LOOP_MIN_COUNT. However, when max_loop is set to 0 through the commandline, the current logic treats it as if it had not been set, and creates CONFIG_BLK_DEV_LOOP_MIN_COUNT devices anyway. Fix this by starting max_loop off as set to CONFIG_BLK_DEV_LOOP_MIN_COUNT. This preserves the intended behavior of creating CONFIG_BLK_DEV_LOOP_MIN_COUNT loop block devices if the max_loop commandline parameter is not specified, and allowing max_loop to be respected for all values, including 0. This allows environments that can create all of their required loop block devices on demand to not have to unnecessarily preallocate loop block devices. Fixes: 732850827450 ("remove artificial software max_loop limit") Cc: stable@vger.kernel.org Cc: Ken Chen Signed-off-by: Isaac J. Manjarres Link: https://lore.kernel.org/r/20221208212902.765781-1-isaacmanjarres@google.com Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 24117ea4303c07003495cc21faed9beee4e00f09 Author: Enrik Berkhan Date: Thu Nov 3 23:27:12 2022 +0100 HID: mcp2221: don't connect hidraw commit 67c90d14018775556d5420382ace86521421f9ff upstream. The MCP2221 driver should not connect to the hidraw userspace interface, as it needs exclusive access to the chip. If you want to use /dev/hidrawX with the MCP2221, you need to avoid binding this driver to the device and use the hid generic driver instead (e.g. using udev rules). Cc: stable@vger.kernel.org Reported-by: Sven Zühlsdorf Signed-off-by: Enrik Berkhan Signed-off-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20221103222714.21566-2-Enrik.Berkhan@inka.de Signed-off-by: Greg Kroah-Hartman commit 608c6aed71365e3932f9eab209439f00084711e9 Author: Jason Gerecke Date: Thu Dec 1 15:11:41 2022 -0800 HID: wacom: Ensure bootloader PID is usable in hidraw mode commit 1db1f392591aff13fd643f0ec7c1d5e27391d700 upstream. Some Wacom devices have a special "bootloader" mode that is used for firmware flashing. When operating in this mode, the device cannot be used for input, and the HID descriptor is not able to be processed by the driver. The driver generates an "Unknown device_type" warning and then returns an error code from wacom_probe(). This is a problem because userspace still needs to be able to interact with the device via hidraw to perform the firmware flash. This commit adds a non-generic device definition for 056a:0094 which is used when devices are in "bootloader" mode. It marks the devices with a special BOOTLOADER type that is recognized by wacom_probe() and wacom_raw_event(). When we see this type we ensure a hidraw device is created and otherwise keep our hands off so that userspace is in full control. Signed-off-by: Jason Gerecke Tested-by: Tatsunosuke Tobita Cc: Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit c3c115368ef9a143fbc0ba440f232b249ad4b1c9 Author: Mathias Nyman Date: Wed Nov 30 11:19:43 2022 +0200 xhci: Prevent infinite loop in transaction errors recovery for streams commit a1575120972ecd7baa6af6a69e4e7ea9213bde7c upstream. Make sure to also limit the amount of soft reset retries for transaction errors on streams in cases where the transaction error event doesn't point to any specific TRB. In these cases we don't know the TRB or stream ring, but we do know which endpoint had the error. To keep error counting simple and functional, move the current err_count from ring structure to endpoint structure. Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/20221130091944.2171610-6-mathias.nyman@linux.intel.com Signed-off-by: Greg Kroah-Hartman commit 2f3b51189f7a7be5d822fb8c537d778c57eb9821 Author: Miaoqian Lin Date: Tue Dec 6 12:17:31 2022 +0400 usb: dwc3: qcom: Fix memory leak in dwc3_qcom_interconnect_init commit 97a48da1619ba6bd42a0e5da0a03aa490a9496b1 upstream. of_icc_get() alloc resources for path handle, we should release it when not need anymore. Like the release in dwc3_qcom_interconnect_exit() function. Add icc_put() in error handling to fix this. Fixes: bea46b981515 ("usb: dwc3: qcom: Add interconnect support in dwc3 driver") Cc: stable Acked-by: Thinh Nguyen Signed-off-by: Miaoqian Lin Link: https://lore.kernel.org/r/20221206081731.818107-1-linmq006@gmail.com Signed-off-by: Greg Kroah-Hartman commit 2fd6ad7bc56049ce10c1cd3325905be1116df580 Author: Ferry Toth Date: Mon Dec 5 21:15:27 2022 +0100 usb: dwc3: core: defer probe on ulpi_read_id timeout commit 63130462c919ece0ad0d9bb5a1f795ef8d79687e upstream. Since commit 0f0101719138 ("usb: dwc3: Don't switch OTG -> peripheral if extcon is present"), Dual Role support on Intel Merrifield platform broke due to rearranging the call to dwc3_get_extcon(). It appears to be caused by ulpi_read_id() masking the timeout on the first test write. In the past dwc3 probe continued by calling dwc3_core_soft_reset() followed by dwc3_get_extcon() which happend to return -EPROBE_DEFER. On deferred probe ulpi_read_id() finally succeeded. Due to above mentioned rearranging -EPROBE_DEFER is not returned and probe completes without phy. On Intel Merrifield the timeout on the first test write issue is reproducible but it is difficult to find the root cause. Using a mainline kernel and rootfs with buildroot ulpi_read_id() succeeds. As soon as adding ftrace / bootconfig to find out why, ulpi_read_id() fails and we can't analyze the flow. Using another rootfs ulpi_read_id() fails even without adding ftrace. We suspect the issue is some kind of timing / race, but merely retrying ulpi_read_id() does not resolve the issue. As we now changed ulpi_read_id() to return -ETIMEDOUT in this case, we need to handle the error by calling dwc3_core_soft_reset() and request -EPROBE_DEFER. On deferred probe ulpi_read_id() is retried and succeeds. Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT") Cc: stable@vger.kernel.org Acked-by: Thinh Nguyen Signed-off-by: Ferry Toth Link: https://lore.kernel.org/r/20221205201527.13525-3-ftoth@exalondelft.nl Signed-off-by: Greg Kroah-Hartman commit d2837c6a1dbc4f7e3bb27ce9f42118dc55c2d5cd Author: Sven Peter Date: Mon Nov 28 17:15:26 2022 +0100 usb: dwc3: Fix race between dwc3_set_mode and __dwc3_set_mode commit 62c73bfea048e66168df09da6d3e4510ecda40bb upstream. dwc->desired_dr_role is changed by dwc3_set_mode inside a spinlock but then read by __dwc3_set_mode outside of that lock. This can lead to a race condition when very quick successive role switch events happen: CPU A dwc3_set_mode(DWC3_GCTL_PRTCAP_HOST) // first role switch event spin_lock_irqsave(&dwc->lock, flags); dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_HOST spin_unlock_irqrestore(&dwc->lock, flags); queue_work(system_freezable_wq, &dwc->drd_work); CPU B __dwc3_set_mode // .... spin_lock_irqsave(&dwc->lock, flags); // desired_dr_role is DWC3_GCTL_PRTCAP_HOST dwc3_set_prtcap(dwc, dwc->desired_dr_role); spin_unlock_irqrestore(&dwc->lock, flags); CPU A dwc3_set_mode(DWC3_GCTL_PRTCAP_DEVICE) // second event spin_lock_irqsave(&dwc->lock, flags); dwc->desired_dr_role = mode; // DWC3_GCTL_PRTCAP_DEVICE spin_unlock_irqrestore(&dwc->lock, flags); CPU B (continues running __dwc3_set_mode) switch (dwc->desired_dr_role) { // DWC3_GCTL_PRTCAP_DEVICE // .... case DWC3_GCTL_PRTCAP_DEVICE: // .... ret = dwc3_gadget_init(dwc); We then have DWC3_GCTL.DWC3_GCTL_PRTCAPDIR = DWC3_GCTL_PRTCAP_HOST and dwc->current_dr_role = DWC3_GCTL_PRTCAP_HOST but initialized the controller in device mode. It's also possible to get into a state where both host and device are intialized at the same time. Fix this race by creating a local copy of desired_dr_role inside __dwc3_set_mode while holding dwc->lock. Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly") Cc: stable Acked-by: Thinh Nguyen Signed-off-by: Sven Peter Link: https://lore.kernel.org/r/20221128161526.79730-1-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman commit 1ba53c9c79951d221f3e29af008ce3d8f98f13b4 Author: Li Jun Date: Fri Sep 30 22:54:22 2022 +0800 clk: imx: imx8mp: add shared clk gate for usb suspend clk commit ed1f4ccfe947a3e1018a3bd7325134574c7ff9b3 upstream. 32K usb suspend clock gate is shared with usb_root_clk, this shared clock gate was initially defined only for usb suspend clock, usb suspend clk is kept on while system is active or system sleep with usb wakeup enabled, so usb root clock is fine with this situation; with the commit cf7f3f4fa9e5 ("clk: imx8mp: fix usb_root_clk parent"), this clock gate is changed to be for usb root clock, but usb root clock will be off while usb is suspended, so usb suspend clock will be gated too, this cause some usb functionalities will not work, so define this clock to be a shared clock gate to conform with the real HW status. Fixes: 9c140d9926761 ("clk: imx: Add support for i.MX8MP clock driver") Cc: stable@vger.kernel.org # v5.19+ Tested-by: Alexander Stein Signed-off-by: Li Jun Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/1664549663-20364-2-git-send-email-jun.li@nxp.com Signed-off-by: Greg Kroah-Hartman commit 7579645760a4b949300817874d75620c4c73153c Author: Li Jun Date: Fri Sep 30 22:54:21 2022 +0800 dt-bindings: clocks: imx8mp: Add ID for usb suspend clock commit 5c1f7f1090947d494c30042123e0ec846f696336 upstream. usb suspend clock has a gate shared with usb_root_clk. Fixes: 9c140d9926761 ("clk: imx: Add support for i.MX8MP clock driver") Cc: stable@vger.kernel.org # v5.19+ Acked-by: Krzysztof Kozlowski Tested-by: Alexander Stein Signed-off-by: Li Jun Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/1664549663-20364-1-git-send-email-jun.li@nxp.com Signed-off-by: Greg Kroah-Hartman commit 1a77a5bfe821bc341775a8bd7ac084ab4b009b6d Author: Johan Hovold Date: Fri Nov 11 10:47:29 2022 +0100 arm64: dts: qcom: sm8250: fix USB-DP PHY registers commit f8d8840c72b3df61b5252052b79020dabec01ab5 upstream. When adding support for the DisplayPort part of the QMP PHY the binding (and devicetree parser) for the (USB) child node was simply reused and this has lead to some confusion. The third DP register region is really the DP_PHY region, not "PCS" as the binding claims, and lie at offset 0x2a00 (not 0x2c00). Similarly, there likely are no "RX", "RX2" or "PCS_MISC" regions as there are for the USB part of the PHY (and in any case the Linux driver does not use them). Note that the sixth "PCS_MISC" region is not even in the binding. Fixes: 5aa0d1becd5b ("arm64: dts: qcom: sm8250: switch usb1 qmp phy to USB3+DP mode") Cc: stable@vger.kernel.org # 5.13 Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221111094729.11842-3-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman commit 299f141f90cd45e1eea113f91ef4e9ea40be3fbc Author: Johan Hovold Date: Fri Nov 11 10:47:28 2022 +0100 arm64: dts: qcom: sm6350: fix USB-DP PHY registers commit 347b9491c595d5091bfabe65cad2fd6eee786153 upstream. When adding support for the DisplayPort part of the QMP PHY the binding (and devicetree parser) for the (USB) child node was simply reused and this has lead to some confusion. The third DP register region is really the DP_PHY region, not "PCS" as the binding claims, and lie at offset 0x2a00 (not 0x2c00). Similarly, there likely are no "RX", "RX2" or "PCS_MISC" regions as there are for the USB part of the PHY (and in any case the Linux driver does not use them). Note that the sixth "PCS_MISC" region is not even in the binding. Fixes: 23737b9557fe ("arm64: dts: qcom: sm6350: Add USB1 nodes") Cc: stable@vger.kernel.org # 5.16 Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221111094729.11842-2-johan+linaro@kernel.org Signed-off-by: Greg Kroah-Hartman commit c8e7463844888dc8344bbb9cbad88cdce9cb8077 Author: Chunfeng Yun Date: Mon Nov 28 14:33:37 2022 +0800 usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq commit 03a88b0bafbe3f548729d970d8366f48718c9b19 upstream. Can not set the @shared_hcd to NULL before decrease the usage count by usb_put_hcd(), this will cause the shared hcd not released. Fixes: 04284eb74e0c ("usb: xhci-mtk: add support runtime PM") Cc: Signed-off-by: Chunfeng Yun Link: https://lore.kernel.org/r/20221128063337.18124-1-chunfeng.yun@mediatek.com Signed-off-by: Greg Kroah-Hartman commit dfbbc47d8672a73679311df5acbeae6a6ff23dee Author: Pawel Laszczak Date: Tue Nov 22 03:51:38 2022 -0500 usb: cdnsp: fix lack of ZLP for ep0 commit ae423ef5d095e09970f52c08020fdbf7f9d87c22 upstream. Patch implements the handling of ZLP for control transfer. To send the ZLP driver must prepare the extra TRB in TD with length set to zero and TRB type to TRB_NORMAL. The first TRB must have set TRB_CHAIN flag, TD_SIZE = 1 and TRB type to TRB_DATA. Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver") cc: Reviewed-by: Peter Chen Signed-off-by: Pawel Laszczak Link: https://lore.kernel.org/r/20221122085138.332434-1-pawell@cadence.com Signed-off-by: Greg Kroah-Hartman commit 5b7c3061067efaa82ce9833a6ea21ed7cf44c234 Author: Bastien Nocera Date: Thu Dec 15 16:44:16 2022 +0100 HID: logitech-hidpp: Guard FF init code against non-USB devices commit 0e13e7b448005612972eae36c0f698c21d1e2f8a upstream. The Force Feedback code assumes that all the devices passed to it will be USB devices, but that might not be the case for emulated devices. Guard against a crash by checking the device type before poking at USB properties. Cc: stable@vger.kernel.org # v5.16+ Reported-by: Benjamin Tissoires Signed-off-by: Bastien Nocera Signed-off-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20221215154416.111704-1-hadess@hadess.net Signed-off-by: Greg Kroah-Hartman commit d95d83041b87e1efec86eab1ec222d7f667d1b6d Author: Jiao Zhou Date: Tue Dec 6 13:53:11 2022 -0500 ALSA: hda/hdmi: Add HP Device 0x8711 to force connect list commit 31b573946ea55e1ea0e08ae8e83bcf879b30f83a upstream. HDMI audio is not working on the HP EliteDesk 800 G6 because the pin is unconnected. This issue can be resolved by using the 'hdajackretask' tool to override the unconnected pin to force it to connect. Signed-off-by: Jiao Zhou Cc: Link: https://lore.kernel.org/r/20221206185311.3669950-1-jiaozhou@google.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 05d30f4b6cbea9de0b0b5e182d425d305c6b2f06 Author: Edward Pacman Date: Wed Dec 7 21:32:18 2022 +0800 ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB commit 4bf5bf54476dffe60e6b6d8d539f67309ff599e2 upstream. Lenovo TianYi510Pro-14IOB (17aa:3742) require quirk for enabling headset-mic Signed-off-by: Edward Pacman Cc: Link: https://bugzilla.kernel.org/show_bug.cgi?id=216756 Link: https://lore.kernel.org/r/20221207133218.18989-1-edward@edward-p.xyz Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 80202ef4f7cc378a971d5c69236ca77f1ecf6674 Author: wangdicheng Date: Wed Dec 7 16:20:36 2022 +0800 ALSA: usb-audio: add the quirk for KT0206 device commit 696b66ac26ef953aed5783ef26a252ec8f207013 upstream. Add relevant information to the quirks-table.h file. The test passes and the sound source file plays normally. Signed-off-by: wangdicheng Cc: Link: https://lore.kernel.org/r/SG2PR02MB587849631CB96809CF90DBED8A1A9@SG2PR02MB5878.apcprd02.prod.outlook.com Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 67fd112b4b04030aa8b77a82f999607e7afc57b9 Author: Takashi Iwai Date: Mon Dec 5 14:21:24 2022 +0100 ALSA: usb-audio: Workaround for XRUN at prepare commit 198dde085ecc0138e4f0b0b69d18a0c870f2dea6 upstream. Under certain situations (typically in the implicit feedback mode), USB-audio driver starts a playback stream already at PCM prepare call even before the actual PCM trigger-START call. For implicit feedback mode, this effectively starts two streams for data and sync endpoints, and if a coupled sync stream gets XRUN at this point, it results in an error -EPIPE. The problem is that currently we return -EPIPE error as is from the prepare. Then application tries to recover again via the prepare call, but it'll fail again because the sync-stop is missing. The sync-stop is missing because it's an internal trigger call (hence the PCM core isn't involved). Since we'll need to re-issue the prepare in anyway when trapped into this pitfall, this patch attempts to address it in a bit different way; namely, the driver tries to prepare once again after syncing the stop manually by itself -- so applications don't see the internal error. At the second failure, we report the error as is, but this shouldn't happen in normal situations. Reported-and-tested-by: Carl Hetherington Cc: Link: https://lore.kernel.org/r/b4e71631-4a94-613-27b2-fb595792630@carlh.net Link: https://lore.kernel.org/r/20221205132124.11585-4-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b669bd94a1c8a49b58e77aeddcad44af83d6e23e Author: Jeff LaBundy Date: Sat Oct 22 19:57:13 2022 -0500 dt-bindings: input: iqs7222: Add support for IQS7222A v1.13+ [ Upstream commit 97384a65c5e304ccab0477751546f5519d9371c3 ] IQS7222A revisions 1.13 and later widen the gesture multiplier from x4 ms to x16 ms; update the binding accordingly. As part of this change, refresh the corresponding properties in the example as well. Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Reviewed-by: Rob Herring Link: https://lore.kernel.org/r/Y1SRaVGwj30z/g6r@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2ca347287d3fcc3c753cb8f5333435428e02fc84 Author: Jeff LaBundy Date: Sat Oct 22 19:56:51 2022 -0500 dt-bindings: input: iqs7222: Correct minimum slider size [ Upstream commit 99d03b54ef8506771c15deb714396665592f6adf ] The minimum slider size enforced by the driver is 1 or 16 for the IQS7222C or IQS7222A, respectively. Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Acked-by: Rob Herring Link: https://lore.kernel.org/r/Y1SRU37t74wRvZv3@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 78e01a98860e4168f3cc89d4db60958a3f46253e Author: Jeff LaBundy Date: Sat Oct 22 19:56:24 2022 -0500 dt-bindings: input: iqs7222: Reduce 'linux,code' to optional [ Upstream commit ccad486525c49df2fe2e7090990522547dfd2785 ] Following a recent refactor of the driver to properly drop unused device nodes, the 'linux,code' property is now optional. This can be useful for applications that define GPIO-mapped events that do not correspond to any keycode. Fixes: 44dc42d254bf ("dt-bindings: input: Add bindings for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Reviewed-by: Rob Herring Link: https://lore.kernel.org/r/Y1SROIrrC1LwX0Sd@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c8ab62f13d6639c4fece33890de3eed24a9b85a0 Author: Jeff LaBundy Date: Sat Oct 22 19:57:25 2022 -0500 Input: iqs7222 - add support for IQS7222A v1.13+ [ Upstream commit 8d4c313c03f104c69e25ab03058d8955be9dc387 ] IQS7222A revisions 1.13 and later widen the gesture multiplier from x4 ms to x16 ms. Add a means to scale the gesture timings specified in the device tree based on the revision of the device. Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Reviewed-by: Mattijs Korpershoek Link: https://lore.kernel.org/r/Y1SRdbK1Dp2q7O8o@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit fa25c90ee9a7a942ff9d892e314c8f0b323cd67d Author: Jeff LaBundy Date: Sat Oct 22 19:56:38 2022 -0500 Input: iqs7222 - report malformed properties [ Upstream commit 404f3b48e65f058d94429e4a1ec16a1f82ff3b2f ] Nonzero return values of several calls to fwnode_property_read_u32() are silently ignored, leaving no way to know the properties were not applied in the event of an error. Solve this problem by evaluating fwnode_property_read_u32()'s return value, and reporting an error for any nonzero return value not equal to -EINVAL which indicates the property was absent altogether. Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Reviewed-by: Mattijs Korpershoek Link: https://lore.kernel.org/r/Y1SRRrpQXvkETjfm@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 201d1baa9a455dbf133674e46bf0a99ca2dbe10d Author: Jeff LaBundy Date: Sat Oct 22 19:56:04 2022 -0500 Input: iqs7222 - drop unused device node references [ Upstream commit bbd16b0d839978e8c8bec2b9a162373f64fc2fbb ] Each call to device/fwnode_get_named_child_node() must be matched with a call to fwnode_handle_put() once the corresponding node is no longer in use. This ensures a reference count remains balanced in the case of dynamic device tree support. Currently, the driver never calls fwnode_handle_put(). Solve this problem by moving the node handling from iqs7222_parse_props() to the new iqs7222_parse_reg_grp(), leaving the former to do nothing but parse properties. The latter then manages the reference count in a single location and consistent fashion. This change drastically simplifies iqs7222_parse_all(), which can then call iqs7222_parse_reg_grp() on every register group without having to treat each register group differently. For nested event nodes, common parsing code has been factored out to the new iqs7222_parse_event() so as to allow the event node to be dropped from as few locations as possible. As part of this refactor, the 'linux,code' property has been made optional. This enables applications that define an event with the sole purpose of enabling a GPIO. Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Link: https://lore.kernel.org/r/Y1SRJIQ3WPwNpC0K@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 26e69e719a2f977c3676bd0556a2eac6b4f1c7d8 Author: GUO Zihua Date: Wed Sep 21 20:58:03 2022 +0800 ima: Simplify ima_lsm_copy_rule [ Upstream commit d57378d3aa4d864d9e590482602068af1b20c0c5 ] Currently ima_lsm_copy_rule() set the arg_p field of the source rule to NULL, so that the source rule could be freed afterward. It does not make sense for this behavior to be inside a "copy" function. So move it outside and let the caller handle this field. ima_lsm_copy_rule() now produce a shallow copy of the original entry including args_p field. Meaning only the lsm.rule and the rule itself should be freed for the original rule. Thus, instead of calling ima_lsm_free_rule() which frees lsm.rule as well as args_p field, free the lsm.rule directly. Signed-off-by: GUO Zihua Reviewed-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit 475add46170dc1b634cb31c85c74c6487ad04414 Author: John Stultz Date: Wed Dec 21 05:18:55 2022 +0000 pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES [ Upstream commit 2f4fec5943407318b9523f01ce1f5d668c028332 ] In commit 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion") I changed a lock to an rt_mutex. However, its possible that CONFIG_RT_MUTEXES is not enabled, which then results in a build failure, as the 0day bot detected: https://lore.kernel.org/linux-mm/202212211244.TwzWZD3H-lkp@intel.com/ Thus this patch changes CONFIG_PSTORE_PMSG to select CONFIG_RT_MUTEXES, which ensures the build will not fail. Cc: Wei Wang Cc: Midas Chien Cc: Connor O'Brien Cc: Kees Cook Cc: Anton Vorontsov Cc: Colin Cross Cc: Tony Luck Cc: kernel test robot Cc: kernel-team@android.com Fixes: 76d62f24db07 ("pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion") Reported-by: kernel test robot Signed-off-by: John Stultz Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221221051855.15761-1-jstultz@google.com Signed-off-by: Sasha Levin commit 810f2cfdfe4e072555781fa5dd188949195dda16 Author: Sami Tolvanen Date: Thu Dec 22 22:57:47 2022 +0000 cfi: Fix CFI failure with KASAN [ Upstream commit cf8016408d880afe9c5dc495af40dc2932874e77 ] When CFI_CLANG and KASAN are both enabled, LLVM doesn't generate a CFI type hash for asan.module_ctor functions in translation units where CFI is disabled, which leads to a CFI failure during boot when do_ctors calls the affected constructors: CFI failure at do_basic_setup+0x64/0x90 (target: asan.module_ctor+0x0/0x28; expected type: 0xa540670c) Specifically, this happens because CFI is disabled for kernel/cfi.c. There's no reason to keep CFI disabled here anymore, so fix the failure by not filtering out CC_FLAGS_CFI for the file. Note that https://reviews.llvm.org/rG3b14862f0a96 fixed the issue where LLVM didn't emit CFI type hashes for any sanitizer constructors, but now type hashes are emitted correctly for TUs that use CFI. Link: https://github.com/ClangBuiltLinux/linux/issues/1742 Fixes: 89245600941e ("cfi: Switch to -fsanitize=kcfi") Reported-by: Mark Rutland Signed-off-by: Sami Tolvanen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221222225747.3538676-1-samitolvanen@google.com Signed-off-by: Sasha Levin commit b4a59fd2e50b733d0182b65266121ffb2e72a8e9 Author: David Howells Date: Wed Dec 21 14:30:48 2022 +0000 afs: Fix lost servers_outstanding count [ Upstream commit 36f82c93ee0bd88f1c95a52537906b8178b537f1 ] The afs_fs_probe_dispatcher() work function is passed a count on net->servers_outstanding when it is scheduled (which may come via its timer). This is passed back to the work_item, passed to the timer or dropped at the end of the dispatcher function. But, at the top of the dispatcher function, there are two checks which skip the rest of the function: if the network namespace is being destroyed or if there are no fileservers to probe. These two return paths, however, do not drop the count passed to the dispatcher, and so, sometimes, the destruction of a network namespace, such as induced by rmmod of the kafs module, may get stuck in afs_purge_servers(), waiting for net->servers_outstanding to become zero. Fix this by adding the missing decrements in afs_fs_probe_dispatcher(). Fixes: f6cbb368bcb0 ("afs: Actively poll fileservers to maintain NAT or firewall openings") Reported-by: Marc Dionne Signed-off-by: David Howells Tested-by: Marc Dionne cc: linux-afs@lists.infradead.org Link: https://lore.kernel.org/r/167164544917.2072364.3759519569649459359.stgit@warthog.procyon.org.uk/ Signed-off-by: Sasha Levin commit 6c7b9d12578d590f05ee230404f7107164c8cf7b Author: Michael Petlan Date: Mon Dec 19 17:30:08 2022 +0100 perf test: Fix "all PMU test" to skip parametrized events [ Upstream commit b50d691e50e600fab82b423be871860537d75dc9 ] Parametrized events are not only a powerpc domain. They occur on other platforms too (e.g. aarch64). They should be ignored in this testcase, since proper setup of the parameters is out of scope of this script. Let's not filter them out by PMU name, but rather based on the fact that they expect a parameter. Fixes: 451ed8058c69a3fe ("perf test: Fix "all PMU test" to skip hv_24x7/hv_gpci tests on powerpc") Signed-off-by: Michael Petlan Cc: Athira Rajeev Cc: Disha Goel Cc: Ian Rogers Cc: Michael Ellerman Cc: Nageswara R Sastry Link: https://lore.kernel.org/r/20221219163008.9691-1-mpetlan@redhat.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit a7a2d258101dd57192e55700c15082093e118864 Author: Sergio Paracuellos Date: Sat Dec 17 08:48:06 2022 +0100 MIPS: ralink: mt7621: avoid to init common ralink reset controller [ Upstream commit 76ce51798cb16738a4a28a6662e7344aaf7ef769 ] Commit 38a8553b0a22 ("clk: ralink: make system controller node a reset provider") make system controller a reset provider for mt7621 ralink SoCs. Ralink init code also tries to start previous common reset controller which at the end tries to find device tree node 'ralink,rt2880-reset'. mt7621 device tree file is not using at all this node anymore. Hence avoid to init this common reset controller for mt7621 ralink SoCs to avoid 'Failed to find reset controller node' boot error trace error. Fixes: 64b2d6ffff86 ("staging: mt7621-dts: align resets with binding documentation") Signed-off-by: Sergio Paracuellos Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 59871742b4810f7c5d282908f0a7090df092805a Author: Yang Jihong Date: Tue Dec 20 11:57:02 2022 +0800 perf probe: Check -v and -q options in the right place [ Upstream commit 8b269b75551227796c1ddac2dbdb2ba504158c61 ] Check the -q and -v options first to return earlier on error. Before: # perf probe -q -v test probe-definition(0): test symbol:test file:(null) line:0 offset:0 return:0 lazy:(null) 0 arguments Error: -v and -q are exclusive. After: # perf probe -q -v test Error: -v and -q are exclusive. Fixes: 5e17b28f1e246b98 ("perf probe: Add --quiet option to suppress output result message") Reviewed-by: Adrian Hunter Signed-off-by: Yang Jihong Cc: Alexander Shishkin Cc: Andi Kleen Cc: Carsten Haitzler Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Martin KaFai Lau Cc: Masami Hiramatsu Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Ravi Bangoria Link: https://lore.kernel.org/r/20221220035702.188413-4-yangjihong1@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 5d098b5080cbef4e96e5b7a8574bfab2e5a5c93a Author: James Clark Date: Tue Oct 18 10:41:36 2022 +0100 perf tools: Make quiet mode consistent between tools [ Upstream commit a527c2c1e2d43e9f145f5d0c5d6ac0bdf5220e22 ] Use the global quiet variable everywhere so that all tools hide warnings in quiet mode and update the documentation to reflect this. 'perf probe' claimed that errors are not printed in quiet mode but I don't see this so remove it from the docs. Signed-off-by: James Clark Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20221018094137.783081-3-james.clark@arm.com Signed-off-by: Arnaldo Carvalho de Melo Stable-dep-of: 8b269b755512 ("perf probe: Check -v and -q options in the right place") Signed-off-by: Sasha Levin commit 01c4004e40b6b08783a11daf3280a4a1a552c5a0 Author: Yang Jihong Date: Tue Dec 20 11:57:00 2022 +0800 perf debug: Set debug_peo_args and redirect_to_stderr variable to correct values in perf_quiet_option() [ Upstream commit 188ac720d364035008a54d249cf47b4cc100f819 ] When perf uses quiet mode, perf_quiet_option() sets the 'debug_peo_args' variable to -1, and display_attr() incorrectly determines the value of 'debug_peo_args'. As a result, unexpected information is displayed. Before: # perf record --quiet -- ls > /dev/null ------------------------------------------------------------ perf_event_attr: size 128 { sample_period, sample_freq } 4000 sample_type IP|TID|TIME|PERIOD read_format ID|LOST disabled 1 inherit 1 mmap 1 comm 1 freq 1 enable_on_exec 1 task 1 precise_ip 3 sample_id_all 1 exclude_guest 1 mmap2 1 comm_exec 1 ksymbol 1 bpf_event 1 ------------------------------------------------------------ ... After: # perf record --quiet -- ls > /dev/null # redirect_to_stderr is a similar problem. Fixes: f78eaef0e0493f60 ("perf tools: Allow to force redirect pr_debug to stderr.") Fixes: ccd26741f5e6bdf2 ("perf tool: Provide an option to print perf_event_open args and return value") Suggested-by: Adrian Hunter Reviewed-by: Adrian Hunter Signed-off-by: Yang Jihong Cc: Alexander Shishkin Cc: Andi Kleen Cc: Carsten Haitzler Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: martin.lau@kernel.org Cc: Masami Hiramatsu Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Ravi Bangoria Cc: Ravi Bangoria Link: https://lore.kernel.org/r/20221220035702.188413-2-yangjihong1@huawei.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 86777de67a85ed65db9e2e665030490fc87b8cf3 Author: Arnd Bergmann Date: Thu Dec 15 17:36:31 2022 +0100 drm/amd/pm: avoid large variable on kernel stack [ Upstream commit d118b18fb1da02b41df2da78cb2794b3638d89cd ] The activity_monitor_external[] array is too big to fit on the kernel stack, resulting in this warning with clang: drivers/gpu/drm/amd/amdgpu/../pm/swsmu/smu13/smu_v13_0_7_ppt.c:1438:12: error: stack frame size (1040) exceeds limit (1024) in 'smu_v13_0_7_get_power_profile_mode' [-Werror,-Wframe-larger-than] Use dynamic allocation instead. It should also be possible to have single element here instead of the array, but this seems easier. v2: fix up argument to sizeof() (Alex) Fixes: 334682ae8151 ("drm/amd/pm: enable workload type change on smu_v13_0_7") Signed-off-by: Arnd Bergmann Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit e84276c8dd8867690bf20ef2ed613eeaca134dc7 Author: John Stultz Date: Wed Dec 14 23:18:34 2022 +0000 pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion [ Upstream commit 76d62f24db07f22ccf9bc18ca793c27d4ebef721 ] Wei Wang reported seeing priority inversion caused latencies caused by contention on pmsg_lock, and suggested it be switched to a rt_mutex. I was initially hesitant this would help, as the tasks in that trace all seemed to be SCHED_NORMAL, so the benefit would be limited to only nice boosting. However, another similar issue was raised where the priority inversion was seen did involve a blocked RT task so it is clear this would be helpful in that case. Cc: Wei Wang Cc: Midas Chien Cc: Connor O'Brien Cc: Kees Cook Cc: Anton Vorontsov Cc: Colin Cross Cc: Tony Luck Cc: kernel-team@android.com Fixes: 9d5438f462ab ("pstore: Add pmsg - user-space accessible pstore object") Reported-by: Wei Wang Signed-off-by: John Stultz Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221214231834.3711880-1-jstultz@google.com Signed-off-by: Sasha Levin commit d7d99f1a0af0fafbb16123148859759580174e07 Author: Kristina Martsenko Date: Fri Dec 9 17:34:41 2022 +0000 lkdtm: cfi: Make PAC test work with GCC 7 and 8 [ Upstream commit f68022ae0aeb0803450e05abc0e984027c33ef1b ] The CFI test uses the branch-protection=none compiler attribute to disable PAC return address protection on a function. While newer GCC versions support this attribute, older versions (GCC 7 and 8) instead supported the sign-return-address=none attribute, leading to a build failure when the test is built with older compilers. Fix it by checking which attribute is supported and using the correct one. Fixes: 2e53b877dc12 ("lkdtm: Add CFI_BACKWARD to test ROP mitigations") Reported-by: Daniel Díaz Signed-off-by: Kristina Martsenko Signed-off-by: Kees Cook Link: https://lore.kernel.org/all/CAEUSe78kDPxQmQqCWW-_9LCgJDFhAeMoVBFnX9QLx18Z4uT4VQ@mail.gmail.com/ Signed-off-by: Sasha Levin commit 2c5e64f0a8d356616329ea26382b86dd191f9d70 Author: Kees Cook Date: Fri Dec 9 11:54:57 2022 -0800 LoadPin: Ignore the "contents" argument of the LSM hooks [ Upstream commit 1a17e5b513ceebf21100027745b8731b4728edf7 ] LoadPin only enforces the read-only origin of kernel file reads. Whether or not it was a partial read isn't important. Remove the overly conservative checks so that things like partial firmware reads will succeed (i.e. reading a firmware header). Fixes: 2039bda1fa8d ("LSM: Add "contents" flag to kernel_read_file hook") Cc: Paul Moore Cc: James Morris Cc: "Serge E. Hallyn" Cc: linux-security-module@vger.kernel.org Signed-off-by: Kees Cook Acked-by: Serge Hallyn Tested-by: Ping-Ke Shih Link: https://lore.kernel.org/r/20221209195453.never.494-kees@kernel.org Signed-off-by: Sasha Levin commit 2d57269cabeb52c6e80223a9d838e0a758005af7 Author: Khaled Almahallawy Date: Wed Nov 23 14:09:26 2022 -0800 drm/i915/display: Don't disable DDI/Transcoder when setting phy test pattern [ Upstream commit 3153eebb7a76e663ac76d6670dc113296de96622 ] Bspecs has updated recently to remove the restriction to disable DDI/Transcoder before setting PHY test pattern. This update is to address PHY compliance test failures observed on a port with LTTPR. The issue is that when Transc. is disabled, the main link signals fed to LTTPR will be dropped invalidating link training, which will affect the quality of the phy test pattern when the transcoder is enabled again. v2: Update commit message (Clint) v3: Add missing Signed-off in v2 v4: Update Bspec and commit message for pre-gen12 (Jani) Bspec: 50482, 7555 Fixes: 8cdf72711928 ("drm/i915/dp: Program vswing, pre-emphasis, test-pattern") Cc: Imre Deak Cc: Clint Taylor CC: Jani Nikula Tested-by: Khaled Almahallawy Reviewed-by: Clint Taylor Signed-off-by: Khaled Almahallawy Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20221123220926.170034-1-khaled.almahallawy@intel.com (cherry picked from commit be4a847652056b067d6dc6fe0fc024a9e2e987ca) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit 7ed4007347b5690c373fbd642edb7b79c672d7ab Author: Hans de Goede Date: Tue Dec 13 13:33:19 2022 +0100 ASoC: rt5670: Remove unbalanced pm_runtime_put() [ Upstream commit 6c900dcc3f7331a67ed29739d74524e428d137fb ] For some reason rt5670_i2c_probe() does a pm_runtime_put() at the end of a successful probe. But it has never done a pm_runtime_get() leading to the following error being logged into dmesg: rt5670 i2c-10EC5640:00: Runtime PM usage count underflow! Fix this by removing the unnecessary pm_runtime_put(). Fixes: 64e89e5f5548 ("ASoC: rt5670: Add runtime PM support") Signed-off-by: Hans de Goede Link: https://lore.kernel.org/r/20221213123319.11285-1-hdegoede@redhat.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0fe3a0cd2699df79eb21d1b67e21d9f02c1fce23 Author: Wang Jingjin Date: Thu Dec 8 14:39:00 2022 +0800 ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() [ Upstream commit 6d94d0090527b1763872275a7ccd44df7219b31e ] rk_spdif_runtime_resume() may have called clk_prepare_enable() before return from failed branches, add missing clk_disable_unprepare() in this case. Fixes: f874b80e1571 ("ASoC: rockchip: Add rockchip SPDIF transceiver driver") Signed-off-by: Wang Jingjin Link: https://lore.kernel.org/r/20221208063900.4180790-1-wangjingjin1@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 6df3ccb6aff0773d426cb024f1d9cc0adfaca890 Author: Marek Szyprowski Date: Fri Dec 9 10:16:57 2022 +0100 ASoC: wm8994: Fix potential deadlock [ Upstream commit 9529dc167ffcdfd201b9f0eda71015f174095f7e ] Fix this by dropping wm8994->accdet_lock while calling cancel_delayed_work_sync(&wm8994->mic_work) in wm1811_jackdet_irq(). Fixes: c0cc3f166525 ("ASoC: wm8994: Allow a delay between jack insertion and microphone detect") Signed-off-by: Marek Szyprowski Acked-by: Charles Keepax Link: https://lore.kernel.org/r/20221209091657.1183-1-m.szyprowski@samsung.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f64bb48f27fbe789e9d66930008267cfccccac1e Author: Kai Vehmanen Date: Fri Dec 9 12:18:22 2022 +0200 ALSA: hda/hdmi: fix stream-id config keep-alive for rt suspend [ Upstream commit ee0b089d660021792e4ab4dda191b097ce1e964f ] When the new style KAE keep-alive implementation is used on compatible Intel hardware, the clocks are maintained when codec is in D3. The generic code in hda_cleanup_all_streams() can however interfere with generation of audio samples in this mode, by setting the stream and channel ids to zero. To get full benefit of the keepalive, set the new no_stream_clean_at_suspend quirk bit on affected Intel hardware. When this bit is set, stream cleanup is skipped in hda_call_codec_suspend(). Special handling is needed for the case when system goes to suspend. The stream id programming can be lost in this case. This will also cause codec->cvt_setups to be out of sync. Handle this by implementing custom suspend/resume handlers. If keep-alive is active for any converter, set the quirk flags no_stream_clean_at_suspend and forced_resume. Upon resume, keepalive programming is restored if needed. Fixes: 15175a4f2bbb ("ALSA: hda/hdmi: add keep-alive support for ADL-P and DG2") Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20221209101822.3893675-4-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit b4b2c4305cf4fea5f47cc3d5a588264a78a42a71 Author: Kai Vehmanen Date: Fri Dec 9 12:18:21 2022 +0200 ALSA: hda/hdmi: set default audio parameters for KAE silent-stream [ Upstream commit b17e7ea041d8b565063632501ca4597afd105102 ] If the stream-id is zero, the keep-alive (KAE) will only ensure clock is generated, but no audio samples are sent over display link. This happens before first real audio stream is played out to a newly connected receiver. Reuse the code in silent_stream_enable() to set up stream parameters to sane defaults values, also when using the newer keep-alive flow. Fixes: 15175a4f2bbb ("ALSA: hda/hdmi: add keep-alive support for ADL-P and DG2") Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Tested-by: Rodrigo Vivi Link: https://lore.kernel.org/r/20221209101822.3893675-3-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 1cc133bee40f47bf8da3bbe7983a0708b4855b6b Author: Kai Vehmanen Date: Fri Dec 9 12:18:20 2022 +0200 ALSA: hda/hdmi: fix i915 silent stream programming flow [ Upstream commit ada261b690ecd5c2f55f0c51bdf11d852a4561a6 ] The i915 display codec may not successfully transition to normal audio streaming mode, if the stream id is programmed while codec is actively transmitting data. This can happen when silent stream is enabled in KAE mode. Fix the issue by implementing a i915 specific programming flow, where the silent streaming is temporarily stopped, a small delay is applied to ensure display codec becomes idle, and then proceed with reprogramming the stream ID. Fixes: 15175a4f2bbb ("ALSA: hda/hdmi: add keep-alive support for ADL-P and DG2") Link: https://gitlab.freedesktop.org/drm/intel/-/issues/7353 Signed-off-by: Kai Vehmanen Reviewed-by: Pierre-Louis Bossart Tested-by: Rodrigo Vivi Link: https://lore.kernel.org/r/20221209101822.3893675-2-kai.vehmanen@linux.intel.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 156b0c19c1a44153e34cfdfa5937546a93dcb288 Author: Wang Yufen Date: Mon Dec 5 17:56:28 2022 +0800 ASoC: mediatek: mt8183: fix refcount leak in mt8183_mt6358_ts3a227_max98357_dev_probe() [ Upstream commit 38eef3be38ab895959c442702864212cc3beb96c ] The node returned by of_parse_phandle() with refcount incremented, of_node_put() needs be called when finish using it. So add it in the error path in mt8183_mt6358_ts3a227_max98357_dev_probe(). Fixes: 11c0269017b2 ("ASoC: Mediatek: MT8183: Add machine driver with TS3A227") Signed-off-by: Wang Yufen Link: https://lore.kernel.org/r/1670234188-23596-1-git-send-email-wangyufen@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit bebbba710321f7c5f606c1628b3543141753a4d8 Author: Wang Jingjin Date: Mon Dec 5 11:28:02 2022 +0800 ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() [ Upstream commit ef0a098efb36660326c133af9b5a04a96a00e3ca ] The clk_disable_unprepare() should be called in the error handling of rockchip_pdm_runtime_resume(). Fixes: fc05a5b22253 ("ASoC: rockchip: add support for pdm controller") Signed-off-by: Wang Jingjin Link: https://lore.kernel.org/r/20221205032802.2422983-1-wangjingjin1@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 4cc8431ec77a43ea106d8bde0860c61cfdda1cd0 Author: Wang Yufen Date: Mon Dec 5 16:15:27 2022 +0800 ASoC: audio-graph-card: fix refcount leak of cpu_ep in __graph_for_each_link() [ Upstream commit 8ab2d12c726f0fde0692fa5d81d8019b3dcd62d0 ] The of_get_next_child() returns a node with refcount incremented, and decrements the refcount of prev. So in the error path of the while loop, of_node_put() needs be called for cpu_ep. Fixes: fce9b90c1ab7 ("ASoC: audio-graph-card: cleanup DAI link loop method - step2") Signed-off-by: Wang Yufen Acked-by: Kuninori Morimoto Link: https://lore.kernel.org/r/1670228127-13835-1-git-send-email-wangyufen@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a22cfbf78a87f0772f59920cb7370e46481369d8 Author: Wang Yufen Date: Mon Dec 5 18:04:24 2022 +0800 ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() [ Upstream commit 3327d721114c109ba0575f86f8fda3b525404054 ] The node returned by of_parse_phandle() with refcount incremented, of_node_put() needs be called when finish using it. So add it in the error path in mt8173_rt5650_rt5514_dev_probe(). Fixes: 0d1d7a664288 ("ASoC: mediatek: Refine mt8173 driver and change config option") Signed-off-by: Wang Yufen Link: https://lore.kernel.org/r/1670234664-24246-1-git-send-email-wangyufen@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 18a548fdecca5b276594ee8e245e6434e53cd937 Author: Cezary Rojewski Date: Mon Dec 5 09:53:29 2022 +0100 ASoC: Intel: Skylake: Fix driver hang during shutdown [ Upstream commit 171107237246d66bce04f3769d33648f896b4ce3 ] AudioDSP cores and HDAudio links need to be turned off on shutdown to ensure no communication or data transfer occurs during the procedure. Fixes: c5a76a246989 ("ASoC: Intel: Skylake: Add shutdown callback") Signed-off-by: Cezary Rojewski Tested-by: Lukasz Majczak Link: https://lore.kernel.org/r/20221205085330.857665-6-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 390a1a98288a53b2e7555097d83c6e55d579b166 Author: Yang Yingliang Date: Mon Dec 5 22:37:21 2022 +0800 ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() [ Upstream commit 1b41beaa7a58467505ec3023af8aad74f878b888 ] sof_es8336_remove() calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function has finished, which would result in a use-after-free. Fix by calling cancel_delayed_work_sync(), which ensures that the work is properly cancelled, no longer running, and unable to re-schedule itself. Fixes: 89cdb224f2ab ("ASoC: sof_es8336: reduce pop noise on speaker") Signed-off-by: Yang Yingliang Acked-by: Pierre-Louis Bossart Link: https://lore.kernel.org/r/20221205143721.3988988-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 48c509f3f1210d3a2011e7fd4bae6dfc781c5243 Author: Yang Yingliang Date: Thu Oct 27 14:29:31 2022 +0800 hwmon: (jc42) Fix missing unlock on error in jc42_write() [ Upstream commit b744db17abf6a2efc2bfa80870cc88e9799a8ccc ] Add the missing unlock before return from function jc42_write() in the error handling case. Fixes: 37dedaee8bc6 ("hwmon: (jc42) Convert register access and caching to regmap/regcache") Signed-off-by: Yang Yingliang Reviewed-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20221027062931.598247-1-yangyingliang@huawei.com Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 0cd303aad220fafa595e0ed593e99aa51b90412b Author: Zhang Xiaoxu Date: Tue Oct 18 12:40:07 2022 +0800 orangefs: Fix kmemleak in orangefs_{kernel,client}_debug_init() [ Upstream commit 31720a2b109b3080eb77e97b8f6f50a27b4ae599 ] When insert and remove the orangefs module, there are memory leaked as below: unreferenced object 0xffff88816b0cc000 (size 2048): comm "insmod", pid 783, jiffies 4294813439 (age 65.512s) hex dump (first 32 bytes): 6e 6f 6e 65 0a 00 00 00 00 00 00 00 00 00 00 00 none............ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000005b405fee>] orangefs_debugfs_init.cold+0xaf/0x17f [<00000000e5a0085b>] 0xffffffffa02780f9 [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Use the golbal variable as the buffer rather than dynamic allocate to slove the problem. Signed-off-by: Zhang Xiaoxu Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin commit 22409490294180c39be7dd0e5b2667d41556307d Author: Zhang Xiaoxu Date: Tue Oct 18 12:40:06 2022 +0800 orangefs: Fix kmemleak in orangefs_sysfs_init() [ Upstream commit 1f2c0e8a587bcafad85019a2d80f158d8d41a868 ] When insert and remove the orangefs module, there are kobjects memory leaked as below: unreferenced object 0xffff88810f95af00 (size 64): comm "insmod", pid 783, jiffies 4294813439 (age 65.512s) hex dump (first 32 bytes): a0 83 af 01 81 88 ff ff 08 af 95 0f 81 88 ff ff ................ 08 af 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000005a6e4dfe>] orangefs_sysfs_init+0x42/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810f95ae80 (size 64): comm "insmod", pid 783, jiffies 4294813439 (age 65.512s) hex dump (first 32 bytes): c8 90 0f 02 81 88 ff ff 88 ae 95 0f 81 88 ff ff ................ 88 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000001a4841fa>] orangefs_sysfs_init+0xc7/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810f95ae00 (size 64): comm "insmod", pid 783, jiffies 4294813440 (age 65.511s) hex dump (first 32 bytes): 60 87 a1 00 81 88 ff ff 08 ae 95 0f 81 88 ff ff `............... 08 ae 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000005915e797>] orangefs_sysfs_init+0x12b/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810f95ad80 (size 64): comm "insmod", pid 783, jiffies 4294813440 (age 65.511s) hex dump (first 32 bytes): 78 90 0f 02 81 88 ff ff 88 ad 95 0f 81 88 ff ff x............... 88 ad 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000007a14eb35>] orangefs_sysfs_init+0x1ac/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810f95ac00 (size 64): comm "insmod", pid 783, jiffies 4294813440 (age 65.531s) hex dump (first 32 bytes): e0 ff 67 02 81 88 ff ff 08 ac 95 0f 81 88 ff ff ..g............. 08 ac 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000001f38adcb>] orangefs_sysfs_init+0x291/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 unreferenced object 0xffff88810f95ab80 (size 64): comm "insmod", pid 783, jiffies 4294813441 (age 65.530s) hex dump (first 32 bytes): 50 bf 2f 02 81 88 ff ff 88 ab 95 0f 81 88 ff ff P./............. 88 ab 95 0f 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000031ab7788>] kmalloc_trace+0x27/0xa0 [<000000009cc7d95b>] orangefs_sysfs_init+0x2f5/0x3a0 [<00000000722645ca>] 0xffffffffa02780fe [<000000004232d9f7>] do_one_initcall+0x87/0x2a0 [<0000000054f22384>] do_init_module+0xdf/0x320 [<000000003263bdea>] load_module+0x2f98/0x3330 [<0000000052cd4153>] __do_sys_finit_module+0x113/0x1b0 [<00000000250ae02b>] do_syscall_64+0x35/0x80 [<00000000f11c03c7>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Should add release function for each kobject_type to free the memory. Signed-off-by: Zhang Xiaoxu Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin commit 19be31668552a198e887762e25bdcc560800ecb4 Author: Zhang Xiaoxu Date: Tue Oct 18 12:40:05 2022 +0800 orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() [ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ] When insert and remove the orangefs module, then debug_help_string will be leaked: unreferenced object 0xffff8881652ba000 (size 4096): comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) hex dump (first 32 bytes): 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow backtrace: [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 [<000000001d0614ae>] do_init_module+0xdf/0x320 [<00000000efef068c>] load_module+0x2f98/0x3330 [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 [<00000000a0da6f99>] do_syscall_64+0x35/0x80 [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 When remove the module, should always free debug_help_string. Should always free the allocated buffer when change the free_debug_help_string. Signed-off-by: Zhang Xiaoxu Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin commit 3ecdca49ca49d4770639d81503c873b6d25887c4 Author: Maurizio Lombardi Date: Tue Nov 15 13:56:38 2022 +0100 scsi: target: iscsi: Fix a race condition between login_work and the login thread [ Upstream commit fec1b2fa62c162d03f5dcd7b03e3c89d3116d49f ] In case a malicious initiator sends some random data immediately after a login PDU; the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may end without clearing the LOGIN_FLAGS_INITIAL_PDU flag (because no additional PDU exchanges are required to complete the login). The login has been completed but the login_work function will find the LOGIN_FLAGS_INITIAL_PDU flag set and will never stop from rescheduling itself; at this point, if the initiator drops the connection, the iscsit_conn structure will be freed, login_work will dereference a released socket structure and the kernel crashes. BUG: kernel NULL pointer dereference, address: 0000000000000230 PF: supervisor write access in kernel mode PF: error_code(0x0002) - not-present page Workqueue: events iscsi_target_do_login_rx [iscsi_target_mod] RIP: 0010:_raw_read_lock_bh+0x15/0x30 Call trace: iscsi_target_do_login_rx+0x75/0x3f0 [iscsi_target_mod] process_one_work+0x1e8/0x3c0 Fix this bug by forcing login_work to stop after the login has been completed and the socket callbacks have been restored. Add a comment to clearify the return values of iscsi_target_do_login() Signed-off-by: Maurizio Lombardi Link: https://lore.kernel.org/r/20221115125638.102517-1-mlombard@redhat.com Reviewed-by: Mike Christie Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 04371a75a58422a301a9ff9ae3babd310ac3bb3f Author: Nathan Chancellor Date: Wed Nov 2 08:56:23 2022 -0700 drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() [ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_hda_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_dvo_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = sti_hdmi_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ->mode_valid() in 'struct drm_connector_helper_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Adjust the return type of sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 23d2bed04159265a3764e3c8d6c3828ede261ef7 Author: Nathan Chancellor Date: Wed Nov 2 08:42:15 2022 -0700 drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() [ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = fsl_dcu_drm_connector_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. ->mode_valid() in 'struct drm_connector_helper_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Adjust the return type of fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org Signed-off-by: Sasha Levin commit d1c8b86b4ab7e8588a8cfadbdd6f20adbb15c938 Author: Kumar Meiyappan Date: Tue Nov 8 13:21:58 2022 -0600 scsi: smartpqi: Correct device removal for multi-actuator devices [ Upstream commit cc9befcbbb5ebce77726f938508700d913530035 ] Correct device count for multi-actuator drives which can cause kernel panics. Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Reviewed-by: Mike Mcgowan Reviewed-by: Kevin Barnett Signed-off-by: Kumar Meiyappan Signed-off-by: Don Brace Link: https://lore.kernel.org/r/166793531872.322537.9003385780343419275.stgit@brunhilda Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 41d8a934e2ea7446c71b6415d8da4ef66dc3f00b Author: Mike McGowen Date: Tue Nov 8 13:21:43 2022 -0600 scsi: smartpqi: Add new controller PCI IDs [ Upstream commit 0b93cf2a9097b1c3d75642ef878ba87f15f03043 ] All PCI ID entries in Hex. Add PCI IDs for ByteDance controllers: VID / DID / SVID / SDID ---- ---- ---- ---- ByteHBA JGH43024-8 9005 / 028f / 1e93 / 1000 ByteHBA JGH43034-8 9005 / 028f / 1e93 / 1001 ByteHBA JGH44014-8 9005 / 028f / 1e93 / 1002 Add PCI IDs for new Inspur controllers: VID / DID / SVID / SDID ---- ---- ---- ---- INSPUR RT0800M7E 9005 / 028f / 1bd4 / 0086 INSPUR RT0800M7H 9005 / 028f / 1bd4 / 0087 INSPUR RT0804M7R 9005 / 028f / 1bd4 / 0088 INSPUR RT0808M7R 9005 / 028f / 1bd4 / 0089 Add PCI IDs for new FAB A controllers: VID / DID / SVID / SDID ---- ---- ---- ---- Adaptec SmartRAID 3254-16e /e 9005 / 028f / 9005 / 1475 Adaptec HBA 1200-16e 9005 / 028f / 9005 / 14c3 Adaptec HBA 1200-8e 9005 / 028f / 9005 / 14c4 Add H3C controller PCI IDs: VID / DID / SVID / SDID ---- ---- ---- ---- H3C H4508-Mf-8i 9005 / 028f / 193d / 110b Reviewed-by: Scott Benesh Reviewed-by: Scott Teel Signed-off-by: Mike McGowen Signed-off-by: Don Brace Link: https://lore.kernel.org/r/166793530327.322537.6056884426657539311.stgit@brunhilda Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit f2207145693ae5697a7b59e2add4b92f9e5b0e3c Author: Hawkins Jiawei Date: Fri Oct 21 07:16:08 2022 +0800 hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() [ Upstream commit 26215b7ee923b9251f7bb12c4e5f09dc465d35f2 ] Syzkaller reports a null-ptr-deref bug as follows: ====================================================== KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380 [...] Call Trace: vfs_parse_fs_param fs/fs_context.c:148 [inline] vfs_parse_fs_param+0x1f9/0x3c0 fs/fs_context.c:129 vfs_parse_fs_string+0xdb/0x170 fs/fs_context.c:191 generic_parse_monolithic+0x16f/0x1f0 fs/fs_context.c:231 do_new_mount fs/namespace.c:3036 [inline] path_mount+0x12de/0x1e20 fs/namespace.c:3370 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount fs/namespace.c:3568 [inline] __x64_sys_mount+0x27f/0x300 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] ====================================================== According to commit "vfs: parse: deal with zero length string value", kernel will set the param->string to null pointer in vfs_parse_fs_string() if fs string has zero length. Yet the problem is that, hugetlbfs_parse_param() will dereference the param->string, without checking whether it is a null pointer. To be more specific, if hugetlbfs_parse_param() parses an illegal mount parameter, such as "size=,", kernel will constructs struct fs_parameter with null pointer in vfs_parse_fs_string(), then passes this struct fs_parameter to hugetlbfs_parse_param(), which triggers the above null-ptr-deref bug. This patch solves it by adding sanity check on param->string in hugetlbfs_parse_param(). Link: https://lkml.kernel.org/r/20221020231609.4810-1-yin31149@gmail.com Reported-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com Tested-by: syzbot+a3e6acd85ded5c16a709@syzkaller.appspotmail.com Link: https://lore.kernel.org/all/0000000000005ad00405eb7148c6@google.com/ Signed-off-by: Hawkins Jiawei Reviewed-by: Mike Kravetz Cc: Hawkins Jiawei Cc: Muchun Song Cc: Ian Kent Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 74de6f6c84797d6863f22ca12c161364837fddab Author: Nathan Chancellor Date: Wed Nov 2 09:19:06 2022 -0700 scsi: elx: libefc: Fix second parameter type in state callbacks [ Upstream commit 3d75e766b58a7410d4e835c534e1b4664a8f62d0 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/scsi/elx/libefc/efc_node.c:811:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict] ctx->current_state = state; ^ ~~~~~ drivers/scsi/elx/libefc/efc_node.c:878:21: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict] node->nodedb_state = state; ^ ~~~~~ drivers/scsi/elx/libefc/efc_node.c:905:6: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' from 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') [-Werror,-Wincompatible-function-pointer-types-strict] pf = node->nodedb_state; ^ ~~~~~~~~~~~~~~~~~~ drivers/scsi/elx/libefc/efc_device.c:455:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict] node->nodedb_state = __efc_d_init; ^ ~~~~~~~~~~~~ drivers/scsi/elx/libefc/efc_sm.c:41:22: error: incompatible function pointer types assigning to 'void (*)(struct efc_sm_ctx *, u32, void *)' (aka 'void (*)(struct efc_sm_ctx *, unsigned int, void *)') from 'void (*)(struct efc_sm_ctx *, enum efc_sm_event, void *)' [-Werror,-Wincompatible-function-pointer-types-strict] ctx->current_state = state; ^ ~~~~~ The type of the second parameter in the prototypes of ->current_state() and ->nodedb_state() ('u32') does not match the implementations, which have a second parameter type of 'enum efc_sm_event'. Update the prototypes to have the correct second parameter type, clearing up all the warnings and CFI failures. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Signed-off-by: Nathan Chancellor Link: https://lore.kernel.org/r/20221102161906.2781508-1-nathan@kernel.org Reviewed-by: Kees Cook Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit cbb17d7087ce8ba60ae4a59e515960955e4c4adf Author: Bjorn Helgaas Date: Mon Nov 7 15:31:08 2022 -0600 Revert "PCI: Clear PCI_STATUS when setting up device" [ Upstream commit 44e985938e85503d0a69ec538e15fd33c1a4df05 ] This reverts commit 6cd514e58f12b211d638dbf6f791fa18d854f09c. Christophe Fergeau reported that 6cd514e58f12 ("PCI: Clear PCI_STATUS when setting up device") causes boot failures when trying to start linux guests with Apple's virtualization framework (for example using https://developer.apple.com/documentation/virtualization/running_linux_in_a_virtual_machine?language=objc) 6cd514e58f12 only solved a cosmetic problem, so revert it to fix the boot failures. Link: https://bugzilla.redhat.com/show_bug.cgi?id=2137803 Signed-off-by: Bjorn Helgaas Signed-off-by: Sasha Levin commit fc521abb6ee4b8f06fdfc52646140dab6a2ed334 Author: Kai Ye Date: Sat Oct 22 01:17:44 2022 +0000 crypto: hisilicon/qm - increase the memory of local variables [ Upstream commit 3efe90af4c0c46c58dba1b306de142827153d9c0 ] Increase the buffer to prevent stack overflow by fuzz test. The maximum length of the qos configuration buffer is 256 bytes. Currently, the value of the 'val buffer' is only 32 bytes. The sscanf does not check the dest memory length. So the 'val buffer' may stack overflow. Signed-off-by: Kai Ye Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit fc80b877f1d0554d669395c776af24be968a290e Author: Bart Van Assche Date: Tue Oct 18 13:29:54 2022 -0700 scsi: ufs: Reduce the START STOP UNIT timeout [ Upstream commit dcd5b7637c6d442d957f73780a03047413ed3a10 ] Reduce the START STOP UNIT command timeout to one second since on Android devices a kernel panic is triggered if an attempt to suspend the system takes more than 20 seconds. One second should be enough for the START STOP UNIT command since this command completes in less than a millisecond for the UFS devices I have access to. Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20221018202958.1902564-7-bvanassche@acm.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 39761417ea7b654217d6d9085afbf7c87ba3675d Author: Justin Tee Date: Mon Oct 17 09:43:20 2022 -0700 scsi: lpfc: Fix hard lockup when reading the rx_monitor from debugfs [ Upstream commit c44e50f4a0ec00c2298f31f91bc2c3e9bbd81c7e ] During I/O and simultaneous cat of /sys/kernel/debug/lpfc/fnX/rx_monitor, a hard lockup similar to the call trace below may occur. The spin_lock_bh in lpfc_rx_monitor_report is not protecting from timer interrupts as expected, so change the strength of the spin lock to _irq. Kernel panic - not syncing: Hard LOCKUP CPU: 3 PID: 110402 Comm: cat Kdump: loaded exception RIP: native_queued_spin_lock_slowpath+91 [IRQ stack] native_queued_spin_lock_slowpath at ffffffffb814e30b _raw_spin_lock at ffffffffb89a667a lpfc_rx_monitor_record at ffffffffc0a73a36 [lpfc] lpfc_cmf_timer at ffffffffc0abbc67 [lpfc] __hrtimer_run_queues at ffffffffb8184250 hrtimer_interrupt at ffffffffb8184ab0 smp_apic_timer_interrupt at ffffffffb8a026ba apic_timer_interrupt at ffffffffb8a01c4f [End of IRQ stack] apic_timer_interrupt at ffffffffb8a01c4f lpfc_rx_monitor_report at ffffffffc0a73c80 [lpfc] lpfc_rx_monitor_read at ffffffffc0addde1 [lpfc] full_proxy_read at ffffffffb83e7fc3 vfs_read at ffffffffb833fe71 ksys_read at ffffffffb83402af do_syscall_64 at ffffffffb800430b entry_SYSCALL_64_after_hwframe at ffffffffb8a000ad Signed-off-by: Justin Tee Link: https://lore.kernel.org/r/20221017164323.14536-2-justintee8345@gmail.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit cb873c93a7ad27681920bf062ef052fca1e8d5b1 Author: Zhiqi Song Date: Sat Sep 24 15:38:31 2022 +0800 crypto: hisilicon/hpre - fix resource leak in remove process [ Upstream commit 45e6319bd5f2154d8b8c9f1eaa4ac030ba0d330c ] In hpre_remove(), when the disable operation of qm sriov failed, the following logic should continue to be executed to release the remaining resources that have been allocated, instead of returning directly, otherwise there will be resource leakage. Signed-off-by: Zhiqi Song Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 65a1a20caf72328541cea3f557fe5d87c8ef54eb Author: ChiYuan Huang Date: Wed Dec 14 09:37:11 2022 +0800 regulator: core: Fix resolve supply lookup issue [ Upstream commit 0debed5b117d11e33cba52870c4dcb64f5911891 ] From Marek's log, the previous change modify the parent of rdev. https://lore.kernel.org/all/58b92e75-f373-dae7-7031-8abd465bb874@samsung.com/ In 'regulator_resolve_supply', it uses the parent DT node of rdev as the DT-lookup starting node. But the parent DT node may not exist. This will cause the NULL supply issue. This patch modify the parent of rdev back to the device that provides from 'regulator_config' in 'regulator_register'. Fixes: 8f3cbcd6b440 ("regulator: core: Use different devices for resource allocation and DT lookup") Reported-by: Marek Szyprowski Tested-by: Marek Szyprowski Signed-off-by: ChiYuan Huang Link: https://lore.kernel.org/r/1670981831-12583-1-git-send-email-u0084500@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 077bff242c13c372d2bd5c44c521d6852df6caf9 Author: Sven Peter Date: Fri Nov 4 22:13:02 2022 +0100 Bluetooth: Add quirk to disable MWS Transport Configuration [ Upstream commit ffcb0a445ec2d5753751437706aa0a7ea8351099 ] Broadcom 4378/4387 controllers found in Apple Silicon Macs claim to support getting MWS Transport Layer Configuration, < HCI Command: Read Local Supported... (0x04|0x0002) plen 0 > HCI Event: Command Complete (0x0e) plen 68 Read Local Supported Commands (0x04|0x0002) ncmd 1 Status: Success (0x00) [...] Get MWS Transport Layer Configuration (Octet 30 - Bit 3)] [...] , but then don't actually allow the required command: > HCI Event: Command Complete (0x0e) plen 15 Get MWS Transport Layer Configuration (0x05|0x000c) ncmd 1 Status: Command Disallowed (0x0c) Number of transports: 0 Baud rate list: 0 entries 00 00 00 00 00 00 00 00 00 00 Signed-off-by: Sven Peter Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 9c89dcd53c64e950fe1b4ace204a6a7f68c0528e Author: Sven Peter Date: Fri Nov 4 22:13:01 2022 +0100 Bluetooth: Add quirk to disable extended scanning [ Upstream commit 392fca352c7a95e2828d49e7500e26d0c87ca265 ] Broadcom 4377 controllers found in Apple x86 Macs with the T2 chip claim to support extended scanning when querying supported states, < HCI Command: LE Read Supported St.. (0x08|0x001c) plen 0 > HCI Event: Command Complete (0x0e) plen 12 LE Read Supported States (0x08|0x001c) ncmd 1 Status: Success (0x00) States: 0x000003ffffffffff [...] LE Set Extended Scan Parameters (Octet 37 - Bit 5) LE Set Extended Scan Enable (Octet 37 - Bit 6) [...] , but then fail to actually implement the extended scanning: < HCI Command: LE Set Extended Sca.. (0x08|0x0041) plen 8 Own address type: Random (0x01) Filter policy: Accept all advertisement (0x00) PHYs: 0x01 Entry 0: LE 1M Type: Active (0x01) Interval: 11.250 msec (0x0012) Window: 11.250 msec (0x0012) > HCI Event: Command Complete (0x0e) plen 4 LE Set Extended Scan Parameters (0x08|0x0041) ncmd 1 Status: Unknown HCI Command (0x01) Signed-off-by: Sven Peter Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 619523c1ab53caeefae5ff9375aecc4e5a1a14d4 Author: Marek Vasut Date: Wed Nov 2 17:47:05 2022 +0100 Bluetooth: hci_bcm: Add CYW4373A0 support [ Upstream commit 02d056a3404e20245a69dcb4022a0930085fc5ec ] CYW4373A0 is a Wi-Fi + Bluetooth combo device from Cypress. This chip is present e.g. on muRata 2AE module. This chip has additional quirk where the HCI command 0xfc45, used on older chips to switch UART clock from 24 MHz to 48 MHz, to support baudrates over 3 Mbdps, is no longer recognized by this newer chip. This newer chip can configure the 4 Mbdps baudrate without the need to issue HCI command 0xfc45, so add flag to indicate this and do not issue the command on this chip to avoid failure to set 4 Mbdps baud rate. It is not clear whether there is a way to determine which chip does and which chip does not support the HCI command 0xfc45, other than trial and error. Reviewed-by: Linus Walleij Signed-off-by: Marek Vasut Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit e070ef957b1382e536b01b924fe178e9352fb3a0 Author: Jacob Keller Date: Mon Dec 5 11:52:46 2022 -0800 ice: synchronize the misc IRQ when tearing down Tx tracker [ Upstream commit f0ae124019faaa03f8b4c3fbe52ae35ab3a8dbda ] Since commit 1229b33973c7 ("ice: Add low latency Tx timestamp read") the ice driver has used a threaded IRQ for handling Tx timestamps. This change did not add a call to synchronize_irq during ice_ptp_release_tx_tracker. Thus it is possible that an interrupt could occur just as the tracker is being removed. This could lead to a use-after-free of the Tx tracker structure data. Fix this by calling sychronize_irq in ice_ptp_release_tx_tracker after we've cleared the init flag. In addition, make sure that we re-check the init flag at the end of ice_ptp_tx_tstamp before we exit ensuring that we will stop polling for new timestamps once the tracker de-initialization has begun. Refactor the ts_handled variable into "more_timestamps" so that we can simply directly assign this boolean instead of relying on an initialized value of true. This makes the new combined check easier to read. With this change, the ice_ptp_release_tx_tracker function will now wait for the threaded interrupt to complete if it was executing while the init flag was cleared. Signed-off-by: Jacob Keller Tested-by: Gurucharan G (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit b0f25ca1ff9be7abd1679ae7e59a8f25dbffe67a Author: ChiYuan Huang Date: Tue Dec 6 15:22:21 2022 +0800 regulator: core: Use different devices for resource allocation and DT lookup [ Upstream commit 8f3cbcd6b440032ebc7f7d48a1689dcc70a4eb98 ] Following by the below discussion, there's the potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/ From the analysis of Yingliang CPU A |CPU B mt6370_probe() | devm_mfd_add_devices() | |mt6370_regulator_probe() | regulator_register() | //allocate init_data and add it to devres | regulator_of_get_init_data() i2c_unregister_device() | device_del() | devres_release_all() | // init_data is freed | release_nodes() | | // using init_data causes UAF | regulator_register() It's common to use mfd core to create child device for the regulator. In order to do the DT lookup for init data, the child that registered the regulator would pass its parent as the parameter. And this causes init data resource allocated to its parent, not itself. The issue happen when parent device is going to release and regulator core is still doing some operation of init data constraint for the regulator of child device. To fix it, this patch expand 'regulator_register' API to use the different devices for init data allocation and DT lookup. Reported-by: Yang Yingliang Signed-off-by: ChiYuan Huang Link: https://lore.kernel.org/r/1670311341-32664-1-git-send-email-u0084500@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit f4731395d6db850127634197863aede188d8e9de Author: Xiu Jianfeng Date: Tue Nov 22 21:36:14 2022 +0800 clk: st: Fix memory leak in st_of_quadfs_setup() [ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ] If st_clk_register_quadfs_pll() fails, @lock should be freed before goto @err_exit, otherwise will cause meory leak issue, fix it. Signed-off-by: Xiu Jianfeng Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com Reviewed-by: Patrice Chotard Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 92b0888398e4ba51d93b618a6506781f4e3879c9 Author: Shigeru Yoshida Date: Wed Nov 23 03:51:59 2022 +0900 media: si470x: Fix use-after-free in si470x_int_in_callback() [ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ] syzbot reported use-after-free in si470x_int_in_callback() [1]. This indicates that urb->context, which contains struct si470x_device object, is freed when si470x_int_in_callback() is called. The cause of this issue is that si470x_int_in_callback() is called for freed urb. si470x_usb_driver_probe() calls si470x_start_usb(), which then calls usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, si470x_usb_driver_probe() doesn't kill urb, but it just frees struct si470x_device object, as depicted below: si470x_usb_driver_probe() ... si470x_start_usb() ... usb_submit_urb() retval = si470x_start() return retval if (retval < 0) free struct si470x_device object, but don't kill urb This patch fixes this issue by killing urb when si470x_start_usb() fails and urb is submitted. If si470x_start_usb() fails and urb is not submitted, i.e. submitting usb fails, it just frees struct si470x_device object. Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1] Signed-off-by: Shigeru Yoshida Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 43e5c20a8b44637da25a2629ca0915467b954bf2 Author: Prathamesh Shete Date: Tue Dec 6 17:59:45 2022 +0100 mmc: sdhci-tegra: Issue CMD and DAT resets together [ Upstream commit acc13958c2b2623c17e2450b8cd6881b698756d3 ] In case of error condition to avoid system crash Tegra SDMMC controller requires CMD and DAT resets issued together. SDHCI controller FSM goes into bad state due to rapid SD card hot-plug event. Issuing reset on the CMD FSM before DATA FSM results in kernel panic, hence add support to issue CMD and DAT resets together. This is applicable to Tegra186 and later chips. Signed-off-by: Aniruddha TVS Rao Signed-off-by: Prathamesh Shete Acked-by: Adrian Hunter Acked-by: Thierry Reding Signed-off-by: Thierry Reding Link: https://lore.kernel.org/r/20221206165945.3551774-7-thierry.reding@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 11ca98a1ed044975f44126c2e3a9465ab4a7643b Author: Wolfram Sang Date: Sun Nov 20 12:34:55 2022 +0100 mmc: renesas_sdhi: better reset from HS400 mode [ Upstream commit 0da69dd2155019ed4c444ede0e79ce7a4a6af627 ] Up to now, HS400 adjustment mode was only disabled on soft reset when a calibration table was in use. It is safer, though, to disable it as soon as the instance has an adjustment related quirk set, i.e. bad taps or a calibration table. Signed-off-by: Wolfram Sang Reviewed-by: Yoshihiro Shimoda Tested-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20221120113457.42010-3-wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 63604e820f1525975e6a9f017a6fb7db6d703e1e Author: Wolfram Sang Date: Thu Oct 6 21:04:50 2022 +0200 mmc: renesas_sdhi: add quirk for broken register layout [ Upstream commit ec9e80ae1719de541c719116a1ca0a0c70e9240c ] Some early Gen3 SoCs have the DTRANEND1 bit at a different location than all later SoCs. Because we need the bit soon, add a quirk so we know which bit to use. Signed-off-by: Wolfram Sang Tested-by: Duy Nguyen Tested-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20221006190452.5316-5-wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit c490e8c3d50029633148827cb215d4f30718a98c Author: Kunihiko Hayashi Date: Fri Nov 11 17:10:33 2022 +0900 mmc: f-sdh30: Add quirks for broken timeout clock capability [ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ] There is a case where the timeout clock is not supplied to the capability. Add a quirk for that. Signed-off-by: Kunihiko Hayashi Acked-by: Jassi Brar Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 55513864b418c6453d68aebc36cffcf965342426 Author: Hawkins Jiawei Date: Mon Oct 24 00:39:45 2022 +0800 nfs: fix possible null-ptr-deref when parsing param [ Upstream commit 5559405df652008e56eee88872126fe4c451da67 ] According to commit "vfs: parse: deal with zero length string value", kernel will set the param->string to null pointer in vfs_parse_fs_string() if fs string has zero length. Yet the problem is that, nfs_fs_context_parse_param() will dereferences the param->string, without checking whether it is a null pointer, which may trigger a null-ptr-deref bug. This patch solves it by adding sanity check on param->string in nfs_fs_context_parse_param(). Signed-off-by: Hawkins Jiawei Reviewed-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 96521aa5bc7658e9d674da4aa0260dea4396b9a6 Author: James Hilliard Date: Fri Dec 2 18:08:44 2022 -0700 selftests/bpf: Fix conflicts with built-in functions in bpf_iter_ksym [ Upstream commit ab0350c743d5c93fd88742f02b3dff12168ab435 ] Both tolower and toupper are built in c functions, we should not redefine them as this can result in a build error. Fixes the following errors: progs/bpf_iter_ksym.c:10:20: error: conflicting types for built-in function 'tolower'; expected 'int(int)' [-Werror=builtin-declaration-mismatch] 10 | static inline char tolower(char c) | ^~~~~~~ progs/bpf_iter_ksym.c:5:1: note: 'tolower' is declared in header '' 4 | #include +++ |+#include 5 | progs/bpf_iter_ksym.c:17:20: error: conflicting types for built-in function 'toupper'; expected 'int(int)' [-Werror=builtin-declaration-mismatch] 17 | static inline char toupper(char c) | ^~~~~~~ progs/bpf_iter_ksym.c:17:20: note: 'toupper' is declared in header '' See background on this sort of issue: https://stackoverflow.com/a/20582607 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=12213 (C99, 7.1.3p1) "All identifiers with external linkage in any of the following subclauses (including the future library directions) are always reserved for use as identifiers with external linkage." This is documented behavior in GCC: https://gcc.gnu.org/onlinedocs/gcc/Other-Builtins.html#index-std-2 Signed-off-by: James Hilliard Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20221203010847.2191265-1-james.hilliard1@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit a4fe51cd689445fa892f09d1554fda6dad0df6ec Author: Denis Pauk Date: Mon Nov 14 23:44:56 2022 +0200 hwmon: (nct6775) add ASUS CROSSHAIR VIII/TUF/ProArt B550M [ Upstream commit 1864069c695d475e0ce98a335c62274b81be57b4 ] Boards such as * ProArt B550-CREATOR * ProArt Z490-CREATOR 10G * ROG CROSSHAIR VIII EXTREME * ROG CROSSHAIR VIII HERO (WI-FI) * TUF GAMING B550M-E * TUF GAMING B550M-E (WI-FI) * TUF GAMING B550M-PLUS WIFI II have got a nct6775 chip, but by default there's no use of it because of resource conflict with WMI method. This commit adds such boards to the WMI monitoring list. BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=204807 Signed-off-by: Denis Pauk Reported-by: yutesdb Tested-by: yutesdb Link: https://lore.kernel.org/r/20221114214456.3891-1-pauk.denis@gmail.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit f5ac749a0b21beee55d87d0b05de36976b22dff9 Author: Lorenzo Bianconi Date: Thu Oct 13 21:07:37 2022 +0200 wifi: mt76: do not run mt76u_status_worker if the device is not running [ Upstream commit bd5dac7ced5a7c9faa4dc468ac9560c3256df845 ] Fix the following NULL pointer dereference avoiding to run mt76u_status_worker thread if the device is not running yet. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 98 Comm: kworker/u2:2 Not tainted 5.14.0+ #78 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: mt76 mt76u_tx_status_data RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: mt76x02_send_tx_status+0x1d2/0xeb0 mt76x02_tx_status_data+0x8e/0xd0 mt76u_tx_status_data+0xe1/0x240 process_one_work+0x92b/0x1460 worker_thread+0x95/0xe00 kthread+0x3a1/0x480 ret_from_fork+0x1f/0x30 Modules linked in: --[ end trace 8df5d20fc5040f65 ]-- RIP: 0010:mt76x02_mac_fill_tx_status.isra.0+0x82c/0x9e0 Code: c5 48 b8 00 00 00 00 00 fc ff df 80 3c 02 00 0f 85 94 01 00 00 48 b8 00 00 00 00 00 fc ff df 4d 8b 34 24 4c 89 f2 48 c1 ea 03 <0f> b6 04 02 84 c0 74 08 3c 03 0f 8e 89 01 00 00 41 8b 16 41 0f b7 RSP: 0018:ffffc900005af988 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffffc900005afae8 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffffffff832fc661 RDI: ffffc900005afc2a RBP: ffffc900005afae0 R08: 0000000000000001 R09: fffff520000b5f3c R10: 0000000000000003 R11: fffff520000b5f3b R12: ffff88810b6132d8 R13: 000000000000ffff R14: 0000000000000000 R15: ffffc900005afc28 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa0eda6a000 CR3: 0000000118f17000 CR4: 0000000000750ef0 PKRU: 55555554 Moreover move stat_work schedule out of the for loop. Reported-by: Dokyung Song Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit bc6c381df5793ebcf32db88a3e65acf7870379fc Author: Rui Zhang Date: Thu Dec 1 11:38:06 2022 +0800 regulator: core: fix use_count leakage when handling boot-on [ Upstream commit 0591b14ce0398125439c759f889647369aa616a0 ] I found a use_count leakage towards supply regulator of rdev with boot-on option. ┌───────────────────┐ ┌───────────────────┐ │ regulator_dev A │ │ regulator_dev B │ │ (boot-on) │ │ (boot-on) │ │ use_count=0 │◀──supply──│ use_count=1 │ │ │ │ │ └───────────────────┘ └───────────────────┘ In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B) will increment inside regulator_enable(rdev->supply). Thus, B will acts like always-on, and further balanced regulator_enable/disable cannot actually disable it anymore. However, B was also configured with `regulator-boot-on', we wish it could be disabled afterwards. Signed-off-by: Rui Zhang Link: https://lore.kernel.org/r/20221201033806.2567812-1-zr.zhang@vivo.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 66d2f118d7d736907c51f416c6e0fdba8cef3df5 Author: Andrii Nakryiko Date: Wed Nov 30 12:00:12 2022 -0800 libbpf: Avoid enum forward-declarations in public API in C++ mode [ Upstream commit b42693415b86f608049cf1b4870adc1dc65e58b0 ] C++ enum forward declarations are fundamentally not compatible with pure C enum definitions, and so libbpf's use of `enum bpf_stats_type;` forward declaration in libbpf/bpf.h public API header is causing C++ compilation issues. More details can be found in [0], but it comes down to C++ supporting enum forward declaration only with explicitly specified backing type: enum bpf_stats_type: int; In C (and I believe it's a GCC extension also), such forward declaration is simply: enum bpf_stats_type; Further, in Linux UAPI this enum is defined in pure C way: enum bpf_stats_type { BPF_STATS_RUN_TIME = 0; } And even though in both cases backing type is int, which can be confirmed by looking at DWARF information, for C++ compiler actual enum definition and forward declaration are incompatible. To eliminate this problem, for C++ mode define input argument as int, which makes enum unnecessary in libbpf public header. This solves the issue and as demonstrated by next patch doesn't cause any unwanted compiler warnings, at least with default warnings setting. [0] https://stackoverflow.com/questions/42766839/c11-enum-forward-causes-underlying-type-mismatch [1] Closes: https://github.com/libbpf/libbpf/issues/249 Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20221130200013.2997831-1-andrii@kernel.org Signed-off-by: Sasha Levin commit ec58eae6c93a83260d8b1e735f3db5b77e801752 Author: Artem Lukyanov Date: Wed Nov 30 11:52:47 2022 +0300 ASoC: amd: yc: Add Xiaomi Redmi Book Pro 14 2022 into DMI table [ Upstream commit c1dd6bf6199752890d8c59d895dd45094da51d1f ] This model requires an additional detection quirk to enable the internal microphone - BIOS doesn't seem to support AcpDmicConnected (nothing in acpidump output). Signed-off-by: Artem Lukyanov Link: https://lore.kernel.org/r/20221130085247.85126-1-dukzcry@ya.ru Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 62db9242c1ca5177418e1f84732e11c9fe25bb82 Author: Alvin Lee Date: Sat Nov 19 11:42:41 2022 -0500 drm/amd/display: Fix DTBCLK disable requests and SRC_SEL programming [ Upstream commit f6015da7f2410109bd2ccd2e2828f26185aeb81d ] [Description] - When transitioning FRL / DP2 is not required, we will always request DTBCLK = 0Mhz, but PMFW returns the min freq - This causes us to make DTBCLK requests every time we call optimize after transitioning from FRL to non-FRL - If DTBCLK is not required, request the min instead (then we only need to make 1 extra request at boot time) - Also when programming PIPE_DTO_SRC_SEL, don't programming for DP first, just programming once for the required selection (programming DP on an HDMI connection then switching back causes corruption) Reviewed-by: Dillon Varone Acked-by: Jasdeep Dhillon Signed-off-by: Alvin Lee Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ec7475a20ceb5bb7d434fbf5d2b7efcb6132ebb5 Author: Wesley Chalmers Date: Wed Nov 9 17:43:13 2022 -0500 drm/amd/display: Use the largest vready_offset in pipe group [ Upstream commit 5842abd985b792a3b13a89b6dae4869b56656c92 ] [WHY] Corruption can occur in LB if vready_offset is not large enough. DML calculates vready_offset for each pipe, but we currently select the top pipe's vready_offset, which is not necessarily enough for all pipes in the group. [HOW] Wherever program_global_sync is currently called, iterate through the entire pipe group and find the highest vready_offset. Reviewed-by: Dillon Varone Acked-by: Jasdeep Dhillon Signed-off-by: Wesley Chalmers Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit b9f8ed9b01c40167bf46f6c25391a875b41c60b5 Author: Liang He Date: Tue Nov 22 12:28:49 2022 +0800 drm/amdgpu: Fix potential double free and null pointer dereference [ Upstream commit dfd0287bd3920e132a8dae2a0ec3d92eaff5f2dd ] In amdgpu_get_xgmi_hive(), we should not call kfree() after kobject_put() as the PUT will call kfree(). In amdgpu_device_ip_init(), we need to check the returned *hive* which can be NULL before we dereference it. Signed-off-by: Liang He Reviewed-by: Luben Tuikov Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3759ae6600e401297a51ebcfe9a7c6a4a8aa23b7 Author: John Keeping Date: Tue Nov 29 13:00:59 2022 +0000 ALSA: usb-audio: Add quirk for Tascam Model 12 [ Upstream commit 67df411db3f0209e4bb5227d4dd9d41b21368b9d ] Tascam's Model 12 is a mixer which can also operate as a USB audio interface. The audio interface uses explicit feedback but it seems that it does not correctly handle missing isochronous frames. When injecting an xrun (or doing anything else that pauses the playback stream) the feedback rate climbs (for example, at 44,100Hz nominal, I see a stable rate around 44,099 but xrun injection sees this peak at around 44,135 in most cases) and glitches are heard in the audio stream for several seconds - this is significantly worse than the single glitch expected for an underrun. While the stream does normally recover and the feedback rate returns to a stable value, I have seen some occurrences where this does not happen and the rate continues to increase while no audio is heard from the output. I have not found a solid reproduction for this. This misbehaviour can be avoided by totally resetting the stream state by switching the interface to alt 0 and back before restarting the playback stream. Add a new quirk flag which forces the endpoint and interface to be reconfigured whenever the stream is stopped, and use this for the Tascam Model 12. Separate interfaces are used for the playback and capture endpoints, so resetting the playback interface here will not affect the capture stream if it is running. While there are two endpoints on the interface, these are the OUT data endpoint and the IN explicit feedback endpoint corresponding to it and these are always stopped and started together. Signed-off-by: John Keeping Link: https://lore.kernel.org/r/20221129130100.1257904-1-john@metanate.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 33e8a3f61814ea30615d0fafaf50477975d6c1ca Author: Ye Bin Date: Thu Nov 17 10:29:40 2022 +0800 blk-mq: fix possible memleak when register 'hctx' failed [ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ] There's issue as follows when do fault injection test: unreferenced object 0xffff888132a9f400 (size 512): comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2.... 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............ backtrace: [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0 [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0 [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230 [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910 [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0 [<00000000a2a34657>] 0xffffffffa2ad310f [<00000000b173f718>] 0xffffffffa2af824a [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0 [<00000000f32fdf93>] do_init_module+0xdf/0x320 [<00000000cbe8541e>] load_module+0x3006/0x3390 [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0 [<00000000a1a29ae8>] do_syscall_64+0x35/0x80 [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 Fault injection context as follows: kobject_add blk_mq_register_hctx blk_mq_sysfs_register blk_register_queue device_add_disk null_add_dev.part.0 [null_blk] As 'blk_mq_register_hctx' may already add some objects when failed halfway, but there isn't do fallback, caller don't know which objects add failed. To solve above issue just do fallback when add objects failed halfway in 'blk_mq_register_hctx'. Signed-off-by: Ye Bin Reviewed-by: Ming Lei Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 66d26ed30056e7d2da3e9c14125ffe6049a4f907 Author: Yunfei Dong Date: Thu Nov 17 09:24:50 2022 +0000 media: mediatek: vcodec: Can't set dst buffer to done when lat decode error [ Upstream commit 3568ecd3f3a6d133ab7feffbba34955c8c79bbc4 ] Core thread will call v4l2_m2m_buf_done to set dst buffer done for lat architecture. If lat call v4l2_m2m_buf_done_and_job_finish to free dst buffer when lat decode error, core thread will access kernel NULL pointer dereference, then crash. Signed-off-by: Yunfei Dong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 93bbf2ed428142aa9a9693721230b28571678bf8 Author: Mazin Al Haddad Date: Wed Aug 24 02:21:52 2022 +0100 media: dvb-usb: fix memory leak in dvb_usb_adapter_init() [ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ] Syzbot reports a memory leak in "dvb_usb_adapter_init()". The leak is due to not accounting for and freeing current iteration's adapter->priv in case of an error. Currently if an error occurs, it will exit before incrementing "num_adapters_initalized", which is used as a reference counter to free all adap->priv in "dvb_usb_adapter_exit()". There are multiple error paths that can exit from before incrementing the counter. Including the error handling paths for "dvb_usb_adapter_stream_init()", "dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" within "dvb_usb_adapter_init()". This means that in case of an error in any of these functions the current iteration is not accounted for and the current iteration's adap->priv is not freed. Fix this by freeing the current iteration's adap->priv in the "stream_init_err:" label in the error path. The rest of the (accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() as expected using the num_adapters_initalized variable. Syzbot report: BUG: memory leak unreferenced object 0xffff8881172f1a00 (size 512): comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] [] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] [] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 [] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 [] call_driver_probe drivers/base/dd.c:542 [inline] [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [] really_probe drivers/base/dd.c:583 [inline] [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 [] __device_attach+0x122/0x260 drivers/base/dd.c:970 [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 [] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 [] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 [] call_driver_probe drivers/base/dd.c:542 [inline] [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 [] really_probe drivers/base/dd.c:583 [inline] [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com Signed-off-by: Mazin Al Haddad Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 9945d05d6693710574f354c5dbddc47f5101eb77 Author: Lin Ma Date: Sun Aug 7 15:59:52 2022 +0100 media: dvbdev: adopts refcnt to avoid UAF [ Upstream commit 0fc044b2b5e2d05a1fa1fb0d7f270367a7855d79 ] dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference counter into struct dvb_device and delays its deallocation until no pointer refers to the object. Link: https://lore.kernel.org/linux-media/20220807145952.10368-1-linma@zju.edu.cn Signed-off-by: Lin Ma Reported-by: kernel test robot Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 669fb90507dbaf419aa3871bf73160e93d50487f Author: Yan Lei Date: Sun Apr 10 07:19:25 2022 +0100 media: dvb-frontends: fix leak of memory fw [ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ] Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com Signed-off-by: Yan Lei Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f299f97a8e29b52e5cedded681a4801e85c940d3 Author: Maxim Korotkov Date: Tue Nov 22 15:29:01 2022 +0300 ethtool: avoiding integer overflow in ethtool_phys_id() [ Upstream commit 64a8f8f7127da228d59a39e2c5e75f86590f90b4 ] The value of an arithmetic expression "n * id.data" is subject to possible overflow due to a failure to cast operands to a larger data type before performing arithmetic. Used macro for multiplication instead operator for avoiding overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE. Signed-off-by: Maxim Korotkov Reviewed-by: Alexander Lobakin Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/20221122122901.22294-1-korotkov.maxim.s@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e6d276dcc9204f95632580c43d66c52ca502d7ec Author: Stanislav Fomichev Date: Tue Nov 22 19:54:22 2022 -0800 bpf: Prevent decl_tag from being referenced in func_proto arg [ Upstream commit f17472d4599697d701aa239b4c475a506bccfd19 ] Syzkaller managed to hit another decl_tag issue: btf_func_proto_check kernel/bpf/btf.c:4506 [inline] btf_check_all_types kernel/bpf/btf.c:4734 [inline] btf_parse_type_sec+0x1175/0x1980 kernel/bpf/btf.c:4763 btf_parse kernel/bpf/btf.c:5042 [inline] btf_new_fd+0x65a/0xb00 kernel/bpf/btf.c:6709 bpf_btf_load+0x6f/0x90 kernel/bpf/syscall.c:4342 __sys_bpf+0x50a/0x6c0 kernel/bpf/syscall.c:5034 __do_sys_bpf kernel/bpf/syscall.c:5093 [inline] __se_sys_bpf kernel/bpf/syscall.c:5091 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5091 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 This seems similar to commit ea68376c8bed ("bpf: prevent decl_tag from being referenced in func_proto") but for the argument. Reported-by: syzbot+8dd0551dda6020944c5d@syzkaller.appspotmail.com Signed-off-by: Stanislav Fomichev Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20221123035422.872531-2-sdf@google.com Signed-off-by: Sasha Levin commit 8f4fb3844a0de9488c8c8463a3874ef5bcf6439c Author: Yonghong Song Date: Wed Nov 23 07:57:59 2022 -0800 bpf: Fix a BTF_ID_LIST bug with CONFIG_DEBUG_INFO_BTF not set [ Upstream commit beb3d47d1d3d7185bb401af628ad32ee204a9526 ] With CONFIG_DEBUG_INFO_BTF not set, we hit the following compilation error, /.../kernel/bpf/verifier.c:8196:23: error: array index 6 is past the end of the array (that has type 'u32[5]' (aka 'unsigned int[5]')) [-Werror,-Warray-bounds] if (meta->func_id == special_kfunc_list[KF_bpf_cast_to_kern_ctx]) ^ ~~~~~~~~~~~~~~~~~~~~~~~ /.../kernel/bpf/verifier.c:8174:1: note: array 'special_kfunc_list' declared here BTF_ID_LIST(special_kfunc_list) ^ /.../include/linux/btf_ids.h:207:27: note: expanded from macro 'BTF_ID_LIST' #define BTF_ID_LIST(name) static u32 __maybe_unused name[5]; ^ /.../kernel/bpf/verifier.c:8443:19: error: array index 5 is past the end of the array (that has type 'u32[5]' (aka 'unsigned int[5]')) [-Werror,-Warray-bounds] btf_id == special_kfunc_list[KF_bpf_list_pop_back]; ^ ~~~~~~~~~~~~~~~~~~~~ /.../kernel/bpf/verifier.c:8174:1: note: array 'special_kfunc_list' declared here BTF_ID_LIST(special_kfunc_list) ^ /.../include/linux/btf_ids.h:207:27: note: expanded from macro 'BTF_ID_LIST' #define BTF_ID_LIST(name) static u32 __maybe_unused name[5]; ... Fix the problem by increase the size of BTF_ID_LIST to 16 to avoid compilation error and also prevent potentially unintended issue due to out-of-bound access. Reported-by: kernel test robot Reported-by: Dan Carpenter Reported-by: Nathan Chancellor Signed-off-by: Yonghong Song Link: https://lore.kernel.org/r/20221123155759.2669749-1-yhs@fb.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit a866d6fe65baa1970fb53c410ffd7f7159f5701f Author: Ilya Bakoulin Date: Fri Nov 11 12:03:54 2022 -0500 drm/amd/display: Fix display corruption w/ VSR enable [ Upstream commit e643cd384270fd3a4b66f65f15dafc8db0607adc ] [Why] Brief corruption is observed on hotplug/unplug with certain display configurations when VSR is enabled. [How] Work around the issue by avoiding 2to1 ODM when stream plane_count is 0. Reviewed-by: Dillon Varone Acked-by: Brian Chang Signed-off-by: Ilya Bakoulin Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit ee678b1f52f9439e930db2db3fd7e345d03e1a50 Author: Stanislav Fomichev Date: Mon Nov 21 10:29:13 2022 -0800 ppp: associate skb with a device at tx [ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ] Syzkaller triggered flow dissector warning with the following: r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0) [ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 [ 9.485929] skb_get_poff+0x53/0xa0 [ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 [ 9.485944] ? ppp_send_frame+0xc2/0x5b0 [ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 [ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 [ 9.485968] ? ppp_xmit_process+0x5b/0xb0 [ 9.485974] ? ppp_write+0x12a/0x190 [ 9.485981] ? do_iter_write+0x18e/0x2d0 [ 9.485987] ? __import_iovec+0x30/0x130 [ 9.485997] ? do_pwritev+0x1b6/0x240 [ 9.486016] ? trace_hardirqs_on+0x47/0x50 [ 9.486023] ? __x64_sys_pwritev+0x24/0x30 [ 9.486026] ? do_syscall_64+0x3d/0x80 [ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd Flow dissector tries to find skb net namespace either via device or via socket. Neigher is set in ppp_send_frame, so let's manually use ppp->dev. Cc: Paul Mackerras Cc: linux-ppp@vger.kernel.org Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com Signed-off-by: Stanislav Fomichev Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit ba5dd4d3a3390d100f327774aecd6f61a75179ad Author: Kees Cook Date: Fri Nov 18 10:34:14 2022 -0800 bpf/verifier: Use kmalloc_size_roundup() to match ksize() usage [ Upstream commit ceb35b666d42c2e91b1f94aeca95bb5eb0943268 ] Most allocation sites in the kernel want an explicitly sized allocation (and not "more"), and that dynamic runtime analysis tools (e.g. KASAN, UBSAN_BOUNDS, FORTIFY_SOURCE, etc) are looking for precise bounds checking (i.e. not something that is rounded up). A tiny handful of allocations were doing an implicit alloc/realloc loop that actually depended on ksize(), and didn't actually always call realloc. This has created a long series of bugs and problems over many years related to the runtime bounds checking, so these callers are finally being adjusted to _not_ depend on the ksize() side-effect, by doing one of several things: - tracking the allocation size precisely and just never calling ksize() at all [1]. - always calling realloc and not using ksize() at all. (This solution ends up actually be a subset of the next solution.) - using kmalloc_size_roundup() to explicitly round up the desired allocation size immediately [2]. The bpf/verifier case is this another of this latter case, and is the last outstanding case to be fixed in the kernel. Because some of the dynamic bounds checking depends on the size being an _argument_ to an allocator function (i.e. see the __alloc_size attribute), the ksize() users are rare, and it could waste local variables, it was been deemed better to explicitly separate the rounding up from the allocation itself [3]. Round up allocations with kmalloc_size_roundup() so that the verifier's use of ksize() is always accurate. [1] e.g.: https://git.kernel.org/linus/712f210a457d https://git.kernel.org/linus/72c08d9f4c72 [2] e.g.: https://git.kernel.org/netdev/net-next/c/12d6c1d3a2ad https://git.kernel.org/netdev/net-next/c/ab3f7828c979 https://git.kernel.org/netdev/net-next/c/d6dd508080a3 [3] https://lore.kernel.org/lkml/0ea1fc165a6c6117f982f4f135093e69cb884930.camel@redhat.com/ Signed-off-by: Kees Cook Signed-off-by: Daniel Borkmann Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/bpf/20221118183409.give.387-kees@kernel.org Signed-off-by: Sasha Levin commit f51617c41da1e50d77728c064833e2da50016332 Author: Felix Fietkau Date: Wed Nov 16 09:07:30 2022 +0100 net: ethernet: mtk_eth_soc: drop packets to WDMA if the ring is full [ Upstream commit f4b2fa2c25e1ade78f766aa82e733a0b5198d484 ] Improves handling of DMA ring overflow. Clarify other WDMA drop related comment. Signed-off-by: Felix Fietkau Link: https://lore.kernel.org/r/20221116080734.44013-3-nbd@nbd.name Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 563e45fd5046045cc194af3ba17f5423e1c98170 Author: Schspa Shi Date: Wed Nov 16 19:45:11 2022 +0800 mrp: introduce active flags to prevent UAF when applicant uninit [ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ] The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flags to make sure the timer will not restart. Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com Signed-off-by: Schspa Shi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 207501a986831174df09a36a8cb62a28f92f0dc8 Author: Eric Dumazet Date: Tue Nov 15 08:53:56 2022 +0000 ipv6/sit: use DEV_STATS_INC() to avoid data-races [ Upstream commit cb34b7cf17ecf33499c9298943f85af247abc1e9 ] syzbot/KCSAN reported that multiple cpus are updating dev->stats.tx_error concurrently. This is because sit tunnels are NETIF_F_LLTX, meaning their ndo_start_xmit() is not protected by a spinlock. While original KCSAN report was about tx path, rx path has the same issue. Reported-by: syzbot Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9921d1b68c46ae1926e634d21dc3d2103f4310fd Author: Eric Dumazet Date: Tue Nov 15 08:53:55 2022 +0000 net: add atomic_long_t to net_device_stats fields [ Upstream commit 6c1c5097781f563b70a81683ea6fdac21637573b ] Long standing KCSAN issues are caused by data-race around some dev->stats changes. Most performance critical paths already use per-cpu variables, or per-queue ones. It is reasonable (and more correct) to use atomic operations for the slow paths. This patch adds an union for each field of net_device_stats, so that we can convert paths that are not yet protected by a spinlock or a mutex. netdev_stats_to_stats64() no longer has an #if BITS_PER_LONG==64 Note that the memcpy() we were using on 64bit arches had no provision to avoid load-tearing, while atomic_long_read() is providing the needed protection at no cost. Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1f116dfd114fe8e419c1f4f90ce55a38a92a4fe1 Author: Sagi Grimberg Date: Sun Nov 13 13:24:11 2022 +0200 nvme-auth: don't override ctrl keys before validation [ Upstream commit 01604350e14560d4d69323eb1ba12a257a643ea8 ] Replace ctrl ctrl_key/host_key only after nvme_auth_generate_key is successful. Also, this fixes a bug where the keys are leaked. Reviewed-by: Hannes Reinecke Signed-off-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 43a819c467a1a1b1a31936b2f97c1b7c2f1c9da3 Author: Aurabindo Pillai Date: Wed Nov 2 15:35:53 2022 -0400 drm/amd/display: fix array index out of bound error in bios parser [ Upstream commit 4fc1ba4aa589ca267468ad23fedef37562227d32 ] [Why&How] Firmware headers dictate that gpio_pin array only has a size of 8. The count returned from vbios however is greater than 8. Fix this by not using array indexing but incrementing the pointer since gpio_pin definition in atomfirmware.h is hardcoded to size 8 Reviewed-by: Martin Leung Acked-by: Tom Chung Signed-off-by: Aurabindo Pillai Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2ed52650a287d8f2f2c33357556cb37914acc3ce Author: George Shen Date: Tue Nov 1 00:16:56 2022 -0400 drm/amd/display: Workaround to increase phantom pipe vactive in pipesplit [ Upstream commit 5b8f9deaf3b6badfc0da968e6e07ceabd19700b6 ] [Why] Certain high resolution displays exhibit DCC line corruption with SubVP enabled. This is likely due to insufficient DCC meta data buffered immediately after the mclk switch. [How] Add workaround to increase phantom pipe vactive height by meta_row_height number of lines, thus increasing the amount of meta data buffered immediately after mclk switch finishes. Reviewed-by: Alvin Lee Acked-by: Tom Chung Signed-off-by: George Shen Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d26364596db8f8b55277b2afb3952e05a4057a21 Author: Jiang Li Date: Mon Nov 7 22:16:59 2022 +0800 md/raid1: stop mdx_raid1 thread when raid1 array run failed [ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ] fail run raid1 array when we assemble array with the inactive disk only, but the mdx_raid1 thread were not stop, Even if the associated resources have been released. it will caused a NULL dereference when we do poweroff. This causes the following Oops: [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 [ 287.594762] #PF: supervisor read access in kernel mode [ 287.599912] #PF: error_code(0x0000) - not-present page [ 287.605061] PGD 0 P4D 0 [ 287.607612] Oops: 0000 [#1] SMP NOPTI [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 [ 287.713033] Call Trace: [ 287.715498] raid1d+0x6c/0xbbb [raid1] [ 287.719256] ? __schedule+0x1ff/0x760 [ 287.722930] ? schedule+0x3b/0xb0 [ 287.726260] ? schedule_timeout+0x1ed/0x290 [ 287.730456] ? __switch_to+0x11f/0x400 [ 287.734219] md_thread+0xe9/0x140 [md_mod] [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] [ 287.742601] ? wait_woken+0x80/0x80 [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] [ 287.751064] kthread+0x11a/0x140 [ 287.754300] ? kthread_park+0x90/0x90 [ 287.757974] ret_from_fork+0x1f/0x30 In fact, when raid1 array run fail, we need to do md_unregister_thread() before raid1_free(). Signed-off-by: Jiang Li Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 27e5d61a8e6919b5c0c6f473703ffea2acba862a Author: Xiao Ni Date: Wed Nov 2 10:07:30 2022 +0800 md/raid0, raid10: Don't set discard sectors for request queue [ Upstream commit 8e1a2279ca2b0485cc379a153d02a9793f74a48f ] It should use disk_stack_limits to get a proper max_discard_sectors rather than setting a value by stack drivers. And there is a bug. If all member disks are rotational devices, raid0/raid10 set max_discard_sectors. So the member devices are not ssd/nvme, but raid0/raid10 export the wrong value. It reports warning messages in function __blkdev_issue_discard when mkfs.xfs like this: [ 4616.022599] ------------[ cut here ]------------ [ 4616.027779] WARNING: CPU: 4 PID: 99634 at block/blk-lib.c:50 __blkdev_issue_discard+0x16a/0x1a0 [ 4616.140663] RIP: 0010:__blkdev_issue_discard+0x16a/0x1a0 [ 4616.146601] Code: 24 4c 89 20 31 c0 e9 fe fe ff ff c1 e8 09 8d 48 ff 4c 89 f0 4c 09 e8 48 85 c1 0f 84 55 ff ff ff b8 ea ff ff ff e9 df fe ff ff <0f> 0b 48 8d 74 24 08 e8 ea d6 00 00 48 c7 c6 20 1e 89 ab 48 c7 c7 [ 4616.167567] RSP: 0018:ffffaab88cbffca8 EFLAGS: 00010246 [ 4616.173406] RAX: ffff9ba1f9e44678 RBX: 0000000000000000 RCX: ffff9ba1c9792080 [ 4616.181376] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9ba1c9792080 [ 4616.189345] RBP: 0000000000000cc0 R08: ffffaab88cbffd10 R09: 0000000000000000 [ 4616.197317] R10: 0000000000000012 R11: 0000000000000000 R12: 0000000000000000 [ 4616.205288] R13: 0000000000400000 R14: 0000000000000cc0 R15: ffff9ba1c9792080 [ 4616.213259] FS: 00007f9a5534e980(0000) GS:ffff9ba1b7c80000(0000) knlGS:0000000000000000 [ 4616.222298] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4616.228719] CR2: 000055a390a4c518 CR3: 0000000123e40006 CR4: 00000000001706e0 [ 4616.236689] Call Trace: [ 4616.239428] blkdev_issue_discard+0x52/0xb0 [ 4616.244108] blkdev_common_ioctl+0x43c/0xa00 [ 4616.248883] blkdev_ioctl+0x116/0x280 [ 4616.252977] __x64_sys_ioctl+0x8a/0xc0 [ 4616.257163] do_syscall_64+0x5c/0x90 [ 4616.261164] ? handle_mm_fault+0xc5/0x2a0 [ 4616.265652] ? do_user_addr_fault+0x1d8/0x690 [ 4616.270527] ? do_syscall_64+0x69/0x90 [ 4616.274717] ? exc_page_fault+0x62/0x150 [ 4616.279097] entry_SYSCALL_64_after_hwframe+0x63/0xcd [ 4616.284748] RIP: 0033:0x7f9a55398c6b Signed-off-by: Xiao Ni Reported-by: Yi Zhang Reviewed-by: Ming Lei Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 99bef41f8e8d1d52b5cb34f2f193f1346192752b Author: Li Zhong Date: Fri Sep 16 16:33:05 2022 -0700 drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() [ Upstream commit 3bd548e5b819b8c0f2c9085de775c5c7bff9052f ] Check the return value of md_bitmap_get_counter() in case it returns NULL pointer, which will result in a null pointer dereference. v2: update the check to include other dereference Signed-off-by: Li Zhong Signed-off-by: Song Liu Signed-off-by: Sasha Levin commit 302c0a8ed3bcf32e251990e74e24bd33d66d3df6 Author: Nathan Chancellor Date: Wed Nov 2 08:47:12 2022 -0700 drm/mediatek: Fix return type of mtk_hdmi_bridge_mode_valid() [ Upstream commit 890d637523eec9d730e3885532fa1228ba678880 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/mediatek/mtk_hdmi.c:1407:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' with an expression of type 'int (struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = mtk_hdmi_bridge_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. ->mode_valid() in 'struct drm_bridge_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Adjust the return type of mtk_hdmi_bridge_mode_valid() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit a29f8af3e45ff05c0c8cf7c57080c0bea04eba18 Author: Ville Syrjälä Date: Mon Nov 7 21:25:45 2022 +0200 drm/sti: Use drm_mode_copy() [ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ] struct drm_display_mode embeds a list head, so overwriting the full struct with another one will corrupt the list (if the destination mode is on a list). Use drm_mode_copy() instead which explicitly preserves the list head of the destination mode. Even if we know the destination mode is not on any list using drm_mode_copy() seems decent as it sets a good example. Bad examples of not using it might eventually get copied into code where preserving the list head actually matters. Obviously one case not covered here is when the mode itself is embedded in a larger structure and the whole structure is copied. But if we are careful when copying into modes embedded in structures I think we can be a little more reassured that bogus list heads haven't been propagated in. @is_mode_copy@ @@ drm_mode_copy(...) { ... } @depends on !is_mode_copy@ struct drm_display_mode *mode; expression E, S; @@ ( - *mode = E + drm_mode_copy(mode, &E) | - memcpy(mode, E, S) + drm_mode_copy(mode, E) ) @depends on !is_mode_copy@ struct drm_display_mode mode; expression E; @@ ( - mode = E + drm_mode_copy(&mode, &E) | - memcpy(&mode, E, S) + drm_mode_copy(&mode, E) ) @@ struct drm_display_mode *mode; @@ - &*mode + mode Cc: Alain Volmat Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com Reviewed-by: Daniel Vetter Signed-off-by: Sasha Levin commit e398c0ad0c56cc77b714660f0abb98d216f67403 Author: Ville Syrjälä Date: Mon Nov 7 21:25:44 2022 +0200 drm/rockchip: Use drm_mode_copy() [ Upstream commit 2bfaa28000d2830d3209161a4541cce0660e1b84 ] struct drm_display_mode embeds a list head, so overwriting the full struct with another one will corrupt the list (if the destination mode is on a list). Use drm_mode_copy() instead which explicitly preserves the list head of the destination mode. Even if we know the destination mode is not on any list using drm_mode_copy() seems decent as it sets a good example. Bad examples of not using it might eventually get copied into code where preserving the list head actually matters. Obviously one case not covered here is when the mode itself is embedded in a larger structure and the whole structure is copied. But if we are careful when copying into modes embedded in structures I think we can be a little more reassured that bogus list heads haven't been propagated in. @is_mode_copy@ @@ drm_mode_copy(...) { ... } @depends on !is_mode_copy@ struct drm_display_mode *mode; expression E, S; @@ ( - *mode = E + drm_mode_copy(mode, &E) | - memcpy(mode, E, S) + drm_mode_copy(mode, E) ) @depends on !is_mode_copy@ struct drm_display_mode mode; expression E; @@ ( - mode = E + drm_mode_copy(&mode, &E) | - memcpy(&mode, E, S) + drm_mode_copy(&mode, E) ) @@ struct drm_display_mode *mode; @@ - &*mode + mode Signed-off-by: Ville Syrjälä Cc: Sandy Huang Cc: "Heiko Stübner" Cc: linux-arm-kernel@lists.infradead.org Cc: linux-rockchip@lists.infradead.org Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-7-ville.syrjala@linux.intel.com Reviewed-by: Daniel Vetter Signed-off-by: Sasha Levin commit b6ebe51e836ec1cd5d607355fc57a9dbd34014be Author: Ville Syrjälä Date: Mon Nov 7 21:25:42 2022 +0200 drm/msm: Use drm_mode_copy() [ Upstream commit b2a1c5ca50db22b3677676dd5bad5f6092429acf ] struct drm_display_mode embeds a list head, so overwriting the full struct with another one will corrupt the list (if the destination mode is on a list). Use drm_mode_copy() instead which explicitly preserves the list head of the destination mode. Even if we know the destination mode is not on any list using drm_mode_copy() seems decent as it sets a good example. Bad examples of not using it might eventually get copied into code where preserving the list head actually matters. Obviously one case not covered here is when the mode itself is embedded in a larger structure and the whole structure is copied. But if we are careful when copying into modes embedded in structures I think we can be a little more reassured that bogus list heads haven't been propagated in. @is_mode_copy@ @@ drm_mode_copy(...) { ... } @depends on !is_mode_copy@ struct drm_display_mode *mode; expression E, S; @@ ( - *mode = E + drm_mode_copy(mode, &E) | - memcpy(mode, E, S) + drm_mode_copy(mode, E) ) @depends on !is_mode_copy@ struct drm_display_mode mode; expression E; @@ ( - mode = E + drm_mode_copy(&mode, &E) | - memcpy(&mode, E, S) + drm_mode_copy(&mode, E) ) @@ struct drm_display_mode *mode; @@ - &*mode + mode Cc: Rob Clark Cc: Sean Paul Cc: Abhinav Kumar Cc: linux-arm-msm@vger.kernel.org Cc: freedreno@lists.freedesktop.org Reviewed-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Reviewed-by: Daniel Vetter Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-5-ville.syrjala@linux.intel.com Signed-off-by: Sasha Levin commit cf0dcf0e8746b69c77f1237339f30d3ed260812d Author: Wesley Chalmers Date: Fri Oct 21 19:06:10 2022 -0400 drm/amd/display: Disable DRR actions during state commit [ Upstream commit de020e5fa9ebc6fc32e82ae6ccb0282451ed937c ] [WHY] Committing a state while performing DRR actions can cause underflow. [HOW] Disabled features performing DRR actions during state commit. Need to follow-up on why DRR actions affect state commit. Reviewed-by: Jun Lei Acked-by: Alan Liu Signed-off-by: Wesley Chalmers Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit d5368e054eb85022fc3ab51c679052bac27e0e9c Author: Alvin Lee Date: Thu Oct 20 18:33:05 2022 -0400 drm/amd/display: Use min transition for SubVP into MPO [ Upstream commit 9e7d03e8b046c84e1b2973a29cd800495a5a2f09 ] [Description] - For SubVP transitioning into MPO, we want to use a minimal transition to prevent transient underflow - Transitioning a phantom pipe directly into a "real" pipe can result in underflow due to the HUBP still having it's "phantom" programming when HUBP is unblanked (have to wait for next VUPDATE of the new OTG) - Also ensure subvp pipe lock is acquired early enough for programming in dc_commit_state_no_check - When disabling phantom planes, enable phantom OTG first so the disable gets the double buffer update Reviewed-by: Aric Cyr Acked-by: Alan Liu Signed-off-by: Alvin Lee Tested-by: Daniel Wheeler Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit cda74cdc280ba35c8993e7517bac5c257ff36f18 Author: Nathan Chancellor Date: Thu Nov 3 10:01:30 2022 -0700 s390/lcs: Fix return type of lcs_start_xmit() [ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = lcs_start_xmit, ^~~~~~~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reviewed-by: Alexandra Winter Reviewed-by: Kees Cook Signed-off-by: Nathan Chancellor Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit d034fa43af92fc46a81d882f46d9cc3e4ffdbbcc Author: Nathan Chancellor Date: Thu Nov 3 10:01:29 2022 -0700 s390/netiucv: Fix return type of netiucv_tx() [ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = netiucv_tx, ^~~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Additionally, while in the area, remove a comment block that is no longer relevant. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reviewed-by: Alexandra Winter Reviewed-by: Kees Cook Signed-off-by: Nathan Chancellor Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 636f8534a772a9d62c0a2afef6f78f07f70c8831 Author: Nathan Chancellor Date: Thu Nov 3 10:01:28 2022 -0700 s390/ctcm: Fix return type of ctc{mp,}m_tx() [ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = ctcm_tx, ^~~~~~~ drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = ctcmpc_tx, ^~~~~~~~~ ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to match the prototype's to resolve the warning and potential CFI failure, should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. Additionally, while in the area, remove a comment block that is no longer relevant. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reviewed-by: Alexandra Winter Reviewed-by: Kees Cook Signed-off-by: Nathan Chancellor Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 36217f676b55932a12d6732c95388150015fdee6 Author: Nathan Chancellor Date: Wed Nov 2 08:25:40 2022 -0700 drm/amdgpu: Fix type of second parameter in odn_edit_dpm_table() callback [ Upstream commit e4d0ef752081e7aa6ffb7ccac11c499c732a2e05 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/amd/amdgpu/../pm/swsmu/amdgpu_smu.c:3008:29: error: incompatible function pointer types initializing 'int (*)(void *, uint32_t, long *, uint32_t)' (aka 'int (*)(void *, unsigned int, long *, unsigned int)') with an expression of type 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, uint32_t)' (aka 'int (void *, enum PP_OD_DPM_TABLE_COMMAND, long *, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .odn_edit_dpm_table = smu_od_edit_dpm_table, ^~~~~~~~~~~~~~~~~~~~~ 1 error generated. There are only two implementations of ->odn_edit_dpm_table() in 'struct amd_pm_funcs': smu_od_edit_dpm_table() and pp_odn_edit_dpm_table(). One has a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND' and the other uses 'u32'. Ultimately, smu_od_edit_dpm_table() calls ->od_edit_dpm_table() from 'struct pptable_funcs' and pp_odn_edit_dpm_table() calls ->odn_edit_dpm_table() from 'struct pp_hwmgr_func', which both have a second parameter type of 'enum PP_OD_DPM_TABLE_COMMAND'. Update the type parameter in both the prototype in 'struct amd_pm_funcs' and pp_odn_edit_dpm_table() to 'enum PP_OD_DPM_TABLE_COMMAND', which cleans up the warning. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Reviewed-by: Kees Cook Signed-off-by: Nathan Chancellor Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 1cae33c8f9952e26f0c2ddfaa11012b23da24e30 Author: Nathan Chancellor Date: Wed Nov 2 08:25:39 2022 -0700 drm/amdgpu: Fix type of second parameter in trans_msg() callback [ Upstream commit f0d0f1087333714ee683cc134a95afe331d7ddd9 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/amd/amdgpu/mxgpu_ai.c:412:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .trans_msg = xgpu_ai_mailbox_trans_msg, ^~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. drivers/gpu/drm/amd/amdgpu/mxgpu_nv.c:435:15: error: incompatible function pointer types initializing 'void (*)(struct amdgpu_device *, u32, u32, u32, u32)' (aka 'void (*)(struct amdgpu_device *, unsigned int, unsigned int, unsigned int, unsigned int)') with an expression of type 'void (struct amdgpu_device *, enum idh_request, u32, u32, u32)' (aka 'void (struct amdgpu_device *, enum idh_request, unsigned int, unsigned int, unsigned int)') [-Werror,-Wincompatible-function-pointer-types-strict] .trans_msg = xgpu_nv_mailbox_trans_msg, ^~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. The type of the second parameter in the prototype should be 'enum idh_request' instead of 'u32'. Update it to clear up the warnings. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Reviewed-by: Kees Cook Signed-off-by: Nathan Chancellor Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 56483aecf6b22eb7dff6315b3a174688c6ad494c Author: Kees Cook Date: Tue Oct 18 02:25:24 2022 -0700 igb: Do not free q_vector unless new one was allocated [ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ] Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position. Cc: Jesse Brandeburg Cc: Tony Nguyen Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: intel-wired-lan@lists.osuosl.org Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Reviewed-by: Michael J. Ruhl Reviewed-by: Jacob Keller Tested-by: Gurucharan (A Contingent worker at Intel) Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 46675bdbbb5e48f6e76b91555c399562e299cdd9 Author: José Expósito Date: Sat Oct 29 18:12:40 2022 +0200 HID: uclogic: Add support for XP-PEN Deco LW [ Upstream commit f9ce4db0ec2b6301f4264ba8627863e2632c922b ] The XP-PEN Deco LW is a UGEE v2 device with a frame with 8 buttons. Its pen has 2 buttons, supports tilt and pressure. It can be connected by USB cable or using a USB Bluetooth dongle to use it in wireless mode. When it is connected using the dongle, the device battery is used to power it. Its vendor, product and version are identical to the Deco L. The only difference reported by its firmware is the product name. In order to add support for battery reporting, add a new HID descriptor and a quirk to detect the wireless version of the tablet. Link: https://github.com/DIGImend/digimend-kernel-drivers/issues/635 Tested-by: Mia Kanashi Tested-by: Andreas Grosse Tested-by: Mia Kanashi Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 84bc0fe76182765273bd037d79057eb613178abb Author: José Expósito Date: Sat Oct 29 18:12:39 2022 +0200 HID: input: do not query XP-PEN Deco LW battery [ Upstream commit 037c1aaeb96fe5f778026f4c1ef28b26cf600bfa ] The XP-PEN Deco LW drawing tablet can be connected by USB cable or using a USB Bluetooth dongle. When it is connected using the dongle, there might be a small delay until the tablet is paired with the dongle. Fetching the device battery during this delay results in random battery percentage values. Add a quirk to avoid actively querying the battery percentage and wait for the device to report it on its own. Reported-by: Mia Kanashi Tested-by: Mia Kanashi Signed-off-by: José Expósito Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 630ab215956ef47ca559006ba2adf08fd87e01fb Author: Jisoo Jang Date: Wed Nov 2 03:36:42 2022 +0900 wifi: brcmfmac: Fix potential NULL pointer dereference in 'brcmf_c_preinit_dcmds()' [ Upstream commit 683b9728f28895660c66da250cd31654b8fcbc6e ] This patch fixes a NULL pointer dereference bug in brcmfmac that occurs when ptr which is NULL pointer passed as an argument of strlcpy() in brcmf_c_preinit_dcmds(). This happens when the driver passes a firmware version string that does not contain a space " ", making strrchr() return a null pointer. This patch adds a null pointer check. Found by a modified version of syzkaller. KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 0 PID: 1983 Comm: kworker/0:2 Not tainted 5.14.0+ #79 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event RIP: 0010:strlen+0x1a/0x90 Code: 23 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00 RSP: 0018:ffffc90002bfedd8 EFLAGS: 00010296 RAX: dffffc0000000000 RBX: 1ffff9200057fdc1 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000001 RBP: 0000000000000001 R08: 0000000000000039 R09: ffffed1023549801 R10: ffff88811aa4c007 R11: ffffed1023549800 R12: ffff88800bc68d6c R13: ffffc90002bfef08 R14: ffff88800bc6bc7c R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020546180 CR3: 0000000117ff1000 CR4: 0000000000750ef0 PKRU: 55555554 Call Trace: brcmf_c_preinit_dcmds+0x9f2/0xc40 ? brcmf_c_set_joinpref_default+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lock_acquire+0x19d/0x4e0 ? find_held_lock+0x2d/0x110 ? brcmf_usb_deq+0x1a7/0x260 ? brcmf_usb_rx_fill_all+0x5a/0xf0 brcmf_attach+0x246/0xd40 ? wiphy_new_nm+0x1703/0x1dd0 ? kmemdup+0x43/0x50 brcmf_usb_probe+0x12de/0x1690 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 usb_probe_interface+0x2aa/0x760 ? usb_probe_device+0x250/0x250 really_probe+0x205/0xb70 ? driver_allows_async_probing+0x130/0x130 __driver_probe_device+0x311/0x4b0 ? driver_allows_async_probing+0x130/0x130 driver_probe_device+0x4e/0x150 __device_attach_driver+0x1cc/0x2a0 bus_for_each_drv+0x156/0x1d0 ? bus_rescan_devices+0x30/0x30 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x46/0x160 __device_attach+0x23f/0x3a0 ? device_bind_driver+0xd0/0xd0 ? kobject_uevent_env+0x287/0x14b0 bus_probe_device+0x1da/0x290 device_add+0xb7b/0x1eb0 ? wait_for_completion+0x290/0x290 ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 usb_set_configuration+0xf59/0x16f0 usb_generic_driver_probe+0x82/0xa0 usb_probe_device+0xbb/0x250 ? usb_suspend+0x590/0x590 really_probe+0x205/0xb70 ? driver_allows_async_probing+0x130/0x130 __driver_probe_device+0x311/0x4b0 ? usb_generic_driver_match+0x75/0x90 ? driver_allows_async_probing+0x130/0x130 driver_probe_device+0x4e/0x150 __device_attach_driver+0x1cc/0x2a0 bus_for_each_drv+0x156/0x1d0 ? bus_rescan_devices+0x30/0x30 ? _raw_spin_unlock_irqrestore+0x47/0x50 __device_attach+0x23f/0x3a0 ? device_bind_driver+0xd0/0xd0 ? kobject_uevent_env+0x287/0x14b0 bus_probe_device+0x1da/0x290 device_add+0xb7b/0x1eb0 ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 ? kfree+0x14a/0x6b0 ? __usb_get_extra_descriptor+0x116/0x160 usb_new_device.cold+0x49c/0x1029 ? hub_disconnect+0x450/0x450 ? rwlock_bug.part.0+0x90/0x90 ? _raw_spin_unlock_irq+0x24/0x30 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 hub_event+0x248b/0x31c9 ? usb_port_suspend.cold+0x139/0x139 ? check_irq_usage+0x861/0xf20 ? drain_workqueue+0x280/0x360 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x92b/0x1460 ? pwq_dec_nr_in_flight+0x330/0x330 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x95/0xe00 ? __kthread_parkme+0x115/0x1e0 ? process_one_work+0x1460/0x1460 kthread+0x3a1/0x480 ? set_kthread_struct+0x120/0x120 ret_from_fork+0x1f/0x30 Modulesdd linked in: ---[ end trace c112c68924ddd800 ]--- RIP: 0010:strlen+0x1a/0x90 Code: 23 ff ff ff 66 66 2e 0f 1f 84 00 00 00 00 00 90 48 b8 00 00 00 00 00 fc ff df 48 89 fa 55 48 89 fd 48 c1 ea 03 53 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f 04 84 c0 75 48 80 7d 00 00 RSP: 0018:ffffc90002bfedd8 EFLAGS: 00010296 RAX: dffffc0000000000 RBX: 1ffff9200057fdc1 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000020 RDI: 0000000000000001 RBP: 0000000000000001 R08: 0000000000000039 R09: ffffed1023549801 R10: ffff88811aa4c007 R11: ffffed1023549800 R12: ffff88800bc68d6c R13: ffffc90002bfef08 R14: ffff88800bc6bc7c R15: 0000000000000001 FS: 0000000000000000(0000) GS:ffff88811aa00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020546180 CR3: 0000000117ff1000 CR4: 0000000000750ef0 PKRU: 55555554 Kernel panic - not syncing: Fatal exception Kernel Offset: disabled Reported-by: Dokyung Song Reported-by: Jisoo Jang Reported-by: Minsuk Kang Signed-off-by: Jisoo Jang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221101183642.166450-1-jisoo.jang@yonsei.ac.kr Signed-off-by: Sasha Levin commit ffb589963df103caaf062081a32db0b9e1798660 Author: Minsuk Kang Date: Mon Oct 24 16:13:29 2022 +0900 wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() [ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ] This patch fixes a shift-out-of-bounds in brcmfmac that occurs in BIT(chiprev) when a 'chiprev' provided by the device is too large. It should also not be equal to or greater than BITS_PER_TYPE(u32) as we do bitwise AND with a u32 variable and BIT(chiprev). The patch adds a check that makes the function return NULL if that is the case. Note that the NULL case is later handled by the bus-specific caller, brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example. Found by a modified version of syzkaller. UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c shift exponent 151055786 is too large for 64-bit type 'long unsigned int' CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Workqueue: usb_hub_wq hub_event Call Trace: dump_stack_lvl+0x57/0x7d ubsan_epilogue+0x5/0x40 __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb ? lock_chain_count+0x20/0x20 brcmf_fw_alloc_request.cold+0x19/0x3ea ? brcmf_fw_get_firmwares+0x250/0x250 ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0 brcmf_usb_get_fwname+0x114/0x1a0 ? brcmf_usb_reset_resume+0x120/0x120 ? number+0x6c4/0x9a0 brcmf_c_process_clm_blob+0x168/0x590 ? put_dec+0x90/0x90 ? enable_ptr_key_workfn+0x20/0x20 ? brcmf_common_pd_remove+0x50/0x50 ? rcu_read_lock_sched_held+0xa1/0xd0 brcmf_c_preinit_dcmds+0x673/0xc40 ? brcmf_c_set_joinpref_default+0x100/0x100 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lock_acquire+0x19d/0x4e0 ? find_held_lock+0x2d/0x110 ? brcmf_usb_deq+0x1cc/0x260 ? mark_held_locks+0x9f/0xe0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? _raw_spin_unlock_irqrestore+0x47/0x50 ? trace_hardirqs_on+0x1c/0x120 ? brcmf_usb_deq+0x1a7/0x260 ? brcmf_usb_rx_fill_all+0x5a/0xf0 brcmf_attach+0x246/0xd40 ? wiphy_new_nm+0x1476/0x1d50 ? kmemdup+0x30/0x40 brcmf_usb_probe+0x12de/0x1690 ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 usb_probe_interface+0x25f/0x710 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 ? usb_match_id.part.0+0x88/0xc0 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __mutex_unlock_slowpath+0xe7/0x660 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_set_configuration+0x984/0x1770 ? kernfs_create_link+0x175/0x230 usb_generic_driver_probe+0x69/0x90 usb_probe_device+0x9c/0x220 really_probe+0x1be/0xa90 __driver_probe_device+0x2ab/0x460 driver_probe_device+0x49/0x120 __device_attach_driver+0x18a/0x250 ? driver_allows_async_probing+0x120/0x120 bus_for_each_drv+0x123/0x1a0 ? bus_rescan_devices+0x20/0x20 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 ? trace_hardirqs_on+0x1c/0x120 __device_attach+0x207/0x330 ? device_bind_driver+0xb0/0xb0 ? kobject_uevent_env+0x230/0x12c0 bus_probe_device+0x1a2/0x260 device_add+0xa61/0x1ce0 ? __fw_devlink_link_to_suppliers+0x550/0x550 usb_new_device.cold+0x463/0xf66 ? hub_disconnect+0x400/0x400 ? _raw_spin_unlock_irq+0x24/0x30 hub_event+0x10d5/0x3330 ? hub_port_debounce+0x280/0x280 ? __lock_acquire+0x1671/0x5790 ? wq_calc_node_cpumask+0x170/0x2a0 ? lock_release+0x640/0x640 ? rcu_read_lock_sched_held+0xa1/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? lockdep_hardirqs_on_prepare+0x273/0x3e0 process_one_work+0x873/0x13e0 ? lock_release+0x640/0x640 ? pwq_dec_nr_in_flight+0x320/0x320 ? rwlock_bug.part.0+0x90/0x90 worker_thread+0x8b/0xd10 ? __kthread_parkme+0xd9/0x1d0 ? process_one_work+0x13e0/0x13e0 kthread+0x379/0x450 ? _raw_spin_unlock_irq+0x24/0x30 ? set_kthread_struct+0x100/0x100 ret_from_fork+0x1f/0x30 Reported-by: Dokyung Song Reported-by: Jisoo Jang Reported-by: Minsuk Kang Signed-off-by: Minsuk Kang Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr Signed-off-by: Sasha Levin commit 1adbbdce22aa720aa827f3c055712960545f734a Author: Nathan Chancellor Date: Wed Nov 2 09:06:10 2022 -0700 hamradio: baycom_epp: Fix return type of baycom_send_packet() [ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = baycom_send_packet, ^~~~~~~~~~~~~~~~~~ 1 error generated. ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 1e4953b826e12b31995564a459dbd4e9e4604a35 Author: Nathan Chancellor Date: Wed Nov 2 09:09:33 2022 -0700 net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() [ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] .ndo_start_xmit = netcp_ndo_start_xmit, ^~~~~~~~~~~~~~~~~~~~ 1 error generated. ->ndo_start_xmit() in 'struct net_device_ops' expects a return type of 'netdev_tx_t', not 'int'. Adjust the return type of netcp_ndo_start_xmit() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit f186303845a01cc7e991f9dc51d7e5a3cdc7aedb Author: Stanislav Fomichev Date: Thu Oct 27 15:55:37 2022 -0700 bpf: make sure skb->len != 0 when redirecting to a tunneling device [ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ] syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx_skb net/core/filter.c:2115 [inline] __bpf_redirect_no_mac net/core/filter.c:2140 [inline] __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 ____bpf_clone_redirect net/core/filter.c:2447 [inline] bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419 bpf_prog_48159a89cb4a9a16+0x59/0x5e bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline] __bpf_prog_run include/linux/filter.h:596 [inline] bpf_prog_run include/linux/filter.h:603 [inline] bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402 bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170 bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 __do_sys_bpf kernel/bpf/syscall.c:5091 [inline] __se_sys_bpf kernel/bpf/syscall.c:5089 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x61/0xc6 The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after __skb_pull? Cc: Eric Dumazet Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com Signed-off-by: Martin KaFai Lau Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit ab576e2f1c5b665a18714283908473077bdb804e Author: Nathan Chancellor Date: Wed Nov 2 08:52:42 2022 -0700 drm/meson: Fix return type of meson_encoder_cvbs_mode_valid() [ Upstream commit 6c4e4d35203301906afb53c6d1e1302d4c793c05 ] With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at compile time, which reveals: drivers/gpu/drm/meson/meson_encoder_cvbs.c:211:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' with an expression of type 'int (struct drm_bridge *, const struct drm_display_info *, const struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] .mode_valid = meson_encoder_cvbs_mode_valid, ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 1 error generated. ->mode_valid() in 'struct drm_bridge_funcs' expects a return type of 'enum drm_mode_status', not 'int'. Adjust the return type of meson_encoder_cvbs_mode_valid() to match the prototype's to resolve the warning and CFI failure. Link: https://github.com/ClangBuiltLinux/linux/issues/1750 Reported-by: Sami Tolvanen Signed-off-by: Nathan Chancellor Reviewed-by: Kees Cook Signed-off-by: Neil Armstrong Link: https://patchwork.freedesktop.org/patch/msgid/20221102155242.1927166-1-nathan@kernel.org Signed-off-by: Sasha Levin commit 7dccd53ec7dc64a921699682fcc9ffcd814bbb25 Author: Jiri Slaby (SUSE) Date: Mon Oct 31 12:43:54 2022 +0100 qed (gcc13): use u16 for fid to be big enough [ Upstream commit 7d84118229bf7f7290438c85caa8e49de52d50c1 ] gcc 13 correctly reports overflow in qed_grc_dump_addr_range(): In file included from drivers/net/ethernet/qlogic/qed/qed.h:23, from drivers/net/ethernet/qlogic/qed/qed_debug.c:10: drivers/net/ethernet/qlogic/qed/qed_debug.c: In function 'qed_grc_dump_addr_range': include/linux/qed/qed_if.h:1217:9: error: overflow in conversion from 'int' to 'u8' {aka 'unsigned char'} changes value from '(int)vf_id << 8 | 128' to '128' [-Werror=overflow] We do: u8 fid; ... fid = vf_id << 8 | 128; Since fid is 16bit (and the stored value above too), fid should be u16, not u8. Fix that. Cc: Martin Liska Cc: Ariel Elior Cc: Manish Chopra Signed-off-by: Jiri Slaby (SUSE) Link: https://lore.kernel.org/r/20221031114354.10398-1-jirislaby@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a10e1530c424bb277b4edc7def0195857a548495 Author: Rahul Bhattacharjee Date: Fri Oct 21 14:31:26 2022 +0530 wifi: ath11k: Fix qmi_msg_handler data structure initialization [ Upstream commit ed3725e15a154ebebf44e0c34806c57525483f92 ] qmi_msg_handler is required to be null terminated by QMI module. There might be a case where a handler for a msg id is not present in the handlers array which can lead to infinite loop while searching the handler and therefore out of bound access in qmi_invoke_handler(). Hence update the initialization in qmi_msg_handler data structure. Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Signed-off-by: Rahul Bhattacharjee Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221021090126.28626-1-quic_rbhattac@quicinc.com Signed-off-by: Sasha Levin commit 15e6830642e6d71fe5850b83ec7a20699e960706 Author: Kerem Karabay Date: Sat Sep 24 12:53:06 2022 +0300 HID: apple: enable APPLE_ISO_TILDE_QUIRK for the keyboards of Macs with the T2 chip [ Upstream commit 084bc074c231e716cbcb9e8f9db05b17fd3563cf ] The iso_layout parameter must be manually set to get the driver to swap KEY_102ND and KEY_GRAVE. This patch eliminates the need to do that. This is safe to do, as Macs with keyboards that do not need the quirk will keep working the same way as the value of hid->country will be different than HID_COUNTRY_INTERNATIONAL_ISO. This was tested by one person with a Mac with the WELLSPRINGT2_J152F keyboard with a layout that does not require the quirk to be set. Signed-off-by: Kerem Karabay Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 508cc67f944905b7a777d6e70d0e6f9962c3c6e3 Author: Kerem Karabay Date: Sat Sep 24 12:53:05 2022 +0300 HID: apple: fix key translations where multiple quirks attempt to translate the same key [ Upstream commit 5476fcf7f7b901db1cea92acb1abdd12609e30e1 ] The hid-apple driver does not support chaining translations or dependencies on other translations. This creates two problems: 1 - In Non-English keyboards of Macs, KEY_102ND and KEY_GRAVE are swapped and the APPLE_ISO_TILDE_QUIRK is used to work around this problem. The quirk is not set for the Macs where these bugs happen yet (see the 2nd patch for that), but this can be forced by setting the iso_layout parameter. Unfortunately, this only partially works. KEY_102ND gets translated to KEY_GRAVE, but KEY_GRAVE does not get translated to KEY_102ND, so both of them end up functioning as KEY_GRAVE. This is because the driver translates the keys as if Fn was pressed and the original is sent if it is not pressed, without any further translations happening on the key[#463]. KEY_GRAVE is present at macbookpro_no_esc_fn_keys[#195], so this is what happens: - KEY_GRAVE -> KEY_ESC (as if Fn is pressed) - KEY_GRAVE is returned (Fn isn't pressed, so translation is discarded) - KEY_GRAVE -> KEY_102ND (this part is not reached!) ... 2 - In case the touchbar does not work, the driver supports sending Escape when Fn+KEY_GRAVE is pressed. As mentioned previously, KEY_102ND is actually KEY_GRAVE and needs to be translated before this happens. Normally, these are the steps that should happen: - KEY_102ND -> KEY_GRAVE - KEY_GRAVE -> KEY_ESC (Fn is pressed) - KEY_ESC is returned Though this is what happens instead, as dependencies on other translations are not supported: - KEY_102ND -> KEY_ESC (Fn is pressed) - KEY_ESC is returned This patch fixes both bugs by ordering the translations correctly and by making the translations continue and not return immediately after translating a key so that chained translations work and translations can depend on other ones. This patch also simplifies the implementation of the swap_fn_leftctrl option a little bit, as it makes it simply use a normal translation instead adding extra code to translate a key to KEY_FN[#381]. This change wasn't put in another patch as the code that translates the Fn key needs to be changed because of the changes in the patch, and those changes would be discarded with the next patch anyway (the part that originally translates KEY_FN to KEY_LEFTCTRL needs to be made an else-if branch of the part that transltes KEY_LEFTCTRL to KEY_FN). Note: Line numbers (#XYZ) are for drivers/hid/hid-apple.c at commit 20afcc462579 ("HID: apple: Add "GANSS" to the non-Apple list"). Note: These bugs are only present on Macs with a keyboard with no dedicated escape key and a non-English layout. Signed-off-by: Kerem Karabay Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 8b3d6b029a552d2978bbac275303d11419826a69 Author: David Jeffery Date: Wed Oct 26 13:19:57 2022 +0800 blk-mq: avoid double ->queue_rq() because of early timeout [ Upstream commit 82c229476b8f6afd7e09bc4dc77d89dc19ff7688 ] David Jeffery found one double ->queue_rq() issue, so far it can be triggered in VM use case because of long vmexit latency or preempt latency of vCPU pthread or long page fault in vCPU pthread, then block IO req could be timed out before queuing the request to hardware but after calling blk_mq_start_request() during ->queue_rq(), then timeout handler may handle it by requeue, then double ->queue_rq() is caused, and kernel panic. So far, it is driver's responsibility to cover the race between timeout and completion, so it seems supposed to be solved in driver in theory, given driver has enough knowledge. But it is really one common problem, lots of driver could have similar issue, and could be hard to fix all affected drivers, even it isn't easy for driver to handle the race. So David suggests this patch by draining in-progress ->queue_rq() for solving this issue. Cc: Stefan Hajnoczi Cc: Keith Busch Cc: virtualization@lists.linux-foundation.org Cc: Bart Van Assche Signed-off-by: David Jeffery Signed-off-by: Ming Lei Reviewed-by: Bart Van Assche Link: https://lore.kernel.org/r/20221026051957.358818-1-ming.lei@redhat.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6ec50ce315f47b4d0789e7d61e39886a179c6adb Author: Yuan Can Date: Wed Jun 15 06:26:44 2022 +0000 drm/rockchip: use pm_runtime_resume_and_get() instead of pm_runtime_get_sync() [ Upstream commit e3558747ebe15306e6d0b75bd6d211436be4a7d5 ] Replace pm_runtime_get_sync() with pm_runtime_resume_and_get() to avoid device usage counter leak. Signed-off-by: Yuan Can Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20220615062644.96837-1-yuancan@huawei.com Signed-off-by: Sasha Levin commit 22c4f8ef9c62819f2152c8cabe07529bddfaf674 Author: Hamza Mahfooz Date: Tue Oct 25 15:04:36 2022 -0400 Revert "drm/amd/display: Limit max DSC target bpp for specific monitors" [ Upstream commit 6803dfd3a69ccb318772463a86e40929fd4fbac7 ] This reverts commit 55eea8ef98641f6e1e1c202bd3a49a57c1dd4059. This quirk is now handled in the DRM core, so we can drop all of the internal code that was added to handle it. Reviewed-by: Harry Wentland Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit dd76b1c9f6921af9a8d1e09aca3fab57d9f3555f Author: Hamza Mahfooz Date: Fri Oct 21 16:37:34 2022 -0400 drm/edid: add a quirk for two LG monitors to get them to work on 10bpc [ Upstream commit aa193f7eff8ff753577351140b8af13b76cdc7c2 ] The LG 27GP950 and LG 27GN950 have visible display corruption when trying to use 10bpc modes. So, to fix this, cap their maximum DSC target bitrate to 15bpp. Suggested-by: Roman Li Reviewed-by: Harry Wentland Signed-off-by: Hamza Mahfooz Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2b7e54cdda3f5d0b92740860bd680fb4a247bd35 Author: gehao Date: Wed Oct 26 17:54:05 2022 +0800 drm/amd/display: prevent memory leak [ Upstream commit d232afb1f3417ae8194ccf19ad3a8360e70e104e ] In dce6(0,1,4)_create_resource_pool and dce80_create_resource_pool the allocated memory should be released if construct pool fails. Reviewed-by: Rodrigo Siqueira Signed-off-by: gehao Signed-off-by: Rodrigo Siqueira Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f97e6d4af8ea20d851d9faa8133d3b94c2c5aa79 Author: zhikzhai Date: Thu Oct 20 11:46:55 2022 -0400 drm/amd/display: skip commit minimal transition state [ Upstream commit 1e8fd864afdc7a52df375e888a03b8472fc24f5d ] [WHY] Now dynamic ODM will now be disabled when MPO is required safe transitions to avoid underflow, but we are triggering the way of minimal transition too often. Commit state of dc with no check will do pipeline setup which may re-initialize the component with no need such as audio. [HOW] Just do the minimal transition when all of pipes are in use, otherwise return true to skip. Tested-by: Mark Broadworth Reviewed-by: Dillon Varone Acked-by: Rodrigo Siqueira Signed-off-by: zhikzhai Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 6cfa68c7d2ce500cecde5b13e77cb1fafddf2b21 Author: Kees Cook Date: Fri Oct 21 19:10:47 2022 -0700 bnx2: Use kmalloc_size_roundup() to match ksize() usage [ Upstream commit d6dd508080a3cdc0ab34ebf66c3734f2dff907ad ] Round up allocations with kmalloc_size_roundup() so that build_skb()'s use of ksize() is always accurate and no special handling of the memory is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Cc: Rasesh Mody Cc: GR-Linux-NIC-Dev@marvell.com Cc: "David S. Miller" Cc: Eric Dumazet Cc: Jakub Kicinski Cc: Paolo Abeni Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221022021004.gonna.489-kees@kernel.org Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit bde272c8758dc379b65d05a05fc048b3ae98498e Author: Kees Cook Date: Tue Oct 18 02:06:33 2022 -0700 openvswitch: Use kmalloc_size_roundup() to match ksize() usage [ Upstream commit ab3f7828c9793a5dfa99a54dc19ae3491c38bfa3 ] Round up allocations with kmalloc_size_roundup() so that openvswitch's use of ksize() is always accurate and no special handling of the memory is needed by KASAN, UBSAN_BOUNDS, nor FORTIFY_SOURCE. Cc: Pravin B Shelar Cc: dev@openvswitch.org Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221018090628.never.537-kees@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 79a124b588aadb5a22695542778de14366ff3219 Author: Youghandhar Chintala Date: Thu Oct 13 09:34:59 2022 +0300 wifi: ath10k: Delay the unmapping of the buffer [ Upstream commit acd4324e5f1f11351630234297f95076f0ac9a2f ] On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interrupt, host driver will immediately unmap and frees the buffer presuming that hardware has processed the buffer. In the issue case, upon receiving copy complete interrupt, host driver will unmap and free the buffer but since hardware is still accessing the buffer (which in this case got unmapped in parallel), SMMU hardware will trigger an SMMU fault resulting in a kernel panic. In order to avoid this, as a work around, add a delay before unmapping the copy engine source DMA buffer. This is conditionally done for WCN3990 and only for the CE3 channel where issue is seen. Below is the crash signature: wifi smmu error: kernel: [ 10.120965] arm-smmu 15000000.iommu: Unhandled context fault: fsr=0x402, iova=0x7fdfd8ac0, fsynr=0x500003,cbfrsynra=0xc1, cb=6 arm-smmu 15000000.iommu: Unhandled context fault:fsr=0x402, iova=0x7fe06fdc0, fsynr=0x710003, cbfrsynra=0xc1, cb=6 qcom-q6v5-mss 4080000.remoteproc: fatal error received: err_qdi.c:1040:EF:wlan_process:0x1:WLAN RT:0x2091: cmnos_thread.c:3998:Asserted in copy_engine.c:AXI_ERROR_DETECTED:2149 remoteproc remoteproc0: crash detected in 4080000.remoteproc: type fatal error <3> remoteproc remoteproc0: handling crash #1 in 4080000.remoteproc pc : __arm_lpae_unmap+0x500/0x514 lr : __arm_lpae_unmap+0x4bc/0x514 sp : ffffffc011ffb530 x29: ffffffc011ffb590 x28: 0000000000000000 x27: 0000000000000000 x26: 0000000000000004 x25: 0000000000000003 x24: ffffffc011ffb890 x23: ffffffa762ef9be0 x22: ffffffa77244ef00 x21: 0000000000000009 x20: 00000007fff7c000 x19: 0000000000000003 x18: 0000000000000000 x17: 0000000000000004 x16: ffffffd7a357d9f0 x15: 0000000000000000 x14: 00fd5d4fa7ffffff x13: 000000000000000e x12: 0000000000000000 x11: 00000000ffffffff x10: 00000000fffffe00 x9 : 000000000000017c x8 : 000000000000000c x7 : 0000000000000000 x6 : ffffffa762ef9000 x5 : 0000000000000003 x4 : 0000000000000004 x3 : 0000000000001000 x2 : 00000007fff7c000 x1 : ffffffc011ffb890 x0 : 0000000000000000 Call trace: __arm_lpae_unmap+0x500/0x514 __arm_lpae_unmap+0x4bc/0x514 __arm_lpae_unmap+0x4bc/0x514 arm_lpae_unmap_pages+0x78/0xa4 arm_smmu_unmap_pages+0x78/0x104 __iommu_unmap+0xc8/0x1e4 iommu_unmap_fast+0x38/0x48 __iommu_dma_unmap+0x84/0x104 iommu_dma_free+0x34/0x50 dma_free_attrs+0xa4/0xd0 ath10k_htt_rx_free+0xc4/0xf4 [ath10k_core] ath10k_core_stop+0x64/0x7c [ath10k_core] ath10k_halt+0x11c/0x180 [ath10k_core] ath10k_stop+0x54/0x94 [ath10k_core] drv_stop+0x48/0x1c8 [mac80211] ieee80211_do_open+0x638/0x77c [mac80211] ieee80211_open+0x48/0x5c [mac80211] __dev_open+0xb4/0x174 __dev_change_flags+0xc4/0x1dc dev_change_flags+0x3c/0x7c devinet_ioctl+0x2b4/0x580 inet_ioctl+0xb0/0x1b4 sock_do_ioctl+0x4c/0x16c compat_ifreq_ioctl+0x1cc/0x35c compat_sock_ioctl+0x110/0x2ac __arm64_compat_sys_ioctl+0xf4/0x3e0 el0_svc_common+0xb4/0x17c el0_svc_compat_handler+0x2c/0x58 el0_svc_compat+0x8/0x2c Tested-on: WCN3990 hw1.0 SNOC WLAN.HL.2.0-01387-QCAHLSWMTPLZ-1 Tested-by: Douglas Anderson Signed-off-by: Youghandhar Chintala Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221012142733.32420-1-quic_youghand@quicinc.com Signed-off-by: Sasha Levin commit 34cfc4f0327484107f76b11019d50491310c84b6 Author: Zhang Yuchen Date: Fri Oct 7 17:26:17 2022 +0800 ipmi: fix memleak when unload ipmi driver [ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ] After the IPMI disconnect problem, the memory kept rising and we tried to unload the driver to free the memory. However, only part of the free memory is recovered after the driver is uninstalled. Using ebpf to hook free functions, we find that neither ipmi_user nor ipmi_smi_msg is free, only ipmi_recv_msg is free. We find that the deliver_smi_err_response call in clean_smi_msgs does the destroy processing on each message from the xmit_msg queue without checking the return value and free ipmi_smi_msg. deliver_smi_err_response is called only at this location. Adding the free handling has no effect. To verify, try using ebpf to trace the free function. $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n", arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n", retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}' Signed-off-by: Zhang Yuchen Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com> [Fixed the comment above handle_one_recv_msg().] Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit 488c3ad53ac92ca3b45ccca11e834261a38d337d Author: Amadeusz Sławiński Date: Mon Oct 10 14:19:44 2022 +0200 ASoC: Intel: avs: Add quirk for KBL-R RVP platform [ Upstream commit 9d0737fa0e7530313634c0ecd75f09a95ba8d44a ] KBL-R RVPs contain built-in rt298 codec which requires different PLL clock and .dai_fmt configuration than seen on other boards. Signed-off-by: Amadeusz Sławiński Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221010121955.718168-5-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 82f4b57e26243153eb7d9852d546a38de69cb029 Author: Amadeusz Sławiński Date: Mon Oct 10 14:19:43 2022 +0200 ASoC: codecs: rt298: Add quirk for KBL-R RVP platform [ Upstream commit 953dbd1cef18ce9ac0d69c1bd735b929fe52a17e ] KBL-R RVP platforms also use combojack, so we need to enable that configuration for them. Signed-off-by: Amadeusz Sławiński Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221010121955.718168-4-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9aef34e1ae35a87e5f6a22278c17823b7ce64c88 Author: Shigeru Yoshida Date: Mon Oct 10 03:32:23 2022 +0900 wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out [ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ] syzkaller reported use-after-free with the stack trace like below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] [ 39.023237][ C3] In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out. Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1] Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com Signed-off-by: Shigeru Yoshida Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com Signed-off-by: Sasha Levin commit 0b7e6d681e00a96cde2b32a15ffa70e1be2e3209 Author: Fedor Pchelkin Date: Sun Oct 9 00:15:32 2022 +0300 wifi: ath9k: verify the expected usb_endpoints are present [ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ] The bug arises when a USB device claims to be an ATH9K but doesn't have the expected endpoints. (In this case there was an interrupt endpoint where the driver expected a bulk endpoint.) The kernel needs to be able to handle such devices without getting an internal error. usb 1-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Modules linked in: CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 Workqueue: events request_firmware_work_func RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 Call Trace: ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline] ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019 ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline] ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242 request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097 process_one_work+0x9af/0x1600 kernel/workqueue.c:2279 worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425 kthread+0x3b4/0x4a0 kernel/kthread.c:313 ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Suggested-by: Alan Stern Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 200347eb3b2608cc8b54c13dd1d5e03809ba2eb2 Author: Wright Feng Date: Wed Sep 28 22:10:00 2022 -0500 brcmfmac: return error when getting invalid max_flowrings from dongle [ Upstream commit 2aca4f3734bd717e04943ddf340d49ab62299a00 ] When firmware hit trap at initialization, host will read abnormal max_flowrings number from dongle, and it will cause kernel panic when doing iowrite to initialize dongle ring. To detect this error at early stage, we directly return error when getting invalid max_flowrings(>256). Signed-off-by: Wright Feng Signed-off-by: Chi-hsien Lin Signed-off-by: Ian Lin Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220929031001.9962-3-ian.lin@infineon.com Signed-off-by: Sasha Levin commit 35591c2469953d59abdb16cb7beac834052cdb4f Author: Ming Qian Date: Thu Aug 4 17:38:41 2022 +0800 media: imx-jpeg: Disable useless interrupt to avoid kernel panic [ Upstream commit c3720e65c9013a7b2a5dbb63e6bf6d74a35dd894 ] There is a hardware bug that the interrupt STMBUF_HALF may be triggered after or when disable interrupt. It may led to unexpected kernel panic. And interrupt STMBUF_HALF and STMBUF_RTND have no other effect. So disable them and the unused interrupts. meanwhile clear the interrupt status when disable interrupt. Signed-off-by: Ming Qian Reviewed-by: Mirela Rabulea Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit da4113e63f1773545dff7523642d1771b2844fe2 Author: Doug Brown Date: Sat Sep 10 13:29:38 2022 -0700 drm/etnaviv: add missing quirks for GC300 [ Upstream commit cc7d3fb446a91f24978a6aa59cbb578f92e22242 ] The GC300's features register doesn't specify that a 2D pipe is available, and like the GC600, its idle register reports zero bits where modules aren't present. Signed-off-by: Doug Brown Reviewed-by: Christian Gmeiner Signed-off-by: Lucas Stach Signed-off-by: Sasha Levin commit bfc9d8f27f89717431a6aecce42ae230b437433f Author: ZhangPeng Date: Wed Nov 30 06:59:59 2022 +0000 hfs: fix OOB Read in __hfs_brec_find [ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ] Syzbot reported a OOB read bug: ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11 CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted 6.1.0-rc6-syzkaller-00308-g644e9524388a #0 Workqueue: writeback wb_workfn (flush-7:0) Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75 hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138 hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462 write_inode fs/fs-writeback.c:1440 [inline] If the input inode of hfs_write_inode() is incorrect: struct inode struct hfs_inode_info struct hfs_cat_key struct hfs_name u8 len # len is greater than HFS_NAMELEN(31) which is the maximum length of an HFS filename OOB read occurred: hfs_write_inode() hfs_brec_find() __hfs_brec_find() hfs_cat_keycmp() hfs_strcmp() # OOB read occurred due to len is too large Fix this by adding a Check on len in hfs_write_inode() before calling hfs_brec_find(). Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com Signed-off-by: ZhangPeng Reported-by: Cc: Damien Le Moal Cc: Ira Weiny Cc: Jeff Layton Cc: Kefeng Wang Cc: Matthew Wilcox Cc: Nanyong Sun Cc: Viacheslav Dubeyko Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 96d66b7074cbc97d9f44b707555c883f7608e83d Author: Hans de Goede Date: Thu Dec 8 12:02:02 2022 +0100 ACPI: x86: Add skip i2c clients quirk for Medion Lifetab S10346 [ Upstream commit ecc6aaabcedc276128315f57755364106017c606 ] The Medion Lifetab S10346 is a x86 tablet which ships with Android x86 as factory OS. The Android x86 kernel fork ignores I2C devices described in the DSDT, except for the PMIC and Audio codecs. As usual the Medion Lifetab S10346's DSDT contains a bunch of extra I2C devices which are not actually there, causing various resource conflicts. Add an ACPI_QUIRK_SKIP_I2C_CLIENTS quirk for the Medion Lifetab S10346 to the acpi_quirk_skip_dmi_ids table to woraround this. Signed-off-by: Hans de Goede Reviewed-by: Andy Shevchenko Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit ef7cf3c923822106b50b644d43c233797ae6db37 Author: Josef Bacik Date: Fri Oct 14 10:00:41 2022 -0400 btrfs: do not panic if we can't allocate a prealloc extent state [ Upstream commit 5a75034e71ef5ec0fce983afcb6c9cb0147cd5b9 ] We sometimes have to allocate new extent states when clearing or setting new bits in an extent io tree. Generally we preallocate this before taking the tree spin lock, but we can use this preallocated extent state sometimes and then need to try to do a GFP_ATOMIC allocation under the lock. Unfortunately sometimes this fails, and then we hit the BUG_ON() and bring the box down. This happens roughly 20 times a week in our fleet. However the vast majority of callers use GFP_NOFS, which means that if this GFP_ATOMIC allocation fails, we could simply drop the spin lock, go back and allocate a new extent state with our given gfp mask, and begin again from where we left off. For the remaining callers that do not use GFP_NOFS, they are generally using GFP_NOWAIT, which still allows for some reclaim. So allow these allocations to attempt to happen outside of the spin lock so we don't need to rely on GFP_ATOMIC allocations. This in essence creates an infinite loop for anything that isn't GFP_NOFS. To address this we may want to migrate to using mempools for extent states so that we will always have emergency reserves in order to make our allocations. Signed-off-by: Josef Bacik Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit a1f90b9a333c6daa97f86d47eb2a033ce69738c0 Author: Hans de Goede Date: Sun Nov 27 19:24:03 2022 +0100 ACPI: x86: Add skip i2c clients quirk for Lenovo Yoga Tab 3 Pro (YT3-X90F) [ Upstream commit fe820db35275561d8bf86ad19044d40ffc95bc04 ] The Lenovo Yoga Tab 3 Pro (YT3-X90F) is a x86 (Cherry Trail) tablet which ships with Android x86 as factory OS. The Android x86 kernel fork ignores I2C devices described in the DSDT, except for the PMIC and Audio codecs. As usual the Lenovo Yoga Tab 3 Pro's DSDT contains a bunch of extra I2C devices which are not actually there, causing various resource conflicts. Add an ACPI_QUIRK_SKIP_I2C_CLIENTS quirk for the Lenovo Yoga Tab 3 Pro to the acpi_quirk_skip_dmi_ids table to woraround this. ACPI_QUIRK_SKIP_I2C_CLIENTS handling uses i2c_acpi_known_good_ids[], so that PMICs and Audio codecs will still be enumerated properly. The Lenovo Yoga Tab 3 Pro uses a Whiskey Cove PMIC, add the INT34D3 HID for this PMIC to the i2c_acpi_known_good_ids[] list. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 87c51832b7af08c0e59fab32ada893d84717420d Author: Mateusz Jończyk Date: Tue Nov 29 22:50:08 2022 +0100 x86/apic: Handle no CONFIG_X86_X2APIC on systems with x2APIC enabled by BIOS [ Upstream commit e3998434da4f5b1f57f8d6a8a9f8502ee3723bae ] A kernel that was compiled without CONFIG_X86_X2APIC was unable to boot on platforms that have x2APIC already enabled in the BIOS before starting the kernel. The kernel was supposed to panic with an approprite error message in validate_x2apic() due to the missing X2APIC support. However, validate_x2apic() was run too late in the boot cycle, and the kernel tried to initialize the APIC nonetheless. This resulted in an earlier panic in setup_local_APIC() because the APIC was not registered. In my experiments, a panic message in setup_local_APIC() was not visible in the graphical console, which resulted in a hang with no indication what has gone wrong. Instead of calling panic(), disable the APIC, which results in a somewhat working system with the PIC only (and no SMP). This way the user is able to diagnose the problem more easily. Disabling X2APIC mode is not an option because it's impossible on systems with locked x2APIC. The proper place to disable the APIC in this case is in check_x2apic(), which is called early from setup_arch(). Doing this in __apic_intr_mode_select() is too late. Make check_x2apic() unconditionally available and remove the empty stub. Reported-by: Paul Menzel Reported-by: Robert Elliott (Servers) Signed-off-by: Mateusz Jończyk Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/lkml/d573ba1c-0dc4-3016-712a-cc23a8a33d42@molgen.mpg.de Link: https://lore.kernel.org/lkml/20220911084711.13694-3-mat.jonczyk@o2.pl Link: https://lore.kernel.org/all/20221129215008.7247-1-mat.jonczyk@o2.pl Signed-off-by: Sasha Levin commit 0aac6e60c464a5f942f995428e67f8ae1c422250 Author: Zheng Yejian Date: Sat May 15 22:06:31 2021 +0800 acct: fix potential integer overflow in encode_comp_t() [ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ] The integer overflow is descripted with following codes: > 317 static comp_t encode_comp_t(u64 value) > 318 { > 319 int exp, rnd; ...... > 341 exp <<= MANTSIZE; > 342 exp += value; > 343 return exp; > 344 } Currently comp_t is defined as type of '__u16', but the variable 'exp' is type of 'int', so overflow would happen when variable 'exp' in line 343 is greater than 65535. Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com Signed-off-by: Zheng Yejian Cc: Hanjun Guo Cc: Randy Dunlap Cc: Vlastimil Babka Cc: Zhang Jinhao Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit a16731fa1b96226c75bbf18e73513b14fc318360 Author: Ryusuke Konishi Date: Thu Oct 27 13:43:06 2022 +0900 nilfs2: fix shift-out-of-bounds due to too large exponent of block size [ Upstream commit ebeccaaef67a4895d2496ab8d9c2fb8d89201211 ] If field s_log_block_size of superblock data is corrupted and too large, init_nilfs() and load_nilfs() still can trigger a shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn is set): shift exponent 38973 is too large for 32-bit type 'int' Call Trace: dump_stack_lvl+0xcd/0x134 ubsan_epilogue+0xb/0x50 __ubsan_handle_shift_out_of_bounds.cold.12+0x17b/0x1f5 init_nilfs.cold.11+0x18/0x1d [nilfs2] nilfs_mount+0x9b5/0x12b0 [nilfs2] ... This fixes the issue by adding and using a new helper function for getting block size with sanity check. Link: https://lkml.kernel.org/r/20221027044306.42774-3-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 62d11ec205ef14d8acf172cfc9904fdbf200025a Author: Ryusuke Konishi Date: Thu Oct 27 13:43:05 2022 +0900 nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() [ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ] Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount time". The first patch fixes a bug reported by syzbot, and the second one fixes the remaining bug of the same kind. Although they are triggered by the same super block data anomaly, I divided it into the above two because the details of the issues and how to fix it are different. Both are required to eliminate the shift-out-of-bounds issues at mount time. This patch (of 2): If the block size exponent information written in an on-disk superblock is corrupted, nilfs_sb2_bad_offset helper function can trigger shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn is set): shift exponent 38983 is too large for 64-bit type 'unsigned long long' Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 ubsan_epilogue lib/ubsan.c:151 [inline] __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322 nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline] nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523 init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577 nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047 nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317 ... In addition, since nilfs_sb2_bad_offset() performs multiplication without considering the upper bound, the computation may overflow if the disk layout parameters are not normal. This fixes these issues by inserting preliminary sanity checks for those parameters and by converting the comparison from one involving multiplication and left bit-shifting to one using division and right bit-shifting. Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com Signed-off-by: Ryusuke Konishi Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com Tested-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 64958e12bb98de40d2d9920fb60a16213d3a7e54 Author: Hans de Goede Date: Mon Nov 14 15:44:57 2022 +0100 ACPI: video: Add force_native quirk for Sony Vaio VPCY11S1E [ Upstream commit f5a6ff923d4a1d639da36228d00e95ff67d417f0 ] The Sony Vaio VPCY11S1E advertises both native and ACPI video backlight control interfaces, but only the native interface works and the default heuristics end up picking ACPI video on this model. Add a video_detect_force_native DMI quirk for this. Reported-by: Stefan Joosten Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 218c556cded573e1a9eaa442faa48578f3c93b14 Author: Hans de Goede Date: Mon Nov 14 15:44:56 2022 +0100 ACPI: video: Add force_vendor quirk for Sony Vaio PCG-FRV35 [ Upstream commit 23735543eb228c604e59f99f2f5d13aa507e5db2 ] The Sony Vaio PCG-FRV35 advertises both native and vendor backlight control interfaces. With the upcoming changes to prefer native over vendor acpi_video_get_backlight_type() will start returning native on these laptops. But the native radeon_bl0 interface does not work, where as the sony vendor interface does work. Add a quirk to force use of the vendor interface. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c6b9b32002987f63caa1b8798084d941af87ec16 Author: Hans de Goede Date: Mon Nov 14 15:44:55 2022 +0100 ACPI: video: Change Sony Vaio VPCEH3U1E quirk to force_native [ Upstream commit 84d56f326a8ef0071df8c0c3b983b9e2c3b73006 ] According to: https://bugzilla.kernel.org/show_bug.cgi?id=202401 the Sony Vaio VPCEH3U1E quirk was added to disable the acpi_video0 backlight interface because that was not working, so that userspace will pick the actually working native nv_backlight interface instead. With the new kernel behavior of hiding native interfaces unless acpi_video_get_backlight_type() returns native, the current video_detect_force_vendor quirk will cause the working nv_backlight interface will be disabled too. Change the quirk to video_detect_force_native to get the desired result of only registering the nv_backlight interface. After this all currently remaining force_vendor quirks in video_detect_dmi_table[] are there to prefer a vendor interface over a non working ACPI video interface, add a comment to document this. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 478412161af4323d94717672c0e9218822fb03d7 Author: Hans de Goede Date: Mon Nov 14 15:44:54 2022 +0100 ACPI: video: Change GIGABYTE GB-BXBT-2807 quirk to force_none [ Upstream commit 9f7dd272ff9338f1f43c7a837d5a7ee67811d552 ] The GIGABYTE GB-BXBT-2807 DMI quirk was added by commit 25417185e9b5 ("ACPI: video: Add DMI quirk for GIGABYTE GB-BXBT-2807") which says the following in its commit message: "The GIGABYTE GB-BXBT-2807 is a mini-PC which uses off the shelf components, like an Intel GPU which is meant for mobile systems. As such, it, by default, has a backlight controller exposed. Unfortunately, the backlight controller only confuses userspace, which sees the existence of a backlight device node and has the unrealistic belief that there is actually a backlight there! Add a DMI quirk to force the backlight off on this system." So in essence this quirk was using a video_detect_force_vendor quirk to disable backlight control. Now a days we have a specific "none" backlight type for this. Change the quirk to video_detect_force_none and group it together with the other force_none quirks. Signed-off-by: Hans de Goede Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c547d7ee0455aef3d7a0e746ecf11180b9b08136 Author: Guenter Roeck Date: Thu Nov 10 07:24:54 2022 -0800 thermal/core: Ensure that thermal device is registered in thermal_zone_get_temp [ Upstream commit 1c6b30060777352e7881383bab726046d8c3c610 ] Calls to thermal_zone_get_temp() are not protected against thermal zone device removal. As result, it is possible that the thermal zone operations callbacks are no longer valid when thermal_zone_get_temp() is called. This may result in crashes such as BUG: unable to handle page fault for address: ffffffffc04ef420 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 5d60e067 P4D 5d60e067 PUD 5d610067 PMD 110197067 PTE 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 1 PID: 3209 Comm: cat Tainted: G W 5.10.136-19389-g615abc6eb807 #1 02df41ac0b12f3a64f4b34245188d8875bb3bce1 Hardware name: Google Coral/Coral, BIOS Google_Coral.10068.92.0 11/27/2018 RIP: 0010:thermal_zone_get_temp+0x26/0x73 Code: 89 c3 eb d3 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 53 48 85 ff 74 50 48 89 fb 48 81 ff 00 f0 ff ff 77 44 48 8b 83 98 03 00 00 <48> 83 78 10 00 74 36 49 89 f6 4c 8d bb d8 03 00 00 4c 89 ff e8 9f RSP: 0018:ffffb3758138fd38 EFLAGS: 00010287 RAX: ffffffffc04ef410 RBX: ffff98f14d7fb000 RCX: 0000000000000000 RDX: ffff98f17cf90000 RSI: ffffb3758138fd64 RDI: ffff98f14d7fb000 RBP: ffffb3758138fd50 R08: 0000000000001000 R09: ffff98f17cf90000 R10: 0000000000000000 R11: ffffffff8dacad28 R12: 0000000000001000 R13: ffff98f1793a7d80 R14: ffff98f143231708 R15: ffff98f14d7fb018 FS: 00007ec166097800(0000) GS:ffff98f1bbd00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffc04ef420 CR3: 000000010ee9a000 CR4: 00000000003506e0 Call Trace: temp_show+0x31/0x68 dev_attr_show+0x1d/0x4f sysfs_kf_seq_show+0x92/0x107 seq_read_iter+0xf5/0x3f2 vfs_read+0x205/0x379 __x64_sys_read+0x7c/0xe2 do_syscall_64+0x43/0x55 entry_SYSCALL_64_after_hwframe+0x61/0xc6 if a thermal device is removed while accesses to its device attributes are ongoing. The problem is exposed by code in iwl_op_mode_mvm_start(), which registers a thermal zone device only to unregister it shortly afterwards if an unrelated failure is encountered while accessing the hardware. Check if the thermal zone device is registered after acquiring the thermal zone device mutex to ensure this does not happen. The code was tested by triggering the failure in iwl_op_mode_mvm_start() on purpose. Without this patch, the kernel crashes reliably. The crash is no longer observed after applying this and the preceding patches. Signed-off-by: Guenter Roeck Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 799881db3e03b5e98fe6a900d9d7de8c7d61e7ee Author: Rafael J. Wysocki Date: Mon Nov 7 18:42:36 2022 +0100 ACPICA: Fix error code path in acpi_ds_call_control_method() [ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ] A use-after-free in acpi_ps_parse_aml() after a failing invocaion of acpi_ds_call_control_method() is reported by KASAN [1] and code inspection reveals that next_walk_state pushed to the thread by acpi_ds_create_walk_state() is freed on errors, but it is not popped from the thread beforehand. Thus acpi_ds_get_current_walk_state() called by acpi_ps_parse_aml() subsequently returns it as the new walk state which is incorrect. To address this, make acpi_ds_call_control_method() call acpi_ds_pop_walk_state() to pop next_walk_state from the thread before returning an error. Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1] Reported-by: Chen Zhongjin Signed-off-by: Rafael J. Wysocki Reviewed-by: Chen Zhongjin Signed-off-by: Sasha Levin commit f72e95c2204f26c5a13ea613212cc48820dcbf0c Author: Mia Kanashi Date: Sun Oct 30 01:20:08 2022 +0300 ACPI: EC: Add quirk for the HP Pavilion Gaming 15-cx0041ur [ Upstream commit b423f240a66ad928c4cb5ec6055dfc90ce8d894e ] Added GPE quirk entry for the HP Pavilion Gaming 15-cx0041ur. There is a quirk entry for the 15-cx0xxx laptops, but this one has different DMI_PRODUCT_NAME. Notably backlight keys and other ACPI events now function correctly. Signed-off-by: Mia Kanashi Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit b85f0e292f73f353eea915499604fbf50c8238b4 Author: Li Zhong Date: Fri Sep 2 00:37:30 2022 -0700 ACPI: processor: idle: Check acpi_fetch_acpi_dev() return value [ Upstream commit 2437513a814b3e93bd02879740a8a06e52e2cf7d ] The return value of acpi_fetch_acpi_dev() could be NULL, which would cause a NULL pointer dereference to occur in acpi_device_hid(). Signed-off-by: Li Zhong [ rjw: Subject and changelog edits, added empty line after if () ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 3d340b684dcec5e34efc470227cd1c7d2df121ad Author: Hoi Pok Wu Date: Tue Oct 25 23:20:45 2022 +0800 fs: jfs: fix shift-out-of-bounds in dbDiscardAG [ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ] This should be applied to most URSAN bugs found recently by syzbot, by guarding the dbMount. As syzbot feeding rubbish into the bmap descriptor. Signed-off-by: Hoi Pok Wu Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit ccb6bdf0b7b64beb8c0808cef0bcf9e893504830 Author: Dr. David Alan Gilbert Date: Sat Oct 22 21:39:14 2022 +0100 jfs: Fix fortify moan in symlink [ Upstream commit ebe060369f8d6e4588b115f252bebf5ba4d64350 ] JFS has in jfs_incore.h: /* _inline may overflow into _inline_ea when needed */ /* _inline_ea may overlay the last part of * file._xtroot if maxentry = XTROOTINITSLOT */ union { struct { /* 128: inline symlink */ unchar _inline[128]; /* 128: inline extended attr */ unchar _inline_ea[128]; }; unchar _inline_all[256]; and currently the symlink code copies into _inline; if this is larger than 128 bytes it triggers a fortify warning of the form: memcpy: detected field-spanning write (size 132) of single field "ip->i_link" at fs/jfs/namei.c:950 (size 18446744073709551615) when it's actually OK. Copy it into _inline_all instead. Reported-by: syzbot+5fc38b2ddbbca7f5c680@syzkaller.appspotmail.com Signed-off-by: Dr. David Alan Gilbert Reviewed-by: Kees Cook Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit 090bf49833c51da297ec74f98ad2bf44daea9311 Author: Shigeru Yoshida Date: Sun Oct 23 18:57:41 2022 +0900 udf: Avoid double brelse() in udf_rename() [ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ] syzbot reported a warning like below [1]: VFS: brelse: Trying to free free buffer WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 ... Call Trace: invalidate_bh_lru+0x99/0x150 smp_call_function_many_cond+0xe2a/0x10c0 ? generic_remap_file_range_prep+0x50/0x50 ? __brelse+0xa0/0xa0 ? __mutex_lock+0x21c/0x12d0 ? smp_call_on_cpu+0x250/0x250 ? rcu_read_lock_sched_held+0xb/0x60 ? lock_release+0x587/0x810 ? __brelse+0xa0/0xa0 ? generic_remap_file_range_prep+0x50/0x50 on_each_cpu_cond_mask+0x3c/0x80 blkdev_flush_mapping+0x13a/0x2f0 blkdev_put_whole+0xd3/0xf0 blkdev_put+0x222/0x760 deactivate_locked_super+0x96/0x160 deactivate_super+0xda/0x100 cleanup_mnt+0x222/0x3d0 task_work_run+0x149/0x240 ? task_work_cancel+0x30/0x30 do_exit+0xb29/0x2a40 ? reacquire_held_locks+0x4a0/0x4a0 ? do_raw_spin_lock+0x12a/0x2b0 ? mm_update_next_owner+0x7c0/0x7c0 ? rwlock_bug.part.0+0x90/0x90 ? zap_other_threads+0x234/0x2d0 do_group_exit+0xd0/0x2a0 __x64_sys_exit_group+0x3a/0x50 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x63/0xcd The cause of the issue is that brelse() is called on both ofibh.sbh and ofibh.ebh by udf_find_entry() when it returns NULL. However, brelse() is called by udf_rename(), too. So, b_count on buffer_head becomes unbalanced. This patch fixes the issue by not calling brelse() by udf_rename() when udf_find_entry() returns NULL. Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1] Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com Signed-off-by: Shigeru Yoshida Signed-off-by: Jan Kara Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com Signed-off-by: Sasha Levin commit 67973caae78e21ee46a7281aaa8ca364eb9c444f Author: Dongliang Mu Date: Tue Oct 18 08:48:07 2022 -0500 fs: jfs: fix shift-out-of-bounds in dbAllocAG [ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ] Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The underlying bug is the missing check of bmp->db_agl2size. The field can be greater than 64 and trigger the shift-out-of-bounds. Fix this bug by adding a check of bmp->db_agl2size in dbMount since this field is used in many following functions. The upper bound for this field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp. Note that, for maintenance, I reorganized error handling code of dbMount. Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com Signed-off-by: Dongliang Mu Signed-off-by: Dave Kleikamp Signed-off-by: Sasha Levin commit aaf8770746da397527b3368950cb93c31884bbba Author: Marijn Suijten Date: Sun Oct 30 08:32:32 2022 +0100 arm64: dts: qcom: sm6350: Add apps_smmu with streamID to SDHCI 1/2 nodes [ Upstream commit 7372b944a6ba5ac86628eaacc89ed4f103435cb9 ] When enabling the APPS SMMU the mainline driver reconfigures the SMMU from its bootloader configuration, losing the stream mapping for (among which) the SDHCI hardware and breaking its ADMA feature. This feature can be disabled with: sdhci.debug_quirks=0x40 But it is of course desired to have this feature enabled and working through the SMMU. Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Reviewed-by: Luca Weiss Tested-by: Luca Weiss # sm7225-fairphone-fp4 Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221030073232.22726-11-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit a10ff5b8cf862cebc24bd3fff9f260451b9d3b87 Author: Krzysztof Kozlowski Date: Wed Oct 26 16:03:55 2022 -0400 arm64: dts: qcom: sm8450: disable SDHCI SDR104/SDR50 on all boards [ Upstream commit 9d561dc4e5cc31e757f91eb7bb709d2e2a8c9ce0 ] SDHCI on SM8450 HDK also has problems with SDR104/SDR50: mmc0: card never left busy state mmc0: error -110 whilst initialising SD card so I think it is safe to assume this issue affects all SM8450 boards. Move the quirk disallowing these modes to the SoC DTSI, to spare people working on other boards the misery of debugging this issue. Signed-off-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221026200357.391635-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit a91123d4bda463469f68f0427adabf8108001f94 Author: Liu Shixin Date: Wed Nov 2 10:51:23 2022 +0800 binfmt_misc: fix shift-out-of-bounds in check_special_flags [ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ] UBSAN reported a shift-out-of-bounds warning: left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 ubsan_epilogue+0xa/0x44 lib/ubsan.c:151 __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322 check_special_flags fs/binfmt_misc.c:241 [inline] create_entry fs/binfmt_misc.c:456 [inline] bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654 vfs_write+0x11e/0x580 fs/read_write.c:582 ksys_write+0xcf/0x120 fs/read_write.c:637 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x4194e1 Since the type of Node's flags is unsigned long, we should define these macros with same type too. Signed-off-by: Liu Shixin Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com Signed-off-by: Sasha Levin commit 46db95e714acdc736a0925e86b930c714f4a5c70 Author: Gaurav Kohli Date: Fri Nov 25 22:14:51 2022 -0800 x86/hyperv: Remove unregister syscore call from Hyper-V cleanup [ Upstream commit 32c97d980e2eef25465d453f2956a9ca68926a3c ] Hyper-V cleanup code comes under panic path where preemption and irq is already disabled. So calling of unregister_syscore_ops might schedule out the thread even for the case where mutex lock is free. hyperv_cleanup unregister_syscore_ops mutex_lock(&syscore_ops_lock) might_sleep Here might_sleep might schedule out this thread, where voluntary preemption config is on and this thread will never comes back. And also this was added earlier to maintain the symmetry which is not required as this can comes during crash shutdown path only. To prevent the same, removing unregister_syscore_ops function call. Signed-off-by: Gaurav Kohli Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/1669443291-2575-1-git-send-email-gauravkohli@linux.microsoft.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 16fed31153ceeb7be73dd74370a7c09e77a84dfb Author: Guilherme G. Piccoli Date: Fri Aug 19 19:17:29 2022 -0300 video: hyperv_fb: Avoid taking busy spinlock on panic path [ Upstream commit 1d044ca035dc22df0d3b39e56f2881071d9118bd ] The Hyper-V framebuffer code registers a panic notifier in order to try updating its fbdev if the kernel crashed. The notifier callback is straightforward, but it calls the vmbus_sendpacket() routine eventually, and such function takes a spinlock for the ring buffer operations. Panic path runs in atomic context, with local interrupts and preemption disabled, and all secondary CPUs shutdown. That said, taking a spinlock might cause a lockup if a secondary CPU was disabled with such lock taken. Fix it here by checking if the ring buffer spinlock is busy on Hyper-V framebuffer panic notifier; if so, bail-out avoiding the potential lockup scenario. Cc: Andrea Parri (Microsoft) Cc: Dexuan Cui Cc: Haiyang Zhang Cc: "K. Y. Srinivasan" Cc: Michael Kelley Cc: Stephen Hemminger Cc: Tianyu Lan Cc: Wei Liu Tested-by: Fabio A M Martins Signed-off-by: Guilherme G. Piccoli Reviewed-by: Michael Kelley Link: https://lore.kernel.org/r/20220819221731.480795-10-gpiccoli@igalia.com Signed-off-by: Wei Liu Signed-off-by: Sasha Levin commit 2e356d6de4c71389c493adb444fd52333e72c2dc Author: Adriana Kobylak Date: Fri Sep 16 14:55:35 2022 -0500 ARM: dts: aspeed: rainier,everest: Move reserved memory regions [ Upstream commit e184d42a6e085f95f5c4f1a4fbabebab2984cb68 ] Move the reserved regions to account for a decrease in DRAM when ECC is enabled. ECC takes 1/9th of memory. Running on HW with ECC off, u-boot prints: DRAM: already initialized, 1008 MiB (capacity:1024 MiB, VGA:16 MiB, ECC:off) And with ECC on, u-boot prints: DRAM: already initialized, 896 MiB (capacity:1024 MiB, VGA:16 MiB, ECC:on, ECC size:896 MiB) This implies that MCR54 is configured for ECC to be bounded at the bottom of a 16MiB VGA memory region: 1024MiB - 16MiB (VGA) = 1008MiB 1008MiB / 9 (for ECC) = 112MiB 1008MiB - 112MiB = 896MiB (available DRAM) The flash_memory region currently starts at offset 896MiB: 0xb8000000 (flash_memory offset) - 0x80000000 (base memory address) = 0x38000000 = 896MiB This is the end of the available DRAM with ECC enabled and therefore it needs to be moved. Since the flash_memory is 64MiB in size and needs to be 64MiB aligned, it can just be moved up by 64MiB and would sit right at the end of the available DRAM buffer. The ramoops region currently follows the flash_memory, but it can be moved to sit above flash_memory which would minimize the address-space fragmentation. Signed-off-by: Adriana Kobylak Reviewed-by: Andrew Jeffery Link: https://lore.kernel.org/r/20220916195535.1020185-1-anoo@linux.ibm.com Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 992469fb6ca0c7edf9dbf4af5cbba4b62358eea5 Author: Mark Rutland Date: Mon Nov 14 14:40:42 2022 +0000 arm64: make is_ttbrX_addr() noinstr-safe [ Upstream commit d8c1d798a2e5091128c391c6dadcc9be334af3f5 ] We use is_ttbr0_addr() in noinstr code, but as it's only marked as inline, it's theoretically possible for the compiler to place it out-of-line and instrument it, which would be problematic. Mark is_ttbr0_addr() as __always_inline such that that can safely be used from noinstr code. For consistency, do the same to is_ttbr1_addr(). Note that while is_ttbr1_addr() calls arch_kasan_reset_tag(), this is a macro (and its callees are either macros or __always_inline), so there is not a risk of transient instrumentation. Signed-off-by: Mark Rutland Cc: Catalin Marinas Cc: Will Deacon Link: https://lore.kernel.org/r/20221114144042.3001140-1-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 80a3e7ab477b3655615fc1627c88c248d4ad28d9 Author: Zqiang Date: Thu Oct 13 12:41:48 2022 +0800 rcu: Fix __this_cpu_read() lockdep warning in rcu_force_quiescent_state() [ Upstream commit ceb1c8c9b8aa9199da46a0f29d2d5f08d9b44c15 ] Running rcutorture with non-zero fqs_duration module parameter in a kernel built with CONFIG_PREEMPTION=y results in the following splat: BUG: using __this_cpu_read() in preemptible [00000000] code: rcu_torture_fqs/398 caller is __this_cpu_preempt_check+0x13/0x20 CPU: 3 PID: 398 Comm: rcu_torture_fqs Not tainted 6.0.0-rc1-yoctodev-standard+ Call Trace: dump_stack_lvl+0x5b/0x86 dump_stack+0x10/0x16 check_preemption_disabled+0xe5/0xf0 __this_cpu_preempt_check+0x13/0x20 rcu_force_quiescent_state.part.0+0x1c/0x170 rcu_force_quiescent_state+0x1e/0x30 rcu_torture_fqs+0xca/0x160 ? rcu_torture_boost+0x430/0x430 kthread+0x192/0x1d0 ? kthread_complete_and_exit+0x30/0x30 ret_from_fork+0x22/0x30 The problem is that rcu_force_quiescent_state() uses __this_cpu_read() in preemptible code instead of the proper raw_cpu_read(). This commit therefore changes __this_cpu_read() to raw_cpu_read(). Signed-off-by: Zqiang Reviewed-by: Joel Fernandes (Google) Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit 1373e1b7206de7464b266475def8925afc54cdd5 Author: Wei Fang Date: Mon Dec 19 10:27:55 2022 +0800 net: fec: check the return value of build_skb() [ Upstream commit 19e72b064fc32cd58f6fc0b1eb64ac2e4f770e76 ] The build_skb might return a null pointer but there is no check on the return value in the fec_enet_rx_queue(). So a null pointer dereference might occur. To avoid this, we check the return value of build_skb. If the return value is a null pointer, the driver will recycle the page and update the statistic of ndev. Then jump to rx_processing_done to clear the status flags of the BD so that the hardware can recycle the BD. Fixes: 95698ff6177b ("net: fec: using page pool to manage RX buffers") Signed-off-by: Wei Fang Reviewed-by: Shenwei Wang Reviewed-by: Alexander Duyck Link: https://lore.kernel.org/r/20221219022755.1047573-1-wei.fang@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 8a37cf11dc78b71a5e0ef18aa33af41415b5ca38 Author: Jiasheng Jiang Date: Tue Dec 20 10:49:21 2022 +0800 HID: amd_sfh: Add missing check for dma_alloc_coherent [ Upstream commit 53ffa6a9f83b2170c60591da1ead8791d5a42e81 ] Add check for the return value of the dma_alloc_coherent since it may return NULL pointer if allocation fails. Fixes: 4b2c53d93a4b ("SFH:Transport Driver to add support of AMD Sensor Fusion Hub (SFH)") Signed-off-by: Jiasheng Jiang Acked-by: Basavaraj Natikar Signed-off-by: Benjamin Tissoires Link: https://lore.kernel.org/r/20221220024921.21992-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit 7b606804bbf0808e7f0c23a96e9c8446bbfbadf8 Author: Matt Johnston Date: Thu Dec 15 13:49:33 2022 +0800 mctp: Remove device type check at unregister [ Upstream commit b389a902dd5be4ece505a2e0463b9b034de04bf5 ] The unregister check could be incorrectly triggered if a netdev changes its type after register. That is possible for a tun device using TUNSETLINK ioctl, resulting in mctp unregister failing and the netdev unregister waiting forever. This was encountered by https://github.com/openthread/openthread/issues/8523 Neither check at register or unregister is required. They were added in an attempt to track down mctp_ptr being set unexpectedly, which should not happen in normal operation. Fixes: 7b1871af75f3 ("mctp: Warn if pointer is set for a wrong dev type") Signed-off-by: Matt Johnston Link: https://lore.kernel.org/r/20221215054933.2403401-1-matt@codeconstruct.com.au Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 96ea05df9ed54895f8e459029b50066c0dc18086 Author: Arun Ramadoss Date: Tue Dec 13 15:44:40 2022 +0530 net: dsa: microchip: remove IRQF_TRIGGER_FALLING in request_threaded_irq [ Upstream commit 62e027fb0e5293d95e8d36655757ef4687c8795d ] KSZ swithes used interrupts for detecting the phy link up and down. During registering the interrupt handler, it used IRQF_TRIGGER_FALLING flag. But this flag has to be retrieved from device tree instead of hard coding in the driver, so removing the flag. Fixes: ff319a644829 ("net: dsa: microchip: move interrupt handling logic from lan937x to ksz_common") Reported-by: Christian Eggers Signed-off-by: Arun Ramadoss Link: https://lore.kernel.org/r/20221213101440.24667-1-arun.ramadoss@microchip.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ae6fb31c0086dfe468a63c346ff55a86ed9950c7 Author: Paulo Alcantara Date: Mon Dec 19 10:21:50 2022 -0300 cifs: don't leak -ENOMEM in smb2_open_file() [ Upstream commit f60ffa662d1427cfd31fe9d895c3566ac50bfe52 ] A NULL error response might be a valid case where smb2_reconnect() failed to reconnect the session and tcon due to a disconnected server prior to issuing the I/O operation, so don't leak -ENOMEM to userspace on such occasions. Fixes: 76894f3e2f71 ("cifs: improve symlink handling for smb2+") Signed-off-by: Paulo Alcantara (SUSE) Signed-off-by: Steve French Signed-off-by: Sasha Levin commit a37f6d5541b29adab22a7de8e39872b32cdcf914 Author: Jeremy Kerr Date: Fri Dec 16 11:44:09 2022 +0800 mctp: serial: Fix starting value for frame check sequence [ Upstream commit 2856a62762c8409e360d4fd452194c8e57ba1058 ] RFC1662 defines the start state for the crc16 FCS to be 0xffff, but we're currently starting at zero. This change uses the correct start state. We're only early in the adoption for the serial binding, so there aren't yet any other users to interface to. Fixes: a0c2ccd9b5ad ("mctp: Add MCTP-over-serial transport binding") Reported-by: Harsh Tyagi Tested-by: Harsh Tyagi Signed-off-by: Jeremy Kerr Reviewed-by: Alexander Duyck Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit b458d349f8753f666233828ebd30df6f100cf7d5 Author: Eric Dumazet Date: Fri Dec 16 16:29:17 2022 +0000 net: stream: purge sk_error_queue in sk_stream_kill_queues() [ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ] Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers. Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()") Reported-by: Changheon Lee Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 70c8fcab6bf205c104987908cc6a421fcf572649 Author: Christophe JAILLET Date: Sun Dec 18 19:08:40 2022 +0100 myri10ge: Fix an error handling path in myri10ge_probe() [ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ] Some memory allocated in myri10ge_probe_slices() is not released in the error handling path of myri10ge_probe(). Add the corresponding kfree(), as already done in the remove function. Fixes: 0dcffac1a329 ("myri10ge: add multislices support") Signed-off-by: Christophe JAILLET Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7d88da597173beb3b45a71008db72b174a2e339b Author: David Howells Date: Thu Dec 15 16:19:47 2022 +0000 rxrpc: Fix missing unlock in rxrpc_do_sendmsg() [ Upstream commit 4feb2c44629e6f9b459b41a5a60491069d346a95 ] One of the error paths in rxrpc_do_sendmsg() doesn't unlock the call mutex before returning. Fix it to do this. Note that this still doesn't get rid of the checker warning: ../net/rxrpc/sendmsg.c:617:5: warning: context imbalance in 'rxrpc_do_sendmsg' - wrong count at exit I think the interplay between the socket lock and the call's user_mutex may be too complicated for checker to analyse, especially as rxrpc_new_client_call_for_sendmsg(), which it calls, returns with the call's user_mutex if successful but unconditionally drops the socket lock. Fixes: e754eba685aa ("rxrpc: Provide a cmsg to specify the amount of Tx data for a call") Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 233bfb28d0fab89ea4d14a05825812622d3f46cc Author: Cong Wang Date: Sat Dec 17 14:17:07 2022 -0800 net_sched: reject TCF_EM_SIMPLE case for complex ematch module [ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ] When TCF_EM_SIMPLE was introduced, it is supposed to be convenient for ematch implementation: https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/ "You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE set will simply result in allocating & copy. It's an optimization, nothing more." So if an ematch module provides ops->datalen that means it wants a complex data structure (saved in its em->data) instead of a simple u32 value. We should simply reject such a combination, otherwise this u32 could be misinterpreted as a pointer. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com Reported-by: Jun Nie Cc: Jamal Hadi Salim Cc: Paolo Abeni Signed-off-by: Cong Wang Acked-by: Paolo Abeni Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 3fcf079958c00d83c51e4f250abf2c77fe9cc1b9 Author: Yang Yingliang Date: Thu Nov 10 23:08:22 2022 +0800 mailbox: zynq-ipi: fix error handling while device_register() fails [ Upstream commit a6792a0cdef0b1c2d77920246283a72537e60e94 ] If device_register() fails, it has two issues: 1. The name allocated by dev_set_name() is leaked. 2. The parent of device is not NULL, device_unregister() is called in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because of removing not added device. Call put_device() to give up the reference, so the name is freed in kobject_cleanup(). Add device registered check in zynqmp_ipi_free_mboxes() to avoid null-ptr-deref. Fixes: 4981b82ba2ff ("mailbox: ZynqMP IPI mailbox controller") Signed-off-by: Yang Yingliang Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit 525e54789c2bd75723556f5b27d40d4cbfe6493d Author: Yang Yingliang Date: Fri Nov 25 14:35:48 2022 +0800 mailbox: arm_mhuv2: Fix return value check in mhuv2_probe() [ Upstream commit 165b7643f2df890066b1b4e8a387888a600ca9bf ] If devm_of_iomap() fails, it returns ERR_PTR() and never return NULL, so replace NULL pointer check with IS_ERR() to fix this problem. Fixes: 5a6338cce9f4 ("mailbox: arm_mhuv2: Add driver") Signed-off-by: Yang Yingliang Acked-by: Viresh Kumar Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit cca61191a89470972b52ea583d3b8fd23072a148 Author: Conor Dooley Date: Wed Nov 23 17:56:52 2022 +0000 mailbox: mpfs: read the system controller's status [ Upstream commit ab47d0bfdf88faac0eb02749e5bfaa306e004300 ] Some services explicitly return an error code in their response, but others rely on the system controller to set a status in its status register. The meaning of the bits varies based on what service is requested, so pass it back up to the driver that requested the service in the first place. The field in the message struct already existed, but was unused until now. If the system controller is busy, in which case we should never actually be in the interrupt handler, or if the service fails the mailbox itself should not be read. Callers should check the status before operating on the response. There's an existing, but unused, #define for the mailbox mask - but it was incorrect. It was doing a GENMASK_ULL(32, 16) which should've just been a GENMASK(31, 16), so fix that up and start using it. Fixes: 83d7b1560810 ("mbox: add polarfire soc system controller mailbox") Signed-off-by: Conor Dooley Reviewed-by: Palmer Dabbelt Signed-off-by: Jassi Brar Signed-off-by: Sasha Levin commit 331615d837f4979eb91a336a223a5c7f7886ecd5 Author: Subash Abhinov Kasiviswanathan Date: Wed Dec 14 23:11:58 2022 -0700 skbuff: Account for tail adjustment during pull operations [ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ] Extending the tail can have some unexpected side effects if a program uses a helper like BPF_FUNC_skb_pull_data to read partial content beyond the head skb headlen when all the skbs in the gso frag_list are linear with no head_frag - kernel BUG at net/core/skbuff.c:4219! pc : skb_segment+0xcf4/0xd2c lr : skb_segment+0x63c/0xd2c Call trace: skb_segment+0xcf4/0xd2c __udp_gso_segment+0xa4/0x544 udp4_ufo_fragment+0x184/0x1c0 inet_gso_segment+0x16c/0x3a4 skb_mac_gso_segment+0xd4/0x1b0 __skb_gso_segment+0xcc/0x12c udp_rcv_segment+0x54/0x16c udp_queue_rcv_skb+0x78/0x144 udp_unicast_rcv_skb+0x8c/0xa4 __udp4_lib_rcv+0x490/0x68c udp_rcv+0x20/0x30 ip_protocol_deliver_rcu+0x1b0/0x33c ip_local_deliver+0xd8/0x1f0 ip_rcv+0x98/0x1a4 deliver_ptype_list_skb+0x98/0x1ec __netif_receive_skb_core+0x978/0xc60 Fix this by marking these skbs as GSO_DODGY so segmentation can handle the tail updates accordingly. Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list") Signed-off-by: Sean Tranchetti Signed-off-by: Subash Abhinov Kasiviswanathan Reviewed-by: Alexander Duyck Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit ce321a1cd66beba6bdfda4136b34ff19e8716a53 Author: Jakub Kicinski Date: Thu Dec 15 20:41:22 2022 -0800 devlink: protect devlink dump by the instance lock [ Upstream commit 214964a13ab56a9757d146b79b468a7ca190fbfb ] Take the instance lock around devlink_nl_fill() when dumping, doit takes it already. We are only dumping basic info so in the worst case we were risking data races around the reload statistics. Until the big devlink mutex was removed all relevant code was protected by it, so the missing instance lock was not exposed. Fixes: d3efc2a6a6d8 ("net: devlink: remove devlink_mutex") Reviewed-by: Jiri Pirko Reviewed-by: Jacob Keller Link: https://lore.kernel.org/r/20221216044122.1863550-1-kuba@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2838f0736cf0df0890726de19527b872377bf2d4 Author: Chen-Yu Tsai Date: Tue Sep 27 12:11:19 2022 +0200 arm64: dts: mt8183: Fix Mali GPU clock [ Upstream commit ad2631b5645a1d0ca9bf6fecf71f77e3b0071ee5 ] The actual clock feeding into the Mali GPU on the MT8183 is from the clock gate in the MFGCFG block, not CLK_TOP_MFGPLL_CK from the TOPCKGEN block, which itself is simply a pass-through placeholder for the MFGPLL in the APMIXEDSYS block. Fix the hardware description with the correct clock reference. Fixes: a8168cebf1bc ("arm64: dts: mt8183: Add node for the Mali GPU") Signed-off-by: Chen-Yu Tsai Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: AngeloGioacchino Del Regno Tested-by: Nícolas F. R. A. Prado Link: https://lore.kernel.org/r/20220927101128.44758-2-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 6207862836aef87c2531dba2f686164b69675543 Author: Chun-Jie Chen Date: Fri Oct 14 18:20:29 2022 +0800 soc: mediatek: pm-domains: Fix the power glitch issue [ Upstream commit dba8eb83af9dd757ef645b52200775e86883d858 ] Power reset maybe generate unexpected signal. In order to avoid the glitch issue, we need to enable isolation first to guarantee the stable signal when power reset is triggered. Fixes: 59b644b01cf4 ("soc: mediatek: Add MediaTek SCPSYS power domains") Signed-off-by: Chun-Jie Chen Signed-off-by: Allen-KH Cheng Reviewed-by: Chen-Yu Tsai Reviewed-by: Miles Chen Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221014102029.1162-1-allen-kh.cheng@mediatek.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 32d5fa5bdccec2361fc6c4ed05a7367155b3a1e9 Author: Eelco Chaudron Date: Thu Dec 15 15:46:33 2022 +0100 openvswitch: Fix flow lookup to use unmasked key [ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ] The commit mentioned below causes the ovs_flow_tbl_lookup() function to be called with the masked key. However, it's supposed to be called with the unmasked key. This due to the fact that the datapath supports installing wider flows, and OVS relies on this behavior. For example if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/ 128.0.0.0) is allowed to be added. However, if we try to add a wildcard rule, the installation fails: $ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2 $ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2 ovs-vswitchd: updating flow table (File exists) The reason is that the key used to determine if the flow is already present in the system uses the original key ANDed with the mask. This results in the IP address not being part of the (miniflow) key, i.e., being substituted with an all-zero value. When doing the actual lookup, this results in the key wrongfully matching the first flow, and therefore the flow does not get installed. This change reverses the commit below, but rather than having the key on the stack, it's allocated. Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.") Signed-off-by: Eelco Chaudron Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit a02f965d828f8ff6be4ac2a78c323a930219949f Author: Jakub Kicinski Date: Wed Dec 14 18:01:01 2022 -0800 selftests: devlink: fix the fd redirect in dummy_reporter_test [ Upstream commit 2fc60e2ff972d3dca836bff0b08cbe503c4ca1ce ] $number + > bash means redirect FD $number, e.g. commonly used 2> redirects stderr (fd 2). The test uses 8192> to write the number 8192 to a file, this results in: ./devlink.sh: line 499: 8192: Bad file descriptor Oddly the test also papers over this issue by checking for failure (expecting an error rather than success) so it passes, anyway. Fixes: ff18176ad806 ("selftests: Add a test of large binary to devlink health test") Signed-off-by: Jakub Kicinski Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6298cab4d80bfdb6fe01fe31fd9f0ba26317fdae Author: Jakub Kicinski Date: Wed Dec 14 18:01:00 2022 -0800 devlink: hold region lock when flushing snapshots [ Upstream commit b4cafb3d2c740f8d1b1234b43ac4a60e5291c960 ] Netdevsim triggers a splat on reload, when it destroys regions with snapshots pending: WARNING: CPU: 1 PID: 787 at net/core/devlink.c:6291 devlink_region_snapshot_del+0x12e/0x140 CPU: 1 PID: 787 Comm: devlink Not tainted 6.1.0-07460-g7ae9888d6e1c #580 RIP: 0010:devlink_region_snapshot_del+0x12e/0x140 Call Trace: devl_region_destroy+0x70/0x140 nsim_dev_reload_down+0x2f/0x60 [netdevsim] devlink_reload+0x1f7/0x360 devlink_nl_cmd_reload+0x6ce/0x860 genl_family_rcv_msg_doit.isra.0+0x145/0x1c0 This is the locking assert in devlink_region_snapshot_del(), we're supposed to be holding the region->snapshot_lock here. Fixes: 2dec18ad826f ("net: devlink: remove region snapshots list dependency on devlink->lock") Signed-off-by: Jakub Kicinski Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 71e00044628125f9ff8d3114edf1f05baed8f529 Author: GUO Zihua Date: Tue Nov 22 16:50:46 2022 +0800 rtc: mxc_v2: Add missing clk_disable_unprepare() [ Upstream commit 55d5a86618d3b1a768bce01882b74cbbd2651975 ] The call to clk_disable_unprepare() is left out in the error handling of devm_rtc_allocate_device. Add it back. Fixes: 5490a1e018a4 ("rtc: mxc_v2: fix possible race condition") Signed-off-by: GUO Zihua Link: https://lore.kernel.org/r/20221122085046.21689-1-guozihua@huawei.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit a7316d07f0874a7c34437e973cdbcd017eee0b89 Author: Tan Tee Min Date: Fri Dec 9 12:15:22 2022 +0800 igc: Set Qbv start_time and end_time to end_time if not being configured in GCL [ Upstream commit 72abeedd83982c1bc6023f631e412db78374d9b4 ] The default setting of end_time minus start_time is whole 1 second. Thus, if it's not being configured in any GCL entry then it will be staying at original 1 second. This patch is changing the start_time and end_time to be end_time as if setting zero will be having weird HW behavior where the gate will not be fully closed. Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading") Signed-off-by: Tan Tee Min Signed-off-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 4a3c071ff325b852755d230c4251f0dd2567f2bf Author: Tan Tee Min Date: Fri Dec 9 12:15:21 2022 +0800 igc: recalculate Qbv end_time by considering cycle time [ Upstream commit 6d05251d537a4d3835959a8cdd8cbbbdcdc0c904 ] Qbv users can specify a cycle time that is not equal to the total GCL intervals. Hence, recalculation is necessary here to exclude the time interval that exceeds the cycle time. As those GCL which exceeds the cycle time will be truncated. According to IEEE Std. 802.1Q-2018 section 8.6.9.2, once the end of the list is reached, it will switch to the END_OF_CYCLE state and leave the gates in the same state until the next cycle is started. Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading") Signed-off-by: Tan Tee Min Signed-off-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit e0d11cda89a2ff4eee1e7220a61653709d878325 Author: Tan Tee Min Date: Fri Dec 9 12:15:20 2022 +0800 igc: allow BaseTime 0 enrollment for Qbv [ Upstream commit e17090eb24944fbbe1f24d9f336d7bad4fbe47e8 ] Introduce qbv_enable flag in igc_adapter struct to store the Qbv on/off. So this allow the BaseTime to enroll with zero value. Fixes: 61572d5f8f91 ("igc: Simplify TSN flags handling") Signed-off-by: Muhammad Husaini Zulkifli Signed-off-by: Tan Tee Min Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 3770bdee96402e1a94df55f8b1d6d34b4dac03ba Author: Muhammad Husaini Zulkifli Date: Fri Dec 9 12:15:19 2022 +0800 igc: Add checking for basetime less than zero [ Upstream commit 3b61764fb49a6e147ac90d71dccdddc9d5508ba1 ] Using the tc qdisc command, the user can set basetime to any value. Checking should be done on the driver's side to prevent registering basetime values that are less than zero. Fixes: ec50a9d437f0 ("igc: Add support for taprio offloading") Signed-off-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 94a033ae7d77fdec09106aac7018a20a8cb80354 Author: Vinicius Costa Gomes Date: Fri Dec 9 12:15:18 2022 +0800 igc: Use strict cycles for Qbv scheduling [ Upstream commit d8f45be01dd9381065a3778a579385249ed011dc ] Configuring strict cycle mode in the controller forces more well behaved transmissions when taprio is offloaded. When set this strict_cycle and strict_end, transmission is not enabled if the whole packet cannot be completed before end of the Qbv cycle. Fixes: 82faa9b79950 ("igc: Add support for ETF offloading") Signed-off-by: Vinicius Costa Gomes Signed-off-by: Aravindhan Gunasekaran Signed-off-by: Muhammad Husaini Zulkifli Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit 99dd830903d6167594001d1254cf93a7150b92dc Author: Vinicius Costa Gomes Date: Fri Dec 9 12:15:17 2022 +0800 igc: Enhance Qbv scheduling by using first flag bit [ Upstream commit db0b124f02ba68de6517ac303d431af220ccfe9f ] The I225 hardware has a limitation that packets can only be scheduled in the [0, cycle-time] interval. So, scheduling a packet to the start of the next cycle doesn't usually work. To overcome this, we use the Transmit Descriptor first flag to indicates that a packet should be the first packet (from a queue) in a cycle according to the section 7.5.2.9.3.4 The First Packet on Each QBV Cycle in Intel Discrete I225/6 User Manual. But this only works if there was any packet from that queue during the current cycle, to avoid this issue, we issue an empty packet if that's not the case. Also require one more descriptor to be available, to take into account the empty packet that might be issued. Test Setup: Talker: Use l2_tai to generate the launchtime into packet load. Listener: Use timedump.c to compute the delta between packet arrival and LaunchTime packet payload. Test Result: Before: 1666000610127300000,1666000610127300096,96,621273 1666000610127400000,1666000610127400192,192,621274 1666000610127500000,1666000610127500032,32,621275 1666000610127600000,1666000610127600128,128,621276 1666000610127700000,1666000610127700224,224,621277 1666000610127800000,1666000610127800064,64,621278 1666000610127900000,1666000610127900160,160,621279 1666000610128000000,1666000610128000000,0,621280 1666000610128100000,1666000610128100096,96,621281 1666000610128200000,1666000610128200192,192,621282 1666000610128300000,1666000610128300032,32,621283 1666000610128400000,1666000610128301056,-98944,621284 1666000610128500000,1666000610128302080,-197920,621285 1666000610128600000,1666000610128302848,-297152,621286 1666000610128700000,1666000610128303872,-396128,621287 1666000610128800000,1666000610128304896,-495104,621288 1666000610128900000,1666000610128305664,-594336,621289 1666000610129000000,1666000610128306688,-693312,621290 1666000610129100000,1666000610128307712,-792288,621291 1666000610129200000,1666000610128308480,-891520,621292 1666000610129300000,1666000610128309504,-990496,621293 1666000610129400000,1666000610128310528,-1089472,621294 1666000610129500000,1666000610128311296,-1188704,621295 1666000610129600000,1666000610128312320,-1287680,621296 1666000610129700000,1666000610128313344,-1386656,621297 1666000610129800000,1666000610128314112,-1485888,621298 1666000610129900000,1666000610128315136,-1584864,621299 1666000610130000000,1666000610128316160,-1683840,621300 1666000610130100000,1666000610128316928,-1783072,621301 1666000610130200000,1666000610128317952,-1882048,621302 1666000610130300000,1666000610128318976,-1981024,621303 1666000610130400000,1666000610128319744,-2080256,621304 1666000610130500000,1666000610128320768,-2179232,621305 1666000610130600000,1666000610128321792,-2278208,621306 1666000610130700000,1666000610128322816,-2377184,621307 1666000610130800000,1666000610128323584,-2476416,621308 1666000610130900000,1666000610128324608,-2575392,621309 1666000610131000000,1666000610128325632,-2674368,621310 1666000610131100000,1666000610128326400,-2773600,621311 1666000610131200000,1666000610128327424,-2872576,621312 1666000610131300000,1666000610128328448,-2971552,621313 1666000610131400000,1666000610128329216,-3070784,621314 1666000610131500000,1666000610131500032,32,621315 1666000610131600000,1666000610131600128,128,621316 1666000610131700000,1666000610131700224,224,621317 After: 1666073510646200000,1666073510646200064,64,2676462 1666073510646300000,1666073510646300160,160,2676463 1666073510646400000,1666073510646400256,256,2676464 1666073510646500000,1666073510646500096,96,2676465 1666073510646600000,1666073510646600192,192,2676466 1666073510646700000,1666073510646700032,32,2676467 1666073510646800000,1666073510646800128,128,2676468 1666073510646900000,1666073510646900224,224,2676469 1666073510647000000,1666073510647000064,64,2676470 1666073510647100000,1666073510647100160,160,2676471 1666073510647200000,1666073510647200256,256,2676472 1666073510647300000,1666073510647300096,96,2676473 1666073510647400000,1666073510647400192,192,2676474 1666073510647500000,1666073510647500032,32,2676475 1666073510647600000,1666073510647600128,128,2676476 1666073510647700000,1666073510647700224,224,2676477 1666073510647800000,1666073510647800064,64,2676478 1666073510647900000,1666073510647900160,160,2676479 1666073510648000000,1666073510648000000,0,2676480 1666073510648100000,1666073510648100096,96,2676481 1666073510648200000,1666073510648200192,192,2676482 1666073510648300000,1666073510648300032,32,2676483 1666073510648400000,1666073510648400128,128,2676484 1666073510648500000,1666073510648500224,224,2676485 1666073510648600000,1666073510648600064,64,2676486 1666073510648700000,1666073510648700160,160,2676487 1666073510648800000,1666073510648800000,0,2676488 1666073510648900000,1666073510648900096,96,2676489 1666073510649000000,1666073510649000192,192,2676490 1666073510649100000,1666073510649100032,32,2676491 1666073510649200000,1666073510649200128,128,2676492 1666073510649300000,1666073510649300224,224,2676493 1666073510649400000,1666073510649400064,64,2676494 1666073510649500000,1666073510649500160,160,2676495 1666073510649600000,1666073510649600000,0,2676496 1666073510649700000,1666073510649700096,96,2676497 1666073510649800000,1666073510649800192,192,2676498 1666073510649900000,1666073510649900032,32,2676499 1666073510650000000,1666073510650000128,128,2676500 Fixes: 82faa9b79950 ("igc: Add support for ETF offloading") Signed-off-by: Vinicius Costa Gomes Co-developed-by: Aravindhan Gunasekaran Signed-off-by: Aravindhan Gunasekaran Co-developed-by: Muhammad Husaini Zulkifli Signed-off-by: Muhammad Husaini Zulkifli Signed-off-by: Malli C Tested-by: Naama Meir Signed-off-by: Tony Nguyen Signed-off-by: Sasha Levin commit c13d65dca354a998f648359fcacdcc0a2c586775 Author: Vladimir Oltean Date: Wed Dec 14 13:01:20 2022 +0200 net: dsa: mv88e6xxx: avoid reg_lock deadlock in mv88e6xxx_setup_port() [ Upstream commit a7d82367daa6baa5e8399e6327e7f2f463534505 ] In the blamed commit, it was not noticed that one implementation of chip->info->ops->phylink_get_caps(), called by mv88e6xxx_get_caps(), may access hardware registers, and in doing so, it takes the mv88e6xxx_reg_lock(). Namely, this is mv88e6352_phylink_get_caps(). This is a problem because mv88e6xxx_get_caps(), apart from being a top-level function (method invoked by dsa_switch_ops), is now also directly called from mv88e6xxx_setup_port(), which runs under the mv88e6xxx_reg_lock() taken by mv88e6xxx_setup(). Therefore, when running on mv88e6352, the reg_lock would be acquired a second time and the system would deadlock on driver probe. The things that mv88e6xxx_setup() can compete with in terms of register access with are the IRQ handlers and MDIO bus operations registered by mv88e6xxx_probe(). So there is a real need to acquire the register lock. The register lock can, in principle, be dropped and re-acquired pretty much at will within the driver, as long as no operations that involve waiting for indirect access to complete (essentially, callers of mv88e6xxx_smi_direct_wait() and mv88e6xxx_wait_mask()) are interrupted with the lock released. However, I would guess that in mv88e6xxx_setup(), the critical section is kept open for such a long time just in order to optimize away multiple lock/unlock operations on the registers. We could, in principle, drop the reg_lock right before the mv88e6xxx_setup_port() -> mv88e6xxx_get_caps() call, and re-acquire it immediately afterwards. But this would look ugly, because mv88e6xxx_setup_port() would release a lock which it didn't acquire, but the caller did. A cleaner solution to this issue comes from the observation that struct mv88e6xxxx_ops methods generally assume they are called with the reg_lock already acquired. Whereas mv88e6352_phylink_get_caps() is more the exception rather than the norm, in that it acquires the lock itself. Let's enforce the same locking pattern/convention for chip->info->ops->phylink_get_caps() as well, and make mv88e6xxx_get_caps(), the top-level function, acquire the register lock explicitly, for this one implementation that will access registers for port 4 to work properly. This means that mv88e6xxx_setup_port() will no longer call the top-level function, but the low-level mv88e6xxx_ops method which expects the correct calling context (register lock held). Compared to chip->info->ops->phylink_get_caps(), mv88e6xxx_get_caps() also fixes up the supported_interfaces bitmap for internal ports, since that can be done generically and does not require per-switch knowledge. That's code which will no longer execute, however mv88e6xxx_setup_port() doesn't need that. It just needs to look at the mac_capabilities bitmap. Fixes: cc1049ccee20 ("net: dsa: mv88e6xxx: fix speed setting for CPU/DSA ports") Reported-by: Maksim Kiselev Signed-off-by: Vladimir Oltean Tested-by: Maksim Kiselev Link: https://lore.kernel.org/r/20221214110120.3368472-1-vladimir.oltean@nxp.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 5944c25c67de54e0aa53623e1e1af3bf8b16ed44 Author: Li Zetao Date: Tue Dec 13 20:56:14 2022 +0800 r6040: Fix kmemleak in probe and remove [ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ] There is a memory leaks reported by kmemleak: unreferenced object 0xffff888116111000 (size 2048): comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s) hex dump (first 32 bytes): 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................ 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc_trace+0x22/0x60 [] phy_device_create+0x4e/0x90 [] get_phy_device+0xd2/0x220 [] mdiobus_scan+0xa4/0x2e0 [] __mdiobus_register+0x482/0x8b0 [] r6040_init_one+0x714/0xd2c [r6040] ... The problem occurs in probe process as follows: r6040_init_one: mdiobus_register mdiobus_scan <- alloc and register phy_device, the reference count of phy_device is 3 r6040_mii_probe phy_connect <- connect to the first phy_device, so the reference count of the first phy_device is 4, others are 3 register_netdev <- fault inject succeeded, goto error handling path // error handling path err_out_mdio_unregister: mdiobus_unregister(lp->mii_bus); err_out_mdio: mdiobus_free(lp->mii_bus); <- the reference count of the first phy_device is 1, it is not released and other phy_devices are released // similarly, the remove process also has the same problem The root cause is traced to the phy_device is not disconnected when removes one r6040 device in r6040_remove_one() or on error handling path after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet device is connected to the first PHY device of mii_bus, in order to notify the connected driver when the link status changes, which is the default behavior of the PHY infrastructure to handle everything. Therefore the phy_device should be disconnected when removes one r6040 device or on error handling path. Fix it by adding phy_disconnect() when removes one r6040 device or on error handling path after r6040_mii probed successfully. Fixes: 3831861b4ad8 ("r6040: implement phylib") Signed-off-by: Li Zetao Reviewed-by: Leon Romanovsky Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 1d033ec2d1794c44c793296f1c92003060c143ee Author: Kirill Tkhai Date: Tue Dec 13 00:05:53 2022 +0300 unix: Fix race in SOCK_SEQPACKET's unix_dgram_sendmsg() [ Upstream commit 3ff8bff704f4de125dca2262e5b5b963a3da1d87 ] There is a race resulting in alive SOCK_SEQPACKET socket may change its state from TCP_ESTABLISHED to TCP_CLOSE: unix_release_sock(peer) unix_dgram_sendmsg(sk) sock_orphan(peer) sock_set_flag(peer, SOCK_DEAD) sock_alloc_send_pskb() if !(sk->sk_shutdown & SEND_SHUTDOWN) OK if sock_flag(peer, SOCK_DEAD) sk->sk_state = TCP_CLOSE sk->sk_shutdown = SHUTDOWN_MASK After that socket sk remains almost normal: it is able to connect, listen, accept and recvmsg, while it can't sendmsg. Since this is the only possibility for alive SOCK_SEQPACKET to change the state in such way, we should better fix this strange and potentially danger corner case. Note, that we will return EPIPE here like this is normally done in sock_alloc_send_pskb(). Originally used ECONNREFUSED looks strange, since it's strange to return a specific retval in dependence of race in kernel, when user can't affect on this. Also, move TCP_CLOSE assignment for SOCK_DGRAM sockets under state lock to fix race with unix_dgram_connect(): unix_dgram_connect(other) unix_dgram_sendmsg(sk) unix_peer(sk) = NULL unix_state_unlock(sk) unix_state_double_lock(sk, other) sk->sk_state = TCP_ESTABLISHED unix_peer(sk) = other unix_state_double_unlock(sk, other) sk->sk_state = TCP_CLOSED This patch fixes both of these races. Fixes: 83301b5367a9 ("af_unix: Set TCP_ESTABLISHED for datagram sockets too") Signed-off-by: Kirill Tkhai Link: https://lore.kernel.org/r/135fda25-22d5-837a-782b-ceee50e19844@ya.ru Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit e491285b4d08884b622638be8e4961eb43b0af64 Author: Minsuk Kang Date: Wed Dec 14 10:51:39 2022 +0900 nfc: pn533: Clear nfc_target before being used [ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ] Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used. Found by a modified version of syzkaller. BUG: KASAN: slab-out-of-bounds in nla_put Call Trace: memcpy nla_put nfc_genl_dump_targets genl_lock_dumpit netlink_dump __netlink_dump_start genl_family_rcv_msg_dumpit genl_rcv_msg netlink_rcv_skb genl_rcv netlink_unicast netlink_sendmsg sock_sendmsg ____sys_sendmsg ___sys_sendmsg __sys_sendmsg do_syscall_64 Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection") Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533") Signed-off-by: Minsuk Kang Reviewed-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 306526331e7a37e714e11ab7c6d73eb004745224 Author: Vladimir Oltean Date: Tue Dec 13 02:19:08 2022 +0200 net: enetc: avoid buffer leaks on xdp_do_redirect() failure [ Upstream commit 628050ec952d2e2e46ec9fb6aa07e41139e030c8 ] Before enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software BD in the RX ring between index orig_i and i can have one of 2 refcount values on its page. We are the owner of the current buffer that is being processed, so the refcount will be at least 1. If the current owner of the buffer at the diametrically opposed index in the RX ring (i.o.w, the other half of this page) has not yet called kfree(), this page's refcount could even be 2. enetc_page_reusable() in enetc_flip_rx_buff() tests for the page refcount against 1, and [ if it's 2 ] does not attempt to reuse it. But if enetc_flip_rx_buff() is put after the xdp_do_redirect() call, the page refcount can have one of 3 values. It can also be 0, if there is no owner of the other page half, and xdp_do_redirect() for this buffer ran so far that it triggered a flush of the devmap/cpumap bulk queue, and the consumers of those bulk queues also freed the buffer, all by the time xdp_do_redirect() returns the execution back to enetc. This is the reason why enetc_flip_rx_buff() is called before xdp_do_redirect(), but there is a big flaw with that reasoning: enetc_flip_rx_buff() will set rx_swbd->page = NULL on both sides of the enetc_page_reusable() branch, and if xdp_do_redirect() returns an error, we call enetc_xdp_free(), which does not deal gracefully with that. In fact, what happens is quite special. The page refcounts start as 1. enetc_flip_rx_buff() figures they're reusable, transfers these rx_swbd->page pointers to a different rx_swbd in enetc_reuse_page(), and bumps the refcount to 2. When xdp_do_redirect() later returns an error, we call the no-op enetc_xdp_free(), but we still haven't lost the reference to that page. A copy of it is still at rx_ring->next_to_alloc, but that has refcount 2 (and there are no concurrent owners of it in flight, to drop the refcount). What really kills the system is when we'll flip the rx_swbd->page the second time around. With an updated refcount of 2, the page will not be reusable and we'll really leak it. Then enetc_new_page() will have to allocate more pages, which will then eventually leak again on further errors from xdp_do_redirect(). The problem, summarized, is that we zeroize rx_swbd->page before we're completely done with it, and this makes it impossible for the error path to do something with it. Since the packet is potentially multi-buffer and therefore the rx_swbd->page is potentially an array, manual passing of the old pointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit difficult. For the sake of going with a simple solution, we accept the possibility of racing with xdp_do_redirect(), and we move the flip procedure to execute only on the redirect success path. By racing, I mean that the page may be deemed as not reusable by enetc (having a refcount of 0), but there will be no leak in that case, either. Once we accept that, we have something better to do with buffers on XDP_REDIRECT failure. Since we haven't performed half-page flipping yet, we won't, either (and this way, we can avoid enetc_xdp_free() completely, which gives the entire page to the slab allocator). Instead, we'll call enetc_xdp_drop(), which will recycle this half of the buffer back to the RX ring. Fixes: 9d2b68cc108d ("net: enetc: add support for XDP_REDIRECT") Suggested-by: Lorenzo Bianconi Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20221213001908.2347046-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a44053cf3b9c8e4c78929c348a1c34978d19e7b3 Author: Hans Verkuil Date: Mon Dec 12 08:32:20 2022 +0000 media: v4l2-ctrls-api.c: add back dropped ctrl->is_new = 1 [ Upstream commit 73278d483378cf850ade923a1107a70297b2602a ] The patch adding support for dynamically allocated arrays accidentally dropped the line setting ctrl->is_new to 1, thus new string values were always ignored. Fixes: fb582cba4492 ("media: v4l2-ctrls: add support for dynamically allocated arrays.") Reported-by: Alice Yuan Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6a1504dd36cd9a0a69250d61da8bdb17b29f1fe8 Author: Milan Landaverde Date: Tue Dec 13 12:57:14 2022 -0500 bpf: prevent leak of lsm program after failed attach [ Upstream commit e89f3edffb860a0f54a9ed16deadb7a4a1fa3862 ] In [0], we added the ability to bpf_prog_attach LSM programs to cgroups, but in our validation to make sure the prog is meant to be attached to BPF_LSM_CGROUP, we return too early if the check fails. This results in lack of decrementing prog's refcnt (through bpf_prog_put) leaving the LSM program alive past the point of the expected lifecycle. This fix allows for the decrement to take place. [0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@google.com/ Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor") Signed-off-by: Milan Landaverde Signed-off-by: Martin KaFai Lau Signed-off-by: Daniel Borkmann Reviewed-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20221213175714.31963-1-milan@mdaverde.com Signed-off-by: Sasha Levin commit 146891d1af80d1c66525158835f6ccefa10019b7 Author: Song Liu Date: Tue Dec 13 14:05:00 2022 -0800 selftests/bpf: Select CONFIG_FUNCTION_ERROR_INJECTION [ Upstream commit a8dfde09c90109e3a98af54847e91bde7dc2d5c2 ] BPF selftests require CONFIG_FUNCTION_ERROR_INJECTION to work. However, CONFIG_FUNCTION_ERROR_INJECTION is no longer 'y' by default after recent changes. As a result, we are seeing errors like the following from BPF CI: bpf_testmod_test_read() is not modifiable __x64_sys_setdomainname is not sleepable __x64_sys_getpgid is not sleepable Fix this by explicitly selecting CONFIG_FUNCTION_ERROR_INJECTION in the selftest config. Fixes: a4412fdd49dc ("error-injection: Add prompt for function error injection") Reported-by: Daniel Müller Signed-off-by: Song Liu Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Daniel Müller Link: https://lore.kernel.org/bpf/20221213220500.3427947-1-song@kernel.org Signed-off-by: Sasha Levin commit 761564d93c8265f65543acf0a576b32d66bfa26a Author: Yu Kuai Date: Wed Dec 14 11:04:30 2022 +0800 block, bfq: fix possible uaf for 'bfqq->bic' [ Upstream commit 64dc8c732f5c2b406cc752e6aaa1bd5471159cab ] Our test report a uaf for 'bfqq->bic' in 5.10: ================================================================== BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-20220320_160524-szxrtosci10000 04/01/2014 Call Trace: bfq_select_queue+0x378/0xa30 bfq_dispatch_request+0xe8/0x130 blk_mq_do_dispatch_sched+0x62/0xb0 __blk_mq_sched_dispatch_requests+0x215/0x2a0 blk_mq_sched_dispatch_requests+0x8f/0xd0 __blk_mq_run_hw_queue+0x98/0x180 __blk_mq_delay_run_hw_queue+0x22b/0x240 blk_mq_run_hw_queue+0xe3/0x190 blk_mq_sched_insert_requests+0x107/0x200 blk_mq_flush_plug_list+0x26e/0x3c0 blk_finish_plug+0x63/0x90 __iomap_dio_rw+0x7b5/0x910 iomap_dio_rw+0x36/0x80 ext4_dio_read_iter+0x146/0x190 [ext4] ext4_file_read_iter+0x1e2/0x230 [ext4] new_sync_read+0x29f/0x400 vfs_read+0x24e/0x2d0 ksys_read+0xd5/0x1b0 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x61/0xc6 Commit 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") changes that move process to a new cgroup will allocate a new bfqq to use, however, the old bfqq and new bfqq can point to the same bic: 1) Initial state, two process with io in the same cgroup. Process 1 Process 2 (BIC1) (BIC2) | Λ | Λ | | | | V | V | bfqq1 bfqq2 2) bfqq1 is merged to bfqq2. Process 1 Process 2 (BIC1) (BIC2) | | \-------------\| V bfqq1 bfqq2(coop) 3) Process 1 exit, then issue new io(denoce IOA) from Process 2. (BIC2) | Λ | | V | bfqq2(coop) 4) Before IOA is completed, move Process 2 to another cgroup and issue io. Process 2 (BIC2) Λ |\--------------\ | V bfqq2 bfqq3 Now that BIC2 points to bfqq3, while bfqq2 and bfqq3 both point to BIC2. If all the requests are completed, and Process 2 exit, BIC2 will be freed while there is no guarantee that bfqq2 will be freed before BIC2. Fix the problem by clearing bfqq->bic while bfqq is detached from bic. Fixes: 3bc5e683c67d ("bfq: Split shared queues on move between cgroups") Suggested-by: Jan Kara Signed-off-by: Yu Kuai Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20221214030430.3304151-1-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 27f94fc22305aab70b47b5d996f72a19978cda13 Author: Yang Yingliang Date: Mon Dec 12 16:41:39 2022 +0800 mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() [ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg() and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use skb_queue_splice_init() to move the dch->squeue to a free queue, also enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver") Signed-off-by: Yang Yingliang Reviewed-by: Alexander Duyck Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 06fcc7543f302bce197f770d51738340af81e875 Author: Yang Yingliang Date: Mon Dec 12 16:41:38 2022 +0800 mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() [ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(), kfree_skb() is called in it, to fix this, use skb_queue_splice_init() to move the dch->squeue to a free queue, also enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver") Signed-off-by: Yang Yingliang Reviewed-by: Alexander Duyck Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 793f872866d678c95500d5bbac57cb6f3b1ea819 Author: Yang Yingliang Date: Mon Dec 12 16:41:37 2022 +0800 mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() [ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(), kfree_skb() is called in it, to fix this, use skb_queue_splice_init() to move the dch->squeue to a free queue, also enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted SKB, so replace it with dev_consume_skb_irq(). Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") Signed-off-by: Yang Yingliang Reviewed-by: Alexander Duyck Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b316841b6bdccf66f2a6729074dc712b8016bb32 Author: Hangbin Liu Date: Mon Dec 12 11:56:46 2022 +0800 bonding: do failover when high prio link up [ Upstream commit e95cc44763a41d5c715ef16742bcb1d8e6524a62 ] Currently, when a high prio link enslaved, or when current link down, the high prio port could be selected. But when high prio link up, the new active slave reselection is not triggered. Fix it by checking link's prio when getting up. Making the do_failover after looping all slaves as there may be multi high prio slaves up. Reported-by: Liang Li Fixes: 0a2ff7cc8ad4 ("Bonding: add per-port priority for failover re-selection") Signed-off-by: Hangbin Liu Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 2d31c6ed44287863ecb93173b0b98aeec1ed0d1c Author: Hangbin Liu Date: Mon Dec 12 11:56:45 2022 +0800 bonding: add missed __rcu annotation for curr_active_slave [ Upstream commit 3d0b738fc5adf9f380702ac1424672e4b32c3781 ] There is one direct accesses to bond->curr_active_slave in bond_miimon_commit(). Protected it by rcu_access_pointer() since the later of this function also use this one. Signed-off-by: Hangbin Liu Signed-off-by: Jakub Kicinski Stable-dep-of: e95cc44763a4 ("bonding: do failover when high prio link up") Signed-off-by: Sasha Levin commit ba44c1fe82340cd1a52fdda0aa64408aae5c6c20 Author: Emeel Hakim Date: Sun Dec 11 09:55:32 2022 +0200 net: macsec: fix net device access prior to holding a lock [ Upstream commit f3b4a00f0f62da252c598310698dfc82ef2f2e2e ] Currently macsec offload selection update routine accesses the net device prior to holding the relevant lock. Fix by holding the lock prior to the device access. Fixes: dcb780fb2795 ("net: macsec: add nla support for changing the offloading selection") Reviewed-by: Raed Salem Signed-off-by: Emeel Hakim Link: https://lore.kernel.org/r/20221211075532.28099-1-ehakim@nvidia.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit d843ebd860c58a38e45527e8ec6516059f4c97f3 Author: Dan Aloni Date: Mon Dec 12 13:11:06 2022 +0200 nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure [ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ] On error situation `clp->cl_cb_conn.cb_xprt` should not be given a reference to the xprt otherwise both client cleanup and the error handling path of the caller call to put it. Better to delay handing over the reference to a later branch. [ 72.530665] refcount_t: underflow; use-after-free. [ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120 [ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc] [ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1 [ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014 [ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd] [ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120 [ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48 [ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286 [ 72.547393] RAX: 0000000000000026 RBX: ffff89ac6231d478 RCX: 0000000000000000 [ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0 [ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff [ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180 [ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0 [ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000 [ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0 [ 72.554874] Call Trace: [ 72.555278] [ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc] [ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd] [ 72.557087] ? update_load_avg+0x82/0x610 [ 72.557652] ? cpuacct_charge+0x60/0x70 [ 72.558212] ? dequeue_entity+0xdb/0x3e0 [ 72.558765] ? queued_spin_unlock+0x9/0x20 [ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd] [ 72.560031] process_one_work+0x1df/0x390 [ 72.560600] worker_thread+0x37/0x3b0 [ 72.561644] ? process_one_work+0x390/0x390 [ 72.562247] kthread+0x12f/0x150 [ 72.562710] ? set_kthread_struct+0x50/0x50 [ 72.563309] ret_from_fork+0x22/0x30 [ 72.563818] [ 72.564189] ---[ end trace 031117b1c72ec616 ]--- [ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018). [ 72.567647] ------------[ cut here ]------------ Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed") Cc: Xiyu Yang Cc: J. Bruce Fields Signed-off-by: Dan Aloni Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit f8059a2a2bdf1107bf086b0f4393e359ca83c251 Author: Dan Carpenter Date: Wed Dec 7 18:56:09 2022 +0300 iommu/mediatek: Fix forever loop in error handling [ Upstream commit 462e768b55a2331324ff72e74706261134369826 ] There is a typo so this loop does i++ where i-- was intended. It will result in looping until the kernel crashes. Fixes: 26593928564c ("iommu/mediatek: Add error path for loop of mm_dts_parse") Signed-off-by: Dan Carpenter Reviewed-by: Yong Wu Link: https://lore.kernel.org/r/Y5C3mTam2nkbaz6o@kili Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 8a1a382895831145c8acd7976b1e413d4a9ad71d Author: Alexandre Belloni Date: Sun Dec 11 23:35:53 2022 +0100 rtc: pcf85063: fix pcf85063_clkout_control [ Upstream commit c2d12e85336f6d4172fb2bab5935027c446d7343 ] pcf85063_clkout_control reads the wrong register but then update the correct one. Reported-by: Janne Terho Fixes: 8c229ab6048b ("rtc: pcf85063: Add pcf85063 clkout control to common clock framework") Link: https://lore.kernel.org/r/20221211223553.59955-1-alexandre.belloni@bootlin.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit ed829c3b79b486e7333dd8759cb3e4c6407c2732 Author: Gaosheng Cui Date: Wed Nov 23 09:59:53 2022 +0800 rtc: pic32: Move devm_rtc_allocate_device earlier in pic32_rtc_probe() [ Upstream commit 90cd5c88830140c9fade92a8027e0fb2c6e4cc49 ] The pic32_rtc_enable(pdata, 0) and clk_disable_unprepare(pdata->clk) should be called in the error handling of devm_rtc_allocate_device(), so we should move devm_rtc_allocate_device earlier in pic32_rtc_probe() to fix it. Fixes: 6515e23b9fde ("rtc: pic32: convert to devm_rtc_allocate_device") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221123015953.1998521-1-cuigaosheng1@huawei.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit abfa5dd914538ffd9284ceb4ea8d0da311a6a095 Author: Gaosheng Cui Date: Wed Nov 23 09:48:05 2022 +0800 rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() [ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ] The clk_disable_unprepare() should be called in the error handling of clk_get_rate(), fix it. Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 75b2692c90cee258fb10bab9660a75841939bcbe Author: Qingfang DENG Date: Thu Dec 8 20:35:29 2022 +0800 netfilter: flowtable: really fix NAT IPv6 offload [ Upstream commit 5fb45f95eec682621748b7cb012c6a8f0f981e6a ] The for-loop was broken from the start. It translates to: for (i = 0; i < 4; i += 4) which means the loop statement is run only once, so only the highest 32-bit of the IPv6 address gets mangled. Fix the loop increment. Fixes: 0e07e25b481a ("netfilter: flowtable: fix NAT IPv6 offload mangling") Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support") Signed-off-by: Qingfang DENG Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit 7f47c91e465ae1aa56b92e090c163d32838f67ad Author: Yang Yingliang Date: Fri Nov 25 15:36:26 2022 +0800 mfd: pm8008: Fix return value check in pm8008_probe() [ Upstream commit 14f8c55d48e02157519fbcb3a5de557abd8a06e2 ] In case of error, the function devm_regmap_init_i2c() returns ERR_PTR() and never returns NULL. The NULL test in the return value check should be replaced with IS_ERR(). Fixes: 6b149f3310a4 ("mfd: pm8008: Add driver for QCOM PM8008 PMIC") Signed-off-by: Yang Yingliang Reviewed-by: Bjorn Andersson Acked-by: Guru Das Srinagesh Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20221125073626.1868229-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit b8d07df9ede9159b332959598159aa7dd7d5b27a Author: Christophe JAILLET Date: Sun Nov 20 18:19:01 2022 +0100 mfd: qcom_rpm: Fix an error handling path in qcom_rpm_probe() [ Upstream commit 36579aca877a62f67ecd77eb3edefc4c86292406 ] If an error occurs after the clk_prepare_enable() call, a corresponding clk_disable_unprepare() should be called. Simplify code and switch to devm_clk_get_enabled() to fix it. Fixes: 3526403353c2 ("mfd: qcom_rpm: Handle message RAM clock") Signed-off-by: Christophe JAILLET Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/e39752476d02605b2be46cab7115f71255ce13a8.1668949256.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit e295ac85d61853eedae186c58b92bb475faae1fc Author: Matti Vaittinen Date: Wed Nov 16 10:19:21 2022 +0200 mfd: bd957x: Fix Kconfig dependency on REGMAP_IRQ [ Upstream commit 85842c46fd47fa6bd78681c154223bed27d5fd19 ] The BD957x driver uses REGMAP_IRQ but does not 'select' to depend on it. This can cause build failures. Select REGMAP_IRQ for BD957X. Fixes: 0e9692607f94 ("mfd: bd9576: Add IRQ support") Signed-off-by: Matti Vaittinen Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/Y3SdCWkRr1L64SWK@dc75zzyyyyyyyyyyyyydt-3.rev.dnainternet.fi Signed-off-by: Sasha Levin commit 3bcc06c5fd4842841763c398f301ea1291d0b653 Author: Samuel Holland Date: Sat Nov 5 16:29:09 2022 -0500 mfd: axp20x: Do not sleep in the power off handler [ Upstream commit 3f37d4f695cff180033254b9ed5adc8ab927cba9 ] Since commit 856c288b0039 ("ARM: Use do_kernel_power_off()"), the function axp20x_power_off() now runs inside a RCU read-side critical section, so it is not allowed to call msleep(). Use mdelay() instead. Fixes: 856c288b0039 ("ARM: Use do_kernel_power_off()") Signed-off-by: Samuel Holland Reviewed-by: Dmitry Osipenko Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20221105212909.6526-1-samuel@sholland.org Signed-off-by: Sasha Levin commit d387d36fcc545f6563f3a197ee87352cfd0cbde2 Author: Bryan O'Donoghue Date: Wed Sep 28 01:05:17 2022 +0100 dt-bindings: mfd: qcom,spmi-pmic: Drop PWM reg dependency [ Upstream commit 763ab98687404d924b6612f7c9c8430333d31229 ] The PWM node is not a separate device and is expected to be part of parent SPMI PMIC node, thus it obtains the address space from the parent. One IO address in "reg" is also not correct description because LPG block maps to several regions. Fixes: 3f5117be9584 ("dt-bindings: mfd: convert to yaml Qualcomm SPMI PMIC") Suggested-by: Krzysztof Kozlowski Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bryan O'Donoghue Signed-off-by: Lee Jones Link: https://lore.kernel.org/r/20220928000517.228382-2-bryan.odonoghue@linaro.org Signed-off-by: Sasha Levin commit 0ab849944365096bece42d0c8f0f6e6e72440ef9 Author: Nathan Lynch Date: Fri Nov 18 09:07:43 2022 -0600 powerpc/pseries/eeh: use correct API for error log size [ Upstream commit 9aafbfa5f57a4b75bafd3bed0191e8429c5fa618 ] rtas-error-log-max is not the name of an RTAS function, so rtas_token() is not the appropriate API for retrieving its value. We already have rtas_get_error_log_max() which returns a sensible value if the property is absent for any reason, so use that instead. Fixes: 8d633291b4fc ("powerpc/eeh: pseries platform EEH error log retrieval") Signed-off-by: Nathan Lynch [mpe: Drop no-longer possible error handling as noticed by ajd] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221118150751.469393-6-nathanl@linux.ibm.com Signed-off-by: Sasha Levin commit bce7d8e9596d87cde7ad26df48f2a606739f9af4 Author: Shang XiaoJing Date: Sun Dec 4 16:27:57 2022 +0800 remoteproc: qcom: q6v5: Fix missing clk_disable_unprepare() in q6v5_wcss_qcs404_power_on() [ Upstream commit 7ff5d60f18bba5cbaf17b2926aa9da44d5beca01 ] q6v5_wcss_qcs404_power_on() have no fail path for readl_poll_timeout(). Add fail path for readl_poll_timeout(). Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404") Signed-off-by: Shang XiaoJing Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221204082757.18850-1-shangxiaojing@huawei.com Signed-off-by: Sasha Levin commit add474591d6e2466b2d2f2b357c137814cbb8be4 Author: Yuan Can Date: Sat Dec 3 07:06:39 2022 +0000 remoteproc: qcom_q6v5_pas: Fix missing of_node_put() in adsp_alloc_memory_region() [ Upstream commit 38e7d9c19276832ebb0277f415b9214bf7baeb37 ] The pointer node is returned by of_parse_phandle() with refcount incremented. We should use of_node_put() on it when done. Fixes: b9e718e950c3 ("remoteproc: Introduce Qualcomm ADSP PIL") Signed-off-by: Yuan Can Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221203070639.15128-1-yuancan@huawei.com Signed-off-by: Sasha Levin commit f09a52e442636f44540e4962348c27677eb7e829 Author: Luca Weiss Date: Fri Nov 18 10:08:16 2022 +0100 remoteproc: qcom_q6v5_pas: detach power domains on remove [ Upstream commit 34d01df00b84127be04c914fc9f8e8be1fcdf851 ] We need to detach from the power domains also on remove, not just on probe fail so a subsequent probe works as expected. Otherwise the following error appears on re-probe: [ 29.452005] sysfs: cannot create duplicate filename '/devices/genpd:0:3000000.remoteproc' [ 29.477121] CPU: 1 PID: 483 Comm: sh Tainted: G W 6.1.0-rc4-00075-g71a113770bda #78 [ 29.510319] Hardware name: Fairphone 4 (DT) [ 29.538335] Call trace: [ 29.564470] dump_backtrace.part.0+0xe0/0xf0 [ 29.592602] show_stack+0x18/0x30 [ 29.619616] dump_stack_lvl+0x64/0x80 [ 29.646834] dump_stack+0x18/0x34 [ 29.673541] sysfs_warn_dup+0x60/0x7c [ 29.700592] sysfs_create_dir_ns+0xec/0x110 [ 29.728057] kobject_add_internal+0xb8/0x374 [ 29.755530] kobject_add+0x9c/0x104 [ 29.782072] device_add+0xbc/0x8a0 [ 29.808445] device_register+0x20/0x30 [ 29.835175] genpd_dev_pm_attach_by_id+0xa4/0x190 [ 29.862851] genpd_dev_pm_attach_by_name+0x3c/0xb0 [ 29.890472] dev_pm_domain_attach_by_name+0x20/0x30 [ 29.918212] adsp_probe+0x278/0x580 [ 29.944384] platform_probe+0x68/0xc0 [ 29.970603] really_probe+0xbc/0x2dc [ 29.996662] __driver_probe_device+0x78/0xe0 [ 30.023491] device_driver_attach+0x48/0xac [ 30.050215] bind_store+0xb8/0x114 [ 30.075957] drv_attr_store+0x24/0x3c [ 30.101874] sysfs_kf_write+0x44/0x54 [ 30.127751] kernfs_fop_write_iter+0x120/0x1f0 [ 30.154448] vfs_write+0x1ac/0x380 [ 30.179937] ksys_write+0x70/0x104 [ 30.205274] __arm64_sys_write+0x1c/0x2c [ 30.231060] invoke_syscall+0x48/0x114 [ 30.256594] el0_svc_common.constprop.0+0x44/0xec [ 30.283183] do_el0_svc+0x2c/0xd0 [ 30.308320] el0_svc+0x2c/0x84 [ 30.333059] el0t_64_sync_handler+0xf4/0x120 [ 30.359001] el0t_64_sync+0x18c/0x190 [ 30.384385] kobject_add_internal failed for genpd:0:3000000.remoteproc with -EEXIST, don't try to register things with the same name in the same directory. [ 30.406029] remoteproc remoteproc0: releasing 3000000.remoteproc [ 30.416064] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17 Fixes: 17ee2fb4e856 ("remoteproc: qcom: pas: Vote for active/proxy power domains") Reviewed-by: Sibi Sankar Reviewed-by: Mukesh Ojha Signed-off-by: Luca Weiss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221118090816.100012-2-luca.weiss@fairphone.com Signed-off-by: Sasha Levin commit 4458ed2d9570d949a58665c6a94ebaadc44813db Author: Luca Weiss Date: Fri Nov 18 10:08:15 2022 +0100 remoteproc: qcom_q6v5_pas: disable wakeup on probe fail or remove [ Upstream commit 9a70551996e699fda262e8d54bbd41739d7aad6d ] Leaving wakeup enabled during probe fail (-EPROBE_DEFER) or remove makes the subsequent probe fail. [ 3.749454] remoteproc remoteproc0: releasing 3000000.remoteproc [ 3.752949] qcom_q6v5_pas: probe of 3000000.remoteproc failed with error -17 [ 3.878935] remoteproc remoteproc0: releasing 4080000.remoteproc [ 3.887602] qcom_q6v5_pas: probe of 4080000.remoteproc failed with error -17 [ 4.319552] remoteproc remoteproc0: releasing 8300000.remoteproc [ 4.332716] qcom_q6v5_pas: probe of 8300000.remoteproc failed with error -17 Fix this by disabling wakeup in both cases so the driver can properly probe on the next try. Fixes: a781e5aa5911 ("remoteproc: core: Prevent system suspend during remoteproc recovery") Fixes: dc86c129b4fb ("remoteproc: qcom: pas: Mark devices as wakeup capable") Reviewed-by: Mukesh Ojha Signed-off-by: Luca Weiss Reviewed-by: Caleb Connolly Reviewed-by: Sibi Sankar Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221118090816.100012-1-luca.weiss@fairphone.com Signed-off-by: Sasha Levin commit 0903a87490a9ed456ac765a84dcc484c1ee42c32 Author: Shang XiaoJing Date: Fri Nov 25 10:16:41 2022 +0800 remoteproc: qcom: q6v5: Fix potential null-ptr-deref in q6v5_wcss_init_mmio() [ Upstream commit f360e2b275efbb745ba0af8b47d9ef44221be586 ] q6v5_wcss_init_mmio() will call platform_get_resource_byname() that may fail and return NULL. devm_ioremap() will use res->start as input, which may causes null-ptr-deref. Check the ret value of platform_get_resource_byname() to avoid the null-ptr-deref. Fixes: 0af65b9b915e ("remoteproc: qcom: wcss: Add non pas wcss Q6 support for QCS404") Signed-off-by: Shang XiaoJing Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221125021641.29392-1-shangxiaojing@huawei.com Signed-off-by: Sasha Levin commit ec97e9a5c2f25d2f9f9d7005e9ac67f23cc751cd Author: Gaosheng Cui Date: Tue Nov 29 18:56:50 2022 +0800 remoteproc: sysmon: fix memory leak in qcom_add_sysmon_subdev() [ Upstream commit e01ce676aaef3b13d02343d7e70f9637d93a3367 ] The kfree() should be called when of_irq_get_byname() fails or devm_request_threaded_irq() fails in qcom_add_sysmon_subdev(), otherwise there will be a memory leak, so add kfree() to fix it. Fixes: 027045a6e2b7 ("remoteproc: qcom: Add shutdown-ack irq") Signed-off-by: Gaosheng Cui Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221129105650.1539187-1-cuigaosheng1@huawei.com Signed-off-by: Sasha Levin commit b773e86fc1968c2483c836db26b976ab6cbef7a1 Author: Anup Patel Date: Wed Dec 7 09:16:51 2022 +0530 RISC-V: KVM: Fix reg_val check in kvm_riscv_vcpu_set_reg_config() [ Upstream commit e482d9e33d5b0f222cbef7341dcd52cead6b9edc ] The reg_val check in kvm_riscv_vcpu_set_reg_config() should only be done for isa config register. Fixes: 9bfd900beeec ("RISC-V: KVM: Improve ISA extension by using a bitmap") Signed-off-by: Anup Patel Reviewed-by: Andrew Jones Reviewed-by: Atish Patra Signed-off-by: Anup Patel Signed-off-by: Sasha Levin commit c786f2ac30102f9bfca86ad5640d12111ff70360 Author: Daniel Golle Date: Fri Dec 2 19:35:08 2022 +0100 pwm: mediatek: always use bus clock for PWM on MT7622 [ Upstream commit aa3c668f2f98856af96e13f44da6ca4f26f0b98c ] According to MT7622 Reference Manual for Development Board v1.0 the PWM unit found in the MT7622 SoC also comes with the PWM_CK_26M_SEL register at offset 0x210 just like other modern MediaTek ARM64 SoCs. And also MT7622 sets that register to 0x00000001 on reset which is described as 'Select 26M fix CLK as BCLK' in the datasheet. Hence set has_ck_26m_sel to true also for MT7622 which results in the driver writing 0 to the PWM_CK_26M_SEL register which is described as 'Select bus CLK as BCLK'. Fixes: 0c0ead76235db0 ("pwm: mediatek: Always use bus clock") Signed-off-by: Daniel Golle Reviewed-by: AngeloGioacchino Del Regno Acked-by: Uwe Kleine-König Link: https://lore.kernel.org/r/Y1iF2slvSblf6bYK@makrotopia.org Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 24cc0c9b591a6c55ccb6a308f55a4b93e4852692 Author: xinlei lee Date: Fri Dec 2 19:35:06 2022 +0100 pwm: mtk-disp: Fix the parameters calculated by the enabled flag of disp_pwm [ Upstream commit 0b5ef3429d8f78427558ab0dcbfd862098ba2a63 ] In the original mtk_disp_pwm_get_state() function wrongly uses bit 0 of CON0 to judge if the PWM is enabled. However that is indicated by a bit (at a machine dependent position) in the DISP_PWM_EN register. Fix this accordingly. Fixes: 3f2b16734914 ("pwm: mtk-disp: Implement atomic API .get_state()") Signed-off-by: xinlei lee Reviewed-by: Uwe Kleine-König Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/1666172538-11652-1-git-send-email-xinlei.lee@mediatek.com Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 0bdadab074308dd50cc99b888b4b82d17e0bd071 Author: Uwe Kleine-König Date: Fri Dec 2 19:35:05 2022 +0100 pwm: sifive: Call pwm_sifive_update_clock() while mutex is held [ Upstream commit 45558b3abb87eeb2cedb8a59cb2699c120b5102a ] As was documented in commit 0f02f491b786 ("pwm: sifive: Reduce time the controller lock is held") a caller of pwm_sifive_update_clock() must hold the mutex. So fix pwm_sifive_clock_notifier() to grab the lock. While this necessity was only documented later, the race exists since the driver was introduced. Fixes: 9e37a53eb051 ("pwm: sifive: Add a driver for SiFive SoC PWM") Reported-by: Emil Renner Berthing Reviewed-by: Emil Renner Berthing Link: https://lore.kernel.org/r/20221018061656.1428111-1-u.kleine-koenig@pengutronix.de Signed-off-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 9a87b1562c3753ef539916d16418d8520bbc860b Author: Jason Gunthorpe Date: Mon Nov 28 10:06:28 2022 -0400 iommu/sun50i: Remove IOMMU_DOMAIN_IDENTITY [ Upstream commit ef5bb8e7a7127218f826b9ccdf7508e7a339f4c2 ] This driver treats IOMMU_DOMAIN_IDENTITY the same as UNMANAGED, which cannot possibly be correct. UNMANAGED domains are required to start out blocking all DMAs. This seems to be what this driver does as it allocates a first level 'dt' for the IO page table that is 0 filled. Thus UNMANAGED looks like a working IO page table, and so IDENTITY must be a mistake. Remove it. Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jason Gunthorpe Reviewed-by: Robin Murphy Link: https://lore.kernel.org/r/0-v1-97f0adf27b5e+1f0-s50_identity_jgg@nvidia.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 94221812897624d861d8e609409f1c463b41418f Author: Guenter Roeck Date: Tue Oct 18 10:42:56 2022 +0800 iommu/mediatek: Validate number of phandles associated with "mediatek,larbs" [ Upstream commit ef693a8440926884bfd9cc3d6d36f65719513350 ] Fix the smatch warnings: drivers/iommu/mtk_iommu.c:878 mtk_iommu_mm_dts_parse() error: uninitialized symbol 'larbnode'. If someone abuse the dtsi node(Don't follow the definition of dt-binding), for example "mediatek,larbs" is provided as boolean property, "larb_nr" will be zero and cause abnormal. To fix this problem and improve the code safety, add some checking for the invalid input from dtsi, e.g. checking the larb_nr/larbid valid range, and avoid "mediatek,larb-id" property conflicts in the smi-larb nodes. Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE") Reported-by: kernel test robot Reported-by: Dan Carpenter Signed-off-by: Guenter Roeck Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20221018024258.19073-5-yong.wu@mediatek.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 8412e5dd24ffc8bc21a00bfaa0b80d4596cdc9da Author: Yong Wu Date: Tue Oct 18 10:42:55 2022 +0800 iommu/mediatek: Add error path for loop of mm_dts_parse [ Upstream commit 26593928564cf5b576ff05d3cbd958f57c9534bb ] The mtk_iommu_mm_dts_parse will parse the smi larbs nodes. if the i+1 larb is parsed fail, we should put_device for the i..0 larbs. There are two places need to comment: 1) The larbid may be not linear mapping, we should loop whole the array in the error path. 2) I move this line position: "data->larb_imu[id].dev = &plarbdev->dev;" before "if (!plarbdev->dev.driver)", That means set data->larb_imu[id].dev before the error path. then we don't need "platform_device_put(plarbdev)" again in probe_defer case. All depend on "put_device" of the error path in error cases. Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE") Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20221018024258.19073-4-yong.wu@mediatek.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 21f56af865837b52c7007d0de66b26122e8e2fa0 Author: Yong Wu Date: Tue Oct 18 10:42:54 2022 +0800 iommu/mediatek: Use component_match_add [ Upstream commit b5765a1b44bea9dfcae69c53ffeb4c689d0922a7 ] In order to simplify the error patch(avoid call of_node_put), Use component_match_add instead component_match_add_release since we are only interested in the "device" here. Then we could always call of_node_put in normal path. Strictly this is not a fixes patch, but it is a prepare for adding the error path, thus I add a Fixes tag too. Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE") Suggested-by: Robin Murphy Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20221018024258.19073-3-yong.wu@mediatek.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 44d7712267d1711f215805c32bdc4d423a57a5c7 Author: Yong Wu Date: Tue Oct 18 10:42:53 2022 +0800 iommu/mediatek: Add platform_device_put for recovering the device refcnt [ Upstream commit dcb40e9fcce9bd251eaff19f3724131db522846c ] Add platform_device_put to match with of_find_device_by_node. Meanwhile, I add a new variable "pcommdev" which is for smi common device. Otherwise, "platform_device_put(plarbdev)" for smi-common dev may be not readable. And add a checking for whether pcommdev is NULL. Fixes: d2e9a1102cfc ("iommu/mediatek: Contain MM IOMMU flow with the MM TYPE") Signed-off-by: Yong Wu Reviewed-by: AngeloGioacchino Del Regno Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20221018024258.19073-2-yong.wu@mediatek.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit b5dd27890c6d67db534e04ff6b29a763f82ea68b Author: Miaoqian Lin Date: Mon Dec 5 12:44:27 2022 +0400 selftests/powerpc: Fix resource leaks [ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ] In check_all_cpu_dscr_defaults, opendir() opens the directory stream. Add missing closedir() in the error path to release it. In check_cpu_dscr_default, open() creates an open file descriptor. Add missing close() in the error path to release it. Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces") Signed-off-by: Miaoqian Lin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit 01e3641b168cfdfb49042841dcda1c11ee45827b Author: Kajol Jain Date: Wed Nov 30 23:15:13 2022 +0530 powerpc/hv-gpci: Fix hv_gpci event list [ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ] Based on getPerfCountInfo v1.018 documentation, some of the hv_gpci events were deprecated for platform firmware that supports counter_info_version 0x8 or above. Fix the hv_gpci event list by adding a new attribute group called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6" macro to enable these events for platform firmware that supports counter_info_version 0x6 or below. And assigning the hv_gpci event list based on output counter info version of underlying plaform. Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests") Signed-off-by: Kajol Jain Reviewed-by: Madhavan Srinivasan Reviewed-by: Athira Rajeev Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com Signed-off-by: Sasha Levin commit 983e28974755aab7daa2cb755f0b4cacada646d2 Author: Yang Yingliang Date: Sat Oct 29 19:16:26 2022 +0800 powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() [ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ] If platform_device_add() is not called or failed, it can not call platform_device_del() to clean up memory, it should call platform_device_put() in error case. Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi") Signed-off-by: Yang Yingliang Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 5429722209eadaa93e555a012b5f92a4cde34c1f Author: Nicholas Piggin Date: Sun Nov 27 22:49:28 2022 +1000 powerpc/perf: callchain validate kernel stack pointer bounds [ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ] The interrupt frame detection and loads from the hypothetical pt_regs are not bounds-checked. The next-frame validation only bounds-checks STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another test for this. The user could set r1 to be equal to the address matching the first interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page due to the kernel redzone, and induce the kernel to load the marker from there. Possibly this could cause a crash at least. If the user could induce the previous page to contain a valid marker, then it might be able to direct perf to read specific memory addresses in a way that could be transmitted back to the user in the perf data. Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support") Signed-off-by: Nicholas Piggin Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com Signed-off-by: Sasha Levin commit e45e3aae8df8e7fca4c6cfa19eb7afd58a0e64e9 Author: Pali Rohár Date: Fri Sep 30 14:39:01 2022 +0200 powerpc: dts: turris1x.dts: Add channel labels for temperature sensor [ Upstream commit 67bbb62f61e810734da0a1577a9802ddaed24140 ] Channel 0 of SA56004ED chip refers to internal SA56004ED chip sensor (chip itself is located on the board) and channel 1 of SA56004ED chip refers to external sensor which is connected to temperature diode of the P2020 CPU. Fixes: 54c15ec3b738 ("powerpc: dts: Add DTS file for CZ.NIC Turris 1.x routers") Signed-off-by: Pali Rohár Reviewed-by: Marek Behún Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220930123901.10251-1-pali@kernel.org Signed-off-by: Sasha Levin commit c909985dd0c0f74b61e3f8f0e04bf8aa9c8b97c7 Author: Li Huafei Date: Sat Nov 26 19:43:16 2022 +0800 kprobes: Fix check for probe enabled in kill_kprobe() [ Upstream commit 0c76ef3f26d5ef2ac2c21b47e7620cff35809fbb ] In kill_kprobe(), the check whether disarm_kprobe_ftrace() needs to be called always fails. This is because before that we set the KPROBE_FLAG_GONE flag for kprobe so that "!kprobe_disabled(p)" is always false. The disarm_kprobe_ftrace() call introduced by commit: 0cb2f1372baa ("kprobes: Fix NULL pointer dereference at kprobe_ftrace_handler") to fix the NULL pointer reference problem. When the probe is enabled, if we do not disarm it, this problem still exists. Fix it by putting the probe enabled check before setting the KPROBE_FLAG_GONE flag. Link: https://lore.kernel.org/all/20221126114316.201857-1-lihuafei1@huawei.com/ Fixes: 3031313eb3d54 ("kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()") Signed-off-by: Li Huafei Acked-by: Masami Hiramatsu (Google) Reviewed-by: Steven Rostedt (Google) Signed-off-by: Masami Hiramatsu (Google) Signed-off-by: Sasha Levin commit 03d7168103f3a3e64e316b0329ba1e6e5a71a2eb Author: Nayna Jain Date: Sun Nov 6 15:58:39 2022 -0500 powerpc/pseries: fix plpks_read_var() code for different consumers [ Upstream commit 1f622f3f80cbf8999ff5955a2fcfbd801a1f32e0 ] Even though plpks_read_var() is currently called to read variables owned by different consumers, it internally supports only OS consumer. Fix plpks_read_var() to handle different consumers correctly. Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221106205839.600442-7-nayna@linux.ibm.com Signed-off-by: Sasha Levin commit c156df808e117ba86c1e188cbb0b48c5e28bd1d6 Author: Nayna Jain Date: Sun Nov 6 15:58:36 2022 -0500 powerpc/pseries: Return -EIO instead of -EINTR for H_ABORTED error [ Upstream commit bb8e4c7cb759b90a04f2e94056b50288ff46a0ed ] Some commands for eg. "cat" might continue to retry on encountering EINTR. This is not expected for original error code H_ABORTED. Map H_ABORTED to more relevant Linux error code EIO. Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221106205839.600442-4-nayna@linux.ibm.com Signed-off-by: Sasha Levin commit 1a7657adb06ba20a78e5638e1452f3958cd06ab2 Author: Nayna Jain Date: Sun Nov 6 15:58:35 2022 -0500 powerpc/pseries: Fix the H_CALL error code in PLPKS driver [ Upstream commit af223e1728c448073d1e12fe464bf344310edeba ] PAPR Spec defines H_P1 actually as H_PARAMETER and maps H_ABORTED to a different numerical value. Fix the error codes as per PAPR Specification. Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221106205839.600442-3-nayna@linux.ibm.com Signed-off-by: Sasha Levin commit b38e5a3c469ef0652d7b5ef5b5a3d992aa6a856b Author: Nayna Jain Date: Sun Nov 6 15:58:34 2022 -0500 powerpc/pseries: fix the object owners enum value in plpks driver [ Upstream commit 2330757e0be0acad88852e211dcd6106390a729b ] OS_VAR_LINUX enum in PLPKS driver should be 0x02 instead of 0x01. Fixes: 2454a7af0f2a ("powerpc/pseries: define driver for Platform KeyStore") Signed-off-by: Nayna Jain Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221106205839.600442-2-nayna@linux.ibm.com Signed-off-by: Sasha Levin commit 8240299519dbb876987f17c4036bfdb56ed5aaec Author: Yang Yingliang Date: Mon Oct 17 11:23:33 2022 +0800 powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() [ Upstream commit 8b49670f3bb3f10cd4d5a6dca17f5a31b173ecdc ] If remapping 'data->trig_page' fails, the 'data->eoi_mmio' need be unmapped before returning from xive_spapr_populate_irq_data(). Fixes: eac1e731b59e ("powerpc/xive: guest exploitation of the XIVE interrupt controller") Signed-off-by: Yang Yingliang Reviewed-by: Cédric Le Goater Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221017032333.1852406-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 028631dd53a0bdf7fb1c142bf8d52350fa83b10a Author: Gustavo A. R. Silva Date: Fri Sep 16 15:15:04 2022 +0100 powerpc/xmon: Fix -Wswitch-unreachable warning in bpt_cmds [ Upstream commit 1c4a4a4c8410be4a231a58b23e7a30923ff954ac ] When building with automatic stack variable initialization, GCC 12 complains about variables defined outside of switch case statements. Move the variable into the case that uses it, which silences the warning: arch/powerpc/xmon/xmon.c: In function ‘bpt_cmds’: arch/powerpc/xmon/xmon.c:1529:13: warning: statement will never be executed [-Wswitch-unreachable] 1529 | int mode; | ^~~~ Fixes: 09b6c1129f89 ("powerpc/xmon: Fix compile error with PPC_8xx=y") Signed-off-by: Gustavo A. R. Silva Reviewed-by: Kees Cook Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/YySE6FHiOcbWWR+9@work Signed-off-by: Sasha Levin commit 2d7b6580384e6d65419933ddc525bd176095da54 Author: Miaoqian Lin Date: Sun Jun 5 10:00:38 2022 +0400 cxl: Fix refcount leak in cxl_calc_capp_routing [ Upstream commit 1d09697ff22908ae487fc8c4fbde1811732be523 ] of_get_next_parent() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. This function only calls of_node_put() in normal path, missing it in the error path. Add missing of_node_put() to avoid refcount leak. Fixes: f24be42aab37 ("cxl: Add psl9 specific code") Signed-off-by: Miaoqian Lin Acked-by: Andrew Donnellan Acked-by: Frederic Barrat Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220605060038.62217-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit fb3ef6a5af4b003502c940ea50c0f55b06ebbfc9 Author: Christophe JAILLET Date: Sat Jan 29 08:16:04 2022 +0100 powerpc/52xx: Fix a resource leak in an error handling path [ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ] The error handling path of mpc52xx_lpbfifo_probe() has a request_irq() that is not balanced by a corresponding free_irq(). Add the missing call, as already done in the remove function. Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver") Signed-off-by: Christophe JAILLET Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 65572a13163f380cc33c19fda4dab86b2a14a093 Author: Xie Shaowen Date: Tue Aug 2 15:41:48 2022 +0800 macintosh/macio-adb: check the return value of ioremap() [ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ] The function ioremap() in macio_init() can fail, so its return value should be checked. Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix") Reported-by: Hacash Robot Signed-off-by: Xie Shaowen Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com Signed-off-by: Sasha Levin commit 76837e7f6b30da72ad59f56291e22804a219e015 Author: Yang Yingliang Date: Fri Nov 4 11:25:51 2022 +0800 macintosh: fix possible memory leak in macio_add_one_device() [ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ] Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically. It needs to be freed when of_device_register() fails. Call put_device() to give up the reference that's taken in device_initialize(), so that it can be freed in kobject_cleanup() when the refcount hits 0. macio device is freed in macio_release_dev(), so the kfree() can be removed. Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit de7eb55009796687fc0a1670e0b944fa8ed54e9b Author: Yuan Can Date: Mon Nov 21 08:20:22 2022 +0000 iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() [ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ] The fsl_pamu_probe() returns directly when create_csd() failed, leaving irq and memories unreleased. Fix by jumping to error if create_csd() returns error. Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit b0637f4bd426925f5c3a15e8f8e36190fe06bac5 Author: Yang Yingliang Date: Fri Nov 18 17:36:04 2022 +0800 iommu/amd: Fix pci device refcount leak in ppr_notifier() [ Upstream commit 6cf0981c2233f97d56938d9d61845383d6eb227c ] As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it before returning from ppr_notifier() to avoid refcount leak. Fixes: daae2d25a477 ("iommu/amd: Don't copy GCR3 table root pointer") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221118093604.216371-1-yangyingliang@huawei.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 26427454bebf3e59c2c9020d9f3a8478669d062b Author: Robin Murphy Date: Fri Nov 4 19:51:43 2022 +0000 iommu: Avoid races around device probe [ Upstream commit 01657bc14a3990c665375f77978631fee77b1fce ] We currently have 3 different ways that __iommu_probe_device() may be called, but no real guarantee that multiple callers can't tread on each other, especially once asynchronous driver probe gets involved. It would likely have taken a fair bit of luck to hit this previously, but commit 57365a04c921 ("iommu: Move bus setup to IOMMU device registration") ups the odds since now it's not just omap-iommu that may trigger multiple bus_iommu_probe() calls in parallel if probing asynchronously. Add a lock to ensure we can't try to double-probe a device, and also close some possible race windows to make sure we're truly robust against trying to double-initialise a group via two different member devices. Reported-by: Brian Norris Signed-off-by: Robin Murphy Tested-by: Brian Norris Fixes: 57365a04c921 ("iommu: Move bus setup to IOMMU device registration") Link: https://lore.kernel.org/r/1946ef9f774851732eed78760a78ec40dbc6d178.1667591503.git.robin.murphy@arm.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit feca904412483b2e0a903dd1f2e2843afd445f8c Author: Yang Yingliang Date: Sat Oct 29 18:35:50 2022 +0800 iommu/mediatek: Check return value after calling platform_get_resource() [ Upstream commit 73b6924cdebc899de9b719e1319aa86c6bed4acf ] platform_get_resource() may return NULL pointer, we need check its return value to avoid null-ptr-deref in resource_size(). Fixes: 42d57fc58aeb ("iommu/mediatek: Initialise/Remove for multi bank dev") Signed-off-by: Yang Yingliang Reviewed-by: Matthias Brugger Link: https://lore.kernel.org/r/20221029103550.3774365-1-yangyingliang@huawei.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 51a7fbc5984522fd179b3590011d4846cd481642 Author: Alexander Stein Date: Wed Sep 21 09:41:41 2022 +0200 rtc: pcf85063: Fix reading alarm [ Upstream commit a6ceee26fd5ed9b5bd37322b1ca88e4548cee4a3 ] If the alarms are disabled the topmost bit (AEN_*) is set in the alarm registers. This is also interpreted in BCD number leading to this warning: rtc rtc0: invalid alarm value: 2022-09-21T80:80:80 Fix this by masking alarm enabling and reserved bits. Fixes: 05cb3a56ee8c ("rtc: pcf85063: add alarm support") Signed-off-by: Alexander Stein Link: https://lore.kernel.org/r/20220921074141.3903104-1-alexander.stein@ew.tq-group.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 6d4dacd4a91a365999c5cf57a996b96a306602c8 Author: Stefan Eichenberger Date: Sun Nov 6 12:59:15 2022 +0100 rtc: snvs: Allow a time difference on clock register read [ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ] On an iMX6ULL the following message appears when a wakealarm is set: echo 0 > /sys/class/rtc/rtc1/wakealarm rtc rtc1: Timeout trying to get valid LPSRT Counter read This does not always happen but is reproducible quite often (7 out of 10 times). The problem appears because the iMX6ULL is not able to read the registers within one 32kHz clock cycle which is the base clock of the RTC. Therefore, this patch allows a difference of up to 320 cycles (10ms). 10ms was chosen to be big enough even on systems with less cpu power (e.g. iMX6ULL). According to the reference manual a difference is fine: - If the two consecutive reads are similar, the value is correct. The values have to be similar, not equal. Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups") Reviewed-by: Francesco Dolcini Signed-off-by: Stefan Eichenberger Signed-off-by: Francesco Dolcini Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 421091ae0e27dfb29fed9ea2eecbf0100e9c7049 Author: Rafael J. Wysocki Date: Wed Nov 9 13:15:36 2022 +0100 rtc: cmos: Disable ACPI RTC event on removal [ Upstream commit 83ebb7b3036d151ee39a4a752018665648fc3bd4 ] Make cmos_do_remove() drop the ACPI RTC fixed event handler so as to prevent it from operating on stale data in case the event triggers after driver removal. Fixes: 311ee9c151ad ("rtc: cmos: allow using ACPI for RTC alarm instead of HPET") Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Tested-by: Zhang Rui Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/2224609.iZASKD2KPV@kreacher Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 93893e25d97998d9af3dc3fda3f8215b17356340 Author: Rafael J. Wysocki Date: Wed Nov 9 13:12:00 2022 +0100 rtc: cmos: Rename ACPI-related functions [ Upstream commit d13e9ad9f5146f066a5c5a1cc993d09e4fb21ead ] The names of rtc_wake_setup() and cmos_wake_setup() don't indicate that these functions are ACPI-related, which is the case, and the former doesn't really reflect the role of the function. Rename them to acpi_rtc_event_setup() and acpi_cmos_wake_setup(), respectively, to address this shortcoming. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Tested-by: Zhang Rui Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/3225614.44csPzL39Z@kreacher Signed-off-by: Alexandre Belloni Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") Signed-off-by: Sasha Levin commit fbf866b150dfcad70f064caadc4ec15ae0578991 Author: Rafael J. Wysocki Date: Wed Nov 9 13:09:32 2022 +0100 rtc: cmos: Eliminate forward declarations of some functions [ Upstream commit dca4d3b71c8a09a16951add656711fbd6f5bfbb0 ] Reorder the ACPI-related code before cmos_do_probe() so as to eliminate excessive forward declarations of some functions. While at it, for consistency, add the inline modifier to the definitions of empty stub static funtions and remove it from the corresponding definitions of functions with non-empty bodies. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Tested-by: Zhang Rui Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/13157911.uLZWGnKmhe@kreacher Signed-off-by: Alexandre Belloni Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") Signed-off-by: Sasha Levin commit fd8b7f41a416e2b9ce4be88d913c85129c5b9c86 Author: Rafael J. Wysocki Date: Wed Nov 9 13:09:07 2022 +0100 rtc: cmos: Call rtc_wake_setup() from cmos_do_probe() [ Upstream commit 375bbba09692fe4c5218eddee8e312dd733fa846 ] To reduce code duplication, move the invocation of rtc_wake_setup() into cmos_do_probe() and simplify the callers of the latter. No intentional functional impact. Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Tested-by: Zhang Rui Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/2143522.irdbgypaU6@kreacher Signed-off-by: Alexandre Belloni Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") Signed-off-by: Sasha Levin commit 054d6b32c5766216659440a89d3d7777f5c6e6c6 Author: Rafael J. Wysocki Date: Wed Nov 9 13:07:08 2022 +0100 rtc: cmos: Call cmos_wake_setup() from cmos_do_probe() [ Upstream commit 508ccdfb86b21da37ad091003a4d4567709d5dfb ] Notice that cmos_wake_setup() is the only user of acpi_rtc_info and it can operate on the cmos_rtc variable directly, so it need not set the platform_data pointer before cmos_do_probe() is called. Instead, it can be called by cmos_do_probe() in the case when the platform_data pointer is not set to implement the default behavior (which is to use the FADT information as long as ACPI support is enabled). Modify the code accordingly. While at it, drop a comment that doesn't really match the code it is supposed to be describing. Signed-off-by: Rafael J. Wysocki Reviewed-by: Zhang Rui Tested-by: Zhang Rui Reviewed-by: Andy Shevchenko Link: https://lore.kernel.org/r/4803444.31r3eYUQgx@kreacher Signed-off-by: Alexandre Belloni Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") Signed-off-by: Sasha Levin commit 9ba808aec5a12f356cb2519fce28e709f16ef551 Author: Uwe Kleine-König Date: Fri Oct 21 15:07:03 2022 +0200 rtc: pcf2127: Convert to .probe_new() [ Upstream commit 5418e595f30bf4fde83ebb0121417c0c95cff98e ] .probe_new() doesn't get the i2c_device_id * parameter, so determine that explicitly in .probe(). The device_id array has to move up for that to work. Signed-off-by: Uwe Kleine-König Link: https://lore.kernel.org/r/20221021130706.178687-7-u.kleine-koenig@pengutronix.de Signed-off-by: Alexandre Belloni Stable-dep-of: 83ebb7b3036d ("rtc: cmos: Disable ACPI RTC event on removal") Signed-off-by: Sasha Levin commit 59457a0f079eae19aaf322b3cc1c8ba66f55c5f3 Author: Shang XiaoJing Date: Thu Nov 10 17:08:10 2022 +0800 rtc: class: Fix potential memleak in devm_rtc_allocate_device() [ Upstream commit 60da73808298ff2cfa9f165d55eb3d7aa7078601 ] devm_rtc_allocate_device() will alloc a rtc_device first, and then run dev_set_name(). If dev_set_name() failed, the rtc_device will memleak. Move devm_add_action_or_reset() in front of dev_set_name() to prevent memleak. unreferenced object 0xffff888110a53000 (size 2048): comm "python3", pid 470, jiffies 4296078308 (age 58.882s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 08 30 a5 10 81 88 ff ff .........0...... 08 30 a5 10 81 88 ff ff 00 00 00 00 00 00 00 00 .0.............. backtrace: [<000000004aac0364>] kmalloc_trace+0x21/0x110 [<000000000ff02202>] devm_rtc_allocate_device+0xd4/0x400 [<000000001bdf5639>] devm_rtc_device_register+0x1a/0x80 [<00000000351bf81c>] rx4581_probe+0xdd/0x110 [rtc_rx4581] [<00000000f0eba0ae>] spi_probe+0xde/0x130 [<00000000bff89ee8>] really_probe+0x175/0x3f0 [<00000000128e8d84>] __driver_probe_device+0xe6/0x170 [<00000000ee5bf913>] device_driver_attach+0x32/0x80 [<00000000f3f28f92>] bind_store+0x10b/0x1a0 [<000000009ff812d8>] drv_attr_store+0x49/0x70 [<000000008139c323>] sysfs_kf_write+0x8d/0xb0 [<00000000b6146e01>] kernfs_fop_write_iter+0x214/0x2d0 [<00000000ecbe3895>] vfs_write+0x61a/0x7d0 [<00000000aa2196ea>] ksys_write+0xc8/0x190 [<0000000046a600f5>] do_syscall_64+0x37/0x90 [<00000000541a336f>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 24d23181e43d ("rtc: class: check return value when calling dev_set_name()") Signed-off-by: Shang XiaoJing Reviewed-by: Yang Yingliang Link: https://lore.kernel.org/r/20221110090810.11225-1-shangxiaojing@huawei.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 6cb7ea1426208ebfcc57f6fae654d1c25e89f7fe Author: Yushan Zhou Date: Mon Nov 7 17:25:44 2022 +0800 rtc: rzn1: Check return value in rzn1_rtc_probe [ Upstream commit 9800f24f7bd5b99fb4fc4ce981427102e2e15a1c ] The rzn1_rtc_probe() function utilizes devm_pm_runtime_enable() but wasn't checking the return value. Fix it by adding missing check. Fixes: deeb4b5393e1 ("rtc: rzn1: Add new RTC driver") Signed-off-by: Yushan Zhou Reviewed-by: Miquel Raynal Link: https://lore.kernel.org/r/20221107092544.3721053-1-zys.zljxml@gmail.com Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 9f2a53f143e85afac1679299e4a6816c0c52a42c Author: Fenghua Yu Date: Thu Nov 10 17:27:15 2022 -0800 dmaengine: idxd: Fix crc_val field for completion record [ Upstream commit dc901d98b1fe6e52ab81cd3e0879379168e06daa ] The crc_val in the completion record should be 64 bits and not 32 bits. Fixes: 4ac823e9cd85 ("dmaengine: idxd: fix delta_rec and crc size field for completion record") Reported-by: Nirav N Shah Signed-off-by: Fenghua Yu Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20221111012715.2031481-1-fenghua.yu@intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f2e58e95273ce072ca95a2afa1f274825a1e1772 Author: Abdun Nihaal Date: Sat Oct 1 12:30:24 2022 +0530 fs/ntfs3: Fix slab-out-of-bounds read in ntfs_trim_fs [ Upstream commit 557d19675a470bb0a98beccec38c5dc3735c20fa ] Syzbot reports an out of bound access in ntfs_trim_fs. The cause of this is using a loop termination condition that compares window index (iw) with wnd->nbits instead of wnd->nwnd, due to which the index used for wnd->free_bits exceeds the size of the array allocated. Fix the loop condition. Fixes: 3f3b442b5ad2 ("fs/ntfs3: Add bitmap") Link: https://syzkaller.appspot.com/bug?extid=b892240eac461e488d51 Reported-by: syzbot+b892240eac461e488d51@syzkaller.appspotmail.com Signed-off-by: Abdun Nihaal Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit cf66351484ad946faabb8de26faba37f0f124b58 Author: Manivannan Sadhasivam Date: Wed Nov 2 13:48:35 2022 +0530 phy: qcom-qmp-pcie: Fix sm8450_qmp_gen4x2_pcie_pcs_tbl[] register names [ Upstream commit 883aebf6e1ea88145d64dcf940dbcb5181313338 ] sm8450_qmp_gen4x2_pcie_pcs_tbl[] contains the init sequence for PCS registers of QMP PHY v5.20. So use the v5.20 specific register names. Only major change is the rename of PCS_EQ_CONFIG{2/3} registers to PCS_EQ_CONFIG{4/5}. Fixes: 2c91bf6bf290 ("phy: qcom-qmp: Add SM8450 PCIe1 PHY support") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20221102081835.41892-2-manivannan.sadhasivam@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c5ca087f47def5645be252830585b1d69d83ca23 Author: Manivannan Sadhasivam Date: Wed Nov 2 13:48:34 2022 +0530 phy: qcom-qmp-pcie: Fix high latency with 4x2 PHY when ASPM is enabled [ Upstream commit 9ddcd920f8edfe65c3670fbd0b49db00e1e562fe ] The PCIe QMP 4x2 RC PHY generates high latency when ASPM is enabled. This seem to be fixed by clearing the QPHY_V5_20_PCS_PCIE_PRESET_P10_POST register of the pcs_misc register space. Fixes: 2c91bf6bf290 ("phy: qcom-qmp: Add SM8450 PCIe1 PHY support") Signed-off-by: Manivannan Sadhasivam Link: https://lore.kernel.org/r/20221102081835.41892-1-manivannan.sadhasivam@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 5d39a1d9a2435eae9e8e329cba07499041f20256 Author: Dmitry Baryshkov Date: Tue Sep 27 12:22:04 2022 +0300 phy: qcom-qmp-pcie: Support SM8450 PCIe1 PHY in EP mode [ Upstream commit f5682f13b7ab0bbdffd11934afe4b5c011d5be74 ] Add support for using PCIe1 (gen4x2) in EP mode on SM8450. The tables to program are mostly common with the RC mode tables, so only register difference are split into separate RC and EP tables. Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220927092207.161501-4-dmitry.baryshkov@linaro.org Signed-off-by: Vinod Koul Stable-dep-of: 9ddcd920f8ed ("phy: qcom-qmp-pcie: Fix high latency with 4x2 PHY when ASPM is enabled") Signed-off-by: Sasha Levin commit e83821af647144cc87afae1b65047d08aaf502ad Author: Dmitry Baryshkov Date: Tue Sep 27 12:22:03 2022 +0300 phy: qcom-qmp-pcie: support separate tables for EP mode [ Upstream commit 11bf53a38c82baef349b4efc6a84f069dab7085a ] The PCIe QMP PHY requires different programming sequences when being used for the RC (Root Complex) or for the EP (End Point) modes. Allow selecting the submode and thus selecting a set of PHY programming tables. Since the RC and EP modes share common some common init sequence, the common sequence is kept in the main table and the sequence differences are pushed to the extra tables. Reviewed-by: Johan Hovold Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220927092207.161501-3-dmitry.baryshkov@linaro.org Signed-off-by: Vinod Koul Stable-dep-of: 9ddcd920f8ed ("phy: qcom-qmp-pcie: Fix high latency with 4x2 PHY when ASPM is enabled") Signed-off-by: Sasha Levin commit d1945ec03ca643a008ad0859246e2a67e419d85b Author: Christian Marangi Date: Thu Nov 3 22:21:24 2022 +0100 phy: qcom-qmp-pcie: split pcs_misc init cfg for ipq8074 pcs table [ Upstream commit 2584068a9ef4a7bff3b9302dd058a4c95ce68631 ] Commit af6643242d3a ("phy: qcom-qmp-pcie: split pcs_misc region for ipq6018 pcie gen3") reworked the pcs regs values and removed the 0x400 offset for each pcs_misc regs. This change caused the malfunction of ipq8074 downstream since it still has the legacy pcs table where pcs_misc are not placed on a different table and instead put together assuming the offset of 0x400 for the related pcs_misc regs. Split pcs_misc init cfg from the ipq8074 pcs init table to be handled correctly to prepare for actual support for gen3 pcie for ipq8074. Fixes: af6643242d3a ("phy: qcom-qmp-pcie: split pcs_misc region for ipq6018 pcie gen3") Reported-by: Robert Marko Tested-by: Robert Marko Signed-off-by: Christian Marangi Link: https://lore.kernel.org/r/20221103212125.17156-1-ansuelsmth@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 814cd5ca1c77c1961df680dcab9f5c8dda7c9773 Author: Dmitry Baryshkov Date: Tue Sep 27 12:22:02 2022 +0300 phy: qcom-qmp-pcie: split register tables into common and extra parts [ Upstream commit 2566ad8ec418934c213cb50fd2084ffd896a2fea ] SM8250 configuration tables are split into two parts: the common one and the PHY-specific tables. Make this split more formal. Rather than having a blind renamed copy of all QMP table fields, add separate struct qmp_phy_cfg_tables and add two instances of this structure to the struct qmp_phy_cfg. Later on this will be used to support different PHY modes (RC vs EP). Reviewed-by: Johan Hovold Signed-off-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220927092207.161501-2-dmitry.baryshkov@linaro.org Signed-off-by: Vinod Koul Stable-dep-of: 2584068a9ef4 ("phy: qcom-qmp-pcie: split pcs_misc init cfg for ipq8074 pcs table") Signed-off-by: Sasha Levin commit 984f35f57f74ad29168f9ddb784c029e9089e0f1 Author: Jon Hunter Date: Fri Oct 28 13:33:56 2022 +0100 pwm: tegra: Ensure the clock rate is not less than needed [ Upstream commit 5eccd0d9fabc4d2ab8d2a0c056fb1d7e2ff892fc ] When dynamically scaling the PWM clock, the function dev_pm_opp_set_rate() may set the PWM clock to a rate that is lower than what is required. The clock rate requested when calling dev_pm_opp_set_rate() is the minimum clock rate that is needed to drive the PWM to achieve the required period. Hence, if the actual clock rate is less than the requested clock rate, then the required period cannot be achieved and configuring the PWM fails. Fix this by calling clk_round_rate() to check if the clock rate that will be provided is sufficient and if not, double the required clock rate to ensure the required period can be attained. Fixes: 8c193f4714df ("pwm: tegra: Optimize period calculation") Signed-off-by: Jon Hunter Acked-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 49c8cc208464fad38d5986d7782349070abec29f Author: Jon Hunter Date: Fri Oct 28 13:33:55 2022 +0100 pwm: tegra: Improve required rate calculation [ Upstream commit f271946117dde2ca8741b8138b347b2d68e6ad56 ] For the case where dev_pm_opp_set_rate() is called to set the PWM clock rate, the requested rate is calculated as ... required_clk_rate = (NSEC_PER_SEC / period_ns) << PWM_DUTY_WIDTH; The above calculation may lead to rounding errors because the NSEC_PER_SEC is divided by 'period_ns' before applying the PWM_DUTY_WIDTH multiplication factor. For example, if the period is 45334ns, the above calculation yields a rate of 5646848Hz instead of 5646976Hz. Fix this by applying the multiplication factor before dividing and using the DIV_ROUND_UP macro which yields the expected result of 5646976Hz. Fixes: 1d7796bdb63a ("pwm: tegra: Support dynamic clock frequency configuration") Signed-off-by: Jon Hunter Reviewed-by: Uwe Kleine-König Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 67edfd98073132a117157015c974cc67a23686a0 Author: Matt Redfearn Date: Tue Sep 27 14:52:56 2022 -0700 include/uapi/linux/swab: Fix potentially missing __always_inline [ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ] Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining of some byteswap operations") added __always_inline to swab functions and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers") added a definition of __always_inline for use in exported headers when the kernel's compiler.h is not available. However, since swab.h does not include stddef.h, if the header soup does not indirectly include it, the definition of __always_inline is missing, resulting in a compilation failure, which was observed compiling the perf tool using exported headers containing this commit: In file included from /usr/include/linux/byteorder/little_endian.h:12:0, from /usr/include/asm/byteorder.h:14, from tools/include/uapi/linux/perf_event.h:20, from perf.h:8, from builtin-bench.c:18: /usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline' static __always_inline __u16 __swab16p(const __u16 *p) Fix this by replacing the inclusion of linux/compiler.h with linux/stddef.h to ensure that we pick up that definition if required, without relying on it's indirect inclusion. compiler.h is then included indirectly, via stddef.h. Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers") Signed-off-by: Matt Redfearn Signed-off-by: Florian Fainelli Signed-off-by: Arnd Bergmann Tested-by: Nathan Chancellor Reviewed-by: Petr Vaněk Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 238a935ac0a71c53082aee2de3d4460298afc02c Author: Justin Chen Date: Wed Oct 5 14:30:18 2022 -0700 phy: usb: Fix clock imbalance for suspend/resume [ Upstream commit 8484199c09347bdd5d81ee8a2bc530850f900797 ] We should be disabling clocks when wake from USB is not needed. Since this wasn't done, we had a clock imbalance since clocks were always being enabled on resume. Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers") Fixes: b0c0b66c0b43 ("phy: usb: Add support for wake and USB low power mode for 7211 S2/S5") Signed-off-by: Justin Chen Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/1665005418-15807-7-git-send-email-justinpopo6@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit d19f1664c843b60c9cc9d1879ee75205ea1a580b Author: Justin Chen Date: Wed Oct 5 14:30:17 2022 -0700 phy: usb: Use slow clock for wake enabled suspend [ Upstream commit 700c44b508020a3ea29d297c677f8d4ab14b7e6a ] The logic was incorrect when switching to slow clock. We want the slow clock if wake_enabled is set. Fixes: ae532b2b7aa5 ("phy: usb: Add "wake on" functionality for newer Synopsis XHCI controllers") Signed-off-by: Justin Chen Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/1665005418-15807-6-git-send-email-justinpopo6@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0bceef84f716da8fd02464517cccda8d3c0a88c1 Author: Al Cooper Date: Wed Oct 5 14:30:14 2022 -0700 phy: usb: s2 WoL wakeup_count not incremented for USB->Eth devices [ Upstream commit f7fc5b7090372fc4dd7798c874635ca41b8ba733 ] The PHY's "wakeup_count" is not incrementing when waking from WoL. The wakeup count can be found in sysfs at: /sys/bus/platform/devices/rdb/*.usb-phy/power/wakeup_count. The problem is that the system wakup event handler was being passed the wrong "device" by the PHY driver. Fixes: f1c0db40a3ad ("phy: usb: Add "wake on" functionality") Signed-off-by: Al Cooper Signed-off-by: Justin Chen Acked-by: Florian Fainelli Link: https://lore.kernel.org/r/1665005418-15807-3-git-send-email-justinpopo6@gmail.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c40b86861146464dd0c1c53641db98cf79f93fe9 Author: Johan Hovold Date: Fri Oct 28 18:04:23 2022 +0200 phy: qcom-qmp-usb: fix sc8280xp PCS_USB offset [ Upstream commit 4c6b3af3906d0c59497d3bfb07760f3a082b4150 ] The PCS_USB register block lives at an offset of 0x1000 from the PCS region on SC8280XP so add the missing offset to avoid corrupting unrelated registers on runtime suspend. Note that the current binding is broken as it does not describe the PCS_USB region and the PCS register size does not cover PCS_USB and the regions in between. As Linux currently maps full pages, simply adding the offset to driver works until the binding has been fixed. Fixes: c0c7769cdae2 ("phy: qcom-qmp: Add SC8280XP USB3 UNI phy") Reviewed-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221028160435.26948-2-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit c91e4513bc182901fcc7590aa5cf51d058205818 Author: Xiaochen Shen Date: Sat Oct 22 15:49:49 2022 +0800 dmaengine: idxd: Make read buffer sysfs attributes invisible for Intel IAA [ Upstream commit 9a8ddb35a9d5d3ad76784a012459b256a9d7de7e ] In current code, the following sysfs attributes are exposed to user to show or update the values: max_read_buffers (max_tokens) read_buffer_limit (token_limit) group/read_buffers_allowed (group/tokens_allowed) group/read_buffers_reserved (group/tokens_reserved) group/use_read_buffer_limit (group/use_token_limit) >From Intel IAA spec [1], Intel IAA does not support Read Buffer allocation control. So these sysfs attributes should not be supported on IAA device. Fix this issue by making these sysfs attributes invisible through is_visible() filter when the device is IAA. Add description in the ABI documentation to mention that these attributes are not visible when the device does not support Read Buffer allocation control. [1]: https://cdrdv2.intel.com/v1/dl/getContent/721858 Fixes: fde212e44f45 ("dmaengine: idxd: deprecate token sysfs attributes for read buffers") Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Signed-off-by: Xiaochen Shen Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20221022074949.11719-1-xiaochen.shen@intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit f2f10a2db278b13f5e532b512a64e79c5b956eb6 Author: Michael Riesch Date: Wed Nov 2 07:35:53 2022 +0100 iommu/rockchip: fix permission bits in page table entries v2 [ Upstream commit 7eb99841f340b80be0d0973b0deb592d75fb8928 ] As pointed out in the corresponding downstream fix [0], the permission bits of the page table entries are compatible between v1 and v2 of the IOMMU. This is in contrast to the current mainline code that incorrectly assumes that the read and write permission bits are switched. Fix the permission bits by reusing the v1 bit defines. [0] https://github.com/rockchip-linux/kernel/commit/e3bc123a2260145e34b57454da3db0edd117eb8e Fixes: c55356c534aa ("iommu: rockchip: Add support for iommu v2") Signed-off-by: Michael Riesch Reviewed-by: Heiko Stuebner Link: https://lore.kernel.org/r/20221102063553.2464161-1-michael.riesch@wolfvision.net Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 92af3bbeb9182ec93637c87c619fc6b9ce30339e Author: Jernej Skrabec Date: Tue Oct 25 18:54:15 2022 +0200 iommu/sun50i: Implement .iotlb_sync_map [ Upstream commit e563cc0c787c85a4d9def0a77078dc5d3f445e3d ] Allocated iova ranges need to be invalidated immediately or otherwise they might or might not work when used by master or CPU. This was discovered when running video decoder conformity test with Cedrus. Some videos were now and then decoded incorrectly and generated page faults. According to vendor driver, it's enough to invalidate just start and end TLB and PTW cache lines. Documentation says that neighbouring lines must be invalidated too. Finally, when page fault occurs, that iova must be invalidated the same way, according to documentation. Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221025165415.307591-6-jernej.skrabec@gmail.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 9b25137905c8664ad792cd315b3679323d60769d Author: Jernej Skrabec Date: Tue Oct 25 18:54:14 2022 +0200 iommu/sun50i: Fix flush size [ Upstream commit 67a8a67f9eceb72e4c73d1d09ed9ab04f4b8e12d ] Function sun50i_table_flush() takes number of entries as an argument, not number of bytes. Fix that mistake in sun50i_dte_get_page_table(). Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221025165415.307591-5-jernej.skrabec@gmail.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 3b95b7b0ddec94f2c9f89ab9043d1d5f49f91b0f Author: Jernej Skrabec Date: Tue Oct 25 18:54:13 2022 +0200 iommu/sun50i: Fix R/W permission check [ Upstream commit eac0104dc69be50bed86926d6f32e82b44f8c921 ] Because driver has enum type permissions and iommu subsystem has bitmap type, we have to be careful how check for combined read and write permissions is done. In such case, we have to mask both permissions and check that both are set at the same time. Current code just masks both flags but doesn't check that both are set. In short, it always sets R/W permission, regardles if requested permissions were RO, WO or RW. Fix that. Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221025165415.307591-4-jernej.skrabec@gmail.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 5ad5a837c3645e32173a68974c4ec09a5ef56d2b Author: Jernej Skrabec Date: Tue Oct 25 18:54:12 2022 +0200 iommu/sun50i: Consider all fault sources for reset [ Upstream commit cef20703e2b2276aaa402ec5a65ec9a09963b83e ] We have to reset masters for all faults - permissions, L1 fault or L2 fault. Currently it's done only for permissions. If other type of fault happens, master is in locked up state. Fix that by really considering all fault sources. Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221025165415.307591-3-jernej.skrabec@gmail.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit b4d8bf6c2a772d86287ae4f8a59cd334447faecf Author: Jernej Skrabec Date: Tue Oct 25 18:54:11 2022 +0200 iommu/sun50i: Fix reset release [ Upstream commit 9ad0c1252e84dbc664f0462707182245ed603237 ] Reset signal is asserted by writing 0 to the corresponding locations of masters we want to reset. So in order to deassert all reset signals, we should write 1's to all locations. Current code writes 1's to locations of masters which were just reset which is good. However, at the same time it also writes 0's to other locations and thus asserts reset signals of remaining masters. Fix code by writing all 1's when we want to deassert all reset signals. This bug was discovered when working with Cedrus (video decoder). When it faulted, display went blank due to reset signal assertion. Fixes: 4100b8c229b3 ("iommu: Add Allwinner H6 IOMMU driver") Signed-off-by: Jernej Skrabec Link: https://lore.kernel.org/r/20221025165415.307591-2-jernej.skrabec@gmail.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 9b5569846a343f3d5e80bbd72e15d8de5369f741 Author: Niklas Schnelle Date: Tue Oct 25 13:56:52 2022 +0200 iommu/s390: Fix duplicate domain attachments [ Upstream commit bf8d2dd2ed0825a58f31cc510245a1eb46f8a87e ] Since commit fa7e9ecc5e1c ("iommu/s390: Tolerate repeat attach_dev calls") we can end up with duplicates in the list of devices attached to a domain. This is inefficient and confusing since only one domain can actually be in control of the IOMMU translations for a device. Fix this by detaching the device from the previous domain, if any, on attach. Add a WARN_ON() in case we still have attached devices on freeing the domain. While here remove the re-attach on failure dance as it was determined to be unlikely to help and may confuse debug and recovery. Fixes: fa7e9ecc5e1c ("iommu/s390: Tolerate repeat attach_dev calls") Reviewed-by: Matthew Rosato Reviewed-by: Jason Gunthorpe Signed-off-by: Niklas Schnelle Link: https://lore.kernel.org/r/20221025115657.1666860-2-schnelle@linux.ibm.com Signed-off-by: Joerg Roedel Signed-off-by: Sasha Levin commit 6792416576ff69112b954d442a267d1eb4656899 Author: Dmitry Baryshkov Date: Thu Sep 29 22:00:17 2022 +0300 phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY [ Upstream commit 922adfd59efd337059f8445a8d8968552b06ed4e ] According to the kernel 4.4 sources from NHSS.QSDK.9.0.2 and according to hardware docs, the PHY registers layout used for IPQ8074 USB3 PHY is incorrect. This platform uses offset 0x174 for the PCS_STATUS register, 0xd8 for PCS_AUTONOMOUS_MODE_CTRL, etc. Correct the PHY registers layout. Fixes: 94a407cc17a4 ("phy: qcom-qmp: create copies of QMP PHY driver") Fixes: 507156f5a99f ("phy: qcom-qmp: Add USB QMP PHY support for IPQ8074") Signed-off-by: Dmitry Baryshkov Reviewed-by: Kathiravan T Link: https://lore.kernel.org/r/20220929190017.529207-1-dmitry.baryshkov@linaro.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 655d02663482882741ef6eef51f0a58a873edcb9 Author: Johan Hovold Date: Wed Oct 12 10:50:02 2022 +0200 phy: qcom-qmp-usb: drop start and pwrdn-ctrl abstraction [ Upstream commit 47b009db545ae90f0b50149029a6b8137685f524 ] Drop the start and pwrdn-ctrl abstractions which are no longer needed since the QMP driver split. Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012085002.24099-20-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 922adfd59efd ("phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY") Signed-off-by: Sasha Levin commit f674ef5bf4e19553510f249ce9a9d41e071e1fc3 Author: Johan Hovold Date: Wed Oct 12 10:49:55 2022 +0200 phy: qcom-qmp-usb: clean up status polling [ Upstream commit f5ef85adece529a6cd1e7563081c41038923a9ed ] Clean up the PHY status polling by dropping the configuration mask which is no longer needed since the QMP driver split. Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012085002.24099-13-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 922adfd59efd ("phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY") Signed-off-by: Sasha Levin commit 71c03e6a052516f58a22ccc25910954429eff93f Author: Johan Hovold Date: Wed Oct 12 10:12:41 2022 +0200 phy: qcom-qmp-usb: drop power-down delay config [ Upstream commit 38cd167d1fc6b5bf038229b1fa02bb1f551a564f ] The power-down delay was included in the first version of the QMP driver as an optional delay after powering on the PHY (using POWER_DOWN_CONTROL) and just before starting it. Later changes modified this sequence by powering on before initialising the PHY, but the optional delay stayed where it was (i.e. before starting the PHY). The vendor driver does not use a delay before starting the PHY and this is likely not needed on any platform unless there is a corresponding delay in the vendor kernel init sequence tables (i.e. in devicetree). Let's keep the delay for now, but drop the redundant delay period configuration while increasing the unnecessarily low timer slack somewhat. Reviewed-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221012081241.18273-15-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 922adfd59efd ("phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY") Signed-off-by: Sasha Levin commit 71098933ea1b4fc2d7259c30beb4fcabede31e24 Author: Johan Hovold Date: Wed Oct 12 10:12:40 2022 +0200 phy: qcom-qmp-usb: drop sc8280xp power-down delay [ Upstream commit 898ab85d6b1e8f6271d180c47ef8a024dea9e357 ] The SC8280XP PHY does not need a delay before starting the PHY (which is what the has_pwrdn_delay config option really controls) so drop the unnecessary delay. Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012081241.18273-14-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 922adfd59efd ("phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY") Signed-off-by: Sasha Levin commit c6f0977eaa19394fcd0e22099c02052c474edc14 Author: Johan Hovold Date: Mon Oct 17 08:50:11 2022 +0200 phy: qcom-qmp-usb: clean up power-down handling [ Upstream commit 645d3d04702401e002928b934b830bd25be9e277 ] Always define the POWER_DOWN_CONTROL register instead of falling back to the v2 (and v3) offset during power on and power off. Reviewed-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221017065013.19647-10-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 922adfd59efd ("phy: qcom-qmp-usb: correct registers layout for IPQ8074 USB3 PHY") Signed-off-by: Sasha Levin commit d668d34df96a82c44bc828b5d3d7a59f5333357b Author: Johan Hovold Date: Wed Oct 12 10:49:45 2022 +0200 phy: qcom-qmp-pcie: fix ipq6018 initialisation [ Upstream commit 30518b19895789aa9101474af2ee0f62cd882d5e ] The phy_status mask was never set for IPQ6018 which meant that the driver would not wait for the PHY to be initialised during power-on and would never detect PHY initialisation timeouts. Fixes: 520264db3bf9 ("phy: qcom-qmp: add QMP V2 PCIe PHY support for ipq60xx") Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012085002.24099-3-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 73af0c169079e923e21a5a39b618abc8481783d0 Author: Johan Hovold Date: Wed Oct 12 10:49:44 2022 +0200 phy: qcom-qmp-pcie: fix ipq8074-gen3 initialisation [ Upstream commit 94b7288eadf6e2c09e6280c65a9d07cca01bf434 ] The phy_status mask was never set for IPQ8074 (gen3) which meant that the driver would not wait for the PHY to be initialised during power-on and would never detect PHY initialisation timeouts. Fixes: 334fad185415 ("phy: qcom-qmp-pcie: add IPQ8074 PCIe Gen3 QMP PHY support") Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012085002.24099-2-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit abe9bf8c9501fccf05e72084a3d33ca22eeb7ddb Author: Johan Hovold Date: Wed Oct 12 10:49:43 2022 +0200 phy: qcom-qmp-pcie: fix sc8180x initialisation [ Upstream commit 4a9eac5ae2200f1b208dd33738777f89f93dc0fe ] The phy_status mask was never set for SC8180X which meant that the driver would not wait for the PHY to be initialised during power-on and would never detect PHY initialisation timeouts. Fixes: f839f14e24f2 ("phy: qcom-qmp: Add sc8180x PCIe support") Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012085002.24099-1-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0b2e4f939450d7550af544b0c142822634f75167 Author: Johan Hovold Date: Wed Oct 12 10:12:36 2022 +0200 phy: qcom-qmp-pcie: replace power-down delay [ Upstream commit 51bd33069f80705aba5f4725287bc5688ca6d92a ] The power-down delay was included in the first version of the QMP driver as an optional delay after powering on the PHY (using POWER_DOWN_CONTROL) and just before starting it. Later changes modified this sequence by powering on before initialising the PHY, but the optional delay stayed where it was (i.e. before starting the PHY). The vendor driver does not use a delay before starting the PHY and this is likely not needed on any platform unless there is a corresponding delay in the vendor kernel init sequence tables (i.e. in devicetree). But as the vendor kernel do have a 1 ms delay *after* starting the PHY and before starting to poll the status it is possible that later contributors have simply not noticed that the mainline power-down delay is not equivalent. As the current delay before even starting the PHY is pretty much pointless and likely a mistake, move the delay after starting the PHY which avoids a few iterations of polling and speeds up startup by 1 ms (the poll loop otherwise takes about 1.8 ms). Note that MSM8998 has never used a power-down delay so add a flag to skip the delay in case starting the PHY is faster on MSM8998. This can be removed after someone takes a measurement. Signed-off-by: Johan Hovold Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20221012081241.18273-10-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 4a9eac5ae220 ("phy: qcom-qmp-pcie: fix sc8180x initialisation") Signed-off-by: Sasha Levin commit b52920f887e606ea79037569d6ed696927597f27 Author: Johan Hovold Date: Wed Oct 12 10:12:35 2022 +0200 phy: qcom-qmp-pcie: drop power-down delay config [ Upstream commit e71906144b432135b483e228d65be59fbb44c310 ] The power-down delay was included in the first version of the QMP driver as an optional delay after powering on the PHY (using POWER_DOWN_CONTROL) and just before starting it. Later changes modified this sequence by powering on before initialising the PHY, but the optional delay stayed where it was (i.e. before starting the PHY). The vendor driver does not use a delay before starting the PHY and this is likely not needed on any platform unless there is a corresponding delay in the vendor kernel init sequence tables (i.e. in devicetree). Let's keep the delay for now, but drop the redundant delay period configuration while increasing the unnecessarily low timer slack somewhat. Reviewed-by: Dmitry Baryshkov Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221012081241.18273-9-johan+linaro@kernel.org Signed-off-by: Vinod Koul Stable-dep-of: 4a9eac5ae220 ("phy: qcom-qmp-pcie: fix sc8180x initialisation") Signed-off-by: Sasha Levin commit aa51fd765fe5dd51d2f65a15ce6cb3e77733414d Author: Shengjiu Wang Date: Tue Oct 18 21:44:04 2022 +0800 remoteproc: core: Auto select rproc-virtio device id [ Upstream commit 65fcf3872f83d63fb7268e05d4b02640df14126e ] With multiple remoteproc device, there will below error: sysfs: cannot create duplicate filename '/bus/platform/devices/rproc-virtio.0' The rvdev_data.index is duplicate, that cause issue, so need to use the PLATFORM_DEVID_AUTO instead. After fixing device name it becomes something like: /bus/platform/devices/rproc-virtio.2.auto Fixes: 1d7b61c06dc3 ("remoteproc: virtio: Create platform device for the remoteproc_virtio") Signed-off-by: Shengjiu Wang Reviewed-by: Arnaud Pouliquen Reviewed-by: Mukesh Ojha Tested-by: Peng Fan Link: https://lore.kernel.org/r/1666100644-27010-1-git-send-email-shengjiu.wang@nxp.com [Fixed typographical error in comment block] Signed-off-by: Mathieu Poirier Signed-off-by: Sasha Levin commit d53171d1d0e76bd1ac608601ba84ff439d027ee0 Author: Martin Povišer Date: Wed Oct 19 15:23:24 2022 +0200 dmaengine: apple-admac: Allocate cache SRAM to channels [ Upstream commit 568aa6dd641f63166bb60d769e256789b3ac42d4 ] There's a previously unknown part of the controller interface: We have to assign SRAM carveouts to channels to store their in-flight samples in. So, obtain the size of the SRAM from a read-only register and divide it into 2K blocks for allocation to channels. The FIFO depths we configure will always fit into 2K. (This fixes audio artifacts during simultaneous playback/capture on multiple channels -- which looking back is fully accounted for by having had the caches in the DMA controller overlap in memory.) Fixes: b127315d9a78 ("dmaengine: apple-admac: Add Apple ADMAC driver") Signed-off-by: Martin Povišer Link: https://lore.kernel.org/r/20221019132324.8585-2-povik+lin@cutebit.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit cc743a1d832d7ab1f9024e32f241724dfcd3bee7 Author: Xiaochen Shen Date: Sat Oct 1 04:15:28 2022 +0800 dmaengine: idxd: Make max batch size attributes in sysfs invisible for Intel IAA [ Upstream commit 91123b37e8a99cc489d5bdcfebd1c25f29382504 ] In current code, dev.max_batch_size and wq.max_batch_size attributes in sysfs are exposed to user to show or update the values. >From Intel IAA spec [1], Intel IAA does not support batch processing. So these sysfs attributes should not be supported on IAA device. Fix this issue by making the attributes of max_batch_size invisible in sysfs through is_visible() filter when the device is IAA. Add description in the ABI documentation to mention that the attributes are not visible when the device does not support batch. [1]: https://cdrdv2.intel.com/v1/dl/getContent/721858 Fixes: e7184b159dd3 ("dmaengine: idxd: add support for configurable max wq batch size") Fixes: c52ca478233c ("dmaengine: idxd: add configuration component of driver") Signed-off-by: Xiaochen Shen Reviewed-by: Dave Jiang Reviewed-by: Fenghua Yu Link: https://lore.kernel.org/r/20220930201528.18621-3-xiaochen.shen@intel.com Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit 0d0382b9c0d526fc643dc24a212a360b6ee19071 Author: Johan Hovold Date: Mon Oct 17 08:50:13 2022 +0200 phy: qcom-qmp-pcie: drop bogus register update [ Upstream commit 2d93887cb4bac0a36ce9e146956f631ab7994680 ] Since commit 0d58280cf1e6 ("phy: Update PHY power control sequence") the PHY is powered on before configuring the registers and only the MSM8996 PCIe PHY, which includes the POWER_DOWN_CONTROL register in its PCS initialisation table, may possibly require a second update afterwards. To make things worse, the POWER_DOWN_CONTROL register lies at a different offset on more recent SoCs so that the second update, which still used a hard-coded offset, would write to an unrelated register (e.g. a revision-id register on SC8280XP). As the MSM8996 PCIe PHY is now handled by a separate driver, simply drop the bogus register update. Fixes: e4d8b05ad5f9 ("phy: qcom-qmp: Use proper PWRDOWN offset for sm8150 USB") added support Reviewed-by: Dmitry Baryshkov Tested-by: Dmitry Baryshkov #RB3 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20221017065013.19647-12-johan+linaro@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit cd1e1735aeab49abc679218a79ee764c0d394880 Author: Pali Rohár Date: Tue Sep 20 14:11:54 2022 +0200 phy: marvell: phy-mvebu-a3700-comphy: Reset COMPHY registers before USB 3.0 power on [ Upstream commit b01d622d76134e9401970ffd3fbbb9a7051f976a ] Turris MOX board with older ARM Trusted Firmware version v1.5 is not able to detect any USB 3.0 device connected to USB-A port on Mox-A module after commit 0a6fc70d76bd ("phy: marvell: phy-mvebu-a3700-comphy: Remove broken reset support"). On the other hand USB 2.0 devices connected to the same USB-A port are working fine. It looks as if the older firmware configures COMPHY registers for USB 3.0 somehow incompatibly for kernel driver. Experiments show that resetting COMPHY registers via setting SFT_RST auto-clearing bit in COMPHY_SFT_RESET register fixes this issue. Reset the COMPHY in mvebu_a3700_comphy_usb3_power_on() function as a first step after selecting COMPHY lane and USB 3.0 function. With this change Turris MOX board can successfully detect USB 3.0 devices again. Before the above mentioned commit this reset was implemented in PHY reset method, so this is the reason why there was no issue with older firmware version then. Fixes: 0a6fc70d76bd ("phy: marvell: phy-mvebu-a3700-comphy: Remove broken reset support") Reported-by: Marek Behún Signed-off-by: Pali Rohár Tested-by: Shin'ichiro Kawasaki Link: https://lore.kernel.org/r/20220920121154.30115-1-pali@kernel.org Signed-off-by: Vinod Koul Signed-off-by: Sasha Levin commit b259e31d150a9a6be986e1667793e39074866f6e Author: Dan Carpenter Date: Mon Sep 12 18:08:51 2022 +0300 fs/ntfs3: Harden against integer overflows [ Upstream commit e001e60869390686809663c02bceb1d3922548fb ] Smatch complains that the "add_bytes" is not to be trusted. Use size_add() to prevent an integer overflow. Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations") Signed-off-by: Dan Carpenter Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 95afb464c86c6e9e95ea9e595282fa6f693072e8 Author: Shigeru Yoshida Date: Tue Aug 23 23:46:25 2022 +0900 fs/ntfs3: Avoid UBSAN error on true_sectors_per_clst() [ Upstream commit caad9dd8792a2622737b7273cb34835fd9536cd2 ] syzbot reported UBSAN error as below: [ 76.901829][ T6677] ================================================================================ [ 76.903908][ T6677] UBSAN: shift-out-of-bounds in fs/ntfs3/super.c:675:13 [ 76.905363][ T6677] shift exponent -247 is negative This patch avoid this error. Link: https://syzkaller.appspot.com/bug?id=b0299c09a14aababf0f1c862dd4ebc8ab9eb0179 Fixes: a3b774342fa7 (fs/ntfs3: validate BOOT sectors_per_clusters) Cc: Author: Randy Dunlap Reported-by: syzbot+35b87c668935bb55e666@syzkaller.appspotmail.com Signed-off-by: Shigeru Yoshida Signed-off-by: Konstantin Komarov Signed-off-by: Sasha Levin commit 2246ac03dd590ad4b0463ac43b43bd7074c5fad4 Author: Arnd Bergmann Date: Thu Dec 15 18:03:43 2022 +0100 RDMA/siw: Fix pointer cast warning [ Upstream commit 5244ca88671a1981ceec09c5c8809f003e6a62aa ] The previous build fix left a remaining issue in configurations with 64-bit dma_addr_t on 32-bit architectures: drivers/infiniband/sw/siw/siw_qp_tx.c: In function 'siw_get_pblpage': drivers/infiniband/sw/siw/siw_qp_tx.c:32:37: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 32 | return virt_to_page((void *)paddr); | ^ Use the same double cast here that the driver uses elsewhere to convert between dma_addr_t and void*. Fixes: 0d1b756acf60 ("RDMA/siw: Pass a pointer to virt_to_page()") Link: https://lore.kernel.org/r/20221215170347.2612403-1-arnd@kernel.org Signed-off-by: Arnd Bergmann Acked-by: Bernard Metzler Reviewed-by: Linus Walleij Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 54af75ddf3c699e0246a48e523c49ea6194ae6c4 Author: Namhyung Kim Date: Mon Dec 12 15:08:20 2022 -0800 perf stat: Do not delay the workload with --delay [ Upstream commit c587e77e100fa40eb6af10e00497c67acf493f33 ] The -D/--delay option is to delay the measure after the program starts. But the current code goes to sleep before starting the program so the program is delayed too. This is not the intention, let's fix it. Before: $ time sudo ./perf stat -a -e cycles -D 3000 sleep 4 Events disabled Events enabled Performance counter stats for 'system wide': 4,326,949,337 cycles 4.007494118 seconds time elapsed real 0m7.474s user 0m0.356s sys 0m0.120s It ran the workload for 4 seconds and gave the 3 second delay. So it should skip the first 3 second and measure the last 1 second only. But as you can see, it delays 3 seconds and ran the workload after that for 4 seconds. So the total time (real) was 7 seconds. After: $ time sudo ./perf stat -a -e cycles -D 3000 sleep 4 Events disabled Events enabled Performance counter stats for 'system wide': 1,063,551,013 cycles 1.002769510 seconds time elapsed real 0m4.484s user 0m0.385s sys 0m0.086s The bug was introduced when it changed enablement of system-wide events with a command line workload. But it should've considered the initial delay case. The code was reworked since then (in bb8bc52e7578) so I'm afraid it won't be applied cleanly. Fixes: d0a0a511493d2695 ("perf stat: Fix forked applications enablement of counters") Reported-by: Kevin Nomura Signed-off-by: Namhyung Kim Tested-by: Thomas Richter Cc: Adrian Hunter Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Peter Zijlstra Cc: Sumanth Korikkar Link: https://lore.kernel.org/r/20221212230820.901382-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 9f4c997cd12387190e1606d1238c2f132b882499 Author: Ard Biesheuvel Date: Tue Dec 13 14:24:07 2022 +0100 ftrace: Allow WITH_ARGS flavour of graph tracer with shadow call stack [ Upstream commit 38792972de4294163f44d6360fd221e6f2c22a05 ] The recent switch on arm64 from DYNAMIC_FTRACE_WITH_REGS to DYNAMIC_FTRACE_WITH_ARGS failed to take into account that we currently require the former in order to allow the function graph tracer to be enabled in combination with shadow call stacks. This means that this is no longer permitted at all, in spite of the fact that either flavour of ftrace works perfectly fine in this combination. So permit WITH_ARGS as well as WITH_REGS. Fixes: ddc9863e9e90 ("scs: Disable when function graph tracing is enabled") Acked-by: Mark Rutland Acked-by: Steven Rostedt (Google) Signed-off-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20221213132407.1485025-1-ardb@kernel.org Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 616c17a2ef99f763ae0d386e6872fa5b08b3b488 Author: Namhyung Kim Date: Thu Dec 8 10:26:36 2022 -0800 perf off_cpu: Fix a typo in BTF tracepoint name, it should be 'btf_trace_sched_switch' [ Upstream commit 167b266bf66c5b93171011ef9d1f09b070c2c537 ] In BTF, tracepoint definitions have the "btf_trace_" prefix. The off-cpu profiler needs to check the signature of the sched_switch event using that definition. But there's a typo (s/bpf/btf/) so it failed always. Fixes: b36888f71c8542cd ("perf record: Handle argument change in sched_switch") Signed-off-by: Namhyung Kim Cc: Adrian Hunter Cc: bpf@vger.kernel.org Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Song Liu Link: https://lore.kernel.org/r/20221208182636.524139-1-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 75f7820de9339cd18564336cfc2ed74dceeaeeb9 Author: Luca Weiss Date: Tue Nov 29 22:29:01 2022 +0100 leds: is31fl319x: Fix setting current limit for is31fl319{0,1,3} [ Upstream commit 135780f1048b3f956f5b10bb23dec9c2d2c4ef6d ] The current setting lives in bits 4:2 (as also defined by the mask) but the current limit defines in the driver use bits 2:0 which should be shifted over so they don't get masked out completely (except for 17.5mA which became 10mA). Now checking /sys/kernel/debug/regmap/1-0068/registers shows that the current limit is applied correctly and doesn't take the default b000 = 42mA. Fixes: fa877cf1abb9 ("leds: is31fl319x: Add support for is31fl319{0,1,3} chips") Signed-off-by: Luca Weiss Reviewed-by: Vincent Knecht Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 308eef3e16fd890e7170ab57baa03430fc0799af Author: Andreas Gruenbacher Date: Mon Dec 5 22:27:28 2022 +0100 gfs2: Partially revert gfs2_inode_lookup change [ Upstream commit 88f4a9f813c549f6b8a6fbf12030949b48a4d5a4 ] Commit c412a97cf6c5 changed delete_work_func() to always perform an inode lookup when gfs2_try_evict() fails. This doesn't make sense as a gfs2_try_evict() failure indicates that the inode is likely still in use. Revert that change. Fixes: c412a97cf6c5 ("gfs2: Use TRY lock in gfs2_inode_lookup for UNLINKED inodes") Signed-off-by: Andreas Gruenbacher Signed-off-by: Sasha Levin commit b8131efb89d9f837c9244f900f0fc2699fd1181d Author: ruanjinjie Date: Mon Dec 5 15:51:53 2022 +0800 power: supply: fix null pointer dereferencing in power_supply_get_battery_info [ Upstream commit 104bb8a663451404a26331263ce5b96c34504049 ] when kmalloc() fail to allocate memory in kasprintf(), propname will be NULL, strcmp() called by of_get_property() will cause null pointer dereference. So return ENOMEM if kasprintf() return NULL pointer. Fixes: 3afb50d7125b ("power: supply: core: Add some helpers to use the battery OCV capacity table") Signed-off-by: ruanjinjie Reviewed-by: Baolin Wang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 301e40552833e21b4c812e49273918caf216279b Author: James Clark Date: Wed Nov 30 16:51:58 2022 +0000 perf branch: Fix interpretation of branch records [ Upstream commit 20ed9fa4965875fdde5bfd65d838465e38d46b22 ] Commit 93315e46b000fc80 ("perf/core: Add speculation info to branch entries") added a new field in between type and new_type. Perf has its own copy of this struct so update it to match the kernel side. This doesn't currently cause any issues because new_type is only used by the Arm BRBE driver which isn't merged yet. Committer notes: Is this really an ABI? How are we supposed to deal with old perf.data files with new tools and vice versa? :-\ Fixes: 93315e46b000fc80 ("perf/core: Add speculation info to branch entries") Reviewed-by: Anshuman Khandual Signed-off-by: James Clark Acked-by: Namhyung Kim Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Peter Zijlstra Cc: Sandipan Das Link: https://lore.kernel.org/r/20221130165158.517385-1-james.clark@arm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 64245114c072ed3f5c2f6ff11a862e3b1b6df7fe Author: Hans de Goede Date: Mon Nov 28 10:28:48 2022 +0100 power: supply: bq25890: Ensure pump_express_work is cancelled on remove [ Upstream commit a7aaa80098d5b7608b2dc1e883e3c3f929415243 ] The pump_express_work which gets queued from an external_power_changed callback might be pending / running on remove() (or on probe failure). Add a devm action cancelling the work, to ensure that it is cancelled. Note the devm action is added before devm_power_supply_register(), making it run after devm unregisters the power_supply, so that the work cannot be queued anymore (this is also why a devm action is used for this). Fixes: 48f45b094dbb ("power: supply: bq25890: Support higher charging voltages through Pump Express+ protocol") Reviewed-by: Marek Vasut Signed-off-by: Hans de Goede Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 81b0e5d5aa0c4cb08bdffec4bdb97785b5459d11 Author: Uwe Kleine-König Date: Fri Nov 18 23:44:14 2022 +0100 power: supply: bq25890: Convert to i2c's .probe_new() [ Upstream commit c5cddca2351b291c8787b45cd046b1dfeb86979f ] The probe function doesn't make use of the i2c_device_id * parameter so it can be trivially converted. Signed-off-by: Uwe Kleine-König Signed-off-by: Sebastian Reichel Stable-dep-of: a7aaa80098d5 ("power: supply: bq25890: Ensure pump_express_work is cancelled on remove") Signed-off-by: Sasha Levin commit ebf085a725b68c5c58f52fb6705427a5c0701a85 Author: Marek Vasut Date: Fri Oct 14 19:24:25 2022 +0200 power: supply: bq25890: Factor out regulator registration code [ Upstream commit 5f5c10ecaf3fdeba9b2b0af5301977420c2c4df0 ] Pull the regulator registration code into separate function, so it can be extended to register more regulators later. Currently this is only moving ifdeffery into one place and other preparatory changes. The dev_err_probe() output string is changed to explicitly list vbus regulator failure, so that once more regulators are registered, it would be clear which one failed. Reviewed-by: Hans de Goede Signed-off-by: Marek Vasut Signed-off-by: Sebastian Reichel Stable-dep-of: a7aaa80098d5 ("power: supply: bq25890: Ensure pump_express_work is cancelled on remove") Signed-off-by: Sasha Levin commit 7d1e3961725e69774871b081a065c2b3640c5f0e Author: Qiheng Lin Date: Mon Nov 28 22:27:40 2022 +0800 power: supply: Fix refcount leak in rk817_charger_probe [ Upstream commit 54c03bfd094fb74f9533a9c28250219afe182382 ] of_get_child_by_name() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. Fixes: 11cb8da0189b ("power: supply: Add charger driver for Rockchip RK817") Signed-off-by: Qiheng Lin Reviewed-by: Chris Morgan Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit b866e8a0b7dc28d7f1b1c4f7d1329b6f0ff5c77d Author: Yuan Can Date: Thu Nov 24 03:19:32 2022 +0000 power: supply: ab8500: Fix error handling in ab8500_charger_init() [ Upstream commit c4d33381b134da188ccd1084aef21e2b8c3c422e ] The ab8500_charger_init() returns the platform_driver_register() directly without checking its return value, if platform_driver_register() failed, all ab8500_charger_component_drivers are not unregistered. Fix by unregister ab8500_charger_component_drivers when platform_driver_register() failed. Fixes: 1c1f13a006ed ("power: supply: ab8500: Move to componentized binding") Signed-off-by: Yuan Can Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 42d976bd9766a74ba87f5a8d0dcadda31378b7c7 Author: Yuan Can Date: Thu Nov 24 11:33:32 2022 +0000 HSI: omap_ssi_core: Fix error handling in ssi_init() [ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ] The ssi_init() returns the platform_driver_register() directly without checking its return value, if platform_driver_register() failed, the ssi_pdriver is not unregistered. Fix by unregister ssi_pdriver when the last platform_driver_register() failed. Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module") Signed-off-by: Yuan Can Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 5150b76aa2eb8bb8feb7f7a048417f9d39c3dd04 Author: Shang XiaoJing Date: Thu Nov 17 10:45:58 2022 +0800 power: supply: cw2015: Fix potential null-ptr-deref in cw_bat_probe() [ Upstream commit 97f2b4ddb0aa700d673691a7d5e44d226d22bab7 ] cw_bat_probe() calls create_singlethread_workqueue() and not checked the ret value, which may return NULL. And a null-ptr-deref may happen: cw_bat_probe() create_singlethread_workqueue() # failed, cw_bat->wq is NULL queue_delayed_work() queue_delayed_work_on() __queue_delayed_work() # warning here, but continue __queue_work() # access wq->flags, null-ptr-deref Check the ret value and return -ENOMEM if it is NULL. Fixes: b4c7715c10c1 ("power: supply: add CellWise cw2015 fuel gauge driver") Signed-off-by: Shang XiaoJing Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit be11e095131437084d2dd214cb9ff5a7e281995d Author: Zhang Qilong Date: Mon Nov 21 09:18:31 2022 +0800 power: supply: z2_battery: Fix possible memleak in z2_batt_probe() [ Upstream commit 955bee204f3dd307642c101b75e370662987e735 ] If devm_gpiod_get_optional() returns error, the charger should be freed before z2_batt_probe returns according to the context. We fix it by just gotoing to 'err' branch. Fixes: a3b4388ea19b ("power: supply: z2_battery: Convert to GPIO descriptors") Signed-off-by: Zhang Qilong Reviewed-by: Linus Walleij Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 38d35aae1b2712a58f5e075f5bb508b32e12ab34 Author: Ajay Kaher Date: Wed Nov 23 15:48:16 2022 +0530 perf symbol: correction while adjusting symbol [ Upstream commit 6f520ce17920b3cdfbd2479b3ccf27f9706219d0 ] perf doesn't provide proper symbol information for specially crafted .debug files. Sometimes .debug file may not have similar program header as runtime ELF file. For example if we generate .debug file using objcopy --only-keep-debug resulting file will not contain .text, .data and other runtime sections. That means corresponding program headers will have zero FileSiz and modified Offset. Example: program header of text section of libxxx.so: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flags Align LOAD 0x00000000003d3000 0x00000000003d3000 0x00000000003d3000 0x000000000055ae80 0x000000000055ae80 R E 0x1000 Same program header after executing: objcopy --only-keep-debug libxxx.so libxxx.so.debug LOAD 0x0000000000001000 0x00000000003d3000 0x00000000003d3000 0x0000000000000000 0x000000000055ae80 R E 0x1000 Offset and FileSiz have been changed. Following formula will not provide correct value, if program header taken from .debug file (syms_ss): sym.st_value -= phdr.p_vaddr - phdr.p_offset; Correct program header information is located inside runtime ELF file (runtime_ss). Fixes: 2d86612aacb7805f ("perf symbol: Correct address for bss symbols") Signed-off-by: Ajay Kaher Cc: Alexander Shishkin Cc: Alexey Makhalov Cc: Jiri Olsa Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Srivatsa S. Bhat Cc: Steven Rostedt (VMware) Cc: Vasavi Sirnapalli Link: http://lore.kernel.org/lkml/1669198696-50547-1-git-send-email-akaher@vmware.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit bc05eb64a10ca60bf969369bfb993ff2169f7f66 Author: Leo Yan Date: Mon Nov 21 07:52:35 2022 +0000 perf trace: Handle failure when trace point folder is missed [ Upstream commit 03e9a5d8eb552a1bf692a9c8a5ecd50f4e428006 ] On Arm64 a case is perf tools fails to find the corresponding trace point folder for system calls listed in the table 'syscalltbl_arm64', e.g. the generated system call table contains "lookup_dcookie" but we cannot find out the matched trace point folder for it. We need to figure out if there have any issue for the generated system call table, on the other hand, we need to handle the case when trace point folder is missed under sysfs, this patch sets the flag syscall::nonexistent as true and returns the error from trace__read_syscall_info(). Another problem is for trace__syscall_info(), it returns two different values if a system call doesn't exist: at the first time calling trace__syscall_info() it returns NULL when the system call doesn't exist, later if call trace__syscall_info() again for the same missed system call, it returns pointer of syscall. trace__syscall_info() checks the condition 'syscalls.table[id].name == NULL', but the name will be assigned in the first invoking even the system call is not found. So checking system call's name in trace__syscall_info() is not the right thing to do, this patch simply checks flag syscall::nonexistent to make decision if a system call exists or not, finally trace__syscall_info() returns the consistent result (NULL) if a system call doesn't existed. Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages") Signed-off-by: Leo Yan Acked-by: Ian Rogers Cc: Alexander Shishkin Cc: bpf@vger.kernel.org Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20221121075237.127706-4-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 27e9c2ca24cecdff7ad2335857bf7db6ef3d9417 Author: Leo Yan Date: Mon Nov 21 07:52:33 2022 +0000 perf trace: Use macro RAW_SYSCALL_ARGS_NUM to replace number [ Upstream commit eadcab4c7a66e1df03d32da0db55d89fd9343fcc ] This patch defines a macro RAW_SYSCALL_ARGS_NUM to replace the open coded number '6'. Signed-off-by: Leo Yan Acked-by: Ian Rogers Cc: Alexander Shishkin Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: bpf@vger.kernel.org Link: https://lore.kernel.org/r/20221121075237.127706-2-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Stable-dep-of: 03e9a5d8eb55 ("perf trace: Handle failure when trace point folder is missed") Signed-off-by: Sasha Levin commit 01673142a6793865082cb9c46c6edaa47bfc83b2 Author: Leo Yan Date: Mon Nov 21 07:52:34 2022 +0000 perf trace: Return error if a system call doesn't exist [ Upstream commit d4223e1776c30b2ce8d0e6eaadcbf696e60fca3c ] When a system call is not detected, the reason is either because the system call ID is out of scope or failure to find the corresponding path in the sysfs, trace__read_syscall_info() returns zero. Finally, without returning an error value it introduces confusion for the caller. This patch lets the function trace__read_syscall_info() to return -EEXIST when a system call doesn't exist. Fixes: b8b1033fcaa091d8 ("perf trace: Mark syscall ids that are not allocated to avoid unnecessary error messages") Signed-off-by: Leo Yan Acked-by: Ian Rogers Cc: Alexander Shishkin Cc: bpf@vger.kernel.org Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20221121075237.127706-3-leo.yan@linaro.org Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 0fd13791feb649c2e0e5c855eaf7c07864535578 Author: Mika Westerberg Date: Fri Oct 28 09:27:50 2022 +0300 watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running [ Upstream commit ef9b7bf52c2f47f0a9bf988543c577b92c92d15e ] Daniel reported that the commit 1ae3e78c0820 ("watchdog: iTCO_wdt: No need to stop the timer in probe") makes QEMU implementation of the iTCO watchdog not to trigger reboot anymore when NO_REBOOT flag is initially cleared using this option (in QEMU command line): -global ICH9-LPC.noreboot=false The problem with the commit is that it left the unconditional setting of NO_REBOOT that is not cleared anymore when the kernel keeps pinging the watchdog (as opposed to the previous code that called iTCO_wdt_stop() that cleared it). Fix this so that we only set NO_REBOOT if the watchdog was not initially running. Fixes: 1ae3e78c0820 ("watchdog: iTCO_wdt: No need to stop the timer in probe") Reported-by: Daniel P. Berrangé Signed-off-by: Mika Westerberg Tested-by: Daniel P. Berrangé Reviewed-by: Daniel P. Berrangé Reviewed-by: Guenter Roeck Link: https://lore.kernel.org/r/20221028062750.45451-1-mika.westerberg@linux.intel.com Signed-off-by: Guenter Roeck Signed-off-by: Wim Van Sebroeck Signed-off-by: Sasha Levin commit a9b65ba1afcc9dbdcd786c3a7a13452fdb9b5fd8 Author: Zeng Heng Date: Thu Nov 17 16:32:19 2022 +0800 power: supply: fix residue sysfs file in error handle route of __power_supply_register() [ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ] If device_add() succeeds, we should call device_del() when want to get rid of it, so move it into proper jump symbol. Otherwise, when __power_supply_register() returns fail and goto wakeup_init_failed to exit, there is still residue device file in sysfs. When attempt to probe device again, sysfs would complain as below: sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061' Call Trace: dump_stack_lvl+0x68/0x85 sysfs_warn_dup.cold+0x1c/0x29 sysfs_create_dir_ns+0x1b1/0x1d0 kobject_add_internal+0x143/0x390 kobject_add+0x108/0x170 Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate") Signed-off-by: Zeng Heng Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit fa80f145e543421f8ef985ad1915f834d73fd842 Author: Yang Yingliang Date: Mon Oct 31 15:43:37 2022 +0800 HSI: omap_ssi_core: fix possible memory leak in ssi_probe() [ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ] If ssi_add_controller() returns error, it should call hsi_put_controller() to give up the reference that was set in hsi_alloc_controller(), so that it can call hsi_controller_release() to free controller and ports that allocated in hsi_alloc_controller(). Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") Signed-off-by: Yang Yingliang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 8159e2f8b60ea3a7d818e2eda235577a67b1a03e Author: Yang Yingliang Date: Tue Nov 1 11:41:18 2022 +0800 HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() [ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ] In error label 'out1' path in ssi_probe(), the pm_runtime_enable() has not been called yet, so pm_runtime_disable() is not needed. Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") Signed-off-by: Yang Yingliang Signed-off-by: Sebastian Reichel Signed-off-by: Sasha Levin commit 8a9c05d988cc7cf51c74ecd6aa8c14bdd1771d9f Author: Namhyung Kim Date: Mon Nov 7 13:33:09 2022 -0800 perf stat: Move common code in print_metric_headers() [ Upstream commit f4e55f88da923f39f0b76edc3da3c52d0b72d429 ] The struct perf_stat_output_ctx is set in a loop with the same values. Move the code out of the loop and keep the loop minimal. Signed-off-by: Namhyung Kim Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Peter Zijlstra Cc: Xing Zhengjun Link: https://lore.kernel.org/r/20221107213314.3239159-5-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Stable-dep-of: fdc7d6082459 ("perf stat: Fix --metric-only --json output") Signed-off-by: Sasha Levin commit 1b2a63c33106262de08921357ac03d0fa4e2e0f3 Author: Namhyung Kim Date: Mon Oct 17 19:02:10 2022 -0700 perf stat: Use evsel__is_hybrid() more [ Upstream commit 93d5e700156e03e66eb1bf2158ba3b8a8b354c71 ] In the stat-display code, it needs to check if the current evsel is hybrid but it uses perf_pmu__has_hybrid() which can return true for non-hybrid event too. I think it's better to use evsel__is_hybrid(). Also remove a NULL check for the 'config' parameter in the hybrid_merge() since it's called after config->no_merge check. Signed-off-by: Namhyung Kim Acked-by: Ian Rogers Cc: Adrian Hunter Cc: Andi Kleen Cc: Athira Jajeev Cc: Ingo Molnar Cc: James Clark Cc: Jiri Olsa Cc: Kan Liang Cc: Leo Yan Cc: Michael Petlan Cc: Peter Zijlstra Cc: Xing Zhengjun Link: https://lore.kernel.org/r/20221018020227.85905-4-namhyung@kernel.org Signed-off-by: Arnaldo Carvalho de Melo Stable-dep-of: fdc7d6082459 ("perf stat: Fix --metric-only --json output") Signed-off-by: Sasha Levin commit 6c8d5578180c36069db5c5b7d939ae1f523e59f0 Author: James Clark Date: Tue Oct 18 10:41:35 2022 +0100 perf tools: Fix "kernel lock contention analysis" test by not printing warnings in quiet mode [ Upstream commit 65319890c32db29fb56b41f84265a2c7029943f4 ] Especially when CONFIG_LOCKDEP and other debug configs are enabled, Perf can print the following warning when running the "kernel lock contention analysis" test: Warning: Processed 1378918 events and lost 4 chunks! Check IO/CPU overload! Warning: Processed 4593325 samples and lost 70.00%! The test already supplies -q to run in quiet mode, so extend quiet mode to perf_stdio__warning() and also ui__warning() for consistency. This fixes the following failure due to the extra lines counted: perf test "lock cont" -vvv 82: kernel lock contention analysis test : --- start --- test child forked, pid 3125 Testing perf lock record and perf lock contention [Fail] Recorded result count is not 1: 9 test child finished with -1 ---- end ---- kernel lock contention analysis test: FAILED! Fixes: ec685de25b6718f8 ("perf test: Add kernel lock contention test") Signed-off-by: James Clark Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Ian Rogers Cc: Ingo Molnar Cc: Jiri Olsa Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: https://lore.kernel.org/r/20221018094137.783081-2-james.clark@arm.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 380304391fa7fb084745f26b4b9a59f4666520c1 Author: Dmitry Baryshkov Date: Fri Oct 21 22:19:40 2022 +0300 led: qcom-lpg: Fix sleeping in atomic [ Upstream commit 3031993b3474794ecb71b6f969a3e60e4bda9d8a ] lpg_brighness_set() function can sleep, while led's brightness_set() callback must be non-blocking. Change LPG driver to use brightness_set_blocking() instead. BUG: sleeping function called from invalid context at kernel/locking/mutex.c:580 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 0, name: swapper/0 preempt_count: 101, expected: 0 INFO: lockdep is turned off. CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 6.1.0-rc1-00014-gbe99b089c6fc-dirty #85 Hardware name: Qualcomm Technologies, Inc. DB820c (DT) Call trace: dump_backtrace.part.0+0xe4/0xf0 show_stack+0x18/0x40 dump_stack_lvl+0x88/0xb4 dump_stack+0x18/0x34 __might_resched+0x170/0x254 __might_sleep+0x48/0x9c __mutex_lock+0x4c/0x400 mutex_lock_nested+0x2c/0x40 lpg_brightness_single_set+0x40/0x90 led_set_brightness_nosleep+0x34/0x60 led_heartbeat_function+0x80/0x170 call_timer_fn+0xb8/0x340 __run_timers.part.0+0x20c/0x254 run_timer_softirq+0x3c/0x7c _stext+0x14c/0x578 ____do_softirq+0x10/0x20 call_on_irq_stack+0x2c/0x5c do_softirq_own_stack+0x1c/0x30 __irq_exit_rcu+0x164/0x170 irq_exit_rcu+0x10/0x40 el1_interrupt+0x38/0x50 el1h_64_irq_handler+0x18/0x2c el1h_64_irq+0x64/0x68 cpuidle_enter_state+0xc8/0x380 cpuidle_enter+0x38/0x50 do_idle+0x244/0x2d0 cpu_startup_entry+0x24/0x30 rest_init+0x128/0x1a0 arch_post_acpi_subsys_init+0x0/0x18 start_kernel+0x6f4/0x734 __primary_switched+0xbc/0xc4 Fixes: 24e2d05d1b68 ("leds: Add driver for Qualcomm LPG") Signed-off-by: Dmitry Baryshkov Signed-off-by: Pavel Machek Signed-off-by: Sasha Levin commit 7aca1cea8fcc37c29ffeae1b51994e8ae6b66f14 Author: Christophe JAILLET Date: Sat Dec 10 12:35:22 2022 +0100 fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() [ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ] If an error occurs after a successful uvesafb_init_mtrr() call, it must be undone by a corresponding arch_phys_wc_del() call, as already done in the remove function. This has been added in the remove function in commit 63e28a7a5ffc ("uvesafb: Clean up MTRR code") Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core") Signed-off-by: Christophe JAILLET Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 5976889098e6adbcdff7a7b77527ffffe6b435bf Author: Randy Dunlap Date: Wed Nov 30 13:55:59 2022 -0800 fbdev: uvesafb: don't build on UML [ Upstream commit 35b4f4d4a725cf8f8c10649163cd12aed509b953 ] The uvesafb fbdev driver uses memory management information that is not available on ARCH=um, so don't allow this driver to be built on UML. Prevents these build errors: ../drivers/video/fbdev/uvesafb.c: In function ‘uvesafb_vbe_init’: ../drivers/video/fbdev/uvesafb.c:807:21: error: ‘__supported_pte_mask’ undeclared (first use in this function) 807 | if (__supported_pte_mask & _PAGE_NX) { ../drivers/video/fbdev/uvesafb.c:807:44: error: ‘_PAGE_NX’ undeclared (first use in this function) 807 | if (__supported_pte_mask & _PAGE_NX) { Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") Signed-off-by: Randy Dunlap Cc: Johannes Berg Cc: Richard Weinberger Cc: linux-um@lists.infradead.org Cc: Daniel Vetter Cc: Helge Deller Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: Michal Januszewski Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit e268a579253645352665e6f80edc4b213e76bee0 Author: Randy Dunlap Date: Wed Nov 30 13:55:44 2022 -0800 fbdev: geode: don't build on UML [ Upstream commit 71c53e19226b0166ba387d3c590d0509f541a0a1 ] The geode fbdev driver uses struct cpuinfo fields that are not present on ARCH=um, so don't allow this driver to be built on UML. Prevents these build errors: In file included from ../arch/x86/include/asm/olpc.h:7:0, from ../drivers/mfd/cs5535-mfd.c:17: ../arch/x86/include/asm/geode.h: In function ‘is_geode_gx’: ../arch/x86/include/asm/geode.h:16:24: error: ‘struct cpuinfo_um’ has no member named ‘x86_vendor’ return ((boot_cpu_data.x86_vendor == X86_VENDOR_NSC) && ../arch/x86/include/asm/geode.h:16:39: error: ‘X86_VENDOR_NSC’ undeclared (first use in this function); did you mean ‘X86_VENDOR_ANY’? return ((boot_cpu_data.x86_vendor == X86_VENDOR_NSC) && ../arch/x86/include/asm/geode.h:17:17: error: ‘struct cpuinfo_um’ has no member named ‘x86’ (boot_cpu_data.x86 == 5) && ../arch/x86/include/asm/geode.h:18:17: error: ‘struct cpuinfo_um’ has no member named ‘x86_model’ (boot_cpu_data.x86_model == 5)); ../arch/x86/include/asm/geode.h: In function ‘is_geode_lx’: ../arch/x86/include/asm/geode.h:23:24: error: ‘struct cpuinfo_um’ has no member named ‘x86_vendor’ return ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && ../arch/x86/include/asm/geode.h:23:39: error: ‘X86_VENDOR_AMD’ undeclared (first use in this function); did you mean ‘X86_VENDOR_ANY’? return ((boot_cpu_data.x86_vendor == X86_VENDOR_AMD) && ../arch/x86/include/asm/geode.h:24:17: error: ‘struct cpuinfo_um’ has no member named ‘x86’ (boot_cpu_data.x86 == 5) && ../arch/x86/include/asm/geode.h:25:17: error: ‘struct cpuinfo_um’ has no member named ‘x86_model’ (boot_cpu_data.x86_model == 10)); Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") Signed-off-by: Randy Dunlap Cc: Johannes Berg Cc: Richard Weinberger Cc: linux-um@lists.infradead.org Cc: Daniel Vetter Cc: Helge Deller Cc: linux-fbdev@vger.kernel.org Cc: dri-devel@lists.freedesktop.org Cc: Andres Salomon Cc: linux-geode@lists.infradead.org Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 4c0d613d7999c789fbdbd0c515e8181ceeb5dd70 Author: Gaosheng Cui Date: Wed Nov 23 17:29:43 2022 +0800 fbdev: ep93xx-fb: Add missing clk_disable_unprepare in ep93xxfb_probe() [ Upstream commit c84bf485a5aaf9aa0764a58832b7ef4375c29f03 ] The clk_disable_unprepare() should be called in the error handling of register_framebuffer(), fix it. Fixes: 0937a7b3625d ("video: ep93xx: Prepare clock before using it") Signed-off-by: Gaosheng Cui Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 1fb436db9c879942688ef6718c1fc19c60bf36d0 Author: Xiongfeng Wang Date: Mon Nov 14 16:56:54 2022 +0800 fbdev: vermilion: decrease reference count in error path [ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ] pci_get_device() will increase the reference count for the returned pci_dev. For the error path, we need to use pci_dev_put() to decrease the reference count. Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range") Signed-off-by: Xiongfeng Wang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit e94ae434f659d9c4e46ac5ce45ea30e19cd2aa42 Author: Shang XiaoJing Date: Mon Nov 14 09:08:52 2022 +0800 fbdev: via: Fix error in via_core_init() [ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ] via_core_init() won't exit the driver when pci_register_driver() failed. Exit the viafb-i2c and the viafb-gpio in failed path to prevent error. VIA Graphics Integration Chipset framebuffer 2.4 initializing Error: Driver 'viafb-i2c' is already registered, aborting... Error: Driver 'viafb-gpio' is already registered, aborting... Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices") Signed-off-by: Shang XiaoJing Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 85255669ce724241d6c5a241864db7a3135f7329 Author: Yang Yingliang Date: Sat Nov 12 17:55:10 2022 +0800 fbdev: pm2fb: fix missing pci_disable_device() [ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ] Add missing pci_disable_device() in error path of probe() and remove() path. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit 3be1f75453696decf3e04c1bf26ddf9119efbc27 Author: Andy Shevchenko Date: Tue Nov 1 17:09:46 2022 +0200 fbdev: ssd1307fb: Drop optional dependency [ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ] Only a single out of three devices need a PWM, so from driver it's optional. Moreover it's a single driver in the entire kernel that currently selects PWM. Unfortunately this selection is a root cause of the circular dependencies when we want to enable optional PWM for some other drivers that select GPIOLIB. Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller") Signed-off-by: Andy Shevchenko Signed-off-by: Helge Deller Signed-off-by: Sasha Levin commit ba9550952f20114cb63caf88c873d7ab219ad530 Author: Bjorn Andersson Date: Wed Mar 16 11:03:22 2022 -0700 thermal/drivers/qcom/lmh: Fix irq handler return value [ Upstream commit 46a891e45be97c6781ac34f5ec777d69370e252b ] After enough invocations the LMh irq is eventually reported as bad, because the handler doesn't return IRQ_HANDLED, fix this. Fixes: 53bca371cdf7 ("thermal/drivers/qcom: Add support for LMh driver") Reported-by: Daniel Lezcano Signed-off-by: Bjorn Andersson Reviewed-by: Dmitry Baryshkov Link: https://lore.kernel.org/r/20220316180322.88132-1-bjorn.andersson@linaro.org Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit f7f3721c78a255d69ca245312d4ee716fec7c74f Author: Luca Weiss Date: Thu Oct 20 16:52:37 2022 +0200 thermal/drivers/qcom/temp-alarm: Fix inaccurate warning for gen2 [ Upstream commit 8763f8acbf8aef22a2321d4c978cd078aa3b8f64 ] On gen2 chips the stage2 threshold is not 140 degC but 125 degC. Make the warning message clearer by using this variable and also by including the temperature that was checked for. Fixes: aa92b3310c55 ("thermal/drivers/qcom-spmi-temp-alarm: Add support for GEN2 rev 1 PMIC peripherals") Signed-off-by: Luca Weiss Reviewed-by: Amit Kucheria Link: https://lore.kernel.org/r/20221020145237.942146-1-luca.weiss@fairphone.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 6ddc86823973276411b5df1df0645caf7e24558d Author: Ido Schimmel Date: Thu Oct 20 13:36:58 2022 +0300 thermal/of: Fix memory leak on thermal_of_zone_register() failure [ Upstream commit 7ef2f023c2c77a452ba5d0c9b1ad04a5a895d553 ] The function does not free 'of_ops' upon failure, leading to a memory leak [1]. Fix by freeing 'of_ops' in the error path. [1] unreferenced object 0xffff8ee846198c80 (size 128): comm "swapper/0", pid 1, jiffies 4294699704 (age 70.076s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ d0 3f 6e 8c ff ff ff ff 00 00 00 00 00 00 00 00 .?n............. backtrace: [<00000000d136f562>] __kmalloc_node_track_caller+0x42/0x120 [<0000000063f31678>] kmemdup+0x1d/0x40 [<00000000e6d24096>] thermal_of_zone_register+0x49/0x520 [<000000005e78c755>] devm_thermal_of_zone_register+0x54/0x90 [<00000000ee6b209e>] pmbus_add_sensor+0x1b4/0x1d0 [<00000000896105e3>] pmbus_add_sensor_attrs_one+0x123/0x440 [<0000000049e990a6>] pmbus_add_sensor_attrs+0xfe/0x1d0 [<00000000466b5440>] pmbus_do_probe+0x66b/0x14e0 [<0000000084d42285>] i2c_device_probe+0x13b/0x2f0 [<0000000029e2ae74>] really_probe+0xce/0x2c0 [<00000000692df15c>] driver_probe_device+0x19/0xd0 [<00000000547d9cce>] __device_attach_driver+0x6f/0x100 [<0000000020abd24b>] bus_for_each_drv+0x76/0xc0 [<00000000665d9563>] __device_attach+0xfc/0x180 [<000000008ddd4d6a>] bus_probe_device+0x82/0xa0 [<000000009e61132b>] device_add+0x3fe/0x920 Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization") Signed-off-by: Ido Schimmel Reviewed-by: Vadim Pasternak Link: https://lore.kernel.org/r/20221020103658.802457-1-idosch@nvidia.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 8eeda6567cc4329d58d06f72deca6937db6e39da Author: Keerthy Date: Mon Oct 10 09:11:26 2022 +0530 thermal/drivers/k3_j72xx_bandgap: Fix the debug print message [ Upstream commit a7c42af78b19a11e98a5555a664c343e3a672632 ] The debug print message to check the workaround applicability is inverted. Fix the same. Fixes: ffcb2fc86eb7 ("thermal: k3_j72xx_bandgap: Add the bandgap driver support") Reported-by: Bryan Brattlof Signed-off-by: Keerthy Link: https://lore.kernel.org/r/20221010034126.3550-1-j-keerthy@ti.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit db9d0e74a663b3f2e4c4bf44c215a8211517de7d Author: Marcus Folkesson Date: Fri Oct 14 09:35:07 2022 +0200 thermal/drivers/imx8mm_thermal: Validate temperature range [ Upstream commit d37edc7370273306d8747097fafa62436c1cfe16 ] Check against the upper temperature limit (125 degrees C) before consider the temperature valid. Fixes: 5eed800a6811 ("thermal: imx8mm: Add support for i.MX8MM thermal monitoring unit") Signed-off-by: Marcus Folkesson Reviewed-by: Jacky Bai Link: https://lore.kernel.org/r/20221014073507.1594844-1-marcus.folkesson@gmail.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 5cba61bcd2f75f074a97130b2a54e7990c32c0ca Author: Shang XiaoJing Date: Thu Dec 8 09:33:41 2022 +0800 samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() [ Upstream commit d1f0f50fbbbbca1e3e8157e51934613bf88f6d44 ] Add missing pci_disable_device() in fail path of mdpy_fb_probe(). Besides, fix missing release functions in mdpy_fb_remove(). Fixes: cacade1946a4 ("sample: vfio mdev display - guest driver") Signed-off-by: Shang XiaoJing Link: https://lore.kernel.org/r/20221208013341.3999-1-shangxiaojing@huawei.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit f9ed133381eba883c5e0059063d5b3ca7cac6d41 Author: Xiu Jianfeng Date: Wed Nov 16 20:22:37 2022 +0800 ksmbd: Fix resource leak in ksmbd_session_rpc_open() [ Upstream commit bc044414fa0326a4e5c3c509c00b1fcaf621b5f4 ] When ksmbd_rpc_open() fails then it must call ksmbd_rpc_id_free() to undo the result of ksmbd_ipc_id_alloc(). Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") Signed-off-by: Xiu Jianfeng Acked-by: Namjae Jeon Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 7f09fe9fc6ea1e299cd3520ceec598fc6c6500ce Author: Zheng Yejian Date: Wed Dec 7 21:53:26 2022 +0800 tracing/hist: Fix issue of losting command info in error_log [ Upstream commit 608c6ed3337850c767ab0dd6c583477922233e29 ] When input some constructed invalid 'trigger' command, command info in 'error_log' are lost [1]. The root cause is that there is a path that event_hist_trigger_parse() is recursely called once and 'last_cmd' which save origin command is cleared, then later calling of hist_err() will no longer record origin command info: event_hist_trigger_parse() { last_cmd_set() // <1> 'last_cmd' save origin command here at first create_actions() { onmatch_create() { action_create() { trace_action_create() { trace_action_create_field_var() { create_field_var_hist() { event_hist_trigger_parse() { // <2> recursely called once hist_err_clear() // <3> 'last_cmd' is cleared here } hist_err() // <4> No longer find origin command!!! Since 'glob' is empty string while running into the recurse call, we can trickly check it and bypass the call of hist_err_clear() to solve it. [1] # cd /sys/kernel/tracing # echo "my_synth_event int v1; int v2; int v3;" >> synthetic_events # echo 'hist:keys=pid' >> events/sched/sched_waking/trigger # echo "hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(\ pid,pid1)" >> events/sched/sched_switch/trigger # cat error_log [ 8.405018] hist:sched:sched_switch: error: Couldn't find synthetic event Command: hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) ^ [ 8.816902] hist:sched:sched_switch: error: Couldn't find field Command: hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) ^ [ 8.816902] hist:sched:sched_switch: error: Couldn't parse field variable Command: hist:keys=next_pid:onmatch(sched.sched_waking).my_synth_event(pid,pid1) ^ [ 8.999880] : error: Couldn't find field Command: ^ [ 8.999880] : error: Couldn't parse field variable Command: ^ [ 8.999880] : error: Couldn't find field Command: ^ [ 8.999880] : error: Couldn't create histogram for field Command: ^ Link: https://lore.kernel.org/linux-trace-kernel/20221207135326.3483216-1-zhengyejian1@huawei.com Cc: Cc: Fixes: f404da6e1d46 ("tracing: Add 'last error' error facility for hist triggers") Signed-off-by: Zheng Yejian Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit 82d1211f673bbdc822eaf1dbcbf1f2ae06556964 Author: Yang Yingliang Date: Sat Dec 3 15:10:27 2022 +0800 usb: typec: wusb3801: fix fwnode refcount leak in wusb3801_probe() [ Upstream commit dc18a4c7b3bd447cef2395deeb1f6ac16dfaca0e ] I got the following report while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 4, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/tcpc@60/connector If wusb3801_hw_init() fails, fwnode_handle_put() needs be called to avoid refcount leak. Fixes: d016cbe4d7ac ("usb: typec: Support the WUSB3801 port controller") Reviewed-by: Heikki Krogerus Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221203071027.3808308-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 94cca9c339412b57bee4dfb854e1e4b409322689 Author: Jiasheng Jiang Date: Thu Dec 8 19:00:58 2022 +0800 usb: storage: Add check for kcalloc [ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ] As kcalloc may return NULL pointer, the return value should be checked and return error if fails as same as the ones in alauda_read_map. Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") Acked-by: Alan Stern Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 233348a04becf133283f0076e20b317302de21d9 Author: Zheyu Ma Date: Fri Jul 29 19:02:16 2022 +0800 i2c: ismt: Fix an out-of-bounds bug in ismt_access() [ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ] When the driver does not check the data from the user, the variable 'data->block[0]' may be very large to cause an out-of-bounds bug. The following log can reveal it: [ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 [ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE [ 33.996475] ================================================================== [ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b [ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 [ 33.999450] Call Trace: [ 34.001849] memcpy+0x20/0x60 [ 34.002077] ismt_access.cold+0x374/0x214b [ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 [ 34.004007] i2c_smbus_xfer+0x10a/0x390 [ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 [ 34.005196] i2cdev_ioctl+0x5ec/0x74c Fix this bug by checking the size of 'data->block[0]' first. Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller") Signed-off-by: Zheyu Ma Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit f7a440c89b6d460154efeb058272760e41bdfea8 Author: Yang Yingliang Date: Sat Oct 29 17:38:25 2022 +0800 i2c: mux: reg: check return value after calling platform_get_resource() [ Upstream commit 2d47b79d2bd39cc6369eccf94a06568d84c906ae ] It will cause null-ptr-deref in resource_size(), if platform_get_resource() returns NULL, move calling resource_size() after devm_ioremap_resource() that will check 'res' to avoid null-ptr-deref. And use devm_platform_get_and_ioremap_resource() to simplify code. Fixes: b3fdd32799d8 ("i2c: mux: Add register-based mux i2c-mux-reg") Signed-off-by: Yang Yingliang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit 86fdf151b9b8385fe08e6b8327728cf106a7e252 Author: Bartosz Golaszewski Date: Mon Dec 5 13:39:03 2022 +0100 gpiolib: protect the GPIO device against being dropped while in use by user-space [ Upstream commit bdbbae241a04f387ba910b8609f95fad5f1470c7 ] While any of the GPIO cdev syscalls is in progress, the kernel can call gpiochip_remove() (for instance, when a USB GPIO expander is disconnected) which will set gdev->chip to NULL after which any subsequent access will cause a crash. To avoid that: use an RW-semaphore in which the syscalls take it for reading (so that we don't needlessly prohibit the user-space from calling syscalls simultaneously) while gpiochip_remove() takes it for writing so that it can only happen once all syscalls return. Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL") Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL") Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL") Signed-off-by: Bartosz Golaszewski [Nick: fixed a build failure with CDEV_V1 disabled] Co-authored-by: Nick Hainke Reviewed-by: Kent Gibson Reviewed-by: Andy Shevchenko Reviewed-by: Linus Walleij Signed-off-by: Sasha Levin commit ac6ce3cd7a3e10a2e37b8970bab81b4d33d5cfc3 Author: Bartosz Golaszewski Date: Mon Dec 5 13:39:02 2022 +0100 gpiolib: cdev: fix NULL-pointer dereferences [ Upstream commit 533aae7c94dbc2b14301cfd68ae7e0e90f0c8438 ] There are several places where we can crash the kernel by requesting lines, unbinding the GPIO device, then calling any of the system calls relevant to the GPIO character device's annonymous file descriptors: ioctl(), read(), poll(). While I observed it with the GPIO simulator, it will also happen for any of the GPIO devices that can be hot-unplugged - for instance any HID GPIO expander (e.g. CP2112). This affects both v1 and v2 uAPI. This fixes it partially by checking if gdev->chip is not NULL but it doesn't entirely remedy the situation as we still have a race condition in which another thread can remove the device after the check. Fixes: d7c51b47ac11 ("gpio: userspace ABI for reading/writing GPIO lines") Fixes: 3c0d9c635ae2 ("gpiolib: cdev: support GPIO_V2_GET_LINE_IOCTL and GPIO_V2_LINE_GET_VALUES_IOCTL") Fixes: aad955842d1c ("gpiolib: cdev: support GPIO_V2_GET_LINEINFO_IOCTL and GPIO_V2_GET_LINEINFO_WATCH_IOCTL") Fixes: a54756cb24ea ("gpiolib: cdev: support GPIO_V2_LINE_SET_CONFIG_IOCTL") Fixes: 7b8e00d98168 ("gpiolib: cdev: support GPIO_V2_LINE_SET_VALUES_IOCTL") Signed-off-by: Bartosz Golaszewski Reviewed-by: Andy Shevchenko Reviewed-by: Linus Walleij Signed-off-by: Sasha Levin commit 60ff9bd4ffc87bace581e235a6728f5ac8e5071f Author: Chen Zhongjin Date: Mon Dec 5 16:48:05 2022 +0800 vme: Fix error not catched in fake_init() [ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] In fake_init(), __root_device_register() is possible to fail but it's ignored, which can cause unregistering vme_root fail when exit. general protection fault, probably for non-canonical address 0xdffffc000000008c KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] RIP: 0010:root_device_unregister+0x26/0x60 Call Trace: __x64_sys_delete_module+0x34f/0x540 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Return error when __root_device_register() fails. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Signed-off-by: Chen Zhongjin Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7155f549dbcabc95d6dbd74d023a2cf2f42d098f Author: YueHaibing Date: Wed Nov 23 16:12:53 2022 +0800 staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() [ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ] The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it, after calling this, dereferencing skb may trigger use-after-free. Found by Smatch. Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 73df1172bbcc8d45cd28e3b1a9ca2edb2f9f7ce6 Author: Dan Carpenter Date: Wed Nov 23 09:43:14 2022 +0300 staging: rtl8192u: Fix use after free in ieee80211_rx() [ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ] We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit c8889afcd8293d97c9d30f58caa8aeab235cdf44 Author: Hui Tang Date: Mon Nov 14 17:25:40 2022 +0800 i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe [ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ] Using pcim_enable_device() to avoid missing pci_disable_device(). Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller") Signed-off-by: Hui Tang Signed-off-by: Wolfram Sang Signed-off-by: Sasha Levin commit ba090c6debb5de85ef1289ce23e9adda05e59f3f Author: Joao Martins Date: Tue Nov 29 13:12:35 2022 +0000 vfio/iova_bitmap: refactor iova_bitmap_set() to better handle page boundaries [ Upstream commit b058ea3ab5afea873ab8d976277539ca9e43869a ] Commit f38044e5ef58 ("vfio/iova_bitmap: Fix PAGE_SIZE unaligned bitmaps") had fixed the unaligned bitmaps by capping the remaining iterable set at the start of the bitmap. Although, that mistakenly worked around iova_bitmap_set() incorrectly setting bits across page boundary. Fix this by reworking the loop inside iova_bitmap_set() to iterate over a range of bits to set (cur_bit .. last_bit) which may span different pinned pages, thus updating @page_idx and @offset as it sets the bits. The previous cap to the first page is now adjusted to be always accounted rather than when there's only a non-zero pgoff. While at it, make @page_idx , @offset and @nbits to be unsigned int given that it won't be more than 512 and 4096 respectively (even a bigger PAGE_SIZE or a smaller struct page size won't make this bigger than the above 32-bit max). Also, delete the stale kdoc on Return type. Cc: Avihai Horon Fixes: f38044e5ef58 ("vfio/iova_bitmap: Fix PAGE_SIZE unaligned bitmaps") Co-developed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Joao Martins Reviewed-by: Jason Gunthorpe Tested-by: Avihai Horon Link: https://lore.kernel.org/r/20221129131235.38880-1-joao.m.martins@oracle.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit 85a5660491b507d33662b8e81c142e6041e642eb Author: Yang Yingliang Date: Fri Dec 2 11:02:37 2022 +0800 chardev: fix error handling in cdev_device_add() [ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ] While doing fault injection test, I got the following report: ------------[ cut here ]------------ kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called. WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0 CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:kobject_put+0x23d/0x4e0 Call Trace: cdev_device_add+0x15e/0x1b0 __iio_device_register+0x13b4/0x1af0 [industrialio] __devm_iio_device_register+0x22/0x90 [industrialio] max517_probe+0x3d8/0x6b4 [max517] i2c_device_probe+0xa81/0xc00 When device_add() is injected fault and returns error, if dev->devt is not set, cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt in error path. Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4a9f1a8b3af287581ffb690d0e1593c681729ddb Author: Yang Yingliang Date: Fri Dec 2 01:38:50 2022 -0800 mcb: mcb-parse: fix error handing in chameleon_parse_gdd() [ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ] If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount of bus and device name are leaked. Fix this by calling put_device() to give up the reference, so they can be released in mcb_release_dev() and kobject_cleanup(). Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") Reviewed-by: Johannes Thumshirn Signed-off-by: Yang Yingliang Signed-off-by: Johannes Thumshirn Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0468a585710bbb807a1b9c31df54bcf564d28b2b Author: Zhengchao Shao Date: Fri Dec 2 01:38:49 2022 -0800 drivers: mcb: fix resource leak in mcb_probe() [ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ] When probe hook function failed in mcb_probe(), it doesn't put the device. Compiled test only. Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe") Signed-off-by: Zhengchao Shao Signed-off-by: Johannes Thumshirn Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 216437dd64fce36791a3b6cc8f8013df36856958 Author: John Keeping Date: Tue Nov 22 12:35:22 2022 +0000 usb: gadget: f_hid: fix refcount leak on error path [ Upstream commit 70a3288a7586526315105c699b687d78cd32559a ] When failing to allocate report_desc, opts->refcnt has already been incremented so it needs to be decremented to avoid leaving the options structure permanently locked. Fixes: 21a9476a7ba8 ("usb: gadget: hid: add configfs support") Tested-by: Lee Jones Reviewed-by: Andrzej Pietrasiewicz Reviewed-by: Lee Jones Signed-off-by: John Keeping Link: https://lore.kernel.org/r/20221122123523.3068034-3-john@metanate.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9e08b7f5fa00e9d550851352bd0d1ba74ccffef2 Author: John Keeping Date: Tue Nov 22 12:35:21 2022 +0000 usb: gadget: f_hid: fix f_hidg lifetime vs cdev [ Upstream commit 89ff3dfac604614287ad5aad9370c3f984ea3f4b ] The embedded struct cdev does not have its lifetime correctly tied to the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN is held open while the gadget is deleted. This can readily be replicated with libusbgx's example programs (for conciseness - operating directly via configfs is equivalent): gadget-hid exec 3<> /dev/hidg0 gadget-vid-pid-remove exec 3<&- Pull the existing device up in to struct f_hidg and make use of the cdev_device_{add,del}() helpers. This changes the lifetime of the device object to match struct f_hidg, but note that it is still added and deleted at the same time. Fixes: 71adf1189469 ("USB: gadget: add HID gadget driver") Tested-by: Lee Jones Reviewed-by: Andrzej Pietrasiewicz Reviewed-by: Lee Jones Signed-off-by: John Keeping Link: https://lore.kernel.org/r/20221122123523.3068034-2-john@metanate.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6fe1adeabc2a215833d2ed94b35c2dafc6ca7876 Author: Yang Yingliang Date: Fri Nov 25 14:41:20 2022 +0800 usb: core: hcd: Fix return value check in usb_hcd_setup_local_mem() [ Upstream commit 3c347cdafa3db43337870006e5c2d7b78a8dae20 ] If dmam_alloc_attrs() fails, it returns NULL pointer and never return ERR_PTR(), so repleace IS_ERR() with IS_ERR_OR_NULL() and if it's NULL, returns -ENOMEM. Fixes: 9ba26f5cecd8 ("ARM: sa1100/assabet: move dmabounce hack to ohci driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221125064120.2842452-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b3862858b67821cf51919d895552d5a2a2e83213 Author: Yang Yingliang Date: Tue Nov 22 19:12:26 2022 +0800 usb: roles: fix of node refcount leak in usb_role_switch_is_parent() [ Upstream commit 1ab30c610630da5391a373cddb8a065bf4c4bc01 ] I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34 The 'parent' returned by fwnode_get_parent() with refcount incremented. it needs be put after using. Fixes: 6fadd72943b8 ("usb: roles: get usb-role-switch from parent") Reviewed-by: Heikki Krogerus Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221122111226.251588-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 0a022b756f74d2a783bc4e85161dd29ad9eb27f8 Author: Beau Belgrave Date: Wed Nov 23 10:32:48 2022 -0800 tracing/user_events: Fix call print_fmt leak [ Upstream commit 4bded7af8b9af6e97514b0521004f90267905aef ] If user_event_trace_register() fails within user_event_parse() the call's print_fmt member is not freed. Add kfree call to fix this. Link: https://lkml.kernel.org/r/20221123183248.554-1-beaub@linux.microsoft.com Fixes: aa3b2b4c6692 ("user_events: Add print_fmt generation support for basic types") Signed-off-by: Beau Belgrave Signed-off-by: Steven Rostedt (Google) Signed-off-by: Sasha Levin commit e4b7d7297d374e690dde2a2737ec1e4d591bdea9 Author: Mike Leach Date: Wed Nov 23 19:38:18 2022 +0000 coresight: cti: Fix null pointer error on CTI init before ETM [ Upstream commit 3dc228b35387803d9c43ed1b098aabb1d3ae9c7d ] When CTI is discovered first then the function coresight_set_assoc_ectdev_mutex() is called to set the association between CTI and ETM device. Recent lockdep fix passes a null pointer. This patch passes the correct pointer. Before patch: log of boot oops sequence with CTI discovered first: [ 12.424091] cs_system_cfg: CoreSight Configuration manager initialised [ 12.483474] coresight cti_sys0: CTI initialized [ 12.488109] coresight cti_sys1: CTI initialized [ 12.503594] coresight cti_cpu0: CTI initialized [ 12.517877] coresight-cpu-debug 850000.debug: Coresight debug-CPU0 initialized [ 12.523479] coresight-cpu-debug 852000.debug: Coresight debug-CPU1 initialized [ 12.529926] coresight-cpu-debug 854000.debug: Coresight debug-CPU2 initialized [ 12.541808] coresight stm0: STM32 initialized [ 12.544421] coresight-cpu-debug 856000.debug: Coresight debug-CPU3 initialized [ 12.585639] coresight cti_cpu1: CTI initialized [ 12.614028] coresight cti_cpu2: CTI initialized [ 12.631679] CSCFG registered etm0 [ 12.633920] coresight etm0: CPU0: etm v4.0 initialized [ 12.656392] coresight cti_cpu3: CTI initialized ... [ 12.708383] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000348 ... [ 12.755094] Internal error: Oops: 0000000096000044 [#1] SMP [ 12.761817] Modules linked in: coresight_etm4x(+) coresight_tmc coresight_cpu_debug coresight_replicator coresight_funnel coresight_cti coresight_tpiu coresight_stm coresight [ 12.767210] CPU: 3 PID: 1346 Comm: systemd-udevd Not tainted 6.1.0-rc3tid-v6tid-v6-235166-gf7f7d7a2204a-dirty #498 [ 12.782827] Hardware name: Qualcomm Technologies, Inc. APQ 8016 SBC (DT) [ 12.793154] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 12.800010] pc : coresight_set_assoc_ectdev_mutex+0x30/0x50 [coresight] [ 12.806694] lr : coresight_set_assoc_ectdev_mutex+0x30/0x50 [coresight] ... [ 12.885064] Call trace: [ 12.892352] coresight_set_assoc_ectdev_mutex+0x30/0x50 [coresight] [ 12.894693] cti_add_assoc_to_csdev+0x144/0x1b0 [coresight_cti] [ 12.900943] coresight_register+0x2c8/0x320 [coresight] [ 12.906844] etm4_add_coresight_dev.isra.27+0x148/0x280 [coresight_etm4x] [ 12.912056] etm4_probe+0x144/0x1c0 [coresight_etm4x] [ 12.918998] etm4_probe_amba+0x40/0x78 [coresight_etm4x] [ 12.924032] amba_probe+0x11c/0x1f0 After patch: similar log [ 12.444467] cs_system_cfg: CoreSight Configuration manager initialised [ 12.456329] coresight-cpu-debug 850000.debug: Coresight debug-CPU0 initialized [ 12.456754] coresight-cpu-debug 852000.debug: Coresight debug-CPU1 initialized [ 12.469672] coresight-cpu-debug 854000.debug: Coresight debug-CPU2 initialized [ 12.476098] coresight-cpu-debug 856000.debug: Coresight debug-CPU3 initialized [ 12.532409] coresight stm0: STM32 initialized [ 12.533708] coresight cti_sys0: CTI initialized [ 12.539478] coresight cti_sys1: CTI initialized [ 12.550106] coresight cti_cpu0: CTI initialized [ 12.633931] coresight cti_cpu1: CTI initialized [ 12.634664] coresight cti_cpu2: CTI initialized [ 12.638090] coresight cti_cpu3: CTI initialized [ 12.721136] CSCFG registered etm0 ... [ 12.762643] CSCFG registered etm1 [ 12.762666] coresight etm1: CPU1: etm v4.0 initialized [ 12.776258] CSCFG registered etm2 [ 12.776282] coresight etm2: CPU2: etm v4.0 initialized [ 12.784357] CSCFG registered etm3 [ 12.785455] coresight etm3: CPU3: etm v4.0 initialized Error can also be triggered by manually starting the modules using modprobe in the following order: root@linaro-developer:/home/linaro/cs-mods# modprobe coresight root@linaro-developer:/home/linaro/cs-mods# modprobe coresight-cti root@linaro-developer:/home/linaro/cs-mods# modprobe coresight-etm4x Tested on Dragonboard DB410c Applies to coresight/next Fixes: 23722fb46725 ("coresight: Fix possible deadlock with lock dependency") Signed-off-by: Mike Leach Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20221123193818.6253-1-mike.leach@linaro.org Signed-off-by: Sasha Levin commit 3c18888bc0b51835c74123b1e04d5df11543724c Author: Yang Shen Date: Tue Nov 22 17:03:55 2022 +0800 coresight: trbe: remove cpuhp instance node before remove cpuhp state [ Upstream commit 20ee8c223f792947378196307d8e707c9cdc2d61 ] cpuhp_state_add_instance() and cpuhp_state_remove_instance() should be used in pairs. Or there will lead to the warn on cpuhp_remove_multi_state() since the cpuhp_step list is not empty. The following is the error log with 'rmmod coresight-trbe': Error: Removing state 215 which has instances left. Call trace: __cpuhp_remove_state_cpuslocked+0x144/0x160 __cpuhp_remove_state+0xac/0x100 arm_trbe_device_remove+0x2c/0x60 [coresight_trbe] platform_remove+0x34/0x70 device_remove+0x54/0x90 device_release_driver_internal+0x1e4/0x250 driver_detach+0x5c/0xb0 bus_remove_driver+0x64/0xc0 driver_unregister+0x3c/0x70 platform_driver_unregister+0x20/0x30 arm_trbe_exit+0x1c/0x658 [coresight_trbe] __arm64_sys_delete_module+0x1ac/0x24c invoke_syscall+0x50/0x120 el0_svc_common.constprop.0+0x58/0x1a0 do_el0_svc+0x38/0xd0 el0_svc+0x2c/0xc0 el0t_64_sync_handler+0x1ac/0x1b0 el0t_64_sync+0x19c/0x1a0 ---[ end trace 0000000000000000 ]--- Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver") Reviewed-by: Anshuman Khandual Signed-off-by: Yang Shen Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20221122090355.23533-1-shenyang39@huawei.com Signed-off-by: Sasha Levin commit 064bdc3405269e51e8d284d90590ec53c3fe0422 Author: Fabrice Gasnier Date: Wed Nov 23 14:36:09 2022 +0100 counter: stm32-lptimer-cnt: fix the check on arr and cmp registers update [ Upstream commit fd5ac974fc25feed084c2d1599d0dddb4e0556bc ] The ARR (auto reload register) and CMP (compare) registers are successively written. The status bits to check the update of these registers are polled together with regmap_read_poll_timeout(). The condition to end the loop may become true, even if one of the register isn't correctly updated. So ensure both status bits are set before clearing them. Fixes: d8958824cf07 ("iio: counter: Add support for STM32 LPTimer") Signed-off-by: Fabrice Gasnier Link: https://lore.kernel.org/r/20221123133609.465614-1-fabrice.gasnier@foss.st.com/ Signed-off-by: William Breathitt Gray Signed-off-by: Sasha Levin commit bc34896cd75a406f94840e009561b23445bfc90d Author: Ramona Bolboaca Date: Tue Nov 22 10:27:49 2022 +0200 iio: adis: add '__adis_enable_irq()' implementation [ Upstream commit 99c05e4283a19a02a256f14100ca4ec3b2da3f62 ] Add '__adis_enable_irq()' implementation which is the unlocked version of 'adis_enable_irq()'. Call '__adis_enable_irq()' instead of 'adis_enable_irq()' from '__adis_intial_startup()' to keep the expected unlocked functionality. This fix is needed to remove a deadlock for all devices which are using 'adis_initial_startup()'. The deadlock occurs because the same mutex is acquired twice, without releasing it. The mutex is acquired once inside 'adis_initial_startup()', before calling '__adis_initial_startup()', and once inside 'adis_enable_irq()', which is called by '__adis_initial_startup()'. The deadlock is removed by calling '__adis_enable_irq()', instead of 'adis_enable_irq()' from within '__adis_initial_startup()'. Fixes: b600bd7eb3335 ("iio: adis: do not disabe IRQs in 'adis_init()'") Signed-off-by: Ramona Bolboaca Reviewed-by: Nuno Sá Link: https://lore.kernel.org/r/20221122082757.449452-2-ramona.bolboaca@analog.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 49ac222945d773ce71bea478e938faead1f1073a Author: Cosmin Tanislav Date: Thu Nov 3 15:00:29 2022 +0200 iio: temperature: ltc2983: make bulk write buffer DMA-safe [ Upstream commit 5e0176213949724fbe9a8e4a39817edce337b8a0 ] regmap_bulk_write() does not guarantee implicit DMA-safety, even though the current implementation duplicates the given buffer. Do not rely on it. Fixes: f110f3188e56 ("iio: temperature: Add support for LTC2983") Signed-off-by: Cosmin Tanislav Link: https://lore.kernel.org/r/20221103130041.2153295-2-demonsingur@gmail.com Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 2f5fd31b2f24b9b8a80ab566fd8c4e1e94cb4339 Author: Yang Yingliang Date: Fri Nov 11 22:54:40 2022 +0800 cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() [ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ] If device_register() fails in cxl_pci_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_device(), then goes to put dev when register fails. Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access") Signed-off-by: Yang Yingliang Acked-by: Frederic Barrat Acked-by: Andrew Donnellan Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ab44c182353be101c3be9465e1d15d42130c53c4 Author: Yang Yingliang Date: Fri Nov 11 22:54:39 2022 +0800 cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() [ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ] If device_register() fails in cxl_register_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_device(), then goes to put dev when register fails. Fixes: 14baf4d9c739 ("cxl: Add guest-specific code") Signed-off-by: Yang Yingliang Acked-by: Andrew Donnellan Acked-by: Frederic Barrat Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 71d2abab374f707ab8ac8dcef191fd2b3b67b8bd Author: Yang Yingliang Date: Thu Nov 17 15:06:36 2022 +0800 firmware: raspberrypi: fix possible memory leak in rpi_firmware_probe() [ Upstream commit 7b51161696e803fd5f9ad55b20a64c2df313f95c ] In rpi_firmware_probe(), if mbox_request_channel() fails, the 'fw' will not be freed through rpi_firmware_delete(), fix this leak by calling kfree() in the error path. Fixes: 1e7c57355a3b ("firmware: raspberrypi: Keep count of all consumers") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221117070636.3849773-1-yangyingliang@huawei.com Acked-by: Joel Savitz Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 4e947fc71bec7c7da791f8562d5da233b235ba5e Author: Zheng Wang Date: Thu Nov 10 11:50:33 2022 +0800 misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os [ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ] In some bad situation, the gts may be freed gru_check_chiplet_assignment. The call chain can be gru_unload_context->gru_free_gru_context->gts_drop and kfree finally. However, the caller didn't know if the gts is freed or not and use it afterwards. This will trigger a Use after Free bug. Fix it by introducing a return value to see if it's in error path or not. Free the gts in caller if gru_check_chiplet_assignment check failed. Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") Signed-off-by: Zheng Wang Acked-by: Dimitri Sivanich Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ef843ee20576039126d34d6eb5f45d14c3e6ce18 Author: ruanjinjie Date: Thu Nov 17 14:47:25 2022 +0800 misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() [ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ] If device_register() returns error in tifm_7xx1_switch_media(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. Never directly free @dev after calling device_register(), even if it returned an error! Always use put_device() to give up the reference initialized. Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core") Signed-off-by: ruanjinjie Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 40ff4c2335a98f0ee96b099bfd70b8e6644f321f Author: Yang Yingliang Date: Mon Nov 21 23:43:39 2022 +0800 ocxl: fix pci device refcount leak when calling get_function_0() [ Upstream commit 27158c72678b39ee01cc01de1aba6b51c71abe2f ] get_function_0() calls pci_get_domain_bus_and_slot(), as comment says, it returns a pci device with refcount increment, so after using it, pci_dev_put() needs be called. Get the device reference when get_function_0() is not called, so pci_dev_put() can be called in the error path and callers unconditionally. And add comment above get_dvsec_vendor0() to tell callers to call pci_dev_put(). Fixes: 87db7579ebd5 ("ocxl: control via sysfs whether the FPGA is reloaded on a link reset") Suggested-by: Andrew Donnellan Signed-off-by: Yang Yingliang Acked-by: Andrew Donnellan Link: https://lore.kernel.org/r/20221121154339.4088935-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 2fce8b3583d1641a1716486f408478b58e96ec91 Author: Yang Yingliang Date: Fri Nov 11 22:59:29 2022 +0800 misc: ocxl: fix possible name leak in ocxl_file_register_afu() [ Upstream commit a4cb1004aeed2ab893a058fad00a5b41a12c4691 ] If device_register() returns error in ocxl_file_register_afu(), the name allocated by dev_set_name() need be freed. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(), and info is freed in info_release(). Fixes: 75ca758adbaf ("ocxl: Create a clear delineation between ocxl backend & frontend") Signed-off-by: Yang Yingliang Acked-by: Andrew Donnellan Acked-by: Frederic Barrat Link: https://lore.kernel.org/r/20221111145929.2429271-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6dd5fbd243f19f087dc79481acb7d69fb57fea2c Author: Zhengchao Shao Date: Sat Nov 19 11:57:21 2022 +0800 test_firmware: fix memory leak in test_firmware_init() [ Upstream commit 7610615e8cdb3f6f5bbd9d8e7a5d8a63e3cabf2e ] When misc_register() failed in test_firmware_init(), the memory pointed by test_fw_config->name is not released. The memory leak information is as follows: unreferenced object 0xffff88810a34cb00 (size 32): comm "insmod", pid 7952, jiffies 4294948236 (age 49.060s) hex dump (first 32 bytes): 74 65 73 74 2d 66 69 72 6d 77 61 72 65 2e 62 69 test-firmware.bi 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 n............... backtrace: [] __kmalloc_node_track_caller+0x4b/0xc0 [] kstrndup+0x46/0xc0 [] __test_firmware_config_init+0x29/0x380 [test_firmware] [] 0xffffffffa040f068 [] do_one_initcall+0x141/0x780 [] do_init_module+0x1c3/0x630 [] load_module+0x623e/0x76a0 [] __do_sys_finit_module+0x181/0x240 [] do_syscall_64+0x39/0xb0 [] entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests") Signed-off-by: Zhengchao Shao Acked-by: Luis Chamberlain Link: https://lore.kernel.org/r/20221119035721.18268-1-shaozhengchao@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit a4b84c112d8ec544868c18fdbe0e3a2c165ae14e Author: Yang Yingliang Date: Fri Sep 23 22:39:13 2022 +0800 habanalabs: fix return value check in hl_fw_get_sec_attest_data() [ Upstream commit 8749c27895a369a99e4a21709b3e3bec4785778f ] If hl_cpu_accessible_dma_pool_alloc() fails, we should check 'req_cpu_addr', fix it. Fixes: 0c88760f8f5e ("habanalabs/gaudi2: add secured attestation info uapi") Signed-off-by: Yang Yingliang Reviewed-by: Oded Gabbay Signed-off-by: Oded Gabbay Signed-off-by: Sasha Levin commit 03dbb9e2e97561072665024050d3f861afe56301 Author: Yuan Can Date: Wed Nov 23 06:12:12 2022 +0000 serial: sunsab: Fix error handling in sunsab_init() [ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ] The sunsab_init() returns the platform_driver_register() directly without checking its return value, if platform_driver_register() failed, the allocated sunsab_ports is leaked. Fix by free sunsab_ports and set it to NULL when platform_driver_register() failed. Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ca89c2eb36ed2e71554470d337b3811f802faab7 Author: Gabriel Somlo Date: Tue Nov 22 15:04:26 2022 -0500 serial: altera_uart: fix locking in polling mode [ Upstream commit 1307c5d33cce8a41dd77c2571e4df65a5b627feb ] Since altera_uart_interrupt() may also be called from a poll timer in "serving_softirq" context, use spin_[lock_irqsave|unlock_irqrestore] variants, which are appropriate for both softirq and hardware interrupt contexts. Fixes: 2f8b9c15cd88 ("altera_uart: Add support for polling mode (IRQ-less)") Signed-off-by: Gabriel Somlo Link: https://lore.kernel.org/r/20221122200426.888349-1-gsomlo@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 516614a371c26e3334625b4bca19a5362bf658d6 Author: Xiongfeng Wang Date: Tue Nov 22 19:45:59 2022 +0800 serial: pch: Fix PCI device refcount leak in pch_request_dma() [ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ] As comment of pci_get_slot() says, it returns a pci_device with its refcount increased. The caller must decrement the reference count by calling pci_dev_put(). Since 'dma_dev' is only used to filter the channel in filter(), we can call pci_dev_put() before exiting from pch_request_dma(). Add the missing pci_dev_put() for the normal and error path. Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver") Signed-off-by: Xiongfeng Wang Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 408f64a6de74003f2164d839566eb8c4bb2676c4 Author: Valentin Caron Date: Fri Nov 18 18:06:02 2022 +0100 serial: stm32: move dma_request_chan() before clk_prepare_enable() [ Upstream commit 0d114e9ff940ebad8e88267013bf96c605a6b336 ] If dma_request_chan() returns a PROBE_DEFER error, clk_disable_unprepare() will be called and USART clock will be disabled. But early console can be still active on the same USART. While moving dma_request_chan() before clk_prepare_enable(), the clock won't be taken in case of a DMA PROBE_DEFER error, and so it doesn't need to be disabled. Then USART is still clocked for early console. Fixes: a7770a4bfcf4 ("serial: stm32: defer probe for dma devices") Reported-by: Uwe Kleine-König Signed-off-by: Valentin Caron Link: https://lore.kernel.org/r/20221118170602.1057863-1-valentin.caron@foss.st.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 898a162d5fc4565ce9e4dd2be6a3d97e2878a277 Author: delisun Date: Thu Nov 10 10:01:08 2022 +0800 serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. [ Upstream commit 032d5a71ed378ffc6a2d41a187d8488a4f9fe415 ] Clearing the RX FIFO will cause data loss. Copy the pl011_enabl_interrupts implementation, and remove the clear interrupt and FIFO part of the code. Fixes: 211565b10099 ("serial: pl011: UPSTAT_AUTORTS requires .throttle/unthrottle") Signed-off-by: delisun Reviewed-by: Ilpo Järvinen Link: https://lore.kernel.org/r/20221110020108.7700-1-delisun@pateo.com.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 64bc5dbc3260230e2f022288c71e5c680059384a Author: Jiamei Xie Date: Thu Nov 17 18:32:37 2022 +0800 serial: amba-pl011: avoid SBSA UART accessing DMACR register [ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ] Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] documentation describes a generic UART interface. Such generic UART does not support DMA. In current code, sbsa_uart_pops and amba_pl011_pops share the same stop_rx operation, which will invoke pl011_dma_rx_stop, leading to an access of the DMACR register. This commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the access to DMACR register for SBSA UARTs which does not support DMA. When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux SBSA PL011 driver will access PL011 DMACR register in some functions. For most real SBSA Pl011 hardware implementations, the DMACR write behaviour will be ignored. So these DMACR operations will not cause obvious problems. But for some virtual SBSA PL011 hardware, like Xen virtual SBSA PL011 (vpl011) device, the behaviour might be different. Xen vpl011 emulation will inject a data abort to guest, when guest is accessing an unimplemented UART register. As Xen VPL011 is SBSA compatible, it will not implement DMACR register. So when Linux SBSA PL011 driver access DMACR register, it will get an unhandled data abort fault and the application will get a segmentation fault: Unhandled fault at 0xffffffc00944d048 Mem abort info: ESR = 0x96000000 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x00: ttbr address size fault Data abort info: ISV = 0, ISS = 0x00000000 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 [ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP ... Call trace: pl011_stop_rx+0x70/0x80 tty_port_shutdown+0x7c/0xb4 tty_port_close+0x60/0xcc uart_close+0x34/0x8c tty_release+0x144/0x4c0 __fput+0x78/0x220 ____fput+0x1c/0x30 task_work_run+0x88/0xc0 do_notify_resume+0x8d0/0x123c el0_svc+0xa8/0xc0 el0t_64_sync_handler+0xa4/0x130 el0t_64_sync+0x1a0/0x1a4 Code: b9000083 b901f001 794038a0 8b000042 (b9000041) ---[ end trace 83dd93df15c3216f ]--- note: bootlogd[132] exited with preempt_count 1 /etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon This has been discussed in the Xen community, and we think it should fix this in Linux. See [2] for more information. [1] https://developer.arm.com/documentation/den0094/c/?lang=en [2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART) Signed-off-by: Jiamei Xie Reviewed-by: Andre Przywara Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 99a58ac42d9b6911834b0224b6782aea0c311346 Author: Jiantao Zhang Date: Mon Nov 21 13:08:05 2022 +0000 USB: gadget: Fix use-after-free during usb config switch [ Upstream commit afdc12887f2b2ecf20d065a7d81ad29824155083 ] In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as follows: ======================================================================= (1) write /config/usb_gadget/g1/UDC "none" gether_disconnect+0x2c/0x1f8 rndis_disable+0x4c/0x74 composite_disconnect+0x74/0xb0 configfs_composite_disconnect+0x60/0x7c usb_gadget_disconnect+0x70/0x124 usb_gadget_unregister_driver+0xc8/0x1d8 gadget_dev_desc_UDC_store+0xec/0x1e4 (2) rm /config/usb_gadget/g1/configs/b.1/f1 rndis_deregister+0x28/0x54 rndis_free+0x44/0x7c usb_put_function+0x14/0x1c config_usb_cfg_unlink+0xc4/0xe0 configfs_unlink+0x124/0x1c8 vfs_unlink+0x114/0x1dc (3) rmdir /config/usb_gadget/g1/functions/rndis.gs4 panic+0x1fc/0x3d0 do_page_fault+0xa8/0x46c do_mem_abort+0x3c/0xac el1_sync_handler+0x40/0x78 0xffffff801138f880 rndis_close+0x28/0x34 eth_stop+0x74/0x110 dev_close_many+0x48/0x194 rollback_registered_many+0x118/0x814 unregister_netdev+0x20/0x30 gether_cleanup+0x1c/0x38 rndis_attr_release+0xc/0x14 kref_put+0x74/0xb8 configfs_rmdir+0x314/0x374 If gadget->ops->pullup() return an error, function rndis_close() will be called, then it will causes a use-after-free problem. ======================================================================= Fixes: 0a55187a1ec8 ("USB: gadget core: Issue ->disconnect() callback from usb_gadget_disconnect()") Signed-off-by: Jiantao Zhang Signed-off-by: TaoXue Link: https://lore.kernel.org/r/20221121130805.10735-1-water.zhangjiantao@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5b38782cc3589d714058c54eb1886697df7c5763 Author: Marek Vasut Date: Sun Nov 20 15:15:09 2022 +0100 extcon: usbc-tusb320: Update state on probe even if no IRQ pending [ Upstream commit 581c848b610dbf3fe1ed4d85fd53d0743c61faba ] Currently this driver triggers extcon and typec state update in its probe function, to read out current state reported by the chip and report the correct state to upper layers. This synchronization is performed correctly, but only in case the chip indicates a pending interrupt in reg09 register. This fails to cover the situation where all interrupts reported by the chip were already handled by Linux before reboot, then the system rebooted, and then Linux starts again. In this case, the TUSB320 no longer reports any interrupts in reg09, and the state update does not perform any update as it depends on that interrupt indication. Fix this by turning tusb320_irq_handler() into a thin wrapper around tusb320_state_update_handler(), where the later now contains the bulk of the code of tusb320_irq_handler(), but adds new function parameter "force_update". The "force_update" parameter can be used by the probe function to assure that the state synchronization is always performed, independent of the interrupt indicated in reg09. The interrupt handler tusb320_irq_handler() callback uses force_update=false to avoid state updates on potential spurious interrupts and retain current behavior. Fixes: 06bc4ca115cdd ("extcon: Add driver for TI TUSB320") Signed-off-by: Marek Vasut Reviewed-by: Alvin Šipraga Acked-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221120141509.81012-1-marex@denx.de Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 22b60658a90260e3fbd57824e3afe5682c6afcf5 Author: Tony Lindgren Date: Fri Nov 18 12:25:32 2022 +0200 usb: musb: omap2430: Fix probe regression for missing resources [ Upstream commit ffbe2feac59b37c8dc536727552b4f375e1b9aec ] Probe for omap2430 glue layer is now broken for interrupt resources in all cases. Commit 239071064732 ("partially Revert "usb: musb: Set the DT node on the child device"") broke probing for SoCs using ti-sysc interconnect target module as the dt node is not found. Commit a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core") caused omap3 to fail with error "-ENXIO: IRQ mc not found" as the IRQ resources are no longer automatically populated from devicetree. Let's fix the issues by calling device_set_of_node_from_dev() only if the SoC has been updated to probe with ti-sysc. And for legacy SoCs, let's populate the resources manually as needed. Note that once we have updated the SoCs to probe with proper devicetree data in all cases, this is no longer needed. But doing that requires patching both devicetree and SoC code, so let's fix the probe issues first. Fixes: a1a2b7125e10 ("of/platform: Drop static setup of IRQ resource from DT core") Fixes: 239071064732 ("partially Revert "usb: musb: Set the DT node on the child device"") Cc: H. Nikolaus Schaller Reported-by: Sicelo Mhlongo Tested-by: Sicelo Mhlongo Signed-off-by: Tony Lindgren Link: https://lore.kernel.org/r/20221118102532.34458-1-tony@atomide.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 20a945280d69463560c7c5842b188135f1ad9034 Author: Sven Peter Date: Mon Nov 14 18:44:48 2022 +0100 usb: typec: tipd: Fix typec_unregister_port error paths [ Upstream commit 4c8f27ba9ede0118cac9d775204f9b0ecdb877b0 ] typec_unregister_port is only called for some error paths after typec_register_port was successful. Ensure it's called in all cases. Fixes: 92440202a880 ("usb: typec: tipd: Only update power status on IRQ") Signed-off-by: Sven Peter Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221114174449.34634-3-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 63fff60c006611e06b8257fc748a69a3e1fea48e Author: Sven Peter Date: Mon Nov 14 18:44:47 2022 +0100 usb: typec: tipd: Fix spurious fwnode_handle_put in error path [ Upstream commit 782c70edc4852a5d39be12377a85501546236212 ] The err_role_put error path always calls fwnode_handle_put to release the fwnode. This path can be reached after probe itself has already released that fwnode though. Fix that by moving fwnode_handle_put in the happy path to the very end. Fixes: 18a6c866bb19 ("usb: typec: tps6598x: Add USB role switching logic") Signed-off-by: Sven Peter Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221114174449.34634-2-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 7bc33793042b1ee550d90a1bdcf20e7335d12693 Author: Sven Peter Date: Mon Nov 14 18:44:46 2022 +0100 usb: typec: tipd: Cleanup resources if devm_tps6598_psy_register fails [ Upstream commit 19c220e9ab00f50edefb9667e3101e84a5112df2 ] We can't just return if devm_tps6598_psy_register fails since previous resources are not devres managed and have yet to be cleaned up. Fixes: 10eb0b6ac63a ("usb: typec: tps6598x: Export some power supply properties") Signed-off-by: Sven Peter Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221114174449.34634-1-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 5f125507d2270035dfcf83fbff6cff5a143e200c Author: Yang Yingliang Date: Mon Nov 21 14:24:16 2022 +0800 usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() [ Upstream commit 0384e87e3fec735e47f1c133c796f32ef7a72a9b ] I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34/tcpc/connector The 'fwnode' set in tcpci_parse_config() which is called in tcpci_register_port(), its node refcount is increased in device_get_named_child_node(). It needs be put while exiting, so call fwnode_handle_put() in the error path of tcpci_register_port() and in tcpci_unregister_port() to avoid leak. Fixes: 5e85a04c8c0d ("usb: typec: add fwnode to tcpc") Signed-off-by: Yang Yingliang Acked-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221121062416.1026192-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 26937dcf067a5238e01887dc9c0c6aeb8eb4c770 Author: Sven Peter Date: Mon Nov 14 17:59:24 2022 +0100 usb: typec: Check for ops->exit instead of ops->enter in altmode_exit [ Upstream commit b6ddd180e3d9f92c1e482b3cdeec7dda086b1341 ] typec_altmode_exit checks if ops->enter is not NULL but then calls ops->exit a few lines below. Fix that and check for the function pointer it's about to call instead. Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") Signed-off-by: Sven Peter Reviewed-by: Heikki Krogerus Link: https://lore.kernel.org/r/20221114165924.33487-1-sven@svenpeter.dev Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 85db68fc901da52314ded80aace99f8b684c7815 Author: Gaosheng Cui Date: Thu Nov 17 11:59:14 2022 +0800 staging: vme_user: Fix possible UAF in tsi148_dma_list_add [ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 71cfd25e2211d8af46cd1668bd22b5682b2614a8 Author: Krzysztof Kozlowski Date: Thu Oct 27 11:48:46 2022 -0400 interconnect: qcom: sc7180: fix dropped const of qcom_icc_bcm [ Upstream commit f24227a640344f894522045f74bb2decbdc4f55e ] Pointers to struct qcom_icc_bcm are const, but the change was dropped during merge. Fixes: 016fca59f95f ("Merge branch 'icc-const' into icc-next") Signed-off-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20221027154848.293523-1-krzysztof.kozlowski@linaro.org Signed-off-by: Georgi Djakov Signed-off-by: Sasha Levin commit bdfa9f57b2a2f23aa7d0126bfe8e0a553d178862 Author: Linus Walleij Date: Fri Nov 11 10:03:17 2022 +0100 usb: fotg210-udc: Fix ages old endianness issues [ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ] The code in the FOTG210 driver isn't entirely endianness-agnostic as reported by the kernel robot sparse testing. This came to the surface while moving the files around. The driver is only used on little-endian systems, so this causes no real-world regression, but it is nice to be strict and have some compile coverage also on big endian machines, so fix it up with the right LE accessors. Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") Reported-by: kernel test robot Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/ Signed-off-by: Linus Walleij Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit b9dcd53356eae2850209e9c39d7a1edd9325031a Author: Rafael Mendonca Date: Fri Sep 30 19:40:58 2022 -0300 uio: uio_dmem_genirq: Fix deadlock between irq config and handling [ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ] This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix concurrency issue"): "In a SMP case there was a race condition issue between Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on another CPU. Fix it by spin_locking shared resources access inside irq handler." The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and it is used in a similar manner to the "uio_pdrv_genirq" driver with respect to interrupt configuration and handling. At the time "uio_dmem_genirq" was merged, both had the same implementation of the 'uio_info' handlers irqcontrol() and handler(), thus, both had the same concurrency issue mentioned by the above commit. However, the above patch was only applied to the "uio_pdrv_genirq" driver. Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") Signed-off-by: Rafael Mendonca Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ee180e867ce4b2f744799247b81050b3e5dd62cd Author: Rafael Mendonca Date: Fri Sep 30 19:40:57 2022 -0300 uio: uio_dmem_genirq: Fix missing unlock in irq configuration [ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ] Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") started calling disable_irq() without holding the spinlock because it can sleep. However, that fix introduced another bug: if interrupt is already disabled and a new disable request comes in, then the spinlock is not unlocked: root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002 [ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc] [ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21 [ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 14.855664] Call Trace: [ 14.855861] [ 14.856025] dump_stack_lvl+0x4d/0x67 [ 14.856325] dump_stack+0x14/0x1a [ 14.856583] __schedule_bug.cold+0x4b/0x5c [ 14.856915] __schedule+0xe81/0x13d0 [ 14.857199] ? idr_find+0x13/0x20 [ 14.857456] ? get_work_pool+0x2d/0x50 [ 14.857756] ? __flush_work+0x233/0x280 [ 14.858068] ? __schedule+0xa95/0x13d0 [ 14.858307] ? idr_find+0x13/0x20 [ 14.858519] ? get_work_pool+0x2d/0x50 [ 14.858798] schedule+0x6c/0x100 [ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110 [ 14.859335] ? tty_write_room+0x1f/0x30 [ 14.859598] ? n_tty_poll+0x1ec/0x220 [ 14.859830] ? tty_ldisc_deref+0x1a/0x20 [ 14.860090] schedule_hrtimeout_range+0x17/0x20 [ 14.860373] do_select+0x596/0x840 [ 14.860627] ? __kernel_text_address+0x16/0x50 [ 14.860954] ? poll_freewait+0xb0/0xb0 [ 14.861235] ? poll_freewait+0xb0/0xb0 [ 14.861517] ? rpm_resume+0x49d/0x780 [ 14.861798] ? common_interrupt+0x59/0xa0 [ 14.862127] ? asm_common_interrupt+0x2b/0x40 [ 14.862511] ? __uart_start.isra.0+0x61/0x70 [ 14.862902] ? __check_object_size+0x61/0x280 [ 14.863255] core_sys_select+0x1c6/0x400 [ 14.863575] ? vfs_write+0x1c9/0x3d0 [ 14.863853] ? vfs_write+0x1c9/0x3d0 [ 14.864121] ? _copy_from_user+0x45/0x70 [ 14.864526] do_pselect.constprop.0+0xb3/0xf0 [ 14.864893] ? do_syscall_64+0x6d/0x90 [ 14.865228] ? do_syscall_64+0x6d/0x90 [ 14.865556] __x64_sys_pselect6+0x76/0xa0 [ 14.865906] do_syscall_64+0x60/0x90 [ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50 [ 14.866640] ? do_syscall_64+0x6d/0x90 [ 14.866972] ? do_syscall_64+0x6d/0x90 [ 14.867286] ? do_syscall_64+0x6d/0x90 [ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] stripped [ 14.872959] ('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this) The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and it is used in a similar manner to the "uio_pdrv_genirq" driver with respect to interrupt configuration and handling. At the time "uio_dmem_genirq" was introduced, both had the same implementation of the 'uio_info' handlers irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency issue"), which was only applied to "uio_pdrv_genirq", ended up making them a little different. That commit, among other things, changed disable_irq() to disable_irq_nosync() in the implementation of irqcontrol(). The motivation there was to avoid a deadlock between irqcontrol() and handler(), since it added a spinlock in the irq handler, and disable_irq() waits for the completion of the irq handler. By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to fix. Thus, this fixes the missing unlock in irqcontrol() by importing the implementation of irqcontrol() handler from the "uio_pdrv_genirq" driver. In the end, it reverts commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and change disable_irq() to disable_irq_nosync(). It is worth noting that this still does not address the concurrency issue fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be addressed separately in the next commits. Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") Signed-off-by: Rafael Mendonca Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 31ef3d554d592c7212d7d0d4320a1a5bdf2ebe26 Author: Joao Martins Date: Tue Oct 25 20:31:14 2022 +0100 vfio/iova_bitmap: Fix PAGE_SIZE unaligned bitmaps [ Upstream commit f38044e5ef58ad0346fdabd7027ea5c1e1a3b624 ] iova_bitmap_set() doesn't consider the end of the page boundary when the first bitmap page offset isn't zero, and wrongly changes the consecutive page right after. Consequently this leads to missing dirty pages from reported by the device as seen from the VMM. The current logic iterates over a given number of base pages and clamps it to the remaining indexes to iterate in the last page. Instead of having to consider extra pages to pin (e.g. first and extra pages), just handle the first page as its own range and let the rest of the bitmap be handled as if it was base page aligned. This is done by changing iova_bitmap_mapped_remaining() to return PAGE_SIZE - pgoff (on the first bitmap page), and leads to pgoff being set to 0 on following iterations. Fixes: 58ccf0190d19 ("vfio: Add an IOVA bitmap support") Reported-by: Avihai Horon Tested-by: Avihai Horon Signed-off-by: Joao Martins Link: https://lore.kernel.org/r/20221025193114.58695-3-joao.m.martins@oracle.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit f0865e4f2c820e24334171bdfaeaf29ce79125ee Author: Rafael Mendonca Date: Tue Oct 18 12:28:25 2022 -0300 vfio: platform: Do not pass return buffer to ACPI _RST method [ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ] The ACPI _RST method has no return value, there's no need to pass a return buffer to acpi_evaluate_object(). Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI") Signed-off-by: Rafael Mendonca Reviewed-by: Eric Auger Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com Signed-off-by: Alex Williamson Signed-off-by: Sasha Levin commit abaedb68a769e6bf36836b55a2f49b531c5f3f7b Author: Yang Yingliang Date: Wed Oct 26 16:28:03 2022 +0800 class: fix possible memory leak in __class_register() [ Upstream commit 8c3e8a6bdb5253b97ad532570f8b5db5f7a06407 ] If class_add_groups() returns error, the 'cp->subsys' need be unregister, and the 'cp' need be freed. We can not call kset_unregister() here, because the 'cls' will be freed in callback function class_release() and it's also freed in caller's error path, it will cause double free. So fix this by calling kobject_del() and kfree_const(name) to cleanup kobject. Besides, call kfree() to free the 'cp'. Fault injection test can trigger this: unreferenced object 0xffff888102fa8190 (size 8): comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s) hex dump (first 8 bytes): 70 6b 74 63 64 76 64 00 pktcdvd. backtrace: [<00000000e7c7703d>] __kmalloc_track_caller+0x1ae/0x320 [<000000005e4d70bc>] kstrdup+0x3a/0x70 [<00000000c2e5e85a>] kstrdup_const+0x68/0x80 [<000000000049a8c7>] kvasprintf_const+0x10b/0x190 [<0000000029123163>] kobject_set_name_vargs+0x56/0x150 [<00000000747219c9>] kobject_set_name+0xab/0xe0 [<0000000005f1ea4e>] __class_register+0x15c/0x49a unreferenced object 0xffff888037274000 (size 1024): comm "modprobe", pid 502, jiffies 4294906074 (age 49.296s) hex dump (first 32 bytes): 00 40 27 37 80 88 ff ff 00 40 27 37 80 88 ff ff .@'7.....@'7.... 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<00000000151f9600>] kmem_cache_alloc_trace+0x17c/0x2f0 [<00000000ecf3dd95>] __class_register+0x86/0x49a Fixes: ced6473e7486 ("driver core: class: add class_groups support") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221026082803.3458760-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 9494faf74f8dcd9368d1aff9f44503c6ec2adf2d Author: Duoming Zhou Date: Tue Oct 18 16:34:24 2022 +0800 drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in rtw_join_timeout_handler [ Upstream commit ce8cc75c7419ad54cb99437543a54c97c7446db5 ] The rtw_join_timeout_handler() is a timer handler that runs in atomic context, but it could call msleep(). As a result, the sleep-in-atomic-context bug will happen. The process is shown below: (atomic context) rtw_join_timeout_handler _rtw_join_timeout_handler rtw_do_join rtw_select_and_join_from_scanned_queue rtw_indicate_disconnect rtw_lps_ctrl_wk_cmd lps_ctrl_wk_hdl LPS_Leave LPS_RF_ON_check msleep //sleep in atomic context Fix by removing msleep() and replacing with mdelay(). Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20221018083424.79741-1-duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3d97c13a1152b4e7e50673d7648f3f69b9839b03 Author: Yuan Can Date: Wed Nov 9 07:21:10 2022 +0000 serial: 8250_bcm7271: Fix error handling in brcmuart_init() [ Upstream commit 6a3ff858915fa8ca36c7eb02c87c9181ae2fc333 ] A problem about 8250_bcm7271 create debugfs failed is triggered with the following log given: [ 324.516635] debugfs: Directory 'bcm7271-uart' with parent '/' already present! The reason is that brcmuart_init() returns platform_driver_register() directly without checking its return value, if platform_driver_register() failed, it returns without destroy the newly created debugfs, resulting the debugfs of 8250_bcm7271 can never be created later. brcmuart_init() debugfs_create_dir() # create debugfs directory platform_driver_register() driver_register() bus_add_driver() priv = kzalloc(...) # OOM happened # return without destroy debugfs directory Fix by removing debugfs when platform_driver_register() returns error. Fixes: 41a469482de2 ("serial: 8250: Add new 8250-core based Broadcom STB driver") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221109072110.117291-2-yuancan@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit bffec1abc07427635233c88988d04ba00ec7fe2c Author: Kartik Date: Tue Oct 18 20:28:06 2022 +0530 serial: tegra: Read DMA status before terminating [ Upstream commit 109a951a9f1fd8a34ebd1896cbbd5d5cede880a7 ] Read the DMA status before terminating the DMA, as doing so deletes the DMA desc. Also, to get the correct transfer status information, pause the DMA using dmaengine_pause() before reading the DMA status. Fixes: e9ea096dd225 ("serial: tegra: add serial driver") Reviewed-by: Jon Hunter Reviewed-by: Ilpo Järvinen Acked-by: Thierry Reding Signed-off-by: Akhil R Signed-off-by: Kartik Link: https://lore.kernel.org/r/1666105086-17326-1-git-send-email-kkartik@nvidia.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 78fddc0ff971f9874d53c854818cc4aafa144114 Author: Yang Yingliang Date: Wed Nov 9 14:40:36 2022 +0800 drivers: dio: fix possible memory leak in dio_init() [ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ] If device_register() returns error, the 'dev' and name needs be freed. Add a release function, and then call put_device() in the error path, so the name is freed in kobject_cleanup() and to the 'dev' is freed in release function. Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings") Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 6392d71b4bf9b11ed51d3fcfba1764e01663df67 Author: Alexandre Ghiti Date: Thu Dec 1 14:51:28 2022 +0100 riscv: Fix P4D_SHIFT definition for 3-level page table mode [ Upstream commit 71fc3621efc38ace9640ee6a0db3300900689592 ] RISC-V kernels support 3,4,5-level page tables at runtime by folding upper levels. In case of a 3-level page table, PGDIR is folded into P4D which in turn is folded into PUD: PGDIR_SHIFT value is correctly set to the same value as PUD_SHIFT, but P4D_SHIFT is not, then any use of P4D_SHIFT will access invalid address bits (all set to 1). Fix this by dynamically defining P4D_SHIFT value, like we already do for PGDIR_SHIFT. Fixes: d10efa21a937 ("riscv: mm: Control p4d's folding by pgtable_l5_enabled") Signed-off-by: Alexandre Ghiti Reviewed-by: Palmer Dabbelt Link: https://lore.kernel.org/r/20221201135128.1482189-2-alexghiti@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit dd203468f07194a5a6e3999f01c3a22d579e9aee Author: Yangtao Li Date: Mon Dec 5 22:56:03 2022 +0800 f2fs: fix iostat parameter for discard [ Upstream commit 15e38ee44d50cad264da80ef75626b9224ddc4a3 ] Just like other data we count uses the number of bytes as the basic unit, but discard uses the number of cmds as the statistical unit. In fact the discard command contains the number of blocks, so let's change to the number of bytes as the base unit. Fixes: b0af6d491a6b ("f2fs: add app/fs io stat") Signed-off-by: Yangtao Li Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 652b2cdb3007be0fbfc0b9c6bab912ea81bc2b5e Author: Palmer Dabbelt Date: Tue Nov 29 18:35:14 2022 -0800 RISC-V: Align the shadow stack [ Upstream commit b003b3b77d65133a0011ae3b7b255347438c12f6 ] The standard RISC-V ABIs all require 16-byte stack alignment. We're only calling that one function on the shadow stack so I doubt it'd result in a real issue, but might as well keep this lined up. Fixes: 31da94c25aea ("riscv: add VMAP_STACK overflow detection") Reviewed-by: Jisheng Zhang Link: https://lore.kernel.org/r/20221130023515.20217-1-palmer@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit ee0e9b2c4b9c35837553124b4912230a7e7c7212 Author: Dragos Tatulea Date: Thu Dec 8 09:52:54 2022 +0200 IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces [ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ] There are 2 ways to create IPoIB PKEY child interfaces: 1) Writing a PKEY to /sys/class/net//create_child. 2) Using netlink with iproute. While with sysfs the child interface has the same number of tx and rx queues as the parent, with netlink there will always be 1 tx and 1 rx queue for the child interface. That's because the get_num_tx/rx_queues() netlink ops are missing and the default value of 1 is taken for the number of queues (in rtnl_create_link()). This change adds the get_num_tx/rx_queues() ops which allows for interfaces with multiple queues to be created over netlink. This constant only represents the max number of tx and rx queues on that net device. Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") Signed-off-by: Dragos Tatulea Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 19b7b85773b18457ff85a9ff4f5e2a2d4bf7ed0c Author: Xiongfeng Wang Date: Fri Dec 2 21:22:34 2022 +0800 hwrng: geode - Fix PCI device refcount leak [ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ] for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. We add a new struct 'amd_geode_priv' to record pointer of the pci_dev and membase, and then add missing pci_dev_put() for the normal and error path. Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver") Signed-off-by: Xiongfeng Wang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2e10ecd012ae2b2a374b34f307e9bc1e6096c03d Author: Xiongfeng Wang Date: Fri Dec 2 21:22:33 2022 +0800 hwrng: amd - Fix PCI device refcount leak [ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ] for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put() for the normal and error path. Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver") Signed-off-by: Xiongfeng Wang Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 84ebdb6b65adc30aa325da34071481df306aa31e Author: Gaosheng Cui Date: Thu Dec 1 14:25:26 2022 +0800 crypto: img-hash - Fix variable dereferenced before check 'hdev->req' [ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ] Smatch report warning as follows: drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable dereferenced before check 'hdev->req' Variable dereferenced should be done after check 'hdev->req', fix it. Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator") Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception") Signed-off-by: Gaosheng Cui Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f2f2c6102acef47f76364631ef0ffaa1447bfecc Author: Samuel Holland Date: Sat Nov 26 00:09:19 2022 -0600 riscv: Fix crash during early errata patching [ Upstream commit 0c49688174f5347c3f8012e84c0ffa0d2b2890c8 ] The patch function for the T-Head PBMT errata calls __pa_symbol() before relocation. This crashes when CONFIG_DEBUG_VIRTUAL is enabled, because __pa_symbol() forwards to __phys_addr_symbol(), and __phys_addr_symbol() checks against the absolute kernel start/end address. Fix this by checking against the kernel map instead of a symbol address. Fixes: a35707c3d850 ("riscv: add memory-type errata for T-Head") Reviewed-by: Heiko Stuebner Tested-by: Heiko Stuebner Signed-off-by: Samuel Holland Link: https://lore.kernel.org/r/20221126060920.65009-1-samuel@sholland.org Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit e395fdfec46d4adbee0e849e9feaa706871da2af Author: Anup Patel Date: Mon Nov 14 14:35:34 2022 +0530 RISC-V: Fix MEMREMAP_WB for systems with Svpbmt [ Upstream commit b91676fc16cd384a81e3af52c641aa61985cc231 ] Currently, the memremap() called with MEMREMAP_WB maps memory using the generic ioremap() function which breaks on system with Svpbmt because memory mapped using _PAGE_IOREMAP page attributes is treated as strongly-ordered non-cacheable IO memory. To address this, we implement RISC-V specific arch_memremap_wb() which maps memory using _PAGE_KERNEL page attributes resulting in write-back cacheable mapping on systems with Svpbmt. Fixes: ff689fd21cb1 ("riscv: add RISC-V Svpbmt extension support") Co-developed-by: Mayuresh Chitale Signed-off-by: Mayuresh Chitale Signed-off-by: Anup Patel Acked-by: Conor Dooley Link: https://lore.kernel.org/r/20221114090536.1662624-2-apatel@ventanamicro.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit eced7ec0cd894972f819d05ad2ef0bc57c585873 Author: Andrew Bresticker Date: Fri Nov 11 17:31:08 2022 -0500 RISC-V: Fix unannoted hardirqs-on in return to userspace slow-path [ Upstream commit b0f4c74eadbf69a3298f38566bfaa2e202541f2f ] The return to userspace path in entry.S may enable interrupts without the corresponding lockdep annotation, producing a splat[0] when DEBUG_LOCKDEP is enabled. Simply calling __trace_hardirqs_on() here gets a bit messy due to the use of RA to point back to ret_from_exception, so just move the whole slow-path loop into C. It's more readable and it lets us use local_irq_{enable,disable}(), avoiding the need for manual annotations altogether. [0]: ------------[ cut here ]------------ DEBUG_LOCKS_WARN_ON(!lockdep_hardirqs_enabled()) WARNING: CPU: 2 PID: 1 at kernel/locking/lockdep.c:5512 check_flags+0x10a/0x1e0 Modules linked in: CPU: 2 PID: 1 Comm: init Not tainted 6.1.0-rc4-00160-gb56b6e2b4f31 #53 Hardware name: riscv-virtio,qemu (DT) epc : check_flags+0x10a/0x1e0 ra : check_flags+0x10a/0x1e0 status: 0000000200000100 badaddr: 0000000000000000 cause: 0000000000000003 [] lock_is_held_type+0x78/0x14e [] __might_resched+0x26/0x22c [] __might_sleep+0x3c/0x66 [] get_signal+0x9e/0xa70 [] do_notify_resume+0x6e/0x422 [] ret_from_exception+0x0/0x10 irq event stamp: 44512 hardirqs last enabled at (44511): [] _raw_spin_unlock_irqrestore+0x54/0x62 hardirqs last disabled at (44512): [] __trace_hardirqs_off+0xc/0x14 softirqs last enabled at (44472): [] __do_softirq+0x3de/0x51e softirqs last disabled at (44467): [] irq_exit+0xd6/0x104 ---[ end trace 0000000000000000 ]--- possible reason: unannotated irqs-on. Signed-off-by: Andrew Bresticker Fixes: 3c4697982982 ("riscv: Enable LOCKDEP_SUPPORT & fixup TRACE_IRQFLAGS_SUPPORT") Link: https://lore.kernel.org/r/20221111223108.1976562-1-abrestic@rivosinc.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit 9f4379692ace14f6f537a47f0dd847a7dfd1f084 Author: Chengchang Tang Date: Sat Nov 26 18:29:11 2022 +0800 RDMA/hns: Fix XRC caps on HIP08 [ Upstream commit 682c0722addae4b4a1440c9db9d8c86cb8e09ce5 ] XRC caps has been set by default. But in fact, XRC is not supported in HIP08. Fixes: 32548870d438 ("RDMA/hns: Add support for XRC on HIP09") Link: https://lore.kernel.org/r/20221126102911.2921820-7-xuhaoyue1@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 9e711eafabf0337ea48ab3cbe18c127ceb9808d3 Author: Chengchang Tang Date: Sat Nov 26 18:29:10 2022 +0800 RDMA/hns: Fix error code of CMD [ Upstream commit 667d6164b84884c64de3fc18670cd5a98b0b10cf ] The error code is fixed to EIO when CMD fails to excute. This patch converts the error status reported by firmware to linux errno. Fixes: a04ff739f2a9 ("RDMA/hns: Add command queue support for hip08 RoCE driver") Link: https://lore.kernel.org/r/20221126102911.2921820-6-xuhaoyue1@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d78e8b4c862d1788fa19c55ba4e9ba18a2ee0c4f Author: Chengchang Tang Date: Sat Nov 26 18:29:09 2022 +0800 RDMA/hns: Fix page size cap from firmware [ Upstream commit 99dc5a0712883d5d13b620d25b3759d429577bc8 ] Add verification to make sure the roce page size cap is supported by the system page size. Fixes: ba6bb7e97421 ("RDMA/hns: Add interfaces to get pf capabilities from firmware") Link: https://lore.kernel.org/r/20221126102911.2921820-5-xuhaoyue1@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit aaa589124d4c7e38a2cf198b96ad24a4ab4b0138 Author: Chengchang Tang Date: Sat Nov 26 18:29:08 2022 +0800 RDMA/hns: Fix PBL page MTR find [ Upstream commit 9fb39ef2ff3e18f1740625ba04093dfbef086d2b ] Now, The address of the first two pages in the MR will be searched, which use to speed up the lookup of the pbl table for hardware. An exception will occur when there is only one page in this MR. This patch fix the number of page to search. Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process") Link: https://lore.kernel.org/r/20221126102911.2921820-4-xuhaoyue1@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d3238c4d3a4614048b2efe109ba2294ae2a8f605 Author: Chengchang Tang Date: Sat Nov 26 18:29:07 2022 +0800 RDMA/hns: Fix AH attr queried by query_qp [ Upstream commit bc34c04f7b97c3794dec5a6d6d27ffd5f0e4f5c8 ] The queried AH attr is invalid. This patch fix it. This problem is found by rdma-core test test_mr_rereg_pd ERROR: test_mr_rereg_pd (tests.test_mr.MRTest) Test that cover rereg MR's PD with this flow: ---------------------------------------------------------------------- Traceback (most recent call last): File "./tests/test_mr.py", line 157, in test_mr_rereg_pd self.restate_qps() File "./tests/test_mr.py", line 113, in restate_qps self.server.qp.to_rts(self.server_qp_attr) File "qp.pyx", line 1137, in pyverbs.qp.QP.to_rts File "qp.pyx", line 1123, in pyverbs.qp.QP.to_rtr pyverbs.pyverbs_error.PyverbsRDMAError: Failed to modify QP state to RTR. Errno: 22, Invalid argument Fixes: 926a01dc000d ("RDMA/hns: Add QP operations support for hip08 SoC") Link: https://lore.kernel.org/r/20221126102911.2921820-3-xuhaoyue1@hisilicon.com Signed-off-by: Chengchang Tang Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 60549c5224cd85250f995d345978b1431a8034e1 Author: Yixing Liu Date: Sat Nov 26 18:29:06 2022 +0800 RDMA/hns: Fix the gid problem caused by free mr [ Upstream commit 487d65090a3dce1ae54946aded55d0f8ac87cbab ] After the hns roce driver is loaded, if you modify the mac address of the network port, the following error will appear: __ib_cache_gid_add: unable to add gid fe80:0000:0000:0000:4600:4dff:fe22:abb5 error=-28 hns3 0000:7d:00.0 hns_0: attr path_mtu(1) invalid while modify qp The reason for the error is that the gid being occupied will cause the failure to modify the gid. The gid is occupied by the loopback QP used by free mr. When the mac address is modified, the gid will change. If there is a busy QP at this time, the gid will not be released and the modification will fail. The QP of free mr is created using the ib interface. The ib interface will add a reference count to the gid, resulting in this error scenario. Considering that free mr is solving a bug in HIP08, not an actual business, it is not necessary to use ib interfaces. Fixes: 70f92521584f ("RDMA/hns: Use the reserved loopback QPs to free MR before destroying MPT") Link: https://lore.kernel.org/r/20221126102911.2921820-2-xuhaoyue1@hisilicon.com Signed-off-by: Yixing Liu Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit bf0ad007e6cb5b22b38b7e45aea0595177cdda93 Author: Zhang Xiaoxu Date: Tue Oct 18 12:40:04 2022 +0800 orangefs: Fix sysfs not cleanup when dev init failed [ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ] When the dev init failed, should cleanup the sysfs, otherwise, the module will never be loaded since can not create duplicate sysfs directory: sysfs: cannot create duplicate filename '/fs/orangefs' CPU: 1 PID: 6549 Comm: insmod Tainted: G W 6.0.0+ #44 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 Call Trace: dump_stack_lvl+0x34/0x44 sysfs_warn_dup.cold+0x17/0x24 sysfs_create_dir_ns+0x16d/0x180 kobject_add_internal+0x156/0x3a0 kobject_init_and_add+0xcf/0x120 orangefs_sysfs_init+0x7e/0x3a0 [orangefs] orangefs_init+0xfe/0x1000 [orangefs] do_one_initcall+0x87/0x2a0 do_init_module+0xdf/0x320 load_module+0x2f98/0x3330 __do_sys_finit_module+0x113/0x1b0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory. Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem") Signed-off-by: Zhang Xiaoxu Signed-off-by: Mike Marshall Signed-off-by: Sasha Levin commit 38c1d5d2f8ae3b46355d76bc58e1ec7b5db1bb06 Author: Francisco Munoz Date: Mon Dec 5 17:16:37 2022 -0700 PCI: vmd: Fix secondary bus reset for Intel bridges [ Upstream commit 0a584655ef89541dae4d48d2c523b1480ae80284 ] The reset was never applied in the current implementation because Intel Bridges owned by VMD are parentless. Internally, pci_reset_bus() applies a reset to the parent of the PCI device supplied as argument, but in this case it failed because there wasn't a parent. In more detail, this change allows the VMD driver to enumerate NVMe devices in pass-through configurations when guest reboots are performed. There was an attempted to fix this, but later we discovered that the code inside pci_reset_bus() wasn’t triggering secondary bus resets. Therefore, we updated the parameters passed to it, and now NVMe SSDs attached to VMD bridges are properly enumerated in VT-d pass-through scenarios. Link: https://lore.kernel.org/r/20221206001637.4744-1-francisco.munoz.ruiz@linux.intel.com Fixes: 6aab5622296b ("PCI: vmd: Clean up domain before enumeration") Signed-off-by: Francisco Munoz Signed-off-by: Lorenzo Pieralisi Reviewed-by: Nirmal Patel Reviewed-by: Jonathan Derrick Signed-off-by: Sasha Levin commit 6c8319b90fe7a3df5fd9066cf2be22661890cd29 Author: Wang Yufen Date: Fri Dec 2 12:00:38 2022 +0800 RDMA/srp: Fix error return code in srp_parse_options() [ Upstream commit ed461b30b22c8fa85c25189c14cb89f29595cd14 ] In the previous iteration of the while loop, the "ret" may have been assigned a value of 0, so the error return code -EINVAL may have been incorrectly set to 0. To fix set valid return code before calling to goto. Also investigate each case separately as Andy suggessted. Fixes: e711f968c49c ("IB/srp: replace custom implementation of hex2bin()") Fixes: 2a174df0c602 ("IB/srp: Use kstrtoull() instead of simple_strtoull()") Fixes: 19f313438c77 ("IB/srp: Add RDMA/CM support") Signed-off-by: Wang Yufen Link: https://lore.kernel.org/r/1669953638-11747-2-git-send-email-wangyufen@huawei.com Reviewed-by: Bart Van Assche Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 8bc0ecf1c382754e644359c03de7416b5b57b69d Author: Wang Yufen Date: Fri Dec 2 12:00:37 2022 +0800 RDMA/hfi1: Fix error return code in parse_platform_config() [ Upstream commit 725349f8ba1e78a146c6ff8f3ee5e2712e517106 ] In the previous iteration of the while loop, the "ret" may have been assigned a value of 0, so the error return code -EINVAL may have been incorrectly set to 0. To fix set valid return code before calling to goto. Fixes: 97167e813415 ("staging/rdma/hfi1: Tune for unknown channel if configuration file is absent") Signed-off-by: Wang Yufen Link: https://lore.kernel.org/r/1669953638-11747-1-git-send-email-wangyufen@huawei.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit de888c02ac32c0209525eeca2046521f97372c4b Author: Randy Dunlap Date: Fri Dec 2 13:19:40 2022 -0800 RDMA: Disable IB HW for UML [ Upstream commit 323a74fc20f53c0d0e13a16aee703a30d9751235 ] Disable all of drivers/infiniband/hw/ and rdmavt for UML builds until someone needs it and provides patches to support it. This prevents build errors in hw/qib/qib_wc_x86_64.c. Fixes: 68f5d3f3b654 ("um: add PCI over virtio emulation driver") Signed-off-by: Randy Dunlap Cc: Jason Gunthorpe Cc: Dennis Dalessandro Cc: Christoph Hellwig Cc: linux-rdma@vger.kernel.org Cc: Jeff Dike Cc: Richard Weinberger Cc: Anton Ivanov Cc: Johannes Berg Cc: linux-um@lists.infradead.org Link: https://lore.kernel.org/r/20221202211940.29111-1-rdunlap@infradead.org Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 3829187387e4f9c3b9288bdc82cfe6b3e6cf4ac2 Author: Tong Tiangen Date: Mon Oct 24 09:47:25 2022 +0000 riscv/mm: add arch hook arch_clear_hugepage_flags [ Upstream commit d8bf77a1dc3079692f54be3087a5fd16d90027b0 ] With the PG_arch_1 we keep track if the page's data cache is clean, architecture rely on this property to treat new pages as dirty with respect to the data cache and perform the flushing before mapping the pages into userspace. This patch adds a new architecture hook, arch_clear_hugepage_flags,so that architectures which rely on the page flags being in a particular state for fresh allocations can adjust the flags accordingly when a page is freed into the pool. Fixes: 9e953cda5cdf ("riscv: Introduce huge page support for 32/64bit kernel") Signed-off-by: Tong Tiangen Link: https://lore.kernel.org/r/20221024094725.3054311-3-tongtiangen@huawei.com Signed-off-by: Palmer Dabbelt Signed-off-by: Sasha Levin commit c19ca6553c2d04ab943a4f58747889c234858dd3 Author: Shang XiaoJing Date: Thu Nov 24 14:49:40 2022 +0800 crypto: omap-sham - Use pm_runtime_resume_and_get() in omap_sham_probe() [ Upstream commit 7bcceb4c9896b1b672b636ae70fe75110d6bf1ad ] omap_sham_probe() calls pm_runtime_get_sync() and calls pm_runtime_put_sync() latter to put usage_counter. However, pm_runtime_get_sync() will increment usage_counter even it failed. Fix it by replacing it with pm_runtime_resume_and_get() to keep usage counter balanced. Fixes: b359f034c8bf ("crypto: omap-sham - Convert to use pm_runtime API") Signed-off-by: Shang XiaoJing Acked-by: Mark Greer Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 22a59bb0aa5ae2545d7e2feee994eaa877ff09dc Author: Christophe JAILLET Date: Tue Nov 22 22:56:19 2022 +0100 crypto: amlogic - Remove kcalloc without check [ Upstream commit 3d780c8a9850ad60dee47a8d971ba7888f3d1bd3 ] There is no real point in allocating dedicated memory for the irqs array. MAXFLOW is only 2, so it is easier to allocated the needed space directly within the 'meson_dev' structure. This saves some memory allocation and avoids an indirection when using the irqs array. Fixes: 48fe583fe541 ("crypto: amlogic - Add crypto accelerator...") Signed-off-by: Christophe JAILLET Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 10ed78c85b52f87b54dbf7884a97687029d3c32b Author: Wang Yufen Date: Mon Nov 21 19:27:34 2022 +0800 crypto: qat - fix error return code in adf_probe [ Upstream commit 31f81401e23fb88cc030cd586abd28740e6c8136 ] Fix to return a negative error code -EINVAL instead of 0. Fixes: 0cec19c761e5 ("crypto: qat - add support for compression for 4xxx") Signed-off-by: Wang Yufen Acked-by: Giovanni Cabiddu Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit c458c9d0ce9767f05f39cc0f6610da7a00cf234a Author: Mark Zhang Date: Mon Nov 28 13:52:46 2022 +0200 RDMA/nldev: Fix failure to send large messages [ Upstream commit fc8f93ad3e5485d45c992233c96acd902992dfc4 ] Return "-EMSGSIZE" instead of "-EINVAL" when filling a QP entry, so that new SKBs will be allocated if there's not enough room in current SKB. Fixes: 65959522f806 ("RDMA: Add support to dump resource tracker in RAW format") Signed-off-by: Mark Zhang Reviewed-by: Patrisious Haddad Link: https://lore.kernel.org/r/b5e9c62f6b8369acab5648b661bf539cbceeffdc.1669636336.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 3ee8611a1d0dbf5b229d3d165d76d5d3ab3a5a84 Author: Yonggil Song Date: Tue Nov 22 18:03:20 2022 +0900 f2fs: avoid victim selection from previous victim section [ Upstream commit e219aecfd4b766c4e878a3769057e9809f7fcadc ] When f2fs chooses GC victim in large section & LFS mode, next_victim_seg[gc_type] is referenced first. After segment is freed, next_victim_seg[gc_type] has the next segment number. However, next_victim_seg[gc_type] still has the last segment number even after the last segment of section is freed. In this case, when f2fs chooses a victim for the next GC round, the last segment of previous victim section is chosen as a victim. Initialize next_victim_seg[gc_type] to NULL_SEGNO for the last segment in large section. Fixes: e3080b0120a1 ("f2fs: support subsectional garbage collection") Signed-off-by: Yonggil Song Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 0807071c1b2b5e4eeef8b092295c97d30c0b0d79 Author: Sheng Yong Date: Fri Nov 11 18:08:29 2022 +0800 f2fs: fix to enable compress for newly created file if extension matches [ Upstream commit 787caf1bdcd9f04058e4e8d8ed56db1dbafea0b7 ] If compress_extension is set, and a newly created file matches the extension, the file could be marked as compression file. However, if inline_data is also enabled, there is no chance to check its extension since f2fs_should_compress() always returns false. This patch moves set_compress_inode(), which do extension check, in f2fs_should_compress() to check extensions before setting inline data flag. Fixes: 7165841d578e ("f2fs: fix to check inline_data during compressed inode conversion") Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 1f9d91ffc383768a6402bc55e56dcc8bd011bba4 Author: Sheng Yong Date: Thu Nov 17 23:10:54 2022 +0800 f2fs: set zstd compress level correctly [ Upstream commit 4ff23a6547b81ca22adb852dfe93ee5fc45328ac ] Fixes: cf30f6a5f0c6 ("lib: zstd: Add kernel-specific API") Signed-off-by: Sheng Yong Reviewed-by: Chao Yu Reviewed-by: Nick Terrell Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 65c73bc771d611d016b00cc8251640c68b22e52c Author: Yuan Can Date: Sat Nov 26 04:34:10 2022 +0000 RDMA/nldev: Add checks for nla_nest_start() in fill_stat_counter_qps() [ Upstream commit ea5ef136e215fdef35f14010bc51fcd6686e6922 ] As the nla_nest_start() may fail with NULL returned, the return value needs to be checked. Fixes: c4ffee7c9bdb ("RDMA/netlink: Implement counter dumpit calback") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221126043410.85632-1-yuancan@huawei.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 02e0170c4da25c0d887bdea5ba83f9b516d90764 Author: Bart Van Assche Date: Fri Nov 18 15:37:03 2022 -0800 scsi: ufs: core: Fix the polling implementation [ Upstream commit ee8c88cab4afbd5ee10a127d6cbecd6b200185a5 ] Fix the following issues in ufshcd_poll(): - If polling succeeds, return a positive value. - Do not complete polling requests from interrupt context because the block layer expects these requests to be completed from thread context. From block/bio.c: If REQ_ALLOC_CACHE is set, the final put of the bio MUST be done from process context, not hard/soft IRQ. Fixes: eaab9b573054 ("scsi: ufs: Implement polling support") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20221118233717.441298-1-bvanassche@acm.org Reviewed-by: Adrian Hunter Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4141cd9e8b3379aea52a85d2c35f6eaf26d14e86 Author: Gaosheng Cui Date: Thu Nov 17 11:51:00 2022 +0800 scsi: snic: Fix possible UAF in snic_tgt_create() [ Upstream commit e118df492320176af94deec000ae034cc92be754 ] Smatch reports a warning as follows: drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: '&tgt->list' not removed from list If device_add() fails in snic_tgt_create(), tgt will be freed, but tgt->list will not be removed from snic->disc.tgt_list, then list traversal may cause UAF. Remove from snic->disc.tgt_list before free(). Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com Acked-by: Narsimhulu Musini Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit aef82d16be5a353d913163f26fc4385e296be2b8 Author: Chen Zhongjin Date: Tue Nov 15 17:24:42 2022 +0800 scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails [ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ] fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed &fcoe_sw_transport on fcoe_transports list. This causes panic when reinserting module. BUG: unable to handle page fault for address: fffffbfff82e2213 RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe] Call Trace: do_one_initcall+0xd0/0x4e0 load_module+0x5eee/0x7210 ... Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver") Signed-off-by: Chen Zhongjin Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 4399a8632e5f8f1f695d91d992c7d418fb451f07 Author: Shang XiaoJing Date: Sun Nov 13 14:45:13 2022 +0800 scsi: ipr: Fix WARNING in ipr_init() [ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ] ipr_init() will not call unregister_reboot_notifier() when pci_register_driver() fails, which causes a WARNING. Call unregister_reboot_notifier() when pci_register_driver() fails. notifier callback ipr_halt [ipr] already registered WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 notifier_chain_register+0x16d/0x230 Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks agpgart cfbft CPU: 3 PID: 299 Comm: modprobe Tainted: G W 6.1.0-rc1-00190-g39508d23b672-dirty #332 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 RIP: 0010:notifier_chain_register+0x16d/0x230 Call Trace: __blocking_notifier_chain_register+0x73/0xb0 ipr_init+0x30/0x1000 [ipr] do_one_initcall+0xdb/0x480 do_init_module+0x1cf/0x680 load_module+0x6a50/0x70a0 __do_sys_finit_module+0x12f/0x1c0 do_syscall_64+0x3f/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter") Signed-off-by: Shang XiaoJing Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit bc31e6820424a7cea058d8feed59d1b7116bad34 Author: Yang Yingliang Date: Sat Nov 12 21:10:10 2022 +0800 scsi: scsi_debug: Fix possible name leak in sdebug_add_host_helper() [ Upstream commit e6d773f93a49e0eda88a903a2a6542ca83380eb1 ] Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, it needs be freed when device_register() returns error. As comment of device_register() says, one should use put_device() to give up the reference in the error path. Fix this by calling put_device(), then the name can be freed in kobject_cleanup(), and sdbg_host is freed in sdebug_release_adapter(). When the device release is not set, it means the device is not initialized. We can not call put_device() in this case. Use kfree() to free memory. Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221112131010.3757845-1-yangyingliang@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit cfa2f8098a6e2455fac1569fabb770068b7c9c5f Author: Yang Yingliang Date: Sat Nov 12 17:43:10 2022 +0800 scsi: fcoe: Fix possible name leak when device_register() fails [ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ] If device_register() returns an error, the name allocated by dev_set_name() needs to be freed. As the comment of device_register() says, one should use put_device() to give up the reference in the error path. Fix this by calling put_device(), then the name can be freed in kobject_cleanup(). The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the error path can be removed. The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error label, just return NULL after calling put_device(). Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8698f359f2523b31a523d02c90e02e12308bdda1 Author: Harshit Mogalapalli Date: Fri Nov 11 23:06:12 2022 -0800 scsi: scsi_debug: Fix a warning in resp_report_zones() [ Upstream commit 07f2ca139d9a7a1ba71c4c03997c8de161db2346 ] As 'alloc_len' is user controlled data, if user tries to allocate memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack trace and messes up dmesg with a warning. Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch. Fixes: 7db0e0c8190a ("scsi: scsi_debug: Fix buffer size of REPORT ZONES command") Signed-off-by: Harshit Mogalapalli Link: https://lore.kernel.org/r/20221112070612.2121535-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 582b0a422642f02c45e6b062e695382059909ced Author: Harshit Mogalapalli Date: Fri Nov 11 23:00:31 2022 -0800 scsi: scsi_debug: Fix a warning in resp_verify() [ Upstream commit ed0f17b748b20271cb568c7ca0b23b120316a47d ] As 'vnum' is controlled by user, so if user tries to allocate memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack trace and messes up dmesg with a warning. Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch. Fixes: c3e2fe9222d4 ("scsi: scsi_debug: Implement VERIFY(10), add VERIFY(16)") Signed-off-by: Harshit Mogalapalli Link: https://lore.kernel.org/r/20221112070031.2121068-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c7e96168a8ca3be96c4959475164bef31115f07e Author: Chen Zhongjin Date: Fri Nov 11 15:40:46 2022 +0800 scsi: efct: Fix possible memleak in efct_device_init() [ Upstream commit bb0cd225dd37df1f4a22e36dad59ff33178ecdfc ] In efct_device_init(), when efct_scsi_reg_fc_transport() fails, efct_scsi_tgt_driver_exit() is not called to release memory for efct_scsi_tgt_driver_init() and causes memleak: unreferenced object 0xffff8881020ce000 (size 2048): comm "modprobe", pid 465, jiffies 4294928222 (age 55.872s) backtrace: [<0000000021a1ef1b>] kmalloc_trace+0x27/0x110 [<000000004c3ed51c>] target_register_template+0x4fd/0x7b0 [target_core_mod] [<00000000f3393296>] efct_scsi_tgt_driver_init+0x18/0x50 [efct] [<00000000115de533>] 0xffffffffc0d90011 [<00000000d608f646>] do_one_initcall+0xd0/0x4e0 [<0000000067828cf1>] do_init_module+0x1cc/0x6a0 ... Fixes: 4df84e846624 ("scsi: elx: efct: Driver initialization routines") Signed-off-by: Chen Zhongjin Link: https://lore.kernel.org/r/20221111074046.57061-1-chenzhongjin@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit c2e4692d019ad0090c919ee6730d07234aa3abdb Author: Yang Yingliang Date: Fri Nov 11 12:30:12 2022 +0800 scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() [ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ] If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in sas_end_device_alloc() needs to be freed. Address this by calling sas_rphy_free() in the error path. Fixes: d04e62b9d63a ("hpsa: add in sas transport class") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 9aa5b09a55486c6713aa5f8830141811864cbb7c Author: Yang Yingliang Date: Thu Nov 10 23:11:29 2022 +0800 scsi: hpsa: Fix error handling in hpsa_add_sas_host() [ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ] hpsa_sas_port_add_phy() does: ... sas_phy_add() -> may return error here sas_port_add_phy() ... Whereas hpsa_free_sas_phy() does: ... sas_port_delete_phy() sas_phy_delete() ... If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be called to free the memory because the port and the phy have not been added yet. Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel crash in this case. Fixes: d04e62b9d63a ("hpsa: add in sas transport class") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit d17bca3ddfe507874cb826d32721552da12e741f Author: Yang Yingliang Date: Wed Nov 9 11:24:03 2022 +0800 scsi: mpt3sas: Fix possible resource leaks in mpt3sas_transport_port_add() [ Upstream commit 78316e9dfc24906dd474630928ed1d3c562b568e ] In mpt3sas_transport_port_add(), if sas_rphy_add() returns error, sas_rphy_free() needs be called to free the resource allocated in sas_end_device_alloc(). Otherwise a kernel crash will happen: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000108 CPU: 45 PID: 37020 Comm: bash Kdump: loaded Tainted: G W 6.1.0-rc1+ #189 pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : device_del+0x54/0x3d0 lr : device_del+0x37c/0x3d0 Call trace: device_del+0x54/0x3d0 attribute_container_class_device_del+0x28/0x38 transport_remove_classdev+0x6c/0x80 attribute_container_device_trigger+0x108/0x110 transport_remove_device+0x28/0x38 sas_rphy_remove+0x50/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_rphy_remove+0x38/0x78 [scsi_transport_sas] sas_port_delete+0x30/0x148 [scsi_transport_sas] do_sas_phy_delete+0x78/0x80 [scsi_transport_sas] device_for_each_child+0x68/0xb0 sas_remove_children+0x30/0x50 [scsi_transport_sas] sas_remove_host+0x20/0x38 [scsi_transport_sas] scsih_remove+0xd8/0x420 [mpt3sas] Because transport_add_device() is not called when sas_rphy_add() fails, the device is not added. When sas_rphy_remove() is subsequently called to remove the device in the remove() path, a NULL pointer dereference happens. Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221109032403.1636422-1-yangyingliang@huawei.com Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 8642c72b081e35ce86b36b2b295209b1d9d721c7 Author: Weili Qian Date: Sat Nov 19 17:48:43 2022 +0800 crypto: hisilicon/qm - fix 'QM_XEQ_DEPTH_CAP' mask value [ Upstream commit 3901355624d14afe3230252cb36bc3da8ff6890e ] 'QM_XEQ_DEPTH_CAP' mask value is GENMASK(31, 0) instead of GENMASK(15, 0). If the mask value is incorrect, will cause abnormal events cannot be handled. So fix it. Fixes: 129a9f340172 ("crypto: hisilicon/qm - get qp num and depth from hardware registers") Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 4841596b93f0708fba68b78f5e8ed3fb28ca6689 Author: Eric Biggers Date: Fri Nov 18 11:44:19 2022 -0800 crypto: arm64/sm3 - fix possible crash with CFI enabled [ Upstream commit be8f6b6496076588fd49cbe5bfaaf3ab883eb779 ] sm3_neon_transform() is called via indirect function calls. Therefore it needs to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause its type hash to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect call). Fixes: c50d32859e70 ("arm64: Add types to indirect called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9c1b30d5c1f722598eef12751bc5ccc5506830c9 Author: Tianjia Zhang Date: Thu Oct 27 14:54:54 2022 +0800 crypto: arm64/sm3 - add NEON assembly implementation [ Upstream commit a41b2129461f6c88e087ca9a6e2fde34cb6deb48 ] This patch adds the NEON acceleration implementation of the SM3 hash algorithm. The main algorithm is based on SM3 NEON accelerated work of the libgcrypt project. Benchmark on T-Head Yitian-710 2.75 GHz, the data comes from the 326 mode of tcrypt, and compares the performance data of sm3-generic and sm3-ce. The abscissas are blocks of different lengths. The data is tabulated and the unit is Mb/s: update-size | 16 64 256 1024 2048 4096 8192 ---------------+-------------------------------------------------------- sm3-generic | 185.24 221.28 301.26 307.43 300.83 308.82 308.91 sm3-neon | 171.81 220.20 322.94 339.28 334.09 343.61 343.87 sm3-ce | 227.48 333.48 502.62 527.87 520.45 534.91 535.40 Signed-off-by: Tianjia Zhang Signed-off-by: Herbert Xu Stable-dep-of: be8f6b649607 ("crypto: arm64/sm3 - fix possible crash with CFI enabled") Signed-off-by: Sasha Levin commit 23cf91c76489dd9bcc22fc744456f8ebdfe93ba9 Author: Eric Biggers Date: Fri Nov 18 11:44:17 2022 -0800 crypto: x86/sm4 - fix crash with CFI enabled [ Upstream commit 2d203c46a0fa5df0785383b13b722483e1fd27a8 ] sm4_aesni_avx_ctr_enc_blk8(), sm4_aesni_avx_cbc_dec_blk8(), sm4_aesni_avx_cfb_dec_blk8(), sm4_aesni_avx2_ctr_enc_blk16(), sm4_aesni_avx2_cbc_dec_blk16(), and sm4_aesni_avx2_cfb_dec_blk16() are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure. (Or at least that should be the case. For some reason the CFI checks in sm4_avx_cbc_decrypt(), sm4_avx_cfb_decrypt(), and sm4_avx_ctr_crypt() are not always being generated, using current tip-of-tree clang. Anyway, this patch is a good idea anyway.) Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit e6e4e281be903c45e8eaedd0198ec47565df56f7 Author: Eric Biggers Date: Fri Nov 18 11:44:16 2022 -0800 crypto: x86/sm3 - fix possible crash with CFI enabled [ Upstream commit 8ba490d9f5a56f52091644325a32d3f71a982776 ] sm3_transform_avx() is called via indirect function calls. Therefore it needs to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause its type hash to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect call). Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ae252643e884913aa9110bf5e84019e685fe5862 Author: Eric Biggers Date: Fri Nov 18 11:44:15 2022 -0800 crypto: x86/sha512 - fix possible crash with CFI enabled [ Upstream commit a1d72fa33186ac69c7d8120c71f41ea4fc23dcc9 ] sha512_transform_ssse3(), sha512_transform_avx(), and sha512_transform_rorx() are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect calls). Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 76994f26226e69cb4980b5ab3fe104eb882e03fc Author: Eric Biggers Date: Fri Nov 18 11:44:14 2022 -0800 crypto: x86/sha256 - fix possible crash with CFI enabled [ Upstream commit 19940ebbb59c12146d05c5f8acd873197b290648 ] sha256_transform_ssse3(), sha256_transform_avx(), sha256_transform_rorx(), and sha256_ni_transform() are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect calls). Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f3b1021db697a1f28089019238748c82cedd31ae Author: Eric Biggers Date: Fri Nov 18 11:44:13 2022 -0800 crypto: x86/sha1 - fix possible crash with CFI enabled [ Upstream commit 32f34bf7e44eeaa241fb845d6f52af5104bc30fd ] sha1_transform_ssse3(), sha1_transform_avx(), and sha1_ni_transform() (but not sha1_transform_avx2()) are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect calls). Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8d447b92c3e26d50e87f7491e6bab5bab8eec982 Author: Eric Biggers Date: Fri Nov 18 11:44:11 2022 -0800 crypto: x86/aria - fix crash with CFI enabled [ Upstream commit c67b553a4f4a8bd921e4c9ceae00e111be09c488 ] aria_aesni_avx_encrypt_16way(), aria_aesni_avx_decrypt_16way(), aria_aesni_avx_ctr_crypt_16way(), aria_aesni_avx_gfni_encrypt_16way(), aria_aesni_avx_gfni_decrypt_16way(), and aria_aesni_avx_gfni_ctr_crypt_16way() are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure. Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Cc: Taehee Yoo Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 5ab743151a62df1fa393184a758bd74bfff8e128 Author: Eric Biggers Date: Fri Nov 18 11:44:10 2022 -0800 crypto: x86/aegis128 - fix possible crash with CFI enabled [ Upstream commit 8bd9974b6bfcd1e14a001deeca051aed7295559a ] crypto_aegis128_aesni_enc(), crypto_aegis128_aesni_enc_tail(), crypto_aegis128_aesni_dec(), and crypto_aegis128_aesni_dec_tail() are called via indirect function calls. Therefore they need to use SYM_TYPED_FUNC_START instead of SYM_FUNC_START to cause their type hashes to be emitted when the kernel is built with CONFIG_CFI_CLANG=y. Otherwise, the code crashes with a CFI failure (if the compiler didn't happen to optimize out the indirect calls). Fixes: ccace936eec7 ("x86: Add types to indirectly called assembly functions") Acked-by: Peter Zijlstra (Intel) Reviewed-by: Sami Tolvanen Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ff28b8afb786f262fd2cbb2de8b004f9af7807aa Author: Daniel Jordan Date: Wed Nov 16 20:28:04 2022 -0500 padata: Fix list iterator in padata_do_serial() [ Upstream commit 57ddfecc72a6c9941d159543e1c0c0a74fe9afdd ] list_for_each_entry_reverse() assumes that the iterated list is nonempty and that every list_head is embedded in the same type, but its use in padata_do_serial() breaks both rules. This doesn't cause any issues now because padata_priv and padata_list happen to have their list fields at the same offset, but we really shouldn't be relying on that. Fixes: bfde23ce200e ("padata: unbind parallel jobs from specific CPUs") Signed-off-by: Daniel Jordan Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 6cfa9e60c0f88fdec6368e081ab968411cc706b1 Author: Daniel Jordan Date: Wed Nov 16 20:28:02 2022 -0500 padata: Always leave BHs disabled when running ->parallel() [ Upstream commit 34c3a47d20ae55b3600fed733bf96eafe9c500d5 ] A deadlock can happen when an overloaded system runs ->parallel() in the context of the current task: padata_do_parallel ->parallel() pcrypt_aead_enc/dec padata_do_serial spin_lock(&reorder->lock) // BHs still enabled ... __do_softirq ... padata_do_serial spin_lock(&reorder->lock) It's a bug for BHs to be on in _do_serial as Steffen points out, so ensure they're off in the "current task" case like they are in padata_parallel_worker to avoid this situation. Reported-by: syzbot+bc05445bc14148d51915@syzkaller.appspotmail.com Fixes: 4611ce224688 ("padata: allocate work structures for parallel jobs from a pool") Signed-off-by: Daniel Jordan Acked-by: Steffen Klassert Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 314398bc1014d9d407ef3c03f4c864607a066382 Author: Zhang Yiqun Date: Wed Nov 16 17:24:11 2022 +0800 crypto: tcrypt - Fix multibuffer skcipher speed test mem leak [ Upstream commit 1aa33fc8d4032227253ceb736f47c52b859d9683 ] In the past, the data for mb-skcipher test has been allocated twice, that means the first allcated memory area is without free, which may cause a potential memory leakage. So this patch is to remove one allocation to fix this error. Fixes: e161c5930c15 ("crypto: tcrypt - add multibuf skcipher...") Signed-off-by: Zhang Yiqun Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 0aa7be66168b1e84b2581ffff3ccb54a6c804a1e Author: Yuan Can Date: Tue Nov 22 01:57:51 2022 +0000 scsi: hpsa: Fix possible memory leak in hpsa_init_one() [ Upstream commit 9c9ff300e0de07475796495d86f449340d454a0c ] The hpda_alloc_ctlr_info() allocates h and its field reply_map. However, in hpsa_init_one(), if alloc_percpu() failed, the hpsa_init_one() jumps to clean1 directly, which frees h and leaks the h->reply_map. Fix by calling hpda_free_ctlr_info() to release h->replay_map and h instead free h directly. Fixes: 8b834bff1b73 ("scsi: hpsa: fix selection of reply queue") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221122015751.87284-1-yuancan@huawei.com Reviewed-by: Ming Lei Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 21d8b6bd3730fc6af7ff0eb3c65a8364da310f66 Author: Frank Li Date: Wed Nov 2 10:10:10 2022 -0400 PCI: endpoint: pci-epf-vntb: Fix call pci_epc_mem_free_addr() in error path [ Upstream commit 0c031262d2ddfb938f9668d620d7ed674771646c ] Replace pci_epc_mem_free_addr() with pci_epf_free_space() in the error handle path to match pci_epf_alloc_space(). Link: https://lore.kernel.org/r/20221102141014.1025893-4-Frank.Li@nxp.com Fixes: e35f56bb0330 ("PCI: endpoint: Support NTB transfer between RC and EP") Signed-off-by: Frank Li Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit eef5d05cbbd69c189d46aefe9fbf258f76bcf855 Author: Serge Semin Date: Sun Nov 13 22:12:43 2022 +0300 dt-bindings: visconti-pcie: Fix interrupts array max constraints [ Upstream commit 4cf4b9b70ab2785461190c08a3542d2d74c28b46 ] In accordance with the way the device DT-node is actually defined in arch/arm64/boot/dts/toshiba/tmpv7708.dtsi and the way the device is probed by the DW PCIe driver there are two IRQs it actually has. It's MSI IRQ the DT-bindings lack. Let's extend the interrupts property constraints then and fix the schema example so one would be acceptable by the actual device DT-bindings. Link: https://lore.kernel.org/r/20221113191301.5526-3-Sergey.Semin@baikalelectronics.ru Fixes: 17c1b16340f0 ("dt-bindings: pci: Add DT binding for Toshiba Visconti PCIe controller") Signed-off-by: Serge Semin Signed-off-by: Lorenzo Pieralisi Acked-by: Rob Herring Acked-by: Nobuhiro Iwamatsu Signed-off-by: Sasha Levin commit e75080f9b4ee5db60d5ad033df5f12f7cd5ccd8e Author: Serge Semin Date: Sun Nov 13 22:12:42 2022 +0300 dt-bindings: imx6q-pcie: Fix clock names for imx6sx and imx8mq [ Upstream commit b8a83e600bdde93e7da41ea3204b2b3832a3c99b ] Originally as it was defined the legacy bindings the pcie_inbound_axi and pcie_aux clock names were supposed to be used in the fsl,imx6sx-pcie and fsl,imx8mq-pcie devices respectively. But the bindings conversion has been incorrectly so now the fourth clock name is defined as "pcie_inbound_axi for imx6sx-pcie, pcie_aux for imx8mq-pcie", which is completely wrong. Let's fix that by conditionally apply the clock-names constraints based on the compatible string content. Link: https://lore.kernel.org/r/20221113191301.5526-2-Sergey.Semin@baikalelectronics.ru Fixes: 751ca492f131 ("dt-bindings: PCI: imx6: convert the imx pcie controller to dtschema") Signed-off-by: Serge Semin Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Acked-by: Alexander Stein Signed-off-by: Sasha Levin commit 821f9a18210f6b9fd6792471714c799607b25db4 Author: Zhang Xiaoxu Date: Tue Nov 22 23:14:37 2022 +0800 RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed [ Upstream commit f67376d801499f4fa0838c18c1efcad8840e550d ] There is a null-ptr-deref when mount.cifs over rdma: BUG: KASAN: null-ptr-deref in rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] Read of size 8 at addr 0000000000000018 by task mount.cifs/3046 CPU: 2 PID: 3046 Comm: mount.cifs Not tainted 6.1.0-rc5+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc3 Call Trace: dump_stack_lvl+0x34/0x44 kasan_report+0xad/0x130 rxe_qp_do_cleanup+0x2f3/0x360 [rdma_rxe] execute_in_process_context+0x25/0x90 __rxe_cleanup+0x101/0x1d0 [rdma_rxe] rxe_create_qp+0x16a/0x180 [rdma_rxe] create_qp.part.0+0x27d/0x340 ib_create_qp_kernel+0x73/0x160 rdma_create_qp+0x100/0x230 _smbd_get_connection+0x752/0x20f0 smbd_get_connection+0x21/0x40 cifs_get_tcp_session+0x8ef/0xda0 mount_get_conns+0x60/0x750 cifs_mount+0x103/0xd00 cifs_smb3_do_mount+0x1dd/0xcb0 smb3_get_tree+0x1d5/0x300 vfs_get_tree+0x41/0xf0 path_mount+0x9b3/0xdd0 __x64_sys_mount+0x190/0x1d0 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The root cause of the issue is the socket create failed in rxe_qp_init_req(). So move the reset rxe_qp_do_cleanup() after the NULL ptr check. Fixes: 8700e3e7c485 ("Soft RoCE driver") Link: https://lore.kernel.org/r/20221122151437.1057671-1-zhangxiaoxu5@huawei.com Signed-off-by: Zhang Xiaoxu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fc2c43bf41c89e7451fe750025ae55eb2e2a741d Author: Zhengchao Shao Date: Sat Nov 19 15:08:34 2022 +0800 RDMA/hns: fix memory leak in hns_roce_alloc_mr() [ Upstream commit a115aa00b18f7b8982b8f458149632caf64a862a ] When hns_roce_mr_enable() failed in hns_roce_alloc_mr(), mr_key is not released. Compiled test only. Fixes: 9b2cf76c9f05 ("RDMA/hns: Optimize PBL buffer allocation process") Signed-off-by: Zhengchao Shao Link: https://lore.kernel.org/r/20221119070834.48502-1-shaozhengchao@huawei.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 26cee0603af08da94f90c71e78e82fe7fdb51fb3 Author: Mustafa Ismail Date: Mon Nov 21 18:44:10 2022 -0600 RDMA/irdma: Initialize net_type before checking it [ Upstream commit 9907526d25c4ad8a6e3006487a544140776ba005 ] The av->net_type is not initialized before it is checked in irdma_modify_qp_roce. This leads to an incorrect update to the ARP cache and QP context. RoCEv2 connections might fail as result. Set the net_type using rdma_gid_attr_network_type. Fixes: 80005c43d4c8 ("RDMA/irdma: Use net_type to check network type") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Link: https://lore.kernel.org/r/20221122004410.1471-1-shiraz.saleem@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit d9dbd4ca26464ef8a9f0eac5a7fb181784ff759f Author: Uwe Kleine-König Date: Mon Nov 21 18:22:36 2022 +0100 crypto: ccree - Make cc_debugfs_global_fini() available for module init function [ Upstream commit 8e96729fc26c8967db45a3fb7a60387619f77a22 ] ccree_init() calls cc_debugfs_global_fini(), the former is an init function and the latter an exit function though. A modular build emits: WARNING: modpost: drivers/crypto/ccree/ccree.o: section mismatch in reference: init_module (section: .init.text) -> cc_debugfs_global_fini (section: .exit.text) (with CONFIG_DEBUG_SECTION_MISMATCH=y). Fixes: 4f1c596df706 ("crypto: ccree - Remove debugfs when platform_driver_register failed") Signed-off-by: Uwe Kleine-König Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ed8b5ff3b078c9564b7c99704986be89fd12392c Author: Xiongfeng Wang Date: Thu Nov 17 21:15:46 2022 +0800 RDMA/hfi: Decrease PCI device reference count in error path [ Upstream commit 9b51d072da1d27e1193e84708201c48e385ad912 ] pci_get_device() will increase the reference count for the returned pci_dev, and also decrease the reference count for the input parameter *from* if it is not NULL. If we break out the loop in node_affinity_init() with 'dev' not NULL, we need to call pci_dev_put() to decrease the reference count. Add missing pci_dev_put() in error path. Fixes: c513de490f80 ("IB/hfi1: Invalid NUMA node information can cause a divide by zero") Signed-off-by: Xiongfeng Wang Link: https://lore.kernel.org/r/20221117131546.113280-1-wangxiongfeng2@huawei.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 76ca6756bf038bd6d0fa735673e4fc97d63622d0 Author: Zeng Heng Date: Mon Nov 21 10:00:29 2022 +0800 PCI: Check for alloc failure in pci_request_irq() [ Upstream commit 2d9cd957d40c3ac491b358e7cff0515bb07a3a9c ] When kvasprintf() fails to allocate memory, it returns a NULL pointer. Return error from pci_request_irq() so we don't dereference it. [bhelgaas: commit log] Fixes: 704e8953d3e9 ("PCI/irq: Add pci_request_irq() and pci_free_irq() helpers") Link: https://lore.kernel.org/r/20221121020029.3759444-1-zengheng4@huawei.com Signed-off-by: Zeng Heng Signed-off-by: Bjorn Helgaas Reviewed-by: Christoph Hellwig Signed-off-by: Sasha Levin commit c5a6776e44aa632cd82fbc42c2062db1e233279a Author: Luoyouming Date: Tue Nov 8 21:38:47 2022 +0800 RDMA/hns: Fix incorrect sge nums calculation [ Upstream commit 0c5e259b06a8efc69f929ad777ea49281bb58e37 ] The user usually configures the number of sge through the max_send_sge parameter when creating qp, and configures the maximum size of inline data that can be sent through max_inline_data. Inline uses sge to fill data to send. Expect the following: 1) When the sge space cannot hold inline data, the sge space needs to be expanded to accommodate all inline data 2) When the sge space is enough to accommodate inline data, the upper limit of inline data can be increased so that users can send larger inline data Currently case one is not implemented. When the inline data is larger than the sge space, an error of insufficient sge space occurs. This part of the code needs to be reimplemented according to the expected rules. The calculation method of sge num is modified to take the maximum value of max_send_sge and the sge for max_inline_data to solve this problem. Fixes: 05201e01be93 ("RDMA/hns: Refactor process of setting extended sge") Fixes: 30b707886aeb ("RDMA/hns: Support inline data in extented sge space for RC") Link: https://lore.kernel.org/r/20221108133847.2304539-3-xuhaoyue1@hisilicon.com Signed-off-by: Luoyouming Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2b214368bc0cf4c9fbda2395d98a4ca3fa4441cf Author: Luoyouming Date: Tue Nov 8 21:38:46 2022 +0800 RDMA/hns: Fix ext_sge num error when post send [ Upstream commit 8eaa6f7d569b4a22bfc1b0a3fdfeeb401feb65a4 ] In the HNS ROCE driver, The sge is divided into standard sge and extended sge. There are 2 standard sge in RC/XRC, and the UD standard sge is 0. In the scenario of RC SQ inline, if the data does not exceed 32bytes, the standard sge will be used. If it exceeds, only the extended sge will be used to fill the data. Currently, when filling the extended sge, max_gs is directly used as the number of the extended sge, which did not subtract the number of standard sge. There is a logical error. The new algorithm subtracts the number of standard sge from max_gs to get the actual number of extended sge. Fixes: 30b707886aeb ("RDMA/hns: Support inline data in extented sge space for RC") Link: https://lore.kernel.org/r/20221108133847.2304539-2-xuhaoyue1@hisilicon.com Signed-off-by: Luoyouming Signed-off-by: Haoyue Xu Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 06f73568f553b5be6ba7f6fe274d333ea29fc46d Author: Li Zhijian Date: Sun Oct 30 03:04:33 2022 +0000 RDMA/rxe: Fix mr->map double free [ Upstream commit 7d984dac8f6bf4ebd3398af82b357e1d181ecaac ] rxe_mr_cleanup() which tries to free mr->map again will be called when rxe_mr_init_user() fails: CPU: 0 PID: 4917 Comm: rdma_flush_serv Kdump: loaded Not tainted 6.1.0-rc1-roce-flush+ #25 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x45/0x5d panic+0x19e/0x349 end_report.part.0+0x54/0x7c kasan_report.cold+0xa/0xf rxe_mr_cleanup+0x9d/0xf0 [rdma_rxe] __rxe_cleanup+0x10a/0x1e0 [rdma_rxe] rxe_reg_user_mr+0xb7/0xd0 [rdma_rxe] ib_uverbs_reg_mr+0x26a/0x480 [ib_uverbs] ib_uverbs_handler_UVERBS_METHOD_INVOKE_WRITE+0x1a2/0x250 [ib_uverbs] ib_uverbs_cmd_verbs+0x1397/0x15a0 [ib_uverbs] This issue was firstly exposed since commit b18c7da63fcb ("RDMA/rxe: Fix memory leak in error path code") and then we fixed it in commit 8ff5f5d9d8cf ("RDMA/rxe: Prevent double freeing rxe_map_set()") but this fix was reverted together at last by commit 1e75550648da (Revert "RDMA/rxe: Create duplicate mapping tables for FMRs") Simply let rxe_mr_cleanup() always handle freeing the mr->map once it is successfully allocated. Fixes: 1e75550648da ("Revert "RDMA/rxe: Create duplicate mapping tables for FMRs"") Link: https://lore.kernel.org/r/1667099073-2-1-git-send-email-lizhijian@fujitsu.com Signed-off-by: Li Zhijian Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit f98601f9abde04a800a17f6e86c6c7f3eb524ed9 Author: Xiongfeng Wang Date: Fri Nov 11 18:00:36 2022 +0800 crypto: hisilicon/qm - add missing pci_dev_put() in q_num_set() [ Upstream commit cc7710d0d4ebc6998f04035cde4f32c5ddbe9d7f ] pci_get_device() will increase the reference count for the returned pci_dev. We need to use pci_dev_put() to decrease the reference count before q_num_set() returns. Fixes: c8b4b477079d ("crypto: hisilicon - add HiSilicon HPRE accelerator") Signed-off-by: Xiongfeng Wang Reviewed-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit b5be6724f222890f407d499e2d3daa2dfa7bfcc8 Author: Herbert Xu Date: Fri Nov 11 17:59:17 2022 +0800 crypto: cryptd - Use request context instead of stack for sub-request [ Upstream commit 3a58c231172537f7b0e19d93ed33decd04f80eab ] cryptd is buggy as it tries to use sync_skcipher without going through the proper sync_skcipher interface. In fact it doesn't even need sync_skcipher since it's already a proper skcipher and can easily access the request context instead of using something off the stack. Fixes: 36b3875a97b8 ("crypto: cryptd - Remove VLA usage of skcipher") Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 677f01f396aee868082ebc2eebb5fdb9c6efd493 Author: Gaosheng Cui Date: Tue Nov 8 16:29:12 2022 +0800 crypto: ccree - Remove debugfs when platform_driver_register failed [ Upstream commit 4f1c596df706c9aca662b6c214fad84047ae2a97 ] When platform_driver_register failed, we need to remove debugfs, which will caused a resource leak, fix it. Failed logs as follows: [ 32.606488] debugfs: Directory 'ccree' with parent '/' already present! Fixes: 4c3f97276e15 ("crypto: ccree - introduce CryptoCell driver") Signed-off-by: Gaosheng Cui Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 953c81ffe384e770744c33baa898ff31f0299be7 Author: Harshit Mogalapalli Date: Fri Nov 11 02:05:25 2022 -0800 scsi: scsi_debug: Fix a warning in resp_write_scat() [ Upstream commit 216e179724c1d9f57a8ababf8bd7aaabef67f01b ] As 'lbdof_blen' is coming from user, if the size in kzalloc() is >= MAX_ORDER then we hit a warning. Call trace: sg_ioctl sg_ioctl_common scsi_ioctl sg_scsi_ioctl blk_execute_rq blk_mq_sched_insert_request blk_mq_run_hw_queue __blk_mq_delay_run_hw_queue __blk_mq_run_hw_queue blk_mq_sched_dispatch_requests __blk_mq_sched_dispatch_requests blk_mq_dispatch_rq_list scsi_queue_rq scsi_dispatch_cmd scsi_debug_queuecommand schedule_resp resp_write_scat If you try to allocate a memory larger than(>=) MAX_ORDER, then kmalloc() will definitely fail. It creates a stack trace and messes up dmesg. The user controls the size here so if they specify a too large size it will fail. Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch. Fixes: 481b5e5c7949 ("scsi: scsi_debug: add resp_write_scat function") Signed-off-by: Harshit Mogalapalli Link: https://lore.kernel.org/r/20221111100526.1790533-1-harshit.m.mogalapalli@oracle.com Acked-by: Douglas Gilbert Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 70adec0c790f0de23954555ae18d48b73c15c303 Author: Mustafa Ismail Date: Mon Nov 14 19:17:01 2022 -0600 RDMA/irdma: Do not request 2-level PBLEs for CQ alloc [ Upstream commit 8f7e2daa6336f9f4b6f8a4715a809674606df16b ] When allocating PBLE's for a large CQ, it is possible that a 2-level PBLE is returned which would cause the CQ allocation to fail since 1-level is assumed and checked for. Fix this by requesting a level one PBLE only. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Link: https://lore.kernel.org/r/20221115011701.1379-4-shiraz.saleem@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b4502647c0b2c67a6804f6835d357ae26eeb2c07 Author: Mustafa Ismail Date: Mon Nov 14 19:17:00 2022 -0600 RDMA/irdma: Fix RQ completion opcode [ Upstream commit 24419777e9431137d5923a747f546facb1e49b1f ] The opcode written by HW, in the RQ CQE, is the RoCEv2/iWARP protocol opcode from the received packet and not the SW opcode as currently assumed. Fix this by returning the raw operation type and queue type in the CQE to irdma_process_cqe and add 2 helpers set_ib_wc_op_sq set_ib_wc_op_rq to map IRDMA HW op types to IB op types. Note that for iWARP, only Write with Immediate is supported so the opcode can only be IB_WC_RECV_RDMA_WITH_IMM when there is immediate data present. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Link: https://lore.kernel.org/r/20221115011701.1379-3-shiraz.saleem@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 1df9f815553dd80cf431b9388f136323cedad40a Author: Mustafa Ismail Date: Mon Nov 14 19:16:59 2022 -0600 RDMA/irdma: Fix inline for multiple SGE's [ Upstream commit 4f44e519b6a945068755708119cca5b74d01d1f6 ] Currently, inline send and inline write assume a single SGE and only copy data from the first one. Add support for multiple SGE's. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Signed-off-by: Mustafa Ismail Signed-off-by: Shiraz Saleem Link: https://lore.kernel.org/r/20221115011701.1379-2-shiraz.saleem@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 3930245bc845bc433076284ef17e970f336ec72f Author: Bernard Metzler Date: Tue Nov 15 18:07:47 2022 +0100 RDMA/siw: Set defined status for work completion with undefined status [ Upstream commit 60da2d11fcbc043304910e4d2ca82f9bab953e63 ] A malicious user may write undefined values into memory mapped completion queue elements status or opcode. Undefined status or opcode values will result in out-of-bounds access to an array mapping siw internal representation of opcode and status to RDMA core representation when reaping CQ elements. While siw detects those undefined values, it did not correctly set completion status to a defined value, thus defeating the whole purpose of the check. This bug leads to the following Smatch static checker warning: drivers/infiniband/sw/siw/siw_cq.c:96 siw_reap_cqe() error: buffer overflow 'map_cqe_status' 10 <= 21 Fixes: bdf1da5df9da ("RDMA/siw: Fix immediate work request flush to completion queue") Link: https://lore.kernel.org/r/20221115170747.1263298-1-bmt@zurich.ibm.com Reported-by: Dan Carpenter Signed-off-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit c1d5a12f930f6ece54650075c792f8a653878f99 Author: Mark Zhang Date: Mon Nov 7 10:51:36 2022 +0200 RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port [ Upstream commit ecacb3751f254572af0009b9501e2cdc83a30b6a ] When filling a cm_id entry, return "-EAGAIN" instead of 0 if the cm_id doesn'the have the same port as requested, otherwise an incomplete entry may be returned, which causes "rdam res show cm_id" to return an error. For example on a machine with two rdma devices with "rping -C 1 -v -s" running background, the "rdma" command fails: $ rdma -V rdma utility, iproute2-5.19.0 $ rdma res show cm_id link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 28056 comm rping src-addr 0.0.0.0:7174 error: Protocol not available While with this fix it succeeds: $ rdma res show cm_id link mlx5_0/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174 link mlx5_1/- cm-idn 0 state LISTEN ps TCP pid 26395 comm rping src-addr 0.0.0.0:7174 Fixes: 00313983cda6 ("RDMA/nldev: provide detailed CM_ID information") Signed-off-by: Mark Zhang Link: https://lore.kernel.org/r/a08e898cdac5e28428eb749a99d9d981571b8ea7.1667810736.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit cd06d32a71fbb198b2d43dddf794badd80ffd25d Author: Mark Zhang Date: Mon Nov 7 10:51:35 2022 +0200 RDMA/core: Make sure "ib_port" is valid when access sysfs node [ Upstream commit 5e15ff29b156bbbdeadae230c8ecd5ecd8ca2477 ] The "ib_port" structure must be set before adding the sysfs kobject, and reset after removing it, otherwise it may crash when accessing the sysfs node: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 Mem abort info: ESR = 0x96000006 Exception class = DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 user pgtable: 4k pages, 48-bit VAs, pgdp = 00000000e85f5ba5 [0000000000000050] pgd=0000000848fd9003, pud=000000085b387003, pmd=0000000000000000 Internal error: Oops: 96000006 [#2] PREEMPT SMP Modules linked in: ib_umad(O) mlx5_ib(O) nfnetlink_cttimeout(E) nfnetlink(E) act_gact(E) cls_flower(E) sch_ingress(E) openvswitch(E) nsh(E) nf_nat_ipv6(E) nf_nat_ipv4(E) nf_conncount(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) mst_pciconf(O) ipmi_devintf(E) ipmi_msghandler(E) ipmb_dev_int(OE) mlx5_core(O) mlxfw(O) mlxdevm(O) auxiliary(O) ib_uverbs(O) ib_core(O) mlx_compat(O) psample(E) sbsa_gwdt(E) uio_pdrv_genirq(E) uio(E) mlxbf_pmc(OE) mlxbf_gige(OE) mlxbf_tmfifo(OE) gpio_mlxbf2(OE) pwr_mlxbf(OE) mlx_trio(OE) i2c_mlxbf(OE) mlx_bootctl(OE) bluefield_edac(OE) knem(O) ip_tables(E) ipv6(E) crc_ccitt(E) [last unloaded: mst_pci] Process grep (pid: 3372, stack limit = 0x0000000022055c92) CPU: 5 PID: 3372 Comm: grep Tainted: G D OE 4.19.161-mlnx.47.gadcd9e3 #1 Hardware name: https://www.mellanox.com BlueField SoC/BlueField SoC, BIOS BlueField:3.9.2-15-ga2403ab Sep 8 2022 pstate: 40000005 (nZcv daif -PAN -UAO) pc : hw_stat_port_show+0x4c/0x80 [ib_core] lr : port_attr_show+0x40/0x58 [ib_core] sp : ffff000029f43b50 x29: ffff000029f43b50 x28: 0000000019375000 x27: ffff8007b821a540 x26: ffff000029f43e30 x25: 0000000000008000 x24: ffff000000eaa958 x23: 0000000000001000 x22: ffff8007a4ce3000 x21: ffff8007baff8000 x20: ffff8007b9066ac0 x19: ffff8007bae97578 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : ffff8007a4ce4000 x7 : 0000000000000000 x6 : 000000000000003f x5 : ffff000000e6a280 x4 : ffff8007a4ce3000 x3 : 0000000000000000 x2 : aaaaaaaaaaaaaaab x1 : ffff8007b9066a10 x0 : ffff8007baff8000 Call trace: hw_stat_port_show+0x4c/0x80 [ib_core] port_attr_show+0x40/0x58 [ib_core] sysfs_kf_seq_show+0x8c/0x150 kernfs_seq_show+0x44/0x50 seq_read+0x1b4/0x45c kernfs_fop_read+0x148/0x1d8 __vfs_read+0x58/0x180 vfs_read+0x94/0x154 ksys_read+0x68/0xd8 __arm64_sys_read+0x28/0x34 el0_svc_common+0x88/0x18c el0_svc_handler+0x78/0x94 el0_svc+0x8/0xe8 Code: f2955562 aa1603e4 aa1503e0 f9405683 (f9402861) Fixes: d8a5883814b9 ("RDMA/core: Replace the ib_port_data hw_stats pointers with a ib_port pointer") Signed-off-by: Mark Zhang Reviewed-by: Michael Guralnik Link: https://lore.kernel.org/r/88867e705c42c1cd2011e45201c25eecdb9fef94.1667810736.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 8731cb5c7820bef577bab4ff17691fbf61c671cb Author: Mark Zhang Date: Mon Nov 7 10:51:34 2022 +0200 RDMA/restrack: Release MR restrack when delete [ Upstream commit dac153f2802db1ad46207283cb9b2aae3d707a45 ] The MR restrack also needs to be released when delete it, otherwise it cause memory leak as the task struct won't be released. Fixes: 13ef5539def7 ("RDMA/restrack: Count references to the verbs objects") Signed-off-by: Mark Zhang Reviewed-by: Michael Guralnik Link: https://lore.kernel.org/r/703db18e8d4ef628691fb93980a709be673e62e3.1667810736.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit cf968790a08f8218dc777818e3e7e332021e2c91 Author: Chao Yu Date: Sun Nov 6 21:25:44 2022 +0800 f2fs: fix to avoid accessing uninitialized spinlock [ Upstream commit cc249e4cba9a6002c9d9e1438daf8440a160bc9e ] syzbot reports a kernel bug: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106 assign_lock_key+0x22a/0x240 kernel/locking/lockdep.c:981 register_lock_class+0x287/0x9b0 kernel/locking/lockdep.c:1294 __lock_acquire+0xe4/0x1f60 kernel/locking/lockdep.c:4934 lock_acquire+0x1a7/0x400 kernel/locking/lockdep.c:5668 __raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline] _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:154 spin_lock include/linux/spinlock.h:350 [inline] f2fs_save_errors fs/f2fs/super.c:3868 [inline] f2fs_handle_error+0x29/0x230 fs/f2fs/super.c:3896 f2fs_iget+0x215/0x4bb0 fs/f2fs/inode.c:516 f2fs_fill_super+0x47d3/0x7b50 fs/f2fs/super.c:4222 mount_bdev+0x26c/0x3a0 fs/super.c:1401 legacy_get_tree+0xea/0x180 fs/fs_context.c:610 vfs_get_tree+0x88/0x270 fs/super.c:1531 do_new_mount+0x289/0xad0 fs/namespace.c:3040 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] __se_sys_mount+0x2e3/0x3d0 fs/namespace.c:3568 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd F2FS-fs (loop1): Failed to read F2FS meta data inode The root cause is if sbi->error_lock may be accessed before its initialization, fix it. Link: https://lore.kernel.org/linux-f2fs-devel/0000000000007edb6605ecbb6442@google.com/T/#u Reported-by: syzbot+40642be9b7e0bb28e0df@syzkaller.appspotmail.com Fixes: 95fa90c9e5a7 ("f2fs: support recording errors into superblock") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 71bf3550b5303e04c4dcdba8ea0e8288b795b196 Author: Sascha Hauer Date: Tue Nov 1 10:57:14 2022 +0100 PCI: imx6: Initialize PHY before deasserting core reset [ Upstream commit ae6b9a65af480144da323436d90e149501ea8937 ] When the PHY is the reference clock provider then it must be initialized and powered on before the reset on the client is deasserted, otherwise the link will never come up. The order was changed in cf236e0c0d59. Restore the correct order to make the driver work again on boards where the PHY provides the reference clock. This also changes the order for boards where the Soc is the PHY reference clock divider, but this shouldn't do any harm. Link: https://lore.kernel.org/r/20221101095714.440001-1-s.hauer@pengutronix.de Fixes: cf236e0c0d59 ("PCI: imx6: Do not hide PHY driver callbacks and refine the error handling") Tested-by: Richard Zhu Signed-off-by: Sascha Hauer Signed-off-by: Lorenzo Pieralisi Signed-off-by: Sasha Levin commit 5d2e13358243410743a2b89187e28a972fb45d10 Author: Nirmal Patel Date: Wed Nov 9 07:26:52 2022 -0700 PCI: vmd: Disable MSI remapping after suspend [ Upstream commit d899aa668498c07ff217b666ae9712990306e682 ] MSI remapping is disabled by VMD driver for Intel's Icelake and newer systems in order to improve performance by setting VMCONFIG_MSI_REMAP. By design VMCONFIG_MSI_REMAP register is cleared by firmware during boot. The same register gets cleared when system is put in S3 power state. VMD driver needs to set this register again in order to avoid interrupt issues with devices behind VMD if MSI remapping was disabled before. Link: https://lore.kernel.org/r/20221109142652.450998-1-nirmal.patel@linux.intel.com Fixes: ee81ee84f873 ("PCI: vmd: Disable MSI-X remapping when possible") Signed-off-by: Nirmal Patel Signed-off-by: Lorenzo Pieralisi Reviewed-by: Francisco Munoz Signed-off-by: Sasha Levin commit fa8a2f3be78e4585996bcf4c15e4504441a4c7a0 Author: Leonid Ravich Date: Wed Nov 9 11:57:17 2022 +0200 IB/mad: Don't call to function that might sleep while in atomic context [ Upstream commit 5c20311d76cbaeb7ed2ecf9c8b8322f8fc4a7ae3 ] Tracepoints are not allowed to sleep, as such the following splat is generated due to call to ib_query_pkey() in atomic context. WARNING: CPU: 0 PID: 1888000 at kernel/trace/ring_buffer.c:2492 rb_commit+0xc1/0x220 CPU: 0 PID: 1888000 Comm: kworker/u9:0 Kdump: loaded Tainted: G OE --------- - - 4.18.0-305.3.1.el8.x86_64 #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2.module_el8.3.0+555+a55c8938 04/01/2014 Workqueue: ib-comp-unb-wq ib_cq_poll_work [ib_core] RIP: 0010:rb_commit+0xc1/0x220 RSP: 0000:ffffa8ac80f9bca0 EFLAGS: 00010202 RAX: ffff8951c7c01300 RBX: ffff8951c7c14a00 RCX: 0000000000000246 RDX: ffff8951c707c000 RSI: ffff8951c707c57c RDI: ffff8951c7c14a00 RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffff8951c7c01300 R11: 0000000000000001 R12: 0000000000000246 R13: 0000000000000000 R14: ffffffff964c70c0 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff8951fbc00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f20e8f39010 CR3: 000000002ca10005 CR4: 0000000000170ef0 Call Trace: ring_buffer_unlock_commit+0x1d/0xa0 trace_buffer_unlock_commit_regs+0x3b/0x1b0 trace_event_buffer_commit+0x67/0x1d0 trace_event_raw_event_ib_mad_recv_done_handler+0x11c/0x160 [ib_core] ib_mad_recv_done+0x48b/0xc10 [ib_core] ? trace_event_raw_event_cq_poll+0x6f/0xb0 [ib_core] __ib_process_cq+0x91/0x1c0 [ib_core] ib_cq_poll_work+0x26/0x80 [ib_core] process_one_work+0x1a7/0x360 ? create_worker+0x1a0/0x1a0 worker_thread+0x30/0x390 ? create_worker+0x1a0/0x1a0 kthread+0x116/0x130 ? kthread_flush_work_fn+0x10/0x10 ret_from_fork+0x35/0x40 ---[ end trace 78ba8509d3830a16 ]--- Fixes: 821bf1de45a1 ("IB/MAD: Add recv path trace point") Signed-off-by: Leonid Ravich Link: https://lore.kernel.org/r/Y2t5feomyznrVj7V@leonid-Inspiron-3421 Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit f3d26a8589dfdeff328779b511f71fb90b10005e Author: Bernard Metzler Date: Mon Nov 7 15:50:57 2022 +0100 RDMA/siw: Fix immediate work request flush to completion queue [ Upstream commit bdf1da5df9da680589a7f74448dd0a94dd3e1446 ] Correctly set send queue element opcode during immediate work request flushing in post sendqueue operation, if the QP is in ERROR state. An undefined ocode value results in out-of-bounds access to an array for mapping the opcode between siw internal and RDMA core representation in work completion generation. It resulted in a KASAN BUG report of type 'global-out-of-bounds' during NFSoRDMA testing. This patch further fixes a potential case of a malicious user which may write undefined values for completion queue elements status or opcode, if the CQ is memory mapped to user land. It avoids the same out-of-bounds access to arrays for status and opcode mapping as described above. Fixes: 303ae1cdfdf7 ("rdma/siw: application interface") Fixes: b0fff7317bb4 ("rdma/siw: completion queue methods") Reported-by: Olga Kornievskaia Reviewed-by: Tom Talpey Signed-off-by: Bernard Metzler Link: https://lore.kernel.org/r/20221107145057.895747-1-bmt@zurich.ibm.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit fdb9c354ac869acb0e7f1996a0fc6b7dfff98a04 Author: Bart Van Assche Date: Mon Oct 31 15:48:18 2022 -0700 scsi: qla2xxx: Fix set-but-not-used variable warnings [ Upstream commit 4fb2169d66b837a2986f569f5d5b81f79e6e4a4c ] Fix the following two compiler warnings: drivers/scsi/qla2xxx/qla_init.c: In function ‘qla24xx_async_abort_cmd’: drivers/scsi/qla2xxx/qla_init.c:171:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable] 171 | uint8_t bail; | ^~~~ drivers/scsi/qla2xxx/qla_init.c: In function ‘qla2x00_async_tm_cmd’: drivers/scsi/qla2xxx/qla_init.c:2023:17: warning: variable ‘bail’ set but not used [-Wunused-but-set-variable] 2023 | uint8_t bail; | ^~~~ Cc: Arun Easi Cc: Giridhar Malavali Fixes: feafb7b1714c ("[SCSI] qla2xxx: Fix vport delete issues") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20221031224818.2607882-1-bvanassche@acm.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 425c9bd06b7a70796d880828d15c11321bdfb76d Author: Shiraz Saleem Date: Fri Nov 4 18:49:57 2022 -0500 RDMA/irdma: Report the correct link speed [ Upstream commit 4eace75e0853273755b878ffa9cce6de84df975a ] The active link speed is currently hard-coded in irdma_query_port due to which the port rate in ibstatus does reflect the active link speed. Call ib_get_eth_speed in irdma_query_port to get the active link speed. Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs") Reported-by: Kamal Heib Signed-off-by: Shiraz Saleem Link: https://lore.kernel.org/r/20221104234957.1135-1-shiraz.saleem@intel.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit 0b8578dc8477c67da7fb59a35fe7e7a5c6c978c3 Author: Chao Yu Date: Fri Oct 28 17:30:26 2022 +0800 f2fs: fix to destroy sbi->post_read_wq in error path of f2fs_fill_super() [ Upstream commit 7b02b2201893a71b881026cf574902019ab00db5 ] In error path of f2fs_fill_super(), this patch fixes to call f2fs_destroy_post_read_wq() once if we fail in f2fs_start_ckpt_thread(). Fixes: 261eeb9c1585 ("f2fs: introduce checkpoint_merge mount option") Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit b4244ca341ea95c52ee8fa93d04f5af3e584dd37 Author: Mukesh Ojha Date: Thu Oct 27 14:42:40 2022 +0530 f2fs: fix the assign logic of iocb [ Upstream commit 0db18eec0d9a7ee525209e31e3ac2f673545b12f ] commit 18ae8d12991b ("f2fs: show more DIO information in tracepoint") introduces iocb field in 'f2fs_direct_IO_enter' trace event And it only assigns the pointer and later it accesses its field in trace print log. Unable to handle kernel paging request at virtual address ffffffc04cef3d30 Mem abort info: ESR = 0x96000007 EC = 0x25: DABT (current EL), IL = 32 bits pc : trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4 lr : trace_raw_output_f2fs_direct_IO_enter+0x2c/0xa4 sp : ffffffc0443cbbd0 x29: ffffffc0443cbbf0 x28: ffffff8935b120d0 x27: ffffff8935b12108 x26: ffffff8935b120f0 x25: ffffff8935b12100 x24: ffffff8935b110c0 x23: ffffff8935b10000 x22: ffffff88859a936c x21: ffffff88859a936c x20: ffffff8935b110c0 x19: ffffff8935b10000 x18: ffffffc03b195060 x17: ffffff8935b11e76 x16: 00000000000000cc x15: ffffffef855c4f2c x14: 0000000000000001 x13: 000000000000004e x12: ffff0000ffffff00 x11: ffffffef86c350d0 x10: 00000000000010c0 x9 : 000000000fe0002c x8 : ffffffc04cef3d28 x7 : 7f7f7f7f7f7f7f7f x6 : 0000000002000000 x5 : ffffff8935b11e9a x4 : 0000000000006250 x3 : ffff0a00ffffff04 x2 : 0000000000000002 x1 : ffffffef86a0a31f x0 : ffffff8935b10000 Call trace: trace_raw_output_f2fs_direct_IO_enter+0x54/0xa4 print_trace_fmt+0x9c/0x138 print_trace_line+0x154/0x254 tracing_read_pipe+0x21c/0x380 vfs_read+0x108/0x3ac ksys_read+0x7c/0xec __arm64_sys_read+0x20/0x30 invoke_syscall+0x60/0x150 el0_svc_common.llvm.1237943816091755067+0xb8/0xf8 do_el0_svc+0x28/0xa0 Fix it by copying the required variables for printing and while at it fix the similar issue at some other places in the same file. Fixes: bd984c03097b ("f2fs: show more DIO information in tracepoint") Signed-off-by: Mukesh Ojha Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 734e2cf3ee29dbc8d6a27341fa2c5c681c29d1d6 Author: Jaegeuk Kim Date: Mon Oct 24 16:00:35 2022 -0700 f2fs: allow to set compression for inlined file [ Upstream commit a995627e6dd81d4485d40ce64880017a080d71e6 ] The below commit disallows to set compression on empty created file which has a inline_data. Let's fix it. Fixes: 7165841d578e ("f2fs: fix to check inline_data during compressed inode conversion") Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit fa2e65c1b1c6d0369e20b295d68cada1d25bc5a1 Author: Dongdong Zhang Date: Tue Oct 25 17:40:36 2022 +0800 f2fs: fix normal discard process [ Upstream commit b5f1a218ae5e4339130d6e733f0e63d623e09a2c ] In the DPOLICY_BG mode, there is a conflict between the two conditions "i + 1 < dpolicy->granularity" and "i < DEFAULT_DISCARD_GRANULARITY". If i = 15, the first condition is false, it will enter the second condition and dispatch all small granularity discards in function __issue_discard_cmd_orderly. The restrictive effect of the first condition to small discards will be invalidated. These two conditions should align. Fixes: 20ee4382322c ("f2fs: issue small discard by LBA order") Signed-off-by: Dongdong Zhang Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 7e7db55d1e67f0fa0e7347769cc1a53e85d9d4c2 Author: Yangtao Li Date: Tue Oct 25 14:50:24 2022 +0800 f2fs: fix gc mode when gc_urgent_high_remaining is 1 [ Upstream commit 6359a1aaca527311b7145ec6eb16890a5ddf5214 ] Under the current logic, when gc_urgent_high_remaining is set to 1, the mode will be switched to normal at the beginning, instead of running in gc_urgent mode. Let's switch the gc mode back to normal when the gc ends. Fixes: 265576181b4a ("f2fs: remove gc_urgent_high_limited for cleanup") Signed-off-by: Yangtao Li Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit ae6c960a82c52c3bda5adc82d90643d6c12d308e Author: Chao Yu Date: Fri Oct 21 10:34:22 2022 +0800 f2fs: fix to invalidate dcc->f2fs_issue_discard in error path [ Upstream commit 91586ce0d39a05f88795aa8814fb99b1387236b3 ] Syzbot reports a NULL pointer dereference issue as below: __refcount_add include/linux/refcount.h:193 [inline] __refcount_inc include/linux/refcount.h:250 [inline] refcount_inc include/linux/refcount.h:267 [inline] get_task_struct include/linux/sched/task.h:110 [inline] kthread_stop+0x34/0x1c0 kernel/kthread.c:703 f2fs_stop_discard_thread+0x3c/0x5c fs/f2fs/segment.c:1638 kill_f2fs_super+0x5c/0x194 fs/f2fs/super.c:4522 deactivate_locked_super+0x70/0xe8 fs/super.c:332 deactivate_super+0xd0/0xd4 fs/super.c:363 cleanup_mnt+0x1f8/0x234 fs/namespace.c:1186 __cleanup_mnt+0x20/0x30 fs/namespace.c:1193 task_work_run+0xc4/0x14c kernel/task_work.c:177 exit_task_work include/linux/task_work.h:38 [inline] do_exit+0x26c/0xbe0 kernel/exit.c:795 do_group_exit+0x60/0xe8 kernel/exit.c:925 __do_sys_exit_group kernel/exit.c:936 [inline] __se_sys_exit_group kernel/exit.c:934 [inline] __wake_up_parent+0x0/0x40 kernel/exit.c:934 __invoke_syscall arch/arm64/kernel/syscall.c:38 [inline] invoke_syscall arch/arm64/kernel/syscall.c:52 [inline] el0_svc_common+0x138/0x220 arch/arm64/kernel/syscall.c:142 do_el0_svc+0x48/0x164 arch/arm64/kernel/syscall.c:206 el0_svc+0x58/0x150 arch/arm64/kernel/entry-common.c:636 el0t_64_sync_handler+0x84/0xf0 arch/arm64/kernel/entry-common.c:654 el0t_64_sync+0x18c/0x190 arch/arm64/kernel/entry.S:581 The root cause of this issue is in error path of f2fs_start_discard_thread(), it missed to invalidate dcc->f2fs_issue_discard, later kthread_stop() may access invalid pointer. Fixes: 4d67490498ac ("f2fs: Don't create discard thread when device doesn't support realtime discard") Reported-by: syzbot+035a381ea1afb63f098d@syzkaller.appspotmail.com Reported-by: syzbot+729c925c2d9fc495ddee@syzkaller.appspotmail.com Signed-off-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit ed88147bfb4e7cd009cb33c7395a45d52f296bcc Author: Kees Cook Date: Tue Oct 25 16:05:18 2022 -0700 fortify: Do not cast to "unsigned char" [ Upstream commit e9a40e1585d792751d3a122392695e5a53032809 ] Do not cast to "unsigned char", as this needlessly creates type problems when attempting builds without -Wno-pointer-sign[1]. The intent of the cast is to drop possible "const" types. [1] https://lore.kernel.org/lkml/CAHk-=wgz3Uba8w7kdXhsqR1qvfemYL+OFQdefJnkeqXG8qZ_pA@mail.gmail.com/ Suggested-by: Linus Torvalds Fixes: 3009f891bb9f ("fortify: Allow strlen() and strnlen() to pass compile-time known lengths") Cc: linux-hardening@vger.kernel.org Signed-off-by: Kees Cook Signed-off-by: Sasha Levin commit 12695b4b76d437b9c0182a6f7dfb2248013a9daf Author: Xiu Jianfeng Date: Fri Oct 28 20:33:20 2022 +0800 apparmor: Fix memleak in alloc_ns() [ Upstream commit e9e6fa49dbab6d84c676666f3fe7d360497fd65b ] After changes in commit a1bd627b46d1 ("apparmor: share profile name on replacement"), the hname member of struct aa_policy is not valid slab object, but a subset of that, it can not be freed by kfree_sensitive(), use aa_policy_destroy() to fix it. Fixes: a1bd627b46d1 ("apparmor: share profile name on replacement") Signed-off-by: Xiu Jianfeng Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 7417cc5151bc3394ad9a9d501282ea09b79b54b0 Author: Corentin Labbe Date: Tue Sep 27 07:54:48 2022 +0000 crypto: rockchip - rework by using crypto_engine [ Upstream commit 57d67c6e8219b2a034c16d6149e30fb40fd39935 ] Instead of doing manual queue management, let's use the crypto/engine for that. In the same time, rework the requests handling to be easier to understand (and fix all bugs related to them). Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f945afb80f1d0976adc323e7f314e908f51b8282 Author: Corentin Labbe Date: Tue Sep 27 07:54:47 2022 +0000 crypto: rockchip - remove non-aligned handling [ Upstream commit bb3c7b73363c9a149b12b74c44ae94b73a8fddf8 ] Now driver have fallback for un-aligned cases, remove all code handling those cases. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 89117da0102c7ce575da96f80abf5c8c956b5fe6 Author: Corentin Labbe Date: Tue Sep 27 07:54:46 2022 +0000 crypto: rockchip - better handle cipher key [ Upstream commit d6b23ccef82816050c2fd458c9dabfa0e0af09b9 ] The key should not be set in hardware too much in advance, this will fail it 2 TFM with different keys generate alternative requests. The key should be stored and used just before doing cipher operations. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2edab0edfef55c3296643e6549834ee8fc8b7819 Author: Corentin Labbe Date: Tue Sep 27 07:54:45 2022 +0000 crypto: rockchip - add fallback for ahash [ Upstream commit 816600485cb597b3ff7d6806a95a78512839f775 ] Adds a fallback for all case hardware cannot handle. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit ac798fd39e2a12cf19516839741648fc303813ef Author: Corentin Labbe Date: Tue Sep 27 07:54:44 2022 +0000 crypto: rockchip - add fallback for cipher [ Upstream commit 68ef8af09a1a912a5ed2cfaa4cca7606f52cef90 ] The hardware does not handle 0 size length request, let's add a fallback. Furthermore fallback will be used for all unaligned case the hardware cannot handle. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit d2ce2922fd395219dc936431c0a9c221dc52cc2e Author: Corentin Labbe Date: Tue Sep 27 07:54:43 2022 +0000 crypto: rockchip - do not store mode globally [ Upstream commit 87e356c4966444866186f68f05832fdcc0f351a3 ] Storing the mode globally does not work if 2 requests are handled in the same time. We should store it in a request context. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 2aecc5029fcc9450beae139d35a59d1a2591df81 Author: Corentin Labbe Date: Tue Sep 27 07:54:41 2022 +0000 crypto: rockchip - do not do custom power management [ Upstream commit c50ef1411c8cbad0c7db100c477126076b6e3348 ] The clock enable/disable at tfm init/exit is fragile, if 2 tfm are init in the same time and one is removed just after, it will leave the hardware uncloked even if a user remains. Instead simply enable clocks at probe time. We will do PM later. Fixes: ce0183cb6464b ("crypto: rockchip - switch to skcipher API") Reviewed-by: John Keeping Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 1550e871120e779b6147490367c72d66aaf72ac2 Author: Zhang Qilong Date: Tue Oct 18 10:45:32 2022 +0800 f2fs: Fix the race condition of resize flag between resizefs [ Upstream commit 28fc4e9077ce59ab28c89c20dc6be5154473218f ] Because the set/clear SBI_IS_RESIZEFS flag not between any locks, In the following case: thread1 thread2 ->ioctl(resizefs) ->set RESIZEFS flag ->ioctl(resizefs) ... ->set RESIZEFS flag ->clear RESIZEFS flag ->resizefs stream # No RESIZEFS flag in the stream Also before freeze_super, the resizefs not started, we should not set the SBI_IS_RESIZEFS flag. So move the set/clear SBI_IS_RESIZEFS flag between the cp_mutex and gc_lock. Fixes: b4b10061ef98 ("f2fs: refactor resize_fs to avoid meta updates in progress") Signed-off-by: Zhang Xiaoxu Signed-off-by: Zhang Qilong Reviewed-by: Chao Yu Signed-off-by: Jaegeuk Kim Signed-off-by: Sasha Levin commit 0ea2ba0d5b4ff04905c8afabc147d0ad5b2e019f Author: Kunihiko Hayashi Date: Thu Aug 25 18:01:01 2022 +0900 PCI: pci-epf-test: Register notifier if only core_init_notifier is enabled [ Upstream commit 6acd25cc98ce0c9ee4fefdaf44fc8bca534b26e5 ] The pci_epf_test_notifier function should be installed also if only core_init_notifier is enabled. Fix the current logic. Link: https://lore.kernel.org/r/20220825090101.20474-1-hayashi.kunihiko@socionext.com Fixes: 5e50ee27d4a5 ("PCI: pci-epf-test: Add support to defer core initialization") Signed-off-by: Kunihiko Hayashi Signed-off-by: Lorenzo Pieralisi Acked-by: Om Prakash Singh Acked-by: Kishon Vijay Abraham I Signed-off-by: Sasha Levin commit 7123963c57eedd3b121b25e8edf3c4bf2be876fc Author: Leon Romanovsky Date: Tue Oct 25 10:37:13 2022 +0300 RDMA/core: Fix order of nldev_exit call [ Upstream commit 4508d32ccced24c972bc4592104513e1ff8439b5 ] Create symmetrical exit flow by calling to nldev_exit() after call to rdma_nl_unregister(RDMA_NL_LS). Fixes: 6c80b41abe22 ("RDMA/netlink: Add nldev initialization flows") Signed-off-by: Leon Romanovsky Link: https://lore.kernel.org/r/64e676774a53a406f4cde265d5a4cfd6b8e97df9.1666683334.git.leonro@nvidia.com Signed-off-by: Leon Romanovsky Signed-off-by: Sasha Levin commit b5c7878b034c4c37f8e9adcb9442dfaa65c37d9c Author: Vidya Sagar Date: Mon Sep 26 16:49:23 2022 +0530 PCI: dwc: Fix n_fts[] array overrun [ Upstream commit 66110361281b2f7da0c8bd51eaf1f152f4236035 ] commit aeaa0bfe89654 ("PCI: dwc: Move N_FTS setup to common setup") incorrectly uses pci->link_gen in deriving the index to the n_fts[] array also introducing the issue of accessing beyond the boundaries of array for greater than Gen-2 speeds. This change fixes that issue. Link: https://lore.kernel.org/r/20220926111923.22487-1-vidyas@nvidia.com Fixes: aeaa0bfe8965 ("PCI: dwc: Move N_FTS setup to common setup") Signed-off-by: Vidya Sagar Signed-off-by: Lorenzo Pieralisi Reviewed-by: Rob Herring Acked-by: Jingoo Han Signed-off-by: Sasha Levin commit 756e412cfcac27d24ad01d80fe50b946442ea294 Author: Xiu Jianfeng Date: Fri Oct 21 08:46:04 2022 +0800 apparmor: Use pointer to struct aa_label for lbs_cred [ Upstream commit 37923d4321b1e38170086da2c117f78f2b0f49c6 ] According to the implementations of cred_label() and set_cred_label(), we should use pointer to struct aa_label for lbs_cred instead of struct aa_task_ctx, this patch fixes it. Fixes: bbd3662a8348 ("Infrastructure management of the cred security blob") Signed-off-by: Xiu Jianfeng Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 51a90328179813846b76421c1fb0115c61d59f2d Author: Bart Van Assche Date: Tue Oct 18 13:29:49 2022 -0700 scsi: core: Fix a race between scsi_done() and scsi_timeout() [ Upstream commit 978b7922d3dca672b41bb4b8ce6c06ab77112741 ] If there is a race between scsi_done() and scsi_timeout() and if scsi_timeout() loses the race, scsi_timeout() should not reset the request timer. Hence change the return value for this case from BLK_EH_RESET_TIMER into BLK_EH_DONE. Although the block layer holds a reference on a request (req->ref) while calling a timeout handler, restarting the timer (blk_add_timer()) while a request is being completed is racy. Reviewed-by: Mike Christie Cc: Keith Busch Cc: Christoph Hellwig Cc: Ming Lei Cc: John Garry Cc: Hannes Reinecke Reported-by: Adrian Hunter Fixes: 15f73f5b3e59 ("blk-mq: move failure injection out of blk_mq_complete_request") Signed-off-by: Bart Van Assche Link: https://lore.kernel.org/r/20221018202958.1902564-2-bvanassche@acm.org Signed-off-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 7b5bc00a59efb3e74edeecc7b0b5c8983f87149f Author: Robert Elliott Date: Fri Sep 30 16:40:14 2022 -0500 crypto: tcrypt - fix return value for multiple subtests [ Upstream commit 65c92cbb3f2365627a10cf97560d51e88fb4e588 ] When a test mode invokes multiple tests (e.g., mode 0 invokes modes 1 through 199, and mode 3 tests three block cipher modes with des), don't keep accumulating the return values with ret += tcrypt_test(), which results in a bogus value if more than one report a nonzero value (e.g., two reporting -2 (-ENOENT) end up reporting -4 (-EINTR)). Instead, keep track of the minimum return value reported by any subtest. Fixes: 4e033a6bc70f ("crypto: tcrypt - Do not exit on success in fips mode") Signed-off-by: Robert Elliott Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 51592cf716825faac5149187d7d594bbc1e06ea7 Author: Natalia Petrova Date: Wed Sep 28 13:25:05 2022 +0300 crypto: nitrox - avoid double free on error path in nitrox_sriov_init() [ Upstream commit 094528b6a5a755b1195a01e10b13597d67d1a0e6 ] If alloc_workqueue() fails in nitrox_mbox_init() it deallocates ndev->iov.vfdev and returns error code, but then nitrox_sriov_init() calls nitrox_sriov_cleanup() where ndev->iov.vfdev is deallocated again. Fix this by nulling ndev->iov.vfdev after the first deallocation. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 9e5de3e06e54 ("crypto: cavium/nitrox - Add mailbox...") Signed-off-by: Natalia Petrova Signed-off-by: Alexey Khoroshilov Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 204fdddd4698868bfefb07a91fcc1418bb0e3b6e Author: Corentin Labbe Date: Tue Sep 27 08:55:55 2022 +0000 crypto: sun8i-ss - use dma_addr instead u32 [ Upstream commit 839b8ae2fc10f205317bcc32c9de18456756e1f5 ] The DMA address need to be stored in a dma_addr_t Fixes: 359e893e8af4 ("crypto: sun8i-ss - rework handling of IV") Reported-by: Dan Carpenter Signed-off-by: Corentin Labbe Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 8a9db7913497bdb96bcf324cfb535bf9aae9c9fe Author: Weili Qian Date: Sat Sep 24 19:04:31 2022 +0800 crypto: hisilicon/qm - re-enable communicate interrupt before notifying PF [ Upstream commit ee1537fe3dd89860d0336563891f6cac707d0cb5 ] After the device is reset, the VF needs to re-enable communication interrupt before the VF sends restart complete message to the PF. If the interrupt is re-enabled after the VF notifies the PF, the PF may fail to send messages to the VF after receiving VF's restart complete message. Fixes: 760fe22cf5e9 ("crypto: hisilicon/qm - update reset flow") Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit 9a6fab168cbce7350f32548e4b9616985070d09d Author: Weili Qian Date: Sat Sep 24 18:14:42 2022 +0800 crypto: hisilicon/qm - fix incorrect parameters usage [ Upstream commit f57e292897cac13b6ddee078aea21173b234ecb7 ] In qm_get_xqc_depth(), parameters low_bits and high_bits save the values of the corresponding bits. However, the values saved by the two parameters are opposite. As a result, the values returned to the callers are incorrect. Fixes: 129a9f340172 ("crypto: hisilicon/qm - get qp num and depth from hardware registers") Signed-off-by: Weili Qian Signed-off-by: Herbert Xu Signed-off-by: Sasha Levin commit f024bf13d4ff0a31549aa2d41a3f71098c7ebfaf Author: John Johansen Date: Tue Sep 20 04:01:28 2022 -0700 apparmor: Fix regression in stacking due to label flags [ Upstream commit 1f939c6bd1512d0b39b470396740added3cb403f ] The unconfined label flag is not being computed correctly. It should only be set if all the profiles in the vector are set, which is different than what is required for the debug and stale flag that are set if any on the profile flags are set. Fixes: c1ed5da19765 ("apparmor: allow label to carry debug flags") Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 72a5b5641cac472bd37d4fd6b120d53926d622cb Author: John Johansen Date: Fri May 6 18:57:12 2022 -0700 apparmor: Fix abi check to include v8 abi [ Upstream commit 1b5a6198f5a9d0aa5497da0dc4bcd4fc166ee516 ] The v8 abi is supported by the kernel but the userspace supported version check does not allow for it. This was missed when v8 was added due to a bug in the userspace compiler which was setting an older abi version for v8 encoding (which is forward compatible except on the network encoding). However it is possible to detect the network encoding by checking the policydb network support which the code does. The end result was that missing the abi flag worked until userspace was fixed and began correctly checking for the v8 abi version. Fixes: 56974a6fcfef ("apparmor: add base infastructure for socket mediation") Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 053816fb455f45a3bbe22c74c50fb7d730fd5f67 Author: John Johansen Date: Tue Sep 6 03:39:55 2022 -0700 apparmor: fix lockdep warning when removing a namespace [ Upstream commit 9c4557efc558a68e4cd973490fd936d6e3414db8 ] Fix the following lockdep warning [ 1119.158984] ============================================ [ 1119.158988] WARNING: possible recursive locking detected [ 1119.158996] 6.0.0-rc1+ #257 Tainted: G E N [ 1119.158999] -------------------------------------------- [ 1119.159001] bash/80100 is trying to acquire lock: [ 1119.159007] ffff88803e79b4a0 (&ns->lock/1){+.+.}-{4:4}, at: destroy_ns.part.0+0x43/0x140 [ 1119.159028] but task is already holding lock: [ 1119.159030] ffff8881009764a0 (&ns->lock/1){+.+.}-{4:4}, at: aa_remove_profiles+0x3f0/0x640 [ 1119.159040] other info that might help us debug this: [ 1119.159042] Possible unsafe locking scenario: [ 1119.159043] CPU0 [ 1119.159045] ---- [ 1119.159047] lock(&ns->lock/1); [ 1119.159051] lock(&ns->lock/1); [ 1119.159055] *** DEADLOCK *** Which is caused by an incorrect lockdep nesting notation Fixes: feb3c766a3ab ("apparmor: fix possible recursive lock warning in __aa_create_ns") Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 3d27a436e294ac5d7a51bd5348ca63a42a468b35 Author: Gaosheng Cui Date: Tue Aug 23 09:15:03 2022 +0800 apparmor: fix a memleak in multi_transaction_new() [ Upstream commit c73275cf6834787ca090317f1d20dbfa3b7f05aa ] In multi_transaction_new(), the variable t is not freed or passed out on the failure of copy_from_user(t->data, buf, size), which could lead to a memleak. Fix this bug by adding a put_multi_transaction(t) in the error path. Fixes: 1dea3b41e84c5 ("apparmor: speed up transactional queries") Signed-off-by: Gaosheng Cui Signed-off-by: John Johansen Signed-off-by: Sasha Levin commit 14ed46a13aba42a6ddd85de6f6274090df3586a5 Author: Vladimir Oltean Date: Sat Dec 10 01:52:42 2022 +0200 net: dsa: tag_8021q: avoid leaking ctx on dsa_tag_8021q_register() error path [ Upstream commit e095493091e850d5292ad01d8fbf5cde1d89ac53 ] If dsa_tag_8021q_setup() fails, for example due to the inability of the device to install a VLAN, the tag_8021q context of the switch will leak. Make sure it is freed on the error path. Fixes: 328621f6131f ("net: dsa: tag_8021q: absorb dsa_8021q_setup into dsa_tag_8021q_{,un}register") Signed-off-by: Vladimir Oltean Link: https://lore.kernel.org/r/20221209235242.480344-1-vladimir.oltean@nxp.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 06b81b4e669a7c5cce4ca67d5938f98f030a6414 Author: Bartosz Staszewski Date: Fri Dec 9 10:54:11 2022 -0800 i40e: Fix the inability to attach XDP program on downed interface [ Upstream commit 0c87b545a2ed5cd8a6318011f1c92b188c2d74bc ] Whenever trying to load XDP prog on downed interface, function i40e_xdp was passing vsi->rx_buf_len field to i40e_xdp_setup() which was equal 0. i40e_open() calls i40e_vsi_configure_rx() which configures that field, but that only happens when interface is up. When it is down, i40e_open() is not being called, thus vsi->rx_buf_len is not set. Solution for this is calculate buffer length in newly created function - i40e_calculate_vsi_rx_buf_len() that return actual buffer length. Buffer length is being calculated based on the same rules applied previously in i40e_vsi_configure_rx() function. Fixes: 613142b0bb88 ("i40e: Log error for oversized MTU on device") Fixes: 0c8493d90b6b ("i40e: add XDP support for pass and drop actions") Signed-off-by: Bartosz Staszewski Signed-off-by: Mateusz Palczewski Tested-by: Shwetha Nagaraju Reviewed-by: Maciej Fijalkowski Signed-off-by: Tony Nguyen Reviewed-by: Saeed Mahameed Link: https://lore.kernel.org/r/20221209185411.2519898-1-anthony.l.nguyen@intel.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e0c54906cf67cfc1b5dfdaf2399fe84f876c9784 Author: Piergiorgio Beruto Date: Sat Dec 10 23:37:22 2022 +0100 stmmac: fix potential division by 0 [ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ] When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived from the MAC reference clock (default), the clk_ptp_rate becomes too small and the calculated sub second increment becomes 0 when computed by the stmmac_config_sub_second_increment() function within stmmac_init_tstamp_counter(). Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter() operation triggers a divide by 0 exception as shown below. [ 95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0 [ 95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49) [ 95.095964] dwmac1000: Master AXI performs any burst length [ 95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found [ 95.109428] Division by zero in kernel. [ 95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77 [ 95.123686] Hardware name: Altera SOCFPGA [ 95.127695] unwind_backtrace from show_stack+0x10/0x14 [ 95.132938] show_stack from dump_stack_lvl+0x40/0x4c [ 95.137992] dump_stack_lvl from Ldiv0+0x8/0x10 [ 95.142527] Ldiv0 from __aeabi_uidivmod+0x8/0x18 [ 95.147232] __aeabi_uidivmod from div_u64_rem+0x1c/0x40 [ 95.152552] div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164 [ 95.158826] stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00 [ 95.165533] stmmac_hw_setup from __stmmac_open+0x214/0x2d4 [ 95.171117] __stmmac_open from stmmac_open+0x30/0x44 [ 95.176182] stmmac_open from __dev_open+0x11c/0x134 [ 95.181172] __dev_open from __dev_change_flags+0x168/0x17c [ 95.186750] __dev_change_flags from dev_change_flags+0x14/0x50 [ 95.192662] dev_change_flags from devinet_ioctl+0x2b4/0x604 [ 95.198321] devinet_ioctl from inet_ioctl+0x1ec/0x214 [ 95.203462] inet_ioctl from sock_ioctl+0x14c/0x3c4 [ 95.208354] sock_ioctl from vfs_ioctl+0x20/0x38 [ 95.212984] vfs_ioctl from sys_ioctl+0x250/0x844 [ 95.217691] sys_ioctl from ret_fast_syscall+0x0/0x4c [ 95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0) [ 95.227790] 1fa0: 00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50 [ 95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000 [ 95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74 Signed-off-by: Piergiorgio Beruto Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment") Reviewed-by: Andrew Lunn Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit aff5bca3c2e5d7b6ec7a7d0d45aaef00d7d98182 Author: Christophe JAILLET Date: Sat Dec 10 18:35:00 2022 +0100 octeontx2-af: cn10k: mcs: Fix a resource leak in the probe and remove functions [ Upstream commit 87c978123ef1f346d7385eaccc141022d368166f ] In mcs_register_interrupts(), a call to request_irq() is not balanced by a corresponding free_irq(), neither in the error handling path, nor in the remove function. Add the missing calls. Fixes: 6c635f78c474 ("octeontx2-af: cn10k: mcs: Handle MCS block interrupts") Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/69f153db5152a141069f990206e7389f961d41ec.1670693669.git.christophe.jaillet@wanadoo.fr Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e97a4ad295b0f041b08870f4d1853dae95e25fce Author: Yang Yingliang Date: Wed Dec 7 10:18:35 2022 +0800 Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit 0ba18967d4544955b2eff2fbc4f2a8750c4df90a ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 9114e7fa80ceeb5562ff9dcfc7ab61bbd6102d63 Author: Yang Yingliang Date: Wed Dec 7 10:18:34 2022 +0800 Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit c1f213a8ccf33e590ab430781e6d8269ae2a073a Author: Yang Yingliang Date: Wed Dec 7 10:18:33 2022 +0800 Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 866b20962954735a8c51da30084124fb3175a43d Author: Yang Yingliang Date: Wed Dec 7 10:18:32 2022 +0800 Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 91ed02b7977b1121d8ea5df55273979b8ec6af71 Author: Yang Yingliang Date: Wed Dec 7 10:18:31 2022 +0800 Bluetooth: hci_ll: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit 8f458f783dfbb19c1f1cb58ed06eeb701f52091b ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 166d2f6a4332 ("[Bluetooth] Add UART driver for Texas Instruments' BRF63xx chips") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 08c847f1a1636ff84b053c73bc0f3113e168514e Author: Yang Yingliang Date: Wed Dec 7 10:18:30 2022 +0800 Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit d123f2b94b9e4ebef47d7ea9b5b9289c4b5f5f04 Author: Yang Yingliang Date: Tue Dec 6 20:59:10 2022 +0800 Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() [ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 8eefaa20568d9d73e8c108daa79d76a0ccc1ad70 Author: Wang ShaoBo Date: Mon Dec 5 21:53:57 2022 +0800 Bluetooth: btintel: Fix missing free skb in btintel_setup_combined() [ Upstream commit cee50ce899de415baf4da3ed38b7d4f13c3170d1 ] skb allocated by __hci_cmd_sync would not be used whether in checking for supported iBT hardware variants or after, we should free it in all error branches, this patch makes the case read version failed or default error case free skb before return. Fixes: c86c7285bb08 ("Bluetooth: btintel: Fix the legacy bootloader returns tlv based version") Fixes: 019a1caa7fd2 ("Bluetooth: btintel: Refactoring setup routine for bootloader devices") Signed-off-by: Wang ShaoBo Reviewed-by: Tedd Ho-Jeong An Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 09a3b0c9c7c6b10587fbb610b718014703cff341 Author: Luiz Augusto von Dentz Date: Mon Dec 5 17:11:57 2022 -0800 Bluetooth: hci_conn: Fix crash on hci_create_cis_sync [ Upstream commit 50757a259ba78c4e938b5735e76ffec6cd0c942e ] When attempting to connect multiple ISO sockets without using DEFER_SETUP may result in the following crash: BUG: KASAN: null-ptr-deref in hci_create_cis_sync+0x18b/0x2b0 Read of size 2 at addr 0000000000000036 by task kworker/u3:1/50 CPU: 0 PID: 50 Comm: kworker/u3:1 Not tainted 6.0.0-rc7-02243-gb84a13ff4eda #4373 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-1.fc36 04/01/2014 Workqueue: hci0 hci_cmd_sync_work Call Trace: dump_stack_lvl+0x19/0x27 kasan_report+0xbc/0xf0 ? hci_create_cis_sync+0x18b/0x2b0 hci_create_cis_sync+0x18b/0x2b0 ? get_link_mode+0xd0/0xd0 ? __ww_mutex_lock_slowpath+0x10/0x10 ? mutex_lock+0xe0/0xe0 ? get_link_mode+0xd0/0xd0 hci_cmd_sync_work+0x111/0x190 process_one_work+0x427/0x650 worker_thread+0x87/0x750 ? process_one_work+0x650/0x650 kthread+0x14e/0x180 ? kthread_exit+0x50/0x50 ret_from_fork+0x22/0x30 Fixes: 26afbd826ee3 ("Bluetooth: Add initial implementation of CIS connections") Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit a65b09e3130b38eb8c40ca8bcebba00d42be4fe5 Author: Christophe JAILLET Date: Sun Oct 30 08:00:03 2022 +0100 Bluetooth: Fix EALREADY and ELOOP cases in bt_status() [ Upstream commit 63db780a93eb802ece1bbf61ab5894ad8827b56e ] 'err' is known to be <0 at this point. So, some cases can not be reached because of a missing "-". Add it. Fixes: ca2045e059c3 ("Bluetooth: Add bt_status") Signed-off-by: Christophe JAILLET Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 72560759f6e0aaa7920a1cfe41d005143ba31030 Author: Inga Stotland Date: Fri Oct 21 17:48:56 2022 -0700 Bluetooth: MGMT: Fix error report for ADD_EXT_ADV_PARAMS [ Upstream commit 3b1c7c00b8c22b3cb79532252c59eb0b287bb86d ] When validating the parameter length for MGMT_OP_ADD_EXT_ADV_PARAMS command, use the correct op code in error status report: was MGMT_OP_ADD_ADVERTISING, changed to MGMT_OP_ADD_EXT_ADV_PARAMS. Fixes: 12410572833a2 ("Bluetooth: Break add adv into two mgmt commands") Signed-off-by: Inga Stotland Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit 66324c5eb5eea1be5b61fefb12750cfc2118ffa7 Author: Yang Yingliang Date: Thu Oct 20 10:16:56 2022 +0800 Bluetooth: hci_core: fix error handling in hci_register_dev() [ Upstream commit 0d75da38e060d21f948b3df5f5e349c962cf1ed2 ] If hci_register_suspend_notifier() returns error, the hdev and rfkill are leaked. We could disregard the error and print a warning message instead to avoid leaks, as it just means we won't be handing suspend requests. Fixes: 9952d90ea288 ("Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND") Signed-off-by: Yang Yingliang Signed-off-by: Luiz Augusto von Dentz Signed-off-by: Sasha Levin commit b17b3203d4797364df11a005aa4d44bc9c6244e8 Author: Firo Yang Date: Fri Dec 9 13:48:54 2022 +0800 sctp: sysctl: make extra pointers netns aware [ Upstream commit da05cecc4939c0410d56c29e252998b192756318 ] Recently, a customer reported that from their container whose net namespace is different to the host's init_net, they can't set the container's net.sctp.rto_max to any value smaller than init_net.sctp.rto_min. For instance, Host: sudo sysctl net.sctp.rto_min net.sctp.rto_min = 1000 Container: echo 100 > /mnt/proc-net/sctp/rto_min echo 400 > /mnt/proc-net/sctp/rto_max echo: write error: Invalid argument This is caused by the check made from this'commit 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl")' When validating the input value, it's always referring the boundary value set for the init_net namespace. Having container's rto_max smaller than host's init_net.sctp.rto_min does make sense. Consider that the rto between two containers on the same host is very likely smaller than it for two hosts. So to fix this problem, as suggested by Marcelo, this patch makes the extra pointers of rto_min, rto_max, pf_retrans, and ps_retrans point to the corresponding variables from the newly created net namespace while the new net namespace is being registered in sctp_sysctl_net_register. Fixes: 4f3fdf3bc59c ("sctp: add check rto_min and rto_max in sysctl") Reviewed-by: Marcelo Ricardo Leitner Reviewed-by: Jakub Kicinski Acked-by: Marcelo Ricardo Leitner Signed-off-by: Firo Yang Link: https://lore.kernel.org/r/20221209054854.23889-1-firo.yang@suse.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 07e28a8f450217db679802ebd4de0915556ce846 Author: Eric Pilmore Date: Thu Dec 8 16:06:59 2022 -0800 ntb_netdev: Use dev_kfree_skb_any() in interrupt context [ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ] TX/RX callback handlers (ntb_netdev_tx_handler(), ntb_netdev_rx_handler()) can be called in interrupt context via the DMA framework when the respective DMA operations have completed. As such, any calls by these routines to free skb's, should use the interrupt context safe dev_kfree_skb_any() function. Previously, these callback handlers would call the interrupt unsafe version of dev_kfree_skb(). This has not presented an issue on Intel IOAT DMA engines as that driver utilizes tasklets rather than a hard interrupt handler, like the AMD PTDMA DMA driver. On AMD systems, a kernel WARNING message is encountered, which is being issued from skb_release_head_state() due to in_hardirq() being true. Besides the user visible WARNING from the kernel, the other symptom of this bug was that TCP/IP performance across the ntb_netdev interface was very poor, i.e. approximately an order of magnitude below what was expected. With the repair to use dev_kfree_skb_any(), kernel WARNINGs from skb_release_head_state() ceased and TCP/IP performance, as measured by iperf, was on par with expected results, approximately 20 Gb/s on AMD Milan based server. Note that this performance is comparable with Intel based servers. Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak") Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device") Signed-off-by: Eric Pilmore Reviewed-by: Dave Jiang Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4f9bcc999062ee4be747c8c15680cd53fd9ea9f9 Author: Jerry Ray Date: Fri Dec 9 09:35:02 2022 -0600 net: lan9303: Fix read error execution path [ Upstream commit 8964916d206071b058c6351f88b1966bd58cbde0 ] This patch fixes an issue where a read failure of a port statistic counter will return unknown results. While it is highly unlikely the read will ever fail, it is much cleaner to return a zero for the stat count. Fixes: a1292595e006 ("net: dsa: add new DSA switch driver for the SMSC-LAN9303") Signed-off-by: Jerry Ray Reviewed-by: Vladimir Oltean Reviewed-by: Florian Fainelli Link: https://lore.kernel.org/r/20221209153502.7429-1-jerry.ray@microchip.com Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit a8846b3398600a632696b6cf79f8a44a107eb226 Author: Roger Quadros Date: Thu Dec 8 12:55:34 2022 +0200 net: ethernet: ti: am65-cpsw: Fix PM runtime leakage in am65_cpsw_nuss_ndo_slave_open() [ Upstream commit 5821504f5073983733465b8bc430049c4343bbd7 ] Ensure pm_runtime_put() is issued in error path. Reported-by: Jakub Kicinski Fixes: 93a76530316a ("net: ethernet: ti: introduce am65x/j721e gigabit eth subsystem driver") Signed-off-by: Roger Quadros Reviewed-by: Saeed Mahameed Link: https://lore.kernel.org/r/20221208105534.63709-1-rogerq@kernel.org Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 512dc6796946acd6e49981febf394c87648cb3f9 Author: Markus Schneider-Pargmann Date: Tue Dec 6 12:57:26 2022 +0100 can: tcan4x5x: Fix use of register error status mask [ Upstream commit 67727a17a6b375d68fe569b77e6516b034b834c0 ] TCAN4X5X_ERROR_STATUS is not a status register that needs clearing during interrupt handling. Instead this is a masking register that masks error interrupts. Writing TCAN4X5X_CLEAR_ALL_INT to this register effectively masks everything. Rename the register and mask all error interrupts only once by writing to the register in tcan4x5x_init. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Signed-off-by: Markus Schneider-Pargmann Link: https://lore.kernel.org/all/20221206115728.1056014-10-msp@baylibre.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 73a1f06a4b6fdccf98adab0339bfbdbd2cfc1559 Author: Vivek Yadav Date: Wed Dec 7 15:36:31 2022 +0530 can: m_can: Call the RAM init directly from m_can_chip_config [ Upstream commit eaacfeaca7ad0804b9a6eff7afeba93a87db7638 ] When we try to access the mcan message ram addresses during the probe, hclk is gated by any other drivers or disabled, because of that probe gets failed. Move the mram init functionality to mcan chip config called by m_can_start from mcan open function, by that time clocks are enabled. Suggested-by: Marc Kleine-Budde Signed-off-by: Vivek Yadav Link: https://lore.kernel.org/all/20221207100632.96200-2-vivek.2311@samsung.com Signed-off-by: Marc Kleine-Budde Stable-dep-of: 67727a17a6b3 ("can: tcan4x5x: Fix use of register error status mask") Signed-off-by: Sasha Levin commit 9f38ec24342664520e28828dcb2a753cfe631037 Author: Markus Schneider-Pargmann Date: Tue Dec 6 12:57:25 2022 +0100 can: tcan4x5x: Remove invalid write in clear_interrupts [ Upstream commit 40c9e4f676abbe194541d88e796341c92d5a13c0 ] Register 0x824 TCAN4X5X_MCAN_INT_REG is a read-only register. Any writes to this register do not have any effect. Remove this write. The m_can driver aldready clears the interrupts in m_can_isr() by writing to M_CAN_IR which is translated to register 0x1050 which is a writable version of this register. Fixes: 5443c226ba91 ("can: tcan4x5x: Add tcan4x5x driver to the kernel") Signed-off-by: Markus Schneider-Pargmann Link: https://lore.kernel.org/all/20221206115728.1056014-9-msp@baylibre.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 8718e17e0fac4c735e283c8540f8dda64bd9a67a Author: Tom Lendacky Date: Thu Dec 8 10:22:25 2022 -0600 net: amd-xgbe: Check only the minimum speed for active/passive cables [ Upstream commit f8ab263d4d48e6dab752029bf562f20a2ee630ed ] There are cables that exist that can support speeds in excess of 10GbE. The driver, however, restricts the EEPROM advertised nominal bitrate to a specific range, which can prevent usage of cables that can support, for example, up to 25GbE. Rather than checking that an active or passive cable supports a specific range, only check for a minimum supported speed. Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") Signed-off-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7a7de9a6f198ce1952229eac9c7b2c63fe468d39 Author: Tom Lendacky Date: Thu Dec 8 10:22:24 2022 -0600 net: amd-xgbe: Fix logic around active and passive cables [ Upstream commit 4998006c73afe44e2f639d55bd331c6c26eb039f ] SFP+ active and passive cables are copper cables with fixed SFP+ end connectors. Due to a misinterpretation of this, SFP+ active cables could end up not being recognized, causing the driver to fail to establish a connection. Introduce a new enum in SFP+ cable types, XGBE_SFP_CABLE_FIBER, that is the default cable type, and handle active and passive cables when they are specifically detected. Fixes: abf0a1c2b26a ("amd-xgbe: Add support for SFP+ modules") Signed-off-by: Tom Lendacky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 99a75f34db5bf4d22c37515bceb1e9512a2491a9 Author: Yang Yingliang Date: Thu Dec 8 23:01:58 2022 +0800 af_unix: call proto_unregister() in the error path in af_unix_init() [ Upstream commit 73e341e0281a35274629e9be27eae2f9b1b492bf ] If register unix_stream_proto returns error, unix_dgram_proto needs be unregistered. Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap") Signed-off-by: Yang Yingliang Reviewed-by: Simon Horman Reviewed-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 22dbe4a6ea37449738b06e276381c1af1790cd8f Author: Richard Gobert Date: Thu Dec 8 15:54:46 2022 +0100 net: setsockopt: fix IPV6_UNICAST_IF option for connected sockets [ Upstream commit 526682b458b1b56d2e0db027df535cb5cdcfde59 ] Change the behaviour of ip6_datagram_connect to consider the interface set by the IPV6_UNICAST_IF socket option, similarly to udpv6_sendmsg. This change is the IPv6 counterpart of the fix for IP_UNICAST_IF. The tests introduced by that patch showed that the incorrect behavior is present in IPv6 as well. This patch fixes the broken test. Reported-by: kernel test robot Link: https://lore.kernel.org/r/202210062117.c7eef1a3-oliver.sang@intel.com Fixes: 0e4d354762ce ("net-next: Fix IP_UNICAST_IF option behavior for connected sockets") Signed-off-by: Richard Gobert Reviewed-by: David Ahern Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7cc54e9ffcf5ffbf7a80cc30211848ae9911776c Author: Yang Yingliang Date: Thu Dec 8 22:21:47 2022 +0800 net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In these two cases, dev_kfree_skb() is called consume the xmited SKB, so replace it with dev_consume_skb_irq(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit df7c78c3ab06b6c5915481ed19911ec59170c3f3 Author: Yang Yingliang Date: Thu Dec 8 22:21:46 2022 +0800 hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs, so replace it with dev_kfree_skb_irq(). In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceed queue length, so replace it with dev_kfree_skb_irq(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 4bc76162596e5bfe9b6d11e4e40bbb69eceea3bb Author: Yang Yingliang Date: Thu Dec 8 22:21:45 2022 +0800 net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. In this case, the lock is used to protected 'bp', so we can move dev_kfree_skb() after the spin_unlock_irqrestore(). Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 2a979f087430ee8c85ed4dc3e528b507dd4bb055 Author: Yang Yingliang Date: Thu Dec 8 22:21:44 2022 +0800 net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 9027ed144a1c10907a323596c2ed5c5d6f08a8f9 Author: Yang Yingliang Date: Thu Dec 8 21:37:35 2022 +0800 net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6c0fba2b683da962080b112a4d7c31c364a10f27 Author: Yang Yingliang Date: Thu Dec 8 21:37:34 2022 +0800 net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 588d0b8462f5ffed3e677e65639825b2678117ab Author: Hangbin Liu Date: Thu Dec 8 20:04:52 2022 +0800 net/tunnel: wait until all sk_user_data reader finish before releasing the sock [ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ] There is a race condition in vxlan that when deleting a vxlan device during receiving packets, there is a possibility that the sock is released after getting vxlan_sock vs from sk_user_data. Then in later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got NULL pointer dereference. e.g. #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757 #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48 #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542 #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62 [exception RIP: vxlan_ecn_decapsulate+0x3b] RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246 RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000 RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700 RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700 R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan] #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507 #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45 #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807 #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951 #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b #14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139 #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3 #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3 Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh Fix this by waiting for all sk_user_data reader to finish before releasing the sock. Reported-by: Jianlin Shi Suggested-by: Jakub Sitnicki Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs") Signed-off-by: Hangbin Liu Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bb1715a6bfb0c57a68524732a376498a2569f016 Author: Li Zetao Date: Thu Dec 8 20:05:40 2022 +0800 net: farsync: Fix kmemleak when rmmods farsync [ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ] There are two memory leaks reported by kmemleak: unreferenced object 0xffff888114b20200 (size 128): comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s) hex dump (first 32 bytes): e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff .bW......bW..... 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [] kmalloc_trace+0x22/0x60 [] __hw_addr_add_ex+0x198/0x6c0 [] dev_addr_init+0x13d/0x230 [] alloc_netdev_mqs+0x10d/0xe50 [] alloc_hdlcdev+0x2e/0x80 [] fst_add_one+0x601/0x10e0 [farsync] ... unreferenced object 0xffff88810b85b000 (size 1024): comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s) hex dump (first 32 bytes): 00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff .........p...... 00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00 ................ backtrace: [] kmalloc_trace+0x22/0x60 [] fst_add_one+0x154/0x10e0 [farsync] [] local_pci_probe+0xd3/0x170 ... The root cause is traced to the netdev and fst_card_info are not freed when removes one fst in fst_remove_one(), which may trigger oom if repeated insmod and rmmod module. Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as the operations on the error handling path in fst_add_one(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Li Zetao Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 5253d432dd36537cf44f26599b5930e69d5f2fc1 Author: Yang Yingliang Date: Thu Dec 8 20:01:21 2022 +0800 ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() [ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ] It is not allowed to call kfree_skb() or consume_skb() from hardware interrupt context or with hardware interrupts being disabled. It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. The difference between them is free reason, dev_kfree_skb_irq() means the SKB is dropped in error and dev_consume_skb_irq() means the SKB is consumed in normal. In this case, dev_kfree_skb() is called in free_tx_buffers() to drop the SKBs in tx buffers, when the card is down, so replace it with dev_kfree_skb_irq() here. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 71d88c7453ec3d2ceff98e18ce4d6354abd3b5b6 Author: ruanjinjie Date: Sun Dec 11 10:33:37 2022 +0800 of: overlay: fix null pointer dereferencing in find_dup_cset_node_entry() and find_dup_cset_prop() [ Upstream commit ee9d7a0e754568180a2f8ebc4aad226278a9116f ] When kmalloc() fail to allocate memory in kasprintf(), fn_1 or fn_2 will be NULL, and strcmp() will cause null pointer dereference. Fixes: 2fe0e8769df9 ("of: overlay: check prevents multiple fragments touching same property") Signed-off-by: ruanjinjie Link: https://lore.kernel.org/r/20221211023337.592266-1-ruanjinjie@huawei.com Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit cbde8b3acbc8d098240d8f423512689ffa84e80c Author: Julian Anastasov Date: Tue Nov 22 18:46:01 2022 +0200 ipvs: use u64_stats_t for the per-cpu counters [ Upstream commit 1dbd8d9a82e3f26b9d063292d47ece673f48fce2 ] Use the provided u64_stats_t type to avoid load/store tearing. Fixes: 316580b69d0a ("u64_stats: provide u64_stats_t type") Signed-off-by: Julian Anastasov Cc: yunhong-cgl jiang Cc: "dust.li" Reviewed-by: Jiri Wiesner Tested-by: Jiri Wiesner Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit dcae92a249551d1a447804b4be1c9fab0e8c95e8 Author: Yuan Can Date: Wed Dec 7 08:54:10 2022 +0000 drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() [ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ] If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp needs to be freed. Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") Signed-off-by: Yuan Can Reviewed-by: Leon Romanovsky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 446757787baf99b7db15cb347783c45a37bfe21f Author: Gaosheng Cui Date: Wed Dec 7 16:34:13 2022 +0800 net: stmmac: fix possible memory leak in stmmac_dvr_probe() [ Upstream commit a137f3f27f9290933fe7e40e6dc8a445781c31a2 ] The bitmap_free() should be called to free priv->af_xdp_zc_qps when create_singlethread_workqueue() fails, otherwise there will be a memory leak, so we add the err path error_wq_init to fix it. Fixes: bba2556efad6 ("net: stmmac: Enable RX via AF_XDP zero-copy") Signed-off-by: Gaosheng Cui Reviewed-by: Leon Romanovsky Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bfbc4f7f82da544920635e87323542051d253c8f Author: Zhang Changzhong Date: Wed Dec 7 16:31:59 2022 +0800 net: stmmac: selftests: fix potential memleak in stmmac_test_arpoffload() [ Upstream commit f150b63f3fa5fdd81e0dd6151e8850268e29438c ] The skb allocated by stmmac_test_get_arp_skb() hasn't been released in some error handling case, which will lead to a memory leak. Fix this up by adding kfree_skb() to release skb. Compile tested only. Fixes: 5e3fb0a6e2b3 ("net: stmmac: selftests: Implement the ARP Offload test") Signed-off-by: Zhang Changzhong Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit e6730e15df96805799f097078c38ee821c6c5183 Author: Yongqiang Liu Date: Wed Dec 7 07:20:45 2022 +0000 net: defxx: Fix missing err handling in dfx_init() [ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ] When eisa_driver_register() or tc_register_driver() failed, the modprobe defxx would fail with some err log as follows: Error: Driver 'defxx' is already registered, aborting... Fix this issue by adding err hanling in dfx_init(). Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support") Signed-off-by: Yongqiang Liu Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 6af94424012cb56d7c21479aab876f78f3d9e2cf Author: Artem Chernyshev Date: Tue Dec 6 09:58:34 2022 +0300 net: vmw_vsock: vmci: Check memcpy_from_msg() [ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ] vmci_transport_dgram_enqueue() does not check the return value of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that uninitialized memory contents are sent unintentionally instead of user's message in the datagram to the destination. Return with an error if memcpy_from_msg() fails. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr") Signed-off-by: Artem Chernyshev Reviewed-by: Stefano Garzarella Reviewed-by: Vishnu Dasa Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit bd72ab5e6fc1c4d3e6b84636141d26a41b977b03 Author: Xiu Jianfeng Date: Wed Nov 23 11:16:22 2022 +0800 clk: socfpga: Fix memory leak in socfpga_gate_init() [ Upstream commit 0b8ba891ad4d1ef6bfa4c72efc83f9f9f855f68b ] Free @socfpga_clk and @ops on the error path to avoid memory leak issue. Fixes: a30a67be7b6e ("clk: socfpga: Don't have get_parent for single parent ops") Signed-off-by: Xiu Jianfeng Link: https://lore.kernel.org/r/20221123031622.63171-1-xiujianfeng@huawei.com Acked-by: Dinh Nguyen Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 8d64aca5e8f36cf71338846a4bb87efd54386ac7 Author: Björn Töpel Date: Wed Dec 7 11:35:40 2022 +0100 bpf: Do not zero-extend kfunc return values [ Upstream commit d35af0a7feb077c43ff0233bba5a8c6e75b73e35 ] In BPF all global functions, and BPF helpers return a 64-bit value. For kfunc calls, this is not the case, and they can return e.g. 32-bit values. The return register R0 for kfuncs calls can therefore be marked as subreg_def != DEF_NOT_SUBREG. In general, if a register is marked with subreg_def != DEF_NOT_SUBREG, some archs (where bpf_jit_needs_zext() returns true) require the verifier to insert explicit zero-extension instructions. For kfuncs calls, however, the caller should do sign/zero extension for return values. In other words, the compiler is responsible to insert proper instructions, not the verifier. An example, provided by Yonghong Song: $ cat t.c extern unsigned foo(void); unsigned bar1(void) { return foo(); } unsigned bar2(void) { if (foo()) return 10; else return 20; } $ clang -target bpf -mcpu=v3 -O2 -c t.c && llvm-objdump -d t.o t.o: file format elf64-bpf Disassembly of section .text: 0000000000000000 : 0: 85 10 00 00 ff ff ff ff call -0x1 1: 95 00 00 00 00 00 00 00 exit 0000000000000010 : 2: 85 10 00 00 ff ff ff ff call -0x1 3: bc 01 00 00 00 00 00 00 w1 = w0 4: b4 00 00 00 14 00 00 00 w0 = 0x14 5: 16 01 01 00 00 00 00 00 if w1 == 0x0 goto +0x1 6: b4 00 00 00 0a 00 00 00 w0 = 0xa 0000000000000038 : 7: 95 00 00 00 00 00 00 00 exit If the return value of 'foo()' is used in the BPF program, the proper zero-extension will be done. Currently, the verifier correctly marks, say, a 32-bit return value as subreg_def != DEF_NOT_SUBREG, but will fail performing the actual zero-extension, due to a verifier bug in opt_subreg_zext_lo32_rnd_hi32(). load_reg is not properly set to R0, and the following path will be taken: if (WARN_ON(load_reg == -1)) { verbose(env, "verifier bug. zext_dst is set, but no reg is defined\n"); return -EFAULT; } A longer discussion from v1 can be found in the link below. Correct the verifier by avoiding doing explicit zero-extension of R0 for kfunc calls. Note that R0 will still be marked as a sub-register for return values smaller than 64-bit. Fixes: 83a2881903f3 ("bpf: Account for BPF_FETCH in insn_has_def32()") Link: https://lore.kernel.org/bpf/20221202103620.1915679-1-bjorn@kernel.org/ Suggested-by: Yonghong Song Signed-off-by: Björn Töpel Acked-by: Yonghong Song Link: https://lore.kernel.org/r/20221207103540.396496-1-bjorn@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 8682d0a6ee546d365f53b9d5dfb509f2ad3a2f07 Author: Yang Jihong Date: Tue Nov 22 12:04:10 2022 +0800 blktrace: Fix output non-blktrace event when blk_classic option enabled [ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ] When the blk_classic option is enabled, non-blktrace events must be filtered out. Otherwise, events of other types are output in the blktrace classic format, which is unexpected. The problem can be triggered in the following ways: # echo 1 > /sys/kernel/debug/tracing/options/blk_classic # echo 1 > /sys/kernel/debug/tracing/events/enable # echo blk > /sys/kernel/debug/tracing/current_tracer # cat /sys/kernel/debug/tracing/trace_pipe Fixes: c71a89615411 ("blktrace: add ftrace plugin") Signed-off-by: Yang Jihong Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit bbb2d35386c11e13b19261ed7f926b305e19a07c Author: Wang Yufen Date: Fri Dec 2 13:35:42 2022 +0800 wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() [ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ] Fix to return a negative error code instead of 0 when brcmf_chip_set_active() fails. In addition, change the return value for brcmf_pcie_exit_download_state() to keep consistent. Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions") Signed-off-by: Wang Yufen Reviewed-by: Arend van Spriel Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 36a2786145efa55e7311059f3a05c330c72c4249 Author: Bitterblue Smith Date: Thu Dec 1 16:15:08 2022 +0200 wifi: rtl8xxxu: Fix the channel width reporting [ Upstream commit 76c16af2cb10282274596e21add2c9f0b95c941b ] The gen 2 chips RTL8192EU and RTL8188FU periodically send the driver reports about the TX rate, and the driver passes these reports to sta_statistics. The reports from RTL8192EU may or may not include the channel width. The reports from RTL8188FU do not include it. Only access the c2h->ra_report.bw field if the report (skb) is big enough. The other problem fixed here is that the code was actually never changing the channel width initially reported by rtl8xxxu_bss_info_changed because the value of RATE_INFO_BW_20 is 0. Fixes: 0985d3a410ac ("rtl8xxxu: Feed current txrate information for mac80211") Signed-off-by: Bitterblue Smith Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/5b41f1ae-72e7-6b7a-2459-b736399a1c40@gmail.com Signed-off-by: Sasha Levin commit 8e2d450c4e5b579ab90fbdaadeb389c542f699d5 Author: Bitterblue Smith Date: Thu Dec 1 16:13:57 2022 +0200 wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h [ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ] This struct is used to access a sequence of bytes received from the wifi chip. It must not have any padding bytes between the members. This doesn't change anything on my system, possibly because currently none of the members need more than byte alignment. Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu") Signed-off-by: Bitterblue Smith Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com Signed-off-by: Sasha Levin commit 9d0190d4722ae9a5be9de21fa2b3a3eb9db2bc0e Author: Kris Bahnsen Date: Wed Dec 7 15:08:53 2022 -0800 spi: spi-gpio: Don't set MOSI as an input if not 3WIRE mode [ Upstream commit 3a6f994f848a69deb2bf3cd9d130dd0c09730e55 ] The addition of 3WIRE support would affect MOSI direction even when still in standard (4 wire) mode. This can lead to MOSI being at an invalid logic level when a device driver sets an SPI message with a NULL tx_buf. spi.h states that if tx_buf is NULL then "zeros will be shifted out ... " If MOSI is tristated then the data shifted out is subject to pull resistors, keepers, or in the absence of those, noise. This issue came to light when using spi-gpio connected to an ADS7843 touchscreen controller. MOSI pulled high when clocking MISO data in caused the SPI device to interpret this as a command which would put the device in an unexpected and non-functional state. Fixes: 4b859db2c606 ("spi: spi-gpio: add SPI_3WIRE support") Fixes: 5132b3d28371 ("spi: gpio: Support 3WIRE high-impedance turn-around") Signed-off-by: Kris Bahnsen Link: https://lore.kernel.org/r/20221207230853.6174-1-kris@embeddedTS.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a35323218ff32782d051d2643912311a22e07b6a Author: Xiu Jianfeng Date: Wed Nov 23 11:20:15 2022 +0800 clk: samsung: Fix memory leak in _samsung_clk_register_pll() [ Upstream commit 5174e5b0d1b669a489524192b6adcbb3c54ebc72 ] If clk_register() fails, @pll->rate_table may have allocated memory by kmemdup(), so it needs to be freed, otherwise will cause memory leak issue, this patch fixes it. Fixes: 3ff6e0d8d64d ("clk: samsung: Add support to register rate_table for samsung plls") Signed-off-by: Xiu Jianfeng Link: https://lore.kernel.org/r/20221123032015.63980-1-xiujianfeng@huawei.com Reviewed-by: Alim Akhtar Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit c93ecbb21b9a5a2bb93b49a146a3b4e5ddd9f8de Author: Geert Uytterhoeven Date: Mon Nov 21 16:58:33 2022 +0100 media: staging: stkwebcam: Restore MEDIA_{USB,CAMERA}_SUPPORT dependencies [ Upstream commit faaf901727eddcfbe889fe172ec9cdb5e63c8236 ] By moving support for the USB Syntek DC1125 Camera to staging, the dependencies on MEDIA_USB_SUPPORT and MEDIA_CAMERA_SUPPORT were lost. Fixes: 56280c64ecac ("media: stkwebcam: deprecate driver, move to staging") Signed-off-by: Geert Uytterhoeven Reviewed-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 0209e70ad496c1fcd85c2ec70e6736fd09f95d14 Author: Jiasheng Jiang Date: Thu Nov 17 15:02:36 2022 +0800 media: coda: Add check for kmalloc [ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ] As the kmalloc may return NULL pointer, it should be better to check the return value in order to avoid NULL poineter dereference, same as the others. Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 05f165ded4a7baec31b65aba88e2cd1fb9b91db2 Author: Jiasheng Jiang Date: Thu Nov 17 14:56:52 2022 +0800 media: coda: Add check for dcoda_iram_alloc [ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ] As the coda_iram_alloc may return NULL pointer, it should be better to check the return value in order to avoid NULL poineter dereference, same as the others. Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit ccb4e8de1e7ed71028b8bc9d42e5cb6aff8fb9ba Author: Liang He Date: Tue Jul 19 22:10:23 2022 +0800 media: c8sectpfe: Add of_node_put() when breaking out of loop [ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ] In configure_channels(), we should call of_node_put() when breaking out of for_each_child_of_node() which will automatically increase and decrease the refcount. Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") Signed-off-by: Liang He Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 86e52c02e28886a8e3e73e82a6ad5aff6bfbf11c Author: Yuan Can Date: Sat Dec 3 06:21:09 2022 +0000 regulator: qcom-labibb: Fix missing of_node_put() in qcom_labibb_regulator_probe() [ Upstream commit cf34ac6aa2b12fb0c3aacfdcae8acd7904b949ec ] The reg_node needs to be released through of_node_put() in the error handling path when of_irq_get_byname() failed. Fixes: 390af53e0411 ("regulator: qcom-labibb: Implement short-circuit and over-current IRQs") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221203062109.115043-1-yuancan@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 83a9cd6e0a967a6e9b4683a93d28f213175680ee Author: Christoph Hellwig Date: Wed Nov 30 17:16:52 2022 +0100 nvme: pass nr_maps explicitly to nvme_alloc_io_tag_set [ Upstream commit dcef77274ae52136925287b6b59d5c6e6a4adfb9 ] Don't look at ctrl->ops as only RDMA and TCP actually support multiple maps. Fixes: 6dfba1c09c10 ("nvme-fc: use the tagset alloc/free helpers") Fixes: ceee1953f923 ("nvme-loop: use the tagset alloc/free helpers") Signed-off-by: Christoph Hellwig Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Signed-off-by: Sasha Levin commit 5aebe9ba130a38db914347a397190a8405ae7671 Author: Zhen Lei Date: Wed Nov 30 21:49:20 2022 +0800 mmc: core: Normalize the error handling branch in sd_read_ext_regs() [ Upstream commit fc02e2b52389c8fde02852b2f959c0b45f042bbd ] Let's use pr_err() to output the error messages and let's extend a comment to clarify why returning 0 (success) in one case make sense. Fixes: c784f92769ae ("mmc: core: Read the SD function extension registers for power management") Signed-off-by: Zhen Lei [Ulf: Clarified the comment and the commit-msg] Link: https://lore.kernel.org/r/20221130134920.2109-1-thunder.leizhen@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 1b3f0b02486b553983c352442e20aded7458decd Author: Jiasheng Jiang Date: Sat Nov 26 09:25:58 2022 +0800 memstick/ms_block: Add check for alloc_ordered_workqueue [ Upstream commit 4f431a047a5c8698ed4b67e2760cfbeb5fffb69d ] As the alloc_ordered_workqueue may return NULL pointer, it should be better to add check for the return value. Moreover, the msb->io_queue should be freed if error occurs later. Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20221126012558.34374-1-jiasheng@iscas.ac.cn Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit d87d565fec52e8c3b91b434eb4386e74ae26f8f0 Author: Wolfram Sang Date: Sun Nov 20 12:34:54 2022 +0100 mmc: renesas_sdhi: alway populate SCC pointer [ Upstream commit 3d4f9898c1c74323dd61d6a8a0efca9401232ad4 ] We need the SCC pointer to reset the device, so populate it even when we don't need it for tuning. Fixes: 45bffc371fef ("mmc: renesas_sdhi: only reset SCC when its pointer is populated") Signed-off-by: Takeshi Saito Signed-off-by: Takeshi Kihara Signed-off-by: Wolfram Sang Reviewed-by: Yoshihiro Shimoda Tested-by: Yoshihiro Shimoda Link: https://lore.kernel.org/r/20221120113457.42010-2-wsa+renesas@sang-engineering.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit eb8431dc4b5a8f104f5414ce80d8df4f21bdffbd Author: Yang Yingliang Date: Wed Nov 9 21:35:39 2022 +0800 mmc: mmci: fix return value check of mmc_add_host() [ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). So fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 3697d9af93bf600da5078eb3ed49eac7cc55e9d9 Author: Yang Yingliang Date: Wed Nov 9 21:32:37 2022 +0800 mmc: wbsd: fix return value check of mmc_add_host() [ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, other resources also need be released. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit ba91b413983a9235792523c6b9f7ba2586c4d75d Author: Yang Yingliang Date: Tue Nov 8 21:09:49 2022 +0800 mmc: via-sdmmc: fix return value check of mmc_add_host() [ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit f5ce76aeddf01ca8f2a80fc37119388d59db7c10 Author: Yang Yingliang Date: Tue Nov 8 20:34:17 2022 +0800 mmc: meson-gx: fix return value check of mmc_add_host() [ Upstream commit 90935f16f2650ab7416fa2ffbe5c28cb39cf3f1e ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: 51c5d8447bd7 ("MMC: meson: initial support for GX platforms") Signed-off-by: Yang Yingliang Reviewed-by: Neil Armstrong Link: https://lore.kernel.org/r/20221108123417.479045-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 4e1dc24bcfc8257f24c0663badec7e4f3ae80558 Author: Yang Yingliang Date: Tue Nov 8 20:13:16 2022 +0800 mmc: omap_hsmmc: fix return value check of mmc_add_host() [ Upstream commit a525cad241c339ca00bf7ebf03c5180f2a9b767c ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path wihch will call mmc_free_host(). Fixes: a45c6cb81647 ("[ARM] 5369/1: omap mmc: Add new omap hsmmc controller for 2430 and 34xx, v3") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221108121316.340354-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 85946ceb0fac20ab39cdb85333086daf0291a553 Author: Yang Yingliang Date: Tue Nov 8 20:28:19 2022 +0800 mmc: atmel-mci: fix return value check of mmc_add_host() [ Upstream commit 9e6e8c43726673ca2abcaac87640b9215fd72f4c ] mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). So fix this by checking the return value and calling mmc_free_host() in the error path. Fixes: 7d2be0749a59 ("atmel-mci: Driver for Atmel on-chip MMC controllers") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221108122819.429975-1-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 9229e7a00f5b7e1566110840ea05db22139bc246 Author: Gabriel Somlo Date: Mon Nov 7 10:55:16 2022 -0500 mmc: litex_mmc: ensure `host->irq == 0` if polling [ Upstream commit 5c1a2b77cd1b59112cf22b3e338f7e416797ad32 ] Ensure the flag is explicitly set to 0 if we determine that polling is needed during driver probe, to cover all possible cases. Fixes: 92e099104729 ("mmc: Add driver for LiteX's LiteSDCard interface") Signed-off-by: Gabriel Somlo Link: https://lore.kernel.org/r/20221107155516.2535912-1-gsomlo@gmail.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit eb7a2d516d4fbd165c07877a20feccb047342b1f Author: Yang Yingliang Date: Tue Nov 1 14:30:23 2022 +0800 mmc: wmt-sdmmc: fix return value check of mmc_add_host() [ Upstream commit 29276d56f6ed138db0f38cd31aedc0b725c8c76c ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, clk_disable_unprepare() also needs be called. Fixes: 3a96dff0f828 ("mmc: SD/MMC Host Controller for Wondermedia WM8505/WM8650") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-10-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 2044b2ea77945f372ef161d1bbf814e471767ff2 Author: Yang Yingliang Date: Tue Nov 1 14:30:22 2022 +0800 mmc: vub300: fix return value check of mmc_add_host() [ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes another missing call mmc_free_host() if usb_control_msg() fails. Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit bfd77b194c94aefbde4efc30ddf8607dd9244672 Author: Yang Yingliang Date: Tue Nov 1 14:30:21 2022 +0800 mmc: toshsd: fix return value check of mmc_add_host() [ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, free_irq() also needs be called. Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit a522e26a20a43dcfbef9ee9f71ed803290e852b0 Author: Yang Yingliang Date: Tue Nov 1 14:30:20 2022 +0800 mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() [ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path, besides, led_classdev_unregister() and pm_runtime_disable() also need be called. Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit ffa9b2a79e3e959683efbad3f6db937eca9d38f5 Author: Yang Yingliang Date: Tue Nov 1 14:30:19 2022 +0800 mmc: rtsx_pci: fix return value check of mmc_add_host() [ Upstream commit 0c87db77423a282b3b38b8a6daf057b822680516 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path, beside, runtime PM also needs be disabled. Fixes: ff984e57d36e ("mmc: Add realtek pcie sdmmc host driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-6-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 5a62cba138519161a2fe4937720b2649760e57e9 Author: Yang Yingliang Date: Tue Nov 1 14:30:18 2022 +0800 mmc: pxamci: fix return value check of mmc_add_host() [ Upstream commit 80e1ef3afb8bfbe768380b70ffe1b6cab87d1a3b ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, ->exit() need be called to uninit the pdata. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-5-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit d2ead18bc7cc166220cab5a744a05c5b69431a12 Author: Yang Yingliang Date: Tue Nov 1 14:30:17 2022 +0800 mmc: mxcmmc: fix return value check of mmc_add_host() [ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 40aa73c70e8a5706f9cbe01409a5e51cc0f1750e Author: Yang Yingliang Date: Tue Nov 1 14:30:16 2022 +0800 mmc: moxart: fix return value check of mmc_add_host() [ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(). Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 60fafcf2fb7ee9a4125dc9a86eeb9d490acf23e2 Author: Yang Yingliang Date: Tue Nov 1 14:30:15 2022 +0800 mmc: alcor: fix return value check of mmc_add_host() [ Upstream commit e93d1468f429475a753d6baa79b853b7ee5ef8c0 ] mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and calling mmc_free_host() in the error path. Fixes: c5413ad815a6 ("mmc: add new Alcor Micro Cardreader SD/MMC driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221101063023.1664968-2-yangyingliang@huawei.com Signed-off-by: Ulf Hansson Signed-off-by: Sasha Levin commit 774d97b5ed7c8b837cd5fcf6efe79fa8e22ad2b0 Author: Xingjiang Qiao Date: Tue Dec 6 13:53:31 2022 +0800 hwmon: (emc2305) fix pwm never being able to set lower [ Upstream commit 364ffd2537c44cb6914ff5669153f4a86fffad29 ] There are fields 'last_hwmon_state' and 'last_thermal_state' in the structure 'emc2305_cdev_data', which respectively store the cooling state set by the 'hwmon' and 'thermal' subsystem, and the driver author hopes that if the state set by 'hwmon' is lower than the value set by 'thermal', the driver will just save it without actually setting the pwm. Currently, the 'last_thermal_state' also be updated by 'hwmon', which will cause the cooling state to never be set to a lower value. This patch fixes that. Signed-off-by: Xingjiang Qiao Link: https://lore.kernel.org/r/20221206055331.170459-2-nanpuyue@gmail.com Fixes: 0d8400c5a2ce1 ("hwmon: (emc2305) add support for EMC2301/2/3/5 RPM-based PWM Fan Speed Controller.") [groeck: renamed emc2305_set_cur_state_shim -> __emc2305_set_cur_state] Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 4cf53e91f36a8e8b7b6ffe33fd5c8ad195ed0f80 Author: Xingjiang Qiao Date: Tue Dec 6 13:53:30 2022 +0800 hwmon: (emc2305) fix unable to probe emc2301/2/3 [ Upstream commit 4d50591ebf60ccf79380fff3a4c23659c61c482f ] The definitions of 'EMC2305_REG_PRODUCT_ID' and 'EMC2305_REG_DEVICE' are both '0xfd', they actually return the same value, but the values returned by emc2301/2/3/5 are different, so probe emc2301/2/3 will fail, This patch fixes that. Signed-off-by: Xingjiang Qiao Link: https://lore.kernel.org/r/20221206055331.170459-1-nanpuyue@gmail.com Fixes: 0d8400c5a2ce1 ("hwmon: (emc2305) add support for EMC2301/2/3/5 RPM-based PWM Fan Speed Controller.") Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 12e6772017774c46088099ce045d6bbea0da854c Author: Miaoqian Lin Date: Tue Dec 6 11:19:06 2022 +0400 bpftool: Fix memory leak in do_build_table_cb [ Upstream commit fa55ef14ef4fe06198c0ce811b603aec24134bc2 ] strdup() allocates memory for path. We need to release the memory in the following error path. Add free() to avoid memory leak. Fixes: 8f184732b60b ("bpftool: Switch to libbpf's hashmap for pinned paths of BPF objects") Signed-off-by: Miaoqian Lin Signed-off-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20221206071906.806384-1-linmq006@gmail.com Signed-off-by: Sasha Levin commit adebac5995c9f75f24ee0c32bcd5f32749ce707e Author: Pu Lehui Date: Tue Dec 6 17:14:10 2022 +0800 riscv, bpf: Emit fixed-length instructions for BPF_PSEUDO_FUNC [ Upstream commit b54b6003612a376e7be32cbc5c1af3754bbbbb3d ] For BPF_PSEUDO_FUNC instruction, verifier will refill imm with correct addresses of bpf_calls and then run last pass of JIT. Since the emit_imm of RV64 is variable-length, which will emit appropriate length instructions accorroding to the imm, it may broke ctx->offset, and lead to unpredictable problem, such as inaccurate jump. So let's fix it with fixed-length instructions. Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") Suggested-by: Björn Töpel Signed-off-by: Pu Lehui Signed-off-by: Daniel Borkmann Reviewed-by: Björn Töpel Acked-by: Björn Töpel Link: https://lore.kernel.org/bpf/20221206091410.1584784-1-pulehui@huaweicloud.com Signed-off-by: Sasha Levin commit 86c1f5d5f49847f3023d57e9865efac7192c4b5d Author: Trond Myklebust Date: Tue Dec 6 12:42:59 2022 -0500 NFSv4.x: Fail client initialisation if state manager thread can't run [ Upstream commit b4e4f66901658fae0614dea5bf91062a5387eda7 ] If the state manager thread fails to start, then we should just mark the client initialisation as failed so that other processes or threads don't get stuck in nfs_wait_client_init_complete(). Reported-by: ChenXiaoSong Fixes: 4697bd5e9419 ("NFSv4: Fix a race in the net namespace mount notification") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit a89715bc95233a31441c0474daabba1d5d36c016 Author: Anna Schumaker Date: Wed Nov 30 15:30:47 2022 -0500 NFS: Allow very small rsize & wsize again [ Upstream commit a60214c2465493aac0b014d87ee19327b6204c42 ] 940261a19508 introduced nfs_io_size() to clamp the iosize to a multiple of PAGE_SIZE. This had the unintended side effect of no longer allowing iosizes less than a page, which could be useful in some situations. UDP already has an exception that causes it to fall back on the power-of-two style sizes instead. This patch adds an additional exception for very small iosizes. Reported-by: Jeff Layton Fixes: 940261a19508 ("NFS: Allow setting rsize / wsize to a multiple of PAGE_SIZE") Signed-off-by: Anna Schumaker Reviewed-by: Jeff Layton Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit f6a174755c330fe30ba023c4511ce1caf51a7ce1 Author: Anna Schumaker Date: Wed Nov 30 13:15:25 2022 -0500 NFSv4.2: Set the correct size scratch buffer for decoding READ_PLUS [ Upstream commit 36357fe74ef736524a29fbd3952948768510a8b9 ] The scratch_buf array is 16 bytes, but I was passing 32 to the xdr_set_scratch_buffer() function. Fix this by using sizeof(), which is what I probably should have been doing this whole time. Fixes: d3b00a802c84 ("NFS: Replace the READ_PLUS decoding code") Signed-off-by: Anna Schumaker Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 05acc401bca3e5cecd75d9ce6b8d70517c4875aa Author: Wang ShaoBo Date: Thu Nov 24 17:23:42 2022 +0800 SUNRPC: Fix missing release socket in rpc_sockname() [ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ] socket dynamically created is not released when getting an unintended address family type in rpc_sockname(), direct to out_release for calling sock_release(). Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address") Signed-off-by: Wang ShaoBo Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 17c49afc694eb3ab4e1b56e41cb186c3ad77a2ed Author: Zhang Xiaoxu Date: Sun Nov 20 15:34:29 2022 +0800 xprtrdma: Fix regbuf data not freed in rpcrdma_req_create() [ Upstream commit 9181f40fb2952fd59ecb75e7158620c9c669eee3 ] If rdma receive buffer allocate failed, should call rpcrdma_regbuf_free() to free the send buffer, otherwise, the buffer data will be leaked. Fixes: bb93a1ae2bf4 ("xprtrdma: Allocate req's regbufs at xprt create time") Signed-off-by: Zhang Xiaoxu Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit aae4846e8e49044cb51d0276bec2a3fc2d5cd8da Author: Gaosheng Cui Date: Tue Nov 29 20:01:26 2022 +0800 pinctrl: thunderbay: fix possible memory leak in thunderbay_build_functions() [ Upstream commit 83e1bcaf8cef26edaaf2a6098ef760f563683483 ] The thunderbay_add_functions() will free memory of thunderbay_funcs when everything is ok, but thunderbay_funcs will not be freed when thunderbay_add_functions() fails, then there will be a memory leak, so we need to add kfree() when thunderbay_add_functions() fails to fix it. In addition, doing some cleaner works, moving kfree(funcs) from thunderbay_add_functions() to thunderbay_build_functions(). Fixes: 12422af8194d ("pinctrl: Add Intel Thunder Bay pinctrl driver") Signed-off-by: Gaosheng Cui Reviewed-by: Rafał Miłecki Link: https://lore.kernel.org/r/20221129120126.1567338-1-cuigaosheng1@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 250eed7b9994d79f9c409f954dbd08e88f5afd83 Author: Gaosheng Cui Date: Tue Dec 6 14:10:04 2022 +0800 ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt [ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ] I got a null-ptr-defer error report when I do the following tests on the qemu platform: make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, CONFIG_SND_MTS64=m Then making test scripts: cat>test_mod1.sh< snd_mts64_interrupt+0x24/0xa0 [snd_mts64] parport_irq_handler+0x37/0x50 [parport] __handle_irq_event_percpu+0x39/0x190 handle_irq_event_percpu+0xa/0x30 handle_irq_event+0x2f/0x50 handle_edge_irq+0x99/0x1b0 __common_interrupt+0x5d/0x100 common_interrupt+0xa0/0xc0 asm_common_interrupt+0x22/0x40 RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 parport_claim+0xbd/0x230 [parport] snd_mts64_probe+0x14a/0x465 [snd_mts64] platform_probe+0x3f/0xa0 really_probe+0x129/0x2c0 __driver_probe_device+0x6d/0xc0 driver_probe_device+0x1a/0xa0 __device_attach_driver+0x7a/0xb0 bus_for_each_drv+0x62/0xb0 __device_attach+0xe4/0x180 bus_probe_device+0x82/0xa0 device_add+0x550/0x920 platform_device_add+0x106/0x220 snd_mts64_attach+0x2e/0x80 [snd_mts64] port_check+0x14/0x20 [parport] bus_for_each_dev+0x6e/0xc0 __parport_register_driver+0x7c/0xb0 [parport] snd_mts64_module_init+0x31/0x1000 [snd_mts64] do_one_initcall+0x3c/0x1f0 do_init_module+0x46/0x1c6 load_module+0x1d8d/0x1e10 __do_sys_finit_module+0xa2/0xf0 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Kernel panic - not syncing: Fatal exception in interrupt Rebooting in 1 seconds.. The mts wa not initialized during interrupt, we add check for mts to fix this bug. Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0859b2e1d5fa650b45c29b3426611c5f997cfcdf Author: Guoniu.zhou Date: Fri Nov 25 09:20:24 2022 +0000 media: ov5640: set correct default link frequency [ Upstream commit d7b41196927ba2a2b5badad1a85f9087eb90b076 ] current_link_freq field in ov5640_dev structure is link frequency, not link frequency array index, so correct it. Fixes: 3c28588f35d3 ("media: ov5640: Update pixel_rate and link_freq") Signed-off-by: Guoniu.zhou Acked-by: Jacopo Mondi Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3872adf30623bd16fd7f2a77dfef4f4da1505b84 Author: Liu Shixin Date: Sat Nov 26 11:31:26 2022 +0000 media: saa7164: fix missing pci_disable_device() [ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ] Add missing pci_disable_device() in the error path in saa7164_initdev(). Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon") Signed-off-by: Liu Shixin Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 809b48cb2eee2d9f5259eb79a22f9c725e9c6ed9 Author: Takashi Iwai Date: Mon Dec 5 14:21:22 2022 +0100 ALSA: pcm: Set missing stop_operating flag at undoing trigger start [ Upstream commit 5c8cc93b06d1ff860327a273abf3ac006290d242 ] When a PCM trigger-start fails at snd_pcm_do_start(), PCM core tries to undo the action at snd_pcm_undo_start() by issuing the trigger STOP manually. At that point, we forgot to set the stop_operating flag, hence the sync-stop won't be issued at the next prepare or other calls. This patch adds the missing stop_operating flag at snd_pcm_undo_start(). Fixes: 1e850beea278 ("ALSA: pcm: Add the support for sync-stop operation") Link: https://lore.kernel.org/r/b4e71631-4a94-613-27b2-fb595792630@carlh.net Link: https://lore.kernel.org/r/20221205132124.11585-2-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 5c3568166129bc73fd6b37748d2d8f95cd8f22f3 Author: Eric Dumazet Date: Fri Dec 2 11:16:40 2022 +0000 bpf, sockmap: fix race in sock_map_free() [ Upstream commit 0a182f8d607464911756b4dbef5d6cad8de22469 ] sock_map_free() calls release_sock(sk) without owning a reference on the socket. This can cause use-after-free as syzbot found [1] Jakub Sitnicki already took care of a similar issue in sock_hash_free() in commit 75e68e5bf2c7 ("bpf, sockhash: Synchronize delete from bucket list on map free") [1] refcount_t: decrement hit 0; leaking memory. WARNING: CPU: 0 PID: 3785 at lib/refcount.c:31 refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Modules linked in: CPU: 0 PID: 3785 Comm: kworker/u4:6 Not tainted 6.1.0-rc7-syzkaller-00103-gef4d3ea40565 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Workqueue: events_unbound bpf_map_free_deferred RIP: 0010:refcount_warn_saturate+0x17c/0x1a0 lib/refcount.c:31 Code: 68 8b 31 c0 e8 75 71 15 fd 0f 0b e9 64 ff ff ff e8 d9 6e 4e fd c6 05 62 9c 3d 0a 01 48 c7 c7 80 bb 68 8b 31 c0 e8 54 71 15 fd <0f> 0b e9 43 ff ff ff 89 d9 80 e1 07 80 c1 03 38 c1 0f 8c a2 fe ff RSP: 0018:ffffc9000456fb60 EFLAGS: 00010246 RAX: eae59bab72dcd700 RBX: 0000000000000004 RCX: ffff8880207057c0 RDX: 0000000000000000 RSI: 0000000000000201 RDI: 0000000000000000 RBP: 0000000000000004 R08: ffffffff816fdabd R09: fffff520008adee5 R10: fffff520008adee5 R11: 1ffff920008adee4 R12: 0000000000000004 R13: dffffc0000000000 R14: ffff88807b1c6c00 R15: 1ffff1100f638dcf FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b30c30000 CR3: 000000000d08e000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __refcount_dec include/linux/refcount.h:344 [inline] refcount_dec include/linux/refcount.h:359 [inline] __sock_put include/net/sock.h:779 [inline] tcp_release_cb+0x2d0/0x360 net/ipv4/tcp_output.c:1092 release_sock+0xaf/0x1c0 net/core/sock.c:3468 sock_map_free+0x219/0x2c0 net/core/sock_map.c:356 process_one_work+0x81c/0xd10 kernel/workqueue.c:2289 worker_thread+0xb14/0x1330 kernel/workqueue.c:2436 kthread+0x266/0x300 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down") Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Jakub Sitnicki Cc: John Fastabend Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Song Liu Acked-by: John Fastabend Link: https://lore.kernel.org/r/20221202111640.2745533-1-edumazet@google.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 9283a0f51173a65cbef4bc7a951ac9c0a9fabae6 Author: Toke Høiland-Jørgensen Date: Thu Dec 1 13:39:39 2022 +0100 bpf: Add dummy type reference to nf_conn___init to fix type deduplication [ Upstream commit 578ce69ffda49d6c1a252490553290d1f27199f0 ] The bpf_ct_set_nat_info() kfunc is defined in the nf_nat.ko module, and takes as a parameter the nf_conn___init struct, which is allocated through the bpf_xdp_ct_alloc() helper defined in the nf_conntrack.ko module. However, because kernel modules can't deduplicate BTF types between each other, and the nf_conn___init struct is not referenced anywhere in vmlinux BTF, this leads to two distinct BTF IDs for the same type (one in each module). This confuses the verifier, as described here: https://lore.kernel.org/all/87leoh372s.fsf@toke.dk/ As a workaround, add an explicit BTF_TYPE_EMIT for the type in net/filter.c, so the type definition gets included in vmlinux BTF. This way, both modules can refer to the same type ID (as they both build on top of vmlinux BTF), and the verifier is no longer confused. v2: - Use BTF_TYPE_EMIT (which is a statement so it has to be inside a function definition; use xdp_func_proto() for this, since this is mostly xdp-related). Fixes: 820dc0523e05 ("net: netfilter: move bpf_ct_set_nat_info kfunc in nf_nat_bpf.c") Signed-off-by: Toke Høiland-Jørgensen Link: https://lore.kernel.org/r/20221201123939.696558-1-toke@redhat.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 204d0f668d0f31c812982261b1720c9326c3c384 Author: Martin Blumenstingl Date: Sun Oct 23 23:31:57 2022 +0200 hwmon: (jc42) Restore the min/max/critical temperatures on resume [ Upstream commit 084ed144c448fd5bc8ed5a58247153fbbfd115c3 ] The JC42 compatible thermal sensor on Kingston KSM32ES8/16ME DIMMs (using Micron E-Die) is an ST Microelectronics STTS2004 (manufacturer 0x104a, device 0x2201). It does not keep the previously programmed minimum, maximum and critical temperatures after system suspend and resume (which is a shutdown / startup cycle for the JC42 temperature sensor). This results in an alarm on system resume because the hardware default for these values is 0°C (so any environment temperature greater than 0°C will trigger the alarm). Example before system suspend: jc42-i2c-0-1a Adapter: SMBus PIIX4 adapter port 0 at 0b00 temp1: +34.8°C (low = +0.0°C) (high = +85.0°C, hyst = +85.0°C) (crit = +95.0°C, hyst = +95.0°C) Example after system resume (without this change): jc42-i2c-0-1a Adapter: SMBus PIIX4 adapter port 0 at 0b00 temp1: +34.8°C (low = +0.0°C) ALARM (HIGH, CRIT) (high = +0.0°C, hyst = +0.0°C) (crit = +0.0°C, hyst = +0.0°C) Apply the cached values from the JC42_REG_TEMP_UPPER, JC42_REG_TEMP_LOWER, JC42_REG_TEMP_CRITICAL and JC42_REG_SMBUS (where the SMBUS register is not related to this issue but a side-effect of using regcache_sync() during system resume with the previously cached/programmed values. This fixes the alarm due to the hardware defaults of 0°C because the previously applied limits (set by userspace) are re-applied on system resume. Fixes: 175c490c9e7f ("hwmon: (jc42) Add support for STTS2004 and AT30TSE004") Reviewed-by: Guenter Roeck Signed-off-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20221023213157.11078-3-martin.blumenstingl@googlemail.com Signed-off-by: Guenter Roeck Signed-off-by: Sasha Levin commit 24186b599624678eb02dac04708ffb01a0c64e2e Author: Martin Blumenstingl Date: Sun Oct 23 23:31:56 2022 +0200 hwmon: (jc42) Convert register access and caching to regmap/regcache [ Upstream commit 8f2fa4726faf01094d7a5be7bd0c120c565f54d9 ] Switch the jc42 driver to use an I2C regmap to access the registers. Also move over to regmap's built-in caching instead of adding a custom caching implementation. This works for JC42_REG_TEMP_UPPER, JC42_REG_TEMP_LOWER and JC42_REG_TEMP_CRITICAL as these values never change except when explicitly written. The cache For JC42_REG_TEMP is dropped (regmap can't cache it because it's volatile, meaning it can change at any time) as well for simplicity and consistency with other drivers. Signed-off-by: Martin Blumenstingl Link: https://lore.kernel.org/r/20221023213157.11078-2-martin.blumenstingl@googlemail.com Signed-off-by: Guenter Roeck Stable-dep-of: 084ed144c448 ("hwmon: (jc42) Restore the min/max/critical temperatures on resume") Signed-off-by: Sasha Levin commit f86b2f216636790d5922458578825e4628fb570f Author: Yang Yingliang Date: Fri Dec 2 10:51:11 2022 +0800 regulator: core: fix resource leak in regulator_register() [ Upstream commit ba62319a42c50e6254e98b3f316464fac8e77968 ] I got some resource leak reports while doing fault injection test: OF: ERROR: memory leak, expected refcount 1 instead of 100, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@64/regulators/buck1 unreferenced object 0xffff88810deea000 (size 512): comm "490-i2c-rt5190a", pid 253, jiffies 4294859840 (age 5061.046s) hex dump (first 32 bytes): 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... ff ff ff ff ff ff ff ff a0 1e 00 a1 ff ff ff ff ................ backtrace: [<00000000d78541e2>] kmalloc_trace+0x21/0x110 [<00000000b343d153>] device_private_init+0x32/0xd0 [<00000000be1f0c70>] device_add+0xb2d/0x1030 [<00000000e3e6344d>] regulator_register+0xaf2/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] unreferenced object 0xffff88810b617b80 (size 32): comm "490-i2c-rt5190a", pid 253, jiffies 4294859904 (age 5060.983s) hex dump (first 32 bytes): 72 65 67 75 6c 61 74 6f 72 2e 32 38 36 38 2d 53 regulator.2868-S 55 50 50 4c 59 00 ff ff 29 00 00 00 2b 00 00 00 UPPLY...)...+... backtrace: [<000000009da9280d>] __kmalloc_node_track_caller+0x44/0x1b0 [<0000000025c6a4e5>] kstrdup+0x3a/0x70 [<00000000790efb69>] create_regulator+0xc0/0x4e0 [<0000000005ed203a>] regulator_resolve_supply+0x2d4/0x440 [<0000000045796214>] regulator_register+0x10b3/0x12a0 [<00000000e2f5e754>] devm_regulator_register+0x57/0xb0 [<000000008b898197>] rt5190a_probe+0x52a/0x861 [rt5190a_regulator] After calling regulator_resolve_supply(), the 'rdev->supply' is set by set_supply(), after this set, in the error path, the resources need be released, so call regulator_put() to avoid the leaks. Fixes: aea6cb99703e ("regulator: resolve supply after creating regulator") Fixes: 8a866d527ac0 ("regulator: core: Resolve supply name earlier to prevent double-init") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221202025111.496402-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit c72eb6e6e49a71f7598740786568fafdd013a227 Author: Chen Zhongjin Date: Mon Oct 17 09:42:30 2022 +0800 configfs: fix possible memory leak in configfs_create_dir() [ Upstream commit c65234b283a65cfbfc94619655e820a5e55199eb ] kmemleak reported memory leaks in configfs_create_dir(): unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) ... This is because the refcount is not correct in configfs_make_dirent(). For normal stage, the refcount is changing as: configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 ... configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() ... *dentry_unlink_inode()* configfs_d_iput() # s_count = 0, release However, if we failed in configfs_create(): configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 ... configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode); There is no inode in the error path, so the configfs_d_iput() is lost and makes sd and fragment memory leaked. To fix this, when we failed in configfs_create(), manually call configfs_put(sd) to keep the refcount correct. Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem") Signed-off-by: Chen Zhongjin Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit d2576d29da71aaa62e51a7ed641b6316c8ef8ebd Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:13 2022 +0100 hsr: Synchronize sequence number updates. [ Upstream commit 5c7aa13210c3abdd34fd421f62347665ec6eb551 ] hsr_register_frame_out() compares new sequence_nr vs the old one recorded in hsr_node::seq_out and if the new sequence_nr is higher then it will be written to hsr_node::seq_out as the new value. This operation isn't locked so it is possible that two frames with the same sequence number arrive (via the two slave devices) and are fed to hsr_register_frame_out() at the same time. Both will pass the check and update the sequence counter later to the same value. As a result the content of the same packet is fed into the stack twice. This was noticed by running ping and observing DUP being reported from time to time. Instead of using the hsr_priv::seqnr_lock for the whole receive path (as it is for sending in the master node) add an additional lock that is only used for sequence number checks and updates. Add a per-node lock that is used during sequence number reads and updates. Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit b5259dcfa3e11ca53b53a238fca2cc5959c34192 Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:12 2022 +0100 hsr: Synchronize sending frames to have always incremented outgoing seq nr. [ Upstream commit 06afd2c31d338fa762548580c1bf088703dd1e03 ] Sending frames via the hsr (master) device requires a sequence number which is tracked in hsr_priv::sequence_nr and protected by hsr_priv::seqnr_lock. Each time a new frame is sent, it will obtain a new id and then send it via the slave devices. Each time a packet is sent (via hsr_forward_do()) the sequence number is checked via hsr_register_frame_out() to ensure that a frame is not handled twice. This make sense for the receiving side to ensure that the frame is not injected into the stack twice after it has been received from both slave ports. There is no locking to cover the sending path which means the following scenario is possible: CPU0 CPU1 hsr_dev_xmit(skb1) hsr_dev_xmit(skb2) fill_frame_info() fill_frame_info() hsr_fill_frame_info() hsr_fill_frame_info() handle_std_frame() handle_std_frame() skb1's sequence_nr = 1 skb2's sequence_nr = 2 hsr_forward_do() hsr_forward_do() hsr_register_frame_out(, 2) // okay, send) hsr_register_frame_out(, 1) // stop, lower seq duplicate Both skbs (or their struct hsr_frame_info) received an unique id. However since skb2 was sent before skb1, the higher sequence number was recorded in hsr_register_frame_out() and the late arriving skb1 was dropped and never sent. This scenario has been observed in a three node HSR setup, with node1 + node2 having ping and iperf running in parallel. From time to time ping reported a missing packet. Based on tracing that missing ping packet did not leave the system. It might be possible (didn't check) to drop the sequence number check on the sending side. But if the higher sequence number leaves on wire before the lower does and the destination receives them in that order and it will drop the packet with the lower sequence number and never inject into the stack. Therefore it seems the only way is to lock the whole path from obtaining the sequence number and sending via dev_queue_xmit() and assuming the packets leave on wire in the same order (and don't get reordered by the NIC). Cover the whole path for the master interface from obtaining the ID until after it has been forwarded via hsr_forward_skb() to ensure the skbs are sent to the NIC in the order of the assigned sequence numbers. Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 3b79aaa88bab469449637218897bba75cf7364a8 Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:11 2022 +0100 hsr: Disable netpoll. [ Upstream commit d5c7652eb16fa203d82546e0285136d7b321ffa9 ] The hsr device is a software device. Its net_device_ops::ndo_start_xmit() routine will process the packet and then pass the resulting skb to dev_queue_xmit(). During processing, hsr acquires a lock with spin_lock_bh() (hsr_add_node()) which needs to be promoted to the _irq() suffix in order to avoid a potential deadlock. Then there are the warnings in dev_queue_xmit() (due to local_bh_disable() with disabled interrupts) left. Instead trying to address those (there is qdisc and…) for netpoll sake, just disable netpoll on hsr. Disable netpoll on hsr and replace the _irqsave() locking with _bh(). Fixes: f421436a591d3 ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 1517be0aef6df35534be71e3b9e9920ab9a675ab Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:10 2022 +0100 hsr: Avoid double remove of a node. [ Upstream commit 0c74d9f79ec4299365bbe803baa736ae0068179e ] Due to the hashed-MAC optimisation one problem become visible: hsr_handle_sup_frame() walks over the list of available nodes and merges two node entries into one if based on the information in the supervision both MAC addresses belong to one node. The list-walk happens on a RCU protected list and delete operation happens under a lock. If the supervision arrives on both slave interfaces at the same time then this delete operation can occur simultaneously on two CPUs. The result is the first-CPU deletes the from the list and the second CPUs BUGs while attempting to dereference a poisoned list-entry. This happens more likely with the optimisation because a new node for the mac_B entry is created once a packet has been received and removed (merged) once the supervision frame has been received. Avoid removing/ cleaning up a hsr_node twice by adding a `removed' field which is set to true after the removal and checked before the removal. Fixes: f266a683a4804 ("net/hsr: Better frame dispatch") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 4d2f6c44fd8525fba2ca5bdd2ae3aa24ac3e133a Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:09 2022 +0100 hsr: Add a rcu-read lock to hsr_forward_skb(). [ Upstream commit 5aa2820177af650293b2f9f1873c1f6f8e4ad7a4 ] hsr_forward_skb() a skb and keeps information in an on-stack hsr_frame_info. hsr_get_node() assigns hsr_frame_info::node_src which is from a RCU list. This pointer is used later in hsr_forward_do(). I don't see a reason why this pointer can't vanish midway since there is no guarantee that hsr_forward_skb() is invoked from an RCU read section. Use rcu_read_lock() to protect hsr_frame_info::node_src from its assignment until it is no longer used. Fixes: f266a683a4804 ("net/hsr: Better frame dispatch") Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 41d4bcc624cff970bb31945be6ad18fb0edef32c Author: Sebastian Andrzej Siewior Date: Tue Nov 29 17:48:08 2022 +0100 Revert "net: hsr: use hlist_head instead of list_head for mac addresses" [ Upstream commit e012764cebf6e33097f6833ff15a936fbe7b846c ] The hlist optimisation (which not only uses hlist_head instead of list_head but also splits hsr_priv::node_db into an array of 256 slots) does not consider the "node merge": Upon starting the hsr network (with three nodes) a packet that is sent from node1 to node3 will also be sent from node1 to node2 and then forwarded to node3. As a result node3 will receive 2 packets because it is not able to filter out the duplicate. Each packet received will create a new struct hsr_node with macaddress_A only set the MAC address it received from (the two MAC addesses from node1). At some point (early in the process) two supervision frames will be received from node1. They will be processed by hsr_handle_sup_frame() and one frame will leave early ("Node has already been merged") and does nothing. The other frame will be merged as portB and have its MAC address written to macaddress_B and the hsr_node (that was created for it as macaddress_A) will be removed. From now on HSR is able to identify a duplicate because both packets sent from one node will result in the same struct hsr_node because hsr_get_node() will find the MAC address either on macaddress_A or macaddress_B. Things get tricky with the optimisation: If sender's MAC address is saved as macaddress_A then the lookup will work as usual. If the MAC address has been merged into macaddress_B of another hsr_node then the lookup won't work because it is likely that the data structure is in another bucket. This results in creating a new struct hsr_node and not recognising a possible duplicate. A way around it would be to add another hsr_node::mac_list_B and attach it to the other bucket to ensure that this hsr_node will be looked up either via macaddress_A _or_ macaddress_B. I however prefer to revert it because it sounds like an academic problem rather than real life workload plus it adds complexity. I'm not an HSR expert with what is usual size of a network but I would guess 40 to 60 nodes. With 10.000 nodes and assuming 60us for pass-through (from node to node) then it would take almost 600ms for a packet to almost wrap around which sounds a lot. Revert the hash MAC addresses optimisation. Fixes: 4acc45db71158 ("net: hsr: use hlist_head instead of list_head for mac addresses") Cc: Juhee Kang Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit 35a6ae235108857bb8deed54040767c5522d282b Author: Christian Marangi Date: Tue Nov 8 22:56:25 2022 +0100 clk: qcom: clk-krait: fix wrong div2 functions [ Upstream commit d676d3a3717cf726d3affedbe5ba98fc4ccad7b3 ] Currently div2 value is applied to the wrong bits. This is caused by a bug in the code where the shift is done only for lpl, for anything else the mask is not shifted to the correct bits. Fix this by correctly shift if lpl is not supported. Fixes: 4d7dc77babfe ("clk: qcom: Add support for Krait clocks") Signed-off-by: Christian Marangi Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221108215625.30186-1-ansuelsmth@gmail.com Signed-off-by: Sasha Levin commit 3b317660e43f7e19c0349d3c11c15df0b843f8c5 Author: Douglas Anderson Date: Fri Nov 4 06:56:29 2022 -0700 clk: qcom: lpass-sc7180: Fix pm_runtime usage [ Upstream commit ff1ccf59eaffd192efe21f7de9fb0c130faf1b1b ] The sc7180 lpass clock controller's pm_runtime usage wasn't broken quite as spectacularly as the sc7280's pm_runtime usage, but it was still broken. Putting some printouts in at boot showed me this (with serial console enabled, which makes the prints slow and thus changes timing): [ 3.109951] DOUG: my_pm_clk_resume, usage=1 [ 3.114767] DOUG: my_pm_clk_resume, usage=1 [ 3.664443] DOUG: my_pm_clk_suspend, usage=0 [ 3.897566] DOUG: my_pm_clk_suspend, usage=0 [ 3.910137] DOUG: my_pm_clk_resume, usage=1 [ 3.923217] DOUG: my_pm_clk_resume, usage=0 [ 4.440116] DOUG: my_pm_clk_suspend, usage=-1 [ 4.444982] DOUG: my_pm_clk_suspend, usage=0 [ 14.170501] DOUG: my_pm_clk_resume, usage=1 [ 14.176245] DOUG: my_pm_clk_resume, usage=0 ...or this w/out serial console: [ 0.556139] DOUG: my_pm_clk_resume, usage=1 [ 0.556279] DOUG: my_pm_clk_resume, usage=1 [ 1.058422] DOUG: my_pm_clk_suspend, usage=-1 [ 1.058464] DOUG: my_pm_clk_suspend, usage=0 [ 1.186250] DOUG: my_pm_clk_resume, usage=1 [ 1.186292] DOUG: my_pm_clk_resume, usage=0 [ 1.731536] DOUG: my_pm_clk_suspend, usage=-1 [ 1.731557] DOUG: my_pm_clk_suspend, usage=0 [ 10.288910] DOUG: my_pm_clk_resume, usage=1 [ 10.289496] DOUG: my_pm_clk_resume, usage=0 It seems to be doing roughly the right sequence of calls, but just like with sc7280 this is more by luck than anything. Having a usage of -1 is just not OK. Let's fix this like we did with sc7280. Signed-off-by: Douglas Anderson Fixes: ce8c195e652f ("clk: qcom: lpasscc: Introduce pm autosuspend for SC7180") Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221104064055.2.I49b25b9bda9430fc7ea21e5a708ca5a0aced2798@changeid Signed-off-by: Sasha Levin commit 607ccb7d3d351df10e063b063bfb0c741118eaf4 Author: Douglas Anderson Date: Fri Nov 4 06:56:28 2022 -0700 clk: qcom: lpass-sc7280: Fix pm_runtime usage [ Upstream commit d470be3c4f30b4666e43eef6bab80f543563cdb0 ] The pm_runtime usage in lpass-sc7280 was broken in quite a few ways. Specifically: 1. At the end of probe it called "put" twice. This is a no-no and will end us up with a negative usage count. Even worse than calling "put" twice, it never called "get" once. Thus after bootup it could be seen that the runtime usage of the devices managed by this driver was -2. 2. In some error cases it manually called pm_runtime_disable() even though it had previously used devm_add_action_or_reset() to set this up to be called automatically. This meant that in these error cases we'd double-call pm_runtime_disable(). 3. It forgot to call undo pm_runtime_use_autosuspend(), which can sometimes have subtle problems (and the docs specifically mention that you need to undo this function). Overall the above seriously calls into question how this driver is working. It seems like a combination of "it doesn't", "by luck", and "because of the weirdness of runtime_pm". Specifically I put a printout to the serial console every time the runtime suspend/resume was called for the two devices created by this driver (I wrapped the pm_clk calls). When I had serial console enabled, I found that the calls got resumed at bootup (when the clk core probed and before our double-put) and then never touched again. That's no good. [ 0.829997] DOUG: my_pm_clk_resume, usage=1 [ 0.835487] DOUG: my_pm_clk_resume, usage=1 When I disabled serial console (speeding up boot), I got a different pattern, which I guess (?) is better: [ 0.089767] DOUG: my_pm_clk_resume, usage=1 [ 0.090507] DOUG: my_pm_clk_resume, usage=1 [ 0.151885] DOUG: my_pm_clk_suspend, usage=-2 [ 0.151914] DOUG: my_pm_clk_suspend, usage=-2 [ 1.825747] DOUG: my_pm_clk_resume, usage=-1 [ 1.825774] DOUG: my_pm_clk_resume, usage=-1 [ 1.888269] DOUG: my_pm_clk_suspend, usage=-2 [ 1.888282] DOUG: my_pm_clk_suspend, usage=-2 These different patterns have to do with the fact that the core PM Runtime code really isn't designed to be robust to negative usage counts and sometimes may happen to stumble upon a behavior that happens to "work". For instance, you can see that __pm_runtime_suspend() will treat any non-zero value (including negative numbers) as if the device is in use. In any case, let's fix the driver to be correct. We'll hold a pm_runtime reference for the whole probe and then drop it (once!) at the end. We'll get rid of manual pm_runtime_disable() calls in the error handling. We'll also switch to devm_pm_runtime_enable(), which magically handles undoing pm_runtime_use_autosuspend() as of commit b4060db9251f ("PM: runtime: Have devm_pm_runtime_enable() handle pm_runtime_dont_use_autosuspend()"). While we're at this, let's also use devm_pm_clk_create() instead of rolling it ourselves. Note that the above changes make it obvious that lpassaudio_create_pm_clks() was doing more than just creating clocks. It was also setting up pm_runtime parameters. Let's rename it. All of these problems were found by code inspection. I started looking at this driver because it was involved in a deadlock that I reported a while ago [1]. Though I bisected the deadlock to commit 1b771839de05 ("clk: qcom: gdsc: enable optional power domain support"), it was never really clear why that patch affected it other than a luck of timing changes. I'll also note that by fixing the timing (as done in this change) we also seem to aboid the deadlock, which is a nice benefit. Also note that some of the fixes here are much the same type of stuff that Dmitry did in commit 72cfc73f4663 ("clk: qcom: use devm_pm_runtime_enable and devm_pm_clk_create"), but I guess lpassaudiocc-sc7280.c didn't exist then. [1] https://lore.kernel.org/r/20220922154354.2486595-1-dianders@chromium.org Fixes: a9dd26639d05 ("clk: qcom: lpass: Add support for LPASS clock controller for SC7280") Signed-off-by: Douglas Anderson Reviewed-by: Dmitry Baryshkov Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221104064055.1.I00a0e4564a25489e85328ec41636497775627564@changeid Signed-off-by: Sasha Levin commit 89f19d11aad82780d1d065164e98a6c1cb04a817 Author: Yang Yingliang Date: Thu Dec 1 20:27:05 2022 +0800 regulator: core: fix module refcount leak in set_supply() [ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ] If create_regulator() fails in set_supply(), the module refcount needs be put to keep refcount balanced. Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2d4b9c7e81f3a4df27749ebecb426b145e68be2a Author: Xiongfeng Wang Date: Fri Nov 25 10:58:31 2022 +0800 mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2() [ Upstream commit 5938196cc188ba4323bc6357f5ac55127d715888 ] As comment of pci_get_device() says, it returns a pci_device with its refcount increased. We need to call pci_dev_put() to decrease the refcount. Save the return value of pci_get_device() and call pci_dev_put() to decrease the refcount. Fixes: 9093cfff72e3 ("mt76: mt7915: add support for using a secondary PCIe link for gen1") Fixes: 2e30db0dde61 ("mt76: mt7915: add device id for mt7916") Signed-off-by: Xiongfeng Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit d26fdb1ec5b7705c9d3317183ca1dd4d336fb7a7 Author: Deren Wu Date: Thu Nov 24 22:20:38 2022 +0800 wifi: mt76: do not send firmware FW_FEATURE_NON_DL region [ Upstream commit f37f76d43865c58cb96aa13c87164abb41f22d0b ] skip invalid section to avoid potential risks Fixes: 23bdc5d8cadf ("wifi: mt76: mt7921: introduce Country Location Control support") Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 52f7e23926178dcf8dcd63dacac0955aec8ac83d Author: Deren Wu Date: Mon Nov 28 15:04:21 2022 +0800 wifi: mt76: mt7921: Add missing __packed annotation of struct mt7921_clc [ Upstream commit e5c6bc6f19d8c293f86b347cddab54d5a3830b38 ] Add __packed annotation to avoid potential CLC parsing error Fixes: 23bdc5d8cadf ("wifi: mt76: mt7921: introduce Country Location Control support") Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit eb91025565658702c0ebb4ab26aca62d3239ae20 Author: Deren Wu Date: Sun Nov 27 10:35:37 2022 +0800 wifi: mt76: fix coverity overrun-call in mt76_get_txpower() [ Upstream commit 03dd0d49de7db680a856fa566963bb8421f46368 ] Make sure the nss is valid for nss_delta array. Return zero if the index is invalid. Coverity message: Event overrun-call: Overrunning callee's array of size 4 by passing argument "n_chains" (which evaluates to 15) in call to "mt76_tx_power_nss_delta". int delta = mt76_tx_power_nss_delta(n_chains); Fixes: 07cda406308b ("mt76: fix rounding issues on converting per-chain and combined txpower") Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit f11c5a1926c9430b90e19fe5d8dcc0e1ee71a0ca Author: YN Chen Date: Wed Nov 16 22:43:02 2022 +0800 wifi: mt76: mt7921: fix wrong power after multiple SAR set [ Upstream commit 7eefb93d4a6fbccd859e538d208c50fd10b44cb7 ] We should update CLC config before SAR set to synchronize all related settings. Fixes: 23bdc5d8cadf ("wifi: mt76: mt7921: introduce Country Location Control support") Signed-off-by: YN Chen Signed-off-by: Deren Wu Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 71e73d3ce2b85d3efa6d546d161645a0a9ee49ce Author: Nicolas Cavallari Date: Thu Nov 10 16:39:51 2022 +0100 wifi: mt76: mt7915: Fix chainmask calculation on mt7915 DBDC [ Upstream commit de147cc28985a2a09e5d6d179fc5ef59b22fc058 ] mt7915 does not have a per-band number of chains unlike the other chips, it only has a total number of chains. Yet the current code would consider the total number as a per-band number. For example, it would report that a 2x2 + 2x2 DBDC card have 4 chains on each band and set chainmask to 0b1111 for the first interface and 0b11110000 for the second. Fixes: 99ad32a4ca3a ("mt76: mt7915: add support for MT7986") Co-developed-by: Felix Fietkau Signed-off-by: Nicolas Cavallari Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 13b31708e54f37e91379031e5f797855b6128318 Author: Shayne Chen Date: Fri Sep 30 23:13:10 2022 +0800 wifi: mt76: mt7915: rework eeprom tx paths and streams init [ Upstream commit a7ec8bcf00034ce84d4c9a15dffd7577fbed4db2 ] Rework tx paths and streams init part to improve readability, and make sure that the available tx streams should be smaller than or equal to the available tx paths. Signed-off-by: Shayne Chen Signed-off-by: Felix Fietkau Stable-dep-of: de147cc28985 ("wifi: mt76: mt7915: Fix chainmask calculation on mt7915 DBDC") Signed-off-by: Sasha Levin commit 5e55a45d91960ab02ea8dfa04cb3ee044ee6dcdf Author: Lorenzo Bianconi Date: Wed Nov 2 13:46:50 2022 +0100 wifi: mt76: mt7921: fix reporting of TX AGGR histogram [ Upstream commit 028b4f22b37b88821fd87b56ce47b180583c774e ] Similar to mt7915, fix stats clash between bins [4-7] in 802.11 tx aggregation histogram. Fixes: 163f4d22c118d ("mt76: mt7921: add MAC support") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 6435fc52ef368ff534a763d4dfda51bb031b6669 Author: Lorenzo Bianconi Date: Wed Nov 2 13:35:01 2022 +0100 wifi: mt76: mt7915: fix reporting of TX AGGR histogram [ Upstream commit 528d13e7f033b54d50e0077922dd52f005d648cf ] Fix stats clash between bins [4-7] in 802.11 tx aggregation histogram. Fixes: e57b7901469fc ("mt76: add mac80211 driver for MT7915 PCIe-based chipsets") Signed-off-by: Lorenzo Bianconi Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit 1d3ecd15729457d04568ef94275f6d6573089c8c Author: Ryder Lee Date: Sat Oct 1 09:42:44 2022 +0800 wifi: mt76: mt7915: fix mt7915_mac_set_timing() [ Upstream commit 0c881dc08fd71ca2673f31a64989fbb28eac26f4 ] Correct mac timiing settings for different hardware generations. This improves 40-60Mbps performance. Fixes: 9aac2969fe5f ("mt76: mt7915: update mac timing settings") Reported-By: Carson Vandegriffe Tested-by: Chad Monroe Signed-off-by: Ryder Lee Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit c6cd8bacafc2306dc7b2ef947affe62d16511ca1 Author: Sean Wang Date: Sat Sep 17 06:46:45 2022 +0800 wifi: mt76: mt7921: fix antenna signal are way off in monitor mode [ Upstream commit c256ba6b1909f28b517274282b6845567e974143 ] Group 3 in RxD is disabled in monitor mode. We should use the group 5 in RxD instead to fix antenna signal way off issue, e.g we would see the incorrect antenna signal value in wireshark. On the other hand, Group 5 wouldn't be used in STA or AP mode, so the patch shouldn't cause any harm to those modes. Fixes: cbaa0a404f8d ("mt76: mt7921: fix up the monitor mode") Reported-by: Adrian Granados Co-developed-by: Deren Wu Signed-off-by: Deren Wu Signed-off-by: Sean Wang Signed-off-by: Felix Fietkau Signed-off-by: Sasha Levin commit ae99debcf6b8676af542cc3cb199ae6377ccbd14 Author: Chen Zhongjin Date: Wed Nov 9 17:02:37 2022 +0800 wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails [ Upstream commit 833a9fd28c9b7ccb39a334721379e992dc1c0c89 ] In regulatory_init_db(), when it's going to return a error, reg_pdev should be unregistered. When load_builtin_regdb_keys() fails it doesn't do it and makes cfg80211 can't be reload with report: sysfs: cannot create duplicate filename '/devices/platform/regulatory.0' ... dump_stack_lvl+0x79/0x9b sysfs_warn_dup.cold+0x1c/0x29 sysfs_create_dir_ns+0x22d/0x290 kobject_add_internal+0x247/0x800 kobject_add+0x135/0x1b0 device_add+0x389/0x1be0 platform_device_add+0x28f/0x790 platform_device_register_full+0x376/0x4b0 regulatory_init+0x9a/0x4b2 [cfg80211] cfg80211_init+0x84/0x113 [cfg80211] ... Fixes: 90a53e4432b1 ("cfg80211: implement regdb signature checking") Signed-off-by: Chen Zhongjin Link: https://lore.kernel.org/r/20221109090237.214127-1-chenzhongjin@huawei.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 92c9732ce7ebb8633abe61870049377e2e9574d4 Author: Íñigo Huguet Date: Fri Nov 11 16:36:22 2022 +0100 wifi: mac80211: fix maybe-unused warning [ Upstream commit 09d838a457a89883a926b8b0104d575158fd4b92 ] In ieee80211_lookup_key, the variable named `local` is unused if compiled without lockdep, getting this warning: net/mac80211/cfg.c: In function ‘ieee80211_lookup_key’: net/mac80211/cfg.c:542:26: error: unused variable ‘local’ [-Werror=unused-variable] struct ieee80211_local *local = sdata->local; ^~~~~ Fix it with __maybe_unused. Fixes: 8cbf0c2ab6df ("wifi: mac80211: refactor some key code") Signed-off-by: Íñigo Huguet Link: https://lore.kernel.org/r/20221111153622.29016-1-ihuguet@redhat.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 9a50a7f64243bd21a84353c371f3977b9ffd9fa5 Author: Zhengchao Shao Date: Thu Nov 17 14:45:00 2022 +0800 wifi: mac80211: fix memory leak in ieee80211_if_add() [ Upstream commit 13e5afd3d773c6fc6ca2b89027befaaaa1ea7293 ] When register_netdevice() failed in ieee80211_if_add(), ndev->tstats isn't released. Fix it. Fixes: 5a490510ba5f ("mac80211: use per-CPU TX/RX statistics") Signed-off-by: Zhengchao Shao Link: https://lore.kernel.org/r/20221117064500.319983-1-shaozhengchao@huawei.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 687b6b37c09481a39ec60cfa94e7049daeb1af2f Author: Yuan Can Date: Tue Nov 29 01:42:11 2022 +0000 wifi: nl80211: Add checks for nla_nest_start() in nl80211_send_iface() [ Upstream commit 5cc58b376675981386c6192405fe887cd29c527a ] As the nla_nest_start() may fail with NULL returned, the return value needs to be checked. Fixes: ce08cd344a00 ("wifi: nl80211: expose link information for interfaces") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221129014211.56558-1-yuancan@huawei.com Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 16984b61ef15a15915cbf8b6ecc38c41c972d4ca Author: Alexander Sverdlin Date: Wed Nov 30 17:29:27 2022 +0100 spi: spidev: mask SPI_CS_HIGH in SPI_IOC_RD_MODE [ Upstream commit 7dbfa445ff7393d1c4c066c1727c9e0af1251958 ] Commit f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs") has changed the user-space interface so that bogus SPI_CS_HIGH started to appear in the mask returned by SPI_IOC_RD_MODE even for active-low CS pins. Commit 138c9c32f090 ("spi: spidev: Fix CS polarity if GPIO descriptors are used") fixed only SPI_IOC_WR_MODE part of the problem. Let's fix SPI_IOC_RD_MODE symmetrically. Test case: #include #include #include int main(int argc, char **argv) { char modew = SPI_CPHA; char moder; int f = open("/dev/spidev0.0", O_RDWR); if (f < 0) return 1; ioctl(f, SPI_IOC_WR_MODE, &modew); ioctl(f, SPI_IOC_RD_MODE, &moder); return moder == modew ? 0 : 2; } Fixes: f3186dd87669 ("spi: Optionally use GPIO descriptors for CS GPIOs") Signed-off-by: Alexander Sverdlin Link: https://lore.kernel.org/r/20221130162927.539512-1-alexander.sverdlin@siemens.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 58cf9f4b79ad0878cb05dda71b08ccc376c3ba47 Author: Dan Carpenter Date: Mon Nov 28 14:06:14 2022 +0300 bonding: uninitialized variable in bond_miimon_inspect() [ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ] The "ignore_updelay" variable needs to be initialized to false. Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero") Signed-off-by: Dan Carpenter Reviewed-by: Pavan Chebbi Acked-by: Jay Vosburgh Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit 26a844a91ecbea7bf4d7eac50168cc00d9242da7 Author: Pengcheng Yang Date: Tue Nov 29 18:40:40 2022 +0800 bpf, sockmap: Fix data loss caused by using apply_bytes on ingress redirect [ Upstream commit 9072931f020bfd907d6d89ee21ff1481cd78b407 ] Use apply_bytes on ingress redirect, when apply_bytes is less than the length of msg data, some data may be skipped and lost in bpf_tcp_ingress(). If there is still data in the scatterlist that has not been consumed, we cannot move the msg iter. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Pengcheng Yang Signed-off-by: Daniel Borkmann Acked-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/1669718441-2654-4-git-send-email-yangpc@wangsu.com Signed-off-by: Sasha Levin commit e45de3007ac5c0029a50c93559150be32c33a55c Author: Pengcheng Yang Date: Tue Nov 29 18:40:39 2022 +0800 bpf, sockmap: Fix missing BPF_F_INGRESS flag when using apply_bytes [ Upstream commit a351d6087bf7d3d8440d58d3bf244ec64b89394a ] When redirecting, we use sk_msg_to_ingress() to get the BPF_F_INGRESS flag from the msg->flags. If apply_bytes is used and it is larger than the current data being processed, sk_psock_msg_verdict() will not be called when sendmsg() is called again. At this time, the msg->flags is 0, and we lost the BPF_F_INGRESS flag. So we need to save the BPF_F_INGRESS flag in sk_psock and use it when redirection. Fixes: 8934ce2fd081 ("bpf: sockmap redirect ingress support") Signed-off-by: Pengcheng Yang Signed-off-by: Daniel Borkmann Acked-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/1669718441-2654-3-git-send-email-yangpc@wangsu.com Signed-off-by: Sasha Levin commit 113236e8f49f262f318c00ebb14b15f4834e87c1 Author: Pengcheng Yang Date: Tue Nov 29 18:40:38 2022 +0800 bpf, sockmap: Fix repeated calls to sock_put() when msg has more_data [ Upstream commit 7a9841ca025275b5b0edfb0b618934abb6ceec15 ] In tcp_bpf_send_verdict() redirection, the eval variable is assigned to __SK_REDIRECT after the apply_bytes data is sent, if msg has more_data, sock_put() will be called multiple times. We should reset the eval variable to __SK_NONE every time more_data starts. This causes: IPv4: Attempt to release TCP socket in state 1 00000000b4c925d7 ------------[ cut here ]------------ refcount_t: addition on 0; use-after-free. WARNING: CPU: 5 PID: 4482 at lib/refcount.c:25 refcount_warn_saturate+0x7d/0x110 Modules linked in: CPU: 5 PID: 4482 Comm: sockhash_bypass Kdump: loaded Not tainted 6.0.0 #1 Hardware name: Red Hat KVM, BIOS 1.11.0-2.el7 04/01/2014 Call Trace: __tcp_transmit_skb+0xa1b/0xb90 ? __alloc_skb+0x8c/0x1a0 ? __kmalloc_node_track_caller+0x184/0x320 tcp_write_xmit+0x22a/0x1110 __tcp_push_pending_frames+0x32/0xf0 do_tcp_sendpages+0x62d/0x640 tcp_bpf_push+0xae/0x2c0 tcp_bpf_sendmsg_redir+0x260/0x410 ? preempt_count_add+0x70/0xa0 tcp_bpf_send_verdict+0x386/0x4b0 tcp_bpf_sendmsg+0x21b/0x3b0 sock_sendmsg+0x58/0x70 __sys_sendto+0xfa/0x170 ? xfd_validate_state+0x1d/0x80 ? switch_fpu_return+0x59/0xe0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: cd9733f5d75c ("tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function") Signed-off-by: Pengcheng Yang Signed-off-by: Daniel Borkmann Acked-by: Jakub Sitnicki Link: https://lore.kernel.org/bpf/1669718441-2654-2-git-send-email-yangpc@wangsu.com Signed-off-by: Sasha Levin commit ff0d392a4255dc5e075a0efc2abc64cf81cd2b5a Author: Randy Dunlap Date: Wed Nov 30 15:01:07 2022 -0800 Input: wistron_btns - disable on UML [ Upstream commit b2b80d9dd14cb5b70dc254bddbc4eea932694791 ] The wistron_btns driver calls rtc_cmos_read(), which isn't available with UML builds, so disable this driver on UML. Prevents this build error: ld: drivers/input/misc/wistron_btns.o: in function `poll_bios': wistron_btns.c:(.text+0x4be): undefined reference to `rtc_cmos_read' Fixes: 0bbadafdc49d ("um: allow disabling NO_IOMEM") # v5.14+ Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20221130161604.1879-1-rdunlap@infradead.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ce7de847f19e9a84d3caca2739a80ec7d6428be4 Author: Florian Westphal Date: Tue Nov 22 16:00:09 2022 +0100 netfilter: conntrack: set icmpv6 redirects as RELATED [ Upstream commit 7d7cfb48d81353e826493d24c7cec7360950968f ] icmp conntrack will set icmp redirects as RELATED, but icmpv6 will not do this. For icmpv6, only icmp errors (code <= 128) are examined for RELATED state. ICMPV6 Redirects are part of neighbour discovery mechanism, those are handled by marking a selected subset (e.g. neighbour solicitations) as UNTRACKED, but not REDIRECT -- they will thus be flagged as INVALID. Add minimal support for REDIRECTs. No parsing of neighbour options is added for simplicity, so this will only check that we have the embeeded original header (ND_OPT_REDIRECT_HDR), and then attempt to do a flow lookup for this tuple. Also extend the existing test case to cover redirects. Fixes: 9fb9cbb1082d ("[NETFILTER]: Add nf_conntrack subsystem.") Reported-by: Eric Garver Link: https://github.com/firewalld/firewalld/issues/1046 Signed-off-by: Florian Westphal Acked-by: Eric Garver Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin commit f0f1982ddfb418bf7bf05dadebae5c6869a41d41 Author: Xiu Jianfeng Date: Tue Nov 22 23:23:53 2022 +0800 clk: visconti: Fix memory leak in visconti_register_pll() [ Upstream commit b55226f8553d255f5002c751c7c6ba9291f34bf2 ] @pll->rate_table has allocated memory by kmemdup(), if clk_hw_register() fails, it should be freed, otherwise it will cause memory leak issue, this patch fixes it. Fixes: b4cbe606dc36 ("clk: visconti: Add support common clock driver and reset driver") Signed-off-by: Xiu Jianfeng Link: https://lore.kernel.org/r/20221122152353.204132-1-xiujianfeng@huawei.com Acked-by: Nobuhiro Iwamatsu Signed-off-by: Stephen Boyd Signed-off-by: Sasha Levin commit 4fa98de4f8c8f9eb860d05b75e818b070188406d Author: Zhang Qilong Date: Thu Sep 29 00:04:02 2022 +0800 ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe [ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. We fix it by going to err_pm instead of err_clk. Fixes:f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL") Signed-off-by: Zhang Qilong Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7c852e8f93f04e57c1e3883caa72542469c6c4c4 Author: Xia Fukun Date: Fri Nov 25 14:34:28 2022 +0800 drm/i915/bios: fix a memory leak in generate_lfp_data_ptrs [ Upstream commit 1382901f75a5a7dc8eac05059fd0c7816def4eae ] When (size != 0 || ptrs->lvds_ entries != 3), the program tries to free() the ptrs. However, the ptrs is not created by calling kzmalloc(), but is obtained by pointer offset operation. This may lead to memory leaks or undefined behavior. Fix this by replacing the arguments of kfree() with ptrs_block. Fixes: a87d0a847607 ("drm/i915/bios: Generate LFP data table pointers if the VBT lacks them") Signed-off-by: Xia Fukun Signed-off-by: Jani Nikula Link: https://patchwork.freedesktop.org/patch/msgid/20221125063428.69486-1-xiafukun@huawei.com (cherry picked from commit 7674cd0b7d28b952151c3df26bbfa7e07eb2b4ec) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit c65564790048fa416ccd26a8945c7ec0cf9ef0b7 Author: Konstantin Meskhidze Date: Mon Nov 28 23:02:54 2022 -0500 drm/amdkfd: Fix memory leakage [ Upstream commit 75818afff631e1ea785a82c3e8bb82eb0dee539c ] This patch fixes potential memory leakage and seg fault in _gpuvm_import_dmabuf() function Fixes: d4ec4bdc0bd5 ("drm/amdkfd: Allow access for mmapping KFD BOs") Signed-off-by: Konstantin Meskhidze Signed-off-by: Felix Kuehling Reviewed-by: Felix Kuehling Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a8b54ad7106c0604c4adc4933138b3557739bce0 Author: Xiongfeng Wang Date: Tue Nov 22 19:30:43 2022 +0800 drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() [ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ] As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL. If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak. Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") Signed-off-by: Xiongfeng Wang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit a6cffe54064a5f6c2162a85af3c16c6b453eac4e Author: Xiongfeng Wang Date: Tue Nov 22 19:30:42 2022 +0800 drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() [ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ] As comment of pci_get_class() says, it returns a pci_device with its refcount increased and decreased the refcount for the input parameter @from if it is not NULL. If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we need to call pci_dev_put() to decrease the refcount. Add the missing pci_dev_put() to avoid refcount leak. Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM") Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)") Signed-off-by: Xiongfeng Wang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit dba7d85722243638d5f7df7fd2ab02957c412f0b Author: Veerabadhran Gopalakrishnan Date: Wed Nov 23 20:10:32 2022 +0530 amdgpu/nv.c: Corrected typo in the video capabilities resolution [ Upstream commit 65009bf2b4d287ef7ad7e6eb082b7c3d35eb611f ] Corrected the typo in the 4K resolution parameters. Fixes: b3a24461f9fb15 ("amdgpu/nv.c - Added codec query for Beige Goby") Fixes: 9075096b09e590 ("amdgpu/nv.c - Optimize code for video codec support structure") Fixes: 9ac0edaa0f8323 ("drm/amdgpu: add vcn_4_0_0 video codec query") Signed-off-by: Veerabadhran Gopalakrishnan Acked-by: Luben Tuikov Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit dd574ff7a7f247117cee7b823762ab467fe6bbd2 Author: Guchun Chen Date: Tue Nov 22 17:33:24 2022 +0800 drm/amd/pm/smu11: BACO is supported when it's in BACO state [ Upstream commit 6dca7efe6e522bf213c7dab691fa580d82f48f74 ] Return true early if ASIC is in BACO state already, no need to talk to SMU. It can fix the issue that driver was not calling BACO exit at all in runtime pm resume, and a timing issue leading to a PCI AER error happened eventually. Fixes: 8795e182b02d ("PCI/portdrv: Don't disable AER reporting in get_port_device_capability()") Suggested-by: Lijo Lazar Signed-off-by: Guchun Chen Reviewed-by: Lijo Lazar Reviewed-by: Evan Quan Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 95569b7285dc130e278cb72c9987372dbe4aab97 Author: Daniel Golle Date: Wed Oct 26 17:18:07 2022 +0100 clk: mediatek: fix dependency of MT7986 ADC clocks [ Upstream commit a46315295489933209e902638cd287aeb5f982ab ] It seems like CLK_INFRA_ADC_FRC_CK always need to be enabled for CLK_INFRA_ADC_26M_CK to work. Instead of adding this dependency to the mtk-thermal and mt6577_auxadc drivers, add dependency to the clock driver clk-mt7986-infracfg.c. Fixes: ec97d23c8e22 ("clk: mediatek: add mt7986 clock support") Suggested-by: AngeloGioacchino Del Regno Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Daniel Golle Link: https://lore.kernel.org/r/5e55012567da74870e1fb2edc2dc513b5821e523.1666801017.git.daniel@makrotopia.org Signed-off-by: Chen-Yu Tsai Signed-off-by: Sasha Levin commit 77c6b6be7e80ca4a4d4b66b63fd5bb48ccefdd5a Author: Ricardo Ribalda Date: Mon Nov 28 11:49:16 2022 +0100 ASoC: mediatek: mt8173: Enable IRQ when pdata is ready [ Upstream commit 4cbb264d4e9136acab2c8fd39e39ab1b1402b84b ] If the device does not come straight from reset, we might receive an IRQ before we are ready to handle it. Fixes: [ 2.334737] Unable to handle kernel read from unreadable memory at virtual address 00000000000001e4 [ 2.522601] Call trace: [ 2.525040] regmap_read+0x1c/0x80 [ 2.528434] mt8173_afe_irq_handler+0x40/0xf0 ... [ 2.598921] start_kernel+0x338/0x42c Signed-off-by: Ricardo Ribalda Fixes: ee0bcaff109f ("ASoC: mediatek: Add AFE platform driver") Link: https://lore.kernel.org/r/20221128-mt8173-afe-v1-0-70728221628f@chromium.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3a2ecd1ec14075117ccb3e85f0fed224578ec228 Author: Ben Greear Date: Wed Nov 23 23:02:06 2022 +0200 wifi: iwlwifi: mvm: fix double free on tx path. [ Upstream commit 0473cbae2137b963bd0eaa74336131cb1d3bc6c3 ] We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. So, return 0 in that particular error case and do cleanup manually. BUG: KASAN: use-after-free in __list_del_entry_valid+0x12/0x90 iwlwifi 0000:06:00.0: 0x00000000 | tsf hi Read of size 8 at addr ffff88813cfa4ba0 by task btserver/9650 CPU: 4 PID: 9650 Comm: btserver Tainted: G W 5.19.8+ #5 iwlwifi 0000:06:00.0: 0x00000000 | time gp1 Hardware name: Default string Default string/SKYBAY, BIOS 5.12 02/19/2019 Call Trace: dump_stack_lvl+0x55/0x6d print_report.cold.12+0xf2/0x684 iwlwifi 0000:06:00.0: 0x1D0915A8 | time gp2 ? __list_del_entry_valid+0x12/0x90 kasan_report+0x8b/0x180 iwlwifi 0000:06:00.0: 0x00000001 | uCode revision type ? __list_del_entry_valid+0x12/0x90 __list_del_entry_valid+0x12/0x90 iwlwifi 0000:06:00.0: 0x00000048 | uCode version major tcp_update_skb_after_send+0x5d/0x170 __tcp_transmit_skb+0xb61/0x15c0 iwlwifi 0000:06:00.0: 0xDAA05125 | uCode version minor ? __tcp_select_window+0x490/0x490 iwlwifi 0000:06:00.0: 0x00000420 | hw version ? trace_kmalloc_node+0x29/0xd0 ? __kmalloc_node_track_caller+0x12a/0x260 ? memset+0x1f/0x40 ? __build_skb_around+0x125/0x150 ? __alloc_skb+0x1d4/0x220 ? skb_zerocopy_clone+0x55/0x230 iwlwifi 0000:06:00.0: 0x00489002 | board version ? kmalloc_reserve+0x80/0x80 ? rcu_read_lock_bh_held+0x60/0xb0 tcp_write_xmit+0x3f1/0x24d0 iwlwifi 0000:06:00.0: 0x034E001C | hcmd ? __check_object_size+0x180/0x350 iwlwifi 0000:06:00.0: 0x24020000 | isr0 tcp_sendmsg_locked+0x8a9/0x1520 iwlwifi 0000:06:00.0: 0x01400000 | isr1 ? tcp_sendpage+0x50/0x50 iwlwifi 0000:06:00.0: 0x48F0000A | isr2 ? lock_release+0xb9/0x400 ? tcp_sendmsg+0x14/0x40 iwlwifi 0000:06:00.0: 0x00C3080C | isr3 ? lock_downgrade+0x390/0x390 ? do_raw_spin_lock+0x114/0x1d0 iwlwifi 0000:06:00.0: 0x00200000 | isr4 ? rwlock_bug.part.2+0x50/0x50 iwlwifi 0000:06:00.0: 0x034A001C | last cmd Id ? rwlock_bug.part.2+0x50/0x50 ? lockdep_hardirqs_on_prepare+0xe/0x200 iwlwifi 0000:06:00.0: 0x0000C2F0 | wait_event ? __local_bh_enable_ip+0x87/0xe0 ? inet_send_prepare+0x220/0x220 iwlwifi 0000:06:00.0: 0x000000C4 | l2p_control tcp_sendmsg+0x22/0x40 sock_sendmsg+0x5f/0x70 iwlwifi 0000:06:00.0: 0x00010034 | l2p_duration __sys_sendto+0x19d/0x250 iwlwifi 0000:06:00.0: 0x00000007 | l2p_mhvalid ? __ia32_sys_getpeername+0x40/0x40 iwlwifi 0000:06:00.0: 0x00000000 | l2p_addr_match ? rcu_read_lock_held_common+0x12/0x50 ? rcu_read_lock_sched_held+0x5a/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? rcu_read_lock_sched_held+0x5a/0xd0 ? rcu_read_lock_sched_held+0x5a/0xd0 ? lock_release+0xb9/0x400 ? lock_downgrade+0x390/0x390 ? ktime_get+0x64/0x130 ? ktime_get+0x8d/0x130 ? rcu_read_lock_held_common+0x12/0x50 ? rcu_read_lock_sched_held+0x5a/0xd0 ? rcu_read_lock_held_common+0x12/0x50 ? rcu_read_lock_sched_held+0x5a/0xd0 ? rcu_read_lock_bh_held+0xb0/0xb0 ? rcu_read_lock_bh_held+0xb0/0xb0 __x64_sys_sendto+0x6f/0x80 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 RIP: 0033:0x7f1d126e4531 Code: 00 00 00 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 35 80 0c 00 41 89 ca 8b 00 85 c0 75 1c 45 31 c9 45 31 c0 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 67 c3 66 0f 1f 44 00 00 55 48 83 ec 20 48 89 RSP: 002b:00007ffe21a679d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 000000000000ffdc RCX: 00007f1d126e4531 RDX: 0000000000010000 RSI: 000000000374acf0 RDI: 0000000000000014 RBP: 00007ffe21a67ac0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000010 R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000000 Allocated by task 9650: kasan_save_stack+0x1c/0x40 __kasan_slab_alloc+0x6d/0x90 kmem_cache_alloc_node+0xf3/0x2b0 __alloc_skb+0x191/0x220 tcp_stream_alloc_skb+0x3f/0x330 tcp_sendmsg_locked+0x67c/0x1520 tcp_sendmsg+0x22/0x40 sock_sendmsg+0x5f/0x70 __sys_sendto+0x19d/0x250 __x64_sys_sendto+0x6f/0x80 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 9650: kasan_save_stack+0x1c/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 __kasan_slab_free+0x102/0x170 kmem_cache_free+0xc8/0x3e0 iwl_mvm_mac_itxq_xmit+0x124/0x270 [iwlmvm] ieee80211_queue_skb+0x874/0xd10 [mac80211] ieee80211_xmit_fast+0xf80/0x1180 [mac80211] __ieee80211_subif_start_xmit+0x287/0x680 [mac80211] ieee80211_subif_start_xmit+0xcd/0x730 [mac80211] dev_hard_start_xmit+0xf6/0x420 __dev_queue_xmit+0x165b/0x1b50 ip_finish_output2+0x66e/0xfb0 __ip_finish_output+0x487/0x6d0 ip_output+0x11c/0x350 __ip_queue_xmit+0x36b/0x9d0 __tcp_transmit_skb+0xb35/0x15c0 tcp_write_xmit+0x3f1/0x24d0 tcp_sendmsg_locked+0x8a9/0x1520 tcp_sendmsg+0x22/0x40 sock_sendmsg+0x5f/0x70 __sys_sendto+0x19d/0x250 __x64_sys_sendto+0x6f/0x80 do_syscall_64+0x34/0xb0 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The buggy address belongs to the object at ffff88813cfa4b40 which belongs to the cache skbuff_fclone_cache of size 472 The buggy address is located 96 bytes inside of 472-byte region [ffff88813cfa4b40, ffff88813cfa4d18) The buggy address belongs to the physical page: page:ffffea0004f3e900 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88813cfa6c40 pfn:0x13cfa4 head:ffffea0004f3e900 order:2 compound_mapcount:0 compound_pincount:0 flags: 0x5fff8000010200(slab|head|node=0|zone=2|lastcpupid=0x3fff) raw: 005fff8000010200 ffffea0004656b08 ffffea0008e8cf08 ffff8881081a5240 raw: ffff88813cfa6c40 0000000000170015 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88813cfa4a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88813cfa4b00: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb >ffff88813cfa4b80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88813cfa4c00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88813cfa4c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Fixes: 08f7d8b69aaf ("iwlwifi: mvm: bring back mvm GSO code") Link: https://lore.kernel.org/linux-wireless/20220928193057.16132-1-greearb@candelatech.com/ Tested-by: Amol Jawale Signed-off-by: Ben Greear Link: https://lore.kernel.org/r/20221123225313.21b1ee31d666.I3b3ba184433dd2a544d91eeeda29b467021824ae@changeid Signed-off-by: Gregory Greenman Signed-off-by: Sasha Levin commit f52cf83c18cf95eba9d3737387f4ebd93608777f Author: Bitterblue Smith Date: Mon Nov 21 22:56:58 2022 +0200 wifi: rtl8xxxu: Fix use after rcu_read_unlock in rtl8xxxu_bss_info_changed [ Upstream commit 7927afb5e27baac694f585b59c436ba323528dc2 ] Commit a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width") introduced a line where the pointer returned by ieee80211_find_sta() is used after rcu_read_unlock(). Move rcu_read_unlock() a bit lower to fix this. Fixes: a8b5aef2cca1 ("wifi: rtl8xxxu: gen2: Enable 40 MHz channel width") Signed-off-by: Bitterblue Smith Reviewed-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/3c82ad09-7593-3be1-1d2c-e58505fb43cb@gmail.com Signed-off-by: Sasha Levin commit fce7e46273649d9cdcd98d89551975a65f206a14 Author: Ziyang Xuan Date: Sat Nov 19 13:19:00 2022 +0800 wifi: plfxlc: fix potential memory leak in __lf_x_usb_enable_rx() [ Upstream commit 895b3b06efc285c1245242e9638b9ae251dc13ec ] urbs does not be freed in exception paths in __lf_x_usb_enable_rx(). That will trigger memory leak. To fix it, add kfree() for urbs within "error" label. Compile tested only. Fixes: 68d57a07bfe5 ("wireless: add plfxlc driver for pureLiFi X, XL, XC devices") Signed-off-by: Ziyang Xuan Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221119051900.1192401-1-william.xuanziyang@huawei.com Signed-off-by: Sasha Levin commit 98dbd1329b4a6c17e0b1583101867cf4251e6fc0 Author: Liu Shixin Date: Sat Nov 26 10:14:29 2022 +0800 ALSA: asihpi: fix missing pci_disable_device() [ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ] pci_disable_device() need be called while module exiting, switch to use pcim_enable(), pci_disable_device() will be called in pcim_release(). Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.") Signed-off-by: Liu Shixin Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 6f3d56783fbed861e483736a7001bdafd0dddd53 Author: Trond Myklebust Date: Mon Nov 14 17:30:39 2022 -0500 NFS: Fix an Oops in nfs_d_automount() [ Upstream commit 35e3b6ae84935d0d7ff76cbdaa83411b0ad5e471 ] When mounting from a NFSv4 referral, path->dentry can end up being a negative dentry, so derive the struct nfs_server from the dentry itself instead. Fixes: 2b0143b5c986 ("VFS: normal filesystems (and lustre): d_inode() annotations") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 0393e0316cdd1f4b30bfc4af70ae1bc22552bfdc Author: Trond Myklebust Date: Fri Nov 4 13:20:01 2022 -0400 NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn [ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ] If we're asked to recover open state while a delegation return is outstanding, then the state manager thread cannot use a cached open, so if the server returns a delegation, we can end up deadlocked behind the pending delegreturn. To avoid this problem, let's just ask the server not to give us a delegation unless we're explicitly reclaiming one. Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b247a9828f6607d41189fa6c2a3be754d33cae86 Author: Trond Myklebust Date: Thu Oct 27 16:50:12 2022 -0400 NFSv4: Fix a credential leak in _nfs4_discover_trunking() [ Upstream commit e83458fce080dc23c25353a1af90bfecf79c7369 ] Fixes: 4f40a5b55446 ("NFSv4: Add an fattr allocation to _nfs4_discover_trunking()") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 43fe5686d4a4dfc884bcb029e4ba5dc1c6c7a470 Author: Trond Myklebust Date: Wed Oct 19 13:12:11 2022 -0400 NFSv4.2: Fix initialisation of struct nfs4_label [ Upstream commit c528f70f504434eaff993a5ddd52203a2010d51f ] The call to nfs4_label_init_security() should return a fully initialised label. Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 7c6975209d98bb02a8fcd85dcbe35b9ed292aca7 Author: Trond Myklebust Date: Tue Oct 18 18:21:14 2022 -0400 NFSv4.2: Fix a memory stomp in decode_attr_security_label [ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ] We must not change the value of label->len if it is zero, since that indicates we stored a label. Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 4711196ada6bcadce9f543a40e3e848f8e31f9cf Author: Trond Myklebust Date: Tue Oct 18 17:41:30 2022 -0400 NFSv4.2: Always decode the security label [ Upstream commit c8a62f440229ae7a10874776344dfcc17d860336 ] If the server returns a reply that includes a security label, then we must decode it whether or not we can store the results. Fixes: 1e2f67da8931 ("NFS: Remove the nfs4_label argument from decode_getattr_*() functions") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 860b951e92c38ec8d37c94e7950df0dfbb15bbd9 Author: Trond Myklebust Date: Tue Oct 18 16:44:47 2022 -0400 NFSv4.2: Clear FATTR4_WORD2_SECURITY_LABEL when done decoding [ Upstream commit eef7314caf2d73a94b68ba293cd105154d3a664e ] We need to clear the FATTR4_WORD2_SECURITY_LABEL bitmap flag irrespective of whether or not the label is too long. Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit b88b4035b21859e576aa2915e7a5f82e3a661d7e Author: Dmitry Baryshkov Date: Fri Nov 25 02:02:13 2022 +0200 drm/msm/mdp5: fix reading hw revision on db410c platform [ Upstream commit 5d8c0417ea62fed3cec7f5daed06a20477efeb39 ] Since the commit commit c6122688f265 ("drm/msm/mdp5: stop overriding drvdata") reading the MDP5 hw revision on db410c will crash the board as the MDSS_GDSC is not enabled. Revert a part of the offending commit (moving rpm enablement) and set priv->kms earlier. This make it possible to use pm_runtime_get_sync() during read_mdp_hw_revision(), which will power up both the MDP5 and MDSS devices. Fixes: c6122688f265 ("drm/msm/mdp5: stop overriding drvdata") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/512985/ Link: https://lore.kernel.org/r/20221125000213.252115-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit deed9567aae02078912e610f404f740c91a006dd Author: Jiasheng Jiang Date: Wed Nov 16 11:07:50 2022 +0800 ASoC: mediatek: mtk-btcvsd: Add checks for write and read of mtk_btcvsd_snd [ Upstream commit d067b3378a78c9c3048ac535e31c171b6f5b5846 ] As the mtk_btcvsd_snd_write and mtk_btcvsd_snd_read may return error, it should be better to catch the exception. Fixes: 4bd8597dc36c ("ASoC: mediatek: add btcvsd driver") Signed-off-by: Jiasheng Jiang Link: https://lore.kernel.org/r/20221116030750.40500-1-jiasheng@iscas.ac.cn Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 9d997d67e501ba5986a7a473705333f56b83dd1b Author: Dmitry Torokhov Date: Thu Oct 27 00:46:48 2022 -0700 ASoC: dt-bindings: wcd9335: fix reset line polarity in example [ Upstream commit 34cb111f8a7b98b5fec809dd194003bca20ef1b2 ] When resetting the block, the reset line is being driven low and then high, which means that the line in DTS should be annotated as "active low". Fixes: 1877c9fda1b7 ("ASoC: dt-bindings: add dt bindings for wcd9335 audio codec") Signed-off-by: Dmitry Torokhov Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20221027074652.1044235-2-dmitry.torokhov@gmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a5d99bf9cf7770b871e4a4f194d429b216888758 Author: Zhang Zekun Date: Tue Aug 2 08:50:50 2022 +0000 drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() [ Upstream commit 7ad4384d53c67672a8720cdc2ef638d7d1710ab8 ] Add the missing clk_disable_unprepare() before return from tegra_dc_probe() in the error handling path. Fixes: f68ba6912bd2 ("drm/tegra: dc: Link DC1 to DC0 on Tegra20") Signed-off-by: Zhang Zekun Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 6a27110802eb287d71fadb464d268611bcbd9081 Author: Aakarsh Jain Date: Mon Nov 14 11:50:23 2022 +0000 media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC [ Upstream commit f50ebe10f5d8092c37e2bd430c78e03bf38b1e20 ] Commit 5441e9dafdfc6dc40 ("[media] s5p-mfc: Core support for MFC v7") which adds mfc v7 support for Exynos3250 and use the same compatible string as used by Exynos5240 but both the IPs are a bit different in terms of IP clock. Add variant driver data based on the new compatible string "samsung,exynos3250-mfc" for Exynos3250 SoC. Suggested-by: Alim Akhtar Fixes: 5441e9dafdfc ("[media] s5p-mfc: Core support for MFC v7") Signed-off-by: Aakarsh Jain Reviewed-by: Alim Akhtar Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 2e6203ef474ba8cc9a1c53bbe9d94246f63c25a3 Author: Yunfei Dong Date: Thu Nov 17 09:24:53 2022 +0000 media: mediatek: vcodec: Core thread depends on core_list [ Upstream commit 95bc23513c9188065a22194f9af870376fc38fdd ] Core thread will continue to work when core_list is not empty, not depends on lat_list. Fixes: 365e4ba01df4 ("media: mtk-vcodec: Add work queue for core hardware decode") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c703b86a49724bb71962195909473a17b7bebf08 Author: Yunfei Dong Date: Thu Nov 17 09:24:52 2022 +0000 media: mediatek: vcodec: Setting lat buf to lat_list when lat decode error [ Upstream commit 12ac20d60213a439d1552382d04aabb905e0b784 ] Need to set lat buf to lat_list when lat decode error, or lat buffer will be lost. Fixes: 5d418351ca8f ("media: mediatek: vcodec: support stateless VP9 decoding") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 43a4ae7b787934499746b3b40b1963ba32781567 Author: Yunfei Dong Date: Thu Nov 17 09:24:51 2022 +0000 media: mediatek: vcodec: Fix h264 set lat buffer error [ Upstream commit 23d677bd9cdd10323e6d290578bbb0a408f43499 ] Will set lat buffer to lat_list two times when lat decode timeout for inner racing mode. If core thread can't get frame buffer, need to return error value. Fixes: 59fba9eed5a7 ("media: mediatek: vcodec: support stateless H.264 decoding for mt8192") Signed-off-by: Yunfei Dong Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit fd975256eb264e25d9f4df0cae6ce440eecb66a9 Author: Yunfei Dong Date: Thu Nov 17 09:24:49 2022 +0000 media: mediatek: vcodec: Fix getting NULL pointer for dst buffer [ Upstream commit d879f770e4d1d5f0d9b692d3a2702f23ee441dbb ] The driver may can't get v4l2 buffer when lat or core decode timeout, will lead to crash when call v4l2_m2m_buf_done to set dst buffer (NULL pointer) done. Fixes: 7b182b8d9c85 ("media: mediatek: vcodec: Refactor get and put capture buffer flow") Signed-off-by: Yunfei Dong Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c9411d57c1de5673c5cc6d14fbf802ae7c96bdfb Author: Ming Qian Date: Mon Nov 21 06:34:42 2022 +0000 media: amphion: lock and check m2m_ctx in event handler [ Upstream commit 1ade3f3f16986cd7c6fce02feede957f03eb8a42 ] driver needs to cancel vpu before releasing the vpu instance, so call v4l2_m2m_ctx_release() first, to handle the redundant event triggered after m2m_ctx is released. lock and check m2m_ctx in the event handler. Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c0c1903e87336aeb4d455580f9170635ebe0246f Author: Ming Qian Date: Mon Nov 21 06:34:07 2022 +0000 media: amphion: cancel vpu before release instance [ Upstream commit b3dd974af9de342c733492565ad02d7e23372876 ] Revert "media: amphion: release m2m ctx when releasing vpu instance" This reverts commit d91d7bc85062309aae6d8064563ddf17947cb6bc. Call v4l2_m2m_ctx_release() to cancel vpu, afterwards release the vpu instance. Fixes: d91d7bc85062 ("media: amphion: release m2m ctx when releasing vpu instance") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 1ca1405d52c843e4914e95880ac306473208c9f7 Author: Ming Qian Date: Fri Nov 18 08:51:29 2022 +0000 media: amphion: try to wakeup vpu core to avoid failure [ Upstream commit 082744433f7b96db7214a98202ed96f367684693 ] firmware should be waked up by start or configure command, but there is a very small chance that firmware failed to wakeup. in such case, try to wakeup firmware again by sending a noop command Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5100ab6744e7fcc557f38cf5170e61222ec0b0f8 Author: Paul Kocialkowski Date: Fri Sep 9 14:39:54 2022 +0100 media: sun8i-a83t-mipi-csi2: Register async subdev with no sensor attached [ Upstream commit 614f6e35a9e214c80270ab942bf58d85066a3e34 ] This allows the device to probe and register its async subdev without a sensor attached. The rationale is that the parent driver might otherwise wait for the subdev to be registered when it should be available (from the fwnode graph endpoint perspective). This is generally not problematic when the MIPI CSI-2 bridge is the only device attached to the parent, but in the case of a CSI controller that can feed from both MIPI CSI-2 and parallel, it would prevent using the parallel sensor due to the parent waiting for the MIPI CSI-2 subdev to register. Fixes: 576d196c522b ("media: sunxi: Add support for the A83T MIPI CSI-2 controller") Signed-off-by: Paul Kocialkowski Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 65b3232f9e9148ae073271418fb804bfb3b20dae Author: Paul Kocialkowski Date: Fri Sep 9 14:39:53 2022 +0100 media: sun6i-mipi-csi2: Register async subdev with no sensor attached [ Upstream commit 67182951f1dde5a88479cf8befee5f32ea014a49 ] This allows the device to probe and register its async subdev without a sensor attached. The rationale is that the parent driver might otherwise wait for the subdev to be registered when it should be available (from the fwnode graph endpoint perspective). This is generally not problematic when the MIPI CSI-2 bridge is the only device attached to the parent, but in the case of a CSI controller that can feed from both MIPI CSI-2 and parallel, it would prevent using the parallel sensor due to the parent waiting for the MIPI CSI-2 subdev to register. Fixes: af54b4f4c17f ("media: sunxi: Add support for the A31 MIPI CSI-2 controller") Signed-off-by: Paul Kocialkowski Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 6c1c8499cdb627c43ab1fe51436f185e39157588 Author: Paul Kocialkowski Date: Fri Sep 9 14:39:52 2022 +0100 media: sun8i-a83t-mipi-csi2: Require both pads to be connected for streaming [ Upstream commit 8985fc724ba89d9b00694304b3f9faf69f4073d0 ] The bridge needs both its pads connected to be able to stream data. Enforcing this is useful to produce an error when no sensor is connected. Fixes: 576d196c522b ("media: sunxi: Add support for the A83T MIPI CSI-2 controller") Signed-off-by: Paul Kocialkowski Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit daf248d2d6a52e195cc9570ab30656b85992e9fa Author: Paul Kocialkowski Date: Fri Sep 9 14:39:51 2022 +0100 media: sun6i-mipi-csi2: Require both pads to be connected for streaming [ Upstream commit f042b08b833de3be810f8769d88ca44aeefd7eba ] The bridge needs both its pads connected to be able to stream data. Enforcing this is useful to produce an error when no sensor is connected. Fixes: af54b4f4c17f ("media: sunxi: Add support for the A31 MIPI CSI-2 controller") Signed-off-by: Paul Kocialkowski Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit b1898793777fe10a31c160bb8bc385d6eea640c6 Author: Juergen Gross Date: Wed Nov 23 12:45:23 2022 +0100 x86/boot: Skip realmode init code when running as Xen PV guest [ Upstream commit f1e525009493cbd569e7c8dd7d58157855f8658d ] When running as a Xen PV guest there is no need for setting up the realmode trampoline, as realmode isn't supported in this environment. Trying to setup the trampoline has been proven to be problematic in some cases, especially when trying to debug early boot problems with Xen requiring to keep the EFI boot-services memory mapped (some firmware variants seem to claim basically all memory below 1Mb for boot services). Introduce new x86_platform_ops operations for that purpose, which can be set to a NOP by the Xen PV specific kernel boot code. [ bp: s/call_init_real_mode/do_init_real_mode/ ] Fixes: 084ee1c641a0 ("x86, realmode: Relocator for realmode code") Suggested-by: H. Peter Anvin Signed-off-by: Juergen Gross Signed-off-by: Borislav Petkov Link: https://lore.kernel.org/r/20221123114523.3467-1-jgross@suse.com Signed-off-by: Sasha Levin commit 6b60cf73a931af34b7a0a3f467a79d9fe0df2d70 Author: Baisong Zhong Date: Sun Nov 20 06:59:18 2022 +0000 media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() [ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ] Wei Chen reports a kernel bug as blew: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] ... Call Trace: __i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:870 [inline] __se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fd834a8bded In az6027_i2c_xfer(), if msg[i].addr is 0x99, a null-ptr-deref will caused when accessing msg[i].buf. For msg[i].len is 0 and msg[i].buf is null. Fix this by checking msg[i].len in az6027_i2c_xfer(). Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/ Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") Reported-by: Wei Chen Signed-off-by: Baisong Zhong Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit ed4293a07c1ced3503bdebb8d555858ffbf60194 Author: Chen Zhongjin Date: Tue Nov 8 03:30:05 2022 +0000 media: dvb-core: Fix ignored return value in dvb_register_frontend() [ Upstream commit a574359e2e71ce16be212df3a082ed60a4bd2c5f ] In dvb_register_frontend(), dvb_register_device() is possible to fail but its return value is ignored. It will cause use-after-free when module is removed, because in dvb_unregister_frontend() it tries to unregister a not registered device. BUG: KASAN: use-after-free in dvb_remove_device+0x18b/0x1f0 [dvb_core] Read of size 4 at addr ffff88800dff4824 by task rmmod/428 CPU: 3 PID: 428 Comm: rmmod Call Trace: ... dvb_remove_device+0x18b/0x1f0 [dvb_core] dvb_unregister_frontend+0x7b/0x130 [dvb_core] vidtv_bridge_remove+0x6e/0x160 [dvb_vidtv_bridge] ... Fix this by catching return value of dvb_register_device(). However the fe->refcount can't be put to zero immediately, because there are still modules calling dvb_frontend_detach() when dvb_register_frontend() fails. Link: https://lore.kernel.org/linux-media/20221108033005.169095-1-chenzhongjin@huawei.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Chen Zhongjin Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 5e2fa5132995de2641fc1ac2a5aec9740b0377c1 Author: ZhangPeng Date: Fri Nov 25 07:01:56 2022 +0000 pinctrl: pinconf-generic: add missing of_node_put() [ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ] of_node_put() needs to be called when jumping out of the loop, since for_each_available_child_of_node() will increase the refcount of node. Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node") Signed-off-by: ZhangPeng Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit d998e985232a46a7860d7bffe196a9c3f3a87920 Author: Dario Binacchi Date: Thu Nov 17 12:36:37 2022 +0100 clk: imx8mn: fix imx8mn_enet_phy_sels clocks list [ Upstream commit 2626cf67f20b28446dfc3a5b9493dd535cdb747b ] According to the "Clock Root" table of the reference manual (document IMX8MNRM Rev 2, 07/2022): Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX]) ... ... ... ENET_PHY_REF_CLK_ROOT 0xAA80 000 - 24M_REF_CLK 001 - SYSTEM_PLL2_DIV20 010 - SYSTEM_PLL2_DIV8 011 - SYSTEM_PLL2_DIV5 100 - SYSTEM_PLL2_DIV2 101 - AUDIO_PLL1_CLK 110 - VIDEO_PLL_CLK 111 - AUDIO_PLL2_CLK ... ... ... while the imx8mn_enet_phy_sels list didn't contained audio_pll1_out for source select bits 101b. Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Dario Binacchi Acked-by: Marco Felsch Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117113637.1978703-6-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit a03b59a0c83dc08ce3913b88f16d7952ce927007 Author: Dario Binacchi Date: Thu Nov 17 12:36:36 2022 +0100 clk: imx8mn: fix imx8mn_sai2_sels clocks list [ Upstream commit 34d996747a74e3a86990f9f9c48de09159d78edb ] According to the "Clock Root" table of the reference manual (document IMX8MNRM Rev 2, 07/2022): Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX]) ... ... ... SAI2_CLK_ROOT 0xA600 000 - 24M_REF_CLK 001 - AUDIO_PLL1_CLK 010 - AUDIO_PLL2_CLK 011 - VIDEO_PLL_CLK 100 - SYSTEM_PLL1_DIV6 110 - EXT_CLK_2 111 - EXT_CLK_3 ... ... ... while the imx8mn_sai2_sels list contained clk_ext3 and clk_ext4 for source select bits 110b and 111b. Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Dario Binacchi Acked-by: Marco Felsch Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117113637.1978703-5-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit 4b7b740009fa230c0caf5f0ec6009a3d18e6b3ca Author: Dario Binacchi Date: Thu Nov 17 12:36:35 2022 +0100 clk: imx: rename video_pll1 to video_pll [ Upstream commit bedcf9d1dcf88ed38731f0ac9620e5a421e1e9d6 ] Unlike audio_pll1 and audio_pll2, there is no video_pll2. Further, the name used in the RM is video_pll. So, let's rename "video_pll1" to "video_pll" to be consistent with the RM and avoid misunderstandings. The IMX8MN_VIDEO_PLL1* constants have not been removed to ensure backward compatibility of the patch. No functional changes intended. Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Dario Binacchi Acked-by: Marco Felsch Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117113637.1978703-4-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit 90b4de6684662c00ec2d160c195eca0ea327dd5a Author: Dario Binacchi Date: Thu Nov 17 12:36:34 2022 +0100 clk: imx: replace osc_hdmi with dummy [ Upstream commit e7fa365ff66f16772dc06b480cd78f858d10856b ] There is no occurrence of the hdmi oscillator in the reference manual (document IMX8MNRM Rev 2, 07/2022). Further, if we consider the indexes 76-81 and 134 of the "Clock Root" table of chapter 5 of the RM, there is no entry for the source select bits 101b, which is the setting referenced by "osc_hdmi". Fix by renaming "osc_hdmi" with "dummy", a clock which has already been used for missing source select bits. Tested on the BSH SystemMaster (SMM) S2 board. Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Dario Binacchi Acked-by: Marco Felsch Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117113637.1978703-3-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit 99bd07dc8519ae7d29e0781063d39f13f6cf478e Author: Dario Binacchi Date: Thu Nov 17 12:36:33 2022 +0100 clk: imx8mn: rename vpu_pll to m7_alt_pll [ Upstream commit a429c60baefd95ab43a2ce7f25d5b2d7a2e431df ] The IMX8MN platform does not have any video processing unit (VPU), and indeed in the reference manual (document IMX8MNRM Rev 2, 07/2022) there is no occurrence of its pll. From an analysis of the code and the RM itself, I think vpu pll is used instead of m7 alternate pll, probably for copy and paste of code taken from modules of similar architectures. As an example for all, if we consider the second row of the "Clock Root" table of chapter 5 (Clocks and Power Management) of the RM: Clock Root offset Source Select (CCM_TARGET_ROOTn[MUX]) ... ... ... ARM_M7_CLK_ROOT 0x8080 000 - 24M_REF_CLK 001 - SYSTEM_PLL2_DIV5 010 - SYSTEM_PLL2_DIV4 011 - M7_ALT_PLL_CLK 100 - SYSTEM_PLL1_CLK 101 - AUDIO_PLL1_CLK 110 - VIDEO_PLL_CLK 111 - SYSTEM_PLL3_CLK ... ... ... but in the source code, the imx8mn_m7_sels clocks list contains vpu_pll for the source select bits 011b. So, let's rename "vpu_pll" to "m7_alt_pll" to be consistent with the RM. The IMX8MN_VPU_* constants have not been removed to ensure backward compatibility of the patch. No functional changes intended. Fixes: 96d6392b54dbb ("clk: imx: Add support for i.MX8MN clock driver") Signed-off-by: Dario Binacchi Acked-by: Marco Felsch Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117113637.1978703-2-dario.binacchi@amarulasolutions.com Signed-off-by: Sasha Levin commit d6ebcae042ce90c46213284a0a0ff835961524fe Author: Marek Vasut Date: Sun Nov 20 14:13:04 2022 +0000 media: mt9p031: Drop bogus v4l2_subdev_get_try_crop() call from mt9p031_init_cfg() [ Upstream commit e208ad015f9310a87b4bb1ba1e4d3e347f391aa4 ] The mt9p031_init_cfg() already calls __mt9p031_get_pad_crop(), which correctly calls v4l2_subdev_get_try_crop() on V4L2_SUBDEV_FORMAT_TRY or returns &mt9p031->crop on V4L2_SUBDEV_FORMAT_ACTIVE. No need to call v4l2_subdev_get_try_crop() in mt9p031_init_cfg() again in case of both V4L2_SUBDEV_FORMAT_TRY and V4L2_SUBDEV_FORMAT_ACTIVE. This also fixes a splat generated by this call since commit 2ba3e38517f5a ("media: v4l: subdev: Fail graciously when getting try data for NULL state") because v4l2_subdev_get_try_crop() is called with sd_state = NULL in mt9p031_init_cfg(). Fixes: 69681cd041648 ("media: mt9p031: Move open subdev op init code into init_cfg") Signed-off-by: Marek Vasut Reviewed-by: Laurent Pinchart Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 0f5250e1de5f27a1a8268032b54329ef65aa660c Author: Laurent Pinchart Date: Wed Sep 7 19:42:16 2022 +0100 media: imx: imx7-media-csi: Clear BIT_MIPI_DOUBLE_CMPNT for <16b formats [ Upstream commit cccc08a95ca57624563daafd47df5691e8c38995 ] Commit 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") set BIT_MIPI_DOUBLE_CMPNT in the CR18 register for 16-bit YUV formats in imx7_csi_configure(). The CR18 register is always updated with read-modify-write cycles, so if a 16-bit YUV format is selected, the bit will stay set forever, even if the format is changed. Fix it by clearing the bit at the beginning of the imx7_csi_configure() function. While at it, swap two of the bits being cleared to match the MSB to LSB order. This doesn't cause any functional change. Fixes: 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Acked-by: Rui Miguel Silva Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 3f8b24ab0d0001ef9cb13400add90a38aaa63173 Author: Gautam Menghani Date: Wed Oct 19 06:02:14 2022 +0100 media: imon: fix a race condition in send_packet() [ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ] The function send_packet() has a race condition as follows: func send_packet() { // do work call usb_submit_urb() mutex_unlock() wait_for_event_interruptible() <-- lock gone mutex_lock() } func vfd_write() { mutex_lock() call send_packet() <- prev call is not completed mutex_unlock() } When the mutex is unlocked and the function send_packet() waits for the call to complete, vfd_write() can start another call, which leads to the "URB submitted while active" warning in usb_submit_urb(). Fix this by removing the mutex_unlock() call in send_packet() and using mutex_lock_interruptible(). Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com Signed-off-by: Gautam Menghani Signed-off-by: Sean Young Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit f38df8984ef1b45ba23888d0e232cc21a95bd04b Author: Chen Zhongjin Date: Thu Nov 10 07:26:33 2022 +0000 media: vimc: Fix wrong function called when vimc_init() fails [ Upstream commit f74d3f326d1d5b8951ce263c59a121ecfa65e7c0 ] In vimc_init(), when platform_driver_register(&vimc_pdrv) fails, platform_driver_unregister(&vimc_pdrv) is wrongly called rather than platform_device_unregister(&vimc_pdev), which causes kernel warning: Unexpected driver unregister! WARNING: CPU: 1 PID: 14517 at drivers/base/driver.c:270 driver_unregister+0x8f/0xb0 RIP: 0010:driver_unregister+0x8f/0xb0 Call Trace: vimc_init+0x7d/0x1000 [vimc] do_one_initcall+0xd0/0x4e0 do_init_module+0x1cf/0x6b0 load_module+0x65c2/0x7820 Fixes: 4a29b7090749 ("[media] vimc: Subdevices as modules") Signed-off-by: Chen Zhongjin Signed-off-by: Shuah Khan Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 841315c1db6b0f62b99ea758fa560c17c8fb7f38 Author: Jiaxin Yu Date: Thu Nov 24 10:30:50 2022 +0800 ASoC: mediatek: mt8186: Correct I2S shared clocks [ Upstream commit 248579fc9a4f3bf36e7cfe9f6a354cee0f9848dc ] In mt8186 platform, I2S2 should be the main I2S port that provide the clock, on the contrary I2S3 should be the second I2S port that use this clock. Fixes: 9986bdaee477 ("ASoC: mediatek: mt8186: Configure shared clocks") Signed-off-by: Jiaxin Yu Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221124023050.4470-1-jiaxin.yu@mediatek.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 5827a5656d5a6bea313d58ab56b6d1923331e4f5 Author: Srinivas Kandagatla Date: Thu Nov 24 14:03:51 2022 +0000 ASoC: qcom: cleanup and fix dependency of QCOM_COMMON [ Upstream commit 8d89cf6ff229ff31cd4f73f5b3928564b81fc41e ] SND_SOC_QCOM_COMMON depends on SOUNDWIRE for some symbols but this is not explicitly specified using Kconfig depends. On the other hand SND_SOC_QCOM_COMMON is also directly selected by the sound card Kconfigs, this could result in various combinations and some symbols ending up in modules and soundcard that uses those symbols as in-build driver. Fix these issues by explicitly specifying the dependencies of SND_SOC_QCOM_COMMON and also use imply a to select SND_SOC_QCOM_COMMON so that the symbol is selected based on its dependencies. Also remove dummy stubs in common.c around CONFIG_SOUNDWIRE Fixes: 3bd975f3ae0a ("ASoC: qcom: sm8250: move some code to common") Reported-by: kernel test robot Signed-off-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221124140351.407506-1-srinivas.kandagatla@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b1e4f92dd0c1d3c162d7ca6c1196995565cca96d Author: Yuan Can Date: Thu Nov 24 14:05:10 2022 +0000 ASoC: qcom: Add checks for devm_kcalloc [ Upstream commit 1bf5ee979076ceb121ee51c95197d890b1cee7f4 ] As the devm_kcalloc may return NULL, the return value needs to be checked to avoid NULL poineter dereference. Fixes: 24caf8d9eb10 ("ASoC: qcom: lpass-sc7180: Add platform driver for lpass audio") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221124140510.63468-1-yuancan@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a999525c7b69e10c7fceaa749fe6b24b9b1ec0f0 Author: Wang ShaoBo Date: Thu Nov 24 09:58:17 2022 +0800 drbd: destroy workqueue when drbd device was freed [ Upstream commit 8692814b77ca4228a99da8a005de0acf40af6132 ] A submitter workqueue is dynamically allocated by init_submitter() called by drbd_create_device(), we should destroy it when this device is not needed or destroyed. Fixes: 113fef9e20e0 ("drbd: prepare to queue write requests on a submit worker") Signed-off-by: Wang ShaoBo Link: https://lore.kernel.org/r/20221124015817.2729789-3-bobo.shaobowang@huawei.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 6c4c5d5e4a0de5d21ead41a021ce5b59813e4273 Author: Wang ShaoBo Date: Thu Nov 24 09:58:16 2022 +0800 drbd: remove call to memset before free device/resource/connection [ Upstream commit 6e7b854e4c1b02dba00760dfa79d8dbf6cce561e ] This revert c2258ffc56f2 ("drbd: poison free'd device, resource and connection structs"), add memset is odd here for debugging, there are some methods to accurately show what happened, such as kdump. Signed-off-by: Wang ShaoBo Link: https://lore.kernel.org/r/20221124015817.2729789-2-bobo.shaobowang@huawei.com Signed-off-by: Jens Axboe Stable-dep-of: 8692814b77ca ("drbd: destroy workqueue when drbd device was freed") Signed-off-by: Sasha Levin commit a1b061cafdbcb1ff259731f30e2bdc1de64dcaba Author: Zheng Yongjun Date: Sat Nov 19 07:33:07 2022 +0000 mtd: maps: pxa2xx-flash: fix memory leak in probe [ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ] Free 'info' upon remapping error to avoid a memory leak. Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver") Signed-off-by: Zheng Yongjun [: Reword the commit log] Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com Signed-off-by: Sasha Levin commit 616dc895d982026f41f500c88d1bfea004938cc8 Author: Shang XiaoJing Date: Sat Nov 19 14:39:15 2022 +0800 mtd: core: Fix refcount error in del_mtd_device() [ Upstream commit 56570bdad5e31c5c538cd6efff5c4510256e1bb4 ] del_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which is mtd->dev.of_node. However, memset(&mtd->dev, 0) is called before of_node_put(). As the result, of_node_put() won't do anything in del_mtd_device(), and causes the refcount leak. del_mtd_device() memset(&mtd->dev, 0, sizeof(mtd->dev) # clear mtd->dev of_node_put() mtd_get_of_node(mtd) # mtd->dev is cleared, can't locate of_node # of_node_put(NULL) won't do anything Fix the error by caching the pointer of the device_node. OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /spi/spi-sram@0 CPU: 3 PID: 275 Comm: python3 Tainted: G N 6.1.0-rc3+ #54 0d8a1edddf51f172ff5226989a7565c6313b08e2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x67/0x83 kobject_get+0x155/0x160 of_node_get+0x1f/0x30 of_fwnode_get+0x43/0x70 fwnode_handle_get+0x54/0x80 fwnode_get_nth_parent+0xc9/0xe0 fwnode_full_name_string+0x3f/0xa0 device_node_string+0x30f/0x750 pointer+0x598/0x7a0 vsnprintf+0x62d/0x9b0 ... cfs_overlay_release+0x30/0x90 config_item_release+0xbe/0x1a0 config_item_put+0x5e/0x80 configfs_rmdir+0x3bd/0x540 vfs_rmdir+0x18c/0x320 do_rmdir+0x198/0x330 __x64_sys_rmdir+0x2c/0x40 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 00596576a051 ("mtd: core: clear out unregistered devices a bit more") Signed-off-by: Shang XiaoJing [: Light reword of the commit log] Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20221119063915.11108-1-shangxiaojing@huawei.com Signed-off-by: Sasha Levin commit 95e90bcc934fbfe6273974759233d09550948258 Author: Hui Tang Date: Sat Nov 19 13:48:58 2022 +0800 clk: microchip: check for null return of devm_kzalloc() [ Upstream commit e2e6a217a84d09785848a82599729c9a41566e3a ] Because of the possible failure of devm_kzalloc(), name might be NULL and will cause null pointer dereference later. Therefore, it might be better to check it and directly return -ENOMEM. Fixes: d39fb172760e ("clk: microchip: add PolarFire SoC fabric clock support") Signed-off-by: Hui Tang Reviewed-by: Conor Dooley [claudiu.beznea: s/refrence/reference/, s/possilble/possible] Signed-off-by: Claudiu Beznea Link: https://lore.kernel.org/r/20221119054858.178629-1-tanghui20@huawei.com Signed-off-by: Sasha Levin commit d87f58c25447d2c2d25a0940e0876891da81a1b5 Author: Jonathan Toppins Date: Tue Nov 22 16:24:29 2022 -0500 bonding: fix link recovery in mode 2 when updelay is nonzero [ Upstream commit f8a65ab2f3ff7410921ebbf0dc55453102c33c56 ] Before this change when a bond in mode 2 lost link, all of its slaves lost link, the bonding device would never recover even after the expiration of updelay. This change removes the updelay when the bond currently has no usable links. Conforming to bonding.txt section 13.1 paragraph 4. Fixes: 41f891004063 ("bonding: ignore updelay param when there is no active slave") Signed-off-by: Jonathan Toppins Acked-by: Jay Vosburgh Signed-off-by: Jakub Kicinski Signed-off-by: Sasha Levin commit e1abb71ed774636966fc445197c20963cb52bcd4 Author: Stanislav Fomichev Date: Wed Nov 23 12:08:29 2022 -0800 selftests/bpf: Mount debugfs in setns_by_fd [ Upstream commit 8ac88eece8009428e2577c345080a458e4507e2f ] Jiri reports broken test_progs after recent commit 68f8e3d4b916 ("selftests/bpf: Make sure zero-len skbs aren't redirectable"). Apparently we don't remount debugfs when we switch back networking namespace. Let's explicitly mount /sys/kernel/debug. 0: https://lore.kernel.org/bpf/63b85917-a2ea-8e35-620c-808560910819@meta.com/T/#ma66ca9c92e99eee0a25e40f422489b26ee0171c1 Fixes: a30338840fa5 ("selftests/bpf: Move open_netns() and close_netns() into network_helpers.c") Reported-by: Jiri Olsa Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20221123200829.2226254-1-sdf@google.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 4074774f55d4a1b35f2e89e450ab33a793212249 Author: Stanislav Fomichev Date: Mon Nov 21 10:03:40 2022 -0800 selftests/bpf: Make sure zero-len skbs aren't redirectable [ Upstream commit 68f8e3d4b916531ea3bb8b83e35138cf78f2fce5 ] LWT_XMIT to test L3 case, TC to test L2 case. v2: - s/veth_ifindex/ipip_ifindex/ in two places (Martin) - add comment about which condition triggers the rejection (Martin) Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20221121180340.1983627-2-sdf@google.com Signed-off-by: Martin KaFai Lau Stable-dep-of: 8ac88eece800 ("selftests/bpf: Mount debugfs in setns_by_fd") Signed-off-by: Sasha Levin commit cbd17cb4df07040fa3734b0a23eb88c871d48ed0 Author: Jani Nikula Date: Tue Nov 22 16:16:16 2022 +0200 drm/i915/guc: make default_lists const data [ Upstream commit dfa5e6ef3ccefff9fa8a70d9f5fa6ef6244aa312 ] The default_lists array should be in rodata. Fixes: dce2bd542337 ("drm/i915/guc: Add Gen9 registers for GuC error state capture.") Cc: Alan Previn Cc: Umesh Nerlige Ramappa Cc: Lucas De Marchi Signed-off-by: Jani Nikula Reviewed-by: Lucas De Marchi Link: https://patchwork.freedesktop.org/patch/msgid/20221122141616.3469214-1-jani.nikula@intel.com (cherry picked from commit 8b7f7a9b10b704ba7d73199ff0f01354e0bad7a5) Signed-off-by: Rodrigo Vivi Signed-off-by: Sasha Levin commit d7352b410471cbebf6350b2990bae82bb0d59a76 Author: Yang Yingliang Date: Thu Nov 17 23:00:03 2022 +0800 drm/amdgpu: fix pci device refcount leak [ Upstream commit b85e285e3d6352b02947fc1b72303673dfacb0aa ] As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So before returning from amdgpu_device_resume|suspend_display_audio(), pci_dev_put() is called to avoid refcount leak. Fixes: 3f12acc8d6d4 ("drm/amdgpu: put the audio codec into suspend state before gpu reset V3") Reviewed-by: Evan Quan Signed-off-by: Yang Yingliang Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f2ffb8653ea85ae39ce44347751fcc4c3e41f6bb Author: Xiu Jianfeng Date: Wed Nov 23 17:12:01 2022 +0800 clk: rockchip: Fix memory leak in rockchip_clk_register_pll() [ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ] If clk_register() fails, @pll->rate_table may have allocated memory by kmemdup(), so it needs to be freed, otherwise will cause memory leak issue, this patch fixes it. Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066") Signed-off-by: Xiu Jianfeng Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com Signed-off-by: Heiko Stuebner Signed-off-by: Sasha Levin commit 55e44791a547830b2906dd364afae2a1ec49a401 Author: Wang ShaoBo Date: Wed Nov 23 11:46:16 2022 +0800 regulator: core: use kfree_const() to free space conditionally [ Upstream commit dc8d006d15b623c1d80b90b45d6dcb6e890dad09 ] Use kfree_const() to free supply_name conditionally in create_regulator() as supply_name may be allocated from kmalloc() or directly from .rodata section. Fixes: 87fe29b61f95 ("regulator: push allocations in create_regulator() outside of lock") Signed-off-by: Wang ShaoBo Link: https://lore.kernel.org/r/20221123034616.3609537-1-bobo.shaobowang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 83ddd4cc8f25c1100abb617148daa6945cedc5ec Author: Baisong Zhong Date: Mon Nov 21 19:16:30 2022 +0800 ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT [ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ] Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22 left shift of 1 by 31 places cannot be represented in type 'int' ... Call Trace: dump_stack_lvl+0x8d/0xcf ubsan_epilogue+0xa/0x44 __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 snd_seq_deliver_single_event.constprop.21+0x191/0x2f0 snd_seq_deliver_event+0x1a2/0x350 snd_seq_kernel_client_dispatch+0x8b/0xb0 snd_seq_client_notify_subscription+0x72/0xa0 snd_seq_ioctl_subscribe_port+0x128/0x160 snd_seq_kernel_client_ctl+0xce/0xf0 snd_seq_oss_create_client+0x109/0x15b alsa_seq_oss_init+0x11c/0x1aa do_one_initcall+0x80/0x440 kernel_init_freeable+0x370/0x3c3 kernel_init+0x1b/0x190 ret_from_fork+0x1f/0x30 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Baisong Zhong Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 2b951e13bd17dcab98608ce9e10304ece84db3a1 Author: Baisong Zhong Date: Mon Nov 21 19:00:44 2022 +0800 ALSA: pcm: fix undefined behavior in bit shift for SNDRV_PCM_RATE_KNOT [ Upstream commit b5172e62458f8e6ff359e5f096044a488db90ac5 ] Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in sound/core/pcm_native.c:2676:21 left shift of 1 by 31 places cannot be represented in type 'int' ... Call Trace: dump_stack_lvl+0x8d/0xcf ubsan_epilogue+0xa/0x44 __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 snd_pcm_open_substream+0x9f0/0xa90 snd_pcm_oss_open.part.26+0x313/0x670 snd_pcm_oss_open+0x30/0x40 soundcore_open+0x18b/0x2e0 chrdev_open+0xe2/0x270 do_dentry_open+0x2f7/0x620 path_openat+0xd66/0xe70 do_filp_open+0xe3/0x170 do_sys_openat2+0x357/0x4a0 do_sys_open+0x87/0xd0 do_syscall_64+0x34/0x80 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Baisong Zhong Link: https://lore.kernel.org/r/20221121110044.3115686-1-zhongbaisong@huawei.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit bfa34e24ced68067af77acd5c3b91cd6c1d0c3c4 Author: Cezary Rojewski Date: Wed Nov 16 12:55:49 2022 +0100 ASoC: Intel: avs: Lock substream before snd_pcm_stop() [ Upstream commit c30c8f9d51ec24b36e2c65a6307a5c8cbc5a0ebc ] snd_pcm_stop() shall be called with stream lock held to prevent any races between nonatomic streaming operations. Fixes: 2f1f570cd730 ("ASoC: Intel: avs: Coredump and recovery flow") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221116115550.1100398-2-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 51618c1d77af4c4e1dd326ec384a82fd7279b561 Author: Lili Li Date: Mon Nov 21 18:47:42 2022 +0800 ASoC: Intel: Skylake: Fix Kconfig dependency [ Upstream commit e5d4d2b23aed20a7815d1b500dbcd50af1da0023 ] Commit e4746d94d00c ("ASoC: Intel: Skylake: Introduce HDA codec init and exit routines") introduced HDA codec init routine which depends on SND_HDA. Select SND_SOC_HDAC_HDA unconditionally to fix following compile error: ERROR: modpost: "snd_hda_codec_device_init" [sound/soc/intel/skylake/snd-soc-skl.ko] undefined! Fixes: e4746d94d00c ("ASoC: Intel: Skylake: Introduce HDA codec init and exit routines") Reviewed-by: Junxiao Chang Suggested-by: Cezary Rojewski Signed-off-by: Lili Li Reviewed-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221121104742.1007486-1-lili.li@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 1dc70897f1ac390c6a9aad146a41450c512616c6 Author: Zong-Zhe Yang Date: Fri Nov 18 12:23:22 2022 +0800 wifi: rtw89: fix physts IE page check [ Upstream commit 9e2f177de1bfb7d891bf38140bda54831ecef30d ] The index RTW89_PHYSTS_BITMAP_NUM is not a valid physts IE page. So, fix the check condition. Fixes: eb4e52b3f38d ("rtw89: fix incorrect channel info during scan") Signed-off-by: Zong-Zhe Yang Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221118042322.26794-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit 60dcaf068f42e25ed723850fec5a5498ed21d699 Author: ZhangPeng Date: Tue Nov 22 07:58:53 2022 +0000 pinctrl: k210: call of_node_put() [ Upstream commit a8acc11643082a706de86a19f1f824712d971984 ] Since for_each_available_child_of_node() will increase the refcount of node, we need to call of_node_put() manually when breaking out of the iteration. Fixes: d4c34d09ab03 ("pinctrl: Add RISC-V Canaan Kendryte K210 FPIOA driver") Signed-off-by: ZhangPeng Reviewed-by: Damien Le Moal Link: https://lore.kernel.org/r/20221122075853.2496680-1-zhangpeng362@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 66d362f16d46388d66c949b1ff230f45bf4a3b49 Author: Giulio Benetti Date: Thu Nov 17 19:10:11 2022 +0100 clk: imx: imxrt1050: fix IMXRT1050_CLK_LCDIF_APB offsets [ Upstream commit 3095c02f95e537c553e0b30948c2f6c7cbed87ee ] Fix IMXRT1050_CLK_LCDIF_APB offsets. Fixes: 7154b046d8f3 ("clk: imx: Add initial support for i.MXRT1050 clock driver") Cc: Jesse Taube Signed-off-by: Giulio Benetti Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221117181014.851505-1-giulio.benetti@benettiengineering.com Signed-off-by: Sasha Levin commit 258730e8f68fc67d0da04fa7daff5b1cfcd18f5a Author: Marcus Folkesson Date: Thu Nov 17 13:13:26 2022 +0100 HID: hid-sensor-custom: set fixed size for custom attributes [ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ] This is no bugfix (so no Fixes: tag is necessary) as it is taken care of in hid_sensor_custom_add_attributes(). The motivation for this patch is that: hid_sensor_custom_field.attr_name and hid_sensor_custom_field.attrs has the size of HID_CUSTOM_TOTAL_ATTRS and used in same context. We compare against HID_CUSTOM_TOTAL_ATTRS when looping through hid_custom_attrs. We will silent the smatch error: hid_sensor_custom_add_attributes() error: buffer overflow 'hid_custom_attrs' 8 <= 10 Signed-off-by: Marcus Folkesson Acked-by: Jonathan Cameron Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 21f15d8ffdb46e95d721810c2d7ed2149fff397c Author: Stanislav Fomichev Date: Mon Nov 21 10:03:39 2022 -0800 bpf: Move skb->len == 0 checks into __bpf_redirect [ Upstream commit 114039b342014680911c35bd6b72624180fd669a ] To avoid potentially breaking existing users. Both mac/no-mac cases have to be amended; mac_header >= network_header is not enough (verified with a new test, see next patch). Fixes: fd1894224407 ("bpf: Don't redirect packets with invalid pkt_len") Signed-off-by: Stanislav Fomichev Link: https://lore.kernel.org/r/20221121180340.1983627-1-sdf@google.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit 92f30b33df3d5609f7f613f72238e07aabcb36cd Author: Peng Fan Date: Fri Oct 28 17:52:07 2022 +0800 clk: imx93: correct enet clock [ Upstream commit 4be5d91b9433f1dc76de485e240ca6aaa2d19f65 ] Per update Reference Mannual, correct the enet clock parent to wakeup_axi_root. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Reviewed-by: Ye Li Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221028095211.2598312-3-peng.fan@oss.nxp.com Signed-off-by: Sasha Levin commit a1981f67d57e3a3b97c933e3066d96eddd4f624a Author: Peng Fan Date: Fri Oct 28 17:52:06 2022 +0800 clk: imx93: unmap anatop base in error handling path [ Upstream commit bda7b7f396f94d8df89ecacc88f2826908e8762c ] The anatop base is not unmapped during error handling path, fix it. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Reported-by: Dan Carpenter Signed-off-by: Peng Fan Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/20221028095211.2598312-2-peng.fan@oss.nxp.com Signed-off-by: Sasha Levin commit 1372f4f6fcb19d4e9c69d00c6f919163823bf785 Author: Dmitry Torokhov Date: Fri Nov 18 09:02:45 2022 -0800 HID: i2c: let RMI devices decide what constitutes wakeup event [ Upstream commit 9984fbf55b9bd998b4ff66395cbb118020c1effa ] HID-RMI is special in the sense that it does not carry HID events directly, but rather uses HID protocol as a wrapper/transport for RMI protocol. Therefore we should not assume that all data coming from the device via interrupt is associated with user activity and report wakeup event indiscriminately, but rather let HID-RMI do that when appropriate. HID-RMI devices tag responses to the commands issued by the host as RMI_READ_DATA_REPORT_ID whereas motion and other input events from the device are tagged as RMI_ATTN_REPORT_ID. Change hid-rmi to report wakeup events when receiving the latter packets. This allows ChromeOS to accurately identify wakeup source and make correct decision on the mode of the resume the system should take ("dark" where the display stays off vs normal one). Fixes: d951ae1ce803 ("HID: i2c-hid: Report wakeup events") Signed-off-by: Dmitry Torokhov Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 3751ba4aec0b460a94aaa692013b9dd1a0cb14f7 Author: Hou Tao Date: Mon Nov 21 15:34:38 2022 +0800 bpf: Pin the start cgroup in cgroup_iter_seq_init() [ Upstream commit 1a5160d4d8fe63ba4964cfff4a85831b6af75f2d ] bpf_iter_attach_cgroup() has already acquired an extra reference for the start cgroup, but the reference may be released if the iterator link fd is closed after the creation of iterator fd, and it may lead to user-after-free problem when reading the iterator fd. An alternative fix is pinning iterator link when opening iterator, but it will make iterator link being still visible after the close of iterator link fd and the behavior is different with other link types, so just fixing it by acquiring another reference for the start cgroup. Fixes: d4ccaf58a847 ("bpf: Introduce cgroup iter") Signed-off-by: Hou Tao Signed-off-by: Daniel Borkmann Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20221121073440.1828292-2-houtao@huaweicloud.com Signed-off-by: Sasha Levin commit b7c906977301cbfcead885ac74a1879f3c1e4a34 Author: Haibo Chen Date: Mon Oct 24 13:26:39 2022 +0800 clk: imx93: correct the flexspi1 clock setting [ Upstream commit 62dfdbcc16e767b91ed35d4fc0428c86d4688505 ] Correct IMX93_CLK_FLEXSPI1_GATE CCGR setting. Otherwise the flexspi always can't be assigned to a parent clock when dump the clock tree. Fixes: 24defbe194b6 ("clk: imx: add i.MX93 clk") Reviewed-by: Peng Fan Signed-off-by: Haibo Chen Reviewed-by: Abel Vesa Signed-off-by: Abel Vesa Link: https://lore.kernel.org/r/1666589199-1199-1-git-send-email-haibo.chen@nxp.com Signed-off-by: Sasha Levin commit c536932b6a2aa9fca61eaf422f287eaf5d54895a Author: Allen-KH Cheng Date: Mon Oct 31 20:46:33 2022 +0800 mtd: spi-nor: Fix the number of bytes for the dummy cycles [ Upstream commit fdc20370d93e8c6d2f448a539d08c2c064af7694 ] The number of bytes used by spi_nor_spimem_check_readop() may be incorrect for the dummy cycles. Since nor->read_dummy is not initialized before spi_nor_spimem_adjust_hwcaps(). We use both mode and wait state clock cycles instead of nor->read_dummy. Fixes: 0e30f47232ab ("mtd: spi-nor: add support for DTR protocol") Co-developed-by: Bayi Cheng Signed-off-by: Bayi Cheng Signed-off-by: Allen-KH Cheng Signed-off-by: Tudor Ambarus Tested-by: Dhruva Gole Tested-by: AngeloGioacchino Del Regno Reviewed-by: Pratyush Yadav Link: https://lore.kernel.org/r/20221031124633.13189-1-allen-kh.cheng@mediatek.com Signed-off-by: Sasha Levin commit 58701a96062faaedd86a42c1a195c11d000a7267 Author: Michael Walle Date: Thu Aug 11 00:06:48 2022 +0200 mtd: spi-nor: hide jedec_id sysfs attribute if not present [ Upstream commit 7d388551b6888f3725e6c957f472526b35161a5b ] Some non-jedec compliant flashes (like the Everspin flashes) don't have an ID at all. Hide the attribute in this case. Fixes: 36ac02286265 ("mtd: spi-nor: add initial sysfs support") Signed-off-by: Michael Walle Signed-off-by: Tudor Ambarus Reviewed-by: Takahiro Kuwano Link: https://lore.kernel.org/r/20220810220654.1297699-2-michael@walle.cc Signed-off-by: Sasha Levin commit d24fd986ae9d40fe3fcea0c1d7c44605b3527ca4 Author: Kuniyuki Iwashima Date: Fri Nov 18 10:25:06 2022 -0800 net: Return errno in sk->sk_prot->get_port(). [ Upstream commit 7a7160edf1bfde25422262fb26851cef65f695d3 ] We assume the correct errno is -EADDRINUSE when sk->sk_prot->get_port() fails, so some ->get_port() functions return just 1 on failure and the callers return -EADDRINUSE instead. However, mptcp_get_port() can return -EINVAL. Let's not ignore the error. Note the only exception is inet_autobind(), all of whose callers return -EAGAIN instead. Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections") Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 073b50de84cbc9064180097d89facecdbb49e177 Author: Kuniyuki Iwashima Date: Mon Nov 14 13:57:53 2022 -0800 udp: Clean up some functions. [ Upstream commit 919dfa0b20ae56060dce0436eb710717f8987d18 ] This patch adds no functional change and cleans up some functions that the following patches touch around so that we make them tidy and easy to review/revert. The change is mainly to keep reverse christmas tree order. Signed-off-by: Kuniyuki Iwashima Signed-off-by: David S. Miller Stable-dep-of: 7a7160edf1bf ("net: Return errno in sk->sk_prot->get_port().") Signed-off-by: Sasha Levin commit 53fc231277da4aeb685b943d86ab96b0285cda33 Author: Lorenzo Bianconi Date: Thu Nov 17 15:29:53 2022 +0100 net: ethernet: mtk_eth_soc: fix RSTCTRL_PPE{0,1} definitions [ Upstream commit ef8c373bd91df3cf70596497da0955d218961ead ] Fix RSTCTRL_PPE0 and RSTCTRL_PPE1 register mask definitions for MTK_NETSYS_V2. Remove duplicated definitions. Fixes: 160d3a9b1929 ("net: ethernet: mtk_eth_soc: introduce MTK_NETSYS_V2 support") Signed-off-by: Lorenzo Bianconi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 7d4af96be5359d78a4a6dca0baad896d04ebcf69 Author: Christoph Hellwig Date: Wed Dec 18 11:39:07 2019 +0100 media: videobuf-dma-contig: use dma_mmap_coherent [ Upstream commit b3dc3f8e49577840dc8ac8a365c5b3da4edb10b8 ] dma_alloc_coherent does not return a physical address, but a DMA address, which might be remapped or have an offset. Passing the DMA address to vm_iomap_memory is thus broken. Use the proper dma_mmap_coherent helper instead, and stop passing __GFP_COMP to dma_alloc_coherent, as the memory management inside the DMA allocator is hidden from the callers and does not require it. With this the gfp_t argument to __videobuf_dc_alloc can be removed and hard coded to GFP_KERNEL. Fixes: a8f3c203e19b ("[media] videobuf-dma-contig: add cache support") Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit d72bff7e6cc324b31b62826d5fe279c0390e2335 Author: Yuan Can Date: Fri Nov 11 06:09:26 2022 +0000 media: amphion: Fix error handling in vpu_driver_init() [ Upstream commit a95cc6d11aae16a7b2d043b073a40de81bbea689 ] A problem about modprobe amphion-vpu failed is triggered with the following log given: [ 2208.634841] Error: Driver 'amphion-vpu' is already registered, aborting... modprobe: ERROR: could not insert 'amphion_vpu': Device or resource busy The reason is that vpu_driver_init() returns vpu_core_driver_init() directly without checking its return value, if vpu_core_driver_init() failed, it returns without unregister amphion_vpu_driver, resulting the amphion-vpu can never be installed later. A simple call graph is shown as below: vpu_driver_init() platform_driver_register() # register amphion_vpu_driver vpu_core_driver_init() platform_driver_register() driver_register() bus_add_driver() dev = kzalloc(...) # OOM happened # return without unregister amphion_vpu_driver Fix by unregister amphion_vpu_driver when vpu_core_driver_init() returns error. Fixes: b50a64fc54af ("media: amphion: add amphion vpu device driver") Signed-off-by: Yuan Can Reviewed-by: ming_qian Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit abc73b6739a1943e18438b83d351614858e4cbce Author: Yuan Can Date: Fri Nov 11 06:08:53 2022 +0000 media: platform: exynos4-is: Fix error handling in fimc_md_init() [ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ] A problem about modprobe s5p_fimc failed is triggered with the following log given: [ 272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting... modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy The reason is that fimc_md_init() returns platform_driver_register() directly without checking its return value, if platform_driver_register() failed, it returns without unregister fimc_driver, resulting the s5p_fimc can never be installed later. A simple call graph is shown as below: fimc_md_init() fimc_register_driver() # register fimc_driver platform_driver_register() platform_driver_register() driver_register() bus_add_driver() dev = kzalloc(...) # OOM happened # return without unregister fimc_driver Fix by unregister fimc_driver when platform_driver_register() returns error. Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver") Signed-off-by: Yuan Can Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 9416861170ba0da8ddb0f4fd2d28334f0ed3b9c2 Author: Yang Yingliang Date: Thu Nov 10 16:24:23 2022 +0800 media: solo6x10: fix possible memory leak in solo_sysfs_init() [ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ] If device_register() returns error in solo_sysfs_init(), the name allocated by dev_set_name() need be freed. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(). Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo") Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 8a204a0b4a0d105229735222c515759ea2b126c1 Author: Chen Zhongjin Date: Tue Nov 8 15:06:30 2022 +0800 media: vidtv: Fix use-after-free in vidtv_bridge_dvb_init() [ Upstream commit ba8d9405935097e296bcf7a942c3a01df0edb865 ] KASAN reports a use-after-free: BUG: KASAN: use-after-free in dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] Call Trace: ... dvb_dmxdev_release+0x4d5/0x5d0 [dvb_core] vidtv_bridge_probe+0x7bf/0xa40 [dvb_vidtv_bridge] platform_probe+0xb6/0x170 ... Allocated by task 1238: ... dvb_register_device+0x1a7/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... Freed by task 1238: dvb_register_device+0x6d2/0xa70 [dvb_core] dvb_dmxdev_init+0x2af/0x4a0 [dvb_core] vidtv_bridge_probe+0x766/0xa40 [dvb_vidtv_bridge] ... It is because the error handling in vidtv_bridge_dvb_init() is wrong. First, vidtv_bridge_dmx(dev)_init() will clean themselves when fail, but goto fail_dmx(_dev): calls release functions again, which causes use-after-free. Also, in fail_fe, fail_tuner_probe and fail_demod_probe, j = i will cause out-of-bound when i finished its loop (i == NUM_FE). And the loop releasing is wrong, although now NUM_FE is 1 so it won't cause problem. Fix this by correctly releasing everything. Fixes: f90cf6079bf6 ("media: vidtv: add a bridge driver") Signed-off-by: Chen Zhongjin Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 48c489fafa46f9c56ef2d7c8f697ca997d640204 Author: Ming Qian Date: Tue Nov 1 16:04:53 2022 +0800 media: amphion: apply vb2_queue_error instead of setting manually [ Upstream commit 9d175a81e28f260916a0a13f457dd8b940eafb4e ] vb2_queue_error is help to set the error of vb2_queue, don't need to set it manually Fixes: 3cd084519c6f ("media: amphion: add vpu v4l2 m2m support") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit e9fbed19ad17a88ed74c749d398e1c4d69302346 Author: Ming Qian Date: Tue Nov 1 16:04:20 2022 +0800 media: amphion: add lock around vdec_g_fmt [ Upstream commit 8480dd5fb3c82b5887d456b3fbe4201d99231814 ] the capture format may be changed when sequence header is parsed, it may be read and write in the same time, add lock around vdec_g_fmt to synchronize it Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 2bf8461ee33c30a5a53d9ed6df780dc5c35d7c4f Author: Lorenzo Bianconi Date: Thu Nov 17 00:35:04 2022 +0100 net: ethernet: mtk_eth_soc: do not overwrite mtu configuration running reset routine [ Upstream commit b677d6c7a695dad1b02d2e0e428c39b3b344f270 ] Restore user configured MTU running mtk_hw_init() during tx timeout routine since it will be overwritten after a hw reset. Reported-by: Felix Fietkau Fixes: 9ea4d311509f ("net: ethernet: mediatek: add the whole ethernet reset into the reset process") Signed-off-by: Lorenzo Bianconi Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 38e2a92cd174b6abd6de1cca758140b0a0d31355 Author: Gaosheng Cui Date: Fri Nov 18 11:00:56 2022 +0800 ASoC: amd: acp: Fix possible UAF in acp_dma_open [ Upstream commit 3420fdb8ae99f0a08d78d2b80f42a71971cf478d ] Smatch report warning as follows: sound/soc/amd/acp/acp-platform.c:199 acp_dma_open() warn: '&stream->list' not removed from list If snd_pcm_hw_constraint_integer() fails in acp_dma_open(), stream will be freed, but stream->list will not be removed from adata->stream_list, then list traversal may cause UAF. Fix by adding the newly allocated stream to the list once it's fully initialised. Fixes: 7929985cfe36 ("ASoC: amd: acp: Initialize list to store acp_stream during pcm_open") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221118030056.3135960-1-cuigaosheng1@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 917e58a84e85e2a3355450a40e459c8de3a6a17f Author: Douglas Anderson Date: Thu Nov 17 21:49:19 2022 -0800 Input: elants_i2c - properly handle the reset GPIO when power is off [ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ] As can be seen in elants_i2c_power_off(), we want the reset GPIO asserted when power is off. The reset GPIO is active low so we need the reset line logic low when power is off to avoid leakage. We have a problem, though, at probe time. At probe time we haven't powered the regulators on yet but we have: devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW); While that _looks_ right, it turns out that it's not. The GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the GPIO to "not asserted". Since this is an active low GPIO that inits it to be high. Let's fix this to properly init the GPIO. Now after both probe and power off the state of the GPIO is consistent (it's "asserted" or level low). Once we fix this, we can see that at power on time we no longer to assert the reset GPIO as the first thing. The reset GPIO is _always_ asserted before powering on. Let's fix powering on to account for this. Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support") Signed-off-by: Douglas Anderson Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c4cc41e94d8357f5f02b8ef40257bb23931d8438 Author: Hui Tang Date: Mon Nov 14 17:02:40 2022 +0800 mtd: lpddr2_nvm: Fix possible null-ptr-deref [ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ] It will cause null-ptr-deref when resource_size(add_range) invoked, if platform_get_resource() returns NULL. Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") Signed-off-by: Hui Tang Acked-by: Uwe Kleine-König Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com Signed-off-by: Sasha Levin commit fee1df5a5835e235ed33e0c5e05008f6e597f2f0 Author: Rob Clark Date: Tue Nov 15 07:46:34 2022 -0800 drm/msm/a6xx: Fix speed-bin detection vs probe-defer [ Upstream commit f6d1918794ef92b4e26b80c3d40365347b76b1fd ] If we get an error (other than -ENOENT) we need to propagate that up the stack. Otherwise if the nvmem driver hasn't probed yet, we'll end up end up claiming that we support all the OPPs which is not likely to be true (and on some generations impossible to be true, ie. if there are conflicting OPPs). v2: Update commit msg, gc unused label, etc v3: Add previously missing \n's Fixes: fe7952c629da ("drm/msm: Add speed-bin support to a618 gpu") Signed-off-by: Rob Clark Reviewed-by: Douglas Anderson Reviewed-by: Akhil P Oommen Patchwork: https://patchwork.freedesktop.org/patch/511690/ Link: https://lore.kernel.org/r/20221115154637.1613968-1-robdclark@gmail.com Signed-off-by: Sasha Levin commit 73b7f8a820d2b7c8e5afc3a4d195a817abb657bd Author: Xiu Jianfeng Date: Thu Nov 10 14:19:26 2022 +0800 wifi: ath10k: Fix return value in ath10k_pci_init() [ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ] This driver is attempting to register to support two different buses. if either of these is successful then ath10k_pci_init() should return 0 so that hardware attached to the successful bus can be probed and supported. only if both of these are unsuccessful should ath10k_pci_init() return an errno. Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb") Signed-off-by: Xiu Jianfeng Reviewed-by: Jeff Johnson Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com Signed-off-by: Sasha Levin commit 4448a8dd1e7c246db2ce909e7ad65ca99d3390b9 Author: Wang Yufen Date: Tue Nov 15 11:29:40 2022 +0800 selftests/bpf: fix memory leak of lsm_cgroup [ Upstream commit c453e64cbc9532c0c2edfa999c35d29dad16b8bb ] kmemleak reports this issue: unreferenced object 0xffff88810b7835c0 (size 32): comm "test_progs", pid 270, jiffies 4294969007 (age 1621.315s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 03 00 00 00 03 00 00 00 0f 00 00 00 00 00 00 00 ................ backtrace: [<00000000376cdeab>] kmalloc_trace+0x27/0x110 [<000000003bcdb3b6>] selinux_sk_alloc_security+0x66/0x110 [<000000003959008f>] security_sk_alloc+0x47/0x80 [<00000000e7bc6668>] sk_prot_alloc+0xbd/0x1a0 [<0000000002d6343a>] sk_alloc+0x3b/0x940 [<000000009812a46d>] unix_create1+0x8f/0x3d0 [<000000005ed0976b>] unix_create+0xa1/0x150 [<0000000086a1d27f>] __sock_create+0x233/0x4a0 [<00000000cffe3a73>] __sys_socket_create.part.0+0xaa/0x110 [<0000000007c63f20>] __sys_socket+0x49/0xf0 [<00000000b08753c8>] __x64_sys_socket+0x42/0x50 [<00000000b56e26b3>] do_syscall_64+0x3b/0x90 [<000000009b4871b8>] entry_SYSCALL_64_after_hwframe+0x63/0xcd The issue occurs in the following scenarios: unix_create1() sk_alloc() sk_prot_alloc() security_sk_alloc() call_int_hook() hlist_for_each_entry() entry1->hook.sk_alloc_security <-- selinux_sk_alloc_security() succeeded, <-- sk->security alloced here. entry2->hook.sk_alloc_security <-- bpf_lsm_sk_alloc_security() failed goto out_free; ... <-- the sk->security not freed, memleak The core problem is that the LSM is not yet fully stacked (work is actively going on in this space) which means that some LSM hooks do not support multiple LSMs at the same time. To fix, skip the "EPERM" test when it runs in the environments that already have non-bpf lsms installed Fixes: dca85aac8895 ("selftests/bpf: lsm_cgroup functional test") Signed-off-by: Wang Yufen Cc: Stanislav Fomichev Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/r/1668482980-16163-1-git-send-email-wangyufen@huawei.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit 773bfda35c9511734d7f898e2ee73cd60d2a3f38 Author: Christoph Hellwig Date: Tue Nov 15 22:10:50 2022 +0800 dm: track per-add_disk holder relations in DM [ Upstream commit 1a581b72169968f4154b5793828f3bc28b258b35 ] dm is a bit special in that it opens the underlying devices. Commit 89f871af1b26 ("dm: delay registering the gendisk") tried to accommodate that by allowing to add the holder to the list before add_gendisk and then just add them to sysfs once add_disk is called. But that leads to really odd lifetime problems and error handling problems as we can't know the state of the kobjects and don't unwind properly. To fix this switch to just registering all existing table_devices with the holder code right after add_disk, and remove them before calling del_gendisk. Fixes: 89f871af1b26 ("dm: delay registering the gendisk") Reported-by: Yu Kuai Signed-off-by: Christoph Hellwig Signed-off-by: Yu Kuai Reviewed-by: Mike Snitzer Link: https://lore.kernel.org/r/20221115141054.1051801-7-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit ce65ef11d37e8342f17e7c822c43a2ff9317c016 Author: Yu Kuai Date: Tue Nov 15 22:10:49 2022 +0800 dm: make sure create and remove dm device won't race with open and close table [ Upstream commit d563792c8933a810d28ce0f2831f0726c2b15a31 ] open_table_device() and close_table_device() is protected by table_devices_lock, hence use it to protect add_disk() and del_gendisk(). Prepare to track per-add_disk holder relations in dm. Signed-off-by: Yu Kuai Reviewed-by: Mike Snitzer Reviewed-by: Christoph Hellwig Link: https://lore.kernel.org/r/20221115141054.1051801-6-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM") Signed-off-by: Sasha Levin commit 365c351efd4a34c139dcb40fd6519f1521d94db0 Author: Christoph Hellwig Date: Tue Nov 15 22:10:48 2022 +0800 dm: cleanup close_table_device [ Upstream commit 7b5865831c1003122f737df5e16adaa583f1a595 ] Take the list unlink and free into close_table_device so that no half torn down table_devices exist. Also remove the check for a NULL bdev as that can't happen - open_table_device never adds a table_device to the list that does not have a valid block_device. Signed-off-by: Christoph Hellwig Signed-off-by: Yu Kuai Reviewed-by: Mike Snitzer Link: https://lore.kernel.org/r/20221115141054.1051801-5-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM") Signed-off-by: Sasha Levin commit 3a3742f6b0a2fe026e721c0759160cc592b21b58 Author: Christoph Hellwig Date: Tue Nov 15 22:10:47 2022 +0800 dm: cleanup open_table_device [ Upstream commit b9a785d2dc6567b2fd9fc60057a6a945a276927a ] Move all the logic for allocation the table_device and linking it into the list into the open_table_device. This keeps the code tidy and ensures that the table_devices only exist in fully initialized state. Signed-off-by: Christoph Hellwig Signed-off-by: Yu Kuai Reviewed-by: Mike Snitzer Link: https://lore.kernel.org/r/20221115141054.1051801-4-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Stable-dep-of: 1a581b721699 ("dm: track per-add_disk holder relations in DM") Signed-off-by: Sasha Levin commit 475bdd75447acd9e771addf4c15d14a2d483d5c8 Author: Christoph Hellwig Date: Tue Nov 15 22:10:45 2022 +0800 block: clear ->slave_dir when dropping the main slave_dir reference [ Upstream commit d90db3b1c8676bc88b4309c5a571333de2263b8e ] Zero out the pointer to ->slave_dir so that the holder code doesn't incorrectly treat the object as alive when add_disk failed or after del_gendisk was called. Fixes: 89f871af1b26 ("dm: delay registering the gendisk") Reported-by: Yu Kuai Signed-off-by: Christoph Hellwig Signed-off-by: Yu Kuai Reviewed-by: Mike Snitzer Link: https://lore.kernel.org/r/20221115141054.1051801-2-yukuai1@huaweicloud.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit d2845542a95336d4238e19e2a645f92ca16c472e Author: Xiu Jianfeng Date: Sat Nov 12 17:27:19 2022 +0800 ima: Fix misuse of dereference of pointer in template_desc_init_fields() [ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ] The input parameter @fields is type of struct ima_template_field ***, so when allocates array memory for @fields, the size of element should be sizeof(**field) instead of sizeof(*field). Actually the original code would not cause any runtime error, but it's better to make it logically right. Fixes: adf53a778a0a ("ima: new templates management mechanism") Signed-off-by: Xiu Jianfeng Reviewed-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit c591c48842f08d30ec6b8416757831985ed9a315 Author: GUO Zihua Date: Fri Nov 11 18:13:17 2022 +0800 integrity: Fix memory leakage in keyring allocation error path [ Upstream commit 39419ef7af0916cc3620ecf1ed42d29659109bf3 ] Key restriction is allocated in integrity_init_keyring(). However, if keyring allocation failed, it is not freed, causing memory leaks. Fixes: 2b6aa412ff23 ("KEYS: Use structure to capture key restriction function and data") Signed-off-by: GUO Zihua Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit accc7993a780c5cd4e45051634bf66400df10f36 Author: Takashi Iwai Date: Mon Nov 14 15:16:58 2022 +0100 ALSA: memalloc: Allocate more contiguous pages for fallback case [ Upstream commit cc26516374065a34e10c9a8bf3e940e42cd96e2a ] Currently the fallback SG allocation tries to allocate each single page, and this tends to result in the reverse order of memory addresses when large space is available at boot, as the kernel takes a free page from the top to the bottom in the zone. The end result looks as if non-contiguous (although it actually is). What's worse is that it leads to an overflow of BDL entries for HD-audio. For avoiding such a problem, this patch modifies the allocation code slightly; now it tries to allocate the larger contiguous chunks as much as possible, then reduces to the smaller chunks only if the allocation failed -- a similar strategy as the existing snd_dma_alloc_pages_fallback() function. Along with the trick, drop the unused address array from snd_dma_sg_fallback object. It was needed in the past when dma_alloc_coherent() was used, but with the standard page allocator, it became superfluous and never referred. Fixes: a8d302a0b770 ("ALSA: memalloc: Revive x86-specific WC page allocations again") Reviewed-by: Kai Vehmanen Link: https://lore.kernel.org/r/20221114141658.29620-1-tiwai@suse.de Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0a730f51b02ae44031fb0be12700066c91a9af7e Author: Brian Starkey Date: Tue Sep 13 15:43:06 2022 +0100 drm/fourcc: Fix vsub/hsub for Q410 and Q401 [ Upstream commit b230555f3257f197dd98641ef6ebaf778b52dd51 ] These formats are not subsampled, but that means hsub and vsub should be 1, not 0. Fixes: 94b292b27734 ("drm: drm_fourcc: add NV15, Q410, Q401 YUV formats") Reported-by: George Kennedy Reported-by: butt3rflyh4ck Signed-off-by: Brian Starkey Reviewed-by: Liviu Dudau Signed-off-by: Liviu Dudau Link: https://patchwork.freedesktop.org/patch/msgid/20220913144306.17279-1-brian.starkey@arm.com Signed-off-by: Sasha Levin commit 8cf1235a49a3f5e2b9ff803849f59c3d589c3ebd Author: Konrad Dybcio Date: Thu Nov 10 22:07:05 2022 +0100 regulator: qcom-rpmh: Fix PMR735a S3 regulator spec [ Upstream commit dd801b2265c81bf0c8b0b4b8f7c1e7bfed078403 ] PMR735a has a wider range than previously defined. Fix it. Fixes: c4e5aa3dbee5 ("regulator: qcom-rpmh: Add PM7325/PMR735A regulator support") Signed-off-by: Konrad Dybcio Link: https://lore.kernel.org/r/20221110210706.80301-1-konrad.dybcio@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit a428dcc4a42172c9437a83bac0e8bcd7e5768470 Author: Christophe JAILLET Date: Sun Nov 13 16:49:18 2022 +0100 wifi: rtw89: Fix some error handling path in rtw89_core_sta_assoc() [ Upstream commit 81c0b8928437ddfe87b0024c5bd817bc331d8524 ] 'ret' is not updated after a function call in rtw89_core_sta_assoc(). This prevent error handling from working. Add the missing assignment. Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") Signed-off-by: Christophe JAILLET Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/7b1d82594635e4406d3438f33d8da29eaa056c5a.1668354547.git.christophe.jaillet@wanadoo.fr Signed-off-by: Sasha Levin commit 18ef9434379b695442d778a8c7f1094ca170a7cb Author: Joel Granados Date: Wed Nov 2 18:17:08 2022 +0100 nvme: return err on nvme_init_non_mdts_limits fail [ Upstream commit bcaf434b8f04e1ee82a8b1e1bce0de99fbff67fa ] In nvme_init_non_mdts_limits function we were returning 0 when kzalloc failed; it now returns -ENOMEM. Fixes: 5befc7c26e5a ("nvme: implement non-mdts command limits") Signed-off-by: Joel Granados Reviewed-by: Chaitanya Kulkarni Signed-off-by: Christoph Hellwig Signed-off-by: Sasha Levin commit 8084bd0a64e278314b733993f388d83a86aa1183 Author: Dan Carpenter Date: Tue Nov 15 15:56:57 2022 +0300 amdgpu/pm: prevent array underflow in vega20_odn_edit_dpm_table() [ Upstream commit d27252b5706e51188aed7647126e44dcf9e940c1 ] In the PP_OD_EDIT_VDDC_CURVE case the "input_index" variable is capped at 2 but not checked for negative values so it results in an out of bounds read. This value comes from the user via sysfs. Fixes: d5bf26539494 ("drm/amd/powerplay: added vega20 overdrive support V3") Signed-off-by: Dan Carpenter Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 2f98469c3141f8e42ba11075a273fb795bbad57f Author: Yang Yingliang Date: Tue Nov 15 17:15:08 2022 +0800 regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() [ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ] I got the the following report: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@62/regulators/exten In of_get_regulator(), the node is returned from of_parse_phandle() with refcount incremented, after using it, of_node_put() need be called. Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 3b97e1e894ece722a812fbdafe1841182c46221b Author: Christoph Hellwig Date: Mon Nov 7 14:01:24 2022 +0100 nvmet: only allocate a single slab for bvecs [ Upstream commit fa8f9ac42350edd3ce82d0d148a60f0fa088f995 ] There is no need to have a separate slab cache for each namespace, and having separate ones creates duplicate debugs file names as well. Fixes: d5eff33ee6f8 ("nvmet: add simple file backed ns support") Signed-off-by: Christoph Hellwig Reviewed-by: Keith Busch Reviewed-by: Sagi Grimberg Reviewed-by: Chaitanya Kulkarni Reviewed-by: Martin K. Petersen Signed-off-by: Sasha Levin commit 21b92cf41952577a95bfa430e39478cbd66e42a7 Author: Zeng Heng Date: Mon Nov 14 16:56:29 2022 +0800 ASoC: pxa: fix null-pointer dereference in filter() [ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ] kasprintf() would return NULL pointer when kmalloc() fail to allocate. Need to check the return pointer before calling strcmp(). Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support") Signed-off-by: Zeng Heng Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 83a583a36982927406fa64f2907ba0215cc15636 Author: Xinlei Lee Date: Wed Nov 9 18:00:59 2022 +0800 drm/mediatek: Modify dpi power on/off sequence. [ Upstream commit ff446c0f6290185cefafe3b376bb86063a3a9f6a ] Modify dpi power on/off sequence so that the first gpio operation will take effect. Fixes: 6bd4763fd532 ("drm/mediatek: set dpi pin mode to gpio low to avoid leakage current") Signed-off-by: Xinlei Lee Signed-off-by: Chun-Kuang Hu Signed-off-by: Sasha Levin commit 8c39a6157c45c6e8c06c0ee948d58535c7f31942 Author: Martin KaFai Lau Date: Mon Nov 7 15:04:19 2022 -0800 selftests/bpf: Fix incorrect ASSERT in the tcp_hdr_options test [ Upstream commit 52929912d7bda040b43538e8d88e8d231b76eb4e ] This patch fixes the incorrect ASSERT test in tcp_hdr_options during the CHECK to ASSERT macro cleanup. Fixes: 3082f8cd4ba3 ("selftests/bpf: Convert tcp_hdr_options test to ASSERT_* macros") Signed-off-by: Martin KaFai Lau Signed-off-by: Andrii Nakryiko Acked-by: Wang Yufen Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20221107230420.4192307-3-martin.lau@linux.dev Signed-off-by: Sasha Levin commit 6bbbe4948d4640dd3ddfb5a971065edc29c14cf4 Author: Yang Jihong Date: Fri Nov 11 11:08:36 2022 +0800 selftests/bpf: Fix xdp_synproxy compilation failure in 32-bit arch [ Upstream commit e4c9cf0ce8c413c2030e8fb215551d7e0582ee7b ] xdp_synproxy fails to be compiled in the 32-bit arch, log is as follows: xdp_synproxy.c: In function 'parse_options': xdp_synproxy.c:175:36: error: left shift count >= width of type [-Werror=shift-count-overflow] 175 | *tcpipopts = (mss6 << 32) | (ttl << 24) | (wscale << 16) | mss4; | ^~ xdp_synproxy.c: In function 'syncookie_open_bpf_maps': xdp_synproxy.c:289:28: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 289 | .map_ids = (__u64)map_ids, | ^ Fix it. Fixes: fb5cd0ce70d4 ("selftests/bpf: Add selftests for raw syncookie helpers") Signed-off-by: Yang Jihong Signed-off-by: Andrii Nakryiko Acked-by: Yonghong Song Link: https://lore.kernel.org/bpf/20221111030836.37632-1-yangjihong1@huawei.com Signed-off-by: Sasha Levin commit 69d51c26ea8359da7fe9aaa7dd23bfe301c9073c Author: Randy Dunlap Date: Mon Nov 7 16:18:29 2022 -0800 ASoC: codecs: wsa883x: use correct header file [ Upstream commit 5f52ceddc40cd61b1dd2ecf735624deaf05f779f ] Fix build errors when GPIOLIB is not set/enabled: ../sound/soc/codecs/wsa883x.c: In function 'wsa883x_probe': ../sound/soc/codecs/wsa883x.c:1394:25: error: implicit declaration of function 'devm_gpiod_get_optional'; did you mean 'devm_regulator_get_optional'? [-Werror=implicit-function-declaration] wsa883x->sd_n = devm_gpiod_get_optional(&pdev->dev, "powerdown", ../sound/soc/codecs/wsa883x.c:1395:49: error: 'GPIOD_FLAGS_BIT_NONEXCLUSIVE' undeclared (first use in this function) GPIOD_FLAGS_BIT_NONEXCLUSIVE); ../sound/soc/codecs/wsa883x.c:1414:9: error: implicit declaration of function 'gpiod_direction_output'; did you mean 'gpio_direction_output'? [-Werror=implicit-function-declaration] gpiod_direction_output(wsa883x->sd_n, 1); Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") Signed-off-by: Randy Dunlap Reported-by: kernel test robot Cc: Srinivas Kandagatla Cc: Banajit Goswami Cc: Mark Brown Cc: Liam Girdwood Cc: alsa-devel@alsa-project.org Cc: Jaroslav Kysela Cc: Takashi Iwai Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221108001829.5100-1-rdunlap@infradead.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 66fdbc0f2445d2f7b75d22a1a7d10c1a8aa2c054 Author: Krzysztof Kozlowski Date: Thu Nov 10 14:35:12 2022 +0100 ASoC: codecs: wsa883x: Use proper shutdown GPIO polarity [ Upstream commit ec5dba73f7ba10797904cf18092d2e6975a22147 ] The shutdown GPIO is active low (SD_N), but this depends on actual board layout. Linux drivers should only care about logical state, where high (1) means shutdown and low (0) means do not shutdown. Invert the GPIO to match logical value. Fixes: 43b8c7dc85a1 ("ASoC: codecs: add wsa883x amplifier support") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Srinivas Kandagatla Link: https://lore.kernel.org/r/20221110133512.478831-2-krzysztof.kozlowski@linaro.org Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 7a779e84b3c451ce4713456a413d3300143747a7 Author: Miaoqian Lin Date: Thu Nov 10 06:58:34 2022 +0400 module: Fix NULL vs IS_ERR checking for module_get_next_page [ Upstream commit 45af1d7aae7d5520d2858f8517a1342646f015db ] The module_get_next_page() function return error pointers on error instead of NULL. Use IS_ERR() to check the return value to fix this. Fixes: b1ae6dc41eaa ("module: add in-kernel support for decompressing") Signed-off-by: Miaoqian Lin Reviewed-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 0183b7c49cfdda91284505cbcdc7feecde48cbb9 Author: Johannes Berg Date: Sun Oct 30 19:17:45 2022 +0200 wifi: iwlwifi: mei: fix potential NULL-ptr deref after clone [ Upstream commit d3df49dda431f7ae4132a9a0ac25a5134c04e812 ] If cloning the SKB fails, don't try to use it, but rather return as if we should pass it. Coverity CID: 1503456 Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Johannes Berg Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20221030191011.0ce03ba99601.I87960b7cb0a3d16b9fd8d9144027e7e2587f5a58@changeid Signed-off-by: Sasha Levin commit 57f6784d8831ac1091336b41ef3b80f6bae13191 Author: Avraham Stern Date: Sun Oct 30 19:17:44 2022 +0200 wifi: iwlwifi: mei: avoid blocking sap messages handling due to rtnl lock [ Upstream commit d288067ede4b375e72daf7f9a98d937ede11a311 ] The AMT_STATE sap message handler tries to take the rtnl lock. This means that in case the rtnl lock is already taken, sap messages will not be processed. When an interface is brought up, the host requests ownership from csme. However, since the rtnl lock is already held, if there is a pending amt state message, the host will not be able to read the ownership confirm message because the amt state message handler is pending. As a result, the host fails to get ownership although csme granted it. Fix it by moving the part that needs the rtnl lock into a dedicated worker, so handling sap messages can continue. Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Avraham Stern Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20221030191011.8599f2b4e9dd.I518f79e9099bf815c5f8d90235b4ce3250f59970@changeid Signed-off-by: Sasha Levin commit a29e442ee110aafdf7785fac6de44b22d3da43db Author: Emmanuel Grumbach Date: Sun Oct 30 19:17:43 2022 +0200 wifi: iwlwifi: mei: fix tx DHCP packet for devices with new Tx API [ Upstream commit bcd68b3dbe78b7b0f7b6b55162cf1eff1e7fff9e ] Devices with new Tx API have the IV introduced by the HW and it is not present in the skb at all. Hence we don't need to tell iwl_mvm_mei_tx_copy_to_csme to jump over 8 bytes to get to the ethernet header. Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Emmanuel Grumbach Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20221030191011.12dc42133502.Idd744ffeeb84b880eb497963ee02563cbb959a42@changeid Signed-off-by: Sasha Levin commit 9829f3a5ae4b657dbf4b337fb1cb2a74e1b1c263 Author: Emmanuel Grumbach Date: Sun Oct 30 19:17:42 2022 +0200 wifi: iwlwifi: mei: don't send SAP commands if AMT is disabled [ Upstream commit 95170a46b7dddbc3ac31b20ef2e8fa9d556d783d ] We should not send any SAP command to CSME if AMT is disabled. Reported-by: Toke Høiland-Jørgensen Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Emmanuel Grumbach Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20221030191011.ea222d41c781.Ifc90ddc3e35187683ff7f59371d792b61c8854c8@changeid Signed-off-by: Sasha Levin commit 39138cee7ab9d2bc178daf266e58395d78a69c8c Author: Avraham Stern Date: Sun Oct 30 19:17:41 2022 +0200 wifi: iwlwifi: mei: make sure ownership confirmed message is sent [ Upstream commit 5aa7ce31bd84c2f4f059200f06c537c920cbb458 ] It is possible that CSME will try to take ownership while the driver is stopping. In this case, if the CSME takes ownership message arrives after the driver started unregistering, the iwl_mei_cache->ops is already invalid, so the host will not answer with the ownership confirmed message. Similarly, if the take ownership message arrived after the mac was stopped or when iwl_mvm_up() failed, setting rfkill will not trigger sending the confirm message. As a result, CSME will not take ownership, which will result in a disconnection. Fix it by sending the ownership confirmed message immediately in such cases. Fixes: 2da4366f9e2c ("iwlwifi: mei: add the driver to allow cooperation with CSME") Signed-off-by: Avraham Stern Signed-off-by: Gregory Greenman Link: https://lore.kernel.org/r/20221030191011.b2a4c009e3e6.I7f931b7ee8b168e8ac88b11f23bff98b7ed3cb19@changeid Signed-off-by: Sasha Levin commit 61dd45b01b207b6f23439d0551e8d1a40a416752 Author: Sam Shih Date: Sun Nov 6 09:01:11 2022 +0100 pinctrl: mediatek: fix the pinconf register offset of some pins [ Upstream commit 3476b354c65db442580ef355885c69e60c546ef0 ] Correct the bias-pull-up, bias-pull-down and bias-disable register offset of mt7986 pin-42 to pin-49, in the original driver, the relative offset value was erroneously decremented by 1. Fixes: 360de6728064 ("pinctrl: mediatek: add support for MT7986 SoC") Signed-off-by: Sam Shih Signed-off-by: Frank Wunderlich Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221106080114.7426-5-linux@fw-web.de Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit afe3309dedec8a5959441589a117f167ce98b2d3 Author: Frank Wunderlich Date: Sun Nov 6 09:01:09 2022 +0100 dt-bindings: pinctrl: update uart/mmc bindings for MT7986 SoC [ Upstream commit c115e7f51e685536ecb885854bdd4b3f225ff3e4 ] Fix mmc and uart pins after uart splitting. Some pinmux pins of the mt7986 pinctrl driver is composed of multiple pinctrl groups, the original binding only allows one pinctrl group per dts node, this patch sets "maxItems" for these groups and add new examples to the binding documentation. Fixes: 65916a1ca90a ("dt-bindings: pinctrl: update bindings for MT7986 SoC") Signed-off-by: Sam Shih Signed-off-by: Frank Wunderlich Acked-by: Krzysztof Kozlowski Link: https://lore.kernel.org/r/20221106080114.7426-3-linux@fw-web.de Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 9e203e437310f61fdf3c1107f41f85864cf4f6b1 Author: Hanjun Guo Date: Fri Nov 4 17:50:02 2022 +0800 drm/radeon: Add the missed acpi_put_table() to fix memory leak [ Upstream commit 10276a20be1115e1f76c189330da2992df980eee ] When the radeon driver reads the bios information from ACPI table in radeon_acpi_vfct_bios(), it misses to call acpi_put_table() to release the ACPI memory after the init, so add acpi_put_table() properly to fix the memory leak. v2: fix text formatting (Alex) Fixes: 268ba0a99f89 ("drm/radeon: implement ACPI VFCT vbios fetch (v3)") Signed-off-by: Hanjun Guo Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 0544ea57f999fc2aee076ff82cc70091e7fc2585 Author: Khazhismel Kumykov Date: Tue Nov 8 10:10:29 2022 -0800 bfq: fix waker_bfqq inconsistency crash [ Upstream commit a1795c2ccb1e4c49220d2a0d381540024d71647c ] This fixes crashes in bfq_add_bfqq_busy due to waker_bfqq being NULL, but woken_list_node still being hashed. This would happen when bfq_init_rq() expects a brand new allocated queue to be returned from bfq_get_bfqq_handle_split() and unconditionally updates waker_bfqq without resetting woken_list_node. Since we can always return oom_bfqq when attempting to allocate, we cannot assume waker_bfqq starts as NULL. Avoid setting woken_bfqq for oom_bfqq entirely, as it's not useful. Crashes would have a stacktrace like: [160595.656560] bfq_add_bfqq_busy+0x110/0x1ec [160595.661142] bfq_add_request+0x6bc/0x980 [160595.666602] bfq_insert_request+0x8ec/0x1240 [160595.671762] bfq_insert_requests+0x58/0x9c [160595.676420] blk_mq_sched_insert_request+0x11c/0x198 [160595.682107] blk_mq_submit_bio+0x270/0x62c [160595.686759] __submit_bio_noacct_mq+0xec/0x178 [160595.691926] submit_bio+0x120/0x184 [160595.695990] ext4_mpage_readpages+0x77c/0x7c8 [160595.701026] ext4_readpage+0x60/0xb0 [160595.705158] filemap_read_page+0x54/0x114 [160595.711961] filemap_fault+0x228/0x5f4 [160595.716272] do_read_fault+0xe0/0x1f0 [160595.720487] do_fault+0x40/0x1c8 Tested by injecting random failures into bfq_get_queue, crashes go away completely. Fixes: 8ef3fc3a043c ("block, bfq: make shared queues inherit wakers") Signed-off-by: Khazhismel Kumykov Reviewed-by: Jan Kara Link: https://lore.kernel.org/r/20221108181030.1611703-1-khazhy@google.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 0c57b39033e002af8f560c85091bd9c633f5aedd Author: Christoph Böhmwalder Date: Wed Nov 9 14:34:51 2022 +0100 drbd: use blk_queue_max_discard_sectors helper [ Upstream commit 258bea6388ac93f34561fd91064232d14e174bff ] We currently only set q->limits.max_discard_sectors, but that is not enough. Another field, max_hw_discard_sectors, was introduced in commit 0034af036554 ("block: make /sys/block//queue/discard_max_bytes writeable"). The difference is that max_discard_sectors can be changed from user space via sysfs, while max_hw_discard_sectors is the "hardware" upper limit. So use this helper, which sets both. This is also a fixup for commit 998e9cbcd615 ("drbd: cleanup decide_on_discard_support"): if discards are not supported, that does not necessarily mean we also want to disable write_zeroes. Fixes: 998e9cbcd615 ("drbd: cleanup decide_on_discard_support") Reviewed-by: Joel Colledge Signed-off-by: Christoph Böhmwalder Link: https://lore.kernel.org/r/20221109133453.51652-2-christoph.boehmwalder@linbit.com Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 961db32e52f4d34a9a95939a30393fd190397f84 Author: Yassine Oudjana Date: Mon Nov 7 23:21:14 2022 +0300 regmap-irq: Use the new num_config_regs property in regmap_add_irq_chip_fwnode [ Upstream commit 84498d1fb35de6ab71bdfdb6270a464fb4a0951b ] Commit faa87ce9196d ("regmap-irq: Introduce config registers for irq types") added the num_config_regs, then commit 9edd4f5aee84 ("regmap-irq: Deprecate type registers and virtual registers") suggested to replace num_type_reg with it. However, regmap_add_irq_chip_fwnode wasn't modified to use the new property. Later on, commit 255a03bb1bb3 ("ASoC: wcd9335: Convert irq chip to config regs") removed the old num_type_reg property from the WCD9335 driver's struct regmap_irq_chip, causing a null pointer dereference in regmap_irq_set_type when it tried to index d->type_buf as it was never allocated in regmap_add_irq_chip_fwnode: [ 39.199374] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 [ 39.200006] Call trace: [ 39.200014] regmap_irq_set_type+0x84/0x1c0 [ 39.200026] __irq_set_trigger+0x60/0x1c0 [ 39.200040] __setup_irq+0x2f4/0x78c [ 39.200051] request_threaded_irq+0xe8/0x1a0 Use num_config_regs in regmap_add_irq_chip_fwnode instead of num_type_reg, and fall back to it if num_config_regs isn't defined to maintain backward compatibility. Fixes: faa87ce9196d ("regmap-irq: Introduce config registers for irq types") Signed-off-by: Yassine Oudjana Link: https://lore.kernel.org/r/20221107202114.823975-1-y.oudjana@protonmail.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 2bba26652613176f3557be236b9189a17ada8687 Author: Laurent Pinchart Date: Sun Oct 2 00:31:10 2022 +0300 drm: rcar-du: Drop leftovers dependencies from Kconfig [ Upstream commit 1760eb547276299ab0c6a6cd3d29469e54ade615 ] Commit 841281fe52a7 ("drm: rcar-du: Drop LVDS device tree backward compatibility") has removed device tree overlay sources used for backward compatibility with old bindings, but forgot to remove related dependencies from Kconfig. Fix it. Fixes: 841281fe52a7 ("drm: rcar-du: Drop LVDS device tree backward compatibility") Reviewed-by: Geert Uytterhoeven Reviewed-by: Kieran Bingham Signed-off-by: Laurent Pinchart Signed-off-by: Sasha Levin commit 7f8811ed9853e72f01872cf3cb06f51aafe04be5 Author: Ping-Ke Shih Date: Tue Nov 8 09:38:58 2022 +0800 wifi: rtw89: use u32_encode_bits() to fill MAC quota value [ Upstream commit 525c06c81d75690a9b795cc62a758838c1a6b6fe ] Coverity reported shift 16 bits could cause sign extension and might get an unexpected value. Since the input values are predefined and no this kind of case, original code is safe so far. But, still changing them to use u32_encode_bits() will be more clear and prevent mistakes in the future. The original message of Coverity is: Suspicious implicit sign extension: "max_cfg->cma0_dma" with type "u16" (16 bits, unsigned) is promoted in "max_cfg->cma0_dma << 16" to type "int" (32 bits, signed), then sign-extended to type "unsigned long" (64 bits, unsigned). If "max_cfg->cma0_dma << 16" is greater than 0x7FFFFFFF, the upper bits of the result will all be 1." Reported-by: coverity-bot Addresses-Coverity-ID: 1527095 ("Integer handling issues") Fixes: e3ec7017f6a2 ("rtw89: add Realtek 802.11ax driver") Signed-off-by: Ping-Ke Shih Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221108013858.10806-1-pkshih@realtek.com Signed-off-by: Sasha Levin commit fb9277b1c82c590ba35d2b4f6a2829125dea57e8 Author: Marek Vasut Date: Tue Nov 1 16:26:29 2022 +0100 drm: lcdif: Set and enable FIFO Panic threshold [ Upstream commit e3cac8f7749f78dacdf19c00ed5862a1db52239f ] In case the LCDIFv3 is used to drive a 4k panel via i.MX8MP HDMI bridge, the LCDIFv3 becomes susceptible to FIFO underflows, these lead to nasty flicker of the image on the panel, or image being shifted by half frame horizontally every second frame. The flicker can be easily triggered by running 3D application on top of weston compositor, like neverball or chromium. Surprisingly glmark2-es2-wayland or glmark2-es2-drm does not trigger this effect so easily. Configure the FIFO Panic threshold register and enable the FIFO Panic mode, which internally boosts the NoC interconnect priority for LCDIFv3 transactions in case of possible underflow. This mitigates the flicker effect on 4k panels as well. Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant") Signed-off-by: Marek Vasut Tested-by: Liu Ying # i.MX8mp EVK Reviewed-by: Liu Ying Link: https://patchwork.freedesktop.org/patch/msgid/20221101152629.21768-1-marex@denx.de Signed-off-by: Sasha Levin commit 735d1820a6b1c369b88417bded50b42c927e274c Author: David Howells Date: Wed Sep 7 19:17:29 2022 +0100 rxrpc: Fix ack.bufferSize to be 0 when generating an ack [ Upstream commit 8889a711f9b4dcf4dd1330fa493081beebd118c9 ] ack.bufferSize should be set to 0 when generating an ack. Fixes: 8d94aa381dab ("rxrpc: Calls shouldn't hold socket refs") Reported-by: Jeffrey Altman Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org Signed-off-by: Sasha Levin commit 5697a0d4a7e11f68aef0c132c9f147d7ae5b8ddc Author: David Howells Date: Mon Oct 3 07:34:21 2022 +0100 net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() [ Upstream commit c3d96f690a790074b508fe183a41e36a00cd7ddd ] Provide a CONFIG_PROC_FS=n fallback for proc_create_net_single_write(). Also provide a fallback for proc_create_net_data_write(). Fixes: 564def71765c ("proc: Add a way to make network proc files writable") Reported-by: kernel test robot Signed-off-by: David Howells cc: Marc Dionne cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org Signed-off-by: Sasha Levin commit 3c1aac9cef5fac1a0cced123d15bb49383c4e88d Author: Cole Robinson Date: Fri Nov 4 16:42:45 2022 -0400 virt/sev-guest: Add a MODULE_ALIAS [ Upstream commit 2874529b3513bdc90299c90f40713602da685e35 ] Autoload the driver when, for example, SNP init code creates the corresponding platform device. [ bp: Rewrite commit message. ] Fixes: fce96cf04430 ("virt: Add SEV-SNP guest driver") Signed-off-by: Cole Robinson Signed-off-by: Borislav Petkov Acked-by: Tom Lendacky Link: https://lore.kernel.org/r/ff480c5e688eb0a72a4db0a29c7b1bb54c45bfd4.1667594253.git.crobinso@redhat.com Signed-off-by: Sasha Levin commit 91426b258392365ce223ba1a7470ee97352a8c23 Author: Wolfram Sang Date: Thu Nov 3 15:34:38 2022 +0100 clk: renesas: r8a779f0: Fix SCIF parent clocks [ Upstream commit 2e0d7d3eabce3babae1fd66d7650e00c848a3b45 ] As serial communication requires a clean clock signal, the Serial Communication Interfaces with FIFO (SCIF) are clocked by a clock that is not affected by Spread Spectrum or Fractional Multiplication. Hence change the parent clocks for the SCIF modules from the S0D12_PER clock to the SASYNCPERD4 clock (which has the same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81. Fixes: 24aaff6a6ce4 ("clk: renesas: cpg-mssr: Add support for R-Car S4-8") Reported-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20221103143440.46449-3-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 697fc4dfcb6e04b955a24ced5980441e615ded61 Author: Wolfram Sang Date: Thu Nov 3 15:34:37 2022 +0100 clk: renesas: r8a779f0: Fix HSCIF parent clocks [ Upstream commit c258e3ab639112d8f5ae9df9a873750ae2623ce2 ] As serial communication requires a clean clock signal, the High Speed Serial Communication Interfaces with FIFO (HSCIF) are clocked by a clock that is not affected by Spread Spectrum or Fractional Multiplication. Hence change the parent clocks for the HSCIF modules from the S0D3_PER clock to the SASYNCPERD1 clock (which has the same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81. Fixes: 080bcd8d5997 ("clk: renesas: r8a779f0: Add HSCIF clocks") Reported-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20221103143440.46449-2-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 3eb954aac2087a77d34039e0ed7cb972e0647f2a Author: Vladimir Zapolskiy Date: Mon Jul 4 23:08:14 2022 +0100 media: camss: Do not attach an already attached power domain on MSM8916 platform [ Upstream commit 3d658980e6dac2af6a024fdb6ded3d7bc44dc9ff ] The change to dynamically allocated power domains neglected a case of CAMSS on MSM8916 platform, where a single VFE power domain is neither attached, linked or managed in runtime in any way explicitly. This is a special case and it shall be kept as is, because the power domain management is done outside of the driver, and it's very different in comparison to all other platforms supported by CAMSS. Fixes: 6b1814e26989 ("media: camss: Allocate power domain resources dynamically") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Robert Foss Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit 24df4fa3e795fb4b15fd4d3c036596e0978d265a Author: Vladimir Zapolskiy Date: Mon Jul 4 10:44:37 2022 +0100 media: camss: Clean up received buffers on failed start of streaming [ Upstream commit c8f3582345e6a69da65ab588f7c4c2d1685b0e80 ] It is required to return the received buffers, if streaming can not be started. For instance media_pipeline_start() may fail with EPIPE, if a link validation between entities is not passed, and in such a case a user gets a kernel warning: WARNING: CPU: 1 PID: 520 at drivers/media/common/videobuf2/videobuf2-core.c:1592 vb2_start_streaming+0xec/0x160 Call trace: vb2_start_streaming+0xec/0x160 vb2_core_streamon+0x9c/0x1a0 vb2_ioctl_streamon+0x68/0xbc v4l_streamon+0x30/0x3c __video_do_ioctl+0x184/0x3e0 video_usercopy+0x37c/0x7b0 video_ioctl2+0x24/0x40 v4l2_ioctl+0x4c/0x70 The fix is to correct the error path in video_start_streaming() of camss. Fixes: 0ac2586c410f ("media: camss: Add files which handle the video device nodes") Signed-off-by: Vladimir Zapolskiy Reviewed-by: Robert Foss Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin commit c6e31be0f72caec6b9f26afca5b3844b05ec9e2d Author: Marek Vasut Date: Fri Nov 4 17:33:39 2022 +0100 wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port [ Upstream commit b8f6efccbb9dc0ff5dee7e20d69a4747298ee603 ] When using wpa_supplicant v2.10, this driver is no longer able to associate with any AP and fails in the EAPOL 4-way handshake while sending the 2/4 message to the AP. The problem is not present in wpa_supplicant v2.9 or older. The problem stems from HostAP commit 144314eaa ("wpa_supplicant: Send EAPOL frames over nl80211 where available") which changes the way EAPOL frames are sent, from them being send at L2 frames to them being sent via nl80211 control port. An EAPOL frame sent as L2 frame is passed to the WiFi driver with skb->protocol ETH_P_PAE, while EAPOL frame sent via nl80211 control port has skb->protocol set to ETH_P_802_3 . The later happens in ieee80211_tx_control_port(), where the EAPOL frame is encapsulated into 802.3 frame. The rsi_91x driver handles ETH_P_PAE EAPOL frames as high-priority frames and sends them via highest-priority transmit queue, while the ETH_P_802_3 frames are sent as regular frames. The EAPOL 4-way handshake frames must be sent as highest-priority, otherwise the 4-way handshake times out. Therefore, to fix this problem, inspect the skb control flags and if flag IEEE80211_TX_CTRL_PORT_CTRL_PROTO is set, assume this is an EAPOL frame and transmit the frame via high-priority queue just like other ETH_P_PAE frames. Fixes: 0eb42586cf87 ("rsi: data packet descriptor enhancements") Signed-off-by: Marek Vasut Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221104163339.227432-1-marex@denx.de Signed-off-by: Sasha Levin commit 7503bb76a141cb20beb916cfe977496fe0a9848a Author: Randy Dunlap Date: Fri Nov 4 13:12:38 2022 -0700 Input: joystick - fix Kconfig warning for JOYSTICK_ADC [ Upstream commit 6100a19c4fcfe154dd32f8a8ef4e8c0b1f607c75 ] Fix a Kconfig warning for JOYSTICK_ADC by also selecting IIO_BUFFER. WARNING: unmet direct dependencies detected for IIO_BUFFER_CB Depends on [n]: IIO [=y] && IIO_BUFFER [=n] Selected by [y]: - JOYSTICK_ADC [=y] && INPUT [=y] && INPUT_JOYSTICK [=y] && IIO [=y] Fixes: 2c2b364fddd5 ("Input: joystick - add ADC attached joystick driver.") Reported-by: kernel test robot Signed-off-by: Randy Dunlap Link: https://lore.kernel.org/r/20221104201238.31628-1-rdunlap@infradead.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 26c304a3f136009c5a2a04e2bf3ac6aa25aabcb4 Author: Gaosheng Cui Date: Mon Oct 24 14:51:09 2022 +0800 mtd: core: fix possible resource leak in init_mtd() [ Upstream commit 1aadf01e5076b9ab6bf294b9622335c651314895 ] I got the error report while inject fault in init_mtd(): sysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0' Call Trace: dump_stack_lvl+0x67/0x83 sysfs_warn_dup+0x60/0x70 sysfs_create_dir_ns+0x109/0x120 kobject_add_internal+0xce/0x2f0 kobject_add+0x98/0x110 device_add+0x179/0xc00 device_create_groups_vargs+0xf4/0x100 device_create+0x7b/0xb0 bdi_register_va.part.13+0x58/0x2d0 bdi_register+0x9b/0xb0 init_mtd+0x62/0x171 [mtd] do_one_initcall+0x6c/0x3c0 do_init_module+0x58/0x222 load_module+0x268e/0x27d0 __do_sys_finit_module+0xd5/0x140 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd kobject_add_internal failed for mtd-0 with -EEXIST, don't try to register things with the same name in the same directory. Error registering mtd class or bdi: -17 If init_mtdchar() fails in init_mtd(), mtd_bdi will not be unregistered, as a result, we can't load the mtd module again, to fix this by calling bdi_unregister(mtd_bdi) after out_procfs label. Fixes: 445caaa20c4d ("mtd: Allocate bdi objects dynamically") Signed-off-by: Gaosheng Cui Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20221024065109.2050705-1-cuigaosheng1@huawei.com Signed-off-by: Sasha Levin commit bcabe1dc2a344adbb3382930a23e273ba9382277 Author: Zhang Xiaoxu Date: Sat Oct 22 20:13:52 2022 +0800 mtd: Fix device name leak when register device failed in add_mtd_device() [ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ] There is a kmemleak when register device failed: unreferenced object 0xffff888101aab550 (size 8): comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s) hex dump (first 8 bytes): 6d 74 64 30 00 88 ff ff mtd0.... backtrace: [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150 [<000000003c32b416>] kvasprintf+0xb0/0x130 [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0 [<000000006e781163>] dev_set_name+0xab/0xe0 [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700 [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0 [<00000000c0d88488>] 0xffffffffa0238457 [<00000000b40d0922>] 0xffffffffa02a008f [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0 [<00000000770f6ca6>] do_init_module+0xdf/0x320 [<000000007b6768fe>] load_module+0x2f98/0x3330 [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0 [<00000000674c2290>] do_syscall_64+0x35/0x80 [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 If register device failed, should call put_device() to give up the reference. Fixes: 1f24b5a8ecbb ("[MTD] driver model updates") Signed-off-by: Zhang Xiaoxu Signed-off-by: Miquel Raynal Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com Signed-off-by: Sasha Levin commit 386cb647b8fbbcc311700e9608377a49ff4f2728 Author: Manivannan Sadhasivam Date: Wed Nov 2 14:43:20 2022 +0530 clk: qcom: gcc-sm8250: Use retention mode for USB GDSCs [ Upstream commit ac1c5a03d3772b1db25e8092f771aa33f6ae2f7e ] USB controllers on SM8250 doesn't work after coming back from suspend. This can be fixed by keeping the USB GDSCs in retention mode so that hardware can keep them ON and put into rentention mode once the parent domain goes to a low power state. Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250") Signed-off-by: Manivannan Sadhasivam Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221102091320.66007-1-manivannan.sadhasivam@linaro.org Signed-off-by: Sasha Levin commit c4809c3dd342b6a29622285b07b5c1aaecbe255f Author: Konrad Dybcio Date: Mon Oct 10 17:55:46 2022 +0200 clk: qcom: dispcc-sm6350: Add CLK_OPS_PARENT_ENABLE to pixel&byte src [ Upstream commit 92039e8c080c63748f8e133e7cfad33a75daefb6 ] Add the CLK_OPS_PARENT_ENABLE flag to pixel and byte clk srcs to ensure set_rate can succeed. Signed-off-by: Konrad Dybcio Fixes: 837519775f1d ("clk: qcom: Add display clock controller driver for SM6350") Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221010155546.73884-1-konrad.dybcio@somainline.org Signed-off-by: Sasha Levin commit ab6bfd335cf1d5420dc75069c2f6f4fd8185bb98 Author: Dmitry Baryshkov Date: Tue Sep 27 14:38:25 2022 +0300 clk: qcom: gcc-ipq806x: use parent_data for the last remaining entry [ Upstream commit 55307e522cc7a4dddc3d231ca5cb7e68e9668f66 ] Use parent_data for the last remaining entry (pll4). This clock is provided by the lcc device. Fixes: cb02866f9a74 ("clk: qcom: gcc-ipq806x: convert parent_names to parent_data") Signed-off-by: Dmitry Baryshkov Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220927113826.246241-3-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit ddbed3b583ac7a31c7019dfeb886de47423bad54 Author: Andrii Nakryiko Date: Fri Nov 4 09:36:45 2022 -0700 bpf: propagate precision across all frames, not just the last one [ Upstream commit 529409ea92d590659be487ba0839710329bd8074 ] When equivalent completed state is found and it has additional precision restrictions, BPF verifier propagates precision to currently-being-verified state chain (i.e., including parent states) so that if some of the states in the chain are not yet completed, necessary precision restrictions are enforced. Unfortunately, right now this happens only for the last frame (deepest active subprogram's frame), not all the frames. This can lead to incorrect matching of states due to missing precision marker. Currently this doesn't seem possible as BPF verifier forces everything to precise when validated BPF program has any subprograms. But with the next patch lifting this restriction, this becomes problematic. In fact, without this fix, we'll start getting failure in one of the existing test_verifier test cases: #906/p precise: cross frame pruning FAIL Unexpected success to load! verification time 48 usec stack depth 0+0 processed 26 insns (limit 1000000) max_states_per_insn 3 total_states 17 peak_states 17 mark_read 8 This patch adds precision propagation across all frames. Fixes: a3ce685dd01a ("bpf: fix precision tracking") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20221104163649.121784-3-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 3a59f8bef66362211dbb06fdc67bc238a00e9e05 Author: Andrii Nakryiko Date: Fri Nov 4 09:36:44 2022 -0700 bpf: propagate precision in ALU/ALU64 operations [ Upstream commit a3b666bfa9c9edc05bca62a87abafe0936bd7f97 ] When processing ALU/ALU64 operations (apart from BPF_MOV, which is handled correctly already; and BPF_NEG and BPF_END are special and don't have source register), if destination register is already marked precise, this causes problem with potentially missing precision tracking for the source register. E.g., when we have r1 >>= r5 and r1 is marked precise, but r5 isn't, this will lead to r5 staying as imprecise. This is due to the precision backtracking logic stopping early when it sees r1 is already marked precise. If r1 wasn't precise, we'd keep backtracking and would add r5 to the set of registers that need to be marked precise. So there is a discrepancy here which can lead to invalid and incompatible states matched due to lack of precision marking on r5. If r1 wasn't precise, precision backtracking would correctly mark both r1 and r5 as precise. This is simple to fix, though. During the forward instruction simulation pass, for arithmetic operations of `scalar = scalar` form (where is ALU or ALU64 operations), if destination register is already precise, mark source register as precise. This applies only when both involved registers are SCALARs. `ptr += scalar` and `scalar += ptr` cases are already handled correctly. This does have (negative) effect on some selftest programs and few Cilium programs. ~/baseline-tmp-results.csv are veristat results with this patch, while ~/baseline-results.csv is without it. See post scriptum for instructions on how to make Cilium programs testable with veristat. Correctness has a price. $ ./veristat -C -e file,prog,insns,states ~/baseline-results.csv ~/baseline-tmp-results.csv | grep -v '+0' File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) ----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- bpf_cubic.bpf.linked1.o bpf_cubic_cong_avoid 997 1700 +703 (+70.51%) 62 90 +28 (+45.16%) test_l4lb.bpf.linked1.o balancer_ingress 4559 5469 +910 (+19.96%) 118 126 +8 (+6.78%) ----------------------- -------------------- --------------- --------------- ------------------ ---------------- ---------------- ------------------- $ ./veristat -C -e file,prog,verdict,insns,states ~/baseline-results-cilium.csv ~/baseline-tmp-results-cilium.csv | grep -v '+0' File Program Total insns (A) Total insns (B) Total insns (DIFF) Total states (A) Total states (B) Total states (DIFF) ------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- bpf_host.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) bpf_host.o tail_nodeport_nat_ipv6_egress 3396 3446 +50 (+1.47%) 201 203 +2 (+1.00%) bpf_lxc.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) bpf_overlay.o tail_nodeport_nat_ingress_ipv6 4448 5261 +813 (+18.28%) 234 247 +13 (+5.56%) bpf_xdp.o tail_lb_ipv4 71736 73442 +1706 (+2.38%) 4295 4370 +75 (+1.75%) ------------- ------------------------------ --------------- --------------- ------------------ ---------------- ---------------- ------------------- P.S. To make Cilium ([0]) programs libbpf-compatible and thus veristat-loadable, apply changes from topmost commit in [1], which does minimal changes to Cilium source code, mostly around SEC() annotations and BPF map definitions. [0] https://github.com/cilium/cilium/ [1] https://github.com/anakryiko/cilium/commits/libbpf-friendliness Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking") Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20221104163649.121784-2-andrii@kernel.org Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit fac1282fc80acede07d111bd9d3b1766d39b316e Author: Yang Yingliang Date: Mon Oct 24 21:46:50 2022 +0800 media: platform: exynos4-is: fix return value check in fimc_md_probe() [ Upstream commit e38e42c078da4af962d322b97e726dcb2f184e3f ] devm_pinctrl_get() may return ERR_PTR(-EPROBE_DEFER), add a minus sign to fix it. Fixes: 4163851f7b99 ("[media] s5p-fimc: Use pinctrl API for camera ports configuration") Signed-off-by: Yang Yingliang Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 2f558c5208b0f70c8140e08ce09fcc84da48e789 Author: Liu Shixin Date: Thu Oct 27 20:38:55 2022 +0800 media: vivid: fix compose size exceed boundary [ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ] syzkaller found a bug: BUG: unable to handle page fault for address: ffffc9000a3b1000 #PF: supervisor write access in kernel mode #PF: error_code(0x0002) - not-present page PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 Oops: 0002 [#1] PREEMPT SMP CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:memcpy_erms+0x6/0x10 [...] Call Trace: ? tpg_fill_plane_buffer+0x856/0x15b0 vivid_fillbuff+0x8ac/0x1110 vivid_thread_vid_cap_tick+0x361/0xc90 vivid_thread_vid_cap+0x21a/0x3a0 kthread+0x143/0x180 ret_from_fork+0x1f/0x30 This is because we forget to check boundary after adjust compose->height int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem for this case. Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts") Signed-off-by: Liu Shixin Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 40356e4c885be138b94294950d48680c51ae5153 Author: Andrzej Pietrasiewicz Date: Thu Oct 27 10:02:17 2022 +0200 media: rkvdec: Add required padding [ Upstream commit 00c47aa85bb26450edc6059c3d245de062e60b5d ] The addresses of two elements of the segmap[][] member are passed to the hardware which expects 128-bit aligned addresses. However, without this patch offsetof(struct rkvdec_vp9_priv_tbl, segmap[0]) is an odd number (2421) but the hardware just ignores the 5 least significant bits of the address. As a result, the hardware writes the segmentation map to incorrect locations. Inserting 11 bytes of padding corrects this situation by making the said addresses divisible by 16 (i.e. aligned on a 128-bit boundary). Signed-off-by: Andrzej Pietrasiewicz Fixes: f25709c4ff15 ("media: rkvdec: Add the VP9 backend") Reviewed-by: Nicolas Dufresne Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 926893538b71421dc6bdbdf741d0f9a72ff69927 Author: Moudy Ho Date: Thu Oct 20 15:18:00 2022 +0800 media: platform: mtk-mdp3: fix error handling in mdp_probe() [ Upstream commit 82b7d4b5d393d6654148e885efca0a3df63806f6 ] Adjust label "err_return" order to avoid double freeing, and add two labels for easy traceability. Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") Signed-off-by: Moudy Ho Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit ef9170c00e1aa6f972defa7dc80a042b8a83a5fe Author: Moudy Ho Date: Thu Oct 20 15:17:59 2022 +0800 media: platform: mtk-mdp3: fix error handling about components clock_on [ Upstream commit 74a596e7fca6d240d61def5f448e55c256c12fed ] Add goto statement in mdp_comp_clock_on() to avoid error code not being propagated or returning positive values. This change also performs a well-timed clock_off when an error occurs, and reduces unnecessary error logging in mdp_cmdq_send(). Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") Signed-off-by: Moudy Ho Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit ab49175a5a88d83511d4f144b5bbefbaf84d9dad Author: Moudy Ho Date: Thu Oct 20 15:17:58 2022 +0800 media: platform: mtk-mdp3: fix error handling in mdp_cmdq_send() [ Upstream commit 64e0a0804b1a7a77ee364f44ffa6a8e0e7b157d2 ] Increase and refine the goto label in mdp_cmdq_send() to avoid double free and facilitate traceability. Also, remove redundant work queue event in blocking function mdp_cmdq_send(). Fixes: 61890ccaefaf ("media: platform: mtk-mdp3: add MediaTek MDP3 driver") Signed-off-by: Moudy Ho Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 12b7733807b62541577ac9ac880348de7cbc37d4 Author: Marijn Suijten Date: Wed Oct 26 20:28:24 2022 +0200 drm/msm/dsi: Prevent signed BPG offsets from bleeding into adjacent bits [ Upstream commit cc84b66be223d36a3d10d59d68ba647e72db3099 ] The bpg_offset array contains negative BPG offsets which fill the full 8 bits of a char thanks to two's complement: this however results in those bits bleeding into the next field when the value is packed into DSC PPS by the drm_dsc_helper function, which only expects range_bpg_offset to contain 6-bit wide values. As a consequence random slices appear corrupted on-screen (tested on a Sony Tama Akatsuki device with sdm845). Use AND operators to limit these two's complement values to 6 bits, similar to the AMD and i915 drivers. Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508941/ Link: https://lore.kernel.org/r/20221026182824.876933-11-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 043b1493deae742878b55548c16e766705dff019 Author: Marijn Suijten Date: Wed Oct 26 20:28:22 2022 +0200 drm/msm/dsi: Disallow 8 BPC DSC configuration for alternative BPC values [ Upstream commit d053fbc449c47517b1f6516dbce2f917f2a9f51d ] According to the `/* bpc 8 */` comment below only values for a bits_per_component of 8 are currently hardcoded in place. This is further confirmed by downstream sources [1] containing different constants for other BPC values (and different initial_offset too, with an extra dependency on bits_per_pixel). Prevent future mishaps by explicitly disallowing any other bits_per_component value until the right parameters are put in place and tested. [1]: https://git.codelinaro.org/clo/la/platform/vendor/opensource/display-drivers/-/blob/DISPLAY.LA.2.0.r1-08000-WAIPIO.0/msm/sde_dsc_helper.c#L110-139 Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508942/ Link: https://lore.kernel.org/r/20221026182824.876933-9-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 0a323c2aa1271355a88a921e2ccec46edb27ff4b Author: Marijn Suijten Date: Wed Oct 26 20:28:21 2022 +0200 drm/msm/dsi: Account for DSC's bits_per_pixel having 4 fractional bits [ Upstream commit d2c277c61986942e99680cb67ce26423d0f42f11 ] drm_dsc_config's bits_per_pixel field holds a fractional value with 4 bits, which all panel drivers should adhere to for drm_dsc_pps_payload_pack() to generate a valid payload. All code in the DSI driver here seems to assume that this field doesn't contain any fractional bits, hence resulting in the wrong values being computed. Since none of the calculations leave any room for fractional bits or seem to indicate any possible area of support, disallow such values altogether. calculate_rc_params() in intel_vdsc.c performs an identical bitshift to get at this integer value. Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508938/ Link: https://lore.kernel.org/r/20221026182824.876933-8-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 8a80ad33dbd235368e3415d8f0d6548755ba5690 Author: Marijn Suijten Date: Wed Oct 26 20:28:20 2022 +0200 drm/msm/dsi: Migrate to drm_dsc_compute_rc_parameters() [ Upstream commit c3a1aabce2d4087255de90100c3dad492e7d925c ] As per the FIXME this code is entirely duplicate with what is already provided inside drm_dsc_compute_rc_parameters(), supposedly because that function was yielding "incorrect" results while in reality the panel driver(s?) used for testing were providing incorrect parameters. For example, this code from downstream assumed dsc->bits_per_pixel to contain an integer value, whereas the upstream drm_dsc_config struct stores it with 4 fractional bits. drm_dsc_compute_rc_parameters() already accounts for this feat while the panel driver used for testing [1] wasn't, hence making drm_dsc_compute_rc_parameters() seem like it was returning an incorrect result. Other users of dsc->bits_per_pixel inside dsi_populate_dsc_params() also treat it in the same erroneous way, and will be addressed in a separate patch. In the end, using drm_dsc_compute_rc_parameters() spares both a lot of duplicate code and erratic behaviour. [1]: https://git.linaro.org/people/vinod.koul/kernel.git/commit/?h=topic/pixel3_5.18-rc1&id=1d7d98ad564f1ec69e7525e07418918d90f247a1 Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Signed-off-by: Marijn Suijten Reviewed-by: Dmitry Baryshkov Patchwork: https://patchwork.freedesktop.org/patch/508939/ Link: https://lore.kernel.org/r/20221026182824.876933-7-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 9929c46ccca80d62e76325f3e71b2fb45875060b Author: Marijn Suijten Date: Wed Oct 26 20:28:19 2022 +0200 drm/msm/dsi: Appropriately set dsc->mux_word_size based on bpc [ Upstream commit 0ca870ca304d3449b2ccdc3f0bad9843ff1519f0 ] This field is currently unread but will come into effect when duplicated code below is migrated to call drm_dsc_compute_rc_parameters(), which uses the bpc-dependent value of the local variable mux_words_size in much the same way. The hardcoded constant seems to be a remnant from the `/* bpc 8 */` comment right above, indicating that this group of field assignments is applicable to bpc = 8 exclusively and should probably bail out on different bpc values, until constants for other bpc values are added (or the current ones are confirmed to be correct across multiple bpc's). Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508943/ Link: https://lore.kernel.org/r/20221026182824.876933-6-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 275b1d41f9b24e26e4e0dc18d9f05f995b2fe595 Author: Marijn Suijten Date: Wed Oct 26 20:28:18 2022 +0200 drm/msm/dsi: Reuse earlier computed dsc->slice_chunk_size [ Upstream commit e443459e2e6b8e0d3187dd0d09ef7fcea87531d2 ] dsi_populate_dsc_params() is called prior to dsi_update_dsc_timing() and already computes a value for slice_chunk_size, whose value doesn't need to be recomputed and re-set here. Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508934/ Link: https://lore.kernel.org/r/20221026182824.876933-5-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit f5bf0e54c47c3bb2205ee725894df0dbc9e5ab89 Author: Marijn Suijten Date: Wed Oct 26 20:28:17 2022 +0200 drm/msm/dsi: Use DIV_ROUND_UP instead of conditional increment on modulo [ Upstream commit 1e8196103bd02a396b45c8f6188541634a47fce2 ] This exact same math is used to compute bytes_in_slice above in dsi_update_dsc_timing(), also used to fill slice_chunk_size. Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508935/ Link: https://lore.kernel.org/r/20221026182824.876933-4-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit f0282e1d5749280e0df0297680703372dd865382 Author: Marijn Suijten Date: Wed Oct 26 20:28:16 2022 +0200 drm/msm/dsi: Remove repeated calculation of slice_per_intf [ Upstream commit 170ffca836dd9f1a0219c4f67554d408fa2b5912 ] slice_per_intf is already computed for intf_width, which holds the same value as hdisplay. Fixes: 08802f515c3c ("drm/msm/dsi: Add support for DSC configuration") Reviewed-by: Bjorn Andersson Reviewed-by: Konrad Dybcio Reviewed-by: Abhinav Kumar Reviewed-by: Vinod Koul Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508933/ Link: https://lore.kernel.org/r/20221026182824.876933-3-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 36e8894c5676ec26f34330abf8a8e2d7dc03406a Author: Marijn Suijten Date: Wed Oct 26 20:28:15 2022 +0200 drm/msm/dsi: Remove useless math in DSC calculations [ Upstream commit 01a907980e0be3310f18c7d4955968f3b28e7147 ] Multiplying a value by 2 and adding 1 to it always results in a value that is uneven, and that 1 gets truncated immediately when performing integer division by 2 again. There is no "rounding" possible here. After that target_bpp_x16 is used to store a multiplication of bits_per_pixel by 16 which is only ever read to immediately be divided by 16 again, and is elided in much the same way. Fixes: b9080324d6ca ("drm/msm/dsi: add support for dsc data") Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Signed-off-by: Marijn Suijten Patchwork: https://patchwork.freedesktop.org/patch/508932/ Link: https://lore.kernel.org/r/20221026182824.876933-2-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 4235be829c9ed176eaef476a3869ed8db5df4bc5 Author: Marijn Suijten Date: Wed Oct 26 20:28:23 2022 +0200 drm/msm/dpu1: Account for DSC's bits_per_pixel having 4 fractional bits [ Upstream commit d3c1a8663d0ddb74eaa51121ccbb8340739a12a8 ] According to the comment this DPU register contains the bits per pixel as a 6.4 fractional value, conveniently matching the contents of bits_per_pixel in struct drm_dsc_config which also uses 4 fractional bits. However, the downstream source this implementation was copy-pasted from has its bpp field stored _without_ fractional part. This makes the entire convoluted math obsolete as it is impossible to pull those 4 fractional bits out of thin air, by somehow trying to reuse the lowest 2 bits of a non-fractional bpp (lsb = bpp % 4??). The rest of the code merely attempts to keep the integer part a multiple of 4, which is rendered useless thanks to data |= dsc->bits_per_pixel << 12; already filling up those bits anyway (but not on downstream). Fixes: c110cfd1753e ("drm/msm/disp/dpu1: Add support for DSC") Signed-off-by: Marijn Suijten Reviewed-by: Abhinav Kumar Reviewed-by: Dmitry Baryshkov Reviewed-by: Vinod Koul Patchwork: https://patchwork.freedesktop.org/patch/508946/ Link: https://lore.kernel.org/r/20221026182824.876933-10-marijn.suijten@somainline.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit fae22b0b5b4b4dfb2435c3858b97a9d9579060b8 Author: Kumar Kartikeya Dwivedi Date: Fri Nov 4 00:39:53 2022 +0530 bpf: Fix slot type check in check_stack_write_var_off [ Upstream commit f5e477a861e4a20d8a1c5f7a245f3a3c3c376b03 ] For the case where allow_ptr_leaks is false, code is checking whether slot type is STACK_INVALID and STACK_SPILL and rejecting other cases. This is a consequence of incorrectly checking for register type instead of the slot type (NOT_INIT and SCALAR_VALUE respectively). Fix the check. Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20221103191013.1236066-5-memxor@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit ebe6c699ee2681265d14af9c274af7da2e1ad440 Author: Kumar Kartikeya Dwivedi Date: Fri Nov 4 00:39:52 2022 +0530 bpf: Clobber stack slot when writing over spilled PTR_TO_BTF_ID [ Upstream commit 261f4664caffdeb9dff4e83ee3c0334b1c3a552f ] When support was added for spilled PTR_TO_BTF_ID to be accessed by helper memory access, the stack slot was not overwritten to STACK_MISC (and that too is only safe when env->allow_ptr_leaks is true). This means that helpers who take ARG_PTR_TO_MEM and write to it may essentially overwrite the value while the verifier continues to track the slot for spilled register. This can cause issues when PTR_TO_BTF_ID is spilled to stack, and then overwritten by helper write access, which can then be passed to BPF helpers or kfuncs. Handle this by falling back to the case introduced in a later commit, which will also handle PTR_TO_BTF_ID along with other pointer types, i.e. cd17d38f8b28 ("bpf: Permits pointers on stack for helper calls"). Finally, include a comment on why REG_LIVE_WRITTEN is not being set when clobber is set to true. In short, the reason is that while when clobber is unset, we know that we won't be writing, when it is true, we *may* write to any of the stack slots in that range. It may be a partial or complete write, to just one or many stack slots. We cannot be sure, hence to be conservative, we leave things as is and never set REG_LIVE_WRITTEN for any stack slot. However, clobber still needs to reset them to STACK_MISC assuming writes happened. However read marks still need to be propagated upwards from liveness point of view, as parent stack slot's contents may still continue to matter to child states. Cc: Yonghong Song Fixes: 1d68f22b3d53 ("bpf: Handle spilled PTR_TO_BTF_ID properly when checking stack_boundary") Signed-off-by: Kumar Kartikeya Dwivedi Link: https://lore.kernel.org/r/20221103191013.1236066-4-memxor@gmail.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit e7a3542f44fd2f52be82fd817e7b6a8a83164ae2 Author: Dmitry Baryshkov Date: Fri Aug 26 12:39:23 2022 +0300 drm/msm/hdmi: use devres helper for runtime PM management [ Upstream commit b964444b2b64ce182495731d830499d1c588ccf6 ] Use devm_pm_runtime_enable() to enable runtime PM. This way its effect will be reverted on device unbind/destruction. Fixes: 6ed9ed484d04 ("drm/msm/hdmi: Set up runtime PM for HDMI") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/499647/ Link: https://lore.kernel.org/r/20220826093927.851597-2-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 8008f1691c15f353f5a53dc5d450b8262cb57421 Author: GUO Zihua Date: Wed Sep 21 20:58:04 2022 +0800 ima: Handle -ESTALE returned by ima_filter_rule_match() [ Upstream commit c7423dbdbc9ecef7fff5239d144cad4b9887f4de ] IMA relies on the blocking LSM policy notifier callback to update the LSM based IMA policy rules. When SELinux update its policies, IMA would be notified and starts updating all its lsm rules one-by-one. During this time, -ESTALE would be returned by ima_filter_rule_match() if it is called with a LSM rule that has not yet been updated. In ima_match_rules(), -ESTALE is not handled, and the LSM rule is considered a match, causing extra files to be measured by IMA. Fix it by re-initializing a temporary rule if -ESTALE is returned by ima_filter_rule_match(). The origin rule in the rule list would be updated by the LSM policy notifier callback. Fixes: b16942455193 ("ima: use the lsm policy update notifier") Signed-off-by: GUO Zihua Reviewed-by: Roberto Sassu Signed-off-by: Mimi Zohar Signed-off-by: Sasha Levin commit e9a22f40f3473b11644836e03d467837b68df97d Author: Dmitry Baryshkov Date: Mon Oct 24 18:26:42 2022 +0300 drm/msm/mdp5: stop overriding drvdata [ Upstream commit c6122688f2652d7f8a44000ce21e84e82bae2b5e ] The rest of the code expects that master's device drvdata is the struct msm_drm_private instance. Do not override the mdp5's drvdata. Fixes: 6874f48bb8b0 ("drm/msm: make mdp5/dpu devices master components") Signed-off-by: Dmitry Baryshkov Reviewed-by: Abhinav Kumar Patchwork: https://patchwork.freedesktop.org/patch/508334/ Link: https://lore.kernel.org/r/20221024152642.3213488-1-dmitry.baryshkov@linaro.org Signed-off-by: Dmitry Baryshkov Signed-off-by: Sasha Levin commit 6528971fdce0dfc0a28fec42c151a1eccdabadf5 Author: Gaosheng Cui Date: Mon Oct 31 19:33:50 2022 +0800 drm/ttm: fix undefined behavior in bit shift for TTM_TT_FLAG_PRIV_POPULATED [ Upstream commit 387659939c00156f8d6bab0fbc55b4eaf2b6bc5b ] Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in ./include/drm/ttm/ttm_tt.h:122:26 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c ttm_bo_move_memcpy+0x3b4/0x460 [ttm] bo_driver_move+0x32/0x40 [drm_vram_helper] ttm_bo_handle_move_mem+0x118/0x200 [ttm] ttm_bo_validate+0xfa/0x220 [ttm] drm_gem_vram_pin_locked+0x70/0x1b0 [drm_vram_helper] drm_gem_vram_pin+0x48/0xb0 [drm_vram_helper] drm_gem_vram_plane_helper_prepare_fb+0x53/0xe0 [drm_vram_helper] drm_gem_vram_simple_display_pipe_prepare_fb+0x26/0x30 [drm_vram_helper] drm_simple_kms_plane_prepare_fb+0x4d/0xe0 [drm_kms_helper] drm_atomic_helper_prepare_planes+0xda/0x210 [drm_kms_helper] drm_atomic_helper_commit+0xc3/0x1e0 [drm_kms_helper] drm_atomic_commit+0x9c/0x160 [drm] drm_client_modeset_commit_atomic+0x33a/0x380 [drm] drm_client_modeset_commit_locked+0x77/0x220 [drm] drm_client_modeset_commit+0x31/0x60 [drm] __drm_fb_helper_restore_fbdev_mode_unlocked+0xa7/0x170 [drm_kms_helper] drm_fb_helper_set_par+0x51/0x90 [drm_kms_helper] fbcon_init+0x316/0x790 visual_init+0x113/0x1d0 do_bind_con_driver+0x2a3/0x5c0 do_take_over_console+0xa9/0x270 do_fbcon_takeover+0xa1/0x170 do_fb_registered+0x2a8/0x340 fbcon_fb_registered+0x47/0xe0 register_framebuffer+0x294/0x4a0 __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper] drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper] drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper] drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper] bochs_pci_probe+0x6ca/0x772 [bochs] local_pci_probe+0x4d/0xb0 pci_device_probe+0x119/0x320 really_probe+0x181/0x550 __driver_probe_device+0xc6/0x220 driver_probe_device+0x32/0x100 __driver_attach+0x195/0x200 bus_for_each_dev+0xbb/0x120 driver_attach+0x27/0x30 bus_add_driver+0x22e/0x2f0 driver_register+0xa9/0x190 __pci_register_driver+0x90/0xa0 bochs_pci_driver_init+0x52/0x1000 [bochs] do_one_initcall+0x76/0x430 do_init_module+0x61/0x28a load_module+0x1f82/0x2e50 __do_sys_finit_module+0xf8/0x190 __x64_sys_finit_module+0x23/0x30 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Fixes: 3312be8f6fc8 ("drm/ttm: move populated state into page flags") Signed-off-by: Gaosheng Cui Reviewed-by: Christian König Link: https://patchwork.freedesktop.org/patch/msgid/20221031113350.4180975-1-cuigaosheng1@huawei.com Signed-off-by: Christian König Signed-off-by: Sasha Levin commit 465611e812587e72bf235034edce0e51be3d6809 Author: Marek Vasut Date: Sat Oct 15 01:11:06 2022 +0200 drm/panel/panel-sitronix-st7701: Remove panel on DSI attach failure [ Upstream commit c62102165dd79284d42383d2f7ed17301bd8e629 ] In case mipi_dsi_attach() fails, call drm_panel_remove() to avoid memory leak. Fixes: 849b2e3ff969 ("drm/panel: Add Sitronix ST7701 panel driver") Signed-off-by: Marek Vasut Signed-off-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20221014231106.468063-1-marex@denx.de Signed-off-by: Sasha Levin commit 8b39120d4d9c9958a910d9e95e6590273a0b55ff Author: Jonathan Neuschäfer Date: Tue Nov 1 18:32:51 2022 +0100 spi: Update reference to struct spi_controller [ Upstream commit bf585ccee22faf469d82727cf375868105b362f7 ] struct spi_master has been renamed to struct spi_controller. Update the reference in spi.rst to make it clickable again. Fixes: 8caab75fd2c2 ("spi: Generalize SPI "master" to "controller"") Signed-off-by: Jonathan Neuschäfer Link: https://lore.kernel.org/r/20221101173252.1069294-1-j.neuschaefer@gmx.net Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 18f36c3eed394002e659cd90b74df40191cb7ac9 Author: Marek Vasut Date: Thu Oct 13 00:11:59 2022 +0200 drm/panel/panel-sitronix-st7701: Fix RTNI calculation [ Upstream commit c1cdee9b685a174fca849e1451c201a846a69318 ] The RTNI field is multiplied by 16 and incremented by 512 before being used as the minimum number of pixel clock per horizontal line, hence it is necessary to subtract those 512 bytes from htotal and then divide the result by 16 before writing the value into the RTNI field. Fix the calculation. Fixes: de2b4917843c ("drm/panel/panel-sitronix-st7701: Infer horizontal pixel count from TFT mode") Signed-off-by: Marek Vasut Reviewed-by: Linus Walleij Link: https://patchwork.freedesktop.org/patch/msgid/20221012221159.88397-1-marex@denx.de Signed-off-by: Sasha Levin commit f3ba0b7a4794f3dde09fe0a84969c7d7e4a68e13 Author: Marco Felsch Date: Tue Nov 1 17:46:15 2022 +0100 drm: lcdif: change burst size to 256B [ Upstream commit 2215cb3be5c28a1fd43036550c00c2371aeeba95 ] If a axi bus master with a higher priority do a lot of memory access FIFO underruns can be inspected. Increase the burst size to 256B to avoid such underruns and to improve the memory access efficiency. Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant") Signed-off-by: Marco Felsch Reviewed-by: Marek Vasut Signed-off-by: Marek Vasut Link: https://patchwork.freedesktop.org/patch/msgid/20221101164615.778299-1-m.felsch@pengutronix.de Signed-off-by: Sasha Levin commit 521dc068ef5d1f293a432b5dd27d1cbd2f7ea4dc Author: Marek Vasut Date: Fri Oct 28 13:38:34 2022 +0200 clk: renesas: r9a06g032: Repair grave increment error [ Upstream commit 02693e11611e082e3c4d8653e8af028e43d31164 ] If condition (clkspec.np != pd->dev.of_node) is true, then the driver ends up in an endless loop, forever, locking up the machine. Fixes: aad03a66f902 ("clk: renesas: r9a06g032: Add clock domain support") Reviewed-by: Ralph Siemsen Signed-off-by: Marek Vasut Reviewed-by: Gareth Williams Link: https://lore.kernel.org/r/20221028113834.7496-1-marex@denx.de Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit bd449cadc8db481eeaa4fe2f051e30b288a34933 Author: Anshuman Gupta Date: Thu Oct 27 14:52:42 2022 +0530 drm/i915/dgfx: Grab wakeref at i915_ttm_unmap_virtual [ Upstream commit 1cacd6894d5f4084f1581435e92d8a18d6721b25 ] We had already grabbed the rpm wakeref at obj destruction path, but it also required to grab the wakeref when object moves. When i915_gem_object_release_mmap_offset() gets called by i915_ttm_move_notify(), it will release the mmap offset without grabbing the wakeref. We want to avoid that therefore, grab the wakeref at i915_ttm_unmap_virtual() accordingly. While doing that also changed the lmem_userfault_lock from mutex to spinlock, as spinlock widely used for list. Also changed if (obj->userfault_count) to GEM_BUG_ON(!obj->userfault_count). v2: - Removed lmem_userfault_{list,lock} from intel_gt. [Matt Auld] Fixes: ad74457a6b5a ("drm/i915/dgfx: Release mmap on rpm suspend") Suggested-by: Matthew Auld Signed-off-by: Anshuman Gupta Reviewed-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20221027092242.1476080-3-anshuman.gupta@intel.com Signed-off-by: Sasha Levin commit 6039c79ea54fb079adf7a8351313575371cbff52 Author: Anshuman Gupta Date: Thu Oct 27 14:52:41 2022 +0530 drm/i915: Encapsulate lmem rpm stuff in intel_runtime_pm [ Upstream commit e66c8dcf997ed54b62f754351e7129e1cc4e3cf9 ] Runtime pm is not really per GT, therefore it make sense to move lmem_userfault_list, lmem_userfault_lock and userfault_wakeref from intel_gt to intel_runtime_pm structure, which is embedded to i915. No functional change. v2: - Fixes the code comment nit. [Matt Auld] Signed-off-by: Anshuman Gupta Reviewed-by: Matthew Auld Acked-by: Rodrigo Vivi Link: https://patchwork.freedesktop.org/patch/msgid/20221027092242.1476080-2-anshuman.gupta@intel.com Stable-dep-of: 1cacd6894d5f ("drm/i915/dgfx: Grab wakeref at i915_ttm_unmap_virtual") Signed-off-by: Sasha Levin commit 37ec70c44ec9cc43d3b98c6f5f83eb018d2b02a4 Author: Nirmoy Das Date: Fri Oct 14 15:14:27 2022 +0200 drm/i915: Refactor ttm ghost obj detection [ Upstream commit 6667d78a1123d237d66e34923754ebca97d06d39 ] Currently i915_ttm_to_gem() returns NULL for ttm ghost object which makes it unclear when we should add a NULL check for a caller of i915_ttm_to_gem() as ttm ghost objects are expected behaviour for certain cases. Create a separate function to detect ttm ghost object and use that in places where we expect a ghost obj from ttm. Signed-off-by: Nirmoy Das Reviewed-by: Matthew Auld Signed-off-by: Matthew Auld Link: https://patchwork.freedesktop.org/patch/msgid/20221014131427.21102-1-nirmoy.das@intel.com Stable-dep-of: 1cacd6894d5f ("drm/i915/dgfx: Grab wakeref at i915_ttm_unmap_virtual") Signed-off-by: Sasha Levin commit ed52edf44432a053cda7a1891f6c97f746d92fad Author: Tvrtko Ursulin Date: Thu Sep 15 16:26:54 2022 -0700 drm/i915: Handle all GTs on driver (un)load paths [ Upstream commit f569ae759472fbe1f6fdddc7398360d43fdcc199 ] This, along with the changes already landed in commit 1c66a12ab431 ("drm/i915: Handle each GT on init/release and suspend/resume") makes engines from all GTs actually known to the driver. To accomplish this we need to sprinkle a lot of for_each_gt calls around but is otherwise pretty un-eventuful. v2: - Consolidate adjacent GT loops in a couple places. (Daniele) Cc: Daniele Ceraolo Spurio Signed-off-by: Tvrtko Ursulin Signed-off-by: Matt Roper Reviewed-by: Andi Shyti Link: https://patchwork.freedesktop.org/patch/msgid/20220915232654.3283095-5-matthew.d.roper@intel.com Stable-dep-of: 1cacd6894d5f ("drm/i915/dgfx: Grab wakeref at i915_ttm_unmap_virtual") Signed-off-by: Sasha Levin commit 12a9b4c4ebd9a0ba856370e088564af83cffd565 Author: Zhang Qilong Date: Thu Sep 22 21:21:07 2022 +0800 drm/rockchip: lvds: fix PM usage counter unbalance in poweron [ Upstream commit 4dba27f1a14592ac4cf71c3bc1cc1fd05dea8015 ] pm_runtime_get_sync will increment pm usage counter even it failed. Forgetting to putting operation will result in reference leak here. We fix it by replacing it with the newest pm_runtime_resume_and_get to keep usage counter balanced. Fixes: 34cc0aa25456 ("drm/rockchip: Add support for Rockchip Soc LVDS") Fixes: cca1705c3d89 ("drm/rockchip: lvds: Add PX30 support") Signed-off-by: Zhang Qilong Signed-off-by: Heiko Stuebner Link: https://patchwork.freedesktop.org/patch/msgid/20220922132107.105419-3-zhangqilong3@huawei.com Signed-off-by: Sasha Levin commit 2734b3eb7210441b203c404fb1725875e5b077d0 Author: Haiyi Zhou Date: Thu Oct 20 11:46:54 2022 -0400 drm/amd/display: wait for vblank during pipe programming [ Upstream commit 203ccaf586446b578909de1b763278033fb74b51 ] [WHY] Skipping vblank during global sync update request can result in underflow on certain displays. [HOW] Roll back to the previous behavior where DC waits for vblank during pipe programming. Fixes: 5d3e14421410 ("drm/amd/display: do not wait for vblank during pipe programming") Tested-by: Mark Broadworth Reviewed-by: Martin Leung Acked-by: Rodrigo Siqueira Signed-off-by: Haiyi Zhou Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit f87cd02c3b653bfd508999d506d4d652e74dc9e3 Author: Sakari Ailus Date: Mon Oct 17 10:23:28 2022 +0300 dw9768: Enable low-power probe on ACPI [ Upstream commit 5f9a089b6de34655318afe8e544d9a9cc0fc1d29 ] Add support for low-power probe to the driver. Also fix runtime PM API usage in the driver. Much of the hassle comes from different factors affecting device power states during probe for ACPI and DT. Signed-off-by: Sakari Ailus Fixes: 859891228e56 ("media: i2c: dw9768: Add DW9768 VCM driver") Signed-off-by: Sasha Levin commit 64f61e18286ba363fc9ab9130718411d8f1cf87c Author: Alan Previn Date: Tue Oct 25 23:05:06 2022 -0700 drm/i915/guc: Fix GuC error capture sizing estimation and reporting [ Upstream commit befb231d5de2773f6c6f6cf918234e2e709110a5 ] During GuC error capture initialization, we estimate the amount of size we need for the error-capture-region of the shared GuC-log-buffer. This calculation was incorrect so fix that. With the fixed calculation we can reduce the allocation of error-capture region from 4MB to 1MB (see note2 below for reasoning). Additionally, switch from drm_notice to drm_debug for the 3X spare size check since that would be impossible to hit without redesigning gpu_coredump framework to hold multiple captures. NOTE1: Even for 1x the min size estimation case, actually running out of space is a corner case because it can only occur if all engine instances get reset all at once and i915 isn't able extract the capture data fast enough within G2H handler worker. NOTE2: With the corrected calculation, a DG2 part required ~77K and a PVC required ~115K (1X min-est-size that is calculated as one-shot all-engine- reset scenario). Fixes: d7c15d76a554 ("drm/i915/guc: Check sizing of guc_capture output") Cc: Alan Previn Cc: Matthew Brost Cc: Lucas De Marchi Cc: John Harrison Cc: Umesh Nerlige Ramappa Cc: Balasubramani Vivekanandan Cc: Matt Roper Cc: Jani Nikula Cc: Joonas Lahtinen Cc: Chris Wilson Signed-off-by: Alan Previn Reviewed-by: John Harrison Signed-off-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20221026060506.1007830-2-alan.previn.teres.alexis@intel.com Signed-off-by: Sasha Levin commit 2fb13ac78aa99634547f364de6d41561a74c24f2 Author: Alan Previn Date: Wed Oct 19 00:29:29 2022 -0700 drm/i915/guc: Add error-capture init warnings when needed [ Upstream commit a894077890ad118de88c97c03f67a611ca60882a ] If GuC is being used and we initialized GuC-error-capture, we need to be warning if we don't provide an error-capture register list in the firmware ADS, for valid GT engines. A warning makes sense as this would impact debugability without realizing why a reglist wasn't retrieved and reported by GuC. However, depending on the platform, we might have certain engines that have a register list for engine instance error state but not for engine class. Thus, add a check only to warn if the register list was non existent vs an empty list (use the empty lists to skip the warning). NOTE: if a future platform were to introduce new registers in place of what was an empty list on existing / legacy hardware engines no warning is provided as the empty list is meant to be used intentionally. As an example, if a future hardware were to add blitter engine-class-registers (new) on top of the legacy blitter engine-instance-register (HEAD, TAIL, etc.), no warning is generated. Signed-off-by: Alan Previn Reviewed-by: John Harrison Signed-off-by: John Harrison Link: https://patchwork.freedesktop.org/patch/msgid/20221019072930.17755-2-alan.previn.teres.alexis@intel.com Stable-dep-of: befb231d5de2 ("drm/i915/guc: Fix GuC error capture sizing estimation and reporting") Signed-off-by: Sasha Levin commit fe9f9b9d06d3039091614311bc886685ebec25db Author: Nícolas F. R. A. Prado Date: Mon Oct 24 18:00:14 2022 -0400 ASoC: dt-bindings: rt5682: Set sound-dai-cells to 1 [ Upstream commit 07b16192f3f01d002d8ff37dcd4372980330ea93 ] Commit 0adccaf1eac9 ("ASoC: dt-bindings: rt5682: Add #sound-dai-cells") defined the sound-dai-cells property as 0. However, rt5682 has two DAIs, AIF1 and AIF2, and therefore should have sound-dai-cells set to 1. Fix it. Fixes: 0adccaf1eac9 ("ASoC: dt-bindings: rt5682: Add #sound-dai-cells") Signed-off-by: Nícolas F. R. A. Prado Reviewed-by: Chen-Yu Tsai Acked-by: Krzysztof Kozlowski Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221024220015.1759428-4-nfraprado@collabora.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit 0b708cb7f03d394a8056f45a55380831ee792ac1 Author: Wolfram Sang Date: Wed Oct 12 20:48:30 2022 +0200 clk: renesas: r8a779a0: Fix SD0H clock name [ Upstream commit db7076d5a7f0ca7dcf08f5095c74f86d4d0085ff ] Correct the misspelled textual name of the SD0H clock. Fixes: 470e3f0d0b15 ("clk: renesas: rcar-gen4: Introduce R-Car Gen4 CPG driver") Reported-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20221012184830.3199-1-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit fb0425321947991edbe2230be577537c7eddaa2b Author: Geert Uytterhoeven Date: Wed Oct 12 09:02:33 2022 +0200 clk: renesas: r8a779f0: Fix SD0H clock name [ Upstream commit 99c05a2b710f16ea592ccb63ef5fe5f1f6b15db9 ] Correct the misspelled textual name of the SD0H clock. Fixes: 9b5dd1ff705c6854 ("clk: renesas: r8a779f0: Add SDH0 clock") Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Link: https://lore.kernel.org/r/1f682d338f133608f138ae87323707436ad8c748.1665558014.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit a8e14234ac267932fd5ed38b088e5b3d9644f897 Author: Jimmy Assarsson Date: Mon Oct 10 20:52:37 2022 +0200 can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming [ Upstream commit 39d3df6b0ea80f9b515c632ca07b39b1c156edee ] The device will respond with a CMD_ERROR_EVENT command, with error_code KVASER_USB_{LEAF,HYDRA}_ERROR_EVENT_PARAM, if the CMD_SET_BUSPARAMS_REQ contains invalid bittiming parameters. However, this command does not contain any channel reference. To check if the CMD_SET_BUSPARAMS_REQ was successful, redback and compare the requested bittiming parameters with the device reported parameters. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family") Tested-by: Anssi Hannula Co-developed-by: Anssi Hannula Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-12-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 70e91ddbe3b1fc5b0fbe83a04e5698c48a0ee22a Author: Jimmy Assarsson Date: Mon Oct 10 20:52:36 2022 +0200 can: kvaser_usb: Add struct kvaser_usb_busparams [ Upstream commit 00e5786177649c1e3110f9454fdd34e336597265 ] Add struct kvaser_usb_busparams containing the busparameters used in CMD_{SET,GET}_BUSPARAMS* commands. Tested-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-11-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Stable-dep-of: 39d3df6b0ea8 ("can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming") Signed-off-by: Sasha Levin commit 87669964867a052f4ef385c471035e624ae81185 Author: Anssi Hannula Date: Mon Oct 10 20:52:35 2022 +0200 can: kvaser_usb_leaf: Fix bogus restart events [ Upstream commit 90904d326269a38fe5dd895fb2db7c03199654c4 ] When auto-restart is enabled, the kvaser_usb_leaf driver considers transition from any state >= CAN_STATE_BUS_OFF as a bus-off recovery event (restart). However, these events may occur at interface startup time before kvaser_usb_open() has set the state to CAN_STATE_ERROR_ACTIVE, causing restarts counter to increase and CAN_ERR_RESTARTED to be sent despite no actual restart having occurred. Fix that by making the auto-restart condition checks more strict so that they only trigger when the interface was actually in the BUS_OFF state. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-10-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit e66e75eed961b5dbcf1b9267e88f917d77660b6f Author: Anssi Hannula Date: Mon Oct 10 20:52:33 2022 +0200 can: kvaser_usb_leaf: Fix wrong CAN state after stopping [ Upstream commit a11249acf802341294557895d8e5f6aef080253f ] 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 sends a CMD_CHIP_STATE_EVENT indicating bus-off after stopping the device, causing a stopped device to appear as CAN_STATE_BUS_OFF instead of CAN_STATE_STOPPED. Fix that by not handling error events on stopped devices. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-8-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 1eef65b79fcea070561593bdef0512c5ad60ed31 Author: Anssi Hannula Date: Mon Oct 10 20:52:32 2022 +0200 can: kvaser_usb_leaf: Fix improved state not being reported [ Upstream commit 8d21f5927ae604881f98587fabf6753f88730968 ] The tested 0bfd:0017 Kvaser Memorator Professional HS/HS FW 2.0.50 and 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778 do not seem to send any unsolicited events when error counters decrease or when the device transitions from ERROR_PASSIVE to ERROR_ACTIVE (or WARNING). This causes the interface to e.g. indefinitely stay in the ERROR_PASSIVE state. Fix that by asking for chip state (inc. counters) event every 0.5 secs when error counters are non-zero. Since there are non-error-counter devices, also always poll in ERROR_PASSIVE even if the counters show zero. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-7-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 6354011aa53cf175eae5277c958852af0dcadec7 Author: Anssi Hannula Date: Mon Oct 10 20:52:31 2022 +0200 can: kvaser_usb_leaf: Set Warning state even without bus errors [ Upstream commit df1b7af2761b935f63b4a53e789d41ed859edf61 ] kvaser_usb_leaf_rx_error_update_can_state() sets error state according to error counters when the hardware does not indicate a specific state directly. However, this is currently gated behind a check for M16C_STATE_BUS_ERROR which does not always seem to be set when error counters are increasing, and may not be set when error counters are decreasing. This causes the CAN_STATE_ERROR_WARNING state to not be set in some cases even when appropriate. Change the code to set error state from counters even without M16C_STATE_BUS_ERROR. The Error-Passive case seems superfluous as it is already set via M16C_STATE_BUS_PASSIVE flag above, but it is kept for now. Tested with 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Jimmy Assarsson Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-6-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 10081f449a06769d73eb941dc8958c4f7cd1a016 Author: Jimmy Assarsson Date: Mon Oct 10 20:52:30 2022 +0200 can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT [ Upstream commit b24cb2d169e0c9dce664a959e1f2aa9781285dc9 ] The device will send an error event command, to indicate certain errors. This indicates a misbehaving driver, and should never occur. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Tested-by: Anssi Hannula Co-developed-by: Anssi Hannula Signed-off-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-5-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 368ee61e7b13c559d014bebeae0b9ef6584dffc0 Author: Jimmy Assarsson Date: Mon Oct 10 20:52:29 2022 +0200 can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event [ Upstream commit 7ea56128dbf904a3359bcf9289cccdfa3c85c7e8 ] Prepare for handling CMD_ERROR_EVENT. Rename struct {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Reported-by: Anssi Hannula Tested-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-4-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 2a07780ad2ffad9a812275a740d3fb5afdfd5a7f Author: Jimmy Assarsson Date: Mon Oct 10 20:52:28 2022 +0200 can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device [ Upstream commit 35364f5b41a4917fe94a3f393d149b63ec583297 ] Use the CMD_GET_CAPABILITIES_REQ command to query the device for certain capabilities. We are only interested in LISTENONLY mode and wither the device reports CAN error counters. Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices") Reported-by: Anssi Hannula Tested-by: Anssi Hannula Signed-off-by: Jimmy Assarsson Link: https://lore.kernel.org/all/20221010185237.319219-3-extja@kvaser.com Signed-off-by: Marc Kleine-Budde Signed-off-by: Sasha Levin commit 8543ac4923668109d5f9b752387b1b391f43277b Author: Alan Maguire Date: Mon Oct 24 15:38:29 2022 +0100 libbpf: Btf dedup identical struct test needs check for nested structs/arrays [ Upstream commit f3c51fe02c55bd944662714e5b91b96dc271ad9f ] When examining module BTF, it is common to see core kernel structures such as sk_buff, net_device duplicated in the module. After adding debug messaging to BTF it turned out that much of the problem was down to the identical struct test failing during deduplication; sometimes the compiler adds identical structs. However it turns out sometimes that type ids of identical struct members can also differ, even when the containing structs are still identical. To take an example, for struct sk_buff, debug messaging revealed that the identical struct matching was failing for the anon struct "headers"; specifically for the first field: __u8 __pkt_type_offset[0]; /* 128 0 */ Looking at the code in BTF deduplication, we have code that guards against the possibility of identical struct definitions, down to type ids, and identical array definitions. However in this case we have a struct which is being defined twice but does not have identical type ids since each duplicate struct has separate type ids for the above array member. A similar problem (though not observed) could occur for struct-in-struct. The solution is to make the "identical struct" test check members not just for matching ids, but to also check if they in turn are identical structs or arrays. The results of doing this are quite dramatic (for some modules at least); I see the number of type ids drop from around 10000 to just over 1000 in one module for example. For testing use latest pahole or apply [1], otherwise dedups can fail for the reasons described there. Also fix return type of btf_dedup_identical_arrays() as suggested by Andrii to match boolean return type used elsewhere. Fixes: efdd3eb8015e ("libbpf: Accommodate DWARF/compiler bug with duplicated structs") Signed-off-by: Alan Maguire Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/1666622309-22289-1-git-send-email-alan.maguire@oracle.com [1] https://lore.kernel.org/bpf/1666364523-9648-1-git-send-email-alan.maguire Signed-off-by: Sasha Levin commit 5d68a8c8275974c41cb7efa2eebe57ea04bd7bb2 Author: Marek Szyprowski Date: Fri Sep 23 11:42:01 2022 +0200 media: exynos4-is: don't rely on the v4l2_async_subdev internals [ Upstream commit f98a5c2e1c4396488c27274ba82afc11725a4bcc ] Commit 1f391df44607 ("media: v4l2-async: Use endpoints in __v4l2_async_nf_add_fwnode_remote()") changed the data that is stored in the v4l2_async_subdev internals from the fwnode pointer to the parent device to the fwnode pointer to the matched endpoint. This broke the sensor matching code, which relied on the particular fwnode data in the v4l2_async_subdev internals. Fix this by simply matching the v4l2_async_subdev pointer, which is already available there. Reported-by: Daniel Scally Fixes: fa91f1056f17 ("[media] exynos4-is: Add support for asynchronous subdevices registration") Signed-off-by: Marek Szyprowski Reviewed-by: Daniel Scally Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit 3a54b72868930f07935accaf95ec4df639324940 Author: Rafael Mendonca Date: Tue Sep 20 11:27:48 2022 -0300 media: i2c: ov5648: Free V4L2 fwnode data on unbind [ Upstream commit c95770e4fc172696dcb1450893cda7d6324d96fc ] The V4L2 fwnode data structure doesn't get freed on unbind, which leads to a memleak. Fixes: e43ccb0a045f ("media: i2c: Add support for the OV5648 image sensor") Signed-off-by: Rafael Mendonca Reviewed-by: Tommaso Merciai Reviewed-by: Paul Kocialkowski Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit 91a8528694a19b22a1f9a04b053279d502beb986 Author: Kuniyuki Iwashima Date: Fri Oct 21 13:44:34 2022 -0700 soreuseport: Fix socket selection for SO_INCOMING_CPU. [ Upstream commit b261eda84ec136240a9ca753389853a3a1bccca2 ] Kazuho Oku reported that setsockopt(SO_INCOMING_CPU) does not work with setsockopt(SO_REUSEPORT) since v4.6. With the combination of SO_REUSEPORT and SO_INCOMING_CPU, we could build a highly efficient server application. setsockopt(SO_INCOMING_CPU) associates a CPU with a TCP listener or UDP socket, and then incoming packets processed on the CPU will likely be distributed to the socket. Technically, a socket could even receive packets handled on another CPU if no sockets in the reuseport group have the same CPU receiving the flow. The logic exists in compute_score() so that a socket will get a higher score if it has the same CPU with the flow. However, the score gets ignored after the blamed two commits, which introduced a faster socket selection algorithm for SO_REUSEPORT. This patch introduces a counter of sockets with SO_INCOMING_CPU in a reuseport group to check if we should iterate all sockets to find a proper one. We increment the counter when * calling listen() if the socket has SO_INCOMING_CPU and SO_REUSEPORT * enabling SO_INCOMING_CPU if the socket is in a reuseport group Also, we decrement it when * detaching a socket out of the group to apply SO_INCOMING_CPU to migrated TCP requests * disabling SO_INCOMING_CPU if the socket is in a reuseport group When the counter reaches 0, we can get back to the O(1) selection algorithm. The overall changes are negligible for the non-SO_INCOMING_CPU case, and the only notable thing is that we have to update sk_incomnig_cpu under reuseport_lock. Otherwise, the race prevents transitioning to the O(n) algorithm and results in the wrong socket selection. cpu1 (setsockopt) cpu2 (listen) +-----------------+ +-------------+ lock_sock(sk1) lock_sock(sk2) reuseport_update_incoming_cpu(sk1, val) . | /* set CPU as 0 */ |- WRITE_ONCE(sk1->incoming_cpu, val) | | spin_lock_bh(&reuseport_lock) | reuseport_grow(sk2, reuse) | . | |- more_socks_size = reuse->max_socks * 2U; | |- if (more_socks_size > U16_MAX && | | reuse->num_closed_socks) | | . | | |- RCU_INIT_POINTER(sk1->sk_reuseport_cb, NULL); | | `- __reuseport_detach_closed_sock(sk1, reuse) | | . | | `- reuseport_put_incoming_cpu(sk1, reuse) | | . | | | /* Read shutdown()ed sk1's sk_incoming_cpu | | | * without lock_sock(). | | | */ | | `- if (sk1->sk_incoming_cpu >= 0) | | . | | | /* decrement not-yet-incremented | | | * count, which is never incremented. | | | */ | | `- __reuseport_put_incoming_cpu(reuse); | | | `- spin_lock_bh(&reuseport_lock) | |- spin_lock_bh(&reuseport_lock) | |- reuse = rcu_dereference_protected(sk1->sk_reuseport_cb, ...) |- if (!reuse) | . | | /* Cannot increment reuse->incoming_cpu. */ | `- goto out; | `- spin_unlock_bh(&reuseport_lock) Fixes: e32ea7e74727 ("soreuseport: fast reuseport UDP socket selection") Fixes: c125e80b8868 ("soreuseport: fast reuseport TCP socket selection") Reported-by: Kazuho Oku Signed-off-by: Kuniyuki Iwashima Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin commit a5514f2f83a1a36e698c4bfdc25875ba0e3b5b5d Author: Tang Bin Date: Tue Sep 13 14:37:00 2022 +0800 venus: pm_helpers: Fix error check in vcodec_domains_get() [ Upstream commit 0f6e8d8c94a82e85e1b9b62a7671990740dc6f70 ] In the function vcodec_domains_get(), dev_pm_domain_attach_by_name() may return NULL in some cases, so IS_ERR() doesn't meet the requirements. Thus fix it. Fixes: 7482a983dea3 ("media: venus: redesign clocks and pm domains control") Signed-off-by: Tang Bin Signed-off-by: Sasha Levin commit 0a132a42b77ff0cd12ef9b6efb2d7dab4f6ffc12 Author: Ricardo Ribalda Date: Wed Sep 21 13:38:00 2022 +0200 media: i2c: ad5820: Fix error path [ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ] Error path seems to be swaped. Fix the order and provide some meaningful names. Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil") Signed-off-by: Ricardo Ribalda Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit 4368730678412a8fa71960dbda81e122dafa70f7 Author: Rafael Mendonca Date: Sun Sep 18 23:12:51 2022 -0300 media: i2c: hi846: Fix memory leak in hi846_parse_dt() [ Upstream commit 80113026d415e27483669db7a88b548d1ec3d3d1 ] If any of the checks related to the supported link frequencies fail, then the V4L2 fwnode resources don't get released before returning, which leads to a memleak. Fix this by properly freeing the V4L2 fwnode data in a designated label. Fixes: e8c0882685f9 ("media: i2c: add driver for the SK Hynix Hi-846 8M pixel camera") Signed-off-by: Rafael Mendonca Reviewed-by: Tommaso Merciai Reviewed-by: Martin Kepplinger Signed-off-by: Sakari Ailus Signed-off-by: Sasha Levin commit 5459eaca151dcf1a31fd54a4ce8a874c9ebce1ca Author: John Harrison Date: Thu Oct 6 14:38:11 2022 -0700 drm/i915: Fix compute pre-emption w/a to apply to compute engines [ Upstream commit c3bd49cd9a1043b963331e7fd874b380bed3f2bd ] An earlier patch added support for compute engines. However, it missed enabling the anti-pre-emption w/a for the new engine class. So move the 'compute capable' flag earlier and use it for the pre-emption w/a test. Fixes: c674c5b9342e ("drm/i915/xehp: CCS should use RCS setup functions") Cc: Tvrtko Ursulin Cc: Daniele Ceraolo Spurio Cc: Aravind Iddamsetty Cc: Matt Roper Cc: Tvrtko Ursulin Cc: Daniel Vetter Cc: Maarten Lankhorst Cc: Lucas De Marchi Cc: John Harrison Cc: Jason Ekstrand Cc: "Michał Winiarski" Cc: Matthew Brost Cc: Chris Wilson Cc: Tejas Upadhyay Cc: Umesh Nerlige Ramappa Cc: "Thomas Hellström" Cc: Stuart Summers Cc: Matthew Auld Cc: Jani Nikula Cc: Ramalingam C Cc: Akeem G Abodunrin Signed-off-by: John Harrison Reviewed-by: Matt Roper Link: https://patchwork.freedesktop.org/patch/msgid/20221006213813.1563435-3-John.C.Harrison@Intel.com Signed-off-by: Sasha Levin commit 72b414661dc19acb81d58eb97f20f71e2ee6afc8 Author: John Harrison Date: Thu Oct 6 14:38:10 2022 -0700 drm/i915/guc: Limit scheduling properties to avoid overflow [ Upstream commit 568944af44e7538ed5d1389dabf56e938afdaf4f ] GuC converts the pre-emption timeout and timeslice quantum values into clock ticks internally. That significantly reduces the point of 32bit overflow. On current platforms, worst case scenario is approximately 110 seconds. Rather than allowing the user to set higher values and then get confused by early timeouts, add limits when setting these values. v2: Add helper functions for clamping (review feedback from Tvrtko). v3: Add a bunch of BUG_ON range checks in addition to the checks already in the clamping functions (Tvrtko) Signed-off-by: John Harrison Reviewed-by: Daniele Ceraolo Spurio Acked-by: Tvrtko Ursulin Link: https://patchwork.freedesktop.org/patch/msgid/20221006213813.1563435-2-John.C.Harrison@Intel.com Stable-dep-of: c3bd49cd9a10 ("drm/i915: Fix compute pre-emption w/a to apply to compute engines") Signed-off-by: Sasha Levin commit ad8eb8ed0d39e18628ec6e2ec45fc2f791f72852 Author: Yunfei Dong Date: Tue Oct 18 19:41:22 2022 +0800 media: mediatek: vcodec: fix h264 cavlc bitstream fail [ Upstream commit d555409dd1b7cc9e7e5b9e2924c0ef4bf23f6c9b ] Some cavlc bistream will decode fail when the frame size is less than 20 bytes. Need to add pending data at the end of the bitstream. For the minimum size of mapped memory is 256 bytes(16x16), adding four bytes data won't lead to access unknown virtual memory. Fixes: 59fba9eed5a7 ("media: mediatek: vcodec: support stateless H.264 decoding for mt8192") Signed-off-by: Yunfei Dong Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 246f266634f546bb0cc7f5f09631dd5d03b3318e Author: Jernej Skrabec Date: Mon Oct 17 21:44:13 2022 +0200 media: cedrus: hevc: Fix offset adjustments [ Upstream commit e9120e76a6f7e19a8d26c03f2964937e4ce69784 ] As it turns out, current padding size check works fine in theory but it doesn't in practice. Most probable reason are caching issues. Let's rework reading data from bitstream using Cedrus engine instead of CPU. That way we avoid all cache issues and make sure that we're reading same data as Cedrus. Fixes: e7060d9a78c2 ("media: uapi: Change data_bit_offset definition") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 563d50ec220ffdc307018f670ee444d403821dc0 Author: Jernej Skrabec Date: Sat Oct 15 11:11:05 2022 +0200 media: v4l2-ioctl.c: Unify YCbCr/YUV terms in format descriptions [ Upstream commit 6a394d563dffb60c150d87dc6678994ef8028c53 ] Format descriptions use YCbCr and YUV terms interchangeably. Let's unify them so they all use YUV. While YCbCr is actually correct term here, YUV is shorter and thus it also fixes too long description of P010 tiled format. Fixes: 3c8e19d3d3f9 ("media: Add P010 tiled format") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit 5d1a2d2a1183d94e459523acd5ba6929905019a6 Author: Niklas Söderlund Date: Sun Oct 9 16:41:46 2022 +0200 media: adv748x: afe: Select input port when initializing AFE [ Upstream commit 23ddb85dafefdace1ad79d1a30b0a4e7c4b5cd8d ] When moving the input selection to adv748x_reset() it was missed that during probe the device is reset _before_ the initialization and parsing of DT by the AFE subdevice. This can lead to the wrong input port (in case it's not port 0) being selected until the device is reset for the first time. Fix this by restoring the call to adv748x_afe_s_input() in the AFE initialization while also keeping it in the adv748x_reset(). Fixes: c30ed81afe89 ("media: adv748x: afe: Select input port when device is reset") Signed-off-by: Niklas Söderlund Reviewed-by: Kieran Bingham Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit fc6579f00506eced99cbd58b6cb24cc580251bd4 Author: Ming Qian Date: Fri Sep 30 14:40:47 2022 +0800 media: amphion: reset instance if it's aborted before codec header parsed [ Upstream commit 3984ea32e83bcad06b4b034ddd4b0a934c1b2f91 ] there is hardware limitation that if it's aborted before the first codec header parsed, the codec may be stalled unless we do reset codec. and drop the source change event if it's triggered after reset. Fixes: 6de8d628df6e ("media: amphion: add v4l2 m2m vpu decoder stateful driver") Signed-off-by: Ming Qian Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit e7d1e0b752641963be2586b0d8a563294e8dc2e4 Author: Jiasheng Jiang Date: Tue Sep 27 09:28:13 2022 +0800 media: coda: jpeg: Add check for kmalloc [ Upstream commit f30ce3d3760b22ee33c8d9c2e223764ad30bdc5f ] As kmalloc can return NULL pointer, it should be better to check the return value and return error, same as coda_jpeg_decode_header. Fixes: 96f6f62c4656 ("media: coda: jpeg: add CODA960 JPEG encoder support") Signed-off-by: Jiasheng Jiang Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit b9d1093140e2cee2a196f2925cd76e871c119cd3 Author: Laurent Pinchart Date: Mon Sep 26 19:31:51 2022 +0300 media: v4l2-ctrls: Fix off-by-one error in integer menu control check [ Upstream commit b6bcdf763db1f5ea602bf876cfe91debfb3c7773 ] The V4L2 API defines the maximum value for an integer menu control as the number of elements minus one. The v4l2_ctrl_new_std_menu() validates this constraint with an off-by-one error. Fix it. Fixes: d1e9b7c12b74 ("[media] V4L: Add support for integer menu controls with standard menu items") Signed-off-by: Laurent Pinchart Reviewed-by: Sakari Ailus Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin commit a7e8439e297ef3b08b1a9455b8c355b7fa446987 Author: Jeff LaBundy Date: Sat Oct 22 19:57:00 2022 -0500 Input: iqs7222 - protect against undefined slider size [ Upstream commit 2f6fd232978906f6fb054529210b9faec384bd45 ] Select variants of silicon do not define a default slider size, in which case the size must be specified in the device tree. If it is not, the axis's maximum value is reported as 65535 due to unsigned integer overflow. To solve this problem, move the existing zero-check outside of the conditional block that checks whether the property is present. Fixes: e505edaedcb9 ("Input: add support for Azoteq IQS7222A/B/C") Signed-off-by: Jeff LaBundy Link: https://lore.kernel.org/r/Y1SRXEi7XMlncDWk@nixie71 Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 172d4d64075075f955e6e416915e3f287eec514a Author: Pin-yen Lin Date: Thu Oct 13 19:04:08 2022 +0800 drm/bridge: it6505: Initialize AUX channel in it6505_i2c_probe [ Upstream commit e577d4b13064c337b83fe7edecb3f34e87144821 ] During device boot, the HPD interrupt could be triggered before the DRM subsystem registers it6505 as a DRM bridge. In such cases, the driver tries to access AUX channel and causes NULL pointer dereference. Initializing the AUX channel earlier to prevent such error. Fixes: b5c84a9edcd4 ("drm/bridge: add it6505 driver") Signed-off-by: Pin-yen Lin Reviewed-by: Robert Foss Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/20221013110411.1674359-2-treapking@chromium.org Signed-off-by: Sasha Levin commit 782175a601768723b40b0966c3d5869c838ed0ab Author: Wang Yufen Date: Thu Oct 20 11:05:34 2022 +0800 selftests/bpf: fix missing BPF object files [ Upstream commit 98af3746026c3eccb51b43181c41e001fe73f7af ] After commit afef88e65554 ("selftests/bpf: Store BPF object files with .bpf.o extension"), we should use *.bpf.o instead of *.o. In addition, use the BPF_FILE variable to save the BPF object file name, which can be better identified and modified. Fixes: afef88e65554 ("selftests/bpf: Store BPF object files with .bpf.o extension") Signed-off-by: Wang Yufen Acked-by: Stanislav Fomichev Link: https://lore.kernel.org/r/1666235134-562-1-git-send-email-wangyufen@huawei.com Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin commit 05d55bbd8d27ab79925df24d918fa14d08c81dde Author: Gerhard Engleder Date: Sat Oct 15 23:30:50 2022 +0200 samples/bpf: Fix MAC address swapping in xdp2_kern [ Upstream commit 7a698edf954cb3f8b6e8dacdb77615355170420c ] xdp2_kern rewrites and forwards packets out on the same interface. Forwarding still works but rewrite got broken when xdp multibuffer support has been added. With xdp multibuffer a local copy of the packet has been introduced. The MAC address is now swapped in the local copy, but the local copy in not written back. Fix MAC address swapping be adding write back of modified packet. Fixes: 772251742262 ("samples/bpf: fixup some tools to be able to support xdp multibuffer") Signed-off-by: Gerhard Engleder Reviewed-by: Andy Gospodarek Link: https://lore.kernel.org/r/20221015213050.65222-1-gerhard@engleder-embedded.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit 818b68651cde02a94444d1ac56cf4afb12e6d9db Author: Gerhard Engleder Date: Thu Oct 13 22:09:22 2022 +0200 samples/bpf: Fix map iteration in xdp1_user [ Upstream commit 05ee658c654bacda03f7fecef367e62aaf8e1cfe ] BPF map iteration in xdp1_user results in endless loop without any output, because the return value of bpf_map_get_next_key() is checked against the wrong value. Other call locations of bpf_map_get_next_key() check for equal 0 for continuing the iteration. xdp1_user checks against unequal -1. This is wrong for a function which can return arbitrary negative errno values, because a return value of e.g. -2 results in an endless loop. With this fix xdp1_user is printing statistics again: proto 0: 1 pkt/s proto 0: 1 pkt/s proto 17: 107383 pkt/s proto 17: 881655 pkt/s proto 17: 882083 pkt/s proto 17: 881758 pkt/s Fixes: bd054102a8c7 ("libbpf: enforce strict libbpf 1.0 behaviors") Signed-off-by: Gerhard Engleder Acked-by: Song Liu Link: https://lore.kernel.org/r/20221013200922.17167-1-gerhard@engleder-embedded.com Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit 22d569b3d1a0c031c8d2f35d3558a518e42fca9d Author: Alexandru Tachici Date: Mon Oct 17 19:37:03 2022 +0300 net: ethernet: adi: adin1110: Fix SPI transfers [ Upstream commit a526a3cc9c8d426713f8bebc18ebbe39a8495d82 ] No need to use more than one SPI transfer for reads. Use only one from now as ADIN1110/2111 does not tolerate CS changes during reads. The BCM2711/2708 SPI controllers worked fine, but the NXP IMX8MM could not keep CS lowered during SPI bursts. This change aims to make the ADIN1110/2111 driver compatible with both SPI controllers, without any loss of bandwidth/other capabilities. Fixes: bc93e19d088b ("net: ethernet: adi: Add ADIN1110 support") Signed-off-by: Alexandru Tachici Signed-off-by: David S. Miller Signed-off-by: Sasha Levin commit 1c65f8f98148709e08bd6157a807c443ba91f0ac Author: Rafael Mendonca Date: Mon Oct 17 21:53:57 2022 -0300 drm/amdgpu/powerplay/psm: Fix memory leak in power state init [ Upstream commit 8f8033d5663b18e6efb33feb61f2287a04605ab5 ] Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") made the power state init function return early in case of failure to get an entry from the powerplay table, but it missed to clean up the allocated memory for the current power state before returning. Fixes: 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") Reviewed-by: Evan Quan Signed-off-by: Rafael Mendonca Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 9ccd11718d76b95c69aa773f2abedef560776037 Author: Asher Song Date: Fri Oct 14 11:36:33 2022 +0800 drm/amdgpu: Revert "drm/amdgpu: getting fan speed pwm for vega10 properly" [ Upstream commit e5b781c56d46c44c52caa915f1b65064f2f7c1ba ] This reverts commit 16fb4dca95daa9d8e037201166a58de8284f4268. Unfortunately, that commit causes fan monitors can't be read and written properly. Fixes: 16fb4dca95daa9 ("drm/amdgpu: getting fan speed pwm for vega10 properly") Signed-off-by: Asher Song Reviewed-by: Guchun Chen Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 3265e0f2f85a6be88d6d187d46d0a31c5c235cb0 Author: Andrew Jeffery Date: Sat Aug 13 00:17:41 2022 +0930 ipmi: kcs: Poll OBF briefly to reduce OBE latency [ Upstream commit f90bc0f97f2b65af233a37b2e32fc81871a1e3cf ] The ASPEED KCS devices don't provide a BMC-side interrupt for the host reading the output data register (ODR). The act of the host reading ODR clears the output buffer full (OBF) flag in the status register (STR), informing the BMC it can transmit a subsequent byte. On the BMC side the KCS client must enable the OBE event *and* perform a subsequent read of STR anyway to avoid races - the polling provides a window for the host to read ODR if data was freshly written while minimising BMC-side latency. Fixes: 28651e6c4237 ("ipmi: kcs_bmc: Allow clients to control KCS IRQ state") Signed-off-by: Andrew Jeffery Reviewed-by: Joel Stanley Message-Id: <20220812144741.240315-1-andrew@aj.id.au> Signed-off-by: Corey Minyard Signed-off-by: Sasha Levin commit 0bad12fee5ae16ab439d97c66c4238f5f4cc7f68 Author: Cezary Rojewski Date: Mon Oct 10 14:19:42 2022 +0200 ASoC: Intel: avs: Fix potential RX buffer overflow [ Upstream commit 23ae34e033b2c0e5e88237af82b163b296fd6aa9 ] If an event caused firmware to return invalid RX size for LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes. Fix by utilizing min_t(). Reported-by: CoolStar Fixes: f14a1c5a9f83 ("ASoC: Intel: avs: Add module management requests") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221010121955.718168-3-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit b793142e7d6f780edd3e6e5a0d53accfd2c36672 Author: Cezary Rojewski Date: Mon Oct 10 14:19:41 2022 +0200 ASoC: Intel: avs: Fix DMA mask assignment [ Upstream commit 83375566a7a7042cb34b24986d100f46bfa0c1e5 ] Spelling error leads to incorrect behavior when setting up DMA mask. Fixes: a5bbbde2b81e ("ASoC: Intel: avs: Use helper function to set up DMA") Signed-off-by: Cezary Rojewski Link: https://lore.kernel.org/r/20221010121955.718168-2-cezary.rojewski@intel.com Signed-off-by: Mark Brown Signed-off-by: Sasha Levin commit e02b42f3fc56c67c6f81caea6911f83f18ccb4d4 Author: Yang Yingliang Date: Sun Sep 25 10:12:58 2022 +0800 pinctrl: ocelot: add missing destroy_workqueue() in error path in ocelot_pinctrl_probe() [ Upstream commit 8ada020ade3bc4125b639a1dca50a6df687dd986 ] Using devm_add_action_or_reset() to make workqueue device-managed, so it can be destroy whenever the driver is unbound. Fixes: c297561bc98a ("pinctrl: ocelot: Fix interrupt controller") Signed-off-by: Yang Yingliang Reviewed-by: Horatiu Vultur Link: https://lore.kernel.org/r/20220925021258.1492905-1-yangyingliang@huawei.com Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 55442d2f2cfaa1f1ded9fcb029a112a8136a6612 Author: Niklas Cassel Date: Mon Sep 26 20:53:06 2022 +0000 ata: libata: fix NCQ autosense logic [ Upstream commit 7390896b3484d44cbdb8bc4859964314ac66d3c9 ] Currently, the logic if we should call ata_scsi_set_sense() (and set flag ATA_QCFLAG_SENSE_VALID to indicate that we have successfully added sense data to the struct ata_queued_cmd) looks like this: if (dev->class == ATA_DEV_ZAC && ((qc->result_tf.status & ATA_SENSE) || qc->result_tf.auxiliary)) The problem with this is that a drive can support the NCQ command error log without supporting NCQ autosense. On such a drive, if the failing command has sense data, the status field in the NCQ command error log will have the ATA_SENSE bit set. It is just that this sense data is not included in the NCQ command error log when NCQ autosense is not supported. Instead the sense data has to be fetched using the REQUEST SENSE DATA EXT command. Therefore, we should only add the sense data if the drive supports NCQ autosense AND the ATA_SENSE bit is set in the status field. Fix this, and at the same time, remove the duplicated ATA_DEV_ZAC check. The struct ata_taskfile supplied to ata_eh_read_log_10h() is memset:ed before calling the function, so simply checking if qc->result_tf.auxiliary is set is sufficient to tell us that the log actually contained sense data. Fixes: d238ffd59d3c ("libata: do not attempt to retrieve sense code twice") Signed-off-by: Niklas Cassel Signed-off-by: Damien Le Moal Signed-off-by: Sasha Levin commit 76b014f2f59558e5bf1abc66e3ad264fe23c6cdf Author: Laurent Pinchart Date: Fri Sep 30 11:39:54 2022 +0300 drm: lcdif: Switch to limited range for RGB to YUV conversion [ Upstream commit ec39dee8b25229a646271815cc86a8fc865525cf ] Up to and including v1.3, HDMI supported limited quantization range only for YCbCr. HDMI v1.4 introduced selectable quantization ranges, but this feature isn't supported in the dw-hdmi driver that is used in conjunction with the LCDIF in the i.MX8MP. The HDMI YCbCr output is thus always advertised in the AVI infoframe as limited range. The LCDIF driver, on the other hand, configures the CSC to produce full range YCbCr. This mismatch results in loss of details and incorrect colours. Fix it by switching to limited range YCbCr. The coefficients are copied from drivers/media/platforms/nxp/imx-pxp.c for coherency, as the hardware is most likely identical. Fixes: 9db35bb349a0 ("drm: lcdif: Add support for i.MX8MP LCDIF variant") Signed-off-by: Laurent Pinchart Reviewed-by: Marek Vasut Reviewed-by: Kieran Bingham Reviewed-by: Liu Ying Signed-off-by: Marek Vasut Link: https://patchwork.freedesktop.org/patch/msgid/20220930083955.31580-4-laurent.pinchart@ideasonboard.com Signed-off-by: Sasha Levin commit ecb0f3d7dd137828940d14b7706096a96b43d815 Author: Shung-Hsi Yu Date: Wed Oct 12 10:23:53 2022 +0800 libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() [ Upstream commit d0d382f95a9270dcf803539d6781d6bd67e3f5b2 ] When there are no program sections, obj->programs is left unallocated, and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL, and will cause null-pointer dereference in the following access to prog->sec_idx. Guard the search with obj->nr_programs similar to what's being done in __bpf_program__iter() to prevent null-pointer access from happening. Fixes: db2b8b06423c ("libbpf: Support CO-RE relocations for multi-prog sections") Signed-off-by: Shung-Hsi Yu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com Signed-off-by: Sasha Levin commit e0f5361d95aab1c36af5fc9f57f44287623d8d73 Author: Shung-Hsi Yu Date: Wed Oct 12 10:23:52 2022 +0800 libbpf: Deal with section with no data gracefully [ Upstream commit 35a855509e6ee3442477c8ebc6827b5b5d32a7b5 ] ELF section data pointer returned by libelf may be NULL (if section has SHT_NOBITS), so null check section data pointer before attempting to copy license and kversion section. Fixes: cb1e5e961991 ("bpf tools: Collect version and license from ELF sections") Signed-off-by: Shung-Hsi Yu Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20221012022353.7350-3-shung-hsi.yu@suse.com Signed-off-by: Sasha Levin commit 622ff59742fe7bf53c06a57332040fa0e08b8242 Author: Shung-Hsi Yu Date: Wed Oct 12 10:23:51 2022 +0800 libbpf: Use elf_getshdrnum() instead of e_shnum [ Upstream commit 51deedc9b8680953437dfe359e5268120de10e30 ] This commit replace e_shnum with the elf_getshdrnum() helper to fix two oss-fuzz-reported heap-buffer overflow in __bpf_object__open. Both reports are incorrectly marked as fixed and while still being reproducible in the latest libbpf. # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704 libbpf: loading object 'fuzz-object' from buffer libbpf: sec_cnt is 0 libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2 libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1 ================================================================= ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8 WRITE of size 4 at 0x6020000000c0 thread T0 SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds) #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24 #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16 #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20 ... The issue lie in libbpf's direct use of e_shnum field in ELF header as the section header count. Where as libelf implemented an extra logic that, when e_shnum == 0 && e_shoff != 0, will use sh_size member of the initial section header as the real section header count (part of ELF spec to accommodate situation where section header counter is larger than SHN_LORESERVE). The above inconsistency lead to libbpf writing into a zero-entry calloc area. So intead of using e_shnum directly, use the elf_getshdrnum() helper provided by libelf to retrieve the section header counter into sec_cnt. Fixes: 0d6988e16a12 ("libbpf: Fix section counting logic") Fixes: 25bbbd7a444b ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps") Signed-off-by: Shung-Hsi Yu Signed-off-by: Andrii Nakryiko Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868 Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957 Link: https://lore.kernel.org/bpf/20221012022353.7350-2-shung-hsi.yu@suse.com Signed-off-by: Sasha Levin commit 3c48bbf4264f4575c87d41d8a96f8502b598e626 Author: Xu Kuohai Date: Tue Oct 11 08:01:08 2022 -0400 selftest/bpf: Fix error usage of ASSERT_OK in xdp_adjust_tail.c [ Upstream commit cbc1c998da59687e8bbc4667154a72eead2daf2d ] xdp_adjust_tail.c calls ASSERT_OK() to check the return value of bpf_prog_test_load(), but the condition is not correct. Fix it. Fixes: 791cad025051 ("bpf: selftests: Get rid of CHECK macro in xdp_adjust_tail.c") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-7-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit bec359a2a48f8a631546a19e18bae99a63f4a6f4 Author: Xu Kuohai Date: Tue Oct 11 08:01:07 2022 -0400 selftests/bpf: Fix error failure of case test_xdp_adjust_tail_grow [ Upstream commit 4abdb1d5b250df4b5b3afd394d5e2fa516064c04 ] test_xdp_adjust_tail_grow failed with ipv6: test_xdp_adjust_tail_grow:FAIL:ipv6 unexpected error: -28 (errno 28) The reason is that this test case tests ipv4 before ipv6, and when ipv4 test finished, topts.data_size_out was set to 54, which is smaller than the ipv6 output data size 114, so ipv6 test fails with NOSPC error. Fix it by reset topts.data_size_out to sizeof(buf) before testing ipv6. Fixes: 04fcb5f9a104 ("selftests/bpf: Migrate from bpf_prog_test_run") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-6-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit 661e952bc9ef798d1d33ba67f2950a3e0bea455f Author: Xu Kuohai Date: Tue Oct 11 08:01:06 2022 -0400 selftest/bpf: Fix memory leak in kprobe_multi_test [ Upstream commit 6d2e21dc4db3933db65293552ecc1ede26febeca ] The get_syms() function in kprobe_multi_test.c does not free the string memory allocated by sscanf correctly. Fix it. Fixes: 5b6c7e5c4434 ("selftests/bpf: Add attach bench test") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Jiri Olsa Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-5-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit d7dc8fad67fab906530c50155b12cf6117e99299 Author: Xu Kuohai Date: Tue Oct 11 08:01:05 2022 -0400 selftests/bpf: Fix memory leak caused by not destroying skeleton [ Upstream commit 6e8280b958c5d7edc514cf347a800b23b7732b2b ] Some test cases does not destroy skeleton object correctly, causing ASAN to report memory leak warning. Fix it. Fixes: 0ef6740e9777 ("selftests/bpf: Add tests for kptr_ref refcounting") Fixes: 1642a3945e22 ("selftests/bpf: Add struct argument tests with fentry/fexit programs.") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-4-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit 13866e924a5760ee1ba9aa64dbfb5b44f4138c01 Author: Xu Kuohai Date: Tue Oct 11 08:01:04 2022 -0400 libbpf: Fix memory leak in parse_usdt_arg() [ Upstream commit 0dc9254e03704c75f2ebc9cbef2ce4de83fba603 ] In the arm64 version of parse_usdt_arg(), when sscanf returns 2, reg_name is allocated but not freed. Fix it. Fixes: 0f8619929c57 ("libbpf: Usdt aarch64 arg parsing support") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-3-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit fbe08093fb2334549859829ef81d42570812597d Author: Xu Kuohai Date: Tue Oct 11 08:01:03 2022 -0400 libbpf: Fix use-after-free in btf_dump_name_dups [ Upstream commit 93c660ca40b5d2f7c1b1626e955a8e9fa30e0749 ] ASAN reports an use-after-free in btf_dump_name_dups: ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928 READ of size 2 at 0xffff927006db thread T0 #0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614) #1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127 #2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143 #3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212 #4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525 #5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552 #6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567 #7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912 #8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798 #9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282 #10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236 #11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 #12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 #13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 #14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 #15 0xaaaab5d65990 (test_progs+0x185990) 0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0) freed by thread T0 here: #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4) #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191 #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163 #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106 #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157 #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519 #6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032 #7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232 #8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 #9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 #10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 #11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 #12 0xaaaab5d65990 (test_progs+0x185990) previously allocated by thread T0 here: #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4) #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191 #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163 #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106 #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157 #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519 #6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070 #7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102 #8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162 #9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875 #10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062 #11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697 #12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308 #13 0xaaaab5d65990 (test_progs+0x185990) The reason is that the key stored in hash table name_map is a string address, and the string memory is allocated by realloc() function, when the memory is resized by realloc() later, the old memory may be freed, so the address stored in name_map references to a freed memory, causing use-after-free. Fix it by storing duplicated string address in name_map. Fixes: 919d2b1dbb07 ("libbpf: Allow modification of BTF and add btf__add_str API") Signed-off-by: Xu Kuohai Signed-off-by: Andrii Nakryiko Acked-by: Martin KaFai Lau Link: https://lore.kernel.org/bpf/20221011120108.782373-2-xukuohai@huaweicloud.com Signed-off-by: Sasha Levin commit e4ebe4eb7ef5d69d670a163f6fc129d62caeda74 Author: Abhinav Kumar Date: Tue Oct 11 14:10:49 2022 -0700 drm/bridge: adv7533: remove dynamic lane switching from adv7533 bridge [ Upstream commit 9a0cdcd6649b76f0b7ceec0e55b0a718321e34d3 ] adv7533 bridge tries to dynamically switch lanes based on the mode by detaching and attaching the mipi dsi device. This approach is incorrect because this method of dynamic switch of detaching and attaching the mipi dsi device also results in removing and adding the component which is not necessary. This approach is also prone to deadlocks. So for example, on the db410c whenever this path is executed with lockdep enabled, this results in a deadlock due to below ordering of locks. -> #1 (crtc_ww_class_acquire){+.+.}-{0:0}: lock_acquire+0x6c/0x90 drm_modeset_acquire_init+0xf4/0x150 drmm_mode_config_init+0x220/0x770 msm_drm_bind+0x13c/0x654 try_to_bring_up_aggregate_device+0x164/0x1d0 __component_add+0xa8/0x174 component_add+0x18/0x2c dsi_dev_attach+0x24/0x30 dsi_host_attach+0x98/0x14c devm_mipi_dsi_attach+0x38/0xb0 adv7533_attach_dsi+0x8c/0x110 adv7511_probe+0x5a0/0x930 i2c_device_probe+0x30c/0x350 really_probe.part.0+0x9c/0x2b0 __driver_probe_device+0x98/0x144 driver_probe_device+0xac/0x14c __device_attach_driver+0xbc/0x124 bus_for_each_drv+0x78/0xd0 __device_attach+0xa8/0x1c0 device_initial_probe+0x18/0x24 bus_probe_device+0xa0/0xac deferred_probe_work_func+0x90/0xd0 process_one_work+0x28c/0x6b0 worker_thread+0x240/0x444 kthread+0x110/0x114 ret_from_fork+0x10/0x20 -> #0 (component_mutex){+.+.}-{3:3}: __lock_acquire+0x1280/0x20ac lock_acquire.part.0+0xe0/0x230 lock_acquire+0x6c/0x90 __mutex_lock+0x84/0x400 mutex_lock_nested+0x3c/0x70 component_del+0x34/0x170 dsi_dev_detach+0x24/0x30 dsi_host_detach+0x20/0x64 mipi_dsi_detach+0x2c/0x40 adv7533_mode_set+0x64/0x90 adv7511_bridge_mode_set+0x210/0x214 drm_bridge_chain_mode_set+0x5c/0x84 crtc_set_mode+0x18c/0x1dc drm_atomic_helper_commit_modeset_disables+0x40/0x50 msm_atomic_commit_tail+0x1d0/0x6e0 commit_tail+0xa4/0x180 drm_atomic_helper_commit+0x178/0x3b0 drm_atomic_commit+0xa4/0xe0 drm_client_modeset_commit_atomic+0x228/0x284 drm_client_modeset_commit_locked+0x64/0x1d0 drm_client_modeset_commit+0x34/0x60 drm_fb_helper_lastclose+0x74/0xcc drm_lastclose+0x3c/0x80 drm_release+0xfc/0x114 __fput+0x70/0x224 ____fput+0x14/0x20 task_work_run+0x88/0x1a0 do_exit+0x350/0xa50 do_group_exit+0x38/0xa4 __wake_up_parent+0x0/0x34 invoke_syscall+0x48/0x114 el0_svc_common.constprop.0+0x60/0x11c do_el0_svc+0x30/0xc0 el0_svc+0x58/0x100 el0t_64_sync_handler+0x1b0/0x1bc el0t_64_sync+0x18c/0x190 Due to above reasons, remove the dynamic lane switching code from adv7533 bridge chip and filter out the modes which would need different number of lanes as compared to the initialization time using the mode_valid callback. This can be potentially re-introduced by using the pre_enable() callback but this needs to be evaluated first whether such an approach will work so this will be done with a separate change. changes since RFC: - Fix commit text and add TODO comment changes in v2: - Fix checkpatch formatting errors Fixes: 62b2f026cd8e ("drm/bridge: adv7533: Change number of DSI lanes dynamically") Closes: https://gitlab.freedesktop.org/drm/msm/-/issues/16 Suggested-by: Dmitry Baryshkov Signed-off-by: Abhinav Kumar Reviewed-by: Robert Foss Link: https://lore.kernel.org/r/1661797363-7564-1-git-send-email-quic_abhinavk@quicinc.com Signed-off-by: Robert Foss Link: https://patchwork.freedesktop.org/patch/msgid/1665522649-3423-1-git-send-email-quic_abhinavk@quicinc.com Signed-off-by: Sasha Levin commit edf05f091cc7a557d594ac85a63c7318a30985f1 Author: Aditya Kumar Singh Date: Wed Oct 5 15:24:30 2022 +0530 wifi: ath11k: fix firmware assert during bandwidth change for peer sta [ Upstream commit 3ff51d7416ee1ea2d771051a0ffa1ec8be054768 ] Currently, ath11k sends peer assoc command for each peer to firmware when bandwidth changes. Peer assoc command is a bulky command and if many clients are connected, this could lead to firmware buffer getting overflowed leading to a firmware assert. However, during bandwidth change, only phymode and bandwidth also can be updated by WMI set peer param command. This makes the overall command light when compared to peer assoc and for multi-client cases, firmware buffer overflow also does not occur. Remove sending peer assoc command during sta bandwidth change and instead add sending WMI set peer param command for phymode and bandwidth. Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.5.0.1-01100-QCAHKSWPL_SILICONZ-1 Fixes: f187fe8e3bc65 ("ath11k: fix firmware crash during channel switch") Signed-off-by: Aditya Kumar Singh Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221005095430.19890-1-quic_adisi@quicinc.com Signed-off-by: Sasha Levin commit d161b3de52dd03256a1af4849e59df7454a7a940 Author: Bitterblue Smith Date: Sat Oct 8 13:56:09 2022 +0300 wifi: rtl8xxxu: Fix reading the vendor of combo chips [ Upstream commit 6f103aeb5e985ac08f3a4a049a2c17294f40cff9 ] The wifi + bluetooth combo chips (RTL8723AU and RTL8723BU) read the chip vendor from the wrong register because the val32 variable gets overwritten. Add one more variable to avoid this. This had no real effect on RTL8723BU. It may have had an effect on RTL8723AU. Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") Signed-off-by: Bitterblue Smith Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/24af8024-2f07-552b-93d8-38823d8e3cb0@gmail.com Signed-off-by: Sasha Levin commit 71fc0ad671a62c494d2aec731baeabd3bfe6c95d Author: Fedor Pchelkin Date: Sat Oct 8 14:49:17 2022 +0300 wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() [ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ] It is possible that skb is freed in ath9k_htc_rx_msg(), then usb_submit_urb() fails and we try to free skb again. It causes use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes NULL but rx_buf is not freed and there can be a memory leak. The patch removes unnecessary nskb and makes skb processing more clear: it is supposed that ath9k_htc_rx_msg() either frees old skb or passes its managing to another callback function. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe") Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 08aa0537ec8cf29ceccae98acc1a534fc12598c1 Author: Fedor Pchelkin Date: Mon Jul 25 18:13:59 2022 +0300 wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() [ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ] Syzkaller reports a long-known leak of urbs in ath9k_hif_usb_dealloc_tx_urbs(). The cause of the leak is that usb_get_urb() is called but usb_free_urb() (or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or urb->ep fields have not been initialized and usb_kill_urb() returns immediately. The patch removes trying to kill urbs located in hif_dev->tx.tx_buf because hif_dev->tx.tx_buf is not supposed to contain urbs which are in pending state (the pending urbs are stored in hif_dev->tx.tx_pending). The tx.tx_lock is acquired so there should not be any changes in the list. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()") Signed-off-by: Fedor Pchelkin Signed-off-by: Alexey Khoroshilov Acked-by: Toke Høiland-Jørgensen Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru Signed-off-by: Sasha Levin commit 588f2f9c7df692b48cad959d4f6d1bb09b6e984d Author: Thomas Zimmermann Date: Fri Oct 7 14:43:37 2022 +0200 drm/atomic-helper: Don't allocate new plane state in CRTC check [ Upstream commit dbbf933d365da1a76a540211bee3d57bde520194 ] In drm_atomic_helper_check_crtc_state(), do not add a new plane state to the global state if it does not exist already. Adding a new plane state will result in overhead for the plane during the atomic-commit step. For the test in drm_atomic_helper_check_crtc_state() to succeed, it is important that the CRTC has an enabled primary plane after the commit. Simply testing the CRTC state's plane_mask for a primary plane is sufficient. Note that the helper still only tests for an attached primary plane. Drivers have to ensure that the plane contains valid pixel information. v5: * fix commit description (Javier) v3: * test for a primary plane in plane_mask (Ville) v2: * remove unnecessary test for plane->crtc (Ville) * inline drm_atomic_get_next_plane_state() (Ville) * acquire plane lock before accessing plane->state (Ville) Signed-off-by: Thomas Zimmermann Reviewed-by: Javier Martinez Canillas Fixes: d6b9af1097fe ("drm/atomic-helper: Add helper drm_atomic_helper_check_crtc_state()") Cc: Thomas Zimmermann Cc: Jocelyn Falempe Cc: Maarten Lankhorst Cc: Maxime Ripard Cc: David Airlie Cc: Daniel Vetter Cc: dri-devel@lists.freedesktop.org Link: https://patchwork.freedesktop.org/patch/msgid/20221007124338.24152-2-tzimmermann@suse.de Signed-off-by: Sasha Levin commit daf8163bd9caead6791fe28fdc997c7986d99fae Author: Johannes Berg Date: Wed Oct 5 14:08:41 2022 +0200 wifi: mac80211: fix ifdef symbol name [ Upstream commit 9d13aff91ecd3f077b432df35291c945bde585be ] This should of course be CONFIG_, not CPTCFG_, which is an artifact from working with backports. Fixes: 9dd1953846c7 ("wifi: nl80211/mac80211: clarify link ID in control port TX") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 8f8e5ca4e0387fa8f5fdb6024de09016108429b4 Author: Johannes Berg Date: Wed Sep 21 23:01:46 2022 +0200 wifi: mac80211: check link ID in auth/assoc continuation [ Upstream commit 85176a3fcd9748558cff72d4cdff5465b8732282 ] Ensure that the link ID matches in auth/assoc continuation, otherwise we need to reset all the data. Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit bb7743955a929e44b308cc3f63f8cc03873c1bee Author: Johannes Berg Date: Wed Sep 21 02:44:58 2022 +0200 wifi: mac80211: mlme: fix null-ptr deref on failed assoc [ Upstream commit 78a6a43aaf87180ec7425a2a90468e1b4d09a1ec ] If association to an AP without a link 0 fails, then we crash in tracing because it assumes that either ap_mld_addr or link 0 BSS is valid, since we clear sdata->vif.valid_links and then don't add the ap_mld_addr to the struct. Since we clear also sdata->vif.cfg.ap_addr, keep a local copy of it and assign it earlier, before clearing valid_links, to fix this. Fixes: 81151ce462e5 ("wifi: mac80211: support MLO authentication/association with one link") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit cd5d16539330a1d237bd8f44fedac123ee630644 Author: Johannes Berg Date: Sat Sep 17 03:14:53 2022 +0200 wifi: fix multi-link element subelement iteration [ Upstream commit 1177aaa7fe9373c762cd5bf5f5de8517bac989d5 ] The subelements obviously start after the common data, including the common multi-link element structure definition itself. This bug was possibly just hidden by the higher bits of the control being set to 0, so the iteration just found one bogus element and most of the code could continue anyway. Fixes: 0f48b8b88aa9 ("wifi: ieee80211: add definitions for multi-link element") Signed-off-by: Johannes Berg Signed-off-by: Sasha Levin commit 49cafaad0ba5508528dfd8d1398a0610f0629791 Author: Jiri Olsa Date: Thu Oct 6 10:31:06 2022 +0200 selftests/bpf: Add missing bpf_iter_vma_offset__destroy call [ Upstream commit 1d2d941bc140b34587b4c889699fb0f89d29937f ] Adding missing bpf_iter_vma_offset__destroy call and using in-skeletin link pointer so we don't need extra bpf_link__destroy call. Fixes: b3e1331eb925 ("selftests/bpf: Test parameterized task BPF iterators.") Cc: Kui-Feng Lee Signed-off-by: Jiri Olsa Link: https://lore.kernel.org/r/20221006083106.117987-1-jolsa@kernel.org Signed-off-by: Martin KaFai Lau Signed-off-by: Sasha Levin commit cd58eb4338ce2b2d4c1e849cd6fbc96f77c17c88 Author: James Hurley Date: Fri Dec 9 09:35:19 2022 -0500 platform/mellanox: mlxbf-pmc: Fix event typo [ Upstream commit b0b698b80c56b0712f0d4346d51bf0363ba03068 ] Had a duplicate event typo, so just fixed the 1 character typo. Fixes: 1a218d312e65 ("platform/mellanox: mlxbf-pmc: Add Mellanox BlueField PMC driver") Signed-off-by: James Hurley Reviewed-by: David Thompson Reviewed-by: Shravan Kumar Ramani Link: https://lore.kernel.org/r/aadacdbbd3186c55e74ea9456fe011b77938eb6c.1670535330.git.jahurley@nvidia.com Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 28dad915abe46d38c5799a0c8130e9a2a1540385 Author: Zhengchao Shao Date: Fri Dec 9 17:29:29 2022 +0800 ipc: fix memory leak in init_mqueue_fs() [ Upstream commit 12b677f2c697d61e5ddbcb6c1650050a39392f54 ] When setup_mq_sysctls() failed in init_mqueue_fs(), mqueue_inode_cachep is not released. In order to fix this issue, the release path is reordered. Link: https://lkml.kernel.org/r/20221209092929.1978875-1-shaozhengchao@huawei.com Fixes: dc55e35f9e81 ("ipc: Store mqueue sysctls in the ipc namespace") Signed-off-by: Zhengchao Shao Cc: Alexey Gladkov Cc: "Eric W. Biederman" Cc: Jingyu Wang Cc: Muchun Song Cc: Roman Gushchin Cc: Waiman Long Cc: Wei Yongjun Cc: YueHaibing Cc: Yu Zhe Cc: Manfred Spraul Cc: Davidlohr Bueso Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit b596242585984b5f3085aa8f7a82c65640b384b6 Author: Cai Xinchen Date: Sat Dec 3 08:57:21 2022 +0000 rapidio: devices: fix missing put_device in mport_cdev_open [ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ] When kfifo_alloc fails, the refcount of chdev->dev is left incremental. We should use put_device(&chdev->dev) to decrease the ref count of chdev->dev to avoid refcount leak. Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com Fixes: e8de370188d0 ("rapidio: add mport char device driver") Signed-off-by: Cai Xinchen Cc: Alexandre Bounine Cc: Dan Carpenter Cc: Jakob Koschel Cc: John Hubbard Cc: Matt Porter Cc: Wang Weiyang Cc: Yang Yingliang Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 88579c158e026860c61c4192531e8bc42f4bc642 Author: ZhangPeng Date: Fri Dec 2 03:00:38 2022 +0000 hfs: Fix OOB Write in hfs_asc2mac [ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ] Syzbot reported a OOB Write bug: loop0: detected capacity change from 0 to 64 ================================================================== BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 print_address_description+0x74/0x340 mm/kasan/report.c:284 print_report+0x107/0x1f0 mm/kasan/report.c:395 kasan_report+0xcd/0x100 mm/kasan/report.c:495 hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 lookup_open fs/namei.c:3391 [inline] open_last_lookups fs/namei.c:3481 [inline] path_openat+0x10e6/0x2df0 fs/namei.c:3710 do_filp_open+0x264/0x4f0 fs/namei.c:3740 If in->len is much larger than HFS_NAMELEN(31) which is the maximum length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In that case, when the dst reaches the boundary, the srclen is still greater than 0, which causes a OOB write. Fix this by adding a check on dstlen in while() before writing to dst address. Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com Fixes: 328b92278650 ("[PATCH] hfs: NLS support") Signed-off-by: ZhangPeng Reviewed-by: Viacheslav Dubeyko Reported-by: Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit caaa3b42a204c6d2ec226e92df45199933e850a3 Author: Gavrilov Ilia Date: Tue Nov 29 09:23:38 2022 +0000 relay: fix type mismatch when allocating memory in relay_create_buf() [ Upstream commit 4d8586e04602fe42f0a782d2005956f8b6302678 ] The 'padding' field of the 'rchan_buf' structure is an array of 'size_t' elements, but the memory is allocated for an array of 'size_t *' elements. Found by Linux Verification Center (linuxtesting.org) with SVACE. Link: https://lkml.kernel.org/r/20221129092002.3538384-1-Ilia.Gavrilov@infotecs.ru Fixes: b86ff981a825 ("[PATCH] relay: migrate from relayfs to a generic relay API") Signed-off-by: Ilia.Gavrilov Cc: Colin Ian King Cc: Jens Axboe Cc: wuchi Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit ab2f429240b8a5227300c37e2a7a52f165b750d1 Author: Zhang Qilong Date: Thu Nov 24 22:01:54 2022 +0800 eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD [ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ] Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function. Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") Signed-off-by: Zhang Qilong Cc: Dylan Yudaken Cc: Jens Axboe Cc: Sha Zhengju Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit cb87af2c19c0993f6e21f75b963a5599c5a73e76 Author: Wang Weiyang Date: Wed Nov 23 17:51:47 2022 +0800 rapidio: fix possible UAF when kfifo_alloc() fails [ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ] If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com Fixes: e8de370188d0 ("rapidio: add mport char device driver") Signed-off-by: Wang Weiyang Cc: Alexandre Bounine Cc: Dan Carpenter Cc: Jakob Koschel Cc: John Hubbard Cc: Matt Porter Cc: Yang Yingliang Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit c8d1f3d1b25b5ccea7a54f9eed58d4ad4389afc5 Author: Chen Zhongjin Date: Fri Dec 9 18:04:48 2022 +0800 fs: sysv: Fix sysv_nblocks() returns wrong value [ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ] sysv_nblocks() returns 'blocks' rather than 'res', which only counting the number of triple-indirect blocks and causing sysv_getattr() gets a wrong result. [AV: this is actually a sysv counterpart of minixfs fix - 0fcd426de9d0 "[PATCH] minix block usage counting fix" in historical tree; mea culpa, should've thought to check fs/sysv back then...] Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Chen Zhongjin Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit b6dccca21b1fd481a6ba2a3cb3defa7c09c23343 Author: Brian Foster Date: Wed Nov 16 10:28:36 2022 -0500 NFSD: pass range end to vfs_fsync_range() instead of count [ Upstream commit 79a1d88a36f77374c77fd41a4386d8c2736b8704 ] _nfsd_copy_file_range() calls vfs_fsync_range() with an offset and count (bytes written), but the former wants the start and end bytes of the range to sync. Fix it up. Fixes: eac0b17a77fb ("NFSD add vfs_fsync after async copy is done") Signed-off-by: Brian Foster Tested-by: Dai Ngo Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 82474db85baba1fdcbef9487c88d64f2172c23cf Author: Jeff Layton Date: Mon Nov 7 06:58:41 2022 -0500 nfsd: return error if nfs4_setacl fails [ Upstream commit 01d53a88c08951f88f2a42f1f1e6568928e0590e ] With the addition of POSIX ACLs to struct nfsd_attrs, we no longer return an error if setting the ACL fails. Ensure we return the na_aclerr error on SETATTR if there is one. Fixes: c0cbe70742f4 ("NFSD: add posix ACLs to struct nfsd_attrs") Cc: Neil Brown Reported-by: Yongcheng Yang Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit d7aa9f7778316beb690f6e2763b6d672ad8b256f Author: Trond Myklebust Date: Sun Nov 6 14:02:39 2022 -0500 lockd: set other missing fields when unlocking files [ Upstream commit 18ebd35b61b4693a0ddc270b6d4f18def232e770 ] vfs_lock_file() expects the struct file_lock to be fully initialised by the caller. Re-exported NFSv3 has been seen to Oops if the fl_file field is NULL. Fixes: aec158242b87 ("lockd: set fl_owner when unlocking files") Signed-off-by: Trond Myklebust Reviewed-by: Jeff Layton Link: https://bugzilla.kernel.org/show_bug.cgi?id=216582 Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 5c8e13a2b66abc290da39767bfb5ba3fba2b053e Author: Ladislav Michl Date: Thu Dec 8 12:25:57 2022 +0100 MIPS: OCTEON: warn only once if deprecated link status is being used [ Upstream commit 4c587a982603d7e7e751b4925809a1512099a690 ] Avoid flooding kernel log with warnings. Fixes: 2c0756d306c2 ("MIPS: OCTEON: warn if deprecated link status is being used") Signed-off-by: Ladislav Michl Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 412bd425cc35271265e47c1492bf2024d2a2e156 Author: Anastasia Belova Date: Fri Dec 9 13:05:50 2022 +0300 MIPS: BCM63xx: Add check for NULL for clk in clk_enable [ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ] Check clk for NULL before calling clk_enable_unlocked where clk is dereferenced. There is such check in other implementations of clk_enable. Found by Linux Verification Center (linuxtesting.org) with SVACE. Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.") Signed-off-by: Anastasia Belova Reviewed-by: Philippe Mathieu-Daudé Acked-by: Florian Fainelli Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit dc72247494843a257cd3791dfc70b2a0c69daeba Author: Yang Yingliang Date: Thu Dec 8 23:19:16 2022 +0800 platform/x86: intel_scu_ipc: fix possible name leak in __intel_scu_ipc_register() [ Upstream commit 0b3d0cb7c0bed2fd6454f77ed75e7a662c6efd12 ] In some error paths before device_register(), the names allocated by dev_set_name() are not freed. Move dev_set_name() front to device_register(), so the name can be freed while calling put_device(). Fixes: 54b34aa0a729 ("platform/x86: intel_scu_ipc: Split out SCU IPC functionality from the SCU driver") Signed-off-by: Yang Yingliang Link: https://lore.kernel.org/r/20221208151916.2404977-1-yangyingliang@huawei.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 87426ce3bd57ad414b6e2436434ef8128986a9a5 Author: Yu Liao Date: Tue Nov 29 09:11:01 2022 +0800 platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() [ Upstream commit 727cc0147f5066e359aca65cc6cc5e6d64cc15d8 ] The ACPI buffer memory (out.pointer) returned by wmi_evaluate_method() is not freed after the call, so it leads to memory leak. The method results in ACPI buffer is not used, so just pass NULL to wmi_evaluate_method() which fixes the memory leak. Fixes: 99b38b4acc0d ("platform/x86: add MXM WMI driver.") Signed-off-by: Yu Liao Link: https://lore.kernel.org/r/20221129011101.2042315-1-liaoyu15@huawei.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 6613f36a2fa5c69e528bccba8b3d831f759dad2f Author: Victor Ding Date: Wed Dec 7 09:39:40 2022 +0000 platform/chrome: cros_ec_typec: zero out stale pointers [ Upstream commit 9a8aadcf0b459c1257b9477fd6402e1d5952ae07 ] `cros_typec_get_switch_handles` allocates four pointers when obtaining type-c switch handles. These pointers are all freed if failing to obtain any of them; therefore, pointers in `port` become stale. The stale pointers eventually cause use-after-free or double free in later code paths. Zeroing out all pointer fields after freeing to eliminate these stale pointers. Fixes: f28adb41dab4 ("platform/chrome: cros_ec_typec: Register Type C switches") Fixes: 1a8912caba02 ("platform/chrome: cros_ec_typec: Get retimer handle") Signed-off-by: Victor Ding Acked-by: Prashant Malani Signed-off-by: Tzung-Bi Shih Link: https://lore.kernel.org/r/20221207093924.v2.1.I1864b6a7ee98824118b93677868d22d3750f439b@changeid Signed-off-by: Sasha Levin commit 40c73b2ea9611b5388807be406f30f5e4e1162da Author: Gao Xiang Date: Mon Dec 5 23:00:50 2022 +0800 erofs: validate the extent length for uncompressed pclusters [ Upstream commit c505feba4c0d76084e56ec498ce819f02a7043ae ] syzkaller reported a KASAN use-after-free: https://syzkaller.appspot.com/bug?extid=2ae90e873e97f1faf6f2 The referenced fuzzed image actually has two issues: - m_pa == 0 as a non-inlined pcluster; - The logical length is longer than its physical length. The first issue has already been addressed. This patch addresses the second issue by checking the extent length validity. Reported-by: syzbot+2ae90e873e97f1faf6f2@syzkaller.appspotmail.com Fixes: 02827e1796b3 ("staging: erofs: add erofs_map_blocks_iter") Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20221205150050.47784-2-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 373b6f350aecf5dca2e7474f0b4ec8cca659f2f0 Author: Gao Xiang Date: Mon Dec 5 23:00:49 2022 +0800 erofs: fix missing unmap if z_erofs_get_extent_compressedlen() fails [ Upstream commit d5d188b8f8b38d3d71dd05993874b4fc9284ce95 ] Otherwise, meta buffers could be leaked. Fixes: cec6e93beadf ("erofs: support parsing big pcluster compress indexes") Reviewed-by: Yue Hu Reviewed-by: Chao Yu Signed-off-by: Gao Xiang Link: https://lore.kernel.org/r/20221205150050.47784-1-hsiangkao@linux.alibaba.com Signed-off-by: Sasha Levin commit 618e712b99c78d1004b70a1a9ab0a4830d0b2673 Author: Chen Zhongjin Date: Mon Dec 5 11:49:57 2022 +0800 erofs: Fix pcluster memleak when its block address is zero [ Upstream commit c42c0ffe81176940bd5dead474216b7198d77675 ] syzkaller reported a memleak: https://syzkaller.appspot.com/bug?id=62f37ff612f0021641eda5b17f056f1668aa9aed unreferenced object 0xffff88811009c7f8 (size 136): ... backtrace: [] z_erofs_do_read_page+0x99b/0x1740 [] z_erofs_readahead+0x24e/0x580 [] read_pages+0x86/0x3d0 ... syzkaller constructed a case: in z_erofs_register_pcluster(), ztailpacking = false and map->m_pa = zero. This makes pcl->obj.index be zero although pcl is not a inline pcluster. Then following path adds refcount for grp, but the refcount won't be put because pcl is inline. z_erofs_readahead() z_erofs_do_read_page() # for another page z_erofs_collector_begin() erofs_find_workgroup() erofs_workgroup_get() Since it's illegal for the block address of a non-inlined pcluster to be zero, add check here to avoid registering the pcluster which would be leaked. Fixes: cecf864d3d76 ("erofs: support inline data decompression") Reported-by: syzbot+6f8cd9a0155b366d227f@syzkaller.appspotmail.com Signed-off-by: Chen Zhongjin Reviewed-by: Yue Hu Reviewed-by: Gao Xiang Reviewed-by: Chao Yu Link: https://lore.kernel.org/r/Y42Kz6sVkf+XqJRB@debian Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 18067e262416a2c256645c6a280e86cad370fdf9 Author: Hou Tao Date: Fri Nov 25 19:08:22 2022 +0800 erofs: check the uniqueness of fsid in shared domain in advance [ Upstream commit 27f2a2dcc6261406b509b5022a1e5c23bf622830 ] When shared domain is enabled, doing mount twice with the same fsid and domain_id will trigger sysfs warning as shown below: sysfs: cannot create duplicate filename '/fs/erofs/d0,meta.bin' CPU: 15 PID: 1051 Comm: mount Not tainted 6.1.0-rc6+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace: dump_stack_lvl+0x38/0x49 dump_stack+0x10/0x12 sysfs_warn_dup.cold+0x17/0x27 sysfs_create_dir_ns+0xb8/0xd0 kobject_add_internal+0xb1/0x240 kobject_init_and_add+0x71/0xa0 erofs_register_sysfs+0x89/0x110 erofs_fc_fill_super+0x98c/0xaf0 vfs_get_super+0x7d/0x100 get_tree_nodev+0x16/0x20 erofs_fc_get_tree+0x20/0x30 vfs_get_tree+0x24/0xb0 path_mount+0x2fa/0xa90 do_mount+0x7c/0xa0 __x64_sys_mount+0x8b/0xe0 do_syscall_64+0x30/0x60 entry_SYSCALL_64_after_hwframe+0x46/0xb0 The reason is erofs_fscache_register_cookie() doesn't guarantee the primary data blob (aka fsid) is unique in the shared domain and erofs_register_sysfs() invoked by the second mount will fail due to the duplicated fsid in the shared domain and report warning. It would be better to check the uniqueness of fsid before doing erofs_register_sysfs(), so adding a new flags parameter for erofs_fscache_register_cookie() and doing the uniqueness check if EROFS_REG_COOKIE_NEED_NOEXIST is enabled. After the patch, the error in dmesg for the duplicated mount would be: erofs: ...: erofs_domain_register_cookie: XX already exists in domain YY Reviewed-by: Jia Zhu Reviewed-by: Jingbo Xu Reviewed-by: Chao Yu Signed-off-by: Hou Tao Link: https://lore.kernel.org/r/20221125110822.3812942-1-houtao@huaweicloud.com Fixes: 7d41963759fe ("erofs: Support sharing cookies in the same domain") Signed-off-by: Gao Xiang Signed-off-by: Sasha Levin commit 6a5061dd651c40cbd904cf7be67937601f9c5341 Author: Rafael J. Wysocki Date: Fri Dec 2 15:30:28 2022 +0100 PM: runtime: Do not call __rpm_callback() from rpm_idle() [ Upstream commit bc80c2e438dcbfcf748452ec0f7ad5b79ff3ad88 ] Calling __rpm_callback() from rpm_idle() after adding device links support to the former is a clear mistake. Not only it causes rpm_idle() to carry out unnecessary actions, but it is also against the assumption regarding the stability of PM-runtime status across __rpm_callback() invocations, because rpm_suspend() and rpm_resume() may run in parallel with __rpm_callback() when it is called by rpm_idle() and the device's PM-runtime status can be updated by any of them. Fixes: 21d5c57b3726 ("PM / runtime: Use device links") Link: https://lore.kernel.org/linux-pm/36aed941-a73e-d937-2721-4f0decd61ce0@quicinc.com Signed-off-by: Rafael J. Wysocki Reviewed-by: Adrian Hunter Signed-off-by: Sasha Levin commit 4da411086f5ab32f811a89ef804980ec106ebb65 Author: Harshit Mogalapalli Date: Fri Nov 25 21:07:45 2022 -0800 xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() [ Upstream commit 8b997b2bb2c53b76a6db6c195930e9ab8e4b0c79 ] As 'kdata.num' is user-controlled data, if user tries to allocate memory larger than(>=) MAX_ORDER, then kcalloc() will fail, it creates a stack trace and messes up dmesg with a warning. Call trace: -> privcmd_ioctl --> privcmd_ioctl_mmap_resource Add __GFP_NOWARN in order to avoid too large allocation warning. This is detected by static analysis using smatch. Fixes: 3ad0876554ca ("xen/privcmd: add IOCTL_PRIVCMD_MMAP_RESOURCE") Signed-off-by: Harshit Mogalapalli Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20221126050745.778967-1-harshit.m.mogalapalli@oracle.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit b44457b83a034efef58ffa5f3131d4615f1a9837 Author: Xiu Jianfeng Date: Wed Nov 23 23:58:58 2022 +0800 x86/xen: Fix memory leak in xen_init_lock_cpu() [ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ] In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(), if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead to a memory leak issue, fix it. Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks") Signed-off-by: Xiu Jianfeng Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit f698f88f042c6a19bbbac6c84782039a75e7f349 Author: Xiu Jianfeng Date: Wed Nov 23 23:58:57 2022 +0800 x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() [ Upstream commit 69143f60868b3939ddc89289b29db593b647295e ] These local variables @{resched|pmu|callfunc...}_name saves the new string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler() fails, it goes to the @fail tag, and calls xen_smp_intr_free{_pv}() to free resource, however the new string is not saved, which cause a memory leak issue. fix it. Fixes: 9702785a747a ("i386: move xen") Signed-off-by: Xiu Jianfeng Reviewed-by: Juergen Gross Link: https://lore.kernel.org/r/20221123155858.11382-2-xiujianfeng@huawei.com Signed-off-by: Juergen Gross Signed-off-by: Sasha Levin commit daea9a0647dfdf76a6dcfe3aa94a953313643133 Author: Oleg Nesterov Date: Sun Dec 4 18:39:33 2022 +0100 uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix [ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ] Intel ICC -hotpatch inserts 2-byte "0x66 0x90" NOP at the start of each function to reserve extra space for hot-patching, and currently it is not possible to probe these functions because branch_setup_xol_ops() wrongly rejects NOP with REP prefix as it treats them like word-sized branch instructions. Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns") Reported-by: Seiji Nishikawa Suggested-by: Denys Vlasenko Signed-off-by: Oleg Nesterov Signed-off-by: Thomas Gleixner Acked-by: Masami Hiramatsu (Google) Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com Signed-off-by: Sasha Levin commit 01f2c2052ea50fb9a8ce12e4e83aed0267934ef0 Author: Li Zetao Date: Thu Dec 1 16:05:14 2022 +0800 ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() [ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ] There is an use-after-free reported by KASAN: BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82 Read of size 1 at addr ffff888112afc460 by task modprobe/2111 CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), Call Trace: kasan_report+0xae/0xe0 acpi_ut_remove_reference+0x3b/0x82 acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5 acpi_ds_store_object_to_local+0x15d/0x3a0 acpi_ex_store+0x78d/0x7fd acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b acpi_ps_parse_aml+0x217/0x8d5 ... The root cause of the problem is that the acpi_operand_object is freed when acpi_ut_walk_package_tree() fails in acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in acpi_ut_copy_iobject_to_iobject(). The problem was introduced by "8aa5e56eeb61" commit, this commit is to fix memory leak in acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove operation, lead to "acpi_operand_object" used after free. Fix it by removing acpi_ut_remove_reference() in acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage() is called to copy an internal package object into another internal package object, when it fails, the memory of acpi_operand_object should be freed by the caller. Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject") Signed-off-by: Li Zetao Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 404b4b9770d88a1a81147ecee354da412c7267cd Author: Yang Yingliang Date: Sat Oct 29 19:44:27 2022 +0800 clocksource/drivers/timer-ti-dm: Fix missing clk_disable_unprepare in dmtimer_systimer_init_clock() [ Upstream commit 180d35a7c05d520314a590c99ad8643d0213f28b ] If clk_get_rate() fails which is called after clk_prepare_enable(), clk_disable_unprepare() need be called in error path to disable the clock in dmtimer_systimer_init_clock(). Fixes: 52762fbd1c47 ("clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support") Signed-off-by: Yang Yingliang Reviewed-by: Tony Lindgren Link: https://lore.kernel.org/r/20221029114427.946520-1-yangyingliang@huawei.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 6b0a5f9e153ef06f47ae74ecb69beaf575f5f08c Author: Tony Lindgren Date: Fri Oct 28 13:35:26 2022 +0300 clocksource/drivers/timer-ti-dm: Fix warning for omap_timer_match [ Upstream commit 9688498b1648aa98a3ee45d9f07763c099f6fb12 ] We can now get a warning for 'omap_timer_match' defined but not used. Let's fix this by dropping of_match_ptr for omap_timer_match. Reported-by: kernel test robot Fixes: ab0bbef3ae0f ("clocksource/drivers/timer-ti-dm: Make timer selectable for ARCH_K3") Signed-off-by: Tony Lindgren Link: https://lore.kernel.org/r/20221028103526.40319-1-tony@atomide.com Signed-off-by: Daniel Lezcano Signed-off-by: Sasha Levin commit 685c4ec6c8d043063b29df440f4833319e90a638 Author: Vincent Donnefort Date: Tue Sep 27 11:12:59 2022 +0100 cpu/hotplug: Do not bail-out in DYING/STARTING sections [ Upstream commit 6f855b39e4602b6b42a8e5cbcfefb8a1b8b5f0be ] The DYING/STARTING callbacks are not expected to fail. However, as reported by Derek, buggy drivers such as tboot are still free to return errors within those sections, which halts the hot(un)plug and leaves the CPU in an unrecoverable state. As there is no rollback possible, only log the failures and proceed with the following steps. This restores the hotplug behaviour prior to commit 453e41085183 ("cpu/hotplug: Add cpuhp_invoke_callback_range()") Fixes: 453e41085183 ("cpu/hotplug: Add cpuhp_invoke_callback_range()") Reported-by: Derek Dolney Signed-off-by: Vincent Donnefort Signed-off-by: Thomas Gleixner Tested-by: Derek Dolney Reviewed-by: Valentin Schneider Link: https://bugzilla.kernel.org/show_bug.cgi?id=215867 Link: https://lore.kernel.org/r/20220927101259.1149636-1-vdonnefort@google.com Signed-off-by: Sasha Levin commit 4070e9cf72206b136992611f21202e90c596982b Author: Phil Auld Date: Thu Nov 17 11:23:28 2022 -0500 cpu/hotplug: Make target_store() a nop when target == state [ Upstream commit 64ea6e44f85b9b75925ebe1ba0e6e8430cc4e06f ] Writing the current state back in hotplug/target calls cpu_down() which will set cpu dying even when it isn't and then nothing will ever clear it. A stress test that reads values and writes them back for all cpu device files in sysfs will trigger the BUG() in select_fallback_rq once all cpus are marked as dying. kernel/cpu.c::target_store() ... if (st->state < target) ret = cpu_up(dev->id, target); else ret = cpu_down(dev->id, target); cpu_down() -> cpu_set_state() bool bringup = st->state < target; ... if (cpu_dying(cpu) != !bringup) set_cpu_dying(cpu, !bringup); Fix this by letting state==target fall through in the target_store() conditional. Also make sure st->target == target in that case. Fixes: 757c989b9994 ("cpu/hotplug: Make target state writeable") Signed-off-by: Phil Auld Signed-off-by: Thomas Gleixner Reviewed-by: Valentin Schneider Link: https://lore.kernel.org/r/20221117162329.3164999-2-pauld@redhat.com Signed-off-by: Sasha Levin commit a1e49256c78642cf49015d0e8d7cd1355d961419 Author: Alexey Izbyshev Date: Sat Nov 12 00:54:39 2022 +0300 futex: Resend potentially swallowed owner death notification [ Upstream commit 90d758896787048fa3d4209309d4800f3920e66f ] Commit ca16d5bee598 ("futex: Prevent robust futex exit race") addressed two cases when tasks waiting on a robust non-PI futex remained blocked despite the futex not being owned anymore: * if the owner died after writing zero to the futex word, but before waking up a waiter * if a task waiting on the futex was woken up, but died before updating the futex word (effectively swallowing the notification without acting on it) In the second case, the task could be woken up either by the previous owner (after the futex word was reset to zero) or by the kernel (after the OWNER_DIED bit was set and the TID part of the futex word was reset to zero) if the previous owner died without the resetting the futex. Because the referenced commit wakes up a potential waiter only if the whole futex word is zero, the latter subcase remains unaddressed. Fix this by looking only at the TID part of the futex when deciding whether a wake up is needed. Fixes: ca16d5bee598 ("futex: Prevent robust futex exit race") Signed-off-by: Alexey Izbyshev Signed-off-by: Thomas Gleixner Acked-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20221111215439.248185-1-izbyshev@ispras.ru Signed-off-by: Sasha Levin commit fba0ec3a25ee84d5662bca6908a5d4cc7a422e04 Author: Wolfram Sang Date: Wed Nov 30 22:06:09 2022 +0100 clocksource/drivers/sh_cmt: Access registers according to spec [ Upstream commit 3f44f7156f59cae06e9160eafb5d8b2dfd09e639 ] Documentation for most CMTs say that it takes two input clocks before changes propagate to the timer. This is especially relevant when the timer is stopped to change further settings. Implement the delays according to the spec. To avoid unnecessary delays in atomic mode, also check if the to-be-written value actually differs. CMCNT is a bit special because testing showed that it requires 3 cycles to propagate, which affects all CMTs. Also, the WRFLAG needs to be checked before writing. This fixes "cannot clear CMCNT" messages which occur often on R-Car Gen4 SoCs, but only very rarely on older SoCs for some reason. Fixes: 81b3b2711072 ("clocksource: sh_cmt: Add support for multiple channels per device") Signed-off-by: Wolfram Sang Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20221130210609.7718-1-wsa+renesas@sang-engineering.com Signed-off-by: Sasha Levin commit 9abba4aa60874c5216fc8de7dededadc791de696 Author: Yang Yingliang Date: Mon Nov 14 23:26:36 2022 +0800 rapidio: rio: fix possible name leak in rio_register_mport() [ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ] If device_register() returns error, the name allocated by dev_set_name() need be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and list_del() is called to delete the port from rio_mports. Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices") Signed-off-by: Yang Yingliang Cc: Alexandre Bounine Cc: Matt Porter Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 85fbf58b15c09d3a6a03098c1e42ebfe9002f39d Author: Yang Yingliang Date: Mon Nov 14 23:26:35 2022 +0800 rapidio: fix possible name leaks when rio_add_device() fails [ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ] Patch series "rapidio: fix three possible memory leaks". This patchset fixes three name leaks in error handling. - patch #1 fixes two name leaks while rio_add_device() fails. - patch #2 fixes a name leak while rio_register_mport() fails. This patch (of 2): If rio_add_device() returns error, the name allocated by dev_set_name() need be freed. It should use put_device() to give up the reference in the error path, so that the name can be freed in kobject_cleanup(), and the 'rdev' can be freed in rio_release_dev(). Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com Fixes: e8de370188d0 ("rapidio: add mport char device driver") Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Cc: Alexandre Bounine Cc: Matt Porter Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 50ab0ca3aff4da26037113d69f5a756d8c1a92cd Author: Li Zetao Date: Wed Nov 9 15:46:27 2022 +0800 ocfs2: fix memory leak in ocfs2_mount_volume() [ Upstream commit ce2fcf1516d674a174d9b34d1e1024d64de9fba3 ] There is a memory leak reported by kmemleak: unreferenced object 0xffff88810cc65e60 (size 32): comm "mount.ocfs2", pid 23753, jiffies 4302528942 (age 34735.105s) hex dump (first 32 bytes): 10 00 00 00 00 00 00 00 00 01 01 01 01 01 01 01 ................ 01 01 01 01 01 01 01 01 00 00 00 00 00 00 00 00 ................ backtrace: [] __kmalloc+0x4d/0x150 [] ocfs2_compute_replay_slots+0x121/0x330 [ocfs2] [] ocfs2_check_volume+0x485/0x900 [ocfs2] [] ocfs2_mount_volume.isra.0+0x1e9/0x650 [ocfs2] [] ocfs2_fill_super+0xe0b/0x1740 [ocfs2] [] mount_bdev+0x312/0x400 [] legacy_get_tree+0xed/0x1d0 [] vfs_get_tree+0x7d/0x230 [] path_mount+0xd62/0x1760 [] do_mount+0xca/0xe0 [] __x64_sys_mount+0x12c/0x1a0 [] do_syscall_64+0x35/0x80 [] entry_SYSCALL_64_after_hwframe+0x46/0xb0 This call stack is related to two problems. Firstly, the ocfs2 super uses "replay_map" to trace online/offline slots, in order to recover offline slots during recovery and mount. But when ocfs2_truncate_log_init() returns an error in ocfs2_mount_volume(), the memory of "replay_map" will not be freed in error handling path. Secondly, the memory of "replay_map" will not be freed if d_make_root() returns an error in ocfs2_fill_super(). But the memory of "replay_map" will be freed normally when completing recovery and mount in ocfs2_complete_mount_recovery(). Fix the first problem by adding error handling path to free "replay_map" when ocfs2_truncate_log_init() fails. And fix the second problem by calling ocfs2_free_replay_slots(osb) in the error handling path "out_dismount". In addition, since ocfs2_free_replay_slots() is static, it is necessary to remove its static attribute and declare it in header file. Link: https://lkml.kernel.org/r/20221109074627.2303950-1-lizetao1@huawei.com Fixes: 9140db04ef18 ("ocfs2: recover orphans in offline slots during recovery and mount") Signed-off-by: Li Zetao Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 92425441949e86b41154d6833b3331a805edf18f Author: Akinobu Mita Date: Tue Sep 20 02:24:18 2022 +0900 debugfs: fix error when writing negative value to atomic_t debugfs file [ Upstream commit d472cf797c4e268613dbce5ec9b95d0bcae19ecb ] The simple attribute files do not accept a negative value since the commit 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()"), so we have to use a 64-bit value to write a negative value for a debugfs file created by debugfs_create_atomic_t(). This restores the previous behaviour by introducing DEFINE_DEBUGFS_ATTRIBUTE_SIGNED for a signed value. Link: https://lkml.kernel.org/r/20220919172418.45257-4-akinobu.mita@gmail.com Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") Signed-off-by: Akinobu Mita Reported-by: Zhao Gongyi Reviewed-by: David Hildenbrand Reviewed-by: Greg Kroah-Hartman Cc: Alexander Viro Cc: Jonathan Corbet Cc: Oscar Salvador Cc: Rafael J. Wysocki Cc: Shuah Khan Cc: Wei Yongjun Cc: Yicong Yang Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 93148085cb70091f9b72c1bbee79ed2b82fdf71f Author: Akinobu Mita Date: Tue Sep 20 02:24:17 2022 +0900 lib/notifier-error-inject: fix error when writing -errno to debugfs file [ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ] The simple attribute files do not accept a negative value since the commit 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()"). This restores the previous behaviour by using newly introduced DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE. Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") Signed-off-by: Akinobu Mita Reported-by: Zhao Gongyi Reviewed-by: David Hildenbrand Reviewed-by: Greg Kroah-Hartman Cc: Alexander Viro Cc: Jonathan Corbet Cc: Oscar Salvador Cc: Rafael J. Wysocki Cc: Shuah Khan Cc: Wei Yongjun Cc: Yicong Yang Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 79be3d5f2ef1245a4e8c3b0dcfb69283f628e44b Author: Akinobu Mita Date: Tue Sep 20 02:24:16 2022 +0900 libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value [ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ] Patch series "fix error when writing negative value to simple attribute files". The simple attribute files do not accept a negative value since the commit 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()"), but some attribute files want to accept a negative value. This patch (of 3): The simple attribute files do not accept a negative value since the commit 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()"), so we have to use a 64-bit value to write a negative value. This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value. Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") Signed-off-by: Akinobu Mita Reported-by: Zhao Gongyi Reviewed-by: David Hildenbrand Reviewed-by: Greg Kroah-Hartman Cc: Alexander Viro Cc: Jonathan Corbet Cc: Oscar Salvador Cc: Rafael J. Wysocki Cc: Shuah Khan Cc: Wei Yongjun Cc: Yicong Yang Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 52116d130bcb3ea4c3e36ae813e9cd050f883fdd Author: Xiongfeng Wang Date: Wed Nov 16 19:33:39 2022 +0800 cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() [ Upstream commit 91fda1f88c0968f1491ab150bb01690525af150a ] pci_get_device() will increase the reference count for the returned pci_dev. We need to use pci_dev_put() to decrease the reference count after using pci_get_device(). Let's add it. Fixes: 59a3b3a8db16 ("cpufreq: AMD: Ignore the check for ProcFeedback in ST/CZ") Signed-off-by: Xiongfeng Wang Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 6eda351971bed2b9cd288c2b88f24e15cf508efc Author: Yang Yingliang Date: Mon Nov 28 23:16:12 2022 +0800 genirq/irqdesc: Don't try to remove non-existing sysfs files [ Upstream commit 9049e1ca41983ab773d7ea244bee86d7835ec9f5 ] Fault injection tests trigger warnings like this: kernfs: can not remove 'chip_name', no directory WARNING: CPU: 0 PID: 253 at fs/kernfs/dir.c:1616 kernfs_remove_by_name_ns+0xce/0xe0 RIP: 0010:kernfs_remove_by_name_ns+0xce/0xe0 Call Trace: remove_files.isra.1+0x3f/0xb0 sysfs_remove_group+0x68/0xe0 sysfs_remove_groups+0x41/0x70 __kobject_del+0x45/0xc0 kobject_del+0x29/0x40 free_desc+0x42/0x70 irq_free_descs+0x5e/0x90 The reason is that the interrupt descriptor sysfs handling does not roll back on a failing kobject_add() during allocation. If the descriptor is freed later on, kobject_del() is invoked with a not added kobject resulting in the above warnings. A proper rollback in case of a kobject_add() failure would be the straight forward solution. But this is not possible due to the way how interrupt descriptor sysfs handling works. Interrupt descriptors are allocated before sysfs becomes available. So the sysfs files for the early allocated descriptors are added later in the boot process. At this point there can be nothing useful done about a failing kobject_add(). For consistency the interrupt descriptor allocation always treats kobject_add() failures as non-critical and just emits a warning. To solve this problem, keep track in the interrupt descriptor whether kobject_add() was successful or not and make the invocation of kobject_del() conditional on that. [ tglx: Massage changelog, comments and use a state bit. ] Fixes: ecb3f394c5db ("genirq: Expose interrupt information through sysfs") Signed-off-by: Yang Yingliang Signed-off-by: Thomas Gleixner Reviewed-by: Greg Kroah-Hartman Link: https://lore.kernel.org/r/20221128151612.1786122-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 23ac79e755dfa10d8d317f8b7a3ab1c8467c79a7 Author: Jeff Layton Date: Fri Oct 28 08:13:53 2022 -0400 nfsd: don't call nfsd_file_put from client states seqfile display [ Upstream commit e0aa651068bfd520afcd357af8ecd2de005fc83d ] We had a report of this: BUG: sleeping function called from invalid context at fs/nfsd/filecache.c:440 ...with a stack trace showing nfsd_file_put being called from nfs4_show_open. This code has always tried to call fput while holding a spinlock, but we recently changed this to use the filecache, and that started triggering the might_sleep() in nfsd_file_put. states_start takes and holds the cl_lock while iterating over the client's states, and we can't sleep with that held. Have the various nfs4_show_* functions instead hold the fi_lock instead of taking a nfsd_file reference. Fixes: 78599c42ae3c ("nfsd4: add file to display list of client's opens") Link: https://bugzilla.redhat.com/show_bug.cgi?id=2138357 Reported-by: Zhi Li Signed-off-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit b04556ef19ed92720c9fad6c9fb28fcab4a576e3 Author: Chuck Lever Date: Sun Oct 16 11:47:08 2022 -0400 NFSD: Finish converting the NFSv3 GETACL result encoder [ Upstream commit 841fd0a3cb490eae5dfd262eccb8c8b11d57f8b8 ] For some reason, the NFSv2 GETACL result encoder was fully converted to use the new nfs_stream_encode_acl(), but the NFSv3 equivalent was not similarly converted. Fixes: 20798dfe249a ("NFSD: Update the NFSv3 GETACL result encoder to use struct xdr_stream") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit 2b825efb0577a32a872e872a869e0947cf9dd6d3 Author: Chuck Lever Date: Sun Oct 16 11:47:02 2022 -0400 NFSD: Finish converting the NFSv2 GETACL result encoder [ Upstream commit ea5021e911d3479346a75ac9b7d9dcd751b0fb99 ] The xdr_stream conversion inadvertently left some code that set the page_len of the send buffer. The XDR stream encoders should handle this automatically now. This oversight adds garbage past the end of the Reply message. Clients typically ignore the garbage, but NFSD does not need to send it, as it leaks stale memory contents onto the wire. Fixes: f8cba47344f7 ("NFSD: Update the NFSv2 GETACL result encoder to use struct xdr_stream") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever Signed-off-by: Sasha Levin commit f29c2f57cdf7a57223dcd9fbaa2261faab5234b2 Author: Yang Yingliang Date: Mon Nov 28 14:55:12 2022 +0800 EDAC/i10nm: fix refcount leak in pci_get_dev_wrapper() [ Upstream commit 9c8921555907f4d723f01ed2d859b66f2d14f08e ] As the comment of pci_get_domain_bus_and_slot() says, it returns a PCI device with refcount incremented, so it doesn't need to call an extra pci_dev_get() in pci_get_dev_wrapper(), and the PCI device needs to be put in the error path. Fixes: d4dc89d069aa ("EDAC, i10nm: Add a driver for Intel 10nm server processors") Signed-off-by: Yang Yingliang Reviewed-by: Qiuxu Zhuo Signed-off-by: Tony Luck Link: https://lore.kernel.org/r/20221128065512.3572550-1-yangyingliang@huawei.com Signed-off-by: Sasha Levin commit 6a9592cd34827a9fcd7c2d7f425e6b9cdee962bf Author: Liu Peibao Date: Fri Nov 4 19:07:12 2022 +0800 irqchip/loongson-liointc: Fix improper error handling in liointc_init() [ Upstream commit 4a60a3cdcf1875c965095eb9e22c3d12bbc5a53d ] For cores less than 4, eg, loongson2k1000 with 2 cores, the of_property_match_string() may return with an error value, which causes that liointc could not work. At least isr0 is what should be checked like previous commit b2c4c3969fd7 ("irqchip/loongson-liointc: irqchip add 2.0 version") did. Fixes: 0858ed035a85 ("irqchip/loongson-liointc: Add ACPI init support") Signed-off-by: Liu Peibao Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20221104110712.23300-1-liupeibao@loongson.cn Signed-off-by: Sasha Levin commit 773c9d7f127f7a599d42ceed831de69f5aa22f03 Author: Wei Yongjun Date: Tue Nov 15 09:25:32 2022 +0000 irqchip/wpcm450: Fix memory leak in wpcm450_aic_of_init() [ Upstream commit 4208d4faf36573a507b5e5de17abe342e9276759 ] If of_iomap() failed, 'aic' should be freed before return. Otherwise there is a memory leak. Fixes: fead4dd49663 ("irqchip: Add driver for WPCM450 interrupt controller") Signed-off-by: Wei Yongjun Reviewed-by: Jonathan Neuschäfer Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20221115092532.1704032-1-weiyongjun@huaweicloud.com Signed-off-by: Sasha Levin commit 12f45dc266f847daa7262d0a13dc47c1cb1b288c Author: Shang XiaoJing Date: Thu Nov 24 14:51:50 2022 +0800 irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() [ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ] gic_probe() calls pm_runtime_get_sync() and added fail path as rpm_put to put usage_counter. However, pm_runtime_get_sync() will increment usage_counter even it failed. Fix it by replacing it with pm_runtime_resume_and_get() to keep usage counter balanced. Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM") Signed-off-by: Shang XiaoJing Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com Signed-off-by: Sasha Levin commit 9e04d2548a02d1af634b44ad162cfa481787e6ea Author: Jianmin Lv Date: Sat Oct 22 15:59:53 2022 +0800 irqchip/loongson-pch-pic: Fix translate callback for DT path [ Upstream commit c7c00138015975c8f0e268564249cc47d8de632c ] In DT path of translate callback, if fwspec->param_count==1 and of_node is non-null, fwspec->param[1] will be accessed, which is introduced from previous commit bcdd75c596c8 (irqchip/loongson-pch-pic: Add ACPI init support). Before the patch, for non-null of_node, translate callback (use irq_domain_translate_twocell()) will return -EINVAL if fwspec->param_count < 2, so the check in the patch is added. Fixes: bcdd75c596c8 ("irqchip/loongson-pch-pic: Add ACPI init support") Signed-off-by: Jianmin Lv Reviewed-by: Huacai Chen Signed-off-by: Marc Zyngier Link: https://lore.kernel.org/r/20221022075955.11726-3-lvjianmin@loongson.cn Signed-off-by: Sasha Levin commit e0d8b51bbe84d6a98c162e06344de2d773d9e722 Author: Yang Yingliang Date: Tue Nov 15 17:19:45 2022 +0800 thermal: core: fix some possible name leaks in error paths [ Upstream commit 4748f9687caaeefab8578285b97b2f30789fc4b4 ] In some error paths before device_register(), the names allocated by dev_set_name() are not freed. Move dev_set_name() front to device_register(), so the name can be freed while calling put_device(). Fixes: 1dd7128b839f ("thermal/core: Fix null pointer dereference in thermal_release()") Signed-off-by: Yang Yingliang Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 751f12696d797e785d2611099fe9f0569d47556e Author: Yuan Can Date: Thu Nov 17 08:08:23 2022 +0000 platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init() [ Upstream commit 5a2d96623670155d94aca72c320c0ac27bdc6bd2 ] The following WARNING message was given when rmmod cros_usbpd_notify: Unexpected driver unregister! WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0 Modules linked in: cros_usbpd_notify(-) CPU: 0 PID: 253 Comm: rmmod Not tainted 6.1.0-rc3 #24 ... Call Trace: cros_usbpd_notify_exit+0x11/0x1e [cros_usbpd_notify] __x64_sys_delete_module+0x3c7/0x570 ? __ia32_sys_delete_module+0x570/0x570 ? lock_is_held_type+0xe3/0x140 ? syscall_enter_from_user_mode+0x17/0x50 ? rcu_read_lock_sched_held+0xa0/0xd0 ? syscall_enter_from_user_mode+0x1c/0x50 do_syscall_64+0x37/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f333fe9b1b7 The reason is that the cros_usbpd_notify_init() does not check the return value of platform_driver_register(), and the cros_usbpd_notify can install successfully even if platform_driver_register() failed. Fix by checking the return value of platform_driver_register() and unregister cros_usbpd_notify_plat_driver when it failed. Fixes: ec2daf6e33f9 ("platform: chrome: Add cros-usbpd-notify driver") Signed-off-by: Yuan Can Reviewed-by: Brian Norris Link: https://lore.kernel.org/r/20221117080823.77549-1-yuancan@huawei.com Signed-off-by: Prashant Malani Signed-off-by: Sasha Levin commit 254d2d322721dbe5f20d753b9fe2f2e875df9429 Author: Xiongfeng Wang Date: Fri Nov 18 14:31:37 2022 +0800 perf/x86/intel/uncore: Fix reference count leak in __uncore_imc_init_box() [ Upstream commit 17b8d847b92d815d1638f0de154654081d66b281 ] pci_get_device() will increase the reference count for the returned pci_dev, so tgl_uncore_get_mc_dev() will return a pci_dev with its reference count increased. We need to call pci_dev_put() to decrease the reference count before exiting from __uncore_imc_init_box(). Add pci_dev_put() for both normal and error path. Fixes: fdb64822443e ("perf/x86: Add Intel Tiger Lake uncore support") Signed-off-by: Xiongfeng Wang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kan Liang Link: https://lore.kernel.org/r/20221118063137.121512-5-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit dc7f07bc1ebb56a23fd1c4f664db5cbeb8900800 Author: Xiongfeng Wang Date: Fri Nov 18 14:31:36 2022 +0800 perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() [ Upstream commit 8ebd16c11c346751b3944d708e6c181ed4746c39 ] pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its reference count increased. We need to call pci_dev_put() to decrease the reference count. Let's add the missing pci_dev_put(). Fixes: ee49532b38dd ("perf/x86/intel/uncore: Add IMC uncore support for Snow Ridge") Signed-off-by: Xiongfeng Wang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kan Liang Link: https://lore.kernel.org/r/20221118063137.121512-4-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit bd66877c0b3b42eed0ecee0bd2a2a505c1e54177 Author: Xiongfeng Wang Date: Fri Nov 18 14:31:35 2022 +0800 perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() [ Upstream commit 1ff9dd6e7071a561f803135c1d684b13c7a7d01d ] pci_get_device() will increase the reference count for the returned 'dev'. We need to call pci_dev_put() to decrease the reference count. Since 'dev' is only used in pci_read_config_dword(), let's add pci_dev_put() right after it. Fixes: 9d480158ee86 ("perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3") Signed-off-by: Xiongfeng Wang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kan Liang Link: https://lore.kernel.org/r/20221118063137.121512-3-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit a7be6b849b537d29763e8abe45ff27839760ae90 Author: Xiongfeng Wang Date: Fri Nov 18 14:31:34 2022 +0800 perf/x86/intel/uncore: Fix reference count leak in sad_cfg_iio_topology() [ Upstream commit c508eb042d9739bf9473526f53303721b70e9100 ] pci_get_device() will increase the reference count for the returned pci_dev, and also decrease the reference count for the input parameter *from* if it is not NULL. If we break the loop in sad_cfg_iio_topology() with 'dev' not NULL. We need to call pci_dev_put() to decrease the reference count. Since pci_dev_put() can handle the NULL input parameter, we can just add one pci_dev_put() right before 'return ret'. Fixes: c1777be3646b ("perf/x86/intel/uncore: Enable I/O stacks to IIO PMON mapping on SNR") Signed-off-by: Xiongfeng Wang Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Kan Liang Link: https://lore.kernel.org/r/20221118063137.121512-2-wangxiongfeng2@huawei.com Signed-off-by: Sasha Levin commit c00901e98b1e95a127f914641b2d946d95db5cc0 Author: Wang ShaoBo Date: Fri Nov 18 14:32:19 2022 +0800 ACPI: pfr_update: use ACPI_FREE() to free acpi_object [ Upstream commit e335beed78ec82656dcb554f9fe560709f0dc408 ] acpi_evaluate_dsm_typed()/acpi_evaluate_dsm() should be coupled with ACPI_FREE() to free the ACPI memory, because we need to track the allocation of acpi_object when ACPI_DBG_TRACK_ALLOCATIONS enabled, so use ACPI_FREE() instead of kfree(). Fixes: 0db89fa243e5 ("ACPI: Introduce Platform Firmware Runtime Update device driver") Signed-off-by: Wang ShaoBo Reviewed-by: Chen Yu Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit ae3075b54fa8d5a73f77f979dc7a161676212667 Author: Wang ShaoBo Date: Fri Nov 18 14:32:18 2022 +0800 ACPI: pfr_telemetry: use ACPI_FREE() to free acpi_object [ Upstream commit 0f2aa7fc2a9aee05bafb965d5b1638d3e74b4c61 ] acpi_evaluate_dsm_typed()/acpi_evaluate_dsm() should be coupled with ACPI_FREE() to free the ACPI memory, because we need to track the allocation of acpi_object when ACPI_DBG_TRACK_ALLOCATIONS enabled, so use ACPI_FREE() instead of kfree(). Fixes: b0013e037a8b ("ACPI: Introduce Platform Firmware Runtime Telemetry driver") Signed-off-by: Wang ShaoBo Reviewed-by: Chen Yu Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit f0d5624fbe37cd7c88e7917fd358f26c8db83931 Author: Huisong Li Date: Sat Nov 12 10:05:28 2022 +0800 mailbox: pcc: Reset pcc_chan_count to zero in case of PCC probe failure [ Upstream commit 6d7d3c287410c0ad499e478e2338dc3d7e3392b1 ] Currently, 'pcc_chan_count' is remains set to a non-zero value if PCC subspaces are parsed successfully but something else fail later during the initial PCC probing phase. This will result in pcc_mbox_request_channel trying to access the resources that are not initialised or allocated and may end up in a system crash. Reset pcc_chan_count to 0 when the PCC probe fails in order to prevent the possible issue as described above. Fixes: ce028702ddbc ("mailbox: pcc: Move bulk of PCCT parsing into pcc_mbox_probe") Signed-off-by: Huisong Li Reviewed-by: Sudeep Holla Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 290dd73b943c95c006df973257076ff163adf4d0 Author: Yang Yingliang Date: Fri Nov 11 09:23:58 2022 +0800 PNP: fix name memory leak in pnp_alloc_dev() [ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ] After commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, move dev_set_name() after pnp_add_id() to avoid memory leak. Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Reviewed-by: Hanjun Guo Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fb7f50d9b87abd7073ef197b4d15c64007d191f4 Author: Zhao Gongyi Date: Tue Nov 22 19:26:26 2022 +0800 selftests/efivarfs: Add checking of the test return value [ Upstream commit c93924267fe6f2b44af1849f714ae9cd8117a9cd ] Add checking of the test return value, otherwise it will report success forever for test_create_read(). Fixes: dff6d2ae56d0 ("selftests/efivarfs: clean up test files from test_create*()") Signed-off-by: Zhao Gongyi Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit faf8fd9f576acbff4674bee41b256934f80874a5 Author: Yang Yingliang Date: Fri Nov 4 11:39:45 2022 +0800 MIPS: vpe-cmp: fix possible memory leak while module exiting [ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ] dev_set_name() allocates memory for name, it need be freed when module exiting, call put_device() to give up reference, so that it can be freed in kobject_cleanup() when the refcount hit to 0. The vpe_device is static, so remove kfree() from vpe_device_release(). Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.") Signed-off-by: Yang Yingliang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit ab3d47c1fd0202821abd473ca87580faafd47847 Author: Yang Yingliang Date: Fri Nov 4 11:39:44 2022 +0800 MIPS: vpe-mt: fix possible memory leak while module exiting [ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ] Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically, it need be freed when module exiting, call put_device() to give up reference, so that it can be freed in kobject_cleanup() when the refcount hit to 0. The vpe_device is static, so remove kfree() from vpe_device_release(). Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") Signed-off-by: Yang Yingliang Signed-off-by: Thomas Bogendoerfer Signed-off-by: Sasha Levin commit 205f5e984d30cdb7b01f770d6dd8838afb9d71b6 Author: Manivannan Sadhasivam Date: Thu Nov 17 11:01:45 2022 +0530 cpufreq: qcom-hw: Fix the frequency returned by cpufreq_driver->get() [ Upstream commit c72cf0cb1d77f6b1b58c334dcc3d09fa13111c4c ] The cpufreq_driver->get() callback is supposed to return the current frequency of the CPU and not the one requested by the CPUFreq core. Fix it by returning the frequency that gets supplied to the CPU after the DCVS operation of EPSS/OSM. Fixes: 2849dd8bc72b ("cpufreq: qcom-hw: Add support for QCOM cpufreq HW driver") Reported-by: Sudeep Holla Signed-off-by: Manivannan Sadhasivam Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit a753ee5103656c31d452de4ead4aa8f03e45b3b9 Author: YueHaibing Date: Sat Nov 5 19:06:11 2022 +0800 selftests: cgroup: fix unsigned comparison with less than zero [ Upstream commit 333d073dee3a6865171d43e3b0a9ff688bff5891 ] 'size' is unsigned, it never less than zero. Link: https://lkml.kernel.org/r/20221105110611.28920-1-yuehaibing@huawei.com Fixes: 6c26df84e1f2 ("selftests: cgroup: return -errno from cg_read()/cg_write() on failure") Signed-off-by: YueHaibing Reviewed-by: Yosry Ahmed Acked-by: Roman Gushchin Reviewed-by: Kamalesh Babulal Cc: David Rientjes Cc: Johannes Weiner Cc: Shakeel Butt Cc: Shuah Khan Cc: Tejun Heo Cc: zefan li Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 0b2128b70849f2728949babfc1c760096ef72f5d Author: Shang XiaoJing Date: Tue Nov 1 19:15:33 2022 +0800 ocfs2: fix memory leak in ocfs2_stack_glue_init() [ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ] ocfs2_table_header should be free in ocfs2_stack_glue_init() if ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak. BUG: memory leak unreferenced object 0xffff88810eeb5800 (size 128): comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s) hex dump (first 32 bytes): c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@.............. 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0 [<00000000c04f70f7>] 0xffffffffa0050037 [<000000001bd12912>] do_one_initcall+0xdb/0x480 [<0000000064f766c9>] do_init_module+0x1cf/0x680 [<000000002ba52db0>] load_module+0x6441/0x6f20 [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0 [<00000000380c1f22>] do_syscall_64+0x3f/0x90 [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.") Signed-off-by: Shang XiaoJing Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 890d91b31f4874361e0df047f57d268a7021cb12 Author: Gaosheng Cui Date: Mon Oct 31 19:38:29 2022 +0800 lib/fonts: fix undefined behavior in bit shift for get_default_font [ Upstream commit 6fe888c4d2fb174408e4540bb2d5602b9f507f90 ] Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in lib/fonts/fonts.c:139:20 left shift of 1 by 31 places cannot be represented in type 'int' dump_stack_lvl+0x7d/0xa5 dump_stack+0x15/0x1b ubsan_epilogue+0xe/0x4e __ubsan_handle_shift_out_of_bounds+0x1e7/0x20c get_default_font+0x1c7/0x1f0 fbcon_startup+0x347/0x3a0 do_take_over_console+0xce/0x270 do_fbcon_takeover+0xa1/0x170 do_fb_registered+0x2a8/0x340 fbcon_fb_registered+0x47/0xe0 register_framebuffer+0x294/0x4a0 __drm_fb_helper_initial_config_and_unlock+0x43c/0x880 [drm_kms_helper] drm_fb_helper_initial_config+0x52/0x80 [drm_kms_helper] drm_fbdev_client_hotplug+0x156/0x1b0 [drm_kms_helper] drm_fbdev_generic_setup+0xfc/0x290 [drm_kms_helper] bochs_pci_probe+0x6ca/0x772 [bochs] local_pci_probe+0x4d/0xb0 pci_device_probe+0x119/0x320 really_probe+0x181/0x550 __driver_probe_device+0xc6/0x220 driver_probe_device+0x32/0x100 __driver_attach+0x195/0x200 bus_for_each_dev+0xbb/0x120 driver_attach+0x27/0x30 bus_add_driver+0x22e/0x2f0 driver_register+0xa9/0x190 __pci_register_driver+0x90/0xa0 bochs_pci_driver_init+0x52/0x1000 [bochs] do_one_initcall+0x76/0x430 do_init_module+0x61/0x28a load_module+0x1f82/0x2e50 __do_sys_finit_module+0xf8/0x190 __x64_sys_finit_module+0x23/0x30 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Link: https://lkml.kernel.org/r/20221031113829.4183153-1-cuigaosheng1@huawei.com Fixes: c81f717cb9e0 ("fbcon: Fix typo and bogus logic in get_default_font") Signed-off-by: Gaosheng Cui Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit b457907d50670b03e7a8afe49761d5b250bb2c0f Author: Alexey Dobriyan Date: Mon Oct 24 21:08:09 2022 +0300 proc: fixup uptime selftest [ Upstream commit 5cc81d5c81af0dee54da9a67a3ebe4be076a13db ] syscall(3) returns -1 and sets errno on error, unlike "syscall" instruction. Systems which have <= 32/64 CPUs are unaffected. Test won't bounce to all CPUs before completing if there are more of them. Link: https://lkml.kernel.org/r/Y1bUiT7VRXlXPQa1@p183 Fixes: 1f5bd0547654 ("proc: selftests: test /proc/uptime") Signed-off-by: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit 21bec0ebb854e358c6c3be55af553131808323c3 Author: Barnabás Pőcze Date: Mon Nov 14 19:54:23 2022 +0000 timerqueue: Use rb_entry_safe() in timerqueue_getnext() [ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ] When `timerqueue_getnext()` is called on an empty timer queue, it will use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using `rb_entry_safe()` which handles NULL pointers. This has not caused any issues so far because the offset of the `rb_node` member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op. Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer") Signed-off-by: Barnabás Pőcze Signed-off-by: Thomas Gleixner Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com Signed-off-by: Sasha Levin commit 790c52369e5dab00f51dfed0d4a4ba8c0b3bf1ba Author: Barnabás Pőcze Date: Wed Oct 5 15:00:45 2022 +0000 platform/x86: huawei-wmi: fix return value calculation [ Upstream commit 0b9a1dcdb6a2c841899389bf2dd7a3e0e2aa0e99 ] Previously, `huawei_wmi_input_setup()` returned the result of logical or-ing the return values of two functions that return negative errno-style error codes and one that returns `acpi_status`. If this returned value was non-zero, then it was propagated from the platform driver's probe function. That function should return a negative errno-style error code, so the result of the logical or that `huawei_wmi_input_setup()` returned was not appropriate. Fix that by checking each function separately and returning the error code unmodified. Fixes: 1ac9abeb2e5b ("platform/x86: huawei-wmi: Move to platform driver") Signed-off-by: Barnabás Pőcze Link: https://lore.kernel.org/r/20221005150032.173198-2-pobrn@protonmail.com Reviewed-by: Hans de Goede Signed-off-by: Hans de Goede Signed-off-by: Sasha Levin commit 51b2ea9e4e53abc55cd7f2ce4fa6a3bd05030297 Author: wuchi Date: Sat Jun 11 21:06:34 2022 +0800 lib/debugobjects: fix stat count and optimize debug_objects_mem_init [ Upstream commit eabb7f1ace53e127309407b2b5e74e8199e85270 ] 1. Var debug_objects_allocated tracks valid kmem_cache_alloc calls, so track it in debug_objects_replace_static_objects. Do similar things in object_cpu_offline. 2. In debug_objects_mem_init, there is no need to call function cpuhp_setup_state_nocalls when debug_objects_enabled = 0 (out of memory). Link: https://lkml.kernel.org/r/20220611130634.99741-1-wuchi.zero@gmail.com Fixes: 634d61f45d6f ("debugobjects: Percpu pool lookahead freeing/allocation") Fixes: c4b73aabd098 ("debugobjects: Track number of kmem_cache_alloc/kmem_cache_free done") Signed-off-by: wuchi Reviewed-by: Waiman Long Cc: Thomas Gleixner Cc: Christoph Hellwig Cc: Kees Cook Signed-off-by: Andrew Morton Signed-off-by: Sasha Levin commit e9b4dc13d32c7be9a5a6418317477bcc821d164b Author: Chen Zhongjin Date: Fri Nov 11 18:36:53 2022 +0800 perf: Fix possible memleak in pmu_dev_alloc() [ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ] In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev and call put_device(pmu->dev) to release it. However pmu->dev->release is assigned after this, which makes warning and memleak. Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it. Device '(null)' does not have a release() function... WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240 ... Call Trace: kobject_put+0x17f/0x460 put_device+0x20/0x30 pmu_dev_alloc+0x152/0x400 perf_pmu_register+0x96b/0xee0 ... kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) unreferenced object 0xffff888014759000 (size 2048): comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s) backtrace: [<0000000005aed3b4>] kmalloc_trace+0x27/0x110 [<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400 [<00000000735f17be>] perf_pmu_register+0x96b/0xee0 [<00000000e38477f1>] 0xffffffffc0ad8603 [<000000004e162216>] do_one_initcall+0xd0/0x4e0 ... Fixes: abe43400579d ("perf: Sysfs enumeration") Signed-off-by: Chen Zhongjin Signed-off-by: Peter Zijlstra (Intel) Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com Signed-off-by: Sasha Levin commit 619dd807f99350b76b5852b528d3ce4c543e3b30 Author: Yipeng Zou Date: Fri Nov 4 10:09:31 2022 +0800 selftests/ftrace: event_triggers: wait longer for test_event_enable [ Upstream commit a1d6cd88c8973cfb08ee85722488b1d6d5d16327 ] In some platform, the schedule event may came slowly, delay 100ms can't cover it. I was notice that on my board which running in low cpu_freq,and this selftests allways gose fail. So maybe we can check more times here to wait longer. Fixes: 43bb45da82f9 ("selftests: ftrace: Add a selftest to test event enable/disable func trigger") Signed-off-by: Yipeng Zou Acked-by: Masami Hiramatsu (Google) Acked-by: Steven Rostedt (Google) Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 14addeebbb0fc4a829463687d691406074ddb647 Author: Xiongfeng Wang Date: Tue Nov 8 09:46:23 2022 +0800 ACPI: irq: Fix some kernel-doc issues [ Upstream commit ebb92d58b90753e658059f5d8590d9048395491a ] The following commit change the second parameter of acpi_set_irq_model() but forgot to update the function description. Let's fix it. commit 7327b16f5f56 ("APCI: irq: Add support for multiple GSI domains") Also add description of parameter 'gsi' for acpi_get_irq_source_fwhandle() to avoid the following build W=1 warning. drivers/acpi/irq.c:108: warning: Function parameter or member 'gsi' not described in 'acpi_get_irq_source_fwhandle' Fixes: 7327b16f5f56 ("APCI: irq: Add support for multiple GSI domains") Signed-off-by: Xiongfeng Wang Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit bb1878d741ffe848c05313b99e0938621e1df0ce Author: Guilherme G. Piccoli Date: Mon Oct 24 17:02:54 2022 -0300 x86/split_lock: Add sysctl to control the misery mode [ Upstream commit 727209376f4998bc84db1d5d8af15afea846a92b ] Commit b041b525dab9 ("x86/split_lock: Make life miserable for split lockers") changed the way the split lock detector works when in "warn" mode; basically, it not only shows the warn message, but also intentionally introduces a slowdown through sleeping plus serialization mechanism on such task. Based on discussions in [0], seems the warning alone wasn't enough motivation for userspace developers to fix their applications. This slowdown is enough to totally break some proprietary (aka. unfixable) userspace[1]. Happens that originally the proposal in [0] was to add a new mode which would warns + slowdown the "split locking" task, keeping the old warn mode untouched. In the end, that idea was discarded and the regular/default "warn" mode now slows down the applications. This is quite aggressive with regards proprietary/legacy programs that basically are unable to properly run in kernel with this change. While it is understandable that a malicious application could DoS by split locking, it seems unacceptable to regress old/proprietary userspace programs through a default configuration that previously worked. An example of such breakage was reported in [1]. Add a sysctl to allow controlling the "misery mode" behavior, as per Thomas suggestion on [2]. This way, users running legacy and/or proprietary software are allowed to still execute them with a decent performance while still observing the warning messages on kernel log. [0] https://lore.kernel.org/lkml/20220217012721.9694-1-tony.luck@intel.com/ [1] https://github.com/doitsujin/dxvk/issues/2938 [2] https://lore.kernel.org/lkml/87pmf4bter.ffs@tglx/ [ dhansen: minor changelog tweaks, including clarifying the actual problem ] Fixes: b041b525dab9 ("x86/split_lock: Make life miserable for split lockers") Suggested-by: Thomas Gleixner Signed-off-by: Guilherme G. Piccoli Signed-off-by: Dave Hansen Reviewed-by: Tony Luck Tested-by: Andre Almeida Link: https://lore.kernel.org/all/20221024200254.635256-1-gpiccoli%40igalia.com Signed-off-by: Sasha Levin commit 242e23be8f31ebd90525c57ee3244c28e99a1697 Author: Chen Hui Date: Tue Nov 8 15:23:02 2022 +0800 cpufreq: qcom-hw: Fix memory leak in qcom_cpufreq_hw_read_lut() [ Upstream commit 9901c21bcaf2f01fe5078f750d624f4ddfa8f81b ] If "cpu_dev" fails to get opp table in qcom_cpufreq_hw_read_lut(), the program will return, resulting in "table" resource is not released. Fixes: 51c843cf77bb ("cpufreq: qcom: Update the bandwidth levels on frequency change") Signed-off-by: Chen Hui Reviewed-by: Sibi Sankar Signed-off-by: Viresh Kumar Signed-off-by: Sasha Levin commit cfea50b0e5972331c1274e2666b763a3f239f4c1 Author: Ondrej Mosnacek Date: Thu Nov 3 16:12:05 2022 +0100 fs: don't audit the capability check in simple_xattr_list() [ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ] The check being unconditional may lead to unwanted denials reported by LSMs when a process has the capability granted by DAC, but denied by an LSM. In the case of SELinux such denials are a problem, since they can't be effectively filtered out via the policy and when not silenced, they produce noise that may hide a true problem or an attack. Checking for the capability only if any trusted xattr is actually present wouldn't really address the issue, since calling listxattr(2) on such node on its own doesn't indicate an explicit attempt to see the trusted xattrs. Additionally, it could potentially leak the presence of trusted xattrs to an unprivileged user if they can check for the denials (e.g. through dmesg). Therefore, it's best (and simplest) to keep the check unconditional and instead use ns_capable_noaudit() that will silence any associated LSM denials. Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs") Reported-by: Martin Pitt Suggested-by: Christian Brauner (Microsoft) Signed-off-by: Ondrej Mosnacek Reviewed-by: Christian Brauner (Microsoft) Reviewed-by: Paul Moore Signed-off-by: Christian Brauner (Microsoft) Signed-off-by: Sasha Levin commit 574b10475d69f3104e1009ed777fcb703d0d6177 Author: xiongxin Date: Tue Nov 1 10:28:39 2022 +0800 PM: hibernate: Fix mistake in kerneldoc comment [ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ] The actual maximum image size formula in hibernate_preallocate_memory() is as follows: max_size = (count - (size + PAGES_FOR_IO)) / 2 - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE); but the one in the kerneldoc comment of the function is different and incorrect. Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers") Signed-off-by: xiongxin [ rjw: Subject and changelog rewrite ] Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit fa90769d3f255935db9ba6aad59fb820c2a38ead Author: Reinette Chatre Date: Mon Oct 31 10:29:58 2022 -0700 x86/sgx: Reduce delay and interference of enclave release [ Upstream commit 7b72c823ddf8aaaec4e9fb28e6fbe4d511e7dad1 ] commit 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves") introduced a cond_resched() during enclave release where the EREMOVE instruction is applied to every 4k enclave page. Giving other tasks an opportunity to run while tearing down a large enclave placates the soft lockup detector but Iqbal found that the fix causes a 25% performance degradation of a workload run using Gramine. Gramine maintains a 1:1 mapping between processes and SGX enclaves. That means if a workload in an enclave creates a subprocess then Gramine creates a duplicate enclave for that subprocess to run in. The consequence is that the release of the enclave used to run the subprocess can impact the performance of the workload that is run in the original enclave, especially in large enclaves when SGX2 is not in use. The workload run by Iqbal behaves as follows: Create enclave (enclave "A") /* Initialize workload in enclave "A" */ Create enclave (enclave "B") /* Run subprocess in enclave "B" and send result to enclave "A" */ Release enclave (enclave "B") /* Run workload in enclave "A" */ Release enclave (enclave "A") The performance impact of releasing enclave "B" in the above scenario is amplified when there is a lot of SGX memory and the enclave size matches the SGX memory. When there is 128GB SGX memory and an enclave size of 128GB, from the time enclave "B" starts the 128GB SGX memory is oversubscribed with a combined demand for 256GB from the two enclaves. Before commit 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves") enclave release was done in a tight loop without giving other tasks a chance to run. Even though the system experienced soft lockups the workload (run in enclave "A") obtained good performance numbers because when the workload started running there was no interference. Commit 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves") gave other tasks opportunity to run while an enclave is released. The impact of this in this scenario is that while enclave "B" is released and needing to access each page that belongs to it in order to run the SGX EREMOVE instruction on it, enclave "A" is attempting to run the workload needing to access the enclave pages that belong to it. This causes a lot of swapping due to the demand for the oversubscribed SGX memory. Longer latencies are experienced by the workload in enclave "A" while enclave "B" is released. Improve the performance of enclave release while still avoiding the soft lockup detector with two enhancements: - Only call cond_resched() after XA_CHECK_SCHED iterations. - Use the xarray advanced API to keep the xarray locked for XA_CHECK_SCHED iterations instead of locking and unlocking at every iteration. This batching solution is copied from sgx_encl_may_map() that also iterates through all enclave pages using this technique. With this enhancement the workload experiences a 5% performance degradation when compared to a kernel without commit 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves"), an improvement to the reported 25% degradation, while still placating the soft lockup detector. Scenarios with poor performance are still possible even with these enhancements. For example, short workloads creating sub processes while running in large enclaves. Further performance improvements are pursued in user space through avoiding to create duplicate enclaves for certain sub processes, and using SGX2 that will do lazy allocation of pages as needed so enclaves created for sub processes start quickly and release quickly. Fixes: 8795359e35bc ("x86/sgx: Silence softlockup detection when releasing large enclaves") Reported-by: Md Iqbal Hossain Signed-off-by: Reinette Chatre Signed-off-by: Dave Hansen Tested-by: Md Iqbal Hossain Link: https://lore.kernel.org/all/00efa80dd9e35dc85753e1c5edb0344ac07bb1f0.1667236485.git.reinette.chatre%40intel.com Signed-off-by: Sasha Levin commit 44de1adb24841511c82386fe4e3892954d1ccf3b Author: Hao Lee Date: Mon Sep 19 07:23:56 2022 +0000 sched/psi: Fix possible missing or delayed pending event [ Upstream commit e38f89af6a13e895805febd3a329a13ab7e66fa4 ] When a pending event exists and growth is less than the threshold, the current logic is to skip this trigger without generating event. However, from e6df4ead85d9 ("psi: fix possible trigger missing in the window"), our purpose is to generate event as long as pending event exists and the rate meets the limit, no matter what growth is. This patch handles this case properly. Fixes: e6df4ead85d9 ("psi: fix possible trigger missing in the window") Signed-off-by: Hao Lee Signed-off-by: Peter Zijlstra (Intel) Acked-by: Suren Baghdasaryan Link: https://lore.kernel.org/r/20220919072356.GA29069@haolee.io Signed-off-by: Sasha Levin commit 3878f601e14c344f06b797bec97ba6b0e96627e0 Author: Al Viro Date: Sat Sep 18 18:18:48 2021 -0400 alpha: fix syscall entry in !AUDUT_SYSCALL case [ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ] We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_ thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to be set. Fixes: a9302e843944 "alpha: Enable system-call auditing support" Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit 84fe26b06f82da05069319653f6de8789d98cfba Author: Al Viro Date: Sat Sep 18 18:08:56 2021 -0400 alpha: fix TIF_NOTIFY_SIGNAL handling [ Upstream commit e2c7554cc6d85f95e3c6635f270ec839ab9fe05e ] it needs to be added to _TIF_WORK_MASK, or we might not reach do_work_pending() in the first place... Fixes: 5a9a8897c253a "alpha: add support for TIF_NOTIFY_SIGNAL" Signed-off-by: Al Viro Signed-off-by: Sasha Levin commit dc0da257ebaf00e188c5e836427a566ad7166bd4 Author: Ulf Hansson Date: Fri Oct 21 17:10:12 2022 +0200 cpuidle: dt: Return the correct numbers of parsed idle states [ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ] While we correctly skips to initialize an idle state from a disabled idle state node in DT, the returned value from dt_init_idle_driver() don't get adjusted accordingly. Instead the number of found idle state nodes are returned, while the callers are expecting the number of successfully initialized idle states from DT. This leads to cpuidle drivers unnecessarily continues to initialize their idle state specific data. Moreover, in the case when all idle states have been disabled in DT, we would end up registering a cpuidle driver, rather than relying on the default arch specific idle call. Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure") Signed-off-by: Ulf Hansson Reviewed-by: Sudeep Holla Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit e7c542d2cfae906aaeef326a9dd368344d2ff5f3 Author: Qais Yousef Date: Thu Aug 4 15:36:07 2022 +0100 sched/uclamp: Cater for uclamp in find_energy_efficient_cpu()'s early exit condition [ Upstream commit d81304bc6193554014d4372a01debdf65e1e9a4d ] If the utilization of the woken up task is 0, we skip the energy calculation because it has no impact. But if the task is boosted (uclamp_min != 0) will have an impact on task placement and frequency selection. Only skip if the util is truly 0 after applying uclamp values. Change uclamp_task_cpu() signature to avoid unnecessary additional calls to uclamp_eff_get(). feec() is the only user now. Fixes: 732cd75b8c920 ("sched/fair: Select an energy-efficient CPU on task wake-up") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-8-qais.yousef@arm.com Signed-off-by: Sasha Levin commit cbd8c040409cd7343db655d4b0fc702bfd9560f6 Author: Qais Yousef Date: Thu Aug 4 15:36:06 2022 +0100 sched/uclamp: Make cpu_overutilized() use util_fits_cpu() [ Upstream commit c56ab1b3506ba0e7a872509964b100912bde165d ] So that it is now uclamp aware. This fixes a major problem of busy tasks capped with UCLAMP_MAX keeping the system in overutilized state which disables EAS and leads to wasting energy in the long run. Without this patch running a busy background activity like JIT compilation on Pixel 6 causes the system to be in overutilized state 74.5% of the time. With this patch this goes down to 9.79%. It also fixes another problem when long running tasks that have their UCLAMP_MIN changed while running such that they need to upmigrate to honour the new UCLAMP_MIN value. The upmigration doesn't get triggered because overutilized state never gets set in this state, hence misfit migration never happens at tick in this case until the task wakes up again. Fixes: af24bde8df202 ("sched/uclamp: Add uclamp support to energy_compute()") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-7-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 324ce6e2c603a8e53c1b5b8f7d66eec41275ff89 Author: Qais Yousef Date: Thu Aug 4 15:36:05 2022 +0100 sched/uclamp: Make asym_fits_capacity() use util_fits_cpu() [ Upstream commit a2e7f03ed28fce26c78b985f87913b6ce3accf9d ] Use the new util_fits_cpu() to ensure migration margin and capacity pressure are taken into account correctly when uclamp is being used otherwise we will fail to consider CPUs as fitting in scenarios where they should. s/asym_fits_capacity/asym_fits_cpu/ to better reflect what it does now. Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-6-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 3b9c1559de8c3a5b974f7ad931dafc56e8694b2a Author: Qais Yousef Date: Thu Aug 4 15:36:04 2022 +0100 sched/uclamp: Make select_idle_capacity() use util_fits_cpu() [ Upstream commit b759caa1d9f667b94727b2ad12589cbc4ce13a82 ] Use the new util_fits_cpu() to ensure migration margin and capacity pressure are taken into account correctly when uclamp is being used otherwise we will fail to consider CPUs as fitting in scenarios where they should. Fixes: b4c9c9f15649 ("sched/fair: Prefer prev cpu in asymmetric wakeup path") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-5-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 75ba48621b33c072d26a6635a32842f8b6ab3338 Author: Qais Yousef Date: Thu Aug 4 15:36:03 2022 +0100 sched/uclamp: Fix fits_capacity() check in feec() [ Upstream commit 244226035a1f9b2b6c326e55ae5188fab4f428cb ] As reported by Yun Hsiang [1], if a task has its uclamp_min >= 0.8 * 1024, it'll always pick the previous CPU because fits_capacity() will always return false in this case. The new util_fits_cpu() logic should handle this correctly for us beside more corner cases where similar failures could occur, like when using UCLAMP_MAX. We open code uclamp_rq_util_with() except for the clamp() part, util_fits_cpu() needs the 'raw' values to be passed to it. Also introduce uclamp_rq_{set, get}() shorthand accessors to get uclamp value for the rq. Makes the code more readable and ensures the right rules (use READ_ONCE/WRITE_ONCE) are respected transparently. [1] https://lists.linaro.org/pipermail/eas-dev/2020-July/001488.html Fixes: 1d42509e475c ("sched/fair: Make EAS wakeup placement consider uclamp restrictions") Reported-by: Yun Hsiang Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-4-qais.yousef@arm.com Signed-off-by: Sasha Levin commit d355960543a7b8699d73e09f115d5b6825dc4be3 Author: Qais Yousef Date: Thu Aug 4 15:36:02 2022 +0100 sched/uclamp: Make task_fits_capacity() use util_fits_cpu() [ Upstream commit b48e16a69792b5dc4a09d6807369d11b2970cc36 ] So that the new uclamp rules in regard to migration margin and capacity pressure are taken into account correctly. Fixes: a7008c07a568 ("sched/fair: Make task_fits_capacity() consider uclamp restrictions") Co-developed-by: Vincent Guittot Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-3-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 0ef8dac2464618afcb1d2e168eba1a62ac5040bf Author: Qais Yousef Date: Thu Aug 4 15:36:01 2022 +0100 sched/uclamp: Fix relationship between uclamp and migration margin [ Upstream commit 48d5e9daa8b767e75ed9421665b037a49ce4bc04 ] fits_capacity() verifies that a util is within 20% margin of the capacity of a CPU, which is an attempt to speed up upmigration. But when uclamp is used, this 20% margin is problematic because for example if a task is boosted to 1024, then it will not fit on any CPU according to fits_capacity() logic. Or if a task is boosted to capacity_orig_of(medium_cpu). The task will end up on big instead on the desired medium CPU. Similar corner cases exist for uclamp and usage of capacity_of(). Slightest irq pressure on biggest CPU for example will make a 1024 boosted task look like it can't fit. What we really want is for uclamp comparisons to ignore the migration margin and capacity pressure, yet retain them for when checking the _actual_ util signal. For example, task p: p->util_avg = 300 p->uclamp[UCLAMP_MIN] = 1024 Will fit a big CPU. But p->util_avg = 900 p->uclamp[UCLAMP_MIN] = 1024 will not, this should trigger overutilized state because the big CPU is now *actually* being saturated. Similar reasoning applies to capping tasks with UCLAMP_MAX. For example: p->util_avg = 1024 p->uclamp[UCLAMP_MAX] = capacity_orig_of(medium_cpu) Should fit the task on medium cpus without triggering overutilized state. Inlined comments expand more on desired behavior in more scenarios. Introduce new util_fits_cpu() function which encapsulates the new logic. The new function is not used anywhere yet, but will be used to update various users of fits_capacity() in later patches. Fixes: af24bde8df202 ("sched/uclamp: Add uclamp support to energy_compute()") Signed-off-by: Qais Yousef Signed-off-by: Peter Zijlstra (Intel) Link: https://lore.kernel.org/r/20220804143609.515789-2-qais.yousef@arm.com Signed-off-by: Sasha Levin commit 7e48315397067f9ca294e222bfaab0ecced8bd7f Author: Amir Goldstein Date: Mon Oct 17 17:06:39 2022 +0200 ovl: remove privs in ovl_fallocate() [ Upstream commit 23a8ce16419a3066829ad4a8b7032a75817af65b ] Underlying fs doesn't remove privs because fallocate is called with privileged mounter credentials. This fixes some failure in fstests generic/683..687. Fixes: aab8848cee5e ("ovl: add ovl_fallocate()") Acked-by: Miklos Szeredi Signed-off-by: Amir Goldstein Signed-off-by: Christian Brauner (Microsoft) Signed-off-by: Sasha Levin commit 155428ea202684f1dc5424f010221f3ce5097cb0 Author: Amir Goldstein Date: Mon Oct 17 17:06:38 2022 +0200 ovl: remove privs in ovl_copyfile() [ Upstream commit b306e90ffabdaa7e3b3350dbcd19b7663e71ab17 ] Underlying fs doesn't remove privs because copy_range/remap_range are called with privileged mounter credentials. This fixes some failures in fstest generic/673. Fixes: 8ede205541ff ("ovl: add reflink/copyfile/dedup support") Acked-by: Miklos Szeredi Signed-off-by: Amir Goldstein Signed-off-by: Christian Brauner (Microsoft) Signed-off-by: Sasha Levin commit 82855e986453f895e49175c52952ff8f9ff95169 Author: Michael Kelley Date: Fri Nov 11 11:38:53 2022 -0800 tpm/tpm_crb: Fix error message in __crb_relinquish_locality() [ Upstream commit f5264068071964b56dc02c9dab3d11574aaca6ff ] The error message in __crb_relinquish_locality() mentions requestAccess instead of Relinquish. Fix it. Fixes: 888d867df441 ("tpm: cmd_ready command can be issued only after granting locality") Signed-off-by: Michael Kelley Acked-by: Tomas Winkler Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 60eb1529a300c2d5e7f4b301613af99c67837614 Author: Yuan Can Date: Thu Nov 24 03:19:26 2022 +0000 tpm/tpm_ftpm_tee: Fix error handling in ftpm_mod_init() [ Upstream commit 2b7d07f7acaac2c7750e420dcf4414588ede6d03 ] The ftpm_mod_init() returns the driver_register() directly without checking its return value, if driver_register() failed, the ftpm_tee_plat_driver is not unregistered. Fix by unregister ftpm_tee_plat_driver when driver_register() failed. Fixes: 9f1944c23c8c ("tpm_ftpm_tee: register driver on TEE bus") Signed-off-by: Yuan Can Reviewed-by: Maxim Uvarov Acked-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 1abbeab55631083ac43de1f4cf5b35b096982ca6 Author: Eddie James Date: Mon Nov 7 11:14:23 2022 -0600 tpm: Add flag to use default cancellation policy [ Upstream commit 7bfda9c73fa9710a842a7d6f89b024351c80c19c ] The check for cancelled request depends on the VID of the chip, but some chips share VID which shouldn't share their cancellation behavior. This is the case for the Nuvoton NPCT75X, which should use the default cancellation check, not the Winbond one. To avoid changing the existing behavior, add a new flag to indicate that the chip should use the default cancellation check and set it for the I2C TPM2 TIS driver. Fixes: bbc23a07b072 ("tpm: Add tpm_tis_i2c backend for tpm_tis_core") Signed-off-by: Eddie James Tested-by: Joel Stanley Reviewed-by: Jarkko Sakkinen Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 05ab9752f97530c6571b62bcb5a1b1e9da1d309f Author: Eddie James Date: Wed Aug 17 15:03:33 2022 -0500 tpm: tis_i2c: Fix sanity check interrupt enable mask [ Upstream commit 561d6ef75628db9cce433e573aa3cdb6b3bba903 ] The sanity check mask for TPM_INT_ENABLE register was off by 8 bits, resulting in failure to probe if the TPM_INT_ENABLE register was a valid value. Fixes: bbc23a07b072 ("tpm: Add tpm_tis_i2c backend for tpm_tis_core") Signed-off-by: Eddie James Reviewed-by: Jarkko Sakkinen Tested-by: Joel Stanley Signed-off-by: Jarkko Sakkinen Signed-off-by: Sasha Levin commit 63f089c0365e25153408598fbc1dc9de9ee41981 Author: Janne Grunau Date: Tue Dec 6 23:57:36 2022 +0100 arch: arm64: apple: t8103: Use standard "iommu" node name [ Upstream commit 56d32c51dffac8a431b472a4c31efb8563b048d1 ] The PCIe iommu nodes use "dart" as node names. Replace it with the the standard "iommu" node name as all other iommu nodes. Fixes: 3c866bb79577 ("arm64: dts: apple: t8103: Add PCIe DARTs") Signed-off-by: Janne Grunau Reviewed-by: Mark Kettenis Signed-off-by: Hector Martin Signed-off-by: Sasha Levin commit 2f82381d0681b10f9ddd27be98c27363b5a3cd1c Author: Stephen Boyd Date: Mon Dec 5 15:31:36 2022 -0800 pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP [ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ] An oops can be induced by running 'cat /proc/kcore > /dev/null' on devices using pstore with the ram backend because kmap_atomic() assumes lowmem pages are accessible with __va(). Unable to handle kernel paging request at virtual address ffffff807ff2b000 Mem abort info: ESR = 0x96000006 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault Data abort info: ISV = 0, ISS = 0x00000006 CM = 0, WnR = 0 swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 Internal error: Oops: 96000006 [#1] PREEMPT SMP Modules linked in: dm_integrity CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba Hardware name: Google Lazor (rev3 - 8) (DT) pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __memcpy+0x110/0x260 lr : vread+0x194/0x294 sp : ffffffc013ee39d0 x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 x2 : 0000000000001000 x1 : ffffff807ff2b000 x0 : ffffff802d4b3000 Call trace: __memcpy+0x110/0x260 read_kcore+0x584/0x778 proc_reg_read+0xb4/0xe4 During early boot, memblock reserves the pages for the ramoops reserved memory node in DT that would otherwise be part of the direct lowmem mapping. Pstore's ram backend reuses those reserved pages to change the memory type (writeback or non-cached) by passing the pages to vmap() (see pfn_to_page() usage in persistent_ram_vmap() for more details) with specific flags. When read_kcore() starts iterating over the vmalloc region, it runs over the virtual address that vmap() returned for ramoops. In aligned_vread() the virtual address is passed to vmalloc_to_page() which returns the page struct for the reserved lowmem area. That lowmem page is passed to kmap_atomic(), which effectively calls page_to_virt() that assumes a lowmem page struct must be directly accessible with __va() and friends. These pages are mapped via vmap() though, and the lowmem mapping was never made, so accessing them via the lowmem virtual address oopses like above. Let's side-step this problem by passing VM_IOREMAP to vmap(). This will tell vread() to not include the ramoops region in the kcore. Instead the area will look like a bunch of zeros. The alternative is to teach kmap() about vmalloc areas that intersect with lowmem. Presumably such a change isn't a one-liner, and there isn't much interest in inspecting the ramoops region in kcore files anyway, so the most expedient route is taken for now. Cc: Brian Geffon Cc: Mike Rapoport Cc: Andrew Morton Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory") Signed-off-by: Stephen Boyd Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org Signed-off-by: Sasha Levin commit 3c6dfce2c76c46dd555d2c91e2797d572a497d48 Author: Doug Brown Date: Sat Dec 3 16:51:17 2022 -0800 ARM: mmp: fix timer_read delay [ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ] timer_read() was using an empty 100-iteration loop to wait for the TMR_CVWR register to capture the latest timer counter value. The delay wasn't long enough. This resulted in CPU idle time being extremely underreported on PXA168 with CONFIG_NO_HZ_IDLE=y. Switch to the approach used in the vendor kernel, which implements the capture delay by reading TMR_CVWR a few times instead. Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line") Signed-off-by: Doug Brown Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 65f1ff9011f1d533d0a23c3294d82e0146f2648b Author: Wang Yufen Date: Fri Dec 2 16:22:54 2022 +0800 pstore/ram: Fix error return code in ramoops_probe() [ Upstream commit e1fce564900f8734edf15b87f028c57e14f6e28d ] In the if (dev_of_node(dev) && !pdata) path, the "err" may be assigned a value of 0, so the error return code -EINVAL may be incorrectly set to 0. To fix set valid return code before calling to goto. Fixes: 35da60941e44 ("pstore/ram: add Device Tree bindings") Signed-off-by: Wang Yufen Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/1669969374-46582-1-git-send-email-wangyufen@huawei.com Signed-off-by: Sasha Levin commit 5b81f0c6c60e35bf8153230ddfb03ebb14e17986 Author: Kuniyuki Iwashima Date: Tue Aug 23 08:45:32 2022 -0700 seccomp: Move copy_seccomp() to no failure path. [ Upstream commit a1140cb215fa13dcec06d12ba0c3ee105633b7c4 ] Our syzbot instance reported memory leaks in do_seccomp() [0], similar to the report [1]. It shows that we miss freeing struct seccomp_filter and some objects included in it. We can reproduce the issue with the program below [2] which calls one seccomp() and two clone() syscalls. The first clone()d child exits earlier than its parent and sends a signal to kill it during the second clone(), more precisely before the fatal_signal_pending() test in copy_process(). When the parent receives the signal, it has to destroy the embryonic process and return -EINTR to user space. In the failure path, we have to call seccomp_filter_release() to decrement the filter's refcount. Initially, we called it in free_task() called from the failure path, but the commit 3a15fb6ed92c ("seccomp: release filter after task is fully dead") moved it to release_task() to notify user space as early as possible that the filter is no longer used. To keep the change and current seccomp refcount semantics, let's move copy_seccomp() just after the signal check and add a WARN_ON_ONCE() in free_task() for future debugging. [0]: unreferenced object 0xffff8880063add00 (size 256): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.914s) hex dump (first 32 bytes): 01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................ ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ................ backtrace: do_seccomp (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/seccomp.c:666 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffffc90000035000 (size 4096): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 05 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: __vmalloc_node_range (mm/vmalloc.c:3226) __vmalloc_node (mm/vmalloc.c:3261 (discriminator 4)) bpf_prog_alloc_no_stats (kernel/bpf/core.c:91) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888003fa1000 (size 1024): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: bpf_prog_alloc_no_stats (./include/linux/slab.h:600 ./include/linux/slab.h:733 kernel/bpf/core.c:95) bpf_prog_alloc (kernel/bpf/core.c:129) bpf_prog_create_from_user (net/core/filter.c:1414) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff888006360240 (size 16): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 16 bytes): 01 00 37 00 76 65 72 6c e0 83 01 06 80 88 ff ff ..7.verl........ backtrace: bpf_prog_store_orig_filter (net/core/filter.c:1137) bpf_prog_create_from_user (net/core/filter.c:1428) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) unreferenced object 0xffff8880060183e0 (size 8): comm "repro_seccomp", pid 230, jiffies 4294687090 (age 9.915s) hex dump (first 8 bytes): 06 00 00 00 00 00 ff 7f ........ backtrace: kmemdup (mm/util.c:129) bpf_prog_store_orig_filter (net/core/filter.c:1144) bpf_prog_create_from_user (net/core/filter.c:1428) do_seccomp (kernel/seccomp.c:671 kernel/seccomp.c:708 kernel/seccomp.c:1871 kernel/seccomp.c:1991) do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) [1]: https://syzkaller.appspot.com/bug?id=2809bb0ac77ad9aa3f4afe42d6a610aba594a987 [2]: #define _GNU_SOURCE #include #include #include #include #include #include void main(void) { struct sock_filter filter[] = { BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), }; struct sock_fprog fprog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter, }; long i, pid; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog); for (i = 0; i < 2; i++) { pid = syscall(__NR_clone, CLONE_NEWNET | SIGKILL, NULL, NULL, 0); if (pid == 0) return; } } Fixes: 3a15fb6ed92c ("seccomp: release filter after task is fully dead") Reported-by: syzbot+ab17848fe269b573eb71@syzkaller.appspotmail.com Reported-by: Ayushman Dutta Suggested-by: Kees Cook Signed-off-by: Kuniyuki Iwashima Reviewed-by: Christian Brauner (Microsoft) Signed-off-by: Kees Cook Link: https://lore.kernel.org/r/20220823154532.82913-1-kuniyu@amazon.com Signed-off-by: Sasha Levin commit ef400e41a85a9e49fbb8e191499a34d4dfa0e6aa Author: Yicong Yang Date: Thu Nov 17 16:41:33 2022 +0800 drivers/perf: hisi: Fix some event id for hisi-pcie-pmu [ Upstream commit 6b4bb4f38dbfe85247f006f06135ba46450d5bf0 ] Some event id of hisi-pcie-pmu is incorrect, fix them. Fixes: 8404b0fbc7fb ("drivers/perf: hisi: Add driver for HiSilicon PCIe PMU") Reviewed-by: Jonathan Cameron Signed-off-by: Yicong Yang Link: https://lore.kernel.org/r/20221117084136.53572-2-yangyicong@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 5daa0a727c830cafe70038345182cdf6fc703524 Author: Sven Peter Date: Fri Nov 4 16:41:53 2022 +0100 soc: apple: rtkit: Stop casting function pointer signatures [ Upstream commit 5acf07ff25f0c1c44105e6b8ebf88c55a0a04d2f ] Fixes: 9bd1d9a0d8bb ("soc: apple: Add RTKit IPC library") Reported-by: kernel test robot Signed-off-by: Sven Peter Signed-off-by: Hector Martin Signed-off-by: Sasha Levin commit 868d9310c4607b8e1aaeb1981d070bcefb52969c Author: Sven Peter Date: Fri Nov 4 16:39:02 2022 +0100 soc: apple: sart: Stop casting function pointer signatures [ Upstream commit 422d0b860dc223b5dfc6d083697cae258bb5a4a1 ] Fixes: b170143ae111 ("soc: apple: Add SART driver") Reported-by: kernel test robot Signed-off-by: Sven Peter Signed-off-by: Hector Martin Signed-off-by: Sasha Levin commit d20a0234f0d8e81b3bcdcf0f9c2aeb36e166d60c Author: Pali Rohár Date: Sat Sep 24 13:58:26 2022 +0200 arm64: dts: armada-3720-turris-mox: Add missing interrupt for RTC [ Upstream commit 21aad8ba615e9c39cee6c5d0b76726f63791926c ] MCP7940MT-I/MNY RTC has connected interrupt line to GPIO2_5. Fixes: 7109d817db2e ("arm64: dts: marvell: add DTS for Turris Mox") Signed-off-by: Pali Rohár Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit a1b28c36ec202dc60c27c7af2e27dbf724c1ba06 Author: Pali Rohár Date: Thu Aug 25 14:21:02 2022 +0200 ARM: dts: turris-omnia: Add switch port 6 node [ Upstream commit f87db2005f73876602211af0ee156817019b6bda ] Switch port 6 is connected to eth0, so add appropriate device tree node for it. Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") Signed-off-by: Pali Rohár Reviewed-by: Andrew Lunn Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 88b5d11a6d983a8ef1053bc068665e7ef114a5cf Author: Pali Rohár Date: Wed Jul 27 15:09:26 2022 +0200 ARM: dts: turris-omnia: Add ethernet aliases [ Upstream commit f1f3e530c59a7e8c5f06172f4c28b945a6b4bfb8 ] This allows bootloader to correctly pass MAC addresses used by bootloader to individual interfaces into kernel device tree. Signed-off-by: Pali Rohár Fixes: 26ca8b52d6e1 ("ARM: dts: add support for Turris Omnia") Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 1a8b127d7b155013cf90243e6c30904a4f2bbd11 Author: Pali Rohár Date: Thu Aug 18 00:30:53 2022 +0200 ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port [ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 18d8e15a53c66ee97c938eb7b647c992d7c0fe7e Author: Pali Rohár Date: Thu Aug 18 00:30:52 2022 +0200 ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port [ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 8f4cd6481bbb3b03e774afd8151faf6823648351 Author: Pali Rohár Date: Thu Aug 18 00:30:51 2022 +0200 ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port [ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 0e23b6a16af361e6eae9781c667581b5e25e3a2d Author: Pali Rohár Date: Thu Aug 18 00:30:50 2022 +0200 ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port [ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP") Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable") Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit aa67f198dc81827974b1dc57ee5132f0770f794e Author: Pali Rohár Date: Thu Aug 18 00:30:49 2022 +0200 ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port [ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 714ae279ac9cd4801e012202b4b1efa96e45b782 Author: Pali Rohár Date: Thu Aug 18 00:30:48 2022 +0200 ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port [ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ] BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port (PCI-to-PCI bridge) should match BDF in address part in that DT node name as specified resource belongs to Marvell PCIe Root Port itself. Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT") Signed-off-by: Pali Rohár Signed-off-by: Gregory CLEMENT Signed-off-by: Sasha Levin commit 2460aca3c425ca3e0a9832b2a3cc3cd96d0238e5 Author: Frank Wunderlich Date: Fri Nov 18 20:01:16 2022 +0100 arm64: dts: mt7986: move wed_pcie node [ Upstream commit 99cce13b82a9366cfdd230ba6ddb48ba30d2741f ] Move the wed_pcie node to have node aligned by address. Fixes: 00b9903996b3 ("arm64: dts: mediatek: mt7986: add support for Wireless Ethernet Dispatch") Signed-off-by: Frank Wunderlich Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221118190126.100895-2-linux@fw-web.de Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit b2429741cb42a4598538b361388eb5deb9bca427 Author: Vidya Sagar Date: Tue Oct 25 23:55:08 2022 +0530 arm64: tegra: Fix non-prefetchable aperture of PCIe C3 controller [ Upstream commit 47a2f35d9ea76d92aa2385671f527b75aa9dfe45 ] Fix the starting address of the non-prefetchable aperture of PCIe C3 controller. Fixes: ec142c44b026 ("arm64: tegra: Add P2U and PCIe controller nodes to Tegra234 DT") Signed-off-by: Vidya Sagar Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 75a0e121937d4bcdc5c1ddd6fb3d0c8ea1ad56be Author: Vidya Sagar Date: Wed Sep 28 11:57:31 2022 +0530 arm64: tegra: Fix Prefetchable aperture ranges of Tegra234 PCIe controllers [ Upstream commit 248400656b1cd85de37f3742d065dc1826cdf589 ] commit edf408b946d3 ("PCI: dwc: Validate iATU outbound mappings against hardware constraints") exposes an issue with the existing partitioning of the aperture space where the Prefetchable apertures of controllers C5, C7 and C9 in Tegra234 cross the 32GB boundary hardware constraint. This patch makes sure that the Prefetchable region doesn't spill over the 32GB boundary. Fixes: ec142c44b026 ("arm64: tegra: Add P2U and PCIe controller nodes to Tegra234 DT") Signed-off-by: Vidya Sagar Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 29ca6ffb08408a10511569706e540d40c33e4a97 Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:12 2022 +0200 arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name [ Upstream commit 5f535cc583759c9c60d4cc9b8d221762e2d75387 ] Update its unit name to oscillator-26m and remove the unneeded unit address to fix a unit_address_vs_reg warning. Fixes: 464c510f60c6 ("arm64: dts: mediatek: add mt6797 support") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-9-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit e435f8959aad7c652a3f1437d51c19760708b2b9 Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:11 2022 +0200 arm64: dts: mediatek: pumpkin-common: Fix devicetree warnings [ Upstream commit 509438336ce75c8b4e6ce8e8d507dc77d0783bdd ] Fix the pinctrl submodes and optee node to remove unneeded unit address, fixing all unit_address_vs_reg warnings. Fixes: 9983822c8cf9 ("arm64: dts: mediatek: add pumpkin board dts") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-8-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 81d0b66f185d5eeef0b20106d65739a7f0a0d7ee Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:10 2022 +0200 arm64: dts: mt2712-evb: Fix usb vbus regulators unit names [ Upstream commit ec1ae39a8d25cfb067b5459fac7c5b7b9bce6f6a ] Update the names to regulator-usb-p{0-3}-vbus to fix unit_address_vs_reg warnings for those. Fixes: 1724f4cc5133 ("arm64: dts: Add USB3 related nodes for MT2712") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-7-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit bb225f227cb284315f1f98f164a175efd15cea5a Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:09 2022 +0200 arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names [ Upstream commit 377063156893bf6c088309ac799fe5c6dce2822d ] Update the names to regulator-vproc-buck{0,1} to fix unit_addres_vs_reg warnings for those. Fixes: f75dd8bdd344 ("arm64: dts: mediatek: add mt2712 cpufreq related device nodes") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-6-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit e547c30e963ffe57f3f340a588126385123bfb4b Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:08 2022 +0200 arm64: dts: mt2712e: Fix unit address for pinctrl node [ Upstream commit 1d4516f53a611b362db7ba7a8889923d469f57e1 ] The unit address for the pinctrl node is (0x)1000b000 and not (0x)10005000, which is the syscfg_pctl_a address instead. This fixes the following warning: arch/arm64/boot/dts/mediatek/mt2712e.dtsi:264.40-267.4: Warning (unique_unit_address): /syscfg_pctl_a@10005000: duplicate unit-address (also used in node /pinctrl@10005000) Fixes: f0c64340b748 ("arm64: dts: mt2712: add pintcrl device node.") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-5-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit cb9bb1895b43296dbc9fff6a556e73ed531e4239 Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:07 2022 +0200 arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators [ Upstream commit e4495a0a8b3d84816c9a46edf3ce060bbf267475 ] Rename the fixed-clock oscillators to remove the unit address. This solves unit_address_vs_reg warnings. Fixes: 5d4839709c8e ("arm64: dts: mt2712: Add clock controller device nodes") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-4-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 5e5190363463f262597b67ca1e04b614ea5b7748 Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:06 2022 +0200 arm64: dts: mt6779: Fix devicetree build warnings [ Upstream commit 4d759c524c15dc4151e40b9e3f368147fda7b789 ] Rename fixed-clock oscillators to oscillator-26m and oscillator-32k and remove the unit address to fix the unit_address_vs_reg warning; fix the unit address for interrupt and intpol controllers by removing a leading zero in their unit address. This commit fixes the following warnings: (unit_address_vs_reg): /oscillator@0: node has a unit name, but no reg or ranges property (unit_address_vs_reg): /oscillator@1: node has a unit name, but no reg or ranges property (simple_bus_reg): /soc/interrupt-controller@0c000000: simple-bus unit address format error, expected "c000000" (simple_bus_reg): /soc/intpol-controller@0c53a650: simple-bus unit address format error, expected "c53a650" Fixes: 4c7a6260775d ("arm64: dts: add dts nodes for MT6779") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-3-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 39ce535c4bf1b7d4ec05bb6e2646ac2212deb7e0 Author: AngeloGioacchino Del Regno Date: Thu Oct 13 17:22:05 2022 +0200 arm64: dts: mt7896a: Fix unit_address_vs_reg warning for oscillator [ Upstream commit 7898d047b1eb2bec2622668cd70181442a580c6d ] Rename the oscillator fixed-clock to oscillator-40m and remove the unit address to fix warnings. arch/arm64/boot/dts/mediatek/mt7986a.dtsi:17.23-22.4: Warning (unit_address_vs_reg): /oscillator@0: node has a unit name, but no reg or ranges property Fixes: 1f9986b258c2 ("arm64: dts: mediatek: add clock support for mt7986a") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221013152212.416661-2-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit ffd7eb58731514dfc642e81efc7aff324a7a9f20 Author: AngeloGioacchino Del Regno Date: Wed Oct 5 11:34:03 2022 +0200 arm64: dts: mediatek: mt8195: Fix CPUs capacity-dmips-mhz [ Upstream commit 513c43328b189874fdfee3ae99cac81e5502e7f7 ] The capacity-dmips-mhz parameter was miscalculated: this SoC runs the first (Cortex-A55) cluster at a maximum of 2000MHz and the second (Cortex-A78) cluster at a maximum of 3000MHz. In order to calculate the right capacity-dmips-mhz, the following test was performed: 1. CPUFREQ governor was set to 'performance' on both clusters 2. Ran dhrystone with 500000000 iterations for 10 times on each cluster 3. Calculate the mean result for each cluster 4. Calculate DMIPS/MHz: dmips_mhz = dmips_per_second / cpu_mhz 5. Scale results to 1024: result_c0 = (dmips_mhz_c0 - min_dmips_mhz(c0, c1)) / (max_dmips_mhz(c0, c1) - min_dmips_mhz(c0, c1)) * 1024 The mean results for this SoC are: Cluster 0 (LITTLE): 11990400 Dhry/s Cluster 1 (BIG): 59809036 Dhry/s The calculated scaled results are: Cluster 0: 307,934312801831 (rounded to 308) Cluster 1: 1024 Fixes: 37f2582883be ("arm64: dts: Add mediatek SoC mt8195 and evaluation board") Signed-off-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221005093404.33102-1-angelogioacchino.delregno@collabora.com Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 121fa4e630dc61886afdaa338fce618d61f015d0 Author: Jonathan Neuschäfer Date: Mon Oct 31 23:15:52 2022 +0100 ARM: dts: nuvoton: Remove bogus unit addresses from fixed-partition nodes [ Upstream commit ea3ce4cf076ba11bb591c8013c5315136cae52c8 ] The unit addresses do not correspond to the nodes' reg properties, because they don't have any. Fixes: e42b650f828d ("ARM: dts: nuvoton: Add new device nodes to NPCM750 EVB") Fixes: ee33e2fb3d70 ("ARM: dts: nuvoton: Add Quanta GBS BMC Device Tree") Fixes: 59f5abe09f0a ("ARM: dts: nuvoton: Add Quanta GSJ BMC") Fixes: 14579c76f5ca ("ARM: dts: nuvoton: Add Fii Kudo system") Signed-off-by: Jonathan Neuschäfer Reviewed-by: Joel Stanley Link: https://lore.kernel.org/r/20221031221553.163273-1-j.neuschaefer@gmx.net Signed-off-by: Joel Stanley Signed-off-by: Sasha Levin commit 3aa5508359f3eeb889cddcf6486f0efc538ff0ad Author: Conor Dooley Date: Tue Nov 15 15:25:46 2022 +0000 riscv: dts: microchip: remove pcie node from the sev kit [ Upstream commit 1150f4cff831e1d7db673417bcb81833d6544cf8 ] The SEV kit reference design does not hook up the PCIe root port to the core complex including it is misleading. The entry is a re-use mistake - I was not aware of this when I moved the PCIe node out of mpfs.dtsi so that individual bistreams could connect it to different fics etc. The node is disabled, so there should be no functional change here. Fixes: 978a17d1a688 ("riscv: dts: microchip: add sevkit device tree") Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit d31b758ee77737d39c4e4689827d14ee9a6b6686 Author: Keerthy Date: Thu Sep 22 12:59:50 2022 +0530 arm64: dts: ti: k3-j721s2: Fix the interrupt ranges property for main & wkup gpio intr [ Upstream commit b8aa36c22da7d64c5a5d89ccb4a2abb9aeaab2e3 ] The parent's input irq number is wrongly subtracted with 32 instead of using the exact numbers in: https://software-dl.ti.com/tisci/esd/latest/5_soc_doc/j721s2/interrupt_cfg.html The GPIO interrupts are not working because of that. The toggling works fine but interrupts are not firing. Fix the parent's input irq that specifies the base for parent irq. Tested for MAIN_GPIO0_6 interrupt on the j721s2 EVM. Fixes: b8545f9d3a54 ("arm64: dts: ti: Add initial support for J721S2 SoC") Signed-off-by: Keerthy Signed-off-by: Nishanth Menon Reviewed-by: Vaishnav Achath Link: https://lore.kernel.org/r/20220922072950.9157-1-j-keerthy@ti.com Signed-off-by: Sasha Levin commit 2b2c143237f3017810c2a1af0937630bef060991 Author: Jayesh Choudhary Date: Mon Oct 31 20:55:20 2022 +0530 arm64: dts: ti: k3-j7200-mcu-wakeup: Drop dma-coherent in crypto node [ Upstream commit f00f26711d7183f8675c5591ba8daaabe94be452 ] crypto driver itself is not dma-coherent. So drop it. Fixes: d683a73980a6 ("arm64: dts: ti: k3-j7200-mcu-wakeup: Add SA2UL node") Signed-off-by: Jayesh Choudhary Signed-off-by: Nishanth Menon Reviewed-by: Manorit Chawdhry Link: https://lore.kernel.org/r/20221031152520.355653-4-j-choudhary@ti.com Signed-off-by: Sasha Levin commit dc7d896b7d5029dc09d0a66989fc8371708b842a Author: Jayesh Choudhary Date: Mon Oct 31 20:55:19 2022 +0530 arm64: dts: ti: k3-j721e-main: Drop dma-coherent in crypto node [ Upstream commit 26c5012403f3f1fd3bf8f7d3389ee539ae5cc162 ] crypto driver itself is not dma-coherent. So drop it. Fixes: 8ebcaaae8017 ("arm64: dts: ti: k3-j721e-main: Add crypto accelerator node") Signed-off-by: Jayesh Choudhary Signed-off-by: Nishanth Menon Reviewed-by: Manorit Chawdhry Link: https://lore.kernel.org/r/20221031152520.355653-3-j-choudhary@ti.com Signed-off-by: Sasha Levin commit 0e2de8570880102294a353a35573367e3b3fb9ee Author: Jayesh Choudhary Date: Mon Oct 31 20:55:18 2022 +0530 arm64: dts: ti: k3-am65-main: Drop dma-coherent in crypto node [ Upstream commit b86833ab3653dbb0dc453eec4eef8615e63de4e2 ] crypto driver itself is not dma-coherent. So drop it. Fixes: b366b2409c97 ("arm64: dts: ti: k3-am6: Add crypto accelarator node") Signed-off-by: Jayesh Choudhary Signed-off-by: Nishanth Menon Reviewed-by: Manorit Chawdhry Link: https://lore.kernel.org/r/20221031152520.355653-2-j-choudhary@ti.com Signed-off-by: Sasha Levin commit 582babe17ea878ec1d76f30e03f3a6ce6e30eb91 Author: Shang XiaoJing Date: Tue Nov 15 19:55:40 2022 +0800 perf/smmuv3: Fix hotplug callback leak in arm_smmu_pmu_init() [ Upstream commit 6f2d566b46436a50a80d6445e82879686b89588c ] arm_smmu_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") Fixes: 7d839b4b9e00 ("perf/smmuv3: Add arm64 smmuv3 pmu driver") Signed-off-by: Shang XiaoJing Reviewed-by: Punit Agrawal Link: https://lore.kernel.org/r/20221115115540.6245-3-shangxiaojing@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit adf7c3bbcc819db6e95b6a61c9822230f0ef4778 Author: Shang XiaoJing Date: Tue Nov 15 19:55:39 2022 +0800 perf/arm_dmc620: Fix hotplug callback leak in dmc620_pmu_init() [ Upstream commit d9f564c966e63925aac4ba273a9319d7fb6f4b4e ] dmc620_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") Fixes: 53c218da220c ("driver/perf: Add PMU driver for the ARM DMC-620 memory controller") Signed-off-by: Shang XiaoJing Reviewed-by: Punit Agrawal Link: https://lore.kernel.org/r/20221115115540.6245-2-shangxiaojing@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7772f4de934123ccd7c7cdc1dc4e46fdd5d767fb Author: Yuan Can Date: Tue Nov 15 07:02:07 2022 +0000 drivers: perf: marvell_cn10k: Fix hotplug callback leak in tad_pmu_init() [ Upstream commit 973ae93d80d9d262f695eb485a1902b74c4b9098 ] tad_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") Fixes: 036a7584bede ("drivers: perf: Add LLC-TAD perf counter support") Signed-off-by: Yuan Can Link: https://lore.kernel.org/r/20221115070207.32634-3-yuancan@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 0823732f0aa06f8cd72d1325467baa56d118cf24 Author: Yuan Can Date: Tue Nov 15 07:02:06 2022 +0000 perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() [ Upstream commit facafab7611f7b872c6b9eeaff53461ef11f482e ] dsu_pmu_init() won't remove the callback added by cpuhp_setup_state_multi() when platform_driver_register() failed. Remove the callback by cpuhp_remove_multi_state() in fail path. Similar to the handling of arm_ccn_init() in commit 26242b330093 ("bus: arm-ccn: Prevent hotplug callback leak") Fixes: 7520fa99246d ("perf: ARM DynamIQ Shared Unit PMU support") Signed-off-by: Yuan Can Acked-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20221115070207.32634-2-yuancan@huawei.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7f7634d72def46d5578e2275463a2a07f9c2896d Author: Mark Rutland Date: Mon Nov 14 10:44:11 2022 +0000 arm64: mm: kfence: only handle translation faults [ Upstream commit 0bb1fbffc631064db567ccaeb9ed6b6df6342b66 ] Alexander noted that KFENCE only expects to handle faults from invalid page table entries (i.e. translation faults), but arm64's fault handling logic will call kfence_handle_page_fault() for other types of faults, including alignment faults caused by unaligned atomics. This has the unfortunate property of causing those other faults to be reported as "KFENCE: use-after-free", which is misleading and hinders debugging. Fix this by only forwarding unhandled translation faults to the KFENCE code, similar to what x86 does already. Alexander has verified that this passes all the tests in the KFENCE test suite and avoids bogus reports on misaligned atomics. Link: https://lore.kernel.org/all/20221102081620.1465154-1-zhongbaisong@huawei.com/ Fixes: 840b23986344 ("arm64, kfence: enable KFENCE for ARM64") Signed-off-by: Mark Rutland Reviewed-by: Alexander Potapenko Tested-by: Alexander Potapenko Cc: Catalin Marinas Cc: Marco Elver Cc: Will Deacon Link: https://lore.kernel.org/r/20221114104411.2853040-1-mark.rutland@arm.com Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit afafeb0cf5b18074517fc3ba5c6a0cd9bb8bf9d8 Author: Zhang Qilong Date: Tue Nov 8 16:03:22 2022 +0800 soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe [ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.") Signed-off-by: Zhang Qilong Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com Signed-off-by: Sasha Levin commit 01c972a33cae0743c799a3a9b86d8a8dfdf22a94 Author: Zhang Qilong Date: Tue Nov 8 16:03:21 2022 +0800 soc: ti: knav_qmss_queue: Fix PM disable depth imbalance in knav_queue_probe [ Upstream commit e961c0f19450fd4a26bd043dd2979990bf12caf6 ] The pm_runtime_enable will increase power disable depth. Thus a pairing decrement is needed on the error handling path to keep it balanced according to context. Fixes: 41f93af900a2 ("soc: ti: add Keystone Navigator QMSS driver") Signed-off-by: Zhang Qilong Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20221108080322.52268-2-zhangqilong3@huawei.com Signed-off-by: Sasha Levin commit 5e9e8ee71319aae9a3c8ba151c4f44f44bbca0e1 Author: Conor Dooley Date: Fri Oct 7 12:35:11 2022 +0100 riscv: dts: microchip: fix the icicle's #pwm-cells [ Upstream commit bdd28ab35c163553a2a686fdc5ea3cf247aad69b ] \#pwm-cells for the Icicle kit's fabric PWM was incorrectly set to 2 & blindly overridden by the (out of tree) driver anyway. The core can support inverted operation, so update the entry to correctly report its capabilities. Fixes: 72560c6559b8 ("riscv: dts: microchip: add fpga fabric section to icicle kit") Reviewed-by: Uwe Kleine-König Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit d9d93b6cd047c0a7eb1eff5088124d1d73cb2ce5 Author: Kory Maincent Date: Wed Nov 2 18:10:06 2022 +0100 arm: dts: spear600: Fix clcd interrupt [ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ] Interrupt 12 of the Interrupt controller belongs to the SMI controller, the right one for the display controller is the interrupt 13. Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes") Signed-off-by: Kory Maincent Acked-by: Viresh Kumar Signed-off-by: Arnd Bergmann Signed-off-by: Sasha Levin commit 9c113e3add6195c18ac0cf67dedc67d301bdd2f4 Author: Sibi Sankar Date: Thu Nov 10 12:38:12 2022 +0530 arm64: dts: qcom: sc7280: Mark all Qualcomm reference boards as LTE [ Upstream commit 3c800bcf07a5957da01593e8f83d797b285a37e0 ] When the modem node was re-located to a separate LTE source file "sc7280-herobrine-lte-sku.dtsi", some of the previous LTE users weren't marked appropriately. Fix this by marking all Qualcomm reference devices as LTE. Suggested-by: Douglas Anderson Fixes: d42fae738f3a ("arm64: dts: qcom: Add LTE SKUs for sc7280-villager family") Signed-off-by: Sibi Sankar Reviewed-by: Douglas Anderson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221110070813.1777-1-quic_sibis@quicinc.com Signed-off-by: Sasha Levin commit 7d6370223db67b6dbe9c3fdd61d8f604845583f4 Author: Sumit Gupta Date: Wed Nov 9 19:27:17 2022 +0530 soc/tegra: cbb: Check firewall before enabling error reporting [ Upstream commit 2927cf85f4877f417f884919de8e04ab9b362d32 ] To enable error reporting for a fabric to CCPLEX, we need to write its register for enabling error interrupt to CCPLEX during boot and later clear the error status register after error occurs. If a fabric's registers are protected and not accessible from CCPLEX, then accessing the registers will cause CBB firewall error. Add support to check whether write access from CCPLEX to the registers of a fabric is not blocked by it's firewall before enabling error reporting to CCPLEX for that fabric. Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0") Signed-off-by: Sumit Gupta Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit b75d11a62bb359777bcf6182aa234fe0c9d5bf39 Author: Sumit Gupta Date: Wed Nov 9 19:27:16 2022 +0530 soc/tegra: cbb: Add checks for potential out of bound errors [ Upstream commit 55084947d6b48977c5122fbe443743a6c50c12bf ] Added checks to avoid potential out of bounds errors which can happen if the 'slave map' and 'CBB errors' arrays are not correct or latest where some entries are missing. Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0") Signed-off-by: Sumit Gupta Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit d8ed37219e27fe1b9c8459ab1756884fa4a74404 Author: Sumit Gupta Date: Wed Nov 9 19:27:15 2022 +0530 soc/tegra: cbb: Update slave maps for Tegra234 [ Upstream commit cd1d719b47767f1970d02d18661122b649c35b00 ] Updating the slave map for fabrics and using the same maps for DCE, RCE and SCE as they all are a replica in Tegra234. Signed-off-by: Sumit Gupta Signed-off-by: Thierry Reding Stable-dep-of: 55084947d6b4 ("soc/tegra: cbb: Add checks for potential out of bound errors") Signed-off-by: Sasha Levin commit 6ede06dde33148ec41fd2933e7d88906bf9c34e3 Author: Sumit Gupta Date: Wed Nov 9 19:27:14 2022 +0530 soc/tegra: cbb: Use correct master_id mask for CBB NOC in Tegra194 [ Upstream commit 33af51a652191d7b9fe449563594b0bdbeb93c2a ] In Tegra194 SoC, master_id bit range is different between cluster NOC and CBB NOC. Currently same bit range is used which results in wrong master_id value. Due to this, illegal accesses from the CCPLEX master do not result in a crash as expected. Fix this by using the correct range for the CBB NOC. Finally, it is only necessary to extract the master_id when the erd_mask_inband_err flag is set because when this is not set, a crash is always triggered. Fixes: b71344221466 ("soc/tegra: cbb: Add CBB 1.0 driver for Tegra194") Fixes: fc2f151d2314 ("soc/tegra: cbb: Add driver for Tegra234 CBB 2.0") Signed-off-by: Sumit Gupta Signed-off-by: Thierry Reding Signed-off-by: Sasha Levin commit 61eb9624e764e9374e912430214bed38c4be2894 Author: Frank Wunderlich Date: Thu Oct 27 17:10:22 2022 +0200 arm64: dts: mt7986: fix trng node name [ Upstream commit 07ce611c705217507c2a036bba8695cbd82c9e36 ] Binding requires node name to be rng not trng: trng@1020f000: $nodename:0: 'trng@1020f000' does not match '^rng@[0-9a-f]+$' Fixes: 50137c150f5f ("arm64: dts: mediatek: add basic mt7986 support") Signed-off-by: Frank Wunderlich Reviewed-by: AngeloGioacchino Del Regno Link: https://lore.kernel.org/r/20221027151022.5541-1-linux@fw-web.de Signed-off-by: Matthias Brugger Signed-off-by: Sasha Levin commit 5e1a9c98c116a5d2a43d5412dcb20d92783afa48 Author: Yang Yingliang Date: Tue Oct 18 10:31:49 2022 +0800 soc: sifive: ccache: fix missing of_node_put() in sifive_ccache_init() [ Upstream commit 8fbf94fea0b4e187ca9100936c5429f96b8a4e44 ] The device_node pointer returned by of_find_matching_node() with refcount incremented, when finish using it, the refcount need be decreased. Fixes: a967a289f169 ("RISC-V: sifive_l2_cache: Add L2 cache controller driver for SiFive SoCs") Signed-off-by: Yang Yingliang Reviewed-by: Conor Dooley Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit 0883dc428c95c123228a4acf340ff21ce5bdd8a3 Author: Yang Yingliang Date: Tue Oct 18 10:31:48 2022 +0800 soc: sifive: ccache: fix missing free_irq() in error path in sifive_ccache_init() [ Upstream commit 756344e7cb1afbb87da8705c20384dddd0dea233 ] Add missing free_irq() before return error from sifive_ccache_init(). Fixes: a967a289f169 ("RISC-V: sifive_l2_cache: Add L2 cache controller driver for SiFive SoCs") Signed-off-by: Yang Yingliang Reviewed-by: Conor Dooley Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit 7ea9128d1a91001edd954dd1b8cf5666145ddafe Author: Yang Yingliang Date: Tue Oct 18 10:31:47 2022 +0800 soc: sifive: ccache: fix missing iounmap() in error path in sifive_ccache_init() [ Upstream commit 73e770f085023da327dc9ffeb6cd96b0bb22d97e ] Add missing iounmap() before return error from sifive_ccache_init(). Fixes: a967a289f169 ("RISC-V: sifive_l2_cache: Add L2 cache controller driver for SiFive SoCs") Signed-off-by: Yang Yingliang Reviewed-by: Conor Dooley Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit 48ad27467b00819c0885ccada3f24a36501a6dab Author: Conor Dooley Date: Fri Oct 7 12:35:10 2022 +0100 dt-bindings: pwm: fix microchip corePWM's pwm-cells [ Upstream commit a62d196e89887c029d5aef409135f9a2a8667268 ] corePWM is capable of inverted operation but the binding requires \#pwm-cells of 2. Expand the binding to support setting the polarity. Fixes: df77f7735786 ("dt-bindings: pwm: add microchip corepwm binding") Acked-by: Rob Herring Acked-by: Uwe Kleine-König Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit d12b10a783960be2f075759633569ba8cba2029d Author: Fabrizio Castro Date: Mon Nov 7 16:50:27 2022 +0000 arm64: dts: renesas: r9a09g011: Fix I2C SoC specific strings [ Upstream commit 2ac909916b520df09a23f152bb9016d7b892b496 ] The preferred form for Renesas' compatible strings is: ",-" Somehow the compatible string for the r9a09g011 I2C IP was upstreamed as renesas,i2c-r9a09g011 instead of renesas,r9a09g011-i2c, which is really confusing, especially considering the generic fallback is renesas,rzv2m-i2c. The first user of renesas,i2c-r9a09g011 in the kernel is not yet in a kernel release, it will be in v6.1, therefore it can still be fixed in v6.1. Even if we don't fix it before v6.2, I don't think there is any harm in making such a change. s/renesas,i2c-r9a09g011/renesas,r9a09g011-i2c/g for consistency. Fixes: 54ac6794df9d ("arm64: dts: renesas: r9a09g011: Add i2c nodes") Signed-off-by: Fabrizio Castro Link: https://lore.kernel.org/r/20221107165027.54150-3-fabrizio.castro.jz@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 68093e2e7a416540e77b4a5662b5445718989801 Author: Fabrizio Castro Date: Thu Nov 3 23:06:46 2022 +0000 arm64: dts: renesas: r9a09g011: Fix unit address format error [ Upstream commit 278f5015a3deaa2ea0db6070bbc2a8edf2455643 ] Although the HW User Manual for RZ/V2M states in the "Address Map" section that the interrupt controller is assigned addresses starting from 0x82000000, the memory locations from 0x82000000 0x0x8200FFFF are marked as reserved in the "Interrupt Controller (GIC)" section and are currently not used by the device tree, leading to the below warning: arch/arm64/boot/dts/renesas/r9a09g011.dtsi:51.38-63.5: Warning (simple_bus_reg): /soc/interrupt-controller@82000000: simple-bus unit address format error, expected "82010000" Fix the unit address accordingly. Fixes: fb1929b98f2e ("arm64: dts: renesas: Add initial DTSI for RZ/V2M SoC") Signed-off-by: Fabrizio Castro Link: https://lore.kernel.org/r/20221103230648.53748-2-fabrizio.castro.jz@renesas.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 4bc03f485add236e72be1c567a329d623f0cbfba Author: Wolfram Sang Date: Thu Nov 3 15:34:40 2022 +0100 arm64: dts: renesas: r8a779f0: Fix SCIF "brg_int" clock [ Upstream commit 64416ef0b0c4d73349035d1b3206eed3d2047ee0 ] As serial communication requires a clean clock signal, the Serial Communication Interfaces with FIFO (SCIF) are clocked by a clock that is not affected by Spread Spectrum or Fractional Multiplication. Hence change the clock input for the SCIF Baud Rate Generator internal clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81. Fixes: c62331e8222f ("arm64: dts: renesas: Add Renesas R8A779F0 SoC support") Fixes: 40753144256b ("arm64: dts: renesas: r8a779f0: Add SCIF nodes") Reported-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20221103143440.46449-5-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit e4d95cd9fb1537a139cac63f07a509b80c065c11 Author: Wolfram Sang Date: Thu Nov 3 15:34:39 2022 +0100 arm64: dts: renesas: r8a779f0: Fix HSCIF "brg_int" clock [ Upstream commit a5101ef18b4d0751588f61d939694bad183cc240 ] As serial communication requires a clean clock signal, the High Speed Serial Communication Interfaces with FIFO (HSCIF) are clocked by a clock that is not affected by Spread Spectrum or Fractional Multiplication. Hence change the clock input for the HSCIF Baud Rate Generator internal clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the same clock rate), cfr. R-Car S4-8 Hardware User's Manual rev. 0.81. Fixes: 01a787f78bfd ("arm64: dts: renesas: r8a779f0: Add HSCIF nodes") Reported-by: Geert Uytterhoeven Signed-off-by: Wolfram Sang Link: https://lore.kernel.org/r/20221103143440.46449-4-wsa+renesas@sang-engineering.com Signed-off-by: Geert Uytterhoeven Signed-off-by: Sasha Levin commit 8a894fab2d26c879eb80c8c977180b4281a9896d Author: Krzysztof Kozlowski Date: Wed Oct 26 12:36:46 2022 -0400 arm64: dts: qcom: sm6125: fix SDHCI CQE reg names [ Upstream commit 3de1172624b3c4ca65730bc34333ab493510b3e1 ] SM6125 comes with SDCC (SDHCI controller) v5, so the second range of registers is cqhci, not core. Fixes: cff4bbaf2a2d ("arm64: dts: qcom: Add support for SM6125") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Marijn Suijten Tested-by: Marijn Suijten # Sony Xperia 10 II Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221026163646.37433-1-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 2454706d2645f64c42d90e93bff158d599b81aa8 Author: Marijn Suijten Date: Sun Oct 30 08:32:26 2022 +0100 arm64: dts: qcom: pm6350: Include header for KEY_POWER [ Upstream commit f6e2d6914c7c095660a9c7c503328eebab1e2557 ] Make pm6350.dtsi self-contained by including input.h, needed for the KEY_POWER constant used to define the power key. Fixes: d8a3c775d7cd ("arm64: dts: qcom: Add PM6350 PMIC") Signed-off-by: Marijn Suijten Reviewed-by: Konrad Dybcio Reviewed-by: Luca Weiss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221030073232.22726-5-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 492480a9453e5782d4a10922b93eb1c3322655d5 Author: Jiasheng Jiang Date: Mon Nov 7 09:44:03 2022 +0800 soc: qcom: apr: Add check for idr_alloc and of_property_read_string_index [ Upstream commit 6d7860f5750d73da2fa1a1f6c9405058a593fa32 ] As idr_alloc() and of_property_read_string_index() can return negative numbers, it should be better to check the return value and deal with the exception. Therefore, it should be better to use goto statement to stop and return error. Fixes: 6adba21eb434 ("soc: qcom: Add APR bus driver") Signed-off-by: Jiasheng Jiang Reviewed-by: Bjorn Andersson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221107014403.3606-1-jiasheng@iscas.ac.cn Signed-off-by: Sasha Levin commit a51d57fd6f37bb01115426fe74b657185f65e4b6 Author: Johan Hovold Date: Wed Oct 26 17:25:11 2022 +0200 arm64: dts: qcom: sm6350: drop bogus DP PHY clock [ Upstream commit 95fade4016cbd57ee050ab226c8f0483af1753c4 ] The QMP pipe clock is used by the USB part of the PHY so drop the corresponding properties from the DP child node. Fixes: 23737b9557fe ("arm64: dts: qcom: sm6350: Add USB1 nodes") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221026152511.9661-3-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 8ab46b95bff6b78a6d95a7bc976786dbb7ede6e1 Author: Johan Hovold Date: Wed Oct 26 17:25:10 2022 +0200 arm64: dts: qcom: sm8250: drop bogus DP PHY clock [ Upstream commit bb9f23e46ddcebe1bc68a43a0f7acfc1865a6472 ] The QMP pipe clock is used by the USB part of the PHY so drop the corresponding properties from the DP child node. Fixes: 5aa0d1becd5b ("arm64: dts: qcom: sm8250: switch usb1 qmp phy to USB3+DP mode") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221026152511.9661-2-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 564a8e6ef47be0788ad9ace06a442fe4e42467dd Author: Dmitry Torokhov Date: Thu Oct 27 00:46:51 2022 -0700 arm64: dts: qcom: sc7280: fix codec reset line polarity for CRD 1.0/2.0 [ Upstream commit b8f298d4f69d82119ac0d22809a17c80b1f188d1 ] The driver for the codec, when resetting the chip, first drives the line low, and then high. This means that the line is active low. Change the annotation in the DTS accordingly. Fixes: f8b4eb64f200 ("arm64: dts: qcom: sc7280: Add wcd9385 codec node for CRD 1.0/2.0 and IDP boards") Signed-off-by: Dmitry Torokhov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221027074652.1044235-5-dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin commit efabb772e4bbc43dc90ad8a9eb59a08ec6502de0 Author: Dmitry Torokhov Date: Thu Oct 27 00:46:50 2022 -0700 arm64: dts: qcom: sc7280: fix codec reset line polarity for CRD 3.0/3.1 [ Upstream commit 1caf66104c02d327a2467a69ab18fb24b44e9715 ] The driver for the codec, when resetting the chip, first drives the line low, and then high. This means that the line is active low. Change the annotation in the DTS accordingly. Fixes: 0a3a56a93fd9 ("arm64: dts: qcom: sc7280: Add wcd9385 codec node for CRD 3.0/3.1") Signed-off-by: Dmitry Torokhov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221027074652.1044235-4-dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin commit c05e7b9c5474998180516314b0cc7328df05ce74 Author: Dmitry Torokhov Date: Thu Oct 27 00:46:49 2022 -0700 arm64: dts: qcom: sm8250-mtp: fix reset line polarity [ Upstream commit 15d9fcbb3e6e8420c7d1ae331405780c5d9c1c25 ] The driver for the codec, when resetting the chip, first drives the line low, and then high. This means that the line is active low. Change the annotation in the DTS accordingly. Fixes: 36c9d012f193 ("arm64: dts: qcom: use GPIO flags for tlmm") Fixes: 5a263cf629a8 ("arm64: dts: qcom: sm8250-mtp: Add wcd9380 audio codec node") Signed-off-by: Dmitry Torokhov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221027074652.1044235-3-dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin commit 07fe2707eac4b56a03b682fb0e498fe80f7686c4 Author: Dmitry Torokhov Date: Thu Oct 27 00:46:47 2022 -0700 arm64: dts: qcom: msm8996: fix sound card reset line polarity [ Upstream commit 76d21ffc5d425bf7ea9888652c49d7dbda15f356 ] When resetting the block, the reset line is being driven low and then high, which means that the line in DTS should be annotated as "active low". It will become important when wcd9335 driver will be converted to gpiod API that respects declared line polarities. Fixes: f3eb39a55a1f ("arm64: dts: db820c: Add sound card support") Signed-off-by: Dmitry Torokhov Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221027074652.1044235-1-dmitry.torokhov@gmail.com Signed-off-by: Sasha Levin commit 4b5f25ae1ba5be18e8abb1b348333c3fff1ad08d Author: Johan Hovold Date: Mon Oct 24 11:15:07 2022 +0200 arm64: dts: qcom: sm8450: fix UFS PHY registers [ Upstream commit 7af949211a0554bbc06163b081fc2cb516674880 ] The sizes of the UFS PHY register regions are too small and does specifically not cover all registers used by the Linux driver. As Linux maps these regions as full pages this is currently not an issue on Linux, but let's update the sizes to match the vendor driver. Fixes: 07fa917a335e ("arm64: dts: qcom: sm8450: add ufs nodes") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221024091507.20342-5-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit b9002a984c98a08d14ec1e33875e3a20867d4df3 Author: Johan Hovold Date: Mon Oct 24 11:15:06 2022 +0200 arm64: dts: qcom: sm8350: fix UFS PHY registers [ Upstream commit b3c7839b698cc617e97dd2e4f1eeb4adc280fe58 ] The sizes of the UFS PHY register regions are too small and does specifically not cover all registers used by the Linux driver. As Linux maps these regions as full pages this is currently not an issue on Linux, but let's update the sizes to match the vendor driver. Fixes: 59c7cf814783 ("arm64: dts: qcom: sm8350: Add UFS nodes") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221024091507.20342-4-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit 1d488fcb63d3aa43e355832e36e5c92e09429451 Author: Johan Hovold Date: Mon Oct 24 11:15:05 2022 +0200 arm64: dts: qcom: sm8250: fix UFS PHY registers [ Upstream commit 7f8b37dd4e7bf50160529530d9789b846153df71 ] The sizes of the UFS PHY register regions are too small and does specifically not cover all registers used by the Linux driver. As Linux maps these regions as full pages this is currently not an issue on Linux, but let's update the sizes to match the vendor driver. Fixes: b7e2fba06622 ("arm64: dts: qcom: sm8250: Add UFS controller and PHY") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221024091507.20342-3-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit b2b777270c94a69624a800a7a36461ffb89be3f2 Author: Johan Hovold Date: Mon Oct 24 11:15:04 2022 +0200 arm64: dts: qcom: sm8150: fix UFS PHY registers [ Upstream commit 36a31b3a8d9ba1707a23de8d8dc1ceaef4eda695 ] The sizes of the UFS PHY register regions are too small and does specifically not cover all registers used by the Linux driver. As Linux maps these regions as full pages this is currently not an issue on Linux, but let's update the sizes to match the vendor driver. Fixes: 3834a2e92229 ("arm64: dts: qcom: sm8150: Add ufs nodes") Signed-off-by: Johan Hovold Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221024091507.20342-2-johan+linaro@kernel.org Signed-off-by: Sasha Levin commit e89e8e0648f233e996e19a50e4a49722a7a1357f Author: Luca Weiss Date: Fri Nov 4 16:30:41 2022 +0100 soc: qcom: llcc: make irq truly optional [ Upstream commit c882c899ead3545102a4d71b5fbe73b9e4bc2657 ] The function platform_get_irq prints an error message into the kernel log when the irq isn't found. Since the interrupt is actually optional and not provided by some SoCs, use platform_get_irq_optional which does not print an error message. Fixes: c081f3060fab ("soc: qcom: Add support to register LLCC EDAC driver") Signed-off-by: Luca Weiss Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221104153041.412020-1-luca.weiss@fairphone.com Signed-off-by: Sasha Levin commit 91724983c7fda4544c1e3f63a2e3a3b37c641b4a Author: Krzysztof Kozlowski Date: Thu Oct 20 18:51:33 2022 -0400 arm64: dts: qcom: sc7180-trogdor-homestar: fully configure secondary I2S pins [ Upstream commit 59e787935cfe6f562fbb9117e2df4076eaf810d8 ] The Trogdor Homestar DTSI adds additional GPIO52 pin to secondary I2S pins ("sec_mi2s_active") and configures it to "mi2s_1" function. The Trogdor DTSI (which is included by Homestar) configures drive strength and bias for all "sec_mi2s_active" pins, thus the intention was to apply this configuration also to GPIO52 on Homestar. Reported-by: Doug Anderson Signed-off-by: Krzysztof Kozlowski Fixes: be0416a3f917 ("arm64: dts: qcom: Add sc7180-trogdor-homestar") Reviewed-by: Douglas Anderson Reviewed-by: Stephen Boyd Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221020225135.31750-2-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit aceaa757137c078a55a4f5138cfa0169f85e3b7b Author: Krzysztof Kozlowski Date: Tue Sep 27 17:34:20 2022 +0200 arm64: dts: qcom: sm8250: correct LPASS pin pull down [ Upstream commit 195a0a11d66d6c696cbcf398d6bc3f3a3a462f7c ] The pull-down property is actually bias-pull-down. Fixes: 3160c1b894d9 ("arm64: dts: qcom: sm8250: add lpass lpi pin controller node") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Neil Armstrong Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220927153429.55365-4-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 77777664ccdd6938d15e7ab23fc641aca839e078 Author: Marijn Suijten Date: Mon Sep 26 21:01:45 2022 +0200 arm64: dts: qcom: pm660: Use unique ADC5_VCOIN address in node name [ Upstream commit 02549ba5de0a09a27616496c3512db5af4ad7862 ] The register address in the node name is shadowing vph_pwr@83, whereas the ADC5_VCOIN register resolves to 0x85. Fix this copy-paste discrepancy. Fixes: 4bf097540506 ("arm64: dts: qcom: pm660: Add VADC and temp alarm nodes") Signed-off-by: Marijn Suijten Reviewed-by: AngeloGioacchino Del Regno Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220926190148.283805-3-marijn.suijten@somainline.org Signed-off-by: Sasha Levin commit 9d043ee0de80935a141c019adac2cee67225c2d8 Author: Conor Dooley Date: Tue Oct 25 20:56:44 2022 +0100 riscv: dts: microchip: fix memory node unit address for icicle [ Upstream commit d6105a8b7c160a73ae04054c8921eba80a294146 ] Evidently I forgot to update the unit address for the 38-bit cached memory node when I changed the address in the reg property.. Update it to match. Fixes: 6c1193301791 ("riscv: dts: microchip: update memory configuration for v2022.10") Signed-off-by: Conor Dooley Signed-off-by: Sasha Levin commit 0eb788089ddb3bc658432de160d57449daf60efd Author: Georgi Vlaev Date: Fri Oct 21 21:57:04 2022 +0300 firmware: ti_sci: Fix polled mode during system suspend [ Upstream commit b13b2c3e0e4d0854228b5217fa34e145f3ace8ac ] Commit b9e8a7d950ff ("firmware: ti_sci: Switch transport to polled mode during system suspend") uses read_poll_timeout_atomic() macro in ti_sci_do_xfer() to wait for completion when the system is suspending. The break condition of the macro is set to "true" which will cause it break immediately when evaluated, likely before the TISCI xfer is completed, and always return 0. We want to poll here until "done_state == true". 1) Change the break condition of read_poll_timeout_atomic() to the bool variable "done_state". 2) The read_poll_timeout_atomic() returns 0 if the break condition is met or -ETIMEDOUT if not. Since our break condition has changed to "done_state", we also don't have to check for "!done_state" when evaluating the return value. Fixes: b9e8a7d950ff ("firmware: ti_sci: Switch transport to polled mode during system suspend") Signed-off-by: Georgi Vlaev Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20221021185704.181316-1-g-vlaev@ti.com Signed-off-by: Sasha Levin commit f024ba5e05ab673ce38f6802babb3439b0f32514 Author: Chen Jiahao Date: Wed Oct 19 23:32:12 2022 +0800 drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static [ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ] There is a sparse warning shown below: drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol 'knav_acc_firmwares' was not declared. Should it be static? Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c, mark it as static to fix the warning. Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver") Signed-off-by: Chen Jiahao Signed-off-by: Nishanth Menon Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com Signed-off-by: Sasha Levin commit 10ee1f7a0fa08c4f4c7eab4fb03d7fbfa60eafba Author: Marek Vasut Date: Fri Oct 21 12:00:57 2022 +0200 ARM: dts: stm32: Fix AV96 WLAN regulator gpio property [ Upstream commit d5d577e3d50713ad11d98dbdaa48bb494346c26d ] The WLAN regulator uses 'gpios' property instead of 'gpio' to specify regulator enable GPIO. While the former is also currently handled by the Linux kernel regulator-fixed driver, the later is the correct one per DT bindings. Update the DT to use the later. Fixes: 7dd5cbba42c93 ("ARM: dts: stm32: Enable WiFi on AV96") Signed-off-by: Marek Vasut Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 0d7d7d9ccf6dd2e095bce8bac7886832aad47ce2 Author: Marek Vasut Date: Fri Sep 23 04:37:45 2022 +0200 ARM: dts: stm32: Drop stm32mp15xc.dtsi from Avenger96 [ Upstream commit 3b835f1b8acef53c8882b25f40f48d7f5982c938 ] The Avenger96 is populated with STM32MP157A DHCOR SoM, drop the stm32mp15xc.dtsi which should only be included in DTs of devices which are populated with STM32MP15xC/F SoC as the stm32mp15xc.dtsi enables CRYP block not present in the STM32MP15xA/D SoC . Fixes: 7e76f82acd9e1 ("ARM: dts: stm32: Split Avenger96 into DHCOR SoM and Avenger96 board") Signed-off-by: Marek Vasut Reviewed-by: Patrice Chotard Reviewed-by: Manivannan Sadhasivam Signed-off-by: Alexandre Torgue Signed-off-by: Sasha Levin commit 1c1e7514cf3ef6e9b33f5cd4a67fb62aac2ba604 Author: Marco Elver Date: Mon Sep 12 11:45:41 2022 +0200 objtool, kcsan: Add volatile read/write instrumentation to whitelist [ Upstream commit 63646fcba5bb4b59a19031c21913f94e46a3d0d4 ] Adds KCSAN's volatile instrumentation to objtool's uaccess whitelist. Recent kernel change have shown that this was missing from the uaccess whitelist (since the first upstreamed version of KCSAN): mm/gup.o: warning: objtool: fault_in_readable+0x101: call to __tsan_volatile_write1() with UACCESS enabled Fixes: 75d75b7a4d54 ("kcsan: Support distinguishing volatile accesses") Signed-off-by: Marco Elver Reviewed-by: Dmitry Vyukov Signed-off-by: Paul E. McKenney Signed-off-by: Sasha Levin commit f3107fca5491a3a8a80fe402a34a6a77482acf95 Author: Cong Dang Date: Wed Oct 12 16:01:51 2022 +0200 memory: renesas-rpc-if: Clear HS bit during hardware initialization [ Upstream commit 5192481f908e576be42bd39ec12979b79e11f7e0 ] According to the datasheet, HS bit should be specified to 1 when using DMA transfer. As DMA transfer is not supported, it should be cleared to 0. Previously, the driver relied on the HS bit being cleared by prior firmware but this is not always the case. Fix this by ensuring the bit is cleared during hardware initialization. Fixes: ca7d8b980b67 ("memory: add Renesas RPC-IF driver") Signed-off-by: Cong Dang Signed-off-by: Hai Pham Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Link: https://lore.kernel.org/r/08d9fb10b3051decebf871267a6e2e7cb2d4faf9.1665583089.git.geert+renesas@glider.be Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 85c570c3b33db4f82f320b14ab9d666e9e292fb3 Author: Padmanabhan Rajanbabu Date: Thu Oct 13 16:10:22 2022 +0530 arm64: dts: fsd: fix drive strength values as per FSD HW UM [ Upstream commit 21f6546e8bf68a847601e2710378e2224bf49704 ] Drive strength values used for HSI2C, SPI and UART are not reflecting the default values recommended by FSD HW UM. Fixes: 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support") Signed-off-by: Padmanabhan Rajanbabu Reviewed-by: Alim Akhtar Link: https://lore.kernel.org/r/20221013104024.50179-3-p.rajanbabu@samsung.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit c6c98b75a5db856d20eaa3a2fc736f86543bf0eb Author: Padmanabhan Rajanbabu Date: Thu Oct 13 16:10:21 2022 +0530 arm64: dts: fsd: fix drive strength macros as per FSD HW UM [ Upstream commit 574d6c59daefb51729b0640465f007f6c9600358 ] Drive strength macros defined for FSD platform is not reflecting actual names and values as per HW UM. FSD SoC pinctrl has following four levels of drive-strength and their corresponding values: Level-1 <-> 0 Level-2 <-> 1 Level-4 <-> 2 Level-6 <-> 3 The commit 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support") used drive strength macros defined for Exynos4 SoC family. For some IPs the macros values of Exynos4 matched and worked well, but Exynos4 SoC family drive-strength (names and values) is not exactly matching with FSD SoC. Fix the drive strength macros to reflect actual names and values given in FSD HW UM. Fixes: 684dac402f21 ("arm64: dts: fsd: Add initial pinctrl support") Signed-off-by: Padmanabhan Rajanbabu Reviewed-by: Alim Akhtar Link: https://lore.kernel.org/r/20221013104024.50179-2-p.rajanbabu@samsung.com Signed-off-by: Krzysztof Kozlowski Signed-off-by: Sasha Levin commit 6d2f8d9c14d5e2a34ce7772d19ee35e16eb56b52 Author: Stephan Gerhold Date: Mon Jul 18 16:03:40 2022 +0200 arm64: dts: qcom: msm8916: Drop MSS fallback compatible [ Upstream commit ff02ac621634e82c0c34d02a79d402ae700cdfd0 ] MSM8916 was originally using the "qcom,q6v5-pil" compatible for the MSS remoteproc. Later it was decided to use SoC-specific compatibles instead, so "qcom,msm8916-mss-pil" is now the preferred compatible. Commit 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific compatibles to SCM/MSS") updated the MSM8916 device tree to make use of the new compatible but still kept the old "qcom,q6v5-pil" as fallback. This is inconsistent with other SoCs and conflicts with the description in the binding documentation (which says that only one compatible should be present). Also, it has no functional advantage since older kernels could not handle this DT anyway (e.g. "power-domains" in the MSS node is only supported by kernels that also support "qcom,msm8916-mss-pil"). Make this consistent with other SoCs by using only the "qcom,msm8916-mss-pil" compatible. Fixes: 60a05ed059a0 ("arm64: dts: qcom: msm8916: Add MSM8916-specific compatibles to SCM/MSS") Signed-off-by: Stephan Gerhold Reviewed-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220718140344.1831731-2-stephan.gerhold@kernkonzept.com Signed-off-by: Sasha Levin commit 29e76d127ab140a42fece5e5e26eed6f034a8c07 Author: Krzysztof Kozlowski Date: Mon Oct 10 07:44:14 2022 -0400 arm64: dts: qcom: sdm845-cheza: fix AP suspend pin bias [ Upstream commit 9bce41fab14da8f21027dc9847535ef5e22cbe8b ] There is no "bias-no-pull" property. Assume intentions were disabling bias. Fixes: 79e7739f7b87 ("arm64: dts: qcom: sdm845-cheza: add initial cheza dt") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Douglas Anderson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221010114417.29859-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 0094e48d90d5bf48c874c6350e5b5804ba3ea133 Author: Krzysztof Kozlowski Date: Mon Oct 10 07:44:12 2022 -0400 arm64: dts: qcom: sdm630: fix UART1 pin bias [ Upstream commit 780f836fe071a9e8703fe6a05ae00129acf83391 ] There is no "bias-no-pull" property. Assume intentions were disabling bias. Fixes: b190fb010664 ("arm64: dts: qcom: sdm630: Add sdm630 dts file") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Douglas Anderson Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221010114417.29859-1-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 40713b3e902a9122de9cdd46d53e301ad1f0dbf3 Author: Luca Weiss Date: Thu Oct 13 21:06:57 2022 +0200 ARM: dts: qcom: apq8064: fix coresight compatible [ Upstream commit a42b1ee868361f1cb0492f1bdaefb43e0751e468 ] There's a typo missing the arm, prefix of arm,coresight-etb10. Fix it to make devicetree validation happier. Signed-off-by: Luca Weiss Fixes: 7a5c275fd821 ("ARM: dts: qcom: Add apq8064 CoreSight components") Reviewed-by: Krzysztof Kozlowski Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221013190657.48499-3-luca@z3ntu.xyz Signed-off-by: Sasha Levin commit 56a0ab80c09517f8da6df8b0fe9c09e4a1d57ba9 Author: Dmitry Baryshkov Date: Sun Jul 24 17:04:20 2022 +0300 arm64: dts: qcom: msm8996: fix GPU OPP table [ Upstream commit 0d440d811e6e2f37093e54db55bc27fe66678170 ] Fix Adreno OPP table according to the msm-3.18. Enable 624 MHz for the speed bin 3 and 560 MHz for bins 2 and 3. Fixes: 69cc3114ab0f ("arm64: dts: Add Adreno GPU definitions") Signed-off-by: Dmitry Baryshkov Acked-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220724140421.1933004-7-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit fa6d1956270c6cfc5d9839929ec140aef80f1692 Author: Dmitry Baryshkov Date: Sun Jul 24 17:04:18 2022 +0300 arm64: dts: qcom: msm8996: fix supported-hw in cpufreq OPP tables [ Upstream commit 0154caaa2b748e7414a4ec3c6ee60e8f483b2d4f ] Adjust MSM8996 cpufreq tables according to tables in msm-3.18. Some of the frequencies are not supported on speed bins other than 0. Also other speed bins support intermediate topmost frequencies, not supported on speed bin 0. Implement all these differencies. Fixes: 90173a954a22 ("arm64: dts: qcom: msm8996: Add CPU opps") Signed-off-by: Dmitry Baryshkov Acked-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220724140421.1933004-5-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 830c07c7d8ddecd9b9cc295c26bf559a1d44e10c Author: Yassine Oudjana Date: Sun Jul 24 17:04:16 2022 +0300 arm64: dts: qcom: msm8996: Add MSM8996 Pro support [ Upstream commit 8898c9748a872866f8c2973e719b26bf7c6ab64e ] Qualcomm MSM8996 Pro is a variant of MSM8996 with higher frequencies supported both on CPU and GPU. There are other minor hardware differencies in the CPU and GPU regulators and bus fabrics. However this results in significant differences between 8996 and 8996 Pro CPU OPP tables. Judging from msm-3.18 there are only few common frequencies supported by both msm8996 and msm8996pro. Rather than hacking the tables for msm8996, split msm8996pro support into a separate file. Later this would allow having additional customizations for the CBF, CPR, retulators, etc. [DB: dropped all non-CPU-OPP changes] Fixes: 90173a954a22 ("arm64: dts: qcom: msm8996: Add CPU opps") Signed-off-by: Yassine Oudjana [DB: Realigned supported-hw to keep compat with current cpufreq driver] Signed-off-by: Dmitry Baryshkov Acked-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220724140421.1933004-3-dmitry.baryshkov@linaro.org Signed-off-by: Sasha Levin commit 03cb7d4dacb340dbc885649d8b98425b91e88218 Author: Krzysztof Kozlowski Date: Fri Sep 30 21:20:39 2022 +0200 arm64: dts: qcom: sdm845-xiaomi-polaris: fix codec pin conf name [ Upstream commit 58c4a0b6f4bdf8c3c2b4aad7f980e4019cc0fc83 ] Fix typo in the codec's pin name to be configured. Mismatched name caused the pin configuration to be ignored. Fixes: be497abe19bf ("arm64: dts: qcom: Add support for Xiaomi Mi Mix2s") Signed-off-by: Krzysztof Kozlowski Tested-by: Molly Sophia Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220930192039.240486-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit fbba08a9209fe7a6cbeb773a6e47b26b28c3d346 Author: Krzysztof Kozlowski Date: Fri Sep 30 21:29:40 2022 +0200 arm64: dts: qcom: sm8250-sony-xperia-edo: fix touchscreen bias-disable [ Upstream commit 7ff4a646fae3697b039c6b684786a1e309e8445c ] The property to disable bias is "bias-disable". Fixes: e76c7e1f15fe ("arm64: dts: qcom: sm8250-edo: Add Samsung touchscreen") Reviewed-by: Konrad Dybcio Signed-off-by: Krzysztof Kozlowski Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20220930192954.242546-3-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 97e197f5c483631c3e48858a7e144418004f65ab Author: Krzysztof Kozlowski Date: Thu Oct 6 14:46:26 2022 +0200 arm64: dts: qcom: ipq6018-cp01-c1: use BLSPI1 pins [ Upstream commit 4871d3c38893c8a585e3e96364b7fb91cda8322e ] When BLSPI1 (originally SPI0, later renamed in commit f82c48d46852 ("arm64: dts: qcom: ipq6018: correct QUP peripheral labels")) was added, the device node lacked respective pin configuration assignment. Fixes: 5bf635621245 ("arm64: dts: ipq6018: Add a few device nodes") Signed-off-by: Krzysztof Kozlowski Reviewed-by: Bjorn Andersson Reviewed-by: Konrad Dybcio Signed-off-by: Bjorn Andersson Link: https://lore.kernel.org/r/20221006124659.217540-2-krzysztof.kozlowski@linaro.org Signed-off-by: Sasha Levin commit 4d37ecb21de411605414b23b038f761cd6c82efc Author: Geert Uytterhoeven Date: Fri Oct 7 17:20:03 2022 +0200 arm64: dts: renesas: r8a779g0: Fix HSCIF0 "brg_int" clock [ Upstream commit a4290d407aa9fd174d8053878783d466d3124e38 ] As serial communication requires a clock signal, the High Speed Serial Communication Interfaces with FIFO (HSCIF) are clocked by a clock that is not affected by Spread Spectrum or Fractional Multiplication. Hence change the clock input for the HSCIF0 Baud Rate Generator internal clock from the S0D3_PER clock to the SASYNCPERD1 clock (which has the same clock rate), cfr. R-Car V4H Hardware User's Manual rev. 0.54. Fixes: 987da486d84a5643 ("arm64: dts: renesas: Add Renesas R8A779G0 SoC support") Signed-off-by: Geert Uytterhoeven Reviewed-by: Wolfram Sang Link: https://lore.kernel.org/r/a5bd4148f92806f7c8e577d383370f810315f586.1665155947.git.geert+renesas@glider.be Signed-off-by: Sasha Levin commit 7913fc303d121077d9c24ed70538d87d4538f465 Author: Ivaylo Dimitrov Date: Fri Nov 25 20:21:15 2022 +0200 usb: musb: remove extra check in musb_gadget_vbus_draw [ Upstream commit ecec4b20d29c3d6922dafe7d2555254a454272d2 ] The checks for musb->xceiv and musb->xceiv->set_power duplicate those in usb_phy_set_power(), so there is no need of them. Moreover, not calling usb_phy_set_power() results in usb_phy_set_charger_current() not being called, so current USB config max current is not propagated through USB charger framework and charger drivers may try to draw more current than allowed or possible. Fix that by removing those extra checks and calling usb_phy_set_power() directly. Tested on Motorola Droid4 and Nokia N900 Fixes: a9081a008f84 ("usb: phy: Add USB charger support") Cc: stable Signed-off-by: Ivaylo Dimitrov Link: https://lore.kernel.org/r/1669400475-4762-1-git-send-email-ivo.g.dimitrov.75@gmail.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit e72fab11d350849fc33cddd7304a8bbb4ecbe640 Author: Dmitry Torokhov Date: Fri Nov 18 08:43:47 2022 -0800 MIPS: DTS: CI20: fix reset line polarity of the ethernet controller commit ca637c0ece144ce62ec8ef75dc127bcccd4f442a upstream. The reset line is called PWRST#, annotated as "active low" in the binding documentation, and is driven low and then high by the driver to reset the chip. However in device tree for CI20 board it was incorrectly marked as "active high". Fix it. Because (as far as I know) the ci20.dts is always built in the kernel I elected not to also add a quirk to gpiolib to force the polarity there. Fixes: db49ca38579d ("net: davicom: dm9000: switch to using gpiod API") Reported-by: Paul Cercueil Signed-off-by: Dmitry Torokhov Acked-by: Paul Cercueil Signed-off-by: Thomas Bogendoerfer Cc: Sudip Mukherjee Signed-off-by: Greg Kroah-Hartman